Generalized isotopic shift construction for APN functions

In this work we give several generalizations of the isotopic shift construction, introduced recently by Budaghyan et al. (IEEE Trans Inform Theory 66:5299–5309, 2020), when the initial function is a Gold function. In particular, we derive a general construction of APN functions which covers several unclassified APN functions for n=8\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$n=8$$\end{document} and produces fifteen new APN functions for n=9\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$n=9$$\end{document}.

so that F 2 n = ζ = {1, ζ, ζ 2 , ζ 3 , . . . , ζ 2 n −2 }. An (n, n)-function is a map from F 2 n to itself. Such function admits a unique representation as a univariate polynomial of degree at most 2 n − 1, that is The kernel of F is defined as ker(F) = {u ∈ F 2 n s.t. F(u) = 0}. The function F is linear if F(x) = n−1 i=0 c i x 2 i ; affine if it is the sum of a linear function and a constant; -DO (Dembowski-Ostrom) polynomial if F(x) = 0≤i< j<n a i j x 2 i +2 j , with a i j ∈ F 2 n ; quadratic if it is the sum of a DO polynomial and an affine function.
A function F is called differentially δ-uniform, for δ a positive integer, if for any pair (a, b) ∈ F 2 2 n , with a = 0, the equation F(x + a) − F(x) = b admits at most δ solutions. When F is used as an S-box inside a cryptosystem, the differential uniformity measures its contribution to the resistance to the differential attack [3]. The smaller is δ, the better is the resistance to this attack.
Over fields of characteristic 2, the solutions of the equation F(x + a) − F(x) = b, that is, F(x + a) + F(x) = b, go by pairs {x, x + a}, and δ is even. The best resistance is then achieved by differentially 2-uniform functions. Such functions are also called almost perfect nonlinear; in short, APN. The simplest known example of APN function is Gold function, G i (x) = x 2 i +1 , that is APN whenever i is coprime with n.
APN functions have connections to optimal objects in other fields such as geometry, sequence design and combinatorics.
There are several equivalence relations of functions for which differential uniformity, and thus the APN property, is preserved. Two functions F and F from F 2 n to itself are called: -affine equivalent if F = A 1 • F • A 2 where A 1 , A 2 : F 2 n → F 2 n are affine permutations; -EA-equivalent if F = F + A, where the map A : F 2 n → F 2 n is affine and F is affine equivalent to F; -CCZ-equivalent [12] if there exists some affine permutation L of F 2 n × F 2 n such that the image of the graph of F is the graph of F , that is, L (G F ) = G F , where G F = {(x, F(x)) : x ∈ F 2 n } and G F = {(x, F (x)) : x ∈ F 2 n }.
CCZ-equivalence is the most general known equivalence relation for functions which preserves differential uniformity, while affine and EA-equivalences are its particular cases. We refer the reader to [5] and [11] for a more comprehensive overview on vectorial Boolean functions. Inspired by the notion of isotopic equivalence, originally defined by Albert [1] in the study of presemifields and semifields, a new construction method for APN functions, called isotopic shift, was introduced in [6].
Given p a prime number, F ∈ F p n [x] a function, and L ∈ F p n [x] a linear map, the isotopic shift of F by L is defined as the map: As we have shown in [6], for the case p = 2, an isotopic shift of an APN function can lead to APN functions CCZ-inequivalent to the original map. In particular, all existing quadratic APN functions over F 2 6 , which are 13 up to CCZ-equivalence, can be obtained from x 3 by isotopic shift. Moreover, a new family of quadratic APN functions, which generates a new APN function for n = 9, is constructed by isotopic shift of Gold functions [6]. In [7], the isotopic shift construction has been investigated for the case of planar functions ( p > 2), i.e. differentially 1-uniform functions. Also here, given a planar function, it is possible to obtain an inequivalent planar function from its isotopic shifts.
In the present paper we further study the isotopic shift construction over fields of even characteristic. Firstly, we verify that, over F 2 6 , any quadratic APN map can be obtained as an isotopic shift of any other quadratic APN map. Then, we consider different generalizations of the isotopic shift construction when the initial function is a monomial with a Gold exponent. In [6], we studied the APN property of the isotopic shift of G i (x) = x 2 i +1 over F 2 n , with n = km, given by where L is a 2 m -polynomial, that is L(x) = k−1 i=0 A i x 2 im for some A i ∈ F 2 n . This construction provides a new APN function over F 2 9 .
In the present work, we study the APN property of where both L 1 and L 2 are 2 m -polynomials. From this construction, we obtain fifteen new APN functions for n = 9. Moreover, we cover some of the functions in the lists given in [16] and [19] which are not contained in any of the known infinite families.
To show the inequivalence between some of the obtained maps, we introduce in Proposition 3.2 a new EA-invariant (such invariant was also noticed independently in [17]). Note that for quadratic APN functions, CCZ-equivalence coincides with EA-equivalence [23].
Finally, we consider the case when the isotopic shift of G i (x) is obtained using a function L not necessarily linear. In this case we obtain that all the known power APN functions in odd dimension, except the Dobbertin function, can be obtained as the nonlinear shifts of Gold functions.

