A construction method of balanced rotation symmetric Boolean functions on arbitrary even number of variables with optimal algebraic immunity

Abstract

Rotation symmetric Boolean functions incorporate a super-class of symmetric functions which represent an attractive corpus for computer investigation. These functions have been investigated from the viewpoints of bentness and correlation immunity and have also played a role in the study of nonlinearity. In the literature, many constructions of balanced odd-variable rotation symmetric Boolean functions with optimal algebraic immunity have been derived. While it seems that the construction of balanced even-variable rotation symmetric Boolean functions with optimal algebraic immunity is very hard work to breakthrough. In this paper, we present for the first time a construction of balanced rotation symmetric Boolean functions on an arbitrary even number of variables with optimal algebraic immunity by modifying the support of the majority function. The nonlinearity of the newly constructed rotation symmetric Boolean functions is also derived.

Change history

• 26 November 2020

  The CE name is incorrectly published. The correct CE name is C. Ding.

Appendix

In Sect. 3, we said:“In fact, we can use the subsets A, T, and \(P'\) of \({\mathbb {F}}_2^n\) being defined above to construct an n-variable balanced RS Boolean function with optimal algebraic immunity, but its nonlinearity would be low.” Now, we give the details as follows.

With the subsets A, T, and \(P'\) of \({\mathbb {F}}_2^n\) being defined in (5) and (6), define an n-variable Boolean function as

$$\begin{aligned} g(x)=\left\{ \begin{array}{ll}F(x)\oplus 1,&{}{x\in A\cup T\cup P'},\\ F(x),&{}\mathrm {otherwise}, \end{array}\right. \end{aligned}$$

(19)

where \(x\in {\mathbb {F}}_2^n\) and F is the n-variable majority function defined in (12).

Example 3

When \(n=4,6,\ldots ,12\), the subsets \(S'\) and \(P'\) of \({\mathbb {F}}_2^n\) defined in (6) and the algebraic degree, algebraic immunity, fast algebraic immunity of the n-variable Boolean function g in (19) are given as follows.

(1):

When \(n=4\) or 6, the n-variable Boolean function g defined in (19) is the same as the n-variable Boolean function f defined in (11), since \(S'=S\) and \(P'=P\) if \(n=4\) or 6.

(2):

If \(n= 8\), the subsets \(S'\) and \(P'\) of \({\mathbb {F}}_2^n\) defined in (6) are

$$\begin{aligned} S'= & {} \{23, 46, 92, 113, 139, 184, 197, 226\}\cup \{27,54,99,108,141,177,198,216\}\\&\cup \{43, 86, 89, 101, 149, 172, 178, 202\},\\ P'= & {} \{29, 58, 71, 116, 142, 163, 209, 232\}\cup \{39, 57, 78, 114, 147, 156, 201, 228\}\\&\cup \{53, 77, 83, 106, 154, 166, 169, 212\}. \end{aligned}$$

Then, the 8-variable Boolean function g defined in (19) satisfies \(deg(g)=5\), \(AI(g)=4\), and \(FAI(g)=5\).

(3):

If \(n=10\), the subsets \(S'\) and \(P'\) of \({\mathbb {F}}_2^n\) defined in (6) are

$$\begin{aligned} \begin{array}{llll} S'=\{O_{10}(47), O_{10}(55), O_{10}(59), O_{10}(87), O_{10}(91), O_{10}(103), O_{10}(107),\\ \qquad O_{10}(109), O_{10}(171), O_{10}(173), O_{10}(179)\},\\ P'=\{O_{10}(61), O_{10}(79), O_{10}(115), O_{10}(117), O_{10}(121),O_{10}(151),O_{10}(157),\\ \qquad O_{10}(167), O_{10}(181),O_{10}(205),O_{10}(213)\}. \end{array} \end{aligned}$$

Then, the 10-variable Boolean function g defined in (19) satisfies \(deg(g)=7,AI(g)=5\) and \(FAI(g)=6\).

