An infinite family of 0-APN monomials with two parameters

We consider an infinite family of exponents e(l, k) with two parameters, l and k, and derive sufficient conditions for e(l, k) to be 0-APN over F2n\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\mathbb F}_{2^n}$$\end{document}. These conditions allow us to generate, for each choice of l and k, an infinite list of dimensions n where xe(l,k)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$x^{e(l,k)}$$\end{document} is 0-APN much more efficiently than in general. We observe that the Gold and Inverse exponents, as well as the inverses of the Gold exponents can be expressed in the form e(l, k) for suitable l and k. We characterize all cases in which e(l, k) can be cyclotomic equivalent to a representative from the Gold, Kasami, Welch, Niho, and Inverse families of exponents. We characterize when e(l, k) can lie in the same cyclotomic coset as the Dobbertin exponent (without considering inverses) and provide computational data showing that the Dobbertin inverse is never equivalent to e(l, k). We computationally test the APN-ness of e(l, k) for small values of l and k over F2n\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\mathbb F}_{2^n}$$\end{document} for n≤100\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$n \le 100$$\end{document}, and sketch the limits to which such tests can be performed using currently available technology. We conclude that there are no APN monomials among the tested functions, outside of the known classes.


Introduction
We consider vectorial Boolean functions, i.e. mappings over the vector space F n 2 or, equivalently, the finite field F 2 n , where n is some positive integer.The differential uniformity is one of the most important properties of vectorial Boolean functions from a cryptographic point of view since it measures their resistance to attacks such as differential cryptanalysis.More precisely, the differential uniformity ∆ F of a vectorial Boolean function F is desired to be as low as possible.It is simple to see that ∆ F ≥ 2 for any vectorial Boolean function F .The best possible functions are thus the ones with ∆ F = 2, which are called almost perfect nonlinear (APN).These functions are of interest since they also correspond to optimal objects and constructions in other fields of mathematics and computer science, including combinatorics, algebra, and coding theory.For instance, APN functions can be related to linear codes with prescribed parameters [10].The study of APN and PN functions, including finding new instances of such functions and investigating their properties, is thus interesting and relevant from multiple points of view.
Unfortunately, APN functions are generally difficult to find and analyze.To date, we know many instances of APN functions (see e.g.[27], [1]) but very little can be said about their structure in general.We refer the reader to [9,13] for a detailed overview of cryptographic Boolean functions.Some of the oldest known instances of APN functions are monomials, or power functions, i.e. functions that can be expressed as polynomials of the form F (x) = x d over F 2 n for some positive integer d.Due to their relatively simple structure, these are some of the most studied and best understood vectorial Boolean functions, although the area is still riddled with open questions and unsolved problems.
Due to the general difficulty of constructing and analyzing APN functions, weaker notions of APN-ness have been introduced, such as that of partial APN-ness (pAPNness) [7] which we focus on in this paper.This means that any APN function is pAPN, but not necessarily vice-versa; and so this weaker notion can be used as a "stepping stone" in formulating constructions of APN functions and analyzing their properties.In particular, one of the motivations behind the notion of partial APNness is the possibility of learning more about the structure of APN permutations.We note that the existence of APN permutations over F 2 n with even n (typically referred to as the "big APN problem") is one of the oldest and most important questions in the field of cryptographic Boolean functions; and that, while APN permutations over F 2 n with odd n are known (for instance, all monomial APN functions are of this form), we still know very few examples and constructions of such functions.
In addition to the "big APN problem", one of the most important open questions in the area is the existence of APN monomials inequivalent to the six known families [17].In the aforementioned paper, it is conjectured that these six known families exhaust all possible cases up to equivalence.According to [9], this conjecture has been computationally verified over F 2 n for all n up to 34, and also up to 42 in the case of even n.Computationally searching for new APN monomials becomes very difficult for large values of n, since not only does the verification of the APN property require more effort, but the number of exponents that need to be checked grows exponentially with n.Finding constructions of 0-APN monomials can thus also be useful for approaching this conjecture, since instead of examining all exponents over F 2 n , only a smaller (and more promising set) has to be considered.
While certainly more tractable than APN functions, the behavior of 0-APN monomials is far from trivial, too.In the case of monomials, it is known that x d is 0-APN over F 2 n for infinitely many dimensions n, and that the set of dimensions can be characterized by computing the factorization of the polynomial x d + (x + 1) d + 1 over F 2 [x] [6].This is, however, difficult to do theoretically, and computationally, it is only feasible for relatively small values of d; for instance, the Magma algebra system [4] that we use for most of our computations struggles with computing such a factorization already for d ≥ 10 7 .While this number may seem large, we recall that if APN exponents distinct from representatives of the known families exist, they must be over finite fields F 2 n with n ≥ 35, which involves exploring exponents much larger than this.
In this paper, we define an infinite family of exponents e(l, k) = l−1 j=0 2 jk with two parameters l and k (that can take any positive integers as values), and give sufficient conditions that n has to satisfy in order for x e(l,k) to be 0-APN over F 2 n .For every choice of l and k, our conditions produce infinitely many dimensions n for which the exponent is 0-APN.Furthermore, we discuss how, with the help of some very simple computations, we can characterize the set of all dimensions n for which x e(l,k) is 0-APN.Generating dimensions that satisfy our conditions requires minimal computational effort and amounts to computing the greatest common divisors of some integers.This is possible even for very large exponents of the form e(l, k), e.g. a list of 24242 dimensions n between 1 and 100000 for which e(100, 100) ≈ 10 2980 is 0-APN can be computed in a few seconds on Magma.One of the advantages of our construction is that it becomes very easy to find dimensions where x e(l,k) is 0-APN; and, as remarked above, only a bit of additional computation is needed in order to characterize the set of all such dimensions.Another advantage is that the algebraic degree of e(l, k) is easily predictable, e.g.deg(e(l, k)) = l when gcd(k, n) = 1 and l < n, which allows us to characterize with relative ease when the exponents e(l, k) are cyclotomic equivalent to representatives from the known monomial APN families.We mathematically treat all cases, except that of the Dobbertin inverse, where the computations are too technical: the method that we use in our inequivalence proofs depends on the application of Lemma 4.1 to a set of integers describing the binary decomposition of the exponent of the monomial.Part of the lemma's hypothesis is that all these integers are distinct modulo n, and this requires the degenerate cases when two or more of them are congruent modulo n to be treated separately before the lemma can be applied.Handling these cases is conceptually straightforward, but quite lengthy and technical in practice, especially when the number of cases that need to be considered is large.In the case of the inverse Dobbertin exponent, there is a substantial blowup in the number of cases than need to be handled, which would require a lengthy proof spanning tens of pages or even more.Instead of supplying a heavy and technical proof of this form, we provide computational data for n ≤ 200 showing that e(l, k) can never be equivalent to the inverse of the Dobbertin function except in trivially small dimensions.The range n ≤ 200 covers all dimensions where the problem of finding new APN monomials can be handled in practice using our current knowledge and resources.Furthermore, we note that the "missing" case of the Dobbertin inverse only concerns odd dimensions n that are multiples of 5, while the theoretical characterizations from the remaining theorems give a complete description of the equivalence to the known families for all other values of n.
We show that the Gold and Inverse APN functions can always be represented in the form e(l, k) for suitable choices of l and k.Moreover, via [24], the inverse of the Gold function x → x 2 r +1 over F 2 n , n odd, gcd(n, r) = 1, is given by e(2r, n+1 2 ) = n−1 2 i=0 2 2ir .Furthermore, we show that representatives from the remaining families are never cyclotomic equivalent to e(l, k) except for small dimensions.
Finally, we consider the exponents e(l, k) for small values of l and k, and computationally check for which dimensions n below 100 they are APN.We do not find any new APN exponents, but we see that the computation load needed to test APNness grows very quickly with the size of the exponent e(l, k), even more so than with the dimension n.We provide more detailed comments about our computational experiments in Section 5.
Unfortunately, our current computational methods are insufficient to check APN-ness of the exponents in high dimensions.We leave the computational exploration of the e(l, k) exponents as a problem for future work.

