on apn and almost apn functions - umr6206 …iml.univ-mrs.fr/~rodier/parisviii.pdf · on apn and...
TRANSCRIPT
On APN and almost APN functions
Yves Aubry1 Gregor Leander2 Francois Rodier3
1Imath – Toulon2Technical University of Danemark
3IML – Marseille
1
Outline
1 APN functions
2 Bounds on APN polynomialsA first boundA second boundOther examples
3 Functions x−1 + g(x)
4 Differentially 4-uniform functionsAESMonomials functions with δ ≤ 4Polynomials functions with δ ≤ 4
5 Proofs
6 Conclusion
2
Outline
1 APN functions
2 Bounds on APN polynomialsA first boundA second boundOther examples
3 Functions x−1 + g(x)
4 Differentially 4-uniform functionsAESMonomials functions with δ ≤ 4Polynomials functions with δ ≤ 4
5 Proofs
6 Conclusion
3
Boolean functions.
Vectorial Boolean functions are useful in private keycryptography for designing block ciphers.
Two main attacks on these ciphers are differential attacksand linear attacks.An important criterion on boolean functions is a highresistance to the differential cryptanalysis.Kaisa Nyberg has introduced in 1993 the notion ofdifferential uniformity and almost perfect nonlinearity (APN)to characterize those functions which have the betterresistance to differential attacks.
4
Boolean functions.
Vectorial Boolean functions are useful in private keycryptography for designing block ciphers.Two main attacks on these ciphers are differential attacksand linear attacks.An important criterion on boolean functions is a highresistance to the differential cryptanalysis.
Kaisa Nyberg has introduced in 1993 the notion ofdifferential uniformity and almost perfect nonlinearity (APN)to characterize those functions which have the betterresistance to differential attacks.
4
Boolean functions.
Vectorial Boolean functions are useful in private keycryptography for designing block ciphers.Two main attacks on these ciphers are differential attacksand linear attacks.An important criterion on boolean functions is a highresistance to the differential cryptanalysis.Kaisa Nyberg has introduced in 1993 the notion ofdifferential uniformity and almost perfect nonlinearity (APN)to characterize those functions which have the betterresistance to differential attacks.
4
Differentially δ-uniform functions
Let us consider a (vectorial) Boolean function f : Fm2 −→ Fm
2 .
If we use the function f in a S-box of a cryptosystem, theefficiency of differential cryptanalysis is measured by themaximum of the cardinality of the set of elements x in Fm
2 suchthat
f (x + a)− f (x) = b
where a and b are elements in Fm2 and a 6= 0.
Definition
The function f is called a differentially δ-uniform function if
max06=a∈Fm
2 b∈Fm2
| {x |f (x + a)− f (x) = b} |= δ
5
Differentially δ-uniform functions
Let us consider a (vectorial) Boolean function f : Fm2 −→ Fm
2 .
If we use the function f in a S-box of a cryptosystem, theefficiency of differential cryptanalysis is measured by themaximum of the cardinality of the set of elements x in Fm
2 suchthat
f (x + a)− f (x) = b
where a and b are elements in Fm2 and a 6= 0.
Definition
The function f is called a differentially δ-uniform function if
max06=a∈Fm
2 b∈Fm2
| {x |f (x + a)− f (x) = b} |= δ
5
APN functions
δ(f ) = maxa 6=0,b
| {x ∈ Fm2 |f (x + a)− f (x) = b} | .
Since δ is obviously even and is nonzero, the least value of δ is2.
Differentially 2-uniform functions are called almost perfectnonlinear functions :
Definition
The function f is said to be APN (almost perfect nonlinear)if for every a 6= 0 in Fm
2 and b ∈ Fm2 ,
there exists at most 2 elements x of Fm2 such that
f (x + a) + f (x) = b.
6
APN functions
δ(f ) = maxa 6=0,b
| {x ∈ Fm2 |f (x + a)− f (x) = b} | .
Since δ is obviously even and is nonzero, the least value of δ is2.
Differentially 2-uniform functions are called almost perfectnonlinear functions :
Definition
The function f is said to be APN (almost perfect nonlinear)if for every a 6= 0 in Fm
2 and b ∈ Fm2 ,
there exists at most 2 elements x of Fm2 such that
f (x + a) + f (x) = b.
6
APN functions
δ(f ) = maxa 6=0,b
| {x ∈ Fm2 |f (x + a)− f (x) = b} | .
Since δ is obviously even and is nonzero, the least value of δ is2.
Differentially 2-uniform functions are called almost perfectnonlinear functions :
Definition
The function f is said to be APN (almost perfect nonlinear)if for every a 6= 0 in Fm
2 and b ∈ Fm2 ,
there exists at most 2 elements x of Fm2 such that
f (x + a) + f (x) = b.
6
APN functions
δ(f ) = maxa 6=0,b
| {x ∈ Fm2 |f (x + a)− f (x) = b} | .
Since δ is obviously even and is nonzero, the least value of δ is2.
Differentially 2-uniform functions are called almost perfectnonlinear functions :
Definition
The function f is said to be APN (almost perfect nonlinear)if for every a 6= 0 in Fm
2 and b ∈ Fm2 ,
there exists at most 2 elements x of Fm2 such that
f (x + a) + f (x) = b.
6
APN power functionsUp to now, the study of APN functions was especially devotedto the power functions.
The following functions f (x) = xd are APN on F2m , where d isgiven by:
d = 2h + 1 where gcd(h,m) = 1 (Gold functions).
d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).d = 2(m−1)/2 + 3 with m odd ( Welch functions).d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).d = 2m − 2, for m odd; (inverse function)d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).
The Gold and Kasami functions are the only known where d isindependent from m and which give APN functions for aninfinity of values of m.
