A note on hyper-bent functions via Dillon-like exponents
Size: px
Start display at page:

Download "A note on hyper-bent functions via Dillon-like exponents"

Transcription

1 A note on hyper-bent functions via Dillon-like exponents Sihem Mesnager Jean-Pierre Flori Monday 23 rd January, 2012 Abstract This note is devoted to hyper-bent functions with multiple trace terms including binomial functions) via Dillon-like exponents. We show how the approach developed by Mesnager to extend the Charpin Gong family and subsequently extended by Wang et al. fits in a much more general setting. To this end, we first explain how the original restriction for Charpin Gong criterion can be weakened before generalizing the Mesnager approach to arbitrary Dillon-like exponents. Afterward, we tackle the problem of devising infinite families of extension degrees for which a given exponent is valid and apply these results not only to reprove straightforwardly the results of Mesnager and Wang et al., but also to characterize the hyper-bentness of new infinite classes of Boolean functions. Keywords. Boolean functions, hyper-bent functions, Walsh Hadamard transform, exponential sums, Kloosterman sums, Dickson polynomials, Dillon exponents. 1 Introduction Hyper-bent functions were defined by Youssef and Gong [21] in 2001 and are both of theoretical and practical interest. In fact, they were initially proposed by Golomb and Gong [8] as a component of S-boxes to ensure the security of symmetric cryptosystems. But such functions are rare, and in particular they are interesting from a combinatorial point of view: they indeed have stronger properties than the well-known bent functions which were already studied by Dillon [6] and Rothaus [17] more than three decades ago and whose classification is still elusive. Therefore, not only their characterization, but also their generation are challenging problems. In 2008, Charpin and Gong [2] studied the hyper-bentness of Boolean functions in the following form: f a x) = Tr n 1 a ) r x r2m 1) where n = 2m is an even integer, R is a set of representatives of the cyclotomic classes modulo 2 m + 1 of full size n and the coefficients a r live in the subfield F 2 m. Such an approach was first extended by Mesnager in 2009 for the binomial case [15] and further in 2010 for the general case [14]) to treat Charpin Gong like functions with an additional LAGA Laboratoire Analyse, Géometrie et Applications), UMR 7539, CNRS, Department of Mathematics, University of Paris XIII and University of Paris VIII, 2, rue de la liberté, Saint-Denis Cedex, France. smesnager@univ-paris8.fr ANSSI Agence nationale de la sécurité des sytèmes d information), 51, boulevard de la Tour-Maubourg, Paris SP, France. jean-pierre.flori@ssi.gouv.fr 1

2 trace term over F 4 : f a,b x) = Tr n 1 a r x r2m 1) ) + Tr 2 1 ) bx 2n 1 3 where the same restriction lies on the coefficient a r, the coefficient b is in F 4 and m must verify m 1 mod 2), i.e. m is odd. Adopting the approach developed by Mesnager, Wang et al. studied in late 2011 for the general case [20], but also specific treatments for the binomial case [19, 18]) the following family with an additional trace term on F 16 : f a,b x) = Tr n 1 a r x r2m 1) ) + Tr 4 1 ) bx 2n 1 5 where some further restrictions lie on the coefficients a r, the coefficient b is in F 16 and m must verify m 2 mod 4). Both these approaches are quite similar and crucially depend on the fact that the hypothesis made on m implies that 3 or 5 do not only divide 2 n 1, but also 2 m + 1. In this note, we show how such approaches can be extended to an infinity of different trace terms, covering all the possible Dillon-like exponents. In particular, we show that they are valid for an infinite number of other denominators, e.g. 9 or 11. To this end, we consider a function of the general form f a,b x) = ) Tr n 1 a r x r2m 1) + Tr t 1 bx ) s2m 1) where n = 2m is an even integer, R is a set of representatives of the cyclotomic classes modulo 2 m + 1, the coefficients a r are in F 2 m, s divides 2 m + 1, i.e. s2 m 1) is a Dillon-like exponent, t = os2 m 1)), i.e. t is the size of the cyclotomic coset of s modulo 2 m + 1, and the coefficient b is in F 2 t. Our objective is to show how we can treat the property of hyper-bentness in this general case. In Section 2, we provide some background on the different objects we manipulate in the following sections, namely Boolean functions, Walsh-Hadamard transform, Dickson polynomials, exponential sums.section 3 and 4 build the core of this paper: in the former one, we study general Dillon-like exponents; in the latter one, we devise for which extension degrees a given exponent is valid. Section 5 then provides both known and new applications of the developed theory. 2 Notation and preliminaries Throughout this paper, m 0 is a positive integer and n = 2m is an even integer. The base field for our work will be F 2 m, but our final motivation is the study of Boolean functions defined over F 2 n. The element α denote a primitive element of F 2 n. While working over finite fields, we use the shorthand notation 1/0 = 0. For any set S such that 0 S, S denotes S = S \ {0} and S denotes the cardinality of S. 2.1 Boolean functions and polynomial forms Let n be a positive integer. A Boolean function f on F 2 n is an F 2 -valued function. The weight of f, denoted by wtf), is the Hamming weight of the image vector of f, i.e. the cardinality of its support suppf) = {x F 2 n fx) = 1}. For any positive integer k, and r dividing k, the field trace from F 2 k to F 2 r, denoted by Tr k r, can be explicitely defined as Tr k r x) = k r 1. In particular, we denote the absolute trace of x2ir 2

3 an element x F 2 n by Tr n 1 x) = n 1 x2i. Recall that, for every integer l dividing k, the trace function Tr k l is surjective and satisfies the transitivity property, that is Tr k 1 = Tr l 1 Tr k l. Every non-zero Boolean function f defined on F 2 n has a trace expansion of the form fx) = Tr n 1 aj x j) + ɛ1 + x 2n 1 ) j Γ n where Γ n is a set of representatives of the cyclotomic classes modulo 2 n 1, the coefficients a j are in F 2 n, and ɛ = wtf) modulo 2. Such a representation can be made unique by restricting the fields of definition of the coefficients a j to F 2 oj) and by writing f as fx) = aj x j) + ɛ1 + x 2n 1 ) Tr oj) 1 j Γ n where oj) is the size of the cyclotomic coset of j modulo 2 n 1. It is then called the polynomial form of f. Going from the non-unique trace representation to the unique one basically amounts to take the traces of the coefficients from F 2 n to F 2 oj). Going the other way around relies on the surjectivity of the trace map from F 2 n to F 2 oj). 2.2 Walsh Hadamard transform and bentness The sign function of a Boolean function f is the integer-valued function χ f = χ f) = 1) f, i.e. f composed with the additive character of F 2. The Walsh Hadamard transform of f is the discrete Fourier transform of χ f, whose value at ω F 2 n is defined as χ f ω) = 1) fx)+trn 1 ωx). x F 2 n The extended Walsh Hadamard transform of f is defined as χ f ω, k) = 1) fx)+trn 1 ωx k ), x F 2 n for ω F 2 n and k an integer co-prime with 2 n 1. Bent functions are functions with maximum nonlinearity. Definition 2.1. A Boolean function f : F 2 n F 2 is said to be bent if χ f ω) = ±2 n 2 for all ω F 2 n. Hyper-bent functions have even stronger properties than bent functions. hyper-bent functions can be defined as follows. More precisely, Definition 2.2. A Boolean function f : F 2 n F 2 is said to be hyper-bent if its extended Walsh Hadamard transform only takes the values ±2 n 2. Note that bent and hyper-bent functions only exist for n even. Moreover, it is well-known that their Hamming weight is even. Therefore, their polynomial forms are of the form fx) = aj x j). Tr oj) 1 j Γ n It is well-known that the algebraic degree of a bent function is at most n/2 [17]. If it is moreover hyper-bent, then it is exactly n/2 [1, Theorem 1]. 3

4 2.3 A characterization of hyper-bentness Dillon [6] introduced a convenient criterion for bentness involving the support of a Boolean function, forming the so-called Partial Spreads class PS of Boolean functions. Theorem 2.3 PS class [6]). Let E i, i = 1, 2,, N, be N subspaces of F 2 n of dimension m satisfying E i E j = {0} for all i, j {1, 2,, N} with i j. Let f be a Boolean function on F 2 n. Assume that the support of f can be written as suppf) = N i=1 E i. Then f is bent if and only if N = 2 m 1. In this case, f is said to belong to the PS class. Dillon also exhibited a subclass of PS, denoted by PS ap, whose elements are defined in an explicit form as follows. To this end, consider F 2 n as a F 2 m-vectorspace of dimension 2 with basis {1, w}; then every element z F 2 n can be decomposed as z = x + wy with x, y) F 2 m F 2 m. Definition 2.4 PS ap class [6]). The PS ap class consists of all Boolean functions f defined as follows. Let g be a balanced Boolean function on F 2 m such that g0) = 0. Then define the Boolean function f on F 2 n F 2 m F 2 m as fx, y) = gxy 2m 2 ) for every x, y) F 2 m F 2 m. A similar result for hyper-bentness was provided by Youssef and Gong [21] who showed that hyper-bent functions actually exist. They partially state this main result in terms of sequences. The following proposition is an easy translation of their result stated using only the terminology of Boolean functions as it was given by Carlet and Gaborit [1]. Proposition 2.5 PS # ap class [21, Theorem 1], [1, Proposition 3]). Let α be a primitive element of F 2 n. Let f be a Boolean function defined on F 2 n such that fα 2m +1 x) = fx) for every x F 2 n and f0) = 0. Then f is a hyper-bent function if and only if the weight of the vector f1), fα), fα 2 ),, fα 2m )) equals 2 m 1. In this case f is said to belong to the PS # ap class. Charpin and Gong [2] have derived a slightly different version of the preceding proposition. Proposition 2.6 [2, Theorem 2]). Let α be a primitive element of F 2 n. Let f be a Boolean function defined on F 2 n such that fα 2m +1 x) = fx) for every x F 2 n and f0) = 0. Denote by U the cyclic subgroup of F 2 of order n 2m + 1. Let ζ = α 2m 1 be a generator of U. Then f is a hyper-bent function if and only if the cardinality of the set { i fζ i ) = 1, 0 i 2 m} equals 2 m 1. Remark 2.7. It is important to point out that bent functions f defined on F 2 n such that fα 2m +1 x) = fx) for every x F 2 n and f0) = 0 are always hyper-bent. A proof of this claim can be found in the paper of Charpin and Gong [2, Proof of Theorem 2] or it can be directly observed that the support suppf) of such a Boolean function f can be decomposed as suppf) = i S αi F 2 m, where S = { i fα i ) = 1 }, that is, thanks to Theorem 2.3, f is bent if and only if S = 2 m 1, proving that such bent functions are actually hyper-bent functions according to Proposition 2.5. Finally, Carlet and Gaborit have proved the following more precise statement about the functions considered in Proposition 2.5. Proposition 2.8 [1, Proposition 4]). Hyper-bent functions as in Proposition 2.5 such that f1) = 0 are the elements of the PS ap class. Those such that f1) = 1 are the functions of the form fx) = gδx) for some g PS ap and δ F 2 n \ {1} such that gδ) = 1. 4

