ScienceDirect Cognitive Systems Research xxx (xxxx) xxx www.elsevier.com/locate/cogsys
Construction of CCZ transform for quadratic APN functions

Xinyang Zhang ⇑, Meng Zhou

School of Mathematics and Systems Science, Beihang University, NO. 37, Xueyuan Road, Haidian District, Beijing 100191, China

Received 11 August 2018; received in revised form 24 September 2018; accepted 27 September 2018
Abstract

Almost perfect nonlinear (APN) functions, especially quadratic APN functions, are an important type of function in cryptography. Since the notion of CCZ-equivalence was developed, constructing CCZ transforms of APN functions to obtain new APN functions has become a critical issue in cryptography. Inspired by the result of Budaghyan, who used Gold functions, this article gives the construction of a CCZ transform for all quadratic vectorial Boolean functions and proves that, for quadratic APN functions, the transformed functions have algebraic degree 3, and are thus EA-inequivalent to all quadratic functions, and have minimum algebraic degree 2, and are thus EA-inequivalent to all power functions.

© 2018 Elsevier B.V. All rights reserved.
Keywords: APN function; CCZ transform; Quadratic function; Power function; EA-equivalence
1. Introduction

Almost perfect nonlinear (APN) and almost bent (AB) functions have significant theoretical meaning and have been extensively applied in finite field theory. The search for new APN (see Definition 1.3) and AB (which also implies the APN property, see (Kasami, 1971)) functions has become an interesting topic. Power functions have six known classes of APN functions, namely, Gold (1968), Kasami (1971), Canteaut, Charpin, & Dobbertin (2000), Niho (1972, 1972), Inverse, and Dobbertin (2001). Apart from power functions, several classes of APN polynomials are also known. Accordingly, (Bracken, Byrne, Markin, & McGuire, 2008; Budaghyan and Carlet, 2008; Budaghyan, Claude, & Carlet, 2009; Budaghyan, Carlet, & Pott, 2006, 2007, Budaghyan, Carlet, Felke, & Leander, 2006) show that all results are quadratic functions
⇑ Corresponding author.
except (Budaghyan et al., 2006) (the meaning of degree is a little different, see Definitions 1.1 and 1.2). For vectorial functions in cryptography, equivalence is an important concept. Equivalence implies that two functions are similar in structure, especially in difference and nonlinearity. First is the affine equivalence, followed by the extended affine (EA) equivalence (see Definition 1.4). In 1998, Carlet, Charpin, and Zinoviev (1998) provided a new equivalence concept called CCZ-equivalence (see Definition 1.5). It is the best-known concept to keep properties such as perfect nonlinear (PN), almost perfect nonlinear (APN), and almost bent (AB) between functions; in other words, the concept of CCZ-equivalence discovered the nature of difference and nonlinearity. In general, EA-equivalence is strictly included in CCZ-equivalence, that is, two functions which are CCZ-equivalent may be EA-inequivalent. However, for perfect nonlinear (PN) functions, (Kyureghyan and Pott, 2008) proved that a CCZ-transform for a PN function must also be an EA-transform. This implies that when all the differences reach the balance, CCZ-equivalence also weakens to no
E-mail address: [email protected] (X. Zhang). https://doi.org/10.1016/j.cogsys.2018.09.024 1389-0417/© 2018 Elsevier B.V. All rights reserved.
Please cite this article as: X. Zhang and M. Zhou, Construction of CCZ transform for quadratic APN functions, Cognitive Systems Research, https://doi.org/10.1016/j.cogsys.2018.09.024
X. Zhang, M. Zhou / Cognitive Systems Research xxx (xxxx) xxx
more than EA-equivalence. This seems a little contradictory, because the concept of CCZ-equivalence was developed for the purpose of finding new functions that keep the property of balanced differences. In fact, in the proof of Kyureghyan and Pott, the key is the condition of PN. Examples without the PN property can also show this. In 2006, Budaghyan et al. (2006), starting from the Gold function and using a CCZ-transform, constructed a new class of APN functions with algebraic degree 3 that are EA-inequivalent to any power function.

Definition 1.1. Every Boolean function $f:\mathbb{F}_2^n\to\mathbb{F}_2$ can be uniquely represented as a polynomial $f(x_1,x_2,\dots,x_n)=\sum_{I\in P(N)}a_Ix^I$, in which $N=\{1,2,\dots,n\}$, $P(N)$ is the power set of $N$, $a_I\in\mathbb{F}_2$ and $x^I=\prod_{i\in I}x_i$. It is called the algebraic normal form (ANF) of $f$. The algebraic degree of $f$ is $\deg f=\max\{|I| : a_I\neq 0,\ I\in P(N)\}$.

Definition 1.2. A mapping $F:\mathbb{F}_2^n\to\mathbb{F}_2^m$ is called an $(n,m)$ vectorial Boolean function, in short, an $(n,m)$ function. Its ANF is similar to that of a Boolean function, with $a_I\in\mathbb{F}_2^m$. The functions $f_a(x)=a^TF(x)$ with $a\in\mathbb{F}_2^m\setminus\{0\}$ are called the components of $F$. The algebraic degree of $F$ is

$$\deg F=\max_{a\in\mathbb{F}_2^m\setminus\{0\}}\deg f_a$$

and the minimum algebraic degree is

$$\mathrm{Deg}\,F=\min_{a\in\mathbb{F}_2^m\setminus\{0\}}\deg f_a .$$

Sometimes $\mathbb{F}_2^m$ is written as $\mathbb{F}_{2^m}$; in this case, the components are in the form $f_a(x)=\mathrm{tr}(aF(x))$ with $a\in\mathbb{F}_{2^m}\setminus\{0\}$.
Definition 1.3. $F(x)$ is called an almost perfect nonlinear (APN) function on $\mathbb{F}_2^n$ if $D_aF(x)=F(x+a)-F(x)$ is 2-1 on $\mathbb{F}_2^n$ (i.e. $D_aF(x)=D_aF(y)$ if and only if $x=y$ or $x+a=y$) for all $a\in\mathbb{F}_2^n\setminus\{0\}$. Almost bent (AB) function is a type of APN function.

Definition 1.4. Two $(n,m)$ functions $F'$ and $F$ are called extended affine (EA-) equivalent if there are affine permutations $A_1:\mathbb{F}_2^m\to\mathbb{F}_2^m$, $A_2:\mathbb{F}_2^n\to\mathbb{F}_2^n$ and an affine mapping $A:\mathbb{F}_2^n\to\mathbb{F}_2^m$ such that $F'=A_1\circ F\circ A_2+A$, and affine equivalent if $A=0$.
Definition 1.5. The subset $\{(x,F(x))\}$ of $\mathbb{F}_2^n\times\mathbb{F}_2^m$ is called the graph of the $(n,m)$ function $F$. Two $(n,m)$ functions $F'$ and $F$ are called CCZ-equivalent if there is an affine permutation $L(x,y)=(L_1(x,y),L_2(x,y))$ such that $\{L(x,F(x))\}=\{(x,F'(x))\}$. If $L_1(x,y)$ depends only on one of $x$ or $y$, then it implies that $F'$ is EA-equivalent with $F$ or its inverse (if it exists), respectively, and we call $L(x,y)$ trivial. Therefore, $L(x,y)$ is expected to be nontrivial.

2. Construction of CCZ transforms and its requirements

The main question in this article is constructing a CCZ-transform $L(x,y)=(L_1(x,y),L_2(x,y))$ on $\mathbb{F}_2^n\times\mathbb{F}_2^m$ for an $(n,m)$ function $F$, which implies that $L(x,y)$ is an affine permutation on $\mathbb{F}_2^n\times\mathbb{F}_2^m$ such that $L_1(x,F(x))$ is a permutation on $\mathbb{F}_2^n$. $L(x,y)$ can be represented by a square matrix of order $n+m$:

$$\begin{pmatrix}L_1(x,y)\\ L_2(x,y)\end{pmatrix}=\begin{pmatrix}A_1&B_1\\ A_2&B_2\end{pmatrix}\begin{pmatrix}x\\ y\end{pmatrix}+\begin{pmatrix}c_1\\ c_2\end{pmatrix}$$

For a particular $L(x,y)$, deciding whether it is a CCZ-transform requires considering both $L_1(x,y)$ and $L_2(x,y)$. However, to know whether the CCZ-transform exists, the following lemma shows that considering $L_1(x,y)$ is enough.

Lemma 2.1. Assume $A_1\in\mathbb{F}_2^{n\times n}$ and $B_1\in\mathbb{F}_2^{n\times m}$. If $\mathrm{rank}\,[A_1,B_1]=n$, then there exist $A_2\in\mathbb{F}_2^{m\times n}$ and $B_2\in\mathbb{F}_2^{m\times m}$ such that

$$\mathrm{rank}\begin{pmatrix}A_1&B_1\\ A_2&B_2\end{pmatrix}=n+m;$$

furthermore, the CCZ-transforms with different $A_2$ and $B_2$ are EA-equivalent.

Proof. The set of row vectors of $[A_1,B_1]$ is linearly independent; therefore, it can be expanded to a basis of $\mathbb{F}_2^n\times\mathbb{F}_2^m$, and the existence is proved. Suppose $A_2'$, $B_2'$ also satisfy

$$\mathrm{rank}\begin{pmatrix}A_1&B_1\\ A_2'&B_2'\end{pmatrix}=n+m$$

and consider the matrix equation

$$\begin{pmatrix}k_1&k_2\\ k_3&k_4\end{pmatrix}\begin{pmatrix}A_1&B_1\\ A_2&B_2\end{pmatrix}=\begin{pmatrix}A_1&B_1\\ A_2'&B_2'\end{pmatrix};$$

then $k_1=I$, $k_2=0$, and $\mathrm{rank}(k_4)=n$. □

Not only the result of this lemma but also the problem of finding $L(x,y)$ can be simplified further. The following lemma shows the requirement $\mathrm{rank}\,[A_1,B_1]=n$.

Lemma 2.2. If $A_1x+B_1F(x)$ is a permutation on $\mathbb{F}_2^n$, then $\mathrm{rank}\,[A_1,B_1]=n$.

Proof. Let $a\in\mathbb{F}_2^n$. If $a^T[A_1,B_1]=0$, then $a^T(A_1x+B_1F(x))=0$. Because $A_1x+B_1F(x)$ is a permutation, $a^Tb=0$ for every $b\in\mathbb{F}_2^n$, thus $a=0$. □

The basic idea in this article is that one component of the function $F(x):\mathbb{F}_2^n\to\mathbb{F}_2^m$ is considered and combined with an affine function, that is, every component of $L_1(x,y)$ has the form $l(x)$ or $l(x)+f_a(x)$, in which $l(x)$ is affine, $f_a(x)=a^TF(x)$ with the same $a\in\mathbb{F}_2^m\setminus\{0\}$ for all components, and at least one component is $l(x)+f_a(x)$. Then, $L_1(x,y)=c+Px+Qy$, $Q=da^T$, where $c,d\in\mathbb{F}_2^n$.

The following theorem shows the requirement for $L(x,y)$ to be a CCZ transform.

Theorem 2.1. $L_1(x,F(x))$ above is a permutation if and only if $\mathrm{rank}\,(P,d)=n$ and $Pb+(D_bf_a(x)+1)d=0$ for some $b\in\mathbb{F}_2^n\setminus\{0\}$. Furthermore, $b$ is unique.
Proof. If $L_1(x,F(x))$ is a permutation, then by Lemma 1.2, $\mathrm{rank}\,(P,d)=n$. Therefore, there exists $b\in\mathbb{F}_2^n\setminus\{0\}$ such that $Pb\in\{0,d\}$, thus

$$L_1(x,F(x))+L_1(x+b,F(x+b))=Pb+D_bf_a(x)d\in\{0,d\}$$

Because $b\in\mathbb{F}_2^n\setminus\{0\}$ and $L_1(x,F(x))$ is a permutation, $Pb+(D_bf_a(x)+1)d=0$. Conversely, if $\mathrm{rank}\,(P,d)=n$ and $Pb+(D_bf_a(x)+1)d=0$ for some $b\in\mathbb{F}_2^n\setminus\{0\}$, it is then easy to prove that the equation

$$L_1(x,F(x))+L_1(y,F(y))=P(x+y)+(f_a(x)+f_a(y))d=0$$

implies $x+y=0$, thus $L_1(x,F(x))$ is a permutation. □

The following lemma shows that this class of CCZ-transform exists if and only if there exist $a\in\mathbb{F}_2^m\setminus\{0\}$ and $b\in\mathbb{F}_2^n\setminus\{0\}$ such that $D_bf_a(x)$ is constant.

Lemma 2.3. If $a\in\mathbb{F}_2^m\setminus\{0\}$ and $b\in\mathbb{F}_2^n\setminus\{0\}$ are such that $D_bf_a(x)$ is constant, then there exists $L_1(x,y)=Px+da^Ty$ satisfying $\mathrm{rank}\,(P,d)=n$ and $Pb+(D_bf_a(x)+1)d=0$. Furthermore, if $L_1'(x,y)=P'x+d'a^Ty$ also satisfies $\mathrm{rank}\,(P',d')=n$ and $P'b+(D_bf_a(x)+1)d'=0$, then $L_1'(x,y)=UL_1(x,y)$, in which $U\in\mathbb{F}_2^{n\times n}$ and $\mathrm{rank}\,U=n$.

According to Lemma 2.1 and Lemma 2.3, the following theorem is easy to prove.

Theorem 2.2. For the same $a\in\mathbb{F}_2^m\setminus\{0\}$ and $b\in\mathbb{F}_2^n\setminus\{0\}$, transforms generated according to Theorem 2.1 are EA-equivalent to each other.

For every $G(x)$ EA-equivalent with $F(x)$, a CCZ-transform for $F(x)$ has a corresponding transform for $G(x)$.

Theorem 2.3. If $L(x,y)$ is a CCZ-transform for $F(x)$, then for $G(x)=A_1\circ F\circ A_2+A$, the CCZ-transform $L'(x,y)=L\left(A_2x,\ A_1^{-1}(y+Ax)\right)$ on $G(x)$ generates the same function as $L(x,y)$ on $F(x)$. Furthermore, if $L_1(x,y)=c+Px+da^Ty$, then $L_1'(x,y)=c+\left(PA_2+da^TA_1^{-1}A\right)x+da^TA_1^{-1}y$.

Construction. When $f_a(x)$ is quadratic, $D_bf_a(x)$ is affine for all $b\in\mathbb{F}_2^n\setminus\{0\}$. Because an affine function is either balanced or constant, unless $f_a(x)$ is bent (i.e. $D_bf_a(x)$ is balanced for all $b\in\mathbb{F}_2^n\setminus\{0\}$; for Boolean functions, bent and PN are the same), we can easily construct a CCZ-transform. According to Nyberg (1992), an $(n,m)$ bent function (i.e. all the components are bent) exists if and only if $m\le n/2$; this implies that for every quadratic $(n,m)$ function with $m>n/2$, this type of CCZ-transform can always be constructed. Given $b\in\mathbb{F}_2^n\setminus\{0\}$, consider the affine function $D_bF(x)=Ax+d$; obviously $Ab=0$ and then $\mathrm{rank}\,A\le n-1$. When $m\ge n$, there exists $a\in\mathbb{F}_2^m\setminus\{0\}$ such that $a^TA=0$, i.e. $D_bf_a(x)=a^Td$. According to Theorem 2.3, we can assume that the affine function $D_bF(x)$ is linear, then $D_bf_a(x)=0$. Let $L(x,y)=(x+ba^Ty,\ y)$, thus $F_1(x)=L_1(x,F(x))=x+f_a(x)b$. Obviously, both are involutions, i.e. $L\circ L(x,y)=(x,y)$ and $F_1\circ F_1(x)=x$. In this case, $F'(x)=F_2\circ F_1(x)=F(x)+f_a(x)D_bF(x)$.

3. Properties of new classes

In Theorem 2.2, we proved that for the same $a$ and $b$ in Theorem 2.1, the transforms generated are EA-equivalent to each other. Can the result be made stronger, for example when only $a$ or only $b$ is given? First, does $a\in\mathbb{F}_2^n\setminus\{0\}$ exist for any $b\in\mathbb{F}_2^n\setminus\{0\}$? Second, if it exists, is $a$ unique? Third, if $a$ is given, does $b$ exist and is it unique? To answer these questions, we first use the Dickson theorem to obtain a normalized form for quadratic forms on $\mathbb{F}_2^n$, which is different from the sum of squares for fields whose characteristic is not 2.
Lemma 3.1. (Dickson) (MacWilliams and Sloane, 1981) Every quadratic function $f:\mathbb{F}_2^n\to\mathbb{F}_2$ is affine equivalent to one of the three kinds of functions below:
(1) $x_1x_2+\dots+x_{2k-1}x_{2k}+x_{2k+1}$;
(2) $x_1x_2+\dots+x_{2k-1}x_{2k}$;
(3) $x_1x_2+\dots+x_{2k-1}x_{2k}+1$.

The following theorem gives a positive answer for these questions.

Theorem 3.1. If $F(x)$ is a quadratic APN function on $\mathbb{F}_2^n$, then $a$ is decided by $b$. Furthermore, if $n$ is odd, then $a$ and $b$ are decided by each other.

Proof. Because $F(x)$ is quadratic, $D_bF(x)$ is affine; because $F(x)$ is APN, $D_bF(x)$ can have $2^{n-1}$ values, so $D_bF(x)=Ax+d$, in which $\mathrm{rank}\,A=n-1$ and $Ab=0$. Then, there exists a unique $a\in\mathbb{F}_2^n\setminus\{0\}$ such that $a^TA=0$, i.e. $D_bf_a(x)=a^Td$. However, when $n$ is odd, according to Lemma 2.1, for any $a\in\mathbb{F}_2^n\setminus\{0\}$, there exists $b\in\mathbb{F}_2^n\setminus\{0\}$ such that $D_bf_a(x)$ is constant. □

According to Theorem 2.2:

Corollary 3.1. If $F(x)$ is a quadratic APN function, for the same $b\in\mathbb{F}_2^n\setminus\{0\}$ and for the same $a\in\mathbb{F}_2^n\setminus\{0\}$, in the case of $n$ being odd, transforms generated according to Theorem 2.1 are EA-equivalent to each other.

It is easy to know that a quadratic power function on $\mathbb{F}_{2^n}$ has the form $x^{2^i+2^j}$. If it is APN, then it is called the Gold function. For the Gold function $F(x)=x^{2^i+1}$, in which $(i,n)=1$, Budaghyan et al. (2006) gave a construction of CCZ-transform:
$(x+\mathrm{tr}(x)+\mathrm{tr}(y),\ y+\mathrm{tr}(y)+\mathrm{tr}(x))$, when $n$ odd;
$(x+\mathrm{tr}(y),\ y)$, when $n$ even.
The function generated by the CCZ-transform above is:
$x^{2^i+1}+\left(x^{2^i}+x\right)\mathrm{tr}\left(x^{2^i+1}+x\right)$, when $n$ odd;
$x^{2^i+1}+\left(x^{2^i}+x+1\right)\mathrm{tr}\left(x^{2^i+1}\right)$, when $n$ even.

In fact, if both $a=1$ and $b=1$, or according to Theorem 3.1, if only $b=1$, then there rises a question: If the value of $b$ changes, will a new class in EA-equivalent be constructed? In general, the answer is positive; however, for power functions, it is negative.

Proposition 3.1. If $L(x,y)$ is a CCZ-transform for $F(x)=x^{2^i+1}$ and $L_1(x,y)$ has the form $l(x,\mathrm{tr}(ay))$, then $F'(x)$ is EA-equivalent to $x^{2^i+1}+\left(x^{2^i}+x\right)\mathrm{tr}\left(x^{2^i+1}+x\right)$ or $x^{2^i+1}+\left(x^{2^i}+x+1\right)\mathrm{tr}\left(x^{2^i+1}\right)$ when $n$ is odd or even, respectively.

Proof. According to Theorem 2.1 and Corollary 3.1, $b\in\mathbb{F}_{2^n}\setminus\{0\}$, such that $a=b^{-(2^i+1)}$ and $L(bx,a^{-1}y)$ are EA-equivalent to $(x+\mathrm{tr}(x)+\mathrm{tr}(y),\ y+\mathrm{tr}(y)+\mathrm{tr}(x))$ or $(x+\mathrm{tr}(y),\ y)$ when $n$ is odd or even, respectively. Consider the EA-equivalence $x^{2^i+1}=a(bx)^{2^i+1}=aF(bx)$; according to Theorem 2.3, $F'(x)$ is generated by the CCZ transform $L(bx,a^{-1}y)$ on $aF(bx)$. □
The function in (Budaghyan et al., 2006) has algebraic degree 3 when $n\ge 4$; thus, it is EA-inequivalent to any quadratic function. When the function has minimum algebraic degree 2, according to the following proposition, it is EA-inequivalent to any power function.

Proposition 3.2 (Budaghyan et al., 2006). Let $F$ be a function from $\mathbb{F}_2^m$ to itself. If there exists an element $c\in\mathbb{F}_2^m\setminus\{0\}$ such that $\deg f_c\neq\deg F$ and $\deg F>1$, then $F$ is EA-inequivalent to power functions.

For a general quadratic APN function, not all the functions generated in Theorem 2.1 are in this class. There exist some quadratic APN functions that are CCZ-inequivalent to Gold functions, thus differing from functions in (Budaghyan et al., 2006) for any CCZ transform. Fortunately, they also have the same degree property.

Proposition 3.3 (Carlet, 2010). Let $F$ be an APN function in $n>2$ variables, then the nonlinearity of $F$ cannot be null.

Corollary 3.2. The minimum algebraic degree of an APN function in $n>2$ variables should be at least 2; in other words, the degree of every component should be at least 2.

Theorem 3.2. Suppose $F(x)$ is a quadratic APN function on $\mathbb{F}_2^n$. If $L(x,y)=(L_1(x,y),L_2(x,y))$ is an affine permutation on $\mathbb{F}_2^n\times\mathbb{F}_2^n$ in which $L_1(x,y)=Px+ca^Ty$ satisfies that $L_1(x,F(x))$ is a permutation on $\mathbb{F}_2^n$, then the generated $F'(x)$ has algebraic degree 3 when $n\ge 4$ and minimum algebraic degree 2.

Proof. According to Lemma 3.1 and Theorem 2.3, without losing generality we can assume that
$f_a(x)=x_1x_2+\dots+x_{2k-1}x_{2k}$ and $b=(0,\dots,0,1)^T$ and the affine function $D_bF(x)$ is linear, in which $k\ge 1$ and $n\ge 2k+1$. Thus, it is easy to prove that $F'(x)$ is EA-equivalent with $F(x)+(x_1x_2+\dots+x_{2k-1}x_{2k})D_bF(x)$, whose graph is equal to that of $\{(x+ba^Ty,\ y)\mid y=F(x)\}$. Obviously, $a^T\left(F(x)+(x_1x_2+\dots+x_{2k-1}x_{2k})D_bF(x)\right)=f_a(x)$. According to Proposition 3.3, $F'(x)$ has minimum degree 2. According to Theorem 3.1, the linear transform $D_bF(x)$ has rank $n-1$; thus, there exists $e\in\mathbb{F}_2^n$ such that $e^TD_bF(x)=x_{n-1}$. Therefore, $e^T\left(F(x)+(x_1x_2+\dots+x_{2k-1}x_{2k})D_bF(x)\right)=f_e(x)+(x_1x_2+\dots+x_{2k-1}x_{2k})x_{n-1}$ has degree 3 when $n\ge 4$. $F'(x)$ has also the same degree. □

Finally, according to Proposition 3.2:

Corollary 3.3. $F'(x)$ is EA-inequivalent to power functions.

4. The case $n=3$

In the previous section, we presented a method to construct new classes of APN functions from quadratic APN functions when $n\ge 4$. Therefore, it is natural to ask: Why not in $n=3$?

Theorem 4.1. If $f(x)=\sum_{i=0}^{6}a_ix^i$ on $\mathbb{F}_8$ is APN, then $f(x)$ is EA-equivalent to $x^3$.

Proof. Let $P(x)=a_3x+a_6x^2+a_5x^4$ and $Q(x)=a_0+a_1x+a_2x^2+a_4x^4$. Then, $f(x)$ can be written as $P(x^3)+Q(x)$. Because $f(x)$ is APN, according to Proposition 3.3, $P(x)$ is invertible. □

Lemma 4.1. Assume $\varphi$ permutes on $\mathbb{F}_{2^n}$, then for any $f(x):\mathbb{F}_{2^n}\to\mathbb{F}_{2^n}$, $\sum_{x\in\mathbb{F}_{2^n}}f(x)=\sum_{x\in\mathbb{F}_{2^n}}f(\varphi(x))$.
Lemma 4.2. For $0\le d\le 2^n-1$,

$$\sum_{x\in\mathbb{F}_{2^n}}x^d=\begin{cases}0, & 0\le d\le 2^n-2\\ 1, & d=2^n-1\end{cases}$$

Proof. Only for $1\le d\le 2^n-2$. Because $\varphi(x)=x^{d/(d,2^n-1)}$ permutes on $\mathbb{F}_{2^n}$, without losing generality, we can assume $d\mid 2^n-1$; therefore, $\mathbb{F}_{2^n}\setminus\{0\}$ can be divided into $(2^n-1)/d$ equivalent classes by the value of $x^d$ with $d$ elements in each class, i.e. $\sum_{x\in\mathbb{F}_{2^n}}x^d=d\sum_{i=1}^{(2^n-1)/d}\alpha^{id}$, where $\alpha$ is a generator of the cyclic group $\mathbb{F}_{2^n}\setminus\{0\}$. Because $\prod_{i=1}^{(2^n-1)/d}\left(x-\alpha^{id}\right)=x^{(2^n-1)/d}-1$ and $(2^n-1)/d>1$, $\sum_{i=1}^{(2^n-1)/d}\alpha^{id}=0$. □

Corollary 4.1. $f(x)=\sum_{i=0}^{2^n-1}a_ix^i$ satisfies $\sum_{x\in\mathbb{F}_{2^n}}f(x)=0$ if and only if $a_{2^n-1}=0$.
The core of the proof by Kyureghyan and Pott (2008) for PN function is that if $L_1(x,F(x))$ permutes, then $L_1(x,y)$ is independent of $y$, thus $L(x,y)=(L_1(x),L_2(x,y))$. Therefore, the nature of $x^3$ as shown in the following theorem is totally different from PN functions, although the result seems similar.

Theorem 4.2. If $F(x)$ is CCZ-equivalent to $x^3$ on $\mathbb{F}_8$, then $F(x)$ and $x^3$ are EA-equivalent too.

Proof. Because $f(x)$ is CCZ-equivalent to $x^3$, $L(x,y)=(L_1(x,y),L_2(x,y))$ affine permutes on $\mathbb{F}_8\times\mathbb{F}_8$, with $L_1(x,x^3)$ permuting on $\mathbb{F}_8$ and $f(L_1(x,x^3))=L_2(x,x^3)$. According to Corollary 4.1, $\sum_{x\in\mathbb{F}_8}L_2(x,x^3)=0$. Moreover, from Lemma 4.1, $\sum_{x\in\mathbb{F}_8}f(x)=\sum_{x\in\mathbb{F}_8}f(L_1(x,x^3))=0$. According to Corollary 4.1 again, $f(x)=\sum_{i=0}^{6}a_ix^i$. As $f(x)$ is APN, according to Theorem 4.1, $f(x)$ is EA-equivalent to $x^3$.

Corollary 4.2. If $F(x)$ is quadratic APN on $\mathbb{F}_8$ and $G(x)$ is CCZ-equivalent to $F(x)$, then $F(x)$ and $G(x)$ are also EA-equivalent.

5. Conclusions

The construction presented in this article can be applied to all quadratic Boolean functions. For quadratic functions on $\mathbb{F}_p^n$ with characteristic $p\neq 2$, the generalized construction will be provided in a further study. Even for quadratic Boolean functions, the construction is limited to $\mathrm{rank}\,Q=1$ in $L(x,y)=(L_1(x,y)=Px+Qy,\ L_2(x,y))$. For Gold functions on $\mathbb{F}_{2^n}$, Budaghyan et al. (2006) gave a construction in which $Qy=\mathrm{tr}_{n/m}(y)$; thus $\mathrm{rank}\,Q=m$ for any $m\mid n$. Finding constructions with $\mathrm{rank}\,Q>1$ for all quadratic Boolean functions is also an interesting problem.

Acknowledgement

This work was partly supported by Chinese National Natural Science Foundation project 11271040.
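The Construction paragraph of Section 2 and the degree claims of Theorem 3.2 can be checked numerically; the following is an added worked example, not code from the paper. It assumes the Gold function $x^3$ on $\mathbb{F}_{2^5}$ with modulus $x^5+x^2+1$, the choice $b=1$, $a^Ty$ taken as the bit-vector dot product, and hypothetical helper names.

```python
# Added example (not from the paper): the Section 2 construction run on the
# Gold function x^3 over F_{2^5}. Modulus, b = 1 and helper names are assumptions.
N = 5
MOD = 0b100101            # x^5 + x^2 + 1, irreducible over F_2
SIZE = 1 << N

def gf_mul(u, v):
    """Multiply in F_{2^N}: carry-less product reduced modulo MOD."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> N:
            u ^= MOD
    return r

def dot(a, y):
    """a^T y over F_2, reading field elements as bit vectors."""
    return bin(a & y).count("1") & 1

def is_apn(table):
    """APN: each derivative D_c F, c != 0, is 2-to-1, so it takes 2^(N-1) values."""
    return all(len({table[x ^ c] ^ table[x] for x in range(SIZE)}) == SIZE // 2
               for c in range(1, SIZE))

def anf(table):
    """Moebius transform; valid for vector-valued tables because XOR is bitwise."""
    t = list(table)
    for i in range(N):
        for x in range(SIZE):
            if (x >> i) & 1:
                t[x] ^= t[x ^ (1 << i)]
    return t

def degree(table):
    """Algebraic degree: largest |I| with a nonzero ANF coefficient a_I."""
    return max((bin(m).count("1") for m, c in enumerate(anf(table)) if c), default=0)

def min_degree(table):
    """Minimum algebraic degree over all nonzero components f_a = a^T F."""
    return min(degree([dot(a, y) for y in table]) for a in range(1, SIZE))

def ccz_transform(F, b):
    """Return (candidates for a, F1, F') for L(x, y) = (x + b a^T y, y)."""
    d = F[b] ^ F[0]                        # constant part of D_b F(x) = Ax + d
    low = b & -b                           # lambda(x) = one bit of x, lambda(b) = 1
    # Theorem 2.3 step: EA-equivalent G = F + lambda(x) d has a linear D_b G.
    G = [F[x] ^ (d if x & low else 0) for x in range(SIZE)]
    DbG = [G[x ^ b] ^ G[x] for x in range(SIZE)]
    cands = [a for a in range(1, SIZE) if not any(dot(a, v) for v in DbG)]
    a = cands[0]                           # unique for quadratic APN (Theorem 3.1)
    F1 = [x ^ (b if dot(a, G[x]) else 0) for x in range(SIZE)]   # x + f_a(x) b
    Fp = [G[F1[x]] for x in range(SIZE)]   # F' = F2 o F1 (F1 is an involution)
    closed = [G[x] ^ (DbG[x] if dot(a, G[x]) else 0) for x in range(SIZE)]
    assert Fp == closed                    # F' = G + f_a * D_b G
    return cands, F1, Fp

GOLD = [gf_mul(x, gf_mul(x, x)) for x in range(SIZE)]   # F(x) = x^3

if __name__ == "__main__":
    cands, F1, Fp = ccz_transform(GOLD, b=1)
    print("a:", cands, "APN:", is_apn(Fp),
          "degree:", degree(Fp), "min degree:", min_degree(Fp))
```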
References

Bracken, C., Byrne, E., Markin, N., & McGuire, G. (2008). New families of quadratic almost perfect nonlinear trinomials and multinomials. Finite Fields and their Applications, 14(3), 703–714.
Budaghyan, L., & Carlet, C. (2008). Classes of quadratic APN trinomials and hexanomials and related structures. IEEE Transactions on Information Theory, 54(5), 2354–2357.
Budaghyan, L., Carlet, C., & Leander, G. (2009). Constructing new APN functions from known ones. Finite Fields and their Applications, 15(2), 150–159.
Budaghyan, L., Carlet, C., & Pott, A. (2006). New classes of almost bent and almost perfect nonlinear polynomials. IEEE Transactions on Information Theory, 52(3), 1141–1152.
Budaghyan, L., Carlet, C., Felke, P., & Leander, G. (2006). An infinite class of quadratic APN functions which are not equivalent to power mappings. In Proceedings of the IEEE International Symposium on Information Theory (ISIT ’06) (pp. 2637–2641). Seattle, Wash, USA.
Budaghyan, L., Carlet, C., Felke, P., & Leander, G. (2007). Another class of quadratic APN binomials over F2n: the case n divisible by 4. In International Workshop on Coding and Cryptography (WCC ’07) (pp. 49–58). Versailles, France.
Canteaut, A., Charpin, P., & Dobbertin, H. (2000). Binary m-sequences with three-valued crosscorrelation: A proof of Welch’s conjecture. IEEE Transactions on Information Theory, 46(1), 4–8.
Carlet, C. (2010). Vectorial Boolean functions for cryptography. In Y. Crama & P. L. Hammer (Eds.), Boolean Models and Methods in Mathematics, Computer Science, and Engineering (pp. 398–472). London, UK: Cambridge University Press.
Carlet, C., Charpin, P., & Zinoviev, V. (1998). Codes, bent functions and permutations suitable for des-like cryptosystems. Designs, Codes and Cryptography, 15, 125–156.
Dobbertin, H. (2001). Almost perfect nonlinear power functions on GF (2n): A new case for n divisible by 5. In Finite Fields and Applications (pp. 113–121). Berlin, Germany: Springer.
Gold, R. (1968). Maximal recursive sequences with 3-valued recursive cross-correlation functions (corresp.). IEEE Transactions on Information Theory, 14(1), 154–156.
Kasami, T. (1971). The weight enumerators for several classes of subcodes of the 2nd order binary Reed-Muller codes. Information and Control, 18(4), 369–394.
Kyureghyan, G. M., & Pott, A. (2008). Some theorems on planar mappings. In LNCS 5130 (pp. 117–122). Springer.
MacWilliams, F. J., & Sloane, N. J. A. (1981). The Theory of Error Correcting Codes, 3rd printing (pp. 438). Amsterdam, Holland: North-Holland Press.
Niho, Y. (1972). Multi-valued cross-correlation functions between two maximal linear recursive sequences (Ph.D. thesis).
Nyberg, K. (1992). Perfect Nonlinear S-boxes. In EUROCRYPT 91, LNCS 547 (pp. 378–386). Springer-Verlag.