Algebraic properties of the maps \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\chi _n$$\end{document}χn

The Boolean map \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\chi _n :\mathbb {F}_2^n \rightarrow \mathbb {F}_2^n,\ x \mapsto y$$\end{document}χn:F2n→F2n,x↦y defined by \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$y_i = x_i + (x_{i+1}+1)x_{i+2}$$\end{document}yi=xi+(xi+1+1)xi+2 (where \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$i\in \mathbb {Z}/n\mathbb {Z}$$\end{document}i∈Z/nZ) is used in various permutations that are part of cryptographic schemes, e.g., Keccak-f (the SHA-3-permutation), ASCON (the winner of the NIST Lightweight competition), Xoodoo, Rasta and Subterranean (2.0). In this paper, we study various algebraic properties of this map. We consider \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\chi _n$$\end{document}χn (through vectorial isomorphism) as a univariate polynomial. We show that it is a power function if and only if \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$n=1,3$$\end{document}n=1,3. We furthermore compute bounds on the sparsity and degree of these univariate polynomials, and the number of different univariate representations. Secondly, we compute the number of monomials of given degree in the inverse of \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\chi _n$$\end{document}χn (if it exists). This number coincides with binomial coefficients. Lastly, we consider \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\chi _n$$\end{document}χn as a polynomial map, to study whether the same rule (\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$y_i = x_i + (x_{i+1}+1)x_{i+2}$$\end{document}yi=xi+(xi+1+1)xi+2) gives a bijection on field extensions of \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {F}_2$$\end{document}F2. We show that this is not the case for extensions whose degree is divisible by two or three. Based on these results, we conjecture that this rule does not give a bijection on any extension field of \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {F}_2$$\end{document}F2.

We know, from [8], that χ n is invertible if and only if n is odd.Recently, from [20], we know a direct formula for χ −1  n .The order of χ n , and its cycle structure, are also known, see [30].
As χ n is used in so many cryptographic applications, it is important to understand these maps very well.Each of the properties of χ n could be exploited in an attack, or conversely be used to argue for security properties.For instance, in [8] and [9], the differential and correlation properties (related to differential [3] and linear [21] cryptanalysis) have been studied.
In this paper, we study some of the algebraic properties.E.g., the map χ n can be represented by a univariate polynomial through an isomorphism F n 2 ∼ = F 2 n .This representation can be used to attack cryptographic ciphers (see, e.g., [6] and [15]).We study these univariate representations for χ n to give insight in these representations.
The formula for χ −1 n [20] gives rise to a simple question, that we answer in this paper.How many monomials of a certain degree occur in this formula?
Lastly, we might consider using the rule y i = x i + (x i+1 + 1)x i+2 on field extensions (of F 2 ) or finite fields of other characteristic.

Our contributions
We have studied the aforementioned algebraic properties and present the following results.In Sect.4, we discuss univariate polynomial expressions for the maps χ n .In particular, we show that for n = 1, 3, they are not power functions.After that, we compute the number of different representations as a univariate polynomial with coefficients in the base field χ n can take.This number is equal to n • ϕ(n), where n is the number of normal elements in F 2 n and ϕ(n) = #(Z/nZ * ).Lastly, we give bounds on the degree and sparsity of χ n when given as a univariate polynomial.
Secondly, based on [20], we considered that there was no formula known for the number of monomials of a given degree in χ −1  n .We compute those in Sect. 5.They behave according to binomial coefficients, i.e., the number of monomials of degree m > 0 in χ −1  n is equal to Thirdly, in Sect.6, we view χ n as a polynomial map (see [31]), and from that conclude that, if we take the same rule to define a χ (d) n over F 2 d , it cannot be invertible for some d.We show that for even d and all d with d ≡ 0 (mod 3), the map χ (d) n is not invertible, and conjecture that this holds for any d > 1.
We finalize this section by showing that the same rule will not give an invertible map in characteristic p > 2.