7
APN power functionsUp to now, the study of APN functions was especially devotedto the power functions.
The following functions f (x) = xd are APN on F2m , where d isgiven by:
d = 2h + 1 where gcd(h,m) = 1 (Gold functions).d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).
d = 2(m−1)/2 + 3 with m odd ( Welch functions).d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).d = 2m − 2, for m odd; (inverse function)d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).
The Gold and Kasami functions are the only known where d isindependent from m and which give APN functions for aninfinity of values of m.
7
APN power functionsUp to now, the study of APN functions was especially devotedto the power functions.
The following functions f (x) = xd are APN on F2m , where d isgiven by:
d = 2h + 1 where gcd(h,m) = 1 (Gold functions).d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).d = 2(m−1)/2 + 3 with m odd ( Welch functions).
d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).d = 2m − 2, for m odd; (inverse function)d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).
The Gold and Kasami functions are the only known where d isindependent from m and which give APN functions for aninfinity of values of m.
7
APN power functionsUp to now, the study of APN functions was especially devotedto the power functions.
The following functions f (x) = xd are APN on F2m , where d isgiven by:
d = 2h + 1 where gcd(h,m) = 1 (Gold functions).d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).d = 2(m−1)/2 + 3 with m odd ( Welch functions).d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).
d = 2m − 2, for m odd; (inverse function)d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).
The Gold and Kasami functions are the only known where d isindependent from m and which give APN functions for aninfinity of values of m.
7
APN power functionsUp to now, the study of APN functions was especially devotedto the power functions.
The following functions f (x) = xd are APN on F2m , where d isgiven by:
d = 2h + 1 where gcd(h,m) = 1 (Gold functions).d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).d = 2(m−1)/2 + 3 with m odd ( Welch functions).d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).d = 2m − 2, for m odd; (inverse function)
d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).
The Gold and Kasami functions are the only known where d isindependent from m and which give APN functions for aninfinity of values of m.
7
APN power functionsUp to now, the study of APN functions was especially devotedto the power functions.
The following functions f (x) = xd are APN on F2m , where d isgiven by:
d = 2h + 1 where gcd(h,m) = 1 (Gold functions).d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).d = 2(m−1)/2 + 3 with m odd ( Welch functions).d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).d = 2m − 2, for m odd; (inverse function)d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).
The Gold and Kasami functions are the only known where d isindependent from m and which give APN functions for aninfinity of values of m.
7
APN power functionsUp to now, the study of APN functions was especially devotedto the power functions.
The following functions f (x) = xd are APN on F2m , where d isgiven by:
d = 2h + 1 where gcd(h,m) = 1 (Gold functions).d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).d = 2(m−1)/2 + 3 with m odd ( Welch functions).d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).d = 2m − 2, for m odd; (inverse function)d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).
The Gold and Kasami functions are the only known where d isindependent from m and which give APN functions for aninfinity of values of m.
7
CCZ equivalence
Carlet, Charpin and Zinoviev have defined an equivalencerelation between Boolean functions.
For a function f of Fm2 in itself we denote by Gf the graph of the
function f :Gf = {(x , f (x)) | x ∈ Fm
2 }.
Definition
The functions f , f ′ : Fm2 −→ Fm
2 are equivalent in the sense ofCarlet-Charpin-Zinoviev (CCZ equivalence)if there exist a linear permutation L : F2m
2 −→ F2m2 such that
L(Gf ) = Gf ′ .
Proposition
If f and f ′ are CCZ equivalent, then f is APN if and only if f ′ is.
8
CCZ equivalence
Carlet, Charpin and Zinoviev have defined an equivalencerelation between Boolean functions.
For a function f of Fm2 in itself we denote by Gf the graph of the
function f :Gf = {(x , f (x)) | x ∈ Fm
2 }.
Definition
The functions f , f ′ : Fm2 −→ Fm
2 are equivalent in the sense ofCarlet-Charpin-Zinoviev (CCZ equivalence)if there exist a linear permutation L : F2m
2 −→ F2m2 such that
L(Gf ) = Gf ′ .
Proposition
If f and f ′ are CCZ equivalent, then f is APN if and only if f ′ is.
8
APN function not equivalent to a power function
First example:
In 2005, Edel, Kyureghyan and Pott proved that the function
F210 −→ F210
x 7−→ x3 + ωx36
where ω is a primitive cube root of unity in F∗210 was APN andnot CCZ equivalent to a power function.
A number of people (Budaghyan, Carlet, Felke, Leander,Bracken, Byrne, Markin, McGuire, Dillon. . . ) showed thatcertain quadratic polynomials were APN and not CCZequivalent to known power functions.
9
APN function not equivalent to a power function
First example:
In 2005, Edel, Kyureghyan and Pott proved that the function
F210 −→ F210
x 7−→ x3 + ωx36
where ω is a primitive cube root of unity in F∗210 was APN andnot CCZ equivalent to a power function.
A number of people (Budaghyan, Carlet, Felke, Leander,Bracken, Byrne, Markin, McGuire, Dillon. . . ) showed thatcertain quadratic polynomials were APN and not CCZequivalent to known power functions.
9
APN function not equivalent to a power function
First example:
In 2005, Edel, Kyureghyan and Pott proved that the function
F210 −→ F210
x 7−→ x3 + ωx36
where ω is a primitive cube root of unity in F∗210 was APN andnot CCZ equivalent to a power function.
A number of people (Budaghyan, Carlet, Felke, Leander,Bracken, Byrne, Markin, McGuire, Dillon. . . ) showed thatcertain quadratic polynomials were APN and not CCZequivalent to known power functions.
