Towards a deeper understanding of APN functions and related longstanding problems

This dissertation is dedicated to the properties, construction and analysis of APN and AB functions. Being cryptographically optimal, these functions lack any general structure or patterns, which makes their study very challenging. Despite intense work since at least the early 90's, many important questions and conjectures in the area remain open. We present several new results, many of which are directly related to important longstanding open problems; we resolve some of these problems, and make significant progress towards the resolution of others. More concretely, our research concerns the following open problems: i) the maximum algebraic degree of an APN function, and the Hamming distance between APN functions (open since 1998); ii) the classification of APN and AB functions up to CCZ-equivalence (an ongoing problem since the introduction of APN functions, and one of the main directions of research in the area); iii) the extension of the APN binomial $x^3 + \beta x^{36}$ over $F_{2^{10}}$ into an infinite family (open since 2006); iv) the Walsh spectrum of the Dobbertin function (open since 2001); v) the existence of monomial APN functions CCZ-inequivalent to ones from the known families (open since 2001); vi) the problem of efficiently and reliably testing EA- and CCZ-equivalence (ongoing, and open since the introduction of APN functions). In the course of investigating these problems, we obtain i.a. the following results: 1) a new infinite family of APN quadrinomials (which includes the binomial $x^3 + \beta x^{36}$ over $F_{2^{10}}$); 2) two new invariants, one under EA-equivalence, and one under CCZ-equivalence; 3) an efficient and easily parallelizable algorithm for computationally testing EA-equivalence; 4) an efficiently computable lower bound on the Hamming distance between a given APN function and any other APN function; 5) a classification of all quadratic APN polynomials with binary coefficients over $F_{2^n}$ for $n \le 9$; 6) a construction allowing the CCZ-equivalence class of one monomial APN function to be obtained from that of another; 7) a conjecture giving the exact form of the Walsh spectrum of the Dobbertin power functions; 8) a generalization of an infinite family of APN functions to a family of functions with a two-valued differential spectrum, and an example showing that this Gold-like behavior does not occur for infinite families of quadratic APN functions in general; 9) a new class of functions (the so-called partially APN functions) defined by relaxing the definition of the APN property, and several constructions and non-existence results related to them.Doktorgradsavhandlin

New links between nonlinearity and differential uniformity

International audienceIn this paper some new links between the nonlinearity and differential uniformity of some large classes of functions are established. Differentially two-valued functions and quadratic functions are mainly treated. A lower bound for the nonlinearity of monomial δ-uniform permutations is obtained, for any δ, as well as an upper bound for differentially two-valued functions. Concerning quadratic functions, significant relations between nonlinearity and differential uniformity are exhibited. In particular, we show that the quadratic differentially 4-uniform permutations should be differentially two-valued and possess the best known nonlinearity

Analysis, classification and construction of optimal cryptographic Boolean functions

Modern cryptography is deeply founded on mathematical theory and vectorial Boolean functions play an important role in it. In this context, some cryptographic properties of Boolean functions are defined. In simple terms, these properties evaluate the quality of the cryptographic algorithm in which the functions are implemented. One cryptographic property is the differential uniformity, introduced by Nyberg in 1993. This property is related to the differential attack, introduced by Biham and Shamir in 1990. The corresponding optimal functions are called Almost Perfect Nonlinear functions, shortly APN. APN functions have been constructed, studied and classified up to equivalence relations. Very important is their classification in infinite families, i.e. constructing APN functions that are defined for infinitely many dimensions. In spite of an intensive study of these maps, many fundamental problems related to APN functions are still open and relatively few infinite families are known so far. In this thesis we present some constructions of APN functions and study some of their properties. Specifically, we consider a known construction, L1(x^3)+L2(x^9) with L1 and L2 linear maps, and we introduce two new constructions, the isotopic shift and the generalised isotopic shift. In particular, using the two isotopic shift constructing techniques, in dimensions 8 and 9 we obtain new APN functions and we cover many unclassified cases of APN maps. Here new stands for inequivalent (in respect to the so-called CCZ-equivalence) to already known ones. Afterwards, we study two infinite families of APN functions and their generalisations. We show that all these families are equivalent to each other and they are included in another known family. For many years it was not known whether all the constructed infinite families of APN maps were pairwise inequivalent. With our work, we reduce the list to those inequivalent to each other. Furthermore, we consider optimal functions with respect to the differential uniformity in fields of odd characteristic. These functions, called planar, have been valuable for the construction of new commutative semifields. Planar functions present often a close connection with APN maps. Indeed, the idea behind the isotopic shift construction comes from the study of isotopic equivalence, which is defined for quadratic planar functions. We completely characterise the mentioned equivalence by means of the isotopic shift and the extended affine equivalence. We show that the isotopic shift construction leads also to inequivalent planar functions and we analyse some particular cases of this construction. Finally, we study another cryptographic property, the boomerang uniformity, introduced by Cid et al. in 2018. This property is related to the boomerang attack, presented by Wagner in 1999. Here, we study the boomerang uniformity for some known classes of permutation polynomials.Doktorgradsavhandlin

