The simplest method for constructing APN polynomials EA-inequivalent to power functions

Transcription

1 The siplest ethod for constructing APN polynoials EA-inequivalent to power functions Lilya Budaghyan Abstract The first APN polynoials EA-inequivalent to power functions have been constructed in [7, 8] by applying CCZ-equivalence to the Gold APN functions. It is a natural question whether it is possible to construct APN polynoials EA-inequivalent to power functions by using only EA-equivalence and inverse transforation on a power APN function: this would be the siplest ethod to construct APN polynoials EA-inequivalent to power functions. In the present paper we prove that the answer to this question is positive. By this ethod we construct a class of APN polynoials EA-inequivalent to power functions. On the other hand it is shown that the APN polynoials fro [7, 8] cannot be obtained by the introduced ethod. Keywords: Affine equivalence, Alost bent, Alost perfect nonlinear, CCZ-equivalence, Differential unifority, Nonlinearity, S-box, Vectorial Boolean function 1 Introduction A function F : F 2 F 2 is called alost perfect nonlinear (APN) if, for every a 0 and every b in F 2, the equation F(x)+F(x+a) = b adits at ost two solutions (it is also called differentially 2-unifor). Vectorial Boolean functions used as S-boxes in block ciphers ust have low differential unifority to allow high resistance to the differential cryptanalysis (see [2, 28]). In this sense APN functions are optial. The notion of APN function is closely connected to the notion of alost bent (AB) function. A function F : F 2 F 2 is called AB if the iniu Haing distance between all the Boolean functions v F, v F 2 \{0}, and all affine Boolean functions on F 2 is axial. AB functions exist for odd only and oppose an optiu resistance to the linear cryptanalysis (see [26, 14]). Besides, every AB function is APN [14], and in the odd case, any quadratic function is APN if and only if it is AB [13]. The APN and AB properties are preserved by soe transforations of functions [13, 28]. If F is an APN (resp. AB) function, A 1, A 2 are affine perutations and A is affine then the Departent of Matheatics, University of Trento, I Povo (Trento), ITALY; e-ail: lilia.b@ail.ru 1

2 function F = A 1 F A 2 + A is also APN (resp. AB); the functions F and F are called extended affine equivalent (EA-equivalent). Another case is the inverse transforation, that is, the inverse of any APN (resp. AB) perutation is APN (resp. AB). Until recently, the only known constructions of APN and AB functions were EA-equivalent to power functions F(x) = x d over finite fields (F 2 being identified with F 2 ). Table 1 gives all known values of exponents d (up to ultiplication by a power of 2 odulo 2 1, and up to taking the inverse when a function is a perutation) such that the power function x d over F 2 is APN. For odd the Gold, Kasai, Welch and Niho APN functions fro Table 1 are also AB (for the proofs of AB property see [10, 11, 21, 22, 24, 28]). Table 1 Known APN power functions x d on F 2. Functions Exponents d Conditions Proven in Gold 2 i + 1 gcd(i, ) = 1 [21, 28] Kasai 2 2i 2 i + 1 gcd(i, ) = 1 [23, 24] Welch 2 t + 3 = 2t + 