On APN and almost APN functions - UMR6206 …iml.univ-mrs.fr/~rodier/ParisVIII.pdf · On APN and almost APN functions Yves Aubry1 Gregor Leander2 Franc¸ois Rodier3 1Imath – Toulon

On APN and almost APN functions

Yves Aubry1 Gregor Leander2 Francois Rodier3

1Imath – Toulon2Technical University of Danemark

3IML – Marseille

1

Outline

1 APN functions

2 Bounds on APN polynomialsA first boundA second boundOther examples

3 Functions x−1 + g(x)

4 Differentially 4-uniform functionsAESMonomials functions with δ ≤ 4Polynomials functions with δ ≤ 4

5 Proofs

6 Conclusion

2

Outline

1 APN functions




5 Proofs

6 Conclusion

3

Boolean functions.

Vectorial Boolean functions are useful in private keycryptography for designing block ciphers.

Two main attacks on these ciphers are differential attacksand linear attacks.An important criterion on boolean functions is a highresistance to the differential cryptanalysis.Kaisa Nyberg has introduced in 1993 the notion ofdifferential uniformity and almost perfect nonlinearity (APN)to characterize those functions which have the betterresistance to differential attacks.

4

Boolean functions.

Vectorial Boolean functions are useful in private keycryptography for designing block ciphers.Two main attacks on these ciphers are differential attacksand linear attacks.An important criterion on boolean functions is a highresistance to the differential cryptanalysis.

Kaisa Nyberg has introduced in 1993 the notion ofdifferential uniformity and almost perfect nonlinearity (APN)to characterize those functions which have the betterresistance to differential attacks.

4

Boolean functions.

Vectorial Boolean functions are useful in private keycryptography for designing block ciphers.Two main attacks on these ciphers are differential attacksand linear attacks.An important criterion on boolean functions is a highresistance to the differential cryptanalysis.Kaisa Nyberg has introduced in 1993 the notion ofdifferential uniformity and almost perfect nonlinearity (APN)to characterize those functions which have the betterresistance to differential attacks.

4

Differentially δ-uniform functions

Let us consider a (vectorial) Boolean function f : Fm2 −→ Fm

2 .

If we use the function f in a S-box of a cryptosystem, theefficiency of differential cryptanalysis is measured by themaximum of the cardinality of the set of elements x in Fm

2 suchthat

f (x + a)− f (x) = b

where a and b are elements in Fm2 and a 6= 0.

Definition

The function f is called a differentially δ-uniform function if

max06=a∈Fm

2 b∈Fm2

| {x |f (x + a)− f (x) = b} |= δ

5

Differentially δ-uniform functions

Let us consider a (vectorial) Boolean function f : Fm2 −→ Fm

2 .

If we use the function f in a S-box of a cryptosystem, theefficiency of differential cryptanalysis is measured by themaximum of the cardinality of the set of elements x in Fm

2 suchthat

f (x + a)− f (x) = b

where a and b are elements in Fm2 and a 6= 0.

Definition

The function f is called a differentially δ-uniform function if

max06=a∈Fm

2 b∈Fm2

| {x |f (x + a)− f (x) = b} |= δ

5

APN functions

δ(f ) = maxa 6=0,b

| {x ∈ Fm2 |f (x + a)− f (x) = b} | .

Since δ is obviously even and is nonzero, the least value of δ is2.

Differentially 2-uniform functions are called almost perfectnonlinear functions :

Definition

The function f is said to be APN (almost perfect nonlinear)if for every a 6= 0 in Fm

2 and b ∈ Fm2 ,

there exists at most 2 elements x of Fm2 such that

f (x + a) + f (x) = b.

6

APN functions

δ(f ) = maxa 6=0,b

| {x ∈ Fm2 |f (x + a)− f (x) = b} | .



Definition


2 and b ∈ Fm2 ,


f (x + a) + f (x) = b.

6

APN functions

δ(f ) = maxa 6=0,b

| {x ∈ Fm2 |f (x + a)− f (x) = b} | .



Definition


2 and b ∈ Fm2 ,


f (x + a) + f (x) = b.

6

APN functions

δ(f ) = maxa 6=0,b

| {x ∈ Fm2 |f (x + a)− f (x) = b} | .



Definition


2 and b ∈ Fm2 ,


f (x + a) + f (x) = b.

6

APN power functionsUp to now, the study of APN functions was especially devotedto the power functions.

The following functions f (x) = xd are APN on F2m , where d isgiven by:

d = 2h + 1 where gcd(h,m) = 1 (Gold functions).

d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).d = 2(m−1)/2 + 3 with m odd ( Welch functions).d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).d = 2m − 2, for m odd; (inverse function)d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).

