Báo cáo toán học: " Linear recurrences and asymptotic behavior of exponential sums of symmetric boolean functions" pptx

Medina Department of MathematicsUniversity of Puerto Rico, San Juan, PR 00931 luis.medina17@upr.eduSubmitted: Jan 28, 2011; Accepted: May 13, 2011; Published: May 25, 2011 Mathematics Su

Linear recurrences and asymptotic behavior of

exponential sums of symmetric boolean functions

Francis N Castro

Department of MathematicsUniversity of Puerto Rico, San Juan, PR 00931

francis.castro@upr.edu

Luis A Medina

Department of MathematicsUniversity of Puerto Rico, San Juan, PR 00931

luis.medina17@upr.eduSubmitted: Jan 28, 2011; Accepted: May 13, 2011; Published: May 25, 2011

Mathematics Subject Classification: 11T23, 05E05

Dedicated to Doron Zeilberger on the occasion of his 60th birthday

Abstract

In this paper we give an improvement of the degree of the homogeneous linearrecurrence with integer coefficients that exponential sums of symmetric Booleanfunctions satisfy This improvement is tight We also compute the asymptoticbehavior of symmetric Boolean functions and provide a formula that allows us todetermine if a symmetric boolean function is asymptotically not balanced In par-ticular, when the degree of the symmetric function is a power of two, then theexponential sum is much smaller than 2n

Keywords: Exponential sums, recurrences, Cusick et al Conjecture for elementarybalanced symmetric boolean functions

1 Introduction

Boolean functions are one of the most studied objects in mathematics They are tant in many applications, for example, in the design of stream ciphers, block and hashfunctions These functions also play a vital role in cryptography as they are used as filterand combination generator of stream ciphers based on linear feed-back shift registers The

impor-case of boolean functions of degree 2 has been intensively studied because of its relation

to bent functions (see [11], [1])

One can find many papers and books discussing the properties of boolean functions(see [5], [9], [2] and [6]) The subject can be studied from the point of view of complexitytheory or from the algebraic point of view as we do in this paper, where we compute theasymptotic behavior of exponential sums of symmetric boolean functions

The correlation between two Boolean functions of n inputs is defined as the number

of times the functions agree minus the number of times they disagree all divided by 2n,i.e.,

func-of the minimal recurrence func-of this type that C(F ) satisfies In this paper we give animprovement to the degree of the minimal homogeneous linear recurrence with integercoefficients satisfying by C(F ) In particular, our lower and upper bounds are tight inmany cases Also, in the case of an elementary symmetric function we provide the minimalhomogeneous linear recurrence

We also compute the asymptotic value of C(F ) In particular, we give infinite families

of boolean functions that are asymptotically not balanced, i.e., limn→∞C(F ) 6= 0 In [7],

T Cusick et al conjectured that there are no nonlinear balanced elementary symmetricpolynomials except for the elementary symmetric boolean function of degree k = 2r in

2r· l − 1 variables, where r and l are any positive integers In this paper, we prove that

lim

n→∞C(σn,k) = 2

w 2 (k)−1− 1

where σn,k is the elementary symmetric polynomial of degree k in n variables and w2(k)

is the sum of the binary digits of k Note that this implies that Cusick et al.’s ture holds for sufficiently large n In particular, an elementary symmetric function isasymptotically not balanced if and only if its degree is not a power of 2 In [8], Cusick

conjec-et al presented some progress on proving this conjecture In particular, they presentedthe following stronger version of their conjecture: If n ≥ 2(k − 1), where k is fixed and

w2(k) ≥ 6, then C(F ) > 1/2 Formula (1.2) implies that this holds for sufficiently large

n when w2(k) ≥ 3

When the asymptotic value of C(F ) is zero, we compute the asymptotic values of

is a periodic function in n

2 Preliminaries

Let F be the binary field, Fn = {(x1, , xn) | xi ∈ F, i = 1, , n}, and F (X) =

F (X1, , Xn) be a polynomial in n variables over F The exponential sum associated

