The multivariate method strikes again: New power functions with low differential uniformity in odd characteristic

Let $f(x) = x^d$ be a power mapping over $\mathbb{F}_n$ and $\mathcal{U}_d$ the maximum number of solutions $x \in \mathbb{F}_n$ of $\Delta_{f,c}(x) := f(x+c) - f(x) = a$, where $c, a \in \mathbb{F}_n$ and $c \neq 0$. $f$ is said to be differentially $k$-uniform if $\mathcal{U}_d = k$.
The investigation of power functions with low differential uniformity over finite fields $\mathbb{F}_n$ of odd characteristic has attracted a lot of research interest since Helleseth, Rong and Sandberg started to conduct extensive computer searches to identify such functions. These numerical results are well known as the Helleseth-Rong-Sandberg tables and are the basis of many infinite families of power mappings $x^{d_n}$, $n \in \mathbb{N}$, of low uniformity (see e.g. Dobbertin et al. Discret. Math. 267, 95–112 2003; Helleseth et al. IEEE Trans. Inform. Theory, 45, 475–485 1999; Helleseth and Sandberg AAECC, 8, 363–370 1997; Leducq Amer. J. Math. 1(3) 115–123 1878; Zha and Wang Sci. China Math. 53(8) 1931–1940 2010). Recently the cryptocurrency IOTA and Cybercrypt started to build computer chips around base-3 logic to employ their new ternary hash function Troika, which currently increases the cryptographic interest in such families. Especially bijective power mappings are of interest, as they can also be employed in block and stream ciphers.
In this paper we contribute to this development and give a family of power mappings $x^{d_n}$ with low uniformity over $\mathbb{F}_n$, which is bijective for $p \equiv 3 \bmod 4$. For $p = 3$ this yields a family $x^{d_n}$ with $3 \leq \mathcal{U}_{d_n} \leq 4$, where the family of inverses has a very simple description. These results explain "open entries" in the Helleseth-Rong-Sandberg tables. We apply the multivariate method to compute the uniformity and thereby give a self-contained introduction to this method. Moreover we will prove for a related family of low uniformity introduced in Helleseth and Sandberg (AAECC, 8 363–370 1997) that it yields permutations.


Introduction
We assume that the reader is familiar with basic facts on finite fields. Lidl et al. [13] is a good reference. The finite field with $p^n$ elements is denoted by $\mathbb{F}_n$. The cyclic group of invertible elements is denoted by $\mathbb{F}_n^\times$ and a generator $\omega$ of this group is called a primitive element. Throughout this paper $p$ denotes an odd prime.
is called the difference spectrum.
4. We say that two mappings $f$ and $g$ have the same difference properties if the difference spectrum is equal up to a permutation, i.e. for all $a, c \in \mathbb{F}_n$ there exist $b, d \in \mathbb{F}_n$ with $N_f(c, a) = N_g(d, b)$ and vice versa.
5. The (differential) uniformity of $f$ is $\mathcal{U}_f := \max\{N_f(c, a) \mid a, c \in \mathbb{F}_n, c \neq 0\}$.
6. A mapping $f$ is called (differentially) $k$-uniform if $\mathcal{U}_f = k$.
7. If $f$ is a power mapping $x^d$ we will use the notation $\Delta_{d,c}(x)$, $N_d(c, a)$ and $\mathcal{U}_d$.
Remark 1.1 If $k = 1$, then $f$ is called perfect nonlinear (PN) or planar. It is well known that such functions exist only over finite fields of odd characteristic. For an example see e.g. [4]. If $k = 2$, then $f$ is called almost perfect nonlinear (APN). This is the best that can be achieved for even characteristic (see e.g. [7]).
When classifying mappings according to the above properties it is common to focus on the difference properties. The following equivalence relation from [2] is the most common and general known equivalence relation preserving the difference properties of two functions $f$ and $g$.
Definition 1.2 Two mappings $f, g$ from $\mathbb{F}_n$ to itself are called Carlet-Charpin-Zinoviev-equivalent (CCZ-equivalent) if for some affine permutation $L$ of $\mathbb{F}_n^2$ the image under $L$ of the graph of $f$ is equal to the graph of $g$, where the graph of a mapping $M$ is defined as $\{(x, M(x)) \mid x \in \mathbb{F}_n\}$.
For power mappings we have the following simplification by Dempwolff [5].
Theorem 1.3 Let $\mathbb{F}_n$ be a finite field of characteristic $p$ and $x^k$ and $x^l$ be power functions on $\mathbb{F}_n$. Then $x^k$ and $x^l$ are CCZ-equivalent if and only if there exists a positive integer $0 \leq m < n$ such that $l \equiv p^m k \bmod (p^n - 1)$ or $kl \equiv p^m \bmod (p^n - 1)$.