The Gold and Kasami functions are the only known where d isindependent from m and which give APN functions for aninfinity of values of m.

7



d = 2h + 1 where gcd(h,m) = 1 (Gold functions).d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).

d = 2(m−1)/2 + 3 with m odd ( Welch functions).d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).d = 2m − 2, for m odd; (inverse function)d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).


7



d = 2h + 1 where gcd(h,m) = 1 (Gold functions).d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).d = 2(m−1)/2 + 3 with m odd ( Welch functions).

d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).d = 2m − 2, for m odd; (inverse function)d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).


7



d = 2h + 1 where gcd(h,m) = 1 (Gold functions).d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).d = 2(m−1)/2 + 3 with m odd ( Welch functions).d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).

d = 2m − 2, for m odd; (inverse function)d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).


7



d = 2h + 1 where gcd(h,m) = 1 (Gold functions).d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).d = 2(m−1)/2 + 3 with m odd ( Welch functions).d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).d = 2m − 2, for m odd; (inverse function)

d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).


7



d = 2h + 1 where gcd(h,m) = 1 (Gold functions).d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).d = 2(m−1)/2 + 3 with m odd ( Welch functions).d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).d = 2m − 2, for m odd; (inverse function)d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).


7



d = 2h + 1 where gcd(h,m) = 1 (Gold functions).d = 22h − 2h + 1 where gcd(h,m) = 1 (Kasami functions).d = 2(m−1)/2 + 3 with m odd ( Welch functions).d = 2(m−1)/2 + 2(m−1)/4 − 1, where m ≡ 1 (mod 4),d = 2(m−1)/2 + 2(3m−1)/4 − 1, where m ≡ 3 (mod 4) (Nihofunctions).d = 2m − 2, for m odd; (inverse function)d = 24m/5 + 23m/5 + 22m/5 + 2m/5 − 1, where m is divisibleby 5 (Dobbertin functions).


7

CCZ equivalence

Carlet, Charpin and Zinoviev have defined an equivalencerelation between Boolean functions.

For a function f of Fm2 in itself we denote by Gf the graph of the

function f :Gf = {(x , f (x)) | x ∈ Fm

2 }.

Definition

The functions f , f ′ : Fm2 −→ Fm

2 are equivalent in the sense ofCarlet-Charpin-Zinoviev (CCZ equivalence)if there exist a linear permutation L : F2m

2 −→ F2m2 such that

L(Gf ) = Gf ′ .

Proposition

If f and f ′ are CCZ equivalent, then f is APN if and only if f ′ is.

8

CCZ equivalence

Carlet, Charpin and Zinoviev have defined an equivalencerelation between Boolean functions.

For a function f of Fm2 in itself we denote by Gf the graph of the

function f :Gf = {(x , f (x)) | x ∈ Fm

2 }.

Definition

The functions f , f ′ : Fm2 −→ Fm

2 are equivalent in the sense ofCarlet-Charpin-Zinoviev (CCZ equivalence)if there exist a linear permutation L : F2m

2 −→ F2m2 such that

L(Gf ) = Gf ′ .

Proposition

If f and f ′ are CCZ equivalent, then f is APN if and only if f ′ is.

8

APN function not equivalent to a power function

First example:

In 2005, Edel, Kyureghyan and Pott proved that the function

F210 −→ F210

x 7−→ x3 + ωx36

where ω is a primitive cube root of unity in F∗210 was APN andnot CCZ equivalent to a power function.

A number of people (Budaghyan, Carlet, Felke, Leander,Bracken, Byrne, Markin, McGuire, Dillon. . . ) showed thatcertain quadratic polynomials were APN and not CCZequivalent to known power functions.

9


First example:


F210 −→ F210

x 7−→ x3 + ωx36



9


First example:


F210 −→ F210

x 7−→ x3 + ωx36



9

Toward the classification of APN functions

Some results toward the classification of APN functionsgiven by polynomials have been proved

by Berger, Canteaut, Charpin, Laigle-ChapuyThey prove that a large class of quadratic functions cannotbe APN.

by Byrne and McGuireMany quadratic functions, are not APN functions over anextension of the base field.by Brinkman and Leander,APN functions with at most 5 variables are equivalent topower functions.by VolochMany binomials are not APN functions over an extension ofthe base field.. . .

