universitÉ d’aix-marseille...mercie beth, ian, jonathan, christopher, harish et alain. parmi les...
TRANSCRIPT
Institutde Mathématiques
de Marseille
UNIVERSITÉ D’AIX-MARSEILLEÉCOLE DOCTORALE 184
INSTITUT DE MATHÉMATIQUES DE MARSEILLE/UMR 7373
THESE DE DOCTORAT
Discipline : Mathématiques
Florian CAULLERY
Polynomials over finite fields for cryptography
Soutenue le 28 mai 2014
Composition du jury :
Yves AUBRY I2M ÉxaminateurThierry BERGER XLIM RapporteurAnne CANTEAUT INRIA ÉxaminateurClaude CARLET LAGA RapporteurFrançois RODIER I2M Directeur de thèseKai-Uwe SCHMIDT Otto-von-Guericke University Éxaminateur
Cette oeuvre est mise à disposition selon les termes de la Licence CreativeCommons Attribution - Pas d’Utilisation Commerciale - Pas de Modification 3.0France.
Attention ! Cette thèse n’est pas une thèse sur le cyclimse.Merci de votre compréhension.
Résumé
Les fonctions de Fq dans lui-même sont des objets étudiés dans de divers do-maines tels que la cryptographie, la théorie des codes correcteurs d’erreurs,la géométrie finie ainsi que la géométrie algébrique. Il est bien connu queces fonctions sont en correspondance exacte avec les polynômes en une vari-able à coefficients dans Fq. Ces polynômes peuvent présenter une multitude depropriétés ayant des applications intéressantes en mathématiques pures ou ap-pliquées. Nous étudierons trois classes de polynômes particulières: les polynômesPresque Parfaitement Non linéaires (Almost Perfect Nonlinear (APN)), les polynô-mes planaires ouparfaitement non linéaire (PN) et les o-polynômes.
Les fonctions APN sont principalement étudiées pour leurs applications encryptographie. En effet, ces fonctions sont celles qui offre la meilleure résistancecontre la cryptanalyse différentielle. Elles sont aussi particulièrement intéres-sante en théorie des codes correcteurs d’erreurs car elles permettent de constru-ire des codes 2-correcteurs.
Les polynômes PN et les o-polynômes sont eux liés à des problèmes célèbresde géométrie finie. Les premiers décrivent des plans projectifs et les seconds sonten correspondance directe avec les ovales et hyperovales de P2(Fq). Néanmoins,leurs champ d’application a été récemment étendu à la cryptographie symétriqueet à la théorie des codes correcteurs d’erreurs.
La classification complète des polynômes APN ou PN et des o-polynômes est unproblème ouvert qui a attiré une multitude de mathématiciens depuis les années50.
L’un des moyens utilisé pour compléter la classification est de considérer lespolynômes présentant l’une des propriétés recherchées sur une infinité d’extensionde Fq. Ces fonctions sont appelées fonction APN (respectivement PN ou o-polynômes) exceptionnelles.
Nous étendrons la classification des polynômes APN et PN exceptionnels etnous donneront une description complète des o-polynômes exceptionnels. Lestechniques employées sont basées principalement sur la borne de Lang-Weil etsur des méthodes élémentaires.
Mots clés : corps finis, fonctions polynômiales, cryptographie symétrique,géométrie algébrique, fonction presque parfaitement non linéaire, plan projectif,ovale, hyperovale, code correcteurs d’erreurs.
v
Abstract
Functions from Fq to itself are interesting objects arising in various domains suchas cryptography, coding theory, finite geometry or algebraic geometry. It is wellknown that these functions admit a univariate polynomial representation. Thereexists many interesting classes of such polynomials with plenty of applicationsin pure or applied maths. We are interested in three of them: Almost PerfectNonlinear (APN) polynomials, Planar (PN) polynomials and o-polynomials.
APN polynomials are mostly used in cryptography to provide S-boxes withthe best resistance to differential cryptanalysis and in coding theory to constructdouble error-correcting codes.
PN polynomials and o-polynomials first appeared in finite geometry. They giverise respectively to projective planes and ovals in P2(Fq). Also, their field of ap-plications was recently extended to symmetric cryptography and error-correctingcodes.
A complete classification of APN, PN and o-polynomials is an interesting openproblem that has been widely studied by many authors. A first approach towardthe classification was to consider only power functions and the studies wererecently extended to polynomial functions.
One way to face the problem of the classification is to consider the polynomialsthat are APN, PN or o-polynomials over infinitely many extensions of Fq, namely,the exceptional APN, PN or o-polynomials.
We improve the partial classification of exceptional APN and PN polynomialsand give a full classification of exceptional o-polynomials. The proof techniqueis based on the Lang-Weil bound for the number of rational points in algebraicvarieties together with elementary methods.
Keywords : Finite fields, polynomial functions, symmetric cryptography, alge-braic geometry, Almost Perfectly Nonlinearity, projective plane, oval, hyperoval,error correcting code.
vii
Remerciements
Te voici donc à la seule partie de ma thèse que tu liras, toi qui es présent à masoutenance et qui ne t’intéresses qu’à moitié à ce que je suis en train de raconterdevant toi. En même temps, les remerciements ne sont-ils pas là pour cette rai-son ? Pour que tu oublies l’ennui qui te gagne alors que j’énumère les propriétéscryptographiques des polynômes sur les corps finisa ? Alors cher lecteur, je vaistâcher de t’offrir un peu de distraction pendant ces questions interminables dujury qui ne font que reculer le moment du tant attendu pot de thèse !
La tradition veut que l’on commence par remercier son directeur de thèse, jevais la respecter. Et j’en suis heureux car quelle chance j’ai eu de rencontrerFrançois ! Avant même la fin de mon stage de M2, il m’offrait un financementpour trois ans sur un plateau et l’opportunité de continuer mes études mathéma-tiques. Ensuite, il y eu cette première année de thèse un peu chaotique et difficilependant laquelle il a su garder sa confiance en moi malgré le fait que je tenaisà merveille mon rôle de “thésard invisible”b. Je me souviens qu’après chacunede nos entrevues, où j’avais un peu l’impression de faire des maths avec monpère, je retrouvais ma foi dans les mathématiques et l’envie de me remettre autravail. Le premier papier arrivait et je gagnais un peu en indépendance, mêmesi j’imposais toujours à François un important travail de relecture et de correc-tion pour lequel je le remercie vivement. Enfin, je le remercie pour ses précieuxconseils et pour m’avoir encouragé à partir très souvent en conférence. J’espèreque nous continuerons à travailler ensemble longtemps après cette soutenanceet que moi aussi j’aurai l’occasion de fêter les 93 ans de mon directeur de thèse.
Vient maintenant l’heure de remercier mon jury. Galanterie oblige, je com-mencerai par Anne Canteaut. Je vous remercie d’avoir accepté de faire partiede mon jury et de vous être donné tant de mal pour assister à ma soutenance.Je garde aussi en mémoire vos remarques élogieuses juste après mon exposé àBergen et ces instants sympathiques entre français en Islande.
Claude Carlet, tu auras été le chairman qui m’a rassuré avant mon premierexposé en conférence internationale et je te remercie du plus profond de mon
aOu bien que je t’explique quelle est la différence entre une courbe et une surface. Différencequi m’a jadis été enseignée par Virgile.
bVirigle, je t’en veux toujours pour ce statut sur le chat du labo !
ix
cœur pour avoir écrit toutes ces lettres de référence. Ta monographie et tes arti-cles bien écrits auront été d’un grand secours pour moi lors de mes recherches.J’espère que le rapport de ma thèse ne t’a pas donné trop de fil à retordre.
Thierry Berger, je vous remercie d’avoir accepté de rapporter ma thèse. Votrearticle avec Anne Canteaut, Pascale Charpin et Yann Laigle-Chapuy a été le pointde départ de mes travaux et c’est un honneur de vous avoir dans mon jury.
Yves, on t’a souvent comparé avec Alain Delon mais sache qu’il ne t’arrive pasà la cheville. Merci pour ton enseignement de M2 et pour tous ces moments defranche rigolade à chacune de nos rencontres au laboratoire et pendant les dif-férentes éditions de Yves Aubry’s Conference on Cryptography (plus connue sousle nom de YACC). Comme quoi, on peut pratiquer la science la plus sérieuse touten ne se prenant pas trop au sérieux.
Parmi tous les chercheurs que j’ai rencontré pendant ces quatre années je tiensà remercier en particulier Sihem Mesnager, qui me connait sous le sobriquet de“l’italien”, chacune de nos rencontres a été un plaisir. J’ai aussi une pensée pourStéphane Ballet, David Kohel, Robert Rolland et Jacques Wolfmann qui m’onttous accordé un peu de leur temps pour faire avancer mes recherches. Je tiensaussi à remercier Camille Plénat qui a grandement facilité ma vie d’ATER à Aix.
Je pense aussi à tous ceux qui ont réussi à me transmettre leur passion desmaths : Bernard Candelpergher, Gilles Lebeau et Michel Merle pendant mesétudes niçoises et plus récemment Marc-Hubert Nicole à Marseille.
Je n’aurais pas réussi à mener cette thèse à bien sans le cadre idéal que futl’IML. Je remercie le grand rouquin blanc qui m’a servi de co-bureau pendanttoute ma thèse et grâce à qui nous retrouverons tous nos amants (tous ceuxqui m’aimaient tant !), Christophe Arène et Christophe à Rennes avec qui j’aipassé un séjour au ski formidablec, Anna pour ta gentillesse, ta bonne humeuret tes tiramisus, Hamish pour nos conversations sur le metal, Florent pour avoirri de mon O(P3)d, Stéphanie Dib ma sœur académique, Joël pour tes discussionsintéressantes et profondes et enfin Tammam et ses courbes de ouf. Enfin, Auréliaet Éric je vous remercie pour votre soutien.
Je remercie aussi le CIRM et son équipe de bibliothécaires d’élites, Nathalieet Fabienne, qui ont su retrouver bien des références obscures tout en gardantleur bonne humeur. Stéphanie Vareilles, merci d’avoir relayé tant d’informationsutiles et de nous offrir l’opportunité de sortir de notre cadre purement mathéma-tique. Je veux aussi remercier l’IREM et son équipe, chaque stage hippocampeaura été un agréable moment de détente.
Cette thèse n’aurait pas été un succès si Uncle B. ne m’avait pas donné l’opportunité
cIl était moins bien pour Virgile, mais l’important c’est qu’il soit rétabli. En plus, Virgile s’estévité une petite nausée post soirée Chartreuse.
dQui a fait moins rire Virgile mais ça c’est parce qu’il est grognon.
x
d’apprendre l’anglais à Calgary et fait rencontrer sa famille avec qui j’ai passé desinstants que je n’oublierai jamais. Pour cela je te remercie Uncle B. et je vous re-mercie Beth, Ian, Jonathan, Christopher, Harish et Alain.
Parmi les amis qui m’auront soutenu, je souhaite remercier Robin m’voyez pourtoutes ses réflexions hilarantes et absurdes et Chrissie qui restera ma plus bellerencontre à la faculté de Nice, vous avez su me changer les idées et me remonterle moral maintes fois !
Je tiens aussi à remercier mon père qui n’a jamais compté ses heures et qui atoujours respecté mon travail.
Enfin, je ne peux pas conclure mes remerciements sans un mot pour maStéphanie, même si elle mérite des pages entières. Tu es celle qui me porte tousles jours, qui a fait de moi celui que je suis et celle qui fait tout mon bonheur. Turends les personnes autour de toi meilleurse. Ma vie et ma thèse n’auraient pasété les mêmes sans ton amitié et ton amour et je suis l’homme le plus chanceuxdu monde car je t’ai à mes côtés. J’ai aussi une pensée pour Josiane et Georgesqui m’ont si bien accueilli, vous êtes les beaux-parents dont j’ai toujours rêvé.
Voilà, j’espère n’avoir oublié personne...f
AcknowledgmentsWhat would have been the interest to thank someone in a language that hecouldn’t understand? That is why I wanted to say a word to those who helpedme during my thesis.
Kai-Uwe, our collaborations were fruitful and I hope it will still be. Thanks forbeing part of my jury and thanks for the new problems you submitted me. I keepin mind this week in Magdeburg which perfectly mixed maths and fun.
Keiko, you have been a support during the first part of my PhD. Thanks for allthose wonderful moments.
Yue/Joe, thanks for this week in Magdeburg and this common paper.
eEt tu fais de merveilleux banofee pour Phirchile.fMais non Virgile je ne t’ai pas oublié, n’as-tu pas remarqué que chaque note de bas de paget’est dédiée ?
xi
Contents
Résumé v
Abstract vii
Introduction 2
1 APN Polynomials 31.1 Introduction 3
1.1.1 APN polynomials in an other context 41.2 Equivalences of APN polynomials 51.3 Exceptional APN polynomials 6
1.3.1 The geometrical approach 71.3.2 The monomial case 111.3.3 The polynomial case 13
2 Planar Polynomials 352.1 Introduction 352.2 The odd characteristic case 362.3 The even characteristic case 41
3 O-polynomials 433.1 Introduction 43
3.1.1 Stability of o-polynomials 453.1.2 O-polynomials in cryptography 45
3.2 A classification of low-degree o-polynomials 463.3 Proof of Theorem 3.2.1 47
Bibliography 53
xiii
Introduction
Polynomials over finite fields are a useful tool in modern cryptography sincethey can represent a crucial component of the most widely used symmetric keyalgorithms: the Substitution-Box (S-Box). Modern symmetric cryptography al-gorithms are mainly of two kinds: DES-like Cryptosystems and Block CipherSP-Network (Substitution-Permutation Network). A famous attack against thesetwo kinds of cryptosystem is the so-called differential cryptanalysis. This attackwas first introduced by Biham and Shamir in [BS93]. Its basic principle is toanalyze how a difference between two inputs behaves along the block-cipher.We refer the reader to [FSK11] for a precise description of modern symmetriccryptography algorithms and differential cryptanalysis.
To counteract differential cryptanalysis, the S-Box and the polynomial func-tion which represents it shall present some very specific properties. We will beinterested in three of them:
• Almost Perfect Nonlinearity. A polynomial f ∈ Fq[x] is Almost PerfectlyNonlinear (APN) if for any nonzero a ∈ Fq and b ∈ Fq, there exist at mosttwo solutions to the equation f(x+ a) + f(x) = b.
• Planarity. A polynomial f ∈ Fq[x] is Planar (or Perfectly Nonlinear (PN)) iffor any nonzero a ∈ Fq, the function x→ f(x + a)− f(x) is a permutationover Fq. Obviously, there is no such polynomial when q is even. That is thereason why we will study their natural counterpart in even characteristicintroduced by Zhou [Zho13]: the polynomials such that the function x →f(x+ a) + f(x) + ax is a permutation over Fq for any nonzero a ∈ Fq.
• Ovality. A polynomial f ∈ Fq[x] is Oval (or is an o-polynomial) if the func-tion x → f(x) is a permutation over Fq and if for any nonzero a ∈ Fq, thefunction x→ f(x+a)+f(a)
xis also permutation over Fq.
The complete classification of polynomials having one of the properties aboveis an open and interesting problem that has been studied by many authors. Oneway to face this problem is to consider its weaker version: find the polynomialsthat present the sought property for infinitely many extensions of their groundfield, namely, the exceptional APN (respectively PN or o-) polynomials. The
1
Introduction
aim of this thesis is to partially complete the known list of exceptional APNpolynomials in characteristic 2, the list exceptional PN polynomials in odd andeven characteristic and to give a full list of polynomials that are o-polynomialsinfinitely often.
To achieve this goal, we will use an approach based on algebraic geometry.Let f(x) be a polynomial over Fq. The idea is to link f to a projective surface Xf
which equation depends on f and on the sought property. If the polynomial fhas this property, then the surface Xf should have all its rational points over Fqin some very specific planes and then have a specified number of rational points.
Now suppose thatXf has an absolutely irreducible component defined over Fq.In that case, the Lang-Weil bound gives an estimation on the number of rationalpoints of Xf over Fq. Comparing this estimation and the number of points ofthe specific planes mentioned above gives us an upper bound on q which onlydepends on the degree of f , meaning that the polynomial f cannot have thedesired property over infinitely many extension of its ground field.
All we have to do now is to determine the form of the polynomials f such thatthe surface Xf does not have an absolutely irreducible component defined overFq...
2
1 APN Polynomials
The first property of polynomials over finite fields that we propose to study isthe Almost Perfect Nonlinearity (APN). This notion was introduced by Nyberg in[Nyb94] as the function providing the S-Boxes with best resistance to the differ-ential cryptanalysis, a chosen plain text attack proposed by Biham and Shamirin [BS93].
1.1 Introduction
An Almost Perfectly Nonlinear function is a function with the lowest possibledifferential uniformity.
Definition 1.1.1. a function f : F2m → F2m is APN if, for all nonzero a and forall b in F2m, the number of solutions to the equation
f(x) + f(x+ a) = b
is at most two.
Remark 1.1.2. The name is due to a simple fact. Chose any a and put b = f(a). Iff is APN, there is at most two elements x of F2m satisfying f(x+a) = f(x)+f(a).
