APN Permutations

From Boolean
Jump to navigation Jump to search

Characterization of Permutations

Component Functions

An (𝑛,𝑛)-function 𝐹 is a permutation if and only if all of its components 𝐹λ for Ξ» ∈ 𝔽*2𝑛 are balanced.

Autocorrelation Functions of the Directional Derivatives

The characterization in terms of the component functions given above can be equivalently expressed as

[math]\displaystyle{ \sum_{a \in \mathbb{F}_{2^n}^*} \mathcal{F}(D_af_\lambda) = -2^n }[/math]

for any Ξ» ∈ 𝔽*2𝑛.

Equivalently [1], 𝐹 is a permutation if and only if

[math]\displaystyle{ \sum_{\lambda \in \mathbb{F}_{2^n}^*} \mathcal{F}(D_af_\lambda) = -2^n }[/math]

for any Ξ» ∈ 𝔽*2𝑛.

Characterization of APN Permutations

[2] Up to CCZ-equivalence, all of the APN permutations known so far belong to a few families, namely:

1. APN monomial functions in odd dimension.

2. One infinite family of quadratic polynomials in dimension [math]\displaystyle{ 3n }[/math], with [math]\displaystyle{ n }[/math] odd and [math]\displaystyle{ gcd(n,3)=1 }[/math].[3]

3. Dillon's permutation in dimension 6.[4]

4. Two sporadic quadratic APN permutations in dimension 9.[5]

On the component functions

Clearly we have that no component function can be of degree 1. (This result is true for general APN maps)

For 𝑛 even we have also that no component can be partially-bent[6]. This implies that, in even dimension, no component can be of degree 2.

Autocorrelation Functions of the Directional Derivatives

An (𝑛,𝑛)-function 𝐹 is an APN permutation if and only if [1]

[math]\displaystyle{ \sum_{\lambda \in \mathbb{F}_{2^n}^*} \mathcal{F}(D_af_\lambda) = -2^n }[/math]

and

[math]\displaystyle{ \sum_{\lambda \in \mathbb{F}_{2^n}^*} \mathcal{F}^2(D_af_\lambda) = 2^{2n} }[/math]

for any π‘Ž ∈ 𝔽*2𝑛.

On APN Power Functions

For [math]\displaystyle{ n }[/math] odd, all power APN functions and the known APN binomials are permutations. When [math]\displaystyle{ n }[/math] is even, no APN function exists in a class of permutations including power permutations.

Specifically:

If a power function [math]\displaystyle{ F(x)=x^d }[/math] over [math]\displaystyle{ \mathbb{F}_{2^n} }[/math] is APN, then for every [math]\displaystyle{ x\in \mathbb{F}_{2^n} }[/math] we have [math]\displaystyle{ x^d=1 }[/math] if and only if [math]\displaystyle{ x^3=1 }[/math], that is, [math]\displaystyle{ F^{-1}(1)=\mathbb{F}_4\cap\mathbb{F}_{2^n}^*. }[/math]

If [math]\displaystyle{ n }[/math] is odd, then [math]\displaystyle{ gcd(d,2^n-1)=1 }[/math] and, if [math]\displaystyle{ n }[/math] is even, then [math]\displaystyle{ gcd(d,2^n-1)=3 }[/math].

Consequently, APN power functions are permutations if [math]\displaystyle{ n }[/math] is odd, and are three-to-one over [math]\displaystyle{ \mathbb{F}_{2^n}^* }[/math] if [math]\displaystyle{ n }[/math] is even.[7]

APN Permutations and Codes

Let [math]\displaystyle{ F:\mathbb{F}_{2^n}\rightarrow\mathbb{F}_{2^n} }[/math] be APN, with [math]\displaystyle{ F(0)=0 }[/math].

[math]\displaystyle{ F }[/math] is CCZ-equivalent to an APN permutation if and only if [math]\displaystyle{ C_F^{\perp} }[/math] is a double simplex code (i.e. [math]\displaystyle{ C_F^{\perp}=C_1\oplus C_2 }[/math], where [math]\displaystyle{ C_1, C_2 }[/math] are [math]\displaystyle{ [2^n-1,n,2^{n-1}]- }[/math]codes).

An APN Permutation of Dimension 6

In his paper [8], Hou conjectured that APN permutations did not exist in even dimension. He proved the following theorem that covers the case of [math]\displaystyle{ n=4 }[/math]:

Let [math]\displaystyle{ F\in\mathbb{F}_{2^n}[x] }[/math] be a permutation polynomial with [math]\displaystyle{ n=2m }[/math]. Then:

1. If [math]\displaystyle{ n=4 }[/math], then [math]\displaystyle{ F }[/math] is not APN.

2. If [math]\displaystyle{ F\in\mathbb{F}_{2^m}[x] }[/math], then [math]\displaystyle{ F }[/math] is not APN.

The question of whether APN permutations exist in even dimension was a long-standing problem until, in 2009, Dillon presented an APN permutation (of algebraic degree [math]\displaystyle{ n-2 }[/math] and nonlinearity [math]\displaystyle{ 2^{n-1}-2^{n/2} }[/math]) in dimension 6[4].