We will give here some criteria for a Boolean function notto be APN (i.e. not differentially 2-uniform) and not to bealmost APN (i.e. not differentially 4-uniform)

10



by Berger, Canteaut, Charpin, Laigle-ChapuyThey prove that a large class of quadratic functions cannotbe APN.by Byrne and McGuireMany quadratic functions, are not APN functions over anextension of the base field.

by Brinkman and Leander,APN functions with at most 5 variables are equivalent topower functions.by VolochMany binomials are not APN functions over an extension ofthe base field.. . .


10



by Berger, Canteaut, Charpin, Laigle-ChapuyThey prove that a large class of quadratic functions cannotbe APN.by Byrne and McGuireMany quadratic functions, are not APN functions over anextension of the base field.by Brinkman and Leander,APN functions with at most 5 variables are equivalent topower functions.

by VolochMany binomials are not APN functions over an extension ofthe base field.. . .


10



by Berger, Canteaut, Charpin, Laigle-ChapuyThey prove that a large class of quadratic functions cannotbe APN.by Byrne and McGuireMany quadratic functions, are not APN functions over anextension of the base field.by Brinkman and Leander,APN functions with at most 5 variables are equivalent topower functions.by VolochMany binomials are not APN functions over an extension ofthe base field.. . .


10




We will give here some criteria for a Boolean function notto be APN (i.e. not differentially 2-uniform)

and not to bealmost APN (i.e. not differentially 4-uniform)

10





10

Result on monomials

We will generalize this result on monomials by Anne Canteaut.

Proposition

Suppose that the curve

xd + yd + 1 + (x + y + 1)d

(x + y)(x + 1)(y + 1)= 0

is absolutely irreducible over F2. The mapping x 7−→ xd is notAPN over Fq, q ≥ 32, if

d ≤ q1/4 + 4.5

11

Equivalent polynomials

A q-affine polynomial is a polynomial whose monomials are ofdegree 0 or a power of 2.

Proposition

The class of APN functions is invariant by addition of a q-affinepolynomial.

More generally, if g is a q-affine polynomial, then

δ(f + g) = δ(f ).

We choose for f a polynomial mapping from F2m in itself whichhas no term of degree a power of 2 and with no constant term.

12



Proposition

The class of APN functions is invariant by addition of a q-affinepolynomial. More generally, if g is a q-affine polynomial, then

δ(f + g) = δ(f ).


12



Proposition

The class of APN functions is invariant by addition of a q-affinepolynomial. More generally, if g is a q-affine polynomial, then

δ(f + g) = δ(f ).


12

Outline

1 APN functions




5 Proofs

6 Conclusion

13

Characterization of APN polynomials

Let q = 2m and let f be a polynomial mapping of Fq in itself.

Proposition

The function f : Fq −→ Fq is APN if and only if the surface

f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2) = 0

has all of its rational points contained in the surface

(x0 + x1)(x2 + x1)(x0 + x2) = 0.

14


Let q = 2m and let f be a polynomial mapping of Fq in itself.

Proposition

The function f : Fq −→ Fq is APN if and only if the surface

f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2) = 0

has all of its rational points contained in the surface

(x0 + x1)(x2 + x1)(x0 + x2) = 0.

14

A first bound for the degree of an APN polynomial

We have the following result:

Theorem

Let f be a polynomial mapping from Fq to Fq, d its degree.

Suppose that the surface X with affine equation

f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)

(x0 + x1)(x2 + x1)(x0 + x2)= 0

is absolutely irreducible.

Then, if 9 ≤ d < 0.45q1/4 + 0.5 , f is not APN.

15

Apercu de la demonstration

La surface X a un nombre de points rationnels borne parune expression dependant de d (par le theoreme deLang-Weil)

Si f est APN et d trop grand, alors la surface X a trop depoints rationnels pour etre contenue dans la surface(x0 + x1)(x2 + x1)(x0 + x2) = 0.

16


La surface X a un nombre de points rationnels borne parune expression dependant de d (par le theoreme deLang-Weil)Si f est APN et d trop grand, alors la surface X a trop depoints rationnels pour etre contenue dans la surface(x0 + x1)(x2 + x1)(x0 + x2) = 0.

16

Irreducibility of X

Criterion for the surface X to be irreducible.

