
Sidon sets have several applications in mathematics and in real-world problems, including the generation of secret keys in cryptography, error-correcting codes, and the physical problem of compression of signals in telecommunications. In particular, in cryptography, the design of cryptographic functions with optimal properties like nonlinearity and differential uniformity plays a fundamental role in the development of secure cryptographic systems. Based on the construction of Bose-type Sidon sets, in this paper we present the construction of a new cryptographic function with good properties of nonlinearity and differential uniformity.
Citation: Julian Osorio, Carlos Trujillo, Diego Ruiz. Construction of a cryptographic function based on Bose-type Sidon sets[J]. AIMS Mathematics, 2024, 9(7): 17590-17605. doi: 10.3934/math.2024855
[1] | Huaning Liu, Zhixiong Chen, Chenhuang Wu . Correlation measures of binary sequences derived from Euler quotients. AIMS Mathematics, 2022, 7(6): 11087-11101. doi: 10.3934/math.2022619 |
[2] | Cemil Tunç, Alireza Khalili Golmankhaneh . On stability of a class of second alpha-order fractal differential equations. AIMS Mathematics, 2020, 5(3): 2126-2142. doi: 10.3934/math.2020141 |
[3] | Mohammad Mazyad Hazzazi, Gulraiz, Rashad Ali, Muhammad Kamran Jamil, Sameer Abdullah Nooh, Fahad Alblehai . Cryptanalysis of hyperchaotic S-box generation and image encryption. AIMS Mathematics, 2024, 9(12): 36116-36139. doi: 10.3934/math.20241714 |
[4] | Muhammad Sajjad, Tariq Shah, Huda Alsaud, Maha Alammari . Designing pair of nonlinear components of a block cipher over quaternion integers. AIMS Mathematics, 2023, 8(9): 21089-21105. doi: 10.3934/math.20231074 |
[5] | Adil Waheed, Fazli Subhan, Mazliham Mohd Suud, Muhammad Yasir Hayat Malik, Alina Mirza, Farkhanda Afzal . Construction of nonlinear component of block cipher using coset graph. AIMS Mathematics, 2023, 8(9): 21644-21667. doi: 10.3934/math.20231104 |
[6] | Hafeez Ur Rehman, Mohammad Mazyad Hazzazi, Tariq Shah, Amer Aljaedi, Zaid Bassfar . Color image encryption by piecewise function and elliptic curve over the Galois field $ {G}{F}\left({2}^{{n}}\right) $. AIMS Mathematics, 2024, 9(3): 5722-5745. doi: 10.3934/math.2024278 |
[7] | Narongrit Kaewbanjak, Watcharin Chartbupapan, Kamsing Nonlaopon, Kanit Mukdasai . The Lyapunov-Razumikhin theorem for the conformable fractional system with delay. AIMS Mathematics, 2022, 7(3): 4795-4802. doi: 10.3934/math.2022267 |
[8] | Huawei Huang, Xin Jiang, Changwen Peng, Geyang Pan . A new semiring and its cryptographic applications. AIMS Mathematics, 2024, 9(8): 20677-20691. doi: 10.3934/math.20241005 |
[9] | Samer Al Ghour . On some types of functions and a form of compactness via $ \omega _{s} $-open sets. AIMS Mathematics, 2022, 7(2): 2220-2236. doi: 10.3934/math.2022126 |
[10] | B. B. Jena, S. K. Paikray, S. A. Mohiuddine, Vishnu Narayan Mishra . Relatively equi-statistical convergence via deferred Nörlund mean based on difference operator of fractional-order and related approximation theorems. AIMS Mathematics, 2020, 5(1): 650-672. doi: 10.3934/math.2020044 |
Sidon sets have several applications in mathematics and in real-world problems, including the generation of secret keys in cryptography, error-correcting codes, and the physical problem of compression of signals in telecommunications. In particular, in cryptography, the design of cryptographic functions with optimal properties like nonlinearity and differential uniformity plays a fundamental role in the development of secure cryptographic systems. Based on the construction of Bose-type Sidon sets, in this paper we present the construction of a new cryptographic function with good properties of nonlinearity and differential uniformity.
The security of the block cipher in symmetric cryptography, is based, in some cases, on vectorial Boolean functions Fn2→Fm2 called substitution boxes (S-Box), which satisfy the properties of high nonlinearity and low differential uniformity that make those functions resistant to the linear cryptanalysis and differential cryptanalysis introduced by Mitsuru Matsui in [1], and Eli Biham and Adi Shamir in [2], respectively. The main ideas in those cryptanalyses are (i) to approximate the vectorial Boolean function by using affine functions, and (ii) to analyze how the differences in the input can affect the resulting difference in the output. Functions with high nonlinearity and low differential uniformity are highly resistant to the two cryptanalysis methods mentioned above. The notion of nonlinearity and differential uniformity can be generalized to algebraic structures other than Fn2, which allow us to talk about the nonlinearity and differential uniformity of functions between any two finite Abelian groups.
The designing and construction of cryptographic functions resistant to attacks is a complex task, and often based on algebraic methods, random generation, and heuristic designs [3,4,5,6]. Each of these methods has advantages and disadvantages over most of the desirable properties of a cryptographic function; for instance, with algebraic constructions, we analyze what properties the functions satisfy, but with heuristic designs, we obtain functions with several properties from their construction [7]. However, if we consider an application from Fn2 to Fm2, then there are 2m2n functions; that is, there exist many even in a few variables, which implies a hard problem in a computational search. The abundance of vectorial Boolean functions suggests to us that it is usually impossible to solve the problem of the construction of "good" cryptographic functions using only computational searching, and so it is necessary to introduce more effective methods to design new and better vectorial Boolean functions that can be efficiently implemented in electronic devices [3].
