arXiv:2008.08398v2 [cs.IT] 7 Mar 2021 Abstract fteppri eoe opoigta hr sn permutatio no is there form that the proving majo to of The devoted it. polynomial is to paper This equivalent the affine it. of to already We CCZ-equivalent is Villa. to is function that and EA-equivalent inverse permutation Calderini every already that Budaghyan, prove by is also conjecture function a inverse confirms the to s sa -o nbokcpeslk E.I hsppr we paper, this In AES. like ciphers widesprea block if its in that, to S-box show due an cryptography as in use functions studied most efc olna AN on uniformity (APN) differential nonlinear perfect with function A ento 1. Definition block uniformity. differential Bo of low vectorial design have a blocks should attacks, the function differential building in resist To as role [4]. ciphers cryptosystems big a symmetric play of functions Boolean Vectorial polynomials. permutation S-boxes, Terms equivalence, from tools Index and forms quadratic combinatorics. additive sums, Kloosterman combine where tefsc that such itself uniformity permutations (EA-equivalent) equivalent affine extended in.Tems ieyue oin feuvlneare equivalence of notions used func- widely Boolean equivalence vectorial affine most define of The which set transformations, the tions. on certain prop- relations by APN equivalence the preserved particular is in erty and attacks. uniformity differential differential against The function resistance APN best even, the always yield is uniformity differential the As qiaetadi spsil ochoose to possible is it and equivalent Moreover, F ento 2. Definition equivalence nafie ietv mapping bijective affine, an Germany. 1 ua ¨lc swt eateto ahmtc,Universit Mathematics, of Department with K¨olsch is Lukas and L d Teivrefunction inverse —The Email 1 nCZeuvlneo h nes function inverse the of CCZ-equivalence On max = F L , 2 F d a . 2 if , 1 ∈ A [email protected] : r called are Ivrefnto,CZeuvlne EA- CCZ-equivalence, function, —Inverse A n F r ozr ierfntos ntepof we proof, the In functions. linear nonzero are w functions Two and 1 function A 2 ∗ 1 ( n ≥ A , F ,b 1 , ∈ F ( 5 2 F A xeddafieequivalence affine extended vr ucinta sCCZ-equivalent is that function every , .I I. 2 2 n nafiemapping affine an and n 2 r called are ( |{ L x NTRODUCTION fn equivalent affine 1 x ) + ))) ( F : x F F − A : F 2 1 ( x F n 1 + ) A x on F , . 2 7→ + ) 3 n CCZ-equivalent ( 2 L F x x → : 2 2 = ) F − n ( F x 1 ( 2 × A x ) F n on F 2 3 2 over + F → n 2 0 = fteeaeaffine are there if 2 ( F scle almost called is fte r EA- are they if a n x A 2 a differential has = ) F n ) htmp the maps that 3 F . 2 nEq. in n soeo the of one is 2 from n b fRostock, of y and r called are fteeis there if }| if . n ua K¨olsch Lukas F (1) CCZ- olean 2 ≥ n rity the (1) . to 5 n d s , in Aeuvln oavcoilBoenfunction Boolean by vectorial similarly a the to EA-equivalent by tions fo denote tool powerful us a functions. Let is cryptological it studying since and years exten- constructing past been the has in CCZ-equivalence studied sively of concept the Especially hshpesfreapentrlyfrivltoslk the like involutions EA-class, for same naturally the function example in inverse for are inverse happens possibl its functions this is and Gold it permutation Additionally, for a 1]. case Theorem that [3, the dimension example one odd in for in EA-classes is two than this more have CCZ-class, to possible is it course, F t C ls fe ossso precisely of consists often class CCZ its lse.Eprmna eut hwta o ayfunctions many EA- for into that CCZ-class show F results a Experimental partition classes. can we CCZ-equivalence, to equivalent ls if class eeal eivdt ecmlt.W att oethat, its case is dimension, this note even in table to in is APN The want uniformity not We I. differential is function complete. Table inverse all the be in while of to given list believed is a generally families monomials, APN infinite the are known under for studied invariant case well is the notions. Particularly set general not more image generally two the is other EA-equivalence. of which for size equivalence, case the affine the that not also compo- is its Note to which CCZ-equivalent inverse, always of sitional is example concepts function for bijective the differ, a do general, equivalence In EA and CCZ-equivalent. CCZ-equivalence