The problem is to list all APN polynomials. Many authors worked on thetopics. The studies focused on APN monomials on a first time and was recentlyextended to polynomial functions (Carlet, Charpin, Edel, Kyureghyan, Pott andZinoviev [CCZ98; EKP06; EP09]) or polynomials on small fields (Dillon [Dil09]).Also, several authors (Berger, Canteaut, Charpin, Laigle-Chapuy [BCC+06] orByrne and McGuire [BM08]) showed that APN functions cannot exist in certaincases. Some studied the APN functions on fields of odd characteristic (Leducq[Led12b], Dobbertin, Mills, Muller, Poinsot and Pott [DMM+03; PP11], Ness,Helleseth [NH07] or Wang, Zha [ZW10; ZW11] ). It is still an open problem tolist all the APN polynomials.
Here we give the list of classical APN monomials.
3
1 APN Polynomials
Name Exponent Condition Proven inGold 2i + 1 gcd(i,m) = 1 [Gol68]
Kasami 4i − 2i + 1 gcd(i,m) [Kas71]Welch 2i + 3 m = 2i+ 1 [CCD00]Inverse 22i−1 m = 2i+ 1 [Nyb94]
Dobbertin 24t + 23t + 22t + 2t − 1 m = 5i [Dob01]Niho 2t + 2
t2 − 1, t even m = 2t+ 1 [Dob01]
2t + 23t+1
2 − 1, t odd
Table 1.1: List of classical APN monomials
As we can see here, the only listed monomials which are APN over infinitelymany extensions of F2 are the Gold and Kasami functions. Hernando and McGuireshowed that they are the only ones with this property [HM11].
1.1.1 APN polynomials in an other contextAPN functions have applications in other fields than cryptography. The main oneis in coding theory because they give cyclic codes with minimal distance 5. Thefollowing definition of APN functions is equivalent.
Definition 1.1.3. A function is APN if f(0) = 0 and the binary linear code Cwith parity check matrix having columns[
xf(x)
], x ∈ F?2m
has minimum distance 5.
proof from [CCZ98]. Let c = (c0, . . . , cn−1) be a binary vector. By the definitionof the parity check matrix, c is a codeword of C if and only if it satisfies
n−1∑i=0
xici = 0 andn−1∑i=0
cif(xi) = 0.
Hence, C has a minimum distance equal to 5 if and only if there is no four distinctelements such that
x+ x′ + y + y′ = 0 and f(x) + f(x′) + f(y) + f(y′) = 0,
which is equivalent to f being APN.
4
1.2 Equivalences of APN polynomials
1.2 Equivalences of APN polynomialsThe APN property is stable under specific transformations, thus we can definesome equivalence classes. Here we give the list of all classical equivalence classeson APN functions. We begin by recalling the definition of an affine permutationsince this notion is often used in this section.
Definition 1.2.1. A polynomial in F2m [x] of the form
L(x) =∑i
cix2i
is called a linearized polynomial. The addition of a linearized polynomial and aconstant term is called an affine polynomial. A linearized (resp. affine) polynomialwhich defines a permutation over F2m is called a linear (resp. affine) permutation.
Proposition 1.2.2. The class of APN functions is stable under the addition ofaffine polynomial.
This proposition is obvious.We introduce here the first non-obvious class of equivalence known as the
Extended Affine (EA) equivalence.
Proposition 1.2.3. Let A1(x) and A2(x) be affine permutations, A(x) be an affinepolynomial and f(x) be an APN polynomial in F2m [x]. The polynomial
A1 ◦ f ◦ A2(x) + A(x)
is APN over F2m [x].
The proof of this result is straightforward.The last equivalence class we give is the most used one because it is the most
general. It has been introduced by Carlet, Charpin and Zinoviev in [CCZ98] andincludes all previously seen equivalences as particular cases (see [BCP06]).
Proposition 1.2.4 ([CCZ98]). Let f and g be two polynomials in F2m [x]. Supposetheir exists a linear permutation L : F2
2m → F22m between the sets {(x, f(x))|x ∈
F2m} and {(x, g(x))|x ∈ F2m} (i.e. the graphs of the functions f and g). Then fis APN if and only if g is APN.
Two functions satisfying the conditions of this proposition are said CarletCharpin Zinoviev (CCZ-) equivalent.
Proof. It is sufficient to show that δf (a, b) = δg(a, b) for any a and b in F2m . Letus write L = (L1, L2) where L1 and L2 are two linear functions from F2
2m to F2m .As L is a permutation we have the following equivalence
y = f(x)↔ L2(x, y) = g(L1(x, y)).
5
1 APN Polynomials
Now write F1(x) = L1(x, f(x)) and F2(x) = L2(x, f(x)). We claim that thefunction F1 is a permutation. Indeed, if F1 is not a permutation, then there existtwo distinct elements x and x′ such that F1(x) = F1(x
′). So F2(x) 6= F2(x′) and
the set (F1(x), F2(x)) cannot be the graph of a function. With this remark, it isclear that
g(x) = F2 ◦ F−11 (x).
Now, for all a and b in F2m we have
δf (a, b) = |{x ∈ F2m : f(x) + f(x+ a) = b}|= |{(x, y) ∈ F2
2m |(x, f(x)) + (y, f(y)) = (a, b)}|= |{(x, y) ∈ F2
2m |(F1(x), F2(x)) + (F1(y), F2(y)) = L(a, b)}|= |{(x, y) ∈ F2
2m |(x, F2 ◦ F−11 (x)) + (y, F2 ◦ F−11 (y)) = L(a, b)}|= δg(a, b)
With the introduction of these equivalence classes, the problem of the fullclassification of APN functions is reduced to find all CCZ-inequivalent APN func-tions. However, it is mathematically difficult to prove that two functions arenot CCZ-equivalent even though there exist a certain number of CCZ-invariantparameters (like for instance the extended Walsh spectrum, see [Car10]).
1.3 Exceptional APN polynomialsA way to get results on the classification is to get interested in a weaker versionof the problem: find all the polynomials APN over infinitely many extensions ofF2, namely the exceptional APN functions.
Definition 1.3.1. A polynomial of F2m [x] defining an APN function over infinitelymany extensions of F2 is called an exceptional APN polynomial.
Remark 1.3.2. The name is a reference to the exceptional polynomials which definepermutations over infinitely many extensions of Fq.
The two best known examples of exceptional APN functions are the Gold andKasami functions (see table 1.1). As, for now, all the known exceptional APNfunctions are CCZ-equivalent to a Gold or a Kasami function Aubry, McGuireand Rodier stated the following conjecture in [AMR10].
Conjecture 1. Up to CCZ-equivalence, the only exceptional APN functions arethe Gold and Kasami functions.
The main purpose of this chapter is to give a partial proof of this conjecture.The methods which gave the most significant results on the question rely onalgebraic geometry.
6
1.3 Exceptional APN polynomials
1.3.1 The geometrical approachThe goal of this section is to translate the APN property into the language ofalgebraic geometry. It will give us an efficient criterion to discard polynomialsfrom the list of potential exceptional APN polynomials. The cornerstone of thissection is the following theorem given in [Rod09] by Rodier.
Theorem 1.3.3 ([Rod09]). The polynomial f ∈ F2m [x] is APN if and only if theaffine surface of equation
f(x) + f(y) + f(z) + f(x+ y + z) = 0
has all its rational points contained in the surface of equation
(x+ y)(y + z)(z + x) = 0.
Proof. For f to be APN it is necessary and sufficient, that for all nonzero a andfor all b in F2m ,
|{x ∈ F2m : f(x) + f(x+ a) = b}| ≤ 2.
That is, for all nonzero a and for all b in F2m , there is no four distinct elementsx, y, z and t in F2m such that{
x+ y = a, f(x) + f(y) = bz + t = a, f(z) + f(t) = b.
That is equivalent to say there is no three distinct elements x, y and z in F2m suchthat
f(x) + f(y) + f(z) + f(x+ y + z) = 0.
Again, that is equivalent to say that the affine surface of equation
f(x) + f(y) + f(z) + f(x+ y + z) = 0
has all its rational points contained in the surface (x+ y)(y + z)(z + x) = 0.
Before going further, notice that the polynomial f(x)+f(y)+f(z)+f(x+y+z)is divisible by (x+ y)(y + z)(z + x). Hence,
φf (x, y, z) :=f(x) + f(y) + f(z) + f(x+ y + z)
(x+ y)(y + z)(z + x),
is a polynomial of degree deg(f)-3 which is null if and only if f is affine.
Remark 1.3.4. We will use φ(x, y, z) instead of φf (x, y, z) where there is no possibleconfusion.
The strategy is to study the number of rational points of the surface X ofequation φ(x, y, z) = 0. We first use a result of Serre.
7
1 APN Polynomials
Theorem 1.3.5 ([Ser91]). Let f be an homogeneous polynomial in Fq[X0, ..., Xn]of degree d ≤ q + 1 and let S = S(f) be its vanishing set in Pn(Fq). Denote byN = N(f) the number of elements in S and by πn = qn+qn−1 + . . .+1 the numberof points of Pn(Fq). We have
N ≤ dqn−1 + πn−2. (1.3.1)
Proof. The case d = q + 1 is trivial because dqn−1 + πn−2 is then equal to πn. Sowe suppose now d ≤ q.
We will use induction on n. The cases n = 0, 1 being easy, let us suppose n ≥ 2.
Let g1, . . . , gδ be the distinct linear factors of f on Fq and let G1, . . . , Gδ be thehyperplanes of Pn(Fq) defined by the g1, . . . , gδ. The union G of the G1, . . . , Gδ isincluded in S. We are going to distinguish two cases.
• G = S
For m = 1, . . . , δ we have
|G1 ∪ . . . ∪Gδ| ≤ mqn−1 + πn−2. (1.3.2)
This follows from induction on m because Gm+1 has πn−1 = qn− 1 + πn−2 andGm+1∩ (G1 ∪ . . . ∪Gm) has at least πn−2 points. As m ≤ d, (1.3.2) implies (1.3.1).
• G 6= S
Let us choose a point P in S but not in G. If H is an hyperplane of Pn(Fq)containing P , then the restriction of f to H is not identically null. So we canapply our induction hypothesis to S ∩ H: we have
|S ∩ H| ≤ dqn−2 + πn−3. (1.3.3)
Now, we are gonna apply a standard combinatorial process: let W the set of thecouples (P ′,H) where{
P ′ is a point of S − {P}H is an hyperplane containing P and P ′.
For a fixed P ′ in S − {P}, the number of hyperplanes containing P and P ′ isπn−2. We deduce
|W | = (N − 1)πn−2. (1.3.4)
On the other hand, for a fixed H containing P , the numbers of P ′ ∈ S − {P}contained in H is equal to |S ∩ H| − 1 ≤ dqn−2 + πn−3 − 1. As the number of H
8
1.3 Exceptional APN polynomials
containing P is equal to πn−1, we deduce
|W | ≤ πn−1(dqn−2 + πn−3 − 1
). (1.3.5)
Combining (1.3.4) and (1.3.5), we get
N ≤ 1 + πn−1dqn−2 + πn−3 − 1
πn−2(1.3.6)
A small calculation shows that (1.3.6) is equivalent to
N ≤ dqn−1 + πn−2 −(q + 1− d)qn−2
πn−2.
As q + 1− d > 0, we obtain
N ≤ dqn−1 + πn−2,
which is better than (1.3.1).
Now, we can determine the number of points of the projective closure X of thesurface X in the case where f is APN and the surface X is absolutely irreducible.
Theorem 1.3.6 ([Rod09]). Let f ∈ F2m [x] be of degree d ≥ 5. If f is APN and ifthe surface X of equation φ(x, y, z) = 0 is absolutely irreducible, then the projectiveclosure X of X admits at most 4((d− 3)2m + 1) rational points
Proof. If f is APN, then f is not an affine polynomial and the surfaceX is of degreegreater or equal than 2. If the surface X contains the plane x+ y = 0, it would bereduced to this plane because the surface is irreducible. But that is a contradictionwith the fact that the degree of the surface is greater than 1. Then the surfaceintersects the plane x+ y = 0 along a curve of degree d− 3. From Theorem 1.3.5,the number of rational points of this curve is at most (d− 3)2m + 1. The same istrue considering the plane infinity instead of x+y = 0. If f is APN, from Theorem1.3.3, the surface X has all its rational points in the surface (x+y)(y+z)(z+x) = 0,which is the reunion of the plane x + y = 0 and its symmetrics, and in the planeinfinity. Therefore X has at most 4((d− 3)2m + 1 rational points.
The next element which will lead us to the efficient criterion is the Lang-Weilbound.
1.3.1.1 The Lang-Weil bound
Denote by #X(Fq) the number of rational points of X. The first estimation ofthis number for varieties of arbitrary dimension was given by Serge Lang andAndré Weil in [LW54]. We give the inequality for absolutely irreducible surfaces.
9
1 APN Polynomials
Theorem 1.3.7. Let X be an absolutely irreducible surface in P3(Fq) of degree d.We have the following inequality
|#X(Fq)− q2 − q − 1| ≤ (d− 1)(d− 2)q3/2 + Cq,
where C is a constant depending only on d.
In [GL02], Ghorpade and Lachaud gave an explicit bound for the constant C.That is
Theorem 1.3.8 ([GL02]). With the notation of the previous theorem we have
C ≤ 18× (d+ 3)n+1.
Remark 1.3.9. The proof of the theorems above are not in the frame and contextof this thesis. we refer the reader to [LW54] and [GL02].
1.3.1.2 The criterion
Using the refinement of the Lang-Weil bound given by [GL02] along with Theo-rem 1.3.6, we obtain the following result.
Theorem 1.3.10 ([Rod09]). Let f be a polynomial of degree d in F2m [x] and X bethe surface of equation φ(x, y, z) = 0. Suppose now that X is absolutely irreducible.Then, if d ≤ 0.45q1/4 + 0.5 and d ≥ 9, f is not APN.
Proof. We know from Theorem 1.3.7 and 1.3.8 that
|#X(F2m)− q2 − q − 1| ≤ (d− 4)(d− 5)q3/2 + 18d4q,
as the surface X is of degree d− 3.So
#X(F2m) ≥ q2 + q + 1− (d− 4)(d− 5)q3/2 − 18d4q.
From Theorem 1.3.6, if q2 + q + 1 − (d − 4)(d − 5)q3/2 − 18d4q is greater than4((d− 3)q + 1) then f is not APN. That is, f is not APN if
q2 + q + 1− (d− 4)(d− 5)q3/2 − 18d4 − 4((d− 3)q + 1) > 0.
One can deduce with small computation that this equation is verified for d ≤0.45q1/4 + 0.5 and d ≥ 9 or for q1/2 > 13.51− 5d+ 4.773d2 if d ≥ 2.
We can deduce our desired criterion immediately.
Corollary 1.3.11. Let f be a polynomial in F2m [x] of degree d ≥ 2. If the surfaceX of equation φ(x, y, z) = 0 is absolutely irreducible (or has an absolutely irre-ducible component defined over F2m different from (x+y), (x+ z) or (y+ z)), thenf is not an exceptional APN function.
10
1.3 Exceptional APN polynomials
This condition is not a sufficient condition. As we will see in section 1.3.3.3,there exist non-APN polynomials such that X has no absolutely irreducible com-ponent defined over their ground field.
From now on, we let q = 2m and X will always refer to the surface of equationφ(x, y, z) = 0. To prove that X (or X) is absolutely irreducible or has an ab-solutely irreducible component defined over its ground field is a hard problem.That is why we will first study monomial functions. In this case, the equationφ(x, y, z) = 0 defines a curve in P2(F2m).
1.3.2 The monomial caseIn this section, we will suppose that f(x) is a polynomial in Fq[x] of the form xi
for some non-negative integer i. From now on, we will denote A = (x + y)(y +z)(z + x) and by φi the polynomial φ associated to xi. That is
φi(x, y, z) =xi + yi + zi + (x+ y + z)i
(x+ y)(y + z)(z + y).
Obviously, the polynomial φi is homogeneous and so the equation φi(x, y, z) = 0defines a curve in P2(Fq).
The main problem is to determine the decomposition of φi into absolutelyirreducible factors. The first thing we will do is to limit our study to odd exponentwith the following proposition.
Proposition 1.3.12 ([AMR10]). Let i = 2je where e is odd. The following equalityholds
φi = A2j−1φ2j
e .
Proof. We haveAφi = xi + yi + zi + (x+ y + z)i
= (xe + ye + ze + (x+ y + z)e)2j
= A2jφ2j
e .
Thus φi = A2j−1φ2j
e .
So now the question is to determine the decomposition into absolutely irre-ducible factors of φe for e odd. From now on, e will denote a positive odd in-teger. This decomposition in known only in a few cases. We give a summaryof the known results. Their proofs are based on singularities classification andBezout’s theorem for curves along with heavy computations so we will not givethe details but just the list of the results.
Theorem 1.3.13 ([HM11]). The polynomial φe has an absolutely irreducible com-ponent defined over F2 if and only if e is not a Kasami or Gold exponent.
