Differentially 4-uniform bijections by permuting the inverse function

Abstract

Block ciphers use substitution boxes (S-boxes) whose aim is to create confusion into the cryptosystems. Functions used as S-boxes should have low differential uniformity, high nonlinearity and algebraic degree larger than 3 (preferably strictly larger). They should be fastly computable; from this viewpoint, it is better when they are in even number of variables. In addition, the functions should be bijections in a substitution-permutation network. Almost perfect nonlinear (APN) functions have the lowest differential uniformity 2 and the existence of APN bijections over \(\mathbb {F}_{2^n}\) for even \(n\ge 8\) is a big open problem. In the present paper, we focus on constructing differentially 4-uniform bijections suitable for designing S-boxes for block ciphers. Based on the idea of permuting the inverse function, we design a construction providing a large number of differentially 4-uniform bijections with maximum algebraic degree and high nonlinearity. For every even \(n\ge 12\), we mathematically prove that the functions in a subclass of the constructed class are CCZ-inequivalent to known differentially 4-uniform power functions and to quadratic functions. This is the first mathematical proof that the functions in an infinite class of differentially 4-uniform bijections are CCZ-inequivalent to known differentially 4-uniform power functions and to quadratic functions. We also get a naive lower bound on the nonlinearity of our functions, which can be very high in some cases, and obtain improved lower bounds on the nonlinearity for three special subcases of functions which are extremely large.

Appendix

Proof of Lemma 3

For every \(a\in \mathbb {F}_{2^n}\), if \(x\not =0\) and \(x\not =a\), Eq. 3 is equivalent to the equation:

$$\begin{aligned} bx^2+abx+a=0,&x,x+a\in \mathbb {F}_{2^n}\setminus U, \end{aligned}$$

(15)

if \(x\not =1\) and \(x\not =a+1\), Eq. 4 is equivalent to the equation:

$$\begin{aligned} bx^2+abx+ab+a+b=0,&x,x+a\in U, \end{aligned}$$

(16)

if \(x\not =1\) and \(x\not =a\), Eq. 5 is equivalent to the equation:

$$\begin{aligned} bx^2+b(a+1)x+ab+a+1=0,&x\in U,x+a\in \mathbb {F}_{2^n}\setminus U, \end{aligned}$$

(17)

and if \(x\not =0\) and \(x\not =a+1\), Eq. 6 is equivalent to the equation:

$$\begin{aligned} bx^2+b(a+1)x+a+1=0,&x\in \mathbb {F}_{2^n}\setminus U,x+a\in U. \end{aligned}$$

(18)

Note that the root \(\lambda \) of the equation \(bx^2+abx+a=0\), if exist, is one-to-one corresponding to the root \(\lambda +1\) of the equation \(bx^2+abx+ab+a+b=0\) plus 1. Since \(U\) is stable under the addition by 1, Eqs. 15 and 16 cannot have solutions simultaneously. Therefore, the sum of the numbers of solutions of (15) and (16) is at most 2.

Similarly, the sums of the roots in the equations \(bx^2+b(a+1)x+ab+a+1=0\) and \(bx^2+b(a+1)x+a+1=0\) both equal \(a+1\). If \(\gamma \) is a solution of (17), then \(\gamma +a +1\) is not a solution of (17) because of \(\gamma +a\in \mathbb {F}_{2^n}\setminus U\); and so does for the solution \(\gamma \) of (18). That is, each equation has at most one solution. Then, the sum of the numbers of solutions of (17) and (18) is at most 2.

1. (1)

   Note that \(0,1\not \in U\) since \(tr_1^n(1)=0\). Clearly, \(x=1,a+1\) do not satisfy \(x,x+a\in U\), which indicate that Eq. 4 has the same solutions as Eq. 16. Recall that the sum of the numbers of solutions of (15) and (16) is at most 2. Then, the sum of the numbers of solutions of (3) and (4) is at most 4 since in contrast to Eqs. 15, 3 may have two more solutions \(x=0,a\).