Remark 1.2
It is well known that a power mapping $x^d$ is a permutation over $\mathbb{F}_n$ iff $\gcd(d, p^n - 1) = 1$. The inverse is given by
Note that the latter condition in the above theorem means that $x^{p^{n-m} k}$ and $x^l$ are inverse to each other. Moreover the theorem states that if $x^d$ is a permutation with inverse $x^{d^{-1}}$ then these mappings have the same difference properties.
The following lemma is well known (see e.g. [7]).
Lemma 1.4 For a power mapping $x^d$ over $\mathbb{F}_n$ the difference spectrum is completely determined by considering $\Delta_{d,1}$.
Classifying mappings of low uniformity up to CCZ-equivalence is of interest in cryptography since differential and linear cryptanalysis exploit weaknesses of the uniformity of the functions which are used in AES and many other block ciphers. Helleseth, Rong and Sandberg conducted extensive computer searches in the 90s to classify $k$-uniform power mappings. These numerical results are well known as the Helleseth-Rong-Sandberg tables (H-R-S tables). Several infinite families of mappings have been discovered since then and their uniformity determined in a series of papers, thereby explaining some of these entries (see e.g. [7,9,10,14,15]).
For applications in cryptography, one would like to employ mappings $f$ for which $\mathcal{U}_f$ is as small as possible. The proprietary hash function Curl employed in the cryptocurrency IOTA for example makes use of ternary S-boxes and is vulnerable to differential cryptanalysis. After it was broken, the IOTA foundation developed in cooperation with Cybercrypt the ternary hash function Troika as its substitute and initiated a crypto challenge over 200.000 €. As the foundation is currently developing new computer chips built around base-3 logic, mappings with low uniformity over $\mathbb{F}_{3^n}$ have become cryptographically relevant (see [11]). In this context research on bijective power mappings with low uniformity over $\mathbb{F}_n$, and over $\mathbb{F}_{3^n}$ in particular, is of interest, as they can also be employed in SPN or stream ciphers. As mentioned before, planar functions have the lowest possible uniformity of one and therefore cannot be bijective. Thus bijective mappings necessarily have a uniformity of at least two. That these can still be cryptographically strong is well demonstrated for characteristic 2 by the block cipher AES.

Our contribution
In this paper we contribute to this development and give a family of power mappings $x^{d_n}$ with low uniformity over $\mathbb{F}_n$, which is bijective for $p \equiv 3 \bmod 4$ and $n$ odd. In case of $p = 3$ we get a bijective family $x^{d_n}$ of uniformity $\mathcal{U}_{d_n} \leq 4$, where the family $x^{d_n^{-1}}$ of inverses has a very simple description and is thus of particular interest for this new direction in cryptography. As a side result we will get that the mapping $x^{d_n}$, $d_n = \frac{p^n - 1}{2} + 2$, is bijective for $p \equiv 3 \bmod 4$ and $n$ odd. Its uniformity was computed in [10].

Organization
This paper is organized as follows. In the next section we will introduce our results. Then we will give the mathematical background required for the proofs. In Section 4 we will introduce the multivariate method from [8] and compute the uniformity as well as the bijectivity in several subsections. In the final section we will discuss further research.

New power mappings of low uniformity
In this paper, we prove the following theorems.
is even for $p \equiv 1 \bmod 4$, the exponent $d_n$ is even and thus $x^{d_n} = (-x)^{d_n}$. Therefore $x^{d_n}$ cannot be a permutation in this case.
For $p = 3$ we have
The uniformity for $p = 5$ in theorem 2.1 and for the family in theorem 2.2 was already proven in [8], whereas the explicit and simple description of the family of inverses in theorem 2.2 is new. Note that swapping $n \equiv 1 \bmod 4$ and $n \equiv 3 \bmod 4$ in the definition of $d_n$ gives the mapping introduced in [7], proven to be APN in [14]. This mapping is no longer bijective. Statement 4 of theorem 2.1 cannot be narrowed in general, and this theorem explains the following open entries in the H-R-S tables, as Table 1 shows. $d$ in Table 1 is the cyclotomic coset leader defined as $\min\{d \cdot p^i \bmod (p^n - 1) \mid 0 \leq i \leq n - 1\}$.
As this family explains open entries in the H-R-S table, it is not CCZ-equivalent to known ones. It can also be seen as a generalization for odd $n$ of the family $x^{d_n}$, $d_n = \frac{p^n - 1}{2} + 2$, treated in [10]. Therefore it is not surprising that we will also prove the following theorem.
It was shown in [10] that its uniformity is 4. In [8] it was shown that the family from theorem 2.2 is not CCZ-equivalent to known ones.