Proposition

Let f be a polynomial of Fq to itself, d its degree. Let ussuppose that d is not a power of 2 and that the curve X∞ withhomogeneous equation

xd0 + xd

1 + xd2 + (x0 + x1 + x2)

d

(x0 + x1)(x2 + x1)(x0 + x2)= 0

is absolutely irreducible.Then the surface X of affine equation

f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)

(x0 + x1)(x2 + x1)(x0 + x2)= 0


17

Proof – The curve X∞ with homogeneous equation

xd0 + xd

1 + xd2 + (x0 + x1 + x2)

d

(x0 + x1)(x2 + x1)(x0 + x2)= 0

is the intersection of the surface X of affine equation

f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)

(x0 + x1)(x2 + x1)(x0 + x2)= 0

with the plane at infinity.Since the curve X∞ is absolutely irreducible it is the same forthe surface X .

18

Irreducibility of X∞

Janwa, McGuire and Wilson have studied the curve X∞ andhave deduced a certain number of cases where it is absolutelyirreducible.

Proposition

The curve X∞ is absolutely irreducible for

d ≡ 3 (mod 4)

ord ≡ 5 (mod 8) and d > 13.

19

A second bound

We can improve the bound for some cases.

Theorem

Let f be a polynomial mapping from Fq to Fq, d its degree.Let us suppose that d is not a power of 2 and that the surface X

f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)

(x0 + x1)(x2 + x1)(x0 + x2)= 0

has only a finite number of singular points.Then if 10 ≤ d < q1/4 + 4, f is not APN.

20

Amelioration de la borne de Lang et Weil par Deligne etpar Ghorpade-Lachaud

Des conditions suffisantes pour qu’il n’y ait qu’un nombrede points singulier fini ont ete donnees par Janwa etWilson

Proposition

The surface X has only a finite number of singular points. forthe values of d = 2l + 1 where

l is an odd integer such as there exists an integer r with2r ≡ −1 (mod l).l is a prime number larger than 17 such as the order of 2modulo l is (l − 1)/2.

In particular the first condition is satisfied if l is a prime numbercongruent to ±3 modulo 8.

21

Amelioration de la borne de Lang et Weil par Deligne etpar Ghorpade-LachaudDes conditions suffisantes pour qu’il n’y ait qu’un nombrede points singulier fini ont ete donnees par Janwa etWilson

Proposition




21

Amelioration de la borne de Lang et Weil par Deligne etpar Ghorpade-LachaudDes conditions suffisantes pour qu’il n’y ait qu’un nombrede points singulier fini ont ete donnees par Janwa etWilson

Proposition




21

Binomials I

Improvement of a Proposition by Voloch

Proposition

Let f (x) = xd + ax r ,wherea ∈ F∗q ,r < d are integers, not both even, and not a power of 2and such that (d − 1, r − 1) be a power of 2.

Then, if 9 ≤ d < 0,45q1/4 + 0,5 , f is not APN.

Example

For instance the binomial x36 + ax3 with a 6= 0 can be APN onlyif m ≤ 24.(It is APN for m = 10 and certain a).

22

Binomials I

Improvement of a Proposition by Voloch

Proposition

Let f (x) = xd + ax r ,wherea ∈ F∗q ,r < d are integers, not both even, and not a power of 2and such that (d − 1, r − 1) be a power of 2.

Then, if 9 ≤ d < 0,45q1/4 + 0,5 , f is not APN.

Example

For instance the binomial x36 + ax3 with a 6= 0 can be APN onlyif m ≤ 24.(It is APN for m = 10 and certain a).

22

Binomials IIExtension of a lemma by Byrne and McGuire

Proposition

Let f (x) = xd + ax r , where a ∈ F∗q3 ≤ r < d, are two integers.

Let φs be the polynomialxs

0 + xs1 + xs

2 + (x0 + x1 + x2)s

(x0 + x1)(x2 + x1)(x0 + x2)

Let us suppose that (φd , φr ) = 1 and thateither φd decomposes in distinct factors on F2 and r ≥ 5;or φr decomposes in distinct factors on F2.


Example

This proposition shows that the polynomial x13 + ax7 with a 6= 0can be APN only if m ≤ 19, because the polynomial φ7 isirreducible and does not divide φ13.

23

Binomials IIExtension of a lemma by Byrne and McGuire

Proposition

Let f (x) = xd + ax r , where a ∈ F∗q3 ≤ r < d, are two integers.

Let φs be the polynomialxs

0 + xs1 + xs

2 + (x0 + x1 + x2)s

(x0 + x1)(x2 + x1)(x0 + x2)

Let us suppose that (φd , φr ) = 1 and thateither φd decomposes in distinct factors on F2 and r ≥ 5;or φr decomposes in distinct factors on F2.


Example

This proposition shows that the polynomial x13 + ax7 with a 6= 0can be APN only if m ≤ 19, because the polynomial φ7 isirreducible and does not divide φ13.