11
1 APN Polynomials
Until recently, it was thought that φe was absolutely irreducible for every e nota Gold or a Kasami exponent but Fernando Hernando and Gary McGuire showedthat φ205 was divisible by φ13, providing the smallest counterexample [HM11].The problem now is to find the exact decomposition into absolutely irreduciblefactors of φe. It remains unknown in many cases. Éric Férard could show thefollowing interesting result.
Theorem 1.3.14 ([Fér13]). Suppose e ≡ 5 (mod 8), e ≥ 29 and that φe is notabsolutely irreducible. Then φ13 divides φe.
However, there exist two cases where φe is known to be absolutely irreducible.
Theorem 1.3.15 ([JMW95]). Suppose that e ≡ 3 (mod 4), then the polynomialφe is absolutely irreducible.
Theorem 1.3.16 ([JMW95]). Suppose that e ≡ 5 (mod 8), e > 13 and thatthe maximal cyclic code of length e−1
4has no codewords of weight 4. Then the
polynomial φe is absolutely irreducible.
The following result has to be noted and will be useful in the next sections.We recall that e denotes an odd integer.
Theorem 1.3.17 ([AMR10; JW93]). The polynomial φe has no repeated absolutelyirreducible factor.
Proposition 1.3.18. The polynomial φe is not divisible by (x + y), (x + z) or(y + z).
Proof. It is sufficient to show that φe is not divisible by (x+ y) as φe is symmetricin the variables x, y and z. Writing s = x+ y we have
xe + ye + ze + (x+ y + z)e = s(xe−1 + ze−1) + s2P (x, y, z),
where P (x, y, z) is a polynomial. As A = s(x + z)(z + y), φe is not divisible by(x+ y).
We give the decomposition of φe in the case where e is a Gold or a Kasamiexponent as they will be needed in the next sections.
Proposition 1.3.19 ([JW93]). Suppose that e = 2i + 1. We have the followingequality
φe(x, y, z) =∏
α∈F2i−F2
(x+ αy + (α + 1) z)
Proof. As φe is homogeneous we can suppose z = 1. We have
xy (x+ y)φe(x+ 1, y + 1, 1) = (x+ 1)2i+1 + (y + 1)2
i+1 + 1 + (x+ y + 1)2i+1
= yx2i+ xy2
i
= y∏
α∈F2i(x+ αy).
12
1.3 Exceptional APN polynomials
Thus replacing x by x+ 1 and y by y+ 1 and dividing by (x+ 1)(y+ 1)(x+ y) weobtain
φe(x, y, 1) =∏
α∈F2i−F2
(x+ αy + α + 1).
As φe(x, y, z) is homogeneous, we obtain the desired decomposition.
Remark 1.3.20. Obviously, (x+ αy + (α + 1) z) is absolutely irreducible and wehave the decomposition of φe into absolutely irreducible factors.
Theorem 1.3.21 ([JW93]). Suppose that e = 4i − 2i + 1. We have the followingequality
φe =∏
α∈F2i−F2
pα(x, y, z),
where, for each α ∈ F2i − F2, pα is an absolutely irreducible polynomial of degree2i + 1 defined over F2i such that
pα(x, 0, 1) = (x− α)2i+1.
Not we treat the case where f(x) is not a monomial.
1.3.3 The polynomial caseIn this section we write f(x) =
∑di=0 aix
i with d the degree of f and we supposethat there exist a nonzero ai with i 6= d. Without loss of generality, we can alwaysassume that ad = 1 as Fq is a field.
The approach we will use here was introduced by Aubry, McGuire and Rodierin [AMR10]. The idea is to consider the intersection of the surface X and thehyperplane at infinity in P3(Fq) to use the known results from the previous sec-tion. This approach is based on the following lemma which uses [Sha94, Chap.I, 6.2, Corollary 5]
Proposition 1.3.22 ([AMR10]). Let H be a hypersurface in P3(Fq). If X ∩H is areduced (no repeated component) absolutely irreducible curve, then X is absolutelyirreducible.
Proof. If X is not absolutely irreducible, then every irreducible component of Xintersects H in a variety of dimension at least 1. So X ∩H is reduced or reducible.
More precisely, we will use the following lemma and its direct corollary inorder to apply our criterion 1.3.11.
Lemma 1.3.23 ([AMR10]). Let H be a projective hypersurface. If X ∩ H has areduced absolutely irreducible component defined over Fq, then X has an absolutelyirreducible component defined over Fq.
13
1 APN Polynomials
Proof. Let YH be a reduced absolutely irreducible component of X∩H defined overFq. Let Y be an absolutely irreducible component of X that contains YH. Supposefor the sake of contradiction that Y is not defined over Fq. Then Y is definedover Fqt for some t. Let σ be a generator for the Galois group Gal(Fqt/Fq) of Fqtover Fq. Then σ (Y ) is an absolutely irreducible component of X that is distinctfrom Y . However, σ (Y ) ⊇ σ (YH) = YH, which implies that YH is contained in twodistinct absolutely irreducible components of X. This means that a double copy ofYH is a component of X, which contradicts the assumption that YH is reduced.
The combination of the two precedent lemmas with corollary 1.3.11, will en-able us to discard entire classes of polynomials from the list of potential excep-tional APN polynomials.
The equation of X in P3(Fq) is given by φ(x, y, z, h) = 0 where
φ(x, y, z, h) =d∑i=3
aiφihd−i.
The idea consists to intersect X with the plane infinity H∞ of equation h = 0.From now on we will writeX∞ := X∩H∞. Its equation is given by φd(x, y, z) = 0.The strategy is to eliminate polynomials which are not CCZ-equivalent to a Goldor Kasami function in order to prove the conjecture 1. We begin with polynomialsof odd degree.
1.3.3.1 Polynomials of odd degree
Degree not a Gold or Kasami exponent
Considering the previous discussion, the following theorem is almost straight-forward.
Theorem 1.3.24 ([AMR10]). Let f ∈ Fq[x] be a polynomial of degree d ≥ 7 oddand not a Gold or Kasami number. Then f is not an exceptional APN polynomial.
Proof. By Propositions 1.3.17 and 1.3.18 and by Theorem 1.3.13, the curve X∞has a reduced absolutely irreducible component defined over F2 different from(x+ y), (x+ z) or (y + z). We conclude with corollary 1.3.11.
Degree a Gold or a Kasami exponent
The cases where the degree of f is a Gold or a Kasami exponent are a bitmore intricate and require some extra minor conditions on f to get the samekind of result. Their proof are not exactly based on the approach we presentedand use methods which will be employed in the next chapters (see the proof of
14
1.3 Exceptional APN polynomials
Proposition 2.2.7 for example). That is why we will not give the proofs of thenext theorems. We begin with results on polynomials of degree a Gold exponent.
Theorem 1.3.25 ([DJ12]). Let f be a polynomial in F2m [x]. Suppose that f(x) =x2
i+1 + h(x) with i ≥ 2 prime with m and deg(h) ≡ 3 (mod 4) < 2i + 1. Then fis not an exceptional APN polynomial.
If the degree of h(x) is not 3 (mod 4), we need an extra condition.
Theorem 1.3.26 ([DJ12]). Let f be a polynomial in F2m [x]. Suppose that f(x) =x2
i+1 + h(x) with i ≥ 2 prime with m and deg(h) = d ≡ 1 (mod 4) < 2i + 1. If φdand φ2i+1 are coprime, then f is not an exceptional APN polynomial.
Rodier was able to prove the following by exhaustive treatment.
Theorem 1.3.27 ([Rod09]). Let f(x) be a polynomial of F2m of degree d ≤ 9 odd.Then either f is CCZ-equivalent to a Gold function, either f is not an exceptionalAPN polynomial.
For polynomials of degree a Kasami exponent we have this theorem.
Theorem 1.3.28 ([FOR12]). Let f be a polynomial in F2m [x]. Suppose thatf(x) = x4
i−2i+1 + h(x) with i ≥ 2 prime with m and deg(h) = d ≤ 4i−1 − 2i−1 + 1.Write h(x) =
∑dj=0 bjx
j and suppose that there exist a nonzero aj such that φj isabsolutely irreducible. Then f is not an exceptional APN polynomial.
Remark 1.3.29. If i is not coprime with m, then X∞ would have a reduced abso-lutely irreducible component defined over F2m because of Propositions 1.3.19 and1.3.21. Then, X has an absolutely irreducible component defined over F2m andthen f cannot be an exceptional APN function.
1.3.3.2 Polynomials of degree 2e with e odd
This case is a bit more complicated than the previous one because X∞ is notreduced anymore. However we have the following result.
Theorem 1.3.30 ([AMR10]). Let f be a polynomial in F2m [x] of degree d = 2ewith e odd. Suppose moreover that f contains a term of odd degree. Then f is notan exceptional APN polynomial.
Proof. The equation of X∞ is given by φd = 0. By Proposition 1.3.12, we have
φd = (x+ y)(y + z)(z + x)φ2e.
As x+ y = 0 is a reduced absolutely irreducible component of X∞, there exist anabsolutely irreducible component Y of X defined over F2 which contains x+y = 0in the plane infinity. Now, since f contains a term of odd degree, we concludefrom Proposition 1.3.18 that Y is not the plane x + y = 0. Hence X containsan absolutely irreducible component defined over F2, thus f is not an exceptionalAPN polynomial.
15
1 APN Polynomials
If f does not contain a term of odd degree, then we can write f(x) = g(x)2
where g(x) is a polynomial of odd degree. Therefore, f(x) is CCZ-equivalent tog(x) and we are reduced to the case of odd degree polynomials.
The theorem is not true if e is even. A counter example is given in [AMR10].
f(x) = x12 + cx3
where c ∈ F4 − F2 is APN over F4m if and only if 3 does not divide m since thispolynomial is EA-equivalent (thus CCZ-equivalent) to x3. Indeed, we can writef(x) = L(x3) where L(x) = x4 + cx is obviously a linear permutation on F4m.That is why we need to consider the case of polynomials of degree 4e with e odd.
1.3.3.3 Polynomials of degree 4e with e odd
This case is even more intricate than the previous one as the multiplicity of thecomponents of X∞ increases. Indeed, writing deg(f)= d = 4e, the equation ofX∞ is given by
φd = A3φ4e = 0.
The strategy is to determine the possible forms of the absolutely irreduciblecomponents of X using their intersection with the plane H∞ (i.e. the planeh = 0). The full list is given by the following theorem.
Theorem 1.3.31. Let f : Fq → Fq be an exceptional APN function of degree 4ewith e odd and let σ be a generator of the Galois group Gal(Fq3/Fq). One of thesethree conditions holds
1. The polynomial φ is divisible by the polynomials of the form
(A+ P (x, y, z)) (A+ σ (P (x, y, z)))(A+ σ2 (P (x, y, z))
),
where P (x, y, z) is a symmetric polynomial of degree 2 defined over Fq3.
2. The polynomial φ is divisible by
(Ψ(x, y, z) + L(x, y, z)) (AΨ(x, y, z) +R(x, y, z))σ (AΨ +R(x, y, z))
σ2 (AΨ(x, y, z) + (R(x, y, z)) ,
where Ψ(x, y, z) is a symmetric factor of φe defined over Fq3 which is not anabsolutely irreducible factor of φe defined over Fq and R(x, y, z) and L(x, y, z)are symmetric polynomials of degree respectively less than deg(AΨ) and deg(Ψ)defined over Fq3.
3. The polynomial φ is divisible by the absolutely irreducible polynomials of the
16
1.3 Exceptional APN polynomials
form(Aψ3(x, y, z) + S(x, y, z)
)σ(Aψ3(x, y, z) + S(x, y, z)
)σ2(Aψ3(x, y, z) + S(x, y, z)
),
where ψ(x, y, z) is a is a square-free non absolutely irreducible symmetricfactor of φe defined over Fq3 such that ψ, σ(ψ) and σ2(ψ) are coprime.
Proof. Let f be an exceptional APN function of degree d = 4e. Our goal is toshow that, if its associated projective surface X does not contain any absolutelyirreducible component different from x + y = 0, x + z = 0 or y + z = 0, then itsequation is of a certain form.
By Lemma 1.3.23, the curve X∞ cannot contain any reduced absolutely irre-ducible component defined over Fq different from x+y = 0, y+z = 0 or z+x = 0.From Lemma 1.3.12 we have
φd = A3φ4e, (1.3.7)
meaning that X∞ is defined by the equation A3φ4e = 0.
Let D be the divisor associated to the hyperplane section X∞. We denote byA0, A1 and A2 the divisors associated, respectively, with the section of the planesof equation x + y = 0, y + z = 0 and z + x = 0 with the plane H∞. Let pi be anabsolutely irreducible factor of φe. We will denote by Ci the divisors associatedto the section of the curves of equation pi(x, y, z) = 0 with the plane H∞. Then,from (1.3.7) and Lemma 1.3.12
D = 3(A0 + A1 + A2) + 4∑i
Ci.
Now let X0 be an absolutely irreducible component of X which contains the linex+ y = 0 in H∞. As we have supposed that f is an exceptional APN function, X0
is defined over an extension of Fq, say Fqt . We choose t to be the smallest possible.We will refer to σ as a generator of the Galois group Gal(Fqt/Fq). We set X0 to bethe divisor associated to the section X0 ∩H∞, as X0 is a component of X, X0 is asubdivisor of D, and as X0 contains the line x + y = 0 in H∞ we have X0 ≥ A0.Our goal is to find the possible forms for X0.
The case where X0 ≥ 2A0
In that case we haveX0 + Xσ
0 ≥ 4A0.
But that is a contradiction since X0+Xσ0 must be a subdivisor of D and D contains
only three times A0.
17
1 APN Polynomials
The case where X0 contains only one time A0
From the previous section, we know that X0 is of the form A0 + D0 where D0
is a subdivisor of D which does not contain A0. Thus, there exists two othercomponents X1 and X2, with associated divisors respectively X1 and X2, thatcontains only one time A0.
Let G be the Galois group Gal(Fqt/Fq), since G fixes the line x + y = 0 inH∞ , the group G acts on the Xi and let us consider the orbit of X0 under thisaction. If it contains just X0 , then X0 is defined over Fq which is impossible fromProposition 1.3.23. If it contains X0 and X1 then G fixes X2 and X2 is then definedover Fq, that is again in contradiction with Proposition 1.3.23. Finally, that meansthat it contains the three components. Then G acts transitively on these threecomponents. Let G1 the stabilizer of X0 . Then the group G/G1 is isomorphic toZ/3Z, and G1 is the only subgroup of G of index 3. The same is true for the linesy + z = 0 and z + x = 0.
The case X0 = A0 +∑
i niCi
First suppose that all the nis are zero, hence X0 = A0 and then the equationof X0 would be x + y + b = 0 with b ∈ Fqt and b 6∈ Fq . In this case x + y + bwould divide f(x) + f(y) + f(z) + f(x + y + z). As b 6∈ Fq , by the action of G,x+y+σ(b) would be a distinct plane containing the line x+y = 0 in H∞. As thereare only three distinct components of X containing the line x+ y = 0 in H∞ andas t is minimal, this implies that t = 3. By symmetry of the variables x, y, z in theexpression of f(x) + f(y) + f(z) + f(x+ y+ z), z+ y+ b and x+ z+ b divide alsof(x)+f(y)+f(z)+f(x+y+z). Finally f(x)+f(y)+f(z)+f(x+y+z) is divisible by(x+y+b)(z+y+b)(x+z+b) = (x+y)(y+z)(z+x)+b(x2+y2+z2+xy+xz+zy)+b3
which is of the form given in (1) in Theorem 1.3.31.
Now suppose that there exist at least one nonzero ni. Thus we have
X1 = A0 +∑i
niCσi
andX2 = A0 +
∑i
niCσ2
i .
Now suppose that X0 is not invariant under the transposition (x, y), then thedivisor
X4 = A0 +∑i
niC(x,y)i
is different from the precedents and∑
j Xj = 4A0 + D1 should be a subdivisorof D (we recall that φ is symmetric). That is a contradiction to the fact that D
18
1.3 Exceptional APN polynomials
contains only three times A0 and hence X0 is invariant under (x, y).
Denote Y0 the image of X0 by the permutation (x, y, z) and define Y1 = Yσ0
and Y2 = Yσ2
0 . With the same argument as before, Y0 should be invariant under(y, z), that is
∑i niCi is invariant under (x, z). Thus
∑i niCi (i.e. the product
ψ =∏
i pi(x, y, z)ni) is symmetric.
For the sake of contradiction, suppose now that there exists an i and k suchthat nk and ni are nonzero and Ck = Cσ
i . Hence, X0 +X1 +Y0 +Y1 +Z0 containsat least five times Ck which cannot happens since D contains it only four times.The same is true when we consider σ2.
Now suppose that one of the ni, namely nk, is greater than 1. Then X0 + Y0 +Z0 > A0 + A1 + A2 + 6Ck, but there is only four times Ck in D because φe is re-duced (see Lemma 1.3.12), so that is a contradiction and all the nis are maximum 1.
