Abstract
It is known that correlation-immune (CI) Boolean functions used in the framework of side channel attacks need to have low Hamming weights. The supports of CI functions are (equivalently) simple orthogonal arrays, when their elements are written as rows of an array. The minimum Hamming weight of a CI function is then the same as the minimum number of rows in a simple orthogonal array. In this paper, we use Rao’s Bound to give a sufficient condition on the number of rows, for a binary orthogonal array (OA) to be simple. We apply this result for determining the minimum number of rows in all simple binary orthogonal arrays of strengths 2 and 3; we show that this minimum is the same in such case as for all OA, and we extend this observation to some OA of strengths 4 and 5. This allows us to reply positively, in the case of strengths 2 and 3, to a question raised by the first author and X. Chen on the monotonicity of the minimum Hamming weight of 2-CI Boolean functions, and to partially reply positively to the same question in the case of strengths 4 and 5.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
1 Introduction
In cryptography, correlation immune (CI) functions are those Boolean functions over \(\mathbb {F}_2^k\) whose output distribution does not change when at most t input bits are fixed, where \(t\le k\) is the correlation immunity order, whatever is the choice of these input bits and whatever are the values to which they are fixed. As shown in [19], they are those k-variable Boolean functions whose Fourier transform \({\widehat{f}}(a)=\sum _{x\in \mathbb {F}_2^k}f(x)(-1)^{a\cdot x}\) (where “\(\cdot \)" is the usual inner product in \(\mathbb {F}_2^k\)) vanishes for all nonzero inputs \(a\in \mathbb {F}_2^k\) of Hamming weight at most t. In other words, the supports of these functions are unrestricted (i.e., linear or nonlinear) binary codes of dual distance at least \(t+1\). The correlation immunity of a function f allows the resistance against the Siegenthaler correlation attack on the stream ciphers using f as a combining function (see [4] for more details). CI functions can also be used for implementing the rotating S-box masking counter-measure against side channel attacks (see [4] as well). We can reduce the cost of this counter-measure by finding, for given k and t, the minimum Hamming weight \(w_{k,t}\) of t-th order CI-functions in k variables, that is the minimal size of their supports, and then by using a CI function of such weight in the implementation. The first author and Guilley [5, 6] published a table containing the values of \(w_{k,t}\) for small k, t. It is difficult to give these values even for small parameters, this is demonstrated by the facts that the table is limited to \(k\le 13\) and even then, there are missing values in the table.
CI-functions are closely related to orthogonal arrays, introduced by C.R. Rao [16] in 1947. Let N, t, k be positive integers, \(t\le k\), and S a finite set of cardinality s. An \(N\times k\) array A with entries from S is said to be an orthogonal array with s symbols, strength t, and index \(\lambda \), if every \(N\times t\) subarray of A contains each t-tuple based on S exactly \(\lambda \) times as a row. We will denote such an array by \( OA (N,k,s,t)\). We have \(\lambda = N/s^t\). An orthogonal array is called simple if the rows are distinct. Supports of t-th order CI-functions give simple binary orthogonal arrays with strength t, if their elements are written as rows, and vice versa.
In the theory of orthogonal arrays, for both simple and general orthogonal arrays, the main question is to give—for given numbers k of columns and s of symbols, and for strength t—the minimum value of N for which an orthogonal array \( OA (N,k,s,t)\) exists with N rows. We will denote this value by \(F^*(k,s,t)\) for simple orthogonal arrays (we have then \(w_{k,t}=F^*(k,2,t)\)) and by F(k, s, t) for general orthogonal arrays. This problem is very hard even for the smallest parameters \(s=t=2\). In fact, a binary orthogonal array of strength 2 with k columns and \(k+1\) rows is equivalent to a Hadamard matrix of order \(k+1\). A Hadamard matrix of order n is an \(n\times n\) matrix whose entries are either \(+1\) or \(-1\), and whose rows are mutually orthogonal. The famous Hadamard conjecture proposes that a Hadamard matrix of order n exists if and only if n is divisible by 4. Equivalently in our notation: \(F(k,2,2)=k+1\) if and only if k is congruent to 3 modulo 4.
