
PN functions, APN functions and difference sets - Alexander Pott



  1. PN functions, APN functions and difference sets. Alexander Pott, Otto-von-Guericke-University Magdeburg, January 28, 2015.

  2. One example ... $F(x) = x^2$ defined on $\mathbb{F}_q$ with $q$ odd: $F(x+a) - F(x) = 2xa + a^2$ is a permutation for all $a \neq 0$. Problem: Find functions $F$ such that $F(x+a) - F(x)$ are permutation polynomials for all $a \neq 0$. Not possible if $q$ even.

  3. ... one more example ... $F(x) = x^3$ defined on $\mathbb{F}_q$ with $q$ even: $F(x+a) + F(x) = x^2 a + a^2 x + a^3$ is a 2 to 1 mapping for all $a \neq 0$. Problem: Find functions $F$ such that $F(x+a) - F(x)$ are 2 to 1 mappings for all $a \neq 0$. Note: Only additive properties are needed.

  4. And now the two important definitions: A function $F : \mathbb{F}_q \to \mathbb{F}_q$ is planar or perfect nonlinear (PN) if $x \mapsto F(x+a) - F(x)$ is a permutation for all $a \neq 0$. A function $F : \mathbb{F}_q \to \mathbb{F}_q$ is almost perfect nonlinear (APN) if $x \mapsto F(x+a) - F(x)$ is 2 to 1 for all $a \neq 0$ and $q$ is even.

  5. Codes. $\begin{pmatrix} 1 \\ x \\ F(x) \end{pmatrix}_{x \in \mathbb{F}_2^n} \in \mathbb{F}_2^{(2n+1,\,2^n)}$
     - row space generates a code: weights are Walsh coefficients
     - dual code has minimum weight 6
     - $F(a) + F(x+a) + F(y+a) + F(x+y+a) \neq 0$ for all distinct $a, x, y$ (wipe out all 2-dimensional affine subspaces).

  6. Some infinite families: $q = p^n$
     - Example ($p$ odd): $x^{p^k+1}$ is planar on $\mathbb{F}_{p^n}$ if $n/\gcd(n,k)$ is odd.
     - Example ($p = 2$): $x^{2^k+1}$ is APN on $\mathbb{F}_{2^n}$ if $\gcd(n,k) = 1$.
     - Example ($p = 3$, Coulter, Matthews 1997; Ding, Yuan 2006): $x^{10} \pm x^6 - x^2$ is planar on $\mathbb{F}_{3^n}$.
     - Example ($p = 2$, Budaghyan, Carlet, Leander 2009): $x^3 + \mathrm{tr}(x^9)$ is APN on $\mathbb{F}_{2^n}$.
     - Example ($p = 2$): $x^{-1}$ is APN on $\mathbb{F}_{2^n}$ if $n$ is odd.

  7. Motivation
     - planar, perfect nonlinear: Consider $G_F := \{(x, F(x)) : x \in \mathbb{F}_q\} \subseteq \mathbb{F}_q \times \mathbb{F}_q$, the graph of $F$. The lines $G_F + (g, h)$ (translates of $G_F$) form a "residual" of a projective plane. If $F(x) = x^2$, the plane is Desarguesian.
     - almost perfect nonlinear: Functions might be useful as S-boxes in cryptography.

  8. quadratic vs. non-quadratic. $F$ is called a Dembowski-Ostrom polynomial or quadratic if $F(x+a) - F(x)$ is affine: $F(x) = \sum_{i,j} \alpha_{i,j} x^{p^i+p^j} + \sum_{j} \beta_j x^{p^j} + \gamma$. Linear and constant terms are not important for $F(x+a) - F(x)$. Until 2006, only few families of non-quadratic APN monomials were known, and only the classical quadratic monomials $x^{2^k+1}$.

  9. Banff 2006. This changed dramatically in 2006 (Edel, P., Kyureghyan; Bierbrauer; Dillon, McQuistan, Wolfe), where several new quadratic APNs were constructed. Example:
     - $x \mapsto x^3 + x^{10} + \alpha x^{24}$ on $\mathbb{F}_{2^6}$
     - more on $\mathbb{F}_{2^6}$
     - $x \mapsto x^3 + \beta x^{2^5+2^2}$ on $\mathbb{F}_{2^{10}}$
     - $x \mapsto x^3 + \gamma x^{2^9+2^4}$ on $\mathbb{F}_{2^{12}}$

     $\alpha, \beta, \gamma$ must be chosen properly.

  10. Workflow
      1. Find some examples.
      2. Conjecture a family.
      3. Prove conjecture.
      4. Show inequivalence.

  11. The "trans-characteristic" construction. There are now quite a few infinite families of APN functions and of planar functions, sometimes with similar proofs in even and odd characteristic. A very interesting example: $x^{2^s+1} + \alpha x^{2^k+2^{2k+s}}$ is APN on $\mathbb{F}_{2^{3n}}$ (Budaghyan, Carlet, Leander 2008) and $x^{p^s+1} + \beta x^{p^k+2^{2k+s}}$ is planar on $\mathbb{F}_{p^{3n}}$ (Zha, Kyureghyan, Wang 2009). $\alpha, \beta$ must be chosen properly.

