A new class of monomial bent functionsAnne Canteaut∗, Pascale Charpin∗ and Gohar M. Kyureghyan†∗INRIA projet CODES, B.P. 105, 78153 Le Chesnay Cedex, France

{Anne.Canteaut, Pascale.Charpin}@inria.fr†Department of Mathematics, Otto-von-Guericke University of Magdeburg,

Universitatplatz 2, 39106 Magdeburg, GermanyGohar.Kyureghyan@Mathematik.Uni-Magdeburg.DE

Abstract— We study the Boolean functions on F2n , n = 6r, ofthe form x �→ Tr(λxd) with d = 22r + 2r + 1. Our main resultis the characterization of those λ for which they are bent.

I. INTRODUCTION

A number of recent papers are devoted to the character-ization of new classes of bent functions. The main purposecould be to determine such functions which do not belongto the main known classes, for instance, in order to exhibitnon-normal bent functions [3] or to construct bent functionsby concatenating quadratic functions [4]. Another purposeconsists in finding new expressions of bent functions. It isessentially the expressions by means of trace-functions whichare considered in [7], [8], [9]. More generally, considering anypolynomial P (x) in F2n [x], it can be viewed as function withn inputs and n outputs. The properties of P are then studied bymeans of their 2n component functions, the Boolean functionsx �→ Tr(λP (x)) where Tr is the trace function from F2n toF2. Determining the weights of these functions is of greatinterest in coding theory and cryptography (see [1], [7] and[5], for instance).

Our paper has to be replaced in this context. The generalpurpose is to study the so-called monomial functions, that isthe functions x �→ Tr(λxd) on F2n , notably to determine forwhich λ they are bent. Here n = 6r, for some integer r > 1,and we study, for λ ∈ F∗

2n , the functions :

fλ(x) = Tr(λxd), d = 22r + 2r + 1. (1)

We first prove that the weight of fλ takes only three valueswhen λ runs through F∗

2n , one of them corresponding to thebent case. We later describe the set of those λ such that fλ

is bent and we prove that these functions are Maiorana andMcFarland bent functions. Moreover, we prove that a part ofthem form a subspace of dimension 2r of bent functions ofdegree 3. We also give the spectra of the derivatives of thefunctions fλ.

This paper is an extended abstract. Some proofs are omitted.The proofs which are given are generally sketches of proofs.

II. PRELIMINARIES

In the whole paper, α is a primitive root of F2n . The linearBoolean functions on F2n are the functions

ϕa : x �→ Tr(ax), a ∈ F∗2n ,

We use notation Tr for the trace function on F2n . But, forany k dividing n and n = uk, we denote as follows the tracefunction from F2n to F2k :

T nk (β) = β + β2k

+ . . . + β2k(u−1).

For any Boolean function f on F2n , we denote by F(f) thefollowing value related to the Walsh transform of f :

F(f) =∑

x∈F2n

(−1)f(x) = 2n − 2wt(f) , (2)

where wt(f) is the Hamming weight of f , i.e., the numberof x ∈ F2n such that f(x) = 1. The function f is said to bebalanced if and only if F(f) = 0 or, equivalently, wt(f) =2n−1. The Walsh spectrum of f is the multiset

{F(f + ϕa), a ∈ F2n} .

For even n, a function is bent if and only if its Walsh spectrumcontains the values {±2n/2} only.

A. The Maiorana and McFarland bent functions

The Maiorana and McFarland class of bent functions wasintroduced in [10] and extensively studied by Dillon [6]. Itis usually called the class M of bent functions. By the nextlemma, we give the expression of functions of M that we willuse later.

Lemma 1: Let n = 2t and V = F2t . Let us denote byW a subspace of representatives of the cosets of V , that isF2n = ∪a∈W (a + V ). Define the functions

f : (x, a) ∈ V × W �→ T t1 (xπ(a) + h(a))

where π is a bijection from W to V and h is any functionfrom W to V . Then f is a bent function which belongs to theclass M.

Remark 1: The previous lemma can be generalized bytaking a shift of F2t instead of F2t , i.e., V = {0} ∪ γF∗

2t ,γ �∈ F∗

2t . In other terms, the shifts of the function f (of Lemma1), the functions y �→ f(γy), are also in M.

B. Definition of the class fλ

From now on, we consider Boolean functions on F2n withn = 6r, r > 1. Note that,

2n − 1 = (23r − 1)(23r + 1) = d(22r − 1)(22r − 2r + 1).

ISIT 2006, Seattle, USA, July 9 ­ 14, 2006

9031­4244­0504­1/06/$20.00 ©2006 IEEE

Consider fαi , defined by (1), for 0 ≤ i ≤ d − 1. For any �,0 ≤ � ≤ (n/d)− 1, the function fλ with λ = αiα�d is a shiftof fαi . Thus fλ has the same Walsh spectrum as fαi . Let usdefine the set of shifts of αi (modulo d) :

sh(i) = { αi+�d | 0 ≤ � ≤ (n/d) − 1 }.The next lemma is obvious.

Lemma 2: For any i, 0 ≤ i ≤ d − 1, sh(i) ∩ F23r is notempty. Consequently, the subset of F23r

{ αj(23r+1) | 0 ≤ j ≤ d − 1 }is a set of representatives of the sh(i).

According to the previous lemma, to study the spectra ofall the functions fλ, defined by (1), it is sufficient to study thefunctions

fλ(x) = Tr(λxd),

⎧⎨⎩

d = 22r + 2r + 1,

λ = αj(23r+1),0 ≤ j ≤ d − 1.

(3)

III. ON THE SPECTRUM OF THE fλ

In this section fλ is defined by (3). We denote by β aprimitive root of F23r and let G = 〈γ〉 be the subgroup ofF2n of order 23r + 1. Since gcd(23r + 1, 23r − 1) = 1 thenany nonzero x ∈ F2n can be written as follows:

x = yz , y ∈ F∗23r and z ∈ G. (4)

A. The weight of fλ

Recall that wt(fλ) is the weight of fλ. We are going to showthat there are three possibilities only for wt(fλ) (Theorem 1).

Proposition 1: Let us define

Lλ = { z ∈ G | T 6rr (λzd) �= 0 }.

Then the weight of fλ is wt(fλ) = d 2r−1#Lλ.

Proof: Using (4), we express wt(fλ) as an integer sumon the pairs (y, z). We get

wt(fλ) =∑

x∈F2n

Tr(λxd) =∑z, y

Tr(λ(zy)d)

=∑z∈G

∑y∈F23r

T r1

(ydT 6r

r (λzd))

=∑z∈G

d∑

ρ∈F2r

T r1

(ρT 6r

r (λzd))

= #Lλ × d × 2r−1,

We denote by Lλ the set G \ Lλ:

Lλ = { z ∈ G | T 6rr (λzd) = 0 }.

Lemma 3: Set, for any λ ∈ F23r ,

Nλ = { y ∈ F∗23r | T 3r

r (λy) = 0 and T 3r1 (

1y) = 1 }.

Then #Lλ = 2 × #Nλ + 1.

Theorem 1: The functions fλ (and λ itself) are defined by(3). Let us denote by Gd the subgroup of order d of F∗

23r .Consider the solutions v ∈ Gd of the equation:

v2 + vT 3r

r (λ)λ2r +

1λ2r−1

= 0. (5)

Then F(fλ) = 2n − 2rd #Lλ with :

(a) Equation (5) has only one solution in Gd if and onlyif T 3r

r (λ) = 0; in this case #Lλ = 22r(2r − 1).(b) If Equation (5) has no solution in Gd then #Lλ =

2r(22r − 2r − 1).(c) Otherwise, Equation (5) has two solutions in Gd and

#Lλ = 2r(22r − 2r + 1).Consequently, we obtain:

case F(fλ)(a) 23r

(b) 24r + 23r+1 + 22r

(c) −(24r + 22r)

Proof: According to Lemma 3, we are going to compute#Nλ. Since 23r−1 = (2r−1)d we can express any y ∈ F∗

23r

as follows:

y = uβi, u = βkd, 0 ≤ k ≤ 2r − 2 and 0 ≤ i ≤ d − 1.

Thus

#Nλ = #{ y ∈ βiF∗2r | T 3r

r (λβi) = 0 and T 3r1 (

1y) = 1 }.

Set I = { i | T 3rr (λβi) = 0}. So #I = 2r + 1, because the

polynomial x+x2r

+x22r

has 22r roots in F23r and y ∈ xF∗2r

is such a root as soon as x is a root too. Hence

#Nλ =∑i∈I

#{ y ∈ βiF∗2r | T r

1 (1u

T 3rr (β−i)) = 1 }

= 2r−1(2r + 1 − #{ i ∈ I | T 3rr (β−i) = 0}).(6)

Now set w = βi. We have to solve

T 3rr (λw) = 0 and T 3r

r (w−1) = 0.

which we transform into

w2r+1−2 + w2r−1 δ

λ2r +1

λ2r−1= 0,

where δ = T 3rr (λ). Setting v = w2r−1, we get (5). This is an

equation of degree 2 which has 0, 1 or 2 solutions in F∗23r . If

it has 2 solutions, v1 and v2, then v1 ∈ Gd implies v2 ∈ Gd

since v1v2 = 1/λ2r−1. So (5) has one and only one solutionin Gd if and only if δ = 0. Using (6) we get #Nλ = 2r−12r

and further #Lλ completing the proof of the case (a). In thesame way, we compute #Lλ for the cases (b) and (c).

B. Another expression of fλ

Set V = F23r and let W be a subspace of F2n which is aset of representatives of the cosets of V , that is

F2n =⋃

a∈W

(a + V ).

ISIT 2006, Seattle, USA, July 9 ­ 14, 2006

904

Thus, for any x ∈ F2n there is a unique pair (y, a) ∈ V ×Wsuch that x = y + a. Then, we define

fλ(y, a) = fλ(y + a) = Tr(λ(y + a)d

). (7)

Theorem 2: Recall that δ = T 3rr (λ). Define the function π

from W to V :

π(a) = λ22r

(a + a23r

)22r+2r

+ δ T 6r3r (a22r+2r

) (8)

Then, for any (y, a) ∈ V × W :

fλ(y, a) = T 3r1

(y2r+1δ(a + a23r

)22r

+ yπ(a)

+ λ(ad + a23rd))

. (9)

Proof: We compute fλ(y, a), which is defined by (7) :

fλ(y, a) = Tr(λ(y + a)d) =Tr(λyd) + Tr

(λ(a22r

y2r+1 + a2r

y22r+1 + ay2r(2r+1)))

+ Tr(λ(y22r

a2r+1 + y2r

a22r+1 + ya2r(2r+1) + ad))

= A + B + C,

First A = Tr(λyd) = 0 since λ and y are in F23r . Now, usingtrace properties, we have

B = Tr(y2r+1(λa22r

+ λ2r

a22r

+ λ22r

a22r

))

= Tr(y2r+1a22r

(λ + λ2r

+ λ22r

))

= T 3r1

(y2r+1δ (a + a23r

)22r

).

Finally the part which is affine relatively to y is:

C = Tr(y(λa2r(2r+1) + λ2r

a2r(2r+1)

+ λ22r

a22r(22r+1)) + λad)

= T 3r1 (y π(a) + λ T 6r

3r (ad)).

Indeed, we have C = Tr(yD + λad) where

T 6r3r (D) = (λ22r

+ δ)T 6r3r (a22r+2r

) + λ22r

T 6r3r (a24r+22r

)

= λ22r

T 6r3r

(a22r

(a + a23r

)2r)

+ δT 6r3r (a22r+2r

)

= λ22r

(a + a23r

)22r+2r

+ δ T 6r3r (a22r+2r

)

which is exactly π(a), completing the proof of (9).

C. The bent functions fλ

Theorem 3: The function fλ, defined by (3), is bent if andonly if λ + λ2r

+ λ22r

= 0.There are 2r + 1 such bent functions and, at all

(22r − 1)(23r + 1)

bent functions defined by (1). All these bent functions belongto the class M. Moreover, let us define

B = { fλ | λ ∈ F23r , T 3rr (λ) = 0 },

where f0 is the null function. Then B is a subspace of thespace of Boolean functions on F2n . Its dimension is 2r andany function fλ ∈ B∗ is a cubic bent function.

Proof: First, if δ �= 0 then fλ cannot be bent. Thiswas proved by Theorem 1. Consider fλ expressed by (9) withδ = 0. Notation is as in Theorem 2. Then we get:

fλ(y, a) = T 3r1

(yπ(a) + λ(ad + a23rd)

)(10)

with π(a) = λ22r

(a + a23r

)22r+2r

. Clearly the function a �→a+a23r

is a bijection from W to V . Since 2r +1 and 23r −1are coprime, we can conclude that π is a bijection from Wto V . According to Lemma 1, the functions expressed by (10)are bent functions belonging to the class M.

It is not difficult to prove that the cardinality of

{ λ = α�(23r+1) | 0 ≤ � ≤ d − 1, T 3rr (λ) = 0 }

is equal to 2r + 1. Then we get 2r + 1 bent functions definedby (3), each of them having (2n −1)/d shifts. Moreover, as itwas explained in Remark 1 these shifts are also elements ofM. The proof is completed by using the linearity of the tracefunction and by computing the cardinality of B.

Concerning the spectra of the non bent functions fλ, ournumerical results suggest several conjecture. Notably, weconjecture that there are three spectra only, corresponding tothe three possible weights of fλ.

