1 Introduction
LowMC
[3], MiMC
[2], GMiMC
[1], Hades [22], Rescue
[4], Poseidon [20] & Poseidon2 [21], Ciminion
[13], Reinforced Concrete
[19], Griffin [18], Anemoi
[9], Hydra [24] and Arion [38]. At round level, many of these primitives utilize low degree power permutations \(x^d\), where \(d \in \{ 3, 5, 7 \}\). While the boomerang uniformity for normalized permutation polynomials up to degree 6 has been worked out by hand [45], a general bound for the boomerang uniformity of \(x^d\) over large prime fields \(\mathbb{F}_{p}\) is unknown yet.-
Variants of the inverse permutation \(x^{-1}\).
-
Quadratic permutations over binary fields.
-
Special permutations, e.g. Gold functions.
-
Special permutations over special fields.
1.1 Our results
2 Preliminaries
2.1 c-differential uniformity
2.2 c-boomerang uniformity
2.3 Plane curves
2.4 Gröbner bases
3 Generalized c-boomerang equations for monomials
-
For \(c^2 = 1\), we take a closer look at the c-boomerang equations for some \(a \cdot b \ne 0\)Then$$\begin{aligned} f_1&= z^d - c \cdot x^d - b, \\ f_2&= (z + a)^d - c^{-1} \cdot (x + a)^d - b. \end{aligned}$$and by expanding the binomial theorem for \((z + a)^d\) and \((x + a)^d\) we see that \(\deg \left( f_1 - f_2 \right) \le d - 1\). Again by Lemma 3.3 we know that \(f_1\) is irreducible, so the homogenizations of \(f_1\) and \(f_1 - f_2\) cannot share any irreducible components, and we can again apply Bézout’s theorem to bound the number of solutions analog to Theorem 3.4. This yields the claim for \(c = -1\).$$\begin{aligned} f_1 - f_2 = \left( z^d - (z + a)^d \right) - c \cdot \left( x^d - (x + a)^d \right) , \end{aligned}$$
-
For \(c = 1\), we can exploit by Lemma 3.5 thatwhere \(g \in \mathbb{F}_{q}[x]\) is a non-constant univariate polynomial with \(\deg \left( g \right) \le d - 1\) and \({\tilde{g}} \in \mathbb{F}_{q}[z, x]\) is a non-zero polynomial with \(\deg \left( {\tilde{g}} \right) \le d - 2\). But then a root of \(f_1 - f_2\) is either a root of \(z - x = 0\) or \({\tilde{g}} = 0\). In the first case, we can substitute \(z = x\) into \(f_1\) which yields \(0 = b\). So if \(b \ne 0\), then \(z - x = 0\) cannot contribute any solutions to the boomerang equations. Hence, to estimate the \(\mathbb{F}_{q}\)-valued solutions we can restrict to \(f_1 = {\tilde{g}} = 0\), and by the irreducibility of \(f_1\) we can again apply Bézout’s theorem to their homogenizations analog to Theorem 3.4.$$\begin{aligned} f_1 - f_2 = \left( z^d - (z + a)^d \right) - \left( x^d - (x + a)^d \right) = g (z) - g (x) = (z - x) \cdot {\tilde{g}} (z, x), \end{aligned}$$
-
For \(c^2 = 1\), after the substitution \(z = x + y\) and multiplication by c Eq. (10) reduces toThen$$\begin{aligned} f_1&= z^d - c \cdot x^d - c \cdot a, \\ f_2&= (z + b)^d - c \cdot (x + c \cdot b)^d - a. \end{aligned}$$So for \(c = -1\) we can again pass to \(f_1 = f_1 - f_2 = 0\), and for \(c = 1\) we can apply the factorization trick of Lemma 3.5 for the application of Bézout’s theorem.$$\begin{aligned} f_1 - f_2 = \left( z^d - (z + b)^d \right) - c \cdot \left( x^d - (x + c \cdot b)^d \right) + a \cdot (1 - c). \end{aligned}$$
3.1 The cases \(a = 0\) & \(b = 0\)
4 On the tightness of the c-boomerang uniformity bound
4.1 Symbolic Gröbner basis computations
SageMath
[39] we have to specify a prime q. However, for a generic treatment we can apply another trick. For a fixed \(c \in \mathbb{F}_{q}\), we interpret the c-boomerang equationsSageMath
[39] script to compute the generic DRL Gröbner basis for the c-boomerang equations.4.1.1 \(c^2 \ne 1\)
4.1.2 \(c^2 = 1\)
SageMath
over \(\mathbb{Q} (a, b)\). In Table 1 we report the leading monomials of these Gröbner bases. Additionally, in Appendix B we report the symbolic DRL Gröbner bases for \(d = 3, 5\). By visual inspection of these bases we can see that every coefficient is a polynomial in \(\mathbb{Q} [a, b]\). The computations have been performed on an Intel Core i7-10700 with 64 GB RAM. The Gröbner bases for \(d \le 129\) have been found within less than one minute, and the Gröbner basis for \(d = 257\) has been found within 20 minutes.d | \(c = -1\) | \(c = 1\) |
---|---|---|
3 | \(x^4,\ z \cdot x^2,\ z^2\) | \(x^3,\ z\) |