In this paper we study exponential sums associated to symmetric boolean functions

F Any symmetric function is a linear combination of elementary symmetric polynomials,thus we start with exponential sums of elementary symmetric polynomials

Let σn,k be the elementary symmetric polynomial in n variables of degree k Forexample,

σ4,3 = X1X2X3 + X1X4X3+ X2X4X3+ X1X2X4 (2.2)Fix k ≥ 2 and let n vary Consider the sequence of exponential sums {S(σn,k)}n∈N where

S(σn,k) = X

x 1 ,··· ,x n ∈F

(−1)σn,k (x 1 ,··· ,x n )

Define Aj to be the set of all (x1, · · · , xn) ∈ Fn with exactly j entries equal to 1 Clearly,

|Aj| = nj
and σn,k(x) = kj
for x ∈ Aj Therefore,

 (2.5)

Remark 1 Note that the sum on the right hand side of (2.5) makes sense for values of

n less than ks, while S(σn,k1+ · · · + σn,ks) does not However, throughout the paper we letS(σn,k1+ · · · + σn,ks) to be defined by the sum in (2.5), even for values of n less than ks

3 The recurrence

Computer experimentation suggests that for fix 1 ≤ k1 < · · · < ks, the sequence {S(σn,k1+

· · · + σn,k s)}n∈N satisfies a homogeneous linear recurrence with integer coefficients Forexample, if we consider {S(σn,7)}n∈N and type

If we continue with these experiments, we arrive to the observation that if r = blog2(ks)c+

1, then {S(σn,k1 + · · · + σn,ks)}n∈N seems to satisfy the recurrence

=n − 1k

+n − 1

correspond-From Theorem 3.1 it is now evident that {S(σn,k 1 + · · · + σn,k s)}n∈N satisfies (3.2).Moreover, the roots of the characteristic polynomial associated to the linear recurrence(3.2) are all different and the polynomial is given by

4 On the degree of the recurrence relation

Now that we are equipped with equation (3.6), we move to the problem of reducing thedegree of the recurrence relation that our sequences of exponential sums satisfy Theidea behind our approach is very simple Consider all roots 1 + ζ’s of Φ2t+1(x − 1) where

1 ≤ t ≤ r − 1 We know that (1 + ζ)n appears in (3.5) If we show that the coefficientthat corresponds to (1 + ζ)n is zero for each 1 + ζ, then we reduce the degree of thecharacteristic polynomial, and therefore the degree of the recurrence, by 2t

However, note that Φ2t+1(x−1) is irreducible over Q (according to Eisenstein’s criterion

on Φ2t+1(x − 1) with Φ2t+1(x) = x2t + 1, see [10]) Therefore, the coefficients related tothe roots of Φ2t+1(x − 1) are either all zeros or all non-zeros In view of (3.6), this can bedetermined by checking whether or not the sum

poly-Lemma 4.1 (Lucas’ theorem) Let n be a natural number with 2-adic expansion n =

2a 1 + 2a 2 + · · · + 2a l The binomial coefficient nk
is odd if and only if k is either 0 or asum of some of the 2ai’s

Proof: Recall that (1 + x)2 m

Corollary 4.2 Fix a natural number k Suppose its 2-adic expansion is k = 2a1 + 2a2 +

· · · + 2a l A natural number m is such that mk
is odd if and only if m has a 2-adicexpansion of the form

m = k + X

2 i 6∈{2 a1,2a2,··· ,2al}

δi2i (4.2)

where δi ∈ {0, 1}

Remark 2 Let k ≥ 1 be an integer with 2-adic expansion k = 2a 1 + · · · + 2a l Suppose

m ∈ {0, 1, 2, 3, · · · , 2r− 1} is such that mk
is odd Note that Corollary 4.2 implies

m = k + δ12b1 + δ22b2 + · · · + δt2bf, (4.3)where {2b 1, 2b 2, · · · , 2b f} = {1, 2, 22, · · · , 2r−1}\{2a 1, 2a 2, · · · , 2a l}

