Hadamard matrices, d-linearly independent sets and correlation-immune Boolean functions with minimum Hamming weights

Abstract

It is known that correlation-immune (CI) Boolean functions used in the framework of side channel attacks need to have low Hamming weights. In this paper, we study minimum Hamming weights of 3-CI Boolean functions, and prove that the Carlet-Chen conjecture is equivalent to the famous Hadamard conjecture. Moreover, we propose a method to construct low-weight n-variable CI functions through d-linearly independent sets, which can provide numerous minimum-weight d-CI functions. Particularly, we obtain some new values of the minimum Hamming weights of d-CI functions in n variables for \(n\le 13\).

Appendices

Appendix A: Some results on the maximum number of orthogonal vectors in \({\mathbb {F}}_{2}^{n}\)

A group of vectors in \({\mathbb {F}}_{2}^{n}\) are said to be d-orthogonal if any m vectors of them are orthogonal, for \(1\le m\le d\). We use \(OA_{n,d}\) to denote the maximum number of d-orthogonal vectors in \({\mathbb {F}}_{2}^{n}\). Let \({\mathbf {p}}_1,{\mathbf {p}}_2,\ldots ,{\mathbf {p}}_m\) be d-orthogonal row vectors and M be the matrix \([{\mathbf {p}}_1^T,{\mathbf {p}}_2^T,\ldots ,{\mathbf {p}}_m^T]\). Clearly, if we negate any columns or exchange any rows of M, then the columns of the induced matrix are still d-orthogonal.

Let \({\mathbf {p}}_1,{\mathbf {p}}_2,\ldots ,{\mathbf {p}}_m\) be 4-orthogonal column vectors and \(M=[{\mathbf {p}}_1,{\mathbf {p}}_2,\ldots ,{\mathbf {p}}_m]\). Clearly, by exchanging rows, the first four columns of M can be transformed to the following vectors one by one:

$$\begin{aligned} {\mathbf {q}}_1= & {} \left( {\mathbf {0}}_{\frac{n}{2}},{\mathbf {1}}_{\frac{n}{2}}\right) ^T,\\ {\mathbf {q}}_2= & {} \left( {\mathbf {0}}_{\frac{n}{4}},{\mathbf {1}}_{\frac{n}{4}},{\mathbf {0}}_{\frac{n}{4}},{\mathbf {1}}_{\frac{n}{4}}\right) ^T,\\ {\mathbf {q}}_3= & {} \left( {\mathbf {0}}_{\frac{n}{8}},{\mathbf {1}}_{\frac{n}{8}},{\mathbf {0}}_{\frac{n}{8}},{\mathbf {1}}_{\frac{n}{8}},{\mathbf {0}}_{\frac{n}{8}},{\mathbf {1}}_{\frac{n}{8}},{\mathbf {0}}_{\frac{n}{8}},{\mathbf {1}}_{\frac{n}{8}}\right) ^T,\\ {\mathbf {q}}_4= & {} \left( {\mathbf {0}}_{\frac{n}{16}},{\mathbf {1}}_{\frac{n}{16}},{\mathbf {0}}_{\frac{n}{16}},{\mathbf {1}}_{\frac{n}{16}},{\mathbf {0}}_{\frac{n}{16}},{\mathbf {1}}_{\frac{n}{16}},{\mathbf {0}}_{\frac{n}{16}},{\mathbf {1}}_{\frac{n}{16}},{\mathbf {0}}_{\frac{n}{16}},{\mathbf {1}}_{\frac{n}{16}},{\mathbf {0}}_{\frac{n}{16}},{\mathbf {1}}_{\frac{n}{16}},{\mathbf {0}}_{\frac{n}{16}},{\mathbf {1}}_{\frac{n}{16}},{\mathbf {0}}_{\frac{n}{16}},{\mathbf {1}}_{\frac{n}{16}}\right) ^T, \end{aligned}$$

