Almost perfect nonlinear families which are not equivalent to permutations
Introduction
Let be a finite field of characteristic 2. A function is said to be almost perfect nonlinear (or APN for short) if for all the image sets of the derivatives attain the maximal cardinality, i.e., There are many known families of (possibly parametrized) polynomials which are APN on an infinite number of fields. Known APN monomial families are listed in Table 1. The reader is referred to [19, Section 5.3] for a list of known families of APN functions.
When the degree is odd, all APN monomials are permutations of , and if n is even, they are 3-to-1 on (see [5, Proposition 17] for the otherwise unpublished argument by Dobbertin). APN functions are studied mainly due to their cryptographical importance as S-Boxes. Highly nonlinear permutations are used in cryptography as S-Boxes in Substitution-Permutation Networks (SPN). The existence of APN permutations on even-degree extensions of is therefore interesting for practical purposes as well. There are no APN permutations on and [14]. It was conjectured in [14] that there are no APN permutations on even-degree extensions of . However, Browning et al. [3] showed existence of APN permutations on . This is the only known APN permutation (up to CCZ-equivalence) on any even-degree extension of . The problem of finding APN permutations on even-degree extensions of is named as “The (Still) Big APN Problem” in the same paper and is deemed to be the major problem in the area. It is especially interesting for the finite field for cryptographic purposes: the AES uses the inverse function (which is not APN on even-degree extensions of , but ‘almost’ APN), optimality of which in terms of differential cryptanalysis might be proved by showing that no APN permutation exists on or vice versa.
The authors of [3] start with a previously known [2] quadratic APN function κ on where u is a generator of . The function κ is not a permutation (note that quadratic APN functions are not permutations on even-degree extensions of , see Section 3 for details). Then they use a method, which they called “doubly-simplex codes,” employing CCZ-equivalence to get an equivalent function G which is actually a permutation. They performed a computer based search for all known APN functions for . The only function (among all known functions at the time) CCZ-equivalent to a permutation for turned out to be the κ function on .
Our aim here is to prove that such a method using CCZ-equivalence would not work for several infinite families of APN functions (including Gold and Kasami) on infinite number of extensions of . No such negative result exists in the literature for an infinite family of APN functions. We will show that (see Table 1), Theorem 1 The following monomial APN functions are not CCZ-equivalent to permutations. Gold functions on , n even, Kasami functions on , n divisible by 4.
Another widely used equivalence for APN functions is EA-equivalence. If the function F with which we start is a component-wise plateaued function, it is easy to see using [1, Corollary 3] that an EA-equivalent function G cannot be a permutation on even-degree extensions of (see Section 3 for the argument). The original idea used in [3] employs CCZ-equivalence instead of EA-equivalence for this particular reason. Therefore we are also interested only in CCZ-equivalence. Being quadratic, Gold functions are plateaued. The fact that Kasami APN functions are plateaued was proved in [8], [22]. Note that almost all known infinite families of APN functions on even-degree extensions of are quadratic, hence component-wise plateaued. One notable exception is the Dobbertin exponent, for which EA-equivalence to permutations is an interesting problem.
Several attempts have been made to find APN permutations. Many of these works concentrate on functions that are generalizations of κ in larger degree extensions of , with the hope to find an APN permutation. It turned out these generalizations cannot be APN. For instance, Canteaut et al. showed the so-called “generalized butterflies” stemming from where and m odd, are not APN if (see [4] and the references therein for progress of results in this direction). A direct polynomial generalization of κ-like functions , where for any m were shown to be APN if and only if either F is EA-equivalent to Gold or and F is EA-equivalent to κ in [13]. Note that between quadratic functions EA-equivalence coincides with CCZ-equivalence [21].
In Section 2, we recall the standard definitions and notions dealing with (vectorial) Boolean functions, e.g., Walsh transform, equivalences. In Section 3, we will explain our approach and give some technical lemmas which will be required later. In Section 4, we prove inequivalence results for Gold and Kasami families in the case of doubly-even-degree extensions of , i.e., the extension degree is congruent to 0 modulo 4. We will prove a lemma in Section 4 on the maximum dimension of an -subspace in cubes which is interesting also for other purposes. And finally in Section 5, we give an inequivalence proof for the Gold family on oddly-even-degree extensions of , i.e., the extension degree is even but congruent to 2 modulo 4.