func- also ar EA-equivalent equivalent are two affine tions are Furthermore, that EA-equivalent. functions two also that obvious is It h rp of graph the rp of graph rtn hsppri l vndmnin agrthan of larger as dimensions even known all bijection in paper a this for writing uniformity differential known Dobbertin : and Kasami Inverse AL :Ls fkonANepnnsover exponents APN known of List I: TABLE Welch F Niho Gold 2 n F F → − F 1 sntapruain If permutation. a not is 1 F en ersnaie o h w Acass Of EA-classes. two the for representatives being eoe by denoted , 2 CCZ-class 2 F 4 F n r 2 ic Aeuvlnei pca aeof case special a is EA-equivalence Since . . 2 + h C-ls of CCZ-class the x 2 t 2 2 7→ 2 3 − t Exponent r r − 2 2 2 2 − 2 + x n r t 3 2 2 3 + 1 + EA-class − t 2 2 2 n t +1 of r 2 − r 2 G − 1 + 2 2 + − F F 1 1 over 1 r h e falfntosCCZ- functions all of set the = − of { 1 F F ( F 2 ,F x, F n F onie ihisEA- its with coincides 2 n . 4 n sapruain then permutation, a is n hc stelowest the is which , 2 = gcd( gcd( 1 h e falfunc- all of set the 2 = pt CCZ-equivalence. to up n ( Conditions 2 x n 2 = t n t )): Acass with EA-classes, ,n r, n r, 1 + 1 + 5 = odd t 1 = ) 1 = ) x 1 + , , r t t ∈ even odd F F 2 6 n . and , } [11] [23] [10] [17] [12] to , [9] e e 1 r 2

Since CCZ-equivalence is a much more difficult concept permutations with good cryptographic properties is to look than EA-equivalence, it is desirable to understand when the for a permutation in the CCZ-class of a non-permutation CCZ-class of F can be described entirely by combining EA- with good cryptographic properties, since CCZ-equivalence equivalence and the inverse transformation (in the case that preserves many important properties. This is precisely the F is invertible). This is a problem that is open even for technique that was used to find the only known APN per- most of the APN monomials in Table I. As noted earlier, mutation in even dimension [1]. Thus it is a very interesting the CCZ-class of Gold functions in odd dimension contains question to classify all permutations that are in the CCZ- more than 2 EA-classes and thus cannot be described with class of an APN function. Treating this problem for infinite EA-equivalence and the inverse transformation alone. For families is however very difficult. To the authors knowledge, all other monomials, this question is still open. Budaghyan, the only result in this direction is found in a recent paper [14], Calderini and Villa conjectured the following based on a where it was shown that there is no permutation in the CCZ- computer search for small values of n: class of the APN Gold functions over F2n with n even and that there is no permutation in the CCZ-class of APN Kasami Conjecture 1 ([2, Conjecture 4.14]). Let F (x) = xd be a functions over F n if is divisible by . The proof technique F 2 n 4 non-Gold APN monomial or the inverse function over 2n . used in [14] relies on a careful analysis of the bent component Then, every function that is CCZ-equivalent to F is EA- functions of the Gold and Kasami functions. equivalent to or to −1 (if it exists). F F In this paper, we will also classify all permutations in the In this paper we are going to confirm this conjecture in the CCZ-class of the inverse function (both in odd and even case of the inverse function, i.e. we show that the CCZ-class dimension). We show that (excluding some sporadic cases in 2n−2 of the function x x on F2n coincides with its low dimension) the only permutations in the CCZ-class are EA-class. This is to our7→ knowledge the first theoretical result the “trivial” ones, i.e. the ones that are affine equivalent to the of this kind. Note that, in many ways, the inverse function is inverse function. Of course, since the inverse function does actually the most interesting case because of its widespread not have any bent components, the approach is necessarily use in cryptography, most famously as the S-box in AES. different from the approach in [14]. Instead, we are going to use the following proposition which connects both of the In [25], [7] it was shown that two power functions x xk problems we mentioned to a special type of permutation l 7→ polynomial. The proof of the proposition can be found and x x on F2n are CCZ-equivalent if and only if k 2il7→(mod 2n 1) or kl 2i (mod 2n 