Constructions of Involutions Over Finite Fields

Home , Anubis (cipher), KHAZAD

arXiv:1811.11344v1 [cs.IT] 28 Nov 2018 lc ihr.Oepatclavnaeo nouin sth is involutions of advantage inv practical of One use it the ciphers. and th motivates block permutation into This the comes implementations. both efficient S-box if have designer the the of for proces inverse advantageous encryption permutation compositional the a the during ciphers, cipher, confusion block providing com many for their in S-box and example, For polynomials a permutation required. also desired the and with aspects, both permutations applied situations, and of theoretical classes a both in new theory interest finding coding cryptography, So, been in have theory. applications fields wide finite their over to polynomials Permutation itself. ieto.Moreover, bijection. a oyoili t soitdplnma mapping polynomial associated its if polynomial Let Introduction 1 oeismlilctv ru.Apolynomial A group. multiplicative its note e Words Key q vrfiiefils hspprgvsancsayadsffiin conditio sufficient and necessary a construc gives form to paper the way of This general polynomials a fields. isn’t w there as finite far and over As involutions, theory. many coding been not have and are cryptography fields as finite such over involutions applications property, in this to Owing itself. where ocntutivltoso h form the of involutions construct to h orsodn ugopof subgroup corresponding the h form the eapwro rm.Let prime. a of power a be nivlto vrfiiefilsi emtto oyoilwoeinvers whose polynomial permutation a is fields finite over involution An osrcin fivltosoe nt fields finite over involutions of Constructions aut fMteaisadSaitc,HbiUiest,W University, Hubei Statistics, and Mathematics of Faculty r ≥ x ai Zheng Dabin r and 1 nttt fIfrainEgneig A,Biig10009 Beijing CAS, Engineering, Information of Institute 2 h ( x emtto oyoil nouin lc cipher block involution, polynomial, permutation s over ) s ue e aoaoyo ple Mathematics, Applied of Laboratory Key Hubei 1 | ( f q 1 − scle nivlto ftecmoiinlivreof inverse compositional the if involution an called is F q ) yuigti rtro epooeagnrlmethod general a propose we criterion this using By 1). uYuan Mu x r r obtained. are h ( x s ) F 1 ∈ q ∗ F hn aycasso xlctivltosof involutions explicit of classes many Then, . F q Abstract inLi Nian q x eafiiefil with field finite a be [ r x h ob nouin vrtefiiefield finite the over involutions be to ] 1 ( x 1 s over ) f e Hu Lei ( x ) f F ∈ q 2 : rmgvnivltosover involutions given from c F inyn Zeng Xiangyong q 7→ [ hn406,China 430062, uhan x hlegn ak nmany In task. challenging scle permutation a called is ] tteipeetto of implementation the at f .Wiedcytn the decrypting While s. dcmiaoildesign combinatorial nd ltosi h -o of S-box the in olutions xesvl tde due studied extensively opstoa inverse compositional s ( q oiinlivre are inverses positional ,China 3, c itr.Tu,i is it Thus, picture. e rprisi fgreat of is properties from ) lmnsand elements a enue san as used been has nw there know, e involutions t ieyused widely 1 o the for n F q oisl is itself to is e F q F , q ∗ f de- is the inverse does not require additional resources, which is particularly useful (as part of a block cipher) in devices with limited resources. Involutions have been used widely in block cipher designs, such as in AES [1], F Khazad, Anubis [5] and PRINCE [6]. For instance, the inverse function over 28 used in the S-box of AES is an involution. In PRINCE, a linear involution (denoted by M ′ ) was used to ensure α-reflection property. More typically, in Midori [4] and iSCREAM [14], non-linear involutions were used to provide both encryption and de- cryption functionalities with minimal tweaks in the circuit. Recently, Canteaut and Rouéhave shown that involutions were the best candidates against several cryptan- alytic attacks by analysing the behaviors of the permutations of an affine equivalent class with respect to these attacks [7]. Involutions have been also used to construct Bent functions over finite fields [10] and to design codes. For instance, Gallager used an involution (called Gallager’s involution transform) to update check nodes to obtain low-complexity hardware implementation of the sum product algorithm which was used for decoding [13]. To the best of our knowledge, there are not many known involutions over finite fields. Recently, Charpin, Mesnager and Sarkar [8] firstly discussed Dickson involutions over finite fields of even characteristic. Then, they [9] investigated monomial involutions and linear involutions, and proposed an approach to constructing involutions from known involutions over the finite field F2n . Rubio et. al. [23] further discussed monomial involutions and their fixed points. Very recently, Fu and Feng [12] investigated involutory behavior of all known differentially 4-uniform permutations over finite fields of even characteristic, and most of them were not involutions. To date, primary constructions of involutions over finite fields seems far from enough. r s It is known that every polynomial over Fq can be written as ax h(x )+ b for some r ≥ 1, s | (q −1), a, b ∈ Fq and h(x) ∈ Fq[x][3, 27]. Due to the importance of the polynomials of the form xrh(xs), Wan and Lidl [25] first gave a criterion for permutation polynomials of this type. Then, Park and Lee, Wang and Zieve proposed a more con- cise criterion for permutation behavior of polynomials of the form xrh(xs) [22, 26, 31], respectively. By using this criterion, many classes of permutation polynomials of the form xrh(xs) have been constructed [2, 11, 15, 16, 17, 18, 19, 20, 21, 24, 26, 29, 31, 32]. But the previous woks were not involved involutory behavior of the polynomials of this type. This paper proposes a criterion for involutions of polynomials of the form xrh(xs) by the piecewise representation of functions, and a general method to construct involutions of this form over Fq from given involutions over the correspond- F∗ F ing subgroup of q. Then, many classes of involutions over q are obtained. The remainder of this paper is organized as follows. In Section 2, we give a nec- r s essary and sufficient condition for x h(x ) being an involution over Fq and propose r s a general method to construct involutions of the form x h(x ) over Fq from a given F∗ involution over the corresponding subgroup of q. Section 3 presents explicit involu- r s F F∗ tions of the form x h(x ) over q from the inverse involution over the subgroup of q. r s In Section 4 we construct involutions of the form x h(x ) over Fq from some special

2 h(x) over Fq. Section 5 discusses the constructions of involutions over finite fields from those on their subfields. Finally, we conclude this paper in Section 6.

