
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 1, JANUARY 1999 303


Best Linear Approximation and Correlation Immunity of Functions Over $Z_m$

Jinjun Zhou, Weihong Chen, and Fengxiu Gao

Abstract—A fast algorithm for the computation of the $\zeta$-representation of the $n$-dimensional discrete Fourier transform (DFT) is given, where $\zeta$ is an $m$th primitive root of unity. Applying this algorithm to the standard $\zeta$-representation of the DFT of $\zeta^{f(x)}$, the best linear approximation of a function $f(x)$ can be easily obtained when the codomain of $f(x)$ is $Z_m$. A spectral characterization of correlation-immune functions over $Z_m$ is also presented in terms of the DFT of $\xi^{f(x)}$.

Index Terms—Best linear approximation, correlation-immunity, discrete Fourier transform, fast algorithms, multivalued logical functions, $\zeta$-representation.

I. INTRODUCTION

Let $Z$ be the ring of integers and $Z_m$ be the residue ring of $Z$ modulo $m$, where $m$ is a positive integer. With the development of computer technology, multivalued logical functions are more and more useful in cryptography, communication, signal processing, and other areas. The discrete Fourier transform (DFT) is an important tool in studying multivalued logical functions. There are many papers [1]–[6] devoted to this topic.

Manuscript received July 26, 1996; revised April 8, 1998. This work was supported by the State Key Laboratory of Information Security, Graduate School of Academia Sinica.

The authors are with the Department of Applied Mathematics, Zhengzhou Information Engineering Institute, P.O. Box 1001-46, Zhengzhou 450002, China (e-mail: [email protected]).

Communicated by T. Kløve, Associate Editor for Coding Theory. Publisher Item Identifier S 0018-9448(99)00060-7.

The components of the DFT of a function $f : Z_m^n \to Z_m$, or of $\zeta^{f(x)}$, where $\zeta$ is an $m$th primitive root of unity, are complex numbers. If we represent them as $a + b\sqrt{-1}$, then on the one hand it is rather difficult to calculate and obtain the exact values by computer; on the other hand, some important properties of functions cannot be seen. To avoid this, we introduce the $\zeta$-representation and present an algorithm for computing the DFT in terms of the $\zeta$-representation. The most important benefit of using the $\zeta$-representation is that the complex operations for computing the DFT are replaced by additions and circular shifts of integer vectors, which can be easily realized, and the values represented by the $\zeta$-representation are exact; besides, the best linear approximation can be easily seen. In this algorithm, $O(N \log_m N)$ additions are needed but no multiplications. When $m = 2$, this algorithm is just the fast algorithm for the Walsh–Hadamard transform.

The best linear approximation of functions over $Z_m$ is an important problem in both theory and application. This is an open problem proposed by Ding and Xiao in [3]. They think it is a hard problem. In Section III, we present a discriminant and a fast algorithm for the best linear approximation of a function $f(x)$ over $Z_m$ in terms of the standard $\zeta$-representation of the DFT of $\zeta^{f(x)}$.

Correlation-immune functions over finite fields $\mathrm{GF}(q)$ are studied in [5], [6], [8], and [9]. In Section IV, a spectral characterization of correlation-immune functions over $Z_m$ is studied by using the DFT of $\xi^{f(x)}$, which is simpler than those in [5], [6], [8], and [9], where $\xi$ is the residue class $x + (x^m - 1)$ in the ring $C[x]/(x^m - 1)$.

II. AN ALGORITHM FOR DFT

Let $Z_m^n$ be the $n$-fold Cartesian product of $Z_m$; the residue class $x + (m) \in Z_m$ is briefly denoted as $x$, $0 \le x \le m - 1$. Let
$$x = (x_0, x_1, \cdots, x_{n-1}) \in Z_m^n$$
correspond to the integer
$$x = \sum_{i=0}^{n-1} x_i m^{n-1-i} \in [0, m^n - 1]$$
where $0 \le x_i \le m - 1$ for all $i$. Let $C$ be the complex field, $C^* = C \setminus \{0\}$, and $\zeta = \exp(2\pi\sqrt{-1}/m)$ be an $m$th primitive root of unity.

The following homomorphisms are characters of the additive group $(Z_m^n, +)$ (see [7]):
$$\chi_\omega : Z_m^n \longrightarrow C^*, \qquad x \mapsto \zeta^{\omega \cdot x}$$
where
$$x = (x_0, x_1, \cdots, x_{n-1}), \qquad \omega = (\omega_0, \omega_1, \cdots, \omega_{n-1}) \in Z_m^n,$$
$$\omega \cdot x = \omega_0 x_0 + \omega_1 x_1 + \cdots + \omega_{n-1} x_{n-1}.$$

Let $f : Z_m^n \to C$ (or $Z_m$) be a function; then the discrete Fourier transform (DFT) of $f(x)$ is
$$S_f(\omega) = \sum_{x \in Z_m^n} f(x)\,\chi_\omega(x) = \sum_{x \in Z_m^n} f(x)\,\zeta^{\omega \cdot x}, \qquad \omega \in Z_m^n. \tag{1}$$
(Note: The elements of $Z_m$ are identified with the integers $0, 1, \cdots, m-1$ in (1) when $f(x) \in Z_m$.)

0018–9448/99$10.00 1999 IEEE


Let
$$M_1^{(m)} = \begin{pmatrix}
1 & 1 & 1 & \cdots & 1 \\
1 & \zeta & \zeta^2 & \cdots & \zeta^{m-1} \\
1 & \zeta^2 & \zeta^4 & \cdots & \zeta^{2(m-1)} \\
\vdots & \vdots & \vdots & & \vdots \\
1 & \zeta^{m-1} & \zeta^{2(m-1)} & \cdots & \zeta^{(m-1)(m-1)}
\end{pmatrix}$$
and $M_n^{(m)} = M_{n-1}^{(m)} \otimes M_1^{(m)}$, briefly $M_n$, $n = 2, 3, \cdots$; then
$$\begin{pmatrix} S_f(0) \\ S_f(1) \\ \vdots \\ S_f(m^n - 1) \end{pmatrix} = M_n \begin{pmatrix} f(0) \\ f(1) \\ \vdots \\ f(m^n - 1) \end{pmatrix}. \tag{2}$$

From now on, we always assume $f : Z_m^n \to Z_m$ and denote the DFT of $\zeta^{f(x)}$ as $S(f)(\omega)$ instead of $S_{\zeta^f}(\omega)$. It is easy to give an algorithm for the computation of $S_f(\omega)$ and $S(f)(\omega)$ by means of the matrix representation (2), which is a generalization of the fast algorithm for the Walsh–Hadamard transform. But the calculations here are complex operations or real operations, which makes it difficult to obtain exact and precise results by computers. To avoid this, we introduce the $\zeta$-representation, by means of which the usual complex operations can be replaced by integer operations and some important properties of functions can be easily seen.

The $m$th cyclotomic field $Q(\zeta)$ over the rational field $Q$ is a subfield of the complex field $C$. Any $\alpha \in Q(\zeta)$ can be represented as $\alpha = a_0 + a_1\zeta + \cdots + a_{m-1}\zeta^{m-1}$ and corresponds to the vector $(a_0, \cdots, a_{m-1})$, where $a_i \in Q$. We call it a $\zeta$-representation of $\alpha$ and briefly write $\alpha = (a_0, \cdots, a_{m-1})$. The representation is not unique. Let $\Phi_m(x)$ be the $m$th cyclotomic polynomial over $Q$; then $\Phi_m(\zeta) = 0$ and $\alpha + \Phi_m(\zeta) = \alpha$ for all $\alpha \in Q(\zeta)$. Especially, $a + a\zeta + \cdots + a\zeta^{m-1} = 0$. Hence all vectors $(a, a, \cdots, a)$ are $\zeta$-representations of $0$, where $a \in Q$.

Let $\beta = (b_0, b_1, \cdots, b_{m-1}) \in Q(\zeta)$; then the following operations are well defined:
$$\alpha \pm \beta = (a_0 \pm b_0, a_1 \pm b_1, \cdots, a_{m-1} \pm b_{m-1}), \qquad c\alpha = (ca_0, ca_1, \cdots, ca_{m-1}) \text{ for any } c \in Q.$$
Let
$$T : Q^m \longrightarrow Q^m, \qquad \alpha = (a_0, \cdots, a_{m-1}) \mapsto T\alpha = (a_{m-1}, a_0, \cdots, a_{m-2})$$
be the right circular shift; then $\zeta\alpha = T\alpha$, $\zeta^{-1}\alpha = T^{-1}\alpha = (a_1, \cdots, a_{m-1}, a_0)$, the left circular shift, and $\zeta^m\alpha = T^m\alpha = \alpha$.

For any $f(x)$, $S_f(\omega) \in Z[\zeta]$ and $S(f)(\omega) \in Z[\zeta]$, where $Z[\zeta]$ is the ring of integers in $Q(\zeta)$. In terms of the $\zeta$-representation, operations in $Z[\zeta]$ can be realized by using integer vector additions, subtractions, scalar multiplications, and circular shifts. They are clearly suitable for computer calculation.

Now we have the following algorithm for computing the $\zeta$-representation of the DFT.

Algorithm 1: Compute $M_n (x_0, x_1, \cdots, x_{m^n-1})^T$.

Input: $x = (x_0, x_1, \cdots, x_{m^n-1})^T$, where each $x_i = (x_{i0}, x_{i1}, \cdots, x_{i,m-1})$ is one of the $\zeta$-representations of $x_i$, $i = 0, 1, \cdots, m^n - 1$.

Output: $y = (y_0, y_1, \cdots, y_{m^n-1})^T = M_n x$, where $y_i = (y_{i0}, y_{i1}, \cdots, y_{i,m-1})$ is one of the $\zeta$-representations of $y_i$, $i = 0, 1, \cdots, m^n - 1$.

Initial: $N = n$, $M = 1$, $i = 1$, $k = 0$.

Step 1: Separate $x$ into $m$ equal segments, namely
$$x = (x^{(1)}, x^{(2)}, \cdots, x^{(m)})^T, \qquad x^{(i)} = (x_{(i-1)m^{N-1}}, \cdots, x_{im^{N-1}-1})^T.$$
Let $x_{(i-1)m^{N-1}+j} = x^{(i)}_j$, $j = 0, 1, \cdots, m^{N-1} - 1$.

Step 2: Calculate $z = (z^{(1)}, \cdots, z^{(m)})^T$, where $z^{(i)} = (z^{(i)}_0, \cdots, z^{(i)}_{m^{N-1}-1})^T$, $i = 1, 2, \cdots, m$. For every $0 \le j \le m^{N-1} - 1$, calculate
$$z^{(1)}_j = x^{(1)}_j + x^{(2)}_j + \cdots + x^{(m)}_j$$
$$z^{(2)}_j = x^{(1)}_j + Tx^{(2)}_j + \cdots + T^{m-1}x^{(m)}_j = x^{(1)}_j + T\big(x^{(2)}_j + T(\cdots + T(x^{(m-1)}_j + Tx^{(m)}_j)\cdots)\big)$$
$$\cdots\cdots$$
$$z^{(m)}_j = x^{(1)}_j + T^{m-1}x^{(2)}_j + \cdots + T^{(m-1)(m-1)}x^{(m)}_j = x^{(1)}_j + T^{m-1}\big(x^{(2)}_j + T^{m-1}(\cdots + T^{m-1}(x^{(m-1)}_j + T^{m-1}x^{(m)}_j)\cdots)\big).$$
(Note: Each $x^{(i)}_j$ is a vector, and so is each $z^{(i)}_j$.) Set
$$z^{(i)} = (z^{(i)}_0, z^{(i)}_1, \cdots, z^{(i)}_{m^{N-1}-1})^T, \qquad w^{(k+j)} = z^{(j)},\ j = 1, 2, \cdots, m, \qquad k = k + m.$$

If $i < M$, let $i = i + 1$, $x = y^{(i)}$, and return to Step 1. If $i = M$ and $M \le m^{n-1}$, set $M = mM$, $k = 0$, $y^{(j)} = w^{(j)}$, $j = 1, \cdots, M$, and set $x = y^{(1)}$, $i = 1$, $N = N - 1$, and return to Step 1. If $i = M$ and $M = m^n$, let $y_{j-1} = y^{(j)}$, $1 \le j \le M$; then $y = (y_0, \cdots, y_{m^n-1})^T$, with each $y_i = (y_{i0}, \cdots, y_{i,m-1})$, is the output. Stop.

Example 1: $m = 3$, $n = 2$, $\zeta = (-1 + \sqrt{-3})/2$. The computation of $(y_0, y_1, \cdots, y_8)^T = M_2 (x_0, x_1, \cdots, x_8)^T$ is illustrated as follows, where $x_i = x_{i0} + x_{i1}\zeta + x_{i2}\zeta^2 = (x_{i0}, x_{i1}, x_{i2})$ and $0 \le i \le 8$. For
$$x^{(1)} = \begin{pmatrix} x_0 \\ x_1 \\ x_2 \end{pmatrix}, \qquad x^{(2)} = \begin{pmatrix} x_3 \\ x_4 \\ x_5 \end{pmatrix}, \qquad x^{(3)} = \begin{pmatrix} x_6 \\ x_7 \\ x_8 \end{pmatrix}$$
we have
$$z^{(1)} = \begin{pmatrix} x_0 \\ x_1 \\ x_2 \end{pmatrix} + \begin{pmatrix} x_3 \\ x_4 \\ x_5 \end{pmatrix} + \begin{pmatrix} x_6 \\ x_7 \\ x_8 \end{pmatrix} = \begin{pmatrix} z^{(1)}_0 \\ z^{(1)}_1 \\ z^{(1)}_2 \end{pmatrix}$$
$$z^{(2)} = \begin{pmatrix} x_0 \\ x_1 \\ x_2 \end{pmatrix} + \begin{pmatrix} Tx_3 \\ Tx_4 \\ Tx_5 \end{pmatrix} + \begin{pmatrix} T^2x_6 \\ T^2x_7 \\ T^2x_8 \end{pmatrix} = \begin{pmatrix} z^{(2)}_0 \\ z^{(2)}_1 \\ z^{(2)}_2 \end{pmatrix}$$
$$z^{(3)} = \begin{pmatrix} x_0 \\ x_1 \\ x_2 \end{pmatrix} + \begin{pmatrix} T^2x_3 \\ T^2x_4 \\ T^2x_5 \end{pmatrix} + \begin{pmatrix} Tx_6 \\ Tx_7 \\ Tx_8 \end{pmatrix} = \begin{pmatrix} z^{(3)}_0 \\ z^{(3)}_1 \\ z^{(3)}_2 \end{pmatrix}.$$


For $i = 1, 2, 3$, each segment $(z^{(i)}_0, z^{(i)}_1, z^{(i)}_2)^T$ is combined once more with circular shifts:
$$z^{(i)}_0 + z^{(i)}_1 + z^{(i)}_2 = y^{(i)}_0$$
$$z^{(i)}_0 + Tz^{(i)}_1 + T^2 z^{(i)}_2 = y^{(i)}_1$$
$$z^{(i)}_0 + T^2 z^{(i)}_1 + Tz^{(i)}_2 = y^{(i)}_2.$$
Let $y^{(i)}_j = y_{3(i-1)+j}$, $i = 1, 2, 3$, $j = 0, 1, 2$; then
$$(y_0, y_1, \cdots, y_8)^T = M_2 (x_0, x_1, \cdots, x_8)^T.$$

Theorem 1: Algorithm 1 is correct.

Proof: Let $I_k$ be the unit matrix of order $m^k$. Then
$$M_n = M_{n-1} \otimes M_1 = \begin{pmatrix} M_{n-1} & & & \\ & M_{n-1} & & \\ & & \ddots & \\ & & & M_{n-1} \end{pmatrix} \begin{pmatrix} I_{n-1} & I_{n-1} & \cdots & I_{n-1} \\ I_{n-1} & \zeta I_{n-1} & \cdots & \zeta^{m-1} I_{n-1} \\ \vdots & \vdots & & \vdots \\ I_{n-1} & \zeta^{m-1} I_{n-1} & \cdots & \zeta^{(m-1)(m-1)} I_{n-1} \end{pmatrix}$$
and
$$\begin{pmatrix} I_{n-1} & I_{n-1} & \cdots & I_{n-1} \\ I_{n-1} & \zeta I_{n-1} & \cdots & \zeta^{m-1} I_{n-1} \\ \vdots & \vdots & & \vdots \\ I_{n-1} & \zeta^{m-1} I_{n-1} & \cdots & \zeta^{(m-1)(m-1)} I_{n-1} \end{pmatrix} x
= \begin{pmatrix} \sum_{i=1}^{m} x^{(i)} \\ \sum_{i=1}^{m} \zeta^{i-1} x^{(i)} \\ \vdots \\ \sum_{i=1}^{m} \zeta^{(i-1)(m-1)} x^{(i)} \end{pmatrix}
= \begin{pmatrix} \sum_{i=1}^{m} x^{(i)} \\ \sum_{i=1}^{m} T^{i-1} x^{(i)} \\ \vdots \\ \sum_{i=1}^{m} T^{(i-1)(m-1)} x^{(i)} \end{pmatrix}
= \begin{pmatrix} y^{(1)} \\ y^{(2)} \\ \vdots \\ y^{(m)} \end{pmatrix}.$$
Therefore,
$$M_n x = \begin{pmatrix} M_{n-1} y^{(1)} \\ M_{n-1} y^{(2)} \\ \vdots \\ M_{n-1} y^{(m)} \end{pmatrix}.$$
For each $M_{n-1} y^{(k)}$, $1 \le k \le m$, repeat the above procedure. By induction on $n$, Algorithm 1 is correct.

Remark 1: In Algorithm 1, $n(m-1)m^{n+1}$ additions are required but no multiplications. And each
$$y_i = (y_{i0}, y_{i1}, \cdots, y_{i,m-1}) = y_{i0} + y_{i1}\zeta + \cdots + y_{i,m-1}\zeta^{m-1}$$
(the output) is exact. For the computation of the DFT of $f : Z_m^n \to Z_m$ and of $\zeta^f$, the $\zeta$-representations of $f(x)$ and $\zeta^{f(x)}$ are integer vectors. Hence all $x_{ij}$ (the input) are integers, $i = 0, 1, \cdots, m^n - 1$, $j = 0, 1, \cdots, m-1$, and the additions are integer additions. If we replace the $\zeta$-representation by the representation $a + b\sqrt{-1}$ and the operator $T$ by the complex multiplier $\zeta$, then Algorithm 1 requires $n(m-1)^2 m^{n-1}$ complex multiplications (or $4n(m-1)^2 m^{n-1}$ real multiplications) and $n(m-1)m^n$ complex additions. And $m^{2n}$ complex multiplications will be required for a direct computation by using (1). In order to obtain the representation $a + b\sqrt{-1}$ from Algorithm 1, if it is necessary, some additional operations are needed as follows. Let
$$\zeta^j = a_j + b_j\sqrt{-1}, \qquad 0 \le j \le m-1;$$
then
$$y_i = y_{i0} + y_{i1}\zeta + \cdots + y_{i,m-1}\zeta^{m-1} = A_i + B_i\sqrt{-1}$$
where
$$A_i = \sum_{j=0}^{m-1} y_{ij} a_j, \qquad B_i = \sum_{j=0}^{m-1} y_{ij} b_j.$$
If $x_{ij} \in R$ ($R$ is the real field) for all $i = 0, \cdots, m^n - 1$ and $j = 0, \cdots, m-1$, then all $y_{ij} \in R$ and $2(m-1)m^n$ real multiplications are needed. And $4(m-1)m^n$ real multiplications are needed if $x_{ij} \in C$ for $i = 0, 1, \cdots, m^n - 1$ and $j = 0, 1, \cdots, m-1$. Both $2(m-1)m^n$ and $4(m-1)m^n$ are less than $4n(m-1)^2 m^{n-1}$ for $n \ge 2$.

Obviously, Algorithm 1 is valid for the extension field $E = F(\zeta)$ over any field $F$, where $\zeta$ is an element of order $m$.

Remark 2: In the case of $m = 2k$, Algorithm 1 can be modified as follows. Since $\zeta^k = -1$, each $\alpha \in Q(\zeta)$ can be represented as
$$\alpha = a_0 + a_1\zeta + \cdots + a_{k-1}\zeta^{k-1} = (a_0, a_1, \cdots, a_{k-1}), \qquad a_i \in Q,$$
which is called the $\zeta/2$-representation. Let
$$T'(a_0, \cdots, a_{k-1}) = (-a_{k-1}, a_0, \cdots, a_{k-2});$$
then $\zeta\alpha = T'\alpha$. Replacing the $\zeta$-representation by the $\zeta/2$-representation and the operator $T$ by $T'$ in Algorithm 1, we obtain Algorithm 1', which is valid for the case $m = 2k$. The number of additions and subtractions needed is $\frac{1}{2} n(m-1)m^{n+1}$.

Example 2: $f(x) = 2x_0x_1 + x_0 + x_1 + 1 \in Z_4[x_0, x_1]$; then $m = 4$, $n = 2$, $\zeta = \sqrt{-1}$. The following table is the DFT of $\zeta^{f(x)}$ (using Algorithm 1'). The columns are $x$, $f(x)$, the $\zeta/2$-representation of $\zeta^{f(x)}$, the intermediate vector after the first pass of Algorithm 1', $S(f)(\omega)$ in $\zeta/2$-representation and as a complex number, and $\omega$.

x      f(x)  ζ^{f(x)}  first pass  S(f)(ω)              ω
(0,0)  1     (0, 1)    (0, 0)      (0, 0)  = 0          (0,0)
(0,1)  2     (−1, 0)   (0, 0)      (0, 0)  = 0          (0,1)
(0,2)  3     (0, −1)   (0, 0)      (0, 0)  = 0          (0,2)
(0,3)  0     (1, 0)    (0, 0)      (0, 0)  = 0          (0,3)
(1,0)  2     (−1, 0)   (0, 0)      (0, 0)  = 0          (1,0)
(1,1)  1     (0, 1)    (−4, 0)     (0, −8) = −8√−1      (1,1)
(1,2)  0     (1, 0)    (0, 0)      (0, 0)  = 0          (1,2)
(1,3)  3     (0, −1)   (4, 0)      (0, 8)  = 8√−1       (1,3)
(2,0)  3     (0, −1)   (0, 0)      (0, 0)  = 0          (2,0)
(2,1)  0     (1, 0)    (0, 0)      (0, 0)  = 0          (2,1)
(2,2)  1     (0, 1)    (0, 0)      (0, 0)  = 0          (2,2)
(2,3)  2     (−1, 0)   (0, 0)      (0, 0)  = 0          (2,3)
(3,0)  0     (1, 0)    (0, 4)      (0, 0)  = 0          (3,0)
(3,1)  3     (0, −1)   (0, 0)      (0, 8)  = 8√−1       (3,1)
(3,2)  2     (−1, 0)   (0, −4)     (0, 0)  = 0          (3,2)
(3,3)  1     (0, 1)    (0, 0)      (0, 8)  = 8√−1       (3,3)

III. THE BEST LINEAR APPROXIMATION

Now we turn to another interesting problem, the linear approximation of any function $f(x)$ over $Z_m$, which is important for both theory and application in cryptography, signal processing, and other areas.


For any function $f(x)$ from $Z_m^n$ to $Z_m$, the DFT of $\zeta^{f(x)}$ is
$$S(f)(\omega) = \sum_{x \in Z_m^n} \zeta^{f(x) + \omega \cdot x} = \sum_{f(x) + \omega \cdot x = 0} \zeta^0 + \sum_{f(x) + \omega \cdot x = 1} \zeta^1 + \cdots + \sum_{f(x) + \omega \cdot x = m-1} \zeta^{m-1}.$$
Let
$$S_f(\omega)_i = \#\{x \in Z_m^n \mid f(x) + \omega \cdot x = i\}, \qquad 0 \le i \le m-1;$$
then
$$(S_f(\omega)_0, S_f(\omega)_1, \cdots, S_f(\omega)_{m-1}) = \tilde S(f)(\omega)$$
(see Appendix) is one of the $\zeta$-representations of $S(f)(\omega)$, called the standard $\zeta$-representation, which is unique.

First of all, we notice that $m^{-n} S_f(\omega)_i = p(f(x) + \omega \cdot x = i)$ is just the probability of
$$f(x) = i - \omega \cdot x = i - \omega_0 x_0 - \omega_1 x_1 - \cdots - \omega_{n-1} x_{n-1},$$
a linear function over $Z_m$, for any given $\omega \in Z_m^n$; so we have the following theorem.

Theorem 2: Let $f : Z_m^n \to Z_m$. If
$$S_f(\theta)_j = \max\{S_f(\omega)_i \mid \omega \in Z_m^n,\ 0 \le i \le m-1\}$$
then $j - \theta \cdot x$ is the best linear approximation of $f(x)$ and $m^{-n} S_f(\theta)_j$ is just the probability of $f(x) = j - \theta \cdot x$.

For every $i \in Z_m$, $0 \le i \le m-1$, the vector $\tilde i = (0, \cdots, 1, \cdots, 0)$ with the $1$ in the $i$th position (e.g., $\tilde 0 = (1, 0, \cdots, 0)$, $\tilde 1 = (0, 1, \cdots, 0)$) is one of the $\zeta$-representations of $\zeta^i$, called the standard $\zeta$-representation, which is unique. Then we have the following theorem for the computation of the best linear approximation.

Theorem 3: Let $f : Z_m^n \to Z_m$ be a function. If the input of Algorithm 1 is $(\tilde f(0), \tilde f(1), \cdots, \tilde f(m^n - 1))$, where $\tilde f(i)$ is the standard $\zeta$-representation of $\zeta^{f(i)}$, then the output is
$$(\tilde S(f)(0), \tilde S(f)(1), \cdots, \tilde S(f)(m^n - 1))$$
and
$$\tilde S(f)(\omega) = (S_f(\omega)_0, S_f(\omega)_1, \cdots, S_f(\omega)_{m-1})$$
is just the standard $\zeta$-representation of $S(f)(\omega)$ for every $\omega \in Z_m^n$.

Proof: See Appendix.

Example 3: Let
$$f(x) = 2x_0x_1 + x_0 + x_1 + 1 \in Z_4[x_0, x_1].$$
We calculate its best linear approximation. The columns are $x$, $f(x)$, $\tilde f(x)$, the intermediate vector after the first pass of Algorithm 1, $\tilde S(f)(\omega)$, and $\omega$.

x      f(x)  f~(x)         first pass    S~(f)(ω)        ω
(0,0)  1     (0, 1, 0, 0)  (1, 1, 1, 1)  (4, 4, 4, 4)    (0,0)
(0,1)  2     (0, 0, 1, 0)  (1, 1, 1, 1)  (4, 4, 4, 4)    (0,1)
(0,2)  3     (0, 0, 0, 1)  (1, 1, 1, 1)  (4, 4, 4, 4)    (0,2)
(0,3)  0     (1, 0, 0, 0)  (1, 1, 1, 1)  (4, 4, 4, 4)    (0,3)
(1,0)  2     (0, 0, 1, 0)  (0, 2, 0, 2)  (4, 4, 4, 4)    (1,0)
(1,1)  1     (0, 1, 0, 0)  (0, 0, 4, 0)  (0, 4, 0, 12)   (1,1)
(1,2)  0     (1, 0, 0, 0)  (0, 2, 0, 2)  (4, 4, 4, 4)    (1,2)
(1,3)  3     (0, 0, 0, 1)  (4, 0, 0, 0)  (0, 12, 0, 4)   (1,3)
(2,0)  3     (0, 0, 0, 1)  (1, 1, 1, 1)  (4, 4, 4, 4)    (2,0)
(2,1)  0     (1, 0, 0, 0)  (1, 1, 1, 1)  (4, 4, 4, 4)    (2,1)
(2,2)  1     (0, 1, 0, 0)  (1, 1, 1, 1)  (4, 4, 4, 4)    (2,2)
(2,3)  2     (0, 0, 1, 0)  (1, 1, 1, 1)  (4, 4, 4, 4)    (2,3)
(3,0)  0     (1, 0, 0, 0)  (0, 4, 0, 0)  (4, 4, 4, 4)    (3,0)
(3,1)  3     (0, 0, 0, 1)  (2, 0, 2, 0)  (0, 12, 0, 4)   (3,1)
(3,2)  2     (0, 0, 1, 0)  (0, 0, 0, 4)  (4, 4, 4, 4)    (3,2)
(3,3)  1     (0, 1, 0, 0)  (2, 0, 2, 0)  (0, 12, 0, 4)   (3,3)

We have
$$S_f(1,1)_3 = S_f(1,3)_1 = S_f(3,1)_1 = S_f(3,3)_1 = 12 = \max\{S_f(\omega)_i \mid \omega \in Z_m^n,\ 0 \le i \le m-1\}.$$
Thus
$$3 - x_0 - x_1 = 3x_0 + 3x_1 + 3$$
$$1 - x_0 - 3x_1 = 3x_0 + x_1 + 1$$
$$1 - 3x_0 - x_1 = x_0 + 3x_1 + 1$$
and
$$1 - 3x_0 - 3x_1 = x_0 + x_1 + 1$$
are all best linear approximations of $f(x)$, and the probability of $f(x) = i - \omega \cdot x$ is $12/16 = 3/4$ for each
$$(i, \omega) \in \{(3, (1,1)),\ (1, (1,3)),\ (1, (3,1)),\ (1, (3,3))\}.$$

Example 4: $f(x) = 2x^3 + 3 \in Z_6[x]$, $m = 6$, $n = 1$.

f~(0) = (0, 0, 0, 1, 0, 0)    (0, 2, 0, 2, 0, 2) = S~(f)(0)
f~(1) = (0, 0, 0, 0, 0, 1)    (3, 0, 0, 3, 0, 0) = S~(f)(1)
f~(2) = (0, 1, 0, 0, 0, 0)    (0, 2, 0, 2, 0, 2) = S~(f)(2)
f~(3) = (0, 0, 0, 1, 0, 0)    (1, 1, 1, 1, 1, 1) = S~(f)(3)
f~(4) = (0, 0, 0, 0, 0, 1)    (0, 0, 0, 6, 0, 0) = S~(f)(4)
f~(5) = (0, 1, 0, 0, 0, 0)    (1, 1, 1, 1, 1, 1) = S~(f)(5)

Since $S_f(4)_3 = 6$, the best linear approximation of $f(x)$ is $3 - 4x = 2x + 3$, and the probability of $f(x) = 2x + 3$ is $1$, i.e., $f(x) = 2x + 3$.
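The following Python program is an added worked example, not code from the paper: it implements Algorithm 1 of Section II on integer vectors (additions and the circular shift $T$ only), feeds it the standard $\zeta$-representations $\tilde f(x)$ as Theorem 3 prescribes, and reads off the best linear approximation of Theorem 2 from the largest entry of the output. Function names (`dft_zeta_rep`, `standard_rep_fast`, `best_linear_approximations`) are mine; the indexing of $x$ by $\sum_i x_i m^{n-1-i}$ follows Section II. It reproduces Examples 3 and 4 and cross-checks the fast algorithm against the counting definition $S_f(\omega)_i = \#\{x \mid f(x) + \omega \cdot x = i\}$, which is what a practitioner would want before trusting the butterfly on a larger $m^n$.

```python
from itertools import product


def shift(v, s):
    """T^s: right circular shift by s places, T(a0,...,a_{m-1}) = (a_{m-1}, a0, ..., a_{m-2}).
    In the zeta-representation this is exactly multiplication by zeta^s."""
    s %= len(v)
    return v[-s:] + v[:-s] if s else v


def vec_add(u, v):
    return tuple(a + b for a, b in zip(u, v))


def int_to_vec(idx, m, n):
    """Inverse of x = sum_i x_i m^{n-1-i}: integer in [0, m^n) -> (x_0, ..., x_{n-1})."""
    digits = []
    for _ in range(n):
        digits.append(idx % m)
        idx //= m
    return tuple(reversed(digits))


def dft_zeta_rep(vecs, m, n):
    """Algorithm 1: y = M_n x, each x_i a length-m integer vector (a zeta-representation).
    Each pass splits a block of length m^N into m equal segments and forms the m output
    segments z^(k) = sum_i T^{(i)(k)} x^(i) with circular shifts instead of powers of zeta;
    the next pass then recurses into every segment (Theorem 1)."""
    y = list(vecs)
    if len(y) != m ** n:
        raise ValueError("expected m**n input vectors")
    block = m ** n
    for _ in range(n):
        seg = block // m
        for start in range(0, m ** n, block):
            x = y[start:start + block]
            z = []
            for k in range(m):            # output segment k (digit omega_0 = k)
                for j in range(seg):
                    acc = x[j]            # i = 0: no shift
                    for i in range(1, m):
                        acc = vec_add(acc, shift(x[i * seg + j], i * k))
                    z.append(acc)
            y[start:start + block] = z
        block = seg
    return y


def standard_rep_direct(f, m, n):
    """Counting definition: S~(f)(omega)_i = #{x : f(x) + omega.x = i}."""
    pts = list(product(range(m), repeat=n))
    out = {}
    for w in pts:
        counts = [0] * m
        for x in pts:
            counts[(f(x) + sum(a * b for a, b in zip(w, x))) % m] += 1
        out[w] = tuple(counts)
    return out


def standard_rep_fast(f, m, n):
    """Theorem 3: Algorithm 1 on the unit vectors f~(x) returns the standard
    zeta-representation of S(f)(omega) for every omega, exactly (integers only)."""
    inp = []
    for idx in range(m ** n):
        e = [0] * m
        e[f(int_to_vec(idx, m, n)) % m] = 1
        inp.append(tuple(e))
    out = dft_zeta_rep(inp, m, n)
    return {int_to_vec(idx, m, n): out[idx] for idx in range(m ** n)}


def best_linear_approximations(f, m, n):
    """Theorem 2: every (j, theta) attaining max S~(f)(theta)_j gives the best linear
    approximation j - theta.x, holding with probability m^{-n} S~(f)(theta)_j."""
    spec = standard_rep_fast(f, m, n)
    best = max(v for vec in spec.values() for v in vec)
    winners = [(j, w) for w, vec in spec.items()
               for j, v in enumerate(vec) if v == best]
    return winners, best / m ** n


if __name__ == "__main__":
    # Example 3 of the paper: f = 2 x0 x1 + x0 + x1 + 1 over Z_4, n = 2.
    f3 = lambda x: (2 * x[0] * x[1] + x[0] + x[1] + 1) % 4
    print(standard_rep_fast(f3, 4, 2)[(1, 1)])      # (0, 4, 0, 12)
    print(best_linear_approximations(f3, 4, 2))     # four maximisers, probability 0.75
    # Example 4 of the paper: f = 2 x^3 + 3 over Z_6, n = 1.
    f4 = lambda x: (2 * x[0] ** 3 + 3) % 6
    print(best_linear_approximations(f4, 6, 1))     # [(3, (4,))], probability 1.0
```

Because $T^s$ applied to a unit vector $\tilde a$ is $\widetilde{a+s}$, the butterfly never produces anything but non-negative integer counts, so the output is the standard representation itself and no reduction modulo $\Phi_m$ is needed to read off the maximum.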

In the case of $m = 2k$, let
$$S'_f(\omega)_i = S_f(\omega)_i - S_f(\omega)_{i+k}, \qquad 0 \le i \le k-1;$$
then $(S'_f(\omega)_0, \cdots, S'_f(\omega)_{k-1})$ is the standard $\zeta/2$-representation of $S(f)(\omega)$. If
$$|S'_f(\theta)_j| = \max\{|S'_f(\omega)_i| \mid \omega \in Z_m^n,\ 0 \le i \le k-1\} \ge m^n/2$$
then $j - \theta \cdot x$ or $j + k - \theta \cdot x$ is the best linear approximation according to $S'_f(\theta)_j \ge 0$ or $S'_f(\theta)_j < 0$. And we may use Algorithm 1' to obtain the best approximation (see Examples 2–4).

IV. SPECTRAL CHARACTERIZATION OF CORRELATION-IMMUNE FUNCTIONS

Correlation immunity of functions is another important problem in cryptography and other areas. A function $f : Z_m^n \to Z_m$ is called $k$th-order correlation-immune, $1 \le k \le n$, if
$$p\big(f(x) = c,\ (x_{i_1}, \cdots, x_{i_k}) = (a_1, \cdots, a_k)\big) = m^{-k}\, p(f(x) = c)$$
for any $c \in Z_m$, $\{i_1, \cdots, i_k\} \subseteq \{1, \cdots, n\}$ and $(a_1, \cdots, a_k) \in Z_m^k$, where $x = (x_1, \cdots, x_n)$ and $x_1, \cdots, x_n$ are independent equiprobable random variables.

Let $R = C[x]/(x^m - 1)$ and $\xi = x + (x^m - 1)$ be the residue class of $x$ in $R$ (note: $\xi$ is not a complex number); then $R = C[\xi]$ and $C \subseteq R$, where we identify $a \in C$ with the class $a + (x^m - 1) \in R$; especially we have $\zeta + (x^m - 1) = \zeta \in R$ and $\xi^m = 1 = \zeta^m$, $\Phi_m(\zeta) = 0$, but $\Phi_m(\xi) \ne 0$. Since $\xi^m = 1$ and $g(\xi) \ne 0$ for any $g(x) \in Q[x]$ with $\deg(g) < m$, each $\alpha \in C[\xi]$ can be uniquely represented as $\alpha = a_0 + a_1\xi + \cdots + a_{m-1}\xi^{m-1}$, where $a_i \in C$ for all $0 \le i \le m-1$.


A spectral characterization of correlation-immune functions is studied in terms of the DFT of $\xi^{f(x)}$, which is
$$\tilde S_f(\omega) = \sum_{x \in Z_m^n} \xi^{f(x)} \zeta^{\omega \cdot x}, \qquad \omega \in Z_m^n.$$
Obviously, $\tilde S_f(\omega) \in Z[\zeta, \xi]$, a subring of $C[\xi]$. For any $\alpha \in Z[\zeta, \xi]$, $\alpha = a_0 + a_1\xi + \cdots + a_{m-1}\xi^{m-1}$, $a_i \in Z[\zeta]$, and $(a_0, \cdots, a_{m-1})$ is the $\xi$-representation of $\alpha$. If the input of Algorithm 1 is the $\xi$-representations of $(\xi^{f(0)}, \xi^{f(1)}, \cdots, \xi^{f(m^n - 1)})$, then the output is the $\xi$-representations of the DFT of $\xi^{f(x)}$.

Lemma 1: $\sum_{\omega \in Z_m^k} \alpha_\omega \zeta^{\omega \cdot a} = 0$ for all $a \in Z_m^k$, where $\alpha_\omega \in C[\xi]$, if and only if $\alpha_\omega = 0$ for all $\omega \in Z_m^k$.

Proof: If $\sum_{\omega \in Z_m^k} \alpha_\omega \zeta^{\omega \cdot a} = 0$ for all $a \in Z_m^k$, then
$$\sum_{a \in Z_m^k} \Big( \sum_{\omega \in Z_m^k} \alpha_\omega \zeta^{\omega \cdot a} \Big) \zeta^{-\beta \cdot a} = \sum_{\omega \in Z_m^k} \alpha_\omega \sum_{a \in Z_m^k} \zeta^{\omega \cdot a} \zeta^{-\beta \cdot a} = m^k \alpha_\beta = 0$$
and $\alpha_\beta = 0$ for all $\beta \in Z_m^k$. The proof of the other direction is straightforward.

Theorem 4: Let $f : Z_m^n \to Z_m$; then $f(x)$ is $k$th-order correlation-immune if and only if $\tilde S_f(\omega) = 0$ for all $1 \le W(\omega) \le k$, where $W(\omega) = \#\{\omega_i \mid \omega_i \ne 0\}$ and $\omega = (\omega_1, \omega_2, \cdots, \omega_n)$.

Proof: $f$ is $k$th-order correlation-immune if and only if
$$m^k \sum_{x' = a} \xi^{f(x)} = \sum_{x \in Z_m^n} \xi^{f(x)} \tag{3}$$
where $x' = (x_{i_1}, \cdots, x_{i_k})$, for all $\{i_1, \cdots, i_k\} \subseteq \{1, 2, \cdots, n\}$ and all $a \in Z_m^k$. Since
$$m^k \sum_{x' = a} \xi^{f(x)} = \sum_{x \in Z_m^n} \xi^{f(x)} \sum_{\omega' \in Z_m^k} \zeta^{\omega' \cdot (x' - a)}
= \sum_{x \in Z_m^n} \xi^{f(x)} \Big( 1 + \sum_{\omega' \ne 0} \zeta^{\omega' \cdot (x' - a)} \Big)
= \sum_{x \in Z_m^n} \xi^{f(x)} + \sum_{x \in Z_m^n} \xi^{f(x)} \sum_{\omega' \ne 0} \zeta^{\omega' \cdot (x' - a)},$$
(3) holds if and only if
$$\sum_{x \in Z_m^n} \xi^{f(x)} \sum_{\omega' \ne 0} \zeta^{\omega' \cdot (x' - a)} = \sum_{\omega' \ne 0} \Big( \sum_{x \in Z_m^n} \xi^{f(x)} \zeta^{\omega' \cdot x'} \Big) \zeta^{-\omega' \cdot a} = 0, \qquad \text{for all } a \in Z_m^k.$$
Namely,
$$\sum_{x \in Z_m^n} \xi^{f(x)} \zeta^{\omega' \cdot x'} = 0, \qquad \text{for all } 0 \ne \omega' \in Z_m^k$$
(see Lemma 1), i.e.,
$$\sum_{x \in Z_m^n} \xi^{f(x)} \zeta^{\omega \cdot x} = 0, \qquad \text{for all } 1 \le W(\omega) \le k.$$

APPENDIX

PROOF OF THEOREM 3

Let the ring $R = Q[x]/(x^m - 1) = Q[\xi]$, where $\xi = x + (x^m - 1)$. Then $\xi^m = 1$, but $g(\xi) \ne 0$ for any $g(x) \in Q[x]$ with $\deg(g) < m$, so each $\alpha \in Q[\xi]$ can be uniquely represented as
$$\alpha = a_0 + a_1\xi + \cdots + a_{m-1}\xi^{m-1}$$
where $a_i \in Q$. Since the representation is unique, we can identify $\alpha \in Q[\xi]$ with the vector $(a_0, a_1, \cdots, a_{m-1}) \in Q^m$, called the vector representation of $\alpha$, and identify $Q[\xi]$ with $Q^m$. The operations in $Q[\xi]$ are similar to those in $Q[\zeta]$, e.g., $\xi\alpha = T\alpha$, the right circular shift.

Let
$$\tilde S_f(\omega) = \sum_{x \in Z_m^n} \xi^{f(x)} \xi^{\omega \cdot x} = \sum_{x \in Z_m^n} \xi^{f(x) + \omega \cdot x}.$$
Then on the one hand
$$\tilde S_f(\omega) = S_f(\omega)_0 + S_f(\omega)_1 \xi + \cdots + S_f(\omega)_{m-1} \xi^{m-1} = (S_f(\omega)_0, S_f(\omega)_1, \cdots, S_f(\omega)_{m-1}),$$
which is just the standard $\zeta$-representation of $S(f)(\omega)$, and $\xi^{f(x)} = \tilde f(x)$ is just the standard $\zeta$-representation of $\zeta^{f(x)}$; on the other hand
$$\begin{pmatrix} \tilde S_f(0) \\ \tilde S_f(1) \\ \vdots \\ \tilde S_f(m^n - 1) \end{pmatrix} = \tilde M_n \begin{pmatrix} \tilde f(0) \\ \tilde f(1) \\ \vdots \\ \tilde f(m^n - 1) \end{pmatrix} \tag{4}$$
where
$$\tilde M_1 = \begin{pmatrix}
1 & 1 & 1 & \cdots & 1 \\
1 & \xi & \xi^2 & \cdots & \xi^{m-1} \\
1 & \xi^2 & \xi^4 & \cdots & \xi^{2(m-1)} \\
\vdots & \vdots & \vdots & & \vdots \\
1 & \xi^{m-1} & \xi^{2(m-1)} & \cdots & \xi^{(m-1)(m-1)}
\end{pmatrix}$$
and $\tilde M_n = \tilde M_{n-1} \otimes \tilde M_1$. Similarly to (2) and Theorem 1, (4) shows that if the input of Algorithm 1 is the vector representations of $(\xi^{f(0)}, \xi^{f(1)}, \cdots, \xi^{f(m^n - 1)})$, i.e., $\xi^{f(i)} = \tilde f(i)$ for all $i \in [0, m^n - 1]$, then the output is
$$(\tilde S_f(0), \tilde S_f(1), \cdots, \tilde S_f(m^n - 1))$$
and $\tilde S_f(\omega)$ is just the standard $\zeta$-representation of $S(f)(\omega)$ for every $\omega \in Z_m^n$.

REFERENCES

[1] H. Chrestenson, “A class of generalized Walsh functions,” Pacific J. Math., vol. 5, pp. 17–23, May 1955.

[2] G. Z. Xiao and C. Moraga, “Characterization of Fourier spectrum over Abelian groups,” J. Electron. Sci., vol. 20, no. 7, pp. 36–42, 1992 (in Chinese).

[3] C. S. Ding and G. Z. Xiao, Stream Ciphers and their Applications. Beijing: Nat. Defense Industrial Press, 1994 (in Chinese).

[4] C. K. Wu, “Spectral analysis of some independence of multivalued logical functions from their variables,” J. Electron. Sci., vol. 15, no. 1, pp. 17–25, 1993 (in Chinese).

[5] S. Q. Li and B. S. Zheng, “A sufficient and necessary condition on the correlation-immunity of multivalued logical functions,” in CHINACRYPT’94. Beijing: Science Press, 1994, pp. 257–264 (in Chinese).

[6] K. Gopalakrishnan and D. R. Stinson, “Three characterizations of non-binary correlation-immune and resilient functions,” Des., Codes Cryptogr., vol. 5, pp. 241–251, 1995.

[7] R. Lidl and H. Niederreiter, Finite Fields. Reading, MA: Addison-Wesley, 1983.

[8] M. X. Zhang and G. Z. Xiao, “Characterization of spectrum of multivalued logical functions with correlation-immunity,” Acta Electron. Sinica, vol. 39, no. 9, pp. 772–773, 1994 (in Chinese).


[9] G. Z. Xiao and J. L. Massey, “A spectral characterization of correlation-immune combining functions,” IEEE Trans. Inform. Theory, vol. 34, pp. 569–571, May 1988.

[10] A. V. Oppenheim and R. W. Schafer, Digital Signal Processing. Englewood Cliffs, NJ: Prentice Hall, 1975.

[11] M. Bellanger, Digital Processing of Signals. New York: Wiley, 1984.

On the Capacity of Generalized Write-Once Memory with State Transitions Described by an Arbitrary Directed Acyclic Graph

F.-W. Fu and A. J. Han Vinck, Senior Member, IEEE

Abstract—The generalized write-once memory introduced by Fiat and Shamir is a $q$-ary information storage medium. Each storage cell is expected to store one of $q$ symbols, and the legal state transitions are described by an arbitrary directed acyclic graph. This memory model can be understood as a generalization of the binary write-once memory which was introduced by Rivest and Shamir. During the process of updating information, the contents of a cell can be changed from a 0-state to a 1-state but not vice versa. We study the problem of reusing a generalized write-once memory for $T$ successive cycles (generations). We determine the zero-error capacity region and the maximum total number of information bits stored in the memory for $T$ consecutive cycles for the situation where the encoder knows and the decoder does not know the previous state of the memory. These results extend the results of Wolf, Wyner, Ziv, and Körner for the binary write-once memory.

Index Terms—Capacity, directed acyclic graph, information, WOM-codes, write-once memory.

I. INTRODUCTION

A write-once memory (WOM) is a binary information storage medium. During the process of updating information, the contents of a cell can be changed from a 0-state to a 1-state but not vice versa. This class of WOM includes punch cards and digital optical discs in which binary data is represented by blanks (0’s) and dots (1’s). Due to the updating technology, the dots cannot be removed. Rivest and Shamir [1] showed that, if the encoder knows and the decoder does not know the previous state of the memory, WOM can be reused very efficiently by using the same code for every updating cycle. Wolf, Wyner, Ziv, and Körner [2] studied the WOM from an information-theoretical point of view. They determined the capacity region and the maximum total number of information bits stored in the memory for fixed $T$ successive cycles by using arbitrary codes for every cycle. Cohen, Godlewski, and Merkx [3] presented a class

Manuscript received July 21, 1997; revised June 10, 1998. This work was supported in part by the Chinese Education Ministry, the National Natural Science Foundation of China, and the University of Essen, and was done during October 1996–October 1997, while F.-W. Fu was visiting the Institute for Experimental Mathematics, University of Essen, 45326 Essen, Germany.

F.-W. Fu is with the Department of Mathematics, Nankai University, Tianjin 300071, China.

A. J. Han Vinck is with the Institute for Experimental Mathematics, University of Essen, 45326 Essen, Germany.

Communicated by K. Zeger, Editor at Large. Publisher Item Identifier S 0018-9448(99)00084-X.

of linear coset codes for the WOM. Cohen and Zémor [4] presented a construction method for the error-correcting WOM codes.

Fiat and Shamir [5] studied the generalized write-once memory, which is a $q$-ary information storage medium. Each storage cell is expected to store one of $q$ symbols, and the legal state transitions are described by an arbitrary directed acyclic graph. They extended the results of Rivest and Shamir [1] for the binary WOM to the generalized WOM, in the case when the encoder and decoder use the same code for every cycle. Heegard [6] investigated the noisy WOM and presented an inner bound for the $\varepsilon$-error capacity region. He showed that in some cases the inner bound is exactly the $\varepsilon$-error capacity region. Kuznetsov and Vinck [7] studied the general defective channel with informed encoder as a generalization of a memory with defects. They presented lower and upper bounds for the maximum transmission rate. As a corollary, they derived the capacities of the binary WOM and other constrained memories.

In this correspondence, we study the problem of reusing a generalized WOM for $T$ successive cycles. We determine the zero-error capacity region and the maximum total number of information bits stored in the memory for $T$ successive cycles for the situation where the encoder knows and the decoder does not know the previous state of the memory, and different codes are allowed to be used in every cycle. These results extend the results of Wolf, Wyner, Ziv, and Körner for the binary WOM to the generalized WOM.

II. DEFINITIONS, NOTATIONS, AND MODEL

In this section, we first give the mathematical model of the generalized WOM with notations as in [5]. Then we give some examples of the generalized WOM and conclude with the definitions of WOM codes, the capacity region, and the maximum total number of information bits stored in the memory for $T$ successive cycles. Below we first introduce some concepts and notations of a directed graph.

A directed graph is a pair $(V, E)$, where $V$ is the set of vertices and $E \subseteq V \times V$ is the set of edges. A directed edge from $s$ to $s'$ is denoted by $s \to s'$. A path from $s$ to $s'$ is a sequence of zero or more edges in $E$ of the form $s = s_1 \to s_2 \to \cdots \to s_k = s'$. The notation $s \Rightarrow s'$ is used to represent the fact that there exists a path from $s$ to $s'$. A cycle is a nonempty path from a vertex to itself. A directed graph which does not contain cycles is a directed acyclic graph, abbreviated as DAG. A rooted DAG is a triple $(V, E, r)$ such that $(V, E)$ is a DAG, the root $r \in V$, and for any $s \in V$ there is a path from $r$ to $s$. In the sequel, we only consider rooted DAG’s. We assume $V = \{0, 1, \cdots, q-1\}$, and $0$ is the root.

A generalized WOM is a $q$-ary information storage medium. Each storage cell is expected to store one of $q$ symbols, and the legal state transitions are described by a rooted directed acyclic graph $(V, E)$, abbreviated as $(V, E)$-WOM. During the process of updating information we can update $s$ to $s'$ if and only if $s \Rightarrow s'$. This memory model can be seen as a generalization of the binary write-once memory.

Remark: The writing (updating) constraints here are described by the paths (not edges) of a rooted DAG $(V, E)$. We adopt this point of view from the original paper by Fiat and Shamir [5].

Example 1: $V = \{0, 1\}$, $E = \{0 \to 1\}$; the $(V, E)$-WOM is a binary WOM. A storage cell in a “0” state may be left unchanged, or updated to the “1” state. A storage cell in a “1” state is then forever stuck at the “1” state.
