On the Measurement of the (non)linearity of Costas Permutations

Copyright q 2010 Konstantinos Drakakis. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. We study several criteria for the nonlinearity of Costas permutations, with or without the imposition of additional algebraic structure in the domain and the range of the permutation, aiming to find one that successfully identifies Costas permutations as more nonlinear than randomly chosen permutations of the same order.


Introduction
Costas arrays, namely, square arrangements of dots and blanks such that there lies exactly one dot per row and column, and such that no four dots form a parallelogram and no three dots lying on a straight line are equidistant, appeared for the first time in 1965 in the context of SONAR detection 1, 2 , when Costas, disappointed by the poor performance of SONAR systems, used them to describe a novel frequency hopping pattern for SONARs with optimal auto-correlation properties.About two decades later, Professor S. Golomb published two generation techniques 3-5 for Costas permutations, both based on the theory of finite fields, known as the Welch and the Golomb method, respectively.These are still the only general construction methods for Costas permutations available today.Despite the intensive mathematical research dedicated to Costas arrays in the last two decades, many key questions about them remain unresolved, and most notably the issue of their existence: do Costas arrays exist for all orders?There is currently no order known for which Costas arrays provably do not exist, while the two smallest orders for which no Costas arrays are known are 32 and 33 3 .
An interesting application of Costas arrays in cryptography was discovered when it was shown that Welch Costas arrays are Almost Perfect Nonlinear APN permutations 6 .

Costas Permutations, APN Functions, and Linearity
In this section we provide some background information on Costas permutations and APN functions.We will note, in particular, that, though the definitions of Costas and APN permutations appear deceptively similar, there are nonetheless important differences one has to pay attention to.

The Definitions
In what follows, let n denote the set {0, 1, . . ., n − 1}, and Z n the additive group of integers modulo n, n ∈ N * ; in other words, n and Z n differ just by the imposition of an algebraic structure on the latter, which makes it a ring.We are now ready to define the Costas permutation.
Definition 2.1.Consider a bijection f : n → n ; f is a Costas permutation if and only if: An alternative yet fully equivalent way to state this condition is to stipulate that, for any k ∈ n * and any l ∈ n , the equation 2 has at most one root i.
A permutation f corresponds to a permutation array A f a f i,j by setting the elements of the permutation to denote the positions of the unique 1 in the corresponding column of the array, counting from top to bottom: 1.It is customary to represent the 1s of a permutation array as "dots" and the 0s as "blanks".From now on the terms "array" and "permutation" will be used interchangeably, in view of this correspondence.
The Costas property is invariant under horizontal and vertical flips, as well as transposition and therefore also under rotations of the array by multiples of 90 • , which can be expressed as combinations of the previous two operations , hence a Costas array gives birth to an equivalence class that contains either eight Costas arrays, or four if the array happens to be symmetric: this Costas array is then considered to be the unique representative of the equivalence class, and normally the array within the equivalence class that comes first in lexicographical order is selected for this purpose.
We now give the definition of the APN function.
has at most one root hence exactly one root x.
We now see how close Definitions 2.1 and 2.2 are.When we focus exclusively on permutations, thought, we see that a PN permutation is a contradiction in terms: by Definition 2.3, for any α, there has to be an x such that f x α − f x 0, hence f cannot possibly be a permutation!Consequently, when studying permutations, we can only hope for the next best thing, namely, an APN permutation.Note that the definitions of a Costas permutation and of an APN function show that these two types of functions are far from being "linear", namely, far from being similar to a "straight line", since the distance vectors between pairs of points in the function graph are not, in general, allowed to be collinear.