Preliminaries
The univariate polynomial ring over a finite field is denoted by $\mathbb{F}_n[x]$. The polynomial ring in two variables $x, y$ over $\mathbb{F}_n$ is denoted by $\mathbb{F}_n[x, y]$. We will need the following facts about quadratic characters. A detailed treatment of the theory of characters can be found in [12] or [13].
The quadratic character over $\mathbb{F}_n$ is the mapping $\chi_{p^n}: \mathbb{F}_n \to \{-1, 0, 1\} \subset \mathbb{C}$, which can by common abuse of language be represented by the power mapping $\chi_{p^n}(x) = x^{\frac{p^n - 1}{2}}$. This mapping has the following properties
The following two propositions play a central role in this paper.
If $p$ is clear from the context we will just write $\chi_n$.

Proposition 3.2 If the equation $x^{p-1} = a$, $a \in \mathbb{F}_n$, $a \neq 0$, has a root $\alpha$ over $\mathbb{F}_n$, i.e. $a$ has a $(p-1)$-th root $\alpha$, then it has exactly $p - 1$ roots. These are given by $\omega^i \alpha$, $i = 0, \ldots, p - 2$, $\omega$ a primitive element of $\mathbb{F}_p^\times$.
Proof As $a \neq 0$, the same is true for the solution $\alpha$. Obviously $\omega^i \alpha$, $i = 0, \ldots, p - 2$, are $p - 1$ pairwise different solutions of $x^{p-1} = a$, or $x^{p-1} - a = 0$ respectively. As a polynomial of degree $p - 1$ has at most $p - 1$ zeros, the assertion follows.
The Weil estimate (see [13], p. 225, and [1], p. 183) on character sums given in the next theorem is particularly useful for proving that certain character sums are non-zero, which are often encountered when computing the uniformity of power mappings.
be a polynomial with $m$ distinct zeros in its splitting field, which is not a square of another polynomial, then
With $\mathrm{Tr}_n$ we denote the trace function from $\mathbb{F}_n$ onto $\mathbb{F}_p$, which is given by
The trace is linear and its kernel, which will be of interest here, has been parametrized by Hilbert in his famous theorem Hilbert 90, which is given below.
The proof based on the multivariate method requires determining the zeros of multivariate equations in two unknowns, which explains its name. Systematic methods for solving such equations are given e.g. in classical elimination theory. An important algebraic tool in this theory is the well-known resultant of $f(x, y)$ and $g(x, y)$, $f, g \in \mathbb{F}_n[x, y]$, with respect to $y$, which we denote by $\mathrm{res}(f, g, y)$. We will make use of the next proposition, which states how the resultant can be used for determining the solutions of a system of polynomial equations.

Proposition 3.5 Given
and therefore the system of equations has a solution $(\alpha, \beta)$ over a proper field extension only if $\mathrm{res}(f, g, y)(\alpha) = 0$.
For further reading on the resultant and elimination theory we refer to [3].

The multivariate method: Proof of Theorem 2.1
In this section we prove theorem 2.1 and thereby give a simple and self-contained introduction to the multivariate method.