   1. (1.1)

      If \(ab\not =1\), obviously \(0,a\) are not solutions of (3). Thus, the sum of the numbers of solutions of (3) and (4) is at most 2.

   2. (1.1)

      If \(a\in U\) and \(b(a+1)=1\), we have again \(ab\not =1\) since \(b\not =0\). Thus, Eqs. 3 and 4 are equivalent to (15) and (16), respectively. By dividing \(ab\) in \(b(a+1)=1\), we have \(1+a^{-1}=(ab)^{-1}\) and hence \(tr_1^n((ab)^{-1})=tr_1^n(1+a^{-1})=tr_1^n(a^{-1})=1\), which implies that (15) has no solution by Lemma 1. Moreover, by \(b(a+1)=1\), the equality (16) becomes \(bx^2+abx+a+1=0\), which has no solution by Lemma 1 due to \(tr_1^n(b(a+1)(ab)^{-2})=tr_1^n((ab)^{-2})=1\). Therefore, (3) and (4) have no solution.

2. (2)

   Since \(1\not \in U\), we have that \(1\) and \(a+1\) are not solutions of (5) and (6) respectively. Hence, the sum of the numbers of solutions of (5) and (6) is at most 4, which is at most 2 more than that of (17) and (18).

   1. (2.1)

      If \(b(a+1)\not =1\) or \(a\not \in U\), clearly \(1,a\) are not solutions of (5) and \(0,a+1\) are not solutions of (6). Then Eqs. 5 and 6 have the same solutions as Eqs. 17 and 18. Hence, the sum of the numbers of solutions of (5) and (6) is at most 2, according to the observation above.

   2. (2.2)

      If \(ab=1\), then we have \(b(a+1)\not =1\) since \(b\not =0\). It follows from above that Eqs. 5 and 6 have the same solutions as Eqs. 17 and 18. Assume that \(\lambda \) is a solution of (17), then \(\lambda \in U\) and hence \(tr_1^n(\lambda ^{-1})=1\). Therefore, (17) has no solution, according to Lemma 2. Assume that \(\gamma \) is a solution of (18), then we have that \(\gamma \not \in U\) and \(\gamma +a\in U\). It is easy to verify that \(\gamma +a\) is a solution of (17), a contradiction. That is, (18) has no solution. Therefore, we deduce that both (17) and (18) have no solution.

Proof of Lemma 12

Define \(A_0=\{x\in \mathbb {F}_{2^n}\,|\, (tr_1^n(x), tr_1^n(x^{-1}),tr_1^n((1+x)^{-1}))=(1,0,0)\}\), \(A_1=\{x\in \mathbb {F}_{2^n}\,|\, (tr_1^n(x), tr_1^n(x^{-1}),tr_1^n((1+x)^{-1}))=(1,0,1)\}\), \(A_2=\{x\in \mathbb {F}_{2^n}\,|\, (tr_1^n(x), tr_1^n(x^{-1}),tr_1^n((1+x)^{-1}))=(1,1,0)\}\) and \(A_3=\{x\in \mathbb {F}_{2^n}\,|\, (tr_1^n(x), tr_1^n(x^{-1}), tr_1^n((1+x)^{-1}))=(1,1,1)\}\). Obviously, \(|U_{m_1}|=|A_3|\) according to (10), and \(\sum _{i=0}^4|A_i|=2^{n-1}\) due to \(\mathrm {wt}(tr_1^n(x))=2^{n-1}\).

