Affinity of permutations of F n 2

Transcription

1 Discrete Applied Mathematics 54 (6) Affinity of permutations of F n Xiang-dong Hou Department of Mathematics and Statistics, Wright State University, Dayton, OH 45435, USA Received 5 June 3; received in revised form August 3; accepted March 5 Available online 6 September 5 Abstract It was conjectured that if n is even, then every permutation of F n is affine on some -dimensional affine subspace of Fn. We prove that the conjecture is true for n = 4, for quadratic permutations of F n and for permutation polynomials of F n with coefficients in F n/. The conjecture is actually a claim about (AGL(n, ), AGL(n, ))-double cosets in permutation group S(F n ) of Fn.Wegivea formula for the number of (AGL(n, ), AGL(n, ))-double cosets in S(F n ) and classify the (AGL(4, ), AGL(4, ))-double cosets in S(F 4 ). 5 Elsevier B.V. All rights reserved. Keywords: Almost perfect nonlinear function; General affine group; General linear group; Permutation group; Quadratic function. Introduction Let F q be the finite field with q elements. In a bloc cipher, the ciphertext of a plaintext x F n is obtained by applying a composition of several round functions to x; each round function is a permutation of F n. Let σ : Fn Fn be such a round function. To resist differential cryptanalysis, the distribution of the values of the function σ(x + a)+ σ(x) should be as uniform as possible for every = a F n [9]. A function σ : Fn Fn is called almost perfect nonlinear (APN) if for every a,b F n with a =, the equation σ(x + a) + σ(x) = b has either or solutions x F n []. Therefore, ideal candidates for round functions are permutations of Fn which are APN. When n is odd, such permutations exist. For an easy example, one can identify F n with F n and let σ(x) = x3 []. For a survey of nown APN power functions, see Dobbertin [4]. For even n, no APN permutation of F n is nown. The following conjecture is sometimes referred to as the APN conjecture. Conjecture.. If n is even and σ is a permutation of F n, then σ is not APN. address: xhou@mail.cas.usf.edu. Research supported by NSA Grant MDA Current address: Department of Mathematics, University of South Florida, Tampa, FL 336, USA 66-8X/$ - see front matter 5 Elsevier B.V. All rights reserved. doi:.6/j.dam.5.3.

2 34 X.-d. Hou / Discrete Applied Mathematics 54 (6) The author became aware of the conjecture at theyacc conference in where he had a discussion with Canteaut and Dobbertin []. The problem was implicitly studied in [].In[3], the existence of APN permutations of F n for even n was raised as an open problem. Conjecture. can be formulated in terms of affinity of permutations of F n on -dimensional affine subspaces. Recall that for affine spaces A and B over F, a map σ : A B is called affine if σ(a + a + a 3 ) = σ(a ) + σ(a ) + σ(a 3 ) for all a,a,a 3 A. We observe that σ : F n Fn is APN if and only if σ is not affine on any -dimensional affine subspace of F n. In fact, assume that σ is affine on a -dimensional affine subspace {a,a,a 3,a + a + a 3 } F n. Let σ(a i ) = b i ( i 3). Then σ(a + a + a 3 ) = b + b + b 3. It follows that σ(x + a + a ) + σ(x) = b + b for all x A. Hence σ is not APN. On the other hand, assume that for some a F n \{}, there exist distinct elements x,x,x 3 F n such that σ(x i + a) + σ(x i ) = σ(x j + a) + σ(x j ) for all i, j 3. Since either x + x = a or x + x 3 = a, we may assume that x + x = a. Thus A ={x,x,x + a,x + a} is a -dimensional affine subspace of F n. Since σ(x + a) + σ(x ) = σ(x + a) + σ(x ), σ is affine on A. Therefore, Conjecture. is equivalent to Conjecture.. Let n be even and let σ be a permutation of F n. Then there is a -dimensional affine subspace A of Fn such that σ(a) is a -dimensional affine subspace of F n. We now introduce some notation. Let { } A b AGL(n, ) = : A GL(n, ), b F n be the general affine group. The action of AGL(n, ) on F n is given by A b (x) = Ax + b for x F n. Let S(F n ) be the group of all permutations of Fn. For any X Fn, the stabilizer of X in S(Fn ) is S X ={σ S(F n ) : σ X = id}. We observe that Conjecture. is equivalent to Conjecture.3. Let A ={(x,x,,...,) T : x i F } F n. When n is even, S(F n ) = AGL(n, ) S A AGL(n, ). (.) (In (.), the multiplication is the operation of the group S(F n ).) To see that Conjecture.3 implies Conjecture., note that every σ S(F n ) can be written as σ = h τ g where g, h AGL(,n) and τ S A. Then σ maps a -dimensional affine subspace g (A ) to a -dimensional affine subspace h(a ). To see that Conjecture. implies Conjecture.3, assume that σ S(F n ) such that σ(a ) = A for some -dimensional subspaces A and A. Then there exist g, h AGL(n, ) such that g(a ) = A and h(a ) = A, hence h σ g(a ) = A. Furthermore, we can choose h suitably such that h σ g A = id, i.e., h σ g S A. In this paper, we report some partial results on the above conjectures and suggest a group theoretic approach to the problem.