Construction Methods for Costas Permutations
We will denote the finite field of q elements by F q , where q is, in general, a power of a prime.Recall that Z p , p is a prime, is the finite field F p .Algorithm 2.4 Exponential Welch Construction W 1 p, g, c .Let p be a prime, g a primitive root of the finite field F p , and c ∈ p − 1 ; the exponential Welch permutation of order p − 1 corresponding to g and c is defined by The inverse of an Exponential Welch permutation corresponding to the transpose of the corresponding Costas array is a Logarithmic Welch permutation, which is itself a Costas permutation.The two permutation sets are distinct for p > 5 10 , implying that there are 2 p−1 φ p−1 distinct Welch Costas permutations of order p−1.Here φ denotes Euler's totient function: φ x , x ∈ N, is the number of positive integers less than and relatively prime to x.In particular, there are no self-inverse W 1 -permutations i.e., corresponding to symmetric Welch Costas arrays for p > 5.
Algorithm 2.5 Golomb Construction G 2 q, a, b .Let q p m , where p is a prime and m ∈ N * , and let a, b be primitive roots of the finite field F q ; the Golomb permutation f of order q − 2 corresponding to a and b is defined through the equation 2.6 There are φ 2 q − 1 /m distinct G 2 -permutations of order q − 2 3 .

A Comprehensive Example
Consider the W 1 -permutation f resulting from p 11, g 2, and c 0. The values corresponding to 0, 1, . . ., 9 are, in that order, 0, 1, 3, 7, 4, 9, 8, 6, 2, and 5.As mentioned above, f is an APN permutation when construed as a function from Z 10 to Z 10 : in this case, all additions take place in arithmetic modulo 10, and we write, for example, that Note that, after generating f, we forget all about the prime number p used to generate it in this case p 11 : henceforth, all modulo operations take place in arithmetic modulo p − 1 10, which is the size of the group Z 10 , in both the domain and the range.
Considering, however, f as a Costas permutation from 10 to 10 ; we see that 1 − 4 −3, because addition takes place now in the usual integer arithmetic, in both the domain and the range.

Linearity
What does it mean for a function f to be linear?In general, we will assume that both the domain D f and the range R f of the function are subsets of a ring R, and we will call f linear if and only if there exist three constants α, β, γ ∈ R such that αf x βx γ for all x ∈ D f , where addition and multiplication are as defined in R. It is important to note that, occasionally, R can be chosen in more than one way: for example, in the example shown in Section 2.3 we may choose either R Z or R Z 10 , and this leads to different functions f, neither of which is linear, however.

Linearity Measures for Discrete Functions
How can we quantify the linearity of a discrete function, and especially of a Costas permutation, in a meaningful way?There are essentially two different ways to proceed, according to whether we are willing/able to introduce some sort of an algebraic structure to the problem or not.Note that we will follow the convention of labeling the criteria we study below by L or NL, according to whether an increase in the value returned by the criterion implies increased linearity or nonlinearity for the tested function, respectively.

Least Squares
In this version of the problem we are given a set of n points x i , y i f x i , i ∈ n on the plane as an input, and we are asked to determine how closely they correspond to the graph of a linear function.The obvious course of action is to fit a line of the form c 1 x c 2 y c, c, c 1 , c 2 ∈ R, according to some fitting criterion, and determine the error of the approximation.The smaller the error, the more "linear" f is.Perhaps the most frequently used fitting method used in such cases is the familiar least squares approximation.

Nonmodular Phases
Within the same context, an alternative, completely different concept of linearity can be defined based on the distance vectors between pairs of points x i − x j , f x i − f x j , i, j ∈ n , i > j, where, without loss of generality we may assume that x i ≥ x j whenever i ≥ j: the function f is linear if and only if all such distance vectors have the same phase on the plane.A way to quantify this idea in a continuous way is to determine the unit vector with each such phase, sum the vectors, and find the length of the vector sum.In other words, we consider 3.1 As there are n n − 1 /2 such vectors in total, the length of the vector sum will be n n − 1 /2 when f is linear and less than that otherwise.The normalized is then a number between 0 and 1: the larger it is, the more linear f is.In particular, since each phase is confined to −π/2, π/2 , we may substitute ∠ u, v by tan −1 v/u .Given that e iu cos u i sin u , cos u 1 3.4

The Log-Ratio
In order to obtain a more sensitive measure of linearity, we observe that if f x αx β, we would get

3.5
For a general function f, these two expressions yield two estimates for α, namely, α 1 and α 2 , where we assume α 1 > α 2 without loss of generality.The log-ratio NL c f : ln α 1 /α 2 ≥ 0 is a kind of condition number for f: the larger it is, the more nonlinear f is, so we can use this log-ratio as a measure of the nonlinearity of f.