2 A general construction of involutions over ﬁnite ﬁelds

Throughout this paper let q be a power of a prime, and s, d be divisors of q − 1 such that sd = q − 1. Let Fq be a ﬁnite ﬁeld with q elements and µd denote the set of dth F∗ roots of unity in q, i.e.,

F∗ d µd = x ∈ q | x = 1 , n o F∗ which is also the unique cyclic subgroup of q of order d. This subgroup can also be s F∗ represented as x | x ∈ q . It is easy to verify that

d F∗ F∗ s q = Sαi , Sαi = x ∈ q | x = αi , i=1 [ where αi ∈ µd for 1 ≤ i ≤ d. The following well-known lemma gives a necessary and r s suﬃcient condition for x h(x ) being a permutation over Fq.

Lemma 2.1 [22][26][31] Let r, s, d be positive integers with sd = q − 1. Let h(x) ∈ r s Fq[x]. Then x h(x ) permutes Fq if and only if both (1) gcd(r, s) = 1 and

r s (2) x h(x) permutes µd.

Next we give a criterion for involutions of the form f(x) = xrh(xs) for r ≥ 1, s|(q − 1) and h(x) ∈ Fq[x]. From above discussions we can express f(x) in the form of piecewise functions as

0, x = 0, h(α )xr, x ∈ S ,  1 α1  .  . r s  f(x)= x h(x )=  r (1)  h(αi)x , x ∈ Sαi ,  . .   h(α )xr, x ∈ S ,  d αd   where αi ∈ µd, i = 1, 2,...,d. From the piecewise functional representation we obtain r s a necessary and suﬃcient condition for x h(x ) being an involution over Fq.

3 Theorem 2.2 Let r, s, d be positive integers with sd = q − 1. Let g(x)= xrh(x)s for r s some polynomial h(x) ∈ Fq[x]. The polynomial f(x)= x h(x ) is an involution over Fq if and only if (1) r2 ≡ 1 mod s and

2− r 1 r (2) ϕ(z)= z s (h ◦ g)(z)h(z) = 1 for all z ∈ µd.

F∗ d Proof. Following notation introduced above, we know that q = ∪i=1Sαi ,Sαi = F∗ s s x ∈ q | x = αi , where αi ∈ µd. If x ∈ Sαi , i.e., x = αi, then

r s s sr s r (h(αi)x ) = h(αi) x = h(αi) αi = g(αi).

r So, h(αi)x ∈ Sg(αi). From (1) we obtain that

0, x = 0, r r2  h (g(α1)) h(α1) x , x ∈ Sα1 ,   .  .  f ◦ f(x)=  2 (2)  h (g(α )) h(α )rxr , x ∈ S ,  i i αi . .   r r2  h (g(α )) h(α ) x , x ∈ Sα .  d d d  2−  2 r 1  r If r ≡ 1 mod s and z s (h ◦ g)(z)h(z) = 1 for all z ∈ µd, then from (2) we have for x ∈ Sαi ,

r r2 f ◦ f(x)= h (g(αi)) h(αi) x 2− r s r 1 = h (g(αi)) h(αi) x s x

r2−1 r s = h (g(αi)) h(αi) αi x = x.

This shows that f is an involution over Fq. F Conversely, if f is an involution over q, then for each αi ∈ µd and any x ∈ Sαi , from (2) we have r r2 h(g(αi))h(αi) x = x. (3)

Let β be another element of Sαi , then

r r2 h(g(αi))h(αi) β = β. (4)

4 x r2−1 x From (3) and (4), we get ( β ) = 1. When x runs over Sαi , then β runs over S1. 2 So, r ≡ 1 mod s. With this condition, from (3) we have for any αi ∈ µd,

2 r2−1 2 r −1 r r −1 r s s r s 1= h(g(αi))h(αi) x = h(g(αi))h(αi) x = h(g(αi))h(αi) αi = ϕ(αi).

Corollary 2.3 Let f(x) = xrh(xs) and g(x) = xrh(x)s for some positive integer r and h(x) ∈ Fq[x]. If f(x) is an involution over Fq, then g(x) is an involution over the subgroup µd.

s s Proof. It is easy to verify that x ◦ f(x) = g(x) ◦ x for any x ∈ Fq. If f(x) is an involution over Fq, then for any x ∈ Fq, one has

xs = xs ◦ (f(x) ◦ f(x)) = (xs ◦ f(x)) ◦ f(x)= g(x) ◦ xs ◦ f(x)= g(x) ◦ g(x) ◦ xs.

This shows that g(x) ◦ g(x) is an identity over µd, i.e., g(x) is an involution on this subgroup of order d.

