A Composition Construction of Bent-Like Boolean Functions from Quadratic Polynomials

A Composition Construction of Bent-Like Boolean

Functions from Quadratic Polynomials

ZENG Xiangyong and HU Lei State Key Laboratory of Information Security (Graduate School of Chinese Academy of Sciences)

Beijing, 100039, China

e-mail: {xyzeng2002, gnuleihu}@sina.com September 26, 2003

Abstract: In this paper, we generalize the composition construction of Khoo et al. for highly nonlinear Boolean functions ([1]). We utilize general quadratic forms instead of the trace map in the construction. The construction composes an -variable Boolean function and an -variable quadratic form over to get an -variable Boolean function with beautiful spectrum property and a doubled algebraic degree. Especially, the method is suitable to construct functions with 3-valued spectra (bent-like functions) or ones with better spectra (near-bent functions). Our proof technique is based on classification of quadratic forms over finite fields and enumeration of solutions of quadratic equations. We also prove the

n

m

n

F

₂

nm

p

-ary analogy of these results for odd prime

p

.

Keywords: bent-like function, bent function, near-bent function, algebraic degree, 3-valued spectrum, quadratic form

1 Introduction

Boolean functions used in cryptosystems are required to have good cryptographic properties, such as balancedness, high nonlinearity and high algebraic degree, to ensure the systems are resistant against linear cryptanalysis ([2]). Besides, it is a desirable property that a Boolean function has 3-valued spectra. This property provides a protection against the soft output joint attack ([3]).

A framework unifies such cryptographic properties is to introduce the concept of near-bent function. Except balancedness, such a function behaves like a bent function, that is, it has 3-valued spectra and high nonlinearity close to the upper bound on nonlinearity, and may have high algebraic degree. It is important to study near-bent functions since bent functions are not balanced and can’t be directly used in a cryptosystem.

Recently, Khoo et al. present a new construction for highly nonlinear Boolean functions from the theory of geometric sequence ([1, 15]). Their functions are cryptographically good and do not have a weakness shared by Boolean functions constructed by concatenating linear functions ([16]). They use a composition construction idea originated from GMW-sequences in communication ([17]). Essentially, they utilize in their construction a special quadratic form, which can be derived from a trace map between finite fields.

In this paper, we generalize their idea to utilize general quadratic forms. Our generalization can obtain a larger class of functions than that in Khoo et al.’s method. On the other hand, our method not only can construct usual binary near-bent functions, but also

p

-ary functions ([18-22,10]) for any prime

p

. In addition, our method constructs a larger class of functions than near-bent functions, called bent-like functions. On the other hand, our proof method is completely different with that of Khoo et al. It is direct and is based on classification of quadratic forms over finite fields and enumeration of solutions of quadratic equations. The proof of Khoo et al. is especially indirect and makes reference to one result of Klapper etc. ([17]), which again makes reference to another one ([23]) whose proof is complicated and very long.

This paper is arranged as follows. We give some definitions and preliminaries in Section 2. In Sections 3-4 we construct binary bent-like and near-bent functions, and discuss the basic construction in Section 3 and extend it to a cascaded construction in Section 4. In section 5, we first show a quadratic form over

F

_p must be bent-like, and then give the similar construction of

p

-ary bent-like and near-bent functions for odd

p

.

2 Preliminaries

Let

p

be a prime, , and and be the finite fields with

q

and

elements, respectively. An -variable function (over ) is a map from to . It is usually called a Boolean function if

n

p

q

=

n

q

F

F

_qm

p

F

m

q

f

F

_pn

F

_p

2

=

p

and a generalized Boolean function if

p

>

2

.

Taking a basis

(

α

₁

,

α

₂

,

_L

,

α

_n

)

q

F

of over , an -tuple over

uniquely represents an element of ,

q

F

F

_p

n

n

a

)

,

,

,

(

a

₁

a

₂

_L

a

_n

F

_p

n

a

a

α

+

₂

α

₂

+

_L

+

α

nm

1

1 . Under this representation and

its induced representation, we always assume in this paper that is the domain of any

-variable function , and is the domains of -variable functions.

q

F

n

f

F

_qm

Let

(

β

₁

,

β

₂

,

_L

,

β

_n

)

be the dual basis of

(

α

₁

,

α

₂

,

_L

,

α

_n

)

, i.e.,

Tr

(

α

_i

β

_i

)

=

1

and

0

)

=

(

Tr

α

_i

β

_j for

i

≠

j

, where

Tr

is the trace map from to . Then the usual dot

product of two

n

-tuples and over is

Tr

q

F

)

