Differential spectrum of some power functions in odd prime characteristic

Differential spectrum of some power functions in odd prime characteristic

Finite Fields and Their Applications 21 (2013) 11–29 Contents lists available at SciVerse ScienceDirect Finite Fields and Their Applications www.els...
Download PDF
294KB Sizes 0 Downloads 66 Views
Report

Finite Fields and Their Applications 21 (2013) 11–29

Contents lists available at SciVerse ScienceDirect

Finite Fields and Their Applications www.elsevier.com/locate/ffa

Differential spectrum of some power functions in odd prime characteristic Sung-Tai Choi a,∗ , Seokbeom Hong a , Jong-Seon No a , Habong Chung b a b

Department of Electrical Engineering and Computer Science, INMC, Seoul National University, Seoul 151-744, Republic of Korea School of Electronics and Electrical Engineering, Hongik University, Seoul 121-791, Republic of Korea

a r t i c l e

i n f o

Article history: Received 28 June 2012 Revised 2 December 2012 Accepted 10 January 2013 Available online 31 January 2013 Communicated by Gary McGuire MSC: 11T71 94A60 Keywords: Almost perfect nonlinear Cyclotomic class Differential spectrum Odd prime characteristic Perfect nonlinear Power function

a b s t r a c t p k +1

Upper bound on  f of the power function x 2 in F pn (Helleseth et al. (1999) [7]) is not tight, for example p = 5, n = 3, and k = 2, which is the motivation of this work. In this paper, for an odd p k +1

prime p, the differential spectrum of the power function x 2 in F pn is calculated. For an odd prime p such that p ≡ 3 mod 4 and odd n with m|n, the differential spectrum of the power function p n +1

+p

n −1

2 in F pn is also derived. We also find some new power x p m +1 functions which are differentially 4 and 6-uniform. © 2013 Elsevier Inc. All rights reserved.

1. Introduction Let p be a prime number and F pn the finite field with pn elements. Let f (x) be a mapping from F pn to F pn . Let N f (a, b) denote the number of solutions x ∈ F pn of

f (x + a) − f (x) = b,

*

Corresponding author. E-mail address: [email protected] (S.-T. Choi).

1071-5797/$ – see front matter © 2013 Elsevier Inc. All rights reserved. http://dx.doi.org/10.1016/j.ffa.2013.01.002

(1)

12

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

where a ∈ F∗pn and b ∈ F pn . Let

f =

max

a∈F∗pn ,b∈F pn

N f (a, b).

The mapping f with  f = k is said to be differentially k-uniform [2]. Mainly for the cryptographical purpose, the functions with low  f have been searched extensively for many years [7–15]. Especially for an odd prime characteristic, there exist functions with  f = 1, which are said to be perfect nonlinear (PN). The functions with  f = 2, called almost perfect nonlinear (APN) are also studied extensively. Functions with  f larger than two are studied in [9] and [16]. Let f (x) be a power function in F pn given as f (x) = xd . For any a ∈ F∗pn and b ∈ F pn , (1) can be rewritten as

 f (x + a) − f (x) = ad

x a

d +1

 d  x



a

= b,

which means that

 N f (a, b) = N f 1,

b ad

 .

Hence, in dealing with power functions, we will only consider N f (1, b) instead of N f (a, b). The differential spectrum of the function f (x) with  f = k is defined as (ω0 , ω1 , . . . , ωk ), where ωi is given as







ωi =  b ∈ F pn  N f (1, b) = i . Recently, the differential spectrum of some power functions have been studied [3–5]. In [5], the relat n−t +1 −1 in F n is studied and the differential tionship between the differential spectrum of x2 −1 and x2 2 2t −1 spectrum of x for t ∈ {3, n/2, n/2 + 1, n − 2} is also calculated. pk +1

For an odd prime characteristic p,  f of the power function x 2 in F pn was first studied in [7] and it was shown that  f is upper bounded as  f  gcd(( pk − 1)/2, p 2n − 1). Nevertheless, the upper bound is not tight in some cases of p, n, and k, which motivates us to derive the exact value k of  f for x( p +1)/2 .

In this paper, the differential spectrum of x

pk +1 2

is first derived. Consequently the explicit  f of pn +1

+p

n −1

2 the function is also determined. We also compute the differential spectrum of x pm +1 in F pn for an odd prime p such that p ≡ 3 mod 4, odd n, and m|n. We believe that our paper is the first to calculate the differential spectrum of power functions with an odd prime characteristic. This paper is organized as follows. In Section 2, some preliminaries and notations are stated. In

Section 3, the differential spectrum of x of x

n pn +1 + p 2−1 pm +1

pk +1 2

in F pn is computed. In Section 4, the differential spectrum

in F pn is calculated. The conclusion is given in Section 5.

2. Preliminaries and notations Let p be an odd prime, α be a primitive element of the finite field F pn . Let C 0 and C 1 denote the set of squares and nonsquares in F∗pn = F pn \ {0}, respectively. Then the cyclotomic number (i , j ) is defined as the number of solutions (xi , x j ) ∈ C i × C j such that xi + 1 = x j for 0  i , j  1.

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

13

Lemma 1. (See [17, Lemma 6].) The cyclotomic numbers (i , j ) are given as: 1) pn ≡ 1 mod 4:

(0, 0) =

pn − 5 4

;

(0, 1) = (1, 0) = (1, 1) =

pn − 1 4

.

2) pn ≡ 3 mod 4:

(0, 0) = (1, 0) = (1, 1) =

pn − 3 4

;

(0, 1) =

pn + 1 4

.

Let E i j , 0  i , j  1, be the set defined as







E i j = x ∈ F∗pn  x ∈ C i and x + 1 ∈ C j .

(2)

Then (i , j ) = | E i j |. In the following lemma, we are going to express each x ∈ E i j in terms of the primitive element of F pn or F p 2n . The lemma will play an important role in the rest of the paper. Let [a, b] denote the set of consecutive integers between a and b including a and b, that is, [a, b] = {a, a + 1, . . . , b}. Lemma 2. Any element x in E 00 can be represented as

 x=

αt − α −t

2 (3)

2

where t varies over T1 = [1, ( pn − 3)/4] for pn ≡ 3 mod 4 and over T2 = [1, ( pn − 5)/4] for pn ≡ 1 mod 4. Any element x in E 11 can be represented as

 x=γ

αt − γ −1 α −t

2 (4)

2

where γ = −1 and t varies over T1 for pn ≡ 3 mod 4 and γ = −α and t varies over T2 ∪ {0} for pn ≡ 1 mod 4. Any element x in E 10 can be represented as

 x=

δ 2t − δ −2t

2 (5)

2

where δ = β ( p −1)/2 and β is a primitive element in F p 2n and t varies over T1 for pn ≡ 3 mod 4 and over T2 ∪ {( pn − 1)/4} = [1, ( pn − 1)/4] for pn ≡ 1 mod 4. Finally, any element x in E 01 can be represented as n

 x=

δ 2t +1 − δ −(2t +1) 2

2 (6)

where t varies over T1 ∪ {0} = [0, ( pn − 3)/4] for pn ≡ 3 mod 4 and over T2 ∪ {0} = [0, ( pn − 5)/4] for pn ≡ 1 mod 4.

