Modifications of bijective S-Boxes with linear structures

Various systematic modifications of vectorial Boolean functions have been used to find new, previously unknown classes of S-boxes with good or even optimal differential uniformity and nonlinearity. In this paper, a new general modification method is given that preserves the bijectivity of the function, provided that the inverse of the function has a component admitting a linear structure. A previously known construction of such a modification, based on bijective Gold functions in odd dimension, is a special case of the new method.


Introduction
Differential uniformity is one of the most extensively studied cryptographic properties of vectorial Boolean functions. By definition, an APN function is differentially δ-uniform with δ = 2, which is the lowest attainable value of δ. Differential uniformity is motivated by differential cryptanalysis: the lower the differential uniformity, the smaller the probabilities of differentials. Another property of a Boolean function of cryptanalytic interest is nonlinearity, that is, the minimum Hamming distance to the affine Boolean functions. All components of an APN function also have high nonlinearity, but already a differentially 4-uniform function can have affine components, in which case the function is said to have null nonlinearity. An early example of this phenomenon was obtained by replacing one component of an APN function by the all-zero Boolean function [10].
APN permutations are known to exist in all odd dimensions. Their existence in even dimension is an open question, with the exceptions of dimensions 2 and 4, where no APN permutations exist, and dimension 6, where only one APN permutation (up to equivalence) has been found so far. In the hunt for new examples, researchers use various smart heuristics. For example, one can start from a known highly nonlinear permutation and search over its modifications.
Beierle and Leander suggested that a differentially 4-uniform permutation with a linear component could be a good starting point when constructing a 4-uniform 2-to-1 function, which in turn could be extended to a 4-uniform, or possibly even to an APN, permutation [1]. Further, they give a construction of a differentially 4-uniform permutation with null nonlinearity. In odd dimension, their construction is based on Gold functions, while in even dimension the starting point is the finite field inversion function.

Related work

Charpin and Kyureghyan studied permutation polynomials of the shape

where γ ∈ F_{2^n}, and G(X) and H(X) are polynomials over the finite field F_{2^n} [3]. They characterised the polynomials of this shape in the case where G(X) is a permutation polynomial, based on the known properties of the support of the Walsh transform of a Boolean function with a linear structure of type 0. A linear structure of a Boolean function is an element which, when added to the input, either keeps the value the same for all inputs, or flips the value for all inputs. In the former case the linear structure is said to be of type 0, and in the latter case of type 1.
In terms of functions over F_{2^n}, the characterisation by Charpin and Kyureghyan can be stated as follows: a function of the above shape, where γ ∈ F_{2^n}, G is a permutation of F_{2^n}, and H is a function from F_{2^n} to F_{2^n}, is a permutation if and only if there is a function R : F_{2^n} → F_{2^n} such that H = R ∘ G and γ is a linear structure of type 0 of the Boolean function x → Tr(R(x)). This result was generalised to odd characteristic in [4] and later applied to monomial functions with linear structures to obtain infinite families of sparse permutation polynomials [5].
By applying this result to the case where G is the identity function, one obtains that, for a given Boolean function g, the mapping π : x → x + γ g(x) is a permutation if and only if γ is a linear structure of type 0 of g. The fact that π is an involution was later used in the construction of infinite families of involutions [6].

Contribution of this paper
The permutation π discussed above is at the core of our construction. When composed with a function, π changes half of the components of the function by adding the Boolean function g to them, while the other half of the components remain intact.
In this paper, we study conditions under which the components of a permutation can be changed in such a way that one component becomes linear. We show that this can be achieved if the inverse of the permutation has a component that admits a linear structure of type 1. It is well known that the components of certain Gold functions have linear structures of type 1. Interestingly, when applied to the inverse of a Gold function in odd dimension, our construction is identical to the one given in [1].
Outline. We start by introducing the most important notation and definitions in Section 2. For unexplained terminology we refer to [2]. In Section 3 we recall the properties of the Walsh transform of a Boolean function admitting a linear structure. A linear structure gives rise to a specific involution, as shown in Section 4. Our general construction of bijective modifications of S-boxes is given in Section 5, followed by an application to Gold functions in Section 6 and conclusions in Section 7.

Linear structures
We consider the vector space F_2^n of dimension n over F_2, where n is a positive integer. A vector x ∈ F_2^n can be represented as an n-tuple x = (x_1, …, x_n) of coordinates x_i ∈ F_2, i = 1, …, n. For two vectors x = (x_1, …, x_n) ∈ F_2^n and y = (y_1, …, y_n) ∈ F_2^n we define an inner product, denoted x · y, by setting x · y = x_1 y_1 ⊕ ⋯ ⊕ x_n y_n. We denote by '⊕' the addition in F_2^n, while we omit the product sign when denoting multiplication by an element of F_2. The zero element of F_2^n is denoted by 0_n, where the subscript is omitted if n = 1.
Let f : F_2^n → F_2 be a Boolean function. Then f is said to have a linear structure if there is a vector w ∈ F_2^n, w ≠ 0_n, such that f(x ⊕ w) ⊕ f(x) = δ for all x ∈ F_2^n, where δ ∈ F_2 is a constant [8]. We then say that w is a linear structure of type δ of f. Let us denote by W a complementary subspace of {0, w}. Then F_2^n = {0, w} ⊕ W and any x ∈ F_2^n has a unique expression of the form x = u ⊕ v with u ∈ {0, w} and v ∈ W. Then the function f can be written as

f(x) = λ · x ⊕ g(x)  (1)

for a suitable λ ∈ F_2^n and a Boolean function g : F_2^n → F_2 which is independent of the part u ∈ {0, w} of the input x ∈ F_2^n, see e.g. [2]. Conversely, a Boolean function of the form (1) has the linear structure w, and moreover f(x ⊕ w) ⊕ f(x) = λ · w, meaning that the type of the linear structure is determined by λ · w. The vector λ in the representation (1) is not unique, as any λ satisfying λ · w = δ can be used there. In particular, we can choose λ = 0 for a linear structure of type 0. The function g is not unique either and depends on the choice of the complementary subspace W of {0, w}.

Balancedness and linear structures
A Boolean function f : F_2^n → F_2 is said to be balanced if the size of its support is equal to 2^{n−1}. This is equivalent to saying that the Walsh transform of f at 0_n is equal to 0. All nonconstant linear functions are balanced, and therefore any function f of the form (1) with λ · w = 1 is balanced. The following result is a straightforward consequence of this property.

Proposition 1
Suppose that a Boolean function f : F_2^n → F_2 has a linear structure w. Let γ ∈ F_2^n and assume that one of the following two conditions holds:
1. w is of type 0 and γ · w = 1, or
2. w is of type 1 and γ · w = 0.
Then the Boolean function x → f(x) ⊕ γ · x is balanced.
Proof Let us express the function f in the form (1), f(x) = λ · x ⊕ g(x) with λ · w = δ. Then f(x) ⊕ γ · x = (λ ⊕ γ) · x ⊕ g(x) is again of the form (1), now with (λ ⊕ γ) · w = δ ⊕ γ · w. Each of the conditions 1 and 2 gives δ ⊕ γ · w = 1, so the function is balanced by the remark preceding the proposition.
Recalling that the value of the Walsh transform of x → f(x) ⊕ γ · x at 0_n is equal to the value of the Walsh transform of f at γ, we see that the following result is equivalent to Proposition 29 of [2].

Corollary 1
Suppose that a Boolean function f : F_2^n → F_2 has a linear structure w. Then the following statements hold:
1. w is of type 0 if and only if the function x → f(x) ⊕ γ · x is balanced for all γ ∈ F_2^n with γ · w = 1.
2. w is of type 1 if and only if the function x → f(x) ⊕ γ · x is balanced for all γ ∈ F_2^n with γ · w = 0.
Proof The "only if" parts of the statements are given by Proposition 1. Let us now assume that the function x → f(x) ⊕ γ · x is balanced for all γ such that γ · w = 1. If w were of type 1, it would follow from Proposition 1 that this function is also balanced for all γ such that γ · w = 0, that is, for all γ ∈ F_2^n, which is impossible by Parseval's theorem. It follows that w is of type 0, as claimed. The proof of the "if" part of the second statement is analogous.
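As an added illustration (not part of the paper), the following Python code finds the linear structures of a Boolean function given by its truth table and checks the balancedness criterion of Proposition 1 and Corollary 1 by exhaustive computation. Vectors of F_2^n are encoded as n-bit integers; the two sample functions on F_2^3 are constructed for this example.

```python
# Added example: linear structures of a Boolean function and the balancedness
# criterion of Proposition 1 / Corollary 1, checked by exhaustive computation.
# A vector of F_2^n is an n-bit integer, XOR is the addition and x.y is the parity of x & y.

def dot(x, y):
    """Inner product on F_2^n: parity of the bitwise AND."""
    return bin(x & y).count("1") & 1


def linear_structures(f, n):
    """{w: delta} for every nonzero w with f(x ^ w) ^ f(x) == delta for all x."""
    result = {}
    for w in range(1, 1 << n):
        d = f(w) ^ f(0)
        if all((f(x ^ w) ^ f(x)) == d for x in range(1 << n)):
            result[w] = d
    return result


def is_balanced(g, n):
    """True iff the support of g has exactly 2^(n-1) elements."""
    return sum(g(x) for x in range(1 << n)) == 1 << (n - 1)


def balanced_shifts(f, n, w, parity):
    """True iff x -> f(x) ^ gamma.x is balanced for every gamma with gamma.w == parity."""
    return all(is_balanced(lambda x: f(x) ^ dot(g, x), n)
               for g in range(1 << n) if dot(g, w) == parity)


def structure_type(f, n, w):
    """Type of the linear structure w of f, read off from balancedness alone
    (Corollary 1); None if w is not a linear structure of f."""
    if w not in linear_structures(f, n):
        return None
    if balanced_shifts(f, n, w, 1):
        return 0          # balanced for all gamma with gamma.w = 1  <=>  type 0
    if balanced_shifts(f, n, w, 0):
        return 1          # balanced for all gamma with gamma.w = 0  <=>  type 1
    raise AssertionError("a linear structure is always of type 0 or 1")


# Constructed sample functions on F_2^3 with coordinates x1 = bit 0, x2 = bit 1, x3 = bit 2.
def f_type1(x):
    """x1 x2 + x3: adding w = (0,0,1), i.e. 0b100, flips the value for every input."""
    return ((x & 1) & ((x >> 1) & 1)) ^ ((x >> 2) & 1)


def f_type0(x):
    """x1 x2: does not depend on x3, so 0b100 is a linear structure of type 0."""
    return (x & 1) & ((x >> 1) & 1)
```

For f_type1 the only linear structure is w = 0b100 of type 1, and x → f(x) ⊕ γ · x is balanced exactly for the γ with γ · w = 0; for f_type0 the same w is of type 0 and the balanced shifts are those with γ · w = 1, as Corollary 1 states.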

Permutations related to linear structures
Let F : F_2^n → F_2^m be a vectorial Boolean function. Given a vector β ∈ F_2^m, β ≠ 0, we define a component of F as the Boolean function x → β · F(x) and denote this function by β · F. A vectorial Boolean function from F_2^n to F_2^n is a permutation (bijection) if and only if all its components are balanced. For a proof of this known fact, see e.g. [10], Appendix.
Given a non-zero vector w ∈ F_2^n, the orthogonal complement of {0, w}, denoted {0, w}^⊥, is the vector subspace of dimension n − 1 of F_2^n consisting of all x ∈ F_2^n such that w · x = 0. Assume that we have a function π : F_2^n → F_2^n such that all its components γ · π with γ ∈ {0, w}^⊥ are given. Then it suffices to give one more component of π, say α · π with α · w = 1, to determine the entire function π: every vector of F_2^n is of the form γ or γ ⊕ α with γ ∈ {0, w}^⊥, and (γ ⊕ α) · π = γ · π ⊕ α · π. We use this approach for two alternative constructions of a permutation related to a linear structure of a Boolean function. The results of Theorem 1 and Corollary 2 also follow from Theorem 2 of [3]. The proofs are given here in the linear algebraic setting to illustrate the properties of our construction.
Theorem 1 Let f : F_2^n → F_2 be a Boolean function with a linear structure w. We define a function π : F_2^n → F_2^n by setting

γ · π(x) = γ · x for all x ∈ F_2^n

for all γ ∈ {0, w}^⊥. The remaining components are defined by first fixing an α ∉ {0, w}^⊥, that is, α · w = 1.

If w is of type 0, we set α · π(x) = f(x) ⊕ α · x for all x ∈ F_2^n.

If w is of type 1, we set α · π(x) = f(x) for all x ∈ F_2^n.

Then π is a permutation.
Proof In the second case, it follows from Proposition 1 that the Boolean function x → f(x) ⊕ γ · x is balanced for all γ ∈ {0, w}^⊥. The components of π are the nonconstant linear functions γ · x with γ ∈ {0, w}^⊥, γ ≠ 0, and the functions (γ ⊕ α) · π = f ⊕ γ · x with γ ∈ {0, w}^⊥. Thus all components of π are balanced, and hence π is a bijection.
In the first case, we observe that w is a linear structure of type 1 of the function x → f(x) ⊕ α · x, and then apply the result of the second case to this function.

Corollary 2
In the context of Theorem 1, the permutation π has the following representations:

π(x) = x ⊕ f(x) w, if w is of type 0,
π(x) = x ⊕ (f(x) ⊕ α · x) w, if w is of type 1.

Indeed, π(x) ⊕ x is orthogonal to {0, w}^⊥ by the first condition of Theorem 1, so π(x) = x ⊕ c(x) w for a Boolean function c, and taking the inner product with α gives c(x) = α · π(x) ⊕ α · x. The permutation π is not only a permutation but an involution, see also [6]. To prove this, let us start with the following property.

Lemma 1
Let w be a linear structure of type δ of a Boolean function f, α ∈ F_2^n a vector satisfying α · w = 1, and π the permutation constructed as in Theorem 1. Then

f(π(x)) = f(x) ⊕ δ (f(x) ⊕ α · x) for all x ∈ F_2^n.

Proof By Corollary 2, π(x) = x ⊕ c(x) w with c(x) = f(x) ⊕ δ (α · x). Since w is a linear structure of type δ of f, we get f(π(x)) = f(x) ⊕ c(x) δ = f(x) ⊕ δ (f(x) ⊕ α · x), from which we see that f ∘ π = f if δ = 0, while the equality f(π(x)) = α · x holds for all x if δ = 1.

Corollary 3 In the context of Theorem 1, the permutation π is an involution.
Proof If the linear structure is of type 0, then by Lemma 1 and Corollary 2 we get π(π(x)) = π(x) ⊕ f(π(x)) w = x ⊕ f(x) w ⊕ f(x) w = x. If the linear structure is of type 1, we get similarly as above, recalling α · π = f, that π(π(x)) = π(x) ⊕ (f(π(x)) ⊕ α · π(x)) w = x ⊕ (f(x) ⊕ α · x) w ⊕ (α · x ⊕ f(x)) w = x.

Modifications of S-Boxes
Let F : F_2^n → F_2^n be a bijective S-box. Let us assume that one of its components, say β · F, has a linear structure of type 1, and let us construct the permutation π for this Boolean function. Then one component of π equals β · F, meaning that one component of π ∘ F^{-1} is linear. By the construction of π we also see that the 2^{n−1} − 1 components γ · (π ∘ F^{-1}) with nonzero γ ∈ {0, w}^⊥ are just components of F^{-1}. In this way, we obtain a bijective modification of F^{-1} in which one component has been replaced by a linear function. For a linear structure of type 0 the corresponding replacement does not give a linear function. We state the result as the following theorem.
Theorem 2 Let F : F_2^n → F_2^n be a bijective vectorial Boolean function and assume that one of its components, say β · F, has a linear structure w. Let α ∈ F_2^n be such that α · w = 1. Then F^{-1} can be modified in such a way that the new function is also a permutation, all components γ · F^{-1} with γ ∈ {0, w}^⊥ remain intact, and the component α · F^{-1} is replaced
1. by the function x → α · F^{-1}(x) ⊕ β · x, if the linear structure w is of type 0, or
2. by the linear function x → β · x, if the linear structure w is of type 1.
Proof Let us recall the constructions of the bijective function π given in Theorem 1 and apply them to the Boolean function f = β · F and the given α. Since in both cases π is bijective, π ∘ F^{-1} is bijective as well. We also observe that γ · (π ∘ F^{-1}) = γ · F^{-1} for all γ ∈ {0, w}^⊥, so those components of F^{-1} remain unchanged. Let us now consider the component α · F^{-1}.
1. If the linear structure w of β · F is of type 0, then α · π(F^{-1}(x)) = f(F^{-1}(x)) ⊕ α · F^{-1}(x) = β · F(F^{-1}(x)) ⊕ α · F^{-1}(x) = β · x ⊕ α · F^{-1}(x) for all x ∈ F_2^n.
2. If the linear structure w of β · F is of type 1, then α · π(F^{-1}(x)) = f(F^{-1}(x)) = β · F(F^{-1}(x)) = β · x for all x ∈ F_2^n.
Hence in both cases the composition π ∘ F^{-1} gives the claimed bijective modification of F^{-1}.
Recalling that π is an involution we get the following corollary.

Corollary 4 In the context of Theorem 2 we have (π ∘ F^{-1})^{-1} = F ∘ π.
This gives a modification of the original permutation F. By Lemma 1, the component β · (F ∘ π) of this modification is equal to β · F if the linear structure is of type 0, that is, this component remains unchanged, while in the case of type 1 we have β · F(π(x)) = α · x for all x ∈ F_2^n, that is, this component of F, which has a linear structure, is changed to a linear function.

Application to APN gold functions
Let F_{2^n} be the extension field of F_2 of degree n. The absolute trace function Tr : F_{2^n} → F_2 is defined as Tr(x) = x + x^2 + x^{2^2} + ⋯ + x^{2^{n−1}}. The trace function is linear, and any linear function L : F_{2^n} → F_2 can be given in the form L(x) = Tr(ax) for a unique a ∈ F_{2^n}. The identification (F_2^n, ⊕) = (F_{2^n}, +) induces a linear space structure on F_{2^n}. Using a suitable linear isomorphism, the identification of vectors in F_2^n with field elements in F_{2^n} can be done in such a way that x · y = Tr(xy), where we omit the product sign for field multiplication. The power monomials x → x^{2^i+1}, x ∈ F_{2^n}, where i is a positive integer, are known as Gold functions. Gold functions are differentially 2^s-uniform, where s = gcd(i, n), and permutations if and only if n/s is odd [7,9]. For n/s odd, the nonlinearity of a Gold function is equal to 2^{n−1} − 2^{(n+s)/2−1}, and its algebraic degree is equal to 2.
Let us denote by F the Gold function x → x^{2^i+1} with n/s odd. Then the inverse F^{-1} is also a power permutation, with exponent d = (2^i + 1)^{-1} mod (2^n − 1). The inverse F^{-1} has the same differential uniformity and nonlinearity as F. Its algebraic degree is equal to the Hamming weight of the binary representation of d, which in general is higher than 2 (for s = 1 and n odd it equals (n + 1)/2).
Beierle and Leander studied Gold functions with s = 1 and n odd. They showed that the inverse of such a Gold function, which is APN and has high nonlinearity, can be modified by replacing one component by a linear function in such a way that the resulting modification is also a permutation [1]. In such a modification, in general, the differential uniformity is at most doubled, see e.g. [10], and in the APN case it is strictly doubled to become 4. Since all components of F^{-1} have the same algebraic degree, lowering the degree of one component does not change the algebraic degree of the function. As a result, they obtained an example of a permutation with differential uniformity 4, high algebraic degree, and null nonlinearity.
Using the notation of [1], this construction is given as

where α ∈ F_{2^n} is any element with Tr(α) = 1. To prove that G_{α,d} is a bijection, they show that the composition G_{α,d} ∘ F is an involution, and hence G_{α,d} is a permutation.
Next we show that this result, with an identical construction of the modification, can be obtained by application of Theorem 2.
It is easy to see that the component x → Tr(F(x)) has the linear structure w = 1 of type 1. Indeed, F(x + 1) + F(x) = (x + 1)^{2^i+1} + x^{2^i+1} = x^{2^i} + x + 1, which has absolute trace Tr(1) = 1 for all x ∈ F_{2^n} when n is odd, since Tr(x^{2^i}) = Tr(x). We fix an α ∈ F_{2^n} with Tr(α) = 1. It follows that Tr(αw) = Tr(α) = 1, that is, α · w = 1. Then, using the representation of Corollary 2, the permutation π given in Theorem 1 for f(x) = Tr(F(x)) can be expressed as π(x) = x + Tr(x^{2^i+1}) + Tr(αx). We observe that π = G_{α,d} ∘ F and conclude that G_{α,d} = π ∘ F^{-1}. Let us also note that the inverse of G_{α,d}, given by Corollary 4 as F ∘ π, gives another example of a differentially 4-uniform permutation with a linear component, Tr(F(π(x))) = Tr(αx).
The proof of the bijectivity of G_{α,d} in [1] depends heavily on the form of the Gold function and on many arithmetical properties of the field F_{2^n}. Our approach to this modification is more general and works for any permutation of the linear space F_2^n that has a component with a linear structure. The modification F ∘ π, which can be applied even if F is not a permutation, remains to be studied.
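The following Python code is an added worked example, not from the paper or from [1]. It carries out Theorems 1 and 2 (in the representation of Corollary 2) for the APN Gold permutation F(x) = x^3 over F_{2^5}, builds G = π ∘ F^{-1}, and checks by exhaustive computation that G is a permutation with the linear component Tr(αG(y)) = Tr(y), differential uniformity 4 and nonlinearity 0, while F itself is 2-uniform with nonlinearity 12. The modulus x^5 + x^2 + 1 and the default choice α = 1 (which has trace 1 since n is odd) are assumptions of the example; the function `pi_from_linear_structure` handles both types of linear structure, so it also covers the type-0 case of Theorem 1.

```python
# Added example: Theorem 2 applied to the APN Gold permutation F(x) = x^3 over F_{2^5}.
# Field elements are 5-bit integers, '+' is XOR, and the inner product a.x is Tr(ax).
# Assumptions of this example: the modulus x^5 + x^2 + 1 and the choice alpha = 1.

N = 5
MOD = 0b100101              # x^5 + x^2 + 1, irreducible over F_2
Q = 1 << N                  # field size 2^N


def gf_mul(a, b):
    """Carry-less multiplication of two field elements reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= MOD
    return r


def gf_pow(a, e):
    """a^e by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def trace(x):
    """Absolute trace x + x^2 + ... + x^(2^(N-1)), always 0 or 1."""
    t, y = 0, x
    for _ in range(N):
        t ^= y
        y = gf_mul(y, y)
    return t


TR = [trace(x) for x in range(Q)]
DOT = [[TR[gf_mul(a, x)] for x in range(Q)] for a in range(Q)]   # a.x = Tr(ax)


def gold(i):
    """Truth table of the Gold function x -> x^(2^i + 1)."""
    return [gf_pow(x, (1 << i) + 1) for x in range(Q)]


def inverse_perm(T):
    inv = [0] * Q
    for x, y in enumerate(T):
        inv[y] = x
    return inv


def linear_structure_type(f, w):
    """delta if f(x + w) + f(x) == delta for every x, otherwise None."""
    d = f[w] ^ f[0]
    return d if all(f[x ^ w] ^ f[x] == d for x in range(Q)) else None


def pi_from_linear_structure(f, w, alpha):
    """The involution of Theorem 1 in the form of Corollary 2:
    pi(x) = x + f(x) w if w is of type 0, pi(x) = x + (f(x) + alpha.x) w if of type 1."""
    delta = linear_structure_type(f, w)
    assert delta is not None and DOT[alpha][w] == 1
    return [x ^ (w if f[x] ^ (DOT[alpha][x] if delta else 0) else 0) for x in range(Q)]


def diff_uniformity(T):
    worst = 0
    for a in range(1, Q):
        counts = [0] * Q
        for x in range(Q):
            counts[T[x] ^ T[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst


def nonlinearity(T):
    """Minimum over nonzero components b.T of the distance to the affine functions."""
    nl = Q
    for b in range(1, Q):
        comp = [DOT[b][y] for y in T]
        for a in range(Q):
            walsh = sum(1 - 2 * (comp[x] ^ DOT[a][x]) for x in range(Q))
            nl = min(nl, (Q - abs(walsh)) // 2)
    return nl


def modify_gold_inverse(i=1, alpha=1):
    """Theorem 2 with F the Gold function, beta = 1 and w = 1: returns (F, F_inv, pi, G),
    where G = pi o F_inv keeps every component Tr(gamma F_inv(y)) with Tr(gamma) = 0
    and has the linear component Tr(alpha G(y)) = Tr(y)."""
    F = gold(i)
    F_inv = inverse_perm(F)
    f = [TR[y] for y in F]          # component Tr(F(x)); w = 1 is of type 1 for odd N
    pi = pi_from_linear_structure(f, 1, alpha)
    G = [pi[F_inv[y]] for y in range(Q)]
    return F, F_inv, pi, G


if __name__ == "__main__":
    F, F_inv, pi, G = modify_gold_inverse()
    print("F: permutation", sorted(F) == list(range(Q)),
          "uniformity", diff_uniformity(F), "nonlinearity", nonlinearity(F))
    print("G: permutation", sorted(G) == list(range(Q)),
          "uniformity", diff_uniformity(G), "nonlinearity", nonlinearity(G))
```

Note that G itself is not an involution in general; it is π that is the involution (Corollary 3), and the inverse of G is F ∘ π, whose component Tr(F(π(x))) equals Tr(αx) as in Corollary 4. Running the same construction for every α with Tr(α) = 1 gives a 4-uniform permutation with null nonlinearity in each case.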

Conclusions
In this paper, we presented a new general method by which, given a permutation that has a component with a linear structure of type 1, one can construct a permutation of F_2^n with null nonlinearity. We also showed that the bijective transform with the help of which the modification of the permutation is done is the same as the one that already appeared in [1] in the context of APN Gold functions in odd dimension. Against this background, our main contribution is the discovery of the connection between the existence of linear structures of type 1 and this modification method. This connection also allowed us to generalise the method and extend its applicability beyond bijective APN Gold functions in odd dimension. Note that the modification is independent of the APN property; when applying it, the differential uniformity is at most doubled. For APN functions it is strictly doubled, but in general it may increase by less. Potential applications to be studied are bijective Gold functions in even dimension, which in the best case are differentially 4-uniform, and more generally, permutations with partially bent components.
Finally, let us note that the existence of a linear structure of type 1 of a component of the inverse permutation is also a necessary condition for the modification made with the help of the involution π as described in Theorem 2 and its second point. For the details, including a discussion of the example of [1] in even dimension, we refer to [11].