Further results on the isotopic linear shift over F n
Before considering generalizations of the isotopic shift, we extend a result obtained in [6].
We have shown that, given a quadratic APN function F, if the isotopic shift F L by a linear map L is APN, then the map L is either a permutation or a 2-to-1 map. From the isotopic shifts of the Gold function x 3 , with both choices for L being a permutation and a 2-to-1 map, we obtained (computationally) all the quadratic APN functions over F 2 6 (up to EA-equivalence). That is, for any given quadratic APN function F over F 2 6 there exist a permutation L and a 2-to-1 map L such that the isotopic shifts G 1,L (x) and G 1,L (x) are EA-equivalent to F. The same result was computationally obtained for any quadratic APN map over F 2 6 listed in [16, Table 5] (see also [4]) in place of G 1 . Up to EA-equivalence (and thus CCZ-equivalence) the list is complete and, since for two quadratic maps the EAequivalence implies EA-equivalence of the isotopic shifts (see [6,Corollary 3.2]), we can state the following result. Proposition 2.1 Over F 2 6 for any two quadratic APN maps F and G, there exist a linear permutation L and a linear 2-to-1 map L such that F L and F L are EA-equivalent to G.
We conclude with the observation that the isotopic shift can lead to an APN function also starting from a non-APN function.

Remark 2.1
Consider F 2 6 and the function F(x) = x 5 , which is not APN. With L(x) = ζ x 8 we construct the APN map

Generalized isotopic shift of Gold functions
In this section we generalize the isotopic shift construction for the case of Gold functions.

On the generalized linear shift over F 2 n
In [6], we showed that the isotopic shift can be a useful construction method for APN functions. Let n = km, where m and k are any positive integers. An F 2 m -polynomial is a linear map given by (2) leads to a family of APN functions, providing, in particular, for n = 9 (k, m = 3) a new APN function and for n = 8 (k = 4, m = 2) a function equivalent to x 9 + Tr(x 3 ), which is not contained in any infinite family.
In the following, we generalize the isotopic shift construction. This generalization provides further new APN functions, as it will be shown below.
Given two positive integers k, m, let us consider the finite field F 2 n with n = km.
Since gcd(2 m − 1, l) = 1, for any such z, there exist integers r and s such that z = r (2 m − 1) + sl. Hence we have Then it is possible to obtain the following generalization of [6, Theorem 6.3].
Then, let i be such that gcd(i, m) = 1 and F ∈ F 2 n [x] the function given by: Then F is APN over F 2 n if and only if each of the following statements holds for any v ∈ W : Proof We need that, for any a ∈ F 2 n , the function is a 2-to-1 map, or equivalently, that ker(Δ a (ax)) = {0, 1}. As showed before, we can rewrite a = st and x = uv with s, u ∈ F 2 m and t, v ∈ W . Hence, since L 1 and L 2 are F 2 m -polynomials, we have: Without loss of generality we can assume that The obtained APN function (3) is of the form Let us see now necessary conditions on the linear functions L 1 and L 2 for F to be APN. (iv) ker(L 1 (x) + r x 2 j ) ∩ ker(L 2 (x) + r 2 i x (2 j −1)2 i +1 ) = {0} for any r ∈ F 2 n and j ≥ 0.