23

Polynomials of degree 3 or 5

It is enough to look at the polynomials of the form a5x5 + a3x3.

These polynomials are linear combination of two monomials ofthe form x2i+1.

They cannot be APN except if a3 or a5 is zero.In this case, they are Gold functions.

24

Polynomials of degree 6

Proposition

Let f (x) = x6 + a5x5 + a3x3 be a polynomial of degree 6.

The polynomial f is APN if and only if a3 = a5 = 0.

Then it is equivalent to a Gold function.

ProofThe surface X is absolutely irreducible, except if a3 = a3

5.The surface X has only isolated singularities if 0 6= a3 6= a3

5.One deduce that f can be APN only if m ≤ 4.

25


Proposition

Let f (x) = x6 + a5x5 + a3x3 be a polynomial of degree 6.

The polynomial f is APN if and only if a3 = a5 = 0.

Then it is equivalent to a Gold function.

ProofThe surface X is absolutely irreducible, except if a3 = a3

5.The surface X has only isolated singularities if 0 6= a3 6= a3

5.One deduce that f can be APN only if m ≤ 4.

25


Proposition

Let f be a polynomial of degree 7.

For m ≥ 3, the polynomial f can be APN only if it isCCZ-equivalent to the polynomial x7 on F32.

Then it is equivalent to a Welsh function.

Proof –

The surface X has only isolated singularities.One deduce that f can be APN only if m ≤ 6.One deduce the proposition from the work of M. Brinkman andG. Leander and with an exhaustive research for m = 6.

26


Proposition


For m ≥ 3, the polynomial f can be APN only if it isCCZ-equivalent to the polynomial x7 on F32.

Then it is equivalent to a Welsh function.

Proof –

The surface X has only isolated singularities.One deduce that f can be APN only if m ≤ 6.One deduce the proposition from the work of M. Brinkman andG. Leander and with an exhaustive research for m = 6.

26


Proposition


The polynomial f cannot be APN for an infinity of m except if itis equivalent to the polynomial x9.Then it is CCZ-equivalent to a Gold function.

Otherwise the polynomial f can be APN only for m = 6.Then it is equal to a Dillon’s function f = x9 + a6x6 + a3x3 or toa CCZ-equivalent function.

27

Proof –One can limit our study to a few families of polynomials.

The function x9 is a Gold function.

The only other case where the surface X is reducible is whenf (x) = x9 + a6x6 + a3x3 with a3 = a2

6 6= 0.Then X is a union of two degree 3 surfaces.

For most of the cases, the surface X has only a finite number ofsingularities. The function f can only be APN if m ≤ 13.

An exhaustive search proves the proposition for the remainingcases.The only APN function we find is a functionf = x9 + a6x6 + a3x3 for m = 6 already obtained by Dillon.

28

Numerical examples

When the surface X is irreducible, the function f can be APNonly if m ≤ mmax where mmax is given by the following table.

d ≤ 7 9 10 12 15 17 21 23 29 36 41 49mmax 15 16 17 18 19 20 21 22 23 24 25 26

When moreover the surface X has only a finite number ofsingularities, the function f can be APN only if m ≤ mmax wheremmax is given by the following table.

d ≤ 7 9 10 12 13 15 17 20 23 26 30 36mmax 6 9 10 11 12 13 14 15 16 17 18 19

29

Numerical examples

When the surface X is irreducible, the function f can be APNonly if m ≤ mmax where mmax is given by the following table.

d ≤ 7 9 10 12 15 17 21 23 29 36 41 49mmax 15 16 17 18 19 20 21 22 23 24 25 26

When moreover the surface X has only a finite number ofsingularities, the function f can be APN only if m ≤ mmax wheremmax is given by the following table.

d ≤ 7 9 10 12 13 15 17 20 23 26 30 36mmax 6 9 10 11 12 13 14 15 16 17 18 19

29

Outline

1 APN functions




5 Proofs

6 Conclusion

30

Mappings x−1 + g(x)

Proposition

Let g be a polynomial mapping from Fq in itself, d its degree.Then, if 5 ≤ d < 0.45q1/4 − 4.5 , f = xq−2 + g is not APN.

Proof

The surface X is of degree q − 5.We study instead the surface X ′

g(x0) + g(x1) + g(x2) + g(x0 + x1 + x2)

(x0 + x1)(x2 + x1)(x0 + x2)x0x1x2(x0 +x1 +x2) = 1

The surface X ′ is irreducible.If f is APN then X ′(Fq) ≤ 8dq + 4.

