Research article Special Issues

Construction of a cryptographic function based on Bose-type Sidon sets

  • Sidon sets have several applications in mathematics and in real-world problems, including the generation of secret keys in cryptography, error-correcting codes, and the physical problem of compression of signals in telecommunications. In particular, in cryptography, the design of cryptographic functions with optimal properties like nonlinearity and differential uniformity plays a fundamental role in the development of secure cryptographic systems. Based on the construction of Bose-type Sidon sets, in this paper we present the construction of a new cryptographic function with good properties of nonlinearity and differential uniformity.

    Citation: Julian Osorio, Carlos Trujillo, Diego Ruiz. Construction of a cryptographic function based on Bose-type Sidon sets[J]. AIMS Mathematics, 2024, 9(7): 17590-17605. doi: 10.3934/math.2024855

    Related Papers:

    [1] Huaning Liu, Zhixiong Chen, Chenhuang Wu . Correlation measures of binary sequences derived from Euler quotients. AIMS Mathematics, 2022, 7(6): 11087-11101. doi: 10.3934/math.2022619
    [2] Cemil Tunç, Alireza Khalili Golmankhaneh . On stability of a class of second alpha-order fractal differential equations. AIMS Mathematics, 2020, 5(3): 2126-2142. doi: 10.3934/math.2020141
    [3] Mohammad Mazyad Hazzazi, Gulraiz, Rashad Ali, Muhammad Kamran Jamil, Sameer Abdullah Nooh, Fahad Alblehai . Cryptanalysis of hyperchaotic S-box generation and image encryption. AIMS Mathematics, 2024, 9(12): 36116-36139. doi: 10.3934/math.20241714
    [4] Muhammad Sajjad, Tariq Shah, Huda Alsaud, Maha Alammari . Designing pair of nonlinear components of a block cipher over quaternion integers. AIMS Mathematics, 2023, 8(9): 21089-21105. doi: 10.3934/math.20231074
    [5] Adil Waheed, Fazli Subhan, Mazliham Mohd Suud, Muhammad Yasir Hayat Malik, Alina Mirza, Farkhanda Afzal . Construction of nonlinear component of block cipher using coset graph. AIMS Mathematics, 2023, 8(9): 21644-21667. doi: 10.3934/math.20231104
    [6] Hafeez Ur Rehman, Mohammad Mazyad Hazzazi, Tariq Shah, Amer Aljaedi, Zaid Bassfar . Color image encryption by piecewise function and elliptic curve over the Galois field $ {G}{F}\left({2}^{{n}}\right) $. AIMS Mathematics, 2024, 9(3): 5722-5745. doi: 10.3934/math.2024278
    [7] Narongrit Kaewbanjak, Watcharin Chartbupapan, Kamsing Nonlaopon, Kanit Mukdasai . The Lyapunov-Razumikhin theorem for the conformable fractional system with delay. AIMS Mathematics, 2022, 7(3): 4795-4802. doi: 10.3934/math.2022267
    [8] Huawei Huang, Xin Jiang, Changwen Peng, Geyang Pan . A new semiring and its cryptographic applications. AIMS Mathematics, 2024, 9(8): 20677-20691. doi: 10.3934/math.20241005
    [9] Samer Al Ghour . On some types of functions and a form of compactness via $ \omega _{s} $-open sets. AIMS Mathematics, 2022, 7(2): 2220-2236. doi: 10.3934/math.2022126
    [10] B. B. Jena, S. K. Paikray, S. A. Mohiuddine, Vishnu Narayan Mishra . Relatively equi-statistical convergence via deferred Nörlund mean based on difference operator of fractional-order and related approximation theorems. AIMS Mathematics, 2020, 5(1): 650-672. doi: 10.3934/math.2020044
  • Sidon sets have several applications in mathematics and in real-world problems, including the generation of secret keys in cryptography, error-correcting codes, and the physical problem of compression of signals in telecommunications. In particular, in cryptography, the design of cryptographic functions with optimal properties like nonlinearity and differential uniformity plays a fundamental role in the development of secure cryptographic systems. Based on the construction of Bose-type Sidon sets, in this paper we present the construction of a new cryptographic function with good properties of nonlinearity and differential uniformity.



    The security of the block cipher in symmetric cryptography, is based, in some cases, on vectorial Boolean functions Fn2Fm2 called substitution boxes (S-Box), which satisfy the properties of high nonlinearity and low differential uniformity that make those functions resistant to the linear cryptanalysis and differential cryptanalysis introduced by Mitsuru Matsui in [1], and Eli Biham and Adi Shamir in [2], respectively. The main ideas in those cryptanalyses are (i) to approximate the vectorial Boolean function by using affine functions, and (ii) to analyze how the differences in the input can affect the resulting difference in the output. Functions with high nonlinearity and low differential uniformity are highly resistant to the two cryptanalysis methods mentioned above. The notion of nonlinearity and differential uniformity can be generalized to algebraic structures other than Fn2, which allow us to talk about the nonlinearity and differential uniformity of functions between any two finite Abelian groups.

