On quadratic binomial vectorial functions with maximal bent components

Published 9 Apr 2026 in cs.IT | (2604.08311v1)

Abstract: Assume $n=2m\geq 2$ and let $F(x)=x^{{d_1}+x^{d_2}$} be a binomial vectorial function over $\F_{2^n}$ possessing the maximal number (i.e. $2^{n-2^m$)} of bent components. Suppose the $2$-adic Hamming weights $\wt_2(d_1)$ and $\wt_2(d_2)$ are both at most $2$, we prove that $F(x)$ is affine equivalent to either $x^{{2^m+1}$} or $x^{{2^{i}(x+x^{{2^m})$,}}} provided that [ \ell(n):=\min_{γ:~\F_2(γ)=\F_{2^n}} \dim_{\F_2}\F_2[σ]γ>m, ] where $σ$ is the Frobenius $(x\mapsto x^2)$ on $\F_{2^n}$, and $\gcd(d_1,d_2,2^m-1)>1$. Under this condition, we also establish two bounds on the nonlinearity and the differential uniformity of $F$ by means of the cardinality of its image set.

Abstract PDF Upgrade to Chat

Authors (3)

Summary

The paper shows that quadratic binomial vectorial functions achieving maximal bent components are affine-equivalent to either the Gold function or a specific canonical form.
It employs advanced combinatorial and field-theoretic techniques, including Stickelberger's theorem and Walsh spectrum analysis, to achieve these classifications.
The work provides explicit bounds on nonlinearity and differential uniformity, offering practical insights for cryptographic S-box design and analysis.

Quadratic Binomial Vectorial Functions with Maximal Bent Components

Introduction and Problem Context

The paper "On quadratic binomial vectorial functions with maximal bent components" (2604.08311) delivers a rigorous algebraic investigation into binomial vectorial functions over finite fields, specifically those achieving the maximal number of bent components. Let $n=2m$ and $F(x)=x^{d_1}+x^{d_2}$ be a quadratic binomial vectorial function on $\mathbb{F}_{2^n}$ . The main focus is the structural characterization, with cryptographic consequences, of such $F$ under the constraint that the number of its bent components equals $2^n-2^m$ —the known maximum as shown by Pott et al. This work tightly links combinatorial, field-theoretic, and number-theoretic methods to obtain strong structural, nonlinearity, and uniformity results for the studied class.

Background: Bent Components in Vectorial Functions

Given $F:\mathbb{F}_{2^n}\to\mathbb{F}_{2^n}$ , the component functions $F_a(x) = \mathrm{Tr}_{2^n/2}(a F(x))$ play a central role in cryptography, where bentness indicates maximum distance from the set of all affine functions, i.e., optimal resistance against linear attacks. The paper leverages the pivotal result that the set $S_F$ of non-bent directions, i.e., $a$ with $F_a$ not bent, is an $F(x)=x^{d_1}+x^{d_2}$ 0-subspace of dimension $F(x)=x^{d_1}+x^{d_2}$ 1, ensuring that the upper bound $F(x)=x^{d_1}+x^{d_2}$ 2 is maximal for the number of bent components. Furthermore, the paper contextualizes its contributions in the line of classification efforts, referencing the complete classification of maximally bent monomials and significant work on binomials.

Main Structural Results

Structural Reductions for Binomial Functions

Assuming the binary Hamming weights $F(x)=x^{d_1}+x^{d_2}$ 3, the paper proves that such $F(x)=x^{d_1}+x^{d_2}$ 4 must be affine-equivalent either to the Gold function $F(x)=x^{d_1}+x^{d_2}$ 5 or to the function $F(x)=x^{d_1}+x^{d_2}$ 6. This equivalence is contingent on a technical field-theoretic condition involving the minimal linear complexity $F(x)=x^{d_1}+x^{d_2}$ 7 of the Frobenius orbit.

