More Low Differential Uniformity Permutations over F22k with k Odd

Permutations with low differential uniformity, high algebraic degree, and high nonlinearity over F22k can be used as the substitution boxes for many block ciphers. In this paper, several classes of low differential uniformity permutations are constructed based on the method of choosing two permutations over F22k to get the desired permutations. The resulted low differential uniformity permutations have high algebraic degrees and nonlinearities simultaneously, which provide more choices for the substitution boxes. Moreover, some numerical examples are provided to show the efficacy of the theoretical results.


Introduction
Suppose that n be a positive even integer. We always denote by F 2 n the finite field of even characteristic with degree n and F * 2 n the multiplicative group of nonzero elements of F 2 n . Every map from F 2 n to itself is called an (n, n)-function, and bijective (n, n)-function is called a permutation over F 2 n . It is well known that confusion introduced by Shannon [1] is one of the most generally accepted design principles for block ciphers and stream ciphers, which means making the relation between the ciphertext and the plaintext as complex as possible for the attacker. e substitution boxes (S-boxes) with good cryptographic properties are used to create confusion in block ciphers and often chosen to be permutations over F 2 n . As pointed out in [2], since it needs to resist the differential attack on the block cipher algorithm, the differential uniformity of those permutations as S-boxes is required to be as low as possible.
e permutations as S-boxes should also have high algebraic degree to resist the higher order differential attack and high nonlinearity to resist the linear attack (see, for instance, [3,4]).
It is well known that the lowest differential uniformity of an (n, n)-function over F 2 n is not less than 2. ose (n, n)-functions with differential uniformity 2 are called almost perfect nonlinear (APN) function, which has many interesting properties studied in the last decades (see, for instance, [5][6][7] and references). However, it is difficult to find APN permutations over the finite field F 2 n for n ≥ 6. Up to now, a few examples of APN permutations have been found over F 2 6 [8][9][10]. Naturally, people pay more attention to those permutations with differential uniformity 4 or 6 for S-boxes, and a lot of work has been done (see, for instance, [11][12][13][14][15][16][17][18][19][20][21][22][23][24][25]). Although low differential uniformity permutations are not an optimal choice of S-boxes, they are still an efficient way to against differential attacks. For example, the famous advanced encryption standard (AES) chooses differential 4uniformity permutation x − 1 (0 − 1 : � 0) as its S-box. e original differential 4-uniformity permutations select Gold functions [12], the Kasami functions [13], the inverse functions [15], and the Bracken-Leander functions [11]. In 2012, Bracken et al. [26] constructed a class of binomials as differential 4-uniformity permutations with high nonlinearity. Inspired by the idea of Carlet [27], Li and Wang [28] obtained a construction of differential 4-uniformity permutations over F 2 n from quadratic APN permutations over F 2 n+1 . e modern method to construct differential 4-uniformity permutation is the switching method proposed by Dillon. In recent years, the power of this method has been shown in the construction of differential 4-uniformity permutations. Qu et al. in [21] constructed differential 4-uniformity permutations by composing the inverse function and permutations over F 2 n and, in [22], proved that the number of CCZ-inequivalent differential 4-uniformity permutations over F 2 n increases exponentially. For more details, the readers can refer to [14, 19, 23-25, 29, 30]. Different from the above method, in [31,32], some monomials with differential 6-uniformity over F 2 n for 17 ≤ n ≤ 31 are constructed and in the family of functions: In 2014, Zha et al. [33] presented three classes of nonmonomial with differential 6-uniformity by modifying the image values of the Gold function. In recent years, more nonmonomial permutations of differential 6-uniformity are proposed. Tu et al. [34,35] constructed several classes of differential 6-uniformity permutations by selecting the inverse function as a special type of rational functions over F 2 n .
Inspired by the idea of [18], we construct some new low differential uniformity permutations. Compared with the previous similar works, our construction can provide a large number of CCZ-inequivalent classes of functions. Precisely, for any ε, s ∈ F 4 and some U being a subset of F 2 2k with an odd integer k, we prove that the permutations have low differential uniformity 4 or 6. It is pointed out here that all of differentially 6-uniform permutations in our construction are CCZ-inequivalent to the existing ones, and it is surprising that there are two new differential 4-uniformity permutations for k � 3 CCZ-inequivalent to the previous ones mentioned above. Moreover, all these functions have the optimal algebraic degree and we get a lower bound of the high nonlinearity of F. e rest of this paper is organized as follows. In the next section, we recall some definitions and general properties of the differential uniformity, algebraic degree, and nonlinearity of (n, n)-functions. In Section 3, we present a new construction of low differential uniformity permutations and discuss the differential uniformity of these permutations over F 2 2k with k odd. In Section 4, we consider their other cryptographic properties. Finally, Section 5 concludes the paper.

