A note on the differential spectrum of a class of locally APN functions

Let ${\mathbb{F}}_{q}$ be the finite field with $q$ elements, where $q$ is a prime power. We denote by ${\mathbb{F}}_{q}^{*}:={\mathbb{F}}_{q}\setminus\{0\}$. Any cryptographic function $F:{\mathbb{F}}_{q}\rightarrow{\mathbb{F}}_{q}$ can be uniquely represented as a univariate polynomial of degree less than $q$. For a function $F$, the main tools to study $F$ regarding the differential attack [2] are the difference distribution table (DDT for short) and the differential uniformity introduced by Nyberg [26] in 1994. The DDT entry at point $(a,b)$ for any $a,b\in{\mathbb{F}}_{q}$, denoted by $\delta_{F}(a,b)$, is defined as

$$\delta_{F}(a,b)=\#\{x\in{\mathbb{F}}_{q}:\mathbb{D}_{a}F(x)=b\},$$

where $\mathbb{D}_{a}F(x)=F(x+a)-F(x)$ is the derivative function of $F$ at the element $a$. Note that when $a=0$ and $b=0$, the equation $\mathbb{D}_{a}F(x)=b$ has $q$ solutions in ${\mathbb{F}}_{q}$, which means $\delta_{F}(0,0)=q$. Besides, when $a=0$ and $b\in{\mathbb{F}}_{p^{n}}^{*}$, the equation $\mathbb{D}_{a}F(x)=b$ has no solutions, which means $\delta_{F}(a,b)=0$. Therefore, for any polynomial, the DDT entries in the line $a=0$ are trivial. The differential uniformity of $F$, denoted by $\Delta_{F}$, is defined as

$$\Delta_{F}=\mathrm{max}\left\{\delta_{F}(a,b):a\in{\mathbb{F}}_{q}^{*},b\in{\mathbb{F}}_{q}\right\}.$$

Generally speaking, the smaller the value of $\Delta_{F}$, the stronger the resistance of $F$ used in S-boxes against the differential attack. A cryptographic function $F$ is called differentially $k$-uniform if $\Delta_{F}=k$. Particularly when $\Delta_{F}=1$, $F$ is called a planar function [12] or a perfect nonlinear (abbreviated as PN) function [25]. When $\Delta_{F}=2$, $F$ is called an almost perfect nonlinear (abbreviated as APN) function [26], which is of the lowest possible differential uniformity over ${\mathbb{F}}_{2^{n}}$ as in such finite fields, no PN functions exist. Readers may refer to [4], [7], [14], [15], [16], [24], [29], [40], [47], [48] and references therein for some of the new developments on PN and APN functions. Apart from the concepts of PN and APN, a power function $F$ over ${\mathbb{F}}_{p^{n}}$ is said to be locally-APN if

$$\mathrm{max}\left\{\delta_{F}(1,b)|b\in{\mathbb{F}}_{p^{n}}\setminus{\mathbb{F}}_{p}\right\}=2.$$

This definition was first introduced in [17] for the case $p=2$ and generalized in [37] for odd $p$. For a general function $F$, we can also give the concept of locally APN.

In [4], the concept of the differential spectrum of a power function was introduced. The differential spectrum of a cryptographic function, compared with the differential uniformity, provides much more detailed information. In particular, the value distribution of the DDT is given directly by the differential spectrum. What’s more, the differential spectrum has many applications such as in sequences [3], [13], coding theory [9], [10], combinatorial design [32] etc. However, to determine the differential spectrum of a cryptographic function is usually a difficult problem. Power functions with known differential spectra are summarized in Table I.

For a polynomial function that is not a power function, the investigation of its differential spectrum is much more difficult. There are only a few cryptographic functions whose differential spectra were known [22], [27], [34], [36]. One of the focus of this paper is to explore a class of binomials studied in [8]. In [8], the differential uniformity of $f_{u}(x)=x^{\frac{p^{n}+3}{2}}+ux^{2}$ with $u\in{\mathbb{F}}_{p^{n}}\setminus\{0,\pm 1\}$ has been investigated. In this paper, we determine the differential spectrum of such $f_{u}(x)$ when $u\in\{\pm 1\}$, that is, $f_{\pm 1}(x)=x^{\frac{p^{n}+3}{2}}\pm x^{2}$.

This paper is organized as follows. Section II presents certain quadratic character sums that are essential for the computation of the aimed differential spectrum. In Section III, properties of the differential spectrum of any function are given. In Section IV, the number of solutions of several systems of equations over finite fields are investigated, which will be used in Section V, in which the differential spectrum of $f_{\pm 1}$ is determined. Section VI concludes this paper.

