Fourier Spectra of Binomial APN Functions
Authors: Carl Bracken, Eimear Byrne, Nadya Markin
Carl Bracken∗, Eimear Byrne†, Nadya Markin‡, Gary McGuire§

October 24, 2018

Abstract

In this paper we compute the Fourier spectra of some recently discovered binomial APN functions. One consequence of this is the determination of the nonlinearity of the functions, which measures their resistance to linear cryptanalysis. Another consequence is that certain error-correcting codes related to these functions have the same weight distribution as the 2-error-correcting BCH code. Furthermore, for field extensions of $F_2$ of odd degree, our results provide an alternative proof of the APN property of the functions.

∗ School of Mathematical Sciences, University College Dublin, Ireland. (carlbracken@yahoo.com) Research supported by Irish Research Council for Science, Engineering and Technology Postdoctoral Fellowship.
† School of Mathematical Sciences, University College Dublin, Ireland. (ebyrne@ucd.ie) Research supported by the Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006.
‡ School of Mathematical Sciences, University College Dublin, Ireland. (nadyaomarkin@gmail.com) Postdoctoral Fellow supported by the Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006.
§ School of Mathematical Sciences, University College Dublin, Ireland. (gary.mcguire@ucd.ie) Research supported by the Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006.

1 Introduction

Highly nonlinear functions on finite fields are interesting from the point of view of cryptography as they provide optimum resistance to linear and differential attacks. A function that has the APN (resp. AB) property, as defined below, has optimal resistance to a differential (resp. linear) attack. For more on relations between linear and differential cryptanalysis, see [11].
Highly nonlinear functions are also of interest from the point of view of coding theory. The weight distribution of a certain error-correcting code is equivalent to the Fourier spectrum (including multiplicities) of $f$. The code having three particular weights is equivalent to the AB property, when $n$ is odd. The minimum distance of the dual code being 5 is equivalent to the APN property holding for $f$. We give more details on the connections to coding theory in Section 2.

For the rest of the paper, let $L = GF(2^n)$ and let $L^*$ denote the set of non-zero elements of $L$. Let $Tr : L \to GF(2)$ denote the trace map from $L$ to $GF(2)$.

Definition 1 A function $f : L \to L$ is said to be almost perfect nonlinear (APN) if for any $a \in L$, $b \in L^*$, we have
$$|\{x \in L : f(x+a) - f(x) = b\}| \le 2.$$

Definition 2 Given a function $f : L \to L$, the Fourier transform of $f$ is the function $\hat f : L \times L^* \to \mathbb{Z}$ given by
$$\hat f(a,b) = \sum_{x \in L} (-1)^{Tr(ax + bf(x))}.$$
The Fourier spectrum of $f$ is the set of integers
$$\Lambda_f = \{\hat f(a,b) : a, b \in L,\ b \ne 0\}.$$

The nonlinearity of a function $f$ on a field $L = GF(2^n)$ is defined as
$$NL(f) := 2^{n-1} - \frac{1}{2} \max_{x \in \Lambda_f} |x|.$$
The nonlinearity of a function measures its distance to the set of all affine maps on $L$. We thus call a function maximally nonlinear if its nonlinearity is as large as possible. If $n$ is odd, its nonlinearity is upper-bounded by $2^{n-1} - 2^{\frac{n-1}{2}}$, while for $n$ even an upper bound is $2^{n-1} - 2^{\frac{n}{2}-1}$. For odd $n$, we say that a function $f : L \to L$ is almost bent (AB) when its Fourier spectrum is $\{0, \pm 2^{\frac{n+1}{2}}\}$, in which case it is clear from the upper bound that $f$ is maximally nonlinear. We have the following connection (for odd $n$) between the AB and APN property: every AB function on $L$ is also APN [11], and, conversely, if $f$ is quadratic and APN, then $f$ is AB [10].
In particular, quadratic APN functions have optimal resistance to both linear and differential attacks. On the other hand, there appears to be no relation between the nonlinearity and the APN property of a function when $n$ is even. The reader is referred to [8] for a comprehensive survey on APN and AB functions.

Recently, the first non-monomial families of APN functions have been discovered. Below we list the families of quadratic functions known at the time of writing. We remark that, in a sense to be qualified in the next section, these families are all pairwise inequivalent.

1. $f(x) = x^{2^s+1} + \alpha x^{2^{ik} + 2^{mk+s}}$, where $n = 3k$, $(k,3) = (s,3k) = 1$, $k \ge 3$, $i \equiv sk \bmod 3$, $m \equiv -i \bmod 3$, $\alpha = t^{2^k-1}$ and $t$ is primitive (see Budaghyan, Carlet, Felke, Leander [6]).

2. $f(x) = x^{2^s+1} + \alpha x^{2^{ik} + 2^{mk+s}}$, where $n = 4k$, $(k,2) = (s,2k) = 1$, $k \ge 3$, $i \equiv sk \bmod 4$, $m = 4 - i$, $\alpha = t^{2^k-1}$ and $t$ is primitive (see Budaghyan, Carlet, Leander [5]). This family generalizes an example found for $n = 12$ by Edel, Kyureghyan, Pott [13].

3. $f(x) = \alpha x^{2^s+1} + \alpha^{2^k} x^{2^{k+s} + 2^k} + \beta x^{2^k+1} + \sum_{i=1}^{k-1} \gamma_i x^{2^{k+i} + 2^i}$, where $n = 2k$, $\alpha$ and $\beta$ are primitive elements of $GF(2^n)$, and $\gamma_i \in GF(2^k)$ for each $i$, and $(k,s) = 1$, $k$ is odd, $s$ is odd (see Bracken, Byrne, Markin, McGuire [1]).

4. $f(x) = x^3 + Tr(x^9)$, over $GF(2^n)$, any $n$ (see Budaghyan, Carlet, Leander [7]).

5. $f(x) = u x^{2^{-k} + 2^{k+s}} + u^{2^k} x^{2^s+1} + v x^{2^{k+s} + 2^s}$, where $n = 3k$, $u$ is primitive, $v \in GF(2^k)$, $(s,3k) = 1$, $(3,k) = 1$ and 3 divides $k+s$ (see Bracken, Byrne, Markin, McGuire [1]).

In this paper we calculate the Fourier spectra of families (1) and (2). The determination of the Fourier spectra of families (3) and (4) has been given in [2] and [3], respectively, using other methods.
The Fourier spectrum for family (5) has not yet been found, and is an open problem. We will show here that the Fourier spectra of the functions (1) and (2) are 5-valued for fields of even degree and 3-valued for fields of odd degree. In this sense they resemble the Gold functions $x^{2^d+1}$, $(d,n) = 1$. For fields of odd degree, our result provides another proof of the APN property. This does not hold for fields of even degree; as we stated earlier, there appears to be no relation between the Fourier spectrum and the APN property for fields of even degree. Thus, the fact that $f$ has a 5-valued Fourier spectrum for fields of even degree does not follow from the fact that $f$ is a quadratic APN function. Indeed, there is one example known (due to Dillon [12]) of a quadratic APN function on a field of even degree whose Fourier spectrum is more than 5-valued; if $u$ is primitive in $GF(2^6)$ then
$$g(x) = x^3 + u^{11} x^5 + u^{13} x^9 + x^{17} + u^{11} x^{33} + x^{48}$$
is a quadratic APN function on $GF(2^6)$ whose Fourier transform takes seven distinct values.

The layout of this paper is as follows. In Section 2 we review the connections between APN functions, nonlinearity, and coding theory. Section 3 gives the proof of the Fourier spectrum for family (1), and Section 4 gives the proof for family (2). In Section 5 we simply state for completeness the results from other papers on families (3) and (4), and Section 6 has some open problems for further work.

2 Preliminaries on Coding Theory

Fix a basis of $L$ over $F_2$. For each element $x \in L$ we write $\mathbf{x} = (x_1, \ldots, x_n)$ to denote the vector of coefficients of $x$ with respect to this basis.
Given a map $f : L \to L$, we write $\mathbf{f}(x)$ to denote the representation of $f(x) \in L$ as a vector in $F_2^n$, and we consider the $2n \times (2^n - 1)$ binary matrix
$$A_f = \begin{bmatrix} \cdots & \mathbf{x} & \cdots \\ \cdots & \mathbf{f}(x) & \cdots \end{bmatrix}$$
where the columns are ordered with respect to some ordering of the nonzero elements of $L$. The function $f$ is APN if and only if the binary error-correcting code of length $2^n - 1$ with $A_f$ as parity check matrix has minimum distance 5. This is because codewords of weight 4 correspond to solutions of
$$a + b + c + d = 0, \qquad f(a) + f(b) + f(c) + f(d) = 0,$$
and this system has no nontrivial solutions if and only if $f$ is APN. We refer the reader to [9] for more on the connection between coding theory and APN functions.

The dual code has $A_f$ as a generator matrix. The weights $w$ in this code correspond to values $V$ in the Fourier spectrum of $f$ via $V = 2^n - 2w$. Thus, when we compute the Fourier spectrum of an APN function, as we do in this paper, we are computing the weights occurring in the code.

Suppose $f$ is APN. Let $C_f$ denote the code with generator matrix $A_f$. Let $a_w$ denote the number of times the weight $w$ occurs in $C_f$. Let $b_j$ denote the number of codewords of weight $j$ in $C_f^\perp$. If there are five or fewer weights in $C_f$, the MacWilliams (or Pless) identities yield five independent equations $b_0 = 1$, $b_1 = b_2 = b_3 = b_4 = 0$, for the unknowns $a_V$, which can be solved uniquely. Thus the distribution of values is determined for an APN function whenever there are five or fewer values in its Fourier spectrum. In particular, if $\Lambda_f \subseteq \{0, \pm 2^{\frac{n}{2}}, \pm 2^{\frac{n+2}{2}}\}$ for even $n$, or $\Lambda_f \subseteq \{0, \pm 2^{\frac{n+1}{2}}\}$ for odd $n$, then the distribution is completely determined. This is indeed the case for the functions studied in this paper.
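The objects of Definitions 1 and 2 and of this section can be checked by brute force for small fields. The following is an added example, not code from the paper: it assumes a polynomial-basis representation of $GF(2^n)$ with the constructed primitive polynomials in PRIMITIVE_POLY, and since families (1) and (2) need $n \ge 12$ it uses the Gold function $x^3$ and family (4) $x^3 + Tr(x^9)$ over $GF(2^5)$ and $GF(2^6)$ instead, together with the weight/spectrum correspondence for the code generated by $A_f$.

```python
"""Added example (not from the paper): Fourier (Walsh) spectrum, nonlinearity,
APN test and the code-weight correspondence of Section 2, for small GF(2^n)."""
from collections import Counter

# Primitive polynomials for the field sizes used below, as bit masks
# (constructed table; standard choices x^5 + x^2 + 1 and x^6 + x + 1).
PRIMITIVE_POLY = {5: 0b100101, 6: 0b1000011}


class GF2n:
    """L = GF(2^n) in a polynomial basis; an element is an int with n bits."""

    def __init__(self, n):
        self.n, self.size, self.poly = n, 1 << n, PRIMITIVE_POLY[n]
        self.mul_table = [[self._mul(a, b) for b in range(self.size)]
                          for a in range(self.size)]
        # Tr(x) = x + x^2 + ... + x^(2^(n-1)) lies in GF(2) = {0, 1}
        self.tr = [self._trace(x) for x in range(self.size)]

    def _mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a & self.size:  # reduce modulo the primitive polynomial
                a ^= self.poly
        return r

    def _trace(self, x):
        t, y = 0, x
        for _ in range(self.n):
            t ^= y
            y = self._mul(y, y)
        return t

    def mul(self, a, b):
        return self.mul_table[a][b]

    def pow(self, a, e):
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a, e = self.mul(a, a), e >> 1
        return r


def fourier(F, vals, a, b):
    """f^(a,b) = sum over x in L of (-1)^Tr(ax + b f(x)), with vals[x] = f(x).
    Tr is additive, so Tr(ax + b f(x)) = Tr(ax) XOR Tr(b f(x))."""
    tr, m = F.tr, F.mul_table
    ones = sum(tr[m[a][x]] ^ tr[m[b][vals[x]]] for x in range(F.size))
    return F.size - 2 * ones


def fourier_spectrum(F, f):
    """Lambda_f with multiplicities: Counter over all a in L, b in L* (Definition 2)."""
    vals = [f(x) for x in range(F.size)]
    return Counter(fourier(F, vals, a, b)
                   for b in range(1, F.size) for a in range(F.size))


def nonlinearity(spectrum, n):
    """NL(f) = 2^(n-1) - (1/2) max |v| over v in Lambda_f."""
    return 2 ** (n - 1) - max(abs(v) for v in spectrum) // 2


def differential_uniformity(F, f):
    """max over a != 0 and b of #{x : f(x+a) + f(x) = b}; f is APN iff this is 2
    (Definition 1). A linear f returns 2^n, the worst possible value."""
    vals = [f(x) for x in range(F.size)]
    return max(max(Counter(vals[x ^ a] ^ vals[x] for x in range(F.size)).values())
               for a in range(1, F.size))


def codeword_weight(F, f, a, b):
    """Weight of the codeword (Tr(ax + b f(x)))_{x in L*} of the code generated
    by A_f; it relates to the Fourier value by f^(a,b) = 2^n - 2w."""
    return sum(F.tr[F.mul(a, x)] ^ F.tr[F.mul(b, f(x))] for x in range(1, F.size))


if __name__ == "__main__":
    for n in (5, 6):
        F = GF2n(n)
        gold = lambda x, F=F: F.pow(x, 3)                      # Gold function x^3
        fam4 = lambda x, F=F: F.pow(x, 3) ^ F.tr[F.pow(x, 9)]  # family (4): x^3 + Tr(x^9)
        for name, g in (("x^3", gold), ("x^3 + Tr(x^9)", fam4)):
            spec = fourier_spectrum(F, g)
            print(f"n={n} {name}: Lambda_f={sorted(spec)} NL={nonlinearity(spec, n)} "
                  f"differential uniformity={differential_uniformity(F, g)}")
```

For $n = 5$ the spectrum is $\{0, \pm 8\}$ and for $n = 6$ it is $\{0, \pm 8, \pm 16\}$, matching the Gold-like spectra stated in this section; a linear map such as $x^2$ shows the opposite extreme, with Fourier values only in $\{0, 2^n\}$.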
Solving for the distribution in this case must yield the same values and distribution as the double-error-correcting BCH code, which corresponds to the APN function $x^3$. This function has $\Lambda_f = \{0, \pm 2^{\frac{n}{2}}, \pm 2^{\frac{n+2}{2}}\}$ for even $n$, and $\Lambda_f = \{0, \pm 2^{\frac{n+1}{2}}\}$ for odd $n$.

Consider the extended code of $C_f^\perp$, which has parity check matrix
$$P_f = \begin{bmatrix} 1 & \cdots & 1 & 1 \\ \cdots & \mathbf{x} & \cdots & \mathbf{0} \\ \cdots & \mathbf{f}(x) & \cdots & \mathbf{0} \end{bmatrix}.$$
Two functions $f$ and $g$ are said to be CCZ equivalent if and only if the codes with parity check matrices $P_f$ and $P_g$ are equivalent (as binary codes). This is not the original definition of CCZ equivalence, but it is an equivalent definition, as was shown in [1]. The new APN functions presented in the introduction are known to be pairwise CCZ-inequivalent. One consequence of the results in this paper is that further invariants (beyond the code weight distribution) are needed to show that families (1)-(4) are inequivalent.

3 Family (1), Binomials over $GF(2^{3k})$

We will make good use of the following standard result from Galois theory, which allows us to bound the number of solutions of a linearized polynomial. We include a proof for the convenience of the reader.

Lemma 1 Let $F$ be a field and let $K$, $H$ be finite Galois extensions of $F$ of degrees $n$ and $s$ respectively, whose intersection is $F$. Let $M = KH$ be the compositum of $K$ and $H$. Let $k_1, \ldots, k_t$ be $F$-linearly independent elements of $K$. Then $k_1, \ldots, k_t$ are $H$-linearly independent when regarded as elements of $M$.

Proof: Since $K$ and $H$ are Galois extensions of $F$ and $K \cap H = F$, we have $[M : H] = [K : F] = n$. Let $\{k_1, \ldots, k_n\}$ be an $F$-basis of $K$ as a vector space over $F$, and $\{h_1, \ldots, h_s\}$ an $F$-basis of $H$ as a vector space over $F$. Then the set $\{k_i \cdot h_j \mid 1 \le i \le n,\ 1 \le j \le s\}$ generates $M$ as a vector space over $F$. It is clear that the set $\{k_1 \cdot h_1, \ldots, k_n \cdot h_1\}$ generates $M$ as a vector space over the field $H$. Without loss of generality we can assume that $h_1 = 1$. Since $[M : H] = n$, we conclude that $\{k_1, \ldots, k_n\}$ is indeed a basis of $M$ over $H$. Let $\{k_1, \ldots, k_t\}$ be a set of $F$-linearly independent elements of $K$. We can extend this set to a basis $\{k_1, \ldots, k_t, \ldots, k_n\}$. Since this set forms an $H$-basis of $M$, its subset $\{k_1, \ldots, k_t\}$ is a fortiori linearly independent over $H$.

Note that for Galois extensions $K$, $H$ in the lemma above, $(s,n) = 1$ implies that $K \cap H = F$, and in the case when the fields $K$, $H$, $F$ are finite, we have $(s,n) = 1$ if and only if $K \cap H = F$.

Corollary 2 Let $s$ be an integer satisfying $(s,n) = 1$ and let
$$f(x) = \sum_{i=0}^{d} r_i x^{2^{si}}$$
be a polynomial in $L[x]$. Then $f(x)$ has at most $2^d$ zeroes in $L$.

Let $V$ denote the set of zeroes of $f(x)$ in $L$. We may assume that $V \ne \{0\}$. Since $f(x)$ is a linearized polynomial, $V$ is a vector space over $GF(2)$ of finite dimension $v$ for some positive integer $v$. Let $V' \subset GF(2^{sn})$ denote the vector space generated by the elements of $V$ over the field $GF(2^s)$. Since $(s,n) = 1$, we have $L \cap GF(2^s) = GF(2)$ and by Lemma 1, $V'$ is a $v$-dimensional vector space over $GF(2^s)$. Furthermore, for all $c \in GF(2^s)$ and $w \in GF(2^{sn})$ we have $f(cw) = c f(w)$. Therefore all the elements of $V'$ are also zeroes of $f(x)$. Since the dimension of $V$ over $GF(2)$ is $v$, the size of $V'$ is $2^{sv}$ and it follows that there are at least $2^{sv}$ zeroes of $f(x)$ in $GF(2^{sn})$. On the other hand, a polynomial of degree $2^{ds}$ can have at most $2^{ds}$ solutions. We conclude that $v \le d$.

Theorem 3 Let $f(x) = x^{2^s+1} + \alpha x^{2^{ik} + 2^{mk+s}}$, where $n = 3k$, $(k,3) = (s,3k) = 1$, $k \ge 3$, $i \equiv sk \bmod 3$, $m \equiv -i \bmod 3$, $\alpha = t^{2^k-1}$ and $t$ is primitive in $L$.
The Fourier spectrum of $f(x)$ is $\{0, \pm 2^{\frac{n+1}{2}}\}$ when $n$ is odd and $\{0, \pm 2^{\frac{n}{2}}, \pm 2^{\frac{n+2}{2}}\}$ when $n$ is even.

Proof: By the restrictions on $i, s, k$, there are two possibilities for our function $f(x)$:
$$f_1(x) = x^{2^s+1} + \alpha x^{2^{-k} + 2^{k+s}} \qquad (sk \equiv -1 \bmod 3)$$
and
$$f_2(x) = x^{2^s+1} + \alpha x^{2^k + 2^{-k+s}} \qquad (sk \equiv 1 \bmod 3).$$
Let us consider the first case, when $f = f_1$. By definition, the Fourier spectrum of $f$ is
$$f^W(a,b) = \sum_{x} (-1)^{Tr(ax + bf(x))}.$$
Squaring gives
$$f^W(a,b)^2 = \sum_{x \in L} \sum_{u \in L} (-1)^{Tr(ax + bf(x) + a(x+u) + bf(x+u))}.$$
This becomes
$$f^W(a,b)^2 = \sum_{u} (-1)^{Tr(au + bu^{2^s+1} + b\alpha u^{2^{-k} + 2^{k+s}})} \sum_{x} (-1)^{Tr(x L_b(u))},$$
where
$$L_b(u) := bu^{2^s} + (bu)^{2^{-s}} + (b\alpha)^{2^k} u^{2^{-k+s}} + (b\alpha)^{2^{-k-s}} u^{2^{k-s}}.$$
Using the fact that $\sum_x (-1)^{Tr(cx)}$ is 0 when $c \ne 0$ and $2^n$ otherwise, we obtain
$$f^W(a,b)^2 = 2^n \sum_{u \in K} (-1)^{Tr(au + bu^{2^s+1} + b\alpha u^{2^{-k} + 2^{k+s}})},$$
where $K$ denotes the kernel of $L_b(u)$. If the size of the kernel is at most 4, then clearly
$$0 \le \sum_{u \in K} (-1)^{Tr(au + bu^{2^s+1} + b\alpha u^{2^{-k} + 2^{k+s}})} \le 4.$$
Since $f^W(a,b)$ is an integer, this sum can only be 0, 2, or 4 if $n$ is even, and 1 or 3 if $n$ is odd. The set of permissible values of $f^W(a,b)$ is then
$$f^W(a,b) \in \begin{cases} \{0, \pm 2^{\frac{n+1}{2}}\} & 2 \nmid n, \\ \{0, \pm 2^{\frac{n}{2}}, \pm 2^{\frac{n+2}{2}}\} & 2 \mid n. \end{cases}$$
We must now demonstrate that $|K| \le 4$, which is sufficient to complete the proof. Note that since $\alpha$ is a $(2^k - 1)$-th power, we have $\alpha^{2^{2k} + 2^k + 1} = 1$. Now suppose that $L_b(u) = 0$. Then we have the following equations:
$$(b\alpha)^{-2^k} L_b(u) + b^{1 - 2^k - 2^{-k}} \alpha L_b(u)^{2^k} + b^{-2^{-k}} L_b(u)^{2^{2k}} = 0,$$
$$b^{-2^{-s}} L_b(u) + b^{2^{-k-s} - 2^{k-s} - 2^{-s}} \alpha^{2^{-k-s}} L_b(u)^{2^k} + b^{-2^{k-s}} \alpha^{-2^{k-s}} L_b(u)^{2^{-k}} = 0.$$
Substituting the definition of $L_b(u)$ into the equations above and gathering the terms gives
$$c_1 u^{2^{-s}} + c_2 u^{2^{k-s}} + c_3 u^{2^{-k-s}} = 0, \qquad (1)$$
$$d_1 u^{2^s} + d_2 u^{2^{k+s}} + d_3 u^{2^{-k+s}} = 0, \qquad (2)$$
where
$$c_1 = b^{2^{-s} - 2^k} \alpha^{-2^k} + b^{2^{k-s} - 2^{-k}} \alpha^{2^{k-s}},$$
$$c_2 = (b\alpha)^{2^{-k-s} - 2^k} + b^{2^{k-s} + 1 - 2^{-k} - 2^k} \alpha,$$
$$c_3 = b^{2^{-s} + 1 - 2^k - 2^{-k}} \alpha^{2^{-s} + 1} + b^{2^{-k-s} - 2^{-k}},$$
$$d_1 = b^{1 - 2^{-s}} + b^{2^{-k-s} + 2^{-k} - 2^{-s} - 2^{k-s}} \alpha^{2^{-k-s} + 2^{-k}},$$
$$d_2 = b^{2^{-k-s} + 2^k - 2^{-s} - 2^{k-s}} \alpha^{2^{-k-s}} + b^{1 - 2^{k-s}} \alpha^{2^{-k-s} + 2^{-s} + 1},$$
$$d_3 = b^{2^k - 2^{-s}} \alpha^{2^k} + b^{2^{-k} - 2^{k-s}} \alpha^{2^{-k-s} + 2^{-s}}.$$
First we demonstrate that the coefficients $c_i$, $d_j$ in Equations (1) and (2) do not vanish. Suppose that $c_1 = 0$. We then have
$$\alpha^{2^{k-s} + 2^k} = b^{-2^{k-s} + 2^{-k} + 2^{-s} - 2^k}$$
and taking the $2^{-k}$-th power of both sides yields
$$\alpha^{2^{-s} + 1} = b^{(2^{k+s} - 1)(2^{-s} - 2^{-k-s})}.$$
Let $\alpha = t^{2^k - 1}$, where $t$ is primitive in $GF(2^{3k})$. Substituting $t$ into the previous equation and some rearrangement gives
$$t^{2^{k-s} - 1} = t^{2^{-s}(1 - 2^{k+s})} b^{(2^{k+s} - 1)(2^{-s} - 2^{-k-s})}.$$
The multiplicative order of 2 modulo 7 is equal to 3, therefore for any $r$ we have 7 divides $2^r - 1$ if and only if $r$ is divisible by 3. Since $3 \nmid k - s$, we conclude that $7 \nmid 2^{k-s} - 1$, therefore the left hand side is not a seventh power, while the right hand side is. We conclude that the coefficient of $u^{2^{-s}}$ in Equation (1) is not 0 and use the same type of argument to conclude that all the coefficients in Equation (1) are non-zero. A similar argument holds for Equation (2).

We will next combine Equation (1) and Equation (2) to obtain an equation of the form $Au + Bu^{2^k} = 0$.
Raise Equation (1) to the power of $2^s$, Equation (2) to the power of $2^{-s}$ and combine the two expressions, cancelling the terms in $u^{2^{-k}}$ to obtain
$$Au + Bu^{2^k} = 0, \qquad (3)$$
where
$$A = \left(\frac{c_1}{c_3}\right)^{2^s} + \left(\frac{d_1}{d_3}\right)^{2^{-s}} \quad \text{and} \quad B = \left(\frac{c_2}{c_3}\right)^{2^s} + \left(\frac{d_2}{d_3}\right)^{2^{-s}}.$$
For now assume that both $A, B$ are non-zero. We obtain the following equalities by applying the appropriate powers of the Frobenius automorphism to Equation (3):
$$u^{2^{-k+s}} = A^{-2^{-k+s}} B^{2^{-k+s}} u^{2^s}, \qquad u^{2^{k-s}} = B^{-2^{-s}} A^{2^{-s}} u^{2^{-s}}.$$
Substituting the two identities above into our expression for $L_b(u) = 0$ gives
$$\left(b + (b\alpha)^{2^k} A^{-2^{-k-s}} B^{2^{-k-s}}\right) u^{2^s} + \left(b^{2^{-s}} + (b\alpha)^{2^{-k-s}} B^{-2^{-s}} A^{2^{-s}}\right) u^{2^{-s}} = 0. \qquad (4)$$
Raising this equation to the power of $2^s$ gives a polynomial of degree $2^{2s}$ which is $GF(2^s)$-linear. By Corollary 2, the dimension of the kernel of this polynomial over $GF(2)$ is at most 2, unless the left-hand side of Equation (4) is identically 0. It therefore remains to show that the polynomial in Equation (4) is not identically 0. Assuming that both coefficients are zero, we get
$$A b^{2^{k-s}} + (b\alpha)^{2^{-k-s}} B = 0, \qquad Bb + (b\alpha)^{2^{-k}} A = 0.$$
We combine the equations above to obtain
$$Bb + (b\alpha)^{2^{-k}} b^{2^{-k-s} - 2^{k-s}} \alpha^{2^{-k-s}} B = 0.$$
So we have
$$b^{1 - 2^{-k} + 2^{k-s} - 2^{-k-s}} = \alpha^{2^{-k-s} + 2^{-k}}.$$
Substituting $\alpha$ with $t^{2^k - 1}$, rearranging and factoring the powers gives
$$b^{(2^{k+s} - 1)(1 - 2^{-k})} t^{1 - 2^{k+s}} = t^{2^s (2^{k-s} - 1)}.$$
Here we observe that only the left hand side of the above equation is a seventh power, thus obtaining the desired contradiction. We conclude that the size of the kernel $K$ is less than 4. This finishes the argument. It finally remains to show that the coefficients $A, B$ are non-zero.
Setting $A$ to 0 gives rise to the equation
$$\alpha^{2^k - 2^s + 2^{k+s}} = b^{1 - 2^{-k+s}} + (b\alpha)^{2^k + 2^{k+s}} \left( \frac{b^{2^{-s} + 2^k - 2^s} + b^{2^{-k} + 2^{-k-s}} \alpha^{2^{-k} - 2^s + 2^{-k-s}}}{(b\alpha)^{2^{k-s} + 2^k - 2^s} + b^{2^{-k-s} - 2^{-k} - 2^s}} \right) \left( (b\alpha)^{2^s + 1} + b^{2^{-k} + 2^{k+s}} \right).$$
Substituting $\alpha$ with $t^{2^k - 1}$ and rearranging gives the equation
$$t^{2^{k - 2s + 1}(2^k - 1)} = t^{2^{k-2s} - 2^{-k-2s}(2^{3s} - 1)} R^{2^{2k} + 2^s - 1} T^{1 - 2^{2k} + 2^s},$$
where
$$R = b^{2^{-s} + 2^k - 2^s} + b^{2^{-k} + 2^{-k-s}} \alpha^{2^{-k} - 2^s + 2^{-k-s}} \quad \text{and} \quad T = (b\alpha)^{2^{k-s} + 2^k - 2^s} + b^{2^{-k-s} - 2^{-k} - 2^s}.$$
Reducing the powers of 2 modulo 3 shows that the right hand side of the equation above is a seventh power, while the left hand side is not. We conclude that $A \ne 0$. Suppose $B = 0$; then the only solution of Equation (3) is $u = 0$. We can therefore assume that both $A$ and $B$ are non-zero. This completes the proof of the theorem for the case when $f = f_1$. When $f = f_2$ a similar proof applies. We interchange $k$ and $-k$ in all equations and use the fact that in this case 3 divides $k - s$.

4 Family (2), Binomials over $GF(2^{4k})$

We now compute the Fourier spectrum for family (2).

Theorem 4 Let $L = GF(2^n)$ and $f(x) = x^{2^s+1} + \alpha x^{2^{ik} + 2^{mk+s}}$, where $n = 4k$, $(k,2) = (s,2k) = 1$, $k \ge 3$, $i \equiv sk \bmod 4$, $m = 4 - i$, $\alpha = t^{2^k - 1}$ and $t$ is primitive. Then $f$ has Fourier spectrum $\{0, \pm 2^{n/2}, \pm 2^{\frac{n+2}{2}}\}$.

Proof: Since $s, k$ are chosen to be odd, $sk \equiv \pm 1 \bmod 4$. Therefore there are two possibilities for our function $f(x)$:
$$f_1(x) = x^{2^s+1} + \alpha x^{2^{-k} + 2^{k+s}} \qquad (sk \equiv -1 \bmod 4)$$
and
$$f_2(x) = x^{2^s+1} + \alpha x^{2^k + 2^{-k+s}} \qquad (sk \equiv 1 \bmod 4).$$
Let us consider the first case, when $f = f_1$. As discussed in the proof of the previous theorem, since $f$ is APN, it suffices to demonstrate that the equation
$$L_b(u) = bu^{2^s} + (bu)^{2^{-s}} + (b\alpha)^{2^{mk}} u^{2^{2k+s}} + (b\alpha)^{2^{ik-s}} u^{2^{2k-s}} = 0$$
has at most four solutions for all non-zero $b$ in $L$. All the solutions of $L_b(u) = 0$ are also solutions of the equation
$$b^{-2^{2k}} L_b(u)^{2^{2k}} + (b\alpha)^{-2^k} L_b(u) = 0.$$
This gives
$$\left(b^{2^{2k} + 1} + (b\alpha)^{2^k + 2^{-k}}\right) u^{2^s} + \left(b^{2^{2k} + 2^{-s}} + (b\alpha)^{2^k + 2^{k-s}}\right) u^{2^{-s}} + \left(b^{2^k + 2^{2k-s}} \alpha^{2^{2k-s}} + b^{2^{2k} + 2^{-k-s}} \alpha^{2^{-k-s}}\right) u^{2^{2k-s}} = 0. \qquad (5)$$
We also compute
$$b^{-2^{-s+2k}} L_b(u)^{2^{2k}} + (b\alpha)^{-2^{-k-s}} L_b(u) = 0$$
to obtain
$$\left(b^{2^{2k-s}} + (b\alpha)^{2^{-k-s} + 2^{-k}}\right) u^{2^s} + \left(b^{2^{2k-s} + 2^{-s}} + (b\alpha)^{2^{k-s} + 2^{-k-s}}\right) u^{2^{-s}} + \left(b^{2^{2k-s} + 2^k} \alpha^{2^k} + b^{2^{2k} + 2^{-k-s}} \alpha^{2^{-k-s}}\right) u^{2^{2k+s}} = 0. \qquad (6)$$
Writing Equation (6) as
$$cu^{2^s} + du^{2^{-s}} + eu^{2^{2k+s}} = 0 \qquad (7)$$
we see that Equation (5) becomes
$$d^{2^s} u^{2^s} + c^{2^{2k}} u^{2^{-s}} + eu^{2^{2k-s}} = 0. \qquad (8)$$
We combine Equations (7) and (8) to cancel the third term from each expression. This yields the following equation
$$G(u) := \left(e^{2^s} c^{2^{-s}} + e^{2^{-s}} c^{2^{2k+s}}\right) u + e^{2^s} d^{2^{-s}} u^{2^{-2s}} + e^{2^{-s}} d^{2^{2s}} u^{2^{2s}} = 0. \qquad (9)$$
Now for some non-zero $v$ in the kernel of $G(u)$, we consider the equation
$$G_v(u) := uG(u) + vG(v) + (u+v)G(u+v) = 0. \qquad (10)$$
Substituting gives
$$e^{2^s} d^{2^{-s}} \left(u^{2^{-2s}} v + v^{2^{-2s}} u\right) + e^{2^{-s}} d^{2^{2s}} \left(u^{2^{2s}} v + v^{2^{2s}} u\right) = 0. \qquad (11)$$
Note that $\ker(G(u))$ is contained in $\ker(G_v(u))$. We now show that $L_b(u) = 0$ has at most four solutions. This will be done in five steps, which complete the proof.

(i) We show that $d \ne 0$ implies that $d^{2^s - 1}$ is not a cube. Recall that
$$d = b^{2^{2k-s} + 2^{-s}} + b^{2^{k-s} + 2^{-k-s}} t^{2^{2k-s} + 2^{-s} - 2^{k-s} - 2^{-k-s}}.$$
This implies that
$$d^{2^s - 1} = t^{-2^{-s-k}(2^{2k} + 1)(2^s - 1)} A^{2^s - 1},$$
where $A = b^{2^{2k-s} + 2^{-s}} t^{2^{k-s} + 2^{-k-s}} + b^{2^{k-s} + 2^{-k-s}} t^{2^{2k-s} + 2^{-s}}$. As $A = A^{2^k}$, we have $A \in GF(2^k)$. Furthermore, as $k$ is odd, all elements of $GF(2^k)$ are cubes. We conclude that $A^{2^s - 1}$ is a cube. Now if $d^{2^s - 1}$ is a cube, then so is $t^{(2^{2k} + 1)(2^s - 1)}$. But this is impossible as $(2^{2k} + 1)(2^s - 1)$ is not divisible by 3 and $t$ is primitive.

(ii) We show that if $c, d, e \ne 0$ and $d^{2^s - 1}$ is not a cube then (11) has at most four solutions. Assume that the coefficients $e, c, d$ are non-zero and that $d^{2^s - 1}$ is not a cube. Now $u^{2^{2s}} v + v^{2^{2s}} u = 0$ if and only if $uv^{-1} \in GF(4)$. Therefore we have exactly four solutions in $u$, namely $u = vw$ for each $w \in GF(4)$. If, on the other hand, $u^{2^{2s}} v + v^{2^{2s}} u \ne 0$, we can rearrange (11) to obtain
$$d^{2^s - 1} = \left(u^{2^{-2s}} v + v^{2^{-2s}} u\right)^{2^{2s} - 1} e^{2^{-s} - 2^s} d^{2^{2s} - 1}.$$
Using the fact that 3 divides $2^r - 1$ if and only if $r$ is even, we see that the right hand side of this expression is a cube while the left hand side is not. Thus, the kernel of $L_b$ has at most four elements.

(iii) We demonstrate that $e \ne 0$. For the sake of contradiction suppose that $e = 0$. Then we have
$$b^{2^{2k-s} + 2^k - 2^{2k} - 2^{-k-s}} t^{2^{2k-s} - 2^{-s}} = 1,$$
and hence
$$(bt^{-1})^{2^{2k-s} + 2^k - 2^{2k} - 2^{-k-s}} t^{2^{2k-s} - 2^{-s}} = 1.$$
Further rearrangement gives
$$(bt^{-1})^{(1 - 2^k)(2^{2k-s} + 2^k)} = t^{2^{-s}(1 - 2^{2k})}. \qquad (12)$$
As 4 divides $k + s$, $2^{k+s} \equiv 1 \bmod 5$. Also $2^{2k} + 1 \equiv 0 \bmod 5$ for any odd $k$. Therefore 5 divides $2^{k+s} + 2^{2k}$ and hence 5 divides $2^k + 2^{2k-s}$. The left hand side of (12) is a fifth power while the right hand side is not because $t$ is primitive and $2^{-s}(1 - 2^{2k})$ is not a multiple of 5. We conclude that $e \ne 0$.

(iv) We next rule out the case $c = 0$. Suppose $c = 0$. Then we have
$$b^{2^{2k-s} + 1 - 2^{-k-s} - 2^{-k}} t^{2^{-k-s} + 2^{-k} - 2^{-s} - 1} = 1,$$
from which we derive
$$(bt^{-1})^{(2^k - 1)(2^{-k} - 2^{2k-s})} = t^{2^{-s}(2^{2k} - 1)}.$$
By similar observations as before we can demonstrate that only the left hand side of the expression above is a fifth power.
This gives us the desired contradiction and we conclude that $c \ne 0$.

(v) We show that if $d = 0$ then $L_b(u) = 0$ has at most 4 solutions. Suppose that $d = 0$. Then Equation (7) becomes
$$c^{2^{2k}} u^{2^{-s}} + eu^{2^{2k-s}} = 0. \qquad (13)$$
Let $H(u) := c^{2^{-s}} u + e^{2^{-s}} u^{2^{2k}}$, so that solutions to (13) comprise the kernel of $H(u)$. For some $v \ne 0$ in the kernel of $H(u)$, consider the equation
$$H_v(u) := uH(u) + vH(v) + (u+v)H(u+v) = 0.$$
This yields
$$H_v(u) = e^{2^{-s}} \left(u^{2^{2k}} v + v^{2^{2k}} u\right) = 0,$$
from which we obtain $u^{2^{2k}} = v^{2^{2k} - 1} u$. Applying this relation to $L_b(u) = 0$ gives us the equation
$$L_b(u) = \left(b + (b\alpha)^{2^k} v^{2^{2k+s} - 2^s}\right) u^{2^s} + \left(b^{2^{-s}} + (b\alpha)^{2^{-k-s}} v^{2^{2k-s} - 2^{-s}}\right) u^{2^{-s}} = 0.$$
If both coefficients in the above expression are non-zero, then, by Corollary 2, it has at most four solutions. If exactly one of the coefficients is 0, then $u = 0$ is the unique solution. If both coefficients vanish, then we have
$$b^{2^{-s}} + (b\alpha)^{2^{k-s}} v^{2^{2k} - 1} = 0 \quad \text{and} \quad b + (b\alpha)^{2^{-k}} v^{2^{2k} - 1} = 0,$$
from which we derive
$$v^{2^{2k} - 1} = b^{2^{-k} - 2^{k-s}} \alpha^{-2^{k-s}} = b^{1 - 2^{-k}} \alpha^{-2^{-k}},$$
which implies that $e = 0$, a previously established contradiction. This completes the proof of the theorem for the case when $f = f_1$. When $f = f_2$ a near identical proof applies. We simply interchange $k$ and $-k$ in all equations and use the fact that in this case 5 divides $2^{k-s} - 1$ to achieve the required contradictions concerning fifth powers. $\square$

5 Families (3) and (4)

For proofs of the following theorems, which compute the Fourier spectra of families (3) and (4), see [2] and [3] respectively. We state the results here for completeness.

Theorem 5 Let $n = 2k$ and let
$$f(x) = \alpha x^{2^s+1} + \alpha^{2^k} x^{2^{k+s} + 2^k} + \beta x^{2^k + 1} + \sum_{i=1}^{k-1} \gamma_i x^{2^{k+i} + 2^i},$$
where $\alpha$ and $\beta$ are primitive elements of $L$, and $\gamma_i \in GF(2^k)$ for each $i$ and $(k,s) = 1$.
Then the Fourier spectrum of $f(x)$ is $\{0, \pm 2^{\frac{n}{2}}, \pm 2^{\frac{n+2}{2}}\}$.

Theorem 6 Let $f(x) = x^3 + Tr(x^9)$ on $L$. Then the Fourier spectrum of $f(x)$ is $\{0, \pm 2^{\frac{n+1}{2}}\}$ when $n$ is odd and $\{0, \pm 2^{\frac{n}{2}}, \pm 2^{\frac{n+2}{2}}\}$ when $n$ is even.

6 Closing remarks and open problems

For each of the above quadratic APN functions considered, the Fourier spectrum turned out to be the same as the Gold functions. The example of Dillon on $GF(2^6)$ cited in the introduction of this paper is the only known example of a quadratic APN function that does not have this spectrum. This means that the dual code of this function (as defined in Section 2) has the same minimum distance as the double error-correcting BCH code (the dual code corresponding to the function $x^3$), but has a different weight distribution.

Open problem 1: Find other examples of quadratic APN functions for even $n$ that do not have the same Fourier spectrum as the Gold function $x^3$.

In [1] the following trinomial function (family (5) in the introduction) over $GF(2^{3k})$ was shown to be APN:
$$f(x) = ux^{2^{-k} + 2^{k+s}} + u^{2^k} x^{2^s + 1} + vx^{2^{k+s} + 2^s},$$
where $u$ is primitive, $v \in GF(2^k)$, $(s,3k) = 1$, $(3,k) = 1$ and 3 divides $k + s$.

Open problem 2: Determine the Fourier spectrum of the above APN function.

References

[1] C. Bracken, E. Byrne, N. Markin, G. McGuire, "New families of quadratic almost perfect nonlinear trinomials and multinomials," Finite Fields and Applications, to appear.
[2] C. Bracken, E. Byrne, N. Markin, G. McGuire, "Determining the Nonlinearity of a New Family of APN Functions," Applied Algebra, Algebraic Algorithms and Error Correcting Codes, Lecture Notes in Computer Science, Vol. 4851, Springer-Verlag, 2007.
[3] C. Bracken, E. Byrne, N. Markin, G. McGuire, "On the Fourier Spectrum of a New APN Function," Cryptography and Coding, Lecture Notes in Computer Science, Vol. 4887, Springer-Verlag, 2007.
[4] L. Budaghyan, C. Carlet and G. Leander, "A class of quadratic APN binomials inequivalent to power functions," preprint, available at http://eprint.iacr.org/2006/445.pdf.
[5] L. Budaghyan, C. Carlet, G. Leander, "Another class of quadratic APN binomials over $F_{2^n}$: the case $n$ divisible by 4," Proceedings of WCC 07, pp. 49–58, Versailles, France, April 2007.
[6] L. Budaghyan, C. Carlet, P. Felke, and G. Leander, "An infinite class of quadratic APN functions which are not equivalent to power mappings," Proceedings of ISIT 2006, Seattle, USA, July 2006.
[7] L. Budaghyan, C. Carlet, G. Leander, "Constructing new APN functions from known ones," preprint submitted to Finite Fields and Applications.
[8] C. Carlet, "Vectorial Boolean functions for Cryptography," to appear as a chapter of the monograph Boolean methods and models, Cambridge University Press (Ed. Peter Hammer and Yves Crama).
[9] A. Canteaut, P. Charpin, and H. Dobbertin, "Weight divisibility of cyclic codes, highly nonlinear functions on GF(2^m) and crosscorrelation of maximum-length sequences," SIAM Journal on Discrete Mathematics, 13 (1), pp. 105–138, 2000.
[10] C. Carlet, P. Charpin, V. Zinoviev, "Codes, bent functions and permutations suitable for DES-like cryptosystems," Designs, Codes and Cryptography, Vol. 15, No. 2, pp. 125–156, 1998.
[11] F. Chabaud, S. Vaudenay, "Links between differential and linear cryptanalysis," Advances in Cryptology EUROCRYPT 94, Lecture Notes in Computer Science, Vol. 950, Springer-Verlag, 1995.
[12] John Dillon, slides from talk given at "Polynomials over Finite Fields and Applications," held at Banff International Research Station, November 2006.
[13] Y. Edel, G. Kyureghyan, A. Pott, "A new APN function which is not equivalent to a power mapping," IEEE Transactions on Information Theory, Vol. 52, Issue 2, pp. 744–747, Feb. 2006.
[14] K. Nyberg, "Differentially uniform mappings for cryptography," Advances in Cryptology EUROCRYPT 93, Lecture Notes in Computer Science, Springer-Verlag, pp. 55–64, 1994.