Infinite families of APN permutations in constrained trivariate classes over $\mathbb{F}_{2^m}$

Inﬁnite families of APN p erm utations in constrained triv ariate classes o v er F 2 m Daniele Bartoli 1 , P antelimon St ˘ anic˘ a 2 1 Departmen t of Mathematics and Computer Science, Univ ersit y of P erugia, 06123 P erugia, Italy; daniele.bartoli@unipg.it 2 Applied Mathematics Departmen t, Nav al P ostgraduate School, Mon terey , CA 93943, USA; pstanica@nps.edu Marc h 17, 2026 Keyw ords : APN functions, APN p erm utations, CCZ-equiv alence, ﬁnite ﬁelds, algebraic curv es. Mathematics Sub ject Classiﬁcation 2020 : 11T06, 11T71, 12E20, 14G15, 94A60. Abstract The construction of p erm utation p olynomials o ver ﬁnite ﬁelds with simple algebraic structure in multiple v ariables is a challenging problem with signiﬁcant applications in cryptograph y and co ding theory . Recently , Li and Kaleyski (IEEE, T rans. Inf. Th., 2024) generalized t wo sporadic quadratic APN p erm utations from dimension 9 into inﬁnite families of triv ariate functions with co eﬃcien ts in F 2 . In this paper we extend this w ork b y in v estigating generalizations of b oth families where the scalar co eﬃcient is allow ed to range freely ov er F ∗ 2 m . F or the family G a ( x, y , z ) = ( x q +1 + ax q z + yz q , x q z + y q +1 , xy q + ay q z + z q +1 ) , with a ∈ F ∗ 2 m , q = 2 i , gcd( i, m ) = 1, and m o dd, w e pro v e that the p ermutation prop ert y is characterized by the absence of ro ots in F ∗ 2 m of an asso ciated one-v ariable p olynomial, and that this ro ot condition is also equiv alent to the APN prop erty . This yields a quan- titativ e low er b ound on the num b er of go o d parameters: if d = q 2 + q + 1, then at least 2 m +1 − ( d − 1)( d − 2)2 m/ 2 − d d v alues of a ∈ F ∗ 2 m giv e APN p erm utations G a . In the binary case q = 2, we prov e that a = 1 is go o d whenever 7 ∤ m , recov ering the Li–Kaleyski family and yielding APN p erm utations in that range. F or the generalized second family H a ( x, y , z ) = ( x q +1 + axy q + yz q , xy q + z q +1 , x q z + y q +1 + ay q z ) , w e obtain the analogous ro ot criterion and show that its deﬁning one-v ariable p olynomial is ro ot-equiv alent to that of G a . Consequen tly , the same parameters a pro duce APN p erm utations in b oth families. 1 W e also establish strong non-equiv alence results. First, G a (resp. H a ) is diagonally equiv alent to the Li–Kaleyski representativ e G 1 (resp. H 1 ) of Li–Kaleyski (IEEE T rans. Inform. Theory , 2024) if and only if a q 2 + q +1 = 1; for m > 4, m  = 6, 7 ∤ m , diagonal non-equiv alence implies CCZ non-equiv alence via the monomial restriction theorem of Shi et al. (DCC, 2025). In particular, when q = 2 and 7 ∤ m , ev ery go o d parameter a  = 1 yields APN p erm utations CCZ-inequiv alent to those of Li–Kaleyski (IEEE T rans. Inform. Theory , 2024). Second, for m > 4, m  = 6, and 7 ∤ m , no mem b er of the G a -family is CCZ-equiv alen t to an y member of the H b -family for the same q . Th us the t wo families pro vide genuinely new, mutually inequiv alent sources of APN p ermutations on F 2 3 m . 1 In tro duction and to ols from algebraic geometry Let q = 2 i for some p ositiv e in tegers m and i with gcd( i, m ) = 1, and consider the extension F 2 m of F q . A function F : F n 2 m → F n 2 m is almost p erfe ct nonline ar (APN) if for ev ery a ∈ F n 2 m \ { 0 } and ev ery b ∈ F n 2 m , the equation F ( x + a ) + F ( x ) = b has at most tw o solutions. Over ﬁelds of even characteristic, tw o is the minimum p ossible diﬀerential uniformity [6], making APN functions optimal against diﬀerential cryptanalysis. When such a function is sim ultaneously a p ermutation it is an ideal S-b o x building blo ck, combining optimal diﬀerential resistance with in vertibilit y . Constructing APN p ermutations is notoriously diﬃcult: only a handful of inﬁnite families are kno wn, and the question of their existence in every even dimension remains op en. This area gained new momentum when Beierle and Leander [5] discov ered tw o sp oradic APN p erm utations o ver F 2 9 b y computer search. An initial generalization attempt b y Beierle, Carlet, Leander, and P errin [4] considered the triv ariate form C u ( X , Y , Z ) = ( X 3 + uY 2 Z, Y 3 + uX Z 2 , Z 3 + uX 2 Y ) and conjectured it yields no new p erm utations or APN functions for m > 3; the APN part was settled by Bartoli and Timpanella [3], and the p ermutation part w as resolved for all o dd m ≥ 23 in the companion pap er [2]. The decisive p ositive step came from Li and Kaleyski [10], who successfully generalized b oth Beierle–Leander instances into t wo inﬁnite families of APN p ermutations ov er F 2 3 m with scalar co eﬃcients from F 2 . The presen t pap er studies the corresponding triv ariate families when the scalar coeﬃcient is allo w ed to range ov er all of F ∗ 2 m . Our main con tribution is a ro ot-theoretic analysis of the resulting parametric families G a and H a . F or G a , with a ∈ F ∗ 2 m , q = 2 i , gcd( i, m ) = 1, and m o dd, we show that the p ermutation prop ert y is characterized by the absence of ro ots in F ∗ 2 m of an asso ciated one-v ariable p olynomial, and that this same ro ot condition is equiv alent to the APN prop ert y . Th us the triv ariate APN/p ermutation problem is reduced to a univ ariate ro ot-exclusion problem. W e then derive a quantitativ e low er b ound on the n umber of go o d parameters a yielding APN p erm utations G a , and in the binary case q = 2 we prov e that a = 1 is go o d whenever 7 ∤ m by com bining our framework with the Li–Kaleyski ro ot criterion. F or H a , we obtain the analogous ro ot criterion and pro ve that the corresp onding one-v ariable conditions for G a and H a are ro ot-equiv alent; consequen tly , the same parameters a yield APN p erm utations in b oth families. W e further establish strong non-equiv alence results. Theorem 4.2 shows that G a (resp. H a ) is diagonally equiv alent to the Li–Kaleyski representativ e G 1 (resp. H 1 ) of [10] if and 2 only if a q 2 + q +1 = 1; for m > 4, m  = 6, 7 ∤ m , diagonal non-equiv alence implies CCZ non- equiv alence via the monomial restriction theorem of Shi et al. [12]. In particular, when q = 2 and 7 ∤ m , the condition gcd(7 , 2 m − 1) = 1 forces a 7  = 1 for all a  = 1, so ev ery go o d parameter a  = 1 yields APN p ermutations CCZ -inequiv alent to those of [10]. Theorem 4.5 sho ws that, for m > 4, m  = 6, 7 ∤ m , no mem b er of the G a -family is CCZ-equiv alent to an y member of the H b -family (for the same q ). Thus the t wo families are not only new but m utually inequiv alent inﬁnite sources of APN p ermutations on F 2 3 m . Our ﬁrst companion pap er [2] establishes the aﬃne reduction to a canonical four-parameter form, derives the necessary non-p ermutation conditions via algebraic geometry , provides a complete classiﬁcation for m = 3, and resolves the Beierle–Carlet–Leander–Perrin conjecture for o dd m ≥ 23. Results from [2] that we need are stated explicitly b elo w; their full pro ofs are not rep eated here. The pap er is organized as follo ws. Section 1 also collects the algebraic geometry tools used throughout. Section 2 recalls the p ermutation characterization for G a from [2], establishes the p olynomial equiv alences, prov es the APN equiv alence, and deriv es the existence results for APN p ermutations (including a quantitativ e b ound for q > 2 and the binary case q = 2 when 7 ∤ m ). Section 3 treats the second family H a in full, establishes when G a and H a are CCZ-equiv alent to the Li–Kaleyski representativ es G 1 and H 1 (Theorem 4.2), and prov es that no member of the G a -family is CCZ-equiv alent to any member of the H b -family for the same q (Theorem 4.5). Section 5 summarizes the main ﬁndings and collects op en problems. App endix A and the co des a v ailable at [13] pro vide the computational v eriﬁcation. T o ols from algebraic geometry W e work with v arieties ov er F 2 , the algebraic closure of F 2 . W e use standard notation A r and P r for aﬃne and pro jective r -space. A v ariet y is absolutely irr e ducible if it is irreducible o ver F 2 , i.e., cannot b e decomp osed as a union of t wo prop er sub v arieties even after passing to the algebraic closure. The t w o main results w e imp ort are as follows. Theorem 1.1 ([7, Theorem 7.1]) . L et V ⊆ A n ( F q ) b e an absolutely irr e ducible variety deﬁne d over F q of dimension r > 0 and de gr e e δ . If q > 2( r + 1) δ 2 , then   # V ( F q ) − q r   ≤ ( δ − 1)( δ − 2) q r − 1 / 2 + 5 δ 13 / 3 q r − 1 . In p articular, V has at le ast one F q -r ational p oint when q is lar ge enough r elative to δ . Lemma 1.2 ([1, Lemma 2.1]) . L et H b e a pr oje ctive hyp ersurfac e and X an F q -r ational pr oje ctive variety of dimension n − 1 in P n ( F q ) . If the interse ction X ∩ H c ontains a non- r ep e ate d absolutely irr e ducible F q -c omp onent, then so do es X itself. 2 Characterization of the ﬁrst generalized family G a 2.1 The ﬁrst class and equiv alen t p olynomials Throughout, m ≥ 3 is an o dd in teger, i is a p ositive integer with gcd( i, m ) = 1, and q = 2 i . Since m is o dd and all c haracteristics are 2, every element of F 2 m has a unique q -th ro ot and 3 the F rob enius x 7→ x q is a bijection on F 2 m . Deﬁnition 2.1. F or a ∈ F ∗ 2 m , deﬁne G a : F 3 2 m → F 3 2 m b y G a ( x, y , z ) =  x q +1 + ax q z + y z q , x q z + y q +1 , xy q + ay q z + z q +1  . When a = 1 this is the ﬁrst Li–Kaleyski family F 1 ; see [10]. The function G a is a degree-2 p olynomial map ov er F 3 2 m with the following symmetry: if σ denotes the co ordinate swap ( x, y , z ) 7→ ( z , y , x ), then σ ◦ G a ◦ σ = G a , as one v eriﬁes directly b y c hecking that the ﬁrst and third comp onents of G a ( z , y , x ) are the third and ﬁrst comp onen ts of G a ( x, y , z ) resp ectively , while the second comp onen t is unchanged. This symmetry will play a role in the pro ofs b elo w. The p ermutation and APN prop erties of G a are b oth controlled by a single p olynomial in F 2 m [ T ]. Sev eral p olynomial forms arise naturally , and the next prop osition shows they are all ro ot-equiv alent. Prop osition 2.2. L et a ∈ F ∗ 2 m . Consider the fol lowing p olynomials in F 2 m [ T ] : P a ( T ) = T q 2 + q +1 + ( aT q + 1) q +1 , P ′ a ( T ) = T q 2 + q +1 + aT q 2 + q + 1 , Q a ( T ) = T q 2 + q +1 + aT + 1 , Q a q ( T ) = T q 2 + q +1 + a q T + 1 , R a ( T ) = T q 2 + q +1 + ( aT + 1) q +1 , S a ( T ) = T q 2 + q +1 + a q T q +1 + 1 . Each p olynomial evaluates to 1 at T = 0 , so none has 0 as a r o ot. Mor e over, any one of them has a r o ot in F ∗ 2 m if and only if al l of them do (we c al l such, r o ot-e quivalent). Pr o of. W e establish the equiv alences through a c hain of explicit