# On permutation quadrinomials and 4-uniform BCT

We study a class of general quadrinomials over the field of size 2^2m with odd m and characterize conditions under which they are permutations with the best boomerang uniformity, a new and important parameter related to boomerang-style attacks. This vastly extends previous results from several recent papers.

## Authors

• 11 publications
• 11 publications
• 10 publications
• ### 4-uniform BCT permutations from generalized butterfly structure

As a generalization of Dillon's APN permutation, butterfly structure and...
01/02/2020 ∙ by Nian Li, et al. ∙ 0

• ### Necessities and sufficiencies of a class of permutation polynomials over finite fields

For the finite field F_2^3m, permutation polynomials of the form (x^2^m+...
07/28/2019 ∙ by Xiaogang Liu, et al. ∙ 0

• ### A general construction of permutation polynomials of the form (x^2^m+x+δ)^i(2^m-1)+1+x over _2^2m

Recently, there has been a lot of work on constructions of permutation p...
12/21/2017 ∙ by Libo Wang, et al. ∙ 0

• ### Uniquely-Wilf classes

Two permutations in a class are Wilf-equivalent if, for every size, n, t...
04/11/2019 ∙ by Michael Albert, et al. ∙ 0

• ### New Results about the Boomerang Uniformity of Permutation Polynomials

In EUROCRYPT 2018, Cid et al. BCT2018 introduced a new concept on the cr...
01/17/2019 ∙ by Kangquan Li, et al. ∙ 0

• ### Weighted games of best choice

The game of best choice (also known as the secretary problem) is a model...
02/26/2019 ∙ by Brant Jones, et al. ∙ 0

• ### Improving Accuracy of Permutation DAG Search using Best Order Score Search

The Sparsest Permutation (SP) algorithm is accurate but limited to about...
08/17/2021 ∙ by Joseph D. Ramsey, et al. ∙ 0

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

### 1.1 Background

In symmetric key cryptography, Substitution boxes (S-boxes) are basic components to perform substitutions. Being the only source of nonlinearity in many well-known block ciphers such as IDEA, AES and DES [18], they play a central role in obscuring the relationship between the key and ciphertext, the perplexity property depicted by Shannon [32]. The security of such ciphers depends crucially on the quality of the S-boxes used. It is thus important to find new designs of S-boxes with good cryptographic properties with respect to various attacks [3, 19, 26, 39].

Mathematically, S-boxes are vectorial (multi-output) Boolean functions, that is, functions where and are and

-dimensional vector spaces over the binary field

respectively.

Differential attack, proposed by Biham and Shamir [3], is one of the most fundamental cryptanalytic tools to assess the security of block ciphers. For an -bit S-box , the properties for differential propagations of are captured in the DDT (Difference Distribution Table) of which are given by

 DDTF(a,b)=#{x∈Fn2:F(x)+F(x+a)=b}∀a,b∈Fn2.

The differential uniformity of is defined as

 δ(F)=maxa,b∈Fn2,a≠0DDTF(a,b).

Differential uniformity is an important concept in cryptography as it quantifies the degree of security of the cipher with respect to differential attack if is used as an S-box in the cipher. In particular, if , then is called an almost perfect nonlinear (APN) function, which offers maximal resistance to differential attacks.

Boomerang attack is an important cryptanalysis technique introduced by Wagner [39] in 1999 against block ciphers involving S-boxes. It can be considered as an extension of the classical differential attack [3]. In a boomerang attack, the target cipher is regarded as a composition of two sub-ciphers, and two differentials are combined and analyzed for the upper and the lower parts of the cipher. The reader is referred to [1, 2, 4, 5, 11, 15, 16, 33] for more details.

At Eurocrypt 2018, Cid, Huang, Peyrin, Sasaki and Song [10]

introduced a new tool called Boomerang Connectivity Table (BCT) to measure the resistance of a block cipher against the boomerang attack. The BCT can be used to more accurately evaluate the probability of generating a right quartet in boomerang-style attacks, and it provides more useful information when compared with the DDT

[10]. Let be a permutation. The entries of the BCT of are given by

 BCTF(a,b)=#{x∈Fn2:F−1(F(x)+b)+F−1(F(x+a)+b)=a},

where denotes the compositional inverse of . The boomerang uniformity of , introduced by Boura and Canteaut in [6], is defined as

 β(F)=maxa,b∈Fn2∖{0}BCTF(a,b).

The function is called a -uniform BCT function.

