hadamard matrices
TRANSCRIPT
Cryptogr. Commun. (2010) 2:129–154DOI 10.1007/s12095-010-0032-0
Hadamard matrices and their applications:Progress 2007–2010
K. J. Horadam
Received: 27 August 2009 / Accepted: 2 June 2010 / Published online: 26 June 2010© Springer Science+Business Media, LLC 2010
Abstract We survey research progress in Hadamard matrices, especially cocyclicHadamard matrices, their generalisations and applications, made over the past threeyears. Advances in 20 specific problems and several new research directions areoutlined. Two new problems are presented.
Keywords Hadamard matrix · Cocyclic matrix · Generalised Hadamard matrix ·Relative difference set · Hadamard code · Presemifield · APN function
1 Introduction
The purpose of this paper is to outline some of the rapid progress made over thepast three years in research into Hadamard matrices, especially cocyclic Hadamardmatrices, their generalisations and applications. Much of this recent progress is dueto Warwick de Launey and his collaborators and their students. The paper covers20 of the 90 numbered Research Problems (RP 1–RP 90) listed in the author’s bookHadamard Matrices and Their Applications [34], and significant other work.
The paper arises from an invited talk presented at the International Conferenceon Design Theory and Applications, Galway, Ireland, July 1–3, 2009, which incor-porated the 2nd International Workshop on Hadamard and Cocyclic Matrices andApplications. As well as providing the first detailed survey of progress for three yearsit contains new and unpublished results on Generalised Hadamard matrices, theFive-fold Constellation and equivalence classes of nonlinear functions over groups.
Dedicated to Warwick de Launey for his 50th birthday.
K. J. Horadam (B)RMIT University, Melbourne, VIC 3001, Australiae-mail: [email protected]
130 Cryptogr. Commun. (2010) 2:129–154
Discussion of progress on RPs 1 and 7, 9, 16 and 21, 30, 33, 38–44, 50, 53, 66, and73–75 is interleaved with interesting developments in other directions. The tightlyfocussed RPs 16, 39, 53, 74 and 75 have been solved, and RP 30 has been solvedup to a coarser equivalence. RP 21 is effectively solved here. Allied to the solutionof RPs 16 and 21 are corrections to two lemmas on generalised Hadamard matricesin [34] (Lemmas 4.10.1 and 7.26.2). Particular cases of the broader framework RPs43, 50, 66 are solved, and RPs 33 and 73 are solved in some cases and have beenrevised.
Although there are still no orders known in which no cocyclic Hadamard matrixexists, many examples of non-cocyclic constructions of Hadamard matrices havebeen found. An extension of the Five-fold Constellation to distance-regular graphs isproposed as a new RP (RP 91). We clarify the definition of equivalence for relativedifference sets (RDSs), and so correct minor errors in [34, Chapters 8.2, 9.2.2]. Weclose with new work, including a new RP (RP 92), on partitioning CCZ equivalenceclasses of functions into EA classes.
Organisation is as follows. Section 2 covers progress made on various forms of theHadamard Conjecture, applications to binary Hadamard codes, and generalisationsto multilevel and higher-dimensional Hadamard matrices. Generalised Hadamardmatrices receive the most detailed treatment: Craigen and de Launey’s solution ofRP 16 and of the allied problems presented here leads us to effective solution ofRP 21.
Section 3 covers progress made on cocyclic Hadamard matrices, their extensionsto coupled G-cocyclic Hadamard matrices and the four other equivalent combinato-rial and algebraic objects of the Five-fold Constellation. We propose an enlargementof the Constellation to include equivalent graphs. Section 4 is devoted to ourimproved understanding of equivalence of semiregular RDSs and how it propagatesaround the Constellation. The way this equivalence relation interacts with coarserequivalences, such as presemifield isotopism and CCZ equivalence of cryptographicfunctions, has proved very exciting, as well as being of considerable practicalinterest.
Terminology and notation follows that of [34]. Throughout, we will use theabbreviations HM, CHM, GHM and HDHM for a Hadamard matrix, cocyclicHadamard matrix, generalised Hadamard matrix and higher-dimensional Hadamardmatrix, respectively.
2 Hadamard matrices, applications and generalisations
2.1 Hadamard matrices
A HM of order k is a k × k matrix H with entries from {±1} such that HH� = kIk ;that is, for which the dot product of any pair of distinct rows is 0. The order isnecessarily 1, 2 or a multiple of 4.
2.1.1 The Hadamard conjecture: RP 1 and RP 7
The Hadamard Conjecture is that HMs of all orders 4n exist. There is still no reasonto believe it does not hold, and further existence results, dealing both with specific
Cryptogr. Commun. (2010) 2:129–154 131
orders and with asymptotic existence (as n → ∞) and density of existence of HMs,have emerged recently.
Asymptotic results give, for each odd natural number m, a value t0 for t in terms ofm such that HMs of orders m 2t exist for all t ≥ t0. The Hadamard Conjecture wouldbe confirmed by showing t0 = 2 for all m, but only values of t0 growing logarithmicallywith m are as yet known. The current lowest known value of t0, due to Craigen[20], is t0 = 2 + 6� 1
16 log2((m − 1)/2)�. In terms of logarithmic lower bounds, we mayrephrase this asymptotic approach to confirmation of the Hadamard Conjecture as:show that for any ε > 0, there is an integer M such that for all m > M, there existHMs of order m 22+�ε log2 m�.
The associated density results aim to show that, for x ∈ Z+, the number of orders
less than x in which HMs are known to exist, as a fraction of the number of positiveintegers 1, 2, 4n less than x, approaches 1 as x → ∞. If S(x) is the number of k ≤x ∈ Z
+ such that a HM of order k exists, the Hadamard Conjecture is equivalentto the conjecture “S(x) = � x
4 � + 2 for every x ≥ 2”. Again, this may be rephrased interms of logarithmic lower bounds. Let ε > 0 and let H(x) denote the number ofodd m ∈ Z
+, m ≤ x for which there is a HM of order 2�m, for some � ≤ 2 + ε log2 m,� ∈ Z
+. de Launey has shown that H(x) has positive density in Z+.
Theorem 1 (de Launey [22, Theorem 1.1]) There exists c1(ε) > 0 (dependent onlyon ε) such that for all suf f iciently large x, H(x) > c1(ε)x.
If the Hadamard Conjecture is correct then c1(ε) may be taken to equal 1/2.de Launey’s proof adapts a number-theoretic argument of Erdos and Odlyzko to
show that there are enough Paley HMs that their Kronecker product with SylvesterHMs will give the result.
He suggested that more complicated arguments counting product constructions ofPaley HMs would result in a greater density, and possibly that c1(ε) can be taken veryclose to 1/2. Subsequently, he and Gordon [23], using results of Kevin Ford, show thisdoes result in greater density, but only by a factor of exp(c log log log x)2. The densityof the Paley and Sylvester HMs alone imply S(x) ≥ (x/ log x) (3/2 + o(1)).
Theorem 2 [23, Theorem 1.3] For all ε > 0, there is an element xε ∈ N such that, forall x > xε , S(x) ≥ (x/ log x) exp{(c − ε)(log log log x)2} for c = 0.8178 . . . .
RP 7 [34, p. 25] asks if HMs exist for the 4 orders then unknown (in 2006) less than1,000. In 2007 Dragomir Djokovic [28] constructed several HMs of order 764 = 4 ·191 of Goethals–Seidel type, leaving existence in orders 668, 716 and 892 unknown.He lists the 13 orders less than 2,000 for which existence of HMs is unknown, whichsuggests that, to provide a greater computational challenge, RP 7 should be replacedby the corresponding problem for unknown orders less than 2,000.
Research Problem 7′ Do Hadamard matrices of orders 4n exist, for n = 167,
179, 223, 251, 283, 311, 347, 359, 419, 443, 479, 487 and 491?
Note that these n are all primes congruent to 3 (mod 4), so that we might also askthe following more general question.
132 Cryptogr. Commun. (2010) 2:129–154
Research Problem 7′′ Do Hadamard matrices of orders 4p exist for all primes p ≡ 3(mod 4)?
2.1.2 The cocyclic Hadamard conjecture: RP 38
The cocyclic Hadamard Conjecture is that there exists a cocyclic HM (see Section 3for the definition) of every order 4n ∈ Z
+. Its confirmation would automaticallyconfirm the Hadamard Conjecture.
de Launey and Kharaghani [24] show that for m an odd positive integer, a cocyclicHM of order m 2t exists whenever t ≥ t0 = 10 + 8� log2 m
10 �, compared to the earliert ≥ �8 log2 m� found by de Launey and Smith [25]. This exponent t0 is only twice thevalue 5 + 4� log2 m
10 � found by Craigen et al. [19] for HMs in general.Their proof involves modifying the method which gave the asymptotic bound in
[19], to ensure that in each step a cocyclic complex HM can replace the complex HM.The most difficult step requires all the machinery of [25]. While this is a substantialimprovement on the value found in [25], it is still a long way from Craigen’s currentbest t0 for HMs in general.
Nonetheless, de Launey [22] notes that his first density theorem (Theorem 1)applies equally to cocyclic Hadamard matrices, because he uses Paley HMs andSylvester HMs in his construction; these are cocyclic; and the Kronecker productpreserves the cocyclic property.
2.2 Applications
2.2.1 Binary Hadamard codes: RP 9
RP 9 [34, p. 41] asks for the F2-rank to be determined for the codes consisting of therows of binarised HMs, for HMs from well-known families.
Phelps et al. [46, 47] have concentrated instead on determining invariants, includ-ing the rank, of the binary codes Cm consisting of the 2m codewords formed from therows and their complements, of an arbitrary binarised HM of order m. This rank is 1more than the rank sought in RP 9.
They introduce the kernel of a binary code C as K(C) = {x ∈ Fm2 | x + C = C}.
