Differential biases, $c$ -differential uniformity, and their relation to differential attacks

Daniele Bartoli, Lukas Kölsch, and Giacomo Micheli D. Bartoli is with University of Perugia. Email: [email protected]. Kölsch and G. Micheli are with University of South Florida and the Center for Cryptographic Research at USF. Email: {koelsch,gmicheli}@usf.edu

Abstract

Differential cryptanalysis famously uses statistical biases in the propagation of differences in a block cipher to attack the cipher. In this paper, we investigate the existence of more general statistical biases in the differences. To this end, we discuss the $c$ -differential uniformity of S-boxes, which is a concept that was recently introduced in Ellingsen et. al. [IEEE Transactions on Information Theory, vol. 66, no. 9 (2020)] to measure certain statistical biases that could potentially be used in attacks similar to differential attacks. Firstly, we prove that a large class of potential candidates for S-boxes necessarily has large $c$ -differential uniformity for all but at most $B$ choices of $c$ , where $B$ is a constant independent of the size of the finite field $q$ . This result implies that for a large class of functions, certain statistical differential biases are inevitable.

In a second part, we discuss the practical possibility of designing a differential attack based on weaknesses of S-boxes related to their $c$ -differential uniformity.

Index Terms:

Differential attack, Substitution-Permutation Network,

c

-Differential Uniformity.

I Introduction

I-A Background on block ciphers and differential cryptanalysis

Block ciphers

A block cipher is a symmetric encryption scheme that transforms an $n$ -bit plaintext into an $n$ -bit ciphertext using a secret key. Block ciphers (like AES) constitute the majority of all symmetric ciphers in use today, and are a staple of modern cryptography. A classical construction of block ciphers is iterative, meaning that the entire cipher is a sequence of (generally simple and almost identical) round functions, see Figure 1 for a schematic illustration. A standard choice for a round function is a Substitution-Permutation Network (SPN), which consisting of a linear layer, sometimes called the permutation part and a substitution layer (usually several so called S-boxes running in parallel), with a key addition in between the rounds, see Figure 2 for a conceptual visualization.

Figure 1: An iterated (key-alternating) block cipher with

r

rounds and subkeys

k_{i}

that encrypts a plaintext

m

into a ciphertext

c

Figure 2: A high-level view of one round of an SPN with an S-box

S

, linear layer

L

and round key

k_{i}

Differential cryptanalysis

One of the most important attacks against block ciphers is the so-called differential attack introduced in [1], which also serves as a basis for more advanced attacks like boomerang attacks [2], rectangle attacks [3], or differential-linear attacks [4].

Let us briefly recall the main idea behind the classical differential attack. The attack uses that differences of plain texts propagate with different probabilities through the encryption process.

A cipher vulnerable to a differential attack has a (strongly) non-uniform distribution of differences that can then be exploited by a differential attack. The concept of difference used here is usually the XOR (i.e. addition in $\mathbb{F}_{2}^{n}$ ). The main reason for this is that the most standard design for SPNs uses key additions, i.e. the key is simply added to the message in between all rounds.

Clearly, we have $(x+\Delta+k)-(x+k)=(x+\Delta)-x$ , so the key addition process does not impact the propagation of differences at all. Further, the differences are also not impacted by the linear layer of SPNs, so the only part that has direct influence is the S-box layer, which makes both analysis and design considerably easier. For a function $F\colon\mathbb{F}_{2}^{n}\rightarrow\mathbb{F}_{2}^{n}$ , the differential attack thus considers the following distribution of probabilities, where $\Delta_{I}$ , $\Delta_{O}$ are the differences of plain and cipher texts, respectively:

P_{\Delta_{I},\Delta_{O}}=P_{x}(F(x+\Delta_{I})=\Delta_{O}+F(x)).

(1)

The main idea behind the differential attack is then that, because the key does not impact the propagation of differences, differences can be broken down over all rounds, so differential trails $(\Delta_{0},\dots,\Delta_{r})$ can be constructed which capture the probability that an input difference $\Delta_{0}$ propagates through an $r$ -round block cipher to an output difference $\Delta_{r}$ via intermediate differences $\Delta_{i}$ after the $i$ -th round. With the tacit assumption of uniformity, the differential analysis of the cipher can thus be broken down to analysing its constitutive rounds, which, in the case of an successful attack, allows the attacker to guess the key given enough plaintext - ciphertext pairs. To combat these differential attacks, the probabilities in Eq. (1) should be as uniform as possible.

Differential uniformities of S-boxes

As described above, the resistance of an SPN relies on its non-linear part, i.e. the choice of the S-box. The behaviour of an S-box $F$ with regard to differential attacks is measured by its Difference Distribution Table (DDT) and differential uniformity $\delta(F)$ which are defined as

	$\displaystyle\operatorname{DDT}_{F}[a,b]$	$\displaystyle=\#\{x\in\mathbb{F}_{2^{n}}\colon F(x+a)+F(x)=b\},$		(2)
	$\displaystyle\delta_{F}$	$\displaystyle=\max_{a\in{\mathbb{F}_{2}^{n}}^{*},b\in\mathbb{F}_{2}^{n}}\operatorname{DDT}_{F}[a,b].$		(3)

The lower the differential uniformity of $F$ , the better is its resistance against a differential attack.¹¹1Of course, the choice of the linear layer is also important for the resistance against a differential attack to maximize the number of active S-boxes. The best possible differential uniformity for S-boxes over binary finite fields is 2, those S-boxes are called almost perfect nonlinear (APN).

Alternative differences and $c$ -differential uniformities

The basic idea of the differential attack can be transferred to another group operation that substitutes the role of the XOR/addition. For example, multiplicative differentials were considered in [5]. Instead of investigating the propagation on pairs $(x,x+\Delta)$ , this kind of differential attack considers pairs $(x,\alpha\cdot x)$ , where the multiplication is the multiplication in the ring $\mathbb{Z}_{n}$ . These kind of attacks were motivated by a number of ciphers that did not just use a simple key addition, but instead relied on modular multiplication as a primitive operation. The authors of [6] use this motivation to consider a notion that tracks some statistical behaviour of the propagation of differences and is clearly inspired by the definition of the differential uniformity in (3). The definition uses a more general setting (not restricting to characteristic $2$ ), and uses the well known isomorphism (as vector spaces) of $\mathbb{F}_{p}^{n}$ and $\mathbb{F}_{p^{n}}$ .

Definition I.1.

[6, Definition 1] Let $F:\mathbb{F}_{p^{n}}\rightarrow\mathbb{F}_{p^{n}}$ , and $c\in\mathbb{F}_{p^{n}}$ . For $a,b\in\mathbb{F}_{p^{n}}$ , we let the entries of the $c$ -Difference Distribution Table ( $c$ -DDT) be defined by ${}_{c}\operatorname{DDT}_{F}[a,b]=\#{\{x\in\mathbb{F}_{p^{n}}:F(x+a)-cF(x)=b\}}$ . We call the quantity

{}_{c}\delta_{F}=\max\left\{{{}_{c}\operatorname{DDT}}_{F}[a,b]\,:\,a,b\in\mathbb{F}_{p^{n}},\text{ and }a\neq 0\text{ if $c=1$}\right\}

the $c$ -differential uniformity of $F$ .

In characteristic $2$ , the case $c=1$ clearly recovers the usual definition of DDT and differential uniformity in (2) and (3). Again, the function $F$ has minimal statistical bias if the $c$ -differential uniformity is as low as possible. If a function $F$ achieves the minimal possible $c$ -differential uniformity $1$ , we call it perfect $c$ -nonlinear (PcN).

Remark I.2.

Since our investigations in this paper are largely independent of the characteristic of the underlying finite field, following [6], we chose to discuss the $c$ -differential uniformity and its related concepts in full generality in all positive characteristics. We want to note that while symmetric cryptography in odd characteristic remains a rarity, there are some recent developments in this direction [7].

The new notion of $c$ -differential uniformity has led to much new research, counting more than a dozen papers in less than two years dedicated to it (see e.g. [8, 9, 10], and in particular the survey paper [11] and the references therein), usually focusing on determining the $c$ -differential uniformity of functions $F\colon\mathbb{F}_{p^{n}}\rightarrow\mathbb{F}_{p^{n}}$ that have seen use or are possible candidates for S-boxes. Despite the considerable attention that the $c$ -differentials have received, a practical analysis has so far been lacking.

I-B Our Contribution and organization of the paper

The study of the $c$ -differential uniformity serves as an example of two important and much more general questions for the design of block ciphers:

•

Is it possible to give general conditions when statistical biases for functions of a certain pattern are guaranteed?
•

If we know that a function has a statistical bias of a certain form, can we find a framework to analyze the possibility of a practical attack using this bias?

In this paper, we are going to give answers to these two questions using the example of biases encoded by $c$ -differential uniformities.

We want to emphasize that the purposes of this paper is to show that certain differential biases are essentially inevitable, and to provide a general discussion on whether it is possible to mount attacks based on those biases. It remains an open question whether these biases (that provably exist) can be used to mount a specific attack on a cipher that is currently in use.

Broadly speaking, the contribution of this paper is thus twofold: In Section II, we show that for a wide class of functions $F\colon\mathbb{F}_{p^{n}}\rightarrow\mathbb{F}_{p^{n}}$ the $c$ -differential uniformity is actually the worst possible for almost all $c$ . More precisely, we show in Theorem II.18 that in characteristic $2$ there is an explicit constant $B$ , independent of the size of the finite field $\mathbb{F}_{q}$ , such that for all $c$ ’s outside a set of size $B$ any function of odd degree whose first and second Hasse derivative is non-zero has worst possible $c$ -differential uniformity. Note that functions with second Hasse derivative equal to zero are highly non-generic and can be completely characterized (see Remark II.19). The proofs in this section use novel techniques for this line of research, relying on the theory of algebraic function fields, Galois theory, and algebraic geometry.

The results of Section II indicate that in many cases, some extreme statistical biases in the $c$ -differences are actually inevitable. This result of course leads to the obvious question whether or how one can use those biases to mount an attack on a cipher.