In this section, we will introduce some results on the quadratic character sums over the finite field ${\mathbb{F}}_{q}$. Let $\chi(\cdot)$ be the quadratic multiplicative character of ${\mathbb{F}}_{q}$, which is defined as

$$\chi(x)=\left\{\begin{array}[]{cl}1,&\mbox{if }x\mbox{ is a square in }{\mathbb{F}}_{q}^{*},\\ -1,&\mbox{if }x\mbox{ is a nonsquare in }{\mathbb{F}}_{q}^{*},\\ 0,&\mbox{if }x=0.\end{array}\right.$$

Let ${\mathbb{F}}_{q}[x]$ be the polynomial ring over ${\mathbb{F}}_{q}$. We consider the character sum of the form

$\displaystyle\sum_{x\in{\mathbb{F}}_{q}}\chi(f(x))$

(1)

with $f\in{\mathbb{F}}_{q}[x]$. The case of $\deg(f)=1$ is trivial, and for $\deg(f)=2$, the following explicit formula was established in [21].

Nevertheless, for a polynomials $f$ with degree $3$ or higher, computing $\sum\limits_{x\in{\mathbb{F}}_{q}}\chi(f(x))$ or deriving a specific formula thereof is generally challenging. The subsequent lemma provides lower and upper bounds for any multiplicative character sum.

However, sometimes we need the exact value of the character sum $\sum\limits_{x\in{\mathbb{F}}_{q}}\chi(f(x))$. For the case $deg(f(x))=3$, such a sum can be calculated by considering ${\mathbb{F}}_{p^{n}}$-rational points of elliptic curves over ${\mathbb{F}}_{p}$. More precisely, assume that $f$ is a cubic function over ${\mathbb{F}}_{p^{n}}$ and denote

$$\Gamma_{p,n}=\sum\limits_{x\in{\mathbb{F}}_{p^{n}}}\chi(f(x)).$$

To evaluate $\Gamma_{p,n}$, several primary concepts from the theory of elliptic curves shall be taken into consideration. More details on the terminologies and notation can be found in [30]. Let $E/{\mathbb{F}}_{p}$ be the elliptic curve $E:y^{2}=f(x)$ over ${\mathbb{F}}_{p^{n}}$, and $N_{p,n}$ denote the number of $F_{p^{n}}$-rational points (with the extra point at infinity) on the curve $E/{\mathbb{F}}_{p}$. From Subsection 1.3 and Theorem 2.3.1 in [30, Chapter V], $N_{p,n}$ can be assessed by $\Gamma_{p,n}$. To be more exact, for every $n\geqslant 1$,

$$N_{p,n}=p^{n}+1+\Gamma_{p,n}.$$

Furthermore,

$$\Gamma_{p,n}=-\alpha^{n}-\beta^{n},$$

(2)

where $\alpha$ and $\beta$ are the complex solutions of the quadratic equation $T^{2}+\Gamma_{p,1}T+p=0$. With an exploration, $\Gamma_{p,n}$ can be determined by $\Gamma_{p,1}$ directly and explicitly. We have

$$\Gamma_{p,n}=\frac{(-1)^{n+1}}{2^{n-1}}\sum_{k=0}^{\lfloor\frac{n}{2}\rfloor}(-1)^{k}\binom{n}{2k}(\Gamma_{p,1})^{n-2k}(4p-(\Gamma_{p,1})^{2})^{k}.$$

(3)

Moreover, when $\Gamma_{p,1}=0$, we have

$$\Gamma_{p,n}=\left\{\begin{array}[]{ll}(-1)^{\frac{n}{2}+1}\cdot 2\cdot p^{\frac{n}{2}},&n~{}\text{is even};\\ 0,&n~{}\text{is odd}.\\ \end{array}\right.$$

(4)

We define a specific character sum

$$\lambda_{p,n}=\sum\limits_{x\in{\mathbb{F}}_{p^{n}}}\chi(x(x^{2}-2x-1)),$$

which will be used in the sequel. In the following examples, we give the exact value of $\lambda_{p,n}$ for a given $p$.

The key to determine $\lambda_{p,n}$ is to calculate the value of $\lambda_{p,1}$. For the convenience, we list the values of $\lambda_{p,1}$ for all primes $3\leqslant p\leqslant 1039$ with $p\equiv 3~{}(mod~{}4)$ in Table II, which are computed by MAGMA.

At last, we present several results below concerning the exact values of specific character sums used in Section V.

First, we give the definition of the differential spectrum of a cryptographic function.

Sometimes we ignore the zeros in the differential spectrum. We remark that our definition of the differential spectrum is a little different from that in [34]. In our definition of $\omega_{i}$, we consider all the pairs $(a,b)\in{\mathbb{F}}_{q}\times{\mathbb{F}}_{q}$, including $a=0$. The values of $\omega_{i}(i>\Delta_{F})$ can be obtained easily. That is, $\omega_{\Delta_{F}+1}=\cdots=\omega_{q-1}=0$ and $\omega_{q}=1$.

From [15], it is known that the differential spectrum of a power function satisfies several identities. It is natural to consider how it behaves with respect to the differential spectrum of any function. In this section, we give some identities of the differential spectrum of a general cryptographic function. Let $f$ be a polynomial over ${\mathbb{F}}_{q}$ with differential uniformity $\Delta_{f}$. We have the following theorem.