Remark 2.4 In general, g(x) being an involution over µd can not imply f(x) being an involution over Fq. But in some special cases, Theorem 5.1 in Section 5 presents the similar result on involutory behavior of xrh(xs) as that in Lemma 2.1.

r s To obtain involutions of the form f(x) = x h(x ) over Fq, it is crucial to ﬁnd a suitable h(x). From Corollary 2.3, g(x)= xrh(x)s is necessary to be an involution on F∗ F the subgroup µd of q for f(x) being an involution on q. Next, we give a general method to determine the coeﬃcients of h(x) from a given involution g(x) over µd. s Let α be a primitive element of Fq and ω = α be a generator of the subgroup µd. Let σ be an involution over µd, which is represented by

1 ω · · · ωi · · · ωd−1 ωℓ0 ωℓ1 · · · ωℓi · · · ωℓd−1 σ = = , ωℓ0 ωℓ1 · · · ωℓi · · · ωℓd−1 1 ω · · · ωi · · · ωd−1 where ℓ0,ℓ1,...,ℓi,...,ℓd−1 is a rearrangement of 0, 1,...,d − 1. Assume that the r s polynomial g(x) = x h(x) as a mapping on µd is the same as σ on it, i.e, for 0 ≤ i ≤ d − 1, g(ωi)= ωirh(ωi)s = ωℓi , (5) ( g(ωℓi )= ωℓirh(ωℓi )s = ωi. s Since ω = α , from (5) there are some ni and nℓi with 0 ≤ ni,nℓi ≤ s − 1 such that

h(ωi)= αdni+ℓi−ir, (6) ℓ dn +i−ℓ r ( h(ω i )= α ℓi i ,

5 where i = 0, 1,...,d − 1 . By Theorem 2.2 and equalities (5) and (6), the polynomial r s f(x)= x h(x ) is an involution over Fq if and only if the following equalities hold: r2 ≡ 1 mod s, 2− i i r 1 ℓ i r d(n +rn )  ϕ(ω )= ω s h(ω i )h(ω ) = α ℓi i = 1,   2−  ℓ ℓ r 1 i ℓ r d(n +rn ) ϕ(ω i )= ω i s h(ω )h(ω i ) = α i ℓi = 1,  where i = 0, 1,...,d − 1. This is equivalent to r2 ≡1 mod s, (7) ( nℓi + rni ≡0 mod s, 2 since nℓi + rni ≡ 0 mod s is equivalent to ni + rnℓi ≡ 0 mod s due to r ≡ 1 mod s.

It is veriﬁed that there exist integers r, ni,nℓi satisfying (7) for i = 0, 1,...,d − 1. Let d−1 i F d h(x)= i=0 hix ∈ q[x] be a reduced polynomial modulo x − 1. Denote by αdn0+ℓ0 P1 1 · · · 1 h0 d−1 . 1 ω · · · ω h1  .      A = 1 ω2 · · · ω2(d−1) ,H = h2 , Λ= αdni+ℓi−ir .  .   .   ··· ···   .   .   d−1 (d−1)(d−1)       1 ω · · · ω   h   dnd−1+ℓd−1−(d−1)r     d−1   α        Since A is a Vandermonde matrix, from (6) the coeﬃcients of h(x) can be uniquely derived from the following linear equations AH = Λ. (8) In summary, we have the following theorem.

Theorem 2.5 Let ℓ0,ℓ1,...,ℓi,...,ℓd−1 be a rearrangement of 0, 1,...,d − 1. Let ni be numbers with 0 ≤ ni ≤ s − 1 for i = 0, 1,...,d − 1. Let α be a primitive F s F∗ element of q and ω = α be a generator of the subgroup µd of q. Let h(x) = d−1 d−2 hd−1x + hd−2x + . . . + h1x + h0 ∈ Fq[x], whose coeﬃcients are determined r s by (8). Then f(x)= x h(x ) is an involution over Fq if and only if (7) holds.

F∗ 3 Involutions from the inverse over the subgroup of q

In this section we will give an explicit construction of involutions over Fq from the F∗ inverse involution over the subgroup µd of q. To this end, we ﬁrst discuss a special q−1 1 case that µd having at most two elements. In this case, s = 2 and 2 is viewed as the inverse of 2 modulo q − 1 if q is even. Then, f(x) in (1) is rewritten as 0, x = 0, r s r f(x)= x h(x )=  ax , x ∈ S1, (9) r  bx , x ∈ S−1,  6 − F∗ q 1 where a = h(1), b = h(−1) and S±1 = {c ∈ q | c 2 = ±1}. r If h(1) = h(−1) = a, then f(x)= ax is a monomial over Fq. Theorem 2.2 implies r that f(x)= ax is an involution over Fq if and only if (1) r2 ≡ 1 mod q − 1, (2) ar+1 = 1. This is exactly Proposition 3.1 in [9] if q is even. When a 6= b, f(x) in (9) can be rewritten as the following form,

− a − b q 1 +r a + b r f(x)= x 2 + x . (10) 2 2 By Theorem 2.2, we have the following proposition.

Proposition 3.1 Let q be a power of an odd prime. Let Fq be a ﬁnite ﬁeld and a, b ∈ Fq with a 6= b. The polynomial f(x) in (10) is an involution over Fq if and only if 2 q−1 (1) r ≡ 1 mod 2 ,

2− q−1 q−1 2(r 1) a−b 2 +r a+b r r a−b 2 +r a+b r q−1 (2) 2 a + 2 a = 1 and (−1) 2 b + 2 b = (−1) . 1 Example 3.2 In Proposition 3.1, let r = 1 and a = δ and b = δ for some non- square element in Fq. It is easy to check that conditions (1) and (2) hold. Then the 2 q+1 2 δ −1 2 δ +1 F polynomial f(x)= 2δ x + 2δ x is an involution over q. F∗ Next, we discuss the case that the subgroup µd of q has at least 3 elements. It is clear that the inverse over µd is an involution, which can be represented as 1 ω · · · ωi · · · ωd−1 σ = . 1 ωd−1 · · · ωd−i · · · ω r s Assume that the polynomial g(x) = x h(x) as a mapping over µd is the same as σ on it. Then the equalities in (5) are as follows, g(ωi)= ωirh(ωi)s = ωd−i, i = 0, 1,...,d − 1. (11) From (11) we obtain that h(1) = αdn0 and h(ωi)= αdni+d−i−ir, i = 1, 2,...,d − 1. (12) where n0,n1,...,nd−1 ∈ {0, 1,...,s − 1}. Similarly to that in Theorem 2.5, the poly- r s nomial f(x)= x h(x ) is an involution over Fq if and only if the following equalities hold: r2 ≡ 1 mod s, r+1 dn (r+1)  ϕ(1) = h(1) = α 0 = 1,  r2−1  i i d−i i r d(n r+n − )  ϕ(ω )= ω s h(ω )h(ω ) = α i d i = 1, i = 1, 2,...,d − 1.   7 This is equivalent to r2 ≡1 mod s,