Roughly speaking, S-boxes with smaller value provide stronger security against boomerang-style attacks. It was known in [10] that , and if , then , hence APN permutations offer maximal resistance to both differential and boomerang attacks. However, given the difficulty of finding APN permutations in even dimension (This is the Big APN Problem [9]), in even dimension which is the most interesting for real applications, we are contented with the next best, that is, permutations with .

Compared with an abundance of differentially -uniform permutations in the literature (see [7, 8, 13, 14, 28] for primary constructions and [29, 31, 34, 35] and the references therein for constructions via the inverse function), it seems much harder to find permutations with -uniform BCT in even dimension. Currently only six families of such permutations have been discovered (see [6, 20, 21, 23, 27, 36] for details).

In particular, in [36] the authors studied a class of quadrinomial permutations of the form

 F(x)=x3q+a1x2q+1+a2xq+2+a3x3∈Fq2[x],∀a1,a2,a3∈Fq2

where is an odd power of , and derived general conditions on the coefficients ’s under which is a permutation and , and very recently, in [21] and independently in [23] the authors considered the generalized butterfly structure (see [12, 24, 30]) and showed that the closed butterfly yields permutations with -uniform BCT under suitable conditions. It was pointed out in [21, 23] that the closed butterfly can be equivalently expressed as the univariate form

 c0z(2k+1)q+c1z2kq+1+c2zq+2k+c3z2k+1,z∈Fq2 (1.1)

for some special .

The objective of this paper is to study quadrinomials of the form (1.1) for much more general coefficients ’s and investigate conditions under which they become permutations with -uniform BCT.

### 1.2 Statement of the main result

Throughout this paper, let and be both odd integers such that . Let . For any , denote . For any , we consider a general quadrinomial of the form

 fc–(x) = c0¯¯¯x2k+1+c1¯¯¯x2kx+c2¯¯¯xx2k+c3x2k+1. (1.2)

Denote

 θ1=c0¯¯c0+c1¯¯c1+c2¯¯c2+c3¯¯c3,θ2=¯¯c0c1+¯¯c2c3,θ3=c0¯¯c2+c1¯¯c3,θ4=c1¯¯c1+c4¯¯c4,

and define

 Γ = {c–∈F42n:θ1≠0,Trm1(θ4θ1)=1,(θ2θ1)2k=¯¯¯θ3θ1}. (1.3)

The set can be partitioned as , where

 Γi = {c–∈Γ:Trm1(θ2¯¯¯θ2θ21)=i},i=0,1. (1.4)

Our main result is stated as follows.

###### Theorem 1.

Let the setting be as above, and , and be defined by (1.2), (1.3) and (1.4) respectively.

1. If , then is a permutation on ;

2. If , then ;

3. If , then .

###### Remark 1.

In the setting of Therorem 1, if is even, is odd, and is still of the form (1.2), then letting , we can obtain

 fc–(x)2k′=c′0¯¯¯x2k′+1+c′1¯¯¯x2k′x+c′2¯¯¯xx2k′+c′3x2k′+1,

where

 c′0=c2k′2,c′1=c2k′0,c′2=c2k′3,c′3=c2k′1.

Noting that is odd and , denoting and appealing to Theorem 1, we can still obtain similar conditions to 1)-3) under which we can conclude that is a permutation; and . For the sake of simplicity, we omit the details.

###### Remark 2.

Similar to [37], by using affine equivalence, the coefficients ’s of the quadrinomial in (1.2) may be simplified: if , we may assume that ; by considering for some , we may assume that . Actually when , and , the function was originally studied in [36, 37, 38]. In fact in this case 1) coinsides with the main result of [37] and 2) coinsides with the main result of [36]. On the other hand, using the special parametrization appearing in the papers, one can easily verify that [23, Theorem 2] and [21, Theorem 1.1] can be derived from (1) and (2) of Theorem 1.

###### Remark 3.

Our computer experiments seem to indicate that if is a permutation over , then it is necessary that . When , this is indeed the case and was recently proved in [22]. For a general , however, the method used there does not seem to work. We will come back to this question in the near future. If this “necessity property” were proved, then Theorem 1 indicates that is a permutation with -uniform BCT if and only if , that is, the set completely charaterizes permutaitons with -uniform BCT. This may be another reason why we would expect that [23, Theorem 2] and [21, Theorem 1.1] can be derived from (1) and (2) of Theorem 1.

###### Remark 4.

Finally, for two permutations and over , it is known that if or and are affine equivalent [6]; and if both and are quadratic and extended affine equivalent, then if [27]. We have checked that for , all the functions for are affine equivalent to the Gold function , which is known to be a permutation of with -uniform BCT. It might be interesting to know if this holds for a general odd , or if there are permutations with -uniform BCT which are not affinely equivalent to the Gold function. In Table 1 we list all known permutations over with for even .

