On Almost Perfect Nonlinear Functions

A function F:F[unk]¿F[unk] is almost perfect nonlinear (APN) if, for every a¿0, b in F[unk], the equation F(x)+ F(x+a)=b has at most two solutions [4]. When used as an S-box in a block cipher, it opposes then an optimum resistance to differential cryptanalysis. The function F is almost bent (AB) if the minimum Hamming distance between all its component functions v·F, v ¿ F[unk]{0}, where "·" denotes any inner product in F[unk] and all affine Boolean functions on F[unk] takes the maximal value 2^n-1 2^(n-1)/2. AB functions exist for n odd only and oppose an optimum resistance to the linear cryptanalysis (see [3]). Every AB function is APN [3], and in the n odd case, any quadratic APN function is AB [2]. The APN and AB properties are preserved by affine equivalence: F~F\´ if F\´ = A1[unk] F[unk] A2, where A1, A2 are affine permutations. More generally, they are preserved by CCZ-equivalence [2], that is, affine equivalence of the graphs of F:{(x, F(x)) | x¿F[unk]} and of F\´. Until recently, the only known constructions of APN and AB functions were CCZ-equivalent to power functions F(x)=x^d over finite fields (F2n being identified with F[unk]).