1 [18] Niho 2 t + 2 t 2 1, t even = 2t + 1 [17] 2 t + 2 3t+1 2 1, t odd Inverse 2 2t 1 = 2t + 1 [1, 28] Dobbertin 2 4t + 2 3t + 2 2t + 2 t 1 = 5t [19] In [13], Carlet, Charpin and Zinoviev introduced an equivalence relation of functions, ore recently called CCZ-equivalence, which corresponds to the affine equivalence of the graphs of functions and preserves APN and AB properties. EA-equivalence is a particular case of CCZ-equivalence and any perutation is CCZ-equivalent to its inverse [13]. In [7, 8], it is proven that CCZ-equivalence is ore general, and applying CCZ-equivalence to the Gold appings classes of APN functions EA-inequivalent to power functions are constructed. These classes are presented in Table 2. When is odd, these functions are also AB. Table 2 Known APN functions EA-inequivalent to power functions on F 2. Functions Conditions Alg. degree 4 x 2i +1 + (x 2i + x + tr(1) + 1)tr(x 2i +1 + xtr(1)) gcd(i, ) = 1 3 divisible by 6 [x + tr /3 (x 2(2i +1) + x 4(2i +1) ) + tr(x)tr /3 (x 2i +1 + x 22i (2 i +1) )] 2i +1 gcd(i, ) = 1 4 n x 2i +1 + tr /n (x 2i +1 ) + x 2i tr /n (x) + x tr /n (x) 2i odd 1 +[tr /n (x) 2i +1 + tr /n (x 2i +1 ) + tr /n (x)] 2 i +1 (x 2 i + tr /n (x) 2i + 1) divisible by n n + 2 +[tr /n (x) 2i +1 + tr /n (x 2i +1 ) + tr /n (x)] 2 i +1 (x + tr/n (x)) gcd(i, ) = 1 2 i These new results on CCZ-equivalence have solved several probles (see [7, 8]) and have also raised soe interesting questions. One of these questions is whether the known 2

3 classes of APN power functions are CCZ-inequivalent. Partly the answer is given in [5]: it is proven that in general the Gold functions are CCZ-inequivalent to the Kasai and Welch functions, and that for different paraeters 1 i, j 1 the Gold functions 2 x 2i +1 and x 2j +1 are CCZ-inequivalent. Another interesting question is the existence of APN polynoials CCZ-inequivalent to power functions. Exaples of APN polynoials CCZ-inequivalent to power functions have been constructed in [20, 16, 27] and infinite classes of such functions in [3, 4, 5, 6]. In the present paper we consider the natural question whether it is possible to construct APN polynoials EA-inequivalent to power functions by applying only EA-equivalence and the inverse transforation on a power APN function. We prove that the answer is positive and construct a class of AB functions EAinequivalent to power functions by applying this ethod to the Gold AB functions. It should be entioned that the functions fro Table 2 cannot be obtained by this ethod. It can be illustrated, for instance, by the fact that for = 5 the functions fro Table 2 and for even the Gold functions are EA-inequivalent to perutations [7, 8, 29], therefore, the inverse transforation cannot be applied in these cases and the ethod fails. 