Towards a deeper understanding of APN functions and related longstanding problems

This dissertation is dedicated to the properties, construction and analysis of APN and AB functions. Being cryptographically optimal, these functions lack any general structure or patterns, which makes their study very challenging. Despite intense work since at least the early 90's, many important questions and conjectures in the area remain open. We present several new results, many of which are directly related to important longstanding open problems; we resolve some of these problems, and make significant progress towards the resolution of others. More concretely, our research concerns the following open problems: i) the maximum algebraic degree of an APN function, and the Hamming distance between APN functions (open since 1998); ii) the classification of APN and AB functions up to CCZ-equivalence (an ongoing problem since the introduction of APN functions, and one of the main directions of research in the area); iii) the extension of the APN binomial $x^3 + \beta x^{36}$ over $F_{2^{10}}$ into an infinite family (open since 2006); iv) the Walsh spectrum of the Dobbertin function (open since 2001); v) the existence of monomial APN functions CCZ-inequivalent to ones from the known families (open since 2001); vi) the problem of efficiently and reliably testing EA- and CCZ-equivalence (ongoing, and open since the introduction of APN functions). In the course of investigating these problems, we obtain i.a. the following results: 1) a new infinite family of APN quadrinomials (which includes the binomial $x^3 + \beta x^{36}$ over $F_{2^{10}}$); 2) two new invariants, one under EA-equivalence, and one under CCZ-equivalence; 3) an efficient and easily parallelizable algorithm for computationally testing EA-equivalence; 4) an efficiently computable lower bound on the Hamming distance between a given APN function and any other APN function; 5) a classification of all quadratic APN polynomials with binary coefficients over $F_{2^n}$ for $n \le 9$; 6) a construction allowing the CCZ-equivalence class of one monomial APN function to be obtained from that of another; 7) a conjecture giving the exact form of the Walsh spectrum of the Dobbertin power functions; 8) a generalization of an infinite family of APN functions to a family of functions with a two-valued differential spectrum, and an example showing that this Gold-like behavior does not occur for infinite families of quadratic APN functions in general; 9) a new class of functions (the so-called partially APN functions) defined by relaxing the definition of the APN property, and several constructions and non-existence results related to them.Doktorgradsavhandlin

Analysis, classification and construction of optimal cryptographic Boolean functions

Modern cryptography is deeply founded on mathematical theory and vectorial Boolean functions play an important role in it. In this context, some cryptographic properties of Boolean functions are defined. In simple terms, these properties evaluate the quality of the cryptographic algorithm in which the functions are implemented. One cryptographic property is the differential uniformity, introduced by Nyberg in 1993. This property is related to the differential attack, introduced by Biham and Shamir in 1990. The corresponding optimal functions are called Almost Perfect Nonlinear functions, shortly APN. APN functions have been constructed, studied and classified up to equivalence relations. Very important is their classification in infinite families, i.e. constructing APN functions that are defined for infinitely many dimensions. In spite of an intensive study of these maps, many fundamental problems related to APN functions are still open and relatively few infinite families are known so far. In this thesis we present some constructions of APN functions and study some of their properties. Specifically, we consider a known construction, L1(x^3)+L2(x^9) with L1 and L2 linear maps, and we introduce two new constructions, the isotopic shift and the generalised isotopic shift. In particular, using the two isotopic shift constructing techniques, in dimensions 8 and 9 we obtain new APN functions and we cover many unclassified cases of APN maps. Here new stands for inequivalent (in respect to the so-called CCZ-equivalence) to already known ones. Afterwards, we study two infinite families of APN functions and their generalisations. We show that all these families are equivalent to each other and they are included in another known family. For many years it was not known whether all the constructed infinite families of APN maps were pairwise inequivalent. With our work, we reduce the list to those inequivalent to each other. Furthermore, we consider optimal functions with respect to the differential uniformity in fields of odd characteristic. These functions, called planar, have been valuable for the construction of new commutative semifields. Planar functions present often a close connection with APN maps. Indeed, the idea behind the isotopic shift construction comes from the study of isotopic equivalence, which is defined for quadratic planar functions. We completely characterise the mentioned equivalence by means of the isotopic shift and the extended affine equivalence. We show that the isotopic shift construction leads also to inequivalent planar functions and we analyse some particular cases of this construction. Finally, we study another cryptographic property, the boomerang uniformity, introduced by Cid et al. in 2018. This property is related to the boomerang attack, presented by Wagner in 1999. Here, we study the boomerang uniformity for some known classes of permutation polynomials.Doktorgradsavhandlin