Preliminaries
Let n be a positive even integer and F be an (n, n)-function. We know that any (n, n)-function can be uniquely represented as a univariate polynomial in F 2 n [x]: where An (n, n)-function F is affine if deg(F) ≤ 1. For any (n, n)-permutation F, it is known that deg(F) ≤ n − 1. If this upper bound is achieved, then F is said to have optimal algebraic degree.
For an (n, n)-function F and (a, b) ∈ F * 2 n × F 2 n , denote by δ F (a, b) the number of solutions of the equation the differential spectrum of F. e maximum value in the differential spectrum of F is called the differential uniformity of F and denoted by δ, and F is called a differential δ-uniform function [15]. Observe that if x is a solution of F(x + a) + F(x) � b, then x + a is also a solution of the equation, and then it follows that δ F must be an even number greater than or equal to 2. Let n be a positive integer and k a divisor of n. e trace map Tr n k (x) from F 2 n onto its subfield F 2 k is defined by In particular, for k � 1, Tr n k (x) is called the absolute trace map and denoted by Tr(x) simply.
For an (n, n)-function F(x), the Walsh transform of the function F is defined as follows: e multisets * F W (a, b) | (a, b) ∈ F * 2 n × F 2 n * and * |F W (a, b)| | (a, b) ∈ F * 2 n × F 2 n * are called Walsh spectrum and extended Walsh spectrum of F(x), respectively. e nonlinearity of F is defined as follows: It is well known that NL(F) ≤ 2 n− 1 − 2 (n− 1)/2 when n is odd. For the case n even, 2 n− 1 − 2 n/2 is conjectured to be an upper bound of NL(F) [36].
For two (n, n)-functions G 1 (x) and G 2 (x), if there exist two affine permutations A 1 (x) and A 2 (x) such that G 1 (x) � A 1 (G 2 (A 2 (x))), then G 1 (x) and G 2 (x) are called affine equivalent; if there exists an affine function A(x) such that G 1 (x) � A 1 (G 2 (A 2 (x))) + A(x), then G 1 (x) and G 2 (x) are called extended affine (EA) equivalent. If the graphs of G 1 (x) and G 2 (x) are EA-equivalent, then they are said to be Carlet-Charpin-Zinoviev (CCZ) equivalent, where the graph of G(x) is (x, G(x)) | x ∈ F 2 n . It is known that EA-equivalence implies CCZ-equivalence, and the converse is not always right. Moreover, CCZ-equivalence and EA-equivalence preserve the extended Walsh spectrum and the differential spectrum, and EA-equivalence also preserves the algebraic degree when it is greater than 2 [37,38]. 2 Mathematical Problems in Engineering Definition 1. Let H(x) and G(x) be two permutations over F 2 n . Given α ∈ F 2 n , if there exist some positive integer t and some set C � α 1 , α 2 , . . . , α t of F 2 n with α 1 � α such that then the t-subset C is called a t-cycle set of the function H related to the function G and we denote by C α . Obviously, β ∈ C α if and only if C β � C α . All the t-cycle sets for 1 ≤ t ≤ 2 n are also called cycle sets [18]. We still need some helpful lemmas. e following famous lemma reveals that the nonlinearity of the inverse function could achieve the upper bound 2 n− 1 − 2 n/2 of NL(F).
Lemma 1 (see [39]) For any positive integer n and any can take any integer divisible by 4 in the range Lemma 2 (see [40]) Let n be a positive integer. For any a, b, c ∈ F 2 n with ab ≠ 0, the equation has two solutions in F 2 n if and only if Tr(ac/b 2 ) � 0.
Lemma 3 (see [18]) Let H(x) and G(x) be two permutations over F 2 n . en, the function is a permutation over F 2 n if and only if U is a union of some cycle sets of H(x) related to G(x).

Construction of Low Differential Uniformity Permutations
In this section, we always assume that k ≥ 3 is odd. For any where U is a disjoint union of the cycle set of H(x) related to G(x). Firstly, we find all the cycle sets In what follows, we always write that ω is a primitive element in F 4 .

