In the mathematical field of combinatorics, a **bent function** is a special type of Boolean function. Defined and named in the 1960s by Oscar Rothaus in research not published until 1976, bent functions are so called because they are as different as possible from all linear and affine functions. They have been extensively studied for their applications in cryptography, but have also been applied to spread spectrum, coding theory, and combinatorial design. The definition can be extended in several ways, leading to different classes of generalized bent functions that share many of the useful properties of the original.

## Walsh transform[]

The Walsh transform of a Boolean function Template:Nowrap is the function given by

where Template:Nowrap is the dot product in **Z**Template:Sup sub.^{[1]} Alternatively, let
Template:Nowrap and
Template:Nowrap.
Then Template:Nowrap and hence

For any Boolean function *ƒ* and Template:Nowrap the transform lies in the range

Moreover, the linear function Template:Nowrap and the affine function Template:Nowrap correspond to the two extreme cases, since

Thus, for each Template:Nowrap the value of characterizes where the function *ƒ*(*x*) lies in the range from *ƒ*_{0}(*x*) to *ƒ*_{1}(*x*). Bent functions are in a sense equidistant from all of these, so they are equally hard to approximate with any affine function.

## Definition and properties[]

Rothaus defined a **bent function** as a Boolean function Template:Nowrap whose Walsh transform has constant absolute value.

The simplest examples of bent functions are *F*(*x*_{1},*x*_{2}) =
*x*_{1}*x*_{2} and *G*(*x*_{1},*x*_{2},*x*_{3},*x*_{4}) =
*x*_{1}*x*_{2} + *x*_{3}*x*_{4}. This pattern continues:
*x*_{1}*x*_{2} + *x*_{3}*x*_{4} + ... + *x*_{n − 1}*x*_{n} is a bent function Template:Nowrap for every even *n*, but there is a wide variety of different types of bent functions as *n* increases.^{[2]} The sequence of values (−1)^{ƒ(x)}, with Template:Nowrap taken in lexicographical order, is called a **bent sequence**; bent functions and bent sequences have equivalent
properties. In this ±1 form, the Walsh transform is easily computed as

where *W*(2^{n}) is the natural-ordered Walsh matrix and the sequence is treated as a column vector.^{[3]}

Rothaus proved that bent functions exist only for even *n*, and that for a bent function *ƒ*,
for all Template:Nowrap.^{[1]} In fact, , where *g* is also bent. In this case,
, so *ƒ* and *g* are considered dual functions.^{[3]}

Every bent function has a Hamming weight (number of times it takes the value 1) of 2^{n − 1} ± 2^{n/2 − 1}, and in fact agrees with any affine function at one of those two numbers of points. So the *nonlinearity* of *ƒ* (minimum number of times it equals any affine function) is 2^{n − 1} − 2^{n/2 − 1}, the maximum possible. Conversely, any Boolean function with nonlinearity 2^{n − 1} − 2^{n/2 − 1} is bent.^{[1]} The degree of *ƒ* in algebraic normal form (called the *nonlinear order* of *ƒ*) is at most *n*/2 (for *n* > 2).^{[2]}

Although bent functions are vanishingly rare among Boolean functions of many variables, they come
in many different kinds. There has been detailed research into special classes of bent functions,
such as the homogeneous ones^{[4]} or those arising from
a monomial over a finite field,^{[5]} but so far the bent functions have defied
all attempts at a complete enumeration or classification.

## Applications[]

As early as 1982 it was discovered that maximum length sequences based on bent functions have
cross-correlation and autocorrelation properties rivalling those of the Gold codes and
Kasami codes for use in CDMA.^{[6]} These sequences have several applications in
spread spectrum techniques.

The properties of bent functions are naturally of interest in modern digital cryptography, which seeks to obscure relationships between input and output. By 1988 Forré recognized that the Walsh transform of a function can be used to show that it satisfies the Strict Avalanche Criterion (SAC) and higher-order generalizations, and recommended this tool to select candidates for good S-boxes achieving near-perfect diffusion.^{[7]} Indeed, the functions satisfying the SAC to the highest possible order are always bent.^{[8]} Furthermore, the bent functions are as far as possible from having what are called *linear structures*, nonzero vectors a such that *ƒ*(*x*+*a*) + *ƒ*(*x*) is a constant. In the language of differential cryptanalysis (introduced after this property was discovered) the *derivative* of a bent function *ƒ* at every nonzero point *a* (that is, *ƒ*_{a}(*x*) = *ƒ*(*x*+*a*) + *ƒ*(*x*)) is a *balanced* Boolean function, taking on each value exactly half of the time. This property is called *perfect nonlinearity*.^{[2]}