5 | \(x^8,\ z \cdot x^4,\ z^4\) | \(x^7,\ z \cdot x^4,\ z^3\) |
7 | \(x^{12},\ z \cdot x^6,\ z^6\) | \(x^{11},\ z \cdot x^6,\ z^5\) |
11 | \(x^{20},\ z \cdot x^{10},\ z^{10}\) | \(x^{19},\ z \cdot x^{10},\ z^9\) |
129 | \(x^{256},\ z \cdot x^{128},\ z^{128}\) | \(x^{255},\ z \cdot x^{128},\ z^{127}\) |
257 | \(x^{512},\ z \cdot x^{256},\ z^{256}\) | \(x^{511},\ z \cdot x^{256},\ z^{255}\) |
4.2 Examples over small prime fields
SageMath
, we display our results in Table 2. In Appendix A.2 we provide a simple SageMath
script for this purpose. In all our examples, for \(c = 1\) and \(d = 3\) our upper bound from Corollary 3.6 is met. Moreover, in most of our examples the ideals for the maximal displayed c-boomerang uniformities are radical. So the inequalities will eventually become tight over a sufficiently large field extension2\(\mathbb{F}_{q}\subset \mathbb{F}_{q^n}\) for some \(n \in \mathbb{Z}_{\ge 1}\) provided of course that also \(\gcd \left( d, q^n - 1 \right) = 1\). Two exceptions for non-radical c-boomerang ideals are \(q = 17\), \(c = 1\), \(a = b = 1\) and \(d = 5\) which achieves \(\beta _{x^5, 1} = 4\), and \(q = 29\), \(c = 1\), \(a = 1\), \(b = 3\) and \(d = 5\) which achieves \(\beta _{x^5, 1} = 7\).\(d = 3\) | \(d = 5\) | |||||
---|---|---|---|---|---|---|
q | \(c^2 \ne 1\) | \(c = -1\) | \(c = 1\) | \(c^2 \ne 1\) | \(c = -1\) | \(c = 1\) |
11 | (8, 4) | 2 | 3 | n.a | n.a | n.a |
17 | (10, 4) | 4 | 3 | n.a | n.a | 4 |
23 | (20, 4) | 4 | 3 | (5, 5) | 6 | 5 |
29 | (8, 6) | 4 | 3 | (2, 5) | 2 | 7 |
107 | (2, 6) | 6 | 3 | (16, 7) | 5 | 4 |
5 c-uniformities of the generalized triangular dynamical system
5.1 c-differential distribution table of the generalized triangular dynamical system
-
For \(\alpha \ne c \cdot \beta\), we obtain a polynomial with leading monomial \((\alpha - c \cdot \beta ) \cdot x^{\deg \left( p_{n - 1} \right) }\), therefore we can have at most \(\deg \left( p_{n - 1} \right)\) many solutions for \(x_{n - 1}\) in \(\mathbb{F}_{q}\).
-
For \(\alpha = c \cdot \beta\), we obtain a rescaled 1-differential equation for \(p_{n - 1}\).
-
If \(\varvec{\Delta x}_{n - 1} = 0\), then the equation becomes constant, so it can have at most q many solutions for \(x_{n - 1}\).
-
If \(\varvec{\Delta x}_{n - 1} \ne 0\), then we obtain a proper 1-differential equation for \(p_{n - 1}\), so by Lemma 5.2 we can have at most \(\deg \left( p_{n - 1} \right)\) many solutions for \(x_{n - 1}\) in \(\mathbb{F}_{q}\).
-
5.2 c-boomerang connectivity table of a class of generalized triangular dynamical systems
-
If \(\deg \left( p_n \right) = 1\), then we can apply Lemma 2.7, so depending on \(a_n\) and c we can either have 0, 1 or q solutions for \((z_n, x_n)\).
-
If \(\deg \left( p_n \right) > 1\) and \(a_n \cdot b_n = 0\), the boomerang equations for \(p_n\) might not be fully determined, so in this case we can have at most q many solutions for \((z_n, x_n)\), see Lemma 3.9.
-
If \(\deg \left( p_n \right) > 1\) and \(a_n \cdot b_n \ne 0\), then by Corollary 3.6 we have at most \(d_n^2\) solutions for \((z_n, x_n)\).
-
If \(\deg \left( p_{n - 1} \right) = 1\), then in principle it might happen that both equations become constant and that the left-hand sides coincide with the right-hand sides. Then the c-boomerang uniformity is maximal, i.e. we have to bound it by q.
-
If \(a_{n - 1} \cdot b_{n - 1} = 0\), then the equation system might not be fully determined. In that case we have to use the trivial upper bound q.
-
If \(a_{n - 1} \cdot b_{n - 1} \ne 0\), then we divide both equations by \(a_{n - 1}^d\), the first equation by \(\alpha\) and the second one by \(c \cdot \gamma\). After a substitution analog to Eq. (8), we obtain a generalized boomerang equation system with the coefficientsSo by Theorem 3.4 the generalized boomerang equation system \({\mathcal{F}} (d_{n - 1}, c_1, \dots , c_5)\) has at most \(d_{n - 1}^2\) many solutions in \(\mathbb{F}_{q}^2\).$$\begin{aligned} c_1 = \frac{c \cdot \beta }{\alpha }, \quad c_2 = \frac{b_{n - 1}}{\alpha \cdot a_{n - 1}^{d_{n - 1}}}, \quad c_3 = \frac{\delta }{c \cdot \gamma }, \quad c_4 = 1, \quad c_5 = \frac{b_{n - 1}}{\gamma \cdot a_{n - 1}^{d_{n - 1}}}. \end{aligned}$$