APN Permutations: Difference between revisions

From Boolean
Jump to navigation Jump to search
(Created page with "= Characterization of Permutations = == Component Functions == An <math>(n,n)</math>-function <math>F</math> is a permutation if and only if all of its components <math>F_\l...")
 
 
(62 intermediate revisions by 2 users not shown)
Line 3: Line 3:
== Component Functions ==
== Component Functions ==


An <math>(n,n)</math>-function <math>F</math> is a permutation if and only if all of its components <math>F_\lambda</math> for <math>\lambda \in \mathbb{F}_{2^n}^*</math> are balanced.
An <math>(n,n)</math>-function <math>F</math> is a permutation if and only if all of its components <math>f_λ</math> for <math>\lambda\in\mathbb{F}^*_{2^n}</math> are balanced.


== Autocorrelation Functions of the Directional Derivatives ==
== Autocorrelation Functions of the Directional Derivatives ==
For any boolean function <math>f</math>, we denote by <math>\mathcal{F}(f)</math> the following value related to the Fourier (or Walsh) transform of <math>f</math>: <div><math>\mathcal{F}(f)=\sum_{x\in\mathbb{F}_{2^n}}(-1)^{f(x)}=2^n-2wt(f).</math></div>


The characterization in terms of the component functions given above can be equivalently expressed as
The characterization in terms of the component functions given above can be equivalently expressed as
Line 11: Line 13:
<div><math>\sum_{a \in \mathbb{F}_{2^n}^*} \mathcal{F}(D_af_\lambda) = -2^n</math></div>
<div><math>\sum_{a \in \mathbb{F}_{2^n}^*} \mathcal{F}(D_af_\lambda) = -2^n</math></div>


for any <math>\lambda \in \mathbb{F}_{2^n}^*</math>.
for any <math>λ\in\mathbb{F}^*_{2^n}</math>.


Equivalently <ref name="bercanchalai2006"> Thierry Berger, Anne Canteaut, Pascale Charpin, Yann Laigle-Chapuy, ''On Almost Perfect Nonlinear Functions Over GF(2^n)'', IEEE Transactions on Information Theory, 2006 Sep,52(9),4160-70</ref>, <math>F</math> is a permutation if and only if
Equivalently <ref name="bercanchalai2006"> Thierry Berger, Anne Canteaut, Pascale Charpin, Yann Laigle-Chapuy, ''On Almost Perfect Nonlinear Functions Over GF(2^n)'', IEEE Transactions on Information Theory, 2006 Sep,52(9),4160-70</ref>, <math>F</math> is a permutation if and only if
Line 17: Line 19:
<div><math>\sum_{\lambda \in \mathbb{F}_{2^n}^*} \mathcal{F}(D_af_\lambda) = -2^n</math></div>
<div><math>\sum_{\lambda \in \mathbb{F}_{2^n}^*} \mathcal{F}(D_af_\lambda) = -2^n</math></div>


for any <math>\lambda \in \mathbb{F}_{2^n}^*</math>.
for any <math>a\in\mathbb{F}^*_{2^n}</math>.


= Characterization of APN Permutations =
= Characterization of APN Permutations =
Up to CCZ-equivalence, all of the APN permutations known so far belong to a few families, namely:<ref name="BT"> Bartoli, D., Timpanella, M. <i>On a conjecture on APN permutations.</i> Cryptogr. Commun. 14, 925–931 (2022)</ref>
1. APN monomial functions in odd dimension.
2. One infinite family of quadratic polynomials in dimension <math>3n</math>, with <math>n</math> odd and <math>gcd(n,3)=1</math>.<ref name="BCL"> Budaghyan, L., Carlet, C., Leander, G.: <i>Two classes of quadratic APN binomials inequivalent to power
functions.</i> IEEE Trans. Inf. Theory 54(9), 4218–4229 (2008)</ref>
3. Dillon's permutation in dimension 6.<ref name="Dillon">Browning, K., Dillon, J.F., McQuistan, M., Wolfe, A.J.: <i>An APN permutation in dimension six.</i> In: Post-proceedings of the 9-th International conference on Finite Fields and their applications, American
Mathematical Society, vol. 518, pp. 33–42 (2010)</ref>
4. Two sporadic quadratic APN permutations in dimension 9.<ref name="BL">Beierle, C., Leander, G.: <i>New instances of quadratic APN functions</i>, arXiv:2009.07204 (2020)</ref>
==On the component functions==
Clearly we have that no component function can be of degree 1. (This result is true for general APN maps)
For <math>n</math> even we have also that no component can be partially-bent<ref name="CalSalVil"> Marco Calderini, Massimiliano Sala, Irene Villa, ''A note on APN permutations in even dimension'', Finite Fields and Their Applications, vol. 46, 1-16, 2017</ref>.
This implies that, in even dimension, no component can be of degree 2.


