On the Binary Sequences of Period 2047 with Ideal Autocorrelation Seok-Yong Jin

Transcription

1 On the Binary Sequences of Period 2047 with Ideal Autocorrelation Seok-Yong Jin The Graduate School Yonsei University Department of Electrical and Electronic Engineering

2 On the Binary Sequences of Period 2047 with Ideal Autocorrelation A Dissertation Submitted to the Department of Electrical and Eletronic Engineering and the Graduate School of Yonsei University in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Seok-Yong Jin August 2003

3 This certifies that the dissertation of Seok-Yong Jin is approved. Thesis Supervisor: Hong-Yeop Song Chulhee Lee Chungyong Lee The Graduate School Yonsei University August 2003

4 .. 6..,,,,,, Ghent Storme, Kabatianski., 1,2,,,,,,. 1,4,5, EngYCV,...,.,,

5 Contents List of Figures iii List of Tables iv Abstract v 1 Introduction Motivation An Overview Theory of Hadamard sequences m-sequences (v, k, λ)-cyclic difference sets Recently introduced cyclic Hadamard difference sets Conjectured three-term, five-term sequences and related sequence Hadamard sequences from monomial hyperovals Decimation Exhaustive search for (2047, 1023, 511)-Hadamard difference sets 19 i

6 3.1 Exhaustive search for (2047, 1023, 511)-cyclic difference sets Use of decimation in exhaustive search Results and some analyses Trace representation of hyperoval sequences The case of the Segre hyperoval The case of the Glynn hyperoval Linear complexity of Hadamard sequences of length Concluding Remarks 39 Bibliography 42 Abstract (in Korean) 50 ii

7 List of Figures 2.1 The difference set and Hadamard sequence of Example Equivalence relation between two Hadamard sequences of period iii

8 List of Tables 1.1 Known constructions for Hadamard sequences: situation in the end of 1990 s Cyclotomic cosets mod 3, 5, and Cyclotomic cosets mod 23 and Decomposition of cyclotomic cosets modulo Solutions of Diophantine equations for w = Permutation of coset classes by d-decimations, d=1, 3, 5, 9, 11, 13, 19, Inequivalent choices of a 0,, a Elements in the trace expansion of the Segre hyperoval sequence Linear complexities of known Hadamard sequences of length Trace expansion of known Hadamard sequences of length iv

9 ABSTRACT On the binary sequences of period 2047 with ideal autocorrelation Seok-Yong Jin Department of Electrical and Electronic Eng. The Graduate School Yonsei University In such systems as ranging, radar, and spread-spectrum communication systems, it needs to find sequences with good correlation property in order to improve the performance. The correlation property may be auto-correlation or cross-correlation according to the application. A balanced binary sequence with ideal autocorrelation property is called a Hadamard sequence. In this thesis, computational complexity of exhaustive search for Hadamard sequences of period is analyzed and some properties are investigated. It is verified that the current methodology for exhaustive search of Hadamard sequences of length 2047 is not feasible. Through partial search, no new which is inequivalent to all previously known Hadamard sequences of the same length sequence is obtained. As an analysis for recently introduced Hadamard sequences whose conv

10 struction is based on the hyperoval in finite projective plane, explicit trace representation for such sequence from the Glynn type hyperoval of length 2047 is obtained. By linear complexity analysis, it is confirmed that Hadamard sequence associated with the Glynn hyperoval of type II has wide applicability in such systems that require large linear span. Key words : ideal autocorrelation, Hadamard sequences, cyclic difference set, hyperoval, exhaustive search, linear complexity, trace function representation vi

11 Chapter 1 Introduction 1.1 Motivation Code division multiple access (CDMA) systems use pseudonoise (PN) binary sequences as signature sequences and several spread spectrum communication systems also use them as spreading codes for low probability of intercept. Major characteristics which are desirable of a family of binary sequences for such applications include long period, low out-of-phase autocorrelation values, low cross-correlation values, low nontrivial partialperiod correlation values, large linear span, balance of symbols, large family size, and ease of implementation [51] [55] [24] [25] [26] [48]. In general, the simplification of system implementation requires the use of periodic signals. So we restrict our attention to periodic sequences in this thesis. A binary (0 or 1) sequence {b(t)} N 1 t=0 of period N = 2n 1 is called balanced if the number of ones and zeros differ by one [24]. It is said to have two level autocorrelation property if its periodic autocorrelation function R(τ) is given as { N, for τ 0 mod N R(τ) = γ, else 1

