A matrix approach for constructing quadratic APN functions

Transcription

1 Noname manuscript No (will be inserted by the editor) A matrix approach for constructing quadratic APN functions Yuyin Yu Mingsheng Wang Yongqiang Li Received: date / Accepted: date Abstract We find a correspondence between quadratic APN functions and a special kind of matrices Based on this result, we have developed efficient algorithms to construct quadratic APN functions Up to now, we have found more than 470 classes of new CCZ-inequivalent quadratic APN functions on F 2 7, which is 20 times more than known ones And we also have found more than 1000 classes of new CCZ-inequivalent quadratic APN function on F 2 8 Keywords APN quadratic functions EA-equivalence CCZ-equivalence 1 Introduction Permutations with low differentially uniform are useful in cryptography For example, the Advanced Encryption Standard (AES) [11] chooses a differentially 4 uniform permutation as its S-box In 2009, Dillon et al [3,12,4] found an APN [20] permutation in dimension six, which is the first APN permutation in even dimension Their idea can be summarized as checking whether there is a permutation CCZ-equivalent to the given APN function Thus, if we want to find new APN permutations in even dimensions, we must find new APN functions first An APN function is new if it is CCZ-inequivalent to any known ones For a long time, finding new APN functions is an important topic in cryptography In recent years, most of the new found APN functions are quadratic Related work appeared in [1]-[8], [12]-[17], [23] For a systematic knowledge of APN functions, the readers can turn to [9] Our aim is to find as many new APN functions as possible, especially on F 2 8 Then, we will check wether these new APN functions are CCZ-equivalent to some Y Yu M Wang Y Li State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing , China yuyuyin@163com;mingsheng wang@yahoocomcn;yongqlee@gmailcom Y Yu University of Chinese Academy of Sciences, Beijing, China

2 2 Yuyin Yu et al permutations If some function is CCZ-equivalent to a permutation, then there must exist an APN permutation Our idea results from the following lemma, which is Theorem 23 in [19] Lemma 1 [19] Let {θ 1, θ 2,, θ n } be any given basis of F 2 n over F 2, and let L(x) be linearized polynomial over F 2 n Then there exists a unique vector (β 1, β 2,, β n ) F n 2 n such that n n n L(x) = Tr(θ j x)β j = ( β j θj 2i 1 )x 2i 1 j=1 i=1 j=1 Moreover, let k be an integer such that 0 k n, then dim F2 (Ker(L)) = k if and only if Rank F2 {β 1, β 2,, β n } = n k Based on this lemma, we can build a correspondence between quadratic APN functions and a special kind of matrix Using the nice structure of such matrices we can design some efficient algorithms to construct quadratic APN functions Our main contributions can be concluded as follows We find one to one correspondence between restricted quadratic APN functions and QAMs, and we also list many properties of the QAMs without proof in this paper Based on these properties, we have designed some efficient algorithms to search the new APN functions Up to now, we have found more than 470 new CCZinequivalent APN functions on F 2 7, and more than 1000 new CCZ-inequivalent quadratic APN functions on F 2 8 The number of CCZ-inequivalent quadratic APN functions on F 2 8 is still increasing quickly We have checked all these new APN functions on F 2 8, none of them is CCZ-equivalent to a permutation Our work is just a beginning, we think that more useful results will be obtained in the future 2 Notation Let n