substitutions, eac h preserving the ro ot lo cus in F ∗ 2 m . Step 1: P a ↔ P ′ a . Expanding ( aT q + 1) q +1 giv es P a ( T ) = T q 2 + q +1 + a q +1 T q 2 + q + a q T q 2 + aT q + 1 . Let P ∗ a ( T ) := T q 2 + q +1 P a (1 /T ) b e the recipro cal p olynomial. A direct computation yields P ∗ a ( T ) = 1 + a q +1 T + a q T q +1 + aT q 2 +1 + T q 2 + q +1 = T ( T q + a ) q +1 + 1 . Since the map T 7→ T − 1 is a bijection of F ∗ 2 m , P a has a ro ot in F ∗ 2 m if and only if P ∗ a do es. W e no w show that P ∗ a and P ′ a are ro ot-equiv alen t on F ∗ 2 m . Supp ose U ∈ F ∗ 2 m satisﬁes P ∗ a ( U ) = 0. Set W := U q + a . Then W  = 0 (otherwise P ∗ a ( U ) = U · 0 q +1 + 1 = 1  = 0). F rom P ∗ a ( U ) = U ( U q + a ) q +1 + 1 = 0 4 w e get U W q +1 = 1 , hence U = W − ( q +1) . Substituting into W = U q + a gives W = W − q ( q +1) + a . Multiplying b y W q 2 + q (whic h is v alid since W  = 0) yields W q 2 + q +1 + aW q 2 + q + 1 = 0 , i.e. P ′ a ( W ) = 0 . Th us ev ery nonzero ro ot of P ∗ a pro duces a nonzero ro ot of P ′ a . Con v ersely , supp ose W ∈ F ∗ 2 m satisﬁes P ′ a ( W ) = 0, i.e. W q 2 + q +1 + aW q 2 + q + 1 = 0 . Deﬁne U := W − ( q +1) ∈ F ∗ 2 m . Dividing the equation by W q 2 + q giv es W + a + W − q ( q +1) = 0. Since U q = W − q ( q +1) , this b ecomes W = U q + a . Therefore P ∗ a ( U ) = U ( U q + a ) q +1 + 1 = U W q +1 + 1 = W − ( q +1) W q +1 + 1 = 1 + 1 = 0 . So P ′ a has a nonzero ro ot if and only if P ∗ a do es, and hence (via recipro cit y) if and only if P a do es. Step 2: P ′ a ↔ Q a . Observe that Q a is the recipro cal of P ′ a : T q 2 + q +1 P ′ a (1 /T ) = 1 + aT + T q 2 + q +1 = Q a ( T ) . Hence P ′ a ( T 0 ) = 0 iﬀ Q a (1 /T 0 ) = 0, and the map T 0 7→ 1 /T 0 is a bijection on F ∗ 2 m . Therefore P ′ a and Q a ha ve ro ots in F 2 m sim ultaneously . Step 3: Q a ↔ Q a q . The F rob enius automorphism x 7→ x q is a bijection on F 2 m . If T 0 ∈ F ∗ 2 m satisﬁes Q a ( T 0 ) = 0, i.e., T q 2 + q +1 0 + aT 0 + 1 = 0, then raising b oth sides to the q -th p o wer giv es ( T q 0 ) q 2 + q +1 + a q T q 0 + 1 = 0, i.e., Q a q ( T q 0 ) = 0. Since T q 0 ∈ F ∗ 2 m and the map T 0 7→ T q 0 is a bijection, Q a has a ro ot in F ∗ 2 m iﬀ Q a q do es. Step 4: Q a ↔ R a . Supp ose R a ( T 0 ) = 0 for some T 0 ∈ F ∗ 2 m , i.e., T q 2 + q +1 0 + ( aT 0 + 1) q +1 = 0. Dividing b y T q +1 0 (whic h is nonzero) and setting U 0 = T − 1 0 ∈ F ∗ 2 m : U − q 2 0 + ( a + U 0 ) q +1 = 0 . Multiplying b y U q 2 0 and expanding ( a + U 0 ) q +1 = ( a q + U q 0 )( a + U 0 ) giv es 1 + a q +1 U q 2 0 + aU q 2 + q 0 + a q U q 2 +1 0 + U q 2 + q +1 0 = 0 , whic h is precisely P a ( U 0 ) = 0. By Steps 1–2, P a ( U 0 ) = 0 implies Q a has a ro ot in F ∗ 2 m . The argumen t rev erses (replacing T 0 b y U − 1 0 ), completing the equiv alence. Step 5: S a ↔ Q a . Since S a (0) = 1, all ro ots of S a in F 2 m are nonzero. Set F a ( T ) := T q 2 + q +1 + a q T q 2 + 1. Then T q 2 + q +1 S a (1 /T ) = F a ( T ), so S a and F a are ro ot-equiv alen t o ver F ∗ 2 m . Now let u ∈ F ∗ 2 m . Then F a ( u ) = 0 if and only if u q 2 + q +1 + a q u q 2 + 1 = 0. Raising b oth sides to the q -th p ow er and using u q 3 = u gives u q 2 + q +1 + a q 2 u + 1 = 0, i.e., Q a q 2 ( u ) = 0. Con versely , if Q a q 2 ( u ) = 0, then raising to the q 2 -th p ow er yields u q 2 + q +1 + a q u q 2 + 1 = 0, 5 that is, F a ( u ) = 0. Hence F a and Q a q 2 are ro ot-equiv alent ov er F ∗ 2 m . By Step 3, Q a q 2 and Q a are ro ot-equiv alent. Therefore S a and Q a are ro ot-equiv alent ov er F 2 m . Com bining all ﬁve steps yields the claimed equiv alence, and the pro of of the prop osition is sho wn. W e recall the following result from the companion pap er, which characterizes when G a is a p erm utation. Theorem 2.3 ([2, Theorem 4.2]) . L et m ≥ 3 b e o dd, gcd( i, m ) = 1 , and a ∈ F ∗ 2 m . The function G a is a p ermutation on F 3 2 m if and only if the p olynomial Q a ( T ) = T q 2 + q +1 + aT + 1 has no r o ot in F 2 m . The pro of in [2] pro ceeds b y analyzing the collision system G a ( x + α, y + β , z + γ ) = G a ( x, y , z ) for ( α, β , γ )  = (0 , 0 , 0). After algebraic elimination one reduces to a homogeneous p olynomial L ( x, y , α, β ) of degree q 3 +2 q 2 +2 q +1 in the v ariables ( x, y , α, β ) (with γ eliminated via one of the equations), which factors as L ( x, y , α, β ) = Y θ ∈ Θ F θ ( x, y , α, β ) , where Θ = { θ ∈ F 2 : θ q 2 + q +1 + a q θ q 2 + q + 1 = 0 } is the ro ot set of P ′ a q (ro ot-equiv alen t to Q a b y Prop osition 2.2), and each factor F θ is sho wn to b e absolutely irreducible b y the Jacobian criterion. The three cases Θ ∩ F 2 m  = ∅ , Θ ⊆ F 2 2 m \ F 2 m , and Θ ∩ ( F 2 2 m \ F 2 m )  = ∅ are handled separately using the Lang–W eil b ound (Theorem 1.1) and the Aubry–McGuire– Ro dier lemma (Lemma 1.2) to guarantee the existence of F 2 m -rational p oin ts on F θ in the ﬁrst and third cases, yielding a non-trivial collision and hence non-p erm utation. In particular, in the rational-ro ot case Θ ∩ F 2 m  = ∅ , the same geometric argumen t applied to the corresp onding diﬀeren tial slice yields, for suﬃciently large m , more than the tw o trivial solutions in one direction, and hence failure of the APN prop ert y . W e refer to [2] for a related argument; the pro of there is self-contained and complete. The follo wing classical fact will b e needed several times. Lemma 2.4 (T race Criterion) . L et gcd( i, m ) = 1 . The Artin–Schr eier e quation t q + t = 1 has no solution in F 2 m if and only if m is o dd. Pr o of. The equation t q + t = c is solv able in F 2 m if and only if T r F 2 m / F 2 k ( c ) = 0, where k = gcd( i, m ) = 1, so the relev ant trace is T r F 2 m / F 2 ( c ) = P m − 1 j =0 c 2 j . F or c = 1 ∈ F 2 , this equals P m − 1 j =0 1 = m (mo d 2). Hence T r(1) = 1  = 0 when m is o dd, meaning no solution exists; when m is even, T r(1) = 0 and solutions do exist. Hence the claim follows. 2.2 The equiv alence b et ween APN and p ermutation prop ert y W e now show that, for the family G a , the APN prop erty is equiv alent to the p ermutation prop ert y , and b oth are gov erned by the same univ ariate ro ot condition. Recall that G a ( x, y , z ) =  x q +1 + ax q z + y z q , x q z + y q +1 , xy q + ay q z + z q +1  , 6 where q = 2 i , gcd( i, m ) = 1, m is o dd, and a ∈ F ∗ 2 m , and that Q a ( T ) = T q 2 + q +1 + aT + 1 , and denote D u G a ( x ) := G a ( x + u ) + G a ( x ) + G a ( u ) . Theorem 2.5. L et m ≥ 3 b e o dd, q = 2 i , gcd( i, m ) = 1 , and a ∈ F ∗ 2 m . F or every nonzer o dir e ction d = ( A, B , C ) ∈ F 3 2 m \ { 0 } , the kernel size | k er D d G a | satisﬁes the fol lowing. (a) Axis dir e ctions. If exactly one of A, B , C is nonzer o, then | k er D d G a | = 2 . (b) T yp e 1 ( C = 0 , AB  = 0 ). | k er D ( A,B , 0) G a | = 2 m if Q a q ( A/B ) = 0 , and = 2 , otherwise. (c) T yp e 2 ( B = 0 , AC  = 0 ). | k er D ( A, 0 ,C ) G a | = 2 m if Q a ( C / A ) = 0 , and = 2 , otherwise. Equivalently, for (0 , B , C ) with B C  = 0 : the kernel has size 2 m iﬀ Q a ( C /B ) = 0 , and = 2 , otherwise. (d) T yp e 3 ( AB C  = 0 ). | k er D ( A,B ,C ) G a | ≥ 2 m if Q a has r o ots in F 2 m , and = 2 , otherwise. Pr o of. W e ﬁrst derive the general kernel system. Expanding G a ( x + d ) + G a ( x ) + G a ( d ) = 0 comp onen t by comp onen t and retaining only cross-terms (all pure-quadratic terms cancel in c haracteristic 2), one obtains A q x + ( A + aC ) x q + C q y + aA q z + B z q = 0 , (E1) C x q + B q y + B y q + A q z = 0 , (E2) B q x + ( A + aC ) y q + ( aB q + C q ) z + C z q = 0 . (E3) P art (a): Axis directions ( A, B , C ) = ( A, 0 , 0) . The system reduces to A q x + Ax q + aA q z = 0, A q z = 0, Ay q = 0. Hence z = 0, y = 0, and Ax q = A q x has precisely tw o solutions in F 2 m , i.e., | k er D (1 , 0 , 0) G a | = 2. Similar argumen ts apply to the other tw o cases. P art (b): Type 1, d = ( A, B , 0) with AB  = 0 . Setting C = 0 in (E1)–(E3), implies A q x + Ax q + aA q z + B z q = 0 , B q y + B y q + A q z = 0 , B q x + Ay q + aB q z = 0 . F rom the third equation, x = AB − q y q + az . F rom the second equation, y q = B q − 1 y + A q B − 1 z . (1) Raising (1) to the q -th p ow er, y q 2 = B q 2 − q y q + A q 2 B − q z q . Substituting x q = A q B − q 2 y q 2 + a q z q and all of the ab o v e into the ﬁrst equation, the co eﬃcients of y and z each v anish in c haracteristic 2 (each app ears exactly twice with equal co eﬃcients), leaving the Master Equation  A q 2 + q +1 B − ( q 2 + q ) + Aa q + B  z q = 0 . (2) 7 Dividing b y B  = 0 and setting D := A/B ∈ F ∗ 2 m , renders Q a q ( D ) · z q = 0. If Q a q ( A/B )  = 0, then z = 0 is forced. With z = 0, Equation (1) gives B q y + B y q = 0, i.e., ( y /B ) q = y /B , so y ∈ F 2 · B . F or each such y , x = AB − 1 y is uniquely determined. Hence | ker D ( A,B , 0) G a | = 2. If Q a q ( A/B ) = 0, Equation (2) imp oses no condition on z . F or each z ∈ F 2 m , Equation (1) is an Artin–Schreier equation in y ; since ker( y 7→ y q + y ) = F 2 , exactly 2 m − 1 v alues of z yield t wo solutions y (and the other 2 m − 1 yield none), and each admissible pair ( y , z ) determines a unique x . Th us, the k ernel has size 2 · 2 m − 1 = 2 m . P art (c): Type 2, d = ( A, 0 , C ) with AC  = 0 . Setting B = 0 in (E1)–(E3), renders A q x + ( A + aC ) x q + C q y + aA q z = 0 , C x q + A q z = 0 , ( A + aC ) y q + C q z + C z q = 0 . F rom the second equation, we get x q = A q C − 1 z . (3) W e assume A + aC  = 0 (if A + aC = 0, substituting A = aC into the ﬁrst equation determines y from x and z directly , and the same conclusion holds). F rom the third equation, y q = ( A + aC ) − 1  C q z + C z q  . (4) F rom the ﬁrst equation, substituting (3), x = ( A/C ) z + A − q C q y . (5) Raising (3) to the q -th p ow er, we get x q 2 = A q 2 C − q z q . Raising (5) to the q 2 -th p o wer and substituting (4), x q 2 = A q 2 C q 2 z q 2 + A − q 3 C q 3 ( A + aC ) q  C q 2 z q + C q z q 2  . Equating the tw o expressions for x q 2 , the co eﬃcien t of z q 2 cancels in characteristic 2, and the co eﬃcien t of z q giv es (after m ultiplying through b y A q 3 C q ( A + aC ) q ), transforms into A q 2 + q 3 ( A + aC ) q = C q 3 + q 2 + q . W riting t := C / A and dividing b y A q 3 + q 2 + q : (1 + at ) q = t q ( q 2 + q +1) . T aking q -th ro ots via the F rob enius bijection on F 2 m (bijectiv e since gcd( i, m ) = 1), 1 + at = t q 2 + q +1 ⇐ ⇒ t q 2 + q +1 + at + 1 = 0 , i.e., Q a ( t ) = 0 with t = C / A . If Q a ( C / A )  = 0, the co eﬃcient of z q in the consistency condition is nonzero, yielding an equation z q ( q − 1) = R for some R ∈ F ∗ 2 m . Since gcd( q ( q − 1) , 2 m − 1) = 1 (as gcd( q − 1 , 2 m − 1) = 2 gcd( i,m ) − 1 = 1 and gcd( q , 2 m − 1) = 1), the map z 7→ z q ( q − 1) is a bijection on F ∗ 2 m , giving a unique nonzero solution z 0 . Note that ( A, 0 , C ) is alwa ys in the kernel. Indeed, substituting ( x, y , z ) = ( A, 0 , C ) gives      A q A + ( A + aC ) A q + C q · 0 + aA q C = 0 , C A q + A q C = 0 , ( A + aC ) · 0 + C q C + C C q = 0 , 8 so ( A, 0 , C ) ∈ k er D ( A, 0 ,C ) G a . Thus, z 0 = C and | k er D ( A, 0 ,C ) G a | = 2. If Q a ( C / A ) = 0, b oth the z q - and z q 2 -co eﬃcien ts in the consistency equation v anish sim ultaneously , imp osing no condition on z ; the Artin–Schreier coun t gives | k er | = 2 m . F or direction (0 , B , C ) with B C  = 0: the σ -symmetry gives | ker D (0 ,B ,C ) G a | = | k er D ( C,B , 0) G a | . P art (b) applied to ( C , B , 0) shows the kernel exceeds size 2 iﬀ Q a q ( C /B ) = 0. Since Q a and Q a q are ro ot-equiv alent (Prop osition 2.2, Step 3), this is equiv alen t to Q a ( C /B ) = 0. P art (d): Type 3, d = ( A, B , C ) with AB C  = 0 . Starting from (E1)–(E3), we use (E2) and its q -th p o wer to eliminate z and z q , yielding R 1 : A q 2 +2 q x + A q 2 + q +1 x q + A q B C q x q 2 + ( aA q 2 + q B q + A q 2 + q C q ) y + ( aA q 2 + q B + A q B q 2 +1 ) y q + A q B B q y q 2 = 0 , R 2 : A q 2 + q B q x + ( aA q 2 B q C + A q 2 C q +1 ) x q + A q C q +1 x q 2 + ( aA q 2 B 2 q + A q 2 B q C q ) y + ( A q 2 + q +1 + aA q 2 + q C + A q B q 2 C + aA q 2 B B q + A q 2 B C q ) y q + A q B q C y q 2 = 0 . Eliminating x q 2 b et w een R 1 and R 2 giv es R 3 : A q ( A q C + B q +1 ) x + C ( A q +1 + aB q +1 + B C q ) x q + ( A q C + B q +1 )( aB q + C q ) y + B ( A q +1 + aB q +1 + B C q ) y q = 0 . 