FOR a prime power q, let F q denote the finite field with q

Transcription

1 PREPRINT SUBMITTED TO IEEE 1 On Inverses of Permutation Polynomials of Small Degree over Finite Fields Yanbin Zheng, Qiang Wang, and Wenhong Wei arxiv: v1 [math.co] 17 Dec 018 Abstract Permutation polynomials (PPs and their inverses have applications in cryptography, coding theory and combinatorial design. In this paper, we make a brief summary of the inverses of PPs of finite fields, and list the inverses of all normalized PPs of degree at most 5. In this list, the explicit inverse of a class of fifth degree PPs is our main result, which is obtained by using some congruences of binomial coefficients, the Lucas theorem, and a known formula for the inverses of PPs of finite fields. Index Terms Finite field, permutation polynomial, inverse, binomial coefficient. I. INTRODUCTION FOR a prime power q, let F q denote the finite field with q elements, F q = F q \{0}, and F q [x] the ring of polynomials over F q. A polynomial f F q [x] is called a permutation polynomial (PP of F q if it induces a bijection from F q to itself. Hence for any PP f of F q, there exists a polynomial f 1 F q [x] such that f 1 (f(c = c for each c F q or equivalentlyf 1 (f(x x (mod x q x, and f 1 is unique in the sense of reduction modulo x q x. Here f 1 is defined as the composition inverse of f on F q, and we simply call it the inverse of f. PPs of finite fields have been extensively studied for their applications in coding theory, combinatorial design, cryptography, etc. For instance, PPs of finite fields with even characteristic were used in [13] to construct a number of families of binary cyclic codes. The Dickson PPs of degree 5 of finite fields with characteristic 3 were employed in [1] to construct new examples of skew Hadamard difference sets, which are inequivalent to the classical Paley difference sets. In block ciphers, a permutation is often used as an S-box to build the confusion layer during the encryption process and the inverse is needed while decrypting the cipher. PPs are useful in the construction of bent functions [10], [6], [7], which Y. Zheng is with the School of Computer Science and Technology, Dongguan University of Technology, Dongguan, China, and also with the Guangxi Key Laboratory of Cryptography and Information Security and the Guangxi Key Laboratory of Trusted Software, Guilin University of Electronic Technology, Guilin, China ( zhengyanbin@guet.edu.cn. Q. Wang is with the School of Mathematics and Statistics, Carleton University, 115 Colonel By Drive, Ottawa, Ontario, K1S 5B6, Canada ( wang@math.carleton.ca. W. Wei is with the School of Computer Science and Technology, Dongguan University of Technology, Dongguan, China ( @dgut.edu.cn. Manuscript received XXX; revised XXX. The work was partially supported by the National NSF of China (616015, , , the China Postdoctoral Science Foundation (018M63301, the NSF of Guangxi (016GXNSFBA380153, 017GXNSFAA19819, the Guangxi Science and Technology Plan Project, the research start-up grants of Dongguan University of Technology, and the Guangdong Provincial Science and Technology Plan Projects (016A , 016A have the optimal nonlinearity for offering resistance against the fast correlation attack on stream ciphers and the linear attack on block ciphers. PPs are employed in [15] to construct circular Costas arrays, which are useful in sonar and radar communications. PPs are also applied in the construction of check digit systems that detect the most frequent errors [3]. The study of PPs of finite fields has a long history. In 1897, Dickson [11] listed all normalized PPs of degree 5 of F q for all q, and classified all PPs of degree 6 of F q for odd q. In 010, the complete classification of PPs of degree 6 and 7 of F n was settled in [0]. In recent years, a lot of progress has been made on the constructions of PPs of finite fields; see for example [17], [1], [], [9], [50] for permutation binomials and trinomials of the formx r h(x q 1 off q, see [39], [51] for PPs of the form (x q x+c s +L(x of F q, see [3], [5] for PPs of the form (ax q +bx+c r φ((ax q +bx+c s +ux q +vx of F q, see [3], [], [6] for PPs of the form x s + γh(f(x. For a detailed introduction to the developments on PPs, we refer the reader to [18], [5], [9] and the references therein. The problem of explicitly determining the inverses of these PPs is a more challenging problem. In theory one could directly use the Lagrange interpolation formula, but for large finite fields (the useful cases cryptographically this becomes very inefficient. In fact, there are few known classes of PPs whose inverses have been obtained explicitly. It is also interesting to note that the explicit formulae of the inverses of low degree PPs have been neglected in the literature. This motivates us to give a short review of the progress in this topic and find explicit expressions of inverses of all classes of PPs of degree 7 in [11], [0], [35]. The rest of the paper is organized as follows. Section II gives a brief summary of the results concerning the inverses of PPs of finite fields. In Section III, we obtain the inverses of all PPs of degree6 of finite fields F q for all q, and the inverses of all PPs of degree 7 of F n. For simplicity, we only list in Table I all normalized PPs of degree 5 and their inverses. In particular, the inverse of PP F(x = x 5 ax 3 +a x off 5 n is shown in Theorem 7, which is the main result of this paper. Section IV starts with a formula for computing the inverse of an arbitrary PP, which was first presented in [30]. This formula provides all the coefficients of the inverse of a PP f(x by computing the coefficients of x q for all the powers f(x i (1 i q. Based on this method, we convert the problem of computing the inverse of F(x into the problem of finding the values of four classes of binomial coefficients. Section V gives the explicit values of these binomial coefficients by using the Lucas theorem and several congruences of binomial coefficients.