5 2.4 Dickson polynomials Recall that the family of binary Dickson polynomials D r x) F 2 [x] is defined by D r x) = r 2 r r i r i i ) x r 2i. Moreover, the family of Dickson polynomials D r x) F 2 [x] can also be defined by the recurrence relation D i+2 x) = xd i+1 x) + D i x) with initial values D 0 x) = 0, D 1 x) = x. The reader can refer to the monograph of Lind, Mullen and Turnwald [13] for many useful properties and applications of Dickson polynomials. In particular, for any non-zero positive integers r and s, Dickson polynomials satisfy 1. degd r x)) = r, 2. D rs x) = D r D s x)), 3. D r x + x 1 ) = x r + x r. A well-known result by Chou, Gomez-Calderon and Mullen [3] describes the cardinality of the preimage of an arbitraty element. Theorem 2.9 [3, Theorem 9 ], [13, Theorem 3.26 ]). Let F 2 m be the finite field with 2 m elements and 1 r 2 n 1 be an integer. Let Let x, y F 2 m D 1 r y) = k = gcdr, 2 m 1), l = gcdr, 2 m + 1). be two elements such that D r x) = y. Then k+l 2 if y = 0, k if y 0 and Tr m 1 1/x) = 0, l if y 0 and Tr m 1 1/x) = 1. Furthermore, a finer analysis of this result shows that Dickson polynomials leave stable the trace of the inverse of an arbitrary element. Lemma 2.10 [5, pp ]). Let r 0 be an integer and x F 2 m. Then ) ) 1 1 Tr m 1 = Tr m 1. D r x) x We therefore denote the subsets of elements with a given trace of inverse as follows. Definition For i F 2, let T i denote the set T i = {x F 2 m Tr m 1 1/x) = i}. The following property is then a corollary to the above results. Corollary Let 1 r 2 n 1 be an integer. permutation of T 0 if and only if k = gcdr, 2 m 1) = 1; T 1 if and only if l = gcdr, 2 m + 1) = 1. Then the map x D r x) induces a 5

6 2.5 Exponential sums Let f : F 2 m F 2 be a Boolean function. We denote the exponential sum associated with f by Ξf), that is Ξf) = χ f x). x F 2 m The classical binary Kloosterman sums on F 2 m are then defined as follows. Definition 2.13 Kloosterman sums). Let a F 2 m. The binary Kloosterman sums associated with a is K m a) = Ξ Tr m 1 ax + 1 )). x The values of Kloosterman sums have been explicitely determined. Proposition 2.14 [12, Theorem 3.4]). The Kloosterman sums K m a) on F 2 m takes all the integer values divisible by 4 in the range [ 2 m+2)/2 + 1, 2 m+2)/2 + 1]. The following partial exponential sums are a classical tool to study hyper-bentness. Beware that the Boolean function is defined on F 2 n in the first definition and F 2 m in the second one. Definition Let f : F 2 n F 2 be a Boolean function and U be the set of 2 m + 1)-th roots of unity in F 2 n. We define Λf) as Λf) = u U χ f u). Definition Let f : F 2 m F 2 be a Boolean function and, for i F 2, denote by T i f) the partial exponential sum on T i associated with f, that is T i f) = χ f x). x T i The following lemma is easily deduced from the equality 1) Trm 1 x) = 1 2 Tr m 1 the values of the trace are understood as the integers 0 and 1. Lemma Let f : F 2 m F 2 be a Boolean function. Then x) where T i f) = 1 2 Ξf) + 1) i Ξ Tr m 1 1/x) + fx)) ). Applying furthermore Corollary 2.12 gives the following result. Corollary Let 1 r 2 n 1 be an integer and f : F 2 m Suppose moreover that k = gcdr, 2 m 1) = 1. Then F 2 be a Boolean function. T 0 f D r ) = T 0 f), T 1 f D r ) = Ξf D r ) T 0 f). Finally, we have the following relation between Kloosterman sums and the above partial exponential sums. Corollary Let a F 2m. Then K m a) = 2T 1 Tr m 1 ax)), = 2T 0 Tr m 1 ax)). 6

7 Proof. According to Lemma 2.17, T 0 Tr m 1 ax)) T 1 Tr m 1 ax)) = K m a). Moreover, T 0 Tr m 1 ax)) + T 1 Tr m 1 ax)) = Ξ Tr m 1 ax)) = 0. 3 Hyper-bent Boolean functions with Dillon-like exponents: a generic approach 3.1 Extending the Charpin Gong criterion The family of Boolean functions F n consists of the functions f a given in trace representation by Dillon-like only exponents, that is f a x) = ) Tr n 1 a r x r2m 1) 1) where R is a set of representatives of the cyclotomic classes modulo 2 m + 1 hence the elements r2 m 1) yield a set of representatives of the cyclotomic classes modulo 2 n 1 of the form [i2 m 1)]) and the coefficients a r live in the field F 2 n. Departing from the approach of Charpin and Gong, we do not require that the cyclotomic classes are of maximal size n = 2m. Lemma 3.1. Let f a be a Boolean function in F n. Then f a α 2m +1 x) = f a x). Proof. We indeed have f a α 2m +1 x) = Tr n 1 a ) r α 2m +1 x) r2m 1) = Tr n 1 a ) r α r2n 1) x r2m 1) = f a x). Proposition 2.6 can therefore be directly applied to characterize the hyper-bentness of f a with the partial exponential sum Λa) = Λf a ). Proposition 3.2. Let f a be a Boolean function in F n. The function f a is hyper-bent if and only if Λa) = 1. Proof. According to Proposition 2.6, f a is hyper-bent if and only if its restriction to U has Hamming weight 2 m 1. Now Λa) = U 2 wtf a U ) = 2 m wtf a U ). Thus f a is hyper-bent if and only if Λa) = 1. Remark 3.3. An hyper-bent function f a F n is in PS ap if and only if Trn 1 a r ) = 1. In fact, the complete extended Walsh Hadamard spectrum of f a can be expressed with Λa). 7

8 Proposition 3.4. Let f a be a Boolean function in F n. For ω = 0, χ fa 0, k) = 1 + Λa) m ), and, for ω F 2 n non-zero, χ fa ω, k) = 1 Λa) + 2 m 1) faω2m 1)/2k)). Proof. It is a well-known fact that every non-zero element x F 2 has a unique polar decomposition as a product x = yu where y lies in the subfield F 2 m and u U. n The extended Walsh Hadamard transform of f a at ω, k) can consequently be expressed as χ fa ω, k) = χ f a x) + Tr n 1 ωx k )) x F 2 n = 1 + x F 2 n χ = 1 + u U fa x) + Tr n 1 ωx k )) y F 2 m χ fa yu) + Tr n 1 ωy k u k)). But f a yu) = Tr n 1 a ) r yu) r2m 1) = Tr n 1 a ) r y r2m 1) u r2m 1) = Tr n 1 a ) r u r2m 1) so that = f a u), χ fa ω, k) = 1 + χ fa u) + Tr n 1 ωy k u k)) u U y F 2 m = 1 + χ fa u) χ Tr n 1 ωy k u k)) u U y F 2 m = 1 + χ fa u) 1 + χ Tr n 1 ωy k u k)) u U = 1 Λa) + u U y F 2 m χ fa u) y F 2 m χ Tr n 1 ωy k u k)). If ω = 0, then χ f ω, k) = 1 + Λa) m ) as desired. If ω 0, then the transitivity of the trace yields Tr n 1 ωy k u k) = Tr m 1 Tr n m ωy k u k)) = Tr m 1 ωy k u k + ωy k u k) ) 2 m = Tr m 1 ωy k u k + ω 2m y k u k) = Tr m 1 y k ωu k + ω 2m u k)). 8

9 As a consequence of this equality and of the fact that k is co-prime with 2 m + 1, the sum over F 2 m is non-zero if and only if u 2k = ω 2m 1. Therefore χ fa ω, k) = 1 Λa) + 2 m 1) faω2m 1)/2k)). In particular, Proposition 3.2 is a direct corollary to the above proposition. Remark 3.5. Set f a x) = Tr n 1 a r x r ), and let Λa) = Λf a ). The integers 2 m 1 and 2 m + 1 are co-prime and so the 2 m 1)-power map induces a permutation of U. In particular, one has Λa) = Λa). We now restrict to the family G n of Boolean functions defined as above, but where the coefficients a r are restricted to the subfield F 2 m. The following remark shows that it is enough to restrict to Dillon-like exponents whose cyclotomic coset sizes do not divide m. Remark 3.6. If t = or2 m 1)), then Tr n 1 a r x r2m 1) ) = Tr t 1 Tr n t a r ) x r2m 1) ). Suppose now that a r F 2 m, e.g. f a G n. If t divides m, then Tr n t a r ) = Tr m t and ) a r x r2m 1) = 0. Tr n 1 ) ar + a 2m r = 0 Otherwise, if k = gcdt, m), then Tr n t a r ) F 2 k. Furthermore, Proposition 3.4 can be used to compute the dual of f a in the case where f a is hyper-bent. Proposition 3.7. Suppose that f a G n is hyper-bent. Then it is its own dual, i.e. we have χ fa ω) = 2 m χ fa ω). Proof. If f a is hyper-bent, then Λa) = 1 and one has χ fa ω) = 2 m χ fa u), where u 1 2m = ω 2m 1. In particular, one has f a u) = f a ω 1 ). One then concludes that f a ω 1 ) = f a ω) using the facts that a 2m r = a r and that 2 m 1 2 m ) 2 m 1 mod 2 n 1). For functions f a in G n, Remark 3.5 combined with the transitivity of the trace yields a useful expression of Λa) using the partial exponential sum T 1 whose proof we recall here. Lemma 3.8 [14, Lemma 12]). Let f a be a Boolean function in G n and l be any positive integer. Let g a be the Boolean function defined on F 2 m as g a x) = Trm 1 a r D r x)). Then Λf a x l )) = 1 + 2T 1 g a D l ). 9

10 Proof. Using the facts that the 2 m 1)-power map induces a permutation of U, that a 2m r = a r and that D r x + x 1 ) = x r + x r for any x F 2 n, one gets Λf a x l )) = χ a r u ) )) lr 2m 1 u U = u U χ = u U χ = u U χ = u U χ Tr n 1 Tr n 1 Tr m 1 Tr m 1 Tr m 1 ar u lr)) ar u lr) + a r u lr) 2 m ) ) ar u lr + u lr))) ar D r D l u + u 1 )) )). To conclude, recall that the map x x + x 1 is 2-to-1 from U \ {1} to T 1 to obtain Λf a x l )) = tint 1 g a D l t)) = 1 + 2T 1 g a D l ). The following extension of the Charpin Gong criterion is then straightforward. Theorem 3.9 Extension of the Charpin Gong criterion [2, Theorem 7]). Let f a be a Boolean function in G n. Let g a be the Boolean function defined on F 2 m as g a x) = Trm 1 a r D r x)). Then f a is hyper-bent if and only if T 1 a) = T 1 g a ) = 0. Moreover, if f a is hyper-bent, then it is in the PS ap class. Proof. This is a direct consequence of Proposition 3.2 and Lemma Extending the Mesnager criterion The above approach yields a satisfactory criterion for Boolean functions f a in the family G n. In particular, using Lemma 2.17, one gets a characterization of the hyper-bentness of f a involving only complete exponential sums, or equivalently the Hamming weight of f a and that of g a. Nonetheless, the restriction that lies on the coefficients a r is not satisfying, namely they should live in the field F 2 n. In this subsection, we extend the approach of Mesnager to partially address this issue. We therefore consider a different family of Boolean functions defined as follows. The family of Boolean functions H n consists of the functions f a,b defined as f a,b x) = ) ) Tr n 1 a r x r2m 1) + Tr t 1 bx s2m 1) 2) where R is a set of representatives of the cyclotomic classes modulo 2 m + 1, the coefficients a r are in F 2 m, s divides 2 m + 1, i.e. s2 m 1) is a Dillon-like exponent, t = os2 m 1)), i.e. t is the size 10