  12. An important result by Menichetti 1977. Theorem: A planar function on $\mathbb{F}_{p^n}$ with $n$ prime is equivalent to $x^{p^i+1}$ if $p$ is sufficiently large. The result by Zha, Kyureghyan, Wang shows that this cannot be true for composite (odd!) numbers. If $n$ is even, it seems easier to find APN/PN functions, sometimes using bivariate methods $\mathbb{F}_{q^2} = \mathbb{F}_q^2$ (APN: Carlet 2011; P. Zhou 2013).

  13. My favorite problem. Finding new examples of quadratic planar or APN functions seems to be less interesting now. Problem: Show that
      - there is no polynomial $f_p$ such that the number of (quadratic) planar or APN functions on $\mathbb{F}_p^n$ is smaller than $f_p(n)$ for all $n$.
      - Show that the number of APN functions grows quickly in $n$ (no Menichetti bound).

  14. PN/semifields (from Lavrauw, Polverino)

  15. non-monomial APN (from Göloğlu)

      | # | Polynomial | Conditions | Proved in |
      |---|---|---|---|
      | B.1 | $X^{2^s+1} + A^{2^t-1} X^{2^{it}+2^{rt+s}}$ | $n = 3t$, $\gcd(t,3) = \gcd(s,3t) = 1$, $t \geq 3$, $i \equiv st \pmod 3$, $r = 3 - i$, $A \in \mathbb{F}$ is primitive | [13] |
      | B.2 | $X^{2^s+1} + A^{2^t-1} X^{2^{it}+2^{rt+s}}$ | $n = 4t$, $\gcd(t,2) = \gcd(s,2t) = 1$, $t \geq 3$, $i \equiv st \pmod 4$, $r = 4 - i$, $A \in \mathbb{F}$ is primitive | [14] |
      | B.3 | $AX^{2^s+1} + A^{2^m} X^{2^{m+s}+2^m} + BX^{2^m+1} + \sum_{i=1}^{m-1} c_i X^{2^{m+i}+2^i}$ | $n = 2m$, $m$ odd, $c_i \in \mathbb{F}_{2^m}$, $\gcd(s,m) = 1$, $s$ is odd, $A, B \in \mathbb{F}$ primitive | [6] |
      | B.4 | $AX^{2^{n-t}+2^{t+s}} + A^{2^t} X^{2^s+1} + bX^{2^{t+s}+2^s}$ | $n = 3t$, $\gcd(s,3t) = 1$, $\gcd(3,t) = 1$, $3 \mid (t+s)$, $A \in \mathbb{F}$ primitive, $b \in \mathbb{F}_{2^t}$ | [6] |
      | B.5 | $A^{2^t} X^{2^{n-t}+2^{t+s}} + AX^{2^s+1} + bX^{2^{n-t}+1}$ | $n = 3t$, $\gcd(s,3t) = \gcd(3,t) = 1$, $3 \mid (t+s)$, $A \in \mathbb{F}$ primitive, $b \in \mathbb{F}_{2^t}$ | [7] |
      | B.6 | $A^{2^t} X^{2^{n-t}+2^{t+s}} + AX^{2^s+1} + bX^{2^{n-t}+1} + cA^{2^t+1} X^{2^{t+s}+2^s}$ | $n = 3t$, $\gcd(s,3t) = \gcd(3,t) = 1$, $3 \mid (t+s)$, $A \in \mathbb{F}$ primitive, $b, c \in \mathbb{F}_{2^t}$, $bc \neq 1$ | [7] |
      | B.7 | $X^{2^{2k}+2^k} + BX^{q+1} + CX^{q(2^{2k}+2^k)}$ | $n = 2m$, $m$ odd, $C$ is a $(q-1)$st power but not a $(q-1)(2^i+1)$st power, $CB^q + B \neq 0$ | [12] |
      | B.8 | $X(X^{2^k} + X^q + CX^{2^k q}) + X^{2^k}(C^q X^q + AX^{2^k q}) + X^{(2^k+1)q}$ | $n = 2m$, $\gcd(n,k) = 1$, $C$ satisfies Theorem 11, $A \in \mathbb{F} \setminus \mathbb{F}_{2^m}$ | [12] |
      | B.9 | $X^3 + \mathrm{tr}_1^n(X^9)$ | | [15] |
      | B.10 | $X^{2^k+1} + \mathrm{tr}_m^n(X)^{2^k+1}$ | $n = 2m = 4t$, $\gcd(n,k) = 1$ | here |
      | B.11 | Bivariate construction, Theorem 1 of [17] | $n = 2m$ | [17] |
      | B.12 | Bivariate construction, Theorem 9 of [40] | $n = 4m$ | [40] |

