1 Introduction

Let \(\mathbb {F}_{2^n}\) denote the finite field with 2n elements for some positive integer n, and let \(\mathbb {F}_{2^n}^{*}\) denote its multiplicative group. The vector space of dimension n over \(\mathbb {F}_{2}\) will be denoted by \(\mathbb {F}_{2}^{n}\). An (n,m)-function, or vectorial Boolean function, is any mapping from \(\mathbb {F}_{2}^{n}\) to \(\mathbb {F}_{2}^{m}\) or, equivalently, from \(\mathbb {F}_{2^n}\) to \(\mathbb {F}_{2^{m}}\). We typically assume that m = n, i.e. we concentrate on functions from a finite field of characteristic two to itself; however, the approach given in the present paper can be applied to an arbitrary pair of dimensions (n,m).

In the particular case of n = m, we can conveniently represent (n,n)-functions by univariate polynomials over \(\mathbb {F}_{2^n}\); more precisely, any (n,n)-function F can be written as \(F(x) = {\sum }_{i = 0}^{2^{n}-1} c_{i} x^{i}\) for some coefficients \(c_{i} \in \mathbb {F}_{2^n}\). This form, called the univariate representation of F, always exists, and is unique. In the general case, any (n,m)-function F can be represented uniquely as a multivariate polynomial of the form \(F(x) = {\sum }_{u \in \mathbb {F}_{2}^{n}} a_{u} {\prod }_{i = 1}^{n} x_{i}^{u_{i}}\) for \(a_{u} \in \mathbb {F}_{2}^{m}\), where vi denotes the i-th component of the vector \(v = (v_{1}, v_{2}, \dots , v_{n}) \in \mathbb {F}_{2}^{n}\). We will not concern ourselves too deeply with the choice of representation here, as it is typically only important when defining and classifying (n,m)-functions. However, when illustrating some of the concepts of the EA-equivalence test with examples, we will mostly use (n,n)-functions and the univariate representation.

As suggested above, the finite field \(\mathbb {F}_{2^n}\) can be identified with the vector space \(\mathbb {F}_{2}^{n}\), and so the elements of \(\mathbb {F}_{2^n}\) can be identified with binary vectors of n bits; thus, (n,m)-functions can be understood as transformations that take an n-bit sequence as input, and produce an m-bit sequence as output. Thanks to this interpretation, vectorial Boolean functions naturally find applications in the theory and practice of various areas of mathematics and computer science. In particular, vectorial Boolean functions are used in modern block ciphers in the role of so-called “S-boxes”, or “substitution boxes”, and typically constitute the only non-linear part of the cipher. Consequently, the security of the cipher directly depends on the properties of the underlying S-boxes, which motivates the study of vectorial Boolean functions with respect to their cryptographic properties. It is also intuitively clear that (n,n)-functions constitute one of the most practically significant cases, since in cryptography one typically wants to replace a bit sequence with a different bit sequence of the same length.

A basic property of any (n,m)-function, which also has cryptographic implications, is its algebraic degree. Given an (n,m)-function with ANF \(F(x) = {\sum }_{u \in \mathbb {F}_{2}^{n}} u {\prod }_{i = 1}^{n} x_{i}^{u_{i}}\), the algebraic degree of F is defined as the largest degree of any term \(x_{i}^{u_{i}}\) that has a non-zero coefficient au. In other words, the algebraic degree of F is the multivariate degree of its ANF. Thus, for instance, F(x) = x1x2x4 + x2x3 would have algebraic degree 3. In the case of an (n,n)-function given by its univariate representation, the algebraic degree also has a natural interpretation. Given a positive integer i, the binary weight of i is the number of non-zero entries in its binary representation; for example, 19 is written as 10011 in binary, and hence has binary weight 3. The algebraic degree of \(F(x) = {\sum }_{i = 0}^{2^{n}-1} c_{i} x^{i}\) is the largest binary weight of any exponent i with ci≠ 0. Functions of algebraic degree 1, 2, and 3, are called affine, quadratic, and cubic, respectively. An affine function A with A(0) = 0 is called linear. An affine (n,n)-function A satisfies A(x) + A(y) + A(z) = A(x + y + z) for any \(x,y,z \in \mathbb {F}_{2^n}\); similarly, a linear (n,n)-function L satisfies L(x) + L(y) = L(x + y) for any \(x,y \in \mathbb {F}_{2^n}\). It is desirable for vectorial Boolean functions used as S-boxes to have a high algebraic degree, since the latter indicates a good resistance to higher-order differential attacks [10, 14].

Two of the most important cryptographic properties of (n,m)-functions are the differential uniformity and the nonlinearity. Suppose that F is an (n,m)-function for some positive integers n and m. Let δF(a,b) denote the number of solutions \(x \in \mathbb {F}_{2}^{n}\) to the equation F(x + a) + F(x) = b for any \(0 \ne a \in \mathbb {F}_{2}^{n}\) and any \(b \in \mathbb {F}_{2}^{m}\). The multiset \(\{ \delta _{F}(a,b) : 0 \ne a \in \mathbb {F}_{2}^{n}, b \in \mathbb {F}_{2}^{m} \}\) is called the differential spectrum of F. The largest value in the differential spectrum is denoted by δF and is called the differential uniformity of F.

The existence of a large number of solutions x to some equation of the form F(x) + F(a + x) = b for some a≠ 0 and b makes the function F vulnerable to differential cryptanalysis [2]. The value of δF should thus be as low as possible. Since x + a is a solution to the aforementioned equation whenever x is, the minimum possible value of δF is 2; the class of (n,n)-functions attaining this optimal value is called the class of almost perfect nonlinear (APN), and has been an object of intense study since its introduction by Nyberg in the 90’s [16].

The nonlinearity \(\mathcal {N}{\mathscr{L}}(F)\) of F is simply the minimum Hamming distance between any component function of F and any affine (n,1)-function, the component functions of F being the (n,1)-functions Fc of the form Fc(x) = Trm(cF(x)), where \(\text {Tr}_{m} : \mathbb {F}_{2^{m}} \rightarrow \mathbb {F}_{2}\) is the absolute trace defined by \(\text {Tr}_{m}(x) = {\sum }_{i = 0}^{m-1} x^{2^{i}}\) for any \(x \in \mathbb {F}_{2^n}\); when the dimension m is clear from context, we will sometimes write just Tr instead of Trm. The nonlinearity should be high in order to resist linear cryptanalysis [15].

When studying “linear properties” of functions, such as their nonlinearity, it is useful to adapt some linear-algebraic notions from the vector space \(\mathbb {F}_{2}^{n}\) even in the case when we are working with the finite field \(\mathbb {F}_{2^n}\). The linear span of a set \(S \subseteq \mathbb {F}_{2^n}\) is simply the set of all possible linear combinations of the elements in S, i.e. if \(S = \{ s_{1}, s_{2}, \dots , s_{k} \}\) for some positive integer k and for \(s_{i} \in \mathbb {F}_{2^n}\), then \(\text {Span}(S) = \{ c_{1} s_{1} + c_{2} s_{2} + {\dots } + c_{k} s_{k} : c_{1}, c_{2}, \dots , c_{k} \in \mathbb {F}_{2} \}\); obviously, the span can be defined in the same way in the case of the vector space \(\mathbb {F}_{2}^{n}\). Having formalized the linear span, it is straightforward to carry over other notions from \(\mathbb {F}_{2}^{n}\), such as that of linear independence, and that of a basis of \(\mathbb {F}_{2^n}\) (being a linearly independent set \(B \subseteq \mathbb {F}_{2^n}\) with \(\text {Span}(B) = \mathbb {F}_{2^n}\)).

