1 Introduction

A vectorial Boolean function, or (n,m)-function, is a function F from the vector space \({\mathbb {F}}_{2}^{n}\) to \({\mathbb {F}}_{2}^{m}\). When m = 1, F is simply called a Boolean function. Vectorial Boolean functions and Boolean functions have a crucial role in the design of secure cryptographic primitives, such as block ciphers. In this context, a vectorial Boolean function is also called an S-box. Most modern block ciphers, such as the AES, implement S-boxes which are (n,n)-functions permuting the space \({\mathbb {F}}_{2}^{n}\). We refer the reader to [10] for an overview on vectorial Boolean functions.

In the following, we shall identify the vector space \({\mathbb {F}}_{2}^{n}\) to the finite field \({\mathbb {F}}_{2^{n}}\) with 2n elements. Moreover, \({\mathbb {F}}_{2^{n}}^{\star }\) will denote the multiplicative group of \({\mathbb {F}}_{2^{n}}\).

Among the most efficient attacks on block ciphers there is the differential attack, introduced by Biham and Shamir [2]. In [19], Nyberg introduced the notion of differential uniformity which measures the resistance of an S-box to this attack. In particular, a vectorial Boolean function F is called differentially δ-uniform if the equation F(x) + F(x + a) = b has at most δ solutions for any non-zero a and for all b. Since if x is a solution, then also x + a is a solution of the equation, the smallest possible value for δ is 2. Functions achieving such differential uniformity are called almost perfect nonlinear (APN). APN functions have optimal resistance to differential attacks.

In 1999, Wagner [22] introduced the boomerang attack, which is an important cryptanalysis technique against block ciphers. This attack can be seen as an extension of classical differential attacks. In fact, it combines two differentials for the upper part and the lower part of the cipher. Since Wagner’s seminal paper, many improvements and variants of boomerang attacks have been proposed (see for instance [1, 3, 14]).

In order to evaluate the feasibility of boomerang-style attacks, in EUROCRYPT 2018, Cid et al. [11] introduced a new cryptanalysis tool: the Boomerang Connectivity Table (BCT).

In 2018, Boura and Canteaut [4] introduced a parameter for cryptographic S-boxes called boomerang uniformity which is defined as the maximum value in the BCT.

Boura and Canteaut showed that the boomerang uniformity is invariant only with respect to affine equivalence and inverse transformation. They also gave the classification of all differentially 4-uniform permutations of 4 bits. Moreover, they obtained the boomerang uniformities for two classes of differentially 4-uniform functions, the inverse function and the the Gold functions over \({\mathbb {F}}_{2^{n}}\) for n even.

Recently, Li et al. [16] gave an equivalent definition to compute the BCT (and the boomerang uniformity) and provided a characterization by means of the Walsh transform of functions with a fixed boomerang uniformity. Moreover, they gave an upper bound for the boomerang uniformity of quadratic permutations, and provided also a class of quadratic permutations (related to the Gold functions), defined for n even, with differential 4-uniformity and boomerang 4-uniformity. Still in [16], the boomerang uniformity of a 4-uniform permutation obtained from the inverse function swapping the image of 0 and 1 (introduced in [23]) is also obtained.

Another recent paper of Mesnager et al. [18] studies the boomerang uniformity of quadratic permutations. In particular, from their results it is possible to obtain the boomerang uniformity of the Gold functions and the class studied in [16], and also the boomerang uniformity of the binomials studied in [6].

In this paper we further study the boomerang uniformity of certain classes of 4-uniform functions. In particular, we consider the Bracken-Leander cubic function \(x^{2^{2k}+2^{k}+1}\) defined over \({\mathbb {F}}_{2^{4k}}\) ([5]) and we show that the boomerang uniformity is upper bounded by 24. Using the software MAGMA it is possible to verify that in small dimension this upper bound can be attained. We also compute the boomerang uniformities for three classes of differentially 4-uniform permutations of maximal algebraic degree n − 1, obtained in [17, 23] from modifying the inverse function.

2 Preliminaries

Any function F from \({\mathbb {F}}_{2^{n}}\) to itself can be represented as a univariate polynomial of degree at most 2n − 1, that is

$$F(x)=\sum\limits_{i=0}^{2^{n}-1}a_{i}x^{i}.$$

The 2-weight of an integer 0 ≤ i ≤ 2n − 1, denoted by w2(i), is the (Hamming) weight of its binary representation. It is well known that the algebraic degree of a function F is given by

$$\deg(F)=\max\{w_{2}(i) \mid a_{i}\ne 0\}.$$

The function F is:

  • linear if \(F(x)={\sum }_{i=0}^{n-1}c_{i}x^{2^{i}}\);

  • affine if it is the sum of a linear function and a constant;

  • DO (Dembowski-Ostrom) polynomial if \(F(x)={\sum }_{0\leq i< j<n}a_{ij}x^{2^{i}+2^{j}}\), with \(a_{ij}\in {\mathbb {F}}_{2^{n}}\);

  • quadratic if it is the sum of a DO polynomial and an affine function.

For any m ≥ 1 such that m|n we can define the (linear) trace function from \({\mathbb {F}}_{2^{n}}\) to \({\mathbb {F}}_{2^{m}}\) by

$$ {\text{Tr}_{m}^{n}}(x)=\sum\limits_{i=0}^{n/m-1}x^{2^{im}}. $$

When m = 1 we will denote \({\text {Tr}_{1}^{n}}(x)\) by Tr(x).

For any function \(F:{\mathbb {F}}_{2^{n}}\to {\mathbb {F}}_{2^{n}}\) we denote the Walsh transform in \(a,b\in {\mathbb {F}}_{2^{n}}\) by

$$ \mathscr{W}_{F}(a,b)=\sum\limits_{x\in {\mathbb{F}}_{2^{n}}}(-1)^{\text{Tr}(ax+bF(x))}. $$

With Walsh spectrum we refer to the set of all possible values of the Walsh transform. The Walsh spectrum of a vectorial Boolean function F is strictly related to the notion of nonlinearity of F, denoted by \(\mathscr {NL}(F)\), indeed we have

$$ \mathscr{N}\mathscr L(F)=2^{n-1}-\frac{ 1}{2} \max_{a\in{\mathbb{F}}_{2^{n}},b\in{\mathbb{F}}_{2^{n}}^{\star}}|\mathscr{W}_{F}(a,b)|. $$

The derivative of F in the direction of \(a\in {\mathbb {F}}_{2^{n}}\) is defined as DaF(x) = F(x + a) + F(x). Let

$$\delta_{F}=\max_{a\in{\mathbb{F}}_{2^{n}}^{\star},b\in {\mathbb{F}}_{2^{n}}}|\{x : D_{a}F(x)=b\}|,$$

the map F is called differentially δF-uniform.

When F is used as an S-box inside a block cipher, the differential uniformity measures its contribution to the resistance to the differential attack [2]. The smaller δF is the better is the resistance of F to this attack. In even characteristic, the best resistance belongs to functions that are differentially 2-uniform, these functions are called almost perfect nonlinear or APN.

In [11], Cid et al. introduced the concept of Boomerang Connectivity Table for a permutation F over \({\mathbb {F}}_{2^{n}}\). Next, in [4] the authors introduced the notion of boomerang uniformity.

Definition 1

Let F be a permutation over \({\mathbb {F}}_{2^{n}}\), and a,b in \({\mathbb {F}}_{2^{n}}\).

The Boomerang Connectivity Table (BCT) of F is given by a 2n × 2n table T, in which the entry for the position (a,b) is given by

$$T (a, b) = |\{x\in{\mathbb{F}}_{2^{n}} : F^{-1}(F (x) + a) + F^{-1}(F (x + b) + a) = b\}|.$$

Moreover, for any \(a, b \in {\mathbb {F}}_{2^{n}}^{\star }\), the value

$$\beta_{F} = \max_{a,b\in{\mathbb{F}}_{2^{n}}^{\star}}|\{x\in{\mathbb{F}}_{2^{n}} : F^{-1}(F (x) + a) + F^{-1}(F (x + b) + a) = b\}|$$

is called the boomerang uniformity of F, or we call F a boomerangβF-uniform function.

