Characterization of Permutations

Component Functions

An [math]\displaystyle{ (n,n) }[/math]-function [math]\displaystyle{ F }[/math] is a permutation if and only if all of its components [math]\displaystyle{ f_λ }[/math] for [math]\displaystyle{ \lambda\in\mathbb{F}^*_{2^n} }[/math] are balanced.

Autocorrelation Functions of the Directional Derivatives

For any boolean function [math]\displaystyle{ f }[/math], we denote by [math]\displaystyle{ \mathcal{F}(f) }[/math] the following value related to the Fourier (or Walsh) transform of [math]\displaystyle{ f }[/math]:

The characterization in terms of the component functions given above can be equivalently expressed as

for any λ ∈ 𝔽*_2^𝑛.

Equivalently ^[1], 𝐹 is a permutation if and only if

for any [math]\displaystyle{ a }[/math] ∈ 𝔽*_2^𝑛.

Characterization of APN Permutations

Up to CCZ-equivalence, all of the APN permutations known so far belong to a few families, namely:^[2]

1. APN monomial functions in odd dimension.

2. One infinite family of quadratic polynomials in dimension [math]\displaystyle{ 3n }[/math], with [math]\displaystyle{ n }[/math] odd and [math]\displaystyle{ gcd(n,3)=1 }[/math].^[3]

3. Dillon's permutation in dimension 6.^[4]

4. Two sporadic quadratic APN permutations in dimension 9.^[5]

On the component functions

Clearly we have that no component function can be of degree 1. (This result is true for general APN maps)

For 𝑛 even we have also that no component can be partially-bent^[6]. This implies that, in even dimension, no component can be of degree 2.

Autocorrelation Functions of the Directional Derivatives

An [math]\displaystyle{ (n,n) }[/math]-function [math]\displaystyle{ F }[/math] is an APN permutation if and only if ^[1]

and

for any [math]\displaystyle{ a }[/math] ∈ 𝔽*_2^𝑛.

On APN Power Functions

For [math]\displaystyle{ n }[/math] odd, all power APN functions and the known APN binomials are permutations. When [math]\displaystyle{ n }[/math] is even, no APN function exists in a class of permutations including power permutations.

Specifically:

If a power function [math]\displaystyle{ F(x)=x^d }[/math] over [math]\displaystyle{ \mathbb{F}_{2^n} }[/math] is APN, then for every [math]\displaystyle{ x\in \mathbb{F}_{2^n} }[/math] we have [math]\displaystyle{ x^d=1 }[/math] if and only if [math]\displaystyle{ x^3=1 }[/math], that is, [math]\displaystyle{ F^{-1}(1)=\mathbb{F}_4\cap\mathbb{F}_{2^n}^*. }[/math]

If [math]\displaystyle{ n }[/math] is odd, then [math]\displaystyle{ gcd(d,2^n-1)=1 }[/math] and, if [math]\displaystyle{ n }[/math] is even, then [math]\displaystyle{ gcd(d,2^n-1)=3 }[/math].

Consequently, APN power functions are permutations if [math]\displaystyle{ n }[/math] is odd, and are three-to-one over [math]\displaystyle{ \mathbb{F}_{2^n}^* }[/math] if [math]\displaystyle{ n }[/math] is even.^[7]

APN Permutations and Codes

Let [math]\displaystyle{ F:\mathbb{F}_{2^n}\rightarrow\mathbb{F}_{2^n} }[/math] be APN, with [math]\displaystyle{ F(0)=0 }[/math].

[math]\displaystyle{ F }[/math] is CCZ-equivalent to an APN permutation if and only if [math]\displaystyle{ C_F^{\perp} }[/math] is a double simplex code (i.e. [math]\displaystyle{ C_F^{\perp}=C_1\oplus C_2 }[/math], where [math]\displaystyle{ C_1, C_2 }[/math] are [math]\displaystyle{ [2^n-1,n,2^{n-1}]- }[/math]codes).^[8]

An APN Permutation in Dimension 6

In his paper ^[9], Hou conjectured that APN permutations did not exist in even dimension. He proved the following theorem that covers the case of [math]\displaystyle{ n=4 }[/math]:

Let [math]\displaystyle{ F\in\mathbb{F}_{2^n}[x] }[/math] be a permutation polynomial with [math]\displaystyle{ n=2m }[/math]. Then:

1. If [math]\displaystyle{ n=4 }[/math], then [math]\displaystyle{ F }[/math] is not APN.

2. If [math]\displaystyle{ F\in\mathbb{F}_{2^m}[x] }[/math], then [math]\displaystyle{ F }[/math] is not APN.

The question of whether APN permutations exist in even dimension was a long-standing problem until, in 2009, Dillon presented an APN permutation (of algebraic degree [math]\displaystyle{ n-2 }[/math] and nonlinearity [math]\displaystyle{ 2^{n-1}-2^{n/2} }[/math]) in dimension 6^[4].

This function is CCZ-equivalent to the Kim function [math]\displaystyle{ \kappa(x)=x^3+x^{10}+ux^{24} }[/math] (where [math]\displaystyle{ u }[/math] is a primitive element of [math]\displaystyle{ \mathbb{F}_{2^6} }[/math]), whose associated code [math]\displaystyle{ C^{\perp}_F }[/math] is therefore a double simplex code. It was used later in the cryptosystem Fides^[10], which has been subsequently broken due to its weaknesses in the linear component.

Dillon's function is also EA-equivalent to an involution and it is studied further in the introduction of the butterfly construction^[11]. Unfortunately, this construction does not allow obtaining APN permutations in more than six variables^[12].

The Big Open APN Problem

The question of existence of APN permutations in even dimension [math]\displaystyle{ n\geq 8 }[/math] remains open. There exist nonexistent results within the following classes:

1. Plateaued functions (when APN, they have bent components);

2. A class of functions including power functions;

3. Functions whose univariate representation coefficients lie in [math]\displaystyle{ \mathbb{F}_{2^{n/2}} }[/math], or in [math]\displaystyle{ \mathbb{F}_{2^4} }[/math] for [math]\displaystyle{ n }[/math] divisible by 4; ^[9]

4. Functions whose univariate representation coefficients satisfy [math]\displaystyle{ \sum_{i=0}^{(2^n-1)/3}a_{3i}=0 }[/math]; ^[13]

5. Functions having at least one partially-bent component^[6].

References