The F2-dimension of K(C) is denoted ker(C). When m = 16 these invariants dis-tinguish between 5 inequivalent codes, one for each equivalence class of HMs:(rank(C16), ker(C16)) = (5, 5), (6, 3), (7, 2), (8, 2), (8, 1). The last two derive from thetwo inequivalent transpose HMs, showing that the column behaviour of a HM canbe essentially different from its row behaviour.
Given a HM of order 4s, s > 1 odd, they construct Hadamard codes of lengthm = 2ts, t ≥ 3, with any rank, r ∈ {4s + t − 3, ..., m/2}, and any possible ker k ∈{1, ..., t − 1}.
2.2.2 Multilevel Hadamard matrices
A multilevel Hadamard matrix (MHM) of order n is an n × n matrix H consistingof real elements {±ai, 1 ≤ i ≤ n} (not necessarily all distinct), for which HH� =H� H = (
∑ni=1 a2
i )In. (If a1 = · · · = an = 1, a MHM is a HM. If the ai are insteadrequired to be real variables, these are real orthogonal designs. )
MHMs were introduced by Trinh et al. [51] in 2006 and restricted to integerentries, as a way to construct multilevel zero-correlation zone sequences, which have
Cryptogr. Commun. (2010) 2:129–154 133
been studied for use in approximately synchronized code division multiple accesssystems.
Adams et al. [1] have solved the open question concerning the maximum numberof distinct elements permissible in an order n MHM by proving the existence of afull rate order n MHM (i.e. with n elements of distinct absolute value) for all n. Theygive a construction of full rate circulant MHMs for all n �= 4, and prove that no fullrate circulant MHM is possible if n = 4.
2.3 Generalised Hadamard matrices
A GHM GH(w, v/w)1 over a group N of order w, where w|v, is a v × v matrix Hwith entries from N such that in the integral group ring ZN,
HH∗ = vIv + v/w
(∑
u∈N
u
)
(Jv − Iv) . (1)
Here M∗ is the transpose of the matrix of inverse elements of M, also calledthe transinverse or conjugate, that is, M∗ = (M(−1))� = (M�)(−1), where [mij](−1) =[(mij)
−1].Equivalently, H is a GHM over N if and only if HH∗ = vIv over the quotient ring
ZN/〈∑u∈N u〉. The “only if” direction is immediate. The converse follows from thefact that for distinct rows i, j of H,
∑vk=1 hik(h jk)
−1 is a sum of elements of N, so if it isof the form g(
∑u∈N u) for some g ∈ ZN then g can be replaced by a positive integer
with no loss of generality. A counting argument shows this integer is the constantv/w.
The number of equivalence classes of GHMs of order 16 has only recently beendetermined.
Example 3 (Gibbons and Mathon [32, Table V]) The numbers of inequivalentGH(2i, 24−i) of order 16 up to duality (and, including duals) over all N.
N i = 1 i = 2 i = 3 i = 4Z
i2 4(5) 130(226) 53(86) 18(32)
Z4 13(13)
D8 1(1)
Total 4(5) 143(239) 54(87) 18(32)
Case i = 1 is all HMs of order 16. Case i = 4 is all GH(16, 1), which exist only overthe elementary abelian group Z
42. Up to duality, the corresponding divisible designs
can be extended to 10 of the 13 known projective planes of order 16.
2.3.1 The transpose of a GHM: RP 16
RP 16 [34, p. 72] asks if we can find a GHM (necessarily over a nonabelian group N)whose transpose is not a GHM, or prove that no such matrix exists. This turns outto be very easy: the answer was known much earlier to Craigen and de Launey, andpossibly others. In [17] they show every GHM with entries in a nonabelian group
1Also denoted GH(v, N), or GH(v, m) when N is a group of mth roots of unity.
134 Cryptogr. Commun. (2010) 2:129–154
N has either a transpose which is not a GHM or its transpose is a GHM but it isequivalent (by left multiplication on a single row) to a GHM whose transpose isnot a GHM. They describe small examples of group developed GH(8, 8) over thedihedrals D8 or quaternions Q8 to show the result is not vacuous. The GH(8, 2) overD8 of Example 1 will also suffice.
Craigen and de Launey propose the following revision of the problem.
Research Problem 16′ Is every GHM equivalent to one whose transpose is also aGHM?
2.3.2 The matrix of inverses of a GHM
A variant of their solution to RP 16 may be applied to the corresponding questionabout H(−1). When N is abelian, transposing both sides of (1) gives
H(−1)(H(−1)
)∗ = vIv + v/w
(∑
u∈N
u
)
(Jv − Iv) ,
so that H(−1) is a GHM whenever H is. For nonabelian N this is not the case, soLemma 4.10.1 of [34] (which states that it is true for all N) is incorrect.
Lemma 4 (Craigen and de Launey [18]) For every GHM H with entries in a non-abelian group N, either H(−1) is not a GHM or H(−1) is a GHM but H is equivalent(by right multiplication on a single column) to a GHM K for which K(−1) is not aGHM.
Proof Let x, y be elements of N that do not commute, so x−1 yx �= y. Let H be aGHM over N such that H(−1) is also a GHM and let (h−1
il )1≤l≤v and (h−1jl )1≤l≤v be
distinct rows of H(−1). Then∑v
l=1(hil)−1h jl has every element of N as a term v/w
times. In particular, there is a term equal to y. Without loss of generality, we canassume this term is the first one, i.e. h−1
i1 h j1 = y.Let K be the matrix obtained by postmultiplying the entries of the first column
of H by x, so K is a GHM equivalent to H. Thus in K(−1)(K(−1))∗,∑v
l=1(kil)−1k jl =
(x−1 yx) + ∑vl=2(hil)
−1h jl .Therefore y does not appear as a term in this entry of K(−1)(K(−1))∗ the same
number of times as the other elements of N, and K(−1) is not a GHM. ��
2.3.3 The transinverse of a GHM
In [17] Craigen and de Launey state that a v × v matrix H over N is a GHM if andonly if H∗ is a GHM. As this is a basic result, of which I was unaware, details of theirproof are provided for the reader’s convenience. They use the following elementaryresult.
Lemma 5 Let A be an m-dimensional unital algebra, with identity e, over the f ield F.If a ∈ A and ab = e then b is a two-sided inverse of a.
Cryptogr. Commun. (2010) 2:129–154 135
Proof The set {e, a, a2, . . . , am} is linearly dependent over F, so a satisfies somenonzero polynomial f (x) with coefficients in F of minimal degree d (no greaterthan m). We can write f (x) = ce + g(x)x, where g(x) = c1e + ∑d
i=2 cixi and c, ci ∈ F.If f (0) = 0 then a is a (right) zero-divisor (by minimality of the degree of f (x)),which contradicts ab = e. So ce �= 0 ∈ A, ce = −g(a)a = a(−g(a)) and −g(a)ab =cb = −g(a). It follows that b = −c−1g(a) and ba = e. ��
Theorem 6 (Craigen and de Launey [17, 18]) Let H be a v × v matrix over N. ThenH is a GHM if and only if H∗ is a GHM.
Proof The group algebra QN is a w-dimensional Q-algebra and therefore thequotient ring R = QN/〈∑u∈N u〉 is a (w − 1)-dimensional Q-algebra. The ring A ofall v × v matrices over R is a (w − 1)v2-dimensional Q-algebra (with identity Iv).
Let H be a GHM. By the remarks following (1), 1v
H∗ is a right inverse of Hin A. By Lemma 5 it is a two-sided inverse. Since H∗ H = vIv mod R, the argumentfollowing (1) applies, and H∗ H = vIv mod ZN/〈∑u∈N u〉 as required. ��
2.3.4 Generalised Butson HMs: RP 21
The results above for GHMs have implications for Generalised Butson HadamardMatrices (GBHMs). These are defined [34, Definition 4.35] to be v × v matrices Mover N, where N is a subgroup of the group of units R∗ of a ring R with unity 1and characteristic not dividing v, which satisfy MM∗ = M∗M = vIv , where M∗ is thetransinverse of M.
RP 21 [34, p. 85] asks, for a ring R with unity 1, group of units R∗ and characteristicnot dividing v, if there is a v × v matrix M with entries from a subgroup N ≤ R∗ suchthat MM∗ = vIv , must it follow that M∗M = vIv ?
We note that if R is a k-dimensional S-algebra for some commutative ring Swith unity, and v is invertible in S, then v−1 M∗ is a right inverse of M in the kv2-dimensional unital S-algebra A of v × v matrices over R. The proof of Lemma 5carries through to show there exists c ∈ S such that c1 �= 0 ∈ R and M(cM∗) =(cM∗)M = v(cIv). Consequently we have a positive answer to RP 21 in a sufficientlygeneral case to consider it effectively solved.
Corollary 7 Suppose MM∗ = vIv as in RP 21. If R is a k-dimensional S-algebra forsome commutative ring S with unity, and v is invertible in S, there exists c ∈ S suchthat c1 �= 0 ∈ R and cM∗M = v(cIv). If c1 is not a zero divisor in R then M∗M = vIv .
The corresponding questions for the transpose and the matrix of inverses of M aresolved in the negative in the same way as RP 16 and Lemma 4, respectively.
We need only show there exist matrices M with entries from a nonabeliansubgroup N ≤ R∗ such that MM∗ = vIv . For instance, for D8 = 〈a, b : a4 = b 2 =e, ba = a3b〉, set R = ZD8/P, where P is the two-sided ideal P = 〈1a2 + 1e〉. Thesubset N = {±1e + P, ±1a + P, ±1b + P, ±1ab + P} in R is an isomorphic copy ofD8 and
∑u∈N u = 0 in R. Let H be a GH(8, 8) over D8, so by Theorem 6, so is H∗.
Let M be the image of H under this isomorphism, so by (1), M is both a GHM and aGBHM.
