A note on the properties of associated Boolean functions of quadratic APN functions
arXiv [cs.DM], May
A. Gorodilova
Sobolev Institute of Mathematics, Novosibirsk, Russia
Novosibirsk State University, Novosibirsk, Russia
Abstract.
Let $F$ be a quadratic APN function of $n$ variables. The associated Boolean function $\gamma_F$ in $2n$ variables ($\gamma_F(a, b) = 1$ if a = and equation $F(x) + F(x + a) = b$ has solutions) has the form $\gamma_F(a, b) = \Phi_F(a) \cdot b + \phi_F(a) + 1$ for appropriate functions $\Phi_F : \mathbb{F}^n \to \mathbb{F}^n$ and $\phi_F : \mathbb{F}^n \to \mathbb{F}$. We summarize the known results and prove new ones regarding properties of $\Phi_F$ and $\phi_F$. For instance, we prove that degree of $\Phi_F$ is either $n$ or less or equal to n − F is n − 2. We show that this conjecture is based on two other conjectures of independent interest.
Keywords.
A quadratic APN function, the associated Boolean function, degree of a function.
Let $\mathbb{F}^n$ be the $n$-dimensional vector space over $\mathbb{F}$. Let denote the zero vector of $\mathbb{F}^n$ and denote the vector with all 1s. By $+$ we denote the coordinate-wise sum modulo 2 for vectors from $\mathbb{F}^n$. Let x · y = x y + . . . + x n y n denote the inner product of vectors x = ( x , . . . , x n ), y = ( y , . . . , y n ) $\in \mathbb{F}^n$; $x \preceq y$ if x i y i for all $i = 1, \ldots, n$; and $\mathrm{wt}(x) = \sum_{i=1}^{n} x_i$ denote the Hamming weight of $x \in \mathbb{F}^n$. A set $M \subseteq \mathbb{F}^n$ forms a linear subspace if $x + y \in M$ for any $x, y \in M$; the dimension of $M$, $\dim(M)$, is the maximal number of vectors from $M$ that are linearly independent over $\mathbb{F}$.

We consider vectorial Boolean functions $F : \mathbb{F}^n \to \mathbb{F}^m$, F = ( f , . . . , f m ), where $f_i : \mathbb{F}^n \to \mathbb{F}$, $i = 1, \ldots, m$, is a coordinate function of $F$. The algebraic normal form (ANF) of $F$ is the following unique representation: $F(x) = \sum_{I \in \mathcal{P}(N)} a_I \bigl( \prod_{i \in I} x_i \bigr)$, where $\mathcal{P}(N)$ is the power set of N = { , . . . , n } and $a_I \in \mathbb{F}^m$. The algebraic degree of $F$ is the degree of its ANF: deg( F ) = max {| I | : a I = , I ∈ P ( N ) }. Functions of algebraic degree at most 1 are called affine (they are linear in case of F ( ) = ). Functions of algebraic degree 2 are called quadratic.

The Walsh transform $W_f : \mathbb{F}^n \to \mathbb{Z}$ of a Boolean function $f : \mathbb{F}^n \to \mathbb{F}$ is defined as W f ( u ) = Σ x ∈ F n ( − f ( x )+ u · x . For $F$ the Walsh spectrum consists of all Walsh coefficients $W_{F_v}(u)$, $u \in \mathbb{F}^n$, $v \in \mathbb{F}^m$, v = , where $F_v = v \cdot F$ is a component Boolean function of $F$.

A function $F$ from $\mathbb{F}^n$ to itself is called almost perfect nonlinear (APN) (according to K. Nyberg [7]) if for any $a, b \in \mathbb{F}^n$, a = , equation $F(x) + F(x + a) = b$ has at most 2 solutions. APN functions are of special interest for using as S-boxes in block ciphers due to their optimal differential characteristics. Despite the fact that APN functions are intensively studied (see, for example, the book [2] of L. Budaghyan, surveys [8] of A. Pott, [4] of M. M. Glukhov, [10] of M. E. Tuzhilin), there are a lot of open problems on finding new constructions, classifications, etc.

In [3] C. Carlet, P. Charpin and V. Zinoviev introduced the associated Boolean function γ F : F n → F for a given vectorial Boolean function $F$ from $\mathbb{F}^n$ to itself; $\gamma_F(a, b) = 1$ if and only if a = and equation $F(x) + F(x + a) = b$ has solutions.

Two functions are called differentially equivalent [5] (or $\gamma$-equivalent according to K. Boura et al [1]) if their associated Boolean functions coincide. The problem of describing the differential equivalence class of an APN function remains open even for quadratic case. That is why we are interested in obtaining some properties of $\gamma_F$. We will focus on quadratic APN functions.

Let $F$ be a quadratic APN function. Then the set $B_a(F) = \{ F(x) + F(x + a) \mid x \in \mathbb{F}^n \}$ is a linear subspace of dimension n − a ∈ F n . Using this fact, $\gamma_F$ can be uniquely represented in the form
$$\gamma_F(a, b) = \Phi_F(a) \cdot b + \phi_F(a) + 1,$$
where $\Phi_F : \mathbb{F}^n \to \mathbb{F}^n$, $\phi_F : \mathbb{F}^n \to \mathbb{F}$ are defined from $B_a(F) = \{ y \in \mathbb{F}^n : \Phi_F(a) \cdot y = \phi_F(a) \}$ for all a = ; and Φ F ( ) = , ϕ F ( ) = 1. Note that $B_a(F)$ is a linear subspace if and only if $\phi_F(a) = 0$. It is easy to see that ( F ( x ) + F ( x + a ) + F ( a ) + F ( )) · Φ F ( a ) = 0 for all $x \in \mathbb{F}^n$ by definition.

In this note we study the properties of functions $\Phi_F$ and $\phi_F$.
$\phi_F$ and $\Phi_F$

In this section we summarize known results and present new ones about properties of $\Phi_F$ and $\phi_F$. As it usually happens, the cases of even and odd number of variables are different.

$\Phi_F$

According to [6], let us denote $A^F_v = \{ a \in \mathbb{F}^n \mid \Phi_F(a) = v \}$.

Theorem 1 ([3, 6]).
Let $F$ be a quadratic APN function of $n$ variables.
1. If $n$ is odd, then $\Phi_F$ is a permutation.
2. If $n$ is even, then the preimage Φ F of any nonzero vector is a linear subspace of even dimension together with the zero vector.

Note that theorem 1 (1) means also that $\gamma_F$ is a bent function of Maiorana-McFarland type (readers may find details regarding bent functions in [9]).

Corollary 1.
Let $F$ be a quadratic APN function. Then $\Phi_F$ takes an odd number of distinct nonzero values.

Proof. By definition of $\Phi_F$, we have Φ F ( ) = . If $n$ is odd, then $\Phi_F$ is a permutation [3]. Hence, the proposition holds.

Let $n$ be even. It is known [6] that the preimage set $A^F_v = \{ x \in \mathbb{F}^n \mid \Phi_F(x) = v \}$ for any nonzero $v \in \mathbb{F}^n$ represents a linear subspace of even dimension together with the zero vector. Let Φ F ∈ { , v , . . . , v m }, where $v_i$, $i = 1, \ldots, m$, are pairwise distinct nonzero vectors. We need to prove that $m$ is odd.

We have that
2 n − | A Fv | + . . . + | A Fv m | = 2 λ − . . . + 2 λ m − λ + . . . + 2 λ m − m,
where $\lambda_i$, $i = 1, \ldots, m$, is a nonzero even number. Since 2 n − m is also odd.

$\phi_F$

Proposition 1.
Let $F$ be a quadratic APN function of $n$ variables, $n$ is even. Then $\deg(\phi_F) = n$, or, equivalently, $\mathrm{wt}(\phi_F)$ is odd.

Proof. It is known [6] that A Fv ∪ { } is a linear subspace of even dimension if $n$ is even for any nonzero $v \in \mathbb{F}^n$. Also [6], there exists $c_v \in \mathbb{F}^n$ such that $\phi_F|_{A^F_v} = c_v \cdot x|_{A^F_v}$. Hence, wt( ϕ F | A Fv ) is an even number equal to 0 or 2 dim( A Fv ∪{ } ) − for any nonzero $v$ and ϕ F ( ) = 1 by definition. Thus, $\mathrm{wt}(\phi_F)$ is odd. It is widely known that $\mathrm{wt}(f)$ is odd if and only if $\deg(f) = n$ for any Boolean function of $n$ variables.

The case of odd $n$ remains open. Based on our computational experiments for all known quadratic APN functions of not more than 11 variables, we can formulate the following

Conjecture 1.
Let $F$ be a quadratic APN function of $n$ variables, $n$ is odd. Then $\deg(\phi_F) < n$, or, equivalently, $\mathrm{wt}(\phi_F)$ is even.

$\Phi_F$

Theorem 2 ([5]).
Let $F$ be a quadratic APN function of $n$ variables, n ≥ , $n$ is odd. Then deg(Φ F ) ≤ n − .

The following theorem contains a similar bound for even $n$.

Theorem 3.
Let $F$ be a quadratic APN function in $n$ variables, n ≥ , $n$ is even. Then each coordinate function of $\Phi_F$ is represented as
(Φ F ) i ( x ) = f i ( x ) + λ i ( x . . . x n + x x . . . x n + . . . + x x . . . x n − + x . . . x n ),
where deg( f i ) ≤ n − and $\lambda_i \in \mathbb{F}$.

Proof. Let $L : \mathbb{F}^n \to \mathbb{F}^n$ be a linear function. Then it is easy to see that
$$\gamma_{F+L}(a, b) = \gamma_F(a, b + L(a)) = (b + L(a)) \cdot \Phi_F(a) + \phi_F(a) + 1 = b \cdot \Phi_F(a) + \phi_F(a) + L(a) \cdot \Phi_F(a) + 1.$$
Hence, $\Phi_{F+L} = \Phi_F$ and $\phi_{F+L} = \phi_F + L \cdot \Phi_F$. By proposition 1, $\deg(\phi_F) = \deg(\phi_{F+L}) = n$, since $F + L$ is also a quadratic APN function. Thus, $\deg(L \cdot \Phi_F) < n$ for any linear function $L$.

Suppose that $\deg(\Phi_F) = n$. This means that there exists a coordinate function $(\Phi_F)_i$ of degree $n$. Let us represent
(Φ F ) i ( x ) = f i ( x ) + a x . . . x n + a x x . . . x n + . . . + a n x x . . . x n − + x . . . x n ,
where deg( f i ) ≤ n − a , . . . , a n ∈ F .
• If $a_j = 0$, then $\deg(L \cdot \Phi_F) = n$ for L = (0 , . . . , , x j , , . . . , x j is the $i$-th coordinate function of $L$. Hence, we get a contradiction.
• If $a_j = 1$ for all $j$, then it is easy to see that we will always have $\deg(L \cdot \Phi_F) < n$ for any linear function $L$.

Suppose that $\deg(\Phi_F) = n - 1$. Similarly,
(Φ F ) i ( x ) = f i ( x ) + a x . . . x n + a x x . . . x n + . . . + a n x x . . . x n − ,
where at least one coefficient is equal to 1, say $a_j$. Then $\deg(L \cdot \Phi_F) = n$ for L = (0 , . . . , , x j , , . . . , x j is the $i$-th coordinate function of $L$. Hence, we get a contradiction.

Thus, (Φ F ) i is of degree not more than n − n − n are included in the ANF of (Φ F ) i .

Remark 1.
For all known quadratic APN functions of not more than 11 variables, we computationally verified that
• for even $n$, the case $\deg((\Phi_F)_i) = n$ is not realized;
• any component function of $\Phi_F$ has degree exactly n − .

Based on our computational experiments we can formulate the following
Conjecture 2.
Let $F$ be a quadratic APN function of $n$ variables, n ≥ . Then deg( v · Φ F ) = n − for any nonzero $v \in \mathbb{F}^n$.

deg(Φ F ) = n − hold?

In this section we study the following question: “Is conjecture 2 true or not?”.

For example, consider an APN Gold function F ( x ) = x k +1 , $\gcd(n, k) = 1$ (the function is given as a function over the finite field of order 2 n ). Its associated Boolean function is known [3]: γ F ( a, b ) = tr (( a k +1 ) − b ) + tr (1) + 1 (here tr is the absolute trace function in the finite field of order 2 n ). So, we have Φ F ( a ) = ( a k +1 ) − , $\Phi_F(0) = 0$, and as it is easy to see deg(Φ F ) = n − F ( x ) = x d is equal to the 2-weight of the integer d modulo 2 n ).

We wonder whether conjecture 2 is true or not for arbitrary $n$. Let us focus on the case of odd $n$ since in this case we have the bound of theorem 2. For even case, the consideration could be rather similar but with assumption that $\deg(\Phi_F)$ is not equal to $n$, that is only a conjecture up to now.

Step 1.
Let $F$ be a quadratic APN function of $n$ variables, $n$ is odd, n ≥ v be a nonzero vector from $\mathbb{F}^n$. We need to prove that deg( v · Φ F ) = n − v ∈ F n .

We use the following widely known equality for counting the ANF coefficients of a Boolean function $f$ of $n$ variables:
g f ( a ) = ( wt( a ) − − wt( a ) − n − Σ b ⪯ ( a + ) W f ( b ) ) mod 2. (1)

We need to show now that there exists a vector a v with wt( a v ) = n − g v · Φ F ( a v ) = 1. Equivalently, that there exist coordinates i, j , 1 i = j n , such that
Σ b ⪯ ( a v + ) W v · Φ F ( b ) = W v · Φ F ( ) + W v · Φ F ( e i ) + W v · Φ F ( e j ) + W v · Φ F ( e i + e j )
is not divided by 16 according to (1). Here $e_i$ is the vector with 1 in the $i$-th coordinate and 0s in other coordinates. Let us introduce the following sets:
$M_i = \{ x \in \mathbb{F}^n \mid v \cdot \Phi_F(x) = 0, \; x \cdot e_i = 0 \}$;
$M_j = \{ x \in \mathbb{F}^n \mid v \cdot \Phi_F(x) = 0, \; x \cdot e_j = 0 \}$;
M ij = { x ∈ F n | v · Φ F ( x ) = 0 , x · ( e i + e j ) = 0 } .

Then, we have
Σ b ⪯ ( a v + ) W v · Φ F ( b ) = 4 | M i | − n + 4 | M j | − n + 4 | M ij | − n = 4( | M i | + | M j | + | M ij | ) − · n = 4(2 n − + 2 | M ij | ) − · n = 8 | M ij | − n − ,
where M ij = { x ∈ F n | v · Φ F ( x ) = 0 , x · e i = 0 , x · e j = 0 } .

Step 2.
Thus, we need to prove that there exist coordinates i, j , 1 i = j n , such that | M ij | is odd (since we consider n ≥ M = { x ∈ F n | v · Φ F ( x ) = 0 } = ⋃ ℓ ∈ I A ℓ , where $A_\ell$ is a linear subspace of dimension 2, and A ℓ ∩ A k = { } , ℓ, k ∈ I , ℓ = k . Since $\Phi_F$ is a permutation, then | M | = 2 n − and | I | = (2 n − − / A ℓ = { , x ℓ , y ℓ , x ℓ + y ℓ } . Then for any distinct coordinates $i, j$ of $x_\ell$, $y_\ell$, $x_\ell + y_\ell$ we have the following situations (without permutations of rows):

                    ij      ij      ij      ij      ij
    x_ℓ             00      00      00      00      01
    y_ℓ             00  or  01  or  10  or  11  or  10
    x_ℓ + y_ℓ       00      01      10      11      11

Hence, the number of $x_\ell$, $y_\ell$, $x_\ell + y_\ell$ together with that belong to the set M ij is equal to
1 + 3 · N ij + 1 · N ij + 0 · N ij ,
where N ij + N ij + N ij = | I | = (2 n − − / 3, and N ijk , k = 0 , , A ℓ , ℓ ∈ I , having exactly $k$ vectors with both coordinates $i$ and $j$ equal to 0.

Thus, | M ij | is odd if and only if N ij is odd.

Step 3.
Now, we need to prove that there exist coordinates i, j , 1 i = j n , such that N ij is odd. We found the following interesting property (computationally verified for $n = 5$) that we formulate as a conjecture.

Conjecture 3.
Let M = ⋃ ℓ ∈ I A ℓ , where $A_\ell$ is a linear subspace of dimension 2, and A ℓ ∩ A k = { } , ℓ, k ∈ I , ℓ = k , | I | = (2 n − − / . Then the set $M$ is a hyperplane $\{ x \in \mathbb{F}^n \mid x_m = 0 \}$ for some coordinate $m$ if and only if the number of subspaces $A_\ell$ without elements having both coordinates $i$ and $j$ equal to is even for any distinct coordinates $i, j$.

Step 4.
If conjecture 3 is true, then we need to prove that $M = \{ x \in \mathbb{F}^n \mid v \cdot \Phi_F(x) = 0 \}$ cannot be a hyperplane $\{ x \in \mathbb{F}^n \mid x_m = 0 \}$ for some coordinate $m$.

Conjecture 4.
Let $F$ be a quadratic APN function in $n$ variables, n ≥ . Then $\{ x \in \mathbb{F}^n \mid v \cdot \Phi_F(x) = 0 \}$ is not a linear subspace.

We computationally verified this property for all known quadratic APN functions for $n = 5, \ldots, 11$ and formulate the conjecture.

Thus, by proving conjectures 3 and 4, we can prove the starting conjecture 2. Unfortunately, each of them remains open up to now.
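The definitions of $\Phi_F$ and $\phi_F$ can be checked by brute force on a small case. The Python code below is an added example, not code from the paper: it builds the Gold function $x^3$ (the case $k = 1$ of $x^{2^k+1}$) for $n = 5$, derives $\Phi_F$ and $\phi_F$ from the sets $B_a(F)$, and exposes what is needed to check Theorem 1 for odd $n$ and the degrees discussed in Conjectures 1 and 2. The field polynomial $x^5 + x^2 + 1$, the use of the coordinate-wise inner product on the integer encoding instead of the trace form, and all function names are assumptions of this example.

```python
# Added example (not from the paper): Phi_F and phi_F for the Gold function x^3, n = 5.
N, SIZE = 5, 32
POLY = 0b100101  # x^5 + x^2 + 1, assumed field polynomial for GF(2^5)

def gf_mul(a, b):
    """Multiply two field elements encoded as 5-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= POLY
        b >>= 1
    return r

def dot(x, y):
    """Inner product x . y of two bit vectors."""
    return bin(x & y).count("1") & 1

def degree(tt):
    """Algebraic degree of a Boolean function from its truth table."""
    c = list(tt)
    for i in range(N):  # binary Moebius transform: truth table -> ANF
        for x in range(SIZE):
            if (x >> i) & 1:
                c[x] ^= c[x ^ (1 << i)]
    return max((bin(x).count("1") for x in range(SIZE) if c[x]), default=0)

def derivative_set(F, a):
    """B_a(F) = { F(x) + F(x + a) : x }."""
    return {F[x] ^ F[x ^ a] for x in range(SIZE)}

def associated(F):
    """Return (Phi_F, phi_F) with B_a(F) = { y : Phi_F(a) . y = phi_F(a) }."""
    big_phi, small_phi = [0], [1]  # values at a = 0
    for a in range(1, SIZE):
        B = derivative_set(F, a)
        # the unique nonzero v whose inner product is constant on B_a(F)
        v = next(v for v in range(1, SIZE) if len({dot(v, y) for y in B}) == 1)
        big_phi.append(v)
        small_phi.append(dot(v, next(iter(B))))
    return big_phi, small_phi

GOLD = [gf_mul(x, gf_mul(x, x)) for x in range(SIZE)]  # F(x) = x^3
BIG_PHI, SMALL_PHI = associated(GOLD)

def gamma(a, b):
    """gamma_F(a, b) = Phi_F(a) . b + phi_F(a) + 1."""
    return dot(BIG_PHI[a], b) ^ SMALL_PHI[a] ^ 1

def component_degrees():
    """Degrees of all component functions v . Phi_F for nonzero v."""
    return {degree([dot(v, BIG_PHI[a]) for a in range(SIZE)]) for v in range(1, SIZE)}
```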
Conclusion