1) for some in [13], co-written by the author of this paper, that deals with i ≡ N. Our result− can then≡ be seen as a− generalization the same questions as this paper but only achieved partial of∈ this result for the specific case k = 2n 2 since the results. only power functions that are EA-equivalent− to the inverse Proposition 1 ([13]). (a) Let F : F2n F2n and assume i n function are the power functions with l 2 (2 2) no permutation of the form F (x)+→L(x) exists where (mod 2n 1). Our approach in this paper is≡ very different− − L is a non-zero linear function. Then every permutation from the one used in [25], [7], which relies on sophisticated that is EA-equivalent to F is already affine equivalent tools exploiting the structure of the automorphism groups to it. of power functions. It seems difficult to use these group (b) Let F : F2n F2n and assume no permutation of theoretical tools to settle the complete relationship of EA- → the form L1(F (x)) + L2(x) exists where L1,L2 are and CCZ-equivalence between (APN) power functions and non-zero linear functions. Then every function that is arbitrary functions because the different power functions CCZ-equivalent to F is EA-equivalent to F or F −1 display different behavior. Indeed, as mentioned above, (if it exists). Moreover, all permutations that are CCZ- there exist functions that are CCZ-equivalent to an APN equivalent to F are affine equivalent to F or F −1. Gold function but not EA-equivalent to any power function. Computer results in low dimensions show that for most Based on this proposition, we are going to study permutation 2n−2 other power functions, such functions do not exist (and polynomials of the form F (x)= L1(x )+ L2(x) where a proof of this nonexistence in the case of the inverse L1,L2 are linear functions. For simplicity, we will use for function is of course the subject of this paper). The general the rest of this paper the usual convention 0−1 = 0 which approach we present in this paper (see Proposition 1) is allows us to denote the inverse function by x x−1. 7→ quite flexible and may be used also for different functions, even non-power functions. However, the precise proof II. PERMUTATION POLYNOMIALS OF THE FORM depends a lot on the specific function, and our proof is to a −1 L1(x )+ L2(x) large degree tailored specifically towards the inverse function. A. Preliminaries and preparation Because of the importance of permutations for the design of Let us first introduce some basic concepts and notation. block ciphers, it is also interesting to search for permutations We denote by Tr the absolute trace function mapping F2n inside the CCZ-class of a function F . Indeed, a way to find to F2. The value of n is here always taken from the context. 3

We then define the hyperplanes of F2n as Ha = x Let Q: F2n F2 be the quadratic form defined by ∗ { ∈ → F n : Tr(ax)=0 for a F n . i j 2 } ∈ 2 Q(x)= x2 +2 For a set A F2n , we denote by 1/A the set of all inverses 0≤i

− i Tr(x 1+ax) X K (a)= ( 1) . 2i 2i n − = (xy) + Tr(y) x x∈F n 2 i i X X X Using Kloosterman sums and the adjoint polynomial, we can = Tr(xy) + Tr(x) Tr(y). −1 give a criterion when L1(x )+ L2(x) is a permutation. A partial result in the classification of permutations of the −1 form L1(x ) + L2(x) was found in [20]. We want to Proposition 2 ([13]). Let L1,L2 be linear mappings over −1 remark that the techniques we develop in this paper to tackle F2n . Then L1(x )+ L2(x) is a permutation of F2n if and only if the more general question differ considerably from the ones ∗ ∗ employed in [20]. Kn(L1(b)L2(b))=0 Theorem 2 ([20]). Let F : F2n F2n defined by F (x) = F ∗ ∗ −1 → for all b 2n and ker(L1) ker(L2)= 0 . x +L(x) with some nonzero linear mapping L(x). If n 5 ∈ ∩ { } ≥ ∗ then F is not a permutation. Proposition 2 motivates us to investigate elements a F n ∈ 2 with the property that Kn(a)=0. We call such elements From this theorem we can derive a straightforward corollary. Kloosterman zeros. Kloosterman zeros are used for the con- Corollary 2. Let n 5 and F : F n F n be defined struction of bent and hyperbent functions (see for example 2 2 by F (x) = L (x−1)+≥ L (x), where L→,L are non-zero [8], [5]). Few results about the distribution of Kloosterman 1 2 1 2 linear mappings. If L or L is bijective, then F is not a zeros