To summarize, X0 should be of the formA0+∑
i niCi where ni ≤ 1 and∑
i niCi isinvariant under the action of the symmetry group and does not share any commoncomponent with
∑i niC
σi or
∑i niC
σ2
i . With the same reasoning than in section5.9 in [Rod11] (see also 1.3.3.3), we get the condition (3) of Theorem 1.3.31.
The case X0 = A0 + A1 +∑
i niCi
If X0 = A0 +A1 +∑
i niCi we get X1 = A0 +A1 +∑
i niCσi and X2 = A0 +A1 +∑
i niCσ2
i . With the notations above we also have Y0 = A1 + A2 +∑
i niC(x,y,z)i .
Now we just have to remark that the subdivisor of D, X0 +X1 +X2 +Y0 is greaterthan 4A1 + 3A0 + A2. That is impossible since D contains only three times A1.Hence X0 cannot be of the form A0 + A1. In the same way, we eliminate the caseX0 = A0 + A2 +
∑i niCi.
The case X0 = A0 + A1 + A2 +∑
i niCi
First suppose that the nis are all zero. That is the case 5.9 in [Rod11], we copythe proof here for the sake of completeness. In this case, the equation of such X0
is of the form (x+ y)(x+ z)(y + z) + P (x, y, z) where P is a polynomial of degreeat most 2. Let σ be a generator of G. The equation of X1 is (x + y)(x + z)(y +z) + σ(P )(x, y, z) and the equation of X2 is (x+ y)(x+ z)(y + z) + σ2(P )(x, y, z).Since these polynomials are irreducible (we have supposed that X0 is irreducible)and distinct, they are prime with each other. Therefore f(x0) + f(x1) + f(x2) +f(x0 + x1 + x2) is divisible by
19
1 APN Polynomials
2∏i=0
((x+ y)(x+ z)(y + z) + σi(P )(x, y, z)
)(1.3.8)
The equation of the curve X∞ is
((x+ y)(x+ z)(y + z))3 φ4e = 0
so we find that the product (1.3.8) can contain only three summands, henceσ3(P ) = P . Hence P is defined on Fq3 and X0 also. The product (1.3.8) mustbe symmetric in the variables x, y, z, since if it were not, the image of the product(1.3.8) by some element of the symmetry group G of the 3 variables would bedifferent, and also divide f(x) + f(y) + f(z) + f(x+ y + z), therefore forcing thecurve X∞ to contain more than 3 time the line x + y = 0. If P is not symmetricin the variables x, y, z, then the orbit of P by the symmetry group G of the 3variables would be contained in the set {P, σ(P ), σ2(P )} since the product (1.3.8)is symmetric. The orbit of P under G is not reduced to {P} since P is not sym-metric. It is not either reduced to two elements, because the third element wouldbe symmetric, so it is equal to the set {P, σ(P ), σ2(P )}. The stabilizer of P inG would then be reduced to a transposition. But the stabilizer of σ(P ) wouldcontain a conjugate transposition, and this transposition would also fix P , as theaction of G and G commute. So it is impossible, which proves that P must besymmetric. Therefore P is of the form
P (x, y, z) = c1(x2 + y2 + z2) + c4(xy + xz + zy) + b1(x+ y + z) + d1.
That is the condition (1) of Theorem 1.3.31.So the only case left is when at least one of the nis is non-zero. In this case we
haveX1 = A0 + A1 + A2 +
∑i
niCσi ,
andX2 = A0 + A1 + A2 +
∑i
niCσ2
i .
If∑
i niCi is not invariant under the action of the symmetry group, then thereexist a divisor X3 > A0 +A1 +A2 different from X0, X1 and X2. Then
∑j Xj > D,
which is a contradiction and∑
i niCi is invariant under the action of the symmetrygroup.
Moreover, if∑
i niCi lies over Fq and corresponds to an absolutely irreduciblefactor of φi (i.e. only one of the ni’s is equal to one and all the others are zero),there exists a divisor X4 which is defined over Fq and which contains Ci, leadingagain to a contradiction.
This corresponds to the condition (2) of Theorem 1.3.31
20
1.3 Exceptional APN polynomials
The following result of Rodier becomes a corollary of the last theorem becausewhen φe is absolutely irreducible, there are clearly no polynomials satisfyingconditions (2) and (3).
Theorem 1.3.32 ([Rod11]). Let f : Fq → Fq be an exceptional APN functionof degree 4e with e such that φe is absolutely irreducible. Then the absolutelyirreducible polynomials of the form
(x+ y) (x+ z) (y + z) + P,
with
P (x, y, z) = c1(x2 + y2 + z2
)+ c4 (xy + xz + zy) + b1 (x+ y + z) + d1,
for c1, c4, b1, d1 ∈ Fq3, divides φ.
Remark 1.3.33. This theorem is originally stated for e ≡ 3 (mod 4) but its proofis also valid with e such that φe is absolutely irreducible.
Armed with this technical results, we are now able to prove the following.
Theorem 1.3.34 ([Cau13]). Let f be a polynomial function over Fq of degree 4ewith e > 3 such that φe is absolutely irreducible (e.g. e ≡ 3 (mod 4)). Then f isnot an exceptional APN function.
The proof of this theorem is decomposed in two main steps. The first oneconsists in making explicit what Theorem 1.3.32 involves on the coefficients ofexceptional APN functions with the form specified in Theorem 1.3.34. That isdone in Proposition 1.3.35. We prove this proposition with identification degreeby degree.
Once the conditions on the coefficients of the functions are determined, wewill be able to prove with little effort that the studied functions are CCZ-equivalentto a non-exceptional APN function, which will lead to a contradiction.
We first begin to prove this technical proposition.
Proposition 1.3.35. Let f be inF2m [x] and let φ be its associated polynomial. IfA+R divides φ, then R = c1φ5 + c31 and the trace of c1 in Fq3 is 0. Moreover thepolynomial (A+R) (A+ ρ (R)) (A+ ρ2 (R)) is equal to
L (x)3 + L (y)3 + L (z)3 + L (x+ y + z)3
(x+ y) (y + z) (z + x)
where L (x) = x (x+ c1) (x+ ρ (c1)) (x+ ρ2 (c1)).
Proof. Our case fall in condition (1) of Theorem 1.3.31, so the polynomial
P = (A+R) (A+ ρ (R))(A+ ρ2 (R)
)
21
1 APN Polynomials
divides φ. Hence, there exists a polynomial Q ∈ Fq3 [x, y, z] of total degree d− 12such that φ = P × Q. The strategy now is to use identification degree by degreebetween φ and P ×Q. As P and φ have a specific form, we will obtain restrictiveconditions on their coefficients.
Let us denote by Pi (respectively Qi) the homogeneous component of degree iof P (respectively Qi). As φ is of total degree d− 3, we have
9∑i=0
Pi ·d−12∑i=0
Qi =d∑i=0
aiφi.
As φ is a symmetric polynomial in x, y, z, we can write it using symmetricfunctions s1 = x+ y + z, s2 = xy + xz + yz and s3 = xyz (see [Bou85] chapter 6).Denoting pi = xi + yi + zi, we have pi = s1pi−1 + s2pi−2 + s3pi−3. We remark thatφi =
pi+si1
Aand that A = (x+ y) (y + z) (z + x) = s1s2 + s3.
We shall now determine all the coefficients of R.We will first need the following lemmas
Lemma 1.3.36. Suppose e ≡ 3 (mod 4) and let s = x+ y. We have
(x+ z)2 φe =(xe−1 + ze−1
)+ s
(xe−2z + ze−2x)
x+ z+
s2(xe−3 + ze−3) (x2 + z2 + xz)
(x+ z)2(mod s3).
Proof. We haveAφe = xe + ye + ze + (x+ y + z)e.
Let us put s = y + z. We get
(x+ z) (s+ x+ z) sφe
= xe + (s+ z)e + ze + (x+ s)e
= s(xe−1 + ze−1
)+ s2
(xe−2 + ze−2
)+ s3
(xe−3 + ze−3
)(mod s4).
Hence
s (x+ z)φe + (x+ z)2 φe =(xe−1 + ze−1
)+ s
(xe−2 + ze−2
)+ s2
(xe−3 + ze−3
)+
s3(xe−4 + ze−4
)(mod s4). (1.3.9)
As we have(x+ z)2 φe =
(xe−1 + ze−1
)(mod s),
and hence(x+ z)φe =
xe−1 + ze−1
x+ z(mod s),
22
1.3 Exceptional APN polynomials
we deduce
(x+ z)2 φe =(xe−1 + ze−1
)+ s
(xe−2 + ze−2
)+ s (x+ z)φe (mod s2)
=(xe−1 + ze−1
)+ s
(xe−2 + ze−2
)+ s
xe−1 + ze−1
x+ z(mod s2)
=(xe−1 + ze−1
)+ s
xe−2z + ze−2x
x+ z(mod s2).
So we have
(x+ z)2 φe =(xe−1 + ze−1
)+ s
xe−2z + ze−2x
x+ z(mod s2) (1.3.10)
and
(x+ z)φe =(xe−1 + ze−1)
x+ z+ s
xe−2z + ze−2x
(x+ z)2(mod s2). (1.3.11)
Using 1.3.10 and 1.3.11 in 1.3.9 we get
(x+ z)2 φe = (xe−1 + ze−1) + s (x+ z)φe + s (xe−2 + ze−2) +s2 (xe−3 + ze−3) (mod s3)
= (xe−1 + ze−1) + s(xe−1+ze−1)
x+z+ s2 x
e−2z+ze−2x(x+z)2
+
s (xe−2 + ze−2) + s2 (xe−3 + ze−3) (mod s3)
= (xe−1 + ze−1) + s(xe−2z+ze−2x)
x+z+ s2
(xe−3+ze−3)(x2+z2+xz)(x+z)2
(mod s3).
Lemma 1.3.37. Suppose e ≡ 1 (mod 4) and let s = x+ y. We have
(x+ z)2 φe =(xe−1 + ze−1
)+ s
(xe−1 + ze−1)
x+ z+ s2
(xe−1 + ze−1)
(x+ z)2(mod s3).
Proof. The proof of Lemma 1.3.37 is similar to the proof of Lemma 1.3.36.
Lemma 1.3.38. For all odd e ∈ N we have
φe(x, z, z) =xe−1 + ze−1
(x+ z)2.
The proof is straightforward from previous lemmas. It can also be found in[DJ12].
23
1 APN Polynomials
For all k ∈ {0, 1, . . . , d} we have
akφk =9∑i=0
PiQk−i−3,
where we set Qk−i−3 = 0 when the index is negative.Degree d− 3
We haveφd = A3φ4
e = P9Qd−12.
As P9 = A3, we get Qd−12 = φ4e.
Degree d− 4
We havead−1φd−1 = P9Qd−13 + P8Qd−12.
As P8 = A2(s21tr(c1) + s2tr(c2)), it gives us
ad−1φd−1 = A3Qd−13 + A2φ4e(s
21tr(c1) + s2tr(c2)).
By Lemma 1.3.38, φd−1 is not divisible by A, so ad−1 = 0 and
AQd−13 = φ4e(s
21tr(c1) + s2tr(c2)).
We know that A is prime with s21tr(c1) + s2tr(c2) because (x+ y) does not dividethis polynomial, and A does not divide either φ4
e, which implies Qd−13 = P8 = 0and tr(c1) = tr(c2) = ad−1 = 0.
Degree d− 5
We have
ad−2φd−2 = ad−2(Aφ22e−1) = P9Qd−14 + P8Qd−13 + P7Qd−12.
Knowing that P8 = Qd−13 = 0 we obtain
ad−2(Aφ22e−1) = P9Qd−14 + P7Qd−12.
We also know that
P7 = A(s41q1(c1) + s22q1(c2) + s21s2q5(c1, c2)) + A2s1tr(b),
denotingq1(ci) = ciρ(ci) + ciρ
2(ci) + ρ(ci)ρ2(ci) and
24
1.3 Exceptional APN polynomials
q5(c1, c2) = c1(ρ(c2) + ρ2(c2)) + c2(ρ(c1) + ρ2(c1)) + ρ(c1)ρ2(c2) + ρ(c2)ρ
2(c1).
So
ad−2φ22e−1 = A2Qd−14 +φ4
e(s41q1(c1) + s22q1(c2) + s21s2q5(c1, c2) +As1tr(b)), (1.3.12)
Putting y = z, we have
ad−2
(x4e−4 + z4e−4
(x+ z)4
)+
(x4e−4 + z4e−4
(x+ z)8
)(q1(c1)x
4 + q1(c2)z4 + x2z2q5(c1, c2)) = 0,
hence we obviously have q5(c1, c2) = 0 and q1(c1) = q1(c2) = ad−2. We do notassume that y = z anymore.
We know from (1.3.12) that A divides ad−2(φ22e−1 +φ4
e(s41 +s22)), as it is a square,
A2 divides it too. Replacing in (1.3.12) we get
ad−2(φ22e−1 + φ4
e(s41 + s22))
2 + A2Qd−14 = Aφ4es1tr(b),
so A divides tr(b)s1φ4e. But A divides neither s1 nor φ4
e so tr(b) = 0. In conclusion
P7 = q1(c1)(s21 + s2)
2A = q1(c1)Aφ25. and
Qd−14 = q1(c1)φ22e−1+φ
4eφ
25
A2 .
Lemma 1.3.39. The polynomial Qd−14(x, z, z) is equal to zero.
Proof. From Lemma 1.3.37 and 1.3.36 we get, if either e ≡ 3 (mod 4) or e ≡ 1(mod 4)
Qd−14 =
(x2e−2+z2e−2
(x+z)2+ s
(x2e−2+z2e−2
(x+z)3
)+ s2R1
)A
2
+
(x2e−2+z2e−2
(x+z)4+ s2R2
)((x+ z)2 + s(x+ z) + s2)
A
2
=s
(x+ y)(x+ z)R3,
hence Qd−14(x, z, z) = 0.
Degree d− 6
We have
ad−3φd−3 = P9Qd−15 + P8Qd−14 + P7Qd−13 + P6Qd−12 = P9Qd−15 + P6Qd−12.
25
1 APN Polynomials
We know that
P6 = A2tr(d1) + A(s31q5(c1, b) + s1s2q5(c1, b)) + s61N(c1) + s41s2q4(c1, c2)+
s21s22q4(c2, c1) + s32N(c2),
whereN(a) = aρ(a)ρ2(a) which is the norm of a in Fq,
q4(a, b) = aρ(a)ρ2(b) + aρ(b)ρ2(a) + bρ(a)ρ2(a)
and
q5(a, b) = a(ρ(b) + ρ2(b)) + b(ρ(a) + ρ2(a)) + ρ(a)ρ2(b) + ρ(b)ρ2(a),
for all a, b in Fq3 .
Making y = z, we get
ad−3φd−3(x, z, z) = P6(x, z, z)φ4e(x, z, z),
with
P6(x, z, z) = (c1x2 + c2z
2)(ρ(c1)x2 + ρ(c2)z
2)(ρ2(c1)x2 + ρ2(c2)z
2).
As
φd−3(x, z, z) =xd−4 + zd−4
(x+ z)2
and
φ4e(x, z, z) =
xd−4 + zd−4
(x+ z)8,
we have
(c1x2 + c2z
2)(ρ(c1)x2 + ρ(c2)z
2)(ρ2(c1)x2 + ρ2(c2)z
2) = ad−3(x+ z)6.
Hence c1 = c2.Now we have
N(c1)(φd3 + φ3
5φ4e
)= A3Qd−15 + Tr(d1)A
2φ4e + q5(c1, b)Aφ5s1φ
4e. (1.3.13)
One can verify with Lemma 1.3.36 and 1.3.37 that A2 divides φd−3 + φ35φ
4e and
we obtain q5(c1, b) = 0 since φ5s1φ4e is prime with A. Plugging the last result into
(1.3.13) and dividing the whole expression by A2 we get
AQd−15 = N(c1)(φd3 + φ3
5φ4e)
A2+ Tr(d1)φ
4e.
26
1.3 Exceptional APN polynomials
Putting y = z, we obtain
N(c1)(φd3 + φ3
5φ4e)
A2(x, z, z) = Tr(d1)φ
4e(x, z, z).
Now either (φd3+φ35φ
4e)
A2 (x, z, z) is different from φ4e(x, z, z) and Tr(d1) = N(c1) =
0, or (φd−3+φ35φ
4e)
A2 (x, z, z) = φe(x, z, z) and Tr(d1) = N(c1) but in both case we haveTr(d1) = N(c1).
Degree d− 7
We have
ad−4φd−4 = P9Qd−16 + P8Qd−15 + P7Qd−14 + P6Qd−13 + P5Qd−12, (1.3.14)
whereP5 = q4(c1, b)s1φ
25 + A(q1(b)s
21 + q5(c1, d1)φ5),
We know that φd−4 = A7φ e−12
so making again y = z enables us to obtain
0 = P5(x, z, z) = q4(c1, b)x(x2 + z2)
and finally q4(c1, b) = 0. Now (1.3.14) becomes
ad−4A7φ e−1
2= A3Qd−16 + q1(c1)Aφ
25Qd−14 +
(q1(b)s
21 + q5(c1, d1)φ5
)Aφ4
e.