We recall that two functions F and \(F^{\prime }\) from \({\mathbb {F}}_{2^{n}}\) to itself are called:

  • affine equivalent if \(F^{\prime } = A_{1} \circ F \circ A_{2}\) where the mappings \(A_{1},A_{2}:{\mathbb {F}}_{2^{n}}\to {\mathbb {F}}_{2^{n}}\) are affine permutations;

  • extended affine equivalent (EA-equivalent) if \(F^{\prime } =F^{\prime \prime } + A\), where the mappings \(A:{\mathbb {F}}_{2^{n}}\to {\mathbb {F}}_{2^{n}}\) is affine and \(F^{\prime \prime }\) is affine equivalent to F;

  • Carlet-Charpin-Zinoviev equivalent (CCZ-equivalent) if for some affine permutation \({\mathscr{L}}\) of \({\mathbb {F}}_{2^{n}}\times {\mathbb {F}}_{2^{n}}\) the image of the graph of F is the graph of \(F^{\prime }\), that is, \({\mathscr{L}}(G_{F}) = G_{F^{\prime }}\), where \(G_{F} = \{(x,F(x)) : x \in {\mathbb {F}}_{2^{n}}\}\) and \(G_{F^{\prime }} = \{(x,F^{\prime }(x)) : x \in {\mathbb {F}}_{2^{n}}\}\).

The nonlinearity and the differential uniformity are invariant for all these equivalence relations, while the boomerang uniformity is invariant for affine equivalence but not for EA- and CCZ-equivalence (see [4]).

It has been proved in [11] that δFβF for any function F. Moreover, δF = 2 if and only if βF = 2. So, APN permutations offer an optimal resistance to both differential and boomerang attacks.

For odd values of n there are known families of APN permutations. While, for n even, no APN permutation exists for n = 4 and, up to CCZ-equivalence, there exists only one example of APN permutation over \({\mathbb {F}}_{2^{6}}\) ([7]), and with respect to the affine equivalence (for which the boomerang uniformity is invariant) these known APN permutations can be divided in 4 affine equivalence classes [8]. The existence of more APN permutations on an even number of bits remains an open problem.

So, it is interesting to study the boomerang uniformity of non-APN permutations, and in particular of the differentially 4-uniform functions. As is well-known, for an even integer n there are five classes of primarily constructed differentially 4-uniform permutations over \({\mathbb {F}}_{2^{n}}\), which are listed in Table 1.

Table 1 Primarily-constructed differentially 4-uniform permutations over \({\mathbb {F}}_{2^{n}}\) (n even)
Full size table

The boomerang uniformity of Gold and Inverse functions have been determined in [4]. For the Bracken-Tan-Tan the boomerang uniformity was obtained from the results in [18].

As it was noted in [16], the entry T(a,b) of the BCT can be given by the number of solutions of the system

$$ \left\{\begin{array}{lll} F^{-1}(x+a)+F^{-1}(y+a)=b\\ F^{-1}(x)+F^{-1}(y)=b. \end{array}\right. $$

Since the BCT of F, T, and the BCT of F− 1, \(T^{\prime }\), are such that \(T(a,b)=T^{\prime }(b,a)\), the boomerang uniformity of F is given by the maximum number of solutions of the system

$$ \left\{\begin{array}{lll} F(x+a)+F(y+a)=b\\ F(x)+F(y)=b, \end{array}\right. \text{ or equivalently } \left\{\begin{array}{lll} F(x+a)+F(y+a)=F(x)+F(y)\\ F(x)+F(y)=b. \end{array}\right. $$

Letting y = x + α, it is equivalent to

$$ \left\{\begin{array}{lll} D_{a} D_{\alpha} F(x)=0\\ D_{\alpha} F(x)=b. \end{array}\right. $$
(1)

Thus, the boomerang uniformity of F is given by

$$ \beta_{F} = \max_{a,b\in{\mathbb{F}}_{2^{n}}^{\star}}|\{(x,\alpha)\in{\mathbb{F}}_{2^{n}}^{2} : (x,\alpha) \text{ is a solution of (1)}\}|. $$

Note that, using this equivalent definition for the boomerang uniformity, it is possible to consider also maps which are not permutations. We will denote by Sa,b the number of solutions of System (1) for any \(a,b\in {\mathbb {F}}_{2^{n}}\).

For power functions we have the following.

Proposition 1 (16)

Let F(x) = xd be defined over \({\mathbb {F}}_{2^{n}}\). Then the boomerang uniformity of F is given by \(\max \limits _{b\in {\mathbb {F}}_{2^{n}}^{\star }}S_{1,b}\).

Thus, the boomerang uniformity for a power function can be checked fixing a = 1.

3 On the Bracken-Leander map

In this section, we will give an upper bound on the boomerang uniformity of the Bracken-Leander permutation. Using the software MAGMA we are able also to show that this upper bound can be attained.

For an odd integer k, let q = 2k and consider the finite field with 24k elements \({\mathbb {F}}_{2^{4k}}={\mathbb {F}}_{q^{4}}\). Over this field consider the differentially 4-uniform permutation

$$F(x)=x^{2^{2k}+2^{k}+1}=x^{q^{2}+q+1}.$$

In the following we will show that

Theorem 1

Let k > 1 odd. The Bracken-Leander permutation \(F(x)=x^{2^{2k}+2^{k}+1}\) defined over \({\mathbb {F}}_{2^{4k}}\) is such that βF ≤ 24.

Before proving Theorem 1 we will prove two lemmata.

Lemma 1

Let k > 1 be odd and q = 2k. The Bracken-Leander permutation \(F(x)=x^{2^{2k}+2^{k}+1}\) defined over \({\mathbb {F}}_{q^{4}}\) is such that

$$ S_{1,b}\le \left\{\begin{array}{lll} 4 & \text{ if } b\in{\mathbb{F}}_{q^{2}}^{\star}\text{ and }\text{Tr}^{2k}_{1}(b)=0\\ 6 & \text{ if } b\in{\mathbb{F}}_{q^{2}}^{\star}\text{ and }\text{Tr}^{2k}_{1}(b)=1\\ 4m+4& \text{ if } b\notin{\mathbb{F}}_{q^{2}}, \end{array}\right. $$

where m is the number of the solutions \(\alpha \in {\mathbb {F}}_{q^{2}}\setminus {\mathbb {F}}_{q}\) of

$$ b^{q^{2}}+b=\alpha^{q+1}\frac{(\alpha^{2q}+\alpha)(\alpha+1)}{(\alpha^{q}+\alpha)^{2}}. $$

Proof

We want to study the number of solutions, for \(b\in {\mathbb {F}}_{q^{4}}^{\star }\), of

$$\left\{\begin{array}{lll} D_{1} D_{\alpha} F(x)=0\\ D_{\alpha} F(x)=b. \end{array}\right.$$

In particular, we have the following

$$ \begin{array}{@{}rcl@{}} D_{\alpha} F(x)&=& (x+\alpha)^{q^{2}+q+1}+x^{q^{2}+q+1}\\ &=& x^{q^{2}+q}\alpha+x^{q^{2}+1}\alpha^{q}+x^{q+1}\alpha^{q^{2}}+x^{q^{2}}\alpha^{q+1}+x^{q}\alpha^{q^{2}+1}+x\alpha^{q^{2}+q}+\alpha^{q^{2}+q+1}. \end{array} $$

And therefore

$$ \begin{array}{@{}rcl@{}} D_{1}D_{\alpha} F(x)& = &(x^{q^{2}}+x^{q}+1)\alpha+(x^{q^{2}}+x+1)\alpha^{q}+(x^{q}+x+1)\alpha^{q^{2}}+\alpha^{q+1}\\ &&+\alpha^{q^{2}+1}+\alpha^{q^{2}+q}\\ &= & y^{q}(\alpha+\alpha^{q})+y(\alpha^{q}+\alpha^{q^{2}})+\alpha+\alpha^{q}+\alpha^{q^{2}}+\alpha^{q+1}+\alpha^{q^{2}+1}+\alpha^{q^{2}+q}, \end{array} $$

where y = xq + x. Hence, we have that \(y^{q}+y=x^{q^{2}}+x\) is an element of \({\mathbb {F}}_{q^{2}}\), so \(y^{q^{3}}=y^{q^{2}}+y^{q}+y\). For simplicity, let us denote R = D1DαF(x) = 0. Thus

$$ \begin{array}{@{}rcl@{}} R^{q} = & y^{q^{2}}(\alpha^{q}+\alpha^{q^{2}})+y^{q}(\alpha^{q^{2}}+\alpha^{q^{3}})+\alpha^{q}+\alpha^{q^{2}}+\alpha^{q^{3}}+\alpha^{q^{2}+q}+\alpha^{q^{3}+q}+\alpha^{q^{3}+q^{2}}, \end{array} $$

and using the fact that \(y^{q^{3}}=y^{q^{2}}+y^{q}+y\)

$$ R^{q^{2}} = y^{q^{2}}(\alpha^{q^{2}}+\alpha)+y^{q}(\alpha^{q^{2}}+\alpha^{q^{3}})+y(\alpha^{q^{2}}+\alpha^{q^{3}})+\alpha^{q^{2}}+\alpha^{q^{3}}+\alpha+\alpha^{q^{3}+q^{2}}+\alpha^{q^{2}+1}+\alpha^{q^{3}+1}. $$