Preliminaries
Let n be a natural number.We denote by F 2 n the finite field with 2 n elements, and by F n 2 the vector space of dimension n over F 2 .The set of non-zero elements of We concentrate on the case n = m.Any (n, n)-function can be uniquely represented as a univariate polynomial over F 2 n of the form A monomial function, or power function, is any (n, n)-function with univariate representation F (x) = x d for some natural number d.The algebraic degree of F , denoted deg(F ), is the largest (Hamming) weight of i (that is, wt(i), which is the number of nonzero bits in the binary representation of i), where a i = 0.
The differential uniformity of F : that is, as the largest number of solutions x to F (a + x) + F (x) = b for any choice of a, b with a = 0.The differential uniformity is a measurement of the resistance provided by the function to differential cryptanalysis [3], and should be as low as possible.The number of solutions x to any equation of the form F (a + x) + F (x) = b is even, and so the optimal value of the differential uniformity is 2. If ∆(F ) = 2, we say that F is almost perfect nonlinear (APN).
The large number of vectorial Boolean functions makes it necessary to consider e.g.APN functions up to some suitable notion of equivalence in order to reduce the number of instances that have to be treated.Such an equivalence relation should leave the differential uniformity invariant, and should be as general as possible (in the sense that its equivalence classes should be as large as possible) in order to leave a small number of representatives that have to be considered.At present, the most general known equivalence relation used in practice is Carlet-Charpin-Zinoviev (CCZ) equivalence.Two (n, n)-functions F and G are said to be CCZ-equivalent if there is an affine permutation In the particular case of monomial functions, however, CCZ-equivalence reduces to a much simpler notion of equivalence.We say that F, G : F 2 n → F 2 n with F (x) = x d and G(x) = x e are cyclotomic equivalent if there exists a natural number a such that either 2 a d is in the cyclotomic coset of e modulo 2 n − 1, i.e.
Table 1: Known infinite families of APN power functions over F 2 n provided of course that gcd(d, 2 n − 1) = 1 so that the inverse d −1 exists.We know that two monomials are CCZ-equivalent if and only if they are cyclotomic equivalent [14,26].Testing cyclotomic equivalence, in contrast to the more general CCZ-equivalence, is quite simple, and amounts to checking whether a small number of modular equations hold.For natural numbers n, k, we will denote by n Mod k the least positive residue of n modulo k, e.g.11 Mod 3 = 2.
At present, we know of six infinite families of APN monomials; these are summarized in Table 1.In [17], it is conjectured that no other APN monomials exist over F 2 n up to cyclotomic equivalence.In [9], it is reported that this has been computationally verified for n ≤ 34, and for n ≤ 42 in the case of even n.Despite this, the question of whether the list in Table 1 is exhaustive up to cyclotomic equivalence remains open, and is one of the oldest and hardest unresolved questions in the area of APN functions.It is sometimes referred to as Dobbertin's conjecture.
Finding new instances of APN functions is challenging, especially when APNness is combined with other desirable properties, e.g.being bijective or being a monomial function.For this reason, various weaker notions of APN-ness have been defined in the literature (see [6,11], for example).Following [6], we say that a function F : F 2 n → F 2 n is x 0 -APN for some x 0 ∈ F 2 n if any y, z ∈ F 2 n satisfying F (x 0 ) + F (y) + F (z) + F (x 0 + y + z) = 0 necessarily satisfy (x 0 + y)(x 0 + z)(y + z) = 0.It is straightforward to verify that a function is APN if and only if it is x 0 -APN for all x 0 ∈ F 2 n .
In the case of monomials, it is shown [7] that if a monomial is x 0 -APN for some x 0 = 0, then it is also x 1 -APN for any x 1 = 0, and that 1-APN-ness implies 0-APNness for monomials.This means that a monomial can be either: APN; 0-APN but not 1-APN; not 0-APN.In this sense, 0-APN-ness is a natural intermediate step towards constructions of APN monomials.
One potential strategy for approaching Dobbertin's conjecture is to describe constructions of 0-APN monomials over fields F 2 n of high dimension n.As outlined in the introduction, in this work we introduce an infinite family of exponents which are particularly tractable from the point of view of 0-APN-ness and cyclotomic equivalence to the known families.