We divide this expression by A and we put y = z and it gives
q1(b)x2 = q5(c1, d1)(x
2 + y2),
so q1(b) = q5(c1, d1) = 0.
Degree d− 8
For this step we have
ad−5φd−5 = P9Qd−17 + P8Qd−16 + P7Qd−15 + P6Qd−14 + P5Qd−13 + P4Qd−12
withP4 = q4(b, c1)s
21φ5 + q4(c1, d1)φ
25 + q5(b, d1)As1,
27
1 APN Polynomials
Putting y = z, we get
ad−5xd−6 + zd−6
(x+ z)2=
1
(x+ z)8((q4(b, c1) + q4(c1, d1))(x
d + x4zd−4)+
q4(b, c1)(xd−2z2 + x2zd−2) + q4(c1, d1)(x
d−4z4 + zd)).
Putting on the same denominator, we have
ad−5(xd−6z6 + x6zd−6) = 0
and then ad−5 = 0, therefore q4(b, c1) = q4(c1, d1) = 0.
Summary
To sum up, we obtained the following system
tr(b) = 0q5(c1, b) = 0q4(c1, b) = 0q4(b, c1) = 0q1(b) = 0tr(c1) = 0q4(c1, d1) = 0q5(c1, d1) = 0Tr(d1) = N(c1)
Let us suppose that c1 6= 0. The linear system in b, ρ(b), ρ2(b) formed by thethree first equations gives b = 0. Indeed, the determinant of this system is (c1 +ρ(c1))(ρ(c1)+ρ2(c1))(ρ
2(c1)+ c1) and can vanish only if c1 = 0 because Tr(c1) = 0.If, moreover, c1 6= ρ(c1), the last three equations form a linear system in d1,
ρ(d1), ρ2(d1) which givesd1 = c31.
Therefore R = c1φ5 + c31, which is the form given in the Proposition 1.3.35.If c1 = ρ(c1) then, as Tr(c1) = 0, c1 = 0. Let us suppose from now on that it is
the case. We need to use
ad−6φd−6 = P9Qd−18+P8Qd−17+P7Qd−16+P6Qd−15+P5Qd−14+P4Qd−13+P3Qd−12,
when we replace c1 by zero we get
ad−6Aφ22e−1 = A3Qd−18 + P3φ
4e,
whereP3 = N(b)s31 + q1(d1)A.
28
1.3 Exceptional APN polynomials
Put y = z to obtain0 = P3(x, z, z) = N(b)x3.
So N(b) = 0 and therefore b = 0.Now we use
ad−9φd−9 = P9Qd−21 + P8Qd−20 + P7Qd−19 + P6Qd−18 + P5Qd−17 + P4Qd−16+
P3Qd−15 + P2Qd−14 + P1Qd−13 + P0Qd−12,
which givesad−9φd−9 = A3Qd−21 +N(d1)φ
4e.
If we put y = z, we obtain
ad−9xd−10 + zd−10
(x+ z)2= N(d1)
xd−4 + zd−4
(x+ z)8.
Putting on the same denominator, we get ad−9 = 0 and therefore N(d1) = 0, henced1 = 0. It means that R = 0, finally proving the first part of Proposition 1.3.35.
Now, let us consider L (x) = x (x+ c1) (x+ ρ (c1)) (x+ ρ2 (c1)). Since Tr (c1) =0, L is a q-affine polynomial and as L(x) has only one root in Fq (that is x = 0),L(x) is a q-affine permutation. We have
L(x)3 = x12+q1(c1)x10+N(c1)x
9+(q1(c1)3+N(c1)
2)x6+N(c1)q1(c1)2x5+N(c1)
3x3+L1(x),
where L1(x) is a linearized polynomial in Fq. Hence
φL3 =L (x)3 + L (y)3 + L (z)3 + L (x+ y + z)3
(x+ y) (y + z) (z + x)
= φ12 + q1(c1)φ10 +N(c1)φ9 + (q1(c1)3 +N(c1)
2)φ6 +N(c1)q1(c1)2φ5 +N(c1)
3φ3.
As we have φ12 = A3, φ10 = Aφ25, φ6 = A and φ3 = 1, we obtain
φL3 = (A+R)(A+ ρ (R)
(A+ ρ2(R
)),
meaning that the polynomial φL3 associated to L (x)3 divides φf , which proves thesecond part of Proposition 1.3.35.
The next step is to prove that the Proposition 1.3.35 implies that f is CCZ-equivalent to a non-exceptional APN polynomial.
29
1 APN Polynomials
Theorem 1.3.40. Let f be a function such that deg (f) = 4e, with e > 3 suchthat φe is absolutely irreducible, and such that the polynomials of the form
(x+ y) (x+ z) (y + z) +R,
divides φ, then f is CCZ-equivalent to xe + S (x), where S ∈ Fq [x] is of degree atmost e− 1.
Proof. Let us consider the set G of the polynomials of the form g (x) = L (x)e +S (L (x)), where S is a polynomial of Fq [x] of degree at most e− 1 with no mono-mials of exponent a power of 2. Let δ be the number of powers of 2 less or equalthan e− 1. It is easy to see that G defines an affine subspace of the vector spaceFq[x] of dimension e− δ. We have
φg = φLe + φS(L).
Now, let us consider the set F of all the polynomials f of degree 4e with leadingcoefficient 1 such that φL3 divides φf and such that f does not have any monomialof exponent a power of 2. The goal of this proof is to show that F = G. We beginby proving that G ⊂ F , then we show that they have the same dimension.
Lemma 1.3.41. The set G is a subset of F .
Proof. It is sufficient to prove that φL3 divides φLn for all n > 3.We know that x3+y3+z3+(x+ y + z)3 = A divides xn+yn+zn+(x+ y + z)n.
Putting
X = L (x)
Y = L (y)
Z = L (z) ,
we have thatX3+Y 3+Z3+(X + Y + Z)3 dividesXn+Y n+Zn+(X + Y + Z)n. Astr(c1) = 0, L (x) is a linearized polynomial so X + Y + Z = L (x) + L (y) +L (z) = L (x+ y + z) therefore L (x)3 + L (y)3 + L (z)3 + L (x+ y + z)3 dividesL (x)n + L (y)n + L (z)n + L (x+ y + z)n, then φL3 divides φLn .
Lemma 1.3.42. F defines an affine subspace of the vector space Fq [x] of dimen-sion less or equal than e− δ.
Proof. We consider the mapping
ϕ : F → Fe−δq
f → (ad−4, . . . , a12)
It is sufficient to prove that this mapping is injective.
30
1.3 Exceptional APN polynomials
Let f and f ′ in F be two elements such that ϕ (f) = ϕ (f ′). We write f =∑di=0 aix
i and f ′ =∑d
i=0 a′ixi. We note akφk =
∑9i=0 PiQk−i−3 and a′kφk =∑9
i=0 PiQ′k−i−3.
We will show by induction that ai = a′i for all 0 6 i 6 d and that Qi = Q′i forall 0 6 i 6 d− 12.
We have ad = a′d = 1 and Qd−12 = Q′d−12 = φ4e.
Suppose that aj = a′j and that Qj−12 = Q′j−12 for j > i. Let us show that ai = a′iand Qi−12 = Q′i−12 if 4 does not divide i.
If i > 12, we have
aiφi =9∑
sup(0,i−d+9)
PkQi−k−3 = A3Qi−12 +8∑
sup(0,i−d+9)
PkQi−k−3,
so A3 divides
aiφi +8∑
sup(0,i−d+9)
PkQi−k−3.
It also divides
a′iφi +8∑
sup(0,i−d+9)
PkQ′i−k−3 = a′iφi +
8∑sup(0,i−d+9)
PkQi−k−3,
because i − k − 3 > i − 11. So it divides (ai + a′i)φi. If 4 does not divide i thenA3 does not divide φi so ai = a′i and
Qi−12 =aiφi +
∑8sup(0,i−d+9) PkQi−k−3
A3=a′iφi +
∑8sup(0,i−d+9) PkQ
′i−k−3
A3= Q′d−12.
From Lemma 1.3.41 and 1.3.42 we obtain F = G. So every f ∈ F is of theform L (x)e +S (L (x)) and hence they are CCZ-equivalent to xe
+S (x). If f is ofdegree 4e with leading coefficient 1 such that φL3 divides φf and has monomials ofexponent a power of 2, then f is CCZ-equivalent to a polynomial in F , therefore,it is also CCZ-equivalent to x
e+ S (x).
We now have that f is CCZ-equivalent to a polynomial of degree e which isodd. As e is odd and not a Gold or Kasami number, we can deduce from The-orem 1.3.24 that f cannot be an exceptional APN function which is the desiredcontradiction finally proving Theorem 1.3.34.
We now treat some example where φe is not absolutely irreducible.
31
1 APN Polynomials
Theorem 1.3.43. Let f : F2m → F2m be an exceptional APN function of degreed = 20. Then m is odd and f is CCZ-equivalent to x5.
Proof. The decomposition of φ5 is given by Lemma 1.3.19.
φ5 = (x+ αy + α2z)(x+ α2y + αz),
where α is in F4−F2. Hence, the only symmetric factor of φ5 is φ5 itself and thenthe condition (3) of Theorem 1.3.31 cannot hold. Also, the condition (1) is alreadytreated above and the conclusion is that f is CCZ-equivalent to x5. So we onlyhave to study the consequences of condition (2) on f . That is
φ = (φ5 + L(x, y, z)) (Aφ5 +R(x, y, z)) (Aφ5 + σ (R(x, y, z)))(Aφ5 + σ2 (R(x, y, z))
),
where L is a symmetrical polynomial of Fq of degree 1 and R is a symmetricalpolynomial of Fq3 of degree 4.
The first thing we show is that L(x, y, z) = a(x + y + z) + b = 0. As φ doesnot have any absolutely irreducible component defined over Fq, (φ5 + L) cannot beabsolutely irreducible. Hence, there exist two polynomials G(x, y, z) and H(x, y, z)in F2[x, y, z] such that G×H = φ5 + as1 + b. Writing Gi and Hi the homogeneouscomponents of degree i of G and H respectively, we get
φ5 = G1 ×H1.
Without loss of generality we can assume that G1 = x + αy + α2z and H1 =x+ α2y + αz. Also,
a(x+ y + z) = G0(x+ α2y + αz) +H0(x+ αy + α2z),
and hence
G0 +H0 = a
G0α +H0α2 = a
G0α2 +H0α = a
Plugging G0 = H0 + a into the last two equations, we get H0 = aα and H0 =a(α + 1), that is a = H0 = G0 = 0 and thus b = 0, so L(x, y, z) = 0.
Now, as φ =∑20
j=0 ajφj, we have for every j = 0, . . . , 20, φ5 divides ajφj. Hence
φ = a20φ20 + a10φ10 + a5φ5.
That is f is equal to a20x20+a16x16+a10x
10+a8x8+a5x
5+a4x4+a2x
2+a1x+a0.As the class of APN polynomial is invariant under the addition of q-affine poly-nomial, we can limit ourselves to f = a20x
20 + a10x10 + a5x
5. Clearly, f is of the
32
1.3 Exceptional APN polynomials
form ϕ(x5) where ϕ(x) is a q-affine polynomial of degree 4, hence f is EA (thusCCZ) equivalent to the polynomial x5.
To sum up, what we have proved is that if f is an exceptional APN function ofdegree 20, then it is CCZ-equivalent to the function x5. As this function is APNonly on every extension of F2 of odd degree we get that m is an odd number andthis concludes the proof of Theorem 1.3.43.
The case e = 9 can be solved in the same way than the precedent one. But theimpossibility of showing that φ9 + L(x, y, z) is not absolutely irreducible if andonly if L is zero leads to a long calculation which is not of real interest here butone can prove that f is CCZ-equivalent to x9.
One can ask if there exist e such that the condition (3) of Theorem 1.3.31happens. We provide an example here.
Take e = 26 + 1. We have
φ65 =∏
α∈F26−F2
(x+ αy + (α + 1)z).
Now, let β be a generator of F26, then the polynomial
ψ = (x+ βy + (β + 1)z)(x+ β7y + (β7 + 1)z)(x+ β8y + (β8 + 1)z)
(x+ β56y + (β56 + 1)z)(x+ β55y + (β55 + 1)z)(x+ β62y + (β62 + 1)z)
is symmetric, defined over F23 (and then on Fq3), square free and ψ, σ(ψ) andσ2(ψ) are relatively prime if Fq does not contain F23. That means that the polyno-mial ψ meets the condition (3) of Theorem 1.3.31. Again, some long calculationswould be necessary to investigate the consequences of this division.
In conclusion, I think that this method reaches its limit here and I would sug-gest to try a different approach to solve the remaining cases.
33
2 Planar Polynomials
This section is a joint work with Kai-Uwe Schmidta and Yue Zhoub
2.1 IntroductionLet q be a prime power. If q is odd, a function f : Fq → Fq is a planar function if,for each nonzero a ∈ Fq, the function
x 7→ f(x+ a)− f(x) (2.1.1)
is a permutation on Fq. Such planar functions can be used to construct fi-nite projective planes [DO68], relative difference sets [GS75], error-correctingcodes [CDY05], and S-boxes in block ciphers [NK93].
If q is even, a function f : Fq → Fq cannot satisfy the above definition ofplanar functions. This is another motivation to define APN functions. However,there is no apparent link between APN functions and projective planes. Recently,Zhou [Zho13] defined a natural analogue of planar functions on finite fields ofcharacteristic 2: If q is even, a function f : Fq → Fq is a planar function if, foreach nonzero a ∈ Fq, the function
x 7→ f(x+ a) + f(x) + ax
is a permutation on Fq. As shown by Zhou [Zho13] and Schmidt and Zhou [SZ13],such planar functions have similar properties and applications as their counter-parts for odd characteristic.
The first remark is that EA-equivalence (as defined in proposition 1.2.3) pre-serves planarity (see [KP08] for a discussion on equivalences preserving pla-narity). Up to EA-equivalence, the only known examples of exceptional planarpolynomials on finite fields of odd characteristic are given in the table below.
aFaculty of Mathematics, Otto-von-Guericke University, Universitätsplatz 2, 39106 Magdeburg,Germany. E-mail: [email protected]
bDepartment of Mathematics and System Sciences, College of Science, National University ofDefense Technology, 410073, Changsha, China. E-mail: [email protected]
35
2 Planar Polynomials
Polynomial Condition Proven inxp
k+1 r/ gcd(k, r) odd [CM97]x(3
k+1)/2 p = 3 and gcd(k, r) = 1 [CM97]x10 − ux6 − u2x2 p = 3, u ∈ F3n and n odd [DY06]
Table 2.1: List of classical planar polynomials in odd characteristic
The aim of this chapter is to establish a partial classification of exceptional pla-nar polynomials, i.e. polynomials f ∈ Fq[x] that induce planar functions on Fqrfor infinitely many r.
To prove our main results, we use the strategy that has been used in the prece-dent chapter to classify exceptional APN polynomials in F2m [x].
2.2 The odd characteristic caseIn this section, we suppose that q is an odd prime power. As shown in twopapers by Leducq [Led12a] and Zieve [Zie13b], up to EA-equivalence, the onlyexceptional planar monomials are the ones given in the two first lines of table2.1.
Theorem 2.2.1 ([Led12a], [Zie13b]). Let p be an odd prime and let f ∈ Fpn [x] bea monic monomial of degree d with p - d. If f is exceptional planar, then eitherf(x) = xp
k+1 or f(x) = x(3k+1)/2 and p = 3.
A partial classification of exceptional planar polynomials was obtained byZieve [Zie13a].
Theorem 2.2.2 ([Zie13a]). Let f ∈ Fpn [x] be of degree d. If f is exceptionalplanar and d 6≡ 0, 1 (mod p), then up to EA-equivalence, f(x) = x(3
k+1)/2 andp = 3.
Theorem 2.2.2 allows us to restrict ourselves to polynomials over Fpn whosedegrees are 0 or 1 modulo p. We prove the following result for the case that thedegree is 1 modulo p.
Theorem 2.2.3. Let f ∈ Fpn [X] be monic of degree d. If f is exceptional planarand d ≡ 1 (mod p), then f(X) = Xpk+1 + h(X) for some nonnegative integer k,where the degree e of h satisfies e < pk + 1 and either p | e or p | e− 1.
We remark that, except for the trivial case e = 1, no example is known forwhich p | e − 1 occurs in Theorem 2.2.3. A nontrivial example for which p | eoccurs in Theorem 2.2.3 is the third polynomials of table 2.1.
36
2.2 The odd characteristic case
To prove theorem 2.2.3, consider f ∈ Fq[x] and define the polynomial F (x, y, w)to be
f(x+ w)− f(x)− f(y + w) + f(y)
(x− y)w. (2.2.1)
It is a direct consequence of the definition of planar functions that, if f inducesa planar function on Fqr , then all Fqr -rational zeros of F satisfy x = y or w = 0.
It will be more convenient to consider the polynomial F (x, y, z − x), namely
G(x, y, z) =f(x)− f(y)− f(z) + f(−x+ y + z)
(x− y)(x− z). (2.2.2)
Then, f induces a planar function on Fqr if and only if all Fqr -rational zeros of Gsatisfy x = y or x = z.