== Autocorrelation Functions of the Directional Derivatives ==
== Autocorrelation Functions of the Directional Derivatives ==
Line 28: Line 48:
and
and
<div><math>\sum_{\lambda \in \mathbb{F}_{2^n}^*} \mathcal{F}^2(D_af_\lambda) = 2^{2n}</math></div>
<div><math>\sum_{\lambda \in \mathbb{F}_{2^n}^*} \mathcal{F}^2(D_af_\lambda) = 2^{2n}</math></div>
for any <math>a \in \mathbb{F}_{2^n}^*</math>.
for any <math>a\in\mathbb{F}^*_{2^n}</math>.
 
==On APN Power Functions==
 
For <math>n</math> odd, all power APN functions and the known APN binomials are permutations. When <math>n</math> is even, no APN function exists in a class of permutations including power permutations.
 
Specifically:
 
If a power function <math>F(x)=x^d</math> over <math>\mathbb{F}_{2^n}</math> is APN, then for every <math>x\in \mathbb{F}_{2^n}</math> we have <math>x^d=1</math> if and only if <math>x^3=1</math>, that is, <math>F^{-1}(1)=\mathbb{F}_4\cap\mathbb{F}_{2^n}^*.</math>
 
If <math>n</math> is odd, then <math>gcd(d,2^n-1)=1</math> and, if <math>n</math> is even, then <math>gcd(d,2^n-1)=3</math>.
 
Consequently, APN power functions are permutations if <math>n</math> is odd, and are three-to-one over <math>\mathbb{F}_{2^n}^*</math> if <math>n</math> is even.<ref name="Dobbertin"> H. Dobbertin. <i>Private Communication</i>, 1998.</ref>
 
==APN Permutations and Codes==
 
Any linear subspace <math>C</math> of <math>\mathbb{F}_2^n</math> of dimension <math>k</math> is called a <i>binary linear code of length</i> <math>n</math> <i>and dimension</i> <math>k</math> and is denoted by <math>[n,k,d]</math>, where <math>d</math> is the minimum Hamming distance of <math>C</math>.
 
Any linear <math>[n,k,d]-</math>code <math>C</math> is associated with its <i>dual</i> <math>[n,n-k,d^{\perp}]-</math>code, denoted by <math>C^{\perp}</math> and defined as <math>C^{\perp}=\{x\in\mathbb{F}_2^n\;|\;c\cdot x=0, \;\forall c\in C\}.</math>
 
Let <math>\mathcal{H}</math> be a binary <math>(r\times n)</math> matrix. We say that a linear binary code <math>C</math> of length <math>n</math> is defined by the <i>parity check matrix</i> <math>\mathcal{H}</math> if <math>C=\{c\in\mathbb{F}_2^n\;|\;c\mathcal{H}^t=0\},</math> where <math>\mathcal{H}^t</math> is the transposed matrix of <math>\mathcal{H}</math>.
 