A useful tool for analyzing vectorial Boolean functions is the Walsh transform, which is an integer valued function \(W_{F} : \mathbb {F}_{2}^{n} \times \mathbb {F}_{2}^{m} \rightarrow \mathbb {Z}\) associated with \(F : \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{m}\), and given by the prescription

$$ W_{F}(a,b) = \sum\limits_{x \in \mathbb{F}_{2}^{n}} (-1)^{\text{Tr}_{m}(bF(x)) + \text{Tr}_{n}(ax)} $$

for \(a \in \mathbb {F}_{2}^{n}, b \in \mathbb {F}_{2}^{m}\). In the case of (n,n)-functions, we can more succinctly write

$$ W_{F}(a,b) = \sum\limits_{x \in \mathbb{F}_{2^n}} \chi(bF(x) + ax), $$

where χ(x) = (− 1)Tr(x). The values of WF are called Walsh coefficients, and the multiset \(\{ W_{F}(a,b) : a \in \mathbb {F}_{2}^{n} ,b \in \mathbb {F}_{2}^{m} \}\) is called the Walsh spectrum of F. The multiset of the absolute values of F, i.e. the multiset \(\{ |W_{F}(a,b)| : a \in \mathbb {F}_{2}^{n} ,b \in \mathbb {F}_{2}^{m} \},\) is called the extended Walsh spectrum of F.

Due to the huge number of (n,m)-functions even for small values of n and m, their classification is typically only performed up to some equivalence relation that preserves the properties being studied. In the case of cryptographically optimal vectorial Boolean functions, the most general equivalence relation preserving both the differential uniformity and the nonlinearity is the so-called Carlet-Charpin-Zinoviev-equivalence, or CCZ-equivalence [9]. Two (n,m)-functions F and G are said to be CCZ-equivalent if there is an affine permutation \(\mathcal {A}\) of \(\mathbb {F}_{2}^{n} \times \mathbb {F}_{2}^{m}\) mapping the graph \({\Gamma }_{F} = \{ (x,F(x)) : x \in \mathbb {F}_{2}^{n} \}\) of F to the graph ΓG of G.

Testing whether two given functions F and G are CCZ-equivalent is usually done by means of the equivalence of linear codes [5, 13]. More precisely, a particular linear code \(\mathcal {C}_{F}\) is associated with F, and a particular linear code \(\mathcal {C}_{G}\) is associated with G; F and G are then CCZ-equivalent if and only if \(\mathcal {C}_{F}\) and \(\mathcal {C}_{G}\) are equivalent. Testing whether two given linear codes are equivalent has the advantage that it is usually already implemented in most mathematical software, such as the Magma programming language that we use for most of our computations [4].

Unfortunately, computationally testing CCZ-equivalence in this way can reliably be performed only when the dimensions m and n are relatively small; in the case of (n,n)-functions, this means n ≤ 9, since for higher values of n, the memory consumption becomes overwhelming, and the test cannot be performed in a lot of cases. Furthermore, the current implementation of Magma can give false negatives due to insufficient memory; in other words, if the equivalence test outputs “false”, we have no reliable way of determining whether this is due to insufficient memory, or due to a successfully completed exhaustive search proving the inequivalence of the linear codes (and hence, vectorial Boolean functions) in question.

Ruling out e.g. CCZ-equivalence can be facilitated by means of invariants, i.e. properties or statistics that are preserved under CCZ-equivalence. The differential spectrum and the extended Walsh spectrum are invariant under CCZ-equivalence, i.e. if two (n,m)-functions F and G are CCZ-equivalent, then their differential spectra and extended Walsh spectra are the same. Unfortunately, the Walsh spectra and differential spectra of all known APN functions are the same (with some rare exceptions in the case of the Walsh spectrum), rendering these invariants nearly useless in practice. Other invariants, such as the Γ-rank and Δ-rank have been introduced [12], that can take different values for distinct CCZ-classes of functions, and can therefore be used to rule out CCZ-equivalence in some cases. The major drawback of these invariants is that they require significant computational resources, meaning that, on the one hand, their calculation takes a long time, e.g. around ten days for a single Γ-rank over \(\mathbb {F}_{2^{10}}\), and, on the other hand, computing these invariants for \(\mathbb {F}_{2^n}\) with n > 10 is impossible at the moment due to overwhelming memory requirements.

A special case of CCZ-equivalence is extended affine equivalence, or EA-equivalence. Two (n,m)-functions F and G are said to be EA-equivalent if there exist affine functions \(A_{1} : \mathbb {F}_{2}^{m} \rightarrow \mathbb {F}_{2}^{m}\), \(A_{2} : \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{n}\), and \(A : \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{m}\) such that

$$ A_{1} \circ F \circ A_{2} + A = G, $$
(1)

with A1 and A2 being bijective. We will refer to A1 as the outer permutation and to A2 as the inner permutation throughout the paper. CCZ-equivalence is strictly more general than EA-equivalence combined with taking inverses [7], but in certain cases, such as for quadratic and monomial functions, checking whether two functions (or, potentially, their inverses) are EA-equivalent is enough to decided CCZ-equivalence: two quadratic APN functions are CCZ-equivalent if and only if they are EA-equivalent [18]; and two power functions are CCZ-equivalent if and only if they are cyclotomic equivalent [11]. Recall that two power functions F(x) = xd and G(x) = xe over \(\mathbb {F}_{2^n}\) are said to be cyclotomic equivalent if e ≡ 2kd mod (2n − 1) or e− 1 ≡ 2kd mod (2n − 1); furthermore, cyclotomic equivalence is a special case of EA-equivalence and taking inverses. This is particularly interesting when one takes into account that all known APN functions (which fall into more than 20000 distinct CCZ-equivalence classes) are CCZ-equivalent to a monomial or quadratic function, with only a single exception in dimension n = 6. Thus, from a practical point of view, being able to test functions for EA-equivalence is virtually as useful as being able to test them for CCZ-equivalence, at least as far as the classification of APN functions is concerned.

Surprisingly, despite its simple definition, the only known algorithm to date for computationally testing the EA-equivalence of two given functions is one by means of associated linear codes, much like in the case of CCZ-equivalence [13]; the associated codes used in this approach are of a somewhat more complicated form than the ones used in the CCZ-equivalence test, and so this approach is even more restrictive with respect to computational resources and memory requirements. Indeed, testing EA-equivalence for quadratic functions (which coincides with CCZ-equivalence) is typically done by testing them for CCZ-equivalence. Algorithms for testing the EA-equivalence of two functions in some other special cases (grouped under the umbrella term “restricted EA-equivalence”) have previously been studied in [3], [8], and [17].