Note that \(\sum _{x\in \mathbb {F}_{2^n}}(-1)^{tr_1^n(x+x^{-1}+(x+1)^{-1})}=2^n-2\mathrm {wt}(tr_1^n(x+x^{-1}+(x+1)^{-1})) =2^n-2\big (\mathrm {wt}(tr_1^n(x))+\mathrm {wt}(tr_1^n(x^{-1}+(x+1)^{-1}))-2|\{x\in \mathbb {F}_{2^n}\,|\,tr_1^n(x)=tr_1^n(x^{-1}+(x+1)^{-1}) =1\}|\big ) =-2\mathrm {wt}(tr_1^n(x^{-1}+(x+1)^{-1}))+4(|A_1|+|A_2|)\). Then, \(4(|A_1|+|A_2|)=\sum _{x\in \mathbb {F}_{2^n}}(-1)^{tr_1^n(x+x^{-1}+(x+1)^{-1})}+2\mathrm {wt}(tr_1^n(x^{-1}+(x+1)^{-1}))\). Recall that in the proof of Corollary 2, we have already proven \(|\sum _{x\in \mathbb {F}_{2^n}}(-1)^{tr_1^n(x^{-1}+(1+x)^{-1})}|\le 2^{n/2+1}\). Hence, we have then \(2^n-2^{n/2+1}\le 2\mathrm {wt}(tr_1^n(x^{-1}+(x+1)^{-1}))\le 2^n+2^{n/2+1}\). Besides, by Corollary 1, \(-2^{n/2+2}-4\le \sum _{x\in \mathbb {F}_{2^n}}(-1)^{tr_1^n(x+x^{-1}+(x+1)^{-1})}\le 2^{n/2+2}+4\). Therefore,

$$\begin{aligned} 2^{n-2}-3\cdot 2^{n/2-1}-1\le |A_1|+|A_2|\le 2^{n-2}+3\cdot 2^{n/2-1}+1 \end{aligned}$$

by \(\sum _{i=0}^4|A_i|=2^{n-1}\) which gives

$$\begin{aligned} 2^{n-2}-3\cdot 2^{n/2-1}-1\le |A_0|+|A_3|\le 2^{n-2}+3\cdot 2^{n/2-1}+1 \end{aligned}$$

(19)

Note that

$$\begin{aligned} \sum _{x\in \mathbb {F}_{2^n}, tr_1^n(x)=1}(-1)^{tr_1^n(x^{-1})}&= \frac{1}{2}\left( \sum _{x\in \mathbb {F}_{2^n}}(-1)^{tr_1^n(x^{-1})}-\sum _{x\in \mathbb {F}_{2^n}}(-1)^{tr_1^n(x^{-1}+x)}\right) \\&= -\frac{1}{2}\sum _{x\in \mathbb {F}_{2^n}}(-1)^{tr_1^n(x^{-1}+x)} \end{aligned}$$

and

$$\begin{aligned} \sum _{x\in \mathbb {F}_{2^n}, tr_1^n(x)=1}(-1)^{tr_1^n(x^{-1})}=|A_0|+|A_1|-|A_2|-|A_3|. \end{aligned}$$

Then, by Lemma 4, we have

$$\begin{aligned} -2^{n/2}\le |A_0|+|A_1|-|A_2|-|A_3|\le 2^{n/2} \end{aligned}$$

(20)

Similarly, we have \(\sum _{x\in \mathbb {F}_{2^n}, tr_1^n(x)=1}(-1)^{tr_1^n((x+1)^{-1})}=-\frac{1}{2}\sum _{x\in \mathbb {F}_{2^n}}(-1)^{tr_1^n((x+1)^{-1}+x)}\) and then

$$\begin{aligned} -2^{n/2}\le |A_0|+|A_2|-|A_1|-|A_3|\le 2^{n/2}. \end{aligned}$$

(21)

Combining (19)–(21), we get \(2^{n-3}-5\cdot 2^{n/2-2}\le |A_3|\le 2^{n-3}+5\cdot 2^{n/2-2}\), which implies \(2^{n-3}-5\cdot 2^{n/2-2}\le |U_{m_1}|\le 2^{n-3}+5\cdot 2^{n/2-2}\). By \(U_{\max }=U_{m_0}\cup U_{m_1}\) and \(2^{n-2}-2^{n/2-1}\le |U_{\max }|\le 2^{n-2}+2^{n/2-1}\), we have \(2^{n-3}-7\cdot 2^{n/2-2}\le |U_{m_0}|\le 2^{n-3}+7\cdot 2^{n/2-2}\), which completes the proof.