APN (and AB) properties were expressed in terms of codes in <ref name="CCZ">Carlet, Claude & Charpin, Pascale & Zinoviev, Victor. (1998). <i>Codes, Bent Functions and Permutations Suitable For DES-like Cryptosystems.</i> Designs, Codes and Cryptography, vol. 15, p. 125-156.</ref>. In particular, we mention the following result:
 
 
<strong>Theorem.</strong> Let <math>F</math> be a function on <math>\mathbb{F}_{2^m}</math> such that <math>F(0) = 0</math> and let <math>C_F</math> be the
<math>[2^m − 1,k,d]-</math>code defined by the parity check matrix
 
<div><math>\mathcal{H}_F=\begin{pmatrix}
1 & \alpha & \alpha^2 & \cdots & \alpha^{2^m-2}\\
F(1) & F(\alpha) & F(\alpha^2) & \cdots & F(\alpha^{2^m-2})
\end{pmatrix}</math></div>
 
where each entry is viewed as a binary vector and <math>\alpha</math> is the primitive element of <math>\mathbb{F}_{2^m}.</math> Then:
 
1. The code <math>C_F</math> is such that <math>3 \leq d \leq 5</math>.
 
2. <math>F</math> is APN if and only if <math>d = 5</math>.
 
3. <math>F</math> is AB if and only if the weight of every codeword in <math>C_F^{\perp}</math> lies in <math>\{0, 2^{m-1}, 2^{m-1}\pm 2^{m-1/2}\}</math>.
 
 
A binary linear <math>[2^k-1,k,2^{k-1}]-</math>code <math>C</math> in <math>\mathbb{F}_2^n</math> is called <i>simplex</i>. Simplex codes constitute a family of linear error-correcting or error-detecting block codes, easily implemented as polynomial codes (i.e. codes whose encoding and decoding algorithms may be conveniently expressed in terms of polynomials over a base field).
 
A <math>2k-</math>dimensional code <math>C</math> is called a <i>double simplex code</i> if it can be written as a direct sum of two simplex <math>[2^k-1,k,2^{k-1}]-</math>codes. The following result provides a connection between APN permutations and double simplex codes:
 
<strong>Theorem.</strong><ref name="Dillon2">Browning, K.A. & Dillon, J.F. & Kibler, R.E. & McQuistan, M.T.. (2009). <i>APN polynomials and related codes.</i> Journal of Combinatorics, Information & System Sciences. 34.</ref> Let <math>F:\mathbb{F}_{2^n}\rightarrow\mathbb{F}_{2^n}</math> be APN, with <math>F(0)=0</math>.
 
<math>F</math> is CCZ-equivalent to an APN permutation if and only if <math>C_F^{\perp}</math> is a double simplex code, i.e. <math>C_F^{\perp}=C_1\oplus C_2</math>, where <math>C_1, C_2</math> are simplex <math>[2^n-1,n,2^{n-1}]-</math>codes.
 
==An APN Permutation in Dimension 6==
 
In his paper <ref name="Hou">X.-D. Hou. <i>Affinity of Permutations of <math>\mathbb{F}_2^n</math>.</i> Proceedings of Workshop on Coding and Cryptography WCC 2003, pp. 273-280, 2003. Completed version in Discrete Applied Mathematics 154 (2), pp. 313-325, 2006.</ref>, Hou conjectured that APN permutations did not exist in even dimension. He proved the following theorem that covers the case of <math>n=4</math>:
 
Let <math>F\in\mathbb{F}_{2^n}[x]</math> be a permutation polynomial with <math>n=2m</math>. Then:
 
1. If <math>n=4</math>, then <math>F</math> is not APN.
 
2. If <math>F\in\mathbb{F}_{2^m}[x]</math>, then <math>F</math> is not APN.
 
The question of whether APN permutations exist in even dimension was a long-standing problem until, in 2009, Dillon presented an APN permutation (of algebraic degree <math>n-2</math> and nonlinearity <math>2^{n-1}-2^{n/2}</math>) in dimension 6.
 