In Section III, we discuss the possibility of constructing such an attack. In particular, we investigate what kind of cipher could be theoretically vulnerable to an attack based on a statistical weakness in the $c$ -differential uniformity and we relate the $c$ -differential uniformity to a special kind of "regular" differential attack. To do this, we introduce a general form of differential uniformity using a (more arbitrary) binary operation $\circ$ replacing the usual XOR. We in particular investigate the interaction of these generalized differences with the linear layer and the key addition process of a standard SPN.

We finish our paper with a conclusion and some interesting practical and theoretical questions related to our results.

II On the $c$ -differential uniformity of low degree polynomials

Whereas most of the papers that appeared so far in the literature on $c$ -differential uniformities deal with monomials (see e.g. [12, 6, 8, 13, 14, 15, 16]), in this section, we investigate necessary constraints on polynomials with low (i.e. good) $c$ -differential uniformity. We start with a basic overview over the tools we employ to get the result.

II-A Tools and Notation

Global Function Fields and Galois Theory

We give a brief overview on function fields and Galois theory to the extent that is needed for this section. We broadly follow the notation from [17].

Let $\mathbb{F}_{q}(t)$ be the rational function field in the variable $t$ over the finite field of order $q$ . A function field $F$ is an algebraic extension of $\mathbb{F}_{q}(t)$ . The field of constants $k_{F}$ of $F$ is the subfield of elements of $F$ that are algebraic over $\mathbb{F}_{q}$ .

A valuation ring $\mathcal{O}$ is a subring of $F$ that contains $\mathbb{F}_{q}$ , is different from $F$ , and such that if $x\not\in\mathcal{O}$ , then $1/x\in\mathcal{O}$ . A place $P$ is the unique maximal ideal of a valuation ring $\mathcal{O}$ and it is principal. The valuation ring attached whose maximal ideal is the place $P$ is denoted by $\mathcal{O}_{P}$ .

Fix a place $P$ . Each element $z\in F\setminus\{0\}$ can be uniquely written as $z=t^{n}u$ , where $t$ is a prime element for a place $P$ and $u\in\mathcal{O}_{P}$ is invertible. We associate to $P$ a function $v_{P}:F\to\mathbb{Z}\cup\{\infty\}$ , called valuation at $P$ , defined as $v_{P}(z)=n$ , if $z=t^{n}u\in F\setminus\{0\}$ , and $v_{P}(z)=\infty$ , if $z=0$ .

An inclusion $F\subseteq L$ of function fields is said to be a function field extension, and we will denote it by $L:F$ . The degree of $L:F$ is simply the integer $[L:F]:=\dim_{F}(L)$ . If $P$ is a place of $F$ , there are $Q_{1},\dots,Q_{\ell}$ places of $L$ above $P$ , i.e. places of $L$ that contain $P$ . The relative degree of $Q_{i}$ over $P$ is the integer $f(Q_{i}\mid P)=[\mathcal{O}_{Q_{i}}/Q_{i}:\mathcal{O}_{P}/P]$ .

The ramification index $e(Q_{i}\mid P):=e$ of $Q_{i}$ over $P$ is a natural number such that

v_{Q_{i}}(x)=e\cdot v_{P}(x),\quad\forall x\in F.

We say that $Q_{i}\mid P$ is ramified if $e(Q_{i}\mid P)>1$ , and unramified if $e(Q_{i}\mid P)=1$ . The fundamental equality for function field extensions states

\sum^{\ell}_{i=1}f(Q_{i}\mid P)e(Q_{i}\mid P)=[L:F].

A finite separable extension of fields $M\supseteq F$ is said to be Galois if $\operatorname{Aut}_{F}(M):=\{f\in\operatorname{Aut}(M):\;f(x)=x\;\forall x\in F\}$ has size $[M:F]$ . Let us recall that every splitting field $M$ of a separable polynomial in $F[x]$ is a Galois extension of $F$ . Moreover, every Galois extension of $F$ can be seen as a splitting field of some polynomial in $F[x]$ .

Definition II.1.

Let $M:F$ be a Galois extension of function fields and let $R$ be a place of $M$ lying over a place $P$ of $F$ . Then we define the decomposition group as

D(R\mid P)=\{g\in G\mid g(R)=R\}

and the inertia group as

I(R\mid P)=\{g\in D(R\mid P)\mid v_{R}(g(s)-s)\geq 1\quad\forall s\in\mathcal{O}_{R}\}.

The following result is useful to connect the action of the Galois group on the roots to the intermediate splitting of places. See [18, Satz 1].

Lemma II.2.

Let $L:K$ be a finite separable extension of function fields, let $M$ be its Galois closure and $G:=\operatorname{Gal}(M:K)$ be its Galois group. Let $P$ be a place of $K$ and $\mathcal{Q}$ be the set of places of $L$ lying above $P$ . Let $R$ be a place of $M$ lying above $P$ . Then we have the following:

1.

There is a natural bijection between $\mathcal{Q}$ and the set of orbits of $H:=\mathrm{Hom}_{K}(L,M)$ under the action of the decomposition group $D(R\mid P)=\{g\in G\,\mid\,g(R)=R\}$ .
2.

Let $Q\in\mathcal{Q}$ and let $H_{Q}$ be the orbit of $D(R\mid P)$ corresponding to $Q$ . Then $|H_{Q}|=e(Q\mid P)f(Q\mid P)$ where $e(Q\mid P)$ and $f(Q\mid P)$ are ramification index and relative degree, respectively.
3.

The orbit $H_{Q}$ partitions further under the action of the inertia group $I(R\mid P)$ into $f(Q\mid P)$ orbits of size $e(Q\mid P)$ .

It follows immediately that

Corollary II.3.

If $L:F$ is ramified at $P$ then $D(R\mid P)$ is non-trivial. In particular, $L:F$ is ramified at $P$ if and only if $M:F$ is ramified at $P$ .

Notice that if $M:K$ is a Galois extension of function fields over $\mathbb{F}_{q}$ , then $kM:kK$ is Galois for any extension $k$ of $\mathbb{F}_{q}$ (including $k=\overline{\mathbb{F}}_{q})$ . It is well known, see for example [17], that the geometric Galois group is generated by the inertia groups.

Lemma II.4.

Let $L:K$ be a finite separable extension of function fields, let $M$ be its Galois closure and let $G:=\operatorname{Gal}(\overline{\mathbb{F}}_{q}M:\overline{\mathbb{F}}_{q}K)$ . Then $G$ is generated by the inertia groups $I(R\mid P)$ , i.e.

G=\langle I(R\mid P):\;P\;\text{place of $K$,}\quad R\mid P,\quad R\;\text{place of $M$}\rangle.

The following result can be deduced from [19].

Theorem II.5.

[20, Theorem 3.3] Let $p$ be a prime number, $m$ a positive integer, and $q=p^{m}$ . Let $L:F$ be a separable extension of global function fields over $\mathbb{F}_{q}$ of degree $n$ , $M$ be the Galois closure of $L:F$ , and suppose that the field of constants of $M$ is $\mathbb{F}_{q}$ . There exists an explicit constant $C\in\mathbb{R}^{+}$ depending only on the genus of $M$ and the degree of $L:F$ such that if $q>C$ then $L:F$ has a totally split place.

The following corollary shows that we can deduce arithmetic information (splitting over $\mathbb{F}_{q}$ ) from geometric information (splitting over $\overline{\mathbb{F}}_{q}$ , i.e. ramification).

Corollary II.6.

Let $p$ be a prime number, $m$ a positive integer, and $q=p^{m}$ . Let $L:F$ be a separable extension of global function fields over $\mathbb{F}_{q}$ of degree $n$ , $M$ be the Galois closure of $L:F$ . Then if $\operatorname{Gal}(\overline{\mathbb{F}}_{q}M:\overline{\mathbb{F}}_{q}F)=S_{n}$ , we have that $L:F$ has a totally split place (over $\mathbb{F}_{q}$ ).

Proof.

It is a standard fact that the Galois group of $\overline{\mathbb{F}}_{q}M:\overline{\mathbb{F}}_{q}F$ is equal to the Galois group of $M:k_{F}F$ , where $k_{F}$ is the constant field of $M$ . Therefore, since $S_{n}=\operatorname{Gal}(M:k_{F}F)\leq\operatorname{Gal}(M:F)\leq S_{n}$ , we have that $k_{F}=\mathbb{F}_{q}$ by the Galois correspondence, and the final claim follows using Theorem II.5.

∎

The following result follows from [21, Proposition 1, Page 275].

Proposition II.7.

Let $G$ be a transitive subgroup of $S_{n}$ generated by transpositions. Then $G=S_{n}$ .

Curves and Varieties over Finite Fields

As a notation, $\mathbb{P}^{r}(\mathbb{F}_{q})$ and $\mathbb{A}^{r}(\mathbb{F}_{q})$ denote the projective and the affine space of dimension $r\in\mathbb{N}$ over the finite field $\mathbb{F}_{q}$ , $q$ a prime power. In the cases $r=2$ and $r=3$ we denote by $\ell_{\infty}:=\mathbb{P}^{2}(\mathbb{F}_{q})\setminus\mathbb{A}^{2}(\mathbb{F}_{q})$ and $H_{\infty}:=\mathbb{P}^{3}(\mathbb{F}_{q})\setminus\mathbb{A}^{3}(\mathbb{F}_{q})$ the line and the plane at infinity respectively. A variety and more specifically a curve, i.e. a variety of dimension 1, is described by a certain set of equations with coefficients in a finite field $\mathbb{F}_{q}$ . We say that a variety $\mathcal{V}$ is absolutely irreducible if there are no varieties $\mathcal{V}^{\prime}$ and $\mathcal{V}^{\prime\prime}$ defined over the algebraic closure of $\mathbb{F}_{q}$ and different from $\mathcal{V}$ such that $\mathcal{V}=\mathcal{V}^{\prime}\cup\mathcal{V}^{\prime\prime}$ . If a variety $\mathcal{V}\subset\mathbb{P}^{r}(\mathbb{F}_{q})$ is defined by homogeneous polynomials $F_{i}(X_{0},\ldots,X_{r})=0$ , for $i=1,\ldots,s$ , an $\mathbb{F}_{q}$ -rational point of $\mathcal{V}$ is a point $(x_{0}:\ldots:x_{r})\in\mathbb{P}^{r}(\mathbb{F}_{q})$ such that $F_{i}(x_{0},\ldots,x_{r})=0$ , for $i=1,\ldots s$ . A point is affine if $x_{0}\neq 0$ . The set of the $\mathbb{F}_{q}$ -rational points of $\mathcal{V}$ is usually denoted by $\mathcal{V}(\mathbb{F}_{q})$ . We denote by the same symbol homogenized polynomials and their dehomogenizations, if the context is clear. For a more comprehensive introduction to algebraic varieties and curves we refer to [22, 23].

