3

The Gold APN is defined as $F(x)=x^{2^{k}+1}$ in $GF(2^n)$, where $\gcd(k,n)=1$. The differential uniformity computed using $F(x)=F(x+a)=b$ as following:

$$x^{2^{k}+1} + (x+a)^{2^{k}+1}=b$$

$$x^{2^{k}+1} + (x+a)^{2^{k}}(x+a)=b$$

$$x^{2^{k}+1} + (x^{2^k}+a^{2^k})(x+a)=b$$

$$x^{2^{k}+1} + x^{2^{k}+1} +x^{2^k}a +a^{2^k}x +a^{2^{k}+1} =b$$

$$x^{2^k}a +a^{2^k}x =b +a^{2^{k}+1}.$$

Dividing both sides by $a^{2^k+1}$:

$$x^{2^k}(a^{-1})^{2^k}+xa^{-1}=b(a^{2^k+1})^{-1}+1.$$

From this point onward, I got stuck to prove that the Gold APN has two solutions using trace functions.

If solution exists

$$\operatorname{tr}(x^{2^k}(a^{-1})^{2^k}+xa^{-1})=0=\operatorname{tr}(b(a^{2^k+1})^{-1}+1)$$

Q1: How to apply the trace function to find the roots of the differential uniformity function?

M. A.
  • 1,774
hardyrama
  • 217
  • 1
    Please modify your question specifying where and how the trace comes in, it's incomplete as it stands. – kodlu Jan 15 '19 at 00:11
  • 2
    $g(x) = x^{2^k}$ is a $GF(2)$-linear map so $F(x+a) = (x+a)g(x+a) = (x+a)(g(x)+g(a))$ and $F(x)+F(x+a) = ag(x)+ag(a) $ which is an affine map in $x$ – reuns Jan 15 '19 at 03:21

1 Answers1

1

I know this answer may be 5 years too late, but I am posting this here for anyone who comes across this post with a similar question.

You need not use the (absolute) trace function to prove that the Gold function is differentially 2-uniform (i.e. almost perfect nonlinear (APN)). Here is a proof from Carlet's book Boolean Functions for Cryptography and Coding Theory.

We want to bound by above the of solutions $x \in \mathbb{F}_{2^n}$ to $$ D_aF(x)=(x+a)^{2^k+1} + x^{2^k+1} =b. $$ Notice that it suffices to consider when $D_1F(x)=b$ as $D_aF(x) = a^{2^k+1} D_1F(xa^{-1})$. Moreover $D_1F(x) = b = D_1F(y)$ is equivalent to $(x+y)^{2^k} = x+y$ and this implies $x+y\in \{0,1\}$ as $\gcd(k,n)=1$. Thus, we know the equation above has at most $2$ solutions, and so $x^{2^k+1}$ is APN. (Note that it is impossible for the equation to have only one solution as if $x$ is a a solution, then so is $x+a$).

Alternative sources for proofs that the Gold function is APN are:

  1. Nyberg (1994). The theorem here is more general, proving that $x^{2^k+1}$ is a differentially $2^s$-uniform map where $s=\gcd(k,n)$.
  2. Gold (1968). This paper came before the language of APN functions. In short, Gold proved that $x^{2^k+1}$ is an almost bent (AB) function. Since AB functions are a subclass of APN functions (see this paper for instance), we immediately know that $x^{2^k+1}$ is differentially 2-uniform.
Darrion
  • 46