Abstract
We study several criteria for the (non)linearity of Costas permutations, with or without the imposition of additional algebraic structure in the domain and the range of the permutation, aiming to find one that successfully identifies Costas permutations as more nonlinear than randomly chosen permutations of the same order.
1. Introduction
Costas arrays, namely, square arrangements of dots and blanks such that there lies exactly one dot per row and column, and such that no four dots form a parallelogram and no three dots lying on a straight line are equidistant, appeared for the first time in 1965 in the context of SONAR detection [1, 2], when Costas, disappointed by the poor performance of SONAR systems, used them to describe a novel frequency hopping pattern for SONARs with optimal auto-correlation properties. About two decades later, Professor S. Golomb published two generation techniques [3–5] for Costas permutations, both based on the theory of finite fields, known as the Welch and the Golomb method, respectively. These are still the only general construction methods for Costas permutations available today. Despite the intensive mathematical research dedicated to Costas arrays in the last two decades, many key questions about them remain unresolved, and most notably the issue of their existence: do Costas arrays exist for all orders? There is currently no order known for which Costas arrays provably do not exist, while the two smallest orders for which no Costas arrays are known are 32 and 33 [3].
An interesting application of Costas arrays in cryptography was discovered when it was shown that Welch Costas arrays are Almost Perfect Nonlinear (APN) permutations [6]. This prompted further an investigation of the nonlinearity of Welch Costas permutations, in the sense defined in [7, 8], whereby Welch Costas permutations were interpreted as mappings on , the group of integers modulo , and were indeed shown to exhibit high nonlinearity among all such functions/permutations [9]. Costas permutations, however, are not defined over , but rather over , the set of the first nonnegative integers, on which no group structure is imposed. The object of this work is to investigate the correct interpretation and calculation of the (non)linearity of a Costas permutation, and, by extension, of any discrete function, in this context. What does it mean for a discrete function to be linear? How can the concept of linearity be quantified? Can this quantification benefit, in the case of functions on , from the fact that such functions can be extended to functions on ? Assuming that this latter extension exhibits indeed high nonlinearity, can we infer that the original function on is also highly nonlinear (according to some appropriate definition)?
In what follows we will study several (non)linearity criteria, and more specifically their performance on Costas permutations versus collections of random permutations. In order to maintain compatibility between them and to be able to compare them, we will use Costas permutations of order 15 (but also 16 and 27 on some occasions) as a test case and recurrent example. The conclusions drawn have, of course, been verified on a wider range of orders.
2. Costas Permutations, APN Functions, and Linearity
In this section we provide some background information on Costas permutations and APN functions. We will note, in particular, that, though the definitions of Costas and APN permutations appear deceptively similar, there are nonetheless important differences one has to pay attention to.
2.1. The Definitions
In what follows, let denote the set , and the additive group of integers modulo , ; in other words, and differ just by the imposition of an algebraic structure on the latter, which makes it a ring. We are now ready to define the Costas permutation.
Definition 2.1. Consider a bijection; is a Costas permutation if and only if: An alternative yet fully equivalent way to state this condition is to stipulate that, for any and any , the equation has at most one root .
A permutation corresponds to a permutation array by setting the elements of the permutation to denote the positions of the (unique) 1 in the corresponding column of the array, counting from top to bottom: . It is customary to represent the 1s of a permutation array as “dots” and the 0s as “blanks”. From now on the terms “array” and “permutation” will be used interchangeably, in view of this correspondence.
The Costas property is invariant under horizontal and vertical flips, as well as transposition (and therefore also under rotations of the array by multiples of , which can be expressed as combinations of the previous two operations), hence a Costas array gives birth to an equivalence class that contains either eight Costas arrays, or four if the array happens to be symmetric: this Costas array is then considered to be the unique representative of the equivalence class, and normally the array within the equivalence class that comes first in lexicographical order is selected for this purpose.
We now give the definition of the APN function.
Definition 2.2. is APN if and only if, for anyand any, the equation has at most two roots .
The relation of the two definitions becomes clearer if we also look at the definition of the Perfect Nonlinear (PN) function:
Definition 2.3. is PN if and only if, for any and any , the equation has at most one root (hence exactly one root) .
We now see how close Definitions 2.1 and 2.2 are. When we focus exclusively on permutations, thought, we see that a PN permutation is a contradiction in terms: by Definition 2.3, for any , there has to be an such that , hence cannot possibly be a permutation! Consequently, when studying permutations, we can only hope for the next best thing, namely, an APN permutation. Note that the definitions of a Costas permutation and of an APN function show that these two types of functions are far from being “linear”, namely, far from being similar to a “straight line”, since the distance vectors between pairs of points in the function graph are not, in general, allowed to be collinear.