(4):

If \(n=12\), the subsets \(S'\) and \(P'\) of \({\mathbb {F}}_2^n\) defined in (6) are

$$\begin{aligned} \begin{array}{llll} S'=\{O_{12}(95), O_{12}(111), O_{12}(119), O_{12}(123), O_{12}(175), O_{12}(183), O_{12}(187), \\ \qquad ~O_{12}(207), O_{12}(215), O_{12}(219), O_{12}(221), O_{12}(231), O_{12}(235), O_{12}(237),\\ \qquad ~ O_{12}(311), O_{12}(343), O_{12}(347), O_{12}(349), O_{12}(359), O_{12}(363), O_{12}(365),\\ \qquad ~ O_{12}(371), O_{12}(407), O_{12}(411),O_{12}(423), O_{12}(427), O_{12}(429), O_{12}(435),\\ \qquad ~ O_{12}(437), O_{12}(603), O_{12}(619), O_{12}(683), O_{12}(685), O_{12}(691), O_{12}(717)\},\\ P'=\{O_{12}(125), O_{12}(249), O_{12}(287), O_{12}(159), O_{12}(245), O_{12}(489),O_{12}(317), \\ \qquad ~ O_{12}(243), O_{12}(485), O_{12}(591), O_{12}(377), O_{12}(399), O_{12}(335), O_{12}(303), \\ \qquad ~ O_{12}(473), O_{12}(469), O_{12}(629), O_{12}(373), O_{12}(467), O_{12}(669), O_{12}(605),\\ \qquad ~ O_{12}(413), O_{12}(461), O_{12}(627), O_{12}(459), O_{12}(679), O_{12}(663), O_{12}(615),\\ \qquad ~ O_{12}(599), O_{12}(621), O_{12}(667), O_{12}(853), O_{12}(725), O_{12}(821), O_{12}(723)\}.\\ \end{array} \end{aligned}$$

Then, the 12-variable Boolean function g defined in (19) satisfies \(deg(g)=9,AI(g)=6\) and \(FAI(g)=10\).

Similarly, the cryptographic properties of the n-variable Boolean function g defined in (19) are given as follows.

Firstly, according to Theorem 1, we know the function g(x) defined in (19) is a balanced RS Boolean function, since \(|P'|=|P|\) which is given in (14) and \(O_n(x)\subseteq P'\) for all the vectors \(x\in P'\).

Secondly, by the same discussion as we did in the proof of Theorem 2, we know the n-variable RS Boolean function g(x) defined in (19) has optimal algebraic immunity.

Thirdly, the nonlinearity of the function g(x) defined in (19) would be low since we can only deduce the Walsh transform of the function g at the vector \(\omega \in {\mathbb {F}}_2^n\) with \(\mathrm {wt}(\omega )\in \{3,5,\ldots ,n-1\}\) as

$$\begin{aligned} |W_g(\omega )|= & {} |W_F(\omega )+2\sum \limits _{x \in A}(-1)^{\omega \cdot x}+2\sum \limits _{x \in T}(-1)^{\omega \cdot x}+2\sum \limits _{x \in P'}(-1)^{\omega \cdot x}|\\\le & {} |W_F(\omega )|+2|A|+2|P'|\\\le & {} \frac{1}{n-1}{n\atopwithdelims ()m}+2(|A|+|P'|) \\\le & {} \left\{ \begin{array}{ll} \frac{n}{n-1}{n\atopwithdelims ()m}, &{} m \text { is odd},\\ \frac{n}{n-1}{n\atopwithdelims ()m}-2{m\atopwithdelims ()\frac{m}{2}}, &{} m \text { is even}, \end{array} \right. \end{aligned}$$

where the first inequality holds since \(\sum _{x \in T}(-1)^{\omega \cdot x}=0\), the second identity holds since

$$\begin{aligned} |A|+|P'|=|A|+|P|= \left\{ \begin{array}{ll} \frac{1}{2}{n\atopwithdelims ()m}, &{} m ~\text {is odd},\\ \frac{1}{2}{n\atopwithdelims ()m}-{m\atopwithdelims ()\frac{m}{2}}, &{} m ~\text {is even}, \end{array} \right. \end{aligned}$$

by (13) and (14). While, in the proof of Theorem 3, the Walsh transform of the function f defined in (11) at the vector \(\omega \in {\mathbb {F}}_2^n\) with \(\mathrm {wt}(\omega )\in \{3,5,\ldots ,n-1\}\) satisfies \(|W_f(\omega )|\le \frac{2}{3}{n\atopwithdelims ()m}\). So, we can get \(\max \limits _{\omega \in {\mathbb {F}}_2^n}|W_f(\omega )|={n\atopwithdelims ()m}-2{m-1\atopwithdelims ()\lceil \frac{m-1}{2}\rceil }\). We leave the computation of Walsh transform of the function g at the vector \(\omega \in {\mathbb {F}}_2^n\) with \(\mathrm {wt}(\omega )\in \{3,5,\ldots ,n-1\}\) as an open problem.