On the differential equivalence of APN functions

C.~Carlet, P.~Charpin, V.~Zinoviev in 1998 defined the associated Boolean function $\gamma_F(a,b)$ in $2n$ variables for a given vectorial Boolean function $F$ from $\mathbb{F}_2^n$ to itself. It takes value~$1$ if $a\neq {\bf 0}$ and equation $F(x)+F(x+a)=b$ has solutions. This article defines the differentially equivalent functions as vectorial functions having equal associated Boolean functions. It is an open problem of great interest to describe the differential equivalence class for a given Almost Perfect Nonlinear (APN) function. We determined that each quadratic APN function $G$ in $n$ variables, $n\leq 6$, that is differentially equivalent to a given quadratic APN function $F$, can be represented as $G = F + A$, where $A$ is affine. For the APN Gold function $F$, we completely described all affine functions $A$ such that $F$ and $F+A$ are differentially equivalent. This result implies that the class of APN Gold functions up to EA-equivalence contains the first infinite family of functions, whose differential equivalence class is non-trivial

Deciding EA-equivalence via invariants

We define a family of efficiently computable invariants for (n,m)-functions under EA-equivalence, and observe that, unlike the known invariants such as the differential spectrum, algebraic degree, and extended Walsh spectrum, in the case of quadratic APN functions over $\mathbb {F}_{2^n}$ with n even, these invariants take on many different values for functions belonging to distinct equivalence classes. We show how the values of these invariants can be used constructively to implement a test for EA-equivalence of functions from $\mathbb {F}_{2}^{n}$ to $\mathbb {F}_{2}^{m}$; to the best of our knowledge, this is the first algorithm for deciding EA-equivalence without resorting to testing the equivalence of associated linear codes.publishedVersio

Invariants for EA- and CCZ-equivalence of APN and AB functions

An (n,m)-function is a mapping from ${\mathbb {F}_{2}^{n}}$ to ${\mathbb {F}_{2}^{m}}$. Such functions have numerous applications across mathematics and computer science, and in particular are used as building blocks of block ciphers in symmetric cryptography. The classes of APN and AB functions have been identified as cryptographically optimal with respect to the resistance against two of the most powerful known cryptanalytic attacks, namely differential and linear cryptanalysis. The classes of APN and AB functions are directly related to optimal objects in many other branches of mathematics, and have been a subject of intense study since at least the early 90’s. Finding new constructions of these functions is hard; one of the most significant practical issues is that any tentatively new function must be proven inequivalent to all the known ones. Testing equivalence can be significantly simplified by computing invariants, i.e. properties that are preserved by the respective equivalence relation. In this paper, we survey the known invariants for CCZ- and EA-equivalence, with a particular focus on their utility in distinguishing between inequivalent instances of APN and AB functions. We evaluate each invariant with respect to how easy it is to implement in practice, how efficiently it can be calculated on a computer, and how well it can distinguish between distinct EA- and CCZ-equivalence classes.publishedVersio

On the QIC of quadratic APN functions

International audienceVectorial Boolean functions are useful in symmetric cryptography for designing block ciphers among other primitives. One of the main attacks on these ciphers is the differential attack. Differential attacks exploit the highest values in the differential distribution table (DDT). A function is called Almost Perfect Nonlinear (APN) if all entries in the DDT belong to {0, 2}, which is optimal against the differential attack. The search for APN permutations, as well as their classification, has been an open problem for more than 25 years. All these $n$-variable permutations are known for $n$ ≤ 5, but the question remains unsolved for large values of $n$. It has been conjectured for a long time that, when $n$ is even, APN bijective functions do not exist. However, in 2009, Dillon and his coauthors have found an APN permutation of 6 variables. Our aim on this thesis is to find such functions for larger n. Dillon et al.’s approach was finding an APN permutation from a quadratic APN function which are CCZ-equivalent. Two vectorial Boolean functions are “CCZ-equivalent” if there exists an affine permutation that maps the graph of one function to the other. It preserves the differential properties of a function and thus the APN property. Our approach to find APN permutations will be the same. We propose an idea of representing a quadratic vectorial Boolean function using a cubic structure called quadratic indicator cube (QIC). Also, we describe the criteria related to this cube that is necessary and sufficient for a function to be APN. Then we present some algorithms based on backtracking to change the elements of the cube in such a way that if we start from an APN function it remains APN. We implement our modification algorithm in SageMath and then, in order to get better performances, we also implement it in C++. We also use multithreading in order to get better performances. For $n$ = 6 our algorithm outputs 13 EA-equivalence class of functions, which covers all possible classes for $n$ = 6

On Equivalence of Known Families of APN Functions in Small Dimensions

In this extended abstract, we computationally check and list the CCZ-inequivalent APN functions from infinite families on $\mathbb{F}_2^n$ for n from 6 to 11. These functions are selected with simplest coefficients from CCZ-inequivalent classes. This work can simplify checking CCZ-equivalence between any APN function and infinite APN families.Comment: This paper is already in "PROCEEDING OF THE 20TH CONFERENCE OF FRUCT ASSOCIATION