Constructing infinite families of low differential uniformity (n, m)-functions with \(m>n/2\)

Abstract

Little theoretical work has been done on (n, m)-functions when \(\frac{n}{2}<m<n\), even though these functions can be used in Feistel ciphers, and actually play an important role in several block ciphers. Nyberg has shown that the differential uniformity of such functions is bounded below by \(2^{n-m}+2\) if n is odd or if \(m>\frac{n}{2}\). In this paper, we first characterize the differential uniformity of those (n, m)-functions of the form \(F(x,z)=\phi (z)I(x)\), where I(x) is the (m, m)-inverse function and \(\phi (z)\) is an \((n-m,m)\)-function. Using this characterization, we construct an infinite family of differentially \(\Delta \)-uniform \((2m-1,m)\)-functions with \(m\ge 3\) achieving Nyberg’s bound with equality, which also have high nonlinearity and not too low algebraic degree. We then discuss an infinite family of differentially 4-uniform \((m+1,m)\)-functions in this form, which leads to many differentially 4-uniform permutations. We also present a method to construct infinite families of \((m+k,m)\)-functions with low differential uniformity and construct an infinite family of \((2m-2,m)\)-functions with \(\Delta \le 2^{m-1}-2^{m-6}+2\) for any \(m\ge 8\). The constructed functions in this paper may provide more choices for the design of Feistel ciphers.

Appendix A: Complete proof of Proposition 4.6

Proposition 4.6

Let m, l be positive integers and \(1\le k\le m-2\). Let \(U_i\)\((1\le i \le m-k-1)\) be disjoint sets in \({\mathbb {F}}_2^k\) satisfying \(\sum \nolimits _{i=1}^{m-k-1}\#U_i\le 2^{k-2}-l\) and such that, for any \(U_i\), any element in \({\mathbb {F}}_2^k\) appears at least 2l times in the multiset \(\{*\ z_1+z_2| (z_1,z_2)\in U_i\times U_i\ *\}\).

Consider the function \(F:{\mathbb {F}}_2^{m+k}\rightarrow {\mathbb {F}}_{2^m}\) in the form \(F(x,z)=\phi (z)I(x)\), where I(x) is the (m, m)-inverse function and \(\phi :{\mathbb {F}}_2^k\rightarrow {\mathbb {F}}_{2^m}\) is defined as

$$\begin{aligned} \phi (z)=\left\{ \begin{array}{ll} L(z)+c_i, &{} \text{ when } z\in U_i, \\ L(z)+c_0, &{} \text{ when } z\in {\mathbb {F}}_2^k\setminus \bigcup \limits _{i=1}^{m-k-1} U_i, \end{array} \right. \end{aligned}$$

(9)

and satisfies \(Rank\{\phi (z)|z\in {\mathbb {F}}_2^k\}=m\), \(L:{\mathbb {F}}_2^k\rightarrow {\mathbb {F}}_{2^m}\) is linear and \(c_i\ (0\le i \le m-k-1)\) are constants in \({\mathbb {F}}_{2^m}\). Then F is a differentially \(\Delta \)-uniform function with \(\Delta \le 2^{k+1}-4l+2\).

Proof

Let \(U_0={\mathbb {F}}_2^k\setminus \bigcup \nolimits _{i=1}^{m-k-1} U_i\). According to the conditions on \(\phi (z)\) and the fact that \(\{L(z)|z\in {\mathbb {F}}_2^k\}\) is a vector space, we have

$$\begin{aligned} m= & {} \mathrm{Rank}\{\phi (z)|z\in {\mathbb {F}}_2^k\}\\= & {} \mathrm{Rank}\left( \bigcup \limits _{i=0}^{m-k-1} \{L(z)+c_i|z\in U_i\}\right) \\\le & {} \mathrm{Rank}\left( \bigcup \limits _{i=0}^{m-k-1} \{L(z)+c_i|z\in {\mathbb {F}}_2^k\}\right) \\\le & {} \mathrm{Rank}(\mathrm{Span}(\{L(z)|z\in {\mathbb {F}}_2^{k}\}\cup \{c_i|0\le i \le m-k-1\})). \end{aligned}$$