Notations and conventions
We write F 2 for the finite field of two elements and F m for a (finite) field of m elements.Additionally, we have the notation F n 2 for the standard n-dimensional F 2 -vector space, obtained as the Cartesian product of n copies of F 2 .
We write 0 n for the zero vector of n zeroes, and 1 n for the all-one vector of n ones.In general if we write any string of bits s in the form s n , we mean the concatenation of that string to itself n times.
The number of 1s in a sequence or vector x is called the Hamming weight and is denoted as wt(x).
We consider a basis to be an ordered set that is linearly independent and spanning.Therefore, we write them as tuples.
Thus [ [ v 1 , . . ., v n ] ] = [ [ v 2 , v 1 , v 3 , . . ., v n ] ] give rise to isomorphic vector spaces, although we do consider the bases (v 1 , . . ., v n ) and We write lg for the binary logarithm and R * for the group of units of the ring R. For a polynomial ring in one indeterminate X with coefficients in R, we write R[X ] and likewise for a polynomial ring over n indeterminates X 1 , . . ., X n , we write R[X 1 , . . ., X n ].
For any positive integer n, we denote the number of elements in Z/nZ * by ϕ(n), the Euler totient function.

n and preliminary results
In this paper we study the maps χ n : where the indices are taken modulo n.
We see that each χ n is a map of (algebraic) degree 2.

Shift maps and shift-invariant maps
A class of maps that is of interest with respect to χ is the class of shift maps.
Definition 2 (Shift maps) For any n ≥ 1 and any k ≥ 0 we can define two maps τ k n and τ −k n on F n 2 , by iterating We have By induction, we can relax the criterium for shift-invariance: Using that τ n n = id, one can find the following generalization of Lemma 1.
Proof Since gcd(k, n) = 1, there exist integers a, l such that ak = 1 + ln.By induction to a, we know that . Since τ n n = id, we find that τ (1+ln) n = τ n and we are done by Lemma 1.

Lemma 3 For each n, χ
As an example, we give a graph of χ 5 in Fig. 1.Since χ 5 is shift invariant, for every input, the output can be deduced from this graph.

Invertibility and order
From [8], we know that χ n is invertible if and only if n is odd.Furthermore, we have a formula for the order of χ n , as a bijection in the group of bijections on F n 2 , in this case.
In particular, we find that repeating χ n for 2 lg( n+1 2 ) − 1 times, then this gives a way for computing the inverse.A direct formula for the inverse is determined in [20].

Univariate representations of n
We can choose any isomorphism as depicted in Fig. 2.This χ u n can be written as a univariate polynomial with coefficients in F 2 n by using Lagrange interpolation on all inputs.(See [32] and [19] (Thm 1.71).)With Lagrange interpolation on all pairs (x i , χ n (x i )) one will find a polynomial f (X ) ∈ F 2 n [X ] that satisfies f (x i ) = χ n (x i ) for all x i and has degree < q n .Note that by performing the interpolation on all inputs, one does not have to compute inverses, as: Fig. 2 The schematics for the univariate χ n where γ is some generator of X ] are functionally equivalent if their corresponding polynomial functions t → f (t) and t → g(t) satisfy f (t) = g(t) for all t ∈ F q n .It is straightforward that this is an equivalence relation.Equivalently, two polynomials f (X ), g(X ) ∈ F q n [X ] are functionally equivalent if and only if f (X ) ≡ g(X ) (mod X q n − X ).(See [19] 7.2) Thus, there always is a representative of degree < q n .We now give an example where we use Lagrange interpolation to find a polynomial representation of χ 3 : ) be an ordered basis, then an isomorphism of vector spaces can be found as Then χ u 3 := φ •χ 3 •φ −1 is given by: 0 → 0, 1 → α 3 , α → α 4 , α 2 → α 6 , α 3 → 1, α 4 → α, α 5 → α 5 and α 6 → α 2 .By using Lagrange interpolation, we find