 n0(r + 1) ≡0 mod s,   n1r + nd−1 ≡0 mod s, (13)   ······

n⌊ d ⌋r + n⌈ d ⌉ ≡0 mod s,  2 2   d−1 i F where n0,n1,...,nd−1 ∈ {0, 1,...,s − 1}. Let h(x)= i=0 hix ∈ q[x] be a reduced polynomial modulo xd − 1. The linear system (8) becomes P

dn0 1 1 · · · 1 h0 α dn1+d−1−r 1 ω · · · ωd−1 h1 α      dn2+d−2−2r  1 ω2 · · · ω2(d−1) h2 = α . (14)  .   .   ··· ···   .   .   d−1 (d−1)(d−1)       1 ω · · · ω   h   αdnd−1+1−(d−1)r     d−1          In summary, we have the following theorem.

Theorem 3.3 Let q be a power of a prime, s and d be divisors of q − 1 such that s ds = q − 1. Let α be a primitive element of Fq and ω = α be a generator of the F∗ d−1 d−2 F subgroup µd of q. Let h(x)= hd−1x + hd−2x + . . . + h1x + h0 ∈ q[x], whose coeﬃcients are determined by the linear system (14). Then f(x) = xrh(xs) is an involution over Fq if and only if (13) holds. F∗ Assume that q ≡ 1 mod 3 and the subgroup µd of q has exact 3 elements, i.e, q−1 s = 3 . Then the condition (13) is reduced to q − 1 r2 ≡1 mod , 3  q − 1  n (r + 1) ≡0 mod , (15)  0  3  q − 1 n r + n ≡0 mod . 1 2 3   By solving the corresponding linear system (14) we get

(2 + ω2)α3n0 − (1 + 2ω2)α3n1+2−r − (1 − ω2)α3n2+1−2r h = , 2 3(1 − ω)  3n 3n +2−r 3n +1−2r  (2 + ω)α 0 − (1 + 2ω)α 1 − (1 − ω)α 2  h1 = , (16)  3(1 − ω2)  α3n0 + α3n1+2−r + α3n2+1−2r h = .  0 3   

8 Proposition 3.4 Let q be a power of a prime with q ≡ 1 mod 3, α be a primitive − q 1 2 element of Fq and ω = α 3 be a primitive cubic root of unity. Let h(x) = h2x + − 2q 2 +r h1x + h0 ∈ Fq[x], where h2, h1 and h0 are given in (16). Then f(x) = h2x 3 + − q 1 +r r h1x 3 + h0x is an involution over Fq if and only if (15) holds.

2k Let q = 2 for a positive integer k and α be a primitive element of Fq. Let q−1 ω = α 3 be the cubic root of unity in Fq. Set r = 1. From (15) we get that q − 1 n =0 and n + n ≡ 0 mod . 0 1 2 3

3n1+1 q−4 Let β = α for n1 ∈ {0, 1,... 3 }. Substituting these into (16) we get 2 −1 2 −1 −1 h2 =1+ ωβ + ω β , h1 =1+ ω β + ωβ , h0 =1+ β + β .

From Proposition 3.4 we have

2q+1 q+2 Corollary 3.5 With notation introduced above, f(x)= h2x 3 + h1x 3 + h0x is an F involution on 22k .

− 8 q 1 85 Example 3.6 Let q = 2 , α be a primitive element of Fq and ω = α 3 = α be the F 3ℓ+1 q−4 cubic root of unity in q. Set β = α , where ℓ ∈ {0, 1,... 3 } and 2 −1 2 −1 −1 h2 =1+ ωβ + ω β , h1 =1+ ω β + ωβ , h0 =1+ β + β . 2q+1 q+2 F Magma veriﬁes that fℓ(x) = h2x 3 + h1x 3 + h0x is an involution on 28 for q−4 any ℓ ∈ {0, 1,... 3 }. This experimental result coincides with that of Corollary 3.5.

− q 1 q−4 2k F 3 Let q = 2 and α be a primitive element of q. Let ω = α and r = 3 . It q−4 is easy to verify that integers n0,n1,n2 with 0 ≤ ni ≤ 3 and n1 = n2 satisfy (15). Substituting these into (16) we get

3n0 3n0 3(n1+1) h2 = α , h1 = h0 = α + α ,

q−4 where n0,n1 ∈ {0, 1,... 3 }. From Proposition 3.4 we obtain − − q−2 2q 5 q 4 Corollary 3.7 With notation introduced above, f(x)= h2x + h0(x 3 + x 3 ) is F an involution on 22k .

8 Example 3.8 Let q = 2 and α be a primitive element of Fq. Set

− − 3u 3u 3(v+1) q−2 2q 5 q 4 h2 = α , h0 = α + α and fu,v(x)= h2x + h0(x 3 + x 3 ), q−4 F where u, v ∈ {0, 1,... 3 }. Magma veriﬁes that fu,v(x) is an involution over q for q−4 any u, v ∈ {0, 1,... 3 }. This experimental result coincides with that of Corollary 3.7.

9 4 Involutions from monomial mappings over the sub- F∗ group of q

In this section, we will construct more explicit involutions over Fq from some special F F∗ g(x) ∈ q[x], which as a mapping over the subgroup of q is the same as a monomial mapping on it.