    The designing and construction of cryptographic functions resistant to attacks is a complex task, and often based on algebraic methods, random generation, and heuristic designs [3,4,5,6]. Each of these methods has advantages and disadvantages over most of the desirable properties of a cryptographic function; for instance, with algebraic constructions, we analyze what properties the functions satisfy, but with heuristic designs, we obtain functions with several properties from their construction [7]. However, if we consider an application from Fn2 to Fm2, then there are 2m2n functions; that is, there exist many even in a few variables, which implies a hard problem in a computational search. The abundance of vectorial Boolean functions suggests to us that it is usually impossible to solve the problem of the construction of "good" cryptographic functions using only computational searching, and so it is necessary to introduce more effective methods to design new and better vectorial Boolean functions that can be efficiently implemented in electronic devices [3].

    Functions between two Abelian finite groups A and B with the same cardinality and the smallest possible nonlinearity are called perfect nonlinear (PN) functions. These functions are related to Sidon sets (a subset of an additive group with the property that all sums of two elements in this set are different), since a function is APN if and only if its associated graph is a Sidon set in the product group A×B. This is one of the reasons we focus on an algebraic construction to introduce new cryptographic functions that arise from the construction of a finite Sidon set due to Bose [8]. The main contribution of this paper is the construction of a new set of functions with good linear and differential properties based on the construction of Sidon sets. This set of functions is 2-to-1, that is, functions in which each output value has zero or two possible preimages [9]. We know that 2-to-1 functions play an important role in cryptography because they can be used to create reversible functions that are not 1-to-1, which can make it harder for attackers to break encryption schemes or find collisions in hash functions [10,11]. Moreover, they are often used in the construction of APN functions, bent functions, and binary linear codes [12,13,14].

    The remainder of this paper is as follows: Section 2 introduces definitions related to differential uniformity and nonlinearity in Abelian groups. Section 3 presents the construction of our function and some of its properties, including differential uniformity and symmetry. We then illustrate its linearity, and list the number of functions that exist for each nN based on our construction. Finally, Section 4 presents some conclusions and future research directions.

    The resistance of functions to cryptanalysis is characterized by two quantities: (ⅰ) nonlinearity, which measures the resistance of a function to linear cryptanalysis, and (ⅱ) differential uniformity, which measures the resistance of a function to differential cryptanalysis. So, we want to construct cryptographic functions with optimal nonlinearity and differential uniformity properties, concepts introduced in this section.

    Let A and B denote two non-empty Abelian groups.

    Definition 2.1. Let f:AB be a function and let aA. The derivative of f in a is the function

    Daf:ABxf(x+a)f(x).

    A differential of f with input difference a and output difference b is given by

    f(x+a)f(x)=b. (2.1)

    The number of solutions to (2.1) is denoted by δ(a,b), that is

    δ(a,b)=|{xA:f(x+a)f(x)=b}|.

    Now, if Δf denotes the positive integer

    Δf=maxaA{0}(bBδ(a,b),

    then f is said to be differentially Δfuniform. Note that Δf|A|/|B|. In particular, if Δf=|A|/|B|, then f is called a perfect nonlinear (PN) function [15]. Note also that if |A|=|B|, then Δf=1, which implies that (2.1) has one solution. We know that PN functions do not exist in fields of characteristic 2, since if x satisfies f(x+a)f(x)=b, then so does x+a. This is the reason for introducing the following definition:

    Definition 2.2. A function f is an almost perfect nonlinear (APN) function if Δf=2|A|/|B|.

    In particular, note that if |A|=|B|, then Δf=2, that is, (2.1) has at most two solutions [15].

    If we consider a Boolean function f:Fn2F2 of n variables, then the nonlinearity NL(f) of f is the minimum Hamming Distance* between f and all affine functions φa(x)=ax+c, with aFn2 and cF2. That is

    *The Hamming Distance between f and g is d(f,g)=|{xFn2; f(x)g(x)}|.

    NL(f)=minaFn2d(f,φa).

    However, an equivalent concept to nonlinearity that uses a special case of the discrete Fourier transform called the Walsh transform (or Walsh–Hadamard transform) is a useful tool when we want to study the nonlinearity of a function.

    Now, consider A=Zq and B=Zr for the q and r integers. Let ωqC and ωrC denote the qth and rth roots of unity in C. The expression xωaxq defines a character in Zq for all aZq. Similarly, the set of characters in Zr for all bZr is defined by yωbyr [15].

    Definition 2.3. The Walsh–Hadamard transform of f:ZqZr at aZq and bZr is defined as

    ˆf(a,b)=xAωbf(x)r¯ωaxq,

    where ¯ωq is the complex conjugate of ωq.

    For the different possible parameter values (a,b), this formula compares every constant multiple of f against every linear function ax; the greatest value is indicative of the closeness of f to such a linear function, so the Walsh–Hadamard transform helps us measure the nonlinearity of a function f according to the following definition:

    Definition 2.4. The linearity of a function f:ZqZr is defined by

    L(f)=max0a<q(0<b<r|ˆf(a,b)|.

    From [16], we know that if f:ZqZr, then qL(f)q. Functions that reach the lower bound have optimal linearity and are called bent functions.

    Definition 2.5. Let f:ZqZr. We define the nonlinearity of f by

    NL(f)=|Zq|L(f)|Zr|=qL(f)r.

    Note that nonlinearity actually measures the distance between f and all linear affine functions. Furthermore, also that NL(f)=0 if and only if f is an affine linear function. It is clear that a bijection and its inverse have the same nonlinearity [16].