Since EA-equivalence is a special case of CCZ-equivalence, any CCZ-invariant is also an EA-invariant. As mentioned above, the extended Walsh spectrum and differential spectrum are practically useless in the case of APN functions, as they almost always take the same value in the APN case, while the Γ- and Δ-rank involve somewhat laborious computations. EA-equivalence being less general than CCZ-equivalence, it is natural to expect to have properties that are EA-invariant but not CCZ-invariant. One such property is the algebraic degree, which is preserved by EA-equivalence, but not by CCZ-equivalence. Unfortunately, this is not terribly useful for classifying APN function either since, as mentioned above, nearly all known instances of APN functions are quadratic.

In this paper, we present an approach for computationally testing the EA-equivalence of two (n,m)-functions by first guessing the outer permutation A1, applying its inverse to (1) to obtain a relation of the form \(F \circ A_{2} + A^{\prime } = G^{\prime }\), and then solving the latter for A2 and \(A^{\prime }\). In the case of (n,n)-functions with n even, our approach allows the set of possible affine permutations A1 to be drastically reduced (as opposed to exhaustive search), which makes the entire procedure computationally feasible. Our approach has the advantage that it can be broken down into a multitude of small independent steps, which makes the resulting algorithm easily parallelizable. Unlike the CCZ-equivalence test and EA-equivalence test described in [13], which rely on testing the equivalence of a pair of linear codes (and therefore require specialized and rather complex algorithms), our approach uses only basic arithmetics and linear algebra, and can be easily implemented in any general-purpose programming language, and ran on any computer. Furthermore, each of the individual steps comprising the algorithm has a concrete and meaningful input and output that can be monitored and verified. This precludes the possibility of false positives or negatives as in the case of the current CCZ-equivalence test.

2 A family of EA-invariants

Let m,n,k be positive integers, and t be an element of \(\mathbb {F}_{2}^{n}\). We denote by \(\mathcal {T}_{k}(t)\) the set of all k-tuples of elements from \(\mathbb {F}_{2}^{n}\) that add up to t, i.e.

$$ \mathcal{T}_{k}(t) = \{ (x_{1}, x_{2}, \dots, x_{k} ) \in (\mathbb{F}_{2}^{n})^{k} \mid \sum\limits_{i = 1}^{k} x_{i} = t \}. $$

If A is an affine (n,n)-permutation, then the image of any k-tuple \((x_{1}, x_{2}, \dots , x_{k} )\) from \(\mathcal {T}_{k}(t)\) is a k-tuple \((A(x_{1}), A(x_{2}), \dots , A(x_{k}) )\), the sum of whose elements is

$$ A(x_{1}) + A(x_{2}) + {\dots} + A(x_{k}) = \begin{cases} A(x_{1} + x_{2} + {\dots} + x_{k}) & k \text{ odd}; \\ A(x_{1} + x_{2} + {\dots} + x_{k}) + A(0) & k \text{ even}. \end{cases} $$

Equivalently, A is a one-to-one mapping from \(\mathcal {T}_{k}(t)\) to \(\mathcal {T}_{k}(t^{\prime })\), where \(t^{\prime } = A(t)\) when k is odd, and \(t^{\prime } = A(t) + A(0)\) when k is even. In particular, a linear A always permutes \(\mathcal {T}_{k}(0)\).

For any (n,m)-function F, let \({{\Sigma }_{k}^{F}}(t)\) denote the multiset of all sums of the form \(F(x_{1}) + F(x_{2}) + {\dots } + F(x_{k})\) for all k-tuples \((x_{1}, x_{2}, \dots , x_{k} ) \in \mathcal {T}_{k}(t)\). Symbolically:

$$ {{\Sigma}_{k}^{F}}(t) = \left\{ \sum\limits_{i = 1}^{k} F(x_{i}) : (x_{1}, x_{2}, \dots, x_{k} ) \in \mathcal{T}_{k}(t) \right\}. $$

The multiplicities of \({{\Sigma }_{k}^{F}}(0)\) are then an EA-invariant for any even value of k.

Proposition 1

Let F and G be (n,m)-functions with A1FA2 + A = G for some affine functions \(A_{1} : \mathbb {F}_{2}^{m} \rightarrow \mathbb {F}_{2}^{m}, A_{2} : \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{n}, A : \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{m}\) with A1,A2 bijective. Let k be a positive integer. Then

$$ {{\Sigma}_{k}^{G}}(0) = \begin{cases} \{ A_{1}(s) + A(0) : s \in {{\Sigma}_{k}^{F}}(A_{2}(0)) \} & k \text{ odd}; \\ \{ A_{1}(s) + A_{1}(0) : s \in {{\Sigma}_{k}^{F}}(0) \} & k \text{ even}. \end{cases} $$

In particular, the multiplicities of \({{\Sigma }_{k}^{F}}(0)\) and \({{\Sigma }_{k}^{G}}(0)\) (that is, the number of times that each element occurs in each multiset) are the same when k is even.

Proof

Consider a k-tuple \((x_{1}, x_{2}, \dots , x_{k} )\) with \(x_{1} + x_{2} + {\dots } + x_{k} = 0\). The sum of the images of xi under A2 is \(A_{2}(x_{1}) + A_{2}(x_{2}) + {\dots } + A_{2}(x_{k})\), which becomes \(A_{2}(x_{1} + x_{2} + {\dots } + x_{k})\) for odd values of k, and \(A_{2}(x_{1} + x_{2} + {\dots } + x_{k}) + A_{2}(0)\) for even values of k. Since \(x_{1} + x_{2} + {\dots } + x_{k} = 0\) by assumption, the sum \(A_{2}(x_{1}) + {\dots } + A_{2}(x_{k})\) is then A2(0) for odd k, and 0 for even k. Thus, computing all sums of the form \(F \circ A_{2} (x_{1}) + F \circ A_{2} (x_{2}) + {\dots } + F \circ A_{2}(x_{k})\) for \((x_{1}, x_{2}, \dots , x_{k} ) \in \mathcal {T}_{k}(0)\) is equivalent to computing all sums of the form \(F(x_{1}) + F(x_{2}) + {\dots } + F(x_{k})\) for \((x_{1}, x_{2}, \dots , x_{k} ) \in \mathcal {T}_{k}(q)\), with q = 0, resp. q = A2(0) for k even, resp. k odd. Thanks to the affinity of A1, computing the sums of values of A1FA2 amounts to computing the corresponding sums of values of FA2, and then taking their image under A1, up to the addition of the constant A1(0) in the case of even k. Finally, the sum \(A(x_{1}) + A(x_{2}) + {\dots } + A(x_{k})\) of the images of \(x_{1}, \dots , x_{k}\) under A is equal to A(0) for k odd, and is equal to 0 for k even. Computing the sums of values of G = A1FA2 + A is thus the same as computing the sums of values of A1FA2, up to the addition of the constant A(0) in the case of odd k. The particular statement follows immediately from the above by observing that the elements of \({{\Sigma }_{k}^{G}}(0)\) are simply the images of the elements in \({{\Sigma }_{k}^{F}}(0)\) under the linear part of the permutation A1. □

Recall that the majority of known APN functions are quadratic, and that testing the equivalence of quadratic (n,n)-functions represents the case of highest practical interest. One very useful observation that we can make in the quadratic case is that we can assume A1(0) = A2(0) = 0, which (as we see later), greatly simplifies the complexity of the entire EA-equivalence test; and, in particular, means that the multiplicities of \({{\Sigma }_{k}^{F}}(0)\) are an EA-invariant for quadratic functions in the case of odd values of k as well.