11 of the cyclotomic coset of s modulo 2 m + 1, and the coefficient b is in F 2 t. Moreover, let τ = 2m +1 s. Remark that f a,0 = f a where f a G n is the function defined in the previous subsection. Set f a,b x) = Tr n 1 a r x r ) + Tr t 1 bx s ). Remark According to Remark 3.6, the family H n is always strictly larger than the family G n. Let U = { u F 2 +1 n u2m = 1 } be the subgroup of F 2 of order n 2m +1, V = {v F 2 n vs = 1} its subgroup of order s and W = {w F 2 n wτ = 1} its subgroup of order τ. Denote by α a primitive element of F 2 n. Then ζ = α 2m 1 is a generator of U, ρ = ζ τ is a generator of V and ξ = ζ s is a generator of W. Remark Note that F 2 t W. Indeed, by definition s2 m 1) 2 t s2 m 1) mod 2 n 1). Thus 2 t 1)s 0 mod 2 m + 1), which implies that 2 t 1 0 mod τ), that is τ divides 2 t 1. Remark Let us consider the τ-power homomorphism φ : x F 2 n xτ F 2n. Its kernel is W and so it is τ-to-1. Furthermore, V and W are subsets of U, so that the restriction of φ to U maps U onto V and is again τ-to-1. A similar statement is clearly true for s, switching the sets V and W. Remark The set U can be decomposed as U = τ 1 ζ i V = s 1 ζ i W. Definition For 0 i τ 1, define S i a) and S i a) to be the partial exponential sums S i a) = v V S i a) = v V χ f a ζ i v) ), χ f a ζ i v) ). Moreover, define Λa, b) = Λf a,b ) and Λa, b) = Λf a,b ). Remark The Boolean function f a,b is hyper-bent if and only if Λa, b) = 1. Moreover, Remark 3.5 can be extended to f a,b and f a,b and yields Λa, b) = Λa, b). Finally, Proposition 3.7 can be extended to show that, if f a,b is hyper-bent, then its is f a,b 2 m. Remark One obviously has In particular, Lemma 3.8 yields τ 1 S i a) = Λa, 0) = Λa). τ 1 S i a) = 1 + 2T 1 a). 11

12 In the particular case where f a is a monomial function, i.e. f a x) = Tr n ) 1 ax r2 m 1), Remark 3.16 can be further refined. Lemma Suppose that r is co-prime with 2 m + 1. One has τ 1 S i a) = 1 K m a). Proof. The function u u + u 1 being onto and 2-to-1 from U \ {1} to T 1, one gets K m a) = 2T 1 Tr m 1 ax)) = χ Tr m 1 a u + u 1 ))) u U, u 1 = u U, u 1 χ Tr n 1 au)) = 1 u U χ Tr n 1 au)). Furthermore, the r-power map induces a permutation of U and thus χ Tr n 1 au)) = χ Tr n 1 au r )) u U u U = Λa) = Λa). The two partial exponential sums S i and S i defined above are closely related. Lemma For 0 i τ 1, one has S i a) = S 2i a). Proof. First, one has S i a) = v V χ f a ζ i v) ) = v V = v V χ χ Tr n 1 Tr n 1 a r ζ i v ) r2 m 1) )) a r ζ i2m 1) v 2m 1 ) r) ). But 2 m 1 is co-prime with s, so that the 2 m 1)-power map induces a permutation of V, as does multiplication by ζ τ. Moreover, 2 m mod τ) implies that 2 m 1 2 mod τ). Hence, S i a) = v V χ Tr n 1 a r ζ 2i v ) r )). 12

13 Remark 3.16 can then be extended to express Λa, b) as a linear combination of the sums S i. Proposition One has Proof. One has τ 1 Λa, b) = χ Tr t 1 i )) S i a). Λa, b) = Λa, b) = u U = u U = τ 1 v V χ f a u) + Tr t 1 bu s ) ) χ f a u) ) χ Tr t 1 bu s ) ) χ f a ζ i v) ) χ Tr t 1 b ζ i v ) )) s τ 1 = χ Tr t 1 i )) χ f a ζ i v) ) v V τ 1 = χ Tr t 1 i )) S i a). We now devise an additional relation between the partial exponential sums S i and the partial exponential sum T 1. In particular, we express the partial exponential sum S 0 using T 1. Lemma Let l be a divisor of τ and let k be the integer k = τ/l. Then For l = 1, it reads k 1 k 1 S il a) = S il a) = 1 l 1 + 2T 1g a D l )). τ 1 τ 1 S i a) = S i a) = 1 + 2T 1 g a )), which is nothing but Remark For l = τ, it reads S 0 a) = S 0 a) = 1 τ 1 + 2T 1g a D τ )). Proof. According to a straightforward extension of Remark 3.11, the l-power map is l-to-1 from U onto k 1 ζil V. Therefore, k 1 S il a) = = 1 l k 1 χ f a ζ il v) ) v V χ f a u l ) ). u U One then concludes with Lemma 3.8. The results for S i readily follows from the fact multiplication by 2 induces a permutation of and Lemma {il} k 1 13

14 Remark Recall that τ divides 2 m + 1, and so does l. Therefore, τ and l are co-prime with 2 m 1. According to Corollary 2.12, D l induces a permutation of T 0, whence the validity of the equality k 1 k 1 S il a) = S il a) = 1 l 1 + 2Ξ g a D l ) 2T 0 a)). In the case where l = τ, it reads S 0 a) = S 0 a) = 1 τ 1 + 2Ξ g a D τ ) 2T 0 a)). To conclude this section, we show how further identities involving the partial exponential sums S i can be obtained by restricting the field of definition of the coefficients a r to a strict subfield of F 2 m. Lemma Let l be a divisor of m and k = m/l. Suppose that the coefficients a r lie in F 2 l and that 2 l j mod τ), where j is a k-th root of 1 modulo τ. Then S i a) = S ij a). Proof. Recall that 2 m 1 mod τ). Hence, if 2 l j mod τ), then j is a k-th root of 1 modulo τ. Since a r F 2 l, one has a 2l r = a r. Recall that Tr m ) 1 x 2 = Tr m 1 x), so that S i a) = χ f a ζ i v) ) v V = χ v V = χ v V = χ v V Tr m 1 Tr m 1 Tr m 1 ar ζ i v) r)) a 2l r ζ 2li v 2l ) r)) a r ζ ij ζ i2l j) v 2l ) r)). But the 2 l )-power map and multiplication by ζ i2l j) induce permutations of V and therefore S i a) = χ v V = S ij a). Tr m 1 ar ζ ij v) r)) Remark In the particular case where l = m, note that 2 m 1 mod τ). Therefore, one has S i a) = S i a). One then deduces from Proposition 3.19 that Λa, b) = χ Tr t 1 b) ) S 0 a) + 2 τ 1 i=1 χ Tr t 1 i )) + χ Tr t 1 i ))) S i a). 14

15 Remark It is a difficult problem to deduce a completely general characterization of hyperbentness in terms of complete exponential sums from the results of the current section, that is a characterization valid for any m, s and b. Nevertheless, several powerful applications of these results, valid for infinite families of Boolean functions, will be described in Section An alternate proof To provide an alternate proof of Proposition 3.19, we introduce inverse exponential sums. Proposition For c F 2 t, let Λa, c) be the exponential sum Λa, c) = χ Tr t 1 bc) ) Λa, b). b F 2 t 1. For all c F 2 t, one has Λa, c) = 2 t χ f a u) ). u U, u s =c 2. If c F 2 t \ W, then Λa, c) = 0. If c W, that is if c = ξ i for some i, then Λa, ξ i ) = 2 t S i a). Proof. 1. Switching the summations on U and F 2 t yields Λa, c) = χ Tr t 1 bc) ) χ f a,b u)) b F 2 t = b F 2 t = u U u U χ Tr t 1 bc) ) χ f a u)) b F 2 t u U χ χ f a u)) χ Tr t 1 bu )) s2m 1) Tr t 1 ))) b c + u s2m 1). The sum over F 2 t is non-zero if and only if c = u s2m 1) so that Λa, c) = 2 t χ f a u)) u U, u s2m 1) =c = 2 t u U, u s =c χ f a u) ). 2. According to Remark 3.11, if c F 2 t \ W, then the equation u s = c has no solutions in U. Therefore, Λa, c) = 0. Suppose now that c W and that c = ξ i = ζ is for some i. The kernel of the s-power map is V so that u s = ζ is if and only if u ζ i V. Thus Λa, c) = 2 t v V χ f a ζ i v) ). The partial exponential sum Λa, b) can now be expressed with Λa, c). 15

16 Lemma One has Λa, b) = 1 2 t χ Tr t 1 bc) ) Λa, c). c F 2 t Proof. Going back to the definition of Λa, c), one has χ Tr t 1 bc) ) Λa, c) = χ Tr t 1 bc) ) χ Tr t 1 dc) ) Λa, d) c F 2 t c F 2 t d F 2 t d F 2 t = Λa, d) χ Tr t 1 bc) ) χ Tr t 1 dc) ) c F 2 t = Λa, d) χ Tr t 1 b + d) c) ). d F 2 t c F 2 t But c F χ Tr t 2 t 1 b + d) c) ) = 0 if b d and 2 t otherwise. Therefore χ Tr t 1 bc) ) Λa, c) = 2 t Λa, b). c F 2 t Remark Proposition 3.25 and Lemma 3.26 provide an alternate proof of Proposition 3.19: Λa, b) = 1 2 t χ Tr t 1 bc) ) Λa, c) c F 2 t = 1 2 t c F 2 t \W = 1 2 t χ Tr t 1 bc) ) Λa, c) c W = 1 τ 1 2 t χ Tr t 1 i )) Λa, ξ i ) = 1 τ 1 2 t χ Tr t 1 i )) 2 t S i a) τ 1 = χ Tr t 1 i )) S i a). χ Tr t 1 bc) ) Λa, c) + χ Tr t 1 bc) ) Λa, c) 4 Building infinite families of extension degrees In the previous subsection, we set an extension degree m and studied the corresponding exponents s. It is however customary to go the opposite way around, i.e. set an exponent, or a given form of exponent, which is valid for an infinite family of extension degree and devise characterizations valid for this inifinity of extension degrees. In this section we provide the link between these two approaches. The above construction relies on the fact that τ divides 2 m + 1, that is 2 m 1 mod τ) or equivalently that 1 is in the cyclotomic coset of 1 modulo 2 m + 1. We now focus on the construction of values of τ for which an infinite number of such m exists. Recall that the integers s and τ of the previous section verify s = 2m +1 τ. 16 c W