This function is CCZ-equivalent to the Kim function <math>\kappa(x)=x^3+x^{10}+ux^{24}</math> (where <math>u</math> is a primitive element of <math>\mathbb{F}_{2^6}</math>) and it is given by the polynomial
<center><math>g(x)=w^{45}x^{60}+w^{41}x^{58}+w^{43}x^{57}+w^{4}x^{56}+w^{50}x^{54}+w^{20}x^{53}+w^{45}x^{52}+w^{20}x^{51}+w^{23}x^{50}+w^{36}x^{49}+w^{56}x^{48}+w^{21}x^{46}+w^5x^{45}+w^{21}x^{44}</math></center>
<center><math>+w^{28}x^{43}+w^3x^{42}+w^{59}x^{41}+w^{58}x^{40}+w^{57}x^{39}+w^{53}x^{38}+w^{37}x^{37}+w^{40}x^{36}+w^{18}x^{35}+w^{41}x^{34}+w^{54}x^{33}+w^3x^{32}+w^{49}x^{30}+w^{41}x^{29}</math></center>
<center><math>+w^{42}x^{28}+w^{50}x^{27}+w^{53}x^{26}+w^{58}x^{25}+w^9x^{24}+x^{23}+w^{28}x^{22}+w^3x^{21}+w^{21}x^{20}+w^{52}x^{19}+w^{60}x^{17}+w^{59}x^{16}+w^{10}x^{15}+w^{42}x^{13}</math></center>
<center><math>+w^8x^{12}+w^{35}x^{11}+w^{44}x^{10}+w^{45}x^8+w^8x^7+w^{61}x^6+w^{59}x^5+w^{20}x^4+w^{12}x^3+w^{37}x^2+w^2x</math></center>
 
where <math>w=u^{-2}</math>.<ref name="Dillon"></ref>
 
It was used later in the cryptosystem Fides<ref name="BBKMW">B. Bilgin, A. Bogdanov, M. Knezevic, F. Mendel and Q. Wang. <i>Fides: lightweight authenticated cipher with side-channel resistance for constrained hardware.</i> Proceedings of International  Workshop Cryptographic Hardware and Embedded Systems CHES 2013, Lecture Notes in Computer Science 8086, pp. 142-158, 2013.</ref>, which has been subsequently broken due to its weaknesses in the linear component.
 
Dillon's function is also EA-equivalent to an involution and it is studied further in the introduction of the <i>butterfly construction</i><ref name="PUB">L. Perrin, A. Udovenko, A. Biryukov. <i>Cryptanalysis of a theorem: decomposing the only known solution to the big APN problem.</i> Proceedings of CRYPTO 2016, Lecture Notes in Computer Science 9815, part II, pp. 93-122, 2016.</ref>. Unfortunately, this construction does not allow obtaining APN permutations in more than six variables<ref name="PST">L. Perrin, A. Canteaut, S. Tian. <i>If a generalized butterfly is APN then it operates on 6 bits.</i> Special Issue on Boolean Functions and Their Applications 2018, Cryptography and Communications 11 (6), pp. 1147-1164, 2019.</ref>.
 
==The Big Open APN Problem==
 
The question of existence of APN permutations in even dimension <math>n\geq 8</math> remains open. There exist nonexistent results within the following classes:
 
1. Plateaued functions (when APN, they have bent components);
 
2. A class of functions including power functions;
 
3. Functions whose univariate representation coefficients lie in <math>\mathbb{F}_{2^{n/2}}</math>, or in <math>\mathbb{F}_{2^4}</math> for <math>n</math> divisible by 4; <ref name="Hou"></ref>
 
4. Functions whose univariate representation coefficients satisfy <math>\sum_{i=0}^{(2^n-1)/3}a_{3i}=0</math>; <ref name="Canteaut"> A. Canteaut. <i>Differential cryptanalysis of Feistel ciphers and differentially uniform mappings.</i> Proceedings of Selected Areas on Cryptography, SAC 1997, pp. 172-184, 1997.</ref>
 
5. Functions having at least one partially-bent component<ref name="CalSalVil"></ref>.
 
=References=

Latest revision as of 14:28, 21 November 2024

Characterization of Permutations

Component Functions

An [math]\displaystyle{ (n,n) }[/math]-function [math]\displaystyle{ F }[/math] is a permutation if and only if all of its components [math]\displaystyle{ f_λ }[/math] for [math]\displaystyle{ \lambda\in\mathbb{F}^*_{2^n} }[/math] are balanced.