2.2. Construction Methods for Costas Permutations
We will denote the finite field of elements by , where is, in general, a power of a prime. Recall that , is a prime, is the finite field .
Algorithm 2.4 (Exponential Welch Construction ). Let be a prime, a primitive root of the finite field , and ; the exponential Welch permutation of order corresponding to and is defined by
The inverse of an Exponential Welch permutation (corresponding to the transpose of the corresponding Costas array) is a Logarithmic Welch permutation, which is itself a Costas permutation. The two permutation sets are distinct for [10], implying that there are distinct Welch Costas permutations of order . Here denotes Euler's totient function: , , is the number of positive integers less than and relatively prime to . In particular, there are no self-inverse -permutations (i.e., corresponding to symmetric Welch Costas arrays) for .
Algorithm 2.5 (Golomb Construction ). Let , where is a prime and , and let , be primitive roots of the finite field ; the Golomb permutation of order corresponding to and is defined through the equation
There are distinct -permutations of order [3].
2.3. A Comprehensive Example
Consider the -permutation resulting from , , and . The values corresponding to are, in that order, 0, 1, 3, 7, 4, 9, 8, 6, 2, and 5. As mentioned above, is an APN permutation when construed as a function from to : in this case, all additions take place in arithmetic modulo 10, and we write, for example, that . Note that, after generating , we forget all about the prime number used to generate it (in this case ): henceforth, all modulo operations take place in arithmetic modulo , which is the size of the group , in both the domain and the range.
Considering, however, as a Costas permutation from [] to []; we see that is undefined, because is undefined. On the other hand, , because addition takes place now in the usual integer arithmetic, in both the domain and the range.
2.4. Linearity
What does it mean for a function to be linear? In general, we will assume that both the domain and the range of the function are subsets of a ring , and we will call linear if and only if there exist three constants such that for all , where addition and multiplication are as defined in . It is important to note that, occasionally, can be chosen in more than one way: for example, in the example shown in Section 2.3 we may choose either or , and this leads to different functions , neither of which is linear, however.
As another example, consider defined on [10], where the values corresponding to are, in this order, 0, 2, 4, 6, 8, 10, 1, 3, 5, 7, and 9. This function is not linear under -arithmetic. Since [10] is closed under arithmetic modulo 11, however, we may choose , in which case for all , and is, therefore, linear.
3. Linearity Measures for Discrete Functions
How can we quantify the linearity of a discrete function, and especially of a Costas permutation, in a meaningful way? There are essentially two different ways to proceed, according to whether we are willing/able to introduce some sort of an algebraic structure to the problem or not. Note that we will follow the convention of labeling the criteria we study below by or , according to whether an increase in the value returned by the criterion implies increased linearity or nonlinearity for the tested function, respectively.
3.1. Linearity without Algebraic Structure
3.1.1. Least Squares
In this version of the problem we are given a set of points , on the plane as an input, and we are asked to determine how closely they correspond to the graph of a linear function. The obvious course of action is to fit a line of the form , , according to some fitting criterion, and determine the error of the approximation. The smaller the error, the more “linear” is. Perhaps the most frequently used fitting method used in such cases is the familiar least squares approximation.
3.1.2. Nonmodular Phases
Within the same context, an alternative, completely different concept of linearity can be defined based on the distance vectors between pairs of points , , , where, without loss of generality we may assume that whenever : the function is linear if and only if all such distance vectors have the same phase on the plane. A way to quantify this idea in a continuous way is to determine the unit vector with each such phase, sum the vectors, and find the length of the vector sum. In other words, we consider As there are such vectors in total, the length of the vector sum will be when is linear and less than that otherwise. The normalized is then a number between 0 and 1: the larger it is, the more linear is. In particular, since each phase is confined to , we may substitute by . Given that we can write
3.1.3. The Log-Ratio
In order to obtain a more sensitive measure of linearity, we observe that if , we would get For a general function , these two expressions yield two estimates for , namely, and , where we assume without loss of generality. The log-ratio is a kind of condition number for : the larger it is, the more nonlinear is, so we can use this log-ratio as a measure of the nonlinearity of .
3.2. Linearity with Algebraic Structure
Let us reformulate the ideas presented above regarding distance vectors and their phases in the special case of a function . An indication of the linearity of is the degree to which a constant multiple of approximates (a constant multiple of) the difference , the approximation holding for all pairs , : in other words, we consider the functions and we determine whether any specific choice of the parameters and leads to values that lie uniformly “close to” 0 for all pairs , according to some proximity criterion.
A possible proximity criterion is again to apply “phase modulation”, namely, to allow the values of to multiply the phase of complex exponential , which represents a vector of unit length, and then find the length of the aggregate vectors and choose the longest one. This we define as the (square of the) linearity of : Clearly, is linear if and only if .