Proposition 2

Let F,G be quadratic (n,n)-functions for some positive integer n, and suppose that A1FA2 + A = G for some affine (n,n)-functions A1,A2,A with A1, A2 bijective. Furthermore, let c1 = A1(0), c2 = A2(0), and L1(x) = A1(x) + c1, L2(x) = A2(x) + c2 so that L1 and L2 are linear. Then there exists an affine (n,n)-function \(A^{\prime }\) such that

$$ L_{1} \circ F \circ L_{2} + A^{\prime} = G. $$

Proof

We can assume that F is purely quadratic, i.e. of the form \(F(x) = {\sum }_{0 \le i < j < n} c_{ij} x^{2^{i} + 2^{j}}\) for some coefficients \(c_{ij} \in \mathbb {F}_{2^n}\). The composition FA2 expands to

$$ \begin{array}{@{}rcl@{}} F(A_{2}(x)) & =& F(L_{2}(x) + c_{2}) = \sum\limits_{ij} c_{ij} (L_{2}(x) + c_{2})^{2^{i} + 2^{j}} \\ & =& \sum\limits_{ij} c_{ij} L_{2}(x)^{2^{i} + 2^{j}} + \sum\limits_{ij} c_{ij} (c_{2}^{2^{j}} L_{2}(x)^{2^{i}} + c_{2}^{2^{i}} L_{2}(x)^{2^{j}} + c_{2}^{2^{i} + 2^{j}}) \\ & =& F(L_{2}(x)) + A^{\prime\prime}(x), \end{array} $$

where \(A^{\prime \prime }(x) = {\sum }_{ij} c_{ij} (c_{2}^{2^{j}} L_{2}(x)^{2^{i}} + c_{2}^{2^{i}} L_{2}(x)^{2^{j}} + c_{2}^{2^{i} + 2^{j}})\) is an affine function. Then the composition A1FA2 becomes

$$ A_{1}(F(A_{2}(x))) = L_{1}((F \circ L_{2})(x) + A^{\prime\prime}(x) ) + c_{1} = L_{1} \circ F \circ L_{2}(x) + AA^{\prime\prime\prime}(x), $$

where \(AA^{\prime \prime \prime }(x) = L_{1}(A^{\prime \prime }(x)) + c_{1}\). Finally, taking \(A^{\prime } = AA^{\prime \prime \prime }(x) + A(x)\), we have

$$ L_{1} \circ F \circ L_{2} + A^{\prime} = G $$

as desired. □

As suggested above, Proposition 2 implies that the multiplicities of \({{\Sigma }_{k}^{F}}(0)\) are an invariant for both odd and even values of k in the quadratic case. Note that the condition of the function being quadratic is necessary, as witnessed by e.g. F(x) = x15 and G(x) = (x + α)15 over \(\mathbb {F}_{2}six\), where α is a primitive element of \(\mathbb {F}_{2}six\): the elements of the finite field in question fall into three distinct classes based on their multiplicities in \({{\Sigma }_{3}^{F}}(0)\), but into five distinct classes based on their multiplicities in \({{\Sigma }_{3}^{G}}(0)\).

Corollary 3

Following the notation and hypothesis of Proposition 1, if F and G are in addition quadratic, then the multiplicities of \({{\Sigma }_{k}^{F}}(0)\) and \({{\Sigma }_{k}^{G}}(0)\) are the same for any value of k.

The complexity of computing the multiplicities of \({{\Sigma }_{k}^{F}}(t)\) for an (n,m)-function F increases exponentially with each increment of k. Fortunately, computing the multiplicities via the Walsh transform of F results in a complexity that does not depend on the value of k.

Proposition 4

Let F be an (n,m)-function, k be a positive integer, \(t \in \mathbb {F}_{2}^{n}\) and \(s \in \mathbb {F}_{2}^{m}\). Let \({M_{k}^{F}}(t,s)\) denote the number of k-tuples \((x_{1}, x_{2}, \dots , x_{k} )\) such that \(x_{1} + x_{2} + {\dots } + x_{k} = t\) and \(F(x_{1}) + F(x_{2}) + {\dots } + F(x_{k}) = s\). Then

$$ 2^{m+n} {M_{k}^{F}}(t,s) = \sum\limits_{a \in \mathbb{F}_{2}^{n}} (-1)^{\text{Tr}_{n}(at)} \sum\limits_{b \in \mathbb{F}_{2}^{m}} (-1)^{\text{Tr}_{m}(bs)} {W_{F}^{k}}(a,b). $$
(2)

Proof

From the definition of the Walsh transform, the expression

$$ \sum\limits_{a \in \mathbb{F}_{2}^{n}} (-1)^{\text{Tr}_{n}(at)} \sum\limits_{b \in \mathbb{F}_{2}^{m}} (-1)^{\text{Tr}_{m}(bs)} {W_{F}^{k}}(a,b) $$

expands to

$$ \sum\limits_{a \in \mathbb{F}_{2}^{n}, b \in \mathbb{F}_{2}^{m}} \sum\limits_{x_{1}, \dots, x_{k} \in \mathbb{F}_{2}^{n}} (-1)^{\text{Tr}_{m}(b(s + {\sum}_{i = 1}^{k} F(x_{i}))) + \text{Tr}_{n}(a(t + {\sum}_{i = 1}^{k} x_{i})) }. $$

By changing the order of summation, this becomes

$$ \sum\limits_{b \in \mathbb{F}_{2}^{m}} \sum\limits_{x_{1}, \dots, x_{k} \in \mathbb{F}_{2}^{n}} (-1)^{\text{Tr}_{m}(b(s + {\sum}_{i = 1}^{k} F(x_{i})))} \sum\limits_{a \in \mathbb{F}_{2}^{n}} (-1)^{\text{Tr}_{n}(a(t + {\sum}_{i = 1}^{k} x_{i})) }. $$

The statement then follows by recalling that \({\sum }_{a \in \mathbb {F}_{2}^{n}} (-1)^{\text {Tr}_{n}(ax)}\) evaluates to 0 for any \(0 \ne x \in \mathbb {F}_{2}^{n}\), and evaluates to 2n for x = 0. □

Finding the multiplicity of a given element \(s \in \mathbb {F}_{2}^{m}\) in \({{\Sigma }_{k}^{F}}(t)\) now amounts to computing the Walsh coefficients WF(a,b) of F, raising them to the power k, and combining them according to (2). We note that for the purposes of testing EA-equivalence, we always assume t = 0, and hence (2) simplifies to \(2^{m + n} {M_{k}^{F}}(0,s) = {\sum }_{a \in \mathbb {F}_{2}^{n}, b \in \mathbb {F}_{2}^{m}} (-1)^{\text {Tr}_{m}(bs)} {W_{F}^{k}}(a,b)\). Furthermore, the Walsh coefficients WF(a,b) can be precomputed for all F from a known set of EA-representatives, allowing the computations to be sped up at the cost of storing the precomputed result.

