## A new characterization of almost bent functions (1999)

Venue: | Fast Software Encryption 99, LNCS 1636, L. Knudsen edt |

Citations: | 13 - 2 self |

### BibTeX

@INPROCEEDINGS{Canteaut99anew,

author = {Anne Canteaut and Pascale Charpin and Hans Dobbertin},

title = {A new characterization of almost bent functions},

booktitle = {Fast Software Encryption 99, LNCS 1636, L. Knudsen edt},

year = {1999},

pages = {186--200},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. We study the functions from F m 2 into F m 2 for odd m which oppose an optimal resistance to linear cryptanalysis. These functions are called almost bent. It is known that almost bent functions are also almost perfect nonlinear, i.e. they also ensure an optimal resistance to differential cryptanalysis but the converse is not true. We here give a necessary and sufficient condition for an almost perfect nonlinear function to be almost bent. This notably enables us to exhibit some infinite families of power functions which are not almost bent. 1

### Citations

2033 |
The theory of error-correcting Codes
- MacWilliams, Sloane
- 1977
(Show Context)
Citation Context ...n then assume that f(0)=0 without loss of generality. Both APN and AB properties can also be expressed in terms of error-correcting codes. We use standard notation of the algebraic coding theory (see =-=[15]-=-). The (Hamming) weight of any vector x ∈ F n 2 is denoted by wt(x). Any linear subspace of F n 2 is called a binary linear code of length n and dimension k and is denoted by [n, k]. Any [n, k]-linear... |

536 | Differential Cryptanalysis of DES-like Cryptosystems
- Biham, Shamir
- 1991
(Show Context)
Citation Context ... dot product on Fm 2 . These values are of great importance in cryptography especially for measuring the security of an iterated block cipher using f as a round permutation [6]. A differential attack =-=[2]-=- against such a cipher exploits the existence of a pair (a, b) with a �= 0 such that δf (a, b) is high. Similarly a linear attack [16] is successful if there is a pair (a, b) with b �= 0 such that λf ... |

171 |
Crosscorrelation properties of pseudorandom and related sequences
- Sarwate, Pursle
- 1980
(Show Context)
Citation Context ... of exponents s (up to equivalence) such that the power function x ↦→ x s is APN (resp. AB). AB power permutations also correspond to pairs of maximum-length sequences with preferred crosscorrelation =-=[23]-=-. Table 1. Known and conjectured APN power functions x s on F2m with m =2t +1 exponents s status quadratic functions 2 i + 1 with gcd(i, m) = 1 and 1 ≤ i ≤ t proven [10,19] Kasami’s functions 2 2i − 2... |

141 |
Differentially uniform mappings for cryptography
- Nyberg
- 1994
(Show Context)
Citation Context ...ith preferred crosscorrelation [23]. Table 1. Known and conjectured APN power functions x s on F2m with m =2t +1 exponents s status quadratic functions 2 i + 1 with gcd(i, m) = 1 and 1 ≤ i ≤ t proven =-=[10,19]-=- Kasami’s functions 2 2i − 2 i + 1 with gcd(i, m) = 1 and 2 ≤ i ≤ t proven [14] inverse function 2 2t − 1 proven [19,1] Welch’s function 2 t +3 proven [9] Niho’s function 2 t +2 t 2 − 1iftis even prov... |

116 |
Cryptanalysis Method for DES Cipher
- Linear
- 1993
(Show Context)
Citation Context ...k cipher using f as a round permutation [6]. A differential attack [2] against such a cipher exploits the existence of a pair (a, b) with a �= 0 such that δf (a, b) is high. Similarly a linear attack =-=[16]-=- is successful if there is a pair (a, b) with b �= 0 such that λf (a, b) is high. The function f can then be used as a round function of an iterated cipher only if both δf = max a�=0 max δf (a, b) and... |

