Information Technology Reference
In-Depth Information
The randomness criteria demands to use permutation S-boxes in the design
of block ciphers. At the same time, the S-boxes on even number of variables
are being preferred in the design of some block ciphers for the reason of easy
implementation and hardware friendliness of even variable S-box. Unfortunately,
there is no evidence of existence of permutation APN S-box on even number of
variables. Further, the power functions are being preferred in the design of block
ciphers for the reason of fast implementation of S-boxes. For an example, the
most popular block cipher AES uses inverse function (
X
−
1
=
X
2
m
−
2
)as under-
lying S-box. However, the power APN functions on even number of variables are
of the form
X
3
d
[1]. The APN S-boxes on even number of variables of the form
X
3
d
are 3-to-1 functions (i.e, each nonzero element has either 3 or 0 pre-images
and zero maps to zero). For an instance, the function
X
3
is 3-to-1 function and
APN when
m
is even. Therefore, 3-to-1 functions on even number of variables
have an important role in the study of APN S-boxes. In Section 3 we have stud-
ied on a special type of 3-to-1 functions which is named as S3-to-1 functions.
The Power APN functions and the function
X
3
+
tr
(
X
9
) falls in this category.
Then we have studied for some more results on the APN property of this class
of functions.
Since the power functions are being used as underlying S-boxes in many pop-
ular block ciphers, the identification of APN power functions is an important
topic in the study of design of block ciphers. The complete identification of APN
power functions is an exciting open problem. In Section 4, we present a necessary
condition for a power function to be APN. Using the necessary condition we can
filter out some non-APN power functions. The necessary condition shows that
if
m
is multiple of small primes, one can filter out many power non-APN func-
tions. In the following section we present some preliminary information which is
required for our results.
2 Preliminary
In this paper, we always consider the S-boxes are of the form
F
:
V
m
→
V
m
.The
derivative of
F
with respect to
a
∈
V
m
is defined as follows.
Definition 1.
Let
F
:
V
m
→
V
m
be a S-box. The derivative of
F
with respect to
a
∈
V
m
is the function
D
a
F
:
V
m
→
V
m
is defined as
D
a
F
(
x
)=
F
(
x
)+
F
(
x
+
a
)
,
∀
x
∈
V
m
.
δ
is an integer valued function from
V
m
×
V
m
is defined as
δ
(
a, b
)=
|{
x
∈
V
m
,D
a
F
(
x
)=
b
}|
for
a, b
∈
V
m
.
Abusing the notation
δ
, we define
δ
(
F
)=
max
δ
(
a, b
)
.
a
=0
,b
∈
V
m