are known. It is known that Kloosterman zeros exist for 1 2 permutation on F n . all values of n (note that this is not true in characteristic 5 2 ≥ [18]). There is a way to compute the number of Kloosterman Proof. Assume F is a permutation and L1 is bijective. Then −1 −1 −1 zeros [19], which relies on determining the class number of L1 F = x +L1 (L2(x)) is a permutation, contradicting binary quadratic forms. However, it is difficult to use this Theorem◦ 2. −1 method to derive a theoretical result on the number and Since F is a permutation if and only if F (x )= L1(x)+ −1 distribution of Kloosterman sums. Moreover, it is known that L2(x ) is a permutation, the same holds also for L2. for n> 4, Kloosterman zeros are never contained in proper subfields of F2n [22]. B. The proof of the non-existence of permutations of the form −1 Instead of working directly with Kloosterman sums, we are L1(x )+ L2(x) −1 going to use dyadic approximations, which give necessary We now prove that no permutations of the form L1(x )+ conditions for elements to be a Kloosterman zero. L (x) with L ,L =0 exist if n 5. The conditions given 2 1 2 6 ≥ 4 in Corollary 1 are our starting point. Our proof consists of Adding the last equation to Eq. (2) yields three steps: ∗ 2 ∗ ∗ −1 Tr((L1(x)) L2(z)L2(y))=0 (3) • We show that if L1(x )+ L2(x) permutes F2n , then ∗ F the kernels of L1 and L2 must be translates of a subfield for all y,z ker(L1) and x 2n . F F F∗ ∈ ∈ ∗ ∗ of 2n , i.e. of the form a 2k with a 2n and k n. Setting y = z in Eq. (3) we have 0 = Tr(L1(x)L2(y)) = ∈ | ∗ F • Under this condition, we show k = 1, i.e. that Tr(xL1(L2(y))) for all x 2n . Consequently, ∗ ∗ ∈ ∗ ∗ dim(ker(L1)) = dim(ker(L2))=1. L2(ker(L1)) ker(L1). Since ker(L1) ker(L2) = 0 ⊆ ∩ ∗ { } • We show explicitly that there is no permutation with by Corollary 1 and dim(ker(L1)) = dim(ker(L1)) by ∗ ∗ dim(ker(L1)) = dim(ker(L2))=1. Lemma 1, we get ker(L1)= L2(ker(L1)). The key step here is the first one. Generally, the difficulty of Again using Eq. (3), we get the problem lies in the fact that the inverse function does not ∗ ∗ preserve the additive structure given by the linear mappings. Tr xL1 L2(z)L2(y) =0 F 1 F However, if ker(L) = a 2k , then 1/ ker(L) 0 = a 2k ,  q  ∪{ } ∗ so the kernel retains its structure after inversion, which is for all y,z ker(L ) and x F n , so ∈ 1 ∈ 2 the key for the next steps. L∗(ker(L∗)) L∗(ker(L∗)) ker(L ). Now since 2 1 · 2 1 ⊆ 1 L∗(ker(L∗)) = ker(L ) we have ker(L ) ker(L ) = p2 1 1 1 · 1 We will use the following result from additive combinatorics ker(L ). 1 p which characterizes the subsets in an Abelian group with This particularly implies that doubling constant 1. (ker(L1) 0 ) (ker(L1) 0 ) = (ker(L1) 0 ) , Theorem 3 ([24, Proposition 2.7]). Let (G, ) be an Abelian | \{ } · \{ } | | \{ } | group and A G a finite subset of G. Then· A A = A if so by Theorem 3 we get ker(L1) = aH 0 where a ⊆ | · | | | F∗ F∗ ∪{ } ∈ and only if A = gH, where g G and H G is a subgroup 2n and H 2n is a subgroup of the multiplicative group F ≤ k N of G. ∈ ≤ of 2n . Since ker(L1) = 2 for some k , we infer H =2k 1. In| particular,| H is the multiplicative∈ group of We are now ready to prove the first step we outlined above. | | − F F a subfield of 2n , so ker(L1) = a 2k for some a = 0 and k n. 6 Theorem 4. Let F : F n F n with n 5 be defined by 2 2 | −1 F (x)= L (x−1)+ L (x)→, where L ,L ≥are nonzero linear Since F (x)= L1(x )+ L2(x) is a permutation if and only 1 2 1 2 −1 −1 if F (x )= L1(x)+ L2(x ) is a permutation, we get the mappings over F2n . If F is a permutation, then ker(L1) and same results also for the kernel of L2. ker(L2) are translates of subfields of F2n , i.e. they are of the F form a 2k for a =0 and k n. Moreover, we have ker(L1)= ∗ ∗ 6 | ∗ ∗ L2(ker(L1)) and ker(L2)= L1(ker(L2)). Before we start with the second step of the proof, we need ∗ ∗ some lemmas. The first one is very well-known and can be Proof. We define R(x) = L1(x)L2(x). Assume that F found for instance in [21]. permutes F2n . Then Corollary 1 implies Q(R(x)) = 0 and ∗ Tr(R(x))=0 for all x F n . Let x F n and y ker(L ) 2 2 2 1 Lemma 2. The quadratic equation ax +bx+c =0 over F n ∈ ∗ ∈ ∈ 2 (recall that we can assume ker(L ) = 0 by Corollary 2). 