Theorem 4.1 Let q be a power of a prime and r be an integer with r ≡−1 mod q−1. F Let h(x) ∈ q2 [x] satisfy that for any β ∈ µq+1,

r2−1 − r β q 1 h(β )= h(β) ∈ Fq. (17)

r q−1 F If h(β) 6= 0 for any β ∈ µq+1, then f(x)= x h(x ) is an involution over q2 .

Proof. It is clear that r2 ≡ 1 mod q − 1. By Theorem 2.2, we only need to show r q−1 r that ϕ(β) = 1 for any β ∈ µq+1. Note that g(β)= β h(β) = β and q − 1 | (r + 1). From (17) we have

r2−1 ϕ(β)= β q−1 h (g(β)) h(β)r

r2−1 = β q−1 h(βr)h(β)r+1h(β)−1

r2−1 = β q−1 h(βr)h(β)−1 = 1.

This completes the proof.

Remark 4.2 With notation introduced in Theorem 4.1, moreover we assume that 2(r2−1) i q qi F q−1 ≡ 0 mod q + 1. The polynomial h(x) = i∈Ω(hix + hi x ) ∈ q2 [x] satisﬁes the condition (17), where P r + 1 Ω= 0 ≤ i ≤ q | + i (r − 1) ≡ 0 mod q + 1 . q − 1 Corollary 4.3 Let q be a power of an odd prime, r = q2 −q−1 and h(x)= bxi+bqxqi, where 1 ≤ i ≤ q. Then

2 2 2 f(x)= xrh(xs)= xq −q−1h(xq−1)= bxq +(i−1)q−1−i + bqx(1+i)q −(1+i)q−1 F is an involution on q2 if one of the following condition hold: F∗ • q ≡ 1 mod 4 and b is an square element in q2 ; F∗ • q ≡ 3 mod 4 and b is a non-square element in q2 .

10 r s Lemma 2.1 shows that x h(x ) permutes Fq if and only if gcd(r, s) = 1 and r s F∗ q−1 x h(x) permutes the subgroup µd of q, where d = s . So, it is interesting to ﬁnd the collections of polynomials which permute µd for certain values of d. Zieve [31, 32] r s proposed a method to construct permutations of the form x h(x) over µd. Thus, r s several classes of permutations of the form x h(x ) over Fq were obtained. Following this technique proposed by Zieve in [31, 32] we obtain many classes of involutions of r s the form x h(x ) over Fq by careful choices of h(x). Theorem 4.4 Let q be a prime power. Let m and d be integers with d | gcd(q−1,m). qm−1 r2−1 Let s = d and r be an integer with r ≡ −1 mod s, and e ≡ s (mod d) with i F e ≤ d − 1. Let h(x)= 0≤i≤d−1 hix ∈ q[x] be a polynomial with

P he−i = hi, 0 ≤ i ≤ e; (18) ( hd+e−i = hi, e + 1 ≤ i ≤ d − 1. r s If h(x) has no root in µd, then f(x)= x h(x ) is an involution over Fqm . Proof. It is clear that r2 ≡ 1 mod s. To show that f(x) is an involution over Fqm , by Theorem 2.2 we only need to verify that ϕ(β) = 1 for any β ∈ µd. Since q ≡ 1 mod d we have

d−1 qd − 1 = qj ≡ 0 mod d. q − 1 Xj=0 qd−1 qm−1 So, (q − 1) | d , and (q − 1) | d , i.e., (q − 1) | s since d | m. In short, d | (q − 1), F∗ F (q − 1) | s and s | (r + 1). Hence, for β ∈ µd we have β ∈ q and h(β) ∈ q. Since s r s r −1 h(β) 6= 0, we have h(β) = 1 and g(β)= β h(β) = β = β . For β ∈ µd, from (18) we have d−1 d−1 2− 2− r 1 −1 r 1 −i e−i β s h(β )= β s hiβ = hiβ Xi=0 Xi=0 e d−1 e−i e−i = hiβ + hiβ Xi=0 i=Xe+1 = h(β). This equality implies that

r2−1 ϕ(β)= β q−1 h (g(β)) h(β)r

r2−1 = β q−1 h(β−1)h(β)r+1h(β)−1

r2−1 = β q−1 h(β−1)h(β)−1 = 1.

11 Corollary 4.5 Let q = 2k for some positive integer k and m = d = q − 1. Then qm−1 si F s = d and µd = {α , | 0 ≤ i ≤ d − 1}, where α is a primitive element of qm . q−2 q−3 If a, b ∈ Fq such that h(β) 6= 0 for h(x) = ax + bx + b and any β ∈ µd, then s−1 s f(x)= x h(x ) is an involution over Fqm .

For q = 22, m = 3 and r = 20, Magma veriﬁes that f(x)= x20(αx42 + α2x21 + α2)= 62 2 41 2 20 F αx + α x + α x is an involution over 26 . This experimental result coincides with Corollary 4.5.

Corollary 4.6 Let q = 32k for some positive integer k, and m = 4, d = 4. Then 38k−1 si F s = 4 and µ4 = {α , | 0 ≤ i ≤ 3}, where α is a primitive element of 38k . If F 3 2 a, b, c ∈ 32k such that h(β) 6= 0 for β ∈ µ4, where h(x) = ax + bx + ax + c, then 8k − 38k−2 3 1 F f(x)= x h(x 4 ) is an involution over 38k .

For k = 1, Magma veriﬁes that f(x) = x6559(αx4920 + α3x3280 + αx + α5) is an F involution over 38 . This experimental result coincides with Corollary 4.6.