Power functions
A special kind of polynomials are those whose representative consists of a single monomial.
Definition 4 (Power functions) A power function is a polynomial function that can be represented by a single monomial in F q n [X ].We write (•) e : F q n → F q n for a power function, here e ≥ 0.
Since F * q n is cyclic of order q n − 1, we find that t q n −1 = 1 for all t ∈ F * q n , hence t q n = t for all t ∈ F q n .Therefore, we only need to consider power functions with 0 ≤ e < q n − 1.A power function is not necessarily a permutation polynomial.
The set of all bijective power functions forms a group of order ϕ(q n −1), which we denote as Pow(F 2 n ).It is isomorphic to the automorphism group of F * q n , denoted as Aut(F * q n ) (see [1] or [19] Ex 2.20).
It is also easy to express the order of a power function, as in the group of bijective power functions.
Proposition 2 (Order of power function) The order of the power function (•) e on F q n is given by the (multiplicative) order of e in Z/(q n − 1)Z.

Normal bases
Definition 5 (Normal basis [26]) Consider F q ⊂ F q n .Then β ∈ F q n is called a normal element of F q n over F q if the set {β, β q , β q 2 , . . ., β q n−1 } is a linearly independent set.When considered as a tuple, this tuple is called a normal basis of F q n over F q .
(1, 0, 1) ( 0, 0, 1) Each element in a normal basis is a normal element.In [17] it is first proven that every finite extension field has a normal basis.In [26] the result is extended to giving the number of normal elements.In the following, when we will omit the over F q and write β is a normal element of F q n , or S is a normal basis of F q n , when it is clear that they are considered over Therefore the tuple (α 3 , α 6 , α 5 ) is a normal basis.These normal elements are roots of With any choice of a normal element (and its corresponding normal basis) one obtains an isomorphism between F n q and F q n , as follows: With the isomorphism φ β , taking the qth power in F q n of an element corresponds to a shift of the coordinates in F n q in the following way: Lemma 4 ([28] Lemma 5) Let β be a normal element of F q n .Let φ β be as in (1).Then φ β (τ (x)) = φ β (x) q .We now give an example of the representation of χ 3 as a univariate polynomial.
Example 3 Consider the map χ 3 .Let α 3 be a normal element in F 2 3 as in Example 2. We define χ u 3 := φ α 3 • χ 3 • φ −1 α 3 with its inputs and outputs as given in columns 3 and 4 of Table 1.By using Lagrange interpolation we find that χ u 3 (t) = t 6 for all t.We saw that χ u 3 (X ) ∈ F 2 [X ] in the previous example.We prove the more general theorem that any shift-invariant map has a univariate representation with coefficients in the base field.
Theorem 2 Let F : F n q → F n q be a shift-invariant map.Let β be a normal element of F q n and φ β as in (1).Consider the map F u : F q n → F q n defined by Proof By Lemma 4 we find that F u (X q ) = F u (X ) q since F is shift invariant.If we then write F u ∈ F q n [X ] as m i=0 a i X i for some m, then we have Hence, a q i = a i for all i = 0, . . ., m and thus Since χ n is a shift-invariant map, we have the following immediate corollary:

The map u n is only a power function for n = 1, 3
The map χ 1 is the identity function, hence is equivalent to the power function with e = 1.We also found that for a suitable choice of normal basis, χ u 3 (X ) = X 6 , a power function.It is easy to see that for even n there is no power function equivalent to χ u n (X ).
Lemma 5 For any even n, there is no normal basis representation such that χ u n is a power function.
Proof Suppose that there exists a normal basis representation such that χ u n is a power function.Since χ n ((01) n/2 ) = 0 n , there needs to exist some nonzero α ∈ F 2 n with α s = 0 for some integer s, a contradiction.
If n > 3 is a Mersenne-exponent, i.e., 2 n − 1 is a prime number, then it is also easy to show that χ u n is not a power function.
Proposition 3 (Excluding Mersenne-exponents) If n > 3 is such that 2 n − 1 is a prime number, then there exists no normal basis representation of χ n such that χ u n is a power function.
Proof Since the order of a group element is preserved under isomorphism, we inspect the order of χ n and power functions.Since 2 n − 1 is a prime number, then ϕ(2 n − 1) = 2 n − 2. Therefore, the only possibilities for the order of a power function are divisors of 2 n − 2. By Theorem 1, the order of χ n is divisible by 4 for all n > 3. The expression 2 n − 2 has at most one factor 2, so there exists no power function that is equivalent to χ n .
For the general case, we can prove that χ u n is not a power function by computing differential probabilities.