2 1 with b =0 has solutions in F2n if and only if Tr(ac/b )=0. Then 6 { } 6 Proposition 3. Let F : F2n F2n be defined by F (x) = −1 → 0=Q(R(x + y)) L1(x )+L2(x), where L1,L2 are nonzero linear mappings ∗ ∗ ∗ ∗ F =Q(R(x)+ L1(x)L2(y)+ L1(y)L2(x)+ R(y)) over 2n . F is a permutation polynomial if and only if F ∗ ∗ 1 F∗ has only one zero and L2(a) L1( ) for all a 2n . =Q(R(x)+ L1(x)L2(y)) 6∈ H1/a ∈ ∗ ∗ ∗ ∗ =Q(R(x)) + Q(L1(x)L2(y)) + B(R(x),L1(x)L2(y)) Proof. F permutes F2n if and only if F (x)+ F (x + a) =0 ∗ ∗ ∗ ∗ F F∗ 6 =Q(L (x)L (y)) + Tr(R(x)L (x)L (y)), (2) for all x 2n and a n , i.e. 1 2 1 2 ∈ ∈ 2 ∗ −1 −1 where we use R(y) = L (y) = 0, Q(R(x)) = 0 and L1(x + (x + a) ) = L2(a). (4) 1 6 Tr(R(x)) = 0 throughout the computation, as well as the −1 We determine the set M = c F n x F n : x + bilinear form B(x, y) = Tr(xy) + Tr(x) Tr(y). a 2 2 (x + a)−1 = c . We have { ∈ | ∃ ∈ For every z ker(L∗), we then get using Eq. (2) } ∈ 1 −1 −1 −1 1 0=Q(L∗(x + z)L∗(y)) + Tr(R(x + z)L∗(x + z)L∗(y)) x + (x + a) = c c = a or Tr( )=0. 1 2 1 2 ⇐⇒ ac =Q(L∗(x)L∗(y)) + Tr(R(x + z)L∗(x)L∗(y)) 1 2 1 2 Indeed, c = a−1 if we choose x = 0 or x = a, and in the ∗ ∗ ∗ ∗ ∗ ∗ =Q(L1(x)L2(y)) + Tr(L1(x)L2(x + z)L1(x)L2(y)) other cases we can multiply the equation by x(x + a) which ∗ ∗ ∗ ∗ =Q(L1(x)L2(y)) + Tr(R(x)L1(x)L2(y)) results in the quadratic equation ∗ 2 ∗ ∗ + Tr((L1(x)) L2(z)L2(y)). cx2 + acx + a =0. 5

′′ ′ ′′ By Lemma 2, this equation has a solution in F2n if and mapping L such that L = L L, so (using Theorem 5) we ◦ 2 only if c =0 and Tr(1/(ac))= 0. We conclude that Ma = can assume without loss of generality that L1(x)= x + ax 6 −1 1/H 1 a , so Eq. (4) gives L2(a) L1(Ma). Observe for some a = 0. In fact, we can even assume a = 1 as the a ∪{ } −1 6∈ 6 that L2(a) = L1(a ) if and only if a is a zero of F and following argument shows: the result follows. −2 −1 x + ax + L2(x)= c (5) ∗ Lemma 3. Let a,b,c be three distinct elements in F n . Then −2 −2 −1 −1 −2 −2 2 a x + a x + a L2(x)= a c Ha Hb Hc = F2n if and only if a+b = c. In particular, if ⇐⇒ ∪ F∪ F∗ by multiplying the equation with −2. After a substitution M = r 2k with k n, k> 1 and r 2n , we can always find a three elements a,b,c| M 0 ,∈ such that H H x x/a, we get ∈ \{ } 1/a ∪ 1/b ∪ 7→ H1/c = F2n . −2 −1 −2 −2 x + x + a L2(x/a)= a c. (6) Proof. Clearly, all hyperplanes have 2n−1 elements and all Eq. (5) has one solution for every c F n if and only if intersections of two distinct hyperplanes have 2n−2 elements, 2 Eq. (6) has one solution for each . Observe∈ that −2 so c a L2(x/a) is still a linear mapping, so we can consider without loss 2 Ha Hb Hc = Ha + Hb + Hc Ha Hb of generality L1(x) = x + x. In fact, we will instead use − − | ∪ ∪ | | | | | | | − | ∩ | 2 2n 1 2n 1 Ha Hc Hb Hc L1(x) = (x + x) = x + x, which is equivalent − | ∩ | − | ∩ | 2 −2 to the case L1(x) = x + x. Indeed, if F (x) = x + − + Ha Hb Hc −1 2n 1 −1 | ∩ ∩ | x + L2(x) is a permutation, then so is F (x )= x + n−1 n−2 − − =3 2 3 2 + Ha Hb Hc −2n 1 2n 1 · − · | ∩ ∩ | x + L2(x ). The reason for this transformation is n−1 n−2 ∗ =2 +2 + Ha Hb Hc . that in this case L (x)= x2 + x, which makes the following | ∩ ∩ | 1 technical calculations slightly easier. In this case we also Consequently, H H H = F n if and only if H H a ∪ b ∪ c 2 | a ∩ b ∩ ∗ H =2n−2, which means H H H . This is equivalent have ker(L1) = ker(L1)= 0, 1 . By Theorem 4, we know c| a ∩ b ⊆ c ∗ ∗ { } ∗ to a + b = c. ker(L1)= L2(ker(L1)), which implies L2(1) = 1. F F Now let M = r 2k be a translate of a subfield of 2n with Theorem 6. There is no permutation of the form F (x) = −1 k > 1. Choose two distinct elements a = rs1, b = rs2 with L1(x ) + L2(x) on F2n with nonzero linear mappings F∗ s1,s2 2k , then L ,L if n 5. ∈ 1 2 ≥ 1 1 1 1 1 + = + . Proof. Assume that F is a permutation. By the consider- a b r s1 s2 ations above we can assume without loss of generality that   ∗ 2 ∗ ∗ 2i F∗ L (x)= x +x and L (1) = 1. We set L (x)= cix and Clearly, 1/s1 +1/s2 = 1/s is an element in 2k . For the 1 2 2 1 1 1 derive necessary conditions on the coefficients ci and show three elements a,b,rs M we have a + b = rs , so we ∈ that those conditions contradict each other. As theP basis we have H1/a H1/b H1/rs = F2n . ∪ ∪ use the conditions given in Corollary 1 as well as Eq. (2) for F F Theorem 5. Let F : 2n 2n be defined by F (x) = y =1. We get −1 → L1(x )+ L2(x) with n 5, where L1,L2 are nonzero ≥ 2 ∗ linear mappings over F2n . If F is a permutation, then Tr((x + x)L2(x)) =0 (7) ∗ ker(L1) = ker(L2) =2. 