The multivariate representation
Recall that by theorem 1.3 and lemma 1.4 we can restrict ourselves to considering
The first step is to express this equation as a system of multivariate equations.
To this end we denote the conjugation (Galois automorphism) $x \mapsto x^{p^{\frac{n+1}{2}}}$ by $x^*$ and set $y := x^*$. Then $y^* = x^p$ over $\mathbb{F}_n$ and $y = x$ over $\mathbb{F}_p$. The latter property will be very useful later. Analogously we set $a^* = b$.
We get $x^{d_n} = \chi_n(x)\, y\, x$ and the $\Delta$-mapping can be represented by
By conjugation of $F_1$ with $*$ we get
as $\chi_n(x \pm \frac{1}{2})^* = \chi_n(x \pm \frac{1}{2})$. We make a case distinction according to the 4 possible values of $\chi_n(x + \frac{1}{2})$, $\chi_n(x - \frac{1}{2})$ to get the sought-for representation.
The above case distinction does not capture the cases $x = \pm\frac{1}{2}$, as $\chi_n(\frac{1}{2} - \frac{1}{2}) = \chi_n(-\frac{1}{2} + \frac{1}{2}) = 0$. We have
and $\chi_n(-\frac{1}{2})$
by proposition 3.1. This gives the exceptional cases $a = \pm 1$. We will see that $a = \pm\frac{1}{2}$ will lead to exceptional cases as well. These all lie in the base field $\mathbb{F}_p$. From now on we assume $a \in \mathbb{F}_n \setminus \mathbb{F}_p$ and treat $a \in \mathbb{F}_p$ in Section 4.4.
Cryptography and Communications (2020) 12: 41-57
The principle of the multivariate method is now to compute the solutions of $F_{i1}, F_{i2}$, $i = 1, \ldots, 4$, with elementary elimination theory. Thereby we are only interested in solutions of the form $(\alpha, \alpha^*)$. We call $F_{i1}, F_{i2}$, $i = 1, \ldots, 4$, fundamental equations and the above solutions suitable in the sequel, as exactly these yield solutions of $\Delta_{d_n,1}(x - \frac{1}{2}) = a$ when the corresponding character condition is fulfilled. In this case the solution is called an actual solution. It will turn out that identifying suitable solutions for this type of power mapping can be done by uniform techniques and usually gives a tight upper bound on the uniformity. This makes the multivariate method a powerful universal tool to study the uniformity. The problem of determining whether the corresponding character condition is fulfilled for a suitable solution, i.e. whether it is an actual solution, is much harder in general. The underlying mathematical problem is more easily described in terms of suitable solutions, as we will see. This explains why we distinguish between these types of solutions (see also Section 5).
One possibility to determine suitable solutions is to compute the resultant $\mathrm{res}(F_{i,1}, F_{i,2}, y)$ (by abuse of language) of the left hand sides of the fundamental equations with respect to $y$. This can be seen as follows.
By proposition 3.5 the equation $\Delta_{d_n,1}(x - \frac{1}{2}) = a$ has a suitable solution $\alpha$ only if $\alpha$ is a zero of one of the above $\mathrm{res}(F_{i,1}, F_{i,2}, y)$. Then one shows which of the zeros $\alpha$ yield suitable solutions. Moreover, as long as we do not encounter an exceptional case for the quadratic character, any solution belongs to exactly one of the four cases. Therefore the above resultants are called fundamental polynomials. In general the resultant can be computed very easily with the help of computer algebra systems like Magma.
Note that all suitable solutions $(\alpha, \alpha^*)$ of $F_{i1}, F_{i2}$, when considered as a system of multivariate equations, yield a zero $\alpha$ of the resultant, but not the other way around. There might exist zeros $\alpha$ of the resultant which do not extend to solutions of $F_{i1}, F_{i2}$ at all. All other zeros $\alpha$ extend to a solution $(\alpha, \beta)$ of $F_{i1}, F_{i2}$, but $\beta$ is not necessarily equal to $\alpha^*$. Therefore not all zeros of $\mathrm{res}(F_{i,1}, F_{i,2}, y)$ yield suitable solutions, and not all suitable solutions result in actual solutions. In principle any univariate polynomial $\varphi_i(x)$ with $\varphi_i(\alpha) = 0$ for all actual solutions $(\alpha, \alpha^*)$ of $F_{i1}$ can be employed in the multivariate method. Therefore we call $\varphi_i(x)$ a fundamental polynomial in the sequel. Here we compute such a $\varphi_i(x)$ by hand, e.g.