81 |
Maximal recursive sequences with 3-valued recursive crosscorrelation functions
- Gold
- 1968
(Show Context)
Citation Context ...ith preferred crosscorrelation [23]. Table 1. Known and conjectured APN power functions x s on F2m with m =2t +1 exponents s status quadratic functions 2 i + 1 with gcd(i, m) = 1 and 1 ≤ i ≤ t proven =-=[10,19]-=- Kasami’s functions 2 2i − 2 i + 1 with gcd(i, m) = 1 and 2 ≤ i ≤ t proven [14] inverse function 2 2t − 1 proven [19,1] Welch’s function 2 t +3 proven [9] Niho’s function 2 t +2 t 2 − 1iftis even prov... |

71 | Links between differential and linear cryptanalysis
- Chabaud, Vaudenay
- 1995
(Show Context)
Citation Context ...n particular when f isapower function, f : x ↦→ xs , this code Cf is the cyclic code C1,s of length (2m − 1) whose zeros are α and α s (α denotes a primitive element of F2 m). It was also established =-=[6]-=- that if a function over F m 2 for odd m ensures the best resistance to linear cryptanalysis, it also ensures the best resistance to differential cryptanalysis. For the associated code Cf , this means... |

68 |
Linear approximations of block ciphers
- NYBERG
- 1995
(Show Context)
Citation Context ... λf = max b a max b�=0 λf (a, b) are small. Moreover if f defines the S-boxes of a Feistel cipher, the values of δf and λf completely determine the complexity of differential and linear cryptanalysis =-=[21,20]-=-. Proposition 1. [21] For any function f : Fm 2 → Fm 2 , δf ≥ 2 . In case of equality f is called almost perfect nonlinear (APN).s188 A. Canteaut, P. Charpin, and H. Dobbertin Proposition 2. [24,6] Fo... |

63 | Codes, bent functions and permutations suitable for DES-like cryptosystems, Des
- CARLET, CHARPIN, et al.
- 1998
(Show Context)
Citation Context ...d almost bent. These functions play a major role in cryptography; in particular their use in the S-boxes of a Feistel cipher ensure the best resistance to linear cryptanalysis. It was recently proved =-=[5]-=- that the nonlinearity of a function from Fm 2 into Fm 2 corresponds to the minimum distance of the dual of a linear code Cf of length (2m − 1). In particular when f isapower function, f : x ↦→ xs , t... |

45 |
Almost Perfect Nonlinear Power Functions on GF (2 n ): The Welch Case
- Dobbertin
(Show Context)
Citation Context ... + 1 with gcd(i, m) = 1 and 2 ≤ i ≤ t proven [14] inverse function 2 2t − 1 proven [19,1] Welch’s function 2 t +3 proven [9] Niho’s function 2 t +2 t 2 − 1iftis even proven 2 t +2 3t+1 2 − 1iftis odd =-=[8]-=- Dobbertin’s function 2 4i +2 3i +2 2i +2 i − 1ifm =5i conjectured [8] Table 2. Known AB power permutations x s on F2m with m =2t +1 exponents s status quadratic functions 2 i + 1 with gcd(i, m) = 1 a... |

45 |
Provable security against a differential cryptanalysis
- Nyberg, Knudsen
- 1993
(Show Context)
Citation Context ... λf = max b a max b�=0 λf (a, b) are small. Moreover if f defines the S-boxes of a Feistel cipher, the values of δf and λf completely determine the complexity of differential and linear cryptanalysis =-=[21,20]-=-. Proposition 1. [21] For any function f : Fm 2 → Fm 2 , δf ≥ 2 . In case of equality f is called almost perfect nonlinear (APN).s188 A. Canteaut, P. Charpin, and H. Dobbertin Proposition 2. [24,6] Fo... |