Differential probabilities
In this paragraph, we discuss differential probabilities, and with that show that χ n is only a power function for n = 1, 3. Differential probabilities were studied in [3] as a way of breaking the cipher DES [24].
Definition 6 (Differential probability) Let f : G → H be a map between finite (additive) groups G and H . Let g ∈ G and h ∈ H be arbitrary.Then we define the differential probability of f at (g, h) as Since we have mostly characteristic 2 in this section, the −-signs can be replaced by , then we compute DP χ 3 (g, h) for all g, h ∈ F 3  2 and put them in a table, where the rows are indexed by g and columns are indexed by h.The dashes represent 0. Each entry in the table, DDT gh , represents #F 3  2 • DP χ 3 (g, h) (see Table 2).Such a table we call a differential distribution table.
In the next proposition we will show that the DDT is an invariant for (Boolean) functions.

Proposition 4 [Differential probabilities under linear isomorphisms] Let G
φ ∼ = H be isomorphic groups.Let f : G → G be a map and let f : H → H be the map induced through the isomorphism.
for all g, h ∈ H .
One can similarly prove the following equalities for differential probabilities: Table 3 The DDT of t → t 6  Output difference where the L and A are affine maps and A is, moreover, an invertible affine map.The differential properties of χ n have been studied extensively (see [8,9]).We say h is compatible with a g if DP χ n (g, h) = 0.
In the following, we will write a and b instead of g, h to coincide with the standard notation, where a denotes an input difference, i.e., a = a + a * , and b = b + b * an output difference.We will use the following result: Proposition 5 (Differential probabilities for χ [8]) Let n > 1 be an arbitrary odd integer and a ∈ F n 2 .Then for any b ∈ F n 2 compatible with a , we have , where where r a is the number of 001-subsequences in a .
Since we have been unable to find a complete proof of this result in the literature, 1 we include our own proof in Appendix 1.
For power functions, the differential probabilities have also been studied, in e.g., [4]: Proposition 6 (Differential probabilities for power functions [4]) In particular, if we compute DP f (1, b ) for all b , we can use the above proposition to deduce the remainder of the differential distribution table.As a direct corollary, we see that the number of occurrences of 0 is the same in every row (except the first), and the same holds for the number of occurrences of 2, 4, . ... Example 5 (Differential distribution table of t → t 6 ) Let F 8 be determined by X 3 + X + 1 and consider (•) 6 : F 8 → F 8 .Then in Table 3, one sees the differential distribution table for (•) 6 .
We can now use what we know about differential properties of χ n and power functions to prove: Theorem 3 [χ n is not a power function for n = 1, 3] Let n = 1, 3 be a positive integer.Then there exists no way to write χ u n as a power function.
Proof Let n = 1, 3 be an arbitrary odd positive integer.(The even case has been proven in Lemma 5.) Consider any isomorphism from F n 2 to F 2 n under which χ n would become χ u n .By Proposition 4, we find that their differential distribution should be similar.Set a = 110 n−2 and a = 10 n−1 .Then we find that DP χ n (a , b ) = 1  8 and DP χ n (a , b ) = 1 4 for all b that are compatible with a , a respectively, by Proposition 5. Whereas, by Proposition 6, we have that each row of the DDT should have the same number of occurrences of 0, 2, 4, . ... Therefore, χ u n cannot be a power function.
Definition 7 (Extended affine equivalence) Let F and G be two Boolean functions from We say that F and G are extended affine equivalent if there exist: -an affine permutation A of F n 2 ; -an affine permutation B of F m 2 ; and -an affine map C : We obtain, by using the properties for differential probability listed after Proposition 4, as a direct corollary to Theorem 3: Corollary 2 Let n = 1, 3 be a positive integer.Let F be any extended affine equivalent of χ n .Then F u is not a power function.

