# Almost Perfect Nonlinear (APN) Functions

Jump to: navigation, search

# Background and definition

Almost perfect nonlinear (APN) functions are the class of ${\displaystyle (n,n)}$ Vectorial Boolean Functions that provide optimum resistance to against differential attack. Intuitively, the differential attack against a given cipher incorporating a vectorial Boolean function ${\displaystyle F}$ is efficient when fixing some difference ${\displaystyle \delta }$ and computing the output of ${\displaystyle F}$ for all pairs of inputs ${\displaystyle (x_{1},x_{2})}$ whose difference is ${\displaystyle \delta }$ produces output pairs with a difference distribution that is far away from uniform.

The formal definition of an APN function ${\displaystyle F:\mathbb {F} _{2^{n}}\rightarrow \mathbb {F} _{2^{n}}}$ is usually given through the values

${\displaystyle \Delta _{F}(a,b)=|\{x\in \mathbb {F} _{2^{n}}:F(x)+F(a+x)=b\}|}$

which, for ${\displaystyle a\neq 0}$, express the number of input pairs with difference ${\displaystyle a}$ that map to a given ${\displaystyle b}$. The existence of a pair ${\displaystyle (a,b)\in \mathbb {F} _{2^{n}}^{*}\times \mathbb {F} _{2^{n}}}$ with a high value of ${\displaystyle \Delta _{F}(a,b)}$ makes the function ${\displaystyle F}$ vulnerable to differential cryptanalysis. This motivates the definition of differential uniformity as

${\displaystyle \Delta _{F}=\max\{\Delta _{F}(a,b):a\in \mathbb {F} _{2^{n}}^{*},b\in \mathbb {F} _{2^{n}}\}}$

which clearly satisfies ${\displaystyle \Delta _{F}\geq 2}$ for any function ${\displaystyle F}$. The functions meeting this lower bound are called almost perfect nonlinear (APN).

# Characterizations

## Walsh transform[1]

Any ${\displaystyle (n,m)}$-function ${\displaystyle F}$ satisfies

${\displaystyle \sum _{a\in \mathbb {F} _{2^{n}},b\in \mathbb {F} _{2^{m}}^{*}}W_{F}^{4}(a,b)\geq 2^{2n}(3\cdot 2^{n+m}-2^{m+1}-2^{2n})}$

with equality characterizing APN functions.

In particular, for ${\displaystyle (n,n)}$-functions we have

${\displaystyle \sum _{a\in \mathbb {F} _{2^{n}},b\in \mathbb {F} _{2^{n}}^{*}}W_{F}^{4}(a,b)\geq 2^{3n+1}(2^{n}-1)}$

with equality characterizing APN functions.

Sometimes, it is more convenient to sum through all ${\displaystyle b\in \mathbb {F} _{2^{m}}}$ instead of just the nonzero ones. In this case, the inequality for ${\displaystyle (n,m)}$-functions becomes

${\displaystyle \sum _{a\in \mathbb {F} _{2^{n}},b\in \mathbb {F} _{2^{m}}}W_{F}^{4}(a,b)\geq 2^{2n+m}(3\cdot 2^{n}-2)}$

and the particular case for ${\displaystyle (n,n)}$-functions becomes

${\displaystyle \sum _{a,b\in \mathbb {F} _{2^{n}}}W_{F}^{4}(a,b)\geq 2^{3n+1}(3\cdot 2^{n-1}-1)}$

with equality characterizing APN functions in both cases.

## Autocorrelation functions of the directional derivatives [2]

Given a Boolean function ${\displaystyle f:\mathbb {F} _{2^{n}}\rightarrow \mathbb {F} _{2}}$, the autocorrelation function of ${\displaystyle f}$ is defined as

${\displaystyle {\mathcal {F}}(f)=\sum _{x\in \mathbb {F} _{2^{n}}}(-1)^{f(x)}=2^{n}-2wt(f).}$

Any ${\displaystyle (n,n)}$-function ${\displaystyle F}$ satisfies

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}}{\mathcal {F}}(D_{a}f_{\lambda })=2^{2n+1}}$

for any ${\displaystyle a\in \mathbb {F} _{2^{n}}^{*}}$. Equality occurs if and only if ${\displaystyle F}$ is APN.