For some lower bounds on the number N of rows, it is known that if an \( OA (N,k,s,t)\) attains this special bound, then it is simple. For example, this is true for the Friedman-Bierbrauer bound [1]
Indeed, it is seen from the proof that any multiplicity greater than 1 makes the inequality strict. For binary orthogonal arrays of strength \(t\ge (2k-2)/3\), the bound \(N\ge 2^{k-1}\) implies simplicity in the case of equality, see [13].
In [6], the first author and Guilley asked the the following question:
problem 1
(Carlet-Guilley) Is \(F^*(k,2,t)\) a monotone non-decreasing function when k grows and t remains fixed?
The same question for F(k, s, t) is trivial, since an \( OA (N,k,s,t)\) gives rise to an \( OA (N,k-1,s,t)\) by deleting one of the columns. Moreover, if \(F(k,s,t)=F^*(k,s,t)\), then
Hence, the solution of the following problem would imply an answer to the problem posed by the first author and Guilley:
problem 2
Find all parameters k, s, t such that \(F(k,s,t)=F^*(k,s,t)\).
In this paper, we give a partial answer to Problem 2. Our main theoretical result is the following:
Theorem 1
Let A be an \( OA (N,k,s,2u)\). Define the integer
-
(i)
If A has a row of multiplicity \(\rho \), then \(N\ge \rho \, M(k,s,2u)\).
-
(ii)
If \(N<2\,M(k,s,2u)\), then A is simple. If \(N<3\,M(k,s,2u)\), then each row of A has multiplicity at most 2.
-
(iii)
If \(k\ge 5\), \(s=2\), \(u=2\) and
$$\begin{aligned}N=2\,M(k,2,4)=k^2+k+2, \end{aligned}$$then either A is simple, or \(k=5\) and A is obtained by the juxtaposition of two identical arrays \( OA (16,5,2,4)\).
Part (ii) of Theorem 1 implies a sufficient condition for the parameters k, s, t to fulfill Problem 2:
Corollary 2
If t is even and
then
Notice that the integer M(k, s, t) is the lower bound for the number of rows in an orthogonal array with k columns, s symbols and strength t, given in Rao’s famous theorem [11, Theorem 2.1]:
For part (iii) of Theorem 1, we observe that \(M(5,2,4)=16\), and up to equivalence, there is a unique \( OA (16,5,2,4)\). If we assume that such an array has an all-0 row, then all its rows have an even number of 1s.
We conclude this section with Table 1, which shows the values of \(F^*(k,2,t)\) for \(1\le k,t \le 13\); it is a reproduction of the tables in [5, 6, 18]. Using old and new computational results, and Theorem 1, we were able to fill in new entries in Table 1, denoted by capital letters. For previously known entries we colored the cells; the meaning of the colors are explained below.
- gray:
-
The light gray fields are trivial. The dark gray fields are consequences of the Fon-Der-Flaass Theorem [8].
- yellow:
-
The yellow fields are related to the constructions of Hadamard matrices, to the famous Hadamard Conjecture, and to a recent conjecture by the first author and Chen, see Sect. 4 for details.
- green:
-
The values equal to Delsarte’s LP Bound, and the construction is given by a linear code of codimension 2, see [5, 6, 18].
- red:
-
The first author and Guilley [6] contributed the values by using the Satisfiability Modulo Theory (SMT) tool z3 [7]. The upper bound follows from a well-known construction that is related to shortening of the non-linear binary Kerdock code of length 16, see [12].
- A, A’:
-
\(A=128\) and \(A'=256\), see Proposition 12(A).
- B, B’:
-
\(B=768\) and \(B'=1\,536\). The values equal to Delsarte’s LP Bound. The existence and uniqueness of an \( OA (1536,13,2,7)\) has been shown recently by Krotov [15]. See Proposition 12(B) for an independent construction.
- C:
2 Preliminary results
In this section, we collected some preliminary results and notation on the minimum number of rows of an orthogonal array with k rows, s symbols and strength t. Recall the definition
Lemma 3
Proof
2 and 3 are trivial. [11, Theorem 2.24] and [11, Corollary 2.25] imply 4. 5 holds by [5, Proposition 2.6].\(\square \)
Remark 4
Equation (5) implies that it suffices to deal with orthogonal arrays of even strength \(t=2u\) when studying the Carlet–Guilley problem and Problem 2. This also shows that in the case of binary orthohonal arrays (\(s=2\)), one can use Theorem 1 to investigate the simplicity of arrays of odd strength.
