A Highly Nonlinear Differentially 4 Uniform Power Mapping That Permutes Fields of Even Degree
A Highly Nonlinear Differentially 4 Uniform Power Mapping That Permutes Fields of Even Degree

Carl Bracken (1), Gregor Leander (2)
(1) Department of Mathematics, National University of Ireland Maynooth, Co. Kildare, Ireland
(2) Department of Mathematics, Technical University Denmark, Copenhagen, Denmark

September 4, 2018

Abstract

Functions with low differential uniformity can be used as the s-boxes of symmetric cryptosystems as they have good resistance to differential attacks. The AES (Advanced Encryption Standard) uses a differentially-4 uniform function called the inverse function. Any function used in a symmetric cryptosystem should be a permutation. Also, it is required that the function is highly nonlinear so that it is resistant to Matsui's linear attack. In this article we demonstrate that the highly nonlinear permutation $f(x) = x^{2^{2k}+2^k+1}$, discovered by Hans Dobbertin [7], has differential uniformity of four and hence, with respect to differential and linear cryptanalysis, is just as suitable for use in a symmetric cryptosystem as the inverse function.

1 Introduction

Functions with a low differential uniformity are interesting from the point of view of cryptography as they provide good resistance to differential attacks [11]. For a function to be used as an s-box of a symmetric cryptosystem it should be a permutation and defined on a field with even degree. It is also essential that the function has high nonlinearity so that it is resistant to Matsui's linear attack [10]. The lowest possible differential uniformity is 2 and functions with this property are called APN (almost perfect nonlinear). There has been much recent work and progress on APN functions (see [2],[3],[4],[5],[6]).
However, at present there are no known APN permutations defined on fields of even degree, and whether such functions exist is actually the most important open question in this field. This is why the AES (advanced encryption standard) uses a differentially 4 uniform function, namely the inverse function.

For the rest of the paper, let $L = \mathbb{F}_{2^n}$ for $n > 0$ and let $L^*$ denote the set of non-zero elements of $L$. Let $\mathrm{Tr} : L \to \mathbb{F}_2$ denote the trace map from $L$ to $\mathbb{F}_2$. For positive integers $r, k$, by $\mathrm{Tr}^{rk}_k$ we denote the relative trace map from $\mathbb{F}_{2^{rk}}$ to $\mathbb{F}_{2^k}$ and by $\mathrm{Tr}_r$ the absolute trace from $\mathbb{F}_{2^r}$ to $\mathbb{F}_2$.

Definition 1 A function $f : L \to L$ is said to be differentially $\delta$ uniform if for any $a \in L^*$, $b \in L$, we have
$$|\{x \in L : f(x+a) + f(x) = b\}| \le \delta.$$

Definition 2 Given a function $f : L \to L$, the Fourier transform of $f$ is the function $\hat f : L \times L^* \to \mathbb{Z}$ given by
$$\hat f(a,b) = \sum_{x \in L} (-1)^{\mathrm{Tr}(ax + b f(x))}.$$
The Fourier spectrum of $f$ is the set of integers $\Lambda_f = \{\hat f(a,b) : a, b \in L,\ b \ne 0\}$. The nonlinearity of a function $f$ on a field $L = \mathbb{F}_{2^n}$ is defined as
$$NL(f) := 2^{n-1} - \frac{1}{2} \max_{x \in \Lambda_f} |x|.$$
The nonlinearity of a function measures its distance to the set of all affine maps on $L$. We thus call a function maximally nonlinear if its nonlinearity is as large as possible. If $n$ is odd, its nonlinearity is upper-bounded by $2^{n-1} - 2^{\frac{n-1}{2}}$, while for $n$ even a conjectured upper bound is $2^{n-1} - 2^{\frac{n}{2}}$. For odd $n$, we say that a function $f : L \to L$ is almost bent (AB) when its Fourier spectrum is $\{0, \pm 2^{\frac{n+1}{2}}\}$, in which case it is clear from the upper bound that $f$ is maximally nonlinear. In an article of Hans Dobbertin [7] he offers a list of power mappings that permute fields of even degree and meet the conjectured nonlinearity bound of $2^{n-1} - 2^{\frac{n}{2}}$.
Following Dobbertin's terminology we shall refer to such mappings as highly nonlinear permutations. In [7] Dobbertin conjectured that this list was complete and noted that this had been verified for $n \le 22$. The inverse function (used in AES) is highly nonlinear and hence is on the list. One of the functions on Dobbertin's list is the power mapping $f(x) = x^{2^{2k}+2^k+1}$, defined on $\mathbb{F}_{2^{4k}}$, with $k$ odd. In this article we show that this function has differential uniformity of 4. We also provide another proof of this function's nonlinearity property. This means that this function has the same resistance to both the linear and differential attacks as the inverse function.