3 X.-d. Hou / Discrete Applied Mathematics 54 (6) Section contains some miscellaneous results. We prove that Conjecture. is true for n = 4. We also show that the normalizers of AGL(n, ) and GL(n, ) in S(F n ) are themselves. In Section 3, we prove that Conjecture. is true for permutation polynomials of F n with coefficients in F n/. In Section 4, we study the affinity of elements in S(F n ) using directional derivatives. In particular, we show that Conjecture. is true for permutations of F n with at least n quadratic component functions. Conjecture. for quadratic permutations of F n was proved by Nyberg in [8]. Recall the if H and K are subgroups of a group G and g G, the (H, K)-double coset with representative g is HgK. Eq. (.) means that every (AGL(n, ), AGL(n, ))-double coset in S(F n ) has a representative in S A. This suggests the importance of the structure of (AGL(n, ), AGL(n, ))-double cosets in S(F n ). In Section 5, we give a formula for computing the number of (AGL(n, q), AGL(n, q))-double cosets in S(F n q ). The number of (AGL(4, ), AGL(4, ))- double cosets in S(F 4 ) is 3; the number of (AGL(5, ), AGL(5, ))-double cosets in S(F5 ) is astronomical. In Section 6, we find the representatives for the 3 (AGL(4, ), AGL(4, ))-double cosets in S(F 4 ) using a computer. This classification answers all questions about affinity of permutations of F 4.. Miscellaneous results Since there are counter examples to Conjectures..3 for odd n, one might hope to use them to build a counter example to the conjectures for even n. However, the following proposition shows that this approach is not liely to be easy. Proposition.. Let A ={[ v ]:v Fn } F n. Assume that σ S(Fn ) such that σ(a) = A. Then σ is not APN. Proof. Assume to the contrary that σ is not affine on any -dimensional subspace. Let () () σ =, σ =, v F n v α(v) v β(v), where α and β are permutations of F n. Then α and β are not affine on any -dimensional subspace of F n. Fix any = a F n. The map v α(v) + α(v + a) is -to- from F n to F n \{}. (Otherwise, α would be affine on a -dimensional affine subspace of F n.) Let D(α) ={α(v) + α(v + a) : v F n } F n \{}. Then D(α) = n. In the same way, D(β) F n \{} and D(β) = n. Hence D(α) D(β) =, i.e., α(u) + α(u + a) = β(v) + β(v + a) for some u, v F n. Then σ is affine on the -dimensional affine subspace { },,,. u u + a v v + a By a -frame, we mean an affinely independent subset X F n with X = +, i.e., a ( + )-element subset of F n which spans a -dimensional affine subspace. If X and Y are two -frames of Fn, then any bijection σ : X Y can be extended to an element in AGL(n, ). Lemma.. (i) Let σ S(F n ). Then there exists an n-frame X Fn such that σ(x) is also an n-frame. (ii) Let e,...,e n be the standard basis of F n and let e = F n. Then S(F n ) = AGL(n, ) S {e,e,...,e n } AGL(n, ), where S {e,e,...,e n } is the stabilizer of {e,e,...,e n }.