Autocorrelation Functions of the Directional Derivatives

For any boolean function [math]\displaystyle{ f }[/math], we denote by [math]\displaystyle{ \mathcal{F}(f) }[/math] the following value related to the Fourier (or Walsh) transform of [math]\displaystyle{ f }[/math]:

[math]\displaystyle{ \mathcal{F}(f)=\sum_{x\in\mathbb{F}_{2^n}}(-1)^{f(x)}=2^n-2wt(f). }[/math]

The characterization in terms of the component functions given above can be equivalently expressed as

[math]\displaystyle{ \sum_{a \in \mathbb{F}_{2^n}^*} \mathcal{F}(D_af_\lambda) = -2^n }[/math]

for any [math]\displaystyle{ λ\in\mathbb{F}^*_{2^n} }[/math].

Equivalently [1], [math]\displaystyle{ F }[/math] is a permutation if and only if

[math]\displaystyle{ \sum_{\lambda \in \mathbb{F}_{2^n}^*} \mathcal{F}(D_af_\lambda) = -2^n }[/math]

for any [math]\displaystyle{ a\in\mathbb{F}^*_{2^n} }[/math].

Characterization of APN Permutations

Up to CCZ-equivalence, all of the APN permutations known so far belong to a few families, namely:[2]

1. APN monomial functions in odd dimension.

2. One infinite family of quadratic polynomials in dimension [math]\displaystyle{ 3n }[/math], with [math]\displaystyle{ n }[/math] odd and [math]\displaystyle{ gcd(n,3)=1 }[/math].[3]

3. Dillon's permutation in dimension 6.[4]

4. Two sporadic quadratic APN permutations in dimension 9.[5]

On the component functions

Clearly we have that no component function can be of degree 1. (This result is true for general APN maps)

For [math]\displaystyle{ n }[/math] even we have also that no component can be partially-bent[6]. This implies that, in even dimension, no component can be of degree 2.

Autocorrelation Functions of the Directional Derivatives

An [math]\displaystyle{ (n,n) }[/math]-function [math]\displaystyle{ F }[/math] is an APN permutation if and only if [1]

[math]\displaystyle{ \sum_{\lambda \in \mathbb{F}_{2^n}^*} \mathcal{F}(D_af_\lambda) = -2^n }[/math]

and

[math]\displaystyle{ \sum_{\lambda \in \mathbb{F}_{2^n}^*} \mathcal{F}^2(D_af_\lambda) = 2^{2n} }[/math]

for any [math]\displaystyle{ a\in\mathbb{F}^*_{2^n} }[/math].

On APN Power Functions

For [math]\displaystyle{ n }[/math] odd, all power APN functions and the known APN binomials are permutations. When [math]\displaystyle{ n }[/math] is even, no APN function exists in a class of permutations including power permutations.

Specifically:

If a power function [math]\displaystyle{ F(x)=x^d }[/math] over [math]\displaystyle{ \mathbb{F}_{2^n} }[/math] is APN, then for every [math]\displaystyle{ x\in \mathbb{F}_{2^n} }[/math] we have [math]\displaystyle{ x^d=1 }[/math] if and only if [math]\displaystyle{ x^3=1 }[/math], that is, [math]\displaystyle{ F^{-1}(1)=\mathbb{F}_4\cap\mathbb{F}_{2^n}^*. }[/math]

If [math]\displaystyle{ n }[/math] is odd, then [math]\displaystyle{ gcd(d,2^n-1)=1 }[/math] and, if [math]\displaystyle{ n }[/math] is even, then [math]\displaystyle{ gcd(d,2^n-1)=3 }[/math].