Functions between two Abelian finite groups A and B with the same cardinality and the smallest possible nonlinearity are called perfect nonlinear (PN) functions. These functions are related to Sidon sets (a subset of an additive group with the property that all sums of two elements in this set are different), since a function is APN if and only if its associated graph is a Sidon set in the product group A×B. This is one of the reasons we focus on an algebraic construction to introduce new cryptographic functions that arise from the construction of a finite Sidon set due to Bose [8]. The main contribution of this paper is the construction of a new set of functions with good linear and differential properties based on the construction of Sidon sets. This set of functions is 2-to-1, that is, functions in which each output value has zero or two possible preimages [9]. We know that 2-to-1 functions play an important role in cryptography because they can be used to create reversible functions that are not 1-to-1, which can make it harder for attackers to break encryption schemes or find collisions in hash functions [10,11]. Moreover, they are often used in the construction of APN functions, bent functions, and binary linear codes [12,13,14].
The remainder of this paper is as follows: Section 2 introduces definitions related to differential uniformity and nonlinearity in Abelian groups. Section 3 presents the construction of our function and some of its properties, including differential uniformity and symmetry. We then illustrate its linearity, and list the number of functions that exist for each n∈N based on our construction. Finally, Section 4 presents some conclusions and future research directions.
The resistance of functions to cryptanalysis is characterized by two quantities: (ⅰ) nonlinearity, which measures the resistance of a function to linear cryptanalysis, and (ⅱ) differential uniformity, which measures the resistance of a function to differential cryptanalysis. So, we want to construct cryptographic functions with optimal nonlinearity and differential uniformity properties, concepts introduced in this section.
Let A and B denote two non-empty Abelian groups.
Definition 2.1. Let f:A→B be a function and let a∈A. The derivative of f in a is the function
Daf:A→Bx↦f(x+a)−f(x). |
A differential of f with input difference a and output difference b is given by
f(x+a)−f(x)=b. | (2.1) |
The number of solutions to (2.1) is denoted by δ(a,b), that is
δ(a,b)=|{x∈A:f(x+a)−f(x)=b}|. |
Now, if Δf denotes the positive integer
Δf=maxa∈A∖{0}(b∈Bδ(a,b), |
then f is said to be differentially Δf−uniform. Note that Δf≥|A|/|B|. In particular, if Δf=|A|/|B|, then f is called a perfect nonlinear (PN) function [15]. Note also that if |A|=|B|, then Δf=1, which implies that (2.1) has one solution. We know that PN functions do not exist in fields of characteristic 2, since if x satisfies f(x+a)−f(x)=b, then so does x+a. This is the reason for introducing the following definition:
Definition 2.2. A function f is an almost perfect nonlinear (APN) function if Δf=2|A|/|B|.
In particular, note that if |A|=|B|, then Δf=2, that is, (2.1) has at most two solutions [15].
If we consider a Boolean function f:Fn2→F2 of n variables, then the nonlinearity NL(f) of f is the minimum Hamming Distance* between f and all affine functions φa(x)=a⋅x+c, with a∈Fn2 and c∈F2. That is
*The Hamming Distance between f and g is d(f,g)=|{x∈Fn2; f(x)≠g(x)}|.
NL(f)=mina∈Fn2d(f,φa). |
However, an equivalent concept to nonlinearity that uses a special case of the discrete Fourier transform called the Walsh transform (or Walsh–Hadamard transform) is a useful tool when we want to study the nonlinearity of a function.
Now, consider A=Zq and B=Zr for the q and r integers. Let ωq∈C and ωr∈C denote the q−th and r−th roots of unity in C. The expression x↦ωaxq defines a character in Zq for all a∈Zq. Similarly, the set of characters in Zr for all b∈Zr is defined by y↦ωbyr [15].
Definition 2.3. The Walsh–Hadamard transform of f:Zq→Zr at a∈Zq and b∈Zr is defined as
ˆf(a,b)=∑x∈Aωbf(x)r¯ωaxq, |
where ¯ωq is the complex conjugate of ωq.
For the different possible parameter values (a,b), this formula compares every constant multiple of f against every linear function ax; the greatest value is indicative of the closeness of f to such a linear function, so the Walsh–Hadamard transform helps us measure the nonlinearity of a function f according to the following definition:
Definition 2.4. The linearity of a function f:Zq→Zr is defined by
L(f)=max0≤a<q(0<b<r|ˆf(a,b)|. |
From [16], we know that if f:Zq→Zr, then √q≤L(f)≤q. Functions that reach the lower bound have optimal linearity and are called bent functions.
Definition 2.5. Let f:Zq→Zr. We define the nonlinearity of f by
NL(f)=|Zq|−L(f)|Zr|=q−L(f)r. |
Note that nonlinearity actually measures the distance between f and all linear affine functions. Furthermore, also that NL(f)=0 if and only if f is an affine linear function. It is clear that a bijection and its inverse have the same nonlinearity [16].
Finally, from [17], we know that a function f:Fn2→Fm2, with n≥2m and n even, is perfect nonlinear if and only if it is bent.
In this section, we present the construction of our function, which is based on the construction of Sidon sets due to Bose [8].