This allows APN functions to be characterized in terms of the sum-of-square-indicator ${\displaystyle \nu (f)}$ defined as

${\displaystyle \nu (f)=\sum _{a\in \mathbb {F} _{2^{n}}}{\mathcal {F}}^{2}(D_{a}F)=2^{-n}\sum _{a\in \mathbb {F} _{2^{n}}}{\mathcal {F}}^{4}(f+\varphi _{a})}$

for ${\displaystyle \varphi _{a}(x)={\rm {Tr}}(ax)}$.

Then any ${\displaystyle (n,n)}$ function ${\displaystyle F}$ satisfies

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}\nu (f_{\lambda })\geq (2^{n}-1)2^{2n+1}}$

and equality occurs if and only if ${\displaystyle F}$ is APN.

Similar techniques can be used to characterize permutations and APN functions with plateaued components.

# Characterization of Plateaued Functions

## Characterization by the Derivatives [3]

### First characterization

Using the fact that two integer-valued functions over ${\displaystyle \mathbb {F} _{2}^{m}}$ are equal precisely when their Fourier transforms are equal, one can obtain the following characterization.

Let ${\displaystyle F}$ be an ${\displaystyle (n,m)}$-function. Then:

- ${\displaystyle F}$ is plateaued if and only if, for every ${\displaystyle v\in \mathbb {F} _{2}^{m}}$, the size of the set

${\displaystyle \{(a,b)\in (\mathbb {F} _{2}^{n})^{2}:D_{a}D_{b}F(x)=v\}}$

does not depend on ${\displaystyle x}$;

- ${\displaystyle F}$ is plateaued with single amplitude if and only if the size of the above set depends neither on ${\displaystyle x}$ nor on ${\displaystyle v}$ when ${\displaystyle v\neq 0}$.

Moreover:

- for any ${\displaystyle (n,m)}$-function ${\displaystyle F}$, the value distribution of ${\displaystyle D_{a}D_{b}F(x)}$ equals the value distribution of ${\displaystyle D_{a}F(b)+D_{a}F(x)}$ as ${\displaystyle (a,b)}$ ranges over ${\displaystyle (\mathbb {F} _{2}^{n})^{2}}$;

- if two plateuaed functions have the same distribution, then for every ${\displaystyle u}$, their component functions at ${\displaystyle u}$ have the same amplitude.

### Characterization in the Case of Unbalanced Components

Let ${\displaystyle F}$ be an ${\displaystyle (n,m)}$-function. Then ${\displaystyle F}$ is plateuaed with all components unbalanced if and only if, for every ${\displaystyle v,x\in \mathbb {F} _{2}^{n}}$, we have

${\displaystyle |\{(a,b)\in (\mathbb {F} _{2}^{n})^{2}:D_{a}D_{b}F(x)=v\}|=|\{(a,b)\in (\mathbb {F} _{2}^{n})^{2}:F(a)+F(b)=v\}|.}$

Moreover, ${\displaystyle F}$ is plateuaed with single amplitude if and only if, in addition, this value does not depend on ${\displaystyle v}$ for ${\displaystyle v\neq 0}$.

1. Florent Chabaud, Serge Vaudenay, Links between differential and linear cryptanalysis, Workshop on the Theory and Application of Cryptographic Techniques, 1994 May 9, pp. 356-365, Springer, Berlin, Heidelberg
2. Thierry Berger, Anne Canteaut, Pascale Charpin, Yann Laigle-Chapuy, On Almost Perfect Nonlinear Functions Over GF(2^n), IEEE Transactions on Information Theory, 2006 Sep,52(9),4160-70
3. Carlet C. Boolean and vectorial plateaued functions and APN functions. IEEE Transactions on Information Theory. 2015 Nov;61(11):6272-89.