,

,

,

₂ 1

b

L

b

n

p

F

p

F

)

,

,

n n

a

a

a

α

α

α

α

=

1 1

+

2 2

+

_L

+

and

β

=

b

1

β

1

+

b

2

β

2

+

L

+

b

n

β

n

)

,

,

,

1,2 , 1

,

1

a

L

a

mn

(

b

1,1

,

b

n n i i

i

a

a

a

. As a consequence, the dot

product of two -tuples and over is

, where

nm

)

(

Tr

u

₁

v

₁

+

_L

+

u

_m

v

_m

(

a

i

)

,

,

, 2

,

1

L

b

mn

F

p

u

=

_,1

α

₁

+

_,2

α

₂

+

_L

+

_,

α

and

v

_i

=

b

_i,1

β

₁

+

_L

+

b

_i,n

β

_n. In this paper, we will study the -variable functions over with good Walsh spectra, and we always make such a convention that the input variables of the functions are written as

where each

nm

F

_p

q i

F

x

)

,

,

,

(

x

₁

x

₂

_L

x

_m

∈

corresponds to an -dimensional vector

over by

n

n

)

,

,

,

(

x

_i,1

x

_i,2

_L

x

_i,n

F

_p

x

_i

=

x

_i,1

α

₁

+

x

_i,2

α

₂

+

_L

+

x

_i,n

α

)

n

under the representation derived from the basis

(

α

1

,

α

2

,

L

,

α

,

1

, whilst the input variables of the Walsh spectra of the functions are written as

(

λ

λ

2

,

L

,

λ

m

)

where each

λ

i

∈

F

corresponds to an

-dimensional vector

n

(

λ

i,1

,

λ

i,2

,

L

,

λ

i,n

)

over

F

p by

λ

i

=

λ

i,1

β

1

+

L

+

λ

i,n

β

n under the

representation derived from the basis

(

β

₁

,

β

₂

,

_L

,

β

_n

)

p

F

i n

n

x

L

x

n

c

i in

F

p

.

n

∑

−

=

=

1

0

)

(

q s

s s

x

a

x

f

x

,

a

_s

∈

∑

∑

−

= −

=

=

1

0 , , 1

0

1 1

1

)

,

,

(

p i

i i p

i n

n

c

x

x

f

_L

_L

_L

f

q

F

n

x

1

1

i

_∈

, , 1

,

L

,

,

1L

}

0

:

max{

_{1 , ,}

1

f

deg( )

=

+

+

≠

n

i i n

c

i

i

_L

_L

f

}

0

:

)

(

Wh

max{

_p

s

a

_s

≠

s

p i

e

2π/

ω

=

)

(

Wh

_p

s

p

n

f

:

F

_q

→

∑

∈

−

=

q

F x

x x f f

W

(

λ

)

ω

( ) Tr(λ) p

F

W

_f

q

F

q

F

∈

λ

n

p

F

∑

∈

⋅ −

=

n p

F x

x x f f

W

(

λ

)

ω

( ) λ

λ

∈

F

pn

x

n p

F

f

f

An -variable function over has a unique polynomial expression of the form

( ) and a unique algebraic expression of the form

(

x

). The algebraic degree of

is defined as , and it is equal to

([24]), where is the sum of the coefficients of the p-adic expression of .

Let be a primitive complex -th root of unity. The Walsh transform of an -variable function is a complex function defined over and defined

by for , or equivalently, defined over and defined by

for , where is a vector of . The values of

W

are

Definition 1:

f

:

F

_q

→

F

_p is called a bent-like function if

|

W

_f

(

λ

)

|

is 0 or

p

u for any

q

F

∈

λ

, where

2

u

is a fixed integer.

f

is called a bent function if

|

W

_f

(

λ

)

|

=

p

n/2 for any

q

F

∈

λ

. A bent-like function is called a near-bent function if

u

=

(

n

+

1

)

/

2

when , and

for odd and

2

>

p

2

/

)

1

+

(

=

n

u

n

u

=

(

n

+

2

)

/

2

for even

n

when

p

=

2

.

Remark 1: (i) Parseval’s equation n

F

f

p

W

q

2 2

)

(

=

∑

∈

λ

λ

tells us that if

|

W

_f

(

λ

)

|

takes only one

nonzero value

θ

for

λ

∈

F

_q, then is a rational number. However, is an

algebraic integer ([25]), so is an integer ([25,26]), and hence divides by Parseval’s equation again. So, for some with being an integer.