Let G denote an additive group. A set A⊆G is a Sidon set in G if, for all a,b,c,d∈A, we have
a+b=c+d⇒{a,b}={c,d}. |
That is, A is a Sidon set if all the sums of two elements of A are different. Since a+b=c+d if and only if a−c=d−b, Sidon sets can also be defined as those with the property that all nonzero differences of pairs of elements are distinct. In particular, the construction of Sidon sets due to Bose is as follows [8].
Theorem 3.1. Let q=pn with p a prime number and n∈N. Let (Fq,+,⋅) be the finite field with q elements, and Fq2 be an algebraic extension of degree two over Fq. If θ is a primitive element of Fq2, then
Bq(θ)=logθ(θ+Fq):={logθ(θ+a):a∈Fq} | (3.1) |
is a Sidon set in Zq2−1 with q elements.
From [18], we know that the set θ+Fq is a Sidon set with q elements in the multiplicative group F∗q2. Furthermore, we know that isomorphisms preserve the Sidon property, so using the discrete logarithm in base θ, we verify that set the Bq(θ) is a Sidon set with q elements in the group Zq2−1, which illustrates a proof of Theorem 3.1.
Example 3.1. Let q=24. If we take the primitive element θ over F2 such that θ8+θ4+θ3+θ2+1=0, then we can construct the Sidon set in Z255 given by
B24(θ)={1,3,16,25,41,48,62,90,145,146,157,165,217,223,227,253}. |
According to the work in [18], we know that Bq(θ) satisfies the following properties, where [1,q] denotes the set of integers {1,…,q}.
Proposition 3.1. If Bq(θ) is the set in (3.1), then
B1) If b∈Bq(θ), then b≢0mod(q+1).
B2) If a,b∈Bq(θ) and a≠b, then a≢bmod(q+1).
B3) Bq(θ)mod(q+1):={amod(q+1):a∈Bq(θ)}=[1,q].
Proof. We verify property B2) by contradiction. Suppose a≡bmod(q+1), that is, there exists n∈Z such that a−b=n(q+1). Note that θq+1 generates F∗q, so θa−b=θn(q+1)∈F∗q. Now, let a,b∈Bq(θ), there exist k1,k2∈Fq with k1≠k2, such that a=logθ(θ+k1) and b=logθ(θ+k2), implying that θa=θ+k1 and θb=θ+k2. Thus, θa−b=(θ+k1)/(θ+k2). Since θa−b∈F∗q, there exists c∈F∗q such that (θ+k1)/(θ+k2)=c. So, (1−c)θ=ck2−k1. Because c≠1, then θ=(ck2−k1)(1−c)−1∈F∗q, which is a contradiction.
Proposition 3.1 means that for each x∈[1,q], we can find a unique b∈Bq(θ) such that bmod(q+1)=x, i.e., there exists a bijective relationship between the sets [1,q] and Bq(θ)mod(q+1).
The authors in [19,20] describe the following relationship between Sidon sets and APN functions: A function F:Fn2→Fn2 is APN if and only if the set GF={(x,F(x)):x∈Fn2} is a Sidon set in the group (Fn2×Fn2,+). It is common to refer to GF as the graph of F. This relationship gives us an idea of how to construct cryptographic functions from known constructions of Sidon sets on finite Abelian groups, that is, we take Sidon sets in one dimension and try to put them in two dimensions via some transformation that preserves the Sidon property; in particular, we use the isomorphism guaranteed by the Chinese remainder theorem to put the set Bq(θ) in two dimensions.
Note that if q=2n, then we have that gcd(q+1,q−1)=1, and so by the Chinese remainder theorem, we have that Zq2−1 is isomorphic to Zq+1×Zq−1. So if Bq(θ) is a Sidon set given by (3.1), then each element b∈Bq(θ) can be represented as an ordered pair in Zq+1×Zq−1 as follows:
(bmod(q+1),bmod(q−1)). | (3.2) |
According to Proposition 3.1, B3), note that if we run b in Bq(θ), then the set of first coordinates of pair (3.2) coincides with the set [1,q]; it allows us to define a set of functions with a common domain [1,q], which, when endowed with the sum modulo q, can be identified with Zq, that is ([1,q],+modq)≡Zq. The co-domain of this set of functions is obtained by reducing the set Bq(θ) modulo q−1, as indicated by the second coordinate of the pair (3.2). This set of functions is our main contribution to this work, and they have, in particular, properties of symmetry, good differential uniformity, and good nonlinearity. Moreover, since Proposition 3.1 is valid for all q, we observe that if q=pn with p>2, then the construction of these functions is still valid and their properties are preserved, except for good nonlinearity.
Definition 3.1. Let Bq(θ) be a Sidon set defined by (3.1). Identify the set [1,q] with the group Zq and consider Bq(θ)mod(q−1)⊆Zq−1. Define the function fq:Zq→Zq−1 as
fq(x)=bmod(q−1), | (3.3) |
for b∈Bq(θ) such that bmod(q+1)=x.
We denote the range of fq as the sequence R(fq)=[fq(x)]. The function fq can be constructed based on the following procedure, where step 2 is valid because of Proposition 3.1, B2).
Step 1. Take x∈Zq.
Step 2. Find the unique b∈Bq(θ) such that b≡xmod(q+1).
Step 3. Take fq(x)=bmod(q−1).
Note that b depends on x, so we can denote b as bx. In this way, the diagram in Figure 1 illustrates the procedure described above.
Example 3.2. Let
B24(θ)={1,3,16,25,41,48,62,90,145,146,157,165,217,223,227,253} |
be the Sidon set in Example 3.1. We construct the function f16:Z16→Z15 as follows:
● If x=1, then b=1∈B24(θ) satisfies 1mod17=1, which implies that f16(1)=1mod15=1.