9
Toward the classification of APN functions
Some results toward the classification of APN functionsgiven by polynomials have been proved
by Berger, Canteaut, Charpin, Laigle-ChapuyThey prove that a large class of quadratic functions cannotbe APN.
by Byrne and McGuireMany quadratic functions, are not APN functions over anextension of the base field.by Brinkman and Leander,APN functions with at most 5 variables are equivalent topower functions.by VolochMany binomials are not APN functions over an extension ofthe base field.. . .
We will give here some criteria for a Boolean function notto be APN (i.e. not differentially 2-uniform) and not to bealmost APN (i.e. not differentially 4-uniform)
10
Toward the classification of APN functions
Some results toward the classification of APN functionsgiven by polynomials have been proved
by Berger, Canteaut, Charpin, Laigle-ChapuyThey prove that a large class of quadratic functions cannotbe APN.by Byrne and McGuireMany quadratic functions, are not APN functions over anextension of the base field.
by Brinkman and Leander,APN functions with at most 5 variables are equivalent topower functions.by VolochMany binomials are not APN functions over an extension ofthe base field.. . .
We will give here some criteria for a Boolean function notto be APN (i.e. not differentially 2-uniform) and not to bealmost APN (i.e. not differentially 4-uniform)
10
Toward the classification of APN functions
Some results toward the classification of APN functionsgiven by polynomials have been proved
by Berger, Canteaut, Charpin, Laigle-ChapuyThey prove that a large class of quadratic functions cannotbe APN.by Byrne and McGuireMany quadratic functions, are not APN functions over anextension of the base field.by Brinkman and Leander,APN functions with at most 5 variables are equivalent topower functions.
by VolochMany binomials are not APN functions over an extension ofthe base field.. . .
We will give here some criteria for a Boolean function notto be APN (i.e. not differentially 2-uniform) and not to bealmost APN (i.e. not differentially 4-uniform)
10
Toward the classification of APN functions
Some results toward the classification of APN functionsgiven by polynomials have been proved
by Berger, Canteaut, Charpin, Laigle-ChapuyThey prove that a large class of quadratic functions cannotbe APN.by Byrne and McGuireMany quadratic functions, are not APN functions over anextension of the base field.by Brinkman and Leander,APN functions with at most 5 variables are equivalent topower functions.by VolochMany binomials are not APN functions over an extension ofthe base field.. . .
We will give here some criteria for a Boolean function notto be APN (i.e. not differentially 2-uniform) and not to bealmost APN (i.e. not differentially 4-uniform)
10
Toward the classification of APN functions
Some results toward the classification of APN functionsgiven by polynomials have been proved
by Berger, Canteaut, Charpin, Laigle-ChapuyThey prove that a large class of quadratic functions cannotbe APN.by Byrne and McGuireMany quadratic functions, are not APN functions over anextension of the base field.by Brinkman and Leander,APN functions with at most 5 variables are equivalent topower functions.by VolochMany binomials are not APN functions over an extension ofthe base field.. . .
We will give here some criteria for a Boolean function notto be APN (i.e. not differentially 2-uniform)
and not to bealmost APN (i.e. not differentially 4-uniform)
10
Toward the classification of APN functions
Some results toward the classification of APN functionsgiven by polynomials have been proved
by Berger, Canteaut, Charpin, Laigle-ChapuyThey prove that a large class of quadratic functions cannotbe APN.by Byrne and McGuireMany quadratic functions, are not APN functions over anextension of the base field.by Brinkman and Leander,APN functions with at most 5 variables are equivalent topower functions.by VolochMany binomials are not APN functions over an extension ofthe base field.. . .
We will give here some criteria for a Boolean function notto be APN (i.e. not differentially 2-uniform) and not to bealmost APN (i.e. not differentially 4-uniform)
10
Result on monomials
We will generalize this result on monomials by Anne Canteaut.
Proposition
Suppose that the curve
xd + yd + 1 + (x + y + 1)d
(x + y)(x + 1)(y + 1)= 0
is absolutely irreducible over F2. The mapping x 7−→ xd is notAPN over Fq, q ≥ 32, if
d ≤ q1/4 + 4.5
11
Equivalent polynomials
A q-affine polynomial is a polynomial whose monomials are ofdegree 0 or a power of 2.
Proposition
The class of APN functions is invariant by addition of a q-affinepolynomial.
More generally, if g is a q-affine polynomial, then
δ(f + g) = δ(f ).
We choose for f a polynomial mapping from F2m in itself whichhas no term of degree a power of 2 and with no constant term.
12
Equivalent polynomials
A q-affine polynomial is a polynomial whose monomials are ofdegree 0 or a power of 2.
Proposition
The class of APN functions is invariant by addition of a q-affinepolynomial. More generally, if g is a q-affine polynomial, then
δ(f + g) = δ(f ).
We choose for f a polynomial mapping from F2m in itself whichhas no term of degree a power of 2 and with no constant term.
12
Equivalent polynomials
A q-affine polynomial is a polynomial whose monomials are ofdegree 0 or a power of 2.
Proposition
The class of APN functions is invariant by addition of a q-affinepolynomial. More generally, if g is a q-affine polynomial, then
δ(f + g) = δ(f ).
We choose for f a polynomial mapping from F2m in itself whichhas no term of degree a power of 2 and with no constant term.
12
Outline
1 APN functions
2 Bounds on APN polynomialsA first boundA second boundOther examples
3 Functions x−1 + g(x)
4 Differentially 4-uniform functionsAESMonomials functions with δ ≤ 4Polynomials functions with δ ≤ 4
5 Proofs
6 Conclusion
13
Characterization of APN polynomials
Let q = 2m and let f be a polynomial mapping of Fq in itself.
Proposition
The function f : Fq −→ Fq is APN if and only if the surface
f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2) = 0
has all of its rational points contained in the surface
(x0 + x1)(x2 + x1)(x0 + x2) = 0.