2 (8) | | | | Q((x + x)L2(x)) =0 F 2 4 2 ∗ Proof. By Theorem 4, we know that ker(L2) = a 2k for Q(x + x) + Tr((x + x )L2(x)) =0 (9) F∗ some a 2n and k n. We want to show that k =1. Assume ∈ | for all x F n . to the contrary that k 2. Then there exist three distinct ∈ 2 ≥ We start by expanding condition (7). We have elements a,b,c ker(L2) such that H1/a H1/b H1/c = ∈ 1 1∪ 1∪ ∗ − F n F n n 1 2 by Lemma 3. Equivalently, = 2 . i H1/a ∪ H1/b ∪ H1/c 2 2 1 Tr((x + x) cix ) By Proposition 3, we have L2(x) L1( ) for all x H1/x ∗ 6∈ ∈ i=0 F n . For the elements , this relation becomes 2 a,b,c n−1 n−1 X n−1 n−1 1 1 1 2s 2i+s+2s+1 2s 2i+s+2s F∗ = ci x + ci x 0 L1( ) L1( ) L1( )= L1( 2n ). 6∈ H1/a ∪ H1/b ∪ H1/c s=0 i=0 s=0 i=0 nX−1 nX−1 nX−1 nX−1 But since ker(L1) > 1 by Corollary 2, this is not possible. 2s 2i+2s+1 2s 2i+2s | | = ci−sx + ci−sx We conclude k =1 and ker(L2) =2. −1 | | s=0 i=0 s=0 i=0 Since L1(x ) + L2(x) is a permutation if and only if nX−1 nX−1 X X −1 s−1 s i s L1(x)+L2(x ) is a permutation, the argument works again 2 2 2 +2 = (ci−s+1 + ci−s)x , symmetrically for the kernel of L1. s=0 i=0 X X Basic linear algebra shows that for two linear mappings L,L′ where we use a transformation i i s in the second step with ker(L) = ker(L′), there exists always a bijective linear and then a transformation s s 7→1 −in the left double sum 7→ − 6 in the last step. Here we view the indices of the coefficients We simplify the equation by substituting r r and taking r+2 7→ − ci modulo n. By condition (7) this polynomial is equal to the resulting equation to the power 2 : the zero polynomial. When we check the coefficient of x4 (achieved by setting i = s =1), we get 2 2 4 1, r = n 2 cr+3 + cr+2 + cr+1 + cr = − (14) (0, r 1,...,n 3 . c = c2. (10) ∈{ − } 1 0 We show by induction that the constraints we have obtained r Similarly, checking the coefficient of x2 +1 for 1 r n 1 so far imply i (achieved for i =0, s = r and i = r, s =0) we≤ get ≤ − c2 , i odd 0 (15) ci = 2i −1 −1 c +1, i even . 2r 2r 2 ( 0 c−r+1 + c−r + cr+1 + cr =0 (11) for all i 1,...,n 1 . The cases i = 1 and i = 2 are for all 1 r n 1. shown in∈ Eq. { (10) and− (12).} We verify the case i = 3 by ≤ ≤ − We now do the same procedure for condition (9). We have using Eq. (13) with r =1:

−2 −1 −1 2 4 2 ∗ 2 2 2 Q(x + x) + Tr((x + x )L2(x)) 0=1+ c3 + c2 + c1 + c0 − − 2 3 2 2 2 2 2 2 =Q(x )+ Q(x) + Tr(x ) + Tr(x) =1+ c3 + c0 +1+ c0 + c0 = c3 + c0, n−1 i which immediately yields c = c8 as claimed. We now + Tr((x4 + x2) c x2 ) 3 0 i proceed by induction: Assume that all coefficients up to i=0 Xn−1 n−1 k 3 satisfy Eq. (15). Then by Eq. (14) s i+s s+2 ≥ 3 2 2 +2 k+1 k k k+1 = Tr(x ) + Tr(x)+ ci x 2 2 4 2 2 2 2 ck+1 = ck+ck−1+ck−2 = (c0 +1)+c0 +(c0 +1) = c0 s=0 i=0 X X n−1 n−1 if k +1 is odd and 2s 2i+s+2s+1 + c x k+1 k k k+1 i c = c2 +c2 +c4 = c2 +(c2 +1)+c2 = c2 +1 s=0 i=0 k+1 k k−1 k−2 0 0 0 0 n−X1 X n−1 i+1 i i if k +1 is even, proving Eq. (15). = x2 +2 + x2 We compute cn−1 in another way using Eq. (11) for r =1: i=0 i=0 −1 Xn−1 n−1 X 2 2 2 2 2 − − 0= c0 + cn−1 + c2 + c1 = cn−1 + c0 + c0 +1+ c0, (16) 2s 2 2s 1 2i +2s + (c + c )x , − i−s+2 i−s+1 2n 1 s=0 i=0 so cn−1 = 1+c0 . This immediately implies in connection X X with Eq. (15) that n must be odd. 2 where we use Q(x )= Q(x) and in the last two steps again The last step is to find a contradiction to the coefficients the transformations i i s and s s 2 (in the left double 7→ − 7→ − described in Eq. (15). For that, we use the condition from sum) and s s 1 (in the right double sum). Checking the Eq. (8). First, we expand the condition coefficient of7→x8−(achieved by i = s =2 in the double sum) n−1 n−1 n−1 we get i i i Q((x2 + x) c x2 )= Q( c x2 +2 + c x2 +1) 2 i i i c2 = c1 +1. (12) i=0 i=0 i=0 X X X r n−1 2 +1 r−1 r i r For the coefficients of x for 1 r n 1 (achieved = (c2 + c2 )x2 +2 by , and , ), we≤ similarly≤ − get i−r+1 i−r i = r s =0 i =0 s = r ≤ ≤ − i=0 ! 0 r

− − − 8 2 2r 1 2r 2r 2 2r 1 1, r =2 We check the coefficient of x of the polynomial Q((x + c−r+1 + c−r + c−r+3 + c−r+2 = ∗ 0, r 3,...,n 1 . x)L2(x)): The possible choices for i,j,r,s are: ( ∈{ − } 7

