On permutation quadrinomials with boomerang uniformity 4 and the best-known nonlinearity

Abstract

Motivated by recent works on the butterfly structure, particularly by its generalization introduced by Canteaut et al. (IEEE Trans Inf Theory 63(11):7575–7591, 2017), we first push further the study of permutation polynomials over binary finite fields by completely characterizing those permutations\(f_{\underline{\epsilon }}\) defined over the finite field \({\mathbb F}_{Q^2}\) (of order \(Q^2\)) having the following shape:

$$\begin{aligned} f_{\underline{\epsilon }}(X):=\epsilon _1\overline{X}^{q+1} +\epsilon _2\overline{X}^qX+\epsilon _3\overline{X}X^q+\epsilon _4X^{q+1} \end{aligned}$$

where \(q=2^k\), \(Q=2^m\), m is odd, \(\mathrm {gcd}(m,k)=1\), \(\overline{X}=X^Q\) and \(\underline{\epsilon }=(\epsilon _1, \epsilon _2, \epsilon _3, \epsilon _4)\in {\mathbb F}_{Q}^4\). We shall provide an approach to handle the bijectivity of \(f_{\underline{\epsilon }}\) for any \(k\ge 1\). Notably, we show that the problem of finding conditions for bijectivity of the quadrinomial \(f_{\underline{\epsilon }}\) is closely related to the study of the famous equation \(X^{q+1}+X+a=0\) (*). We then reduce the initial problem into the problem of finding conditions for which an equation of the form (*) has a unique solution in \({\mathbb F}_{Q}\) for every \(a\in {\mathbb F}_{Q}\). In addition, as a crucial direct consequence our result, we prove the validity of the conjecture (Conjecture 19) proposed by Li et al. (Des Codes Cryptogr 89:737–761, 2021). We emphasize that our positive answer completely characterizes permutations with boomerang uniformity 4 from the butterfly structure, which leads to the view of the quadrinomial \(f_{\underline{\epsilon }}\) as excellent candidates to design block ciphers in symmetric cryptography. Despite a lot of attention regarding the considered conjecture, it remains unsolved on its whole when the coefficients lie in \({\mathbb F}_{Q}\). However, this article is the first which propose an approach that solves the enter conjecture by handling both sides of it involving equivalence simultaneously. We believe that our novel approach and its strength could benefit from proving the bijectivity of other families of polynomials over finite fields.

Appendix A

In this appendix, we present the proofs of a series of results that we have used in Sect. 3.3.

Lemma 6

For any \(x\in \mathbb {F}_{2^m}\) with \(\mathrm {Tr}_1^m(x)=1\) and any integer \(2^{m-1}\le t<2^m-1\), letting \(l=\lceil \log _2{(2^m-t)}\rceil -1\), i.e. \(2^m-2^{l+1}\le t<2^m-2^l,\) one has

$$\begin{aligned} x^t=x^{t-2^{m}+2^{l+1}}+\sum _{i=l+1}^{m-1}x^{t-2^{m}+2^i}\cdot (x+x^{2}+\cdots +x^{2^{l}}), \end{aligned}$$

where all exponents appeared are less than \(2^{m-1}\), pairwise different and in order of size.

Proof

\(\mathrm {Tr}_1^m(x)=1\) can be rewritten as

$$\begin{aligned} x^{2^{m-1}}=1+x+x^{2}+\cdots +x^{2^{m-2}}. \end{aligned}$$

Therefore, if \(2^{m-1}\le t \), then

$$\begin{aligned} x^t=x^{t-2^{m-1}}\cdot (1+x+x^{2}+\cdots +x^{2^{m-2}}) \end{aligned}$$

and one has if \(2^m-2^{l+1}\le t<2^m-2^l,\) then \(t-2^{m-1}+2^j \ge 2^{m-1}\) for \(l+1\le j\le m-2\) and it holds that

$$\begin{aligned} x^t=x^{t-2^{m-1}}\cdot (1+x+x^{2}+\cdots +x^{2^{l}})+\sum _{i=l+1}^{m-2}x^{t-2^{m}+2^i}\cdot (1+x+x^{2}+\cdots +x^{2^{m-2}}). \end{aligned}$$

