1 Introduction

Zero-knowledge (ZK) proof systems were introduced by Goldwasser et al. [14] in 1989. In this system, a prover P convinces a verifier V that a certain statement z is true while keeping some elements of a computation secret. With a ZK protocol, V can verify that the result of this computation is correct without even knowing some of the details of the computation, e.g., its intermediate values or any potentially secret inputs.

Cryptographic hash functions are often used as part of the ZK protocol, e.g., by compressing multiple public inputs to a single hash. Modern cryptographic hash functions such as SHA2, SHA3 and BLAKE are designed over finite fields of even characteristic, while ZK protocols often operate over the prime field \({\mathbb {F}}_p\) for some large prime p. Therefore, efficient hash functions which are designed over \({\mathbb {F}}_p\), for some large prime p, were needed. In view of this, many cryptographic hash functions such as MiMCHash [1], Rescue-Prime [2, 24], Reinforced Concrete [3], Anemoi [5], Poseidon [15] and Grendel [23], to name a few, have been proposed in the literature which operate on the prime field \({\mathbb {F}}_p\) for some large prime p. These cryptographic primitives are called arithmetization-oriented primitives. Except for Anemoi [5] and Grendel [23], all of these primitives use low-degree non-linear functions such as power maps. The non-linear function of Grendel [23] is defined via the Legendre symbol whereas Anemoi [5] is defined via the so-called Flystel structure. As the concept of arithmetization-oriented primitives is new, a rigorous cryptanalysis of such primitives is yet to be done.

One of the main design requirements of an arithmetization-oriented hash function is that it should be efficient in verification. Thus, in order for a function F to be arithmetization-oriented, it is necessary that verifying whether \(y = F(x)\) can be done using few multiplications in a specific field. One way to achieve this is to use a function F such that F(x) can be evaluated using a small number of multiplications. The cryptographic hash functions MiMCHash [1] and Poseidon [15] work in this way, i.e., they use the power map \(x^d,~d \in \{3, 5\}\) as a round function which can be evaluated easily. However, using a low degree round function may imply vulnerability to some algebraic attacks [9]. As a consequence, these algorithms have to use a high number of rounds. To overcome this, the designers of Rescue-Prime [2, 24] adopted a different strategy which was based on the fact that for a permutation F checking \(y=F(x)\) is equivalent to checking \(x=F^{-1}(y)\). The authors chose \(\alpha \in {\mathbb {F}}_p\), where \(\gcd (\alpha , p-1)=1\), in such a way that the evaluation of \(x^{\alpha }\) is efficient and its compositional inverse \(x^{\frac{1}{\alpha }}\) has a very high algebraic degree. It allows them to use \(x^{\alpha }\) for verification and both \(x^{\alpha }\) and \(x^{\frac{1}{\alpha }}\) in their round function. As a consequence, far fewer rounds were needed to prevent algebraic attacks. The designers of Anemoi [5] observed that the idea of using a low degree permutation for the verification purpose (for cheap verification) and its compositional inverse (which is of high algebraic degree) as a round function can be generalised using the so-called CCZ-equivalence [10]. The idea was to use a low degree function for the verification and some permutation of high algebraic degree in its CCZ-class as a round function. In view of this, finding permutations with good cryptographic properties (including a high algebraic degree) that are CCZ-equivalent to functions with a low number of multiplications is an intriguing problem.

In this paper we shall focus on a cryptographic property of functions over finite fields called differential uniformity. Let \({\mathbb {F}}_q\) be the finite field with \(q=p^n\) elements, where p is a prime number and n is a positive integer. We denote by \({\mathbb {F}}_q^*\) the multiplicative cyclic group of nonzero elements of the finite field \({\mathbb {F}}_q\). The ring of polynomials in indeterminate x over \({\mathbb {F}}_q\) is denoted by \({\mathbb {F}}_q[x]\). Let F be a function from the finite field \({\mathbb {F}}_q\) to itself. Using Lagrange’s interpolation formula, F can be uniquely represented by a polynomial in \({\mathbb {F}}_q[x]\) of degree at most \(q-1\). Therefore, throughout this paper we shall use the term function and polynomial for F, interchangeably. A polynomial \(F(x) \in {\mathbb {F}}_q[x]\) is called a permutation polynomial over \({\mathbb {F}}_q\) if the induced mapping \(x \mapsto F(x)\) is a bijection of \({\mathbb {F}}_q\). A function F is called differentially \(\delta \)-uniform if for every \(a \in {\mathbb {F}}_q^*\) and every \(b \in {\mathbb {F}}_q\), the equation \(F(x+a)-F(x)=b\) admits at most \(\delta \) solutions. When used as a substitution box in a block cipher, the differential uniformity of a function F quantifies its resistance against the differential attack (see [21]). The lower the differential uniformity, the higher the immunity of the function against differential attacks. The lowest possible differential uniformity of a function is 1 and in this case we say that the function is perfect nonlinear. Perfect nonlinear functions are commonly known as planar functions, and were first introduced by Dembowski and Ostrom [11] in connection to the study of projective planes. It is well-known that planar functions can never be permutations. 
Therefore, the minimum differential uniformity that a permutation function can have over finite fields of odd characteristic is 2 and such functions are known as almost perfect nonlinear (APN). To the best of our knowledge, a systematic study of APN functions in odd characteristic starts with the seminal work of Helleseth, Rong and Sandberg [16], where the authors gave several infinite classes of APN power maps. These infinite classes of APN power functions were based on the computational results over fields of small orders popularly known as Helleseth-Rong-Sandberg (HRS) tables. The entries in the HRS tables which were not explained in the infinite class of families were the basis of investigation of many infinite families of APN power mappings in characteristic 3 and 5 (see [12, 18, 30, 31]). It is worth mentioning here that all the infinite families of APN power mappings obtained in [12, 18, 30, 31] are in the case of characteristic 3 or 5. Thus, over fields of characteristic \(p\ge 7\), the only known infinite classes of APN power maps are due to Helleseth, Rong and Sandberg [16] (see Table 1).

In [5], the authors gave the following definition of arithmetization-oriented function in terms of CCZ-equivalence: A subfunction is arithmetization-oriented if it is CCZ-equivalent to a function that can be verified efficiently. In this paper, we shall study arithmetization-oriented APN permutations, i.e., those APN permutations over prime fields which are CCZ-equivalent to a function with a low number of multiplications. More precisely, we investigate APN permutations in the CCZ-classes of known families of APN power functions over prime field \({\mathbb {F}}_p\). Moreover, we present a class of binomials having differential uniformity at most 5 defined via the quadratic character over finite fields of odd characteristic. Computationally it is confirmed that the latter family contains new APN functions for some small parameters. We conjecture it to contain an infinite subfamily of APN functions.

The paper is organised in the following way. In Sect. 2, we give a brief survey of APN functions over finite fields of odd characteristic. In Sect. 3, we study different equivalence relations over prime fields and investigate arithmetization-oriented functions in the CCZ-classes of known families of APN power maps. We present a class of binomials having differential uniformity at most 5 over finite field \({\mathbb {F}}_q\), in Sect. 4. Finally, we summarize the paper with an open problem in Sect. 5.

2 Known classes of APN functions in odd characteristic

In the study of the differential uniformity of functions over finite fields, we often classify them with respect to some equivalence relations which preserve the differential uniformity of the functions. It is then sufficient to consider the differential uniformity of a single representative from each equivalence class. Two functions \(F, G:{\mathbb {F}}_q \rightarrow {\mathbb {F}}_q\) are called linear (affine) equivalent if there exist linear (affine) permutations \(A_1, A_2: {\mathbb {F}}_q \rightarrow {\mathbb {F}}_q\) such that \(G = A_2 \circ F \circ A_1\). We say that F and G are extended affine (EA) equivalent if there exist affine permutations \(A_1, A_2: {\mathbb {F}}_q \rightarrow {\mathbb {F}}_q\) and an affine function \(A: {\mathbb {F}}_q \rightarrow {\mathbb {F}}_q\) such that \(G = A_2 \circ F \circ A_1 +A\). The most general equivalence relation, known so far, which preserves the differential uniformity is the Carlet-Charpin-Zinoviev (CCZ) equivalence [10]. Two functions F and G are called CCZ-equivalent if there exists an affine permutation \({{\mathcal {A}}}: {\mathbb {F}}_q \times {\mathbb {F}}_q \rightarrow {\mathbb {F}}_q \times {\mathbb {F}}_q\) which maps the graph \({{\mathcal {G}}}_F:= (x, F(x))\) to the graph \({{\mathcal {G}}}_G:= (x, G(x))\). Thus, we can classify functions over finite fields in CCZ-equivalence classes and then each CCZ-equivalence class can be further classified into EA-equivalent classes. Thus, the CCZ-class of a function F always contains the EA-class of the function F. It is well-known [8] that if F is a permutation then its CCZ-class also contains the EA-class of \(F^{-1}\), the compositional inverse of the function F. This property of CCZ-equivalence motivated the designers of Anemoi [5] to use CCZ-equivalence in the design of arithmetization-oriented functions.

In this section, we give a brief survey of known classes of APN functions, up to CCZ-equivalence, over finite fields of odd characteristic. The simplest kind of functions over finite fields are the monomials \(x^d\), where d is a positive integer. Table 1 gives the known classes of APN power functions \(x^d\) over finite fields \({\mathbb {F}}_{p^n}\) of odd characteristic.

Table 1 Known classes of APN power maps \(x^d\) over \({\mathbb {F}}_{p^n}\), \(p>2\)

We say a class of APN functions F over \({\mathbb {F}}_{p^n}\) is an infinite family of APN functions if either it is APN over \({\mathbb {F}}_{p^n}\) for infinitely many values of n, or it is APN over \({\mathbb {F}}_{p^n}\) for infinitely many primes p. In arithmetization-oriented primitives we are mainly interested in functions which are APN for infinitely many primes p. One may note, from Table 1, that the infinite families of APN power maps \(C_i, 1 \le i \le 6\), given by Helleseth, Rong and Sandberg [16], are the only families of APN power maps which are APN for infinitely many extensions n and infinitely many primes p.

Until 2007, the only known classes of APN functions over finite fields of odd characteristic were power maps. The first infinite class of non-monomial APN functions was a class of APN binomials in characteristic 3 introduced by Ness and Helleseth [20]. More precisely, the authors showed that the binomials

$$\begin{aligned} F(x)=x^{p^n-2}+ux^{\frac{p^n-3}{2}} \in {\mathbb {F}}_{p^n}[x], \end{aligned}$$
(2.1)

where \(p=3,~n \ge 3\) is odd and \(u \in {\mathbb {F}}_{3^n}\) such that \(\chi (u+1)=\chi (u-1)=\chi (u)\), are APN. Here, \(\chi : {\mathbb {F}}_q \rightarrow \{0, 1, -1 \}\) is the quadratic character of the finite field \({\mathbb {F}}_q\) defined as follows:

$$\begin{aligned} \chi (a) = {\left\{ \begin{array}{ll} 0~& ~\text{ if }~ a=0; \\ 1~& ~\text{ if }~ x^2=a~\text{ has } \text{ a } \text{ solution }~x \in {\mathbb {F}}_q; \\ -1~& ~\text{ if }~ x^2=a~\text{ has } \text{ no } \text{ solution }~x \in {\mathbb {F}}_q.\\ \end{array}\right. } \end{aligned}$$

The binomial F is known as the Ness-Helleseth function. Later, Zeng et al. [27] showed that the Ness-Helleseth function F is APN for all \(p^n \equiv 3 \pmod 4\), \(p^n >7\) and \(u \in {\mathbb {F}}_{p^n}\) satisfying either of the following conditions:

$$\begin{aligned} {\left\{ \begin{array}{ll} \chi (u+1)=\chi (u-1)= -\chi (5u+3);~\text{ or }\\ \chi (u+1)=\chi (u-1)= -\chi (5u-3). \end{array}\right. } \end{aligned}$$

The authors also showed that the Ness-Helleseth function is CCZ-inequivalent to all other known APN power functions when \(p\ge 7\).

In 2013, Zha and Hu [28] proposed a method to construct APN functions by modifying only one value of a known PN function. As a result, the authors showed that the binomial \(F(x)=x^{p^n-1}+ux^2\), \(u \in {\mathbb {F}}_{p^n}^*\) over \({\mathbb {F}}_{p^n}\) is APN if and only if

$$\begin{aligned} {\left\{ \begin{array}{ll} \chi (u)=-1~\text{ and }~p^n\equiv 1 \pmod 4;~\text{ or }\\ \chi (u)=1~\text{ and }~p^n\equiv 3 \pmod 4. \end{array}\right. } \end{aligned}$$

By using the idea of some known construction methods of quadratic APN functions over finite fields of even characteristic [4, 7], Zha et al. [29] gave a general construction of APN polynomials of the form

$$\begin{aligned} F(x) = c_{30}x^3+c_{03}x^{3q} + \sum _{i=0}^2 \sum _{j=0}^2 c_{ij}x^{i+qj} \in {\mathbb {F}}_{q^2}[x]. \end{aligned}$$
(2.2)

After APN power maps \(C_1\) and \(C_6\) in Table 1, this was the third class of APN functions over finite field \({\mathbb {F}}_{p^n}\), with n even. The authors also showed that similar to \(C_1\) and \(C_6\) in Table 1, F is also not a permutation. Some non-monomial APN functions in odd characteristic constructed via the switching method can be found in [26].

3 CCZ-equivalence and Arithmetization-oriented APN functions

In this section, we study EA-equivalence and CCZ-equivalence over prime fields. We know that over the finite field \({\mathbb {F}}_p\), affine functions are of the form \(ax+b\), \(a \ne 0\) which are always permutations. Therefore, over prime fields, two functions F and G are EA-equivalent if and only if there exist affine functions \(A_1=a_1x+b_1\), \(A_2=a_2x+b_2\) and \(A_3= a_3x+b_3\) such that

$$\begin{aligned} G = (a_1x+b_1)\circ F(a_2x+b_2) + a_3x+b_3 = a_1F(a_2x+b_2)+a_3x+b_1+b_3, \end{aligned}$$

where \(a_1,a_2 \in {\mathbb {F}}_p^*\). If \(a_3=0=b_3\) then F and G are called affine equivalent. If \(a_3=b_1=b_2=b_3=0\) then F and G are called linear equivalent.

We shall now recall the definition of CCZ-equivalence. Two functions F and G from \({\mathbb {F}}_{p^n}\) to itself are said to be CCZ-equivalent if there exists an affine permutation \({{\mathcal {A}}}\) of \({\mathbb {F}}_{p^n} \times {\mathbb {F}}_{p^n}\) such that

$$\begin{aligned} {{\mathcal {A}}}(\{(x, F(x)), x \in {\mathbb {F}}_{p^n} \})=\{(x, G(x)), x \in {\mathbb {F}}_{p^n} \}. \end{aligned}$$
(3.1)

Let \({{\mathcal {L}}}\) be the linear part of the affine permutation \({{\mathcal {A}}}\). Then [6, Lemma 3.1] shows that the affine permutation \({{\mathcal {A}}}\) simply adds constants to the input and output of the CCZ-equivalent function obtained by applying \({{\mathcal {L}}}\). Thus CCZ-equivalent functions obtained by applying affine permutation \({{\mathcal {A}}}\) and linear permutation \({{\mathcal {L}}}\) are in the same affine class. Therefore, in what follows, we shall always consider \({{\mathcal {A}}}\) to be a linear function and shall denote it by \({{\mathcal {L}}}\). Recall that, any linear function \({{\mathcal {L}}}: {\mathbb {F}}_{p^n} \times {\mathbb {F}}_{p^n} \rightarrow {\mathbb {F}}_{p^n} \times {\mathbb {F}}_{p^n}\) can be described in the following way:

$$\begin{aligned} {{\mathcal {L}}}= \begin{bmatrix} L_1 & L_2\\ L_3 & L_4 \end{bmatrix}, \end{aligned}$$
(3.2)

where \(L_i\) are linear maps over \({\mathbb {F}}_{p^n}\) for \(1 \le i \le 4\), and

$$\begin{aligned} {{\mathcal {L}}}(x,y)= \begin{bmatrix} L_1 & L_2\\ L_3 & L_4 \end{bmatrix}\cdot \begin{bmatrix} x \\ y \end{bmatrix} = (L_1(x)+L_2(y), L_3(x)+L_4(y)). \end{aligned}$$

In general, given a function \(F: {\mathbb {F}}_{p^n} \rightarrow {\mathbb {F}}_{p^n}\) and a linear permutation \({{\mathcal {L}}}\) of \({\mathbb {F}}_{p^n} \times {\mathbb {F}}_{p^n}\), there does not always exist a function G such that Eq. (3.1) holds. Let \(F_1, F_2\) be mappings from \({\mathbb {F}}_{p^n} \rightarrow {\mathbb {F}}_{p^n}\) defined as follows:

$$\begin{aligned} \begin{aligned} F_1 (x) \mapsto L_1(x)+L_2(F(x)),\\ F_2 (x) \mapsto L_3(x)+L_4(F(x)). \end{aligned} \end{aligned}$$

Then it is necessary for G to be well-defined that the mapping \(F_1\) is a permutation. We can then define the function \(G:{\mathbb {F}}_{p^n} \rightarrow {\mathbb {F}}_{p^n}\) as

$$\begin{aligned} G=F_2 \circ F_1^{-1}(x) = L_3(F_1^{-1}(x))+(L_4\circ F)( F_1^{-1}(x)). \end{aligned}$$

It is easy to observe that when \(L_2 =0\), then \(F_1\) is a permutation if and only if the linear function \(L_1\) is a permutation. Let \(L_1^{-1}\) be the compositional inverse of \(L_1\) then \(L_1^{-1}\) is also linear and the function G is given by

$$\begin{aligned} G = (L_4 \circ F +L_3 ) \circ L_1^{-1} = L_4 \circ F \circ L_1^{-1} +L_3 \circ L_1^{-1}. \end{aligned}$$

Thus, G is EA-equivalent to F. Also, one may note that when \(L_1=0\) then \(F_1\) is a permutation if and only if both \(L_2\) and F are permutations of \({\mathbb {F}}_{p^n}\). Let \(L_2\) and F be permutations of \({\mathbb {F}}_{p^n}\) and \(L_2^{-1}\) and \(F^{-1}\) be their compositional inverses, respectively. Then \(F_1^{-1} = F^{-1} \circ L_2^{-1}\), where \(L_2^{-1}\), being the compositional inverse of a linear function, is a linear function. Therefore, G is given by

$$\begin{aligned} G = (L_4 \circ F +L_3 ) \circ ( F^{-1} \circ L_2^{-1}) = L_4 \circ L_2^{-1} +L_3 \circ F^{-1} \circ L_2^{-1}. \end{aligned}$$

Thus, G is EA-equivalent to \(F^{-1}\). From here we see that the CCZ-class of a function F always contains the EA-class of F and the EA-class of \(F^{-1}\) (if the inverse exists) [8].

Another important property of CCZ-equivalence is that it does not preserve the algebraic degree of the function. This was the motivation for the designers of Anemoi [5] to use CCZ-equivalence to construct arithmetization-oriented functions. Let G be a function with a low number of multiplications and suppose it is CCZ-equivalent to a function F whose evaluation involves a larger number of multiplications than G, i.e., there exists a linear function \({{\mathcal {L}}}\) such that \( {{\mathcal {L}}}(\{(x, F(x)), x \in {\mathbb {F}}_{p^n} \})=\{(x, G(x)), x \in {\mathbb {F}}_{p^n} \}\). Then verifying \(y=F(x)\) is equivalent to verifying that \(L_1(x)+L_2(y)= G( L_3(x)+L_4(y))\) which only involves linear functions and G. Arithmetization-oriented primitives designed in recent years such as MiMCHash [1], Rescue-Prime [2, 24], Reinforced Concrete [3] and Poseidon [15] use low-degree non-linear functions such as power maps \(x \mapsto x^d\) with \(d \in \{3,5\}\). The non-linear function of Grendel [23] is defined as \(x^d \cdot \chi (x)\), where \(\chi \) is the quadratic character of the finite field \({\mathbb {F}}_p\) (the authors used the term Legendre symbol for quadratic characters over prime fields). The non-linear function of Anemoi [5] is defined via the Flystel structure which is inspired by the butterfly structure [22] and a Feistel network. It gives a pair of functions called open Flystel and closed Flystel which are CCZ-equivalent to each other. The open Flystel is a permutation whereas the closed Flystel is not necessarily a permutation. In order to provide more choices for the non-linear functions of arithmetization-oriented primitives, we investigate functions over prime fields with the following properties:

  (i) Optimal differential uniformity,

  (ii) Simple algebraic structure,

  (iii) CCZ-equivalent to a permutation with high algebraic degree.

We call such functions arithmetization-oriented APN functions. In the remainder of this section, we investigate permutations in the CCZ-classes of known classes of APN power functions over prime field \({\mathbb {F}}_p\).

It is easy to observe that the linear maps over \({\mathbb {F}}_p\) are of the form \(x \mapsto \alpha x\) for some \(\alpha \in {\mathbb {F}}_p\). Therefore, any linear permutation \({{\mathcal {L}}}: {\mathbb {F}}_p \times {\mathbb {F}}_p \rightarrow {\mathbb {F}}_p \times {\mathbb {F}}_p\) can be represented as

$$\begin{aligned} {{\mathcal {L}}}= \begin{bmatrix} \alpha _1 & \alpha _2\\ \alpha _3 & \alpha _4 \end{bmatrix}, \end{aligned}$$

where \(\alpha _i \in {\mathbb {F}}_p\) for \(1 \le i \le 4\) and \(\alpha _1 \alpha _4 - \alpha _3 \alpha _2 \in {\mathbb {F}}_p^*\). Let \(F(x)=x^d,~d>1\) be a power map over \({\mathbb {F}}_p\). Since the trivial cases \(\alpha _1 \alpha _2 =0\) have already been considered, we shall always assume that \(\alpha _1 \alpha _2 \ne 0\). Notice that when \(F(x)=x^d\) then \(F_1(x)=\alpha _2 x^d + \alpha _1 x\) is a binomial. Also, if \(F_1\) permutes \({\mathbb {F}}_p\) then so does \(\alpha _2^{-1} F_1\). Therefore, without loss of generality, we may assume that \(\alpha _2=1\). Thus, in order to find functions CCZ-equivalent to \(x^d\) but EA-inequivalent to both \(x^d\) and its inverse (if \(x^{\frac{1}{d}}\) exists) over \({\mathbb {F}}_p\), we need to find permutation binomials of the form \(x^d + ax \in {\mathbb {F}}_p[x]\) with \(a \ne 0\). We now recall the following lemma concerning the non-existence of certain types of permutation binomials.

Lemma 3.1

[19, Theorem 1.3] If \(x^m+ax^n\) permutes the prime field \({\mathbb {F}}_p\), where \(m> n > 0\) and \(a \in {\mathbb {F}}_p^*\), then \(\gcd (m-n, p-1) > \sqrt{p}-1\).

The following theorem gives a condition on the exponent d for which the CCZ-class of the power map \(x^d\) contains at most two EA-classes, namely, the EA-class of \(x^d\) and the EA-class of its compositional inverse (if it exists).

Theorem 3.2

Let \(F(x)=x^d\), \(1<d<p\) be a power map over the prime field \({\mathbb {F}}_p\). If \(\gcd (d-1, p-1) \le \sqrt{p} -1\) then for F, the CCZ-equivalence class coincides with the EA-equivalence classes of F and \(F^{-1}\) (if \(F^{-1}\) exists).

Proof

The result follows directly from the previous discussion and Lemma 3.1. \(\square \)

We shall now use Theorem 3.2 to investigate permutations in the CCZ-classes of known classes of APN power maps over \({\mathbb {F}}_p\). We consider \(p>7\) to avoid some extra conditions in certain cases and the cases for \(p=3,5,7\) can be easily verified using SageMath [25]. The following table gives, up to the CCZ-equivalence, the known classes of APN power maps over prime fields \({\mathbb {F}}_p,~p>7\).

Table 2 APN power maps \(x^d\) over \({\mathbb {F}}_p,~p>7\)

The following theorem shows that for all the APN power maps in Table 2, the CCZ-equivalence class coincides with the EA-equivalence class, if \(x^d\) is not a permutation; and contains exactly two EA-classes, namely, the EA-class of \(x^d\) and the EA-class of its compositional inverse, if \(x^d\) is a permutation.

Theorem 3.3

Let \(F(x)=x^d\) be an APN power map given in Table 2. Then, the CCZ-class of \(x^d\)

  (i) coincides with the EA-class of \(x^d\) if \(\gcd (d, p-1) >1\),

  (ii) consists of exactly two EA-classes, namely, EA-class of \(x^d\) and EA-class of \(x^{\frac{1}{d}}\), if \(\gcd (d, p-1)=1\).

Proof

From Theorem 3.2, we know that if \(\gcd (d-1, p-1) \le \sqrt{p} -1\) then for the power map \(x^d\), the CCZ-equivalence class consists of the EA-equivalence class of \(x^d\) and the EA-equivalence class of \(x^{\frac{1}{d}}\), (if it exists). Now, we show that in all the five classes given in Table 2, \(\gcd (d-1, p-1) \le \sqrt{p} -1\).

Case 1 \(d=3\). In this case \(\gcd (d-1,p-1) = \gcd (2,p-1)=2 < \sqrt{p} -1\) for all \(p>7\).

Case 2 \(d=p-2\) and \(p \equiv 2 \pmod 3\). In this case

$$\begin{aligned} \gcd (d-1,p-1) = \gcd (p-3,p-1) = \gcd (2,p-1)=2< \sqrt{p} -1, \end{aligned}$$

for all \(p>7\).

Case 3 \(\displaystyle d= \frac{p-3}{2}\) and \(p \equiv 3~\text{ or }~7 \pmod {20}\). It is easy to observe that since \(p \equiv 3~\text{ or }~7 \pmod {20}\), we have \(p \equiv 3 \pmod 4\) and hence \(p-5 \equiv 2 \pmod 4\) and \(p-1 \equiv 2 \pmod 4\) which further implies that \(\gcd (p-5, p-1) = \gcd (4, p-1) = 2\). Therefore,

$$\begin{aligned} \gcd (d-1,p-1) =\gcd \left( \frac{p-5}{2}, p-1 \right) =1< \sqrt{p} -1, \end{aligned}$$

for all \(p>7\) and the second last equality holds as \(\displaystyle \frac{p-5}{2}\) is odd.

Case 4 \(\displaystyle d= \frac{3p-1}{4}\) and \(p \equiv 3 \pmod {8}\). Notice that, since \(p \equiv 3 \pmod {8}\), we have \(p -1 \equiv 2 \pmod 8\) and \(3p-5 \equiv 4 \pmod 8\). Hence, \(\gcd (3p-5, p-1) = \gcd (2(p-2), p-1) = 2\). Therefore,

$$\begin{aligned} \gcd (d-1,p-1) =\gcd \left( \frac{3p-5}{4}, p-1 \right) =1< \sqrt{p} -1, \end{aligned}$$

for all \(p>7\) and the second last equality holds as \(\displaystyle \frac{3p-5}{4}\) is odd.

Case 5 \(\displaystyle d= \frac{p+1}{4}\) and \(p \equiv 7 \pmod {8}\). One may note that, since \(p \equiv 7 \pmod {8}\), we have \(p -1 \equiv 6 \pmod 8\) and \(p-3 \equiv 4 \pmod 8\). Hence, \(\gcd (p-3, p-1) = \gcd (2, p-1) = 2\). Therefore,

$$\begin{aligned} \gcd (d-1,p-1) =\gcd \left( \frac{p-3}{4}, p-1 \right) =1 < \sqrt{p} -1, \end{aligned}$$

for all \(p>7\) and the second last equality holds as \(\displaystyle \frac{p-3}{4}\) is odd. \(\square \)

A well-known strategy for finding APN permutations is to start with any non-permutation APN function and then find a permutation in its CCZ-class. The following theorem gives a list of all APN permutations that can be obtained from the CCZ-classes of APN power maps given in Table 2.

Theorem 3.4

Let \(F(x)=x^d\) be an APN power map given in Table 2 and let G be a function CCZ-equivalent to F. Then G is a permutation if and only if \(p\equiv 2 \pmod 3\) and either

  (i) G is affine equivalent to \(x^3\); or

  (ii) G is affine equivalent to \(x^{\frac{2p-1}{3}}\); or

  (iii) G is affine equivalent to \(x^{p-2}\).

Proof

Let \(\gcd (d, p-1)>1\), where d is an exponent given in Table 2. Then, from Theorem 3.3, the CCZ-class of \(x^d\) is the same as the EA-class of \(x^d\). Let G be a function which is EA-equivalent to \(x^d\) then G will be of the form \(G(x)=a'(ax+b)^d+b'x+c\), where \(aa' \ne 0\). Also, notice that G(x) is a permutation polynomial if and only if its affine equivalent polynomial \(G'(x)=x^d+b''x\) is a permutation polynomial for some \(b'' \in {\mathbb {F}}_p\). From Theorem 3.3, we have seen that for all the exponents d in Table 2, \(\gcd (d-1, p-1) \le \sqrt{p} -1\) therefore, from Lemma 3.1, \(G'\) is never a permutation for any exponent d in Table 2. Thus, when \(\gcd (d, p-1)>1\) then there is no permutation function in the CCZ-classes of the APN power maps given in Table 2.

Let \(\gcd (d, p-1)=1\), where d is an exponent given in Table 2. Then, from Theorem 3.3, the CCZ-class consists of the EA-classes of \(x^d\) and \(x^{\frac{1}{d}}\). One may note that, in this case, any function that is affine equivalent to \(x^d\) or \(x^{\frac{1}{d}}\) will also be a permutation. Also, it is easy to verify that if \(p \equiv 1 \pmod 3\) then for all the exponents d in Table 2, \(\gcd (d, p-1)>1\) and if \(p \equiv 2 \pmod 3\) then \(d \in \{3, p-2\}\) are the only exponents such that \(\gcd (d, p-1)=1\). Note that the compositional inverse of \(x^3\) is given by \(x^{\frac{2p-1}{3}}\) and the function \(x^{p-2}\) is self-inverse. We now show that any function G that is EA-equivalent but not affine-equivalent to \(x^d\), where \(d \in \{3, \frac{2p-1}{3}, p-2\}\) is not a permutation. This is equivalent to showing that for \(d \in \{3, \frac{2p-1}{3}, p-2\}\), there is no permutation binomial \(x^d+b''x\) with \(b'' \ne 0\). From Lemma 3.1, \(x^d+b''x\) is not a permutation for all \(d \in \{3, \frac{2p-1}{3}, p-2\}\). This completes the proof. \(\square \)

Remark 3.5

Any APN permutation over the prime field \({\mathbb {F}}_p,~p>7\), that is not affine equivalent to \(x^3, x^{\frac{2p-1}{3}}\) or \(x^{p-2}\), is CCZ-inequivalent to all the known APN power functions in odd characteristic.
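The construction of G from \({{\mathcal {L}}}\) and the statement of Theorem 3.4 can be checked exhaustively over a small prime field. The following Python sketch is an added example, not code from the paper; all function names are chosen here, and it uses the row convention of \(F_1\) and \(F_2\) above, so the first coordinate of \({{\mathcal {L}}}(x,y)\) is the input of G and the verification relation reads \(\alpha _3 x+\alpha _4 y = G(\alpha _1 x+\alpha _2 y)\).

```python
from itertools import product
from math import gcd


def power_map(d, p):
    """Value table of x -> x^d over F_p."""
    return [pow(x, d, p) for x in range(p)]


def hypothesis_holds(d, p):
    """Hypothesis of Theorem 3.2, gcd(d-1, p-1) <= sqrt(p) - 1, in integers."""
    g = gcd(d - 1, p - 1)
    return (g + 1) ** 2 <= p


def exponents_from_proof(p):
    """APN exponents d listed in the five cases of the proof of Theorem 3.3."""
    ds = [3]
    if p % 3 == 2:
        ds.append(p - 2)
    if p % 20 in (3, 7):
        ds.append((p - 3) // 2)
    if p % 8 == 3:
        ds.append((3 * p - 1) // 4)
    if p % 8 == 7:
        ds.append((p + 1) // 4)
    return ds


def ccz_image(F, L, p):
    """Apply L = (a1, a2, a3, a4) to the graph of F (given as a value table).

    F1(x) = a1*x + a2*F(x) becomes the input and F2(x) = a3*x + a4*F(x) the
    output. Returns the table of G = F2 o F1^{-1}, or None when F1 is not a
    permutation, in which case the image is not the graph of a function.
    """
    a1, a2, a3, a4 = L
    G = [None] * p
    for x in range(p):
        u = (a1 * x + a2 * F[x]) % p
        if G[u] is not None:      # F1 hits u twice: not injective
            return None
        G[u] = (a3 * x + a4 * F[x]) % p
    return G


def permutations_in_ccz_class(d, p):
    """All permutations G reachable from x^d through an invertible linear L."""
    F = power_map(d, p)
    found = set()
    for L in product(range(p), repeat=4):
        a1, a2, a3, a4 = L
        if (a1 * a4 - a2 * a3) % p == 0:
            continue              # L must be a permutation of F_p x F_p
        G = ccz_image(F, L, p)
        if G is not None and len(set(G)) == p:
            found.add(tuple(G))
    return found


def scaled_power_maps(exponents, p):
    """Tables of c*x^e for every listed exponent e and every c != 0."""
    return {tuple(c * pow(x, e, p) % p for x in range(p))
            for e in exponents for c in range(1, p)}


def holds_on_graph(x, y, L, G, p):
    """Check y = F(x) using only L and G: a3*x + a4*y == G(a1*x + a2*y)."""
    a1, a2, a3, a4 = L
    return (a3 * x + a4 * y) % p == G[(a1 * x + a2 * y) % p]


if __name__ == "__main__":
    p = 11                        # p > 7 and p = 2 (mod 3), so x^3 permutes F_p
    perms = permutations_in_ccz_class(3, p)
    print("permutations in the CCZ-class of x^3 over F_11:", len(perms))
    print("all of the form c*x^3 or c*x^7:",
          perms == scaled_power_maps((3, (2 * p - 1) // 3), p))
    # High-degree round function F = x^7, checked through the cubic G = x^3.
    F, L = power_map(7, p), (0, 1, 1, 0)
    G = ccz_image(F, L, p)
    print("G is x^3:", G == power_map(3, p))
    print("relation matches y = F(x) everywhere:",
          all(holds_on_graph(x, y, L, G, p) == (y == F[x])
              for x in range(p) for y in range(p)))
```

Since \({{\mathcal {L}}}\) is taken linear, the permutations found are the scalings \(c\,x^3\) and \(c\,x^{7}\) with \(7=\frac{2p-1}{3}\); the affine constants of Theorem 3.4 are not enumerated.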

4 Some new APN and differentially low-uniform functions over \({\mathbb {F}}_q\)

In this section, we present a new infinite class of binomials over finite fields of odd characteristic having differential uniformity at most 5. In [20], Ness and Helleseth introduced a family of APN binomials

$$\begin{aligned} f(x)=x^{p^n-2} +u x^{\frac{p^n-3}{2}} \in {\mathbb {F}}_{p^n}[x], \end{aligned}$$
(4.1)

where \(p=3,~n \ge 3\) is odd and the element \(u \in {\mathbb {F}}_{p^n}^*\) satisfies \(\chi (u+1) = \chi (u-1) = \chi (u)\). Later, Zeng et al. [27] showed that f is APN over \({\mathbb {F}}_{p^n}\), where \(p^n \equiv 3 \pmod 4\), \(p^n \ge 7\) and the element \(u \in {\mathbb {F}}_{p^n}^*\) satisfies

$$\begin{aligned} {\left\{ \begin{array}{ll} \chi (u+1) & = \chi (u-1) = -\chi (5u+3);~\text{ or }\\ \chi (u+1) & = \chi (u-1) = -\chi (5u-3). \end{array}\right. } \end{aligned}$$

In [28], Zha and Hu showed that the binomial \(F(x)=x^{p^n-1}+ux^2\), \(u \in {\mathbb {F}}_{p^n}^*\) over \({\mathbb {F}}_{p^n}\) is APN if and only if

$$\begin{aligned} {\left\{ \begin{array}{ll} \chi (u)=-1~\text{ and }~p^n\equiv 1 \pmod 4;~\text{ or }\\ \chi (u)=1~\text{ and }~p^n\equiv 3 \pmod 4. \end{array}\right. } \end{aligned}$$

We performed a computer search for all the APN binomials of the form \(x^{d_2}+ux^{d_1}\) over prime field \({\mathbb {F}}_p\) for \(5 \le p \le 97\). In Table 3, we have listed all the values of \(D=(d_2, d_1)\) for which binomial \(x^{d_2}+ux^{d_1}\) is APN over prime field \({\mathbb {F}}_p\) for some \(u \in {\mathbb {F}}_p^*\). Here, \(D_1= (3,2)\), \(D_2= (p^n-1,2)\), \(D_3= \left( p^n-2, \frac{p^n-3}{2} \right) \), \(D_4= \left( \frac{p^n+3}{2}, 2\right) \) and \(D= (d_2,d_1)\). We give necessary and sufficient conditions on \(u \in {\mathbb {F}}_p^*\) for which binomials corresponding to \(D_1\) are APN in Remark 4.1. One may note that the class of APN binomials corresponding to \(D_2\) and \(D_3\) are the binomials given by Zha and Hu [28] and the generalised Ness-Helleseth function, respectively. For the class of binomials corresponding to \(D_4\), we have proved in Theorem 4.2 that its differential uniformity is \(\le 5\). We leave open the problem of explicitly finding conditions on u and p for which the binomial corresponding to \(D_4\) is APN.

Table 3 Exponents \((d_2,d_1)\) for which \(x^{d_2}+ux^{d_1}\) is APN over \({\mathbb {F}}_p\) for some \(u \ne 0\)

The first class of APN binomials, corresponding to \(D_1\), turned out to be EA-equivalent to \(x^3\) as can be seen in the following remark.

Remark 4.1

Let \(p>3\) be an odd prime. Then the binomial \(F(x)=x^3+ux^2\), \(u \in {\mathbb {F}}_{p^n}^*\) is APN over \({\mathbb {F}}_{p^n}\).

Proof

We know that the function \(x^3\) is APN over \({\mathbb {F}}_{p^n}\) for all \(p>3\). Also, notice that

$$\begin{aligned} x^3+ux^2 = \left( x+\frac{u}{3}\right) ^3 -\frac{u^2x}{3}-\frac{u^3}{27}. \end{aligned}$$

Therefore, F is EA-equivalent to \(x^3\) for all \(u \in {\mathbb {F}}_{p^n}^*\) and hence is APN. \(\square \)

The following theorem shows that the binomial corresponding to \(D_4\) has differential uniformity \(\le 5\). The motivation for constructing differentially low-uniform permutations using quadratic characters arises from their application in the nonlinear layers of certain arithmetization-oriented hash functions like Grendel [23]. Quadratic characters are beneficial because they correspond to a high-degree power map, \(\chi (x) = x^{\frac{q-1}{2}}\), which significantly increases the algebraic degree of the function. Additionally, there are efficient algorithms [13] for computing quadratic characters over prime fields, making their evaluation easy.

Theorem 4.2

Let \(p \equiv 3 \pmod 4\) be a prime number and n be an odd positive integer. Then the differential uniformity of the binomial \(F(x)=x^{\frac{p^n+3}{2}}+ux^2\), \(u \in {\mathbb {F}}_{p^n} \backslash \{ 0,1,-1\}\) is less than or equal to 5.

Proof

Recall that the differential uniformity of F is given by the maximum number of solutions of the following equation

$$\begin{aligned} \begin{aligned}&(x+a)^{\frac{p^n+3}{2}}+u(x+a)^2-x^{\frac{p^n+3}{2}}-ux^2 = b \\ \implies&\chi (x+a)(x+a)^2 - \chi (x)x^2 +u((x+a)^2-x^2)=b\\ \implies&(\chi (x+a) - \chi (x))x^2 +(u+\chi (x+a))(2ax+a^2)=b, \end{aligned} \end{aligned} \tag{4.2}$$

where \(a,b \in {\mathbb {F}}_{p^n}\), \(a\ne 0\). We shall now consider three cases, namely, \(x=0\), \(x=-a\) and \(x \not \in \{ 0, -a\}\).

Case 1 Let \(x=0\). In this case Eq. (4.2) reduces to

$$\begin{aligned} (u+\chi (a))a^2=b. \end{aligned}$$

Case 2 Let \(x=-a\). In this case Eq. (4.2) reduces to

$$\begin{aligned} -(u-\chi (a))a^2=b. \end{aligned}$$

Case 3 Let \(x \not \in \{ 0, -a\}\). In this case \(\chi (x+a), \chi (x) \in \{1, -1\}\) and we shall consider four subcases.

Subcase 3.1 Let \(\chi (x+a)=1=\chi (x)\). In this case Eq. (4.2) reduces to \((u+1)(2ax+a^2) = b\), which has a unique solution

$$\begin{aligned} x = \frac{b-(u+1)a^2}{2a(u+1)}. \end{aligned}$$

Notice that this x will be a solution of Eq. (4.2) if and only if

$$\begin{aligned} \chi \left( \frac{b-(u+1)a^2}{2a(u+1)} \right) =1=\chi \left( \frac{b+(u+1)a^2}{2a(u+1)} \right) . \end{aligned}$$

Subcase 3.2 Let \(\chi (x+a)=-1=\chi (x)\). In this case Eq. (4.2) reduces to \((u-1)(2ax+a^2) = b\), which has a unique solution

$$\begin{aligned} x = \frac{b-(u-1)a^2}{2a(u-1)}. \end{aligned}$$

This solution x will be a solution of Eq. (4.2) if and only if

$$\begin{aligned} \chi \left( \frac{b-(u-1)a^2}{2a(u-1)} \right) =-1=\chi \left( \frac{b+(u-1)a^2}{2a(u-1)} \right) . \end{aligned}$$

Subcase 3.3 Let \(\chi (x+a)=-1\) and \(\chi (x)=1\). In this case Eq. (4.2) reduces to

$$\begin{aligned} \begin{aligned}&-2x^2+(u-1)(2ax+a^2) = b\\ \implies&x^2 - a(u-1) x+ \frac{b-(u-1)a^2}{2}=0. \end{aligned} \end{aligned} \tag{4.3}$$

Let \(x_1, x_2\) be the two solutions of Eq. (4.3), then

$$\begin{aligned} x_1x_2 = \frac{b-(u-1)a^2}{2}. \end{aligned}$$

One may note that both \(x_1\) and \(x_2\) can be solutions of Eq. (4.2) only if

$$\begin{aligned} \chi (x_1x_2) = \chi \left( \frac{b-(u-1)a^2}{2}\right) = 1. \end{aligned}$$

It is easy to observe that both \(x_1+a\) and \(x_2+a\) will be a solution of the equation

$$\begin{aligned} x^2 - a(u+1)x + \frac{b+(u+1)a^2}{2}=0, \end{aligned}$$

and hence

$$\begin{aligned} (x_1+a)(x_2+a)= \frac{b+(u+1)a^2}{2}. \end{aligned}$$

Again, both \(x_1\) and \(x_2\) can be solutions of Eq. (4.2) only if

$$\begin{aligned} \chi ((x_1+a)(x_2+a))= \chi \left( \frac{b+(u+1)a^2}{2}\right) =1. \end{aligned}$$

From here we conclude that we can have

$$\begin{aligned} {\left\{ \begin{array}{ll} \text{ at } \text{ most } \text{ two } \text{ solutions } \text{ if }~& ~\chi \left( \frac{b-(u-1)a^2}{2}\right) = 1= \chi \left( \frac{b+(u+1)a^2}{2}\right) ,\\ \text{ at } \text{ most } \text{1 } \text{ solution }~& ~ \text{ otherwise }, \end{array}\right. } \end{aligned}$$

of Eq. (4.2) from this subcase.

Subcase 3.4 Let \(\chi (x+a)=1\) and \(\chi (x)=-1\). In this case Eq. (4.2) reduces to

$$\begin{aligned} \begin{aligned}&2x^2+(u+1)(2ax+a^2) = b\\ \implies&x^2 +a(u+1)x + \frac{-b+(u+1)a^2}{2}=0. \end{aligned} \end{aligned} \tag{4.4}$$

Let \(x_1, x_2\) be the two solutions of Eq. (4.4), then

$$\begin{aligned} x_1x_2 = \frac{-b+(u+1)a^2}{2}. \end{aligned}$$

One may note that both \(x_1\) and \(x_2\) can be solutions of Eq. (4.2) only if

$$\begin{aligned} \chi \left( \frac{b-(u+1)a^2}{2} \right) =-1. \end{aligned}$$

It is easy to observe that \(x_1+a\) and \(x_2+a\) will be solutions of the equation

$$\begin{aligned} x^2 + a(u-1)x + \frac{-b-(u-1)a^2}{2}=0, \end{aligned}$$

and hence

$$\begin{aligned} (x_1+a)(x_2+a)= \frac{-b-(u-1)a^2}{2}. \end{aligned}$$

Again, both \(x_1\) and \(x_2\) can be solutions of Eq. (4.2) only if

$$\begin{aligned} \chi \left( \frac{b+(u-1)a^2}{2} \right) =-1. \end{aligned}$$

From here we conclude that we can have

$$\begin{aligned} {\left\{ \begin{array}{ll} \text{ at } \text{ most } \text{ two } \text{ solutions } \text{ if }~& ~\chi \left( \frac{b-(u+1)a^2}{2} \right) =-1= \chi \left( \frac{b+(u-1)a^2}{2} \right) ,\\ \text{ at } \text{ most } \text{1 } \text{ solution }~& ~ \text{ otherwise }, \end{array}\right. } \end{aligned}$$

of Eq. (4.2) from this subcase.

We shall now consider different possibilities for the number of solutions of Eq. (4.2). Let \((u+\chi (a))a^2=b\). Then \(x=0\) will be a solution of Eq. (4.2) from Case 1. Notice that, in this case, \(x=-a\) can not be a solution of Eq. (4.2), as \(u \ne 0\). Now consider the solution from Subcase 3.1 which is given by

$$\begin{aligned} x = \frac{(\chi (a)-1)a}{2(u+1)} = {\left\{ \begin{array}{ll} 0~& ~\text{ if }~\chi (a)=1,\\ \frac{-a}{(u+1)}~& ~\text{ if }~\chi (a)=-1. \end{array}\right. } \end{aligned}$$

Thus, we have a solution \(\displaystyle x= -\frac{a}{u+1}\) of Eq. (4.2) from the Subcase 3.1 if and only if \(\chi (a)=-1\), \( \chi (u+1)=1\) and \(\chi (u)=-1\). Now consider the solution from the Subcase 3.2, which reduces to

$$\begin{aligned} x = \frac{(\chi (a)+1)a}{2(u-1)}= {\left\{ \begin{array}{ll} \frac{a}{(u-1)}~& ~\text{ if }~\chi (a)=1\\ 0~& ~\text{ if }~\chi (a)=-1. \end{array}\right. } \end{aligned}$$

Thus, we have a solution \(\displaystyle x= \frac{a}{u-1}\) of Eq. (4.2) from the Subcase 3.2 if and only if \(\chi (a)=1\), \( \chi (u-1)=-1\) and \(\chi (u)=1\). Now consider the solutions from Subcase 3.3, i.e., the solutions of the equation

$$\begin{aligned} x^2 - a(u-1) x+ \frac{(\chi (a)+1)a^2}{2}=0. \end{aligned} \tag{4.5}$$

We shall now consider two different cases, namely, \(\chi (a)=1\) and \(\chi (a)=-1\). Let \(\chi (a)=1\) then Eq. (4.5) reduces to

$$\begin{aligned} x^2 - a(u-1) x+ a^2=0. \end{aligned}$$

Let \(x_1, x_2\) be the solutions of the above equation. Since \(\chi (x_1x_2) = \chi (a^2)=1\) therefore either both or none from \(x_1, x_2\) will be a solution of Eq. (4.2). It is easy to observe that \(x_1+a\) and \(x_2+a\) will be a solution of the equation

$$\begin{aligned} x^2 - a(u+1)x + (u+1)a^2=0. \end{aligned}$$

Consider \(\chi ((x_1+a)(x_2+a)) = \chi ((u+1)a^2)= \chi (u+1)\). From here, we conclude the following

$$\begin{aligned} {\left\{ \begin{array}{ll} \text{ at } \text{ most } \text{ two } \text{ solutions } \text{ if }~& ~\chi (u+1)=1,\\ 0~& ~ \text{ otherwise }. \end{array}\right. } \end{aligned}$$

Let \(\chi (a)=-1\) then we have only one solution \(x= a(u-1)\) of Eq. (4.5) as \(x \ne 0\). Notice that \(x= a(u-1)\) will also be a solution of Eq. (4.2) if and only if \( \chi (u-1)=-1\) and \(\chi (u)=1\). We shall now consider the solutions from Subcase 3.4 which, in this case, reduces to

$$\begin{aligned} x^2 +a(u+1)x + \frac{(1-\chi (a))a^2}{2}=0. \end{aligned} \tag{4.6}$$

Again, we shall consider two cases, namely, \(\chi (a)=1\) and \(\chi (a)=-1\), respectively. Let \(\chi (a)=1\) then we have only one solution \(x= -a(u+1)\) of Eq. (4.6), as \(x\ne 0\). It is easy to see that this solution will also be a solution of Eq. (4.2) if and only if \( \chi (u+1)=1\) and \(\chi (u)=-1\). Let \(\chi (a)=-1\) then Eq. (4.6) reduces to

$$\begin{aligned} x^2 +a(u+1)x +a^2=0. \end{aligned}$$

Let \(x_1, x_2\) be the solutions of the above equation. Since \(\chi (x_1x_2) = \chi (a^2)=1\) either both or none from \(x_1, x_2\) will be a solution of Eq. (4.2). It is easy to observe that \(x_1+a\) and \(x_2+a\) will be a solution of the equation

$$\begin{aligned} x^2 + a(u-1)x -(u-1)a^2=0. \end{aligned}$$

Consider \(\chi ((x_1+a)(x_2+a)) = \chi (-(u-1)a^2)= -\chi (u-1)\). From here, we conclude the following

$$\begin{aligned} {\left\{ \begin{array}{ll} \text{ at } \text{ most } \text{ two } \text{ solutions } \text{ if }~& ~\chi (u-1)=-1,\\ 0~& ~ \text{ otherwise }. \end{array}\right. } \end{aligned}$$

We summarize the above discussion in the first two rows of Table 4.

Let \((\chi (a)-u)a^2=b\). Then \(x=-a\) will be a solution of Eq. (4.2) from Case 2. We have already seen that \(x=0\) can not be a solution of Eq. (4.2), as \(u \ne 0\). Now consider the solution from Subcase 3.1 which is given by

$$\begin{aligned} x = \frac{(\chi (a)-2u-1)a}{2(u+1)} = {\left\{ \begin{array}{ll} \frac{-ua}{(u+1)}~& ~\text{ if }~\chi (a)=1,\\ -a~& ~\text{ if }~\chi (a)=-1. \end{array}\right. } \end{aligned}$$

Thus, we have a solution \(\displaystyle x= -\frac{ua}{u+1}\) of Eq. (4.2) from the Subcase 3.1 if and only if \(\chi (a)=1\), \( \chi (u+1)=1\) and \(\chi (u)=-1\). Now consider the solution from the Subcase 3.2, which reduces to

$$\begin{aligned} x = \frac{(\chi (a)-2u+1)a}{2(u-1)}= {\left\{ \begin{array}{ll} -a~& ~\text{ if }~\chi (a)=1,\\ \frac{-ua}{(u-1)}~& ~\text{ if }~\chi (a)=-1. \end{array}\right. } \end{aligned}$$

Thus, we have a solution \(\displaystyle x= \frac{-ua}{u-1}\) of Eq. (4.2) from the Subcase 3.2 if and only if \(\chi (a)=-1\), \( \chi (u-1)=-1\) and \(\chi (u)=1\). Now consider the solutions from Subcase 3.3, i.e., the solutions of the equation

$$\begin{aligned} x^2 - a(u-1) x+ \frac{(\chi (a)-2u+1)a^2}{2}=0. \end{aligned} \tag{4.7}$$

We shall now consider two different cases, namely, \(\chi (a)=1\) and \(\chi (a)=-1\). Let \(\chi (a)=1\) then Eq. (4.7) reduces to

$$\begin{aligned} x^2 - a(u-1) x-(u-1) a^2=0. \end{aligned}$$

Let \(x_1, x_2\) be the solutions of the above equation. Since \(\chi (x_1x_2) = \chi (-(u-1)a^2)=-\chi (u-1)\), we infer the following

$$\begin{aligned} {\left\{ \begin{array}{ll} \text{ at } \text{ most } \text{ two } \text{ solutions } \text{ if }~& ~\chi (u-1)=-1,\\ \text{ at } \text{ most } \text{ one } \text{ solution } \text{ if }~& ~\chi (u-1)=1, \end{array}\right. } \end{aligned}$$

of Eq. (4.2). It is easy to observe that \(x_1+a\) and \(x_2+a\) will be a solution of the equation

$$\begin{aligned} x^2 - a(u+1)x + a^2=0. \end{aligned}$$

Consider \(\chi ((x_1+a)(x_2+a)) = \chi (a^2)= 1\). Therefore, either both \(x_1, x_2\) or none will be a solution of Eq. (4.2). Let \(\chi (a)=-1\) then Eq. (4.7) reduces to

$$\begin{aligned} x^2 - a(u-1) x-ua^2=0. \end{aligned}$$

Let \(x_1, x_2\) be the solutions of the above equation, then \(x_1+a, x_2+a\) will be the solutions of the following equation

$$\begin{aligned} x^2- a(u+1) x=0. \end{aligned}$$

Since \(x_1, x_2 \ne -a\), we have \(x \ne 0\) in the above equation. Therefore, we have \(x_1+a = a(u+1)\). One may note that this \(x_1\) will be a solution of Eq. (4.2) if and only if \(\chi (a(u+1))=-1 \implies \chi (u+1)=1\) and \(\chi (au)=1 \implies \chi (u)=-1\). We shall now consider the solutions from Subcase 3.4 which, in this case, reduces to

$$\begin{aligned} x^2 +a(u+1)x + \frac{(-\chi (a)+2u+1)a^2}{2}=0. \end{aligned} \tag{4.8}$$

Again, we shall consider two cases, namely, \(\chi (a)=1\) and \(\chi (a)=-1\), respectively. Let \(\chi (a)=1\) then Eq. (4.8) reduces to

$$\begin{aligned} x^2 +a(u+1)x + ua^2=0. \end{aligned}$$

Let \(x_1, x_2\) be the solution of the above equation. Then \(x_1+a, x_2+a\) will be the solution of the following equation

$$\begin{aligned} x^2+ a(u-1)x=0. \end{aligned}$$

Since \(x_1, x_2 \ne -a\), we have only one solution \(x_1+a=-a(u-1)\). It is easy to see that \(x_1\) is a solution of Eq. (4.2) if and only if \(\chi (-a(u-1))=1 \implies \chi (u-1)=-1\) and \(\chi (-au)=-1 \implies \chi (u)=1\). Let \(\chi (a)=-1\) then Eq. (4.8) reduces to

$$\begin{aligned} x^2 +a(u+1)x +(u+1)a^2=0. \end{aligned}$$

Let \(x_1, x_2\) be the solutions of the above equation. Since \(\chi (x_1x_2) = \chi ((u+1)a^2)= \chi (u+1)\), we have

$$\begin{aligned} {\left\{ \begin{array}{ll} \text{ at } \text{ most } \text{ two } \text{ solutions } \text{ if }~& ~\chi (u+1)=1,\\ \text{ at } \text{ most } \text{ one } \text{ solution } \text{ if }~& ~\chi (u+1)=-1, \end{array}\right. } \end{aligned}$$

of Eq. (4.2). It is easy to observe that \(x_1+a\) and \(x_2+a\) will be a solution of the equation

$$\begin{aligned} x^2 + a(u-1)x +a^2=0. \end{aligned}$$

Since \(\chi ((x_1+a)(x_2+a)) = \chi (a^2)= 1\), either both or none from \(x_1, x_2\) will be a solution of Eq. (4.2). We summarize the above discussion in the third and fourth row of Table 4.

Let \((a,b) \in {\mathbb {F}}_{p^n}^* \times {\mathbb {F}}_{p^n}\) with \(b \ne \pm (u \pm 1)a^2\); then we do not have solutions from Case 1 and Case 2. Now suppose we have a solution from Subcase 3.1; then we have

$$\begin{aligned} \chi \left( \frac{b-(u+1)a^2}{2a(u+1)} \right) = 1 = \chi \left( \frac{b+(u+1)a^2}{2a(u+1)} \right) . \end{aligned} \tag{4.9}$$

If we have a solution from Subcase 3.2, then we have

$$\begin{aligned} \chi \left( \frac{b-(u-1)a^2}{2a(u-1)} \right) = -1 = \chi \left( \frac{b+(u-1)a^2}{2a(u-1)}\right) . \end{aligned} \tag{4.10}$$

We now show that for any fixed \((a,b) \in {\mathbb {F}}_{p^n}^* \times {\mathbb {F}}_{p^n}\), if we have a solution from Subcase 3.1 and a solution from Subcase 3.2 simultaneously, then the "at most two solutions" conditions of Subcase 3.3 and Subcase 3.4 cannot both hold. Assume that for some fixed \((a,b) \in {\mathbb {F}}_{p^n}^* \times {\mathbb {F}}_{p^n}\), we have solutions from Subcases 3.1 and 3.2 simultaneously, i.e., both Eqs. (4.9) and (4.10) hold. Now, we have at most two solutions from the Subcase 3.3 only if

$$\begin{aligned}&~\chi \left( \frac{b-(u-1)a^2}{2}\right) = 1= \chi \left( \frac{b+(u+1)a^2}{2}\right) \\ \implies&~\chi \left( \frac{b-(u-1)a^2}{2a (u-1)}\right) \chi (a (u-1))= 1= \chi \left( \frac{b+(u+1)a^2}{2a(u+1)} \right) \chi (a(u+1)) \\ \implies&~ - \chi (a (u-1))= 1= \chi (a(u+1)). \end{aligned} \tag{4.11}$$

Similarly, we have at most two solutions from the Subcase 3.4 only if

$$\begin{aligned}&~\chi \left( \frac{b-(u+1)a^2}{2} \right) =-1= \chi \left( \frac{b+(u-1)a^2}{2} \right) \\ \implies&~\chi \left( \frac{b-(u+1)a^2}{2a (u+1)}\right) \chi (a (u+1))= -1= \chi \left( \frac{b+(u-1)a^2}{2a(u-1)} \right) \chi (a(u-1)) \\ \implies&~ \chi (a (u+1))= -1= - \chi (a(u-1)). \end{aligned} \tag{4.12}$$

It is easy to observe that for any fixed u and a, Eqs. (4.11) and (4.12) can not hold simultaneously. We summarize the above discussion in the last four rows of Table 4. \(\square \)

Table 4 Number of solutions from different cases and subcases related to Theorem 4.2

Remark 4.3

From [17, Theorem 4.7], the binomial in Theorem 4.2 is a permutation polynomial if and only if \(\chi (u^2-1)=-1\).

The following table lists values for the prime p, positive integer n and variable \(u \in {\mathbb {F}}_{p^n} \backslash \{0,1,-1\}\) for which the binomials \(x^{\frac{p^n+3}{2}}+ux^2\) are APN over \({\mathbb {F}}_{p^n}\) with \(p^n <500\). Here, v denotes the values of u for which \(x^{\frac{p^n+3}{2}}+ux^2\) is also a permutation and g is the default primitive element of the finite field in SageMath.

Table 5 APN binomials of the form \(x^{\frac{p^n+3}{2}}+ux^2\) over \({\mathbb {F}}_{p^n}\) with \(p^n < 500\)

We shall now show that the APN permutations in Table 5 are new. From Theorem 3.4 we know that any APN permutation over the prime field \({\mathbb {F}}_p\) is CCZ-equivalent to a power map \(x^d\) if and only if it is affine equivalent to \(x^3\) or \(x^{\frac{2p-1}{3}}\) or \(x^{p-2}\). Since affine equivalence preserves the algebraic degree and none of the APN permutations in Table 5 has algebraic degree equal to \(3, \frac{2p-1}{3}\) or \(p-2\), we conclude that the APN permutations in Table 5 are CCZ-inequivalent to all the known classes of APN power maps.

In order to show the inequivalence of the binomial permutations in Table 5 with the Ness-Helleseth binomials, we shall use an invariant of CCZ-equivalence, called the differential spectrum. Let F be a function from \({\mathbb {F}}_{p^n}\) to itself having differential uniformity equal to \(\delta \). Let \(0 \le i \le \delta \) and \(w_i = |\{(a,b) \in {\mathbb {F}}_{p^n}^* \times {\mathbb {F}}_{p^n} \mid \Delta _F(a,b)=i \} |\); then the differential spectrum of F, denoted by \(DS_F\), is defined as \(DS_F:= \{w_i >0 \mid 0 \le i \le \delta \}\). For the APN permutations \(x^{11}+ux^2\), \(u \in \{4,15 \}\) over \({\mathbb {F}}_{19}\) the differential spectrum is given by \(\{w_0=108, w_1=126, w_2=108 \}\) and is different from the differential spectrum of all the Ness-Helleseth binomials over \({\mathbb {F}}_{19}\) given in Table 6.

Table 6 Differential spectrum of Ness-Helleseth binomials over \({\mathbb {F}}_{19}\)
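The differential spectrum stated above for \(x^{11}+ux^2\) over \({\mathbb {F}}_{19}\), the permutation criterion of Remark 4.3 and the APN search behind Table 5 can be reproduced over prime fields (\(n=1\)) by brute force. The script below is an added example, not the authors' SageMath code; all function names are assumptions, and it is intended only for small p.

```python
from collections import Counter


def chi(x, p):
    """Quadratic character (Legendre symbol) of x in F_p, p an odd prime."""
    r = pow(x % p, (p - 1) // 2, p)          # r is 0, 1 or p-1
    return -1 if r == p - 1 else r


def binomial_table(p, u):
    """Value table of F(x) = x^((p+3)/2) + u*x^2 = (chi(x) + u) * x^2 over F_p."""
    d = (p + 3) // 2
    return [(pow(x, d, p) + u * x * x) % p for x in range(p)]


def differential_spectrum(table, p):
    """Return {i: w_i} with w_i = #{(a, b), a != 0 : F(x+a) - F(x) = b has i roots}.

    Only entries with w_i > 0 are kept, matching the definition of DS_F.
    """
    spectrum = Counter()
    for a in range(1, p):
        row = Counter((table[(x + a) % p] - table[x]) % p for x in range(p))
        spectrum.update(row.values())         # each b that is hit, by multiplicity
        spectrum[0] += p - len(row)           # values of b that are never hit
    return {i: w for i, w in sorted(spectrum.items()) if w > 0}


def differential_uniformity(table, p):
    """Largest i with w_i > 0."""
    return max(differential_spectrum(table, p))


def is_permutation(table):
    """Direct check that F is a bijection of F_p."""
    return len(set(table)) == len(table)


def permutes_by_remark(p, u):
    """Criterion of Remark 4.3: F is a permutation iff chi(u^2 - 1) = -1."""
    return chi(u * u - 1, p) == -1


def search(p):
    """List (u, is_permutation) for every u giving an APN member of the family."""
    if p % 4 != 3:
        raise ValueError("Theorem 4.2 assumes p = 3 (mod 4)")
    found = []
    for u in range(2, p - 1):                 # u ranges over F_p \ {0, 1, -1}
        table = binomial_table(p, u)
        if differential_uniformity(table, p) == 2:
            found.append((u, is_permutation(table)))
    return found


if __name__ == "__main__":
    p = 19
    for u, perm in search(p):
        spec = differential_spectrum(binomial_table(p, u), p)
        print(f"p={p} u={u} permutation={perm} spectrum={spec}")
```

Because each differential row is tabulated in full, the cost is about \(p^2\) field operations per value of u, which is adequate for the range \(p < 500\) considered here.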

In order to show the inequivalence of the binomial permutations over \({\mathbb {F}}_{23}\) and \({\mathbb {F}}_{31}\) given in Table 5, the differential spectrum strategy does not work. Therefore, we adopted the strategy described before Lemma 3.1. First, we showed that for all the Ness-Helleseth binomials over \({\mathbb {F}}_{23}\) and \({\mathbb {F}}_{31}\), the CCZ-equivalence coincides with the EA-equivalence. Since the EA-equivalence preserves the algebraic degree and the algebraic degrees of the APN permutations over \({\mathbb {F}}_{23}\) and \({\mathbb {F}}_{31}\) in Table 5 are different from the algebraic degrees of the Ness-Helleseth binomials, we conclude that the APN permutations in Table 5 are inequivalent to the Ness-Helleseth binomials.

Based on computational results over fields of small orders we propose the following conjecture.

Conjecture 4.4

The family of binomials given in Theorem 4.2 contains an infinite subfamily of APN permutations.

5 Conclusion

In this paper, we investigated arithmetization-oriented APN permutations. More precisely, we showed that for the known classes of APN power functions over prime fields the CCZ-class consists of the EA-classes of APN power maps and their compositional inverses, if they exist. Moreover, we gave a class of binomials having differential uniformity at most 5 defined via the quadratic character over finite fields of odd characteristic. Experimental results show that these functions are new APN functions for certain values of u and p. We have conjectured that these binomials contain an infinite subfamily of APN permutations. We leave open the problem of explicitly finding conditions on u and p for which the binomial corresponding to \(D_4\) is APN. The APN function cases corresponding to D in the last column of Table 3 correspond to new unclassified cases. We hope that this paper will attract researchers in discrete mathematics to construct new arithmetization-oriented APN permutations.