Then

$$ \begin{array}{@{}rcl@{}} 0 &=& R^{q}+R^{q^{2}}\\ &= & y^{q^{2}}(\alpha^{q}+\alpha)+y(\alpha^{q}+\alpha)^{q^{2}}+\alpha^{q}+\alpha+\alpha^{q^{2}+q}+\alpha^{q^{3}+q}+\alpha^{q^{2}+1}+\alpha^{q^{3}+1}\\ & = & y^{q^{2}}(\alpha^{q}+\alpha)+y(\alpha^{q}+\alpha)^{q^{2}}+\alpha^{q}+\alpha+(\alpha^{q}+\alpha)^{q^{2}+1}. \end{array} $$

Since \(y^{q^{2}}(\alpha ^{q}+\alpha )+y(\alpha ^{q}+\alpha )^{q^{2}}\in {\mathbb {F}}_{q^{2}}\) and \((\alpha ^{q}+\alpha )^{q^{2}+1}\in {\mathbb {F}}_{q^{2}}\) then also \((\alpha ^{q}+\alpha )\in {\mathbb {F}}_{q^{2}}\). Then, we can rewrite the equation as

$$ \begin{array}{@{}rcl@{}} 0\!& = &\! y^{q^{2}}(\alpha^{q}+\alpha)+y(\alpha^{q}+\alpha)+\alpha^{q}+\alpha+(\alpha^{q}+\alpha)^{2} = (\alpha^{q}+\alpha)(y^{q^{2}}+y+\alpha^{q}+\alpha+1)\\ \!&= &\! (\alpha^{q}+\alpha)(x^{q^{3}}+x^{q^{2}}+x^{q}+x+\alpha^{q}+\alpha+1). \end{array} $$

Therefore one of the following conditions is satisfied:

  1. 1.

    αq + α = 0, that is, \(\alpha \in \mathbb {F}_{q}\);

  2. 2.

    \(\text {Tr}_{k}^{4k}(x)=x^{q^{3}}+x^{q^{2}}+x^{q}+x=\alpha ^{q}+\alpha +1\).

Case 1: :

\(\alpha \in \mathbb {F}_{q}\).

We have R = α + α2 = 0, hence \(\alpha \in {\mathbb {F}}_{2}\). We do not consider the case α = 0, therefore for α = 1 we know that the equation DαF(x) = b admits at most 4 solutions. So, for any b the number of solutions of type (x,α) with \(\alpha \in {\mathbb {F}}_{q}\) is at most 4.

Case 2: :

\(\text {Tr}_{k}^{4k}(x)=x^{q^{3}}+x^{q^{2}}+x^{q}+x=\alpha ^{q}+\alpha +1\).

In this case, we need to compute the number of solutions (x,α) with \(\alpha \notin {\mathbb {F}}_{q}\). Since \(\text {Tr}_{k}^{4k}(x)\in {\mathbb {F}}_q\), we have that \(\alpha ^{q}+\alpha \in {\mathbb {F}}_q^{\star }\). Therefore, \(\alpha ^{q^{2}}+\alpha =0\), so we have \(\alpha \in {\mathbb {F}}_{q^{2}}{\tiny \setminus }{\mathbb {F}}_q\).

Then, we have \(R=(\alpha ^{q}+\alpha )(y^{q}+y)+\alpha ^{q}+\alpha ^{2} = (\alpha ^{q}+\alpha )(x^{q^{2}}+x)+\alpha ^{q}+\alpha ^{2} \), and the system that we have to analyse is the following

$$ \left\{\begin{array}{lll} \alpha\in{\mathbb{F}}_{q^{2}} \setminus\mathbb{F}_{q}\\ \text{Tr}_{k}^{4k}(x)=\alpha^{q}+\alpha+1\\ (\alpha^{q}+\alpha)(x^{q^{2}}+x)=\alpha^{q}+\alpha^{2}\\ D_{\alpha} F(x) =b. \end{array}\right. $$
(2)

It is clear that, for a fixed α, if \(\bar {x}\) is a solution of the first three equations in (2), then all the other solutions (for these equations) are \(\bar {x}+w\) for any \(w\in {\mathbb {F}}_{q^{2}}\). Moreover, since αq + α≠ 0, denoting by \(\gamma =\frac {\alpha ^{q}+\alpha ^{2}}{\alpha ^{q}+\alpha }\), we have \(x^{q^{2}}=x+\gamma \). The last equation is

$$ \begin{array}{@{}rcl@{}} b = D_{\alpha} F(x) &= & x^{q^{2}+q}\alpha+x^{q^{2}+1}\alpha^{q}+x^{q+1}\alpha+x^{q^{2}}\alpha^{q+1}+x^{q}\alpha^{2}+x\alpha^{q+1}+\alpha^{q+2}\\ &= & (x+\gamma)x^{q}\alpha+(x+\gamma)x\alpha^{q}+x^{q+1}\alpha+(x+\gamma)\alpha^{q+1}+x^{q}\alpha^{2}\\ &&+x\alpha^{q+1}+\alpha^{q+2}\\ &= & x^{q}\alpha(\gamma+\alpha)+x^{2}\alpha^{q}+x\alpha^{q}\gamma+\alpha^{q+1}(\gamma+\alpha). \end{array} $$

For \(w\in {\mathbb {F}}_{q^{2}}\), there exist unique \(r,s\in \mathbb {F}_{q}\) such that w = rα + s. Hence, we have

$$ \begin{array}{@{}rcl@{}} D_{\alpha} F(x+w) &=& (x^{q}+r\alpha^{q}+s)\alpha(\gamma+\alpha)+(x^{2}+r^{2}\alpha^{2}+s^{2})\alpha^{q}+(x+r\alpha+s)\alpha^{q}\gamma\\ &&+\alpha^{q+1}(\gamma+\alpha)\\ &= & D_{\alpha} F(x) + \gamma(r\alpha^{q+1}+s\alpha+r\alpha^{q+1}+s\alpha^{q}) +r\alpha^{q+2}+s\alpha^{2}\\ &&+r^{2}\alpha^{q+2}+s^{2}\alpha^{q}\\ &= & D_{\alpha} F(x) + \gamma s(\alpha+\alpha^{q}) +\alpha^{q+2}(r+r^{2})+s(\alpha^{2}+s\alpha^{q})\\ &= & D_{\alpha} F(x) + (\alpha^{q}+\alpha^{2}) s +\alpha^{q+2}(r+r^{2})+s(\alpha^{2}+s\alpha^{q})\\ &= & D_{\alpha} F(x) + \alpha^{q}(s+s^{2}) +\alpha^{q+2}(r+r^{2}). \end{array} $$

Then, DαF(x + w) = DαF(x) = b if and only if αq(s + s2) + αq+ 2(r + r2) = 0. Since α≠ 0, we have that (s + s2) + α2(r + r2) = 0 if and only if both s + s2 and r + r2 are zero (\(r,s\in \mathbb {F}_{q}\) and \(\alpha \not \in \mathbb {F}_{q}\)). Hence, fixed \(\alpha \in \mathbb {F}_{q^{2}}\setminus \mathbb {F}_{q}\), if \(\bar {x}\) is a solution of DαF(x) = b, then we can have only three more solutions, which are \(\bar {x}+\alpha ,\bar {x}+1,\bar {x}+\alpha +1\).