136 Cryptogr. Commun. (2010) 2:129–154
Then M is equivalent to a matrix K which satisfies KK∗ = 8I8 but whosetranspose and matrix of inverses do not satisfy this equation (in both cases because asingle term in
∑u∈N u is varied so the sum cannot equal 0).
2.3.5 Butson matrices and codes
Over the past few years a considerable volume of work dealing with signals overnon-binary alphabets has been published in the engineering literature. Some of it,mentioned only briefly here, derives from application or modification of Butsonmatrices. These Butson matrices are also GBHMs, with R = C and N ≤ C
×, thegroup of the complex unit circle.
In [42], McGuire and Ward provide a general construction of Butson matricesfrom finite Frobenius rings, which generalises those of Pinnawala and Rao cited in[34, Section 9.1.4.2], though it does not produce any new equivalence classes.
Theorem 8 [42, Theorem 13] Let A be a f inite Frobenius ring with generatingcharacter χ and let B be a nondegenerate pairing of a f inite left A-module L and af inite right A-module R. Then H(B) = [χ(B(x, y))]L×R is a Butson matrix equivalentto the Fourier Transform matrix FC, where C = (R,+). Two such matrices (possiblyfrom dif ferent rings) are equivalent if and only if the additive groups of the rightmodules are isomorphic.
They then obtain codes meeting the Plotkin bound from the rows of the Butsonmatrix in the usual fashion [42, Theorem 14]. They observe that if a two-sidedmodule is used, χ(B(x, y)) is a cocycle (see (2) below) and so is χ( f (x)(y)) for anyadditive isomorphism f : R → HomA(R, A). Then the resulting matrices and codesare cocyclic.
Stepanov has written a sequence of papers, starting with the Fourier Transformmatrix Fn for each of n = 3, 4, 6, and finding a suitable smaller k × l matrix withentries from the same group of roots of unity with which to repeatedly tensor it. Hethen analyses the error-correcting and decoding performance of codes derived fromthe rows of the iterated tensor products (which are not GHMs). See for instance [50].
Rifa and co-authors [8, 49] have also been working on the ranks, kernels andintersection numbers of what they call Z2Z4-additive Hadamard codes, which are theadditive dual codes of the Z2Z4-additive extended perfect codes (see for example[8, 49]). These include the quaternary or Z4-additive Hadamard codes (cf. [34,Chapter 4.4.3]).
I misinterpreted earlier work by M. H. Lee and co-authors, and in [34, Section4.5.1] I called a normalised GBHM a “jacket” matrix if it was permutation equivalentto a GBHM with last row and column each consisting of ±1. Those authors nowdescribe a jacket matrix loosely as an n × n matrix J with entries from an unspecifiedset of (necessarily invertible) elements, such that J−1 = 1
c J∗ for some (invertible)constant c. The particular jacket matrices they introduce and prove to be cocyclic arealready known. They are (tensor products of) Fourier Transform matrices FC overabelian groups C (cf. [34, Example 6.2.5]).
To avoid confusion, in future I will use the term bordered GBHMs for the matricesdefined in [34, Section 4.5.1].
Cryptogr. Commun. (2010) 2:129–154 137
2.4 Higher dimensional Hadamard matrices
A proper HDHM of order v and dimension n is an n-coordinate v × v × · · · × v arrayA = [a(i1, . . . , in)] of ±1s such that every (two-dimensional) v × v submatrix is a HM.
The study of proper HDHMs, more general HDHMs, their properties and theirapplications, remains seriously under-developed. However, there has been moreinterest recently. The second edition of Yang’s specialist text [52] has just appeared,while Adams et al. [1] have constructed higher dimensional MHMs from MHMs (seeSection 2.2.2).
2.4.1 Equivalence of HDHMs: RP 30
The original definition of equivalence of HDHMs, due to Ma [41], mimics thedefinition of equivalence of HMs by allowing negation of hyperplanes (subarraysof dimension n − 1) and swapping pairs of parallel hyperplanes.
RP 30 [34, p. 100] is to determine the number of equivalence classes of propern-dimensional Hadamard matrices of order 2.
de Launey and Stafford [26] have revisited and coarsened Ma’s definition of equiv-alence of HDHMs. Call their definition DS equivalence, for ease of reference. Theyallow Ma’s operations, and also allow swapping pairs of indexes. In the 2-dimensionalcase this would correspond to allowing H ∼ H�, which is unconventional. It wouldalso cause problems with the definition of equivalence for error-correcting codes,which fits naturally with the standard definition of equivalence of HMs (and ofGHMs for non-binary codes). For example, the binary codes derived from the twoorder 16 inequivalent transpose HMs have kernels with different dimensions (seeSection 2.2.1).
However, using DS equivalence, they solve RP 30. They show there is only 1 DSequivalence class. All proper n-dimensional Hadamard matrices of order 2 are DS-equivalent to the matrix obtained by applying the construction
a(i1, . . . , in) =∏
1≤ j<k≤n
h(i j, ik
)
(the Product Construction) to H = [h(i1, i2)] for H the Sylvester HM of order 2.They then prove this result does not extend above order 2. They show there is
a constant c > 1 such that any Hadamard matrix H of order v > 2 gives rise viathe Product Construction to cv inequivalent proper three-dimensional Hadamardmatrices of order v. For v = 4, they exhibit three pairwise inequivalent families ofProduct Construction matrices, one for each of three distinct H equivalent to theSylvester HM of order 4. This corrects Ma [41, Corollary 4.4] (quoted as Corollary5.20 in [34]) which claims the number of equivalence classes is the same as for H, inany higher dimension.
In spite of these results, a different approach to classifying HDHMs may well beneeded, as there are real problems surfacing with the computational complexity ofthe classification of HDHMs by equivalence class, as there is for HMs. de Launey andStafford argue that a classification program based on automorphism groups ratherthan equivalence classes may provide more insight, and propose a research problemfor HDHMs [26, Research Project 2, p. 38] with this in mind.
138 Cryptogr. Commun. (2010) 2:129–154
3 Cocyclic Hadamard matrices
If N is a (left) G-module with G-action given by the homomorphism2 ε : G →Aut(N), a cocycle is a map ψ : G × G → N satisfying
ψ(g, h)ψ(gh, k) = ψ(h, k)ε(g)ψ(g, hk), (2)
for all g, h, k ∈ G. We always assume ψ is normalised, ie. ψ(g, 1) = 1 = ψ(1, g). Acoboundary ∂φ is a cocycle of the form3
∂φ(g, h) = φ(g)φ(h)ε(g)φ(gh)−1 (3)
for some mapping φ : G → N which has φ(1) = 1. If ε is trivial it is usually sup-pressed. If N ∼= {±1}, ε is necessarily trivial.
If C is a trivial G-module, the cocycles form a finite abelian group Z 2(G, C) underpointwise multiplication, and the coboundaries form a subgroup B2(G, C). Thequotient group H2(G, C) = Z 2(G, C)/B2(G, C) is the second cohomology group.
If C is a trivial G-module, a v × v matrix M with entries in C is a G-cocyclic matrixover C if there is a cocycle ψ : G × G → C and an ordering G = {1 = g1, g2, . . . , gv}such that M is Hadamard equivalent to the matrix
Mψ = [ψ(gi, g j)
]1≤i, j≤v
. (4)
If C is a trivial G-module, a G-cocyclic GHM over C is any matrix M for whichthere exists a cocycle ψ ∈ Z 2(G, C) such that Mψ in (4) is a GHM. This happens ifand only if, for each g �= 1, Mψ is uniformly distributed over C on each row:
|h ∈ G : ψ(g, h) = u| = v/w, ∀u ∈ C. (5)
In this case, ψ is termed orthogonal. When C = {±1} and ψ is orthogonal, any suchM is a cocyclic Hadamard matrix (CHM).
There are more complicated definitions for cocycles over arbitrary left modules Nand for the more general factor pairs. See [34] for details.
In this most general case the corresponding matrices are called coupled G-cocyclic. As a consequence of Lemma 4 it is still not known if the transpose of acoupled G-cocyclic GHM over a nonabelian group N is itself a GHM, since theargument given in Lemma 7.26.2 of [34] to show this, is incorrect.
3.1 Cocyclic HMs and GHMs
Theoretical progress on the Cocyclic Hadamard Conjecture (RP 38) has beendiscussed in Section 2.1.2.
From the computational point of view the existence question for cocyclic GHMshas two parts. The first is whether a cocyclic GHM exists in a particular order (and,if so, indexed by which groups G of that order); and the second is, if a cocyclic GHM
2The “opposite” multiplication in Aut(N) is needed: σ1σ2 = σ1 ◦ σ2.3The formula in [34, Def. 6.2] is ∂φ(g, h) = φ(g)−1(φ(h)ε(g))−1φ(gh); that is, the coboundary ∂(φ−1)
according to (3). Both definitions of ∂φ are in use. Each is correct, if applied consistently.
Cryptogr. Commun. (2010) 2:129–154 139
exists, how many cocyclic GHMs exist, either in total or up to Hadamard equiva-lence class or some other classification, such as by index group or automorphismgroup.
One approach to these questions is to begin with a cocycle and decide if theresulting matrix (4) is Hadamard. For this we need to know how to compute cocycles.
3.1.1 Computation of cocycles: RP 33
RP 33 [34, p. 128] fixes a finite group G of order v and asks for more computationallyefficient algorithms for listing a minimal set of generators for its universal coefficientgroup. The intention behind the question is to provide, for any finite abelian group C,a minimal set of generators of the finite abelian group Z 2(G, C) of cocycles over Gwith coefficients in C and trivial action, or else algorithms for listing such a set whichpermit computation in higher order groups, or have lower computational complexity,than the three algorithms described in [34, 6.3].
In practice, researchers have reversed the rôles of the groups involved. They havefixed C and studied generators of Z 2(G, C) for families of groups G. Therefore itmakes sense at this point to revise RP 33.