The last step holds since for any i, \(\{L(z)+c_i|z\in {\mathbb {F}}_2^k\}\subseteq \mathrm{Span}(\{L(z)|z\in {\mathbb {F}}_2^{k}\}\cup c_i)\). It is clear that the span of a set does not change its rank, then

$$\begin{aligned} m\le & {} \mathrm{Rank}(\mathrm{Span}(\{L(z)|z\in {\mathbb {F}}_2^{k}\}\cup \{c_i|0\le i \le m-k-1\}))\\= & {} \mathrm{Rank}(\{L(z)|z\in {\mathbb {F}}_2^{k}\}\cup \{c_i|0\le i \le m-k-1\})\\= & {} \mathrm{Rank}(\{L(z)|z\in {\mathbb {F}}_2^k\}\cup \mathrm{Span}\{c_i|0\le i \le m-k-1\})\\= & {} \mathrm{Rank}\{L(z)|z\in {\mathbb {F}}_2^k\}+\mathrm{Rank}(\mathrm{Span}\{c_i|0\le i \le m-k-1\})\\&- \,\mathrm{Rank}(\{L(z)|z\in {\mathbb {F}}_2^k\}\cap \mathrm{Span}\{c_i|0\le i \le m-k-1\})\\\le & {} k+(m-k)-0=m. \end{aligned}$$

Thus the last inequality is an equality, we have

$$\begin{aligned}&\mathrm{Rank}\{L(z)|z\in {\mathbb {F}}_2^k\}=k, \end{aligned}$$

(10)

$$\begin{aligned}&\mathrm{Rank}(\mathrm{Span}\{c_i|0\le i \le m-k-1\})=m-k, \end{aligned}$$

(11)

and

$$\begin{aligned} \mathrm{Rank}(\{L(z)|z\in {\mathbb {F}}_2^k\}\cap \mathrm{Span}\{c_i|0\le i \le m-k-1\})=0. \end{aligned}$$

(12)

For one thing, \(c_i\ne 0\) because of (11) for any \(0\le i \le m-k-1\). Moreover, according to (12), we have \(c_i\notin \{L(z)|z\in {\mathbb {F}}_2^k\}\) for any \(0\le i \le m-k-1\), which means \(\phi (z)\) does not vanish for any \(z\in {\mathbb {F}}_2^k\). For another, assume that there exists \(z_{i_1}\ne z_{i_2}\in {\mathbb {F}}_2^k\) such that \(\phi (z_{i_1})=\phi (z_{i_2})\), then \(L(z_{i_1})+c_{i_1}=L(z_{i_2})+c_{i_2}\). If \(c_{i_1}=c_{i_2}\), notice that L(z) is a linear injection according to (10), then \(z_{i_1}=z_{i_2}\), a contradiction. If \(c_{i_1}\ne c_{i_2}\), then \(0\ne c_{i_1}+c_{i_2}\in \{L(z)|z\in {\mathbb {F}}_2^k\}\). According to (12), then \(c_{i_1}+c_{i_2}\notin \mathrm{Span}\{c_i|0\le i \le m-k-1\}\), a contradiction. Thus \(\phi (z)\) is an injection. Then we only need to verify the last condition in Proposition 3.1, that is, for any \(d\in {\mathbb {F}}_2^k\), \(t\in {\mathbb {F}}^*_{2^m}\),

$$\begin{aligned} \begin{array}{ll}2^{k+1}-4l+2\ge 2^{k+1}-2\#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{\phi (z)t}{(t+\phi (z)+\phi (z+d))^2}\right) =1\right\} \\ \qquad - \, \#\{z\in {\mathbb {F}}_2^k|t=\phi (z)+\phi (z+d)\}+\#\{z\in {\mathbb {F}}_2^k|t=\phi (z)\}+\#\{z\in {\mathbb {F}}_2^k|t=\phi (z+d)\}.\end{array} \end{aligned}$$

