Abstract
We consider image sets of differentially d-uniform maps of finite fields. We present a lower bound on the image size of such maps and study their preimage distribution. Further, we focus on a particularly interesting case of APN maps on binary fields \(\mathbb {F}_{2^n}\). We show that APN maps with the minimal image size are very close to being 3-to-1. We prove that for n even the image sets of several important families of APN maps are minimal, and as a consequence they have the classical Walsh spectrum. Finally, we present upper bounds on the image size of APN maps. For a nonbijective almost bent map f, these results imply \(\frac{2^n+1}{3}+1 \le |{\text {Im}}(f)| \le 2^n-2^{(n-1)/2}\).
Introduction
Let p be a prime and \(q=p^n\). A map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) is called differentially d-uniform (abbreviated d-uniform), if
A 1-uniform map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) is called planar, that is f is planar if \(f(x+a)-f(x)\) is a permutation for any \(a\in \mathbb {F}_q^*\). Planar maps exist if and only if q is odd. A map f is called almost perfect nonlinear (APN) if f is 2-uniform. Observe that if q is even, then an equation \(f(x+a)+f(x)=b\) always has an even number of solutions, since x solves it if and only if \(x+a\) does so. In particular, there are no 1-uniform maps for q even, and the APN maps have the smallest possible uniformity on binary fields. APN maps and more generally maps in characteristic 2 with low uniformity are an important research object in cryptography, mainly because they provide good resistance to differential attacks when used as an S-box of a block cipher. For a thorough survey detailing the importance of such maps for cryptography, we refer to [5]. Moreover, maps with low uniformity are intimately connected to certain codes [10, 11]. Planar maps can be used for the construction of various structures in combinatorics and algebra, for example difference sets, projective planes and semifields [31].
A celebrated result of Ding and Yuan, obtained in [23], shows that image sets of planar maps yield skew Hadamard difference sets which are inequivalent to the Paley–Hadamard difference sets. This disproved a longstanding conjecture on the classification of skew Hadamard difference sets and motivated an interest in a better understanding of image sets of planar maps, see for example [20, 28, 37]. The image sets of d-uniform maps with \(d>1\) can also be used to construct optimal combinatorial objects, as shown in [13]. However, the case \(d>1\) is less studied than \(d=1\), although \(d=1\) is also far from being completely understood. Here, we extend some of the results on the image sets of planar maps with \(d=1\) to cover a general d. The behavior of the image sets of d-uniform maps and the proofs are more complex for \(d>1\). This is simply explained by the fact that the preimage distribution of a difference map \(f_a: x\mapsto f(x+a)-f(x)\) is not unique and more difficult to control when \(d>1\). The smaller values of d are easier to handle.
A polynomial/map \(f \in \mathbb {F}_q[x]\) is called Dembowski–Ostrom (DO), if it can be written as
when q is odd and
when q is even. Note that \(x^2\) is a DO polynomial for any odd q, but not for even q. Maps obtained as the sum of a DO map with an \(\mathbb {F}_p\)-affine one are called quadratic.
Let \({\text {Im}}(f)\) denote the image set of a map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\). A map f is called k-to-1, if every element in the image of f has exactly k preimages. If k is a divisor of \(q-1\), we call a map f k-divisible, if it can be written as \(f(x)=f'(x^k)\) for a suitable polynomial \(f'\). It is easy to see that f is k-divisible if and only if \(f(x)=f(\theta x)\) for all \(x\in \mathbb {F}_q\) and all \(\theta \in \mathbb {F}_q^*\) whose order divides k. Further, we call a map f almost-k-to-1, if there is a unique element in \({\text {Im}}(f)\) with exactly 1 preimage and all other images have exactly k preimages.
In Sect. 2, we show that a d-uniform map f satisfies
This lower bound is sharp for several classes of d-uniform maps when \(d+1\) divides \(q-1\). However, we expect that the lower bound can be improved for other cases. We give several results on the preimage distribution of d-uniform maps. In particular, we show that if the image set \({\text {Im}}(f)\) of a d-uniform map f is small, then the majority of elements in \({\text {Im}}(f)\) have exactly \(d+1\) preimages.
In Sects. 3–6, we consider in more detail the case \(d=2\), that is APN maps, on binary fields. For an APN map \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) the lower bound is
The first published proof for this bound appears in [14, Lemma 5], where a lower bound on the differential uniformity via image set size is presented. Since the study of image sets of APN maps was not a goal of [14], the lower bound in it remained unnoticed by most researchers on APN maps. A systematic study of the image sets of APN maps originates from [22]. Besides the lower bound, several properties and examples of the image sets of APN maps are presented in [22]. In this paper, we develop the study of image sets of APN maps further. Our results indicate that the APN maps with minimal image size play a major role for understanding fundamental properties of APN maps. We believe that a deeper analysis of the image sets of APN maps is an interesting research direction which will allow progress on several current challenges on APN maps.
At the beginning of our studies, we were quite certain that having an image set of the minimal size \((2^n+1)/3\), resp. \((2^n+2)/3\), is a rare property and not many of the known APN maps will satisfy it. Despite our intuition, we found that if n is even then the opposite is the case and most of the known infinite constructions yield 3-to-1 APN maps. Remarkably, the bivariate APN maps constructed in [24, 39] are also almost-3-to-1, as we show in Theorems 4 and 5. These families contain a large number of inequivalent APN maps as shown in [25]. If n is odd then the lower bound \((2^n+1)/3\) seems not to be sharp.
Presently, the only known primary univariate families of APN maps are monomials \(x\mapsto x^k\) or DO polynomials. These maps serve as a basis for a handful of known secondary constructions of APN maps [5, 31]. Whereas the image sets of monomial maps are multiplicative subgroups extended with the zero element and so they are uniquely determined by \(\gcd (q-1,k)\), the behavior of the image sets of DO polynomials is complex and not very well understood yet. In Sect. 4, we compute the image size of several families of APN DO polynomials.
A map \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) is called crooked if for any nonzero \(a\in \mathbb {F}_{2^n}\) the set
is an affine hyperplane, that is an affine subspace of dimension \(n-1\). It is easy to see that a quadratic APN map is crooked. The crooked permutations for n odd were introduced in [2]. In [27] the definition of crooked maps from [2] was extended to the one given here.
Given a map \(f :\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\), the Boolean functions \(f_\lambda (x) = {{\,\mathrm{Tr}\,}}(\lambda f(x))\) with \(\lambda \in \mathbb {F}_{2^n}^*\) are called the component functions (or briefly components) of f. The Walsh transform of f is defined by
where \(a,b \in \mathbb {F}_{2^n}, b\ne 0\). The multiset \(\{*W_f(b,a) :b \in \mathbb {F}_{2^n}^*, a \in \mathbb {F}_{2^n}*\}\) is called the Walsh spectrum of f and \(\{*|W_f(b,a)| :b \in \mathbb {F}_{2^n}^*, a \in \mathbb {F}_{2^n}*\}\) is called the extended Walsh spectrum of f.
We call \(f_\lambda \) a balanced component of f, if it takes the values 0 and 1 equally often, that is both \(2^{n-1}\) times. Hence \(f_\lambda \) is a balanced component of f if and only if \(W_f(\lambda ,0)=0\). A component function \(f_\lambda \) is called plateaued with amplitude t for an integer \(t \ge 0\) if \(W_f(\lambda ,a) \in \{0,\pm 2^{\frac{n+t}{2}}\}\) for all \(a \in \mathbb {F}_{2^n}\). For n even, a plateaued component with \(t=0\) is called a bent component.
If all component functions of f are plateaued, then f is called componentwise plateaued. For n odd, the map f is called almost bent if all its components \(f_\lambda \) are plateaued with amplitude \(t=1\). It is well known that an almost bent map is necessarily APN, and there are APN maps, which are not almost bent. However, if f is componentwise plateaued, then it is APN if and only if it is AB.
Let \(\mathcal{DO}, \mathcal {Q}, \mathcal {C}, \mathcal {CWP}, \mathcal {APN}\) denote the sets of DO, quadratic, crooked, componentwise plateaued and APN maps of \(\mathbb {F}_{2^n}\), respectively. Given a set A we denote by \(A_{property}\) the subset of elements in A satisfying the property. If it is known that the subset B is a proper subset of A, we write \(B\subsetneq A\), otherwise \(B \subseteq A\). The maps considered in this paper are related as follows:
and
see e.g. [2, 9, 17, 27, 31]. It is conjectured in [27] that \(\mathcal {C} = \mathcal {Q}_{APN}\).
If n is even, many of the currently known APN maps have the extended Walsh spectrum described in the next definition.
Definition 1
Let \(f :\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) and n even. We say that the map f has the classical Walsh spectrum if its extended Walsh spectrum consists of the values 0 with multiplicity \((2^n-1)\cdot 2^{n-2}\), \(2^{n/2}\) with multiplicity \((2/3)(2^n-1)(2^n)\) and \(2^{(n+2)/2}\) with multiplicity \((1/3)(2^n-1)(2^{n-2})\).
The Parseval equation states
for any \(b \in \mathbb {F}_{2^n}\). It implies, in particular, that a componentwise plateaued map f with \((2/3)(2^n-1)\) bent components and \((1/3)(2^n-1)\) plateaued components with amplitude \(t=2\) always has the classical Walsh spectrum.
Our results in Sects. 4 and 5, especially Theorem 4 and Corollary 8, show that for n even it holds
The last inclusion, with our observation that the main known families of quadratic APN maps are almost-3-to-1, gives a natural explanation that they have the classical Walsh spectrum. Note that there are sporadic APN quadratic maps with nonclassical Walsh spectra, see e.g. [3] for such examples.
An important outcome of Sect. 5, more exactly of (12) and Corollary 8, is the following theorem, providing a simple to check sufficient criterion for an APN map to have the classical Walsh spectrum.
Theorem 1
Let n be even and \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be a componentwise plateaued APN map satisfying

\(f(0)=0\),

every \(y \in {\text {Im}}(f)\setminus \{0\}\) has at least 3 preimages.
Then f is almost-3-to-1 and has the classical Walsh spectrum.
Theorem 1 follows from a more general result on the Walsh spectrum of special componentwise plateaued maps, presented in Theorem 7. The fact that almost-3-to-1 componentwise plateaued maps have the classical Walsh spectrum was already observed in [9]. However, to our knowledge, it was never applied to show that a particular APN family has the classical Walsh spectrum.
In Sect. 5, we also study connections between the image set of an almost bent map and its components. As a consequence, we show that any almost bent map has a balanced component function.
We conclude our paper with upper bounds on the image size of special APN maps \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\), presented in Sect. 6. For n odd, our results imply that a nonbijective almost bent map f satisfies
In the case of n even, we observe that if f is a componentwise plateaued APN map, then
To our knowledge, these are the only currently known nontrivial upper bounds on the image size of APN maps.
Images of d-uniform maps
In this section, we extend some of the results from [20, 28, 37] on the image sets of planar maps with \(d=1\) to cover a general d. The behavior of the image sets of d-uniform maps and the proofs are more complex for \(d>1\). This is simply explained by the fact that the preimage distribution of a difference map \(f_a: x\mapsto f(x+a)-f(x)\) is not unique and more difficult to control when \(d>1\).
Let \({\text {Im}}(f)\) be the image set of a map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\). For \(r\ge 1\) we denote by \(M_r(f)\) the number of \(y\in \mathbb {F}_q\) with exactly r preimages. Further, let N(f) denote the number of pairs \((x,y)\in \mathbb {F}_q^2\), such that \(f(x)=f(y)\). Note \(N(f)\ge q\) and \(N(f) =q\) exactly when f is a permutation on \(\mathbb {F}_q\). Let m be the degree of the map f, that is the degree of its univariate polynomial representation of degree not exceeding \(q-1\). Then \(M_r(f) = 0\) for every \(r>m\). The following identities follow directly from the definition of \(M_r(f)\) and N(f)
The quantities \(M_r(f)\) and N(f) appear naturally when studying the image sets of maps on finite fields, see for example [12, 20, 28, 32, 34]. The oldest such reference known to the authors of this paper is [32].
The next two lemmas can be obtained easily from [34, Lemma 1]. We give a detailed proof here to make clear the connection to the concept of d-uniformity and to point out some interesting boundary cases. A map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) is called k-to-1, if every element in the image of f has exactly k preimages, that is if \(M_r(f) =0\) for any \(0<r\ne k\).
Lemma 1
Any map \(f:\mathbb {F}_q\rightarrow \mathbb {F}_q\) fulfills
with equality if and only if f is k-to-1.
Proof
It follows from the Cauchy–Schwarz inequality with (1), (2) and (3) that
The equality above holds if and only if there is a \(k \in \mathbb {R}\) such that \(r\sqrt{M_r(f)}=k\sqrt{M_r(f)}\) for all \(1\le r\le m\), that is when \(M_r(f)=0\) for \(r\ne k\) and \(M_k(f)=|{\text {Im}}(f)|\). \(\square \)
The following proof is an adaptation for any d of [28, Lemma 2], where planar maps with \(d=1\) were considered.
Lemma 2
Let \(f:\mathbb {F}_q\rightarrow \mathbb {F}_q\) be d-uniform. Then
where \(t_0(f)\) is the number of elements \(a\ne 0\) in \(\mathbb {F}_q\) for which \(f(x+a)-f(x)=0\) has a solution x in \(\mathbb {F}_q\). The equality holds if and only if for every nonzero \(a \in \mathbb {F}_q\) the equation \(f(x+a)-f(x)=0\) has either 0 or exactly d solutions.
Proof
Note that
For \(a=0\) every pair (0, v) with \(v\in \mathbb {F}_q\) contributes to N(f). If \(a\ne 0\), then \(f(v+a)-f(v)=0\) has at most d solutions because f is d-uniform. Therefore
\(\square \)
Observe that for a planar map \(N(f) = 2q-1\), since \(f(v+a)-f(v)=0\) has a unique solution for every nonzero a. Generalizing this, a map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) is called zero-difference d-balanced if the equation \(f(x+a)-f(x)=0\) has exactly d solutions for every nonzero a, see [13]. Hence \(N(f) = q + (q-1)d = (d+1)q-d\) for a zero-difference d-balanced map.
Corollary 1
Let \(f:\mathbb {F}_q\rightarrow \mathbb {F}_q\) be d-uniform. Then
The equality holds if and only if f is zero-difference d-balanced.
Proof
The statement follows from Lemma 2 and \(t_0(f) \le q-1\). \(\square \)
Remark 1
Several of the results in this paper hold for any map f with \(N(f)\le (d+1)q-d\), and not only for d-uniform ones. Some of our proofs can easily be adapted if \(N(f)=kq\pm \varepsilon \) is known.
From Lemma 1 and Corollary 1 we get
Theorem 2 extends [28, Theorem 2] to cover an arbitrary d. Besides giving a different proof for the lower bound in (4), it additionally provides information on the possible preimage distribution of a d-uniform map. For a map \(f:\mathbb {F}_q\rightarrow \mathbb {F}_q\) and \(S\subseteq \mathbb {F}_q\), \(a\in \mathbb {F}_q\), we denote by \(f^{-1}(S)\) the preimage of S under f and by \(\omega (a)\) the size of \(f^{-1}(\{a\})\).
Theorem 2
Let \(f:\mathbb {F}_q\rightarrow \mathbb {F}_q\) be d-uniform. Then
Set \(\varepsilon = (d+1)\cdot |{\text {Im}}(f)| - q\), or equivalently
Then \(\varepsilon \ge 1 \) and
Proof
By Corollary 1
Since
we get
Hence
and
proving (5). Now let
for some \(\varepsilon \). Then (5) forces \(\varepsilon \ge 1\). To complete the proof note that
\(\square \)
The lower bound in Theorem 2 is sharp. Indeed if \(d+1\) is a divisor of \(q-1\), then the map \(m(x)= x^{d+1}\) reaches the lower bound of Theorem 2 and it is d-uniform. To see that m(x) is d-uniform observe that for any nonzero a the difference map \(m(x+a)-m(x) = (x+a)^{d+1}-x^{d+1}\) has degree d and if \(\theta \ne 1\) with \(\theta ^{d+1}=1\) then \(x:= (\theta -1)^{-1}\) satisfies \((x+1)^{d+1}-x^{d+1} =0\).
Equation (6) shows that a d-uniform map having small image set is close to being \((d+1)\)-to-1. For \(\varepsilon =1\), for instance, Eq. (6) implies that only one element in \({\text {Im}}(f)\) does not have exactly \(d+1\) preimages. The following observation quantifies the relation between d and \(\varepsilon \). Let \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) and
where \(d\ge 1\) and \(\varepsilon \in \mathbb {Z}\). Define
Then we have
implying
The next result provides further information on the possible preimage distribution of a d-uniform map. It is a generalization of [20, Theorem 1].
Proposition 1
Let \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) be d-uniform. Then
and
The equality in (8) holds if and only if \(N(f)=(d+1)q-d\) and \(M_r(f)=0\) for all \(r \ge d+2\); and the equality in (9) holds if and only if \(N(f)=(d+1)q-d\) and \(M_r(f)=0\) for \(r>d+2\). The latter case reduces to
Proof
Let m be the degree of f. By Corollary 1, we have \(N(f)\le (d+1)q-d\). Using (2) and (3) we get
so that
As the right-hand side is nonnegative, we have
with equality if and only if \(M_r(f)=0\) for all \(r \ge d+2\) and \(N(f) = (d+1)q-d\). Note that for \(r\ge d+2\), it holds that \(r^2-(d+1)r\ge r\), so that (10) turns into
Adding \(\sum _{r=1}^{d+1}rM_r(f)\) on both sides of (11) and using (2) gives
For equality to hold, we need equality in (11). The first equality in (11) holds if and only if \(N(f)=(d+1)q-d\), the second equality holds if and only if
that is \(M_r(f)=0\) for \(r> d+2\). In that case
\(\square \)
Next, we demonstrate a few applications of Theorem 2.
Corollary 2
Let \(d+1\) be a divisor of \(q-1\) and \(f:\mathbb {F}_q\rightarrow \mathbb {F}_q\) be \((d+1)\)-divisible and d-uniform. Then f is almost-\((d+1)\)-to-1.
Proof
Since f is \((d+1)\)-divisible, we have \(|{\text {Im}}(f)|\le \frac{q-1}{d+1} +1 = \frac{q+d}{d+1}\). By Theorem 2 we have \(|{\text {Im}}(f)|\ge \frac{q+d}{d+1}\) and therefore \(|{\text {Im}}(f)|= \frac{q+d}{d+1}\), implying that f is almost-\((d+1)\)-to-1. \(\square \)
For a nonzero \(a\in \mathbb {F}_q\) we define
which we call a differential set of f in direction a. It is well-known and easy to see that the differential sets of quadratic maps are \(\mathbb {F}_p\)-affine subspaces. The next result shows, among other properties, that the differential sets of \((d+1)\)-divisible DO polynomials are \(\mathbb {F}_p\)-linear subspaces. Lemma 3 can be partly deduced from Proposition 3 and Corollary 1 and their proofs in [13]. We include its proof for the convenience of the reader.
Lemma 3
Let \(q=p^n\) with p prime, \(d+1\) be a divisor of \(q-1\) and \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) be a \((d+1)\)-divisible DO polynomial which is almost-\((d+1)\)-to-1. Then

(a) f is zero-difference d-balanced;

(b) f is d-uniform and all its differential sets are \(\mathbb {F}_p\)-linear subspaces;

(c) \(d=p^i\) for some \(i\ge 0\).
Proof
First we prove statements (a) and (b): Since f is a DO polynomial, it is d-uniform in the case it is zero-difference d-balanced. Next, we show that for any nonzero a the equation \(f_a(x) = f(x+a)-f(x) =0\) has a solution (equivalently, \(D_a(f)\) is a linear subspace). Indeed, let \(1\ne \theta \in \mathbb {F}_q\) be a zero of \(x^{d+1}-1\) and set \(x=(\theta -1)^{-1}a\). This x fulfills \(x+a = \theta x\), and hence \(f_a(x) = f(\theta x)-f(x) =0\). In particular, \(f_a(x)=0\) has at least d solutions. On the other side, since f is \((d+1)\)-divisible and almost-\((d+1)\)-to-1, the equation \(f(x+a)=f(x)\) is fulfilled if and only if \(x+a = \theta x\) for an element \(\theta \) satisfying \(\theta ^{d+1}=1\). This implies that a solution x must be given by \(a(\theta -1)^{-1}\). Hence there are at most d solutions for \(f_a(x)=0\).
The statement in (c) follows from (b). Indeed, the differential sets of f are linear subspaces of size \(p^n/d\), and hence \(d=p^i\) for some \(i \ge 0\). \(\square \)
A fascinating property of DO planar polynomials proved in [20, 38] is: A DO polynomial is planar if and only if it is almost-2-to-1. Observe that for an odd q a DO polynomial is always 2-divisible. Corollary 1 in [13] proves an analog of this result for the d-uniform case; Corollary 3 is a reformulation of it using the terminology introduced in this paper.
Corollary 3
Let \(d+1\) be a divisor of \(q-1\). A \((d+1)\)-divisible DO polynomial f is d-uniform if and only if f is almost-\((d+1)\)-to-1.
Proof
It follows directly from Corollary 2 and Lemma 3. \(\square \)
Image sets of APN maps of binary finite fields
In the following sections we study the image sets of APN maps on binary fields. Such maps are of particular interest because of their applications in cryptography and combinatorics. For an APN map \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\), the lower bound of Theorem 2 reduces to
The first published proof for (12) appears in [14, Lemma 5], where a lower bound on the differential uniformity via image set size is presented. Since the study of image sets of APN maps was not a goal of [14], the lower bound in it remained unnoticed by most researchers on APN maps. A systematic study of the image sets of APN maps originated in [22]. Lower bound (12) is proved there by methods of linear programming, which is a novel approach for studying image sets of maps on finite fields. The arguments proving Lemma 5 in [14] are similar to ours presented for Lemmas 1 and 2. These are more or less standard for studying image sets of maps with special additive properties on finite sets, see [28, 32, 34, 37]. The ideas from [14, 22] are developed further in [15], especially to compare APN maps with affine ones.
Results of Sect. 2 show that APN maps meeting (12) must have a very special preimage distribution. For the APN maps on \(\mathbb {F}_{2^n}\), Proposition 1 reduces to:
Corollary 4
Let \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) be APN. Then

(a)
$$\begin{aligned} M_1(f)+M_2(f)\ge 1, \end{aligned}$$
and hence there is at least one element with exactly 1 or 2 preimages. For n even, the inequality is sharp if and only if f is almost-3-to-1. For n odd, the inequality is sharp if and only if there is a unique element in \({\text {Im}}(f)\) with exactly two preimages and the remaining elements have exactly three preimages.

(b)
$$\begin{aligned} 3M_1(f) + 4M_2(f) + 3M_3(f) \ge 2^n+2. \end{aligned}$$
The equality holds if and only if \(N(f)=3\cdot 2^n-2\) and \(M_r(f)=0\) for \(r>4\), in which case
$$\begin{aligned} M_1(f)+M_2(f) = 2M_4(f)+1. \end{aligned}$$
Proof
The inequalities as well as the equality case in (b) follow directly from Proposition 1. Let \(M_1(f)+M_2(f) = 1\). Then \(M_r(f) = 0\) for every \(r\ge 4\) by Proposition 1. To complete the proof note that the value \(2^n \pmod 3\) forces \((M_1(f),M_2(f)) =(1,0)\) resp. \((M_1(f),M_2(f)) =(0,1)\) depending on the parity of n. \(\square \)
The observation that an APN map must have at least one element with exactly 1 or 2 preimages was already given in [22].
Corollary 4 along with identity (7) and inequality (6) yield the possible preimage distributions of an APN map meeting lower bound (12). Recall that for \(a \in \mathbb {F}_{2^n}\) we denote by \(\omega (a)\) the size of the set \(f^{-1}(\{a\})\).
Theorem 3
Let \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n} \) be APN.
If n is odd and
then \(\omega (y_0)=2\) for one element \(y_0\in {\text {Im}}(f)\) and \(\omega (y)=3\) for \(y\in {\text {Im}}(f)\setminus \{y_0\}\).
If n is even and
then one of the following cases must occur:

1. \(\omega (y_0)=1\) for one element \(y_0\in {\text {Im}}(f)\) and \(\omega (y)=3\) for all \(y\in {\text {Im}}(f)\setminus \{y_0\}\), that is f is almost-3-to-1.

2. \(\omega (y_i)=2\) for two elements \(y_0, y_1\in {\text {Im}}(f)\) and \(\omega (y)=3\) for all \(y\in {\text {Im}}(f)\setminus \{y_0, y_1\}\).

3. \(\omega (y_i)=2\) for three elements \(y_0, y_1, y_2\in {\text {Im}}(f)\), \(\omega (y_3)=4\) for a unique \(y_3\in {\text {Im}}(f)\setminus \{y_0, y_1, y_2\}\) and \(\omega (y)=3\) for all \(y\in {\text {Im}}(f)\setminus \{y_0, \ldots , y_3\}\).
Proof
We apply (6) and (7) to prove the statements on the preimage distribution. Set \(D = \{y\in {\text {Im}}(f): \omega (y)\ne 3\}\). If n is odd, by (6) we get
Hence there is at most one \(y_0 \in {\text {Im}}(f)\) such that \(\omega (y)\ne 3\) and it must satisfy \(\omega (y_0) \in \{2,4\}\). Corollary 4 completes the proof. Let n be even. Then from (6) and (7) we get
and
Clearly, if \(|D|=1\), then f is almost-3-to-1. If \(|D|=2\), then \(\omega (y)=2\) for every \(y \in D\). Note that \(|D|=3\) is not possible, since \(\omega (y)\in \{2,4\}\) for all \(y \in D\), contradicting Eq. (14) since \(3|D|-2\) is odd in this case. If \(|D|=4\), we have again \(\omega (y)\in \{2,4\}\) for all \(y \in D\) and the only solution to Eq. (14) is \(\omega (y)=2\) for 3 elements and \(\omega (y)=4\) for one element. \(|D|>4\) violates Eq. (13), so we exhausted all possibilities. \(\square \)
The APN monomials meet lower bound (12) when n is even. We present several further such families later in this paper. In fact, it turns out that for even n many of the known infinite families of APN maps satisfy the lower bound with equality. All of these examples of APN maps are almost-3-to-1.
Open Problem 1
Let n be even and \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n} \) be an APN map with \(|{\text {Im}}(f)| = (2^n+2)/3\). Can f have the preimage distribution described in case 2. or 3. of Theorem 3?
Numerical results suggest that there are no APN maps meeting (12) for n odd. We show later in this paper that the image sizes of almost bent maps never fulfill this lower bound. The APN maps with smallest sizes which we found are

for \(n=7\) the map \(x \mapsto x^3+x^{64}+x^{16}+x^4\) with the image size \(57=2^6-7\);

for \(n=11\) the map \(x \mapsto x^3 +x^{256} \) with the image size \(1013=2^{10}-11\).
In [22], it is shown that the APN binomial \(b(x)= x^3+x^4\) is 2-to-1 if n is odd. This binomial is studied in [26]: Among other results, it is shown there that for an even n the image set of \(b(x)=x^3+x^4\) satisfies \(M_1(b) = 2(2^n-1)/3, ~ M_2(b)=1\) and \(M_4(b)=(2^n-4)/12\), and hence \(|{\text {Im}}(b)|= 3\cdot 2^{n-2}\).
Lower bound (12) can be used to prove several structural results for APN maps. For example, it gives an easy proof for the following well-known property of monomial APN maps.
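The preimage counts stated above for the APN monomial \(x^3\) and for the binomial \(b(x)=x^3+x^4\) can be checked exhaustively for small n. The following Python sketch is an added example and not part of the paper; the reduction polynomials and all function names are choices made here, and the lower bound is taken in the form \(\lceil (2^n+1)/3\rceil \), matching the minimal sizes \((2^n+1)/3\), resp. \((2^n+2)/3\), quoted in the introduction.

```python
from collections import Counter

# Reduction polynomials for F_{2^n} as bitmasks: x^4+x+1, x^5+x^2+1, x^6+x+1.
# Assumption of this example: any irreducible polynomial of degree n would do.
IRREDUCIBLE = {4: 0b10011, 5: 0b100101, 6: 0b1000011}


def gf_mul(a, b, n):
    """Multiply two elements of F_{2^n}, represented as integers below 2^n."""
    mod, r = IRREDUCIBLE[n], 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:              # degree reached n, reduce modulo the polynomial
            a ^= mod
    return r


def gf_pow(a, e, n):
    """Square-and-multiply exponentiation in F_{2^n}."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n)
        a = gf_mul(a, a, n)
        e >>= 1
    return r


def cube(x, n):
    """The APN monomial x -> x^3."""
    return gf_pow(x, 3, n)


def binomial_b(x, n):
    """The APN binomial b(x) = x^3 + x^4 (addition in F_{2^n} is XOR)."""
    return gf_pow(x, 3, n) ^ gf_pow(x, 4, n)


def analyse(f, n):
    """Return differential uniformity, image size, M_r and N(f) of f on F_{2^n}."""
    q = 1 << n
    table = [f(x, n) for x in range(q)]
    # d = max over a != 0 and b of #{x : f(x+a) + f(x) = b}
    d = max(
        max(Counter(table[x ^ a] ^ table[x] for x in range(q)).values())
        for a in range(1, q)
    )
    omega = Counter(table)                      # omega[y] = number of preimages of y
    m_r = dict(sorted(Counter(omega.values()).items()))  # r -> M_r(f)
    return {
        "d": d,
        "image_size": len(omega),
        "lower_bound": (q + 3) // 3,            # ceil((2^n + 1) / 3)
        "M": m_r,
        "N": sum(w * w for w in omega.values()),  # pairs (x, y) with f(x) = f(y)
    }


if __name__ == "__main__":
    for name, f in (("x^3", cube), ("x^3+x^4", binomial_b)):
        for n in (4, 5, 6):
            print(name, "n =", n, analyse(f, n))
```

For n even, \(x^3\) meets the lower bound with \(N(f)=3\cdot 2^n-2\) and is almost-3-to-1, while \(b(x)\) is APN with a much larger image, so the image size is not an invariant of the APN property alone.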
Corollary 5
Let \(q=2^n\) and \(f(x)=x^k\) be APN on \(\mathbb {F}_{q}\). Then \(\gcd (k, q-1)=1\) if n is odd and \(\gcd (k, q-1)=3\) if n is even.
Proof
Since
we get with (12) that \(\gcd (k, q-1)\le 3\). For n odd, we get \(\gcd (k, q-1)=1\). Now let n be even and \(\gcd (k, q-1)=1\). Then f is an APN permutation on all subfields of \(\mathbb {F}_q\). In particular, it must be an APN permutation on \(\mathbb {F}_4\). It is easy to check that such a permutation does not exist. Hence \(\gcd (k, q-1)=3\). \(\square \)
Next, we present an interesting consequence of (12) which could be helpful for performing numerical searches as well as theoretical studies of 3-divisible APN polynomials. In particular, it could be used for classifying exceptional APN 3-divisible polynomials.
Corollary 6
Let \(n=2^im\) with \(i\ge 1\) and \(m\ge 3\) odd. Suppose \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) is a 3-divisible APN polynomial over the subfield \(\mathbb {F}_{2^m}\), that is \(f \in \mathbb {F}_{2^m}[x]\). Then f is an APN permutation on the subfield \(\mathbb {F}_{2^m}\).
Proof
Note that since the coefficients of f are from the subfield \(\mathbb {F}_{2^m}\), it defines an APN map on \(\mathbb {F}_{2^m}\). Further, since f is APN and 3-divisible, it is almost-3-to-1 on \(\mathbb {F}_{2^n}\) by (12). Moreover, \(f(x)=f(\theta x)=f(\theta ^2 x)\) for \(\theta \in \mathbb {F}_4\setminus \mathbb {F}_2\) and any \(x \in \mathbb {F}_{2^n}\). The statement now follows from the fact that \(\mathbb {F}_4\) is not contained in \(\mathbb {F}_{2^m}\). \(\square \)
The following characterization for APN 3-divisible DO polynomials is a direct consequence of Corollary 3:
Corollary 7
Let n be even and \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be a 3-divisible DO polynomial. Then f is APN if and only if f is almost-3-to-1.
We take a closer look at 3-divisible APN maps in the next section.
Next, we show that Zhou–Pott APN quadratic maps, constructed in [39], provide examples of almost-3-to-1 APN maps which are not 3-divisible.
Theorem 4
Let \(m, i\ge 2\) be even, \(\gcd (k, m)=1\) and \(\alpha \in \mathbb {F}_{2^m}\) not a cube.

(a) Let \(f:\mathbb {F}_{2^m}\times \mathbb {F}_{2^m}\rightarrow \mathbb {F}_{2^m}\times \mathbb {F}_{2^m}\) be defined by
$$\begin{aligned} f(x,y) = (x^{2^k+1}+\alpha y^{(2^k+1)2^i}, xy). \end{aligned} \tag{15}$$
Then

(a1) f is almost-3-to-1. More precisely, for a given \((u,v) \in \mathbb {F}_{2^m}\times \mathbb {F}_{2^m}\), it holds \(f(x,y) = f(u,v)\) if and only if \((x,y)=(\theta u, \theta ^2 v)\) with \(\theta \in \mathbb {F}_4^*\).

(a2) The map corresponding to f(x, y) on \(\mathbb {F}_{2^{2m}}\) has a univariate representation which is not a DO polynomial.

(a3) f is an APN map with the classical Walsh spectrum.

(b) Let \(g:\mathbb {F}_{2^m}\times \mathbb {F}_{2^m}\rightarrow \mathbb {F}_{2^m}\times \mathbb {F}_{2^m}\) be given by
$$\begin{aligned} g(x,y) = (x^{2^k+1}+\alpha y^{2^k+1}, xy^{2^{m-i}}). \end{aligned} \tag{16}$$
Then

(b1) g is almost-3-to-1.

(b2) The map corresponding to g(x, y) on \(\mathbb {F}_{2^{2m}}\) has a univariate representation which is a DO polynomial that is not 3-divisible.

(b3) g is an APN map with the classical Walsh spectrum.
Proof
Note that \(\gcd (2^{2m}-1, 2^k+1) =3\) and 3 is a divisor of both \(2^m-1\) and \(2^i-1\).

(a) Let \((x,y),(u,v)\in \mathbb {F}_{2^m}\times \mathbb {F}_{2^m}\) with \(f(x,y)=f(u,v)\). Then we have
$$\begin{aligned} x^{2^k+1}+\alpha y^{(2^k+1)2^i}&= u^{2^k+1}+\alpha v^{(2^k+1)2^i} \\ xy&= uv. \end{aligned}$$
First suppose \(v=0\), and hence \(x=0\) or \(y=0\). For \(x=0\), we get
$$\begin{aligned} \alpha y^{(2^k+1)2^i} = u^{2^k+1}, \end{aligned}$$
which forces \(y=u=0\), since \(\alpha \) is a noncube. For \(x, u \ne 0\) and \(y=0\) we get
$$\begin{aligned} x^{2^k+1} = u^{2^k+1}, \end{aligned}$$
which is satisfied if and only if \(x = \theta u\) with \(\theta \in \mathbb {F}_4^*\). Now let \(v\ne 0\). Setting \(u=\frac{xy}{v}\) and rearranging the first equation we get
$$\begin{aligned} x^{2^k+1}+\left( \frac{xy}{v}\right) ^{2^k+1} = \alpha (y^{2^k+1}+v^{2^k+1})^{2^i} \end{aligned}$$
or equivalently
$$\begin{aligned} x^{2^k+1}\left( 1+\left( \frac{y}{v}\right) ^{2^k+1}\right) = \alpha v^{(2^k+1)2^i}\left( 1+\left( \frac{y}{v}\right) ^{2^k+1}\right) ^{2^i}. \end{aligned}$$
If \(1+\left( \frac{y}{v}\right) ^{2^k+1}\ne 0\), we can divide by it and obtain
$$\begin{aligned} x^{2^k+1} = \alpha v^{(2^k+1)2^i}\left( 1+\left( \frac{y}{v}\right) ^{2^k+1}\right) ^{2^i-1}. \end{aligned} \tag{17}$$
Note that (17) has no solution, since \(x^{2^k+1}\), \( v^{(2^k+1)2^i}\) and \(\left( 1+\left( \frac{y}{v}\right) ^{2^k+1}\right) ^{2^i-1}\) are all cubes and \(\alpha \) is not a cube. Finally, observe that \(\left( \frac{y}{v}\right) ^{2^k+1}= 1\) holds if and only if \(y =\theta v\) with \(\theta \in \mathbb {F}_4^*\). This completes the proof for (a1). Next, we show (a2), that the map on \(\mathbb {F}_{2^{2m}}\) corresponding to f(x, y) is not given by a univariate DO polynomial. Let \((u_1, u_2)\) be an ordered basis of \(\mathbb {F}_{2^{2m}}\) over \(\mathbb {F}_{2^m}\) and \((v_1, v_2)\) its dual basis. Then an element z of \(\mathbb {F}_{2^{2m}}\) has the representation \((v_1z+\overline{v_1z})u_1 + (v_2z+\overline{v_2z})u_2\), where \(\overline{a} = a^{2^m}\). Thus we get
$$\begin{aligned} f(z)&= f(v_1z+\overline{v_1z}, v_2z+\overline{v_2z}) \\&= \left( (v_1z+\overline{v_1z})^{2^k+1}+\alpha (v_2z+\overline{v_2z})^{(2^k+1)2^i}\right) u_1 \\&\quad + (v_1z+\overline{v_1z})\cdot (v_2z+\overline{v_2z}) u_2 \\&= \ldots +( (v_1\overline{v_2} + \overline{v_1}v_2)z^{2^m+1}+ v_1v_2z^2 + \overline{v_1v_2}z^{2\cdot 2^m})u_2. \end{aligned}$$
Since \(k\ne 0\), there will be no term \(z^2\) in the summand for \(u_1\), and hence the polynomial f(z) contains a nonzero term with \(z^2\), showing that it is not a DO polynomial. Finally, (a1) and Theorem 1 imply (a3).

(b)
Note that g(x, y) is obtained from f(x, y) by a linear bijective transformation \((x,y) \mapsto (x, y^{2^{m-i}})\). In particular, g(x, y) is almost 3-to-1, too. Next, we describe the univariate representation of the map on \(\mathbb {F}_{2^{2m}}\) corresponding to g(x, y). Again, let \((u_1, u_2)\) be a basis of \(\mathbb {F}_{2^{2m}}\) over \(\mathbb {F}_{2^m}\) and \((v_1, v_2)\) its dual basis. Then we get
$$\begin{aligned} g(z)&= g(v_1z+\overline{v_1z}, v_2z+\overline{v_2z}) \\&= \left( (v_1z+\overline{v_1z})^{2^k+1}+\alpha (v_2z+\overline{v_2z})^{(2^k+1)}\right) u_1 \\&\quad + (v_1z+\overline{v_1z})\cdot (v_2z+\overline{v_2z})^{2^{m-i}} u_2, \end{aligned}$$
which is a DO polynomial. Finally, note that \(g(x,y) \ne g(\theta x, \theta y)\) for \(\theta \in \mathbb {F}_4 \setminus \mathbb {F}_2\), and hence the DO polynomial g(z) is not 3-divisible, proving (b2). Theorem 1 and (b1) yield (b3). \(\square \)
The property that the Zhou-Pott APN maps have the classical Walsh spectrum is proved in [1] using Bezout’s theorem on intersection points of two projective plane curves. We would like to note however that the proof method of [1] applies to a larger family of APN maps, including examples which are not almost-3-to-1.
In [13] a map \(f:\mathbb {F}_q \rightarrow \mathbb {F}_q\) is called \(\delta \)-vanishing if for any nonzero a the equation \(f(x+a)-f(x) =0\) has \(t_a\) solutions, where \( 0 < t_a \le \delta \). Note that any zero-difference d-balanced map is d-vanishing. Problem 1 in [13] asks whether any quadratic \(\delta \)-vanishing map must be d-divisible with a suitable d. Theorem 4 shows that the answer to this question is negative. Indeed, the Zhou-Pott maps f(x, y) and g(x, y) are quadratic APN maps which are not 3-divisible. These maps are almost-3-to-1 and hence \(N(f)=N(g)=3q-2\), and then by Corollary 1 they are zero-difference 2-balanced.
The Zhou-Pott construction of APN maps was recently generalized in [24]. Next, we use Theorem 1 to show that the APN maps of this construction are almost-3-to-1 as well, and hence they have the classical Walsh spectrum.
Theorem 5
Define the following maps on \(\mathbb {F}_{2^m} \times \mathbb {F}_{2^m}\)
where \(\gcd (3k,m)=1\) and
where \(\gcd (3k,m)=1\) and m is odd. Then \(f_1\) and \(f_2\) are almost-3-to-1 APN maps with the classical Walsh spectrum.
Proof
The APN property of these maps was proven in [24]. For the rest, we check the conditions of Theorem 1. The first condition is clearly satisfied in both cases. We start with \(f_1\): Direct computations show that
A similar calculation yields \(f_1(x,y)=f_1(x+y,x)\). Thus every \(y \in {\text {Im}}(f_1)\setminus \{0\}\) has at least three preimages. Both conditions of Theorem 1 are satisfied for \(f_1\), completing the proof for \(f_1\). Consider now \(f_2\): Similarly to the first case, we have
and similarly \(f_2(x,y)=f_2(x+y,x)\), so both conditions of Theorem 1 are again satisfied. \(\square \)
A further large family of inequivalent almost-3-to-1 APN maps has been found by Faruk Göloğlu and the first author, and will be published soon.
3-Divisible APN maps
By Corollary 7, every APN DO polynomial \(f'(x^3)\) on \(\mathbb {F}_{2^n}\), n even, is an example with the preimage distribution described in Case 1 of Theorem 3. Prominent examples for such APN maps are \(x\mapsto x^3\) and \(x\mapsto x^3 +{{\,\mathrm{Tr}\,}}(x^9)\). These maps are APN for any n. If n is odd, then \(x\mapsto x^3\) is a permutation and \(x\mapsto x^3 +{{\,\mathrm{Tr}\,}}(x^9)\) is 2-to-1, as we will see later in this section.
The substitution of \(x^3\) in a polynomial of shape \(f'(x) = L_1(x) + L_2(x^3)\), where \(L_1, L_2\) are linearized polynomials, results in a DO polynomial \(f(x) = f'(x^3) = L_1(x^3) + L_2(x^9)\). Hence for even n by Corollary 7 such a map is APN if and only if it is almost 3-to-1. In particular, any permutation of shape \(L_1(x) + L_2(x^3)\) yields directly an APN DO polynomial if n is even. Observe that \(x^3\) and \( x^3+ {{\,\mathrm{Tr}\,}}(x^9)\) are also of this type. These and further APN DO polynomials \(L_1(x^3) + L_2(x^9)\) are studied in [6, 7]. Corollary 7 suggests a unified approach for understanding such APN maps.
The next lemma describes special maps of shape \(L_1(x) + L_2(x^3)\), which are obtained from more general results given in [18, 19]. We apply it to construct and explain APN maps of form \(L_1(x^3) + L_2(x^9)\).
Lemma 4
Let \(\alpha , \beta , \gamma \) be nonzero elements in \(\mathbb {F}_{2^n}\). Further, let \(\gamma \not \in \{ x^2+\alpha x \mid x \in \mathbb {F}_{2^n}\}\) and \({{\,\mathrm{Tr}\,}}(\beta \alpha )=1\).

(a)
Then \( l(x) = x^2 + \alpha x + \gamma {{\,\mathrm{Tr}\,}}(\beta x) \) is a permutation on \(\mathbb {F}_{2^n}\).

(b)
If n is even, then \( f'(x) = x^2 + \alpha x +\gamma {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^3+\beta x) \) is a permutation on \(\mathbb {F}_{2^n}\).

(c)
If n is odd, then the map \(h(x) = x + \alpha ^{-1}{{\,\mathrm{Tr}\,}}(\alpha ^3x^3)\) is 2-to-1.
Proof
(a) The map l(x) is bijective by Theorem 5 in [19]. (b) The map \(f'(x)\) is bijective on \(\mathbb {F}_{2^n}\) by Theorem 6 in [19]. (c) follows from Theorem 3 in [18]. \(\square \)
The permutation \(f'(x)\) yields the following family of APN 3-divisible DO polynomials.
Theorem 6
Let \(\alpha , \beta , \gamma \) be nonzero elements in \(\mathbb {F}_{2^n}\) with n even. Further, let \(\gamma \not \in \{ x^2+\alpha x \mid x \in \mathbb {F}_{2^n}\}\) and \({{\,\mathrm{Tr}\,}}(\beta \alpha )=1\), then
is APN.
Proof
By Lemma 4 the 3-divisible DO map \(f(x) = f'(x^3)\) is almost 3-to-1, and hence by Corollary 7 it is APN. \(\square \)
An APN map constructed in Theorem 6 is affine equivalent to one of form \(x^3 + \alpha {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^9)\) studied in [7]. Indeed, the map \(f'(x)\) can be written as
where l(x) is linear over \(\mathbb {F}_2\). By Lemma 4, the map l(x) is bijective. Then \(l^{-1}\) composed with \(f'(x)\) yields
and thus
where for the last equality we used \(l(\alpha ) = \gamma \). Note that this reduction remains true for n odd, showing that the examples of Theorem 6 are APN for any n since \(x^3 + \alpha {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^9)\) are so.
As we mentioned earlier, the polynomials \(x^3\) and \(x^3+{{\,\mathrm{Tr}\,}}(x^9)\) define APN maps on \(\mathbb {F}_{2^n}\) for odd and even n. For n odd, the first map is a permutation and the second is 2-to-1, as the next proposition shows.
Proposition 2
Let \(\alpha , \beta , \gamma \) be nonzero elements in \(\mathbb {F}_{2^n}\) with n odd. Further, let \(\gamma \not \in \{ x^2+\alpha x \mid x \in \mathbb {F}_{2^n}\}\) and \({{\,\mathrm{Tr}\,}}(\beta \alpha )=1\), then
is APN and 2-to-1.
Proof
Note that the reduction in (18) remains true for n odd, since by Lemma 4 the map l(x) is bijective for n odd. This implies that f(x) is APN, since \(x^3 + \alpha {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^9)\) is so, as shown in [7]. To complete the proof note that \(x^3 + \alpha {{\,\mathrm{Tr}\,}}(\alpha ^{-3}x^9) = h(x^3)\), where h(x) is the map considered in Lemma 4(c). \(\square \)
Next, we observe that for n odd there are APN DO polynomials of shape \(L_1(x^3)+L_2(x^9)\), that are neither bijective nor have image size \(2^{n-1}\). For a divisor t of n we denote by \({{\,\mathrm{Tr}\,}}_{2^n/2^t}(x)\) the trace map from \(\mathbb {F}_{2^n}\) into the subfield \(\mathbb {F}_{2^t}\), that is
In [7], it is shown that for any nonzero \(a \in \mathbb {F}_{2^{3m}}\), m arbitrary, the DO polynomials
and
define APN maps on \(\mathbb {F}_{2^{3m}}\). Moreover, the maps \(f'\) and \(g'\) are bijective when m is even. For m odd, the image sets of these maps contain \(5\cdot 2^{3m-3}\) elements, as Propositions 3 and 4 show.
Proposition 3
Let m be an odd integer and \(a\in \mathbb {F}_{2^{3m}}^*\) be arbitrary. Then the APN map \(f:\mathbb {F}_{2^{3m}} \rightarrow \mathbb {F}_{2^{3m}}\) given by
satisfies \(M_1(f) = 2^{3m-1}\), \(M_4(f)=2^{3m-3}\). In particular, \(|{\text {Im}}(f)|=5\cdot 2^{3m-3}\).
Proof
We consider the equation \(f(x)=f(y)\) on \(\mathbb {F}_{2^{3m}}\). Since \(x\mapsto x^3\) is a permutation on \(\mathbb {F}_{2^n}\) with n odd, it is sufficient to look at \(f'(x)=f'(y)\), where
and \(f(x)=f'(x^3)\). Suppose \(f'(x)=f'(y)\). Then
or equivalently,
In particular, \(f'(x) = f'(y)\) only if \(a(x+y) \in \mathbb {F}_8\). Let \(z=x+y\). Taking the absolute trace on both sides of (19), we get
Let \(\beta \in \mathbb {F}_8\) with \(\beta ^3=\beta +1\), then
so that
If \(az=0\) we have \(z=0\) and \(x=y\). So let \(z=a^{-1}\beta ^k\) with \(k\in \{1,2,4\}\). Note that \(x\mapsto x^k\) is a linear permutation on \(\mathbb {F}_{2^{3m}}\). We have
As \(\beta ^3=\beta +1\), we get \(\beta ^6=\beta ^2+1\) and therefore \(\beta ^3+\beta ^6=\beta ^2+\beta =\beta ^4\). Further, \(\beta +\beta ^4=\beta ^2\), so that
We now need to ensure that (19) holds. Using (20) and m odd this turns into
Using again that \(x\mapsto x^k\) is a permutation and that \(\beta ^4=\beta ^2+\beta \) we obtain
which has a solution x if and only if \({{\,\mathrm{Tr}\,}}_{2^{3m}/2}(ax)=1\).
Concluding, we have \(f'(x)=f'(x+z)\) if and only if \({{\,\mathrm{Tr}\,}}_{2^{3m}/2}(ax)=1\) and \(z\in \{0, a^{-1}\beta , a^{-1}\beta ^2, a^{-1}\beta ^4\}\). Since there are \(2^{3m-1}\) elements x with \({{\,\mathrm{Tr}\,}}_{2^{3m}/2}(ax)=1\), we get \(M_4(f)=2^{3m-3}\). The map \(f'\) is injective on the hyperplane \(\{x \in \mathbb {F}_{2^{3m}} \mid {{\,\mathrm{Tr}\,}}_{2^{3m}/2}(ax)=0 \}\), yielding \(M_1(f)=2^{3m-1}\). \(\square \)
The proof of the next result is almost identical to the one of Proposition 3:
Proposition 4
Let m be an odd integer and \(a\in \mathbb {F}_{2^{3m}}^*\) be arbitrary. Then the APN map \(f:\mathbb {F}_{2^{3m}} \rightarrow \mathbb {F}_{2^{3m}}\) given by
satisfies \(M_1(g) = 2^{3m-1}\), \(M_4(g)=2^{3m-3}\). In particular, \(|{\text {Im}}(g)|=5\cdot 2^{3m-3}\).
Image sets of componentwise plateaued maps
The next theorem shows that almost-\((2^r+1)\)-to-1 componentwise plateaued maps have a very special Walsh spectrum. The key step in its proof is the fact that the components of such maps have weights divisible by \({2^r+1}\). This together with Lemma 5 and some basic identities for Walsh values allows us to control the Walsh spectrum of f. Our proof is an adaptation of the one of Theorem 2 from [13], where \((p^r+1)\)-divisible quadratic maps of finite fields with an arbitrary characteristic p are considered. The following fact is well known.
Lemma 5
Let \(i,r \in \mathbb {N}\) be arbitrary. Then

\(\gcd (2^i-1,2^r+1) = {\left\{ \begin{array}{ll} 2^{\gcd (i,r)} +1 &{} \text {if } i/\gcd (i,r) \text { is even} \\ 1 &{} \text {else.} \end{array}\right. }\)

\(\gcd (2^i+1,2^r+1) = {\left\{ \begin{array}{ll} 2^{\gcd (i,r)} +1 &{} \text {if } i/\gcd (i,r) \text { and } r/\gcd (i,r)\text { are odd} \\ 1 &{} \text {else.} \end{array}\right. }\)
Theorem 7
Let \(n=2rm\) and \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be an almost-\((2^r+1)\)-to-1 componentwise plateaued map with \(f(0)=0\) and \(\omega (0)=1\), i.e. 0 is the unique element with precisely one preimage. Then f has \((2^r/(2^r+1))\cdot (2^n-1)\) bent components and \((2^n-1)/(2^r+1)\) components with amplitude \(t=2r\). Moreover,
for any \(b \in \mathbb {F}_{2^n}^*\).
Proof
Let \(b\in \mathbb {F}_{2^n}^*\) be arbitrary. Since f is componentwise plateaued, \(W_f(b,0)\) takes the values 0 or \(\pm 2^{rm+s}\) with \(s\ge 0\). Note that since f is almost-\((2^r+1)\)-to-1 with \(f(0)=0\) and \(\omega (0)=1\), the value \(|\{x \in \mathbb {F}_{2^n}^* :{{\,\mathrm{Tr}\,}}(bf(x))=c\}|\) is divisible by \(2^r+1\) for any \(c \in \mathbb {F}_2\). Thus
This shows, in particular, that \(W_f(b,0) \ne 0\). Further, by Lemma 5, \(2^{rm+s} \equiv 1 \pmod {2^r+1}\) if and only if \(r \mid s\) and \(m+(s/r)\) is even. Similarly, \(2^{rm+s} \equiv -1 \pmod {2^r+1}\) if and only if \(r \mid s\) and \(m+(s/r)\) is odd. Hence \(W_f(b,0) =(-1)^{m+k}2^{r(m+k)}\) for a suitable \(k\ge 0\). Define
for an integer \(k \ge 0\). Since \(f(x)=0\) holds only for \(x=0\), we have
which directly implies
Substituting the possible values for \(W_f(b,0)\) in the above equation, we get
implying
Now since f is almost-\((2^r+1)\)-to-1, for every fixed nonzero x there are exactly \((2^r+1)\) elements \(a \in \mathbb {F}_{2^n}\) satisfying \(f(x)+f(x+a)=0\), and for \(x=0\) only \(a=0\) solves it. Thus we get
In particular,
Again, substituting the possible values for \(W_f(b,0)\), we get
which immediately leads to
Clearly, we also have
Adding Eq. (21) \((2^r-1)\)-times to Eq. (22), we get
Observe that all coefficients in Eq. (24) are positive. Now, subtracting Eq. (23) \(2^r\)-times from Eq. (24) yields
Here, all coefficients are again positive, so we conclude \(N_2=N_3=\dots = 0\). From Eq. (21) and Eq. (23) we then immediately deduce that \(N_0 =(2^r/(2^r+1))(2^n-1)\) and \(N_1 = (2^n-1)/(2^r+1)\). \(\square \)
Note that the conditions \(f(0)=0\) and \(\omega (0)=1\) are not restrictive when we consider the extended Walsh spectrum: Indeed, otherwise we consider \(f(x+c)+d\) with suitable \(c,d \in \mathbb {F}_{2^n}\), which is also componentwise plateaued and has the same extended Walsh spectrum as f:
The two boundary cases \(m=1\) and \(r=1\) of Theorem 7 imply interesting extremal cases. For \(m=1\), we get that a componentwise plateaued almost-\((2^{n/2}+1)\)-to-1 map on \(\mathbb {F}_{2^n}\) has \(2^n-2^{n/2}\) bent components, which is the maximum number of bent components that a map on \(\mathbb {F}_{2^n}\) can have [30]. For \(m=1\) the following result holds, too:
Proposition 5
Let \(r\in \mathbb {N}\), \(n=2r\) and \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be an almost-\((2^r+1)\)-to-1 map. Then f is componentwise plateaued if and only if it has \(2^n-2^{n/2}\) bent components.
Proof
One direction is covered by Theorem 7. Assume that f has \(2^n-2^{n/2}\) bent components. As mentioned before, we can assume without loss of generality that \(f(0)=0\) and \(\omega (0)=1\). By the proof of Theorem 7 we have \(W_f(b,0) \equiv 1 \pmod {2^{n/2}+1}\) for all \(b \in \mathbb {F}_{2^n}^*\). Hence if b defines a bent component, then \(W_f(b,0)=-2^{n/2}\). Thus
implying \(\sum _{b \text { not bent}} W_f(b,0)=2^{n}(2^{n/2}-1)\). The sum has \(2^{n/2}-1\) terms and each term is less than or equal to \(2^n\), so necessarily it must hold \(W_f(b,0)=2^n\) for every \(b \in \mathbb {F}_{2^n}^*\) that does not define a bent component. Then, by Parseval’s equation, \(W_f(b,a)=0\) for these b and every \(a \in \mathbb {F}_{2^n}^*\), so these components are also plateaued. \(\square \)
For \(r>1\) the almost-\((2^r+1)\)-to-1 maps considered in Proposition 5 are never APN. This follows directly from (12).
The case \(r=1\) of Theorem 7 shows that almost-3-to-1 componentwise plateaued maps are APN and they have the classical Walsh spectrum:
Corollary 8
Let \(n=2m\) and \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) be an almost-3-to-1 componentwise plateaued map. Then f is an APN map with the classical Walsh spectrum. Moreover, if \(f(0)=0\) and \(\omega (0)=1\), i.e. 0 is the only element with precisely one preimage, then
for any \(b \in \mathbb {F}_{2^n}^*\).
Proof
The result follows from Theorem 7 for \(r=1\) and [4, Corollary 3], which shows that if a componentwise plateaued map f has \((2/3)(2^n-1)\) bent components and \((1/3)(2^n-1)\) components with amplitude \(t=2\) then it is APN. \(\square \)
In [9, Corollaries 10 and 11] it is proven that if n is even, then all almost-3-to-1 plateaued maps of \(\mathbb {F}_{2^n}\) have the same Walsh spectrum as the cube function \(x\mapsto x^3\). This is exactly the statement of Corollary 8, too. The precise Walsh spectrum of the cube function is determined by Carlitz [16] via a refined evaluation of certain Gauss sums. The proof of Theorem 7 implies an elementary proof for Carlitz’s result on the value of the cubic exponential sum \(S(b)=\sum _{x \in \mathbb {F}_{2^n}} (-1)^{{{\,\mathrm{Tr}\,}}(bx^3)}\). The latter is the key step for obtaining the Walsh spectrum of the cube function in [16].
The quadratic (not necessarily APN) maps as well as the crooked maps are componentwise plateaued. Hence Corollary 8 implies
Corollary 9
Let \(n=2m\) and \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\).

(a)
If f is an almost-3-to-1 crooked map, then f has the classical Walsh spectrum.

(b)
If f is an almost-3-to-1 quadratic map, then it is APN with the classical Walsh spectrum.
Note that Corollaries 7 and 9 confirm Conjecture 1 stated in [33], that for even n all APN maps of the form \(f(x)=L_1(x^3)+L_2(x^9)\) have the classical Walsh spectrum.
By Corollary 9, the EA-class of a quadratic APN map with non-classical Walsh spectrum does not contain an almost-3-to-1 map. The following related question is still open:
Open Problem 2
Let n be even. Is there any APN DO map \(f:\mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\) with the classical Walsh spectrum, such that \(f+l\) is not almost-3-to-1 for any \(\mathbb {F}_2\)-linear map (equivalently, such that there is no almost-3-to-1 map in the EA-class of f)?
Almost-3-to-1 APN maps with non-classical Walsh spectra exist; an example is the Dobbertin map \(x \mapsto x^d\) on \(\mathbb {F}_{2^n}\) where \(10 \mid n\), \(n=5g\) and \(d=2^{4g}+2^{3g}+2^{2g}+2^{g}-1\) [8].
We conclude this section with some observations on the almost bent maps on \(\mathbb {F}_ {2^n}\) with n odd. We use them in the next section to give an upper bound on the image size of such maps. The next lemma describes a direct connection between N(f) and the number \(N_0\) of balanced component functions of almost bent maps.
Lemma 6
Let n be odd and \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) be almost bent. Set
Then these three values are determined by N(f) in the following way:
Proof
Clearly, we have
Further, we have
which implies
Rewriting this equation yields
or, equivalently,
Moreover, we have
which directly implies
which yields
and
Subtracting Eq. (26) from Eq. (25) yields
Similarly adding Eqs. (26) and (27) we get that N(f) must be divisible by 4 and that
The value of \(N_-\) then follows immediately from Eq. (25). \(\square \)
Lemma 6 directly implies
Corollary 10
Let n be odd and \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) be almost bent. Then

(a)
N(f) is divisible by 4.

(b)
The number of balanced component functions of f is odd. In particular, every almost bent function has at least one balanced component function.

(c)
\(N(f) \le 3\cdot 2^n-4\) and f is not zero-difference 2-balanced.

(d)
$$\begin{aligned}|{\text {Im}}(f)| > \frac{2^n+1}{3}.\end{aligned}$$
Proof
Statement (a) holds since \(N_+\) and \(N_-\) in Lemma 6 are integers. Then (b) is a direct consequence of (a) and Lemma 6. Using Corollary 1 and (a), we get that \(N(f) \le 3\cdot 2^n-4\) and hence f is not zero-difference 2-balanced. Theorem 3 with (c) imply (d), since if the lower bound is fulfilled then necessarily \(N(f)=3\cdot 2^n-2\). \(\square \)
Remark 2
Any crooked map is almost bent if n is odd [27]. Property (c) in Corollary 10 implies that at least one differential set of a crooked map on \(\mathbb {F}_{2^n}\) with n odd is a complement of a hyperplane. Equivalently, for n odd there is no crooked map such that all its difference sets are hyperplanes. To the contrary, if n is odd then there are bijective crooked maps, for which necessarily all differential sets are complements of hyperplanes. Interestingly, this property is the other way around if n is even. Then crooked maps, for which all differential sets are hyperplanes, do exist (for instance, \(x\mapsto x^3\) or more generally any 3-divisible APN DO map as observed in Lemma 3 (b)). But there are no crooked maps with all their differential sets being complements of hyperplanes. The latter is a consequence of the non-existence of bijective crooked maps in even dimension [27].
Upper bounds on the image sets of APN maps
In previous sections we used the value N(f) to obtain a lower bound for the image size of some special maps f. In [21] an upper bound for \(|{\text {Im}}(f)|\) depending on N(f) is found. The upper bound from [21] is valid for maps between arbitrary finite sets, however we state it here only for the binary finite fields.
Lemma 7
[21, Theorem 2] Let \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\). Then
\(\square \)
The equality
is not mentioned in [21], but it can be verified easily by expanding the fraction with \(1-\sqrt{4N(f)-2^{n+2}+1}\).
The next lemma observes that if n is even, then Lemma 7 implies an upper bound on the image size of f depending on the number of its bent components.
Lemma 8
Let n be even and \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) be a map with u bent component functions. Then \(N(f) \ge u+2^n\) and
Proof
We use again the relation
If \(x \mapsto {{\,\mathrm{Tr}\,}}(bf(x))\) is bent, then \(W_f(b,0)^2 = 2^n\), so
implying \(N(f) \ge u +2^n\). The rest follows from Lemma 7. \(\square \)
The upper bound of Lemma 8 is interesting for maps having a large number u of bent components. We apply it to get an upper bound for the image size of componentwise plateaued APN maps in Corollary 11.
For an odd n, we use Lemma 6 to give an upper bound on the image size of almost bent maps. Recall that \(M_r(f)\) denotes the number of \(y \in \mathbb {F}_{2^n}\) with exactly r preimages, where \(f :\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) and \(r \ge 1\).
Theorem 8
Let \(f :\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) be an almost bent map and \(k = \max \{ r \mid M_r(f) \ne 0\}\). Then
In particular, if f is not a permutation, then
Proof
Set \(M_r = M_r(f)\). By Eqs. (2) and (3)
implying
Set \(f'(x) = f(x) - c\), where \(c \in \mathbb {F}_{2^n}\) has exactly k preimages under f. Clearly, \(f'\) is also almost bent and it satisfies \(N(f) = N(f')\) and \(|{\text {Im}}(f)| = |{\text {Im}}(f')|\), and additionally 0 has exactly k preimages under \(f'\). We apply Lemma 6 to \(f'\). Then
which leads to
Then, using Eq. (30),
If f is not a permutation, then \(k>1\) and \(\frac{k-1}{k}\ge 1/2\), completing the proof. \(\square \)
Remark 3

(1)
The upper bound in (28) is sharp for \(k=1\), since there are bijective almost bent maps. The proof of Theorem 8 shows that almost bent maps fulfilling with equality the bound in (29) must satisfy \(M_1(f)= 2^n-2^{(n+1)/2}\) and \(M_2(f)=2^{(n-1)/2}\). However, we believe that the bound in (29) is not sharp.

(2)
The bound of Theorem 8 is similar in style to the well-known general upper bound on the image size of maps by Wan [35], stating that if \(f :\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) is not bijective then
$$\begin{aligned}|{\text {Im}}(f)| \le 2^n-\frac{2^n-1}{d},\end{aligned}$$
where d is the degree of f. Another bound similar to Wan’s bound appears in [29]: If \(f :\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) is not bijective and has index \(l>1\) then
$$\begin{aligned}|{\text {Im}}(f)| \le 2^n-\frac{2^n-1}{l}.\end{aligned}$$
See [36] for more details and the definition of the index of maps. For almost bent maps with known small degree or index, these upper bounds are stronger than the one in Theorem 8.
Theorem 8 and Lemma 8 yield an upper bound on the image size for componentwise plateaued APN maps.
Corollary 11
Let \(f:\mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) be a componentwise plateaued APN map, and non-bijective if n is odd. Then
Proof
The statement for n odd follows from Theorem 8, since every componentwise plateaued APN map is almost bent. The upper bound for n even is a direct consequence of Lemma 8 and the fact that a componentwise plateaued APN map has at least \((2/3)(2^n-1)\) bent component functions [4, Corollary 3]. \(\square \)
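The following exhaustive check is an added example, not code from the paper. It builds \(\mathbb {F}_{2^5}\) and \(\mathbb {F}_{2^6}\) from constructed irreducible polynomials and confirms, for \(x^3\) and \(x^3+{{\,\mathrm{Tr}\,}}(x^9)\), the counts stated in Theorem 7 and Corollary 8 (n even) and in Corollary 10 together with the image-size bounds for non-bijective almost bent maps (n odd). All function names are this example's own, and N(f) is assumed to be the number of pairs (x, y) with f(x) = f(y), which agrees with the value the text gives for almost-3-to-1 maps.

```python
from collections import Counter

# Constructed choice (not from the paper): irreducible polynomials realising
# GF(2^5) and GF(2^6). Elements are integers whose bits are coefficients.
IRREDUCIBLE = {5: 0b100101, 6: 0b1000011}


class Field:
    def __init__(self, n):
        self.n, self.size, self.poly = n, 1 << n, IRREDUCIBLE[n]
        self.tr = [self._trace(x) for x in range(self.size)]

    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.n:          # degree reached n: reduce
                a ^= self.poly
        return r

    def pow(self, a, e):
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a = self.mul(a, a)
            e >>= 1
        return r

    def _trace(self, x):
        # Absolute trace x + x^2 + ... + x^(2^(n-1)); the result is 0 or 1.
        t = 0
        for _ in range(self.n):
            t ^= x
            x = self.mul(x, x)
        return t


def cube(F, x):
    return F.pow(x, 3)


def cube_plus_trace(F, x):
    return F.pow(x, 3) ^ F.tr[F.pow(x, 9)]   # x^3 + Tr(x^9)


def differential_uniformity(T):
    q = len(T)
    return max(max(Counter(T[x ^ a] ^ T[x] for x in range(q)).values())
               for a in range(1, q))


def preimage_distribution(T):
    """{r: M_r}: how many image points have exactly r preimages."""
    return dict(Counter(Counter(T).values()))


def pair_count(T):
    """N(f) = #{(x, y) : f(x) = f(y)} = sum of r^2 * M_r."""
    return sum(r * r * m for r, m in preimage_distribution(T).items())


def walsh_at_zero(F, T):
    """Histogram of W_f(b, 0) = sum_x (-1)^Tr(b f(x)) over nonzero b."""
    return dict(Counter(sum(1 - 2 * F.tr[F.mul(b, y)] for y in T)
                        for b in range(1, F.size)))


def bent_components(F, T):
    """Number of nonzero b with |W_f(b, a)| = 2^(n/2) for every a."""
    q = F.size
    lin = [[F.tr[F.mul(a, x)] for x in range(q)] for a in range(q)]
    count = 0
    for b in range(1, q):
        comp = [F.tr[F.mul(b, y)] for y in T]
        if all(sum(1 - 2 * (c ^ l) for c, l in zip(comp, row)) ** 2 == q
               for row in lin):
            count += 1
    return count


def report(n, f):
    F = Field(n)
    T = [f(F, x) for x in range(F.size)]
    return {
        "uniformity": differential_uniformity(T),
        "preimages": preimage_distribution(T),
        "image_size": len(set(T)),
        "N": pair_count(T),
        "walsh_at_zero": walsh_at_zero(F, T),
        "bent": bent_components(F, T),
    }


if __name__ == "__main__":
    for n, f in [(6, cube), (6, cube_plus_trace), (5, cube_plus_trace)]:
        print(n, f.__name__, report(n, f))
```

For n = 6 (so m = 3, r = 1) both maps give 42 bent components with \(W_f(b,0)=-8\) and 21 components with \(W_f(b,0)=16\); for n = 5 the map \(x^3+{{\,\mathrm{Tr}\,}}(x^9)\) is 2-to-1 with an odd number (15) of balanced components.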
References
1. Anbar N., Kalayci T., Meidl W.: Determining the Walsh spectra of Taniguchi’s and related APN-functions. Finite Fields Appl. 60, Art. 101577 (2019).
2. Bending T.D., Fon-Der-Flaass D.: Crooked functions, bent functions, and distance regular graphs. Electron. J. Comb. 5(1), R34 (1998).
3. Beierle C., Leander G.: New instances of quadratic APN functions. arXiv:2009.07204 (2020). Accessed Nov 2020.
4. Berger T.P., Canteaut A., Charpin P., Laigle-Chapuy Y.: On almost perfect nonlinear functions over \(\mathbb{F} _2^n\). IEEE Trans. Inf. Theory 52(9), 4160–4170 (2006).
5. Blondeau C., Nyberg K.: Perfect nonlinear functions and cryptography. Finite Fields Appl. 32, 120–147 (2015).
6. Budaghyan L., Carlet C., Leander G.: Constructing new APN functions from known ones. Finite Fields Appl. 15(2), 150–159 (2009).
7. Budaghyan L., Carlet C., Leander G.: On a construction of quadratic APN functions. In: 2009 IEEE Information Theory Workshop, pp. 374–378 (2009).
8. Canteaut A., Charpin P., Dobbertin H.: Weight divisibility of cyclic codes, highly nonlinear functions on \(\mathbb{F} _{2^m}\), and crosscorrelation of maximum-length sequences. SIAM J. Discret. Math. 13(1), 105–138 (2000).
9. Carlet C.: Boolean and vectorial plateaued functions and APN functions. IEEE Trans. Inf. Theory 61(11), 6272–6289 (2015).
10. Carlet C., Charpin P., Zinoviev V.: Codes, bent functions and permutations suitable for DES-like cryptosystems. Des. Codes Cryptogr. 15(2), 125–156 (1998).
11. Carlet C., Ding C., Yuan J.: Linear codes from perfect nonlinear mappings and their secret sharing schemes. IEEE Trans. Inf. Theory 51(6), 2089–2102 (2005).
12. Carlet C., Ding C.: Nonlinearities of S-boxes. Finite Fields Appl. 13(1), 121–135 (2007).
13. Carlet C., Gong G., Tan T.: Quadratic zero-difference balanced functions, APN functions and strongly regular graphs. Des. Codes Cryptogr. 78(3), 629–654 (2016).
14. Carlet C., Heuser A., Picek S.: Trade-offs for S-boxes: cryptographic properties and side-channel resilience. In: Proc. ACNS 2017, Lect. Notes Comput. Sci., vol. 10355, pp. 393–414 (2017).
15. Carlet C.: Bounds on the nonlinearity of differentially uniform functions by means of their image set size, and on their distance to affine functions. Cryptol. ePrint Archive, Report 2020/1529. Accessed Jan 2021.
16. Carlitz L.: Explicit evaluation of certain exponential sums. Math. Scand. 44, 5–16 (1979).
17. Charpin P.: Crooked functions. In: Finite Fields Their Appl., pp. 87–102. De Gruyter (2020).
18. Charpin P., Kyureghyan G.: When does \(G(x) +Tr(H(x))\) permute \(\mathbb{F} _{p^n}\). Finite Fields Appl. 15(5), 615–632 (2009).
19. Charpin P., Kyureghyan G.: On a class of permutation polynomials over \(\mathbb{F}_{2^n}\). In: International Conference on Sequences and Their Applications - SETA 2008, Lect. Notes Comput. Sci., vol. 5203, pp. 368–376. Springer (2008).
20. Coulter R.S., Matthews R.W.: On the number of distinct values of a class of functions over a finite field. Finite Fields Appl. 17(3), 220–224 (2011).
21. Coulter R.S., Senger S.: On the number of distinct values of a class of functions with finite domain. Ann. Comb. 18(2), 233–243 (2014).
22. Czerwinski I.: On the minimal value set size of APN functions. Cryptology ePrint Archive, Report 2020/705. Accessed Aug 2020.
23. Ding C., Jin Y.: A family of skew Hadamard difference sets. J. Comb. Theory A 113(7), 1526–1535 (2006).
24. Göloğlu F.: Gold-hybrid APN functions. Preprint (2020). See also https://boolean.w.uib.no/files/2020/09/gologlu_slides.pdf.
25. Kaspers C., Zhou Y.: A lower bound on the number of inequivalent APN functions. arXiv:2002.00673v2 (2020). Accessed Aug 2021.
26. Kyureghyan G.M., Müller P., Wang Q.: On the size of Kakeya sets in finite vector spaces. Electron. J. Comb. 20(3), P36 (2013).
27. Kyureghyan G.M.: Crooked maps in \(\mathbb{F} _{2^n}\). Finite Fields Appl. 13(3), 713–726 (2007).
28. Kyureghyan G.M., Pott A.: Some theorems on planar mappings. In: Proc. Int. Workshop Arithmetic of Finite Fields, Lect. Notes in Comput. Sci., vol. 5130, pp. 117–122 (2008).
29. Mullen G.L., Wan D., Wang Q.: Index bounds for value sets of polynomials over finite fields. In: Appl. Algebra Number Theory. Cambridge University Press, pp. 280–296 (2014).
30. Pott A., Pasalic E., Muratovic-Ribic A., Bajric S.: On the maximum number of bent components of vectorial functions. IEEE Trans. Inf. Theory 64(1), 403–411 (2018).
31. Pott A.: Almost perfect and planar functions. Des. Codes Cryptogr. 78(1), 141–195 (2016).
32. Uchiyama S.: Sur le nombre des valeurs distinctes d’un polynôme à coefficients dans un corps fini. Proc. Jpn. Acad. 30(10), 930–933 (1954).
33. Villa I.: On APN functions \({L}_1(x^3)+{ L}_2(x^9)\) with linear \({L}_1\) and \({L}_2\). Cryptogr. Commun. 11(1), 3–20 (2019).
34. Voloch J.: On the number of values taken by a polynomial over a finite field. Acta Arithmetica 52(2), 197–201 (1989).
35. Wan D.: A \(p\)-adic lifting lemma and its applications to permutation polynomials. In: Finite Fields, Coding Theory, and Advances in Communications and Computing, Lect. Notes Pure and Appl. Math., vol. 141, pp. 209–216 (1993).
36. Wang Q.: Polynomials over finite fields: an index approach. In: Combinatorics and Finite Fields. Difference Sets, Polynomials, Pseudorandomness and Applications, De Gruyter, pp. 319–348 (2019).
37. Weng G., Qiu W., Wang Z., Xiang Q.: Pseudo-Paley graphs and skew Hadamard difference sets from presemifields. Des. Codes Cryptogr. 44(1–3), 49–62 (2007).
38. Weng G., Zeng X.: Further results on planar DO functions and commutative semifields. Des. Codes Cryptogr. 63(3), 413–423 (2012).
39. Zhou Y., Pott A.: A new family of semifields with 2 parameters. Adv. Math. 234, 43–60 (2013).
Acknowledgements
We thank our colleagues for all the comments which helped us to improve the presentation of this paper. Our special thanks go to Zeying Wang for pointing out an inaccuracy in the earlier version of Proposition 1 and consequently in Corollary 4. We thank Steven Wang and the anonymous reviewer for bringing to our attention references [35, 36] and [32, 34], respectively.
Funding
Open Access funding enabled and organized by Projekt DEAL.
Additional information
Communicated by A. Pott.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Kölsch, L., Kriepke, B. & Kyureghyan, G.M. Image sets of perfectly nonlinear maps. Des. Codes Cryptogr. 91, 1–27 (2023). https://doi.org/10.1007/s10623-022-01094-4
Keywords
 Image
 value set
 APN map
 differential uniformity
 Walsh spectrum
 quadratic map
 Dembowski–Ostrom polynomial
 plateaued function
 preimage distribution
Mathematics Subject Classification
 11T71
 06E30
 94A60