In this paper we will mostly make use of hypersurfaces, i.e varieties in $\mathbb{P}^{r}(\mathbb{F}_{q})$ of dimension $r-1$ , and specifically curves ( $r=2$ ) and surfaces ( $r=3$ ). Any hypersurface is defined by a unique homogeneous $f(X_{0},\ldots,X_{r})$ polynomial in $r+1$ variables. For the sake of convenience, for a hypersurface $\mathcal{W}:f(X_{0},\ldots,X_{r})=0$ we will also make use of its affine equation $f(1,X_{1}\ldots,X_{r})=0$ .

Singular points of algebraic curves and surfaces can be investigated via the so-called Hasse derivative; see also [22, Page 148].

Definition II.8 ([24]).

Let $F(X_{1},\ldots,X_{r})\in\mathbb{F}_{q}[X_{1},\ldots,X_{r}]$ be a polynomial. For any $\alpha_{1},\ldots,\alpha_{r}\in\overline{\mathbb{F}}_{q}$ , $F(X_{1}+\alpha_{1},\ldots,X_{r}+\alpha_{r})$ can be written uniquely as

F(X_{1}+\alpha_{1},\ldots,X_{r}+\alpha_{r})=\sum_{(i_{1},\ldots,i_{r})\in\mathbb{N}^{r}}F^{(i_{1},\ldots,i_{r})}(\alpha_{1},\ldots,\alpha_{r})X_{1}^{i_{1}}\cdots X_{r}^{i_{r}},

for some polynomials $F^{(i_{1},\ldots,i_{r})}(X_{1},\ldots,X_{r})\in\mathbb{F}_{q}[X_{1},\ldots,X_{r}]$ . For a given multi-index $i=(i_{1},\ldots,i_{r})\in\mathbb{N}^{r}$ , we define the $i$ -th Hasse derivative of $F(X_{1},\ldots,X_{r})$ as the polynomial $F^{(i_{1},\ldots,i_{r})}(X_{1},\ldots,X_{r})\in\mathbb{F}_{q}[X_{1},\ldots,X_{r}]$ .

It can be seen that for any monomial $X_{1}^{j_{1}}\cdots X_{r}^{j_{r}}$ its $i=(i_{1},\ldots,i_{r})$ -th Hasse derivative is

\binom{i_{1}}{j_{1}}\cdots\binom{i_{r}}{j_{r}}X_{1}^{j_{1}-i_{1}}\cdots X_{r}^{j_{r}-i_{r}}

and vanishes if $i_{k}>j_{k}$ for some $k$ ; see also [25].

As a notation, if a polynomial $f$ is univariate, we denote its derivatives as $f^{\prime}$ , $f^{\prime\prime}$ , ….

Let $F(X,Y)\in\mathbb{F}_{q}[X,Y]$ be a polynomial defining an affine plane curve $\mathcal{C}$ , let $P=(u,v)\in\mathbb{A}^{2}(\mathbb{F}_{q})$ be a point in the plane, and write

F(X+u,Y+v)=F_{0}(X,Y)+F_{1}(X,Y)+F_{2}(X,Y)+\cdots,

where $F_{i}$ is either zero or homogeneous of degree $i$ .

The multiplicity of $P\in\mathcal{C}$ , written as $m_{P}(\mathcal{C})$ , is the smallest integer $m$ such that $F_{m}\neq 0$ and $F_{i}=0$ for $i<m$ ; the polynomial $F_{m}$ is the tangent cone of $\mathcal{C}$ at $P$ . A linear divisor of the tangent cone is called a tangent of $\mathcal{C}$ at $P$ . The point $P$ is on the curve $\mathcal{C}$ if and only if $m_{P}(\mathcal{C})\geq 1$ . If $P$ is on $\mathcal{C}$ , then $P$ is a simple point of $\mathcal{C}$ if $m_{P}(\mathcal{C})=1$ , otherwise $P$ is a singular point of $\mathcal{C}$ . A quick criterion to decide whether an affine point $P$ is singular is the following: $P$ is singular if and only if $F(P)=F^{(1,0)}(P)=F^{(0,1)}(P)=0$ .

It is possible to define in a similar way the multiplicity of an ideal point of $\mathcal{C}$ , that is a point of the curve lying on the line at infinity.

Given two plane curves $\mathcal{A}$ and $\mathcal{B}$ and a point $P$ on the plane, the intersection number $I(P,\mathcal{A}\cap\mathcal{B})$ of $\mathcal{A}$ and $\mathcal{B}$ at the point $P$ can be defined by seven axioms. We do not include its precise and long definition here. For more details, we refer to [26] and [22] where the intersection number is defined equivalently in terms of local rings and in terms of resultants, respectively.

Concerning the intersection number, the following two classical results can be found in most of the textbooks on algebraic curves.

Lemma II.9.

Let $\mathcal{A}$ and $\mathcal{B}$ be two plane curves. For any affine point $P$ , the intersection number satisfies the inequality

I(P,\mathcal{A}\cap\mathcal{B})\geq m_{P}(\mathcal{A})m_{P}(\mathcal{B}),

with equality if and only if the tangents at $P$ to $\mathcal{A}$ are all distinct from the tangents at $P$ to $\mathcal{B}$ .

Theorem II.10 (Bézout’s Theorem).

Let $\mathcal{A}$ and $\mathcal{B}$ be two projective plane curves over an algebraically closed field $\mathbb{K}$ , having no component in common. Let $A$ and $B$ be the polynomials associated with $\mathcal{A}$ and $\mathcal{B}$ respectively. Then

\sum_{P}I(P,\mathcal{A}\cap\mathcal{B})=\deg A\cdot\deg B,

where the sum runs over all points in the projective plane $\mathbb{P}^{2}(\mathbb{K})$ .

Concerning surfaces in $\mathbb{P}^{3}(\mathbb{F}_{q})$ , i.e. variety of dimension 2 defined by a homogeneous polynomial $F(X,Y,Z,T)\in\mathbb{F}_{q}[X,Y,Z,T]$ , the same definitions for singular points and multiplicity hold. In particular a point $P$ is singular for a surface $\mathcal{S}:F(X,Y,Z,T)=0$ if and only if

F(P)=F^{(1,0,0,0)}(P)=F^{(0,1,0,0)}(P)=F^{(0,0,1,0)}(P)=F^{(0,0,0,1)}(P)=0.

The following is a simple result about the irreducibility of plane sections of absolutely irreducible surfaces. We include here its proof for the sake of clarity.

Proposition II.11.

Let $\mathcal{S}\subset\mathbb{P}^{3}(\mathbb{F}_{q})$ be an absolutely irreducible surface and consider a plane $\pi$ . A singular point $O$ for the curve $\pi\cap\mathcal{S}$ is either a singular point for $\mathcal{S}$ or $\pi$ is the tangent plane to $\mathcal{S}$ at $O$ . In particular, if $\pi\cap\mathcal{S}$ is reducible then either $\pi$ is the tangent plane at some point of $\pi\cap\mathcal{S}$ or $\pi$ contains a singular point of $\mathcal{S}$ .

Proof.

Without loss of generality we can suppose that $O$ is the origin and $\pi:Z=0$ and that $\mathcal{C}:=\pi\cap\mathcal{S}:F(X,Y)=0$ , for some polynomial $F\in\mathbb{F}_{q}[X,Y]$ with $F(0,0)=F^{(1,0)}(0,0)=F^{(0,1)}(0,0)=0$ . This means that the affine equation of $\mathcal{S}$ is of type $F(X,Y)+ZH(X,Y,Z)=0$ for some $H(X,Y,Z)\in\mathbb{F}_{q}[X,Y,Z]$ . Now, either there exists a constant term in $H(X,Y,Z)$ and thus $O$ is nonsingular for $\mathcal{S}$ and $\pi$ is the tangent plane at $O$ to $\mathcal{S}$ or $H(X,Y,Z)$ possesses monomials of degree at least one and thus $O$ is a singular point for $\mathcal{S}$ .

The second part of the claim directly follows, observing that if $\mathcal{C}:=\pi\cap\mathcal{S}$ is reducible then the curve $\mathcal{C}$ possesses singular points (possibly defined over $\overline{\mathbb{F}}_{q}$ ).

∎

Finally, we include here references for estimates on the number of $\mathbb{F}_{q}$ -rational points of algebraic varieties over finite fields. The most celebrated result is the Hasse-Weil Theorem.

Theorem II.12.

[Hasse-Weil bound for curves] Let $\mathcal{C}\subset\mathbb{P}^{n}(\mathbb{F}_{q})$ be a projective absolutely irreducible non-singular curve of genus $g$ defined over $\mathbb{F}_{q}$ . Then

q+1-2g\sqrt{q}\leq\#\mathcal{C}(\mathbb{F}_{q})\leq q+1+2g\sqrt{q}.

(4)

If $\mathcal{C}$ is a non-singular plane curve, then $g=(d-1)(d-2)/2$ , where $d$ is the degree of the curve $\mathcal{C}$ , and (4) reads

q+1-(d-1)(d-2)\sqrt{q}\leq\#\mathcal{C}(\mathbb{F}_{q})\leq q+1+(d-1)(d-2)\sqrt{q}.

(5)

If the curve $\mathcal{C}$ is singular, there is some ambiguity in defining what an $\mathbb{F}_{q}$ -rational point of $\mathcal{C}$ actually is. Clearly, if $\mathcal{C}$ is non-singular, then there is a bijection between $\mathbb{F}_{q}$ -rational places (or branches) of the function field associated with $\mathcal{C}$ and $\mathbb{F}_{q}$ -rational points of $\mathcal{C}$ . In the singular case, this is no more true. We refer the interested readers to [22, Section 9.6] where other relations are investigated. We point out that actually the bound (5) holds even for singular (absolutely irreducible) curves; [27, Corollary 2.5].