2 PREPRINT SUBMITTED TO IEEE TABLE I ALL NORMALIZED PPS OF DEGREE 5 AND THEIR INVERSES Normalized PPs of F q Inverses q (n 1 Reference x x any q x x q/ q = n x 3 x (aq a+1/3 (a = 1, and a 1 q (mod 3 q 1 (mod 3 Thm x 3 ax (a not a square i+1 n 1 1 a 3 x 3i q = 3 n [, Cor.] x x q/ q = n Thm x ±3x (x 3x q = 7 x +ax (a not a cube x +bx +ax (ab 0,S n +as n = 1* a q 1 3 (1 +a q n 1 n 1 i+1 1 a 3 x i q = n [, Cor.] ( S i+1 n i +a1 i+1 S i x i q = n Cor x 5 x (aq a+1/5 (1 a and a (1 q 3 (mod 5 q 1 (mod 5 Thm x 5 ax (a not a fourth power a q 1 (1 a q 1 1 n 1 1 x 5i q = 5 n [, Cor.] x 5 +ax (a = x 5 +ax q = 9 x 5 ±x x 5 x q = 7 x 5 +ax 3 ±x +3a x (a not a square x 5 ±(ax x +a x 3 +ax q = 7 x 5 +ax a x (a 0 ** m/ ( m m i i=1 m i i (5 1 a 5i x m i (m = 3q q ± (mod 5 [, Lem.8] 5 x 5 +ax 3 +3a x (a not a square a x 9 ax 7 +x 5 +a 5 x 3 5a x q = 13 x 5 ax 3 +a x (a not a square a q+5i+1 +5 j+1 3 x q+5i +5 j 1 q = 5 n Thm 7 0 i j n 1 3 ( i j * In [5, Table 7.1], the PP L(x = x + bx + ax (if its only root in F n is 0 was listed. Since x +bx is not a PP of F n for any b F n, we divide L(x into x, x +ax (a not a cube, and x +bx +ax (ab 0, S n +asn = 1 in Tabel I. The motivation is to give the explicit inverses of x and x +ax. The sequence {S i } is defined as follows: S 1 = 0, S 0 = 1, S i = b i 1 S i 1 +a i 1 S i for 1 i n. ** The normalized PP x 5 + ax a x (a arbitrary appeared in [5, Table 7.1]. We impose a restriction a 0 on it in Tabel I, so that the normalized PP x 5 can be listed separately. II. PPS AND THEIR INVERSES We now give a brief summary of the results concerning the inverses of PPs of finite fields, some of which will be used in the next section. Linear PPs. For a 0, b F q, ax+b is a PP of F q and its inverse is a 1 (x b. Monomials. For positive integer n, x n is a PP of F q if and only if gcd(n,q 1 = 1. In this case, the inverse is x m, where mn 1 (mod q 1. Dickson PPs. The Dickson polynomiald n (x,a of the first kind of degree n with parameter a F q is given as D n (x,a = n/ n n i ( n i i ( a i x n i, where n/ denotes the largest integer n/. It is known that D n (x,a is a PP of F q if and only if gcd(n,q 1 = 1. Its inverse is determined in [] by the following lemma. Lemma 1. [, Lemma.8] Let m, n be positive integers such that mn 1 (mod q 1. Then the inverse of D n (x,a on F q is D m (x,a n. PPs of the form x r h(x s. The first systematic study of PPs of F q of the form f(x = x r h(x s was made in [38], where q 1 = ds, 1 r < s and h F q [x]. A criterion for f to be a PP of F q was given in [38]. Later on, several equivalent criteria were found in other papers; see for instance [3], [0], [55]. Essentially, it says that f is a PP of F q if and only if gcd(r,s = 1 and x r h(x s permutesu d := {1,ω,,ω d 1 }, whereω is a primitived-th root of unity off q. [30, Theorem 1] characterized all the coefficients of the inverse of x r g(x s d on F q, where gcd(r,q 1 = 1. This result was generalized in [1], and the inverse of f on F q is given by f 1 (x = 1 d 1 ω i(t jr( x/h(ω i r+js, d j=0 where 1 r < s and r r +st = 1. This inverse is also obtained later by a piecewise method in [5]. When gcd(r,q 1 = 1, the inverses of f on F q is given in [] by f 1 (x = ( x q s h(l(x s s 1 r l(x s, where rr 1 (mod q 1 and l(x is the inverse of x r h(x s on U d. The method employed in [] is a multiplicative analogue of [36] and [7]. Linearized PPs. Suppose L(x = n 1 a ix qi F q n[x]. It is known that L is a PP of F q n if and only if the associate Dickson matrix a 0 a 1 a n 1 a q n 1 a q 0 a q n D L :=.... a qn 1 1 a qn 1 a qn 1 0

3 PREPRINT SUBMITTED TO IEEE 3 is nonsingular [5, Page 36]. In this case, the inverse is given in [8, Theorem.8] by n 1 L 1 (x = (det(d L 1 ā i x qi, where ā i is the (i,0-th cofactor of D L, i.e., the determinant of D L is n 1 det(d L = a 0 ā 0 + i=1 a qi n iāi. The inverses of some special linearized PPs are also obtained; see [] for the inverse of arbitrary linearized permutation binomial, see [6] for the inverse of x + x + Tr(x/a on F n, see [5] for the inverses of other linearized PPs. Very recently, linearized PPs of the form L(x+K(x of F q n and their inverses are presented in [33, Theorem 3.1], where L is a linearized PP of F q n, and K is a nilpotent linearized polynomial such that L K = K L. Bilinear PPs. The product of two linear functions is a bilinear function. Let q be even and n be odd. The inverse of bilinear PPs x(tr q n /q(x+ax of F q n was obtained in [9], where a F q \F. The inverse of more general bilinear PPs f(x = x(l(tr q n /q(x+atr q n /q(x+ax of F q n was given in [7] in terms of the inverse of bilinear PP xl(x when restricted to F q, where L F q [x] is a - polynomial and a F q. PPs of the form x s +γh(f(x. Let γ F qn be a b-linear translator with respect to F q for the mapping f : F q n F q, i.e., f(x+uγ f(x = ub holds for all x F q n, all u F q and a fixed b F q. [19, Theorem 8] stated that F 1 (x = x + γf(x is a PP of F q n if b 1 (it is actually also a necessary condition. The inverse is given in [19, Theorem 3] by F1 1 (x = x γ b+1f(x. Let h be an arbitrary mapping from F q to