On the inverses of Kasami and Bracken-Leander exponents

We explicitly determine the binary representation of the inverse of all Kasami exponents $K_r=2^{2r}-2^r+1$ modulo $2^n-1$ for all possible values of $n$ and $r$. This includes as an important special case the APN Kasami exponents with $\gcd(r,n)=1$. As a corollary, we determine the algebraic degree of the inverses of the Kasami functions. In particular, we show that the inverse of an APN Kasami function on $\mathbb{F}_{2^n}$ always has algebraic degree $\frac{n+1}{2}$ if $n\equiv 0 \pmod 3$. For $n\not\equiv 0 \pmod 3$ we prove that the algebraic degree is bounded from below by $\frac{n}{3}$. We consider Kasami exponents whose inverses are quadratic exponents or Kasami exponents. We also determine the binary representation of the inverse of the Bracken-Leander exponent $BL_r=2^{2r}+2^r+1$ modulo $2^n-1$ where $n=4r$ and $r$ odd. We show that the algebraic degree of the inverse of the Bracken-Leander function is $\frac{n+2}{2}$.

invariant under cyclotomic equivalence. If $d$ and $d'$ are cyclotomic equivalent then the binary representation of $d'$ is just a cyclic shift of the binary representation of $d$. Additionally, if $d'$ is invertible modulo $2^n-1$ then $(d')^{-1} \equiv 2^{-r} d^{-1} \pmod{2^n-1}$. To fully classify the APN monomials, it is thus necessary to determine the inverse of the known APN exponents (if they exist). It is known that APN exponents are invertible if and only if $n$ is odd (see e.g. [1, Proposition 9.19]). Determining the explicit binary representations of the inverses of the known APN exponents is thus an interesting problem. The precise binary representations immediately also give the algebraic degree of the function $x \mapsto x^{d^{-1}}$. This has been done for all known APN exponents except for the Kasami exponents (see Table 1). This paper will close this gap and find an explicit expression for the inverses of all Kasami exponents (if they exist). We will also deal with the non-APN Kasami exponents.
In [9], a method to find the inverse of a fixed exponent $d$ modulo $2^n-1$ for arbitrary $n$ was given. This technique was used to determine the inverses of the second Kasami exponent $K_2 = 13$. Unfortunately, it is unclear how to use this approach to determine the inverses of all (infinitely many) Kasami exponents. In fact, just determining the binary weight of the inverses of Kasami exponents is mentioned as an open problem in [9].
As mentioned earlier, invertible APN exponents do not exist in even dimension. In fact, no APN permutations in even dimension $n \neq 6$ have been discovered yet, so permutations in even dimension with differential uniformity 4 are of great interest and have been the subject of much research. In this case, it is also interesting to consider monomials with differential uniformity 4. For a complete list of known families of 4-differentially uniform permutation monomials in even dimension see Table 2. In the third section, we will also determine the binary representation of the inverse of the Bracken-Leander function. With this, the inverses of all known exponents that produce monomials with differential uniformity 2 in odd dimension or 4 in even dimension are determined.

| | Exponent | Conditions | Algebraic Degree | Inverse determined in |
|---|---|---|---|---|
| Gold | $2^r+1$ | $t$ odd, $\gcd(r,n)=2$ | $2$ | [9] |
| Kasami | $2^{2r}-2^r+1$ | $t$ odd, $\gcd(r,n)=2$ | $r+1$ | This paper |
| Inverse | $2^n-2$ | | $n-1$ | Obvious |
| Bracken-Leander | $2^{2r}+2^r+1$ | $4r=n$, $r$ odd | $3$ | This paper |

Table 2: List of exponents yielding 4-differentially uniform permutations over $\mathbb{F}_{2^n}$ with $n=2t$ up to inversion and cyclotomic equivalence

Our approach in this paper is new and uses as the key tool the modular add-with-carry approach that was first formally introduced by Hollmann and Xiang [6].

Theorem 1 ([6], Theorem 13) Let $a, s \in \{1, \dots, 2^n-2\}$ and $d \in \mathbb{N}$. We denote by $a = (a_{n-1}, \dots, a_0)$ and $s = (s_{n-1}, \dots, s_0)$ the binary expansions of $a$ and $s$. Let $d = \sum_j t_j 2^j$ with $t_j \in \mathbb{Z}$. Further, let $t_+ = \sum_{j,\, t_j>0} t_j$ and $t_- = \sum_{j,\, t_j<0} t_j$. The following are equivalent: There exists a sequence $c = (c_{n-1}, \dots, c_0)$ with $c_i \in \{t_-, \dots, t_+-1\}$ (called the carry sequence) such that holds for all $i$. Here, the indices are seen as elements in $\mathbb{Z}_n$.
The carry sequence in (b) is unique.
The basic idea of finding the inverse of some value $d$ modulo $2^n-1$ is now quite simple: We use Theorem 1 and set $s = 1$. Then we try to find sequences $a$ and $c$ that satisfy Eq. (1). While we apply the approach in this paper only to the Kasami and Bracken-Leander exponents, the idea can in principle be used for arbitrary values of $d$. However, the corresponding sequences $a$ and $c$ are highly dependent on the choice of $d$, so a general treatment seems to be impossible. Still, this approach gives a good framework to find inverses in $\mathbb{Z}_{2^n-1}$.
Theorem 2 Let $a, s \in \{1, \dots, 2^n-2\}$ and $K_r$ be the $r$-th Kasami exponent. We denote by $a = (a_{n-1}, \dots, a_0)$ and $s = (s_{n-1}, \dots, s_0)$ the binary expansions of $a$ and $s$. The following are equivalent: holds for all $i$. Here, the indices are seen as elements in $\mathbb{Z}_n$.

The carry sequence in (b) is unique.
We extend the definition of the weight of a sequence to the sum of all of its elements. For binary sequences, this corresponds exactly to its binary weight. In particular, this allows us to talk about the weight of the carry sequence. Using this convention, the following Lemma gives an additional condition on the carry sequence.

Lemma 1 ([6], Lemma 5) With the notation of Theorem 2, we have the following: (b) $\mathrm{wt}(c) + \mathrm{wt}(s) = \mathrm{wt}(a)$. In particular, for $s = 1$ we have $\mathrm{wt}(c) = \mathrm{wt}(a) - 1$.
We use Theorem 2 and set s = 1. Then we try to find sequences c and a that satisfy Eq. (2). In many cases, educated guesses based on experimental results for low values of n and the necessary conditions in Lemma 1 are enough to find the inverse. In particular, the carry sequence c often has a strong and visible structure. Since the carry sequence uniquely determines the sequence a, the strategy for the proofs is to find/guess the structure of the carry sequence and then construct the inverse from the carry sequence.
The following Proposition shows when a Kasami exponent is invertible modulo $2^n-1$.
- $\frac{n}{\gcd(r,n)}$ is odd,
- $\frac{n}{\gcd(r,n)}$ is even, $r$ is even and $\gcd(r,n) = \gcd(3r,n)$.
We first deal with the case $\gcd(r,n) = 1$, then with the case $\frac{n}{\gcd(r,n)}$ odd and finally with the case $\frac{n}{\gcd(r,n)}$ even. Technically, the case $\gcd(r,n) = 1$ is included in the case $\frac{n}{\gcd(r,n)}$ odd. However, we single out this case for two reasons: Firstly, it is particularly interesting since those Kasami exponents are precisely the APN exponents. Secondly, the case $\frac{n}{\gcd(r,n)}$ odd is very technical, but can be described much more easily by applying the results for the special case $\gcd(r,n) = 1$.
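The case split can be checked directly for small parameters. This added example (not from the paper) reads the two conditions listed above as alternatives, which is an assumption because the opening of the proposition is missing here, and cross-checks them against $\gcd(K_r, 2^n-1)$; the function names are illustrative.

```python
from math import gcd

def kasami(r):
    """r-th Kasami exponent K_r = 2^(2r) - 2^r + 1."""
    return (1 << (2 * r)) - (1 << r) + 1

def kasami_case(n, r):
    """Case of the section that applies to K_r mod 2^n - 1, or None if no inverse.

    Assumption: K_r is invertible iff one of the two listed conditions holds.
    """
    g = gcd(r, n)
    if (n // g) % 2 == 1:
        # n/gcd(r,n) odd; gcd(r,n) = 1 is the special case treated first
        return "gcd1" if g == 1 else "odd"
    if r % 2 == 0 and g == gcd(3 * r, n):
        return "even"
    return None

def mismatches(max_n):
    """(n, r) pairs where the criterion disagrees with a direct gcd computation."""
    bad = []
    for n in range(2, max_n + 1):
        m = (1 << n) - 1
        for r in range(1, n):
            invertible = gcd(kasami(r), m) == 1
            if invertible != (kasami_case(n, r) is not None):
                bad.append((n, r))
    return bad

def case_table(n):
    """Map every r in 1..n-1 to its case label for a fixed n."""
    return {r: kasami_case(n, r) for r in range(1, n)}

if __name__ == "__main__":
    print("disagreements up to n = 24:", mismatches(24))
    for n in (9, 12):
        print(n, case_table(n))
```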

2.1 The case $\gcd(r,n) = 1$

We first deal with the APN Kasami exponents $K_r = 2^{2r} - 2^r + 1$ over $\mathbb{F}_{2^n}$ with $\gcd(r,n) = 1$. For this case, the modular add-with-carry approach was already applied in [10] to determine the support of the Walsh support of the Kasami function $x \mapsto x^{K_r}$. While our objective here is different, we will reuse some notation used in [10], in particular the notion of $r$-ordered sequences.
By Proposition 1, $K_r$ is invertible if and only if $n$ is odd. We denote by $e$ the least positive residue of the inverse of $r$ modulo $n$. Observe that $K_r$ and $K_{n-r}$ are cyclotomic equivalent exponents on $\mathbb{F}_{2^n}$. Indeed, $(2^{2(n-r)} - 2^{n-r} + 1)2^{2r} \equiv 2^{2r} - 2^r + 1 \pmod{2^n-1}$. Then $K_r^{-1} \equiv 2^{-2r} K_{n-r}^{-1} \pmod{2^n-1}$, so it suffices to determine the inverse of one of these two values. Since $n$ is odd, we can thus assume without loss of generality that $e$ is odd. Since $\gcd(r,n) = 1$ we can reorder the sequences $a$ and $c$ in Theorem 2 in the following way:

This ordering is technically a decimation of the sequence by $-r$. Since we will be using this ordering a lot, we will denote this ordering simply as the $r$-ordering of a sequence. Using $r$-ordered sequences, the key equation in Theorem 2 takes on the following simpler form: holds for all $i \in \mathbb{Z}_n$, $i \neq 0$.

The carry sequence in (b) is unique.
Experimental results show that the inverses of the APN Kasami exponents often have binary weight $\frac{n+1}{2}$. In this case, Lemma 1 immediately shows that the $r$-ordered carry sequence has weight $\frac{n-1}{2}$ and must be a cyclic shift of the sequence $(0, 0, 1, 0, 1, \dots, 0, 1)$. Since the carry sequence of the inverse uniquely determines the inverse, these cases can then be solved with comparatively little effort.
In this section, we will always use $r$-ordered sequences to represent inverses of Kasami exponents because this notation makes the description much easier. Consequently, the inverses will be written in the form $K_r^{-1} \equiv \sum_{i=0}^{n-1} a_i 2^{-ir} \pmod{2^n-1}$ for a sequence $a = (a_0, \dots, a_{n-1})$. Of course, a translation into the more standard binary representation is easy by reordering the sequence $a$, i.e. $K_r^{-1} \equiv \sum_{i=0}^{n-1} a_{-ie} 2^i \pmod{2^n-1}$ (recall that $e$ denotes the inverse of $r$ modulo $n$).
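The strategy of guessing the carry sequence from small cases can be replayed numerically. This added example (not code from the paper) computes $K_r^{-1}$ modulo $2^n-1$, derives the carry sequence for $s=1$ and returns both in $r$-ordering. It assumes the standard add-with-carry relation $2c_i - c_{i-1} + s_i = a_i - a_{i-r} + a_{i-2r}$ with indices in $\mathbb{Z}_n$, since the key equation itself is missing from this copy; all function names are illustrative.

```python
from math import gcd

def kasami(r):
    """r-th Kasami exponent K_r = 2^(2r) - 2^r + 1."""
    return (1 << (2 * r)) - (1 << r) + 1

def rotl(x, k, n):
    """Cyclic left shift of an n-bit word, i.e. x * 2^k mod 2^n - 1."""
    k %= n
    return ((x << k) | (x >> (n - k))) & ((1 << n) - 1)

def carry_sequence(a, s, terms, n):
    """Carries (c_0, ..., c_{n-1}) for a*d = s (mod 2^n - 1), d = sum t_j 2^j.

    Assumed per-bit relation (the page's own equation did not survive):
        2*c_i - c_{i-1} + s_i = sum_j t_j * a_{i-j}      (indices mod n)
    Unrolled n times: c_i*(2^n - 1) = sum_j t_j*rot(a, j+n-1-i) - rot(s, n-1-i).
    """
    m = (1 << n) - 1
    carries = []
    for i in range(n):
        shift = n - 1 - i
        num = sum(t * rotl(a, j + shift, n) for j, t in terms) - rotl(s, shift, n)
        q, rem = divmod(num, m)
        if rem:
            raise ValueError("a*d is not congruent to s modulo 2^n - 1")
        carries.append(q)
    return carries

def r_order(seq, r):
    """r-ordering (x_0, x_{-r}, x_{-2r}, ...) of a sequence indexed by Z_n."""
    n = len(seq)
    return [seq[(-i * r) % n] for i in range(n)]

def from_r_order(a_r, r):
    """Integer whose r-ordered bit sequence is a_r: sum of a_i * 2^(-i*r mod n)."""
    n = len(a_r)
    return sum(bit << ((-i * r) % n) for i, bit in enumerate(a_r))

def analyse(n, r):
    """Inverse of K_r mod 2^n - 1 with its r-ordered bits and carry sequence."""
    m = (1 << n) - 1
    inv = pow(kasami(r) % m, -1, m)  # raises ValueError if K_r is not invertible
    a_bits = [(inv >> i) & 1 for i in range(n)]
    c = carry_sequence(inv, 1, [(0, 1), (r, -1), (2 * r, 1)], n)
    return {"inverse": inv, "weight": sum(a_bits),
            "a_r": r_order(a_bits, r), "c_r": r_order(c, r)}

def is_alternating_shift(c_r):
    """True if c_r is a cyclic shift of (0, 0, 1, 0, 1, ..., 0, 1), n odd."""
    n = len(c_r)
    ref = [0] + [0, 1] * ((n - 1) // 2)
    return any(c_r == ref[k:] + ref[:k] for k in range(n))

if __name__ == "__main__":
    for n in (9, 15):  # 3 divides n, so weight (n+1)/2 is expected
        for r in (r for r in range(1, n) if gcd(r, n) == 1):
            res = analyse(n, r)
            print(n, r, res["inverse"], res["weight"], res["c_r"])
```

The `terms` argument takes any signed binary expansion, so the same routine also handles the Bracken-Leander exponent with `[(0, 1), (r, 1), (2 * r, 1)]`.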

The Kasami APN functions and their inverses are also almost bent functions. It is known that the algebraic degree of almost bent functions is at most $\frac{n+1}{2}$ [2]. We have shown that the inverses of the Kasami APN functions defined by the exponents considered in Proposition 2 attain this bound.
The only case left to check is $e = 6k+3$ (recall that we could assume $e$ odd without loss of generality). This case is a lot more involved and has to be divided into several subcases. The key difference to the cases considered above is that $\mathrm{wt}(K_r^{-1}) < \frac{n+1}{2}$ for $e = 6k+3$, so finding the correct carry sequence is more complicated. However, the strategy of the proof remains the same: Based on experimental results, we guess a carry sequence that then determines the inverse.
Note that Proposition 3 lists all possible options. Indeed, the cases $t = 6u$ and $t = 6u+3$ do not occur because in these cases $n = se + t$ is divisible by 3, so $e = 6k+3$ is never invertible modulo $n$.
Corollary 1 Let $n \in \mathbb{N}$ and $K_r$ be the $r$-th Kasami exponent with $\gcd(n,r) = 1$. Let $K_r^{-1}$ be the inverse of $K_r$ modulo $2^n-1$. Then $\mathrm{wt}(K_r^{-1}) = \frac{n+1}{2}$ for $n \equiv 0 \pmod 3$. Moreover, we have The lower bound is attained if and only if $e = 3$.
Proof If $n \equiv 0 \pmod 3$ then $e$ is not divisible by 3 since $\gcd(e,n) = 1$. The result then follows from Proposition 2.
For the other cases, using the notation of Proposition 3, the binary weight $\mathrm{wt}(K_r^{-1})$ is minimal when $s$ is maximal. For $n = se + t$ with $0 < t < e$ this clearly implies minimizing $e$, so $e = 3$ and $t \in \{1, 2\}$. For these cases we have and the result follows.

□
It is known that a vectorial Boolean function $f$ is always CCZ-equivalent to its inverse $f^{-1}$. It is however not clear when a function is EA-equivalent to its inverse. Since EA equivalence preserves the algebraic degree, we get the following easy corollary.

The case $\frac{n}{\gcd(n,r)}$ odd

We now deal with the Kasami exponents $K_r$ with $\gcd(n,r) > 1$ and $\frac{n}{\gcd(n,r)}$ odd. While these Kasami exponents are not APN, they still have some interesting properties. For example, for $\gcd(r,n) = 2$ and $\frac{n}{2}$ odd, the function $x \mapsto x^{K_r}$ (and thus also its inverse) is a permutation with differential uniformity 4 (see Table 2).
Since $\gcd(n,r) > 1$, we cannot use the $r$-ordering of sequences that we used in the previous section. We expand the concept in a natural way.
Since the $r$-matrices are constructed from sequences, we use the slightly unusual convention of indexing from 0, i.e. the first row/column will be called row/column 0. With this convention, the $r$-ordered sequences considered in the previous section are just a special case of $r$-matrices with only one row. Again in accordance with the notation used in the previous section, we denote by $e$ the least positive residue of the inverse of $\frac{r}{\gcd(n,r)}$ modulo $\frac{n}{\gcd(n,r)}$. Since $\gcd(n,r) = \gcd(n-r,r)$, $\frac{n}{\gcd(n,r)}$ odd and $K_r$ is cyclotomic equivalent to $K_{n-r}$, it suffices to determine the inverses of $K_r$ where $e$ is odd.
Using r-matrices, Theorem 2 takes on the following form.
with $c_{i,j} \in \{-1, 0, 1\}$ such that the following equations hold: The carry sequence (and thus its associated $r$-matrix) in (b) is unique.
Proof The Theorem follows immediately from Theorem 2 and the definition of the $r$-matrix. The predecessor of the values $c_{-k_1 r}$ is determined as follows: Observe that $c_{-k_1 r - 1} = c_{\gcd(n,r)-1-k_2 r}$ if and only if $-k_1 r - 1 \equiv \gcd(n,r) - 1 - k_2 r \pmod n$, which is equivalent to $-(k_1 - k_2)\frac{r}{\gcd(n,r)} \equiv 1 \pmod{\frac{n}{\gcd(n,r)}}$, so the predecessor of $c_{-k_1 r}$ is $c_{\gcd(n,r)-1-k_2 r}$ with $k_2 = k_1 + e$.

□
Again, we find $M_{a,r}$ and $M_{c,r}$ such that Eq. (5)-(7) hold. These verifications become quite tedious (especially since we have to distinguish several cases). However, the basic idea does not change: The $r$-matrices of the carry sequences have a visible structure that can be used to determine the inverse. It turns out that the inverse of $K_r$ modulo $2^n-1$ with $\gcd(r,n) = d$ is closely related to the inverse of $K_{r/d}$ modulo $2^{n/d}-1$ which was already determined in the previous section. To improve readability, we first deal with the case $\frac{n}{\gcd(n,r)} = 6v+3$ for a $v \in \mathbb{N}_0$ separately.

In both cases we have $\mathrm{wt}(K_r^{-1}) = \frac{n-3d+4}{2}$.
Proof Case (a): The $r$-matrix of the corresponding carry sequence is where $c'' = (c_0, \dots, c_{\frac{n}{d}-1}) = (0, 1, 0, 1, \dots, 0, 1, 0, 1, 0)$ and $c' = (c_e - 1, c_{e+1}, \dots, c_{\frac{n}{d}-1}, c_0, c_1, \dots, c_{e-1})$. Using Theorem 4, we just have to verify Eq. (5)-(7). With this carry sequence, the equations take on the following form: Observe that, by Proposition 2, $a_2$ is the $r$-ordered sequence of the inverse of $K_{r/d}$ modulo $2^{n/d}-1$ with the corresponding carry sequence $c''$. Theorem 3 then shows that Eq. (10) and (11) are satisfied. We check Eq. (8) and (9) by hand. In both equations we do not consider the last row of $M_{a,r}$ and since all but the last row in $M_{a,r}$ are identical, it suffices to check the first row.

Case (b):
The proof is similar to the proof of the first case. We define the r-matrix of the corresponding carry sequence

□
Note that the case $e = 6k+3$ does not occur because $e$ is invertible modulo $\frac{n}{d} = 6v+3$. We now deal with the remaining cases $\frac{n}{d} = 6v+1$ and $\frac{n}{d} = 6v+5$.
where $c' = (c_0, \dots, c_{\frac{n}{d}-1})$ is the $r$-ordered carry sequence for the inverse of $K_{r/d}$ modulo $2^{n/d}-1$ determined in the proofs of Propositions 2 and 3. With this carry sequence, the equations (5)-(7) of Theorem 4 take on the following form: $2c_j - c_{j+e} = a_{0,j+2} - a_{0,j+1} + a_{0,j}$ for all $j \in \{1, \dots,$

The validity of Eq. (12) and (13) follows from Theorem 3 and the choice of $a_1$ and $c'$. So we only need to verify Eq. (14) for each case. We will show the verification for the first case, the other cases are identical in nature.
Using Lemma 1, we have has a strong structure because its $r$-matrix has $d-1$ identical rows. By the definition of the $r$-matrix, this means that $K_r^{-1}$ has $\frac{n}{d}$ runs of $(d-1)$ consecutive ones or zeroes. The results presented in this section yield the following result for the binary weight of the inverse of Kasami exponents.

For the other cases, using the notation of Proposition 5, the binary weight $\mathrm{wt}(K_r^{-1})$ is minimal when $e$ is divisible by 3 and $s$ is maximal. For $n = se + t$ with $0 < t < e$ this clearly implies minimizing $e$, so $e = 3$ and $t \in \{1, 2\}$. With Case (e) and (f) from Proposition 5, we have and the result follows.

We now deal with the case $\frac{n}{\gcd(n,r)}$ even. Proposition 1 implies that if $K_r$ is invertible modulo $2^n-1$ then both $n$ and $r$ are even and $\frac{n}{\gcd(n,r)}$ is not divisible by 3. We will again denote by $e$ the inverse of $\frac{r}{\gcd(n,r)}$ modulo $\frac{n}{\gcd(n,r)}$. Note that since $\frac{n}{\gcd(n,r)}$ is even, $e$ must be odd.

Kasami inverses with special structure
We now investigate cases where the inverses of Kasami exponents have some special structure. These cases will also illustrate the results in the previous sections and show how to get from the representation using r-matrices to the "usual" binary representation.
In [9, Proposition 3.13], it was shown that the inverse of $K_r$ modulo $2^{5r}-1$ is cyclotomic equivalent to the Kasami exponent $K_{2r}$. It was conjectured that $K_r^{-1}$ modulo $2^{5r/b}-1$ for $b \mid r$ and $5 \nmid b$ is always cyclotomic equivalent to a Kasami exponent. This conjecture can be proven using Proposition 5. Then

We now write $K_r^{-1}$ in its usual binary representation. To do this, we write from right to left in the following way: We start with the first column, and then proceed in steps of length $e$ to the left (cyclically). So, for the case $e = 1$, we start with column 0 of $M_1$, then column 4, then 3, then 2 and then 1, resulting in:

In the first case, we have $K_r^{-1} \equiv 2^{2d} K_{2d} \pmod{2^n-1}$ and in the second case $K_r^{-1} \equiv 2^{2d} K_d \pmod{2^n-1}$. If $e = 2$ and $e = 4$ (corresponding to the values $b \equiv 3 \pmod 5$ and $b \equiv 4 \pmod 5$) we use the relation $K_r^{-1} \equiv 2^{-2r} K_{n-r}^{-1} \pmod{2^n-1}$ and apply the procedure above to $K_{n-r}$.

□
In fact, in [9] several nice formulas for the inverses of $K_r$ modulo $2^{kr}-1$ for small fixed values of $k$ have been found. Our framework gives an explanation why these inverses have a strong structure: We have $\frac{kr}{\gcd(r,kr)} = k$, so the $r$-matrices always have $k$ columns. By Proposition 4 and 5, all but one row in the $r$-matrix are identical, so we get long runs of zeroes and ones (as observed in Proposition 7). All of these formulas can also be obtained using our framework. In particular, it was shown in [9] that if $n = \frac{3r}{b}$ with $b \mid r$ and $\gcd(3,b) = 1$ then the inverse of $K_r$ modulo $2^n-1$ has the lowest possible weight 2. Using the results we obtained in the previous sections, we give an alternative proof and show additionally that (apart from sporadic cases for low values of $n$) these are the only cases where the inverses of Kasami exponents have weight 2.

where $d = \gcd(r,n)$. We have $\frac{n-3d+4}{2} = 2$ if and only if $n = 3d$. So, $n = \frac{3r}{b}$ for some $b$ with $\gcd(b,3) = 1$. We differentiate the two possible cases $e = 1$ and $e = 2$ corresponding to $b \equiv 1 \pmod 3$ and $b \equiv 2 \pmod 3$, respectively. If $e = 1$, we are in Case (a) of Proposition 4 and the matrix $M_{a,r}$ looks as follows: . Here we used that $r \equiv \frac{n}{3} \pmod n$ since $b \equiv 1 \pmod 3$. If $e = 2$, we apply the same procedure to $K_{n-r}$, so $K_{n-r}^{-1} \equiv 2$ . Again we get $d \mid 2$ and the same argument as before yields $\mathrm{wt}(K_r^{-1}) > 2$. In Proposition 6 the inverses always have binary weight $\frac{n+2}{2}$, so no new cases are found.

The Bracken-Leander exponent
We now determine the inverse of the Bracken-Leander exponent $BL_r = 2^{2r} + 2^r + 1$ modulo $2^{4r}-1$ with $r$ odd. In this case, the exponent is not independent from the field size. Because of this, finding the inverse is much easier. We again use the modular add-with-carry approach. Theorem 1 applied to the Bracken-Leander exponents yields the following condition for the carry sequence.
Here, the indices are seen as elements in $\mathbb{Z}_n$.

The carry sequence in (b) is unique.
Observe that $\gcd(r,n) = r$ and $\frac{n}{\gcd(r,n)} = 4$. The case here is thus similar to the $\frac{n}{\gcd(r,n)}$ even case of the Kasami functions. We again use $r$-matrices so that Eq. (15) and (16) have an easier structure.
The carry sequence (and thus its associated r-matrix) in (b) is unique.
It is easy to derive some strong necessary conditions from the equations. For example Eq. (19) implies that, if $c_{i,j} = 0$ for some $i > 0$, then necessarily $c_{i-1,j} = a_{i,j+2} = a_{i,j+1} = a_{i,j} = 0$, which inductively leads to $c_{i',j} = a_{i',j+2} = a_{i',j+1} = a_{i',j} = 0$ for all $0 < i' < i$. With some examples for small values of $n$, it is then quite easy to guess the correct $r$-matrices for the sequence $a$ and its associated carry sequences $c$.

For $i$ odd, we have $c_{i,j} = 1$, $c_{i-1,j} = 2$ and $a_{i,j} = a_{i,j+1} = a_{i,j+2} = 0$. For $i > 0$ even, we have $c_{i,j} = 2$, $c_{i-1,j} = 1$ and $a_{i,j} = a_{i,j+1} = a_{i,j+2} = 1$, so Eq. (19) is satisfied.

Conclusion
In this paper, we introduced a new approach to find inverses of elements in $\mathbb{Z}_{2^n-1}$, using the modular add-with-carry algorithm. We determined the inverse of all Kasami exponents $K_r = 2^{2r} - 2^r + 1$ modulo $2^n-1$ (if it exists) as well as the inverse of the Bracken-Leander exponent $BL_r = 2^{2r} + 2^r + 1$ modulo $2^{4r}-1$ with $r$ odd. With our contribution, the binary representations of the inverses of all known APN exponents as well as the inverses of all exponents that give rise to 4-differentially uniform permutations in even dimension are found. The more general problem of inverting a given element $d$ in $\mathbb{Z}_{2^n-1}$ for all $n$ is still not well understood.
It is a natural question if the approach using the modular add-with-carry algorithm can be generalized to other exponents. For every invertible $d$, we can find a defining set of equations for the binary representation of $d^{-1}$ and the corresponding carry sequence in the style of Eq. (1) in Theorem 1. The difficulty then lies in finding the sequences that satisfy the equations. This has to be done on a case by case basis. Inversion in $\mathbb{Z}_{2^n-1}$ is not only interesting for questions relating to differential uniformity. For example, if $d$ is a complete permutation polynomial (CPP) exponent over $\mathbb{F}_q$ (i.e. there exists an $a \in \mathbb{F}_q$ such that $ax^d$ and $ax^d + x$ are permutation polynomials), then also its inverse $d^{-1}$ modulo $q-1$ is a CPP exponent [11]. Several CPP exponents in even characteristic have been found (e.g. [3], [14], [15]). For a complete classification of CPP exponents, finding explicit formulas for the corresponding inverses is an interesting research problem.
A generalization of the modular add-with-carry approach to tackle the problem of inversion in $\mathbb{Z}_{p^n-1}$ for a prime $p > 2$ (corresponding to inversion of monomials in odd characteristic) is also a possible avenue for further research.