Abstract
The boomerang connectivity table is a new tool to characterize the vulnerability of cryptographic functions against boomerang attacks. A cryptographic function is therefore desired to have boomerang uniformity as low as its differential uniformity. Based on the generalized butterfly structures recently introduced by Canteaut, Duval and Perrin, this paper presents infinite families of permutations of \({\mathbb {F}}_{2^{2n}}\), for a positive odd integer n, which have the best known nonlinearity and boomerang uniformity 4. Both open and closed butterfly structures are considered. The open butterflies, according to experimental results, appear not to produce permutations with boomerang uniformity 4. On the other hand, from the closed butterflies we derive a condition on the coefficients \(\alpha , \beta \in {\mathbb {F}}_{2^n}\) such that the functions
where \(R_i(x,y)=(x+\alpha y)^{2^i+1}+\beta y^{2^i+1}\) and \(\gcd (i,n)=1\), permute \({{\mathbb {F}}}_{2^n}^2\) and have boomerang uniformity 4. In addition, experimental results for \(n=3, 5\) indicate that the proposed condition seems to cover all such permutations \(V_i(x,y)\) with boomerang uniformity 4.
1 Introduction
Substitution boxes, S-boxes for short, are crucial nonlinear building blocks in modern block ciphers. To resist the known attacks in the literature, S-boxes used in block ciphers are required to satisfy various cryptographic criteria, including high nonlinearity [6], low differential uniformity [17] and bijectivity. In Eurocrypt’18, Cid, Huang, Peyrin, Sasaki and Song [7] introduced a new tool for analyzing S-boxes, the boomerang connectivity table (BCT), which captures the dependency between the upper part and the lower part of a block cipher in a boomerang attack. This new tool quickly attracted interest in the properties and bounds of the BCT of cryptographic functions. Boura and Canteaut [1] investigated the relation between the entries of the BCT and those of the difference distribution table (DDT), and introduced the notion of boomerang uniformity, the maximum value in the BCT over all nonzero input and output differences. They completely characterized the BCTs of the 4-bit S-boxes with differential uniformity 4 classified in [10], and also determined the boomerang uniformities of the inverse function and the Gold functions. Later, Li, Qu, Sun and Li [12] gave an equivalent formula for computing the boomerang uniformity of a cryptographic function. Using this formula, they characterized the boomerang uniformity by means of the Walsh transform and computed the boomerang uniformities of some permutations with low differential uniformity. Mesnager, Tang and Xiong [16] considered the boomerang uniformity of quadratic permutations, presented a characterization of quadratic permutations with boomerang uniformity 4, and showed that the boomerang uniformity of certain quadratic permutations is preserved under extended affine (EA) equivalence. Recently, Calderini and Villa [3] also investigated the boomerang uniformities of some non-quadratic permutations with differential uniformity 4.
Very recently, Tian, Boura and Perrin [20] studied the boomerang uniformity of some popular constructions used to build large S-boxes, e.g. on eight variables, from smaller ones.
It is shown that the boomerang uniformity of a cryptographic function is greater than or equal to its differential uniformity, and that the lowest possible boomerang uniformity 2 is achieved by almost perfect nonlinear (APN) functions [1, 7]. Clearly, APN permutations on an even number of variables are of most interest. The existence of APN permutations of \({{\mathbb {F}}}_{2^{2n}}\) is referred to as the BIG APN problem in the community. Nonetheless, so far no instance other than the Dillon APN permutation of \({\mathbb {F}}_{2^6}\) has been found. Hence it is of great interest to construct permutations of \({\mathbb {F}}_{2^{2n}}\) that have high nonlinearity and differential and boomerang uniformity 4. Up to now, only three infinite and inequivalent families of permutations over \({{\mathbb {F}}}_{2^{2n}}\) with boomerang uniformity 4 for odd integers \(n\ge 1\) are known:
(1) \(f(x)=x^{-1}\) over \({{\mathbb {F}}}_{2^{2n}}\) [1];
(2) \(f(x)=x^{2^{2i}+1}\) over \({{\mathbb {F}}}_{2^{2n}}\), where \(\gcd (i,n)=1\) [1];
(3) \( f(x) = \alpha x^{2^{2s}+1}+\alpha ^{2^{2k}}x^{2^{-{2k}}+2^{2k+2s}}\) over \({{\mathbb {F}}}_{2^{2n}}\), where \(n=3k\), \(3\not \mid {k}\), \(3 \mid {(k+s)}\), \(\gcd (3k,s)=1\), and \(\alpha \) is a primitive element of \({{\mathbb {F}}}_{2^{2n}}\) [16].
In Crypto’16, Perrin, Udovenko and Biryukov [19] investigated the only known APN permutation over \({{\mathbb {F}}}_{2^6}\) [2] by reverse-engineering and proposed the open butterfly and closed butterfly structures. A generalized butterfly structure was later proposed in [4]. The butterfly structures represent functions over \({{\mathbb {F}}}_{2^n}^2\) in bivariate form. It is shown in [19] that the open butterfly structure produces permutations of \({{\mathbb {F}}}_{2^n}^2\) which are CCZ-equivalent to the functions derived from the closed structure, and the latter have simpler forms. Since differential uniformity is invariant under CCZ-equivalence, one may combine the open and closed butterfly structures to construct permutations with low differential uniformity. Indeed, by investigating the differential uniformity of functions from the closed butterfly structure, researchers constructed several infinite families of differentially 4-uniform permutations over \({{\mathbb {F}}}_{2^n}^2\) with the open butterfly structure [4, 5, 8, 14].
Motivated by recent works on the butterfly structure, this paper aims to construct infinite families of permutations with boomerang uniformity 4 from generalized butterfly structures. The main result of this paper is given as follows.
Theorem 1
Let \(q=2^n\) with n odd, \(\gcd (i,n)=1\) and \(R_i(x,y)=(x+\alpha y)^{2^i+1}+\beta y^{2^i+1}\) with \(\alpha , \beta \in {\mathbb {F}}_q^*\), where \({\mathbb {F}}_q^* = {\mathbb {F}}_q{\setminus } \{0\}\). Then the function
from the closed butterfly structure permutes \({{\mathbb {F}}}_q^2\) and has boomerang uniformity 4 if \((\alpha , \beta )\) is taken from the following set
where \(\varphi _1, \varphi _2, \varphi _3\) are given by
For the statement in Theorem 1, we will compute the boomerang uniformity by directly investigating the bivariate form \(V_i(x,y)\), and prove the permutation property of \(V_i(x,y)\) by examining its univariate polynomial representation over \({{\mathbb {F}}}_{q^2}\).
The rest of this paper is organized as follows. Section 2 firstly recalls the definitions of differential uniformity, boomerang uniformity, butterfly structure and introduces some auxiliary results. Sections 3 and 4 are devoted to proving the permutation property and the boomerang uniformity in Theorem 1, respectively. Finally, Sect. 5 draws a conclusion of our work.
2 Preliminaries
In this section, we assume n is an arbitrary positive integer and \(q=2^n\). Let \(\mathrm{Tr}_q(\cdot )\) denote the absolute trace function over \({{\mathbb {F}}}_q\), i.e., \(\mathrm{Tr}_q(x) = x+x^2+\cdots +x^{2^{n-1}}\) for any \(x\in {{\mathbb {F}}}_q\). For any set E, the nonzero elements of E are denoted by \(E\backslash \{0\}\) or \(E^{*}\).
2.1 Differential uniformity and Boomerang uniformity
The concept of differential uniformity was introduced to quantify the resistance of a function against differential attacks.
Definition 2
[17] Let f(x) be a function from \({{\mathbb {F}}}_q\) to itself and \(a,b\in {{\mathbb {F}}}_q\). The difference distribution table (DDT) of f(x) is given by a \(q \times q\) table D, in which the entry for the (a, b) position is given by
The differential uniformity of f(x) is given by
It is straightforward to see that, for any function from \({\mathbb {F}}_q\) to itself, each entry in its DDT is even (if x is a solution of \(f(x)+f(x+a)=b\), then so is \(x+a\)) and hence its differential uniformity is at least 2. A function with the minimum possible differential uniformity 2 is called an almost perfect nonlinear (APN) function.
The concept of boomerang connectivity table of a permutation f from \({{\mathbb {F}}}_{2}^n\) to itself was introduced in [7], which clearly is also suitable for the case \({{\mathbb {F}}}_{2^n}\). Later, Boura and Canteaut introduced the concept of the boomerang uniformity, which is defined by the maximum value in BCT excluding the first row and column.
Definition 3
[1, 7] Let f be an invertible function from \({{\mathbb {F}}}_q\) to itself and \(a,b\in {{\mathbb {F}}}_q\). The boomerang connectivity table (BCT) of f is given by a \(q\times q\) table, in which the entry for the (a, b) position is given by
The boomerang uniformity of f is defined by
It is shown in [1, 7] that \(BCT(a, b) \ge DDT(a, b)\) for any a, b in \({\mathbb {F}}_q\). In [12], Li et al. presented an equivalent formula to compute BCT and the boomerang uniformity without knowing \(f^{-1}(x)\) and f(x) simultaneously as follows.
Proposition 4
[12] Let \(q=2^n\) and \(f(x)\in {{\mathbb {F}}}_q[x]\) be a permutation polynomial over \({{\mathbb {F}}}_q\). Then the BCT of f(x) can be given by a \(q\times q\) table BCT, in which the entry BCT(a, b) for the (a, b) position is given by the number of solutions (x, y) in \({{\mathbb {F}}}_q\times {{\mathbb {F}}}_q\) of the following equation system.
Equivalently, the boomerang uniformity of f(x), given by \(\delta _f\), is the maximum number of solutions in \({{\mathbb {F}}}_q\times {{\mathbb {F}}}_q\) of (4) as \(a,\,b\) run through \({{\mathbb {F}}}_{q}^{*}\).
Let f be a quadratic function from \({{\mathbb {F}}}_q\) to itself with \(f(0)=0\). The associated symmetric bilinear mapping is given by \(S_f(x,y)=f(x+y)+f(x)+f(y)\), where \(x,\, y\in {{\mathbb {F}}}_q.\) For any \(a\in {{\mathbb {F}}}_{q}\), define
Very recently, Mesnager et al. [16] presented a characterization about quadratic permutations with boomerang uniformity 4 using the new formula (4).
Lemma 5
[16] Let \(q=2^n\) and f be a quadratic permutation of \({{\mathbb {F}}}_{q}\) with differential uniformity 4. Then the boomerang uniformity of f equals 4 if and only if \(\mathrm {Im}_{f,a}=\mathrm {Im}_{f,b}\) for any \(a,b\in {{\mathbb {F}}}_{q}^{*}\) satisfying \(S_f(a,b)=0\).
2.2 The butterfly structure
In Crypto’16, Perrin, Udovenko and Biryukov [19] analyzed the only known APN permutation over \({{\mathbb {F}}}_{2^6}\) [2] and discovered that it has a simple decomposition relying on \(x^3\) over \({{\mathbb {F}}}_{2^3}\). Based on the power permutation \(x^e\) over \({{\mathbb {F}}}_{2^n}\), they presented the open butterfly structure and the closed butterfly structure, which were later generalized in [4].
Definition 6
[19] Let \(q=2^n\) and \(\alpha \in {{\mathbb {F}}}_{q}\), e be an integer such that \(x^e\) is a permutation over \({{\mathbb {F}}}_{q}\) and \(R_k[e,\alpha ]\) be the keyed permutation
The following functions
are called the open butterfly structure and closed butterfly structure respectively.
Definition 7
[4] Let \(q=2^n\) and R(x, y) be a bivariate polynomial over \({{\mathbb {F}}}_{q}\) such that \(R_y: x\rightarrow R(x,y)\) is a permutation of \({{\mathbb {F}}}_{q}\) for all y in \({{\mathbb {F}}}_{q}\). The closed butterfly \(V_R\) is the function of \({{\mathbb {F}}}_{q}^2\) defined by
and the open butterfly \(H_R\) is the permutation of \({{\mathbb {F}}}_{q}^2\) defined by
where \(R_y(x)=R(x,y)\) and \(R_{y}^{-1}(R_y(x))=x\) for any x, y.
Define a bivariate polynomial
Since n is odd and \(\gcd (i,n)=1\), we have \(\gcd (2^i+1,2^n-1)=1\), so the mapping \(x\mapsto R_i(x,y)\) is a permutation of \({\mathbb {F}}_q\) for any fixed \(y\in {\mathbb {F}}_q\). According to experimental results, the permutation \(H_{R_i}(x,y)\) obtained from \(R_i(x,y)\) and the open butterfly structure does not seem to have boomerang uniformity 4 over \({{\mathbb {F}}}_{2^3}^2\). Hence this paper concentrates on the closed butterfly structure.
Lemma 8
[14] Let n be odd, \(q=2^n\), i be an integer with \(\gcd (i,n)=1,\) \( \alpha ,\beta \in {{\mathbb {F}}}_{q}^{*}\) and \(\beta \ne (\alpha +1)^{2^i+1}\). Then the function
has differential uniformity at most 4.
Recall that the boomerang uniformity of a function is no less than its differential uniformity. The result about \(V_i(x,y)\) in Lemma 8 motivates our study on the coefficients \(\alpha , \beta \) in \({{\mathbb {F}}}_q^*\) that can further result in permutations \(V_i(x,y)\) with boomerang uniformity 4.
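As an added worked example (not code from the paper), the following Python script computes the DDT of Definition 2, the BCT of Definition 3 (which needs \(f^{-1}\)) and the inverse-free BCT of Proposition 4 for small S-boxes, and evaluates the closed butterfly \(V_i(x,y)=(R_i(x,y),R_i(y,x))\) of Lemma 8 on \({\mathbb {F}}_8^2\) as a 6-bit S-box. The irreducible polynomials used to represent \({\mathbb {F}}_{2^n}\), the packing of a pair (x, y) as the integer \(x\cdot 2^n+y\), and the parameter choice \(n=3\), \(i=1\), \(\alpha =\beta =1\) are this example's own. For that choice \(V_1\) is a permutation with differential and boomerang uniformity 4; the script also shows that \(x^{-1}\) over \({\mathbb {F}}_{16}\) has differential uniformity 4 but boomerang uniformity 6, so the boomerang uniformity can strictly exceed the differential uniformity, and that \(x^5\) over \({\mathbb {F}}_{64}\) (family (2) with \(n=3\), \(i=1\)) has boomerang uniformity 4.

```python
# Added worked example, not code from the paper: DDT (Definition 2), BCT from
# Definition 3 (needs f^{-1}), the inverse-free BCT of Proposition 4, and the
# closed butterfly V_i of Lemma 8 packed as a 2n-bit S-box. Field polynomials,
# the (x,y) packing and the parameters in __main__ are this example's choices.
from typing import List

IRREDUCIBLE = {3: 0b1011, 4: 0b10011, 6: 0b1000011}  # x^3+x+1, x^4+x+1, x^6+x+1


def gf_mul(a: int, b: int, n: int) -> int:
    """Product of two elements of F_{2^n} (ints below 2^n) modulo IRREDUCIBLE[n]."""
    mod, r = IRREDUCIBLE[n], 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= mod
    return r


def gf_pow(x: int, e: int, n: int) -> int:
    """x^e in F_{2^n} by square-and-multiply; 0^e = 0 for e > 0."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x, n)
        x = gf_mul(x, x, n)
        e >>= 1
    return r


def power_sbox(e: int, n: int) -> List[int]:
    """Table of x -> x^e over F_{2^n}; e = 2^n - 2 gives the inverse function."""
    return [gf_pow(x, e, n) for x in range(1 << n)]


def is_permutation(f: List[int]) -> bool:
    return len(set(f)) == len(f)


def ddt(f: List[int]) -> List[List[int]]:
    """DDT(a,b) = #{x : f(x) + f(x+a) = b}."""
    q = len(f)
    t = [[0] * q for _ in range(q)]
    for a in range(q):
        for x in range(q):
            t[a][f[x] ^ f[x ^ a]] += 1
    return t


def bct(f: List[int]) -> List[List[int]]:
    """BCT(a,b) = #{x : f^{-1}(f(x)+b) + f^{-1}(f(x+a)+b) = a}, f a permutation."""
    q = len(f)
    inv = [0] * q
    for x, y in enumerate(f):
        inv[y] = x
    t = [[0] * q for _ in range(q)]
    for a in range(q):
        for b in range(q):
            t[a][b] = sum(1 for x in range(q) if inv[f[x] ^ b] ^ inv[f[x ^ a] ^ b] == a)
    return t


def bct_no_inverse(f: List[int]) -> List[List[int]]:
    """Proposition 4: BCT(a,b) = #{(x,y) : f(x)+f(y) = b and f(x+a)+f(y+a) = b}."""
    q = len(f)
    t = [[0] * q for _ in range(q)]
    for a in range(q):
        for x in range(q):
            fx, fxa = f[x], f[x ^ a]
            for y in range(q):
                if fxa ^ f[y ^ a] == fx ^ f[y]:
                    t[a][fx ^ f[y]] += 1
    return t


def uniformity(table: List[List[int]]) -> int:
    """Largest entry over nonzero (a,b): differential or boomerang uniformity."""
    q = len(table)
    return max(table[a][b] for a in range(1, q) for b in range(1, q))


def closed_butterfly(n: int, i: int, alpha: int, beta: int) -> List[int]:
    """V_i(x,y) = (R_i(x,y), R_i(y,x)) with R_i(x,y) = (x+alpha*y)^(2^i+1) + beta*y^(2^i+1),
    returned as a 2n-bit S-box where the pair (x,y) is packed as x << n | y."""
    e = (1 << i) + 1

    def r(x: int, y: int) -> int:
        return gf_pow(x ^ gf_mul(alpha, y, n), e, n) ^ gf_mul(beta, gf_pow(y, e, n), n)

    return [(r(x, y) << n) | r(y, x) for x in range(1 << n) for y in range(1 << n)]


if __name__ == "__main__":
    cases = [("x^3 over F_8", power_sbox(3, 3)),
             ("x^-1 over F_16", power_sbox(14, 4)),
             ("x^5 over F_64", power_sbox(5, 6)),
             ("V_1 over F_8^2 with alpha = beta = 1", closed_butterfly(3, 1, 1, 1))]
    for name, f in cases:
        print(f"{name}: permutation={is_permutation(f)}, "
              f"differential uniformity={uniformity(ddt(f))}, "
              f"boomerang uniformity={uniformity(bct(f))}")
```

Both BCT routines are cubic in q and run in well under a second for q = 64; the inverse-free form is the one to use when \(f^{-1}\) is expensive or not available in closed form. The butterfly routine accepts any \((\alpha ,\beta )\), so it can be used to enumerate, for n = 3 or 5, which pairs yield permutations with boomerang uniformity 4 and to compare them with the set \(\varGamma \) of Theorem 1.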
2.3 Useful Lemmas
This subsection summarizes some lemmas that will be used for proving the permutation property of the function in Theorem 1.
Lemma 9
[18, 21, 22] Pick \(d,r > 0\) with \(d\mid (q-1)\), and let \(h(x)\in {{\mathbb {F}}}_q[x]\). Then \(f(x)=x^rh\left( x^{\left. (q-1)/d\right. }\right) \) permutes \({\mathbb {F}}_q\) if and only if both
-
(1)
\(\gcd (r,\left. (q-1)/d\right. )=1\) and
-
(2)
\(g(x)=x^rh(x)^{\left. (q-1)/d\right. }\) permutes \(\mu _d\), where \(\mu _d :=\{x\in {{\mathbb {F}}}_q : x^d=1\}\).
Let the unit circle of \({{\mathbb {F}}}_{q^2}\) be defined by
The unit circle of \({{\mathbb {F}}}_{q^2}\) has the following relation with the finite field \({{\mathbb {F}}}_{q}\).
Lemma 10
[9] Let \(\gamma \) be any fixed element in \({{\mathbb {F}}}_{q^2}\backslash {{\mathbb {F}}}_{q}\). Then we have
The following lemma concerns the solutions of a linearized equation; its proof is easy and we omit it.
Lemma 11
Let \(q=2^n\) and \(\gcd (i,n)=1\). Then for any \(a\in {{\mathbb {F}}}_{q}\), the equation \(x^{2^i}+x=a\) has solutions in \({{\mathbb {F}}}_{q}\) if and only if \(\mathrm{Tr}_q(a)=0\). Moreover, when \(\mathrm{Tr}_q(a)=0\), the equation \(x^{2^i}+x=a\) has exactly two solutions \(x=x_0, x_0+1\) in \({{\mathbb {F}}}_{q}\).
Lemma 12
[15] Let \({\mathbb {R}}\) be a commutative ring with identity. The Dickson polynomial \(D_k(x,a)\) of the first kind of degree k
has the following properties:
-
(1)
\(D_k(x_1+x_2,x_1x_2)=x_1^k+x_2^k\), where \(x_1,\,x_2\) are two indeterminates;
-
(2)
\(D_{k+2}(x,a)=xD_{k+1}(x,a)-aD_k(x,a)\);
-
(3)
\(D_{k\ell }(x,a)=D_{k}\left( D_{\ell }(x,a), a^{\ell } \right) \);
-
(4)
if \({\mathbb {R}}={{\mathbb {F}}}_{2^n}\), then \(D_{2^i}(x,a)=x^{2^i}\).
By the above lemma, the Dickson polynomial of degree \(k=2^i-1\) over \({{\mathbb {F}}}_{2^n}\) can be explicitly given.
Lemma 13
For any positive integer i and element \(a\in {{\mathbb {F}}}_{2^n}\),
Proof
We prove the statement by induction. It is clear that (5) holds for \(i=1\) since \(D_1(x,a)= x\). Suppose that (5) holds for \(i-1\), namely,
By Lemma 12 (3) and (4), we have
In addition, according to Lemma 12 (2),
Thus,
which implies that (5) holds for the i case. Therefore, the desired conclusion follows. \(\square \)
Let \(\gamma \) be a primitive element of \({\mathbb {F}}_{2^2}\), i.e., \(\gamma ^2=\gamma + 1\). Let n be a positive odd integer and \(q=2^n\). Then \({{\mathbb {F}}}_{q^2}={{\mathbb {F}}}_q(\gamma )\), and the basis \(1, \gamma \) of \({\mathbb {F}}_{q^2}\) over \({\mathbb {F}}_q\) induces a one-to-one correspondence between \({\mathbb {F}}_q^2\) and \({\mathbb {F}}_{q^2}\) as follows:
According to the one-to-one correspondence between \({\mathbb {F}}_q^2\) and \({\mathbb {F}}_{q^2}\), the closed butterfly structure \(V_i(x,y) = (R_i(x,y), R_i(y,x))\) over \({\mathbb {F}}_q^2\) can be expressed in a univariate \(z=x+\gamma y\) as
By substituting z with \(\gamma z\) when i is odd (resp. \(\gamma ^2 z\) when i is even), the above univariate polynomial can be transformed into
where the coefficients
with
Further, we define
It’s easy to check that \(\varphi _i\)’s, \(i=1,2,3\), match the ones defined in (2).
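As an added worked computation (not part of the original), the univariate correspondence can be checked by hand in the smallest case \(i=1\), \(\alpha =\beta =1\), where \(R_1(x,y)=(x+y)^3+y^3\). Since n is odd, \(\gamma ^q=\gamma ^2\) and \(\gamma +\gamma ^2=1\), so \(z^q=x+\gamma ^2 y\) and
$$\begin{aligned} y = z+z^q,\qquad x=\gamma ^2 z+\gamma z^q,\qquad x+y=\gamma z+\gamma ^2 z^q. \end{aligned}$$
For \(a,b\in {\mathbb {F}}_{4}\) one has \((az+bz^q)^3 = a^3 z^3 + a^2 b\, z^{q+2} + a b^2 z^{2q+1} + b^3 z^{3q}\). Writing \(u=R_1(x,y)=(x+y)^3+y^3\), \(v=R_1(y,x)=(x+y)^3+x^3\) and
$$\begin{aligned} F(z)=u+\gamma v=\gamma ^2 (x+y)^3 + y^3 + \gamma x^3, \end{aligned}$$
the coefficients of \(z^3\), \(z^{2q+1}\) and \(z^{3q}\) in F(z) are \(\gamma ^2+1+\gamma =0\), \(\gamma ^4+1+\gamma ^2=0\) and \(\gamma ^2+1+\gamma =0\), while the coefficient of \(z^{q+2}\) is \(\gamma ^3+1+\gamma ^3=1\). Hence
$$\begin{aligned} F(z)=z^{q+2}=\bigl (z^{2^{n-1}+1}\bigr )^2 . \end{aligned}$$
Since \(\gcd (2^{n-1}+1,2^{2n}-1)\) divides \(2^{\gcd (2n-2,2n)}-1=3\) and \(2^{n-1}+1\equiv 2 \pmod 3\) for odd n, \(\gcd (q+2,q^2-1)=1\) and this \(V_1\) permutes \({\mathbb {F}}_{q^2}\), in agreement with the case \(\alpha =\beta =1\) treated in Sect. 3.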
At the end of this section, we provide a lemma on some properties of the elements \(\varphi _i\) that appear in Theorem 1. This result will be used heavily in the proof of the main theorem.
Lemma 14
Let \(q=2^n\) with n odd and \(\gcd (i,n)=1\). Let \(\varphi _1, \varphi _2, \varphi _3, \varphi _4\) be defined by (10) satisfying \(\varphi _{2}^{2^i}=\varphi _{1}\varphi _{3}^{2^i-1}\) and \(\varphi _{3}\ne 0\). For \(\alpha ,\,\beta \ \in {{\mathbb {F}}}_{q}^*\), they have the following properties:
-
(1)
\((\varphi _1+\varphi _3)(\varphi _2+\varphi _3)(\varphi _3+\varphi _4)\varphi _4\ne 0\) and \(\left( \frac{\varphi _3}{\varphi _2+\varphi _3}\right) ^{2^i} = \frac{\varphi _3}{\varphi _1+\varphi _3} \) ;
-
(2)
when i is even, \(\mathrm{Tr}_q\left( \frac{\varphi _4}{\varphi _3}\right) =1\); moreover, the equation
$$\begin{aligned} x^{2^i}+x+\frac{\varphi _3+\varphi _4}{\varphi _3}=0 \end{aligned}$$has two solutions \(\frac{\varphi _2+\varphi _3}{\varphi _3}\alpha \) and \(\frac{\varphi _2+\varphi _3}{\varphi _3}\alpha +1\) in \({{\mathbb {F}}}_q\);
-
(3)
when i is odd, \(\mathrm{Tr}_q\left( \frac{\varphi _4}{\varphi _3}\right) =0\);
-
(4)
\(\mathrm{Tr}_q\left( \frac{\varphi _2}{\varphi _3}\right) =0\).
Proof
Since
and
it is clear that
and
(1) It follows from (13) and (14) that
By the equality \(\varphi _2^{2^i}=\varphi _1\varphi _3^{2^i-1}\), if either \(\varphi _4(\varphi _3+\varphi _4)=0\) or \((\varphi _1+\varphi _3)(\varphi _2+\varphi _3)=0\), then \(\varphi _1+\varphi _2=0\) and \(\varphi _1=\varphi _2=\varphi _3\). The equation \(\varphi _1+\varphi _2=(\alpha ^{2^i}+\alpha )( \alpha ^{2^i+1}+\beta +1)=0\) implies \(\beta =\alpha ^{2^i+1}+1\) or \(\alpha ^{2^i}+\alpha =0\). In fact, if \(\beta =\alpha ^{2^i+1}+1\), then \(\varphi _1+\varphi _3=\alpha ^{2^i+2}+\alpha ^{2^i}+\alpha \beta =\alpha ^{2^i}+\alpha =0\). Thus we always have \(\alpha ^{2^i}+\alpha =0\), equivalently \(\alpha =0, 1\). This implies \(\varphi _1+\varphi _3=\alpha ^{2^i+2}+\alpha ^{2^i}+\alpha \beta = \alpha \beta = 0\), which is in contradiction with the assumption \(\alpha \beta \ne 0\).
In addition, it is clear that the equality \(\varphi _2^{2^i}=\varphi _1\varphi _3^{2^i-1}\) implies
(2) From (11) and (12), we have
It is easy to verify that
Moreover, using \(\left( \frac{\varphi _3}{ \varphi _2+\varphi _3}\right) ^{2^i} = \frac{\varphi _3}{\varphi _1+\varphi _3} \), we have
Thus,
Furthermore, from Lemma 11, the solutions in \({{\mathbb {F}}}_{q}\) of \(x^{2^i}+x=\frac{\varphi _3+\varphi _4}{\varphi _3}\) are \(\frac{\varphi _2+\varphi _3}{\varphi _3}\alpha \) and \(\frac{\varphi _2+\varphi _3}{\varphi _3}\alpha +1\).
(3) From the expressions of \(\varphi _3, \varphi _4\) in (11), (12), it is clear that the values of \(\varphi _4\) for even i and odd i add up to \(\varphi _3\). The fact that \(\mathrm{Tr}_q(1) = 1\) for odd integer n implies that the values of \(\mathrm{Tr}_q\left( \frac{\varphi _{4}}{\varphi _3}\right) \) for even i and odd i add up to 1. The desired assertion directly follows from (2) of this lemma.
(4) From (13) and (14), it is easily seen that
Plugging \(\frac{\varphi _1}{\varphi _3} = \left( \frac{\varphi _2}{\varphi _3}\right) ^{2^i}\) into Eq. (18), we get
By the relation between \(\varphi _3\) and \(\varphi _4\) for even and odd i, it is clear that the expression on the right side of the above equation is independent of the parity of the integer i. W.L.O.G., we can assume that i is even, since the case i odd can be proved by just replacing \(\varphi _4\) by \(\varphi _3+\varphi _4\). Together with (17), we have
Therefore,
or
If Eq. (19) holds, then
If \(\alpha =1\), it is easy to obtain that \(\beta =1\) from the definition of \(\varGamma \). Moreover, \(\varphi _2=0\) and thus \(\mathrm{Tr}_q\left( \frac{\varphi _2}{\varphi _3}\right) =0.\) In the following, we assume that \(\alpha \ne 1\). Then after multiplying Eq. (20) by \(\frac{\alpha ^2+1}{\alpha ^2}\) and simplifying, we get
and thus
It is clear that \(\varphi _2+\varphi _3\ne 0\). By \( \left( \frac{\varphi _3}{\varphi _2+\varphi _3}\right) ^{2^i} = \frac{\varphi _3}{\varphi _1+\varphi _3}\), one has
Since \(\gcd (i,n)=1\), one has \(\frac{\varphi _2+\varphi _3}{\varphi _3}=\frac{1}{\alpha }\) and \(\frac{\varphi _2+\varphi _3}{\varphi _3}=\frac{1}{\alpha }+1\ne \frac{\alpha ^2+\alpha +1}{\alpha ^2+1}\).
Therefore, Eq. (19) does not hold and thus
which implies \(\mathrm{Tr}_q\left( \frac{\varphi _2}{\varphi _3}\right) =0.\) \(\square \)
3 The permutation property of \(V_i(x,y)\)
In this section, we firstly give a general necessary and sufficient condition on the permutation property of the function \(V_i\) from the closed butterfly. Throughout what follows, we always assume n is an odd integer.
Recall that the univariate representation of \(V_i\) has the following form
The following proposition gives a necessary and sufficient condition for f(x), as defined by (22), to be a permutation of \({\mathbb {F}}_{q^2}\), without imposing any additional restriction on the coefficients \(\epsilon _j\).
Proposition 15
Let \(q=2^n\), f(x) be defined by (22), \(h(x)=\epsilon _1x^{2^i+1}+\epsilon _2x^{2^i}+\epsilon _3x+\epsilon _4\) and \(g(x)=x^{2^i+1}h(x)^{q-1}\). Define \(\mu _{q+1} = \{ x\in {{\mathbb {F}}}_{q^2} : x^{q+1}=1 \}\) and
Then f(x) permutes \({{\mathbb {F}}}_{q^2}\) if and only if
-
(1)
\(\gcd \left( 2^i+1, q-1 \right) =1\);
-
(2)
\(h(x)=0\) has no solution in \(\mu _{q+1}\);
-
(3)
\(g(x)=1\) if and only if \(x=1\);
-
(4)
there does not exist some \((X,Y)\in T\) such that the following equation holds:
$$\begin{aligned} \varphi _1X^{2^i}+\varphi _2 X + \varphi _3 \left( \sum _{j=0}^{i-1} Y^{2^j} \right) + \varphi _4 =0, \end{aligned}$$(23)where \(\varphi _j\) for \(j=1,2,3,4\) are defined by (10).
Proof
It is clear that \(f(x)=x^{2^i+1}h\left( x^{q-1} \right) \). According to Lemma 9, f(x) permutes \({{\mathbb {F}}}_{q^2}\) if and only if \(\gcd \left( 2^i+1, q-1 \right) =1\) and
permutes \(\mu _{q+1}\), which obviously implies that \(h(x)=0\) has no solution in \(\mu _{q+1}\) and \(g(x)=1\) if and only if \(x=1\). In the following, we assume that the conditions (1),(2) and (3) hold. Therefore, g(x) permutes \(\mu _{q+1}\) if and only if \(g(x)+g(y)=0\) has no solution for \(x,y\in \mu _{q+1}\backslash \{1\}\) with \(x\ne y\). In fact, if \(g(x)+g(y)=0\) for some \(y=x^q\), then we have \(g(x)=g(y)=g(x^q)=g(x)^q=g(x)^{-1}\) and thus \(g(x)=1\), which means that \(x=1\). Thus we can only consider the conditions such that \(g(x)+g(y)=0\) has no solution for \(x,y\in \mu _{q+1}\backslash \{1\}\) with \(y\ne x,x^q\). Next, we prove the necessity and sufficiency of the condition (4).
The sufficiency of (4). Suppose \(g(x)+g(y)=0\), i.e.,
After a routine calculation, we obtain
where \(\varphi _j\)’s for \(j=1,2,3,4\) are defined as in (10). By the previous discussion, we now only need to consider the case that \((x+y)(xy+1)\ne 0\). Therefore, the above equation is equivalent to
Note that
It follows from Lemma 12 (1) that the coefficient of \(\varphi _3\) can be expressed in terms of Dickson polynomial as
In addition, by Lemma 12 (2), (4) and Lemma 13,
Denote \(X=\frac{xy+1}{x+y}\) and \(Y=\frac{xy}{(x+y)^2}\). Then the coefficient of \(\varphi _{3}\) can be written as
It is straightforward that \(g(x) = g(y)\) can be rewritten as
Thus, if there exist some \(x,y\in \mu _{q+1}\) with \(y\ne x,x^q\) such that \(g(x)+g(y)=0\) holds, there must exist some \((X,Y)\in T\) such that Eq. (26) holds. Thus if the condition (4) holds, g(x) permutes \(\mu _{q+1}\).
The necessity of (4). On the contrary, if the condition (4) does not hold, which means that there exist some \((X,Y)\in T\) such that Eq. (26) holds, then there must exist some \(x,y\in \mu _{q+1}\backslash \{1\}\) with \(y\ne x,x^q\) such that \(g(x)+g(y)=0\), which implies that g(x) does not permute \(\mu _{q+1}\).
On combining the sufficiency and necessity, we have proved the desired conclusion. \(\square \)
Proof of the permutation part in Theorem 1.
In the following, we will prove the permutation part in Theorem 1 by verifying the conditions in Proposition 15.
First of all, if \(\alpha =1\), it is easy to obtain that \(\beta =1\) from the definition of \(\varGamma \). In this case, the function
clearly permutes \({{\mathbb {F}}}_{q^2}\). In the following, we assume \(\alpha \ne 1\) and will show the four items of Proposition 15.
(1) Since n is odd and \(\gcd (i,n)=1\), we have \(\gcd (2^i+1,2^n-1)=1\) due to the fact \(\gcd (2^i+1,2^n-1) \mid \gcd (2^{2i}-1,2^n-1) = 2^{\gcd (2i,n)}-1=1\).
(2) Next we show that \(h(x)=0\) has no solution in \(\mu _{q+1}\backslash \{1\}\) (\(h(1)=\sqrt{\varphi _3}\ne 0\) according to the definition). Suppose that there exists some \(x_0\in \mu _{q+1}\backslash \{1\}\) satisfying
Raising Eq. (27) to the q-th power and re-arranging it according to \(x_0^q=x_0^{-1}\), we obtain
Summing \(\epsilon _4 \times (27)\) and \(\epsilon _1 \times (28)\) gives
Computing \(\varphi _4 \times (29) + \varphi _1 \times (29)^q\times x_0^{2^i} \) yields
Furthermore, by computing \((30)\times x_0 + (29) \times \varphi _2\), we obtain
Note that in the above equation \(\varphi _2\varphi _4\ne 0\). Otherwise, we have \(\varphi _1^2+\varphi _2^2=\varphi _4^2\). Recall that \(\varphi _1^2+\varphi _2^2=\varphi _4(\varphi _3+\varphi _4)\) from (13) and (14). Thus we obtain \(\varphi _3\varphi _4=0\), which is in contradiction with \(\varphi _3\ne 0\) in the definition of \(\varGamma \) and \(\varphi _4\ne 0\) in Lemma 14 (1). Thus Eq. (31) becomes
Note that
This implies that Eq. (32) has a solution \(x_0\in {{\mathbb {F}}}_{q}\), which contradicts \(x_0\in \mu _{q+1}\backslash \{1\}\) since \(\mu _{q+1}\cap {{\mathbb {F}}}_{q}=\{1\}\). Therefore, \(h(x)=0\) has no solution in \(\mu _{q+1}\).
(3) If there exists some \(x_0\in \mu _{q+1}\backslash \{1\}\) such that \(g(x_0)=1\), then we have
According to Lemma 10, we know that for any \(x_0\in \mu _{q+1}\backslash \{1\}\), there exists a unique element \(y_0\in {{\mathbb {F}}}_{q}\) such that \(x_0=\frac{y_0+\gamma }{y_0+\gamma ^2}\), where \(\gamma \in {{\mathbb {F}}}_{2^2}\backslash {{\mathbb {F}}}_2\). By plugging \(x_0=\frac{y_0+\gamma }{y_0+\gamma ^2}\) into Eq. (33) and a routine rearrangement, we obtain
where \(\varepsilon _1, \varepsilon _4\) are defined as in (9) satisfying that \(\varepsilon _1+\varepsilon _4=\epsilon _1+\epsilon _4\) for even i and \(\varepsilon _1+\varepsilon _4=\epsilon _2+\epsilon _3\) for odd i. In other words, \(\varepsilon _1+\varepsilon _4\) corresponds to \(\sqrt{\varphi _4}\) for even i and \(\sqrt{\varphi _3+\varphi _4}\) for odd i. By Lemma 14 (2) and (3), we have
This implies (34) has no solution in \({\mathbb {F}}_q\). Hence \(g(x)=1\) if and only if \(x=1\).
(4) Recall that \(Y=\frac{xy}{x^2+y^2}\) for some \(x,y\in \mu _{q+1}\backslash \{1\}\) with \(x\ne y\). Note that \(\frac{y}{x+y}\in {{\mathbb {F}}}_{q^2}\backslash {{\mathbb {F}}}_{q}\) is a solution to the equation \(z^2+z+Y=0\). This implies \(\mathrm{Tr}_q\left( Y\right) = 1\). It is clear that Eq. (26) required in Proposition 15 is equivalent to
By \(\mathrm{Tr}_q(Y)=1\) we have
on the other hand, the expression on the right hand side satisfies
according to Lemma 14. Hence Eq. (26) does not hold for any \((X,Y)\in T\).
Up to now, all the four items in Proposition 15 are confirmed. Hence the function \(V_i(x,y)\) in Theorem 1 permutes \({{\mathbb {F}}}_{q}^2\).
4 The boomerang uniformity of \(V_i(x,y)\)
In this section, we will prove that the function
with \(R_i(x,y)=(x+\alpha y)^{2^i+1}+\beta y^{2^i+1}\) has boomerang uniformity 4 when the pair \((\alpha , \beta )\) is taken from the set \(\varGamma \) as in given in Theorem 1. Here and hereafter, we assume that n is odd, \(q=2^n\) and \((\alpha ,\beta )\in \varGamma \).
First of all, the condition \(\beta \ne (\alpha +1)^{2^i+1}\) in Lemma 8 corresponds to the condition \(\varphi _3\ne 0\) in \(\varGamma \). Hence the differential uniformity of \(V_i\) with \(R_i(x,y)=(x+\alpha y)^{2^i+1}+\beta y^{2^i+1}\) is at most 4 for any \((\alpha ,\beta )\in \varGamma \). Furthermore, Canteaut, Perrin and Tian [5] showed that if \(V_i\) is APN then it operates on 6 bits. Therefore, the differential uniformity of \(V_i\) is equal to 4 in other cases. Since \(V_i\) in Theorem 1 permutes \({{\mathbb {F}}}_{q}^2\) and has differential uniformity 4, we can use Lemma 5 to show the boomerang uniformity of \(V_i\). For any \((a,b)\in {{\mathbb {F}}}_{q}^2\), denote
and
According to Lemma 5, we need to determine \((a_1,b_1), (a_2,b_2)\in {{\mathbb {F}}}_{q}^2\backslash \{(0,0)\}\) satisfying \(S_{V_i,(a_1,b_1)}(a_2,b_2)=(0,0)\), and then to prove that for any such pairs the equation \(\mathrm {Im}_{V_i,(a_1,b_1)}=\mathrm {Im}_{V_i,(a_2,b_2)}\) holds.
4.1 The solutions of \(S_{V_i,(a_1,b_1)}(a_2,b_2)=(0,0)\)
The solution of the equation \(S_{V_i,(a_1,b_1)}(a_2,b_2)=(0,0)\) is studied in the following proposition.
Proposition 16
Let \(V_i\) be defined as in Theorem 1 with \((\alpha ,\beta ) \in \varGamma \) and \(\varphi _j\)’s for \(j=1,2,3,4\) be defined as in (10). Then the elements \((a_1,b_1), (a_2,b_2) \in {{\mathbb {F}}}_{q}^2\backslash \{ (0,0) \}\) such that
satisfy \((a_2,b_2)=X\cdot (a_1,b_1)\), where X is a \(2\times 2\) matrix taken from the following set
Proof
Note that the equation
can be rewritten as
Let \(\varphi _j\)’s for \(j=1,2,3,4\) be defined as in (10). Eliminating the terms \(a_2^{2^i}\) in the above equations by computing \((37.1)\times \left( \left( \alpha ^{2^i+1}+\beta \right) a_1+\alpha ^{2^i}b_1 \right) + (37.2) \times \left( a_1+\alpha b_1 \right) \), we obtain
where the coefficients are given by
\(\varphi _1, \varphi _2, \varphi _3\) are defined as in (10) and \(\varphi _{4}\) corresponds to the case that i is even. Hereafter, we assume \(\varphi _4\) is restricted to the case of even i, i.e, \(\varphi _4=(\alpha ^{2^i+1}+\beta + 1)^2\).
When \(b_1=0\), we have \(a_1\ne 0\), \(\lambda _1=0, \lambda _2 = \left( \varphi _2+\varphi _3 \right) a_1^2 \) and \( \lambda _3 = \left( \varphi _1+\varphi _3\right) a_1^{2^i+1}\). Moreover, Eq. (38) becomes \(\lambda _2 b_2^{2^i} = \lambda _3 b_2\). This together with Lemma 14 (1) implies
Note that in the case of \(b_1=0\), Eq. (37.1) becomes
Therefore, if \(b_2=0\), then \(a_2=a_1\); if \(b_2=\frac{\varphi _2+\varphi _3}{\varphi _3} a_1\), then \(a_2=\frac{\varphi _2+\varphi _3}{\varphi _3}\alpha a_1\) or \(a_2=\frac{\varphi _2+\varphi _3}{\varphi _3}\alpha a_1+a_1\).
When \(b_1\ne 0\), after eliminating the terms \(b_2^{2^i}\) by computing \((37.1)\times \left( (\alpha ^{2^i+1}+\beta ) a_1^{2^i}+ \alpha b_1^{2^i} \right) + (37.2) \times \left( a_1^{2^i}+\alpha ^{2^i}b_1^{2^i} \right) \), we obtain
where
Furthermore, computing \((38)^{2^i}+\lambda _1^{2^i-1}\times (39)\), we eliminate the term \(a_2^{2^i}\) and obtain
Here we note that \(\lambda _2\ne 0\). Otherwise one has \(\left( \varphi _2+\varphi _3 \right) a_1^2 + \varphi _3a_1b_1 + \left( \varphi _2+\varphi _3 \right) b_1^2=0,\) i.e.,
which is in contradiction with the fact \(\mathrm{Tr}_q\left( \frac{\varphi _2}{\varphi _3}\right) =0\) by Lemma 14 (4).
In addition, since the differential uniformity of \(V_i\) is 4, Eq. (40) has three nonzero solutions \(b_2=b_1, {\bar{b}} \) and \({\bar{b}}+b_1\) and we only need to obtain the expression of \({\bar{b}}\). Clearly, \({\tilde{b}}_2=b_1^{2^i-1}\) is a solution of
Hence, Eq. (41) can be written as
where \(c=\frac{\lambda _1^{2^i-1}\eta _3}{\lambda _2^{2^i}b_1^{2^i-1}}\). Now we consider the equation
Let \({\hat{b}}_2=\frac{1}{{\tilde{b}}_2+b_1^{2^i-1}}\). Then Eq. (42) becomes
i.e.,
In addition, we have
where the last two equalities follow from Lemma 14 (1). Moreover,
where \(u=\frac{\varphi _2+\varphi _3}{\varphi _3}\alpha \) due to Lemma 14 (2). Hence, from Eq. (43), we have
which means that there are exactly two solutions in \({{\mathbb {F}}}_{q}\) for Eq. (42). W.L.O.G., we only consider the first expression here. Namely, we get
Thus,
is one solution of Eq. (42). Furthermore, one solution of Eq. (40) is
It follows directly from Eq. (38) that
\(\square \)
4.2 The proof of \(\mathrm {Im}_{V_i,(a_1,b_1)}=\mathrm {Im}_{V_i,(a_2,b_2)}\)
In this subsection, we prove that for any \((a_1,b_1), (a_2,b_2)\in {{\mathbb {F}}}_{q}^2\backslash \{(0,0)\}\) satisfying \(S_{V_i,(a_1,b_1)}(a_2,b_2)=(0,0)\), \(\mathrm {Im}_{V_i,(a_1,b_1)}=\mathrm {Im}_{V_i,(a_2,b_2)}\).
According to Eq. (37.1), we know that for any \((a_1,b_1)\in {{\mathbb {F}}}_{q}^2\), \(S_{V_i,(a_1,b_1)}(x,y)\) can be represented as
where
and
For the three relations between \((a_1,b_1), (a_2,b_2)\in {{\mathbb {F}}}_{q}^2\backslash \{ (0,0) \}\) presented in Proposition 16 such that \(S_{V_i,(a_1,b_1)}(a_2,b_2)=(0,0)\), it is clear that if \(a_2=a_1\) and \(b_2=b_1\), then \(\mathrm {Im}_{V_i,(a_1,b_1)}=\mathrm {Im}_{V_i,(a_2,b_2)}\). In addition, once \(\mathrm {Im}_{V_i,(a_1,b_1)}=\mathrm {Im}_{V_i,(a_2,b_2)}\) has been proved for the second relation in Proposition 16, it also holds for the third relation, since the sum of a subspace with itself is that same subspace. Therefore, it suffices to show that \(\mathrm {Im}_{V_i,(a_1,b_1)}=\mathrm {Im}_{V_i,(a_2,b_2)}\) holds for the second relation in Proposition 16. Below we again restrict \(\varphi _4\) to the case of even i.
Let \(u=\frac{\varphi _2+\varphi _3}{\varphi _3}\alpha \). Then \(u^{2^i}=u+\frac{\varphi _3+\varphi _4}{\varphi _3}\). Moreover, \(a_2= (u+1) a_1+ \frac{\varphi _2+\varphi _3}{\varphi _3} b_1\) and \(b_2= \frac{\varphi _2+\varphi _3}{\varphi _3} a_1+ub_1\). Furthermore, we get
and
Therefore, in \(S_{V_i,(a_2,b_2)}(x,y)\), we have
and
where the explicit expressions of entries in \(A_2\) and \(B_2\) in terms of \(a_1, b_1\) are given as follows:
Note that the determinants of \(A_1\) and \(B_1\) are
and
Now we consider the necessary and sufficient conditions such that \( \mathrm {Det}(A_1)=0\). Clearly, from \( \mathrm {Det}(A_1)=0\), we have \(b_1=0\) or
namely,
and thus \(a_1=\alpha b_1\) or \( \left( \alpha +\frac{\varphi _3}{\varphi _2+\varphi _3} \right) b_1\) due to Lemma 14. Therefore, \( \mathrm {Det}(A_1)=0 \) if and only if \(b_1=0\) or \(a_1=\alpha b_1\) or \( \left( \alpha +\frac{\varphi _3}{\varphi _2+\varphi _3} \right) b_1\). Similarly, \( \mathrm {Det}(B_1)=0 \) if and only if \(a_1=0\) or \(b_1=\alpha a_1\) or \( \left( \alpha +\frac{\varphi _3}{\varphi _2+\varphi _3} \right) a_1\).
It is easy to verify that \(\mathrm {Det}(A_1)=0 \) and \( \mathrm {Det}(B_1)=0 \) hold simultaneously if and only if one of the following holds:
(i) \( \alpha = 1, a_1= b_1\);
(ii) \(\alpha +\frac{\varphi _3}{\varphi _2+\varphi _3} = 1, a_1=b_1\);
(iii) \(\alpha \left( \alpha +\frac{\varphi _3}{\varphi _2+\varphi _3} \right) = 1, a_1=\alpha b_1\).
If \(\alpha +\frac{\varphi _3}{\varphi _2+\varphi _3} = 1\), then \( \frac{\varphi _2}{\varphi _3} = \frac{\alpha }{\alpha +1}.\) Recall that (21) holds, namely,
Plugging \( \frac{\varphi _2}{\varphi _3} = \frac{\alpha }{\alpha +1}\) into the above equation and simplifying, we obtain \(\alpha =1\), implying \(\frac{\varphi _3}{\varphi _2+\varphi _3}=0\), which is impossible. If \(\alpha \left( \alpha +\frac{\varphi _3}{\varphi _2+\varphi _3} \right) = 1,\) then \(\frac{\varphi _2}{\varphi _3}=\frac{\alpha ^2+\alpha +1}{\alpha ^2+1}=\frac{1}{\alpha +1}+\frac{1}{\alpha ^2+1}+1,\) which is also impossible since \(\mathrm{Tr}_q\left( \frac{\varphi _2}{\varphi _3}\right) =0.\) Therefore, \(\mathrm {Det}(A_1)=0 \) and \( \mathrm {Det}(B_1)=0 \) hold simultaneously if and only if \( \alpha = 1, a_1= b_1\), in which case it is clear that \(\mathrm {Im}_{V_i,(a_1,b_1)}=\mathrm {Im}_{V_i,(a_2,b_2)}\).
Next, we consider the following two cases:
(I) \(\mathrm {Det}(B_1)\ne 0\);
(II) \(\mathrm {Det}(A_1)\ne 0\).
It is clear that \(\mathrm {Im}_{V_i,(a_1,b_1)}=\mathrm {Im}_{V_i,(a_2,b_2)}\) if there exists some invertible matrix P such that \(PA_1=A_2\) and \(PB_1=B_2\).
As for Case (I), it suffices to show that
After computing, we know that (44) is
By plugging the expression of \(B_1\) into the above equation and simplifying, we get
Moreover, we have
1.
$$\begin{aligned}&b_{21}b_{14}a_{11}+b_{21}b_{12}a_{13}+b_{22}b_{13}a_{11}+b_{22}b_{11}a_{13}\\&\quad = \left( \varphi _3+\varphi _4\right) a_1^{2^i+2} + \left( \varphi _4\alpha ^{2^i} + \frac{\varphi _4\left( \varphi _2+\varphi _3\right) }{\varphi _3}\beta +\frac{\left( \varphi _2+\varphi _3\right) ^2\left( \varphi _1+\varphi _3\right) }{\varphi _3} \right) a_1^2b_1^{2^i} \\&\qquad + \left( \left( \varphi _2+\varphi _3\right) \alpha ^{2^i}+\frac{\left( \varphi _2+\varphi _3\right) ^2}{\varphi _3}\beta +\frac{\left( \varphi _3+\varphi _4\right) \left( \varphi _2+\varphi _3\right) \left( \varphi _1+\varphi _3\right) }{\varphi _3} \right) a_1b_1^{2^i+1}\\&\qquad +\left( \varphi _3\alpha + \left( \varphi _1+\varphi _3 \right) \beta + \frac{\left( \varphi _2+\varphi _3\right) \left( \varphi _1+\varphi _3\right) ^2}{\varphi _3} \right) a_1^{2^i+1}b_1\\&\qquad +\left( \left( \varphi _2+\varphi _3\right) \alpha +\frac{\left( \varphi _2+\varphi _3\right) \left( \varphi _1+\varphi _3\right) }{\varphi _3}\beta \right) a_1^{2^i}b_1^2\\&\quad =\left( \varphi _3+\varphi _4\right) a_1^{2^i+2}+\left( \varphi _1+\varphi _3\right) a_1^2b_1^{2^i}+\frac{\left( \alpha ^2+1\right) \left( \varphi _2+\varphi _3\right) \left( \varphi _1+\varphi _3\right) }{\varphi _3} a_1b_1^{2^i+1} \\&\qquad +\frac{(\alpha ^4+\beta ^2+1)\left( \varphi _2+\varphi _3 \right) }{\varphi _3}a_1^{2^i+1}b_1 + \frac{\left( \alpha ^2+1\right) \left( \varphi _2+\varphi _3\right) ^2}{\varphi _3}a_1^{2^i}b_1^2, \end{aligned}$$
2.
$$\begin{aligned}&b_{23}b_{14}a_{11}+b_{23}b_{12}a_{13}+b_{24}b_{13}a_{11}+b_{24}b_{11}a_{13}\\&\quad = \frac{\left( \varphi _1+\varphi _2\right) ^2\beta }{\varphi _3}a_1^{2^i+2}+\frac{\varphi _4\left( \varphi _1+\varphi _3\right) \beta }{\varphi _3}a_1^2b_1^{2^i} +\frac{\left( \varphi _1+\varphi _3\right) \left( \varphi _2+\varphi _3\right) \beta }{\varphi _3}a_1b_1^{2^i+1} \\&\qquad + \left( \varphi _2+\varphi _3\right) \beta a_1^{2^i+1}b_1 + \frac{\left( \varphi _2+\varphi _3\right) ^2\beta }{\varphi _3} a_1^{2^i}b_1^2, \end{aligned}$$
3.
$$\begin{aligned}&b_{23}b_{14}a_{12}+b_{23}b_{12}a_{14}+b_{24}b_{13}a_{12}+b_{24}b_{11}a_{14} \\&\quad = \frac{\left( \varphi _1+\varphi _2\right) ^2\beta }{\varphi _3}a_1^{2^{i+1}+1}+\left( \varphi _1+\varphi _3\right) \beta a_1^{2^i+1}b_1^{2^i} +\frac{\left( \varphi _1+\varphi _3\right) ^2\beta }{\varphi _3}a_1b_1^{2^{i+1}} \\&\qquad + \frac{\varphi _4\left( \varphi _2+\varphi _3\right) \beta }{\varphi _3} a_1^{2^{i+1}}b_1 + \frac{\left( \varphi _1+\varphi _3\right) \left( \varphi _2+\varphi _3\right) \beta }{\varphi _3} a_1^{2^i}b_1^{2^i+1}, \end{aligned}$$
4.
$$\begin{aligned}&b_{21}b_{14}a_{12}+b_{21}b_{12}a_{14}+b_{22}b_{13}a_{12}+b_{22}b_{11}a_{14} \\&\quad = \left( \varphi _3+\varphi _4\right) a_1^{2^{i+1}+1} + \left( \varphi _3\alpha ^{2^i} + \left( \varphi _2+\varphi _3\right) \beta +\frac{\left( \varphi _2+\varphi _3\right) ^2\left( \varphi _1+\varphi _3\right) }{\varphi _3} \right) a_1^{2^i+1}b_1^{2^i}\\&\qquad + \left( (\varphi _1+\varphi _3)\alpha ^{2^i} + \frac{\left( \varphi _2+\varphi _3\right) \left( \varphi _1+\varphi _3\right) }{\varphi _3}\beta \right) a_1b_1^{2^{i+1}} \\&\qquad + \left( \frac{\left( \varphi _2+\varphi _3\right) \left( \varphi _1+\varphi _3\right) ^2}{\varphi _3} + \varphi _4\alpha +\,\frac{\varphi _4(\varphi _1+\varphi _3)}{\varphi _3}\beta \right) a_1^{2^{i+1}}b_1\\&\qquad +\left( \left( \varphi _2+\varphi _3\right) \left( \varphi _1+\varphi _3\right) +\left( \varphi _1+\varphi _3\right) \alpha +\frac{(\varphi _1+\varphi _3)^2}{\varphi _3}\beta \right. \\&\qquad \left. + \frac{\varphi _4\left( \varphi _2+\varphi _3\right) \left( \varphi _1+\varphi _3\right) }{\varphi _3} \right) a_1^{2^i}b_1^{2^{i}+1} \\&\quad = \left( \varphi _3+\varphi _4\right) a_1^{2^{i+1}+1} + \frac{ \left( \alpha ^{2^{i+2}}+\beta ^2+1\right) \left( \varphi _1+\varphi _3\right) }{\varphi _3}a_1^{2^i+1}b_1^{2^i}\\&\qquad +\frac{\left( \alpha ^{2^{i+1}}+1\right) \left( \varphi _1+\varphi _3\right) ^2}{\varphi _3}a_1b_1^{2^{i+1}}\\&\qquad +\left( \varphi _2+\varphi _3\right) a_1^{2^{i+1}}b_1+\frac{\left( \alpha ^{2^{i+1}}+1\right) \left( \varphi _1+\varphi _3\right) \left( \varphi _2+\varphi _3\right) }{\varphi _3}a_1^{2^i}b_1^{2^i+1}. \end{aligned}$$
Furthermore, after computing and simplifying, we have
1.
$$\begin{aligned}&\mathrm {Det}(B_1) a_{21} \\&\quad = \left( \varphi _3+\varphi _4\right) a_1^{2^i+2}+\left( \varphi _1+\varphi _3\right) a_1^2b_1^{2^i}\\&\qquad +\frac{\left( \alpha ^2+1\right) \left( \varphi _2+\varphi _3\right) \left( \varphi _1+\varphi _3\right) }{\varphi _3} a_1b_1^{2^i+1} \\&\qquad +\frac{(\alpha ^4+\beta ^2+1)\left( \varphi _2+\varphi _3 \right) }{\varphi _3}a_1^{2^i+1}b_1 + \frac{\left( \alpha ^2+1\right) \left( \varphi _2+\varphi _3\right) ^2}{\varphi _3}a_1^{2^i}b_1^2, \end{aligned}$$
2.
$$\begin{aligned}&\mathrm {Det}(B_1) a_{22} \\&\quad = \left( \varphi _3+\varphi _4\right) a_1^{2^{i+1}+1} + \frac{ \left( \alpha ^{2^{i+2}}+\beta ^2+1\right) \left( \varphi _1+\varphi _3\right) }{\varphi _3}a_1^{2^i+1}b_1^{2^i}\\&\qquad + \frac{\left( \alpha ^{2^{i+1}}+1\right) \left( \varphi _1+\varphi _3\right) ^2}{\varphi _3}a_1b_1^{2^{i+1}}\\&\qquad +\left( \varphi _2+\varphi _3\right) a_1^{2^{i+1}}b_1+\frac{\left( \alpha ^{2^{i+1}}+1\right) \left( \varphi _1+\varphi _3\right) \left( \varphi _2+\varphi _3\right) }{\varphi _3}a_1^{2^i}b_1^{2^i+1}, \end{aligned}$$
3.
$$\begin{aligned}&\mathrm {Det}(B_1) a_{23} \\&\quad = \frac{\left( \varphi _1+\varphi _2\right) ^2\beta }{\varphi _3}a_1^{2^i+2}+\frac{\varphi _4\left( \varphi _1+\varphi _3\right) \beta }{\varphi _3}a_1^2b_1^{2^i} +\frac{\left( \varphi _1+\varphi _3\right) \left( \varphi _2+\varphi _3\right) \beta }{\varphi _3}a_1b_1^{2^i+1} \\&\qquad + \left( \varphi _2+\varphi _3\right) \beta a_1^{2^i+1}b_1 + \frac{\left( \varphi _2+\varphi _3\right) ^2\beta }{\varphi _3} a_1^{2^i}b_1^2, \end{aligned}$$
4.
$$\begin{aligned}&\mathrm {Det}(B_1) a_{24} \\&\quad = \frac{\left( \varphi _1+\varphi _2\right) ^2\beta }{\varphi _3}a_1^{2^{i+1}+1}+\left( \varphi _1+\varphi _3\right) \beta a_1^{2^i+1}b_1^{2^i} +\frac{\left( \varphi _1+\varphi _3\right) ^2\beta }{\varphi _3}a_1b_1^{2^{i+1}} \\&\qquad + \frac{\varphi _4\left( \varphi _2+\varphi _3\right) \beta }{\varphi _3} a_1^{2^{i+1}}b_1 + \frac{\left( \varphi _1+\varphi _3\right) \left( \varphi _2+\varphi _3\right) \beta }{\varphi _3} a_1^{2^i}b_1^{2^i+1}. \end{aligned}$$
Hence, it follows that
and Eq. (44) holds.
As for Case (II), we need to show that
whose proof is obtained by interchanging the roles of \(a_1\) and \(b_1\) in the proof of (44).
Therefore, for any \((a_1,b_1), (a_2,b_2)\in {{\mathbb {F}}}_{q}^2\backslash \{(0,0)\}\) satisfying \(B_{V_i,(a_1,b_1)}(a_2,b_2)=(0,0)\), \(\mathrm {Im}_{V_i,(a_1,b_1)}=\mathrm {Im}_{V_i,(a_2,b_2)}\) holds and by Lemma 5, we know that the boomerang uniformity of \(V_i\) is 4.
Remark 17
We are aware that Li, Hu, Xiong and Zeng [13] have independently been working on the same problem as in this paper. Their proof techniques differ from those in the earlier version [11] of this paper.
Remark 18
It is worth pointing out that, according to the experimental results obtained with MAGMA for \(q=2^3, 2^5\), the set \(\varGamma \) in Theorem 1 covers all coefficients \(\alpha , \beta \in {\mathbb {F}}_q^*\) that yield permutations \(V_i(x,y)\) with boomerang uniformity 4. We therefore propose the following conjecture and invite interested readers to attack it.
Conjecture 19
Let \(q=2^n\) with n odd, \(\gcd (i,n)=1\) and \(V_i := (R_i(x,y), R_i(y,x))\) with \(R_i(x,y)=(x+\alpha y)^{2^i+1}+\beta y^{2^i+1}\). If \(V_i\) is a permutation over \({{\mathbb {F}}}_q^2\) with boomerang uniformity 4, then the coefficients \(\alpha , \beta \) are taken from the set \(\varGamma \) defined as in (1).
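The experiment behind Remark 18 and Conjecture 19 is an exhaustive search: for every \(\alpha, \beta \in {\mathbb {F}}_q^*\), build \(V_i\) as a lookup table on \({\mathbb {F}}_q^2\), test whether it is a permutation, and compute its boomerang uniformity. The Python below is an added example of that machinery, not the authors' MAGMA code. It computes differential uniformity from the DDT and boomerang uniformity directly from the BCT definition of Cid et al. [7], \(\mathrm{BCT}(a,b)=\#\{x : S^{-1}(S(x)+b)+S^{-1}(S(x+a)+b)=a\}\), by brute force. The irreducible polynomials, the encoding of \((x,y)\in {\mathbb {F}}_q^2\) as the integer \(xq+y\), and all function names are my choices; the coefficients \(\alpha,\beta\) used in the demonstration are chosen to exercise the permutation check and are not drawn from \(\varGamma\), whose definition (1) lies outside this section.

```python
"""Brute-force DDT/BCT tools for S-boxes over F_{2^n} and for the closed
butterfly V_i(x,y) = (R_i(x,y), R_i(y,x)) over F_{2^n}^2.
Added example; not the paper's code. Constants below are assumptions."""

# Irreducible polynomials chosen for this example (bit n set = x^n term).
IRRED = {3: 0b1011, 4: 0b10011, 5: 0b100101}   # x^3+x+1, x^4+x+1, x^5+x^2+1


def gf2n_mul(a, b, n, poly):
    """Multiply a*b in F_{2^n} = F_2[x]/(poly), shift-and-add with reduction."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= poly
    return r


def gf2n_pow(a, e, n, poly):
    """Square-and-multiply exponentiation in F_{2^n}."""
    r = 1
    while e:
        if e & 1:
            r = gf2n_mul(r, a, n, poly)
        a = gf2n_mul(a, a, n, poly)
        e >>= 1
    return r


def is_permutation(table):
    return sorted(table) == list(range(len(table)))


def differential_uniformity(table):
    """max over a != 0, b of #{x : S(x) + S(x+a) = b} (the DDT maximum)."""
    m = len(table)
    best = 0
    for a in range(1, m):
        counts = [0] * m
        for x in range(m):
            counts[table[x] ^ table[x ^ a]] += 1
        best = max(best, max(counts))
    return best


def boomerang_uniformity(table):
    """max over a, b != 0 of BCT(a,b) = #{x : S^-1(S(x)+b) + S^-1(S(x+a)+b) = a}.
    Requires a permutation, since the BCT uses S^-1."""
    m = len(table)
    if not is_permutation(table):
        raise ValueError("BCT is defined for permutations only")
    inv = [0] * m
    for x, y in enumerate(table):
        inv[y] = x
    best = 0
    for a in range(1, m):
        for b in range(1, m):
            cnt = sum(1 for x in range(m)
                      if inv[table[x] ^ b] ^ inv[table[x ^ a] ^ b] == a)
            best = max(best, cnt)
    return best


def power_map(n, e):
    """Lookup table of x -> x^e over F_{2^n} (e = 2^n-2 gives the inverse map)."""
    poly = IRRED[n]
    return [gf2n_pow(x, e, n, poly) for x in range(1 << n)]


def butterfly_closed(n, i, alpha, beta):
    """Table of V_i(x,y) = (R_i(x,y), R_i(y,x)) over F_{2^n}^2, where
    R_i(x,y) = (x + alpha*y)^(2^i+1) + beta*y^(2^i+1); (x,y) is encoded as x*2^n + y."""
    poly = IRRED[n]
    e = (1 << i) + 1
    q = 1 << n

    def R(x, y):
        t = gf2n_pow(x ^ gf2n_mul(alpha, y, n, poly), e, n, poly)
        return t ^ gf2n_mul(beta, gf2n_pow(y, e, n, poly), n, poly)

    return [R(x, y) * q + R(y, x) for x in range(q) for y in range(q)]


def analyse(table):
    """(is_permutation, differential uniformity, boomerang uniformity or None)."""
    perm = is_permutation(table)
    return perm, differential_uniformity(table), boomerang_uniformity(table) if perm else None


if __name__ == "__main__":
    # Reproduce the shape of the Remark 18 experiment for q = 2^3, i = 1
    # (a few seconds in pure Python): list the (alpha, beta) giving a
    # permutation V_1 with boomerang uniformity 4.
    n, i = 3, 1
    for alpha in range(1, 1 << n):
        for beta in range(1, 1 << n):
            perm, du, bu = analyse(butterfly_closed(n, i, alpha, beta))
            if perm and bu == 4:
                print(f"alpha={alpha:#05b} beta={beta:#05b}: delta={du}, boomerang={bu}")
```

The sanity checks worth running before trusting a search like this are the classical ones: over \({\mathbb {F}}_{2^3}\) both the inverse map \(x^6\) and the Gold map \(x^3\) are APN permutations, so differential and boomerang uniformity must both be 2; over \({\mathbb {F}}_{2^4}\) the inverse map \(x^{14}\) is differentially 4-uniform, and its boomerang uniformity cannot be smaller than that. A symmetric choice such as \(\alpha=0,\beta=1\) gives \(V_i(x,y)=V_i(y,x)\), which the permutation check must reject.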
5 Conclusions
In this paper, we applied the butterfly structure to the construction of cryptographically strong permutations. According to numerical results, the open butterfly does not seem to generate permutations with boomerang uniformity 4. Based on an intensive study of the coefficients of \(R_i(x,y)=(x+\alpha y)^{2^i+1}+\beta y^{2^i+1}\), \(\gcd (i,n)=1\), over \({{\mathbb {F}}}_{2^n}\), we provided a sufficient condition on \(\alpha , \beta \) such that \(V_i(x,y)= (R_i(x,y),R_i(y,x))\) is a permutation over \({{\mathbb {F}}}_{2^{2n}}\) with boomerang uniformity 4. Numerical results suggest that the proposed condition is also necessary, and we stated this observation as a conjecture.
References
Boura C., Canteaut A.: On the boomerang uniformity of cryptographic sboxes. IACR Trans. Symm. Cryptol. 2018(3), 290–310 (2018).
Browning K., Dillon J., McQuistan M., Wolfe A.: An APN permutation in dimension six. Finite Fields 518, 33–42 (2010).
Calderini M., Villa I.: On the boomerang uniformity of some permutation polynomials. Cryptogr. Commun. 12, 1161–1178 (2019).
Canteaut A., Duval S., Perrin L.: A generalisation of Dillon’s APN permutation with the best known differential and nonlinear properties for all fields of size \(2^{4k+2}\). IEEE Trans. Inf. Theory 63(11), 7575–7591 (2017).
Canteaut A., Perrin L., Tian S.: If a generalised butterfly is APN then it operates on 6 bits. Cryptogr. Commun. 11, 1147–1164 (2019).
Chabaud F., Vaudenay S.: Links between differential and linear cryptanalysis. Lect. Notes Comput. Sci. 950, 356–365 (1995).
Cid C., Huang T., Peyrin T., Sasaki Y., Song L.: Boomerang connectivity table: A new cryptanalysis tool. Lect. Notes Comput. Sci. 10821, 683–714 (2018).
Fu S., Feng X., Wu B.: Differentially 4-uniform permutations with the best known nonlinearity from butterflies. IACR Trans. Symm. Cryptol. 2017(2), 228–249 (2017).
Lahtonen J.: On the odd and the aperiodic correlation properties of the Kasami sequences. IEEE Trans. Inf. Theory 41(5), 1506–1508 (1995).
Leander G., Poschmann A.: On the classification of 4 bit s-boxes. Lect. Notes Comput. Sci. 4547, 159–176 (2007).
Li K., Li C., Helleseth T., Qu L.: Cryptographically strong permutations from the butterfly structure. arXiv:1912.02640 (2019).
Li K., Qu L., Sun B., Li C.: New results about the boomerang uniformity of permutation polynomials. IEEE Trans. Inf. Theory 65(11), 7542–7553 (2019).
Li N., Hu Z., Xiong M., Zeng X.: 4-uniform BCT permutations from generalized butterfly structure. arXiv:2001.00464 (2020).
Li Y., Tian S., Yu Y., Wang M.: On the generalization of butterfly structure. IACR Trans. Symm. Cryptol. 2018(1), 160–179 (2018).
Lidl R., Mullen G.L., Turnwald G.: Dickson polynomials, vol. 65. Chapman & Hall/CRC, New York (1993).
Mesnager S., Tang C., Xiong M.: On the boomerang uniformity of quadratic permutations. Des. Codes Cryptogr. 88, 2233–2246 (2020).
Nyberg K.: Differentially uniform mappings for cryptography. Lect. Notes Comput. Sci. 765, 55–64 (1994).
Park Y.H., Lee J.B.: Permutation polynomials and group permutation polynomials. Bull. Aust. Math. Soc. 63(1), 67–74 (2001).
Perrin L., Udovenko A., Biryukov A.: Cryptanalysis of a theorem: Decomposing the only known solution to the big APN problem. Lect. Notes Comput. Sci. 9815, 93–122 (2016).
Tian S., Boura C., Perrin L.: Boomerang uniformity of popular S-box constructions. Des. Codes Cryptogr. 88(9), 1959–1989 (2020).
Wang Q.: Cyclotomic mapping permutation polynomials over finite fields. In: Golomb S.W., Gong G., Helleseth T., Song H. (eds.) Sequences, Subsequences, and Consequences. Lect. Notes Comput. Sci. 4893, 119–128 (2007).
Zieve M.: On some permutation polynomials over \({{\mathbb{F}}}_q\) of the form \(x^rh(x^{(q-1)/d})\). Proc. Am. Math. Soc. 137(7), 2209–2216 (2009).
Acknowledgements
We would like to thank the editor and the anonymous referees whose valuable comments and suggestions improve both the technical quality and the editorial quality of this paper.
Communicated by G. Kyureghyan.
The work of Longjiang Qu was supported by the Nature Science Foundation of China (NSFC) under Grants 61722213, 62032009, National Key R&D Program of China (No.2017YFB0802000), and the Open Foundation of State Key Laboratory of Cryptology. The work of Tor Helleseth and Chunlei Li was supported by the Research Council of Norway (No. 247742/O70 and No. 311646/O70). The work of Chunlei Li was also supported in part by the National Natural Science Foundation of China under Grant (No. 61771021). The work of Kangquan Li was supported by China Scholarship Council.
Li, K., Li, C., Helleseth, T. et al. Cryptographically strong permutations from the butterfly structure. Des. Codes Cryptogr. 89, 737–761 (2021). https://doi.org/10.1007/s10623-020-00837-5