1. If A q +1 + aB q +1 + B C q = 0 and A q C + B q +1  = 0, then from R 3 one gets A q x = ( aB q + C q ) y , whic h implies B x = Ay . Substituting into R 1 , w e obtain: ( A q 2 + q +1 + aA q 2 B q +1 + B q 2 + q +1 )( B q 2 y q + B q y q 2 ) = 0 . This equation has either 2 or 2 m solutions, dep ending on whether Q a ( A/B ) is zero or not. Consequently , the same holds for the en tire system. 2. If A q +1 + aB q +1 + B C q  = 0 and A q C + B q +1 = 0, then R 3 implies B ( A q 2 + q +1 + aA q 2 B q +1 + B q 2 + q +1 )( B q x q + A q y q ) = 0. Since A q +1 + aB q +1 + B C q  = 0 and A q C + B q +1 = 0 implies ( A q 2 + q +1 + aA q 2 B q +1 + B q 2 + q +1 )  = 0, w e ha ve B x = Ay . Substituting in to R 1 yields: A q 2 + q B q 2 ( A q 2 + q +1 + aA q 2 B q +1 + B q 2 + q +1 )( B q y + B y q ) = 0 . As the middle term is non-zero, y ∈ { 0 , B } , resulting in exactly tw o solutions for the system. 3. If A q +1 + aB q +1 + B C q = 0 and A q C + B q +1 = 0, then A q 2 + q +1 + aA q 2 B q +1 + B q 2 + q +1 = 0, which o ccurs only when Q a ( A/B ) v anishes. In this case, R 1 and R 2 collapse (up to non-zero factors) to A q 2 + q B q +1 x + A q 2 +1 B q +1 x q + B q 2 + q +2 x q 2 + A q 2 + q +1 B q y + A q 2 + q +1 B y q + A q 2 B q 2 + q +2 y q 2 = 0 . 9 Let j 1 and j 2 b e the dimensions o v er F 2 of the k ernels of the linearized p olynomials in x and y . Since gcd( i, m ) = 1, j 1 , j 2 ≤ 2. The images hav e rank m − j 1 and m − j 2 , meeting in an F 2 -space of dimension at least m − j 1 − j 2 . F or eac h element in this intersection, there are 2 j 1 preimages for x and 2 j 2 for y , totaling at least 2 m pairs ( x, y ). Th us, w e assume henceforth that A q +1 + aB q +1 + B C q  = 0  = A q C + B q +1 . (6) Eliminating x q 2 b et w een R 1 and R q 3 giv es R 4 : ( A 2 q 2 +3 q C q + a q A q 2 +2 q B q 2 + q C q + A q 2 +2 q B q C q 2 + q ) x + ( A 2 q 2 +2 q +1 C q + a q A q 2 + q +1 B q 2 + q C q + A q 2 + q +1 B q C q 2 + q + A 2 q 2 + q B C 2 q + A q 2 + q B q 2 + q +1 C q ) x q + ( aA 2 q 2 +2 q B q C q + A 2 q 2 +2 q C 2 q + aa q A q 2 + q B q 2 +2 q C q + aA q 2 + q B 2 q C q 2 + q + a q A q 2 + q B q 2 + q C 2 q + A q 2 + q B q C q 2 +2 q ) y + ( aA 2 q 2 +2 q B C q + A q 2 +2 q B B q 2 C q + aa q A q 2 + q B q 2 + q +1 C q + aA q 2 + q B q +1 C q 2 + q + a q A q 2 + q B B q 2 C 2 q + A q 2 + q B C q 2 +2 q ) y q = 0 . The equations R 3 and R 4 are linearly dep endent if and only if: H := A q 2 + q +1 + a q AB q 2 + q + AB q C q 2 + aA q 2 + q C + A q B q 2 C + A q 2 B C q + B q 2 + q +1 + a q +1 B q 2 + q C + aB q C q 2 +1 + a q B q 2 C q +1 + C q 2 + q +1 = 0 . Note that H ( A, B , C ) = Y λ : Q a ( λ )=0 ( A + B λ + C ( λ q +1 + a )) , and thus there exist triples ( A, B , C ) ∈ F 3 2 m \ { (0 , 0 , 0) } such that H ( A, B , C ) = 0 if and only if Q a has ro ots in F 2 m . Case H  = 0 ( R 3 and R 4 linearly indep enden t). Combining R 3 and R 4 to eliminate x q yields: A q B q x + ( aB 2 q + B q C q ) y + ( A q +1 + aB q +1 + B C q ) y q = 0 , whic h expresses x as an F 2 -linear combination of y and y q . Substituting this into R 3 , the resulting equation factors as: C A q ( A q +1 + aB q +1 + B C q ) q +1 ( B q 2 y q + B q y q 2 ) = 0 . Giv en that C  = 0 and A q  = 0, at least one of the remaining factors must v anish. The third factor ( A q +1 + aB q +1 + B C q ) is non-zero by condition (6). Thus, we must hav e: B q 2 y q + B q y q 2 = 0 , whic h implies ( y /B ) q 2 − q = 1. Since gcd( q 2 − q , 2 m − 1) = 1 (as gcd( i, m ) = 1), this equation yields y ∈ { 0 , B } . F or each such y , (E2) uniquely determines z , and subsequently (E3) uniquely determines x . This results in | k er D ( A,B ,C ) G a | = 2. 10 Case H = 0 (which is equiv alen t to Q a ha ving ro ots in F 2 m ) . In this case, R 3 and R 4 are linearly dep endent, so only R 3 remains. As analyzed previously , R 3 pro vides at least 2 m solutions ( x, y ) to the system. Corollary 2.6. The p olynomial Q a has no r o ot in F ∗ 2 m if and only if | ker D d G a | = 2 for every nonzer o d ∈ F 3 2 m . No w, w e put all of these together to show our ﬁrst main result. Theorem 2.7. L et m ≥ 3 b e o dd, q = 2 i , gcd( i, m ) = 1 , a ∈ F ∗ 2 m , and G a ( x, y , z ) =  x q +1 + ax q z + y z q , x q z + y q +1 , xy q + ay q z + z q +1  on F 2 3 m . The fol lowing ar e e quivalent: (i) Q a ( T ) = T q 2 + q +1 + aT + 1 has no r o ot in F 2 m . (ii) G a is a p ermutation on F 3 2 m . (iii) G a is APN on F 3 2 m . Pr o of. By [2, Theorem 4.2] (equiv alen tly , Theorem 2.3), (i) and (ii) are equiv alent. It remains to pro v e the equiv alence b et w een (i) and (iii). (iii) ⇒ (i). W e prov e the con trap ositiv e. If Q a has a ro ot in F 2 m , then G a is not APN since | ker D d G a | > 2. (i) ⇒ (iii). Assume that Q a has no ro ot in F 2 m . By Corollary 2.6, | k er D d G a | = 2 for any d . Th us the n umber of solutions of D d G a ( x, y , z ) = ( α, β , γ ) is at most 2 for each α, β , γ ∈ F 2 m and G a is APN. 2.3 Existence of APN p erm utations in every o dd dimension divisible by 3 W e now show that go od v alues of a (those for whic h Q a has no ro ots) exist for ev ery o dd m . Prop osition 2.8. L et m ≥ 3 b e o dd, q = 2 i with gcd( i, m ) = 1 , and a ∈ F ∗ 2 m . Deﬁne the line arize d p olynomial L a ( S ) := S q 3 + aS q + S ∈ F 2 m [ S ] . Then the fol lowing hold: 1. If L a has a nonzer o r o ot in F 2 m , then Q a ( T ) = T q 2 + q +1 + aT + 1 has a r o ot in F ∗ 2 m . 2. If gcd( i, m ) = 1 (e quivalently, gcd( q − 1 , 2 m − 1) = 1 ), then the c onverse also holds. Henc e in this c ase, Q a has a r o ot in F ∗ 2 m ⇐ ⇒ L a has a nonzer o r o ot in F 2 m . 11 Pr o of. (1) Assume S ∈ F ∗ 2 m satisﬁes L a ( S ) = 0, i.e., S q 3 + aS q + S = 0. Since gcd( i, m ) = 1, the map S 7→ S q − 1 is a bijection of F ∗ 2 m . Set T := S q − 1 ∈ F ∗ 2 m . Dividing L a ( S ) = 0 b y S gives S q 3 − 1 + aS q − 1 + 1 = 0. Note that S q 3 − 1 = ( S q − 1 ) q 2 + q +1 = T q 2 + q +1 . Th us T q 2 + q +1 + aT + 1 = 0, i.e., Q a ( T ) = 0. Hence Q a has a ro ot in F ∗ 2 m . (2) Conv ersely , assume gcd( i, m ) = 1 and let T ∈ F ∗ 2 m satisfy Q a ( T ) = 0, i.e., T q 2 + q +1 + aT + 1 = 0. Since gcd( q − 1 , 2 m − 1) = gcd(2 i − 1 , 2 m − 1) = 2 gcd( i,m ) − 1 = 1, the map S 7→ S q − 1 is a bijection of F ∗ 2 m . Therefore there exists S ∈ F ∗ 2 m suc h that S q − 1 = T . Then T q 2 + q +1 = ( S q − 1 ) q 2 + q +1 = S q 3 − 1 . Substituting into Q a ( T ) = 0 gives S q 3 − 1 + aS q − 1 + 1 = 0. Multiplying by S yields S q 3 + aS q + S = 0, i.e., L a ( S ) = 0. Thus L a has a nonzero ro ot in F 2 m . This pro ves the claims. Prop osition 2.9. L et m b e o dd with gcd( i, m ) = 1 . The p olynomial Q 1 ( T ) = T q 2 + q +1 + T + 1 has no r o ots in F 2 m if and only if gcd( m, 7) = 1 . Pr o of. By Prop osition 2.8, Q 1 has a ro ot in F ∗ 2 m iﬀ L 1 ( S ) = S q 3 + S q + S has a nonzero ro ot in F 2 m . F or a = 1, all F rob enius-t wisted companion matrices C k are equal (since a q k = 1), so A L ( m ) = C m 0 where C 0 =  0 0 1 1 0 1 0 1 0  . The characteristic p olynomial of C 0 o ver F 2 is T 3 + T + 1, whic h is irreducible of order 7 (the multiplicativ e order of its ro ots in F 2 3 ). Hence C m 0 = I 3 iﬀ 7 | m . Therefore det( A L ( m ) − I 3 ) = 0 iﬀ 7 | m , i.e., Q 1 has a ro ot in F 2 m iﬀ 7 | m . The stated condition follows. This reco v ers [10, Prop. 4], and our claim follows. F or the case a = 1, the authors of [10] analyzed the linearized p olynomial L 1 ( S ) = S q 3 + S q + S via the matrix metho d of McGuire–Sheek ey [11], and prov ed that it has no nonzero ro ot precisely when gcd( m, 7) = 1. It is natural to ask whether the same metho d extends to L a ( S ) = S q 3 + aS q + S, a ∈ F ∗ 2 m . F or a general σ -linearized p olynomial, the kernel is controlled b y the pro duct A L = C L C σ L · · · C σ m − 1 L , σ ( x ) = x q , where C L is the companion matrix; see [11]. In our case, C L =   0 0 1 1 0 a 0 1 0   , C σ k L =   0 0 1 1 0 a q k 0 1 0   . When a = 1, all factors are equal, so A L = C m L , which is exactly the situation treated in [10]. F or general a , how ever, the F rob enius conjugates a, a q , . . . , a q m − 1 app ear in diﬀerent factors, so the pro duct no longer reduces to a matrix p o wer. Thus the argument for a = 1 do es not extend directly . This already explains the main diﬃculty: the matrix approach isolates the bad parameters through the condition det( A L − I 3 ) = 0, but it do es not b y itself yield a conv enien t closed 12 description in terms of the single parameter a . It is therefore preferable to return to the equiv alen t one-v ariable c riterion from Prop osition 2.8, namely that L a has a nonzero ro ot if and only if Q a ( T ) = T q 2 + q +1 + aT + 1 has a ro ot in F ∗ 2 m . The adv an tage of Q a is that the bad-parameter set can then b e describ ed exactly as the image of a rational function, as follows. Prop osition 2.10. L et d := q 2 + q + 1 and g : F ∗ 2 m − → F 2 m , g ( u ) := u d + 1 u . Then, for a ∈ F ∗ 2 m , the fol lowing ar e e quivalent: (i) Q a ( T ) = T d + aT + 1 has a r o ot in F ∗ 2 m ; (ii) a ∈ g ( F ∗ 2 m ) . Conse quently, the set of go o d p ar ameters is B m,q := { a ∈ F ∗ 2 m : Q a has no r o ot in F ∗ 2 m } = F ∗ 2 m \ g ( F ∗ 2 m ) . Pr o of. Let u ∈ F ∗ 2 m . Then Q a ( u ) = u d + au + 1 . Hence Q a ( u ) = 0 ⇐ ⇒ a = u d + 1 u = g ( u ) . Therefore Q a has a ro ot in F ∗ 2 m if and only if a lies in the image of g . T o study the size of g ( F ∗ 2 m ), it is natural to consider the collision curve g ( x ) = g ( y ). Clearing denominators gives x d y + xy d + x + y = 0 . Since x d y + xy d + x + y = ( x + y )   xy d − 2 X j =0 x d − 2 − j y j + 1   , the diagonal comp onent x + y = 0 splits oﬀ, and the residual curve is Γ : xy d − 2 X j =0 x d − 2 − j y j + 1 = 0 . Lemma 2.11. The curve Γ is absolutely irr e ducible. 