    Finally, from [17], we know that a function f:Fn2Fm2, with n2m and n even, is perfect nonlinear if and only if it is bent.

    In this section, we present the construction of our function, which is based on the construction of Sidon sets due to Bose [8].

    Let G denote an additive group. A set AG is a Sidon set in G if, for all a,b,c,dA, we have

    a+b=c+d{a,b}={c,d}.

    That is, A is a Sidon set if all the sums of two elements of A are different. Since a+b=c+d if and only if ac=db, Sidon sets can also be defined as those with the property that all nonzero differences of pairs of elements are distinct. In particular, the construction of Sidon sets due to Bose is as follows [8].

    Theorem 3.1. Let q=pn with p a prime number and nN. Let (Fq,+,) be the finite field with q elements, and Fq2 be an algebraic extension of degree two over Fq. If θ is a primitive element of Fq2, then

    Bq(θ)=logθ(θ+Fq):={logθ(θ+a):aFq} (3.1)

    is a Sidon set in Zq21 with q elements.

    From [18], we know that the set θ+Fq is a Sidon set with q elements in the multiplicative group Fq2. Furthermore, we know that isomorphisms preserve the Sidon property, so using the discrete logarithm in base θ, we verify that set the Bq(θ) is a Sidon set with q elements in the group Zq21, which illustrates a proof of Theorem 3.1.

    Example 3.1. Let q=24. If we take the primitive element θ over F2 such that θ8+θ4+θ3+θ2+1=0, then we can construct the Sidon set in Z255 given by

    B24(θ)={1,3,16,25,41,48,62,90,145,146,157,165,217,223,227,253}.

    According to the work in [18], we know that Bq(θ) satisfies the following properties, where [1,q] denotes the set of integers {1,,q}.

    Proposition 3.1. If Bq(θ) is the set in (3.1), then

    B1) If bBq(θ), then b0mod(q+1).

    B2) If a,bBq(θ) and ab, then abmod(q+1).

    B3) Bq(θ)mod(q+1):={amod(q+1):aBq(θ)}=[1,q].

    Proof. We verify property B2) by contradiction. Suppose abmod(q+1), that is, there exists nZ such that ab=n(q+1). Note that θq+1 generates Fq, so θab=θn(q+1)Fq. Now, let a,bBq(θ), there exist k1,k2Fq with k1k2, such that a=logθ(θ+k1) and b=logθ(θ+k2), implying that θa=θ+k1 and θb=θ+k2. Thus, θab=(θ+k1)/(θ+k2). Since θabFq, there exists cFq such that (θ+k1)/(θ+k2)=c. So, (1c)θ=ck2k1. Because c1, then θ=(ck2k1)(1c)1Fq, which is a contradiction.

    Proposition 3.1 means that for each x[1,q], we can find a unique bBq(θ) such that bmod(q+1)=x, i.e., there exists a bijective relationship between the sets [1,q] and Bq(θ)mod(q+1).

    The authors in [19,20] describe the following relationship between Sidon sets and APN functions: A function F:Fn2Fn2 is APN if and only if the set GF={(x,F(x)):xFn2} is a Sidon set in the group (Fn2×Fn2,+). It is common to refer to GF as the graph of F. This relationship gives us an idea of how to construct cryptographic functions from known constructions of Sidon sets on finite Abelian groups, that is, we take Sidon sets in one dimension and try to put them in two dimensions via some transformation that preserves the Sidon property; in particular, we use the isomorphism guaranteed by the Chinese remainder theorem to put the set Bq(θ) in two dimensions.

    Note that if q=2n, then we have that gcd(q+1,q1)=1, and so by the Chinese remainder theorem, we have that Zq21 is isomorphic to Zq+1×Zq1. So if Bq(θ) is a Sidon set given by (3.1), then each element bBq(θ) can be represented as an ordered pair in Zq+1×Zq1 as follows:

    (bmod(q+1),bmod(q1)). (3.2)

    According to Proposition 3.1, B3), note that if we run b in Bq(θ), then the set of first coordinates of pair (3.2) coincides with the set [1,q]; it allows us to define a set of functions with a common domain [1,q], which, when endowed with the sum modulo q, can be identified with Zq, that is ([1,q],+modq)Zq. The co-domain of this set of functions is obtained by reducing the set Bq(θ) modulo q1, as indicated by the second coordinate of the pair (3.2). This set of functions is our main contribution to this work, and they have, in particular, properties of symmetry, good differential uniformity, and good nonlinearity. Moreover, since Proposition 3.1 is valid for all q, we observe that if q=pn with p>2, then the construction of these functions is still valid and their properties are preserved, except for good nonlinearity.

    Definition 3.1. Let Bq(θ) be a Sidon set defined by (3.1). Identify the set [1,q] with the group Zq and consider Bq(θ)mod(q1)Zq1. Define the function fq:ZqZq1 as

    fq(x)=bmod(q1), (3.3)

    for bBq(θ) such that bmod(q+1)=x.

    We denote the range of fq as the sequence R(fq)=[fq(x)]. The function fq can be constructed based on the following procedure, where step 2 is valid because of Proposition 3.1, B2).

    Step 1. Take xZq.

    Step 2. Find the unique bBq(θ) such that bxmod(q+1).

    Step 3. Take fq(x)=bmod(q1).