2 Differential Uniformity of $f(x) = x^{2^{2k}+2^k+1}$

As mentioned above there are no known permutations of even degree fields with differential uniformity of two. The following theorem shows that $x^{2^{2k}+2^k+1}$ has the next best (and best known) differential uniformity, which is four.

Theorem 1 Let $f(x) = x^{2^{2k}+2^k+1}$ be defined on $\mathbb{F}_{2^{4k}}$. Then $f(x)$ has differential uniformity of four.

Proof. We need to demonstrate that the equation
$$x^{2^{2k}+2^k+1} + (x+a)^{2^{2k}+2^k+1} = b$$
has no more than four solutions for all $a \in \mathbb{F}_{2^{4k}}^*$ and all $b \in \mathbb{F}_{2^{4k}}$. Expansion of this expression yields
$$a x^{2^{2k}+2^k} + a^{2^k} x^{2^{2k}+1} + a^{2^{2k}} x^{2^k+1} + a^{2^k+1} x^{2^{2k}} + a^{2^{2k}+1} x^{2^k} + a^{2^{2k}+2^k} x + a^{2^{2k}+2^k+1} = b.$$
Next we replace $x$ with $xa$ and divide by $a^{2^{2k}+2^k+1}$ and obtain
$$x^{2^{2k}+2^k} + x^{2^{2k}+1} + x^{2^k+1} + x^{2^{2k}} + x^{2^k} + x + c = 0 \quad (1)$$
where $c = a^{-2^{2k}-2^k-1} b + 1$. Let $\mathrm{Tr}^{4k}_k$ denote the relative trace map from $\mathbb{F}_{2^{4k}}$ to $\mathbb{F}_{2^k}$. As $\mathrm{Tr}^{4k}_k(x^{2^{2k}+2^k} + x^{2^{2k}+1} + x^{2^k+1} + x^{2^{2k}} + x^{2^k}) = 0$, Equation (1) implies $\mathrm{Tr}^{4k}_k(x + c) = 0$, which is equivalent to
$$x + x^{2^k} + x^{2^{2k}} + x^{2^{3k}} = t \quad (2)$$
where $t = \mathrm{Tr}^{4k}_k(c)$. We note that $t \in \mathbb{F}_{2^k}$.
Equation (1) now becomes
$$x(x^{2^k} + x^{2^{2k}}) + x^{2^{2k}+2^k} + x^{2^{3k}} + t + c = 0,$$
which implies
$$x(x + x^{2^{3k}} + t) + x^{2^{2k}+2^k} + x^{2^{3k}} + t + c = 0,$$
from which we obtain
$$x^2 + x^{2^{3k}+1} + xt + x^{2^{2k}+2^k} + x^{2^{3k}} + t + c = 0. \quad (3)$$
We raise Equation (3) by $2^{2k}$ and get
$$x^{2^{2k+1}} + x^{2^k+2^{2k}} + x^{2^{2k}} t + x^{2^{3k}+1} + x^{2^k} + t + c^{2^{2k}} = 0. \quad (4)$$
Now we add Equations (3) and (4) and make use of (2). This gives
$$(x + x^{2^{2k}})^2 + (t+1)(x + x^{2^{2k}}) + c^{2^k} + c^{2^{3k}} = 0. \quad (5)$$
The remainder of the proof is divided into two cases. They are $t = 1$ and $t \ne 1$.

