On Almost Perfect Nonlinear Functions

抄録

A function $F:\mathbb{F}_2^n\ ightarrow \mathbb{F}_2^n$ is almost perfect nonlinear (APN) if, for every a ≠ 0, b in $\mathbb{F}_2^n$, the equation $F(x)+F(x+a)=b$ has at most two solutions in $\mathbb{F}_2^n$. When used as an S-box in a block cipher, it contributes optimally to the resistance to differential cryptanalysis. The function F is almost bent (AB) if the minimum Hamming distance between all its component functions $v\cdot F$, $v\in \F_2^n \setminus \{0\}$ (where “·” denotes any inner product in $\mathbb{F}_2^n $) and all affine Boolean functions on $\mathbb{F}_2^n $ takes the maximal value $2^{n-1}-2^{\frac{n-1}{2}}$. AB functions exist for n odd only and contribute optimally to the resistance to the linear cryptanalysis. Every AB function is APN, and in the n odd case, any quadratic APN function is AB. The APN and AB properties are preserved by affine equivalence: $F\sim F'$ if $F'=A_1\circ F\circ A_2$, where A₁, A₂ are affine permutations. More generally, they are preserved by CCZ-equivalence, that is, affine equivalence of the graphs of $F$: $\{(x,F(x)) \ | \ x\in \F_{2^n}\}$ and of F'. Until recently, the only known constructions of APN and AB functions were CCZ-equivalent to power functions F(x)=x^d over finite fields ($\mathbb{F}_{2^n}$ being identified with $\mathbb{F}_2^n$ and an inner product being x · y = tr(xy) where tr is the trace function). Several recent infinite classes of APN functions have been proved CCZ-inequivalent to power functions. In this paper, we describe the state of the art in the domain and we also present original results. We indicate what are the most important open problems and make some new observations about them. Many results presented are from joint works with Lilya Budaghyan, Gregor Leander and Alexander Pott.