2 Preliinaries Let F 2 be the -diensional vector space over the field F 2. Any function F fro F 2 to itself can be uniquely represented as a polynoial on variables with coefficients in F 2, whose degree with respect to each coordinate is at ost 1: F(x 1,..., x ) = u F 2 c(u) ( i=1 ) x u i i, c(u) F 2. This representation is called the algebraic noral for of F and its degree d (F) the algebraic degree of the function F. Besides, the field F 2 can be identified with F 2 as a vector space. Then, viewed as a function fro this field to itself, F has a unique representation as a univariate polynoial over F 2 of degree saller than 2 : F(x) = 2 1 i=0 c i x i, c i F 2. For any k, 0 k 2 1, the nuber w 2 (k) of the nonzero coefficients k s {0, 1} in the binary expansion 1 s=0 2s k s of k is called the 2-weight of k. The algebraic degree of F is equal to the axiu 2-weight of the exponents i of the polynoial F(x) such that c i 0, that is, d (F) = ax 0 i 1,ci 0 w 2 (i) (see [13]). A function F : F 2 F 2 is linear if and only if F(x) is a linearized polynoial over F 2, that is, 1 i=0 c i x 2i, c i F 2. 3

4 The su of a linear function and a constant is called an affine function. Let F be a function fro F 2 to itself and A 1, A 2 : F 2 F 2 be affine perutations. The functions F and A 1 F A 2 are then called affine equivalent. Affine equivalent functions have the sae algebraic degree (i.e. the algebraic degree is affine invariant). As recalled in Introduction, we say that the functions F and F are extended affine equivalent if F = A 1 F A 2 + A for soe affine perutations A 1, A 2 and an affine function A. If F is not affine, then F and F have again the sae algebraic degree. Two appings F and F fro F 2 to itself are called Carlet-Charpin-Zinoviev equivalent (CCZ-equivalent) if the graphs of F and F, that is, the subsets G F = {(x, F(x)) x F 2 } and G F = {(x, F (x)) x F 2 } of F 2 F 2, are affine equivalent. Hence, F and F are CCZ-equivalent if and only if there exists an affine autoorphis L = (L 1, L 2 ) of F 2 F 2 such that y = F(x) L 2 (x, y) = F (L 1 (x, y)). Note that since L is a perutation then the function L 1 (x, F(x)) has to be a perutation too (see [5]). As shown in [13], EA-equivalence is a particular case of CCZ-equivalence and any perutation is CCZ-equivalent to its inverse. For a function F : F 2 F 2 and any eleents a, b F 2 we denote δ F (a, b) = {x F 2 : F(x + a) + F(x) = b}. F is called a differentially δ-unifor function if ax a F 2,b F 2 δ F (a, b) δ. Note that δ 2 for any function over F 2. Differentially 2-unifor appings are called alost perfect nonlinear. For any function F : F 2 F 2 we denote λ F (a, b) = ( 1) tr(bf(x)+ax), a, b F 2, x F 2 where tr(x) = x + x 2 + x x 2 1 is the trace function fro F 2 into F 2. The set Λ F = {λ F (a, b) : a, b F 2, b 0} is called the Walsh spectru of the function F and the ultiset { λ F (a, b) : a, b F 2 n, b 0} is called the extended Walsh spectru of F. The value N L(F) = ax λ F (a, b) 2 a F 2,b F 2 equals the nonlinearity of the function F. The nonlinearity of any function F satisfies the inequality N L(F) ([14, 30]) and in case of equality F is called alost bent or axiu nonlinear. Obviously, AB functions exist only for n odd. It is proven in [14] that every AB function is APN and its Walsh spectru equals {0, ± }. If is odd, every APN apping which is quadratic (that is, whose algebraic degree equals 2) is AB [13], but this is not true for nonquadratic cases: the Dobbertin and the inverse APN functions are not AB (see [11, 13]). 4