If $t = 1$ then Equation (5) implies $x + x^{2^{2k}} = c^{2^{k-1}} + c^{2^{3k-1}}$. We let $r = c^{2^{k-1}} + c^{2^{3k-1}}$. Therefore $x^{2^{2k}} = x + r$. Placing this into Equation (1) yields
$$(x+r)x^{2^k} + (x+r)x + x^{2^k+1} + x^{2^k} + c + r = 0,$$
which we write as
$$x^2 + r(x + x^{2^k}) + x^{2^k} + r + c = 0. \quad (6)$$
Raising Equation (6) by $2^k$ we obtain
$$x^{2^{k+1}} + r^{2^k}(x^{2^k} + x + r) + x + r + r^{2^k} + c^{2^k} = 0. \quad (7)$$
Next we add Equations (6) and (7) to get
$$(x + x^{2^k})^2 + (r + r^{2^k} + 1)(x + x^{2^k}) + r^{2^k+1} + c + c^{2^k} + r^{2^k} = 0. \quad (8)$$
Note that $r + r^{2^k} = x + x^{2^k} + x^{2^{2k}} + x^{2^{3k}} = t$, hence if $t = 1$ Equation (8) becomes
$$(x + x^{2^k})^2 + r^{2^k+1} + c + c^{2^k} + r^{2^k} = 0.$$
This implies $x + x^{2^k} = s$ where $s = \sqrt{r^{2^k+1} + c + c^{2^k} + r^{2^k}}$. Now we replace $x^{2^k}$ by $x + s$ in Equation (6) and obtain
$$x^2 + x + rs + s + r + c = 0,$$
which can have no more than two solutions in $x$.

Next we consider the case $t \ne 1$. We replace $x$ with $(t+1)z$ in Equation (5) and get
$$(t+1)^2\big((z + z^{2^{2k}})^2 + (z + z^{2^{2k}})\big) + c^{2^k} + c^{2^{3k}} = 0.$$
Now let $y = z + z^{2^{2k}}$ so we have
$$(t+1)^2(y^2 + y) + c^{2^k} + c^{2^{3k}} = 0.$$
This equation has at most two solutions in $y$. They are of the form $y = p$ and $y = p + 1$ for some fixed $p$. This implies that $z^{2^{2k}} = z + p$ or $z^{2^{2k}} = z + p + 1$. Note that $p \in \mathbb{F}_{2^{2k}}$.
If $z^{2^{2k}} = z + p$ then Equation (1) becomes
$$(t+1)^2\big((z+p)z^{2^k} + (z+p)z + z^{2^k+1}\big) + (t+1)(z^{2^k} + p) + c = 0,$$
which gives
$$(t+1)^2\big((z + z^{2^k})p + z^2\big) + (t+1)(z^{2^k} + p) + c = 0. \quad (9)$$
We raise Equation (9) by $2^k$ and obtain
$$(t+1)^2\big((z + z^{2^k} + p)p^{2^k} + z^{2^{k+1}}\big) + (t+1)(z + p + p^{2^k}) + c^{2^k} = 0. \quad (10)$$
Next we add Equations (9) and (10) to get
$$(t+1)^2\big((p + p^{2^k})(z + z^{2^k}) + (z + z^{2^k})^2 + p^{2^k+1}\big) + (t+1)(z + z^{2^k} + p^{2^k}) + c + c^{2^k} = 0,$$
which becomes
$$(t+1)^2(z + z^{2^k})^2 + \big((t+1)^2(p + p^{2^k}) + (t+1)\big)(z + z^{2^k}) + (t+1)^2 p^{2^k+1} + (t+1)p^{2^k} + c + c^{2^k} = 0. \quad (11)$$
Recall $t = x + x^{2^k} + x^{2^{2k}} + x^{2^{3k}} = (t+1)(z + z^{2^k} + z^{2^{2k}} + z^{2^{3k}})$. Also $p + p^{2^k} = z + z^{2^k} + z^{2^{2k}} + z^{2^{3k}}$, hence $p + p^{2^k} = \frac{t}{t+1}$. Therefore Equation (11) becomes
$$(t+1)^2\big((z + z^{2^k})^2 + (z + z^{2^k})\big) + (t+1)^2 p^{2^k+1} + (t+1)p^{2^k} + c + c^{2^k} = 0. \quad (12)$$
It can easily be verified that if we had assumed $z^{2^{2k}} = z + p + 1$ then the same computations as above would also yield Equation (12), so this case need not be considered. Next we let $z + z^{2^k} = w$ and write Equation (12) as
$$(t+1)^2(w^2 + w) + (t+1)^2 p^{2^k+1} + (t+1)p^{2^k} + c + c^{2^k} = 0.$$
This equation has at most two solutions in $w$, which take the form $w = q$ and $w = q + 1$ for some fixed $q$. This implies that $z^{2^k} = z + q$ or $z^{2^k} = z + q + 1$. If $z^{2^k} = z + q$ then $z^{2^{2k}} = z + q + q^{2^k}$ and Equation (1) becomes
$$(t+1)^2\big((z + q + q^{2^k})(z+q) + (z + q + q^{2^k})z + (z+q)z\big) + (t+1)(z + q^{2^k}) + c = 0.$$
This simplifies to
$$(t+1)^2 z^2 + (t+1)z + (t+1)^2(q^{2^k+1} + q^2) + (t+1)q^{2^k} + c = 0,$$
which is the same as
$$x^2 + x + (t+1)^2(q^{2^k+1} + q^2) + (t+1)q^{2^k} + c = 0.$$
If on the other hand $z^{2^k} = z + q + 1$, then we would obtain
$$x^2 + x + (t+1)^2(q^{2^k+1} + q^{2^k} + q^2 + q) + (t+1)(q+1)^{2^k} + c = 0.$$
Clearly, this pair of equations will allow no more than four solutions in $x$ and the proof is complete.