where \({\mathbf {0}}_{i}=(0,\ldots ,0)\) and \({\mathbf {1}}_{i}=(1,\ldots ,1)\in {\mathbb {F}}_{2}^{i}\). Let \({\mathbf {q}}_5=[\alpha _1,\ldots ,\alpha _{8}]^T\), where \(\alpha _j\in {\mathbb {F}}_{2}^{n/8}\). Suppose \({\mathbf {q}}_1\), \({\mathbf {q}}_2\), \({\mathbf {q}}_3\), \({\mathbf {q}}_4\) and \({\mathbf {q}}_5\) are 4-orthogonal. Clearly, \(\alpha _1,\ldots ,\alpha _{8}\) must be balanced vectors, since \({\mathbf {q}}_1\), \({\mathbf {q}}_2\), \({\mathbf {q}}_3\) and \({\mathbf {q}}_5\) are 4-orthogonal. Let \({\mathbf {q}}_4=[\beta _1,\ldots ,\beta _{8}]^T\) and \(x_i\) be the Hamming weight of \(\alpha _i\oplus \beta _i\), where \(1\le i\le 8\). Since \({\mathbf {q}}_5\oplus {\mathbf {q}}_4\oplus c_1{\mathbf {q}}_1\oplus c_2{\mathbf {q}}_2\oplus c_3{\mathbf {q}}_3\) is balanced for \((c_1,c_2,c_3)\in {\mathbb {F}}_{2}^{3}\) and \(wt(c_1,c_2,c_3)\le 2\), we have

$$\begin{aligned} \left\{ \begin{array} {l} x_1+x_2+x_3+x_4+x_5+x_6+x_7+x_8=\frac{n}{2} \\ x_1+x_2+x_3+x_4-x_5-x_6-x_7-x_8=0 \\ x_1+x_2-x_3-x_4+x_5+x_6-x_7-x_8=0 \\ x_1-x_2+x_3-x_4+x_5-x_6+x_7-x_8=0 \\ x_1+x_2-x_3-x_4-x_5-x_6+x_7+x_8=0 \\ x_1-x_2+x_3-x_4-x_5+x_6-x_7+x_8=0 \\ x_1-x_2-x_3+x_4+x_5-x_6-x_7+x_8=0. \\ \end{array} \right. \end{aligned}$$

Therefore,

$$\begin{aligned} (x_1,x_2,x_3,x_4,x_5,x_6,x_7,x_8)=\left( C,\frac{n}{8}-C,\frac{n}{8}-C,C,\frac{n}{8}-C,C,C,\frac{n}{8}-C\right) , \end{aligned}$$

(1)

where \(0\le C\le \frac{n}{8}\).

Take \(n=48\). Then by exchanging rows or negating the column, \({\mathbf {q}}_5\) can be transformed to \((\gamma _1,\gamma _2,\gamma _2,\gamma _1,\gamma _2,\gamma _1,\gamma _1,\gamma _2)\), where \((\gamma _1,\gamma _2)\) is

$$\begin{aligned} (0, 0, 0, 1, 1, 1,1,1,1,0,0,0) \ or \ (0, 0, 1, 0, 1, 1,0,1,1,0,0,1). \end{aligned}$$

If \((\gamma _1,\gamma _2)=(0, 0, 0, 1, 1, 1,1,1,1,0,0,0)\), then there is no \({\mathbf {q}}_6=(\theta _1,\ldots ,\theta _{8})\) such that \({\mathbf {q}}_1,{\mathbf {q}}_2,\ldots ,{\mathbf {q}}_6\) are 4-orthogonal. Otherwise, \(\theta _1,\ldots ,\theta _{8}\) must be balanced vectors and

$$\begin{aligned} wt(\theta _1\oplus \beta _1)+wt(\theta _2\oplus \beta _2)+wt(\theta _1\oplus \gamma _1)+wt(\theta _2\oplus \gamma _2)=6+6=2wt(\theta _1\oplus \beta _1)+6. \end{aligned}$$

That is, \(wt(\theta _1\oplus \beta _1)=3\), which is contradictory to the fact that \(\theta _1\) and \(\beta _1\) are balanced vectors.

