On construction and (non)existence of $c$-(almost) perfect nonlinear functions

Functions with low differential uniformity have relevant applications in cryptography. Recently, functions with low $c$-differential uniformity attracted lots of attention. In particular, so-called APcN and PcN functions (generalization of APN and PN functions) have been investigated. Here, we provide a characterization of such functions via quadratic polynomials as well as non-existence results.


Introduction
Perfect nonlinear (PN) and almost perfect nonlinear (APN) functions and in general functions with low differential uniformity over finite fields have been widely investigated due to their applications in cryptography. Indeed, differential cryptanalysis [5,6] is an important cryptanalytic approach targeting symmetric-key primitives. In order to be resistant against such types of attacks, cryptographic functions used in the substitution box (S-box) in the cipher are required to have a differential uniformity as low as possible (see [10] for a survey on differential uniformity of vectorial Boolean functions). In [7], the authors introduce a different type of differential, useful for ciphers that utilize modular multiplication as a primitive operation. Consequently, a new concept called multiplicative differential (and the corresponding c-differential uniformity) has been introduced [20]. Definition 1.1. [20, Definition 1] Given a p-ary (n, m)-function f : F p n → F p m , and c ∈ F p m , the (multiplicative) c-derivative of f with respect to a ∈ F p n is the function For an (n, n)-function f , and a, b ∈ F p n , and c ∆ f := max{ c ∆ f (a, b) : a, b ∈ F p n , (a, c) = (0, 1)}.
The quantity c ∆ f is called c-differential uniformity of f . Note that for c = 1, the above definitions coincide with the usual derivative of f and its differential uniformity.
If c ∆ f ≤ δ ∈ N, we say that f is differentially (c, δ)-uniform. In the special cases δ = 1 and δ = 2, such functions are also called PcN and APcN functions. It is worth noting that PcN functions (namely β-planar functions) have been investigated and partially classified in [4].
Very recently, power functions with low c-differential uniformity have been studied in [42]. Also in [25], the authors focus on monomial functions and study their c-differential uniformity for c = −1. In [37], the c-differential uniformity of some known APN functions in odd characteristic is investigated.
In this paper, we further investigate the construction and existence of some APcN and PcN functions. First, in Section 2, we collect some preliminary results and definitions that we will use in the rest of the paper. In Section 3, we first give a characterization of APcN and PcN quadratic functions, which, in particular, gives us a correspondence between planar DO polynomials and APcN maps. Then, we show that, using the AGW criterion [1] and its generalization [33], it is possible to construct several classes of APcN and PcN functions. In the last section, we give some non existence results for some exceptional monomial APcN and PcN functions using connections with algebraic curves and a combination of Galois Theory tools introduced by Micheli in [34,35].

Preliminaries
Let q = p n be a fixed prime power. We denote by F q and F q the field with q elements and its algebraic closure. In the following we will focus on functions defined from F q to itself, i.e. p-ary (n, n)-functions. Any function f : F q → F q can be represented uniquely by an element of the polynomial ring F q [x] of degree less than q. For • f is affine if it differs from a linear polynomial by a constant.
• f is quadratic if it differs from a DO polynomial by an affine polynomial.
A polynomial f is a permutation polynomial (PP) over F q , if x → f (x) is a bijection from F q to itself, and it is a complete permutation polynomial (CPP) over F q , if both f (x) and f (x) + x are PPs.
The AGW criterion, introduced in [1], is a useful method in the construction of PPs and CPPs; see for instance [32,41,43,44]. The AGW criterion, in the additive case, is given by the following proposition.
Proposition 2.1 (Proposition 5.4 [1]). Let p be a prime and q = p m for some integer m > 0. Let φ(x) and ψ(x) be two F q -linear polynomials over F q seen as endomorphisms of F q n , and let is a permutation polynomial of F q n if and only if the following two conditions hold: As immediate consequence, in Theorem 5.10 in [1] the authors provided the following general framework of PPs.
Theorem 2.2 ([1]). Let p be a prime and q = p m for some integer m > 0. Let φ(x) a F q -linear polynomials over F q seen as endomorphisms of F q n , and and In [33], Mesnager and Qu extend the AGW criterion for constructing 2to-1 map. If q is even, a 2-to-1 map over F q is a function such that any b ∈ F q has either 2 or 0 preimages. If q is odd, for all but one b ∈ F q , it has either 2 or 0 preimages, and the exception element has exactly one preimage.
For q = 2 m , using φ a 2-to-1 map over F q and that permutes J = {x q + x : x ∈ F q n } it is possible to construct 2-to-1 maps of same type as in Theorem 2.2. More specifically, we have the following result. Theorem 2.3 (Theorem 15 [33]). Let q = 2 m , φ(x) be a linear F q -linear polynomial seen as an endomorphism of F q n . Let g, h ∈ F q n [x] be such that h(x q + x) ∈ F * q for any x ∈ F q n . Assume and If φ is 2-to-1 over F q and h(x)φ(x) permutes J = {x q + x x ∈ F q n }, then both f 1 and f 2 are 2-to-1 over F q n .
In the second part of this work, Section 4, we deal with exceptional power APcN and PcN maps.
be a APcN (PcN) function over F q r for infinitely many r. Then, f is said exceptional APcN (PcN).
Results on exceptional APN e PN functions can be found in [2,13] and the references therein.
We use Galois theory tools to provide non-existence results for APcN and PcN monomials. We recall here the Galois theoretical part of our approach which deals with totally split places. This method was successfully used also in [3,21,34,35].
We will make use of the following results.
Theorem 2.5. [40, Theorem 3.9] Let r be a prime and G be a primitive group of degree n = s + k with k ≥ 3. If G contains an element of degree and order s (i.e. an s-cycle), then G is either alternating or symmetric.
The proof of the following result can be found in [24].
Lemma 2.6. Let L : K be a finite separable extension of function fields, let M be its Galois closure and G := Gal(M : K) be its Galois group. Let P be a place of K and Q be the set of places of L lying above P . Let R be a place of M lying above P . Then we have the following: The following can also be deduced by [30]; its proof can be found in [3].
Theorem 2.7. Let p be a prime number, m a positive integer, and q = p m . Let L : F be a separable extension of global function fields over F q of degree n, M be the Galois closure of L : F , and suppose that the field of constants of M is F q . There exists an explicit constant C ∈ R + depending only on the genus of M and the degree of L : F such that if q > C then L : F has a totally split place.

A characterization of APcN and PcN functions
It is well-known that a DO polynomial is planar if and only if it is 2-to-1 (see [12,Theorem 3]), the following result gives a characterization of APcN and PcN quadratic polynomials for c ∈ F p \ {1}. Theorem 3.1. Let p be a prime. Let f be a quadratic polynomial over F p m for some integer m. Then, for any c ∈ F p \ {1} we have the following.
We can note that for any γ we have and f is 2-to-1. Therefore, f is a planar function.
then the results above can be extended to any c ∈ F q \ {1}.
Up to now, all known planar functions are DO polynomials, but the case of x we have that these known planar functions are also APcN. Moreover, in [42] it has been proved that the planar function x is APcN for c = −1. The result (i) of Theorem 3.1 cannot be extend to a general planar quadratic function. Indeed, the planarity of a function f is invariant by adding a linear (affine) polynomial to f , while the c-differential uniformity is not. So, if we consider a planar DO polynomial, adding a linear function we could obtain a functions which is no more 2-to-1 and thus which is no APcN.
Remark 3.4. In [39], the authors introduce and study c-differential bent functions. In their work, they also relax the definition of perfect c-nonlinearity excluding the case of the derivative in the zero direction. In particular, they define PcN function any f such that f (x + γ) − cf (x) is a permutation for any γ ∈ F * q , and strictly PcN if in addition f is a permutation. For p = 2, even if we exclude the derivative in the zero direction, a PcN function has to be a PP. Indeed, let f be PcN and suppose that there exist x 1 and which is a contradiction.
It would be interesting to understand if this is the case also for p > 2.

Some PcN and APcN polynomials from the AGW criterion
In the following we will show that from the AGW criterion and its generalization [33] (for the case p = 2) we can obtain PcN and APcN functions. Theorem 2.2 gives us the possibility of constructing PPs of the form where g can be any polynomial over F q n . This is implied by the fact that x q − x annihilates both T r q n q (g(x)) and g(x) (q n −1)/(q−1) for any x. We can immediately construct some PcN polynomials.
is a PP for any γ. Denoting by ψ(x) = x q − x, from the AGW criterion (Proposition 2.1) we have that this is a PP if and only if ) − cT r q n q (g(x)) = 0 and thus b(1 − c)φ(x)+ permutes J since f 1 is a PP. The same holds for f 2 .
Another type of PPs, which are also PcN, can be constructed in the following way.
Theorem 3.6. Let p be a prime and q = p m for some integer m > 0. Let

is a PP if and only if φ(x) induces a permutation over J.
Proof. From the AGW criterion (Proposition 2.1) we have that f is a PP if and only if (g(x)) qs − (g(x)) s + bφ(x) permutes J. Note that for any y ∈ J we have T r q 2 q (y) = 0 and thus y q = −y. Since s = p h + p k has p-weight 2, for any y ∈ J we have y s ∈ F q . Indeed, Then, since g(J) ⊆ J we have that (g(x)) qs − (g(x)) s = 0, for any x ∈ J. Thus, f is a PP if and only if φ(x) permutes J. Example 3.7. An easy example of function g such that g(J) ⊆ J is given by g(x) = x + δ with δ ∈ J.
Theorem 3.6 can be generalized (with a similar proof) to functions f of type where s i 's have p-weight 2, that is s i = p h i + p k i for some h i , k i , and g i 's are such that g i (J) ⊆ J.

is a PP if and only if φ(x) induces a permutation over J.
Remark 3.9. Note that the polynomials in Theorem 2.2 and 3.6, considering φ(x) = x, are also CPPs when b = 0, −1.
As for the case of the functions f 1 and f 2 of Theorem 2.2, also the functions satisfying Theorem 3.6 are PcN when c ∈ F q \ {1}. Theorem 3.10. Let p be a prime and q = p m for some integer m > 0. Let f (x) be a PP as in Theorem 3.6. Then f (x) is PcN for any c ∈ F q \ {1}.
. Note that since J is an F q -vector space, g ′ (J) ⊆ J. Now as in Theorem 3.6, this is a permutation if and only if φ(x) permutes J. This condition is satisfied since f is a PP.
Remark 3.11. In even characteristic, PN functions (i.e. PcN function with c = 1) do not exist. As pointed out in [20], PcN functions, for c = 1, exist also for the case p = 2. Indeed, trivially, any PP is PcN for c = 0 and any linear permutation is PcN for any c = 1. Theorems 3.5 and 3.10 provide non-trivial PcN functions for p = 2.
A similar argument can be done for the case of APcN maps using the results of [33]. As for the PcN case we can obtain APcN maps for any c ∈ F q \ {1} using functions as in Theorem 2.3. In particular, for n odd, we can obtain the following APcN maps.
Theorem 3.12. Let n and m be two positive integers with n odd. Let q = 2 m and φ(x) be an F q -linear polynomial which is 2-to-1 over F q and that permutes are APcN functions for any c ∈ F q \ {1}.
Proof. Let us consider f 1 (x). For any γ we have For f 2 the claim follows in a similar way.
Remark 3.14. Note that, when n is even, it is not possible to construct φ that is a 2-to-1 map over F q and permutes J since F q ⊆ J. Indeed F q 2 is a subfield of F q n and, denoting by ψ(x) = x q + x, we have ψ(F q 2 ) = F q . So, for n even, it is not possible to construct APcN functions as in Theorem 3.12.

Non-existence results for APcN and PcN monomials
In this section we provide non-existence results for exceptional APcN (and PcN) monomials. In what follows, we will consider exponents d such that p ∤ d(d − 1), and we denote p h by q, for some integer h, and by s the smallest positive integer such that d − 1 | (p s − 1).
Let us consider For a = 0, the condition above implies that x d is at most a 2-to-1 function.
That is (d, q − 1) ≤ 2. When a = 0, Condition (2) can be simplified to A standard tool, when dealing with APN or PN functions is to consider the curve C f,c of affine equation We refer to [4] for and the references therein for an introduction to basic concepts about curves over finite fields.
It is readily seen that Condition (3) implies the existence of at most one absolutely irreducible component of C f,c defined over F q , provided that q is large enough with respect to d.
First, we will provide sufficient conditions on c and d for which C f,c is absolutely irreducible. In particular, we provide upper bounds on the number of singular points of C f,c . To this end we will consider, for simplicity, the curve D f,c : Singular points of C f,c are a subset of the singular points of D f,c .
Note that, under the hypothesis of Theorem 4.1 the number of singular points of C f,c is at most d/2. A deeper analysis shows that and therefore points (a, a) are double points of D f,c and then simple points of C f,c . So, C f,c possesses no singular points and hence it is absolutely irreducible.
Theorem 4.2. Suppose that d−1 √ c / ∈ F p s . Then C f,c is absolutely irreducible.
We want to prove that if q is large enough there exists t 0 ∈ F q such that the equation (x + 1) d − cx d = t 0 has more than two solutions, i.e. x d is not exceptional PcN nor APcN. To this end we will investigate the geometric and the algebraic Galois groups of the polynomial F c,d (t, More in details, consider G arith . They are both subgroups of S d , the symmetric group over d elements. Our aim is to prove that G geom and therefore by Chebotarev density Theorem [30], one obtains the existence of a specialization t 0 ∈ F q for which F c,d (t 0 , x) splits into d pairwise distinct linear factors (x − x i ) defined over F q and therefore (x + 1) d − cx d cannot be a permutation or 2-to-1 and x d is not PcN nor APcN. Proof. First we prove that the geometric Galois group of F c,d (t, is primitive (i.e. it does not act on a nontrivial partition of the underlying set). Let M be the splitting field of F c,d (t, x) and G be the Galois group of F c,d (t, x) over F q (t). Let x be a root of F c,d (t, x) and consider the extension F q (x) : F q (t). Clearly, t = ( By Theorem 4.2, C f,c is absolutely irreducible and then Suppose that there exists another repeated root y 0 = x 0 of (x+1 which is equivalent to (5). So each t 0 has at most one repeated root. Note that a repeated root x 0 is at most a double root of (x + 1) d − cx d = t 0 since otherwise (x 0 + 1) d−2 = cx d−2 0 and a contradiction easily arises from Let r be such that the element t 0 obtained above belongs to F q r . This means that (x + 1) d − cx d − t 0 has exactly one factor of multiplicity 2 and all the others of multiplicity 1. Let now M be the splitting field of F c,d (t, x) over F q r (t). Let R be a place of M lying above t 0 . Now, using Lemma 2.6 we obtain that the decomposition group D(R | t 0 ) has a cycle of order exactly 2 and fixes all the other elements of H = Hom Fq(t) (F q (t)[x] : F c,d (x), M) (H can be simply thought as the set of roots of F c,d (t, x) in F q (t)). Now pick any element g ∈ D(R | t 0 ) that acts non-trivially on H. This element has to be a transposition, which in turn forces Gal(F c,d (t, x) : F q ru (t)) to contain a transposition for any u ∈ N and therefore in particular that Gal(F c,d (t, x) : F q (t)) contains a transposition.
We already know that Gal(F c,d (t, x) : F q (t)) is primitive. Now using Theorem 2.5 with s = 2 we conclude that both S d = Gal(F c,d (t, x) : F q (t)) and Gal(F c,d (t, x) : F q (t)) = S d . Proof. Consider F = F q (t) and L = F (z), where z is a root of F c,d (t, x) | F q (t). Lemma 4.3 tells us that the field of constants of the Galois closure of L : F is trivial, as the geometric Galois group of F c,d (t, x) is equal to the arithmetic one. Let C be the constant in Theorem 2.7. Using now Theorem 2.7 we have that if q > C there exists a specialization t 0 ∈ F q such that F c,d (t, x) is totally split and therefore f c,d (x) = t 0 has d solutions in F q . The claim follows.
Finally, we list a couple of open problems. Open Problem 4.5. Non-existence results for PN or APN functions have been obtained using a number of different methods. It would be interesting to check whether such methods apply also to PcN and APcN for c = 1. Open Problem 4.6. If p = 2, as already mentioned, no PN functions exist. A different definition of planar functions was given by Zhou [46]: a function f : F q → F q is pseudo-planar if, for each nonzero ǫ ∈ F q , the function is a permutation of F q . As shown by Zhou [46] and Schmidt and Zhou [38], pseudo-planar functions have similar properties and applications as their counterparts in odd characteristic. It is natural to extend such a definition to different c. We call a function f (x) pseudo-P cN if for all c, ǫ ∈ F q , ǫ = 0, f (x + ǫ) + cf (x) + ǫx is a permutation of F q . Can these functions have the same applications as "normal" PcN or APcN?