With the same approach than for exceptional APN polynomials we have thefollowing criterion.
Proposition 2.2.4. Let f ∈ Fq[x] and let G be defined by (2.2.2). If G has anabsolutely irreducible factor over Fq different from x− y = 0 and x− z = 0, thenf is not exceptional planar.
Proof. The proof is similar to the proof of Corollary 1.3.11.
The strategy is to use Theorem 1.3.23 and intersect the projective surface de-fined by G with a hyperplane and then apply the last result.
Theorem 2.2.3, will follow from Propositions 2.2.5 and 2.2.7, to be stated andproved below. Before we proceed, we introduce some notation that will be usedthroughout the remainder of this section. Let d be the degree f ∈ Fq[x]. Writef(x) =
∑dj=0 ajx
j, where ad 6= 0. Defining
φj(x, y, z) =xj − yj − zj + (−x+ y + z)j
(x− y)(x− z), (2.2.3)
we have
G(x, y, z) =d∑j=2
ajφj(x, y, z). (2.2.4)
since φ0 = φ1 = 0. We shall also work with the homogenisation G of G, namely
G(x, y, z, h) =d∑j=2
ajφj(x, y, z)hd−j.
Proposition 2.2.5. Let f ∈ Fpn [x] be of degree d. If f is exceptional planar andd ≡ 1 (mod p), then d = pk + 1 for some nonnegative integer k.
37
2 Planar Polynomials
To prove Proposition 2.2.5, we require the following lemma.
Lemma 2.2.6. Let f ∈ Fpn [x] be of degree d. If f is exceptional planar and p - d,then d is even.
Proof. Suppose for a contradiction that f is exceptional planar and p - d and d isodd. By the definition of a planar function, the degree of f must be at least 2, sothat f ′ is not constant. The intersection of G with the hyperplane h = 0 is definedby the polynomial
G(x, y, z, 0) = adφd(x, y, z).
Since d is odd, y + z divides φd. By taking the partial derivative of xd − yd −zd + (−x + y + z)d with respect to y, we see that (y + z)2 does not divide φd.Therefore y+ z is a reduced absolutely irreducible component of φd and hence, byLemma 1.3.23, G (and so also G itself) has an absolutely irreducible factor overFpn . Therefore, by Lemma 2.2.4, the polynomial f is not exceptional planar, acontradiction.
We now prove Proposition 2.2.5.
Proof of Proposition 2.2.5. Suppose that f is exceptional planar and d ≡ 1 (mod p).We show that this is impossible unless d is of the form pk + 1.
If d = pk(pk − 1) + 1 for some nonnegative integer k, then d is odd and f isnot exceptional planar by Lemma 2.2.6, so assume that d is not of this form. Inparticular, f ′ is not constant. The intersection of G with the hyperplane h = 0 isdefined by the polynomial
G(x, y, z, 0) = φd(x, y, z).
Since d ≡ 1 (mod p) and d is not of the form pk(pk − 1) + 1, the polynomial
φd(u+ w, u, v + w) =(u+ w)d − ud − (v + w)d + vd
(u− v)w
has an absolutely irreducible factor of Fp provided that d is not of the form pk + 1,as shown by Leducq [Led12a]. Furthermore, Leducq [Led12a] showed that thenumber of singular points of φd(u+w, u, v+w) is finite. Hence the variety definedby φd and all of its partial derivatives has dimension 0, which implies that φd hasno multiple component. Therefore φd has a reduced absolutely irreducible factorover Fp and so, by Lemmas 1.3.23 and 2.2.4, the polynomial f is not exceptionalplanar, a contradiction.
Proposition 2.2.7. Let f ∈ Fpn [x] be of the form f(x) = xpk+1 + h(x), where the
degree e of h satisfies e < pk + 1. If f is exceptional planar, then either p | e orp | e− 1.
38
2.2 The odd characteristic case
In order to prove Proposition 2.2.7, we prove two lemmas on the polynomialsφj, defined by (2.2.3).
Lemma 2.2.8. Let p be a prime and let φj ∈ Fp[x, y, z] be defined by (2.2.3).
(i) We have
φj(x, x, z) = jxj−1 − zj−1
x− z.
(ii) If p - j and p - j− 1, then φj(x, x, z) is not divisible x− z and φj(x, x, z) andφpk+1(x, x, z) are coprime.
Proof. We may write
(x− z)φj(x, y, z) =xj − yj
x− y− (−x+ y + z)j − zj
(−x+ y + z)− z
=
j−1∑i=0
xi yj−i−1 −j−1∑i=0
(−x+ y + z)i zj−i−1,
from which (i) follows. If p - j, then φj(x, x, z) is not the zero polynomial. If, inaddition, p - j − 1, then φj(x, x, z) splits into linear factors different from x − z.From (i) we have φpk+1(x, x, z) = (x − z)p
k−1. Hence, if p - j and p - j − 1, thenφj(x, x, z) and φpk+1(x, x, z) are coprime. This proves (ii).
Lemma 2.2.9. Let p be a prime and let φj ∈ Fp[x, y, z] be defined by (2.2.3).Then φpk+1 is square-free.
Proof. Write
ψ(x, y, z) = xpk+1 − ypk+1 − zpk+1 + (−x+ y + z)p
k+1.
Then φpk+1 divides ψ. We show that ψ is square-free, for which it is sufficient toshow that all of the following conditions are satisfied:
• gcd(ψ, ∂ψ/∂y) ∈ Fp[x, z],
• gcd(ψ, ∂ψ/∂z) ∈ Fp[x, y],
• x - ψ.
These conditions are readily verified.
We now prove Proposition 2.2.7, using an idea of Delgado and Janwa [DJ12].
Proof of Proposition 2.2.7. Suppose that f is exceptional planar. Then G, definedin (2.2.2), is not absolutely irreducible by Lemma 2.2.4. Suppose further that p - eand p - e− 1. We show that this leads to a contradiction.
39
2 Planar Polynomials
We may write
G(x, y, z) = (Ps + Ps−1 + · · ·+ P0)(Qt +Qt−1 + · · ·+Q0), (2.2.5)
where Pi and Qi are zero or homogeneous polynomials of degree i, defined overthe algebraic closure of Fpn . Since G is not absolutely irreducible, we may alsoassume that s, t > 0. Write
f(x) =
pk+1∑j=0
ajxj,
where apk+1 = 1 and recall from (2.2.4) that
G(x, y, z) =
pk+1∑j=2
ajφj(x, y, z), (2.2.6)
where the φj’s are defined in (2.2.3). Notice that the degree of φj is j − 2 andthus, since apk+1 = 1, the degree of G is pk − 1. Hence s + t = pk − 1 by (2.2.5).From (2.2.5) and (2.2.6) we find that
PsQt = φpk+1. (2.2.7)
Therefore, by Lemma 2.2.9, Ps and Qt are coprime. From (2.2.5) and (2.2.6) wealso find that
PsQt−1 + Ps−1Qt = apkφpk = 0
since φpk = 0. Hence Ps divides Ps−1Qt and so Ps divides Ps−1, which by a degreeargument implies that Ps−1 = 0. Likewise, we see that Qt−1 = 0. Now, by theassumed form of f , we have
aj = 0 for each j ∈ {pk, pk − 1, . . . , e+ 1}. (2.2.8)
Since Ps−1 = Qt−1 = 0, we have from (2.2.5) and (2.2.6)
PsQt−2 + Ps−2Qt = apk−1φpk−1.
If pk − 1 ≥ e + 1, the right hand side equals zero by (2.2.8) and, by an argumentsimilar to that used above, we conclude that Ps−2 = Qt−2 = 0. We can continuein this way to show that
Pt−1 = · · · = Pe−t−1 = Qs−1 = · · · = Qe−s−1 = 0.
Hence, by invoking (2.2.5) and (2.2.6) again, we have
PsQe−s−2 + Pe−t−2Qt = aeφe. (2.2.9)
40
2.3 The even characteristic case
If Qe−s−2 = 0, then Qt divides φe and also φpk+1 by (2.2.7). This contradictsLemma 2.2.8 (ii). Likewise, we get a contradiction if Pe−t−2 = 0. Hence we mayassume that Pe−t−2 andQe−s−2 are both nonzero. From (2.2.7) and Lemma 2.2.8 (i)we find that
Ps(x, x, z)Qt(x, x, z) = φpk+1(x, x, z) = (x− z)pk−1. (2.2.10)
Hence x−z divides Ps(x, x, z) and Qt(x, x, z) and thus x−z also divides φe(x, x, z)by (2.2.9). From (2.2.10) we then see that φe(x, x, z) and φpk+1(x, x, z) share thefactor x− z, which contradicts Lemma 2.2.8 (ii).
2.3 The even characteristic caseWe now turn to finite fields of characteristic two, in which case the only knownexamples of exceptional planar polynomials are the polynomials that induceaffine functions on F2m (it is trivial to check that such polynomials are excep-tional planar). Indeed, Müller and Zieve [MZ13] established the following clas-sification of exceptional planar monomials.
Theorem 2.3.1 ([MZ13]). Let f ∈ F2m [x] be a monomial of degree d. If f isexceptional planar, then d is a power of 2.
The case that d is odd in Theorem 2.3.1 was obtained previously by Schmidtand Zhou [SZ13] using different techniques.
We prove the following partial classification of exceptional planar polynomials.
Theorem 2.3.2. Let f ∈ F2m [x] be of degree d. If f is exceptional planar, theneither d ∈ {1, 2} or 4 | d.
To prove theorem 2.3.2, we will use the same approach than for odd charac-teristic case. Let f ∈ F2m [x] and define the polynomial F (x, y, w) to be
f(x+ w) + f(x) + wx+ f(y + w) + f(y) + wy
(x+ y)w. (2.3.1)
It is a direct consequence of the definition of planar functions that, if f inducesa planar function on F2mr , then all F2mr -rational zeros of F satisfy x = y or w = 0.It will be more convenient to consider the polynomial F (x, y, z + x), namely
H(x, y, z) =f(x) + f(y) + f(z) + f(x+ y + z)
(x+ y)(x+ z)+ 1. (2.3.2)
Then f induces a planar function on F2mr if and only if all F2mr -rational zeros ofH satisfy x = y or x = z.
The following lemma is our counterpart of Lemma 2.2.4 in even characteristic.
41
2 Planar Polynomials
Lemma 2.3.3. Let f ∈ F2m [x], and let H be defined by (2.3.2). If H has anabsolutely irreducible factor over F2m, then f is not exceptional planar.
Proof. The proof is similar to the proof of Corollary 1.3.11.
We now prove Theorem 2.3.2.
Proof of Theorem 2.3.2. Write f(x) =∑d
j=0 ajxj, where ad = 1. Defining
φj(x, y, z) =xj + yj + zj + (x+ y + z)j
(x+ y)(x+ z),
the polynomial H, defined in (2.3.2), can be written as
H(x, y, z) =d∑j=2
ajφj(x, y, z) + 1
since φ0 = φ1 = 0. The homogenisation H of H is given by
H(x, y, z, h) =d∑j=2
ajφj(x, y, z)hd−j + hd−2
and the intersection of the projective surface H with the hyperplane h = 0 isdefined by the polynomial
H(x, y, z, 0) = adφd(x, y, z).
Now suppose for a contradiction that f is exceptional planar and 4 - d, but d 6∈{1, 2}. We show that φd has a reduced absolutely irreducible component, which byLemmas 1.3.23 and 2.3.3 implies that f is not exceptional planar, a contradiction.
First suppose that d is odd and d 6= 1. Then y + z divides φd. By taking thepartial derivative of xd+yd+zd+(x+y+z)d with respect to y, we see that (y+z)2
does not divide φd. Therefore y+ z is a reduced absolutely irreducible componentof φd, as required.
Now suppose that d ≡ 2 (mod 4) and d 6= 2. Write d = 2e, so that e is odd ande 6= 1. It is readily verified that
φd = φ2e · (x+ y)(x+ z).
Hence x+y divides φd. By taking the partial derivative of xe+ye+ze+(x+y+z)e
with respect to y, we find that x + y does not divide φe and so (x + y)2 does notdivide φd. Hence x + y is a reduced absolutely irreducible component of φd, asrequired.
42
3 O-polynomials
This chapter is a joint work with Kai-Uwe Schmidta.
3.1 IntroductionAn arc in the projective plane P2(Fq) is a set of points of P2(Fq) no three of whichare collinear. It is well known that the maximum number of points in an arc inP2(Fq) is q+1 for odd q and q+2 for even q (see [Hir98, Chapter 8], for example).Accordingly, an arc of size q+ 1 is called an oval and an arc of size q+ 2 is calleda hyperoval. By a theorem due to Segre [Seg55], every oval in P2(Fq) of oddorder is a conic, which at once classifies ovals in P2(Fq) for odd q. In contrast,the classification of hyperovals is a major open problem in finite geometry, whichhas attracted sustained interest over the last sixty years.
Throughout this chapter we let q be a power of two and we write q = 2m.Hyperovals have a canonical description via polynomials over Fq.
Theorem 3.1.1 ([LN97]). Any hyperoval in P2(Fq), q > 2, can be written in theform
A(f) = {(f(c), c, 1) : c ∈ Fq} ∪ {(1, 0, 0), (0, 1, 0)},
where f is such that
1. f is a permutation polynomial of Fq with deg(f)< q and
f(0) = 0, f(1) = 1;
2. for each a ∈ Fq, ga(x) = f(x+a)+f(a)x
is a permutation polynomial of Fq withga(0) = 0. Conversely, every such A(f) is an oval.
Proof. Let D be an oval in P2(Fq). We can arrange the coordinatization insuch a way that P0(1, 0, 0), P1(0, 1, 0), P2(0, 0, 1) and P3(1, 1, 1) are points of D.Then D as no other points on the line P0P1, hence the q points different fromP0(1, 0, 0), P1(0, 1, 0) are of the form (di, ci, 1), 1 ≤ i ≤ q with di, ci ∈ Fq. Sinceeach line through P0 contains only one other points of D, we have ci 6= cj for
aFaculty of Mathematics, Otto-von-Guericke University, Universitätsplatz 2, 39106 Magdeburg,Germany. E-mail: [email protected]
43
3 O-polynomials
i 6= jand since each line through P1 contains only one other points of D, we havedi 6= dj, for i 6= j. Thus
{c1, . . . , cq} = {d1, . . . , dq} = Fq,
and there exists a permutation polynomial f of Fq with f(ci) = di for 1 ≤ i ≤ qand deg(f)< q. Since P2, P3 ∈ D, we have f(0) = 0 and f(1) = 1. Thus D = A(f)with f satisfying 1.
It remains to show that 2 is equivalent to no three points of A(f) − (P0, P1)being collinear. The latter property holds if and only if
1 1 1b c d
f(b) f(c) f(d)6= 0
for all distinct b, c, d ∈ Fq. This means
[f(b) + f(c)](b+ c)−1 6= [f(b) + f(d)](b+ d)−1.
Equivalently, for each a ∈ Fq, [f(t) + f(a)](t + a)−1 takes a different value in F?qfor each t ∈ Fq with t 6= a. Substituting x+ a for t yields that the polynomial
ga(x) =f(x+ a) + f(a)
a
defines a permutation of F?q. Since deg(ga)≤ q − 2, we get from [LN97, Lemma7.1],
ga(x) =∑c∈Fq
(1− (x− c)q−1
).
Thus, comparing the coefficients of xq−1
ga(x) =∑
c∈Fqga(c) = ga(0) +
∑c∈F?
qga(c)
= ga(0) +∑
c∈Fqga(c).
It follows that ga is a permutation over Fq.
A polynomial f such that A(f) is an oval is called an o-polynomial. A polyno-mial which is an o-polynomial over infinitely many extensions of Fq is called anexceptional o-polynomial. A list of classical o-polynomials is given in the tablebelow.
44
3.1 Introduction
Polynomial Condition Proven inx2
i(i,m) = 1 [Seg62]
x6 m odd [Gly83]x3.2k+4 m = 2k − 1 [Gly83]x2
k+22k m = 4k − 1 [Gly83]x2
2k+1+23k+1m = 4k + 1 [Gly83]
x2k
+ x2k+2 + x3.2
k+4 m = 2k − 1 [Che98]x1/6 + x1/2 + x5/6 m odd [LMT93]
Table 3.1: List of classical o-polynomials
There exist several other infinite families of o-polynomials and some sporadicexamples. For a list of known hyperovals, as of 2003, we refer to [Pen03]. Since2003, no new hyperovals have been found.
O-polynomials of F2m have been classified for m ≤ 5 [Hal75], [OP91], [PR94]and monomial o-polynomials of F2m have been classified for m ≤ 30 [Gly89].There is also a classification of monomial o-polynomials of a certain form, namelythose of degree 2i + 2j [CS98] or 2i + 2j + 2k [Vis10]. O-polynomials of degreeat most 6 are also classified [Hir98, Theorem 8.31].
3.1.1 Stability of o-polynomialsIn this section, we study the stability of the class of o-polynomials under trans-formations.
Proposition 3.1.2 ([CM11]). Let f(x) ∈ Fq be an o-polynomial. Then the poly-nomials listed below are o-polynomials.
