Simplicity conditions for binary orthogonal arrays

It is known that correlation-immune (CI) Boolean functions used in the framework of side channel attacks need to have low Hamming weights. The supports of CI functions are (equivalently) simple orthogonal arrays, when their elements are written as rows of an array. The minimum Hamming weight of a CI function is then the same as the minimum number of rows in a simple orthogonal array. In this paper, we use Rao’s Bound to give a sufficient condition on the number of rows, for a binary orthogonal array (OA) to be simple. We apply this result for determining the minimum number of rows in all simple binary orthogonal arrays of strengths 2 and 3; we show that this minimum is the same in these cases as for all OA, and we extend this observation to some OA of strengths 4 and 5. This allows us to reply positively, in the case of strengths 2 and 3, to a question raised by the first author and X. Chen on the monotonicity of the minimum Hamming weight of 2-CI Boolean functions, and to partially reply positively to the same question in the case of strengths 4 and 5.


Introduction
In cryptography, correlation immune (CI) functions are those Boolean functions over $\mathbb{F}_2^k$ whose output distribution does not change when at most $t$ input bits are fixed, where $t \le k$ is the correlation immunity order, whatever the choice of these input bits and whatever the values to which they are fixed. As shown in [19], they are those $k$-variable Boolean functions whose Fourier transform $\widehat{f}(a) = \sum_{x \in \mathbb{F}_2^k} f(x)(-1)^{a \cdot x}$ (where "$\cdot$" is the usual inner product in $\mathbb{F}_2^k$) vanishes for all nonzero inputs $a \in \mathbb{F}_2^k$ of Hamming weight at most $t$. In other words, the supports of these functions are unrestricted (i.e. linear or nonlinear) binary codes of dual distance at least $t + 1$. The correlation immunity of a function $f$ provides resistance against the Siegenthaler correlation attack on stream ciphers using $f$ as a combining function (see [4] for more details). CI functions can also be used for implementing the rotating S-box masking counter-measure against side channel attacks (see [4] as well). We can reduce the cost of this counter-measure by finding, for given $k$ and $t$, the minimum Hamming weight $w_{k,t}$ of $t$-th order CI-functions in $k$ variables, that is, the minimal size of their supports, and then by using a CI function of such weight in the implementation. The first author and Guilley [5,6] published a table containing the values of $w_{k,t}$ for small $k, t$. It is difficult to give these values even for small parameters; this is demonstrated by the fact that the table is limited to $k \le 13$ and, even then, there are missing values in the table.
CI-functions are closely related to orthogonal arrays, introduced by C.R. Rao [16] in 1947. Let $N, t, k$ be positive integers, $t \le k$, and $S$ a finite set of cardinality $s$. An $N \times k$ array $A$ with entries from $S$ is said to be an orthogonal array with $s$ symbols, strength $t$, and index $\lambda$, if every $N \times t$ subarray of $A$ contains each $t$-tuple based on $S$ exactly $\lambda$ times as a row. We will denote such an array by OA$(N, k, s, t)$. We have $\lambda = N/s^t$. An orthogonal array is called simple if the rows are distinct. Supports of $t$-th order CI-functions give simple binary orthogonal arrays with strength $t$, if their elements are written as rows, and vice versa.
In the theory of orthogonal arrays, for both simple and general orthogonal arrays, the main question is to give, for given numbers $k$ of columns and $s$ of symbols and for strength $t$, the minimum value of $N$ for which an orthogonal array OA$(N, k, s, t)$ exists with $N$ rows. We will denote this value by $F^*(k, s, t)$ for simple orthogonal arrays (we have then $w_{k,t} = F^*(k, 2, t)$) and by $F(k, s, t)$ for general orthogonal arrays. This problem is very hard even for the smallest parameters $s = t = 2$. In fact, a binary orthogonal array of strength 2 with $k$ columns and $k + 1$ rows is equivalent to a Hadamard matrix of order $k + 1$. A Hadamard matrix of order $n$ is an $n \times n$ matrix whose entries are either $+1$ or $-1$, and whose rows are mutually orthogonal. The famous Hadamard conjecture proposes that a Hadamard matrix of order $n$ exists if and only if $n$ is divisible by 4. Equivalently in our notation: $F(k, 2, 2) = k + 1$ if and only if $k$ is congruent to 3 modulo 4.
For some lower bounds on the number $N$ of rows, it is known that if an OA$(N, k, s, t)$ attains this special bound, then it is simple. For example, this is true for the Friedman-Bierbrauer bound [1] Indeed, it is seen from the proof that any multiplicity greater than 1 makes the inequality strict. For binary orthogonal arrays of strength $t \ge (2k - 2)/3$, the bound $N \ge 2^{k-1}$ implies simplicity in the case of equality, see [12]. In [6], the first author and Guilley asked the following question:
Problem 1 (Carlet-Guilley). Is $F^*(k, 2, t)$ a monotone non-decreasing function when $k$ grows and $t$ remains fixed?
The same question for $F(k, s, t)$ is trivial, since an OA$(N, k, s, t)$ gives rise to an OA$(N, k-1, s, t)$ by deleting one of the columns. Moreover, if $F(k, s, t) = F^*(k, s, t)$, then $F^*(k, s, t) \le F(k + 1, s, t) \le F^*(k + 1, s, t)$. Hence, the solution of the following problem would imply an answer to the problem posed by the first author and Guilley:
Problem 2. Find all parameters $k, s, t$ such that $F(k, s, t) = F^*(k, s, t)$.
In this paper, we give a partial answer to Problem 2. Our main theoretical result is the following: then either $A$ is simple, or $k = 5$ and $A$ is obtained by the juxtaposition of two identical arrays OA$(16, 5, 2, 4)$.
Part (ii) of Theorem 1 implies a sufficient condition for the parameters k, s, t to fulfill Problem 2: Corollary 2. If t is even and Notice that the integer M(k, s, t) is the lower bound for the number of rows in an orthogonal array with k columns, s symbols and strength t, given in Rao's famous theorem [10, Theorem 2.1]: for all positive integers k, s, t.
For part (iii) of Theorem 1, we observe that M(5, 2, 4) = 16, and up to equivalence, there is a unique OA(16, 5, 2, 4). If we assume that such an array has an all-0 row, then all its rows have an even number of 1s.
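The objects above can be checked directly on the smallest cases the text names. The following Python sketch is an added example, not code from the paper: it tests strength both by the definition and by the vanishing of the Fourier transform, for the even-weight vectors of length 5 (an OA(16, 5, 2, 4)), for two juxtaposed copies of it, and for the array read off a Sylvester Hadamard matrix of order 8. All function names are hypothetical, and `rao_bound` assumes the standard textbook form of Rao's bound, since the formula itself does not survive on this page.

```python
from collections import Counter
from itertools import combinations, product
from math import comb

def rao_bound(k, s, t):
    """Rao's lower bound on the rows of an OA(N, k, s, t), standard textbook form."""
    u = t // 2
    m = sum(comb(k, i) * (s - 1) ** i for i in range(u + 1))
    if t % 2:  # odd strength t = 2u + 1 carries one extra term
        m += comb(k - 1, u) * (s - 1) ** (u + 1)
    return m

def strength_by_definition(rows, s=2):
    """Largest t such that every choice of t columns shows each t-tuple equally often."""
    n, k, t = len(rows), len(rows[0]), 0
    for cand in range(1, k + 1):
        if n % s ** cand:  # the index N / s^t must be an integer
            break
        for cols in combinations(range(k), cand):
            counts = Counter(tuple(r[c] for c in cols) for r in rows)
            if len(counts) != s ** cand or len(set(counts.values())) != 1:
                return t
        t = cand
    return t

def strength_by_fourier(rows):
    """Binary case: largest t such that the sum over rows of (-1)^(a.x) is zero
    for every nonzero a of Hamming weight <= t (rows counted with multiplicity)."""
    for a in sorted(product((0, 1), repeat=len(rows[0])), key=sum)[1:]:
        if sum((-1) ** sum(ai & xi for ai, xi in zip(a, x)) for x in rows):
            return sum(a) - 1  # first failure, scanning a by increasing weight
    return len(rows[0])

def is_simple(rows):
    return len(set(rows)) == len(rows)

def even_weight_array(k):
    """All even-weight vectors of length k, written as rows."""
    return [v for v in product((0, 1), repeat=k) if sum(v) % 2 == 0]

def sylvester_oa(m):
    """Rows x, columns nonzero a, entry a.x mod 2 (Sylvester Hadamard matrix in 0/1 form)."""
    pts = list(product((0, 1), repeat=m))
    return [tuple(sum(ai & xi for ai, xi in zip(a, x)) % 2 for a in pts[1:]) for x in pts]

if __name__ == "__main__":
    A = even_weight_array(5)  # an OA(16, 5, 2, 4); A + A juxtaposes two copies
    for arr in (A, A + A, sylvester_oa(3)):
        print(len(arr), strength_by_definition(arr), strength_by_fourier(arr), is_simple(arr))
```

The doubled array keeps strength 4 with 32 = 5² + 5 + 2 rows but is no longer simple, which is the exceptional case named in the main result; the Hadamard-derived array meets the bound for k = 7, t = 2 with 8 distinct rows.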
We conclude this section with Table 1, which shows the values of $F^*(k, 2, t)$ for $1 \le k, t \le 13$; it is a reproduction of the tables in [5,6,18]. Using old and new computational results, and Theorem 1, we were able to fill in new entries in Table 1, denoted by capital letters. For previously known entries we colored the cells; the meaning of the colors is explained below.
gray: The light gray fields are trivial. The dark gray fields are consequences of the Fon-Der-Flaass Theorem [7].
yellow: The yellow fields are related to the constructions of Hadamard matrices, to the famous Hadamard Conjecture, and to a recent conjecture by the first author and Chen, see Section 4 for details.
green: The values are equal to Delsarte's LP Bound, and the construction is given by a linear code of codimension 2, see [5,6,18].
red: The first author and Guilley [6] contributed the values by using the Satisfiability Modulo Theory (SMT) tool z3 [15]. The upper bound follows from a well-known construction that is related to shortening of the non-linear binary Kerdock code of length 16, see [11].
[14]. See Proposition 12(B) for an independent construction.
C: C = 1 024, see Proposition 12(C) and [18].

Preliminary results
In this section, we collect some preliminary results and notation on the minimum number of rows of an orthogonal array with $k$ columns, $s$ symbols and strength $t$.
For tuples $u, v \in \{0, \dots, s-1\}^k$, $w_H(u)$ denotes the Hamming weight, and denotes the usual inner product (sometimes also denoted by $u \cdot v$ or by $\langle u, v \rangle$). For a matrix $H$ with complex entries, $H^*$ is the conjugate transpose of $H$. In particular, for complex (row) vectors $u, v \in \mathbb{C}^n$, Fix a primitive $s$-th root of unity $\zeta$. Let $A$ denote an $N \times k$ array with entries from $\{0, \dots, s-1\}$. The $i$-th row of $A$ is denoted by $a_i$. For $1 \le i \le N$ and $v \in \{0, \dots, s-1\}^k$, we write: Clearly, for the zero vector $v = 0$, we have $\alpha_{i,0} = 1$. For any $v, v'$, we have
Lemma 6. The following statements are equivalent:
Proof. The equivalence of (i) and (ii) is precisely [10, Theorem 3.30]. Setting $v' = 0$, we obtain (ii) from (iii). For any $v, v'$, we have
Remark 7. For binary arrays ($s = 2$), Lemma 6(ii) is the Xiao-Massey characterization of $k$-variable $t$-CI Boolean functions, see [19] or [5, Theorem 2.2].

The proof of the main theorem
The proof of [10, Theorem 2.1] is based on the introduction of two matrices $H$ and $Q$. We shall see that the same matrices can be used for proving our result. The rows of $Q$ form an orthonormal basis, thus for all $1 \le r = s \le \rho$, Assume that $N < \rho M$. Then (7) and (8) imply We have using (9) in the last step. The assumption $N < \rho M$ makes the right hand side negative, a contradiction. This proves (i). Part (ii) is a straightforward consequence of (i).
For the rest of the proof, $A$ denotes a non-simple OA$(k^2 + k + 2, k, 2, 4)$ with $k \ge 5$. By reordering the rows of $A$, and adding a fixed row to all rows modulo 2, we may assume that the first two rows of $A$ are all 0s. We use the notation $H_i$, $i = 0, 1, 2$, $H$ and $Q$ from above. Recall that $H$ has $N$ rows and $N/2$ columns. As $\zeta = -1$, the entries of $H$ are $\pm 1$. The key observation is the following: (*) In rows $3, \dots, N$, the number of 1s is either $\ell_1$ or $\ell_2$, where Let us prove this. As the first two rows of $A$ are all-zeros, the first two rows of $Q$ have the form $[u\ u']$ and $[u\ u'']$, where Using the fact that $N = 2M(k, 2, 4)$, we show $u'' = -u'$ in the same way as above.
This is orthogonal to the first two rows, hence, This implies $uv^T = 0$. This means that among the entries of $v$, $\frac{1}{\sqrt{N}}$ and $-\frac{1}{\sqrt{N}}$ occur equally often. In terms of $H$, this means that in this row, 1 occurs $N/4$ times. Let $\ell$ denote the number of 1s in row $i$ of $A$. $H_0$ has one column, which consists of all 1s. In row $i$ of $H_1$, the number of 1s is $k - \ell$. In row $i$ of $H_2$, the number of 1s is Hence, for the number of 1s in row $i$ of $H$, we have Hence, we have $\ell^2 - (k + 1)\ell + (k^2 + k + 2)/4 = 0$, which implies (*). Immediate consequences are that $\kappa = \sqrt{k - 1}$ is an integer, $N = k^2 + k + 2$ can be written as $N = \kappa^4 + 3\kappa^2 + 4$, and $\ell_{1,2} = (\kappa^2 \pm \kappa + 2)/2$.
Let us construct the array $A'$ by selecting all rows of $A$ that start with three zeros. We get where $B$ is a subarray with $N/8 - 2$ rows and $k - 3$ columns. Since $A$ has strength 4, then according to Lemma 6, columns 4 to $k$ of $A'$ have a number of 1s equal to their number of 0s, that equals then $N/16$. Let $a$ denote the number of rows of weight $\ell_1$ in $B$. The total number of 1s in $B$ is (10) We reorder to get: Also, the right hand side can be expanded into a polynomial of $\kappa$. This yields: We obtain that $16 \equiv 0 \pmod{\kappa}$, that is, $\kappa$ divides 16, and since by assumption, we have $k \ge 5$, that is, $\kappa \ge 2$, then we have $\kappa \in \{2, 4, 8, 16\}$. If $\kappa \in \{4, 8, 16\}$, then $-12\kappa + 16 \equiv 0 \pmod{64}$, that is, $3\kappa \equiv 4 \pmod{16}$. This implies $\kappa \equiv 12 \pmod{16}$ (since the inverse of 3 modulo 16 equals 11), a contradiction.

Simple arrays of strength 2 and 4
In the special case of orthogonal arrays of strength 2, we solve Problem 2, and this allows us to give an affirmative answer to Problem 1.
We finish this section with a partial answer to Problem 2 for orthogonal arrays of strength 4.
Proof. For any even integer $m \ge 4$, Kerdock [11] constructed a binary, non-linear code of length $2^m$, cardinality $4^m$, minimum distance $2^{m-1} - 2^{(m-2)/2}$ and dual distance 6. This code can be interpreted as a simple OA$(4^m, 2^m, 2, 5)$, since we know that an unrestricted code has dual distance $d^\perp$ if and only if its indicator is a correlation immune function of order $d^\perp - 1$ (and not of order $d^\perp$), that is, if and only if the array obtained by writing all codewords as rows is a simple OA of strength $d^\perp - 1$. In the usual way, we take the rows that start with a 0, and delete the starting 0 to obtain a simple OA$(2^{2m-1}, 2^m - 1, 2, 4)$. This shows $F(2^m - 1, 2, 4) \le F^*(2^m - 1, 2, 4) \le 2^{2m-1}$ for $m \ge 4$ even.
We can interpret the above result in such a way that the set of integers $k$ confirming the Carlet-Guilley problem has a positive density. For any integer $t$, we define the set $G(t)$ of integers $k$ such that $F^*(k, 2, t) = F(k, 2, t)$. Let $4 \le \mu$ be an even integer. For $4 \le m \le \mu$ even, the set $G(4)_{<2^\mu}$ contains disjoint intervals of length Summing this up, we obtain Hence,
Remark 11. It is not known (but not excluded either) if the Kerdock code is optimal as an unrestricted code of dual distance 6, that is, if $F^*(2^m, 2, 5) = 4^m$ and $F^*(2^m - 1, 2, 4) = 2^{2m-1}$, for $m \ge 4$ even. It is more or less conjectured, but not yet proved explicitly, that the Preparata code of length $2^m$, with $m \ge 4$ even, is optimal as a code with size $2^{2^m - 2m}$ and dual distance $2^{m-1} - 2^{m/2-1}$, that is,

Applications and further constructions
Proposition 12. The missing entries of Table 1 For all these parameters $k, t$, we have $F^*(k, 2, t) = F(k, 2, t)$.
of Table 1. Hence, (14) holds for k = 10, as well. As F (k, s, t) is non-decreasing in k, we obtain (A).
As shown in [14], $B'$ is unique and it can be constructed from an equitable partition of the 13-cube.
(C) For k = 13, t = 6, Delsarte's LP Bound has value 1 024. The generator matrix Notice that this construction is given in a more general context in [18].
Data Availability Statement. Data sharing is not applicable to this article as no datasets were generated or analysed during the current study.