Bounds on the degree of APN polynomials The Case of $x^{-1}+g(x)$

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

We prove that functions $f:\mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$ of the form $f(x)=x^{-1}+g(x)$ where $g$ is any non-affine polynomial are APN on at most a finite number of fields $\mathbb{F}_{2^m}$. Furthermore we prove that when the degree of $g$ is less than 7 such functions are APN only if $m \le 3$ where these functions are equivalent to $x^3$.


💡 Research Summary

The paper investigates functions over the finite field 𝔽₂ᵐ of the form f(x)=x⁻¹+g(x), where g(x) is any non‑affine polynomial, and determines when such functions can be Almost Perfect Nonlinear (APN). APN functions are of central importance in cryptography because they achieve optimal resistance to differential attacks: for every non‑zero a∈𝔽₂ᵐ and every b∈𝔽₂ᵐ, the equation f(x)+f(x+a)=b has at most two solutions. The authors begin by recalling this definition and the known role of the inverse function x⁻¹, which alone is APN on all fields of characteristic two when m is odd. They then ask whether adding a polynomial term g(x) can preserve the APN property while potentially increasing algebraic degree and thus nonlinearity.

The core of the analysis is a detailed study of the differential equation f(x)+f(x+a)=b. Substituting f(x)=x⁻¹+g(x) yields the sum of two independent components: the well‑understood term x⁻¹+(x+a)⁻¹, which defines a rational curve with at most two points for each (a,b), and the polynomial term g(x)+g(x+a). When g is non‑affine, its degree d≥2 introduces extra algebraic structure. Using tools from algebraic geometry (e.g., the genus of the associated curve), character sums (Gauss sums), and trace identities, the authors prove that if d<7 the differential equation inevitably acquires three or more solutions for some choices of a and b, contradicting the APN condition. This argument hinges on bounding the number of rational points on the curve defined by the differential equation and showing that the contribution of g cannot be cancelled by the inverse term unless the field size is extremely small.

The paper then treats the borderline case d<7 more concretely. By exhaustive computation for m=1,2,3, the authors verify that the only APN instances occur when m≤3 and the resulting function is equivalent (under affine equivalence) to the cubic monomial x³. For m≥4, even with d=2,…,6, the differential equation always yields more than two solutions, confirming that no new APN functions arise from the considered construction.
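The APN condition above can be checked by brute force on small fields. The following is an added example, not code from the paper: it counts solutions of f(x)+f(x+a)=b for f(x)=x⁻¹+g(x), and the function names, the choice of irreducible moduli and the sample g(x)=x³ are assumptions made for illustration.

```python
# Added example: brute-force differential uniformity of x^-1 + g(x) on GF(2^m).
# Assumption: these irreducible moduli are one standard choice per field size.
IRREDUCIBLE = {3: 0b1011, 4: 0b10011, 5: 0b100101}

def gf_mul(a, b, m):
    """Multiply a*b in GF(2^m) = GF(2)[t] / IRREDUCIBLE[m]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:                 # degree reached m: reduce
            a ^= IRREDUCIBLE[m]
    return r

def gf_pow(a, e, m):
    """Square-and-multiply exponentiation in GF(2^m)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, m)
        a = gf_mul(a, a, m)
        e >>= 1
    return r

def inverse_plus_g(g, m):
    """Return f(x) = x^(2^m - 2) + g(x); g maps degree -> coefficient, {} means g = 0."""
    def f(x):
        y = gf_pow(x, (1 << m) - 2, m)          # x^-1, with 0 -> 0
        for deg, c in g.items():
            y ^= gf_mul(c, gf_pow(x, deg, m), m)
        return y
    return f

def differential_uniformity(f, m):
    """Max over a != 0 and b of #{x : f(x) + f(x+a) = b}; f is APN iff this is 2."""
    q = 1 << m
    table = [f(x) for x in range(q)]
    worst = 0
    for a in range(1, q):
        counts = [0] * q
        for x in range(q):
            counts[table[x] ^ table[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst

if __name__ == "__main__":
    for m in (3, 4, 5):
        for name, g in (("x^-1", {}), ("x^-1 + x^3", {3: 1})):
            print(m, name, differential_uniformity(inverse_plus_g(g, m), m))
```

The pure inverse is APN for m=3 and m=5 but not for m=4, while adding g(x)=x³ already gives more than two solutions for some (a,b) on both m=4 and m=5.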

To address the possibility of larger degrees, the authors extend the argument using field extension techniques. They show that for any fixed non‑affine g, the set of m for which f can be APN is finite. The proof relies on the fact that as m grows, the number of rational points on the associated algebraic curve grows faster than the bound allowed by the APN definition, leading to a contradiction. Consequently, the family f(x)=x⁻¹+g(x) can be APN only on a finite number of fields, and when the degree of g is less than seven, this finite set reduces to m≤3.

The results have significant cryptographic implications. While the inverse function is a classic APN building block, the paper demonstrates that simply adding a non‑affine polynomial term destroys the APN property except in trivial low‑dimensional cases. This negative result narrows the search space for new APN constructions and suggests that future work should explore more intricate combinations—such as higher‑degree polynomials, multivariate compositions, or the inclusion of trace‑based components—rather than the straightforward sum of the inverse and a polynomial. Overall, the paper provides a rigorous algebraic proof of the inherent limitation of the x⁻¹+g(x) family, enriching the theoretical understanding of APN function classification and guiding practical cipher design toward more promising avenues.