2

θ

u

2

u

2

|

)

(

λ

f

W

2

|

θ

=

n

p

2 2

θ

u

p

=

θ

(ii) Parseval’s equation also says that

u

for a bent-like function, and that if then

|

2

/

n

≥

2

/

n

u

=

W

f

(

λ

)

|

is always nonzero.

(iii) When , the above defined bent-like functions are also called plateaued functions ([27,28,1]) or ones with 3-value spectra ([29-34,1]) since

2

=

p

)

(

λ

f

W

takes one of three values 0, ,

and , and for odd , the near-bent functions are also called Gold-like ([12,14,15]).

u

2

u

2

−

n

(iv) For

p

=

2

,

W

_f

(

λ

)

is always an integer. So, is an integer for a bent-like function,

and a bent function exists only when is even. This is a well known fact. For , may be a half integer. See [15] and the example in Section 5 (Theorem 3). For results on existence of generalized bent functions, see [20-22].

u

n

p

>

2

u

Definition 2: Let be an -variable function over . If the outputs of at exact

1

of its all possible inputs are for any element of , then is called to be balanced.

f

n

a

p

F

p

F

f

/

p

a

f

Lemma 1: Let be an -variable function over . is balanced if and only if

.

f

n

F

p

f

0

)

0

(

=

f

Proof. It is clear by the fact that

0

if and only if 1

0

=

∑

−

=

p i

i i

a

ω

a

₀

=

a

₁

=

_L

=

a

_p−1, where

are integers. 1

0

,

,

a

p−

a

_L

Bent functions are ones with optimal nonlinearity ([35]), but they are not balanced by Lemma 1 (also a well known fact), so they can’t be directly used in the design of cryptosystems. Patterson and Wiedemann show that for odd , it is possible to construct functions whose nonlinearity is greater than that obtained by concatenating two bent functions ([36]). Maitra and Sarkar give methods to heuristically modify the Patterson-Wiedemann and bent functions to achieve balanced and still retain nonlinearity higher than the bent concatenation value ([37]). However, the spectra of these modified functions are not considered and maybe they are vulnerable under the soft output joint attack ([3]). One of our purposes is also to obtain balanced Boolean functions with good nonlinearity and we concentrate our attention on studying near-bent functions. Different from their methods, our idea is composing an -variable near-bent function and a quadratic form over . See [38] for knowledge of quadratic form over a finite field.

15

≥

n

n

n

p

F

Definition 3: An -variable quadratic form over is a polynomial over of the form

,

m

a

m j

∑

=1

q

F

q

F

q

F

c

x

b

x

x

x

x

Q

m i

i i i

j i ij

m

=

+

∑

+

=1 ,

1

,

,

)

(

_L

a

_ij

,

b

_i

,

c

∈

q

F

. It needs not to be homogeneous, i.e.,

and may be nonzero. If for any

i

b

c

β

∈

, the outputs of at exact

1

of

its all possible inputs are

)

,

,

(

x

₁

x

_m

Q

_L

/

q

β

, then is called to be balanced. is called to be non-degenerate if it is not transformed to a quadratic form of fewer variables under any invertible affine transformation over on .

Q

q

F

(

x

₁

,

_L

)

,

,

(

x

₁

x

_m

Q

_L

)

,

x

_m

3 Bent-like functions from quadratic forms

In this section, we assume , and present a construction of bent-like functions, which composes balanced quadratic forms.

2

=

p

Let be an -variable Boolean function, and Q be an -variable quadratic form over . Define an -variable function

f

n

q

F

)

,

,

(

x

₁

_L

x

_m

m

nm

g

as

f

(

Q

(

x

₁

,

_L

,

x

_m

))

.

spectra of

g

take such values: 0 and , , where is an integer depending

only on .

)

(

λ

f d

W

q

±

m q

* q

F

∈

λ

d

)

,

,

x

_m

Q

_L

=

Λ

(

λ

(

x

₁

∑

∈

−

m q m F

x

x )

,

( Tr ₁₁

)

1

(

λ L+λmxm)+f

,

,

(

x

1

x

2

m))

)

,

1

x

m

x

,

_L

d

1

x

1

L

+

d

m

1

≥

0

≥

t

x

2

≥

1 2t+

≥

2 2t

x

α

+

2 2

+

+

α

x

_t

'

Q

x

x

x

1 2

+

3

3 2 1

x

+

x

x

3 2 1

x

+

x

x

x

x

x

1 2

+

3

3 2 1

x

+

x

x

2 1

(

x

x

+

x

3 2 1

(

x

x

+

x

q

t

x

2

≥

1

1 2 2t

+

x

t+

x

2 1 2 2t

+

x

t+

x

t

t

x

x

2−2

+

22−1

+

2

1 2 2t

+

x

t+

+

x

x

2 1 2 2

1

x

t

)