itself. [19, Theorem 6] stated that F (x = x + γh(f(x permutes F q n if and only if u + bh(u permutes F q. When b = 0, the inverse is given in [3, Proposition ] by F 1 (x = x+(p 1γh(f(x, where p is the characteristic of F q n. The study of PPs of the form F 3 (x = x s +αtr(x t of F n was originated in [], [5], where 1 s, t n, α F n, and Tr is the absolute trace function. A criterion for F 3 to be a PP of F n was given in [5], [6]. If F 3 is a PP of F n and t = s( i +1 for some 0 i n 1 and i n/, then the inverse is given in [6, Theorem ] by F3 1 (x = (x+αtr(x i +1 r, where r is the inverse of s modulo n 1. Involutions. An involution is a permutation such that its inverse is itself. A systematic study of involutions over F n was made in [8]. The authors characterized the involution property of monomials, Dickson polynomials [7] and linearized polynomials over F n, and proposed several methods of constructing new involutions from known ones. In particular, involutions of the form G(x+γf(x were studied in [8], where G is an involution, γ F and f F n n[x]. Moreover, the number of fixed points of involutions over F n was also discussed in [8]. A class of involutions overf n with no fixed points was given in [33]. Involutions satisfying special properties were presented in [10], [6], [7] to construct Bent functions. PPs from the AGW criterion. The Akbary Ghioca Wang (AGW criterion [1] is an important method for constructing PPs. A necessary and sufficient condition for f of the form f(x = h(ψ(xϕ(x +g(ψ(x to be a PP of F q n was given in [1] by using the additive analogue of AGW criterion, where h,ψ,ϕ,g F q n[x] satisfy some conditions. In [36], the inverse of f was written in terms of the inverses of two other polynomials bijecting two subspaces of F q n, where one of these is a linearized polynomial. In some cases, these inverses can be explicitly obtained. Further extensions of [36] can be found in [37]. The general results in [36], [37] also contain some concrete classes mentioned earlier such as bilinear PPs [7], linearized PPs of the form L(x+K(x [33], and PPs of the form x+γf(x with b-linear translator γ [19]. Generalized cyclotomic mapping PPs. Cyclotomic mapping PPs of finite fields were introduced in [31], [0], and were generalized in []. A simple class of generalized cyclotomic mapping PPs of F q was defined in [] as f(x = 1 d 1 a i ω ij x ri+js, (1 d j=0 whereq 1 = ds,a i F q,1 r i < s andω is a primitived-th root of unity of F q. Several equivalent criteria for f permuting F q were given in [, Theorem.], and one is that f is a PP of F q if and only if gcd( d 1 r i,s = 1 and {a s i : i = ωiri 0,1,...,d 1} = U d. The inverses of f onf q is given in [3], [5] by f 1 (x = 1 d 1 d 1 ω i(ti jri (x/a ri+js i, d j=0 where 1 r i < s and r i r i +st i = 1. In [3], all involutions of the form (1 are characterized, and a fast algorithm is provided to generate many classes of these PPs, their inverses, and involutions. The class of PPs of the form x r h(x s is in fact a special case of generalized cyclotomic mapping PPs. More general piecewise PPs. The idea of more general piecewise constructions of permutations was summarized in [], [1]. Piecewise constructions of inverses of piecewise PPs were studied in [5], [53]. As applications, the inverse of PP f(x = ax+x (q+1/ of F q was given in [53] by f 1 (x = (a 1 1 (ax bx (q+1/, where (a 1 (q 1/ = 1, b = (a+1 (q 1/ { 1,1}, and q is odd. The inverse of PP of F p n of the form (ax pk bx+c pn +1 ±(ax pk +bx was also obtained in [53], where p is an odd prime, and a, b, c F p n such that ab is a nonzero square. Three classes of involutions of finite fields were also given in [5], [53]. In addition, the PP f in (1 can be written as piecewise form, and its inverse was deduced by the piecewise method in [5].

4 PREPRINT SUBMITTED TO IEEE III. THE INVERSES OF PPS OF SMALL DEGREE Assume g F q [x] and b,c,d F q with b 0. Then g is a PP of F q if and only if f(x = bg(x+c+d is. By choosing b,c,d suitably, we can obtain f in normalized form, that is, f is monic, f(0 = 0, and when the degree m of f is not divisible by the characteristic of F q, the coefficient of x m 1 is 0. It suffices, therefore, to study normalized PPs. In 1897, Dickson [11] listed all normalized PPs of degree 5 of F q for all q, and classified all PPs of degree 6 of F q for odd q. In 010, the complete classification of PPs of degree 6 and 7 of F n was settled in [0], which is complete up to an equivalence relation on the set of polynomials over F n. For a recent verification of the classification of normalized PPs of degree 6 of F q for all q, see [35]. According to the complete classifications of PPs in [11], [0], [35], all PPs of degree 6 of F q for all q are over small fields F q with q 3, except for x 6 over F n. All PPs of degree 7 of F n are over F n with n, except for x 7 and x 7 + x 5 + x. The inverses of PPs of F q with q 3 can be calculated by the Lagrange interpolation formula or Theorem 8 in the next section. The inverses of PPs x 6 and x 7 of F n can be obtained by the following Theorem. The polynomial