Number of different univariate polynomial representations of n .
A priori, since we make several choices, there could be many different univariate representations of χ n for each n.In this section, we go over the choices we make and discuss how they affect the outcome of the univariate representation.In order, we discuss the choice of representation of the field, i.e., the irreducible polynomial of degree n that defines F 2 n .After that, we treat how different normal elements may give rise to different univariate polynomial representations.Each normal element β has a canonical ordered basis, yielding an isomorphism φ β as in Eq. 1.But there might be basis transformations, that shuffle the basis elements.This will provide a different isomorphism from F n 2 to F 2 n , and in some cases it will give a univariate polynomial in the base field.

Choosing an irreducible polynomial to create the field extension
It is a well-known result that for any prime power there exists (up to isomorphism) a unique field with that many elements.Does this "up to isomorphism" interfere with the univariate expression of a map?The isomorphism φ β is defined by the normal element.This normal element is defined by being a root of a polynomial.In fact, if the degree of this polynomial is d, then there are d roots, all of which are normal elements.
Then there exists some β ∈ F g that is a normal element as a root of h(X ).Furthermore, β, β 2 , . . ., β 2 deg f −1 are all roots of h(X ).
For the second statement we note that (a + b) 2 n is cyclic for any n, we find that any normal element generates the entire group.As the isomorphism ψ maps normal elements to linear combinations between powers of the same normal element, we therefore find that the "up to isomorphism" indeed does not influence the univariate expression of a map.

Choice of the normal element
We have a choice on the normal elements that we make in defining a univariate expression.This choice of normal element influences the resulting univariate expression, in particular, if β, γ are two distinct normal elements such that γ is not in any normal basis containing β, then we get different univariate polynomials.
From [19] (Thm 3.73), or [26], we obtain the following formula for the number of distinct normal elements: Theorem 4 (Number of normal elements) Let q be a prime power and m ≥ 1 an integer.There exist precisely q (X m − 1)/m normal elements in F q m (w.r.t.F q ).
Here, q ( f ) denotes the number of polynomials in F q [X ] that are coprime to f and have a smaller degree than deg( f ).
We will denote the number of normal elements in F 2 n (w.r.t.F 2 ) by n.Thus, n = 2 (X n − 1)/n.
Then we can define the isomorphism as the isomorphism corresponding to the one in (1) when the basis is re-ordered.(Note that the isomorphism given in (1) is the one where σ is the identity permutation.)A priori therefore, there are n! different univariate representations when the normal basis is fixed.We indicate that a left-shift over the basis elements corresponds with the permutation In the case that a map F is shift invariant, we can immediately reduce the number of representations to (n − 1)!: Lemma 6 Let β be a normal element in F q n and F : F n q → F n q a shift-invariant map.Let φ := φ β be as in (1) and k ∈ {1, . . ., n−1} be arbitrary.Consider the isomorphism ψ := φ τ k .Write F u ψ for the corresponding univariate representation of F. Then F u ψ = F u φ .
Proof Using the Lagrange interpolation formula, we get as required.
x i+k mod n β q i+k mod n , we find that the univariate expression is invariant under a shift of the coefficients, as expected.Thus we can assume, without loss of generality, that σ (0) = 0.The same result holds when we have a re-ordered normal basis, thus for φ σ β .
We will now investigate which re-orderings yield univariate expressions with coefficients in the base field.In the proof of Theorem 2 we use Lemma 4. Therefore it is prudent to look for ismorphisms under which taking a qth power corresponds to some shift coprime in length to the dimension of the domain ofF.(See Lemma 2.) Let gcd(k, n) = 1.We want to solve the equation φ σ β • τ k = (•) q • φ σ β for σ ∈ S n .We first illustrate this with an example.