5 When is even, the inverse function x 2 2 is a differentially 4-unifor perutation [28] and has the best known nonlinearity [25], that is (see [11,?]). This function has been chosen as the basic S-box, with = 8, in the Advanced Encryption Standard (AES), see [15]. A coprehensive survey on APN and AB functions can be found in [12]. It is shown in [13] that, if F and G are CCZ-equivalent, then F is APN (resp. AB) if and only if G is APN (resp. AB). More generally, CCZ-equivalent functions have the sae differential unifority and the sae extended Walsh spectru (see [7]). Further invariants for CCZ-equivalence can be found in [20] (see also [16]) in ters of group algebras. 3 The new construction In this section we show that it is possible to construct APN polynoials EA-inequivalent to power functions by applying only EA-equivalence and the inverse transforation on a power APN function. We shall illustrate it on the Gold AB functions and in order to do it we need the following result fro [7, 8]. Proposition 1 ([7, 8]) Let F : F 2 F 2, F(x) = L(x 2i +1 ) + L (x), where gcd(i, ) = 1 and L, L are linear. Then F is a perutation if and only if, for every u 0 in F 2 and every v such that tr(v) = tr(1), the condition L(u 2i +1 v) L (u) holds. Further we use the following notations for any divisor n of tr /n (x) = x + x 2n + x 22n... + x 2n(/n 1), tr n (x) = x + x x 2n 1. Theore 1 Let 9 be odd and divisible by 3. Then the function F (x) = (x 1 2 i +1 + tr/3 (x + x 22i )) 1, with 1 i, gcd(i, ) = 1, is an AB perutation over F 2. The function F EA-inequivalent to the Gold functions and to their inverses, that is, to x 2j +1 and x 1 any 1 j. is 2 j +1 for Proof. To prove that the function F is an AB perutation we only need to show that the function F 1 (x) = x 1 2 i +1 + tr/3 (x + x 22i ) is a perutation. Since the function x 2i +1 is a perutation when is odd and gcd(i, ) = 1 then F 1 is a perutation if and only if the function F(x) = F 1 (x 2i +1 ) = x + tr /3 (x 2i +1 + x 22s (2 i +1) ), with s = i od 3, is a perutation. By Proposition 1 the function F is a perutation if for every v F 2 such that tr(v) = 1 and every u F 2 the condition tr /3(u 2i +1 v+(u 2i +1 v) 22s ) u holds. Obviously, if u / F 2 then tr 3 /3 (u 2i +1 v+(u 2i +1 v) 22s ) u. For any u F 2 the condition tr 3 /3 (u 2i +1 v+ (u 2i +1 v) 22s ) u is equivalent to u 2i +1 tr /3 (v) + (u 2i +1 tr /3 (v)) 22s u. Therefore, F is a 5

6 perutation if for every u, w F 2, tr 3 3 (w) = 1 the condition u 2i +1 w + (u 2i +1 w) 22s u is satisfied. Then F is a perutation if x+x 2i +1 +x 22s (2 i +1) is a perutation on F 2 3 and that was easily checked by a coputer. We have d (x 2i +1 ) = 2 and it is proven in [28] that d (x 1 2 i +1 ) = +1. We show below that d (F ) = 4 for 9. Since the function F has algebraic degree different fro 2 and +1 2 then it is EA-inequivalent to the Gold functions and to their inverses. Since F (x) = F1 1 (x) = [F(x 1 2 i +1 )] 1 = [F 1 ] 2i +1 then to get the representation of the function F we need the representation of the function F 1. The following coputations are helpful to show that F 1 = F F. tr /3 [(x + tr /3 (x 2i +1 + x 22s (2 i +1) )) 2i +1 ] = tr /3 (x 2i +1 ) + tr /3 (x 2s ) tr /3 (x 2i +1 + x 22s (2 i +1) ) since Then + tr /3 (x) tr /3 (x 2i +1 + x 2s (2 i +1) ) + tr /3 (x 2i +1 + x 22s (2 