Remark 5

We note that, in the case of APN functions, the multiset of the multiplicities of \({{\Sigma }_{3}^{F}}(0)\) is essentially the same as the multiset \({{\Pi }_{F}^{0}}\) studied in [6]. The latter, given an (n,n)-function F, is defined as the multiset

$$ {{\Pi}_{F}^{0}} = \{ \# \{ a \in \mathbb{F}_{2^n} \mid (\exists x \in \mathbb{F}_{2^n}) F(x) + F(a+x) + F(a) = b \} : b \in \mathbb{F}_{2^n} \}. $$

The equation F(x) + F(a + x) + F(a) = b has either 0 or 2 solutions for any \(0 \ne a \in \mathbb {F}_{2^n}\) and any \(b \in \mathbb {F}_{2^n}\) if F is APN. Thus, an equivalent invariant would be the multiset

$$ \{ F(x) + F(a+x) + F(a) : a,x \in \mathbb{F}_{2^n} \}, $$

and it is easy to see that this can equivalently be rewritten as

$$ \{ F(x_{1}) + F(x_{2}) + F(x_{3}) : (x_{1}, x_{2}, x_{3}) \in \mathbb{F}_{2^n}^{3} \mid x_{1} + x_{2} + x_{3} = 0 \}, $$

which is essentially the same as \({{\Sigma }_{3}^{F}}(0)\). As pointed out in [6], the multiset \({{\Pi }_{F}^{0}}\) is a CCZ-invariant for quadratic APN functions.

3 Guessing the outer permutation

Suppose that we are given two EA-equivalent functions F and G from \(\mathbb {F}_{2}^{n}\) to \(\mathbb {F}_{2}^{m}\) for some positive integers n,m, so that A1FA2 + A = G for some affine functions \(A_{1} : \mathbb {F}_{2}^{m} \rightarrow \mathbb {F}_{2}^{m}\), \(A_{2} : \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{n}\) and \(A : \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{m}\), with A1 and A2 bijective. Let c1 = A1(0) and c = A(0) so that L1(x) = A1(x) + c1 and L(x) = A(x) + c are the linear parts of A1 and A, respectively. We note that if A1FA2 + A = G, then also \(A_{1}^{\prime } \circ F \circ A_{2} + A^{\prime } = G\) where \(A_{1}^{\prime }(x) = A_{1}(x) + {\Delta }\) and \(A^{\prime }(x) = A(x) + {\Delta }\) for any \({\Delta } \in \mathbb {F}_{2}^{m}\). In particular, we can always assume that c1 = 0 without loss of generality, so that A1 is linear. In the following, we will write simply G = L1FA2 + A.

By Proposition 1, for even values of k, we have

$$ {{\Sigma}_{k}^{G}}(0) = \{ L_{1}(a) : a \in {{\Sigma}_{k}^{F}}(0) \}. $$

Besides justifying that the multiset of multiplicities of \({{\Sigma }_{k}^{F}}(0)\) is an EA-invariant for any positive even integer k, the above relation gives us some information about L1; namely, it implies that if L1(x) = y for some \(x,y \in \mathbb {F}_{2}^{m}\), then the multiplicity of x in \({{\Sigma }_{k}^{F}}(0)\) should be the same as that of y in \({{\Sigma }_{k}^{G}}(0)\). If the elements of \(\mathbb {F}_{2}^{m}\) are partitioned according to the multiplicities of F as

$$ \mathbb{F}_{2}^{m} = K_{1} \oplus K_{2} \oplus {\dots} \oplus K_{s} $$

for some positive integer s, so that all elements in Ki for every 1 ≤ is have the same multiplicity in \({{\Sigma }_{k}^{F}}(0)\), and elements in Ki and Kj have distinct multiplicities for ij; and, similarly, as

$$ \mathbb{F}_{2}^{m} = C_{1} \oplus C_{2} \oplus {\dots} \oplus C_{s} $$

according to the multiplicities of G, then we must have

$$ L_{1}(K_{i}) = C_{i} $$

for all 1 ≤ is. We will say that any permutation L1 satisfying L1(Ki) = Ci for all i respects the two partitions of \(\mathbb {F}_{2}^{m}\). Consequently, we obtain conditions that can be used to restrict the possible choices for L1. Intuitively, the larger the number of classes s in the partition of \(\mathbb {F}_{2}^{m}\), the fewer linear permutations L1 can satisfy the conditions thus obtained. In particular, if all elements of \(\mathbb {F}_{2}^{m}\) occur with the same multiplicity, we do not obtain any information on L1. This is clearly the case when F is a permutation. Furthermore, the same appears to be true for all APN (n,n)-functions with odd n (regardless of whether they are permutations or not), which is why we concentrate on fields of even extension degree in our work.

All linear permutations L respecting the partitions \(\mathbb {F}_{2}^{m} = K_{1} \oplus {\dots } \oplus K_{s}\) and \(\mathbb {F}_{2}^{m} = C_{1} \oplus {\dots } \oplus C_{s}\) can now be found by trying to guess the values of L on a basis of \(\mathbb {F}_{2}^{m}\), and backtracking whenever some assignment violates these partitions. An algorithmic description of this procedure is provided below under Algorithm 1 and Algorithm 2. The former presents the general framework for partitioning \(\mathbb {F}_{2}^{m}\) according to the multiplicities of sums of values of F and G, while the latter describes the process of reconstructing all linear permutations that respect the constructed partitions. We remark that the algorithm is described for the particular case of k = 4 (which is what we have mostly used in practice for our computational experiments), but the principle trivially generalizes to any value of k. We also note that computing the number \({M_{k}^{F}}(0,s)\) of k-tuples whose values under F add up to a given \(s \in \mathbb {F}_{2}^{m}\) can be done via the values of the Walsh transform as described in Proposition 4; this is particularly useful if the selected value of k is large, or if a precomputed table of the Walsh coefficients for one (or both) of the tested functions is available.

figure a

Let us take a closer look at Algorithm 1. We first fix an even value of k, for instance k = 4. Given two (n,n)-functions, F and G, that we would like to test for equivalence, we begin by computing the multiplicities of the elements in the multisets \({{\Sigma }_{k}^{F}}(0)\) and \({{\Sigma }_{k}^{G}}(0)\). The number of times that the element \(s \in \mathbb {F}_{2}^{m}\) appears in \({{\Sigma }_{k}^{F}}(0)\) is denoted by \({M_{k}^{F}}(0,s)\) (this means that \({M_{k}^{F}}(0,s)\) k-tuples \((x_{1}, x_{2}, {\dots } x_{k})\) with \(x_{1} + x_{2} + {\dots } + x_{k} = 0\) satisfy \(F(x_{1}) + F(x_{2}) + {\dots } + F(x_{k}) = s\)).

