Linear structures of symmetric functions over finite fields

Information Processing Letters 97 (2006) 124–127
www.elsevier.com/locate/ipl

Yuan Li a,*, T.W. Cusick b

a Department of Mathematical Science, Alcorn State University, Alcorn State, MS 39096, USA
b SUNY Department of Mathematics, 244 Mathematics Building, Buffalo, NY 14260, USA

Received 27 October 2004; accepted 23 June 2005
Available online 7 November 2005
Communicated by Y. Desmedt

Abstract

It is shown that nonlinear symmetric functions over finite fields GF(p) that are not polynomials in the first elementary symmetric polynomial $\phi_1 = x_1 + \cdots + x_n$ alone have no linear structures other than equal component vectors. (Over GF(2) every polynomial in $\phi_1$ alone is affine, so there the restriction is vacuous.) 2005 Elsevier B.V. All rights reserved.

Keywords: Walsh transform; Cryptography; Linear structure; Finite field; Boolean function; Symmetric polynomial

1. Introduction

Symmetric Boolean functions are a class of Boolean functions with some interesting properties, since symmetry guarantees that all of the input bits have equal status in a very strong sense. A lot of research about symmetry has been done [2–4,6,9–11]. On the other hand, it is natural to extend various cryptographic ideas from GF(2) to GF(p) or GF(p^n). For example, [8,13] studied the resilient functions on GF(p). Also, [5,7] investigated the generalized bent functions on GF(p^n). In [12], Li and Cusick first introduced the strict avalanche criterion over GF(p).

The presence of linear structures often weakens the usefulness of a Boolean function in cryptographic applications: if $f(x + \alpha) - f(x) = c$ for some nonzero α, then $f(x + k\alpha) = f(x) + kc$ for every k, so the difference of f in direction α is independent of the input, which is exactly the kind of regularity differential attacks exploit. Dawson and Wu [4] studied the linear structure of symmetric Boolean functions in detail. Here, we generalize this concept to finite fields GF(p) and we get many similar results.

* Corresponding author. E-mail addresses: [email protected] (Y. Li), [email protected] (T.W. Cusick).

2. Preliminaries

In this paper, p is always prime.

If $f : GF(p)^n \to GF(p)$, then f can be uniquely expressed in the following form:
$$ f(x_1, x_2, \ldots, x_n) = \sum_{k_1=0}^{p-1} \sum_{k_2=0}^{p-1} \cdots \sum_{k_n=0}^{p-1} a_{k_1 k_2 \cdots k_n}\, x_1^{k_1} x_2^{k_2} \cdots x_n^{k_n}. $$
Each coefficient $a_{k_1 k_2 \cdots k_n} \in GF(p)$ is a constant. The function f(x) is called an affine function if $f(x) = a_1 x_1 + a_2 x_2 + \cdots + a_n x_n + a_0$. If $a_0 = 0$, f(x) is also called a linear function. We will denote by $F_n$ the set of all functions of n variables from $GF(p)^n$ to GF(p) (the Boolean functions when p = 2) and by $L_n$ the set of affine ones. We will call a function nonlinear if it is not in $L_n$.

If $f(x) \in F_n$, then f(x) is called a symmetric function if for any permutation σ on {1, 2, ..., n}, we have $f(x_{\sigma(1)}, x_{\sigma(2)}, \ldots, x_{\sigma(n)}) = f(x_1, x_2, \ldots, x_n)$. Let
$$ \phi_k(x) = \sum_{\{i_1, i_2, \ldots, i_k\} \subset \{1, 2, \ldots, n\}} x_{i_1} x_{i_2} \cdots x_{i_k}. $$

0020-0190/$ – see front matter 2005 Elsevier B.V. All rights reserved. doi:10.1016/j.ipl.2005.06.010



We call $\phi_k$ the kth order elementary symmetric polynomial. It is well known that any symmetric polynomial can be written as a polynomial in $\phi_1, \phi_2, \ldots, \phi_n$, i.e., if $f \in F_n$ is symmetric, then $f = g(\phi_1, \phi_2, \ldots, \phi_n)$, where $g \in F_n$.

For any $x, y \in GF(p)^n$, $x = (x_1, x_2, \ldots, x_n)$, $y = (y_1, y_2, \ldots, y_n)$, we say x and y are equivalent, denoted by $x \sim y$, if there exists a permutation σ on {1, 2, ..., n} such that $(y_1, y_2, \ldots, y_n) = (x_{\sigma(1)}, x_{\sigma(2)}, \ldots, x_{\sigma(n)})$ (y = σ(x)); ∼ is obviously an equivalence relation over $GF(p)^n$. Let $\tilde{x} = \{y \mid \exists \sigma,\ \sigma(x) = y\}$ be the class of x, and let $\bar{x} = (x_1, x_2, \ldots, x_n)$ with $0 \le x_1 \le x_2 \le \cdots \le x_n \le p - 1$ (the components of x in non-decreasing order) be the representative of $\tilde{x}$. Immediately, we have $\tilde{x} = \tilde{y} \Leftrightarrow \bar{x} = \bar{y}$. We denote by $e_j = (j, j, \ldots, j)$ the equal component vectors, j = 0, 1, ..., p − 1.

Let $w = e^{2\pi i/p}$. We call the complex number
$$ S_f(x) = \sum_{y \in GF(p)^n} w^{f(y) - x \cdot y} $$
the Walsh transform of f, where $x \cdot y = x_1 y_1 + \cdots + x_n y_n$ is the inner product of x and y over GF(p) (the exponent is taken mod p, since $w^p = 1$). The inverse transform is expressed as
$$ w^{f(x)} = p^{-n} \sum_{y \in GF(p)^n} S_f(y)\, w^{x \cdot y}, $$
which follows from $\sum_{y \in GF(p)^n} w^{y \cdot (x - z)} = p^n$ if $z = x$ and 0 otherwise. We have

Lemma 1. f(x) is symmetric if and only if $S_f(x)$ is symmetric (as a function from $GF(p)^n$ to C, the complex numbers).
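The following script, an added example that is not part of the paper, computes $S_f$ directly from the definition above for small p and n, checks the inverse formula, tests Lemma 1 on one symmetric and one non-symmetric function, searches for the vector α of Lemma 4 below, and verifies the identity $S_g(x) = w^{x \cdot X_0} S_f(x)$ for $g(x) = f(x + X_0)$ on which the proof of Theorem 1 below rests. The functions phi2, phi1_sq and first_coord over $GF(3)^2$ and the shift $X_0 = (1, 2)$ are constructed inputs, and all function names are this example's own.

```python
"""Walsh transform over GF(p), as defined in the text, for small p and n.

Added example (not from the paper). S_f(x) = sum_y w^{f(y) - x.y}, w = exp(2*pi*i/p),
is computed straight from the definition (p^{2n} terms), the inverse formula
w^{f(x)} = p^{-n} sum_y S_f(y) w^{x.y} is checked, Lemma 1 is tested on a symmetric
and a non-symmetric f, Lemma 4's alpha is searched for, and the identity
S_g(x) = w^{x.X0} S_f(x) for g(x) = f(x + X0) from the proof of Theorem 1 is verified.
"""
import cmath
from itertools import permutations, product

TOL = 1e-9


def vectors(p, n):
    """All vectors of GF(p)^n in lexicographic order."""
    return list(product(range(p), repeat=n))


def dot(x, y, p):
    """Inner product x.y over GF(p)."""
    return sum(a * b for a, b in zip(x, y)) % p


def root_of_unity(p):
    return cmath.exp(2j * cmath.pi / p)


def walsh(f, p, n):
    """S_f as a dict x -> complex, computed from the definition."""
    w, vs = root_of_unity(p), vectors(p, n)
    return {x: sum(w ** ((f(y) - dot(x, y, p)) % p) for y in vs) for x in vs}


def inverse_walsh(S, p, n):
    """Recover f from S_f via w^{f(x)} = p^{-n} sum_y S_f(y) w^{x.y}; returns dict x -> f(x)."""
    w, vs = root_of_unity(p), vectors(p, n)
    f = {}
    for x in vs:
        val = sum(S[y] * w ** dot(x, y, p) for y in vs) / p ** n
        # val is (numerically) a p-th root of unity w^k; f(x) is that k
        f[x] = min(range(p), key=lambda k: abs(val - w ** k))
    return f


def table(f, p, n):
    """Truth table of f as a dict x -> f(x)."""
    return {x: f(x) for x in vectors(p, n)}


def is_symmetric(tab, p, n):
    """True iff the table (values in GF(p) or in C) is invariant under every permutation of coordinates."""
    return all(abs(tab[x] - tab[tuple(x[i] for i in perm)]) < TOL
               for x in vectors(p, n) for perm in permutations(range(n)))


def lemma4_alphas(f, p, n):
    """All alpha outside {e_0, ..., e_{p-1}} with S_f(alpha) != 0.
    Lemma 4 says this list is nonempty when f is symmetric but not a polynomial in phi_1 alone."""
    S = walsh(f, p, n)
    return [a for a in vectors(p, n) if len(set(a)) > 1 and abs(S[a]) > TOL]


def shifted(f, X0, p):
    """g(x) = f(x + X0)."""
    return lambda x: f(tuple((a + b) % p for a, b in zip(x, X0)))


def shift_identity_holds(f, X0, p, n):
    """Check S_g(x) = w^{x.X0} S_f(x) for g = f(. + X0), the key step of the proof of Theorem 1."""
    w = root_of_unity(p)
    Sf, Sg = walsh(f, p, n), walsh(shifted(f, X0, p), p, n)
    return all(abs(Sg[x] - w ** dot(x, X0, p) * Sf[x]) < TOL for x in vectors(p, n))


# Constructed inputs over GF(3)^2.
P, N = 3, 2
def phi2(x): return x[0] * x[1] % P          # symmetric, not a function of phi_1
def phi1_sq(x): return sum(x) ** 2 % P       # symmetric, a polynomial in phi_1 alone
def first_coord(x): return x[0]              # not symmetric

if __name__ == "__main__":
    S = walsh(phi2, P, N)
    print("S_f symmetric:", is_symmetric(S, P, N),
          "inverse ok:", inverse_walsh(S, P, N) == table(phi2, P, N))
    print("Lemma 4 alphas for phi2:", lemma4_alphas(phi2, P, N))
    X0 = (1, 2)
    print("shift identity:", shift_identity_holds(phi2, X0, P, N),
          "f(x+X0) symmetric for phi2 / phi1^2:",
          is_symmetric(table(shifted(phi2, X0, P), P, N), P, N),
          is_symmetric(table(shifted(phi1_sq, X0, P), P, N), P, N))
```

Run as a script to print the checks. The transform here costs $p^{2n}$ root-of-unity multiplications, which is fine for the hand-sized cases of this paper; for larger n a fast (butterfly) transform over GF(p) is the usual tool.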

3. Linear structures

Definition 1. If $f(x) \in F_n$, a vector $\alpha \in GF(p)^n$ is called a linear structure of f(x) if $f(x + \alpha) - f(x) = c$ (constant) for any $x \in GF(p)^n$. If c = 0, we call α an invariant linear structure.

Let
$$ V_f(i) = \{\alpha \mid f(x + \alpha) - f(x) = i,\ \forall x \in GF(p)^n\}, \qquad 0 \le i \le p - 1. $$
Then $V_f = \bigcup_{i=0}^{p-1} V_f(i)$ is the set of all the linear structures of f.
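An added example (not code from the paper) that computes the sets $V_f(i)$ of Definition 1 by exhaustive search over $GF(p)^n$. The three symmetric functions over $GF(3)^2$ at the end, $2\phi_1 + 1$, $\phi_1^2$ and $\phi_2 = x_1 x_2$, are constructed test inputs and their names are this example's own. Note that $\phi_1^2$ is nonlinear and yet has the invariant linear structures (1, 2) and (2, 1): adding a vector whose component sum is 0 mod 3 does not change $\phi_1$.

```python
"""Linear structures of f: GF(p)^n -> GF(p) by exhaustive search (Definition 1).

Added example (not from the paper). For every alpha in GF(p)^n the differences
f(x + alpha) - f(x) are collected over all x; alpha belongs to V_f(c) exactly when
that set is the single value {c}.
"""
from itertools import product


def vectors(p, n):
    """All vectors of GF(p)^n in lexicographic order."""
    return list(product(range(p), repeat=n))


def vadd(x, y, p):
    return tuple((a + b) % p for a, b in zip(x, y))


def linear_structures(f, p, n):
    """Return {i: list V_f(i)} for i = 0..p-1 (lexicographic order); the union is V_f."""
    V = {i: [] for i in range(p)}
    for alpha in vectors(p, n):
        diffs = {(f(vadd(x, alpha, p)) - f(x)) % p for x in vectors(p, n)}
        if len(diffs) == 1:             # the difference is the same constant for every x
            V[diffs.pop()].append(alpha)
    return V


def all_structures(V):
    """V_f as a set."""
    return {a for vs in V.values() for a in vs}


def is_subspace(S, p):
    """Closure under vector addition and scalar multiplication over GF(p)."""
    S = set(S)
    return (all(vadd(a, b, p) in S for a in S for b in S)
            and all(tuple(k * c % p for c in a) in S for a in S for k in range(p)))


def dim(S, p):
    """Dimension of a subspace of GF(p)^n, read off its size p^d."""
    d = 0
    while p ** d < len(S):
        d += 1
    return d


def is_equal_component(alpha):
    """alpha in {e_0, ..., e_{p-1}}."""
    return len(set(alpha)) == 1


# Constructed inputs over GF(3)^2.
P, N = 3, 2
def affine(x): return (2 * sum(x) + 1) % P   # 2*phi_1 + 1
def phi1_sq(x): return sum(x) ** 2 % P       # phi_1^2: nonlinear, but a polynomial in phi_1 alone
def phi2(x): return x[0] * x[1] % P          # phi_2 = x1 x2: not a function of phi_1

V_affine = linear_structures(affine, P, N)
V_phi1_sq = linear_structures(phi1_sq, P, N)
V_phi2 = linear_structures(phi2, P, N)

if __name__ == "__main__":
    for name, V in (("2*phi1+1", V_affine), ("phi1^2", V_phi1_sq), ("phi2", V_phi2)):
        S = all_structures(V)
        print(name, {i: V[i] for i in range(P) if V[i]},
              "dim V_f =", dim(S, P), "dim V_f(0) =", dim(V[0], P),
              "structures outside {e_j}:", sorted(a for a in S if not is_equal_component(a)))
```

For the affine function every vector is a linear structure and $\dim V_f = \dim V_f(0) + 1$; for $\phi_2$ only $e_0$ is; for $\phi_1^2$ the set $V_f(0)$ is the line $\{\alpha : \alpha_1 + \alpha_2 \equiv 0\}$ and no $V_f(i)$ with $i \ne 0$ is nonempty.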

Lemma 2. $V_f(0)$ and $V_f$ form vector subspaces of $GF(p)^n$, and $V_f(i) \cap V_f(j) = \emptyset$ if $i \ne j$. If $\alpha_i \in V_f(i)$, then $V_f(i) = \alpha_i + V_f(0)$, and $\dim V_f = \dim V_f(0) + 1$ whenever some $V_f(i)$ with $i \ne 0$ is nonempty (otherwise $V_f = V_f(0)$).

Proof. The proof is just simple linear algebra. □

Let $C(n, k) = \frac{n!}{k!\,(n-k)!}$ if $0 \le k \le n$ and 0 otherwise; then we have

Lemma 3. The number of n-variable symmetric polynomials over GF(p) is $p^{C(p+n-1,\,n)}$.

Proof. The number of different vector classes $\tilde{x}$ is the number of solutions of the equation $i_0 + i_1 + \cdots + i_{p-1} = n$, where $i_k$ is the number of times that k appears in $\bar{x}$. According to [1] (p. 69), this number is $C(p + n - 1, n)$. Since a symmetric function f(x) has the same value on every element of $\tilde{x}$, and any assignment of values to the classes gives a symmetric function, we are done. □

Lemma 4. If f is symmetric (hence, a polynomial in $\phi_1, \ldots, \phi_n$), but not a polynomial (in one variable) in $\phi_1$, then there exists $\alpha \in GF(p)^n - \{e_0, \ldots, e_{p-1}\}$ such that $S_f(\alpha) \ne 0$.

Proof. If $S_f(\alpha) = 0$ for all $\alpha \in GF(p)^n - \{e_0, \ldots, e_{p-1}\}$, then by the inverse transform
$$ w^{f(x)} = p^{-n}\Big( S_f(e_0) + S_f(e_1)\, w^{\sum_{i=1}^n x_i} + \cdots + S_f(e_{p-1})\, w^{(p-1)\sum_{i=1}^n x_i} \Big). $$
The right side is a function of $\phi_1 = \sum_{i=1}^n x_i$, hence f(x) is a polynomial in $\phi_1$. □

Theorem 1. Suppose f(x) is symmetric and $X_0 \in GF(p)^n - \{e_0, \ldots, e_{p-1}\}$. Then $f(x + X_0)$ is symmetric if and only if f(x) can be written as a one variable polynomial in $\phi_1$.

Proof. The sufficiency is obvious. We prove necessity as follows.

Let $g(x) = f(x + X_0)$, so we have
$$ S_g(x) = \sum_{y \in GF(p)^n} w^{g(y) - x \cdot y} = \sum_{y \in GF(p)^n} w^{f(y + X_0) - x \cdot y} = \sum_{y' \in GF(p)^n} w^{f(y') - x \cdot (y' - X_0)} = w^{x \cdot X_0} \sum_{y' \in GF(p)^n} w^{f(y') - x \cdot y'} = w^{x \cdot X_0} S_f(x). $$

Because of symmetry, we may assume $X_0 = (b_1, \ldots, b_n)$ with $p - 1 \ge b_1 \ge b_2 \ge \cdots \ge b_n \ge 0$. By Lemma 4, if f is not a polynomial in $\phi_1$, then we can find $\alpha = (a_1, \ldots, a_n) \notin \{e_0, e_1, \ldots, e_{p-1}\}$ such that $S_f(\alpha) \ne 0$. By Lemma 1, $S_f$ and $S_g$ are symmetric. Again, we may assume $p - 1 \ge a_1 \ge a_2 \ge \cdots \ge a_n \ge 0$ (so $a_1 \ne a_n$, since α is not an equal component vector). Let $\beta = (a_n, a_2, \ldots, a_{n-1}, a_1)$; then $\alpha \sim \beta$. We have
$$ S_g(\beta) = S_g(\alpha) \;\Rightarrow\; w^{\beta \cdot X_0} S_f(\beta) = w^{\alpha \cdot X_0} S_f(\alpha) \;\Rightarrow\; w^{\beta \cdot X_0} = w^{\alpha \cdot X_0}, $$
since $S_f(\beta) = S_f(\alpha) \ne 0$. Hence
$$ (\alpha - \beta) \cdot X_0 \equiv 0 \pmod p \;\Rightarrow\; (a_1 - a_n) b_1 + (a_n - a_1) b_n = (a_1 - a_n)(b_1 - b_n) = 0 \;\Rightarrow\; a_1 = a_n \text{ or } b_1 = b_n \;\Rightarrow\; a_1 = \cdots = a_n \text{ or } b_1 = \cdots = b_n \;\Rightarrow\; \alpha \in \{e_0, \ldots, e_{p-1}\} \text{ or } X_0 \in \{e_0, \ldots, e_{p-1}\}, $$
a contradiction. □

Theorem 2. Let f(x) be a symmetric function from $GF(p)^n$ to GF(p), with $n \ge 2$. Then

(1) f(x) is constant if and only if every vector in $GF(p)^n$ is an invariant linear structure of f(x).

(2) f(x) is affine, i.e. $f(x) = a\phi_1 + b$ for some $a, b \in GF(p)$, if and only if every vector in $GF(p)^n$ is a linear structure of f(x).

(3) f(x) is not a polynomial in $\phi_1$ alone (in particular, f(x) is nonlinear) if and only if f(x) has no linear structure other than $e_0, e_1, \ldots, e_{p-1}$.

Proof. (1) Obvious.

(2) Necessity is obvious. For sufficiency, choose $X_0 = (1, 0, \ldots, 0) \in GF(p)^n - \{e_0, e_1, \ldots, e_{p-1}\}$ (this uses $n \ge 2$), so that $\phi_1(X_0) = 1$. Now $f(x + X_0) - f(x) = c$ means $f(x + X_0) = f(x) + c$ is symmetric. By Theorem 1, f is a polynomial in $\phi_1$, i.e., $f(x) = g(\phi_1)$, g a one variable polynomial, which we may take of degree at most $p - 1$. But if $\deg(g) \ge 2$, then $f(x + X_0) - f(x) = g(\phi_1 + 1) - g(\phi_1)$ is not a constant: $\deg(g(t + 1) - g(t)) = \deg(g) - 1$ lies between 1 and $p - 2$ (its leading coefficient $\deg(g) \cdot a_{\deg g}$ is nonzero mod p), so it is a non-constant function of t, and $\phi_1$ takes every value t in GF(p). Hence $\deg(g) \le 1$, i.e., $f(x) = a\phi_1 + b$.

(3) Necessity: suppose f is not a polynomial in $\phi_1$ alone, and let $\alpha \in GF(p)^n - \{e_0, e_1, \ldots, e_{p-1}\}$ be a linear structure, $f(x + \alpha) - f(x) = c$. Then $f(x + \alpha) = f(x) + c$ is symmetric, so by Theorem 1 f is a polynomial in $\phi_1$, a contradiction. Sufficiency: if $f = g(\phi_1)$, take $\alpha = (1, p - 1, 0, \ldots, 0) \notin \{e_0, \ldots, e_{p-1}\}$ (again $n \ge 2$). Since $\phi_1(x + \alpha) = \phi_1(x) + 1 + (p - 1) = \phi_1(x)$, we get $f(x + \alpha) = f(x)$ for all x, so α is an invariant linear structure other than the $e_i$. □

If p = 2, this is Theorem 1 of [4]: over GF(2), $\phi_1$ takes only the values 0 and 1, so every polynomial in $\phi_1$ alone is affine and (3) reads "f is nonlinear if and only if f has no linear structure other than $e_0, e_1$". For p > 2 the hypothesis of (3) cannot be weakened to "f is nonlinear": for example $f(x_1, x_2) = (x_1 + x_2)^2 = \phi_1^2$ over GF(3) is nonlinear, yet (1, 2) is an invariant linear structure of it. Theorem 2 says that, for a symmetric polynomial that is not a polynomial in $\phi_1$ alone, only the $e_i$ can be linear structures. We now consider this case further.

Lemma 5. For any fixed k, $1 \le k \le p - 1$, $e_k = (k, \ldots, k)$ and $x = (x_1, x_2, \ldots, x_n)$, we have
$$ \tilde{x} = \widetilde{x + e_k} \iff p \mid n \text{ and } \bar{x} = (\underbrace{0, \ldots, 0}_{n/p}, \underbrace{1, \ldots, 1}_{n/p}, \ldots, \underbrace{p-1, \ldots, p-1}_{n/p}). $$

Proof. Sufficiency is obvious. For necessity, let $i_0$ be a component of x; then so are $i_0 + jk$, j = 0, ..., p − 1, since $\tilde{x} = \widetilde{x + e_k}$. But $\{i_0, i_0 + k, \ldots, i_0 + (p-1)k\} = \{0, 1, \ldots, p-1\}$, so
$$ \bar{x} = (\underbrace{0, \ldots, 0}_{N_0}, \underbrace{1, \ldots, 1}_{N_1}, \ldots, \underbrace{p-1, \ldots, p-1}_{N_{p-1}}). $$
We have $N_0 = N_k = N_{2k} = \cdots = N_{(p-1)k}$ since $\tilde{x} = \widetilde{x + e_k}$. We get $N_0 = N_1 = \cdots = N_{p-1}$ because $\{0, k, \ldots, (p-1)k\} = \{0, 1, \ldots, p-1\}$. Hence $N_i = n/p$ for any i = 0, ..., p − 1. □

Theorem 3. For any fixed $i_0$, $1 \le i_0 \le p - 1$, the number of symmetric polynomials with an invariant linear structure $e_{i_0} = (i_0, \ldots, i_0)$ is the same, namely
$$ N = \begin{cases} p^{C(p+n-1,\,n)/p} & \text{if } p \nmid n, \\ p^{1 + (C(p+n-1,\,n) - 1)/p} & \text{if } p \mid n. \end{cases} $$

Proof. For a fixed $i_0$, $f(x + e_{i_0}) - f(x) = 0$ for any x implies $f(x + k e_{i_0}) - f(x) = 0$ for any x and k. Hence, for any x and i,
$$ f(x + e_i) - f(x) = 0. \qquad (1) $$

Case 1. $p \nmid n$. If $k \ne t$, then $\widetilde{x + e_k}$ and $\widetilde{x + e_t}$ are different vector classes by Lemma 5. But $f(x + e_k) = f(x + e_t)$ because of Eq. (1). The total number of different vector classes is $C(p + n - 1, n)$ (see the proof of Lemma 3). Now $\tilde{x}, \widetilde{x + e_1}, \ldots, \widetilde{x + e_{p-1}}$ are different, but f has the same value on them, hence the number of such functions must be $p^{C(p+n-1,\,n)/p}$.

Case 2. $p \mid n$. By Lemma 5, $\widetilde{x + e_i}$ and $\widetilde{x + e_j}$ are different for any x and any $i \ne j$ except for $\bar{x} = (\underbrace{0, \ldots, 0}_{n/p}, \underbrace{1, \ldots, 1}_{n/p}, \ldots, \underbrace{p-1, \ldots, p-1}_{n/p})$, whose class is fixed by every $e_i$. Hence the number of functions is $p^{1 + (C(p+n-1,\,n) - 1)/p}$. □

If p = 2, this result was given by [4] (corollary to Theorem 2). Since there are only $p^2$ affine symmetric functions, we know most symmetric functions with invariant linear structure $e_i$ are nonlinear.

Let
$$ N_{ij} = \#\{ f \mid f(x + e_i) - f(x) = j,\ \forall x \in GF(p)^n \}, \qquad 1 \le i \le p - 1,\ 1 \le j \le p - 1. $$
Now $f(x + e_i) = f(x) + j$ for any x implies $f(x + k e_i) = f(x) + kj$, k = 0, 1, ..., p − 1. In other words, for fixed j, $f(x + k e_i)$, hence $f(x + e_k)$, is determined by f(x) for any k = 0, 1, ..., p − 1. If $p \mid n$, let $\bar{x} = (\underbrace{0, \ldots, 0}_{n/p}, \underbrace{1, \ldots, 1}_{n/p}, \ldots, \underbrace{p-1, \ldots, p-1}_{n/p})$; then


$N_{ij} = 0$, since for this x we have $\widetilde{x + e_i} = \tilde{x}$ by Lemma 5, so $f(x + e_i) - f(x) = 0 \ne j$. Similar to Theorem 3, we have

Theorem 4. For any $i, j \in \{1, 2, \ldots, p - 1\}$,
$$ N_{ij} = \begin{cases} p^{C(p+n-1,\,n)/p} & \text{if } p \nmid n, \\ 0 & \text{if } p \mid n. \end{cases} $$
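An added example (not the paper's code) that enumerates every symmetric function for small p and n as in the proof of Lemma 3 (one value in GF(p) per class $\tilde{x}$) and counts those with $f(x + e_i) - f(x) = j$ for all x, comparing the counts with the closed forms of Theorem 3 (j = 0) and Theorem 4 ($j \ne 0$); it also lists the classes fixed by adding $e_i$, which Lemma 5 says is the balanced class when $p \mid n$ and none otherwise. The (p, n) pairs and function names are this example's choices.

```python
"""Brute-force check of Lemma 3 and Theorems 3 and 4 for small p and n.

Added example (not from the paper). A symmetric f is an arbitrary assignment of a
value in GF(p) to each class x~ (held by its sorted representative x_bar), so every
one of the p^{C(p+n-1,n)} symmetric functions is enumerated and tested for
f(x + e_i) - f(x) = j at all x; the counts are then compared with the closed forms.
"""
from itertools import combinations_with_replacement, product
from math import comb


def classes(p, n):
    """Sorted representatives x_bar of all classes of GF(p)^n under coordinate permutation."""
    return list(combinations_with_replacement(range(p), n))


def fixed_classes(p, n, i):
    """Classes x~ with x~ + e_i = x~ (Lemma 5: only the balanced one, and only if p | n)."""
    return [r for r in classes(p, n) if tuple(sorted((c + i) % p for c in r)) == r]


def count_with_structure(p, n, i, j):
    """#{symmetric f : f(x + e_i) - f(x) = j for all x}, by exhaustive enumeration.

    f and the map x -> class(x + e_i) both depend only on the class of x, so it
    suffices to test one representative per class."""
    reps = classes(p, n)
    index = {r: k for k, r in enumerate(reps)}
    target = [index[tuple(sorted((c + i) % p for c in r))] for r in reps]  # class of x_bar + e_i
    count = 0
    for values in product(range(p), repeat=len(reps)):   # one value per class = one symmetric f
        if all((values[t] - values[k]) % p == j for k, t in enumerate(target)):
            count += 1
    return count


def theorem3(p, n):
    """Closed form for the number of symmetric f with invariant linear structure e_i, i != 0."""
    C = comb(p + n - 1, n)
    return p ** (C // p) if n % p else p ** (1 + (C - 1) // p)


def theorem4(p, n):
    """Closed form for N_ij, j != 0."""
    C = comb(p + n - 1, n)
    return p ** (C // p) if n % p else 0


if __name__ == "__main__":
    for p, n in ((2, 3), (2, 4), (3, 2), (3, 3)):
        print("p=%d n=%d: %d classes (Lemma 3: C(p+n-1,n) = %d), fixed by e_1: %s"
              % (p, n, len(classes(p, n)), comb(p + n - 1, n), fixed_classes(p, n, 1)))
        for i in range(1, p):
            got = [count_with_structure(p, n, i, j) for j in range(p)]
            print("  e_%d: N = %d (Theorem 3: %d), N_ij for j>0 = %s (Theorem 4: %d)"
                  % (i, got[0], theorem3(p, n), got[1:], theorem4(p, n)))
```

The enumeration is $p^{C(p+n-1,n)}$ functions, so it is only feasible for the tiny parameters shown (p = 3, n = 3 already means 59049 functions); the point is an independent check of the orbit-counting argument, not a method for large n.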

If p = 2, this result was given by [4] (Theorem 3).

We take this opportunity to remark that Theorem 4 in [4] is not correct. Here is a counterexample for n = 3, where we use x, y, z to denote the three variables. The sets A and B defined in Lemma 5 of [4] are A = {0, 1, g, g + 1}, B = {f, h, f + 1, h + 1}, where f = x + y + z, g = x + y + z + xy + xz + yz and h = xy + xz + yz. Now calculation gives gf = g(h + 1) = xyz + x + y + z, so the first sentence of the proof of Theorem 4 in [4] (which says that all of the products of a nonzero function from A and a function from B are different) is false. In fact, the set of all products of a nonconstant function from A and a function from B contains only 4 elements (namely xyz, xyz + f, xyz + h and xyz + g + 1), instead of the 8 elements that would be needed if the proof of Theorem 4 of [4] were to be correct.
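The calculation in the remark above, as an added example (not from the paper or from [4]): Boolean functions of three variables over GF(2) are stored as 8-bit truth tables, the sets A and B and the functions f, g, h are built from their definitions, and the products are counted. Variable and function names are this example's own.

```python
"""The Dawson-Wu counterexample, checked with 3-variable Boolean functions over GF(2).

Added example (not from the paper). A function of x, y, z is stored as an 8-bit
truth table (bit 4x+2y+z holds its value at (x, y, z)); the sum over GF(2) is then
XOR and the product is AND.
"""
from itertools import product


def tt(expr):
    """Truth table (as an int) of a Python expression in x, y, z."""
    return sum(expr(x, y, z) << (4 * x + 2 * y + z) for x, y, z in product((0, 1), repeat=3))


ONE = tt(lambda x, y, z: 1)
X, Y, Z = tt(lambda x, y, z: x), tt(lambda x, y, z: y), tt(lambda x, y, z: z)
XYZ = X & Y & Z
F = X ^ Y ^ Z                       # f = x + y + z
H = (X & Y) ^ (X & Z) ^ (Y & Z)     # h = xy + xz + yz
G = F ^ H                           # g = x + y + z + xy + xz + yz
A = [0, ONE, G, G ^ ONE]            # {0, 1, g, g+1}
B = [F, H, F ^ ONE, H ^ ONE]        # {f, h, f+1, h+1}
NAMES = {XYZ: "xyz", XYZ ^ F: "xyz+f", XYZ ^ H: "xyz+h", XYZ ^ G ^ ONE: "xyz+g+1",
         F: "f", H: "h", F ^ ONE: "f+1", H ^ ONE: "h+1"}


def products(left, right):
    """All products a*b (a in left, b in right) as truth tables, with repetitions."""
    return [a & b for a in left for b in right]


def distinct_products(left, right):
    return set(products(left, right))


def nonzero(funcs):
    return [t for t in funcs if t != 0]


def nonconstant(funcs):
    return [t for t in funcs if t not in (0, ONE)]


def name(t):
    return NAMES.get(t, "tt=%08b" % t)


if __name__ == "__main__":
    print("gf == g(h+1) == xyz+f:", G & F == G & (H ^ ONE) == XYZ ^ F)
    nz = distinct_products(nonzero(A), B)
    print("nonzero A x B: %d products, %d distinct" % (len(nonzero(A)) * len(B), len(nz)))
    nc = distinct_products(nonconstant(A), B)
    print("nonconstant A x B: %d products, %d distinct:" % (len(nonconstant(A)) * len(B), len(nc)),
          sorted(name(t) for t in nc))
```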

References

[1] C.A. Charalambides, Enumerative Combinatorics, CRC Press, New York, 2002.

[2] C.-k. Wu, E. Dawson, Correlation immunity and resiliency of symmetric Boolean functions, Theoret. Comput. Sci. 312 (2004) 321–335.

[3] T.W. Cusick, Y. Li, kth order symmetric SAC Boolean functions and bisecting binomial coefficients, Discrete Appl. Math. 149 (2005) 73–86.

[4] E. Dawson, C.-k. Wu, On the linear structure of symmetric Boolean functions, Australas. J. Combin. 16 (1997) 239–243.

[5] K. Feng, F. Liu, New results on the nonexistence of generalized bent functions, IEEE Trans. Inform. Theory 49 (2003) 3066–3071.

[6] K. Gopalakrishnan, D.G. Hoffman, D.R. Stinson, A note on a conjecture concerning symmetric resilient functions, Inform. Process. Lett. 47 (1993) 139–143.

[7] P.V. Kumar, R.A. Scholtz, L.R. Welch, Generalized bent functions and their properties, J. Combin. Theory (A) 40 (1985) 90–107.

[8] M. Liu, P. Lu, G.L. Mullen, Correlation-immune functions over finite fields, IEEE Trans. Inform. Theory 44 (1998) 1273–1276.

[9] S. Maitra, P. Sarkar, Maximum nonlinearity of symmetric Boolean functions on odd number of variables, IEEE Trans. Inform. Theory 48 (2002) 2626–2630.

[10] C. Mitchell, Enumerating Boolean functions of cryptographic significance, J. Cryptology 2 (1990) 155–170.

[11] P. Savicky, On the bent Boolean functions that are symmetric, European J. Combin. 15 (1994) 407–410.

[12] Y. Li, T.W. Cusick, Strict avalanche criterion over finite fields, http://eprint.iacr.org/2005/361.pdf.

[13] Y. Hu, G. Xiao, Resilient functions over finite fields, IEEE Trans. Inform. Theory 49 (2003) 2040–2046.