14

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

Proof. For x ∈ E 00 , we can set x + 1 = u 2 and x = v 2 for some u , v ∈ F∗pn . Then we have u 2 − v 2 =

(u + v )(u − v ) = 1. Let u + v = αt . Then we have u = (αt + α −t )/2 and v = (αt − α −t )/2. Hence x in E 00 is represented as x = (α t − α −t )2 /4. Then we have to determine the range over which t varies. From Lemma 1, we know that | E 00 | = ( pn − 3)/4 for pn ≡ 3 mod 4 and ( pn − 5)/4 for pn ≡ 1 mod 4. It is easy to check that {α t , α −t , −α t , −α −t } induce the same x in (3). Note that t = 0 makes x = 0 and t = ( pn − 1)/4 makes x = 0 when pn ≡ 1 mod 4. Hence t varies over 1  t  ( pn − 3)/4 for pn ≡ 3 mod 4 and 1  t  ( pn − 5)/4 for pn ≡ 1 mod 4. For x ∈ E 11 , we can set x + 1 = γ u 2 and x = γ v 2 for some u , v ∈ F∗pn , where γ is a nonsquare in F∗pn . Then we have u 2 − v 2 = (u + v )(u − v ) = γ −1 . Let u + v = α t . Then we have u − v = γ −1 α −t and thus u = (α t + γ −1 α −t )/2 and v = (α t − γ −1 α −t )/2. Hence x ∈ E 11 is represented as x = γ (α t − γ −1 α −t )2 /4. Now, we have to determine the range over which t varies. From Lemma 1, we know that | E 11 | = ( pn − 3)/4 for pn ≡ 3 mod 4 and ( pn − 1)/4 for pn ≡ 1 mod 4. It is easy to check that {αt , −αt , γ −1 α −t , −γ −1 α −t } induce the same x in (4). Clearly, for the case of pn ≡ 3 mod 4, if we set γ = −1, then each t in T1 makes distinct x in E 11 . For the case of pn ≡ 1 mod 4, each t in T2 makes distinct x in E 11 for γ = −α similarly. For x ∈ E 10 or E 01 , the proof becomes a little more tricky. For x ∈ E 10 , we can set x + 1 = u 2 and x = γ v 2 for some u , v ∈ F pn , where γ is a nonsquare in F∗pn . Then we have u 2 − γ v 2 = 1, which can n n be factorized in F p 2n as u 2 − γ v 2 = (u + λ v )(u − λ v ) = (u + λ v )(u + λ p v ) = (u + λ v ) p +1 = 1, where n

λ and −λ = λ p are the two solutions in F p 2n of X 2 = γ [1]. Since u + λ v is the ( pn + 1)-st root of n n unity in F p 2n , we can set u + λ v = β ( p −1)t = δ 2t , where δ = β ( p −1)/2 and β is a primitive element of F p 2n . Since u + λ v = δ 2t and u − λ v = δ −2t , we have x = (δ 2t − δ −2t )2 /4. Then we have to determine the range over which t varies. From Lemma 1, we know that | E 10 | = ( pn − 3)/4 for pn ≡ 3 mod 4 and ( pn − 1)/4 for pn ≡ 1 mod 4. Note that {δ 2t , δ −2t , −δ 2t , −δ −2t } induce the same x in (5). The values t = 0, t = ( pn + 1)/2 which make x = 0 and t = ( pn + 1)/4 which makes x = −1 should be excluded. Then each t ∈ T1 gives distinct x for pn ≡ 3 mod 4 and so does t ∈ T2 ∪ {( pn − 1)/4} for pn ≡ 1 mod 4. We can prove the case for x ∈ E 01 similarly. 2 3. Differential spectrum of x

p k +1 2

in F pn

In [7], for an odd prime p, the upper bound on  f of the power function f (x) = x derived. The result is stated in the following theorem.

pk +1 2

in F pn is

Theorem 1. (See [7, Theorem 11].) Let f (x) = xd be the function defined on F pn , where p is an odd prime and d = ( pk + 1)/2. Then we have

 k  p − 1 2n  f  gcd ,p −1 . 2

However, in some cases of p, n, and k, the upper bound is not tight, which motivates us to compute the differential spectrum and  f . Lemmas 3 and 4 are needed to prove the following lemmas and theorem. Lemma 3. Define the set A = [1, N ] for a positive integer N. Let N = qv + r, where v is a positive integer divisor, q is a quotient, and r is a remainder. For an integer μ with 0  μ  v /2, nμ denote the number of a ∈ A such that a mod v is equal to either +μ or −μ. Then nμ is determined as: 1) When μ = 0 or v /2 for even v:

 nμ =

q + 1, for μ = q,

v 2

 r with even v

for μ = 0 or μ =

v 2

> r with even v .

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

15

Table 1 Relationships among parameters. pn

n/e

k/e

g and e

pk

pe

3 mod 4

odd

odd even

g =e g = 2e

3 mod 4 1 mod 4

3 mod 4

1 mod 4

even

odd

g =e

odd

odd even

g =e g = 2e

1 mod 4 3 mod 4 1 mod 4

1 mod 4 3 mod 4 1 mod 4

2) When 0 < μ < v /2:

⎧ ⎨ 2(q + 1), for v − r  μ  r nμ = 2q + 1, for μ  max( v − r , r + 1) or μ  min(r , v − r − 1) ⎩ 2q, for r < μ < v − r . We will omit the proof because it is nothing more than a simple counting. Lemma 4. (See [18, Theorem 2.4].) Let p be an odd prime and l = gcd(a, b). Let a = a/l and b = b/l. Then





gcd pa + 1, p b − 1 =



pl + 1, for odd a and even b

2,

otherwise.

Let D f (x) = f (x + 1) − f (x) and Ii j be the image of E i j under D f , that is,

   Ii j = D f (x)  x ∈ E i j where i , j ∈ {0, 1}. Also, define the set Ui j (b), b ∈ Ii j , as the set of elements x ∈ E i j such that D f (x) = b. In the following Lemmas 5–7, the cardinalities of each Ii j and Ui j (b)’s, b ∈ Ii j , will be determined. Let e = gcd(n, k) and g = gcd(2n, k) in the remainder of this section. In each proof of Lemmas 5–7, θ : t → x denotes the four bijective mappings from t to x defined in Lemma 2 shown as in (3)–(6), without distinguishing them from each other. In Table 1, the relationships among parameters p, n, k, e, and g are summarized, which is useful for separating cases in each of the lemmas and theorems in this section. Lemma 5. For I00 and D f | E 00 , we have: 1) For an odd n/e (n is even or odd):

|I00 | = pn + p e − 2 / 2 p e − 1 ⎧ p e −3 n ⎪ ⎪ 4 , for b = 1 and p ≡ 3 mod 4   ⎨ p e −5 U00 (b) = , for b = 1 and pn ≡ 1 mod 4 4 ⎪ ⎪ ⎩ p e −1 , for b( = 1) ∈ I00 . 2 2) For an even n/e (n is even):

|I00 | = pn + 2p e − 3 / 2 p e − 1

16

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

  U00 (b) =

⎧ ⎪ ⎪ ⎪ ⎪ ⎪ ⎨ ⎪ ⎪ ⎪ ⎪ ⎪ ⎩

p e −3 , 4 p e −5 , 4 e p −1 , 4 p e −1 , 2

for b = ±1 and p e ≡ 3 mod 4 for b = 1 and p e ≡ 1 mod 4 for b = −1 and p e ≡ 1 mod 4 for b( = ±1) ∈ I00 .

Proof. From Lemma 2, D f (x)| E 00 is represented in terms of t as

D f (x)| E 00 =

α(p

k

−1)t

+ α −( p

k

−1)t

2

k  M α ( p −1)t

(7)

where x = (α t − α −t )2 /4 and t varies over T1 for pn ≡ 3 mod 4 and T2 for pn ≡ 1 mod 4. Assume that there exist x1 and x2 ( = x1 ) in E 00 such that D f (x1 ) = D f (x2 ). Let t 1 = θ −1 (x1 ) and t 2 = θ −1 (x2 ). From (7), it is straightforward that t 1 and t 2 satisfy either

t 1 + t 2 ≡ 0 mod v

(8)

t 1 ≡ t 2 mod v

(9)

or

where v = ( pn − 1)/( p e − 1). Define the set

 Sμ =

{t ≡ ±μ mod v | t ∈ T1 }, for pn ≡ 3 mod 4

(10)

{t ≡ ±μ mod v | t ∈ T2 }, for pn ≡ 1 mod 4

where 0  μ   v /2. Then, from (8) and (9), all the elements in S μ give a single value M (α ( p −1)t ) in I00 and the elements in each S μ give distinct values in I00 . Therefore, |I00 | is equal to the number of distinct sets S μ ’s. Since 0  μ   v /2, |I00 | is equal to ( v + 1)/2 for odd v and v /2 + 1 for even v. Note that v is even when n/e is even and odd when n/e is odd. k Clearly, S μ corresponds to U00 ( M (α ( p −1)t )). Thus, obtaining |U00 (b)| for b ∈ I00 is finding the cardinality of corresponding S μ , which can be done easily by applying Lemma 3. Case 1). For pn ≡ 3 mod 4. In this case, we have k

S μ = {t ≡ ±μ mod v | t ∈ T1 }. Since

pn −3 4

=

p e −3 v 4

+

v −1 , 2

from Lemma 3, we have

  | S μ | = U00 (b) =



p e −1 , 2 e p −3 , 4

for 0 < μ <

v 2

for μ = 0

where b = D f (x) for θ −1 (x) ≡ ±μ mod v. Since n/e is odd, i.e., v is odd, in this case, we don’t need to consider S v /2 . Note that S 0 corresponds to U00 (1).