    Note that b depends on x, so we can denote b as bx. In this way, the diagram in Figure 1 illustrates the procedure described above.

    Figure 1.  Diagram for function fq:ZqZq1.

    Example 3.2. Let

    B24(θ)={1,3,16,25,41,48,62,90,145,146,157,165,217,223,227,253}

    be the Sidon set in Example 3.1. We construct the function f16:Z16Z15 as follows:

    If x=1, then b=1B24(θ) satisfies 1mod17=1, which implies that f16(1)=1mod15=1.

    If x=2, then b=223B24(θ) is the unique element that satisfies 223mod17=2, which implies that f16(2)=223mod15=13.

    If x=3, then b=3B24(θ) satisfies 3mod17=3, and so f16(3)=3mod15=3.

    If x=4, then b=157B24(θ) is the unique element that satisfies 157mod17=4, which implies that f16(4)=157mod15=7.

    We repeat the above procedure for the other elements of Z16.

    Figure 2 illustrates the function f16:Z16Z15 with a range given by

    R(f16)=[1,13,3,7,0,2,11,10,10,11,2,0,7,3,13,1].
    Figure 2.  Function f16 associated with the Sidon set B24(θ).

    Note that we take 0:=16 in Z16, so Figure 2 shows a clear symmetry in the range of the function f16. In general, we have the following result:

    Theorem 3.2. If fq:ZqZq1 is the function defined in (3.3), then for all xZq we have

    i) fq(x)=fq(q+1x).

    ii) fq((q+1)/2+x)=fq((q+1)/2x) for p>2 (i.e., fq is symmetric with respect to x=(q+1)/2).

    Proof. ⅰ) Let x,q+1x[1,q]. Assume that

    fq(x)=rb1mod(q1),fq(1x)=sb2mod(q1),

    with b1,b2Bq(θ). According to the definition of fq, we know that

    b1xmod(q+1),b2q+1xmod(q+1).

    Consider the following two cases:

    Case 1. If b1=b2, then q+1xxmod(q+1). Since 1x,q+1xq<q+1 we have that q+1x=x, or x=(q+1)/2 (only for q odd), which implies fq(x)=fq(q+1x), that is, r=s.

    Case 2. If b1b2, then there are k1,k2Fq with k1k2 such that

    b1=logθ(θ+k1),b2=logθ(θ+k2),

    that is

    b1b2=logθ(θ+k1)logθ(θ+k2)=logθ(θ+k1θ+k2).

    Let γ:=θb1b2=θ+k1θ+k2. Note that γ1, since otherwise k1=k2. Moreover, γFq because θ is a primitive element over Fq of degree two, so γFq2Fq. Because Fq and θq1 (the group generated by θq1) are two subgroups of Fq2 that only intersect at 1 if q is even or ±1 if q is odd, and because γFq, we have that γθq1. Therefore, there exists tZ such that γ=θt(q1), from which θb1b2=θt(q1). Since b1b2rsmod(q1), then b1b2=n(q1)+(rs) for some nZ, implying that

    θn(q1)+(rs)=θt(q1),

    from which n(q1)+(rs)t(q1)mod(q21), that is, (rs)0mod(q1). Because 0r,s<q1 we have that r=s.

    ⅱ) Is similar to the proof of ⅰ).

    Now, we know in Zq that x=qx, so in Zq+1 and for b1,b2Bq(θ), we have

    b1mod(q+1)+b2mod(q+1)=x+1+qx=0

    in Zq+1. That is, b1+b20mod(q+1) and b1b20mod(q1). The following corollary formalizes this property, in which the system of congruences is a particular case of the multivariable Chinese Remainder theorem.

    Corollary 3.1. For a given xBq(θ), there exist a yBq(θ) not necessarily different from x such that

    {x+y0mod(q+1)xy0mod(q1).

    Example 3.3. Let

    B24(θ)={1,3,16,25,41,48,62,90,145,146,157,165,217,223,227,253}

    be the Sidon set in Example 3.1. Table 1 illustrates Corollary 3.1.

    Table 1.  Illustration of Corollary 3.1.
    x+y0mod17 xy0mod15
    16+1 161
    48+3 483
    145+25 14525
    146+41 14641
    227+62 22762
    165+90 16590
    217+157 217157
    253+223 253223

     | Show Table
    DownLoad: CSV

    Note that Theorem 3.2 establishes that fq(x) is symmetric and consequently a 2-to-1 function according to the next definition [9].

    Definition 3.2. Let A and B be two finite sets, and let f be a mapping from A to B. Function f is called a 2-to-1 mapping if one of the following two cases holds:

    i) |A| is even, and for any bB, it has either 2 or 0 preimages of f.

    ii) |A| is odd, and for all but one bB, it has either 2 or 0 preimages of f, and the exception element has exactly one preimage.

    From Theorem 3.2, ⅰ), note that the conditions of Definition 3.2 are satisfied, and from Theorem 3.2, ⅱ), the exception element is 21modq=q+12. It implies the next corollary.

    Corollary 3.2. For all prime numbers p and all nN, the function fq is 2-to-1.

    One important property in cryptographic applications is low differentiability, since functions with low differential uniformity are resistant to differential attacks [2]. Fortunately, the function fq has this property, as we demonstrate in the following theorem.

    Theorem 3.3. For all prime numbers p and all nN, the function fq is differentially 2-uniform.

