Implementing Symmetric Cryptography Using Sequence of Semi-Bent Functions

Symmetric cryptography is a cornerstone of everyday digital security, where two parties must share a common key to communicate. The most common primitives in symmetric cryptography are stream ciphers and block ciphers, which guarantee confidentiality of communications, and hash functions, which provide integrity. Thus, to secure our everyday communication, it is necessary to be convinced of the security level provided by all the symmetric-key cryptographic primitives. The most important part of a stream cipher is the key stream generator, which provides the overall security of the cipher. Nonlinear Boolean functions have long been preferred for constructing the key stream generator. In order to resist several known attacks, many requirements have been proposed for these Boolean functions. Attacks against cryptosystems have forced deep research on Boolean functions to enable more secure encryption. In this work we describe all the main requirements for constructing cryptographically significant Boolean functions. Moreover, we provide a construction of Boolean functions (semi-bent Boolean functions) which can be used in the construction of orthogonal variable spreading factor codes used in code division multiple access (CDMA) systems as well as in certain cryptographic applications. In this work we present an infinite sequence of semi-bent functions using known classes of quadratic bent functions. The construction of other classes of infinite sequences of semi-bent functions is an interesting research challenge.


Introduction
Cryptography has become a branch of information theory and is used within a mathematical approach to study the transmission of information from place to place. In a modern society, exchange and storage of information in an efficient, reliable, and secure manner are of fundamental importance. Applications of cryptography are present in many aspects of our society, and they include authentication and encryption (bank cards, wireless telephone, e-commerce), access control (car lock systems, ski lifts), and payment (prepaid telephone cards, e-cash). Behind all the previously mentioned applications, an underlying cryptographic system has to satisfy a number of security goals. Some important aspects in information security are data confidentiality, data integrity, authentication, and non-repudiation, and some of these goals will be elaborated later in the framework of Boolean functions. Therefore, cryptography is evermore important for business and industry as well as for society at large.
A classic example of a cryptosystem is depicted in Figure 1. Such a cryptosystem primitive is also called symmetric-key encryption algorithm, since the transmitted message (plaintext) is encrypted (into ciphertext) and decrypted with the same secret key which is shared between both sender and recipient. Symmetric cryptography is best introduced with an easy-to-understand problem: There are two users, Alice and Bob, who want to communicate over an insecure channel. The actual problem starts with the bad guy, Oscar, who has access to the channel, for instance, by hacking into an Internet router or by listening to the radio signals of a Wi-Fi communication. This type of unauthorized listening is called eavesdropping. Obviously, there are many situations in which Alice and Bob would prefer to communicate without Oscar listening. For instance, if Alice and Bob represent two offices of a car manufacturer, and they are transmitting documents containing the business strategy for the introduction of new car models in the next few years, these documents should not get into the hands of their competitors or of foreign intelligence agencies for that matter. In this situation, symmetric cryptography offers a powerful solution: Alice encrypts her message m using a symmetric algorithm, yielding the ciphertext c. Bob receives the ciphertext and decrypts the message. Decryption is, thus, the inverse process of encryption. What is the advantage? If we have a strong encryption algorithm, the ciphertext will look like random bits to Oscar and will contain no information whatsoever that is useful to him.
Symmetric-key cryptography comprises two large families of cryptographic primitives, namely, block and stream ciphers (see Figure 2). Since both block and stream ciphers provide significant performance improvement compared to public-key encryption techniques, they are commonly used as encryption schemes in practice. However, the design rules for these two primitives are quite different.
In general, symmetric-key cryptography is much more computationally efficient than public-key cryptography (approximately 1000 times faster), and it requires a shorter key length to ensure the same level of security. On the other hand, every pair of users that wants to communicate using symmetric encryption must share a common secret key. If $n$ users want to ensure pairwise secure communication, a total of $\frac{n(n-1)}{2}$ secret keys need to be exchanged, and every user must store and keep safe $n - 1$ different secret keys, which is in many cases highly impractical. In comparison, public-key cryptography only requires each user to keep a single private key secret.
The security of symmetric cryptosystems is strongly influenced by Boolean functions. They are often used as nonlinear combining functions in stream ciphers based on linear feedback shift registers (LFSRs). Those functions make the relationship between the plaintext and the ciphertext as complex as possible. More precisely, a bit of the ciphertext is obtained from a bit of the plaintext by adding bitwise a key digit (the output of the Boolean function) whose dependence upon the LFSR entries (the secret information) is nonlinear. Thus, the security of such cryptosystems relies deeply on the choice of the Boolean function, because the complexity of the relationship between the plaintext and the ciphertext depends entirely on the Boolean function. Indeed, some properties of the Boolean function can be exploited to gain access to the contents of encrypted messages, even if the key is unknown. Therefore, Boolean functions need to have some important characteristics, called security criteria, to resist several types of attacks (see Section 3). Furthermore, the research fields of Boolean functions in cryptography include their design and implementation, the properties of Boolean functions, the construction and counting of Boolean functions with certain properties, the trade-offs between different properties, and the properties required by new attacks.
A special class of Boolean functions, called semi-bent functions, was introduced in 1994 by Chee, Lee, and Kim [1]. The motivation for their study is firstly related to their use in cryptography (in the design of cryptographic functions). Indeed, semi-bent functions can be balanced and resilient. They also possess various desirable characteristics such as low autocorrelation and a maximal nonlinearity among balanced plateaued functions, but they cannot have high algebraic degree. In terms of linear feedback shift-register synthesis, they are usually generated by certain power polynomials over a finite field and in addition are characterized by a low cross-correlation and high nonlinearity. Besides their practical use in cryptography, they are also widely used in code division multiple access (CDMA) communication systems for sequence design [2,3]. In this context, families of maximum length linear feedback shift-register sequences having three-valued cross-correlation are used. Such sequences have received a lot of attention since the late 1960s and can be generated by a semi-bent function. Even though a lot of work has been done on semi-bent functions, only a few generic methods of constructing semi-bent functions can be found in the literature. The classification of these functions is still elusive, and their construction in particular is a challenging problem. Some open problems and an overview of the known constructions related to semi-bent functions can be found in the book of Mesnager [4]. The rest of this chapter is organized as follows. In Section 2 the essential background on Boolean functions is given. Some main requirements for constructing significant Boolean functions are given in Section 3. An infinite class of semi-bent functions specified by employing some sufficient conditions is given in Section 4. Some concluding remarks are given in Section 5.

Useful definitions and terms
Let $\mathbb{F}_2^n$ denote the $n$-dimensional vector space over the prime field $\mathbb{F}_2$. Let be a vector over $\mathbb{F}_2$ of length $n$. A Boolean function $f(x_1, \ldots, x_n)$ in $n$ variables is an arbitrary function from $\mathbb{F}_2^n$ to $\mathbb{F}_2$. It can also be interpreted as the output column of its truth table, i.e., a binary string of length $2^n$. An $n$-variable function $f$ is said to be balanced if its output column in the truth table contains an equal number of 1's and 0's.
Any Boolean function has a unique representation as a multivariate polynomial over the Galois field of two elements, called algebraic normal form (ANF), where the coefficients $a_0, a_{ij}, \ldots, a_{12 \ldots n}$ belong to $\{0, 1\}$. The algebraic degree, denoted by $\deg(f)$, is the number of variables in the highest order monomial with nonzero coefficient. A Boolean function with $\deg(f) \le 1$ is said to be affine, and the set of all $n$-variable affine functions is denoted by $A_n$. An affine function with the constant term equal to zero is called a linear function.
The nonlinearity of an $n$-variable function $f$ is $N_f = \min_{g \in A_n} d(f, g)$, which measures the minimum distance between $f$ and all $n$-variable affine functions.
Many properties of a Boolean function can be deduced from its Walsh spectrum. The Walsh transform of $f(x)$ at the point $\omega \in \mathbb{F}_2^n$ is an integer-valued function over $\mathbb{F}_2^n$ defined by A Boolean function $f(x)$ is called plateaued if its Walsh spectrum only takes three values, $0$ and $\pm 2^{\lambda}$, where $\lambda$ is some positive integer.
Two Boolean functions $f(x)$, $g(x)$ are said to be a pair of disjoint spectra functions if for all $\omega \in \mathbb{F}_2^n$: In terms of Walsh spectra, the nonlinearity of $f$ is given by The notion of the derivative of a Boolean function is extended to higher orders as follows. Suppose for all $x \in \mathbb{F}_2^n$:

Cryptographic requirements for constructing Boolean functions
One of the fundamental research topics in cryptography is the construction of cryptographically significant Boolean functions, that is, a function which possesses some of the following properties:
1. High algebraic degree aims to increase the linear complexity in ciphers. Using Boolean functions of high degree in block ciphers leads to more complicated systems of equations describing the cipher and hence makes cryptanalysis of the cipher more difficult. All cryptosystems using Boolean functions for confusion can be attacked if the functions have relatively low algebraic degree, i.e., the Berlekamp-Massey attack [5] or the Ronjom-Helleseth attack [6] can be applied. Note that the algebraic degree of a Boolean function in $n$ variables is at most $n$.
2. In order to prevent the system from leaking statistical dependence between the input and output, the concept of balancedness implies that a given Boolean function outputs equally many zeros and ones over all possible input values. To avoid distinguishing attacks [7], a cryptographic function must be balanced.
Note that the algebraic degree of a balanced Boolean function in $n$ variables is at most $n - 1$.
3. High nonlinearity is one of the most important properties in the design of symmetric-key cryptosystems, since it directly affects the resistance of the cipher to the majority of cryptanalytic techniques. The nonlinearity simply measures the Hamming distance to the set of all affine functions. Therefore, a high nonlinearity implies a better resistance to affine approximation attacks [8]. According to the definition of nonlinearity, all affine functions have zero nonlinearity. On the other hand, a Boolean function having nonzero nonlinearity implies the function is not affine. Thus, the nonlinearity of a nonlinear Boolean function cannot exceed $2^{n-1}$. On an even size Boolean space, there is a class of Boolean functions, called bent functions, that have maximum nonlinearity ($2^{n-1} - 2^{\frac{n}{2}-1}$). In general, it is not an easy problem to identify all Boolean functions with high nonlinearity. However, this problem has been completely solved for quadratic Boolean functions (Boolean functions with algebraic degree 2).
4. In order to avoid the correlation attack [9], the concept of correlation immunity of order $m$ implies that any sub-function deduced from a given Boolean function by fixing at most $m$ inputs has the same output distribution as the given Boolean function. Correlation immunity has long been recognized as one of the critical indicators of nonlinear combining functions of shift registers in stream generators. Moreover, if a balanced Boolean function $f$ is correlation immune of order $m$, then $f$ is said to be $m$-resilient. When used in stream cipher systems, a Boolean function is required to have high nonlinearity and resiliency for protection against correlation attacks. It is actually very difficult to find a balanced Boolean function which has a high correlation immunity order and at the same time has a high nonlinearity.

5. Optimal algebraic immunity aims to provide resistance against algebraic attack. The algebraic immunity is the minimum value of $d$ such that a given Boolean function $f$ or its complement $1 + f$ admits an annihilator (a nonzero Boolean function $g$ such that $fg = 0$) of algebraic degree $d$. In ciphers, Boolean functions with high algebraic immunity should be used in order to avoid the application of algebraic cryptanalysis [10]. Recall that algebraic attacks recover the secret key, or at least the initialization of the system, by solving a system of multivariate algebraic equations that describes a cipher. Although a high algebraic immunity is a necessary cryptographic requirement, it is not sufficient, because of a more general kind of attack introduced by Courtois [11] in 2003 called the fast algebraic attack. It is well-known that the maximum algebraic immunity of an $n$-variable Boolean function is $\lceil \frac{n}{2} \rceil$. The problem of efficiently constructing balanced Boolean functions with optimal algebraic immunity is thus of great significance. Moreover, several examples of functions having optimal algebraic immunity could be found but no example of a correlation immune Boolean function with optimal algebraic immunity.
However, the major problem in construction of cryptographically strong functions is that the multiple criteria mentioned above have to be satisfied at the same time, while there exist intrinsic trade-offs between them. Such properties allow the system designer to quantify the level of resistance of the system to attacks. Since the number of Boolean functions in $n$ variables is $2^{2^n}$, an exhaustive search of functions which satisfy some of the properties above is practically impossible (unless the input variable space $n$ is quite small). Indeed, the difficulty precisely lies in finding the best trade-offs between all criteria and proposing concrete constructions of functions achieving them. Thus, bringing new construction methods of these functions is still a vivid research activity. By an $(n, m, d, N_f)$ function we specify an $n$-variable, $m$-resilient Boolean function $f$ with algebraic degree $d$ and nonlinearity $N_f$. Siegenthaler [9] proved that $m + d \le n + 1$ if $m \le n - 2$. The exact nature of trade-offs among order of correlation immunity, nonlinearity, and algebraic degree has also been investigated, for instance, in [12,13]. Using the above bounds, one may naturally try to provide the construction of an $(n, m, d, N_f)$ function for any given $n$ and $m$ while at the same time attempting to optimize $d$ and $N_f$. This optimization can be efficiently done for a small number of variables $n \le 5$, but even some interesting open problems for $n > 5$, related to the existence of $(8, 1, 6, 116)$ and $(7, 2, 4, 56)$ functions, were settled using some sophisticated computer search and theoretical results [14]. The importance of finding these optimized functions in a small number of variables lies in the fact that one can use these functions recursively to obtain new instances of optimal functions in a larger number of variables. For instance, Tarannikov [15] has provided a construction technique of optimized resilient Boolean functions with maximum possible nonlinearity.
Basically Tarannikov's construction is a recursive one, and using this technique and taking an $(n, m, d, N_f)$ optimized function, such as the $(7, 2, 4, 56)$ function, one can generate a sequence of optimal plateaued $(7 + 3i, 2 + 2i, 4 + i, 2^{7+3i-1} - 2^{2+2i+1})$ functions, $(10, 4, 5, 480)$, $(13, 6, 6, 3968)$, $(16, 8, 7, 32256)$, etc. A modified version of Tarannikov's construction was presented in [16]. A construction of Boolean functions with maximum nonlinearity and small order of resiliency has also been considered in [17]. Later, Carlet [18] proposed a general framework for these iterative concatenation methods, unifying most of these techniques into a single method called "indirect sum." This construction leads to a multiple branching infinite tree of functions, but in order to employ this construction in the design of optimal plateaued functions in an iterative manner, there are certain conditions imposed on the initial pairs of disjoint spectra functions. A recursive construction method of optimal plateaued functions (the functions of the form $(n, m, n - m - 1, 2^{n-1} - 2^{m+1})$ and for $m > \frac{n}{2} - 2$) is given in [19]. The iteration once again employs a $(7, 2, 4, 56)$ function, whose 6-variable sub-functions have disjoint spectra, to construct a sequence of $(7 + 4i, 2 + 3i, 4 + i, 2^{7+4i-1} - 2^{2+3i+1})$ optimal plateaued functions (whose $(7 + 4i - 1)$-variable sub-functions are again disjoint spectra functions). Nevertheless, this iterative method generates the functions with relatively large order of resiliency ($(11, 5, 5, 964)$, $(15, 8, 6, 15872)$, $(19, 11, 7, 258048)$, etc.), and in addition it only gives one infinite sequence of optimal plateaued functions.
For instance, in the first step of iteration, an optimal plateaued $(11, 5, 5, 964)$ function is generated whose 10-variable sub-functions are again disjoint spectra functions (two $(10, 5, 4, 452)$ disjoint spectra functions), thus leaving some open slots concerning the construction of optimal plateaued functions when $n = 8, 9, 10$. On the other hand, a modified Tarannikov construction has a slightly different effect, since the resiliency is increased by two at each step of iteration (but the degree is also increased by one) and the iteration step is three instead of four. Still, optimal plateaued functions cannot be generated for $n = 8$ or $n = 9$ using the particular $(7, 2, 4, 56)$ function. The idea of employing a set of disjoint spectra functions in construction of highly nonlinear resilient functions was firstly elaborated in [16]. Later, the sets of disjoint spectra functions were successfully used in constructions of almost optimal resilient functions. The generalized Maiorana-McFarland (GMM) construction method for obtaining the almost optimal resilient functions has been proposed in [20]. Namely, this construction generates the functions with relatively large number of variables and small order of resiliency. The resulting functions cannot be viewed as a pair of disjoint spectra almost optimal resilient functions. Recently, Zhang and Pasalic used the GMM technique to obtain the strictly optimal resilient functions with high nonlinearity and good algebraic properties [21]. The design of some balanced functions that also achieve currently best known nonlinearity can be found in [22]. Although these construction methods achieve currently the best nonlinearity for a given function, these methods are only efficient for relatively large input space of variables.

A construction of semi-bent Boolean functions
As it is described in the previous section, in the design of cryptographic functions, there is a need to consider various nonlinear characteristics simultaneously. But some characteristics restrict each other. Bent functions, for example, have maximum nonlinearity and satisfy the propagation criteria with respect to every nonzero vector over the Boolean spaces on which they are defined. However, bent functions are not balanced and exist only on even size Boolean spaces. Furthermore, bent functions are not correlation immune, and they are not suitable for use in cryptosystems. Partially bent functions are highly nonlinear and can be balanced. However, except for bent functions, partially bent functions have nonzero linear structures that are cryptographically undesirable. For these reasons, people study other classes of Boolean functions to try to overcome the disadvantage of bent functions or partially bent functions. The class of plateaued Boolean functions is one candidate that is defined by a series of inequalities and examines the critical case of each inequality. Compared with other functions, plateaued functions may reach the upper bound on nonlinearity given by the inequalities.
In what follows we specify a simple generic method for deriving semi-bent functions. This method is deduced from two bent functions whose derivatives differ by a constant one. It should be noticed that there are strong connections behind the concepts of bentness and semi-bentness though many questions remain unanswered. In particular, it is not settled how the cardinality of the whole class of bent functions relates to the class of semi-bent functions. Most notably, it appears that certain classes of semi-bent functions derived in [23] defined for even $n$ are not extendable to bent functions in $n + 2$ variables. In [24] and recently in [25], a sufficient condition on two bent functions g and h used in the construction of semi-bent functions was given as the following theorem.
Theorem 1. Let $n$ be even, and suppose that $f$ and $g$ are two bent Boolean functions in $n$ variables. If there exists an $a \in \mathbb{F}_2^n$ such that $D_a f(x) = D_a g(x) + 1$, then the function is a semi-bent function in even number of variables. This condition immediately implies the possibility of constructing infinite classes of semi-bent functions using known classes of quadratic bent functions. Notice that all quadratic Boolean functions (including bent and semi-bent functions) are classified up to equivalence and any quadratic bent function is affine equivalent to the canonical form given by $\sum_{i=1}^{n/2} x_{2i-1} x_{2i}$.
One may define a Boolean function $f$ with $n$ even to be a quadratic bent function of the form $f(x) = \sum_{i=1}^{n} b_i x_i + \sum_{1 \le i < j \le n} c_{i,j} x_i x_j$ for suitably chosen $b_i, c_{i,j} \in \mathbb{F}_2$. Furthermore, let $g$ be a Boolean function defined as g is a quadratic semi-bent Boolean function. Another related approach, though without restriction on the degree of a single bent function used, is given by the following result.
Theorem 2. Let $f$ be a bent Boolean function in an even number of variables. For $a, \alpha \in \mathbb{F}_2^n$ such that $a \cdot \alpha = 1$ define the function $g$ as either where $d \in \mathbb{F}_2$. Then, the function Proof. Obviously, in both cases $g$ is also a bent function, and if g is a semi-bent function.
q.e.d. This result enables us to construct, for even $n$, an infinite sequence of semi-bent functions from bent functions. It would be of interest to find other examples or classes of bent functions $g_1$, $g_2$, apart from using affine equivalent functions $g_1$ and $g_2$, satisfying $D_a g_1(x) = D_a g_2(x) + 1$. This appears to be a nontrivial task since apart from establishing the fact that the used bent functions are indeed affine inequivalent, at the same time, their derivatives need to satisfy the condition in Theorem 1.
$x_5 x_6$ be a bent function of degree 3 over $\mathbb{F}_2^6$. Take $a = (0, 0, 1, 0, 0, 0)$ and $\alpha = (1, 0, 1, 0, 0, 0)$ such that $a \cdot \alpha = 1$. Define the function $g$ as either : Then, using the idempotent property of Boolean ring, After some simplification, we get It is easy to compute the Walsh spectrum of function $h(x)$, i.e., $W_h(\omega) = \{0, \pm 16\}$, which means that $h(x)$ is a semi-bent function. Notice that the standard derivation rule for multiplication does not apply for our definition of derivatives. Indeed, the derivative $D_a f(x) g(x + a)$: Furthermore, using the fact that $D_a D_a f(x) = 0$ for any Boolean function $f$, we have Thus, the element $a$ is always a linear structure of $h(x)$. Nevertheless, we show that under certain sufficient conditions, $a$ is the only linear structure of $h(x)$. We have the following theorem.
Theorem 3. Let $h$ be defined as in Theorem 2, and assume that a bent function $f(x)$ is such that $\deg(D_b f(x)) > 1$ for any $b \in \mathbb{F}_2^n \setminus \{0\}$. Then $h$ has a single linear structure, that is, is a constant function only for $b = a$.
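The quantities used in the definitions and in Theorems 1 and 3 can be computed directly for small n. The following Python sketch is an added example, not code from the chapter: it assumes the standard conventions W_f(ω) = Σ_x (−1)^(f(x) + ω·x), N_f = 2^(n−1) − max|W_f(ω)|/2 and D_a f(x) = f(x) + f(x + a), takes g = f + α·x as an assumed affine-equivalent partner of the canonical quadratic bent function f, and uses a constructed 6-variable semi-bent sample s that is not the chapter's function h.

```python
from itertools import product

def truth_table(f, n):
    """Output column of f over F_2^n; the index bits are x_1 (most significant) .. x_n."""
    return [f(x) & 1 for x in product((0, 1), repeat=n)]

def to_index(bits):
    """Integer index of a vector, in the same bit order as truth_table."""
    return int("".join(map(str, bits)), 2)

def walsh_spectrum(tt):
    """W_f(w) = sum_x (-1)^(f(x) + w.x), computed with the fast Walsh-Hadamard transform."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(tt):
    """N_f = 2^(n-1) - max|W_f| / 2 (distance to the nearest affine function)."""
    return len(tt) // 2 - max(abs(v) for v in walsh_spectrum(tt)) // 2

def is_balanced(tt):
    return 2 * sum(tt) == len(tt)

def classify(tt):
    """'bent' or 'semi-bent' for even n, judged from the absolute Walsh values."""
    n = len(tt).bit_length() - 1
    values = {abs(v) for v in walsh_spectrum(tt)}
    if n % 2 == 0 and values == {2 ** (n // 2)}:
        return "bent"
    if n % 2 == 0 and values == {0, 2 ** ((n + 2) // 2)}:
        return "semi-bent"
    return "other"

def derivative(tt, a):
    """Truth table of D_a f(x) = f(x) + f(x + a); a is an integer index."""
    return [tt[x] ^ tt[x ^ a] for x in range(len(tt))]

def linear_structures(tt):
    """Nonzero b (as integer indices) for which D_b f is a constant function."""
    return [b for b in range(1, len(tt)) if len(set(derivative(tt, b))) == 1]

def theorem1_condition(tt_f, tt_g, a):
    """True when D_a f(x) = D_a g(x) + 1 for every x (hypothesis of Theorem 1)."""
    i = to_index(a)
    return all(df ^ dg == 1
               for df, dg in zip(derivative(tt_f, i), derivative(tt_g, i)))

def dot(u, v):
    return sum(ui & vi for ui, vi in zip(u, v)) & 1

N = 6
A = (0, 0, 1, 0, 0, 0)      # a and alpha as chosen in the chapter's example
ALPHA = (1, 0, 1, 0, 0, 0)  # a . alpha = 1

# f: canonical quadratic bent form x1x2 + x3x4 + x5x6.
F = truth_table(lambda x: x[0] & x[1] ^ x[2] & x[3] ^ x[4] & x[5], N)
# g = f + alpha.x: assumed affine-equivalent bent partner of f.
G = truth_table(lambda x: x[0] & x[1] ^ x[2] & x[3] ^ x[4] & x[5] ^ dot(ALPHA, x), N)
# s = x1x2 + x3x4 + x5: constructed balanced semi-bent sample (not the chapter's h).
S = truth_table(lambda x: x[0] & x[1] ^ x[2] & x[3] ^ x[4], N)

if __name__ == "__main__":
    for name, tt in (("f", F), ("g", G), ("s", S)):
        print(name, classify(tt), "N_f =", nonlinearity(tt),
              "balanced =", is_balanced(tt), "linear structures =", linear_structures(tt))
    print("Theorem 1 hypothesis holds for (f, g, a):", theorem1_condition(F, G, A))
```

The bent functions reach the maximum nonlinearity but are unbalanced and have no linear structures, while the semi-bent sample is balanced at the cost of lower nonlinearity and nonzero linear structures, which is the trade-off this section discusses.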

Conclusions
The need for the most secure possible cryptographic primitives in cipher systems is of great importance. In the case of stream ciphers, most of the reliability and security lies in the Boolean functions. To be good from the cryptographic point of view, a Boolean function should possess several of the cryptographic properties mentioned in this work. Very often such properties contradict each other. Therefore, the problem of constructing Boolean functions with stronger cryptographic properties is still a vivid research activity. We may also require new properties because attacks never stop. On the other hand, semi-bent functions are interesting for defending against the so-called soft output joint attack on pseudorandom generators, which are used in the IS-95 standard of code division multiple access technology. In this work we present an infinite sequence of semi-bent functions using known classes of quadratic bent functions. The construction of other classes of infinite sequences of semi-bent functions is an interesting research challenge.