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

17

Case 2). For pn ≡ 1 mod 4. In this case, we have

S μ = {t ≡ ±μ mod v | t ∈ T2 }. Clearly, p e can be congruent to 3 or 1 modulo 4 in this case. pn −5 p e −3 Since 4 = 4 v + ( 2v − 1) for p e ≡ 3 mod 4, from Lemma 3, we have

  | S μ | = U00 (b) =



p e −1 , 2 e p −3 , 4

for 0 < μ <

v 2

for μ = 0 or

v 2

where b = D f (x) for θ −1 (x) ≡ ±μ mod v. Note that n/e is even, i.e., v is even, in this case, S v /2 should be considered. Note that S 0 corresponds to U00 (1) and S v /2 corresponds to U00 (−1). Since

pn −5 4

=

p e −5 v 4

+ ( v − 1) for p e ≡ 1 mod 4, from Lemma 3, we have

  | S μ | = U00 (b) =

⎧ ⎪ ⎪ ⎨ ⎪ ⎪ ⎩

p e −1 , 2 p e −5 , 4 p e −1 , 4

for 0 < μ <

v 2

for μ = 0 for μ =

v 2

and even

n e

where b = D f (x) for θ −1 (x) ≡ ±μ mod v. Here, S v /2 should be considered only when n/e is even. Note that S 0 corresponds to U00 (1) and S v /2 corresponds to U00 (−1). 2 Lemma 6. For I11 and D f | E 11 , we have: 1) For an odd n/e (n is even or odd):

|I11 | = pn + p e − 2 / 2 p e − 1 ⎧ e p −3 ⎪ , for b = 1, pn ≡ 3 mod 4, even k/e ⎪ 4 ⎪ ⎪ ⎪ ⎪ or b = −1, pn ≡ 3 mod 4, odd k/e ⎪   ⎨ p e −1 U11 (b) = , for b = 1, pn ≡ 1 mod 4, even k/e 4 ⎪ ⎪ ⎪ ⎪ or b = −1, pn ≡ 1 mod 4, odd k/e ⎪ ⎪ ⎪ e ⎩ p −1 , for remaining b ∈ I11 . 2 2) For an even n/e (n is even):

|I11 | = pn − 1 / 2 p e − 1   U11 (b) = p e − 1 /2, for any b ∈ I11 . Proof. Case 1). For pn ≡ 3 mod 4. By Lemma 2, we know that in this case



D f (x)| E 11 = M (−1) where t ∈ T1 and x = −(α t + α −t )2 /4.

γ = −1 and D f (x)| E 11 is represented as

p k −1 2

α(p

k

−1)t



= (−1)

p k −1 2

M



α(p

k

−1)t



(11)

18

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

Since

(−1)

p k −1 2

 =

1,

if pk ≡ 1 mod 4

−1, if pk ≡ 3 mod 4

and t varies over T1 , we have I00 = I11 for pk ≡ 1 mod 4 and I00 = −I11 for pk ≡ 3 mod 4. Therefore, |I11 | and |U11 (b)| are equal to |I00 | and |U00 (b)| in Lemma 5, respectively. Note that n/e is odd in this case. Case 2). For pn ≡ 1 mod 4. By Lemma 2, we know that in this case γ = −α and D f (x)| E 11 is represented as



D f (x)| E 11 = M (−α )

p k −1 2

α(p

k

−1)t



(12)

where t ∈ T2 ∪ {0} and x = −α (α t + α −(t +1) )2 /4. Assume that D f (x1 ) = D f (x2 ) for two distinct elements x1 and x2 in E 11 . Let t 1 = θ −1 (x1 ) and t 2 = θ −1 (x2 ). Then, from (12), t 1 and t 2 should satisfy

t 1 + t 2 + 1 ≡ 0 mod v

(13)

t 1 ≡ t 2 mod v

(14)

or

where v = ( pn − 1)/( p e − 1). Note that T2 ∪ {0} ∼ = Z pn −1 . Let R i , 0  i  v − 1, be the equivalent class congruent to i modulo v in Z pn −1 .

4

4

From (13) and (14), we know that all the elements t in R i ∪ R v −i −1 map to a single value in I11 . Thus, obtaining |U11 (b)| is just finding out the corresponding | R i ∪ R v −i −1 |. When v is odd, i.e., n/e is odd, and i = ( v − 1)/2, R i coincides with R v −i −1 . In this case, we can easily check that any t in R ( v −1)/2 maps to 1 for even k/e and −1 for odd k/e. Otherwise, |U11 (b)| = ( p e − 1)/2 because | R i | = ( p e − 1)/4. 2 Lemma 7. For I10 , I01 , D f | E 10 , and D f | E 01 , we have: 1) For an odd k/e: D f is bijective on both E 10 and E 01 so that |I10 | = | E 10 | = (1, 0) and |I01 | = | E 01 | = (0, 1); 1∈ / I10 and 1 ∈ / I01 . 2) For an even k/e:

|I10 | = |I01 | = pn + p e + 2 / 2 p e + 1 ⎧ p e −1 n ⎪ ⎪ 4 , for b = 1, p ≡ 1 mod 4   ⎨ p e −3 U10 (b) = , for b = 1, pn ≡ 3 mod 4 4 ⎪ ⎪ ⎩ p e +1 , for b( = 1) ∈ I10 2 ⎧ p e −1 n ⎪ ⎪ 4 , for b = 1, p ≡ 1 mod 4   ⎨ p e +1 U01 (b) = , for b = 1, pn ≡ 3 mod 4 4 ⎪ ⎪ e ⎩ p +1 , for b( = 1) ∈ I01 . 2

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

19

Proof. Case 1). For I 10 and D f | E 10 . From Lemma 2, D f (x)| E 10 can be written as

k n k D f (x)| E 10 = M β ( p −1)( p −1)t = M δ 2( p −1)t

(15)

where x = (δ 2t − δ −2t )2 /4 and t varies over [1, ( pn − 3)/4] for pn ≡ 3 mod 4 and over [1, ( pn − 1)/4] for pn ≡ 1 mod 4. Let t = θ −1 (x). Then from (15), θ(t 1 ) and θ(t 2 ) give the same value of D f (x) if and only if

t 1 ± t 2 ≡ 0 mod L

(16)

where L = ( pn + 1)/ gcd( pk − 1, pn + 1). From Lemma 4, L = ( pn + 1)/2 for odd k/e and L = ( pn + 1)/ ( p e + 1) for even k/e. Now, consider the case when pn ≡ 3 mod 4 and odd k/e. Since T1 = [1, ( pn − 3)/4], no t 1 and t 2 in T1 satisfy (16) so that D f is bijective on E 10 . Note that there exists no t ∈ T1 such that t mod L ≡ 0, / I10 . that is, D f (x) = 1. Hence we can conclude that |I10 | = | E 10 | = ( pn − 3)/4 and 1 ∈ For the case when pn ≡ 3 mod 4 and even k/e, we can use Lemma 3 by setting v = L = ( pn + 1)/ ( p e + 1). In this case, q and r become q = ( p e − 3)/4 and r = v − 1. Note that v is odd in this case. From Lemma 3, it is derived that |U10 (b)| = ( p e + 1)/2 for b( = 1) ∈ I10 and |U10 (1)| = ( p e − 3)/4. For the case when pn ≡ 1 mod 4, the proof can be done similarly. Case 2). For I 01 and D f | E 01 . In this case, D f (x)| E 01 can be written as

k D f (x)| E 01 = M δ (2t +1)( p −1) where x = (δ 2t +1 − δ −(2t +1) )2 /4 and t varies over [0, ( pn − 3)/4] for pn ≡ 3 mod 4 and over [0, ( pn − 5)/4] for pn ≡ 1 mod 4. Using the similar argument to the previous case, θ(t 1 ) and θ(t 2 ) give the same value of D f (x) if and only if

(2t 1 + 1) pk − 1 ± (2t 2 + 1) pk − 1 ≡ 0 mod 2 pn + 1 .