be a positive integer, F 2 n be a finite fields with 2 n elements, and F 2 n[x] be the ring of polynomial in variable x Definition 1 A mapping F : F 2 n F 2 n is called differentially δ(f ) uniform if δ(f ) = max # F (a, b), a F 2 n,b F 2 n where F (a, b) = {x F 2 n : F (x+a)+f (x) = b} and # F (a, b) is the cardinality of the set F (a, b) If δ(f ) = 2, we can say that F is APN (Almost perfect nonlinear) Definition 2 Suppose F and F are two functions from F 2 n to F 2 n Then 1) F and F are EA-equivalent (Extended affine equivalent) if F (x) = A 1 (F (A 2 (x))) + A 3 (x), where A 1 and A 2 are affine permutations on F 2 n, and A 3 is an affine function on F 2 n 2) F and F are CCZ-equivalent (Carlet-Charpin-Zinoviev equivalent) if there is an affine permutation which maps G F to G F, where G F = {(x, F (x)) : x F 2 n} is the graph of F, and G F is the graph of F

3 A matrix approach for constructing quadratic APN functions 3 According to Yoshiara s results [21], two quadratic APN functions are CCZ-equivalent if and only if they are EA-equivalent Definition 3 Quadratic functions without linear or constant terms are called restricted quadratic functions in this paper Definition 4 [18] Two bases {α 1,, α n } and {θ 1, θ 2,, θ n } of F 2 n over F 2 are said to be dual basis if for 1 u, j n we have { 0 for u j, Tr(α u θ j ) = 1 for u = j We will use the following convention and notation throughout the paper (i) For positive numbers r, s, F r s 2 denote the space of r s matrices over F n 2 n For a matrix A, A[i] denote the ith row of A, and A[i, j] the (i, j) element of A Moreover, B = Submatrix(A, 1, 1, r, c) denotes the r c submatrix of A which consists of the first r rows and the first c columns (ii) Suppose {α 1, α 2,, α n } is a basis of F 2 n over F 2, and {θ 1, θ 2,, θ n } is its dual basis Let M α F n n 2 and M n θ F n n 2 with M α[i, u] = α n u 2i 1 and M θ [i, u] = θu 2i 1 for 1 u, i n Then MαM t θ = (Tr(α u θ j )) n n for 1 u, j n So MαM t θ = I n, where I n is the identity matrix of size n Thus M 1 θ = Mα t (Mα t is the transpose of M α ) (iii) Let η 1, η 2,, η m be m elements on F 2 n (m, n 1), and B = (η 1, η 2,, η m ) F m 2 n Span(B) = Span(η 1, η 2,, η m ) denotes the subspace spanned by {η 1, η 2,, η m } over F 2 Rank F2 {η 1, η 2,, η m } is the dimension of Span(B) over F 2, which we call the rank of B ( over F 2 ) Suppose η i = n j=1 λ i,jα j for 1 i m, where λ i,j F 2 for all i, j Define a m n matrix Λ = (λ i,j ) m n Then Rank F2 {η 1, η 2,, η m } equals to the rank of Λ Definition 5 Let H = (h u,v ) n n be a n n matrix defined on F 2 n Then the matrix H is called a QAM (quadratic APN matrix) if 1) H is symmetric and the elements in its main diagonal are all zeros; 2) Every nonzero linear combination of the n rows (or columns since H is symmetric) of H has rank n 1 3 The Correspondence between Restricted Quadratic APN Function and QAMs Let F (x) = 1 t<i n c i,t x 2i 1 +2 t 1 F 2 n[x] be a restricted quadratic function, and C F be the n n matrix such that C F [t, i] = C F [i, t] = c i,t for 1 t < i n and C F [i, i] = 0 for 1 i n Given a basis α = {α 1,, α n } for F 2 n over F 2, and let M = M α, Θ = M θ For any restricted quadratic function F (x), let H = M t C F M Then H is a symmetric matrix over F 2 n with main diagonal elements zeros Conversely, for a symmetric matrix H with main diagonal elements all zeros, we can define a unique restricted quadratic function F (x) such that H = M t C F M F (x) is called the quadratic function defined by H relative to the ordered basis α Based on Lemma 1, we can build a one to one correspondence between restricted quadratic APN functions and QAMs