14
Characterization of APN polynomials
Let q = 2m and let f be a polynomial mapping of Fq in itself.
Proposition
The function f : Fq −→ Fq is APN if and only if the surface
f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2) = 0
has all of its rational points contained in the surface
(x0 + x1)(x2 + x1)(x0 + x2) = 0.
14
A first bound for the degree of an APN polynomial
We have the following result:
Theorem
Let f be a polynomial mapping from Fq to Fq, d its degree.
Suppose that the surface X with affine equation
f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)
(x0 + x1)(x2 + x1)(x0 + x2)= 0
is absolutely irreducible.
Then, if 9 ≤ d < 0.45q1/4 + 0.5 , f is not APN.
15
Apercu de la demonstration
La surface X a un nombre de points rationnels borne parune expression dependant de d (par le theoreme deLang-Weil)
Si f est APN et d trop grand, alors la surface X a trop depoints rationnels pour etre contenue dans la surface(x0 + x1)(x2 + x1)(x0 + x2) = 0.
16
Apercu de la demonstration
La surface X a un nombre de points rationnels borne parune expression dependant de d (par le theoreme deLang-Weil)Si f est APN et d trop grand, alors la surface X a trop depoints rationnels pour etre contenue dans la surface(x0 + x1)(x2 + x1)(x0 + x2) = 0.
16
Irreducibility of X
Criterion for the surface X to be irreducible.
Proposition
Let f be a polynomial of Fq to itself, d its degree. Let ussuppose that d is not a power of 2 and that the curve X∞ withhomogeneous equation
xd0 + xd
1 + xd2 + (x0 + x1 + x2)
d
(x0 + x1)(x2 + x1)(x0 + x2)= 0
is absolutely irreducible.Then the surface X of affine equation
f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)
(x0 + x1)(x2 + x1)(x0 + x2)= 0
is absolutely irreducible.
17
Proof – The curve X∞ with homogeneous equation
xd0 + xd
1 + xd2 + (x0 + x1 + x2)
d
(x0 + x1)(x2 + x1)(x0 + x2)= 0
is the intersection of the surface X of affine equation
f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)
(x0 + x1)(x2 + x1)(x0 + x2)= 0
with the plane at infinity.Since the curve X∞ is absolutely irreducible it is the same forthe surface X .
18
Irreducibility of X∞
Janwa, McGuire and Wilson have studied the curve X∞ andhave deduced a certain number of cases where it is absolutelyirreducible.
Proposition
The curve X∞ is absolutely irreducible for
d ≡ 3 (mod 4)
ord ≡ 5 (mod 8) and d > 13.
19
A second bound
We can improve the bound for some cases.
Theorem
Let f be a polynomial mapping from Fq to Fq, d its degree.Let us suppose that d is not a power of 2 and that the surface X
f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)
(x0 + x1)(x2 + x1)(x0 + x2)= 0
has only a finite number of singular points.Then if 10 ≤ d < q1/4 + 4, f is not APN.
20
Amelioration de la borne de Lang et Weil par Deligne etpar Ghorpade-Lachaud
Des conditions suffisantes pour qu’il n’y ait qu’un nombrede points singulier fini ont ete donnees par Janwa etWilson
Proposition
The surface X has only a finite number of singular points. forthe values of d = 2l + 1 where
l is an odd integer such as there exists an integer r with2r ≡ −1 (mod l).l is a prime number larger than 17 such as the order of 2modulo l is (l − 1)/2.
In particular the first condition is satisfied if l is a prime numbercongruent to ±3 modulo 8.
21
Amelioration de la borne de Lang et Weil par Deligne etpar Ghorpade-LachaudDes conditions suffisantes pour qu’il n’y ait qu’un nombrede points singulier fini ont ete donnees par Janwa etWilson
Proposition
The surface X has only a finite number of singular points. forthe values of d = 2l + 1 where
l is an odd integer such as there exists an integer r with2r ≡ −1 (mod l).l is a prime number larger than 17 such as the order of 2modulo l is (l − 1)/2.
In particular the first condition is satisfied if l is a prime numbercongruent to ±3 modulo 8.
21
Amelioration de la borne de Lang et Weil par Deligne etpar Ghorpade-LachaudDes conditions suffisantes pour qu’il n’y ait qu’un nombrede points singulier fini ont ete donnees par Janwa etWilson
Proposition
The surface X has only a finite number of singular points. forthe values of d = 2l + 1 where
l is an odd integer such as there exists an integer r with2r ≡ −1 (mod l).l is a prime number larger than 17 such as the order of 2modulo l is (l − 1)/2.
In particular the first condition is satisfied if l is a prime numbercongruent to ±3 modulo 8.
21
Binomials I
Improvement of a Proposition by Voloch
Proposition
Let f (x) = xd + ax r ,wherea ∈ F∗q ,r < d are integers, not both even, and not a power of 2and such that (d − 1, r − 1) be a power of 2.
Then, if 9 ≤ d < 0,45q1/4 + 0,5 , f is not APN.
Example
For instance the binomial x36 + ax3 with a 6= 0 can be APN onlyif m ≤ 24.(It is APN for m = 10 and certain a).
22
Binomials I
Improvement of a Proposition by Voloch
Proposition
Let f (x) = xd + ax r ,wherea ∈ F∗q ,r < d are integers, not both even, and not a power of 2and such that (d − 1, r − 1) be a power of 2.
Then, if 9 ≤ d < 0,45q1/4 + 0,5 , f is not APN.
Example
For instance the binomial x36 + ax3 with a 6= 0 can be APN onlyif m ≤ 24.(It is APN for m = 10 and certain a).
22
Binomials IIExtension of a lemma by Byrne and McGuire
Proposition
Let f (x) = xd + ax r , where a ∈ F∗q3 ≤ r < d, are two integers.