This function is CCZ-equivalent to the Kim function [math]\displaystyle{ \kappa(x)=x^3+x^{10}+ux^{24} }[/math] (where [math]\displaystyle{ u }[/math] is a primitive element of [math]\displaystyle{ \mathbb{F}_{2^6} }[/math]), whose associated code [math]\displaystyle{ C^{\perp}_F }[/math] is therefore a double simplex code. It was used later in the cryptosystem Fides[9], which has been subsequently broken due to its weaknesses in the linear component.

Dillon's function is also EA-equivalent to an involution and it is studied further in the introduction of the butterfly construction[10]. Unfortunately, this construction does not allow obtaining APN permutations in more than six variables[11].

The Big Open APN Problem

The question of existence of APN permutations in even dimension [math]\displaystyle{ n\geq 8 }[/math] remains open. There exist nonexistent results within the following classes:

1. Plateaued functions (when APN, they have bent components);

2. A class of functions including power functions;

3. Functions whose univariate representation coefficients lie in [math]\displaystyle{ \mathbb{F}_{2^{n/2}} }[/math], or in [math]\displaystyle{ \mathbb{F}_{2^4} }[/math] for [math]\displaystyle{ n }[/math] divisible by 4; [8]

4. Functions whose univariate representation coefficients satisfy [math]\displaystyle{ \sum_{i=0}^{(2^n-1)/3}a_{3i}=0 }[/math]; [12]

5. Functions having at least one partially-bent component[6].

  1. ↑ 1.0 1.1 Thierry Berger, Anne Canteaut, Pascale Charpin, Yann Laigle-Chapuy, On Almost Perfect Nonlinear Functions Over GF(2^n), IEEE Transactions on Information Theory, 2006 Sep,52(9),4160-70
  2. ↑ Bartoli, D., Timpanella, M. On a conjecture on APN permutations. Cryptogr. Commun. 14, 925–931 (2022)
  3. ↑ Budaghyan, L., Carlet, C., Leander, G.: Two classes of quadratic APN binomials inequivalent to power functions. IEEE Trans. Inf. Theory 54(9), 4218–4229 (2008)
  4. ↑ 4.0 4.1 Browning, K., Dillon, J.F., McQuistan, M., Wolfe, A.J.: An APN permutation in dimension six. In: Post-proceedings of the 9-th International conference on Finite Fields and their applications, American Mathematical Society, vol. 518, pp. 33–42 (2010)
  5. ↑ Beierle, C., Leander, G.: New instances of quadratic APN functions, arXiv:2009.07204 (2020)
  6. ↑ 6.0 6.1 Marco Calderini, Massimiliano Sala, Irene Villa, A note on APN permutations in even dimension, Finite Fields and Their Applications, vol. 46, 1-16, 2017
  7. ↑ H. Dobbertin. Private Communication, 1998.
  8. ↑ 8.0 8.1 X.-D. Hou. Affinity of Permutations of [math]\displaystyle{ \mathbb{F}_2^n }[/math]. Proceedings of Workshop on Coding and Cryptography WCC 2003, pp. 273-280, 2003. Completed version in Discrete Applied Mathematics 154 (2), pp. 313-325, 2006.
  9. ↑ B. Bilgin, A. Bogdanov, M. Knezevic, F. Mendel and Q. Wang. Fides: lightweight authenticated cipher with side-channel resistance for constrained hardware. Proceedings of International Workshop Cryptographic Hardware and Embedded Systems CHES 2013, Lecture Notes in Computer Science 8086, pp. 142-158, 2013.
  10. ↑ L. Perrin, A. Udovenko, A. Biryukov. Cryptanalysis of a theorem: decomposing the only known solution to the big APN problem. Proceedings of CRYPTO 2016, Lecture Notes in Computer Science 9815, part II, pp. 93-122, 2016.
  11. ↑ L. Perrin, A. Canteaut, S. Tian. If a generalized butterfly is APN then it operates on 6 bits. Special Issue on Boolean Functions and Their Applications 2018, Cryptography and Communications 11 (6), pp. 1147-1164, 2019.
  12. ↑ A. Canteaut. Differential cryptanalysis of Feistel ciphers and differentially uniform mappings. Proceedings of Selected Areas on Cryptography, SAC 1997, pp. 172-184, 1997.
Retrieved from "http://boolean.wiki.uib.no/index.php?title=APN_Permutations&oldid=637"