Theorem 4.7 Let q be a prime power. Let r, d be integers with r ≡ −1 mod q − 1 F and d ≡ r − 1 mod q + 1. Let h(x) ∈ q2 [x] be a polynomial of degree d such that F∗ h(0) 6= 0, and for any x ∈ q2 ,

q xdh(x−1) = h(xq). (19) r q−1 F Then f(x)= x h(x ) is an involution on q2 if and only if h(x) has no root in µq+1. F Proof. If f(x) is an involution on q2 , then h(x) has no root in µq+1, otherwise ϕ(z) has a root in µq+1. This is a contradiction by Theorem 2.2. Conversely, it is veriﬁed that r2 ≡ 1 mod q − 1 since r ≡ −1 mod q − 1. If h(x) has no root in µq+1, then from (19) we have that

h(β)q h(β−q)q h(β)q−1 = = = β−d h(β) h((βq)q)

r q−1 r−d for any β ∈ µq+1. So, for β ∈ µq+1, g(β) = β h(β) = β = β since d ≡ r+1 r − 1 mod q + 1. Set e = q−1 . For any β ∈ µq+1,

r2−1 ϕ(β)= β q−1 h(g(β))h(β)r = βe(r−1)h(β)r+1 = βe(r−1)h(β)e(q−1) = βe(r−d−1) = 1. F Thus, f is an involution on q2 by Theorem 2.2. F q Remark 4.8 Let ai ∈ q2 satisfy a0 6= 0 and ad−i = ai for 0 ≤ i ≤ d/2. It is veriﬁed d i that the polynomials h(x)= i=0 aix satisfy (19). P 12 F∗ Corollary 4.9 Let q be a power of a prime and a ∈ q2 . The polynomial

2 f(x)= axq −3q+1 + aqxq−2 = xq−2(ax(q−3)(q−1) + aq) F is an involution on q2 if and only if one of the following holds:

q2−1 • q ≡ 1 mod 4 and a 2 6= −1;

q2−1 • q ≡ 3 mod 8 and a 4 6= −1;

q2−1 • q ≡ 7 mod 8 and a 4 6= 1.

Proof. It is clear that f(x)= xq−2h(xq−1), where h(x)= axq−3 +aq, i.e., r = q−2 and d = q − 3. It is easy to check that h(x) satisﬁes (19). By Theorem 4.7, f is an F involution on q2 if and only if h(x) has no root in µq+1. However, one can verify q−1 q−3 that h(x) has roots in µq+1 if and only if −a is in (µq+1) . So, h(x) has no root in µq+1 if and only if q+1 (−aq−1) gcd(q+1,q−3) 6= 1. (20) We discuss this inequality in the following cases.

q+1 2 (1) If q is even, then gcd(q + 1,q − 3) = 1. We have (−aq−1) gcd(q+1,q−3) = aq −1 = 1. F So, there is no a ∈ q2 satisfying (20).

q+1 q2−1 q−1 − (2) If q ≡ 1 mod 4, then gcd(q + 1,q − 3) = 2. So, (−a ) gcd(q+1,q 3) = −a 2 . q2−1 When a 2 6= −1, then (20) holds.

q+1 q2−1 q−1 − (3) If q ≡ 3 mod 8, then gcd(q + 1,q − 3) = 4. Thus, (−a ) gcd(q+1,q 3) = −a 4 . q2−1 When a 4 6= −1, then (20) holds.

q+1 q2−1 q−1 − (4) If q ≡ 7 mod 8, then gcd(q + 1,q − 3) = 4. Hence, (−a ) gcd(q+1,q 3) = a 4 . q2−1 When a 4 6= 1, then (20) holds.

Theorem 4.10 Let q be a power of a prime p and d be an integer with q ≡−1 mod d. Let m and s be integers satisfying q2m − 1 = sd. The polynomial f(x)= x(1 + xs + (k−1)s F . . . + x ) is an involution on q2m if the following conditions hold:

m(q2 − 1) (k − 1) gcd k + 1, − 1 ≡ 0 mod d, 2d (21)   k2 ≡ 1 mod p.

 13 q2−1 m−1 2i Proof. From our assumption we have s = d i=0 q . So, (q − 1) | s. Set 2 k−1 s h(x)=1+ x + x + . . . + x , and so f(x)= xh(x).P Since d| q + 1, for any β ∈ µd, βq = β−1 and

q − − − q − − − h(β) − k 1 − k 3 k 1 k 1 − k 3 − k 1 = β 2 + β 2 + . . . + β 2 = β 2 +. . .+β 2 +β 2 . (22) β(k−1)/2 1 If k is even, then d is odd from the ﬁrst congruent equality in (21). In this case, 2 is h(β) viewed as the inverse of 2 modulo d. The equality (22) shows that − ∈ F . So, β(k 1)/2 q we have − − q−1 (k 1)(q 1) q2 h(β) = β 2 and h(β) = h(β). These further imply that

2− − 2 − − 2− s q 1 Pm 1 q2i (q 1)m m(k 1)(q 1) +1 g(β)= βh(β) = βh(β) d ( i=1 ) = βh(β) d = β 2d . F To show that f(x) is an involution on q2m , by Theorem 2.2 it is suﬃcient to verify that for any β ∈ µd, ϕ(β) = h(g(β))h(β) = 1. By the ﬁrst congruence of (21) 2 m(q2−1) we know that d | (k − 1) and d | (k − 1) 2d − 1 . For 1 6= β ∈ µd, − 2− m(k 1)(q 1) +1 ϕ(β)= h(g(β))h(β) = h β 2d h(β) − 2− m(k 1)(q 1)+2d k k β 2d − 1 β − 1 = · m(k−1)(q2−1)+2d β − 1 β 2d − 1 2 βk − 1 βk − 1 = · βk − 1 β − 1 = 1.

(q−1) s F∗ s q−1 For β = 1, from (22) we know that k = h(1) ∈ q. So, g(1) = h(1) = k ≡ 1 mod p. By the second congruence of (21), we have ϕ(1) = h(g(1))h(1) ≡ k2 ≡ 1 mod p.

