Invertible Quadratic Non-linear Functions over Fpn via Multiple Local Maps

Abstract

The construction of invertible non-linear layers over Fpn that minimize the multiplicative cost is crucial for the design of symmetric primitives targeting Multi Party Computation (MPC), Zero-Knowledge proofs (ZK), and Fully Homomorphic Encryption (FHE). At the current state of the art, only few non-linear functions are known to be invertible over Fp, as the power maps x↦ xd for gcd (d, p- 1 ) = 1. When working over Fpn for n≥ 2, a possible way to construct invertible non-linear layers S over Fpn is by making use of a local map F:Fpm→Fp for m≤ n, that is, SF(x0, x1, …, xn-1) = y0‖ y1‖ … ‖ yn-1 where yi= F(xi, xi+1, …, xi+m-1). This possibility has been recently studied by Grassi, Onofri, Pedicini and Sozzi at FSE/ToSC 2022. Given a quadratic local map F:Fpm→Fp for m∈ { 1, 2, 3 }, they proved that the shift-invariant non-linear function SF over Fpn defined as before is never invertible for any n≥ 2 · m- 1. In this paper, we face the problem by generalizing such construction. Instead of a single local map, we admit multiple local maps, and we study the creation of nonlinear layers that can be efficiently verified and implemented by a similar shift-invariant lifting. After formally defining the construction, we focus our analysis on the case SF0,F1(x0,x1,…,xn-1)=y0‖y1‖…‖yn-1 for F0,F1:Fp2→Fp of degree at most 2. This is a generalization of the previous construction using two alternating functions F0, F1 instead of a single F. As main result, we prove that (i) if n≥ 3, then SF0,F1 is never invertible if both F0 and F1 are quadratic, and that (ii) if n≥ 4, then SF0,F1 is invertible if and only if it is a Type-II Feistel scheme.