Cryptographic properties of orthomorphic permutations

In this paper, we consider bijective mappings $F:\mathbb{Z}_2^n \rightarrow \mathbb{Z}_2^n$ called orthomorphisms such that the mappings $G(x) = F(x) \oplus x$ are also bijective. It is used in the Lai — Massey scheme as a mixing element between rounds and it also can be used to construct cryptographically strong $\mathrm{S}$-boxes. The main cryptographic properties are studied, namely nonlinearity and differential uniformity. It was revealed that, for $n=2,3,4$, the linear approximation tables of orthomorphisms consist of the values $0$ and $\pm 2^{n-1}$, and the difference distribution tables consist of the values $0$ and $2^n$. It turned out that orthomorphisms of a small number of variables are not resistant to linear and differential cryptanalysis.