4 4 Yuyin Yu et al Theorem 1 Let F (x) = 1 t<i n c i,t x 2i 1 +2 t 1 F 2 n[x], C F and M be defined as above, and H = M t C F M Then, δ(f ) 2 k if and only if any nonzero linear combination of the n rows of H has rank at least n k In particular, F is APN on F 2 n if and only if H is a QAM Proof Let D a (x) = F (x+a)+f (x)+f (a) Note that D a (x) is a linear polynomial on x, so we have δ(f ) = 2 k if and only if max{dim F2 (Ker(D a )) a F 2n} = k (1) Expanding D a (x) we can get D a (x) = n i 1 ( c i,t a 2t 1 + i=1 t=1 n t=i+1 c t,i a 2t 1 )x 2i 1 (2) {θ 1, θ 2,, θ n } is the given basis of F 2 n, so according to Lemma 1, there exists a unique vector (β 1 (a), β 2 (a),, β n (a)) F n 2 n such that D a (x) = n Tr(θ j x)β j (a) = j=1 i=1 j=1 where β j (a) (1 j n) are some linear polynomials on a By Lemma 1 and (3), we have so n n ( β j (a)θj 2i 1 )x 2i 1, (3) dim F2 (Ker(D a )) = k iff Rank F2 {β 1 (a), β 2 (a),, β n (a)} = n k (4) Hence by (1) and (4), we have δ(f ) = 2 k iff min {Rank F2 {β 1 (a), β 2 (a),, β n (a)}} = n k (5) a F 2 n Comparing (2) with (3), it can be concluded that a 20 β 1 (a) a 21 C F = Θ β 2 (a), β n (a) a 2n 1 β 1 (a) β 2 (a) = Θ 1 C F β n (a) a 2n 1 a 20 a 21 a 2n 1 = M t C F a 20 a 21 a 2n 1 (6) Let a = a 1 α 1 + a 2 α a n α n, where a i F 2 for all 1 i n, thus we have a 20 α 1 α 2 α n a 1 a 1 a 21 α = 1 2 α2 2 αn 2 a 2 = M a 2 α1 2n 1 α2 2n 1 αn 2n 1 a n a n

5 A matrix approach for constructing quadratic APN functions 5 Based on the above results, (6) is equal to β 1 (a) a 1 a 1 β 2 (a) = M t a 2 C F M = H a 2 (7) β n (a) a n a n The rightmost expression of (7) can be understood as a nonzero linear combination of the columns of H, so, based on (5) and (7) we have δ(f ) 2 k iff { any nonzero linear combination of the n columns of H has rank at least n k (8) Note that D a (x) = D a (x + a) So δ(f ) must be even, that is, δ(f ) = 1 will never happen Since H is symmetric, we have δ(f ) = 2 iff { any nonzero linear combination of the n rows of H has rank at least n 1 (9) The matrix H which is associated with F (x) in Theorem 1 is called the matrix of F (x) relative to the ordered basis {α 1,, α n } Note that M is an invertible matrix on F 2 n, so the correspondence between restricted quadratic APN functions and QAMs is one to one It seems that another similar approach have been considered by Knuth and Edel, the readers can turn to Edel s ppt [13] for details Theorem 1 is very useful when we want to study the differential properties of the quadratic functions, and it can be generalized to F p n, where p is any prime and n is a positive integer In this paper, we use only this theorem to study the quadratic APN functions on F 2 n 4 Properties of QAMs We will introduce some properties of the QAMs in this section Let F (x) be a given restricted quadratic function First we should like to inquire what happens to corresponding matrices when the ordered basis is changed Let α = {α 1,, α n } and β = {β 1,, β n } be two ordered bases for F 2 n over F 2 Assume H α and H β are corresponding matrices for F (x) relative to the α, β, respectively How are the matrices H α and H β related? As we know, there is a unique invertible n n matrix P such that (β 1,, β n ) = (α 1,, α n )P Hence we have M β = M α P So we have H β = M t βc F M β = P t H α P Conversely, assume that H, H are two n n symmetric matrices with main diagonal elements all zeros such that H = P t HP for an invertible matrix P over F 2 Let F (x) be the quadratic function defined by H relative to the ordered basis α Let γ = {γ 1,, γ n } be defined by (γ 1,, γ n ) = (α 1,, α n )P Then γ is a basis for F 2 n, and F (x) is also the quadratic function defined by H relative to

