1 Introduction

For n a positive integer, let \({{\mathbb {F}}}_{2^n}\) be the finite field with \(2^n\) elements. By \({{\mathbb {F}}}_{2^n}^\star \) we denote the multiplicative group of \({{\mathbb {F}}}_{2^n}\) and, throughout the paper, \(\zeta \) denotes one of its primitive elements, so that \({{\mathbb {F}}}_{2^n}^\star =\langle \zeta \rangle =\{1,\zeta , \zeta ^2, \zeta ^3, \dots ,\zeta ^{2^n-2}\}\). An (n, n)-function is a map from \({{\mathbb {F}}}_{2^n}\) to itself. Such a function admits a unique representation as a univariate polynomial of degree at most \(2^n-1\), that is

$$\begin{aligned} F(x)=\sum _{j=0}^{2^n-1}a_jx^j, \qquad a_j\in {{\mathbb {F}}}_{2^n}. \end{aligned}$$

The kernel of F is defined as \(\ker (F)=\{ u\in {{\mathbb {F}}}_{2^n}\ s.t.\ F(u)=0 \}\).

The function F is

  • linear if \(F(x)=\sum _{i=0}^{n-1}c_ix^{2^i}\);

  • affine if it is the sum of a linear function and a constant;

  • DO (Dembowski-Ostrom) polynomial if \(F(x)=\sum _{0\le i<j<n}a_{ij}x^{2^i+2^j}\), with \(a_{ij}\in {{\mathbb {F}}}_{2^n}\);

  • quadratic if it is the sum of a DO polynomial and an affine function.

A function F is called differentially \(\delta \)-uniform, for \(\delta \) a positive integer, if for any pair \((a,b)\in {{\mathbb {F}}}_{2^n}^2\), with \(a\ne 0\), the equation \(F(x+a)-F(x)=b\) admits at most \(\delta \) solutions. When F is used as an S-box inside a cryptosystem, the differential uniformity measures its contribution to the resistance to the differential attack [3]. The smaller \(\delta \) is, the better the resistance to this attack.

Over fields of characteristic 2, the solutions of the equation \(F(x+a)-F(x)=b\), that is, \(F(x+a)+F(x)=b\), go by pairs \(\{x, x+a\}\), and \(\delta \) is even. The best resistance is then achieved by differentially 2-uniform functions. Such functions are also called almost perfect nonlinear; in short, APN. The simplest known example of an APN function is the Gold function, \({{\mathscr {G}}}_{i}(x)=x^{2^i+1}\), which is APN whenever i is coprime with n.

APN functions have connections to optimal objects in other fields such as geometry, sequence design and combinatorics.

There are several equivalence relations of functions for which differential uniformity, and thus the APN property, is preserved. Two functions F and \(F'\) from \({{\mathbb {F}}}_{2^n}\) to itself are called:

  • affine equivalent if \(F' = A_1 \circ F \circ A_2\) where \(A_1,A_2:{{\mathbb {F}}}_{2^n}\rightarrow {{\mathbb {F}}}_{2^n}\) are affine permutations;

  • EA-equivalent if \(F' =F'' + A\), where the map \(A:{{\mathbb {F}}}_{2^n}\rightarrow {{\mathbb {F}}}_{2^n}\) is affine and \(F''\) is affine equivalent to F;

  • CCZ-equivalent [12] if there exists some affine permutation \({\mathscr {L}}\) of \({{\mathbb {F}}}_{2^n}\times {{\mathbb {F}}}_{2^n}\) such that the image of the graph of F is the graph of \(F'\), that is, \({\mathscr {L}}(G_F) = G_{F'}\), where \(G_F = \{(x,F(x)) \,:\, x \in {{\mathbb {F}}}_{2^n}\}\) and \(G_{F'} = \{(x,F'(x)) \,:\, x \in {{\mathbb {F}}}_{2^n}\}\).

CCZ-equivalence is the most general known equivalence relation for functions which preserves differential uniformity, while affine and EA-equivalences are its particular cases. We refer the reader to [5] and [11] for a more comprehensive overview on vectorial Boolean functions.

Inspired by the notion of isotopic equivalence, originally defined by Albert [1] in the study of presemifields and semifields, a new construction method for APN functions, called isotopic shift, was introduced in [6].

Given p a prime number, \(F\in {{\mathbb {F}}}_{p^n}[x]\) a function, and \(L\in {{\mathbb {F}}}_{p^n}[x]\) a linear map, the isotopic shift of F by L is defined as the map:

$$\begin{aligned} F_L(x)=F(x+L(x))-F(x)-F(L(x)). \end{aligned}\tag{1}$$

As we have shown in [6], for the case \(p=2\), an isotopic shift of an APN function can lead to APN functions CCZ-inequivalent to the original map. In particular, all existing quadratic APN functions over \({{\mathbb {F}}}_{2^6}\), which are 13 up to CCZ-equivalence, can be obtained from \(x^3\) by isotopic shift. Moreover, a new family of quadratic APN functions, which generates a new APN function for \(n=9\), is constructed by isotopic shift of Gold functions [6]. In [7], the isotopic shift construction has been investigated for the case of planar functions (\(p>2\)), i.e. differentially 1-uniform functions. Also here, given a planar function, it is possible to obtain an inequivalent planar function from its isotopic shifts.

In the present paper we further study the isotopic shift construction over fields of even characteristic. Firstly, we verify that, over \({{\mathbb {F}}}_{2^6}\), any quadratic APN map can be obtained as an isotopic shift of any other quadratic APN map. Then, we consider different generalizations of the isotopic shift construction when the initial function is a monomial with a Gold exponent. In [6], we studied the APN property of the isotopic shift of \({{\mathscr {G}}}_{i} (x)=x^{2^i+1}\) over \({{\mathbb {F}}}_{2^n}\), with \(n=km\), given by

$$\begin{aligned} {{\mathscr {G}}}_{i,L}(x)=xL(x)^{2^i}+x^{2^i}L(x), \end{aligned}\tag{2}$$

where L is a \(2^m\)-polynomial, that is \(L(x)=\sum _{i=0}^{k-1}A_ix^{2^{im}}\) for some \(A_i\in {{\mathbb {F}}}_{2^n}\). This construction provides a new APN function over \({{\mathbb {F}}}_{2^9}\).

In the present work, we study the APN property of \(xL_1(x)^{2^i}+x^{2^i}L_2(x)\) where both \(L_1\) and \(L_2\) are \(2^m\)-polynomials. From this construction, we obtain fifteen new APN functions for \(n=9\). Moreover, we cover some of the functions in the lists given in [16] and [19] which are not contained in any of the known infinite families.

To show the inequivalence between some of the obtained maps, we introduce in Proposition 3.2 a new EA-invariant (this invariant was also noticed independently in [17]). Note that for quadratic APN functions, CCZ-equivalence coincides with EA-equivalence [23].

Finally, we consider the case when the isotopic shift of \({{\mathscr {G}}}_{i} (x)\) is obtained using a function L not necessarily linear. In this case we obtain that all the known power APN functions in odd dimension, except the Dobbertin function, can be obtained as the nonlinear shifts of Gold functions.

2 Further results on the isotopic linear shift over \({{\mathbb {F}}}_{2^n}\)

Before considering generalizations of the isotopic shift, we extend a result obtained in [6].

We have shown that, given a quadratic APN function F, if the isotopic shift \(F_L\) by a linear map L is APN, then the map L is either a permutation or a 2-to-1 map. From the isotopic shifts of the Gold function \(x^3\), with both choices for L being a permutation and a 2-to-1 map, we obtained (computationally) all the quadratic APN functions over \({{\mathbb {F}}}_{2^6}\) (up to EA-equivalence). That is, for any given quadratic APN function F over \({{\mathbb {F}}}_{2^6}\) there exist a permutation L and a 2-to-1 map \(L'\) such that the isotopic shifts \({{\mathscr {G}}}_{1,L}(x)\) and \({{\mathscr {G}}}_{1,L'}(x)\) are EA-equivalent to F. The same result was computationally obtained for any quadratic APN map over \({{\mathbb {F}}}_{2^6}\) listed in [16, Table 5] (see also [4]) in place of \({{\mathscr {G}}}_{1}\). Up to EA-equivalence (and thus CCZ-equivalence) the list is complete and, since for two quadratic maps the EA-equivalence implies EA-equivalence of the isotopic shifts (see [6, Corollary 3.2]), we can state the following result.

Proposition 2.1

Over \({{\mathbb {F}}}_{2^6}\) for any two quadratic APN maps F and G, there exist a linear permutation L and a linear 2-to-1 map \(L^\prime \) such that \(F_L\) and \(F_{L^\prime }\) are EA-equivalent to G.

We conclude with the observation that the isotopic shift can lead to an APN function also starting from a non-APN function.

Remark 2.1

Consider \({{\mathbb {F}}}_{2^6}\) and the function \(F(x)=x^5\), which is not APN. With \(L(x)=\zeta x^8\) we construct the APN map

$$\begin{aligned} F_L(x)=x^4L(x)+xL(x)^4=\zeta x^{12}+\zeta ^4 x^{33}, \end{aligned}$$

where \(F_L(x)=M(x^3)\) for the linear permutation \(M(x)=\zeta x^4+\zeta ^4x^{32}\).
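Remark 2.1 can be checked by exhaustive computation. The following Python script is an added example, not code from the paper: it builds \({{\mathbb {F}}}_{2^6}\) from the primitive polynomial \(x^6+x+1\) (an assumption; the paper only fixes some primitive \(\zeta \)), takes \(\zeta \) to be the class of x, and compares the differential uniformity of \(x^5\) with that of its isotopic shift by \(L(x)=\zeta x^8\).

```python
# Added example: exhaustive check of Remark 2.1 over GF(2^6).
# Assumption: the field is built from x^6 + x + 1 and zeta is the class of x.
N = 6
SIZE = 1 << N             # 64 field elements, encoded as integers 0..63
ORDER = SIZE - 1          # 63, order of the multiplicative group
MODULUS = 0b1000011       # x^6 + x + 1

def build_tables():
    """Return (exp, log) tables for zeta = x, refusing a non-primitive zeta."""
    exp, log = [0] * (2 * ORDER), {}
    value = 1
    for k in range(ORDER):
        if value in log:
            raise ValueError("zeta is not primitive for this modulus")
        exp[k] = exp[k + ORDER] = value
        log[value] = k
        value <<= 1                      # multiply by zeta
        if value & SIZE:
            value ^= MODULUS             # reduce modulo x^6 + x + 1
    return exp, log

EXP, LOG = build_tables()
ZETA = EXP[1]

def mul(a, b):
    """Field multiplication via discrete logarithms."""
    if a == 0 or b == 0:
        return 0
    return EXP[LOG[a] + LOG[b]]

def power(a, e):
    """a**e for an integer e >= 0, with the convention 0**0 = 1."""
    if e == 0:
        return 1
    if a == 0:
        return 0
    return EXP[(LOG[a] * e) % ORDER]

def table(func):
    """Lookup table of a function on the whole field."""
    return [func(x) for x in range(SIZE)]

def differential_uniformity(f):
    """Largest number of solutions x of f(x + a) + f(x) = b over a != 0 and all b."""
    worst = 0
    for a in range(1, SIZE):
        counts = [0] * SIZE
        for x in range(SIZE):
            counts[f[x ^ a] ^ f[x]] += 1   # addition in characteristic 2 is XOR
        worst = max(worst, max(counts))
    return worst

def isotopic_shift(f, lin):
    """Table of F_L(x) = F(x + L(x)) - F(x) - F(L(x)), equation (1)."""
    return [f[x ^ lin[x]] ^ f[x] ^ f[lin[x]] for x in range(SIZE)]

X5 = table(lambda x: power(x, 5))                       # F(x) = x^5
L = table(lambda x: mul(ZETA, power(x, 8)))             # L(x) = zeta x^8
SHIFT = isotopic_shift(X5, L)
CLOSED_FORM = table(lambda x: mul(ZETA, power(x, 12))
                    ^ mul(power(ZETA, 4), power(x, 33)))
M = table(lambda x: mul(ZETA, power(x, 4))
          ^ mul(power(ZETA, 4), power(x, 32)))          # M(x) = zeta x^4 + zeta^4 x^32
M_OF_CUBE = [M[power(x, 3)] for x in range(SIZE)]

def remark_2_1_report():
    """Collect every claim of Remark 2.1 as a computed value."""
    return {
        "delta_x5": differential_uniformity(X5),
        "delta_shift": differential_uniformity(SHIFT),
        "shift_matches_closed_form": SHIFT == CLOSED_FORM,
        "shift_is_M_of_x3": SHIFT == M_OF_CUBE,
        "M_is_permutation": len(set(M)) == SIZE,
    }

if __name__ == "__main__":
    print(remark_2_1_report())
```

The same `differential_uniformity` routine applies to any lookup table over this field, so other choices of L can be tested by changing one line.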

3 Generalized isotopic shift of Gold functions

In this section we generalize the isotopic shift construction for the case of Gold functions.

3.1 On the generalized linear shift over \({{\mathbb {F}}}_{2^n}\)

In [6], we showed that the isotopic shift can be a useful construction method for APN functions. Let \(n=km\), where m and k are any positive integers. An \({{\mathbb {F}}}_{2^{m}}\)-polynomial is a linear map given by \(L(x)=\sum _{j=0}^{k-1}A_jx^{2^{jm}}\), for some \(A_j\in {{\mathbb {F}}}_{2^n}\). The construction \({{\mathscr {G}}}_{i,L}(x)\) as in (2) leads to a family of APN functions, providing, in particular, for \(n=9\) (\(k,m=3\)) a new APN function and for \(n=8\) (\(k=4\), \(m=2\)) a function equivalent to \(x^9+{{\,\mathrm{Tr}\,}}(x^3)\), which is not contained in any infinite family.

In the following, we generalize the isotopic shift construction. This generalization provides further new APN functions, as will be shown below.

Given two positive integers k, m, let us consider the finite field \({{\mathbb {F}}}_{2^n}\) with \(n=km\). Denoting \(d=\gcd (2^m-1,\frac{2^{km}-1}{2^m-1})\), let \(d^\prime \) be the positive integer with the same prime factors as d, satisfying \(\gcd (2^m-1,\frac{2^{km}-1}{(2^m-1)d^\prime })=1\). Now, let \(U=\langle \zeta ^{d^\prime (2^m-1)} \rangle \) be the multiplicative subgroup of \({{\mathbb {F}}}_{2^n}^\star \) of order \(\big (\frac{2^{km}-1}{2^m-1}\big )/d^\prime \). Note that it is possible to write every element \(x\in {{\mathbb {F}}}_{2^n}^\star \) as \(x=ut\) with \(u\in W\) and \(t\in {{\mathbb {F}}}_{2^m}^\star \), where \(W=\{\zeta ^sy : y\in U,\ 0\le s\le {d^\prime -1}\}\). Indeed, letting \(\mathbb {F}_{2^{mk}}^\star =\langle \zeta \rangle \), we have \(x=\zeta ^{d^\prime z+j}\), for some integers z and j where \(0\le j\le d^\prime -1\). For ease of notation, set \(l=\frac{2^{mk}-1}{(2^m-1)d^\prime }\). Since \(\gcd (2^m-1,l)=1\), for any such z, there exist integers r and s such that \(z=r(2^m-1)+sl\). Hence we have

$$\begin{aligned} x=\zeta ^{d^\prime z+j} = \zeta ^{d^\prime r(2^m-1)}\zeta ^j\zeta ^{d^\prime sl} = ut, \end{aligned}$$

where, denoting \(y=\zeta ^{d^\prime r(2^m-1)}\in U\), we have \(u=y\zeta ^j\in W\) and \(t=\zeta ^{d^\prime sl}=\zeta ^{s(\frac{2^{mk}-1}{2^m-1})}\in \mathbb {F}_{2^{m}}^\star \). Since \(|\{(u,t) : u\in W, t\in \mathbb {F}_{2^{m}}^\star \}|=|W|\cdot |\mathbb {F}_{2^{m}}^\star |=(d^\prime |U|)\cdot (2^m-1)=d^\prime \cdot \frac{2^{mk}-1}{d^\prime (2^m-1)}\cdot (2^m-1)=2^{mk}-1=|\mathbb {F}_{2^{mk}}^\star |\), two distinct elements in \(\mathbb {F}_{2^{mk}}^\star \) cannot have the same representation, so u and t are unique.

Then it is possible to obtain the following generalization of [6, Theorem 6.3].

Theorem 3.1

Let \(n=km\) for \(m>1\). Let \(L_1(x)=\sum _{j=0}^{k-1}A_jx^{2^{jm}}\) and \(L_2(x)= \sum _{j=0}^{k-1}B_jx^{2^{jm}}\) be two \({{\mathbb {F}}}_{2^m}\)-polynomials. Then, let i be such that \(\gcd (i,m)=1\) and \(F\in {{\mathbb {F}}}_{2^n}[x]\) the function given by:

$$\begin{aligned} F(x)=xL_1(x)^{2^i}+x^{2^i}L_2(x). \end{aligned}\tag{3}$$

Then F is APN over \({{\mathbb {F}}}_{2^n}\) if and only if each of the following statements holds for any \(v\in W\):

  • \((\frac{L_1(v)}{v})^{2^i}\ne \frac{L_2(v)}{v}\);

  • If \(u\in W\setminus \{1\}\) and \((\frac{L_1(uv)}{uv})^{2^i}=\frac{L_2(v)}{v}\), then \((\frac{L_1(v)}{v})^{2^i}\ne \frac{L_2(uv)}{uv}\);

  • If \(u\in W\setminus \{1\}\) and \((\frac{L_1(uv)}{uv})^{2^i}\ne \frac{L_2(v)}{v}\), then \(\frac{L_1(v)^{2^i}(uv)+L_2(uv)v^{2^i}}{L_1(uv)^{2^i}v+L_2(v)(uv)^{2^i}}\not \in {{\mathbb {F}}}_{2^m}^\star \).

Proof

We need that, for any \(a\in {{\mathbb {F}}}_{2^n}^\star \), the function \(\varDelta _a(x)=F(x+a)+F(x)+F(a)+F(0)\) is a 2-to-1 map, or equivalently, that \(\ker (\varDelta _a(ax))=\{0,1\}\). As shown before, we can rewrite \(a=st\) and \(x=uv\) with \(s,u\in {{\mathbb {F}}}_{2^m}^\star \) and \(t,v\in W\). Hence, since \(L_1\) and \(L_2\) are \({{\mathbb {F}}}_{2^m}\)-polynomials, we have:

$$\begin{aligned} \varDelta _a(ax) =&L_1(a)^{2^i}ax+L_2(a)(ax)^{2^i}+L_1(ax)^{2^i}a+L_2(ax)a^{2^i}\\ =&s^{2^i}L_1(t)^{2^i}st\cdot uv+sL_2(t)s^{2^i}t^{2^i}\cdot u^{2^i}v^{2^i}+s^{2^i}u^{2^i}L_1(tv)^{2^i}st+suL_2(tv)s^{2^i}t^{2^i}\\ =&us^{2^i+1}[(L_1(t)^{2^i}tv+L_2(tv)t^{2^i})+u^{2^i-1}(L_2(t)t^{2^i}v^{2^i}+L_1(tv)^{2^i}t)]. \end{aligned}$$

Without loss of generality we can assume that \(s=1\). So, F is APN over \({{\mathbb {F}}}_{2^n}\) if and only if \(u=0\) or \(u=v=1\) are the only solutions to \(\varDelta _{t}(uvt)=0\) for any \(t\in U\).

If \(v=1\), then

$$\begin{aligned} \varDelta _t(tx)=u(L_1(t)^{2^i}t+L_2(t)t^{2^i})[1+u^{2^i-1}]. \end{aligned}$$

Since \(\gcd (i,m)=1\), \(x^{2^i-1}\) is a permutation over \({{\mathbb {F}}}_{2^m}\) and thus \(\ker (\varDelta _t(tx))=\{0,1\}\) if and only if \(\frac{L_1(t)^{2^i}}{t^{2^i}}\ne \frac{L_2(t)}{t}\).

Assume now that \(v\ne 1\). Then, if \(L_2(t)t^{2^i}v^{2^i}+L_1(tv)^{2^i}t=0\), we have:

$$\begin{aligned} \varDelta _t(tx)=u[(L_1(t)^{2^i}tv+L_2(tv)t^{2^i})]. \end{aligned}$$

This implies \(\frac{L_1(t)^{2^i}}{t^{2^i}}\ne \frac{L_2(tv)}{tv}\).

If \(L_2(t)t^{2^i}v^{2^i}+L_1(tv)^{2^i}t\ne 0\), then

$$\begin{aligned}{}[(L_1(t)^{2^i}tv+L_2(tv)t^{2^i})+u^{2^i-1}(L_2(t)t^{2^i}v^{2^i}+L_1(tv)^{2^i}t)]=0 \end{aligned}$$

implies \(u^{2^i-1}=\frac{L_1(t)^{2^i}tv+L_2(tv)t^{2^i}}{L_2(t)t^{2^i}v^{2^i}+L_1(tv)^{2^i}t}\). Since \(x^{2^i-1}\) is a permutation over \({{\mathbb {F}}}_{2^m}\) this equation admits a solution different from zero if and only if \(\frac{L_1(t)^{2^i}tv+L_2(tv)t^{2^i}}{L_2(t)t^{2^i}v^{2^i}+L_1(tv)^{2^i}t}\) is contained in \({{\mathbb {F}}}_{2^m}^\star \). \(\square \)

The obtained APN function (3) is of the form

$$\begin{aligned} F(x)=(A_0^{2^i}+B_0)x^{2^i+1}+\sum _{j=1}^{k-1}[A_j^{2^i}x^{2^{i+jm}+1}+B_jx^{2^{jm}+2^i}]. \end{aligned}$$

Let us see now necessary conditions on the linear functions \(L_1\) and \(L_2\) for F to be APN.

Proposition 3.1

Let \(n, L_1, L_2\) and F be as in Theorem 3.1. If F is APN over \({{\mathbb {F}}}_{2^n}\), then the following statements hold:

  (i) \(\ker (L_1(x)+rx)\cap \ker (L_2(x)+r^{2^i}x)=\{0\}\) for any \(r\in {{\mathbb {F}}}_{2^n}\);

  (ii) \(|\ker (L_1(x)^{2^i}+rx)\cap \ker (L_2(x)+w^{2^i}x^{2^i})|\le 2\) for any \(r,w\in {{\mathbb {F}}}_{2^n}\);

  (iii) If \(\ker (L_1)\cap \ker (L_2(x)+x)\ne \{0\}\), then \(\ker (L_1(x)+x)\cap \ker (L_2)=\{0\}\);

  (iv) \(\ker (L_1(x)+rx^{2^j})\cap \ker (L_2(x)+r^{2^i}x^{(2^j-1)2^i+1})=\{0\}\) for any \(r\in {{\mathbb {F}}}_{2^n}\) and \(j\ge 0\).

Proof

For any nonzero a, we define the function \(\varDelta _a(x) =F(x+a)+F(x)+F(a)+F(0)\) and, with \(t\in {{\mathbb {F}}}_{2^m}\), we have

$$\begin{aligned} \varDelta _a(x)&= a L_1(x)^{2^i} + x L_1(a)^{2^i} + x^{2^i} L_2(a) + a^{2^i} L_2(x),\\ \varDelta _a(at)&= (t+t^{2^i})(aL_1(a)^{2^i}+a^{2^i}L_2(a)). \end{aligned}$$

Suppose there exists a non-zero \(a\in \ker (L_1(x)+rx)\cap \ker (L_2(x)+r^{2^i}x)\). We clearly have \(a{{\mathbb {F}}}_{2^m}\subseteq \ker (\varDelta _a)\), but since \(m> 1\), this contradicts \(|\ker (\varDelta _a)|=2\). This establishes (i).

For (ii), suppose \(\{0,a,b\}\subset \ker (L_1(x)^{2^i}+rx)\cap \ker (L_2(x)+w^{2^i}x^{2^i})\). Then

$$\begin{aligned} \varDelta _a(b)=a(rb)+b(ra)+a^{2^i}(w^{2^i}b^{2^i})+b^{2^i}(w^{2^i}a^{2^i})=0. \end{aligned}$$

Next suppose \(a\in \ker (L_1)\cap \ker (L_2(x)+x)\). Then we have \(\varDelta _a(x)=a(L_1(x)+x)^{2^i}+a^{2^i}L_2(x)\). Clearly any \(b\in \ker (L_1(x)+x)\cap \ker (L_2)\) satisfies \(\varDelta _a(b)=0\). Since F is APN, \(\ker (\varDelta _a)=\{0,a\}\), so that \(\ker (L_1(x)+x)\cap \ker (L_2)\subset \{0,a\}\). However, \(\ker (L_1)\cap \ker (L_1(x)+x)=\{0\}\), so that no non-zero element of \({{\mathbb {F}}}_{2^n}\) can lie in both \(\ker (L_1)\cap \ker (L_2(x)+x)\) and \(\ker (L_1(x)+x)\cap \ker (L_2)\). This establishes (iii).

For (iv), suppose \(a\in \ker (L_1(x)+rx^{2^j})\cap \ker (L_2(x)+r^{2^i}x^{(2^j-1)2^i+1})\) is non-zero. Then for any \(t\in {{\mathbb {F}}}_{2^m}\) we have

$$\begin{aligned} \varDelta _a(ta)&=(t+t^{2^i})(aL_1(a)^{2^i}+a^{2^i}L_2(a))\\&= (t+t^{2^i})(ar^{2^i}a^{2^j2^i}+a^{2^i}r^{2^i}a^{(2^j-1)2^i+1}) =0, \end{aligned}$$

so that \(a{{\mathbb {F}}}_{2^m}\subseteq \ker (\varDelta _a)\), a contradiction. \(\square \)

3.2 The case \(n=8\)

Applying the construction of Theorem 3.1 in dimension 8 with \(k=4\) and \(m=2\), and restricting the coefficients of \(L_1\) and \(L_2\) to the subfield \({{\mathbb {F}}}_{2^4}\), we obtained several APN functions given in [16, Table 9] and one in [19, Table 6] which have not been previously identified as a part of any APN family. The functions mentioned are listed in Table 1.

The following results were obtained for \(n=8\).

  • Considering generalized isotopic shifts of \(x^3\) it is possible to obtain maps EA-equivalent to nos. 1.2, 1.5, 1.7, 1.8, 1.10, 1.11, 1.12, 1.16, 1.17, 3.1 in Table 9 [16] and to no. 9 in Table 6 of [19].

  • Considering generalized isotopic shifts of \(x^9\) it is also possible to obtain maps EA-equivalent to no. 1.3 Table 9 [16].

Table 1 APN polynomials over \({\mathbb {F}}_{2^8}\) derived from Theorem 3.1

Remark 3.1

The function no. 9 in Table 6 [19] has the same CCZ-invariants (\(\varGamma \)-rank, \(\varDelta \)-rank and \({\mathscr {M}}_{G_F}\)) as the function number 1.9 in Table 9 of [16] (we note that the value of the \(\varGamma \)-rank given in [19] is not correct, indeed this function has \(\varGamma \)-rank = 14034).

Since two quadratic APN functions are CCZ-equivalent if and only if they are EA-equivalent [23], the CCZ-inequivalence between these two functions can be obtained by checking another invariant with respect to the EA-equivalence that we shall introduce in the next subsection.

3.3 A new EA-equivalence invariant

Let \(S(F)=\{b\in {{\mathbb {F}}}_{2^n}\,:\,\exists \,a\in {{\mathbb {F}}}_{2^n}\text { s.t. } {\mathscr {W}}_F(a,b)=0\}\), where \({\mathscr {W}}_F(a,b)=\sum _{x\in {{\mathbb {F}}}_{2^n}}(-1)^{{{\,\mathrm{Tr}\,}}(ax+bF(x))}\) is the Walsh coefficient of F in a and b. This set was used in [8] to study some relations between the CCZ-equivalence and the EA-equivalence.

It is easy to check that:

  • if \(F'(x)=F(x)+L(x)\) with L linear, then \(b\in S(F)\) if and only if \(b\in S(F')\).

  • If \(F'(x)=A_1\circ F\circ A_2(x)\) with \(A_1,A_2\) affine permutations, then \(b\in S(F)\) if and only if \({\bar{A}}_1^*(b)\in S(F')\), where \({\bar{A}}_1^*\) is the adjoint operator of the linear map \(A_1(x)+A_1(0)\).

From this we have the following.

Proposition 3.2

Let \(N_i\) be the number of the \({{\mathbb {F}}}_{2}\)-vector subspaces of \({{\mathbb {F}}}_{2^n}\) contained in S(F) of dimension i. Then, the values \(N_i\) for \(i=1,\dots ,n\) are EA-invariant.

Proof

If \(F'\) is EA-equivalent to F, then there exist \(A_1\), \(A_2\) affine permutations and L linear such that \(F'(x)=A_1\circ F\circ A_2(x)+L(x)\). From the arguments above, denoting \({\bar{A}}_1(x)=A_1(x)+A_1(0)\) we have that \(S(F')={\bar{A}}_1^*(S(F))\). \(\square \)

Remark 3.2

We computed the values \(N_i\) for the two functions and we got \(N_1=86\), \(N_2=340\) and \(N_3=4\) for the new function, and \(N_1=86\), \(N_2=340\) and \(N_3=8\) for the function number 1.9. Thus from Proposition 3.2 we have that the two functions are not EA-equivalent.

Remark 3.3

Note that when n is odd, a quadratic APN function F is Almost Bent (i.e. for all \(b\in {{\mathbb {F}}}_{2^n}^\star \) we have \(\{{\mathscr {W}}_{F}(a,b)\,:\,a \in {{\mathbb {F}}}_{2^n}\}=\{0,\pm 2^{(n+1)/2}\}\)), which implies \(S(F)={{\mathbb {F}}}_{2^n}\). Thus, this invariant cannot be used for testing the CCZ-equivalence of quadratic APN functions in the case n odd.

Remark 3.4

In fact, this EA-invariant was tackled independently by Göloğlu and Pavlů in [17]. In their work, they focused on plateaued functions and looked at the subspaces in the set \(\{b\,:\, {\mathscr {W}}_{F}(0,b)\ne \pm 2^{n/2}\}\) (n even). For plateaued functions, this set coincides with S(F).

3.4 The case \(n=9\)

For the case \(k=m=3\) we consider the generalized linear shift as in (3) with \(L_1\) and \(L_2\) having coefficients in the subfield \({\mathbb {F}}_{2^3}\). In Table 2 we list all known APN functions for \(n=9\), as reported in [6, Table 1]. In Table 3, we list all new APN functions obtained from Theorem 3.1. We can observe that the family of Theorem 3.1 covers the only known example of APN function for \(n=9\), function 8.1 of Table 11 in [16], which has not been previously identified as a part of an APN family. Hence, currently, we do not have any known example of APN functions for \(n=9\) which would not be covered by an APN family. Note that this latter function was not obtained from the approach studied in [16] (it does not belong to a switching class of a previously known APN map). Finally, Table 3 indicates 15 new APN functions all obtained from Theorem 3.1. In both tables we include, for each function, the CCZ-invariants \(\varGamma \)-rank, \(\varDelta \)-rank and \(|{\mathscr {M}}_{G_F}|\).

The CCZ-inequivalence of some of these functions was obtained by checking with MAGMA the equivalence of some linear code which can be associated to an APN function (see [4]).

Table 2 Previously known CCZ-inequivalent APN polynomials over \({\mathbb {F}}_{2^9}\) and their relation to previously known families of APN functions
Table 3 APN polynomials over \({\mathbb {F}}_{2^9}\) derived from Theorem 3.1

3.5 Isotopic shifts with nonlinear functions

In this section we consider the case when the function used in the shift is not necessarily linear.

In [6], it has been proved that, in even dimension, an isotopic shift of the Gold function with a linear function defined over \({\mathbb {F}}_2[x]\) cannot be APN. In the following, we show that for any quadratic function F in even dimension, we cannot obtain APN functions by shifting F with a polynomial whose coefficients belong to \({\mathbb {F}}_2\).

Proposition 3.3

For two integers k and m let \(n=km\) and \(q=2^k\). Consider a function \(F\in {{\mathbb {F}}}_{2^n}[x]\) of the form

$$\begin{aligned} F(x)=\sum _{i<j}b_{ij}x^{q^i+q^j}+\sum _ib_ix^{2^i}+c, \end{aligned}$$

If n is even or \(k>1\), then any isotopic shift \(F_L\) with \(L\in {{\mathbb {F}}}_{2^k}[x]\) cannot be APN. In particular, this holds for any quadratic function \(F\in {{\mathbb {F}}}_{2^n}[x]\) with n even and \(L\in {{\mathbb {F}}}_{2}[x]\).

Proof

For F and L as outlined, we have

$$\begin{aligned} F_L(x)=\sum _{i<j}b_{ij}[x^{q^i}L(x)^{q^j}+x^{q^j}L(x)^{q^i}]+c \end{aligned}$$

and \(L(x^q)=L(x)^q\). Note that for any \(x\in {{\mathbb {F}}}_{2^k}\), \(F_L(x) = c\). For \(a\in {{\mathbb {F}}}_{2^n}\), we set \(\varDelta _a(x)=F_L(x+a)+F_L(x)+F_L(a)+F_L(0)\).

If \(k>1\), then \(\varDelta _a(x)=0\) for all \(x,a\in {{\mathbb {F}}}_{2^k}\), so that \(F_L\) is not APN. If \({{\mathbb {F}}}_{4}=\{0,1,\alpha ,\alpha +1\}\subseteq {{\mathbb {F}}}_{2^n}\), then consider \(\varDelta _\alpha (x)\). Clearly \(\varDelta _\alpha (0)=0\), while it is easily observed that \(\varDelta _\alpha (\alpha +1)=\varDelta _\alpha (1)\). We have

$$\begin{aligned} \varDelta _\alpha (\alpha +1) =&F_L(\alpha +1) + F_L(\alpha ) + F_L(1)+ c\\ =&\sum _{i<j}b_{ij}[ L(\alpha +1)^{q^i}(\alpha +1)^{q^j}+(\alpha +1)^{q^i}L(\alpha +1)^{q^j}\\&\qquad +L(\alpha )^{q^i}\alpha ^{q^j}+\alpha ^{q^i}L(\alpha )^{q^j}]\\ =&\sum _{i<j} b_{ij}[ L(\alpha +1)(\alpha +1)^{q^{j-i}}+(\alpha +1)L(\alpha +1)^{q^{j-i}}\\&\qquad +L(\alpha )\alpha ^{q^{j-i}}+\alpha L(\alpha )^{q^{j-i}}]^{q^i}. \end{aligned}$$

When \(j-i\) is odd and \({{\mathbb {F}}}_{4}\not \subseteq {{\mathbb {F}}}_{2^k}\), the term in the sum is zero as \(\alpha ^{q^{j-i}}=\alpha ^2=\alpha +1\), \(L(\alpha )^{q^{j-i}}=L(\alpha +1)\) and \(L(\alpha +1)^{q^{j-i}}=L(\alpha )\). If \(j-i\) even or \({{\mathbb {F}}}_{4}\subseteq {{\mathbb {F}}}_{2^k}\), then the term in the sum is again zero due to the fact that \(\alpha ^{q^{j-i}}=\alpha \) and \(L(\alpha )^{q^{j-i}}=L(\alpha )\). In either case, we have \(\varDelta _\alpha (x)=0\) for \(x=0,1,\alpha +1\), so \(F_L\) is not APN. \(\square \)

3.5.1 Nonlinear shift for the Gold functions

If we consider an isotopic shift of a Gold function without the restriction that L(x) is a linear function, then \(L(x)=\sum _{j=0}^{2^n-1} c_jx^j\) and the isotopic shift will be of the form

$$\begin{aligned} {{\mathscr {G}}}_{i,L}(x)=x^{2^i}L(x)+xL(x)^{2^i}. \end{aligned}\tag{4}$$

We have \({{\mathscr {G}}}_{i,L}(x^2)^{2^{-1}}=x^{2^i}M(x)+xM(x)^{2^i}\), where \(M(x)=\sum c_j^{2^{-1}}x^j\), and also \(\zeta ^{-2^i-1}{{\mathscr {G}}}_{i,L}(\zeta x)=x^{2^i}N(x)+xN(x)^{2^i}\), where \(N(x)=\sum c_j\zeta ^{j-1}x^j\). Hence we obtain the following.

Proposition 3.4

Let \({{\mathbb {F}}}_{2^n}^\star =\langle \zeta \rangle \). Assume that \({{\mathscr {G}}}_{i,L}\) is constructed with \(L(x)=\sum _{j=0}^{2^n-1}c_jx^{j}\). Then, for any integers k, t, we have that \({{\mathscr {G}}}_{i,L}\) is linear equivalent to \({{\mathscr {G}}}_{i,M}\), where \(M(x)=\sum _{j=0}^{2^n-1}(c_j\zeta ^{k(j-1)})^{2^t}x^{j}\).

As for the linear shifts, it is possible to restrict the search of one possible non-zero coefficient of the function.

In the following table we recall the list of known APN power maps (the list was conjectured to be complete in [14]).

Table 4 Known APN power functions \(x^d\) over \({\mathbb {F}}_{2^n}\)

In odd dimension it is possible to obtain all the power APN functions, except the Dobbertin functions, as the isotopic shifts of a Gold function by a monomial.

Theorem 3.2

Over \({{\mathbb {F}}}_{2^n}\) with n an odd integer, let F be any known APN power function outside the class of Dobbertin functions. Then there exists a monomial \(L(x)=ax^d\) and a Gold function \({{\mathscr {G}}}_{i}=x^{2^i+1}\) such that the shift \({{\mathscr {G}}}_{i,L}\) is EA-equivalent to F.

Proof

As shown in Table 4, excluding the Dobbertin function, the known APN power functions are the Gold functions, the Kasami functions, the Welch function, the Niho functions and the inverse function. In the following we will show that, for any of the mentioned functions, it is possible to construct an isotopic shift of a Gold function that is EA-equivalent to it.

  1. Consider the Kasami function \(x^{2^{2t}-2^{t}+1}\). If t is odd, then let i be an integer such that \(n=2i+t\). Then, considering \(L(x)=ax^{2^{n-i}+2^{n-i+1}+\ldots +2^{n-i+t-1}}\) we have

    $$\begin{aligned} \begin{aligned} {{\mathscr {G}}}_{i,L}(x)&=a^{2^i}x^{2^t}+ax^{2^{n-i}+2^{n-i+1}\ldots +2^{n-i+t-1}+2^i}\\&=a^{2^i}x^{2^t}+ax^{2^{i}(2^{t}+2^{t+1}\ldots +2^{2t-1}+1)}\\&=a^{2^i}x^{2^t}+ax^{2^{i}(2^{2t}-2^{t}+1)}. \end{aligned} \end{aligned}$$

    If t is even, let i be an integer such that \(t=2i\). Then, with \(L(x)=ax^{{2^i+2^{i+1}+\ldots +2^{3i-1}}}\) we have \({{\mathscr {G}}}_{i,L}(x) =a^{2^i}x^{2^{2t}-2^{t}+1}+ax^{2^{3i}}\).

  2. For the inverse function, \(x^{2^n-2}\), considering \(L(x)=ax^{2^{2t}-2}\), where t is such that \(n=2t+1\), we have \({{\mathscr {G}}}_{1,L}(x)=a^2x^{2(2^n-2)}+ax^{2^{2t}}\).

  3. Let \(n=2t+1\) and consider the Welch function \(x^{2^t+3}\). If t is odd, then consider i such that \(t=2i-1\). With \(L(x)=ax^{2^i+2^{i+1}}\) we obtain \({{\mathscr {G}}}_{i,L}(x)=a^{2^i}x^{2^{2i}(2^{2i-1}+3)}+ax^{2^{i+2}}\). If t is even, then consider i such that \(t=2i\). Using \(L(x)=ax^{2^{3i+1}+2^{3i+2}}\) we obtain \({{\mathscr {G}}}_{i,L}(x)=a^{2^i}x^{4}+ax^{2^{3i+1}(2^{2i}+3)}\).

  4. For \(n=2t+1\), with t odd, let \(t=2i-1\). Then, with \(L(x)=ax^{2^n-2^i}\) we obtain that

    $$\begin{aligned} \begin{aligned} {{\mathscr {G}}}_{i,L}(x)&=a^{2^i}x^{2^i-2^{2i}+1}+ax= a^{2^i}x^{2^{2i}(2^{-i}+2^{-2i}-1)}+ax\\&=a^{2^i}x^{2^{2i}(2^{3i-1}+2^{2i-1}-1)}+ax=a^{2^i}x^{2^{2i}(2^{(3t+1)/2}+2^t-1)}+ax\end{aligned} \end{aligned}$$

    is equivalent to the Niho function (indeed \((3t+1)/2=(6i-3+1)/2=3i-1\)). If t is even, let \(t=2i\). Then with \(L(x)=ax^{2^{n-i}+2^{n-i+1}\ldots +2^{n-1}}\)

    $$\begin{aligned} \begin{aligned} {{\mathscr {G}}}_{i,L}(x)&=a^{2^i}x^{2^i}+ax^{2^{n-i}+2^{n-i+1}\ldots +2^{n-1}+2^i}\\&=a^{2^i}x^{2^i}+ax^{2^{n-i}(1+2\ldots +2^{i-1}+2^{2i})}\\&=a^{2^i}x^{2^i}+ax^{2^{n-i}(2^{i}-1+2^{2i})} \end{aligned} \end{aligned}$$

    is equivalent to the Niho function.

  5. Let \(n=2i+1\) and j be an integer such that \(\gcd (n,j)=1\). Then with \(L(x)=ax^{2^{i+j}-2^i}\)

    $$\begin{aligned} \begin{aligned} {{\mathscr {G}}}_{i,L}(x)&=a^{2^i}x^{2^{2i+j}-2^{2i}+1}+ax^{2^{i+j}}=a^{2^i}x^{2^{2i}(2^j+2^{-2i}-1)}+ax^{2^{i+j}}\\&=a^{2^i}x^{2^{2i}(2^j+1)}+ax^{2^{i+j}} \end{aligned} \end{aligned}$$

    is equivalent to the Gold function with parameter j.\(\square \)
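The exponent identities used in the five cases of this proof reduce to integer arithmetic modulo \(2^n-1\), so they can be checked mechanically. The Python script below is an added example, not code from the paper: for \(L(x)=ax^d\) it computes the two exponents of \({{\mathscr {G}}}_{i,L}(x)=ax^{2^i+d}+a^{2^i}x^{1+2^id}\) and tests that one is a power of 2 while the other lies in the cyclotomic coset of the target APN exponent. The function names and the range of the Kasami parameter (every t below n coprime to n) are assumptions of the example.

```python
# Added example: exponent bookkeeping for the proof of Theorem 3.2.
from math import gcd

def shift_exponents(n, i, d):
    """Exponents of x in x^(2^i) L(x) + x L(x)^(2^i) for L(x) = a x^d, mod 2^n - 1."""
    order = (1 << n) - 1
    return ((1 << i) + d) % order, (1 + (d << i)) % order

def coset(e, n):
    """Cyclotomic coset {e * 2^s mod (2^n - 1) : 0 <= s < n}."""
    order = (1 << n) - 1
    return {(e << s) % order for s in range(n)}

def matches(n, i, d, target):
    """True when one term of the shift is linearized and the other has an
    exponent in the cyclotomic coset of `target` (hence EA-equivalent to x^target)."""
    e1, e2 = shift_exponents(n, i, d)
    linear, wanted = coset(1, n), coset(target, n)
    return (e1 in linear and e2 in wanted) or (e2 in linear and e1 in wanted)

def cases(n):
    """Yield (name, i, d, target) for each construction of the proof, n odd, n >= 3."""
    t = (n - 1) // 2                                   # n = 2t + 1
    for s in range(1, n):                              # item 1: Kasami, parameter s
        if gcd(s, n) != 1:
            continue
        kasami = (1 << (2 * s)) - (1 << s) + 1
        if s % 2:                                      # n = 2i + s
            i = (n - s) // 2
            d = sum(1 << (n - i + r) for r in range(s))
        else:                                          # s = 2i
            i = s // 2
            d = sum(1 << r for r in range(i, 3 * i))
        yield ("Kasami", i, d, kasami)
    # item 2: inverse function, shift of the Gold function x^3
    yield ("inverse", 1, (1 << (2 * t)) - 2, (1 << n) - 2)
    if t % 2:                                          # items 3 and 4 with t = 2i - 1
        i = (t + 1) // 2
        yield ("Welch", i, 3 << i, (1 << t) + 3)
        niho = (1 << t) + (1 << ((3 * t + 1) // 2)) - 1
        yield ("Niho", i, (1 << n) - (1 << i), niho)
    else:                                              # items 3 and 4 with t = 2i
        i = t // 2
        yield ("Welch", i, 3 << (3 * i + 1), (1 << t) + 3)
        niho = (1 << t) + (1 << i) - 1
        yield ("Niho", i, sum(1 << (n - i + r) for r in range(i)), niho)
    for j in range(1, n):                              # item 5: Gold with parameter j
        if gcd(j, n) == 1:
            yield ("Gold", t, (1 << (t + j)) - (1 << t), (1 << j) + 1)

def failing_cases(n):
    """Names of the constructions whose exponents do not come out as claimed."""
    return [name for name, i, d, target in cases(n) if not matches(n, i, d, target)]

if __name__ == "__main__":
    for n in (3, 5, 7, 9, 11, 13):
        print(n, failing_cases(n))
```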

Remark 3.5

From computational results, for n even, it seems that it is not possible to obtain APN functions as the isotopic shifts of a Gold map by (non-linear) monomials. The search has been performed for \(n=4,6,8,10\), considering also non-APN Gold exponents.

Problem 3.1

Is it possible to obtain the Dobbertin function as an isotopic shift of a Gold function by a non-linear L?

Problem 3.2

Is it possible to obtain the same result for n an even integer and L a non-linear multinomial?

4 Conclusions

Starting from the work [6], we introduced some generalizations of the isotopic shift construction for the case when the initial function is a Gold power function. In particular, using a generalized form of the isotopic shift with \({{\mathbb {F}}}_{2^m}\)-polynomials, we were able to construct a general family of quadratic APN functions. This allowed us to classify into a family some of the previously known unclassified examples of APN functions for \(n=8,9\), and to provide new APN functions on \({{\mathbb {F}}}_{2^9}\). The computations performed were restricted to linear maps with coefficients in the subfield. We expect that, without such restriction, it is possible to find new APN functions.

We also investigated the case of constructing an isotopic shift with a nonlinear function. In this case, for any odd n, we can obtain all known power APN functions (except the Dobbertin ones) using a nonlinear monomial function.