12 , where R(τ) is defined by N 1 R(τ) = t=0 ( 1) b(t+τ)+b(t) and t + τ is computed modulo N. When γ is small in absolute value as possible as it can, it is proved quite useful in various applications [36] and said to have ideal autocorrelation property. Since such sequences with γ = 0 are very rare (actually conjectured that those sequences do not exist except for tirivial case of length 4 [50] [12] [52]) we denote conventionally balanced two-level sequence with γ = 1 as periodic binary sequences with ideal autocorrelation property or Hadamard sequence. Note that since R(τ) is the number of agreements minus the number of disagreements between {b(t)} and {b(t + τ)} as t runs through one period, the ideal autocorrelation property with γ = 1 implies the balance property [23] [24] [57]. Consider a set of J binary sequences, each with period N, denoted by { v (j) (t) } with t = 0, 1,, N 1 and j = 1, 2,, J. The periodic cross-correlation R jk (τ) at time shift τ between two sequences v (j) (t) and v (k) (t) from this collection is defined as R jk (τ) = N 1 t=0 Then the criterion for signal design is to minimize ( 1) v(j) (t+τ)+v (k) (t). R max = max (R A, R C ), where R A = max j max 0<τ<N R jj (τ) is the maximum out-of-phase periodic autocorrelation magnitude for this signal set and R C = max j k max 0 τ<n R jk (τ) is the maximum cross-correlation magnitude between sequences in this set. For more detailed 2

13 literature, Sarwarte and Pursley [51], Helleseth and Kumar [32], and Simon et al. [55] are recommendable. Generally, the set of sequences with low cross-correlation values is generated from the sequences with good autocorrelation property, i.e., from Hadamard sequences, by some trade offs between autocorrelation values and crosscorrelation values. For instance, Gold [20] [21] and Kasami [37] [38] made several sets of sequences with low crosscorrelation values from m-sequences. Moreover, practical system design needs several distinct kind of Hadamard sequences of the same period, especially the period of type 2 n 1. So, it needs to know how many (up to equivalence) Hadamard sequences of certain period exist. Known constructions for Hadamard sequences are tabulated below: [3] [10] Table 1.1: Known constructions for Hadamard sequences: situation in the end of 1990 s. m sequence 1938 Legendre sequence 1933 Hall s sextic residue sequence 1956 Twin prime sequence 1939 GMW sequence 1962 The table also brings out a rather surprising fact that the most recent construction of Hadamard sequences contained in the table dates back to the early sixties. This was the picture until 1997 [10] when Maschietti came up with an observation that led to the discovery [45] of a new family of Hadamard sequence. A parallel development on the topic of ideal autocorrelation sequences relates to certain conjectures on new Hadamard 3

14 sequences by No, Golomb, Gong, Lee and Gaal [47]. It is remarkable that all of these two new constructions correspond to Hadamard sequence of period of 2 n 1 and both are results obtained from trials to explain unreported Hadamard sequences of such period, which was found and verified to be inequivalent to the known constructions through exhaustive search. By far, exhaustive search for Hadamard sequences of period 2 n 1 with n 10 has been done (for n = 7 by Baumert in 1967 [4], for n = 8 by Cheng in 1983 [11], for n = 9 by Dreier and Smith in 1991 [16] and independently by Kim and Song in 1997 [40], and lastly for n = 10 by Gaal and Golomb in 2000 [18].) In this thesis, Hadamard sequences of period = 2047 will be investigated. 1.2 An Overview In the next chapter, basic theory of Hadamard sequences and known construction methods will be described. Especially, one of recent constructions arising from monomial hyperoval in finite projective plane will be explained in detail. In chapter 3, the methods and procedures of the exhaustive search are presented. In chapter 4, the results and some analysis focused on the sequences associated with the monomial hyperovals are presented. We conclude this thesis by summarizing and giving some remarks in chapter 5. 4

15 Chapter 2 Theory of Hadamard sequences As described in chapter 1, a periodic binary sequence {A i } v 1 i=0 of period v is called an Hadamard sequence if it has two-level autocorrelation function with all out-of-phase autocorrelations being 1. It is well known that if an Hadamard sequence of length v exists, then it has to be balanced and the period v of it must be v = 1 (mod 4). All known examples of Hadamard sequences have a period v of the following three types [3] [57]. 1. v = 4n 1 is a prime number. 2. v = p(p + 2) is a product of twin primes. 3. v = 2 t 1, for t = 2, 3, 4,. There is a conjecture which states that these are all, i.e., if a Hadamard sequence exists, the period v of it must be one of the above three types [27]. In [3], it is reported that there are no other values of v < 1000 with Hadamard sequences of period other than those listed above, except for the six cases v = 399, 495, 627, 651, 783, and 975, not fully investigated. In [57], Song and Golomb reconfirmed the conjecture for all v <