Now consider the case \((\gamma _1,\gamma _2)=(0, 0, 1, 0, 1, 1,0,1,1,0,0,1)\). Suppose \({\mathbf {q}}_1,{\mathbf {q}}_2,\ldots ,{\mathbf {q}}_6\) are 4-orthogonal. Then \({\mathbf {q}}_6\) can be transformed to \((\theta _1,\ldots ,\theta _{8})\), where

$$\begin{aligned} \theta _1,\theta _4,\theta _6,\theta _7\in \{(0, 0, 1, 1, 0, 1),(0, 1, 0, 0, 1, 1)\},\theta _2=\theta _3=\theta _5=\theta _8=(1, 1, 0, 0, 1, 0), \end{aligned}$$

or

$$\begin{aligned} \theta _2,\theta _3,\theta _5,\theta _8\in \{(0, 0, 1, 1, 1, 0),(1, 0, 0, 0, 1, 1)\},\theta _1=\theta _4=\theta _6=\theta _7=(1, 0, 1, 0, 1, 0). \end{aligned}$$

It is easy to verify that all these 32 vectors are not 4-orthogonal with \({\mathbf {q}}_1,{\mathbf {q}}_2,\ldots ,{\mathbf {q}}_5\). Therefore, \(OA_{48,4}=5\), which seems to be a previously unknown value. Hence, the minimum number of rows w of an orthogonal array OA(w, 7, 2, 4) is 64, which was known to be \(\ge 48\) (see Table 1 of [2]).

Now consider \(n=80\). Suppose \({\mathbf {q}}_1,{\mathbf {q}}_2,\ldots ,{\mathbf {q}}_6\) are 4-orthogonal. Then \({\mathbf {q}}_5\) can be transformed to \((\alpha _1,\alpha _2,\alpha _2,\alpha _1,\alpha _2,\alpha _1,\alpha _1,\alpha _2)\), where

$$\begin{aligned} \alpha _1=(0, 0, 0, 1, 1, 0,0,1,1, 1),\alpha _2=( 0,0,1,1, 1,0, 0, 0, 1, 1). \end{aligned}$$

Moreover, \({\mathbf {q}}_6\) can be transformed to \((\theta _1,\ldots ,\theta _{8})\), where

$$\begin{aligned} \theta _1,\theta _4,\theta _6,\theta _7\in \{(0, 1, 1, 0, 1, 0, 0, 0, 1, 1),(0, 0, 1, 1, 1, 0, 1, 0, 0, 1)\}, \end{aligned}$$

and

$$\begin{aligned}&\theta _2,\theta _3,\theta _5,\theta _8\in \{(1, 1, 0, 0, 0, 0, 0, 1, 1, 1),(0, 1, 0, 0, 1, 0, 1, 1, 0, 1),\\&\quad (0, 0, 0, 1, 1, 1, 1, 1, 0, 0)\}. \end{aligned}$$

It is easy to check by computer that only 8 such vectors are 4-orthogonal with \({\mathbf {q}}_1,{\mathbf {q}}_2,\ldots ,{\mathbf {q}}_5\). We then consider \({\mathbf {q}}_7\) for these 8 cases. Using the Eq. (1) for \({\mathbf {q}}_7\oplus {\mathbf {q}}_i\), wherer \(i=4,5,6\), it is easy to verify by computer that there is no \({\mathbf {q}}_7\) 4-orthogonal with \({\mathbf {q}}_1,{\mathbf {q}}_2,\ldots ,{\mathbf {q}}_6\). Therefore, \(OA_{80,4}=6\).

Now consider \(n=96\). We have the following facts:

1. (1)

   Suppose \({\mathbf {q}}_1,{\mathbf {q}}_2,\ldots ,{\mathbf {q}}_6\) are 4-orthogonal. Then one of \({\mathbf {q}}_5\) and \({\mathbf {q}}_6\) can be transformed to \((\alpha ,\alpha ,\alpha ,\alpha ,\alpha ,\alpha ,\alpha ,\alpha )\), where \(\alpha =(0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1)\).

2. (2)

   If there exists a \({\mathbf {q}}_7\) which is 4-orthogonal with \({\mathbf {q}}_1,{\mathbf {q}}_2,\ldots ,{\mathbf {q}}_6\), then the constant C in the Eq. (1) for \({\mathbf {q}}_7\oplus {\mathbf {q}}_i\) or \({\mathbf {q}}_6\oplus {\mathbf {q}}_i\) is \(\frac{n}{16}\), wherer \(i=4,5\).

