 # A class of APcN power functions over finite fields of even characteristic

In this paper, we investigate the power functions $F(x)=x^d$ over the finite field $\mathbb{F}_{2^{4n}}$, where $n$ is a positive integer and $d=2^{3n}+2^{2n}+2^n-1$. It is proved that $F(x)=x^d$ is APcN at certain $c$'s in $\mathbb{F}_{2^{4n}}$, and it is the second class of APcN power functions over finite fields of even characteristic. Further, the $c$-differential spectrum of these power functions is also determined.


## 1 Introduction

Let , be two positive integers and denote the finite field with elements. An S-box is a vectorial Boolean function from to , also called an -function. The security of most modern block ciphers relies heavily on the cryptographic properties of their S-boxes, since S-boxes are usually the only nonlinear components of these cryptosystems. It is therefore important to employ S-boxes with good cryptographic properties in order to resist various kinds of cryptanalytic attacks.

The differential attack  is one of the most fundamental cryptanalytic approaches targeting symmetric-key primitives and was the first statistical attack for breaking iterated block ciphers. The differential uniformity of an S-box, introduced by Nyberg in , measures how well the S-box used in a cipher resists the differential attack.

###### Definition 1.

Let be the finite field of elements. A function defined over is called differentially -uniform, where and

$$\delta_F(a,b)=\#\{x\in\mathbb{F}_q : F(x+a)-F(x)=b\}.$$

We call the function perfect nonlinear (PN) or almost perfect nonlinear (APN), if or , respectively. It is well known that PN functions only exist for an odd prime power . Thus, when is even, APN functions have the best resistance to differential attacks. To analyze ciphers that use modular multiplication as a primitive operation more effectively, the authors in  proposed the concept of multiplicative differential. Very recently, based on this new type of differential, Ellingsen, Felke, Riera, Stănică and Tkachenko gave the definition of -differential uniformity in :

###### Definition 2.

Let be a prime power and be the finite field with elements. Given a function , the (multiplicative) -derivative of with respect to is defined as

$${}_cD_aF(x)=F(x+a)-cF(x).$$

Denote

$${}_c\Delta_F(a,b)=\#\{x\in\mathbb{F}_q : {}_cD_aF(x)=b\}$$

and

$${}_c\Delta_F=\max_{a,b\in\mathbb{F}_q}{}_c\Delta_F(a,b).$$

Then is called differentially -uniform.

Note that if or , then is just a shift of or trivially . If , then becomes the usual derivative and the -differential uniformity becomes the differential uniformity of Definition 1. Similarly, we call a function perfect -nonlinear (PcN) or almost perfect -nonlinear (APcN), if or , respectively. It is worth noting that PcN functions exist for even , which is a big difference between the PN and PcN properties. So far as we know, there are only very few results about PcN and APcN functions. The -differential properties of some power functions, including the inverse functions, the Gold functions, etc., have been investigated [6, 11, 13, 14]. In  the authors give a necessary and sufficient condition for the Gold functions to be PcN; they further conjectured that all the PcN functions in  are linear functions, Gold functions and their inverses. Several ideas, including the AGW criterion, the cyclotomic method, and the perturbing and swapping method [3, 8, 10], have been used to construct functions with low -differential uniformity.

In this paper, we prove that this special power permutation over is APcN on satisfying , where . By introducing two parameters and satisfying , we transform the APcN problem into solving a system of two equations in and . Then a new variable is used to derive an equation of algebraic degree four, which helps us complete the proof. To the best of our knowledge, there are only two classes of APcN power functions over finite fields of even characteristic: the first is the well-known inverse functions, and the second is the power functions proposed in this paper.

## 2 Preliminaries

Let be a prime power, and let and be two finite fields with . Then can be seen as a subfield of , and the relative trace from to is defined as

$$\operatorname{Tr}^n_m(x)=x+x^{q^m}+x^{q^{2m}}+\cdots+x^{q^{(n/m-1)m}}.$$

If , we call the above trace absolute. Given a finite field , let be a positive integer and , and define

$$\mu_s=\{x\in\mathbb{F}_q^{*} : x^s=1\},$$

which consists of all th roots of unity in . A very important such set is the unit circle of when , which is defined as

$$\mu_{q+1}=\{x\in\mathbb{F}_{q^2}^{*} : x^{q+1}=1\}.$$

The following lemma gives exact conditions under which a quadratic equation has one or two solutions in the unit circle.

###### Lemma 1.

 Let be an even positive integer and satisfy . Then the quadratic equation has

(1) both solutions in the unit circle if and only if

$$b=a^{1-2^m}\quad\text{and}\quad \operatorname{Tr}^m_1\!\left(\frac{b}{a^2}\right)=\operatorname{Tr}^m_1\!\left(\frac{1}{a^{1+2^m}}\right)=1;$$

(2) exactly one solution in the unit circle, if and only if

$$b\neq a^{1-2^m}\quad\text{and}\quad (1+b^{1+2^m})(1+a^{1+2^m}+b^{1+2^m})+a^2b^{2^m}+a^{2^m+1}b=0.$$

An important fact about the unit circle is the polar-decomposition of elements, i.e., each element in can be uniquely written as

$$x=\lambda y,$$

where and . Let be a power function on . Note that , where is defined as in Definition 2. Hence the differential characteristics of are completely determined by the values of for . Let be defined as follows:

$$\omega_{c,i}=\#\{b\in\mathbb{F}_q : {}_c\Delta_F(1,b)=i\}.$$

The -differential spectrum of at the point is the set of with :

$$\mathcal{S}=\{\omega_{c,0},\omega_{c,1},\cdots,\omega_{c,{}_c\Delta_F}\}.$$
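The following script is an added example, not code from the paper, that computes the objects defined in Definition 2 and in this section by brute force over the smallest instance of the paper's setting, $n=1$: the field is $\mathbb{F}_{2^4}$, $q=2$, the exponent is $d=2^3+2^2+2-1=13$, the paper's $\operatorname{Tr}^{4n}_n$ is the absolute trace, and the unit circle used for the polar decomposition is $\mu_{q^2+1}=\mu_5$ with $\lambda\in\mathbb{F}_{4}^{*}$. The choice of modulus $x^4+x+1$ and all function names are ours. It evaluates ${}_c\Delta_F(a,b)$, the $c$-differential spectrum $\omega_{c,i}$ and ${}_c\Delta_F$ for every $c$, checks that the maximum over all $a\neq 0$ is already attained at $a=1$ (the power-function property noted above), and verifies that every nonzero element has exactly one polar decomposition $x=\lambda y$.

```python
# Added example (not from the paper): brute-force c-differential spectrum,
# relative trace, unit circle and polar decomposition over F_{2^4}, i.e. the
# paper's setting with n = 1.  Field elements are integers 0..15 whose bits are
# the coefficients of a polynomial in alpha, a root of x^4 + x + 1 (our choice).
from collections import Counter

N = 1                                              # the paper's n
M = 4 * N                                          # extension degree over F_2
ORDER = 1 << M                                     # |F_{2^{4n}}| = 16
POLY = 0b10011                                     # x^4 + x + 1, irreducible over F_2
D = (1 << 3 * N) + (1 << 2 * N) + (1 << N) - 1     # the paper's d = 13 for n = 1


def gf_mul(a, b):
    """Carry-less multiplication of two field elements, reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & ORDER:                  # degree reached M: reduce by the modulus
            a ^= POLY
    return r


def gf_pow(x, e):
    """Square-and-multiply exponentiation in F_{2^M}."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r


def gf_inv(x):
    """x^{-1} = x^{2^M - 2} for x != 0."""
    return gf_pow(x, ORDER - 2)


def rel_trace(x, m):
    """Relative trace Tr^M_m(x) = x + x^{2^m} + x^{2^{2m}} + ... to F_{2^m}; m = 1 is absolute."""
    t = 0
    for i in range(M // m):
        t ^= gf_pow(x, 1 << (i * m))
    return t


def unit_circle(q):
    """mu_{q+1} = {x in F_{2^M}^* : x^{q+1} = 1}."""
    return [x for x in range(1, ORDER) if gf_pow(x, q + 1) == 1]


def polar_decompositions(x, q):
    """All pairs (lam, y) with lam in F_q^*, y in mu_{q+1} and x = lam * y.
    The polar decomposition says there is exactly one such pair for x != 0."""
    subfield_units = [t for t in range(1, ORDER) if gf_pow(t, q) == t]
    circle = unit_circle(q)
    return [(lam, y) for lam in subfield_units for y in circle if gf_mul(lam, y) == x]


def F(x):
    """The power function F(x) = x^d."""
    return gf_pow(x, D)


def c_delta(c, a, b):
    """_cDelta_F(a, b) = #{x : F(x + a) - c F(x) = b}; subtraction is xor in characteristic 2."""
    return sum(1 for x in range(ORDER) if F(x ^ a) ^ gf_mul(c, F(x)) == b)


def c_differential_spectrum(c):
    """{i: omega_{c,i}} where omega_{c,i} = #{b : _cDelta_F(1, b) = i}."""
    return dict(Counter(c_delta(c, 1, b) for b in range(ORDER)))


def c_differential_uniformity(c):
    """_cDelta_F as the maximum over all a != 0 and all b (a = 0 gives only the trivial cases)."""
    return max(c_delta(c, a, b) for a in range(1, ORDER) for b in range(ORDER))


def apcn_values():
    """All c in F_{16} at which x^d is APcN, i.e. _cDelta_F = 2."""
    return [c for c in range(ORDER) if c_differential_uniformity(c) == 2]


if __name__ == "__main__":
    for c in range(ORDER):
        print(f"c={c:2d}  _cDelta_F={c_differential_uniformity(c)}  "
              f"spectrum={c_differential_spectrum(c)}  Tr(c)={rel_trace(c, 1)}")
    print("APcN at c in", apcn_values())
```

Running it shows $c=0$ gives the trivial value 1 (the function is a permutation), $c=1$ gives the ordinary differential uniformity 4 with spectrum $\omega_{1,0}=9$, $\omega_{1,2}=6$, $\omega_{1,4}=1$, and ${}_c\Delta_F\in\{2,3\}$ for every other $c$; for $n=1$ the exponent $13\equiv-2\pmod{15}$ makes $x^{13}$ a Frobenius twist of the inverse function, so the $c$ values with ${}_c\Delta_F=2$ are exactly those with $\operatorname{Tr}(c)=\operatorname{Tr}(c^{-1})=1$, matching the known inverse-function result rather than saying anything about $n\ge 2$.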

## 3 The APcN property of the power functions

From now on, we always assume that is a positive integer, and . We further assume that , and we will prove that at all such ’s the power function is APcN. Note that for such we have , since and are the two solutions in of the quadratic equation . The polar decomposition for any , with and , will be used frequently in later discussions, and for convenience we always denote . As preparation, we give several useful propositions:

###### Proposition 1.

(1) For , if , then

$$\operatorname{Tr}^n_1\!\left(\frac{\operatorname{Tr}^{4n}_n(cv^{1+q})}{\operatorname{Tr}^{4n}_n(c^{1+q}v^{2q})}\right)=1.$$

(2) For satisfying , implies .

###### Proof.

(1) Let for some , then if and only if . The denominator

$$\operatorname{Tr}^{4n}_n(c^{1+q}v^{2q})=\bigl(\operatorname{Tr}^{4n}_n(d^{1+q}v^q)\bigr)^2=\bigl(d^{q+1}v^q+d^{q^2+q}v^{q^2}+d^{q^3+q^2}v^{q^3}+d^{1+q^3}v\bigr)^2=(\nu+\nu^q)^2,$$

where due to . The numerator equals

$$\operatorname{Tr}^{4n}_n(d^2v^{q+1})=d^2v^{q+1}+d^{2q}v^{q^2+q}+d^{2q^2}v^{q^3+q^2}+d^{2q^3}v^{1+q^3}=\bigl(d^{1+q^3}v+d^{q^2+q}v^{q^2}\bigr)\bigl(d^{q+1}v^q+d^{q^3+q^2}v^{q^3}\bigr)=\nu^{1+q}.$$

Then

$$\operatorname{Tr}^n_1\!\left(\frac{\nu^{1+q}}{(\nu+\nu^q)^2}\right)=1.$$

(2) From (1), if and only if

$$\nu=d^{1+q^3}(b^q+b^{q^2})+d^{q^2+q}(b^{q^3}+b)=0,$$

in which the middle part equals

$$d^{1-q}(b^q+b^{-1})+d^{-1+q}(b^{-q}+b)=d^{1-q}\bigl(b^q+b^{-1}+d^{2(q-1)}(b^{-q}+b)\bigr)=d^{1-q}\bigl(b^q+b^{-1}+c^{q-1}(b^{-q}+b)\bigr)=d^{1-q}b^{-q-1}(1+b^{q+1})(b^q+c^{q-1}b),$$

then due to the facts and . ∎

###### Proposition 2.

For all , define

$$\begin{aligned}
C_1(k)&=(1+k^4)(1+b^{q+q^3})+(k^3+k)\bigl(c^q+c^{-q}+(c+c^{-1})b^{q+q^3}\bigr),\\
C_0(k)&=\operatorname{Tr}^{4n}_n(b)+k\bigl(\operatorname{Tr}^{4n}_n(bc)+\operatorname{Tr}^{4n}_n(b)\operatorname{Tr}^{4n}_n(c)\bigr)+k^2\bigl(\operatorname{Tr}^{4n}_n(b)+\operatorname{Tr}^{4n}_n(c^{1+q}(b^{q^2}+b^{q^3}))\bigr)+k^3\operatorname{Tr}^{4n}_n(cb^{q^2}).
\end{aligned}\tag{3.1}$$

If for some , then .

###### Proof.

The proof proceeds as follows:

If , then gives that , due to for . The assumptions and also indicate that . Now assume that and . If there exists some such that , then , which means that

$$u\triangleq k+k^{-1}=\frac{c^q+c^{-q}+(c+c^{-1})b^{q+q^3}}{1+b^{q+q^3}}$$

satisfies . Note that if and only if

$$\frac{c^q+c^{-q}+(c+c^{-1})b^{q+q^3}}{1+b^{q+q^3}}=\frac{c+c^{-1}+(c^q+c^{-q})b^{1+q^2}}{1+b^{1+q^2}},$$

by expanding the above equality we have

$$(1+b^{1+q^2})\bigl(c^q+c^{-q}+(c+c^{-1})b^{q+q^3}\bigr)+(1+b^{q+q^3})\bigl(c+c^{-1}+(c^q+c^{-q})b^{1+q^2}\bigr)=(c+c^{-1}+c^q+c^{-q})(1+b^{1+q+q^2+q^3})=0,$$

which implies . By substituting with , we have

$$u^{1+q}=\frac{\bigl(c^q+c^{-q}+(c+c^{-1})b^{q+q^3}\bigr)\bigl(c+c^{-1}+(c^q+c^{-q})b^{1+q^2}\bigr)}{(1+b^{q+q^3})(1+b^{1+q^2})}=\frac{(c+c^{-1})^2b^{q+q^3}+(c^q+c^{-q})^2b^{1+q^2}}{b^{q+q^3}+b^{1+q^2}}=\frac{(c+c^{-1})^2z^{2q}+(c^q+c^{-q})^2z^2}{z^{2q}+z^2},$$

which gives

$$u=\frac{(c+c^{-1})z^q+(c^q+c^{-q})z}{z^q+z}.\tag{3.2}$$

We substitute into and obtain that

$$\begin{aligned}
C_0(k)&=\operatorname{Tr}^{4n}_n(b)+k\bigl(\operatorname{Tr}^{4n}_n(bc)+\operatorname{Tr}^{4n}_n(b)\operatorname{Tr}^{4n}_n(c)\bigr)+(uk+1)\bigl(\operatorname{Tr}^{4n}_n(b)+\operatorname{Tr}^{4n}_n(c^{1+q}(b^{q^2}+b^{q^3}))\bigr)+\bigl((u^2+1)k+u\bigr)\operatorname{Tr}^{4n}_n(cb^{q^2})\\
&=\operatorname{Tr}^{4n}_n(c^{1+q}(b^{q^2}+b^{q^3}))+u\operatorname{Tr}^{4n}_n(cb^{q^2})\\
&\quad+k\Bigl(\operatorname{Tr}^{4n}_n(bc)+\operatorname{Tr}^{4n}_n(b)\operatorname{Tr}^{4n}_n(c)+u\bigl(\operatorname{Tr}^{4n}_n(b)+\operatorname{Tr}^{4n}_n(c^{1+q}(b^{q^2}+b^{q^3}))\bigr)+(1+u^2)\operatorname{Tr}^{4n}_n(cb^{q^2})\Bigr).
\end{aligned}$$

Since all the coefficients belong to and , we have that if and only if

$$\operatorname{Tr}^{4n}_n(c^{1+q}(b^{q^2}+b^{q^3}))+u\operatorname{Tr}^{4n}_n(cb^{q^2})=0\tag{3.3}$$

and

$$\operatorname{Tr}^{4n}_n(bc)+\operatorname{Tr}^{4n}_n(b)\operatorname{Tr}^{4n}_n(c)+u\operatorname{Tr}^{4n}_n(b)+\operatorname{Tr}^{4n}_n(cb^{q^2})=\operatorname{Tr}^{4n}_n(c(b^q+b^{q^3}))+u\operatorname{Tr}^{4n}_n(b)=0.\tag{3.4}$$

By plugging (3.2) into (3.4), we get

$$\begin{aligned}
&\operatorname{Tr}^{4n}_n(c(b^q+b^{q^3}))(z^q+z)+\bigl((c+c^{-1})z^q+(c^q+c^{-q})z\bigr)\operatorname{Tr}^{4n}_n(b)\\
&=\operatorname{Tr}^{4n}_n\bigl(c(\lambda^q+\lambda^{-q})z^q\bigr)(z^q+z)+\bigl((c+c^{-1})z^q+(c^q+c^{-q})z\bigr)\operatorname{Tr}^{4n}_n(\lambda z)\\
&=\bigl((\lambda^q+\lambda^{-q})z^q(c+c^{-1})+(\lambda+\lambda^{-1})z(c^q+c^{-q})\bigr)(z+z^q)+\bigl((c+c^{-1})z^q+(c^q+c^{-q})z\bigr)\bigl((\lambda+\lambda^{-1})z+(\lambda^q+\lambda^{-q})z^q\bigr)\\
&=z^{q+1}\bigl((\lambda^q+\lambda^{-q})(c+c^{-1})+(\lambda+\lambda^{-1})(c^q+c^{-q})+(\lambda+\lambda^{-1})(c+c^{-1})+(\lambda^q+\lambda^{-q})(c^q+c^{-q})\bigr)\\
&=z^{q+1}\operatorname{Tr}^{4n}_n(c)\operatorname{Tr}^{4n}_n(\lambda)=0,
\end{aligned}$$

which means that and then . That is to say, we have . Then (3.3) gives

$$\begin{aligned}
&\operatorname{Tr}^{4n}_n\bigl(c^{1+q}(z+z^q)\bigr)(z+z^q)+\bigl((c+c^{-1})z^q+(c^q+c^{-q})z\bigr)\operatorname{Tr}^{4n}_n(cz)\\
&=\operatorname{Tr}^{4n}_n(c^{1+q})(z+z^q)^2+\bigl((c+c^{-1})z^q+(c^q+c^{-q})z\bigr)\bigl((c+c^{-1})z+(c^q+c^{-q})z^q\bigr)\\
&=z^{q+1}\operatorname{Tr}^{4n}_n(c^2)\neq 0.
\end{aligned}$$

This completes the proof. ∎

###### Proposition 3.

Assume that . Define

$$A_1=\operatorname{Tr}^{4n}_n\bigl(c(v+v^q)\bigr),\qquad A_2=c^q+c^{-q}+(c+c^{-1})b^{q+q^3}.$$

Then for any , and are not zero at the same time.

###### Proof.

First observe that if , then , and . Similarly, gives that . If and , it suffices to show , due to . Since means , which gives that , we then have

$$A_1=\operatorname{Tr}^{4n}_n(c^{q+1}v^q)=\operatorname{Tr}^{4n}_n\bigl(c^{q+1}(b^{q^2}+b^{q^3})\bigr)=\operatorname{Tr}^{4n}_n\bigl(c^{q+1}(b+b^{-1})\bigr)=(b+b^{-1})\operatorname{Tr}^{4n}_n(c^{q+1})\neq 0,$$

due to . Now assume that ; the decomposition shows that and . Note that gives

$$z^{2q}=\frac{c^q+c^{-q}}{c+c^{-1}}.\tag{3.5}$$

If , then we have

$$(c+c^{-1})(b^q+b^{q^3})+(c^q+c^{-q})(b+b^{q^2})=(c+c^{-1})(\lambda^q+\lambda^{-q})z^q+(c^q+c^{-q})(\lambda+\lambda^{-1})z=0.$$

By squaring the second equality and substituting (3.5) into it, we obtain

$$(c+c^{-1})^2(\lambda^q+\lambda^{-q})^2\,\frac{c^q+c^{-q}}{c+c^{-1}}+(c^q+c^{-q})^2(\lambda+\lambda^{-1})^2\,\frac{c+c^{-1}}{c^q+c^{-q}}=0,$$

and then , which contradicts the assumption . ∎

###### Proposition 4.

For , if , then

$$\operatorname{Tr}^{4n}_n(cv^{1+q})=\operatorname{Tr}^{4n}_n(c^{1+q}v^{2q})=0.$$

###### Proof.

By Proposition 1, it suffices to show . The proposition obviously holds if . Assume with and . The conditions give that

$$(\rho+\rho^{-1})y+(\rho^q+\rho^{-q})y^q=0,\tag{3.6}$$
$$(c\rho+c^{-1}\rho^{-1}+c^q\rho^{-1}+c^{-q}\rho)y+(c^q\rho^q+c^{-q}\rho^{-q}+c\rho^q+c^{-1}\rho^{-q})y^q=0\tag{3.7}$$

and

$$(c^{q-1}\rho^{-1}+c^{-q+1}\rho)y+(c^{q+1}\rho^q+c^{-1-q}\rho^{-q})y^q=0.\tag{3.8}$$

Note that if , then (3.7) gives , and then (3.8) does not hold due to . So we must have . By equations (3.6) and (3.7), we get

$$\begin{aligned}
&(\rho+\rho^{-1})(c^q\rho^q+c^{-q}\rho^{-q}+c\rho^q+c^{-1}\rho^{-q})+(\rho^q+\rho^{-q})(c\rho+c^{-1}\rho^{-1}+c^q\rho^{-1}+c^{-q}\rho)\\
&=\rho^{q+1}(c^q+c^{-q})+\rho^{q-1}(c+c^{-1})+\rho^{-q+1}(c+c^{-1})+\rho^{-q-1}(c^q+c^{-q})\\
&=\operatorname{Tr}^{4n}_n\bigl((c+c^{-1})\rho^{q-1}\bigr)=0.
\end{aligned}$$

The combination of (3.6) and (3.8) gives that

$$(\rho+\rho^{-1})(c^{1+q}\rho^q+c^{-1-q}\rho^{-q})+(\rho^q+\rho^{-q})(c^{q-1}\rho^{-1}+c^{-q+1}\rho)=0,$$

which is equivalent to

$$\operatorname{Tr}^{4n}_n\bigl((\rho+\rho^{-1})c^{1+q}\rho^q\bigr)=\operatorname{Tr}^{4n}_n\bigl((c+c^{-1})c^q\rho^{q-1}\bigr)=0.$$

Denote . From and , we have

$$\begin{cases}
(c+c^{-1})(\xi+\xi^{-1})=\alpha,\\
(c+c^{-1})(c^q\xi+c^{-q}\xi^{-1})=\beta
\end{cases}$$

for some . Obviously . Then

$$c^q\xi+c^{-q}\xi^{-1}=\frac{\beta}{\alpha}(\xi+\xi^{-1}),$$

together with , we get , i.e.,

$$c=\frac{\alpha\xi^q}{(\xi+\xi^{-1})(\xi^q+\xi^{-q})}+\frac{\beta}{\alpha}.$$

If , the condition implies

 1 = (αξq(ξ+ξ−1)(ξq+ξ−q)+βα)(αξ−q(ξ+ξ−1)(ξq+ξ−q