Unicyclic strong permutations

Abstract

In this paper, we study some properties of a certain kind of permutation σ over \(\mathbb {F}_{2}^{n}\), where n is a positive integer. The desired properties for σ are: (1) the algebraic degree of each component function is n − 1; (2) the permutation is unicyclic; (3) the number of terms of the algebraic normal form of each component is at least 2^n− 1. We call permutations that satisfy these three properties simultaneously unicyclic strong permutations. We prove that our permutations σ always have high algebraic degree and that the average number of terms of each component function tends to 2^n− 1. We also give a condition on the cycle structure of σ. We observe empirically that for n even, our construction does not provide unicylic permutations. For n odd, n ≤ 11, we conduct an exhaustive search of all σ given our construction for specific examples of unicylic strong permutations. We also present some empirical results on the difference tables and linear approximation tables of σ.

Appendices

Appendix A: Empirical evidence for Assumption 1

In Tables 8, 9, 10, and 11, the column entitled i refers to the coefficients of Xⁱ of an irreducible polynomial of degree d. The column entitled “Ratios” gives the ratios of the number of irreducible polynomials of degree d with a Xⁱ term.

Table 8 Average proportions by terms of irreducible polynomials

Table 9 Average proportions by terms of irreducible polynomials (continued)

Table 10 Average proportions by terms of irreducible polynomials (continued)

Table 11 Average proportions by terms of irreducible polynomials (continued)

In order to make this article concise, we jump from degree 13 to 26 up to 29 inclusively.

Appendix B: Differentials and correlations

Example 1 gives two unicyclic permutations that are APN except for a fixed set of 2¹⁵ pairs giving differentials of size 2¹⁵.

Example 1

The following two examples give unicyclic permutations σ that are APN aside from 2¹⁵ (c, d) pairs each giving 2¹⁵ solutions to σ(X ⊕ c) ⊕ σ(X) = d. A summary of both difference tables is given in Table 12. We present these examples for interest and further study, but we make no claims on their suitability for cryptography.

Table 12 Summary of the difference tables of two unicyclic strong permutations from (7) and (8)

$$ \begin{array}{@{}rcl@{}} Q_{1}(X) & =& 1 + X + X^{7} + X^{10} + X^{15} \end{array} $$

(7)

$$ \begin{array}{@{}rcl@{}} P_{1,b}(X) & =& 1 + X^{3} + X^{5} + X^{7} + X^{11} + X^{12} + X^{13} \\ Q_{2}(X) &= &1 + X^{2} + X^{3} + X^{7} + X^{8} + X^{12} + X^{13} + X^{14} + X^{15} \\ P_{2,b}(X) &=& X^{2} + X^{5} + X^{6} + X^{7} + X^{8} + X^{11} + X^{12} + X^{14} \end{array} $$

(8)

Example 2

Let n = 17 and let Q and P_b be as follows,

$$ \begin{array}{@{}rcl@{}} Q(X) &=& 1 + X + X^{4} + X^{8} + X^{11} + X^{12} + X^{13} + X^{14} + X^{15} + X^{16} + X^{17}, \\ P_{b}(X) &=& 1 + X^{16}. \end{array} $$

The difference table for σ defined with Q and P_b is

Table 13

Example 3

Let n = 19 and let Q and P_b be as follows,

$$ \begin{array}{@{}rcl@{}} Q(X) &=& 1 + X^{5} + X^{7} + X^{8} + X^{9} + X^{11} + X^{13} + X^{16} + X^{17} + X^{18} + X^{19},\\ P_{b}(X) &=& 1 + X^{18}. \end{array} $$

The difference table for σ defined with Q and P_b is

Differentials	Counts
0	137444193323
2	137428735987
4	4977558
6	75
524288	1

Example 4 gives a comparison of a particular unicyclic permutation with a uniformly randomly sampled permutation.

Example 4

Let n = 15 and let Q and P_b be as follows,

$$ \begin{array}{@{}rcl@{}} Q(X) &=& 1 + X^{3} + X^{4} + X^{5} + X^{7} + X^{14} + X^{15}, \\ P_{b}(X) &=& 1 + X^{14}. \end{array} $$

The linear approximation table for σ defined with Q and P_b is

Table 15

Comparing with a uniform random permutation, we obtain

Table 16

Appendix C: An example with intermediate round computations

For 1 ≤ i ≤ n, let

$$ \begin{array}{@{}rcl@{}} P_{a^{(i)}}(X)&=&\left( P_{a^{(i-1)}}(X)+P_{b}(X)\right)^{-2^{i-1}}. \end{array} $$

In Table 13, we give the sequence a = a⁽⁰⁾ → a⁽¹⁾ →⋯ → a⁽ⁿ⁾; columns entitled a⁽ⁱ⁾ contain the output of the partial computations a⁽ⁱ⁾ = σ_i− 1σ_i− 2⋯σ₀. In each column, we give an underlined boldfaced entry that signifies a cycle that is not of maximal length up to the given column/round. For instance, after two rounds, we have a fixed point since σ₁σ₀(59) = 59, and after four rounds we have a cycle of length three since σ₃σ₂σ₁σ₀(0) = 23, σ₃σ₂σ₁σ₀(23) = 35, and σ₃σ₂σ₁σ₀(35) = 0.

Table 13 Intermediate round computations for P_b(X) = 1 + X⁵ and Q(X) = 1 + X + X⁴ + X⁵ + X⁶

As expected, since the degree is even (n = 6), the resulting composition is not unicyclic although the initial round corresponding to σ₀ is unicyclic.