Bounds on the differential uniformity of the Wan-Lidl polynomials

We study the differential uniformity of the Wan-Lidl polynomials over finite fields. A general upper bound, independent of the order of the field, is established. Additional bounds are established in settings where one of the parameters is restricted. In particular, we establish a class of permutation polynomials which have differential uniformity at most 5 over fields of order $q \equiv 3 \bmod 4$, irrespective of the field size. Computational results are also given.


Introduction and the Main Results
Throughout this paper $\mathbb{F}_q$ denotes the finite field of order $q$, with $q = p^e$ for some prime $p$ and $e \in \mathbb{N}$, and $\mathbb{F}_q^\star$ denotes the nonzero elements of $\mathbb{F}_q$. We use $z$ to denote a primitive element of $\mathbb{F}_q$. It follows from Lagrange interpolation and counting that any function on $\mathbb{F}_q$ can be represented uniquely by a polynomial in $\mathbb{F}_q[x]$ of degree less than $q$. A polynomial $f \in \mathbb{F}_q[x]$ is called a permutation polynomial (PP) over $\mathbb{F}_q$ if the evaluation map $c \mapsto f(c)$ is a bijection on $\mathbb{F}_q$. An easily proved class of examples comes from the monomials: $x^d$ is a PP over $\mathbb{F}_q$ if and only if $\gcd(d, q-1) = 1$. Permutation polynomials have been studied extensively for decades. A broad introduction is given by Lidl and Niederreiter [10], Chapter 7, and there are the two classical survey articles of Lidl and Mullen [8,9]. For a more recent survey, see Hou [7].

This paper is concerned with an important property of functions known as differential uniformity. Let $f \in \mathbb{F}_q[x]$ and $a \in \mathbb{F}_q^\star$. The differential operator of $f$ in the direction of $a$ is the function $\Delta_{f,a}(x) := f(x+a) - f(x)$. The differential uniformity (DU) of $f$ is defined by $\delta_f := \max_{a \in \mathbb{F}_q^\star,\, c \in \mathbb{F}_q} \bigl|\{x \in \mathbb{F}_q : \Delta_{f,a}(x) = c\}\bigr|$. The lower the DU of a function, the more resistant the function is to differential attacks when used as an S-box: $\delta_f$ is the largest entry of the difference distribution table of $f$, so $\delta_f/q$ bounds the probability with which any fixed input difference propagates to any fixed output difference. Functions with optimal DU are called almost perfect nonlinear (APN) over fields of characteristic 2 (with 2-DU), and planar over fields of odd characteristic (with 1-DU). PPs with optimal differential uniformity are highly desirable. Over fields of order $2^e$, a number of classes of APN PPs are known when $e$ is odd, but when $e$ is even we have only a single example, found by Browning, Dillon, McQuistan and Wolfe [2] for $e = 6$. If one weakens the requirement to constructing PPs with near-optimal DU, then further examples are known, a recent example being the 6-DU permutations constructed by Calderini [4].
In odd characteristic, it is actually impossible for a planar function to be a PP. Indeed, Coulter and Senger [5] showed that the image set of a planar function over $\mathbb{F}_q$ can be no larger than roughly $q - \sqrt{q}$. Thus, in odd characteristic, the problem becomes that of finding PPs with near-optimal DU. Some monomial examples were established in 1997. Helleseth and Sandberg [6] showed that the monomials $x^d$ with $d = (p^e+3)/2$, $p \ne 3$ and $p^e \equiv 3 \bmod 4$, are 4-DU over $\mathbb{F}_{p^e}$, see [6], Theorem 3. These monomials are always PPs over $\mathbb{F}_{p^e}$ under these conditions, since $2d = (q-1) + 4$ forces $\gcd(d, q-1) \mid 4$ while $d$ is odd.
Here we focus on a class of PPs first classified by Wan and Lidl in 1991. A Wan-Lidl polynomial is any polynomial of the form $x^s h(x^{(q-1)/d})$ with $h \in \mathbb{F}_q[x]$, $s, d \in \mathbb{N}$, and $d \mid (q-1)$. Wan and Lidl gave necessary and sufficient conditions for polynomials of this form to be PPs in [11], see Theorem 4 below. Here we give several results concerning the differential uniformity of these polynomials. Our main result, Theorem 1, gives a general upper bound on the DU of a Wan-Lidl polynomial: for $s > 1$, $d \mid (q-1)$ and any $h \in \mathbb{F}_q[x]$, the polynomial $f(x) = x^s h(x^{(q-1)/d})$ satisfies $\delta_f \le d(sd-1)+2$.
Note that this bound does not require $f$ to be a PP. The proof is based on a worst-case scenario which we believe rarely occurs, so the bound is almost certainly not tight in many cases. Specialising, we fix the parameter $d = 2$ and prove the following result (Theorem 2, bounding the DU of the binomial PPs $x^s(\eta(x)+b)$ with $s$ even by $4s-3$), thereby establishing an infinite class of binomial permutations with DU at most 5.
In particular, when $s = 2$ and $s = 4$, the bound in Theorem 2 gives $\delta_f \le 5$ and $\delta_f \le 13$, respectively. The bound has been shown to be tight for $s = 2$ and $s = 4$ using the Magma algebra system [12], though the two cases appear to be very different. When $s = 2$, it seems the bound is always tight for fields of order larger than 59, while for $s = 4$ we have found only one example where the bound is met, over the field of order 3671. Additionally, computational evidence led us to prove the following corollary, which gives an infinite class of PPs having DU at most 4.
Though the evidence is not particularly strong, it is possible that the PPs of this corollary form the only infinite class of Wan-Lidl PPs with a differential uniformity of 4. In subsequent computations for $s \in \{4, 6\}$, Wan-Lidl PPs with DU 4 stopped appearing once the field size was large enough.
Similarly, by fixing the parameter $s = 2$, we obtain the following result.

Theorem 3. Let $q$ be odd, $d \in \mathbb{N}$ be even and

The paper is organized as follows. In Section 2, we recall the PP classification of Wan-Lidl polynomials obtained by Wan and Lidl, and explain why we believed these polynomials warranted further investigation with regard to their DU. In Section 3, we prove our general result, Theorem 1. In Section 4, we prove DU bounds for some special cases of Wan-Lidl PPs, namely Theorem 2, Corollary 1, and Theorem 3. All three results rely on a key lemma, which we establish first. Finally, in Section 5, we present computational data for the DU of the Wan-Lidl PPs of the form described in Theorem 2 over some prime fields $\mathbb{F}_p$, and for some small values of $s$.

The Wan-Lidl PPs
In [11], Wan and Lidl studied the permutation behaviour of polynomials of the form $x^s h(x^{(q-1)/d})$. In particular, they determined necessary and sufficient conditions for them to be PPs, as well as establishing results about their group structure under composition modulo $x^q - x$. Their classification result is as follows.
We may assume that $\deg(h) < d$ when studying Wan-Lidl polynomials $f = x^s h(T(x))$. Indeed, since $s \ge 1$, if $h$ has a term $x^d$, then $x^s T(x)^d = x^{s+q-1}$ reduces to $x^s$ modulo $x^q - x$, so that term can be absorbed into the constant term of $h$.

One important aspect of these polynomials is that their overall behaviour is tied to their behaviour on the subgroup $H$. It is for this reason that we were first attracted to studying the DU of these polynomials. Restrictions such as this one have been used before in the study of low DU functions and their bijectiveness. For example, Budaghyan, Carlet and Leander [3] produced a method for constructing APN functions from known APN functions using a restriction condition. In the aforementioned paper of Calderini [4], the author also uses knowledge about a function's behaviour on a subfield to obtain a construction of low DU permutations. Very recently, Bergman and Coulter [1] used a restriction condition to prove that a class of 4-DU functions are not bijections. The proofs of our results follow a similar approach to these previous low DU results.
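The criterion of Theorem 4 can be checked mechanically, which is useful both for reproducing the tables later in the paper and for auditing a candidate S-box construction. The following Python is an added example, not code from the paper or from Wan and Lidl. It implements the three conditions under the labels the paper uses, (WL 1) $\gcd(s, (q-1)/d) = 1$, (WL 2) $h(\lambda) \ne 0$ for every $\lambda \in H$, and (WL 3) $\lambda \mapsto \lambda^s T(h(\lambda))$ injective on $H$ (the text above quotes (WL 1) and (WL 3); (WL 2) is the standard nonvanishing condition of the criterion), restricted to prime fields $\mathbb{F}_p$, and cross-checks the verdict against brute-force evaluation of $f$ on all of $\mathbb{F}_p$. Function names, the coefficient-list representation of $h$, and the sample parameters in the usage block are this example's own choices.

```python
# Wan-Lidl permutation criterion for f(x) = x^s h(x^((p-1)/d)) over a prime field F_p,
# cross-checked against brute-force evaluation. Added example; not the paper's code.
from math import gcd


def primitive_root(p):
    """Smallest primitive element z of F_p (p an odd prime), found by order testing."""
    n = p - 1
    factors, m = set(), n
    for f in range(2, n + 1):          # trial division collects the prime factors of p - 1
        while m % f == 0:
            factors.add(f)
            m //= f
    for z in range(2, p):
        if all(pow(z, n // f, p) != 1 for f in factors):
            return z
    raise ValueError("p must be an odd prime")


def eval_poly(coeffs, x, p):
    """Horner evaluation of h; coeffs[i] is the coefficient of x^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def wan_lidl_value(s, coeffs, d, x, p):
    """f(x) = x^s h(T(x)) with T(x) = x^((p-1)/d)."""
    return pow(x, s, p) * eval_poly(coeffs, pow(x, (p - 1) // d, p), p) % p


def is_permutation_bruteforce(s, coeffs, d, p):
    """Ground truth: f is a PP iff its image is all of F_p."""
    return sorted(wan_lidl_value(s, coeffs, d, x, p) for x in range(p)) == list(range(p))


def wan_lidl_criterion(s, coeffs, d, p):
    """Return (is_pp, reason) from (WL 1)-(WL 3) on the subgroup H of order d."""
    if (p - 1) % d:
        raise ValueError("d must divide p - 1")
    m = (p - 1) // d                               # T(x) = x^m
    if gcd(s, m) != 1:
        return False, "(WL 1) fails: gcd(s, (q-1)/d) != 1"
    z = primitive_root(p)
    H = [pow(z, m * i, p) for i in range(d)]       # H = <z^((q-1)/d)>, the d-th roots of unity
    images = set()
    for lam in H:
        h_lam = eval_poly(coeffs, lam, p)
        if h_lam == 0:
            return False, "(WL 2) fails: h(%d) = 0 with %d in H" % (lam, lam)
        # lambda^s * T(h(lambda)) must take d distinct values as lambda runs over H
        images.add(pow(lam, s, p) * pow(h_lam, m, p) % p)
    if len(images) != d:
        return False, "(WL 3) fails: lambda -> lambda^s T(h(lambda)) is not injective on H"
    return True, "(WL 1)-(WL 3) all hold"


def agree(s, coeffs, d, p):
    """Criterion and brute force must give the same verdict; used as a self-check."""
    return wan_lidl_criterion(s, coeffs, d, p)[0] == is_permutation_bruteforce(s, coeffs, d, p)


if __name__ == "__main__":
    # d = 2 binomials x^2 (eta(x) + b) over F_11: b = 3 is a PP, b = 1 violates (WL 2).
    for b in (3, 1):
        print("b =", b, wan_lidl_criterion(2, [b, 1], 2, 11))
    # d = 3 over F_7 with h(x) = 5 + 2x + x^2, i.e. f(x) = x^5 + 2x^3 + 5x, which is a PP.
    print(wan_lidl_criterion(1, [5, 2, 1], 3, 7), agree(1, [5, 2, 1], 3, 7))
```

The criterion costs $O(d)$ field operations once a primitive root is known, against $O(p)$ evaluations for the brute-force check, which is what makes it practical for the field sizes (thousands of elements) used in Section 5.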

Determining the DU for the general case
We shall now prove Theorem 1. To this end, fix $s, d \in \mathbb{N}$ with $s > 1$ and $d \mid (q-1)$. Let $h \in \mathbb{F}_q[x]$, $T(x) = x^{(q-1)/d}$, and set $H = \langle z^{(q-1)/d} \rangle$, the subgroup of $\mathbb{F}_q^\star$ of order $d$. Note that $T$ is a multiplicative function. That is, for $\alpha, \beta \in \mathbb{F}_q$, we have $T(\alpha\beta) = T(\alpha)T(\beta)$. Additionally, $T$ maps $\mathbb{F}_q^\star$ into $H$, so that the only possible values of $T(x)$ are in $H \cup \{0\}$. Finally, let $f(x) = x^s h(T(x))$, which is the Wan-Lidl polynomial whose DU we wish to determine.
To determine $\delta_f$, we count the number of solutions of $\Delta_{f,a}(x) = c$ for arbitrary $a \in \mathbb{F}_q^\star$ and $c \in \mathbb{F}_q$ in the worst-case scenario. For $a \in \mathbb{F}_q^\star$, we have $\Delta_{f,a}(x) = (x+a)^s h(T(x+a)) - x^s h(T(x))$. There are four cases to be considered, based on the values of $T(x+a)$ and $T(x)$.

Case 1: $T(x+a) = T(x) = \lambda \in H$. Then $\Delta_{f,a}(x) = h(\lambda)\bigl((x+a)^s - x^s\bigr)$, which has degree at most $s-1$. Hence, for arbitrary $c \in \mathbb{F}_q$, $\Delta_{f,a}(x) = c$ has at most $s-1$ solutions in this case.

Case 2: $T(x+a) = \lambda$ and $T(x) = \mu$ with $\lambda, \mu \in H$, $\lambda \ne \mu$. Then $\Delta_{f,a}(x) = h(\lambda)(x+a)^s - h(\mu)x^s$, which has degree at most $s$. Hence, for arbitrary $c \in \mathbb{F}_q$, $\Delta_{f,a}(x) = c$ has at most $s$ solutions in this case.

Case 3: $x = 0$, so that $T(x) = 0$. Since $s > 1$ gives $f(0) = 0$, here $\Delta_{f,a}(0) = f(a)$.

Case 4: $x = -a$, so that $T(x+a) = 0$. Here $\Delta_{f,a}(-a) = -f(-a)$.

There are $d$ possibilities for $\lambda$ in Case 1, and $d(d-1)$ possibilities for the pair $(\lambda, \mu)$ in Case 2. So the contribution from $\mathbb{F}_q \setminus \{0, -a\}$ to the number of solutions of $\Delta_{f,a}(x) = c$ is at most
$d(s-1) + d(d-1)s = d(sd-1)$. (1)
Moreover, if $c = f(a)$ or $c = -f(-a)$, then Case 3 and Case 4 respectively each give one further solution. Hence, for arbitrary $c \in \mathbb{F}_q$, the number of solutions of $\Delta_{f,a}(x) = c$ is at most $d(sd-1)+2$. This completes the proof of Theorem 1.

Determining the DU in restricted settings
For the remainder, for distinct $\mu, \lambda \in H$, and fixed $a \in \mathbb{F}_q^\star$ and $c \in \mathbb{F}_q$, we call Case 1 in the proof of Theorem 1 "Case $(\lambda, \lambda)$", and call Case 2 "Case $(\lambda, \mu)$". For fixed $a \in \mathbb{F}_q^\star$ and $c \in \mathbb{F}_q$, let $g_{\lambda,\lambda}(x)$ be the polynomial $\Delta_{f,a}(x) - c$ obtained from Case $(\lambda, \lambda)$, and $g_{\lambda,\mu}(x)$ be the polynomial $\Delta_{f,a}(x) - c$ obtained from Case $(\lambda, \mu)$. In the following lemma, we prove some necessary conditions for when $g_{\lambda,\lambda}(x)$ (resp. $g_{\lambda,\mu}(x)$) has the highest possible degree and splits over $\mathbb{F}_q$, and when the roots all satisfy $(T(x+a), T(x)) = (\lambda, \lambda)$ (resp. $(T(x+a), T(x)) = (\lambda, \mu)$).

Lemma 1.

Proof.
(a) Applying $T$ to both sides of (4) and (5), and using the fact that $T$ is a multiplicative function, we obtain (6) and (7).

(b) Applying $T$ to both sides of (8) and (9), and using the fact that $T$ is a multiplicative function, we obtain (10) and (11).
Remark. Since we are counting the number of solutions of $\Delta_{f,a}(x) = c$ in the worst-case scenario, we need not consider the situation where $\deg(g_{\lambda,\lambda}) < s-1$ or $\deg(g_{\lambda,\mu}) < s$, i.e., when the leading term vanishes in Case $(\lambda, \lambda)$ or Case $(\lambda, \mu)$, respectively. In most of the cases of interest we may in any event assume that $p \nmid s$ and $h(\lambda) \ne 0$, so that $\deg(g_{\lambda,\lambda}) = s-1$.
This technical lemma will form the basis of all of our remaining results. The proofs of Theorems 2 and 3 are based on the following framework. First, (1) shows that for any $c \in \mathbb{F}_q$ and $a \in \mathbb{F}_q^\star$, $\Delta_{f,a}(x) = c$ has at most $d(sd-1)$ solutions in $\mathbb{F}_q \setminus \{0, -a\}$. We can reduce this number by the arguments in the next few paragraphs.

If $f$ is a PP, then by Theorem 4 (WL 3), $\lambda^s T(h(\lambda)) \ne \mu^s T(h(\mu))$ whenever $\mu, \lambda \in H$, $\mu \ne \lambda$. In fact, when all the assumptions of both Case $(\lambda, \lambda)$ and Case $(\lambda, \mu)$ in Lemma 1 hold, i.e., they contribute the maximum number of solutions to $\Delta_{f,a}(x) = c$, we can obtain an expression for $\lambda^s T(h(\lambda))$ by combining (6) and (10) as follows. First, from (10) we can solve for $T(a^s h(\lambda) - c)$. Substituting $T(a^s h(\lambda) - c)$ into (6) and multiplying both sides by $\lambda T(h(\lambda))$ yields an expression for $\lambda^s T(h(\lambda))$ in which $C_a = 1/(T(-1)T(sa))$ appears as a constant that does not depend on $\mu$ and $\lambda$. Similarly, if the assumptions of both Case $(\mu, \mu)$ and Case $(\mu, \lambda)$ are satisfied, we obtain the analogous expression for $\mu^s T(h(\mu))$. Note that these expressions are independent of $c$. For the remainder, we use this method to prove improved bounds on the DU in some special cases where $T(-1) = (\mu/\lambda)^{s-1}$. Since $T(-1) \in \{\pm 1\}$, one possible future direction is to investigate completely all cases in which the DU bound can be improved by this method.

4.1. Proof of Theorem 2.
In this subsection, we consider the case where $d = 2$ and $s$ is even. Take $h \in \mathbb{F}_q[x]$, $T(x) = x^{(q-1)/2}$, and $H = \langle z^{(q-1)/2} \rangle = \{\pm 1\}$. Note that now $T$ is the quadratic character $\eta$ of $\mathbb{F}_q$, so we use $\eta$ instead of $T$ for the remainder of this subsection. Let $f(x) = x^s h(\eta(x))$. First, a few things can be simplified as follows.
(i) Since $d = 2$ and we are not interested in monomial PPs, we may assume that $h(x) = x + b$ for some $b \in \mathbb{F}_q^\star$. Moreover, the three necessary and sufficient conditions of Theorem 4 give the following restrictions on $q$ and $b$ for $f(x) = x^s(\eta(x) + b)$ to be a PP. (WL 1) $\gcd(s, (q-1)/2) = 1$: since $s$ is even, $(q-1)/2$ must be odd. So $q \equiv 3 \bmod 4$ and $\eta(-1) = -1$. (WL 2) gives $h(\pm 1) \ne 0$, i.e., $b \ne \pm 1$, and (WL 3), with $s$ even, gives $\eta(b+1) \ne \eta(b-1)$.
Moreover, we claim that we only need to check $\Delta_{f,1}(x)$ in order to determine the DU. First, since $s$ is even and $\eta(-1) = -1$, writing $f'(x) = x^s(\eta(x) - b)$ we have $f(-x) = -f'(x)$, and hence $\Delta_{f,1}(-x-1) = f(-x) - f(-x-1) = \Delta_{f',1}(x)$. Hence, for all $c \in \mathbb{F}_q$, the number of solutions of $\Delta_{f,1}(x) = c$ is the same as that of $\Delta_{f',1}(x) = c$. Next, fix $a \in \mathbb{F}_q^\star$ and $c \in \mathbb{F}_q$. Then $\Delta_{f,a}(x) = (x+a)^s(\eta(x+a) + b) - x^s(\eta(x) + b)$. Substituting $Y = x/a$ and dividing both sides of $\Delta_{f,a}(x) = c$ by $a^s\eta(a)$ yields $(Y+1)^s(\eta(Y+1) + b\eta(a)) - Y^s(\eta(Y) + b\eta(a)) = c/(a^s\eta(a))$. The left hand side equals either $\Delta_{f,1}(Y)$ or $\Delta_{f',1}(Y)$, depending on the value of $\eta(a)$. And for fixed $a \in \mathbb{F}_q^\star$, as $c$ runs over all of $\mathbb{F}_q$, so does $c' = c/(a^s\eta(a))$. Therefore $\delta_f = \max_{c \in \mathbb{F}_q} |\{x \in \mathbb{F}_q : \Delta_{f,1}(x) = c\}|$.

To prove Theorem 2, we first show that $\Delta_{f,1}(x) = c$ has at most $4s-3$ solutions in $\mathbb{F}_q \setminus \{0, -1\}$ for any $c \in \mathbb{F}_q$. From (1) we know that there are at most $d(sd-1) = 4s-2$ such solutions, and since $\eta(-1) = -1 = (-1/1)^{s-1}$ for even $s$, the contradiction (16) shows that Case $(1,1)$, Case $(-1,-1)$, Case $(1,-1)$ and Case $(-1,1)$ cannot all attain their maximum number of solutions simultaneously.

Next, let $c = f(1) = b + 1$, so that $0$ is a solution of $\Delta_{f,1}(x) = c$. First note that if $-1$ were also a solution, then $c = -f(-1) = -b + 1$, which means $b = 0$. So $-1$ cannot be another solution as long as $b \in \mathbb{F}_q^\star$. We need to check the number of solutions in $\mathbb{F}_q \setminus \{0, -1\}$. By Lemma 1 (a), if $g_{\lambda,\lambda}(x)$ has $s-1$ roots $x_1, \dots, x_{s-1} \in \mathbb{F}_q$, then the relations of Lemma 1 (a) hold for them. Similarly, by Lemma 1 (b), if $g_{\lambda,\mu}(x)$ has $s$ roots $x_1, \dots, x_s \in \mathbb{F}_q$, then the relations of Lemma 1 (b) hold for them.
We now turn to Corollary 1, where $s = 2$ and $b = \pm 3$. First, since $s = 2$, $g_{\lambda,-\lambda}(x)$ is quadratic, so its discriminant must be either a nonzero square in $\mathbb{F}_q$ if the two roots are distinct, or $0$ if the roots coincide. Denote the discriminant by $D$ for Case $(1,-1)$ and by $D'$ for Case $(-1,1)$. Now set $b = 3$ in $D$ and $D'$; together with the simplified forms of (6), (7), (10), and (11) for the $\eta$ values with $s = 2$ and $a = 1$ from Lemma 1, we obtain the following.
Combining these conditions, we conclude that $\Delta_{f,1}(x) = c$ has at most 4 solutions in $\mathbb{F}_q$ for any $c \in \mathbb{F}_q$, which means the DU of $f(x) = x^2(\eta(x) \pm 3)$ is at most 4.

4.2. Proof of Theorem 3.
In this subsection, we set $s = 2$ and let $d \in \mathbb{N}$ be even. Since we require that $d \mid q-1$, $q$ must be odd. Let $h \in \mathbb{F}_q[x]$, $T(x) = x^{(q-1)/d}$, and $H = \langle z^{(q-1)/d} \rangle$. Let $f(x) = x^2 h(T(x))$ be a PP. By Theorem 4 (WL 1), if $f$ is a PP, then $\gcd(2, (q-1)/d) = 1$. Hence $(q-1)/d$ is odd, and $T(-1) = -1$.

To prove Theorem 3, first by (1) we know that $\Delta_{f,a}(x) = c$ has at most $2d^2 - d$ solutions in $\mathbb{F}_q \setminus \{0, -a\}$ for any $a, c \in \mathbb{F}_q$, $a \ne 0$. We shall reduce this count by finding suitable $\lambda, \mu \in H$ that give a contradiction as described in (16). Since $d$ is even, $-1 \in H$. So for $\lambda \in H$, there exists $\mu \in H$ such that $\mu = -\lambda$. This gives the desired condition $-1 = T(-1) = (\mu/\lambda)^{s-1} = -1$ that leads to the contradiction in (16). Therefore, for every pair $\pm\lambda \in H$, Case $(\lambda, \lambda)$, Case $(-\lambda, -\lambda)$, Case $(\lambda, -\lambda)$, and Case $(-\lambda, \lambda)$ cannot all have the maximum number of solutions simultaneously. Since there are $d/2$ such pairs, we conclude that for any $c \in \mathbb{F}_q$, $\Delta_{f,a}(x) = c$ has at most $2d^2 - d - d/2$ solutions in $\mathbb{F}_q \setminus \{0, -a\}$.

Next, let $c = f(a) = a^2 h(T(a))$, so that $x = 0$ is a solution of $\Delta_{f,a}(x) = c$. If $x = -a$ is another solution, then $a^2 h(T(a)) = c = -f(-a) = -a^2 h(T(-a))$. So if $h(T(-a)) = -h(T(a))$, then we need to add one more solution to the worst case. For solutions in $\mathbb{F}_q \setminus \{0, -a\}$, since $q$ is odd and $s = 2 \ne 0$ in $\mathbb{F}_q$, $g_{\lambda,\lambda}(x) = h(\lambda)(2ax + a^2) - c$ is linear. By Lemma 1 (a), the root of $g_{\lambda,\lambda}(x)$ is $x = a\bigl(h(T(a)) - h(\lambda)\bigr)/(2h(\lambda))$. If $x \ne 0$, then $h(\lambda) - h(T(a)) \ne 0$, which implies $\lambda \ne T(a)$. So for fixed $a \in \mathbb{F}_q^\star$, Case $(\lambda, \lambda)$ may give one solution in $\mathbb{F}_q \setminus \{0, -a\}$ only if $\lambda \ne T(a)$. This means we have at most $d-1$ solutions in $\mathbb{F}_q \setminus \{0, -a\}$ of this type.

Computation Data for Theorem 2
Using the Magma algebra system [12], we computed the DU of all PPs of the form $f(x) = x^s(\eta(x) + b)$ described in Theorem 2 over some prime fields $\mathbb{F}_p$ for $s = 2, 4, 6$. We provide a selection of the computational results in Table 1, Table 2, and Table 3, respectively. The rows are indexed by $p$, the order of the field, and the columns are indexed by $\delta_f$. The number in row $p$ and column $\delta_f$ is the number of such $f \in \mathbb{F}_p[x]$ with that exact $\delta_f$. Since $b \ne \pm 1$, and $x^s(\eta(x) + b)$ and $x^s(\eta(x) - b)$ are linearly equivalent, we only test $2 \le b \le (p-1)/2$. So the numbers in our tables are half of the total counts one would obtain by considering all possible $b \in \mathbb{F}_p^\star$. Moreover, recall that Theorem 4 (WL 1) states that a necessary condition for $f$ to be a PP is $\gcd(s, (p-1)/2) = 1$, so we only test those $\mathbb{F}_p$ that satisfy this condition for the given $s$. For $s = 2$ and $4$, this simply requires $p \equiv 3 \pmod 4$. For $s = 6$, we also need $p \equiv 5 \pmod 6$.
When $s = 2$, the bound in Theorem 2 gives $\delta_f \le 5$. We computed the DU of all PPs of the form $f(x) = x^2(\eta(x) + b) \in \mathbb{F}_p[x]$ for all prime fields of order $p < 7000$. We found that there exists $f \in \mathbb{F}_p[x]$ with $\delta_f = 5$ for $p = 31$ and for $59 \le p < 7000$, i.e., almost all tested fields have examples that meet the upper bound. Moreover, when $p$ is large (roughly $p > 1400$), about 95% or more of the PPs involved have $\delta_f = 5$. Finally, we observe that when $p > 4007$, all such $f$ have $\delta_f = 5$, except in the fields where 2 is a non-square (i.e., $p \equiv 3 \pmod 8$); there the only example with $\delta_f = 4$ is $b = 3$, which is exactly Corollary 1.
When $s = 4$, we ran the computation for all prime fields of order $p < 10000$. Our bound from Theorem 2 gives $\delta_f \le 13$. In stark contrast to the $s = 2$ case, here we found only one example of a PP $f$ that met the bound; specifically, $f(x) = x^4(\eta(x) + 1734)$ over $\mathbb{F}_{3671}$. For this polynomial, one can check that $|\{x \in \mathbb{F}_{3671} : \Delta_{f,1}(x) = 2307\}| = 13$. From Table 2, it is easily observed that this example is an outlier. In fact, there are no examples at all of $\delta_f = 12$, and very few examples of $\delta_f = 11$ were found (in just 28 of the 618 choices of $p$ in our range). It can also be seen that although the distribution of $\delta_f$ values does move up as $p$ grows, it does not keep moving towards the upper bound 13. Instead, when $p$ is large, the distribution of $\delta_f$ concentrates around $\delta_f = 6$ and $7$. When $p > 5000$, at least 88% of the $f$ have $\delta_f = 6$ or $7$. This suggests that when $p$ is large, even though the upper bound is 13, a randomly chosen PP of this form will with high probability have DU only 6 or 7. No PPs with a DU of 4 were found over fields of order $p > 3323$.
When $s = 6$, we also ran the computation for all prime fields of order $p < 10000$. The bound in Theorem 2 for this case is $\delta_f \le 21$. Here, we observed no PP example that approached the bound. Indeed, the largest DU that we observed is only $\delta_f = 13$, over $\mathbb{F}_{5903}$. There are no examples of $\delta_f \ge 14$ for any tested field $\mathbb{F}_p$. On this evidence, we strongly suspect that the bound can be improved, possibly significantly, for $s \ge 6$. This is not altogether surprising, as when $p$ increases it seems less and less likely that the worst-case scenarios that yield our upper bound could all occur at once. Additionally, as observed in the $s = 4$ data, the distribution of $\delta_f$ also concentrates around $\delta_f = 6$ and $7$ when $p$ is large. Although the distribution does not shift towards these values as quickly as in the $s = 4$ case, we still observe that many fields of size $p > 5000$ have more than 90% of the $f$ with $\delta_f = 6$ or $7$. No PPs with a DU of 4 were found over fields of order $p > 2579$.
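To make the counting behind these tables concrete for small primes, the following Python is an added example, not the paper's code nor the Magma scripts it refers to. It implements the definition of $\delta_f$ from the introduction by brute force over every direction $a \in \mathbb{F}_p^\star$ (the largest entry of the difference distribution table), the reduction of Section 4.1 that only $\Delta_{f,1}$ for $b$ and $-b$ need to be examined, the bounds $d(sd-1)+2$ of Theorem 1 and $4s-3$ of Theorem 2, and the enumeration $2 \le b \le (p-1)/2$ used for Tables 1 to 3. Function names and the primes chosen in the usage block are this example's own; the reduction step assumes $p$ odd, as in the paper.

```python
# Differential uniformity of the Wan-Lidl binomials f(x) = x^s (eta(x) + b) over F_p,
# the paper's DU bounds, and the Section 5 enumeration. Added example; not the paper's code.
from collections import Counter
from math import gcd


def quadratic_character(x, p):
    """eta(x) = x^((p-1)/2) as an integer in {0, 1, -1}; p an odd prime."""
    if x % p == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def wan_lidl_binomial(s, b, p):
    """Value table of f(x) = x^s (eta(x) + b) over F_p, the d = 2 case with h(x) = x + b."""
    return [pow(x, s, p) * (quadratic_character(x, p) + b) % p for x in range(p)]


def is_permutation(table, p):
    return sorted(table) == list(range(p))


def solutions_in_direction(table, a, p):
    """max over c of #{x : f(x+a) - f(x) = c}, i.e. the largest DDT entry in row a."""
    counts = Counter((table[(x + a) % p] - table[x]) % p for x in range(p))
    return max(counts.values())


def differential_uniformity(table, p):
    """delta_f straight from the definition: maximise over every nonzero direction a."""
    return max(solutions_in_direction(table, a, p) for a in range(1, p))


def du_via_reduction(s, b, p):
    """Section 4.1 reduction (p odd): substituting Y = x/a turns every direction a into
    direction 1 for either f or f'(x) = x^s (eta(x) - b), so two DDT rows suffice."""
    f_table = wan_lidl_binomial(s, b, p)
    f_prime = wan_lidl_binomial(s, (-b) % p, p)
    return max(solutions_in_direction(f_table, 1, p), solutions_in_direction(f_prime, 1, p))


def theorem1_bound(s, d):
    """General bound delta_f <= d(sd - 1) + 2 for x^s h(x^((q-1)/d))."""
    return d * (s * d - 1) + 2


def theorem2_bound(s):
    """Bound delta_f <= 4s - 3 for x^s (eta(x) + b), s even, q = 3 mod 4."""
    return 4 * s - 3


def du_histogram(s, p):
    """{delta_f: count} over the PPs x^s (eta(x) + b), 2 <= b <= (p-1)/2, as in Tables 1-3."""
    if gcd(s, (p - 1) // 2) != 1:            # (WL 1): no such PP exists for this p
        return {}
    hist = Counter()
    for b in range(2, (p - 1) // 2 + 1):
        table = wan_lidl_binomial(s, b, p)
        if is_permutation(table, p):
            hist[differential_uniformity(table, p)] += 1
    return dict(hist)


if __name__ == "__main__":
    # Small primes p = 3 mod 4; compare each row with the Theorem 2 bound 4s - 3.
    for s in (2, 4):
        for p in (7, 11, 19, 23, 31, 43):
            print("s =", s, "p =", p, du_histogram(s, p), "bound:", theorem2_bound(s))
```

The brute-force DU costs $O(p^2)$ per polynomial, so this is only meant for primes in the hundreds; the reduction function is $p/2$ times cheaper and gives the same value, which is the practical payoff of the Section 4.1 argument when screening many $b$.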