37 |
The Weight Enumerators for several Classes of Subcodes of Second Order Binary Reed
- Kasami
- 1971
(Show Context)
Citation Context ...tions x s on F2m with m =2t +1 exponents s status quadratic functions 2 i + 1 with gcd(i, m) = 1 and 1 ≤ i ≤ t proven [10,19] Kasami’s functions 2 2i − 2 i + 1 with gcd(i, m) = 1 and 2 ≤ i ≤ t proven =-=[14]-=- inverse function 2 2t − 1 proven [19,1] Welch’s function 2 t +3 proven [9] Niho’s function 2 t +2 t 2 − 1iftis even proven 2 t +2 3t+1 2 − 1iftis odd [8] Dobbertin’s function 2 4i +2 3i +2 2i +2 i − ... |

36 | Binary m-sequences with three-valued crosscorrelation: a proof of Welch’s conjecture
- Canteaut, Charpin, et al.
- 2000
(Show Context)
Citation Context ...ents s status quadratic functions 2 i + 1 with gcd(i, m) = 1 and 1 ≤ i ≤ t proven [10,19] Kasami’s functions 2 2i − 2 i + 1 with gcd(i, m) = 1 and 2 ≤ i ≤ t proven [14] Welch’s function 2 t +3 proven =-=[4,3]-=- Niho’s function 2 t +2 t 2 − 1iftis even proven 2 t +2 3t+1 2 − 1iftis odd [12] 2.2 Weight Divisibility of Cyclic Codes We now give some properties of binary cyclic codes since the linear code Cf ass... |

30 |
On Mutual Correlation of Sequences
- Sidelnikov
(Show Context)
Citation Context ...s [21,20]. Proposition 1. [21] For any function f : Fm 2 → Fm 2 , δf ≥ 2 . In case of equality f is called almost perfect nonlinear (APN).s188 A. Canteaut, P. Charpin, and H. Dobbertin Proposition 2. =-=[24,6]-=- For any function f : F m 2 → F m 2 , λf ≥ 2 m−1 2 . In case of equality f is called almost bent (AB). Note that this minimum value for λf can only be achieved if m is odd. For even m, some functions ... |

28 |
On almost perfect nonlinear permutations
- Beth, Ding
- 1994
(Show Context)
Citation Context ...ts s status quadratic functions 2 i + 1 with gcd(i, m) = 1 and 1 ≤ i ≤ t proven [10,19] Kasami’s functions 2 2i − 2 i + 1 with gcd(i, m) = 1 and 2 ≤ i ≤ t proven [14] inverse function 2 2t − 1 proven =-=[19,1]-=- Welch’s function 2 t +3 proven [9] Niho’s function 2 t +2 t 2 − 1iftis even proven 2 t +2 3t+1 2 − 1iftis odd [8] Dobbertin’s function 2 4i +2 3i +2 2i +2 i − 1ifm =5i conjectured [8] Table 2. Known ... |

27 |
A proof of the Welch and Niho conjectures on crosscorrelation of binary m-sequences”, Finite Fields and Their applications, v
- Hollmann, Xiang
(Show Context)
Citation Context ... [10,19] Kasami’s functions 2 2i − 2 i + 1 with gcd(i, m) = 1 and 2 ≤ i ≤ t proven [14] Welch’s function 2 t +3 proven [4,3] Niho’s function 2 t +2 t 2 − 1iftis even proven 2 t +2 3t+1 2 − 1iftis odd =-=[12]-=- 2.2 Weight Divisibility of Cyclic Codes We now give some properties of binary cyclic codes since the linear code Cf associated to a power function f : x ↦→ xs on F2m is a binary cyclic code of length... |

15 |
Multi-valued cross-correlation functions between two maximal linear recursive sequence
- Niho
- 1972
(Show Context)
Citation Context ...nctions x ↦→x s on F m 2 with s =2m−1 2 +2i − 1 In his 1968 paper [11], Golomb mentioned a conjecture of Welch stating that for m =2t + 1, the power function x ↦→ xs with s =2t + 3 is AB on F2m. Niho =-=[18]-=- stated a similar conjecture for s =2 t +2 t 2 −1 when t is even and s =2 t +2 3t+1 2 −1 when t is odd. Note that all of these exponents s can be written as 2 t +2 i − 1 for some i. Since both Welch’s... |