17 4.1 Prime case Let p be an odd prime number. The set of modular integers Z/pZ is a field and there exists i such that 2 i 1 mod p) if and only if the multiplicative order of 2 modulo p is even. In this case, taking m l mod 2l), where 2l is the multiplicative order of 2 modulo p, yields an infinite family of values of m for which 2 m 1 mod p). The corresponding denominator is τ = p. The size t = os) of the cyclotomic coset of s = 2 m + 1)/τ modulo 2 m + 1, is then Furthermore, one has t = 2l. 2 m 2 l mod 2 t 1), so that if f a,b H n is hyper-bent, then its dual is f a,b 2 l. To actually devise such prime numbers, we now focus on the specific case where the multiplicative order of 2 modulo p is maximal, that is where 2 is a primitive root modulo p. In this situation, the above condition becomes 2 p mod p). ) 2 p This implies that the Legendre symbol of 2 modulo p is 1 and that 2 is a quadratic nonresidue modulo p. It is well-known that the Legendre symbol of 2 modulo an odd prime p is ) { 2 = 1) p if p ±1 mod 8), = p 1 if p ±3 mod 8). Therefore, if 2 is a primitive root modulo p, then one must have p ±3 mod 8). This gives a practical criterion to discard prime numbers such that 2 is not a primitive element. Further characterizations of primes p such that 2 is a primitive root modulo p can be found in a paper of Park, Park and Kim [16]. For such a prime number p, taking m p 1 2 mod p 1) yields an infinite family of values of m for which 2 m 1 mod p), the corresponding denominator being τ = p. The size t = os) of the cyclotomic coset of s = 2 m + 1)/τ modulo 2 m + 1, is then t = p 1 = τ 1. Finding an inifinite number of odd prime numbers for which 2 is a primitive element would thus give an elegant solution to our problem, i.e. finding an infinite family of denominators τ associated with infinite families of extension degrees m. This question is however difficult; it is a special case of Artin s conjecture on primitive roots. Conjecture 4.1 Artin s conjecture on primitive roots). Let a be an integer which is neither a perfect square nor 1. Then the number of primes numbers p such that a is a primitive element modulo p is infinite. It should be noted that Artin s conjecture has been proved by Hooley [10] under the Generalized Riemann Hypothesis. Heath-Brown [9] has proved unconditionally that there exist at most two exceptional primes for which Artin s conjecture fails; nonetheless, this proof is non-constructive. From a more computational perspective, the first elements of the sequence of primes such that 2 is a primitive element is sequence A in OEIS [11] and begins with 3, 5, 11, 13, 19, 29, 37, 53, 59, 61, 67,

18 As mentioned in the beginning of this section, it is not necessary that 2 is a primitive root modulo 2 for 1 and 1 to lie in the same cyclmotomic coset modulo p. The list of odd primes p smaller than 100 such that the multiplicative order of 2 modulo p is even and a strict divisor of p 1, together with half the order l of 2, i.e. the smallest integer l such that 2 l 1 mod p), is 17, 4), 41, 10), 43, 7), 97, 24). Finally, there exist as well odd primes for which 1 and 1 are not in the same cyclotomic coset modulo p. The list of such primes smaller than 100 is 4.2 Prime power case 7, 23, 31, 47, 71, 73, 79, 89. Let p be an odd prime number and k 2 a positive integer. The multiplicative group of units modulo p k is once again cyclic and isomorphic to Z/p k Z ) Z/p 1)Z) Z/pZ) k 1. The condition for the prime case is thus still valid; there exists i such that 2 i 1 mod p k ) if and only if the multiplicative order of 2 modulo p k is even. In this case, taking m l mod 2l), where 2l is the multiplicative order of 2 modulo p k, yields an infinite family of values of m for which 2 m 1 mod p). The corresponding denominator is τ = p k. The size t = os) of the cyclotomic coset of s = 2 m + 1)/τ modulo 2 m + 1, is then t = 2l. If f a,b H n is hyper-bent, then its dual is f a,b 2 l. It is a classical result [4, Lemma and following remarks], that if an integer a is a primitive root modulo p, then a or a + p is a primitive root modulo p 2. Furthermore, if a is a primitive root modulo p 2, then it is modulo p k for any k 2. Conversely, if a is not a primitive root modulo p i, then it is not a primitive root modulo p k for any k i. The approach of the previous subsection can therefore be extended to any prime power p k with k 2 by just checking that 2 is a primitive root modulo p 2. If it is, then 2 φpk ) 2 1 mod φp k )) for any k 2, where φ denotes Euler s totient function. In particular, φp k ) = p 1)p k. In this case, one would choose m φpk ) 2 mod φp k )), the corresponding denominator being τ = p k. The size t = os) of the cyclotomic coset of s = 2 m + 1)/τ modulo 2 m + 1, is then t = φp k ). The primes smaller than 100 such that 2 is a primitive root modulo p 2 are 3, 5, 11, 13, 19, 29, 37, 53, 59, 61, 67, 83. From a computational perspective, more can be said. Indeed, if 2 is primitive root modulo p, but is not modulo p 2, a simple calculation shows that 2 p 1 1 mod p 2 ), that is p is a Wieferich prime. The sequence of such primes is sequence A in the OEIS [11]. Only two of them are currently known: 1093 and 3511; and 2 is not a primitive root for both of these primes. Checking that 2 is a primitive root modulo p is therefore enough to ensure that it is modulo any power of p as long as p is not too large, less than fifteen decimal digits according to Dorais and Klyve [7]. 18

19 The list of odd primes p smaller than 100 such that the multiplicative order of 2 modulo p 2 is even and a strict divisor of φp 2 ), together with half the order l of 2, i.e. the smallest integer l such that 2 l 1 mod p 2 ), is 17, 68), 41, 410), 43, 301), 97, 2328). Finally, the list of odd primes p smaller than 100 such that 1 and 1 do not lie in the same cyclotomic coset modulo p 2 is 4.3 Composite case 7, 23, 31, 47, 71, 73, 79, 89. We now consider the general case of an odd composite number. Let s say that τ = p k1 1 pkr r is a product of r 2 distinct prime powers. The multiplicative group of units modulo τ is not cyclic anymore and is isomorphic to the product of the cyclic groups corresponding to each prime power: ) Z/τZ) Z/p k1 1 Z Z/p k r r Z ). The multiplicative order of 2 modulo τ is the least common multiple of its multiplicative orders modulo the prime powers dividing n. There exists an integer i such that 2 i 1 mod τ) if and only if there exists such integers for each prime power dividing τ, that is if the multiplicative order of 2 modulo p kj j is even for 1 j r, and if moreover their least common multiple is an odd multiple of each of them, that is if they all have the same 2-adic valuation. In such a situation, taking m l mod 2l), where 2l is the multiplicative order of 2 modulo τ, yields an infinite family of values of m for which 2 m 1 mod τ). Recall that the corresponding denominator is τ. The size t = os) of the cyclotomic coset of s = 2 m + 1)/τ modulo 2 m + 1, is then t = 2l. If f a,b H n is hyper-bent, then its dual is f. a,b 2 l In particular, if 2 is a primitive root modulo each prime power dividing τ, then the multiplicative order of 2 modulo τ is 2l = lcmφp k1 1 ),..., φpkr r )), and 2 l 1 mod τ) if and only if ν 2 p 1 1) = = ν 2 p r 1), where ν 2 denotes the 2-adic valuation. Conditioned by the fact that there exists an infinite number of primes p such that 2 is a primitive root modulo p or modulo p 2 and such that p 1 has a given 2-adic valuation, we can construct an infinite number of composite odd numbers addressing our original problem. The list of suitable odd composite numbers τ smaller than 100, together with half the multiplicative order l of 2 modulo τ, that is the smallest integer such that 2 l 1 mod τ), is 5 Applications 33, 5), 57, 9), 65, 6), 99, 15). In this section, we show how the results of Section 3 can be applied to several infinite families of Boolean functions in order to obtain characterizations of their hyper-bentness in terms of complete exponential sums. Much of these applications can be straightforwardly extended to other cases. 19

20 5.1 The case b = 1 We first apply results of Subsections 3.1 and 3.2 to f a,1 defined as in Equation 2) in the specific case where b = 1. Since 1 lies in F 2, there exists β F 2 m such that Tr n t β) = 1. In particular, f a,1 belongs to both families G n and H n. Applying Theorem 3.9 shows that f a,1 is hyper-bent if and only if ) a r D r t) + βd s t) = 0. t T 1 χ Applying Lemma 2.17, this condition is straightforwardly expressed in terms of complete exponential sums, or of the Hamming weights of f a,β and g a,β. We now show how the results of Subsection 3.2 can be applied to obtain a different characterization ot the hyper-bentness of f a,1. According to Proposition 3.2, f a,1 is hyper-bent if and only if Λa, 1) = 1. Let ξ be a primitive τ-th root of unity. First, recall that ξ lies in F 2 t, that Tr t ) 1 ξ 2 = Tr t 1 ξ) and that τ 1 ξ i = 0. Second, remark that the results of Section 4 imply that t is even, so that Tr t 1 1) = 0. Moreover, ξ is a 2 t/2 + 1)-th root of unity so that ξ + ξ 1 F 2 t/2 which implies that Finally, Proposition 3.19 reads Λa, 1) = S 0 a) + 2 Tr t 1 ξ i ) = Tr t 1 ξ i ). 2 χ Tr t 1 ξ i )) S i a). τ 1 i=1 Nonetheless, the trace of ξ i for i 0 depends on the exact value of τ. In the sequel, we deal with some specific cases Prime case For simplicty, we first suppose that τ = p is a prime and that 2 is a primitive root modulo p. In this case, t = p 1 and i is co-prime with p, so that Therefore Tr p 1 1 ξ i ) p 2 = ξ i2j = j=0 p 1 p 1 ξ ij = ξ j = 1. j=1 j=1 τ 1 Λa, 1) = 2S 0 a) S i a). Applying Lemma 3.20 with l = 1 and l = τ yields i=1 Λa, 1) = 2 τ 1 + 2T 1g a D τ )) 1 + 2T 1 g a )). Consequently, we get the following characterization. 20

21 Proposition 5.1. Suppose that τ = p is a prime and that 2 is a primitive root modulo p. Then In particular, f a,1 is hyper-bent if and only if Prime power case τλa, 1) = 4T 1 g a D τ ) 2τT 1 g a ) τ T 1 g a D τ ) τt 1 g a ) = τ 1. We now treat the case where τ = p k is a prime power and that 2 is a primitive root modulo p k, including the case where k = 1. Then t = φp k ) = p 1)p k 1. Remark that in this situation, for every positive integers i 0 and j > 0 such that i + j = k, one has ξ pi) p j = ξ pk = 1, so that Then p j 1 l=0 ξ lpi = 0. 3) Tr φpk ) 1 ξ i ) φp k ) 1 = ξ i2j = j=0 1 j p k 1, p j ξ ij. If p e i with 0 e k 1, then i = lp e with l co-prime with p 1 and Tr φpk ) 1 ξ i ) = ξ jlpe = = = 1 j p k 1, p j 1 j p k 1, p j p k 1 j=0 p k 1 j=0 ξ jpe p k 1 1 ξ jpe + j=0 p k 1 ξ jpe + j=0 ξ jpe+1 ξ jpe+1 + p k 1 ξ jp e+1 j=p k 1. Equation 3) shows that the first two sums of the right hand side of the last equality can be splitted into a multiple of sums equal to zero. If 0 e k 2, then the third sum is zero as well, so that Tr φpk ) 1 ξ i ) = 0. If e = k 1, then the third sum reads Therefore p k 1 ξ jp k j=p k 1 = p k 1 j=p k 1 ξ j = 1. Tr φpk ) 1 ξ i ) = 1. 21