Design and analysis of bent functions using M\mathcal{M}-subspaces

In this article, we provide the first systematic analysis of bent functions $f$ on $\mathbb{F}_2^{n}$ in the Maiorana-McFarland class $\mathcal{MM}$ regarding the origin and cardinality of their $\mathcal{M}$-subspaces, i.e., vector subspaces on which the second-order derivatives of $f$ vanish. By imposing restrictions on permutations $\pi$ of $\mathbb{F}_2^{n/2}$, we specify the conditions, such that Maiorana-McFarland bent functions $f(x,y)=x\cdot \pi(y) + h(y)$ admit a unique $\mathcal{M}$-subspace of dimension $n/2$. On the other hand, we show that permutations $\pi$ with linear structures give rise to Maiorana-McFarland bent functions that do not have this property. In this way, we contribute to the classification of Maiorana-McFarland bent functions, since the number of $\mathcal{M}$-subspaces is invariant under equivalence. Additionally, we give several generic methods of specifying permutations $\pi$ so that $f\in\mathcal{MM}$ admits a unique $\mathcal{M}$-subspace. Most notably, using the knowledge about $\mathcal{M}$-subspaces, we show that using the bent 4-concatenation of four suitably chosen Maiorana-McFarland bent functions, one can in a generic manner generate bent functions on $\mathbb{F}_2^{n}$ outside the completed Maiorana-McFarland class $\mathcal{MM}^\#$ for any even $n\geq 8$. Remarkably, with our construction methods it is possible to obtain inequivalent bent functions on $\mathbb{F}_2^8$ not stemming from two primary classes, the partial spread class $\mathcal{PS}$ and $\mathcal{MM}$. In this way, we contribute to a better understanding of the origin of bent functions in eight variables, since only a small fraction, of which size is about $2^{76}$, stems from $\mathcal{PS}$ and $\mathcal{MM}$, whereas the total number of bent functions on $\mathbb{F}_2^8$ is approximately $2^{106}$

On upper bounds for algebraic degrees of APN functions

We study the problem of existence of APN functions of algebraic degree $n$ over \ftwon. We characterize such functions by means of derivatives and power moments of the Walsh transform. We deduce some non-existence results which mean, in particular, that for most of the known APN functions $F$ over \ftwon the function $x^{2^n-1}+F(x)$ is not APN, and changing a value of $F$ in a single point results in non-APN functions

Value Distributions of Perfect Nonlinear Functions

In this paper, we study the value distributions of perfect nonlinear functions, i.e., we investigate the sizes of image and preimage sets. Using purely combinatorial tools, we develop a framework that deals with perfect nonlinear functions in the most general setting, generalizing several results that were achieved under specific constraints. For the particularly interesting elementary abelian case, we derive several new strong conditions and classification results on the value distributions. Moreover, we show that most of the classical constructions of perfect nonlinear functions have very specific value distributions, in the sense that they are almost balanced. Consequently, we completely determine the possible value distributions of vectorial Boolean bent functions with output dimension at most 4. Finally, using the discrete Fourier transform, we show that in some cases value distributions can be used to determine whether a given function is perfect nonlinear, or to decide whether given perfect nonlinear functions are equivalent.Comment: 28 pages. minor revisions of the previous version. The paper is now identical to the published version, outside of formattin

Permutation rotation-symmetric S-boxes, liftings and affine equivalence

In this paper, we investigate permutation rotation-symmetric (shift-invariant) vectorial Boolean functions on n bits that are liftings from Boolean functions on k bits, for k≤n. These functions generalize the well-known map used in the current Keccak hash function, which is generated via the Boolean function on 3 variables, x1+(x2+1)x3. We provide some general constructions, and also study the affine equivalence between rotation-symmetric S-boxes and describe the corresponding relationship between the Boolean function they are associated with

On the differential equivalence of APN functions

C.~Carlet, P.~Charpin, V.~Zinoviev in 1998 defined the associated Boolean function $\gamma_F(a,b)$ in $2n$ variables for a given vectorial Boolean function $F$ from $\mathbb{F}_2^n$ to itself. It takes value~$1$ if $a\neq {\bf 0}$ and equation $F(x)+F(x+a)=b$ has solutions. This article defines the differentially equivalent functions as vectorial functions having equal associated Boolean functions. It is an open problem of great interest to describe the differential equivalence class for a given Almost Perfect Nonlinear (APN) function. We determined that each quadratic APN function $G$ in $n$ variables, $n\leq 6$, that is differentially equivalent to a given quadratic APN function $F$, can be represented as $G = F + A$, where $A$ is affine. For the APN Gold function $F$, we completely described all affine functions $A$ such that $F$ and $F+A$ are differentially equivalent. This result implies that the class of APN Gold functions up to EA-equivalence contains the first infinite family of functions, whose differential equivalence class is non-trivial