Concerning algebraic varieties of dimension larger than one, the first estimate on the number of $\mathbb{F}_{q}$ -rational points was given by Lang and Weil [28] in 1954.

Theorem II.13.

[Lang-Weil Theorem] Let $\mathcal{V}\subset\mathbb{P}^{N}(\mathbb{F}_{q})$ be an absolutely irreducible variety of dimension $n$ and degree $d$ . Then there exists a constant $C$ depending only on $N$ , $n$ , and $d$ such that

\left|\#\mathcal{V}(\mathbb{F}_{q})-\sum_{i=0}^{n}q^{i}\right|\leq(d-1)(d-2)q^{n-1/2}+Cq^{n-1}.

(6)

Although the constant $C$ was not computed in [28], explicit estimates have been provided for instance in [29, 30, 31, 32, 33, 34] and they have the general shape $C=f(d)$ provided that $q>g(n,d)$ , where $f$ and $g$ are polynomials of (usually) small degree. We refer to [29] for a survey on these bounds.

II-B Results on the $c$ -differential uniformity

In what follows we will consider polynomials $f(x)\in\mathbb{F}_{q}[x]\setminus\mathbb{F}_{q}[x^{p}]$ , $q=p^{n}$ , which are not monomials. Note that the polynomials $f(x)\in\mathbb{F}_{q}[x^{p}]$ are not a good choice for an S-box because the map $x\mapsto x^{p}$ is linear.

The first result we show concerns the 2-transitivity of the geometric Galois group of $F=f(x+a)-cf(x)-t\in\mathbb{F}_{q}(t)[X]$ .

Lemma II.14.

Let $q=p^{n}$ , $p$ a prime, and $f\in\mathbb{F}_{q}[x]\setminus\mathbb{F}_{q}[x^{p}]$ , with $d=\deg(f)$ , $p\nmid d(d-1)$ , and suppose that $f(x)$ is not a monomial. Then, the number of $c\in\mathbb{F}_{q}$ for which there exists $a\in\mathbb{F}_{q}^{*}$ such that the geometric Galois group of $F=f(x+a)-cf(x)-t\in\mathbb{F}_{q}(t)[X]$ is not 2-transitive is bounded by an explicit constant $B$ independent of $q$ .

Proof.

It is well known that the geometric Galois group of $F$ is 2-transitive if and only if the curve $(F(X)-F(Y))/(X-Y)=0$ is absolutely irreducibile; see for instance [35, Theorem 6.11].

Consider the surface

\displaystyle\mathcal{W}_{c}

\displaystyle:

\displaystyle\frac{f(X+Z)-cf(X)-f(Y+Z)+cf(Y)}{X-Y}=0.

Note that since $f(x)$ is not a monomial, $\mathcal{W}_{c}$ is actually a surface and not a curve.

The intersection $\mathcal{W}_{c}\cap H_{\infty}$ with the hyperplane at infinity is the curve

\displaystyle\mathcal{C}

\displaystyle:

\displaystyle\frac{(X+1)^{d}-cX^{d}-(Y+1)^{d}+cY^{d}}{(X-Y)}=0

and by [36, Theorems 4.1 and 4.2] whenever $c\notin N_{d-1}:=\{\xi^{i}(1-xi^{j})/(1-\xi^{k}):i,j,k\in\{0,\ldots,d-2\},k,j\neq 1\}$ , where $\xi$ is a primitive $(d-1)$ -th root of unity in $\overline{\mathbb{F}}_{q}$ , $\mathcal{C}_{c}$ is nonsingular and therefore absolutely irreducible.

This shows that for any $c\notin N_{d-1}$ the surface $\mathcal{W}_{c}$ is absolutely irreducible.

From now on we pick up $c\notin N_{d-1}$ . We want to bound the total number of singular points of $\mathcal{W}_{c}$ . First note that they are only affine since $\mathcal{C}_{c}$ is nonsingular.

A point $P=(\alpha,\alpha,\gamma)$ is singular for $\mathcal{W}_{c}$ only if it is of multiplicity three for $\varphi(X,Y,Z):=f(X+Z)-cf(X)-f(Y+Z)+cf(Y)=0$ , since $P$ is of multiplicity one for the denominator $X-Y=0$ . This happens only if

	$\displaystyle\varphi(P)$	$\displaystyle=$	$\displaystyle\varphi^{(1,0,0)}(P)=\varphi^{(0,1,0)}(P)=\varphi^{(0,0,1)}(P)=\varphi^{(2,0,0)}(P)=\varphi^{(0,2,0)}(P)$
		$\displaystyle=$	$\displaystyle\varphi^{(1,1,0)}(P)=\varphi^{(0,1,1)}(P)=\varphi^{(1,0,1)}(P)=\varphi^{(0,0,2)}(P)=0.$

In particular

\varphi^{(1,0,1)}(P)=f^{\prime\prime}(\alpha+\gamma)=0=f^{\prime\prime}(\alpha+\gamma)-cf^{\prime\prime}(\alpha)=\varphi^{(2,0,0)}(P)

and thus $f^{\prime\prime}(\alpha+\gamma)=f^{\prime\prime}(\alpha)=0$ and there are at most $(d-2)^{2}$ possibilities for $(\alpha,\alpha,\gamma)$ .

Consider now singular points of $\mathcal{W}_{c}$ off $X-Y=0$ . In particular, they satisfy

\begin{cases}f(X+Z)-cf(X)-f(Y+Z)+cf(Y)=0\\ f^{\prime}(X+Z)-cf^{\prime}(X)=0\\ f^{\prime}(Y+Z)-cf^{\prime}(Y)=0.\end{cases}

Such a system defines a variety $\mathcal{U}_{c}$ which is the intersection of three surfaces in $\mathbb{P}^{3}(\mathbb{F}_{q})$ and $\mathcal{U}_{c}$ is of dimension $0$ . To see this it is enough to observe that $\mathcal{U}_{c}\cap H_{\infty}$ is precisely the set of of singular points of $\mathcal{C}$ which is empty. This means that $\mathcal{U}_{c}$ cannot be of dimension larger than $0$ otherwise $\#(H_{\infty}\cap\mathcal{U}_{c})$ would be positive. This shows that for any $c\notin N_{d-1}$ the number of singular points of $\mathcal{W}_{c}$ is $O(1)$ .

Now we bound the number of tangent planes to $\mathcal{W}_{c}$ of the type $\pi_{z}:Z=z$ . Clearly, if $\pi_{z}$ is tangent at $P=(\alpha,\beta,z)\in\mathcal{W}_{c}$ then in particular

\begin{cases}f(\alpha+z)-cf(\alpha)-f(\beta+z)+cf(\beta)=0\\ f^{\prime}(\alpha+z)-cf^{\prime}(\alpha)=0\\ f^{\prime}(\beta+z)-cf^{\prime}(\beta)=0,\end{cases}

if $\alpha\neq\beta$ and

f^{\prime\prime}(\alpha+z)-cf^{\prime\prime}(\alpha)=0=f^{\prime}(\alpha+z)-cf^{\prime}(\alpha)

if $\alpha=\beta$ . In the former case we already saw that the number of solutions $(\alpha,\beta,z)$ is finite. In the latter case the two plane curves

f^{\prime\prime}(X+Z)-cf^{\prime\prime}(Z)=0

and

f^{\prime}(X+Z)-cf^{\prime}(Z)=0

do not share any component since their intersections with the line $\ell_{\infty}$ are disjoint and thus by Bézout’s Theorem the number of intersection points, and thus the number of $(\alpha,\alpha,z)$ is $O(1)$ . This shows that there is $O(1)$ of $z\in\overline{\mathbb{F}}_{q}$ such that $\pi_{z}$ is tangent to $\mathcal{W}_{c}$ . The claim now follows from Proposition II.11.

∎

Remark II.15.

Note that in the lemma above the constant $B$ can be taken as $(d-2)^{3}$ .

As a byproduct of the lemma above we can easily deal with the case ${}_{c}\delta_{F}=1$ .

Corollary II.16.

Let $q=p^{n}$ , $p$ a prime, and $f\in\mathbb{F}_{q}[x]\setminus\mathbb{F}_{q}[x^{p}]$ , with $d=\deg(f)$ , $p\nmid d(d-1)$ , and suppose that $f(x)$ is not a monomial. Then, the number of $c\in\mathbb{F}_{q}$ for which $f$ can be P $c$ N is bounded by an explicit constant $B$ independent of $q$ .

Proof.

Consider again the surface

\displaystyle\mathcal{W}_{c}

\displaystyle:

\displaystyle\frac{f(X+Z)-cf(X)-f(Y+Z)+cf(Y)}{X-Y}=0.

In the proof of Lemma II.14 it has already been proved that $\mathcal{W}_{c}$ is absolutely irreducible whenever $c$ does not belong to a specific set of values of size at most $(d-2)^{3}$ . By Lang-Weil Theorem the number of affine $\mathbb{F}_{q}$ -rational points of $\mathcal{W}_{c}$ is lower-bounded by

q^{2}-A(d)q^{3/2},

where $A(d)$ is an absolute constant depending only on the degree of $\mathcal{W}_{c}$ . The set of parallel planes $\pi_{a}:Z-a=0$ , $a\in\mathbb{F}_{q}$ , partition the set of its affine $\mathbb{F}_{q}$ -rational points and thus there exists at least an $\overline{a}\in\mathbb{F}_{q}^{*}$ such that $\#(\pi_{\overline{a}}\cap\mathcal{W}_{c})\geq q-A(d)q^{1/2}$ . This means that the curve

\displaystyle\mathcal{C}_{c,\overline{a}}

\displaystyle:

\displaystyle\frac{f(X+a)-cf(X)-f(Y+a)+cf(Y)}{X-Y}=0

has at least $q-A(d)q^{1/2}$ affine points and thus, since the line $X-Y=0$ is not a component of $\mathcal{C}_{c,\overline{a}}$ , $\mathcal{C}_{c,\overline{a}}$ possesses at least $q-A(d)q^{1/2}-d$ affine $\mathbb{F}_{q}$ -rational points off $X-Y=0$ and thus $f(X+a)-cf(X)$ is not a permutation polynomial and $f$ is not P $c$ N.

∎

Remark II.17.

