Quadratic Almost Perfect Nonlinear Functions With Many Terms

Carl Bracken (1), Eimear Byrne (2), Nadya Markin (3), Gary McGuire (2)
School of Mathematical Sciences, University College Dublin, Ireland

Abstract

We introduce a new infinite family of multiterm functions that are APN on $GF(2^{2k})$ for odd $k$.

Key words: almost perfect nonlinear, bent function, CCZ equivalence, Fourier spectrum

(1) Research supported by Irish Research Council for Science, Engineering and Technology Postdoctoral Fellowship.
(2) Research supported by the Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006.
(3) Postdoctoral fellow funded by the Claude Shannon Institute.

Preprint submitted to Elsevier, 30 March 2007

1 Introduction

Let $L = \mathbb{F}_{2^n}$, the finite field with $2^n$ elements for some positive integer $n$. A function $f : L \to L$ is said to be almost perfect nonlinear (APN) if the number of roots in $L$ of the polynomial $f(x+a) + f(x) + b$ is at most 2, for all $a, b \in L$, $a \neq 0$. If the number of roots in $L$ is at most $\delta$, we say $f$ is differentially $\delta$-uniform. Thus APN is the same as differentially 2-uniform. A differentially 1-uniform function is also called a perfect nonlinear function; these do not exist in characteristic 2.

APN functions were introduced in [8] by Nyberg, who defined them as the mappings with highest resistance to differential cryptanalysis. Since then many papers have been written on APN functions, although not many different families of such functions are known. Indeed, a recent result of Voloch [10] shows that APN functions asymptotically have density 0 in the set of all functions, in a certain sense.

Two functions $f, g : L \to L$ are called extended affine (EA) equivalent if there exist affine permutations $A_1, A_2$ and an affine map $A$ such that $g = A_1 \circ f \circ A_2 + A$.
The differential uniformity of a function is an invariant of EA equivalence. However, a bijective function is not necessarily EA equivalent to its inverse, even though they have the same differential uniformity. Until recently, all known APN functions were EA equivalent to one of a short list of monomial functions, namely the Gold, Kasami-Welch, inverse, Welch, Niho and Dobbertin functions. For some time it was conjectured that this list was the complete list of APN functions up to EA equivalence.

A more general notion of equivalence has been suggested in [5], which is referred to as Carlet-Charpin-Zinoviev (CCZ) equivalence. Two functions are called CCZ equivalent if the graph of one can be obtained from the graph of the other by an affine permutation of the product space. Differential uniformity and resistance to linear, differential and algebraic attacks are invariants of CCZ equivalence, and any permutation is CCZ equivalent to its inverse. EA equivalence is a special case of CCZ equivalence. In [3], Proposition 3, the authors express necessary and sufficient conditions for EA equivalence of functions in terms of CCZ equivalence and use this to construct several examples of APN functions that are CCZ equivalent to the Gold functions but EA inequivalent to any monomial function. This showed that the original conjecture is false. The new question was whether all APN functions are CCZ equivalent to one on the list.

In 2006 a sporadic example of a binomial APN function that is CCZ inequivalent to any power mapping was given in [7]. A family of APN binomials on fields $\mathbb{F}_{2^n}$ where $n$ is divisible by 3 but not 9 was presented in [1]. In [2] these have been shown to be EA inequivalent to any monomial function, and CCZ inequivalent to the Gold or Kasami-Welch functions. Dillon [6] presented a family of hexanomials whose members are differentially 4-uniform. Motivated by this family, we introduce a new class of APN functions on fields of order $2^{2k}$ where $k$ is odd.
Let $k$ and $s$ be a pair of odd coprime integers. The polynomials we have discovered are
$$ b x^{2^s+1} + b^{2^k} x^{2^{k+s}+2^k} + c x^{2^{k+s}+2^s} + \sum_{i=0}^{k-1} r_i x^{2^{i+k}+2^i} \qquad (1) $$
where $b, c \in \mathbb{F}_{2^{2k}}$, and $r_i \in \mathbb{F}_{2^k}$ for each $i$. These polynomials have coefficients in $\mathbb{F}_{2^{2k}}$, and have up to $k+3$ nonzero coefficients, depending on the choice of the $r_i$, some or all of which could be 0. They are motivated by Dillon's polynomials, and are defined on different fields to the binomials in [1] in general.

Let $\mathrm{Tr}$ denote the trace map from $L$ to $\mathbb{F}_2$. The Fourier transform of any real-valued function $F$ defined on $L$ is the function $\hat{F}$ defined by
$$ \hat{F}(a) = \sum_{x \in L} F(x)(-1)^{\mathrm{Tr}(ax)} $$
for $a \in L$. The Fourier spectrum of $F$ is the set $\{\hat{F}(a) : a \in L\}$ of values of $\hat{F}$. To a Boolean function $f : L \to \mathbb{F}_2$ we associate the real-valued function $F = (-1)^f$. When we refer to the Fourier spectrum of $f$, we mean the Fourier spectrum of the associated function $F = (-1)^f$. For arbitrary $f$, computing its Fourier spectrum is often difficult.

Bent functions were introduced in [9] by Rothaus in 1976 as Boolean functions having maximal distance to the set of all affine Boolean functions (the first order Reed-Muller code). Equivalently, the bent functions on $L$ are precisely those whose Fourier spectrum is $\{\pm\sqrt{|L|}\}$.

In Section 2 we prove that the trace of (1) is a bent function. In Section 3 we show that if $b, c \notin \mathbb{F}_{2^k}$, and $b$ is not a cube, then a polynomial of the form (1) is APN. In a later article we will discuss the inequivalence of these APN functions to power mappings.

The existence of a bijective APN function on $\mathbb{F}_{2^n}$ for $n$ even is an open question. We remark that the polynomials (1) are not bijective. It is easy to verify that $f(\alpha\beta) = f(\alpha\beta + \beta)$ where $\alpha^2 + \alpha + 1 = 0$ and $\beta = b^{-(2^s+1)}$.

Notation: For the remainder, let $n$ be a positive integer. Let $k$ and $s$ be odd relatively prime integers. Let $L$ and $K$ be the finite fields of orders $2^n$ and $2^{2k}$ respectively.
2 Proof of Bent Property

An interesting property of the polynomials
$$ f(x) = b x^{2^s+1} + b^{2^k} x^{2^{k+s}+2^k} + c x^{2^{k+s}+2^s} + \sum_{i=0}^{k-1} r_i x^{2^{i+k}+2^i} $$
is that $\mathrm{Tr}(f(x))$ is a bent function on $K$. We include a proof below using standard techniques.

Theorem 1. Let
$$ f(x) = b x^{2^s+1} + b^{2^k} x^{2^{k+s}+2^k} + c x^{2^{k+s}+2^s} + \sum_{j=0}^{k-1} r_j x^{2^{k+j}+2^j} $$
be a function on $K$ with $c \notin \mathbb{F}_{2^k}$ and $r_j \in \mathbb{F}_{2^k}$ for each $j$. Then the Boolean function $\mathrm{Tr}(f(x))$ is bent.

Proof: We need to show that the Fourier transform $\hat{F}(r)$ of $F(x) = \mathrm{Tr}(f(x))$ is limited to the two values $\pm 2^k$. By definition
$$ \hat{F}(r) = \sum_{x \in K} (-1)^{\mathrm{Tr}(rx + f(x))}. $$
Squaring gives
$$ \hat{F}(r)^2 = \sum_{y} \sum_{x} (-1)^{\mathrm{Tr}(rx + f(x) + ry + f(y))}. $$
Replacing $y$ with $x + u$ we have
$$ \hat{F}(r)^2 = \sum_{u} \sum_{x} (-1)^{\mathrm{Tr}(ru + f(x) + f(x+u))} = \sum_{u} (-1)^{\mathrm{Tr}(ru + f(u))} \sum_{x} (-1)^{\mathrm{Tr}(\Delta_u(x))}, $$
where $\Delta_u(x) = f(u) + f(x) + f(x+u)$. Since $r_j^{2^k} = r_j$ for each $j$, we may write
$$ \Delta_u(x) = c\big(x^{2^{k+s}} u^{2^s} + x^{2^s} u^{2^{k+s}}\big) + b\big(x^{2^s} u + x u^{2^s}\big) + \Big(b\big(x^{2^s} u + x u^{2^s}\big)\Big)^{2^k} + \sum_{j=0}^{k-1} \Big( r_j x^{2^{j+k}} u^{2^j} + \big(r_j x^{2^{j+k}} u^{2^j}\big)^{2^k} \Big), $$
so taking the trace gives the simplification
$$ \mathrm{Tr}(\Delta_u(x)) = \mathrm{Tr}\Big(c\big(x^{2^{k+s}} u^{2^s} + x^{2^s} u^{2^{k+s}}\big)\Big). $$
Simplifying gives
$$ \hat{F}(r)^2 = \sum_{u} (-1)^{\mathrm{Tr}(ru + A u^{2^k+1})} \sum_{x} (-1)^{\mathrm{Tr}(x L(u))}, $$
where
$$ A = c^{2^{-s}} + \sum_{j=0}^{k-1} r_j^{2^{-j}}, \qquad L(u) = \big(c + c^{2^k}\big)^{2^{-s}} u^{2^k}. $$
Since $c \notin \mathbb{F}_{2^k}$, $L(u) \neq 0$ except when $u = 0$. This means that the inner sum is 0 except when $u = 0$. Hence $\hat{F}(r)^2 = 2^{2k}$ and the proof is complete. □

In [4] it is noted that $\mathrm{Tr}(vf(x))$ will be bent for at least $\frac{2}{3}(2^n - 1)$ values of $v$ for any quadratic APN function on $L$. The same argument as in the proof of the previous theorem shows that $\mathrm{Tr}(vf(x))$ is bent for $v \in \mathbb{F}_{2^k}$.

3 Proof of APN Property

We shall now prove that the polynomials (1) are APN under certain conditions.

Theorem 2. Let $f$ be the function on $K$ defined by
$$ f(x) = b x^{2^s+1} + b^{2^k} x^{2^{k+s}+2^k} + c x^{2^{k+s}+2^s} + \sum_{i=0}^{k-1} r_i x^{2^{i+k}+2^i} $$
where $b, c \notin \mathbb{F}_{2^k}$, $b$ is not a cube, and $r_i \in \mathbb{F}_{2^k}$ for each $i$. Then $f$ is APN over $K$.
Proof: To prove that $f$ is APN we must show that the equation
$$ f(x) + f(x+q) = p \qquad (2) $$
has at most two solutions for all $p \in K$ and all $q \in K^*$. Equation (2) gives the expression
$$ b x^{2^s+1} + b^{2^k} x^{2^{k+s}+2^k} + c x^{2^{k+s}+2^s} + \sum_{i=0}^{k-1} r_i x^{2^{i+k}+2^i} + b(x+q)^{2^s+1} + b^{2^k}(x+q)^{2^{k+s}+2^k} + c(x+q)^{2^{k+s}+2^s} + \sum_{i=0}^{k-1} r_i (x+q)^{2^{i+k}+2^i} = p. $$
Replacing $x$ with $xq$ and rearranging we obtain
$$ Ax + Bx^{2^k} + Cx^{2^s} + Dx^{2^{k+s}} + \sum_{j=1}^{k-1} R_j\big(x^{2^{k+j}} + x^{2^j}\big) = E \qquad (3) $$
where
$$ A = r_0 q^{2^k+1} + b q^{2^s+1}, \quad B = r_0 q^{2^k+1} + b^{2^k} q^{2^{k+s}+2^k}, \quad C = b q^{2^s+1} + c q^{2^{k+s}+2^s}, \quad D = b^{2^k} q^{2^{k+s}+2^k} + c q^{2^{k+s}+2^s}, $$
$E = f(q) + p$, and $R_j = r_j q^{2^{k+j}+2^j}$ for each $j$. As Equation (3) is affine, for the purposes of counting the number of its solutions we may assume $E = 0$. Define
$$ \Delta(x) := Ax + Bx^{2^k} + Cx^{2^s} + Dx^{2^{k+s}} + \sum_{j=1}^{k-1} R_j\big(x^{2^{k+j}} + x^{2^j}\big). $$
Then $f$ is APN on $K$ if and only if the equation $\Delta(x) = 0$ has at most two solutions in $K$. Obviously 0 is a solution of $\Delta(x) = 0$, and 1 is a solution of $\Delta(x) = 0$ because $\Delta(1) = A + B + C + D = 0$. We will now show there are no other solutions in $K$. Consider
$$ \Delta(x) + (\Delta(x))^{2^k} = \big(C + D^{2^k}\big)\big(x^{2^s} + x^{2^{k+s}}\big) = \big(c + c^{2^k}\big) q^{2^{k+s}+2^s} \big(x^{2^s} + x^{2^{k+s}}\big). $$
As $q \neq 0$ and $c \notin \mathbb{F}_{2^k}$, the above expression with $\Delta(x) = 0$ implies $x^{2^s} + x^{2^{k+s}} = 0$, which means $x \in \mathbb{F}_{2^k}$. We can now write
$$ \Delta(x) = (A + B)x + (C + D)x^{2^s} = (A + B)\big(x + x^{2^s}\big) = 0. $$
Since $(2k, s) = 1$ it remains to show that $A + B \neq 0$. Suppose that $A + B = 0$. Then
$$ b q^{2^s+1} + b^{2^k} q^{2^{k+s}+2^k} = 0, $$
which implies
$$ b^{2^k-1} = q^{(2^{k+s}-1)(2^k-1)}. $$
Using the fact that 3 divides $2^t - 1$ if and only if $t$ is even, and recalling that we chose $b$ not to be a cube, we see that the left-hand side of this equation is not a cube. As $k + s$ is even, the right-hand side of this expression is a cube. Hence $A + B \neq 0$. □

Acknowledgement: We thank John Dillon for sharing the slides from his talk at Banff.

References

[1] L. Budaghyan, C. Carlet, P. Felke, and G.
Leander, "An infinite class of quadratic APN functions which are not equivalent to power mappings", Proceedings of ISIT 2006, Seattle, USA, July 2006.
[2] L. Budaghyan, C. Carlet, G. Leander, "A class of quadratic APN binomials inequivalent to power functions", preprint.
[3] L. Budaghyan, C. Carlet, A. Pott, "New constructions of almost bent and almost perfect nonlinear functions", IEEE Transactions on Information Theory, Vol. 52, No. 3, pp. 1141-1152, March 2006.
[4] C. Carlet, "Boolean Functions for Cryptography and Error Correcting Codes", to appear as a chapter of the monograph Boolean Methods and Models, Cambridge University Press (Ed. Peter Hammer and Yves Crama).
[5] C. Carlet, P. Charpin, V. Zinoviev, "Codes, bent functions and permutations suitable for DES-like cryptosystems", Designs, Codes and Cryptography, Vol. 15, No. 2, pp. 125-156, 1998.
[6] John Dillon, slides from talk given at "Polynomials over Finite Fields and Applications", held at Banff International Research Station, November 2006.
[7] Y. Edel, G. Kyureghyan, A. Pott, "A new APN function which is not equivalent to a power mapping", IEEE Transactions on Information Theory, Vol. 52, Issue 2, pp. 744-747, Feb. 2006.
[8] K. Nyberg, "Differentially uniform mappings for cryptography", Advances in Cryptology - EUROCRYPT 93, Lecture Notes in Computer Science, Springer-Verlag, pp. 55-64, 1994.
[9] O. Rothaus, "On bent functions", Journal of Combinatorial Theory Series A, Vol. 20, pp. 181-199, 1976.
[10] J. F. Voloch, Symmetric Cryptography and Algebraic Curves, preprint.
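The following is an added brute-force check of Theorems 1 and 2, not part of the paper, in the smallest admissible case $k = 3$, $s = 1$, so $K = \mathbb{F}_{2^6}$. It represents $K$ modulo the irreducible polynomial $x^6 + x + 1$ (a choice made here, the paper fixes no representation), picks $b$, $c$, $r_i$ satisfying the hypotheses of Theorem 2, tabulates polynomial (1), and computes the differential uniformity of $f$ and the Fourier spectrum of $\mathrm{Tr}(f)$ directly from the definitions; all function names are ours.

```python
# Added check, not from the paper: Theorems 1 and 2 for k=3, s=1, K=GF(2^6) mod x^6+x+1 (our choice)
from collections import Counter
N, K, S = 6, 3, 1                 # n = 2k, with k and s odd and coprime
MOD, Q = 0b1000011, 1 << 6        # x^6 + x + 1 and |K| = 64

def mul(a, b):                    # carry-less product reduced modulo x^6 + x + 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a & Q:
            a ^= MOD
    return r

def power(a, e):                  # square-and-multiply in K
    r = 1
    while e:
        if e & 1:
            r = mul(r, a)
        a, e = mul(a, a), e >> 1
    return r

def trace(a):                     # absolute trace K -> GF(2): a + a^2 + ... + a^(2^(n-1))
    t = 0
    for _ in range(N):
        t, a = t ^ a, mul(a, a)
    return t

def poly_table(b, c, r):          # value table of polynomial (1); r = [r_0, ..., r_{k-1}]
    tab = []
    for x in range(Q):
        y = mul(b, power(x, 2**S + 1)) ^ mul(power(b, 2**K), power(x, 2**(K+S) + 2**K))
        y ^= mul(c, power(x, 2**(K+S) + 2**S))
        for i in range(K):
            y ^= mul(r[i], power(x, 2**(i+K) + 2**i))
        tab.append(y)
    return tab

def differential_uniformity(tab): # max over a != 0, p of #{x : f(x)+f(x+a) = p}; APN <=> 2
    return max(max(Counter(tab[x] ^ tab[x ^ a] for x in range(Q)).values())
               for a in range(1, Q))
def fourier_spectrum(tab):        # values of the Fourier transform of (-1)^Tr(f); bent <=> {+-2^k}
    return {sum((-1) ** (trace(mul(a, x)) ^ trace(tab[x])) for x in range(Q))
            for a in range(Q)}

# Theorem 2 hypotheses: b not in F_8 (b^8 != b), b not a cube (b^21 != 1), c not in F_8, r_i in F_8
B = next(y for y in range(2, Q) if power(y, 8) != y and power(y, 21) != 1)
C, R = mul(B, B), [1, power(B, 9), 0]   # Frobenius keeps C outside F_8; y^9 always lies in F_8
TAB = poly_table(B, C, R)
```

With these parameters `differential_uniformity(TAB)` returns 2 and `fourier_spectrum(TAB)` returns {8, -8}, as Theorems 2 and 1 predict; changing `B` to an element of $\mathbb{F}_8$ or to a cube lets the reader see the hypotheses at work.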