Example 6
Let q be an arbitrary prime power, n = 5 and k = 3.We have the following commuting diagram by hypothesis: From this diagram we find the following equations Therefore, we easily obtain σ = (1 3 4 2).
Lemma 7 Consider a finite field extension F q n of F q with a normal element β.Let 0 ≤ k ≤ n − 1 be such that gcd(k, n) = 1.Then there exists a unique σ such that Proof Write x for the vector (x 0 , . . ., x n−1 ).We have φ σ β ( x) = n−1 i=0 x i β q σ (i) and x j β q σ ( j+k mod n) .
We conclude that given an irreducible polynomial and a normal element, there are ϕ(n) = #(Z/nZ * ) different univariate polynomial representations with coefficients in the prime field.
Taking into account the number of different normal elements, we obtain: Theorem 5 Let n > 0 be an arbitrary odd integer.Then there are n Some numbers of different univariate polynomial representations of χ n :

Bounds on degrees and sparsity
Irrespective of any choices, we can easily give bounds on the degree of the univariate expression and the sparsity of the univariate expressions.
We have various notions of degree.For instance, if we write χ 3 as in Definition 1, we see that χ 3 has degree 2. However, if we consider χ 3 as a univariate polynomial as in Example 1, we see that χ 3 (X ) has degree 6.In order to make some sense of this, we explain the several different notions of degree.
Let F : F n 2 → F m 2 be a (Boolean) map in its algebraic normal form, that is, each F i is given as a multivariate polynomial in n indeterminates, that is a sum of monomials.Then, the degree of a coordinate function F i is the maximum of the degrees of its monomials.A monomial X e 1 1 • • • X e r r has degree e 1 + . . .+ e r .Then the algebraic degree of F, denoted by deg a (F), is the maximum of the degrees of each of the coordinate functions F i .
When m = 1, the algebraic degree corresponds with the usual degree.
A second notion of degree is applicable to a map F : F 2 n → F 2 n that is given by a univariate polynomial.Write F(X ) = 2 n −1 j=0 c j X j .Then the 2-degree of F is given by where w 2 ( j) is the Hamming-weight of j in its binary expansion.The usual degree of a polynomial is the same as above, for the degree of a coordinate function.

Example 7
We continue from Example 1.We see that the exponents of X where there is a non-zero coefficient are 6, 5, 4, 3, 1.The list of their respective w 2 ( j) is 2, 2, 1, 2, 1. Hence we see that the 2-degree of χ u 3 is 2.
We see that in the example, the 2-degree of χ u 3 is the same as the algebraic degree of χ 3 .This holds in general (see [5]).
The bounds that we are going to prove in this section are on the regular degree of the univariate polynomial.Since we know that χ n has algebraic degree 2, we know that its 2-degree should be 2 as well.This means that the only powers of t in χ u n (t) have Hammingweight at most 2. The largest possible such number is then 2 n−1 + 2 n−2 , since the powers of t are already bounded by 2 n − 1. Likewise the lowest possible degree for χ u n (t) is 3.We have By the same line of reasoning, we have an immediate formula for the sparsity of χ u n (t), by the 2-degree.We obtain that the number of monomials in χ u n (t) is at most n 1 + n 2 .Each possible exponent can be written in a binary sequence of length n.We allow only those where there is one 1, or two 1s, as there is no constant term in the ANF of χ n .
In Appendix 2, we give a table of the minimum and maximum sparsity of (actually occurring) univariate expressions of χ n , as well as the minimum and maximum occurring degrees.
We furthermore list the univariate polynomial representations of χ n for n ≤ 7.