6 6 Yuyin Yu et al ordered basis γ Now let F (x) be the quadratic function defined by H relative to α, then how are the functions F (x) and F (x) related? We use the following two theorems to explain this problem and another similar problem Theorem 2 Let H F n n 2n be a symmetric matrix with main diagonal elements all zeros, and P F n n 2 be an invertible matrix Suppose H = P t HP, then the quadratic functions defined by H and H relative to an ordered basis α are EAequivalent Especially, H is a QAM if and only if H is a QAM Theorem 3 Let H = (h u,v ) F n n 2n be a symmetric matrix with main diagonal elements all zeros, and L be a linear permutation on F 2 n Let H = (h u,v) F n n 2 n such that h u,v = L(h u,v ) for all 1 u, v n Then the quadratic functions defined by H and H relative to α are EA-equivalent In particalar, H is a QAM if and only if H is a QAM We get the following results from our experiments, which prove the correctness of Algorithm 1 Lemma 2 Let H F n n 2n be a symmetric matrix with main diagonal elements all zeros Then every nonzero linear combination of the n rows of H has rank at most n 1 Definition 6 Let H F m k 2n (m, k n) H is called proper if every nonzero linear combination of the m rows of H has rank at least k 1 Theorem 4 Let A = (a i,j ) F r c 2 n (1 r < c n) such that a i,j = a j,i and a i,i = 0 for 1 i, j r Let A[, k] be the k-th column of A, and b = c k=1 λ ka[, k], where λ k F 2 for 1 k c Assume t = Rank F2 {b[1], b[2],, b[r]} If A is proper, then we have: i) If (λ r+1,, λ c ) = 0, then t = r 1; ii) If (λ r+1,, λ c ) 0, then t = r According to Theorem 4, we get the following corollary Corollary 1 Let H = (h u,v ) n n be an n n symmetric matrix over F 2 n, and A = Submatrix(H, 1, 1, r, c) Suppose B = A t = Submatrix(H, 1, 1, c, r) Then A is proper implies that B is also proper Corollary 1 is useful in our algorithm for constructing QAMs Our algorithm can be summarized as Guess and determine The basic idea is: every submatrix of a QAM must be proper (See Definition 6) So, if a matrix has a submatrix which is not proper, it cannot be a QAM Based on this corollary, we can exclude some improper candidates in advance when we haven t known the whole values of the matrix We know that every QAM is symmetric So we will know the values of A = Submatrix(H, 1, 1, r, c) and B = A t = Submatrix(H, 1, 1, c, r) at the same time, but according to Corollary 1 We only need to check whether A is proper Thus we can avoid some unnecessary checking in our searching algorithm

7 A matrix approach for constructing quadratic APN functions 7 5 An Algorithm for Constructing QAMs 51 A Problem and the Algorithm In this section, we introduce a problem and next we describe how to construct QAMs through solving this problem Problem 1 Let e i be a vector of length n with e i [i] = 1 and e i [j] = 0 for i j The problem is, how to find x = (x 1,, x n 1 ) F n 1 2n which satisfies λ 1 x λ n 1 x n 1 S λ1 e 1 + +λ n 1 e n 1, (10) for all (λ 1,, λ n 1 ) F n 1 2 \{0}, where S λ1 e 1 + +λ n 1 e n 1 are some subsets of F 2 n (10) consists of 2 n 1 1 conditions, we need to find all the qualified x As a matter of fact, Problem 1 is the core part for constructing QAMs Given an n n QAM matrix H over F 2 n, we wish to reassign the values of the last column of H to get some new QAMs Let A = Submatrix(H, 1, 1, n 1, n 1), it is easy to see that A is proper By Lemma 2, any nonzero