1) i = j =0, r =1,s =2 with di,j,r,s =1 It would also be of interest to look at the same problem in 2) i = r =0,s =1, j =2 with di,j,r,s =0 odd characteristic. As shown in [15], there is no permutation 3) i = r =0, j =1,s =2 with d =0 polynomial of the form L (x−1)+L (x) in characteristic 5 i,j,r,s 1 2 ≥ 4) j = r =0,i =1,s =2 with di,j,r,s =1 which is a straightforward observation based on the fact that 5) j = r =0,s =1,i =2 with di,j,r,s =1. there is no Kloosterman zero in finite fields of characteristic 8 5. The characteristic 3 case is however still open. In particular, the coefficient of x is the sum of the listed ≥ values of d , which is 1, so Q((x2 + x)L (x)) is not the i,j,r,s 2 ACKNOWLEDGMENT zero polynomial. This contradicts condition (8) and proves the theorem. I would like to thank Gohar Kyureghyan and Faruk G¨olo˘glu for many discussions, hints and encouragement throughout my work on this paper. I would also like to thank the Remark 1. The condition n 5 in Theorem 6 is necessary. anonymous referees for their comments that improved the Indeed, it is possible to find permutation≥ polynomials of the presentation of this paper. −1 form L1(x ) + L2(x) over F24 and F23 using a simple REFERENCES computer search, examples with L1(x)= x can be found in [20]. [1] K. A. Browning, J. F. Dillon, M. T. McQuistan, and A. J. Wolfe, “An APN permutation in dimension six,” in Finite Fields: Theory Appl., ser. Our main result is a direct consequence from Theorem 6 Comtemporary Mathematics, G. McGuire, G. L. Mullen, D. Panario, and I. E. Shparlinski, Eds., 2010, vol. 518, pp. 33–42. and Proposition 1 (recall that the inverse function is an [2] L. Budaghyan, M. Calderini, and I. Villa, “On relations between involution). CCZ- and EA-equivalences,” Cryptography and Communications, vol. 12, no. 1, pp. 85–100, Jan 2020. [Online]. Available: Theorem 7 (Main result). Let F : F2n F2n be the inverse https://doi.org/10.1007/s12095-019-00367-5 function with n 5. The CCZ-class of→F coincides with the [3] L. Budaghyan, C. Carlet, and A. Pott, “New classes of almost bent ≥ and almost perfect nonlinear polynomials,” IEEE Transactions on EA-class of F . Moreover, all permutations in the CCZ-class Information Theory, vol. 52, no. 3, pp. 1141–1152, March 2006. of F are affine equivalent to F . [4] C. Carlet, Boolean Functions for Cryptography and Coding Theory. Cambridge University Press, 2021. [5] P. Charpin and G. Gong, “Hyperbent functions, Kloosterman sums III. CONCLUSIONANDPOSSIBLEDIRECTIONSOFFUTURE and Dickson polynomials,” in 2008 IEEE International Symposium on RESEARCH Information Theory, July 2008, pp. 1758–1762. [6] P. Charpin and G. Kyureghyan, “Monomial functions with linear We have shown that no permutation polynomials of the form structure and permutation polynomials,” in Finite fields: theory and −1 applications, vol. 518. Contemporary Mathematics, 2010, pp. 99– L1(x )+ L2(x) in F2n for n 5 exist. This implies that ≥ 111. every function that is CCZ-equivalent to the inverse function [7] U. Dempwolff, “CCZ equivalence of power functions,” Designs, is already EA equivalent to it, and that all permutations CCZ- Codes and Cryptography, vol. 86, no. 3, pp. 665–692, Mar 2018. equivalent to the inverse function are affine equivalent to it. [Online]. Available: https://doi.org/10.1007/s10623-017-0350-8 [8] J. Dillon, “Elementary Hadamard difference sets,” Ph.D. dissertation, An interesting avenue of further research is to consider the University of Maryland, 1974. same questions for other functions with good cryptographic [9] H. Dobbertin, “Almost perfect nonlinear power functions n properties (nonlinearity/differential uniformity). In particular, on GF (2 ): The Welch case,” IEEE Trans. Inf. Theor., vol. 45, no. 4, pp. 1271–1275, Sep. 1999. [Online]. Available: Theorem 7 proves Conjecture 1 for the case of the inverse https://doi.org/10.1109/18.761283 function. However, all other cases have not been answered [10] ——, “Almost perfect nonlinear power functions on n yet (to our knowledge). Using the approach in this paper, GF (2 ): The Niho case,” Information and Computation, vol. 151, no. 1, pp. 57 – 72, 1999. [Online]. Available: a possible way to prove the conjecture would be to prove http://www.sciencedirect.com/science/article/pii/S089054019892764X the non-existence of permutation polynomials of the form [11] ——, “Almost