Remark 5
For all integer m, duals of certain double-error-correcting BCH codes provide arrays \( OA (2^{2m+1},2^m+1,2,5)\), and \( OA (2^{2m},2^m,2,4)\) by 5. (See [11, p. 103].) If k is an integer with \(2^{m-1}<k\le 2^m\), then
By Rao’s Bound, \(F(k,2,4)\ge (k^2+k+2)/2\). This shows that asymptotically, F(k, 2, 4) and F(k, 2, 5) are quadratic functions of k.
For tuples \(u,v \in \{0,\ldots ,s-1\}^k\), \(w_H(u)\) denotes the Hamming weight, and
denotes the usual inner product (sometimes also denoted by \(u\cdot v\) or by \(\langle u,v\rangle \)). For a matrix H with complex entries, \(H^*\) is the conjugate transpose of H. In particular, for complex (row) vectors \(u,v \in \mathbb {C}^n\),
The 2-norm of \(u\in \mathbb {C}^n\) is
Fix a primitive s-th root of unity \(\zeta \). Let A denote an \(N\times k\) array with entries from \(\{0,\ldots ,s-1\}\). The i-th row of A is denoted by \(a_i\). For \(1\le i \le N\) and \(v\in \{0,\ldots ,s-1\}^k\), we write:
Clearly, for the zero vector \(v=0\), we have \(\alpha _{i,0}=1\). For any \(v,v'\), we have
and
Lemma 6
The following statements are equivalent:
-
(i)
The array A is an \( OA (N,k,s,t)\).
-
(ii)
\(\sum _{i=1}^N \alpha _{i,v}=0\) for any \(v\in \{0,\ldots ,s-1\}^k\) with \(1\le w_H(v)\le t\).
-
(iii)
\(\sum _{i=1}^N \alpha _{i,v}{\bar{\alpha }}_{i,v'}=0\) for any \(v,v'\in \{0,\ldots ,s-1\}^k\) with \(w_H(v)+w_H(v')\le t\).
Proof
The equivalence of (i) and (ii) is precisely [11, Theorem 3.30]. Setting \(v'=0\), we obtain (ii) from (iii). For any \(v,v'\), we have \(\alpha _{i,v}{\bar{\alpha }}_{i,v'}=\alpha _{i,v-v'}\). As \(w_H(v-v')\le w_H(v)+w_H(v')\le t\), (ii) implies (iii).\(\square \)
Remark 7
For binary arrays (\(s=2\)), Lemma 6(ii) is the Xiao-Massey characterization of k-variable t-CI Boolean functions, see [19] or [5, Theorem 2.2].
3 The proof of the main theorem
The proof of [11, Theorem 2.1] is based on the introduction of two matrices H and Q. We shall see that the same matrices can be used for proving our result.
Proof of Theorem 1
Without loss of generality, we assume that the entries of A are from \(\{0,\ldots ,s-1\}\). For any \(0\le j \le u\), we define the \(N\times \left( {\begin{array}{c}k\\ j\end{array}}\right) (s-1)^j\) matrix \(H_j\) in the following way. The columns of \(H_j\) are indexed with the tuples \(v\in \{0,\ldots ,s-1\}^k\) of Hamming weight j. For \(1\le i \le N\) and tuple v with \(w_H(v)=j\), the entry (i, v) of \(H_j\) is \(\alpha _{i,v}\).