1. f(x−1).
2. L−1 ◦ f ◦ L(x), where L(x) = x2j .
3. f(λx+ λ′) + f(λ+ λ′) + 1 with λ 6= 0 and f(λ+ λ′) + 1 = f(λ′).
4. xf(xq−2).
The above proposition is easy to verify. Note that it is not proved to be the fulllist of transformations for which the class of o-polynomials remains stable.
3.1.2 O-polynomials in cryptographyO-polynomials have suitable properties for cryptography because they give classesof bent functions. A bent function is boolean function (a function from G : Fq →
45
3 O-polynomials
F2) such that its Walsh transform G
G(a) :=∑x∈Fq
(−1)f(x)+a.x,
where a.x is any inner product in Fq, has a constant absolute value. Bent func-tions are in a sense equidistant from all the affine functions, so they are equallyhard to approximate with any affine functionb.
Bent functions have a long history in cryptography since they give S-boxeswith a provable resistance to differential and linear cryptanalysis. Moreover,they have plenty of applications in other area such that sequences with lowauto/cross-correlation.
The way o-polynomials and bent functions are linked is described by the fol-lowing result from Carlet and Mesnager [CM11].
Theorem 3.1.3 ([CM11]). Let G : Fq × Fq → F2 be a boolean function defined by
G(x, y) =
{Tr(xτ(xy
))if x 6= 0
Tr (µy) if x = 0
where µ ∈ Fq and τ is a mapping from Fq. Denote f(x) = τ(x) + µx.The function G is bent if and only if f is an o-polynomial.
3.2 A classification of low-degree o-polynomialsOur main result is the following classification of low-degree o-polynomials (inwhich we consider without loss of generality only monic polynomials).
Theorem 3.2.1. Suppose that f is a monic o-polynomial of Fq of degree less than12q1/4. Then f is either x6, or x6 + x4 + x2, or x2k for a positive integer k.
It is well known that x6 and x6 + x4 + x2 are o-polynomials of F2m if and onlyif m is odd and that x2k is an o-polynomial of F2m if and only if k and m arecoprime.
We obtain the following consequence of Theorem 3.2.1, giving a completeclassification of exceptional o-polynomials.
Corollary 3.2.2. Suppose that f is a monic exceptional o-polynomial of Fq. Thenf is either x6, or x6 + x4 + x2, or x2k for a positive integer k.
The specialisation of Corollary 3.2.2 to the case that f is a monomial wasconjectured by Segre and Bartocci [SB71] and was recently proved by Hernandoand McGuire [HM12] (another, much simpler, proof of this case was later givenby Zieve [Zie13b]).bhttp://en.wikipedia.org/wiki/Bent_function
46
3.3 Proof of Theorem 3.2.1
3.3 Proof of Theorem 3.2.1We begin with recalling several standard results, for which proofs can be foundin [Hir98, Chapter 8], for example. Our first result is an almost immediateconsequence of the definition of an o-polynomial.
Lemma 3.3.1 ([Hir98, Corollary 8.23]). Every o-polynomial of Fq with q > 2 hasonly terms of positive even degree.
We need the following (easy) classification of o-polynomials of degree 6.
Lemma 3.3.2 ([Hir98, Theorem 8.31]). Let f be a monic o-polynomial of degree6. Then f is either x6 or x6 + x4 + x2.
We also need the following result, originally proved by Payne [Pay71] and laterby Hirschfeld [Hir75] with a different method, classifying translation hyperovals.
Lemma 3.3.3 ([Hir98, Theorem 8.41]). Every o-polynomial, in which the degreeof every term is a power of two, is in fact a monomial.
Now let f ∈ Fq[x] and define the polynomial
Φf (x, y, z) =1
(x+ y)(x+ z)(y + z)· det
1 1 1x y z
f(x) f(y) f(z)
=x(f(y) + f(z)) + y(f(x) + f(z)) + z(f(x) + f(y))
(x+ y)(x+ z)(y + z).
The condition 2 of Theorem 3.1.1 is equivalent to the condition that all points inA3(Fq) of the surface defined by
Φf (x, y, z) = 0
satisfy x = y, x = z, or y = z. This leads us to the following result, whichessentially follows from a refinement of the Lang-Weil bound [LW54] for thenumber of Fq-rational points in algebraic varieties.
Proposition 3.3.4. Let f ∈ Fq[x] be of degree less than 12q1/4. If Φf has an
absolutely irreducible factor over Fq, then f is not an o-polynomial of Fq.
Proof. If f has degree 0 or 1, then f is not an o-polynomial by Lemma 3.3.1, soassume that f has degree at least 2. We first show that Φf is not divisible byx+ y, x+ z, or y + z. Suppose, for a contradiction, that Φf is divisible by x+ y.Then the partial derivative of
x(f(y) + f(z)) + y(f(x) + f(z)) + z(f(x) + f(y))
47
3 O-polynomials
with respect to x is divisible by x+ y, or equivalently,
f(y) + f(z) + (y + z)f ′(y) = 0.
This forces the degree of f to be 0 or 1, contradicting our assumption. Hence, bysymmetry, Φf is not divisible by x + y, x + z, or y + z. Therefore, Φf (x, y, x),Φf (x, y, y), and Φf (x, x, z) are nonzero polynomials, and so each has at most d qzeros in A2(Fq), where d is the degree of Φf (see [LN97, Theorem 6.13], for exam-ple).
Now suppose that Φf has an absolutely irreducible factor over Fq. Then, by arefinement of the Lang-Weil bound [LW54] due to Ghorpade and Lachaud [GL02,p. 11.3], the number of points in A3(Fq) of the surface defined by Φf (x, y, z) = 0is at least
q2 − (d− 1)(d− 2)q3/2 − 12(d+ 3)4 q.
Hence the number of such points that are not on one of the planes x = y, x = z,or y = z is at least
q2 − (d− 1)(d− 2)q3/2 − 12(d+ 3)4 q − 3dq,
which is positive since0 ≤ d ≤ 1
2q1/4 − 3.
Then our remarks preceding the proposition imply that f is not an o-polynomialof Fq.
In order to prove Theorem 3.2.1, we first use the constraints given by Lem-mas 3.3.1, 3.3.2, and 3.3.3 and then show that in all remaining cases, Φf hasan absolutely irreducible factor over Fq unless f is one of the polynomials inTheorem 3.2.1. To do so, we frequently use the polynomials
φj(x, y, z) =x(yj + zj) + y(xj + zj) + z(xj + yj)
(x+ y)(x+ z)(y + z). (3.3.1)
Then, writing
f(x) =d∑i=0
aixi,
we have
Φf (x, y, z) =d∑i=0
aiφi(x, y, z).
If j is an even positive integer, not equal to 6 or a power of two, then φj has anabsolutely irreducible factor over F2 (and so proves Corollary 3.2.2 in the casethat f is a monomial). This was conjectured by Segre and Bartocci [SB71] andproved by Hernando and McGuire [HM12] (and can also be deduced with a few
48
3.3 Proof of Theorem 3.2.1
extra steps from an argument due to Zieve [Zie13b, Section 5]).
Lemma 3.3.5 ([HM12, Theorem 8]). Let j be an even positive integer, not equalto 6 or a power of two. Then φj has an absolutely irreducible factor over F2.
If f is an o-polynomial of Fq, then either q = 2 and f has degree 1 or q > 2 andf has positive even degree by Lemma 3.3.1. Hence to prove Theorem 3.2.1, wecan assume that f has positive even degree. In the case that f has positive evendegree that is neither 6 nor a power of two, we show that Φf has an absolutelyirreducible factor over Fq, and using Proposition 3.3.4 prove the statement ofTheorem 3.2.1 in this case.
Proposition 3.3.6. Let f ∈ Fq[x] be of positive even degree not equal to 6 or apower of two. Then Φf has an absolutely irreducible factor over Fq.
Proposition 3.3.6 will follow from Lemma 3.3.5 and lemma 1.3.23.
Proof of Proposition 3.3.6. Write
f(x) =d∑i=0
aixi,
where ad 6= 0, and consider the homogenisation of Φf , namely
Φf (w, x, y, z) =d∑i=0
aiφi(x, y, z)wd−i.
The intersection of the projective surface defined by Φf (w, x, y, z) = 0 with theplane defined by w = 0 is the projective curve defined by φd(x, y, z) = 0 and w = 0.By Lemma 3.3.5, φd has an absolutely irreducible factor over Fq. Notice that φdis square-free, which follows from the fact that the partial derivative of
x(yd + zd) + y(xd + zd) + z(xd + yd)
with respect to x is in F2[y, z] (using that d is even) and from symmetry. Therefore,Lemma 1.3.23 implies that Φf (and therefore Φf ) has an absolutely irreduciblefactor over Fq.
In view of Proposition 3.3.6 and Lemma 3.3.2, it remains to prove Theo-rem 3.2.1 when the degree of f is a power of two. In view of Lemmas 3.3.1and 3.3.3, this case follows from Proposition 3.3.4 and the following result.
Proposition 3.3.7. Let k be an integer satisfying k ≥ 2 and let f ∈ Fq[x] be apolynomial of the form
f(x) =2k−1∑i=1
a2i x2i
49
3 O-polynomials
such that a2k 6= 0 and such that the degree of at least one term in f is not a powerof two. Then Φf is absolutely irreducible.
To prove Proposition 3.3.7, we use the following corollary to Lucas’s theorem(see [Fin47], for example).
Lemma 3.3.8. The binomial coefficient(nr
)is even if and only if at least one of
the base-2 digits of r is greater than the corresponding digit of n.
Proof of Proposition 3.3.7. Suppose, for a contradiction, that Φf is not absolutelyirreducible. Let φj be defined by (3.3.1). Our proof relies on the following claim.Claim 3.3.9. There exists θ ∈ F2k − F2 such that for all i ∈ {1, 2, . . . , 2k−1}, wehave
a2i = 0 or x+ z + θ(y + z) divides φ2i(x, y, z).
We defer the proof of the claim and first deduce the statement in the propositionfrom the claim. Let n be an even integer such that an is nonzero. By puttingx = θy + (θ + 1)z into
(x+ y)(x+ z)(y + z)φn(x, y, z),
we see from the claim that
yzn + zyn + (yn + zn)(θy + (θ + 1)z) + (y + z)(θy + (θ + 1)z)n = 0,
which implies that
(θ + θn)yn + ((θ + 1) + (θ + 1)n)zn +n−1∑r=1
(n
r
)θmyr(θ + 1)n−rzn−r = 0.
Comparing coefficients, we find that(nr
)is even for each r ∈ {1, . . . , n − 1}. It
is then readily verified that Lemma 3.3.8 implies that n must be a power of two.Therefore, the degree of every term in f is a power of two, contradicting ourassumption. Hence Φf is absolutely irreducible.
To prove the claim, we repeatedly use the identity
φ2i(x, y, x) =
(xi + yi
x+ y
)2
for each i ≥ 1, (3.3.2)
which is elementary to verify. We also use the expansion
Φf = a2φ2 + a4φ4 + · · ·+ a2kφ2k .
Since Φf is not absolutely irreducible by assumption, we may write
a2φ2 + a4φ4 + · · ·+ a2kφ2k = (Ps +Ps−1 + · · ·+P0)(Qt +Qt−1 + · · ·+Q0), (3.3.3)
50
3.3 Proof of Theorem 3.2.1
where Pi and Qi are zero or homogeneous polynomials of degree i, defined overthe algebraic closure of Fq, and s, t > 0 and PsQt is nonzero. Without loss ofgenerality we may also assume that s ≤ t. We have
φ2k(x, y, z) =(x+ z)2
k−1 + (y + z)2k−1
x+ y
=∏
α∈F2k−F2
(x+ z + α(y + z)
). (3.3.4)
Since a2kφ2k = PsQt by (3.3.3), we find from (3.3.4) that Ps and Qt are coprimeand from (3.3.2) that
Ps(x, y, x)Qt(x, y, x) = a2k(x+ y)2k−2. (3.3.5)
From (3.3.3) we have0 = PsQt−1 + Ps−1Qt.
Since Ps and Qt are coprime, we find that Ps | Ps−1, thus Ps−1 = 0 by a degreeargument. Let I be the smallest positive integer i such that a2k−2i is nonzero(this I exists by our assumed form of f). With a simple induction, involving thepreceding argument, we conclude that
Ps−1 = · · · = Ps−2I+1 = 0. (3.3.6)
In the next step we have from (3.3.3) that
a2k−2Iφ2k−2I = PsQt−2I + Ps−2IQt,
which using (3.3.5) gives
a2k−2Iφ2k−2I(x, y, x)
= βa2k(x+ y)sQt−2I(x, y, x) + β−1(x+ y)tPs−2I(x, y, x) (3.3.7)
for some nonzero β in the algebraic closure of Fq. Write I = 2`e for some nonneg-ative integer ` and some positive odd integer e. Using (3.3.2), we have
φ2k−2I(x, y, x) =
((x2
k−`−1−e + y2k−`−1−e)2`
x+ y
)2
.
Since 2k−`−1 − e is odd, the polynomial
x2k−`−1−e + y2
k−`−1−e
splits into distinct factors, and therefore the largest power of x + y dividing
51
3 O-polynomials
φ2k−2I(x, y, x) is at most 2(2` − 1). Hence, since a2k−2I 6= 0 and s ≤ t by as-sumption, we have in view of (3.3.7) that
s ≤ 2(2` − 1) ≤ 2(I − 1).
Therefore, we find from (3.3.6) that Pi = 0 unless i = s and then from (3.3.3) that
a2k−2jφ2k−2j = PsQt−2j for each j ∈ {0, 1, . . . , 2k−1 − 1}.
This shows that Ps divides a2k−2jφ2k−2j for each j ∈ {0, 1, . . . , 2k−1 − 1}, which inview of a2kφ2k = PsQt and (3.3.4) proves our claim.
52
Bibliography
[AMR10] Yves Aubry, Gary McGuire, and François Rodier. “A few more func-tions that are not APN infinitely often”. In: Finite fields: theoryand applications. Vol. 518. Contemp. Math. Providence, RI: Amer.Math. Soc., 2010, pp. 23–31. DOI: 10.1090/conm/518/10193. URL:http://dx.doi.org/10.1090/conm/518/10193 (cit. on pp. 6,11–16).
[BCC+06] Thierry P. Berger, Anne Canteaut, Pascale Charpin, et al. “On al-most perfect nonlinear functions over F n
2 ”. In: IEEE Trans. Inform.Theory 52.9 (2006), pp. 4160–4170. ISSN: 0018-9448. DOI: 10.1109/TIT.2006.880036. URL: http://dx.doi.org/10.1109/TIT.2006.880036 (cit. on p. 3).
[BS93] E. Biham and A. Shamir. Differential cryptanalysis of the data en-cryption standard. Springer-Verlag, 1993. ISBN: 9780387979304.URL: http://books.google.fr/books?id=vZA\_AQAAIAAJ (cit. onpp. 1, 3).
[Bou85] Nicolas Bourbaki. Éléments de mathématique. Algèbre commuta-tive. Chapitres 5 à 7. [Commutative algebra. Chapters 5–7], Reprint.Paris: Masson, 1985, p. 351. ISBN: 2-225-80269-6 (cit. on p. 22).
[BCP06] L. Budaghyan, C. Carlet, and A. Pott. “New classes of almost bentand almost perfect nonlinear polynomials”. In: Information The-ory, IEEE Transactions on 52.3 (2006), pp. 1141–1152. ISSN: 0018-9448. DOI: 10.1109/TIT.2005.864481 (cit. on p. 5).
[BM08] E. Byrne and G. McGuire. “Quadratic Binomial APN Functions andAbsolutely Irreducible Polynomials”. In: ArXiv e-prints (Oct. 2008).arXiv: 0810.4523 [math.NT] (cit. on p. 3).
[CCD00] Anne Canteaut, Pascale Charpin, and Hans Dobbertin. “Binary m-sequences with three-valued crosscorrelation: A proof of welchconjecture”. In: IEEE Trans. Inf. Theory (2000), pp. 4–8 (cit. onp. 4).
[CDY05] C. Carlet, C. Ding, and J. Yuan. “Linear codes from perfect non-linear mappings and their secret sharing schemes”. In: IEEE Trans.Inform. Theory 51 (2005), pp. 2089–2102 (cit. on p. 35).
53
Bibliography
[Car10] Claude Carlet. “Boolean Models and Methods in Mathematics, Com-puter Science, and Engineering”. In: ed. by Yves Crama and Pe-ter L. Hammer. 1st. New York, NY, USA: Cambridge UniversityPress, 2010. Chap. Vectorial Boolean Functions for Cryptography,pp. 398–469. ISBN: 0521847524, 9780521847520 (cit. on p. 6).
[CCZ98] Claude Carlet, Pascale Charpin, and Victor Zinoviev. “Codes, bentfunctions and permutations suitable for DES-like cryptosystems”.In: Des. Codes Cryptogr. 15.2 (1998), pp. 125–156. ISSN: 0925-1022. DOI: 10.1023/A:1008344232130. URL: http://dx.doi.org/10.1023/A:1008344232130 (cit. on pp. 3–5).