22 Summing up the above observations yields Λa, 1) = p k 1 p 1 S i a) 2 i=1 S ip k 1a) p k 1 p 1 = 2S 0 a) + S i a) 2 S ip k 1a). Applying Lemma 3.20 with l = 1, l = p k 1 and l = p k then gives Λa, 1) = 2 p k 1 + 2T 1g a D p k)) 2 p k T 1g a D p k 1)) T 1 g a )). Consequently, we get the following characterization. Proposition 5.2. Suppose that τ = p k is a prime power and that 2 is a primitive root modulo p k. Then p k Λa, 1) = 4T 1 g a D p k)) 4pT 1 g a D p k 1) + 2p k T 1 g a ) + p k 2p + 2. In particular, f a,1 is hyper-bent if and only if Other cases 2T 1 g a D p k) 2pT 1 g a D p k 1) + p k T 1 g a ) = p 1. The cases where τ is an odd composite number or where 2 is not a primitive root modulo τ are more involved and will be treated in subsequent works. 5.2 Explicit values for τ The previous subsection dealt with a fixed value of b F 2 casting as few restictions as possible t on τ. In this subsection we go the other way around and treat the first few possible values of τ for all values of b with as few restrictions as possible on the corresponding infinite family of Boolean functions The case τ = 3 The smallest possible value for τ is τ = 3. This case was originally addressed by Mesnager in 2009 for the binomial case [15] and further in 2010 for the general case [14]. We now show how the characterizations for the general case can be directly deduced from the results of Section 3. In this case, t = 2 and m 1 mod 2). In particular, t < 2m as soon as m 1. Furthermore, if f a,b is hyper-bent, then its dual is f a,b 2. According to Remark 3.23, Λa, b) = χ Tr 2 1 b) ) S 0 a) + χ Tr 2 1 ) ) + χ Tr ))) S 1 a). Note that ξ is a 3-rd root of unity and that ξ + ξ 1 = 1, so that Λa, b) = χ Tr 2 1 b) ) S 0 a) + χ Tr 2 1 ) ) 1 + χ Tr 2 1 b) )) S 1 a). Moreover, F 4 = ξ. Thus, if b = 1, then Λa, 1) = S 0 a) 2S 1 a), and if b = ξ or b = ξ 1, that is if b is a 3-rd root of unity or equivalently a primitive element of F 4, then Λa, b) = S 0 a). Applying Lemma 3.20 with l = 1 and l = 3 then gives the following theorem and the corresponding characterizations for hyper-bentness. 22

23 j\i j\i Table 1: Traces for τ = 5 Theorem 5.3 [15]). Let τ = 3 and m 1 mod 2). Then 1. If b = 1, then 3Λf a,1 ) = 4T 1 g a D 3 ) 6T 1 g a ) If b is a primitive element of F 4, then 3Λf a,b ) = 2T 1 g a D 3 ) The case τ = 5 The next possible value for τ is τ = 5. This case was originally addressed by Wang et al. in late 2011 for the general case [20], but they also gave specific treatments for the binomial case [19, 18]. We now show how their characterizations for the general case can be directly deduced from the results of Section 3. In this case, t = 4 and m 2 mod 4). In particular, t < 2m as soon as m 2. Furthermore, if f a,b is hyper-bent, then its dual is f a,b 4. According to Remark 3.23, Λa, b) = χ Tr 4 1 b) ) S 0 a) Introduce γ = ξ + ξ 1 F 4. Then + χ Tr 4 1 ) ) + χ Tr ))) S 1 a) + χ Tr )) + χ Tr ))) S 2 a). Λa, b) = χ Tr 4 1 b) ) S 0 a) + χ Tr 4 1 ) ) 1 + χ Tr 4 1 bγ) )) S 1 a) + χ Tr )) 1 + χ Tr 4 1 bγ 2 ))) S 2 a). Next, recall that ξ is a 5-th root of unity, so that 4 ξi = 0. In particular, γ + γ 2 = 1 and Tr 4 1 bγ) + Tr 4 1 bγ 2 ) = Tr 4 1 b). We now explicitely compute the traces Tr 4 1 i ). The finite field F 16 is represented as F 2 [x]/c 4 x)) where C 4 x) = x 4 + x + 1 is the 4-th Conway polynomial. We denote the class of x modulo C 4 x) by β; this is a primitive element of F 16. Let ξ = β 3 be a 5-th root of unity. The traces Tr 4 1 i ) are given in Table 1. The expression of Λa, β j ) as a sum of the partial exponential sums S i, together with the minimal polynomial m j of β j, are given in Table 2. Moreover, if the coefficients a r lie in F 2 l, where l = m/2, then l 1 mod 2) and 2 l ±2 mod 5) and Lemma 3.22 tells that either S 1 a) = S 2 a) or S 1 a) = S 3 a). But S 2 a) = S 3 a), so that one always has S 1 a) = S 2 a). 23

24 j Λa, β j ) m j 0 S 0 2S 1 2S 2 x S 0 x 4 + x S 0 x 4 + x S 0 2S 2 x 4 + x 3 + x 2 + x S 0 x 4 + x S 0 + 2S 1 2S 2 x 2 + x S 0 2S 1 x 4 + x 3 + x 2 + x S 0 + 2S 1 x 4 + x j Λa, β j ) m j 8 S 0 x 4 + x S 0 2S 1 x 4 + x 3 + x 2 + x S 0 2S 1 + 2S 2 x 2 + x S 0 + 2S 2 x 4 + x S 0 2S 2 x 4 + x 3 + x 2 + x S 0 + 2S 1 x 4 + x S 0 + 2S 2 x 4 + x Table 2: Λa, β j ) for τ = 5 Finally applying Lemma 3.20 for l = 1 and l = 5 gives the following theorem which summarizes the above discussion. Theorem 5.4 [20]). Let τ = 5 and m 2 mod 4). 1. If b = 1, then 5Λf a,1 ) = 4T 1 g a D 5 ) 10T 1 g a ) If b is a primitive element of F 16 such that Tr 4 1 b) = 0, then 5Λf a,b ) = 2T 1 g a D 5 ) Suppose moreover that a r F 2 m 2. a) If b is a primitive element of F 16 such that Tr 4 1 b) = 1, then 5Λf a,b ) = 3T 1 g a D 5 ) + 5T 1 g a ) + 1. b) If b is a primitive 5-th root of unity, then 5Λf a,b ) = T 1 g a D 5 ) 5T 1 g a ) 3. c) If b is a primitive 3-rd root of unity, then 5Λf a,b ) = 2T 1 g a D 5 ) The case τ = 7 For τ = 7, 1 and 1 do not lie in the same cyclotomic coset modulo 7, hence the next suitable value for τ is τ = The case τ = 9 In the case τ = 9, t = 6 and m 3 mod 6). In particular, t < 2m as soon as m 3. Furthermore, if f a,b is hyper-bent, then its dual is f a,b 8. According to Remark 3.23, Λa, b) = χ Tr 6 1 b) ) S 0 a) + χ Tr 6 1 ) ) + χ Tr ))) S 1 a) + χ Tr )) + χ Tr ))) S 2 a) + χ Tr )) + χ Tr ))) S 3 a) + χ Tr )) + χ Tr ))) S 4 a). Introduce γ = ξ 8 + ξ F 8. Note that γ 2 = ξ 2 + ξ 7, γ 3 = ξ + ξ 3 + ξ 6 + ξ 8, γ 4 = ξ 4 + ξ 5, γ 5 = ξ 3 + ξ 4 + ξ 5 + ξ 6, γ 6 = ξ 2 + ξ 3 + ξ 6 + ξ 7. 24

25 Thus Λa, b) = χ Tr 6 1 b) ) S 0 a) + χ Tr 6 1 ) ) 1 + χ Tr 6 1 bγ) )) S 1 a) + χ Tr )) 1 + χ Tr 6 1 bγ 2 ))) S 2 a) + χ Tr )) 1 + χ Tr 6 1 bγ 3 + γ) ))) S 3 a) + χ Tr )) 1 + χ Tr 6 1 bγ 4 ))) S 4 a). Next, recall that 8 ξi = 0. Hence, γ 2 + γ 3 + γ 4 = 1 and Tr 6 1 bγ) + Tr 6 1 bγ 2 ) + Tr 6 1 bγ + γ 3 ) ) + Tr 6 1 bγ 4 ) = Tr 6 1 b). We now explicitely compute the traces Tr 6 1 i ). The finite field F 64 is represented as F 2 [x]/c 6 x)) where C 6 x) = x 6 + x 4 + x 3 + x + 1 is the 6-th Conway polynomial. We denote the class of x modulo C 6 x) by β; this is a primitive element of F 64. Let ξ = β 7 be a 9-th root of unity. The traces Tr 6 1 β j ξ i) are given in Table 3. The expression of Λa, β j ) as a sum of the partial exponential sums S i, together with the minimal polynomial m j of β j, are given in Tables 4 and 5. Moreover, if the coefficients a r lie in F 2 l, where l = m/3, then 2 l is 1, 2 or 4 modulo 9 when l is respectively 0, 1 and 2 modulo 3. In the last two cases, Lemma 3.22 tells that S 1 a) = S 2 a) = S 4 a). The corresponding expressions for Λa, b), obtained after applying Lemma 3.20 for l = 1, l = 3 and l = 9, are given in Table 6, where m b is the minimal polynomial of b. Finally, the following theorem summarizes the above discussion. Theorem 5.5. Let τ = 9 and m 3 mod 6). 1. If b = 1, then 9Λa, 1) = 18T 1 g a ) 12T 1 g a D 3 ) + 4T 1 g a D 9 )) If b is a primitive 3-rd root of unity, then 9Λf a,b ) = 18T 1 g a ) 6T 1 g a D 3 ) 2T 1 g a D 9 ) Suppose moreover that a r F 2 m 3 and m 3 0 mod 3). a) If the minimal polynomial of b is x 3 +x+1, then 9Λa, b) = 6T 1 g a )+8T 1 g a D 3 )+1. b) If the minimal polynomial of b is x 3 + x 2 + 1, then 9Λa, b) = 6T 1 g a ) 4T 1 g a D 3 ) + 4T 1 g a D 9 ) 3. c) If the minimal polynomial of b is x 6 +x 3 +1, then 9Λa, b) = 6T 1 g a )+4T 1 g a D 3 )+5. d) If the minimal polynomial of b is x 6 + x 4 + x 2 + x + 1, then 9Λa, b) = 6T 1 g a ) + 8T 1 g a D 3 ) + 1. e) If the minimal polynomial of b is x 6 + x 5 + x 4 + x 2 + 1, then 9Λa, b) = 6T 1 g a ) + 2T 1 g a D 3 ) 2T 1 g a D 9 ) 3. f) If the minimal polynomial of b is x 6 + x + 1, then 9Λa, b) = 6T 1 g a ) 4T 1 g a D 3 ) + 4T 1 g a D 9 ) 3. g) If the minimal polynomial of b is x 6 + x 5 + 1, then 9Λa, b) = 6T 1 g a ) 2T 1 g a D 3 ) 2T 1 g a D 9 ) + 1. h) If the minimal polynomial of b is x 6 + x 4 + x 3 + x + 1, then 9Λa, b) = 6T 1 g a ) 8T 1 g a D 3 ) + 4T 1 g a D 9 ) + 1. i) If the minimal polynomial of b is x 6 + x 5 + x 2 + x + 1, then 9Λa, b) = 6T 1 g a ) 2T 1 g a D 3 ) 2T 1 g a D 9 )