The matrix:
has N rows and
columns. Any two columns of H are orthogonal complex vectors by Lemma 6(iii). Moreover, if column h of H is indexed by the tuple v, then
This means that \(H^* H = N I\), and the columns of \(\frac{1}{\sqrt{N}} H\) form an orthonormal set of vectors in \(\mathbb {C}^N\). This set can be extended into an orthonormal basis of \(\mathbb {C}^N\). In other words, one can add columns to \(\frac{1}{\sqrt{N}} H\) such that one obtains an \(N\times N\) unitary matrix Q. Each row of Q has the form \([u \, u']\), where u is a vector of length M, with entries \(\frac{\zeta ^{a_iv^T}}{\sqrt{N}}\). In particular,
Let us assume that the rows \(i_1,\ldots ,i_\rho \) of A are equal. Then, the rows \(i_1,\ldots ,i_\rho \) of H are equal, and, the rows \(i_1,\ldots ,i_\rho \) of Q have the form
The rows of Q form an orthonormal basis, thus for all \(1\le r\ne s\le \rho \),
Assume that \(N<\rho M\). Then 7 and 8 imply
We have
using 9 in the last step. The assumption \(N<\rho M\) makes the right hand side negative, a contradiction. This proves (i). Part (ii) is a straightforward consequence of (i).
For the rest of the proof, A denotes a non-simple \( OA (k^2+k+2,k,2,4)\) with \(k\ge 5\). By reordering the rows of A, and adding a fixed row to all rows modulo 2, we may assume that the first two rows of A are all 0s. We use the notation \(H_i\), \(i=0,1,2\), H and Q from above. Recall that H has N rows and N/2 columns. As \(\zeta =-1\), the entries of H are \(\pm 1\). The key observation is the following:
-
(*)
In rows \(3,\ldots ,N\), the number of 1s is either \(\ell _1\) or \(\ell _2\), where
$$\begin{aligned} \ell _{1,2}=\frac{k+1\pm \sqrt{k-1}}{2}. \end{aligned}$$
Let us prove this. As the first two rows of A are all-zeros, the first two rows of Q have the form \([u \, u']\) and \([u \, u'']\), where
Using the fact that \(N=2 M(k,2,4)\), we show \(u''=-u'\) in the same way as above. Let \([v\,v']\) be row i of Q with \(i\ge 3\). This is orthogonal to the first two rows, hence,
This implies \(uv^T=0\). This means that among the entries of v, \(\frac{1}{\sqrt{N}}\) and \(-\frac{1}{\sqrt{N}}\) occur equally often. In terms of H, this means that in this row, 1 occurs N/4 times.
Let \(\ell \) denote the number of 1s in row i of A. \(H_0\) has one column, which consists of all 1s. In row i of \(H_1\), the number of 1s is \(k-\ell \). In row i of \(H_2\), the number of 1s is
Hence, for the number of 1s in row i of H, we have
Hence, we have \(\ell ^2-(k+1)\ell +(k^2+k+2)/4=0\), which implies (*).
Immediate consequences are that \(\kappa =\sqrt{k-1}\) is an integer, \(N=k^2+k+2\) can be written as \(N=\kappa ^4+3\kappa ^2+4\), and \(\ell _{1,2}=(\kappa ^2\pm \kappa +2)/2\).
Let us construct the array \(A'\) by selecting all rows of A that start with three zeros. We get
where B is a subarray with \(N/8-2\) rows and \(k-3\) columns. Since A has strength 4, then according to Lemma 6, columns 4 to k of \(A'\) have a number of 1s equal to their number of 0s, that equals then N/16. Let a denote the number of rows of weight \(\ell _1\) in B. The total number of 1s in B is
We reorder to get:
Now, \(\ell _1-\ell _2=\kappa =\sqrt{k-1}\). Also, the right hand side can be expanded into a polynomial of \(\kappa \). This yields:
We obtain that \(16\equiv 0\pmod {\kappa }\), that is \(\kappa \) divides 16, and since by assumption, we have \(k\ge 5\), that is, \(\kappa \ge 2\), then we have \(\kappa \in \{2,4,8,16\}\). If \(\kappa \in \{4,8,16\}\), then \(-12\kappa +16\equiv 0\pmod {64}\), that is, \(3\kappa \equiv 4\pmod {16}\). This implies \(\kappa \equiv 12 \pmod {16}\) (since the inverse of 3 modulo 16 equals 11), a contradiction.