An infinite family of 0-APN exponents with two parameters
In this section, we introduce the exponents e(l, k) and provide sufficient conditions on n in order for x e(l,k) to be 0-APN over F 2 n .We recall that any monomial x d is 0-APN over infinitely many dimensions n, but in general it can be difficult to characterize these dimensions n without doing computations such as factorizing the polynomial x d + (x + 1) d + 1 over F 2 (see [8]), which can be a computationally hard task for large values of d.The class of exponents e(l, k) has the advantage of being significantly more tractable in this sense.As outlined in the introduction, we are able to find 24242 dimensions n for which e(100, 100) ≈ 10 2980 is 0-APN in a few seconds on Magma, while factorizing x d + (x + 1) d + 1 is computationally infeasible already for d ≥ 10 7 .
The sufficient conditions can be formulated in two ways.In the proof of Theorem 3.2, we show that if the expression F (x) + F (1 + x) + F (1) for F (x) = x e(l,k) vanishes for some x ∈ F 2 n , then x is in F 2 gcd(lk,n) , or it satisfies (x/(x+1)) e(l−1,k) = 1.Consequently, if gcd(lk, n) = 1 and gcd(e(l − 1, k), 2 n − 1) = 1, then both of these cases imply that x is a trivial solution, i.e. x ∈ F 2 .
The second condition, viz.gcd(e(l − 1, k), 2 n − 1) = 1, can be replaced by requiring that gcd(jk, n) = 1 for all j ∈ {2, . . ., l} as explained in the remark following the theorem.This "cascading" condition is less general in the sense that it is not satisfied by all dimensions n for which x e(l,k) is 0-APN according to Theorem 3.2.Nonetheless, it is somewhat simpler to evaluate and allows us to easily construct an infinite sequence of dimensions n over which x e(l,k) is 0-APN even more easily.The exponent e(l, k) can also be expressed as e(l, k) = 2 lk − 1 2 k − 1 from the formula for the sum of a geometric progression.Theorem 3.2.Let n, l, k be natural numbers such that gcd(kl, n) = 1 and gcd(e(l − 1, k), 2 n − 1) = 1.Then x e(l,k) is 0-APN over F 2 n .Proof.Denote e = e(l, k).Suppose that x ∈ F 2 n satisfies x e + (x + 1) e + 1 = 0.For natural numbers a ≤ b, let [a, b] = {a, a + 1, . . ., b}, and let PI denote the power set of a discrete set I. Furthermore, let x 2 kI denote i∈I x 2 ki .Then x e +(x+1) e +1 = 0 can be written as x 2 kI = 0. ( Raising this to the power 2 k yields x 2 kI = 0.
Summing the two expressions causes all terms x 2 kI corresponding to subsets I that contain neither 0 nor l to cancel out, leaving us with x 2 kI = 0.
Remark 3.3.The proof above could have also been continued by adding (2) to its 2 k -th power; this would have produced the same equation as if we had added the derivative x e(l−1,k) + (x + 1) e(l−1,k) + 1 to its 2 k -th power since the extra term 1 would have canceled out.By induction on l, we would have obtained the condition that if gcd(ik, n) = 1 for i = 2, 3, . . ., l, then x e(l,k) must be 0-APN.We have tested these conditions computationally, and, as expected, we observed that the condition in the statement of Theorem 3.2 always produces a set of dimensions n that subsumes those given by the alternative condition described in this remark.This is why we have formulated the theorem only in terms of this more general condition, but we state the second condition as a corollary.
In particular, if gcd(jk, n) = 1 for all j ∈ {2, 3, . . ., l}, then x e(l,k) is 0-APN over F 2 n .Remark 3.5.The sufficient conditions of Corollary 3.4 allow us to explicitly determine the set of dimensions n such that x e(l,k) over F 2 n is 0-APN.We can see that for any choice of l and k, there are only finitely many dimensions m = gcd(jk, n) such that x e(l,k) + (x + 1) e(l,k) + 1 vanishes on F 2 m but on no proper subfield of F 2 m .Consequently, e(l, k) is a 0-APN exponent over F 2 n for any n that is not a multiple of one of these dimensions m.
For instance, the exponent e(3, 2) = 21 can only violate the 0-APN-ness on F 2 6 , F 2 4 or F 22 (or any extension field thereof ).Hence, x 21 is 0-APN over F 2 n for any n that is not divisible by 2, 4 and 6.Furthermore, we can computationally verify that x 21 is 0-APN over F 2 2 and F 2 4 , and that it is not 0-APN over F 2 6 .Thus, x 21 is 0-APN over F 2 n whenever n is not a multiple of 6.We remark that a proof of the same fact is given for x 21 in [6] using the factorization of x 21 + (x + 1) 21 + 1.The framework described in this remark allows this proof to be easily generalized to any function of the form x e(l,k) , and allows us to characterize the values of n for which x e(l,k) is 0-APN for large values of d for which it is not computationally feasible to factor The conditions gcd(kl, n) = 1 and gcd(e(l − 1, k), 2 n − 1) = 1 are sufficient for x e(l,k) to be 0-APN over F 2 n but are not necessary in general.The same is true for the "cascading" conditions formulated in Corollary 3.4.In particular, we can observe that the particular statement of the corollary can never be applied to finite fields F 2 n of even extension degree n since gcd(2k, n) = 2, and this violates the conditions in the corollary whenever l > 1.
The conditions of the corollary can be refined for instance as follows.Let d = e(l, k).If gcd(kl, n) = 2, then we can see that x d + (x + 1) d + 1 = 0 can only have x ∈ F 4 as a root, and x d is not 0-APN only in the case when x ∈ F 4 \ F 2 .Clearly, this happens precisely when 3 ∤ d.If the exponent is a multiple of 3, therefore, the restriction gcd(kl, n) = 1 can be relaxed to gcd(kl, n) ≤ 2.
A similar approach can be applied in general for gcd(kl, n) = m by imposing the restriction that x d + (x + 1) d + 1 does not vanish on F 2 gcd(m,n) .For a fixed m, this essentially means that d (mod 2 m − 1) must be a 0-APN exponent in F 2 m .
A trivial case is when the exponent d satisfies d (mod 2 m − 1) ≡ 0 for some m > 2 dividing n.When this happens, the function x d coincides with the indicator function 1 0 (x) = x 2 m −1 over F 2 m , and so it is always 0-APN but can never be an APN function (except if m = 2).Since the primary motivation for our study is the possibility of identifying new APN monomials, all such cases can be excluded from consideration.
Remark 3.6.To see how discriminating the condition in Theorem 3.2 is, we can perform a simple computational experiment as follows: pick some values of k and l, and generate all dimensions n in some range that satisfy the conditions in Theorem 3.2; by computing the number of roots of x e + (x + 1) e + 1 = 0 for e = e(l, k), we check whether x e is 0-APN over F 2 n for all n in the range, then compare the two sets.Generating all e(l, k) satisfying the conditions of Theorem 3.2 with l, k ≤ 6, we found that all 0-APN monomials of the form e(l, k) were covered by our theorem in dimensions 2 ≤ n ≤ 100.
Another consideration that we should take into account is the size of the image set of x e(l,k) .It is known that any APN monomial In particular, x e(l,k) is a permutation if and only if gcd(l, n) = 1, and it is a 3-to-1 function if and only if gcd(l, n) = 2.
Proof.Since gcd(A, B) = gcd(CA, B) for C with gcd(C, B) = 1, we have that gcd(e(l, k), which shows our proposition.