26 j\i j\i Table 3: Traces for τ = 9 26

Similar documents

Decomposing Bent Functions

Decomposing Bent Functions 2004 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 49, NO. 8, AUGUST 2003 Decomposing Bent Functions Anne Canteaut and Pascale Charpin Abstract In a recent paper [1], it is shown that the restrictions

More information

Constructing hyper-bent functions from Boolean functions with the Walsh spectrum taking the same value twice

Constructing hyper-bent functions from Boolean functions with the Walsh spectrum taking the same value twice Noname manuscript No. (will be inserted by the editor) Constructing hyper-bent functions from Boolean functions with the Walsh spectrum taking the same value twice Chunming Tang Yanfeng Qi Received: date

More information

Dickson Polynomials that are Involutions

Dickson Polynomials that are Involutions Dickson Polynomials that are Involutions Pascale Charpin Sihem Mesnager Sumanta Sarkar May 6, 2015 Abstract Dickson polynomials which are permutations are interesting combinatorial objects and well studied.

More information

Hyperbent functions, Kloosterman sums and Dickson polynomials

Hyperbent functions, Kloosterman sums and Dickson polynomials Hyperbent functions, Kloosterman sums and Dickson polynomials Pascale Charpin INRIA, Codes Domaine de Voluceau-Rocquencourt BP 105-78153, Le Chesnay France Email: pascale.charpin@inria.fr Guang Gong Department

More information

Hyperbent functions, Kloosterman sums and Dickson polynomials

Hyperbent functions, Kloosterman sums and Dickson polynomials Hyperbent functions, Kloosterman sums and Dickson polynomials Pascale Charpin Guang Gong INRIA, B.P. 105, 78153 Le Chesnay Cedex, France, Pascale.Charpin@inria.fr Department of Electrical and Computer

More information

A conjecture about Gauss sums and bentness of binomial Boolean functions. 1 Introduction. Jean-Pierre Flori

A conjecture about Gauss sums and bentness of binomial Boolean functions. 1 Introduction. Jean-Pierre Flori A conjecture about Gauss sums and bentness of binomial Boolean functions Jean-Pierre Flori arxiv:608.05008v2 [math.nt] 9 Aug 206 Abstract In this note, the polar decomposition of binary fields of even

More information

On The Weights of Binary Irreducible Cyclic Codes

On The Weights of Binary Irreducible Cyclic Codes On The Weights of Binary Irreducible Cyclic Codes Yves Aubry and Philippe Langevin Université du Sud Toulon-Var, Laboratoire GRIM F-83270 La Garde, France, {langevin,yaubry}@univ-tln.fr, WWW home page:

More information

CCZ-equivalence and Boolean functions

CCZ-equivalence and Boolean functions CCZ-equivalence and Boolean functions Lilya Budaghyan and Claude Carlet Abstract We study further CCZ-equivalence of (n, m)-functions. We prove that for Boolean functions (that is, for m = 1), CCZ-equivalence

More information

Quasi-reducible Polynomials

Quasi-reducible Polynomials Quasi-reducible Polynomials Jacques Willekens 06-Dec-2008 Abstract In this article, we investigate polynomials that are irreducible over Q, but are reducible modulo any prime number. 1 Introduction Let

More information

Part II. Number Theory. Year

Part II. Number Theory. Year Part II Year 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007 2006 2005 2017 Paper 3, Section I 1G 70 Explain what is meant by an Euler pseudoprime and a strong pseudoprime. Show that 65 is an Euler

More information

Differential properties of power functions

Differential properties of power functions Differential properties of power functions Céline Blondeau, Anne Canteaut and Pascale Charpin SECRET Project-Team - INRIA Paris-Rocquencourt Domaine de Voluceau - B.P. 105-8153 Le Chesnay Cedex - France

More information

arxiv: v1 [cs.dm] 20 Jul 2009

arxiv: v1 [cs.dm] 20 Jul 2009 New Binomial Bent Function over the Finite Fields of Odd Characteristic Tor Helleseth and Alexander Kholosha arxiv:0907.3348v1 [cs.dm] 0 Jul 009 The Selmer Center Department of Informatics, University

More information

Maximal Class Numbers of CM Number Fields

Maximal Class Numbers of CM Number Fields Maximal Class Numbers of CM Number Fields R. C. Daileda R. Krishnamoorthy A. Malyshev Abstract Fix a totally real number field F of degree at least 2. Under the assumptions of the generalized Riemann hypothesis

More information

Standard forms for writing numbers

Standard forms for writing numbers Standard forms for writing numbers In order to relate the abstract mathematical descriptions of familiar number systems to the everyday descriptions of numbers by decimal expansions and similar means,

More information

TC10 / 3. Finite fields S. Xambó

TC10 / 3. Finite fields S. Xambó TC10 / 3. Finite fields S. Xambó The ring Construction of finite fields The Frobenius automorphism Splitting field of a polynomial Structure of the multiplicative group of a finite field Structure of the

More information

ON THE SEMIPRIMITIVITY OF CYCLIC CODES

ON THE SEMIPRIMITIVITY OF CYCLIC CODES ON THE SEMIPRIMITIVITY OF CYCLIC CODES YVES AUBRY AND PHILIPPE LANGEVIN Abstract. We prove, without assuming the Generalized Riemann Hypothesis, but with at most one exception, that an irreducible cyclic

More information

A connection between number theory and linear algebra

A connection between number theory and linear algebra A connection between number theory and linear algebra Mark Steinberger Contents 1. Some basics 1 2. Rational canonical form 2 3. Prime factorization in F[x] 4 4. Units and order 5 5. Finite fields 7 6.

More information

On Cryptographic Properties of the Cosets of R(1;m)

On Cryptographic Properties of the Cosets of R(1;m) 1494 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 47, NO. 4, MAY 2001 On Cryptographic Properties of the Cosets of R(1;m) Anne Canteaut, Claude Carlet, Pascale Charpin, and Caroline Fontaine Abstract

More information

ECEN 5022 Cryptography

ECEN 5022 Cryptography Elementary Algebra and Number Theory University of Colorado Spring 2008 Divisibility, Primes Definition. N denotes the set {1, 2, 3,...} of natural numbers and Z denotes the set of integers {..., 2, 1,

More information

An Additive Characterization of Fibers of Characters on F p

An Additive Characterization of Fibers of Characters on F p An Additive Characterization of Fibers of Characters on F p Chris Monico Texas Tech University Lubbock, TX c.monico@ttu.edu Michele Elia Politecnico di Torino Torino, Italy elia@polito.it January 30, 2009

More information

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2 8. p-adic numbers 8.1. Motivation: Solving x 2 a (mod p n ). Take an odd prime p, and ( an) integer a coprime to p. Then, as we know, x 2 a (mod p) has a solution x Z iff = 1. In this case we can suppose

More information

Chapter 4. Characters and Gauss sums. 4.1 Characters on finite abelian groups

Chapter 4. Characters and Gauss sums. 4.1 Characters on finite abelian groups Chapter 4 Characters and Gauss sums 4.1 Characters on finite abelian groups In what follows, abelian groups are multiplicatively written, and the unit element of an abelian group A is denoted by 1 or 1

More information

School of Mathematics and Statistics. MT5836 Galois Theory. Handout 0: Course Information

School of Mathematics and Statistics. MT5836 Galois Theory. Handout 0: Course Information MRQ 2017 School of Mathematics and Statistics MT5836 Galois Theory Handout 0: Course Information Lecturer: Martyn Quick, Room 326. Prerequisite: MT3505 (or MT4517) Rings & Fields Lectures: Tutorials: Mon

More information

Third-order nonlinearities of some biquadratic monomial Boolean functions

Third-order nonlinearities of some biquadratic monomial Boolean functions Noname manuscript No. (will be inserted by the editor) Third-order nonlinearities of some biquadratic monomial Boolean functions Brajesh Kumar Singh Received: April 01 / Accepted: date Abstract In this

More information

Algebra SEP Solutions

Algebra SEP Solutions Algebra SEP Solutions 17 July 2017 1. (January 2017 problem 1) For example: (a) G = Z/4Z, N = Z/2Z. More generally, G = Z/p n Z, N = Z/pZ, p any prime number, n 2. Also G = Z, N = nz for any n 2, since

More information

SOLVING SOLVABLE QUINTICS. D. S. Dummit

SOLVING SOLVABLE QUINTICS. D. S. Dummit D. S. Dummit Abstract. Let f(x) = x 5 + px 3 + qx + rx + s be an irreducible polynomial of degree 5 with rational coefficients. An explicit resolvent sextic is constructed which has a rational root if

More information

MINIMAL GENERATING SETS OF GROUPS, RINGS, AND FIELDS

MINIMAL GENERATING SETS OF GROUPS, RINGS, AND FIELDS MINIMAL GENERATING SETS OF GROUPS, RINGS, AND FIELDS LORENZ HALBEISEN, MARTIN HAMILTON, AND PAVEL RŮŽIČKA Abstract. A subset X of a group (or a ring, or a field) is called generating, if the smallest subgroup

More information

Constructions of Quadratic Bent Functions in Polynomial Forms

Constructions of Quadratic Bent Functions in Polynomial Forms 1 Constructions of Quadratic Bent Functions in Polynomial Forms Nam Yul Yu and Guang Gong Member IEEE Department of Electrical and Computer Engineering University of Waterloo CANADA Abstract In this correspondence

More information

Chapter 5. Modular arithmetic. 5.1 The modular ring

Chapter 5. Modular arithmetic. 5.1 The modular ring Chapter 5 Modular arithmetic 5.1 The modular ring Definition 5.1. Suppose n N and x, y Z. Then we say that x, y are equivalent modulo n, and we write x y mod n if n x y. It is evident that equivalence

More information

Prime Divisors of Palindromes

Prime Divisors of Palindromes Prime Divisors of Palindromes William D. Banks Department of Mathematics, University of Missouri Columbia, MO 6511 USA bbanks@math.missouri.edu Igor E. Shparlinski Department of Computing, Macquarie University

More information

Chapter 8. P-adic numbers. 8.1 Absolute values

Chapter 8. P-adic numbers. 8.1 Absolute values Chapter 8 P-adic numbers Literature: N. Koblitz, p-adic Numbers, p-adic Analysis, and Zeta-Functions, 2nd edition, Graduate Texts in Mathematics 58, Springer Verlag 1984, corrected 2nd printing 1996, Chap.