Let φs be the polynomialxs
0 + xs1 + xs
2 + (x0 + x1 + x2)s
(x0 + x1)(x2 + x1)(x0 + x2)
Let us suppose that (φd , φr ) = 1 and thateither φd decomposes in distinct factors on F2 and r ≥ 5;or φr decomposes in distinct factors on F2.
Then, if 9 ≤ d < 0.45q1/4 + 0.5 , f is not APN.
Example
This proposition shows that the polynomial x13 + ax7 with a 6= 0can be APN only if m ≤ 19, because the polynomial φ7 isirreducible and does not divide φ13.
23
Binomials IIExtension of a lemma by Byrne and McGuire
Proposition
Let f (x) = xd + ax r , where a ∈ F∗q3 ≤ r < d, are two integers.
Let φs be the polynomialxs
0 + xs1 + xs
2 + (x0 + x1 + x2)s
(x0 + x1)(x2 + x1)(x0 + x2)
Let us suppose that (φd , φr ) = 1 and thateither φd decomposes in distinct factors on F2 and r ≥ 5;or φr decomposes in distinct factors on F2.
Then, if 9 ≤ d < 0.45q1/4 + 0.5 , f is not APN.
Example
This proposition shows that the polynomial x13 + ax7 with a 6= 0can be APN only if m ≤ 19, because the polynomial φ7 isirreducible and does not divide φ13.
23
Polynomials of degree 3 or 5
It is enough to look at the polynomials of the form a5x5 + a3x3.
These polynomials are linear combination of two monomials ofthe form x2i+1.
They cannot be APN except if a3 or a5 is zero.In this case, they are Gold functions.
24
Polynomials of degree 6
Proposition
Let f (x) = x6 + a5x5 + a3x3 be a polynomial of degree 6.
The polynomial f is APN if and only if a3 = a5 = 0.
Then it is equivalent to a Gold function.
ProofThe surface X is absolutely irreducible, except if a3 = a3
5.The surface X has only isolated singularities if 0 6= a3 6= a3
5.One deduce that f can be APN only if m ≤ 4.
25
Polynomials of degree 6
Proposition
Let f (x) = x6 + a5x5 + a3x3 be a polynomial of degree 6.
The polynomial f is APN if and only if a3 = a5 = 0.
Then it is equivalent to a Gold function.
ProofThe surface X is absolutely irreducible, except if a3 = a3
5.The surface X has only isolated singularities if 0 6= a3 6= a3
5.One deduce that f can be APN only if m ≤ 4.
25
Polynomials of degree 7
Proposition
Let f be a polynomial of degree 7.
For m ≥ 3, the polynomial f can be APN only if it isCCZ-equivalent to the polynomial x7 on F32.
Then it is equivalent to a Welsh function.
Proof –
The surface X has only isolated singularities.One deduce that f can be APN only if m ≤ 6.One deduce the proposition from the work of M. Brinkman andG. Leander and with an exhaustive research for m = 6.
26
Polynomials of degree 7
Proposition
Let f be a polynomial of degree 7.
For m ≥ 3, the polynomial f can be APN only if it isCCZ-equivalent to the polynomial x7 on F32.
Then it is equivalent to a Welsh function.
Proof –
The surface X has only isolated singularities.One deduce that f can be APN only if m ≤ 6.One deduce the proposition from the work of M. Brinkman andG. Leander and with an exhaustive research for m = 6.
26
Polynomials of degree 9
Proposition
Let f be a polynomial of degree 9.
The polynomial f cannot be APN for an infinity of m except if itis equivalent to the polynomial x9.Then it is CCZ-equivalent to a Gold function.
Otherwise the polynomial f can be APN only for m = 6.Then it is equal to a Dillon’s function f = x9 + a6x6 + a3x3 or toa CCZ-equivalent function.
27
Proof –One can limit our study to a few families of polynomials.
The function x9 is a Gold function.
The only other case where the surface X is reducible is whenf (x) = x9 + a6x6 + a3x3 with a3 = a2
6 6= 0.Then X is a union of two degree 3 surfaces.
For most of the cases, the surface X has only a finite number ofsingularities. The function f can only be APN if m ≤ 13.
An exhaustive search proves the proposition for the remainingcases.The only APN function we find is a functionf = x9 + a6x6 + a3x3 for m = 6 already obtained by Dillon.
28
Numerical examples
When the surface X is irreducible, the function f can be APNonly if m ≤ mmax where mmax is given by the following table.
d ≤ 7 9 10 12 15 17 21 23 29 36 41 49mmax 15 16 17 18 19 20 21 22 23 24 25 26
When moreover the surface X has only a finite number ofsingularities, the function f can be APN only if m ≤ mmax wheremmax is given by the following table.
d ≤ 7 9 10 12 13 15 17 20 23 26 30 36mmax 6 9 10 11 12 13 14 15 16 17 18 19
29
Numerical examples
When the surface X is irreducible, the function f can be APNonly if m ≤ mmax where mmax is given by the following table.
d ≤ 7 9 10 12 15 17 21 23 29 36 41 49mmax 15 16 17 18 19 20 21 22 23 24 25 26
When moreover the surface X has only a finite number ofsingularities, the function f can be APN only if m ≤ mmax wheremmax is given by the following table.
d ≤ 7 9 10 12 13 15 17 20 23 26 30 36mmax 6 9 10 11 12 13 14 15 16 17 18 19
29
Outline
1 APN functions
2 Bounds on APN polynomialsA first boundA second boundOther examples
3 Functions x−1 + g(x)
4 Differentially 4-uniform functionsAESMonomials functions with δ ≤ 4Polynomials functions with δ ≤ 4
5 Proofs
6 Conclusion
30
Mappings x−1 + g(x)
Proposition
Let g be a polynomial mapping from Fq in itself, d its degree.Then, if 5 ≤ d < 0.45q1/4 − 4.5 , f = xq−2 + g is not APN.