(17)

Then (17) can be rewritten as either

t 1 − t 2 ≡ 0 mod L

(18)

t 1 + t 2 + 1 ≡ 0 mod L .

(19)

or

For the case when pn ≡ 3 mod 4 and odd k/e, again D f is bijective on E 01 and there exists no x such / I01 . that D f (x) = 1. Thus, |I01 | = | E 01 | = ( pn + 1)/4 and 1 ∈ For the case when pn ≡ 3 mod 4 and even k/e, applying Lemma 3 to (18) and (19) yields that |U01 (b)| = ( p e + 1)/2 for b( = 1) ∈ I01 and |U01 (1)| = ( p e + 1)/4. For the case when pn ≡ 1 mod 4, the proof can be done similarly. 2 So far, we have investigated the cardinality of the images, |Ii j |, and the inverse images, |Ui j (b)|, of D f | E i j , i , j ∈ {0, 1}. In order to unify Lemmas 5–7 and to see the overall mapping property of D f , we have to look into the relationship between I00 , I11 , I10 , and I01 in the following three lemmas.

20

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

Lemma 8. For I00 and I11 , we have



I00 = I11 ,

k e k . e

for even

I00 ∩ I11 = ∅, for odd

Proof. Case 1). For pn ≡ 3 mod 4. From Lemma 6, if pk ≡ 1 mod 4, we have I00 = I11 , k/e is even, and the first equation of the lemma is proved. From the same lemma, if pk ≡ 3 mod 4, we have I00 = −I11 and k/e is odd. To prove the second equation, we want to show that any two elements a and −a cannot belong to I00 . Assume that there are two distinct elements x1 and x2 in E 00 such that D f (x1 ) = − D f (x2 ). Let t 1 = θ −1 (x1 ) and t 2 = θ −1 (x2 ). Then from (7), it is easy to see that either

α(p

−1)t 1

= −α −( p

α(p

k

−1)t 1

= −α ( p

k

−1)t 2

−1)t 2 must hold. But this is a contradiction because −α ±( p −1)t 2 is a nonsquare k in F pn , whereas α ( p −1)t1 is a square in F pn . Therefore, I00 ∩ I11 = I00 ∩ (−I00 ) = ∅ for odd k/e.

or

k

k

k

Case 2). For pn ≡ 1 mod 4. Again, assume that there exist x1 ∈ E 00 and x2 ∈ E 11 such that D f (x1 ) = D f (x2 ). Let t 1 = θ −1 (x1 ) ∈ T2 and t 2 = θ −1 (x2 ) ∈ T2 ∪ {0}. Then, from (7) and (12), we have

(−α )

p k −1 2

α(p

k

−1)t 2

= α(p

k

−1)t 1

k or α −( p −1)t1 .

(20)

For pk ≡ 3 mod 4, (20) cannot be satisfied because the left-hand side of (20) is a nonsquare in F pn , while the right-hand side of (20) is a square in F pn . pk −1

pk −1

For pk ≡ 1 mod 4, (20) implies that either α 2 (2t1 +2t2 +1) = 1 or α 2 (2t2 −2t1 +1) = 1, which further implies that either 2(t 1 + t 2 ) + 1 or 2(t 2 − t 1 ) + 1 must be divisible by 2( pn − 1)/( p e − 1) for odd k/e and ( pn − 1)/( p e − 1) for even k/e. Since 2(t 2 ± t 1 ) + 1 is odd, we can easily see that the above is possible only when k/e is even and n/e is odd and that such t 1 and t 2 can be always found in T2 and T2 ∪ {0}, respectively. Note that n/e is always odd when k/e is even. Hence we conclude that I00 = I11 for even k/e and I00 ∩ I11 = ∅, otherwise. 2 Lemma 9. For I10 and I01 , we have



I10 ∩ I01 = ∅, for odd I10 = I01 ,

k e

and p e ≡ 3 mod 4

otherwise.

Proof. Assume that there exist x1 ∈ E 10 and x2 ∈ E 01 such that D f (x1 ) = D f (x2 ). Let t 1 = θ −1 (x1 ) and t 2 = θ −1 (x2 ). Then, from Lemma 2, we have

δ 2t1 ( p

k

−1 )

+ δ −2t1 ( p

k

−1 )

= δ (2t2 +1)( p

k

−1 )

+ δ −(2t2 +1)( p

k

−1 )

.

(21)

Since δ 2( p +1) = 1, the necessary and sufficient conditions for (21) to hold is n

2(t 2 ± t 1 ) + 1 ≡ 0 mod L

(22)

where L = 2( pn + 1)/ gcd(2( pn + 1), pk − 1). Note that t 1 lies in [1, ( pn − 3)/4] for pn ≡ 3 mod 4 and in [1, ( pn − 1)/4] for pn ≡ 1 mod 4 and t 2 lies in [0, ( pn − 3)/4] for pn ≡ 3 mod 4 and in [0, ( pn − 5)/4] for pn ≡ 1 mod 4. When L becomes even, which occurs only if k/e is odd and p e ≡ 3 mod 4, (22) cannot be satisfied because the left-hand side of (22) is odd. Hence we conclude that I01 ∩ I10 = ∅ in this case. Otherwise, it is not difficult to find t 2 satisfying (22) for each t 1 because L is either ( pn + 1)/2 or n ( p + 1)/( p e + 1) which is odd. Since |I10 | = |I01 | in Lemma 7, the proof is done. 2

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

21

Lemma 10. Let S1 = I00 ∪ I11 and S2 = I01 ∪ I10 . Then we have

 S1 ∩ S2 = Proof. The proof is in Appendix A.

∅,

k e even ke .

for odd

{1}, for

2

Using the previous lemmas, the main theorem can be stated as follows. Note that the differential spectrum of f (x) with  f = k is defined as (ω0 , ω1 , . . . , ωk ), where ωi denotes the number of b ∈ F pn such that N f (1, b) = i. Theorem 2. For an odd prime p, d = ( pk + 1)/2, and e = gcd(n, k), the differential spectrum of the function f (x) = xd in F pn is given as: 1) For an odd k/e: 1-i) For p e ≡ 3 mod 4:

ωi =

⎧ ⎪ 2, ⎪ ⎪ ⎪ ⎪ pn − p e ⎪ ⎪ ⎪ p e −1 , ⎨ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎩

if i = if i =

p e +1 4 p e −1 2

p −1 , 2 n e p n −3 − ppe−−p1 , 2

if i = 1

0,

otherwise.

n

(the corresponding two b’s are ± 1)

if i = 0

1-ii) For p e ≡ 1 mod 4:

ωi =

⎧ ⎪ ⎪ 1, ⎪ ⎪ ⎪ ⎪ ⎪ 1, ⎪ ⎪ ⎪ ⎪ ⎨ pn − p e ,

if i = if i =

p e +3 4 p e −1 4 p e −1 2

(the corresponding b is 1) (the corresponding b is − 1)

if i = p e −1 n ⎪ p − 1 ⎪ ⎪ , if i = 2 ⎪ 4 ⎪ ⎪ n e ⎪ ( p − 1 )( 3p − 7 ) ⎪ ⎪ 4( pe −1) , if i = 0 ⎪ ⎪ ⎩ 0, otherwise.