So, we can take \({\mathbf {q}}_5=(\alpha ,\alpha ,\alpha ,\alpha ,\alpha ,\alpha ,\alpha ,\alpha )\) and there are 48 cases for \({\mathbf {q}}_6\). Suppose there exists a \({\mathbf {q}}_8\) which is 4-orthogonal with \({\mathbf {q}}_1,{\mathbf {q}}_2,\ldots ,{\mathbf {q}}_7\). Then only four cases for \({\mathbf {q}}_6\) are remained. For these four cases, it is easy to verify by computer that the vectors can be extended to a group of seven vectors 4-orthogonal with each other, but no \({\mathbf {q}}_8\) exists. Therefore, \(OA_{96,4}=7\), which is a previously unknown value. Hence, the minimum number of rows w of an orthogonal array OA(w, 9, 2, 4) is 128 (it cannot be 112 from the next paragraph), which was known to be \(\ge 96\) [2].

Now consider \(n=112\). Suppose \({\mathbf {q}}_1,{\mathbf {q}}_2,\ldots ,{\mathbf {q}}_6\) are 4-orthogonal. Then one of \({\mathbf {q}}_5\) and \({\mathbf {q}}_6\) can be transformed to \((\alpha _1,\alpha _2,\alpha _2,\alpha _1,\alpha _2,\alpha _1,\alpha _1,\alpha _2)\), where

$$\begin{aligned} \alpha _1=(0,0,0,0,1,1,1,0,0,0,1,1,1,1),\alpha _2=(0,0,0,1,1,1,1,0,0,0,0,1,1,1). \end{aligned}$$

So, we can take \({\mathbf {q}}_5\) to be this vector. Suppose \({\mathbf {q}}_1,{\mathbf {q}}_2,\ldots ,{\mathbf {q}}_7\) are 4-orthogonal. Then \({\mathbf {q}}_6\) can be reduced to eight cases, and it is easy to verify by computer that no \({\mathbf {q}}_7\) exists. Therefore, \(OA_{112,4}=6\), which is a previously unknown value. Hence, the minimum number of rows w of an orthogonal array OA(w, 12, 2, 4) is 128, which was known to be \(\ge 112\) [2].

We summarize the results in Table 3. It is noted that by Table 3 the minimum number of rows w of an orthogonal array OA(w, n, 2, 4) can be determined, for \(n\le 13\).

Table 3 Maximum number of 4-orthogonal vectors in \({\mathbb {F}}_{2}^{n}\)

Appendix B: An 11-variable 4-CI Boolean function with the minimum Hamming weight

Take \(m=7\) and S be the absolute maximum 4-linearly independent set with 11 vectors given in Example 2. We have

$$\begin{aligned}&l_1=x_1, \ l_2=x_2, \ l_3=x_3, \ l_4=x_4, \ l_5=x_5, \ l_6=x_6, \ l_7=x_7, \\&l_8=x_1\oplus x_2\oplus x_3\oplus x_4, \ l_9=x_1\oplus x_2\oplus x_5\oplus x_6,\\&l_{10}=x_1\oplus x_3\oplus x_5\oplus x_7, \ l_{11}=x_1\oplus x_2\oplus x_3\oplus x_4\oplus x_5\oplus x_6\oplus x_7. \end{aligned}$$

Then we can get the function \(f\in {\mathcal {B}}_{11}\) by Construction 2 with the support

$$\begin{aligned}&\{(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),(1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1),(0, 1, 0, 0, 0, 0, 0,1, 1, 0, 1),\\&(1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0), \ldots ,(0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0),(1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1)\} \end{aligned}$$

It is easy to check that f is a 4-CI Boolean function with the Hamming weight 128. Therefore, \(w_{11,4}\le 128\). From Table 3 of Appendix 1, we have \(w_{11,4}\ge 128\). Hence, \(w_{11,4}=128\). This is a previously unknown value, thus a triple question mark ??? in Table II of [5] can be taken place by it.