Using these multiplicities, we partition \(\mathbb {F}_{2}^{m}\) in two ways: using the multiplicities \(\{ {M_{k}^{F}}(0,s) : s \in \mathbb {F}_{2}^{m} \}\), and using the multiplicities \(\{ {M_{k}^{G}}(0,s) : s \in \mathbb {F}_{2}^{m} \}\). More precisely, we write \(\mathbb {F}_{2}^{m}\) as \(\mathbb {F}_{2}^{m} = K_{1} \oplus K_{2} \oplus {\dots } \oplus K_{s}\), with \(K_{1}, K_{2}, \dots , K_{s}\) being disjoint sets of elements; two elements s1 and s2 are in the same block Ki of the partition if and only if \({M_{k}^{F}}(0,s_{1}) = {M_{k}^{F}}(0,s_{2})\), i.e. if s1 and s2 occur with the same multiplicity in \({{\Sigma }_{k}^{F}}(0)\). Equivalently, we could say that the multiplicities \({M_{k}^{F}}(0,s)\) induce an equivalence relation, in which two elements \(s_{1}, s_{2} \in \mathbb {F}_{2}^{m}\) are equivalent precisely when \({M_{k}^{F}}(0,s_{1}) = {M_{k}^{F}}(0,s_{2})\); the blocks \(K_{1}, K_{2}, \dots , K_{s}\) are then the equivalence classes of this equivalence relation. In the same way that \(K_{1}, K_{2}, \dots , K_{s}\) is the partition induced by \({{\Sigma }_{k}^{F}}(0)\), \(C_{1}, C_{2}, \dots , C_{s^{\prime }}\) is the partition induced by \({{\Sigma }_{k}^{G}}(0)\).

If F and G are EA-equivalent, then the number of blocks in both partitions must be the same, and the individual blocks must have the same sizes. Thus, if \(s \ne s^{\prime }\), or if the multiset \(\{ \# K_{i} : i = 1, 2, \dots , s \}\) is not equal to \(\{ \# C_{i} : i = 1, 2, \dots , s \}\), we can immediately conclude that F and G are not EA-equivalent. Otherwise, we can rearrange the blocks \(K_{1}, K_{2}, \dots , K_{s}\) and \(C_{1}, C_{2}, \dots , C_{s}\) in such a way that #Ki = #Ci for \(i = 1, 2, \dots , s\). At this point, we know that if F and G are equivalent via L1FA2 + A = G, then L1 must map Ki to Ci for \(i = 1,2, {\dots } s\). This additional information allows us to significantly reduce the number of linear permutations L1 that needs to be considered.

The set of all linear permutations preserving the partitions can be found using Algorithm 2. The latter is essentially an exhaustive search that tries to guess the values of L1 on a basis \(B = \{ b_{1}, b_{2}, \dots , b_{m} \}\) of \(\mathbb {F}_{2}^{m}\). After we have guessed the values of L1 on \(b_{1}, b_{2}, \dots , b_{i}\) for some im, we know the values of L1 on all elements of \(\mathbb {F}_{2}^{m}\) generated by \(\{ b_{1}, b_{2}, \dots , b_{i} \}\). For any such element x, we can find the indices \(j,j^{\prime }\) such that xKj and \(L_{1}(x) \in C_{j^{\prime }}\). If \(j \ne j^{\prime }\), then L1 does not respect the partitions, and so we backtrack, attempting a different guess for bi. If we do not find any contradiction of this type, we proceed to guessing the value of bi+ 1. We continue in this manner until we have exhausted all possibilities.

figure b

The partitions \(\mathbb {F}_{2}^{m} = K_{1} \oplus K_{2} \oplus {\cdots } \oplus K_{s}\) can be precomputed for representatives from e.g. all known EA-classes of APN functions; in particular, we refer to our computational results described in Section 5 where we describe how we provide such pre-computed results for all currently known APN functions over \(\mathbb {F}_{2^n}\) up to dimension n = 10. When using Algorithms 1 and 2 to find all possibilities for the outer permutation L1 in L1FA2 + A = G, however, we need to know the partitions according to both F and G, which makes the precomputation of the permutations L1 impossible.

Nonetheless, we can observe that the set of linear permutations L1 mapping Ki to Ci for every 1 ≤ is is simply a coset in the symmetric group of \(\mathbb {F}_{2}^{m}\) of the subgroup of linear permutations mapping Ki to Ki for 1 ≤ is. The latter can be precomputed for known EA-representatives, and hence finding a single linear permutation mapping every Ki to Ci with 1 ≤ is allows us to reconstruct all such permutations by composing it with the precomputed ones. This can be formalized as follows.

Proposition 6

Let n be a positive integer, and \(\mathbb {F}_{2}^{n} = K_{1} \oplus K_{2} \oplus {\cdots } \oplus K_{s}\) and \(\mathbb {F}_{2}^{n} = C_{1} \oplus C_{2} \oplus {\cdots } \oplus C_{s}\) be two partitions of the elements of \(\mathbb {F}_{2}^{n}\) such that #Ki = #Ci for every 1 ≤ is. Let \(\mathcal {K}\) be the set of all linear permutations L of \(\mathbb {F}_{2}^{n}\) such that L(Ki) = Ki for all 1 ≤ is, and let \(\mathcal {P}\) be the set of all linear permutations L of \(\mathbb {F}_{2}^{n}\) such that L(Ki) = Ci for 1 ≤ is. Then \(\mathcal {K}\) is a subgroup of the symmetric group of \(\mathbb {F}_{2}^{n}\), and \(\mathcal {P}\) is a coset of \(\mathcal {K}\).

Proof

The composition of two linear permutations is clearly a linear permutation itself, and so is the inverse of a linear permutation. Furthermore, if L1 and L2 are linear permutations that permute some set \(K_{i} \subseteq \mathbb {F}_{2}^{n}\), then their composition and their inverses do so as well. Thus, \(\mathcal {K}\) is closed under composition and taking inverses, and is a subgroup of the symmetric group of \(\mathbb {F}_{2}^{n}\).

Now, suppose that L is a linear permutation of \(\mathbb {F}_{2}^{n}\) mapping some subset \(K_{i} \subseteq \mathbb {F}_{2}^{n}\) onto some \(C_{i} \subseteq \mathbb {F}_{2}^{n}\). Then KL is also a linear permutation mapping Ki onto Ci for any \(K \in \mathcal {K}\). Thus, KKL maps \(\mathcal {K}\) to \(\mathcal {P}\), and is clearly invertible since L is a permutation. Consequently, \(\mathcal {P}\) is a coset of \(\mathcal {K}\) represented by L. □

Besides delegating a large portion of the work in constructing \(\mathcal {P}\) to the precomputation of \(\mathcal {K}\), Proposition 6 allows us to estimate the complexity of testing EA-equivalence between a function F (which we can assume is a known EA-representative) and another function G inducing a partition of \(\mathbb {F}_{2}^{m}\) compatible with the one induced by F.

Furthermore, it is clear that the size of the group \(\mathcal {K}\) of linear permutations that preserve the partition \(\mathbb {F}_{2}^{m} = K_{1} \oplus {\dots } \oplus K_{s}\) induced by the multiplicities in \({{\Sigma }_{F}^{k}}(0)\) is an EA-invariant. What makes this interesting, is that it is more discriminating than the sizes of the partition classes: for instance, the APN functions F(x) = x3 and G(x) = x3 + α11x6 + αx9 over \(\mathbb {F}_{2}six\) (where α is primitive in \(\mathbb {F}_{2}six\)) both partition \(\mathbb {F}_{2}six\) into three classes of size 1, 21, and 42, respectively; but the group of linear permutations preserving the partition of F(x) contains 1008 elements, while the group of linear permutations preserving the partition of G has 336 elements. Thus, precomputing the groups \(\mathcal {K}\) of linear permutations preserving the partition for representatives from the known classes of APN functions has the additional advantage that it allows us to rule out equivalence in more cases (using a stronger invariant). We note that the actual elements of the group \(\mathcal {K}\) are not, in general, invariant under EA-equivalence.