13 Pr o of. Consider the birational morphism ( x, y ) 7→ ( xy , y ) applied to g ( x ) + g ( y ) = 0. Recall that a birational morphism provides a bijection b et w een absolutely irreducible comp onen ts of curv es. This gives x d y d +1 + xy d +1 + xy + y = y ( x d y d + xy d + x + 1) . The factor y corresp onds to the factor ( x + y ) in g ( x ) + g ( y ). The second factor is absolutely irreducible, since φ ( u ) := u d + v + 1 v d + v satisﬁes Eisenstein’s criterion for function ﬁelds (see [14, Prop osition 3.1.15]), considering as place P in F 2 ( v ) the unique zero of v . In fact, v P (1) = 0 , v P  v + 1 v d + v  = − 1 , gcd( d, − 1) = 1 , and, applying [14, Prop osition 3.1.15(2)], Γ is absolutely irreducible. Theorem 2.12. L et m ≥ 3 b e o dd, q = 2 i with gcd( i, m ) = 1 , and d = q 2 + q + 1 . Deﬁne g : F ∗ 2 m → F 2 m by g ( u ) = u d +1 u , and let B m,q := F ∗ 2 m \ g ( F ∗ 2 m ) b e the set of go o d p ar ameters. Then |B m,q | ≥ 2 m + 1 − ( d − 1)( d − 2)2 m/ 2 − d d , and for every a ∈ B m,q , the function G a is an APN p ermutation on F 3 2 m . Pr o of. Let C i := { v ∈ F 2 m : # g − 1 ( v ) = i } for i ≥ 0. Clearly , the sets C i partition F 2 m , so P i # C i = 2 m . F or a ﬁxed v ∈ C i with i > 0, there exist u 1 , . . . , u i ∈ F 2 m suc h that g ( u 1 ) = · · · = g ( u i ) = v . These corresp ond to i 2 pairs ( u j 1 , u j 2 ) on the curve C g : g ( x ) + g ( y ) = 0. Let Γ b e the curve deﬁned by the p olynomial ϕ ( x, y ) = g ( x )+ g ( y ) x + y = 0. The F 2 m -rational aﬃne p oints of Γ corresp ond to the i 2 − i non-diagonal pairs for eac h v ∈ C i . Thus, the n umber of aﬃne rational p oints is: #Γ( F 2 m ) aﬀ = X i ( i 2 − i )# C i . Note that #Γ( F 2 m ) aﬀ d ≤ X i ≥ 2 ( i − 1)# C i ≤ #Γ( F 2 m ) aﬀ 2 and C 1 + X i ≥ 2 iC i = 2 m . Th us C 1 + X i ≥ 2 C i = 2 m − X i ≥ 2 iC i + C 2 + · · · C d 14 = 2 m − X i ≥ 2 ( i − 1) C i ≤ 2 m − #Γ( F 2 m ) aﬀ d , whic h sho ws that C 0 = 2 m − P i ≥ 1 C i ≥ #Γ( F 2 m ) aﬀ d . Now, to get a lo wer bound on #Γ( F 2 m ) aﬀ , it is enough to observ e that Γ has degree d and then its genus g satisﬁes 2 g ≤ ( d − 1)( d − 2). Applying the Hasse-W eil b ound and accoun ting for the p oints at inﬁnit y (at most d ), we ha ve: #Γ( F 2 m ) aﬀ ≥ 2 m + 1 − ( d − 1)( d − 2)2 m/ 2 − d, and th us C 0 ≥ 2 m + 1 − ( d − 1)( d − 2)2 m/ 2 − d d , whic h completes the pro of. T able 1: Num b er of “go o d” a ∈ F ∗ 2 m for which G a is an APN p erm utation ( Q a ro ot-free). The coun t is indep enden t of i for ﬁxed o dd m with gcd( i, m ) = 1. m i q = 2 i | F ∗ 2 m | # goo d a a = 1 go o d? 3 1 2 7 7 y es 3 2 4 7 7 y es 5 1 2 31 11 y es 5 2 4 31 11 y es 7 1 2 127 35 no (7 | 7) 7 2 4 127 35 no 9 1 2 511 385 y es 11 1 2 2047 595 y es 3 The second generalized family H a of APN functions Deﬁnition 3.1. F or a ∈ F ∗ 2 m , deﬁne H a : F 3 2 m → F 3 2 m b y H a ( x, y , z ) =  x q +1 + axy q + y z q , xy q + z q +1 , x q z + y q +1 + ay q z  . Theorem 3.2. Supp ose that q = 2 i , gcd( i, m ) = 1 . Then H a is APN if and only if P ′ a ( T ) = T q 2 + q +1 + T q 2 + q a + 1 has no r o ot s in F 2 m . Pr o of. Letting v = ( x, y , z ) and d = ( A, B , C ), the generic diﬀerential system D d H a ( v ) = 0 in c haracteristic 2 yields three equations: E ′ 1 = H 1 ( x + A, y + B , z + C ) + H 1 ( x, y , z ) + H 1 ( A, B , C ) = 0 E ′ 2 = H 2 ( x + A, y + B , z + C ) + H 2 ( x, y , z ) + H 2 ( A, B , C ) = 0 E ′ 3 = H 3 ( x + A, y + B , z + C ) + H 3 ( x, y , z ) + H 3 ( A, B , C ) = 0 . The three base diﬀerentials obtained by imp osing D d H i ( v ) = H i ( x + A, y + B , z + C ) + H i ( x, y , z ) + H i ( A, B , C ) = 0 in c haracteristic 2 are explicitly: E ′ 1 = ( A q + aB q ) x + Ax q + C q y + aAy q + B z q 15 E ′ 2 = B q x + Ay q + C q z + C z q E ′ 3 = C x q + B q y + ( B + aC ) y q + ( A q + aB q ) z . In what follows we supp ose that P ′ a ( T ) has no ro ots in F 2 m and w e will show that at H a is APN. Let us consider the sp ecial cases where one or more of the parameters A, B , C are equal to zero. W e analyze the simpliﬁed generic diﬀerential system E ′ 1 = 0, E ′ 2 = 0, and E ′ 3 = 0 directly for each case. 1. Case: ( A, B , C ) = ( A, 0 , 0) with A  = 0 . The diﬀerential system drastically simpliﬁes to: E ′ 1 = A q x + Ax q + aAy q = 0 E ′ 2 = Ay q = 0 E ′ 3 = A q z = 0 . F rom E ′ 2 and E ′ 3 , since A  = 0, it immediately follo ws that y = 0 and z = 0. Substituting y = 0 in to E ′ 1 lea ves A q x + Ax q = 0. Dividing b y A q +1 , this b ecomes ( x/ A ) q + ( x/ A ) = 0. This equation admits exactly tw o solutions for x , yielding exactly t w o solutions for the triplet ( x, y , z ). 2. Case: ( A, B , C ) = (0 , B , 0) with B  = 0 . The system reduces to: E ′ 1 = aB q x + B z q = 0 E ′ 2 = B q x = 0 E ′ 3 = B q y + B y q + aB q z = 0 . F rom E ′ 2 , since B  = 0, we hav e x = 0. Substituting x = 0 into E ′ 1 giv es B z q = 0, which forces z = 0. Finally , substituting z = 0 into E ′ 3 lea ves B q y + B y q = 0, or equiv alen tly y q B + y B q = 0. This admits exactly t w o solutions for y , yielding t w o solutions for ( x, y , z ). 3. Case: ( A, B , C ) = (0 , 0 , C ) with C  = 0 . The system reduces to: E ′ 1 = C q y = 0 E ′ 2 = C q z + C z q = 0 E ′ 3 = C x q + aC y q = 0 . F rom E ′ 1 , since C  = 0, w e hav e y = 0. Substituting y = 0 into E ′ 3 yields C x q = 0, whic h forces x = 0. The remaining equation E ′ 2 is z q C + z C q = 0, which admits exactly t wo solutions for z , yielding t wo solutions for ( x, y , z ). 4. Case: ( A, B , C ) = ( A, B , 0) with A, B  = 0 . The system b ecomes: E ′ 1 = ( A q + aB q ) x + Ax q + aAy q + B z q = 0 16 E ′ 2 = B q x + Ay q = 0 E ′ 3 = B q y + B y q + ( A q + aB q ) z = 0 F rom E ′ 2 , w e can cleanly eliminate x by isolating it as x = A B q y q . By taking the q -th p o w er, x q = A q B q 2 y q 2 . Substituting these in to E ′ 1 giv es: ( A q + aB q ) A B q y q + A A q B q 2 y q 2 + aAy q + B z q = 0 . Then z q = A q +1 B 1+ q + q 2 ( B q 2 y q + B q y q 2 ) . No w, taking the q -th p o wer of E ′ 3 , w e obtain ( E ′ 3 ) q = B q 2 y q + B q y q 2 + ( A q 2 + a q B q 2 ) z q = 0. Substituting our relation for z q in to this equation reduces the entire system to an explicit univ ariate p olynomial in y : ( B q 2 y q + B q y q 2 ) + ( A q 2 + a q B q 2 ) A q +1 B 1+ q + q 2 ( B q 2 y q + B q y q 2 ) = 0 . F actoring out the common binomial yields: ( B q 2 y q + B q y q 2 ) 1 + A 1+ q + q 2 + a q A q +1 B q 2 B 1+ q + q 2 ! = 0 . By our non-degeneracy assumptions on the ﬁeld and q (which imply the constan t factor is non-zero), the system reduces to B q 2 y q + B q y q 2 = 0. Recognizing that this is exactly ( B q y + B y q ) q = 0, the p olynomial b ounds the kernel dimension, again yielding exactly t wo solutions for y . 5. Case: ( A, B , C ) = ( A, 0 , C ) with A, C  = 0 . The system ev aluates to: E ′ 1 = A q x + Ax q + C q y + aAy q = 0 E ′ 2 = Ay q + C q z + C z q = 0 E ′ 3 = C x q + aC y q + A q z = 0 . F rom E ′ 3 , we can isolate z directly as z = C A q x q + aC A q y q . T o simplify the substitution, w e can use E ′ 1 to replace Ax q . Multiplying our expression for z by A q +1 , w e get: A q +1 z = C ( Ax q ) + aAC y q . Substituting Ax q = A q x + C q y + aAy q from E ′ 1 in to this equation yields z = C A x + C q +1 A q +1 y 17 T aking the q -th p ow er gives z q = C q A q x q + C q 2 + q A q 2 + q y q . No w, substitute b oth z and z q in to E ′ 2 : Ay q + C q  C A x + C q +1 A q +1 y  + C C q A q x q + C q 2 + q A q 2 + q y q ! = 0 . Grouping the terms with x and x q together, C q +1 A q +1 ( A q x + Ax q ) + Ay q + C 2 q +1 A q +1 y + C q 2 + q +1 A q 2 + q y q = 0 . (7) W e can once again use E ′ 1 to substitute the quantit y ( A q x + Ax q ) = C q y + aAy q , C q +1 A q +1 ( C q y + aAy q ) + Ay q + C 2 q +1 A q +1 y + C q 2 + q +1 A q 2 + q y q = 0 . Expanding this, we notice that the y terms C 2 q +1 A q +1 y + C 2 q +1 A q +1 y cancel p erfectly . W e are left with an equation strictly in y q , a C q +1 A q + A + C q 2 + q +1 A q 2 + q ! y q = 0 . By our non-degeneracy assumptions, the co eﬃcien t is non-zero, which forces y = 0. Substituting y = 0 back into E ′ 1 lea ves A q x + Ax q = 0, an equation that has exactly t wo solutions for x . Since z is uniquely determined b y x and y , the system is restricted to exactly tw o solutions. 6. Case: ( A, B , C ) = (0 , B , C ) with B , C  = 0 . The system simpliﬁes to: E ′ 1 = aB q x + C q y + B z q = 0 E ′ 2 = B q x + C q z + C z q = 0 E ′ 3 = C x q + B q y + ( B + aC ) y q + aB q z = 0 . F rom E ′ 2 , w e isolate x completely in terms of z , x = C q B q z + C B q z q . T aking the q -th p o w er yields x q = C q 2 B q 2 z q + C q B q 2 z q 2 . Next, we substitute our expression for x into E ′ 1 to isolate y , C q y = aB q  C q B q z + C B q z q  + B z q = aC q z + ( aC + B ) z q . Dividing b y C q , w e obtain y (and subsequen tly y q ) en tirely in terms of z , y = az + aC + B C q z q = ⇒ y q = a q z q + a q C q + B q C q 2 z q 2 . 18 Finally , w e substitute x q , y , and y q in to E ′ 3 . Notice what happ ens to the linear z terms when w e substitute y , B q y + aB q z = B q  az + aC + B C q z q  + aB q z . The terms aB q z + aB q z = 0 cancel eac h other out in characteristic 2! This means the resulting equation will hav e no linear z term, only z q and z q 2 . Substituting the rest in to E ′ 3 yields: C C q 2 B q 2 z q + C q B q 2 z q 2 ! + B q  aC + B C q z q  + ( B + aC )  a q z q + a q C q + B q C q 2 z q 2  = 0 . Grouping b y p o w ers of z , we obtain a univ ariate p olynomial strictly in z q and z q 2 : C q 2 +1 B q 2 + B q ( aC + B ) C q + a q ( B + aC ) ! z q +  C q +1 B q 2 + ( B + aC )( a q C q + B q ) C q 2  z q 2 = 0 . Let this b e written as K 1 z q + K 2 z q 2 = 0, where K 1 = C q 2 +1 B q 2 + B q ( aC + B ) C q + a q ( B + aC ) , K 2 = C q +1 B q 2 + ( B + aC )( a q C q + B q ) C q 2 . W e claim that ( K 1 , K 2 )  = (0 , 0). Indeed, writing u = C /B ∈ F ∗ 2 m and multiplying K 1 b y the nonzero scalar B q 2 /C , we get B q 2 C K 1 = u q 2 + u − q ( au + 1) + a q (1 + au ) = u − q − 1  u q 2 + q +1 + ( au + 1) q +1  = u − q − 1 R a ( u ) . Th us, if K 1 = 0, then R a ( u ) = 0, which con tradicts Prop osition 2.2 together with our assumption that P ′ a has no ro ot in F 2 m . Therefore ( K 1 , K 2 )  = (0 , 0). If K 2 = 0, then necessarily K 1  = 0, and the ab o v e equation reduces to K 1 z q = 0, so z = 0. If K 2  = 0, then dividing by K 2 yields an equation of the form z q 2 + K z q = 0. Applying the inv erse F rob enius automorphism on F 2 m , this is equiv alent to z q + Lz = 0 for some L ∈ F 2 m . Since gcd( i, m ) = 1, this equation has at most tw o solutions. Hence in all cases there are at most tw o p ossibilities for z . Since x and y are uniquely determined b y z , there are exactly tw o solutions for ( x, y , z ). Let us consider the case A, B , C  = 0. W e use E ′ 2 to eliminate x and obtain R 1 and R 2 . By isolating x = Ay q + C q z + C z q B q from E ′ 2 and raising it to the q -th p o wer to obtain x q , we p erform the substitutions in E ′ 1 and E ′ 3 (sim ulating the resultant computation to clear the denominators). W e explicitly obtain: R 1 = B q 2  B q C q y + A q +1 y q + C q ( A q + aB q ) z + ( B q +1 + A q C + aB q C ) z q  + AB q  A q y q 2 + C q 2 z q + C q z q 2  , R 2 = B q 2 ( B q y + ( B + aC ) y q + ( A q + aB q ) z ) + C  A q y q 2 + C q 2 z q + C q z q 2  . 