+

α

x

t−

−

2 1 2 2

1

x

t

)

+

α

x

t−

≥

1

F

∈

α

Q

)

L

,

x

_m

∑

∈

−

m q m F

x x, , ) (

Tr

1

)

1

(

L

+ + dmx

x d11 L

Λ

g

W

(

(

)

,

(

x , ,

1L

,

1

L

λ

m

=

λ

(

d

₁

,

_L

,

d

_m

)

=

(

0

,

_L

,

0

)

1

)

1

1 ) ( Tr

, , ( ) ( Tr

0 1 0

)

1

(

)

1

(

( ( ' (

−

−

0)

∑

∈ −

m

z m d

x x d

q

L

+ ∈

q m q

F

z f F

x Q f

'

Q

g

Proof. Let ₁

,

_L

,

λ

_m

)

∈

F

. Then

+

=

Λ

x

x x Q g

W

, (

, , ( (

1

1

)

(

L

L _.

By applying an invertible affine transformation on

L

,

x

m

)

([38]),

λ

1

x

1

+

L

+

λ

m

x

m

and

Q

(

can be transformed into

+

x

m

+

d

0 and ,

respectively, where is of one of the following (pairwisely affinely non-equivalent) forms:

0

1

,

,

)

(

'

x

L

x

m

+

c

Q

)

,

,

(

x

₁

_L

x

_m

i)

x

4

+

L

+

x

2_t−1 (

t

);

ii)

x

₄

+

_L

+

x

_2t−1 (

t

);

iii)

x

₄

+

_L

+

x

_2t−1 (

t

);

iv)

x

4

+

L

+

x

2_t−3 (

t

1

);

v)

x

₄

+

L

+

x

_2t−1 (

t

0

);

vi) ₃

x

₄

+

_L

+

x

_2t (

t

≥

1

);

vii)

x

₄

+

_L

+

x

_2t−

x

_2t+1 (

t

),

where satisfies

Tr

(

α

)

=

1

. Since is balanced, so is . By Lemma 3 in Appendix,

should be one of Cases ii), iii), iv), and vii).

'

Q

,

(

'

x

₁

Q

We have

+ +

−

=

₍

₁

₎

Tr(d0) ( m) f(Q'(x m) c0)

)

If

Λ

=

0

,

_L

,

0

)

, then

)

, and

0

(

(

)

(

) )

) , ,

0 1

=

−

=

−

=

Λ

∑

+

m

c c x g

W

L

)

0

,

,

0

(

)

,

,

(

1

L

≠

L

=

Λ

λ

λ

m and

(

d

1

,

L

,

d

m

)

≠

(

0

,

L

,

0

)

. For

y

,

z

∈

F

q, let

δ

y,z be the

number of

(

x

₁

,

_L

,

x

_m

)

∈

F

_qm satisfying both that

d

₁

x

₁

+

_L

+

d

_m

x

_m

=

y

and . Then

z

x

x

Q

'

(

₁

,

_L

,

_m

)

=

∑

∈

−

−

q F z y y z y d , ( Tr , ) ( Tr ₀

)

1

(

)

1

δ

f(z+c0)

=

(

)

Λ

g

W

(

0

≠

Λ

z y,

)

δ

y

W

_g

(

Λ

)

=

0

'

,

,

,

₂

1

N

d

d

N

if

if

1 2 1







≠

=

+

=

dz

y

N

dz

y

N

N

'

,

,

,

₂

1

N

d

d

N

y

y

z

z

,z y

δ

)

(

)

(

N

2

W

d

W

g

Λ

=

±

f

'

,z

=

y

δ

)

(

)

(

N

₂

W

d

2

W

_g

Λ

=

±

_f

N

+c z f( 0)

)

1

0

) ( Tr

=

−

)

1

−

Tr

)

1

(

∑

∈Fq

y

)

1

(

−

Tr

=

Λ

g

W

(

)

)

(

Λ

=

y

)

1

( )

) ( ) 0 0 z f c z c + + g

W

)

(

W

g

Λ

1

(

1

(

(

−

=

−

=

−

=

( f z

−

−

)

1

(

.

Now we need the following lemma.

Lemma 2: For a fixed ,

(a) If is independent on , then .

(b) Assume there exist integers , independent on and , such that

'

'

+

+

d

d

Then .

(c) Assume there exist integers , independent on and , such that

if

'

if

1 2 1









+

≠

+

=

+

d

z

d

y

N

d

z

d

y

N

N

Then .