The case n = 8
Applying the construction of Theorem 3.1 in dimension 8 with k = 4 and m = 2, restricting the coefficients of L 1 and L 2 to the subfield F 2 4 we obtained several APN functions given in [16, Table 9] and one in [19, Table 6] which have not been previously identified as a part of any APN family. The functions mentioned are listed in Table 1.
The following results were obtained for n = 8.

Remark 3.1
The function no. 9 in Table 6 [19] has the same CCZ-invariants (Γ -rank, Δ-rank and M G F ) as the function number 1.9 in Table 9 of [16] (we note that the value of the Γ -rank given in [19] is not correct, indeed this function has Γ -rank = 14034). Since two quadratic APN functions are CCZ-equivalent if and only if they are EAequivalent [23], the CCZ-inequivalence between these two functions can be obtained by checking another invariant with respect to the EA-equivalence that we shall introduce in the next subsection.

A new EA-equivalence invariant
This set was used in [8] to study some relations between the CCZ-equivalence and the EA-equivalence.
It is easy to check that:  Proof If F is EA-equivalent to F, then there exist A 1 , A 2 affine permutations and L linear such that

Remark 3.2
We computed the values N i for the two functions and we got N 1 = 86, N 2 = 340 and N 3 = 4 for the new function, and N 1 = 86, N 2 = 340 and N 3 = 8 for the function number 1.9. Thus from Proposition 3.2 we have that the two functions are not EA-equivalent.

Remark 3.3
Note that when n is odd, a quadratic APN function F is Almost Bent (i.e. for all b ∈ F 2 n we have {W F (a, b) : a ∈ F 2 n } = {0, ±2 (n+1)/2 }), which implies S(F) = F 2 n . Thus, such invariant cannot be used for testing the CCZ-equivalence of quadratic APN functions in the case n odd. [17]. In their work, they focused on plateaued functions and looked at the subspaces in the set {b : W F (0, b) = ±2 n/2 } (n even). For plateaued functions, this set coincides with S(F).

The case n = 9
For the case k = m = 3 we consider the generalized linear shift as in (3) with L 1 and L 2 having coefficients in the subfield F 2 3 . In Table 2 we list all known APN functions for n = 9, as reported in [6, Table 1]. In Table 3, we list all new APN functions obtained from Theorem 3.1. We can observe that the family of Theorem 3.1 covers the only known example of APN function for n = 9, function 8.1 of Table 11 in [16], which has not been previously identified as a part of an APN family. Hence, currently, we do not have any known example of APN functions for n = 9 which would not be covered by an APN family. Note that this latter function was not obtained from the approach studied in [16] (it does not belong to a switching class of a previously known APN map). Finally, Table 3 indicates 15 new APN functions all obtained from Theorem 3.1. In both tables we include, for each function, the CCZ-invariants Γ -rank, Δ-rank and |M G F |.
The CCZ-inequivalence of some of these functions was obtained by checking with MAGMA the equivalence of some linear code which can be associated to an APN function (see [4]).

Isotopic shifts with nonlinear functions
In this section we consider the case when the function used in the shift is not necessarily linear.
In [6], it has been proved that, in even dimension, an isotopic shift of the Gold function with a linear function defined over F 2 [x] cannot be APN. In the following, we show that for any quadratic function F in even dimension, we cannot obtain APN functions by shifting F with a polynomial whose coefficients belong to F 2 .