19 1. Case: A q C + B q +1 + B q C a = 0 and AB q + C q +1 = 0 . This w ould imply A q = C q 2 + q /B q 2 and C q 2 + q +1 + B q 2 + q +1 + B q 2 + q C a = 0, whic h is not p ossible by our as- sumption (dividing by B q 2 + q +1 , and letting u := C /B , we get u q 2 + q +1 + au + 1 = 0, that is Q a ( u ) = 0, whic h is not p ossible via our assumption and Prop osition 2.2). 2. Case: A q C + B q +1 + B q C a = 0 and AB q + C q +1  = 0 . W e also compute R 3 = Res( R 1 , R 2 , y q 2 ) A q B q 2 , whic h, written explicitly , yields R 3 = ( AB 2 q + B q C q +1 ) y + ( A q +1 C + AB q +1 + aAB q C ) y q + ( A q +1 B q + aAB 2 q + A q C q +1 + aB q C q +1 ) z + ( B q +1 C + A q C 2 + aB q C 2 ) z q . After substituting a = ( A q C + B q +1 ) / ( B q C ) and a q = ( A q 2 C q + B q + q 2 ) / ( B q 2 C q ), a Magma computation sho ws that R 3 = B 2 q ( AB q + C q +1 )( y C + z B ). By our assumption, AB q + C q +1  = 0, which implies y C + z B = 0. By using this relation and its q -th and q 2 -th p o w ers to sequen tially eliminate the v ariables y , y q , and y q 2 from our ﬁrst reduced equation, the entire system collapses to the condition z q C q 2 + z q 2 C q = 0 . By our assumptions on q , this equation admits only tw o solutions for z , which conse- quen tly yields exactly t w o solutions for ( x, y , z ). 3. Case: A q C + B q +1 + B q C a  = 0 and AB q + C q +1 = 0 . W e compute R 3 again as in the previous case. After substituting A = C q +1 /B q and A q = C q + q 2 /B q 2 , w e get that R 3 = C  B 1+ q + q 2 + B q + q 2 C a + C 1+ q + q 2  ( y q C q + z q B q ) . Recall the non-degeneracy condition B 1+ q + q 2 + B q + q 2 C a + C 1+ q + q 2  = 0. Under this assumption, we obtain y q C q + z q B q = 0. Substituting this constraint (along with y C + z B = 0 and its p o wers) into the equations to eliminate y completely , the system reduces directly to z C q + z q C = 0. Once again, b y our assumptions on q , this b ounds the system to exactly tw o solutions in z , resulting in tw o solutions for ( x, y , z ). 4. Case: A q C + B q +1 + B q C a  = 0 and AB q + C q +1  = 0 . W e pro ceed by eliminating y q 2 b et w een the equations R ( q ) 3 and R 2 to deﬁne a new p olynomial R 4 , and subsequen tly eliminate y q b et w een R 3 and R 4 to obtain R 5 . Up to nonzero factors, R 4 is: R 4 = y A q 2 B q C q + y B 2 q + q 2 + y B q + q 2 C q a q + y q A q B q 2 C + y q A q 2 B C q + y q A q 2 C q +1 a + y q B 1+ q + q 2 + y q B q 2 +1 C q a q + y q B q + q 2 C a + y q B q 2 C q +1 a q +1 + y q C 1+ q + q 2 + z A q + q 2 C q + z A q B q + q 2 20 + z A q B q 2 C q a q + z A q 2 B q C q a + z B 2 q + q 2 a + z B q + q 2 C q a q +1 + z q A q + q 2 C + z q A q B q 2 C a q + z q B q C q 2 +1 . And R 5 factorizes (c hec ked by hand and via Magma) into the pro duct of A 1+ q + q 2 + A q +1 B q 2 a q + AB q C q 2 + A q B q 2 C + A q 2 B C q + A q 2 C q +1 a + B 1+ q + q 2 + B q 2 +1 C q a q + B q + q 2 C a + B q 2 C q +1 a q +1 + C 1+ q + q 2 , and (8) y B q C q + z A q C q + z B q C q a + z q A q C + z q B q +1 + z q B q C a. (9) Let H = A 1+ q + q 2 + A q +1 B q 2 a q + AB q C q 2 + A q B q 2 C + A q 2 B C q + A q 2 C q +1 a + B 1+ q + q 2 + B q 2 +1 C q a q + B q + q 2 C a + B q 2 C q +1 a q +1 + C 1+ q + q 2 . By direct Magma computations H = Y λ ∈ F 2 : λ q 2 + q +1 + λ q 2 a q = 1  λ q +1 A + λ q B + ( λ q a + 1) C  . By our initial assumption, there are no λ ∈ F 2 m satisfying λ q 2 + q +1 + λ q 2 a q = 1 and there are not ( A, B , C ) ∈ F 2 m , AB C  = 0, making H v anish. Thus H  = 0. W e can then divide R 5 b y H to obtain R 6 := y B q C q + z A q C q + z B q C q a + z q A q C + z q B q +1 + z q B q C a = 0 . No w we eliminate y and y q from R 3 using R 6 , obtaining the pro duct of the factors B q , ( A q 2 C q + B q + q 2 + B q 2 C q a q ), ( A q C + B q +1 + B q C a ), A , and ( z q C q 2 + z q 2 C q ). Since w e are in the case where the parameters do not n ullify the ﬁrst factors, this forces z q C q 2 + z q 2 C q = 0 . By our assumptions on q , this yields only t wo solutions in z , and consequently tw o solutions in ( x, y , z ). Supp ose now that T q 2 + q +1 + T q 2 + q a + 1 has a solution in F 2 m . F ollo wing the case ( A, B , C ) = ( A, 0 , C ) with A, C  = 0, we can easily ﬁnd pairs ( A, C ) ∈ F 2 2 m , A, C  = 0, suc h that A q 2 C q +1 a + A q 2 + q +1 + C q 2 + q +1 = 0 and thus the ab o v e equation v anishes. Since A q x + Ax q has rank m − 1 and Ay q + C 2 q +1 A q +1 y + C q 2 + q +1 A q 2 + q y q has rank at least m − 1, there are at least 2 m pairs satisfying Equation (7) and thus the function H a is not APN. The theorem is shown. Theorem 3.3. Supp ose that q = 2 i , gcd( i, m ) = 1 . Then H a is a p ermutation if and only if P ′ a ( T ) = T q 2 + q +1 + T q 2 + q a + 1 has no r o ots in F 2 m . 21 Pr o of. Let H a ( v ) = ( F 1 ( v ) , F 2 ( v ) , F 3 ( v )) where v = ( x, y , z ). T o prov e that H a is a p erm utation p olynomial ov er F 3 2 m , w e must show that the p olar deriv ative D w H a ( v ) = H a ( v + w ) + H a ( v ) = 0 implies w = (0 , 0 , 0), where w = ( α, β , γ ). Since the characteristic is 2, the condition D w H a ( v ) = 0 yields the following system of equations xα q + αx q + α q +1 + a ( xβ q + αy q + αβ q ) + y γ q + β z q + β γ q = 0 (10) xβ q + αy q + αβ q + z γ q + γ z q + γ q +1 = 0 (11) x q γ + α q z + α q γ + y β q + β y q + β q +1 + a ( y q γ + β q z + β q γ ) = 0 . (12) W e pro ceed by analyzing tw o main cases based on the v alue of β . 1. β = 0. Substituting β = 0 into equation (11) yields: z γ q + γ z q + γ q +1 = 0 . If γ  = 0, dividing by γ q +1 giv es ( z /γ ) + ( z /γ ) q + 1 = 0, which implies that the absolute trace T r(1) = 0. Since m is o dd and gcd( i, m ) = 1, this is a contradiction. Thus, we m ust ha ve γ = 0. Substituting β = 0 and γ = 0 into equation (10) pro vides: xα q + αx q + α q +1 = 0 . By the exact same trace argumen t ov er F 2 m , this equation only admits the solution α = 0. Therefore, if β = 0, the only p ossible solution is the trivial one, w = (0 , 0 , 0). 2. β  = 0 and z β q 2 + γ y q 2 = 0. First, supp ose γ = 0. Then z β q 2 = 0, which implies z = 0 since β  = 0. Substituting γ = 0 and z = 0 in to (11) yields xβ q + αy q + αβ q = 0 = ⇒ x = α ( y q + β q ) β q . Substituting these v alues in to (12) lea v es: y β q + β y q + β q +1 = 0 . Dividing by β q +1 giv es ( y /β ) q + ( y/β ) + 1 = 0, which implies T r(1) = 0. Since m is o dd and gcd( i, m ) = 1, this is a contradiction. Th us, w e m ust ha ve γ  = 0. Since b oth β  = 0 and γ  = 0, the condition z β q 2 + γ y q 2 = 0 can b e rewritten as: z γ =  y β  q 2 . Let u = y /β . Then we can parameterize y and z as y = uβ and z = u q 2 γ . 22 Substitute y = uβ and z = u q 2 γ in to equation (11): xβ q = αu q β q + αβ q + u q 2 γ q +1 + u q 3 γ q +1 + γ q +1 β q . No w substitute y = uβ , z = u q 2 γ , and x q in to equation (12) one gets γ q 2 + q β q 2 ( u q 3 + u q 4 + 1) + β q +1 γ ( u + u q + 1) + aβ q ( u q + u q 2 + 1) = 0 . Let W = u + u q + 1. Note that W  = 0, b ecause W = 0 would imply T r(1) = 0, which is imp ossible for o dd m . Thus γ q 2 + q β q 2 W q 3 + β q +1 γ W + aβ q W q = 0 ⇐ ⇒ γ q 2 + q +1 β q 2 + q +1 W q 3 − 1 + a γ β W q − 1 + 1 = 0 . Deﬁne a new v ariable S = γ β W q − 1 and th us S q 2 + q +1 + aS + 1 = 0 . This is exactly the p olynomial P a (1 /S ) = 0. If P a has no ro ots in F 2 m then we got a con tradiction. 3. β  = 0 and z β q 2 + γ y q 2  = 0. By (11) we deduce x = αy q + αβ q + z γ q + γ z q + γ q +1 β q and th us the remaining equation reads R 1 := y γ q β q + q 2 + az γ q β q + q 2 + z α q γ q β q 2 + α q +1 y q β q 2 + αz q β q γ q 2 + α q +1 y q 2 β q + α q +1 β q + q 2 + αz q 2 β q γ q + αβ q γ q + q 2 + z q β 1+ q + q 2 + γ q β 1+ q + q 2 + aγ z q β q + q 2 + aγ q +1 β q + q 2 + γ z q α q β q 2 + α q γ q +1 β q 2 = 0 and R 2 := y β q + q 2 + az β q + q 2 + z α q β q 2 + y q β 1+ q 2 + β 1+ q + q 2 + aγ y q β q 2 + aγ β q + q 2 + γ γ q 2 z q + γ α q y q 2 + γ q +1 z q 2 + γ 1+ q + q 2 = 0 . F rom this last expression we deduce α q = y β q + q 2 + az β q + q 2 + y q β 1+ q 2 + β 1+ q + q 2 + aγ y q β q 2 + aγ β q + q 2 + γ γ q 2 z q + γ q +1 z q 2 + γ 1+ q + q 2 z β q 2 + γ y q 2 , 23 and combining with the other equation (after dividing b y a suitable p ow er of β ) w e obtain (w e used Magma to simplify) R 3 := y 1+ q + q 2 β q + q 2 + q 3 + y 1+ q + q 3 β q +2 q 2 + y q +1 β q +2 q 2 + q 3 + a q y 1+ q 2 z q β q + q 2 + q 3 + a q y 1+ q 3 z q β q +2 q 2 + a q y z q β q +2 q 2 + q 3 + y z q + q 2 β q + q 2 γ q 3 + y z q + q 3 β q + q 2 γ q 2 + y z q β q + q 2 γ q 2 + q 3 + y 1+2 q 2 β 2 q + q 3 + y 1+ q 2 + q 3 β 2 q + q 2 + y β 2 q +2 q 2 + q 3 + y β 2 q +2 q 2 + q 3 + a q y 1+2 q 2 β q + q 3 γ q + a q y 1+ q 2 + q 3 β q + q 2 γ q + a q y 1+ q 3 β q +2 q 2 γ q + a q y β q +2 q 2 + q 3 γ q + y 1+ q 2 z q 2 β q γ q + q 3 + y 1+ q 2 z q 3 β q γ q + q 2 + y 1+ q 2 β q γ q + q 2 + q 3 + y z q 2 β q + q 2 γ q + q 3 + y z q 3 β q + q 2 γ q + q 2 + y β q + q 2 γ q + q 2 + q 3 + ay q + q 2 z β q + q 2 + q 3 + ay q + q 3 z β q +2 q 2 + ay q z β q +2 q 2 + q 3 + aa q y q 2 z 1+ q β q + q 2 + q 3 + aa q y q 3 z 1+ q β q +2 q 2 + aa q z 1+ q β q +2 q 2 + q 3 + az 1+ q + q 2 β q + q 2 γ q 3 + az 1+ q + q 3 β q + q 2 γ q 2 + az 1+ q β q + q 2 γ q 2 + q 3 + ay 2 q 2 z β 2 q + q 3 + ay q 2 + q 3 z β 2 q + q 2 + ay q 3 z β 2 q +2 q 2 + az β 2 q +2 q 2 + q 3 + aa q y 2 q 2 z β q + q 3 γ q + aa q y q 2 + q 3 z β q + q 2 γ q + aa q y q 3 z β q +2 q 2 γ q + aa q z β q +2 q 2 + q 3 γ q + ay q 2 z 1+ q 2 β q γ q + q 3 + ay q 2 z 1+ q 3 β q γ q + q 2 + ay q 2 z β q γ q + q 2 + q 3 + az 1+ q 