This result is achieved via:

Detailed analysis of Walsh spectra of component functions, with critical use of Stickelberger's theorem on 2-adic Gauss sums.
Tight combinatorial reasoning around the Hamming weights of binomial exponents.
Precise use of field automorphisms and trace properties to reduce to standard representatives.
Field-theoretic invariance arguments to show that the affine equivalence class is determined by the exponent structure (via modular relations and coprimality).

Characterization of Non-Bent Direction Set

By exploiting a generalized linear complexity measure $F(x)=x^{d_1}+x^{d_2}$ 8 and assuming $F(x)=x^{d_1}+x^{d_2}$ 9, it follows that $\mathbb{F}_{2^n}$ 0. This reduction explicitly connects the combinatorial structure of the underlying field’s Frobenius automorphism with bentness properties, allowing for a clean algebraic description of $\mathbb{F}_{2^n}$ 1 under additional technical assumptions.

Figure 1: Division Relations of the gcd parameters $\mathbb{F}_{2^n}$ 2 affecting the structure of $\mathbb{F}_{2^n}$ 3 and its bentness.

Nonlinearity and Differential Uniformity Bounds

The paper supplies theoretical bounds on nonlinearity $\mathbb{F}_{2^n}$ 4 and differential uniformity $\mathbb{F}_{2^n}$ 5 of $\mathbb{F}_{2^n}$ 6 in terms of the cardinality of its image set and algebraic structure:

Nonlinearity bound: $\mathbb{F}_{2^n}$ 7 for general functions, with a potentially sharper bound involving images when $\mathbb{F}_{2^n}$ 8 arises from specific binomial forms.
Differential uniformity lower bound: $\mathbb{F}_{2^n}$ 9, where $F$ 0 is the set of distinct differences of points in the same fiber of $F$ 1.

These bounds are derived using advanced techniques combining combinatorial analysis (Cauchy-Schwarz on preimage sizes), trace map properties, and explicit cardinality enumerations. For the binomials achieving bentness maxima, the image set size can be directly linked to parameters such as $F$ 2 and $F$ 3 (a coset count), offering explicit expressions for cryptographic assessments.

Explicit Image Size Computation

For family members of the form $F$ 4 or $F$ 5, the image size $F$ 6 is shown to be:

$F$ 7 (when $F$ 8)
$F$ 9 (otherwise)

These formulas enable practical instantiations of the theoretical results for S-box design and APN function analysis.

Implications and Prospects

Cryptographic Function Design

The results have direct impact on the design and evaluation of S-boxes and cryptographically significant vectorial Boolean functions. By pinning down all maximally bent quadratic binomials to well-characterized affine-equivalence classes, the security margin against linear and differential cryptanalysis for associated block ciphers can be sharply quantified. Concrete bounds on nonlinearity and differential uniformity further guide the optimality of such S-box instantiations.

Theoretical Significance

From an algebraic combinatorics perspective, the reduction of structure to affine-equivalent forms shows the rarity and special status of maximally bent binomials, especially given constraints on exponent Hamming weights. The use of Stickelberger’s theorem sets a template for further spectral analyses of vectorial functions in finite fields and points toward productive cross-fertilization between additive combinatorics, algebraic number theory, and applied cryptography.

Open Directions

Extension to higher-order multinomials or more involved exponent configurations, including analysis under relaxed or alternative field conditions ( $2^n-2^m$ 0).
Empirical and theoretical refinement of bounds in the case of non-plateaued/non-quadratic cases.
Further study of the connection between the minimal linear complexity of Frobenius orbits and bentness properties.

Conclusion

This paper rigorously resolves the classification of quadratic binomial vectorial functions over $2^n-2^m$ 1 with the maximal number of bent components, under explicit algebraic and field-theoretic constraints, and provides exact cryptographic parameter bounds. It establishes that such functions are necessarily affine-equivalent to certain canonical forms, supporting both theoretical insight and practical function selection in cryptography. The presented analysis and structural reductions also sharpen known quantitative bounds on nonlinearity and differential uniformity, solidifying the status of these functions in the design of cryptographically robust primitives.