Lemma 4.
For any α ∈ F 2 2k \F 4 , the cycle set C α of H(x) related to G(x) can be expressed as follows: (2) If ε � 1, Proof. By similarity, we only give the details of (1) and (2).
en we also get H(α 2 ) � G(α). erefore, the cycle set of H(x) related to G(x) is just a 2-cycle set and C α � α, α + 1 { }. In the case of Mathematical Problems in Engineering either s � ω or ω 2 .
Remark 1. When ε � ω 2 , the cycle sets of H(x) related to G(x) are equivalent to Lemma 4 (3) since ω is a primitive element of F 4 if and only if ω 2 is also a primitive element of F 4 . Some properties of these cycle sets are listed as follows.

Lemma 5.
Let C α and ε be the same as in Lemma 4. en Proof. For (a), by similarity, we only prove it for ε � 1. If And if s � ω or s � ω 2 , e proof of (b) is very simple and we omit the details. To prove (c), we suppose that We complete the proof of Lemma 5.
We can define the 2cycle set as I ′ and easily get that is closed under addition by ε.
en S α is closed under addition by ε.
where J is a subset of L and the set I ′ has been defined in Remark 2.
Proof. By the definition of S α , we know that all of U is a union of some cycle sets of H(x) related to G(x), which, associated with Lemma 3, implies eorem 1 holds. e next step is to study the differential uniformity of F(x). For any (a, b) ∈ F * 2 2k × F 2 2k and ε, s ∈ F 4 , the equation F(x + a) + F(x) � b is equivalent to the following four equations on F 2 2k : 4 Mathematical Problems in Engineering As the statement of [18], the notations of roots and solutions have different meanings for those equations. For example, we say x 0 is a root of equation (26) if and say x 0 is a solution of equation (26) if x 0 is a root of (26) with x 0 , x 0 + a ∈ F 2 2k \U. (26)-(29), we have the following:

Lemma 6. For the roots of equations
(a) If x is a root of equation (26), then x + ε is a root of equation (27), and vice versa. Moreover, x + a is also a root of equation (26). (b) If x is a root of equation (28), then x + ε is a root of equation (29), and vice versa. Moreover, x + a + ε is also a root of equation (28).
Proof. If x is a root of equation (26), then we have is shows that x + ε is a root of equation (27). Obviously, x + a is another root of equation (26) and x + a + ε is also a root of equation (27). It finishes the proof of (a) and the proof of (b) can be similarly proved.
If we denote by C i the set of all solutions of equations (30)∼(33), respectively, then we have the following results for the cardinals of C i , i � 6, 7, 8, 9.
When ε � 0, it is obvious that the function in (13) is a differential 4-uniformity permutation over F 2 2k if s � 0. If s ≠ 0, Zha et al. [24] proved F in (13) is a differential 4uniformity permutation over F 2 2k as a special case. Now, we only need to show that the differential uniformity of the permutation F is as in (13) when ε ≠ 0.
Proof. By eorem 1, it suffices to prove that F(x + a) + F(x) � b has at most 4 solutions. It is equivalent to show that the sum of the numbers of solutions of equations (26) to (29) is less than 4. Let (a, b) ∈ ε { } × F * 2 2k . e fact that x − 1 is of differential uniformity 4 implies that the total of the numbers of solutions of equations (26) and (27) is at most 4. Moreover, (28) and (29) have no solutions. us, in this case, F is of differential 4-uniformity. Now we prove that F(x) To end this, we consider it to three cases: which shows that F(x) + F(x + a) � b has at most 4 solutions.

Mathematical Problems in Engineering
(2) b � a − 1 . When a ∈ U, by the fact that 0 ∉ U, we know that a is not a solution of equation (26). Neither is 0. e sum of the numbers of equations (26) and (27) is at most 2. Since b ≠ (a + ε) − 1 , by Lemma 7 (2), the sum of the numbers of equations (28) and (29) is also at most 2. And hence, F(x) + F(x + a) � b has at most 4 solutions. When a ∉ U, obviously, 0 and a are the solutions of equation (26). In addition, since ab � 1 and Tr(1) � 0, by Lemma 2, equation (30) has two solutions aω and aω 2 , where that ω is a primitive element in F 4 . We have |T 2 | � 4. By ε, a + ε ∉ U and Lemma 7 (1), we conclude that T 3 is empty. Moreover, we claim that equations (28) and (29) have no solutions. In fact, by Lemma 7, we only need to show that equation (31) or (32) has no solutions. If λ is a solution of equation (32), we get a 2 + λa + (λε + λ 2 ) � 0. However, which together with Lemma 2 implies that a 2 + λa + (λε + λ 2 ) ≠ 0 for any a ∈ F 2 2k . It is a contradiction. us, F(x) + F(x + a) � b has 4 solutions. Together with the discussion of the above three cases, we know that F is of differential 4-uniformity. erefore, it finishes the proof of eorem 1.