Example 4.11 Let q = 32, d = 5,m = 4 and k = 4. Then s = (qm − 1)/d = 1312. It is easy to verify that these parameters satisfy (21). By Theorem 4.10 we know that 1313 2625 3937 F f(x) = x + x + x + x is an involution on 38 . This is also veriﬁed by Magma.

5 Involutions from known ones over the subﬁelds

r s r s Let f(x)= x h(x ) and g(x) = x h(x) be polynomials over Fq. It is necessary that F∗ g(x) must be an involution over the subgroup µd of q for f(x) being an involution

14 over Fq. Generally, the converse is not true. But it is still true under some additional conditions. In this section, we construct new involutions over finite fields from known ones on their subfields.

Theorem 5.1 Let q be a prime power and r, s be integers with r2 ≡ 1 mod s and q−1 F r s gcd(s, d) = 1 for d = s . Let h(x) ∈ q[x] satisfy h(µd) ⊂ µd. Then f(x)= x h(x ) r s is an involution on Fq if and only if g(x)= x h(x) is an involution on µd.

r s r s Proof. By Corollary 2.3, g(x)= x h(x) is an involution on µd if f(x)= x h(x ) is an involution on Fq. Conversely, by the Theorem 2.2, it is suﬃcient to show that ϕ(β) = 1 for any β ∈ µd. Since h(µd) ⊂ µd, we have that ϕ(β) ∈ µd for any β ∈ µd. If g(x) is an involution on µd, then for β ∈ µd,

2 (ϕ(β))s = βr −1h (g(β))s h(β)sr = β−1h (g(β))s (βrh(β)s)r = β−1h (g(β))s g(β)r = β−1g ◦ g(β) = 1.

Thus ϕ(β) = 1 for any β ∈ µd since gcd(s, d) = 1. If we choose a special s in Theorem 5.1 such that µd is exactly a multiplicative group of a ﬁnite ﬁeld, then the following corollary is obtained.

Corollary 5.2 Let q be a prime power and m, r be positive integers with gcd(q − m m q −1 2 q −1 F r q−1 1,m) = 1 and r ≡ 1 mod q−1 . Let h(x) ∈ q[x]. Then f(x) = x h(x ) is an r m involution on Fqm if and only if g(x)= x h(x) is an involution on Fq.

qm−1 m−1 i F Proof. Let s = q−1 . Since s = m + i=1 (q − 1) ≡ m mod q − 1 and h(x) ∈ q[x], qm−1 we have that gcd(q − 1,s) = gcd(q − 1P,m)=1 and g(x)= xrh(x) q−1 = xrh(x)m for qm−1 r − any x ∈ Fq. By Theorem 5.1, f(x)= x h(x q 1 ) is an involution on Fqm if and only r m if g(x)= x h(x) is an involution on Fq. Corollary 5.2 allows us to construct new involutions over finite fields from the known ones on their subfields.

Example 5.3 Let q = 22k for a positive integer k. From Corollary 3.5 we know that 2q+1 q+2 h2x 3 + h1x 3 + h0x is an involution over Fq, where h2, h1, h0 are introduced in Corollary 3.5. Assume that h(x) ∈ Fq[x] satisﬁes

2 2q+1 q+2 xh(x) = h2x 3 + h1x 3 + h0x.

1 q2+2 1 q2+5 1 q+1 2 2 2 By Corollary 5.2 we have that f(x) = xh(x ) = h2 x 3 + h1 x 6 + h0 x is an F involution over q2 .

15 2 1 q −3q k F∗ 3 3 Example 5.4 Let q = 3 for a positive integer k and a ∈ q2 . Let h(x)= a x + − q q 3 F q4+q2+1 2 a 3 x 3 ∈ q2 [x] and f(x) = xh(x ). It is clear that gcd(3,q − 1) = 1. By F 3 q2−3q+1 Corollary 5.2, f(x) is an involution on q6 if and only if g(x)= xh(x) = ax + q q−2 F a x is an involution on q2 . From Corollary 4.9 we have that the polynomial

6 5 4 3 2 5 4 3 2 1 q −3q +q −3q +q −3q+3 q q −3q +q −3q +q f(x)= a 3 x 3 + a 3 x 3 F is an involution on q6 if and only if one of the following hold:

q2−1 • k is even and a 2 6= −1;

q2−1 • k is odd and a 4 6= −1.

6 Concluding remark

In this paper, we have systematically studied involutory behavior of the polynomials r s over Fq of the form x h(x ) for some divisor s of q − 1. A necessary and suﬃcient condition for xrh(xs) being an involution has been obtained. From this criterion we have proposed a general method to construct involutions of the form xrh(xs) over F F∗ q from given involutions over the corresponding cyclic subgroup µd of q. Then, many classes of explicit involutions over Fq have been obtained from involutions over the small subgroup µd or monomial mappings over some general µd. The proposed method can be used to ﬁnd more desired involutions and the obtained involutions may have direct applications.

References

[1] Advanced Encryption Standard. http://en.wikipedia.org/wiki/RijndaelS -box. [2] A. Akbary, D. Ghioca, Q. Wang, On constructing permutations of ﬁnite ﬁelds, Finite Fields Appl., 17, 51-67, 2011. [3] A. Akbary, Q. Wang, On polynomials of the form xrf(x(q−1)/l), Hindawi Pub- lishing Corporation, International Journal of Mathematics and Mathematical Sciences, 2007, ID 23408, doi:10.1155/2007/23408, 2007. [4] S. Banik, A. Bogdanov, T. Isobe, K. Shibutani, H. Hiwatari, T. Akishita, F. Regazzoni, Midori: A block cipher for low energy. In: Iwata T., Cheon J. (eds) Advances in Cryptology-ASIACRYPT 2015, LNCS 9453, 411-436, 2015, Springer, Berlin, Heidelberg. [5] A. Biryukov, Analysis of involutional ciphers: Khazad and Anubis. In: T. Johansson (eds), Fast Software Encryption, FSE 2003, LNCS 2887, 45-53, 2003, Springer, Berlin, Heidelberg.