Research Problem 33′ Let C be a family of finite abelian groups and G a familyof finite groups. Determine a minimal set of generators for the group of cocyclesZ 2(G, C), for C ∈ C, G ∈ G, or else find algorithms for listing such a set which permitcomputation in higher order groups, or have lower computational complexity, thanthe three algorithms described in [34, 6.3].
Good progress has been made on RP 33′ when C = {Znp}, the family of elementary
abelian groups. As we see next, the cases C = G ∈ {Zn2} and C = Z2, G ∈ {D4t, Z
22 ×
Zt} have been solved.When G = {Zn
p}, Farmer [30, Theorems 3.1, 3.2] has recently identified a basisof two-variable polynomials over GF(pn) for the subgroup B2(Zn
p, Znp) of cobound-
aries, and a recursive derivation in terms of that for B2(Zn−1p , Z
n−1p ).
We give the coboundary recursion for p = 2. This means the case G = C ∈ {Zn2}
of RP 33′ is solved, as we have a complete description of a polynomial basis for thegroup of cocycles Z 2(Zn
2, Zn2) [30, Theorem 4.5].
Theorem 9 [30, Theorem 3.4] Let w2(k) denote the binary weight of k. For n > 1and 2n−1 < k < 2n, the coboundaries ck = ck(x, y) over Z
n2 can be def ined recursively:
ck =⎧⎨
⎩
(xk−2n−1 + ck−2n−1
)y2n−1 + x2n−1
(yk−2n−1 + ck−2n−1
), w2(k) ≥ 3
x2ry2n−1 + x2n−1
y2r, k = 2n−1 + 2r, r = 0, . . . , n − 2.
The second cohomology group H2(G, C) = Z 2(G, C)/B2(G, C) has been morestudied in other application areas than has the group of cocycles Z 2(G, C). To takeadvantage of this, RP 33′ can be split into two parts: computation of a full set ofrepresentatives of H2(G, C), and computation of a minimal set of generators ofB2(G, C).
The Sevilla Group (Alvarez, Armario, Frau, Gudiel, Guemes, Osuna, Martin,Real) have concentrated on C = {±1} ∼= Z2.
140 Cryptogr. Commun. (2010) 2:129–154
Alvarez et al. [4] have proved for groups G of small orders, that their homologicalreduction technique (Algorithm 3 in Chapter 6.3 of [34]), implemented in Mathe-matica, computes a full set of representatives of H2(G, Z2) faster than the Flannery-O’Brien module in Magma does (Algorithm 2 in Chapter 6.3 of [34]).
To find a minimal set of generators of B2(G, Z2), they use the v − 1 normalised“delta” functions δi : G = {g1 = 1, g2, . . . , gv} → {±1}, where δi(g j) = (−1)δij , i =2, . . . , v, which generate the group of normalised functions from G to {±1}. The cor-responding coboundaries ∂δi(g, h) = δi(g)δi(h)δi(gh)−1, which can then be computedfrom the group multiplication in G, form a generating set of size v − 1 for B2(G, Z2).After writing each coboundary as a length v2 row vector, row reduction of these v − 1rows gives a minimal set of generators [4, Lemma 1].
This means the cases G ∈ {D4t} and G ∈ {Z22 × Zt} (amongst others) are solved,
as in both cases they can find a minimal set of v − 3 generators of B2(G, Z2) and 3representatives of H2(G, Z2) efficiently [3, 4].
3.1.2 Computational search for CHMs: RPs 2(a), 6 and 38
From their minimal generating set for B2(G, Z2), the Sevilla Group derive a basisof coboundary matrices. They have concentrated on the families {D4t, t odd} ofdihedral groups, from which the Ito CHMs arise (RP 6, [34, p. 24]), and {Z2
2 ×Zt, t odd}, from which the Williamson CHMs arise (RP 2(a), [34, p. 16]).
Their approach is to analyse the distribution of −1s in these basis matricescompared with those in the fixed inflation and transgression matrices, to provideformal reductions of the number of basis elements which can contribute to a CHM.This then cuts down the search space for CHMs, in some cases quite dramatically.
This allows them to design better search algorithms such as “guided reproduction”genetic algorithms [5], and to isolate “centrally distributed” subtypes of coboundaries[2] with higher likelihood (experimentally confirmed) of forming CHMs, and thusof providing experimental evidence supporting the Cocyclic Hadamard Conjecture(RP 38).
3.1.3 Non-cocyclic constructions of HMs: RPs 39,40,41,42 and 43
RPs 39, 40, 41 and 42 [34, Chapter 6.5.1] each ask if a specific construction techniquewhich gives HMs is cocyclic. We discuss them in turn, below. Ó Catháin [43] haspartial solutions to RPs 40–42, and, with Stafford [45], has solved RP 39. He takesthe automorphism group approach to finding CHMs, championed by de Launey,which is a consequence of a relationship between each CHM and a regular groupaction on its associated design (part of the Five-fold Constellation of Subsection 3.2following). Given a construction of a HM, he enumerates and analyses the subgroupsof its automorphism group which act regularly on an associated design and containa specified central involution. This is sufficient to determine whether the HM iscocyclic.
Because the automorphism group of a HM is the same as that of its transposeas well as of any equivalent matrix, this characterises cocyclicity, up to transposeequivalence. Note that if the cocyclic matrix Mψ in (4) is a HM then its transpose(Mψ)� is a HM which is Hadamard equivalent to the CHM Mψ∗ where ψ∗ is the dualof ψ . The transpose of a CHM found this way can then be checked for Hadamardinequivalence.
Cryptogr. Commun. (2010) 2:129–154 141
Ó Catháin distinguishes between constructions of Hadamard matrices that alwaysproduce cocyclic matrices, those which produce a mixture of cocyclic and non-cocyclic matrices and those which never produce cocyclic matrices, which he refersto as strongly cocyclic, weakly cocyclic, and non-cocyclic, respectively.
RP 39 asks if the twin prime power difference set construction of HMs (which iscocyclic in order 16) is cocyclic for higher orders. Ó Catháin shows in [43] it is non-cocyclic for all 9 higher orders < 1000, and remarks that this is surprising, as thePaley constructions, which use single prime powers in a similar fashion, are stronglycocyclic. He and Stafford [45] have just succeeded in proving the twin prime powerconstruction is non-cocyclic in all orders > 16.
RP 40 asks if the Goethals-Seidel construction of HMs is cocyclic, and in [43]Ó Catháin shows it is not cocyclic in order 28, and in a partial search of orders 36,44 and 52 none of the Goethals-Seidel HMs he found were cocyclic. He concludesthat the Goethals-Seidel construction is at best weakly cocyclic and conjectures it isnon-cocyclic.
For RP 41, he shows the Kimura construction of HMs, when generated fromdihedral groups of small order, gives no cocyclic HMs, so this construction is at bestweakly cocyclic. He conjectures it is non-cocyclic..
By way of contrast, for RP 42, Ó Catháin finds the twin circulant cores con-struction of HMs has the weak cocyclic property for all the orders (24 to 40) heinvestigated.
RP 43 (also in [34, Chapter 6.5.1]) asks if there are CHMs in each equivalenceclass of HMs of order > 20, and if not, what proportion of the equivalence classes arecocyclic. Ó Catháin [43, 44] has shown that the answer to the first part is no, for orders24, 28, 32 and 36. He classifies all CHMs of order at most 36. His computationalevidence is that 20 is probably the highest order for which each equivalence classof HMs contains a CHM, and as the order increases, the proportion of equivalenceclasses containing a CHM drops dramatically. The following table appears in [44]. Init, column 2 gives the number of equivalence classes of CHMs (where appropriate asa fraction of the number of equivalence classes of HMs of that order). Column 3 givesthe number of isomorphism types of index groups G of CHMs (where appropriateas a fraction of the number of isomorphism types of that order) and column 4 gives
the number of isomorphism types E appearing in extensions Z2ı� E
π� G (whereappropriate as a fraction of the number of isomorphism types of extensions of Z2 bygroups G of that order).
Equivalence classes of CHMs [44]Order Cocyclic Index groups Extension groups2 1 1 24 1 2 3/58 1 3/5 9/1412 1 3/5 3/1516 5 13/14 45/5120 3 2/5 3/1424 16/60 8/15 14/5228 6/487 2/4 2/1332 100/> 3 × 106 49/51 261/26736 35/> 18 × 106 12/14 21/50
142 Cryptogr. Commun. (2010) 2:129–154
Ó Catháin’s results confirm the approach of the Sevilla Group: that to find CHMsit is more productive to focus on those index groups G ∈ {D4t} and G ∈ {Z2
2 × Zt}which are represented in all small orders.
3.1.4 Tensor products and orthogonality: RP 44
The tensor product cocycle is defined for two cocycles with trivial action from theKronecker product of their respective cocyclic matrices, by using (4). A decadeago Hughes, Perera and the author (see [34, Theorem 6.9]) showed that this tensorproduct cocycle is orthogonal if and only if the factors are orthogonal. However notensor product construction of more general cocycles which preserved this result hadbeen found.
RP 44 [34, p. 151] is to extend the tensor product construction to cocycles withnontrivial action, or to the more general factor pairs in such a way as to preserve thisresult.
Galati [31] had found a particular solution: a skew tensor square of a factor pairover an abelian group with itself, which is orthogonal if and only if the factor pair isorthogonal.
In 2008 Chen [14] found a generalisation of the tensor product (for cocycles withtrivial action) which also has the necessary property and may be extensible.
Definition 10 Let Gi, i = 1, 2 be finite groups and C a finite abelian group. Let ψi ∈Z 2(Gi, C), i = 1, 2. Let b : G1 × G2 → C be a homomorphism in each coordinate.The twisted Kronecker product ψ1 ⊗b ψ2 : (G1 × G2) × (G1 × G2) → C of ψ1 andψ2 twisted by b is
ψ1 ⊗b ψ2 ((h1, k1) , (h2, k2)) = ψ1(h1, h2) b(h2, k1) ψ2(k1, k2) .
