Characterization of Permutations

Component Functions

An (𝑛,𝑛)-function 𝐹 is a permutation if and only if all of its components 𝐹_λ for λ ∈ 𝔽*_2^𝑛 are balanced.

Autocorrelation Functions of the Directional Derivatives

The characterization in terms of the component functions given above can be equivalently expressed as

${\displaystyle \sum _{a\in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}(D_{a}f_{\lambda })=-2^{n}}$

for any λ ∈ 𝔽*_2^𝑛.

Equivalently ^[1], 𝐹 is a permutation if and only if

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}(D_{a}f_{\lambda })=-2^{n}}$

for any λ ∈ 𝔽*_2^𝑛.

Characterization of APN Permutations

^[2] Up to CCZ-equivalence, all of the APN permutations known so far belong to a few families, namely:

1. APN monomial functions in odd dimension.

2. One infinite family of quadratic polynomials in dimension ${\displaystyle 3n}$, with ${\displaystyle n}$ odd and ${\displaystyle gcd(n,3)=1}$.^[3]

3. Dillon's permutation in dimension 6.^[4]

4. Two sporadic quadratic APN permutations in dimension 9.^[5]

On the component functions

Clearly we have that no component function can be of degree 1. (This result is true for general APN maps)

For 𝑛 even we have also that no component can be partially-bent^[6]. This implies that, in even dimension, no component can be of degree 2.

Autocorrelation Functions of the Directional Derivatives

An (𝑛,𝑛)-function 𝐹 is an APN permutation if and only if ^[1]

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}(D_{a}f_{\lambda })=-2^{n}}$

and

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}^{2}(D_{a}f_{\lambda })=2^{2n}}$

for any 𝑎 ∈ 𝔽*_2^𝑛.

On APN Power Functions

For ${\displaystyle n}$ odd, all power APN functions and the known APN binomials are permutations. When ${\displaystyle n}$ is even, no APN function exists in a class of permutations including power permutations.

Specifically:

If a power function ${\displaystyle F(x)=x^{d}}$ over ${\displaystyle \mathbb {F} _{2^{n}}}$ is APN, then for every ${\displaystyle x\in \mathbb {F} _{2^{n}}}$ we have ${\displaystyle x^{d}=1}$ if and only if ${\displaystyle x^{3}=1}$, that is, ${\displaystyle F^{-1}(1)=\mathbb {F} _{4}\cap \mathbb {F} _{2^{n}}^{*}.}$

If ${\displaystyle n}$ is odd, then ${\displaystyle gcd(d,2^{n}-1)=1}$ and, if ${\displaystyle n}$ is even, then ${\displaystyle gcd(d,2^{n}-1)=3}$.

Consequently, APN power functions are permutations if ${\displaystyle n}$ is odd, and are three-to-one over ${\displaystyle \mathbb {F} _{2^{n}}^{*}}$ if ${\displaystyle n}$ is even.^[7]

The Big Open APN Problem

In his paper ^[8], Hou conjectured that APN permutations did not exist in even dimension. He proved the following theorem that covers the case of ${\displaystyle n=4}$:

Let ${\displaystyle F\in \mathbb {F} _{2^{n}}[x]}$ be a permutation polynomial with ${\displaystyle n=2m}$. Then:

1. If ${\displaystyle n=4}$, then ${\displaystyle F}$ is not APN.

2. If ${\displaystyle F\in \mathbb {F} _{2^{m}}[x]}$, then ${\displaystyle F}$ is not APN.

The question of whether APN permutations exist in even dimension was a long-standing problem until, in 2009, Dillon presented an APN permutation in dimension 6^[4].

That is the function ${\displaystyle F(x)=ux^{3}+ux^{10}+u^{2}x^{24},}$ where ${\displaystyle u}$ is a primitive element of ${\displaystyle \mathbb {F} _{2^{6}}}$. ${\displaystyle F}$ is CCZ-equivalent to the Kim function ${\displaystyle \kappa (x)=x^{3}+x^{10}+ux^{24}}$.

The question of existence of APN permutations in even dimension ${\displaystyle n\geq 8}$ remains open. There exist nonexistent results within the following classes:

1. Plateaued functions (when APN, they have bent components);

2. A class of functions including power functions;

3. Functions whose univariate representation coefficients lie in ${\displaystyle \mathbb {F} _{2^{n/2}}}$, or in ${\displaystyle \mathbb {F} _{2^{4}}}$ for ${\displaystyle n}$ divisible by 4; ^[8]

4. Functions whose univariate representation coefficients satisfy ${\displaystyle \sum _{i=0}^{(2^{n}-1)/3}a_{3i}=0}$; ^[9]

5. Functions having at least one partially-bent component^[6].