● If x=2, then b=223∈B24(θ) is the unique element that satisfies 223mod17=2, which implies that f16(2)=223mod15=13.
● If x=3, then b=3∈B24(θ) satisfies 3mod17=3, and so f16(3)=3mod15=3.
● If x=4, then b=157∈B24(θ) is the unique element that satisfies 157mod17=4, which implies that f16(4)=157mod15=7.
● We repeat the above procedure for the other elements of Z16.
Figure 2 illustrates the function f16:Z16→Z15 with a range given by
R(f16)=[1,13,3,7,0,2,11,10,10,11,2,0,7,3,13,1]. |
Note that we take 0:=16 in Z16, so Figure 2 shows a clear symmetry in the range of the function f16. In general, we have the following result:
Theorem 3.2. If fq:Zq→Zq−1 is the function defined in (3.3), then for all x∈Zq we have
i) fq(x)=fq(q+1−x).
ii) fq((q+1)/2+x)=fq((q+1)/2−x) for p>2 (i.e., fq is symmetric with respect to x=(q+1)/2).
Proof. ⅰ) Let x,q+1−x∈[1,q]. Assume that
fq(x)=r≡b1mod(q−1),fq(1−x)=s≡b2mod(q−1), |
with b1,b2∈Bq(θ). According to the definition of fq, we know that
b1≡xmod(q+1),b2≡q+1−xmod(q+1). |
Consider the following two cases:
Case 1. If b1=b2, then q+1−x≡xmod(q+1). Since 1≤x,q+1−x≤q<q+1 we have that q+1−x=x, or x=(q+1)/2 (only for q odd), which implies fq(x)=fq(q+1−x), that is, r=s.
Case 2. If b1≠b2, then there are k1,k2∈Fq with k1≠k2 such that
b1=logθ(θ+k1),b2=logθ(θ+k2), |
that is
b1−b2=logθ(θ+k1)−logθ(θ+k2)=logθ(θ+k1θ+k2). |
Let γ:=θb1−b2=θ+k1θ+k2. Note that γ≠1, since otherwise k1=k2. Moreover, γ∉F∗q because θ is a primitive element over Fq of degree two, so γ∈F∗q2∖F∗q. Because F∗q and ⟨θq−1⟩ (the group generated by θq−1) are two subgroups of F∗q2 that only intersect at 1 if q is even or ±1 if q is odd, and because γ∉F∗q, we have that γ∈⟨θq−1⟩. Therefore, there exists t∈Z such that γ=θt(q−1), from which θb1−b2=θt(q−1). Since b1−b2≡r−smod(q−1), then b1−b2=n(q−1)+(r−s) for some n∈Z, implying that
θn(q−1)+(r−s)=θt(q−1), |
from which n(q−1)+(r−s)≡t(q−1)mod(q2−1), that is, (r−s)≡0mod(q−1). Because 0≤r,s<q−1 we have that r=s.
ⅱ) Is similar to the proof of ⅰ).
Now, we know in Zq that −x=q−x, so in Zq+1 and for b1,b2∈Bq(θ), we have
b1mod(q+1)+b2mod(q+1)=x+1+q−x=0 |
in Zq+1. That is, b1+b2≡0mod(q+1) and b1−b2≡0mod(q−1). The following corollary formalizes this property, in which the system of congruences is a particular case of the multivariable Chinese Remainder theorem.
Corollary 3.1. For a given x∈Bq(θ), there exist a y∈Bq(θ) not necessarily different from x such that
{x+y≡0mod(q+1)x−y≡0mod(q−1). |
Example 3.3. Let
B24(θ)={1,3,16,25,41,48,62,90,145,146,157,165,217,223,227,253} |
be the Sidon set in Example 3.1. Table 1 illustrates Corollary 3.1.
x+y≡0mod17 | x−y≡0mod15 |
16+1 | 16−1 |
48+3 | 48−3 |
145+25 | 145−25 |
146+41 | 146−41 |
227+62 | 227−62 |
165+90 | 165−90 |
217+157 | 217−157 |
253+223 | 253−223 |
Note that Theorem 3.2 establishes that fq(x) is symmetric and consequently a 2-to-1 function according to the next definition [9].
Definition 3.2. Let A and B be two finite sets, and let f be a mapping from A to B. Function f is called a 2-to-1 mapping if one of the following two cases holds:
i) |A| is even, and for any b∈B, it has either 2 or 0 preimages of f.
ii) |A| is odd, and for all but one b∈B, it has either 2 or 0 preimages of f, and the exception element has exactly one preimage.
From Theorem 3.2, ⅰ), note that the conditions of Definition 3.2 are satisfied, and from Theorem 3.2, ⅱ), the exception element is 2−1modq=q+12. It implies the next corollary.
Corollary 3.2. For all prime numbers p and all n∈N, the function fq is 2-to-1.
One important property in cryptographic applications is low differentiability, since functions with low differential uniformity are resistant to differential attacks [2]. Fortunately, the function fq has this property, as we demonstrate in the following theorem.
Theorem 3.3. For all prime numbers p and all n∈N, the function fq is differentially 2-uniform.