In the corollary above the constant $B$ arises from Lang-Weil Theorem and thus it can be computed applying the results in [29, 30, 31, 32, 33, 34]. For instance, applying [29, Theorem 7.1] one can see that $B$ can be chosen as $\max\{6.3d^{13/3},(d-2)^{2}\}$ .

Our main result of this section is the following.

Theorem II.18 (Main Result).

Let $q=p^{n}$ , $p$ a prime, and $f\in\mathbb{F}_{q}[x]\setminus\mathbb{F}_{q}[x^{p}]$ , $f$ not a monomial, with $d=\deg(f)$ . Suppose that one of the following holds:

1.

$p=2$ , $d$ is odd, and both the Hasse derivatives $f^{\prime}$ and $f^{\prime\prime}$ do not vanish;
2.

$p>2$ and $d\not\equiv 0,1\pmod{p}$ .

The number of $c\in\mathbb{F}_{q}$ for which ${}_{c}\delta_{F}<\deg(f)$ is bounded by an explicit constant $B$ independent of $q$ .

Remark II.19.

•

As it will be clear from the proofs of the ancillary results below, the constant $B$ in the statement of Theorem II.18 is smaller than $4d^{2}$ .
•

The condition on the Hasse derivatives in Theorem II.18 is not very restrictive. Indeed, the polynomials that violate these conditions can be classified explicitly: The polynomials $f$ in $\mathbb{F}_{2^{n}}[x]$ such that the first Hasse derivative is zero live in $\mathbb{F}_{2^{n}}[x^{2}]$ , and the ones for which the second Hasse derivative is zero are exactly the ones of the form

$x\left(\sum^{s}_{i=0}a_{i}x^{i}\right)^{4}+\left(\sum^{s}_{i=0}b_{i}x^{i}\right)^{4}.$

For instance, note that a sufficient condition for which both Hasse derivatives $f^{\prime}$ and $f^{\prime\prime}$ do not vanish is the existence of at least one monomial in $f(x)$ of degree $i\equiv 3\pmod{4}$ .
•

Theorem II.18 states that if $\deg(f)$ is small compared to the field size $q$ , it is inevitable that there exist many $c\in\mathbb{F}_{q}$ such that ${}_{c}\delta_{F}=\deg(f)$ , which is the maximal possible (and thus worst) $c$ -uniformity. Note that $\deg(f)$ here refers to the degree of $f$ as a polynomial and not to the algebraic degree (which is in the characteristic 2 case equivalent to the highest binary weight of a monomial of $f$ ). This means that this result even applies to functions with high algebraic degree since it is clearly possible that a function with high algebraic degree has comparatively low degree as a polynomial.

The proof of Theorem II.18 involves the two surfaces

	$\displaystyle\mathcal{W}_{1}$	$\displaystyle:$	$\displaystyle\frac{f^{\prime}(X+Z)(f(Y)-f(X))-(f(Y+Z)-f(X+Z))f^{\prime}(X)}{(X-Y)Z}=0,$
	$\displaystyle\mathcal{W}_{2}$	$\displaystyle:$	$\displaystyle\frac{f^{\prime}(Y+Z)f^{\prime}(X)-f^{\prime}(X+Z)f^{\prime}(Y)}{(X-Y)Z}=0.$

Note that at this first step we strongly need that the polynomial $f$ is not a monomial, otherwise $\mathcal{W}_{1}$ and $\mathcal{W}_{2}$ are curves, being defined by a homogeneous polynomial in three variables, and our arguments do not apply.

Proposition II.20.

Let $q=p^{n}$ , $p\nmid d$ . The two surfaces $\mathcal{W}_{1}$ and $\mathcal{W}_{2}$ do not share any component.

Proof.

Consider the two curves $\mathcal{C}_{1}:=\mathcal{W}_{1}\cap H_{\infty}$ and $\mathcal{C}_{2}:=\mathcal{W}_{2}\cap H_{\infty}$ . Then

\mathcal{C}_{1}:\frac{(X+1)^{d-1}(Y^{d}-X^{d})-X^{d-1}((Y+1)^{d}-(X+1)^{d})}{X-Y}=0

and

\mathcal{C}_{2}:\frac{(Y+1)^{d-1}X^{d-1}-(X+1)^{d-1}Y^{d-1}}{X-Y}=0.

It is readily seen that $\mathcal{C}_{2}$ factorizes as

\prod_{\xi}\Big{(}(Y+1)X-\xi(X+1)Y\Big{)}=0,

where $\xi$ runs over the set of the $d-1$ -th roots of unity distinct from $1$ .

Let $\ell_{\xi}:(Y+1)X-\xi(X+1)Y=0$ be one of the components of $\mathcal{C}_{2}$ . In order to show that $\ell_{\xi}\not\subset\mathcal{C}_{2}$ , consider

\begin{cases}(Y+1)X-\xi(X+1)Y=0\\ (X+1)^{d-1}(Y^{d}-X^{d})-X^{d-1}((Y+1)^{d}-(X+1)^{d})=0.\\ \end{cases}

Since $(Y+1)X-\xi(X+1)Y=0$ , $(Y+1)^{d-1}X^{d-1}=(X+1)^{d-1}Y^{d-1}$ and thus $(Y+1)^{d}X^{d-1}=(X+1)^{d-1}Y^{d-1}(Y+1)$ . So

	$\displaystyle(X+1)^{d-1}(Y^{d}-X^{d})-X^{d-1}((Y+1)^{d}-(X+1)^{d})=$
	$\displaystyle(X+1)^{d-1}(Y^{d}-X^{d})-(X+1)^{d-1}Y^{d-1}(Y+1)+X^{d-1}(X+1)^{d}=$
	$\displaystyle(X+1)^{d-1}\Big{(}(Y^{d}-X^{d})-Y^{d-1}(Y+1)+X^{d-1}(X+1)\Big{)}=$
	$\displaystyle(X+1)^{d-1}\Big{(}X^{d-1}-Y^{d-1}\Big{)}\not\equiv 0.$

Since $\mathcal{C}_{1}$ and $\mathcal{C}_{2}$ do not share any component, so do the surfaces $\mathcal{W}_{1}$ and $\mathcal{W}_{2}$ .

∎

Proposition II.21.

Let $q>(2d-2)(2d-3)+1$ , $q=p^{n}$ , $f(x)\in\mathbb{F}_{q}[x]\setminus\mathbb{F}_{q}[x^{p}]$ not a monomial, $p\nmid d=\deg(f)$ . There exists a set $\Theta_{c}\subset\mathbb{F}_{q}$ of size at most $(2d-2)(2d-3)$ such that for any $c\in\mathbb{F}_{q}\setminus\Theta_{c}$ there exists at least an $a_{c}\in\mathbb{F}_{q}^{*}$ such that $f(x+a_{c})-cf(x)=t$ has at most one multiple root in $\overline{\mathbb{F}}_{q}$ for any fixed $t\in\overline{\mathbb{F}}_{q}$ .

Proof.

Consider the system

\begin{cases}f(x_{1}+a)-cf(x_{1})=t\\ f(x_{2}+a)-cf(x_{2})=t\\ f^{\prime}(x_{1}+a)-cf^{\prime}(x_{1})=0\\ f^{\prime}(x_{2}+a)-cf^{\prime}(x_{2})=0\\ a(x_{1}-x_{2})\neq 0.\end{cases}

The solutions $(\overline{x_{1}},\overline{x_{2}},\overline{a},\overline{c},\overline{t})$ of this system correspond to values $\overline{a},\overline{c},\overline{t}$ for which there exist two multiple roots of $f(x+\overline{a})-\overline{c}f(x)=\overline{t}$ .

The above system is equivalent to

\begin{cases}f(x_{1}+a)-cf(x_{1})=t\\ \frac{f(x_{2}+a)-f(x_{1}+a)}{f(x_{2})-f(x_{1})}=c\\ a(x_{1}-x_{2})\neq 0\\ \frac{f^{\prime}(x_{1}+a)(f(x_{2})-f(x_{1}))-(f(x_{2}+a)-f(x_{1}+a))f^{\prime}(x_{1})}{a(x_{1}-x_{2})}=0\\ \frac{f^{\prime}(x_{2}+a)f^{\prime}(x_{1})-f^{\prime}(x_{1}+a)f^{\prime}(x_{2})}{a(x_{1}-x_{2})}=0.\\ \end{cases}

(7)

The last two equations define the surfaces $\mathcal{W}_{1}$ and $\mathcal{W}_{2}$ considered in Proposition II.20. Since such surfaces do not share any component, their intersection is of dimension one (i.e. union of curves) and of degree at most $(2d-2)(2d-3)$ .

Thus, apart from a small (at most $(2d-2)(2d-3)$ ) number of $a$ , the intersection $W_{1}\cap W_{2}\cap(Z=a)$ consists of at most $(2d-2)(2d-3)$ points (on the algebraic closure $\overline{\mathbb{F}}_{q}$ ). Since $q>(2d-2)(2d-3)+1$ , there exists $\overline{a}\in\mathbb{F}_{q}^{*}$ for which the total number of solutions $(x_{1},x_{2},c,t)$ of System (7) is upped bounded by $(2d-2)(2d-3)$ . Let $\Theta$ be the set of all the solutions of System (7) for such an $\overline{a}$ and consider $\Theta_{c}:=\{c\in\mathbb{F}_{q}:\exists(\overline{x_{1}},\overline{x_{2}},c,\overline{t})\in\Theta\}$ . Clearly $\#\Theta_{c}\leq\#\Theta\leq(2d-2)(2d-3)$ . Thus, for any $c\in\mathbb{F}_{q}\setminus\Theta_{c}$ we have that $f(x+\overline{a})-cf(x)=t$ has at most one multiple root $x_{1}$ for any fixed $t\in\overline{\mathbb{F}}_{q}$ and the claim follows.

∎

Proposition II.22.