(13)

Notice that \(U_i\)\((1\le i \le m-k-1)\) are disjoint sets satisfying \(\sum \nolimits _{i=1}^{m-k-1}\#U_i\le 2^{k-2}-l\), then \(\#U_0\ge 2^k-(2^{k-2}-l)= 3*2^{k-2}+l\), we have for any \(d\in {\mathbb {F}}_2^k\),

$$\begin{aligned} \#\{z|z,z+d\in U_0\}\ge 2^{k-1}+2l. \end{aligned}$$

(14)

The reason of (14) is

$$\begin{aligned}&\#\{z|z,z+d\in U_0\}\\&\quad =\#\left( \{z|z\in U_0\}\bigcap \{z|z+d\in U_0\}\right) \\&\quad =\#\{z|z\in U_0\}+\#\{z|z+d\in U_0\}-\#\left( \{z|z\in U_0\}\bigcup \{z|z+d\in U_0\}\right) \\&\quad \ge \#\{z|z\in U_0\}+\#\{z|z+d\in U_0\}-\#\{z|z\in {\mathbb {F}}_2^k\}\\&\quad = 2\#U_0-2^k\\&\quad \ge 2^{k-1}+2l. \end{aligned}$$

For any \(d\in {\mathbb {F}}_2^k\) and \(t\in {\mathbb {F}}^*_{2^m}\), if \(t+L(d)=0\), notice that \(\phi (z)=L(z)+c_0\) for any \(z\in U_0\), then we have

$$\begin{aligned}&\#\{z\in {\mathbb {F}}_2^k|t=\phi (z)+\phi (z+d)\}\\&\quad \ge \#\{z|z,z+d\in U_0,t=\phi (z)+\phi (z+d)\}\\&\quad =\#\{z|z,z+d\in U_0\}\\&\quad \ge 2^{k-1}+2l. \end{aligned}$$

Then (13) holds in this case since

$$\begin{aligned}&2^{k+1}-2\#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{\phi (z)t}{(t+\phi (z)+\phi (z+d))^2}\right) =1\right\} \\&\qquad - \, \#\{z\in {\mathbb {F}}_2^k|t=\phi (z)+\phi (z+d)\}+\#\{z\in {\mathbb {F}}_2^k|t=\phi (z)\}+\#\{z\in {\mathbb {F}}_2^k|t=\phi (z+d)\}\\&\quad \le 2^{k+1}-2\times 0-\#\{z\in {\mathbb {F}}_2^k|t=\phi (z)+\phi (z+d)\}+1+1\\&\quad \le 2^{k+1}-(2^{k-1}+2l)+2\\&\quad \le 2^{k+1}-4l+2, \end{aligned}$$

the last step follows from \(0\le \#U\le 2^{k-2}-l\). Thus we only need to consider the case \(d\in {\mathbb {F}}_2^k\), \(t\in {\mathbb {F}}^*_{2^m}\) satisfying \(t+L(d)\ne 0\).

Since \(\mathrm{Rank}\{\phi (z)|z\in {\mathbb {F}}_2^k\}=m\) leads to \(\mathrm{Span}\{\phi (z)|z\in {\mathbb {F}}_2^k\}^\perp =\{0\}\), we have \(\gamma \notin \mathrm{Span}\{\phi (z)|z\in {\mathbb {F}}_2^k\}^\perp \) for any \(\gamma \in {\mathbb {F}}^*_{2^m}\). Hence, for any \(\gamma \in {\mathbb {F}}^*_{2^m}\), there exists \(\beta \in \mathrm{Span}\{\phi (z)|z\in {\mathbb {F}}_2^k\}\) such that \(\mathrm{Tr}_m(\gamma \beta )=1\). That is, for any \(\gamma \in {\mathbb {F}}^*_{2^m}\), there exists \(z\in {\mathbb {F}}_2^k\) such that \(\mathrm{Tr}_m(\phi (z)\gamma )=1\).