2) For an even k/e:

⎧ 1, ⎪ ⎪ ⎪ pn − p e ⎪ ⎪ , ⎪ 2 ( p e −1 ) ⎪ ⎨ n e p −p ω i = 2 ( p e +1 ) , ⎪ ⎪ ⎪ pn+e −1 ⎪ ⎪ pn − p 2e −1 , ⎪ ⎪ ⎩ 0,

if i = p e (the corresponding b is 1) if i = p e − 1 if i = p e + 1 if i = 0 otherwise.

Proof. So far, we have derived |Ii j |’s and |Ui j (b)|’s in Lemmas 5–7. From Lemmas 8 and 9, we have seen that I00 and I11 are either disjoint or identical and so be I01 and I10 . Finally, from Lemma 10, we have seen that I00 ∪ I11 and I01 ∪ I10 are either disjoint or almost disjoint. For the proof of this theorem, we have to combine these results.

22

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

Case 1). Combining D f | E 00 and D f | E 11 . For the case when k/e is odd, we have |I00 ∪ I11 | = ( pn + p e − 2)/( p e − 1) because I00 and I11 are disjoint. For any b ∈ (I00 ∪ I11 ) \ {1, −1}, the cardinality of U0 (b), the inverse image in E 00 ∪ E 11 of b, is ( p e − 1)/2. For the elements ±1 ∈ I00 ∪ I11 , we have

    U0 (1), U0 (−1) =



( p 4−5 , e

( p 4−3 , e

p e −1 ), 4 p e −3 ), 4

for p e ≡ 1 mod 4 for p e ≡ 3 mod 4.

For the case when k/e is even, we have |I00 ∪ I11 | = ( pn + p e − 2)/(2( p e − 1)) since I00 and I11 coincide. Also, we have

  U0 (b) =



p e − 1,

if b ∈ (I00 ∪ I11 ) \ {1}

p e −3 , 2

if b = 1.

Case 2). Combining D f | E 10 and D f | E 01 . For the case when k/e is odd, we have |I10 ∪ I01 | = |I10 | = |I01 | = ( pn − 1)/4 for p e ≡ 1 mod 4 and |I10 ∪ I01 | = |I10 | + |I01 | = ( pn − 1)/2 for p e ≡ 3 mod 4. The cardinality of U1 (b), the inverse image in E 10 ∪ E 01 of b ∈ (I10 ∪ I01 ), is

 |U1 (b)| =

2,

for p e ≡ 1 mod 4

1,

for p e ≡ 3 mod 4.

For the case when k/e is even, we have |I10 ∪ I01 | = |I10 | = |I01 | = ( pn + p e + 2)/(2( p e + 1)). Also, we have

  U1 (b) =



p e + 1, p e −1 , 2

if b ∈ (I10 ∪ I01 ) \ {1} if b = 1.

The unified mapping property of D f | E 10 and D f | E 01 is that the cardinality of the inverse image in E 10 ∪ E 01 of each element in (I10 ∪ I01 ) \ {1} is p e + 1 and the cardinality of the inverse image in E 10 ∪ E 01 of the element 1 ∈ I10 ∪ I01 is ( p e − 1)/2. / ( E 00 ∪ E 11 ∪ E 10 ∪ E 01 ), we have to consider the case when x = 0 and x = −1. It Since x = 0, −1 ∈ k is easy to derive that D f (0) = 1 and D f (−1) = (−1)( p +3)/2 . Finally, with Lemma 10, we can combine Case 1) and Case 2). Hence the proof is done. 2 Corollary 1. For an odd prime p and d = ( pk + 1)/2,  f of f (x) = xd in F pn is given as

 f =

p e −1 , 2 e

p + 1,

k e even ke

for odd for

where e = gcd(n, k). Note that the derived differential spectrum in the above theorem is very sparse. The comparison with the existing bound in Theorem 1 and our new result in Corollary 2 is given in Table 2. The bound in Theorem 1 is not tight for some cases of d = ( pk + 1)/2, whereas Theorem 2 provides the exact differential spectrum and  f . There have been few works about the differential spectrum. Especially with odd characteristic, we believe that this is the first work to derive the differential spectrum.

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

23

Table 2 Comparison between the existing bound in Theorem 1 and new result in Corollary 2. p

n

k

Upper bound on  f in [7]

5

3

2

12

6

5

5

2

12

6

5

5

4

24

6

7

3

2

24

8

7

5

2

24

8

7

5

4

48

8

7

7

2

24

8

7

7

4

48

8

7

7

6

24

8

11

3

2

60

12

p n +1

4. Differential spectrum of x pm +1

+p

n −1 2

Explicit  f (new result)

in F pn

Let n be an odd integer, p an odd prime such that p ≡ 3 mod 4, and m a divisor of n, i.e., m|n. Then we consider the power function f (x) = xd with the power d = ( pn + 1)/( pm + 1) + ( pn − 1)/2. Note that only when pm ≡ 3 mod 4, i.e., p ≡ 3 mod 4, and n is odd, there exists no inverse d−1 = ( pm + 1)/2 which has already been dealt with in the previous section. Therefore we restrict p and n to p ≡ 3 mod 4 and odd n in computing  f and the differential spectrum of f (x) = xd in this section. Define the functions h i (x) in F pn , 1  i  4, as

h1 (x) = (x + 1) h2 (x) = (x + 1)

p m +1 2 p m +1 2

h3 (x) = −(x + 1) h4 (x) = −(x + 1) Let λi (b) and

+x −x

p m +1 2 p m +1 2

p m +1 2 p m +1 2

+x −x

p m +1 2 p m +1 2

.

χi (b), 1  i  4, be the number of solutions of h i (x) = b−

p m +1 2

(23)

in E 00 and E 11 , respectively. pn +1

Lemma 11. For f (x) = x pm +1

+p

n −1 2

and b ∈ F∗pn , N f (1, b) is determined as:

1) For b = ±1:

 N f (1, b) =

λ1 (b) + λ2 (b) + λ3 (b) + λ4 (b),

for b ∈ C 0 \ {1}

χ1 (b) + χ2 (b) + χ3 (b) + χ4 (b), for b ∈ C 1 \ {−1}.

2) For b = ±1:

 N f (1, b) =

λ1 (b) + λ2 (b) + λ3 (b) + λ4 (b) + 1,

for b = 1

χ1 (b) + χ2 (b) + χ3 (b) + χ4 (b) + 1, for b = −1.

24

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

Proof. Consider the cases when x ∈ F∗pn \ {−1}. Since gcd( pm + 1, pn − 1) = 2, any element x ∈ E 00 can

m m be expressed as x = ν p +1 and x + 1 = ψ p +1 for some then we have

p n +1

( x + 1) p m +1

+p

n −1 2

p n +1

− x p m +1

+p

ν and ψ . If this x is a solution to D f (x) = b,

n −1 2

= ψ 2 − ν 2 = b.

(24)

By setting y = b−1 ν 2 , we have y + 1 = b−1 ψ 2 and thus y becomes the solution to

h 2 ( y ) = ( y + 1)

p m +1 2

−y

p m +1 2

= b−

p m +1 2

(25)

.

Since the transformation x to y is one-to-one, each solution x ∈ E 00 to D f (x) = b corresponds to either a solution y ∈ E 00 to (25) for b ∈ C 0 or a solution y ∈ E 11 to (25) for b ∈ C 1 . m m Similarly, if x ∈ E 11 is a solution to D f (x) = b, then by letting x + 1 = −ψ p +1 and x = −ν p +1 , we have (24). Again by setting y = b−1 ν 2 , we have y + 1 = b−1 ψ 2 . Thus y is a solution to

h3 ( y ) = −( y + 1)

p m +1 2

+y

p m +1 2

= b−

p m +1 2

.