(d) For any constant ,

∑

∈

−

−

q F z y y z y d

N

, ) ( Tr , )

( 0

₍

δ

₎₍

₁

₎

₍

.

Proof. We use the fact that

(

−

1

)

Tr(y)

=

0

. So, (d) is trivial. (a) We have

(

)

1

(

( ) , )

( 0

∑

−

0

∑

−

∈ ∈

+

q q

F

z y F

c z f z y d

δ

. (b) We have

(c) Similarly as (b), we have

).

(

)

1

(

)

1

(

)

1

(

)

1

(

)

1

(

)

1

(

)

1

(

)

(

2 ) ' (

Tr

) ( ) ( Tr 2 ) ' (

Tr

) ( ) ( Tr 2 ) ' (

Tr

0 0

2 0

0 0 0

d

W

N

N

W

f d dc d

F z

z f z d d

dc d

F z

z f z d d

dc d g

q q

+ −

∈ + −

∈ + −

−

=

−

−

−

=

−

−

−

=

Λ

∑

∑

Continue the proof of Theorem 1. Note that

δ

_y,z is the number of the solutions of the system of equations

m q

m

F

x

x

,

,

)

∈

(

₁

_L

(2)

)

,

,

(

'

(1)

1 1 1







=

=

+

+

z

x

x

Q

y

x

d

x

d

m m m

L

L

Let be the all variables which appear in the expression of , that is, for iv), and for ii), iii), and vii). If there exists a subscript such that , then by taking values of satisfying (2), arbitrarily taking values for and then taking a uniquely determined value for to make (1) holds, we are easy to know that

u

x

x

1

,

L

,

t

2

0

≠

u

x

,

,

,

+2

L

)

,

,

(

'

x

1

x

m

Q

_L

u

i

>

u

=

i

d

u

x

+1

1

2

+

=

t

u

i i+1

,

x

+2

,

L

,

u

x

x

1

,

L

,

z y, m

i

x

x

x

−1

,

x

i

δ

is equal to the product of and the number

of solutions of Equation (2), and

1

− −u m

q

)

,

x

_u

L

,

,

₂ 1

x

x

(

δ

_y,z is independent on . Thus, by Lemma

2 (a), .

y

0

=

)

(

Λ

g

W

Below we assume that

d

u+1

=

L

=

d

m

=

0

u

x

x

x

1

,

2

,

L

,

. Then the system of equations (1) and (2) is degenerately on the variables . Let

δ

'

_y,z be the number of the solutions

of this degenerated system of equations, then .

u q

u

F

x

x

,

,

)

∈

(

₁

_L

δ

_y,z

=

q

m−u

δ

'

_y,z

If , then by taking values of satisfying (1) and taking a uniquely determined value of satisfying (2), we have and , then by Lemma 2 (a) again,

0

=

u

d

x

₁

,

x

₂

,

_L

,

x

_u−1

,

'

_yz

=

q

u

δ

u

x

0

2

− 2

,

−

=

m z

y

q

δ

)

(

Λ

=

g

W

.

Assume

d

u

≠

0

. Then

u u

u

u

c

x

c

x

y

d

where

c

i

=

d

i

/

d

u. Replacing

x

u in (2) by

c

1

x

1

+

L

+

c

u−1

x

u−1

+

y

/

d

u

1 2

1

,

x

,

,

x

u−

x

_L

, the degenerated system of equations becomes a single equation on variables , which has a form of one of the following:

∑

∑

= − = −

+

+

=

t i i i u t i i

i

x

z

y

d

c

c

x

1 2 1 2 1 2 1

2

'

/

'

(3)

2 1 2 2 2 2 2 2 2 1 2 2 1

2

)

(

/

)

(

u t i i i i i i

i

x

c

x

c

x

z

y

d

x

+

+

=

+

∑

= − − (4)

∑

∑

− = − − − − − = −

+

+

=

+

+

1 1 2 1 2 1 2 1 2 2 1 2 1 1 2 1

2

'

/

'

t i i i u t t t t i i

i

x

x

c

x

z

y

d

c

c

x

(5)

∑

∑

= − − − = −

+

+

+

+

=

+

+

t i i i t t u t t t i i

i

x

x

x

z

y

d

c

c

c

c

x

1 2 1 2 2 2 2 1 2 2 2 2 1 2 1 2 1

2

'

'

'

/

'

α

α

α

α

(6)

corresponding to Cases ii), iii), iv), and vii), respectively, where and (

i i

i

x

c

x

'

₂₋₁

=

₂₋₁

+

₂

1 2 2 2

'