2 β q + q 2 γ q + q 3 + az 1+ q 3 β q + q 2 γ q + q 2 + az β q + q 2 γ q + q 2 + q 3 + y q z 1+ q 2 β q 2 + q 3 γ q + y q + q 3 z β q 2 γ q + q 2 + y q z β q 2 + q 3 γ q + q 2 + y q 2 z 1+ q β q + q 3 γ q 2 + z 1+ q + q 2 β q + q 2 + q 3 + a q y q 2 z 1+ q β q 3 γ q + q 2 + a q y q 3 z 1+ q β q 2 γ q + q 2 + a q z 1+ q β q 2 + q 3 γ q + q 2 + z 1+ q γ q + q 2 + q 3 + z 1+ q + q 3 γ q +2 q 2 + z 1+ q γ q +2 q 2 + q 3 + y q 2 z 1+ q 2 β q + q 3 γ q + y q 2 z β q 3 γ q + q 2 + y q 3 z 1+ q 2 β q 2 γ q + z 1+ q 2 β q 2 + q 3 γ q + y q 3 z β q 2 γ q + q 2 + z β q 2 + q 3 γ q + q 2 + a q y q 2 z 1+ q 2 β q 3 γ 2 q + a q y q 2 z β q 3 γ 2 q + q 2 + a q y q 3 z 1+ q 2 β q 2 γ 2 q + a q z 1+ q 2 β q 2 + q 3 γ 2 q + a q y q 3 z β q 2 γ 2 q + q 2 + a q z β q 2 + q 3 γ 2 q + q 2 + z 1+2 q 2 γ 2 q + q 3 + z 1+ q 2 + q 3 γ 2 q + q 2 + z γ 2 q +2 q 2 + q 3 + z γ 2 q +2 q 2 + q 3 + y q 2 +2 q β 1+ q 2 + q 3 + y 2 q + q 3 β 1+2 q 2 + y 2 q β 1+2 q 2 + q 3 + a q y q + q 2 z q β 1+ q 2 + q 3 + a q y q + q 3 z q β 1+2 q 2 + a q y q z q β 1+2 q 2 + q 3 + y q z q + q 2 β 1+ q 2 γ q 3 + y q z q + q 3 β 1+ q 2 γ q 2 + y q z q β 1+ q 2 γ q 2 + q 3 + y q +2 q 2 β 1+ q + q 3 + y q + q 2 + q 3 β 1+ q + q 2 + y q β 1+ q + q 2 + q 3 + a q y q +2 q 2 β 1+ q 3 γ q + a q y q + q 2 + q 3 β 1+ q 2 γ q + a q y q + q 3 β 1+2 q 2 γ q + a q y q β 1+2 q 2 + q 3 γ q + y q z q 2 β 1+ q γ q + q 3 + y q z q 3 β 1+ q γ q + q 2 + y q β 1+ q γ q + q 2 + q 3 + y q z q 2 β 1+ q 2 γ q + q 3 + z q 3 β 1+ q 2 γ q + q 2 + β 1+ q 2 γ q + q 2 + q 3 + a q y q 2 z 2 q β 1+ q 2 + q 3 + a q y q 3 z 2 q β 1+2 q 2 + a q z 2 q β 1+2 q 2 + q 3 + z 2 q + q 2 β 1+ q 2 γ q 3 + z 2 q + q 3 β 1+ q 2 γ q 2 + z 2 q β 1+ q 2 γ q 2 + q 3 + y 2 q 2 β 1+2 q + q 3 + y q 2 + q 3 β 1+2 q + q 2 + y q 3 β 1+2 q +2 q 2 + β 1+2 q +2 q 2 + q 3 + a q y 2 q 2 β 1+ q + q 3 γ q + a q y q 2 + q 3 β 1+ q + q 2 γ q + a q y q 3 β 1+ q +2 q 2 γ q + a q β 1+ q +2 q 2 + q 3 γ q + y q 2 z q 2 β 1+ q γ q + q 3 + y q 2 z q 3 β 1+ q γ q + q 2 + y q 2 β 1+ q γ q + q 2 + q 3 + z q 2 β 1+ q + q 2 γ q + q 3 + z q 3 β 1+ q + q 2 γ q + q 2 + β 1+ q + q 2 γ q + q 2 + q 3 + ay q 2 +2 q γ β q 2 + q 3 + ay 2 q + q 3 γ β 2 q 2 + ay 2 q γ β 2 q 2 + q 3 + aa q y q + q 2 z q γ β q 2 + q 3 + aa q y q + q 3 z q γ β 2 q 2 + aa q y q z q γ β 2 q 2 + q 3 + ay q z q + q 2 γ β q 2 γ q 3 + ay q z q + q 3 γ β q 2 γ q 2 + ay q z q γ β q 2 γ q 2 + q 3 + ay q +2 q 2 γ β q + q 3 + ay q + q 2 + q 3 γ β q + q 2 + ay q γ β q + q 2 + q 3 + aa q y q +2 q 2 γ 1+ q β q 3 + aa q y q + q 2 + q 3 γ 1+ q β q 2 + aa q y q + q 3 γ 1+ q β 2 q 2 + aa q y q γ 1+ q β 2 q 2 + q 3 + ay q z q 2 γ 1+ q + q 3 + ay q z q 3 γ 1+ q + q 2 + ay q γ 1+ q + q 2 + q 3 + ay q z q 2 γ 1+ q β q 2 γ q 3 + ay q γ 1+ q β q 2 z q 3 + ay q γ 1+ q β q 2 γ q 2 + q 3 + aa q y q 2 z 2 q γ β q 2 + q 3 + aa q y q 3 z 2 q γ β 2 q 2 + aa q z 2 q γ β 2 q 2 + q 3 + az 2 q + q 2 γ β q 2 γ q 3 + az 2 q + q 3 γ β q 2 γ q 2 + az 2 q γ β q 2 γ q 2 + q 3 + ay 2 q 2 γ β 2 q + q 3 + ay q 2 + q 3 γ β 2 q + q 2 + ay q 3 γ β 2 q +2 q 2 + aγ β 2 q +2 q 2 + q 3 + aa q y 2 q 2 γ 1+ q β q + q 3 + aa q y q 2 + q 3 γ 1+ q β q + q 2 + aa q y q 3 γ 1+ q β q +2 q 2 + aa q γ 1+ q β q +2 q 2 + q 3 + ay q 2 z q 2 γ 1+ q + q 3 + ay q 2 z q 3 γ 1+ q + q 2 + ay q 2 γ 1+ q + q 2 + q 3 + az q 2 γ 1+ q β q 2 γ q 3 24 + aγ 1+ q β q 2 z q 3 + aγ 1+ q β q 2 γ q 2 + q 3 + y q + q 2 z q γ 1+ q 2 β q 3 + y q + q 3 z q γ 1+ q 2 β q 2 + y q z q γ 1+ q 2 β q 2 + q 3 + y q + q 2 γ 1+ q γ q 2 y q 3 + y q z q 2 γ 1+ q β q 2 y q 3 + y q z q 2 γ 1+ q β q 2 + q 3 + y q γ 1+ q β q 2 γ q 2 y q 3 + y q γ 1+ q β q 2 + q 3 γ q 2 + a q y q 2 z 2 q γ 1+ q 2 β q 3 + a q y q 3 z 2 q γ 1+ q 2 β q 2 + a q z 2 q γ 1+ q 2 β q 2 + q 3 + z q 2 +2 q γ 1+ q 2 + q 3 + z 2 q + q 3 γ 1+ q 2 + q 2 + z 2 q γ 1+ q 2 + q 2 + q 3 + y q 2 z q β q γ 1+ q 2 β q 3 + y q 2 z q β q γ 1+ q 2 y q 3 + y q z q β q + q 2 γ 1+ q 2 y q 3 + z q β q + q 2 γ 1+ q 2 + q 3 + a q y q 2 z q + q 2 γ 1+ q β q 3 + a q y q 3 z q + q 2 γ 1+ q β q 2 + a q z q + q 2 γ 1+ q β q 2 + q 3 + z 2 q 2 + q γ 1+ q + q 3 + z q + q 2 + q 3 γ 1+ q + q 2 + z q γ 1+ q +2 q 2 + q 3 + y q 2 z q 2 β q γ 1+ q β q 3 + y q 2 β q γ 1+ q + q 2 β q 3 + z q 2 β q + q 2 γ 1+ q y q 3 + z q 2 β q + q 2 + q 3 γ 1+ q + β q + q 2 γ 1+ q + q 2 y q 3 + β q + q 2 + q 3 γ 1+ q + q 2 + a q y q 2 z q 2 γ 1+2 q β q 3 + a q y q 2 γ 1+2 q + q 2 β q 3 + a q z q 2 β q 2 γ 1+2 q y q 3 + a q z q 2 β q 2 + q 3 γ 1+2 q + a q β q 2 γ 1+2 q + q 2 y q 3 + a q β q 2 + q 3 γ 1+2 q + q 2 + z 2 q 2 γ 1+2 q + q 3 + z q 2 + q 3 γ 1+2 q + q 2 + z q 3 γ 1+2 q +2 q 2 + γ 1+2 q +2 q 2 + q 3 = 0 . No w, R 3 = Y λ ∈ Λ  y q β + y β q + β q +1 + λ ( y q γ + γ β q + z β q ) + ( aλ q + λ q +1 )( z γ q + γ q +1 + z q γ )  , (13) where Λ := n λ ∈ F 2 : a q +1 λ q 2 + aλ q + q 2 + a q λ 1+ q 2 + λ 1+ q + q 2 + 1 = 0 o . Note that λ ∈ F 2 m if and only if  1 λ  q 2 + q +1 +  a λ + 1  q +1 = 0 , that is, P a (1 /λ ) = 0. Thus, all the factors in (13) are deﬁned o ver F 2 m if and only if P a ( T ) has ro ots in F 2 m . Also, eac h factor y q β + yβ q + β q +1 + λ ( y q γ + γ β q + z β q ) + ( aλ q + λ q +1 )( z γ q + γ q +1 + z q γ ) is absolutely irreducible. W e distinguish tw o cases: (a) a  = λ . The partial deriv ativ es with resp ect to y , z , β , γ are            β q = 0 λβ q + ( aλ q + λ q +1 ) γ q = 0 y q + β q = 0 λ ( y q + β q ) + ( aλ q + λ q +1 )( γ q + z q ) = 0 . Since λ  = 0, the only p ossible solution to the abov e system is (0 , 0 , 0 , 0). Thus, the h yp ersurface in P 3 ( F 2 ) deﬁned b y the ab o ve equation is non-singular and therefore absolutely irreducible. (b) a = λ . Then the factor reads y q β + y β q + β q +1 + λ ( y q γ + γ β q + z β q ), whic h is clearly absolutely irreducible since it is of degree 1 in z and gcd( y q β + y β q + β q +1 + λ ( y q γ + γ β q ) , λβ q ) = 1. 25 Supp ose that there exists a λ ∈ Λ ∩ F 2 m . Then the corresp onding factor y q β + y β q + β q +1 + λ ( y q γ + γ β q + z β q ) + ( aλ q + λ q +1 )( z γ q + γ q +1 + z q γ ) is absolutely irreducible, and if m is large enough, there exist ( α , β , γ , x, y , z ) ∈ F 2 m with αβ γ  = 0 satisfying the three equations (10), (11), and (12), meaning H a is not a p ermutation. Supp ose no w that Λ ∩ F 2 m = ∅ (that is, T q 2 + q +1 + aT q 2 + q + 1 has no ro ots in F 2 m ). First, note that { 1 , λ, aλ q + λ q +1 } are linearly indep enden t ov er F 2 m . Supp ose on the con trary that aλ q + λ q +1 = Aλ + B , with A, B ∈ F 2 m . Then A q +1 λ + B A q + aB q + λB q + 1 = 0 . Since λ / ∈ F 2 m , we must ha ve A q +1 = B q and B A q + aB q + 1 = 0, yielding q √ A q +1 A q + aA q +1 + 1 = 0 , and so q √ A is a solution to T q 2 + q +1 + aT q 2 + q + 1 = 0, which is a contradiction. Thus, the F 2 m -solutions of y q β + y β q + β q +1 + λ ( y q γ + γ β q + z β q ) + ( aλ q + λ q +1 )( z γ q + γ q +1 + z q γ ) = 0 must satisfy y q β + y β q + β q +1 = y q γ + γ β q + z β q = z γ q + γ q +1 + z q γ = 0 , whic h is a contradiction to β  = 0, since y q β + y β q + β q +1 = 0 yields β = 0 b ecause m is o dd. Therefore, in this case, the system (10), (11), (12) has no non-trivial solutions in F 2 m , and H a is a p ermutation. The theorem is shown. Corollary 3.4. L et m ≥ 3 b e o dd, gcd( i, m ) = 1 , q = 2 i , a ∈ F ∗ 2 m and H a ( x, y , z ) =  x q +1 + axy q + y z q , xy q + z q +1 , x q z + y q +1 + ay q z  on F 2 3 m . The fol lowing ar e e quivalent: (i) R a ( T ) = T q 2 + q +1 + ( aT + 1) q +1 ∈ F 2 m [ T ] has no r o ot in F 2 m . (ii) H a is a p ermutation on F 3 2 m . (iii) H a is APN on F 3 2 m . Mor e over, R a is r o ot-e quivalent to Q a (Pr op osition 2.2 ), so the same values of a that make G a an APN p ermutation also make H a an APN p ermutation. Corollary 3.5. Assume q = 2 i with gcd( i, m ) = 1 and m ≥ 3 o dd. Then ther e exist at le ast 2 m +1 − ( d − 1)( d − 2)2 m/ 2 − d d elements in F 2 m such that b oth G a and H a ar e APN. Pr o of. By Theorem 2.12, there exist at least 2 m +1 − ( d − 1)( d − 2)2 m/ 2 − d d n umber of a ∈ F ∗ 2 m suc h that G a is APN. By the ro ot-equiv alence established earlier for the families G a and H a , the same parameter a also gives that H a is APN. 4 Diagonal equiv alence to the Li–Kaleyski represen tatives W e contin ue by asking when the generalized families G a and H a are equiv alent to the Li– Kaleyski represen tatives F 1 = G 1 and F 2 = H 1 . Recall that tw o functions F , G : F 3 2 m → F 3 2 m are aﬃnely e quivalent if there exist aﬃne bijections A 1 ( u ) = L 1 ( u )+ c 1 and A 2 ( x ) = L 2 ( x )+ c 2 suc h that G = A 1 ◦ F ◦ A 2 . If c 1 = c 2 = 0, this reduces to line ar e quivalenc e . In the present 26 section we do not attempt to solv e the full aﬃne-equiv alence problem for the families G a and H a . Instead, w e restrict to F 2 m -linear maps and, within that class, to the diagonal sub class. This is natural b ecause b oth families are built from co ordinatewise monomials of the form x q i x j , so diagonal scalings are the ﬁrst symmetries to test; moreov er, this already suﬃces to sho w that man y go od parameters yield functions inequiv alent to the corresp onding Li–Kaleyski represen tativ es. Accordingly , throughout this section we consider diagonal bijections A 1 ( u, v , w ) = ( µu, ν v , ρw ) , A 2 ( x, y , z ) = ( λ 1 x, λ 2 y , λ 3 z ) , with µ, ν, ρ, λ 1 , λ 2 , λ 3 ∈ F ∗ 2 m . R emark 4.1 (Aﬃne v ersus linear equiv alence) . Two functions F , G : F 3 2 m → F 3 2 m are aﬃnely e quivalent if G = A 1 ◦ F ◦ A 2 for aﬃne bijections A j ( x ) = L j ( x ) + c j . Since G a ( 0 ) = H a ( 0 ) = 0 for all a , any aﬃne equiv alence G 1 = A 1 ◦ G a ◦ A 2 imp oses constraints on the translation parts c 1 , c 2 . W e show here that these translations must v anish, reducing aﬃne equiv alence to linear equiv alence. Indeed, G 1 is homogeneous of degree q + 1 (algebraic degree 2 ov er F 2 ), so it contains no linear or degree- q terms. Consider the expansion of G a ( N x + c 2 ). T erms of the form ( x i + c 2 i ) q +1 expand to x q +1 i + x q i c 2 i + x i c q 2 i + c q +1 2 i . The presence of x q i c 2 i (degree q ) and x i c q 2 i (degree 1) implies that if c 2  = 0 , the comp osition A 1 ( G a ( A 2 ( x ))) would contain linear and degree- q terms that cannot b e cancelled by G 1 ( x ). Explicitly , collecting the co eﬃcien ts of the linear terms in y = N x from the expansion of G a ( y + c 2 ) yields the system   c q 21 c q 23 ac q 21 0 c q 22 c q 21 c q 22 0 ac q 22 + c q 23   y =   0 0 0   . F or this to hold for all y , w e must hav e c 21 = c 22 = c 23 = 0, i.e., c 2 = 0 . Substituting c 2 = 0 in to the constan t terms gives L 1 ( G a ( 0 )) + c 1 = 0 . Since G a ( 0 ) = 0 , this forces c 1 = 0 . An analogous argument holds for the family H a . Th us, we restrict our attention to line ar equiv alences ( A 1 , A 2 linear) and, within that class, to the diagonal sub