Monomial count of −1 n
We find in [20] that the inverse of χ −1 n has a nice expression: For odd n > 0, the formula for χ −1 n is given by: again, the indices are computed modulo n.The degree of χ −1 n is thus (n + 1)/2.
For some use-cases, having this formula and its degree is enough as exhibited in [20].However, for several cases, like algebraic attacks, one might use the monomial count, e.g., [12].In any case, it is an interesting number to compute, and it turns out to follow a beautiful formula.We investigate in this section the total monomial count, and the number of monomials of a given degree in any one of the coordinates of χ −1 n .In the following, we write M e ( f i ) for the set of monomials of degree e in the component f i .
From Theorem 6, we can determine the following: For the proof, we use the following combinatorial lemma, which is a repeated application of Pascal's Rule [27], and is very similar to the Hockey Stick Identity [18]: Table 5 The numbers m i monomials of degree i, for each summand j.
Lemma 8 Let n be a positive integer.Then for all 0 ≤ k < n we have Remark 2 Using the rule n k = n n−k we also get the following formula: By working through the summation symbol, we find the numbers as in Table 5.
For instance, to count the number of monomials of degree h−3 that occur in the summation when j = 2, we note that we have h−1 terms in the product, where at each time we have either the constant 1-term, or the degree-1-term y i−2k .To get a degree of h − 3, we need to have precisely two times the constant 1-term, or -in other wordsh − 3 times the degree-1-term y i−2k (varying indices).The number of possibilities is then given by h−1 h−3 .Or, to count the number of monomials of degree 3 that occur when j = 4, we have in the product exactly h −3 terms.Of those, precisely two times we must choose, the degree-1-term, or, precisely h − 5 times the constant term.
Finally, m i = #M(χ −1 n,i ) is the sum of all numbers in the column of m i .By Lemma 8, or, equivalently, the formula in the remark after this lemma, we then find the desired equalities, except for m 1 , where we need to add the single degree-1-monomial y i .
Since we have determined the number of monomials of each degree 1 ≤ m < n+1 2 , we can immediately deduce the total number of monomials in any coordinate of χ −1 n .Corollary 3 (Monomials in χ −1 n ) Let n > 0 be odd, then the total number of monomials in any coordinate of χ −1 n is equal to

as a polynomial map
In this section, we investigate whether the function rule determined by y i → x i + (x i+1 + 1)x i+2 , will yield invertible maps on other finite fields.We therefore take the most general form of a map that has this function rule; polynomial maps.
Definition 8 (Polynomial map) F be an arbitrary field, and F[X 1 , . . ., X n ] be the polynomial ring in n indeterminates.A polynomial map is a map where each We can observe the related polynomial map of χ n in n indeterminates.Here the field F that we look into is F 2 .This is given by A polynomial map is invertible if there exists a polynomial map G : k n → k n such that for all 1 ≤ i ≤ n.By checking the determinant of the Jacobian of n , we can check whether n is invertible.For χ n we have the following form for the Jacobian: Proposition 9 (χ n is not invertible as a polynomial map) The polynomial map n is not invertible on F 2 .
Proof The determinant det(Jac n ) contains a term (−1) n+1 X 2 • det(M n,1 ), where M n,1 is the minor where the nth row and first column are deleted from the Jacobian.This factor does not cancel out, as can be seen from the shape of the matrix.

Remark 3
The (in)famous Jacobian Conjecture states that a polynomial map is invertible if and only if the determinant of its Jacobian is invertible.Here, we used the easy-to-prove necessary condition.
Definition 9 (χ n on field extensions) Let F 2 k be a field extension of F 2 of degree k.We define χ (k) n as the polynomial function indicated by the polynomial map n on the field F 2 k .
Note that with this definition χ (1) n = χ n .Since n is not invertible, while χ n is invertible on F n 2 , for odd n, it means that for some finite extension of F 2 , the polynomial function χ (k) n is not invertible.This is due to the following result: Proposition 10 ([31] Thm 4.2.1)Let K be an algebraically closed field.Let F : K n → K n be a polynomial function that is invertible.Then F is invertible as a polynomial map.
The previous example generalizes for any odd n > 1.Since χ n is not invertible for even n, we immediately have χ (k) n is not invertible either, for any k > 1.