More information

Factorization of integer-valued polynomials with square-free denominator

Factorization of integer-valued polynomials with square-free denominator accepted by Comm. Algebra (2013) Factorization of integer-valued polynomials with square-free denominator Giulio Peruginelli September 9, 2013 Dedicated to Marco Fontana on the occasion of his 65th birthday

More information

Mathematics for Cryptography

Mathematics for Cryptography Mathematics for Cryptography Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G1, Canada March 15, 2016 1 Groups and Modular Arithmetic 1.1

More information

On the Existence and Constructions of Vectorial Boolean Bent Functions

On the Existence and Constructions of Vectorial Boolean Bent Functions On the Existence and Constructions of Vectorial Boolean Bent Functions Yuwei Xu 1, and ChuanKun Wu 1 1 State Key Laboratory of Information Security Institute of Information Engineering Chinese Academy

More information

NOTES ON DIOPHANTINE APPROXIMATION

NOTES ON DIOPHANTINE APPROXIMATION NOTES ON DIOPHANTINE APPROXIMATION Jan-Hendrik Evertse January 29, 200 9 p-adic Numbers Literature: N. Koblitz, p-adic Numbers, p-adic Analysis, and Zeta-Functions, 2nd edition, Graduate Texts in Mathematics

More information

EXPLICIT EVALUATIONS OF SOME WEIL SUMS. 1. Introduction In this article we will explicitly evaluate exponential sums of the form

EXPLICIT EVALUATIONS OF SOME WEIL SUMS. 1. Introduction In this article we will explicitly evaluate exponential sums of the form EXPLICIT EVALUATIONS OF SOME WEIL SUMS ROBERT S. COULTER 1. Introduction In this article we will explicitly evaluate exponential sums of the form χax p α +1 ) where χ is a non-trivial additive character

More information

DICKSON POLYNOMIALS OVER FINITE FIELDS. n n i. i ( a) i x n 2i. y, a = yn+1 a n+1 /y n+1

DICKSON POLYNOMIALS OVER FINITE FIELDS. n n i. i ( a) i x n 2i. y, a = yn+1 a n+1 /y n+1 DICKSON POLYNOMIALS OVER FINITE FIELDS QIANG WANG AND JOSEPH L. YUCAS Abstract. In this paper we introduce the notion of Dickson polynomials of the k + 1)-th kind over finite fields F p m and study basic

More information

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES 2018 57 5. p-adic Numbers 5.1. Motivating examples. We all know that 2 is irrational, so that 2 is not a square in the rational field Q, but that we can

More information

GALOIS THEORY. Contents

GALOIS THEORY. Contents GALOIS THEORY MARIUS VAN DER PUT & JAAP TOP Contents 1. Basic definitions 1 1.1. Exercises 2 2. Solving polynomial equations 2 2.1. Exercises 4 3. Galois extensions and examples 4 3.1. Exercises. 6 4.

More information

Factorization in Polynomial Rings

Factorization in Polynomial Rings Factorization in Polynomial Rings Throughout these notes, F denotes a field. 1 Long division with remainder We begin with some basic definitions. Definition 1.1. Let f, g F [x]. We say that f divides g,

More information

A Generalization of Wilson s Theorem

A Generalization of Wilson s Theorem A Generalization of Wilson s Theorem R. Andrew Ohana June 3, 2009 Contents 1 Introduction 2 2 Background Algebra 2 2.1 Groups................................. 2 2.2 Rings.................................

More information

FIELD THEORY. Contents

FIELD THEORY. Contents FIELD THEORY MATH 552 Contents 1. Algebraic Extensions 1 1.1. Finite and Algebraic Extensions 1 1.2. Algebraic Closure 5 1.3. Splitting Fields 7 1.4. Separable Extensions 8 1.5. Inseparable Extensions

More information

NOTES ON FINITE FIELDS

NOTES ON FINITE FIELDS NOTES ON FINITE FIELDS AARON LANDESMAN CONTENTS 1. Introduction to finite fields 2 2. Definition and constructions of fields 3 2.1. The definition of a field 3 2.2. Constructing field extensions by adjoining

More information

Cover Page. The handle holds various files of this Leiden University dissertation

Cover Page. The handle holds various files of this Leiden University dissertation Cover Page The handle http://hdl.handle.net/1887/25833 holds various files of this Leiden University dissertation Author: Palenstijn, Willem Jan Title: Radicals in Arithmetic Issue Date: 2014-05-22 Chapter

More information

On a generalized combinatorial conjecture involving addition mod 2 k 1

On a generalized combinatorial conjecture involving addition mod 2 k 1 On a generalized combinatorial conjecture involving addition mod k 1 Gérard Cohen Jean-Pierre Flori Tuesday 14 th February, 01 Abstract In this note, e give a simple proof of the combinatorial conjecture

More information

(January 14, 2009) q n 1 q d 1. D = q n = q + d

(January 14, 2009) q n 1 q d 1. D = q n = q + d (January 14, 2009) [10.1] Prove that a finite division ring D (a not-necessarily commutative ring with 1 in which any non-zero element has a multiplicative inverse) is commutative. (This is due to Wedderburn.)

More information

Lecture 8: The Field B dr

Lecture 8: The Field B dr Lecture 8: The Field B dr October 29, 2018 Throughout this lecture, we fix a perfectoid field C of characteristic p, with valuation ring O C. Fix an element π C with 0 < π C < 1, and let B denote the completion

More information

The primitive root theorem

The primitive root theorem The primitive root theorem Mar Steinberger First recall that if R is a ring, then a R is a unit if there exists b R with ab = ba = 1. The collection of all units in R is denoted R and forms a group under

More information

Generalized hyper-bent functions over GF(p)

Generalized hyper-bent functions over GF(p) Discrete Applied Mathematics 55 2007) 066 070 Note Generalized hyper-bent functions over GFp) A.M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montreal, QC, H3G

More information

SECOND-ORDER RECURRENCES. Lawrence Somer Department of Mathematics, Catholic University of America, Washington, D.C

SECOND-ORDER RECURRENCES. Lawrence Somer Department of Mathematics, Catholic University of America, Washington, D.C p-stability OF DEGENERATE SECOND-ORDER RECURRENCES Lawrence Somer Department of Mathematics, Catholic University of America, Washington, D.C. 20064 Walter Carlip Department of Mathematics and Computer

More information

Some Open Problems Arising from my Recent Finite Field Research

Some Open Problems Arising from my Recent Finite Field Research Some Open Problems Arising from my Recent Finite Field Research Gary L. Mullen Penn State University mullen@math.psu.edu July 13, 2015 Some Open Problems Arising from myrecent Finite Field Research July

More information

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013 18.78 Introduction to Arithmetic Geometry Fall 013 Lecture #4 1/03/013 4.1 Isogenies of elliptic curves Definition 4.1. Let E 1 /k and E /k be elliptic curves with distinguished rational points O 1 and

More information

ALGEBRA I (LECTURE NOTES 2017/2018) LECTURE 9 - CYCLIC GROUPS AND EULER S FUNCTION

ALGEBRA I (LECTURE NOTES 2017/2018) LECTURE 9 - CYCLIC GROUPS AND EULER S FUNCTION ALGEBRA I (LECTURE NOTES 2017/2018) LECTURE 9 - CYCLIC GROUPS AND EULER S FUNCTION PAVEL RŮŽIČKA 9.1. Congruence modulo n. Let us have a closer look at a particular example of a congruence relation on

More information

Some Remarks on the Discrete Uncertainty Principle

Some Remarks on the Discrete Uncertainty Principle Highly Composite: Papers in Number Theory, RMS-Lecture Notes Series No. 23, 2016, pp. 77 85. Some Remarks on the Discrete Uncertainty Principle M. Ram Murty Department of Mathematics, Queen s University,

More information

Supplement. Dr. Bob s Modern Algebra Glossary Based on Fraleigh s A First Course on Abstract Algebra, 7th Edition, Sections 0 through IV.

Supplement. Dr. Bob s Modern Algebra Glossary Based on Fraleigh s A First Course on Abstract Algebra, 7th Edition, Sections 0 through IV. Glossary 1 Supplement. Dr. Bob s Modern Algebra Glossary Based on Fraleigh s A First Course on Abstract Algebra, 7th Edition, Sections 0 through IV.23 Abelian Group. A group G, (or just G for short) is

More information

Factorization in Integral Domains II

Factorization in Integral Domains II Factorization in Integral Domains II 1 Statement of the main theorem Throughout these notes, unless otherwise specified, R is a UFD with field of quotients F. The main examples will be R = Z, F = Q, and

More information

Math 429/581 (Advanced) Group Theory. Summary of Definitions, Examples, and Theorems by Stefan Gille

Math 429/581 (Advanced) Group Theory. Summary of Definitions, Examples, and Theorems by Stefan Gille Math 429/581 (Advanced) Group Theory Summary of Definitions, Examples, and Theorems by Stefan Gille 1 2 0. Group Operations 0.1. Definition. Let G be a group and X a set. A (left) operation of G on X is

More information

Galois theory of fields

Galois theory of fields 1 Galois theory of fields This first chapter is both a concise introduction to Galois theory and a warmup for the more advanced theories to follow. We begin with a brisk but reasonably complete account

More information

arxiv: v1 [math.nt] 9 Jan 2019

arxiv: v1 [math.nt] 9 Jan 2019 NON NEAR-PRIMITIVE ROOTS PIETER MOREE AND MIN SHA Dedicated to the memory of Prof. Christopher Hooley (928 208) arxiv:90.02650v [math.nt] 9 Jan 209 Abstract. Let p be a prime. If an integer g generates

More information

On more bent functions from Dillon exponents

On more bent functions from Dillon exponents AAECC DOI 10.1007/s0000-015-058-3 ORIGINAL PAPER On more bent functions from Dillon exponents Long Yu 1 Hongwei Liu 1 Dabin Zheng Receive: 14 April 014 / Revise: 14 March 015 / Accepte: 4 March 015 Springer-Verlag

More information

CYCLICITY OF (Z/(p))

CYCLICITY OF (Z/(p)) CYCLICITY OF (Z/(p)) KEITH CONRAD 1. Introduction For each prime p, the group (Z/(p)) is cyclic. We will give seven proofs of this fundamental result. A common feature of the proofs that (Z/(p)) is cyclic

More information

Galois Representations

Galois Representations 9 Galois Representations This book has explained the idea that all elliptic curves over Q arise from modular forms. Chapters 1 and introduced elliptic curves and modular curves as Riemann surfaces, and

More information

Section VI.33. Finite Fields

Section VI.33. Finite Fields VI.33 Finite Fields 1 Section VI.33. Finite Fields Note. In this section, finite fields are completely classified. For every prime p and n N, there is exactly one (up to isomorphism) field of order p n,

More information

A short proof of Klyachko s theorem about rational algebraic tori

A short proof of Klyachko s theorem about rational algebraic tori A short proof of Klyachko s theorem about rational algebraic tori Mathieu Florence Abstract In this paper, we give another proof of a theorem by Klyachko ([?]), which asserts that Zariski s conjecture

More information

Solutions of exercise sheet 6

Solutions of exercise sheet 6 D-MATH Algebra I HS 14 Prof. Emmanuel Kowalski Solutions of exercise sheet 6 1. (Irreducibility of the cyclotomic polynomial) Let n be a positive integer, and P Z[X] a monic irreducible factor of X n 1