Proof. Let a∈Zq∖{0} and b∈Zq−1. Consider the equation
fq(x+a)−fq(x)=b. | (3.4) |
From the definition of fq we know that there exist b1,b2∈Bq(θ) such that
b1mod(q+1)=x+a,b2mod(q+1)=x, |
which implies that b1+b2≡2x+amod(q+1), and so there exists m∈N such that
b1+b2=(q+1)m+2x+a. | (3.5) |
Note also from the definition of fq that
fq(x+a)=b1mod(q−1),fq(x)=b2mod(q−1), |
so (3.4) is equivalent to b1−b2≡bmod(q−1), that is, there exists n∈N such that
b1−b2=(q−1)n+b, | (3.6) |
and thus, from (3.5) and (3.6), we have
2x=(q−1)n−(q+1)m+2b2+b−a. |
That is
2x≡−2m+2b2+b−amod(q−1). | (3.7) |
So far, we have proved that (3.4) is equivalent to (3.7). Next, to show that (3.4) has at most 2 solutions, we consider the following cases for q:
1) If q=2n, then gcd(2,q−1)=1, and so (3.7) has one solution.
2) If q=pn and p≠2, then gcd(2,q−1)=2, but note that 2|(−2m+2b2+b−a) if and only if 2|(b−a). So it is sufficient to find b∈Zq−1 and a∈Zq∖{0} such that b−a is an even number to guarantee that (3.7) has exactly two solutions.
Note that the function fq depends on the Sidon set Bq(θ) given in (3.1); thus, if we want to count the functions fq we must first count the sets Bq(θ). Note also that for a fixed q=pn, the construction of the Sidon set Bq(θ) depends on a primitive element θ∈F∗q2, so we can wonder about the behavior of these sets when we vary the primitive element within the field. We have the following:
Theorem 3.4. If α and θ are conjugates, then Bq(θ)=Bq(α).
Proof. If α and θ are conjugates, then α=θpi for some i∈{1,…,2n−1}. Let logα(α+a)∈Bq(α). Since αq+1 generates F∗pn there exists m∈Z such that a=αm(q+1)=θm(q+1)pi, thus
logα(α+a)=logθpi(θpi+θm(q+1)pi)=logθpi(θ+θm(q+1))pi=pi⋅logθpi(θ+θm(q+1)). | (3.8) |
Note that θq+1 also generates F∗pn, so b:=θm(q+1)∈F∗pn. If we apply the base interchange formula on the right side of (3.8), then
pi⋅logθpi(θ+θm(q+1))=pi⋅logθpiθ⋅logθ(θ+b)=pi(pi)−1⋅logθ(θ+b)=logθ(θ+b). |
Therefore, logα(α+a)∈Bq(θ), which implies that Bq(α)⊆Bq(θ). Now, because |Bq(α)|=|Bq(θ)|, we have that Bq(α)=Bq(θ).
Computational calculations indicate that the reciprocal of Theorem 3.4 is valid, but its proof is strongly related to the theory of multipliers on relative difference sets, of which we do not know the solution. So we conjecture the following:
Conjecture 3.1. If Bq(θ)=Bq(α), then α and θ are conjugates.
Theorem 3.4 helps us to establish an upper bound for the number of different Bose-type Sidon sets that exist for each p≥2 and n≥1, and since the construction of our set of functions depends on these sets, it will also help us to establish an upper bound for the number of different functions fq that exist.
Theorem 3.5. Let q=pn. For each p≥2 and each n∈N, there exist at most φ(q2−1)/2n different Sidon sets Bq(θ).
Proof. Note that, if θ is a primitive element of Fq2 over Fp, then its 2n conjugates θ,θp,…,θp2n−1 are also primitives, so from Theorem 3.4, it generates the same Sidon set Bq(θ). Furthermore, because there are φ(q2−1) primitive elements in Fq2 (φ is Euler's phi function), we have that actually there exist φ(q2−1)/2n different primitive elements that are not conjugated to each other, thus these primitive elements generate at most φ(q2−1)/2n different Sidon sets Bq(θ).
Note that if Conjecture 3.1 is true, then we obtain the equality in Theorem 3.5 since the φ(q2−1)/2n different primitive elements not conjugate with each other would generate exactly φ(q2−1)/2n sets Bq(θ).
Lemma 3.1. Let p>2 and θ be a primitive element of Fp2. If c=p2−12+p, then θc=θ+b for some b∈Fp∖{0}.
Proof. Note that gcd(c,p2−1)=1, so θc is another primitive element of Fp2, implying that θc=aθ+b for some a,b∈Fp∖{0}. Note also that θc=−θp, from which θp=−aθ−b, and so θp+θ=(1−a)θ−b. Because θp+θ∈Fp, we have a=1.
Theorem 3.6. Let p>2 and t≤φ(p2−1)/2. Let A={Bp(θi):i=1,…,t} be the collection of the t different Bose-type Sidon sets. For each Bp(θi)∈A there exist Bp(θj)∈A, with i≠j such that
Bp(θi)mod(p−1)=Bp(θj)mod(p−1). |
Proof. Let θi be a primitive element such that Bp(θi)∈A and c=p2−12+p. Take j=ic and note that Bp(θj)∈A because θj is also a primitive element; moreover, Bp(θj)≠Bp(θi) since otherwise θj and θi would be conjugates, which is not possible. Now, from Lemma 1, we have that
θj=(θi)c=θi+b | (3.9) |
for some b∈Fp∖{0}. Now, if logθj(θj+k0)∈Bp(θj) for some k0∈Fp, then from (3.9) we have that
logθj(θj+k0)=logθj(θi+b+k0)=logθj(θi+k1) |
for k1∈Fp. If we apply the base interchange formula, then
logθj(θj+k0)=logθjθi⋅logθi(θi+k1)=j−1i⋅logθi(θi+k1)=c−1⋅logθi(θi+k1), |
so
clogθj(θj+k0)=logθi(θi+k1), |
that is
clogθj(θj+k0)∈Bp(θi). |
This implies that cBp(θj)⊆Bp(θi), and because |cBp(θj)|=|Bp(θi)|, we have proof that cBp(θj)=Bp(θi), and so Bp(θj)mod(p−1)=Bp(θi)mod(p−1).