For any \(d\in {\mathbb {F}}_2^k\) and \(t\in {\mathbb {F}}^*_{2^m}\) satisfying \(t+L(d)\ne 0\), \(\frac{t}{(t+L(d))^2}\) does not vanish and the mappings \(z\rightarrow \frac{(L(z)+c_i)t}{(t+L(d))^2}\) are affine functions since L(z) is linear, where \(0\le i \le m-k-1\). Let us apply the observation above with \(\gamma =\frac{t}{(t+L(d))^2}\). Then there exists \(z_0\in {\mathbb {F}}_2^k\) such that \(\mathrm{Tr}_m\left( \frac{\phi (z_0)t}{(t+L(d))^2}\right) =1\). The rest of the proof is divided into two cases \(z_0\in U_0\) and \(z_0\notin U_0\).

Case 1\(z_0\in U_0\).

Then \(\phi (z_0)=L(z_0)+c_0\). Since there exists \(z\in {\mathbb {F}}_2^k\) such that \(\mathrm{Tr}_m\left( \frac{(L(z)+c_0)t}{(t+L(d))^2}\right) =1\) and \(z\rightarrow \frac{(L(z)+c_0)t}{(t+L(d))^2}\) is an affine function, we can apply Fact 1 and we deduce:

$$\begin{aligned} \#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{(L(z)+c_0)t}{(t+L(d))^2}\right) =1\right\} \ge 2^{k-1}. \end{aligned}$$

(15)

In this case, we will only consider those z satisfying \(z,z+d\in U_0\). Then

$$\begin{aligned} \mathrm{Tr}_m\left( \frac{\phi (z)t}{(t+\phi (z)+\phi (z+d))^2}\right) =\mathrm{Tr}_m\left( \frac{(L(z)+c_0)t}{(t+L(d))^2}\right) \end{aligned}$$

for these z.

Further, for any \(d\in {\mathbb {F}}_2^k\) and \(t\in {\mathbb {F}}^*_{2^m}\) satisfying \(t+L(d)\ne 0\), we have

$$\begin{aligned}&2^{k+1}-2\#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{\phi (z)t}{(t+\phi (z)+\phi (z+d))^2}\right) =1\right\} \\&\qquad - \, \#\{z\in {\mathbb {F}}_2^k|t=\phi (z)+\phi (z+d)\}+\#\{z\in {\mathbb {F}}_2^k|t=\phi (z)\}+\#\{z\in {\mathbb {F}}_2^k|t=\phi (z+d)\}\\&\quad \le 2^{k+1}-2\#\left\{ z\bigg |z,z+d\in U_0,\mathrm{Tr}_m\left( \frac{\phi (z)t}{(t+\phi (z)+\phi (z+d))^2}\right) =1\right\} -0+1+1\\&\quad = 2^{k+1}-2\#\left\{ z\bigg |z,z+d\in U_0,\mathrm{Tr}_m\left( \frac{(L(z)+c_0)t}{(t+L(d))^2}\right) =1\right\} +2\\&\quad = 2^{k+1}-2\#\left( \{z|z,z+d\in U_0\}\bigcap \left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{(L(z)+c_0)t}{(t+L(d))^2}\right) =1\right\} \right) +2\\&\quad = 2^{k+1}-2\#\{z|z,z+d\in U_0\}-2\#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{(L(z)+c_0)t}{(t+L(d))^2}\right) =1\right\} \\&\qquad + \, 2\#\left( \{z|z,z+d\in U_0\}\bigcup \left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{(L(z)+c_0)t}{(t+L(d))^2}\right) =1\right\} \right) +2\\&\quad \le 2^{k+1}-2\#\{z|z,z+d\in U_0\}-2\#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{(L(z){+}c_0)t}{(t+L(d))^2}\right) {=}1\right\} + \, 2\#\{z\in {\mathbb {F}}_2^k\}+2\\&\quad \le 2^{k+1}-2(2^{k-1}+2l)-2^k+2^{k+1}+2\\&\quad = 2^{k+1}-4l+2. \end{aligned}$$

The last inequality follows from (14) and (15).