Consider now the following

$$ \begin{array}{@{}rcl@{}} b^{q^{2}}+b &=& x^{q^{3}}\alpha(\gamma+\alpha)+x^{2q^{2}}\alpha^{q}+x^{q^{2}}\alpha^{q}\gamma+\alpha^{q+1}(\gamma+\alpha) +x^{q}\alpha(\gamma+\alpha)\\&&+x^{2}\alpha^{q}+x\alpha^{q}\gamma+\alpha^{q+1}(\gamma+\alpha)\\ &=& (x+\gamma)^{q} \alpha(\gamma+\alpha)+(x+\gamma)^{2}\alpha^{q}+(x+\gamma)\alpha^{q}\gamma+\alpha^{q+1}(\gamma+\alpha) \\&&+x^{q}\alpha(\gamma+\alpha)+x^{2}\alpha^{q}+x\alpha^{q}\gamma+\alpha^{q+1}(\gamma+\alpha)\\ &= & \gamma^{q}\alpha(\gamma+\alpha)= \frac{\alpha+\alpha^{2q}}{\alpha^{q}+\alpha}\alpha\frac{\alpha^{q}(\alpha+1)}{\alpha^{q}+\alpha}= \alpha^{q+1}\frac{(\alpha^{2q}+\alpha)(\alpha+1)}{(\alpha^{q}+\alpha)^{2}}. \end{array} $$

Now, if \(b\in {\mathbb {F}}_{q^{2}}\) we have either γ = 0 or γ = α.

  • If γ = 0, then from (2) we obtain αq = α2, \(x\in {\mathbb {F}}_{q^{2}}\) and αq + α + 1 = 0, implying that \(\alpha \in \mathbb {F}_{4}\setminus \mathbb {F}_{2}\).

  • If γ = α then \(\frac {\alpha ^{q}+\alpha ^{2}}{\alpha ^{q}+\alpha }+\alpha =\frac {\alpha ^{q}(\alpha +1)}{\alpha ^{q}+\alpha }=0\). This leads to α = 1 (already studied).

Thus, for the case \(b\in {\mathbb {F}}_{q^{2}}\), we need to count the number of solutions x of the following systems:

$$(I)\left\{\begin{array}{lll} D_{1} D_{1} F(x)=0\\ D_{1} F(x)=b, \end{array}\right.\quad(II)\left\{\begin{array}{lll} x^{q^{2}}+x=0\\ D_{1} D_{\omega} F(x)=0\\ D_{\omega} F(x)=b, \end{array}\right.\quad(III)\left\{\begin{array}{lll} x^{q^{2}}+x=0\\ D_{1} D_{\omega^{2}} F(x)=0\\ D_{\omega^{2}} F(x)=b, \end{array}\right.$$

where ω is a primitive element of \({\mathbb {F}}_{4}\).

Since we have the restriction \(x^{q^{2}}+x=0\), solving System (II) and (III) is equivalent to solve the systems

$$(II^{\prime}) \left\{\begin{array}{lll} D_{1} D_{\omega} G(x)=0\\ D_{\omega} G(x)=b, \end{array}\right.\quad(III^{\prime}) \left\{\begin{array}{lll} D_{1} D_{\omega^{2}} G(x)=0\\ D_{\omega^{2}} G(x)=b, \end{array}\right.$$

defined over \({\mathbb {F}}_{q^{2}}\), where \(G(x)=F_{|_{{\mathbb {F}}_{q^{2}}}}(x)=x^{q+2}\).

Note that, for all these systems the equations involving the second derivative are satisfied for any \(x\in {\mathbb {F}}_{q^{2}}\). Moreover, the function \(G:{\mathbb {F}}_{q^{2}}\to {\mathbb {F}}_{q^{2}}\) is a Gold function with boomerang uniformity 4 (see [4]) and we can have that at most one system between \((II^{\prime })\) and \((III^{\prime })\) admits 4 solutions.

Suppose now that \(b\in {\mathbb {F}}_{q^{2}}\) and one between System (II) or (III) admits 4 solutions. We need to determine the number of solutions of System (I), that is, we need to study the number of solutions of D1F(x) = b. Let us consider, therefore, the proof of Theorem 1 in [5], in which the authors study the differential uniformity of F. According to their notation, we have \(c=b+1\in {\mathbb {F}}_{q^{2}}\) and t = Tr(x) = Tr(c) = 0. If we consider now Equation (5) in [5] we have the following condition:

$$ \begin{array}{@{}rcl@{}} 0=&(x+x^{q^{2}})^{2}+(t+1)(x+x^{q^{2}})+c^{q}+c^{q^{3}}=(x+x^{q^{2}})^{2}+(x+x^{q^{2}}). \end{array} $$

Hence \(x+x^{q^{2}}=0,1\). The only possibility is \(x^{q^{2}}=x+1\), otherwise we would obtain a solution \(x\in {\mathbb {F}}_{q^{2}}\) of D1G(x) = b in contradiction with the boomerang uniformity of G. This restriction leads us to

$$ \begin{array}{@{}rcl@{}} D_{1}F(x)&=& x^{q^{2}+q}+x^{q^{2}+1}+x^{q+1}+x^{q^{2}}+x^{q}+x+1\\ &=&(x+1)x^{q}+(x+1)x+x^{q+1}+x+1+x^{q}+x+1=x^{2}+x\\ 0&=&x^{2}+x+b. \end{array} $$

This last equation implies that we have, for α = 1, at most 2 solutions. Moreover, since from x2 = x + b we obtain that \(x^{q^{2}}=x+\text {Tr}^{2k}_{1}(b)\), we can have these two more solutions if and only if \(\text {Tr}^{2k}_{1}(b)=1\). Hence, in total we can have at most 6 solutions when \(\text {Tr}^{2k}_{1}(b)=1\).

On the other hand, if \(b\in {\mathbb {F}}_{q^{2}}\) and \(\text {Tr}^{2k}_{1}(b)=0\) we can have only solutions \(x\in {\mathbb {F}}_{q^{2}}\) for all the three systems. Therefore, since \(G(x)=F_{|_{{\mathbb {F}}_{q^{2}}}}(x)\) we can have at most only one of the systems admitting 4 solutions.

For \(b\not \in {\mathbb {F}}_{q^{2}}\), let m be the number of roots of the equation \(b^{q^{2}}+b=\alpha ^{q+1}\frac {(\alpha ^{2q}+\alpha )(\alpha +1)}{(\alpha ^{q}+\alpha )^{2}}\) such that \(\alpha \in {\mathbb {F}}_{q^{2}}\setminus \mathbb {F}_{q}\). Then, for any of these roots we can have 4 possible x plus the 4 possible solutions when α = 1. Hence, we have S1,b ≤ 4 ⋅ (m + 1). □

Remark 1

For the case \(b\in {\mathbb {F}}_{q^{2}}\) it is possible to show that six solutions are possible. Consider b = ω, where ω is a primitive element of \({\mathbb {F}}_{4}\). First of all, it is easy to check that any \(x\in {\mathbb {F}}_{4}\) is a solution of System (II) in the proof of Lemma 1. Moreover, we have that \(\text {Tr}^{2k}_{1}(b)=1\), so there exist two solutions in \({\mathbb {F}}_{q^{4}}\setminus {\mathbb {F}}_{q^{2}}\) of System (I) in Lemma 1. So, we have that S1,ω = 6.

Lemma 2

Let k > 1 odd and q = 2k. For any \(b\in {\mathbb {F}}_{q^{4}}\setminus {\mathbb {F}}_{q^{2}}\) the equation

$$ b^{q^{2}}+b=\alpha^{q+1}\frac{(\alpha^{2q}+\alpha)(\alpha+1)}{(\alpha^{q}+\alpha)^{2}} $$

admits at most 5 solutions \(\alpha \in {\mathbb {F}}_{q^{2}}\setminus \mathbb {F}_{q}\).

Proof

Consider the equation

$$ b^{q^{2}}+b=\alpha^{q+1}\frac{(\alpha^{2q}+\alpha)(\alpha+1)}{(\alpha^{q}+\alpha)^{2}}. $$
(3)

Then, we have also the relation

$$ \text{Tr}_{k}^{4k}(b)=\alpha^{q+1}\frac{(\alpha^{q+1}+1)}{\alpha^{q}+\alpha}. $$
(4)

Let \(d=b^{q^{2}}+b\) and \(e=\text {Tr}_{k}^{4k}(b)=d^{q}+d\in \mathbb {F}_{q}\).