i +1) ) tr /3 (x 2i +1 + x 2s (2 i +1) ), tr /3 ((x 2i +1 + x 22s (2 i +1) ) 2i ) = tr /3 ((x 2i +1 + x 22s (2 i +1) ) 2s ) = tr /3 (x 2s (2 i +1) + x 23s (2 i +1) ) = tr /3 (x 2s (2 i +1) + x 2i +1 ). tr /3 [(x + tr /3 (x 2i +1 + x 22s (2 i +1) )) 2i +1 + (x + tr /3 (x 2i +1 + x 22s (2 i +1) )) 22s (2 i +1) ] = tr /3 (x 2i +1 + x 22s (2 i +1) ) + tr /3 (x 2s ) tr /3 (x 2i +1 + x 22s (2 i +1) ) + tr /3 (x) tr /3 (x 22s (2 i +1) + x 2s (2 i +1) ) + tr /3 (x) tr /3 (x 2i +1 + x 2s (2 i +1) ) + tr /3 (x 22s ) tr /3 (x 22s (2 i +1) + x (2i +1) ) + tr /3 (x 2i +1 + x 22s (2 i +1) ) tr /3 (x 2i +1 + x 2s (2 i +1) ) + tr /3 (x 22s (2 i +1) + x 2s (2 i +1) ) tr /3 (x 22s (2 i +1) + x (2i +1) ) = tr /3 (x 2i +1 + x 22s (2 i +1) ) + tr /3 (x + x 2s + x 22s ) tr /3 (x 2i +1 + x 22s (2 i +1) ) + (tr /3 (x 2i +1 + x 22s (2 i +1) )) 2 = tr /3 (x 2i +1 + x 22s (2 i +1) ) + tr (x) tr /3 (x 2i +1 + x 22s (2 i +1) ) + (tr /3 (x 2i +1 + x 22s (2 i +1) )) 2 and F F(x) = x + tr (x) tr /3 (x 2i +1 + x 22s (2 i +1) ) + (tr /3 (x 2i +1 + x 22s (2 i +1) )) 2 and, since tr (tr /3 (x 2i +1 + x 22s (2 i +1) )) = 0, (F F) F(x) = x + tr /3 (x 2i +1 + x 22s (2 i +1) ) + tr (x)[tr /3 (x 2i +1 + x 22s (2 i +1) ) + tr (x) tr /3 (x 2i +1 + x 22s (2 i +1) ) + (tr /3 (x 2i +1 + x 22s (2 i +1) )) 2 ] + [tr /3 (x 2i +1 + x 22s (2 i +1) ) + tr (x) tr /3 (x 2i +1 + x 22s (2 i +1) ) + (tr /3 (x 2i +1 + x 22s (2 i +1) )) 2 ] 2 = x + tr /3 (x 2i +1 + x 22s (2 i +1) ) + (tr /3 (x 2i +1 + x 22s (2 i +1) )) 2 + (tr /3 (x 2i +1 + x 22s (2 i +1) )) 4 = x + tr 3 (tr /3 (x 2i +1 + x 22s (2 i +1) )) = x + tr (x 2i +1 + x 22s (2 i +1) )) = x. 6 2

7 Therefore, F 1 (x) = F F(x) = x + tr (x) tr /3 (x 2i +1 + x 22s (2 i +1) ) + (tr /3 (x 2i +1 + x 22s (2 i +1) )) 2. Thus, we have F (x) = [F 1 (x)] 2i +1 = [x + tr (x) tr /3 (x 2i +1 + x 22s (2 i +1) ) + (tr /3 (x 2i +1 +x 22s (2 i +1) )) 2 ] 2i +1 = x 2i +1 + tr (x)(tr /3 (x 2i +1 + x 22s (2 i +1) )) 2s +1 +(tr /3 (x 2i +1 + x 22s (2 i +1) )) 2(2s +1) + x 2i tr (x) tr /3 (x 2i +1 + x 22s (2 i +1) ) +x tr (x)(tr /3 (x 2i +1 + x 22s (2 i +1) )) 2s + x 2i tr /3 (x 2(2i +1) + x 22s+1 (2 i +1) ) +x (tr /3 (x 2(2i +1) + x 22s+1 (2 i +1) )) 2s + tr (x)(tr /3 (x 2i +1 + x 22s (2 i +1) )) 2s +2 + tr (x)(tr /3 (x 2i +1 + x 22s (2 i +1) )) 2s+1 +1 = x 2i +1 + (tr /3 (x 2i +1 + x 22s (2 i +1) )) 2(2s +1) +x 2i tr (x)(tr /3 (x 2i +1 + x 22s (2 i +1) ) + x tr (x) tr /3 (x 2i +1 + x 2s (2 i +1) ) +x 2i tr /3 (x 2(2i +1) + x 22s+1 (2 i +1) ) + x tr /3 (x 2(2i +1) + x 2s+1 (2 i +1) ) + tr (x)[(tr /3 (x 2i +1 +x 22s (2 i +1) )) 2s +1 + (tr /3 (x 2i +1 + x 22s (2 i +1) )) 2s +2 + (tr /3 (x 2i +1 + x 22s (2 i +1) )) 2s+1 +1 ]. The only ite in this su which can give algebraic degree greater than 4 is the last ite. We have (tr /3 (x 2i +1 +x 22s (2 i +1) )) 2s +1 +(tr /3 (x 2i +1 +x 22s (2 i +1) )) 2s +2 +(tr /3 (x 2i +1 +x 22s (2 i +1) )) 2s+1 +1 = (tr /3 (x 2i +1 +x 22s (2 i +1) )) 2s +1 +(tr /3 (x 2i +1 +x 22s (2 i +1) )) 4(2s +1) +(tr /3 (x 2i +1 +x 22s (2 i +1) )) 22s, since 2 s+1 +1 = 2 s + 2 = { { 4 if s = 1 12 = 5 (od 2 6 if s = 2, 4(2s + 1) = 3 1) if s = 1 20 = 6 (od 2 3 1) if s = 2, { { 5 if s = 1 4 if s = 1 9 = 2 (od 2 3 1) if s = 2, 22s = 16 = 2 (od 2 3 1) if s = 2. On the