4 36 X.-d. Hou / Discrete Applied Mathematics 54 (6) Proof. (i) By induction, we show that for every n, there exists a -frame X F n such that σ(x ) is also a -frame. The claim is obviously true for =,. Assume that <nand that X is a -frame of F n such that σ(x ) is also a -frame of F n. Let X af be the affine span of X and consider the map Since σ : F n \ X af F n \σ(x ). σ(f n \ X af ) + F n \ σ(x ) af =( n )> n ( + ) = F n \σ(x ), we have σ(f n \ X af ) (F n \ σ(x ) af ) =, i.e., there exists x F n \ X af such that σ(x) / σ(x ) af. Put X + = X {x}. Then both X + and σ(x + ) are ( + )-frames in F n. (ii) For each σ S(F n ), by (i), there is an n-frame {x,...,x n } F n such that {σ(x ),...,σ(x n )} is also an n-frame. Choose g, h AGL(n, ) such that g(e i ) = x i and h(f (x i )) = e i for all i n. Then h σ g S {e,...,e n }, hence σ AGL(n, ) S {e,...,e n } AGL(n, ). Theorem.3. Conjecture. is true for n = 4. Proof. By Lemma. (ii), we only have to prove Conjecture. for σ S {e,e,...,e 4 }, i.e., for permutations of F 4 which stabilize e i ( i 4). There are! such permutations and the claim is easily verified using a computer. The theorem also follows from the classification of (AGL(4, ), AGL(4, ))-double cosets in S(F 4 ) in Section 6. For σ, τ S(F n ), we say σ and τ are equivalent (σ τ) ifσ and τ are in the same (AGL(n, ), AGL(n, ))-double coset of S(F n ). Corollary.4. Letnbeeven, σ S(F n ), and identify Fn with F n. Then σ is not APN if one of the following is true. (i) σ τ for some permutation polynomial τ of F n such that τ F [x]. (ii) 4 n and σ τ for some permutation polynomial of τ of F n such that τ F 4[x]. Proof. (i) is obvious since τ maps F to F. (ii) Observe that τ maps F 4 to F 4. Hence τ F 4 S(F 4). By Theorem.3, τ F 4 is not APN, hence τ is not APN. Proposition.5. The normalizer of AGL(n, ) in S(F n ) is AGL(n, ). Proof. Since AGL(, )=S(F ), we may assume that n 3.Assume to the contrary that there is a σ S(Fn )\AGL(n, ) such that σ AGL(n, )σ = AGL(n, ). Then there exists a -dimensional affine subspace A F n such that σ(a) is not a -dimensional affine subspace, i.e., σ(a) is a 3-frame. By Lemma. (i), there is a 3-frame X F n such that σ (X) is also a 3-frame. Choose a g AGL(n, ) such that g(σ(a)) = X. Since σ g σ(a) = σ (X), which is not affine, we have σ g σ / AGL(n, ), which is a contradiction. Proposition.6. The normalizer of GL(n, ) in S(F n ) is GL(n, ). Proof. Again we may assume n 3. Let σ S(F n ) such that σ GL(n, )σ = GL(n, ). First we have σ() =. (Otherwise, choose g GL(n, ) such that g(σ()) = σ(). Then σ g σ() =, which is a contradiction.) Assume to the contrary that σ / GL(n, ). Then there exist a,b F n \{}, a = b, such that σ(a), σ(b), σ(a + b) are linearly independent. The number of 3-element linearly independent subsets of F n \{} is 3! (n )( n )( n 4), which is greater than ( n 3 ). Thus there is a 3-element linearly independent subset X F n \{} such that σ (X) is also a 3-element linearly independent subset. Choose g GL(n, ) such that g({σ(a), σ(b), σ(a + b)}) = X. Since σ g σ({a,b,a + b}) = X,wehaveσ g σ / GL(n, ), which is a contradiction.