We now proceed to show which coefficients cj(k) are zero We start with c0(k)

Lemma 4.3 Suppose k ≥ 2 is an integer Then,

Consider now the coefficients

with j > 0 From Theorem 3.1 we know each cj(k) is the coefficient of (1 + ζj)n where

1 + ζj is a root of Φ2t+1(x − 1) for some t = 1, 2, · · · , 2r−1

Lemma 4.4 Let k ≥ 2 be an integer with 2-adic expansion k = 2a 1 + · · · + 2a l Then

cj(k) = 0 if and only if it is the coefficient of (1 + ζ)n, where 1 + ζ is a root of Φ2b+1(x − 1)and b 6= ai for all i = 1, · · · , l, i.e 2b does not appear in the 2-adic expansion of k.Proof: Recall that to show that the coefficients of the roots of Φ2t+1(x − 1) are zero isequivalent to show that

(δ 1 ,··· ,δ f )∈Ff2

exp π√−1

2t (δ12b1 + · · · + δt2bf)



(4.11)Thus, (4.10) holds if and only if expπ

However, if we set δ1 = 1, then we have

We conclude that (4.10) holds for t = b1, i.e the 2b 1 coefficients related to the roots of

Φ2b1+1(x − 1) are zero Repeat this argument with t = b2, · · · , bf to conclude that the

coefficients related to the roots of Φ2bi+1(x − 1), i = 1, · · · , f are zero Since (4.12) is ofdegree d = 2b 1 + · · · + 2b f, then only d of the coefficients cj(k) can be zero Since wealready found d coefficients that are zero, then we conclude that these are all of them.

Lemmas 4.3 and 4.4 are put together in the following theorem The function (n) used

in the theorem is defined as

(n) = 0, if n is a power of 2,

1, otherwise (4.15)Theorem 4.5 Let k be a natural number and Pk(x) be the characteristic polynomial asso-ciated to the minimal linear recurrence with integer coefficients that {S(σn,k)}n∈Nsatisfies.Let ¯k = 2bk/2c + 1 We know ¯k has a 2-adic expansion of the form

¯

k = 1 + 2a1 + 2a2 + · · · + 2al, (4.16)where the last exponent is given by al = blog2(¯k)c Then Pk(x) equals

Theorem 4.6 Let 1 ≤ k1 < k2 < · · · < ks be fixed integers and Pk1,··· ,ks(x) be the acteristic polynomial associated to the minimal linear recurrence with integer coefficientsthat {S(σn,k1+ · · · + σn,ks)}n∈N satisfies Let ¯k = 2b(k1∨ · · · ∨ ks)/2c + 1 We know ¯k has

char-a 2-char-adic expchar-ansion of the form

¯

k = 1 + 2a1 + 2a2 + · · · + 2al, (4.21)where the last exponent is given by al = blog2(¯k)c Then Pk1,··· ,ks(x) divides the polynomial

ks



is odd

 (4.23)

Suppose 2b ∈ {2, 22, · · · , 2r−1} is such that 2b does not appear in the 2-adic expansion of

Suppose m ∈ N is such that 2b does not appear in the 2-adic expansion of m Note thatequation (4.3) implies m + 2b ∈ N Thus, the same argument as in (4.13) and (4.14)imply that (4.24) is true Hence, the claim follows The following example presents a case when Theorem 4.6 is tight

Example 4.7 Consider k1 = 6 and k2 = 17 Note that 2b(6 ∨ 17)/2c + 1 = 23 =1+2+4+16 In this case, the characteristic polynomial associated to {S(σn,6+σn,17)}n∈Nis