If \(d\in \mathbb {F}_{q}\), then e = 0 and therefore αq+ 1 = 1 and αq = α− 1. This leads to

$$d=1\cdot\frac{(\frac{1}{\alpha^{2}}+\alpha)(\alpha+1)}{\frac{1}{\alpha^{2}}+\alpha^{2}}=\frac{1+\alpha^{3}}{\alpha^{2}}(\alpha+1)\frac{\alpha^{2}}{(1+\alpha)^{4}}=\frac{1+\alpha^{3}}{(1+\alpha)^{3}}=\frac{\alpha^{2}+\alpha+1}{1+\alpha^{2}}.$$

Hence α2(d + 1) + α + 1 + d = 0, that has at most 2 solutions in \(\mathbb {F}_{q^{2}}\setminus \mathbb {F}_{q}\) if and only if \({\text {Tr}^{k}_{1}}(d)=0\). Indeed, if \({\text {Tr}^{k}_{1}}(d)=1\) we would have \({\text {Tr}^{k}_{1}}(d^{2}+1)=0\) and thus the equation admits 2 solutions in \({\mathbb {F}}_{q}\).

Now, consider the case \(d\not \in \mathbb {F}_{q}\) and thus e≠ 0. Denoting by \(\gamma =\frac {\alpha ^{q}+\alpha ^{2}}{\alpha ^{q}+\alpha }\), we have d = γqα(γ + α) and

$$ \begin{array}{@{}rcl@{}} e= d^{q}+d = \gamma^{q+1}(\alpha^{q}+\alpha)+\gamma\alpha^{2q}+\gamma^{q}\alpha^{2}. \end{array} $$

Since \(d\in {\mathbb {F}}_{q^{2}}\setminus \mathbb {F}_{q}\) we can write α as \(\alpha =rd+s, \text { with }r,s\in \mathbb {F}_{q}, r\neq 0\). Therefore, we have αq + α = r(dq + d) = re. From d(αq + α)2 = αq+ 1(α2q + α)(α + 1) (3) we get

$$ \begin{array}{@{}rcl@{}} s^{5}&=& s^{4}rd^{q}+s^{3}(r^{2}e^{2}+1)+s^{2}(r^{3}d^{q}e^{2}+r^{2}e^{2}+rd^{q})\\ & &+ s(r^{4}d^{2q+2}+r^{3}e^{3}+r^{2}d^{2})+r^{5}d^{3q+2}+r^{4}d^{q+1}e^{2}+r^{3}d^{q+2}+r^{2}de^{2}. \end{array} $$
(5)

From e(αq + α) = αq+ 1(αq+ 1 + 1) (4) we get

$$ s^{4}=s^{2}(r^{2}e^{2}+1)+sre+re^{2}+r^{4}d^{2q+2}+r^{2}d^{q+1}. $$
(6)

To simplify the equation, let us introduce the variable A = re + 1. Then we can rewrite (5) as

$$ \begin{array}{@{}rcl@{}} s^{5}& = & s^{4}rd^{q}+s^{3}A^{2}+s^{2}(rd^{q}A^{2}+A^{2}+1) + s(r^{4}d^{2q+2}+r^{3}e^{3}+r^{2}d^{2})\\&&+r^{5}d^{3q+2}+r^{4}d^{q+1}e^{2}+r^{3}d^{q+2}+r^{2}de^{2}, \end{array} $$

and (6) as

$$ \begin{array}{@{}rcl@{}} s^{4}= & s^{2}A^{2}+sre+re^{2}+r^{4}d^{2q+2}+r^{2}d^{q+1}. \end{array} $$

Substituting the second one in the first one we obtain

$$ \begin{array}{@{}rcl@{}} 0&=&s(s^{2}A^{2}+sre+re^{2}+r^{4}d^{2q+2}+r^{2}d^{q+1})+(s^{2}A^{2}+sre+re^{2}+r^{4}d^{2q+2}\\ &&+r^{2}d^{q+1})rd^{q}+ s^{3}A^{2}+s^{2}(rd^{q}A^{2}+A^{2}+1) + s(r^{4}d^{2q+2}+r^{3}e^{3}+r^{2}d^{2})\\ &&+r^{5}d^{3q+2}+r^{4}d^{q+1}e^{2}+r^{3}d^{q+2}+r^{2}de^{2}\\ &= & s^{3}A^{2}+s^{2}re+s(re^{2}+r^{4}d^{2q+2}+r^{2}d^{q+1}) + s^{2}A^{2}rd^{q}+sr^{2}d^{q}e+r^{2}d^{q}e^{2}\\ &&+r^{5}d^{3q+2}+r^{3}d^{2q+1}+ s^{3}A^{2}+s^{2}(rd^{q}A^{2}+A^{2}+1) + s(r^{4}d^{2q+2}+r^{3}e^{3}+r^{2}d^{2})\\ &&+r^{5}d^{3q+2}+r^{4}d^{q+1}e^{2}+r^{3}d^{q+2}+r^{2}de^{2}\\ &= &s^{2}(A^{2}+A) + s(re^{2}+r^{3}e^{3}+r^{2}e^{2}) + r^{2}e^{3}+r^{4}d^{q+1}e^{2}+r^{3}d^{q+1}e\\ &= &s^{2}reA + sre^{2}(1+rA) + r^{2}e(e^{2}+rd^{q+1}A)\\ &=& re[s^{2}A + se(1+rA) + r(e^{2}+rd^{q+1}A)]. \end{array} $$

Since r,e≠ 0, denoting by B = e(1 + rA) and by C = r(e2 + rdq+ 1A) we have

$$ \begin{array}{@{}rcl@{}} 0=&s^{2}A+sB+C. \end{array} $$
(7)

Replacing (7), hence s2A = sB + C, into (6) (s4 = s2A2 + sre + K, with K = re2 + r4d2q+ 2 + r2dq+ 1) we have

$$ s^{4}= A(sB+C)+sre+K= s(AB+re)+AC+K. $$

Thus raising (7) to the power of two and substituing s4 we obtain

$$ s^{2}B^{2} = s(A^{3}B+A^{2}re)+A^{3}C+A^{2}K+C^{2}. $$

Using (7) (multiplied by B2) we obtain

$$ As^{2}B^{2} = sB^{3}+B^{2}C= s(A^{4}B+A^{3}re)+A^{4}C+A^{3}K+AC^{2},$$

which implies

$$ 0 =s(B^{3}+A^{4}B+A^{3}re)+B^{2}C+A^{4}C+A^{3}K+AC^{2}= s\bar{D}+\bar{E}. $$

Therefore

$$ \begin{array}{@{}rcl@{}} \bar{D}&= & B^{3}+A^{4}B+A^{3}re=(e+reA)^{3}+A^{4}(e+reA)+A^{3}re\\ &= & e[e^{2}+A re^{2}+A^{2}],\\ \bar{E}& = & B^{2}C+A^{4}C+A^{3}K+AC^{2}\\ &= & (e^{2}+A^{2}r^{2}e^{2})(re^{2}+Ar^{2}d^{q+1})+A^{4}(re^{2}+Ar^{2}d^{q+1})\\ &&+ A^{3}(re^{2}+r^{4}d^{2q+2}+r^{2}d^{q+1})+A(r^{2}e^{4}+A^{2}r^{4}d^{2q+2})\\ &= & e[A^{2}r^{2}e^{2}+Ar^{2}d^{q+1}e+Ar^{2}e^{3}+re^{3}]. \end{array} $$

Let \(D=\bar {D}e^{-1}\) and \(E=\bar {E}e^{-1}\), then Ds = E with

$$ D= e^{2}+A re^{2}+A^{2} \text{ and } E= A^{2}r^{2}e^{2}+Ar^{2}d^{q+1}e+Ar^{2}e^{3}+re^{3}. $$

Using this last relation inside (7) we have

$$ \begin{array}{@{}rcl@{}} 0& = &D^{2}(s^{2}A+sB+C)\\ &= & D^{2}s^{2}A+D^{2}sB+D^{2}C\\ &= & E^{2}A+DEB+D^{2}C. \end{array} $$