5 X.-d. Hou / Discrete Applied Mathematics 54 (6) Permutation polynomials of F m with coefficients in F m Theorem 3.. If σ is a permutation polynomial of F m such that σ F m[x], then σ is not APN. Proof. Assume to the contrary that σ is APN. Let ρ be the generator of the Galois group Gal(F m/f m). Then we have σ ρ = ρ σ. The set F m\f m is partitioned into ρ-orbits of size. The ρ-orbit of x F m\f m, i.e., {x,ρ(x)}, is denoted by [x]. Fix an x F m\f m and let y = Tr F m /F m (x ). Put A ={[x + x] :x F m} and define : A F m\{}, [x + x] Tr F m /F m (σ(x + x)). We claim that is. Otherwise, there exist x,y F m such that [x + x] = [x + y],but ([x + x]) = ([x + y]). Let A ={x + x,ρ(x + x),x + y,ρ(x + y)}. Then (x + x) + ρ(x + x) + (x + y) + ρ(x + y) = and σ(x + x) + σ(ρ(x + x)) + σ(x + y) + σ(ρ(x + y)) = σ(x + x) + ρ(σ(x + x)) + σ(x + y) + ρ(σ(x + y)) = ([x + x]) + ([x + y]) =. Hence both A and σ(a) are -dimensional affine subspaces, which is a contradiction. Also put B ={{x,x + y }:x F m} and define ψ : B F m\{}, {x,x + y } σ(x) + σ(x + y ). we claim that ψ is also. Otherwise, there exist x,y F m such that {x,x + y } = {y,y + y },butψ({x,x + y }) = ψ({y,y + y }). Let B ={x,x + y,y,y+ y }. Since σ(x) + σ(x + y ) + σ(y) + σ(y + y ) = ψ({x,x + y }) + ψ({y,y + y }) =, both B and σ(b) are -dimensional affine subspaces, which is a contradiction. Since A = B = m and (A) ψ(b) F m\{}, we must have (A) ψ(b) =, namely, there exist x,y F m such that ([x + x]) = ψ({y,y + y }). Let C ={x + x,ρ(x + x),y,y+ y }. It is easy to see that both C and σ(c) are -dimensional affine subspaces, which is impossible. 4. Quadratic permutations of F n It is well nown that the F -algebra of all functions from F n to F is P n = F [X,...,X n ]/(X X,...,X n X n). Also recall that the rth order Reed Muller code of length n is R(r, n) ={f P n : deg f r}. Forf P n, its Hamming weight, denoted by f, is the cardinality of f ({}). We remind the reader that in this paper, both the cardinality of a set and the Hamming weight of a boolean function are denoted by. The meaning of the notation should be clear from the context.

6 38 X.-d. Hou / Discrete Applied Mathematics 54 (6) Let σ = (f,...,f n ) T be a function from F n to Fn where f i P n. We define deg σ = max deg f i. i n When n is odd, the counter example to the conjectures, σ(x) = x 3 : F n F n, is a quadratic permutation of F n. Thus it is natural to as if the conjectures are true for quadratic permutations of F n when n is even. We will see that the answer is positive. Let f : F n F be any function and let a F n. We define D a f : F n F, x f(x+ a) + f(x). Lemma 4.. Let σ = (f,...,f n ) T : F n Fn be APN, and let e = (,,...,) T F n. If D e f is a constant, then (D e f,...,d e f n ) T :{} F n F n is a bijection. Proof. Assume the contrary. Then there exist a,b {} F n, a = b, such that f i (a + e ) + f i (a) = f i (b + e ) + f i (b) for i n. But since f (a + e ) + f (a) = (D e f )(a) = (D e f )(b) = f (b + e ) + f (b), wehave σ(a + e ) + σ(a) = σ(b + e ) + σ(b), i.e., σ is affine on the -dimensional affine subspace {a,b,a + e,b+ e }. This is a contradiction. For any f P n, define N(f)={a F n : D af = constant}. Clearly, N(f) is a subspace of F n. Corollary 4.. Let σ = (f,...,f n ) T : F n Fn be APN. Then N(f ) N(f ) ={}. Proof. Otherwise, we may assume that e N(f ) N(f ). Then both D e f and D e f are constants, which is impossible by Lemma 4.. Theorem 4.3. Let n be even and let σ = (f,...,f n ) T S(F n ) such that dim F [( f,...,f n +R(, n))/r(,n)], (4.) where f,...,f n is the linear span of f,...,f n. Then σ is not APN. Note: Inequality (4.) means that there is an element f P n such that f,...,f n are all in R(,n) (f + R(, n)). For the proof of Theorem 4.3, we assume that the reader is familiar with the basic facts about binary quadratic functions (cf. [7, Chapter 5]). For each f R(,n), its homogeneous part of degree corresponds to an n n symmetric matrix A over F whose diagonal entries are. The quadratic ran of f, denoted by ran(f ), is ran(a).itis well nown that ran(f ) is even and that dim N(f)=n ran(f ).Ifn is even and ran(f )=n, then f = n ± n. Proof of Theorem 4.3. Of course, we may assume that n 4. Because of (4.), after a suitable linear transformation on (f,...,f n ) T, we may assume that f,...,f n R(,n). For any = (c,...,c n ) F n,wehave ran(c f + +c n f n ) n. (Otherwise, the Hamming weight of n i= c if i is n i= c if i = n ± n = n. Then σ = (f,...,f n ) T cannot be a permutation of F n, which is a contradiction.) Therefore dim N(c f + +c n f n ) for all = (c,...,c n ) F n.

