Almost perfect nonlinear families which are not equivalent to permutations

https://doi.org/10.1016/j.ffa.2020.101707

Abstract

An important problem on almost perfect nonlinear (APN) functions is the existence of APN permutations on even-degree extensions of $\mathbb{F}_2$ larger than 6. Browning et al. (2010) gave the first known example of an APN permutation on the degree-6 extension of $\mathbb{F}_2$. The APN permutation is CCZ-equivalent to the previously known quadratic Kim κ-function (Browning et al. (2009)). Aside from the computer-based CCZ-inequivalence results on known APN functions on even-degree extensions of $\mathbb{F}_2$ with extension degrees less than 12, no theoretical CCZ-inequivalence result on infinite families is known. In this paper, we show that Gold and Kasami APN functions are not CCZ-equivalent to permutations on infinitely many even-degree extensions of $\mathbb{F}_2$. In the Gold case, we show that Gold APN functions are not equivalent to permutations on any even-degree extension of $\mathbb{F}_2$, whereas in the Kasami case we are able to prove inequivalence results for every doubly-even-degree extension of $\mathbb{F}_2$.

Introduction

Let $\mathbb{F}$ be a finite field of characteristic 2. A function $F : \mathbb{F} \to \mathbb{F}$ is said to be almost perfect nonlinear (or APN for short) if for all $a \in \mathbb{F}^\times$ the image sets of the derivatives $x \mapsto F(x) + F(x+a)$ attain the maximal cardinality, i.e., $|\{F(x) + F(x+a) : x \in \mathbb{F}\}| = |\mathbb{F}|/2$. There are many known families of (possibly parametrized) polynomials which are APN on an infinite number of fields. Known APN monomial families are listed in Table 1. The reader is referred to [19, Section 5.3] for a list of known families of APN functions.

When the degree $n = [\mathbb{F} : \mathbb{F}_2]$ is odd, all APN monomials are permutations of $\mathbb{F}$, and if $n$ is even, they are 3-to-1 on $\mathbb{F}^\times$ (see [5, Proposition 17] for the otherwise unpublished argument by Dobbertin). APN functions are studied mainly due to their cryptographic importance as S-Boxes. Highly nonlinear permutations are used in cryptography as S-Boxes in Substitution-Permutation Networks (SPN). The existence of APN permutations on even-degree extensions of $\mathbb{F}_2$ is therefore interesting for practical purposes as well. There are no APN permutations on $\mathbb{F}_{2^2}$ and $\mathbb{F}_{2^4}$ [14]. It was conjectured in [14] that there are no APN permutations on even-degree extensions of $\mathbb{F}_2$. However, Browning et al. [3] showed the existence of APN permutations on $\mathbb{F}_{2^6}$. This is the only known APN permutation (up to CCZ-equivalence) on any even-degree extension of $\mathbb{F}_2$. The problem of finding APN permutations on even-degree extensions of $\mathbb{F}_2$ is named “The (Still) Big APN Problem” in the same paper and is deemed to be the major problem in the area. It is especially interesting for the finite field $\mathbb{F}_{2^8}$ for cryptographic purposes: the AES uses the inverse function (which is not APN on even-degree extensions of $\mathbb{F}_2$, but ‘almost’ APN), optimality of which in terms of differential cryptanalysis might be proved by showing that no APN permutation exists on $\mathbb{F}_{2^8}$ or vice versa.
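The APN definition and the odd/even behaviour of APN monomials stated above can be checked by brute force on small fields. This is an added example, not code from the paper; the field moduli and all function names are choices made here.

```python
# Added example, not from the paper: brute-force check over small fields GF(2^n).
from collections import Counter

# Irreducible moduli chosen for this example: x^5+x^2+1, x^6+x+1, AES polynomial.
MODULI = {5: 0b100101, 6: 0b1000011, 8: 0x11B}

def gf_mul(a, b, n):
    """Product of a and b in GF(2^n) = GF(2)[x]/(MODULI[n])."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:              # degree reached n: reduce
            a ^= MODULI[n]
    return r

def monomial_table(d, n):
    """Lookup table of x -> x^d on GF(2^n), elements encoded as integers."""
    def power(x):
        r, e = 1, d
        while e:
            if e & 1:
                r = gf_mul(r, x, n)
            x, e = gf_mul(x, x, n), e >> 1
        return r
    return [power(x) for x in range(1 << n)]

def is_apn(table):
    """Definition above: every derivative x -> F(x)+F(x+a), a != 0, has |F|/2 images."""
    size = len(table)
    return all(len({table[x] ^ table[x ^ a] for x in range(size)}) == size // 2
               for a in range(1, size))

def differential_uniformity(table):
    """Largest number of solutions x of F(x)+F(x+a) = b over a != 0 and all b."""
    size = len(table)
    return max(max(Counter(table[x] ^ table[x ^ a] for x in range(size)).values())
               for a in range(1, size))

def is_permutation(table):
    return len(set(table)) == len(table)

def nonzero_preimage_sizes(table):
    """Set of fibre sizes of F restricted to the nonzero elements."""
    return set(Counter(table[1:]).values())

if __name__ == "__main__":
    for name, d, n in [("x^3", 3, 5), ("x^3", 3, 6), ("x^254 (AES inverse)", 254, 8)]:
        t = monomial_table(d, n)
        print(name, "n =", n, "APN:", is_apn(t), "permutation:", is_permutation(t),
              "uniformity:", differential_uniformity(t))
```

The Gold monomial $x^3$ is an APN permutation for $n=5$ and APN but 3-to-1 on the nonzero elements for $n=6$, while the AES inverse $x^{254}$ on $\mathbb{F}_{2^8}$ is a permutation with differential uniformity 4, so it is not APN.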

The authors of [3] start with a previously known [2] quadratic APN function κ on $\mathbb{F}_{2^6}$, $\kappa(x) = x^3 + x^{10} + u x^{24}$, where $u$ is a generator of $\mathbb{F}_{2^6}^\times$. The function κ is not a permutation (note that quadratic APN functions are not permutations on even-degree extensions of $\mathbb{F}_2$, see Section 3 for details). Then they use a method, which they called “doubly-simplex codes,” employing CCZ-equivalence to get an equivalent function $G$ which is actually a permutation. They performed a computer-based search for all known APN functions for $n<12$. The only function (among all known functions at the time) CCZ-equivalent to a permutation for $n<12$ turned out to be the κ function on $\mathbb{F}_{2^6}$.

Our aim here is to prove that such a method using CCZ-equivalence would not work for several infinite families of APN functions (including Gold and Kasami) on an infinite number of extensions of $\mathbb{F}_2$. No such negative result exists in the literature for an infinite family of APN functions. We will show the following (see Table 1).

Theorem 1

The following monomial APN functions are not CCZ-equivalent to permutations.

  • Gold functions on $\mathbb{F}_{2^n}$, $n$ even,

  • Kasami functions on $\mathbb{F}_{2^n}$, $n$ divisible by 4.

Another widely used equivalence for APN functions is EA-equivalence. If the function $F$ with which we start is a component-wise plateaued function, it is easy to see using [1, Corollary 3] that an EA-equivalent function $G$ cannot be a permutation on even-degree extensions of $\mathbb{F}_2$ (see Section 3 for the argument). The original idea used in [3] employs CCZ-equivalence instead of EA-equivalence for this particular reason. Therefore we are also interested only in CCZ-equivalence. Being quadratic, Gold functions are plateaued. The fact that Kasami APN functions are plateaued was proved in [8], [22]. Note that almost all known infinite families of APN functions on even-degree extensions of $\mathbb{F}_2$ are quadratic, hence component-wise plateaued. One notable exception is the Dobbertin exponent, for which EA-equivalence to permutations is an interesting problem.

Several attempts have been made to find APN permutations. Many of these works concentrate on functions that are generalizations of κ in larger degree extensions of $\mathbb{F}_2$, with the hope to find an APN permutation. It turned out these generalizations cannot be APN. For instance, Canteaut et al. showed the so-called “generalized butterflies” stemming from $P(x,y) = (x + \alpha y)^{2^k+1} + \beta y^{2^k+1}$, where $P \in \mathbb{F}_{2^m}[x,y]$ and $m$ odd, are not APN if $m>3$ (see [4] and the references therein for progress of results in this direction). A direct polynomial generalization of κ-like functions $F : \mathbb{F}_{2^{2m}} \to \mathbb{F}_{2^{2m}}$, where $F(x) = x^3 + a x^{3 \cdot 2^m} + b x^{2^m+2} + c x^{1+2^{m+1}}$, $a,b,c \in \mathbb{F}_{2^m}$, for any $m$ were shown to be APN if and only if either $F$ is EA-equivalent to Gold or $m=3$ and $F$ is EA-equivalent to κ in [13]. Note that between quadratic functions EA-equivalence coincides with CCZ-equivalence [21].

In Section 2, we recall the standard definitions and notions dealing with (vectorial) Boolean functions, e.g., Walsh transform, equivalences. In Section 3, we will explain our approach and give some technical lemmas which will be required later. In Section 4, we prove inequivalence results for Gold and Kasami families in the case of doubly-even-degree extensions of $\mathbb{F}_2$, i.e., the extension degree is congruent to 0 modulo 4. We will prove a lemma in Section 4 on the maximum dimension of an $\mathbb{F}_2$-subspace in cubes which is interesting also for other purposes. And finally in Section 5, we give an inequivalence proof for the Gold family on oddly-even-degree extensions of $\mathbb{F}_2$, i.e., the extension degree is even but congruent to 2 modulo 4.

Preliminaries

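The characteristic of the finite fields in this paper will always be 2. The degree of a finite field $\mathbb{F}$ is denoted by $[\mathbb{F} : \mathbb{F}_2]$. The set of cubes will play a crucial role. We denote the set of cubes by $C_{\mathbb{F}} := \{x^3 : x \in \mathbb{F}\}$, and by $C_{\mathbb{F}}^\times$, the set of nonzero cubes $C_{\mathbb{F}} \setminus \{0\}$. Actually $S^\times$ will always mean $S^\times = S \setminus \{0\}$.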

The absolute trace of $x \in \mathbb{F}$ is $\mathrm{tr}(x) = \sum_{i=0}^{n-1} x^{2^i}$. When necessary we will use the notation $\mathrm{tr}_{\mathbb{F}}$ to avoid any confusion. If $\mathbb{F}$ is an extension of degree $m$ of a subfield $K$ with order $q$ we denote by trF/K(x)=i=0m1xq

The approach

Now, we explain the approach of the paper. From now on, we will work on even-degree extensions of $\mathbb{F}_2$, i.e., $[\mathbb{F} : \mathbb{F}_2] = 2m = n$. What we will do in the following is to prove a necessary condition for an APN function to be CCZ-equivalent to a permutation, so that we can derive a contradiction. Since $L$ in the definition of CCZ-equivalence has to be nonsingular (see Remark 6), we must have $\operatorname{rank} A + \operatorname{rank} B \ge n = 2m$ and $\operatorname{rank} C + \operatorname{rank} D \ge n = 2m$. Therefore (at least) one of $\operatorname{rank} C \ge m$ and $\operatorname{rank} D \ge m$ should hold. If an APN function F

Doubly-even dimension

In this section we consider finite fields which are a quadratic extension of a finite field of even degree $m$: $[\mathbb{F} : K] = 2$, $[K : \mathbb{F}_2] = m$ even, and $q = 2^m$.

We will prove a theorem (Theorem 19) which states that if the non-bent components of a vectorial Boolean function $F : \mathbb{F} \to \mathbb{F}$ are in cubes $C_{\mathbb{F}}$, then $F$ cannot be CCZ-equivalent to a permutation on $\mathbb{F}$ when $m$ is even. It is well known that the non-bent components of Kasami and Gold APN functions are precisely the cubes $C_{\mathbb{F}}^\times$ (see Table 2).

The following lemma, which gives

Oddly-even dimension

In this section we consider finite fields which are a quadratic extension of a finite field of odd degree $m$, i.e., $[\mathbb{F} : K] = 2$, $[K : \mathbb{F}_2] = m$ odd, and $q = 2^m$. We will prove that the Gold APN functions on such extensions are not equivalent to permutations of $\mathbb{F}$. Theorem 19 relied on Lemma 16, that there are no $\mathbb{F}_2$-vector spaces of dimension $m$ in cubes when $m$ is even. For the odd $m$ case, Lemma 16 does not give us a direct negative result. It is easy to see that (see Remark 17 above) $cK$ where $c \in C_{\mathbb{F}}^\times$ are maximal $\mathbb{F}_2$

Conclusion

In this paper we have proved that Gold APN functions are not CCZ-equivalent to permutations on all even-degree extensions, and Kasami APN functions are not CCZ-equivalent to permutations on doubly-even extension degrees. We have left one case open.

Problem 29

Are Kasami APN functions equivalent to permutations when $n \equiv 2 \pmod{4}$?

One may ask whether the “APN assumption” is necessary when proving those negative results. That is to say, since the fact that $d$ is an APN exponent on the extension degree $2m$ implies

Acknowledgements

The authors would like to thank Petr Lisoněk for useful discussions. This research initiated when the first author was visiting Katholieke Universiteit Leuven. Most of the work was done when the first author visited the second author at University of Toulon. He is thankful for the hospitality he received in both places. We also would like to thank the referees whose comments have improved the presentation of the paper.

This work was supported by the GAČR Grant 18-19087S - 301-13/201843.

References (22)

  • C. Carlet

    Vectorial Boolean functions for cryptography
