Doubly Perfect Nonlinear Boolean Permutations

Due to implementation constraints the XOR operation is widely used in order to combine plaintext and key bit-strings in secret-key block ciphers. This choice directly induces the classical version of the differential attack by the use of XOR-kind dif…

Authors: Laurent Poinsot (LIPN)

Doubly Perfect Nonlinear Boolean Permutations

Laurent Poinsot
LIPN CNRS UMR 7030, Institut Galilée - Université Paris-Nord, 99, avenue Jean-Baptiste Clément, 93430 Villetaneuse, France

Abstract. Due to implementation constraints the XOR operation is widely used in order to combine plaintext and key bit-strings in secret-key block ciphers. This choice directly induces the classical version of the differential attack by the use of XOR-kind differences. While very natural, there are many alternatives to the XOR. Each of them induces a new form for its corresponding differential attack (using the appropriate notion of difference) and therefore block-ciphers need to use S-boxes that are resistant against these nonstandard differential cryptanalyses. In this contribution we study the functions that offer the best resistance against a differential attack based on a finite field multiplication. We also show that in some particular cases, there are robust permutations which offer the best resistance against both multiplication and exponentiation based differential attacks. We call them doubly perfect nonlinear permutations.

Keywords: finite field, perfect nonlinear function, group action.

1 Introduction

Shannon introduced in [13] the notions of diffusion and confusion, which have been widely accepted and successfully used by cryptologists as guidelines in their work to design secret-key ciphers. These notions accurately set up a category of "nice" cryptographic objects, namely the iterative block-ciphers such as the Data and Advanced Encryption Standards (see [3, 4]). Such an algorithm works as an iteration of a certain procedure called the round function. This function is made of two pieces, a linear and a nonlinear part, whose roles are to satisfy Shannon's diffusion and confusion.
Diffusion refers to a sensitivity to the initial conditions: a small deviation in the input should cause a large change at the output. The linear part of the round function is devoted to providing a good level of diffusion. The goal of confusion is to hide the algebraic relations between the plaintext and the secret key in order to make the statistical attacks harder. This is exactly the role assumed by the nonlinear part, also called S-boxes. One of the major attacks against which the S-boxes should be highly resistant is the differential cryptanalysis [1] or its "dual" counterpart, the linear attack [5]. The differential cryptanalysis is intrinsically related to the way the plaintexts and the round-keys are combined at each step. To interlock plaintexts with keys, the XOR or component-wise modulo-two sum (or the addition in characteristic 2) is usually chosen because of its efficient implementation. A block-cipher is then vulnerable to the differential attack if there is a nonzero XOR difference of two plaintexts such that the difference in output is statistically distinguishable from a random variable that follows a (discrete) uniform law. The S-boxes that offer the best resistance against such an attack are the perfect nonlinear functions [7]. As very particular combinatorial objects, perfect nonlinear functions do not exist in every configuration. For instance if one works in finite elementary Abelian 2-groups, which in practice is usually the case, perfect nonlinear permutations cannot exist, precisely because of the involutive nature of the addition. Since in practice the plaintexts and ciphertexts have the same length, we cannot use perfect nonlinear permutations as S-boxes.

So in many cases block-ciphers exploit suboptimally differentially resistant functions, such as almost perfect nonlinear [6] or even differentially 4-uniform [8] functions. We make two simple observations. We have seen above that by nature, the XOR prohibits the existence of perfect nonlinear permutations. Moreover, apart from the XOR operation, the combination law of plaintexts and keys can take many forms. While really efficient by nature, the XOR is a very specific case of group action and it could be interesting to use another one. Roughly speaking (more details are given in subsection 2.2) a group action is nothing but a particular external operation of a group on a set (as the scalar multiplication of vectors). The set in question is the collection of all the possible plaintexts. The set of (round) keys is endowed with a group structure and operates on the messages. Such a very general block-cipher could be vulnerable to a modified differential attack which should no longer be related to the XOR differences but to the appropriate group action differences. In [12] the algorithm of such an attack is presented. Therefore the determination of the best resistant S-boxes, or in other terms the adapted concept of perfect nonlinear functions, is needed. The theoretic description of such functions covers the following contributions [9–11] and the most important definitions and relevant results upon them are recalled in section 2. We said earlier that although natural, the XOR is not the only way to combine bit-strings. In the finite field setting the multiplication also may be used.

The S-boxes that maximally resist against a differential attack based on the multiplication rather than the addition are called multiplicatively perfect nonlinear functions, and in this paper we prove the existence of permutations with such a cryptographic property in many situations (and in more cases than classical perfect nonlinear functions). In addition, in some very particular cases, the multiplicative group $\mathbb{K}^*$ of a finite field $\mathbb{K}$ in characteristic two can be equipped with another multiplication, which is distributive over the classical one. With this second multiplication (which is merely an exponentiation), $\mathbb{K}^*$ turns out to be a finite field itself (but no longer of characteristic two). This paper has as its major goal the construction of Boolean permutations over $\mathbb{K}$ which are perfect nonlinear with respect to both multiplications of the new field. They are called doubly perfect nonlinear Boolean permutations and can be seen as relevant alternatives to the use of almost perfect nonlinear permutations.

2 Classical and generalized situations

2.1 Notations and conventions

In this contribution the term function has the same meaning as the expression total function. If $X$ is a finite set then $|X|$ is its cardinality and $\mathrm{Id}_X$ its identity map. For $f : X \to Y$ and $y \in Y$ we define as usual the fibre $f^{-1}(\{y\}) = \{x \in X \mid f(x) = y\}$. For an additive group $(G,+,0)$ (resp. a multiplicative group $(G,\cdot,1)$) we define $G^* = G \setminus \{0\}$ (resp. $G^* = G \setminus \{1\}$). For a unitary ring $(R,+,0,\cdot,1)$ we have $R^* = R \setminus \{0\}$ and $R^{**} = R^* \setminus \{1\} = R \setminus \{0,1\}$. Moreover the group of units of $R$ (i.e. the group of invertible elements of the ring) is denoted $U(R)$ and obviously $U(R)^* = U(R) \setminus \{1\}$. In order to simplify the notations we sometimes identify a group (or a ring) with its underlying set.
The ring of integers modulo $n$ is denoted $(\mathbb{Z}_n,+,0,\cdot,1)$ and its underlying set is identified with the particular system of representatives of residue classes $\{0,1,\dots,n-1\}$. The finite field of characteristic $p$ with $p^m$ elements is denoted $GF(p^m)$. A prime field $GF(p)$ is identified with $\mathbb{Z}_p$ and therefore with $\{0,1,\dots,p-1\}$. Finally $\mathrm{Aut}(G)$ denotes the set of all group automorphisms of a group $G$.

2.2 Group actions

Essential to everything that we shall discuss in this paper is the notion of group actions. Let $G$ be a group and $X$ a nonempty set. We say that $G$ acts on $X$ if there is a group homomorphism $\phi : G \to S(X)$, where $S(X)$ is the group of permutations over $X$. Usually for $(g,x) \in G \times X$, we use the following convenient notation
$$g.x := \phi(g)(x) \quad (1)$$
and so we hide any explicit reference to the morphism $\phi$. An action is called faithful if the corresponding homomorphism $\phi$ is one-to-one. It is called regular if for each $(x,y) \in X^2$ there is one and only one $g \in G$ such that $g.x = y$. A regular action is also faithful.

Example 1.
– A group $G$ acts on itself by (left) translation: $g.x := gx$ for $(g,x) \in G^2$ ($G$ is here written multiplicatively). This action is regular;
– A subgroup $H$ of a group $G$ also acts on $G$ by translation: $h.x := hx$ for $(h,x) \in H \times G$. This action is faithful and if $H$ is a proper subgroup, then the action is not regular;
– The multiplicative group $\mathbb{K}^*$ of a field $\mathbb{K}$ acts on $\mathbb{K}$ by the multiplication law of the group. This action is faithful but not regular since $0$ is fixed by every element of $\mathbb{K}^*$. More generally the action of $\mathbb{K}^*$ on a $\mathbb{K}$-vector space by scalar multiplication is also a faithful action (in this case the null vector is fixed by any scalar multiplication).

2.3 Group action perfect nonlinearity

Let $X$ and $Y$ be two finite nonempty sets. A function $f : X \to Y$ is called balanced if for each $y \in Y$,
$$|\{x \in X \mid f(x) = y\}| = \frac{|X|}{|Y|}. \quad (2)$$
With the concept of group actions we now have all the ingredients to recall the notion of group action perfect nonlinearity (see [10]).

Definition 1. Let $G$ be a finite group that acts faithfully on a finite nonempty set $X$. Let $H$ be a finite group (written additively). A function $f : X \to H$ is called perfect nonlinear (with respect to the action of $G$ on $X$) or $G$-perfect nonlinear if for each $\alpha \in G^*$, the derivative of $f$ in direction $\alpha$
$$d_\alpha f : X \to H,\quad x \mapsto f(\alpha.x) - f(x) \quad (3)$$
is balanced, or in other words for each $\alpha \in G^*$ and each $\beta \in H$,
$$|\{x \in X \mid d_\alpha f(x) = \beta\}| = \frac{|X|}{|H|}. \quad (4)$$
As we can see our definition coincides with the classical one (see [2]) in the classical situations ($G$ acts on itself by left translation).

3 Doubly perfect nonlinear Boolean permutations

In the finite fields setting there are two main natural group actions, namely additive and multiplicative translations. The first one is the standard used as plaintext and key combination process and has been widely studied in terms of (classical) perfect nonlinearity and/or bentness. In this contribution we focus on the second one: we construct perfect nonlinear functions with respect to multiplication rather than addition, called multiplicatively perfect nonlinear functions. Moreover in very particular cases, multiplication can be seen as an addition of a new finite field. In this paper we exhibit some perfect nonlinear functions with respect to both original and new multiplications, called doubly perfect nonlinear functions.

3.1 Multiplicatively perfect nonlinear functions

Let us begin with a lemma whose proof is a triviality.

Lemma 1. Let $G$ and $H$ be two finite groups (written multiplicatively). Let $\lambda$ be a group homomorphism from $G$ to $H$. For each $\beta \in \lambda(G)$,
$$|\lambda^{-1}(\{\beta\})| = |\ker \lambda|. \quad (5)$$

Let $d$ and $m$ be two nonzero integers. We denote by $V(p,m,d)$ any $d$-dimensional vector space over the finite field $GF(p^m)$. We use the same symbols "+" (resp. "−") to denote both additions (resp. subtractions) of $V(p,m,d)$ and $GF(p^m)$, and $\alpha.v$ is the scalar multiplication of $v \in V(p,m,d)$ by $\alpha \in GF(p^m)$.

Lemma 2. Let $d,e,m,n > 0$ be any integers. Let $\lambda$ be a group homomorphism from $(V(p,m,d),+)$ to $(V(p,n,e),+)$. Let $G$ be a subgroup of the group $GF(p^m)^*$. Then for each $\beta \in \lambda(V(p,m,d))$ and for each $\alpha \in G^*$,
$$|\{v \in V(p,m,d) \mid d_\alpha \lambda(v) = \beta\}| = |\lambda^{-1}(\{\beta\})| = |\ker \lambda|. \quad (6)$$
The proof of the previous lemma is not difficult and thus is not given here.

Theorem 1. Let $d,e,m,n > 0$ be any integers such that $dm \geq en$. Let $\lambda$ be a group epimorphism¹ from $(V(p,m,d),+)$ onto $(V(p,n,e),+)$. Then $\lambda$ is $GF(p^m)^*$-perfect nonlinear.

¹ A group epimorphism is a group homomorphism which is onto.

Proof. Since $\lambda$ is onto, every $\beta \in V(p,n,e)$ belongs to $\lambda(V(p,m,d))$. According to lemma 2 with $G = GF(p^m)^*$, for each $\beta \in V(p,n,e)$ and for each $\alpha \in GF(p^m)^{**} = GF(p^m) \setminus \{0,1\}$, $|\{v \in V(p,m,d) \mid d_\alpha\lambda(v) = \beta\}| = |\lambda^{-1}(\{\beta\})| = |\ker\lambda|$. But $\{\lambda^{-1}(\{\beta\})\}_{\beta \in V(p,n,e)}$ is a partition of $V(p,m,d)$. Therefore we have
$$|V(p,m,d)| = \sum_{\beta \in V(p,n,e)} |\lambda^{-1}(\{\beta\})| = |\ker\lambda|\,|V(p,n,e)|.$$
So $|\ker\lambda| = \frac{|V(p,m,d)|}{|V(p,n,e)|} = p^{md-ne}$. □

In classical situations it is well-known that if a function $f : V(2,m,d) \to V(2,n,e)$ is bent then $md$ is an even integer and $md \geq 2ne$. Replacing addition by multiplication allows us to find "bent" functions even if $md$ is an odd integer and/or $2ne > md \geq ne$. When $md = ne$ (and $p = 2$), almost perfect nonlinear (APN) functions are relevant for cryptographic purposes.
They are defined (see [6]) by the fact that the equation $d_\alpha f(x) = \beta$ with $x$ as an unknown has at most two solutions for each $\alpha \neq 0$ and each $\beta$. The only known examples of APN permutations need $md$ to be an odd integer. In our case, by construction, any $GF(p^m)$-linear isomorphism of $V(p,m,d)$ is $GF(p^m)^*$-perfect nonlinear; so it is also the case for $p = 2$ and $md$ an even integer.

3.2 Doubly perfect nonlinear Boolean permutations

The group of units $GF(p^m)^*$ of the finite field $GF(p^m)$ can be equipped with another multiplication that turns it into a unitary commutative ring. Indeed let $\gamma$ be a primitive root of $GF(p^m)$. The exponential
$$e_\gamma : (\mathbb{Z}_{p^m-1},+) \to GF(p^m)^*,\quad i \mapsto \gamma^i \quad (7)$$
is a group isomorphism (in the remainder we always suppose that such a primitive root $\gamma$ is fixed). We can use it to turn $GF(p^m)^*$ into a commutative unitary ring, isomorphic to the ring of integers modulo $p^m-1$, by² $\gamma^i \times \gamma^j = \gamma^{ij}$. We call such a structure $(GF(p^m),+,0,\cdot,1,\times,\gamma)$ a characteristic $(p, p^m-1)$ field-ring (which means that $(GF(p^m),+,0,\cdot,1)$ is a characteristic 2 field and $(GF(p^m)^*,\cdot,1,\times,\gamma)$ is a characteristic $p^m-1$ ring, i.e. $\gamma^{p^m-1} = 1$ and $\gamma^i \neq 1$ for all $0 < i < p^m-1$) or a double-field when $(GF(p^m)^*,\cdot,1,\times,\gamma)$ is also a field. The multiplicative identity of the ring $(GF(p^m)^*,\cdot,1,\times,\gamma)$ is $\gamma^1 = \gamma$ and the classical rules of distributivity, absorption and associativity take the following forms: $\gamma^i \times (\gamma^j\gamma^k) = (\gamma^i \times \gamma^j)(\gamma^i \times \gamma^k)$, $1 \times \gamma^i = 1$, $\gamma^i \times (\gamma^j \times \gamma^k) = (\gamma^i \times \gamma^j) \times \gamma^k$. The group of units of this ring, $U(GF(p^m)^*)$, is equal to $\{\gamma^i \mid i \in U(\mathbb{Z}_{p^m-1})\} = \{\gamma^i \mid (i, p^m-1) = 1\}$ (where $(i,j)$ is the greatest common divisor of $i$ and $j$) and if $\gamma^i$ is invertible with respect to $\times$ (i.e. $\gamma^i$ is a unit), $(\gamma^i)^{-1} = \gamma^{1/i}$. If $i \neq 0$ is not congruent with 1 modulo $p^m-1$, then it is a zero divisor in $\mathbb{Z}_{p^m-1}$: there exists $j \in \mathbb{Z}^*_{p^m-1}$ such that $ij = 0$, therefore $\gamma^i$ is itself a zero divisor³ in $GF(p^m)^*$ because $\gamma^i \times \gamma^j = \gamma^{ij} = \gamma^0 = 1$. This ring is an integral domain if and only if $(\mathbb{Z}_{p^m-1},+,0,\cdot,1)$ is itself an integral domain, or equivalently a (finite) field. So $(GF(p^m)^*,\cdot,1,\times,\gamma)$ is a finite field if and only if $p^m-1$ is a prime integer. If $p$ is an odd prime number then the only possible choice is $p = 3$ and $m = 1$ (since $3^1-1 = 2$) because in the other cases $p^m-1 > 2$ and is even. The following lemma gives a constraint on $m$ when $p = 2$.

² More rigorously $\gamma^i \times \gamma^j = e_\gamma(e_\gamma^{-1}(\gamma^i)\, e_\gamma^{-1}(\gamma^j)) = e_\gamma(ij)$. In fact any calculation in the exponent should be understood modulo $p^m-1$.
³ More formally we should say a $\times$-divisor of 1.

Lemma 3. Let $k \in \mathbb{N}^*$, $k > 1$. Let $m \in \mathbb{N}^*$. If $m$ is not a prime integer then neither is $k^m-1$.

Proof. Suppose that $m = rs$ where both $r$ and $s$ are integers greater than or equal to 2. We will prove that
$$k^{rs} - 1 = (k^r - 1)\sum_{i=1}^{s} k^{r(s-i)}$$
by induction on the integer $s$. If $s = 2$ then $k^{2r}-1 = (k^r-1)(k^r+1)$. Let $s \in \mathbb{N}^*$ such that $s \geq 2$. Suppose that for all integers $l$ such that $1 < l \leq s$,
$$k^{rl} - 1 = (k^r-1)\sum_{i=1}^{l} k^{r(l-i)}.$$
Let us prove that
$$k^{r(s+1)} - 1 = (k^r-1)\sum_{i=1}^{s+1} k^{r(s+1-i)}.$$
We have
$$k^{r(s+1)} - 1 = k^{r(s+1)} - k^r + k^r - 1 = k^r(k^{rs}-1) + (k^r-1) = k^r(k^r-1)\sum_{i=1}^{s} k^{r(s-i)} + (k^r-1) \quad \text{(by induction hypothesis)} \quad (8)$$
$$= (k^r-1)\left(\sum_{i=1}^{s} k^{r(s+1-i)} + 1\right) = (k^r-1)\sum_{i=1}^{s+1} k^{r(s+1-i)}. \quad (9)$$
□

An integer of the form $2^q-1$ where $q$ is a prime number is called a Mersenne number. When a Mersenne number is itself a prime integer, it is called a Mersenne prime⁴.
So given a Mersenne prime $p = 2^q-1$, $(GF(2^q)^*,\cdot,1,\times,\gamma)$ is isomorphic to the prime field $(GF(p),+,0,\cdot,1)$ (which is identified with $(\mathbb{Z}_p,+,0,\cdot,1)$) and $(GF(2^q),+,0,\cdot,1,\times,\gamma)$ is a characteristic $(2,p)$ double-field (i.e. $(GF(2^q),+,0,\cdot,1)$ is a characteristic 2 field and $(GF(2^q)^*,\cdot,1,\times,\gamma)$ is a characteristic $p$ field). We now characterize the existence of some subgroups of units in rings which will be useful in the sequel.

Lemma 4. Let $R$ be a non-trivial unitary ring⁵. Then $-1$ is invertible in $R$.

Proof. It is obvious since $(-1)(-1) = 1$. □

Lemma 5. Let $n > 1$. The group of units $U(\mathbb{Z}_n)$ contains at least one subgroup $G$ such that for every $i \in G^*$ (i.e. $i \neq 1$ and $i \in G$), $i - 1 \in U(\mathbb{Z}_n)$, if and only if $n$ is equal to 2 or is an odd integer.

Proof. If $n = 2$ then $G = U(\mathbb{Z}_2) = \{1\}$ is a group with the required properties. Let us suppose that $n > 2$ is an even integer. Then $i$ belongs to $U(\mathbb{Z}_n)$ if and only if $(i,n) = 1$. Therefore $i$ is an odd integer. Then $i-1$ is equal to zero or is an even integer, and it is invertible in neither case. Now let us suppose that $n$ is an odd integer. Then $2$ is invertible modulo $n$. Since according to lemma 4 (as $n > 1$, $\mathbb{Z}_n$ is non-trivial) $-1$ is a unit, $-2 = 2(-1) = -1-1$ is also invertible. The group $G = \langle -1 \rangle = \{\pm 1\}$ satisfies the assumptions of the lemma. □

We should note that in the particular case where $n$ is a prime number $p$, $\mathbb{Z}_p^* = U(\mathbb{Z}_p)$ is such a group $G$. If $n = 2^m-1$ then $n$ is odd, so there is at least one subgroup $G$ of $\mathbb{Z}_{2^m-1}$ such that $\forall i \in G^*$, $i-1 \in U(\mathbb{Z}_{2^m-1})$. If $p$ is an odd prime then $p^m-1$ is an even number. So except in the trivial case $p = 3$ and $m = 1$, $U(\mathbb{Z}_{p^m-1})$ does not contain any such group $G$.

Lemma 6. Let $\gamma^i \in U((GF(p^m)^*,\cdot,1,\times,\gamma))$. Then the map
$$\lambda^\times_{\gamma^i} : GF(p^m)^* \to GF(p^m)^*,\quad \gamma^j \mapsto \gamma^i \times \gamma^j \quad (10)$$
is a group automorphism of $(GF(p^m)^*,\cdot,1)$.

Proof. Since $\times$ is distributive over $\cdot$, $\lambda^\times_{\gamma^i}$ is a group endomorphism of $(GF(p^m)^*,\cdot,1)$. Let $\gamma^j$ be such that $\gamma^{ij} = 1$. This is equivalent to $ij = 0$. But $\gamma^i \in U(GF(p^m)^*)$, so $i \in U(\mathbb{Z}_{p^m-1})$ and then $ij = 0$ if and only if $j = 0$. So $\gamma^j = \gamma^0 = 1$ and $\lambda^\times_{\gamma^i}$ is one-to-one, hence also onto. It is thus an element of $\mathrm{Aut}((GF(p^m)^*,\cdot,1))$. □

⁴ For instance $3 = 2^2-1$, $5 = 2^3-1$, $31 = 2^5-1$ and $127 = 2^7-1$ are Mersenne prime numbers.
⁵ $R$ is not reduced to $0$.

Lemma 7. Let $G$ be a subgroup of $(U(GF(p^m)^*),\times,\gamma)$. Then $G$ acts faithfully (by group automorphisms) on $(GF(p^m)^*,\cdot,1)$ by $\rho(\gamma^i) : \gamma^j \mapsto \gamma^i \times \gamma^j$.

Proof. We define
$$\rho : G \to \mathrm{Aut}((GF(p^m)^*,\cdot,1)),\quad \gamma^i \mapsto \lambda^\times_{\gamma^i} : (\gamma^j \mapsto \gamma^i \times \gamma^j). \quad (11)$$
(By lemma 6 we already know that for each $\gamma^i \in G$, we have $\rho(\gamma^i) = \lambda^\times_{\gamma^i} \in \mathrm{Aut}((GF(p^m)^*,\cdot,1))$.) Let us prove that $\rho$ is a group action on $GF(p^m)^*$. Let $\gamma^i$ and $\gamma^j$ be elements of $G$ and let $\gamma^k \in GF(p^m)^*$. Then $\rho(\gamma^i \times \gamma^j)(\gamma^k) = \rho(\gamma^{ij})(\gamma^k) = \gamma^{ij} \times \gamma^k = \gamma^{ijk} = \gamma^i \times (\gamma^j \times \gamma^k) = (\rho(\gamma^i) \circ \rho(\gamma^j))(\gamma^k)$. So $\rho$ is a group homomorphism from $G$ to $\mathrm{Aut}((GF(p^m)^*,\cdot,1))$. Finally let $\gamma^i \in G$ such that $\rho(\gamma^i) = \mathrm{Id}_{GF(p^m)^*}$. For any $k \in \mathbb{Z}_{p^m-1}$, $\gamma^{ik} = \gamma^k$. So $ik = k$ and in particular $i \cdot 1 = 1$, therefore $i = 1$ and $\gamma^i = \gamma^1 = \gamma$. We deduce that $\rho$ is one-to-one and the action is thus faithful. □

Definition 2. Let $G$ be a group and $X$ be any (nonempty) set. The restriction to $G^*$ of a map $f : G \to X$ is denoted $f^*$.

Theorem 2. Let $m \in \mathbb{N}^*$ such that $m > 1$. Let $G$ be a subgroup of $U(\mathbb{Z}_{2^m-1})$ such that for each $i \in G^*$, $i-1 \in U(\mathbb{Z}_{2^m-1})$ (such a group exists according to lemma 5, since $2^m-1 > 1$ by assumption and is an odd number).
Let $\lambda$ be a field automorphism from $GF(2^m)$ to itself. Then we have
1. $\lambda$ is $(GF(2^m)^*,\cdot,1)$-perfect nonlinear from $GF(2^m)$ to $GF(2^m)$;
2. $\lambda^*$ is $(\gamma^G,\times,\gamma)$-perfect nonlinear from $GF(2^m)^*$ to $GF(2^m)^*$, where $\gamma^G = e_\gamma(G)$.

Proof.
1. This result is clear by applying theorem 1 with $GF(2^m)$ considered as a one-dimensional vector space over itself;
2. Since $\gamma^G = e_\gamma(G)$, $\gamma^G$ is a subgroup of the group of units of $GF(2^m)^*$. By lemma 7, $\gamma^G$ acts faithfully on $GF(2^m)^*$ by group automorphisms. Because $\lambda$ is a field homomorphism, $\lambda(GF(2^m)^*) \subseteq GF(2^m)^*$ and therefore $\lambda^* : GF(2^m)^* \to GF(2^m)^*$ is a group homomorphism. Moreover $\lambda^*$ is onto. Indeed for $y \in GF(2^m)^*$ there is $x \in GF(2^m)$ such that $\lambda(x) = y$. Since $y \neq 0$, $x \neq 0$ and therefore $\lambda^*(x) = y$. So $\lambda^*$ is a group epimorphism (and then a group automorphism). Let $\beta \in GF(2^m)^* = \lambda(GF(2^m)^*)$. Let $\gamma^i \in (\gamma^G)^*$ (so $i \neq 1$). Let us prove that $\{\gamma^j \in GF(2^m)^* \mid d_{\gamma^i}\lambda^*(\gamma^j) = \beta\} = \gamma^{1/(i-1)} \times \lambda^{-1}(\{\beta\})$. We have
$$d_{\gamma^i}\lambda^*(\gamma^j) = \beta \Leftrightarrow \frac{\lambda^*(\gamma^i \times \gamma^j)}{\lambda^*(\gamma^j)} = \beta \Leftrightarrow \lambda\!\left(\frac{\gamma^i \times \gamma^j}{\gamma^j}\right) = \beta \ \text{(because $\lambda$ is a field homomorphism)} \Leftrightarrow \lambda((\gamma^i \times \gamma^j)(\gamma^{-j})) = \beta \Leftrightarrow \lambda((\gamma^i \times \gamma^j)(\gamma^{-1} \times \gamma^j)) = \beta \Leftrightarrow \lambda((\gamma^i\gamma^{-1}) \times \gamma^j) = \beta \ \text{(by distributivity)} \Leftrightarrow \lambda(\gamma^{i-1} \times \gamma^j) = \beta \Leftrightarrow \gamma^{i-1} \times \gamma^j \in \lambda^{-1}(\{\beta\}). \quad (12)$$
Since $\gamma^i \in (\gamma^G)^* \Leftrightarrow i \in G^*$ and by assumption on $G$, $i-1$ is invertible modulo $2^m-1$. Then $\gamma^{i-1} \in U(GF(2^m)^*)$. According to lemma 6, $\lambda^\times_{\gamma^{i-1}} \in \mathrm{Aut}((GF(2^m)^*,\cdot,1))$. Therefore $\gamma^{i-1} \times \gamma^j \in \lambda^{-1}(\{\beta\}) \Leftrightarrow \gamma^j \in (\lambda^\times_{\gamma^{i-1}})^{-1}\big(\lambda^{-1}(\{\beta\})\big) = \gamma^{1/(i-1)} \times \lambda^{-1}(\{\beta\})$. Since $\lambda^\times_{\gamma^{1/(i-1)}}$ is a permutation we have $|\lambda^{-1}(\{\beta\})| = |\gamma^{1/(i-1)} \times \lambda^{-1}(\{\beta\})|$. Because $\beta \in GF(p^m)^*$, we have $\lambda^{-1}(\{\beta\}) = (\lambda^*)^{-1}(\{\beta\})$ and by lemma 1 we deduce that $|\gamma^{1/(i-1)} \times \lambda^{-1}(\{\beta\})| = |(\lambda^*)^{-1}(\{\beta\})| = |\ker\lambda^*|$ with $\ker\lambda^* = \{x \in GF(2^m)^* \mid \lambda^*(x) = 1\} = \{x \in GF(2^m)^* \mid \lambda(x) = 1\}$. In addition $\{\lambda^{-1}(\{\beta\})\}_{\beta \in GF(p^m)^*}$ is a partition of $GF(2^m)^*$. Therefore we have
$$|GF(2^m)^*| = \sum_{\beta \in GF(2^m)^*} |\lambda^{-1}(\beta)| = |\ker\lambda^*|\,|GF(2^m)^*|. \quad (13)$$
Then for each $\gamma^i \in (\gamma^G)^*$ (or equivalently for each $i \in G^*$) and for each $\beta \in GF(2^m)^*$, $|\{\gamma^j \in GF(2^m)^* \mid d_{\gamma^i}\lambda^*(\gamma^j) = \beta\}| = |\ker\lambda^*| = 1$. □

Definition 3. Let $p = 2^q-1$ be a Mersenne prime number. A function $f : GF(2^q) \to GF(2^q)$ such that $f(\alpha) \neq 0$ for all invertible $\alpha \in GF(2^q)$ is called doubly perfect nonlinear if
1. $f$ is $(GF(2^q)^*,\cdot,1)$-perfect nonlinear from $GF(2^q)$ to itself;
2. $f^*$ is $(GF(2^q)^{**},\times,\gamma)$-perfect nonlinear from $GF(2^q)^*$ to itself.

Since the group of field automorphisms of a finite field $GF(p^m)$ is identical to the Galois group of the degree $m$ extension $GF(p^m)$ over its prime field, which is a cyclic group generated by the Frobenius automorphism
$$F_p : GF(p^m) \to GF(p^m),\quad x \mapsto x^p \quad (14)$$
every field automorphism $\lambda$ can be written as $F_p^r$ for one $r$ such that $0 \leq r \leq m-1$. We now give a nice result that asserts the existence of a Boolean permutation over $GF(2^q)$, where $p = 2^q-1$ is a Mersenne prime, which is both $(GF(2^q)^*,\cdot,1)$- and $(GF(2^q)^{**},\times,\gamma)$-perfect nonlinear, i.e. doubly perfect nonlinear.

Theorem 3. Let $p = 2^q-1$ be a Mersenne prime number. Let $\lambda = F_2^r$ (for any $0 \leq r \leq q-1$) be a field automorphism of $GF(2^q)$. Then $\lambda$ is a doubly perfect nonlinear permutation.

Proof. Because $p = 2^q-1$ is a prime number, $GF(2^q)^*$ is isomorphic to the field $GF(p) = \mathbb{Z}_p$.
Therefore we can choose $G = \mathbb{Z}_p^*$ as a group such that for each $i \in G^*$, $i-1$ is invertible modulo $p$. Then $\gamma^G = U(GF(2^q)^*) = GF(2^q)^{**} = GF(2^q) \setminus \{0,1\}$. According to theorem 2, $\lambda$ is $(GF(2^q)^*,\cdot,1)$-perfect nonlinear and $\lambda^*$ is $(GF(2^q)^{**},\times,\gamma)$-perfect nonlinear. □

References

[1] E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 4(1):3-72, 1991.
[2] C. Carlet and C. Ding. Highly nonlinear mappings. Journal of Complexity, 20(2):205-244, 2004.
[3] FIPS 46-3, Data encryption standard, Federal Information Processing Standards Publication 46-3 (1999), U.S. Department of Commerce/N.I.S.T.
[4] FIPS 197, Advanced encryption standard, Federal Information Processing Standards Publication 197 (2001), U.S. Department of Commerce/N.I.S.T.
[5] M. Matsui. Linear cryptanalysis for DES cipher. In Advances in Cryptology - Eurocrypt'93, vol. 765 of Lecture Notes in Computer Science, pp. 386-397, 1994.
[6] K. Nyberg and L. Knudsen. Provable security against differential cryptanalysis. In Advances in Cryptology - Crypto'92, vol. 740 of Lecture Notes in Computer Science, pp. 566-574, 1993.
[7] K. Nyberg. Perfect nonlinear S-boxes. In Advances in Cryptology - Eurocrypt'92, vol. 547 of Lecture Notes in Computer Science, pp. 378-386, 1992.
[8] K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology - Eurocrypt'93, vol. 765 of Lecture Notes in Computer Science, pp. 55-64, 1994.
[9] L. Poinsot and S. Harari. Generalized Boolean bent functions. In Progress in Cryptology - Indocrypt 2004, vol. 3348 of Lecture Notes in Computer Science, pp. 107-119, 2004.
[10] L. Poinsot and S. Harari. Group actions based perfect nonlinearity. GESTS International Transactions on Computer Science and Engineering, 12(1):1-14, 2005.
[11] L. Poinsot. Non linéarité parfaite généralisée au sens des actions de groupe, contribution aux fondements de la solidité cryptographique. PhD thesis, University of South Toulon-Var, 2005.
[12] L. Poinsot. Boolean bent functions in impossible cases: odd and plane dimensions. International Journal of Computer Science and Network Security, 6(8):18-26, 2006.
[13] C. E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28:656-715, 1949.
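The following is an added worked example and not code from the paper. It fixes $q = 5$, so that $p = 2^5 - 1 = 31$ is a Mersenne prime, represents $GF(2^5)$ on the irreducible polynomial $x^5 + x^2 + 1$ (my choice; the paper fixes no representation), realises the exponential $e_\gamma$ of (7) and the second multiplication $\gamma^i \times \gamma^j = \gamma^{ij}$, and then checks Definition 1 exhaustively, by counting derivative values as in (4), for the three actions that matter here: the classical XOR translation (where, as the introduction states, no permutation can be perfect nonlinear), the multiplicative action of Theorem 1, and the $\times$-action of Definition 3 and Theorem 3. It also confirms that $\times$ has no zero divisors for this $q$, i.e. that $GF(2^5)$ is a double-field. All function and variable names are mine.

```python
# Added worked example (not from the paper): exhaustive check of Definition 1,
# Theorem 1 and Theorem 3 on GF(2^5), where 2^5 - 1 = 31 is a Mersenne prime.
Q = 5
P = 2 ** Q - 1                # 31, the Mersenne prime p of Theorem 3
MODULUS = 0b100101            # x^5 + x^2 + 1, irreducible over GF(2) (my choice, not fixed by the paper)
FIELD = list(range(2 ** Q))   # elements of GF(2^5) as 5-bit integers (polynomial basis)
NONZERO = FIELD[1:]           # GF(2^5)^*
GAMMA = 0b10                  # the class of x; primitive, since every element != 1 has order 31


def gf_mul(a, b):
    """Multiplication in GF(2^Q): carry-less product reduced modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> Q:
            a ^= MODULUS
    return r


# The exponential e_gamma of (7): EXP[i] = gamma^i, LOG is its inverse.
EXP = [1]
for _ in range(P - 1):
    EXP.append(gf_mul(EXP[-1], GAMMA))
LOG = {v: i for i, v in enumerate(EXP)}
assert len(LOG) == P, "GAMMA is not a primitive root"


def gf_inv(a):
    """Inverse for the field multiplication."""
    return EXP[(-LOG[a]) % P]


def star_mul(a, b):
    """The paper's second multiplication on GF(2^Q)^*: gamma^i x gamma^j = gamma^(ij mod 2^Q-1)."""
    return EXP[(LOG[a] * LOG[b]) % P]


def is_double_field():
    """(GF(2^Q)^*, ., 1, x, gamma) is a field iff x has no zero divisors, i.e. iff 2^Q - 1 is prime."""
    ring = [a for a in NONZERO if a != 1]   # 1 = gamma^0 is the x-absorbing element
    return all(star_mul(a, b) != 1 for a in ring for b in ring)


def frobenius(x, r=1):
    """The field automorphism F_2^r : x -> x^(2^r) of (14)."""
    for _ in range(r):
        x = gf_mul(x, x)
    return x


def derivative_counts(f, X, act, alpha, sub):
    """Value distribution of the derivative d_alpha f : x -> f(alpha.x) 'minus' f(x) of (3)."""
    counts = {}
    for x in X:
        beta = sub(f(act(alpha, x)), f(x))
        counts[beta] = counts.get(beta, 0) + 1
    return counts


def is_perfect_nonlinear(f, X, H, act, nonidentity, sub):
    """Definition 1: every derivative in a non-identity direction is balanced, i.e. it
    takes each value of H exactly |X|/|H| times (equation (4))."""
    target = len(X) // len(H)
    for alpha in nonidentity:
        counts = derivative_counts(f, X, act, alpha, sub)
        if any(counts.get(beta, 0) != target for beta in H):
            return False
    return True


def additive_pn(f):
    """Classical case: (GF(2^Q), +) acting on itself by XOR; G^* = nonzero elements."""
    return is_perfect_nonlinear(f, FIELD, FIELD, lambda a, x: a ^ x, NONZERO, lambda u, v: u ^ v)


def multiplicative_pn(f):
    """Theorem 1 setting: GF(2^Q)^* acting on GF(2^Q) by multiplication; G^* = GF(2^Q)^**."""
    g_star = [a for a in NONZERO if a != 1]
    return is_perfect_nonlinear(f, FIELD, FIELD, gf_mul, g_star, lambda u, v: u ^ v)


def exponent_pn(f):
    """Second condition of Definition 3: gamma^G = GF(2^Q)^** acts on GF(2^Q)^* by x with
    identity gamma; values live in the multiplicative group, so 'minus' is division."""
    group = [a for a in NONZERO if a != 1]
    nonidentity = [a for a in group if a != GAMMA]
    divide = lambda u, v: gf_mul(u, gf_inv(v))
    return is_perfect_nonlinear(f, NONZERO, NONZERO, star_mul, nonidentity, divide)


def is_doubly_perfect_nonlinear(f):
    """Definition 3, checked exhaustively (f must map invertible elements to nonzero ones)."""
    if any(f(a) == 0 for a in NONZERO):
        return False
    return multiplicative_pn(f) and exponent_pn(f)


if __name__ == "__main__":
    print("double-field:", is_double_field())
    for r in range(Q):
        lam = lambda x, r=r: frobenius(x, r)
        print(f"F_2^{r}: XOR-PN={additive_pn(lam)}  doubly PN={is_doubly_perfect_nonlinear(lam)}")
```

Running the script shows that every Frobenius power $F_2^r$ fails the classical XOR test (its XOR-derivative $\lambda(x+\alpha)+\lambda(x) = \lambda(\alpha)$ is constant) while passing both tests of Definition 3, which is exactly the content of Theorem 3 for $q = 5$. The same checker reports that the quadratic $x \mapsto x^2 + x + 1$ is not multiplicatively perfect nonlinear, so the property is far from automatic for an arbitrary nonzero-preserving map.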