Theorem 3.
If ε ≠ 0 and s ≠ 0, where U � ∪ α∈J S α , then the differential uniformity of the function is of 4 or 6.
Proof. Since the proof of eorem 3 is very similar to that of eorem 2, we omit the details.

Other Cryptographic Properties
In this section, we study the algebraic degree and nonlinearity of F(x) over F * 2 2k . Moreover, we present some numerical results about the differential spectra, extend Walsh spectra, and nonlinearities of F(x). We also discuss the CCZ-equivalence of F(x) constructed in Section 3.

Algebraic Degree and Nonlinearity.
e aim of this section is to prove that all functions we constructed have the optimal algebraic degree. For any given permutation F over F * 2 n , the algebraic degree of F(x) is at most n − 1. As noticed in [23] that, for any (n, 1)-function h(x) (or n-variable Boolean function) with deg(h(x)) ≤ n − k − 1, if F(x) has algebraic degree at most k, one must have It follows that the size of the set x ∈ F 2 n | Tr(F(x)h(x)) � 0 must be even from the fact that the algebraic degree of Tr(aF(x))h(x) is at most n − 1. Hence, for a permutation F(x) over F * 2 n , if we can show that there exists some Boolean function h(x) with algebraic degree at most 1 such that then we can conclude that the algebraic degree of F is at least n − 1.    (13) has the optimal algebraic degree 2k − 1.

Mathematical Problems in Engineering
Proof. When ε � 0, Zha et al. [24] proved eorem 4 as a special case. Now we turn to prove it for ε ≠ 0. To end this, we only need to show that there exists some Boolean function h(x) with algebraic degree at most 1 such that x∈F 2 n F(x)h(x) ≠ 0. Let ε ≠ 0. Taking h(x) � Tr(ε − 1 x), we know that it is of algebraic degree 1. By Tr(ε − 1 (x + ε)) � Tr(ε − 1 x) + Tr(1) and Tr(1) � 0, we have where U is the same as in eorem 1. For any x ∈ U, we have erefore, We complete the proof of eorem 4. Now we consider the nonlinearity of the functions F and obtain the following lower bound. Theorem 5. Let k ≥ 3 be an odd integer. For any ε, s ∈ F 4 , the nonlinearity of F satisfies NL(F) ≥ 2 2k− 1 − 2 k − |U|, where U is as in eorem 1.

Numerical Result of CCZ-Inequivalence of F(x).
From the primary definition of CCZ-equivalence, it is difficult to check whether two (n, n)-functions are CCZequivalent. An alternative method to solve this problem is to compare their CCZ-invariant parameters (such as differential spectrum and extended Walsh spectrum). We compute the nonlinearity, the extended Walsh spectrum, and the differential spectrum of the constructed functions with different parameters. As we said in Remark 4, we find at least 27 classes of CCZ-inequivalent differential 4uniformity functions which are listed in Table 1. And as we remarked in Remark 5 (4), there are 2 CCZ-inequivalent differential 4-uniformity classes of functions, which are listed in Table 2. Moreover, CCZ-invariant parameters of the newly differential 6-uniformity functions from eorem 3 are also computed and listed in Table 3. In these tables, we denote by NL the nonlinearity of a function and the multiset * m[t] * { } the times of t appearing in this multiset which is m.

Conclusions
In this paper, we constructed several classes of low differential uniformity permutations over F 2 2k with k odd. All these functions have the optimal algebraic degree, and we get a lower bound of the high nonlinearity of F(x). Moreover, it has been checked by a computer program for k � 3 that there are many new CCZ-inequivalent classes of differentially 4-and 6-uniform permutations in our construction. Precisely, all of the differential 6-uniformity permutations are CCZ-inequivalent with the known ones, and there are two new families of differential 4-uniformity permutations.
Data Availability e data of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare that they have no conflicts of interest regarding the publication of this paper.