(26)

Since the transformation x to y is one-to-one, each solution x ∈ E 11 to D f (x) = b corresponds to either a solution y ∈ E 00 to (26) for b ∈ C 0 , or a solution y ∈ E 11 to (26) for b ∈ C 1 . m m Similarly, if x ∈ E 10 is a solution to D f (x) = b, then by letting x + 1 = ψ p +1 and x = −ν p +1 , we have (24). Again by setting y = b−1 ν 2 , we have y + 1 = b−1 ψ 2 . Thus y is a solution to

h 1 ( y ) = ( y + 1)

p m +1 2

+y

p m +1 2

= b−

p m +1 2

(27)

.

Since the transformation x to y is one-to-one, each solution x ∈ E 11 to D f (x) = b corresponds to either a solution y ∈ E 00 to (27) for b ∈ C 0 or a solution y ∈ E 11 to (27) for b ∈ C 1 . m m Similarly, if x ∈ E 01 is a solution to D f (x) = b, then by letting x + 1 = −ψ p +1 and x = ν p +1 , we have (24). Again by setting y = b−1 ν 2 , we have y + 1 = b−1 ψ 2 . Thus y is a solution to

h4 ( y ) = −( y + 1)

p m +1 2

−y

p m +1 2

= b−

p m +1 2

.

(28)

Since the transformation x to y is one-to-one, each solution x ∈ E 11 to D f (x) = b corresponds to either a solution y ∈ E 00 to (28) for b ∈ C 0 or a solution y ∈ E 11 to (28) for b ∈ C 1 . Since D f (0) = 1 and D f (−1) = −1, we have completed the proof. 2 Using the above lemma, the differential spectrum of f (x) can be derived as follows. Theorem 3. For an odd prime p such that p ≡ 3 mod 4, odd n with m|n, and d = ( pn + 1)/( pm + 1) + ( pn − 1)/2, the differential spectrum of f (x) = xd in F pn is given as

ωi =

⎧ ⎪ ⎪ ⎪ 2, ⎪ ⎪ n m ⎪ ⎪ ppm−−p1 , ⎪ ⎨ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎩

p n −1 2



if i = if i = pn − pm , p m −1

p m +1 4 p m +1 2

if i = 1

p n −3 , 2

if i = 0

0,

otherwise.

(the corresponding two b’s are ± 1)

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

Proof. From Lemma 11, in order to determine N f (1, b), we should calculate

4

25

4

i =1 λi (b )

and

i =1 χi (b ) for b ∈ C 0 and b ∈ C 1 , respectively. From Lemma 2, h 1 (x) and h 2 (x) on E 00 can be represented as

h1 (x)| E 00 = h2 (x)| E 00 =

αt ( p

m

+1 )

+ α −t ( p

m

+1 )

m

−1 )

2

α

t ( p m −1 )

+ α −t ( p

(29)

2

where x = (α t − α −t )2 /4 and t varies over T1 . Similarly, h1 (x) and h2 (x) on E 11 can be represented as

h1 (x)| E 11 =

αt ( p

m

+1 )

+ α −t ( p

m

+1 )

2

h2 (x)| E 11 = −

αt ( p

m

−1 )

+ α −t ( p

m

−1 )

(30)

2

where x = −(α t + α −t )2 /4 and t varies over T1 . Note that h1 (x) = −h4 (x) and h2 (x) = −h3 (x). Since gcd(( pm + 1)/2, pn − 1) = 2, b−

pm +1 2

pm +1

in (23) varies over C 0 twice, while b varies over F∗pn .

Note that b = ±λ give the same b− 2 and one of ±λ is a square in F pn and the other is a nonsquare in F pn . Hence, in order to determine N f (1, b) for b ∈ F∗pn , we need to derive the mapping property of h i (x) = c, 1  i  4, where c is a square in F pn , for x ∈ E 00 and x ∈ E 11 , respectively. Then, using Lemma 11, the differential spectrum of f (x) can be determined. Define the sets as

   Hi jl = h i (x)  x ∈ E jl . For b ∈ C 0 , we should consider the mapping property of h i (x) = c on E 00 , where c is a square in F pn . Assume that there exist x1 , x2 ∈ E 00 such that h1 (x1 ) = h1 (x2 ) for x1 = x2 . Let t 1 = θ −1 (x1 ) and t 2 = θ −1 (x2 ). Then, from (29), it is easy to derive that ( pm + 1)t 1 ≡ ±( pm + 1)t 2 mod pn − 1. Since ( pm + 1, pn − 1) = 2, we have t 1 ± t 2 ≡ 0 mod ( pn − 1)/2, which cannot be satisfied because 1  t 1 , t 2  ( pn − 3)/4. Hence we conclude that h1 (x)| E 00 is injective on E 00 , that is, |H100 | = | E 00 | = ( pn − 3)/4. Consider the mapping h2 (x)| E 00 , which has the same form as (7). Therefore we can use the result when pn ≡ 3 mod 4 in Lemma 5 and thus we have |H200 | = ( pn + pm − 2)/(2( pm − 1)). The cardinality of the inverse image in E 00 of any element in H200 \ {1} is ( pm − 1)/2 and the cardinality of the inverse image in E 00 of 1 ∈ H200 is ( pm − 3)/4. Now, consider the relationship of the elements in H100 and H200 . Assume that there exist x1 , x2 ∈ E 00 such that h1 (x1 ) = h2 (x2 ). Let t 1 = θ −1 (x1 ) and t 2 = θ −1 (x2 ). Then, from (29), we have ( pm + 1)t 1 ≡ ±( pm − 1)t 2 mod pn − 1, which can be rewritten as

pm + 1 2

t1 ≡ ±

pm − 1 2

t 2 mod

pn − 1 2

.

(31)

Since gcd(( pm + 1)/2, ( pn − 1)/2) = 1, ( pm + 1)/2 has an inverse modulo ( pn − 1)/2. Hence for any t 2 ∈ T1 which is not divisible by ( pn − 1)/( pm − 1), there exists t 1 ∈ T1 satisfying (31). Since t 2 which is divided by ( pn − 1)/( pm − 1) gives h2 (x) = 1, we conclude that 1 ∈ H200 and H100 ⊃ (H200 \ {1}). Since h4 (x) = −h1 (x) and h3 (x) = −h2 (x), h4 (x)| E 00 has the same mapping property with h1 (x)| E 00 , and h3 (x)| E 00 has the same mapping property with h2 (x)| E 00 . Furthermore, it is easy to check that H400 = −H100 , H300 = −H200 , and H400 ⊃ (H300 \ {−1}).

26

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

Table 3 Related PN and APN functions in f (x) = xd . Researcher

p, n, and k

d

Class

Coulter [6]

p = 3 and k is odd

d = (3k + 1)/2, where gcd(n.k) = 1

PN

Helleseth [7]

p=5

d = (5k + 1)/2, where gcd(2n, k) = 1

APN

Helleseth [7]

p = 3 and n is odd

d = ( pn + 1)/4 + ( pn − 1)/2

APN

pn > 7

It should also be checked that H100 cannot include both y and − y. Assume that there exist x1 , x2 ∈ E 00 such that h1 (x1 ) = −h1 (x2 ). From (29), we have ( pm + 1)t 1 ≡ ±( pm + 1)t 2 + ( pn − 1)/2 mod pn − 1, which can be rewritten as





pm + 1 (t 1 ± t 2 ) ≡

pn − 1 2

mod pn − 1.