Note again that if Conjecture 3.1 is true, then we could guarantee uniqueness in the set Bp(θj)∈A. The objective of this section was to count the functions fq, so, in the following theorem, we establish an upper bound for the number of functions for q=2n and q=p.
Theorem 3.7. Let q=pn with n∈N. For p=2, there exist at most φ(q2−1)/2n different functions fq, and for p>2 and n=1, there exist at most φ(p2−1)/4 different functions fp.
Proof. If p=2, then by the Chinese remainder theorem we have that Zq2−1 is isomorphic to Zq+1×Zq−1 (denoted by Zq2−1≡Zq+1×Zq−1), and because Sidon's property is preserved under isomorphism [18], from (3.2) we have that
Bq(θ)≡(Bq(θ)mod(q+1),Bq(θ)mod(q−1))=(dom(fq),ran(fq)), |
and the result follows from Theorem 3.5.
Now, if p>2 and n=1, then we simply put the set Bp(θ) in the group Zp+1×Zp−1 as
(Bp(θ)mod(p+1),Bp(θ)mod(p−1))=(dom(fp),ran(fp)), |
and the result follows from Theorem 3.5 and Theorem 3.6.
Example 3.4. Note that if q=2n, then gdc(q−1,q+1)=1, and φ(q2−1)/2n=φ(q−1)φ(q+1)/2n, which facilitates the counting of the functions fq. For instance, for q=24, there exists φ(15)φ(17)/8=16 different functions given by
[1,13,3,7,0,2,11,10,10,11,2,0,7,3,13,1],[1,7,12,4,3,14,11,13,13,11,14,3,4,12,7,1],[1,4,14,10,2,0,6,7,7,6,0,2,10,14,4,1],[1,0,8,13,11,14,5,9,9,5,14,11,13,8,0,1],[1,2,9,4,6,3,12,8,8,12,3,6,4,9,2,1],[1,7,2,4,8,9,6,13,13,6,9,8,4,2,7,1],[1,12,14,4,11,8,2,3,3,2,8,11,4,14,12,1],[1,13,8,7,5,12,6,10,10,6,12,5,7,8,13,1],[1,10,5,13,14,3,6,4,4,6,3,14,13,5,10,1],[1,4,9,10,12,5,11,7,7,11,5,12,10,9,4,1],[1,5,3,13,6,9,0,14,14,0,9,6,13,3,5,1],[1,14,0,10,6,12,9,2,2,9,12,6,10,0,14,1],[1,9,5,10,11,2,14,12,12,14,2,11,10,5,9,1],[1,3,2,7,11,5,8,0,0,8,5,11,7,2,3,1],[1,10,0,13,9,8,11,4,4,11,8,9,13,0,10,1],[1,8,12,7,6,0,3,5,5,3,0,6,7,12,8,1]. |
From [21, Chapter 18], we know that lim supφ(n)/n=1, which means that the order of φ(n) is nearly n, that is,
φ(q2−1)2n≈q2−12n. |
So for p=2 and n sufficiently large, we conclude that there exist approximately 22n/2n functions fq. Moreover, from [21, Theorem 328], we know that the function φ(n) satisfies
lim infn→∞φ(n)nloglogn=e−γ, | (3.10) |
where γ is the Euler–Mascheroni constant. So for q=2n, (3.10) implies that φ(q2−1)/2n is bounded below by
22n2neγloglog22n, |
this expression is equivalent to
22n(2eγ+εn)nlogn |
with εn→0 when n→∞. Hence, for q=2n, we have that the number of functions fq is at least
22n(2eγ+εn)nlogn, |
if n is large enough. For p>2 and n=1, similar formulas can be derived.
This section illustrates the linearity of fq. We know for α≠0 that |ˆfq(q−α,(q−1)−β)|=|ˆfq(α,β)|, which, together with Theorem 3.2, reduces by a factor of approximately 4 the number of points required to calculate the linearity of fq. With this fact and the fast Fourier transform, we illustrate in Figures 3 and 4 the linearity of fq for q=p with 2<p<20000 and q=2n with 2≤n≤16. Figure 3b illustrates that the approximation of linearity has a slope of around 0.64, which leads us to conjecture that the linearity of fp is bounded below by an affine function that depends on p; unfortunately, this implies that L(fp) would be asymptotically closer to the upper bound, that is, fp is closer to being a linear function.
But when q=2n, our simulations show a more interesting behavior. For example, for values of n∈{4,5,6,7,8}, important in cryptographic applications, the linearity of f2n is closer to the lower bound, as shown in Figure 4a and Table 2, implying that f2n has high nonlinearity. Figure 4b illustrates, by means of an exponential regression with a coefficient of determination of r2=0.998, that for values of n greater than 16, the behavior of the linearity of f2n tends to remain.
n | Lower bound | L(f2n) | Upper bound |
4 | 4 | 6, 00776721665963 | 16 |
5 | 5, 65685425 | 9, 76163585008853 | 32 |
6 | 8 | 15, 7984554517002 | 64 |
7 | 11, 3137085 | 23, 1605616207365 | 128 |
8 | 16 | 33, 7779991765064 | 256 |
Now, when we compare the cases q=2n and q=p with p>2, we suspect that the loss of linearity for the second case is due to the fact that there is no an isomorphism between Zp2−1 and Zp+1×Zp−1. Furthermore, note that this behavior still remains when q=pn with p>2 and n>1.