x 7 + x 5 + x is actually the degree 7 Dickson polynomial D 7 (x,1 over F n, and so its inverse is D m (x,1, where m is the inverse of 7 modulo n 1. In a word, we can obtain the inverses of all PPs of degree 6 of F q for all q and the inverses of all PPs of degree 7 of F n. In the rest of this section, we give the inverses of all normalized PPs of degree 5 in [11], which are actually the same as that in [5, Table 7.1] or in the previous Table I. Since the inverses of normalized PPs of small fields F q with q 13 can be obtained by the Lagrange interpolation formula, we need only consider the normalized PPs of degree 5 of F q for infinite many q. A. Inverses of monomials The inverse of x is clearly itself, and the inverse of x on F n is x n 1. The following theorem gives the explicit inverse of x m on F q for m 3. Theorem. For m 3, if x m is a PP of F q, then its inverse on F q is x (aq a+1/m, where 1 a m 1 satisfies a (q 1 φ(m 1 (mod m, and φ is the Euler s phi function. Proof. If x m is a PP of F q, then gcd(m,q 1 = 1 and aq a+1 1 (q 1 φ(m 0 (mod m. Since m(aq a + 1/m a(q 1 = 1, the inverse of m modulo q 1 is (aq a+1/m. The inverse of x m (3 m 5 can obtain by this theorem; see Table I. B. Inverses of linearized binomials and trinomials Assume L st (x := bx qs + cx qt is an arbitrary linearized binomial of F q n, where b, c F qn and 0 t < s n 1. Then L st (x = b ( x qs t +b 1 cx x qt, and so L st permutes F q n if and only if L r (x := x qr ax permutes F q n, where r = s t and a = b 1 c. The inverse of L r on F q n is given in [] as follows. Theorem 3. [, Theorem.1] Let L r (x = x qr ax, where a F q and 1 r n 1. Then L n r is a PP of F q n if and only if the norm N qn /qd(a 1, where d = gcd(n,r. In this case, its inverse on F q n is L 1 r (x = N q n /q d(a n/d 1 1 N q n /q d(a a q(i+1r 1 q r 1 x qir. The norm N q n /q d(a 1 if and only if a is not a (qd 1th power. Hence, Theorem 3 gives the inverse of x qr ax for q r = 3,, 5 in Tabel I. The normalized PP of the form x + bx + ax of F n is the only linearized trinomial in Table I. Its inverse has a close relation with the sequence S 1 = 0, S 0 = 1, S i = b i 1 S i 1 +a i 1 S i, where 1 i n and a, b F n. An argument similar to that in [16, Lemma ] leads to an equivalent definition of S i : ( S i = bsi 1 +a Si, 1 i n. (3 Denote Z n = S n +as n. Then Zn = S n +a Sn ( = bsn 1 +as n +a Sn (3 = S n +as n = Z n, and so Z n = 0 or 1. A criterion for f(x = x q +bx q +ax to be a PP of F q n and the inverse of f were presented in [5, Theorem 3..9]. Taking q = in this theorem and using the fact Z n = 0 or 1, we obtain the following corollary. Corollary. Let L(x = x + bx + ax, where a,b F n and n 1. Then L is a PP of F n if and only if S n +as n = 1. In this case, the inverse of L on F n is n 1 L 1 ( (x = S i+1 n i +a1 i+1 S i x i. Note that Corollary holds for n = 1,. Indeed, if n = 1 then L(x L 1 (x x (mod x +x. If n = and L is a PP of F, then L(x L 1 (x bx (mod x +x. The necessary and sufficient condition for L permuting F n can also be obtained by [16, Proposition ]. This proposition also shown that M 0 = ( n ( 1 n /3, where M 0 is the number of c F such that P c(x = x 3 + x + c has no n root in F n. Since L(b 1/ x = b x(x 3 + x + ab 3/, we have L is a PP of F n if and only if P c has no root in F n, where c = ab 3/. Hence the number of a,b F n such that L permutes F n is equal to ( n 1( n ( 1 n /3, which implies the probability of L permuting F n is almost 1/3.

5 PREPRINT SUBMITTED TO IEEE 5 C. Inverses of non-linearized trinomials In Table I, there are only two infinite classes of nonlinearized permutation trinomials. One is the polynomial x 5 +ax a x, where a F q and q ± (mod 5. It is actually the degree 5 Dickson PP D 5 (x, 5 1 a, and so its inverse on F q is D m (x, (5 1 a 5, where m = (3q /5. The other is as follows. Lemma 5. [5, Table 7.1] Let f(x = x 5 ax 3 + a x, where a F 5 and n 1. Then f is a PP of F n 5n if and only if a (q 1/ = 1. The inverse of f was given in [] by solving equations over finite fields. Theorem 6. [, Lemma.9] The inverse of f in Lemma 5 on F 5 n is ( (a/x f 1 5n 1 n 1 (x = x (a/x 5i (a/x 5n (1/x 5i, 1 where x F 5 n and f 1 (0 = 0. By employing the method in the next section, we obtain the explicit polynomial form of f 1 as follows. Theorem 7. The inverse of f in Lemma 5 on F 5 n is f 1 (x = a (5n +5 i+1 +5 j+1 3/ b ij x (5n +5 i +5 j 1/, where 0 i j n 1 b ij = { 1 if i < j, 3 if i = j. Proof. Here we only verify the correctness of the theorem. It suffices to show that f 1 (f(x x (mod x 5n x. Let g(x = a 5i+1 +5 j+1 b ij x 5i +5 j. 0 i j n 1 Then f 1 (x = a (5n 1/ x (5n 1/ g(x and 0 i j a 5i+1 1 b ij x 5i 1 (x a 5i = 3a 5j+1 1 x 5j 1 (x a 5j + a 5i+1 1 x 5i 1 (x 5i a 5i 0 i j 1 = 3a 5j+1 1 x 5j 1 (x a 5j + ((x /a 5i+1 1 (x /a 5i 1 0 i j 1 = 3a 5j+1 1 x 5j 1 (x a 5j +(x /a 5j 1 1 = 3(x /a 5j (x /a 5j 1 1. Therefore, g(f(x = = 0 i j n 1 0 i j n 1 a 5i+1 +5 j+1 b ij (x(x a 5i +5 j ( a 5i+1 +5 j+1 b ij x 5i +5 j (x a 5i +5 j = 0 j n 1 0 i j ( = 0 j n 1 a 5j+1 1 x 5j +1 (x a 5j a 5i+1 1 b ij x 5i 1 (x a 5i x ((x /a 5j+1 1 (x /a 5j 1 (3(x /a 5j (x /a 5j 1 1 = 3x ((x /a 5j+1 1 (x /a 5j 1 x 0 j n 1 0 j n 1 = 3x ((x /a 5n 1 1 ((x /a 5j+1 1 (x /a 5j 1 x ((x /a 5n 1 1 = 3x 5n 3x a 5n 1 x 5n +1 +x a 5n 1 x 5n +1 (mod x 5n x. Also note that a F 5 n is not a square. We have f 1 (f(x = a 5n 1 f(x 5n 1 g(f(x = a 5n 1 (x(x a 5n 1 g(f(x = a 5n 1 x 5n 1 (x a 5n 1 g(f(x a 5n 1 x 5n 1 ( a 5n 1 x 5n +1 a 5n 1 x 5n x (mod x 5n x. Remark 1. Theorem 7 can be obtained from Theorem 6 and the identity ( x i = x i + x i x j, 1 i n 1 i n 1 i<j n where x i = a 5i 1 x 5i 1 1. However, we will demonstrate our method of deducing Theorem 7 in the next sections. The main reason is that our method can also be used to finding the inverses of other PPs of small degree. In summary, all inverses of normalized PPs of degree 5 are obtained. For convenience, we list these PPs and their inverses in Table I. IV. THE COEFFICIENTS OF INVERSE OF A PP In this section, we will write the coefficients of inverse of the PP f in Lemma 5 in terms of binomial coefficients, by employing the following formula (5 presented first in [30]. Theorem 8. (See [30] Let f F q [x] be a PP of F q and let f(x q 1 i b ik x k (mod x q x 0 k q 1 for i = 1,,...,q. Then the inverse of f on F q is f 1 (x = b i,q x i. (5 1 i q

6 PREPRINT SUBMITTED TO IEEE 6 Proof. Assume f 1 (x = q i=1 c ix i. From the Lagrange interpolation formula, we have f 1 (x = a F q a ( 1 (x f(a q 1 = a F q = 1 i q 1 a ( ( 1 i q 1 a F q Hence for 1 i q, we have c i = a F q = a a F q = = b i,q, 0 k q 1 ( 1 i ( f(a q 1 i x i af(a q 1 i x i. af(a q 1 i 0 k q 1 b ik a F q b ik a k a k+1 where the last identity follows from { a t 1 if t = q 1, = 0 if t = 0, 1,..., q. a F q The proof is completed. Remark. Theorem 8 is the same as the one in [30], [1]. All these results are essentially part of Theorem in [8]. For the reason of completeness, we include a proof by using the Lagrange interpolation formula. Next we use Theorem 8 to calculate the coefficients of the inverse of f in Lemma 5. Recall that f(x = x 5 ax 3 +a x, where a F 5 n and a (q 1/ = 1. Let q = 5 n and r i = q 1 i, where 1 i q. Then f(x ri = x ri (x a ri = ( ri ( a ri j x ri+j. j 0 j r i The degree of f(x ri is 5r i, and 5 5r i < (q 1+q. By (5, the coefficient b i,q of f 1 equals the sum of the coefficients of x k(q 1+(q (k = 0,1,,3 in (6. If i is even, then r i + j is even, and so the coefficients of odd powers of x in (6 are all 0. Also note k(q 1+(q is odd. We have b i,q = 0. If i is odd, then b i,q = 0 k 3 ( 0 k 3 r i (k(q 1+i 1/ (6 ( a ri k(q 1+i 1. Let i = m+1. Then 0 m (q 3/ and b i,q = ( q m q 1 k q 1 k ( a 5m 0 k 3 +m = ( q m k q 1 ( 1 k+m a 5m, +m (7 where the last identity follows from the fact a (q 1/ = 1 and q = 5 n. If q m < (k(q 1/+m, i.e., m > (( kq +k 8/10, then ( q m k = 0. Thus a direct computation reduces (7 to q 1 +m 0 if T +1 < m (q 3/, e m0 if 3T < m T +1, b i,q = e m0 +e m1 if T < m 3T, (8 e m0 +e m1 +e m if T < m T, e m0 +e m1 +e m +e m3 if 0 m T, where T = (q 5/10 and ( q m e mk = k q 1 ( 1 k+m a 5m,k = 0,1,,3. (9 +m Now the key of deducing Theorem 7 is to find the values of binomial coefficients above. V. EXPLICIT VALUES OF BINOMIAL COEFFICIENTS In this section, we first give the explicit values of binomial coefficients in (9, and then prove Theorem 7. In order to remove the multiples of q in these binomial coefficients, we need the following lemma. Lemma 9. Let q be a prime p power, and let r, k be integers with 0 k < q. Then ( ( q +r r (mod p, k k where ( r k = r(r 1 (r k +1/k!. Proof. By the Chu-Vandermonde identity, we have ( q +r k ( ( ( q r r = (mod p. k i k i k According to Lemma 9, for 0 m T +1, we obtain ( ( q m m m m ( (10 5m+3 ( 1 m (mod 5, m where we use the fact ( n ( m = ( 1 m m+n 1 m for m, n > 0. Similarly, for 0 m 3T, ( ( q m 5m+3+ q 1 ( 1 m (mod 5. q 1 +m m+ q 1 (11 For 0 m T, the Chu-Vandermonde identity leads to that ( q+m 1 q m ( ( q q m = q +m 1 k q +m 1 k k=0 ( ( q m q m + q +m 1 m 1 ( ( (1 q m m = m 1 m 1 ( 5m+ ( 1 m 1 (mod 5. m 1

7 PREPRINT SUBMITTED TO IEEE 7 Similarly, for 0 m T, we have ( ( q m 5m++ q 1 ( 1 m 1 3 q 1 +m m 1+ q 1 (mod 5. (13 In order to find the explicit value of the last binomial coefficients in (10-(13, we need the Lucas theorem. Lemma 10 (Lucas theorem. For non-negative integers n, k and a prime p, let n = n 0 +n 1 p+ +n s p s, k = k 0 +k 1 p+ +k s p s be their p-adic expansions, where 0 n i, k i p 1 for i = 0,1,...,s. Then ( n s ( ni (mod p. k k i In particular, ( n k 0 (mod p if and only if ni k i for all i. Now we give a result about binomial coefficients in (10. Theorem 11. Let q = 5 n, n 1 and 0 m q 1. Write m = m 0 +m m n 1 5 n 1, 0 m i. Then the following three statements are equivalent: ( 5m+3 (i 0 (mod 5; m (ii 3 m 0 m 1 m n 1 0; (iii m = 5k 1 1 k 3 n. + 5k 1, where 0 k 1 k Proof. It is easy to obtain the 5-adic expansions: 5m+3 = 3+m m n 5 n 1 +m n 1 5 n, m = m 0 +m m n 1 5 n 1. By the Lucas theorem and Lemma 9, (i is equivalent to (ii. To show (ii is equivalent to (iii, it suffices to prove M 1 = M, where M 1 = {m : 3 m 0 m 1 m n 1 0}, M = { 5k k 1 : 0 k 1 k k 3 n}. Since (5 k 1/ = k 1 and 0 k 1 k k 3 n, we