A class of APcN power functions over finite fields of even characteristic

07/14/2021 βˆ™ by Ziran Tu, et al. βˆ™ Alibaba Cloud βˆ™ Southwest Jiaotong University βˆ™ 0 βˆ™

In this paper, we investigate the power functions F(x)=x^d over the finite field 𝔽_2^4n, where n is a positive integer and d=2^3n+2^2n+2^n-1. It is proved that F(x)=x^d is APcN at certain c's in 𝔽_2^4n, and it is the second class of APcN power functions over finite fields of even characteristic. Further, the c-differential spectrum of these power functions is also determined.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Let , be two positive integers and denote the finite field with elements. An S-box is a vectorial Boolean function from to , also called an -function. The security of most modern block ciphers deeply relies on cryptographic properties of their S-boxes since S-boxes usually are the only nonlinear elements of these cryptosystems. It is therefore significant to employ S-boxes with good cryptographic properties in order to resist various kinds of cryptanalytic attacks.

Differential attack [1] is one of the most fundamental cryptanalytic approaches targeting symmetric-key primitives and is the first statistical attack for breaking iterated block ciphers. The differential uniformity of S-boxes, which was introduced by Nyberg in [7], can be used to measure how well the S-box used in a cipher could resist the differential attack.

Definition 1.

Let be the finite field of elements. A function defined over is called differentially -uniform, where and

We call the function perfect nonlinear (PN) or almost perfect nonlinear (APN), if or

, respectively. It is well-known that PN functions only exists for an odd prime power

. Thus, when is even, APN functions have the best resistance to differential attacks. To analyze the ciphers using modular multiplication as primitive operations more effectively, the authors in [4] proposed the concept of multiplicative differential. Very recently, based on this new type of differential, Ellingsen, Felke, Riera, Stǎnicǎ and Tkachenko gave the definition of -differential uniformity in [5]:

Definition 2.

Let be a prime power and be the finite field with elements. Given a function , the (multiplicative) -derivative of with respect to is defined as

Denote

and

Then is called differentially -uniform.

Note that if or , then is just a shift of or trivially . If , then becomes the usual derivative and the -differential uniformity becomes differential uniformity in Definition 1. Similarly, we call a function perfect -nonlinear (PcN) or almost perfect -nonlinear (APcN), if or , respectively. It is worth noting that PcN functions exist for even , which is a big difference between PN and PcN properties. So far as we know, there are only very few results about PcN and APcN functions. The -differential property of some power functions including Inverse functions, Gold functions, etc., have been investigated [6, 11, 13, 14]. In [11] the authors give a necessary and sufficient condition for the Gold functions to be PcN, they further conjectured that all the PcN functions in are linear functions, Gold functions and their inverses. Several ideas including the AGW criterion, cyclotomic method, the perturbing and swapping method [3, 8, 10] have been used to construct functions with low -differential uniformity.

In this paper, we prove that this special power permutation over is APcN on satisfying , where . By introducing two parameters and satisfying , we transform the APcN problem into solving a two-equation system on and . Then a new variable is used to induce an equation with algebraic degree four, which help us give the final proof. To the best of our knowledge, there are only two classes of APcN power functions over the finite fields with even characteristic, the first one is the well-known Inverse functions, the second one is the power functions proposed in this paper.

2 Preliminaries

Let be a prime power, and are two finite fields with . Then can be seen as a subfield of and the relative trace from to is defined as

If , we call the above trace Absolute. Given a finite field , let be a positive integer and , define

which is constituted by all th root of unity in . A very important such set is the unit circle of when , which is exactly defined as

The following lemma describes exactly the conditions that a quadratic equation has one or two solutions in the unit circle.

Lemma 1.

[9] Let be an even positive integer and satisfy . Then the quadratic equation has

(1) both solutions in the unit circle if and only if

(2) exactly one solution in the unit circle, if and only if

An important fact about the unit circle is the polar-decomposition of elements, i.e., each element in can be uniquely written as

where and . Let be a power function on . Note that , where is defined as Definition 2. Hence the differential characteristics of are completely determined by the values of for . Let be defined as follows:

The -differential spectrum of at the point is the set of with :

3 The APcN property of the power functions

From now on, we always assume that is a positive integer, and . We further assume that , and we will prove that at all such ’s the power function is APcN. Note that for such , we have , due to that and are two solutions in of the quadratic equation . The polar decomposition for any , with and , will be frequently used in later discussions, and we always denote for convenience. To be preparations, several useful propositions are given as follows:

Proposition 1.

(1) For , if , then

(2) For satisfying , indicates .

Proof.

(1) Let for some , then if and only if . The denominator

where due to . The numerator equals

Then

(2) From (1), if and only if

in which the middle part equals

then due to the facts and . ∎

Proposition 2.

For all , define

(3.1)

If for some , then .

Proof.

The proof is proceeded as follows:

If , then gives that , due to for . The assumptions and also indicate that . Now assume that and . If there exists some such that , then , which means that

satisfies . Note that if and only if

by expanding the above equality we have

which implies . By substituting with , we have

which gives

(3.2)

We substitute into and obtain that

Since all the coefficients belong to and , we have that if and only if

(3.3)

and

(3.4)

By plugging (3.2) into (3.4), we get

which means that and then . That is to say, we have . Then (3.3) gives

which contradicts.

This completes the proof. ∎

Proposition 3.

Assume that . Define

Then for any , and are not zero at the same time.

Proof.

Firstly observe that if , then , and . Similarly gives that . If and , it suffices to show due to . Since means , which gives that , and then

due to . Now assume that , the decomposition indicates that and . Note that gives

(3.5)

If , then we have

By squaring the second equality and plugging into which with (3.5), we obtain that

and then , which contradicts with the assumption . ∎

Proposition 4.

For , if , then

Proof.

By Proposition 1, it suffices to show . The proposition obviously holds if . Assume with and . The conditions give that

(3.6)
(3.7)

and

(3.8)

Note that if , then (3.7) gives , and then (3.8) does not hold due to . So we must have . By equations (3.6) and (3.7), we get

The combination of (3.6) and (3.8) gives that

which is equivalent to

Denote , from and , we have

for some . Obviously . Then

together with , we get , i.e,

If , the condition implies