16 [6] J. Borghoﬀ, A. Canteaut, T. G¨uneysu, E.B. Kavun, M. Knezevic, L.R. Knud- sen, G. Leander, V. Nikov, C. Paar C, C. Rechberger, P. Rombouts, S. Thom- sen, T. Yal¸cin, PRINCE - A low-latency block cipher for pervasive comput- ing applications. In X. Wang and K. Sako (Eds.) Advances in Cryptology- ASIACRYPT 2012, LNCS 7658, 208-225, 2012, Springer, Berlin, Heidelberg.

[7] A. Canteaut, J. Roué, On the behaviors of affine equivalent s-boxes regarding differential and linear attacks. In: Oswald E., Fischlin M. (eds), Advances in Cryptology-EUROCRYPT 2015, LNCS 9056, 45-74, 2015, Springer, Berlin, Heidelberg.

[8] P. Charpin, S. Mesnager, S. Sarkar, Dickson polynomials that are involutions, Finite Fields and Applications-Fq 12, Saratoga, USA, July, 13-17, IACR Cryp- tology ePrint Archive 2015/434.

[9] P. Charpin, S. Mesnager, S. Sarkar, Involutions over the Galois Field F2n , IEEE Trans. Inf. Theory, 62(4), 2266-2276, 2016.

[10] R.S. Coulter, S. Mesnager, Bent functions from involutions over F2n , IEEE Trans. Inf. Theory, 64(4), 2979-2986, 2018.

[11] C. Ding, L. Qu, Q. Wang, J. Yuan, P. Yuan, Permutation trinomials over ﬁnite ﬁelds with even characteristic, SIAM J. Discrete Math., 29, 79-92, 2015.

[12] S. Fu, X. Feng, Involutory diﬀerentially 4-uniform permutations from known constructions, Des. Codes Cryptogr., https://doi.org/10.1007/s10623-018- 0482-5, 2018.

[13] R.G. Gallager, Low density parity-check codes, IEEE Trans. Inf. Theory, 8(1), 3-26, 1963.

[14] V. Grosso, G. Leurent, F.X. Standaert, K. Varici, F. Durvaux, L. Gas- par, S. Kerckhof: SCREAM & iSCREAM side-channel resistant au- thenticated encryption with masking. Submission to CAESAR, 2014. https://competitions.cr.yp.to/round1/screamv1.pdf.

[15] R. Gupta, R.K. Sharma, Some new classes of permutation trinomials over finite fields with even characteristic, Finite Fields Appl., 41, 89-96, 2016. F r(q−1)+1 [16] X. Hou, Permutation polynomials of q2 of the form aX + X . Con- temporary developments in finite fields and applications, 74-101, World Sci. Publ., Hackensack, NJ, 2016.

[17] G. Kyureghyan, M.E. Zieve, Permutation polynomials of the form X + γTr(Xk), Contemporary Developments in Finite Fields and Appl., doi:10.1142/9789814719261-0011, 2016.

17 [18] N. Li, T. Helleseth, Several classes of permutation trinomials from Niho ex- ponents, Cryptogr. Commun., 9(6), 693-705, 2017.

[19] K. Li, L. Qu, X. Chen, New classes of permutation bionmials and permutation trinomials over ﬁnite ﬁelds, Finite Fields Appl., 43, 69-85, 2017.

[20] K. Li, L. Qu, Q. Wang, New constructions of permutation poly- r q−1 F nomials of the form x h(x ) over q2 , Des. Codes Cryptogr., https://doi.org/10.1007/s10623-017-0452-3, 2017.

[21] J. Ma, G. Ge, A note on permutation polynomials over ﬁnite ﬁelds, Finite Fields Appl., 48, 261-270, 2017.

[22] Y.H. Park, J.B. Lee, Permutation polynomials and group permutation polynomials, Bull. Aust. Math Soc., 63, 67-74, 2001.

[23] I. Rubio, N. Pacheco-Tallaj, C. Corrada-Bravo, FN. Castro, Explicit formu- las for monomial involutions over ﬁnite ﬁelds, Advances in Mathematics of Communications, 11(2), 301-306, 2017.

[24] Z. Tu, X. Zeng, L. Hu, Several classes of complete permutation polynomials, Finite Fields Appl., 25, 182-193, 2014.

[25] D. Q. Wan, R. Lidl, Permutation polynomials of the form xrf(x(d−1)/d) and their group structure, Monatshefte f¨ur Mathematik, 112(2), 149-163, 1991.

[26] Q. Wang, Cyclotomic mapping permutation polynomials over ﬁnite ﬁelds, Pro- ceedings of the 2007 international conference on Sequences, subsequences, and consequences (SSC 2007), Pages 119-128, Los Angeles, CA, USA, 2007.

[27] Q. Wang, Cyclotomy and permutation polynomials of large indices, Finite Fields Appl., 22, 57-69, 2013.

[28] Q. Wang, A note on inverses of cyclotomic mapping permutation polynomials over ﬁnite ﬁelds. Finite Fields Appl., 45, 422-427, 2017.

[29] Z. Zha, L. Hu, S. Fan, Further results on permutation trinomials over ﬁnite ﬁelds with even characteristic, Finite Fields Appl., 45, 43-52, 2017.

[30] Y. Zheng, P. Yuan, D. Pei, Piecewise constructions of inverses of some permutation polynomials. Finite Fields Appl. 36, 151-169, 2015.

[31] M.E. Zieve, On some permutation polynomials over Fq of the form xrh(x(q−1)/d), Proc. Am. Math Soc., 137, 209-216, 2009.

[32] M.E. Zieve, Permutation polynomials on Fq induced from R´edei function bi- F∗ jections on subgroups of q, arXiv:1310.0776v2, 2013.