When b is the trivial map the construction is the tensor product ψ1 ⊗ ψ2 and whenG1 = G2 is abelian, ψ1 = ψ2 and b = ψ1(ψ
�1 )−1 the construction is Galati’s skew
tensor square ψ1 � ψ1.
Theorem 11 [14, Theorem 3.2] The twisted Kronecker product cocycle ψ1 ⊗b ψ2 isorthogonal if and only if both cocycles ψ1, ψ2 are orthogonal.
3.1.5 Orthogonality and multiplicative cocycles: RP 73
A cocycle which is a homomorphism in either (and hence the other) coordinate istermed multiplicative. If a multiplicative cocycle is orthogonal, then C and G areboth elementary abelian p-groups for the same prime p. For p = 2, LeBel (see [34,9.3.1.1]) showed that all orthogonal cocycles in Z 2(Zt
2, Zn2) are multiplicative for 2 ≤
n ≤ t ≤ 3, and claimed to show the same for t = 4. This was the basis of RP 73, whichasks, for 2 ≤ n ≤ t < ∞, if all orthogonal cocycles in Z 2(Zt
2, Zn2) are multiplicative.
Dillon [27] has since informed me that he has found examples computationallywhich contradict LeBel’s argument for the case n < t = 4, but he has also establishedcomputationally that the claim is correct for n = t = 4. That is, for p = 2 and 2 ≤ n =t ≤ 4, there are no non-multiplicative orthogonal cocycles.
More generally, Dillon has solved RP 73 in the negative as follows. Let t = 2n,let K = GF(2n) and let L = K[ξ ] be a quadratic extension of K. Let π be a
Cryptogr. Commun. (2010) 2:129–154 143
normalised permutation of K and consider the coboundary defined by the functionf : L → K, f (x + yξ) = π(x)y. The mapping Tr(b π(x)y) : L → Z2 is bent for anyb �= 0 ∈ K and any π . Therefore (see [34, 9.2.2], for instance) f is vectorial bent (i.e.Perfect Nonlinear) and ∂ f is orthogonal. By setting π to be a suitable non-quadraticpermutation, such as the inversion function π(x) = x2n−2 for any n > 2, we get a non-multiplicative orthogonal coboundary.
Therefore it makes sense at this point to revise RP 73.
Research Problem 73′ Are all orthogonal cocycles in Z 2(Zn2, Z
n2) multiplicative, for
all n ≥ 2?
3.2 The Five-fold Constellation
For finite groups G and N there are always 3 correspondences, between an extension
Nı� E
π� G of N by G, a factor pair (ψ, ε) of N by G (that is, a two-variablefunction ψ : G × G → N and an action ε of G on N by automorphisms, satisfyingadditional conditions), and a transversal {tg : g ∈ G} of the normal subgroup ι(N)
in E with respect to π (that is, a complete set of coset representatives of ι(N) in Esatisfying π(tg) = g, ∀g ∈ G). If N is abelian, the factor pair is a cocycle as in (2). Fulldetails appear in [34, Chapter 7].
A factor pair is constructed from a transversal as follows.
If Nı� E
π� G is an extension of N by G and T = {tx : x ∈ G} is a transversal ofı(N) in E with respect to π , then (ψT , εT ) defined by
εT (x) = ı−1 ◦ tx ◦ ı, (6)
ψT (x, y) = ı−1(
txtyt−1xy
), (7)
for all x, y ∈ G, is a factor pair of N by G.
Of particular interest are extensions Nı� E
π� G satisfying an additional combi-natorial property: that a transversal of ı(N) in E with respect to π is a semiregularrelative difference set in E relative to ı(N) (which requires |N| to divide |G|). Arelative difference set ((v,w, k, λ)-RDS) in a finite group E of order vw relative to anormal subgroup K of order w, is a k-element subset R = {r1, . . . , rk} of E such thatthe sequence of quotients
ri r−1j , ri, r j ∈ R, i �= j (8)
lists each element of E\K exactly λ times and lists no element from K. The subgroupK is called the forbidden subgroup. An RDS R is normalised if R contains theidentity of E, central if K lies in the centre ζ(E) of E and semiregular when k = v.
In this case there are mutual equivalences [34, Theorems 7.29, 7.40] betweenfive objects, which we call the Five-fold Constellation and visualise as a completegraph on 5 vertices. Suppressing the inner pentagram for simplicity, these verticesare pictured in Fig. 1 [34, Fig. 7.1]. They represent:
1. a coupled G-cocyclic GHM over N2. an orthogonal factor pair of N by G3. a semiregular RDS in E relative to ı(N)
144 Cryptogr. Commun. (2010) 2:129–154
Fig. 1 The Five-foldConstellation 1
2
34
5
bs
bcs
c
ns
n
4. a semiregular divisible design with regular group E and class regular normalsubgroup ı(N)
5. a base sequence (a generalised form of Perfect Nonlinear function) φ : G → N.
The outer pentagon (labelled n, for N normal in E) is the most general case. Theinner pentagons represent the case N is (c) central in E and N is (b) binary (∼= Z2).The shadow pentagons (dashed lines labelled s, for splitting) refer to the special casethat the extension is split, that is, E is a semidirect product N �� G.
3.2.1 Orthogonal cocycles and relative dif ference sets
As a consequence of the equivalences we have in the Constellation, many newexistence and construction techniques for these objects have been found. We list justa few which result from the work in earlier sections.
1. de Launey [22] notes that his first density theorem (Theorem 1) for cocyclicHadamard matrices is an asymptotic existence result for central (4t, 2, 4t, 2t)-RDSs.
2. Chen rewrites his factorisation theorem (Theorem 11) using the Constellation[14, Theorem 1.2].Let N be central in E; let G1, G2 be subgroups of E such that 〈G1, G2〉 =E, [G1, G2] ≤ N and G1 ∩ G2 = N; and let Ri be a transversal of N in Gi, i =1, 2.Then R1 R2 is a semiregular RDS in E relative to N if and only if Ri is asemiregular RDS in Gi, i = 1, 2, relative to N.
Cryptogr. Commun. (2010) 2:129–154 145
3.2.2 A Six-fold Constellation? RP 91
There need be nothing canonical about having 5 equivalent objects in the Constella-tion. As Craigen [16] says “perhaps we will see several other ‘stars’ added to thoseof the present constellation, which may be merely the most visible points of light in alarger galaxy”.
For instance, there are several ways of relating HMs to graphs, with applicationsin statistical mechanics, quantum cryptography and graph complexity.
In particular, it is known (see [9, 1.8]) that a HM of order 4n is equivalentto a Hadamard graph4 (that is, a distance-regular graph with intersection array{4n, 4n − 1, 2n, 1; 1, 2n, 4n − 1, 4n}; or, equally, an antipodal distance-regular graphof diameter 4 whose antipodal quotient is complete bipartite).
In [36] I asked how this equivalence could be specialised to CHM. In answer,Peter Cameron [12] says a HM is a CHM if and only if the equivalent Hadamardgraph admits a group of automorphisms acting regularly on each bipartite block.
In [21] antipodal distance-regular graphs are constructed which are equivalent tocertain GHMs, and the extended Preparata codes are found from walks on the graphsin this family.
This leads me to formalise the following new problem.
Research Problem 91 Generalise the equivalence between a CHM and a Hadamardgraph admitting a group of automorphisms acting regularly on each bipartite block,to coupled G-cocyclic GHMs over N. Are there natural applications of these graphsin coding, cryptography or complexity?
4 Bundles: propagating equivalence classes of RDSs
There are natural definitions of equivalence for each type of object in the Constella-tion which arise from their individual contexts, and they do not all match. For GHMsit is Hadamard equivalence; for extensions it is equivalence of short exact sequences;and for cocycles it is cohomology.
It has proved remarkably profitable to study the matching equivalence classesof each type of object in the Constellation that are found by propagating theequivalence classes of RDSs around it. A few subtle errors have persisted in thisanalysis, so more detailed background and clarification is presented next.
Equivalence for RDSs was originally defined by Pott [48, p. 198]. Observe thata translate eRd of an RDS R in E relative to K by fixed elements e, d of E is anRDS relative to K with the same parameters, and in fact we need only consider one-sided translation. Similarly, an automorphism α of E takes a normal subgroup Kof E to α(K) and an RDS R in E relative to K to an RDS α(R) relative to thenormal subgroup α(K), with the same parameters. Moreover, α(R) cannot be anRDS relative to any other normal subgroup K′ �= α(K) since if k′ ∈ K′ \ α(K) thenk′ ∈ E \ α(K) and so is a difference of elements in α(R) λ times.
4A different definition of Hadamard graph (due to Ito [39]) is the graph with vertex set V4n = {0, 1}4n
and edge set E4n = {(u, v) ∈ V24n | dH(u, v) = 2n}, where dH(u, v) is the Hamming distance between
u and v.
146 Cryptogr. Commun. (2010) 2:129–154
Though [48] does not state explicitly that the forbidden subgroup for α(R) is α(K),this condition is necessary to the definition of equivalence of RDSs. That is, if R, R′are RDSs relative to normal subgroups K, K′ in E, respectively, R ∼ R′ ⇔ ∃ α ∈Aut(E), e ∈ E : α(K) = K′ and α(R) = e R′.
Given any normal subgroup K in E, there is an extension K ↪→ Eη
� E/K,where η is the natural quotient map. Any α ∈ Aut(E) which maps K to K′ alsodefines the commuting isomorphism α : E/K → E/K′ with α(dK) = α(d)K′, d ∈ E,
which ensures the natural extensions K ↪→ Eη
� E/K and K′ ↪→ Eη′� E/K′ are
equivalent.A normalised semiregular RDS R relative to K is a normalised transversal of K in
E relative to η, with η(r) = rK, r ∈ R. Although not all such transversals are RDSs,we apply the same conditions to define equivalence of normalised transversals.