7 X.-d. Hou / Discrete Applied Mathematics 54 (6) We claim that there exist (u,...,u n ), (v,...,v n ) F n \{}, (u,...,u n ) = (v,...,v n ), such that N(u f + +u n f n ) N(v f + +v n f n ) = {}. Otherwise, (c,...,c n ) F n \{} N(c f + +c n f n ) + 3( n )> n, which is a contradiction. Through a suitable linear transformation, we may assume that (u,...,u n ) = (,,...,) and (v,...,v n ) = (,,,...,). Then N(f ) N(f ) = {}. By Corollary 4., σ is affine on a -dimensional affine subspace of F n. Corollary 4.4. Let n be even. If σ S(F n ) and deg σ, then σ is not APN. Remar. Corollary 4.4 also follows from a result of Nyberg [8] which states that for even n, there does not exist APN permutations of F n whose components are partially bent functions. 5. Number of (AGL(n, q), AGL(n, q))-double cosets in S(F n q ) Let p be a prime and q a power of p. In this section we wor with F q instead of F because the q-ary case does not require any extra wor and because the formulas are of more general interest. The group AGL(n, q) AGL(n, q) acts on S(F n q ), the group of all permutations of Fn q :For(g, h) AGL(n, q) AGL(n, q) and σ S(F n q ), (g, h)(σ) = g σ h. The orbits of this action are precisely the (AGL(n, q), AGL(n, q))-double cosets in S(F n q ). By the Burnside Lemma, the number of (AGL(n, q), AGL(n, q))-double cosets in S(F n q ), denoted by N(n, q), isgivenby N(n, q) = cent AGL(n,q) (g) cent AGL(n,q) (h) F(g,h), g,h C where C is a system of representatives of the conjugacy classes of AGL(n, q), cent AGL(n,q) (g) is the centralizer of g in AGL(n, q), and F(g,h)={σ S(F n q ) : gσh = σ}. We have F(g,h) = {σ S(F n q ) : g = σhσ } { if g and h are of different cycle types, = (λ!λ! )( λ λ ) if g and h are both of cycle type (λ, λ,...) q n, where (λ, λ,...) q n means that (λ, λ,...)is a partition of q n, i.e., λ i and λ + λ + =q n. That g is of cycle type (λ, λ,...) means that in the decomposition of g into disjoint cycles, there are λ i cycles of length i. For each λ = (λ, λ,...) q n, put C λ ={g C : g is of cycle type λ}. Then we have N(n, q) = (λ!λ! )( λ λ ) λ=(λ,λ,...) q n g Cλ. (5.) cent AGL(n,q) (g)