perfect nonlinear power functions on GF (2n): A d d new case for n divisible by 5,” in Finite Fields and Applications, L1(x )+ L2(x) with L1,L2 = 0 where x is a non-Gold 6 D. Jungnickel and H. Niederreiter, Eds. Berlin, Heidelberg: Springer APN monomial. Note however, that the non-existence of such Berlin Heidelberg, 2001, pp. 113–121. a polynomial is a stronger statement than the statement in [12] R. Gold, “Maximal recursive sequences with 3-valued recursive Conjecture 1, i.e. finding a permutation polynomial of the cross-correlation functions,” IEEE Trans. Information Theory, d vol. 14, no. 1, pp. 154–156, 1968. [Online]. Available: form L1(x )+L2(x) with nonzero L1,L2 does not disprove https://doi.org/10.1109/TIT.1968.1054106 Conjecture 1. [13] F. G¨olo˘glu, L. K¨olsch, G. Kyureghyan, and L. Perrin, “On subspaces of −1 More generally, an interesting way to expand on the results Kloosterman zeros and permutations of the form L1(x )+ L2(x),” in Arithmetic of Finite Fields, J. C. Bajard and A. Topuzo˘glu, Eds. in this paper would be to work towards a classification of Cham: Springer International Publishing, 2021, pp. 207–221. d permutation polynomials of the form L1(x )+L2(x) (or even [14] F. G¨olo˘glu and P. Langevin, “Almost perfect nonlinear families d which are not equivalent to permutations,” Finite Fields and just x +L(x)) over F n where L,L ,L are linear mappings. 2 1 2 Their Applications, vol. 67, p. 101707, 2020. [Online]. Available: Combined with Proposition 1, this might give insight into http://www.sciencedirect.com/science/article/pii/S1071579720300769 the CCZ-classes of monomials. Note that this family of [15] F. G¨olo˘glu and G. McGuire, “On theorems of Carlitz and permutation polynomials is similar to other families that have Payne on permutation polynomials over finite fields with an application to x−1 + L(x),” Finite Fields and Their been investigated in the past, for instance the polynomials Applications, vol. 27, pp. 130 – 142, 2014. [Online]. Available: xs + γ Tr(xt) considered in [6]. http://www.sciencedirect.com/science/article/pii/S107157971400015X 8

[16] F. G¨olo˘glu, G. McGuire, and R. Moloney, “Binary Kloosterman sums using Stickelberger’s theorem and the Gross-Koblitz formula,” Acta Arithmetica, vol. 148, no. 3, pp. 269–279, 2011. [Online]. Available: http://eudml.org/doc/279847 [17] T. Kasami, “The weight enumerators for several clauses of subcodes of the 2nd order binary Reed-Muller codes,” Information and Control, vol. 18, pp. 369–394, 1971. [18] K. P. Kononen, M. J. Rinta-aho, and K. O. V¨a¨an¨anen, “On integer values of Kloosterman sums,” IEEE Transactions on Information Theory, vol. 56, no. 8, pp. 4011–4013, Aug 2010. [19] G. Lachaud and J. Wolfmann, “The weights of the orthogonals of the extended quadratic binary Goppa codes,” IEEE Transactions on Information Theory, vol. 36, no. 3, pp. 686–692, 1990. [20] Y. Li and M. Wang, “Permutation polynomials EA-equivalent to the inverse function over GF(2n),” Cryptography and Communications, vol. 3, no. 3, pp. 175–186, Sep 2011. [Online]. Available: https://doi.org/10.1007/s12095-011-0045-3 [21] R. Lidl and H. Niederreiter, Finite Fields, 2nd ed., ser. Encyclopedia of Mathematics and its Applications. Cambridge University Press, 1996. [22] P. Lisonek and M. Moisio, “On zeros of Kloosterman sums,” Designs, Codes and Cryptography, vol. 59, no. 1, pp. 223–230, 2011. [Online]. Available: https://doi.org/10.1007/s10623-010-9457-x [23] K. Nyberg, “Differentially uniform mappings for cryptography,” in Advances in Cryptology — EUROCRYPT ’93, T. Helleseth, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1994, pp. 55–64. [24] T. Tao and V. H. Vu, Additive Combinatorics, ser. Cambridge Studies in Advanced Mathematics. Cambridge University Press, 2006. [25] S. Yoshiara, “Equivalences of power APN functions with power or quadratic APN functions,” Journal of Algebraic Combinatorics, vol. 44, no. 3, pp. 561–585, Nov 2016. [Online]. Available: https://doi.org/10.1007/s10801-016-0680-z

Lukas Kolsch¨ received the M.Sc. degree from Otto von Guericke University, Magdeburg, in 2017, and the Ph.D. degree from University of Rostock in 2020. He is currently with University of Rostock, Germany. His research interests include cryptography, Boolean functions, and finite fields.