Let $q>\max\{2d-4,(d-1)^{2}\}$ , $q=p^{n}$ , $f(x)\in\mathbb{F}_{q}[x]\setminus\mathbb{F}_{q}[x^{p}]$ not a monomial, $d=\deg(f)$ , and $p\nmid d(d-1)$ . There exists a set $\Theta^{\prime}_{c}\subset\mathbb{F}_{q}$ of size at most $2d-4$ such that for any $c\in\mathbb{F}_{q}\setminus\Theta^{\prime}_{c}$ there exists at least an $a_{c}\in\mathbb{F}_{q}^{*}$ such that $f(x+a_{c})-cf(x)=t$ has no root in $\overline{\mathbb{F}}_{q}$ of multiplicity larger than $2$ for any fixed $t\in\overline{\mathbb{F}}_{q}$ .

Proof.

Consider the system

\begin{cases}f(x+a)-cf(x)=t\\ f^{\prime}(x+a)-cf^{\prime}(x)=0\\ f^{\prime\prime}(x+a)-cf^{\prime\prime}(x)=0\\ a\neq 0.\end{cases}

Any solution $(\overline{x},\overline{a},\overline{t},\overline{c})$ provides values $\overline{a},\overline{t},\overline{c}$ such that $f(x+\overline{a})-\overline{c}f(x)=\overline{t}$ has a root of multiplicity at least three.

The system above is equivalent to

\begin{cases}f(x+a)-cf(x)=t\\ f^{\prime}(x+a)-cf^{\prime}(x)=0\\ a\neq 0\\ \frac{f^{\prime}(x)f^{\prime\prime}(x+a)-f^{\prime}(x+a)f^{\prime\prime}(x)}{a}=0.\\ \end{cases}

(8)

The last equation in System (8) is a non-vanishing equation of degree $2d-4$ for any $a$ . To see this, let $f(x)=x^{d}+\alpha x^{d-1}+\cdots$ and thus

	$\displaystyle f^{\prime}(x)$	$\displaystyle=$	$\displaystyle dx^{d-1}+\alpha(d-1)x^{d-2}+\cdots,$
	$\displaystyle f^{\prime\prime}(x)$	$\displaystyle=$	$\displaystyle d(d-1)x^{d-2}+\alpha(d-1)(d-2)x^{d-3}+\cdots,$

and the leading coefficient of

f^{\prime}(x)f^{\prime\prime}(x+a)-f^{\prime}(x+a)f^{\prime\prime}(x)

is $-ad^{2}(d-1)\neq 0$ .

Note that $f^{\prime}(x+a)-cf^{\prime}(x)$ and $f^{\prime\prime}(x)$ are non-vanishing polynomials. The number of $a$ for which $f^{\prime}(x+a)$ and $f^{\prime}(x)$ share a factor is upperbounded by $(\deg(f^{\prime}))^{2}\leq(d-1)^{2}$ . Let $\overline{a}\in\mathbb{F}_{q}^{*}$ be such that $f^{\prime}(x+a)$ and $f^{\prime}(x)$ do not share any factor.

For this fixed $\overline{a}$ , System (8) admits at most $2d-4$ solutions $(\overline{x},\overline{a},\overline{t},\overline{c})$ and the claim follows.

∎

Proposition II.23.

Let $q=2^{h}>\max\{2d-4,(d-1)^{2}\}$ and $f(x)\in\mathbb{F}_{q}[x]\setminus\mathbb{F}_{q}[x^{2}]$ not a monomial. Suppose that both the Hasse derivatives $f^{\prime}$ and $f^{\prime\prime}$ do not vanish. There exists a set $\Theta^{\prime}_{c}\subset\mathbb{F}_{q}$ of size at most $2d-4$ such that for any $c\in\mathbb{F}_{q}\setminus\Theta^{\prime}_{c}$ there exists at least an $a_{c}\in\mathbb{F}_{q}^{*}$ such that $f(x+a_{c})-cf(x)=t$ has no root in $\overline{\mathbb{F}}_{q}$ of multiplicity larger than $2$ for any fixed $t\in\overline{\mathbb{F}}_{q}$ .

Proof.

The argument is the same as in the proof of Proposition II.22. Now

	$\displaystyle f^{\prime}(x)$	$\displaystyle=$	$\displaystyle\alpha_{r}x^{r}+\alpha x^{r-2}+\cdots,$
	$\displaystyle f^{\prime\prime}(x)$	$\displaystyle=$	$\displaystyle\alpha_{s}x^{s}+\beta x^{s-1}+\cdots,$

where $r+1$ and $s+2$ are the largest degrees not divisible by $2$ and equivalent to $3\pmod{4}$ , respectively. So, the leading coefficient of

f^{\prime}(x)f^{\prime\prime}(x+a)-f^{\prime}(x+a)f^{\prime\prime}(x)

is $a\alpha_{s}\alpha_{r}\neq 0$ and the claim follows.

∎

Combining Propositions II.21, II.22, and II.23 we have the following.

Proposition II.24.

Let $q>(2d-1)(2d-3)$ , $q=p^{n}$ , and $f(x)\in\mathbb{F}_{q}[x]\setminus\mathbb{F}_{q}[x^{p}]$ not a monomial, $d=\deg(f)$ , with

1.

$p\nmid d(d-1)$ if $p$ is odd;
2.

the Hasse derivatives $f^{\prime}$ and $f^{\prime\prime}$ do not vanish if $p=2$ .

There exists a set $\Psi_{c}\subset\mathbb{F}_{q}$ of size at most $(2d-1)(2d-3)$ such that for any $c\in\mathbb{F}_{q}\setminus\Psi_{c}$ there exists at least an $a_{c}\in\mathbb{F}_{q}^{*}$ such that $f(x+a_{c})-cf(x)=t$ has either all distinct roots or precisely one double root in $\overline{\mathbb{F}}_{q}$ for any fixed $t\in\overline{\mathbb{F}}_{q}$ .

We are now ready to prove the main theorem of this section.

Proof of Theorem II.18.

Using Corollary II.6 it is enough to prove that the number of pairs $(a,c)\in\mathbb{F}_{q}^{*}\times\mathbb{F}_{q}$ such that the geometric Galois group of $F=f(x+a)-cf(x)-t\in\mathbb{F}_{q}(t)[X]$ is not the symmetric group $\mathcal{S}_{n}$ , is $O(1)$ .

Observe that thanks to Lemma II.2 combined with Proposition II.24 we have that the inertia groups of the Galois group of $F$ are all isomorphic to $C_{2}$ and generated by single transpositions. Since $G$ is generated by its inertia groups thanks to Lemma II.4, $G=\textrm{Gal}(F\mid\overline{\mathbb{F}}_{q})$ is a transitive subgroup of $S_{n}$ generated by transpositions (since $F$ is irreducible for any fixed pair $(a,c)$ ). Proposition II.7 now implies that $G=S_{n}$ . Therefore we obtain that $G=\textrm{Gal}(F\mid\mathbb{F}_{q})=S_{n}$ as well, from which the claim follows thanks to Corollary II.6.

∎

III The feasibility of differential attacks based on the c-differential uniformity

The focus in the research on $c$ -differential uniformity has so far been almost purely on determining the $c$ -differential uniformity of specific functions. The actual use case has been mostly neglected, which is surprising given that a clear attack based on bad $c$ -differential uniformities has not been presented yet.

While the "standard" differential uniformity measures the probability of a difference propagating through the S-box (indeed $DDT_{F}[a,b]$ is indeed the probability of a difference $a$ turning into a difference $b$ times $2^{n}$ ), it is not immediately clear what kind of statistical bias the $c$ -differential uniformity measures. Clearly, the distribution of the values of $F(x+a)-cF(x)$ is also a measure of differential bias (since it compares the inputs of $x$ and $x+a$ ), but the output is for $c\neq 1$ not a usual difference itself, so the construction of a differential trail that tracks the propagation through several rounds of the cipher is not readily possible. The $c$ -differential uniformity thus does not measure a propagation of usual differences.

Unlike the multiplicative differentials [5] mentioned as inspiration for the $c$ -differential uniformity in [6], the $c$ -differential uniformity also does not measure the propagation of multiplicative "differences" of the form $(x,\alpha x)$ through the cipher since, as mentioned, the input difference used is actually the regular addition. It is however possible to find a kind of "difference" such that the $c$ -differential uniformity does measure the propagation of this "difference", as we present now.

III-A A general differential attack

Instead of using the usual difference $a-b$ (which, in the case of the usual $\mathbb{F}_{2}^{n}$ setting, boils down to the XOR $a\oplus b$ ), other binary operation can of course be used, for instance in the case of the multiplicative differentials from [5] mentioned above, this is the modular multiplication. So let $\circ\colon\mathbb{F}_{p}^{n}\times\mathbb{F}_{p}^{n}\rightarrow\mathbb{F}_{p}^{n}$ be a binary operation. We can then consider the propagation of pairs of those generalized differences $(x,x\circ a)$ and, identical to the usual differential attack, we can attempt to use biases in the probabilities of the propagation of those differences.

Generalizing the usual differential uniformity of a function $F\colon\mathbb{F}_{p^{n}}\rightarrow\mathbb{F}_{p^{n}}$ , we can define the $\circ$ -differential uniformity and the $\circ$ -DDT.

Definition III.1.

Let $F\colon\mathbb{F}_{p^{n}}\rightarrow\mathbb{F}_{p^{n}}$ be a function. We define for all $a,b\in\mathbb{F}_{p^{n}}$

{}_{\circ}\operatorname{DDT}_{F}[a,b]=\#\{x\in\mathbb{F}_{p^{n}}\colon F(x\circ a)=b\circ F(x)\}

and

{}_{\circ}\delta_{F}={\max_{x\circ a\neq x,b\in{\mathbb{F}_{p^{n}}}}}{{}_{\circ}\operatorname{DDT}_{F}[a,b]}.

Clearly, for $\circ=+$ one recovers the usual DDT and differential uniformity. But, more interestingly, this framework actually also allows us to recover the $c$ -differential uniformity. Indeed, setting $a\circ_{c}b:=a+cb$ for all $a,b\in\mathbb{F}_{p^{n}}$ and a fixed $c\in\mathbb{F}_{p^{n}}$ , we get

F(x\circ_{c}a)=b\circ_{c}F(x)\Leftrightarrow F(x+ca)=b+cF(x)\Leftrightarrow F(x+ca)-cF(x)=b.