Now, since

$$ \begin{array}{@{}rcl@{}} AE^{2} &= &A^{5}r^{4}e^{4}+A^{3}r^{4}d^{2q+2}e^{2}+A^{3}r^{4}e^{6}+Ar^{2}e^{6},\\ BDE &= & A^{5}(r^{3}e^{3}+r^{3}e^{4}+r^{2}e^{4}+d^{q+1}r^{2}e^{2})+ A^{4}(r^{3}d^{q+1}e^{2}+r^{2}e^{3}),\\ &&+ A^{3}(r^{2}e^{4}+r^{2}e^{5})+A^{2}re^{4}+A(r^{2}e^{6}+r^{2}d^{q+1}e^{4})+re^{6},\\ CD^{2} &=&A^{5}r^{2}d^{q+1}+A^{4}re^{2}+A^{3}r^{4}d^{q+1}e^{4}+A^{2}r^{3}e^{6}+Ar^{2}d^{q+1}e^{4}+re^{6},\\ \end{array} $$

we obtain

$$ \begin{array}{@{}rcl@{}} 0&=&A^{5}(r^{4}e^{4}+r^{3}e^{4}+r^{3}e^{3}+r^{2}d^{q+1}e^{2}+r^{2}d^{q+1}+re^{2})\\ &&+A^{4}(r^{3}d^{q+1}e^{2}+re^{4})+ A^{3}(r^{4}d^{2q+2}e^{2}+r^{4}d^{q+1}e^{4}+r^{2}e^{5})\\ &=&A^{3}rP(r), \end{array} $$
(8)

with

$$ \begin{array}{@{}rcl@{}} P(r)& = & A^{2}(r^{3}e^{4}+r^{2}e^{4}+r^{2}e^{3}+rd^{q+1}e^{2}+rd^{q+1}+e^{2})\\&& + A(r^{2}d^{q+1}e^{2}+e^{4})+r^{3}d^{2q+2}e^{2}+r^{3}d^{q+1}e^{4}+re^{5}\\ &= & r^{5}e^{6}+r^{4}(e^{5}+e^{6})+r^{3}(e^{4}+d^{q+1}(e^{2}+e^{3})+d^{2q+2}e^{2})\\ &&+r^{2}(e^{3}+d^{q+1}e^{2})+rd^{q+1}(e^{2}+1)+e^{4}+e^{2}. \end{array} $$

We need to find solutions of (8) related to some \(\alpha \in {\mathbb {F}}_{q^{2}}\setminus {\mathbb {F}}_{q}\) that satisfies (3). Equation (8) is satisfied if either one of the following conditions is true

  1. 1.

    A = 0,

  2. 2.

    r = 0, not acceptable since \(\alpha \not \in \mathbb {F}_{q}\),

  3. 3.

    P(r) = 0.

Assume that A = 0 is a possible solution, therefore \(r=\frac {1}{e}\) (it is related to an α for which (3) holds). From (7) we obtain that se + re2 = 0, therefore s = 1. From (6) we have

$$ \begin{array}{@{}rcl@{}} s^{4} &= & s^{2}A^{2}+sre+re^{2}+r^{4}d^{2q+2}+r^{2}d^{q+1}\\ 1 &= & 0+1+e+\frac{d^{2q+2}}{e^{4}}+\frac{d^{q+1}}{e^{2}}\\ d^{2q+2}& = &e^{2}d^{q+1}+e^{5}. \end{array} $$

Hence, we obtain that

$$ \begin{array}{@{}rcl@{}} r^{4}d^{2q+2}e^{2}+r^{4}d^{q+1}e^{4}+r^{2}e^{5}& = & r^{4}d^{q+1}e^{4}+r^{4}e^{7}+r^{4}d^{q+1}e^{4}+r^{2}e^{5}\\ &= &r^{2}e^{5}(r^{2}e^{2}+1) = r^{2}e^{5}A^{2} \end{array} $$

and using this equality we have that (8) becomes

$$ \begin{array}{@{}rcl@{}} 0=E^{2}A+DEB+D^{2}C&= & A^{5}(r^{4}e^{4}+r^{3}e^{4}+r^{3}e^{3}+r^{2}d^{q+1}e^{2}+r^{2}d^{q+1}+re^{2})\\ &&+A^{4}(r^{3}d^{q+1}e^{2}+re^{4})+ A^{3}(r^{4}d^{2q+2}e^{2}+r^{4}d^{q+1}e^{4}+r^{2}e^{5})\\ &=& A^{5}(r^{4}e^{4}+r^{3}e^{4}+r^{3}e^{3}+r^{2}d^{q+1}e^{2}+r^{2}d^{q+1}+re^{2})\\ &&+A^{4}(r^{3}d^{q+1}e^{2}+re^{4})+ A^{5}r^{2}e^{5}\\ &= & A^{4}r[A(r^{3}e^{4}+r^{2}e^{4}+r^{2}e^{3}+rd^{q+1}e^{2}+rd^{q+1}+e^{2}+re^{5})\\ &&+ r^{2}d^{q+1}e^{2}+e^{4}]\\ &= & A^{4}rQ(r), \end{array} $$

where Q(r) is a polynomial of degree at most 4. Therefore, if b is such that among the solution of (3) there is one for which A = 0, then at most we have 5 possible solutions r of (8).

Otherwise, if A = 0 is not a possible solution, then P(r) can have at most 5 different roots. Hence, in total we have at most 5 different possible r.

We need to check, how many s there exist for any of these r. From the equation Ds = E we know that, given a fixed r, unless D = 0, there exists only one possible s. We need to study the case D = A2 + Are2 + e2 = 0. From (7), that is, As2 + Bs + C = 0 we obtain that we can have at most two s for any r (in the case D = 0).

If A = 0, then (7) admits at most one solution since B = Are + e = e≠ 0. Also if A≠ 0 and B = 0, then the equation admits only one solution. In particular, (7) admits two solutions if and only if B≠ 0 and \(\text {Tr}\left (\frac {AC}{B^{2}}\right )=0\). Hence, we need to study the system

$$\left\{\begin{array}{lll} 0\neq & A\\ 0\neq & B = Are+e\\ 0 =& D = A^{2}+Are^{2}+e^{2}= A^{2}+eB\\ 0 =&E = A^{2}r^{2}e^{2}+Ar^{2}d^{q+1}e+Ar^{2}e^{3}+re^{3}=re^{2}B+eC+B^{2}+e^{2}A. \end{array}\right.$$

Then, we have A2 = Are2 + e2 and (substituting A) r2(e2 + e3) = re2 + e2 + 1, that leads to the restriction e≠ 1. Using these relations inside E we obtain

$$ \begin{array}{@{}rcl@{}} 0&= & A^{2}r^{2}e^{2}+Ar^{2}d^{q+1}e+Ar^{2}e^{3}+re^{3}\\ &= & (Are^{2}+e^{2})r^{2}e^{2}+Ar^{2}d^{q+1}e+Ar^{2}e^{3}+re^{3}\\ &= & Ar^{3}e^{4}+r^{2}e^{4}+Ar^{2}d^{q+1}e+Ar^{2}e^{3}+re^{3}\\ &= & r^{4}e^{5}+r^{3}e^{4}+r^{2}e^{4}+r^{3}d^{q+1}e^{2}+r^{2}d^{q+1}e+r^{3}e^{4}+r^{2}e^{3}+re^{3}\\ &= & re(r^{3}e^{4}+ re^{3}+r^{2}d^{q+1}e+rd^{q+1}+re^{2}+e^{2}), \end{array} $$
(9)

which implies r3e4 + re3 + r2dq+ 1e + rdq+ 1 + re2 + e2 = 0 and thus

$$ \begin{array}{@{}rcl@{}} 0&=&(r^{3}e^{4}+ re^{3}+r^{2}d^{q+1}e+rd^{q+1}+re^{2}+e^{2})(e^{2}+e)\\ &= &re^{3}r^{2}(e^{2}+e^{3})+ r(e^{5}+e^{4})+d^{q+1}r^{2}(e^{3}+e^{2})\\&&+rd^{q+1}(e^{2}+e)+r(e^{4}+e^{3})+e^{3}+e^{4}\\ &= &re^{3}(re^{2}+e^{2}+1)+ r(e^{5}+e^{4})+d^{q+1}(re^{2}+e^{2}+1)\\&&+rd^{q+1}(e^{2}+e)+r(e^{4}+e^{3})+e^{3}+e^{4}\\ &= &r^{2}e^{5}+ d^{q+1}(e^{2}+1)+rd^{q+1}e+e^{3}(e+1)\\ 0&= &(r^{2}e^{5}+ d^{q+1}(e^{2}+1)+rd^{q+1}e+e^{3}(e+1))(e+1). \end{array} $$