[CM11] Claude Carlet and Sihem Mesnager. “On Dillon’s class H of bentfunctions, Niho bent functions and o-polynomials”. In: J. Combin.Theory Ser. A 118.8 (2011), pp. 2392–2410. ISSN: 0097-3165. DOI:10.1016/j.jcta.2011.06.005. URL: http://dx.doi.org/10.1016/j.jcta.2011.06.005 (cit. on pp. 45, 46).
[Cau13] Florian Caullery. “A new large class of functions not APN infinitelyoften”. In: CoRR abs/1309.7776 (2013) (cit. on p. 21).
[CS98] W. E. Cherowitzo and L. Storme. “α-flocks with oval herds andmonomial hyperovals”. In: Finite Fields Appl. 4.2 (1998), pp. 185–199 (cit. on p. 45).
[Che98] William Cherowitzo. “α-Flocks and Hyperovals”. In: GEOM. DEDI-CATA 72 (1998), pp. 221–246 (cit. on p. 45).
[CM97] R. S. Coulter and R. W. Matthews. “Planar functions and planes ofLenz-Barlotti class II”. In: Des. Codes Cryptogr. 10 (1997), pp. 167–184 (cit. on p. 36).
[DJ12] Moises Delgado and Heeralal Janwa. “On the Conjecture on APNFunctions”. In: CoRR abs/1207.5528 (2012) (cit. on pp. 15, 23,39).
[DO68] P. Dembowski and T. G. Ostrom. “Planes of order nwith collineationgroups of order n2”. In: Math. Z. 103 (1968), pp. 239–258 (cit. onp. 35).
[Dil09] John F. Dillon. APN polynomials. An update. University CollegeDublin: International Conference on Finite Fields and their Ap-plications, 2009. URL: http://mathsci.ucd.ie/~gmg/Fq9Talks/Dillon.pdf (cit. on p. 3).
[DY06] C. Ding and J. Yuan. “A family of skew Hadamard difference sets”.In: J. Combin. Theory Ser. A 113 (2006), pp. 1526–1535 (cit. onp. 36).
54
Bibliography
[Dob01] Hans Dobbertin. “Almost Perfect Nonlinear Power Functions onGF(2 n ): A New Case for n Divisible by 5”. English. In: Finite Fieldsand Applications. Ed. by Dieter Jungnickel and Harald Niederreiter.Springer Berlin Heidelberg, 2001, pp. 113–121. ISBN: 978-3-642-62498-8. DOI: 10.1007/978- 3- 642- 56755- 1_11. URL: http://dx.doi.org/10.1007/978-3-642-56755-1_11 (cit. on p. 4).
[DMM+03] Hans Dobbertin, Donald Mills, Eva Nuria Müller, et al. “APN func-tions in odd characteristic”. In: Discrete Math. 267.1-3 (2003).Combinatorics 2000 (Gaeta), pp. 95–112. ISSN: 0012-365X. URL:http://www.sciencedirect.com/science?_ob=GatewayURL&_origin=MR&_method=citationSearch&_piikey=s0012365x02006064&_version=1&md5=dcd1612a67b8762a681dd6d7c800ede4 (cit. onp. 3).
[EKP06] Yves Edel, Gohar Kyureghyan, and Alexander Pott. “A new APNfunction which is not equivalent to a power mapping”. In: IEEETrans. Inform. Theory 52.2 (2006), pp. 744–747. ISSN: 0018-9448.DOI: 10.1109/TIT.2005.862128. URL: http://dx.doi.org/10.1109/TIT.2005.862128 (cit. on p. 3).
[EP09] Yves Edel and Alexander Pott. “A new almost perfect nonlinearfunction which is not quadratic”. In: Adv. Math. Commun. 3.1 (2009),pp. 59–81. ISSN: 1930-5346. DOI: 10.3934/amc.2009.3.59. URL:http://dx.doi.org/10.3934/amc.2009.3.59 (cit. on p. 3).
[Fér13] Eric Férard. “On the irreducibility of φe”. Personnal communica-tion. 2013 (cit. on p. 12).
[FOR12] Eric Férard, Roger Oyono, and François Rodier. “Some more func-tions that are not APN infinitely often. The case of Gold and Kasamiexponents”. In: Arithmetic, geometry, cryptography and coding the-ory. Vol. 574. Contemp. Math. Providence, RI: Amer. Math. Soc.,2012, pp. 27–36. DOI: 10.1090/conm/574/11423. URL: http://dx.doi.org/10.1090/conm/574/11423 (cit. on p. 15).
[FSK11] N. Ferguson, B. Schneier, and T. Kohno. Cryptography Engineer-ing: Design Principles and Practical Applications. Wiley, 2011. ISBN:9781118080917. URL: http://books.google.fr/books?id=1YwIcpDtQPEC (cit. on p. 1).
[Fin47] N. J. Fine. “Binomial coefficients modulo a prime”. In: Amer. Math.Monthly 54 (1947), pp. 589–592 (cit. on p. 50).
[GS75] M. J. Ganley and E. Spence. “Relative difference sets and quasireg-ular collineation groups”. In: J. Combin. Theory Ser. A 19 (1975),pp. 134–153 (cit. on p. 35).
55
Bibliography
[GL02] Sudhir R. Ghorpade and Gilles Lachaud. “Étale cohomology, Lef-schetz theorems and number of points of singular varieties overfinite fields”. In: Mosc. Math. J. 2.3 (2002). Dedicated to Yuri I.Manin on the occasion of his 65th birthday, pp. 589–631. ISSN:1609-3321 (cit. on pp. 10, 48).
[Gly89] D. G. Glynn. “A condition for the existence of ovals in PG(2, q), qeven”. In: Geom. Dedicata 32.2 (1989), pp. 247–252 (cit. on p. 45).
[Gly83] DavidG. Glynn. “Two new sequences of ovals in finite desarguesianplanes of even order”. In: Combinatorial Mathematics X. Ed. byLouisReynoldsAntoine Casse. Vol. 1036. Lecture Notes in Mathe-matics. Springer Berlin Heidelberg, 1983, pp. 217–229. ISBN: 978-3-540-12708-6. DOI: 10.1007/BFb0071521. URL: http://dx.doi.org/10.1007/BFb0071521 (cit. on p. 45).
[Gol68] R. Gold. “Maximal recursive sequences with 3-valued recursivecross-correlation functions (Corresp.)” In: Information Theory, IEEETransactions on 14.1 (1968), pp. 154–156. ISSN: 0018-9448. DOI:10.1109/TIT.1968.1054106 (cit. on p. 4).
[Hal75] M. Hall, Jr. “Ovals in the Desarguesian plane of order 16”. In: Ann.Mat. Pura Appl. (4) 102 (1975), pp. 159–176 (cit. on p. 45).
[HM12] F. Hernando and G. McGuire. “Proof of a conjecture of Segre andBartocci on monomial hyperovals in projective planes”. In: Des.Codes Cryptogr. 65.3 (2012), pp. 275–289 (cit. on pp. 46, 48, 49).
[HM11] Fernando Hernando and Gary McGuire. “Proof of a conjecture onthe sequence of exceptional numbers, classifying cyclic codes andAPN functions”. In: J. Algebra 343 (2011), pp. 78–92. ISSN: 0021-8693. DOI: 10.1016/j.jalgebra.2011.06.019. URL: http://dx.doi.org/10.1016/j.jalgebra.2011.06.019 (cit. on pp. 4, 11,12).
[Hir75] J. W. P. Hirschfeld. “Ovals in desarguesian planes of even order”.In: Ann. Mat. Pura Appl. 102 (1975), pp. 79–89 (cit. on p. 47).
[Hir98] J. W. P. Hirschfeld. Projective geometries over finite fields. Second.Oxford Mathematical Monographs. New York: The Clarendon PressOxford University Press, 1998 (cit. on pp. 43, 45, 47).
[JW93] H. Janwa and R. M. Wilson. “Hyperplane sections of Fermat vari-eties in P3 in char. 2 and some applications to cyclic codes”. In: Ap-plied algebra, algebraic algorithms and error-correcting codes (SanJuan, PR, 1993). Vol. 673. Lecture Notes in Comput. Sci. Berlin:Springer, 1993, pp. 180–194. DOI: 10.1007/3-540-56686-4_43.URL: http://dx.doi.org/10.1007/3-540-56686-4_43 (cit. onpp. 12, 13).
56
Bibliography
[JMW95] Heeralal Janwa, Gary M. McGuire, and Richard M. Wilson. “Double-error-correcting cyclic codes and absolutely irreducible polynomi-als over GF(2)”. In: J. Algebra 178.2 (1995), pp. 665–676. ISSN:0021-8693. DOI: 10.1006/jabr.1995.1372. URL: http://dx.doi.org/10.1006/jabr.1995.1372 (cit. on p. 12).
[Kas71] T. Kasami. “The weight enumerators for several classes of sub-codes of the 2nd order binary Reed-Muller codes”. In: Informa-tion and Control 18.4 (1971), pp. 369 –394. ISSN: 0019-9958.DOI: http://dx.doi.org/10.1016/S0019-9958(71)90473-6.URL: http://www.sciencedirect.com/science/article/pii/S0019995871904736 (cit. on p. 4).
[KP08] G. M. Kyureghyan and A. Pott. “Some theorems on planar map-pings”. In: Arithmetic of finite fields. Vol. 5130. Lecture Notes inComput. Sci. Berlin: Springer, 2008, pp. 117–122 (cit. on p. 35).
[LW54] Serge Lang and André Weil. “Number of points of varieties in finitefields”. In: Amer. J. Math. 76 (1954), pp. 819–827. ISSN: 0002-9327 (cit. on pp. 9, 10, 47, 48).
[Led12a] E. Leducq. Functions which are PN on infinitely many extensionsof Fp, p odd. arXiv:1006.2610v2 [math.NT]. 2012 (cit. on pp. 36,38).
[Led12b] Elodie Leducq. “New families of APN functions in characteristic3 or 5”. In: Arithmetic, geometry, cryptography and coding theory.Vol. 574. Contemp. Math. Providence, RI: Amer. Math. Soc., 2012,pp. 115–123. DOI: 10.1090/conm/574/11419. URL: http://dx.doi.org/10.1090/conm/574/11419 (cit. on p. 3).
[LN97] R. Lidl and H. Niederreiter. Finite fields. Second. Vol. 20. Encyclo-pedia of Mathematics and its Applications. Cambridge: CambridgeUniversity Press, 1997 (cit. on pp. 43, 44, 48).
[LMT93] Rudolf Lidl, Gary L Mullen, and G Turnwald. Dickson polynomials/ R. Lidl, G.L. Mullen, G. Turnwald. English. Includes bibliograph-ical references (p. 186-199) and indexes. Harlow, Essex, England: Longman Scientific & Technical ; New York : Copublished in theUnited States with John Wiley & Sons, 1993. ISBN: 0582091195(cit. on p. 45).
[MZ13] P. Müller and M. E. Zieve. Low-degree planar monomials in charac-teristic two. arXiv:1305.6597v1 [math.NT]. 2013 (cit. on p. 41).
57
Bibliography
[NH07] Geir Jarle Ness and Tor Helleseth. “A new family of ternary almostperfect nonlinear mappings”. In: IEEE Trans. Inform. Theory 53.7(2007), pp. 2581–2586. ISSN: 0018-9448. DOI: 10 . 1109 / TIT .2007.899508. URL: http://dx.doi.org/10.1109/TIT.2007.899508 (cit. on p. 3).
[NK93] K. Nyberg and L. R. Knudsen. “Provable security against differen-tial cryptanalysis”. In: Advances in cryptology—CRYPTO ’92 (SantaBarbara, CA, 1992). Vol. 740. Lecture Notes in Comput. Sci. Berlin:Springer, 1993, pp. 566–574 (cit. on p. 35).
[Nyb94] Kaisa Nyberg. “Differentially uniform mappings for cryptography”.In: Advances in Cryptology - EUROCRYPT’93. Vol. 765. Lecture Notesin Computer Science. Springer-Verlag, 1994. URL: http://link.springer.de/link/service/series/0558/bibs/0765/07650055.htm (cit. on pp. 3, 4).
[OP91] C. M. O’Keefe and T. Penttila. “Hyperovals in PG(2, 16)”. In: Euro-pean J. Combin. 12.1 (1991), pp. 51–59 (cit. on p. 45).
[Pay71] S. E. Payne. “A complete determination of translation ovoids infinite Desarguian planes”. In: Atti Accad. Naz. Lincei 51 (1971),pp. 328–331 (cit. on p. 47).
[Pen03] T. Penttila. “Configurations of ovals”. In: J. Geom. 76.1-2 (2003),pp. 233–255 (cit. on p. 45).
[PR94] T. Penttila and G. F. Royle. “Classification of hyperovals in PG(2, 32)”.In: J. Geom. 50.1-2 (1994), pp. 151–158 (cit. on p. 45).
[PP11] Laurent Poinsot and Alexander Pott. “Non-Boolean almost perfectnonlinear functions on non-Abelian groups”. In: Internat. J. Found.Comput. Sci. 22.6 (2011), pp. 1351–1367. ISSN: 0129-0541. DOI:10.1142/S0129054111008751. URL: http://dx.doi.org/10.1142/S0129054111008751 (cit. on p. 3).
[Rod09] François Rodier. “Borne sur le degré des polynômes presque par-faitement non-linéaires”. In: Arithmetic, geometry, cryptography andcoding theory. Vol. 487. Contemp. Math. Providence, RI: Amer.Math. Soc., 2009, pp. 169–181. DOI: 10.1090/conm/487/09531.URL: http://dx.doi.org/10.1090/conm/487/09531 (cit. onpp. 7, 9, 10, 15).
[Rod11] François Rodier. “Functions of degree 4e that are not APN infinitelyoften”. In: Cryptogr. Commun. 3.4 (2011), pp. 227–240. ISSN: 1936-2447. DOI: 10.1007/s12095-011-0050-6. URL: http://dx.doi.org/10.1007/s12095-011-0050-6 (cit. on pp. 19, 21).
58
Bibliography
[SZ13] K.-U. Schmidt and Y. Zhou. Planar functions over fields of charac-teristic two. arXiv:1301.6999v1 [math.CO]. 2013 (cit. on pp. 35,41).
[Seg55] B. Segre. “Ovals in a finite projective plane”. In: Canad. J. Math. 7(1955), pp. 414–416 (cit. on p. 43).
[SB71] B. Segre and U. Bartocci. “Ovali ed altre curve nei piani di Galoisdi caratteristica due”. In: Acta Arith. 18 (1971), pp. 423–449 (cit.on pp. 46, 48).
[Seg62] Beniamino Segre. “Ovali e curve σ nei piani di Galois di caratteris-tica due.” In: Atti Accad. Naz. Lincei Rend. Cl. Sci. Fis. Mat. Nat. (8)32 (1962), pp. 785–790 (cit. on p. 45).
[Ser91] Jean-Pierre Serre. “Lettre à M. Tsfasman”. In: Astérisque. JournéesArithmétiques de Luminy. Ed. by Gilles Lachaud. Vol. 198-199-200. 1991, pp. 351–354 (cit. on p. 8).
[Sha94] I.R. Shafarevich. Basic Algebraic Geometry. Basic Algebraic Geom-etry livr. 1. Springer-Verlag, 1994. ISBN: 9780387548128. URL:http://books.google.fr/books?id=Ldqod\_Ixc\_IC (cit. onp. 13).
[Vis10] T. L. Vis. Monomial hyperovals in Desarguesian planes. Thesis (Ph.D.)–University of Colorado at Denver. ProQuest LLC, Ann Arbor, MI,2010, p. 189 (cit. on p. 45).
[ZW10] ZhengBang Zha and XueLi Wang. “Power functions with low uni-formity on odd characteristic finite fields”. In: Sci. China Math.53.8 (2010), pp. 1931–1940. ISSN: 1674-7283. DOI: 10 . 1007 /s11425-010-3149-x. URL: http://dx.doi.org/10.1007/s11425-010-3149-x (cit. on p. 3).
[ZW11] Zhengbang Zha and Xueli Wang. “Almost perfect nonlinear powerfunctions in odd characteristic”. In: IEEE Trans. Inform. Theory 57.7(2011), pp. 4826–4832. ISSN: 0018-9448. DOI: 10 . 1109 / TIT .2011.2145130. URL: http://dx.doi.org/10.1109/TIT.2011.2145130 (cit. on p. 3).
[Zho13] Y. Zhou. (2n, 2n, 2n, 1)-relative difference sets and their representa-tions. arXiv:1211.2942v2 [math.CO], to appear in J. Combin. Des.2013 (cit. on pp. 1, 35).
[Zie13a] M. E. Zieve. Personal communication. 2013 (cit. on p. 36).
[Zie13b] Michael E. Zieve. “Planar functions and perfect nonlinear monomi-als over finite fields”. English. In: Designs, Codes and Cryptography(2013), pp. 1–10. ISSN: 0925-1022. DOI: 10.1007/s10623-013-9890-8. URL: http://dx.doi.org/10.1007/s10623-013-9890-8(cit. on pp. 36, 46, 49).
59