_i

=

x

_i

+

c

_i−

x

1

≤

i

≤

t

) in (3), (5), and (6). For Case ii), by Lemma 3 in Appendix,

/

if

/

if

'

1 2 1 2 1 1 2 1 2 1 2 1 1 2 ,













≠

+

−

=

+

+

−

=

∑

∑

= − − − = − − − t i i i u t t t i i i u t t t z y

c

c

d

y

z

q

q

c

c

d

y

z

q

q

q

δ

and by Lemma 2 (b),

W

_g

(

Λ

)

=

±

q

m−2t−1

q

t

W

_f

(

d

_u

)

=

±

q

m−t−1

W

_f

(

d

_u

)

. For Case iii), by Lemma 4 in Appendix,

0

)

/

(

if

0

)

/

(

if

'

2 1 1 2 2 1 1 2 ,









≠

+

±

=

+

±

=

_{− −} − − u t t u t t t z y

d

y

z

q

q

d

y

z

q

q

q

_m

δ

and by Lemma 2(c),

W

(

)

q

2 1

q

W

(

d

'

'

)

q

1

W

f

(

d

'

'

)

.

t m f t t m g − − − −

₌

_±

±

=

Λ

For Case iv), if

c

2t−1

=

0

then and 2 2 ,

'

yz

=

q

t−

δ

W

g

(

Λ

)

=

0

by Lemma 2(a). Suppose

. Replacing by

c

(

1

0

1 2t−

≠

c

x

'

_{i 2t−1}

x

'

'

_i

≤

i

≤

2

t

−

2

) and replacing by , (5)

become

1 2

'

_t−

x

c

_2t−1

x

'

'

_2t−1

1 2 2 1 1 2 1 2 1 2 2 1 2 1 1 2 1

2

'

'

'

'

'

'

(

/

)

/

'

'

− − = − − − − = −

∑

∑

+

+

=

+

+

t

t i i i u t t t i i

i

x

x

x

z

y

d

c

c

c

x

.

)

1

(

'

, 2 2 1 Tr( )

a t

t z

y

=

q

+

q

−

− −

δ

, , 2 1

(

1

)

Tr( ) ,

a t

m m z

y

=

q

+

q

−

− − −

δ

where 22 1. By Lemma 2(d),

1 1

2 1

2

)

/

/

(

−

−

= −

∑

+

+

=

t

t i

i i

u

c

c

c

d

y

z

a









=

±

≠

=

−

−

±

=

Λ

− −

− −

− ∈

+ +

−

−

∑

1

if

)

(

1

if

0

)

1

(

)

1

(

)

(

1 2 2 2

1 2

1 2 2 ,

) ( ) ( Tr

1 0

t u t

f t m

t u F

z y

c z f a y t

m g

c

d

c

W

q

c

d

q

W

q

For Case vii), by Lemma 3,

otherwise

/

if

'

1 1 2

1 2 1 2 2

2 2

1 2 1

1 2 ,











−

+

+

=

+

+

−

=

− −

= −

− −

−

∑

t t

t i

i i t

t u t

t t z y

q

q

c

c

c

c

d

y

z

q

q

q

α

α

δ

and by Lemma 2(b) again, . This completes the

proof.

)

(

)

(

)

(

2 1 1 f u

t m u

f t t m

g

q

q

W

d

q

W

d

W

Λ

=

±

− −

=

±

−−

Remark 2: (1) As noted in Introduction, our proof technique is direct and is based on enumeration of solutions of quadratic forms over a finite field. Khoo et al. prove their conclusion by using a result on crosscorrelation of sequences.

(2) Our result is different with that of Khoo et al. in three aspects: a) The quadratic form used

in [1] is , where

Tr

is the trace map from to . The form is

homogeneous, and is special among homogeneous forms, while the form in our construction is any (balanced) and may be not homogeneous; b) The index in [1] is assumed to be odd, while in ours can be even; c) The quadratic form used in [1,17] is non-degenerate and is equivalent to only one case, Case iii) in Theorem 1, while ours can be any balanced form.

)

(

Tr

m_/ k+1

q q

q

x

qm/q

F

qm

F

q

m

m

Corollary 1: Assume and Q are balanced and is non-degenerate. Then

the spectrum set of is

f

(

Q

)

,

,

(

x

1

L

x

m

))

,

x

_m

Q

,

(

x

₁

f

_L

{

±

q

[m/2]

W

_f

(

λ

)

:

λ

∈

F

_q

}

.