Using the substitution r2(e2 + e3) = re2 + e2 + 1 we have

$$ \begin{array}{@{}rcl@{}} 0&=&e^{3}(re^{2}+e^{2}+1)+ d^{q+1}(e+1)^{3}+rd^{q+1}(e^{2}+e)+e^{3}(e+1)^{2}\\ &= &r(e^{5}+d^{q+1}(e^{2}+e))+ d^{q+1}(e+1)^{3}. \end{array} $$

Hence, we have only one possible r that satisfies the system. Now, from r2(e2 + e3) + re2 + e2 + 1 = 0 we have also

$$ \begin{array}{@{}rcl@{}} 0&= & (r^{2}(e^{2}+e^{3})+re^{2}+e^{2}+1)(e^{4}+d^{q+1}(e+1))\\ &= & red^{q+1}(e+1)^{3}+re^{2}d^{q+1}(e+1)^{3}+ed^{q+1}(e+1)^{3}+e^{4}(e+1)^{2}+d^{q+1}(e+1)^{3}\\ &= &(e+1)^{2}(rd^{q+1}e(e+1)^{2}+d^{q+1}(e+1)^{2}+e^{4})\\ &= &(e+1)^{2}[(e+1)(re^{5}+d^{q+1}(e+1)^{3})+d^{q+1}(e+1)^{2}+e^{4}]\\ &= &(e+1)^{2}[re^{5}(e+1)+d^{q+1}(e+1)^{4}+d^{q+1}(e+1)^{2}+e^{4}]\\ &= &(e+1)^{2}e^{2}[re^{3}(e+1)+d^{q+1}(e+1)^{2}+e^{2}] \end{array} $$

and thus re3(e + 1) = dq+ 1(e + 1)2 + e2. Moreover, from re3(e + 1) + dq+ 1(e + 1)2 + e2 = 0, we can obtain

$$ \begin{array}{@{}rcl@{}} 0 &= & [re^{3}(e+1)+d^{q+1}(e+1)^{2}+e^{2}](e^{4}+d^{q+1}(e+1))\\ &= & e^{2}d^{q+1}(e+1)^{4}+d^{q+1}e^{4}(e+1)^{2}+e^{6}+d^{2q+2}(e+1)^{3}\\ &&+d^{q+1}e^{2}(e+1)\\ &= & e^{3}d^{q+1}(e+1)+e^{6}+d^{2q+2}(e+1)^{3}\\ d^{2q+2}(e+1)^{3} &= & e^{3}d^{q+1}(e+1)+e^{6}. \end{array} $$

From the two equations above we have also re3(1 + e) = dq+ 1(1 + e)2 + e2 and d2q+ 2(1 + e)3 = dq+ 1e3(1 + e) + e6. We know that e≠ 0,1 therefore

$$r= \frac{d^{q+1}(e+1)}{e^{3}}+\frac{1}{e(e+1)}.$$

Hence,

$$ \begin{array}{@{}rcl@{}} A &= & re+1\\ &= & \frac{d^{q+1}(e+1)}{e^{2}}+\frac{e}{(e+1)}\\ A^{2} &= & \frac{d^{2q+2}(e+1)^{2}}{e^{4}}+\frac{e^{2}}{(e+1)^{2}}= \frac{d^{q+1}}{e}+\frac{e^{3}}{(e+1)^{2}}\\ 0 &= & D = A^{2}+Are+e^{2}\\ &= & \frac{d^{q+1}}{e}+\frac{e^{3}}{(e+1)^{2}} + \left( \frac{d^{q+1}(e+1)}{e^{2}}+\frac{e}{(e+1)}\right)\left( \frac{d^{q+1}(e+1)}{e^{2}}+\frac{1}{(e+1)}\right)+e^{2}\\ &= & \frac{d^{q+1}}{e}+\frac{e^{3}}{(e+1)^{2}} + \frac{d^{2q+2}(e+1)^{2}}{e^{4}}+ \frac{d^{q+1}(e+1)}{e^{2}}+\frac{e}{(e+1)^{2}}+e^{2}\\ &= & \frac{d^{q+1}}{e}+\frac{e^{3}}{(e+1)^{2}} + \frac{d^{q+1}}{e}+\frac{e^{2}}{(e+1)}+ \frac{d^{q+1}(e+1)}{e^{2}}+\frac{e}{(e+1)^{2}}+e^{2}\\ &= &d^{q+1} (\frac{e+1}{e^{2}}) + e+e^{2}+\frac{e^{2}}{e+1} = d^{q+1}\cdot \frac{e+1}{e^{2}} + \frac{e(e^{2}+e+1)}{e+1} \\ d^{q+1}&= & \frac{e^{3}(e^{2}+e+1)}{(e+1)^{2}}. \end{array} $$

Therefore

$$r=\frac{e^{2}+e+1}{e+1}+\frac{1}{e(e+1)}= \frac{(e+1)^{2}}{e}$$

and A = re + 1 = e2. Then

$$ 0 =E =A^{2}r^{2}e^{2}+Ar^{2}d^{q+1}e+Ar^{2}e^{3}+re^{3}= (e+1)^{3}\cdot e^{2}. $$

This last result is not possible since e≠ 0,1. So, the system admits no solutions.

Therefore we have that when \(\alpha \in {\mathbb {F}}_{q^{2}}\setminus {\mathbb {F}}_q\), (3) admits at most 5 distinct values.□

Proof

of Theorem 1 Since F is a power function, from Proposition 1 we can consider a = 1, and thus \(\beta _{F} = \max \limits _{b\in {\mathbb {F}}_{q^{4}}^{\star }}S_{1,b}\). From Lemmas 1 and 2 we have immediately that βFF ≤ 24. □

From the proof of Lemmas 1 and 2 we can distinguish five cases for the upper bound on the values S1,b. In particular, we obtain the following.

Proposition 2

Let k > 1 be odd and q = 2k. The Bracken-Leander permutation \(F(x)=x^{2^{2k}+2^{k}+1}\) defined over \({\mathbb {F}}_{q^{4}}\) is such that

$$S_{1,b}\le \left\{\begin{array}{lll} 4 & \text{ if } b\in{\mathbb{F}}_{q^{2}}^{\star}\text{ and }\text{Tr}^{2k}_{1}(b)=0\\ 6 & \text{ if } b\in{\mathbb{F}}_{q^{2}}^{\star}\text{ and }\text{Tr}^{2k}_{1}(b)=1\\ 4& \text{ if } b\notin{\mathbb{F}}_{q^{2}},\text{Tr}^{4k}_{2k}(b)\in{\mathbb{F}}_{q}\text{ and }{\text{Tr}_{1}^{k}}(\text{Tr}^{4k}_{2k}(b))=1\\ 12& \text{ if } b\notin{\mathbb{F}}_{q^{2}},\text{Tr}^{4k}_{2k}(b)\in{\mathbb{F}}_{q}\text{ and }{\text{Tr}_{1}^{k}}(\text{Tr}^{4k}_{2k}(b))=0\\ 24& \text{ otherwise}. \end{array}\right. $$

Using Lemma 1 we evaluated (with the help of MAGMA) the boomerang uniformity for the Bracken-Leander permutation up to dimension n = 60. From Table 2 we can see that for the values 7 ≤ k ≤ 15 the upper bound for the boomerang uniformity is attained.

Table 2 Boomerang uniformity of the function \(x^{2^{2k}+2^{k}+1}\) over \({\mathbb {F}}_{2^{4k}}\)
Full size table

4 On the inverse function modified

In the past years, several constructions of differentially 4-uniform bijective functions, based on modifying the inverse function, have been proposed (see for instance [17, 20, 21, 23, 24]). In particular, in [17, 23], the authors modified the inverse functions composing it with some cycle, and studied when it could be possible to obtain a differentially 4-uniform permutation. In the following we will study the boomerang uniformity of some of the functions studied in [17] and in [23].

Given m + 1 pairwise different elements of \({\mathbb {F}}_{2^{n}}\), αi for 0 ≤ im, consider the cycle π = (α0,α1,...,αm) over \({\mathbb {F}}_{2^{n}}\) defined as

$$\pi(x) = \left\{\begin{array}{lll} \alpha_{i+1} & x = \alpha_{i}\\ x & x \not\in\lbrace \alpha_{i} | 0\leq i\leq m\rbrace, \end{array}\right. $$

where αm+ 1 = α0.

