A Few More Quadratic APN Functions

We present two infinite families of APN functions where the degree of the field is divisible by 3 but not 9. Our families contain two already known families as special cases. We also discuss the inequivalence proof (by computation) which shows that t…

Authors: Carl Bracken, Eimear Byrne, Nadya Markin

Carl Bracken, Eimear Byrne, Nadya Markin, Gary McGuire
School of Mathematical Sciences, University College Dublin, Ireland
November 1, 2018

Funding: C. Bracken was supported by an Irish Research Council for Science, Engineering and Technology Postdoctoral Fellowship; E. Byrne, N. Markin and G. McGuire were supported by the Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006.

Abstract. We present two infinite families of APN functions on $GF(2^n)$ where $n$ is divisible by 3 but not 9. Our families contain two already known families as special cases. We also discuss the inequivalence proof (by computation) which shows that these functions are new.

1 Introduction

Let $L = GF(2^n)$ for some positive integer $n$. A function $f : L \to L$ is said to be almost perfect nonlinear (APN) on $L$ if the number of solutions in $L$ of the equation
$$f(x+q) + f(x) = p$$
is at most 2, for all $p, q \in L$, $q \neq 0$. Equivalently, $f$ is APN if the set $\{f(x+q) + f(x) : x \in L\}$ has size $2^{n-1}$ for each $q \in L^*$. Clearly, as $L$ has characteristic 2, the number of solutions to the above equation must be an even number for any function $f$ on $L$. APN functions were introduced in [13] by Nyberg, who defined them as the mappings with highest resistance to differential cryptanalysis. In other words, APN functions are those for which the plaintext difference $x - y$ yields the ciphertext difference $f(x) - f(y)$ with probability $1/2^{n-1}$. Since Nyberg's characterization, many papers have been written on APN functions, although not many different families of such functions are known. The main result of this paper is a construction of a new family of APN functions.
Two functions $f, g : L \to L$ are called extended affine (EA) equivalent if there exist affine permutations $A_1, A_2$ and an affine map $A$ such that $g = A_1 \circ f \circ A_2 + A$. Until recently, all known APN functions were EA equivalent to one of a short list of monomial functions, namely the Gold, Kasami-Welch, inverse, Welch, Niho and Dobbertin functions. For some time it was conjectured that this list was the complete list of APN functions up to EA equivalence. A more general notion of equivalence has been suggested in [10], which is referred to as Carlet-Charpin-Zinoviev (CCZ) equivalence. Two functions are called CCZ equivalent if the graph of one can be obtained from the graph of the other by an affine permutation of the product space. EA equivalence is a special case of CCZ equivalence. We say that $f : L \to L$ is differentially $m$-uniform if the polynomial $f(x+q) + f(x) + p$ has at most $m$ roots in $L$, for any $p, q \in L$, $q \neq 0$. Then $f$ is APN on $L$ if and only if it is differentially 2-uniform on $L$. Differential uniformity, and resistance to linear and differential attacks, are invariants of CCZ equivalence. In [7], Proposition 3, the authors express necessary and sufficient conditions for EA equivalence of functions in terms of CCZ equivalence and use this to construct several examples of APN functions that are CCZ equivalent to the Gold functions, but not EA equivalent to any monomial function. This showed that the original conjecture is false. The new question was whether all APN functions are CCZ equivalent to one on the list. In 2006 a sporadic example of a binomial APN function that is not CCZ equivalent to any power mapping was given in [12]. A family of APN binomials on fields $F_{2^n}$, where $n$ is divisible by 3 but not 9, was presented in [3].
In [4] these have been shown to be EA inequivalent to any monomial function, and CCZ inequivalent to the Gold or Kasami-Welch functions. For the case $n = 6$, in [11] Dillon presented a list of CCZ inequivalent APN functions on $GF(2^n)$, found by computer search. Below we list all the infinite families of non-monomial APN functions known at the time of writing. These families are all pairwise CCZ inequivalent.

1. $f(x) = x^{2^s+1} + \alpha x^{2^{ik} + 2^{mk+s}}$, where $n = 3k$, $(k,3) = (s,3k) = 1$, $k \geq 3$, $i \equiv sk \bmod 3$, $m \equiv -i \bmod 3$, $\alpha = t^{2^k-1}$ and $t$ is primitive (see Budaghyan, Carlet, Felke, Leander [3]).

2. $f(x) = x^{2^s+1} + \alpha x^{2^{ik} + 2^{mk+s}}$, where $n = 4k$, $(k,2) = (s,2k) = 1$, $k \geq 3$, $i \equiv sk \bmod 4$, $m = 4 - i$, $\alpha = t^{2^k-1}$ and $t$ is primitive (see Budaghyan, Carlet, Leander [5]). This family generalizes an example found for $n = 12$ by Edel, Kyureghyan, Pott [12].

3. $f(x) = \alpha x^{2^s+1} + \alpha^{2^k} x^{2^{k+s} + 2^k} + \beta x^{2^k+1} + \sum_{i=1}^{k-1} \gamma_i x^{2^{k+i} + 2^i}$, where $n = 2k$, $\alpha$ and $\beta$ are primitive elements of $GF(2^n)$, $\gamma_i \in GF(2^k)$ for each $i$, $(k,s) = 1$, $k$ is odd and $s$ is odd (see Bracken, Byrne, Markin, McGuire [1]).

4. $f(x) = x^3 + Tr(x^9)$, over $GF(2^n)$, any $n$ (see Budaghyan, Carlet, Leander [6]).

5. $f(x) = u x^{2^{-k} + 2^{k+s}} + u^{2^k} x^{2^s+1} + v x^{2^{k+s} + 2^s}$, where $n = 3k$, $u$ is primitive, $v \in GF(2^k)$, $(s,3k) = 1$, $(3,k) = 1$ and 3 divides $k+s$ (see Bracken, Byrne, Markin, McGuire [1]).

6. $F(x) = u^{2^k} x^{2^{-k} + 2^{k+s}} + u x^{2^s+1} + v x^{2^{-k}+1}$, where $n = 3k$, $s$ and $k$ are positive integers with $k+s$ divisible by three and $(s,3k) = (3,k) = 1$, $u$ is a primitive element of $GF(2^{3k})$ and $v \in GF(2^k)$ (this paper).

7. $F(x) = u^{2^k} x^{2^{-k} + 2^{k+s}} + u x^{2^s+1} + v x^{2^{-k}+1} + w u^{2^k+1} x^{2^{k+s} + 2^s}$, where $n = 3k$, $s$ and $k$ are positive integers with $k+s$ divisible by three and $(s,3k) = (3,k) = 1$, $u$ is a primitive element of $GF(2^{3k})$ and $v, w \in GF(2^k)$ with $vw \neq 1$ (this paper).

In general, establishing CCZ equivalence of arbitrary functions is extremely difficult. There are, however, a number of invariants of CCZ equivalence that can be useful in the classification of functions. A nice link with coding theory is that a pair of functions $f$ and $g$ on $L$ are CCZ equivalent on $L$ if and only if the binary codes with parity check matrices
$$H_f = \begin{pmatrix} 1 & \cdots & 1 \\ \bar{x}_1 & \cdots & \bar{x}_{2^n} \\ \overline{f(x_1)} & \cdots & \overline{f(x_{2^n})} \end{pmatrix}, \qquad H_g = \begin{pmatrix} 1 & \cdots & 1 \\ \bar{x}_1 & \cdots & \bar{x}_{2^n} \\ \overline{g(x_1)} & \cdots & \overline{g(x_{2^n})} \end{pmatrix}$$
are equivalent over $GF(2)$, see [1]. Here $\bar{x}_i$, $\overline{f(x_i)}$ and $\overline{g(x_i)}$ are the expressions of $x_i$, $f(x_i)$ and $g(x_i)$ respectively as binary vectors of length $n$, with $L$ viewed as a $GF(2)$ vector space, and $L = \{x_1, \ldots, x_{2^n}\}$.

In this paper we introduce a new family of APN functions on fields of order $2^{3k}$ where $k$ is not divisible by 3. The family of polynomials has the form
$$F(x) = u^{2^k} x^{2^{-k} + 2^{k+s}} + u x^{2^s+1} + v x^{2^{-k}+1} + w u^{2^k+1} x^{2^{k+s} + 2^s}$$
with certain constraints on the integers $s, k$ and on $u, v, w \in GF(2^{3k})$ (see Theorem 2.1, or Family 7 in the introduction). Curiously, setting $w = 0$ gives a different family of trinomial APN functions (Family 6, see Section 3). The layout of this paper is as follows. In the next section we show that our polynomials are indeed APN functions on $GF(2^{3k})$. Using code equivalence, in Section 3 we explain the fact that these functions are not CCZ equivalent to any known APN functions when $n = 12$, and are therefore new.
2 New APN functions

The following theorem constructs quadratic quadrinomial APN functions on $GF(2^n)$ whenever $n$ is divisible by 3 but not 9. A quadratic monomial is one of the form $x^{2^i + 2^j}$ for some integers $i$ and $j$. Observe that if $f(x) = x^{2^i + 2^j}$, then
$$f(x+q) + f(x) + f(q) = x^{2^i} q^{2^j} + x^{2^j} q^{2^i}$$
is a linear function in $x$, whose kernel has the same size as any of its translates, such as the solution set of $f(x) + f(x+q) = p$ in $L$, for any $p \in L$. Because of this property, proving whether or not a quadratic polynomial is APN is more tractable than for one that is not quadratic. For this reason, all of the recently discovered families of APN functions have been quadratic. We will show that our polynomial $F(x)$ is APN by computing the size of the kernel of the corresponding linear map $F(x+q) + F(x) + F(q)$.

Theorem 2.1. Let $s$ and $k$ be positive integers with $k+s$ divisible by three and $(s,3k) = (3,k) = 1$. Let $u$ be a primitive element of $GF(2^{3k})$ and let $v, w \in GF(2^k)$ with $vw \neq 1$. Then the function
$$F(x) = u^{2^k} x^{2^{-k} + 2^{k+s}} + u x^{2^s+1} + v x^{2^{-k}+1} + w u^{2^k+1} x^{2^{k+s} + 2^s}$$
is APN over $GF(2^{3k})$.

Proof: We show that for every $p$ and $q$ (with $q \neq 0$) in $GF(2^{3k})$ the equation $F(x) + F(x+q) = p$ has at most two solutions by counting the number of solutions to the equation $F(x) + F(x+q) + F(q) = 0$. This gives
$$F(x) + F(x+q) + F(q) = u^{2^k}\big(x^{2^{k+s}} q^{2^{-k}} + q^{2^{k+s}} x^{2^{-k}}\big) + u\big(x^{2^s} q + q^{2^s} x\big) + v\big(x^{2^{-k}} q + q^{2^{-k}} x\big) + w u^{2^k+1}\big(x^{2^s} q^{2^{k+s}} + q^{2^s} x^{2^{k+s}}\big) = 0.$$
Replace $x$ with $xq$ to obtain
$$u^{2^k} q^{2^{-k} + 2^{k+s}}\big(x^{2^{k+s}} + x^{2^{-k}}\big) + u q^{2^s+1}\big(x^{2^s} + x\big) + v q^{2^{-k}+1}\big(x^{2^{-k}} + x\big) + w u^{2^k+1} q^{2^{k+s} + 2^s}\big(x^{2^s} + x^{2^{k+s}}\big) = 0,$$
and collect terms in $x$ to get
$$\Delta(x) := \big(v q^{2^{-k}+1} + u q^{2^s+1}\big) x + \big(v q^{2^{-k}+1} + u^{2^k} q^{2^{-k} + 2^{k+s}}\big) x^{2^{-k}} + \big(w u^{2^k+1} q^{2^{k+s} + 2^s} + u q^{2^s+1}\big) x^{2^s} + \big(w u^{2^k+1} q^{2^{k+s} + 2^s} + u^{2^k} q^{2^{-k} + 2^{k+s}}\big) x^{2^{k+s}} = 0.$$
We write $\Delta(x) = A x + B x^{2^{-k}} + C x^{2^s} + D x^{2^{k+s}}$ where
$$A = v q^{2^{-k}+1} + u q^{2^s+1}, \quad B = v q^{2^{-k}+1} + u^{2^k} q^{2^{-k} + 2^{k+s}}, \quad C = w u^{2^k+1} q^{2^{k+s} + 2^s} + u q^{2^s+1}, \quad D = w u^{2^k+1} q^{2^{k+s} + 2^s} + u^{2^k} q^{2^{-k} + 2^{k+s}}.$$
Clearly 0 is a root of $\Delta(x)$. Moreover $\Delta(1) = A + B + C + D = 0$. If we show that 0 and 1 are the only solutions of $\Delta(x) = 0$, then we will have proved that $F(x)$ is APN on $GF(2^{3k})$.

First we demonstrate that none of $A, B, C$ or $D$ vanish for any $q \in GF(2^{3k})^*$. If $A = 0$ we have $u = v q^{2^{-k} - 2^s}$, which implies $u^{2^k} = v q^{1 - 2^{k+s}}$. By hypothesis, $k+s$ is divisible by 3, so that $1 - 2^{k+s}$ is divisible by 7, and hence $q^{1 - 2^{k+s}}$ is a 7th power in $GF(2^{3k})$. Since 3 does not divide $k$, 7 does not divide $2^k - 1$, so the map $x \mapsto x^7$ is a permutation on $GF(2^k)$. Then $v \in GF(2^k)$ can be expressed as a 7th power. This means that $u^{2^k}$, and hence $u$, is a 7th power in $GF(2^{3k})$. This gives a contradiction as 7 is a divisor of $2^{3k} - 1$ and we chose $u$ to be primitive in $GF(2^{3k})$. We deduce that $A \neq 0$. Similar arguments show that $B$, $C$ and $D$ are all nonzero.

Next we define the linearized polynomial
$$L_\theta(T) := T + \theta T^{2^k} + \theta^{2^k+1} T^{2^{-k}}.$$
When $T = \theta x + x^{2^{-k}}$ and $\theta$ is a $(2^k-1)$-th power, a routine calculation verifies that $L_\theta(T) = 0$ for all $x \in GF(2^{3k})$.

Observe that
$$\frac{A}{B} = \frac{v q^{2^{-k}+1} + u q^{2^s+1}}{v q^{2^{-k}+1} + u^{2^k} q^{2^{-k} + 2^{k+s}}} = \frac{v + u q^{2^s - 2^{-k}}}{v + u^{2^k} q^{2^{k+s} - 1}} = \big(v + u q^{2^s - 2^{-k}}\big)^{1 - 2^k},$$
which gives
$$L_{A/B}\Big(\frac{A}{B} x + x^{2^{-k}}\Big) = 0. \qquad (1)$$
Now
$$\frac{\Delta(x)}{B} = \Big(\frac{A}{B} x + x^{2^{-k}}\Big) + \Big(\frac{C}{B} x^{2^s} + \frac{D}{B} x^{2^{k+s}}\Big) = 0.$$
Applying this to Equation (1) gives
$$L_{A/B}\Big(\frac{\Delta(x)}{B}\Big) = L_{A/B}\Big(\frac{C}{B} x^{2^s} + \frac{D}{B} x^{2^{k+s}}\Big) = 0.$$
We compute this as
$$\big(B^{2^{-k} + 2^k} C + D^{2^{-k}} A^{2^k+1}\big) x^{2^s} + \big(B^{2^{-k} + 2^k} D + B^{2^{-k}} A C^{2^k}\big) x^{2^{k+s}} + \big(B^{2^{-k}} A D^{2^k} + A^{2^k+1} C^{2^{-k}}\big) x^{2^{-k+s}} = 0.$$
We substitute in the values of $A, B, C$ and $D$ and after simplification we obtain the following:
$$(vw+1)\, u q^{2^k + 1 + 2^s}\big(v q^{2^{-k}} + u q^{2^s}\big)\big(u^{2^k} q^{2^{k+s} + 2^k} + u^{2^{-k}} q^{2^{-k+s} + 1}\big) x^{2^s} + (vw+1)\, u^{2^k} q^{2^k + 1 + 2^{k+s}}\big(v q^{2^{-k}} + u q^{2^s}\big)\big(u q^{2^k + 2^s} + u^{2^{-k}} q^{2^{-k+s} + 2^{-k}}\big) x^{2^{k+s}} + (vw+1)\, u^{2^{-k}} q^{2^k + 1 + 2^{-k+s}}\big(v q^{2^{-k}} + u q^{2^s}\big)\big(u^{2^k} q^{2^{k+s} + 2^{-k}} + u q^{2^s+1}\big) x^{2^{-k+s}} = 0.$$
As we chose $v$ and $w$ such that $v \neq w^{-1}$, and as $A \neq 0$, we can divide the equation by
$$(vw+1)\, q^{2^k+1}\big(v q^{2^{-k}} + u q^{2^s}\big) u^{2^{-k}+1} q^{2^{-k+s} + 2^s + 1}$$
and take the expression to the $2^{-s}$ power to obtain
$$\big(1 + a^{-2^{k-s}}\big) x + \big(a^{2^{-s}} + a^{-2^{k-s}}\big) x^{2^k} + \big(1 + a^{2^{-s}}\big) x^{2^{-k}} = 0, \qquad (1)$$
where $a = u^{2^k-1} q^{2^{-k} + 2^{k+s} - 2^s - 1}$.

Now we consider $L_{C/D}(\Delta(x)/D) = 0$. We know $L_{C/D}\big(x^{2^s} + \frac{C}{D} x^{2^{k+s}}\big) = 0$, as
$$\frac{C}{D} = \frac{w u^{2^k+1} q^{2^{k+s} + 2^s} + u q^{2^s+1}}{w u^{2^k+1} q^{2^{k+s} + 2^s} + u^{2^k} q^{2^{-k} + 2^{k+s}}} = \big(w + u^{-1} q^{2^{-k} - 2^s}\big)^{2^k - 1}.$$
This implies $L_{C/D}\big(\frac{A}{D} x + \frac{B}{D} x^{2^{-k}}\big) = 0$, which we compute as
$$\big(C^{2^{-k} + 2^k} A + C^{2^{-k}} D B^{2^k}\big) x + \big(C^{2^{-k}} D A^{2^k} + D^{2^k+1} B^{2^{-k}}\big) x^{2^k} + \big(C^{2^{-k} + 2^k} B + D^{2^k+1} A^{2^{-k}}\big) x^{2^{-k}} = 0.$$
A similar computation to the one used above will yield
$$\big(1 + a^{-2^{-k}}\big) x + (1 + a)\, x^{2^k} + \big(a + a^{-2^{-k}}\big) x^{2^{-k}} = 0. \qquad (2)$$
Now we combine equations (1) and (2) such that the terms in $x^{2^{-k}}$ cancel. This will give
$$\Big(\big(1 + a^{-2^{k-s}}\big)\big(a + a^{-2^{-k}}\big) + \big(1 + a^{-2^{-k}}\big)\big(1 + a^{2^{-s}}\big)\Big) x + \Big(\big(a^{2^{-s}} + a^{-2^{k-s}}\big)\big(a + a^{-2^{-k}}\big) + (1 + a)\big(1 + a^{2^{-s}}\big)\Big) x^{2^k} = 0,$$
which is the same as
$$\Big(\big(1 + a^{-2^{k-s}}\big)\big(a + a^{-2^{-k}}\big) + \big(1 + a^{-2^{-k}}\big)\big(1 + a^{2^{-s}}\big)\Big)\big(x + x^{2^k}\big) = 0.$$
If we show that
$$\big(1 + a^{-2^{k-s}}\big)\big(a + a^{-2^{-k}}\big) + \big(1 + a^{-2^{-k}}\big)\big(1 + a^{2^{-s}}\big) \neq 0$$
for all possible values of $a$, then we could conclude that $x \in GF(2^k)$. To this end we consider the expression
$$\big(1 + a^{-2^{k-s}}\big)\big(a + a^{-2^{-k}}\big) = \big(1 + a^{-2^{-k}}\big)\big(1 + a^{2^{-s}}\big).$$
Rearranging we obtain
$$a = \frac{(1 + a^{-1})^{2^{-k}} (1 + a^{-1})^{2^{k-s}}}{(1 + a)^{2^{-s}} (1 + a)^{2^k}}.$$
This implies $a$ is a $(2^{k+s} - 1)$-th power, which in turn implies that it is a seventh power. As
$$a = u^{2^k-1} q^{2^{-k} + 2^{k+s} - 2^s - 1} = u^{2^k-1} q^{(2^{k+s} - 1)(1 - 2^{-k})},$$
we see that if $a$ is a seventh power then so is $u^{2^k-1}$, but this is not possible as $k$ is not divisible by three and $u$ is primitive. We can now state that all solutions to $\Delta(x) = 0$ are in $GF(2^k)$. Applying this to our original expression for $\Delta(x)$ gives
$$\big(u q^{2^s+1} + u^{2^k} q^{2^{-k} + 2^{k+s}}\big)\big(x + x^{2^s}\big) = 0.$$
If $u q^{2^s+1} + u^{2^k} q^{2^{-k} + 2^{k+s}} = 0$ then $a = 1$, but 1 is a seventh power; hence $x + x^{2^s} = 0$, which implies $x = 0$ or 1 as $s$ is relatively prime to $3k$.

3 Equivalence

It remains to show that the new family of APN functions introduced in this paper is indeed "new". We therefore need to demonstrate that these functions are not CCZ equivalent to any known APN function. Unfortunately no techniques currently exist for proving this by hand, and we resort to a demonstration by computer for small values of $n$. We attempt to show that the corresponding error-correcting codes are inequivalent, which is necessary and sufficient as we said in the introduction, and is proved in [1].
One standard method of proving two codes to be inequivalent is to show that they have a different weight distribution (if this is the case). However, all the evidence shows that these codes all have the same weight distribution as the code for the function $x^3$ (we have proved this for Family 5 in [2]). We will use other invariants.

Our quadrinomial Family 7,
$$F(x) = u^{2^k} x^{2^{-k} + 2^{k+s}} + u x^{2^s+1} + v x^{2^{-k}+1} + w u^{2^k+1} x^{2^{k+s} + 2^s},$$
actually contains as a special case three of the families listed in the introduction, two of which are already known. These are the binomial Family 1 when $v = w = 0$, and the trinomial Family 5 when $v = 0$, $w \neq 0$. Family 7 also contains Family 6 as a special case. We claim that these four families are pairwise CCZ inequivalent.

For dimensions smaller than 12, CCZ equivalence can be directly determined by testing equivalence of the associated codes with Magma. For the case $n = 6$ the polynomials introduced here take one of the following forms:
$$u x^3 + v u^5 x^{10} + v x^{17} + u^4 x^{24}, \qquad u x^3 + v x^{17} + u^4 x^{24}, \qquad u x^3 + v u^5 x^{10} + u^4 x^{24}, \qquad u x^3 + u^4 x^{24},$$
for some primitive element $u \in GF(2^6)$ and $v \in GF(4)$. In the first 3 cases, the polynomials are CCZ equivalent to $x^3 + x^{10} + u x^{24}$, which appears in Dillon's list, and in the last instance the polynomial is CCZ equivalent to $x^3$. Therefore, $n = 6$ is not a sufficiently large value of $n$ to distinguish our four families, but it does distinguish Family 1 from Families 5, 6 and 7. The next smallest possible value of $n$ to consider is $n = 12$, so $k = 4$. Example functions (with $s = 5$) from the four families are listed in the table below.
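The $n = 6$ specialisation above can be checked directly against the definition of APN from Section 1 by counting solutions of $F(x+q) + F(x) = p$ for every $q \neq 0$. The following Python is an added example, not code from the paper: it implements $GF(2^6)$ as $GF(2)[x]/(x^6 + x + 1)$ with elements encoded as 6-bit integers (a constructed choice), derives the $k = 2$, $s = 1$ instance of Theorem 2.1 with exponents reduced modulo 63, and tests every admissible $v, w \in GF(4)$ with $vw \neq 1$.

```python
# Added example: brute-force differential uniformity over GF(2^6) (not the paper's code).
# Field: GF(2)[x]/(x^6 + x + 1), elements encoded as 6-bit integers (constructed choice).
N = 6
MOD = 0b1000011        # x^6 + x + 1, irreducible over GF(2)
ORDER = (1 << N) - 1   # size of the multiplicative group, 63

def gf_mul(a, b):
    """Field product: carry-less multiply, reducing mod MOD after each shift."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MOD
    return r

def gf_pow(a, e):
    """a^e for e >= 0 by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def mult_order(a):  # multiplicative order of a nonzero element
    r, k = a, 1
    while r != 1:
        r, k = gf_mul(r, a), k + 1
    return k

def primitive_element():  # some u of order 63, i.e. a generator of GF(2^6)^*
    return next(a for a in range(2, 1 << N) if mult_order(a) == ORDER)

def subfield_gf4():  # GF(2^k) for k = 2: the elements of GF(2^6) fixed by a -> a^4
    return [a for a in range(1 << N) if gf_pow(a, 4) == a]

def differential_uniformity(f):
    """max over q != 0 and p of #{x : f(x + q) + f(x) = p}; f is APN iff this equals 2."""
    table = [f(x) for x in range(1 << N)]
    worst = 0
    for q in range(1, 1 << N):
        counts = [0] * (1 << N)
        for x in range(1 << N):
            counts[table[x ^ q] ^ table[x]] += 1
        worst = max(worst, max(counts))
    return worst

def is_apn(f):
    return differential_uniformity(f) == 2

def family7_n6(u, v, w):
    """Theorem 2.1 with k = 2, s = 1. In GF(2^6), 2^-k = 2^4 = 16, so the exponents
    2^-k + 2^(k+s), 2^s + 1, 2^-k + 1, 2^(k+s) + 2^s become 24, 3, 17, 10 and
    F(x) = u^4 x^24 + u x^3 + v x^17 + w u^5 x^10."""
    c24, c10 = gf_pow(u, 4), gf_mul(w, gf_pow(u, 5))
    return lambda x: (gf_mul(c24, gf_pow(x, 24)) ^ gf_mul(u, gf_pow(x, 3))
                      ^ gf_mul(v, gf_pow(x, 17)) ^ gf_mul(c10, gf_pow(x, 10)))

def all_n6_instances_apn():  # every admissible v, w in GF(4) with vw != 1 gives an APN F
    u, gf4 = primitive_element(), subfield_gf4()
    return all(is_apn(family7_n6(u, v, w))
               for v in gf4 for w in gf4 if gf_mul(v, w) != 1)
```

The Gold functions give a sanity check for the counter: over $GF(2^6)$, $x^3$ is APN while $x^5 = x^{2^2+1}$ has differential uniformity 4, since the linear part $x^4 q + x q^4$ has a kernel of size $2^{\gcd(2,6)} = 4$.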
Function, and class:
$u^{16} x^{768} + u x^{33} + x^{257} + u^{290} x^{544}$ : Theorem 2.1; NEW (Family 7)
$u^{16} x^{768} + u x^{33} + x^{257}$ : Theorem 2.1 with $v \neq 0$, $w = 0$; NEW (Family 6)
$u^{16} x^{768} + u x^{33} + u^{290} x^{544}$ : Theorem 2.1 with $v = 0$, $w \neq 0$ (Family 5)
$u^{16} x^{768} + u x^{33}$ : Theorem 2.1 with $v = w = 0$ (Family 1)

Magma has a built-in test for code equivalence, which is sufficient for $n < 12$. This test involves performing a backtrack search using the action of the automorphism group of the code on the words of minimum weight. However, for $n = 12$ each of these codes has 1,397,760 words of minimum weight, and this is beyond the capability of the Leon package PERM for code equivalence that is used in Magma and other systems.

John Cannon, Gabi Nebe and Allan Steel proved these codes to be inequivalent using a different approach. Firstly, the delta 2-rank of the four APN functions was determined. The first three functions were found to have delta 2-rank 7900 while the fourth has delta 2-rank 7816. Hence the fourth APN function is CCZ inequivalent to the first three. All four functions were then shown to be pairwise CCZ inequivalent using a new invariant based on combinatorial properties of the words of minimum weight of the codes. All computations were done using Magma. We refer the reader to [8] for details. In conclusion, [8] shows that our APN functions are new.

Acknowledgements

We thank John Cannon, Gabriele Nebe, and Allan Steel for their work on APN functions and Magma.

References

[1] C. Bracken, E. Byrne, N. Markin, G. McGuire, "New families of quadratic almost perfect nonlinear trinomials and multinomials," to appear in Finite Fields and their Applications, available online 20 February 2008.
[2] C. Bracken, E. Byrne, N. Markin, G. McGuire, "Determining the Nonlinearity of a New Family of APN Functions," Proc. AAECC-17 Conference, S. Boztas, H.-F. Lu eds., LNCS 4851, Dec 2007, 72-79.
[3] L. Budaghyan, C. Carlet, P. Felke, G. Leander, "An infinite class of quadratic APN functions which are not equivalent to power mappings", Proceedings of ISIT 2006, Seattle, USA, July 2006.
[4] L. Budaghyan, C. Carlet, G. Leander, "A class of quadratic APN binomials inequivalent to power functions," preprint.
[5] L. Budaghyan, C. Carlet, G. Leander, "Another class of quadratic APN binomials over $F_{2^n}$: the case $n$ divisible by 4," Proceedings of WCC 07, pp. 49-58, Versailles, France, April 2007.
[6] L. Budaghyan, C. Carlet, G. Leander, "Constructing new APN functions from known ones", preprint submitted to Finite Fields and Applications.
[7] L. Budaghyan, C. Carlet, A. Pott, "New constructions of almost bent and almost perfect nonlinear functions", IEEE Transactions on Information Theory, Vol. 52, No. 3, pp. 1141-1152, March 2006.
[8] J. Cannon, G. Nebe, A. Steel, "New techniques for code equivalence in Magma", preprint.
[9] C. Carlet, "Boolean Functions for Cryptography and Error Correcting Codes", to appear as a chapter of the monograph Boolean methods and models, Cambridge University Press (Eds. Peter Hammer and Yves Crama).
[10] C. Carlet, P. Charpin, V. Zinoviev, "Codes, bent functions and permutations suitable for DES-like cryptosystems", Designs, Codes and Cryptography, Vol. 15, No. 2, pp. 125-156, 1998.
[11] John Dillon, slides from talk given at "Polynomials over Finite Fields and Applications", held at Banff International Research Station, November 2006.
[12] Y. Edel, G. Kyureghyan, A. Pott, "A new APN function which is not equivalent to a power mapping", IEEE Transactions on Information Theory, Vol. 52, Issue 2, pp. 744-747, Feb. 2006.
[13] K. Nyberg, "Differentially uniform mappings for cryptography", Advances in Cryptology - EUROCRYPT 93, Lecture Notes in Computer Science, Springer-Verlag, pp. 55-64, 1994.