(32)

Since gcd( pm + 1, pn − 1) = 2 does not divide ( pn − 1)/2, (32) cannot be satisfied. Hence we conclude that there exist no x1 , x2 ∈ E 00 such that h1 (x1 ) = −h1 (x2 ). Consequently, we conclude that H100 ∩ H400 = ∅. So far, we have investigated the mapping property of h i (x)| E 00 and the relationship among the elements in Hi00 , 1  i  4. Now, we will calculate that N f (1, b) = λ1 (b)+λ2 (b)+λ3 (b)+λ4 (b) for square b ∈ F∗pn , which is the

sum of the cardinalities of the inverse images in E 00 of the square element in F pn , b−( p +1)/2 in (23). Note that there are ( pn − 3)/4 squares in H100 ∪ H400 because H100 ∩ H400 = ∅ and H100 = −H400 . Since H100 ⊃ (H200 \ {1}), H400 ⊃ (H300 \ {−1}), and H200 = −H300 , there are ( pn − pm )/(2( pm − 1)) squares in (H200 \ {1}) ∪ H300 , which are also included in H100 ∪ H400 . We can regard each square m in H100 ∪ H200 ∪ H300 ∪ H400 as b−( p +1)/2 in (23). From Lemma 11, it is easy to check that for each square c in (H200 \ {1}) ∪ H300 , N f (1, δ) = ( pm + 1)/2 and for each square c in (H100 ∪ H400 ) \ m

(H200 ∪ H300 ), N f (1, δ) = 1, where δ is a square in F pn such that δ −( p +1)/2 = c. For b = 1, from Lemma 11, N f (1, b) = ( pm − 3)/4 + 1 = ( pm + 1)/4. Let ni denote the number of b ∈ F pn , which are squares in F pn , such that N f (1, b) = i. Then, n( pm +1)/2 = ( pn − pm )/(2( pm − 1)), n( pm +1)/4 = 1, n1 = ( pn − 3)/4 − ( pn − pm )/(2( pm − 1)), and n0 = ( pn − 1)/2 − n( pm +1)/2 − n1 . Consider the case when b ∈ C 1 . From (29) and (30), note that h1 (x)| E 00 = h1 (x)| E 11 , h4 (x)| E 00 = h4 (x)| E 11 , h2 (x)| E 00 = h3 (x)| E 11 , and h3 (x)| E 00 = h2 (x)| E 11 . Since t varies over T1 for both x ∈ E 00 and x ∈ E 11 , they have the same mapping property, which means that for b ∈ C 1 , the distribution of N f (1, b) is the same as the case when b ∈ C 0 . Taking that N f (1, b) = 1 when b = 0 into account, it is derived that ω( pm +1)/2 = 2n( pm +1)/2 = ( pn − pm )/( pm − 1), ω( pm +1)/4 = 2n( pm +1)/4 = 2, ω1 = 2n1 + 1 = ( pn − 1)/2 − ( pn − pm )/( pm − 1), and ω0 = pn − ω( pm +1)/2 − ω( pm +1)/4 − ω1 . 2 m

Corollary 2. For an odd prime p such that p ≡ 3 mod 4, odd n, m|n, and d = ( pn + 1)/( pm + 1) + ( pn − 1)/2,  f of the function f (x) = xd in F pn is given as  f = ( pm + 1)/2. From Sections 3 and 4, we can explain the previously known PN and APN functions as in Table 3. Moreover new power functions which are differential 4-uniform and 6-uniform are also introduced in the following corollaries. Corollary 3. Let d = ( pn + 1)/8 + ( pn − 1)/2. Then xd defined on F pn is differentially 4-uniform for p = 7 and odd n. Corollary 4. Let d = ( pn + 1)/12 + ( pn − 1)/2. Then xd defined on F pn is differentially 6-uniform for p = 11 and odd n.

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

27

5. Conclusion pn +1

pk +1

+p

n −1

2 In this paper, the differential spectrum of the two power functions x 2 and x pm +1 in F pn are derived. The result can be used to determine  f of the two power functions. We believe that it is the first result to compute the differential spectrum of power functions in odd prime characteristic. Some existing PN and APN functions are explained from our results. Two new power functions in F pn which are differentially 4-uniform and 6-uniform are also found.

Appendix A Proof of Lemma 10. Case 1). Relationship between I00 and I10 . Note that g = gcd(2n, k). Assume that there exist x1 ∈ E 00 and x2 ∈ E 10 such that D f (x1 ) = D f (x2 ). Let t 1 = θ −1 (x1 ) and t 2 = θ −1 (x2 ). From Lemma 3, we have k

−1)t 1

n

−1)/2 , (33) is satisfied if and only if

α(p Since

α = βp

n

+1 and

δ = β (p



+ α −( p



k

−1)t 1

= δ 2( p





pn + 1 t 1 ± pn − 1 t 2

k

−1)t 2

+ δ −2 ( p



k

−1)t 2

(33)

.





pk − 1 ≡ 0 mod p 2n − 1 .

(34)

Then (34) can be rewritten as









pn + 1 t 1 ± pn − 1 t 2 ≡ 0 mod

p 2n − 1

(35)

pg − 1

where gcd( pk − 1, p 2n − 1) = p g − 1. Note that

 gcd

p 2n − 1 pg

−1



 n

,p +1 =

p n + 1,

if g = e

p n +1 , p e +1

if g = 2e .

(36)

Consider the case when g = e, i.e., k/e is odd. For the solvability of (34), ±( pn − 1)t 2 should be divided by pn + 1. Since gcd( pn + 1, pn − 1) = 2, t 2 should be divided by ( pn + 1)/2. Since t 2 varies over [1, ( pn − 3)/4] for pn ≡ 3 mod 4 and [1, ( pn − 1)/4] for pn ≡ 1 mod 4, t 2 cannot be divided by ( pn + 1)/2. Hence we conclude that I00 ∩ I10 = ∅ for odd k/e. Next, consider the case when g = 2e, i.e., k/e is even. From (35), ( pn + 1)t 1 should be divided by gcd( pn − 1, ( p 2n − 1)/( p 2e − 1)) = ( pn − 1)/( p e − 1). Since gcd(( pn − 1)/( p e − 1), pn + 1) = 1, t 1 should be divided by ( pn − 1)/( p e − 1), which means that I00 ∩ I10 = {1} for even k/e. Case 2). Relationship between I11 and I10 . For the case when pn ≡ 3 mod 4 and pk ≡ 1 mod 4, we already proved that I00 = I11 . Since g = 2e, i.e., k/e is even, in the case, we conclude that I11 ∩ I10 = {1} for even k/e. Consider the case when pn ≡ 3 mod 4 and pk ≡ 3 mod 4. Note that g = e, i.e., k/e is odd in the case. We can prove this case similar to Case 1). Assume that there exist x1 ∈ E 11 and x2 ∈ E 10 such that D f (x1 ) = D f (x2 ). Let t 1 = θ −1 (x1 ) and t 2 = θ −1 (x2 ). From Lemma 3, we have



pk − 1









pn + 1 t 1 ± pn − 1 t 2 ≡

p 2n − 1 2





mod p 2n − 1 .

(37)

Then (37) can be rewritten as









pn + 1 t 1 ± pn − 1 t 2 ≡

p 2n − 1 2( p e

− 1)

mod

p 2n − 1 pe − 1

(38)

28

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

where gcd( pk − 1, ( p 2n − 1)/2) = p e − 1. For the solvability of (38), ±( pn − 1)t 2 should be divided by ( pn + 1)/2. Since gcd(( pn + 1)/2, pn − 1) = 2, t 2 should be divided by ( pn + 1)/4. Since t 2 varies over [1, ( pn − 3)/4] for pn ≡ 3 mod 4, t 2 cannot be divided by ( pn + 1)/4. Hence we conclude that I00 ∩ I10 = ∅ for odd k/e. Next, consider the case when pn ≡ 1 mod 4 and pk ≡ 1 mod 4. Assume that there exist x1 ∈ E 11 and x2 ∈ E 10 such that D f (x1 ) = D f (x2 ). From Lemma 3 and by setting γ = −α , we have



pk − 1









pk − 1

pn + 1 t 1 ± pn − 1 t 2 ≡ −

2







pn + 1 mod p 2n − 1 .

(39)

Note that g can be equal to either e or 2e in this case. For the case when g = e, i.e., k/e is odd, (39) can be rewritten as

pk − 1  pe − 1







pn + 1 t 1 ± pn − 1 t 2 ≡ −

pn + 1 2

·

pk − 1 pe − 1

mod

p 2n − 1 pe − 1

.