Our contribution in this work is the construction of a new set of functions that are 2-to-1 functions and differentially 2-uniform, which, for the case q=2n, present an asymptotic behavior close to the trivial lower bound for its linearity, that is, the asymptotic nonlinearity of function fq is high. The number of functions that exist for each n, with p=2, is of the order 22n/2n, and for n=1 and p>2, it is of the order p2/4, so this set of functions grows rapidly as n and p increase, respectively.
Due to the particular way in which we define our function fq, we cannot establish nontrivial bounds for its linearity, so this problem remains open. For instance, through linear and exponential regression, respectively, we conjecture that, i) for q=p, there exist two constants 0.5<α<1 and 0<β<0.5 such that L(fp)≥αp+β, and ii) for q=2n, there exist two constants γ>1 and 0<μ<1 such that L(f2n)≤γeμn. Moreover, note that in this work we emphasize the study of two cases; first, when q=2n due to the isomorphism between Zq2−1 and Zq+1×Zq−1, and second, when q=p; but the case q=pn with p>2 and n>1 was not studied in detail, so it remains open to study what other properties the function fpn satisfies for this case. For instance, we conjecture from Theorem 3.7 that the number of functions fq that exist for q=pn with p>2 and n>1 is equal to φ(q2−1)/4n, but for proof of this, it is necessary to generalize Lemma 1 and Theorem 3.6 for that case.
Some ciphers, such as SAFER [22], use non-binary transformations with "high nonlinearity" and optimal differential uniformity, known in the literature as exponential Welch Costas (EWC) and logarithmic Welch Costas (LWC) functions [16,23,24]. Given that for the case q=2n, the characteristics of our function are similar to those of these functions, we raised concern about the possibility of using our function in a cipher like SAFER.
Julian Osorio: Writing – original draft, Writing – review & editing, Conceptualization, Formal analysis, Investigation; Carlos Trujillo: Conceptualization, Formal analysis, Investigation; Diego Ruiz: Writing – original draft, Writing – review & editing, Conceptualization, Formal analysis, Investigation. All authors have read and approved the final version of the manuscript for publication.
The authors declare they have not used Artificial Intelligence (AI) tools in the creation of this article.
Authors would like to thank the Universidad del Cauca for funding this paper, and the reviewers for the important feedback, which helped us to improve the quality of this paper. The first author would like to thank MINCIENCIAS (Colombia) for supporting his doctoral studies through "Convocatoria del fondo de ciencia, tecnología e innovación del sistema general de regalías para conformación de una lista de proyectos elegibles para ser viabilizados, priorizados y aprobados por el OCAD en el marco del programa de becas de excelencia doctoral del bicentenario (No. BB 2019 01)."
The authors declare no conflict of interest in this paper.
[1] | M. Matsui, A. Yamagishi, A New Method for Known Plaintext Attack of FEAL Cipher, in Advances in Cryptology — EUROCRYPT' 92 (ed. Rueppel, R.A.), Springer Berlin Heidelberg, Berlin, Heidelberg, 1993, 81–91. https://doi.org/10.1007/3-540-47555-9_7 |
[2] | E. Biham, A. Shamir, Differential Cryptanalysis of DES Variants, Differential Cryptanalysis of the Data Encryption Standard, Springer New York, New York, NY, 1993, 33–77. https://doi.org/10.1007/978-1-4613-9314-6_4 |
[3] | L. Budaghyan, Construction and Analysis of Cryptographic Functions, Springer Publishing Company, Incorporated, 2015. https://doi.org/10.1007/978-3-319-12991-4 |
[4] |
Y. Chen, L. Zhang, Z. Gong, W. Cai, Constructing Two Classes of Boolean Functions With Good Cryptographic Properties, IEEE Access, 7 (2019), 149657–149665. https://doi.org/10.1109/ACCESS.2019.2947367 doi: 10.1109/ACCESS.2019.2947367
![]() |
[5] |
C. Beierle, G. Leander, New Instances of Quadratic APN Functions, IEEE T. Inform. Theory, 68 (2022), 670–678. https://doi.org/10.1109/TIT.2021.3120698 doi: 10.1109/TIT.2021.3120698
![]() |
[6] |
L. Mariot, M. Saletta, A. Leporati, L. Manzoni, Heuristic search of (semi-) bent functions based on cellular automata, Natural Computing, 21 (2022), 377–391. https://doi.org/10.1007/s11047-022-09885-3 doi: 10.1007/s11047-022-09885-3
![]() |
[7] |
J. A. Clark, J. L. Jacob, S. Maitra, P. Stănică, Almost Boolean functions: the design of Boolean functions by spectral inversion, Computational intelligence, 20 (2004), 450–462. https://doi.org/10.1111/j.0824-7935.2004.00245.x doi: 10.1111/j.0824-7935.2004.00245.x