other hand, (tr /3 (x 2i +1 + x 22s (2 i +1) )) 2s +1 = tr /3 (x 2i +1 + x 22s (2 i +1) ) tr /3 (x 2i +1 + x 2s (2 i +1) ) = tr /3 (x 2i +1 ) 2 + (tr /3 (x 2i +1 )) 22s +1 + (tr /3 (x 2i +1 )) 2s +1 + (tr /3 (x 2i +1 )) 22s +2 s = (tr /3 (x 2i +1 )) 6 + (tr /3 (x 2i +1 )) 5 + (tr /3 (x 2i +1 )) 3 + (tr /3 (x 2i +1 )) 2 (1) Using (1) we get (tr /3 (x 2i +1 +x 22s (2 i +1) )) 2s +1 +(tr /3 (x 2i +1 +x 22s (2 i +1) )) 4(2s +1) +(tr /3 (x 2i +1 +x 22s (2 i +1) )) 22s = (tr /3 (x 2i +1 )) 6 + (tr /3 (x 2i +1 )) 5 + (tr /3 (x 2i +1 )) 3 + (tr /3 (x 2i +1 )) 2 + [(tr /3 (x 2i +1 )) 3 7

8 +(tr /3 (x 2i +1 )) 6 + (tr /3 (x 2i +1 )) 5 + tr /3 (x 2i +1 )] + (tr /3 (x 2i +1 )) 2 + (tr /3 (x 2i +1 )) 4 = tr /3 (x 2i +1 ) + (tr /3 (x 2i +1 )) 4. Hence, applying (1) and (2) we get (2) F (x) = x 2i +1 + [(tr /3 (x 2i +1 )) 6 + (tr /3 (x 2i +1 )) 5 + (tr /3 (x 2i +1 )) 3 + (tr /3 (x 2i +1 )) 2 ] 2 +x 2i tr (x) tr /3 (x 2i +1 + x 22s (2 i +1) ) + x tr (x) tr /3 (x 2i +1 + x 2s (2 i +1) ) +x 2i tr /3 (x 2(2i +1) + x 22s+1 (2 i +1) ) + x tr /3 (x 2(2i +1) + x 2s+1 (2 i +1) ) + tr (x)[tr /3 (x 2i +1 ) + (tr /3 (x 2i +1 )) 4 ] = x 2i +1 + (tr /3 (x 2i +1 )) 6 + (tr /3 (x 2i +1 )) 5 +(tr /3 (x 2i +1 )) 3 + (tr /3 (x 2i +1 )) 4 + x 2i tr (x) tr /3 (x 2i +1 + x 22s (2 i +1) ) +x tr (x) tr /3 (x 2i +1 + x 2s (2 i +1) ) + x 2i tr /3 (x 2(2i +1) + x 22s+1 (2 i +1) ) +x tr /3 (x 2(2i +1) + x 2s+1 (2 i +1) ) + tr (x) tr /3 (x 2i +1 + x 4(2i +1) ). Below we consider all ites in the su presenting the function F which ay give the algebraic degree 4: [(tr /3 (x 2i +1 )) 6 + (tr /3 (x 2i +1 )) 5 + (tr /3 (x 2i +1 )) 3 ] +[x 2i tr (x)(tr /3 (x 2i +1 + x 22s (2 i +1) ) + x tr (x)(tr /3 (x 2i +1 + x 2s (2 i +1) )]. For siplicity we take i = 1. Obviously, all the ites in the second bracket of the algebraic degree 4 have the for x 2j +2 k +2 l +2 r, where r < l < k < j 1, r 1. Therefore, if we find an ite of algebraic degree 4 in the first bracket of the for x 2j +2 k +2 l +2 r, where 2 r < l < k < j 1, which does not cancel, then this ite does not vanish in the whole su. We have tr /3 (x 3 ) = x x x x = (tr /3 (x 3 )) 2 = x x x x = (tr /3 (x 3 )) 4 = x x x x = (tr /3 (x 3 )) 3 = (tr /3 (x 3 )) 2 tr /3 (x 3 ) = (tr /3 (x 3 )) 5 = 3 2 j=0 x 23k k, x 23k k+1, 3 2 x 23k k+2 + x , x 23k k +2 3i i+1, (3) i, x 23j j k k + x k k, (4) 8

9 (tr /3 (x 3 )) 6 = 3 2 j=0 x 23j j k k+1 + x k k+1. (5) Note that all exponents of weight 4 in (3)-(5) are saller than 2. If 9 then it is obvious that the ite x does not vanish in (4) and it definitely differs fro all ites in (3) and (5). Hence, the function F has the algebraic degree 4 when 9 and that copletes the proof of the theore. It is proven in [5] that the Gold functions are CCZ-inequivalent to the Welch function for all 9. Therefore, the function F of Theore 1 is CCZ-inequivalent to the Welch function. Further, the inverse and the Dobbertin APN functions are not AB (see [13, 11]) and, therefore, the AB function F is CCZ-inequivalent to the. The algebraic degree of the Kasai function x 4i 2 i +1, 2 i n 1, gcd(i, ) = 1, is equal to i + 1. Thus, its 2 algebraic degree equals 4 if and only if i = 3. Since the function F is defined only for divisible by 3 then