Consequently, APN power functions are permutations if [math]\displaystyle{ n }[/math] is odd, and are three-to-one over [math]\displaystyle{ \mathbb{F}_{2^n}^* }[/math] if [math]\displaystyle{ n }[/math] is even.[7]

APN Permutations and Codes

Any linear subspace [math]\displaystyle{ C }[/math] of [math]\displaystyle{ \mathbb{F}_2^n }[/math] of dimension [math]\displaystyle{ k }[/math] is called a binary linear code of length [math]\displaystyle{ n }[/math] and dimension [math]\displaystyle{ k }[/math] and is denoted by [math]\displaystyle{ [n,k,d] }[/math], where [math]\displaystyle{ d }[/math] is the minimum Hamming distance of [math]\displaystyle{ C }[/math].

Any linear [math]\displaystyle{ [n,k,d]- }[/math]code [math]\displaystyle{ C }[/math] is associated with its dual [math]\displaystyle{ [n,n-k,d^{\perp}]- }[/math]code, denoted by [math]\displaystyle{ C^{\perp} }[/math] and defined as [math]\displaystyle{ C^{\perp}=\{x\in\mathbb{F}_2^n\;|\;c\cdot x=0, \;\forall c\in C\}. }[/math]

Let [math]\displaystyle{ \mathcal{H} }[/math] be a binary [math]\displaystyle{ (r\times n) }[/math] matrix. We say that a linear binary code [math]\displaystyle{ C }[/math] of length [math]\displaystyle{ n }[/math] is defined by the parity check matrix [math]\displaystyle{ \mathcal{H} }[/math] if [math]\displaystyle{ C=\{c\in\mathbb{F}_2^n\;|\;c\mathcal{H}^t=0\}, }[/math] where [math]\displaystyle{ \mathcal{H}^t }[/math] is the transposed matrix of [math]\displaystyle{ \mathcal{H} }[/math].

APN (and AB) properties were expressed in terms of codes in [8]. In particular, we mention the following result:


Theorem. Let [math]\displaystyle{ F }[/math] be a function on [math]\displaystyle{ \mathbb{F}_{2^m} }[/math] such that [math]\displaystyle{ F(0) = 0 }[/math] and let [math]\displaystyle{ C_F }[/math] be the [math]\displaystyle{ [2^m − 1,k,d]- }[/math]code defined by the parity check matrix

[math]\displaystyle{ \mathcal{H}_F=\begin{pmatrix} 1 & \alpha & \alpha^2 & \cdots & \alpha^{2^m-2}\\ F(1) & F(\alpha) & F(\alpha^2) & \cdots & F(\alpha^{2^m-2}) \end{pmatrix} }[/math]

where each entry is viewed as a binary vector and [math]\displaystyle{ \alpha }[/math] is the primitive element of [math]\displaystyle{ \mathbb{F}_{2^m}. }[/math] Then:

1. The code [math]\displaystyle{ C_F }[/math] is such that [math]\displaystyle{ 3 \leq d \leq 5 }[/math].

2. [math]\displaystyle{ F }[/math] is APN if and only if [math]\displaystyle{ d = 5 }[/math].

3. [math]\displaystyle{ F }[/math] is AB if and only if the weight of every codeword in [math]\displaystyle{ C_F^{\perp} }[/math] lies in [math]\displaystyle{ \{0, 2^{m-1}, 2^{m-1}\pm 2^{m-1/2}\} }[/math].


A binary linear [math]\displaystyle{ [2^k-1,k,2^{k-1}]- }[/math]code [math]\displaystyle{ C }[/math] in [math]\displaystyle{ \mathbb{F}_2^n }[/math] is called simplex. Simplex codes constitute a family of linear error-correcting or error-detecting block codes, easily implemented as polynomial codes (i.e. codes whose encoding and decoding algorithms may be conveniently expressed in terms of polynomials over a base field).