8 3 X.-d. Hou / Discrete Applied Mathematics 54 (6) To use formula (5.), we have to now three things: (i) a system C of representatives of the conjugacy classes of AGL(n, q), (ii) cent AGL(n,q) (g) for every g C, and (iii) the cycle type of every g C. Items (i) and (ii) have been determined in [5,6]. For any integer >, let I be the identity matrix and N = be the nilpotent matrix. Put J = I + N.For define A a AGL(, q), A a B b = B b AGL(l, q), [ A ] a B b AGL( + l,q). (5.) Let B() be a system of representatives of conjugacy classes of GL(, q) whose elements have no eigenvalue. For any partition λ = (λ, λ,...), define λ =λ + λ + and T(λ) ={t : λ t > }. Also define J J J J g λ = AGL( λ,q), (5.3) } {{ } λ } {{ } λ and J J g λ,t = }{{} λ Jt ε(t) Jt Jt AGL( λ,q) }{{} for t T(λ), (5.4) λ t where ε(t) = (,...,, ) T F t q.asλ runs through all partitions with λ n, t runs through T(λ) and B runs through B(n λ ), the following elements form a system of representatives of the conjugacy classes of AGL(n, q): g λ B, g λ,t B. (5.5) Thus we can let C be the set of the elements in (5.5). Furthermore, we have [5, Theorems 3. and 3.5], ( ) B cent AGL(n,q) g λ = cent GL(n λ,q)(b) q λ +λ + i q λ i(λ +λ + +iλ i +iλ i+ + ) λ i ( q j ), j=

9 cent AGL(n,q) ( g λ,t X.-d. Hou / Discrete Applied Mathematics 54 (6) ) B GL(n λ,q)(b) qλ t +λ t+ + = cent q λ t i q λ i(λ +λ + +iλ i +iλ i+ + ) λ i ( q j ). In the above, cent GL(n λ,q) (B) is given by the following general formula [6, Theorem 3.6]: Assume that C M m m (F q ) has elementary divisors e,...e }{{}, e,...e,..., where e F }{{} q [x] is irreducible of degree d, then μ cent GL(m,q) (C) = i μ μ q dμ i (μ +μ + +iμ i +iμ i i+ + ) ( q dj ). Now we turn to item (iii) that we need in formula (5.), i.e., the cycle type of every g C. Let (λ, λ,...)be the cycle type of g and put Fix(g) ={x F n q : g(x) = x}. Then we have j= j= Fix(g ) = i iλ i. By the Möbius inversion, we obtain iλ i = ( ) i μ Fix(g ), i where μ is the classical Möbius function. Thus λ i = ( ) i μ Fix(g ). i i Therefore we only have to determine Fix(g ) for each g C and. Observe that for g AGL(, q), h AGL(l, q), x F q, and y Fl q,wehave x g(x) (g h) =, y h(y) where is defined in (5.). In particular, Fix(g h) = Fix(g) Fix(h). (5.6) Lemma 5.. Let i be positive integers. Then ( ) ( ) ( ) (mod p) i if and only if p ν p() >i, where ν p () is the p-adic order of. Proof. Let = a p + a p + ( a i p ) be the p-adic expansion of and define dig p () = (a,a,...). For two integer sequences (a,a,...)and (b,b,...),wesay(a,a,...) (b,b,...)if a j b j for all j. Since ( j ) (mod p) if and only if dig p (j) dig p (), the conclusion follows immediately. For an n n matrix A, put null(a) = n ran(a). Lemma 5.. We have null(j i I)= min{i, p ν p() }.

10 3 X.-d. Hou / Discrete Applied Mathematics 54 (6) Proof. We have J i I = (I + N i ) I = j= ( ) N j j i = The conclusion immediately follows from Lemma 5.. ( ) i ( ) ( ) (. (5.7) ) Lemma 5.3. Let Then g = Jt ε(t) AGL(t, q). { Fix(g q t if p ) = νp() >t, if p νp() t. Proof. Since [ g J = t (I + J t + +Jt ] )ε(t), we see that for x F t q, g (x) = x if and only if (J t I)x = (I + J t + +Jt )ε(t). By Lemma 5., we have Since { Fix(g q min{t,p νp() } if (I + J ) = t + +Jt )ε(t) is in the column space of Jt I, otherwise. I + J t + +Jt = (I + N t ) i = i= i i= j= = j= = i= i=j ( j + ( ) i N j j t ( ) i N j j t ) N j t.