Linearity with Algebraic Structure
Let us reformulate the ideas presented above regarding distance vectors and their phases in the special case of a function f : n → n .An indication of the linearity of f is the degree to which a constant multiple of x − y approximates a constant multiple of the difference f x − f y , the approximation holding for all pairs x, y , x, y ∈ n : in other words, we consider the functions F α, β; x, y β f x − f y − α x − y and we determine whether any specific choice of the parameters α and β leads to values that lie uniformly "close to" 0 for all pairs x, y , according to some proximity criterion.
A possible proximity criterion is again to apply "phase modulation", namely, to allow the values of F α, β; x, y to multiply the phase of complex exponential exp iφ , which represents a vector of unit length, and then find the length of the aggregate vectors and choose the longest one.This we define as the square of the linearity of f:

3.6
Clearly, f is linear if and only if L f n.Since f is an integer function, and remembering that our ultimate goal is to introduce algebraic structure in the problem at some point, it makes sense to confine α and β to integer values as well.Choosing further φ 2π/N, N ∈ N * , we effectively impose a modulo N addition and consider F mod N instead of F: Sometimes 9 it even makes sense to generalize the previous expression slightly and use two different integer parameters M and N as follows: though we will mostly focus on the simple case M N from now on.So far we have not related N and n; how should we choose N for a given n?A first possibility is dictated by the extension of f to a function on Z n , that is, f : Z n → Z n , in which case the obvious choice would be N n.Alternatively, considering still f as a function on n , both x − y and f x − f y , x, y ∈ n range from − n − 1 to n − 1 included, so the range includes 2 n − 1 1 2n − 1 distinct values and hence it suffices to choose N 2n − 1, if our goal is to avoid any fold-over of values within this range.Finally, note that if f : Z p−1 → Z * p is a W 1 -permutation, it makes sense to choose either M N p − 1, as both the domain and the range contain p − 1 elements, or M p − 1 and N p, as these parameters reflect the natural modulo arithmetic in the domain and the range, respectively both cases were studied in 9 .
Let us finish this discussion by mentioning that 1−L n f /n has already been proposed as a measure of the nonlinearity of f : Z n → Z n in the literature 7, 8 , though, in our opinion, the presentation therein was much less straightforward and intuitive than the one given here.

Results
In this section we discuss the results obtained for each non linearity criterion through simulation.Simulation has been used extensively in recent times for the study of the properties of Costas arrays see, e.g., 12, 13 .

Least Squares
When f is a Costas permutation of order n, linear least squares fitting fails to reveal any meaningful information, precisely because the points are very dispersed on the n × n square, owing to the Costas property.Computer simulations confirm our expectations in that the line fitted by least squares is invariably either horizontal or vertical, while the line fitted by orthogonal least squares, namely the variant of the method where the sum of the square distances of the points from the fitted line is minimized, yields invariably either y x or y n − 1 − x as the fitted line.To conclude, Costas arrays are so far from being linear that it makes no sense to measure how far from linearity they are using this criterion.

Nonmodular Phases
The real part of the vector sum 3.4 is in general much larger than the imaginary part, precisely because we always choose x > y, so the real parts of the summands add constructively.This, in turn, implies that this criterion is not sensitive enough.For example, Figure 1 shows the histograms of L over all Costas arrays of order 15 and over an equinumerous collection of randomly chosen permutations of order 15: though the histograms look different, the range of the former lies entirely within the range of the latter, so this criterion is not sensitive enough to determine that Costas permutations are more nonlinear than random permutations.