linear combination of the n 1 rows of A has rank n 2 ( ) Let c = (x 1,, x n 1 ) t, and H A c = c t We want to choose suitable c 0 to make H a QAM Actually, by Theorem 4 (ii), we need only to choose c = (x 1,, x n 1 ) t to satisfy (10), where S λ1 e 1 + +λ n 1 e n 1 = F 2 n\span(λ 1 A[1] + + λ n 1 A[n 1]) We can shrink S e1 in (10) Let V = Span(A[1, 1], A[1, 2],, A[1, n 1]), in (10), S e1 = F 2 n\v, which equals to (V + a 1 ) (V + a 2 ) (V + a 2 ) for some a i F 2 n, 1 i 3 because of dim(v ) = n 2 Since x 1 S e1, there exists y V such that x 1 = y + a i for some i, ie, a i = x 1 + y Since y V and A[1, 1] = 0, y = λ 2 A[1, 2] + + λ n 1 A[1, n 1] for some λ i F 2, i = 2,, n 1 So we may perform suitable column transformations to change x 1 into a i, and perform the corresponding row transformations to change H [n, 1] into a i Since we consider only to find CCZ-inequivalent functions, so by Theorem 2, we may take S e1 = {a 1, a 2, a 3 } Because in the above transformation, we do not use the first column, therefore based on the same reason as the S e1, we may take S e2 = {b 1,, b l }, where l = 2 n 1 2 n 3 Further, given a QAM H, we may also reassign the values of the last two columns of H to get some new QAMs This can also be reduced to Problem 1, the difference is that we must apply the problem twice Similarly, we can reassign more columns of H, so this method can generate all CCZ-inequivalent quadratic APN functions if we change enough columns In view of the above discussions, an algorithm for solving problem 1 is important for our approach for constructing new quadratic functions In the following, we describe an algorithm for solving Problem 1 Algorithm 1 Step 1 Initialization Given a QAM H over F 2 n, let A=Submatrix(H, 1, 1, n 1, n 1) Let e t F n 1 2 with e t [t] = 1, and e t [j] = 0 for j t Let S(λ 1 1,,λ n 1 ) = F 2 n\span(λ 1A[1] + + λ n 1 A[n 1]) for all (λ 1, λ 2,, λ n 1 ) F n 1 2 \{0} Let i = 1

8 8 Yuyin Yu et al Step 2 For each x i Se i i, do Step 3 Step 3 If i = n 1, then do Step 5, else do Step 4 Step 4 Let H[i, n] = H[n, i] = x i For all (λ i+1,, λ n 1 ) F n 1 i 2 \{0}, define S i+1 λ = Sλ i Sλ e i i, where λ=(0,, 0, λ i+1,, λ n 1 ) F n 1 2 Then let i := i + 1, turn to Step 2 Step 5 Let H[n 1, n] = H[n, n 1] = x n 1, then output H 52 An Example Algorithm 1 is the core part of our program, if we want to find new APN functions on F 2 n for n 8, then we must change the values of a QAM for at least two columns (and rows) We give an example in the following It is well-known that x 3 is a restricted quadratic APN function on F 2 n Let n = 8, g be the default primitive element used in Magma, and C be an 8 8 matrix such that C[1, 2] = C[2, 1] = 1 and C[i, t] = 0 for all the other values Suppose the M defined in Definition 4 is an 8 8 matrix such that M[i, j] = (g 11 ) 2i 1 +2 j 1 for 1 i, j n (Note that {(g 11 ), (g 11 ) 2,, (g 11 ) 2n 1 } is a basis of F 2 8 over F 2 ) Then we can get the corresponding QAM of x 3 : 0 g 34 g 81 g 83 g 170 g 106 g 84 g 17 g 34 0 g 68 g 162 g 166 g 85 g 212 g 168 g 81 g 68 0 g 136 g 69 g 77 g 170 g 169 H = M t CM = g 83 g 162 g g 17 g 138 g 154 g 85 g 170 g 166 g 69 g 17 0 g 34 g 21 g 53 g 106 g 85 g 77 g 138 g 34 0 g 68 g 42 g 84 g 212 g 170 g 154 g 21 g 68 0 g 136 g 17 g 168 g 169 g 85 g 53 g 42 g Reassign the values of the last two columns (and rows), we can get a new QAM 0 g 34 g 81 g 83 g 170 g 106 g 84 1 g 34 0 g 68 g 162 g 166 g 85 g 212 g 233 g 81 g 68 0 g 136 g 69 g 77 g 170 g 165 H = g 83 g 162 g g 17 g 138 g 64 g 68 g 170 g 166 g 69 g 17 0 g 34 g 235 g 250 g 106 g 85 g 77 g 138 g 34 0 g 151 g 81 g 84 g 212 g 170 g 64 g 235 g g g 233 g 165 g 68 g 250 g 81 g The corresponding APN function of H is F (x) = g 145 x g 173 x g 239 x g 141 x g 197 x g 35 x g 92 x g 7 x 96 + g 176 x 80 + g 99 x 72 + g 135 x 68 + g 182 x 66 + g 34 x 65 + g 117 x 48 + g 36 x 40 + g 108 x 36 + g 160 x 34 + g 187 x 33 + g 3 x 24 + g 27 x 20 + g 156 x 18 + g 215 x 17 + g 99 x 12 + g 188 x 10 + g x 9 + g 137 x 6 + g 225 x 5 + g 206 x 3, which is CCZ-inequivalent to x 3 So we have got a new APN functions over F 2 8