Let us then consider the case \(\kappa =2\). Then \(k=5\), \(N=32\), \(\ell _1=4\) and \(\ell _2=2\). Since A has 30 non-zero rows, and \(\left( {\begin{array}{c}5\\ 2\end{array}}\right) +\left( {\begin{array}{c}5\\ 4\end{array}}\right) =15\), each nonzero row has multiplicity 2. In other words, A is twice an \( OA (16,5,2,4)\). This finishes the proof of (iii).\(\square \)
4 Simple arrays of strength 2 and 4
In the special case of orthogonal arrays of strength 2, we solve Problem 2, and this allows us to give an affirmative answer to Problem 1.
Proposition 8
For \(k\ge 2\), we have \(F^*(k,2,2)=F(k,2,2)\). In particular, the sequence \(F^*(k,2,2)\) is non-decreasing.
Proof
For any positive integer h, a classical Hadamard matrix \(H_{2^h}\) is the matrix of the Hadamard Fourier transform, equal to the Kronecker product \(H_2\otimes \cdots \otimes H_2\) of the matrix:
with itself. This implies
Given a positive integer k, let h be the positive integer such that \(2^{h-1}\le k \le 2^h-1\), then 3 and 12 imply:
As \(M(k,2,2)=k+1\), we can apply Corollary 2 to obtain \(F(k,2,2)=F^*(k,2,2)\).\(\square \)
The solution of Problem 2 has an implication to a recent conjecture by the first author and Chen. In [5, Conjecture 2.8], the authors asked if
Wang proved in [18, Theorem 3.7] that CC and the Hadamard conjecture are equivalent. However, Wang’s proof is incomplete, since no explanation is given for \(w_{4\lambda +\varepsilon ,3}\le w_{4\lambda +4,3}\), where \(1\le \varepsilon \le 3\) (and \(w_{n,t}=F^*(n,2,t)\)). In fact, this follows from Proposition 8. In order to be self-contained, we present a complete proof of the two conjectures.
Proposition 9
The Hadamard conjecture is equivalent with Conjecture CC.
Proof
Recall that [11, Theorem 7.5] states that orthogonal arrays \( OA (4\lambda , 4\lambda -1, 2, 2)\) and/or \( OA (8\lambda , 4\lambda , 2, 3)\) exist (and then \(F(4\lambda -1,2,2) \le 4\lambda \)) if and only if there exists a Hadamard matrix of order \(4\lambda \). According to Rao’s Bound, we have \(F(4\lambda -1,2,2) \ge 4\lambda \). The Hadamard conjecture is then equivalent with:
for all positive integer \(\lambda \). By 5 and Proposition 8, CC is equivalent with
If \(k=4\lambda \), then Ha and CC’ are clearly equivalent. It remains to show that Ha implies CC’ for any integer \(k=4\lambda +\varepsilon \) with \(1\le \varepsilon \le 3\). Rao’s Bound gives
which implies
since 4 divides \(F(k-1,2,2)\), and F(k, s, t) is non-decreasing in k. By Ha and 13,
and the Carlet–Chen conjecture follows.\(\square \)
We finish this section by a partial answer to Problem 2 for orthogonal arrays of strength 4.
Proposition 10
Let k, m be integers, \(m\ge 4\) even, with
Then \(F^*(k,2,4)=F(k,2,4)\).
Proof
For any even integer \(m\ge 4\), Kerdock [12] constructed a binary, non-linear code of length \(2^{m}\), cardinality \(4^m\), minimum distance \(2^{m-1}-2^{(m-2)/2}\) and dual distance 6. This code can be interpreted as a simple \( OA (4^m,2^m,2,5)\), since we know that an unrestricted code has dual distance \(d^\perp \) if and only if its indicator is a correlation immune function of order \(d^\perp -1\) (and not of order \(d^\perp \)), that is, if and only if the array obtained by writing all codewords as rows is a simple OA of strength \(d^\perp -1\). In the usual way, we take the rows that start with a 0, and delete the starting 0 to obtain a simple \( OA (2^{2m-1},2^m-1,2,4)\). This shows
Assume \(2^{m-1/2} \le k \le 2^m-1\). Then
Corollary 2 implies \(F^*(k,2,4)=F(k,2,4)\).\(\square \)
We can interpret the above result in such a way that the set of integers k confirming the Carlet-Guilley problem has a positive density. For any integer t, we define the set \({\mathcal {G}}(t)\) of integers k such that \(F^*(k,2,t)=F(k,2,t)\). Let \(4\le \mu \) be an even integer. For \(4\le m \le \mu \) even, the set \({\mathcal {G}}(4)_{< 2^\mu }\) contains disjoint intervals of length
Summing this up, we obtain
Hence,
Remark 11
It is not known (but not excluded either) if the Kerdock code is optimal as an unrestricted code of dual distance 6, that is, if \(F^*(2^m,2,5)=4^m\) and \(F^*(2^m-1,2,4)=2^{2m-1}\), for \(m\ge 4\) even. It is more or less conjectured, but not yet proved explicitly, that the Preparata code of length \(2^m\), with \(m\ge 4\) even, is optimal as a code with size \(2^{2^m-2m}\) and dual distance \(2^{m-1}-2^{m/2-1}\), that is, \(F^*(2^m,2,2^{m-1}-2^{m/2-1}-1)= 2^{2^m-2m}\).