      Table 2: Known infinite families of APN multinomials on $\mathbb{F}_{2^n}$

      If $xg = yh$ then $\mathrm{Tr}(xg) = \mathrm{Tr}(yh) = 0$ implies $g = h = 1$ and therefore $x = y$. If $\mathrm{Tr}(xg) = \mathrm{Tr}(yh) \neq 0$, then $\mathrm{Tr}(xg) = \mathrm{Tr}(yh) = x = y$ and therefore $h = g$. There is another decomposition of $\mathbb{F}^*$ which is well-known and usually called the polar-coordinate decomposition. Any $X \in \mathbb{F}^*$ can be written as $X = xu$ where $x \in K^*$ and $u \in P_{q-1}$. If $xu = yv$ then $(xu)^{q-1} = (yv)^{q-1}$ means $u^2 = v^2$ and therefore $x = y$. For $g \in T_1$, we have $g^q = g + 1$. For any fixed $g \in T_1$, we can write any $h \in T_1$ as $h = g + a$ for a unique $a \in K$. Similarly, for any fixed $g \in T_1$, any $X \in \mathbb{F}$ can be written as $X = ag + b$ where $a, b \in K$.

  16. Construction method: Switching or Projection. Theorem (Budaghyan, Carlet, Leander 2009): $x^3 + \mathrm{tr}(x^9)$ is APN. Theorem (Göloğlu 2015): $x^{2^k+1} + [\mathrm{tr}_m^n(x)]^{2^k+1}$ is APN on $\mathbb{F}_{2^{2m}}$ if $\gcd(k, 2m) = 1$ and $m$ is even.

  17. The BIG open problem. Browning, Dillon, McQuistan, Wolfe 2010 found an APN permutation in $\mathbb{F}_{2^6}$. They used the APN $x \mapsto x^3 + x^{10} + \alpha x^{24}$, $\alpha$ primitive. Problem: Are there other examples of APN permutations in $\mathbb{F}_{2^n}$ if $n$ is even? It is easy to find APN permutations if $n$ is odd.

  18. Yu, Wang, Li 2013/2014. Quadratic APN function gives rise to a vector space of symmetric matrices $T_\alpha$ with 0-diagonal corresponding to bilinear forms $(x, y) \mapsto \mathrm{tr}(\alpha \cdot (F(x+y) + F(x) + F(y) + F(0)))$. Change some positions of these matrices carefully. Yu, Wang, Li constructed many new quadratic APN functions for $n = 7, 8$. Note: In the planar case, these matrices have full rank (symplectic semifield). In the APN case, different ranks may occur if $n$ is even. Edel 2010 gave conditions when such vector spaces correspond to APN functions. Applicable to planar functions?

  19. Semifields. Semifields on $\mathbb{F}_p^n$ are $n$-dimensional vector spaces of invertible matrices containing $I_n$. If $p$ is odd, sometimes all symmetric. Then they can be described by planar functions. If $p = 2$, symmetric is not possible (no planar functions).

  20. Walsh spectrum. The ranks of the symmetric $T_\alpha : (x, y) \mapsto \mathrm{tr}(\alpha \cdot (F(x+y) + F(x) + F(y) + F(0)))$ determine the Walsh spectrum of $F$. Which rank distributions are possible? More generally (including non-quadratic case): Determine $\sum_{x,y} (-1)^{\mathrm{tr}(\alpha x + \beta F(x))} : \alpha, \beta \in \mathbb{F}_{2^n}, \beta \neq 0$. Result:
      - $F$ quadratic APN and $n$ odd: Walsh spectrum is known (almost bent functions). Not known for non-quadratic APN.
      - $n$ even: Walsh spectrum is not known, even for quadratic APN (mostly 5-valued).

      If $n$ is even, only one APN is known with $n$ even and not 5-valued spectrum: Ranks of $T_\alpha$ are 2, 4 and 6.

  21. Composing two functions. Theorem (Weng, Zeng 2010): If $\pi : \mathbb{F}_q \to \mathbb{F}_q$ is injective on squares and $\pi(0) = 0$, then $F(x) = \pi(x^2)$ is planar provided that it is Dembowski-Ostrom (quadratic). Proof. $x^2$ is planar, $\pi((x+a)^2) - \pi(x^2) = 0$ has at most one solution, which is sufficient since $\pi(x^2)$ is quadratic (which means $\pi((x+a)^2) - \pi(x^2)$ is affine). Example (Coulter, Matthews 1997, Ding, Yuan 2006): $x^5 \pm x^3 - x$ is a permutation on $\mathbb{F}_{3^n}$ if $n = 2$ or $n$ odd. Hence $x^{10} \pm x^6 - x^2$ is planar (Polhill, Chen 2011).

  22. The APN analogue, 2014. Theorem (Carlet, Gong, Tan): If $\pi : \mathbb{F}_q \to \mathbb{F}_q$ is injective on cubes and $\pi(0) = 0$, then $F(x) = \pi(x^3)$ is APN provided that it is Dembowski-Ostrom (quadratic). Example: $x + \mathrm{tr}(x^3)$ is a permutation on $\mathbb{F}_{2^n}$ if $n$ is even. Hence $x^3 + \mathrm{tr}(x^9)$ is APN.
