PN functions, APN functions and difference sets. Alexander Pott (PowerPoint PPT Presentation)


SLIDE 1

PN functions, APN functions and difference sets

Alexander Pott

Otto-von-Guericke-University Magdeburg

January 28, 2015

SLIDE 2

One example ...

F(x) = x^2 defined on F_q with q odd: F(x + a) − F(x) = 2xa + a^2 is a permutation for all a ≠ 0.

Problem

Find functions F such that F(x + a) − F(x) is a permutation polynomial for all a ≠ 0. Not possible if q is even.

SLIDE 3

... one more example ...

F(x) = x^3 defined on F_q with q even: F(x + a) + F(x) = x^2 a + a^2 x + a^3 is a 2-to-1 mapping for all a ≠ 0.

Problem

Find functions F such that F(x + a) − F(x) is a 2-to-1 mapping for all a ≠ 0. Note: only additive properties are needed.

SLIDE 4

And now the two important definitions:

A function F : F_q → F_q is planar or perfect nonlinear (PN) if x → F(x + a) − F(x) is a permutation for all a ≠ 0.
A function F : F_q → F_q is almost perfect nonlinear (APN) if x → F(x + a) − F(x) is 2-to-1 for all a ≠ 0 and q is even.

SLIDE 5

Codes

Take the (2n+1) × 2^n matrix over F_2 whose columns are (1, x, F(x))^T for x ∈ F_2^n:

  [  1    ...   1   ]
  [  x    ...       ]   ∈ F_2^{(2n+1) × 2^n}
  [ F(x)  ...       ]

Its row space generates a code: the weights are Walsh coefficients. The dual code has minimum weight 6 precisely when F(a) + F(x + a) + F(y + a) + F(x + y + a) ≠ 0 for all distinct a, x, y (wipe out all 2-dimensional affine subspaces).

SLIDE 6

Some infinite families: q = p^n

Example (p odd)

x^{p^k+1} is planar on F_{p^n} if n/gcd(n, k) is odd.

Example (p = 2)

x^{2^k+1} is APN on F_{2^n} if gcd(n, k) = 1.

Example (p = 3, Coulter, Matthews 1997; Ding, Yuan 2006)

x^10 ± x^6 − x^2 is planar on F_{3^n}.

Example (p = 2, Budaghyan, Carlet, Leander 2009)

x^3 + tr(x^9) is APN on F_{2^n}.

Example (p = 2)

x^{−1} is APN on F_{2^n} if n is odd.
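The definitions of slide 4, the coding-theoretic criterion of slide 5 and the families of slide 6 can all be checked by brute force on small fields. The following is an added example, not code from the slides: it implements GF(2^n) arithmetic, computes the differential uniformity max_{a ≠ 0, b} #{x : F(x + a) − F(x) = b} (1 means PN, 2 means APN), and also runs the "2-dimensional affine subspace" test. The modulus polynomials, the class and function names and the sample functions (Gold x^{2^k+1}, the inverse function, x^3 + tr(x^9), and x^2 over F_7 for the planar case) are this example's own choices.

```python
# Added example (not from the slides): brute-force differential uniformity over
# GF(2^n) and over a prime field F_p, giving the PN/APN classification, plus the
# 2-dimensional-affine-subspace test.  Modulus polynomials, names and sample
# functions are this example's own choices.


class GF2n:
    """GF(2^n): elements are ints 0..2^n-1 (bit i = coefficient of g^i),
    reduced modulo the defining polynomial `poly` (leading bit included)."""

    def __init__(self, n, poly):
        self.n, self.poly = n, poly
        self.elements = range(1 << n)

    @staticmethod
    def add(a, b):
        return a ^ b          # characteristic 2: addition = subtraction = XOR

    sub = add

    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if (a >> self.n) & 1:
                a ^= self.poly    # reduce when the degree reaches n
        return r

    def pow(self, a, e):
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a = self.mul(a, a)
            e >>= 1
        return r

    def tr(self, x):
        """Absolute trace GF(2^n) -> GF(2): x + x^2 + ... + x^(2^(n-1))."""
        t = 0
        for _ in range(self.n):
            t ^= x
            x = self.mul(x, x)
        return t


class Fp:
    """Prime field F_p, p odd, for the planar (PN) case."""

    def __init__(self, p):
        self.p = p
        self.elements = range(p)

    def add(self, a, b):
        return (a + b) % self.p

    def sub(self, a, b):
        return (a - b) % self.p


def differential_uniformity(field, F):
    """max over a != 0 and b of #{x : F(x + a) - F(x) = b}: 1 = PN, 2 = APN."""
    tab = [F(x) for x in field.elements]      # evaluate F once
    delta = 0
    for a in field.elements:
        if a == 0:
            continue
        counts = {}
        for x in field.elements:
            b = field.sub(tab[field.add(x, a)], tab[x])
            counts[b] = counts.get(b, 0) + 1
        delta = max(delta, max(counts.values()))
    return delta


def classify(field, F):
    d = differential_uniformity(field, F)
    return {1: "PN", 2: "APN"}.get(d, "neither (delta=%d)" % d)


def apn_by_affine_planes(field, F):
    """Slide-5 criterion (q even): F(a)+F(x+a)+F(y+a)+F(x+y+a) != 0 for every
    2-dimensional affine subspace {a, x+a, y+a, x+y+a} (x, y, x+y != 0)."""
    tab = [F(x) for x in field.elements]
    for a in field.elements:
        for x in field.elements:
            for y in field.elements:
                if x == 0 or y == 0 or x == y:
                    continue
                if tab[a] ^ tab[a ^ x] ^ tab[a ^ y] ^ tab[a ^ x ^ y] == 0:
                    return False
    return True


# Constructed sample fields (standard irreducible polynomials) and functions.
F16 = GF2n(4, 0b10011)     # x^4 + x + 1
F32 = GF2n(5, 0b100101)    # x^5 + x^2 + 1
F64 = GF2n(6, 0b1000011)   # x^6 + x + 1


def gold(K, k): return lambda x: K.pow(x, (1 << k) + 1)         # x^(2^k + 1)
def inverse(K): return lambda x: K.pow(x, (1 << K.n) - 2)       # x^(-1), 0 -> 0
def bcl(K): return lambda x: K.pow(x, 3) ^ K.tr(K.pow(x, 9))    # x^3 + tr(x^9)
```

Running `classify` on these inputs reproduces the slide: x^3 on GF(2^6) and x^{−1} on GF(2^5) are APN, x^3 + tr(x^9) on GF(2^6) is APN, x^2 on F_7 is PN, while x^5 = x^{2^2+1} on GF(2^4) (gcd(2, 4) = 2) and x^{−1} on GF(2^6) (n even) have differential uniformity 4. `apn_by_affine_planes` agrees with `differential_uniformity` == 2 in every case, which is the slide-5 equivalence.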

SLIDE 7

Motivation

planar, perfect nonlinear: consider G_F := {(x, F(x)) : x ∈ F_q} ⊆ F_q × F_q, the graph of F. The lines G_F + (g, h) (translates of G_F) form a “residual” of a projective plane. If F(x) = x^2, the plane is Desarguesian.
almost perfect nonlinear: such functions might be useful as S-boxes in cryptography.

SLIDE 8

quadratic vs. non-quadratic

F is called a Dembowski-Ostrom polynomial, or quadratic, if F(x + a) − F(x) is affine:

  F(x) = Σ_{i,j} α_{i,j} x^{p^i + p^j} + Σ_j β_j x^{p^j} + γ.

Linear and constant terms are not important for F(x + a) − F(x). Until 2006, only few families of non-quadratic APN monomials were known, and only the classical quadratic monomials x^{2^k+1}.

SLIDE 9

Banff 2006

This changed dramatically in 2006 (Edel, P., Kyureghyan; Bierbrauer; Dillon, McQuistan, Wolfe), when several new quadratic APN functions were constructed:

Example

◮ x → x^3 + x^10 + αx^24 on F_{2^6}
◮ more on F_{2^6}
◮ x → x^3 + βx^{2^5+2^2} on F_{2^10}
◮ x → x^3 + γx^{2^9+2^4} on F_{2^12}

α, β, γ must be chosen properly.

SLIDE 10

Workflow

1. Find some examples.
2. Conjecture a family.
3. Prove the conjecture.
4. Show inequivalence.

SLIDE 11

The “trans-characteristic” construction

There are now quite a few infinite families of APN functions and of planar functions, sometimes with similar proofs in even and odd characteristic. A very interesting example: x^{2^s+1} + αx^{2^k + 2^{2k+s}} is APN on F_{2^{3n}} (Budaghyan, Carlet, Leander 2008), and x^{p^s+1} + βx^{p^k + p^{2k+s}} is planar on F_{p^{3n}} (Zha, Kyureghyan, Wang 2009). α, β must be chosen properly.

SLIDE 12

An important result by Menichetti 1977

Theorem

A planar function on F_{p^n} with n prime is equivalent to x^{p^i+1} if p is sufficiently large.

The result by Zha, Kyureghyan, Wang shows that this cannot be true for composite (odd!) n. If n is even, it seems easier to find APN/PN functions, sometimes using bivariate methods, F_{q^2} = F_q^2 (APN: Carlet 2011; P., Zhou 2013).

SLIDE 13

My favorite problem

Finding new examples of quadratic planar or APN functions seems to be less interesting now.

Problem

Show that

◮ there is no polynomial f_p such that the number of (quadratic) planar or APN functions on F_p^n is smaller than f_p(n) for all n;
◮ the number of APN functions grows quickly in n (no Menichetti bound).

SLIDE 14

PN/semifields (from Lavrauw, Polverino)

SLIDE 15

non-monomial APN (from Göloğlu)

Table 2: Known infinite families of APN multinomials on F_{2^n} (F = F_{2^n}; the bracketed numbers are the references of the cited table)

B.1  X^{2^s+1} + A^{2^t−1} X^{2^{it} + 2^{rt+s}}
     n = 3t, gcd(t, 3) = gcd(s, 3t) = 1, t ≥ 3, i ≡ st (mod 3), r = 3 − i, A ∈ F primitive  [13]
B.2  X^{2^s+1} + A^{2^t−1} X^{2^{it} + 2^{rt+s}}
     n = 4t, gcd(t, 2) = gcd(s, 2t) = 1, t ≥ 3, i ≡ st (mod 4), r = 4 − i, A ∈ F primitive  [14]
B.3  AX^{2^s+1} + A^{2^m} X^{2^{m+s} + 2^m} + BX^{2^m+1} + Σ_{i=1}^{m−1} c_i X^{2^{m+i} + 2^i}
     n = 2m, m odd, c_i ∈ F_{2^m}, gcd(s, m) = 1, s odd, A, B ∈ F primitive  [6]
B.4  AX^{2^{n−t} + 2^{t+s}} + A^{2^t} X^{2^s+1} + bX^{2^{t+s} + 2^s}
     n = 3t, gcd(s, 3t) = 1, gcd(3, t) = 1, 3 | (t + s), A ∈ F primitive, b ∈ F_{2^t}  [6]
B.5  A^{2^t} X^{2^{n−t} + 2^{t+s}} + AX^{2^s+1} + bX^{2^{n−t}+1}
     n = 3t, gcd(s, 3t) = gcd(3, t) = 1, 3 | (t + s), A ∈ F primitive, b ∈ F_{2^t}  [7]
B.6  A^{2^t} X^{2^{n−t} + 2^{t+s}} + AX^{2^s+1} + bX^{2^{n−t}+1} + cA^{2^t+1} X^{2^{t+s} + 2^s}
     n = 3t, gcd(s, 3t) = gcd(3, t) = 1, 3 | (t + s), A ∈ F primitive, b, c ∈ F_{2^t}, bc ≠ 1  [7]
B.7  X^{2^{2k} + 2^k} + BX^{q+1} + CX^{q(2^{2k} + 2^k)}
     n = 2m, m odd, C is a (q − 1)-st power but not a (q − 1)(2^i + 1)-st power, CB^q + B ≠ 0  [12]
B.8  X(X^{2^k} + X^q + CX^{2^k q}) + X^{2^k}(C^q X^q + AX^{2^k q}) + X^{(2^k+1)q}
     n = 2m, gcd(n, k) = 1, C satisfies Theorem 11, A ∈ F \ F_{2^m}  [12]
B.9  X^3 + tr^n_1(X^9)  [15]
B.10 X^{2^k+1} + tr^n_m(X)^{2^k+1}
     n = 2m = 4t, gcd(n, k) = 1  [here]
B.11 Bivariate construction, Theorem 1 of [17]; n = 2m  [17]
B.12 Bivariate construction, Theorem 9 of [40]; n = 4m  [40]

SLIDE 16

Construction method: Switching or Projection

Theorem (Budaghyan, Carlet, Leander 2009)

x3 + tr(x9) is APN.

Theorem (Göloğlu 2015)

x^{2^k+1} + [tr^n_m(x)]^{2^k+1} is APN on F_{2^{2m}} if gcd(k, 2m) = 1 and m is even.

SLIDE 17

The BIG open problem

Browning, Dillon, McQuistan, Wolfe 2010 found an APN permutation of F_{2^6}. They used the APN function x → x^3 + x^10 + αx^24, α primitive.

Problem

Are there other examples of APN permutations of F_{2^n} with n even? It is easy to find APN permutations if n is odd.

SLIDE 18

Yu, Wang, Li 2013/2014

A quadratic APN function gives rise to a vector space of symmetric matrices T_α with zero diagonal, corresponding to the bilinear forms (x, y) → tr(α · (F(x + y) + F(x) + F(y) + F(0))). Change some positions of these matrices carefully. Yu, Wang, Li constructed many new quadratic APN functions for n = 7, 8. Note: in the planar case, these matrices have full rank (symplectic semifield). In the APN case, different ranks may occur if n is even. Edel 2010 gave conditions under which such vector spaces correspond to APN functions. Applicable to planar functions?

SLIDE 19

Semifields

Semifields on F_p^n are n-dimensional vector spaces of matrices (all nonzero elements invertible) containing I_n. If p is odd, they are sometimes all symmetric; then they can be described by planar functions. If p = 2, symmetric is not possible (no planar functions).

SLIDE 20

Walsh spectrum

The ranks of the symmetric forms T_α : (x, y) → tr(α · (F(x + y) + F(x) + F(y) + F(0))) determine the Walsh spectrum of F. Which rank distributions are possible? More generally (including the non-quadratic case): determine

  Σ_{x ∈ F_{2^n}} (−1)^{tr(αx + βF(x))},   α, β ∈ F_{2^n}, β ≠ 0.

Result

◮ F quadratic APN and n odd: Walsh spectrum is known (almost bent functions). Not known for non-quadratic APN.
◮ n even: Walsh spectrum is not known, even for quadratic APN (mostly 5-valued). Only one APN function with n even and a spectrum that is not 5-valued is known: the ranks of its T_α are 2, 4 and 6.
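The link between the matrices T_α of slide 18 and the Walsh spectrum of slide 20 can be made concrete for a quadratic F. The following is an added example, not code from the slides: it builds the GF(2)-matrix of T_α with respect to a polynomial basis, computes its rank, evaluates the Walsh coefficients Σ_x (−1)^{tr(αx + βF(x))}, and checks for every β ≠ 0 that max_α |W(α, β)| = 2^{n − rank(T_β)/2}, which is the standard Walsh-transform formula for a quadratic form whose bilinear form has that rank. It is run on x^3 (Gold) over GF(2^5), where every T_β has rank 4 and the spectrum is the almost-bent {0, ±8}, and over GF(2^6), where ranks 4 and 6 both occur and the spectrum is 5-valued, {0, ±8, ±16}. Helper arithmetic, modulus polynomials and names are this example's own.

```python
# Added example (not from the slides): for a quadratic F on GF(2^n) build the
# GF(2)-matrix of the symmetric bilinear form
#   T_alpha(x, y) = tr(alpha * (F(x+y) + F(x) + F(y) + F(0))),
# compute its rank, and compare with the Walsh coefficients
#   W(alpha, beta) = sum_x (-1)^{tr(alpha x + beta F(x))}.
# Illustrated with x^3 (Gold) on GF(2^5) (n odd) and GF(2^6) (n even).
# Helper arithmetic, modulus polynomials and names are this example's own.


def gf_mul(a, b, n, poly):
    """Carry-less multiply in GF(2^n) modulo `poly` (leading bit included)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= poly
    return r


class GF2n:
    """GF(2^n) with precomputed multiplication and absolute-trace tables."""

    def __init__(self, n, poly):
        self.n, self.q = n, 1 << n
        self.mul = [[gf_mul(a, b, n, poly) for b in range(self.q)]
                    for a in range(self.q)]
        self.tr = []
        for x in range(self.q):
            t, y = 0, x
            for _ in range(n):           # tr(x) = x + x^2 + ... + x^(2^(n-1))
                t ^= y
                y = self.mul[y][y]
            self.tr.append(t)


def t_matrix(K, F, alpha):
    """Rows (as bitmasks) of T_alpha w.r.t. the basis 1, g, ..., g^(n-1)."""
    basis = [1 << i for i in range(K.n)]
    rows = []
    for ei in basis:
        row = 0
        for j, ej in enumerate(basis):
            v = F(ei ^ ej) ^ F(ei) ^ F(ej) ^ F(0)
            row |= K.tr[K.mul[alpha][v]] << j
        rows.append(row)
    return rows


def gf2_rank(rows):
    """Rank over GF(2) of a list of row bitmasks (Gaussian elimination)."""
    rows = [r for r in rows if r]
    rank = 0
    while rows:
        pivot = rows.pop()
        rank += 1
        low = pivot & -pivot                       # lowest set bit of pivot
        rows = [r ^ pivot if r & low else r for r in rows]
        rows = [r for r in rows if r]
    return rank


def walsh_row(K, tab, beta):
    """[W(alpha, beta) for all alpha] for a fixed beta; tab is F as a table."""
    out = []
    for alpha in range(K.q):
        s = 0
        for x in range(K.q):
            s += -1 if K.tr[K.mul[alpha][x] ^ K.mul[beta][tab[x]]] else 1
        out.append(s)
    return out


def ranks_and_spectrum(K, F):
    """Return ({beta: rank T_beta}, set of all W(alpha, beta) with beta != 0).
    For quadratic F, max_alpha |W(alpha, beta)| = 2^(n - rank(T_beta)/2);
    that link is verified here for every beta."""
    tab = [F(x) for x in range(K.q)]
    ranks, spectrum = {}, set()
    for beta in range(1, K.q):
        r = gf2_rank(t_matrix(K, F, beta))
        w = walsh_row(K, tab, beta)
        if max(abs(v) for v in w) != 1 << (K.n - r // 2):
            raise AssertionError("rank/Walsh mismatch for beta=%d" % beta)
        ranks[beta] = r
        spectrum.update(w)
    return ranks, spectrum


# Constructed sample fields (standard irreducible polynomials) and F = x^3.
F32 = GF2n(5, 0b100101)    # x^5 + x^2 + 1
F64 = GF2n(6, 0b1000011)   # x^6 + x + 1


def cube(K): return lambda x: K.mul[x][K.mul[x][x]]
```

Over GF(2^6) the rank of T_β drops to 4 exactly when β is a cube (the radical of (x, y) → tr(β(x^2 y + x y^2)) is {x : βx^3 = 1} ∪ {0}), so 21 of the 63 values of β give rank 4 and Walsh values ±16, the rest give rank 6 and values ±8; this is the "mostly 5-valued" behaviour the slide refers to.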

SLIDE 21

Composing two functions

Theorem (Weng, Zeng 2010)

If π : F_q → F_q is injective on squares and π(0) = 0, then F(x) = π(x^2) is planar provided that it is Dembowski-Ostrom (quadratic).

Proof.

x^2 is planar, so π((x + a)^2) − π(x^2) = 0 has at most one solution; this is sufficient since π(x^2) is quadratic (which means π((x + a)^2) − π(x^2) is affine).

Example (Coulter, Matthews 1997, Ding, Yuan 2006)

x^5 ± x^3 − x is a permutation of F_{3^n} if n = 2 or n is odd. Hence x^10 ± x^6 − x^2 is planar (Polhill, Chen 2011).

SLIDE 22

The APN analogue, 2014

Theorem (Carlet, Gong, Tan)

If π : F_q → F_q is injective on cubes and π(0) = 0, then F(x) = π(x^3) is APN provided that it is Dembowski-Ostrom (quadratic).

Example

x + tr(x^3) is a permutation of F_{2^n} if n is even. Hence x^3 + tr(x^9) is APN.

SLIDE 23

Monomial APN functions x^d on F_{2^n}

              d                                    Condition
Gold          2^k + 1                              gcd(k, n) = 1
Kasami        2^{2k} − 2^k + 1                     gcd(k, n) = 1
Welch         2^t + 3                              n = 2t + 1
Niho          2^t + 2^{t/2} − 1, t even            n = 2t + 1
              2^t + 2^{(3t+1)/2} − 1, t odd
inverse       2^{2t} − 1                           n = 2t + 1
Dobbertin     2^{4t} + 2^{3t} + 2^{2t} + 2^t − 1   n = 5t

SLIDE 24

One sporadic non-quadratic APN

Edel, P. 2009 found some u such that

  x^3 + u^17 (x^17 + x^18 + x^20 + x^24) + u^14 ( tr(u^52 x^3 + u^6 x^5 + u^19 x^7 + u^28 x^11 + u^2 x^13) + tr^8_2((u^2 x)^9) + tr^4_2(x^21) )

in F_{2^6} is APN, where x^3 + u^17 (x^17 + x^18 + x^20 + x^24) is APN (switching; Brinkmann, Leander).

SLIDE 25

One family of non-quadratic planar functions

Theorem (Coulter, Matthews 1997)

In F_{3^n}, the mapping x^{(3^a+1)/2} with gcd(a, n) = 1, a odd, is planar.

Problem

Find more non-quadratic planar or APN mappings.

SLIDE 26

Equivalence

The graph G_F = {(x, F(x)) : x ∈ F_q} of a planar function gives rise to a projective plane, the graph of an APN function to a semi-biplane (points are joined by 0 or 2 lines). Let L, L′ denote linear permutations. Two functions F and F′ are

◮ isomorphic if the corresponding incidence structures are isomorphic;
◮ EA equivalent if F = L ∘ F′ ∘ L′ + affine;
◮ CCZ or graph equivalent if G_F = L(G_{F′}) + constant.

SLIDE 27

We know...

Isomorphism is related to isotopy of semifields. Isomorphism gives good invariants for APN functions using automorphism groups:

◮ Quadratic functions have a group of order 2^{3n}.
◮ Power mappings have a c group of order 2^n − 1.

Problem

◮ Investigate isomorphism for (quadratic) APN functions.
◮ Find pairs (F, F′) which are CCZ but not EA equivalent and both are non-quadratic.
◮ Find good invariants! Can the APN world still learn from semifields?

SLIDE 28

Projective planes of even order?

We know that we can construct planes of odd order from planar functions. Is there an analogue for the even case?

Definition

A set R in a group G with normal subgroup N is an (m, n, k, λ)-relative difference set (RDS) if

◮ |R| = k,
◮ |G| = mn,
◮ |N| = n,
◮ no element in N \ {0} can be written as r − r′ with r, r′ ∈ R, and every element in G \ N has exactly λ (here λ = 1) such difference representations.

The graph of a planar function is a (q, q, q, 1)-RDS. Any (n, n, n, 1)-RDS gives rise to a projective plane.

SLIDE 29

Relative difference sets in Z_4^n

Example

{(0, 0), (1, 0), (2, 1), (1, 3)} ⊆ Z_4 × Z_4 is a (4, 4, 4, 1)-RDS.

Now represent the group Z_4^n as F_2^n × F_2^n with addition

  (x, y) + (x′, y′) := (x + x′, y + y′ + B(x, x′)),

where B : F_2^n × F_2^n → F_2^n is symmetric, bilinear and non-degenerate (this is a commutative pre-semifield).

Example

B(x, y) = x · y

SLIDE 30

Modified planar functions

Theorem (Zhou 2012)

The existence of an RDS in Z_4^n is equivalent to the existence of a function F : F_2^n → F_2^n such that F(x + a) + F(x) + B(a, x) is a permutation for all a ≠ 0.

◮ If F is quadratic, then the plane is a semifield plane.
◮ If B(x, y) = x · y and F = 0, the plane is Desarguesian.

Problem

Find non-quadratic modified planar functions, perhaps using switching.

SLIDE 31

Kantor 2003

We have many planar functions to begin with:

Theorem

Let K = K_0 ⊃ K_1 ⊃ · · · ⊃ K_n be fields of characteristic 2 with [K : K_n] odd. Let tr_i be the relative trace from K to K_i. Then, for all nonzero ζ_1, . . . , ζ_n ∈ K, the mapping F : K → K given by

  F(x) = ( x Σ_{i=1}^{n} tr_i(ζ_i x) )^2

is modified planar with respect to B(x, y) = x · y. The examples are inequivalent.
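Slides 28 to 31 (the RDS definition, the Z_4^n example, the twisted addition, Zhou's equivalence and Kantor's modified planar functions) can all be exercised with one small brute-force checker. The following is an added example, not code from the slides: `rds_parameters` tests the (m, n, k, 1)-RDS definition directly from a group's addition law, `z4n_group` builds Z_4^n as GF(2^n) × GF(2^n) with (x, y) + (x′, y′) = (x + x′, y + y′ + x·x′), `is_modified_planar` tests Zhou's condition with B(a, x) = a·x, and `graph_is_rds` tests whether the graph {(x, F(x))} is an RDS relative to N = {(0, y)}. It is run on the slide's set {(0,0), (1,0), (2,1), (1,3)} in Z_4 × Z_4 (with N = {(0,0), (0,2), (2,0), (2,2)}, the subgroup of differences that never occur), on the graph of x^2 in Z_7 × Z_7, on F = 0, on x^3 (APN but not modified planar), and on a Kantor instance for the shortest tower K = GF(8) ⊃ K_1 = GF(2), ζ_1 = 1, reading the slide's formula as F(x) = (x tr(x))^2 = x^2 tr(x). Helper arithmetic, the modulus polynomial and all names are this example's own.

```python
# Added example (not from the slides): brute-force relative-difference-set
# checker and the Zhou correspondence between RDSs in Z_4^n and modified planar
# functions w.r.t. B(x, y) = x*y.  Helper arithmetic, the modulus polynomial
# and all names are this example's own choices.
from itertools import product


def gf_mul(a, b, n, poly):
    """Carry-less multiply in GF(2^n) modulo `poly` (leading bit included)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= poly
    return r


def gf_tr(x, n, poly):
    """Absolute trace GF(2^n) -> GF(2)."""
    t = 0
    for _ in range(n):
        t ^= x
        x = gf_mul(x, x, n, poly)
    return t


def rds_parameters(elements, add, R, N):
    """If R is an (m, n, k, 1)-RDS in the group (elements, add) relative to the
    subgroup N, return (m, n, k, 1); otherwise return None.  Only `add` is
    used, so the twisted addition of Z_4^n works as well as ordinary +."""
    zero = next(g for g in elements if all(add(g, h) == h for h in elements))
    neg = {g: next(h for h in elements if add(g, h) == zero) for g in elements}
    counts = {}
    for r in R:
        for s in R:
            if r != s:
                d = add(r, neg[s])            # the difference r - s
                counts[d] = counts.get(d, 0) + 1
    Nset = set(N)
    ok = all(counts.get(g, 0) == (0 if g in Nset else 1) for g in elements)
    return (len(elements) // len(N), len(N), len(R), 1) if ok else None


def z4n_group(n, poly):
    """Z_4^n as pairs of GF(2^n) elements: (x,y)+(x',y') = (x+x', y+y'+x*x')."""
    q = 1 << n
    elements = list(product(range(q), repeat=2))

    def add(a, b):
        return (a[0] ^ b[0], a[1] ^ b[1] ^ gf_mul(a[0], b[0], n, poly))

    return elements, add


def is_modified_planar(n, poly, F):
    """Zhou: x -> F(x+a) + F(x) + a*x is a permutation for every a != 0."""
    q = 1 << n
    for a in range(1, q):
        images = {F(x ^ a) ^ F(x) ^ gf_mul(a, x, n, poly) for x in range(q)}
        if len(images) != q:
            return False
    return True


def graph_is_rds(n, poly, F):
    """RDS parameters of the graph {(x, F(x))} in Z_4^n relative to N = {(0, y)}."""
    elements, add = z4n_group(n, poly)
    R = [(x, F(x)) for x in range(1 << n)]
    N = [(0, y) for y in range(1 << n)]
    return rds_parameters(elements, add, R, N)


# Constructed sample inputs.
Z4x4 = list(product(range(4), repeat=2))
def z4_add(a, b): return ((a[0] + b[0]) % 4, (a[1] + b[1]) % 4)
R_SLIDE = [(0, 0), (1, 0), (2, 1), (1, 3)]
N_SLIDE = [(0, 0), (0, 2), (2, 0), (2, 2)]   # differences that never occur, plus 0

Z7x7 = list(product(range(7), repeat=2))
def z7_add(a, b): return ((a[0] + b[0]) % 7, (a[1] + b[1]) % 7)

N3, POLY8 = 3, 0b1011                          # GF(8) = GF(2)[g]/(g^3 + g + 1)
def kantor(x): return gf_mul(x, x, N3, POLY8) if gf_tr(x, N3, POLY8) else 0  # x^2 tr(x)
def cube(x): return gf_mul(x, gf_mul(x, x, N3, POLY8), N3, POLY8)           # x^3
```

In the twisted group −(x′, y′) = (x′, y′ + x′^2), so (x, F(x)) − (x′, F(x′)) = (a, F(x′ + a) + F(x′) + a·x′) with a = x + x′; that is why `graph_is_rds` returns (2^n, 2^n, 2^n, 1) exactly when `is_modified_planar` returns True, and why x^3, although APN, fails both.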

SLIDE 32

Conclusions

◮ Find lower bounds for the number of PN/APN functions.
◮ Constructions:
  ◮ Switching
  ◮ Composing functions
  ◮ The Chinese approach
  ◮ trans-characteristic approach
◮ Walsh spectrum of APN functions.
◮ APN permutations if n is even.
◮ non-quadratic (modified) PN/APN functions.
◮ Find good invariants for equivalence classes.