Note that we did not need to assume that $k$ is odd to derive the differential uniformity of four; however, it is easy to see that the function is not a permutation if $k$ is even, as $\gcd(2^{4k}-1,\ 2^{2k}+2^k+1) = 1$ if and only if $k$ is odd.

3 Nonlinearity of $f(x) = x^{2^{2k}+2^k+1}$

In this section we give a slightly different proof of the fact that $x^{2^{2k}+2^k+1}$ has $NL(f) = 2^{n-1} - 2^{\frac{n}{2}}$. Most importantly, our proof also covers the case where the function is not a permutation, i.e., when $k$ is even. Technically, the main difference to Dobbertin's proof in [7] is that we are not going to use an $\mathbb{F}_{2^k}$ basis of $\mathbb{F}_{2^{4k}}$ to express elements in $\mathbb{F}_{2^{4k}}$ but rather an $\mathbb{F}_{2^{2k}}$ basis. This change makes some of the "lengthy but routine" computations, as Dobbertin states it, easier.

Theorem 2 Let $f(x) = x^{2^{2k}+2^k+1}$ be defined on $\mathbb{F}_{2^{4k}}$. Then $NL(f) = 2^{n-1} - 2^{\frac{n}{2}}$.

Proof. We have to show that for any non-zero $b$ and any $a$ the absolute value of the Fourier coefficient $\hat f(a,b)$ is smaller than or equal to $2^{2k+1}$. There are two cases to consider. If $k$ is odd, then $f$ is a bijection and it is therefore enough to study the case $b = 1$. If $k$ is even, then $\gcd(2^{2k}+2^k+1,\ 2^{4k}-1) = 3$ and up to equivalence there are two different $b$ to consider, namely the case $b = 1$ and $b$ any non-cube. Here we remark that in the case $k$ even we can always choose a non-cube in $\mathbb{F}_{2^k}$ without loss of generality. Thus, in both cases it is enough to study $b \in \mathbb{F}_{2^k}$. Moreover, we can restrict the case to elements $b \in \mathbb{F}_{2^k}$ such that $\mathrm{Tr}_k(b) = 1$. Let $\gamma$ be any non-zero element in $\mathbb{F}_{2^k}$ such that $\mathrm{Tr}_k(\gamma) = 1$. For simplicity we denote $g_{\gamma^2}(x) = \mathrm{Tr}(\gamma^2 x^{2^{2k}+2^k+1})$ (we use $\gamma^2$ instead of $\gamma$ to avoid dealing with square roots later on).
Furthermore, let $\alpha \in \mathbb{F}_{2^{2k}}$ be an element fulfilling the equation $\alpha^2 + \gamma\alpha + \gamma^3 = 0$. As $\mathrm{Tr}_k(\gamma) = 1$ the polynomial $\alpha^2 + \alpha + \gamma = 0$ is irreducible over $\mathbb{F}_{2^k}$ and by replacing $\alpha$ by $\alpha\gamma^{-1}$ and multiplying across by $\gamma^2$ we see that the polynomial $\alpha^2 + \gamma\alpha + \gamma^3 = 0$ is irreducible as well. Therefore $\alpha \notin \mathbb{F}_{2^k}$ and furthermore it holds that $\alpha^{2^k} + \alpha = \gamma$. Thus,