Equivalence to known monomial families
In this section, we study when the exponent e(l, k) can be cyclotomic equivalent to an exponent from one of the known families.Recall that two exponents e and d are cyclotomic equivalent modulo n if either e or e −1 is in the cyclotomic coset of d modulo 2 n − 1.For each of the infinite APN families, we treat the two cases separately.In the case of the Dobbertin family, a characterization using our current techniques is too cumbersome due to the large number of degenerate cases that need to be treated before applying Lemma 4.1, and so we supply computational data instead showing that e(l, k) can not be equivalent to the Dobbertin inverse for n ≤ 200 except for n = 5 and n = 10.We refer the reader to the discussion at the end of Section 1 for more details about why we have made this decision.Below, we shall have arguments dealing with the set (or rather, multiset, since we allow for potential repetitions of elements) of exponents in a sum of powers of 2 and we make the convention that if the set contains two "copies" of the same element j, then the set is compressed by replacing the two copies of j by j + 1.For instance, the expression 2 a + 2 b + 2 c , for some natural numbers a, b, c corresponds to the set of exponents {a, b, c}, and if a = b so that 2 a + 2 b + 2 c = 2 a+1 + 2 c , then the set compresses to {a + 1, c}.If S is a set of integers, we will also used the shorthand notation S Mod n = {s Mod n : s ∈ S}.
Similarly, we will write In the sequel, we make use of the following simple observation.It is based on the well-known fact that the binary weight of any two integers in the same cyclotomic coset modulo 2 n − 1 is the same. Then Proof.Suppose that (3) holds and consider the left-hand side.Since 2 ai ≡ 2 ai Mod n (mod 2 n − 1), we can assume that a i < n for all i.Since by assumption all a i are distinct modulo n, the weight of the sum on the left-hand side will remain unchanged after this modulation, and we will once again have M terms.Similarly, we can modulate the sum on the right-hand side, and thus assume that b i < n for all i.Since all the powers of 2 on the left-hand side are distinct, their sum cannot be greater than 2 n − 1; the same is true for the right-hand side, and so the assumption that the two sums are congruent in fact implies that they are equal.The claim then follows by the uniqueness of the binary expansion.
In many of the following proofs, we will use the fact that we know the algebraic weight of an exponent d from one of the known families, and we would like to select a value of l such that wt(e(l, k) Mod (2 n − 1)) = wt(d).Following Theorem 3.2, we will focus on the cases when gcd(n, k) = 1 and gcd(n, k) = 2.To begin with, we can observe that if l < n and gcd(n, k) = 1, then wt(e(l, k)) = l since all of the exponents 2 jk in e(l, k) = j 2 jk are distinct modulo n.Observation 4.2.Let n, l, k be natural numbers such that l < k and gcd(l, k) = 1.Then wt(e(l, k) Mod (2 n − 1)) = l.
The situation when gcd(k, n) = 2 is slightly more complicated, and it is addressed by the following Lemma 4.4.Note that in the first few cases we only characterize the weight of e(l, k) modulo 2 n − 1 since this is what we need in the subsequent characterizations.However, in the last case, we show that e(3n/2 + m, 2t) not only has the same weight, but is in fact congruent to e(m, 2t) modulo 2 n − 1.This shows that there is no need to consider values of l in e(l, 2t) greater than 3n/2 up to equivalence.
Before proving Lemma 4.4, we first prove the following auxiliary result.It is useful on its own (by reducing the number of values of k that have to be considered up to equivalence), and is also used in the proof of Lemma 4.4.Proof.We show (i) first.Let We now multiply the above for K = m − k by 2 X with the aforementioned X.We use the fact that 2m = n ≡ 0 (mod n), and obtain The claim (ii) follows similarly, by taking Lemma 4.4.Let gcd(n, 2t) = 2, the following statements are true: 1. wt (e (m, 2t)) = m for any 0 < m < n 2 ; 2. wt e n 2 + m, 2t = n 2 for any 0 < m < n 2 ; 3. wt (e (n + m, 2t)) = n 2 + m for any 0 < m < n 2 ; 4. e 3n 2 + m, 2t ≡ e (m, 2t) (mod 2 n − 1) for any 0 < m < n 2 .Proof.
1.The first claim is straightforward.
2. Since gcd(n, t) = 1 then e n 2 + m, 2t and e n 2 + m, 2 have the same weight, so it suffices to find the weight of e n 2 + m, 2 .Assuming 0 < m < n 2 , we notice We note that and so and that It follows that e(n + m, 2) has weight n 2 + m.The general case of t > 1 is treated in the following way.Observe that To prove our claim, we will argue that the first sum compresses to precisely n/2 terms, all of which have odd exponents.For that, we will show that given 0 ≤ j 1 < n/2, there is a unique n/2 ≤ j 2 < n (j 2 cannot be in the interval [0, n/2), as we will see below) such that 2 2tj1 ≡ 2 2tj2 (mod 2 n −1) (the situation is similar if we start with n/2 ≤ j 1 < n).Via Lemma 4.3, we know that one can take 2t < n/2, so we will assume that from here on in our argument.Since gcd(n, 2t) = 2, then gcd(n, t) = 1.First, given 0 ≤ j 1 < n/2, we can take The existence is shown, and next, we show uniqueness (via a Dirichlet principle type argument).If there exist two values j 2 < j 3 , say, such that for a given 0 ≤ j 1 < n/2, we have 2 2tj1 ≡ 2 2tj2 ≡ 2 2tj3 (mod 2 n − 1), then n | 2t(j 2 − j 1 ) and n | 2t(j 3 − j 1 ) and consequently, n | 2t(j 3 − j 2 ).However, because gcd(n, t) = 1, it is not possible that both j 2 , j 3 belong to the interval [n/2, n), since then j 3 − j 2 < n/2 and n/2 cannot divide their difference.In the same way, neither j 2 , nor j 3 can belong to the interval [0, n/2) since then n/2 could not divide the difference j 2 − j 1 , or, j 3 − j 1 .
4. Assuming 0 < m < n 2 , we note that Recalling n = 2k, we see that Notice that for some q ∈ N. We note that gcd(2 2t − 1, 2 2k − 1) = 3, and so for some q ′ ∈ N. It follows that The lemma is shown.
Observation 4.5.The binary decomposition of −a modulo 2 n −1 is the complement of that of a.