Proof
The surface X is of degree q − 5.We study instead the surface X ′
g(x0) + g(x1) + g(x2) + g(x0 + x1 + x2)
(x0 + x1)(x2 + x1)(x0 + x2)x0x1x2(x0 +x1 +x2) = 1
The surface X ′ is irreducible.If f is APN then X ′(Fq) ≤ 8dq + 4.
Example
The functions xq−2 + axd for a 6= 0, exponents d up to 29 andnot a power of 2 are not APN.
31
Mappings x−1 + g(x)
Proposition
Let g be a polynomial mapping from Fq in itself, d its degree.Then, if 5 ≤ d < 0.45q1/4 − 4.5 , f = xq−2 + g is not APN.
Proof
The surface X is of degree q − 5.
We study instead the surface X ′
g(x0) + g(x1) + g(x2) + g(x0 + x1 + x2)
(x0 + x1)(x2 + x1)(x0 + x2)x0x1x2(x0 +x1 +x2) = 1
The surface X ′ is irreducible.If f is APN then X ′(Fq) ≤ 8dq + 4.
Example
The functions xq−2 + axd for a 6= 0, exponents d up to 29 andnot a power of 2 are not APN.
31
Mappings x−1 + g(x)
Proposition
Let g be a polynomial mapping from Fq in itself, d its degree.Then, if 5 ≤ d < 0.45q1/4 − 4.5 , f = xq−2 + g is not APN.
Proof
The surface X is of degree q − 5.We study instead the surface X ′
g(x0) + g(x1) + g(x2) + g(x0 + x1 + x2)
(x0 + x1)(x2 + x1)(x0 + x2)x0x1x2(x0 +x1 +x2) = 1
The surface X ′ is irreducible.If f is APN then X ′(Fq) ≤ 8dq + 4.
Example
The functions xq−2 + axd for a 6= 0, exponents d up to 29 andnot a power of 2 are not APN.
31
Mappings x−1 + g(x)
Proposition
Let g be a polynomial mapping from Fq in itself, d its degree.Then, if 5 ≤ d < 0.45q1/4 − 4.5 , f = xq−2 + g is not APN.
Proof
The surface X is of degree q − 5.We study instead the surface X ′
g(x0) + g(x1) + g(x2) + g(x0 + x1 + x2)
(x0 + x1)(x2 + x1)(x0 + x2)x0x1x2(x0 +x1 +x2) = 1
The surface X ′ is irreducible.If f is APN then X ′(Fq) ≤ 8dq + 4.
Example
The functions xq−2 + axd for a 6= 0, exponents d up to 29 andnot a power of 2 are not APN.
31
Outline
1 APN functions
2 Bounds on APN polynomialsA first boundA second boundOther examples
3 Functions x−1 + g(x)
4 Differentially 4-uniform functionsAESMonomials functions with δ ≤ 4Polynomials functions with δ ≤ 4
5 Proofs
6 Conclusion
32
Advanced Encryption Standard
The S-box used by AES is f : F82 −→ F8
2 defined by
f (x) = x−1
for x 6= 0 and f (0) = 0.
We have: δ(f ) = 4.
More generally, the same function on Fm2 defined for x 6= 0 by
f (x) = x−1 = x2m−2
has δ(f ) = 2 for m odd and δ(f ) = 4 for m even (Nyberg (1993)).
33
Advanced Encryption Standard
The S-box used by AES is f : F82 −→ F8
2 defined by
f (x) = x−1
for x 6= 0 and f (0) = 0.
We have: δ(f ) = 4.
More generally, the same function on Fm2 defined for x 6= 0 by
f (x) = x−1 = x2m−2
has δ(f ) = 2 for m odd and δ(f ) = 4 for m even (Nyberg (1993)).
33
Advanced Encryption Standard
The S-box used by AES is f : F82 −→ F8
2 defined by
f (x) = x−1
for x 6= 0 and f (0) = 0.
We have: δ(f ) = 4.
More generally, the same function on Fm2 defined for x 6= 0 by
f (x) = x−1 = x2m−2
has δ(f ) = 2 for m odd and δ(f ) = 4 for m even (Nyberg (1993)).
33
Differentially 4-uniform functions
from Bracken and LeanderThe following functions are differentially 4-uniform
f (x) = g(x) + Tr(h(x))where g(x) is any APN function and h(x) is any function onthe field.f (x) = A(g(x))where A is any 2-to-1 affine mapping and g(x) is APN.f (x) = g(A(x))where A is any 2-to-1 affine mapping and g(x) is APN
f (x) = x2n−1−1
when n is even this function is differentially 4 uniform. It isAPN when n is odd.f (x) = x2n−1−1 + x5
where n is odd.f (x) = x22k+2k+1 on F24k
34
Characterization of APN polynomials
Let f be a polynomial mapping of Fq in itself. We have thefollowing result:
Proposition
The function f : Fq −→ Fq is AAPN (differentially 4-uniform) ifand only if the set of points (x , y , z, t) such that{
f (x) + f (y) + f (z) + f (x + y + z) = 0f (x) + f (y) + f (t) + f (x + y + t) = 0
is contained in the surface(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.
35
Characterization of APN polynomials
Let f be a polynomial mapping of Fq in itself. We have thefollowing result:
Proposition
The function f : Fq −→ Fq is AAPN (differentially 4-uniform) ifand only if the set of points (x , y , z, t) such that{
f (x) + f (y) + f (z) + f (x + y + z) = 0f (x) + f (y) + f (t) + f (x + y + t) = 0
is contained in the surface(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.