have M M 1. It remains to show that M 1 M, i.e., m M for any m M 1. The remainder of our proof is divided into two cases. Case 1: assume m M 1 such that m 0 = m 1 = = m n 1 = a, where 0 a 3. If a =, then m = 5k k 1, where k 1 = 0 and k = k 3 = n. Hence m M. Similarly, m M for a = 0, 1 or 3. Case : assume m M 1 such that m 0, m 1,..., m n 1 are not all equal. Then the number N of the sign > in 3 m 0 m 1 m n 1 0 is 1, or 3. If N = 3, then there exist a, b, c such that Then 0 a < b < c n, m 0 = m 1 = = m a = 3, m a+1 = m a+ = = m b =, m b+1 = m b+ = = m c = 1, m c+1 = m c+ = = m n 1 = 0. m = 5k k 1, where k 1 = a+1, k = b+1 and k 3 = c+1. Hence m M. Similarly, m M for N = 1 or. Two criteria that ( 5m+3 m 0 (mod 5 are given in the theorem above. The following theorem finds the explicit values of this binomial coefficient. Theorem 1. Let m = 5k 1 1 with 0 k 1 k k 3 n. Then in F 5, ( { 5m+3 1 if k 1 = k = k 3 or k 1 < k < k 3, = m 3 if k 1 = k < k 3 or k 1 < k = k k 1 Proof. It is easy to obtain the 5-adic expansions: 5m+3 = 3+m m n 5 n 1 +m n 1 5 n, m = m 0 +m m n 1 5 n 1. The remainder of the proof is divided into four cases. For ease of notations, we denote A = ( 5m+3 m. Case 1: k 1 = k = k 3 = k with 0 k n. If k = 0, then m = 0 and A = ( 3 0 = 1. If 1 k n, then m = 3 5 k 1, i.e., m 0 = = m k 1 = 3, m k = = m n 1 = 0. Hence A ( 3 3( 3 0 = 1 (mod 5. Case : k 1 = k < k 3. If k 1 = k = 0, then m 0 = = m k3 1 = 1, m k3 = = m n 1 = 0. Thus A ( 3 1( 1 0 = 3 (mod 5. If k1 = k = k 1, then m 0 = = m k 1 = 3, m k = = m k3 1 = 1, m k3 = = m n 1 = 0. Hence A ( 3 3( 3 1( 1 0 = 3 (mod 5. Case 3: k 1 < k = k 3. The proof is quite similar to that of Case and so is omitted. Case : k 1 < k < k 3. If k 1 = 0, then m 0 = = m k 1 =, m k = = m k3 1 = 1, m k3 = = m n 1 = 0. So A ( 3 ( 1( (mod 5. If 0 < k1 < k < k 3, then m 0 = = m k1 1 = 3, m k1 = = m k 1 =, m k = = m k3 1 = 1, m k3 = = m n 1 = 0. Hence A ( 3 3( 3 ( 1( (mod 5.

8 PREPRINT SUBMITTED TO IEEE 8 Corollary 13. Let q = 5 n, n 1 and T < m T + 1, where T = (q 5/10. Then in F 5, ( { 5m+3 3 (k 1 k if m = (q +5 = k1 +5 k 3/, m 0 otherwise, where 0 k 1 k n 1. Proof. Denote A = ( 5m+3 m. According to Theorem 11, if 0 m q 1, then A 0 (mod 5 if and only if m = 5k k 1, where 0 k 1 k k 3 n. Since T = n +0 5 n 1, T +1 = n +1 5 n 1. We have, for T < m T +1, A 0 (mod 5 if and only if m = (5 k1 +5 k +5 n 3/, where 0 k 1 k < n. In this case, by Theorem 1, A 3 (k 1 k (mod 5. The following corollary presents a congruence relation for two binomial coefficients. Corollary 1. Let q = 5 n, n and q 5 10 < m (q 5 Then ( ( 5m+3 5m+ (mod 5. m m Proof. Denote by A and B the above binomial coefficients, respectively. Then ma = (5m + 3B, and so ma B (mod 5. If A 0 (mod 5, then B 0 (mod 5, and thus A B (mod 5. We next show A B (mod 5 for A 0 (mod 5. By Theorem 11, for 0 m q 1, A 0 (mod 5 if and only if m = 5k k 1, where 0 k 1 k k 3 n. Since (q 5/10 = n, (q 5/10 = n, we obtain, for(q 5/10 < m (q 5/10,A 0 (mod 5 if and only if m = q k 1, where 1 k n 1. Hence m 3 (mod 5, and so A ma B (mod 5. Next we study the last binomial coefficient in (11. Theorem 15. Let q = 5 n, n 1 and 0 m q 1. Write (i m = m 0 +m m n 1 5 n 1, 0 m i. Then the following three statements are equivalent: ( 5m+3+ q 1 m+ q 1 0 (mod 5; (ii 3 = m 0 m 1 m n 1 ; (iii m = q 1 + 5k 1, where 1 k n. Proof. Denote α = 5m+3+ q 1 and β = m + q 1. Then their 5-adic expansions are as follows: α = 0+(m (m (m (m n +5 n 1 +m n 1 5 n, β = (m 0 ++(m 1 +5+(m (m n 1 +5 n n. (1 (15 If ( α β 0 (mod 5, then by the Lucas theorem, 0 m 0 +, i.e., m 0 = 3, where a i b i denotes a i b i in F 5. The condition m 0 = 3 leads to a carry 1 in (1 and (15, respectively. Now we have α = (m (m , β = 0+(m (m +5 +(m If ( α β 0 (mod 5, then 1 m1 +3, which also yields two carry 1 in the expansions above. Now we have α = (m 1 5 +(m , β = 0+(m 1 5+(m +35 +(m If ( α β 0 (mod 5, then 1 m1 m + 3, and so 1 m + 3, which also yields two carry 1. And so on, we obtain ( α β 0 (mod 5 if and only if m 0 = 3, 1 m 1 m n 1, m n (16 So m k =, 3 for 1 k n 1. There are exactly two cases: m 1 = = m n 1 = 3, i.e., m = q 1 + 5n 1. m 1 = = m k 1 = 3 and m k = = m n 1 = for some 1 k n 1. That is, m = q 1 + 5k 1, where 1 k n 1. Therefore, (16 is equivalent to (ii or (iii. Corollary 16. Let q = 5 n, n 1 and 0 m q 1. Then ( 5m+3+ q 1 m+ q 1 0 (mod 5. Now we consider the last binomial coefficient in (13. Theorem 17. Let q = 5 n, n 1 and 0 m (q Write (i m = m 0 +m m n 5 n, 0 m i. Then the following three statements are equivalent: ( 5m++ q 1 m 1+ q 1 0 (mod 5; (ii m 0 m 1 m n 0; (iii m = 5k k 1, where 0 k 1 k n 1. Proof. Denote α = 5m + + q 1 and β = m 1 + q 1 Then their 5-adic expansions are as follows: α = +(m (m n +5 n 1, β = (m 0 +1+(m n 1. The proof that (i is equivalent to (ii is divided in two cases. ( α βcase 1: 0 m i for all i. Then by the Lucas Theorem, 0 (mod 5 if and only if m 0 + m n +, i.e., m 0 m n 0. Case : m i = 3 or for some i (0 i n. We first show ( α β 0 (mod 5 if m0 = 3. An argument similar to the one used in Theorem 15 shows that ( α β 0 (mod 5 if and only if m 1 = 3, 1 m m n 3..