Gold and Inverse case
We can see that representatives from some of the known infinite families of APN monomials can be expressed in the form e(l, k).This can be observed quite easily using the formula for the sum of a geometric progression.In particular, the Gold functions x 2 k +1 can clearly be expressed as e(2, k).The inverse function can be written as e(n − 1, 1) = We have also observed that in some cases, e.g. for l = (n − 1)/2 and k = 2, or for l = (n − 1)/2 + 1 and k = 1, e(l, k) is equivalent to a Gold function, which is not surprising since the inverse of the Gold function x 2 r +1 over F 2 n , n odd, gcd(n, r) = 1, is given by e(2r, n+1 2 ) = n−1 2 i=0 2 2ir .

Welch case
We note that the Welch exponent is only defined for odd dimensions n.Since we assume gcd(k, n) ≤ 2 for e(l, k) in Theorem 3.2 and the following remark, this leaves us with gcd(k, n) = 1 as the only possibility.By Observation 4.2 we know that wt(e(l, k) Mod (2 n − 1)) = l, and since the weight of the Welch exponent 2 t + 2 + 1 is 3, it is enough to consider e(3, k).
Theorem 4.6.Let n be a natural number.Let W = 2 t +2+1 be the Welch exponent, where t > 1 is some natural number.Suppose t > 2. Then W and e(3, i) never lie in the same cyclotomic coset modulo 2 n − 1 for any 0 < i < n with n = 2t + 1.
Case 3: If i + a ≥ n, then let k = i + a − n.We thus have {k + i, k, a} = {t, 1, 0}.Surely, only k, a could be 0. Once again, we split into sub-cases: 1. if k = 0, then we have {i, a} = {t, 1}.We have two possibilities: and so once again t = 0.
We now concentrate on the inverse Welch exponent.
Theorem 4.7.Let W = 2 t + 2 + 1 be the Welch exponent for some natural number t > 2. Then W −1 (mod 2 n − 1) is never congruent to e(l, k) for any l < n and any k over F 2 n with n = 2t + 1.
Proof.We assume that for n > 5 and so, t > 2, there are some positive integers a < n, k < n, 1 ≤ l < n such that e(l, k)(2 t + 2 + 1) ≡ 2 a (mod 2 n − 1). ( If k = 1, we get the congruence The left-hand side of the above congruence can be written as and so we have If l + 1 < t (so, l + t − 1 < n), we get a contradiction by uniqueness of the binary expansion.
None of these values of S modulo 2 n − 1 can have Hamming weight 1.
If l + 1 ≥ t + 3, arranging the sums to see how the cascading ("merger" of powers of 2) works, we obtain (writing l + 1 = t + s, 3 ≤ s, t + 1 ≤ s, the upper bound comes from l < n) where we used above that l + t (mod n) = l + t− n = l − t− 1, and t+ s = l + 1.Since t ≥ 1, l − t − 1 falls either in the set of indices {0}, {2, . . ., t − 1}, or {t + 1, . . ., l − 1} and since the gaps between these sets are of length 2, the cascading compression cannot jump into a different set.Thus, the expression S (mod 2 n − 1) cannot have Hamming weight 1.
We now take 1 < k < n.Equation ( 5) is equivalent to If k(l − 1) + t < n and t ≡ 0, 1 (mod k), we get a contradiction by the uniqueness of the binary expansion, since the exponents are sitting in different residue classes modulo k.We next assume that k(l − 1) + t < n, t ≡ 0 (mod k), say t = ks, s ≥ 1.
Since k(l − 1) + t < n = 2t + 1, that is, k(l − 1) < ks + 1, then s > l − 1, and so, there is no compression in (7), and the claim follows via the uniqueness of the binary decomposition.The case of k(l − 1) + t < n, t ≡ 1 (mod k) follows similarly.We now let k(l − 1) + t ≥ n, that is, k(l − 1) ≥ t + 1.In the same way as above, if t ≡ 0, 1 (mod k), reducing all exponents modulo n, we see that they cannot overlap (hence no compression in the sum) since they belong to different residue classes modulo k.We now take t ≡ 0 (mod k) (one treats similarly t ≡ 1 (mod k)), t = ks, s ≥ 1 and, since k(l − 1) ≥ t + 1 = ks + 1, then 1 ≤ s < l − 1 .Thus, recalling that a Mod N denotes the least positive residue of a modulo N , and again working modulo k, we see that this cannot have Hamming weight 1.
Thus, the result holds.
To conclude the discussion, we observe that for t = 1 the Welch exponent is 2 t + 3 = 5, and can be expressed as e(2, 2), while for t = 2, the Welch exponent is 2 t + 3 = 7.Its inverse, 7 −1 ≡ 9 (mod 2 5 − 1), can be expressed as e(2, 3).As the above theorems demonstrate, these are the only cases in which the Welch exponent can be expressed as e(l, k).