A [math]\displaystyle{ 2k- }[/math]dimensional code [math]\displaystyle{ C }[/math] is called a double simplex code if it can be written as a direct sum of two simplex [math]\displaystyle{ [2^k-1,k,2^{k-1}]- }[/math]codes. The following result provides a connection between APN permutations and double simplex codes:

Theorem.[9] Let [math]\displaystyle{ F:\mathbb{F}_{2^n}\rightarrow\mathbb{F}_{2^n} }[/math] be APN, with [math]\displaystyle{ F(0)=0 }[/math].

[math]\displaystyle{ F }[/math] is CCZ-equivalent to an APN permutation if and only if [math]\displaystyle{ C_F^{\perp} }[/math] is a double simplex code, i.e. [math]\displaystyle{ C_F^{\perp}=C_1\oplus C_2 }[/math], where [math]\displaystyle{ C_1, C_2 }[/math] are simplex [math]\displaystyle{ [2^n-1,n,2^{n-1}]- }[/math]codes.

An APN Permutation in Dimension 6

In his paper [10], Hou conjectured that APN permutations did not exist in even dimension. He proved the following theorem that covers the case of [math]\displaystyle{ n=4 }[/math]:

Let [math]\displaystyle{ F\in\mathbb{F}_{2^n}[x] }[/math] be a permutation polynomial with [math]\displaystyle{ n=2m }[/math]. Then:

1. If [math]\displaystyle{ n=4 }[/math], then [math]\displaystyle{ F }[/math] is not APN.

2. If [math]\displaystyle{ F\in\mathbb{F}_{2^m}[x] }[/math], then [math]\displaystyle{ F }[/math] is not APN.

The question of whether APN permutations exist in even dimension was a long-standing problem until, in 2009, Dillon presented an APN permutation (of algebraic degree [math]\displaystyle{ n-2 }[/math] and nonlinearity [math]\displaystyle{ 2^{n-1}-2^{n/2} }[/math]) in dimension 6.

This function is CCZ-equivalent to the Kim function [math]\displaystyle{ \kappa(x)=x^3+x^{10}+ux^{24} }[/math] (where [math]\displaystyle{ u }[/math] is a primitive element of [math]\displaystyle{ \mathbb{F}_{2^6} }[/math]) and it is given by the polynomial

[math]\displaystyle{ g(x)=w^{45}x^{60}+w^{41}x^{58}+w^{43}x^{57}+w^{4}x^{56}+w^{50}x^{54}+w^{20}x^{53}+w^{45}x^{52}+w^{20}x^{51}+w^{23}x^{50}+w^{36}x^{49}+w^{56}x^{48}+w^{21}x^{46}+w^5x^{45}+w^{21}x^{44} }[/math]
[math]\displaystyle{ +w^{28}x^{43}+w^3x^{42}+w^{59}x^{41}+w^{58}x^{40}+w^{57}x^{39}+w^{53}x^{38}+w^{37}x^{37}+w^{40}x^{36}+w^{18}x^{35}+w^{41}x^{34}+w^{54}x^{33}+w^3x^{32}+w^{49}x^{30}+w^{41}x^{29} }[/math]
[math]\displaystyle{ +w^{42}x^{28}+w^{50}x^{27}+w^{53}x^{26}+w^{58}x^{25}+w^9x^{24}+x^{23}+w^{28}x^{22}+w^3x^{21}+w^{21}x^{20}+w^{52}x^{19}+w^{60}x^{17}+w^{59}x^{16}+w^{10}x^{15}+w^{42}x^{13} }[/math]
[math]\displaystyle{ +w^8x^{12}+w^{35}x^{11}+w^{44}x^{10}+w^{45}x^8+w^8x^7+w^{61}x^6+w^{59}x^5+w^{20}x^4+w^{12}x^3+w^{37}x^2+w^2x }[/math]

where [math]\displaystyle{ w=u^{-2} }[/math].[4]

It was used later in the cryptosystem Fides[11], which has been subsequently broken due to its weaknesses in the linear component.

Dillon's function is also EA-equivalent to an involution and it is studied further in the introduction of the butterfly construction[12]. Unfortunately, this construction does not allow obtaining APN permutations in more than six variables[13].