The rest of this paper is organized as follows: in Section 2 we collect some solvability criteria on certain equations over finite fields which will be used repeatedly in the paper; in Section 3 we present some identities and relations involving the ’s and ’s from the quarinomial ; in Section 4 we discuss in details the solvability of the difference equation ; in Section 5 which is the longest section of the paper, we prove the main result, dealing with Parts (1), (3) and (2) of Theorem 1 individually in three seperate subsections.

## 2 Preliminaries

The following three results will be used repeatedly in the rest of the paper.

###### Lemma 1.

([25]) Let be a positive integer. For any and , the equation

 x2+ax+b=0

is solvable (with two solutions) in if and only if

 Trn1(ba2)=0.

Here is the absolute trace map from to the binary field .

###### Lemma 2.

([17]) Let be positive integers such that . For any , the equation

 x2k+x=a

has either 0 or 2 solutions in . Moreover, it is solvable with two solutions in if and only if .

###### Lemma 3.

([23]) Let be odd integers such that . Let . For any , define

 Lτ,ν(x)=x2k+τ¯¯¯x+(τ+1)x+ν.

Denote by the number of solutions of in . Then . More precisely, let and be defined by the equations

 λ2k−1=1+τ+¯¯¯τ,Δ=νλ2k,μ2k+μ=τλ.

Then

1. if and only if one of the following conditions is satisfied:
(i) and ;
(ii) , and .

2. if and only if , , and .

If and , then the set of four solutions of in is given by .

###### Remark 5.

When , Lemma 3 reduces to [36, Lemma 3] which played a central role in computing the boomerang uniformity in the paper. Comparing with [36, Lemma 3], our criteria seems a little simpler.

## 3 Some identities

Before proceeding to the proof of the main result, in this section we collect some useful identities and relations which play important roles in the rest of the paper.

Recall the setting of Theorem 1 in Section 1 for all the notions , etc.

### 3.1 For c–∈Γ

We first assume that , and the function is given in (1.2). Since and

 Trm1(θ4θ1)=1,Trn1(θ4θ1)=0,

we can find such that

 ξ2k+ξ=θ4θ1. (3.1)

We fix such an element . It is known that

 ξ∈F2n∖F2m,ξ+¯¯¯ξ=1. (3.2)
###### Lemma 4.

If , then we have

1. ;

2. ;

3. ;

4. ;

5. ;

6. .

###### Proof.

Identities (1)-(5) can be verified by a routine computation. Only (6) requires some explanation.

Since , we let . Dividing on both sides of Identity (1) of Lemma 4 and using the relation , we obtain

 t2k+t+θ4θ1+(θ4θ1)2=0.

Since and , by using from (3.1), the above equation has two roots which are given by

 t=ξ+ξ2 or t=¯¯¯ξ+ξ2.

It is easy to see that

 Trm1(ξ+ξ2)=m−1∑i=0ξ2i+m−1∑i=0ξ2i+1=ξ+¯¯¯ξ=1,

and . Thus if and if . This completes the proof of (6). ∎

### 3.2 For c–∈Γ0

Next we assume that . First, identity (6) of Lemma 4 becomes

 θ2¯¯¯θ2θ21=¯¯¯ξ+ξ2.

Next, for any , define

 M(a) := θ1a¯¯¯a+¯¯¯θ2¯¯¯a2+θ2a2, (3.3)

and

 η(a) := ξa+¯¯¯θ2¯¯¯aθ1. (3.4)

Define (this is to avoid confusion which might result from using the more standard notation ). It is easy to see that

 η(2)(a) := ¯¯¯ξa+¯¯¯θ2¯¯¯aθ1=η(a)+a, η(3)(a) := η∘η(2)(a)=a.

Define

 Za := {a,η(a),η(2)(a)}. (3.5)
###### Lemma 5.

If , then for any , we have

• ;

• for any .

###### Proof.

(1). Suppose for some . Obviously . Let be the unique element of satisfying . Thus , and we obtain

 0=M(a)2=x4+¯¯¯x4+θ21θ2¯¯¯θ2x2¯¯¯x2.

Letting , we have

 y2+θ21θ2¯¯¯θ2y+1=0. (3.6)

Since , we have , Lemma 1 implies that (3.6) is solvable with . From , we find , that is, , and hence . This clearly contradicts (3.6) since we know that .