More information

Scalar multiplication in compressed coordinates in the trace-zero subgroup

Scalar multiplication in compressed coordinates in the trace-zero subgroup Scalar multiplication in compressed coordinates in the trace-zero subgroup Giulia Bianco and Elisa Gorla Institut de Mathématiques, Université de Neuchâtel Rue Emile-Argand 11, CH-2000 Neuchâtel, Switzerland

More information

18. Cyclotomic polynomials II

18. Cyclotomic polynomials II 18. Cyclotomic polynomials II 18.1 Cyclotomic polynomials over Z 18.2 Worked examples Now that we have Gauss lemma in hand we can look at cyclotomic polynomials again, not as polynomials with coefficients

More information

Definitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations

Definitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations Page 1 Definitions Tuesday, May 8, 2018 12:23 AM Notations " " means "equals, by definition" the set of all real numbers the set of integers Denote a function from a set to a set by Denote the image of

More information

(1) A frac = b : a, b A, b 0. We can define addition and multiplication of fractions as we normally would. a b + c d

(1) A frac = b : a, b A, b 0. We can define addition and multiplication of fractions as we normally would. a b + c d The Algebraic Method 0.1. Integral Domains. Emmy Noether and others quickly realized that the classical algebraic number theory of Dedekind could be abstracted completely. In particular, rings of integers

More information

FURTHER EVALUATIONS OF WEIL SUMS

FURTHER EVALUATIONS OF WEIL SUMS FURTHER EVALUATIONS OF WEIL SUMS ROBERT S. COULTER 1. Introduction Weil sums are exponential sums whose summation runs over the evaluation mapping of a particular function. Explicitly they have the form

More information

Residual modular Galois representations: images and applications

Residual modular Galois representations: images and applications Residual modular Galois representations: images and applications Samuele Anni University of Warwick London Number Theory Seminar King s College London, 20 th May 2015 Mod l modular forms 1 Mod l modular

More information

Convoluted Convolved Fibonacci Numbers

Convoluted Convolved Fibonacci Numbers 1 2 3 47 6 23 11 Journal of Integer Sequences, Vol. 7 (2004, Article 04.2.2 Convoluted Convolved Fibonacci Numbers Pieter Moree Max-Planc-Institut für Mathemati Vivatsgasse 7 D-53111 Bonn Germany moree@mpim-bonn.mpg.de

More information

CYCLOTOMIC POLYNOMIALS

CYCLOTOMIC POLYNOMIALS CYCLOTOMIC POLYNOMIALS 1. The Derivative and Repeated Factors The usual definition of derivative in calculus involves the nonalgebraic notion of limit that requires a field such as R or C (or others) where

More information

Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra

Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra D. R. Wilkins Contents 3 Topics in Commutative Algebra 2 3.1 Rings and Fields......................... 2 3.2 Ideals...............................

More information

arxiv: v2 [math.nt] 23 Sep 2011

arxiv: v2 [math.nt] 23 Sep 2011 ELLIPTIC DIVISIBILITY SEQUENCES, SQUARES AND CUBES arxiv:1101.3839v2 [math.nt] 23 Sep 2011 Abstract. Elliptic divisibility sequences (EDSs) are generalizations of a class of integer divisibility sequences

More information

Local Fields. Chapter Absolute Values and Discrete Valuations Definitions and Comments

Local Fields. Chapter Absolute Values and Discrete Valuations Definitions and Comments Chapter 9 Local Fields The definition of global field varies in the literature, but all definitions include our primary source of examples, number fields. The other fields that are of interest in algebraic

More information

On the exponents of APN power functions and Sidon sets, sum-free sets, and Dickson polynomials

On the exponents of APN power functions and Sidon sets, sum-free sets, and Dickson polynomials On the exponents of APN power functions and Sidon sets, sum-free sets, and Dickson polynomials Claude Carlet 1 and Stjepan Picek 1, 2 1 LAGA, Department of Mathematics, University of Paris 8 (and Paris

More information

Algebra Exam Topics. Updated August 2017

Algebra Exam Topics. Updated August 2017 Algebra Exam Topics Updated August 2017 Starting Fall 2017, the Masters Algebra Exam will have 14 questions. Of these students will answer the first 8 questions from Topics 1, 2, and 3. They then have

More information

A New Characterization of Semi-bent and Bent Functions on Finite Fields

A New Characterization of Semi-bent and Bent Functions on Finite Fields A New Characterization of Semi-bent and Bent Functions on Finite Fields Khoongming Khoo DSO National Laboratories 20 Science Park Dr S118230, Singapore email: kkhoongm@dso.org.sg Guang Gong Department

More information

Some algebraic number theory and the reciprocity map

Some algebraic number theory and the reciprocity map Some algebraic number theory and the reciprocity map Ervin Thiagalingam September 28, 2015 Motivation In Weinstein s paper, the main problem is to find a rule (reciprocity law) for when an irreducible

More information

ϕ : Z F : ϕ(t) = t 1 =

ϕ : Z F : ϕ(t) = t 1 = 1. Finite Fields The first examples of finite fields are quotient fields of the ring of integers Z: let t > 1 and define Z /t = Z/(tZ) to be the ring of congruence classes of integers modulo t: in practical

More information

Basic Algorithms in Number Theory

Basic Algorithms in Number Theory Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi Discrete Logs, Modular Square Roots & Euclidean Algorithm. July 20 th 2010 Basic Algorithms

More information

D-MATH Algebra II FS18 Prof. Marc Burger. Solution 26. Cyclotomic extensions.

D-MATH Algebra II FS18 Prof. Marc Burger. Solution 26. Cyclotomic extensions. D-MAH Algebra II FS18 Prof. Marc Burger Solution 26 Cyclotomic extensions. In the following, ϕ : Z 1 Z 0 is the Euler function ϕ(n = card ((Z/nZ. For each integer n 1, we consider the n-th cyclotomic polynomial

More information

Design of Signal Sets with Low Intraference for CDMA Applications in Networking Environment

Design of Signal Sets with Low Intraference for CDMA Applications in Networking Environment Design of Signal Sets with Low Intraference for CDMA Applications in Networking Environment Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1,

More information

Divisibility Properties of Kloosterman Sums and Division Polynomials for Edwards Curves

Divisibility Properties of Kloosterman Sums and Division Polynomials for Edwards Curves Divisibility Properties of Kloosterman Sums and Division Polynomials for Edwards Curves by Richard Moloney A dissertation presented to University College Dublin in partial fulfillment of the requirements

More information

PERFECT POLYNOMIALS OVER F p WITH p + 1 IRREDUCIBLE DIVISORS. 1. Introduction. Let p be a prime number. For a monic polynomial A F p [x] let d

PERFECT POLYNOMIALS OVER F p WITH p + 1 IRREDUCIBLE DIVISORS. 1. Introduction. Let p be a prime number. For a monic polynomial A F p [x] let d PERFECT POLYNOMIALS OVER F p WITH p + 1 IRREDUCIBLE DIVISORS L. H. GALLARDO and O. RAHAVANDRAINY Abstract. We consider, for a fixed prime number p, monic polynomials in one variable over the finite field

More information

LECTURE NOTES AMRITANSHU PRASAD

LECTURE NOTES AMRITANSHU PRASAD LECTURE NOTES AMRITANSHU PRASAD Let K be a field. 1. Basic definitions Definition 1.1. A K-algebra is a K-vector space together with an associative product A A A which is K-linear, with respect to which

More information

Notes on p-divisible Groups

Notes on p-divisible Groups Notes on p-divisible Groups March 24, 2006 This is a note for the talk in STAGE in MIT. The content is basically following the paper [T]. 1 Preliminaries and Notations Notation 1.1. Let R be a complete

More information

MT5836 Galois Theory MRQ

MT5836 Galois Theory MRQ MT5836 Galois Theory MRQ May 3, 2017 Contents Introduction 3 Structure of the lecture course............................... 4 Recommended texts..................................... 4 1 Rings, Fields and

More information

Céline Blondeau, Anne Canteaut and Pascale Charpin*

Céline Blondeau, Anne Canteaut and Pascale Charpin* Int. J. Information and Coding Theory, Vol. 1, No. 2, 2010 149 Differential properties of power functions Céline Blondeau, Anne Canteaut and Pascale Charpin* INRIA Paris-Rocquencourt, Project-Team SECRET,

More information

p-class Groups of Cyclic Number Fields of Odd Prime Degree

p-class Groups of Cyclic Number Fields of Odd Prime Degree International Journal of Algebra, Vol. 10, 2016, no. 9, 429-435 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ija.2016.6753 p-class Groups of Cyclic Number Fields of Odd Prime Degree Jose Valter

More information

Critical Groups for Cayley Graphs of Bent Functions

Critical Groups for Cayley Graphs of Bent Functions Critical Groups for Cayley Graphs of Bent Functions Thomas F. Gruebl Adviser: David Joyner December 9, 2015 1 Introduction This paper will study the critical group of bent functions in the p-ary case.

More information

arxiv: v1 [math.gr] 3 Feb 2019

arxiv: v1 [math.gr] 3 Feb 2019 Galois groups of symmetric sextic trinomials arxiv:1902.00965v1 [math.gr] Feb 2019 Alberto Cavallo Max Planck Institute for Mathematics, Bonn 5111, Germany cavallo@mpim-bonn.mpg.de Abstract We compute

More information

A. Algebra and Number Theory

A. Algebra and Number Theory A. Algebra and Number Theory Public-key cryptosystems are based on modular arithmetic. In this section, we summarize the concepts and results from algebra and number theory which are necessary for an understanding

More information

Twists and residual modular Galois representations

Twists and residual modular Galois representations Twists and residual modular Galois representations Samuele Anni University of Warwick Building Bridges, Bristol 10 th July 2014 Modular curves and Modular Forms 1 Modular curves and Modular Forms 2 Residual

More information

but no smaller power is equal to one. polynomial is defined to be

but no smaller power is equal to one. polynomial is defined to be 13. Radical and Cyclic Extensions The main purpose of this section is to look at the Galois groups of x n a. The first case to consider is a = 1. Definition 13.1. Let K be a field. An element ω K is said

More information

On transitive polynomials modulo integers

On transitive polynomials modulo integers Notes on Number Theory and Discrete Mathematics Print ISSN 1310 5132, Online ISSN 2367 8275 Vol. 22, 2016, No. 2, 23 35 On transitive polynomials modulo integers Mohammad Javaheri 1 and Gili Rusak 2 1

More information

Classification of Finite Fields

Classification of Finite Fields Classification of Finite Fields In these notes we use the properties of the polynomial x pd x to classify finite fields. The importance of this polynomial is explained by the following basic proposition.

More information

Algebraic structures I

Algebraic structures I MTH5100 Assignment 1-10 Algebraic structures I For handing in on various dates January March 2011 1 FUNCTIONS. Say which of the following rules successfully define functions, giving reasons. For each one

More information

Essential idempotents in group algebras and in Coding Theory

Essential idempotents in group algebras and in Coding Theory in group algebras and in Coding Theory César Polcino Milies Universidade de São Paulo and Universidade Federal do ABC NON COMMUTATIVE RINGS AND APPLICATIONS IV, LENS, 2015 Definition A linear code C F

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback