On the Boomerang Spectrum of Power Permutation $X^{2^{3n}+2^{2n}+2^{n}-1}$ over $\GF{2^{4n}}$ and Extraction of Optimal Uniformity Boomerang Functions (2305.12655v1)

Abstract: A substitution box (S-box) in a symmetric primitive is a mapping $F$ that takes $k$ binary inputs and whose image is a binary $m$-tuple for some positive integers $k$ and $m$, which is usually the only nonlinear element of the most modern block ciphers. Therefore, employing S-boxes with good cryptographic properties to resist various attacks is significant. For power permutation $F$ over finite field $\GF{2^k}$, the multiset of values $\beta_F(1,b)=#{x\in \GF{2^k}\mid F^{-1}(F(x)+b)+F^{-1}(F(x+1)+b)=1}$ for $b\in \GF{2^k}$ is called the boomerang spectrum of $F$. The maximum value in the boomerang spectrum is called boomerang uniformity. This paper determines the boomerang spectrum of the power permutation $X^{2^{3n}+2^{2n}+2^{n}-1}$ over $\GF{2^{4n}}$. The boomerang uniformity of that power permutation is $3(2^{2n}-2^n)$. However, on a large subset ${b\in \GF{2^{4n}}\mid \mathbf{Tr}_n^{4n}(b)\neq 0}$ of $\GF{2^{4n}}$ of cardinality $2^{4n}-2^{3n}$ (where $ \mathbf{Tr}_n^{4n}$ is the (relative) trace function from $\GF{2^{4n}}$ to $\GF{2^{n}}$), we prove that the studied function $F$ achieves the optimal boomerang uniformity $2$. It is known that obtaining such functions is a challenging problem. More importantly, the set of $b$'s giving this value is explicitly determined for any value in the boomerang spectrum.