P6,17(x) = (x − 2)Φ4(x − 1)Φ8(x − 1)Φ32(x − 1) This is the best case scenario of Theorem4.6, i.e we have equality rather than just divisibility Also, note that in this case therecurrence given by Theorem 3.1 is of degree 31, while the minimal linear recurrence is ofdegree 23

The next example presents a case in which Theorem 4.6 improves the degree of thehomogeneous linear recurrence provided by Theorem 3.1 However it did not provide theminimal degree of the recurrence

Example 4.8 Consider k1 = 3, k2 = 5, and k3 = 17 We have 2b(3 ∨ 5 ∨ 17)/2c + 1 = 23.

In this case, the characteristic polynomial of the minimal recurrence is P3,5,17(x) = (x −2)Φ32(x − 1) It divides (x − 2)Φ4(x − 1)Φ8(x − 1)Φ32(x − 1) as Theorem 4.6 predicted,but are clearly not equal The factors Φ4(x − 1) and Φ8(x − 1) do not appear in P3,5,17(x).This means that the coefficients cj(3, 5, 17) related to the roots of Φ4(x) = x2 + 1 and

Φ8(x) = x4 + 1 are zero However, since 2 and 4 appear in the 2-adic expansion of 23,then Theorem 4.6 cannot detect this

We now provide bounds on the degree of the minimal linear recurrence that {S(σn,k1+

· · · + σn,ks)}n∈N satisfies We start with the following theorem

Theorem 4.9 Suppose 1 ≤ k1 < · · · < ks are integers Let r = blog2(ks)c + 1 Then

Φ2r(x − 1) divides Pk1,··· ,ks(x), the characteristic polynomial associated to {S(σn,k1+ · · · +

This is equivalent to showing that x2r−1+ 1 does not divide

ks)xm

We present the core of our proof with a particular example The general case willfollow in a similar manner Consider the case k1 = 3, k2 = 5, and k3 = 10 Then (4.27)equals,

1 + x + x2− x3+ x4− x5+ x6+ x7+ x8+ x9− x10+ x11+ x12− x13− x14− x15 (4.28)Look at the sign of xj for j = 8, 9, · · · , 15 If xj and xj−8 have the same sign, then leavethe sign of xj as it is Otherwise, change the sign of xj After doing this, we get

1 + x + x2− x3+ x4− x5+ x6+ x7+ x8+ x9+ x10− x11+ x12− x13+ x14+ x15, (4.29)which equals

(1 + x8)(1 + x + x2− x3+ x4 − x5 + x6+ x7) (4.30)

Of course, in order to get (4.28) back, we need to add to (4.30) two times the terms forwhich we changed their signs:

(1 + x8)(1 + x + x2− x3+ x4− x5+ x6+ x7) − 2x10+ 2x11− 2x14− 2x15 (4.31)This last polynomial equals

(1 + x8)(1 + x + x2− x3+ x4− x5+ x6+ x7) + 2x8(−x2+ x3− x6− x7) (4.32)

!

+2x2r−1q(x), (4.33)where q(x) is a polynomial of degree at most 2r−1− 1 We conclude that x2 r−1

+ 1 doesnot divide (4.27) and so the claim follows Corollary 4.10 Let 1 ≤ k1 < · · · < ks be integers Let D be the degree of the minimalhomogeneous linear recurrence with integer coefficients that {S(σn,k1 + · · · + σn,ks)}n∈Nsatisfies Then 2blog2 (k s )c ≤ D ≤ 2b(k1∨ · · · ∨ ks)/2c + 1

Proof: Note that the upper bound follows from Theorem 4.6 while the lower bound is a

Note that Corollary 4.10 is an improvement of Theorem 3.1 with respect to the degree

D of the minimal homogeneous linear recurrence with integer coefficients that {S(σn,k1+