$$\mathrm{Tr}_{2k}(\alpha) = \mathrm{Tr}_k(\alpha^{2^k} + \alpha) = \mathrm{Tr}_k(\gamma) = 1.$$
This implies that the polynomial $x^2 + x + \alpha$ is irreducible over $\mathbb{F}_{2^{2k}}$ and finally every element in $\mathbb{F}_{2^{4k}}$ can be represented by $y + \omega a$, where $y, a \in \mathbb{F}_{2^{2k}}$ and $\omega \in \mathbb{F}_{2^{4k}}$ with $\omega^2 + \omega + \alpha = 0$. Using this expression for $x$ we compute
$$g_{\gamma^2}(x) = g_{\gamma^2}(y + \omega a) = \mathrm{Tr}\big(\gamma^2 (y + \omega a)^{2^{2k}+2^k+1}\big)$$
$$= \mathrm{Tr}\big(\gamma^2 y^{2^{2k}+2^k+1}\big) + \mathrm{Tr}\big(\gamma^2(y^{2^{2k}+2^k}(\omega a) + y^{2^{2k}+1}(\omega a)^{2^k} + y^{2^k+1}(\omega a)^{2^{2k}})\big)$$
$$+ \mathrm{Tr}\big(\gamma^2(y^{2^{2k}}(\omega a)^{2^k+1} + y^{2^k}(\omega a)^{2^{2k}+1} + y(\omega a)^{2^{2k}+2^k})\big) + \mathrm{Tr}\big(\gamma^2(\omega a)^{2^{2k}+2^k+1}\big)$$
$$= A + B + C + D.$$
First we note that $A = 0$ as $\gamma^2$ and $y$ are in $\mathbb{F}_{2^{2k}}$. Furthermore $B$ can be simplified,
$$B = \mathrm{Tr}\big(\gamma^2 y^{2^k+1}(\omega a) + \gamma^2 y^2 (\omega a)^{2^k} + \gamma^2 y^{2^k+1}(\omega a)^{2^{2k}}\big)$$
$$= \mathrm{Tr}\big(\gamma^2 y^{2^k+1}((\omega a) + (\omega a)^{2^{2k}}) + \gamma^2 y^2 (\omega a)^{2^k}\big) = \mathrm{Tr}\big(\gamma^2 y^2 (\omega a)^{2^k}\big),$$
where the last equality follows as $\gamma^2 y^{2^k+1}((\omega a) + (\omega a)^{2^{2k}})$ is in $\mathbb{F}_{2^{2k}}$. Now consider the term $C$. We first remark that $\gamma^2 y^{2^k}(\omega a)^{2^{2k}+1}$ is in the subfield $\mathbb{F}_{2^{2k}}$ and thus
$$C = \mathrm{Tr}\big(\gamma^2(y^{2^{2k}}(\omega a)^{2^k+1} + y(\omega a)^{2^{2k}+2^k})\big) = \mathrm{Tr}\big(\gamma^2 y((\omega a)^{2^k+1} + (\omega a)^{2^{2k}+2^k})\big).$$
Therefore
$$g(x) = g(y + \omega a) = \mathrm{Tr}\big(y\gamma(\omega a)^{2^{k-1}} + \gamma^2(\omega a)^{2^k+1} + \gamma^2(\omega a)^{2^{2k}+2^k} + \gamma^2(\omega a)^{2^{2k}+2^k+1}\big).$$
The important observation is that this expression is linear in $y$. Thus, the function belongs to the generalized Maiorana-McFarland type of functions.
Next, we compute an expression of $g$ using the absolute trace on $\mathbb{F}_{2^{2k}}$, denoted by $\mathrm{Tr}_{2k}$. For this we make use of the following equations
$$\omega + \omega^{2^{2k}} = 1 \qquad \text{and} \qquad \omega^{2^{2k}+2^k+1} + \big(\omega^{2^{2k}+2^k+1}\big)^{2^{2k}} = \alpha$$
that follow from the fact that the two solutions of $x^2 + x + \alpha = 0$ are $\omega$ and $\omega^{2^{2k}}$.