Definition 12 [34, Def. 8.1] Let T, T ′ be normalised transversals of the isomorphicnormal subgroups K, K′, respectively, in E. Define T and T ′ to be equivalent, writtenT ∼ T ′, if there exist α ∈ Aut(E) and e ∈ E such that α(K) = K′ and α(T) = e T ′.
For transversals as well as RDSs, it is sufficient to consider left-sided translationonly, since Td = d d−1(T), where d−1 is the inner automorphism d−1(e) = d−1ed ofE. If N ∼= K ∼= K′ and G ∼= E/K ∼= E/K′, consider the commuting diagram
Nı−−−−→ K
↪→−−−−→ Eπ−−−−→ G
α
⏐⏐� α
⏐⏐�
Nı′−−−−→ K′ ↪→−−−−→ E
π ′−−−−→ G
(9)
to see that α ∈ Aut(E) induces γ ∈ Aut(N) and θ ∈ Aut(G), where ı′ ◦ γ = α ◦ ı andπ ′ ◦ α = θ ◦ π .
Equivalence between the transversals T, T ′ defines an equivalence relation be-tween the corresponding factor pairs (ψT , εT ), (ψ
T′ , εT′ ) of N by G, constructed using(6) and (7). The equivalence classes of factor pairs are called bundles and the bundlecontaining (ψ, ε) is denoted B((ψ, ε)) (or B(ψ) when ε is trivial).
4.1 Bundles and equivalence classes of RDSs
When N is abelian, a great deal of progress has been made using the reverse equiva-lence between bundles of cocycles and equivalence classes of semiregular RDSs. Thereader should keep in mind that bundles are not the same as cohomology classes;indeed, the partitions of the group of cocycles induced by transversal equivalenceand by cohomology cut across each other. Cohomology classes, being cosets, all havethe same cardinality, but this is not in general true of bundles.
Cryptogr. Commun. (2010) 2:129–154 147
When further, ε ≡ 1, so N = C is central in the extension group E, the bundleB(ψ) = B((ψ, 1)) of ψ ∈ Z 2(G, C) is
B(ψ) = {γ ◦ (ψ · s) ◦ (θ × θ) : γ ∈ Aut(C), θ ∈ Aut(G), s ∈ G},
where ψ · s(x, y) = ψ(s, y)−1ψ(sx, y) is the shift action of s on ψ (which effectsmultiplication by e in Definition 12).
RP 50 [34, p. 177] is a general classification program for equivalence classesof central semiregular RDSs based on identifying the corresponding bundle oforthogonal cocycles.
One special case occurs when we restrict to the multiplicative cocycles, whichare precisely those for which the shift action is trivial, i.e. ψ · s = ψ, ∀ s ∈ G. Thisproperty of cocycles is preserved by equivalence and the corresponding transversalsare also termed multiplicative.
If a multiplicative cocycle is orthogonal, then C and G are both elementary abelianp-groups for the same prime p. So each bundle of orthogonal multiplicative cocy-cles determines an equivalence class of multiplicative semiregular RDSs, and viceversa.
Multiplicative RDSs and presemif ields: RP 50, RP 53, RP 74 and RP 75 When C =G = Z
np, every orthogonal multiplicative cocycle on Z
np is a multiplication function on
a presemifield of order pn with underlying abelian group ∼= Znp, and vice versa. Each
equivalence class of multiplicative central (pn, pn, pn, 1)-RDSs relative to Znp in E
with E/Znp
∼= Znp corresponds exactly to a strong isotopism class of presemifields of
order pn.RP 53 [34, p. 181] asks if the number of equivalence classes of central (pn, pn,
pn, 1)-RDS, when C = G = Znp, is always a power of p. RP 53 is true for n = 1: there
is only one isotopism class of presemifields (of GF(p)), containing p0 = 1 bundle;and RP 53 is supported by computational evidence for pn < 16.
RP 74 [34, p. 219] asks for the number of bundles when n = 2, and if it is always atleast p. When n = 2 the only presemifield isotopism class is again that of GF(p2).
Horadam and Farmer [38] solve RP 74 and prove that RP 53 is true for n = 2.There are exactly p bundles (presemifield strong isotopism classes) over GF(p2),only one of which is commutative. Representatives of each class are listed. Further,in [29] it is shown that there are always at least 3(p − 1) bundles over GF(p3).
However RP 53 is solved in the negative for p = 2. In [37] Horadam and Farmeralso show there are 1446 equivalence classes of central (16, 16, 16, 1)-RDSs relativeto Z
42; this is not a power of 2. Even if RP 53 is restricted to isotopism classes of fields,
the number of RDS equivalence classes is not a power of 2, as even though there are1, 2, 4, 32 bundles over GF(2), GF(4), GF(8), GF(16), respectively, there are 2094bundles over GF(32).
RP 75 [34, p. 221] asks for the number of bundles in the presemifield isotopismclass of each of the non-commutative semifields V and W of order 16.
RP 75 is solved in [37], as part of the computation of all bundles over all threesemifields of order 16 (including GF(16)). There are 224 bundles in the presemifieldisotopism class of semifield W and 1190 in that of semifield V. Representativepresemifield multiplications are computed for each bundle.
148 Cryptogr. Commun. (2010) 2:129–154
RP 50 is solved for the taxonomic class 〈16, 16, Z42, E, Z
42, i, j〉 with i =
GF(16), W, V and for each i, the representative 32, 224, 1190 presemifield multi-plications, respectively.
4.2 Bundles in the splitting case
In [33] I initiated a study of splitting factor pairs. In the case of most interest to us, asplitting factor pair has the form (∂φ, φ) for some φ in the set C1(G, N) of normalisedfunctions G → N, i.e. φ(1) = 1. Here
∂φ(x, y) = φ(x)φ(y)φ(xy)−1, x, y ∈ G , (10)
which measures how much φ differs from a homomorphism, while φ : G → Aut(N)
is the G-action induced by φ on N by inner automorphisms:
φ(x)(a) = aφ(x) = φ(x)aφ(x)−1, a ∈ N, x ∈ G, (11)
so if N is abelian, the action is trivial and we have the case ε = 1 of (3).Then two functions φ, ϕ ∈ C1(G, N) are (bundle) equivalent, written φ ∼b ϕ, if
their corresponding splitting factor pairs are equivalent, i.e.
φ ∼b ϕ ⇔ B((
∂φ, φ)) = B ((∂ϕ, ϕ)) . (12)
The equivalence class b(φ) of φ is also called a bundle.
Correction to [34, 8.2, 9.2.2] A minor error was made in [33] in the fundamentaldefinition of the bundle of a function, which has been repeated in [34, 37]. The errormatters only if N is nonabelian. We correct it here.
In [33, p. 90] and [34, p.170] it is stated that the group Hom1(G, N) of 1-crossedmappings; that is, the normalised mappings φ : G → N for which the splitting factorpair (∂φ, φ) equals the trivial factor pair (1, 1), is Hom(G, N). However, Hom(G, N)
consists of the functions which satisfy equality on the first coordinate only. Equalityon the second coordinate forces φ : G → ζ(N), where ζ(N) is the centre of N.Therefore Hom1(G, N) = Hom(G, ζ(N)).
Hence the formula for the bundle of φ must be amended.
Definition 13 Let φ ∈ C1(G, N). The bundle of φ is b(φ) ={(γ ◦ (φ · s) ◦ θ) f : f ∈ Hom(G, ζ(N)), θ ∈ Aut(G), γ ∈ Aut(N), s ∈ G
},
where φ · s(x) = φ(s)−1φ(sx) is the shift action of s on φ.
In [33, Eq. (21) and Theorem 3.3], [34, Definition 8.18 and Theorem 9.22.3] and[37, Def. 1], Hom(G, N) must be replaced by Hom(G, ζ(N)).
Un-normalised functions are in the same affine bundle b( f ) if their normalisationsare in the same bundle; that is, for f, f ′ : G → N,
f ∼b f ′ ⇔ b( f ) = b( f ′) ⇔ b( f · 1) = b( f ′ · 1). (13)
I argue that affine bundles are the most appropriate equivalence classes for functionsbetween groups.
The first reason for this is the Constellation (Fig. 1): the splitting case s givesa suite of correspondences between generalised Perfect Nonlinear (PN) functions
Cryptogr. Commun. (2010) 2:129–154 149
[34, Theorem 7.35] and four other stars [34, Theorem 7.30]. The second is that sub-optimal measures of nonlinearity, such as the difference distribution of a function,are also preserved by bundles. The third is that affine bundle equivalence coarsenstypes of function equivalence which have arisen in other contexts: equivalence ofplanar functions, affine equivalence of Boolean functions and linear equivalence ofcryptographic functions.
Bundles and EA classes of nonlinear functions: RP 66 In cryptography, we wantto collect functions over GF(pn) into equivalence classes which preserve measuresof two types: differential uniformity (a combinatorial and geometric condition) andnonlinearity (a discrete Fourier spectrum condition). Optimal functions for theformer measure are called PN (Perfect Nonlinear) if p is odd, and APN (AlmostPerfect Nonlinear) if p = 2. When p is odd, PN functions coincide with planarfunctions over Z
np.
Two types of measure-preserving equivalence have emerged as most effectivefor classifying functions f (x) over GF(2n). The first of these is extended affine(EA) equivalence [10]. The definition generalises immediately to functions overGF(pn), for p any prime. EA equivalence preserves the differential uniformity, thenonlinearity, the resistance to algebraic cryptanalysis, and the algebraic degree of afunction.
Two functions f, f ′ : Znp → Z
np are EA equivalent if f ′ = γ1 ◦ f ◦ γ2 + γ for some
affine functions γ1, γ2, γ over Znp, where γ1, γ2 are permutations.
