1 Introduction

Bent functions are extremal combinatorial objects with several areas of application, such as coding theory, maximum length sequences, cryptography, and the theory of difference sets, to name a few. The term bent Boolean function was introduced by Rothaus [17], where two classes of bent functions were also considered. Among the equivalent characterizations of bent functions, the one most often used is the characterization of bent functions as the class of Boolean functions having so-called flat Walsh spectra. This means that an n-variable function f, where n is even, is bent if and only if \(W_{f}(u) \in \{\pm 2^{n/2}\}\) for any \(u \in {\mathbb {F}_{2}^{n}}\). Alternatively, the Hamming distance of f to any n-variable affine function is \(2^{n-1} \pm 2^{n/2-1}\).

The known primary classes of bent functions are the Partial Spread (\(\mathcal {P}\mathcal {S}\)) class due to Dillon [7], the Maiorana-McFarland (\(\mathcal {M}\mathcal {M}\)) class introduced in [11] and Dobbertin's class [8], commonly denoted by \(\mathcal {H}\). Apart from these classes, the so-called secondary constructions of bent functions have received a lot of attention [2, 3, 5, 13, 14, 18, 19, 20]. In particular, some secondary constructions known as indirect sum (and its extensions) have been proposed by Carlet [3], which use three initial bent functions satisfying certain conditions for the purpose of constructing bent functions on larger variable spaces. A similar approach, though without increasing the variable space, was initially considered by Carlet [6] and later addressed by Mesnager [15]. The references mentioned above mainly refer to secondary constructions; for an exhaustive survey on bent functions the reader is referred to [4]. The known primary classes of bent functions constitute just a tiny portion of the space of all bent functions (the same applies to secondary constructions) and consequently they are not sufficient to fully describe the variety of bent functions.

In contrast to these approaches, two decades ago Hou and Langevin [9] proposed quite a different framework for specifying the bent properties of Boolean functions. More precisely, considering an arbitrary Boolean function f, one may ask what kind of nonlinear permutation σ over \({\mathbb {F}_{2}^{n}}\), composed with the input variables of f, yields a bent function \(f \circ \sigma^{-1}\). In a rather simple manner they showed that \(f \circ \sigma^{-1}\) is bent if and only if the linear span of the coordinate Boolean functions of σ, that is, of \(\sigma_{1}(x),\ldots,\sigma_{n}(x)\), is a subset of the set of all Boolean functions whose Hamming distance to f is \(2^{n-1} \pm 2^{n/2-1}\). This simple result is of great significance in many aspects. In the first place, it is not necessary that f is bent in order that \(f \circ \sigma^{-1}\) is bent. Moreover, the permutation σ being nonlinear gives immediately affine non-equivalence between f and \(f \circ \sigma^{-1}\) when f is bent. However, apart from two sporadic examples of cubic bent functions in 8 variables for which a suitable nonlinear transformation of the input could be applied, no efficient method for identifying suitable classes of bent functions to which such a transformation could be applied was given in [9].

In this article, we address the problem of deducing affine inequivalent bent functions by specifying two different (infinite) families of bent functions that can be represented in a suitable form so that \(f \circ \sigma^{-1}\) is in general affine inequivalent to f, for a nonlinear permutation σ given in [9]. Even though the nonlinear permutation, as originally considered in [9], only acts on two input variables (whereas the remaining inputs are kept fixed/invariant), a suitable representation (form) of f was hard to identify in a generic manner in [9]. The main question regarding the two infinite families of bent functions that we identify, which generate affine inequivalent bent functions, is whether this method generates bent functions outside the class the initial bent function belongs to. It is also shown that the efficiency of this method when applied to bent functions in the \(\mathcal {M}\mathcal {M}\) class largely depends on the choice of input variables used to represent \(f \in \mathcal {M}\mathcal {M}\) in a suitable form. More precisely, if \(f(x,y) = x \cdot \phi(y) + \psi(y)\), \(x,y \in \mathbb {F}_{2}^{n/2}\), is represented by means of the variables \(x_{1}\) and \(x_{2}\), thus given by (3) as originally considered by Hou and Langevin, then we only obtain affine inequivalent bent functions that provably remain within the \(\mathcal {M}\mathcal {M}\) class. On the other hand, for a suitably chosen permutation ϕ and Boolean function ψ, expressing f with respect to two variables from the set \(y_{1},\ldots,y_{n/2}\) may potentially give rise to bent functions F which are outside the \(\mathcal {M}\mathcal {M}\) class. Nevertheless, this important question, which is intrinsically hard, remains open. Increasing the action of nonlinear permutations to a larger subset of inputs appears to be very difficult due to the condition that the bentness of the input function is preserved. In this context, using self-inverse matrices, we introduce a nonlinear permutation that acts on three input variables. More importantly, we illustrate by an example that a larger class of permutations acting on the whole input space can be employed for the same purpose, which opens up a much wider framework than originally considered by Hou and Langevin.

In another direction, we continue the initiative taken by Hou and Langevin in terms of establishing a generic connection between bent functions and permutations over finite fields (vector spaces). Namely, it is well known that all the derivatives of a bent function, say an n-variable function f, are balanced Boolean functions, and the question raised in [9] concerns the possibility of selecting n derivatives such that all their (nontrivial) linear combinations are also balanced. This would imply that such a bent function induces a permutation over \({\mathbb {F}_{2}^{n}}\). This idea was actually confirmed in [9] using a computer search for some cubic 8-variable bent functions. In this context a more general (and interesting) connection may be established when considering the \(\mathcal {M}\mathcal {M}\) class. More precisely, a function \(f(x,y) = \phi(y) \cdot x + \psi(y)\), \(x,y \in \mathbb {F}_{2}^{n/2}\), is bent if and only if ϕ is a permutation over \(\mathbb {F}_{2}^{n/2}\). Then, since a permutation ϕ induces a bent function, a natural question in this context is whether there is a class of permutations ϕ with the property that the derivatives of f (taken for instance with respect to the canonical basis of \({\mathbb {F}_{2}^{n}}\)) induce a permutation over \({\mathbb {F}_{2}^{n}}\). We answer this question positively by providing a generic connection between a subclass of bent functions in \(\mathcal {M}\mathcal {M}\) (defined by means of a suitable permutation over \(\mathbb {F}_{2}^{n/2}\) that we specify) and deduced permutations over \({\mathbb {F}_{2}^{n}}\), which is an interesting connection between two seemingly different algebraic objects. As an independent contribution, this approach gives a new infinite family of permutations over finite fields.

This article is organized as follows. In Section 2, we give some basic definitions related to Boolean functions. Two generic methods of identifying bent functions that can be represented in a suitable form are discussed in Section 3. Furthermore, the possibility of finding bent functions within some primary (secondary) classes to which we can efficiently apply the specific nonlinear permutation proposed by Hou and Langevin is addressed there. The extended framework of nonlinear permutations that act on three input variables is presented in Section 4. In Section 5, we identify suitable bent functions within the \(\mathcal {M}\mathcal {M}\) class, by specifying a new class of permutations over \({\mathbb {F}_{2}^{m}}\) whose derivatives give rise to permutations over \(\mathbb {F}_{2}^{2m}\). Some concluding remarks are given in Section 6.

2 Preliminaries

Let \(\mathbb {F}_{2} = \{0,1\}\) denote the binary field of characteristic two. Furthermore, let \(\mathbb {F}_{2^{n}}\) denote the Galois field of order \(2^{n}\) and \({\mathbb {F}_{2}^{n}}\) be its corresponding vector space (once the basis is fixed). Any function from \(\mathbb {F}_{2}^{n}\) or \(\mathbb {F}_{2^{n}}\) to \(\mathbb {F}_{2}\) is called an n-variable Boolean function, and the set of all Boolean functions in n variables is denoted by \(\mathcal {B}_{n}\).

A Boolean function \(f(x_{1},\ldots,x_{n})\) is commonly represented as a multivariate polynomial over \(\mathbb {F}_{2}\) called the algebraic normal form (ANF) of f. More precisely, \(f(x_{1},\ldots,x_{n})\) can be written as

$$ f(x_{1},\dots,x_{n})=\sum\limits_{u\in {\mathbb{F}_{2}^{n}}}\lambda_{u}\left( \prod\limits_{i = 1}^{n} x_{i}^{u_{i}}\right) , $$

for \(\lambda _{u}\in \mathbb {F}_{2} , u=(u_{1},\ldots ,u_{n})\).

The algebraic degree of \(f \in \mathcal {B}_{n}\), denoted by \(\deg(f)\), is equal to the maximum Hamming weight of \(u \in {\mathbb {F}_{2}^{n}}\) for which \(\lambda_{u} \neq 0\). The set of affine functions in n variables is denoted by \(\mathcal {A}_{n}=\{\ell (x) \in \mathcal {B}_{n} : \deg (\ell ) \leq 1\}\). A Boolean function \(f(x_{1},\ldots,x_{n})\) may also be represented as the output column of its truth table f, i.e., a binary string of length \(2^{n}\),

$$f=[f(0,0,\ldots,0),f(1,0,\ldots,0),\ldots,f(1,1,\ldots,1)]. $$

The Hamming weight of f is the number of ones in the truth table of f. This is denoted by \(wt_{H}(f)\). The Walsh transform of \(f\in \mathcal { B}_{n}\) at \( \lambda \in \mathbb {F}_{2}^{n}\) is defined as

$$W_{f}(\lambda) = \sum\limits_{x \in \mathbb{F}_{2}^{n}}(-1)^{f(x) + \lambda \cdot x}, $$

where "\(\cdot\)" denotes the standard inner (dot) product of two vectors, that is, \(\lambda \cdot x = \lambda_{1}x_{1} + \cdots + \lambda_{n}x_{n}\). If n is an even integer, a function \(f \in \mathcal {B}_{n}\) is said to be bent if and only if \(W_{f}(\lambda ) \in \left \{2^{\frac {n}{2}}, -2^{\frac {n}{2}}\right \}\), for all \(\lambda \in \mathbb {F}_{2}^{n}\). Equivalently, f is bent if and only if \(wt_{H}(f + a) = 2^{n-1} \pm 2^{n/2-1}\), for any affine function \(a \in \mathcal {B}_{n}\). A function \(f\in \mathcal {B}_{n}\) is said to be semi-bent, if \(W_{f}(\lambda )\in \left \{0,\pm 2^{\frac {n+s}{2}}\right \}\), where s = 1 if n is odd, or s = 2 if n is even. The Walsh support of \(f\in \mathcal {B}_{n}\) is defined as \(S_{f}=\{\lambda \in \mathbb {F}^{n}_{2}:W_{f}(\lambda )\neq 0\}\).

The concatenation, denoted by ||, simply means that the truth tables of the functions are merged. For instance, for \(f_{1},f_{2}\in \mathcal {B}_{n}\) one may construct \(f=f_{1}||f_{2}\in \mathcal {B}_{n + 1}\), meaning that the upper half of the truth table of f corresponds to \(f_{1}\) and the lower half to \(f_{2}\). The ANF of f is then given as \(f(x_{1},\ldots,x_{n},x_{n+1}) = (1 + x_{n+1})f_{1}(x_{1},\ldots,x_{n}) + x_{n+1}f_{2}(x_{1},\ldots,x_{n})\).

A function F is called a Boolean permutation if it is a bijective mapping from \({\Bbb F}_{2}^{m}\) to \({\Bbb F}_{2}^{m}\). The Maiorana-McFarland class of bent functions [11], denoted by \(\mathcal {M}\mathcal {M}\), is the set of all bent functions on \({\Bbb F}^{2m}_{2}=\left \{(x,y):x,y\in {\Bbb F}_{2}^{m}\right \}\) of the form:

$$ f(x,y)=x\cdot \phi(y) + \psi(y), $$

where \(\phi = (\phi_{1},\ldots,\phi_{m})\) is any permutation on \({\Bbb F}_{2}^{m}\) and \(\psi \in \mathcal {B}_{m}\) is arbitrary. Moreover, f is a bent function if and only if ϕ is a Boolean permutation.

Two functions \(f, f^{\prime } \in \mathcal {B}_{n}\) are said to be affine equivalent if there exists an invertible binary matrix A of size n × n, binary vectors \(b, c \in {\mathbb {F}_{2}^{n}}\) and \(\epsilon \in \mathbb {F}_{2}\) so that \(f^{\prime}(x) = f(Ax + b) + c \cdot x + \epsilon\). The affine equivalence is degree invariant and we necessarily have that \(\deg(f) = \deg(f^{\prime})\).

3 Generic methods for affine inequivalent bent functions

A different approach for constructing bent functions was taken in [9], where Hou and Langevin considered the compositional problem of determining nonlinear permutations σ such that \(f \circ \sigma^{-1}\) is a bent function regardless of whether f is bent or not. Throughout this article a permutation \(\sigma : {\mathbb {F}_{2}^{n}} \rightarrow {\mathbb {F}_{2}^{n}}\) is represented as a collection of its n coordinate functions so that \(\sigma(x) = (\sigma_{1}(x),\ldots,\sigma_{n}(x))\), where \(\sigma _{i}:{\mathbb {F}_{2}^{n}} \rightarrow \mathbb {F}_{2}\). For even n, denoting by \(l(f) =\left \{g \in \mathcal {B}_{n} : d_{H}(f,g)= 2^{n-1} \pm 2^{n/2-1}\right \}\) the set of Boolean functions at the bent distance from f, the authors showed that \(f \circ \sigma^{-1}\) is bent if and only if the linear span \(\langle \sigma_{1},\ldots,\sigma_{n}\rangle = \mathrm{span}(\sigma)\) is a subset of l(f), cf. Lemma 3.1 in [9]. Furthermore, they also analyzed a special form of bent functions given as

$$ f=x_{1}f_{1} + x_{2}f_{2} +x_{1}x_{2} \alpha + g, $$

where the functions \(f_{1}\), \(f_{2}\), g and α (where \(\alpha \in \mathcal {A}_{n}\)) only depend on variables \(x_{3},\ldots,x_{n}\). One example of such a bent function f in eight variables was provided and then employed to demonstrate the various possibilities of generating affine non-equivalent functions by showing that the function

$$ F=(\alpha + 1)f_{1}f_{2} + (x_{1}+ 1)f_{1} + (x_{1}+x_{2} + \alpha + 1)f_{2} + \alpha(x_{1}+ 1)x_{2} + g $$

is again a bent function. Here \(F = f \circ \sigma^{-1}\) where

$$ \sigma^{-1}(x_{1},x_{2},\ldots, x_{n})= \left( [(f_{1},f_{2})+ (x_{1},x_{2})] \left[ \begin{array}{cc} 1 & \alpha + 1 \\ \alpha & 1 \end{array} \right], x_{3}, \ldots, x_{n} \right), $$

and consequently

$$ \sigma(x_{1},x_{2},\ldots, x_{n})= \left( (f_{1},f_{2})+ (x_{1},x_{2}) \left[ \begin{array}{cc} 1 & \alpha + 1 \\ \alpha & 1 \end{array} \right], x_{3}, \ldots, x_{n} \right). $$

Remark 1

The case α = 1 implies that F is a simple linear translate of f and is of no interest.

Notice that \(\sigma^{-1}\) acts as the identity permutation with respect to \(x_{3},\ldots,x_{n}\) and essentially replaces \(x_{1}\) and \(x_{2}\) by \(f_{1} + x_{1} + \alpha(f_{2} + x_{2})\) and \((\alpha + 1)(f_{1} + x_{1}) + f_{2} + x_{2}\), respectively. The balancedness of the coordinate functions \(\sigma _{1}^{-1}(x), \ldots ,\sigma _{n}^{-1}(x)\) of \(\sigma^{-1}(x)\) is then ensured through the fact that \(f_{1}\), \(f_{2}\) and α all depend only on the variables \(x_{3},\ldots,x_{n}\). More importantly, it was shown that the linear span \(\langle \sigma_{1},\ldots,\sigma_{n}\rangle\) is indeed a subset of l(f) due to a subtle choice of the coordinate functions \(\sigma _{1}^{-1}\) and \(\sigma _{2}^{-1}\).

This method immediately raises the question whether there are known classes of bent functions which can be represented similarly as in (3). This question is answered positively by providing two efficient and generic methods for designing (generally) affine inequivalent bent functions using some suitable secondary classes of bent functions. Furthermore, it will be shown that when f is in the Maiorana-McFarland class of bent functions then it can be represented in a suitable form similar to (3). Therefore, one can in general derive a bent function F which is affine inequivalent to f and furthermore F is not necessarily in the \(\mathcal {M}\mathcal {M}\) class.

3.1 Employing indirect sum to obtain affine non-equivalent bent functions

We use the indirect sum [3] to represent the initial bent function in the suitable form. In difference to the approach taken by Hou and Langevin [9], where two sporadic examples of bent functions having a suitable decomposition form given by (3) were discussed, we provide some infinite classes of bent functions which are (in general) not affine equivalent to initial ones.

Corollary 1

[3] Let \(x\in \Bbb {F}_{2}^{n}, \, y\in \Bbb {F}_{2}^{m}\). Let \(f_{0}\) and \(f_{1}\) be two n-variable bent functions (n even) and let \(g_{0}\) and \(g_{1}\) be two m-variable bent functions (m even). Define

$$h(x,y)= f_{0}(x)+ g_{0}(y)+ (f_{0}+ f_{1})(x)\, (g_{0}+ g_{1})(y).$$

Then the function \(h \in \mathcal {B}_{2}^{n+m}\) is bent.

For convenience, we set \(x=(x_{1},\ldots ,x_{n})\in \mathbb {F}_{2}^{n}\) and \(X^{(i)} = (x_{1}, x_{2},\ldots, x_{i})\), for \(1 \leq i \leq n-1\). Furthermore, let \(X^{\prime} = (x_{1},\ldots, x_{\rho-1}, x_{\rho+1},\ldots, x_{n-2})\) where \(1 \leq \rho < n-2\). Then, by extracting the variable \(x_{\rho}\), a given bent function \(\vartheta \in \mathcal {B}_{n-2}\) (in general any Boolean function) can be represented as

$$ \vartheta(X^{(n-2)})=x_{\rho} T_{1}(X^{\prime})+ T_{2}(X^{\prime}), $$

for some functions \(T_{1}, T_{2} \in \mathcal {B}_{n-3}\). Let us define \(\mathfrak {f}_{0},\mathfrak {f}_{1} \in \mathcal {B}_{n}\) as

$$\begin{array}{@{}rcl@{}} \mathfrak{f}_{0}(x)&=& \vartheta(X^{(n-2)}) + x_{n-1}x_{n} =x_{\rho} T_{1}(X^{\prime})+ T_{2}(X^{\prime})+ x_{n-1}x_{n}, \\ \mathfrak{f}_{1}(x)&=&\mathfrak{f}_{0}(x) + x_{\rho} x_{n-1}. \end{array} $$

Without loss of generality, we set ρ = 1, which means that \(X^{\prime} = (x_{2}, x_{3},\ldots, x_{n-2})\) and \(\mathfrak {f}_{0}, \mathfrak {f}_{1}\) are defined accordingly using \(x_{\rho} = x_{1}\).

Theorem 1

Let \(g_{0} \in \mathcal {B}_{m}\) be a bent function and define \(\mathfrak {f}_{0}\), \(\mathfrak {f}_{1}\), \(T_{1}(X^{\prime})\) and \(T_{2}(X^{\prime})\) as in (7) and (8), respectively. Then, h defined as

$$ h(x,y) = x_{1}T_{1}(X^{\prime})+ x_{n-1}x_{n}+ T_{2}(X^{\prime}) + g_{0}(y)+ x_{1}x_{n-1}l(y), \;\; x \in {\mathbb{F}_{2}^{n}}, \; y \in {\mathbb{F}_{2}^{m}}, $$

is a bent function in n + m variables, where l(y) is an affine function. Furthermore, the function \(H \in \mathcal {B}_{n+m}\) defined as

$$H(x,y)=h(x,y) + (l(y)x_{n}+ x_{n}+ 1)T_{1}(X^{\prime})+(x_{1}+ l(y)+ 1)x_{n}+ l(y)x_{n-1}, $$

is also a bent function in n + m variables. If \(\deg (T_{1}(X^{\prime }))=\deg (\mathfrak {f}_{0})-1 \geq 2\) and \(\deg (g_{0})\leq \deg (\mathfrak {f}_{0})\), then \(\deg (H)=\deg (\mathfrak {f}_{0})+ 1>\deg (h)=\deg (\mathfrak {f}_{0})\).


From (8), \(\mathfrak {f}_{0}\) is bent, being the direct sum of two bent functions \(\vartheta(X^{(n-2)})\) and \(x_{n-1}x_{n}\). Similarly, \(\vartheta(X^{(n-2)}) + x_{1}\) and \(x_{n-1}x_{n} + x_{n-1}\) are also bent. Representing \(\mathfrak {f}_{1}\) as

$$\begin{array}{rl}\mathfrak{f}_{1}(x)= & \underbrace{\vartheta(X^{(n-2)})}_{f_{0}} + \underbrace{x_{n-1}x_{n}}_{g_{0}}+ \left( \vartheta(X^{(n-2)}) + \underbrace{\left( \vartheta(X^{(n-2)}) + x_{1}\right)}_{f_{1}}\right)\left( x_{n-1}x_{n}+ \underbrace{x_{n-1}x_{n}+ x_{n-1}}_{g_{1}}\right)\\ = & \mathfrak{f}_{0}(x)+ \left( \vartheta(X^{(n-2)}) +\left( \vartheta(X^{(n-2)}) + x_{1}\right)\right)\left( x_{n-1}x_{n}+ x_{n-1}x_{n}+ x_{n-1}\right)\\ = & \mathfrak{f}_{0}(x)+ x_{1} x_{n-1}, \end{array} $$

by Corollary 1, \(\mathfrak {f}_{1}\) is a bent function in n variables.

Furthermore, defining \(g_{1}(y) = g_{0}(y) + l(y)\) where l is affine, it is readily checked that

$$\begin{array}{@{}rcl@{}} h(x,y)&=& \mathfrak{f}_{0}(x)+ g_{0}(y)+ (\mathfrak{f}_{0}+\mathfrak{f}_{1})(x)(g_{0}+g_{1})(y) \\ &=& \mathfrak{f}_{0}(x)+ g_{0}(y)+ x_{1}x_{n-1}l(y) \\ &=& x_{1}T_{1}(X^{\prime})+ x_{n-1}x_{n}+ T_{2}(X^{\prime}) + g_{0}(y)+ x_{1}x_{n-1}l(y), \end{array} $$

has the decomposition form given by (3) with respect to variables \(x_{1}\) and \(x_{n-1}\). By Corollary 1, h is a bent function in n + m variables. Then, applying the permutation \(\sigma^{-1}\) given by (5) one can verify that \(H = h \circ \sigma^{-1}\) is given by

$$ \begin{array}{rl} H(x,y) =&(l(y)+ 1)x_{n}T_{1}(X^{\prime})+ (x_{1}+ 1)T_{1}(X^{\prime})\\ &+(x_{1}+ x_{n-1}+ l(y)+ 1)x_{n}+ l(y)(x_{1}+ 1)x_{n-1}+ g_{0}(y)+ T_{2}(X^{\prime})\\ =&h(x,y) + (l(y)+ 1)x_{n}T_{1}(X^{\prime})+ T_{1}(X^{\prime})+(x_{1}+ l(y)+ 1)x_{n}+ l(y)x_{n-1}\\ =&h(x,y) + (l(y)x_{n}+ x_{n}+ 1)T_{1}(X^{\prime})+(x_{1}+ l(y)+ 1)x_{n}+ l(y)x_{n-1}. \end{array} $$

By Theorem 4.1 in [9], due to the form of h, the function H is bent. The statement regarding the algebraic degree is trivial. □

Note that \(\deg (T_{1}(X^{\prime }))=\deg (\mathfrak {f}_{0})-1\) is easily obtained since we can take \(\rho = 1,2,\ldots,n/2-1\). Thus, depending on the properties of the initial functions \(g_{0}\) and \(\mathfrak {f}_{0}\), different bent functions (affine inequivalent to h) can be deduced.

3.2 Using semi-bent 4-decomposition of bent functions

In general, the 4-decomposition of a bent function \(f\in \mathcal {B}_{n}\) (where n is even) is a decomposition of f into four subfunctions defined on the four cosets of some (n − 2)-dimensional linear subspace [1]. More precisely, for nonzero \(a,b \in {\mathbb F}_{2}^{n}\) with \(a \neq b\) this (n − 2)-dimensional subspace is defined as \(\langle a,b\rangle^{\perp}\), where the dual of a linear subspace \(V\subset {\mathbb F}_{2}^{n}\), denoted by \(V^{\perp}\), is defined as \(V^{\perp }=\left \{x\in {\mathbb F}_{2}^{n}: \forall y\in V, x\cdot y = 0\right \}\). We call such a decomposition canonical when a = (1,0,0,…,0) and b = (0,1,0,…,0) and denote \(f = (f_{00}, f_{01}, f_{10}, f_{11})\), where \(f_{ij}\) are then the usual restrictions of f obtained by fixing \(x_{1}\) and \(x_{2}\), for i, j ∈ {0,1}. Thus, for instance, \(f_{00}(x_{3},\ldots,x_{n}) = f(0,0,x_{3},\ldots,x_{n})\).

It was shown in [1] that there are three possible cases: bent 4-decomposition when all \(f_{ij}\) are bent; semi-bent 4-decomposition when all \(f_{ij}\) are semi-bent; 5-valued 4-decomposition when all \(f_{ij}\) are 5-valued Walsh spectra functions. In particular, for the semi-bent decomposition we obviously have \(W_{f_{ij}}(\omega ) \in \left \{0, \pm 2^{n/2}\right \}\) since \(f_{ij}\) are semi-bent on \( {\mathbb F}_{2}^{n-2}\), n is even. Furthermore, to ensure the bentness of f we necessarily have that for any \(\omega \in \mathbb {F}^{n-2}_{2}\) only one coefficient is non-zero, say \(W_{f_{ij}}(\omega )=\pm 2^{\frac {n}{2}}\) and \(W_{f_{kl}}(\omega )= 0\) for \(ij \neq kl\), thus one needs a quadruple of disjoint spectra semi-bent functions.

Our main goal is to provide a generic method of specifying a bent function f using four suitable (disjoint spectra) semi-bent functions so that f can be represented as \(f = x_{1}f_{1} + x_{2}f_{2} + x_{1}x_{2}\alpha + g\). Using our canonical decomposition the restrictions of such f are given by

$$ (f_{00},f_{10},f_{01},f_{11})=(f_{\textbf{0}},f_{a},f_{b},f_{a + b})=(g,g + f_{1},g + f_{2},g + f_{1} + f_{2} + \alpha). $$

The following preparatory result proves useful for achieving our main goal.

Proposition 1

Let n be even and define \(g:\mathbb {F}^{\frac {n-2}{2}+ 1}_{2}\times \mathbb {F}^{\frac {n-2}{2}-1}_{2}\rightarrow \mathbb {F}_{2}\) by

$$ g(x,y)=x\cdot \phi_{ij}(y),\;\;\; \phi_{ij}(y)=(i,j,\pi(y)),\;\;\;\;(x,y)\in \mathbb{F}^{\frac{n-2}{2}+ 1}_{2}\times \mathbb{F}^{\frac{n-2}{2}-1}_{2}, $$

where i, j ∈ {0,1} are (arbitrary) fixed integers, \(\phi _{ij}:\mathbb {F}^{\frac {n-2}{2}-1}_{2}\rightarrow \mathbb {F}^{\frac {n-2}{2}+ 1}_{2}\), and \(\pi :\mathbb {F}^{\frac {n-2}{2}-1}_{2}\rightarrow \mathbb {F}^{\frac {n-2}{2}-1}_{2}\) is an arbitrary permutation. Then \(g \in \mathcal {B}_{n-2}\) is a semi-bent function.


For any \((\omega _{1},\omega _{2})\in \mathbb {F}^{\frac {n-2}{2}+ 1}_{2}\times \mathbb {F}^{\frac {n-2}{2}-1}_{2}\), we write \(\omega _{1}=(\omega ^{(1)}_{1},\omega ^{(2)}_{1},\omega ^{\prime })\in \mathbb {F}_{2}\times \mathbb {F}_{2}\times \mathbb {F}^{\frac {n-2}{2}-1}_{2}\) and compute

$$\begin{array}{@{}rcl@{}} W_{g}(\omega_{1},\omega_{2})&=&\sum\limits_{(x,y)\in \mathbb{F}^{\frac{n-2}{2}+ 1}_{2}\times \mathbb{F}^{\frac{n-2}{2}-1}_{2}}(-1)^{g(x,y)+ (x,y)\cdot (\omega_{1},\omega_{2})}=\sum\limits_{y\in \mathbb{F}^{\frac{n-2}{2}-1}_{2}}(-1)^{y\cdot\omega_{2}}\sum\limits_{x\in \mathbb{F}^{\frac{n-2}{2}+ 1}_{2}}(-1)^{x\cdot ((i,j,\pi(y))+ \omega_{1})}\\ &=&\left\{\begin{array}{cc} 2^{\frac{n-2}{2}+ 1}(-1)^{\pi^{-1}(\omega^{\prime})\cdot \omega_{2}}= 2^{\frac{n}{2}}(-1)^{\pi^{-1}(\omega^{\prime})\cdot \omega_{2}}, & (i,j)=(\omega^{(1)}_{1},\omega^{(2)}_{1}) \\ 0, & (i,j)\neq(\omega^{(1)}_{1},\omega^{(2)}_{1}) \end{array} \right. , \end{array} $$

which means that g is semi-bent. □

From the previous computation, the Walsh support of g is given by \(S_{g}=(i,j)\times \mathbb {F}^{n-4}_{2}\subset \mathbb {F}^{n-2}_{2}\). Then, the function \(d = g + \ell\), where \(\ell (x,y)=c\cdot (x,y) \in \mathcal {A}_{n-2}\), is also a semi-bent function whose Walsh support is \(S_{d} = c + S_{g}\). Based on this fact we provide the following construction of f having the form as in (3).

Theorem 2

Let g be defined by (13), and assume that for a given permutation π over \(\mathbb {F}^{\frac {n-2}{2}-1}_{2}\) the mappings \(\varphi , \sigma : \mathbb {F}^{\frac {n-2}{2}-1}_{2} \rightarrow \mathbb {F}^{\frac {n-2}{2}-1}_{2}\) are such that \(\pi + \langle \varphi ,\sigma \rangle =\{\pi +c_{1}\varphi +c_{2}\sigma :c_{1},c_{2}\in \mathbb {F}_{2}\}\) is an affine space of permutations. Then define \(f_{1},f_{2}, \alpha \in \mathcal {B}_{n-2}\) as

$$\begin{array}{@{}rcl@{}} f_{1}(x,y)&=&x\cdot (1,0,\varphi(y)),\;\;\; f_{2}(x,y)=x\cdot (0,1,\sigma(y)),\;\;\; (x,y)\in \mathbb{F}^{\frac{n-2}{2}+ 1}_{2}\times \mathbb{F}^{\frac{n-2}{2}-1}_{2},\\ \alpha(x^{\prime})&=&a\cdot x^{\prime}=(0,0,a^{\prime})\cdot x^{\prime},\;\;\;x^{\prime}\in \mathbb{F}^{n-2}_{2},\;\;\;(\alpha\neq 0,1), \end{array} $$

where \(a^{\prime }\in \mathbb {F}^{n-4}_{2}\) is arbitrary. Then the function \(f = x_{1}f_{1} + x_{2}f_{2} + x_{1}x_{2}\alpha + g\), with restrictions given by (12), is a bent function which admits the semi-bent 4-decomposition.


Since \(\pi + \langle \varphi, \sigma \rangle\) is an affine space of permutations, the semi-bent property of \(g + f_{1}\), \(g + f_{2}\) and \(g + f_{1} + f_{2} + \alpha\) can be easily proved as in the case of g in Proposition 1. Additionally, we have that \(S_{g}=(i,j)\times \mathbb {F}^{n-4}_{2}\), \(S_{g+ f_{1}}=(i + 1,j)\times \mathbb {F}^{n-4}_{2}\), \(S_{g+ f_{2}}=(i,j + 1)\times \mathbb {F}^{n-4}_{2}\) and \(S_{g+ f_{1}+ f_{2}+ \alpha }=(i + 1,j + 1)\times \mathbb {F}^{n-4}_{2}\), and these affine subspaces clearly partition the space \(\mathbb {F}^{n-2}_{2}\). Consequently, \(f = x_{1}f_{1} + x_{2}f_{2} + x_{1}x_{2}\alpha + g\) is a bent function which allows the semi-bent 4-decomposition. □

Remark 2

Notice that the only possibility for the first two coordinates of the vector a (which defines the function α) is to have (0,0), in which case the Walsh support of \(g + f_{1} + f_{2} + \alpha\) is given as \(S_{g+ f_{1} + f_{2}+\alpha }=(i + 1, j + 1)\times \mathbb {F}^{n-4}_{2}\). In other words, any other choice of the first two coordinates of a would imply that \(S_{g}\), \(S_{g+ f_{1}}\), \(S_{g+ f_{2}}\) and \(S_{g+ f_{1} + f_{2}+\alpha }\) do not partition the space \(\mathbb {F}^{n-2}_{2}\), which is the necessary condition to have a semi-bent 4-decomposition.

Remark 3

Note also that φ and σ do not necessarily need to be permutations. For instance, they can be constant mappings defined on \(\mathbb {F}^{\frac {n-2}{2}-1}_{2}\), but in that case \(f_{1}\) and \(f_{2}\) are linear, and the degree of F (defined by (4)) remains the same as the degree of f (which is then trivial).

Hence, the construction provided by Theorem 2 is non-trivial (in terms of degrees of F and f) when the mappings φ and σ are non-trivial (i.e., they are not constant). Employing the above approach, we now illustrate the possibility of obtaining affine inequivalent bent functions from the known ones.

Example 1

We first construct the component functions \(g, f_{1}, f_{2}, \alpha\) of \(f:\mathbb {F}^{10}_{2}\rightarrow \mathbb {F}_{2}\) (n = 10) in form (3) as follows. Let g(x, y) be defined by (13) as \(g(x,y) = x \cdot (1,1,\pi(y))\), \((x,y)\in \mathbb {F}^{8}_{2}=\mathbb {F}^{5}_{2}\times \mathbb {F}^{3}_{2}\), where \(\pi :\mathbb {F}^{3}_{2}\rightarrow \mathbb {F}^{3}_{2}\) is a permutation given by

$$\pi(y_{1},y_{2},y_{3})=(\pi_{1}(y),\pi_{2}(y),\pi_{3}(y))=(y_{1}+ y_{2}+ y_{1} y_{2} + y_{3},y_{2}+ y_{1}y_{3}+ y_{2}y_{3},y_{1}+ y_{2}y_{3}). $$

In addition, let \(f_{1}\), \(f_{2}\) and α be defined as in Theorem 2, where the mappings \(\varphi ,\sigma :\mathbb {F}^{3}_{2}\rightarrow \mathbb {F}^{3}_{2}\) and vector \(a^{\prime }\in \mathbb {F}^{6}_{2}\) are given by

$$\varphi(y)=(\pi_{3}(y),0,0),\;\;\;\sigma(y)=(0,\pi_{3}(y),0),\;\;\;a^{\prime}=(1,1,0,0,0,1). $$

It is easily verified that \(\pi + \langle \varphi, \sigma \rangle\) is an affine space of permutations. For \((x,y) = (x_{1},\ldots,x_{5},y_{1},y_{2},y_{3})\in \mathbb {F}^{5}_{2}\times \mathbb {F}^{3}_{2}\), the functions \(g, f_{1}, f_{2}\) and α are given as

$$\begin{array}{@{}rcl@{}} g(x,y)&=&x_{1} + x_{2} + x_{3}(y_{1} + y_{2} + y_{1}y_{2} + y_{3}) + x_{4}(y_{2} + y_{1}y_{3} + y_{2}y_{3}) + x_{5}(y_{1} + y_{2}y_{3})\\ f_{1}(x,y)&=&x_{1} + x_{3}(y_{1} + y_{2}y_{3})\\ f_{2}(x,y)&=&x_{2}+ x_{4}(y_{1} + y_{2}y_{3})\\ \alpha(x,y)&=&x_{3} + x_{4} + y_{3}. \end{array} $$

Then, f given by (3) is a bent function of degree 3 which admits the semi-bent 4-decomposition (12), and F defined by (4) is a bent function of degree 5. Notice that the terms of degree 5 in the ANF of F entirely come from \((\alpha + 1)f_{1}f_{2}\).
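
The following check of Example 1 is an added illustration, not code from the article. It builds the truth tables of f in form (3) and of F in form (4), confirms with a fast Walsh transform that both are bent and that formula (4) agrees with the composition with \(\sigma^{-1}\), and reads the degree-5 terms of F from its ANF; the names u1, u2 for the two variables extracted in (3) are an assumption made here to avoid a clash with \(x_{1}, x_{2}\) of Example 1.

```python
# Added check of Example 1 (n = 10). Variable order (an assumption of this
# sketch): u1, u2 are the two variables extracted in form (3); then
# x1..x5, y1, y2, y3 as named in Example 1.
N = 10
NAMES = ["u1", "u2", "x1", "x2", "x3", "x4", "x5", "y1", "y2", "y3"]

def components(z):
    """g, f1, f2, alpha of Example 1 at z = (x1, ..., x5, y1, y2, y3)."""
    x1, x2, x3, x4, x5, y1, y2, y3 = z
    pi1 = y1 ^ y2 ^ (y1 & y2) ^ y3
    pi2 = y2 ^ (y1 & y3) ^ (y2 & y3)
    pi3 = y1 ^ (y2 & y3)
    g = x1 ^ x2 ^ (x3 & pi1) ^ (x4 & pi2) ^ (x5 & pi3)
    f1 = x1 ^ (x3 & pi3)          # x . (1, 0, phi(y)),  phi = (pi3, 0, 0)
    f2 = x2 ^ (x4 & pi3)          # x . (0, 1, sigma(y)), sigma = (0, pi3, 0)
    alpha = x3 ^ x4 ^ y3          # a' = (1, 1, 0, 0, 0, 1)
    return g, f1, f2, alpha

def f(u1, u2, z):
    """Form (3): f = u1 f1 + u2 f2 + u1 u2 alpha + g."""
    g, f1, f2, a = components(z)
    return (u1 & f1) ^ (u2 & f2) ^ (u1 & u2 & a) ^ g

def F_formula(u1, u2, z):
    """Form (4), written out term by term."""
    g, f1, f2, a = components(z)
    return (((a ^ 1) & f1 & f2) ^ ((u1 ^ 1) & f1) ^ ((u1 ^ u2 ^ a ^ 1) & f2)
            ^ (a & (u1 ^ 1) & u2) ^ g)

def F_composed(u1, u2, z):
    """f composed with sigma^{-1}: u1, u2 are replaced as described after (6)."""
    _, f1, f2, a = components(z)
    s, t = f1 ^ u1, f2 ^ u2
    return f(s ^ (a & t), ((a ^ 1) & s) ^ t, z)

def product_term(u1, u2, z):
    """The summand (alpha + 1) f1 f2 of F."""
    _, f1, f2, a = components(z)
    return (a ^ 1) & f1 & f2

def truth_table(fn):
    table = []
    for p in range(1 << N):
        b = [(p >> i) & 1 for i in range(N)]   # bit i of p is variable i
        table.append(fn(b[0], b[1], tuple(b[2:])))
    return table

def walsh(table):
    """Fast Walsh-Hadamard transform of (-1)^f; entry k is W_f(k)."""
    w = [1 - 2 * v for v in table]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def is_bent(table):
    return all(abs(v) == 1 << (N // 2) for v in walsh(table))

def anf(table):
    """Binary Moebius transform: entry m is the ANF coefficient of monomial m."""
    c = list(table)
    h = 1
    while h < len(c):
        for i in range(0, len(c), 2 * h):
            for j in range(i, i + h):
                c[j + h] ^= c[j]
        h *= 2
    return c

def degree(table):
    return max(bin(m).count("1") for m, c in enumerate(anf(table)) if c)

def monomials(table, d):
    """Names of the degree-d monomials present in the ANF."""
    return {"".join(NAMES[i] for i in range(N) if (m >> i) & 1)
            for m, c in enumerate(anf(table)) if c and bin(m).count("1") == d}

def analyse():
    tf, tF = truth_table(f), truth_table(F_formula)
    return {
        "formula_equals_composition": tF == truth_table(F_composed),
        "f_bent": is_bent(tf),
        "F_bent": is_bent(tF),
        "deg_F": degree(tF),
        "degree_increases": degree(tf) < degree(tF),
        "top_terms_F": monomials(tF, 5),
        "top_terms_product": monomials(truth_table(product_term), 5),
    }

if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

Since affine equivalence preserves the algebraic degree, the strict degree increase from f to F reported here already rules out affine equivalence of the two functions.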

Remark 4

A method of constructing quadruples of disjoint spectra functions is given in [18]. In general, to construct a function f in form (3), one can take (any) three pairwise disjoint spectra functions \(f_{00}\), \(f_{10}\) and \(f_{01}\). But then we need to select \(f_{11} = g + f_{1} + f_{2} + \alpha = g + (g + f_{1}) + (g + f_{2}) = (f_{00} + f_{10} + f_{01}) + \alpha\) (for some affine function \(\alpha \neq 0,1\)) so that \(f_{00}\), \(f_{10}\), \(f_{01}\) and \(f_{11}\) are pairwise disjoint spectra semi-bent functions. In other words, \((f_{00}, f_{10}, f_{01}, f_{11})\) is not an arbitrary quadruple of disjoint spectra semi-bent functions.

3.3 Suitable forms for some known classes of bent functions

We start this section with a further analysis of f and F in terms of their algebraic structure. A canonical decomposition of \(f \in \mathcal {B}_{n}\) given as \(f = f_{00}||f_{01}||f_{10}||f_{11}\) corresponds to the ANF of f, which can be written as

$$ f=x_{1}x_{2}(f_{00}+f_{01}+f_{10}+f_{11})+ x_{1}(f_{00}+f_{01})+x_{2}(f_{00}+f_{10})+f_{00}, $$

where any \(f_{ij}\) only depends on the variables \(x_{3},\ldots,x_{n}\). Denoting by

$$ f_{00}+f_{01}+f_{10}+f_{11}=\alpha, \;f_{00}+f_{01}=f_{1},\; f_{00}+f_{10}=f_{2}, \; f_{00}=g, $$

we essentially have \(f = x_{1}f_{1} + x_{2}f_{2} + x_{1}x_{2}\alpha + g\), which is the same as (3). This also implies that we can write \(f = g||(f_{2} + g)||(f_{1} + g)||(f_{1} + f_{2} + g + \alpha)\).

We observe that \({\sum }_{a \in {\mathbb {F}_{2}^{2}}} f_{a}=\alpha \) is supposed to be an affine function, and further the bent property of f depends on the proper choice of \(f_{1}\), \(f_{2}\), α and g. We only need to ensure that \(\alpha \neq 1\), since for α = 1 the transformation is trivial due to the vanishing term \((1 + \alpha)f_{1}f_{2}\) in the definition of F.

Remark 5

The elementary approach of defining \(f = g + x_{1}x_{2}\), assuming the bentness of g, implies that f is bent, but in this case f = g||g||g||(g + 1) and the sum of restrictions is α = 1.

The following result shows that a suitable representation of functions in the \(\mathcal {M}\mathcal {M}\) class may potentially lead to bent functions outside this class. We always assume that \(f_{1}\), \(f_{2}\), α and g do not depend on the two input variables used to represent f suitably, and that α is affine.

Proposition 2

Let \(f(x,y) = x \cdot \phi(y) + \psi(y)\), where \(x,y \in \mathbb {F}_{2}^{n/2}\), be an arbitrary bent function in the \(\mathcal {M}\mathcal {M}\) class. Then, representing f as:

i) \(f = x_{k}f_{1} + x_{l}f_{2} + x_{k}x_{l}\alpha + g\), where \(1 \leq k \neq l \leq n/2\), gives a bent function F that remains in the \(\mathcal {M}\mathcal {M}\) class,

ii) \(f = y_{k}f_{1} + y_{l}f_{2} + y_{k}y_{l}\alpha + g\), where \(1 \leq k \neq l \leq n/2\), for a suitable choice of ϕ and ψ, gives a bent function F that may potentially lie outside the \(\mathcal {M}\mathcal {M}\) class.


Let us consider the restrictions of \(f(x,y) = x \cdot \phi(y) + \psi(y)\) in the \(\mathcal {M}\mathcal {M}\) class, where \(x,y \in \mathbb {F}_{2}^{n/2}\) and \(\psi \in \mathcal {B}_{n/2}\) is arbitrary, see (2).

i) Due to symmetry, w.l.o.g. we consider its decomposition by fixing \(x_{1}\) and \(x_{2}\), which gives

$$\begin{array}{@{}rcl@{}} f_{00}(x^{\prime},y)&=&(x_{3},\ldots,x_{n/2}) \cdot (\phi_{3}(y),\ldots,\phi_{n/2}(y)) + \psi(y), \\ f_{01}(x^{\prime},y)&=&\phi_{2}(y) + (x_{3},\ldots,x_{n/2}) \cdot (\phi_{3}(y),\ldots,\phi_{n/2}(y)) + \psi(y), \\ f_{10}(x^{\prime},y)&=&\phi_{1}(y) + (x_{3},\ldots,x_{n/2}) \cdot (\phi_{3}(y),\ldots,\phi_{n/2}(y)) + \psi(y), \\ f_{11}(x^{\prime},y)&=&\phi_{1}(y)+ \phi_{2}(y) + (x_{3},\ldots,x_{n/2}) \cdot (\phi_{3}(y),\ldots,\phi_{n/2}(y)) + \psi(y), \end{array} $$

where \(x^{\prime} = (x_{3},\ldots,x_{n/2})\). Apparently, \({\sum }_{(i,j)\in {\mathbb {F}_{2}^{2}}} f_{ij} = \alpha = 0\) and furthermore \(f_{1}\), \(f_{2}\) and \(g = f_{00}\) (cf. (15)) do not depend on variables \(x_{1}, x_{2}\). Therefore, with α = 0, the function F given by (4) can be written as

$$ F(x,y)= f_{1}f_{2} + (x_{1}+ 1)f_{1} + (x_{1}+x_{2} + 1)f_{2} + g, $$

which is a bent function. In particular, f1 = f00 + f01 = ϕ2(y), f2 = f00 + f10 = ϕ1(y) and f1f2 = ϕ1(y)ϕ2(y) so that

$$F(x,y) = \phi_{1}(y)\phi_{2}(y) + (x_{1}+ 1)\phi_{2}(y) + (x_{1}+x_{2} + 1)\phi_{1}(y) + (x_{3},\ldots,x_{n/2}) \cdot (\phi_{3}(y),\ldots,\phi_{n/2}(y)) + \psi(y). $$

But this is just another bent function in the \(\mathcal {M}\mathcal {M}\) class obtained from f by a simple linear transformation and addition of some function that only depends on y variables. Indeed, we can write

$$F(x,y)=(x_{1},x_{1}+x_{2}, x_{3},\ldots,x_{n})\cdot (\phi_{1}(y), \ldots,\phi_{n}(y)) + \psi^{\prime}(y), $$

where ψ′(y) = ϕ1(y)ϕ2(y) + ϕ1(y) + ϕ2(y) + ψ(y).

ii) For simplicity, by fixing y1 and y2, we consider f = y1f1 + y2f2 + y1y2α + g. In this case, the restrictions of ϕi(y) and ψ(y) w.r.t. y1 and y2 are not necessarily the same for different choices of (y1, y2). Let fij(x, y′), for i, j ∈ {0,1} and y′ = (y3,…, yn/2), denote the restriction of f when (y1, y2) = (i, j) so that

$$f_{ij}(x,y^{\prime})=x_{1}\phi_{1}^{ij}(y^{\prime}) + {\ldots} + x_{n/2}\phi_{n/2}^{ij}(y^{\prime}) + \psi^{ij}(y^{\prime}), $$

where \(\phi _{k}^{ij}(y^{\prime })\) and \(\psi^{ij}(y^{\prime })\) are obtained by fixing (y1, y2) = (i, j). Then, the necessary condition that \({\sum }_{(i,j)\in {\mathbb {F}_{2}^{2}}}f_{ij}(x,y^{\prime })=\alpha \) is affine implies that

$$ \sum\limits_{(i,j)\in {\mathbb{F}_{2}^{2}}} \phi_{k}^{i,j}(y^{\prime})=const \; \; \forall k \in [1,n/2] ; \; \sum\limits_{(i,j)\in {\mathbb{F}_{2}^{2}}} \psi^{ij}(y^{\prime}) \text{ is affine} . $$

Since ψ is arbitrary the second condition can always be satisfied and it can be easily verified that for instance ϕ(y) = y satisfies the first condition. In general, depending on the choice of ϕ and ψ the function F given by (4), where x1 and x2 are substituted by y1 and y2 respectively, may potentially lie outside the \(\mathcal {M}\mathcal {M}\) class. □

Though the conditions related to the restrictions of ϕk given by (18) may appear difficult, it turns out that these conditions can be easily satisfied in a nontrivial manner (for nonlinear permutations ϕ).

Example 2

For instance, one can define a permutation ϕ over \(\mathbb {F}_{2}^{n/2}\) as

$$\phi(y_{1},\ldots,y_{n/2})=(\phi_{1}(y), \ldots, \phi_{n/2}(y))=(y_{1}y_{2}+y_{3}+r(\widetilde{y}),y_{1}y_{2}+y_{4}+r^{\prime}(\widetilde{y}),y_{1},y_{2}, \pi(\widetilde{y})),$$

where \(\widetilde {y}=(y_{5},\ldots ,y_{n/2})\), π is a permutation with respect to \(\widetilde {y}\) and r, r′ are any functions that only depend on the subset of variables \(\widetilde {y}\). In addition, let ψ(y) = y1y2yt for some t ∈ [5, n/2]. Then, the sums of restrictions of the coordinate functions of ϕ are given as

$$\left( \sum\limits_{(i,j)\in {\mathbb{F}_{2}^{2}}} \phi_{1}^{i,j}(y^{\prime}), \ldots, \sum\limits_{(i,j)\in {\mathbb{F}_{2}^{2}}} \phi_{n/2}^{i,j}(y^{\prime})\right)=(1,1,0,0,\textbf{0}_{n/2-4}), $$

where y′ = (y3,…, yn/2) and \(\textbf {0}_{n/2-4}\) denotes the all zero vector of length n/2 − 4. Then, \(\alpha ={\sum }_{(i,j)\in {\mathbb {F}_{2}^{2}}}f_{ij}(x,y^{\prime })=x\cdot (1,1,0,0, \textbf {0}_{n/2-4} )+y_{t}, \) where \(x=(x_{1}, \ldots ,x_{n/2})\in \mathbb {F}^{n/2}_{2}\). Moreover, since f00(x, y′) = g(x, y′), f01(x, y′) = g(x, y′) + f2(x, y′) and f10(x, y′) = g(x, y′) + f1(x, y′), we have that

$$\begin{array}{@{}rcl@{}} g(x,y^{\prime})&=&(y_{3}+r(\widetilde{y}),y_{4}+r^{\prime}(\widetilde{y}),0,0, \pi(\widetilde{y})),\\ f_{1}(x,y^{\prime})&=&x\cdot (0,0,1,0,\textbf{0}_{n/2-4})=x_{3},\\ f_{2}(x,y^{\prime})&=&x\cdot (0,0,0,1,\textbf{0}_{n/2-4})=x_{4}. \end{array} $$

Consequently, the functions f(x, y) and F(x, y) are given as

$$\begin{array}{@{}rcl@{}} f(x,y)&=&y_{1}x_{3}+y_{2}x_{4}+y_{1}y_{2}(x_{1}+x_{2}+y_{t})+g(x,y^{\prime}),\\ F(x,y)&=& (\alpha + 1)f_{1}f_{2} + (y_{1}+ 1)f_{1} + (y_{1}+y_{2} + \alpha + 1)f_{2} + \alpha(y_{1}+ 1)y_{2} + g \\ &=&(x_{1}+x_{2}+y_{t}+ 1)x_{3}x_{4}+(y_{1}+ 1)x_{3}+(y_{1}+y_{2}+x_{1}+x_{2}+y_{t}+ 1)x_{4}\\ &&+(x_{1}+x_{2}+y_{t})(y_{1}+ 1)y_{2}+g(x,y^{\prime}), \end{array} $$

and thus both functions have degree max{3, g(x, y′)}. However, since the function F contains the terms which are products of certain coordinates of x = (x1,…, xn/2) (for instance it contains x3x4 instead of y1y2 as in f), then it is not obvious whether F remains in the \(\mathcal {M}\mathcal {M}\) class.

Remark 6

It can be shown that if ψ(y) = 0 then F belongs to the \(\mathcal {M}\mathcal {M}\) class. However, if ψ(y) = y1y2yt and ϕ is chosen suitably the question whether F remains in \(\mathcal {M}\mathcal {M}\) becomes difficult.

Open Problem 1

In general, due to a nonlinear action of σ on two fixed coordinates the resulting functions are affine inequivalent to initial ones. However, the exact classification of bent functions obtained by the above methods remains open and it is of crucial importance for our better understanding of these objects.

Remark 7

A similar analysis can be performed on the Rothaus generic method of defining a bent function f [17] as

$$\begin{array}{@{}rcl@{}} f(x_{1},x_{2},x)&=& A(x)B(x)+ A(x)C(x)+ B(x)C(x)\\ &&+\,x_{1}x_{2} + [A(x)+ B(x)]x_{1}+ [A(x)+ C(x)]x_{2}, \end{array} $$

where A, B, C are bent and additionally A + B + C is bent. Due to its particular form f cannot be represented as f = x1f1 + x2f2 + x1x2α + g since it would imply that α = 1 which is the trivial case due to the annihilation of the term (1 + α)f1f2 in F.

We remark that the \(\mathcal {D}_{0}\) class of bent functions introduced in [2], which for n = 2m corresponds to a bent function \(f(x,y)=x \cdot \phi (y) + {\prod }_{i = 1}^{m}(x_{i}+ 1)\), can in certain cases be represented suitably.

Example 3

When n = 2m = 6 and \(f(x,y)=x \cdot \phi (y) + {\prod }_{i = 1}^{3}(x_{i}+ 1)\), \(x,y \in {\mathbb {F}_{2}^{3}}\), only the restriction f00 in (16) is different compared to the standard \(\mathcal {M}\mathcal {M}\) class and equals f00(x3, y) = x3ϕ3(y) + (1 + x3), since fixing (x1, x2) to any value other than (0,0) makes the term \({\prod }_{i = 1}^{3}(x_{i}+ 1)\) vanish. Thus, \({\sum }_{(i,j) \in {\mathbb {F}_{2}^{2}}}f_{ij}=\alpha = 1+x_{3}\). Representing f as in (14), where f1 = 1 + x3 + ϕ2(y), f2 = 1 + x3 + ϕ1(y) and g = 1 + x3 + x3ϕ3(y) (which do not depend on x1, x2), we obtain using (4) that

$$\begin{array}{@{}rcl@{}} F(x,y) &=& x_{3}\phi_{1}(y)\phi_{2}(y) + (x_{1}+ 1)(\phi_{2}(y) + 1 +x_{3}) + (x_{1}+x_{2} + x_{3}) (\phi_{1}(y) + 1+x_{3}) \\ && + (1+x_{3})(1+x_{1})x_{2} + 1+ x_{3} + x_{3} \phi_{3}(y). \end{array} $$

In the above example the terms xiϕj(y) could have been obtained by some (invertible) affine transformation of the input space but this is not the case for the term x3ϕ1(y)ϕ2(y). Nevertheless, as remarked in Corollary 4.2 [9], the algebraic degree of x3ϕ1(y)ϕ2(y) in Example 3 cannot be larger than 3 and therefore in general the product ϕi(y)ϕj(y), for a permutation (ϕ1,…, ϕm) over \({\mathbb {F}_{2}^{m}}\), is of degree ≤ m − 1. The next result confirms that this is always the case for any permutation ϕ.

Proposition 3

Let ϕ(y) = (ϕ1(y),…, ϕm(y)) be a permutation over \({\mathbb {F}_{2}^{m}}\), where m ≥ 3. Then, deg(ϕiϕj) ≤ m − 1 for any 1 ≤ i, j ≤ m.


Since ϕ is a permutation over \({\mathbb {F}_{2}^{m}}\) all nonzero linear combinations of ϕi are balanced. In particular, wt(ϕi) = wt(ϕj) = wt(ϕi + ϕj) = \(2^{m-1}\), for 1 ≤ ijm. Using a well-known result [12] that

$$wt(\phi_{i} + \phi_{j})= wt(\phi_{i}) + wt(\phi_{j}) -2wt(\phi_{i}(y)\phi_{j}(y)), $$

we deduce that wt(ϕi(y)ϕj(y)) = \(2^{m-2}\), which is an even number for m ≥ 3. Thus, the ANF of ϕi(y)ϕj(y) contains an even number of terms of degree m (that cancel out each other) and consequently deg(ϕi(y)ϕj(y)) ≤ m − 1. If i = j then ϕi(y)ϕj(y) = ϕi(y), which is balanced by assumption implying deg(ϕi) ≤ m − 1. □

The main problem related to a generalization of the above example for n > 6 is that for k > 3 the term \({\prod }_{i = 1}^{k}(x_{i}+ 1)\) is not cubic any longer and thus by fixing x1 and x2 the function \(\alpha ={\sum }_{(i,j) \in {\mathbb {F}_{2}^{2}}} f_{ij}\) is not affine, which implies that (4) does not apply in this case. The problem of extending the approach of Hou and Langevin to nonlinear transformations that include more than two variables is treated in the next section.

4 Extended bent transforms

The approach of Hou and Langevin only addressed the transformation of input space with respect to two variables. It can be readily checked that their construction relies on the fact that σ and \(\sigma^{-1}\) are related through the property that \(A=\left [ \begin {array}{cc} 1 & \alpha + 1 \\ \alpha & 1 \end {array} \right ]\) is a self-inverse matrix, that is, \(A = A^{-1}\). A natural question is whether this approach can be extended by defining other permutations that keep fixed k number of variables, where k > 2, thus defining

$$ \sigma(x_{1},\ldots,x_{k}, x_{k + 1}, {\ldots} , x_{n})= \left( (f_{1}, \ldots,f_{k})+ (x_{1},\ldots,x_{k}) A, x_{k + 1}, \ldots, x_{n} \right), $$

where A is a k × k invertible matrix, k > 2, with entries in \(\mathcal {A}_{n}^{k}=\{\ell (x_{k + 1},\ldots , x_{n}) \in \mathcal {A}_{n}\}\) (the subset of \(\mathcal {A}_{n}\) with variables xk+ 1,…, xn) with the property that \(A = A^{-1}\) so that \(A^{2} = I\).

In terms of the existence of self-inverse matrices the following example and remark are useful.

Example 4

For instance when k = 3, the binary matrix \(A_{3\times 3}=\left [ \begin {array}{ccc} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 1 & 0 & 1 \end {array} \right ]\) is self-inverse. Nevertheless, there are self-inverse matrices with entries in \(\mathcal {A}_{n}\), e.g. \(A^{*}=\left [ \begin {array}{ccc} 1 & \alpha + 1 &0 \\ \alpha & 1 & 0 \\ \alpha & 0 & 1 \end {array} \right ]\) is self-inverse for any non-constant affine function \(\alpha \in \mathcal {A}_{n}\).

Remark 8

Self-inverse matrices are easily defined recursively when their size is a power of two. For instance, taking \(A^{(0)} = [1]\) one can define self-inverse matrices \(A^{(n)}=\left [ \begin {array}{cc} A^{(n-1)} & A^{(n-1)} \\ \textbf {0} & A^{(n-1)} \end {array}\right ]\) of size \(2^{n} \times 2^{n}\) for n ≥ 1. Here 0 denotes an all-zero matrix of size \(2^{n-1} \times 2^{n-1}\). For instance,

$$A^{(2)}=\left[ \begin{array}{cccc} 1 & \alpha + 1 & 1 & \alpha + 1 \\ \alpha & 1 & \alpha & 1 \\ 0 & 0 & 1 & \alpha + 1 \\ 0 & 0 & \alpha & 1 \end{array} \right]$$

is a self-inverse matrix where α is an affine function. In addition, we remark that given any self-inverse matrix A the matrix \(PAP^{-1}\) is also self-inverse whenever P is invertible.

Notice that self-inverse matrices simply relate σ and \(\sigma^{-1}\) efficiently but the sufficient condition that \(f \circ \sigma^{-1}\) is bent (where f is not necessarily bent) is that

$$\sigma(x_{1},\ldots, x_{k},x_{k + 1},\ldots,x_{n})= \left( (f_{1},\ldots, f_{k})+ (x_{1},\ldots, x_{k}) A^{(k)} , x_{k + 1}, \ldots, x_{n} \right) $$

is such that span(σ) ⊂ l(f), where \(l(f) =\{g \in \mathcal {B}_{n} : d_{H}(f,g)= 2^{n-1} \pm 2^{n/2-1}\}\), where n is even. More precisely, the main difficulty is to guarantee that the above condition is satisfied rather than to specify different self-inverse matrices.

4.1 The special case of nonlinear action on three input variables

Since the sufficient conditions in terms of finding suitable (nontrivial) transformations whose linear span is at bent distance for a given f appear to be hard, we restrict our attention to the case k = 3. For this purpose, we use the self-inverse matrix \(A^{*}\) given in Example 4. The coordinate functions σ1,…, σ3 of a permutation σ = (σ1,…, σn) over \({\mathbb {F}_{2}^{n}}\) (cf. (19) and substitute A by \(A^{*}\)) are given as:

$$ \sigma_{1}= f_{1} + x_{1} + \alpha (x_{2}+x_{3}); \;\; \sigma_{2}= f_{2} + (\alpha + 1)x_{1} + x_{2}; \;\;\sigma_{3}= f_{3} + x_{3}, $$

and σ acts as identity permutation for the remaining coordinate functions, that is, σi(x) = xi for 4 ≤ i ≤ n. Once again, the functions fi and α only depend on variables x4,…, xn, and furthermore α is affine. Using the same variable dependency for \(g \in \mathcal {B}_{n}\) as for fi and α, let us assume that \(f \in \mathcal {B}_{n}\) can be represented as

$$ f=x_{1}f_{1} + x_{2}f_{2} + x_{3}f_{3} + x_{1}x_{2} \alpha + g. $$

In contrast to (3), we later demonstrate by an example that the function α may also depend on the variables x1,…, x3 in this case. Apparently, \(span(\sigma )\subset span(\mathcal {A}_{n}, f_{1} + \alpha (x_{2}+x_{3}), f_{2} + \alpha x_{1}, f_{3})=\mathcal {U}\) and we need to show that span(σ) ⊂ l(f). For any \(\beta \in \mathcal {U}\) we can write

$$ \beta=\epsilon_{1}(f_{1} + \alpha (x_{2}+x_{3})) + \epsilon_{2}(f_{2} + \alpha x_{1}) + \epsilon_{3}f_{3} + \gamma, $$

where \(\epsilon _{i} \in \mathbb {F}_{2}\) and \(\gamma \in \mathcal {A}_{n}\). Combining (21) and (22) we obtain

$$ f + \beta =f(x_{1}+\epsilon_{1}, x_{2}+\epsilon_{2},x_{3}+\epsilon_{3},x_{4}, \ldots,x_{n}) + \epsilon_{1}\alpha x_{3} + \gamma^{\prime}, $$

where γ′ is an affine function. Thus, if β ∈ l(f) we must have \(w_{H}(f + \beta) = 2^{n-1} - 2^{n/2}\). This is in general true only if α ∈ {0,1} (assuming that α depends on x4,…, xn), in which case we have that \(f \circ \sigma^{-1}\) is a bent function (due to invertibility of the self-inverse matrix A) and is given as:

$$\begin{array}{@{}rcl@{}} F(x)&=&f \circ \sigma^{-1}=\alpha(f_{1}f_{3}+f_{1}f_{2} + f_{2}f_{3})+ f_{1} + f_{2} + f_{3} + f_{1}x_{1} + f_{2}x_{2} + f_{3}x_{3} + \\ & & \alpha(x_{3}f_{1}+x_{3}f_{2} + x_{2}f_{3}) + \alpha (f_{2} + x_{1} + x_{3}) + x_{2}x_{3} + f_{1}f_{2} + f_{2}x_{1} + g, \end{array} $$

where we have used the following substitution in f related to \(\sigma^{-1}\):

$$\begin{array}{@{}rcl@{}} & & x_{1} \rightarrow f_{1} + x_{1} + \alpha (f_{2}+x_{2}) + \alpha (f_{3}+x_{3}); \\ && x_{2} \rightarrow (f_{1} + x_{1})(\alpha+ 1) + f_{2}+x_{2}; \\ && x_{3} \rightarrow f_{3} + x_{3}. \end{array} $$

With the following example we show that in (21) it is possible to take α = x3 (which also implies that f + β is bent, cf. (23)) in which case α does not strictly depend on variables x4,…, xn. This implies that \(\sigma^{-1}\) is not given as above, i.e., \(\sigma ^{-1}(x)=(\sigma _1^{-1}(x), \sigma _2^{-1}(x),\sigma _3^{-1}(x), x_4,\ldots ,x_{n})\) is not equal to ([(f1(x), f2(x), f3(x)) ⊕ (x1, x2, x3)]A, x4,…, xn), since the matrix A contains α that depends on x3.

Example 5

In [9] an example of a cubic bent function \(f \in \mathcal {B}_{8}\) having the form as in (3) was given. Namely,

$$\begin{array}{@{}rcl@{}} f(x)&=&x_{1}x_{2}x_{3} +x_{2}x_{4}x_{5} + x_{4}x_{5} +x_{1}x_{8} +x_{2}x_{7}+x_{3}x_{6}+x_{4}x_{8}+x_{5}x_{6} \\ &=& x_{1}(x_{8}) + x_{2}(x_{4}x_{5} +x_{7}) + x_{3}(x_{6}) + x_{1}x_{2}(x_{3}) +(x_{4}x_{8}+x_{5}x_{6}+x_{4}x_{5}), \end{array} $$

which is now represented using the form (21). Thus, f1 = x8, f2 = x4x5 + x7, f3 = x6, α = x3 and g = x4x5 + x4x8 + x5x6. By relation (20), setting α = x3, we have that the first three coordinate functions of σ = (σ1, σ2, σ3,…, σ8) = (σ1, σ2, σ3, x4,…, x8) are given as

$$\sigma_{1}= x_{8} + x_{1} + x_{3}(x_{2}+x_{3}), \;\; \sigma_{2}= x_{4}x_{5}+x_{7} + (x_{3} + 1)x_{1} + x_{2}, \;\;\sigma_{3}= x_{6} + x_{3}. $$

Since α = x3, then we find that \(\sigma ^{-1}=(\sigma ^{-1}_{1},\sigma ^{-1}_{2},\sigma ^{-1}_{3},x_{4},\ldots ,x_{8})\) is given by

$$\begin{array}{@{}rcl@{}} \sigma^{-1}_{1} &=& x_{1} + x_{6} + x_{2} x_{6} + x_{4} x_{5} x_{6} + x_{6} x_{7} + x_{3} (1 + x_{2} + x_{4} x_{5} + x_{7}) + x_{8},\\ \sigma^{-1}_{2} &=& x_{2} + x_{4} x_{5} + x_{1} (1 + x_{3} + x_{6}) + x_{7} + x_{8} + x_{3} x_{8} + x_{6} x_{8},\\ \sigma^{-1}_{3} &=& x_{6} + x_{3}. \end{array} $$

Using the substitution \(x_{1}\rightarrow \sigma ^{-1}_{1}\), \(x_{2}\rightarrow \sigma ^{-1}_{2}\) and \(x_{3}\rightarrow \sigma ^{-1}_{3}\) in relation (21) we have that the bent function \(F = f \circ \sigma^{-1}\) is given as

$$\begin{array}{@{}rcl@{}} F(x)=f \circ \sigma^{-1}&=&x_{1} x_{2} x_{3} + x_{1} x_{4} x_{5} + x_{2} x_{4} x_{5} + x_{6} + x_{1} x_{2} x_{6} + x_{3} x_{6} + x_{5} x_{6} + x_{7} + x_{1} x_{7} + x_{2} x_{7}\\ && + x_{8} + x_{1} x_{8} + x_{3} x_{8} + x_{4} x_{8} + x_{4} x_{5} x_{8} + x_{3} x_{4} x_{5} x_{8} + x_{6} x_{8} + x_{4} x_{5} x_{6} x_{8} + x_{7} x_{8}\\ && + x_{3} x_{7} x_{8} + x_{6} x_{7} x_{8}, \end{array} $$

which is a bent function of degree 4 and therefore affine inequivalent to f.
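The claims of Example 5 can be checked exhaustively over all 256 inputs. The following Python is an added example, not code from the paper; it encodes x1 as the least significant bit of an integer (a convention chosen here) and confirms that σ is a permutation, that the printed \(\sigma^{-1}\) inverts it, and that \(F = f \circ \sigma^{-1}\) has the printed ANF, is bent and has degree 4.

```python
N = 8  # number of variables in Example 5

def bits(v):
    """Integer 0..255 -> [x1, ..., x8], x1 being the least significant bit."""
    return [(v >> i) & 1 for i in range(N)]

def pack(xs):
    """Inverse of bits()."""
    return sum(b << i for i, b in enumerate(xs))

def f(x):
    x1, x2, x3, x4, x5, x6, x7, x8 = x
    return ((x1 & x2 & x3) ^ (x2 & x4 & x5) ^ (x4 & x5) ^ (x1 & x8)
            ^ (x2 & x7) ^ (x3 & x6) ^ (x4 & x8) ^ (x5 & x6))

def sigma(x):
    """sigma from relation (20) with f1 = x8, f2 = x4x5 + x7, f3 = x6, alpha = x3."""
    x1, x2, x3, x4, x5, x6, x7, x8 = x
    s1 = x8 ^ x1 ^ (x3 & (x2 ^ x3))
    s2 = (x4 & x5) ^ x7 ^ ((x3 ^ 1) & x1) ^ x2
    s3 = x6 ^ x3
    return [s1, s2, s3, x4, x5, x6, x7, x8]

def sigma_inv_paper(x):
    """Closed form of sigma^{-1} as printed in Example 5."""
    x1, x2, x3, x4, x5, x6, x7, x8 = x
    t1 = (x1 ^ x6 ^ (x2 & x6) ^ (x4 & x5 & x6) ^ (x6 & x7)
          ^ (x3 & (1 ^ x2 ^ (x4 & x5) ^ x7)) ^ x8)
    t2 = (x2 ^ (x4 & x5) ^ (x1 & (1 ^ x3 ^ x6)) ^ x7 ^ x8
          ^ (x3 & x8) ^ (x6 & x8))
    return [t1, t2, x6 ^ x3, x4, x5, x6, x7, x8]

def walsh(tt):
    """Walsh spectrum of a truth table (fast Walsh-Hadamard transform)."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def is_bent(tt):
    """Flat spectrum: every Walsh coefficient equals +-2^(n/2)."""
    return all(abs(c) == 2 ** (N // 2) for c in walsh(tt))

def anf_monomials(tt):
    """Moebius transform; returns the monomials of the ANF as bit masks."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return {m for m, c in enumerate(a) if c}

def degree(tt):
    return max(bin(m).count("1") for m in anf_monomials(tt))

# ANF of F as printed in Example 5; "3458" stands for x3 x4 x5 x8.
PAPER_F_TERMS = ("123 145 245 6 126 36 56 7 17 27 8 18 38 48 458 "
                 "3458 68 4568 78 378 678")

def check_example5():
    points = [bits(v) for v in range(2 ** N)]
    tt_f = [f(x) for x in points]
    image = [pack(sigma(x)) for x in points]
    inverse = {s: v for v, s in enumerate(image)}
    if len(inverse) != 2 ** N:
        raise ValueError("sigma is not a permutation")
    tt_F = [tt_f[inverse[v]] for v in range(2 ** N)]   # F = f o sigma^{-1}
    paper = {sum(1 << (int(d) - 1) for d in t) for t in PAPER_F_TERMS.split()}
    return {
        "sigma_is_permutation": sorted(image) == list(range(2 ** N)),
        "inverse_matches_paper": all(
            pack(sigma_inv_paper(x)) == inverse[v] for v, x in enumerate(points)),
        "f_bent": is_bent(tt_f),
        "F_bent": is_bent(tt_F),
        "deg_f": degree(tt_f),
        "deg_F": degree(tt_F),
        "anf_matches_paper": anf_monomials(tt_F) == paper,
    }

if __name__ == "__main__":
    print(check_example5())
```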

Remark 9

The importance of the above example lies in the fact that one can combine the extended form (21) and the possibility that α can essentially depend on x1,…, xn and not only on xk+ 1,…, xn. In the same way, we may consider that some of the functions f1, f2, f3 depend on arbitrary input variables, but clearly the bent conditions (along with the difficulty of specifying suitable σ and \(\sigma^{-1}\)) become much harder.

5 Bent functions from nonlinear permutations and vice versa

It is well-known that any permutation ϕ over \({\mathbb {F}_{2}^{m}}\) induces a bent function in the \(\mathcal {M}\mathcal {M}\) class f(x, y) = ϕ(y) ⋅ x + ψ(y), where \(x,y \in {\mathbb {F}_{2}^{m}}\). On the other hand, ϕ(y) = (ϕ1(y),…, ϕm(y)) is a permutation over \({\mathbb {F}_{2}^{m}}\) if and only if all linear (nonzero) combinations of the coordinate functions ϕi are balanced [10, Theorem 7.7]. The fact that for any bent function \(f \in \mathcal {B}_{n}\) the derivatives Daf(x) = f(x + a) + f(x) are balanced functions, for any nonzero \(a \in {\mathbb {F}_{2}^{n}}\), leads to a natural question whether certain classes of bent functions have balanced linear combinations of their derivatives thus giving rise to permutations over \(\mathbb {F}_{2}^{2m}\). In [9], Hou and Langevin provided two sporadic examples of cubic bent functions \(f \in \mathcal {B}_{8}\) to define a permutation \(\sigma =(D_{e_{1}}f, \ldots ,D_{e_{8}}f)\), where \(D_{e_{i}}f\) is a derivative of f with respect to the set {e1,…, e8} that forms a basis of \({\mathbb {F}_{2}^{8}}\). The authors noted that for the considered cubic bent function approximately half of the choices of different bases essentially give rise to permutations. Henceforth, we always use the canonical basis of the vector space \({\mathbb {F}_{2}^{n}}\), that is, the set \(\{e_{1},\ldots ,e_{n}\} \in {\mathbb {F}_{2}^{n}}\) where ei equals one at position i otherwise its entries are zeros.

The main motivation of this section is to investigate whether there is a generic method of deriving permutations σ over \(\mathbb {F}_{2}^{2m}\) given a bent function in the \(\mathcal {M}\mathcal {M}\) class defined using a suitable permutation ϕ over \({\mathbb {F}_{2}^{m}}\). The next result gives sufficient conditions for a permutation ϕ over \({\mathbb {F}_{2}^{m}}\) that can be used to design a permutation σ over \(\mathbb {F}_{2}^{2m}\).

Proposition 4

Let ϕ = (ϕ1,…, ϕm) be a permutation over \({\mathbb {F}_{2}^{m}}\). Let f(y, x) = ϕ(y) ⋅ x be a bent function in \(\mathcal {B}_{2m}\), \(x,y \in {\mathbb {F}_{2}^{m}}\). Let \(e_{i}=(e_{i}^{\prime },e_{i}^{\prime \prime })\) where \(e_{i}^{\prime },e_{i}^{\prime \prime } \in {\mathbb {F}_{2}^{m}}\). If \(\{ \phi (y+ e_{1}^{\prime })+\phi (y), \ldots ,\phi (y+ e_{m}^{\prime })+\phi (y) \}\) is a basis of \({\mathbb {F}_{2}^{m}}\) for any fixed \(y\in {\mathbb {F}_{2}^{m}}\), then the function \(\sigma =(D_{e_{1}}f, \ldots , D_{e_{2m}}f )\) is a permutation over \(\mathbb {F}_{2}^{2m}\).


It is convenient to write f(y, x) = ϕ1(y)x1 + ⋯ + ϕm(y)xm. Since f is bent it implies that \(D_{e_{i}}f\) are balanced functions, thus it remains to show that the linear combinations of \(D_{e_{1}}f, \ldots , D_{e_{2m}}f \) are also balanced.

Then, for i = m + 1,…,2m we have \(D_{e_{i}}f=f(y,x+e_{i}^{\prime \prime })+f(y,x)=\phi _{i-m}(y)\). Now, considering \(\sigma =(\sigma _{1},\ldots ,\sigma _{2m})=(D_{e_{1}}f, \ldots ,D_{e_{2m}}f)\), we notice that \({\sum }_{j=m + 1}^{2m}b_{j}\sigma _{j}={\sum }_{j=m + 1}^{2m}b_{j}\phi _{j -m}(y)\) is a balanced function for any \( (b_{m + 1},\ldots ,b_{2m}) \in {{\mathbb {F}_{2}^{m}}}^{*}\), since ϕ is a permutation.

On the other hand, for any ej, j = 1,…, m, (thus of the form \((e_{j}^{\prime },\textbf {0}_{m}))\) we have

$$D_{e_{j}}f=(\phi_{1}(y+e_{j}^{\prime})+\phi_{1}(y))x_{1} + {\ldots} + (\phi_{m}(y+e_{j}^{\prime})+\phi_{m}(y))x_{m}=\sum\limits_{i = 1}^{m} (\phi_{i}(y+e_{j}^{\prime})+\phi_{i}(y))x_{i}, $$

which are balanced by assumption. In order that σ is a permutation we need to have that all (nontrivial) linear combinations of the form

$$\sum\limits_{j = 1}^{m}a_{j}D_{e_{j}}f + \sum\limits_{j=m + 1}^{2m}b_{j}D_{e_{j}}f=\sum\limits_{j = 1}^{m} a_{j}\sum\limits_{i = 1}^{m}(\phi_{i}(y+e_{j}^{\prime})+\phi_{i}(y))x_{i} + \sum\limits_{j=m + 1}^{2m}b_{j}\phi_{j - m}(y) $$

(involving both halves) are balanced. Then, defining

$$M_{m\times m}=\left[\begin{array}{cccc} \phi_{1}(y+e_{1}^{\prime})+\phi_{1}(y) & \phi_{1}(y+e_{2}^{\prime})+\phi_{1}(y) & {\ldots} & \phi_{1}(y+e_{m}^{\prime})+\phi_{1}(y)\\ \phi_{2}(y+e_{1}^{\prime})+\phi_{2}(y)& \phi_{2}(y+e_{2}^{\prime})+\phi_{2}(y) & {\ldots} &\phi_{2}(y+e_{m}^{\prime})+\phi_{2}(y)\\ {\vdots} \\ \phi_{m}(y+e_{1}^{\prime})+\phi_{m}(y) & \phi_{m}(y+e_{2}^{\prime})+\phi_{m}(y)& {\ldots} & \phi_{m}(y+e_{m}^{\prime})+\phi_{m}(y) \end{array}\right], $$

it is sufficient to show that the equation

$$ \begin{array}{c} (a_{1}, a_{2},\ldots,a_{m})M_{m\times m} \left( \begin{array}{c} x_{1}\\ x_{2}\\ \vdots\\ x_{m} \end{array} \right)+ \sum\limits_{j=m + 1}^{2m}b_{j}\phi_{j - m}(y)= 0 \end{array} $$

has \(2^{2m-1}\) solutions, for any \((a_{1}, a_{2}, \ldots ,a_{m},b_{m + 1},\ldots ,b_{2m})\in {{\mathbb {F}_{2}^{2m}}}^{*} \).

If a = (a1,…, am) = \(\textbf {0}_{m}\), then we know \({\sum }_{j=m + 1}^{2m}b_{j}\phi _{j - m}(y)\) is a balanced function for any \( (b_{m + 1},\ldots ,b_{2m}) \in {{\mathbb {F}_{2}^{m}}}^{*}\), that is, equation (26) has \(2^{2m-1}\) solutions.

Now assume a = (a1,…, am) ≠ \(\textbf {0}_{m}\). Since \(\{ \phi (y+ e_{1}^{\prime })+\phi (y), \ldots ,\phi (y+ e_{m}^{\prime })+\phi (y) \}\) is a basis of \({\mathbb {F}_{2}^{m}}\) for any fixed \(y\in {\mathbb {F}_{2}^{m}}\) (the matrix \(M_{m\times m}\) is nonsingular for any fixed \(y\in {\mathbb {F}_{2}^{m}}\)), then (a1, a2,…, am)\(M_{m\times m}\) is a nonzero vector. Hence, the equation (26) has \(2^{2m-1}\) solutions since ((a1, a2,…, am)M) ⋅ x is a linear function. □

If ϕ(y) = (ϕ1(y),…, ϕm(y)) = (y1,…, ym), then the matrix \(M_{m\times m}\) is an identity matrix. In the following, we provide a nonlinear permutation ϕ such that \(\{ \phi (y+ e_{1}^{\prime })+\phi (y), \ldots ,\phi (y+ e_{m}^{\prime })+\phi (y) \}\) is a basis of \({\mathbb {F}_{2}^{m}}\), for any fixed \(y\in {\mathbb {F}_{2}^{m}}\). For this purpose, using the canonical basis \(\{e_{1}^{\prime },\ldots , e_{m}^{\prime }\}\) of \({\mathbb {F}_{2}^{m}}\), we simply define the permutation \(\phi :{\mathbb {F}_{2}^{m}} \rightarrow {\mathbb {F}_{2}^{m}}\) as follows:

$$ \phi(y)= \left\{ \begin{array}{ll} y, & y\notin \{e_{1}^{\prime},\ldots,e_{m}^{\prime}\} \\ e^{\prime}_{\gamma(i)}, & y\in \{e_{1}^{\prime},\ldots,e_{m}^{\prime}\} \end{array} \right., $$

where γ(i) = i + 1 for i ∈ [1, m − 1] and γ(m) = 1. Thus, ϕ can be viewed as an identity permutation on \({\mathbb {F}_{2}^{m}} \setminus \{e_{1}^{\prime },\ldots ,e_{m}^{\prime }\}\), whereas the images of ϕ are cyclically shifted when \(y \in \{e_{1}^{\prime },\ldots ,e_{m}^{\prime }\}\).

Theorem 3

Let \(e_{i}=(e_{i}^{\prime },e_{i}^{\prime \prime })\) where \(e_{i}^{\prime },e_{i}^{\prime \prime } \in {\mathbb {F}_{2}^{m}}\) and define a permutation \(\phi :{\mathbb {F}_{2}^{m}} \rightarrow {\mathbb {F}_{2}^{m}}\) by (27). Let f(y, x) = ϕ(y) ⋅ x be a bent function in \(\mathcal {B}_{2m}\), \(x,y \in {\mathbb {F}_{2}^{m}}\). Then \(\{ \phi (y+ e_{1}^{\prime })+\phi (y), \ldots ,\phi (y+ e_{m}^{\prime })+\phi (y) \}\) is a basis of \({\mathbb {F}_{2}^{m}}\), for any fixed \(y\in {\mathbb {F}_{2}^{m}}\). Consequently, \(\sigma =(D_{e_{1}}f, \ldots , D_{e_{2m}}f )\) is a permutation over \(\mathbb {F}_{2}^{2m}\).


It is enough to show that \(\{ \phi (y+ e_{1}^{\prime })+\phi (y), \ldots ,\phi (y+ e_{m}^{\prime })+\phi (y) \}\) is a basis of \({\mathbb {F}_{2}^{m}}\), for any fixed \(y\in {\mathbb {F}_{2}^{m}}\). There are three cases to be considered.

  1. If wt(y) = 1, w.l.o.g. we set \(y=e_{1}^{\prime }\). From the definition of ϕ we have that

    $$\begin{array}{c} \phi(y+ e_{1}^{\prime})+\phi(y)= e_{2}^{\prime},\\ \phi(y+ e_{2}^{\prime})+\phi(y)= e_{1}^{\prime}+e_{2}^{\prime}+e_{2}^{\prime}=e_{1}^{\prime},\\ \phi(y+ e_{3}^{\prime})+\phi(y)= e_{1}^{\prime}+e_{3}^{\prime}+e_{2}^{\prime},\\ \vdots\\ \phi(y+ e_{m}^{\prime})+\phi(y)= e_{1}^{\prime}+e_{m}^{\prime}+e_{2}^{\prime} \end{array} $$

    is a basis of \({\mathbb {F}_{2}^{m}}\).

  2. If wt(y) = 2, w.l.o.g. we set \(y=e_{1}^{\prime }+e_{2}^{\prime }\). Similarly, as above

    $$\begin{array}{c} \phi(y+ e_{1}^{\prime})+\phi(y)= e_{3}^{\prime}+e_{1}^{\prime}+e_{2}^{\prime},\\ \phi(y+ e_{2}^{\prime})+\phi(y)= e_{2}^{\prime}+e_{1}^{\prime}+e_{2}^{\prime}=e_{1}^{\prime},\\ \phi(y+ e_{3}^{\prime})+\phi(y)= e_{1}^{\prime}+e_{2}^{\prime}+ e_{3}^{\prime}+e_{1}^{\prime}+e_{2}^{\prime}=e_{3}^{\prime},\\ \vdots\\ \phi(y+ e_{m}^{\prime})+\phi(y)= e_{1}^{\prime}+e_{2}^{\prime}+e_{m}^{\prime}+e_{1}^{\prime}+e_{2}^{\prime}=e_{m}^{\prime} \end{array} $$

    is a basis of \({\mathbb {F}_{2}^{m}}\).

  3. Now for wt(y) ≥ 3, we have \(wt(y+e_{i}^{\prime })\geq 2\), that is, \(\phi (y+e_{i}^{\prime })=y+e_{i}^{\prime }\). From the definition of ϕ we obtain

    $$\begin{array}{c} \phi(y+ e_{1}^{\prime})+\phi(y)= y+e_{1}^{\prime}+y,\\ \phi(y+ e_{2}^{\prime})+\phi(y)= y+e_{2}^{\prime}+y,\\ \vdots\\ \phi(y+ e_{m}^{\prime})+\phi(y)= y+e_{m}^{\prime}+y, \end{array} $$

    which is a basis of \({\mathbb {F}_{2}^{m}}\).

By Proposition 4, \(\sigma =(D_{e_{1}}f, \ldots , D_{e_{2m}}f )\) is a permutation over \(\mathbb {F}_{2}^{2m}\). □
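The basis condition of Proposition 4 can be tested exhaustively for the permutation ϕ in (27). The following Python is an added example, not code from the paper; it visits every y rather than one representative per weight class, builds σ from the derivatives of f(y, x) = ϕ(y) ⋅ x, and uses bit j of an integer for coordinate j + 1 (the function names are chosen here).

```python
def phi(y, m):
    """Permutation (27): identity, except that e_i' is sent to e_{gamma(i)}'."""
    if y != 0 and y & (y - 1) == 0:        # y is a unit vector e_i'
        i = y.bit_length() - 1             # 0-based position of its single 1
        return 1 << ((i + 1) % m)          # gamma(i) = i + 1, gamma(m) = 1
    return y

def rank_gf2(vectors):
    """Rank over F_2 of integers read as bit vectors."""
    basis = []
    for v in vectors:
        for b in basis:
            v = min(v, v ^ b)              # clears the leading bit of b in v
        if v:
            basis.append(v)
    return len(basis)

def failing_points(m):
    """All y for which {phi(y + e_j') + phi(y)} is not a basis of F_2^m."""
    bad = []
    for y in range(2 ** m):
        diffs = [phi(y ^ (1 << j), m) ^ phi(y, m) for j in range(m)]
        if rank_gf2(diffs) < m:
            bad.append(y)
    return bad

def sigma_table(m):
    """sigma = (D_{e_1}f, ..., D_{e_2m}f) for f(y, x) = phi(y).x, as a list
    indexed by (y, x); output bit i holds the derivative in direction e_{i+1}."""
    def f(y, x):
        return bin(phi(y, m) & x).count("1") & 1
    table = []
    for y in range(2 ** m):
        for x in range(2 ** m):
            out = 0
            for j in range(m):             # e_j = (e_j', 0) shifts y
                out |= (f(y ^ (1 << j), x) ^ f(y, x)) << j
            for j in range(m):             # e_{m+j} = (0, e_j'') shifts x
                out |= (f(y, x ^ (1 << j)) ^ f(y, x)) << (m + j)
            table.append(out)
    return table

def is_permutation(table):
    return len(set(table)) == len(table)

if __name__ == "__main__":
    for m in range(2, 7):
        print(m, failing_points(m), is_permutation(sigma_table(m)))
```

For m = 3 no y fails and σ is a permutation of \(\mathbb {F}_{2}^{6}\). For m = 4 the check returns \(y=e_{1}^{\prime }+e_{3}^{\prime }\) and \(y=e_{2}^{\prime }+e_{4}^{\prime }\), where two of the differences sum to a vector already spanned by the others, so it is worth running for the intended m.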

Notice that σ is in general a nonlinear permutation and can have large algebraic degree which entirely depends on ϕ. This result has its independent significance as a generic design method to construct permutations over finite fields. The question whether the permutation σ may be used to construct f(x, y) = σ(y) ⋅ x whose linear combinations of its derivatives are again balanced (thus giving rise to an infinite sequence of permutations) is left open.

Remark 10

The same approach can be applied to a class of permutations proposed recently in [16]. Namely it was checked by computer that the permutations over \({\mathbb {F}_{2}^{m}}\) given in Construction 2 also give rise to permutations over \(\mathbb {F}_{2}^{2m}\) similarly to the class described in Theorem 3.

6 Conclusions

In this article we have identified two generic methods for constructing (in general) affine inequivalent bent functions using suitable classes of existing bent functions. A natural question which remains to be answered is to which primary class of bent functions these functions do belong. More precisely, assuming that a bent function f is provably within a certain class the question is whether the function F constructed by means of a nonlinear transform σ remains in the same class or not. We find this question to be fundamental with respect to the classification of bent functions.