5 Applications and further constructions
Proposition 12
The missing entries of Table 1 are the following:
For all these parameters k, t, we have \(F^*(k,2,t)=F(k,2,t)\).
Proof
(A) For \(u=4\) and \(k\le 15\), shortening the Kerdock code gives
If \(11\le k \le 15\), then Corollary 2 implies
Assume \(F(10,2,4)<128\) and let A denote an \( OA (n,10,2,4)\) with \(n<128\). Then \(n\le 112\) and A is simple by Theorem 1. Hence, \(F^*(10,2,4)\le 112\), which contradicts to the entry
of Table 1. Hence, 14 holds for \(k=10\), as well. As F(k, s, t) is non-decreasing in k, we obtain (A).
(B) For \(k=12, t=6\), Delsarte’s LP Bound has value 768. We modified the ILP method of Bulutoglu and Margot [3] to construct an array \(B= OA (768,12,2,6)\) that has an automorphism
of order 5. This gives rise to an array \(B'= OA (1\,536,13,2,7)\) with weight polynomial
As shown in [15], \(B'\) is unique and it can be constructed from an equitable partition of the 13-cube.
(C) For \(k=13, t=6\), Delsarte’s LP Bound has value \(1\,024\). The generator matrix
defines a binary linear [13, 3, 7]-code C. The dual of C is a linear \( OA (1\,024,13,2,6)\). Notice that this construction is given in a more general context in [18].\(\square \)
Remark 13
-
(1)
\(F(10,2,4)\ge 128\) can be deduced from [3, Table 1], from [17, Table III], from [18, Appendix A], or from [2, Theorems 18 and 20].
-
(2)
The values in (A) are given in [14], with a more computer-based proof.
-
(3)
The true value of F(11, 2, 4) has been asked in the Fifth International Students’ Olympiad in Cryptography NSUCRYPTO’2018 [10, Problem “Orthogonal arrays”].
-
(4)
The true value of \(F^*(12,2,6)\) has been asked in the Fourth International Students’ Olympiad in Cryptography NSUCRYPTO’2017 [9, Problem “Masking”].
-
(5)
It is quite surprising that 15 has no computer-free proof.
Data availibility
Data sharing not applicable to this article as no datasets were generated or analysed during the current study
References
Bierbrauer J.: Bounds on orthogonal arrays and resilient functions. J. Combin. Des. 3(3), 179–183 (1995). https://doi.org/10.1002/jcd.3180030304.
Boyvalenkov P., Marinova T., Stoyanova M.: Nonexistence of a few binary orthogonal arrays. Discret. Appl. Math. 217(part 2), 144–150 (2017). https://doi.org/10.1016/j.dam.2016.07.023.
Bulutoglu D.A., Margot F.: Classi cation of orthogonal arrays by integer programming. J. Stat. Plann. Inference 138(3), 654–666 (2008). https://doi.org/10.1016/j.jspi.2006.12.003.
Carlet C.: Boolean Functions for Cryptography and Coding Theory. Cambridge University Press, Cambridge (2021).