Example

The functions xq−2 + axd for a 6= 0, exponents d up to 29 andnot a power of 2 are not APN.

31


Proposition


Proof

The surface X is of degree q − 5.

We study instead the surface X ′

g(x0) + g(x1) + g(x2) + g(x0 + x1 + x2)

(x0 + x1)(x2 + x1)(x0 + x2)x0x1x2(x0 +x1 +x2) = 1


Example


31


Proposition


Proof


g(x0) + g(x1) + g(x2) + g(x0 + x1 + x2)

(x0 + x1)(x2 + x1)(x0 + x2)x0x1x2(x0 +x1 +x2) = 1


Example


31


Proposition


Proof


g(x0) + g(x1) + g(x2) + g(x0 + x1 + x2)

(x0 + x1)(x2 + x1)(x0 + x2)x0x1x2(x0 +x1 +x2) = 1


Example


31

Outline

1 APN functions




5 Proofs

6 Conclusion

32

Advanced Encryption Standard

The S-box used by AES is f : F82 −→ F8

2 defined by

f (x) = x−1

for x 6= 0 and f (0) = 0.

We have: δ(f ) = 4.

More generally, the same function on Fm2 defined for x 6= 0 by

f (x) = x−1 = x2m−2

has δ(f ) = 2 for m odd and δ(f ) = 4 for m even (Nyberg (1993)).

33



2 defined by

f (x) = x−1

for x 6= 0 and f (0) = 0.



f (x) = x−1 = x2m−2


33



2 defined by

f (x) = x−1

for x 6= 0 and f (0) = 0.



f (x) = x−1 = x2m−2


33

Differentially 4-uniform functions

from Bracken and LeanderThe following functions are differentially 4-uniform

f (x) = g(x) + Tr(h(x))where g(x) is any APN function and h(x) is any function onthe field.f (x) = A(g(x))where A is any 2-to-1 affine mapping and g(x) is APN.f (x) = g(A(x))where A is any 2-to-1 affine mapping and g(x) is APN

f (x) = x2n−1−1

when n is even this function is differentially 4 uniform. It isAPN when n is odd.f (x) = x2n−1−1 + x5

where n is odd.f (x) = x22k+2k+1 on F24k

34


Let f be a polynomial mapping of Fq in itself. We have thefollowing result:

Proposition

The function f : Fq −→ Fq is AAPN (differentially 4-uniform) ifand only if the set of points (x , y , z, t) such that{

f (x) + f (y) + f (z) + f (x + y + z) = 0f (x) + f (y) + f (t) + f (x + y + t) = 0

is contained in the surface(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.

35


Let f be a polynomial mapping of Fq in itself. We have thefollowing result:

Proposition

The function f : Fq −→ Fq is AAPN (differentially 4-uniform) ifand only if the set of points (x , y , z, t) such that{

f (x) + f (y) + f (z) + f (x + y + z) = 0f (x) + f (y) + f (t) + f (x + y + t) = 0

is contained in the surface(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.

35

Monomials functions with δ ≤ 4

Let f be a monomial of degree d .The polynomials

Pf (x , y , z) =f (x) + f (y) + f (z) + f (x + y + z)

(x + y)(x + z)(y + z)

Pf (x , y , t) =f (x) + f (y) + f (t) + f (x + y + t)

(x + t)(y + t)(z + t)

are homogeneous polynomials.

36


Theorem

Consider the Boolean function f : Fq −→ Fq defined byf (x) = xd .Suppose that the polynomial Pf (x , y , z) is absolutelyirreducible.If 5 ≤ d < q1/4 + 4.6 then the differential uniformity of f is atleast 6.

37


On considere la courbe X definie par les equations

Pf (x , y , z) = Pf (x , y , t) = 0

dans l’espace projectif a 3 dimensions.

La courbe projective X est reductible.Un de ses composants irreductibles X0 a pour equationPf (x , y , z) = 0.C’est l’intersection de X avec le plan x + y + z + t = 0.

La courbe projective X

0

a un nombre de points rationnelsborne (par le theoreme de Weil)Si f est APN, alors la courbe projective X

0

a trop de pointsrationnels pour etre contenue dans la courbe projective(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.

38



Pf (x , y , z) = Pf (x , y , t) = 0

dans l’espace projectif a 3 dimensions.La courbe projective X est reductible.

Un de ses composants irreductibles X0 a pour equationPf (x , y , z) = 0.C’est l’intersection de X avec le plan x + y + z + t = 0.

La courbe projective X

0

a un nombre de points rationnelsborne (par le theoreme de Weil)Si f est APN, alors la courbe projective X

0

a trop de pointsrationnels pour etre contenue dans la courbe projective(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.