Kasami case
The Kasami exponents on F 2 n are defined as 2 2t − 2 t + 1 with gcd(t, n) = 1.The algebraic degree of the Kasami exponent is known (and easily shown) to be t + 1.
If gcd(i, n) = 1, this means that we need to consider l = t + 1.Since the Kasami exponents are defined for both even and odd n, it is possible that we have gcd(i, n) = 2 in addition to gcd(i, n) = 1.According to Lemma 4.4, however, even if gcd(i, n) = 2, it is still sufficient to consider l = t + 1 due to t < n/2 which we can always assume up to equivalence.Theorem 4.8.Let t, n be natural numbers such that t > 2, gcd(t, n) = 1 and let K t = 2 2t − 2 t + 1 be the Kasami exponent for t < n/2.Then K t is never congruent to e(t + 1, i) modulo 2 n − 1 for any i < n such that gcd(i, n) = 1.
Proof.Let us assume that there is some a < n such that for some i < n.Depending on which of the exponents in {2t + a, t + a, a} need to be modulated, we examine several cases, applying Lemma 4.1 in each case.Case 1: If 2t + a < n, then all exponents are already less than n.The exponent on the left-hand side of (8) modulo 2 n − 1 is thus simply 2 2t+a − 2 t+a + 2 a , which can be expressed as The set of exponents of this expression is The set of exponents of e(t + 1, i) = t j=0 2 ji is B = {0, i, 2i, . . ., (t − 1)i, ti} Mod n.
Note that all elements in B must be distinct modulo n due to gcd(i, n) = 1, and so we can apply Lemma 4.1.Since 0 ∈ B, we must also have 0 ∈ A. If 0 = a + t + j for some j > 0, then we get a contradiction because we would have a + t < 0. If 0 = a + t, then a = t = 0, but the Kasami function is only defined for t > 0. Thus, we must have a = 0 and t = 0.The set A then becomes There must be α, β in 0 ≤ α, β ≤ t such that αi ≡ t (mod n) and βi ≡ t + 1 (mod n).Then either α − β or β − α is in the range between 0 and t, so either (α − β)i Mod n or (β − α)i Mod n belongs to A. But (β − α)i ≡ 1 / ∈ A, and so we must have (α − β)i ≡ −1 = n − 1 ∈ A, which is impossible under t < n/2.Case 2: If t + a < n ≤ 2t + a, then let k = 2t + a − n.We must have k < t + a, otherwise k = 2t + a − n ≥ t + a, hence t − n ≥ 0, i.e. t ≥ n.Similarly, we can assume k < a under t ≤ n/2.Then k < a < t + a.Using Observation 4.5, we have that the Kasami exponent becomes which gives the set of exponents The set of exponents of e(t + 1, i) is still the same as before, i.e.B = {0, i, 2i, . . ., (t − 1)i, ti} Mod n.
If t ∈ A, then we must have t = a since t ≤ k − 1 means t ≤ 2t + a − n − 1, i.e. t + a ≥ n + 1 which contradicts t + a < n; and t ≥ t + a implies a = 0 which contradicts that same assumption.If a = t, then the set of exponents becomes Now, take some γ, δ such that 0 ≤ γ, δ ≤ t and γi ≡ 1 (mod n) and δi ≡ t (mod n).Then either t − 1 or n + 1 − t must be in A, and we can verify that this is impossible: if t − 1 ≤ k − 1, then t ≤ 3t − n, i.e. 2t ≥ n contradicting t < n/2; if t − 1 = t or t−1 ≥ 2t, then we immediately get a contradiction as well.Similarly, n+1−t ≤ k−1 means n + 1 − t ≤ 3t − 1, i.e. 4t ≥ 2n + 2 contradicting the choice of t; n + 1 − t = t leads to 2t = n + 1, violating that same hypothesis; and n + 1 − t ≥ t + a means n ≥ 3t−1, but together with 3t ≥ n and gcd(t, n) = 1 this leads to 3t = n+1 so that The former case is clearly impossible except potentially for trivial values of t.In the latter case, we must have n + 2 − 2t ≥ 2t, i.e. n + 2 = 3t + 1 ≥ 4t, which again implies a contradiction.
If n − t ∈ A, we derive a contradiction in a similar manner.Case 3: Note that k < a since otherwise we get t + a − n ≥ a, i.e. t ≥ n.We need to examine two sub-cases depending on whether k + a needs to be modulated or not.Case 3-1: If k + a < n, then the above becomes giving the set of exponents A = {k, k + 1, . . ., a − 1} ∪ {k + a} which has to be congruent with B = {ti, (t − 1)i, . . ., 2i, i, 0} Mod n.
As before, if 0 = k + j for some j > 0, then we immediately get a contradiction due to k, j ≥ 0. So k = 0, i.e. t + a = n.The above sets become Clearly, we must have a = t in order for equality to hold (by comparing the number of terms), but then t + a > n and k + a < n cannot hold simultaneously.Case 3-2: Thus we have q < k < a.The Kasami exponent is thus The set of exponents is Since 0 ∈ A due to 0 ∈ B, the only possibility is q = 0, i.e. k + a = n.Comparing the sizes of A and B, we get a − 1 − k + 1 + 1 = t + 1, i.e. a − k = t, hence n = 2t, which contradicts gcd(t, n) = 1.This concludes the proof of this case.
While the inverse of the Kasami power function is known (see [23,Theorem 3.10], as well as [22], for further clarification), it seems complicated to investigate its cyclotomic equivalence to some e(l, k), since the inverse formula depends upon the inverse of the Kasami exponent 2 2t − 2 t + 1 modulo 2 r − 1, where r is the least positive residue of n modulo 6k, and that is not explicit.
However, we find a way around that and are able to show the following theorem.
Theorem 4.9.The inverse of the Kasami exponent Proof.Suppose that the Kasami exponent K t = (2 2t − 2 t + 1) satisfies (2 2t − 2 t + 1)e(l, i) ≡ 2 a (mod 2 n − 1) for some a, l, i, n satisfying the appropriate hypotheses.This means that We first make some interesting observations.If t = 1, the Kasami function is also a Gold function, and we have already treated that case.If t = n − 1 (which is coprime to n), we first observe that the Kasami function is then Thus, the inverse of K n−1 is in the cyclotomic class of e n+1 2 , 2 .We therefore assume that 1 < t < n − 1. Multiplying both sides of ( 9) by 2 i − 1 and regrouping the terms on both sides yields We will apply Lemma 4.1 to the exponents on the left-hand and right-hand side of the above identity.In order to do so, we first need to treat the cases when one or more of the integers in the exponent sets are congruent to each other modulo n.
We consider the elements in B = {2t, li+t, a+i, 0}.If not all of them are distinct modulo n, then we must be in one of the following cases.Case 1: If 0 ≡ 2t (mod n), then t ≡ 0 (mod n) due to n being odd, which contradicts 2 2t − 2 t + 1 being APN.Case 2: If li + t ≡ 0 (mod n), then the integers in A and B become (after compression) We now consider several cases depending on whether the elements in the reduced set A are congruent to each other modulo n or not.Case 2.1: If all the elements in A are distinct modulo n, then the same must be true for those in B. We can now apply Lemma 4.1, which implies that A ≡ B (mod n).Thus, t + 1 must be congruent to one of the elements in B. Surely, since 1 Case 2.2: Suppose now that t + 1 ≡ −t (mod n).Then the sets A and B become Since A consists of at most two distinct powers of 2 modulo n, then at least two of the integers in B must be congruent to each other as well.
• If a + i ≡ −1 (mod n), then we get A = {1 − t, a} and B = {0, 1}.The elements in B are clearly not congruent modulo n, and so we must have a = 1 and 1 − t ≡ 0 (mod n), i.e. t = 1.This leads us to the Gold case once again.
Case 2.3: Suppose now that t + 1 ≡ a (mod n).The sets A and B become Once again, since A contains at most two distinct elements modulo n, then the same must be true for B.
If the two integers in A are congruent to each other, then the same must be true for the ones in B, so that a + 1 ≡ −t (mod n) and a + i ≡ 0 (mod n), hence 2a − 2 ≡ 0 (mod n), i.e. a ≡ 1 (mod n) and therefore t ≡ 0 (mod n) from t + 1 ≡ a (mod n).Otherwise, by Lemma 4.1, either t ≡ −1 (mod n), or a + 1 ≡ 1 (mod n), which from t + 1 ≡ a (mod n) implies the same.
Case 2.4: If −t ≡ a (mod n), then the sets become At least two of the elements in B must be congruent to each other.
Case 3: If 0 ≡ a + i (mod n), i.e. a ≡ −i (mod n), then we have Once again, we consider sub-cases depending on which of the elements in A coincide modulo n.Case 3.1: If the elements in A, respectively B, are all distinct modulo n, then by Lemma 4.1 we must have a ≡ 0 (mod n), but then 2t ≡ t (mod n) implying t ≡ 0 (mod n).
If some of the elements of B coincide modulo n, then we must have 2t ≡ 1 (mod n), and two of the elements in A must collide two.If t + 1 ≡ −t (mod n), then we obtain 2t ≡ −1 (mod n) in addition to 2t ≡ 1 (mod n), and so 1 ≡ −1 (mod n).If t + 1 ≡ a (mod n), then we get A = {a + 1, t + 1} and B = {0, 2}, and At least two of the elements of B must coincide modulo n in order for this to hold.
• If −1 ≡ a − t (mod n), then we have A = {a + 2, t} and B = {0, 1} which clearly leads to trivial cases or contradictions as before.
This completes the proof.
If 0 = a + j for j > 0, then we immediately get a contradiction.Thus, we must have a = 0 and the set A becomes while the sum of all elements in B is i q(q + 1) 2 = (q 2 + q)i 2 modulo n.Since 2, q are invertible modulo n, we must have q + 3 ≡ (q + 1)i.
If q ≡ 2 (mod 3), then 3 | n, and so 3i does not have an inverse whereas 11 does, which is a contradiction.
Finally, suppose that q ≡ 0 (mod 3), i.e. 3 | q.The inverse of 3 modulo n = 4q+1 is 3 , so that n = 25.We can verify by exhaustive search that the Niho exponent for n = 25 cannot be expressed using e(t, i) for any choice of the parameters t and i.
Finally, if (n + 11)/3 ≥ n, then we have 2n ≤ 11, and so n ≤ 6; the only possibility is n = 1, i.e. t = 0, which is not a valid choice for the Niho family.
As before, we can only have 0 = a or 0 = k.If a = 0, then k = t − n, i.e. n = t − k which cannot happen since t < n by the hypothesis.Thus, we must have k = 0, i.e. a + t = n.From here, we can express a = t + 1 due to n = 2t + 1.We now have A = {0, t + 1, t + 2, . . ., t + t/2}.
There must exist 0 ≤ α, β ≤ t/2 such that αi ≡ t + 1 (mod n) and βi ≡ t + 2 (mod n).Then either α − β or β − α is in the range {0, 1, . . ., t/2}, and so either (α − β)i ≡ −1 (mod n) or (β − α)i ≡ 1 (mod n) must be in A. In other words, either 2t or 1 must belong to A, which is clearly impossible for t > 1.We have thus reached a contradiction.Case 3: If a + t/2 ≥ n, then let k = a + t/2 − n.We must have k + t/2 < a since k + t/2 ≥ a implies a + t/2 − n + t/2 ≥ a, i.e. t ≥ n; and so we have a > k + t/2 > k, and the Niho exponent becomes Using Observation 4.5, we can see that and t = 1, which are both impossible.The other cases can not happen either, since we are dealing with positive integers.
We next assume that k > 1.As in the even Niho case, This congruence can be handled using a similar method based on compressing the exponent sets.In all cases, we obtain contradictions or trivial results only.
We thus have the proof of our theorem.
Once again, we can see that for t = 1, i.e. n = 3, the odd Niho exponents coincide with the Gold exponents, and this is the only case in which they can be expressed as e(l, k).