9 A matrix approach for constructing quadratic APN functions 9 53 Experimental results We have implemented the algorithm in this paper In this subsection we will report experiment results using our algorithm (i) Dillon [12] listed 18 classes of CCZ-inequivalent APN functions over F 2 7 Edel [16] found a new class of APN function and this list expanded to 19 classes With our method, firstly we can construct a 7 7 QAM H from x 3, then reassign the values H[3, 6], H[3, 7], H[4, 5], H[4, 6], H[4, 7], H[5, 6], H[5, 7] and H[6, 7] (during this process, we must keep H symmetric) Using this idea we can get more than 470 classes of CCZ-inequivalent quadratic APN functions, these functions are all CCZ-inequivalent to the known ones Similar method can be used on F 2 6 According to Edel s results [14], there is only 13 classes of CCZ-inequivalent quadratic APN functions Our program shows that it is only need to change 8 (2 4) elements of a QAM and get all the 13 classes of CCZ-inequivalent quadratic APN functions This method is an early version of our program, which works efficiently on F 2 n for n 7, but when n 8, it becomes very slow (ii) For now, the set model introduced in Problem 1 is the most efficient method for finding new QAMs It should be noted that we must change the last two columns (and rows) of a known QAM to get new QAMs when n 8 Fortunately, Algorithm 1 can be implemented in parallel, and we are running our program in many computers now Up to now, we have found more than 1000 classes of CCZinequivalent quadratic APN functions on F 2 8, and they are all CCZ-inequivalent to the 23 classes of known ones introduced by Dillon [12] and Edel [16] We have checked all these new APN functions with the method introduced in [4], none of them is CCZ-equivalent to a permutation Checking the equivalence of APN functions is equal to check the equivalence of some corresponding codes [3] Our program about checking CCZ-equivalence is based on this result 6 Conclusion We find a one to one correspondence between restricted quadratic APN functions and QAMs Based on this correspondence, we propose the notion of proper matrix The most important part of our algorithm is how to keep the matrix proper during the construction process Algorithm 1 is the core part of our searching program As a matter of fact, we have designed some slower algorithms before Algorithm 1, and the APN functions on F 2 7 are all found by these algorithms There is much redundant calculation in these algorithms, so we omit them We find many properties about QAMs and proper matrices, and we have listed them in section 4 The process of finding these properties is essentially the process of speeding our algorithms Thus, the readers must have a profound understanding of these properties in order to understand Algorithm 1 Up to now, we have constructed more than 470 and 1000 classes of new CCZinequivalent quadratic APN functions on F 2 7 and F 2 8 respectively (See the appendices of [22]) We think our lists are not complete, especially the list on F 2 8, which is far from complete So we will add some new quadratic APN functions in the lists in the future Certainly we will also check whether the new APN functions are CCZ-equivalent to some permutations Our idea is just a beginning Much related