To give some basic idea of how efficient these processes are, we have computed the groups \(\mathcal {K}\) for representatives from all switching classes of APN functions over \(\mathbb {F}_{2^n}\) with n ∈{6,8} [12]. The results are presented in Table 1 below. The first column gives the dimension n of \(\mathbb {F}_{2^n}\). The functions are indexed in the second column in the same way as in [12]. The next two columns give the time in seconds for computing the partition of \(\mathbb {F}_{2^n}\) according to the quadruple sums of F directly and using the Walsh transform, respectively (including the time in seconds for precomputing the Walsh coefficients). The following column gives the time for computing all linear permutations preserving the corresponding partition. The last column gives the number of linear permutations found in each case, which is a direct measure of the complexity of an EA-equivalence test by our method, as the approach for guessing the inner permutation (described in the following Section 4) has to be applied to every possible choice of the outer permutation.

Table 1 Computational experiments for finding the outer permutation
Full size table

We note that the running times are highly dependent on the programming language, implementation, and computational equipment used, and the ones presented in the paper are given only for illustrative purposes.

For comparison, there are 27998208 linear permutations of \(\mathbb {F}_{2^{6}}\), and 132640470466560 linear permutations of \(\mathbb {F}_{2^{8}}\).

4 Guessing the inner permutation

If, in addition to the (n,m)-functions F and G, we know the linear permutation L1 in the relation L1FA2 + A = G, we can apply its inverse, \(L_{1}^{-1}\) to both sides, obtaining

$$ F \circ A_{2} + A^{\prime} = G^{\prime}, $$
(3)

where \(A^{\prime } = L_{1}^{-1} \circ A\) and \(G^{\prime } = L_{1}^{-1} \circ G\). A pair of affine (n,m)-functions \(A_{2}, A^{\prime }\) satisfying the above relation then exists if and only if F is EA-equivalent to G.

Once again, let us write \(c = A^{\prime }(0)\) and c2 = A2(0), and L2 = A2 + c2 and A = L + c for the linear parts of A2 and A, respectively. Substituting 0 for x in (3) yields \(F(c_{2}) + c = G^{\prime }(0)\). Since we know \(G^{\prime }\), and hence also \(G^{\prime }(0)\), this means that any choice of c2 uniquely determines c. It is thus enough to loop over all possible choices of \(c_{2} \in \mathbb {F}_{2}^{n}\) and take \(c = F(c_{2}) + G^{\prime }(0)\) in order to exhaust all possibilities for \((c_{2},c^{\prime })\). As observed in Proposition 2, if F and G are quadratic, then we can assume that c2 = 0 and \(c = G^{\prime }(0)\) without loss of generality; for functions of higher algebraic degree, we have to consider all possible values of c2. In the following, we assume that we have guessed the constants c2 and c, and rewrite (3) as

$$ F \circ L_{2} + L^{\prime} = G^{\prime\prime}, $$
(4)

where \(G^{\prime \prime }(x) = G^{\prime }(x+c_{2}) + c\). It now remains to look for a pair of functions \(L_{2} : \mathbb {F}_{2}^{m} \rightarrow \mathbb {F}_{2}^{m}\) and \(L : \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{m}\) satisfying (4).

To guess the permutation L2, we observe that, given some k-tuple \((x_{1}, x_{2}, \cdots , x_{k} ) \in \mathcal {T}_{k}(0)\), by Proposition 1, we have

$$ G^{\prime\prime}(x_{1}) + {\cdots} + G^{\prime\prime}(x_{k}) = F(L_{2}(x_{1})) + {\cdots} + F(L_{2}(x_{k})), $$

and thus, if some element \(x_{i} \in \mathbb {F}_{2}^{n}\) is part of a k-tuple whose sum under G is t, then its image L2(xi) under L2 must be part of some k-tuple whose sum under F is t. We state this formally as follows.

Proposition 7

Let F and G be (n,m)-functions for some positive integers n,m such that FL2 + L = G for L2,L linear and L2 bijective. Let k be a positive integer, and, for any \(t \in \mathbb {F}_{2}^{m}\), denote

$$ {O_{k}^{F}}(0,t) = \{ (x_{1}, x_{2}, \cdots, x_{k} ) \in \mathcal{T}_{k}(0) \mid F(x_{1}) + F(x_{2}) + {\cdots} + F(x_{k}) = t \}. $$

Then, if \((x_{1}, x_{2}, {\cdots } x_{k} ) \in \mathcal {T}_{k}(0)\) with G(x1) + ⋯ + G(xk) = t, we must have \(L_{2}(x_{i}) \in {M_{k}^{F}}(0,t)\) for all 1 ≤ ik. Consequently,

$$ L_{2}(x) \in \bigcap_{t \in {{\sum}_{k}^{G}}(0,x)} \left( \bigcup {O_{k}^{F}}(0,t) \right), $$
(5)

where

$$ {{\Sigma}_{k}^{G}}(0,x) = \{ G(x_{1}) + {\dots} + G(x_{k}) : (x_{1}, \dots, x_{k} ) \in \mathcal{T}_{k}(0) \mid x \in (x_{1}, {\dots} x_{k} ) \}. $$

Using (5) for k = 3, we can significantly reduce the domains of L2(x) for \(x \in \mathbb {F}_{2}^{m}\), i.e. the ranges of possible values that L2(x) can take. A large number of the domains end up consisting of three elements (although we do obtain larger domains in some cases). Since guessing L2 amounts to guessing its values on a basis of \(\mathbb {F}_{2}^{m}\), the elements of the basis can be chosen in such a way that the Cartesian product of the respective domains is small. In most cases, we can indeed choose the basis elements in such a way that all domains consist of three elements, and thus end up with only 3n possibilities for L2.

In addition, assuming that e.g. F is a known representative, some precomputations are possible; namely, the sets \({O_{k}^{F}}(0,t)\) can be precomputed for k = 3 and all values of t. Alternatively, the roles of F and G in (4) can be swapped by composing both sides with the inverse of L2 from the right, in which case the sets \({{\Sigma }_{k}^{F}}(0,x)\) can be precomputed for k = 3 and for all \(x \in \mathbb {F}_{2}^{m}\).

We note that for values of k greater than 3, it seems to always be possible to express all elements in \(\mathbb {F}_{2^n}\) as the sum of four values of F for an APN function F, in which case \({{\sum }_{k}^{G}}(0,x) = \mathbb {F}_{2}^{m}\) for all \(x \in \mathbb {F}_{2}^{m}\), and consequently the domains of all \(x \in \mathbb {F}_{2}^{m}\) end up being the entire field \(\mathbb {F}_{2}^{m}\). Since the definitions of \(\mathcal {T}_{k}(0)\) and \({{\sum }_{k}^{F}}(0)\) only make sense for values of k greater than 2, k = 3 remains the only practically useful choice for the value of k (at least in the case of APN functions).

