Characterization of Permutations

Component Functions

An (𝑛,𝑛)-function 𝐹 is a permutation if and only if all of its components 𝐹_λ for λ ∈ 𝔽*_2^𝑛 are balanced.

Autocorrelation Functions of the Directional Derivatives

The characterization in terms of the component functions given above can be equivalently expressed as

${\displaystyle \sum _{a\in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}(D_{a}f_{\lambda })=-2^{n}}$

for any λ ∈ 𝔽*_2^𝑛.

Equivalently ^[1], 𝐹 is a permutation if and only if

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}(D_{a}f_{\lambda })=-2^{n}}$

for any λ ∈ 𝔽*_2^𝑛.

Characterization of APN Permutations

^[2] Up to CCZ-equivalence, all of the APN permutations known so far belong to a few families, namely:

1. APN monomial functions in odd dimension.

2. One infinite family of quadratic polynomials in dimension ${\displaystyle 3n}$, with ${\displaystyle n}$ odd and ${\displaystyle gcd(n,3)=1}$.^[3]

3. Dillon's permutation in dimension 6.^[4]

4. Two sporadic quadratic APN permutations in dimension 9.^[5]

On the component functions

Clearly we have that no component function can be of degree 1. (This result is true for general APN maps)

For 𝑛 even we have also that no component can be partially-bent^[6]. This implies that, in even dimension, no component can be of degree 2.

Autocorrelation Functions of the Directional Derivatives

An (𝑛,𝑛)-function 𝐹 is an APN permutation if and only if ^[1]

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}(D_{a}f_{\lambda })=-2^{n}}$

and

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}^{2}(D_{a}f_{\lambda })=2^{2n}}$

for any 𝑎 ∈ 𝔽*_2^𝑛.

On APN Power Functions

For ${\displaystyle n}$ odd, all power APN functions and the known APN binomials are permutations. When ${\displaystyle n}$ is even, no APN function exists in a class of permutations including power permutations.

Specifically:

If a power function ${\displaystyle F(x)=x^{d}}$ over ${\displaystyle \mathbb {F} _{2^{n}}}$ is APN, then for every ${\displaystyle x\in \mathbb {F} _{2^{n}}}$ we have ${\displaystyle x^{d}=1}$ if and only if ${\displaystyle x^{3}=1}$, that is, ${\displaystyle F^{-1}(1)=\mathbb {F} _{4}\cap \mathbb {F} _{2^{n}}^{*}.}$

If ${\displaystyle n}$ is odd, then ${\displaystyle gcd(d,2^{n}-1)=1}$ and, if ${\displaystyle n}$ is even, then ${\displaystyle gcd(d,2^{n}-1)=3}$.

Consequently, APN power functions are permutations if ${\displaystyle n}$ is odd, and are three-to-one over ${\displaystyle \mathbb {F} _{2^{n}}^{*}}$ if ${\displaystyle n}$ is even.^[7]

APN Permutations and Codes

Let ${\displaystyle F:\mathbb {F} _{2^{n}}\rightarrow \mathbb {F} _{2^{n}}}$ be APN, with ${\displaystyle F(0)=0}$.

${\displaystyle F}$ is CCZ-equivalent to an APN permutation if and only if ${\displaystyle C_{F}^{\perp }}$ is a double simplex code (i.e. ${\displaystyle C_{F}^{\perp }=C_{1}\oplus C_{2}}$, where ${\displaystyle C_{1},C_{2}}$ are ${\displaystyle [2^{n}-1,n,2^{n-1}]-}$codes).

An APN Permutation of Dimension 6

In his paper ^[8], Hou conjectured that APN permutations did not exist in even dimension. He proved the following theorem that covers the case of ${\displaystyle n=4}$:

Let ${\displaystyle F\in \mathbb {F} _{2^{n}}[x]}$ be a permutation polynomial with ${\displaystyle n=2m}$. Then:

1. If ${\displaystyle n=4}$, then ${\displaystyle F}$ is not APN.

2. If ${\displaystyle F\in \mathbb {F} _{2^{m}}[x]}$, then ${\displaystyle F}$ is not APN.

The question of whether APN permutations exist in even dimension was a long-standing problem until, in 2009, Dillon presented an APN permutation (of algebraic degree ${\displaystyle n-2}$ and nonlinearity ${\displaystyle 2^{n-1}-2^{n/2}}$) in dimension 6^[4].

This function is CCZ-equivalent to the Kim function ${\displaystyle \kappa (x)=x^{3}+x^{10}+ux^{24}}$ (where ${\displaystyle u}$ is a primitive element of ${\displaystyle \mathbb {F} _{2^{6}}}$), whose associated code ${\displaystyle C_{F}^{\perp }}$ is therefore a double simplex code. It was used later in the cryptosystem Fides^[9], which has been subsequently broken due to its weaknesses in the linear component.

Dillon's function is also EA-equivalent to an involution and it is studied further in the introduction of the butterfly construction^[10]. Unfortunately, this construction does not allow obtaining APN permutations in more than six variables^[11].

The Big Open APN Problem

The question of existence of APN permutations in even dimension ${\displaystyle n\geq 8}$ remains open. There exist nonexistent results within the following classes:

1. Plateaued functions (when APN, they have bent components);

2. A class of functions including power functions;

3. Functions whose univariate representation coefficients lie in ${\displaystyle \mathbb {F} _{2^{n/2}}}$, or in ${\displaystyle \mathbb {F} _{2^{4}}}$ for ${\displaystyle n}$ divisible by 4; ^[8]

4. Functions whose univariate representation coefficients satisfy ${\displaystyle \sum _{i=0}^{(2^{n}-1)/3}a_{3i}=0}$; ^[12]

5. Functions having at least one partially-bent component^[6].