With Farmer, I have shown that over Zn2 , EA classes and affine bundles (13)
coincide, and our proof [38, Lemma 1] generalises immediately to odd primes.
Lemma 14 Two functions f, f ′ : Znp → Z
np are EA-equivalent if and only if b( f ) =
b( f ′).
RP 66 [34, p. 208] asks for new bundles of planar functions (and thus, when G =N = Z
np, for p odd, for new EA classes of PN functions).
Kyureghyan and Pott [40] list 6 currently known families of EA-inequivalent pla-nar functions, of which 5 are Dembowski-Ostrom polynomials. If a planar functionon Z
np, p odd, is a Dembowski-Ostrom polynomial, the corresponding coboundaries
are multiplicative, and vice versa, and the classification of EA classes of planarfunctions is equivalent to the classification of strong isotopism classes of commutativepresemifields of order pn. Coulter and Henderson [15] have shown this classificationis the same as the classification of isotopism classes of commutative semifields oforder pn. We note the 6th (Coulter-Matthews) family is not Dembowski-Ostrom anddoes not define semifields.
Zha et al. [53] find a family of new planar functions by generalisation from newAPN functions, thus obtaining the first provably new construction of commutativesemifields in arbitrary odd characteristic. Very recently, Bierbrauer [6, 7] has in-troduced a large family of functions and a general method which can be used toprove that parametric subfamilies are PN, and obtains a new construction of planarfunctions [7, Theorem 5]. He has informed me that an uncertainty which has surfacedabout interpretation of a result of Menichetti’s means more detail is needed todemonstrate the semifields in [6, Theorem 7] are new.
150 Cryptogr. Commun. (2010) 2:129–154
4.3 Generalisations of bundles
In this final subsection, we describe two equivalences which are coarser than RDSand bundle equivalence but which are of independent interest.
4.3.1 Bundles and equivalence classes of (4t, 2, 4t, 2t)-RDS: RP 50
Ó Catháin and Röder’s results [44] for RP 43 (see Section 3.1.3) have consequencesfor the classification of central (4t, 2, 4t, 2t)-RDSs. Such RDSs are equivalent toCHMs, and by [34, Corollaries 8.12 and 8.13] there is a set surjection from the setof bundles of central (4t, 2, 4t, 2t)-RDSs to the set of Hadamard equivalence classesof CHMs.
Their approach to finding all the classes of CHMs is to extend the definition ofequivalence class of RDSs (given at the beginning of Section 4) to allow antiautomor-phisms (permutations with α(xy) = α(y)α(x)) of E to act as well as automorphisms.The group AntiAut(E) consisting of the automorphisms and antiautomorphismscontains Aut(E) as a normal subgroup of index at most 2, and the transpose H�of a CHM H will determine a RDS equivalent under an antiautomorphism tothat determined by H [44, Theorem 9]. They compute all these extended RDSequivalence classes then check H and H� for Hadamard equivalence, to count allclasses of CHMs. Their counts of extended RDS classes, combined with the numberof inequivalent pairs H, H� should lead to a complete classification of (4t, 2, 4t, 2t)-RDS classes for t ≤ 9.
4.3.2 Bundles and CCZ equivalence classes: RP 92
The second important equivalence for classifying functions for cryptographic value isCarlet-Charpin-Zinoviev (CCZ) equivalence [13], [10, Definition 1]. The definitiongeneralises immediately to functions over Z
np, for p any prime. CCZ equivalence
preserves the differential uniformity, the nonlinearity and the resistance to algebraiccryptanalysis, but not necessarily the algebraic degree of a function.
Two functions f, f ′ : Znp → Z
np are CCZ equivalent if there exists an automor-
phism α : Z2np → Z
2np and an element e ∈ Z
2np such that
α({( f (x), x), x ∈ Z
np}
)= e + {( f ′(x), x), x ∈ Z
np}. (14)
Kyureghyan and Pott [40] have given a simple proof that each CCZ class of PNfunctions over Z
np, p odd, is a single EA class, so the two equivalences coincide in
this particular case.It is known that EA equivalence implies CCZ equivalence [10, Proposition 3] and
the converse is known not to hold in general. In particular, a permutation over Zn2
and its inverse are CCZ equivalent but instances where they are EA-inequivalent areknown. Consequently [33, Corollary 3, p.95] which claim contrary results, repeatedin [34, Corollary 9.23, Theorem 9.24] and [37], are wrong.
It remains very difficult to tell in general when CCZ equivalent functions are EA-inequivalent. It is known that two CCZ equivalent functions are EA equivalent ifand only if there exists an α ∈ Aut(Z2n
p ) of a particularly simple form, but many otherautomorphisms α not of this form will satisfy (14).
Cryptogr. Commun. (2010) 2:129–154 151
The need to make inroads on this problem has become more acute after break-throughs in the study of APN and PN functions. Until recently, the main focus ofsearch for such functions was amongst the power functions f (x) = xd defined overGF(pn). However, in the past few years there has been a proliferation of discoveriesof new families of APN and PN functions EA-inequivalent to any power functions.Some of the functions found have very intricate form, so proving EA inequivalenceto known families becomes a very daunting task. Some of the APN functions are alsoCCZ-inequivalent to any power functions: recent surveys appear in [11, 40].
We can study the general version of this problem, for arbitrary functions f :G → N. The graph of f is the set S f = {( f (x), x), x ∈ G} ⊂ N × G. It is normalisedif f (1) = 1. This definition is consistent with the usual definition [10, p. 1143]provided we switch first and second components. This can be done with no loss ofgenerality.
We see immediately that the graph Sφ of a normalised function φ is a splittingsemiregular RDS relative to N × {1} if and only if φ is PN. We also see that it is acomplete set of coset representatives of N × {1} in N × G. This additional structuremeans we can associate to it at least one transversal in N × G. Thus we can usetransversals as a common link between EA and CCZ equivalence.
Definition 15 Two functions φ, ϕ ∈ C1(G, N) are graph equivalent, written φ ∼g ϕ,if their graphs Sφ and Sϕ are equivalent; that is, if there exist α ∈ Aut(N × G) and e ∈N × G such that α(Sφ) = e Sϕ . The graph bundle g(φ) of φ is its graph equivalenceclass. Thus g(φ) =
{ϕ ∈ C1(G, N) : ∃ e ∈ N × G, α ∈ Aut(N × G) : α(Sφ) = e Sϕ} . (15)
Two functions f, f ′ : G → N are affine graph equivalent if their normalisationsf · 1, f ′ · 1 ∈ C1(G, N) are graph equivalent. The corresponding equivalence class off is its affine graph bundle g( f ). Because S f = ( f (1), 1)S f ·1 we see that
f ∈ g( f ′) ⇔ f · 1 ∈ g( f ′ · 1), (16)
so restricting to normalised functions does not lead to any loss of information.Generalising [35, Lemma 2] from p = 2 to any prime, we have:
Example 16 Let G = N = Znp and let f : G → G. Then the affine graph bundle g( f )
of f equals the CCZ-equivalence class of f .
Prima facie, the definition of equivalence for graphs is similar to that for transver-sals. As we have established, however, transversal equivalence also requires thecommuting diagram (9). Two examples illustrate the difference.
In the first example, a function is equivalent to itself under a nontrivial graphequivalence but because the extensions are equivalent, the graph equivalence is atransversal equivalence.
Example 17 In (9) let N = G be abelian and E = G × G. Let K = G × {1},ı(a) = (a, 1) and π((a, x)) = x. Let K′ = {(a, a) : a ∈ G} ∼= K, ı′(a) = (a, a) andπ ′((a, x)) = a−1x, so K′ is normal in G × G and ker π ′ = im ı′. Then S1 is a transversalT1 = {tx = (1, x), x ∈ G} of K with respect to π and since π ′(tx) = π(tx) = x, S1 isalso the transversal T1 of K′ with respect to π ′. The mapping α(a, x) = (a, ax) is an
152 Cryptogr. Commun. (2010) 2:129–154
automorphism of G × G, with α(ı(G)) = ı′(G) and α = id on T1. Thus S1 ∼ S1 andT1 ∼ T1 by a nontrivial equivalence.
In Example 17 the identity factor pair (ψT1 , εT1) = (1, 1) results from the con-struction in (6) and (7) whichever subgroup T1 is transversal to.
In the second example, two graphs are equivalent but are not, in general, equiva-lent as transversals.
Example 18 In (9) let N = G and E = G × G. Let K = G × {1}, ı(a) = (a, 1) andπ((a, x)) = x. Let K′ = {1} × G, ı′(x) = (1, x) and π ′((a, x)) = a.
Let φ : G → G be a normalised permutation with inverse inv(φ). The graphsSφ and Sinv(φ) are transversals Tφ = {tx = (φ(x), x), x ∈ G} and Tinv(φ) = {t′x =(inv(φ)(x), x), x ∈ G}, respectively, of K with respect to π . Under the permutationx �→ φ(x), Sinv(φ) is also the transversal T = {t∗x = (x, φ(x)), x ∈ G} of K′ with respectto π ′. The mapping α((a, x)) = (x, a) is an automorphism of G × G with α(ı(G)) =ı′(G) and α(Tφ) = T. Thus Sφ ∼ Sinv(φ) but Tφ ∼ T.
In Example 18 the splitting factor pairs for Tφ and T resulting fromthe construction in (6) and (7) both equal (∂φ, φ) while that for Tinv(φ) is(∂(inv(φ)), inv(φ)).
We close with a new RP.
Research Problem 92 Given G, N and a normalised function φ : G → N, charac-terise the partition of the graph bundle g(φ) into bundles. In particular, for G =N = Z
np, characterise the partition of the CCZ class g(φ) into EA classes.