11 We have (I + J t + +J t )ε(t) = X.-d. Hou / Discrete Applied Mathematics 54 (6) ( i= ( ) ( ) ) t N j... j + t = (. ). (5.8) ( ) Comparing (5.8) with (5.7), we see that (I + J t + +Jt )ε(t) is in the column space of Jt ( ) ( ) ( t ) (mod p). By Lemma 5., this happens if and only if pνp() >t. I if and only if Proposition 5.4. Let λ = (λ, λ,...)be a partition such that λ n, t T(λ) and B B(n λ ). Then we have [ ( ) ] B Fix g λ = q i λ i min{i,p νp() }+null(b I), (5.9) [ ( ) ] { B q Fix g λ,t = i λ i min{i,p νp() }+null(b I) if p νp() >t, if p νp() (5.) t. Proof. We only prove (5.) since the proof of (5.9) is similar. Observe that ( [B ] ) Fix = qnull(b I), ( [Ji ] ) Fix = qnull(j (i) I) = q min{i,pνp() } (by Lemma 5.) and ( [Jt ] ) { Fix ε(t) q = min{t,p νp() } if p νp() >t if p νp() t. (by Lemma 5.3) Using (5.6) and (5.4), one can see that (5.) follows immediately form the above equations. Therefore, the three ingredients in (5.) are all determined. We now use (5.) to compute N(4, ). Relevant data of the computation are contained in Table.InTable, g λ, t,b = g λ,t When t is not specified, g λ,t,b means g λ B, λ 4, t T(λ), B B(4 λ ). B, λ 4, B B(4 λ ). In the same way we find that N(5, ) =, 569, 966, 4, 3, 938, 84.

12 34 X.-d. Hou / Discrete Applied Mathematics 54 (6) Table Computation of N(4, )

13 X.-d. Hou / Discrete Applied Mathematics 54 (6) Table Values of n(i) 6. Classification of (AGL(4, ), AGL(4, ))-double cosets in S(F 4 ) To find representatives of (AGL(4, ), AGL(4, ))-double cosets in S(F 4 ), by Lemma. (ii), we only have to search through permutations of F 4 which fix,e,...,e 4. The search is complete when 3 mutually non-equivalent permutations have been found. Note that for σ, τ S(F 4 ), σ τ if and only if σgτ AGL(4, ) for some g AGL(4, ). The indicator functions of all -dimensional subspaces of F 4 generate the Reed Muller code R(, 4). Since dim R(, 4) = =, we can find -dimensional subspaces V,...,V of F 4 such that their indicator functions form a basis of R(, 4). Then σgτ AGL(4, ) if and only if σgτ (x) = for i. x V i In this way, we have found the representatives of the (AGL(4, ), AGL(4, ))-double cosets in S(F 4 ) using a computer. However, the list of the representatives is too long to be included in this paper. Using this classification, we can answer all questions about the affinity of permutations of F 4. In particular, we find that every element in S(F4 ) is affine on at least 5 two-dimensional affine subspaces of F 4. More precisely, let n(i) be the number of (AGL(4, ), AGL(4, ))- double cosets in S(F 4 ) whose elements are affine on exactly i two-dimensional affine subspaces of F4. Table lists all nonzero entries of n(i). Acnowledgements The author thans Professor W.E. Clar for sharing his experiment results. References [] C. Carlet, P. Charpin, V. Zinoviev, Codes, bent functions and permutations suitable for DES-lie cryptosystems, Designs, Codes Cryptogr. 5 (998) [] A. Canteaut, H. Dobbertin, private communication. [3] H. Dobbertin, Almost perfect nonlinear power functions over GF( n ): the Niho case, Inform. Comput. 5 (999) [4] H. Dobbertin, Almost perfect nonlinear power functions on GF(n): a new case for n divisible by 5, Finite Fields Appl. (Augsburg, 999), Springer, Berlin,, pp. 3. [5] X. Hou, AGL(m, ) acting on R(r, m)/r(s, m), J. Algebra 7 (995) [6] X. Hou, GL(m, ) acting on R(r, m)/r(r,m), Discrete Math. 49 (996) 99. [7] F.J. MacWilliams, N.J.A. Sloane, The Theory of Error-Correcting Codes, vols. I and II, North-Holland, Amsterdam, 977. [8] K. Nyberg, S-boxes and round functions with controllable linearity and differential uniformity, Fast Software Encryption (Leuven, 994), Lecture Notes in Computer Science, vol. 8, Springer, Berlin, 995. [9] D.R. Stinson, Cryptography, Theory and Practice, second ed., Chapman and Hall, New Yor,.