In [23] the authors study the case of cycle of length two (that is π a transposition), while in [17] they consider the more general case of functions of type

$$\pi(x)^{-1} = \left\{\begin{array}{lll} \alpha_{i+1}^{-1} & x = \alpha_{i}\\ x^{-1} & x \not\in\lbrace \alpha_{i} | 0\leq i\leq m\rbrace. \end{array}\right. $$

From [23] we have that:

Lemma 3

Let n = 2k be an even integer. Then the following statements hold.

  1. 1.

    Suppose π = (0,1) is a transposition over \({\mathbb {F}}_{2^{n}}\). Then the differential uniformity of π(x)− 1 equals 4 if and only if k is odd.

  2. 2.

    Suppose π = (1,c) is a transposition over \({\mathbb {F}}_{2^{n}}\). Then the differential uniformity of π(x)− 1 equals 4 if and only if \(\text {Tr}(c)=\text {Tr}(\frac {1}{c})=1\).

In [17] it has been proved the following:

Lemma 4

Suppose π = (α0,…,αm) is a cycle over \({\mathbb {F}}_{2^{n}}\). Then the following statements hold.

  1. 1.

    If 0 ∈ π, then π(x)− 1 is affine equivalent to π1(x)− 1, where π1 is a cycle over \({\mathbb {F}}_{2^{n}}\) of the type (0,1,β1,…,βm− 1).

  2. 2.

    If 0∉π, then π(x)− 1 is affine equivalent to π1(x)− 1, where π1 is a cycle over \({\mathbb {F}}_{2^{n}}\) of the type (1,β1,…,βm).

Recalling that the boomerang uniformity is invariant for affine equivalence, when m = 1 we need to consider, up to affine equivalence, only two types of permutations π(x)− 1:

  • π = (0,1),

  • π = (1,c), with c≠ 0,1.

In [16] Li et al. studied the boomerang uniformity of π(x)− 1 with π = (0,1). They obtained the following result.

Theorem 2

Let F(x) = π(x)− 1, for π = (0,1), and n ≥ 3. Then the boomerang uniformity of F is \(\beta _{F}= \left \{\begin {array}{lll} 10, & if\ n \equiv 0\ (mod\ 6),\\ 8, & if\ n \equiv 3\ (mod\ 6),\\ 6, & if\ n \not \equiv 0\ (mod\ 3). \end {array}\right .\)

Considering the case π = (1,c) we obtain the following.

Theorem 3

Let n be even and F(x) = π(x)− 1 with π = (1,c) be a differentially 4-uniform function over \({\mathbb {F}}_{2^{n}}\). Then,

  • if \(c\notin {\mathbb {F}}_{4}\)

    $$\beta_{F}=\left\{\begin{array}{lll} 10 &\text{if $n\equiv 0 \mod 4$}\\ 8 &\text{if $n\equiv 2 \mod 4$}. \end{array}\right. $$

  • if \(c\in {\mathbb {F}}_{4}\setminus {\mathbb {F}}_{2}\) (thus n ≡ 2 mod 4) βF = 6.

The proof of Theorem 3 relies just on the study of all the possible cases that we can obtain in System (1) and on the, well-known, characterization of the solutions of the equation x− 1 + (x + a)− 1 = b (see for instance [19]). For such a reason the proof is omitted, but we redirect the interested reader to [9].

From Theorems 2 and 3 we obtain the following corollary.

Corollary 1

Let n = 2k and π = (α1,α2). Consider the function F(x) = π(x)− 1 defined over \({\mathbb {F}}_{2^{n}}\) and suppose that F is differentially 4-uniform. Then,

  • if 0 ∈ π, then k is odd and

    $$ \beta_{F}= \left\{\begin{array}{lll} 10, & \text{ if } n \equiv0\ (mod\ 6),\\ 6, &\text{ otherwise}. \end{array}\right. $$

  • if 0∉π, then

    • if \(\frac {\alpha _{2}}{\alpha _{1}}\notin {\mathbb {F}}_{4}^{\star }\), then

      $$\beta_{F}=\left\{\begin{array}{lll} 10 &\text{if }n\equiv 0 \mod 4,\\ 8 &\text{if }n\equiv 2 \mod 4. \end{array}\right. $$

    • if \(\frac {\alpha _{2}}{\alpha _{1}}\in {\mathbb {F}}_{4}^{\star }\), then k is odd and βF = 6.

Proof

If 0 ∈ π then from Lemma 4 we have that F(x) = π(x)− 1 is affine equivalent to π0(x)− 1 where π0(x) = (0,1). So from Theorem 2 and since in the case n ≡ 3 mod 6 F cannot be differentially 4-uniform we have our claim.

Suppose now that α1,α2≠ 0. From Lemma 4 we have that \(\alpha _{1}^{-1}\pi (\alpha _{1}x)=\pi _{1}(x)\) where π1(x) = (1,β1) with \(\beta _{F 1}=\frac {{\alpha }_{2}}{{\alpha }_{1}}\), and thus F(x) = π(x)− 1 is affine equivalent to π1(x)− 1 = α1π(α1x)− 1. From Theorem 3 we obtain the claim. □

In [17], the authors extend the results obtained in [23] by composing the inverse function with cycles of order greater than two. In particular from their results we have the following differentially 4-uniform functions.

Lemma 5

Let n = 2k with k > 1. Let \(c\in \mathbb {F}_{4}\setminus \mathbb {F}_{2}\), then the functions F(x) = π(x)− 1 with π = (0,1,c) and G(x) = π(x)− 1 with π = (1,c,c2) are differentially 4-uniform if and only if k is odd.

Using a similar analysis as in Theorem 3 we can get the following results.

Theorem 4

Let n = 2k with k > 1 odd. Let F(x) = π(x)− 1 with π = (0,1,c) and \(c\in \mathbb {F}_{4}\setminus \mathbb {F}_{2}\), be a differentially 4-uniform function over \(\mathbb {F}_{2^{n}}\). Then,

$$\beta_{F}=\left\{\begin{array}{lll} 8 &\text{if }n\equiv 0 \mod 6,\\ 6 &\text{otherwise}. \end{array}\right. $$

Theorem 5

Let n = 2k with k > 1 odd. Let F(x) = π(x)− 1 with π = (1,c,c2) and \(c\in \mathbb {F}_{4}\setminus \mathbb {F}_{2}\), be a differentially 4-uniform function over \(\mathbb {F}_{2^{n}}\). Then,

$$\beta_{F}=\left\{\begin{array}{lll} 8 &\text{if }n\equiv 0 \mod 6,\\ 6 &\text{otherwise}. \end{array}\right. $$

As for Theorem 3, we redirect the interested reader to [9] for the proofs of Theorems 4 and 5.

Using the same arguments as in the proof of Corollary 1, we have the following.

Corollary 2

Let n = 2k with k odd and π = (α1,α2,α3) with \(\alpha _{1},\alpha _{2},\alpha _{3}\in \gamma {\mathbb {F}}_{4}\) for some \(\gamma \in {\mathbb {F}}_{2^{n}}^{\star }\). Consider the function F(x) = π(x)− 1 defined over \({\mathbb {F}}_{2^{n}}\) and suppose that F is differentially 4-uniform. Then,

$$\beta_{F}=\left\{\begin{array}{lll} 8 &\text{if }n\equiv 0 \mod 6,\\ 6 &\text{otherwise}. \end{array}\right. $$

5 Conclusions

In this paper we studied the boomerang uniformity of some classes of differentially 4-uniform permutations defined over \({\mathbb {F}}_{2^{n}}\) with n even. In particular, we obtained an upper bound for the boomerang uniformity of the cubic functions introduced by Bracken and Leander [5] and the boomerang uniformity for some of the functions studied in [17, 23].

From the results in [16, 18] we have that from quadratic permutations it is possible to obtain functions with optimal BCT, that is function with δF = βF. However, for cryptographic applications, quadratic functions could be weak with respect to higher order differential attacks [15]. So it would be interesting to construct optimal functions with degree greater than two and which are, in particular, 4-uniform.

In [4], it has been proved that if n ≡ 2 mod 4, then the inverse function is optimal (δF = βF = 4). However, for the case n ≡ 0 mod 4, which is widely used in cryptographic algorithm, from the results obtained in this paper and in the previous ones [4, 16, 18] we can not find any permutations over \({\mathbb {F}}_{2^{n}}\) with boomerang uniformity 4. So, an interesting open problem is to investigate the existence of a permutation having boomerang uniformity 4 over \({\mathbb {F}}_{2^{n}}\) with n ≡ 0 mod 4.