Corollary 2: Assume is balanced and the spectra of are 3-valued: 0 and ,

where is an integer satisfying and

f

f

)

2

2 / ) (

2

n+l

±

l

l

≥

1

l

=

n

(mod

, and assume is

balanced and non-degenerate. Then the spectra of are also 3-valued: 0 and

. Furthermore, if

m

is odd, then the nonzero spectrum values of

are , and consequently, is near-bent if and

)

,

x

_m

L

,

(

x

₁

Q

))

,

x

_m

,

,

1

x

x

L

,

1

L

(

Q

(

(

Q

x

f

(

f

[ 2]n+

,

1

x

2 / ) ( /

2

m n+l

±

,

(

(

Q

x

m

only if also is

f

; while if

m

is even, the nonzero spectrum values are

±

2

(nm+n+l)/2.

2

}

m

∑

=

=

)

(

q s

x

f

)

,

,

(

x

1

L

x

m

,

L

,

0

q

t

}

m

u

s

2

1

≤

_s

<

L

1

0

u

t

s

s

=

u

x

Q

0

(

+

2

s

,

'

1

t

<

'

1

Wh

+

L

0

Wh

q

(

q

u

,

,

,

t

1

t

f

u

)

+v

)

Q

=

.

(

q

=

_L

Remark 3: When is even, can’t be a near-bent function. It is an

interesting phenomenon that in study of bent-like functions, we usually obtain better conclusion in the case of being odd than that of being even.

m

f

(

Q

(

x

1

,

L

,

x

m

))

m

m

Theorem 2: Assume

m

≥

. Then

deg

f

(

Q

(

x

1

,

L

,

x

m

))

=

2

deg(

f

).

Proof. Let

{

γ

₁

,

_L

,

γ

be a basis of the field over . Let be

the polynomial expression of . Set

m

q

F

m

x

q

F

−1 0

s s

x

a

f

X

=

x

1

γ

1

+

L

+

γ

m. Since is quadratic,

it can be written as

Q

∑

∈S

t t

X

c

=

t

)

m

x

x

Q

(

₁

,

, where

0

,

0

:

,

{

q

q

u

m

v

v

w

S

=

u v

+

v+w

≤

<

≤

<

+

<

, and there exists a subscript of the form

q

v

+

q

v+w such that

c

_t

≠

0

.

Let

s

=

+

_L

+

2

s be the binary expression of

s

,

1

≤

s

<

2

n,

<

s

u

<

n

. Then

u s s u s u s u

t t

t S t S t q s

s

q s

s t

t t s m

X

c

c

a

a

X

c

a

x

f

2 2 2 2

1 1

1 0 1

1 1 1

1 1

)

(

))

,

,

(

+ +

∈ ∈ −

=

−

=

∑

∑

∑

∑ ∑

=

=

L

L

L

L

It is easy to show that if , then

'

, , and

, where is the binary expression of ,

,

'

2

'

2

2

' ₁ '

1

1 1

v s s

u s s

t

t

t

t

+

+

u

=

+

+

v

L

L

' '

2

2

'

s1 sv

s

=

+

_L

+

n

s

v

v

=

)

'

,

(

)

,

,

(

t

1

L

t

u

=

L

t

v n

s

'

2

1

≤

<

'

s

<

<

'

L

)

(

)

(

1 q u

q

t

+

L

+

Wh

t

(

0

≤

0

)

2

2

(

1

2

1

u s s

t

t

Wh

+

u

, and also to show that , where

=

Wh

q

)

=

, , and

. So,

1

)

=

2

(

u

+

u

=

q

q

q

Wh

deg

2

}

deg

)

(

1

:

)

(

)

max{

(

deg

1 2

f

S

s

Wh

u

t

Wh

t

Wh

4 Recursively composed bent-like functions

Similar as the construction of cascaded GMW sequences ([17]), we recursively compose bent-like functions in this section.

Set 0

2

,

n

q

q

=

=

1

,

i

m i i

q

q

=

₋

1

≤

i

≤

l

.

Let be an -variable Boolean

function, and be an -variable quadratic form over .

Define recursively the functions

2

0

:

F

F

g

q

→

i

m

n

1

−

→

i

q

F

:

)

,

i i q

m

F

x

,

(

1 i

x

Q

_L

1

−

i

q

F

.

1

)),

,

,

(

(

)

(

x

g

₁

Q

x

₁

x

i

l

g

i

m i

i

i

=

−

L

≤

≤

By Theorems 1-2 and Corollary 2we have

Corollary 3: Assume

f

and

Q

(

₁

,

,

)

with are balanced.

i

m

i

x

L

x

m

i

≥

2

(i)

g

_l is balanced, and

deg

g

l

=

2

l

deg

f

.