Since $c$ is fixed, a simple transformation $a\mapsto a/c$ then immediately relates the $c$ -DDT with the $\circ$ -DDT for this choice of $\circ$ , and the respective differential uniformities are identical. In this sense, the $c$ -differential uniformity is just a new special case of differential uniformity for this specific choice of the binary operation $\circ$ . The $c$ -differential uniformity thus seems to be just a tool to measure the resistance of a cipher against a specific differential attack based on this operation. We want to note that the general form of differential as described in Definition III.1 was analysed in a series of papers [37, 38] with the idea to find specific binary operations that can lead to efficient differential attacks (or, possibly, for a malicious designer, to a "hidden", non-public binary operation that serves as a trapdoor to a cipher resistant against the usual attacks). However, the authors in those papers only analyse a subclass of binary operations that excludes the specific binary operation $\circ$ that we identified as being related to the $c$ -differential uniformity here.

III-B The differential attack based on weak $c$ -differential uniformity

Let us now consider a potential differential attack using this specific binary operation $\circ_{c}$ defined via $a\circ_{c}b=a+cb$ for all $a,b\in\mathbb{F}_{p^{n}}$ and $c\in\mathbb{F}_{p^{n}}^{*}$ . As explained briefly in the introduction on the classic differential attack earlier, the differential attack is possible for many block ciphers since they use simple key addition as a primitive operation, which means that differences propagate in the same way regardless of the key. Moreover, differences propagate also unchanged through the linear layer. We now check if/when those two properties are satisfied by $\circ_{c}$ .

We start with a consideration of the linear layer. The following result states that a linear layer applied to the input of the function does not change its $c$ -differential uniformity, however a linear layer applied to the output generally does.

Theorem III.2.

Let $F\colon\mathbb{F}_{p^{n}}\rightarrow\mathbb{F}_{p^{n}}$ be a function and $A\colon\mathbb{F}_{p^{n}}\rightarrow\mathbb{F}_{p^{n}}$ be an $\mathbb{F}_{p}$ -affine permutation, where $A=L+s$ and $L$ is the linear part of $A$ . Then

{}_{c}\operatorname{DDT}_{F}[a,b]={{}_{c}\operatorname{DDT}_{F\circ A}[L(a),b]}

and in particular

{}_{c}\delta_{F}={{}_{c}\delta_{F\circ A}}.

Moreover, if $A$ is affine over $\mathbb{F}_{p^{l}}$ where $l=[\mathbb{F}_{p}(c)\colon\mathbb{F}_{p}]$ , then

{}_{c}\operatorname{DDT}_{F}[a,b]={{}_{c}\operatorname{DDT}_{A\circ F}[a,L^{-1}(b-(1-c)s)]}

and

{}_{c}\delta_{F}={{}_{c}\delta_{A\circ F}}.

However, generally ${}_{c}\delta_{F}\neq{{}_{c}\delta_{A\circ F}}$ if $c\notin\mathbb{F}_{p}$ .

Proof.

Clearly, $(F\circ A)(x+a)-c(F\circ A)(x)=b$ if and only if $F(L(x)+L(a)+s)-cF(L(x)+s)=b$ , and the first results follows since $L$ is a permutation.

On the other hand, $(A\circ F)(x+a)-c(A\circ F)(x)=b$ if and only if

F(x+a)+L^{-1}(s)-L^{-1}(cL(F(x))+cs)=F(x+a)-L^{-1}(cL(F(x)))+L^{-1}((1-c)s)=L^{-1}(b).

If $L(cx)=cL(x)$ for all $x$ , then $L^{-1}(cL(x))=cx$ and ${}_{c}\operatorname{DDT}_{F}[a,b]={{}_{c}\operatorname{DDT}_{A\circ F}[a,L^{-1}(b-(1-c)s)]}$ . We check when $L(cx)=cL(x)$ occurs. Writing $L$ as a polynomial $L=\sum_{i=0}^{n-1}a_{i}x^{p^{i}}$ , we get

	$\displaystyle L(cx)$	$\displaystyle=\sum_{i=0}^{n-1}c^{p^{i}}a_{i}x^{p^{i}}$
	$\displaystyle cL(x)$	$\displaystyle=\sum_{i=0}^{n-1}ca_{i}x^{p^{i}}.$

Comparing coefficients yields $c^{p^{i}}=c$ for all $i$ with $a_{i}\neq 0$ . $c^{p^{i}}=c$ is equivalent to $c\in\mathbb{F}_{p^{i}}$ or $i=0$ , so we conclude that $L(cx)=cL(x)$ for all $x\in\mathbb{F}_{p^{n}}$ if and only if $a_{i}=0$ unless $i=0$ or $c\in\mathbb{F}_{p^{i}}$ which implies that $a_{i}=0$ unless $i=0$ or $l|i$ . This shows that $L$ is linear over $\mathbb{F}_{p^{l}}$ .

If this condition does not hold, it is easy to construct examples by computer search that show ${}_{c}\delta_{F}\neq_{c}\delta_{A\circ F}$ .

∎

Theorem III.2 shows that unless one picks very specific linear layers or $c\in\mathbb{F}_{p}$ (which in the $\operatorname{char}2$ case most interesting for applications only holds for $c=1$ , i.e. the classical differential uniformity), the $c$ -differential uniformity is actually affected by the choice of the linear layer. In particular, unlike the classical differential attack, the resistance of the cipher cannot be broken down to the S-box level, since linear layers used in block ciphers are of course generally not linear over extension fields.

Let us now consider the interaction of the $\circ$ -differences with the process of key addition. For the classical differences, the key addition does not impact any differences since

(x+\Delta)+k-(x+k)=\Delta

(9)

for any choice of $x,k,\Delta$ . For our binary operation $\circ_{c}$ , let $\overline{\circ_{c}}\colon\mathbb{F}_{p^{n}}\times\mathbb{F}_{p^{n}}\rightarrow\mathbb{F}_{p^{n}}$ , defined as $a\overline{\circ_{c}}b:=a-cb$ , be the "inverse" of $\circ_{c}$ in the sense that $(a\circ_{c}b)\overline{\circ_{c}}b=a$ for all $a,b\in\mathbb{F}_{p^{n}}$ . We now consider the differences with respect to $\circ_{c}$ by substituting $+$ and $-$ of the classical differences in Eq. (9) with $\circ_{c}$ and $\overline{\circ_{c}}$ (while of course keeping the regular addition for the key addition). This yields

((x\circ_{c}\Delta)+k)\overline{\circ_{c}}(x+k)=x+c\Delta+k-c(x+k)=c\Delta-(c-1)(x+k).

It is immediate to see that the differences now are neither independent from the subkey $k$ nor from the message $x$ if $c\neq 1$ .

So, in closing, it seems that a differential attack based on $\circ_{c}$ -differences (attempting to abuse high $c$ -differential uniformity) has several practical challenges as both the linear layers and the key addition process used in the vast majority of block ciphers make such an attack considerably harder than an attack relying on the classical concept of differences. For block ciphers that do not use a simple key addition but possibly another primitive operation, differential attacks based on different binary operations as lined out in this section might be of practical interest.

Regardless, the $c$ -differential uniformities still measure biases in the distribution of differences and it might still theoretically be possible to construct an attack different than the one considered here to abuse this bias. However, it seems to be clear that an analysis would be made considerably more difficult by the fact that linear layers play a more significant role than in the classical differential attack and its derivatives.

IV Conclusions and open problems

Our main contribution concerns the $c$ -differential uniformity of polynomials and states that for a generic polynomial there exists only a thin set of instances of $c\in\mathbb{F}_{q}$ for which ${}_{c}\delta_{F}$ is not the worst possible. Our investigation involves techniques from both Algebraic Geometry in positive characteristic and Galois Theory and tells us that in order to avoid the differential biases encoded in the $c$ -differential uniformity, polynomials need to respect specific constraints on their degree structure.

More generally, we show that extreme statistical differential biases for a big class of functions are inevitable. While our analysis in Section III indicates that constructing attacks based on those biases is not easy, it remains open if other attacks exploiting $c$ -differential uniformities are possible.

An obvious question is if it is possible to extend the techniques we used in this paper to analyze other statistical biases, in particular it would be interesting to see if results of the form of Theorem II.18 can be achieved.

An interesting theoretical open question concerns the possibility to obtain similar results involving weaker constraints, for instance dropping the condition $p\nmid\deg(f)$ in Theorem II.18.

In Section III, we discussed a general differential attack with an arbitrary binary operation replacing the XOR. In [37], the authors investigate a similar generalized attack (starting from a different motivation), and argue that for some specific binary operations, there are enough weak keys that allow the exploitation of certain biases. While the results are not applicable to the case of $c$ -differential uniformities, it would be interesting if the operations investigated in [37] behave similarly to the $c$ -differential uniformity as described in this paper.

V Acknowledgments

The first author is supported by the Italian National Group for Algebraic and Geometric Structures and their Applications (GNSAGA - INdAM). The second and third authors are supported by NSF grant 2127742.