$$g(y + \omega a) = \mathrm{Tr}_{2k}\big(y\gamma a^{2^{k-1}}(\omega + \omega^{2^{2k}})^{2^{k-1}} + \gamma^2(a(\omega + \omega^{2^{2k}}))^{2^k+1}\big) + \mathrm{Tr}_{2k}\big(\gamma^2 a^{2^{2k}+2^k+1}(\omega^{2^{2k}+2^k+1} + (\omega^{2^{2k}+2^k+1})^{2^{2k}})\big)$$
$$= \mathrm{Tr}_{2k}\big(y\gamma a^{2^{k-1}} + \gamma^2 a^{2^k+1} + \alpha\gamma^2 a^{2^k+2}\big).$$
From now on the proof continues very much like Dobbertin's original proof. We denote by $\mu(y) = (-1)^{\mathrm{Tr}_{2k}(y)}$ and $\pi(a) = \gamma a^{2^{k-1}} + \gamma^2 a^{2^k+1}$. We compute
$$\hat g(u + \omega v) = \sum_{y, a \in \mathbb{F}_{2^{2k}}} \mu\big(y\pi(a) + \alpha\gamma^2 a^{2^k+2} + uy + va\big)$$
$$= \sum_a \mu\big(\alpha\gamma^2 a^{2^k+2} + va\big) \sum_y \mu\big(y(\pi(a) + u)\big) = 2^{2k} \sum_{a,\ \pi(a) = u} \mu\big(\alpha\gamma^2 a^{2^k+2} + va\big).$$
For any $u$ we have to study the set $M = \{a \mid \pi(a) = u\}$ and in particular its possible size. First note that $\pi(a) = \pi(a + c)$ implies
$$0 = \pi(a) + \pi(a+c) + \big(\pi(a) + \pi(a+c)\big)^{2^k} = \gamma\big(c^{2^{k-1}} + c^{2^{2k-1}}\big) = \gamma\big(c + c^{2^k}\big)^{2^{k-1}}$$
and we conclude $c \in \mathbb{F}_{2^k}$. Therefore, we can equivalently study the set $\{c^2 \in \mathbb{F}_{2^k} \mid \pi(a_0 + c^2) = u\}$ where $a_0$ is an element in $M$. Note that we use $c^2$ instead of $c$ to get rid of the power $2^{k-1}$. Considering the equation $\pi(a_0) + \pi(a_0 + c^2) = 0$ we get the following equation for $c$:
$$c^4 + \big(a_0^{2^k} + a_0\big)c^2 + \gamma^{-1}c = 0, \quad (13)$$
which immediately implies $|M| \in \{0, 1, 2, 4\}$. As $|\hat g(u + \omega v)| \le 2^{2k}|M|$, the only case we need to care about for proving the theorem is the case $|M| = 4$. In this case the set $M$ consists of the elements
$$M = \{a_0,\ a_0 + c_0,\ a_0 + c_1,\ a_0 + c_0 + c_1\}$$
where $c_0, c_1$ are solutions of (13) and thus $c_0 c_1 (c_0 + c_1) = \gamma^{-1}$.
Next we compute
$$\sum_{a \in M} \mathrm{Tr}_{2k}\big(\alpha\gamma^2 a^{2^k+2} + va\big) = \mathrm{Tr}_{2k}\Big(\alpha\gamma^2\big(a_0^{2^k+2} + (a_0 + c_0)^{2^k+2} + (a_0 + c_1)^{2^k+2} + (a_0 + c_0 + c_1)^{2^k+2}\big)\Big)$$
$$= \mathrm{Tr}_{2k}\big(\alpha\gamma^2(c_0 c_1^2 + c_1 c_0^2)\big) = \mathrm{Tr}_{2k}\big(\alpha\gamma^2(c_0 c_1(c_0 + c_1))\big) = \mathrm{Tr}_{2k}(\alpha\gamma) = \mathrm{Tr}_k\big(\gamma(\alpha + \alpha^{2^k})\big) = \mathrm{Tr}_k(\gamma^2) = 1,$$
which implies
$$\hat g(u + \omega v) = 2^{2k} \sum_{a \in M} \mu\big(\alpha\gamma^2 a^{2^k+2} + va\big) = \pm 2^{2k+1}.$$