    Proof. Let aZq{0} and bZq1. Consider the equation

    fq(x+a)fq(x)=b. (3.4)

    From the definition of fq we know that there exist b1,b2Bq(θ) such that

    b1mod(q+1)=x+a,b2mod(q+1)=x,

    which implies that b1+b22x+amod(q+1), and so there exists mN such that

    b1+b2=(q+1)m+2x+a. (3.5)

    Note also from the definition of fq that

    fq(x+a)=b1mod(q1),fq(x)=b2mod(q1),

    so (3.4) is equivalent to b1b2bmod(q1), that is, there exists nN such that

    b1b2=(q1)n+b, (3.6)

    and thus, from (3.5) and (3.6), we have

    2x=(q1)n(q+1)m+2b2+ba.

    That is

    2x2m+2b2+bamod(q1). (3.7)

    So far, we have proved that (3.4) is equivalent to (3.7). Next, to show that (3.4) has at most 2 solutions, we consider the following cases for q:

    1) If q=2n, then gcd(2,q1)=1, and so (3.7) has one solution.

    2) If q=pn and p2, then gcd(2,q1)=2, but note that 2|(2m+2b2+ba) if and only if 2|(ba). So it is sufficient to find bZq1 and aZq{0} such that ba is an even number to guarantee that (3.7) has exactly two solutions.

    Note that the function fq depends on the Sidon set Bq(θ) given in (3.1); thus, if we want to count the functions fq we must first count the sets Bq(θ). Note also that for a fixed q=pn, the construction of the Sidon set Bq(θ) depends on a primitive element θFq2, so we can wonder about the behavior of these sets when we vary the primitive element within the field. We have the following:

    Theorem 3.4. If α and θ are conjugates, then Bq(θ)=Bq(α).

    Proof. If α and θ are conjugates, then α=θpi for some i{1,,2n1}. Let logα(α+a)Bq(α). Since αq+1 generates Fpn there exists mZ such that a=αm(q+1)=θm(q+1)pi, thus

    logα(α+a)=logθpi(θpi+θm(q+1)pi)=logθpi(θ+θm(q+1))pi=pilogθpi(θ+θm(q+1)). (3.8)

    Note that θq+1 also generates Fpn, so b:=θm(q+1)Fpn. If we apply the base interchange formula on the right side of (3.8), then

    pilogθpi(θ+θm(q+1))=pilogθpiθlogθ(θ+b)=pi(pi)1logθ(θ+b)=logθ(θ+b).

    Therefore, logα(α+a)Bq(θ), which implies that Bq(α)Bq(θ). Now, because |Bq(α)|=|Bq(θ)|, we have that Bq(α)=Bq(θ).

    Computational calculations indicate that the reciprocal of Theorem 3.4 is valid, but its proof is strongly related to the theory of multipliers on relative difference sets, of which we do not know the solution. So we conjecture the following:

    Conjecture 3.1. If Bq(θ)=Bq(α), then α and θ are conjugates.

    Theorem 3.4 helps us to establish an upper bound for the number of different Bose-type Sidon sets that exist for each p2 and n1, and since the construction of our set of functions depends on these sets, it will also help us to establish an upper bound for the number of different functions fq that exist.

    Theorem 3.5. Let q=pn. For each p2 and each nN, there exist at most φ(q21)/2n different Sidon sets Bq(θ).

    Proof. Note that, if θ is a primitive element of Fq2 over Fp, then its 2n conjugates θ,θp,,θp2n1 are also primitives, so from Theorem 3.4, it generates the same Sidon set Bq(θ). Furthermore, because there are φ(q21) primitive elements in Fq2 (φ is Euler's phi function), we have that actually there exist φ(q21)/2n different primitive elements that are not conjugated to each other, thus these primitive elements generate at most φ(q21)/2n different Sidon sets Bq(θ).

    Note that if Conjecture 3.1 is true, then we obtain the equality in Theorem 3.5 since the φ(q21)/2n different primitive elements not conjugate with each other would generate exactly φ(q21)/2n sets Bq(θ).

    Lemma 3.1. Let p>2 and θ be a primitive element of Fp2. If c=p212+p, then θc=θ+b for some bFp{0}.

    Proof. Note that gcd(c,p21)=1, so θc is another primitive element of Fp2, implying that θc=aθ+b for some a,bFp{0}. Note also that θc=θp, from which θp=aθb, and so θp+θ=(1a)θb. Because θp+θFp, we have a=1.

    Theorem 3.6. Let p>2 and tφ(p21)/2. Let A={Bp(θi):i=1,,t} be the collection of the t different Bose-type Sidon sets. For each Bp(θi)A there exist Bp(θj)A, with ij such that

    Bp(θi)mod(p1)=Bp(θj)mod(p1).

    Proof. Let θi be a primitive element such that Bp(θi)A and c=p212+p. Take j=ic and note that Bp(θj)A because θj is also a primitive element; moreover, Bp(θj)Bp(θi) since otherwise θj and θi would be conjugates, which is not possible. Now, from Lemma 1, we have that

    θj=(θi)c=θi+b (3.9)

    for some bFp{0}. Now, if logθj(θj+k0)Bp(θj) for some k0Fp, then from (3.9) we have that

    logθj(θj+k0)=logθj(θi+b+k0)=logθj(θi+k1)

    for k1Fp. If we apply the base interchange formula, then

    logθj(θj+k0)=logθjθilogθi(θi+k1)=j1ilogθi(θi+k1)=c1logθi(θi+k1),

    so

    clogθj(θj+k0)=logθi(θi+k1),

    that is

    clogθj(θj+k0)Bp(θi).