Given such good diffusion properties, apparently perfect resistance to differential cryptanalysis,
and resistance by definition to linear cryptanalysis, bent functions might at first seem the
ideal choice for secure cryptographic functions such as S-boxes. Their fatal flaw is that they fail to be balanced. In particular, an invertible S-box cannot be constructed directly from bent
functions, and a stream cipher using a bent combining function is vulnerable to a correlation attack. Instead, one might start with a bent function and randomly complement appropriate values until the result is balanced. The modified function still has high nonlinearity, and as such functions are very rare the process should be much faster than a brute-force search.^{[2]} But functions produced in this way may lose other desirable properties, even failing to satisfy the SAC—so careful testing is necessary.^{[8]} A number of cryptographers have worked on techniques for generating balanced functions that preserve as many of the good cryptographic qualities of bent functions as possible.^{[9]}^{[10]}^{[11]}

Some of this theoretical research has been incorporated into real cryptographic algorithms. The
*CAST* design procedure, used by Carlisle Adams and Stafford Tavares to construct the S-boxes for the block ciphers CAST-128 and CAST-256, makes use of bent functions.^{[11]} The cryptographic hash function HAVAL uses Boolean functions built from representatives of all four of the equivalence classes of bent functions on six variables.^{[12]} The stream cipher Grain uses an NLFSR whose nonlinear feedback polynomial is, by design, the sum of a bent function and a linear function.^{[13]}

## Generalizations[]

The most common class of *generalized bent functions* is the mod m type,
such that

has constant absolute value *m*^{n/2}. Perfect nonlinear functions , those such that for all nonzero *a*, *ƒ*(*x*+*a*) − *ƒ*(*a*) takes on each value *m*^{n − 1} times, are generalized bent. If *m* is prime, the converse is true. In most cases only prime *m* are considered. For odd prime *m*, there are generalized bent functions for every positive *n*, even and odd. They have many of the same good cryptographic properties as the binary bent functions.^{[14]}

**Semi-bent functions** are an odd-order counterpart to bent functions. A semi-bent function is
with *n* odd, such that takes only the values 0 and *m*^{(n+1)/2}. They also have good cryptographic characteristics, and some of them are balanced, taking on all possible values equally often.^{[15]}

The **partially bent functions** form a large class defined by a condition on the Walsh transform and autocorrelation functions. All affine and bent functions are partially bent. This is in turn a proper subclass of the *plateaued functions*.^{[16]}

The idea behind the **hyper-bent functions** is to maximize the minimum distance to all Boolean
functions coming from bijective monomials on the finite field *GF*(2^{n}), not just the affine functions. For these functions this distance is constant, which may make them resistant to an interpolation attack.

Other related names have been given to cryptographically important classes of functions Template:Nowrap, such as **almost bent functions** and **crooked functions**. While not Boolean functions themselves, these are closely related to the bent functions and have good nonlinearity properties.

## References[]

- ↑
^{1.0}^{1.1}^{1.2}Cite error: Invalid`<ref>`

tag; no text was provided for refs named`bool`

- ↑
^{2.0}^{2.1}^{2.2}^{2.3}Cite error: Invalid`<ref>`

tag; no text was provided for refs named`nonlin`

- ↑
^{3.0}^{3.1}Cite error: Invalid`<ref>`

tag; no text was provided for refs named`dual`

- ↑ Cite error: Invalid
`<ref>`

tag; no text was provided for refs named`homo`

- ↑ Cite error: Invalid
`<ref>`

tag; no text was provided for refs named`mono`

- ↑ Cite error: Invalid
`<ref>`

tag; no text was provided for refs named`seq`

- ↑ Cite error: Invalid
`<ref>`

tag; no text was provided for refs named`spectral`

- ↑
^{8.0}^{8.1}Cite error: Invalid`<ref>`

tag; no text was provided for refs named`sac`

- ↑ Cite error: Invalid
`<ref>`

tag; no text was provided for refs named`nyberg`

- ↑ Cite error: Invalid
`<ref>`

tag; no text was provided for refs named`highly`

- ↑
^{11.0}^{11.1}Cite error: Invalid`<ref>`

tag; no text was provided for refs named`cast`

- ↑ Cite error: Invalid
`<ref>`

tag; no text was provided for refs named`haval`

- ↑ Cite error: Invalid
`<ref>`

tag; no text was provided for refs named`grain`

- ↑ Cite error: Invalid
`<ref>`

tag; no text was provided for refs named`nyberg2`

- ↑ Cite error: Invalid
`<ref>`

tag; no text was provided for refs named`semi`

- ↑ Cite error: Invalid
`<ref>`

tag; no text was provided for refs named`plat`

## Further reading[]

- Template:Cite conference
- Template:Cite journal
- Template:Cite journal
- Template:Cite book