1 Introduction

Let p be a prime and \(q=p^n\). A map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) is called differentially d-uniform (abbreviated d-uniform), if

$$\begin{aligned} d=\max _{a\ne 0,b\in \mathbb {F}_q} |\{x\in \mathbb {F}_q: f(x+a)-f(x)=b\}|. \end{aligned}$$

A 1-uniform map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) is called planar, that is, f is planar if \(f(x+a)-f(x)\) is a permutation for any \(a\in \mathbb {F}_q^*\). Planar maps exist if and only if q is odd. A map f is called almost perfect nonlinear (APN) if f is 2-uniform. Observe that if q is even, then an equation \(f(x+a)+f(x)=b\) always has an even number of solutions, since x solves it if and only if \(x+a\) does so. In particular, there are no 1-uniform maps for q even, and the APN maps have the smallest possible uniformity on binary fields. APN maps, and more generally maps in characteristic 2 with low uniformity, are an important research object in cryptography, mainly because they provide good resistance to differential attacks when used as an S-box of a block cipher. For a thorough survey detailing the importance of such maps for cryptography, we refer to [5]. Moreover, maps with low uniformity are intimately connected to certain codes [10, 11]. Planar maps can be used for the construction of various structures in combinatorics and algebra, for example difference sets, projective planes and semifields [31].

A celebrated result of Ding and Yuan, obtained in [23], shows that image sets of planar maps yield skew Hadamard difference sets which are inequivalent to the Paley–Hadamard difference sets. This disproved a longstanding conjecture on the classification of skew Hadamard difference sets and motivated interest in a better understanding of image sets of planar maps, see for example [20, 28, 37]. The image sets of d-uniform maps with \(d>1\) can also be used to construct optimal combinatorial objects, as shown in [13]. However, the case \(d>1\) is less studied than \(d=1\), although the case \(d=1\) is also far from being completely understood. Here, we extend some of the results on the image sets of planar maps with \(d=1\) to cover a general d. The behavior of the image sets of d-uniform maps and the proofs are more complex for \(d>1\). This is simply explained by the fact that the preimage distribution of a difference map \(f_a: x\mapsto f(x+a)-f(x)\) is not unique and more difficult to control when \(d>1\). The smaller values of d are easier to handle.

A polynomial/map \(f \in \mathbb {F}_q[x]\) is called Dembowski–Ostrom (DO), if it can be written as

$$\begin{aligned} f(x) = \sum _{i,j=0}^{n-1}a_{ij}x^{p^i+p^j} \end{aligned}$$

when q is odd and

$$\begin{aligned} f(x) = \sum _{\begin{array}{c} i,j=0\\ i\ne j \end{array}}^{n-1}a_{ij}x^{2^i+2^j} \end{aligned}$$

when q is even. Note that \(x^2\) is a DO polynomial for any odd q, but not for even q. Maps obtained as the sum of a DO map with an \(\mathbb {F}_p\)-affine one are called quadratic.

Let \({\text {Im}}(f)\) denote the image set of a map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\). A map f is called k-to-1, if every element in the image of f has exactly k preimages. If k is a divisor of \(q-1\), we call a map f k-divisible, if it can be written as \(f(x)=f'(x^k)\) for a suitable polynomial \(f'\). It is easy to see that f is k-divisible if and only if \(f(x)=f(\theta x)\) for all \(x\in \mathbb {F}_q\) and all \(\theta \in \mathbb {F}_q^*\) whose order divides k. Further, we call a map f almost-k-to-1, if there is a unique element in \({\text {Im}}(f)\) with exactly 1 preimage and all other images have exactly k preimages.

In Sect. 2, we show that a d-uniform map f satisfies

$$\begin{aligned} |{\text {Im}}(f)| \ge \left\lfloor \frac{q}{d+1} \right\rfloor +1. \end{aligned}$$

This lower bound is sharp for several classes of d-uniform maps when \(d+1\) divides \(q-1\). However, we expect that the lower bound can be improved for other cases. We give several results on the preimage distribution of d-uniform maps. In particular, we show that if the \({\text {Im}}(f)\) of a d-uniform map f is small, then the majority of elements in \({\text {Im}}(f)\) have exactly \(d+1\) preimages.

In Sects. 3–6, we consider in more detail the case \(d=2\), that is APN maps, on binary fields. For an APN map \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) the lower bound is

$$\begin{aligned} |{\text {Im}}(f)|\ge {\left\{ \begin{array}{ll} \frac{2^n+1}{3} &{} n \text { is odd,} \\ \frac{2^n+2}{3} &{} n \text { is even}. \end{array}\right. } \end{aligned}$$

The first published proof for this bound appears in [14, Lemma 5], where a lower bound on the differential uniformity via image set size is presented. Since the study of image sets of APN maps was not a goal of [14], the lower bound in it remained unnoticed by most researchers on APN maps. A systematic study of the image sets of APN maps originates from [22]. Besides the lower bound, several properties and examples of the image sets of APN maps are presented in [22]. In this paper, we develop the study of image sets of APN maps further. Our results indicate that the APN maps with minimal image size play a major role for understanding fundamental properties of APN maps. We believe that a deeper analysis of the image sets of APN maps is an interesting research direction which will allow progress on several current challenges on APN maps.

At the beginning of our studies, we were quite certain that having an image set of the minimal size \((2^n+1)/3\), resp. \((2^n+2)/3\), is a rare property and not many of the known APN maps will satisfy it. Despite our intuition, we found that if n is even then the opposite is the case and most of the known infinite constructions yield 3-to-1 APN maps. Remarkably, the bivariate APN maps constructed in [24, 39] are also almost 3-to-1, as we show in Theorems 4 and 5. These families contain a large number of inequivalent APN maps as shown in [25]. If n is odd then the lower bound \((2^n+1)/3\) seems to be not sharp.

Presently, the only known primary univariate families of APN maps are monomials \(x\mapsto x^k\) or DO polynomials. These maps serve as a basis for a handful of known secondary constructions of APN maps [5, 31]. Whereas the image sets of monomial maps are multiplicative subgroups extended with the zero element, and so are uniquely determined by \(\gcd (q-1,k)\), the behavior of the image sets of DO polynomials is complex and not yet well understood. In Sect. 4, we compute the image size of several families of APN DO polynomials.

A map \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) is called crooked if for any non-zero \(a\in \mathbb {F}_{2^n}\) the set

$$\begin{aligned}D_a(f):= \{f(x+a)-f(x) : x\in \mathbb {F}_{2^n}\}\end{aligned}$$

is an affine hyperplane, that is an affine subspace of dimension \(n-1\). It is easy to see that a quadratic APN map is crooked. The crooked permutations for n odd were introduced in [2]. In [27] the definition of crooked maps from [2] was extended to the one given here.

Given a map \(f :\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\), the Boolean functions \(f_\lambda (x) = {{\,\mathrm{Tr}\,}}(\lambda f(x))\) with \(\lambda \in \mathbb {F}_{2^n}^*\) are called the component functions (or briefly components) of f. The Walsh transform of f is defined by

$$\begin{aligned} W_f(b,a)=\sum _{x \in \mathbb {F}_{2^n}}(-1)^{{{\,\mathrm{Tr}\,}}(bf(x)+ax)} \in \mathbb {Z}, \end{aligned}$$

where \(a,b \in \mathbb {F}_{2^n}, b\ne 0\). The multiset \(\{*W_f(b,a) :b \in \mathbb {F}_{2^n}^*, a \in \mathbb {F}_{2^n}*\}\) is called the Walsh spectrum of f and \(\{*|W_f(b,a)| :b \in \mathbb {F}_{2^n}^*, a \in \mathbb {F}_{2^n}*\}\) is called the extended Walsh spectrum of f.

We call \(f_\lambda \) a balanced component of f, if it takes the values 0 and 1 equally often, that is both \(2^{n-1}\) times. Hence \(f_\lambda \) is a balanced component of f if and only if \(W_f(\lambda ,0)=0\). A component function \(f_\lambda \) is called plateaued with amplitude t for an integer \(t \ge 0\) if \(W_f(\lambda ,a) \in \{0,\pm 2^{\frac{n+t}{2}}\}\) for all \(a \in \mathbb {F}_{2^n}\). For n even, a plateaued component with \(t=0\) is called a bent component.

If all component functions of f are plateaued, then f is called component-wise plateaued. For n odd, the map f is called almost bent if all its components \(f_\lambda \) are plateaued with amplitude \(t=1\). It is well known that an almost bent map is necessarily APN, and there are APN maps, which are not almost bent. However, if f is component-wise plateaued, then it is APN if and only if it is AB.

Let \(\mathcal {DO}, \mathcal {Q}, \mathcal {C}, \mathcal {CWP}, \mathcal {APN}\) denote the sets of DO, quadratic, crooked, component-wise plateaued and APN maps of \(\mathbb {F}_{2^n}\), respectively. Given a set A we denote by \(A_{property}\) the subset of elements in A satisfying the property. If it is known that the subset B is a proper subset of A, we write \(B\subsetneq A\), otherwise \(B \subseteq A\). The maps considered in this paper are related as follows:

$$\begin{aligned} \mathcal {DO} \subsetneq \mathcal {Q} \subsetneq \mathcal {CWP} \end{aligned}$$

and

$$\begin{aligned} \mathcal {DO}_{APN} \subsetneq \mathcal {Q}_{APN} \subseteq \mathcal {C} \subsetneq \mathcal {CWP}_{APN} \subsetneq \mathcal {APN}, \end{aligned}$$

see e.g. [2, 9, 17, 27, 31]. It is conjectured in [27] that \(\mathcal {C} = \mathcal {Q}_{APN}\).

If n is even, many of the currently known APN maps have the extended Walsh spectrum described in the next definition.

Definition 1

Let \(f :\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) and n even. We say that the map f has the classical Walsh spectrum if its extended Walsh spectrum consists of the values 0 with multiplicity \((2^n-1)\cdot 2^{n-2}\), \(2^{n/2}\) with multiplicity \((2/3)(2^n-1)(2^n)\) and \(2^{(n+2)/2}\) with multiplicity \((1/3)(2^n-1)(2^{n-2})\).

The Parseval equation states

$$\begin{aligned} \sum _{a\in \mathbb {F}_{2^n}}W_f(b,a)^2 =2^{2n} \end{aligned}$$

for any \(b \in \mathbb {F}_{2^n}\). It implies, in particular, that a component-wise plateaued map f with \((2/3)(2^n-1)\) bent components and \((1/3)(2^n-1)\) plateaued components with amplitude \(t=2\) always has the classical Walsh spectrum.

Our results in Sects. 4 and 5, especially Theorem 4 and Corollary 8, show that for n even it holds

$$\begin{aligned} \mathcal {DO}_{\text {3-divisible,APN}} \subsetneq \mathcal {DO}_{\text {alm.3-to-1}} \subsetneq \mathcal {Q}_{\text {alm.3-to-1}} \subsetneq \mathcal {CWP}_{\text {alm.3-to-1}} \subsetneq \mathcal {APN}_{\text {cl.\,Walsh\,sp.}}. \end{aligned}$$

The last inclusion, with our observation that the main known families of quadratic APN maps are almost-3-to-1, gives a natural explanation that they have the classical Walsh spectrum. Note that there are sporadic APN quadratic maps with non-classical Walsh spectra, see e.g. [3] for such examples.

An important outcome of Sect. 5, more exactly of (12) and Corollary 8, is the following theorem, providing a simple to check sufficient criterion for an APN map to have the classical Walsh spectrum.

Theorem 1

Let n be even and \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be a component-wise plateaued APN map satisfying

  • \(f(0)=0\),

  • every \(y \in {\text {Im}}(f)\setminus \{0\}\) has at least 3 preimages.

Then f is almost-3-to-1 and has the classical Walsh spectrum.

Theorem 1 follows from a more general result on the Walsh spectrum of special component-wise plateaued maps, presented in Theorem 7. The fact that almost-3-to-1 component-wise plateaued maps have the classical Walsh spectrum was already observed in [9]. However, to our knowledge, it was never applied to show that a particular APN family has the classical Walsh spectrum.

In Sect. 5, we also study connections between the image set of an almost bent map and its components. As a consequence, we show that any almost bent map has a balanced component function.

We conclude our paper with upper bounds on the image size of special APN maps \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\), presented in Sect. 6. For n odd, our results imply that a non-bijective almost bent map f satisfies

$$\begin{aligned} |{\text {Im}}(f)| \le 2^n - 2^{(n-1)/2}. \end{aligned}$$

In the case of n even, we observe that if f is a component-wise plateaued APN map, then

$$\begin{aligned} |{\text {Im}}(f)| < 2^n-\sqrt{\frac{2}{3}(2^n-1)}+1/2. \end{aligned}$$

To our knowledge, these are the only currently known non-trivial upper bounds on the image size of APN maps.

2 Images of d-uniform maps

In this section, we extend some of the results from [20, 28, 37] on the image sets of planar maps with \(d=1\) to cover a general d. The behavior of the image sets of d-uniform maps and the proofs are more complex for \(d>1\). This is simply explained by the fact that the preimage distribution of a difference map \(f_a: x\mapsto f(x+a)-f(x)\) is not unique and more difficult to control when \(d>1\).

Let \({\text {Im}}(f)\) be the image set of a map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\). For \(r\ge 1\) we denote by \(M_r(f)\) the number of \(y\in \mathbb {F}_q\) with exactly r preimages. Further, let N(f) denote the number of pairs \((x,y)\in \mathbb {F}_q^2\), such that \(f(x)=f(y)\). Note \(N(f)\ge q\) and \(N(f) =q\) exactly when f is a permutation on \(\mathbb {F}_q\). Let m be the degree of the map f, that is the degree of its univariate polynomial representation of degree not exceeding \(q-1\). Then \(M_r(f) = 0\) for every \(r>m\). The following identities follow directly from the definition of \(M_r(f)\) and N(f)

$$\begin{aligned} \sum _{r=1}^m M_r(f)&= |{\text {Im}}(f)| \end{aligned}$$
(1)
$$\begin{aligned} \sum _{r=1}^m rM_r(f)&= q \end{aligned}$$
(2)
$$\begin{aligned} \sum _{r=1}^m r^2M_r(f)&= N(f) . \end{aligned}$$
(3)

The quantities \(M_r(f)\) and N(f) appear naturally when studying the image sets of maps on finite fields, see for example [12, 20, 28, 32, 34]. The oldest such reference known to the authors of this paper is [32].

The next two lemmas can be obtained easily from [34, Lemma 1]. We give a detailed proof here to make clear the connection to the concept of d-uniformity and to point out some interesting boundary cases. A map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) is called k-to-1, if every element in the image of f has exactly k preimages, that is if \(M_r(f) =0\) for any \(0<r\ne k\).

Lemma 1

Any map \(f:\mathbb {F}_q\rightarrow \mathbb {F}_q\) fulfills

$$\begin{aligned}|{\text {Im}}(f)|\ge \frac{q^2}{N(f)},\end{aligned}$$

with equality if and only if f is k-to-1.

Proof

It follows from the Cauchy-Schwarz inequality with (1), (2) and (3) that

$$\begin{aligned} q^2=\left( \sum _{r=1}^m r M_r(f)\right) ^2 \le \left( \sum _{r=1}^m r^2M_r(f)\right) \left( \sum _{r=1}^m M_r(f)\right) =N(f)|{\text {Im}}(f)|. \end{aligned}$$

The equality above holds if and only if there is a \(k \in \mathbb {R}\) such that \(r\sqrt{M_r(f)}=k\sqrt{M_r(f)}\) for all \(1\le r\le m\), that is when \(M_r(f)=0\) for \(r\ne k\) and \(M_k(f)=|{\text {Im}}(f)|\). \(\square \)

The following proof is an adaptation for any d of [28, Lemma 2], where planar maps with \(d=1\) were considered.

Lemma 2

Let \(f:\mathbb {F}_q\rightarrow \mathbb {F}_q\) be d-uniform. Then

$$\begin{aligned} N(f) \le q+d\cdot t_0(f), \end{aligned}$$

where \(t_0(f)\) is the number of elements \(a\ne 0\) in \(\mathbb {F}_q\) for which \(f(x+a)-f(x)=0\) has a solution x in \(\mathbb {F}_q\). The equality holds if and only if for every non-zero \(a \in \mathbb {F}_q\) the equation \(f(x+a)-f(x)=0\) has either 0 or exactly d solutions.

Proof

Note that

$$\begin{aligned} N(f)&= |\{(u, v)\in \mathbb {F}_q^2: f(u) = f(v)\}| \\&= |\{(u, v)\in \mathbb {F}_q^2: f(u)-f(v) = 0\}| \\&= |\{(a, v)\in \mathbb {F}_q^2: f(v+a)-f(v) = 0\}|. \end{aligned}$$

For \(a=0\) every pair (0, v) with \(v\in \mathbb {F}_q\) contributes to N(f). If \(a\ne 0\), then \(f(v+a)-f(v)=0\) has at most d solutions because f is d-uniform. Therefore

$$\begin{aligned} N(f)\le q+ d\cdot t_0(f). \end{aligned}$$

\(\square \)

Observe that for a planar map \(N(f) = 2q-1\), since \(f(v+a)-f(v)=0\) has a unique solution for every non-zero a. Generalizing this, a map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) is called zero-difference d-balanced if the equation \(f(x+a)-f(x)=0\) has exactly d solutions for every non-zero a, see [13]. Hence \(N(f) = q + (q-1)d = (d+1)q-d\) for a zero-difference d-balanced map.

Corollary 1

Let \(f:\mathbb {F}_q\rightarrow \mathbb {F}_q\) be d-uniform. Then

$$\begin{aligned} N(f) \le (d+1)q-d. \end{aligned}$$

The equality holds if and only if f is zero-difference d-balanced.

Proof

The statement follows from Lemma 2 and \(t_0(f) \le q-1\). \(\square \)

Remark 1

Several of the results in this paper hold for any map f with \(N(f)\le (d+1)q-d\), and not only for d-uniform ones. Some of our proofs can easily be adapted if \(N(f)=kq\pm \varepsilon \) is known.

From Lemma 1 and Corollary 1 we get

$$\begin{aligned} |{\text {Im}}(f)|&\ge \left\lceil \frac{q^2}{N(f)}\right\rceil \ge \left\lceil \frac{q^2}{(d+1)q-d}\right\rceil \ge \left\lceil \frac{q}{d+1}\right\rceil . \end{aligned}$$
(4)

Theorem 2 extends [28, Theorem 2] to cover an arbitrary d. Besides giving a different proof for the lower bound in (4), it additionally provides information on the possible preimage distribution of a d-uniform map. For a map \(f:\mathbb {F}_q\rightarrow \mathbb {F}_q\) and \(S\subseteq \mathbb {F}_q\), \(a\in \mathbb {F}_q\), we denote by \(f^{-1}(S)\) the preimage of S under f and by \(\omega (a)\) the size of \(f^{-1}(\{a\})\).

Theorem 2

Let \(f:\mathbb {F}_q\rightarrow \mathbb {F}_q\) be d-uniform. Then

$$\begin{aligned} |{\text {Im}}(f)|\ge \left\lfloor \frac{q}{d+1} \right\rfloor +1. \end{aligned}$$
(5)

Set \(\varepsilon = (d+1)\cdot |{\text {Im}}(f)| - q\), or equivalently

$$\begin{aligned} |{\text {Im}}(f)| = \frac{q+\varepsilon }{d+1}. \end{aligned}$$

Then \(\varepsilon \ge 1 \) and

$$\begin{aligned} \sum _{y\in {\text {Im}}(f)}(\omega (y)-(d+1))^2 \le (d+1)(\varepsilon -1) + 1. \end{aligned}$$
(6)

Proof

By Corollary 1

$$\begin{aligned} \sum _{y\in {\text {Im}}(f)}(\omega (y))^2 = \sum _{y\in \mathbb {F}_q} (\omega (y))^2 = N(f) \le (d+1)q-d. \end{aligned}$$

Since

$$\begin{aligned}\sum _{y\in {\text {Im}}(f)}\omega (y) = q,\end{aligned}$$

we get

$$\begin{aligned} 0&\le \sum _{y\in {\text {Im}}(f)}(\omega (y)-(d+1))^2 = \sum _{y\in {\text {Im}}(f)}((\omega (y))^2-2(d+1)\omega (y)+(d+1)^2) \\&= N(f)-2(d+1)q+(d+1)^2|{\text {Im}}(f)| \le (d+1)q-d-2(d+1)q+(d+1)^2|{\text {Im}}(f)| \\&= -(d+1)q-d+(d+1)^2|{\text {Im}}(f)|. \end{aligned}$$

Hence

$$\begin{aligned} (d+1)^2|{\text {Im}}(f)| \ge (d+1)q+d \end{aligned}$$

and

$$\begin{aligned} |{\text {Im}}(f)|\ge \left\lceil \frac{(d+1)q+d}{(d+1)^2}\right\rceil = \left\lceil \frac{q}{d+1}+\frac{d}{(d+1)^2}\right\rceil , \end{aligned}$$

proving (5). Now let

$$\begin{aligned}|{\text {Im}}(f)| = \frac{q+\varepsilon }{d+1}\end{aligned}$$

for some \(\varepsilon \). Then (5) forces \(\varepsilon \ge 1\). To complete the proof note that

$$\begin{aligned} \sum _{y\in {\text {Im}}(f)}(\omega (y)-(d+1))^2&\le -(d+1)q-d+(d+1)^2\frac{q+\varepsilon }{d+1}\\&= \varepsilon d -d + \varepsilon =(d+1)(\varepsilon -1) + 1. \end{aligned}$$

\(\square \)

The lower bound in Theorem 2 is sharp. Indeed if \(d+1\) is a divisor of \(q-1\), then the map \(m(x)= x^{d+1}\) reaches the lower bound of Theorem 2 and it is d-uniform. To see that m(x) is d-uniform observe that for any non-zero a the difference map \(m(x+a)-m(x) = (x+a)^{d+1}-x^{d+1}\) has degree d and if \(\theta \ne 1\) with \(\theta ^{d+1}=1\) then \(x:= (\theta -1)^{-1}\) satisfies \((x+1)^{d+1}-x^{d+1} =0\).

Equation (6) shows that a d-uniform map having small image set is close to being \((d+1)\)-to-1. For \(\varepsilon =1\), for instance, Eq. (6) implies that only one element in \({\text {Im}}(f)\) does not have exactly \(d+1\) preimages. The following observation quantifies the relation between d and \(\varepsilon \). Let \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) and

$$\begin{aligned}|{\text {Im}}(f)| = \frac{q+\varepsilon }{d+1},\end{aligned}$$

where \(d\ge 1\) and \(\varepsilon \in \mathbb {Z}\). Define

$$\begin{aligned} D = \{y\in {\text {Im}}(f): \omega (y)\ne d+1\}. \end{aligned}$$

Then we have

$$\begin{aligned} q = \sum _{y\in {\text {Im}}(f)} \omega (y) = \sum _{y\in {\text {Im}}(f)\setminus D} \omega (y) + \sum _{y\in D} \omega (y) = \left( \frac{q+\varepsilon }{d+1}-|D|\right) (d+1) + \sum _{y\in D} \omega (y), \end{aligned}$$

implying

$$\begin{aligned} \sum _{y\in D}\omega (y) = |D|(d+1)-\varepsilon . \end{aligned}$$
(7)

The next result provides further information on the possible preimage distribution of a d-uniform map. It is a generalization of [20, Theorem 1].

Proposition 1

Let \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) be d-uniform. Then

$$\begin{aligned} \sum _{r=1}^d r(d+1-r)M_r(f)\ge d \end{aligned}$$
(8)

and

$$\begin{aligned} \sum _{r=1}^{d+1}r(d+2-r)M_r(f) \ge q+d. \end{aligned}$$
(9)

The equality in (8) holds if and only if \(N(f)=(d+1)q-d\) and \(M_r(f)=0\) for all \(r \ge d+2\); and the equality in (9) holds if and only if \(N(f)=(d+1)q-d\) and \(M_r(f)=0\) for \(r>d+2\). The latter case reduces to

$$\begin{aligned} \sum _{r=1}^d r(d+1-r)M_r(f) = (d+2)M_{d+2}(f)+d. \end{aligned}$$

Proof

Let m be the degree of f. By Corollary 1, we have \(N(f)\le (d+1)q-d\). Using (2) and (3) we get

$$\begin{aligned} \sum _{r=1}^m r^2M_r(f) = N(f) \le (d+1)q-d = (d+1)\sum _{r=1}^m rM_r(f) - d, \end{aligned}$$

so that

$$\begin{aligned} \sum _{r=1}^{d+1} (r(d+1)-r^2)M_r(f) -d\ge \sum _{r=d+2}^m (r^2-(d+1)r)M_r(f). \end{aligned}$$
(10)

As the right-hand side is non-negative, we have

$$\begin{aligned} \sum _{r=1}^d r(d+1-r)M_r(f)\ge d, \end{aligned}$$

with equality if and only if \(M_r(f)=0\) for all \(r \ge d+2\) and \(N(f) = (d+1)q-d\). Note that for \(r\ge d+2\), it holds that \(r^2-(d+1)r\ge r\), so that (10) turns into

$$\begin{aligned} \sum _{r=1}^{d+1} r(d+1-r)M_r(f)\ge \sum _{r=d+2}^m (r^2-(d+1)r)M_r(f)+d\ge \sum _{r=d+2}^m rM_r(f) + d. \end{aligned}$$
(11)

Adding \(\sum _{r=1}^{d+1}rM_r(f)\) on both sides of (11) and using (2) gives

$$\begin{aligned} \sum _{r=1}^{d+1} r(d+2-r)M_r(f) \ge \sum _{r=1}^m rM_r(f) +d = q+d. \end{aligned}$$

For equality to hold, we need equality in (11). The first equality in (11) holds if and only if \(N(f)=(d+1)q-d\), the second equality holds if and only if

$$\begin{aligned} \sum _{r=d+2}^m (r^2-(d+1)r)M_r(f) = \sum _{r=d+2}^m rM_r(f), \end{aligned}$$

that is \(M_r(f)=0\) for \(r> d+2\). In that case

$$\begin{aligned} \sum _{r=1}^d r(d+1-r)M_r(f) = (d+2)M_{d+2}(f)+d. \end{aligned}$$

\(\square \)

Next, we demonstrate a few applications of Theorem 2.

Corollary 2

Let \(d+1\) be a divisor of \(q-1\) and \(f:\mathbb {F}_q\rightarrow \mathbb {F}_q\) be \((d+1)\)-divisible and d-uniform. Then f is almost-\((d+1)\)-to-1.

Proof

Since f is \((d+1)\)-divisible, we have \(|{\text {Im}}(f)|\le \frac{q-1}{d+1} +1 = \frac{q+d}{d+1}\). By Theorem 2 we have \(|{\text {Im}}(f)|\ge \frac{q+d}{d+1}\) and therefore \(|{\text {Im}}(f)|= \frac{q+d}{d+1}\), implying that f is almost-\((d+1)\)-to-1. \(\square \)

For a non-zero \(a\in \mathbb {F}_q\) we define

$$\begin{aligned}D_a(f):= \{f(x+a)-f(x) : x\in \mathbb {F}_q\},\end{aligned}$$

which we call a differential set of f in direction a. It is well-known and easy to see that the differential sets of quadratic maps are \(\mathbb {F}_p\)-affine subspaces. The next result shows, among other properties, that the differential sets of \((d+1)\)-divisible DO polynomials are \(\mathbb {F}_p\)-linear subspaces. Lemma 3 can be partly deduced from Proposition 3 and Corollary 1 and their proofs in [13]. We include its proof for the convenience of the reader.

Lemma 3

Let \(q=p^n\) with p prime, \(d+1\) be a divisor of \(q-1\) and \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) be a \((d+1)\)-divisible DO polynomial which is almost-\((d+1)\)-to-1. Then

  (a) f is zero-difference d-balanced;

  (b) f is d-uniform and all its differential sets are \(\mathbb {F}_p\)-linear subspaces;

  (c) \(d=p^i\) for some \(i\ge 0\).

Proof

First we prove statements (a) and (b): Since f is a DO polynomial, it is d-uniform if it is zero-difference d-balanced. Next, we show that for any non-zero a the equation \(f_a(x) = f(x+a)-f(x) =0\) has a solution (equivalently, \(D_a(f)\) is a linear subspace). Indeed, let \(1\ne \theta \in \mathbb {F}_q\) be a zero of \(x^{d+1}-1\) and set \(x=(\theta -1)^{-1}a\). This x fulfills \(x+a = \theta x\), and hence \(f_a(x) = f(\theta x)-f(x) =0\). In particular, \(f_a(x)=0\) has at least d solutions. On the other hand, since f is \((d+1)\)-divisible and almost-\((d+1)\)-to-1, the equation \(f(x+a)=f(x)\) is fulfilled if and only if \(x+a = \theta x\) for an element \(\theta \) satisfying \(\theta ^{d+1}=1\). This implies that a solution x must be given by \(a(\theta -1)^{-1}\). Hence there are at most d solutions for \(f_a(x)=0\).

The statement in (c) follows from (b). Indeed, the differential sets of f are linear subspaces of size \(p^n/d\), and hence \(d=p^i\) for some \(i \ge 0\). \(\square \)

A fascinating property of DO planar polynomials proved in [20, 38] is: A DO polynomial is planar if and only if it is almost-2-to-1. Observe that for an odd q a DO polynomial is always 2-divisible. Corollary 1 in [13] proves an analog of this result for the d-uniform case; Corollary 3 is a reformulation of it using the terminology introduced in this paper.

Corollary 3

Let \(d+1\) be a divisor of \(q-1\). A \((d+1)\)-divisible DO polynomial f is d-uniform if and only if f is almost-\((d+1)\)-to-1.

Proof

It follows directly from Corollary 2 and Lemma 3. \(\square \)

3 Image sets of APN maps of binary finite fields

In the following sections we study the image sets of APN maps on binary fields. Such maps are of particular interest because of their applications in cryptography and combinatorics. For an APN map \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\), the lower bound of Theorem 2 reduces to

$$\begin{aligned} |{\text {Im}}(f)|\ge {\left\{ \begin{array}{ll} \frac{2^n+1}{3} &{} n \text { is odd,} \\ \frac{2^n+2}{3} &{} n \text { is even}. \end{array}\right. } \end{aligned}$$
(12)

The first published proof for (12) appears in [14, Lemma 5], where a lower bound on the differential uniformity via image set size is presented. Since the study of image sets of APN maps was not a goal of [14], the lower bound in it remained unnoticed by most researchers on APN maps. A systematic study of the image sets of APN maps originated in [22]. Lower bound (12) is proved there by methods of linear programming, which is a novel approach for studying image sets of maps on finite fields. The arguments proving Lemma 5 in [14] are similar to ours presented for Lemmas 1 and 2. These are more or less standard for studying image sets of maps with special additive properties on finite sets, see [28, 32, 34, 37]. The ideas from [14, 22] are developed further in [15], especially to compare APN maps with affine ones.

Results of Sect. 2 show that APN maps meeting (12) must have a very special preimage distribution. For the APN maps on \(\mathbb {F}_{2^n}\), Proposition 1 reduces to:

Corollary 4

Let \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) be APN. Then

  (a) $$\begin{aligned} M_1(f)+M_2(f)\ge 1, \end{aligned}$$

    and hence there is at least one element with exactly 1 or 2 preimages. For n even, the inequality is sharp if and only if f is almost-3-to-1. For n odd, the inequality is sharp if and only if there is a unique element in \({\text {Im}}(f)\) with exactly two preimages and the remaining elements have exactly three preimages.

  (b) $$\begin{aligned} 3M_1(f) + 4M_2(f) + 3M_3(f) \ge 2^n+2. \end{aligned}$$

    The equality holds if and only if \(N(f)=3\cdot 2^n-2\) and \(M_r(f)=0\) for \(r>4\), in which case

    $$\begin{aligned} M_1(f)+M_2(f) = 2M_4(f)+1. \end{aligned}$$

Proof

The inequalities as well as the equality case in (b) follow directly from Proposition 1. Let \(M_1(f)+M_2(f) = 1\). Then \(M_r(f) = 0\) for every \(r\ge 4\) by Proposition 1. To complete the proof note that the value \(2^n \pmod 3\) forces \((M_1(f),M_2(f)) =(1,0)\) resp. \((M_1(f),M_2(f)) =(0,1)\) depending on the parity of n. \(\square \)

The observation that an APN map must have at least one element with exactly 1 or 2 preimages was already given in [22].

Corollary 4 along with identity (7) and inequality (6) yield the possible preimage distributions of an APN map meeting lower bound (12). Recall that for \(a \in \mathbb {F}_{2^n}\) we denote by \(\omega (a)\) the size of the set \(f^{-1}(\{a\})\).

Theorem 3

Let \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n} \) be APN.

If n is odd and

$$\begin{aligned}|{\text {Im}}(f)| = \frac{2^n+1}{3},\end{aligned}$$

then \(\omega (y_0)=2\) for one element \(y_0\in {\text {Im}}(f)\) and \(\omega (y)=3\) for \(y\in {\text {Im}}(f)\setminus \{y_0\}\).

If n is even and

$$\begin{aligned}|{\text {Im}}(f)| = \frac{2^n+2}{3},\end{aligned}$$

then one of the following cases must occur:

  1. \(\omega (y_0)=1\) for one element \(y_0\in {\text {Im}}(f)\) and \(\omega (y)=3\) for all \(y\in {\text {Im}}(f)\setminus \{y_0\}\), that is f is almost-3-to-1.

  2. \(\omega (y_i)=2\) for two elements \(y_0, y_1\in {\text {Im}}(f)\) and \(\omega (y)=3\) for all \(y\in {\text {Im}}(f)\setminus \{y_0, y_1\}\).

  3. \(\omega (y_i)=2\) for three elements \(y_0, y_1, y_2\in {\text {Im}}(f)\), \(\omega (y_3)=4\) for a unique \(y_3\in {\text {Im}}(f)\setminus \{y_0, y_1, y_2\}\) and \(\omega (y)=3\) for all \(y\in {\text {Im}}(f)\setminus \{y_0, \ldots , y_3\}\).

Proof

We apply (6) and (7) to prove the statements on the preimage distribution. Set \(D = \{y\in {\text {Im}}(f): \omega (y)\ne 3\}\). If n is odd, by (6) we get

$$\begin{aligned}\sum _{y\in D}(\omega (y)-3)^2 \le 1.\end{aligned}$$

Hence there is at most one \(y_0 \in {\text {Im}}(f)\) such that \(\omega (y_0)\ne 3\) and it must satisfy \(\omega (y_0) \in \{2,4\}\). Corollary 4 completes the proof. Let n be even. Then from (6) and (7) we get

$$\begin{aligned} \sum _{y\in D}(\omega (y)-3)^2 \le 4 \end{aligned}$$
(13)

and

$$\begin{aligned} \sum _{y\in D}\omega (y) = 3|D|-2. \end{aligned}$$
(14)

Clearly, if \(|D|=1\), then f is almost-3-to-1. If \(|D|=2\), then \(\omega (y)=2\) for every \(y \in D\). Note that \(|D|=3\) is not possible, since \(\omega (y)\in \{2,4\}\) for all \(y \in D\), contradicting Eq. (14) since \(3|D|-2\) is odd in this case. If \(|D|=4\), we have again \(\omega (y)\in \{2,4\}\) for all \(y \in D\) and the only solution to Eq. (14) is \(\omega (y)=2\) for 3 elements and \(\omega (y)=4\) for one element. \(|D|>4\) violates Eq. (13), so we exhausted all possibilities. \(\square \)

The APN monomials meet lower bound (12) when n is even. We present several further such families later in this paper. In fact, it turns out that for even n many of the known infinite families of APN maps satisfy the lower bound with equality. All of these examples of APN maps are almost-3-to-1.

Open Problem 1

Let n be even and \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n} \) be an APN map with \(|{\text {Im}}(f)| = (2^n+2)/3\). Can f have the preimage distribution described in case 2. or 3. of Theorem 3?

Numerical results suggest that there are no APN maps meeting (12) for n odd. We show later in this paper that the image sizes of almost bent maps never fulfill this lower bound. The APN maps with smallest sizes which we found are

  • for \(n=7\) the map \(x \mapsto x^3+x^{64}+x^{16}+x^4\) with the image size \(57=2^6-7\);

  • for \(n=11\) the map \(x \mapsto x^3 +x^{256} \) with the image size \(1013=2^{10}-11\).

In [22], it is shown that the APN binomial \(b(x)= x^3+x^4\) is 2-to-1 if n is odd. This binomial is studied in [26]: Among other results, it is shown there that for an even n the image set of \(b(x)=x^3+x^4\) satisfies \(M_1(b) = 2(2^n-1)/3, ~ M_2(b)=1\) and \(M_4(b)=(2^n-4)/12\), and hence \(|{\text {Im}}(b)|= 3\cdot 2^{n-2}\).

Lower bound (12) can be used to prove several structural results for APN maps. For example, it gives an easy proof for the following well-known property of monomial APN maps.

Corollary 5

Let \(q=2^n\) and \(f(x)=x^k\) be APN on \(\mathbb {F}_{q}\). Then \(\gcd (k, q-1)=1\) if n is odd and \(\gcd (k, q-1)=3\) if n is even.

Proof

Since

$$\begin{aligned}|{\text {Im}}(f)\setminus \{0\}| = \frac{q-1}{\gcd (k, q-1)},\end{aligned}$$

we get with (12) that \(\gcd (k, q-1)\le 3\). For n odd, we get \(\gcd (k, q-1)=1\). Now let n be even and \(\gcd (k, q-1)=1\). Then f is an APN permutation on all subfields of \(\mathbb {F}_q\). In particular, it must be an APN permutation on \(\mathbb {F}_4\). It is easy to check that such a permutation does not exist. Hence \(\gcd (k, q-1)=3\). \(\square \)

Next, we present an interesting consequence of (12) which could be helpful for performing numerical searches as well as theoretical studies of 3-divisible APN polynomials. In particular, it could be used for classifying exceptional APN 3-divisible polynomials.

Corollary 6

Let \(n=2^im\) with \(i\ge 1\) and \(m\ge 3\) odd. Suppose \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) is a 3-divisible APN polynomial over the subfield \(\mathbb {F}_{2^m}\), that is \(f \in \mathbb {F}_{2^m}[x]\). Then f is an APN permutation on the subfield \(\mathbb {F}_{2^m}\).

Proof

Note that since the coefficients of f are from the subfield \(\mathbb {F}_{2^m}\), it defines an APN map on \(\mathbb {F}_{2^m}\). Further, since f is APN and 3-divisible, it is almost-3-to-1 on \(\mathbb {F}_{2^n}\) by (12). Moreover, \(f(x)=f(\theta x)=f(\theta ^2 x)\) for \(\theta \in \mathbb {F}_4\setminus \mathbb {F}_2\) and any \(x \in \mathbb {F}_{2^n}\). The statement now follows from the fact that \(\mathbb {F}_4\) is not contained in \(\mathbb {F}_{2^m}\). \(\square \)

The following characterization for APN 3-divisible DO polynomials is a direct consequence of Corollary 3:

Corollary 7

Let n be even and \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be a 3-divisible DO polynomial. Then f is APN if and only if f is almost-3-to-1.

We take a closer look at 3-divisible APN maps in the next section.

Next, we show that Zhou-Pott APN quadratic maps, constructed in [39], provide examples of almost-3-to-1 APN maps which are not 3-divisible.

Theorem 4

Let \(m, i\ge 2\) even, \(\gcd (k, m)=1\) and \(\alpha \in \mathbb {F}_{2^m}\) not a cube.

  1. (a)

    Let \(f:\mathbb {F}_{2^m}\times \mathbb {F}_{2^m}\rightarrow \mathbb {F}_{2^m}\times \mathbb {F}_{2^m}\) be defined by

    $$\begin{aligned} f(x,y) = (x^{2^k+1}+\alpha y^{(2^k+1)2^i}, xy). \end{aligned}$$
    (15)

    Then

    1. (a1)

      f is almost-3-to-1. More precisely, for a given \((u,v) \in \mathbb {F}_{2^m}\times \mathbb {F}_{2^m}\), it holds \(f(x,y) = f(u,v)\) if and only if \((x,y)=(\theta u, \theta ^2 v)\) with \(\theta \in \mathbb {F}_4^*\).

    2. (a2)

      The map corresponding to \(f(x,y)\) on \(\mathbb {F}_{2^{2m}}\) has a univariate representation which is not a DO polynomial.

    3. (a3)

      f is an APN map with the classical Walsh spectrum.

  2. (b)

    Let \(g:\mathbb {F}_{2^m}\times \mathbb {F}_{2^m}\rightarrow \mathbb {F}_{2^m}\times \mathbb {F}_{2^m}\) be given by

    $$\begin{aligned} g(x,y) = (x^{2^k+1}+\alpha y^{2^k+1}, xy^{2^{m-i}}). \end{aligned}$$
    (16)

    Then

    1. (b1)

      g is almost-3-to-1.

    2. (b2)

      The map corresponding to \(g(x,y)\) on \(\mathbb {F}_{2^{2m}}\) has a univariate representation which is a DO polynomial that is not 3-divisible.

    3. (b3)

      g is an APN map with the classical Walsh spectrum.

Proof

Note that \(\gcd (2^{2m}-1, 2^k+1) =3\) and 3 is a divisor of both \(2^m-1\) and \(2^i-1\).

  1. (a)

    Let \((x,y),(u,v)\in \mathbb {F}_{2^m}\times \mathbb {F}_{2^m}\) with \(f(x,y)=f(u,v)\). Then we have

    $$\begin{aligned} x^{2^k+1}+\alpha y^{(2^k+1)2^i}&= u^{2^k+1}+\alpha v^{(2^k+1)2^i} \\ xy&= uv. \end{aligned}$$

    First suppose \(v=0\), and hence \(x=0\) or \(y=0\). For \(x=0\), we get

    $$\begin{aligned} \alpha y^{(2^k+1)2^i} = u^{2^k+1}, \end{aligned}$$

    which forces \(y=u=0\), since \(\alpha \) is a non-cube. For \(x, u \ne 0\) and \(y=0\) we get

    $$\begin{aligned} x^{2^k+1} = u^{2^k+1}, \end{aligned}$$

    which is satisfied if and only if \(x = \theta u\) with \(\theta \in \mathbb {F}_4^*\). Now let \(v\ne 0\). Setting \(u=\frac{xy}{v}\) and rearranging the first equation we get

    $$\begin{aligned} x^{2^k+1}+\left( \frac{xy}{v}\right) ^{2^k+1} = \alpha (y^{2^k+1}+v^{2^k+1})^{2^i} \end{aligned}$$

    or equivalently

    $$\begin{aligned} x^{2^k+1}\left( 1+\left( \frac{y}{v}\right) ^{2^k+1}\right) = \alpha v^{(2^k+1)2^i}\left( 1+\left( \frac{y}{v}\right) ^{2^k+1}\right) ^{2^i}. \end{aligned}$$

    If \(1+\left( \frac{y}{v}\right) ^{2^k+1}\ne 0\), we can divide by it and obtain

    $$\begin{aligned} x^{2^k+1} = \alpha v^{(2^k+1)2^i}\left( 1+\left( \frac{y}{v}\right) ^{2^k+1}\right) ^{2^i-1}. \end{aligned}$$
    (17)

    Note that (17) has no solution, since \(x^{2^k+1}\), \( v^{(2^k+1)2^i}\) and \(\left( 1+\left( \frac{y}{v}\right) ^{2^k+1}\right) ^{2^i-1}\) are all cubes and \(\alpha \) is not a cube. Finally, observe that \(\left( \frac{y}{v}\right) ^{2^k+1}= 1\) holds if and only if \(y =\theta v\) with \(\theta \in \mathbb {F}_4^*\). This completes the proof for (a1). Next, we show (a2), that the map on \(\mathbb {F}_{2^{2m}}\) corresponding to \(f(x,y)\) is not given by a univariate DO polynomial. Let \((u_1, u_2)\) be an ordered basis of \(\mathbb {F}_{2^{2m}}\) over \(\mathbb {F}_{2^m}\) and \((v_1, v_2)\) its dual basis. Then an element z of \(\mathbb {F}_{2^{2m}}\) has the representation \((v_1z+\overline{v_1z})u_1 + (v_2z+\overline{v_2z})u_2\), where \(\overline{a} = a^{2^m}\). Thus we get

    $$\begin{aligned} f(z)&= f(v_1z+\overline{v_1z}, v_2z+\overline{v_2z}) \\&= \left( (v_1z+\overline{v_1z})^{2^k+1}+\alpha (v_2z+\overline{v_2z})^{(2^k+1)2^i}\right) u_1 \\&\quad + (v_1z+\overline{v_1z})\cdot (v_2z+\overline{v_2z}) u_2 \\&= \ldots +( (v_1\overline{v_2} + \overline{v_1}v_2)z^{2^m+1}+ v_1v_2z^2 + \overline{v_1v_2}z^{2\cdot 2^m})u_2. \end{aligned}$$

    Since \(k\ne 0\), there will be no term \(z^2\) in the summand for \(u_1\), and hence the polynomial f(z) contains a non-zero term with \(z^2\), showing that it is not a DO polynomial. Finally, (a1) and Theorem 1 imply (a3).

  2. (b)

    Note that \(g(x,y)\) is obtained from \(f(x,y)\) by a linear bijective transformation \((x,y) \mapsto (x, y^{2^{m-i}})\). In particular, \(g(x,y)\) is almost-3-to-1, too. Next, we describe the univariate representation of the map on \(\mathbb {F}_{2^{2m}}\) corresponding to \(g(x,y)\). Again, let \((u_1, u_2)\) be a basis of \(\mathbb {F}_{2^{2m}}\) over \(\mathbb {F}_{2^m}\) and \((v_1, v_2)\) its dual basis. Then we get

    $$\begin{aligned} g(z)&= g(v_1z+\overline{v_1z}, v_2z+\overline{v_2z}) \\&= \left( (v_1z+\overline{v_1z})^{2^k+1}+\alpha (v_2z+\overline{v_2z})^{(2^k+1)}\right) u_1 \\&\quad + (v_1z+\overline{v_1z})\cdot (v_2z+\overline{v_2z})^{2^{m-i}} u_2, \end{aligned}$$

    which is a DO polynomial. Finally, note that \(g(x,y) \ne g(\theta x, \theta y)\) for \(\theta \in \mathbb {F}_4 \setminus \mathbb {F}_2\), and hence the DO polynomial g(z) is not 3-divisible, proving (b2). Theorem 1 and (b1) yield (b3). \(\square \)

The property that the Zhou-Pott APN maps have the classical Walsh spectrum is proved in [1] using Bezout’s theorem on intersection points of two projective plane curves. We would like to note however that the proof method of [1] applies to a larger family of APN maps, including examples which are not almost-3-to-1.

In [13] a map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) is called \(\delta \)-vanishing if for any non-zero a the equation \(f(x+a)-f(x) =0\) has \(t_a\) solutions, where \( 0 < t_a \le \delta \). Note that any zero-difference d-balanced map is d-vanishing. Problem 1 in [13] asks whether any quadratic \(\delta \)-vanishing map must be d-divisible with a suitable d. Theorem 4 shows that the answer to this question is negative. Indeed, the Zhou-Pott maps \(f(x,y)\) and \(g(x,y)\) are quadratic APN maps which are not 3-divisible. These maps are almost-3-to-1 and hence \(N(f)=N(g)=3q-2\), and then by Corollary 1 they are zero-difference 2-balanced.

The Zhou-Pott construction of APN maps was recently generalized in [24]. Next, we use Theorem 1 to show that the APN maps of this construction are almost-3-to-1 as well, and hence they have the classical Walsh spectrum.

Theorem 5

Define the following maps on \(\mathbb {F}_{2^m} \times \mathbb {F}_{2^m}\)

$$\begin{aligned}f_1(x,y)=(x^{2^k+1}+xy^{2^k}+y^{2^k+1},x^{2^{2k}+1}+x^{2^{2k}}y+y^{2^{2k}+1})\end{aligned}$$

where \(\gcd (3k,m)=1\) and

$$\begin{aligned}f_2(x,y)=(x^{2^k+1}+xy^{2^k}+y^{2^k+1},x^{2^{3k}}y+xy^{2^{3k}}),\end{aligned}$$

where \(\gcd (3k,m)=1\) and m is odd. Then \(f_1\) and \(f_2\) are almost-3-to-1 APN maps with the classical Walsh spectrum.

Proof

The APN property of these maps was proven in [24]. For the rest, we check the conditions of Theorem 1. The first condition is clearly satisfied in both cases. We start with \(f_1\): Direct computations show that

$$\begin{aligned} f_1(y,x+y)&= (y^{2^k+1}+y(x+y)^{2^k}+(x+y)^{2^k+1},y^{2^{2k}+1}+y^{2^{2k}}(x+y)+(x+y)^{2^{2k}+1}) \\&=(x^{2^k+1}+xy^{2^k}+y^{2^k+1},x^{2^{2k}+1}+x^{2^{2k}}y+y^{2^{2k}+1})=f_1(x,y). \end{aligned}$$

A similar calculation yields \(f_1(x,y)=f_1(x+y,x)\). Thus every \(y \in {\text {Im}}(f_1)\setminus \{0\}\) has at least three preimages. Both conditions of Theorem 1 are satisfied for \(f_1\), completing the proof for \(f_1\). Consider now \(f_2\): Similarly to the first case, we have

$$\begin{aligned} f_2(y,x+y)&=(y^{2^k+1}+y(x+y)^{2^k}+(x+y)^{2^k+1},y^{2^{3k}}(x+y)+y(x+y)^{2^{3k}}) \\&=(x^{2^k+1}+xy^{2^k}+y^{2^k+1},x^{2^{3k}}y+xy^{2^{3k}})=f_2(x,y), \end{aligned}$$

and similarly \(f_2(x,y)=f_2(x+y,x)\), so both conditions of Theorem 1 are again satisfied. \(\square \)

A further large family of inequivalent almost-3-to-1 APN maps has been found by Faruk Göloğlu and the first author, and will be published soon.

4 3-Divisible APN maps

By Corollary 7, every APN DO polynomial \(f'(x^3)\) on \(\mathbb {F}_{2^n}\), n even, is an example with the preimage distribution described in Case 1. of Theorem 3. Prominent examples for such APN maps are \(x\mapsto x^3\) and \(x\mapsto x^3 +{{\,\mathrm{Tr}\,}}(x^9)\). These maps are APN for any n. If n is odd, then \(x\mapsto x^3\) is a permutation and \(x\mapsto x^3 +{{\,\mathrm{Tr}\,}}(x^9)\) is 2-to-1, as we will see later in this section.

The substitution of \(x^3\) in a polynomial of shape \(f'(x) = L_1(x) + L_2(x^3)\), where \(L_1, L_2\) are linearized polynomials, results in a DO polynomial \(f(x) = f'(x^3) = L_1(x^3) + L_2(x^9)\). Hence for even n by Corollary 7 such a map is APN if and only if it is almost 3-to-1. In particular, any permutation of shape \(L_1(x) + L_2(x^3)\) yields directly an APN DO polynomial if n is even. Observe that \(x^3\) and \( x^3+ {{\,\mathrm{Tr}\,}}(x^9)\) are also of this type. These and further APN DO polynomials \(L_1(x^3) + L_2(x^9)\) are studied in [6, 7]. Corollary 7 suggests a unified approach for understanding such APN maps.

The next lemma describes special maps of shape \(L_1(x) + L_2(x^3)\), which are obtained from more general results given in [18, 19]. We apply it to construct and explain APN maps of form \(L_1(x^3) + L_2(x^9)\).

Lemma 4

Let \(\alpha , \beta , \gamma \) be non-zero elements in \(\mathbb {F}_{2^n}\). Further, let \(\gamma \not \in \{ x^2+\alpha x ~|~ x \in \mathbb {F}_{2^n}\}\) and \({{\,\mathrm{Tr}\,}}(\beta \alpha )=1\).

  1. (a)

    Then \( l(x) = x^2 + \alpha x + \gamma {{\,\mathrm{Tr}\,}}(\beta x) \) is a permutation on \(\mathbb {F}_{2^n}\).

  2. (b)

    If n is even, then \( f'(x) = x^2 + \alpha x +\gamma {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^3+\beta x) \) is a permutation on \(\mathbb {F}_{2^n}\).

  3. (c)

    If n is odd, then the map \(h(x) = x + \alpha ^{-1}{{\,\mathrm{Tr}\,}}(\alpha ^3x^3)\) is 2-to-1.

Proof

(a) The map l(x) is bijective by Theorem 5 in [19]. (b) The map \(f'(x)\) is bijective on \(\mathbb {F}_{2^n}\) by Theorem 6 in [19]. (c) follows from Theorem 3 in [18]. \(\square \)

The permutation \(f'(x)\) yields the following family of APN 3-divisible DO polynomials.

Theorem 6

Let \(\alpha , \beta , \gamma \) be non-zero elements in \(\mathbb {F}_{2^n}\) with n even. Further, let \(\gamma \not \in \{ x^2+\alpha x ~|~ x \in \mathbb {F}_{2^n}\}\) and \({{\,\mathrm{Tr}\,}}(\beta \alpha )=1\), then

$$\begin{aligned} f(x) = f'(x^3) = x^6 + \alpha x^3 +\gamma {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^9+\beta x^3) \end{aligned}$$

is APN.

Proof

By Lemma 4 the 3-divisible DO map \(f(x) = f'(x^3)\) is almost 3-to-1, and hence by Corollary 7 it is APN. \(\square \)

An APN map constructed in Theorem 6 is affine equivalent to one of form \(x^3 + \alpha {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^9)\) studied in [7]. Indeed, the map \(f'(x)\) can be written as

$$\begin{aligned} f'(x) = x^2 + \alpha x + \gamma {{\,\mathrm{Tr}\,}}(\beta x) + \gamma {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^3) = l(x)+\gamma {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^3), \end{aligned}$$

where l(x) is linear over \(\mathbb {F}_2\). By Lemma 4, the map l(x) is bijective. Then \(l^{-1}\) composed with \(f'(x)\) yields

$$\begin{aligned} l^{-1} \circ f'(x) = x + {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^3)l^{-1}(\gamma ), \end{aligned}$$

and thus

$$\begin{aligned} l^{-1} \circ f'(x^3) = x^3 + {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^9)l^{-1}(\gamma ) = x^3+\alpha {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^9), \end{aligned}$$
(18)

where for the last equality we used \(l(\alpha ) = \gamma \). Note that this reduction remains true for n odd, showing that the examples of Theorem 6 are APN for any n since \(x^3 + \alpha {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^9)\) are so.

As we mentioned earlier, the polynomials \(x^3\) and \(x^3+{{\,\mathrm{Tr}\,}}(x^9)\) define APN maps on \(\mathbb {F}_{2^n}\) for odd and even n. For n odd, the first map is a permutation and the second is 2-to-1, as the next proposition shows.

Proposition 2

Let \(\alpha , \beta , \gamma \) be non-zero elements in \(\mathbb {F}_{2^n}\) with n odd. Further, let \(\gamma \not \in \{ x^2+\alpha x ~|~ x \in \mathbb {F}_{2^n}\}\) and \({{\,\mathrm{Tr}\,}}(\beta \alpha )=1\), then

$$\begin{aligned} f(x) = x^6 + \alpha x^3 +\gamma {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^9+\beta x^3) \end{aligned}$$

is APN and 2-to-1.

Proof

Note that the reduction in (18) remains true for n odd, since by Lemma 4 the map l(x) is bijective for n odd. This implies that f(x) is APN, since \(x^3 + \alpha {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^9)\) is so, as shown in [7]. To complete the proof note that \(x^3 + \alpha {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^9) = h(x^3)\), where h(x) is the map considered in Lemma 4(c). \(\square \)

Next, we observe that for n odd there are APN DO polynomials of shape \(L_1(x^3)+L_2(x^9)\), that are neither bijective nor have image size \(2^{n-1}\). For a divisor t of n we denote by \({{\,\mathrm{Tr}\,}}_{2^n/2^t}(x)\) the trace map from \(\mathbb {F}_{2^n}\) into the subfield \(\mathbb {F}_{2^t}\), that is

$$\begin{aligned} {{\,\mathrm{Tr}\,}}_{2^n/2^t}(x) = \sum _{k=0}^{n/t}x^{\left( {2^t}\right) ^k}. \end{aligned}$$

In [7], it is shown that for any non-zero \(a \in \mathbb {F}_{2^{3m}}\), m arbitrary, the DO polynomials

$$\begin{aligned} f(x) = f'(x^3) = x^3+a^{-1}{{\,\mathrm{Tr}\,}}_{2^{3m}/2^3}(a^3x^9+a^6x^{18}) \end{aligned}$$

and

$$\begin{aligned} g(x) = g'(x^3) = x^3+a^{-1}({{\,\mathrm{Tr}\,}}_{2^{3m}/2^3}(a^3x^9+a^6x^{18}))^2 \end{aligned}$$

define APN maps on \(\mathbb {F}_{2^{3m}}\). Moreover, the maps \(f'\) and \(g'\) are bijective when m is even. For m odd, the image sets of these maps contain \(5\cdot 2^{3m-3}\) elements, as Propositions 3 and 4 show.

Proposition 3

Let m be an odd integer and \(a\in \mathbb {F}_{2^{3m}}^*\) be arbitrary. Then the APN map \(f:\mathbb {F}_{2^{3m}} \rightarrow \mathbb {F}_{2^{3m}}\) given by

$$\begin{aligned} f(x) = x^3+a^{-1}{{\,\mathrm{Tr}\,}}_{2^{3m}/2^3}(a^3x^9+a^6x^{18}) \end{aligned}$$

satisfies \(M_1(f) = 2^{3m-1}\), \(M_4(f)=2^{3m-3}\). In particular, \(|{\text {Im}}(f)|=5\cdot 2^{3m-3}\).

Proof

We consider the equation \(f(x)=f(y)\) on \(\mathbb {F}_{2^{3m}}\). Since \(x\mapsto x^3\) is a permutation on \(\mathbb {F}_{2^n}\) with n odd, it is sufficient to look at \(f'(x)=f'(y)\), where

$$\begin{aligned} f'(x) = x+a^{-1}{{\,\mathrm{Tr}\,}}_{2^{3m}/2^3}(a^3x^3+a^6x^6), \end{aligned}$$

and \(f(x)=f'(x^3)\). Suppose \(f'(x)=f'(y)\). Then

$$\begin{aligned} x+a^{-1}{{\,\mathrm{Tr}\,}}_{2^{3m}/2^3}(a^3x^3+a^6x^6) = y+a^{-1}{{\,\mathrm{Tr}\,}}_{2^{3m}/2^3}(a^3y^3+a^6y^6) \end{aligned}$$

or equivalently,

$$\begin{aligned} {{\,\mathrm{Tr}\,}}_{2^{3m}/2^3}(a^3x^3+a^6x^6 + a^3y^3+a^6y^6) = a(x+y). \end{aligned}$$
(19)

In particular, \(f'(x) = f'(y)\) only if \(a(x+y) \in \mathbb {F}_8\). Let \(z=x+y\). Taking the absolute trace on both sides of (19), we get

$$\begin{aligned} {{\,\mathrm{Tr}\,}}_{2^3/2}(az)={{\,\mathrm{Tr}\,}}_{2^{3m}/2}(a^3x^3+(a^3x^3)^2 + a^3(x+z)^3+(a^3(x+z)^3)^2) = 0. \end{aligned}$$

Let \(\beta \in \mathbb {F}_8\) with \(\beta ^3=\beta +1\), then

$$\begin{aligned} {{\,\mathrm{Tr}\,}}_{2^3/2}(\beta )={{\,\mathrm{Tr}\,}}_{2^3/2}(\beta ^2)={{\,\mathrm{Tr}\,}}_{2^3/2}(\beta ^4)=0, \end{aligned}$$

so that

$$\begin{aligned} az\in \{0, \beta , \beta ^2, \beta ^4\}. \end{aligned}$$

If \(az=0\) we have \(z=0\) and \(x=y\). So let \(z=a^{-1}\beta ^k\) with \(k\in \{1,2,4\}\). Note that \(x\mapsto x^k\) is a linear permutation on \(\mathbb {F}_{2^{3m}}\). We have

$$\begin{aligned}&a^3x^3+a^6x^6+a^3(x+z)^3+a^6(x+z)^6 \\&\quad =a^3x^3+a^6x^6+a^3(x^3+x^2z+xz^2+z^3)+a^6(x^6+x^4z^2+x^2z^4+z^6)\\&\quad =a^3x^2z+a^3xz^2+a^3z^3+a^6x^4z^2+a^6x^2z^4+a^6z^6 \\&\quad =a^2x^2\beta ^k+ax\beta ^{2k}+\beta ^{3k}+a^4x^4\beta ^{2k}+a^2x^2\beta ^{4k}+\beta ^{6k} \\&\quad =(\beta ^{3k}+\beta ^{6k})+ax\beta ^{2k}+a^2x^2(\beta ^k+\beta ^{4k})+a^4x^4\beta ^{2k}. \end{aligned}$$

As \(\beta ^3=\beta +1\), we get \(\beta ^6=\beta ^2+1\) and therefore \(\beta ^3+\beta ^6=\beta ^2+\beta =\beta ^4\). Further, \(\beta +\beta ^4=\beta ^2\), so that

$$\begin{aligned} a^3x^3+a^6x^6+a^3(x+z)^3+a^6(x+z)^6 =\beta ^{4k}+\beta ^{2k}(ax+(ax)^2+(ax)^4). \end{aligned}$$
(20)

We now need to ensure that (19) holds. Using (20) and m odd this turns into

$$\begin{aligned} \beta ^k&={{\,\mathrm{Tr}\,}}_{2^{3m}/2^3}(\beta ^{4k}+\beta ^{2k}(ax+(ax)^2+(ax)^4)) \\&=\beta ^{4k}+\beta ^{2k}{{\,\mathrm{Tr}\,}}_{2^{3m}/2^3}(ax+(ax)^2+(ax)^4) = \beta ^{4k}+\beta ^{2k}{{\,\mathrm{Tr}\,}}_{2^{3m}/2}(ax). \\&=(\beta ^4+\beta ^2{{\,\mathrm{Tr}\,}}_{2^{3m}/2}(ax))^k \end{aligned}$$

Using again that \(x\mapsto x^k\) is a permutation and that \(\beta ^4=\beta ^2+\beta \) we obtain

$$\begin{aligned} \beta ^2({{\,\mathrm{Tr}\,}}_{2^{3m}/2}(ax)+1)=0, \end{aligned}$$

which has a solution x if and only if \({{\,\mathrm{Tr}\,}}_{2^{3m}/2}(ax)=1\).

Concluding, we have \(f'(x)=f'(x+z)\) if and only if \({{\,\mathrm{Tr}\,}}_{2^{3m}/2}(ax)=1\) and \(z\in \{0, a^{-1}\beta , a^{-1}\beta ^2, a^{-1}\beta ^4\}\). Since there are \(2^{3m-1}\) elements x with \({{\,\mathrm{Tr}\,}}_{2^{3m}/2}(ax)=1\), we get \(M_4(f)=2^{3m-3}\). The map \(f'\) is injective on the hyperplane \(\{x \in \mathbb {F}_{2^{3m}} ~|~ {{\,\mathrm{Tr}\,}}_{2^{3m}/2}(ax)=0 \}\), yielding \(M_1(f)=2^{3m-1}\). \(\square \)

The proof of the next result is almost identical to the one of Proposition 3:

Proposition 4

Let m be an odd integer and \(a\in \mathbb {F}_{2^{3m}}^*\) be arbitrary. Then the APN map \(g:\mathbb {F}_{2^{3m}} \rightarrow \mathbb {F}_{2^{3m}}\) given by

$$\begin{aligned} g(x) = x^3+a^{-1}{{\,\mathrm{Tr}\,}}_{2^{3m}/2^3}(a^3x^9+a^6x^{18})^2 \end{aligned}$$

satisfies \(M_1(g) = 2^{3m-1}\), \(M_4(g)=2^{3m-3}\). In particular, \(|{\text {Im}}(g)|=5\cdot 2^{3m-3}\).

5 Image sets of component-wise plateaued maps

The next theorem shows that almost-\((2^r+1)\)-to-1 component-wise plateaued maps have a very special Walsh spectrum. The key step in its proof is the fact that the components of such maps have weights divisible by \({2^r+1}\). This together with Lemma 5 and some basic identities for Walsh values allows us to control the Walsh spectrum of f. Our proof is an adaptation of the one of Theorem 2 from [13], where \((p^r+1)\)-divisible quadratic maps of finite fields with an arbitrary characteristic p are considered. The following fact is well known.

Lemma 5

Let \(i,r \in \mathbb {N}\) be arbitrary. Then

  • \(\gcd (2^i-1,2^r+1) = {\left\{ \begin{array}{ll} 2^{\gcd (i,r)} +1 &{} \text {if } i/\gcd (i,r) \text { is even} \\ 1 &{} \text {else.} \end{array}\right. }\)

  • \(\gcd (2^i+1,2^r+1) = {\left\{ \begin{array}{ll} 2^{\gcd (i,r)} +1 &{} \text {if } i/\gcd (i,r) \text { and } r/\gcd (i,r)\text { are odd} \\ 1 &{} \text {else.} \end{array}\right. }\)

Theorem 7

Let \(n=2rm\) and \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be an almost-\((2^r+1)\)-to-1 component-wise plateaued map with \(f(0)=0\) and \(\omega (0)=1\), i.e. 0 is the unique element with precisely one preimage. Then f has \((2^r/(2^r+1))\cdot (2^n-1)\) bent components and \((2^n-1)/(2^r+1)\) components with amplitude \(t=2r\). Moreover,

$$\begin{aligned} W_f(b,0) \in \{(-1)^{m}2^{rm},(-1)^{m+1}2^{r(m+1)}\} \end{aligned}$$

for any \(b \in \mathbb {F}_{2^n}^*\).

Proof

Let \(b\in \mathbb {F}_{2^n}^*\) be arbitrary. Since f is component-wise plateaued, \(W_f(b,0)\) takes the values 0 or \(\pm 2^{rm+s}\) with \(s\ge 0\). Note that since f is almost-\((2^r+1)\)-to-1 with \(f(0)=0\) and \(\omega (0)=1\), the value \(|\{x \in \mathbb {F}_{2^n}^* :{{\,\mathrm{Tr}\,}}(bf(x))=c\}|\) is divisible by \(2^r+1\) for any \(c \in \mathbb {F}_2\). Thus

$$\begin{aligned} W_f(b,0)= & {} |\{x \in \mathbb {F}_{2^n}^* :{{\,\mathrm{Tr}\,}}(bf(x))=0\}|-|\{x \in \mathbb {F}_{2^n}^* :{{\,\mathrm{Tr}\,}}(bf(x))=1\}|+1 \\\equiv & {} 1 \pmod {2^r+1}. \end{aligned}$$

This shows, in particular, that \(W_f(b,0) \ne 0\). Further, by Lemma 5, \(2^{rm+s} \equiv 1 \pmod {2^r+1}\) if and only if r|s and \(m+(s/r)\) is even. Similarly, \(-2^{rm+s} \equiv 1 \pmod {2^r+1}\) if and only if r|s and \(m+(s/r)\) is odd. Hence \(W_f(b,0) =(-1)^{m+k}2^{r(m+k)}\) for a suitable \(k\ge 0\). Define

$$\begin{aligned} N_k=|\{b \in \mathbb {F}_{2^n}^* :|W_f(b,0)|=2^{r(m+k)}\}| \end{aligned}$$

for an integer \(k \ge 0\). Since \(f(x)=0\) holds only for \(x=0\), we have

$$\begin{aligned} \sum _{b\in \mathbb {F}_{2^n}} W_f(b,0) = 2^n, \end{aligned}$$

which directly implies

$$\begin{aligned} \sum _{b\in \mathbb {F}_{2^n}^*} W_f(b,0) = 0. \end{aligned}$$

Substituting the possible values for \(W_f(b,0)\) in the above equation, we get

$$\begin{aligned} 2^{rm}(N_0-2^{r}N_1+2^{2r}N_2-2^{3r}N_3+\dots )= 0, \end{aligned}$$

implying

$$\begin{aligned} N_0-2^{r}N_1+2^{2r}N_2-2^{3r}N_3+\dots = 0. \end{aligned}$$
(21)

Now since f is almost-\((2^r+1)\)-to-1, for every fixed non-zero x there are exactly \((2^r+1)\) elements \(a \in \mathbb {F}_{2^n}\) satisfying \(f(x)+f(x+a)=0\), and for \(x=0\) only \(a=0\) solves it. Thus we get

$$\begin{aligned} \sum _{b \in \mathbb {F}_{2^n}} (W_f(b,0))^2&= \sum _{b \in \mathbb {F}_{2^n}} \sum _{x \in \mathbb {F}_{2^n}}\sum _{a \in \mathbb {F}_{2^n}} (-1)^{{{\,\mathrm{Tr}\,}}(b(f(x)+f(x+a)))} \\&=2^n((2^r+1) \cdot (2^n-1)+1)=2^{2n+r}+2^{2n}-2^{n+r}. \end{aligned}$$

In particular,

$$\begin{aligned} \sum _{b \in \mathbb {F}_{2^n}^*} (W_f(b,0))^2 = 2^{2n+r}-2^{n+r}. \end{aligned}$$

Again, substituting the possible values for \(W_f(b,0)\), we get

$$\begin{aligned} 2^n(N_0+2^{2r}N_1+2^{4r}N_2+2^{6r}N_3+ \dots )= 2^{2n+r}-2^{n+r}, \end{aligned}$$

which immediately leads to

$$\begin{aligned} N_0+2^{2r}N_1+2^{4r}N_2+2^{6r}N_3+ \dots = 2^{n+r}-2^r. \end{aligned}$$
(22)

Clearly, we also have

$$\begin{aligned} N_0+N_1+N_2+\dots = 2^n-1. \end{aligned}$$
(23)

Adding Eq. (21) \((2^r-1)\)-times to Eq. (22), we get

$$\begin{aligned} 2^rN_0+2^rN_1+(2^{2r}(2^r-1)+2^{4r})N_2+(2^{6r}-(2^r-1)2^{3r})N_3+\dots = 2^{n+r}-2^r. \end{aligned}$$
(24)

Observe that all coefficients in Eq. (24) are positive. Now, subtracting Eq. (23) \(2^r\)-times from Eq. (24) yields

$$\begin{aligned} (2^{2r}(2^r-1)+2^{4r}-2^r)N_2+(2^{6r}-(2^r-1)2^{3r}-2^r)N_3+\dots = 0. \end{aligned}$$

Here, all coefficients are again positive, so we conclude \(N_2=N_3=\dots = 0\). From Eq. (21) and Eq. (23) we then immediately deduce that \(N_0 =(2^r/(2^r+1))(2^n-1)\) and \(N_1 = (2^n-1)/(2^r+1)\). \(\square \)

Note that the conditions \(f(0)=0\) and \(\omega (0)=1\) are not restrictive when we consider the extended Walsh spectrum: Indeed, otherwise we consider \(f(x+c)+d\) with suitable \(c,d \in \mathbb {F}_{2^n}\), which is also component-wise plateaued and has the same extended Walsh spectrum as f:

$$\begin{aligned} W_{f(x+c)+d}(b,a)&= \sum _{x \in \mathbb {F}_{2^n}}(-1)^{{{\,\mathrm{Tr}\,}}(b(f(x+c)+d)+ax)} \\&= (-1)^{{{\,\mathrm{Tr}\,}}(bd)}\sum _{x \in \mathbb {F}_{2^n}}(-1)^{{{\,\mathrm{Tr}\,}}(bf(x)+a(x+c))} \\&= (-1)^{{{\,\mathrm{Tr}\,}}(bd+ac)}W_{f}(b,a). \end{aligned}$$

The two boundary cases \(m=1\) and \(r=1\) of Theorem 7 imply interesting extremal cases. For \(m=1\), we get that a component-wise plateaued almost-\((2^{n/2}+1)\)-to-1 map on \(\mathbb {F}_{2^n}\) has \(2^n-2^{n/2}\) bent components, which is the maximum number of bent components that a map on \(\mathbb {F}_{2^n}\) can have [30]. For \(m=1\) the following result holds, too:

Proposition 5

Let \(r\in \mathbb {N}\), \(n=2r\) and \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be an almost-\((2^r+1)\)-to-1 map. Then f is component-wise plateaued if and only if it has \(2^n-2^{n/2}\) bent components.

Proof

One direction is covered by Theorem 7. Assume that f has \(2^n-2^{n/2}\) bent components. As mentioned before, we can assume without loss of generality that \(f(0)=0\) and \(\omega (0)=1\). By the proof of Theorem 7 we have \(W_f(b,0) \equiv 1 \pmod {2^{n/2}+1}\) for all \(b \in \mathbb {F}_{2^n}^*\). Hence if b defines a bent component, then \(W_f(b,0)=-2^{n/2}\). Thus

$$\begin{aligned} 0&=\sum _{b\in \mathbb {F}_{2^n}^*} W_f(b,0) \\&=-(2^n-2^{n/2})2^{n/2}+\sum _{b \text { not bent}} W_f(b,0), \end{aligned}$$

implying \(\sum _{b \text { not bent}} W_f(b,0)=2^{n}(2^{n/2}-1)\). The sum has \(2^{n/2}-1\) terms and each term is less than or equal to \(2^n\), so necessarily it must hold \(W_f(b,0)=2^n\) for every \(b \in \mathbb {F}_{2^n}^*\) that does not define a bent component. Then, by Parseval’s equation, \(W_f(b,a)=0\) for these b and every \(a \in \mathbb {F}_{2^n}^*\), so these components are also plateaued. \(\square \)

For \(r>1\) the almost-\((2^r+1)\)-to-1 maps considered in Proposition 5 are never APN. This follows directly from (12).

The case \(r=1\) of Theorem 7 shows that almost-3-to-1 component-wise plateaued maps are APN and they have the classical Walsh spectrum:

Corollary 8

Let \(n=2m\) and \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be an almost-3-to-1 component-wise plateaued map. Then f is an APN map with the classical Walsh spectrum. Moreover, if \(f(0)=0\) and \(\omega (0)=1\), i.e. 0 is the only element with precisely one preimage, then

$$\begin{aligned} W_f(b,0) \in \{(-1)^{m}2^m,(-1)^{m+1}2^{m+1}\} \end{aligned}$$

for any \(b \in \mathbb {F}_{2^n}^*\).

Proof

The result follows from Theorem 7 for \(r=1\) and [4, Corollary 3], which shows that if a component-wise plateaued map f has \((2/3)(2^n-1)\) bent components and \((1/3)(2^n-1)\) components with amplitude \(t=2\) then it is APN. \(\square \)

In [9, Corollary 10 and 11] it is proven that if n is even, then all almost-3-to-1 plateaued maps of \(\mathbb {F}_{2^n}\) have the same Walsh spectrum as the cube function \(x\mapsto x^3\). This is exactly the statement of Corollary 8, too. The precise Walsh spectrum of the cube function is determined by Carlitz [16] via a refined evaluation of certain Gauss sums. The proof of Theorem 7 implies an elementary proof for Carlitz’s result on the value of the cubic exponential sum \(S(b)=\sum _{x \in \mathbb {F}_{2^n}} (-1)^{{{\,\mathrm{Tr}\,}}(bx^3)}\). The latter is the key step for obtaining the Walsh spectrum of the cube function in [16].

The quadratic (not necessarily APN) maps as well as the crooked maps are component-wise plateaued. Hence Corollary 8 implies

Corollary 9

Let \(n=2m\) and \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\).

  1. (a)

    If f is an almost-3-to-1 crooked map, then f has the classical Walsh spectrum.

  2. (b)

    If f is an almost-3-to-1 quadratic map, then it is APN with the classical Walsh spectrum.

Note that Corollaries 7 and 9 confirm Conjecture 1 stated in [33], that for even n all APN maps of the form \(f(x)=L_1(x^3)+L_2(x^9)\) have the classical Walsh spectrum.

By Corollary 9, the EA-class of a quadratic APN map with non-classical Walsh spectrum does not contain an almost-3-to-1 map. The following related question is still open:

Open Problem 2

Let n be even. Is there any APN DO map \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) with the classical Walsh spectrum, such that \(f+l\) is not almost-3-to-1 for any \(\mathbb {F}_2\)-linear map (equivalently, such that there is no almost-3-to-1 map in the EA-class of f)?

Almost-3-to-1 APN maps with non-classical Walsh spectra exist; an example is the Dobbertin map \(x \mapsto x^d\) on \(\mathbb {F}_{2^n}\) where 10|n, \(n=5g\) and \(d=2^{4g}+2^{3g}+2^{2g}+2^{g}-1\) [8].

We conclude this section with some observations on the almost bent maps on \(\mathbb {F}_ {2^n}\) with n odd. We use them in the next section to give an upper bound on the image size of such maps. The next lemma describes a direct connection between N(f) and the number \(N_0\) of balanced component functions of almost bent maps.

Lemma 6

Let n be odd and \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) be almost bent. Set

$$\begin{aligned} N_0&=|\{b \in \mathbb {F}_{2^n}^* :W_f(b,0)=0\}|\\ N_+&= |\{b \in \mathbb {F}_{2^n}^* :W_f(b,0)=2^{(n+1)/2}\}|\\ N_-&= |\{b \in \mathbb {F}_{2^n}^* :W_f(b,0)=-2^{(n+1)/2}\}|. \end{aligned}$$

Then these three values are determined by N(f) in the following way:

$$\begin{aligned} N_0&=2^n-1+2^{n-1}-N(f)/2\\ N_+&= N(f)/4 -2^{n-2}+2^{(n-3)/2}(\omega (0)-1)\\ N_-&= N(f)/4 -2^{n-2}-2^{(n-3)/2}(\omega (0)-1). \end{aligned}$$

Proof

Clearly, we have

$$\begin{aligned} N_0+N_++N_- = 2^n-1. \end{aligned}$$
(25)

Further, we have

$$\begin{aligned} \sum _{b \in \mathbb {F}_{2^n}} (W_f(b,0))^2&= \sum _{b \in \mathbb {F}_{2^n}} \sum _{x \in \mathbb {F}_{2^n}}\sum _{y \in \mathbb {F}_{2^n}} (-1)^{{{\,\mathrm{Tr}\,}}(b(f(x)+f(y)))} \\&=2^n N(f), \end{aligned}$$

which implies

$$\begin{aligned} \sum _{b \in \mathbb {F}_{2^n}^*} (W_f(b,0))^2 = 2^n N(f) - 2^{2n}. \end{aligned}$$

Rewriting this equation yields

$$\begin{aligned} 2^{n+1}(N_++N_-) = 2^n N(f) - 2^{2n} \end{aligned}$$

or, equivalently,

$$\begin{aligned} N_++N_-= N(f)/2 - 2^{n-1}. \end{aligned}$$
(26)

Moreover, we have

$$\begin{aligned}\sum _{b\in \mathbb {F}_{2^n}} W_f(b,0) = 2^n\cdot \omega (0),\end{aligned}$$

which directly implies

$$\begin{aligned}\sum _{b\in \mathbb {F}_{2^n}^*} W_f(b,0) = 2^n\cdot (\omega (0)-1),\end{aligned}$$

which yields

$$\begin{aligned} 2^{(n+1)/2}(N_+-N_-) = 2^n\cdot (\omega (0)-1), \end{aligned}$$

and

$$\begin{aligned} N_+-N_- = 2^{(n-1)/2}\cdot (\omega (0)-1). \end{aligned}$$
(27)

Subtracting Eq. (26) from Eq. (25) yields

$$\begin{aligned} N_0 = 2^n+2^{n-1}-N(f)/2-1. \end{aligned}$$

Similarly adding Eqs. (26) and (27) we get that N(f) must be divisible by 4 and that

$$\begin{aligned} N_+ = N(f)/4-2^{n-2}+2^{(n-3)/2}(\omega (0)-1). \end{aligned}$$

The value of \(N_-\) then follows immediately from Eq. (25). \(\square \)

Lemma 6 directly implies

Corollary 10

Let n be odd and \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) be almost bent. Then

  (a) N(f) is divisible by 4.

  (b) The number of balanced component functions of f is odd. In particular, every almost bent function has at least one balanced component function.

  (c) \(N(f) \le 3\cdot 2^n-4\) and f is not zero-difference 2-balanced.

  (d)
    $$\begin{aligned}|{\text {Im}}(f)| > \frac{2^n+1}{3}.\end{aligned}$$

Proof

Statement (a) holds since \(N_+\) and \(N_-\) in Lemma 6 are integers. Then (b) is a direct consequence of (a) and Lemma 6. Using Corollary 1 and (a), we get that \(N(f) \le 3\cdot 2^n-4\) and hence f is not zero-difference 2-balanced. Theorem 3 with (c) imply (d), since if the lower bound is fulfilled then necessarily \(N(f)=3\cdot 2^n-2\). \(\square \)

Remark 2

Any crooked map is almost bent if n is odd [27]. Property (c) in Corollary 10 implies that at least one differential set of a crooked map on \(\mathbb {F}_{2^n}\) with n odd is a complement of a hyperplane. Equivalently, for n odd there is no crooked map such that all its differential sets are hyperplanes. On the contrary, if n is odd then there are bijective crooked maps, for which necessarily all differential sets are complements of hyperplanes. Interestingly, the situation is reversed if n is even. Then crooked maps for which all differential sets are hyperplanes do exist (for instance, \(x\mapsto x^3\) or more generally any 3-divisible APN DO map as observed in Lemma 3 (b)). But there are no crooked maps with all their differential sets being complements of hyperplanes. The latter is a consequence of the non-existence of bijective crooked maps in even dimension [27].

6 Upper bounds on the image sets of APN maps

In previous sections we used the value N(f) to obtain a lower bound for the image size of some special maps f. In [21] an upper bound for \(|{\text {Im}}(f)|\) depending on N(f) is found. The upper bound from [21] is valid for maps between arbitrary finite sets; however, we state it here only for binary finite fields.

Lemma 7

[21, Theorem 2] Let \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\). Then

$$\begin{aligned} |{\text {Im}}(f)| \le 2^n-\frac{2N(f)-2^{n+1}}{1+\sqrt{4N(f)-2^{n+2}+1}}=2^n-\frac{1}{2}(\sqrt{4N(f)-2^{n+2}+1}-1). \end{aligned}$$

\(\square \)

The equality

$$\begin{aligned} \frac{2N(f)-2^{n+1}}{1+\sqrt{4N(f)-2^{n+2}+1}} = \frac{1}{2}(\sqrt{4N(f)-2^{n+2}+1}-1) \end{aligned}$$

is not mentioned in [21], but it can be verified easily by multiplying the numerator and the denominator of the fraction by \(1-\sqrt{4N(f)-2^{n+2}+1}\).

The next lemma observes that if n is even, then Lemma 7 implies an upper bound on the image size of f depending on the number of its bent components.

Lemma 8

Let n be even and \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) be a map with u bent component functions. Then \(N(f) \ge u+2^n\) and

$$\begin{aligned} |{\text {Im}}(f)| \le 2^n-\frac{1}{2}(\sqrt{4u+1}-1). \end{aligned}$$

Proof

We use again the relation

$$\begin{aligned} 2^n N(f) = \sum _{b \in \mathbb {F}_{2^n}} W_f(b,0)^2 = 2^{2n}+\sum _{b \in \mathbb {F}_{2^n}^*} W_f(b,0)^2. \end{aligned}$$

If \(x \mapsto {{\,\mathrm{Tr}\,}}(bf(x))\) is bent, then \(W_f(b,0)^2 = 2^n\), so

$$\begin{aligned} 2^nN(f) \ge 2^{2n}+u \cdot 2^n, \end{aligned}$$

implying \(N(f) \ge u +2^n\). The rest follows from Lemma 7. \(\square \)

The upper bound of Lemma 8 is interesting for maps having a large number u of bent components. We apply it to get an upper bound for the image size of component-wise plateaued APN maps in Corollary 11.

For an odd n, we use Lemma 6 to give an upper bound on the image size of almost bent maps. Recall that \(M_r(f)\) denotes the number of \(y \in \mathbb {F}_{2^n}\) with exactly r preimages, where \(f :\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) and \(r \ge 1\).

Theorem 8

Let \(f :\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) be an almost bent map and \(k = \max \{ r ~|~ M_r(f) \ne 0\}\). Then

$$\begin{aligned} |{\text {Im}}(f)| \le 2^n - \frac{k-1}{k}2^{(n+1)/2}. \end{aligned}$$
(28)

In particular, if f is not a permutation, then

$$\begin{aligned} |{\text {Im}}(f)| \le 2^n - 2^{(n-1)/2}. \end{aligned}$$
(29)

Proof

Set \(M_r = M_r(f)\). By Eqs. (2) and (3)

$$\begin{aligned} N(f)-2^n = \sum _{r=1}^k r(r-1)M_r \le k \sum _{r=1}^k (r-1)M_r, \end{aligned}$$

implying

$$\begin{aligned} \sum _{r=1}^k (r-1)M_r \ge \frac{N(f)-2^n}{k}. \end{aligned}$$
(30)

Set \(f'(x) = f(x) - c\), where \(c \in \mathbb {F}_{2^n}\) has exactly k preimages under f. Clearly, \(f'\) is also almost bent and it satisfies \(N(f) = N(f')\) and \(|{\text {Im}}(f)| = |{\text {Im}}(f')|\), and additionally 0 has exactly k preimages under \(f'\). We apply Lemma 6 to \(f'\). Then

$$\begin{aligned}0 \le N_- = N(f)/4 -2^{n-2}-(k-1)2^{(n-3)/2}, \end{aligned}$$

which leads to

$$\begin{aligned}N(f) - 2^n \ge (k-1)2^{(n+1)/2}.\end{aligned}$$

Then, using Eq. (30),

$$\begin{aligned} |{\text {Im}}(f)|&= \sum _{r=1}^k M_r = \sum _{r=1}^k r M_r - \sum _{r=1}^k (r-1) M_r \\&= 2^n - \sum _{r=1}^k (r-1) M_r \le 2^n- \frac{N(f)-2^n}{k} \le 2^n - \frac{k-1}{k}2^{(n+1)/2}. \end{aligned}$$

If f is not a permutation, then \(k>1\) and \(\frac{k-1}{k}\ge 1/2\), completing the proof. \(\square \)
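A numerical check of Lemma 6 and of the bound (28) in Theorem 8 on \(\mathbb {F}_{2^5}\), added here as an illustration and not part of the original paper. It assumes the sample map \(x \mapsto x^3+x\) (the Gold map plus a linear term, hence almost bent but not bijective), the modulus \(x^5+x^2+1\), and the readings \(N(f)=|\{(x,y): f(x)=f(y)\}|\) and \(\omega (0)=|f^{-1}(0)|\), which are consistent with the identities used in the proofs above; all function names are hypothetical.

```python
from collections import Counter

N_BITS = 5                    # n odd
MOD = 0b100101                # x^5 + x^2 + 1, irreducible over GF(2)
Q = 1 << N_BITS
AMP = 1 << ((N_BITS + 1) // 2)   # 2^((n+1)/2)

def gf_mul(a, b):
    """Multiply in GF(2^n): carry-less product reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & Q:
            a ^= MOD
        b >>= 1
    return r

def trace(x):
    """Absolute trace x + x^2 + ... + x^(2^(n-1)); the result is 0 or 1."""
    t = 0
    for _ in range(N_BITS):
        t ^= x
        x = gf_mul(x, x)
    return t

def f(x):
    """Constructed sample map x^3 + x (Gold map plus a linear term)."""
    return gf_mul(gf_mul(x, x), x) ^ x

def walsh(b, a=0):
    """W_f(b, a) = sum over x of (-1)^Tr(b f(x) + a x)."""
    return sum(1 - 2 * trace(gf_mul(b, f(x)) ^ gf_mul(a, x)) for x in range(Q))

def is_almost_bent():
    return all(abs(walsh(b, a)) in (0, AMP) for b in range(1, Q) for a in range(Q))

def lemma6_check():
    pre = Counter(f(x) for x in range(Q))        # preimage count of each image point
    n_f = sum(r * r for r in pre.values())       # N(f) = #{(x, y) : f(x) = f(y)}
    spec = Counter(walsh(b) for b in range(1, Q))
    measured = (spec[0], spec[AMP], spec[-AMP])  # (N_0, N_+, N_-) by direct count
    shift = (1 << ((N_BITS - 3) // 2)) * (pre[0] - 1)   # pre[0] is omega(0)
    predicted = (Q - 1 + Q // 2 - n_f // 2,
                 n_f // 4 - Q // 4 + shift, n_f // 4 - Q // 4 - shift)
    k = max(pre.values())
    return n_f, measured, predicted, len(pre), k, Q - (k - 1) / k * AMP
```

For this map the check gives \(N(f)=64\), \((N_0,N_+,N_-)=(15,10,6)\), \(|{\text {Im}}(f)|=21\) and \(k=3\), so the image size lies well below the bound \(2^5-\frac{2}{3}\cdot 2^3\) from (28).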

Remark 3

  (1) The upper bound in (28) is sharp for \(k=1\), since there are bijective almost bent maps. The proof of Theorem 8 shows that almost bent maps attaining equality in the bound (29) must satisfy \(M_1(f)= 2^n-2^{(n+1)/2}\) and \(M_2(f)=2^{(n-1)/2}\). However, we believe that the bound in (29) is not sharp.

  (2) The bound of Theorem 8 is similar in style to the well-known general upper bound on the image size of maps by Wan [35], stating that if \(f :\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) is not bijective then

    $$\begin{aligned}|{\text {Im}}(f)| \le 2^n-\frac{2^n-1}{d},\end{aligned}$$

    where d is the degree of f. Another bound similar to Wan’s bound appears in [29]: If \(f :\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) is not bijective and has index \(l>1\) then

    $$\begin{aligned}|{\text {Im}}(f)| \le 2^n-\frac{2^n-1}{l}.\end{aligned}$$

    See [36] for more details and the definition of the index of maps. For almost bent maps with known small degree or index, these upper bounds are stronger than the one in Theorem 8.

Theorem 8 and Lemma 8 yield an upper bound on the image size for component-wise plateaued APN maps.

Corollary 11

Let \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) be a component-wise plateaued APN map, and non-bijective if n is odd. Then

$$\begin{aligned}|{\text {Im}}(f)| \le {\left\{ \begin{array}{ll} 2^n - 2^{(n-1)/2} &{} n \text { is odd,} \\ 2^n-\frac{1}{2}(\sqrt{\frac{8}{3}(2^n-1)+1}-1)< 2^n-\sqrt{\frac{2}{3}(2^n-1)}+1/2 &{} n \text { is even}. \end{array}\right. } \end{aligned}$$

Proof

The statement for n odd follows from Theorem 8, since every component-wise plateaued APN map is almost bent. The upper bound for n even is a direct consequence of Lemma 8 and the fact that a component-wise plateaued APN map has at least \((2/3)(2^n-1)\) bent component functions [4, Corollary 3]. \(\square \)