Proposition 3.3 For two integers k and m let n = km and q
If n is even or k > 1, then any isotopic shift F L with L ∈ F 2 k [x] cannot be APN. In particular, this holds for any quadratic function F ∈ F 2 n [x] with n even and L ∈ F 2 [x].
Proof For F and L as outlined, we have and L(x q ) = L(x) q . Note that for any x ∈ F 2 k , F L (x) = c. For a ∈ F 2 n , we set Δ a (x) = F L (x + a) + F L (x) + F L (a) + F L (0). If k > 1, then Δ a (x) = 0 for all x, a ∈ F 2 k , so that F L is not APN. If F 4 = {0, 1, α, α + 1} ⊆ F 2 n , then consider Δ α (x). Clearly Δ α (0) = 0, while it is easily observed that Δ α (α + Table 2 Previously known CCZ-inequivalent APN polynomials over   All, except for the first one, are either new or correspond to the one known but unclassified case 1) = Δ α (1). We have When j − i is odd and F 4 F 2 k , the term in the sum is zero as α q j−i = α 2 = α + 1, L(α) q j−i = L(α + 1) and L(α + 1) q j−i = L(α). If j − i even or F 4 ⊆ F 2 k , then the term in the sum is again zero due to the fact that α q j−i = α and L(α) q j−i = L(α). In either case, we have Δ α (x) = 0 for x = 0, 1, α + 1, so F L is not APN.

Nonlinear shift for the Gold functions
If we consider an isotopic shift of a Gold function without the restriction that L(x) is a linear function, then L(x) = 2 n −1 j=0 c j x j and the isotopic shift will be of the form We Hence we obtain the following. Proposition 3.4 Let F 2 n = ζ . Assume that G i,L is constructed with L(x) = 2 n −1 j=0 c j x j . Then, for any integers k, t, we have that G i,L is linear equivalent As for the linear shifts, it is possible to restrict the search of one possible non-zero coefficient of the function.
In the following table we recall the list of known APN power maps (the list was conjectured to be complete in [14]).
In odd dimension it is possible to obtain all the power APN functions, except the Dobbertin functions, as the isotopic shifts of a Gold function by a monomial. Theorem 3.2 Over F 2 n with n an odd integer, let F be any known APN power function outside the class of Dobbertin functions. Then there exists a monomial L(x) = ax d and a Gold function G i = x 2 i +1 such that the shift G i,L is EA-equivalent to F. Table 4, excluding the Dobbertin function, the known APN power functions are the Gold functions, the Kasami functions, the Welch function, the Niho functions and the inverse function. In the following we will show that it is possible for any of the mentioned functions, to construct an isotopic shift of a Gold function that is EA-equivalent to it.

Remark 3.5
From computational results, for n even, it seems that it is not possible to obtain APN functions as the isotopic shifts of a Gold map by (non-linear) monomials. The search has been performed for n = 4, 6, 8, 10, considering also non-APN Gold exponents. Problem 3.1 Is it possible to obtain the Dobbertin function as an isotopic shift of a Gold function by a non-linear L? Problem 3.2 Is it possible to obtain the same result for n an even integer and L a non-linear multinomial?

Conclusions
Starting from the work [6], we introduced some generalizations of the isotopic shift construction for the case when the initial function is a Gold power function. In particular, using a generalized form of the isotopic shift with F 2 m -polynomials, we were able to construct a general family of quadratic APN functions. This allowed us to classify into a family some of the previously known unclassified examples of APN functions for n = 8, 9, and to provide new APN functions on F 2 9 . The computations performed were restricted to linear maps with coefficients in the subfield. We expect that, without such restriction, it is possible to find new APN functions.
We also investigated the case of constructing an isotopic shift with a nonlinear function. In this case, for any odd n, we can obtain all known power APN functions (except the Dobbertin ones) using a nonlinear monomial function.