class. The main p oint is that b oth families lead to the same numerical condition on the param- eter a . Theorem 4.2. F or a ∈ F ∗ 2 m , the fol lowing ar e e quivalent: (i) G 1 = A 1 ◦ G a ◦ A 2 for some diagonal F 2 m -line ar bije ctions A 1 , A 2 ; (ii) H 1 = A 1 ◦ H a ◦ A 2 for some diagonal F 2 m -line ar bije ctions A 1 , A 2 ; (iii) a q 2 + q +1 = 1 . Henc e the set of p ar ameters a ∈ F ∗ 2 m for which either G a is diagonal ly e quivalent to G 1 or H a is diagonal ly e quivalent to H 1 is pr e cisely the sub gr oup { a ∈ F ∗ 2 m : a q 2 + q +1 = 1 } , 27 which has or der d 0 := gcd( q 2 + q + 1 , 2 m − 1) . Conse quently, whenever |B m,q | > d 0 , ther e exist go o d p ar ameters a such that b oth G a and H a ar e APN p ermutations, but neither is diagonal ly e quivalent to its Li–Kaleyski r epr esentative. Pr o of. W e treat the tw o families separately . Step 1: the family G a . Recall that G a ( x, y , z ) =  x q +1 + ax q z + y z q , x q z + y q +1 , xy q + ay q z + z q +1  . Computing G a ( λ 1 x, λ 2 y , λ 3 z ) gives  λ q +1 1 x q +1 + aλ q 1 λ 3 x q z + λ 2 λ q 3 y z q , λ q 1 λ 3 x q z + λ q +1 2 y q +1 , λ 1 λ q 2 xy q + aλ q 2 λ 3 y q z + λ q +1 3 z q +1  . Applying A 1 ( u, v , w ) = ( µu, ν v , ρw ) and comparing with G 1 ( x, y , z ) =  x q +1 + x q z + y z q , x q z + y q +1 , xy q + y q z + z q +1  yields the co eﬃcient system µλ q +1 1 = 1 , µaλ q 1 λ 3 = 1 , (E1–E2) µλ 2 λ q 3 = 1 , ν λ q 1 λ 3 = 1 , (E3–E4) ν λ q +1 2 = 1 , ρλ 1 λ q 2 = 1 , (E5–E6) ρaλ q 2 λ 3 = 1 , ρλ q +1 3 = 1 . (E7–E8) W e ﬁrst pro v e necessity . F rom (E1), (E5), and (E8) we obtain µ = λ − ( q +1) 1 , ν = λ − ( q +1) 2 , ρ = λ − ( q +1) 3 . Dividing (E2) by (E1) gives µaλ q 1 λ 3 µλ q +1 1 = 1 , hence λ 3 = λ 1 /a. Lik ewise, dividing (E7) b y (E8) giv es ρaλ q 2 λ 3 ρλ q +1 3 = 1 , hence λ q 3 = aλ q 2 . No w set r := λ 1 /λ 2 . Since λ 3 = λ 1 /a , the relation λ q 3 = aλ q 2 b ecomes ( λ 1 /a ) q = aλ q 2 , so r q = a q +1 . On the other hand, dividing (E2) by (E4) gives µaλ q 1 λ 3 ν λ q 1 λ 3 = 1, hence aµ = ν . Substituting the expressions for µ and ν yields aλ − ( q +1) 1 = λ − ( q +1) 2 , equiv alently λ q +1 1 = aλ q +1 2 , that is, r q +1 = a . Dividing this last iden tity by r q = a q +1 giv es r = a − q . Raising to the q -th p o w er, we obtain r q = a − q 2 . Since also r q = a q +1 , it follows that a − q 2 = a q +1 , and therefore a q 2 + q +1 = 1. W e no w pro ve suﬃciency . Assume that a q 2 + q +1 = 1. Cho ose an y λ 2 ∈ F ∗ 2 m , and deﬁne λ 1 := a − q λ 2 , λ 3 := λ 1 /a = a − q − 1 λ 2 . 28 Then λ q 3 = a − q 2 − q λ q 2 . Because a q 2 + q +1 = 1, we hav e a − ( q 2 + q ) = a , and hence λ q 3 = aλ q 2 . Moreo ver, if r := λ 1 /λ 2 = a − q , then r q +1 = a − q ( q +1) = a − ( q 2 + q ) = a . Thus the relations λ 3 = λ 1 /a , λ q 3 = aλ q 2 , and λ q +1 1 = aλ q +1 2 all hold. No w deﬁne µ := λ − ( q +1) 1 , ν := λ − ( q +1) 2 , ρ := λ − ( q +1) 3 . Then (E1), (E5), and (E8) hold by deﬁnition. Also, µaλ q 1 λ 3 = λ − ( q +1) 1 aλ q 1 ( λ 1 /a ) = 1, so (E2) holds; similarly , µλ 2 λ q 3 = λ − ( q +1) 1 λ 2 ( aλ q 2 ) = aλ q +1 2 λ − ( q +1) 1 = 1, b ecause λ q +1 1 = aλ q +1 2 , so (E3) holds. Next, ν λ q 1 λ 3 = λ − ( q +1) 2 λ q 1 ( λ 1 /a ) = λ − ( q +1) 2 λ q +1 1 /a = 1, again b ecause λ q +1 1 = aλ q +1 2 , so (E4) holds. Finally , ρλ 1 λ q 2 = λ − ( q +1) 3 λ 1 λ q 2 = ( λ 1 /a ) − ( q +1) λ 1 λ q 2 = a q +1 λ − q 1 λ q 2 = 1, since λ q 1 = a q +1 λ q 2 , and ρaλ q 2 λ 3 = λ − ( q +1) 3 aλ q 2 λ 3 = aλ q 2 λ − q 3 = aλ q 2 / ( aλ q 2 ) = 1, so (E6) and (E7) hold as well. Hence G 1 = A 1 ◦ G a ◦ A 2 . W e conclude that G 1 is diagonally equiv alent to G a if and only if a q 2 + q +1 = 1. Step 2: the family H a . Recall that H a ( x, y , z ) =  x q +1 + axy q + y z q , xy q + z q +1 , x q z + y q +1 + ay q z  . Computing H a ( λ 1 x, λ 2 y , λ 3 z ) gives  λ q +1 1 x q +1 + aλ 1 λ q 2 xy q + λ 2 λ q 3 y z q , λ 1 λ q 2 xy q + λ q +1 3 z q +1 , λ q 1 λ 3 x q z + λ q +1 2 y q +1 + aλ q 2 λ 3 y q z  . Applying A 1 and comparing with H 1 ( x, y , z ) =  x q +1 + xy q + y z q , xy q + z q +1 , x q z + y q +1 + y q z  giv es the system µλ q +1 1 = 1 , µaλ 1 λ q 2 = 1 , (H1–H2) µλ 2 λ q 3 = 1 , ν λ 1 λ q 2 = 1 , (H3–H4) ν λ q +1 3 = 1 , ρλ q 1 λ 3 = 1 , (H5–H6) ρλ q +1 2 = 1 , ρaλ q 2 λ 3 = 1 . (H7–H8) Again w e ﬁrst pro v e necessity . F rom (H1), (H5), and (H7) we obtain µ = λ − ( q +1) 1 , ν = λ − ( q +1) 3 , ρ = λ − ( q +1) 2 . Dividing (H2) b y (H1) giv es µaλ 1 λ q 2 µλ q +1 1 = 1, hence λ q 1 = aλ q 2 . Dividing (H8) by (H7) gives ρaλ q 2 λ 3 ρλ q +1 2 = 1, hence λ 3 = λ 2 /a . Set r := λ 1 /λ 2 . Then λ q 1 = aλ q 2 b ecomes r q = a . Next, dividing (H4) by (H5) gives ν λ 1 λ q 2 ν λ q +1 3 = 1, so λ 1 λ q 2 = λ q +1 3 . Substituting λ 3 = λ 2 /a yields λ 1 λ q 2 = ( λ 2 /a ) q +1 , hence λ 1 = λ 2 a − ( q +1) , that is, r = a − ( q +1) . Raising this last identit y to the q -th p o w er gives r q = a − ( q 2 + q ) . Since also r q = a , we conclude that a = a − ( q 2 + q ) , and therefore a q 2 + q +1 = 1. Con versely , assume that a q 2 + q +1 = 1. Cho ose an y λ 2 ∈ F ∗ 2 m , and deﬁne λ 1 := a − ( q +1) λ 2 , λ 3 := a − 1 λ 2 . Then clearly λ 3 = λ 2 /a . Also, λ q 1 = a − ( q 2 + q ) λ q 2 = aλ q 2 , b ecause a q 2 + q +1 = 1. Th us the tw o k ey relations obtained ab o ve hold. No w deﬁne µ := λ − ( q +1) 1 , ν := λ − ( q +1) 3 , ρ := λ − ( q +1) 2 . 29 Then (H1), (H5), and (H7) hold by deﬁnition. F urther, µaλ 1 λ q 2 = λ − ( q +1) 1 aλ 1 λ q 2 = aλ q 2 /λ q 1 = 1, so (H2) holds. Also, µλ 2 λ q 3 = λ − ( q +1) 1 λ 2 ( a − q λ q 2 ) = a − q λ q +1 2 λ − ( q +1) 1 . Since λ 1 = λ 2 a − ( q +1) , w e hav e λ q +1 1 = λ q +1 2 a − ( q 2 +2 q +1) , and hence µλ 2 λ q 3 = a − q a q 2 +2 q +1 = a q 2 + q +1 = 1, so (H3) holds. Next, ν λ 1 λ q 2 = λ − ( q +1) 3 λ 1 λ q 2 = ( a − 1 λ 2 ) − ( q +1) λ 1 λ q 2 = a q +1 λ 1 /λ 2 = 1, b e- cause λ 1 /λ 2 = a − ( q +1) , so (H4) holds. Moreov er, ρλ q 1 λ 3 = λ − ( q +1) 2 ( aλ q 2 )( a − 1 λ 2 ) = 1, and ρaλ q 2 λ 3 = λ − ( q +1) 2 aλ q 2 ( a − 1 λ 2 ) = 1, so (H6) and (H8) hold as w ell. Therefore H 1 = A 1 ◦ H a ◦ A 2 . W e conclude that H 1 is diagonally equiv alen t to H a if and only if a q 2 + q +1 = 1. Com bining Steps 1 and 2 prov es the equiv alence of (i), (ii), and (iii). The subgroup statemen t is immediate, since the solutions of a q 2 + q +1 = 1 in the cyclic group F ∗ 2 m form the unique subgroup of order gcd( q 2 + q + 1 , 2 m − 1). The ﬁnal assertion follo ws b ecause an y go od parameter a ∈ B m,q outside this subgroup yields APN p erm utations G a and H a that are not diagonally equiv alent to G 1 and H 1 , resp ectiv ely . R emark 4.3 . The v alue of d 0 = gcd( q 2 + q + 1 , 2 m − 1) dep ends strongly on ( m, i ). F or q = 2, one has q 2 + q + 1 = 7, so d 0 = gcd(7 , 2 m − 1), whic h equals 7 if 7 | m and 1 otherwise. F or example, if m = 9 and i = 3 (so q = 8), then 2 9 − 1 = 511 = 7 · 73 and q 2 + q + 1 = 73, hence d 0 = 73. Th us exactly 73 v alues of a ∈ F ∗ 2 9 yield diagonal equiv alence to the corresp onding represen tative at a = 1. R emark 4.4 (CCZ, EA, and EL Equiv alence for Quadratic APN F unctions) . F or general ( n, n )-functions, the equiv alence notions satisfy the strict hierarc h y EL ⇒ EA ⇒ CCZ , where EL (extended linear, ∼ EL ), EA (extended aﬃne, ∼ EA ), and CCZ (Carlet–Charpin– Zino viev, ∼ CCZ ) equiv alence are deﬁned as in [12]. How ever, for quadr atic APN functions with F ( 0 ) = G ( 0 ) = 0 , these notions c oincide . Sp eciﬁcally: (i) By [12, Prop osition 1] (attributed to Y oshiara [15]), for quadratic APN functions on F 2 n with n ≥ 2, CCZ-equiv alence implies EA-equiv alence. Since EA alw ays implies CCZ, w e ha ve F ∼ CCZ G ⇐ ⇒ F ∼ EA G. (ii) By [12, Prop osition 2] (attributed to Kasp ers–Zhou [16]), if F and G are EA-equiv alent quadratic functions with F ( 0 ) = G ( 0 ) = 0 , then they are EL-equiv alen t. Thus F ∼ EA G ⇐ ⇒ F ∼ EL G. Com bining (i) and (ii), for the APN members of our families G a and H a (whic h are quadratic and satisfy G a ( 0 ) = H a ( 0 ) = 0 ), w e obtain F ∼ CCZ G ⇐ ⇒ F ∼ EA G ⇐ ⇒ F ∼ EL G. Therefore, any CCZ-in v ariant that separates tw o maps also prov es they are not EL-equiv alen t, and con v ersely , proving EL-inequiv alence suﬃces to establish CCZ-inequiv alence. 30 F urthermore, by [12, Theorem 8], for ( q , q , q )-tripro jective p olynomial triples with m > 2, m  = 4 , 6, and 7 ∤ m , an y EL-equiv alence mapping m ust b e monomial (a comp osition of co ordinate p erm utations, diagonal scalings, and F rob enius twists). This dramatically restricts the search space for equiv alence maps. Our Theorem 4.2 establishes that G a is diagonal ly equiv alen t to G 1 if and only if a q 2 + q +1 = 1. F or m = 5 ( q = 2), this condition holds only for a = 1 (since gcd(7 , 31) = 1), yet T able 1 shows 11 go od parameters yield APN p erm utations. Computational veriﬁcation conﬁrms that no non-diagonal monomial maps exist b et w een G a and G 1 for the remaining 10 go o d parameters with a 7  = 1. Consequen tly , these 10 functions are EL-inequiv alen t (hence CCZ-inequiv alent) to the Li–Kaleyski representativ e G 1 . An analogous statemen t holds for the family H a . W e no w address the natural question of whether any member of the G a -family can b e EL-equiv alen t to any member of the H b -family for the same F r ob enius p ar ameter q . (Note that Theorem 11 of [12] sho ws G 1 ( q ) ∼ EL H 1 ( q − 1 ) with diﬀer ent parameters; the same- q question is entirely distinct.) Theorem 4.5. L et 3 < m  = 4 , 6 , 7 ∤ m , gcd( i, m ) = 1 , and q = 2 i . Then for every p air of go o d p ar ameters a, b ∈ F ∗ 2 m , the APN p ermutations G a and H b ar e not EL-e quivalent. In p articular, no memb er of the G a -family is CCZ-e quivalent to any memb er of the H b -family ( for the same q ) . Pr o of. Since b oth families consist of quadratic APN p ermutations v anishing at 0 , EL-, EA-, and CCZ-equiv alence coincide (see the remark preceding this theorem). Supp ose for contra- diction that H b  L ( x )  = A 2  G a ( x )  for all x ∈ F 3 2 m , (14) for some inv ertible F 2 -linear maps L and A 2 . By [12, Theorem 8], b oth maps are monomial (sho wn under our conditions on m ): L − 1 is a 3 × 3 matrix ov er F 2 m (the scalar case t = 0; the F rob enius case is identical and we omit it), and A 2 is a p erm utation matrix with F ∗ 2 m -scalings. W rite L − 1 with ro w vectors L k = ( ℓ 3 k − 2 , ℓ 3 k − 1 , ℓ 3 k ) for k = 1 , 2 , 3, and let π ∈ S 3 b e the p erm utation underlying A 2 , with nonzero entries w π (1) , w π (2) , w π (3) ∈ F ∗ 2 m . Step 1: matching the pure monomials determines the output p erm utation. In H b ( L ( x )), the pure monomials x q +1 , y q +1 , z q +1 app ear exclusively in output comp onen ts 1, 3, 2 resp ectively , b ecause L q +1 1 con