    This implies that cBp(θj)Bp(θi), and because |cBp(θj)|=|Bp(θi)|, we have proof that cBp(θj)=Bp(θi), and so Bp(θj)mod(p1)=Bp(θi)mod(p1).

    Note again that if Conjecture 3.1 is true, then we could guarantee uniqueness in the set Bp(θj)A. The objective of this section was to count the functions fq, so, in the following theorem, we establish an upper bound for the number of functions for q=2n and q=p.

    Theorem 3.7. Let q=pn with nN. For p=2, there exist at most φ(q21)/2n different functions fq, and for p>2 and n=1, there exist at most φ(p21)/4 different functions fp.

    Proof. If p=2, then by the Chinese remainder theorem we have that Zq21 is isomorphic to Zq+1×Zq1 (denoted by Zq21Zq+1×Zq1), and because Sidon's property is preserved under isomorphism [18], from (3.2) we have that

    Bq(θ)(Bq(θ)mod(q+1),Bq(θ)mod(q1))=(dom(fq),ran(fq)),

    and the result follows from Theorem 3.5.

    Now, if p>2 and n=1, then we simply put the set Bp(θ) in the group Zp+1×Zp1 as

    (Bp(θ)mod(p+1),Bp(θ)mod(p1))=(dom(fp),ran(fp)),

    and the result follows from Theorem 3.5 and Theorem 3.6.

    Example 3.4. Note that if q=2n, then gdc(q1,q+1)=1, and φ(q21)/2n=φ(q1)φ(q+1)/2n, which facilitates the counting of the functions fq. For instance, for q=24, there exists φ(15)φ(17)/8=16 different functions given by

    [1,13,3,7,0,2,11,10,10,11,2,0,7,3,13,1],[1,7,12,4,3,14,11,13,13,11,14,3,4,12,7,1],[1,4,14,10,2,0,6,7,7,6,0,2,10,14,4,1],[1,0,8,13,11,14,5,9,9,5,14,11,13,8,0,1],[1,2,9,4,6,3,12,8,8,12,3,6,4,9,2,1],[1,7,2,4,8,9,6,13,13,6,9,8,4,2,7,1],[1,12,14,4,11,8,2,3,3,2,8,11,4,14,12,1],[1,13,8,7,5,12,6,10,10,6,12,5,7,8,13,1],[1,10,5,13,14,3,6,4,4,6,3,14,13,5,10,1],[1,4,9,10,12,5,11,7,7,11,5,12,10,9,4,1],[1,5,3,13,6,9,0,14,14,0,9,6,13,3,5,1],[1,14,0,10,6,12,9,2,2,9,12,6,10,0,14,1],[1,9,5,10,11,2,14,12,12,14,2,11,10,5,9,1],[1,3,2,7,11,5,8,0,0,8,5,11,7,2,3,1],[1,10,0,13,9,8,11,4,4,11,8,9,13,0,10,1],[1,8,12,7,6,0,3,5,5,3,0,6,7,12,8,1].

    From [21, Chapter 18], we know that lim supφ(n)/n=1, which means that the order of φ(n) is nearly n, that is,

    φ(q21)2nq212n.

    So for p=2 and n sufficiently large, we conclude that there exist approximately 22n/2n functions fq. Moreover, from [21, Theorem 328], we know that the function φ(n) satisfies

    lim infnφ(n)nloglogn=eγ, (3.10)

    where γ is the Euler–Mascheroni constant. So for q=2n, (3.10) implies that φ(q21)/2n is bounded below by

    22n2neγloglog22n,

    this expression is equivalent to

    22n(2eγ+εn)nlogn

    with εn0 when n. Hence, for q=2n, we have that the number of functions fq is at least

    22n(2eγ+εn)nlogn,

    if n is large enough. For p>2 and n=1, similar formulas can be derived.

    This section illustrates the linearity of fq. We know for α0 that |ˆfq(qα,(q1)β)|=|ˆfq(α,β)|, which, together with Theorem 3.2, reduces by a factor of approximately 4 the number of points required to calculate the linearity of fq. With this fact and the fast Fourier transform, we illustrate in Figures 3 and 4 the linearity of fq for q=p with 2<p<20000 and q=2n with 2n16. Figure 3b illustrates that the approximation of linearity has a slope of around 0.64, which leads us to conjecture that the linearity of fp is bounded below by an affine function that depends on p; unfortunately, this implies that L(fp) would be asymptotically closer to the upper bound, that is, fp is closer to being a linear function.

    Figure 3.  Behavior of the linearity of fp for 2<p<20000.

    But when q=2n, our simulations show a more interesting behavior. For example, for values of n{4,5,6,7,8}, important in cryptographic applications, the linearity of f2n is closer to the lower bound, as shown in Figure 4a and Table 2, implying that f2n has high nonlinearity. Figure 4b illustrates, by means of an exponential regression with a coefficient of determination of r2=0.998, that for values of n greater than 16, the behavior of the linearity of f2n tends to remain.