Case 2\(z_0\notin U_0\).

Then there exists \(1\le i \le m-k-1\) such that \(z_0\in U_i\). Thus \(\phi (z_0)=L(z_0)+c_i\), which means there exists \(z\in {\mathbb {F}}_2^k\) such that \(\mathrm{Tr}_m\left( \frac{(L(z)+c_i)t}{(t+L(d))^2}\right) =1\). Since \(z\rightarrow \frac{(L(z)+c_i)t}{(t+L(d))^2}\) is an affine function, we have

$$\begin{aligned} \#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{(L(z)+c_i)t}{(t+L(d))^2}\right) =1\right\} =2^{k-1}\ or\ 2^k, \end{aligned}$$

according to Fact 1. The rest of the proof is divided into two subcases.

Subcase 2.1\(\#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{(L(z)+c_i)t}{(t+L(d))^2}\right) =1\right\} =2^{k-1}\).

Then

$$\begin{aligned} \#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{(L(z)+c_i)t}{(t+L(d))^2}\right) =0\right\} =2^{k-1}. \end{aligned}$$

This means

$$\begin{aligned}&\#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{(L(z)+c_0)t}{(t+L(d))^2}\right) =1\right\} \\&\quad =\#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{(L(z)+c_i)t}{(t+L(d))^2}\right) =\mathrm{Tr}_m\left( \frac{(c_0+c_i)t}{(t+L(d))^2}\right) +1\right\} \\&\quad = 2^{k-1} \end{aligned}$$

no matter constant \(\mathrm{Tr}_m\left( \frac{(c_0+c_i)t}{(t+L(d))^2}\right) +1\) equals 0 or 1.

Notice that both (14) and (15) also hold in this subcase, similar to Case 1, we only consider those z satisfying \(z,z+d\in U_0\). Then

$$\begin{aligned} \mathrm{Tr}_m\left( \frac{\phi (z)t}{(t+\phi (z)+\phi (z+d))^2}\right) =\mathrm{Tr}_m\left( \frac{(L(z)+c_0)t}{(t+L(d))^2}\right) \end{aligned}$$

for these z.

Thus for any \(d\in {\mathbb {F}}_2^{k}\) and \(t\in {\mathbb {F}}^*_{2^m}\) satisfying \(t+L(d)\ne 0\),

$$\begin{aligned}&2^{k+1}-2\#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{\phi (z)t}{(t+\phi (z)+\phi (z+d))^2}\right) =1\right\} \\&\qquad - \, \#\{z\in {\mathbb {F}}_2^k|t=\phi (z)+\phi (z+d)\}+\#\{z\in {\mathbb {F}}_2^k|t=\phi (z)\}+\#\{z\in {\mathbb {F}}_2^k|t=\phi (z+d)\}\\&\quad \le 2^{k+1}-4l+2 \end{aligned}$$

for the same reason as in Case 1.

Subcase 2.2\(\#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{(L(z)+c_i)t}{(t+L(d))^2}\right) =1\right\} =2^k\).