for i = 3 we would have gcd(i, ) 1. On the other hand, if Gold and Kasai functions are CCZ-equivalent then it follows fro the proof of Theore 5 of [5] that the Gold function is EA-equivalent to the inverse of the Kasai function which ust be quadratic in this case. Thus, if F was EA-equivalent to the inverse of a Kasai function then F would be quadratic. Thus, F cannot be EA-equivalent to the Kasai functions or to their inverses. Proposition 2 The function of Theore 1 is EA-inequivalent to the Welch, Kasai, inverse, Dobbertin functions and to their inverses. For = 2t + 1 the Niho function has the algebraic degree t + 1 if t is odd and the algebraic degree (t + 2)/2 if t is even. Therefore, its algebraic degree equals 4 if and only if = 7, 13. Proposition 3 The function of Theore 1 is EA-inequivalent to the Niho function. We do not have a general proof of EA-inequivalence of F and the inverse of the Niho function but for = 9 the Niho function coincides with the Welch functions and therefore its inverse cannot be EA-equivalent to the function F. Thus, for = 9 the function F is EA-inequivalent to any power function. Corollary 1 For = 9 the function of Theore 1 is EA-inequivalent to any power function. When is odd and divisible by 3 the APN functions fro Table 2 have the algebraic degree different fro 4. Thus we get the following proposition. Proposition 4 The function of Theore 1 is EA-inequivalent to any APN function fro Table 2. 9

10 Acknowledgents We would like to thank Claude Carlet for any valuable discussions and for detailed and insightful coents on the several drafts of this paper. The ain part of this work was carried out while the author was with Otto-von-Guericke University Magdeburg and the research was supported by the State of Saxony Anhalt, Gerany. References [1] T. Beth and C. Ding. On alost perfect nonlinear perutations. Advances in Cryptology-EUROCRYPT 93, Lecture Notes in Coputer Science, 765, Springer- Verlag, New York, pp , [2] E. Biha and A. Shair. Differential Cryptanalysis of DES-like Cryptosystes. Journal of Cryptology, vol. 4, No.1, pp. 3-72, [3] L. Budaghyan, C. Carlet, G. Leander. Constructing new APN functions fro known ones. Preprint, [4] L. Budaghyan, C. Carlet, G. Leander. Another class of quadratic APN binoials over F 2 n: the case n divisible by 4. Subitted to the Workshop on Coding and Cryptography 2007, available at [5] L. Budaghyan, C. Carlet, G. Leander. A class of quadratic APN binoials inequivalent to power functions. Subitted to IEEE Trans. Infor. Theory, available at [6] L. Budaghyan, C. Carlet, P. Felke, G. Leander. An infinite class of quadratic APN functions which are not equivalent to power appings. Proceedings of the IEEE International Syposiu on Inforation Theory 2006, Seattle, USA, Jul [7] L. Budaghyan, C. Carlet, A. Pott. New Classes of Alost Bent and Alost Perfect Nonlinear Functions. IEEE Trans. Infor. Theory, vol. 52, no. 3, pp , March [8] L. Budaghyan, C. Carlet, A. Pott. New Constructions of Alost Bent and Alost Perfect Nonlinear Functions. Proceedings of the Workshop on Coding and Cryptography 2005, P. Charpin and Ø. Ytrehus eds, pp , [9] A. Canteaut, P. Charpin and H. Dobbertin. A new characterization of alost bent functions. Fast Software Encryption 99, LNCS 1636, L. Knudsen edt, pp Springer-Verlag, [10] A. Canteaut, P. Charpin and H. Dobbertin. Binary -sequences with three-valued crosscorrelation: A proof of Welch s conjecture. IEEE Trans. Infor. Theory, 46 (1), pp. 4-8,