![]() |
[8] | R. C. Bose, An affine analogue of singer's theorem, Journal of the Indian Mathematical Society, 6 (1942), 1–15. |
[9] |
S. Mesnager, L. Qu, On Two-to-One Mappings Over Finite Fields, IEEE T. Inform. Theory, 65 (2019), 7884–7895. https://doi.org/10.1109/TIT.2019.2933832 doi: 10.1109/TIT.2019.2933832
![]() |
[10] | N. Alamati, G. Malavolta, A. Rahimi, Candidate Trapdoor Claw-Free Functions from Group Actions with Applications to Quantum Protocols, Theory of Cryptography (eds. Kiltz, E., Vaikuntanathan, V.), Springer Nature Switzerland, Cham, 2022,266–293. https://doi.org/10.1007/978-3-031-22318-1_10 |
[11] | T. Morimae, T. Yamakawa, Proofs of Quantumness from Trapdoor Permutations, arXiv: 2208.12390, 2022. https://doi.org/10.48550/arXiv.2208.12390 |
[12] |
D. Bartoli, M. Giulietti, M. Timpanella, Two-to-one functions from Galois extensions, Discrete Appl. Math., 309 (2022), 194–201. https://doi.org/10.1016/j.dam.2021.12.008 doi: 10.1016/j.dam.2021.12.008
![]() |
[13] |
V. Idrisova, On an algorithm generating 2-to-1 APN functions and its applications to "the big APN problem", Cryptography and Communications, 11 (2019), 21–39. https://doi.org/10.1007/s12095-018-0310-9 doi: 10.1007/s12095-018-0310-9
![]() |
[14] |
S. Mesnager, L. Qian, X. Cao, Further projective binary linear codes derived from two-to-one functions and their duals, Designs, Codes and Cryptography, 91 (2023), 719–746. https://doi.org/10.1007/s10623-022-01122-3 doi: 10.1007/s10623-022-01122-3
![]() |
[15] |
C. Blondeau, K. Nyberg, Perfect nonlinear functions and cryptography, Finite Fields and Their Applications, 32 (2015), 120–147. Special Issue: Second Decade of FFA. https://doi.org/10.1016/j.ffa.2014.10.007 doi: 10.1016/j.ffa.2014.10.007
![]() |
[16] |
K. Drakakis, V. Requena, G. McGuire, On the Nonlinearity of Exponential Welch Costas Functions, IEEE T. Inform. Theory, 56 (2010), 1230–1238. https://doi.org/10.1109/TIT.2009.2039164 doi: 10.1109/TIT.2009.2039164
![]() |
[17] | F. Chabaud, S. Vaudenay, Links between differential and linear cryptanalysis, in Advances in Cryptology — EUROCRYPT'94 (ed. A. De Santis), Springer Berlin Heidelberg, Berlin, Heidelberg, 1995,356–365. https://doi.org/10.1007/BFb0053450 |
[18] | D. Ruiz, C. Trujillo, Y. Caicedo, New Constructions of Sonar Sequences, International Journal of Basic & Applied Sciences, 14 (2014), 12–16. |
[19] |
C. Carlet, S. Picek, On the exponents of APN power functions and Sidon sets, sum-free sets, and Dickson polynomials, Adv. Math. Commun., 17 (2023), 1507–1525. https://doi.org/10.3934/amc.2021064 doi: 10.3934/amc.2021064
![]() |
[20] |
C. Carlet, S. Mesnager, On those multiplicative subgroups of F∗2n which are Sidon sets and/or sum-free sets, J. Algebr. Comb., 55 (2022), 43–59. https://doi.org/10.1007/s10801-020-00988-7 doi: 10.1007/s10801-020-00988-7
![]() |
[21] | G. H. Hardy, E. M. Wright, An introduction to the theory of numbers, 5th edition, Oxford university press, 1979. |
[22] | J. L. Massey, Safer K-64: A Byte-Oriented Block-Ciphering Algorithm, in Fast Software Encryption (ed. R. Anderson), Springer Berlin Heidelberg, Berlin, Heidelberg, 1994, 1–17. https://doi.org/10.1007/3-540-58108-1_1 |
[23] |
K. Drakakis, R. Gow and G. McGuire, APN permutations on Zn and Costas arrays, Discrete Appl. Math., 157 (2009), 3320–3326. https://doi.org/10.1016/j.dam.2009.06.029 doi: 10.1016/j.dam.2009.06.029
![]() |
[24] |
R. M. Hakala, An upper bound for the linearity of Exponential Welch Costas functions, Finite Fields and Their Applications, 18 (2012), 855–862. https://doi.org/10.1016/j.ffa.2012.05.001 doi: 10.1016/j.ffa.2012.05.001
![]() |
x+y≡0mod17 | x−y≡0mod15 |
16+1 | 16−1 |
48+3 | 48−3 |
145+25 | 145−25 |
146+41 | 146−41 |
227+62 | 227−62 |
165+90 | 165−90 |
217+157 | 217−157 |
253+223 | 253−223 |
n | Lower bound | L(f2n) | Upper bound |
4 | 4 | 6, 00776721665963 | 16 |
5 | 5, 65685425 | 9, 76163585008853 | 32 |
6 | 8 | 15, 7984554517002 | 64 |
7 | 11, 3137085 | 23, 1605616207365 | 128 |
8 | 16 | 33, 7779991765064 | 256 |
x+y≡0mod17 | x−y≡0mod15 |
16+1 | 16−1 |
48+3 | 48−3 |
145+25 | 145−25 |
146+41 | 146−41 |
227+62 | 227−62 |
165+90 | 165−90 |
217+157 | 217−157 |
253+223 | 253−223 |
n | Lower bound | L(f2n) | Upper bound |
4 | 4 | 6, 00776721665963 | 16 |
5 | 5, 65685425 | 9, 76163585008853 | 32 |
6 | 8 | 15, 7984554517002 | 64 |
7 | 11, 3137085 | 23, 1605616207365 | 128 |
8 | 16 | 33, 7779991765064 | 256 |