IV. OTHER PROPERTIES

In this section, we give, without proofs, some other resultson the properties of the functions fλ. First the divisibility ofthe Walsh spectrum can be deduced from Theorems 1 and 2.

Corollary 1: Assume that λ is such that fλ is not bent. Setk = 2r. Then for all b ∈ F2n

F(fλ + ϕb) ≡ 0 (mod 2k).

Moreover, this does not hold for k > 2r.Let us define the derivative of fλ with respect to a ∈ F∗

2n :

Dafλ(x) = Tr(λxd) + Tr(λ(x + a)d).

These functions are quadratic and have the following form:

Dafλ(x) = Tr(µx22r+1 + Ax2r+1 + Bx + µ)

with

µ = λad, A = µ + µ25r

, B = µ + µ24r

+ µ25r

.

The spectra of these functions are completely known as soonas the dimension of the kernel of their symplectic forms isknown.

Lemma 4: Let us denote by K(a, λ) the kernel of thesymplectic form of Dafλ. Set µ = λad and A = µ + µ25r

and define the polynomial of F∗2n [x] :

P (x) = µx22r

+ Ax2r

+ (µx)24r

+ (Ax)25r

.

Then K(a, λ) is the subspace of the roots of P in F2n .

It is easy to check that F2r is included in K(a, λ) for anya and for any λ. But, we can prove that there is always a rootof P which is not in F2r . Further, we obtain the followingresult.

ISIT 2006, Seattle, USA, July 9 ­ 14, 2006

905

Theorem 4: Let a, λ ∈ F∗2n . Set µ = λad and

σ = µ2r+24r

+ µ2r+23r

+ µ22r+24r

.

Then

dim K(a, λ) ={

2r if σ �= 04r if σ = 0.

Consequently, the Walsh transform of Dafλ takes the values{0,±25r} if σ = 0 and {0,±24r} otherwise.

We can also give the form of some kernels K(a, λ).In particular, the biggest dimension 4r appears for the λcorresponding to bent functions; moreover, in this case, thekernel contains the subfield F23r .

V. CONCLUSION

The complete classification of monomial bent functions isnot achieved. Actually, little is known about this corpus, asrecalled in [9]. They do not all lie in the known classes,especially in class M. For instance, some bent functionscharacterized in [7], namely with Kasami exponents, are notnormal [3], implying that they do not belong to any previouslyknown class. On the other hand, the most recent result onmonomial bent functions is due to Leander [9] who provedthat the functions gλ : x �→ Tr(λxd) on F24r , d = (2r + 1)2,belong to M for a specific value of λ. Using our method(Theorem 2), we show that all functions gλ, for λ ∈ F22r , canbe viewed as a concatenation of affine functions.

REFERENCES

[1] T. Berger, A. Canteaut, P. Charpin and Y. Laigle-Chapuy, “On AlmostPerfect Nonlinear functions,” IEEE Trans. Inform. Theory, to appear.

[2] A. Canteaut and P. Charpin, “Decomposing bent functions,” IEEE Trans.Inform. Theory, 49(8), pp. 2004-19, August 2003.

[3] A. Canteaut, M. Daum, G. Leander and H. Dobbertin, “Normal and nonnormal bent functions,” Discrete Applied Mathematics, Vol. 154, Issue 2,pp. 202-18, February 2006.

[4] P. Charpin, C. Tavernier and E. Pasalic, “On bent and semi-bent quadraticBoolean functions,” IEEE Trans. Inform. Theory, 51(12), pp. 4287-98,December 2005.

[5] C. Carlet and P. Gaborit, “Hyper-bent functions and cyclic codes,” Jour.Comb. Theory, Series A, to appear.

[6] J. Dillon, “Elementary Hadamard Difference sets,” Ph.D. dissertation,University of Maryland, 1974.

[7] J. Dillon and H. Dobbertin, “New cyclic difference sets with Singerparameters,” Finitie Fields and Their Applications, 10(2004) 342-389.

[8] N.G. Leander, “Bent functions with 2r Niho exponents,” In Proceedingsof of the 2005 International Workshop on Coding and Cryptography(WCC 2005), Bergen (Norway), pp. 454-61, March 2005.

[9] N.G. Leander, “Monomial bent functions,” In Proceedings of of the2005 International Workshop on Coding and Cryptography (WCC 2005),Bergen (Norway), pp. 461-70, March 2005.

[10] R. L. McFarland, “A family of noncyclic difference sets,” J. Combin.Theory Ser. A, vol. 15, pp. 1–10, 1973. vol. 20, 1983.

ISIT 2006, Seattle, USA, July 9 ­ 14, 2006

906