9 PREPRINT SUBMITTED TO IEEE 9 This is contrary to 3 > 1. Similarly, we can prove that ( α β 0 (mod 5 when m 0 =, m i = 3 or for 1 i n. An argument similar to the one used in Theorem 11 can show that (ii is equivalent to (iii. The following corollaries give the linear congruence relations between the binomial coefficients in (10, (1 and (13. Corollary 18. Let q = 5 n, n 1 and 0 m (q Then ( 5m++ q 1 ( 5m+ m 1+ q 1 (mod 5. m Proof. Denote by C and D the above binomial coefficients, respectively. Then by the Lucas theorem, D 0 (mod 5 if and only if m 0 m 1 m n 0. That is, D 0 (mod 5 if and only ifc 0 (mod 5. Hence C D (mod 5 when C 0 (mod 5. On the other hand, if C 0 (mod 5, then, by Theorem 17, m = 5k k 1, where 0 k 1 k n 1. An argument similar to that in Theorem 1 shows C 3 + ( k 1 k D (mod 5. Hence C D (mod 5 for C 0 (mod 5. Corollary 19. Let q = 5 n, n and 0 m q Then ( ( 5m+3 5m++ q 1 ( 5m+ + m m 1+ q 1 (mod 5. m 1 Proof. Denote by A, C, B the above binomial coefficients, respectively. By ma = (5m + 3B, we get ma B (mod 5. Let D = ( 5m+ m. Then (m+3a = (5m+3D, and so D (3m + 1A (mod 5. By Corollary 18, C D (m 1A (mod 5. Hence A+C B (mod 5. With the help of the preceding results, we now prove Theorem 7. According to (8, the coefficients b i,q of f 1 are linear combinations of e m0, e m1, e m and e m3 in (9. Corollary 16 and the congruence (11 imply that e m1 0 (mod 5 0 m 3T, where T = (q 5/10. By (10, (1 and Corollary 1, e m0 +e m 0 (mod 5 for T < m T. From (10, (1, (13 and Corollary 19, we obtain e m0 +e m +e m3 0 (mod 5 for 0 m T. By (10 and Corollary 13, fort < m T+1 we get, in F 5, { 3 (k 1 k a 5m if m = (q +5 e m0 = k1 +5 k 3/, 0 otherwise, where 0 k 1 k n 1. Then Theorem 7 follows from (8 and Theorem 8. ACKNOWLEDGMENT We would like to thank Junwei Guo, Fu Wang, Baofeng Wu for their helpful suggestions. REFERENCES [1] A. Akbary, D. Ghioca, and Q. Wang, On constructing permutations of finite fields, Finite Fields Appl., vol. 17, pp , 011. [] X. Cao, L. Hu, and Z. Zha, Constructing permutation polynomials from piecewise permutations, Finite Fields Appl., vol. 6, pp , 01. [3] N. Cepak, P. Charpin, and E. Pasalic, Permutations via linear translators, Finite Fields Appl., vol. 5, pp. 19, 017. [] P. Charpin and G. Kyureghyan, When does G(x + γtr(h(x permute F n? Finite Fields Appl., vol. 15, pp , 009. [5] P. Charpin and G. M. Kyureghyan, Monomial functions with linear structure and permutation polynomials, in Finite Fields: Theory and Applications-FQ9, ser. Contemporary Mathematics, vol American Mathematical Society, 010, pp [6] P. Charpin, G. M. Kyureghyan, and V. Suder, Sparse permutations with low differential uniformity, Finite Fields Appl., vol. 8, pp. 1 3, 01. [7] P. Charpin, S. Mesnager, and S. Sarkar, Dickson polynomials that are involutions, in Contemporary Developments in Finite Fields and Their Applications. World Scientific, 016, pp. 7. [8], Involutions over the Galois Field F n, IEEE Trans. Inform. Theory, vol. 6, no., pp , 016. [9] R. S. Coulter and M. Henderson, The compositional inverse of a class of permutation polynomials over a finite field, Bull. Aust. Math. Soc., vol. 65, pp , 00. [10] R. S. Coulter and S. Mesnager, Bent functions from involutions over F n, IEEE Trans. Inform. Theory, vol. 6, no., 018. [11] L. E. Dickson, The analytic representation of substitutions on a power of a prime number of letters with a discussion of the linear group, Part I, Ann. Math., vol. 11, pp , [1] C. Ding and J. Yuan, A family of skew Hadamard difference sets, J. Comb. Theory Ser. A, vol. 113, pp , 006. [13] C. Ding and Z. Zhou, Binary cyclic codes from explicit polynomials over GF( m, Discrete Math., vol. 31, pp , 01. [1] N. Fernando and X. Hou, A piecewise construction of permutation polynomials over finite fields, Finite Fields Appl., vol. 18, no. 6, pp , 01. [15] S. W. Golomb and O. Moreno, On periodicity properties of Costas arrays and a conjecture on permutation polynomials, IEEE Trans. Inform. Theory, vol., no. 6, pp. 5 53, [16] T. Helleseth and A. Kholosha, x l +1 + x + a and related affine polynomials over GF( k, Cryptogr. Commun., vol., pp , 010. [17] X. Hou, Determination of a type of permutation trinomials over finite fields, II, Finite Fields Appl., vol. 35, pp , 015. [18], Permutation polynomials over finite fields A survey of recent advances, Finite Fields Appl., vol. 3, pp , 015. [19] G. M. Kyureghyan, Constructing permutations of finite fields via linear translators, J. Combin. Theory Ser. A, vol. 118, pp , 011. [0] J. Li, D. B. Chandler, and Q. Xiang, Permutation polynomials of degree 6 or 7 over finite fields of characteristic, Finite Fields Appl., vol. 16, pp , 010. [1] K. Li, L. Qu, and X. Chen, New classes of permutation binomials and permutation trinomials over finite fields, Finite Fields Appl., vol. 017, pp , 3. [] K. Li, L. Qu, and Q. Wang, Compositional inverses of permutation polynomials of the formx r h(x s over finite fields, Cryptogr. Commun., published online: 13 March 018. [3] L. Li, S. Wang, C. Li, and X. Zeng, Permutation polynomials (x pm x+δ s 1+(x pm x+δ s +x over F p n, Finite Fields Appl., vol. 51, pp , 018. [] N. Li, On two conjectures about permutation trinomials over F 3 k, Finite Fields Appl., vol. 7, pp. 1 10, 017. [5] R. Lidl and H. Niederreiter, Finite Fields, nd ed. Cambridge University Press, [6] S. Mesnager, Further constructions of infinite families of bent functions from new permutations and their duals, Cryptogr. Commun., vol. 8, no., pp. 9 6, 016. [7], On constructions of bent functions from involutions, in IEEE International Symposium on Information Theory (ISIT, 016, pp [8] G. L. Mullen, A. Muratović-Ribić, and Q. Wang, On coefficients of powers of polynomials and their compositions over finite fields, in Contemporary Developments in Finite Fields and Applications. World Scientific, 016, pp [9] G. L. Mullen and D. Panario, Handbook of finite fields. CRC Press, 013.

