All content in this area was uploaded by Namhun Koo on Feb 25, 2022
On cryptographic parameters of permutation polynomials of the form $x^r h(x^{(2^n-1)/d})$
Jaeseong Jeong$^1$, Chang Heon Kim$^1$, Namhun Koo$^2$, Soonhak Kwon$^1$, and Sumin Lee$^1$
Email: wotjd012321@naver.com, {chhkim,shkwon,dltnals816}@skku.edu, nhkoo@ewha.ac.kr
$^1$Department of Mathematics, Sungkyunkwan University, Suwon, Korea
$^2$Institute of Mathematical Sciences, Ewha Womans University, Seoul, Korea
Abstract
The differential uniformity, the boomerang uniformity, the extended Walsh spectrum, etc. are important parameters to evaluate the security of an S (substitution)-box. In this paper, we introduce efficient formulas to compute these cryptographic parameters of permutation polynomials of the form $x^r h(x^{(2^n-1)/d})$ over a finite field of $q = 2^n$ elements, where $r$ is a positive integer and $d$ is a positive divisor of $2^n-1$. The computational cost of those formulas is proportional to $d$. We investigate differentially 4-uniform permutation polynomials of the form $x^r h(x^{(2^n-1)/3})$ and compute the boomerang spectrum and the extended Walsh spectrum of them using the suggested formulas when $6 \le n \le 12$ is even, where $d = 3$ is the smallest nontrivial $d$ for even $n$. We also investigate the differential uniformity of some permutation polynomials introduced in some recent papers for the case $d = 2^{n/2}+1$.
Keywords. Permutation Polynomials, Differential Uniformity, Boomerang Uniformity,
Extended Walsh Spectrum, Differentially 4-Uniform Permutation Polynomials
Mathematics Subject Classification(2020) 94A60, 06E30
1 Introduction
Throughout this paper, $\mathbb{F}_{2^n}$ is the finite field of $2^n$ elements and $\mathbb{F}_{2^n}^*$ is the subset of nonzero elements of $\mathbb{F}_{2^n}$. For a function $F : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$, we denote by $\delta_F(a, b)$, with $a \in \mathbb{F}_{2^n}^*$ and $b \in \mathbb{F}_{2^n}$, the number of solutions of the equation $F(x) + F(x+a) = b$, and
\[ \delta_F = \max_{a \in \mathbb{F}_{2^n}^*,\, b \in \mathbb{F}_{2^n}} \delta_F(a, b). \tag{1} \]
In this case, $F$ is said to be differentially $\delta_F$-uniform. Constructing an S-box with good cryptographic properties for a symmetric cipher is essential to the security of symmetric cryptography, and Nyberg [20] suggested choosing an S-box with low differential uniformity to avoid differential cryptanalysis. We call $F$ almost perfect nonlinear (APN) if $F$ is differentially 2-uniform, which is the optimal case for $\delta_F$. Though an S-box does not need to be invertible, an invertible S-box has many advantages in symmetric cryptography. Several APN permutations are known when $n$ is odd, and the inverse function $F(x) = x^{2^n-2} \in \mathbb{F}_{2^n}[x]$ is always APN for odd $n$. However, the situation for even $n$ is quite different. It is known that there is no APN permutation if $n = 2, 4$, and a single example of an APN permutation [5] is known for $n = 6$. However, at this moment, the existence of APN permutations for even $n \ge 8$ is still unsettled, and it is referred to as the Big APN Problem.
Another important tool for cryptanalysis is the boomerang attack introduced by Wagner [22]. Recently, Cid et al. [8] introduced the boomerang connectivity table, which contains the number of solutions of
\[ F^{-1}(F(x) + a) + F^{-1}(F(x+b) + a) = b \qquad (a, b \in \mathbb{F}_{2^n}) \]
for a permutation $F : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$, which is denoted by $\beta_F(a, b)$ in this paper. The boomerang uniformity of $F$, $\beta_F$, is defined as the maximum of $\beta_F(a, b)$ over all $a, b \in \mathbb{F}_{2^n}^*$, where the cases $a = 0$ or $b = 0$ are excluded because $\beta_F(a, 0) = \beta_F(0, b) = q$ for all $a, b \in \mathbb{F}_{2^n}$. The boomerang uniformity of an S-box is related to the success probability of the boomerang attack, hence an S-box is suggested to have low boomerang uniformity. In [8], it is shown that $\beta_F \ge \delta_F$, and $\beta_F = 2$ if and only if $\delta_F = 2$ (i.e., $F$ is APN). In constructing an S-box, the cases $n = 4$ and $n = 8$ are most preferred for implementations. However, when $n = 4$, there is no APN permutation and it is also proved [3] that there is no permutation with $\beta_F = 4$. When $n = 8$, we do not know the existence of a permutation $F$ with $\delta_F = 2$ or $\beta_F = 4$, and the authors of [8] say that construction of a permutation polynomial $F$ with $\beta_F = 4$ would be quite difficult. The result in [8] also says that a permutation of boomerang uniformity 4 needs to be differentially 4-uniform, i.e., $\beta_F = 4$ implies $\delta_F = 4$. There are several results [3, 16, 19] about the boomerang uniformity of the known differentially 4-uniform permutations. In [3, 16, 19], some permutations having boomerang uniformity 4 are found when $n \equiv 2 \pmod 4$. However, when $n \equiv 0 \pmod 4$, the lowest boomerang uniformity in the list is 6. Hence constructing a permutation polynomial of boomerang uniformity 4 when $4 \mid n$ is still an open problem.
To construct a permutation with low boomerang uniformity, we investigate boomerang uniformity of the known permutation polynomials. In particular, we consider permutation polynomials of the form $x^r h(x^{(2^n-1)/d})$. Permutation polynomials of this form were first characterized by Wan and Lidl [23], and have since been widely studied [2, 10, 11, 12, 13, 14, 15, 16, 17, 18, 21, 25, 27]. In this paper, we introduce efficient formulas to compute differential uniformity and boomerang uniformity of permutation polynomials of this form. These formulas are more efficient when $d$ is small. Since $3 \mid (2^n-1)$ for even $n$, we investigate permutation polynomials of the form $x^r h(x^{(2^n-1)/3})$ for even $n \le 10$. We also consider other important cryptographic parameters like the extended Walsh spectrum, the nonlinearity, the differential spectrum, and the boomerang spectrum for these permutation polynomials.
The rest of this paper is organized as follows. In section 2, we recall some known results about permutation polynomials of the form $x^r h(x^{(2^n-1)/d})$ and cryptographic properties including the boomerang uniformity and the extended Walsh spectrum. In section 3, we give efficient formulas for computing cryptographic parameters introduced in section 2 of permutation polynomials of the form $x^r h(x^{(2^n-1)/d})$. In section 4, we investigate cryptographic parameters of differentially 4-uniform permutations of the form $x^r h(x^{(2^n-1)/3})$ using our formulas obtained in section 3, and we also investigate the differential uniformity of permutations of the form $x^r h(x^{2^{n/2}-1})$ in some recent papers for even $n \le 10$. Finally we give a concluding remark in section 5.
2 Preliminaries
2.1 Permutation polynomials of the form $x^r h(x^{(2^n-1)/d})$
In this subsection, we focus on permutation polynomials of the form $x^r h(x^{(2^n-1)/d})$ introduced by Wan and Lidl [23]. We first introduce the following notations which are also used in [23].
Definition 1. (Definition 1.1 of [23]) Let $d \mid (2^n-1)$ and $g$ be a fixed primitive root of $\mathbb{F}_{2^n}$. Let $\omega_d = g^{(2^n-1)/d}$ be a primitive $d$-th root of unity in $\mathbb{F}_{2^n}$. A map $\psi : \mathbb{F}_{2^n}^* \mapsto (\mathbb{Z}/d\mathbb{Z})^+$ is defined by
\[ \psi(a) \equiv \mathrm{Ind}_g(a) \pmod d \]
where $\mathrm{Ind}_g(a)$ is the residue class $b \bmod (2^n-1)$ such that $a = g^b$.
Note that the following equation holds.
\[ a^{(2^n-1)/d} = \omega_d^{\psi(a)} \]
With these notations, the following main theorem of [23] gives a characterization of permutation polynomials of the form $x^r h(x^{(2^n-1)/d})$.
Theorem 1. (Theorem 1.2 of [23]) Let $r$ be a positive integer, $d$ be a positive divisor of $2^n-1$. Let $h(x) \in \mathbb{F}_{2^n}[x]$. Then the polynomial $F(x) = x^r h(x^{(2^n-1)/d})$ is a permutation polynomial of $\mathbb{F}_{2^n}$ if and only if the following conditions are satisfied:
(i) $\gcd(r, (2^n-1)/d) = 1$.
(ii) $h(\omega^i) \ne 0$ for all $0 \le i < d$.
(iii) $\psi\left(\dfrac{h(\omega^i)}{h(\omega^j)}\right) \not\equiv r(j-i) \pmod d$ for all $0 \le i < j < d$.
Park and Lee [21] introduced a simpler characterization of these permutation polynomials. This result is also found in [1, 24, 27].
Theorem 2. (Lemma 2.1 of [27]) Let $r$ be a positive integer, $d$ be a positive divisor of $2^n-1$ and $\mu_d = \{\alpha \in \mathbb{F}_{2^n}^* : \alpha^d = 1\}$. Let $h(x) \in \mathbb{F}_{2^n}[x]$. Then the polynomial $F(x) = x^r h(x^{(2^n-1)/d})$ is a permutation polynomial of $\mathbb{F}_{2^n}$ if and only if the following conditions are satisfied:
(i) $\gcd(r, (2^n-1)/d) = 1$.
(ii) $x^r h(x)^{(2^n-1)/d}$ permutes $\mu_d$.
There are many results on the permutation polynomials of this form, and several recent studies [2, 10, 11, 12, 13, 14, 15, 16, 17, 18] focus on the case $d = 2^{n/2}+1$.
For any permutation polynomial, one can express the polynomial in the form $x^r h(x^{(2^n-1)/d})$ for some $r$ and $d$ (see also Section 1 of [25]). This can be explained as follows. Let $F(x) = \sum g^{c_i} x^{d_i}$ where $c_i \ge 0$ and the $d_i$'s are distinct. Note that if $F$ has a constant term then $d_i = 0$ for some $i$. Letting
\[ d'_F = \gcd_{i \ne j}\,(2^n-1,\ d_i - d_j) \]
and $d_F = (2^n-1)/d'_F$, we can write $F(x) = x^r h(x^{(2^n-1)/d_F})$ where $r = d_i$ for some $i$. When $F$ is a monomial, we get $d'_F = 2^n-1$ and $d_F = 1$ which is the most efficient case.
2.2 Equivalent relations of Boolean functions
The following definition contains some equivalence relations among the vectorial Boolean functions on finite fields.
Definition 2. Let $F$ and $G$ be functions defined on $\mathbb{F}_{2^n}$.
(i) $F$ and $G$ are linear equivalent if $F = L_1 \circ G \circ L_2$ for some linear permutations $L_1$ and $L_2$.
(ii) $F$ and $G$ are affine equivalent if $F = A_1 \circ G \circ A_2$ for some affine permutations $A_1$ and $A_2$.
(iii) $F$ and $G$ are extended affine (EA) equivalent if $F = A_1 \circ G \circ A_2 + A_3$ for some affine permutations $A_1$ and $A_2$ and an affine function $A_3$.
The following equivalence, called CCZ-equivalence, was introduced in [6].
Definition 3. Let $F$ and $F'$ be functions defined on $\mathbb{F}_{2^n}$. Denote $G_F = \{(x, F(x)) : x \in \mathbb{F}_{2^n}\}$ and $G_{F'} = \{(x, F'(x)) : x \in \mathbb{F}_{2^n}\}$. Then $F$ and $F'$ are said to be CCZ-equivalent if there is an affine permutation $L : G_F \mapsto G_{F'}$.
The relations among the above-mentioned equivalences are as follows: Linear equivalence → Affine equivalence → EA equivalence → CCZ-equivalence.
2.3 Boomerang uniformity
As mentioned in section 1, the boomerang uniformity of a permutation $F$ is defined as follows.
Definition 4. Let $F$ be a permutation on $\mathbb{F}_{2^n}$. We denote by $\beta_F(a, b)$ $(a, b \in \mathbb{F}_{2^n})$ the number of solutions of the following equation
\[ F^{-1}(F(x) + a) + F^{-1}(F(x+b) + a) = b. \tag{2} \]
The boomerang uniformity of $F$ is defined by
\[ \beta_F = \max_{a, b \in \mathbb{F}_{2^n}^*} \beta_F(a, b). \tag{3} \]
The boomerang uniformity is preserved under affine equivalence but is not preserved under EA equivalence [3]. Furthermore $F$ and $F^{-1}$ have the same boomerang uniformity [3], where $F^{-1}$ is the inverse permutation of $F$.
The authors of [16] consider the following system of equations.
Definition 5. Let $F$ be a permutation on $\mathbb{F}_{2^n}$ and $a, b \in \mathbb{F}_{2^n}$. We denote by $\beta'_F(a, b)$ the number of solutions $(x, y)$ of the following system
\[ \begin{cases} F(x+a) + F(y+a) = b \\ F(x) + F(y) = b \end{cases} \tag{4} \]
We also denote $\beta'_F$ by
\[ \beta'_F = \max_{a, b \in \mathbb{F}_{2^n}^*} \beta'_F(a, b). \tag{5} \]
Then one has the following result on the boomerang uniformity [16].
Theorem 3. (Theorem 2.3 of [16]) The notations are the same as those in Definitions 4 and 5. Then $\beta'_F = \beta_F$.
The key idea of Theorem 3 is
\[ \beta'_F(a, b) = \beta_{F^{-1}}(a, b). \tag{6} \]
Theorem 3 is useful when computing the boomerang uniformity of $F$ because $F^{-1}$ is not used in (4). However, since $\beta'_F(a, b) = \beta_{F^{-1}}(a, b) \ne \beta_F(a, b)$ in general, the values $\beta'_F(a, b)$ do not generate the boomerang connectivity table [8] of $F$, the table of $\beta_F(a, b)$ for all $a, b \in \mathbb{F}_{2^n}$.
2.4 Other notions of Boolean functions
In this subsection, we introduce some invariants of vectorial Boolean functions.
Definition 6 (Walsh Transform). Let $a, b \in \mathbb{F}_{2^n}$ and $F$ be a function on $\mathbb{F}_{2^n}$. Then
\[ \lambda_F(a, b) = \sum_{x \in \mathbb{F}_{2^n}} (-1)^{Tr(ax + bF(x))} \]
is called the Walsh transform of $F$, where $Tr(x) = \sum_{i=0}^{n-1} x^{2^i}$ for all $x \in \mathbb{F}_{2^n}$.
Definition 7 ((Extended) Walsh Spectrum). Let $F$ be a function defined on $\mathbb{F}_{2^n}$.
(i) The multiset $\Lambda_F = \{\lambda_F(a, b) : a \in \mathbb{F}_{2^n},\ b \in \mathbb{F}_{2^n}^*\}$ is called the Walsh spectrum of $F$.
(ii) The multiset $\Lambda'_F = \{|\lambda_F(a, b)| : a \in \mathbb{F}_{2^n},\ b \in \mathbb{F}_{2^n}^*\}$ is called the extended Walsh spectrum of $F$.
The nonlinearity can be defined using the notion of the Walsh transform.
Definition 8 (Nonlinearity). Let $F$ be a function on $\mathbb{F}_{2^n}$ and
\[ \lambda_F = \max_{a \in \mathbb{F}_{2^n},\, b \in \mathbb{F}_{2^n}^*} |\lambda_F(a, b)| \tag{7} \]
be the maximum value in $\Lambda'_F$. Then the nonlinearity of $F$ is defined by
\[ NL(F) = 2^{n-1} - \frac{1}{2}\lambda_F. \tag{8} \]
Next we introduce another cryptographic parameter of Boolean functions related to the differential uniformity.
Definition 9 (Differential Spectrum). Let $F$ be a function defined on $\mathbb{F}_{2^n}$. The multiset
\[ D_F = \{\delta_F(a, b) : a \in \mathbb{F}_{2^n}^*,\ b \in \mathbb{F}_{2^n}\} \]
is called the differential spectrum of $F$.
It is known that if two functions $F$ and $F'$ are CCZ-equivalent then $F$ and $F'$ have the same extended Walsh spectrum, nonlinearity, and differential spectrum.
3 Efficient formulas for computing cryptographic parameters of $F(x) = x^r h(x^{(2^n-1)/d})$
Throughout this section, we fix $F(x) = x^r h(x^{(2^n-1)/d}) \in \mathbb{F}_{2^n}[x]$ for some $h(x) \in \mathbb{F}_{2^n}[x]$ where $r$ is an integer and $d$ is a divisor of $2^n-1$. We will present efficient formulas for computing the differential uniformity, the differential spectrum, the boomerang uniformity, the Walsh transform, the extended Walsh spectrum, and the nonlinearity of $F(x)$. The introduced formulas are efficient for small $d$.
3.1 The differential uniformity
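In this subsection, an efficient formula for $\delta_F$ of $F(x) = x^r h(x^{(2^n-1)/d})$ is proposed. First we introduce the following result in [7].
Theorem 4. (Theorem 6 of [7]) Let $\mu_d = \{\alpha \in \mathbb{F}_{2^n}^* : \alpha^d = 1\}$ be the cyclic subgroup of order $d$ in $\mathbb{F}_{2^n}^*$. If $\gcd(d, (2^n-1)/d) = 1$ then the differential uniformity of $F$ can be computed by
\[ \delta_F = \max_{a \in \mu_d,\, b \in \mathbb{F}_{2^n}} \delta_F(a, b). \tag{9} \]
We would like to extend the above result to the case $\gcd(d, (2^n-1)/d) > 1$. First we prove the following lemma which is used in the proof of Theorem 5 and Theorem 8.
Lemma 1. If $\psi\left(\frac{a'}{a}\right) = 0$, equivalently $\left(\frac{a'}{a}\right)^{(2^n-1)/d} = 1$, where $a, a' \in \mathbb{F}_{2^n}^*$, then
\[ F\left(\frac{a'}{a}x\right) = \left(\frac{a'}{a}\right)^r F(x) \]
for all $x \in \mathbb{F}_{2^n}$.
Proof. Since $\psi\left(\frac{a'}{a}\right) = 0$, we get $\psi\left(\frac{a'}{a}x\right) = \psi\left(\frac{a'}{a}\right) + \psi(x) = \psi(x)$. Since $F(x) = x^r h(\omega^{\psi(x)})$, we get
\[ F\left(\frac{a'}{a}x\right) = \left(\frac{a'}{a}x\right)^r h\left(\omega^{\psi\left(\frac{a'}{a}x\right)}\right) = \left(\frac{a'}{a}\right)^r x^r h(\omega^{\psi(x)}) = \left(\frac{a'}{a}\right)^r F(x). \]
Theorem 5. Under the same condition as in Lemma 1 and for $b \in \mathbb{F}_{2^n}$,
\[ \delta_F(a, b) = \delta_F\left(a', \left(\frac{a'}{a}\right)^r b\right). \]
Proof. Suppose that $y$ is a solution of $F(x) + F(x+a) = b$. By Lemma 1,
\[ F\left(\frac{a'}{a}y\right) + F\left(\frac{a'}{a}y + a'\right) = F\left(\frac{a'}{a}y\right) + F\left(\frac{a'}{a}(y+a)\right) = \left(\frac{a'}{a}\right)^r \left(F(y) + F(y+a)\right) = \left(\frac{a'}{a}\right)^r b. \]
Thus $\frac{a'}{a}y$ is a solution of
\[ F(x) + F(x+a') = \left(\frac{a'}{a}\right)^r b. \tag{10} \]
This shows that there is a bijection between the set of solutions of $F(x) + F(x+a) = b$ and the set of solutions of (10). Therefore, $F(x) + F(x+a) = b$ and (10) have the same number of solutions, which completes the proof.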
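The above theorem shows that for fixed $a, a' \in \mathbb{F}_{2^n}^*$ with $\psi(a) = \psi(a')$ the following is satisfied
\[ \{\delta_F(a, b) : b \in \mathbb{F}_{2^n}\} = \left\{\delta_F\left(a', \left(\frac{a'}{a}\right)^r b\right) : b \in \mathbb{F}_{2^n}\right\} = \{\delta_F(a', b) : b \in \mathbb{F}_{2^n}\}. \]
The second equality comes from the fact that $b \mapsto \left(\frac{a'}{a}\right)^r b$ is bijective. Let $a_i$ be any representative element of the set
\[ \Psi_i = \{a \in \mathbb{F}_{2^n}^* : \psi(a) = i\} \]
for each $0 \le i < d$. Suppose that we have already computed $\delta_F(a_i, b)$ for all $b \in \mathbb{F}_{2^n}$ and $0 \le i < d$. Then for all $a' \in \Psi_i$ and $b \in \mathbb{F}_{2^n}$, we get
\[ \delta_F(a', b) = \delta_F\left(a_i, \left(\frac{a_i}{a'}\right)^r b\right) \tag{11} \]
from Theorem 5. Since $g^i \in \Psi_i$ for each $0 \le i < d$, where $g$ is a primitive root of $\mathbb{F}_{2^n}$,
\[ R_d = \{g^i : 0 \le i < d\} \]
can be an example of such a set consisting of representative elements of $\Psi_i$. Considering $R_d$ as the representative set, (11) is rewritten as
\[ \delta_F(a', b) = \delta_F\left(g^i, \left(\frac{g^i}{a'}\right)^r b\right), \tag{12} \]
and we also get the following corollary.
Corollary 1. The differential uniformity of $F$ can be computed by
\[ \delta_F = \max_{a \in R_d,\, b \in \mathbb{F}_{2^n}} \delta_F(a, b). \tag{13} \]
If we apply (1) for computing the differential uniformity, then we need to consider all $a \in \mathbb{F}_{2^n}^*$, while we only need to consider $a \in R_d$ using (13). Therefore our reduced search space is only $d/(2^n-1)$ of the original search space. In a similar way, we get another corollary which is useful for computing the differential spectrum of $F(x)$.
Corollary 2. For $c \in D_F$, let
\[ D_{F,c} = \{(a, b) \in \mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n} : \delta_F(a, b) = c\}, \]
\[ D_{F,c,d} = \{(a, b) \in R_d \times \mathbb{F}_{2^n} : \delta_F(a, b) = c\}. \]
Then we have
\[ \#D_{F,c,d} = \#D_{F,c} \cdot d/(2^n-1). \]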
Hence we can compute the differential spectrum of $F$ efficiently by computing the multiset
\[ \{\delta_F(a, b) : a \in R_d,\ b \in \mathbb{F}_{2^n}^*\} \]
first and then applying Corollary 2 to compute the multiplicity of each element in the above set.
Next we consider a special family of permutation polynomials of the form $x^r h(x^{(2^n-1)/d})$. For an integer $k$, we denote by $\nu_d(k)$ the integer such that $d^{\nu_d(k)} \mid k$ but $d^{\nu_d(k)+1} \nmid k$. Suppose that $d$ is a prime and $\gcd(d, (2^n-1)/d) = d$, and then $\nu_d(2^n-1) > 1$. Now we consider the polynomials
\[ G(x) = x^r (x^{(2^n-1)/d} + \xi), \tag{14} \]
where $\xi \in \mu_{d^{\nu_d(2^n-1)}} \setminus \mu_d$. First we prove that $G(x)$ is a permutation polynomial for some special cases.
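Theorem 6. Let $d = 3$ and $\gcd(3, (2^n-1)/3) = 3$, that is, $6 \mid n$. If $\gcd(r, (2^n-1)/3) = 1$ and $\xi$ is a primitive 9-th root of unity, then $G(x)$ is a permutation polynomial.
Proof. By Theorem 2, it remains to show that $G'(x) = x^r (x+\xi)^{(2^n-1)/3}$ permutes $\mu_3$. Since $\xi^6 + \xi^3 + 1 = 0$,
\[ (\xi^2+\xi)^7 = \xi^{14} + \xi^{13} + \xi^{12} + \xi^{11} + \xi^{10} + \xi^9 + \xi^8 + \xi^7 = \xi^{12} + \xi^9 + (\xi^6+\xi^3+1)(\xi^8+\xi^7) = \xi^3 + 1 = \xi^6 \]
and hence we get $(\xi^2+\xi)^{21} = 1$. Since $(2^n-1)/3$ is divisible by $(2^6-1)/3 = 21$ when $6 \mid n$, we get
\[ (\xi^2+\xi)^{(2^n-1)/3} = \xi^{(2^n-1)/3} (\xi+1)^{(2^n-1)/3} = 1. \tag{15} \]
For convenience, we denote $\omega_3 = \xi^3$. Observe that
\[ G'(1) = (\xi+1)^{(2^n-1)/3}, \]
\[ G'(\omega_3) = \omega_3^r (\omega_3+\xi)^{(2^n-1)/3} = \omega_3^r (\xi^3+\xi)^{(2^n-1)/3} = \omega_3^r\, \xi^{(2^n-1)/3} (\xi^2+1)^{(2^n-1)/3} = \omega_3^r\, \xi^{(2^n-1)/3} \left((\xi+1)^{(2^n-1)/3}\right)^2 \overset{(15)}{=} \omega_3^r (\xi+1)^{(2^n-1)/3}, \]
\[ G'(\omega_3^2) = \omega_3^{2r} (\omega_3^2+\xi)^{(2^n-1)/3} = \omega_3^{2r} (\xi^6+\xi^{10})^{(2^n-1)/3} = \omega_3^{2r} (1+\xi^4)^{(2^n-1)/3} = \omega_3^{2r} \left((1+\xi)^{(2^n-1)/3}\right)^4 = \omega_3^{2r} (\xi+1)^{(2^n-1)/3}, \]
and hence if $\gcd(r, (2^n-1)/3) = 1$ then $G'(x)$ permutes $\mu_3$, which completes the proof.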
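We would like to show that the formula (13) in Corollary 1 for $G(x)$ can be further simplified. First we prove the following lemma.
Lemma 2. Let $\rho \in \mathbb{F}_{2^n}$ be a primitive $d^{\nu_d(2^n-1)}$-th root of unity. If 2 is a primitive root mod $\mathrm{Ord}(\xi)$, then
\[ \delta_G(\rho^j, b) = \delta_G\left(1, \left(\rho^{-j(r+(2^n-1)/d)}\, b\right)^{2^{n-k_j}}\right) \]
for some integer $k_j$ for every $0 < j < d$.
Proof. Let $x$ be a solution of $b = G(x) + G(x+\rho^j)$, that is,
\[ b = G(x) + G(x+\rho^j) = x^{r+(2^n-1)/d} + \xi x^r + (x+\rho^j)^{r+(2^n-1)/d} + \xi (x+\rho^j)^r. \]
Substituting $x = \rho^j y$ into the above equation we get
\[ b = (\rho^j y)^{r+(2^n-1)/d} + \xi (\rho^j y)^r + (\rho^j y+\rho^j)^{r+(2^n-1)/d} + \xi (\rho^j y+\rho^j)^r \]
\[ \phantom{b} = \rho^{j(r+(2^n-1)/d)} \left( y^{r+(2^n-1)/d} + \xi\rho^{-j(2^n-1)/d}\, y^r + (y+1)^{r+(2^n-1)/d} + \xi\rho^{-j(2^n-1)/d}\, (y+1)^r \right). \]
Hence we get
\[ \rho^{-j(r+(2^n-1)/d)}\, b = y^{r+(2^n-1)/d} + \xi\rho^{-j(2^n-1)/d}\, y^r + (y+1)^{r+(2^n-1)/d} + \xi\rho^{-j(2^n-1)/d}\, (y+1)^r. \]
Since $\rho^{-j(2^n-1)/d} \in \mu_d$, we get $\xi\rho^{-j(2^n-1)/d} \in \mu_{\mathrm{Ord}(\xi)} \setminus \mu_d$. Since 2 is a primitive root mod $\mathrm{Ord}(\xi)$, there is an integer $k_j$ such that $\xi^{2^{k_j}} = \xi\rho^{-j(2^n-1)/d}$. Raising the last equation to the $2^{n-k_j}$-th power, we get
\[ \left(\rho^{-j(r+(2^n-1)/d)}\, b\right)^{2^{n-k_j}} = \left(y^{2^{n-k_j}}\right)^{r+(2^n-1)/d} + \xi \left(y^{2^{n-k_j}}\right)^r + \left(y^{2^{n-k_j}}+1\right)^{r+(2^n-1)/d} + \xi \left(y^{2^{n-k_j}}+1\right)^r. \]
Hence $z = y^{2^{n-k_j}} = (\rho^{-j}x)^{2^{n-k_j}}$ is a solution of $G(z) + G(z+1) = \left(\rho^{-j(r+(2^n-1)/d)}\, b\right)^{2^{n-k_j}}$.
Theorem 7. Under the same condition as in Lemma 2,
\[ \delta_G = \max_{b \in \mathbb{F}_{2^n}} \delta_G(1, b). \tag{16} \]
It is clear that we can set $R_d = \{1\}$ for computing the differential spectrum of $G(x)$ in Corollary 2.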
3.2 The boomerang uniformity
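For the boomerang uniformity, we can derive a theorem and a formula similar to those of the previous subsection. We only consider the case for $\beta'_F$.
Theorem 8. Suppose $F(x)$ is a permutation. Let $a, a' \in \mathbb{F}_{2^n}^*$ and $b \in \mathbb{F}_{2^n}$. If $\psi\left(\frac{a'}{a}\right) = 0$, equivalently $\left(\frac{a'}{a}\right)^{(2^n-1)/d} = 1$, then
\[ \beta'_F(a, b) = \beta'_F\left(a', \left(\frac{a'}{a}\right)^r b\right). \]
Proof. Suppose that $(x, y) = (x_0, y_0)$ is a solution of (4). By Lemma 1, we get
\[ F\left(\frac{a'}{a}x_0 + a'\right) + F\left(\frac{a'}{a}y_0 + a'\right) = F\left(\frac{a'}{a}(x_0+a)\right) + F\left(\frac{a'}{a}(y_0+a)\right) = \left(\frac{a'}{a}\right)^r \left(F(x_0+a) + F(y_0+a)\right) = \left(\frac{a'}{a}\right)^r b, \]
and also
\[ F\left(\frac{a'}{a}x_0\right) + F\left(\frac{a'}{a}y_0\right) = \left(\frac{a'}{a}\right)^r \left(F(x_0) + F(y_0)\right) = \left(\frac{a'}{a}\right)^r b. \]
Thus $(x, y) = \left(\frac{a'}{a}x_0, \frac{a'}{a}y_0\right)$ is a solution of
\[ \begin{cases} F(x+a') + F(y+a') = \left(\frac{a'}{a}\right)^r b \\ F(x) + F(y) = \left(\frac{a'}{a}\right)^r b \end{cases} \tag{17} \]
This shows that there is a bijection between the solutions of (4) and the solutions of (17). Therefore, (4) and (17) have the same number of solutions, which completes the proof.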
Applying Theorem 3 and Theorem 8, we get the following.
Corollary 3. The boomerang uniformity of $F$ can be computed by
\[ \beta_F = \max_{a \in R_d,\, b \in \mathbb{F}_{2^n}^*} \beta'_F(a, b). \tag{18} \]
In Corollary 2, we used the formula (12) to compute the differential spectrum efficiently. We can apply a similar argument for the boomerang uniformity. We define the boomerang spectrum of a permutation $F$. Since $\beta_F(a, b) = q$ when $a = 0$ or $b = 0$, we exclude these cases in the definition of the boomerang spectrum.
Definition 10 (Boomerang Spectrum). For any permutation $F$ on $\mathbb{F}_{2^n}$, the boomerang spectrum of $F$ is defined as the multiset
\[ B_F = \{\beta_F(a, b) : a, b \in \mathbb{F}_{2^n}^*\}. \]
It is shown [3] that if two permutations $F$ and $F'$ defined on $\mathbb{F}_{2^n}$ are boomerang equivalent, then $B_F = B_{F'}$. If we denote
\[ B'_F = \{\beta'_F(a, b) : a, b \in \mathbb{F}_{2^n}^*\}, \]
then we can easily see that $B'_F = B_F$ from (6). Note that the boomerang spectra of some S-boxes, including the AES (Advanced Encryption Standard) S-box, were investigated in [8]. Now we have the following analogue to Corollary 2.
Corollary 4. Suppose $F(x)$ is a permutation. For $c \in B_F$, we denote that
\[ B'_{F,c} = \{(a, b) \in \mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n} : \beta'_F(a, b) = c\}, \]
\[ B'_{F,c,d} = \{(a, b) \in R_d \times \mathbb{F}_{2^n} : \beta'_F(a, b) = c\}. \]
Then we see that
\[ \#B'_{F,c} = \#B'_{F,c,d} \cdot (2^n-1)/d. \]
Hence we can compute the boomerang spectrum of $F$ efficiently by computing the multiset
\[ \{\beta_F(a, b) : a \in R_d,\ b \in \mathbb{F}_{2^n}^*\} \]
first and apply Corollary 4 to compute the multiplicity of each element in the above set.
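The reductions of Corollaries 1 to 4, as an added example (not the authors' SageMath code): the script builds $\mathbb{F}_{2^6}$, tests Theorem 2 on $\mu_3$ only, and computes the differential and boomerang spectra of the binomial with $(r, k) = (20, 7)$ of Table 1 from the three rows $a \in R_3$. The field representation $\mathbb{F}_2[x]/(x^6+x+1)$ with $g = x$ and all function names are assumptions of this example.

```python
from collections import Counter
from math import gcd

N, D = 6, 3                       # field F_{2^6} and d = 3
Q = 1 << N
S = (Q - 1) // D                  # (2^n - 1)/d = 21
POLY = 0b1000011                  # x^6 + x + 1: assumed field representation, g = x

# Exponent/logarithm tables for the primitive element g.
EXP, LOG = [0] * (Q - 1), [0] * Q
_v = 1
for _i in range(Q - 1):
    EXP[_i], LOG[_v] = _v, _i
    _v <<= 1
    if _v & Q:
        _v ^= POLY
assert len(set(EXP)) == Q - 1     # g generates every nonzero element

R_D = [EXP[i] for i in range(D)]  # representative set R_d = {g^i : 0 <= i < d}


def gmul(a, b):
    return 0 if a == 0 or b == 0 else EXP[(LOG[a] + LOG[b]) % (Q - 1)]


def gpow(a, e):
    return 0 if a == 0 else EXP[(LOG[a] * e) % (Q - 1)]


def binomial(r, k):
    """Value table of F(x) = x^r (x^((2^n-1)/d) + g^k), the form (21)."""
    return [gmul(gpow(x, r), gpow(x, S) ^ EXP[k]) for x in range(Q)]


def permutes_by_theorem2(r, k):
    """Theorem 2 with h(x) = x + g^k: only the d elements of mu_d are tested."""
    mu = [EXP[S * i] for i in range(D)]
    image = {gmul(gpow(w, r), gpow(w ^ EXP[k], S)) for w in mu}
    return gcd(r, S) == 1 and image == set(mu)


def ddt_row(F, a):
    """List indexed by b holding delta_F(a, b)."""
    row = Counter(F[x] ^ F[x ^ a] for x in range(Q))
    return [row[b] for b in range(Q)]


def bct_prime_row(F, a):
    """List indexed by b holding beta'_F(a, b), counted from system (4)."""
    row = Counter()
    for x in range(Q):
        for y in range(Q):
            b = F[x] ^ F[y]
            if b == F[x ^ a] ^ F[y ^ a]:
                row[b] += 1
    return [row[b] for b in range(Q)]


def spectrum(row_fn, F, a_values, skip_b0=False):
    """Multiset of table entries over the given a (and b != 0 if skip_b0)."""
    spec = Counter()
    for a in a_values:
        row = row_fn(F, a)
        spec.update(row[1:] if skip_b0 else row)
    return spec


def scaled(spec):
    """Multiply multiplicities by (2^n - 1)/d as in Corollaries 2 and 4."""
    return Counter({c: m * S for c, m in spec.items()})


def boomerang_uniformity_by_definition(F):
    """max beta_F(a, b) over nonzero a, b, straight from equation (2)."""
    inv = [0] * Q
    for x, y in enumerate(F):
        inv[y] = x
    return max(
        sum(1 for x in range(Q) if inv[F[x] ^ a] ^ inv[F[x ^ b] ^ a] == b)
        for a in range(1, Q) for b in range(1, Q)
    )


if __name__ == "__main__":
    F = binomial(20, 7)           # (r, k) = (20, 7), first row of Table 1
    print("permutation:", permutes_by_theorem2(20, 7), len(set(F)) == Q)
    print("differential spectrum from R_d:", dict(scaled(spectrum(ddt_row, F, R_D))))
    print("boomerang spectrum from R_d:",
          dict(scaled(spectrum(bct_prime_row, F, R_D, skip_b0=True))))
```

Since $g^7$ is a primitive 9th root of unity for every primitive $g$ and all such roots lie in one cyclotomic coset, Proposition 1(ii) in Section 4.1.1 makes the differential spectrum independent of the assumed field representation.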
3.3 The extended Walsh spectrum
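The result for the Walsh spectrum is similar, though the proof technique is slightly different from Section 3.1 and Section 3.2.
Theorem 9. Let $b, b' \in \mathbb{F}_{2^n}^*$ and $a \in \mathbb{F}_{2^n}$. If $\psi\left(\frac{b'}{b}\right) = 0$, equivalently $\left(\frac{b'}{b}\right)^{(2^n-1)/d} = 1$, then
\[ \lambda_F(a, b) = \lambda_F\left(\left(\frac{b'}{b}\right)^{r'} a,\ b'\right), \]
where $rr' \equiv 1 \pmod{(2^n-1)/d}$.
Proof. By Lemma 1,
\[ ax + bF(x) = \left(\frac{b'}{b}\right)^{r'} \left(\frac{b}{b'}\right)^{r'} ax + b' \cdot \frac{b}{b'} F(x) = \left(\frac{b'}{b}\right)^{r'} a \left(\left(\frac{b}{b'}\right)^{r'} x\right) + b' F\left(\left(\frac{b}{b'}\right)^{r'} x\right). \]
Since $\{(b/b')^{r'} x : x \in \mathbb{F}_{2^n}\} = \mathbb{F}_{2^n}$, we obtain
\[ \lambda_F(a, b) = \sum_{x \in \mathbb{F}_{2^n}} (-1)^{Tr(ax + bF(x))} = \sum_{x \in \mathbb{F}_{2^n}} (-1)^{Tr\left((b'/b)^{r'} a\, (b/b')^{r'} x + b' F((b/b')^{r'} x)\right)} \]
\[ \phantom{\lambda_F(a, b)} = \sum_{(b/b')^{r'} x \in \mathbb{F}_{2^n}} (-1)^{Tr\left((b'/b)^{r'} a\, (b/b')^{r'} x + b' F((b/b')^{r'} x)\right)} = \sum_{x \in \mathbb{F}_{2^n}} (-1)^{Tr\left((b'/b)^{r'} a x + b' F(x)\right)} = \lambda_F\left(\left(\frac{b'}{b}\right)^{r'} a,\ b'\right), \]
which completes the proof.
From Theorem 9, we get
\[ \lambda_F(a, b) = \lambda_F\left(\left(\frac{g^i}{b}\right)^{r'} a,\ g^i\right). \tag{19} \]
Corollary 5. For $c \in \Lambda_F$, we denote that
\[ \Lambda_{F,c} = \{(a, b) \in \mathbb{F}_{2^n} \times \mathbb{F}_{2^n}^* : \lambda_F(a, b) = c\}, \quad \Lambda_{F,c,d} = \{(a, b) \in \mathbb{F}_{2^n} \times R_d : \lambda_F(a, b) = c\}, \]
\[ \Lambda'_{F,|c|} = \{(a, b) \in \mathbb{F}_{2^n} \times \mathbb{F}_{2^n}^* : \lambda'_F(a, b) = |c|\}, \quad \Lambda'_{F,|c|,d} = \{(a, b) \in \mathbb{F}_{2^n} \times R_d : \lambda'_F(a, b) = |c|\}. \]
Then we see that
\[ \#\Lambda_{F,c} = \#\Lambda_{F,c,d} \cdot (2^n-1)/d \quad \text{and} \quad \#\Lambda'_{F,|c|} = \#\Lambda'_{F,|c|,d} \cdot (2^n-1)/d. \]
Hence we can compute the Walsh spectrum and the extended Walsh spectrum of $F(x)$ efficiently by computing the multisets
\[ \{\lambda_F(a, b) : a \in \mathbb{F}_{2^n},\ b \in R_d\} \quad \text{and} \quad \{|\lambda_F(a, b)| : a \in \mathbb{F}_{2^n},\ b \in R_d\} \]
first and apply Corollary 5 to compute the multiplicity of each element in the above sets, respectively. The nonlinearity of $F(x)$ can also be efficiently computed using Theorem 9.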
Corollary 6. The nonlinearity of $F(x)$ is given as
\[ NL(F) = 2^{n-1} - \frac{1}{2} \max_{a \in \mathbb{F}_{2^n},\, b \in R_d} |\lambda_F(a, b)|. \tag{20} \]
4 Numerical results for even n
4.1 A complete investigation for the case $d = 3$ when $n \le 12$
Permutations of low boomerang uniformity, including APN permutations, over $\mathbb{F}_{2^n}$ are well studied for odd $n$. But the same topic for even $n$ is not well studied yet. In particular, there is no known permutation polynomial of boomerang uniformity at most 4 over $\mathbb{F}_{2^n}$ when $4 \mid n$. Since a permutation of boomerang uniformity 4 is differentially 4-uniform, it is worth investigating the boomerang uniformity of differentially 4-uniform permutations. The boomerang uniformity of power permutations $F$ with $\delta_F = 4$ is considered in [16]. Hence we consider the second smallest case $d = 3$ in this section, since $3 \mid (2^n-1)$ for every even $n$. A complete investigation is the most inefficient method, but it is also the most obvious method, and we can expect to offset this inefficiency by applying our formulas proposed in section 3.
4.1.1 Permutation binomials
We investigate the permutation binomials of the form
\[ F(x) = x^r (x^{(2^n-1)/3} + g^k) \tag{21} \]
where $0 \le k < 2^n-1$, when $4 \le n \le 10$ is even.
■ Reducing target space
As already mentioned in Section 2, it is known that the differential uniformity and the extended Walsh spectrum are invariant under CCZ-equivalence and the boomerang uniformity is invariant under affine equivalence and inversion. Therefore, if we know that some polynomials have this equivalence, it is sufficient to investigate one of them as a representative. We first introduce a corollary of the result about the compositional inverse of $F(x)$ in [18].
Theorem 10. ([18]) Let $F(x) = x^r h(x^{(2^n-1)/d})$. Then the compositional inverse of $F$ can be expressed as
\[ F^{-1}(x) = x^{r'} h'(x^{(2^n-1)/d}) \]
where $rr' \equiv 1 \pmod{(2^n-1)/d}$ and for some $h'(x) \in \mathbb{F}_{2^n}[x]$.
Next we get the following linear equivalence.
Proposition 1. Let $F(x) = x^r (x^{(2^n-1)/3} + g^k)$.
(i) Let $r' \equiv r \cdot 2^i \pmod{2^n-1}$ be an element of the cyclotomic coset of $r \pmod{2^n-1}$. Then $F(x)$ is linear equivalent to
\[ \begin{cases} x^{r'} (x^{(2^n-1)/3} + g^{k'}) & \text{for even } i \\ x^{r'-(2^n-1)/3} (x^{(2^n-1)/3} + g^{k'}) & \text{for odd } i \end{cases} \]
for some $k'$.
(ii) If $k'$ is contained in the same cyclotomic coset with $k$, then $F'(x) = x^r (x^{(2^n-1)/3} + g^{k'})$ is linear equivalent to $F(x)$.
Proof. (i) We have $(F(x))^{2^i} = x^{2^i \cdot r} (x^{2^i \cdot (2^n-1)/3} + g^{k \cdot 2^i}) = x^{r'} (x^{(-1)^i \cdot (2^n-1)/3} + g^{k \cdot 2^i})$. If $i$ is even, then $F(x)$ is linear equivalent to $x^{r'} (x^{(2^n-1)/3} + g^{k \cdot 2^i})$. If $i$ is odd, then
\[ (F(x))^{2^i} = x^{r'} (x^{-(2^n-1)/3} + g^{k \cdot 2^i}) = g^{k \cdot 2^i} x^{r'-(2^n-1)/3} (x^{(2^n-1)/3} + g^{2^n-1-k \cdot 2^i}), \]
thus $F(x)$ is linear equivalent to $x^{r'-(2^n-1)/3} (x^{(2^n-1)/3} + g^{2^n-1-k \cdot 2^i})$.
(ii) Let $k' \equiv k \cdot 2^j \pmod{2^n-1}$ for some $0 \le j < n$. For $L_1(x) = x^{2^j}$ and $L_2(x) = x^{2^{n-j}}$, we can see that $F'(x) = (L_1 \circ F \circ L_2)(x)$.
A detailed process for selecting a target space for our experiments is given in Algorithm 1. By Proposition 1, we consider a representative set of cyclotomic cosets mod $(2^n-1)/3$. We also apply Theorem 10 in steps 6-7. Note that ralr and kalr indicate whether there is an element that has the equivalence mentioned in Proposition 1 or Theorem 10 in $C_r$ and $C_k$, respectively.
Algorithm 1
Input : An even integer $n$
Output : Target space
1: $C_r \leftarrow \{\}$, $C_k \leftarrow \{\}$
2: for odd $k$ from 1 to $(2^n-1)/3$ do
3:     ralr $\leftarrow 0$, kalr $\leftarrow 0$, $i \leftarrow 0$
4:     while kalr $= 0$ and $i < n$ do
5:         $k' \leftarrow k \cdot 2^i \pmod{(2^n-1)/3}$
6:         if $\gcd(k', (2^n-1)/3) = 1$ do
7:             Compute $0 < r' < (2^n-1)/3$ such that $k'r' \equiv 1 \pmod{(2^n-1)/3}$
8:             if $k'$ or $r'$ belong to $C_r$ do
9:                 ralr $= 1$
10:         if $k'$ belong to $C_k$ do
11:             kalr $= 1$
12:         $i \leftarrow i + 1$
13:     if $\gcd(k, (2^n-1)/3) = 1$ and ralr $= 0$ do
14:         add $k$ in $C_r$
15:     if kalr $= 0$ do
16:         add $k$ in $C_k$
17: return $\{r + i(2^n-1)/d : r \in C_r,\ 0 \le i < d\} \times C_k$
Remark 1. By Theorem 10, when $r \equiv -1 \pmod{(2^n-1)/3}$, the inverse of $x^r h(x^{(2^n-1)/3})$ is also of the form $x^r h'(x^{(2^n-1)/3})$, that is, $r' = r$. But we do not consider this property when we generate a target space by Algorithm 1. In our experimental results, if two permutation polynomials have the same differential and boomerang spectrum and the same extended Walsh spectrum, then we investigate whether one is linear equivalent to the inverse of the other. Note that some permutations are linear equivalent to their own inverse, for example $F_{6,2,1}(x)$ below.
■ Our experiments
For each even $n$ with $6 \le n \le 12$, we perform the following experiments for all $(r, k)$ in the target space generated by Algorithm 1.
• Check whether $F(x)$ is a permutation or not. Note that we can use Theorem 2.
• If $F(x)$ is a permutation, then check whether $F(x)$ is differentially 4-uniform or not using the formula (13).
• If $F(x)$ is differentially 4-uniform, then compute other cryptographic parameters including $\beta_F$ using the formulas in Section 3.
Unfortunately, as already mentioned in [7], there is no differentially 4-uniform permutation binomial of the form (21) when $n = 4, 8, 10, 12$. However, we find the following 3 differentially 4-uniform permutation binomials in $\mathbb{F}_{2^6}$. Cryptographic parameters of those differentially 4-uniform permutation binomials are described in Table 1. We denote these binomials as $F_{6,2,i}(x)$.

| $i$ | $(r, k)$ | $D_{F_{6,2,i}}$ | $B_{F_{6,2,i}}$ | $\Lambda'_{F_{6,2,i}}$ |
|---|---|---|---|---|
| 1 | (20, 7) | $\{0^{2268}, 2^{1512}, 4^{252}\}$ | $\{0^{1953}, 2^{1386}, 4^{378}, 6^{378}, 8^{126}\}$ | $\{0^{1512}, 8^{2016}, 16^{504}\}$ |
| 2 | (41, 7) | $\{0^{2394}, 2^{1260}, 4^{378}\}$ | $\{0^{1890}, 2^{882}, 4^{882}, 6^{252}, 12^{63}\}$ | $\{0^{819}, 4^{1386}, 8^{1008}, 12^{504}, 16^{189}, 20^{126}\}$ |
| 3 | (62, 7) | $\{0^{2394}, 2^{1260}, 4^{378}\}$ | $\{0^{1890}, 2^{882}, 4^{882}, 6^{252}, 12^{63}\}$ | $\{0^{819}, 4^{1386}, 8^{1008}, 12^{504}, 16^{189}, 20^{126}\}$ |

Table 1: Differentially 4-uniform binomials $F_{6,2,i}$ when $n = 6$
According to Remark 1, we confirm that $F_{6,2,1}$ is linear equivalent to its inverse, and $F_{6,2,2}$ is linear equivalent to $F_{6,2,3}^{-1}$. Note that all $F_{6,2,i}(x)$ are of the form $G(x)$ in Eq. (14).
4.1.2 Permutation trinomials
We investigate the permutation trinomials of the form
\[ F(x) = x^r (x^{2(2^n-1)/3} + g^k x^{(2^n-1)/3} + g^l) \tag{22} \]
where $0 \le k, l < 2^n-1$, when $6 \le n \le 12$ is even.
■ Reducing target space
Similar to the binomial case, we have the following linear equivalence among those polynomials.
Proposition 2. Let $F(x) = x^r (x^{2(2^n-1)/3} + g^k x^{(2^n-1)/3} + g^l)$.
(i) If $r' \equiv r \cdot 2^i \pmod{(2^n-1)/3}$ for some $i$, then $F(x)$ is linear equivalent to $x^{r'} h'(x^{(2^n-1)/3})$ for some $h'(x) \in \mathbb{F}_{2^n}[x]$.
(ii) Let $C_{k,l} = \{(k \cdot 2^i, l \cdot 2^i) \pmod{2^n-1} : 0 \le i < n\}$ and $(k', l') \in C_{k,l}$. Then
\[ F'(x) = x^r (x^{2(2^n-1)/3} + g^{k'} x^{(2^n-1)/3} + g^{l'}) \]
is linear equivalent to $F(x)$.
(iii) Let
\[ F_1(x) = x^r (x^{2(2^n-1)/3} + g^{k-(2^n-1)/3} x^{(2^n-1)/3} + g^{l+(2^n-1)/3}), \]
\[ F_2(x) = x^r (x^{2(2^n-1)/3} + g^{k+(2^n-1)/3} x^{(2^n-1)/3} + g^{l-(2^n-1)/3}). \]
Then $F_1(x)$ and $F_2(x)$ are linear equivalent to $F(x)$.
Proof. If $F(x)$ is of the form (22), then the exponents of monomials of $F(x)$ belong to the same class modulo $(2^n-1)/3$. Thus we may write $F(x) = x^r h(x^{(2^n-1)/3})$ for some $h(x) \in \mathbb{F}_{2^n}[x]$ where $0 \le r < (2^n-1)/3$.
(i) We have $(F(x))^{2^i} = x^{2^i \cdot r} (x^{2^{i+1} \cdot (2^n-1)/3} + g^{k \cdot 2^i} x^{2^i \cdot (2^n-1)/3} + g^{l \cdot 2^i})$. Thus we can express $(F(x))^{2^i} = x^{r'} h'(x^{(2^n-1)/3})$ for some $h'(x) \in \mathbb{F}_{2^n}[x]$, and $F(x)$ is linear equivalent to $x^{r'} h'(x^{(2^n-1)/3})$.
(ii) Write $(k', l') \equiv (k \cdot 2^j, l \cdot 2^j) \pmod{2^n-1}$ for some $0 \le j < n$. For $L_1(x) = x^{2^j}$ and $L_2(x) = x^{2^{n-j}}$, we can see that $F'(x) = (L_1 \circ F \circ L_2)(x)$.
(iii) Let $L_3(x) = gx$, $L_4(x) = g^{(2^n-1)/3-r} x$, $L_5(x) = g^2 x$, and $L_6(x) = g^{2(2^n-1)/3-2r} x$. Then $F_1(x) = (L_4 \circ F \circ L_3)(x)$ and $F_2(x) = (L_6 \circ F \circ L_5)(x)$.
Proposition 2 shows that we can select the target space of $(r, k, l)$ for our experiments as $C_r \times C_k \times \{0, \cdots, 2^n-2\}$, where $C_r$ and $C_k$ are as in Algorithm 1. But the case $k = 0$ is not contained in this target space. (In the case of binomials, if $k = 0$ then $F(x)$ in Eq. (21) cannot be a permutation by Theorem 2. Hence we reject the case $k = 0$ from the initial process for the binomial case.) We generate $C_l$ as a representative set of cyclotomic cosets mod $2^n-1$. Then the target space of our experiments for trinomials is
\[ C_r \times \left( (C_k \times \{0, \cdots, 2^n-2\}) \cup (\{0\} \times C_l) \right). \]
■ Our experiments
For each even $n$ with $6 \le n \le 12$, we perform experiments similar to those in Section 4.1.1 for all $(r, k, l)$ in the target space mentioned above.
• The case $n = 6$
When $n = 6$, we get 11 differentially 4-uniform permutation trinomials only for $r = (2^n-1)/3 - 1 = 20$. We consider Remark 1 to get the following 6 CCZ-inequivalent differentially 4-uniform permutation trinomials. Table 2 contains cryptographic parameters of those differentially 4-uniform permutation trinomials, denoted by $F_{6,3,i}$. Note that $F_{6,3,5}$ and $F_{6,3,6}$ are involutions; they do not belong to our target space, but we find that some of our permutation polynomials are linear equivalent to these involutions. Note that $F_{6,3,1}$ is linear equivalent to its inverse.

| $i$ | $(k, l)$ | $D_{F_{6,3,i}}$ | $B_{F_{6,3,i}}$ | $\Lambda'_{F_{6,3,i}}$ |
|---|---|---|---|---|
| 1 | (0, 11) | $\{0^{2457}, 2^{1134}, 4^{441}\}$ | $\{0^{1848}, 2^{924}, 4^{882}, 6^{189}, 8^{105}, 10^{21}\}$ | $\{0, 4, 8, 12, 16, 20, 24\}$ |
| 2 | (1, 8) | $\{0^{2394}, 2^{1260}, 4^{378}\}$ | $\{0^{1869}, 2^{1050}, 4^{756}, 6^{210}, 8^{84}\}$ | $\{0, 4, 8, 12, 16, 24\}$ |
| 3 | (5, 28) | $\{0^{2394}, 2^{1260}, 4^{378}\}$ | $\{0^{1932}, 2^{987}, 4^{714}, 6^{252}, 8^{63}, 10^{21}\}$ | $\{0, 4, 8, 12, 16, 20, 24\}$ |
| 4 | (7, 14) | $\{0^{2457}, 2^{1134}, 4^{441}\}$ | $\{0^{1890}, 2^{1008}, 4^{819}, 8^{126}, 10^{126}\}$ | $\{0, 4, 8, 12, 16, 20\}$ |
| 5 | (13, 13) | $\{0^{2331}, 2^{1386}, 4^{315}\}$ | $\{0^{1974}, 2^{1239}, 4^{483}, 6^{105}, 8^{105}, 10^{42}, 12^{21}\}$ | $\{0, 4, 8, 12, 16, 20, 24\}$ |
| 6 | (61, 31) | $\{0^{2520}, 2^{1008}, 4^{504}\}$ | $\{0^{2037}, 2^{714}, 4^{777}, 6^{210}, 8^{84}, 10^{84}, 12^{63}\}$ | $\{0, 4, 8, 12, 16, 20, 24\}$ |

Table 2: Differentially 4-uniform permutation trinomials $F_{6,3,i}$ when $n = 6$
• The case $n = 8$
When $n = 8$, we get 7 differentially 4-uniform permutation trinomials. See Table 3 for details. We confirm that 2 permutation trinomials for $r = (2^n-1)/3 = 84$ are linear equivalent to the inverse of each other, and hence we omit one of them in Table 3. Though $F_{8,3,3}$ and $F_{8,3,6}$ have the same differential spectrum and the same extended Walsh spectrum, we cannot confirm their CCZ-equivalence, nor the equivalence between $F_{8,3,4}$ and $F_{8,3,5}$. Nevertheless, we find at least 4 CCZ-inequivalent differentially 4-uniform trinomials for the case $n = 8$. Note that we use $\mathbb{F}_{2^8} = \mathbb{F}_2[x]/(x^8+x^4+x^3+x^2+1)$, the SageMath default finite field of $2^8$ elements, which is not exactly the same as the base field of AES, $\mathbb{F}_2[x]/(x^8+x^4+x^3+x+1)$.
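
| $i$ | $(r, k, l)$ | $D_{F_{8,3,i}}$ | $B_{F_{8,3,i}}$ | $\Lambda'_{F_{8,3,i}}$ |
|---|---|---|---|---|
| 1 | (84, 1, 159) | $\{0^{37230}, 2^{23460}, 4^{4590}\}$ | $\{0^{31450}, 2^{20655}, 4^{9435}, 6^{2635}, 8^{680}, 10^{170}\}$ | $\{4j : 0 \le j \le 11\}$ |
| 2 | (3, 3, 16) | $\{0^{36975}, 2^{23970}, 4^{4335}\}$ | $\{0^{32555}, 2^{20145}, 4^{7990}, 6^{3655}, 8^{510}, 10^{170}\}$ | $\{0^{24140}, 16^{33235}, 32^{7820}, 48^{85}\}$ |
| 3 | (3, 3, 107) | $\{0^{35955}, 2^{26010}, 4^{3315}\}$ | $\{0^{32555}, 2^{22950}, 4^{6290}, 6^{2805}, 8^{170}, 10^{255}\}$ | $\{0^{22950}, 16^{34680}, 32^{7650}\}$ |
| 4 | (3, 13, 155) | $\{0^{35190}, 2^{27540}, 4^{2550}\}$ | $\{0^{32130}, 2^{25840}, 4^{4845}, 6^{1615}, 8^{510}, 10^{85}\}$ | $\{0^{21420}, 16^{36720}, 32^{7140}\}$ |
| 5 | (3, 15, 123) | $\{0^{35190}, 2^{27540}, 4^{2550}\}$ | $\{0^{31875}, 2^{25755}, 4^{5440}, 6^{1785}, 8^{85}, 12^{85}\}$ | $\{0^{21420}, 16^{36720}, 32^{7140}\}$ |
| 6 | (3, 29, 39) | $\{0^{35955}, 2^{26010}, 4^{3315}\}$ | $\{0^{32470}, 2^{23035}, 4^{6205}, 6^{2890}, 8^{340}, 10^{85}\}$ | $\{0^{22950}, 16^{34680}, 32^{7650}\}$ |

Table 3: Differentially 4-uniform permutation trinomials $F_{8,3,i}$ when $n = 8$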
• The cases $n = 10$ and $n = 12$
Unfortunately, when $n = 10$ and $n = 12$, we cannot find any differentially 4-uniform permutation trinomials of the form (22). It takes 405 seconds and 42822 seconds (about 12 hours) for these experiments for the cases $n = 10$ and $n = 12$, respectively, using SageMath on an Intel Core i7-4770 3.40GHz with 8GB memory. Therefore, the same experiment for the case $n = 14$ seems to be possible in several days, but we do not run this experiment because the expected experimental result is not optimistic, like the cases $n = 10$ and $n = 12$.
4.1.3 Differentially 6-uniform permutation polynomials
Based on the experimental results in the above subsections, we can see that there is no APN permutation of the form $x^r h(x^{(2^n-1)/3})$ and that differentially 4-uniform permutation polynomials of this form are very rare. Hence we also run the same experiments as in the above subsections for differentially 6-uniform permutation binomials and trinomials of the form $x^r h(x^{(2^n-1)/3})$. We compute the differential spectrum and the extended Walsh spectrum of differentially 6-uniform permutation polynomials of the form $x^r h(x^{(2^n-1)/3})$, and count the number of CCZ-inequivalent classes of differentially 6-uniform permutation binomials and trinomials that can be distinguished by differential spectrum or extended Walsh spectrum, when $6 \le n \le 12$. The results of these experiments are summarized in Table 4.
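| $n$ | 6 | 8 | 10 | 12 |
|---|---|---|---|---|
| # of binomials $F$ with $\delta_F = 6$ | 1 | 5 | 7 | 8 |
| # of binomials $F$ with $\delta_F = 6$ when $r \equiv -1$ | 1 | 2 | 5 | 7 |
| # of trinomials $F$ with $\delta_F = 6$ | 11 | 615 | 1779 | 1618 |
| # of trinomials $F$ with $\delta_F = 6$ when $r \equiv -1$ | 11 | 141 | 1005 | 1615 |

Table 4: The number of CCZ-inequivalent differentially 6-uniform permutation polynomials when $6 \le n \le 12$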
In particular, we also indicate the number of differentially 6-uniform binomials and trinomials obtained in the case $r \equiv -1 \pmod{(2^n-1)/3}$ in the second row and the fourth row of Table 4, respectively. We can see that many differentially 6-uniform permutation polynomials of this form are in the case $r \equiv -1 \pmod{(2^n-1)/3}$. Especially for $n = 12$, only one binomial and 3 trinomials are not in this case. Moreover, we can see that the number of differentially 6-uniform permutation polynomials for $r \equiv -1 \pmod{(2^n-1)/3}$ is significantly larger than the number of differentially 6-uniform permutation polynomials for $r \not\equiv -1 \pmod{(2^n-1)/3}$, when $n = 10, 12$. Hence we may conjecture that permutation polynomials of this form in the case $r \equiv -1 \pmod{(2^n-1)/3}$ have lower differential uniformity than in the case $r \not\equiv -1 \pmod{(2^n-1)/3}$ on average. In the next subsection we give some heuristic analysis for this conjecture.
4.2 Some Heuristic Analysis
In the previous subsection, we saw that the differential uniformity for the case $r \equiv -1 \pmod{(2^n-1)/d}$ is relatively smaller than for the case $r \not\equiv -1 \pmod{(2^n-1)/d}$. We can easily see that there is the following upper bound on the differential uniformity of $F$ when $r \equiv -1 \pmod{(2^n-1)/d}$.
Theorem 11. Let $F(x) = x^r h(x^{(2^n-1)/d})$ where $r \equiv -1 \pmod{(2^n-1)/d}$. Then $\delta_F \le 2d^2 + 2$.
Proof. For convenience we fix $r = 2^n - 2$. Let $F(x) = x^{2^n-2} h(x^{(2^n-1)/d})$ and denote
$$W_{a,i,j} = \{x \in \mathbb{F}_{2^n} : \psi(x) = i,\ \psi(x+a) = j\}$$
for $a \neq 0$ and $0 \le i, j < d$. If $x \in W_{a,i,j}$ is a solution of $F(x) + F(x+a) = b$, then it is also a solution of $x^{2^n-2} h(\omega_d^i) + (x+a)^{2^n-2} h(\omega_d^j) = b$. Since $x^{2^n-2} = x^{-1}$ for $x \neq 0$, multiplying by $x(x+a)$ shows that it is also a solution of the following quadratic equation
$$Q_{a,b,i,j}(x) = bx^2 + \left(h(\omega_d^i) + h(\omega_d^j) + ab\right)x + a\,h(\omega_d^i) = 0. \tag{23}$$
Since there are $d^2$ equations $Q_{a,b,i,j}(x) = 0$ ($0 \le i, j < d$), there are at most $2d^2$ possible solutions. When $b = F(a)$ there is an exceptional case: $x = 0, a$ are also solutions of $F(x) + F(x+a) = F(a)$, but $0, a \notin W_{a,i,j}$ for any $0 \le i, j < d$. Together with the solutions of Eq. (23) we get $\delta_F(a, F(a)) \le 2d^2 + 2$. If $b \neq F(a)$, we get $\delta_F(a, b) \le 2d^2$.
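Theorem 11 and Eq. (23) can be checked numerically for $d = 3$ over $\mathbb{F}_{2^8}$ with the modulus stated above. The Python code below is an added example, not the authors' SageMath code; the binomial family $h(y) = y + c$, all function names, and the reading of $R_d$ as one shift $a$ per value of $\psi(a)$ (justified by $F(\lambda x) = \lambda^r F(x)$ whenever $\lambda^{(2^n-1)/d} = 1$) are assumptions made for illustration.

```python
# Added example, not the paper's code. Field: F_2[x]/(x^8+x^4+x^3+x^2+1), as on the page.
Q, MOD, D = 1 << 8, 0x11D, 3
S = (Q - 1) // D                             # (2^n - 1)/d = 85

def gf_mul(a, b):                            # product in F_{2^8}: shift-and-add, reduce by MOD
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & Q:
            a ^= MOD
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

INV = [gf_pow(x, Q - 2) for x in range(Q)]   # x^(2^n-2): 0 -> 0, x -> 1/x otherwise
PSI = [gf_pow(x, S) for x in range(Q)]       # x^((2^n-1)/d), equal to omega_d^psi(x) for x != 0
MU_D = sorted(set(PSI[1:]))                  # the d-th roots of unity
REPS = [PSI.index(w) for w in MU_D]          # one shift a per value of psi(a) (assumed role of R_d)

def h_eval(h, y):
    """h(y) = h[0] + h[1]*y + ... evaluated by Horner's rule."""
    acc = 0
    for c in reversed(h):
        acc = gf_mul(acc, y) ^ c
    return acc

def make_F(h):
    """Lookup table of F(x) = x^(2^n-2) * h(x^((2^n-1)/d))."""
    return [gf_mul(INV[x], h_eval(h, PSI[x])) for x in range(Q)]

def delta(F, shifts=range(1, Q)):
    """Largest number of solutions x of F(x) + F(x+a) = b over a in shifts and all b."""
    best = 0
    for a in shifts:
        cnt = [0] * Q
        for x in range(Q):
            cnt[F[x] ^ F[x ^ a]] += 1
        best = max(best, max(cnt))
    return best

def eq23_holds(h, a):
    """Eq. (23): each x outside {0, a} is a root of Q_{a,b,i,j} for b = F(x) + F(x+a)."""
    F = make_F(h)
    def q(x):
        hi, hj, b = h_eval(h, PSI[x]), h_eval(h, PSI[x ^ a]), F[x] ^ F[x ^ a]
        return gf_mul(b, gf_mul(x, x)) ^ gf_mul(hi ^ hj ^ gf_mul(a, b), x) ^ gf_mul(a, hi)
    return all(q(x) == 0 for x in range(1, Q) if x != a)

def scan_binomials():
    """delta_F for each h(y) = y + c that is nonzero on mu_d, using only the d shifts in REPS."""
    return {c: delta(make_F([c, 1]), REPS) for c in range(Q) if c not in MU_D}
```

With `h = [1]` the table is the field inversion, a convenient sanity check before scanning other choices of $h$; `delta(F, REPS)` needs only $d$ shifts instead of $2^n - 1$.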
By Theorem 11, we can express $F(x) + F(x+a) = b$ as a quadratic equation $Q_{a,b,i,j}(x) = 0$ for each $0 \le i, j < d$ when $r \equiv -1 \pmod{(2^n-1)/3}$. Since we can express $F(x) = x^r h(\omega_d^{\psi(x)})$, if $i = j$ then $F(x) + F(x+a) = b$ can be expressed as $x^r + (x+a)^r = b \cdot h(\omega_d^i)^{-1}$, which is related to $\delta_{x^r}\left(a, b\,h(\omega_d^i)^{-1}\right)$. Hence if $x^r$ has low differential uniformity, then the above equation has a small number of solutions. But if $r \not\equiv -1 \pmod{(2^n-1)/3}$ and $i \neq j$, then it is not easy to apply an argument similar to the one for $r \equiv -1 \pmod{(2^n-1)/3}$ and $i \neq j$. For example, it is well known that $x^3$ is APN for all $n$. For the case $r = 3$, we get a quadratic equation for each case $i = j$, but we get a cubic equation for each case $i \neq j$. Hence we cannot apply the same argument as in Theorem 11 for the case $r = 3$.
Next we propose a heuristic analysis to compute an expected value of $\delta_F$ for the case $r \equiv -1 \pmod{(2^n-1)/3}$. If $b \neq F(a)$, then by Theorem 11 we can see that
$$\delta_F(a, b) = \sum_{i,j} \left|\{x \in \mathbb{F}_{2^n} : Q_{a,b,i,j}(x) = 0\} \cap W_{a,i,j}\right|.$$
For each $0 \le i, j < d$, we first check whether $Q_{a,b,i,j}(x) = 0$ is solvable or not. If $Q_{a,b,i,j}(x) = 0$ is solvable, we check whether each solution is contained in $W_{a,i,j}$ or not. We assume that the $W_{a,i,j}$'s are uniformly distributed in $\mathbb{F}_{2^n} \setminus \{0, a\}$, and hence we take the probability that each element of $\mathbb{F}_{2^n} \setminus \{0, a\}$ is contained in each $W_{a,i,j}$ to be $1/d^2$. Also, we assume that each quadratic equation $Q_{a,b,i,j}(x) = 0$ is solvable with the same probability $1/2$. We denote
$$D_{a,b}(k) = \Pr\Big[\sum_{0 \le i,j < d} \left|\{x \in \mathbb{F}_q : Q_{a,b,i,j}(x) = 0\} \cap W_{a,i,j}\right| = k\Big],$$
$$U_{a,b}(k) = \Pr\Big[\sum_{0 \le i,j < d} \left|\{x \in \mathbb{F}_q : Q_{a,b,i,j}(x) = 0\} \cap W_{a,i,j}\right| \le k\Big] = \sum_{i=0}^{k/2} D_{a,b}(2i),$$
which are computed under these assumptions. Then we can compute
$$\Pr(\delta_F \le k) = \prod_{a \in R_d,\, b \in \mathbb{F}_q} U_{a,b}(k),$$
$$\Pr(\delta_F = k) = \Pr(\delta_F \le k) - \Pr(\delta_F \le k-2) = \prod_{a \in R_d,\, b \in \mathbb{F}_q} U_{a,b}(k) - \prod_{a \in R_d,\, b \in \mathbb{F}_q} U_{a,b}(k-2). \tag{24}$$
We compare this heuristic analysis with the actual experimental results in the previous section for trinomials of the form $x^{(2^n-1)/3-1} h(x^{(2^n-1)/3})$. This heuristic analysis does not match the actual experimental results (see Table 5 for $n = 10$). But this analysis is not unreasonable, because the expected values given by (24) are somewhat similar to the actual averages (see Table 6).

| $k$ | 4 | 6 | 8 | 10 | 12 | 14 | 16 | 18 |
|---|---|---|---|---|---|---|---|---|
| Permutations | 0 | 2136 | 2207 | 1850 | 1796 | 390 | 66 | 5 |
| Actual Prob | 0 | 0.2528 | 0.2612 | 0.2189 | 0.2125 | 0.0462 | 0.0078 | 0.0006 |
| (24) | $1.12 \times 10^{-18}$ | 0.0139 | 0.7127 | 0.2565 | 0.0162 | 0.0006 | $1.45 \times 10^{-8}$ | $1.83 \times 10^{-7}$ |

Table 5: Comparison of heuristic analysis and actual data for trinomials when $n = 10$

| $n$ | 6 | 8 | 10 | 12 |
|---|---|---|---|---|
| Average of $\delta_F$ | 7.16 | 7.93 | 9.12 | 10.32 |
| Expected value from (24) | 6.52 | 7.53 | 8.55 | 9.56 |

Table 6: Comparison of expected value and actual average of $\delta_F$ for trinomials when $6 \le n \le 12$

We do not investigate the cases $n \ge 14$ because it is expected to be difficult to compute. We apply the expected value of $\delta_F$ obtained by this heuristic analysis to guess the existence of $F$ with low differential uniformity. We summarize the expected value computed by (24) for $n \ge 14$ in Table 7. When $n = 14$ or $n = 16$, the expected value of $\delta_F$ is not much larger than the expected value of $\delta_F$ when $n = 12$ in Table 6. Since there are 1626 differentially 6-uniform trinomials when $n = 12$ (see Table 4), we can expect that there may exist differentially 6-uniform permutation polynomials of the form $x^{(2^n-1)/3-1} h(x^{(2^n-1)/3})$ when $n = 14$ or $n = 16$. We also note that the expected value of $\delta_F$ is larger than 18 when $n \ge 38$. Hence we guess that almost all permutation polynomials of this form achieve the upper bound of differential uniformity in Theorem 11.

| $n$ | 14 | 16 | 18 | 20 | 22 | 24 | 26 | 28 |
|---|---|---|---|---|---|---|---|---|
| Expected value from (24) | 10.46 | 11.36 | 12.25 | 12.91 | 13.90 | 14.37 | 15.12 | 15.98 |

Table 7: Expected value of $\delta_F$ when $n \ge 14$
Next we consider $G(x)$ in Eq. (14) with $d = 3$ and $r \equiv -1 \pmod{(2^n-1)/3}$. We denote them by
$$G_{n,j,i}(x) = x^{i(2^n-1)/3-1}\left(x^{(2^n-1)/3} + \xi\right)$$
where $\xi \in \mu_{3^{\nu_d(2^n-1)}} \setminus \mu_3$ is a primitive $3^j$-th root of unity and $0 \le i < 3$. Note that we showed that each $G_{n,2,i}(x)$ is a permutation polynomial in Theorem 6. This can be applied to the case $j > 2$ if Eq. (15) holds, and we confirm that $G_{18,3,i}(x)$ is a permutation polynomial for each $i$. By applying Theorem 2, (24) can also be simplified to
$$\Pr(\delta_{G_{n,j,i}} = k) = \prod_{b \in \mathbb{F}_{2^n}} U_{1,b}(k) - \prod_{b \in \mathbb{F}_{2^n}} U_{1,b}(k-2). \tag{25}$$
We compare the expected value computed by Eq. (25) with the actual differential uniformity of $G_{n,j,i}$ in Table 8. The expected value from (25) is less than the expected value from (24), but is significantly larger than the actual differential uniformity of $G_{n,j,i}$.
| $(n, j, i)$ | (6,2,-) | (12,2,0) | (12,2,1) | (18,2,-) | (18,3,-) | (24,2,-) |
|---|---|---|---|---|---|---|
| $\delta_{G_{n,j,i}}$ | 4 | 6 | 8 | 8 | 8 | 8 |
| Expected value from (25) | 5.77 | 8.72 | 8.72 | 11.59 | 11.59 | 14.04 |

Table 8: Comparison of expected value and actual $\delta_{G_{n,j,i}}$

4.3 The case $d \neq 3$
We also investigate the differential uniformity of permutation polynomials of the form $x^r h(x^{2^{n/2}-1})$ discussed in some recent papers; see Table 9 for details. This is the case $d = 2^{n/2} + 1$, and we denote $m = n/2$ in Table 9 for convenience. Note that
$$F_{25}(x) = x^{2^n-2^m+2} + x^{2^n-3\cdot 2^m+4} + x^{2^n-5\cdot 2^m+6} + x^{2^n-7\cdot 2^m+8} + x^{7\cdot 2^m-5} + x^{5\cdot 2^m-3} + x^{3\cdot 2^m-1},$$
$$F_{27}(x) = x^{2^n-2^m+2} + x^{2^n-5\cdot 2^m+6} + x^{2^n-7\cdot 2^m+8} + x^{7\cdot 2^m-5} + x^{3\cdot 2^m-1}$$
in Table 9, which are too long to be written out in the table itself.
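| Polynomial | Introduced in | $n = 6$ | $n = 8$ | $n = 10$ |
|---|---|---|---|---|
| $x^{(2^n-1)/(2^t-1)+1} + \alpha x$ ($n = 2^s t$, $t$ odd) | Theorem 1.1 in [2] | 4 | lin. | 4 |
| $x^{3\cdot 2^m+1} + x^{2^m+3} + x^4$ | Theorem 3.1 in [10] | – | 16 | 34 |
| $x^{3\cdot 2^m-1} + x^{2^{m+1}} + x^2$ | Theorem 3.3 in [10] | – | 16 | 34 |
| $x^{2^{m+2}+1} + x^{2^m+4} + x^5$ | Theorem 3.4 in [10] | 16 | – | 64 |
| $x^{2^{m+2}-1} + x^{3\cdot 2^m} + x^3$ | Theorem 3.5 in [10] | 16 | – | 44 |
| $x^{3\cdot 2^m-2} + \alpha x$ | Theorem B in [11] | 10 | – | 34 |
| $x^{2^{m+1}-1} + \alpha x^{2^m} + \gamma x$ | Theorem 1.1 in [12] | 8 | 16 | 32 |
| $x^{s(2^m-1)+1} + x^{t(2^m-1)+1} + x$ | Theorem 1 and 3 in [14] | 16 | 10 | 64 |
| $x^{2^{n-1}+2^{m-1}+1} + x^{2^m} + x$ | Theorem 4.7 in [15] | – | 16 | 34 |
| $x^{2^{n-1}+2^{m-1}+1} + x^{2^m+2} + x$ | Theorem 4.8 in [15] | 8 | – | 10 |
| $\alpha^{2^m-1} x^{2^n-2^m+1} + \alpha x^{2^{m+1}-1} + x$ | Theorem 4.9 in [15] | 14 | 32 | 62 |
| $x^{3\cdot 2^m-2} + x^{2^{m+1}-1} + x^{2^n-2^m+1} + x^{2^n-2^{m+1}+2} + x$ | Theorem 3.9 in [17] | 16 | 32 | 104 |
| $x^{2^m+1} x^2 (x^{2^m-1} + x^{1-2^m})^{2^m-2^{m/2}-1}$ | Theorem 3.13 in [17] | – | 28 | – |
| $x^{2^m+1} x^2 (x^{2^m-1} + x^{2^n-2^m})^{2(2^{m+1}-2^{m/2}-1)/3}$ | Theorem 3.15 in [17] | – | 16 | – |
| $F_{25}(x)$ | Theorem 3.25 in [17] | 16 | 16 | 36 |
| $F_{27}(x)$ | Theorem 3.27 in [17] | 16 | 16 | 34 |

Table 9: Differential uniformity of some permutation polynomials for even $6 \le n \le 10$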
We investigate the differential uniformity of those polynomials only when they are permutations; thus, if the differential uniformity is omitted in the table, then the polynomial in that case is not a permutation. Please refer to the cited papers for the detailed conditions under which each polynomial in the first column is a permutation polynomial. From the table, we see that the differential uniformity is not very low except for the case in the first row when $n \equiv 2 \pmod 4$. However, since $n = 2t$ in this case, the polynomial is $x^{2^m+2} + \alpha x$. The differential uniformity of this polynomial was already investigated in [26], and the boomerang uniformity was investigated in [16]. We also computed the differential uniformity of this polynomial when $n = 12$, which is not the case $n \equiv 2 \pmod 4$, but we get $\delta_F = 88$. For the class of permutation polynomials in [14], there are several pairs $(s, t)$ for which the corresponding polynomial is a permutation, and the value in Table 9 is the minimal value of the differential uniformity of those permutation polynomials for each $n$. Overall, it is not very optimistic to get a permutation polynomial of low differential uniformity for the case $d = 2^m + 1$.
5 Conclusion
Compared with permutations having low differential uniformity, the permutations with low boomerang uniformity are not well studied yet. Since a permutation of boomerang uniformity 4 is also differentially 4-uniform, the study of the boomerang uniformity of the known differentially 4-uniform permutations (see Table 1 in [9] for known differentially 4-uniform permutations) is important. Our research in this paper focuses on this topic. In this paper, we get efficient formulas for computing some cryptographic parameters (including boomerang and differential uniformity) of permutation polynomials of the form $x^r h(x^{(2^n-1)/d})$. The computational cost of our formulas is proportional to $d$. We applied our formulas to investigate differentially 4-uniform permutations for $d = 3$ with even $6 \le n \le 10$, where 3 is the least nontrivial factor dividing $2^n - 1$ for even $n$. For $n = 4, 8$, we computed the boomerang uniformity and the boomerang spectrum of differentially 4-uniform permutations using the suggested formula, and they turned out to be rather large. We also investigated the differential uniformity of some permutation polynomials for the case $d = 2^m + 1$ and found that they are not suitable for S-box construction.
Acknowledgement This research was supported by the National Research Foundation of Korea (KRF) Grant funded by the Korea government (MSIP) (No. 2016R1A5A1008055). Namhun Koo was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. 2021R1C1C2003888). Soonhak Kwon was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. 2019R1F1A1058920 and No. 2021R1F1A1050721).
References
[1] A. Akbary and Q. Wang, On Polynomials of the Form $x^r f(x^{(q-1)/l})$, International Journal of Mathematics and Mathematical Sciences, Vol. 2007, Article ID 23408. https://doi.org/10.1155/2007/23408
[2] S. Bhattacharya and S. Sarkar, On some permutation binomials and trinomials over $\mathbb{F}_{2^n}$, Des. Codes Cryptogr. 82(1-2) (2017) 149-160. https://doi.org/10.1007/s10623-016-0229-0
[3] C. Boura and A. Canteaut, On the Boomerang Uniformity of Cryptographic Sboxes, IACR Transactions on Symmetric Cryptology 2018(3) (2018) 290-310. https://doi.org/10.13154/tosc.v2018.i3.290-310
[4] C. Boura, A. Canteaut, J. Jean, and V. Suder, Two notions of differential equivalence on Sboxes, Des. Codes Cryptogr. 87(2-3) (2019) 185-202. https://doi.org/10.1007/s10623-018-0496-z
[5] K.A. Browning, J.F. Dillon, M.T. McQuistan, and A.J. Wolfe, An APN permutation in dimension six, 9th International conference on finite fields and applications; Finite fields: theory and applications, Dublin, in Contemporary Mathematics, 518 (2010) 33-42. http://doi.org/10.1090/conm/518
[6] C. Carlet, P. Charpin, and V. Zinoviev, Codes, Bent Functions, and Permutations Suitable For DES-like Cryptosystems, Des. Codes Cryptogr. 15(2) (1998) 125-156. https://doi.org/10.1023/A:1008344232130
[7] P. Charpin and G.M. Kyureghyan, On sets determining the differential spectrum of mappings, International Journal of Information and Coding Theory 4(2-3) (2017) 170-184; a recent revised version is available at https://hal.inria.fr/hal-01406589v3. https://doi.org/10.1504/IJICOT.2017.083844
[8] C. Cid, T. Huang, T. Peyrin, Y. Sasaki, and L. Song, Boomerang Connectivity Table: A New Cryptanalysis Tool. In: Nielsen J., Rijmen V. (eds) Advances in Cryptology – EUROCRYPT 2018. Lecture Notes in Computer Science, vol 10821, pp. 683-714, Springer, Cham. https://doi.org/10.1007/978-3-319-78375-8_22
[9] S. Fu and X. Feng, Involutory differentially 4-uniform permutations from known constructions, Des. Codes Cryptogr. 87(1) (2019) 31-56. https://doi.org/10.1007/s10623-018-0482-5
[10] R. Gupta and R.K. Sharma, Some new classes of permutation trinomials over finite fields with even characteristic, Finite Fields Appl. 41 (2016) 89-96. http://dx.doi.org/10.1016/j.ffa.2016.05.004
[11] X. Hou, Determination of a type of permutation trinomials over finite fields, II, Finite Fields Appl. 35 (2015) 16-35. http://dx.doi.org/10.1016/j.ffa.2015.03.002
[12] X. Hou and S.D. Lappano, Determination of a type of permutation binomials over finite fields, J. Number Theory 147 (2015) 14-23. http://dx.doi.org/10.1016/j.jnt.2014.06.021
[13] N. Li and T. Helleseth, Several classes of permutation trinomials from Niho exponents, Cryptogr. Commun. 9 (2017) 693-705. https://doi.org/10.1007/s12095-016-0210-9
[14] N. Li and T. Helleseth, New permutation trinomials from Niho exponents over finite fields with even characteristic, Cryptogr. Commun. 11 (2019) 129-136. https://doi.org/10.1007/s12095-018-0321-6
[15] K. Li, L. Qu, and X. Chen, New classes of permutation binomials and permutation trinomials over finite fields, Finite Fields Appl. 43 (2017) 69-85. https://doi.org/10.1016/j.ffa.2016.09.002
[16] K. Li, L. Qu, B. Sun, and C. Li, New Results about the Boomerang Uniformity of Permutation Polynomials, IEEE Trans. on Inf. Theory 65 (2019) 7542-7553. http://dx.doi.org/10.1109/TIT.2019.2918531
[17] K. Li, L. Qu, and Q. Wang, New constructions of permutation polynomials of the form $x^r h(x^{q-1})$ over $\mathbb{F}_{q^2}$, Des. Codes Cryptogr. 86(10) (2019) 2379-2405. https://doi.org/10.1007/s10623-017-0452-3
[18] K. Li, L. Qu, and Q. Wang, Compositional inverses of permutation polynomials of the form $x^r h(x^s)$ over finite fields, Cryptogr. Commun. 11 (2019) 279-298. https://doi.org/10.1007/s12095-018-0292-7
[19] S. Mesnager, C. Tang, and M. Xiong, On the boomerang uniformity of (quadratic) permutations over $\mathbb{F}_{2^n}$, a preprint, available at https://arxiv.org/abs/1903.00501 (2019)
[20] K. Nyberg, Differentially uniform mappings for cryptography. In: Helleseth T. (eds) Advances in Cryptology — EUROCRYPT ’93. Lecture Notes in Computer Science 765 (1994) 55-64, Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48285-7_6
[21] Y.H. Park and J.B. Lee, Permutation polynomial and group permutation polynomials, Bull. Aust. Math. Soc. 63 (2001) 67-74. https://doi.org/10.1017/S0004972700019110
[22] D. Wagner, The Boomerang Attack. In: Knudsen L. (eds) Fast Software Encryption 1999. Lecture Notes in Computer Science 1636 (1999) 156-170, Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48519-8_12
[23] D. Wan and R. Lidl, Permutation Polynomials of the Form $x^r f(x^{(q-1)/d})$ and Their Group Structure, Monatshefte für Mathematik 112 (1991) 149-163, Springer. https://doi.org/10.1007/BF01525801
[24] Q. Wang, Cyclotomic Mapping Permutation Polynomials over Finite Fields. In: Golomb S.W., Gong G., Helleseth T., Song HY. (eds) Sequences, Subsequences, and Consequences. Lecture Notes in Computer Science, vol 4893 (2007), pp. 119-128, Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77404-4_11
[25] Q. Wang, Cyclotomy and permutation polynomials of large indices, Finite Fields Appl. 22 (2013) 57-69. https://doi.org/10.1016/j.ffa.2013.02.005
[26] X. Zhu, X. Zeng, and Y. Chen, Some Binomial and Trinomial Differentially 4-Uniform Permutation Polynomials, International Journal of Foundations of Computer Science 26(4) (2015) 487-497. https://doi.org/10.1142/S0129054115500276
[27] M.E. Zieve, On some permutation polynomials over $\mathbb{F}_q$ of the form $x^r h(x^{(q-1)/d})$, Proc. Am. Math. Soc. 137 (2009) 2207-2216. https://doi.org/10.1090/S0002-9939-08-09767-0