Carlet C., Chen X.: Constructing low-weight dth-order correlation-immune Boolean functions through the Fourier-Hadamard transform. IEEE Trans. Inform. Theory 64(4), 2969–2978 (2018). https://doi.org/10.1109/TIT.2017.2785775.
Carlet’ C., Guilley S.: Correlation-immune Boolean functions for easing counter measures to side-channel attacks. In: Algebraic Curves and Finite Fields, vol. 16, pp. 41–70 (2014).
de Moura L., Bjørner N.: Z3: An efficient SMT solver. In: Ramakrishnan C.R., Rehof J. (eds.) Tools and Algorithms for the Construction and Analysis of Systems, pp. 337–340. Springer, Berlin Heidelberg (2008).
Fon-Der-Flaass D.G.: A bound on correlation immunity. Sib. Elektron. Mat. Izv. 4, 133–135 (2007).
Gorodilova A., et al.: Problems and solutions from the fourth International Students’ Olympiad in Cryptography (NSUCRYPTO). Cryptologia 43(2), 138–174 (2019). https://doi.org/10.1080/01611194.2018.1517834.
Gorodilova A., et al.: The Fifth International Students Olympiad in cryptography NSUCRYPTO: Problems and their solutions. Cryptologia 44(3), 223–256 (2020). https://doi.org/10.1080/01611194.2019.1670282.
Hedayat A.S., Sloane N.J.A., Stufken J.: Orthogonal Arrays. Springer Series in Statistics. Theory and Applications With a Foreword by C. R. Rao, p. 24. Springer-Verlag, New York (1999).
Kerdock A.: A class of low-rate nonlinear binary codes. Inf. Control 20(2), 182–187 (1972). https://doi.org/10.1016/S0019-9958(72)90376-2.
Khalyavin A.V.: Estimates of the capacity of orthogonal arrays of large strength. Mosc. Univ. Math. Bull. 65(3), 110–131 (2010). https://doi.org/10.3103/S0027132210030101.
Kiss R., Nagy G.P.: On the nonexistence of certain orthogonal arrays of strength four. Prikl. Diskretn. Mat 52, 65–68 (2021). https://doi.org/10.17223/20710410/51/3.
Krotov D.S.: On the OA(1536; 13; 2; 7) and related orthogonal arrays. Discret. Math. 343, 111659 (2020). https://doi.org/10.1016/j.disc.2019.111659.
Rao C.R.: Factorial experiments derivable from combinatorial arrangements of arrays. Suppl. J. R. Stat. Soc. 9(1), 128–139 (1947).
Schoen E.D., Eendebak P.T., Nguyen M.V.M.: Complete enumeration of pure-level and mixed-level orthogonal arrays. J. Combin. Des. 18(2), 123–140 (2010). https://doi.org/10.1002/jcd.20236.
Wang Q.: Hadamard matrices, d-linearly independent sets and correlation-immune Boolean functions with minimum Hamming weights. Des. Codes Cryptogr. 87(10), 2321–2333 (2019). https://doi.org/10.1007/s10623-019-00620-1.
Xiao G.-Z., Massey J.: A spectral characterization of correlation-immune combining functions. IEEE Trans. Inf. Theory 34(3), 569–571 (1988). https://doi.org/10.1109/18.6037.
Acknowledgements
We thank Denis Krotov, Patrick Solé and Victor Zinoviev for useful information on the optimality of the Kerdock and Preparata codes. We are grateful to the anonymous referees for their insightful comments and advices which led to substantial improvements.
Funding
Open access funding provided by Budapest University of Technology and Economics.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by L. Teirlinck.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
The research of C. Carlet is partly supported by the Trond Mohn Foundation and Norwegian Research Council. For R. Kiss and G.P. Nagy, support has been provided from the National Research, Development and Innovation Fund of Hungary, financed under the 2018-1.2.1-NKP funding scheme, within the SETIT Project 2018-1.2.1-NKP-2018-00004. The research of G.P. Nagy is partly supported by NKFIH-OTKA Grant SNN 132625.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Carlet, C., Kiss, R. & Nagy, G.P. Simplicity conditions for binary orthogonal arrays. Des. Codes Cryptogr. 91, 151–163 (2023). https://doi.org/10.1007/s10623-022-01105-4
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10623-022-01105-4