Generalization of Boolean Functions Properties to Functions Defined over GF(p)

Problem statement: Traditionally, cryptographic applications designed on hardware have always tried to take advantage of the simplicity of implementing functions over GF(p), p = 2, to reduce costs and improve performance. In contrast, functions defined over GF(p), p > 2, possess far better cryptographic properties than GF(2) functions. Approach: We generalize some of the previous results on cryptographic Boolean functions to functions defined over GF(p), p > 2. Results: We generalize Siegenthaler's construction to functions defined over finite fields. We characterize the linear structures of functions over GF(p) in terms of their Walsh transform values. We then investigate the relation between the autocorrelation coefficients of functions over GF(p) and their Walsh spectrum. We also derive an upper bound for the dimension of the linear space of the functions defined over GF(p). Finally, we present a method to construct a bent function from semi-bent functions. Conclusion: Functions defined over GF(p) can achieve better cryptographic bounds than GF(2) functions. In this paper we gave a generalization of several of the GF(2) cryptographic properties to functions defined over GF(p), where p is an odd prime.


INTRODUCTION
The existence of a tradeoff between the cryptographic properties in GF(2) functions has immense consequences for the security of the cryptosystem using these functions. For instance, the algebraic degree and the correlation immunity order in Boolean functions are two important security measures. It is well known that a cryptographic function that has a high resistance to correlation attacks may have a low linear complexity to counter the linear synthesis by the Berlekamp-Massey algorithm (Massey, 1969).
In the special case where p = 2, the Siegenthaler inequality (Siegenthaler, 1984) states that if a function f(x) with n variables is correlation-immune of order m, then its algebraic degree d ≤ n-m. Moreover, if f(x) is m-resilient, m ≤ n-2, then d ≤ n-m-1. It is clear from the Siegenthaler inequality that we cannot construct a function over GF(2) with the maximum order of correlation immunity (n-1) and algebraic degree higher than 1. On the other hand, when the function is defined over GF(p), it is possible to construct an (n-1)-correlation immune function with algebraic degree greater than 1. f (x , x ) x x = + . Then, f(x) is a resilient function of degree 1 and its algebraic degree equals 3 (Liu et al., 1998).
This example illustrates the fact that functions over GF(p) can possess high correlation immunity and high algebraic degree. Thus, motivated by the better bounds these functions can achieve, various cryptographic properties have already been extended from GF(2) to other finite fields. For example, Liu et al. (1998) presented a series of constructions of correlation-immune functions over finite fields. Later, Hu and Xiao (2003) investigated the existence, construction, and enumeration of resilient functions. Li and Cusick (2005) extended the concept of the Strict Avalanche Criterion (SAC) to GF(p) functions. Due to their importance in cryptography and coding theory, bent functions and their properties were generalized in (Kumar et al., 1985).
The concept of hyper-bent functions was extended to functions over GF(p) in (Youssef, 2007). A new characterization of semi-bent and bent quadratic functions on finite fields was given in (Khoo et al., 2006). Li (2008) generalized the counting results of rotation symmetric Boolean functions to the rotation symmetric polynomials over finite fields GF(p). Cusick et al. (2008) gave a lower bound on the number of n-variable balanced symmetric polynomials over finite fields GF(p). Recently, functions defined over GF(p) have been used to propose a new group re-keying protocol based on modular polynomial arithmetic (Sudha et al., 2009). In this paper, we generalize some of the previous results on cryptographic binary functions to functions defined over GF(p), where p is an odd prime.

Preliminaries
The autocorrelation function is defined as Eq. 2: where $w, a \in F_p^n$ and <w.x> denotes the dot product between w and x, i.e., $<w.x> = \sum_{i=1}^{n} w_i x_i \bmod p$.
We will denote by |X| the magnitude of the complex number X. Most of the properties of the cryptographic functions can be measured using the Walsh transform or the autocorrelation function. (Kumar et al., 1985).

Generalization of Siegenthaler's construction: A simple and useful method to construct Boolean functions is through direct constructions. Direct constructions can produce functions that are optimal with respect to the designed property. Much research effort has been put into these construction techniques in GF(2). Thus, it is significant to extend these constructions from GF(2) to GF(p). Siegenthaler (1984) proposed a method to construct a Boolean function f of order n by combining two functions $f_1$, $f_2$ of order n-1, such that n n 2 2 2 n n 1 n 2 In the following, we generalize Siegenthaler's construction method to functions over GF(p). We also derive some cryptographic properties of the constructed functions. Let In other words, f denotes the function whose truth table is the concatenation of the truth tables of $f_1, f_2, \ldots, f_p$ in the given order.

Algebraic
Then we can write the ANF of f(x) as follows:

The Walsh transform of the concatenated function is given by:

Characterization of linear structures of functions over GF(p): Direct use of Boolean functions possessing linear structure should be avoided in cryptographic applications. It has been shown in (Evertse, 1988; Hellman et al., 1976; Chaum and Evertse, 1986; Josef et al., 2002) that block ciphers with linear structure are vulnerable to attacks much faster than exhaustive search. Several studies were conducted on the existence of linear structures in several classes of Boolean functions, as in (Dubuc, 1998) for vectorial functions and (Dawson and Wu, 1997) for symmetric functions. In the following, we study this criterion for functions defined over GF(p). In particular, we characterize linear structures of functions over GF(p) in terms of their Walsh transform values.
We use Theorem 1 to characterize the linear structures of semi-bent functions defined over GF(p).
Corollary 1: For a semi-bent function f(x), e is a linear structure with a corresponding constant c if and only if F(w) = 0 for all w such that <w . e> ≠ c and $|F(w)| = p^{(n+1)/2}$ for all w such that <w . e> = c.

Proof:
The absolute value of the Walsh transform of a semi-bent function takes only two values, 0 and $p^{(n+1)/2}$. The number of w that satisfy <w . e> ≠ c is $p^{n-1}(p-1)$, which is exactly the number of zeros of the Walsh transform, F(w) = 0. Hence, there is a one-to-one mapping between the Walsh transform and the relation <w . e> ≠ c, i.e., F(w) = 0 if and only if <w . e> ≠ c, and $|F(w)| = p^{(n+1)/2}$ if and only if <w . e> = c.
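Corollary 1 can be checked numerically on a small case. The following is an added example, not code from the paper: it assumes the Walsh transform convention $F(w) = \sum_x \zeta^{f(x) - <w.x>}$ with $\zeta = e^{2\pi i/p}$ (the defining equation is not reproduced on this page), and the sample function $x_1^2 + x_2^2 + 2x_3$ over GF(3) is constructed for illustration.

```python
import cmath
from itertools import product

P, N = 3, 3                          # constructed toy case: GF(3), three variables
ZETA = cmath.exp(2j * cmath.pi / P)  # primitive p-th root of unity
POINTS = list(product(range(P), repeat=N))


def dot(w, x):
    """<w . x> = sum of w_i * x_i mod p."""
    return sum(a * b for a, b in zip(w, x)) % P


def f(x):
    """Constructed sample function: x1^2 + x2^2 + 2*x3 over GF(3)."""
    return (x[0] ** 2 + x[1] ** 2 + 2 * x[2]) % P


def walsh(func, w):
    """Assumed convention: F(w) = sum over x of zeta^(f(x) - <w . x>)."""
    return sum(ZETA ** ((func(x) - dot(w, x)) % P) for x in POINTS)


def linear_structures(func):
    """Map each nonzero e with f(x+e) - f(x) constant to its constant c."""
    found = {}
    for e in POINTS[1:]:             # POINTS[0] is the zero vector
        diffs = {(func(tuple((a + b) % P for a, b in zip(x, e))) - func(x)) % P
                 for x in POINTS}
        if len(diffs) == 1:
            found[e] = diffs.pop()
    return found


def corollary1_holds(func, e, c, tol=1e-9):
    """F(w) = 0 where <w . e> != c and |F(w)| = p^((n+1)/2) where <w . e> = c."""
    peak = P ** ((N + 1) / 2)
    for w in POINTS:
        expected = peak if dot(w, e) == c else 0.0
        if abs(abs(walsh(func, w)) - expected) > tol:
            return False
    return True


if __name__ == "__main__":
    for e, c in linear_structures(f).items():
        print(e, c, corollary1_holds(f, e, c))
```

Both linear structures found are multiples of (0, 0, 1), and the Walsh spectrum vanishes exactly where <w . e> differs from the corresponding constant.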

Relation between the autocorrelation function and the Walsh transform:
The autocorrelation is another useful criterion in analyzing Boolean functions. It measures the probability distribution of the output difference of the function for a fixed input difference. The autocorrelation coefficient AC(α) measures the statistical bias of the output distribution of $d_\alpha f(x)$ relative to the uniform distribution. Next, we show how the autocorrelation coefficients of functions over GF(p) are related to their Walsh spectrum.

∑ ∑
We now derive the relation between the Walsh spectrum of the semi-bent functions and their autocorrelation coefficients.
Theorem 4: Let f(x) be a semi-bent function defined over GF(p). Then Eq. 5:

Proof: Since f(x) is a semi-bent function, the magnitude of its Walsh transform takes the value $F_{max}(w) = p^{(n+1)/2}$, which occurs $p^{n-1}$ times, while 0 occurs $(p^n - p^{n-1})$ times. We refer throughout the rest of this paper to the value $p^{(n+1)/2}$ as $F_{max}(w)$. Thus:

Theorem 5: (Generalization of Theorem 3 in (Canteaut et al., 2000)) Let f(x) be a function defined over GF(p) with n variables. Then, the dimension k of the linear space $V_n$ is such that k ≤ 1. which implies that k ≤ 1.

Construction of bent functions from semi-bent functions with linear structure:
Bent functions achieve the best possible nonlinearity. Accordingly, they provide good confusion properties, and they are perfect in resisting differential cryptanalysis (Biham and Shamir, 1991) and, by definition, linear cryptanalysis (Matsui, 1994). Their major flaw is that they are not balanced. Another useful class of functions which achieve high nonlinearity is semi-bent functions. These functions also possess good cryptographic characteristics, and some of them are balanced. Bent and semi-bent functions over GF(p), p > 2, can exist in even and odd dimensions. It is possible to construct bent functions with (n+1) variables from semi-bent functions with n variables, and similarly, to construct semi-bent functions with n variables from bent functions with (n+1) variables. Here, we focus on constructing bent functions with n+1 variables from semi-bent functions with n variables.
The following lemmas are needed to simplify the proof of Theorem 9.
Lemma 6: Let g(x) = f(x)-<x.e>. If e is a linear structure for f(x) with a corresponding constant c, then g(x) has e as a linear structure with the corresponding constant c-< e . e >.
Proof: If f(x + e) - f(x) = c and g(x) = f(x) - <x . e>, then:

$$g(x+e) - g(x) = f(x+e) - <(x+e) . e> - f(x) + <x . e> = f(x+e) - <x . e> - <e . e> - f(x) + <x . e> = f(x+e) - f(x) - <e . e> = c - <e . e>$$

Proof: Let $f(x+e_1) - f(x) = c_1$ and $f(x+e_2) - f(x) = c_2$. Then $f(x+e_1) - f(x+e_2) = c_1 - c_2$ and $f(x + (e_1 - e_2)) - f(x) = c_1 - c_2$, which implies that $(e_1 - e_2)$ is a linear structure with a corresponding constant $c_1 - c_2$.

From the above lemma, it follows that if e is a linear structure for f(x), then $ae$, $a \in F_p$, is also a linear structure for f(x), where $ae$ denotes the vector whose coordinates are obtained by multiplying the individual coordinates of e by a mod p.
Theorem 9: Let f(x) be a semi-bent function defined over GF(p) with nontrivial linear structures $e_1, e_2, \ldots, e_{p-1}$. Then: x . e f (x) x . e ...
Proof: Since f(x) has linear structures $e_1, e_2, \ldots, e_{p-1}$ with corresponding constants $c_1, \ldots, c_{p-1}$, respectively, then from Lemmas 6 and 7, the function $f(x) - <x . e_i>$, 1 ≤ i ≤ p-1, will have a linear structure $e_i$ with a corresponding constant $c_i - <e_i . e_i>$ and Walsh transform $F(w + e_i)$.

CONCLUSION
Functions defined over GF(p) can achieve better cryptographic bounds than GF(2) functions. In this paper, we gave a generalization of several of the GF(2) cryptographic properties to functions defined over GF(p), where p is an odd prime.