Since is an integer function, and remembering that our ultimate goal is to introduce algebraic structure in the problem at some point, it makes sense to confine and to integer values as well. Choosing further , , we effectively impose a modulo addition and consider instead of : Sometimes [9] it even makes sense to generalize the previous expression slightly and use two different integer parameters and as follows: though we will mostly focus on the simple case from now on.
So far we have not related and ; how should we choose for a given ? A first possibility is dictated by the extension of to a function on , that is, , in which case the obvious choice would be . Alternatively, considering still as a function on , both and , range from to included, so the range includes distinct values and hence it suffices to choose , if our goal is to avoid any fold-over of values within this range. Finally, note that if is a -permutation, it makes sense to choose either , as both the domain and the range contain elements, or and , as these parameters reflect the natural modulo arithmetic in the domain and the range, respectively (both cases were studied in [9]).
Let us finish this discussion by mentioning that has already been proposed as a measure of the nonlinearity of in the literature [7, 8], though, in our opinion, the presentation therein was much less straightforward and intuitive than the one given here.
4. Results
In this section we discuss the results obtained for each (non)linearity criterion through simulation. Simulation has been used extensively in recent times for the study of the properties of Costas arrays (see, e.g., [12, 13]).
4.1. Least Squares
When is a Costas permutation of order , linear least squares fitting fails to reveal any meaningful information, precisely because the points are very dispersed on the square, owing to the Costas property. Computer simulations confirm our expectations in that the line fitted by least squares is invariably either horizontal or vertical, while the line fitted by orthogonal least squares, namely the variant of the method where the sum of the square distances of the points from the fitted line is minimized, yields invariably either or as the fitted line. To conclude, Costas arrays are so far from being linear that it makes no sense to measure how far from linearity they are using this criterion.
4.2. Nonmodular Phases
The real part of the vector sum (3.4) is in general much larger than the imaginary part, precisely because we always choose , so the real parts of the summands add constructively. This, in turn, implies that this criterion is not sensitive enough. For example, Figure 1 shows the histograms of over all Costas arrays of order 15 and over an equinumerous collection of randomly chosen permutations of order 15: though the histograms look different, the range of the former lies entirely within the range of the latter, so this criterion is not sensitive enough to determine that Costas permutations are more nonlinear than random permutations.
(a)
(b)
4.3. The Log-Ratio
What if is used instead of ? The log-ratio histograms for all Costas permutations of order 15 and an equinumerous collection of random permutations of order 15, as well as the log-ratio histograms for all Costas permutations of order 16 and for all algebraically constructed Costas permutations of order 16 are shown in Figure 2. Costas permutations are indeed found to be more nonlinear than random ones, even if only slightly so: though the random permutations histogram contains a few outliers at higher values, its main body lies clearly at smaller values compared to the Costas permutations histogram. Similarly, algebraically constructed Costas permutations are observed to be, on average, some of the most linear Costas permutations.
(a)
(b)
(c)
(d)
4.4. Linearity with Algebraic Structure
We computed the linearity of several families of Costas permutations, using as the measure of linearity, being the order of the Costas permutation. More specifically, we focused on the families of all Costas permutations of order 27 and below (Table 1), and on the families of - and -permutations generated in , (Table 2). For each family we recorded the minimal and maximal linearities found, the mean linearity and the standard deviation.
As a general observation, the linearity histograms for all families are well approximated by Gaussian distributions (see, e.g., Figure 3), provided the families contain enough Costas permutations (at least a few hundred). Furthermore, the mean linearities and for - and -permutations of order , respectively, seem to increase asymptotically linearly with (see Figure 4): . Furthermore, it is clear from Figure 3 that successfully distinguishes Costas permutations from random permutations, assigning on average smaller linearity to the former.
(a)
(b)
(c)
(a)
(b)
(c)
5. Conclusion
We proposed various (non)linearity measures for Costas permutations, divided in two broad categories, according to whether we are willing to impose some algebraic structure on the domain and the range or not. Amongst the measures that do not take advantage of any algebraic structure, the linear least squares fit was found inappropriate, as it was completely insensitive to the input, the nonmodular phases criterion was found not to be sensitive enough, while the log-ratio performed adequately in terms of distinguishing Costas permutations from randomly chosen permutations of the same order and correctly deciding that the former are more nonlinear than the latter; it also suggested that algebraically constructed Costas permutations are amongst the most linear Costas permutations. On the other hand, when the difference vectors are combined with an underlying modulo structure, the resulting criterion is sensitive enough to recognize that Costas permutations are less linear than randomly chosen permutations of the same order.