Section snippets
Preliminaries
The characteristic of the finite fields in this paper will always be 2. The degree of a finite field is denoted by . The set of cubes will play a crucial role. We denote the set of cubes by and by , the set of nonzero cubes . Actually will always mean .
The absolute trace of is When necessary we will use the notation to avoid any confusion. If is an extension of degree m of a subfield with order q we denote by
The approach
Now, we explain the approach of the paper. From now on, we will work on even-degree extensions of , i.e., What we will do in the following is to prove a necessary condition for an APN function to be CCZ-equivalent to a permutation, so that we can derive a contradiction. Since in the definition of CCZ-equivalence has to be nonsingular (see the Remark 6), we must have Therefore (at least) one of and should hold. If an APN function F
Doubly-even dimension
In this section we consider finite fields which are a quadratic extension of a finite field of even-degree m,
We will prove a theorem (Theorem 19) which states that if the non-bent components of a vectorial Boolean function are in cubes , then F cannot be CCZ-equivalent to a permutation on when m is even. It is well known that the non-bent components of Kasami and Gold APN functions are precisely the cubes (see Table 2).
The following lemma, which gives
Oddly-even dimension
In this section we consider finite fields which are a quadratic extension of a finite field of odd degree m, i.e., We will prove that the Gold APN functions on such extensions are not equivalent to permutations of . Theorem 19 relied on Lemma 16, that there are no -vector spaces of dimension m in cubes when m is even. For the odd m case, Lemma 16 does not give us a direct negative result. It is easy to see that (see Remark 17 above) where are maximal
Conclusion
In this paper we have proved that Gold APN functions are not CCZ-equivalent to permutations on all even-degree extensions, and Kasami APN functions are not CCZ-equivalent to permutations on doubly-even extension degrees. We have left one case open.
Problem 29 Are Kasami APN functions equivalent to permutations when ?
One may ask whether the “APN assumption” is necessary when proving those negative results. That is to say, since the fact that d is an APN exponent on the extension degree 2m implies
Acknowledgements
The authors would like to thank Petr Lisoněk for useful discussions. This research initiated when the first author was visiting Katholieke Universiteit Leuven. Most of the work was done when the first author visited the second author at University of Toulon. He is thankful for the hospitality he received in both places. We also would like to thank the referees whose comments have improved the presentation of the paper.
This work was supported by the GAČR Grant 18-19087S - 301-13/201843.
References (22)
- et al.
New cyclic difference sets with Singer parameters
Finite Fields Appl.
(2004) Almost perfect nonlinear power functions on : the Niho case
Inf. Comput.
(1999)Affinity of permutations of
Discrete Appl. Math.
(2006)The weight enumerators for several classes of subcodes of the 2nd order binary Reed-Muller codes
Inf. Control
(1971)On subsets of with dth power differences
Discrete Math.
(1999)Plateaudness of Kasami APN functions
Finite Fields Appl.
(2017)- et al.
On almost perfect nonlinear functions over
IEEE Trans. Inf. Theory
(2006) - et al.
APN polynomials and related codes
J. Comb. Inf. Syst. Sci.
(2009) - et al.
An APN permutation in dimension six
- et al.
If a generalised butterfly is APN then it operates on 6 bits
IACR Cryptol. ePrint Arch.
(2018)
Vectorial Boolean functions for cryptography
Cited by (8)
Classification of (q, q)-Biprojective APN Functions
2023, IEEE Transactions on Information TheoryA Complete Characterization of the APN Property of a Class of Quadrinomials
2021, IEEE Transactions on Information TheoryKim-type APN functions are affine equivalent to Gold functions
2021, Cryptography and CommunicationsOn CCZ-equivalence of the inverse function
2021, IEEE Transactions on Information TheoryOn CCZ-inequivalence of some families of almost perfect nonlinear functions to permutations
2021, Cryptography and Communications