38



Pf (x , y , z) = Pf (x , y , t) = 0

dans l’espace projectif a 3 dimensions.La courbe projective X est reductible.Un de ses composants irreductibles X0 a pour equationPf (x , y , z) = 0.C’est l’intersection de X avec le plan x + y + z + t = 0.La courbe projective X 0 a un nombre de points rationnelsborne (par le theoreme de Weil)Si f est APN, alors la courbe projective X 0 a trop de pointsrationnels pour etre contenue dans la courbe projective(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.

38

Application numerique

Pour les exposants inferieurs ou egaux a 57 tels qued ≥ q1/4 + 4,6:

x7 et x11 sont AAPN sur F24 .Sur F26 les monomes de degres 5, 13, 17, 19, 31, 41, 47,55.Sur F27 les monomes de degres 19, 25, 47.Sur F28 les monomes de degres 5, 13, 21.Sur F29 les monomes de degre 45.Sur F210 les monomes de degres 13, 17, 21, 29.Sur F214 les monomes de degres 13, 17.

Les monomes en rouge sont equivalents a x−1.Les monomes en vert sont equivalents aux exposants de Goldet de Kasami.Les monomes x7 sur F24 et x21 sur F28 sont donnes parBrinkman et Leander.

39

Polynomials functions with δ ≤ 4

Theorem

Let f be a polynomial mapping of Fq in itself, d its degree.Suppose that the surface S of affine equation

Pf (x , y , z) =f (x) + f (y) + f (z) + f (x + y + z)

(x + y)(x + z)(y + z)= 0 (1)

is absolutely irreducible. Then, if 9 ≤ d < 0.45q1/4 + 0.5, thedifferential uniformity of f is at least 6.

40


On considere la surface affine X definie par les equations

Pf (x , y , z) = Pf (x , y , t) = 0

et le complete X dans l’espace projectif a 4 dimensions.

La surface projective X est reductible.Un de ses composants irreductible X 0 a pour equationPf (x , y , z) = 0.C’est l’intersection de X avec le plan x + y + z + t = 0.

La surface projective X

0

a un nombre de points rationnelsborne (par le theoreme de Lang-Weil)Si f est APN, alors la surface projective X

0

a trop de pointsrationnels pour etre contenue dans la surface projective(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.

41



Pf (x , y , z) = Pf (x , y , t) = 0


La surface projective X est reductible.

Un de ses composants irreductible X 0 a pour equationPf (x , y , z) = 0.C’est l’intersection de X avec le plan x + y + z + t = 0.

La surface projective X

0

a un nombre de points rationnelsborne (par le theoreme de Lang-Weil)Si f est APN, alors la surface projective X

0

a trop de pointsrationnels pour etre contenue dans la surface projective(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.

41



Pf (x , y , z) = Pf (x , y , t) = 0


La surface projective X est reductible.Un de ses composants irreductible X 0 a pour equationPf (x , y , z) = 0.C’est l’intersection de X avec le plan x + y + z + t = 0.La surface projective X 0 a un nombre de points rationnelsborne (par le theoreme de Lang-Weil)Si f est APN, alors la surface projective X 0 a trop de pointsrationnels pour etre contenue dans la surface projective(x + y)(x + z)(x + t)(y + z)(y + t)(z + t) = 0.

41

Outline

1 APN functions




5 Proofs

6 Conclusion

42


Lemma

Let us suppose that the degree d of f is not a power of 2 andd ≥ 5.If f is APN

and if the affine surface X

f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)

(x0 + x1)(x2 + x1)(x0 + x2)= 0

is absolutely irreducible, then the corresponding projectivesurface has at most 4((d − 3)q + 1) rational points.

43


Lemma

Let us suppose that the degree d of f is not a power of 2 andd ≥ 5.If f is APN and if the affine surface X

f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)

(x0 + x1)(x2 + x1)(x0 + x2)= 0

is absolutely irreducible,

then the corresponding projectivesurface has at most 4((d − 3)q + 1) rational points.

43


Lemma

Let us suppose that the degree d of f is not a power of 2 andd ≥ 5.If f is APN and if the affine surface X

f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)

(x0 + x1)(x2 + x1)(x0 + x2)= 0

is absolutely irreducible, then the corresponding projectivesurface has at most 4((d − 3)q + 1) rational points.

43

X : f (x0)+f (x1)+f (x2)+f (x0+x1+x2)(x0+x1)(x2+x1)(x0+x2)

= 0

Proof –

The intersection of the surface X with the plane x0 + x1 = 0 is acurve of degree d − 3.