Proof of Proposition 5
We include here the proof of Proposition 5, since we have not been able to find one in the literature.
Proposition 12 [Differential probabilities for χ [8]] Let n > 1 be an arbitrary odd integer.Let a ∈ F n 2 be arbitrary.Then for any compatible b ∈ F n 2 we have DP χ n (a , b ) = 2 −w(a ) , where where r a is the number of 001-subsequences in a .
Proof We can express b in terms of a and a (here a is either of the two inputs that together have input difference a ) as follows (see [8] Sect.6.9): When the differential probability DP(a , b ) = 2 −w(a ) , then the dimension of the kernel of D a is equal to n − w(a ).Therefore the rank of D a will be equal to w(a ).
We will prove this by on the Hamming weight of a , which we now denote as k: P(k) : For all n > k and all a ∈ F n 2 such that wt(a ) = k, we have rk D a = w(a ).We start with the base case P(0).Then for any n > 0, we have rk D 0 n = 0 since D 0 n is the zero-matrix.Indeed, DP(0, b ) = 2 0 = 1 for all compatible b (of which there is only b = 0).The case P( 1) is similar, as we may assume that a 0 = 1 and a i = 0 for i = 0.It is immediate that rk D a = 2.When n ≥ 3, we have r a = 1 and wta = 1, hence w(a ) = 2 = rk D a .
We now explore how we can extend an input difference a ∈ F n−2 2 with wta = k to an input difference c with wtc = k + 1.Consider the largest index i for which a i = 1.
By the shift-invariance of χ n and the properties of differential probability for linear maps, we can assume that i = n − 3.
With (0) we denote that we concatenate another zero if is even, and do not concatenate it if is odd.Note that this lists all possibilities to extend an input difference a to a longer sequence c with wtc = wta + 1.Consider some a ∈ F n−2 2 such that wta = k with a n−3 = 1.We will show that P(k + 1) is true, for case 1.We now assume each of these cases separately.
a. We have wtc = wtd +1 and r c = r d .Thus, we have to show that rkD c = rk D d +1.
For that, we consider the following submatrix of D a : sub.D a := We then note that all other coordinates of D a do not change when we go from D d to D c .We have: The given columns are extended upwards and downwards with 0s We have: and thus Therefore, case 1. has been shown.2. The other two cases go in a similar fashion, by noting the two preceding and succeeding bits down and choosing the right submatrices.In the full version of this paper, see [29], we have included cases 2 and 3. 3. See 2.
By the above case distinction, we have proven half of the proposition by means of induction.
For the other half, namely that w(a ) = n − 1, when a = 1 n , we just need to show that the rank of D a = n − 1.This follows by doing elementary row reductions.The echelon form will consist of an (n − 1) × (n − 1) identity matrix I n−1 , with an (n − 1) × 1 all-one column to the right of it, and an all-zero row below all this.

Actual sparsity and degree
Here, we list the actual numbers for the minimum sparsity, maximum sparsity, minimum degree and maximum degree for univariate representations of χ n for several n.
Below those, we also give tables for the exact different univariate representations for χ n .
Similarly, we write a tuple of non-negative integers for the resulting polynomials.

F 2 m
⊂ F 2 l if and only if m | l, hence we only have to check k = 2 and k = 3, as those examples work immediately in any extension of F 2 2 or F 2 3 .

1 .
Let c = a 10 and d = a 00.Both D c and D d are n × n matrices.By the induction hypothesis, we know that rk D d = wtd + r d .We make a case distinction: a.Either d starts with 0 l 1 for l > 1; b. or d starts with 01; c. or d starts with 1.
the matrix D a .The same holds for the rows, that are extended leftwards with 0s, 123 except for the one, which has a n−1 in its first position.There we, thus, have sub.D d := case, a n−1 = 0, hence this submatrix is independent on the other blocks in D a .It is immediately clear by looking at the first three rows of the submatrices, that rk D c = rk D d + 1. b.This case is identical to 1a. c.We have wtc = wtd +1 and r c = r d −1.Thus, we have to show that rk D c = rk D d .

Table 1
The maps χ 3 and χ u

Table 6
The true bounds on and degree for univariate expressions for χ n