Then for any \(z\in {\mathbb {F}}_2^k\), \(\mathrm{Tr}_m\left( \frac{(L(z)+c_i)t}{(t+L(d))^2}\right) =1\). In this subcase, we will only consider those z satisfying \(z,z+d\in U_i\), then for these z, we have

$$\begin{aligned} \mathrm{Tr}_m\left( \frac{\phi (z)t}{(t+\phi (z)+\phi (z+d))^2}\right) =\mathrm{Tr}_m\left( \frac{(L(z)+c_i)t}{(t+L(d))^2}\right) . \end{aligned}$$

Since for any \(d\in {\mathbb {F}}_2^k\) appears at least 2l times in the multiset \(\{*\ z_1+z_2| (z_1,z_2)\in U_i\times U_i\ *\}\) for any \(U_i\), then there are at least 2l different \(z_1\in U_i\) such that \(z_2=z_1+d\in U_i\). This means for any \(d\in {\mathbb {F}}_2^k\),

$$\begin{aligned} \#\{z|z,z+d\in U_i\}\ge 2l. \end{aligned}$$

Thus for any \(d\in {\mathbb {F}}_2^k\) and \(t\in {\mathbb {F}}^*_{2^m}\) satisfying \(t+L(d)\ne 0\), we have

$$\begin{aligned}&2^{k+1}-2\#\left\{ z\in {\mathbb {F}}_2^k\bigg |\mathrm{Tr}_m\left( \frac{\phi (z)t}{(t+\phi (z)+\phi (z+d))^2}\right) =1\right\} \\&\qquad - \, \#\{z\in {\mathbb {F}}_2^k|t=\phi (z)+\phi (z+d)\}+\#\{z\in {\mathbb {F}}_2^k|t=\phi (z)\}+\#\{z\in {\mathbb {F}}_2^k|t=\phi (z+d)\}\\&\quad \le 2^{k+1}-2\#\left\{ z\bigg |z,z+d\in U_i,\mathrm{Tr}_m\left( \frac{\phi (z)t}{(t+\phi (z)+\phi (z+d))^2}\right) =1\right\} -0+2\\&\quad = 2^{k+1}-2\#\left\{ z\bigg |z,z+d\in U_i,\mathrm{Tr}_m\left( \frac{(L(z)+c_i)t}{(t+L(d))^2}\right) =1\right\} +2\\&\quad = 2^{k+1}-2\#\{z|z,z+d\in U_i\}+2\\&\quad \le 2^{k+1}-4l+2. \end{aligned}$$

All in all, \(\Delta \le 2^{k+1}-4l+2\) according to Proposition 3.1. \(\square \)

Appendix B: \((2m - 2,m)\)-functions with low differential uniformity in the form \(F(x,z) = \phi (z)I(x)\) when m = 5,6,7

A differentially 14-uniform (8, 5)-function: Let \(F_{8,5}(x,z)=\phi (z)I(x)\), where I(x) is the inverse function on \({\mathbb {F}}_{2^5}\) and \(\phi :{\mathbb {F}}_2^3\rightarrow {\mathbb {F}}_{2^5}\) is presented by Table 1:

Table 1 Differentially 14-uniform (8, 5)-function

where \(\alpha \) is a defining element of \({\mathbb {F}}_{2^5}\).

A differentially 30-uniform (10, 6)-function: Let \(F_{10,6}(x,z)=\phi (z)I(x)\), where I(x) is the inverse function on \({\mathbb {F}}_{2^6}\) and \(\phi :{\mathbb {F}}_2^4\rightarrow {\mathbb {F}}_{2^6}\) is presented by Table 2:

Table 2 Differentially 30-uniform (10, 6)-function

where \(\alpha \) is a defining element of \({\mathbb {F}}_{2^6}\).

A differentially 58-uniform (12, 7)-function: Let \(F_{12,7}(x,z)=\phi (z)I(x)\), where I(x) is the inverse function on \({\mathbb {F}}_{2^7}\) and \(\phi :{\mathbb {F}}_2^5\rightarrow {\mathbb {F}}_{2^7}\) is presented by Table 3:

Table 3 Differentially 58-uniform (12, 7)-function

where \(\alpha \) is a defining element of \({\mathbb {F}}_{2^7}\).