(ii) The spectra of take the values 0 and , , where

is an integer depending only on .

l

g

₀1 ₁2 ₁

(

λ

)

f e l e e

W

q

q

q

l

−

±

_L

)

,

i

m

x

L

* q

F

∈

λ

]

2

/

[

i

i

m

e

≥

Q

i

(

x

1

,

(iii) Assume all are non-degenerate. Then the spectra of take the values 0 and , where . In particular, when all are odd,

the spectra of take values 0 and

i

Q

] 2 /

W

l

g

)

(

[

1 ] 2 / [ 1 ] 2 / [ 0

2

1

λ

f m l m

m

q

q

q

l

−

±

_L

l

g

* q

F

∈

λ

m

i

(

1

≤

i

≤

l

)

)

(

1

λ

f m

W

l− 2

2 1m

m

q

L

±

, . Furthermore, if is

near-bent, then also is .

* q

F

∈

λ

f

l

g

5 A generalization to p-ary bent-like functions

In this section we assume

p

is odd and generalize the above results to

p

-ary bent-like functions. First, we show that any quadratic polynomial over is bent-like.

The similar result is well known for

)

,

,

(

x

1

x

n

h

_L

F

p

2

=

p

. Further, we characterize when is bent or near-bent. Second, we show that a composition of a bent-like function and a quadratic form is also bent-like, and as a consequence, there is also a GMW-like construction of bent-like functions for odd

)

,

(

x

x

_n

h

₁

,

_L

Theorem 3: Let

p

be odd and

h

(

x

1

,

L

,

x

n

)

be an

n

-variable quadratic form over

F

p. Then (i)

h

(

x

₁

,

_L

,

x

_n

)

is always bent-like.

(ii) Assume

h

(

x

₁

,

_L

,

x

_n

)

is affinely equivalent to a

r

-variable non-degenerate quadratic form. Then the nonzero value of

|

W

h

(

λ

)

|

is either or .

2 / ) 2 ( n r

p

−

p

(2n−r+1)/2

(iii) is bent if and only if it is equivalent to , where

, .

)

,

,

(

x

₁

x

_n

h

_L

q

F

c

0

∈

0 2 1

1 2

c

cx

x

_n

n i

i

+

+

∑

−

=

* q

F

c

∈

(iv) If

h

(

x

1

,

L

,

x

n

)

is homogeneous, then the nonzero value of

|

W

h

(

λ

)

|

is ,

and is bent and near-bent if and only if

2 / ) 2 ( n r

p

−

)

,

x

n

L

,

(

x

1

h

r

=

n

and

n

−

1

, respectively.

Proof. Let

x

=

(

x

₁

,

_L

,

x

_n

)

denote a row vector. There are an

n

×

n

matrix , a column vector

A

B

and a

c

∈

F

_p such that , where denotes the

transpose of

c

xB

xAx

x

x

h

(

₁

,

_L

,

_n

)

=

t

+

+

x

t

x

. Then for

λ

=

(

λ

1

,

L

,

λ

_n

)

∈

F

_pn,

∑

∑

∑

∑

∑

∑

∈

+

∈

− ⋅ −

∈

− − +

∈

⋅ − ∈

+ ⋅ − + + − ⋅ ∈

⋅ − −

⋅

=

=

=

=

n p

t t n

p

n p n

p n p

n p

F x

x A A z F

z

c z z h

F x

z h x h z x h F

z

z z h F z x

z x z x h x h x F y x

y y h x h x h

W

) ( )

(

) ( ) ( ) ( )

( ,

) ( ) ( ) ( ,

) ( ) ( 2

|

)

(

|

ω

ω

ω

ω

ω

ω

ω

λ

λ λ

λ λ

λ λ

Let

V

=

{

z

∈

F

_pn

:

z

(

A

+

A

t

)

=

0

}

and

V

s

p

F

=

dim

. Since

∑

=

0

∈ n

p t

F x

zx

ω

for

0

,

we have

n p

F

z

∈

≠

|

)

(

|

2

∑

( )

∈

− ⋅ −

=

V z

c z z h n

h

p

W

λ

ω

λ .

c

x

h

(

)

−

V z

∑

∈

ω

is a linear function on since

h

, and

so, or 0. Thus, or 0, and is

bent-like.

V

(

x

+

z

)

−

h

(

x

)

−

h

(

z

)

−

c

=

z

(

A

+

A

t

)

z

t

=

0

2

/ ) (

|

)

(

n s

h

p

W

λ

=

+

h

(

x

₁

,

x

₂

,

_L

,

x

_n

s c z z h

p

=

− ⋅ −λ

) (