Background and definition

Almost perfect nonlinear (APN) functions are the class of (𝑛,𝑛) Vectorial Boolean Functions that provide optimum resistance to against differential attack. Intuitively, the differential attack against a given cipher incorporating a vectorial Boolean function 𝐹 is efficient when fixing some difference 𝛿 and computing the output of 𝐹 for all pairs of inputs (𝑥₁,𝑥₂) whose difference is 𝛿 produces output pairs with a difference distribution that is far away from uniform.

The formal definition of an APN function 𝐹 : 𝔽_2^𝑛 → 𝔽_2^𝑛 is usually given through the values

${\displaystyle \Delta _{F}(a,b)=|\{x\in \mathbb {F} _{2^{n}}:F(x)+F(a+x)=b\}|}$

which, for 𝑎≠0, express the number of input pairs with difference 𝑎 that map to a given 𝑏. The existence of a pair ${\displaystyle (a,b)\in \mathbb {F} _{2^{n}}^{*}\times \mathbb {F} _{2^{n}}}$ with a high value of Δ_{𝐹(𝑎,𝑏)} makes the function 𝐹 vulnerable to differential cryptanalysis. This motivates the definition of differential uniformity as

${\displaystyle \Delta _{F}=\max\{\Delta _{F}(a,b):a\in \mathbb {F} _{2^{n}}^{*},b\in \mathbb {F} _{2^{n}}\}}$

which clearly satisfies Δ_𝐹 ≥ 2 for any function 𝐹. The functions meeting this lower bound are called almost perfect nonlinear (APN).

The characterization by means of the derivatives below suggests the following definition: a v.B.f. 𝐹 is said to be strongly-plateuaed if, for every 𝑎 and every 𝑣, the size of the set ${\displaystyle \{b\in \mathbb {F} _{2}^{n}:D_{a}D_{b}F(x)=v\}}$ does not depend on 𝑥, or, equivalently, the size of the set ${\displaystyle \{b\in \mathbb {F} _{2}^{n}:D_{a}F(b)=D_{a}F(x)+v\}}$ does not depend on 𝑥.

Characterizations

Walsh transform^[1]

Any (𝑛,𝑚)-function 𝐹 satisfies

${\displaystyle \sum _{a\in \mathbb {F} _{2^{n}},b\in \mathbb {F} _{2^{m}}^{*}}W_{F}^{4}(a,b)\geq 2^{2n}(3\cdot 2^{n+m}-2^{m+1}-2^{2n})}$

with equality characterizing APN functions.

In particular, for (𝑛,𝑛)-functions we have

${\displaystyle \sum _{a\in \mathbb {F} _{2^{n}},b\in \mathbb {F} _{2^{n}}^{*}}W_{F}^{4}(a,b)\geq 2^{3n+1}(2^{n}-1)}$

with equality characterizing APN functions.

Sometimes, it is more convenient to sum through all 𝑏 ∈ 𝔽_2^𝑚 instead of just the nonzero ones. In this case, the inequality for (𝑛,𝑚)-functions becomes

${\displaystyle \sum _{a\in \mathbb {F} _{2^{n}},b\in \mathbb {F} _{2^{m}}}W_{F}^{4}(a,b)\geq 2^{2n+m}(3\cdot 2^{n}-2)}$

and the particular case for (𝑛,𝑛)-functions becomes

${\displaystyle \sum _{a,b\in \mathbb {F} _{2^{n}}}W_{F}^{4}(a,b)\geq 2^{3n+1}(3\cdot 2^{n-1}-1)}$

with equality characterizing APN functions in both cases.

Autocorrelation functions of the directional derivatives ^[2]

Given a Boolean function 𝑓 : 𝔽_2^𝑛 → 𝔽₂, the autocorrelation function of 𝑓 is defined as

${\displaystyle {\mathcal {F}}(f)=\sum _{x\in \mathbb {F} _{2^{n}}}(-1)^{f(x)}=2^{n}-2wt(f).}$

Any (𝑛,𝑛)-function 𝐹 satisfies

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}}{\mathcal {F}}(D_{a}f_{\lambda })=2^{2n+1}}$

for any 𝑎 ∈ 𝔽*_2^𝑛 . Equality occurs if and only if ${\displaystyle F}$ is APN.

This allows APN functions to be characterized in terms of the sum-of-square-indicator ${\displaystyle \nu (f)}$ defined as

${\displaystyle \nu (f)=\sum _{a\in \mathbb {F} _{2^{n}}}{\mathcal {F}}^{2}(D_{a}F)=2^{-n}\sum _{a\in \mathbb {F} _{2^{n}}}{\mathcal {F}}^{4}(f+\varphi _{a})}$

for ${\displaystyle \varphi _{a}(x)={\rm {Tr}}(ax)}$.

Then any (𝑛,𝑛) function 𝐹 satisfies

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}\nu (f_{\lambda })\geq (2^{n}-1)2^{2n+1}}$

and equality occurs if and only if 𝐹 is APN.

Similar techniques can be used to characterize permutations and APN functions with plateaued components.