The contribution of $\varphi_1$ and $\varphi_4$, $a \in \mathbb{F}_n \setminus \mathbb{F}_p$
It follows $\beta_1 - \beta_2 = 0$ and thus $\beta_1 = \beta_2$, which contradicts our assumption. Now consider the linear mapping $L: x \mapsto x + x^*$ over $\mathbb{F}_n$. Any element $\alpha$ in the preimage $L^{-1}(a)$, $a \in \mathbb{F}_n \setminus \mathbb{F}_p$, yields a suitable solution of $x + y = x + x^* = a$ and vice versa. It follows that $\# L^{-1}(a) \leq 1$. Moreover the mapping is equal to $2x$ over $\mathbb{F}_p$, as in this case $x^* = x$. Thus the mapping is injective over the whole field $\mathbb{F}_n$ and therefore $L$ is a permutation. From this it follows that $\varphi_1$ contributes exactly one suitable solution (over the whole field $\mathbb{F}_n$).
A direct consequence is that the fundamental (6) has exactly one suitable solution as well, which is equal to $-(\alpha + \beta)$, where $\alpha + \beta$ denotes the suitable solution of (3). We have
From this it follows, together with proposition 3.1 and the fact that the suitable solutions of (3) and (6) differ by a sign:
1. If $p \equiv 3 \bmod 4$ then for all $a \in \mathbb{F}_n \setminus \mathbb{F}_p$ there exists exactly one zero $\alpha + \beta_0$, $\beta_0 \in \mathbb{F}_p$, of $\varphi_1(x)$ which yields a suitable solution of the fundamental (3), and the corresponding $-(\alpha + \beta_0)$ extends to the only suitable solution of the fundamental (6). Moreover $\chi_n(-1) = -1$ and therefore $\alpha + \beta_0$, $-(\alpha + \beta_0)$ yield 2 actual solutions iff $\chi_n(\alpha + \beta_0 - \frac{1}{2}) = \chi_n(\alpha + \beta_0 + \frac{1}{2}) = 1$ and 0 otherwise.
2. If $p \equiv 1 \bmod 4$ then for all $a \in \mathbb{F}_n \setminus \mathbb{F}_p$ there exists exactly one zero $\alpha + \beta_0$ of $\varphi_1(x)$ which yields a suitable solution of the fundamental (3), and the corresponding $-(\alpha + \beta_0)$ extends to the only suitable solution of the fundamental (6).

The contribution of $\varphi_2$ and $\varphi_3$, $a \in \mathbb{F}_n \setminus \mathbb{F}_p$
We have that $p^{\frac{n+1}{2}} - 1$ is always divisible by $p - 1$, which follows directly from the general identity
By proposition 3.2 $\varphi_2$ splits over $\mathbb{F}_n$ as follows
Analogously we have
Plugging into the left hand side of the fundamental (4) and making use of $xy = x^2$ over $\mathbb{F}_p$ gives
Thus fundamental (4) is fulfilled iff $\omega^{2i}\left(a - \frac{1}{2}\right)^{p^n - 1}$
Moreover, since $x^2$ is 2-to-1 over $\mathbb{F}_p$, (16) has exactly two solutions. These are denoted by $\pm\omega^{i_n}$. It follows that the possible suitable solutions of the fundamental (4) are
Analogously one shows that the fundamental (5) has two suitable solutions iff $\chi_n(-\frac{1}{2}(a + \frac{1}{2})) = 1$. In this case the two suitable solutions of the fundamental (5) are
Recall that $\chi_n(-x - \frac{1}{2}) = \chi_n(-1)\chi_n(x + \frac{1}{2})$ and $\chi_n(-x + \frac{1}{2}) = \chi_n(-1)\chi_n(x - \frac{1}{2})$. Thus we get in dependence of $p \bmod 4$:
1. If $p \equiv 3 \bmod 4$ then the fundamental (4) has exactly two suitable solutions iff $\chi_n(\frac{1}{2}(a - \frac{1}{2})) = 1$.
We have $\chi_n(-1) = -1$ and therefore the suitable solutions yield actual solutions iff additionally the character condition is fulfilled for one, and thus both, of the solutions given in (17), and 0 actual solutions otherwise.
Analogously one gets that the fundamental (5)

Exceptions $a \in \mathbb{F}_p$
Over the base field $\mathbb{F}_p$ we have $b = a$. Applying the multivariate method by taking this into account yields
Obviously all zeros of $\varphi_1, \ldots, \varphi_4$ lie in $\mathbb{F}_p$. Note that for $a = \pm 1$ we enter the exceptional cases for the character conditions treated in (7) and (8). We conclude that if $a \in \mathbb{F}_p$ then the preimage
Thus we can restrict ourselves to considering $x^{d_n}$ over $\mathbb{F}_p$. As $x^{d_n} = \chi_1(x) x^2$ over $\mathbb{F}_p$ we can apply theorem 3 and the remark on p. 368 of [10], which together state that

Combining all results
From what we have proven so far we get: If $p \equiv 3 \bmod 4$ then

Proof of the permutation property
At first we will show that $x^{d_n^{-1}}$, where
is the inverse of $x^{d_n}$. We will prove the case $n \equiv 3 \bmod 4$ by showing that $d_n \cdot d_n^{-1} \equiv 1 \bmod 3^n - 1$. From this the assertion follows for this case. We have
which is even, as $\frac{n-1}{2}$ is odd for $n \equiv 3 \bmod 4$. Therefore $d_n$ is odd. We have
As $d_n$ is odd it is $x^{\frac{3^n - 1}{2} d_n} = \chi_n(x)^{d_n} = \chi_n(x)$. We get that
The second term of the sum is equal to
We have that $3^{\frac{n+1}{2}} + 1$ is even and therefore
Thus (25) simplifies to $1 + \frac{3^n - 1}{2} \bmod 3^n - 1$. The addition of both simplifications gives
as requested. The case $n \equiv 1 \bmod 4$ is proven analogously.