(2). Let . We have

 z=ξa+¯¯¯θ2¯¯¯aθ1,¯¯¯z=¯¯¯ξ¯¯¯a+θ2aθ1,

and

 z¯¯¯z = (ξa+¯¯¯θ2¯¯¯aθ1)(¯¯¯ξ¯¯¯a+θ2aθ1) = a¯¯¯aξ¯¯¯ξ+1θ1(θ2ξa2+¯¯¯θ2¯¯¯ξ¯¯¯a2)+θ2¯¯¯θ2a¯¯¯aθ21.

With some computation, we can obtain that

 M(z) = a¯¯¯a(θ1ξ¯¯¯ξ+θ2¯¯¯θ2θ1)+¯¯¯a2⎛⎜⎝¯¯¯θ2¯¯¯ξ+¯¯¯θ2¯¯¯ξ2+θ2¯¯¯θ22θ21⎞⎟⎠+a2(θ2ξ+θ2ξ2+¯¯¯θ2θ22θ21).

Using (6) of Lemma 4 and the properties of given in (3.1) and (3.2), we can verify that

 θ1ξ¯¯¯ξ+θ2¯¯¯θ2θ1=θ1(ξ¯¯¯ξ+¯¯¯ξ+ξ2)=θ1,
 θ2ξ+θ2ξ2+¯¯¯θ2θ22θ21=θ2(ξ+ξ2+¯¯¯ξ+ξ2)=θ2.

This clearly shows that .

Similarly, by taking , one can also verify that . This completes the proof of (2). Now Lemma 5 is proved. ∎

###### Lemma 6.

If , then for any , we have the identity

 η(2)(z)2k(c2¯¯¯¯¯¯¯¯¯¯η(z)+c3η(z))+¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯η(2)(z)2k(c0¯¯¯¯¯¯¯¯¯¯η(z)+c1η(z))=fc–(z). (3.7)
###### Proof.

For simplicity, denote

 r:=ξ,s:=θ2θ1.

Then

 η(z)=rz+¯¯¯s¯¯¯z,η(2)(z)=¯¯¯rz+¯¯¯s¯¯¯z.

The left hand side of (3.7) is given by

 LHS = (¯¯¯rz+¯¯¯s¯¯¯z)2k(c2(¯¯¯r¯¯¯z+sz)+c3(rz+¯¯¯s¯¯¯z)) +(r¯¯¯z+sz)2k(c0(¯¯¯r¯¯¯z+sz)+c1(rz+¯¯¯s¯¯¯z)) =: A¯¯¯z2k+1+B¯¯¯z2kz+C¯¯¯zz2k+Dz2k+1,

where the coefficients are given by

 A = ¯¯¯s2k(c2¯¯¯r+c3¯¯¯s)+r2k(c0¯¯¯r+c1¯¯¯s)=¯¯¯r(c2¯¯¯s2k+c0r2k)+¯¯¯s(c3¯¯¯s2k+c1r2k), B = ¯¯¯s2k(c2s+c3r)+r2k(c0s+c1r)=s(c2¯¯¯s2k+c0r2k)+r(c3¯¯¯s2k+c1r2k), C = ¯¯¯r2k(c2¯¯¯r+c3¯¯¯s)+s2k(c0¯¯¯r+c1¯¯¯s)=¯¯¯r(c2¯¯¯r2k+c0s2k)+¯¯¯s(c3¯¯¯r2k+c1s2k), D = ¯¯¯r2k(c2s+c3r)+s2k(c0s+c1r)=s(c2¯¯¯r2k+c0s2k)+r(c3¯¯¯r2k+c1s2k).

We claim that and . For and , using the relations

 r=ξ,s=θ2θ1,(¯¯¯θ2θ1)2k=θ3θ1, ξ2k+ξ=θ4θ1,θ2¯¯¯θ2θ21=1+ξ¯¯¯ξ, (3.8)

and recalling (2)-(3) of Lemma 4, we can obtain

 c2¯¯¯s2k+c0r2k = c2(θ3θ1)+c0(θ4θ1+ξ) = c2θ3+c0θ4θ1+c0ξ=c1¯¯¯θ2θ1+c0ξ, c3¯¯¯s2k+c1r2k = c3(θ3θ1)+c1(θ4θ1+ξ) = c3θ3+c1(θ4+θ1)θ1+c1(1+ξ)=c0θ2θ1+c1¯¯¯ξ.

From the above identities and also using (3.8), we can easily verify that

 A = ¯¯¯ξ(c1¯¯¯θ2θ1+c0ξ)+¯¯¯θ2θ1(c0θ2θ1+c1¯¯¯ξ)=c0, B = θ2θ1(c1¯¯¯θ2θ1+c0ξ)+