35
Monomials functions with δ ≤ 4
Let f be a monomial of degree d .The polynomials
Pf (x , y , z) =f (x) + f (y) + f (z) + f (x + y + z)
(x + y)(x + z)(y + z)
Pf (x , y , t) =f (x) + f (y) + f (t) + f (x + y + t)
(x + t)(y + t)(z + t)
are homogeneous polynomials.
36
Monomials functions with δ ≤ 4
Theorem
Consider the Boolean function f : Fq −→ Fq defined byf (x) = xd .Suppose that the polynomial Pf (x , y , z) is absolutelyirreducible.If 5 ≤ d < q1/4 + 4.6 then the differential uniformity of f is atleast 6.
37
Apercu de la demonstration
On considere la courbe X definie par les equations
Pf (x , y , z) = Pf (x , y , t) = 0
dans l’espace projectif a 3 dimensions.
La courbe projective X est reductible.Un de ses composants irreductibles X0 a pour equationPf (x , y , z) = 0.C’est l’intersection de X avec le plan x + y + z + t = 0.
La courbe projective X
0
a un nombre de points rationnelsborne (par le theoreme de Weil)Si f est APN, alors la courbe projective X
0
a trop de pointsrationnels pour etre contenue dans la courbe projective(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.
38
Apercu de la demonstration
On considere la courbe X definie par les equations
Pf (x , y , z) = Pf (x , y , t) = 0
dans l’espace projectif a 3 dimensions.La courbe projective X est reductible.
Un de ses composants irreductibles X0 a pour equationPf (x , y , z) = 0.C’est l’intersection de X avec le plan x + y + z + t = 0.
La courbe projective X
0
a un nombre de points rationnelsborne (par le theoreme de Weil)Si f est APN, alors la courbe projective X
0
a trop de pointsrationnels pour etre contenue dans la courbe projective(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.
38
Apercu de la demonstration
On considere la courbe X definie par les equations
Pf (x , y , z) = Pf (x , y , t) = 0
dans l’espace projectif a 3 dimensions.La courbe projective X est reductible.Un de ses composants irreductibles X0 a pour equationPf (x , y , z) = 0.C’est l’intersection de X avec le plan x + y + z + t = 0.La courbe projective X 0 a un nombre de points rationnelsborne (par le theoreme de Weil)Si f est APN, alors la courbe projective X 0 a trop de pointsrationnels pour etre contenue dans la courbe projective(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.
38
Application numerique
Pour les exposants inferieurs ou egaux a 57 tels qued ≥ q1/4 + 4,6:
x7 et x11 sont AAPN sur F24 .Sur F26 les monomes de degres 5, 13, 17, 19, 31, 41, 47,55.Sur F27 les monomes de degres 19, 25, 47.Sur F28 les monomes de degres 5, 13, 21.Sur F29 les monomes de degre 45.Sur F210 les monomes de degres 13, 17, 21, 29.Sur F214 les monomes de degres 13, 17.
Les monomes en rouge sont equivalents a x−1.Les monomes en vert sont equivalents aux exposants de Goldet de Kasami.Les monomes x7 sur F24 et x21 sur F28 sont donnes parBrinkman et Leander.
39
Polynomials functions with δ ≤ 4
Theorem
Let f be a polynomial mapping of Fq in itself, d its degree.Suppose that the surface S of affine equation
Pf (x , y , z) =f (x) + f (y) + f (z) + f (x + y + z)
(x + y)(x + z)(y + z)= 0 (1)
is absolutely irreducible. Then, if 9 ≤ d < 0.45q1/4 + 0.5, thedifferential uniformity of f is at least 6.
40
Apercu de la demonstration
On considere la surface affine X definie par les equations
Pf (x , y , z) = Pf (x , y , t) = 0
et le complete X dans l’espace projectif a 4 dimensions.
La surface projective X est reductible.Un de ses composants irreductible X 0 a pour equationPf (x , y , z) = 0.C’est l’intersection de X avec le plan x + y + z + t = 0.
La surface projective X
0
a un nombre de points rationnelsborne (par le theoreme de Lang-Weil)Si f est APN, alors la surface projective X
0
a trop de pointsrationnels pour etre contenue dans la surface projective(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.
41
Apercu de la demonstration
On considere la surface affine X definie par les equations
Pf (x , y , z) = Pf (x , y , t) = 0
et le complete X dans l’espace projectif a 4 dimensions.
La surface projective X est reductible.
Un de ses composants irreductible X 0 a pour equationPf (x , y , z) = 0.C’est l’intersection de X avec le plan x + y + z + t = 0.
La surface projective X
0
a un nombre de points rationnelsborne (par le theoreme de Lang-Weil)Si f est APN, alors la surface projective X
0
a trop de pointsrationnels pour etre contenue dans la surface projective(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.
41
Apercu de la demonstration
On considere la surface affine X definie par les equations
Pf (x , y , z) = Pf (x , y , t) = 0
et le complete X dans l’espace projectif a 4 dimensions.
La surface projective X est reductible.Un de ses composants irreductible X 0 a pour equationPf (x , y , z) = 0.C’est l’intersection de X avec le plan x + y + z + t = 0.La surface projective X 0 a un nombre de points rationnelsborne (par le theoreme de Lang-Weil)Si f est APN, alors la surface projective X 0 a trop de pointsrationnels pour etre contenue dans la surface projective(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.
41
Outline
1 APN functions
2 Bounds on APN polynomialsA first boundA second boundOther examples
3 Functions x−1 + g(x)
4 Differentially 4-uniform functionsAESMonomials functions with δ ≤ 4Polynomials functions with δ ≤ 4
5 Proofs
6 Conclusion
42
A first bound for the degree of an APN polynomial
Lemma
Let us suppose that the degree d of f is not a power of 2 andd ≥ 5.If f is APN
and if the affine surface X
f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)
(x0 + x1)(x2 + x1)(x0 + x2)= 0
is absolutely irreducible, then the corresponding projectivesurface has at most 4((d − 3)q + 1) rational points.