Proof of $3 \leq \mathcal{U}_{d_n} \leq 4$
A direct computation shows that $\mathcal{U}_{d_1} = 3$. The proof for $n > 1$ is exactly as in the general case. Therefore we restrict ourselves to proving that $\varphi_2$ and $\varphi_3$ never contribute a suitable solution at the same time. Then from what we have proven in Sections 4.3 and 4.4, adapted to $p = 3$, it follows that $3 \leq \mathcal{U}_{d_n} \leq 4$.
In the case $p = 3$ the zeros of $\varphi_2$ and $\varphi_3$ are the roots $\pm(a + 1)$
Therefore $\varphi_2$ contributes two actual solutions only if $\chi_n(b - a) = 1$. Similarly one shows that $\varphi_3$ contributes two actual solutions only if $\chi_n(a - 1) = 1$ and $\chi_n\left(\frac{b - a}{a - 1}\right) = -1$, which leads to $\chi_n(b - a) = -1$. We conclude that $\varphi_2$ and $\varphi_3$ never contribute actual solutions at the same time as long as $a \neq \pm 1$. This case is covered by the above direct computation, as again we have that $\Delta_{d_n,1}(x - \frac{1}{2})^{-1}(a) \subset \mathbb{F}_3$ for $a \in \mathbb{F}_3$. As the mapping has uniformity 3 over $\mathbb{F}_3$ it follows that $\mathcal{U}_{d_n} \in \{3, 4\}$. This proves the corollary.
A question arising is whether we are able to compute the exact uniformity for $n > 1$. In [8] it was shown that, from what we have proven so far, we get that $\mathcal{U}_{d_n} = 4$ for $\mathbb{F}_{3^n}$, $n > 1$, iff the following character sum is non-zero.
$\frac{1}{2^5} \sum_{\alpha \in \mathbb{F}_n} (1 + \chi_n(\alpha + 1))(1 + \chi_n(\alpha - 1))(1 - \chi_n(\alpha)) \cdot$
Standard techniques to prove that such a character sum is non-zero make use of the Weil bound (see theorem 3.3). This bound is useless here, as the degree of the conjugation $x \mapsto x^*$ is too high. It is an open problem how to evaluate such kinds of character sums. It is conjectured that this sum is non-zero.

Further research
In this paper we gave a general family of low uniformity which is bijective for $p \equiv 3 \bmod 4$. If $p = 3$ the family has uniformity of at most 4 and its inverse family has a simple and closed description. To compute the uniformity we made use of the multivariate method and showed that it is a universal tool for doing so. The advantage of this approach is that it yields concrete parametrizations for the solutions of $\Delta_{d_n,1}(x - \frac{1}{2}) = a$. This is particularly useful if one wants to compute the cross-correlation. An example is the proof given in [6] for ternary decimations of Welch and Niho type. Many families of low uniformity can be represented, as in this paper, by power mappings where a conjugation of the form $p^{\frac{n+1}{2}}$ or $p^{\frac{n}{2}}$ is involved as well as the quadratic character $\chi_{p^n}$. Computing good upper bounds on the uniformity by the multivariate method is often an almost routine matter, whereas determining the exact uniformity leads to the problem of showing that a character sum as given in (26) is nonzero. Standard techniques to do so make use of the Weil bound. This is very often not applicable for the character sums arising from that kind of power mapping. An approach to show that such kinds of character sums are non-zero would be an enormous step forward in the theory of computing the uniformity of power mappings in odd characteristic. Another approach to compute the exact uniformity for the mappings given in theorem 2.2 could be to analyze whether the technique used to treat the $\Delta$-mapping in the proof given in [6] for the ternary decimations of Welch and Niho type can be adapted. This proof made extensive use of the fact that these decimations yield permutations $x^{d_n}$ with a simple description for the inverse.
For applications in cryptography it is also of interest to analyze whether the mappings presented here are strong against linear cryptanalysis and related attacks when employed in a block or stream cipher. Computing the cross-correlation would be a fruitful next step in this direction.