On the Fourier Spectra of the Infinite Families of Quadratic APN Functions

Authors: Carl Bracken (1), Zhengbang Zha (2)
(1) Department of Mathematics, National University of Ireland Maynooth, Co. Kildare
(2) College of Mathematics and Econometrics, Hunan University, Changsha 410082, China

November 4, 2018

Abstract

It is well known that a quadratic function defined on a finite field of odd degree is almost bent (AB) if and only if it is almost perfect nonlinear (APN). For the even degree case there is no apparent relationship between the values in the Fourier spectrum of a function and the APN property. In this article we compute the Fourier spectrum of the quadranomial family of APN functions from [5]. With this result, all known infinite families of APN functions now have their Fourier spectra and hence their nonlinearities computed.

1 Introduction

Highly nonlinear functions on finite fields are interesting from the point of view of cryptography as they provide optimum resistance to linear and differential attacks. A function that has the APN (resp. AB) property, as defined below, has optimal resistance to a differential (resp. linear) attack. For more on relations between linear and differential cryptanalysis, see [13]. Highly nonlinear functions are also of interest from the point of view of coding theory. The weight distribution of a certain error-correcting code is equivalent to the Fourier spectrum (including multiplicities) of $f$. The code having three particular weights is equivalent to the AB property, when $n$ is odd. The minimum distance of the dual code being 5 is equivalent to the APN property holding for $f$.

For the rest of the paper, let $L = GF(2^n)$ and let $L^*$ denote the set of non-zero elements of $L$. Let $\mathrm{Tr} : L \to GF(2)$ denote the trace map from $L$ to $GF(2)$.
Definition 1. A function $f : L \to L$ is said to be almost perfect nonlinear (APN) if for any $a \in L^*$, $b \in L$, we have
$$|\{x \in L : f(x+a) - f(x) = b\}| \le 2.$$

Definition 2. Given a function $f : L \to L$, the Fourier transform of $f$ is the function $\hat{f} : L \times L^* \to \mathbb{Z}$ given by
$$\hat{f}(a,b) = \sum_{x \in L} (-1)^{\mathrm{Tr}(ax + bf(x))}.$$
The Fourier spectrum of $f$ is the set of integers
$$\Lambda_f = \{\hat{f}(a,b) : a, b \in L,\ b \ne 0\}.$$

The nonlinearity of a function $f$ on a field $L = GF(2^n)$ is defined as
$$\mathcal{NL}(f) := 2^{n-1} - \frac{1}{2}\max_{x \in \Lambda_f} |x|.$$
The nonlinearity of a function measures its distance to the set of all affine maps on $L$. We thus call a function maximally nonlinear if its nonlinearity is as large as possible. If $n$ is odd, its nonlinearity is upper-bounded by $2^{n-1} - 2^{\frac{n-1}{2}}$, while for $n$ even a conjectured upper bound is $2^{n-1} - 2^{\frac{n}{2}-1}$. For odd $n$, we say that a function $f : L \to L$ is almost bent (AB) when its Fourier spectrum is $\{0, \pm 2^{\frac{n+1}{2}}\}$, in which case it is clear from the upper bound that $f$ is maximally nonlinear. We have the following connection (for odd $n$) between the AB and APN property: every AB function on $L$ is also APN [13], and, conversely, if $f$ is quadratic and APN, then $f$ is AB [12]. In particular, quadratic APN functions have optimal resistance to both linear and differential attacks. On the other hand, there appears to be no relation between the nonlinearity $\mathcal{NL}(f)$ and the APN property of a function $f$ when $n$ is even. The reader is referred to [10] for a comprehensive survey on APN and AB functions.

2 New Families of Quadratic APN Functions

Recently, the first non-monomial families of APN functions have been discovered. Below we list the new families of non-monomial functions known at the time of writing.

1. $f(x) = x^{2^s+1} + \alpha x^{2^{ik} + 2^{mk+s}}$, where $n = 3k$, $(k,3) = (s,3k) = 1$, $k \ge 3$, $i \equiv sk \bmod 3$, $m \equiv -i \bmod 3$, $\alpha = t^{2^k-1}$ and $t$ is primitive (see Budaghyan, Carlet, Felke, Leander [8]).

2. $f(x) = x^{2^s+1} + \alpha x^{2^{ik} + 2^{mk+s}}$, where $n = 4k$, $(k,2) = (s,2k) = 1$, $k \ge 3$, $i \equiv sk \bmod 4$, $m = 4 - i$, $\alpha = t^{2^k-1}$ and $t$ is primitive (see Budaghyan, Carlet, Leander [7]). This family generalizes an example found for $n = 12$ by Edel, Kyureghyan, Pott [15].

3. $f(x) = \alpha x^{2^s+1} + \alpha^{2^k} x^{2^{k+s} + 2^k} + \beta x^{2^k+1} + \sum_{i=1}^{k-1} \gamma_i x^{2^{k+i} + 2^i}$, where $n = 2k$, $\alpha$ and $\beta$ are primitive elements of $GF(2^n)$, $\gamma_i \in GF(2^k)$ for each $i$, $(k,s) = 1$, $k$ is odd and $s$ is odd (see Bracken, Byrne, Markin, McGuire [2]).

4. $f(x) = x^3 + \mathrm{Tr}(x^9)$, over $GF(2^n)$, any $n$ (see Budaghyan, Carlet, Leander [9]).

5. $f(x) = \alpha^{2^k} x^{2^{-k} + 2^{k+s}} + \alpha x^{2^s+1} + v x^{2^{-k}+1} + w \alpha^{2^k+1} x^{2^{k+s} + 2^s}$, where $n = 3k$, $\alpha$ is primitive in $GF(2^n)$, $v, w \in GF(2^k)$ and $vw \ne 1$, $(s,3k) = 1$, $(3,k) = 1$ and $3$ divides $k+s$ (see Bracken, Byrne, Markin, McGuire [5]).

In [1] the Fourier spectra of families (1) and (2) are computed. The determination of the Fourier spectra of families (3) and (4) has been given in [3] and [4], respectively. In this paper we calculate the Fourier spectra of family (5). We will show here that the Fourier spectra of this family of functions are 5-valued, $\{0, \pm 2^{\frac{n}{2}}, \pm 2^{\frac{n+2}{2}}\}$, for fields of even degree and 3-valued, $\{0, \pm 2^{\frac{n+1}{2}}\}$, for fields of odd degree. In this sense they resemble the Gold functions $x^{2^d+1}$, $(d,n) = 1$, as indeed do all five APN families listed above. For fields of odd degree, our result provides another proof of the APN property.
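The following script is an added worked example and is not code from the paper or its authors. It builds $L = GF(2^6)$ as $GF(2)[x]/(x^6+x+1)$ (our choice of modulus; that $x$ is primitive is checked rather than assumed), implements Definitions 1 and 2 and the nonlinearity, and evaluates them for the Gold function $x^3$ and for the smallest instance of family (5): $n = 3k = 6$ with $k = 2$, $s = 1$, so that $(3,k) = (s,3k) = 1$ and $3 \mid k+s$. The parameters $v = 1$ and $w = \omega$, with $\omega$ a generator of $GF(4) = GF(2^k)$ inside $L$, are our own choice satisfying $vw \ne 1$; negative exponents such as $2^{-k}$ are read modulo $2^n - 1$ (here $2^{-2} \equiv 16$). The script also computes the kernel $K$ of the linearised polynomial $L_b$ that appears in the proof of Theorem 2 in Section 3 and checks the identity $\hat{f}(a,b)^2 = 2^n \sum_{u \in K} (-1)^{\mathrm{Tr}(au + bf(u))}$ on which that proof rests. Note that Theorem 2 bounds the set of values the transform can take; running the script shows which of those values actually occur for a given instance.

```python
"""Walsh (Fourier) spectrum, nonlinearity, APN test and ker L_b on L = GF(2^6).
Added example, not from the paper.  Field: GF(2)[x]/(x^6 + x + 1) (our choice)."""

N = 6
Q = 1 << N                    # |L| = 2^n = 64
MOD_POLY = 0b1000011          # x^6 + x + 1; primitivity of x is verified, not assumed

def gf_mul(a: int, b: int) -> int:
    """Carry-less product in the polynomial basis, reduced modulo MOD_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= MOD_POLY
    return r

MUL = [[gf_mul(a, b) for b in range(Q)] for a in range(Q)]  # full multiplication table

def gf_pow(a: int, e: int) -> int:
    """a^e with the exponent taken modulo 2^n - 1, so 2^{-k} means 2^{n-k} (0^e = 0)."""
    if a == 0:
        return 0
    r, e = 1, e % (Q - 1)
    while e:
        if e & 1:
            r = MUL[r][a]
        a, e = MUL[a][a], e >> 1
    return r

def trace(x: int) -> int:
    """Absolute trace Tr(x) = x + x^2 + ... + x^(2^(n-1)); a value in {0, 1}."""
    t, y = 0, x
    for _ in range(N):
        t ^= y
        y = MUL[y][y]
    return t

TR = [trace(x) for x in range(Q)]

def is_primitive(a: int) -> bool:
    """ord(a) = 63 = 3^2 * 7 exactly when a^21 != 1 and a^9 != 1."""
    return a != 0 and gf_pow(a, 21) != 1 and gf_pow(a, 9) != 1

def walsh(fx, a: int, b: int) -> int:
    """hat f(a,b) = sum_x (-1)^{Tr(ax + b f(x))} from the value table fx = [f(0), ..., f(63)]."""
    return sum(-1 if TR[MUL[a][x] ^ MUL[b][fx[x]]] else 1 for x in range(Q))

def walsh_spectrum(fx) -> set:
    """Lambda_f = { hat f(a,b) : a in L, b in L* } (Definition 2)."""
    return {walsh(fx, a, b) for b in range(1, Q) for a in range(Q)}

def nonlinearity(spec) -> int:
    """NL(f) = 2^{n-1} - (1/2) max |Lambda_f|."""
    return Q // 2 - max(abs(v) for v in spec) // 2

def is_apn(fx) -> bool:
    """Definition 1: every derivative x -> f(x+a) + f(x), a != 0, is exactly 2-to-1."""
    return all(len({fx[x] ^ fx[x ^ a] for x in range(Q)}) == Q // 2 for a in range(1, Q))

def kernel(fx, b: int) -> list:
    """K = ker L_b for quadratic f with f(0) = 0: the u such that
    Tr(b (f(x+u) + f(x) + f(u))) = Tr(x L_b(u)) vanishes for every x (proof of Theorem 2)."""
    return [u for u in range(Q)
            if all(TR[MUL[b][fx[x ^ u] ^ fx[x] ^ fx[u]]] == 0 for x in range(Q))]

def squared_walsh_via_kernel(fx, a: int, b: int) -> int:
    """2^n * sum_{u in K} (-1)^{Tr(au + b f(u))}, which the proof equates to hat f(a,b)^2."""
    return Q * sum(-1 if TR[MUL[a][u] ^ MUL[b][fx[u]]] else 1 for u in kernel(fx, b))

def max_kernel_size(fx) -> int:
    """max over b in L* of |ker L_b|; the proof of Theorem 2 needs this to be at most 4."""
    return max(len(kernel(fx, b)) for b in range(1, Q))

# Gold function x^3 (d = 1, (d, n) = 1), the reference point of Section 2.
GOLD3 = [gf_pow(x, 3) for x in range(Q)]

# Family (5) with n = 3k = 6: k = 2, s = 1 give (3,k) = (s,3k) = 1 and 3 | k + s.
K, S = 2, 1
ALPHA = next(a for a in range(2, Q) if is_primitive(a))   # a primitive element of L
OMEGA = gf_pow(ALPHA, 21)                                 # generator of GF(4) = GF(2^k) in L
V, W = 1, OMEGA                                           # our choice of v, w; vw = omega != 1
INV_K = pow(2, -K, Q - 1)                                 # 2^{-k} mod 63 = 16
E1, E2 = (INV_K + (1 << (K + S))) % (Q - 1), (1 << S) + 1  # 2^{-k}+2^{k+s} = 24, 2^s+1 = 3
E3, E4 = INV_K + 1, (1 << (K + S)) + (1 << S)              # 2^{-k}+1 = 17, 2^{k+s}+2^s = 10
C1 = gf_pow(ALPHA, 1 << K)                                # alpha^{2^k}
C4 = MUL[W][gf_pow(ALPHA, (1 << K) + 1)]                  # w alpha^{2^k + 1}

def family5(x: int) -> int:
    """alpha^{2^k} x^{2^{-k}+2^{k+s}} + alpha x^{2^s+1} + v x^{2^{-k}+1} + w alpha^{2^k+1} x^{2^{k+s}+2^s}."""
    return (MUL[C1][gf_pow(x, E1)] ^ MUL[ALPHA][gf_pow(x, E2)]
            ^ MUL[V][gf_pow(x, E3)] ^ MUL[C4][gf_pow(x, E4)])

FAMILY5 = [family5(x) for x in range(Q)]
```

Calling `walsh_spectrum(FAMILY5)` returns the set of transform values, `nonlinearity(...)` the nonlinearity and `max_kernel_size(FAMILY5)` the bound $|K| \le 4$ that the proof of Theorem 2 establishes; for $n = 6$ the permitted values are $0, \pm 8, \pm 16$, so $\mathcal{NL}(f) = 32 - 8 = 24$ whenever $\pm 16$ occurs. The $O(2^{2n})$ loops over all $(a,b)$ are only practical for small $n$; for larger fields the tables should be replaced by log/antilog arithmetic.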
This does not hold for fields of even degree; as we stated earlier, there appears to be no relation between the Fourier spectrum and the APN property for fields of even degree. Thus, the fact that $f$ has a 5-valued Fourier spectrum for fields of even degree does not follow from the fact that $f$ is a quadratic APN function. Indeed, there is one example known (due to Dillon [14]) of a quadratic APN function on a field of even degree whose Fourier spectrum is more than 5-valued: if $u$ is primitive in $GF(2^6)$ then
$$g(x) = x^3 + u^{11}x^5 + u^{13}x^9 + x^{17} + u^{11}x^{33} + x^{48}$$
is a quadratic APN function on $GF(2^6)$ whose Fourier transform takes seven distinct values.

3 The Fourier Spectrum of Family (5)

We shall make use of the following lemma, a proof of which can be found in [1].

Lemma 1. Let $s$ be an integer satisfying $(s,n) = 1$ and let $f(x) = \sum_{i=0}^{d} r_i x^{2^{si}}$ be a polynomial in $L[x]$. Then $f(x)$ has at most $2^d$ zeroes in $L$.

Theorem 2. Let
$$f(x) = \alpha^{2^k} x^{2^{-k} + 2^{k+s}} + \alpha x^{2^s+1} + v x^{2^{-k}+1} + w\alpha^{2^k+1} x^{2^{k+s} + 2^s},$$
where $n = 3k$, $\alpha$ is primitive in $GF(2^n)$, $v, w \in GF(2^k)$ and $vw \ne 1$, $(s,3k) = 1$, $(3,k) = 1$ and $3$ divides $k+s$. The Fourier spectrum of $f(x)$ is $\{0, \pm 2^{\frac{n+1}{2}}\}$ when $n$ is odd and $\{0, \pm 2^{\frac{n}{2}}, \pm 2^{\frac{n+2}{2}}\}$ when $n$ is even.

Proof: The Fourier spectrum of $f$ is given by
$$\hat{f}(a,b) = \sum_{x \in L} (-1)^{\mathrm{Tr}(ax + bf(x))}.$$
Squaring gives
$$\hat{f}(a,b)^2 = \sum_{x \in L}\sum_{y \in L} (-1)^{\mathrm{Tr}(ax + bf(x) + ay + bf(y))} = \sum_{x \in L}\sum_{u \in L} (-1)^{\mathrm{Tr}(ax + bf(x) + a(x+u) + bf(x+u))},$$
from the substitution $y = x + u$.
Since $f$ is quadratic with $f(0) = 0$, the expression $f(x) + f(x+u) + f(u)$ is additive in $x$, so $\mathrm{Tr}(b(f(x) + f(x+u))) = \mathrm{Tr}(bf(u)) + \mathrm{Tr}(xL_b(u))$ for a linearised polynomial $L_b$. The double sum thus becomes
$$\hat{f}(a,b)^2 = \sum_{u} (-1)^{\mathrm{Tr}(au + bf(u))} \sum_{x} (-1)^{\mathrm{Tr}(xL_b(u))},$$
where
$$L_b(u) := \alpha b u^{2^s} + \alpha^{2^{-s}} b^{2^{-s}} u^{2^{-s}} + \alpha^{2^{-k}} b^{2^k} u^{2^{-k+s}} + \alpha^{2^{-s}} b^{2^{-k-s}} u^{2^{k-s}} + v b^{2^k} u^{2^k} + v b u^{2^{-k}} + w^{2^{-s}} b^{2^{-k-s}} \alpha^{2^{-s} + 2^{-k-s}} u^{2^{-k}} + w^{2^{-s}} b^{2^{-s}} \alpha^{2^{k-s} + 2^{-s}} u^{2^k}.$$
Using the fact that $\sum_x (-1)^{\mathrm{Tr}(cx)}$ is $0$ when $c \ne 0$ and $2^n$ otherwise, we obtain
$$\hat{f}(a,b)^2 = 2^n \sum_{u \in K} (-1)^{\mathrm{Tr}(au + bf(u))},$$
where $K$ denotes the kernel of $L_b(u)$. If the size of the kernel is at most 4 then, the left-hand side being a square,
$$0 \le \sum_{u \in K} (-1)^{\mathrm{Tr}(au + bf(u))} \le 4.$$
Since $\hat{f}(a,b)$ is an integer, $2^n$ times this sum must be a perfect square, so the sum can only be $0$, $1$ or $4$ if $n$ is even, and $0$ or $2$ if $n$ is odd. The set of permissible values of $\hat{f}(a,b)$ is then $\{0, 2^{\frac{n+1}{2}}, -2^{\frac{n+1}{2}}\}$ when $n$ is odd and $\{0, 2^{n/2}, -2^{n/2}, 2^{\frac{n+2}{2}}, -2^{\frac{n+2}{2}}\}$ when $n$ is even:
$$\hat{f}(a,b) \in \begin{cases} \{0, \pm 2^{\frac{n+1}{2}}\} & 2 \nmid n, \\ \{0, \pm 2^{\frac{n}{2}}, \pm 2^{\frac{n+2}{2}}\} & 2 \mid n. \end{cases}$$
We must now demonstrate that $|K| \le 4$, which is sufficient to complete the proof.

Now suppose that $L_b(u) = 0$. This gives
$$b^{2^{-k}} L_b(u) = b^{2^{-k} - 2^{k-s}} \alpha^{2^{-s}} \Big( b^{2^{-s} + 2^{k-s}} u^{2^{-s}} + b^{2^{k-s} + 2^{-k-s}} u^{2^{k-s}} + w^{2^{-s}} b^{2^{-s} + 2^{k-s}} \alpha^{2^{k-s}} u^{2^k} + w^{2^{-s}} b^{2^{k-s} + 2^{-k-s}} \alpha^{2^{-k-s}} u^{2^{-k}} \Big) + \alpha^{2^{-k}} b^{2^k + 2^{-k}} u^{2^{-k+s}} + \alpha b^{2^{-k}+1} u^{2^s} + v b^{2^k + 2^{-k}} u^{2^k} + v b^{2^{-k}+1} u^{2^{-k}} = 0. \tag{1}$$
Next we let $\theta = \alpha^{2^{-s}} b^{2^{-k} - 2^{k-s}}$,
$$t(u) = b^{2^{-s} + 2^{k-s}} \big( u^{2^{-s}} + w^{2^{-s}} \alpha^{2^{k-s}} u^{2^k} \big) \quad \text{and} \quad r(u) = b^{2^k + 2^{-k}} \big( v u^{2^k} + \alpha^{2^{-k}} u^{2^{-k+s}} \big).$$
Equation (1) now becomes
$$b^{2^{-k}} L_b(u) = r(u) + r(u)^{2^k} + \theta \big( t(u) + t(u)^{2^k} \big) = 0. \tag{2}$$
For convenience we will write $r(u)$ and $t(u)$ as $r$ and $t$. We have
$$t^{2^{k+s}} = b^{2^k + 2^{-k}} \big( u^{2^k} + w \alpha^{2^{-k}} u^{2^{-k+s}} \big).$$
This implies
$$t^{2^{k+s}} + w r = b^{2^k + 2^{-k}} (1 + vw) u^{2^k}. \tag{3}$$
We also get
$$v t^{2^{k+s}} + r = b^{2^k + 2^{-k}} (1 + vw) \alpha^{2^{-k}} u^{2^{-k+s}}. \tag{4}$$
Equation (3) implies
$$u = b^{-1 - 2^k} (1 + vw)^{-1} \big( t^{2^s} + w r^{2^{-k}} \big),$$
while Equation (4) gives
$$u = b^{-2^{-k-s} - 2^{-s}} (1 + vw)^{-2^{-s}} \alpha^{-2^{-s}} \big( v^{2^{-s}} t^{2^{-k}} + r^{2^{k-s}} \big).$$
Combining these two expressions for $u$ yields
$$\theta z \big( t^{2^s} + w r^{2^{-k}} \big) = v^{2^{-s}} t^{2^{-k}} + r^{2^{k-s}},$$
where $z = (1 + vw)^{2^{-s} - 1} \big( b^{2^{-k} + 2^k + 1} \big)^{2^{-s} - 1}$. Note $z \in GF(2^k)$. We raise both sides to the power $2^k$ (using $z^{2^k} = z$), rearrange and multiply by $\theta + \theta^{2^{-k}}$ to obtain
$$(\theta + \theta^{2^{-k}}) \big( w z \theta^{2^k} r + v^{2^{-s}} t \big) = (\theta + \theta^{2^{-k}}) \big( \theta^{2^k} z t^{2^{k+s}} + r^{2^{-k-s}} \big). \tag{5}$$
We claim that $\theta + \theta^{2^{-k}}$ is not zero. If $\theta = \theta^{2^{-k}}$ then $\alpha^{2^k - 1} = b^{(2^{k+s} - 1)(2^k - 2^{-k})}$. As $k + s$ is divisible by 3, $2^{k+s} - 1$ is divisible by seven, and seven divides $2^n - 1$ since $3 \mid n$. As $(3,k) = 1$, $2^k - 1$ is coprime to seven, so this implies $\alpha$ is a seventh power, contradicting its primitive status, and the claim is proven.

From Equation (2) we have $r + r^{2^k} = \theta (t + t^{2^k})$. From this equation and using the fact that the relative trace mapping from $GF(2^{3k})$ to $GF(2^k)$ (denoted by $\mathrm{Tr}_k$) is zero for any field element of the form $\delta + \delta^{2^k}$, we derive the following:
$$\mathrm{Tr}_k \big( \theta (t + t^{2^k}) \big) = \mathrm{Tr}_k \big( \theta^{-1} (r + r^{2^k}) \big) = 0.$$
As $\mathrm{Tr}_k(cg) = c \, \mathrm{Tr}_k(g)$ for $c \in GF(2^k)$ and $\theta^{2^{-k} + 2^k + 1} \in GF(2^k)$, we can say
$$\mathrm{Tr}_k \big( (\theta + \theta^{2^{-k}}) t \big) = \mathrm{Tr}_k \big( \theta^{2^k} (\theta + \theta^{2^{-k}}) r \big) = 0. \tag{6}$$
Therefore the left hand side of Equation (5) has relative trace zero, which implies the right hand side of Equation (5) has relative trace zero also. That is,
$$\mathrm{Tr}_k \Big( (\theta + \theta^{2^{-k}}) \big( \theta^{2^k} z t^{2^{k+s}} + r^{2^{-k-s}} \big) \Big) = 0.$$
We write this as
$$z \Big( (\theta + \theta^{2^{-k}}) \theta^{2^k} t^{2^{k+s}} + (\theta + \theta^{2^{-k}})^{2^k} \theta^{2^{-k}} t^{2^{-k+s}} + (\theta + \theta^{2^{-k}})^{2^{-k}} \theta \, t^{2^s} \Big) = (\theta + \theta^{2^{-k}}) r^{2^{-k-s}} + (\theta + \theta^{2^{-k}})^{2^k} r^{2^{-s}} + (\theta + \theta^{2^{-k}})^{2^{-k}} r^{2^{k-s}}. \tag{7}$$
From Equation (6) we obtain
$$t^{2^{-k+s}} = (\theta + \theta^{2^{-k}})^{2^s - 2^{-k+s}} t^{2^s} + (\theta + \theta^{2^{-k}})^{2^{k+s} - 2^{-k+s}} t^{2^{k+s}},$$
$$r^{2^{-k-s}} = \theta^{2^{k-s} - 2^{-s}} (\theta + \theta^{2^{-k}})^{2^{-s} - 2^{-k-s}} r^{2^{-s}} + \theta^{2^{-k-s} - 2^{-s}} (\theta + \theta^{2^{-k}})^{2^{k-s} - 2^{-k-s}} r^{2^{k-s}}.$$
Substituting these expressions for $t^{2^{-k+s}}$ and $r^{2^{-k-s}}$ into Equation (7) we get
$$z \Big( \big( (\theta + \theta^{2^{-k}}) \theta^{2^k} + (\theta + \theta^{2^{-k}})^{2^k} \theta^{2^{-k}} (\theta + \theta^{2^{-k}})^{2^{k+s} - 2^{-k+s}} \big) t^{2^{k+s}} + \big( (\theta + \theta^{2^{-k}})^{2^{-k}} \theta + (\theta + \theta^{2^{-k}})^{2^k} \theta^{2^{-k}} (\theta + \theta^{2^{-k}})^{2^s - 2^{-k+s}} \big) t^{2^s} \Big)$$
$$= \big( (\theta + \theta^{2^{-k}})^{2^k} + (\theta + \theta^{2^{-k}}) \theta^{2^{k-s} - 2^{-s}} (\theta + \theta^{2^{-k}})^{2^{-s} - 2^{-k-s}} \big) r^{2^{-s}} + \big( (\theta + \theta^{2^{-k}})^{2^{-k}} + (\theta + \theta^{2^{-k}}) \theta^{2^{-k-s} - 2^{-s}} (\theta + \theta^{2^{-k}})^{2^{k-s} - 2^{-k-s}} \big) r^{2^{k-s}}.$$
We multiply across by $(\theta + \theta^{2^{-k}})^{2^{-k-s} + 2^{-k+s}} \theta^{2^{-s}}$ and obtain
$$z (\theta + \theta^{2^{-k}})^{2^{-k-s}} \theta^{2^{-s}} \Big( \big( (\theta + \theta^{2^{-k}})^{2^{-k+s} + 1} \theta^{2^k} + (\theta + \theta^{2^{-k}})^{2^{k+s} + 2^k} \theta^{2^{-k}} \big) t^{2^{k+s}} + \big( (\theta + \theta^{2^{-k}})^{2^{-k+s} + 2^{-k}} \theta + (\theta + \theta^{2^{-k}})^{2^s + 2^k} \theta^{2^{-k}} \big) t^{2^s} \Big)$$
$$= (\theta + \theta^{2^{-k}})^{2^{-k+s}} \Big( \big( (\theta + \theta^{2^{-k}})^{2^{-k-s} + 2^k} \theta^{2^{-s}} + (\theta + \theta^{2^{-k}})^{2^{-s} + 1} \theta^{2^{k-s}} \big) r^{2^{-s}} + \big( (\theta + \theta^{2^{-k}})^{2^{-k-s} + 2^{-k}} \theta^{2^{-s}} + (\theta + \theta^{2^{-k}})^{2^{k-s} + 1} \theta^{2^{-k-s}} \big) r^{2^{k-s}} \Big).$$
Letting
$$P(\theta) = (\theta + \theta^{2^{-k}})^{2^{-k+s} + 1} \theta^{2^k} + (\theta + \theta^{2^{-k}})^{2^{k+s} + 2^k} \theta^{2^{-k}},$$
the above equation becomes
$$z (\theta + \theta^{2^{-k}})^{2^{-k-s}} \theta^{2^{-s}} \big( P(\theta) t^{2^{k+s}} + P(\theta)^{2^k} t^{2^s} \big) = (\theta + \theta^{2^{-k}})^{2^{-k+s}} \big( P(\theta)^{2^{-k-s}} r^{2^{-s}} + P(\theta)^{2^{k-s}} r^{2^{k-s}} \big). \tag{8}$$
We claim that $P(\theta)$ is a non-zero element of $GF(2^k)$. Setting $P(\theta)$ equal to zero yields
$$(\theta + \theta^{2^{-k}})^{2^{-k+s} + 1} \theta^{2^k} = (\theta + \theta^{2^{-k}})^{2^{k+s} + 2^k} \theta^{2^{-k}}.$$
This implies
$$\theta^{2^k - 2^{-k}} = (\theta + \theta^{2^{-k}})^{(2^{k+s} - 1)(1 - 2^k)}.$$
Therefore $\theta^{2^k - 2^{-k}}$ is a seventh power.
But $\theta^{2^s} = \alpha \, b^{2^k (2^{k+s} - 1)}$, so $\big( \theta^{2^k - 2^{-k}} \big)^{2^s} = \big( \alpha \, b^{2^k (2^{k+s} - 1)} \big)^{2^k - 2^{-k}}$ would be a seventh power; as $7 \mid 2^{k+s} - 1$ and $7 \nmid 2^{2k} - 1$, this would require $\alpha$ to be a seventh power also, which it is not. Hence $P(\theta) \ne 0$.

To see that $P(\theta) \in GF(2^k)$, we multiply the expression out and refactor as follows:
$$P(\theta) = (\theta + \theta^{2^{-k}})^{2^{-k+s}} (\theta + \theta^{2^{-k}}) \theta^{2^k} + (\theta + \theta^{2^{-k}})^{2^{k+s}} (\theta + \theta^{2^{-k}})^{2^k} \theta^{2^{-k}}.$$
This implies
$$P(\theta) = \big( \theta^{2^{-k+s}} + \theta^{2^{k+s}} \big) \big( \theta^{2^k + 1} + \theta^{2^{-k} + 2^k} \big) + \big( \theta^{2^s} + \theta^{2^{k+s}} \big) \big( \theta^{2^{-k} + 1} + \theta^{2^{-k} + 2^k} \big),$$
which becomes
$$P(\theta) = \theta^{2^s} \big( \theta^{2^{-k} + 1} + \theta^{2^{-k} + 2^k} \big) + \theta^{2^{k+s}} \big( \theta^{2^k + 1} + \theta^{2^{-k} + 1} \big) + \theta^{2^{-k+s}} \big( \theta^{2^k + 2^{-k}} + \theta^{2^k + 1} \big).$$
We can write this as
$$P(\theta) = \mathrm{Tr}_k \Big( \theta^{2^s} \big( \theta^{2^{-k} + 1} + \theta^{2^{-k} + 2^k} \big) \Big),$$
hence $P(\theta) \in GF(2^k)$ and the claim is proven.

Since $P(\theta) \in GF(2^k)$ we have $P(\theta)^{2^k} = P(\theta)$ and $P(\theta)^{2^{-k-s}} = P(\theta)^{2^{k-s}} = P(\theta)^{2^{-s}}$, so Equation (8) becomes
$$z (\theta + \theta^{2^{-k}})^{2^{-k-s} - 2^{-k+s}} P(\theta)^{1 - 2^{-s}} \big( t + t^{2^k} \big)^{2^s} = \theta^{-2^{-s}} \big( r + r^{2^k} \big)^{2^{-s}}.$$
Using Equation (2) and raising by $2^s$ we obtain an equation in $(t + t^{2^k})$,
$$z^{2^s} (\theta + \theta^{2^{-k}})^{2^{-k} - 2^{-k+2s}} P(\theta)^{2^s - 1} \big( t + t^{2^k} \big)^{2^{2s}} + \big( t + t^{2^k} \big) = 0,$$
which by Lemma 1 has at most four solutions for $(t + t^{2^k})$. More precisely, the coefficient of $(t + t^{2^k})^{2^{2s}}$ is non-zero ($z$, $\theta + \theta^{2^{-k}}$ and $P(\theta)$ are all non-zero), so apart from $t + t^{2^k} = 0$ the equation requires $(t + t^{2^k})^{2^{2s} - 1}$ to equal a fixed non-zero constant, which has $\gcd(2^{2s} - 1, 2^n - 1) = 2^{(2s, n)} - 1$ solutions: one when $n$ is odd and three when $n$ is even. Hence there are no more than two solutions for $(t + t^{2^k})$ when $n$ is odd and no more than four when $n$ is even.

This restriction on $(t + t^{2^k})$ is crucial and will be used to complete the proof, but first we consider the following two expressions, which come from Equations (3) and (4) respectively:
$$B u = t^{2^s} + w r^{2^{-k}}, \qquad \alpha^{2^{-s}} B^{2^{-k-s}} u = v^{2^{-s}} t^{2^{-k}} + r^{2^{k-s}},$$
where $B = (1 + vw) b^{2^k + 1}$. From these we obtain
$$B u + B^{2^k} u^{2^k} = \big( t + t^{2^k} \big)^{2^s} + w \big( r + r^{2^k} \big)^{2^{-k}},$$
$$\alpha^{2^{-s}} B^{2^{-k-s}} u + \alpha^{2^{k-s}} B^{2^{-s}} u^{2^k} = v^{2^{-s}} \big( t + t^{2^k} \big)^{2^{-k}} + \big( r + r^{2^k} \big)^{2^{k-s}}.$$
Next we eliminate the $u^{2^k}$ term in these equations to give the following:
$$\big( \alpha^{2^{k-s}} B^{2^{-s} + 1} + \alpha^{2^{-s}} B^{2^{-k-s} + 2^k} \big) u = B^{2^k} \Big( v^{2^{-s}} \big( t + t^{2^k} \big)^{2^{-k}} + \big( r + r^{2^k} \big)^{2^{k-s}} \Big) + \alpha^{2^{k-s}} B^{2^{-s}} \Big( \big( t + t^{2^k} \big)^{2^s} + w \big( r + r^{2^k} \big)^{2^{-k}} \Big). \tag{9}$$
We let $D = \alpha^{2^{k-s}} B^{2^{-s} + 1} + \alpha^{2^{-s}} B^{2^{-k-s} + 2^k}$ and note that $D$ is not zero, as $D = 0$ implies
$$\alpha^{2^{k-s} - 2^{-s}} = B^{2^{-k-s} + 2^k - 2^{-s} - 1} = B^{(2^{k+s} - 1)(2^{-s} - 2^{-k-s})},$$
which again contradicts the fact that $\alpha$ is primitive. Therefore we may write Equation (9) as
$$u = D^{-1} \Big( B^{2^k} \big( v^{2^{-s}} (t + t^{2^k})^{2^{-k}} + (r + r^{2^k})^{2^{k-s}} \big) + \alpha^{2^{k-s}} B^{2^{-s}} \big( (t + t^{2^k})^{2^s} + w (r + r^{2^k})^{2^{-k}} \big) \Big).$$
We now use Equation (2) to substitute $\theta (t + t^{2^k})$ for the $r + r^{2^k}$ terms and we obtain
$$u = D^{-1} \Big( B^{2^k} \big( v^{2^{-s}} (t + t^{2^k})^{2^{-k}} + (\theta (t + t^{2^k}))^{2^{k-s}} \big) + \alpha^{2^{k-s}} B^{2^{-s}} \big( (t + t^{2^k})^{2^s} + w (\theta (t + t^{2^k}))^{2^{-k}} \big) \Big).$$
Recall that $t + t^{2^k}$ can only take two values when $n$ is odd and four when $n$ is even. The above equation expresses every $u \in K$ as a function of $t + t^{2^k}$, so $K$ has at most two elements when $n$ is odd and at most four when $n$ is even. In particular $|K| \le 4$, and the proof is complete.

References

[1] C. Bracken, E. Byrne, N. Markin, G. McGuire, "On the Fourier spectrum of binomial APN functions", SIAM Journal on Discrete Mathematics, to appear.

[2] C. Bracken, E. Byrne, N. Markin, G. McGuire, "New families of quadratic almost perfect nonlinear trinomials and multinomials", Finite Fields and Their Applications, Vol. 14, Issue 3, July 2008, 703–714.

[3] C. Bracken, E. Byrne, N. Markin, G. McGuire, "Determining the Nonlinearity of a New Family of APN Functions", Applied Algebra, Algebraic Algorithms and Error Correcting Codes, Lecture Notes in Computer Science, Vol. 4851, Springer-Verlag, 2007, 72–79.

[4] C. Bracken, E. Byrne, N. Markin, G. McGuire, "On the Walsh Spectrum of a New APN Function", Cryptography and Coding, Lecture Notes in Computer Science, Vol. 4887, Springer-Verlag, 2007, 92–98.

[5] C. Bracken, E. Byrne, N. Markin, G. McGuire, "A few more quadratic APN functions", Cryptography and Communications, to appear.

[6] L. Budaghyan, C. Carlet, G. Leander, "Two classes of quadratic APN binomials inequivalent to power functions", IEEE Transactions on Information Theory, Vol. 54, Issue 9, Sep. 2008, 4218–4229.

[7] L. Budaghyan, C. Carlet, G. Leander, "Another class of quadratic APN binomials over $F_{2^n}$: the case $n$ divisible by 4", Proceedings of WCC 07, Versailles, France, April 2007, 49–58.

[8] L. Budaghyan, C. Carlet, P. Felke, G. Leander, "An infinite class of quadratic APN functions which are not equivalent to power mappings", Proceedings of ISIT 2006, Seattle, USA, July 2006.

[9] L. Budaghyan, C. Carlet, G. Leander, "Constructing new APN functions from known ones", Finite Fields and Their Applications, to appear.

[10] C. Carlet, "Vectorial Boolean functions for Cryptography", to appear as a chapter of the monograph Boolean Methods and Models, Cambridge University Press (Eds. Peter Hammer and Yves Crama), available at http://www-rocq.inria.fr/secret/Claude.Carlet/chap-vectorial-fcts.pdf.

[11] A. Canteaut, P. Charpin, H. Dobbertin, "Weight divisibility of cyclic codes, highly nonlinear functions on GF(2^m) and crosscorrelation of maximum-length sequences", SIAM Journal on Discrete Mathematics, 13(1), 2000, 105–138.

[12] C. Carlet, P. Charpin, V. Zinoviev, "Codes, bent functions and permutations suitable for DES-like cryptosystems", Designs, Codes and Cryptography, Vol. 15, No. 2, 1998, 125–156.

[13] F. Chabaud, S. Vaudenay, "Links between differential and linear cryptanalysis", Advances in Cryptology: EUROCRYPT '94, Lecture Notes in Computer Science, Vol. 950, Springer-Verlag, 1995.

[14] John Dillon, slides from a talk given at "Polynomials over Finite Fields and Applications", held at Banff International Research Station, November 2006.

[15] Y. Edel, G. Kyureghyan, A. Pott, "A new APN function which is not equivalent to a power mapping", IEEE Transactions on Information Theory, Vol. 52, Issue 2, Feb. 2006, 744–747.

[16] K. Nyberg, "Differentially uniform mappings for cryptography", Advances in Cryptology: EUROCRYPT '93, Lecture Notes in Computer Science, Springer-Verlag, 1994, 55–64.