Acknowledgements I am most grateful to the referees for comprehensive and expert reviews whichgreatly assisted me to clarify and polish this survey.
References
1. Adams, S.S., Crawford, M., Greeley, C., Lee, B., Murugan, M.K.: Multilevel and multidimen-sional Hadamard matrices. Des. Codes Cryptogr. 51, 245–252 (2009)
2. Alvarez, V., Armario, J.A., Frau, M.D., Gudiel, F., Osuna, A.: Rooted trees searching for cocyclicHadamard matrices over D4t , AAECC-19. In: Bras-Amoros, M., Hoholdt, T. (eds.) LNCS,vol. 5527, pp. 204–214. Springer, Berlin (2009)
3. Alvarez, V., Armario, J.A., Frau, M.D., Real, P.: A system of equations for describing cocyclicHadamard matrices. c 16(4), 276–290 (2008)
4. Alvarez, V., Armario, J.A., Frau, M.D., Real, P.: J. Symb. Comput. 44, 558–570 (2009)5. Alvarez, V., Frau, M.D., Osuna, A.: A Heuristic Procedure with Guided Reproduction for
Constructing Cocyclic Hadamard Matrices, ICANNGA 2009. In: Kolehmainen, M. et al., (eds.)LNCS, vol. 5495, pp. 150–160. Springer, Berlin (2009)
6. Bierbrauer, J.: New commutative semifields and their nuclei. In: Bras-Amorós, M., Hoholdt, T.(eds.). AAECC 2009. LNCS, vol. 5527, pp. 179–185 (2009)
7. Bierbrauer, J.: New semifields, PN and APN functions. Des. Codes Cryptogr. 54, 189–200 (2010)8. Borges, J., Phelps, K.T., Rifa, J.: The rank and kernel of extended 1-perfect Z4-linear codes and
additive non-Z4-linear codes. IEEE Trans. Inf. Theory 49(8), 2028–2034 (2003)9. Brouwer, A.E., Cohen, A.M., Neumaier, A.: Distance-regular Graphs. Springer, Heidelberg,
Berlin (1989)
Cryptogr. Commun. (2010) 2:129–154 153
10. Budaghyan, L., Carlet, C., Pott, A.: New classes of almost bent and almost perfect nonlinearpolynomials. IEEE Trans. Inf. Theory 52, 1141–1152 (2006)
11. Budaghyan, L., Carlet, C., Leander, G.: Another class of quadratic APN binomials over F2n : thecase n divisible by 4. In: Proceedings, International Workshop on Coding and Cryptography,INRIA-Rocquencourt, France, 16–20 April 2007, pp. 49–58
12. Cameron, P.: Personal Communication. 2 July 200913. Carlet, C., Charpin, P., Zinoviev, V.: Codes, bent functions and permutations suitable for
DES-like cryptosystems. Des. Codes Cryptogr. 15, 125–156 (1998)14. Chen, Y.-Q.: Twisted product of cocycles and factorization of semi-regular relative difference
sets. J. Comb. Des. 16, 431–441 (2008)15. Coulter, R.S., Henderson, M.: Commutative presemifields and semifields. Adv. Math. 217,
282–304 (2008)16. Craigen, R.: Mathematical Reviews. MR2265694 (2008d:05036)17. Craigen, R., de Launey, W.: Generalized Hadamard matrices whose transposes are not general-
ized Hadamard matrices. J. Comb. Des. 17, 456–458 (2009)18. Craigen, R., de Launey, W.: Personal Correspondence. 27 July 200919. Craigen, R., Holzmann, W.H., Kharaghani, H.: On the asymptotic existence of complex
Hadamard matrices. J. Comb. Des. 5, 319–327 (1997)20. Craigen, R., Kharaghani, H.: Hadamard matrices and Hadamard designs. In: Colbourn, C.J.,
Dinitz, J.H. (eds.) Handbook of Combinatorial Designs, 2nd edn, pp. 273–280. CRC Press, BocaRaton (2007)
21. de Caen, D., Mathon, R., Moorhouse, G.E.: A family of antipodal distance-regular graphs relatedto the classical Preparata codes. J. Algebr. Comb. 4, 317–327 (1995)
22. de Launey, W.: On the asymptotic existence of Hadamard matrices. J. Comb. Theory, A 116,1002–1008 (2009)
23. de Launey, W., Gordon, D.M.: On the density of the set of known Hadamard orders. Cryptogr.Comm. (2010, CCDS special issue). doi:10.1007/s12095-010-0028-9
24. de Launey, W., Kharaghani, H.: On the asymptotic existence of cocyclic Hadamard matrices.J. Comb. Theory, A 116, 1140–1153 (2009)
25. de Launey, W., Smith, M.J.: Cocyclic orthogonal designs and the asymptotic existence of cocyclicHadamard matrices and maximal size relative difference sets with forbidden subgroup of size 2.J. Comb. Theory, A 93, 37–92 (2001)
26. de Launey, W., Stafford, R.M.: Automorphisms of higher-dimensional Hadamard matrices.J. Comb. Des. 16, 507–544 (2008)
27. Dillon, J.F.: Personal Correspondence. 27 February and 15 March 201028. Djokovic, D.Z.: Hadamard matrices of order 764 exist. Combinatorica 28(4) 487–489
(2008)29. Farmer, D.G., Horadam, K.J.: Presemifield bundles over GF(p3). In: Proc. ISIT 2008, pp. 2613–
2616. IEEE, Toronto (2008)30. Farmer, D.G., Horadam, K.J.: A polynomial approach to cocycles over elementary abelian
groups. J. Aust. Math. Soc. 85, 177–190 (2008)31. Galati, J.C.: A group extensions approach to relative difference sets. J. Comb. Des. 12, 279–298
(2004)32. Gibbons, P.B., Mathon, R.: Enumeration of generalised Hadamard matrices of order 16 and
related designs. J. Comb. Des. 17, 119–135 (2009)33. Horadam, K.J.: A theory of highly nonlinear functions, AAECC-16. In: Fossorier, M. et al., (eds.)
LNCS, vol. 3857, pp. 87–100. Springer, Berlin (2006)34. Horadam, K.J.: Hadamard Matrices and Their Applications. Princeton University Press,
Princeton, NJ (2007)35. Horadam, K.J.: EA and CCZ equivalence of functions over GF(2n). In: von zur Gathen, J., et al.
(eds.) Proc. WAIFI 2008. LNCS, vol. 5130, pp. 134–143. Springer, Berlin (2008)36. Horadam, K.J.: Orbiting round the Five-fold Constellation (invited lecture). In: Group Theory,
Combinatorics and Computation 2009. International Conference in Honour of Professor CherylPraeger’s 60th Birthday, Perth, 5 January 2009
37. Horadam, K.J., Farmer, D.G.: Bundles, presemifields and nonlinear functions. In: Augot, D.,Sendrier, N., Tillich J.-P. (eds.) Proc. International Workshop on Coding and Cryptography,pp. 197–206. Versailles, France (2007)
38. Horadam, K.J., Farmer, D.G.: Bundles, presemifields and nonlinear functions. Des. CodesCryptogr. 49, 79–94 (2008)
39. Ito, N.: Hadamard graphs I; II. Graphs Comb. 1, 57–64; 331–337 (1985)
154 Cryptogr. Commun. (2010) 2:129–154
40. Kyureghyan, G.M., Pott, A.: Some theorems on planar mappings. In: von zur Gathen, J., et al.(eds.) Proc. WAIFI 2008. LNCS, vol. 5130, pp. 117–122. Springer, Berlin (2008)
41. Ma, K.: Equivalence classes of n-dimensional proper Hadamard matrices. Australas. J. Combin.25, 3–17 (2002)
42. McGuire, G., Ward, H.N.: Cocyclic Hadamard matrices from forms over finite Frobenius rings.Linear Algebra App. 430, 1730–1738 (2009)
43. Ó Catháin P.: Group Actions on Hadamard Matrices, M. Litt. Thesis, National University ofIreland, Galway (2008)
44. Ó Catháin, P., Röder, M.: The cocyclic Hadamard matrices of order less than 40. Des. CodesCryptogr. (2010). doi:10.1007/s10623-010-9385-9
45. Ó Catháin, P., Stafford, R.M.: On twin prime power Hadamard matrices. Cryptogr. Comm.(2010, CCDS special issue). doi:10.1007/s12095-010-0030-2
46. Phelps, K.T., Rifa, J., Villanueva, M.: Rank and kernel of binary Hadamard codes. IEEE Trans.Inf. Theory 51(11), 3931–3937 (2005)
47. Phelps, K.T., Rifa, J., Villanueva, M.: Hadamard codes of length 2ts (s odd): Rank and kernel,AAECC-16. In: Fossorier, M., et al. (eds.) LNCS, vol. 3857, pp. 328–337. Springer, Berlin (2006)
48. Pott, A.: A survey on relative difference sets. In: Groups, Difference Sets and the Monster,pp. 195–232. de Gruyter, New York (1996)
49. Rifa, J., Solov’eva, F.I., Villanueva, M.: On the intersection of Z2Z4-additive Hadamard codes.IEEE Trans. Inf. Theory 55(4), 1766–1774 (2009)
50. Stepanov, S.A.: A new class of nonlinear senary codes. Probl. Inf. Transm. 42(2), 114–122 (2006)51. Trinh, Q.K., Fan, P., Gabidulin, E.M.: Multilevel Hadamard matrices and zero correlation zone
sequences. Electron. Lett. 42(13), 748–750 (2006)52. Yang, Y.X., Niu, X.X., Xu, C.Q.: Theory and Applications of Higher Dimension Hadamard
Matrices, 2nd edn. Chapman and Hall (2010). ISBN: 978-1-4398180-7-753. Zha, Z., Kyuraghyan, G., Wang, X.: Perfect nonlinear binomials and their semifields. Finite
Fields Appl. 15, 125–133 (2009)