    Figure 4.  Behavior of the linearity of f2n for 2n16.
    Table 2.  Linearity of f2n and lower and upper bounds of L(f2n).
    n Lower bound L(f2n) Upper bound
    4 4 6, 00776721665963 16
    5 5, 65685425 9, 76163585008853 32
    6 8 15, 7984554517002 64
    7 11, 3137085 23, 1605616207365 128
    8 16 33, 7779991765064 256

     | Show Table
    DownLoad: CSV

    Now, when we compare the cases q=2n and q=p with p>2, we suspect that the loss of linearity for the second case is due to the fact that there is no an isomorphism between Zp21 and Zp+1×Zp1. Furthermore, note that this behavior still remains when q=pn with p>2 and n>1.

    Our contribution in this work is the construction of a new set of functions that are 2-to-1 functions and differentially 2-uniform, which, for the case q=2n, present an asymptotic behavior close to the trivial lower bound for its linearity, that is, the asymptotic nonlinearity of function fq is high. The number of functions that exist for each n, with p=2, is of the order 22n/2n, and for n=1 and p>2, it is of the order p2/4, so this set of functions grows rapidly as n and p increase, respectively.

    Due to the particular way in which we define our function fq, we cannot establish nontrivial bounds for its linearity, so this problem remains open. For instance, through linear and exponential regression, respectively, we conjecture that, i) for q=p, there exist two constants 0.5<α<1 and 0<β<0.5 such that L(fp)αp+β, and ii) for q=2n, there exist two constants γ>1 and 0<μ<1 such that L(f2n)γeμn. Moreover, note that in this work we emphasize the study of two cases; first, when q=2n due to the isomorphism between Zq21 and Zq+1×Zq1, and second, when q=p; but the case q=pn with p>2 and n>1 was not studied in detail, so it remains open to study what other properties the function fpn satisfies for this case. For instance, we conjecture from Theorem 3.7 that the number of functions fq that exist for q=pn with p>2 and n>1 is equal to φ(q21)/4n, but for proof of this, it is necessary to generalize Lemma 1 and Theorem 3.6 for that case.

    Some ciphers, such as SAFER [22], use non-binary transformations with "high nonlinearity" and optimal differential uniformity, known in the literature as exponential Welch Costas (EWC) and logarithmic Welch Costas (LWC) functions [16,23,24]. Given that for the case q=2n, the characteristics of our function are similar to those of these functions, we raised concern about the possibility of using our function in a cipher like SAFER.

    Julian Osorio: Writing – original draft, Writing – review & editing, Conceptualization, Formal analysis, Investigation; Carlos Trujillo: Conceptualization, Formal analysis, Investigation; Diego Ruiz: Writing – original draft, Writing – review & editing, Conceptualization, Formal analysis, Investigation. All authors have read and approved the final version of the manuscript for publication.

    The authors declare they have not used Artificial Intelligence (AI) tools in the creation of this article.

    Authors would like to thank the Universidad del Cauca for funding this paper, and the reviewers for the important feedback, which helped us to improve the quality of this paper. The first author would like to thank MINCIENCIAS (Colombia) for supporting his doctoral studies through "Convocatoria del fondo de ciencia, tecnología e innovación del sistema general de regalías para conformación de una lista de proyectos elegibles para ser viabilizados, priorizados y aprobados por el OCAD en el marco del programa de becas de excelencia doctoral del bicentenario (No. BB 2019 01)."

    The authors declare no conflict of interest in this paper.