10 10 Yuyin Yu et al work can be done in the future, such as, finding some QAMs whose corresponding functions are APN on F 2 n for infinite many n, generalizing the matrix approach to construct PN functions, and finding better methods to construct QAMs, etc References 1 Bracken C, Byrne E, Markin N, McGuire G: New families of quadratic almost perfect nonlinear trinomials and multinomials Finite Fields and Their Appl, 14, (2008) 2 Bracken C, Byrne E, Markin N, McGuire G: A few more quadratic APN functions Cryptogr Commun, 3, (2011) 3 Browning K, Dillon J F, McQuistan, M: APN polynomials and related codes Special volume of Journal of Combinatorics, Information and System Sciences, honoring the 75-th birthday of Prof DKRay-Chaudhuri, 34, (2009) 4 Browning K, Dillon J F, McQuistan M T, Wolfe A J: An APN permutation in dimension six Contemaray Mathematics, 58, (2010) 5 Budaghyan L, Carlet C, Pott A: New classes of almost bent and almost perfect nonlinear polynomials IEEE Trans Inf Theory, 52, (2006) 6 Budaghyan L, Carlet C: Classes of quadratic APN trinomials and hexanomials and related structures IEEE Trans Inf Theory, 54, (2008) 7 Budaghyan L, Carlet C, Leander G: Constructing new APN functions from known ones Finite Fields and Their Appl, 15, (2009) 8 Budaghyan L, Carlet C, Leander G: Two classes of quadratic APN binomials inequivalent to power functions IEEE Trans Inf Theory, 54, (2008) 9 C Carlet: Vectorial Boolean Functions for Cryptography Chapter of the monography Boolean Models and Methods in Mathematics, Computer Science, and Engineering, Y Crama and P Hammer eds, Cambridge University Press, (2010) 10 Carlet C, Charpin P, Zinoviev V: Codes, bent functions and permutations suitable for DES-like cryptosystems Designs, Codes and Cryptography, 15, (1998) 11 Daemen J, Rijmen V: AES Proposal: Rijndael, (1999), [Online] Available: 12 Dillon J F: APN polynomials: an update Fq9, The 9th International Conference on Finite Fields and Appl, Dublin, Ireland, (2009) 13 Edel Y: Geometrical and combinatorial aspects of APN functions Contact Forum: Coding Theory and Cryptography III, Brussels, (2009) [Online] Available: ls/website2009/abstracts/slidesyvesedelpdf 14 Edel Y: Quadratic APN functions as subspaces of alternating bilinear forms Proceedings of the Contact Forum Coding Theory and Cryptography III, Belgium (2009), (2011) 15 Edel Y, Kyureghyan G, Pott A: A new APN function which is not equivalent to a power mapping IEEE Trans Inf Theory, 52, (2006) 16 Edel Y, Pott A: A new almost perfect nonlinear function which is not quadratic Adv Math Commun 3, (2009) 17 Gold R: Maximal recursive sequences with 3-valued recursive cross-correlation functions IEEE Trans Inf Theory, 14, (1968) 18 Lidl R, Niederreiter H: Finite fields Cambridge, UK: Cambridge Univ Press, 58 (1983) 19 Ling S, Qu L: A note on linearized polynomials and the dimension of their kernels Finite Fields and Their Appl, 18, (2012) 20 Nyberg K, Knudsen L R: Provable security against differential cryptanalysis CRYPTO 92, LCNS 740 Springer-Verlag, Yoshiara S: Equivalences of quadratic APN functions J Algebr Comb, 35, (2012) 22 Yu Y, Wang M, Li Y: A Matrix Approach for Constructing Quadratic APN Functions Cryptology eprint Archive, Report 2013/007, [Online] Available: 23 Zha Z, X Wang: Almost Perfect Nonlinear Power Functions in Odd Characteristic IEEE Trans Inf Theory, 57, (2011)