10 PREPRINT SUBMITTED TO IEEE 10 [30] A. Muratović-Ribić, A note on the coefficients of inverse polynomials, Finite Fields Appl., vol. 13, pp , 007. [31] H. Niederreiter and A. Winterhof, Cyclotomic R-orthomorphisms of finite fields, Discrete Math., vol. 95, pp , 005. [3] Y. H. Park and J. B. Lee, Permutation polynomials and group permutation polynomials, Bull. Austral. Math. Soc., vol. 63, pp. 67 7, 001. [33] L. Reis, Nilpotent linearized polynomials over finite fields and applications, Finite Fields Appl., vol. 50, pp. 79 9, 018. [3] R. Shaheen and A. Winterhof, Permutations of finite fields for check digit systems, Des. Codes Cryptogr., vol. 57, pp , 010. [35] C. J. Shallue and I. M. Wanless, Permutation polynomials and orthomorphism polynomials of degree six, Finite Fields Appl., vol. 0, pp. 8 9, 013. [36] A. Tuxanidy and Q. Wang, On the inverses of some classes of permutations of finite fields, Finite Fields Appl., vol. 8, pp. 81, 01. [37], Compositional inverses and complete mappings over finite fields, Discrete Appl. Math., vol. 17, pp , 017. [38] D. Wan and R. Lidl, Permutation polynomials of the form x r f(x (q 1/d and their group structure, Monatsh. Math., vol. 11, pp , [39] L. Wang and B. Wu, General constructions of permutation polynomials of the form (x m +x+δ i(m 1+1 +x over F m, Finite Fields Appl., vol. 5, pp , 018. [0] Q. Wang, Cyclotomic mapping permutation polynomials over finite fields, in Sequences, subsequences, and consequences, ser. Lecture Notes in Comput. Sci., vol Springer, 007, pp [1], On inverse permutation polynomials, Finite Fields Appl., vol. 15, pp , 009. [], Cyclotomy and permutation polynomials of large indices, Finite Fields Appl., vol., pp , 013. [3], A note on inverses of cyclotomic mapping permutation polynomials over finite fields, Finite Fields Appl., vol. 5, pp. 7, 017. [] B. Wu, The compositional inverses of linearized permutation binomials over finite fields, arxiv: v1, 013. [5], Linearized and linearized derived permutation polynomials over finite fields and their compositional inverses, Ph.D thesis (in Chinese, University of Chinese Academy of Sciences, Beijing, China, May 013. [6], The compositional inverse of a class of linearized permutation polynomials over F n, n odd, Finite Fields Appl., vol. 9, pp. 3 8, 01. [7] B. Wu and Z. Liu, The compositional inverse of a class of bilinear permutation polynomials over finite fields of characteristic, Finite Fields Appl., vol., pp , 013. [8], Linearized polynomials over finite fields revisited, Finite Fields Appl., vol., pp , 013. [9] D. Wu, P. Yuan, C. Ding, and Y. Ma, Permutation trinomials overf m, Finite Fields Appl., vol. 6, pp , 017. [50] Z. Zha, L. Hu, and S. Fan, Further results on permutation trinomials over finite fields with even characteristic, Finite Fields Appl., vol. 5, pp. 3 5, 017. [51] D. Zheng, M. Yuan, and L. Yu, Two types of permutation polynomials with special forms, Finite Fields Appl., vol. 56, pp. 1 16, 019. [5] Y. Zheng, Y. Yu, Y. Zhang, and D. Pei, Piecewise constructions of inverses of cyclotomic mapping permutation polynomials, Finite Fields Appl., vol. 0, pp. 1 9, 016. [53] Y. Zheng, P. Yuan, and D. Pei, Piecewise constructions of inverses of some permutation polynomials, Finite Fields Appl., vol. 36, pp , 015. [5], Large classes of permutation polynomials over F q, Des. Codes Cryptogr., vol. 81, pp , 016. [55] M. E. Zieve, On some permutation polynomials over F q of the form x r h(x (q 1/d, Proc. Am. Math. Soc., vol. 137, no. 7, pp , 009. Yanbin Zheng received the Ph.D. degree in Mathematics from Guangzhou University, China, in 015. Then, he joined the School of Computer Science and Engineering, Guilin University of Electronic Technology, China. He is currently a postdoctoral research fellow in the School of Computer Science and Technology, Dongguan University of Technology, China. His research interests include finite fields and cryptography. Qiang Wang was born in China where he received B. Sc., M.Sc. degrees in Mathematics from ShaanXi Normal University (China. He received a M. Sc. degree in information and System Science from Carleton University (Canada and a Ph.D. in Mathematics from the Memorial University of Newfoundland (Canada. He is currently a Professor at Carleton University in Ottawa (Canada. His main research interests are in finite fields and applications in coding theory, combinatorics, and cryptography. Wenhong Wei received the Ph.D. degree in Computer Science from South China University of Technology, China, in 009. He is currently a full professor in the School of Computer Science and Technology, Dongguan University of Technology, China. His research interests include discrete mathematics and computer network.