Revisiting products of the form X times a linearized polynomial L(X)

Let \(q = p^m\) for a prime p and a positive integer m and let \(\mathbb {F}_{q^n}\) denote the field with \(q^n\) elements. A polynomial \(L \in \mathbb {F}_{q^n}[X]\) is called a q-polynomial if it is of the formThere is a one-to-one correspondence of q-polynomials in \(\mathbb {F}_{q^n}[X]\) and \(\mathbb {F}_q\)-linear mappings over \(\mathbb {F}_{q^n}\) by means of their evaluation maps.

For a q-polynomial \(L \in \mathbb {F}_{q^n}[X]\), we denote \(f_L :\mathbb {F}_{q^n} \rightarrow \mathbb {F}_{q^n}, x \mapsto x \cdot L(x)\). Such \(f_L\) are exactly the functions of the formGiven a function \(f :\mathbb {F}_{q^n} \rightarrow \mathbb {F}_{q^n}\) and \(a,b \in \mathbb {F}_{q^n}\), we defineThe differential spectrum of f, denoted by \(\mathcal {D}_f\), counts the occurrences of \(D_f(a,b)\) over all pairs \((a,b) \in \mathbb {F}_{q^n}^* \times \mathbb {F}_{q^n}\), formally,where \(\eta _i = |\{(a,b) \in \mathbb {F}_{q^n}^* \times \mathbb {F}_{q^n} \mid D_f(a,b) = i \} |\). The differential uniformity [23], denoted \(\delta _f\), is defined asThe differential uniformity, and more generally the differential spectrum of a function can be understood as a measure on the robustness against differential cryptanalysis [8] and its variants when using f as a substitution box in a symmetric cryptographic primitive (see e.g., [9] for a discussion). For p odd, functions reaching the lowest possible differential uniformity \(\delta _f = 1\) are called planar. For \(p=2\), the lowest possible differential uniformity is 2, and functions reaching this value with equality are called almost perfect nonlinear (APN). Besides the interest in functions with low differential uniformity for cryptographic applications, planar functions and APN functions have strong connections to objects in finite geometry and combinatorics (see [25] for a survey).

The differential uniformity of functions \(f_L\) has already been studied in the literature: In [7], Berger et al. showed that a function of the form (2) over a field of characteristic 2 can be APN (i.e., differentially 2-uniform) only if L is a monomial, hence the only APN functions \(f_L\) are the Gold APN functions (as defined in [18, 23]).

In the case of odd characteristic p, the planarity of functions \(f_L\) was first studied by Kyureghyan and Özbudak in [20]. They showed some sufficient conditions on L for \(f_L\) being planar as well as some non-existence results for special types of planar functions \(f_L\). However, all of the constructed planar functions were (CCZ-)equivalent to monomials. This study was continued in [14] and [29] by proving some open conjectures on the non-existence raised in [20].

For L being a trinomial of the form \(X^{q^2} + aX^q + bX\), Bartoli and Bonini characterized in [1] all planar functions \(f_L\) over \(\mathbb {F}_{q^3}\) with the restriction \(a,b \in \mathbb {F}_q\). Later, Chen and Mesnager [13] completed the characterization for general \(a,b \in \mathbb {F}_{q^3}\).

In [11], Budaghyan et al. introduced the notion of an isotopic shift of a function. Given \(g :\mathbb {F}_{q^n} \rightarrow \mathbb {F}_{q^n}\) and a q-polynomial \(L \in \mathbb {F}_{q^n}[X]\), the isotopic shift of g by L is defined as the function mapping \(x \in \mathbb {F}_{q^n}\) to \(g(x+L(x)) - g(x) - g(L(x))\). Hence, the isotopic shifts of \(g(x) = x^2\) are exactly the functions of the form \(2 \cdot f_L\). In [10], the authors studied isotopic shifts for constructing planar functions and showed that it is possible to have planar functions \(f_L\) inequivalent to monomials, more precisely, they obtained functions corresponding (up to equivalence) to commutative Dickson semifields.

For a q-polynomial \(L \in \mathbb {F}_{q^n}[X]\), letandThe set \(\mathcal {I}(L)\) denotes the image set of the rational function \(r_L :\mathbb {F}_{q^n}^* \rightarrow \mathbb {F}_{q^n}, x \mapsto \frac{L(x)}{x}\) and we have \(\mathcal {I}(L) = \mathbb {F}_{q^n} {\setminus } \mathcal {V}(L)\). Those sets played a central role in the study of planarity of \(f_L\) and were also studied in previous papers in the context of finite geometry and coding theory, see, e.g., [17, 20, 22] and the references therein. We would like to point out the geometric interpretation in more detail (see, e.g., [16]): Let W be a 2-dimensional \(\mathbb {F}_{q^n}\)-vector space and let \(\Lambda = \textrm{PG}(W,\mathbb {F}_{q^n}) = \textrm{PG}(1,q^n)\) be the projective line over \(\mathbb {F}_{q^n}\). An \(\mathbb {F}_q\)-linear set \(\mathcal {L}_U\) of \(\Lambda \) of rank n is defined as the point set of the non-zero points of an n-dimensional \(\mathbb {F}_q\)-subspace U of W, i.e.,If \(L \in \mathbb {F}_{q^n}[X]\) is a q-polynomial, we can take \(U = U_L :=\{(x,L(x)) \mid x \in \mathbb {F}_{q^n}\}\) and denote the corresponding linear set \(\mathcal {L}_{U_L}\) by \(\mathcal {L}_L\). We then haveThe study of linear sets has also been successfully applied to the study of APN functions. For instance, in [2] the authors analyze certain classes of \(\mathbb {F}_2\)-linear sets to prove the existence of APN functions of a specific form. It is known that the planarity property of a function \(f_L\) is completely determined by a property (independent of L) of the set \(\mathcal {I}(L)\). Indeed, \(f_L\) being planar is equivalent to \(x \mapsto a L(x) + x L(a)\) having trivial kernel for all \(a \in \mathbb {F}_{q^n}^*\), i.e., \(-\frac{L(a)}{a} \notin \mathcal {I}(L)\) for all \(a \ne 0\), i.e., \(0 \notin \mathcal {I}(L)\) and for all \(b \in \mathbb {F}_{q^n}^*\), at most one of \(-b,b\) is contained in \(\mathcal {I}(L)\) (see [20, Theorem 1]). So, if \(f_L\) is planar and M a q-polynomial for which \(\mathcal {I}(L) = \mathcal {I}(M)\), also \(f_M\) is planar. Clearly, for any planar function over \(\mathbb {F}_{q^n}\), there is only one possibility of its differential spectrum, i.e., \(\eta _1 = q^n(q^n-1)\) and \(\eta _i = 0\) for \(i \ne 1\).

One might ask more generally whether the differential uniformity, or even the differential spectrum, of \(f_L\) (not necessarily planar) is completely determined by the set \(\mathcal {I}(L)\):

The question for which pairs of q-polynomials \(L,M \in \mathbb {F}_{q^n}[X]\) the identity \(\mathcal {I}(L) = \mathcal {I}(M)\) holds was studied in [17] and a classification was obtained for the case of \(n \le 5\). To recall this result, we need the notion of \(\Gamma \textrm{L}(2,q^n)\)-equivalence of two q-polynomials, given below. For a function \(f :\mathbb {F}_{q^n} \rightarrow \mathbb {F}_{q^n}\), we denote by \(\mathcal {G}_f\) the graph of f, defined as \(\{(x,f(x)) \mid x \in \mathbb {F}_{q^n} \}\). The functions f and g are called CCZ-equivalent [12], if there is an affine bijection A over \(\mathbb {F}_{q^n} \times \mathbb {F}_{q^n}\) such that \(A(\mathcal {G}_f) = \mathcal {G}_g\). An important fact is that the differential spectrum of a function is invariant under CCZ-equivalence.

Clearly (see also [17]), if M and L are \(\Gamma \textrm{L}(2,q)\)-equivalent via \(M = \varphi (L)\), then \(|\mathcal {I}(L) |= |\mathcal {I}(\varphi (L)) |\). Further, given L and M with \(\mathcal {I}(L) = \mathcal {I}(M)\) and admissible \(\varphi \) as in (3), then \(\mathcal {I}(\varphi (L)) = \mathcal {I}(\varphi (M))\).

Given a q-polynomial L in the form of (1), we denote by \(L^*\) its adjoint, i.e., the q-polynomialThe induced \(\mathbb {F}_q\)-linear mappings \(x \mapsto L(x)\) and \(x \mapsto L^*(x)\) over \(\mathbb {F}_{q^n}\) are adjoint relative to the bilinear form \((x,y) \mapsto \textrm{tr}(xy)\), where \(\textrm{tr}:x \mapsto \sum _{i=0}^{n-1} x^{q^i}\) denotes the trace function from \(\mathbb {F}_{q^n}\) to \(\mathbb {F}_q\). That is, \(\textrm{tr}(xL(y)) = \textrm{tr}(L^*(x)y)\) holds for all \(x,y \in \mathbb {F}_{q^n}\) (see, e.g., [22]).

We have now established the necessary terminology to recall the classification result by Csajbók et al.

Since a q-polynomial \(L \in \mathbb {F}_{q^n}[X]\) with maximum field of linearity \(\mathbb {F}_{q^t}\) is also a \(q^t\)-polynomial in \(\mathbb {F}_{{q^t}^{n/t}}[X]\) and for \(L,M \in \mathbb {F}_{q^n}[X]\) with \(\mathcal {I}(L) = \mathcal {I}(M)\), the fields of linearity of L and M coincide [17, Propostion 2.1], this yields the following corollary.

Given a q-polynomial \(L \in \mathbb {F}_{q^n}[X]\), we denote by \(\ker (L)\) the kernel of the \(\mathbb {F}_q\)-linear map \(x \mapsto L(x)\) over \(\mathbb {F}_{q^n}\), i.e., the subspace of all elements \(y \in \mathbb {F}_{q^n}\) with \(L(y) = 0\). For \(0 \le k \le n\), let us defineClearly, \(\mathcal {V}_0(L) = \mathcal {V}(L)\) and \(\cup _{k=1}^n \mathcal {V}_k(L) = \mathcal {I}(L)\). Further, note that, for \(1 \le k \le n\), we haveThe sets \(\mathcal {V}_k(L)\) for \(0 \le k \le n\) have the following interpretation in terms of linear sets: For a point \(P = \langle (x,y) \rangle _{\mathbb {F}_{q^n}} \in \textrm{PG}(1,q^n)\) with \(x,y \in \mathbb {F}_{q^n}\), the weight of P with respect to the \(\mathbb {F}_q\)-linear set \(\mathcal {L}_L\), denoted by \(w_{\mathcal {L}_L}(P)\), is defined as the dimension of the intersection \(U_L \cap \langle (x,y) \rangle _{\mathbb {F}_{q^n}}\) as an \(\mathbb {F}_q\)-vector space. The set \(\mathcal {V}_k(L)\) consists precisely of those \(y \in \mathbb {F}_{q^n}\) for which \(w_{\mathcal {L}_L}(\langle (1,y) \rangle _{\mathbb {F}_{q^n}}) = k\).

The crucial point for the following discussion is the fact that the differential spectrum of \(f_L\) is completely determined by \((\mathcal {V}_k(L))_{k=1,\dots ,n}\), which we show in the following characterization. For a set S, we denote by \(-S\) the set \(\{-a \mid a \in S\}\).

It was first proven in [3, Lemma 2.6] that \(\mathcal {V}(L) = \mathcal {V}(L^*)\) and \(\mathcal {I}(L) = \mathcal {I}(L^*)\). There are various other proofs given in the literature, e.g., in [22], which uses the characterization of permutations by their Walsh transforms. A particularly elegant proof was given in [16, Rem. 3.3], proving the (a priori) more general question of equality of \(\mathcal {V}_k(L)\) and \(\mathcal {V}_k(L^*), 0 \le k \le n\). For completeness, we repeat this proof in the following.

To settle Theorem 2, we finally show that the property of equality of sets \(\mathcal {V}_k(L)\), \(\mathcal {V}_k(M)\) is not affected when changing L, M under \(\Gamma \textrm{L}(2,q^n)\)-equivalence using the same \(\varphi \). We can show more generally how the sets \(\mathcal {V}_k(L), k = 1,\dots ,n\) are affected under \(\Gamma \textrm{L}(2,q^n)\)-equivalence of L.

The above Lemmas 1, 2, and 3, together with Theorem 1 imply Theorem 2 and thus completely settle Question 1 for the case of \(n \le 5\).

An interesting open question is whether the sets \(\mathcal {V}_k(L)\), \(k=1,\dots ,n\) are completely determined from \(\mathcal {I}(L)\) (equivalently from \(\mathcal {V}(L)\)) in general.

In terms of linear sets, the question is equivalent to asking whether the weights of \(\langle (1,y) \rangle _{\mathbb {F}_{q^n}}\) with respect to the linear set \(\mathcal {L}_L\) are completely determined by the points \(\langle (1,y) \rangle _{\mathbb {F}_{q^n}}\) of weight \(w_{\mathcal {L}_L}(\langle (1,y) \rangle _{\mathbb {F}_{q^n}}) = 0\). Answering this question affirmatively immediately gives a positive answer to Question 1.

Using Corollary 2, a simple upper bound on the differential uniformity of \(f_L\) can be given based on the emptiness of sets \(\mathcal {V}_k(L)\). That is, if \(k \in \{1,\dots ,n\}\) is the largest integer such that \(\mathcal {V}_k(L) \ne \emptyset \), the differential uniformity of \(f_L\) is bounded above by \(q^k\). Moreover, for the case of \(p=2\), we have \(-\mathcal {V}_k(L) = \mathcal {V}_k(L) \subseteq \mathcal {I}(L)\). Hence, for \(p=2\), the differential uniformity is equal to \(q^k\).

Then, from Lemma 3, it follows that we obtain functions of bounded differential uniformity from \(f_L\) if we stay in the same \(\Gamma \textrm{L}(2,q^n)\)-equivalence class.

For odd values of p, this allows us to obtain functions \(f_M\) with different differential spectra (hence CCZ-inequivalent to each other), but \(\delta _{f_M} \le q^k\), from M within the \(\Gamma \textrm{L}(2,q^n)\)-equivalence class of L (an example is given in Example 1 below). However, in even characteristic, we do not leave the extended-affine equivalence class of \(f_L\) (and hence cannot obtain distinct differential spectra), as the following lemma states. Note that two functions \(f,g :\mathbb {F}_{q^n} \rightarrow \mathbb {F}_{q^n}\) are extended-affine equivalent (EA-equivalent) if there exist affine bijections \(A,B :\mathbb {F}_{q^n} \rightarrow \mathbb {F}_{q^n}\) and an affine function \(C :\mathbb {F}_{q^n} \rightarrow \mathbb {F}_{q^n}\) such that \(g = B \circ f \circ A + C\). In case that A and B are also linear and \(C= 0\), the functions f and g are called linear-equivalent. Since EA-equivalence is a special case of CCZ-equivalence, two EA-equivalent functions have the same differential spectrum.

The q-polynomials L such that \(\mathcal {V}_k(L) = \emptyset \) for all \(k > 1\) are called scattered q-polynomials [26]. They are widely studied as they have applications in finite geometry (in terms of maximum scattered linear sets) and coding theory (in terms of rank distance codes [26]), see [21] and the references therein. It is well known that a q-polynomial \(L \in \mathbb {F}_{q^n}[X]\) is scattered if and only if \(\mathcal {I}(L)\) is of maximal size, i.e., \(\vert \mathcal {I}(L) |= \frac{q^n-1}{q-1}\). Indeed, \(\mathcal {I}(L)\) is of maximal size if and only if each element \(\frac{L(y)}{y} \in \mathcal {I}(L)\) has \(q-1\) preimages \(x = cy\) with \(c \in \mathbb {F}_{q}^*\). This yields an affirmative answer to Question 1 and Question 2 for those L, M for which \(\mathcal {V}(L)\) and \(\mathcal {V}(M)\) have size \(q^n-\frac{q^n-1}{q-1}\). There are only a few known instances and families of scattered q-polynomials, see e.g., the list in [4, Section 1]. The best known family of scattered q-polynomials are the monomials \(X^{q^s}\) with \(\gcd (s,n) = 1\). Bartoli and Zhou [5] showed that those monomials are the only exceptional scattered (of index 0) monic q-polynomials, i.e., the only monic q-polynomials that are scattered over infinitely many extensions of \(\mathbb {F}_q\).

For scattered q-polynomials, we get the following immediate corollaries from Propostion 1 and Corollary 3, respectively.

This corollary is a consequence of the fact that the property of a q-polynomial in \(\mathbb {F}_{q^n}[X]\) being scattered is invariant under \(\Gamma \textrm{L}(2,q^n)\)-equivalence.

In the following example, we illustrate that it is possible to get a variety of distinct differential spectra for \(f_{\varphi (L)}\) when L is a scattered q-polynomial and \(\varphi \) and admissible mapping for L (in the case where q is odd).

In general, it would be interesting to classify all possible differential spectra of \(f_{\varphi (L)}\) for admissible mappings \(\varphi \) for L, for a given scattered q-polynomial L and to understand whether a scattered q-polynomial L can yield CCZ-inequivalent planar functions \(f_{\varphi (L)}\).