The Log-Ratio
What if L c is used instead of L? The log-ratio histograms for all Costas permutations of order 15 and an equinumerous collection of random permutations of order 15, as well as the logratio histograms for all Costas permutations of order 16 and for all algebraically constructed Costas permutations of order 16 are shown in Figure 2. Costas permutations are indeed found to be more nonlinear than random ones, even if only slightly so: though the random permutations histogram contains a few outliers at higher values, its main body lies clearly at smaller values compared to the Costas permutations histogram.Similarly, algebraically constructed Costas permutations are observed to be, on average, some of the most linear Costas permutations.The linearity histogram of all Costas permutations of order 15 a is well approximated by the Gaussian of the same mean and variance, but the corresponding histogram of order 27 c is not, due to the small number of samples.Furthermore, the linearity criterion is efficient: histograms show that the linearity of Costas permutations of order 15 is clearly less than that of an equinumerous collection of randomly chosen permutations of order 15 b .

Linearity with Algebraic Structure
We computed the linearity of several families of Costas permutations, using L 2n−1 as the measure of linearity, n being the order of the Costas permutation.More specifically, we focused on the families of all Costas permutations of order 27 and below Table 1 , and on the families of W 1 -and G 2 -permutations generated in F p , 3 ≤ p ≤ 151 Table 2 .For each family we recorded the minimal and maximal linearities found, the mean linearity and the standard deviation.As a general observation, the linearity histograms for all families are well approximated by Gaussian distributions see, e.g., Figure 3 , provided the families contain enough Costas permutations at least a few hundred .Furthermore, the mean linearities L W n and L G n for W 1 -and G 2 -permutations of order n, respectively, seem to increase asymptotically linearly with n see that L 2n−1 successfully distinguishes Costas permutations from random permutations, assigning on average smaller linearity to the former.

Conclusion
We proposed various non linearity measures for Costas permutations, divided in two broad categories, according to whether we are willing to impose some algebraic structure on the domain and the range or not.Amongst the measures that do not take advantage of any algebraic structure, the linear least squares fit was found inappropriate, as it was completely insensitive to the input, the nonmodular phases criterion was found not to be sensitive enough, while the log-ratio performed adequately in terms of distinguishing Costas permutations from randomly chosen permutations of the same order and correctly deciding that the former are more nonlinear than the latter; it also suggested that algebraically constructed Costas permutations are amongst the most linear Costas permutations.On the other hand, when the difference vectors are combined with an underlying modulo structure, the resulting criterion is sensitive enough to recognize that Costas permutations are less linear than randomly chosen permutations of the same order.

Figure 1 :
Figure 1:The histograms of all Costas permutations of order 15 a and an equinumerous collection of randomly chosen permutations of order 15 b , according to L: Costas permutations are shown to be more nonlinear.

Figure 2 :
Figure 2: a, b the log-ratio histograms of all Costas permutations of order 15 a and an equinumerous collection of randomly chosen permutations of order 15 b ; Costas permutations are shown to be more nonlinear.c, d the log-ratio histograms of all Costas permutations of order 16 c and of all algebraically constructed Costas permutations of order 16 d ; algebraically constructed Costas permutations seem to be amongst the most linear ones.

Figure 3 :
Figure 3:The linearity histogram of all Costas permutations of order 15 a is well approximated by the Gaussian of the same mean and variance, but the corresponding histogram of order 27 c is not, due to the small number of samples.Furthermore, the linearity criterion is efficient: histograms show that the linearity of Costas permutations of order 15 is clearly less than that of an equinumerous collection of randomly chosen permutations of order 15 b .

Figure 4 :Figure 4 :
Figure 4: a plot of the minimal, maximal, and mean linearities for the Welch and Golomb family generated in F p , 3 ≤ p ≤ 151.b plot of the mean linearity divided by the order, indicating convergence near 0.4.c a detail of the tail of the previous plot.

Table 1 :
Linearity results for all Costas permutations of orders 3 ≤ n ≤ 27: the columns correspond from left to right to n, the minimal and maximal linearities observed, and the mean and standard deviations of the linearity.

Table 2 :
Linearity results for W 1 -a and G 2 -b permutations generated in F p , 7 ≤ p ≤ 151: the columns correspond from left to right to p, the minimal and maximal linearity observed, and the mean and standard deviations of the linearities.