11 [11] A. Canteaut, P. Charpin, H. Dobbertin. Weight divisibility of cyclic codes, highly nonlinear functions on F 2, and crosscorrelation of axiu-length sequences. SIAM Journal on Discrete Matheatics, 13(1), pp , [12] C. Carlet. Vectorial (ulti-output) Boolean Functions for Cryptography. Chapter of the onography Boolean Methods and Models, Y. Craa and P. Haer eds, Cabridge University Press, to appear soon. Preliinary version available at [13] C. Carlet, P. Charpin and V. Zinoviev. Codes, bent functions and perutations suitable for DES-like cryptosystes. Designs, Codes and Cryptography, 15(2), pp , [14] F. Chabaud and S. Vaudenay. Links between differential and linear cryptanalysis, Advances in Cryptology -EUROCRYPT 94, LNCS, Springer-Verlag, New York, 950, pp , [15] J. Daeen and V. Rijen. AES proposal: Rijndael [16] J. F. Dillon. APN Polynoials and Related Codes. Polynoials over Finite Fields and Applications, Banff International Research Station, Nov [17] H. Dobbertin. Alost perfect nonlinear power functions over GF(2 n ): the Niho case. Infor. and Coput., 151, pp , [18] H. Dobbertin. Alost perfect nonlinear power functions over GF(2 n ): the Welch case. IEEE Trans. Infor. Theory, 45, pp , [19] H. Dobbertin. Alost perfect nonlinear power functions over GF(2 n ): a new case for n divisible by 5. D. Jungnickel and H. Niederreiter eds. Proceedings of Finite Fields and Applications FQ5, Augsburg, Gerany, Springer, pp , [20] Y. Edel, G. Kyureghyan and A. Pott. A new APN function which is not equivalent to a power apping. IEEE Trans. Infor. Theory, vol. 52, no. 2, pp , Feb [21] R. Gold. Maxial recursive sequences with 3-valued recursive crosscorrelation functions. IEEE Trans. Infor. Theory, 14, pp , [22] H. Hollann and Q. Xiang. A proof of the Welch and Niho conjectures on crosscorrelations of binary -sequences. Finite Fields and Their Applications 7, pp , [23] H. Janwa and R. Wilson. Hyperplane sections of Ferat varieties in P 3 in char. 2 and soe applications to cyclic codes. Proceedings of AAECC-10, LNCS, vol. 673, Berlin, Springer-Verlag, pp ,

12 [24] T. Kasai. The weight enuerators for several classes of subcodes of the second order binary Reed-Muller codes. Infor. and Control, 18, pp , [25] G. Lachaud and J. Wolfann. The Weights of the Orthogonals of the Extended Quadratic Binary Goppa Codes. IEEE Trans. Infor. Theory, vol. 36, pp , [26] M. Matsui. Linear cryptanalysis ethod for DES cipher. Advances in Cryptology- EUROCRYPT 93, LNCS, Springer-Verlag, pp , [27] N. Nakagawa. Private counications, [28] K. Nyberg. Differentially unifor appings for cryptography, Advances in Cryptography, EUROCRYPT 93, LNCS, Springer-Verlag, New York, 765, pp , [29] K. Nyberg. S-boxes and Round Functions with Controllable Linearity and Differential Unifority. Proceedings of Fast Software Encryption 1994, LNCS 1008, pp , [30] V. Sidelnikov. On utual correlation of sequences. Soviet Math. Dokl., 12, pp ,