43
A first bound for the degree of an APN polynomial
Lemma
Let us suppose that the degree d of f is not a power of 2 andd ≥ 5.If f is APN and if the affine surface X
f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)
(x0 + x1)(x2 + x1)(x0 + x2)= 0
is absolutely irreducible,
then the corresponding projectivesurface has at most 4((d − 3)q + 1) rational points.
43
A first bound for the degree of an APN polynomial
Lemma
Let us suppose that the degree d of f is not a power of 2 andd ≥ 5.If f is APN and if the affine surface X
f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)
(x0 + x1)(x2 + x1)(x0 + x2)= 0
is absolutely irreducible, then the corresponding projectivesurface has at most 4((d − 3)q + 1) rational points.
43
X : f (x0)+f (x1)+f (x2)+f (x0+x1+x2)(x0+x1)(x2+x1)(x0+x2)
= 0
Proof –
The intersection of the surface X with the plane x0 + x1 = 0 is acurve of degree d − 3.
This curve has at most (d − 3)q + 1 rational points from Serre’sbound.
The same for the plane at infinity.
If f is APN, the surface X has no other rational points thanthose in the union of the plane x0 + x1 = 0, x2 + x1 = 0 andx0 + x2 = 0 or the plane at infinity.
So it has an most 4((d − 3)q + 1) rational points.
44
Theorem
Let f be a polynomial mapping from Fq to Fq, d its degree.
Suppose that the surface X with affine equation
f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)
(x0 + x1)(x2 + x1)(x0 + x2)= 0
is absolutely irreducible.
Then, if 9 ≤ d < 0.45q1/4 + 0.5 , f is not APN.
45
Proof of the theorem
From an improvement of Lang-Weil’s bound byGhorpade-Lachaud, we deduce
|#X (Fq)− q2 − q − 1| ≤ (d − 4)(d − 5)q3/2 + 18d4q.
Hence
#X (Fq) ≥ q2 + q + 1− (d − 4)(d − 5)q3/2 − 18d4q.
Therefore, if
q2 + q + 1− (d − 4)(d − 5)q3/2 − 18d4q > 4((d − 3)q + 1),
then #X (Fq) > 4((d − 3)q + 1), so f is not APN.
This condition is true for
q1/2 > 13.51− 5d + 4.773d2
46
Proof of the theorem
From an improvement of Lang-Weil’s bound byGhorpade-Lachaud, we deduce
|#X (Fq)− q2 − q − 1| ≤ (d − 4)(d − 5)q3/2 + 18d4q.
Hence
#X (Fq) ≥ q2 + q + 1− (d − 4)(d − 5)q3/2 − 18d4q.
Therefore, if
q2 + q + 1− (d − 4)(d − 5)q3/2 − 18d4q > 4((d − 3)q + 1),
then #X (Fq) > 4((d − 3)q + 1), so f is not APN.
This condition is true for
q1/2 > 13.51− 5d + 4.773d2
46
Monomials functions with δ ≤ 4
Theorem
Consider the Boolean function f : Fq −→ Fq defined byf (x) = xd .Suppose that the polynomial Pf (x , y , z) is absolutelyirreducible.If 5 ≤ d < q1/4 + 4.6 then the differential uniformity of f is atleast 6.
47
Proposition
If f is AAPN, then the number of rational points on the curve X0is at most 6(d − 3).
Proof.
If f is AAPN, then the rational points of the curve X0 arecontained in the surface V which is a union of planes and theplane x + y + z + t = 0, that is in a union of lines.Consequently each line cannot contain more that d − 3 points,therefore V contains at most 6(d − 3) rational points in X0.
48
Proposition
If f is AAPN, then the number of rational points on the curve X0is at most 6(d − 3).
Proof.
If f is AAPN, then the rational points of the curve X0 arecontained in the surface V which is a union of planes and theplane x + y + z + t = 0, that is in a union of lines.Consequently each line cannot contain more that d − 3 points,therefore V contains at most 6(d − 3) rational points in X0.
48
Proof of the theorem
According to Aubry and Perret, the number of rational points ofthe absolutely irreducible curve X0 verifies:
|#X0(Fq)− (q + 1)| ≤ (d − 4)(d − 5)q1/2.
Hence#X0(Fq) ≥ q + 1− (d − 4)(d − 5)q1/2.
Therefore, if q + 1− (d − 4)(d − 5)q1/2 > 6(d − 3), thenX0(Fq) 6⊂ V , so X (Fq) 6⊂ V , and the differential uniformity of f isat least 6.This condition is verified for
q ≥ d4 − 18d3 + 121d2 − 348d + 362
or 5 ≤ d < q1/4 + 4.6
49
Outline
1 APN functions
2 Bounds on APN polynomialsA first boundA second boundOther examples
3 Functions x−1 + g(x)
4 Differentially 4-uniform functionsAESMonomials functions with δ ≤ 4Polynomials functions with δ ≤ 4
5 Proofs
6 Conclusion
50
Criteria for Boolean functions
We have shown that many polynomials cannot be APN orAAPN
if their degrees are too large with respect to the number ofvariables
It is a consequence of bounds of the Weil type on somesurfaces on finite fields.
51
Some perspectives
To get numerical valuesTo study Boolean functions with δ = 6 . . .To study polynomial functions of degree 10, . . .To study polynomial functions of low degrees plus aquadratic function.Can one get better bounds on m and d by studying thespecial form of the surface X (for instance the symmetry ofthe equation in x0, x1, x2)?
52