This curve has at most (d − 3)q + 1 rational points from Serre’sbound.

The same for the plane at infinity.

If f is APN, the surface X has no other rational points thanthose in the union of the plane x0 + x1 = 0, x2 + x1 = 0 andx0 + x2 = 0 or the plane at infinity.

So it has an most 4((d − 3)q + 1) rational points.

44

Theorem

Let f be a polynomial mapping from Fq to Fq, d its degree.

Suppose that the surface X with affine equation

f (x0) + f (x1) + f (x2) + f (x0 + x1 + x2)

(x0 + x1)(x2 + x1)(x0 + x2)= 0



45

Proof of the theorem

From an improvement of Lang-Weil’s bound byGhorpade-Lachaud, we deduce

|#X (Fq)− q2 − q − 1| ≤ (d − 4)(d − 5)q3/2 + 18d4q.

Hence

#X (Fq) ≥ q2 + q + 1− (d − 4)(d − 5)q3/2 − 18d4q.

Therefore, if

q2 + q + 1− (d − 4)(d − 5)q3/2 − 18d4q > 4((d − 3)q + 1),

then #X (Fq) > 4((d − 3)q + 1), so f is not APN.

This condition is true for

q1/2 > 13.51− 5d + 4.773d2

46


From an improvement of Lang-Weil’s bound byGhorpade-Lachaud, we deduce

|#X (Fq)− q2 − q − 1| ≤ (d − 4)(d − 5)q3/2 + 18d4q.

Hence

#X (Fq) ≥ q2 + q + 1− (d − 4)(d − 5)q3/2 − 18d4q.

Therefore, if

q2 + q + 1− (d − 4)(d − 5)q3/2 − 18d4q > 4((d − 3)q + 1),

then #X (Fq) > 4((d − 3)q + 1), so f is not APN.

This condition is true for

q1/2 > 13.51− 5d + 4.773d2

46


Theorem

Consider the Boolean function f : Fq −→ Fq defined byf (x) = xd .Suppose that the polynomial Pf (x , y , z) is absolutelyirreducible.If 5 ≤ d < q1/4 + 4.6 then the differential uniformity of f is atleast 6.

47

Proposition

If f is AAPN, then the number of rational points on the curve X0is at most 6(d − 3).

Proof.

If f is AAPN, then the rational points of the curve X0 arecontained in the surface V which is a union of planes and theplane x + y + z + t = 0, that is in a union of lines.Consequently each line cannot contain more that d − 3 points,therefore V contains at most 6(d − 3) rational points in X0.

48

Proposition

If f is AAPN, then the number of rational points on the curve X0is at most 6(d − 3).

Proof.

If f is AAPN, then the rational points of the curve X0 arecontained in the surface V which is a union of planes and theplane x + y + z + t = 0, that is in a union of lines.Consequently each line cannot contain more that d − 3 points,therefore V contains at most 6(d − 3) rational points in X0.

48


According to Aubry and Perret, the number of rational points ofthe absolutely irreducible curve X0 verifies:

|#X0(Fq)− (q + 1)| ≤ (d − 4)(d − 5)q1/2.

Hence#X0(Fq) ≥ q + 1− (d − 4)(d − 5)q1/2.

Therefore, if q + 1− (d − 4)(d − 5)q1/2 > 6(d − 3), thenX0(Fq) 6⊂ V , so X (Fq) 6⊂ V , and the differential uniformity of f isat least 6.This condition is verified for

q ≥ d4 − 18d3 + 121d2 − 348d + 362

or 5 ≤ d < q1/4 + 4.6

49

Outline

1 APN functions




5 Proofs

6 Conclusion

50

Criteria for Boolean functions

We have shown that many polynomials cannot be APN orAAPN

if their degrees are too large with respect to the number ofvariables

It is a consequence of bounds of the Weil type on somesurfaces on finite fields.

51

Some perspectives

To get numerical valuesTo study Boolean functions with δ = 6 . . .To study polynomial functions of degree 10, . . .To study polynomial functions of low degrees plus aquadratic function.Can one get better bounds on m and d by studying thespecial form of the surface X (for instance the symmetry ofthe equation in x0, x1, x2)?

52

Merci

53

Documents

On APN and almost APN functions - UMR6206 …iml.univ-mrs.fr/~rodier/ParisVIII.pdf · On APN and almost APN functions Yves Aubry1 Gregor Leander2 Franc¸ois Rodier3 1Imath – Toulon