(40)

From (40), ( pn − 1)t 2 should be divided by ( pn + 1)/2. Since gcd( pn − 1, ( pn + 1)/2) = 1, t 2 should be divided by ( pn + 1)/2. Note that t 2 varies over [1, ( pn − 1)/4]. We conclude that I11 ∩ I10 = ∅ for odd k/e. For the case when g = 2e, i.e., k/e is even, (39) can be rewritten as

pk − 1  pg

−1







pn + 1 t 1 ± pn − 1 t 2 ≡ −

pn + 1 2

·

pk − 1 pg

−1

mod

p 2n − 1 pg − 1

.

(41)

From gcd(( p 2n − 1)/( p g − 1), ( pn + 1)/2) = ( pn + 1)/( p e + 1) and (41), ( pn − 1)t 2 should be divided by ( pn + 1)/( p e + 1). Since gcd( pn − 1, ( pn + 1)/( p e + 1)) = 1, t 2 should be divided by ( pn + 1)/( p e + 1). From Lemma 4, we have p e + 1| pk − 1. Hence t 2 which is divided by ( pn + 1)/( p e + 1) gives D f (x) = 1, which means that I11 ∩ I10 = {1} for even k/e. The case when pn ≡ 1 mod 4 and pk ≡ 3 mod 4 can be proved similarly. Case 3). Relationship between I00 and I01 . We already proved that I10 ∩ I01 = ∅ for p e ≡ 3 mod 4 and odd k/e and I10 = I01 , otherwise. Hence we only need to consider the case when p e ≡ 3 mod 4 and odd k/e in Case 3) and Case 4). Note that pk ≡ 3 mod 4 in this case. First, consider the relationship between I00 and I01 . Assume that there exist x1 ∈ E 00 and x2 ∈ E 01 such that D f (x1 ) = D f (x2 ). Let t 1 = θ −1 (x1 ) and t 2 = θ −1 (x2 ). Again, we have



pk − 1







pn + 1 t 1 ±

pn − 1 2

+ pn − 1 t 2



≡ 0 mod p 2n − 1 ,

(42)

which can be rewritten as



pk − 1 pe − 1

n





p + 1 t1 ±

pn − 1 2



n



+ p − 1 t2

 ≡ 0 mod

p 2n − 1 pe − 1

.

(43)

For the solvability of (43), ( pn − 1)/2 ± ( pn − 1)t 2 should be divided by pn + 1, which is given as

pn − 1 2

(1 ± 2t 2 ) ≡ 0 mod pn + 1 .

(44)

For pn ≡ 3 mod 4, the left-hand side is odd, while the right-hand side is even, which is a contradiction. For pn ≡ 1 mod 4, since gcd(( pn − 1)/2, pn + 1) = 2, 1 ± 2t 2 should be divided by ( pn + 1)/2.

S.-T. Choi et al. / Finite Fields and Their Applications 21 (2013) 11–29

29

Assume that 1 + 2t 2 = ( pn + 1)/2. Then t 2 should be ( pn − 1)/4. However, since t 2 varies over [0, ( pn − 5)/4], it is impossible. Therefore, we conclude that I00 ∩ I01 = ∅. Case 4). Relationship between I11 , and I01 . Next, consider the relationship between I11 and I01 . Assume that there exist x1 ∈ E 11 and x2 ∈ E 01 such that D f (x1 ) = D f (x2 ). For the case when pn ≡ 3 mod 4, by setting γ = −1, we have



k

p −1







n

p + 1 t1 ±

pn − 1 2



n





+ p − 1 t2



p 2n − 1 2





mod p 2n − 1 ,

(45)

which can be rewritten as



pk − 1 pe

−1



pn + 1 t 1 ±



pn − 1 2

+ pn − 1 t 2

 ≡

pn + 1 2

·

pn − 1 pe

−1

mod

p 2n − 1 pe − 1

.

(46)

For the solvability of (46), ( pn − 1)(1 ± 2( pn − 1)t 2 )/2 should be divided by ( pn + 1)/2. Since gcd(( pn − 1)/2, ( pn + 1)/2) = 1, 1 ± 2( pn − 1)t 2 should be divided by ( pn + 1)/2. Since ( pn + 1)/2 is even and 1 ± 2( pn − 1)t 2 is odd, it is a contradiction. Hence we conclude that I00 ∩ I01 = ∅. For the case when pn ≡ 1 mod 4, ( pn − 1)/2(1 ± 2t 2 ) should be divided by ( pn + 1)/2. Hence 1 ± 2t 2 should be divided by ( pn + 1)/2. Assume that 1 + 2t 2 is divided by ( pn + 1)/2. Then t 2 should be equal to ( pn − 1)/4, which is a contradiction because t 2  ( pn − 5)/4. Therefore, I00 ∩ I01 = ∅. 2 References [1] L.E. Dickson, Linear Groups with an Exposition of the Galois Field Theory, Dover Publications, New York, 1958. [2] K. Nyberg, Differentially uniform mappings for cryptography, in: Advances in Cryptography—EUROCRYPTO’93, in: Lecture Notes in Comput. Sci., vol. 765, Springer-Verlag, New York, 1994, pp. 55–64. [3] C. Blondeau, A. Canteaut, P. Charpin, Differential properties of power functions, Int. J. Inf. Coding Theory 1 (2) (2010) 149–170. [4] C. Blondeau, A. Canteaut, P. Charpin, Differential properties of power functions, in: Proc. IEEE Int. Symp. Inf. Theory (ISIT 2010), Austin, Texas, Jun. 2010, pp. 2478–2482. t [5] C. Blondeau, A. Canteaut, P. Charpin, Differential properties of x → x2 −1 , IEEE Trans. Inform. Theory 57 (12) (2011) 8127– 8137. [6] R.S. Coulter, R.W. Matthews, Planar functions and planes of Lenz–Barlotti class, II, Des. Codes Cryptogr. 10 (2) (1997) 167– 184. [7] T. Helleseth, C. Rong, D. Sandberg, New families of almost perfect nonlinear power mapping, IEEE Trans. Inform. Theory 45 (2) (1999) 475–485. [8] H. Dobbertin, D. Mills, E.N. Muller, A.P. Willems, APN functions in odd characteristic, Discrete Math. 267 (2003) 95–112. [9] T. Helleseth, D. Sandberg, Some power mappings with low differential uniformity, Appl. Algebra Engrg. Comm. Comput. 8 (1997) 363–370. [10] Z. Zha, X. Wang, Power functions with low uniformity on odd characteristic finite fields, Sci. China Math. 53 (8) (2010) 1931–1940. [11] Z. Zha, X. Wang, Almost perfect nonlinear power functions in odd characteristic, IEEE Trans. Inform. Theory 57 (7) (2011) 4826–4832. [12] G.J. Ness, T. Helleseth, A new family of ternary almost perfect nonlinear mappings, IEEE Trans. Inform. Theory 53 (7) (2007) 2581–2586. [13] H. Dobbertin, Almost perfect nonlinear power functions on GF (2n ): The Welch case, IEEE Trans. Inform. Theory 45 (4) (1999) 1271–1275. [14] T.P. Berger, A. Canteaut, P. Charpin, Y. Laigle-Chapuy, On almost perfect nonlinear functions over F 2n , IEEE Trans. Inform. Theory 52 (9) (2006) 4160–4170. [15] Y. Edel, G. Kyureghyan, A. Pott, A new APN functions which is not equivalent to a power mapping, IEEE Trans. Inform. Theory 52 (2) (2006) 744–747. [16] C. Bracken, G. Leander, A highly nonlinear differentially 4 uniform power mapping that permutes fields of even degree, Finite Fields Appl. 16 (4) (2010) 231–242. [17] T. Storer, Cyclotomy and Difference Sets, Lect. Adv. Math., Markham, Chicago, IL, 1967. [18] S.E. Payne, Greatest common divisors of am ± 1 and an ± 1, http://math.ucdenver.edu/~spayne/classnotes/rgcd.ps.