Characterization of Permutations

Component Functions

An ${\displaystyle (n,n)}$-function ${\displaystyle F}$ is a permutation if and only if all of its components Failed to parse (syntax error): {\displaystyle f_λ} for ${\displaystyle \lambda \in \mathbb {F} _{2^{n}}^{*}}$ are balanced.

Autocorrelation Functions of the Directional Derivatives

For any boolean function ${\displaystyle f}$, we denote by ${\displaystyle {\mathcal {F}}(f)}$ the following value related to the Fourier (or Walsh) transform of ${\displaystyle f}$:

${\displaystyle {\mathcal {F}}(f)=\sum _{x\in \mathbb {F} _{2^{n}}}(-1)^{f(x)}=2^{n}-2wt(f).}$

The characterization in terms of the component functions given above can be equivalently expressed as

${\displaystyle \sum _{a\in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}(D_{a}f_{\lambda })=-2^{n}}$

for any Failed to parse (syntax error): {\displaystyle λ\in\mathbb{F}^*_{2^n}} .

Equivalently ^[1], ${\displaystyle F}$ is a permutation if and only if

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}(D_{a}f_{\lambda })=-2^{n}}$

for any ${\displaystyle a\in \mathbb {F} _{2^{n}}^{*}}$.

Characterization of APN Permutations

Up to CCZ-equivalence, all of the APN permutations known so far belong to a few families, namely:^[2]

1. APN monomial functions in odd dimension.

2. One infinite family of quadratic polynomials in dimension ${\displaystyle 3n}$, with ${\displaystyle n}$ odd and ${\displaystyle gcd(n,3)=1}$.^[3]

3. Dillon's permutation in dimension 6.^[4]

4. Two sporadic quadratic APN permutations in dimension 9.^[5]

On the component functions

Clearly we have that no component function can be of degree 1. (This result is true for general APN maps)

For ${\displaystyle n}$ even we have also that no component can be partially-bent^[6]. This implies that, in even dimension, no component can be of degree 2.

Autocorrelation Functions of the Directional Derivatives

An ${\displaystyle (n,n)}$-function ${\displaystyle F}$ is an APN permutation if and only if ^[1]

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}(D_{a}f_{\lambda })=-2^{n}}$

and

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}^{2}(D_{a}f_{\lambda })=2^{2n}}$

for any ${\displaystyle a\in \mathbb {F} _{2^{n}}^{*}}$.

On APN Power Functions

For ${\displaystyle n}$ odd, all power APN functions and the known APN binomials are permutations. When ${\displaystyle n}$ is even, no APN function exists in a class of permutations including power permutations.

Specifically:

If a power function ${\displaystyle F(x)=x^{d}}$ over ${\displaystyle \mathbb {F} _{2^{n}}}$ is APN, then for every ${\displaystyle x\in \mathbb {F} _{2^{n}}}$ we have ${\displaystyle x^{d}=1}$ if and only if ${\displaystyle x^{3}=1}$, that is, ${\displaystyle F^{-1}(1)=\mathbb {F} _{4}\cap \mathbb {F} _{2^{n}}^{*}.}$

If ${\displaystyle n}$ is odd, then ${\displaystyle gcd(d,2^{n}-1)=1}$ and, if ${\displaystyle n}$ is even, then ${\displaystyle gcd(d,2^{n}-1)=3}$.

Consequently, APN power functions are permutations if ${\displaystyle n}$ is odd, and are three-to-one over ${\displaystyle \mathbb {F} _{2^{n}}^{*}}$ if ${\displaystyle n}$ is even.^[7]

APN Permutations and Codes

Any linear subspace ${\displaystyle C}$ of ${\displaystyle \mathbb {F} _{2}^{n}}$ of dimension ${\displaystyle k}$ is called a binary linear code of length ${\displaystyle n}$ and dimension ${\displaystyle k}$ and is denoted by ${\displaystyle [n,k,d]}$, where ${\displaystyle d}$ is the minimum Hamming distance of ${\displaystyle C}$.

Any linear ${\displaystyle [n,k,d]-}$code ${\displaystyle C}$ is associated with its dual ${\displaystyle [n,n-k,d^{\perp }]-}$code, denoted by ${\displaystyle C^{\perp }}$ and defined as ${\displaystyle C^{\perp }=\{x\in \mathbb {F} _{2}^{n}\;|\;c\cdot x=0,\;\forall c\in C\}.}$

Let ${\displaystyle {\mathcal {H}}}$ be a binary ${\displaystyle (r\times n)}$ matrix. We say that a linear binary code ${\displaystyle C}$ of length ${\displaystyle n}$ is defined by the parity check matrix ${\displaystyle {\mathcal {H}}}$ if ${\displaystyle C=\{c\in \mathbb {F} _{2}^{n}\;|\;c{\mathcal {H}}^{t}=0\},}$ where ${\displaystyle {\mathcal {H}}^{t}}$ is the transposed matrix of ${\displaystyle {\mathcal {H}}}$.

APN (and AB) properties were expressed in terms of codes in ^[8]. In particular, we mention the following result:

Theorem. Let ${\displaystyle F}$ be a function on ${\displaystyle \mathbb {F} _{2^{m}}}$ such that ${\displaystyle F(0)=0}$ and let ${\displaystyle C_{F}}$ be the Failed to parse (syntax error): {\displaystyle [2^m − 1,k,d]-} code defined by the parity check matrix

${\displaystyle {\mathcal {H}}_{F}={\begin{pmatrix}1&\alpha &\alpha ^{2}&\cdots &\alpha ^{2^{m}-2}\\F(1)&F(\alpha )&F(\alpha ^{2})&\cdots &F(\alpha ^{2^{m}-2})\end{pmatrix}}}$

where each entry is viewed as a binary vector and ${\displaystyle \alpha }$ is the primitive element of ${\displaystyle \mathbb {F} _{2^{m}}.}$ Then:

1. The code ${\displaystyle C_{F}}$ is such that ${\displaystyle 3\leq d\leq 5}$.

2. ${\displaystyle F}$ is APN if and only if ${\displaystyle d=5}$.