In the second summation, (only) the terms \(x^{t-2^m+2^i+2^j}\), where \(j\ge l+1\) and \(j\ne i\), appear twice and therefore can be canceled. Thus, we can write

$$\begin{aligned} x^t= & {} x^{t-2^{m-1}}\cdot (1+x+x^{2}+\cdots +x^{2^{l}})\\&+\sum _{i=l+1}^{m-2}x^{t-2^{m}+2^i}\cdot (1+x+x^{2}+\cdots +x^{2^{l}}+x^{2^i}), \end{aligned}$$

or

$$\begin{aligned} x^t=\sum _{i=l+1}^{m-1}x^{t-2^{m}+2^i}\cdot (1+x+x^{2}+\cdots +x^{2^{l}})+\sum _{i=l+1}^{m-2}x^{t-2^{m}+2^{i+1}}, \end{aligned}$$

or

$$\begin{aligned} x^t=x^{t-2^{m}+2^{l+1}}+\sum _{i=l+1}^{m-1}x^{t-2^{m}+2^i}\cdot (x+x^{2}+\cdots +x^{2^{l}}). \end{aligned}$$

It can be easily checked that all exponents in this last expression are less than \(2^{m-1}\), pairwise different and in order of size. \(\square \)

Corollary 5

Let \(0\le t<2^m\). The representative expression of \(X^t\) in \(\mathbb {F}_{2^m}[X]/(T_m(X)+1)\) has non-zero constant term if and only if \(t=2^m-2^l\) for some \(0\le l\le m\).

Using this corollary, we can state the following statement.

Proposition 4

Let \(s\ge 2\) and \(0\le i_1<i_2<\cdots<i_s<m\) be a sequence of integers such that \((i_x-i_y) \mod m \ne 1\) for every pair \((x,y)\in [1,s]^2\). Let \(\gamma \) be any constant in \(\mathbb {F}_{2^m}^*\). Then, the following are true:

1. 1.

   \(T_m(\gamma \cdot \frac{1}{X^{2^{i_1}+2^{i_2}+\cdots +2^{i_s}}})\) has no constant term when expressed as an element in \(\mathbb {F}_{2^m}[X]/(T_m(X)+1)\).

2. 2.

   \(T_m(\gamma \cdot X^{2^j}\cdot \frac{1}{X^{2^{i_1}+2^{i_2}+\cdots +2^{i_s}}})\) has non-zero constant term when expressed as an element in \(\mathbb {F}_{2^m}[X]/(T_m(X)+1)\) if and only if \(s=2\), and \(j=i_x\) or \(j=(i_x+1)\mod m\) for some \(1\le x\le 2\). Furthermore, if \(j=i_x\) for some \(1\le x\le 2\), then the constant term of \(T_m(\gamma \cdot X^{2^j}\cdot \frac{1}{X^{2^{i_1}+2^{i_2}}})\) is \(\gamma ^{2^{-(i_1+i_2-i_x)}}.\) If \(j=(i_x+1)\mod m\) for some \(1\le x\le 2\), then the constant term of \(T_m(\gamma \cdot X^{2^j}\cdot \frac{1}{X^{2^{i_1}+2^{i_2}}})\) is \(\gamma ^{2^{-i_x}}.\)

Proof

By Corollary 5, we have

$$\begin{aligned}&T_m(\gamma \cdot \frac{1}{X^{2^{i_1}+2^{i_2}+\cdots +2^{i_s}}})=\sum _{u=0}^{m-1}\gamma ^{2^u}\cdot \frac{1}{X^{2^{i_1+u}+2^{i_2+u}+\cdots +2^{i_s+u}}}\\&=\sum _{u=0}^{m-1}\gamma ^{2^u}\cdot X^{2^m-1-(2^{(i_1+u)\mod m}+2^{(i_2+u)\mod m}+\cdots +2^{(i_s+u)\mod m})} \end{aligned}$$

has non-zero constant term if and only if there exist some integers \(0\le u,v\le m\) such that

$$\begin{aligned}2^m-1-\left( 2^{(i_1+u)\mod m}+2^{(i_2+u)\mod m}+\cdots +2^{(i_s+u)\mod m}\right) =2^m-2^v,\end{aligned}$$

i.e.

$$\begin{aligned}2^v=1+\left( 2^{(i_1+u)\mod m}+2^{(i_2+u)\mod m}+\cdots +2^{(i_s+u)\mod m}\right) .\end{aligned}$$