· · · + σn,k s)}n∈N satisfies From Theorem 3.1 we can only infer that D ≤ 2r− 1, where

r = blog2(ks)c + 1 However, now we know that 2blog2 (k s )c≤ D ≤ 2b(k1∨ · · · ∨ ks)/2c + 1and 2b(k1∨ · · · ∨ ks)/2c + 1 ≤ 2r− 1 Also, example 4.7 shows that the upper bound ofCorollary 4.10 can be attained In the next theorem, we show that when ks (the highestdegree) is a power of two, then the lower bound is tight

Theorem 4.11 Suppose 1 ≤ k1 < k2 < · · · < ks are fixed integers with ks = 2r−1 a power

of two Let Pk1,k2,··· ,2r−1(x) be the characteristic polynomial associated to the minimallinear recurrence that {S(σn,k1 + σn,k2 + · · · + σn,2r−1)}n∈N satisfies Then

In particular, deg(Pk1,k2,··· ,2r−1(x)) = 2r−1 = 2blog2 (k s )c

Proof: The theorem will follow if we show that c0(k1, k2, · · · , 2r−1) = 0, and

From Theorem 4.9 we know that (4.36) holds true Now, the coefficient c0(k1, · · · , ks−1,

2r−1) is zero if and only if

ks−1)+( m 2r−1)

From (3.3) we see that the period of (−1)(

m k1)+···+( m

ks−1) (4.38)

However,

(−1)(2r−1m ) = 1, if m ≤ 2r−1− 1

−1, if m ≥ 2r−1 (4.39)Thus, (4.37) holds and therefore c0(k1, · · · , ks−1, 2r−1) = 0 Similarly, the periodicity of(−1)(

ks−1)exp π√−1m

ks−1)exp π√−1m

2j

.(4.40)

So, (4.39) and (4.40) imply (4.35) This concludes the proof 

We conclude this section with the following result, which shows that when ks is apower of two, then, as n increases, |S(σn,k1 + · + σn,ks)| is much smaller than 2n

Corollary 4.12 Suppose 1 ≤ k1 < k2 < · · · < ks are fixed integers with ks = 2r−1 apower of two Then, for 0 ≤ j ≤ 2r− 1, cj(k1, · · · , ks−1, 2r−1) 6= 0 if and only if j is odd

Thus, we study c0(k1, · · · , ks) first

We already discussed the case of one elementary symmetric polynomial {S(σn,k)}n∈N,see (4.4):

c0(k) = 2

w 2 (k)−1− 1

For instance, we know that c0(k) ≥ 0, and the equality holds if and only if k is a power

of two

The method of inclusion-exclusion can be used to get a formula in the case that wehave more than one symmetric polynomial For example, in the case of two elementarysymmetric polynomials {S(σn,k1 + σn,k2)}n∈N, we have

c0(k1, k2) = 1 − 21−w2 (k 1 )− 21−w2 (k 2 )

+ 22−w2 (k 1 ∨k 2 )

(5.3)The reader can check that this formula implies c0(k1, k2) ≥ 0, with equality if and only if

w2(k1∨ k2) = w(k1) + w2(k2) and w2(ki) = 1, where i = 1 or i = 2 We start the generalcase with the following lemma

Lemma 5.1 Suppose that 1 ≤ k1 < k2 < · · · < ks are integers Define

kij



is odd

 (5.4)

m

k1

+ · · · +m

an even amount of them For example, the case of four k’s can be represented by the Venndiagram in Figure 1 In this case, we want to include the shaded regions and exclude thewhite ones

We start by adding #N (k1) + #N (k2) + · · · + #N (ks) Then, we proceed to takeout all the intersections of two sets N (ki) ∩ N (kj), i 6= j In this case, each of themhas been added twice in our previous sum Therefore, to take them out, we should add

−2#(N (k1) ∩ N (k2)) − 2#(N (k1) ∩ N (k3)) − · · · − 2#(N (ks−1) ∩ N (ks)) to the previoussum So, now we have