3. ${\displaystyle F}$ is AB if and only if the weight of every codeword in ${\displaystyle C_{F}^{\perp }}$ lies in ${\displaystyle \{0,2^{m-1},2^{m-1}\pm 2^{m-1/2}\}}$.

A binary linear ${\displaystyle [2^{k}-1,k,2^{k-1}]-}$code ${\displaystyle C}$ in ${\displaystyle \mathbb {F} _{2}^{n}}$ is called simplex. Simplex codes constitute a family of linear error-correcting or error-detecting block codes, easily implemented as polynomial codes (i.e. codes whose encoding and decoding algorithms may be conveniently expressed in terms of polynomials over a base field).

A ${\displaystyle 2k-}$dimensional code ${\displaystyle C}$ is called a double simplex code if it can be written as a direct sum of two simplex ${\displaystyle [2^{k}-1,k,2^{k-1}]-}$codes. The following result provides a connection between APN permutations and double simplex codes:

Theorem.^[9] Let ${\displaystyle F:\mathbb {F} _{2^{n}}\rightarrow \mathbb {F} _{2^{n}}}$ be APN, with ${\displaystyle F(0)=0}$.

${\displaystyle F}$ is CCZ-equivalent to an APN permutation if and only if ${\displaystyle C_{F}^{\perp }}$ is a double simplex code, i.e. ${\displaystyle C_{F}^{\perp }=C_{1}\oplus C_{2}}$, where ${\displaystyle C_{1},C_{2}}$ are simplex ${\displaystyle [2^{n}-1,n,2^{n-1}]-}$codes.

An APN Permutation in Dimension 6

In his paper ^[10], Hou conjectured that APN permutations did not exist in even dimension. He proved the following theorem that covers the case of ${\displaystyle n=4}$:

Let ${\displaystyle F\in \mathbb {F} _{2^{n}}[x]}$ be a permutation polynomial with ${\displaystyle n=2m}$. Then:

1. If ${\displaystyle n=4}$, then ${\displaystyle F}$ is not APN.

2. If ${\displaystyle F\in \mathbb {F} _{2^{m}}[x]}$, then ${\displaystyle F}$ is not APN.

The question of whether APN permutations exist in even dimension was a long-standing problem until, in 2009, Dillon presented an APN permutation (of algebraic degree ${\displaystyle n-2}$ and nonlinearity ${\displaystyle 2^{n-1}-2^{n/2}}$) in dimension 6.

This function is CCZ-equivalent to the Kim function ${\displaystyle \kappa (x)=x^{3}+x^{10}+ux^{24}}$ (where ${\displaystyle u}$ is a primitive element of ${\displaystyle \mathbb {F} _{2^{6}}}$) and it is given by the polynomial

${\displaystyle g(x)=w^{45}x^{60}+w^{41}x^{58}+w^{43}x^{57}+w^{4}x^{56}+w^{50}x^{54}+w^{20}x^{53}+w^{45}x^{52}+w^{20}x^{51}+w^{23}x^{50}+w^{36}x^{49}+w^{56}x^{48}+w^{21}x^{46}+w^{5}x^{45}+w^{21}x^{44}}$

${\displaystyle +w^{28}x^{43}+w^{3}x^{42}+w^{59}x^{41}+w^{58}x^{40}+w^{57}x^{39}+w^{53}x^{38}+w^{37}x^{37}+w^{40}x^{36}+w^{18}x^{35}+w^{41}x^{34}+w^{54}x^{33}+w^{3}x^{32}+w^{49}x^{30}+w^{41}x^{29}}$

${\displaystyle +w^{42}x^{28}+w^{50}x^{27}+w^{53}x^{26}+w^{58}x^{25}+w^{9}x^{24}+x^{23}+w^{28}x^{22}+w^{3}x^{21}+w^{21}x^{20}+w^{52}x^{19}+w^{60}x^{17}+w^{59}x^{16}+w^{10}x^{15}+w^{42}x^{13}}$

${\displaystyle +w^{8}x^{12}+w^{35}x^{11}+w^{44}x^{10}+w^{45}x^{8}+w^{8}x^{7}+w^{61}x^{6}+w^{59}x^{5}+w^{20}x^{4}+w^{12}x^{3}+w^{37}x^{2}+w^{2}x}$

where ${\displaystyle w=u^{-2}}$.^[4]

It was used later in the cryptosystem Fides^[11], which has been subsequently broken due to its weaknesses in the linear component.

Dillon's function is also EA-equivalent to an involution and it is studied further in the introduction of the butterfly construction^[12]. Unfortunately, this construction does not allow obtaining APN permutations in more than six variables^[13].

The Big Open APN Problem

The question of existence of APN permutations in even dimension ${\displaystyle n\geq 8}$ remains open. There exist nonexistent results within the following classes:

1. Plateaued functions (when APN, they have bent components);

2. A class of functions including power functions;

3. Functions whose univariate representation coefficients lie in ${\displaystyle \mathbb {F} _{2^{n/2}}}$, or in ${\displaystyle \mathbb {F} _{2^{4}}}$ for ${\displaystyle n}$ divisible by 4; ^[10]

4. Functions whose univariate representation coefficients satisfy ${\displaystyle \sum _{i=0}^{(2^{n}-1)/3}a_{3i}=0}$; ^[14]

5. Functions having at least one partially-bent component^[6].

References