15 |
Power moment identities on weight distributions in error correcting codes
- Pless
- 1963
(Show Context)
Citation Context ...dual (or orthogonal) code, denoted by C ⊥ f , has the highest possible minimum distance, then Cf has minimum distance at least 5. But the reciprocal does not hold. Using Pless power moment identities =-=[22]-=- and some ideas due to Kasami [13], we make this condition necessary and sufficient by adding a requirement on the divisibility of the weights of C ⊥ f . Since the divisibility of the weights of the c... |

11 |
Weight congruence for p-ary cyclic codes
- McEliece
- 1972
(Show Context)
Citation Context ...ary and sufficient by adding a requirement on the divisibility of the weights of C ⊥ f . Since the divisibility of the weights of the cyclic code C⊥ 1,s is completely determined by McEliece’s theorem =-=[17]-=-, the determination of the values of s such that the power function x ↦→ xs is almost bent on F2m is now L. Knudsen (Ed.): FSE’99, LNCS 1636, pp. 186–200, 1999. c○ Springer-Verlag Berlin Heidelberg 19... |

8 |
On binary cyclic codes with minimum distance d
- Charpin, Tietävämen, et al.
- 1997
(Show Context)
Citation Context ...e. Proof. Theorem 4 provide a necessary condition for obtaining an AB power function on F2m: this function has to be APN and C⊥ 1,s has to be 2 m−1 2 -divisible. When s ≡ 2i mod (2g − 1), it is known =-=[7]-=- that the cyclic code C1,s has minimum distance 3. It follows that x ↦→ xs is not APN in this case. Suppose now that the dual of the cyclic code of length (2g − 1) with defining set {1,s0} is exactly ... |

5 |
Theory of transformation groups of polynomials over GF (2) with applications to linear shift register sequences
- Golomb
- 1968
(Show Context)
Citation Context .... Corollary 4. Let m be an odd integer. If the power permutation f : x ↦→ xs is AB on F2m, then m +1 degree(f) =w2(s) ≤ . 2 4 Power Functions x ↦→x s on F m 2 with s =2m−1 2 +2i − 1 In his 1968 paper =-=[11]-=-, Golomb mentioned a conjecture of Welch stating that for m =2t + 1, the power function x ↦→ xs with s =2t + 3 is AB on F2m. Niho [18] stated a similar conjecture for s =2 t +2 t 2 −1 when t is even a... |

3 |
Couples de suites binaires de longueur maximale ayant une corrélation croisée à trois valeurs: Conjecture de
- Canteaut, Charpin, et al.
- 1999
(Show Context)
Citation Context ...ents s status quadratic functions 2 i + 1 with gcd(i, m) = 1 and 1 ≤ i ≤ t proven [10,19] Kasami’s functions 2 2i − 2 i + 1 with gcd(i, m) = 1 and 2 ≤ i ≤ t proven [14] Welch’s function 2 t +3 proven =-=[4,3]-=- Niho’s function 2 t +2 t 2 − 1iftis even proven 2 t +2 3t+1 2 − 1iftis odd [12] 2.2 Weight Divisibility of Cyclic Codes We now give some properties of binary cyclic codes since the linear code Cf ass... |

1 |
distributions of Bose-Chaudhuri-Hocquenghem codes
- Weight
- 1968
(Show Context)
Citation Context ... by C ⊥ f , has the highest possible minimum distance, then Cf has minimum distance at least 5. But the reciprocal does not hold. Using Pless power moment identities [22] and some ideas due to Kasami =-=[13]-=-, we make this condition necessary and sufficient by adding a requirement on the divisibility of the weights of C ⊥ f . Since the divisibility of the weights of the cyclic code C⊥ 1,s is completely de... |