4 Closing Remarks and Open Problems

We have demonstrated that the function $f(x) = x^{2^{2k}+2^k+1}$ has the same resistance to both differential and linear attacks as the inverse function. The fact that it can permute the field when $k$ is odd means it could be used in a cryptosystem acting on 12 bits. We now list all the known highly nonlinear permutations with differential uniformity of 4. For power mappings we conjecture this list to be complete.

f(x)                      | Conditions                                  | Ref.
$x^{2^s+1}$               | $n = 2k$, $k$ odd, $\gcd(n, s) = 2$          | [8]
$x^{2^{2s}-2^s+1}$        | $n = 2k$, $k$ odd, $\gcd(n, s) = 2$          | [9]
$x^{-1}$                  | $n$ even                                    | [1]
$x^{2^{2k}+2^k+1}$        | $n = 4k$, $k$ odd                           | This article

Open Problem 1 Find more highly nonlinear permutations of even degree fields with differential uniformity of 4.

Open Problem 2 Find a function, defined on a field of even degree, with higher nonlinearity than $2^{n-1} - 2^{\frac{n}{2}}$ or prove that such a function can't exist.

References

[1] Thomas Beth, Cunsheng Ding, "On almost perfect nonlinear permutations", EUROCRYPT, (1993), 65–76.
[2] C. Bracken, E. Byrne, N. Markin, G. McGuire, "New families of quadratic almost perfect nonlinear trinomials and multinomials", Finite Fields and Their Applications, Vol. 14, Issue 3, July 2008, 703–714.
[3] C. Bracken, E. Byrne, N. Markin, G. McGuire, "A few more quadratic APN functions", Cryptography and Communications, to appear.
[4] L. Budaghyan, C. Carlet, G. Leander, "Constructing new APN functions from known ones", Finite Fields and Their Applications, to appear.
[5] L. Budaghyan, C. Carlet, P. Felke, and G. Leander, "An infinite class of quadratic APN functions which are not equivalent to power mappings", Proceedings of ISIT 2006, Seattle, USA, July 2006.
[6] L. Budaghyan, C. Carlet, G. Leander, "Another class of quadratic APN binomials over $\mathbb{F}_{2^n}$: the case $n$ divisible by 4", Proceedings of WCC 07, pp. 49–58, Versailles, France, April 2007.
[7] H. Dobbertin, "One-to-one highly nonlinear power functions on GF($2^n$)", Appl. Algebra Eng. Commun. Comput., 9, (1998), 139–152.
[8] R. Gold, "Maximal recursive sequences with 3-valued cross-correlation functions", IEEE Trans. Inform. Theory, 14, (1968), 154–156.
[9] T. Kasami, "Weight distributions of B-C-H codes", Combinatorial Mathematics and Applications, ch. 20 (1969).
[10] M. Matsui, "Linear Cryptanalysis Method for DES Cipher", EUROCRYPT 93, LNCS 765, pp. 386–397, Springer-Verlag, 1994.
[11] K. Nyberg, "Differentially uniform mappings for cryptography", Advances in Cryptology - EUROCRYPT 93, Lecture Notes in Computer Science, Springer-Verlag, pp. 55–64, 1994.