Dobbertin case
The Dobbertin exponent is D t = 2 4t + 2 3t + 2 2t + 2 t − 1 for n = 5t.Note that in this case we have to consider k with gcd(k, n) = 2 in addition to gcd(k, n) = 1 since the Dobbertin exponent can be defined for even as well as odd dimensions.Nonetheless, by Lemma 4.4, it suffices to consider l = wt(D t ).Theorem 4.14.Let t > 2 be a natural number and n = 5t.Then the Dobbertin exponent D t = 2 4t + 2 3t + 2 2t + 2 t − 1 over F 2 n , can never be cyclotomic equivalent to e(l, k) for t > 2 and any k with gcd(k, n) ≤ 2.
Proof.Let us assume that the Dobbertin exponent is cyclotomic equivalent to e(t + 3, i) for some i.Then there exists some a < n such that 2 4t+a + 2 3t+a + 2 2t+a + 2 t+a − 2 a ≡ e(t + 3, i) (mod n).
As before, we divide the proof into several cases depending on which of the exponents of the terms of the Dobbertin exponent need to be modulated.Case 1: If 4t+ a < n, then no modulation is necessary, and the Dobbertin exponent is of the form giving the set of exponents The set of exponents of e(t + 3, i) is of course B = {0, i, 2i, . . ., (t + 3)i} Mod n.
Taking α and β such that αi ≡ 3t + 1 (mod n) and βi ≡ t (mod n) then leads to a contradiction as before.
One can attempt to treat the inverse Dobbertin exponent with the same method that we have used for the other families.Using [5, Lemma 9], since the inverse Dobbertin exponent D −1 t is in the cyclotomic coset of 2 t +1 2 2t +2 t +1 modulo 2 5t − 1, it would be sufficient to investigate the congruence (2 2t + 2 t + 1)e(l, k) ≡ 2 a (2 t + 1) (mod 2 5t − 1).However, applying Lemma 4.1 requires a very large number of degenerate cases to be treated (significantly more that even in the proof of Theorem 4.9) and would require multiple pages just to write down.On the other hand, the cases that such a proof would handle on top of our other theorems and characterizations is quite modest: Dobbertin exponents only exist for n that are multiples of 5, while inverses only exist for odd n; and so, the only dimensions n that the lack of such a proof would leave untouched are the odd integers n divisible by 5.In ordet to handle this subset of dimensions from the point of view of searching for new APN monomials in practice, we simply ran some computer experiments using SageMath on an i7 MacOS with 16GB of RAM.For n ≤ 200 and k, l ≤ n − 1, the only possible value of t for which we can have equivalence is t = 1, when D 1 = 29 ≡ −2 (mod 2 5 − 1), so D −1 1 ≡ 15 (mod 2 5 − 1) = e (1,4).We note that the interval n ≤ 200 should all dimensions n where the investigation of APN-ness can be performed computationally using the currently available methods and computational resources.