References

[1] E. Biham and A. Shamir, “Differential cryptanalysis of des-like cryptosystems,” Journal of Cryptology, vol. 4, no. 1, pp. 3–72, Jan 1991. [Online]. Available: https://doi.org/10.1007/BF00630563
[2] D. Wagner, “The boomerang attack,” in Fast Software Encryption, L. Knudsen, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1999, pp. 156–170.
[3] E. Biham, O. Dunkelman, and N. Keller, “The rectangle attack — rectangling the serpent,” in Advances in Cryptology — EUROCRYPT 2001, B. Pfitzmann, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2001, pp. 340–357.
[4] S. K. Langford and M. E. Hellman, “Differential-linear cryptanalysis,” in Advances in Cryptology — CRYPTO ’94, Y. G. Desmedt, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1994, pp. 17–25.
[5] N. Borisov, M. Chew, R. Johnson, and D. Wagner, “Multiplicative differentials,” in Fast Software Encryption, J. Daemen and V. Rijmen, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2002, pp. 17–33.
[6] P. Ellingsen, P. Felke, C. Riera, P. Stănică, and A. Tkachenko, “C-differentials, multiplicative uniformity, and (almost) perfect c-nonlinearity,” IEEE Transactions on Information Theory, vol. 66, no. 9, pp. 5781–5789, 2020.
[7] S. Kölbl, E. Tischhauser, P. Derbez, and A. Bogdanov, “Troika: a ternary cryptographic hash function,” Designs, Codes and Cryptography, vol. 88, no. 1, pp. 91–117, Jan 2020. [Online]. Available: https://doi.org/10.1007/s10623-019-00673-2
[8] S. U. Hasan, M. Pal, C. Riera, and P. Stănică, “On the c-differential uniformity of certain maps over finite fields,” Designs, Codes and Cryptography, vol. 89, no. 2, pp. 221–239, Feb 2021. [Online]. Available: https://doi.org/10.1007/s10623-020-00812-0
[9] S. U. Hasan, M. Pal, and P. Stănică, “The c-differential uniformity and boomerang uniformity of two classes of permutation polynomials,” IEEE Transactions on Information Theory, vol. 68, no. 1, pp. 679–691, 2022.
[10] Z. Zha and L. Hu, “Some classes of power functions with low c-differential uniformity over finite fields,” Designs, Codes and Cryptography, vol. 89, no. 6, pp. 1193–1210, Jun 2021. [Online]. Available: https://doi.org/10.1007/s10623-021-00866-8
[11] S. Mesnager, B. Mandal, and M. Msahli, “Survey on recent trends towards generalized differential and boomerang uniformities,” Cryptography and Communications, Dec 2021. [Online]. Available: https://doi.org/10.1007/s12095-021-00551-6
[12] D. Bartoli and M. Timpanella, “On a generalization of planar functions,” J. Algebraic Combin., vol. 52, no. 2, pp. 187–213, 2020. [Online]. Available: https://doi.org/10.1007/s10801-019-00899-2
[13] S. Mesnager, C. Riera, P. Stănică, H. Yan, and Z. Zhou, “Investigations on $c$ -(almost) perfect nonlinear functions,” IEEE Transactions on Information Theory, vol. 67, no. 10, pp. 6916–6925, 2021.
[14] X. Wang and D. Zheng, “Several classes of pcn power functions over finite fields,” 2021. [Online]. Available: https://arxiv.org/abs/2104.12942
[15] Z. Tu, X. Zeng, Y. Jiang, and X. Tang, “A class of apcn power functions over finite fields of even characteristic,” 2021. [Online]. Available: https://arxiv.org/abs/2107.06464
[16] Z. Zha and L. Hu, “Some classes of power functions with low c-differential uniformity over finite fields,” Designs, Codes and Cryptography, vol. 89, no. 6, pp. 1193–1210, 2021.
[17] H. Stichtenoth, Algebraic function fields and codes. Springer Science & Business Media, 2009, vol. 254.
[18] B. Van der Waerden, “Die Zerlegungs-und Trägheitsgruppe als Permutationsgruppen,” Mathematische Annalen, vol. 111, no. 1, pp. 731–733, 1935.
[19] M. Kosters, “A short proof of a chebotarev density theorem for function fields,” Mathematical Communications, vol. 22, no. 2, pp. 227–233, 2017.
[20] D. Bartoli and G. Micheli, “Algebraic constructions of complete m-arcs,” Combinatorica, pp. 1–28, 2022.
[21] K.-i. Hashimoto, K. Miyake, and H. Nakamura, Galois theory and modular forms. Springer Science & Business Media, 2003, vol. 11.
[22] J. W. P. Hirschfeld, G. Korchmáros, and F. Torres, Algebraic curves over a finite field, ser. Princeton Series in Applied Mathematics. Princeton University Press, Princeton, NJ, 2008.
[23] R. Hartshorne, Algebraic geometry, ser. Graduate Texts in Mathematics, No. 52. Springer-Verlag, New York-Heidelberg, 1977.
[24] H. Hasse, “Theorie der höheren Differentiale in einem algebraischen Funktionenkörper mit vollkommenem Konstantenkörper bei beliebiger Charakteristik,” J. Reine Angew. Math., vol. 175, pp. 50–54, 1936. [Online]. Available: https://doi.org/10.1515/crll.1936.175.50
[25] D. M. Goldschmidt, Algebraic functions and projective curves, ser. Graduate Texts in Mathematics. Springer-Verlag, New York, 2003, vol. 215. [Online]. Available: https://doi.org/10.1007/b97844
[26] W. Fulton, Algebraic curves, ser. Advanced Book Classics. Addison-Wesley Publishing Company, Advanced Book Program, Redwood City, CA, 1989, an introduction to algebraic geometry, Notes written with the collaboration of Richard Weiss, Reprint of 1969 original.
[27] Y. Aubry and M. Perret, “A Weil theorem for singular curves,” in Arithmetic, geometry and coding theory (Luminy, 1993). de Gruyter, Berlin, 1996, pp. 1–7.
[28] S. Lang and A. Weil, “Number of points of varieties in finite fields,” Amer. J. Math., vol. 76, pp. 819–827, 1954. [Online]. Available: https://doi.org/10.2307/2372655
[29] A. Cafure and G. Matera, “Improved explicit estimates on the number of solutions of equations over a finite field,” Finite Fields Appl., vol. 12, no. 2, pp. 155–185, 2006. [Online]. Available: https://doi.org/10.1016/j.ffa.2005.03.003
[30] S. R. Ghorpade and G. Lachaud, “Corrigenda and addenda: Étale cohomology, Lefschetz theorems and number of points of singular varieties over finite fields [mr1988974],” Mosc. Math. J., vol. 9, no. 2, pp. 431–438, 2009. [Online]. Available: https://doi.org/10.17323/1609-4514-2009-9-2-431-438
[31] ——, “Number of solutions of equations over finite fields and a conjecture of Lang and Weil,” in Number theory and discrete mathematics (Chandigarh, 2000), ser. Trends Math. Birkhäuser, Basel, 2002, pp. 269–291.
[32] R. Lidl and H. Niederreiter, Finite fields, ser. Encyclopedia of Mathematics and its Applications. Addison-Wesley Publishing Company, Advanced Book Program, Reading, MA, 1983, vol. 20, with a foreword by P. M. Cohn.
[33] W. M. Schmidt, Equations over finite fields. An elementary approach, ser. Lecture Notes in Mathematics, Vol. 536. Springer-Verlag, Berlin-New York, 1976.
[34] E. Bombieri, “Counting points on curves over finite fields (d’après S. A. Stepanov),” in Séminaire Bourbaki, 25ème année (1972/1973), Exp. No. 430, 1974, pp. 234–241. Lecture Notes in Math., Vol. 383.
[35] R. Lidl, G. Mullen, and G. Turnwald, “Dickson polynomials. in ser,” Pitman Monographs in Pure and Applied Mathematics. Reading, MA: Addison-Wesley, vol. 65, pp. 15–53, 1993.
[36] D. Bartoli and M. Calderini, “On construction and (non)existence of $c$ -(almost) perfect nonlinear functions,” Finite Fields Appl., vol. 72, pp. Paper No. 101 835, 16, 2021. [Online]. Available: https://doi.org/10.1016/j.ffa.2021.101835
[37] R. Civino, C. Blondeau, and M. Sala, “Differential attacks: using alternative operations,” Designs, Codes and Cryptography, vol. 87, no. 2, pp. 225–247, Mar 2019. [Online]. Available: https://doi.org/10.1007/s10623-018-0516-z
[38] C. Brunetta, M. Calderini, and M. Sala, “On hidden sums compatible with a given block cipher diffusion layer,” Discrete Mathematics, vol. 342, no. 2, pp. 373–386, 2019. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0012365X18303376

Daniele Bartoli was born in Molfetta, Italy, on September 22, 1985. He received the degree in Mathematics from the University of Perugia, Italy, in September 2008 and the Ph.D. degree in Mathematics and Computer Science from the same University in 2012, with a dissertation from coding theory. Currently, he is Associate Professor at the Department of Mathematics and Computer Science, University of Perugia, Perugia, Italy. His research interests are in coding theory, including quantum coding, and Galois geometries.

Lukas Kölsch reveived the Masters Degree from Otto-von-Guericke University Magdeburg in 2017 and the Ph.D. degree in 2020 from University of Rostock, Germany under the supervision of Gohar Kyureghyan. He is currently a postdoctoral scholar at University of South Florida. He is interested in Boolean functions, symmetric cryptography, and Galois geometry.

Giacomo Micheli graduated at the University of Rome “La Sapienza” in July 2012. He completed his Ph.D. with distinction at the Zurich Graduate School in Mathematics in October 2015 under the supervision of Prof. Joachim Rosenthal. He is currently a tenure-track assistant professor at the University of South Florida and Co-Director of the Center for Cryptographic Research at USF.

Differential biases, cc-differential uniformity, and their relation to differential attacks

Abstract

Index Terms:

I Introduction

I-A Background on block ciphers and differential cryptanalysis

Block ciphers

Differential cryptanalysis

Differential uniformities of S-boxes

Alternative differences and cc-differential uniformities

Definition I.1.

Remark I.2.

I-B Our Contribution and organization of the paper

II On the cc-differential uniformity of low degree polynomials

II-A Tools and Notation

Global Function Fields and Galois Theory

Definition II.1.

Lemma II.2.

Corollary II.3.

Lemma II.4.

Theorem II.5.

Corollary II.6.

Proof.

Proposition II.7.

Curves and Varieties over Finite Fields

Definition II.8 ([24]).

Lemma II.9.

Theorem II.10 (Bézout’s Theorem).

Proposition II.11.

Proof.

Theorem II.12.

Theorem II.13.

II-B Results on the cc-differential uniformity

Lemma II.14.

Proof.

Remark II.15.

Corollary II.16.

Proof.

Remark II.17.

Theorem II.18 (Main Result).

Remark II.19.

Proposition II.20.

Proof.

Proposition II.21.

Proof.

Proposition II.22.

Proof.

Proposition II.23.

Proof.

Proposition II.24.

Proof of Theorem II.18.

III The feasibility of differential attacks based on the c-differential uniformity

III-A A general differential attack

Definition III.1.

III-B The differential attack based on weak cc-differential uniformity

Theorem III.2.

Proof.

IV Conclusions and open problems

V Acknowledgments

References

Differential biases, $c$ -differential uniformity, and their relation to differential attacks

Alternative differences and $c$ -differential uniformities

II On the $c$ -differential uniformity of low degree polynomials

II-B Results on the $c$ -differential uniformity

III-B The differential attack based on weak $c$ -differential uniformity