Under the condition of the proposition, this is impossible when \(s\ge 2.\)

On the other hand,

$$\begin{aligned}&T_m(\gamma \cdot X^{2^j}\cdot \frac{1}{X^{2^{i_1}+2^{i_2}+\cdots +2^{i_s}}})=\sum _{u=0}^{m-1}\gamma ^{2^u}\cdot X^{2^{j+u}}\cdot \frac{1}{X^{2^{i_1+u}+2^{i_2+u}+\cdots +2^{i_s+u}}}\\&\quad =\sum _{u\in I_+}\gamma ^{2^u}\cdot X^{2^{(j+u)\mod m}-(2^{(i_1+u)\mod m}+2^{(i_2+u)\mod m}+\cdots +2^{(i_s+u)\mod m})}\\ {}&\qquad +\sum _{u\in I_-}\gamma ^{2^u}\cdot X^{2^{(j+u)\mod m}+2^m-1-(2^{(i_1+u)\mod m}+2^{(i_2+u)\mod m}+\cdots +2^{(i_s+u)\mod m})}, \end{aligned}$$

where

$$\begin{aligned}I_+:=\{0\le u\le m-1\mid 2^{(j+u)\mod m}\ge 2^{(i_1+u)\mod m}+\cdots +2^{(i_s+u)\mod m}\}\end{aligned}$$

and

$$\begin{aligned}I_-:=\{0\le u\le m-1\mid 2^{(j+u)\mod m}< 2^{(i_1+u)\mod m}+\cdots +2^{(i_s+u)\mod m}\}.\end{aligned}$$

The first summand has no constant term since

$$\begin{aligned}2^{(j+u)\mod m}- (2^{(i_1+u)\mod m}+\cdots +2^{(i_s+u)\mod m})<2^{m-1}\le 2^m-2^v\end{aligned}$$

for any \(0\le v\le m-1\) and obviously it can’t happen

$$\begin{aligned}2^{(j+u)\mod m}- (2^{(i_1+u)\mod m}+\cdots +2^{(i_s+u)\mod m})=0 (=2^m-2^m)\end{aligned}$$

as \(s\ge 2.\)

The second summation has non-zero constant term if and only if for some \(0\le v\le m\),o

$$\begin{aligned}&2^{(j+u)\mod m}+2^m-1-(2^{(i_1+u)\mod m}+2^{(i_2+u)\mod m}+\cdots +2^{(i_s+u)\mod m})\\&\quad =2^m-2^v,\end{aligned}$$

i.e.

$$\begin{aligned} 2^{(j+u)\mod m}+2^v=1+2^{(i_1+u)\mod m}+2^{(i_2+u)\mod m}+\cdots +2^{(i_s+u)\mod m}.\nonumber \\ \end{aligned}$$

(35)

Here, we have \((j+u)\mod m\ne 0\) and \(v\ne 0\). (In fact, if \((j+u)\mod m=0\), then

$$\begin{aligned}2^v=2^{(i_1+u)\mod m}+2^{(i_2+u)\mod m}+\cdots +2^{(i_s+u)\mod m}\end{aligned}$$

which is impossible as \(s\ge 2\). Assumption \(v=0\) yields the same impossibility.)

Now, we can assume w.l.o.g. \((i_1+u)\mod m<(i_2+u)\mod m<\cdots <(i_s+u)\mod m\). Since the left side of equality (35) is even, it follows \((i_1+u)\mod m=0\) (therefore, under the assumption of the proposition, \(2\le (i_2+u)\mod m\)), i.e.

$$\begin{aligned} u=m-i_1, \end{aligned}$$

(36)

and

$$\begin{aligned} 2^{(j+u)\mod m}+2^v=2+2^{(i_2+u)\mod m}+\cdots +2^{(i_s+u)\mod m}. \end{aligned}$$

(37)

Hence, it must be \(s\le 2\). Now, two cases are possible: (1) \((j+u)\mod m=(i_2+u)\mod m\) and \(v=1\); (2) \((j+u)\mod m=1\) and \(v=(i_2+u)\mod m\). In the first case, we get \(j=i_2\). In the second case, regarding (36), we get \(j=(i_1+1)\mod m\). By symmetry, the statement follows. \(\square \)

The following facts are simple.