The Big Open APN Problem

The question of existence of APN permutations in even dimension [math]\displaystyle{ n\geq 8 }[/math] remains open. There exist nonexistent results within the following classes:

1. Plateaued functions (when APN, they have bent components);

2. A class of functions including power functions;

3. Functions whose univariate representation coefficients lie in [math]\displaystyle{ \mathbb{F}_{2^{n/2}} }[/math], or in [math]\displaystyle{ \mathbb{F}_{2^4} }[/math] for [math]\displaystyle{ n }[/math] divisible by 4; [10]

4. Functions whose univariate representation coefficients satisfy [math]\displaystyle{ \sum_{i=0}^{(2^n-1)/3}a_{3i}=0 }[/math]; [14]

5. Functions having at least one partially-bent component[6].

References

  1. 1.0 1.1 Thierry Berger, Anne Canteaut, Pascale Charpin, Yann Laigle-Chapuy, On Almost Perfect Nonlinear Functions Over GF(2^n), IEEE Transactions on Information Theory, 2006 Sep,52(9),4160-70
  2. Bartoli, D., Timpanella, M. On a conjecture on APN permutations. Cryptogr. Commun. 14, 925–931 (2022)
  3. Budaghyan, L., Carlet, C., Leander, G.: Two classes of quadratic APN binomials inequivalent to power functions. IEEE Trans. Inf. Theory 54(9), 4218–4229 (2008)
  4. 4.0 4.1 Browning, K., Dillon, J.F., McQuistan, M., Wolfe, A.J.: An APN permutation in dimension six. In: Post-proceedings of the 9-th International conference on Finite Fields and their applications, American Mathematical Society, vol. 518, pp. 33–42 (2010)
  5. Beierle, C., Leander, G.: New instances of quadratic APN functions, arXiv:2009.07204 (2020)
  6. 6.0 6.1 Marco Calderini, Massimiliano Sala, Irene Villa, A note on APN permutations in even dimension, Finite Fields and Their Applications, vol. 46, 1-16, 2017
  7. H. Dobbertin. Private Communication, 1998.
  8. Carlet, Claude & Charpin, Pascale & Zinoviev, Victor. (1998). Codes, Bent Functions and Permutations Suitable For DES-like Cryptosystems. Designs, Codes and Cryptography, vol. 15, p. 125-156.
  9. Browning, K.A. & Dillon, J.F. & Kibler, R.E. & McQuistan, M.T.. (2009). APN polynomials and related codes. Journal of Combinatorics, Information & System Sciences. 34.
  10. 10.0 10.1 X.-D. Hou. Affinity of Permutations of [math]\displaystyle{ \mathbb{F}_2^n }[/math]. Proceedings of Workshop on Coding and Cryptography WCC 2003, pp. 273-280, 2003. Completed version in Discrete Applied Mathematics 154 (2), pp. 313-325, 2006.
  11. B. Bilgin, A. Bogdanov, M. Knezevic, F. Mendel and Q. Wang. Fides: lightweight authenticated cipher with side-channel resistance for constrained hardware. Proceedings of International Workshop Cryptographic Hardware and Embedded Systems CHES 2013, Lecture Notes in Computer Science 8086, pp. 142-158, 2013.
  12. L. Perrin, A. Udovenko, A. Biryukov. Cryptanalysis of a theorem: decomposing the only known solution to the big APN problem. Proceedings of CRYPTO 2016, Lecture Notes in Computer Science 9815, part II, pp. 93-122, 2016.
  13. L. Perrin, A. Canteaut, S. Tian. If a generalized butterfly is APN then it operates on 6 bits. Special Issue on Boolean Functions and Their Applications 2018, Cryptography and Communications 11 (6), pp. 1147-1164, 2019.
  14. A. Canteaut. Differential cryptanalysis of Feistel ciphers and differentially uniform mappings. Proceedings of Selected Areas on Cryptography, SAC 1997, pp. 172-184, 1997.
Retrieved from "http://boolean.wiki.uib.no/index.php?title=APN_Permutations&oldid=702"