tributes only to H b, 1 , L q +1 2 only to H b, 3 , and L q +1 3 only to H b, 2 . In G a ( x ), the same pure monomials app ear exclusiv ely in comp onen ts 1, 2, 3 resp ectively . Since A 2 sends output comp onent k of G a to output comp onent π − 1 ( k ) of A 2 ( G a ), matc hing the lo cations of x q +1 , y q +1 , z q +1 in (14) forces π (1) = 1 , π (2) = 3 , π (3) = 2 . A direct c heck shows that each of the other ﬁve p erm utations in S 3 forces either det( L ) = 0 or a = 0, b oth imp ossible. Hence A 2 ( u 1 , u 2 , u 3 ) = ( w 1 u 1 , w 6 u 3 , w 8 u 2 ) , w 1 , w 6 , w 8 ∈ F ∗ 2 m . (15) 31 Step 2: the second comp onen t determines the p ossible shap e of L . The second comp onen t of (14) with A 2 as in (15) reads L 1 · L q 2 + L q +1 3 = w 6 G a, 3 ( x ) = w 6  xy q + ay q z + z q +1  . (16) Crucially , the left-hand side is H b, 2 ( L ( x )) = L 1 L q 2 + L q +1 3 , which is indep endent of b (the parameter b en ters only via H b, 1 and H b, 3 ). Comparing co eﬃcients of all nine degree-2 monomials in x, y , z gives: [ x q +1 ] : ℓ 1 ℓ q 4 + ℓ q +1 7 = 0 , [ x q y ] : ℓ 2 ℓ q 4 + ℓ q 7 ℓ 8 = 0 , [ y q +1 ] : ℓ 2 ℓ q 5 + ℓ q +1 8 = 0 , [ x q z ] : ℓ 3 ℓ q 4 + ℓ q 7 ℓ 9 = 0 , [ z q +1 ] : ℓ 3 ℓ q 6 + ℓ q +1 9 = w 6 , [ xy q ] : ℓ 1 ℓ q 5 + ℓ q 8 ℓ 7 = w 6 , [ y q z ] : ℓ 3 ℓ q 5 + ℓ q 8 ℓ 9 = w 6 a, [ xz q ] : ℓ 1 ℓ q 6 + ℓ q 9 ℓ 7 = 0 , [ y z q ] : ℓ 2 ℓ q 6 + ℓ q 9 ℓ 8 = 0 . (17) W e no w determine all in v ertible solutions of (17), noting that w 6  = 0. Case 1 : ℓ 7  = 0 . F rom the [ x q y ] and [ x q z ] equations, v 3 := ( ℓ 7 , ℓ 8 , ℓ 9 ) = λ q v 1 where v 1 = ( ℓ 1 , ℓ 2 , ℓ 3 ) and λ = ℓ 4 /ℓ 7 . Setting σ = ℓ 6 − λℓ 9 , the [ xz q ] and [ y z q ] equations giv e σ q ℓ 1 = 0 and σ q ℓ 2 = 0. The [ z q +1 ] equation then yields σ q ℓ 3 = w 6  = 0, so σ  = 0 and therefore ℓ 1 = ℓ 2 = 0. But then ℓ 7 = λ q ℓ 1 = 0, con tradicting ℓ 7  = 0. Case 2 : ℓ 7 = 0 , ℓ 1 = 0 . Rows L 1 and L 3 b oth hav e zero ﬁrst co ordinate, so det( L ) = 0. Con tradiction. Case 3 : ℓ 7 = 0 , ℓ 4 = 0 , ℓ 1  = 0 . The [ x q +1 ] equation is automatically satisﬁed. The [ xz q ] equation gives ℓ 1 ℓ q 6 = 0, so ℓ 6 = 0. Then the [ y z q ] equation gives ℓ q 9 ℓ 8 = 0. The [ z q +1 ] equation gives ℓ q +1 9 = w 6  = 0, so ℓ 9  = 0 and hence ℓ 8 = 0. The [ y q +1 ] equation then gives ℓ 2 ℓ q 5 = 0; since L is inv ertible and ℓ 4 = ℓ 6 = ℓ 7 = ℓ 8 = 0, the middle column of L has entries ( ℓ 2 , ℓ 5 , 0), forcing ℓ 2 = 0 for det( L )  = 0. The [ xy q ] equation gives ℓ 1 ℓ q 5 = w 6 = ℓ q +1 9 , and the [ y q z ] equation gives ℓ 3 ℓ q 5 = w 6 a = ℓ 1 ℓ q 5 · a , hence ℓ 3 = aℓ 1 . In summary , the only inv ertible solutions to (17) are L − 1 = diag( ℓ 1 , ℓ 5 , ℓ 9 )   1 0 a 0 1 0 0 0 1   , ℓ 1 , ℓ 5 , ℓ 9 ∈ F ∗ 2 m . (18) Step 3: the ﬁrst comp onent yields the ﬁnal con tradiction. With L − 1 as in (18) we ha ve ℓ 2 = 0, ℓ 4 = 0, ℓ 8 = 0, and ℓ 5  = 0. The [ xy q ]-co eﬃcien t equation arising from the ﬁrst comp onen t of (14) (i.e., H b, 1 ( L ( x )) = w 1 G a, 1 ( x )) reads ℓ q 2 ℓ 1 + b ℓ 1 ℓ q 5 + ℓ 4 ℓ q 8 = 0 . Substituting these v alues gives b ℓ 1 ℓ q 5 = 0. Since ℓ 1 , ℓ 5  = 0, we obtain b = 0, contradicting the assumption that b is a go o d parameter. This con tradiction sho ws that no EL-equiv alence G a ∼ EL H b can exist for go o d pa- rameters a, b . Since EL-, EA-, and CCZ-equiv alence coincide in this setting, the claimed CCZ-inequiv alence follo ws as w ell. 32 R emark 4.6 . The pro of is indep enden t of the v alue of a q 2 + q +1 ; in particular, the assumption a q 2 + q +1  = 1 (which would place G a outside the diagonal class of G 1 ) is not required. The t wo families { G a : a go od } and { H b : b go od } are therefore en tirely disjoint CCZ-classes for ev ery o dd m satisfying the hypotheses. 5 Conclusion and op en problems W e established a ro ot-theoretic c haracterization of the generalized families G a and H a on F 2 3 m , with q = 2 i , gcd( i, m ) = 1, and m o dd. F or G a , the p erm utation prop erty is equiv alen t to the absence of ro ots in F 2 m of the asso ciated p olynomial Q a , and this ro ot condition is also equiv alen t to the APN prop ert y (Theorem 2.7). W e also obtained a quantitativ e low er b ound on the n umber of go o d parameters a (Theorem 2.12), and in the binary case q = 2 with 7 ∤ m we sho wed that a = 1 is go o d. F or H a , we obtained the analogous ro ot criterion and prov ed that its one-v ariable condition is ro ot-equiv alent to that of G a ; hence the same go od parameters yield APN p ermutations in b oth families. First, G a (resp. H a ) is diagonally equiv alent to the Li–Kaleyski represen tative G 1 (resp. H 1 ) of [10] if and only if a q 2 + q +1 = 1 (Theorem 4.2); for m > 4, m  = 6, 7 ∤ m , diagonal non-equiv alence implies CCZ non-equiv alence via [12], and since gcd(7 , 2 m − 1) = 1 when q = 2 and 7 ∤ m , every go o d parameter a  = 1 yields APN p erm utations CCZ-inequiv alent to those of [10]. Second, for m > 4, m  = 6, and 7 ∤ m , no mem b er of the G a -family is CCZ-equiv alen t to any member of the H b -family for the same q (Theorem 4.5). The tw o families therefore constitute genuinely new, mutually inequiv alent inﬁnite sources of APN p erm utations on F 2 3 m . W e close with a list of op en problems: 1. F or q = 2 and odd m with 7 | m : ﬁnd an explicit goo d a ∈ F ∗ 2 m (i.e., a  = 1 with Q a ro ot- free). Computational data sho ws they exist in abundance; an algebraic characterization of the go o d a set in terms of the norm N F 2 m / F 2 ( a ) is desirable. 2. The Type I p ermutations ( a 1 = a 4 = 0) found computationally for m = 3: do they extend to an inﬁnite family for larger m ? Are any of them APN? 3. The trace criterion (Lemma 2.4) fails for ev en m . Do es an analogue of Theorem 2.7 hold in even dimension, p ossibly with a diﬀeren t characterizing p olynomial? 4. Do analogous n -v ariate constructions ( n > 3) yield APN p erm utations, and can the p olynomial ro ot criterion b e generalized to that setting? Ac knowledgmen ts The second-named author (PS) thanks the ﬁrst-named author (DB) for the invitation at the Dipartimen to di Matematica e Informatica, Univ ersit` a degli Studi di Perugia, and great w orking conditions while there. The ﬁrst-named author (DB) thanks the Italian National Group for Algebraic and Geometric Structures and their Applications (GNSA GA–INdAM). 33 References [1] Y. Aubry , G. McGuire, F. Ro dier, A few mor e functions that ar e not APN inﬁnitely often , in: Finite ﬁelds: theory and applications, Contemp. Math. 518 , Amer. Math. So c., Providence, RI, 2010, pp. 23–31. [2] D. Bartoli, M. Pal, P . St˘ anic˘ a, T. T o ccotelli, Non-p ermutation phenomena in trivariate families over F 2 m and r esolution of a c onje ctur e , manuscript, 2025. [3] D. Bartoli, M. Timpanella, On a c onje ctur e on APN p ermutations , Cryptogr. Commun. 14 (2022), 925–931. [4] C. Beierle, C. Carlet, G. Leander, L. Perrin, A further study of quadr atic APN p ermu- tations in dimension nine , Finite Fields Appl. 81 (2022), 102049. [5] C. Beierle, G. Leander, New instanc es of quadr atic APN functions , IEEE T rans. Inf. Theory 68 (1) (2022), 670–678. [6] E. Biham, A. Shamir, Diﬀer ential cryptanalysis of DES-like cryptosystems , J. Cryptol. 4 (1) (1991), 3–72. [7] A. Cafure, G. Matera, Impr ove d explicit estimates on the numb er of solutions of e quations over a ﬁnite ﬁeld , Finite Fields Appl. 12 (2) (2006), 155–185. [8] R. Hartshorne, Algebr aic ge ometry , Graduate T exts in Mathematics, no. 52, Springer- V erlag, New Y ork–Heidelb erg, 1977. [9] J.W.P . Hirschfeld, G. Korc hm´ aros, F. T orres, Algebr aic curves over a ﬁnite ﬁeld , Prince- ton Univ ersit y Press, 2013. [10] K. Li, N. Kaleyski, Two new inﬁnite families of APN functions in trivariate form , IEEE T rans. Inf. Theory 70 (2) (2024), 1436–1452. [11] G. McGuire, J. Sheekey , A char acterization of the numb er of r o ots of line arize d and pr oje ctive p olynomials in the ﬁeld of c o eﬃcients , Finite Fields Appl. 57 (2019), 68–91. [12] C. Shi, J. P eng, H. Kan, and J. Gao, On CCZ-equiv alence of tw o new APN functions in triv ariate form, Designs, Co des and Crypto gr aphy 93 (2025), 4595–4625. [13] P . St˘ anic˘ a, T rivariate p ermutation pr oje ct , Magma and SageMath co des av ailable at https://github.com/pstanica/trivariatePP-APN , 2026. [14] H. Stich tenoth, Algebr aic F unction Fields and Co des , 2nd ed., Graduate T exts in Math- ematics, V ol. 254, Springer, Berlin, 2009. [15] S. Y oshiara, Equivalenc es of quadr atic APN functions , J. Algebraic Combin. 35 (2012), 461–475. [16] C. Kasp ers and Y. Zhou, The numb er of almost p erfe ct nonline ar functions gr ows exp o- nential ly , J. Cryptology 34 (2021), Paper No. 4, 30 pp. 34 A Computational v eriﬁcation W e verify Theorems 2.7 and 3.4 computationally for small parameters using SageMath 10.7; the co de is a v ailable at [13]. F or each test case ( m, i ) with gcd( i, m ) = 1 and m o dd, and for each a ∈ F ∗ 2 m , we: (1) determine whether Q a ( T ) has a ro ot in F 2 m b y ev aluating it on all elements; (2) verify whether G a is a p erm utation by chec king | Im( G a ) | = 2 3 m ; (3) verify the APN prop erty b y exhaustive diﬀeren tial computation. In all cases examined, the three conditions agree 100%, conﬁrming our theorems. T able 2: Computational v eriﬁcation. Correlation b etw een “ G a is a p erm utation/APN” and “ Q a ( T ) has no ro ots” is 100% in all cases. m i q | F ∗ 2 m | # p erm utations Correlation 3 1 2 7 7/7 100% 3 2 4 7 7/7 100% 5 1 2 31 11/31 100% 5 2 4 31 11/31 100% Case m = 3 : all a are go o d. If Q a ( θ ) = 0 for some θ ∈ F ∗ 2 3 , then from θ q 2 + q +1 = aθ + 1 and raising to the q -th p ow er: θ q 3 + q 2 + q = a q θ q + 1. Since θ ∈ F 2 3 = F 2 m w e hav e θ q m = θ , and q 3 = q m (when i = 1 , m = 3; or q 3 = 2 3 = 8 and 2 m = 2 3 = 8, so θ q 3 = θ 2 3 = θ 8 = θ since θ 7 = 1). This means θ q 3 + q 2 + q = θ q 2 + q . Then θ q 2 + q = a q θ q + 1. Combined with θ q 2 + q +1 = aθ +1 we get θ · ( a q θ q +1) = aθ +1, i.e., a q θ q +1 + θ = aθ +1, i.e., a q θ q +1 + θ + aθ + 1 = 0. This is a p olynomial equation of degree q + 1 = 3 in θ , which ma y or may not hav e solutions. A direct chec k ov er F 8 (whic h has characteristic 2 and | F ∗ 8 | = 7) conﬁrms that Q a ( T ) has no ro ots in F 8 for an y a ∈ F ∗ 8 , so all 7 v alues are go o d. Case m = 5 : Exactly 11 of 31 elemen ts a ∈ F ∗ 2 5 are go o d; the remaining 20 hav e Q a with 1 or 3 ro ots in F 2 5 . The v alue a = 1 is go o d (conﬁrming the gcd(5 , 7) = 1 condition). 35

Infinite families of APN permutations in constrained trivariate classes over $\mathbb{F}_{2^m}$

Original Paper

Comments & Academic Discussion

Leave a Comment

Original Paper

Related Papers

Comments & Academic Discussion

Leave a Comment