Proposition 5

Let \(0<k,k'<m\) be integers with \(\mathrm {gcd}(m,k)=1\) and \(k\cdot k'\equiv 1\mod m\). There exist such integers \(1\le u,v\le k'\) that \((u-v)\cdot k \equiv 1 \mod m\) if and only if \(m< 2k'\).

Proof

If \((u-v)k \equiv 1 \mod m\) for some \(1\le u,v\le k'\), then \((u-v)k \equiv k'k \mod m\), i.e. \((k'-u+v)k\equiv 0 \mod m\) which means \(m \mid k'-u+v\) as k is coprime to m. Since \(|k'-u+v|<2k'\), it follows \(m< 2k'\).

Conversely, if \(m< 2k'\), then \(0<m-k'<k'\) and therefore with \(u=1\) and \(v=m-k'+1\) it holds that \((u-v)k \equiv 1 \mod m\). \(\square \)

Proposition 6

Let m be odd. For every \(x\in \mathbb {F}_{2^m}\) it holds that

$$\begin{aligned}\sum _{i=0}^{k'-1} T_k(x)^{q^i}=(k\cdot k'+1)\cdot \mathrm {Tr}_1^m(x)+x.\end{aligned}$$

In particular, if \(x\in \mathfrak {F}_1\), i.e. \(x\in {\mathbb F}_{2^m}[X]/(T_m(X)+1)\), then

$$\begin{aligned}\sum _{i=0}^{k'-1} T_k(x)^{q^i}=k\cdot k'+1+x\end{aligned}$$

and if \(x\in \mathfrak {F}_0\), then

$$\begin{aligned}\sum _{i=0}^{k'-1} T_k(x)^{q^i}=x.\end{aligned}$$

Proof

$$\begin{aligned}&\sum _{i=0}^{k'-1} T_k(x)^{q^i}=\frac{k\cdot k'-1}{m}\cdot \mathrm {Tr}_1^m(x)+x\\&= {\left\{ \begin{array}{ll}x, \text { if both { k} and k' are odd} \\ \mathrm {Tr}_1^m(x)+x, \text { otherwise} \end{array}\right. }=(k\cdot k'+1)\cdot \mathrm {Tr}_1^m(x)+x. \end{aligned}$$

\(\square \)

Proposition 7

Let \(m>2k'\) and \(k\cdot k'\equiv 1 \mod m\). Then,

$$\begin{aligned} \{1\le j\le k' \mid k\cdot j\mod m<k\}=\{1\le j\le k' \mid (k\cdot j+1)\mod m <k\}. \end{aligned}$$

Proof

First of all, \((kj+1)\mod m=0\) means \(j=m-k'> k'\). On the other hand, if \(kj\mod m<k<m\), then \((kj+1)\mod m =(kj\mod m)+1\). Therefore, for any \(1\le j\le k'\) in both sets, \((kj+1)\mod m =(kj\mod m)+1\), and it follows \(\{1\le j\le k' \mid kj\mod m<k\}\supset \{1\le j\le k' \mid (kj+1)\mod m <k\}\). If \(kj\mod m=k-1\), i.e. \(k(1-j)\mod m=1\), then \(j=m+1-k'>k'\). Thus, \(kj\mod m<k-1\) for any \(1\le j\le k'\) and we get also the inclusion in opposite direction, i.e. \(\{1\le j\le k' \mid kj\mod m<k\}\subset \{1\le j\le k' \mid (kj+1)\mod m <k\}\). \(\square \)

Proposition 8

Let \(1< j<k'\). Then, \(k\cdot j\mod m<k\) if and only if \(k\cdot (k'+1-j)\mod m<k\).

Proof

Let \(s:=kj\mod m\) and \(t:=k(k'+1-j)\mod m\). Note \(s\ne 1,k\) as \(j\ne 1,k'\). We have \(t=1+k-s \mod m\). Therefore, if \(s<k\), then \(t=k+1-s<k\). Now, if we assume that \(t<k\) and \(s> k\), then \(s\ne k+1\) since \(t\ne 0\), and we have \(t=k+1-s+m<k\), i.e. \(m<s-1\) which is a contradiction to \(s<m\). \(\square \)