    [1] M. Matsui, A. Yamagishi, A New Method for Known Plaintext Attack of FEAL Cipher, in Advances in Cryptology — EUROCRYPT' 92 (ed. Rueppel, R.A.), Springer Berlin Heidelberg, Berlin, Heidelberg, 1993, 81–91. https://doi.org/10.1007/3-540-47555-9_7
    [2] E. Biham, A. Shamir, Differential Cryptanalysis of DES Variants, Differential Cryptanalysis of the Data Encryption Standard, Springer New York, New York, NY, 1993, 33–77. https://doi.org/10.1007/978-1-4613-9314-6_4
    [3] L. Budaghyan, Construction and Analysis of Cryptographic Functions, Springer Publishing Company, Incorporated, 2015. https://doi.org/10.1007/978-3-319-12991-4
    [4] Y. Chen, L. Zhang, Z. Gong, W. Cai, Constructing Two Classes of Boolean Functions With Good Cryptographic Properties, IEEE Access, 7 (2019), 149657–149665. https://doi.org/10.1109/ACCESS.2019.2947367 doi: 10.1109/ACCESS.2019.2947367
    [5] C. Beierle, G. Leander, New Instances of Quadratic APN Functions, IEEE T. Inform. Theory, 68 (2022), 670–678. https://doi.org/10.1109/TIT.2021.3120698 doi: 10.1109/TIT.2021.3120698
    [6] L. Mariot, M. Saletta, A. Leporati, L. Manzoni, Heuristic search of (semi-) bent functions based on cellular automata, Natural Computing, 21 (2022), 377–391. https://doi.org/10.1007/s11047-022-09885-3 doi: 10.1007/s11047-022-09885-3
    [7] J. A. Clark, J. L. Jacob, S. Maitra, P. Stănică, Almost Boolean functions: the design of Boolean functions by spectral inversion, Computational intelligence, 20 (2004), 450–462. https://doi.org/10.1111/j.0824-7935.2004.00245.x doi: 10.1111/j.0824-7935.2004.00245.x
    [8] R. C. Bose, An affine analogue of singer's theorem, Journal of the Indian Mathematical Society, 6 (1942), 1–15.
    [9] S. Mesnager, L. Qu, On Two-to-One Mappings Over Finite Fields, IEEE T. Inform. Theory, 65 (2019), 7884–7895. https://doi.org/10.1109/TIT.2019.2933832 doi: 10.1109/TIT.2019.2933832
    [10] N. Alamati, G. Malavolta, A. Rahimi, Candidate Trapdoor Claw-Free Functions from Group Actions with Applications to Quantum Protocols, Theory of Cryptography (eds. Kiltz, E., Vaikuntanathan, V.), Springer Nature Switzerland, Cham, 2022,266–293. https://doi.org/10.1007/978-3-031-22318-1_10
    [11] T. Morimae, T. Yamakawa, Proofs of Quantumness from Trapdoor Permutations, arXiv: 2208.12390, 2022. https://doi.org/10.48550/arXiv.2208.12390
    [12] D. Bartoli, M. Giulietti, M. Timpanella, Two-to-one functions from Galois extensions, Discrete Appl. Math., 309 (2022), 194–201. https://doi.org/10.1016/j.dam.2021.12.008 doi: 10.1016/j.dam.2021.12.008
    [13] V. Idrisova, On an algorithm generating 2-to-1 APN functions and its applications to "the big APN problem", Cryptography and Communications, 11 (2019), 21–39. https://doi.org/10.1007/s12095-018-0310-9 doi: 10.1007/s12095-018-0310-9
    [14] S. Mesnager, L. Qian, X. Cao, Further projective binary linear codes derived from two-to-one functions and their duals, Designs, Codes and Cryptography, 91 (2023), 719–746. https://doi.org/10.1007/s10623-022-01122-3 doi: 10.1007/s10623-022-01122-3
    [15] C. Blondeau, K. Nyberg, Perfect nonlinear functions and cryptography, Finite Fields and Their Applications, 32 (2015), 120–147. Special Issue: Second Decade of FFA. https://doi.org/10.1016/j.ffa.2014.10.007 doi: 10.1016/j.ffa.2014.10.007
    [16] K. Drakakis, V. Requena, G. McGuire, On the Nonlinearity of Exponential Welch Costas Functions, IEEE T. Inform. Theory, 56 (2010), 1230–1238. https://doi.org/10.1109/TIT.2009.2039164 doi: 10.1109/TIT.2009.2039164
    [17] F. Chabaud, S. Vaudenay, Links between differential and linear cryptanalysis, in Advances in Cryptology — EUROCRYPT'94 (ed. A. De Santis), Springer Berlin Heidelberg, Berlin, Heidelberg, 1995,356–365. https://doi.org/10.1007/BFb0053450
    [18] D. Ruiz, C. Trujillo, Y. Caicedo, New Constructions of Sonar Sequences, International Journal of Basic & Applied Sciences, 14 (2014), 12–16.
    [19] C. Carlet, S. Picek, On the exponents of APN power functions and Sidon sets, sum-free sets, and Dickson polynomials, Adv. Math. Commun., 17 (2023), 1507–1525. https://doi.org/10.3934/amc.2021064 doi: 10.3934/amc.2021064
    [20] C. Carlet, S. Mesnager, On those multiplicative subgroups of F2n which are Sidon sets and/or sum-free sets, J. Algebr. Comb., 55 (2022), 43–59. https://doi.org/10.1007/s10801-020-00988-7 doi: 10.1007/s10801-020-00988-7
    [21] G. H. Hardy, E. M. Wright, An introduction to the theory of numbers, 5th edition, Oxford university press, 1979.
    [22] J. L. Massey, Safer K-64: A Byte-Oriented Block-Ciphering Algorithm, in Fast Software Encryption (ed. R. Anderson), Springer Berlin Heidelberg, Berlin, Heidelberg, 1994, 1–17. https://doi.org/10.1007/3-540-58108-1_1
    [23] K. Drakakis, R. Gow and G. McGuire, APN permutations on Zn and Costas arrays, Discrete Appl. Math., 157 (2009), 3320–3326. https://doi.org/10.1016/j.dam.2009.06.029 doi: 10.1016/j.dam.2009.06.029
    [24] R. M. Hakala, An upper bound for the linearity of Exponential Welch Costas functions, Finite Fields and Their Applications, 18 (2012), 855–862. https://doi.org/10.1016/j.ffa.2012.05.001 doi: 10.1016/j.ffa.2012.05.001
  • Reader Comments
  • © 2024 the Author(s), licensee AIMS Press. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0)
通讯作者: 陈斌, bchen63@163.com
  • 1. 

    沈阳化工大学材料科学与工程学院 沈阳 110142

  1. 本站搜索
  2. 百度学术搜索
  3. 万方数据库搜索
  4. CNKI搜索

Metrics

Article views(968) PDF downloads(46) Cited by(0)

Figures and Tables

Figures(4)  /  Tables(2)

Other Articles By Authors

/

DownLoad:  Full-Size Img  PowerPoint
Return
Return

Catalog