Algorithm 3 describes the approach for reconstructing L2 from (3) suggested by the above considerations. The first part of the algorithm computes the domains \(\mathcal {D}(x)\) for all elements \(x \in \mathbb {F}_{2}^{n}\); we then know that for any \(x \in \mathbb {F}_{2}^{n}\) we must have \(L_{2}(x) \in \mathcal {D}(x)\). All domains are initially set to \(\mathbb {F}_{2}^{n}\), i.e. no restrictions on the value of L2(x) is made. We then compute the sets \({O_{3}^{F}}(t)\) of all triples (x1,x2,x1 + x2) with F(x1) + F(x2) + F(x1 + x2) = t. For any element y1 belonging to a triple (y1,y2,y1 + y2) with G(y1) + G(y2) + G(y1 + y2) = t, we know that L2(y1) must belong to \({O_{3}^{F}}(t)\); we use this to reduce the domain \(\mathcal {D}(y_{1})\) of y1.

figure c

Having computed the domains, the second part of the algorithm consists of finding a basis \(B = \{ b_{1}, b_{2}, \dots , b_{n} \}\) of \(\mathbb {F}_{2}^{n}\), and constructing all linear permutations L2 for which \(L_{2}(b_{i}) \in \mathcal {D}(b_{i})\) for \(i = 1, 2, \dots , n\). Since we assume that FA2 + A = G (with A2 = L2 + c2, where we also guess the value of c2 by going through all possibilities), if the choice of L2 is correct, then A = FA2 + G must be affine. For every possible of choice of L2 and c2, we thus compute A and check whether its algebraic degree is at most 1; if so, then we have found the equivalence between F and G.

Recall that by Proposition 2 we can assume that c2 = 0 if the functions being tested for equivalence are quadratic, which significantly reduces the computation time.

We note that Algorithm 3 will return all affine permutations A2 for which A = FA2 + G is affine. If our goal is to check whether such a permutation exists (which is all that we need for the purposes of the EA-equivalence test), we can immediately terminate as soon as a single such permutation is found. Furthermore, we remark that if (3) is obtained by applying the inverse \(L_{1}^{-1}\) of the outer permutation, and a solution (A2,A) of (3) is found, then this already witnesses that F and G are EA-equivalent.

In order to get an idea of the efficiency of this method, we once again run a number of experiments on representatives from the known APN functions for n = 6 and n = 8. For every pair (F,G) of representatives from the switching classes in [12], we generate a random affine permutation A2 and a random affine function A, and use Algorithm 3 to attempt to reconstruct A2 and A from F and G. In the cases when F and G are not EA-equivalent this, of course, will fail; in the remaining cases (when F and G do belong to the same EA-equivalence class), we stop as soon as we find the first pair of affine functions (A2,A) solving FA2 + A = G. For each combination of F and G, we generate 10 pairs of (A2,A). Table 2 gives the average running time for solving FA2 + A = G for dimensions n = 8. There are 23 switching APN representatives in \(\mathbb {F}_{2^{8}}\), and we index them from 1 to 23 in Table 2 in the same order that they are listed in [12]. In the case of n = 6, the running time does not exceed 0.2 seconds in the worst case; we omit a detailed table of the running times for the sake of brevity. The running times are given in seconds, multiplied by a factor of 100; e.g. deciding that FA2 + A = G is unsolvable when F is 1.1 and G is 1.2 from [12] takes 7.51 seconds.

Table 2 Computation time for reconstructing the inner permutation for n = 8
Full size table

5 Computational results

A recent paper [1] introduces 12 923 new APN functions over \(\mathbb {F}_{2^8}\), in addition to the more than 8000 instances previously found and documented in [19]. For the purposes of measuring how efficient the multiplicities of the elements in \({{\Sigma }_{k}^{F}}(0)\) are as an invariant, and for speeding-up potential EA-equivalence tests, we have computed the exact partitions for k = 4 for all of these functions. We also perform similar computations for all known APN functions up to dimension n = 10. A complete list of these partitions is available online at https://boolean.h.uib.no/mediawiki. Here, we give a summary of the computed data.

In total, we have computed the partition induced by \({{\Sigma }_{k}^{F}}(0)\) for 21105 CCZ-inequivalent functions F. From these, we have obtained 19300 distinct partitions. Of these, the “Gold-like” partition (which splits the field into three partition classes, of size 1, 70, and 185, respectively) is the most frequently occurring, and is induced by 21 functions including, of course, the Gold function x3. The number of partitions that occur only once is 18103; and the remaining partitions occur between two and eleven times.

Most of the partitions contain a large number of classes: indeed, only the “Gold-like” partition described above has three classes, while all other observed partitions have at least 6 classes; the vast majority of functions induce a partition having between 12 and 16 classes, while the largest number of classes, 22, is achieved by only two functions. We recall that a large number of classes intuitively corresponds to a small number of linear permutations respecting the corresponding partition, and consequently to a faster test for EA-equivalence.

In the case of n = 10, we only observe the “Gold-like” partition for all the ten known representatives from the infinite families. However, among the five new functions given in the dataset accompanying [1], we find three that have different (and pairwise distinct) spectra.

For odd dimensions (n = 7 and n = 9), we also compute the partitions induced by the known APN representatives, but these always yield a trivial partition of \(\mathbb {F}_{2^n}\) into a zero and non-zero elements (even when we take into account the newly discovered APN classes from [1]).

6 Conclusion

We have introduced a family of invariants under EA-equivalence, and have shown how their values can be efficiently computed using the Walsh transform. We have experimentally observed that over \(\mathbb {F}_{2^n}\) with even n, these invariants can be used to partition quadratic APN functions into small subclasses, thereby significantly facilitating their classification up to EA- and CCZ-equivalence. We have demonstrated how the values of these invariants can be used to restrict the values of the outer permutation A1 in the relation A1FA2 + A = G for two given (n,m)-functions F and G, and have ran experiments in order to measure how much this approach reduces the search space. We have described how a variation of the same invariants can be used to restrict the values of the images of \(\mathbb {F}_{2^n}\) under the inner permutation, A2, and have combined the above into a computational test for deciding the EA-equivalence of any two (n,m)-functions F and G. Although slower than the standard test for CCZ-equivalence via the permutation equivalence of linear codes, our approach has the advantage that it is easily implementable on any programming language, and can be separated into a multitude of small, independent steps with concrete output, the majority of which can be naturally parallelized and run in different processes or on different computers. Furthermore, this is, to the best of our knowledge, the first efficient algorithm for directly testing the EA-equivalence of two given functions.

One direction for future work would be to investigate the invariants described in Section 2 more closely, and see whether they can be modified in order to provide more efficient restrictions. In the same vein, it would be interesting to investigate the functions for which our experimental results show a large number of choices for the outer permutation A1 following the restriction described in Section 3, and to see whether some of these choices can be ruled out using some other criterion; this would directly impact the efficiency of the entire EA-equivalence test for these functions.

So far, we have implemented the algorithms described in Sections 3 and 4 in the Magma programming language [4] due to the ease of implementation. As pointed out above, our approach is quite simple, and does not depend on anything more complicated than computing linear combinations of binary vectors, and so it should be readily implementable in any general-purpose programming language. We expect that a careful implementation in an efficient language would further reduce the computational time needed for testing EA-equivalence, and make the method even more useful in practice.