Computationally testing APN-ness for the 0-APN exponents
We ran experiments to check whether the monomials of the form x e(l,i) with 3 ≤ l ≤ 9 and 1 ≤ k ≤ 8 are APN over the field F 2 n for 2 ≤ n ≤ 100.Our results are presented in Table 2 where the entries list the dimensions n for which e(l, k) is an APN exponent over F 2 n .The experiments were run on a server with around 500 GB of RAM and 55 Intel Xeon E5-2690 CPU's using the Magma Computational Algebra System [4].We tested APN-ness by checking whether the polynomial F (x) = x e(l,i) + a e(l,i) + (x + a + 1) e(l,i) + 1 has more than two roots for all possible choices of a ∈ F 2 n \ {0, a}.In our table, the empty cells denote experiments on monomials which did not finish due to time or memory constraints.All APN monomials encountered in our experiment were cyclotomic equivalent to representatives from the known families found in Table 1.
From the table we can observe that the difficulty of testing APN-ness for an exponent d over F 2 n grows not only with the dimension n, but also with d itself.Indeed, for small values of d = e(l, i), we were able to test APN-ness for all n ≤ 100, while for values as small as e(6, 6) ≈ 10 9 , this was no longer possible.This also illustrates the advantage of using 0-APN monomials as an intermediate step in the search of APN monomials, since it is significantly easier to characterize 0-APN-ness or to test it computationally.

Conclusion
We introduced an infinite class of exponents e(l, k) with two parameters l, k ∈ N, and showed how to easily find infinitely many dimensions n for which x e(l,k) is 0-APN for any choice of l and k.We discussed how our theoretical results can be extended with the help of some computations in order to characterize the set of all dimensions n over which x e(l,k) is 0-APN.The introduced class of exponents is significantly more tractable (both from a computational and a mathematical point of view) than in general, and provides a promising set of exponents that may lead to new APN monomials.Taking advantage of this tractable structure of the exponents e(l, k), we characterized precisely when they are cyclotomic equivalent to the known APN families (except in the case of the inverse of the Dobbertin exponents where the proof using our current methods is too technical, so we provided computational data for n ≤ 200 instead).We observed that the Gold functions, their inverses, and the inverse APN function can all be expressed in the form e(l, k) for suitable choices of l and k.
We have also provided some computational data on the APN-ness of this class of exponents and outlined the limits of the available computational equipment when it comes to verifying APN-ness.
We hope that further investigations into the structure and properties of the exponents e(l, k) can provide us with additional conditions that might help us to overcome these technical limitations, and to potentially identify new instances of APN monomials over finite fields of large extension degree.

Definition 3 . 1 .
Let l, k be natural numbers.We define the exponent e(l, k) as e(l, k) =

Lemma 4 . 1 .
Let n, M , a 1 , a 2 , . . ., a M , b 1 , b 2 , . . ., b M , and n be natural numbers such that all a i for 1 ≤ i ≤ M are distinct modulo n, and all b i for 1

Lemma 4 . 3 .
The following are true: (i) Let l, k, m be natural numbers with n = 2m.Then e(l, m − k) and e(l, m + k) are cyclotomic equivalent modulo 2 n − 1. (ii) Let l, k, m be natural numbers with n = 2m + 1.Then e(l, m − k + 1) and e(l, m + k) are cyclotomic equivalent modulo 2 n − 1.
3. From the identity 11 ≡ 3i (mod n) above, we thus get < n, then no modulation is necessary, and this number belongs to the set A; it must thus either be no greater than t/2 − 1, or it must equal t.

Table 2 :
Dimensions n = 2 to 100 where x e(l,i) is APN over F 2 n .