16 including those six cases. Furthermore, it is verified up to v < 10000, except for the following 17 cases: 1295, 1599, 1935, 3135, 3439, 4355, 4623, 5775, 7395, 7743, 8227, 8463, 8591, 8835, 9135, 9215, The four smallest cases v = 1295, 1599, 1935, and 3135 were also examined and the conjecture was confirmed for all v 3435 by Kim and Song [41], but this conjecture is still open 1. There are following five classical constructions of Hadamard sequences tabulated in chapter When v = 4n 1 is a prime, (a) The Legendre sequences using Legendre symbol [24]. (b) Hall s sextic residue construction, whenever v = 4t for some integer t [30]. 2. When v is a product of twin primes, (a) The Jacobi sequence construction [58]. 3. When v = 2 t 1 for t = 2, 3, 4,, (a) m-sequences [56] [24]. (b) The GMW-sequences for composite t [28] [53]. Among these, the case 3 has the richest structure in view of theoretical aspect as well as it has wide applications in various practical communication systems. In addition, as mentioned in chapter 1, in the end of 1990 s there were significant updates in the list of 1 In May 2003 six cases 4623, 5775, 7395, 7743, 8227, and 8463 are ruled out by Baumert and Gordon [5]. 6

17 construction method for the case 3. This case includes the maximal length linear feedback shift register sequence (m-sequence for short) which is one of the most popular PN-sequences. GMW sequences can be thought as a generalization of m-sequences. M-sequences have been used in various area of communication systems such as directsequence spread spectrum communication system. We will describe m-sequences in several forms and enumerate their properties in the next section. After that, to explain recently introduced new Hadamard sequences, we give brief description of cyclic difference set and then develop theory of such construction. 2.1 m-sequences If s is a binary sequence generated by a primitive polynomial p(x) of degree n, the period of s must be 2 n 1 and s is called a maximal-length sequence, or an m-sequence. M- sequence is described by both linear feedback shift register (LFSR) and trace function. For LFSR approach, see [24] or [22]. Here we adopt definition by trace function. Definition 2.1 Let GF (2 n ) be the finite field with 2 n elements and β GF (2 n ). The Trace T r n d where d n is an onto function from GF (2n ) to GF (2 d ) defined as T r n d (β) = β + β2d + β 22d + + β 2d(n/d 1). When d = 1, trace T r n 1 can be written as T r n 1 (β) = β + β 2 + β β 2n 1. For convenience, the T r1 n (β) is denoted by just T r(β). The theory of finite fields and related material could be found in [46] [43]. Every Hadamard sequence of period 2 n 1 7

18 can be expressed as a sum of traces of some elements in GF (2 n ) [40]. Especially, m- sequences have only one term in this sum of traces representation. Definition 2.2 Let α be a primitive element of GF (2 n ) and θ GF (2 n ). Then T r(θα i ) for i = 0, 1, 2,, 2 n 2 gives a binary sequence of period 2 n 1 and it is called an m-sequence. By Definition 2.2, an m-sequence s(t) can be written as s(t) = T r(θα t ) for primitive element α GF (2 n ) and for some nonzero θ GF (2 n ). M-sequence s has the following properties [46] [40] [51] : autocorrelation s has ideal autocorrelation property. period The period of s is N = 2 n 1. balanced property Number of 1 s in s is (N + 1)/2. span-n property Through the 2 n 1 windows of length n, each nonzero binary vector of length n appears exactly once. decimation property Let d be a positive integer with gcd(n, d) = 1. Then the sequence u(t) = s(dt), called the decimation by d of s, is also an m- sequence. cycle-and-add property Given distinct integer i and j, there exists a unique integer 0 k < N such that s(t + i) + s(t + j) = s(t + k). It is known that a binary sequence is an m-sequence if and only if it has this property. 8

19 constant-on-the-coset property There exists a cyclic-shift s of s such that s(t) = s(2t) for all t, where s is called a characteristic m-sequence or a characteristic phase of s. This property is called constant-on-the-coset property in terms of cyclic difference sets. When one tries an exhaustive search for Hadamard sequences, it is almost impossible to check all the possible balanced binary sequences since there are too many possibilities as n grows. In general, one tries an exhaustive search for related cyclic difference sets rather than for Hadamard sequences, because there are some known results about cyclic difference sets which can reduce the complexity of an exhaustive search drastically. In the next section, the formal definition of cyclic difference sets is given and their basic properties are presented. 2.2 (v, k, λ)-cyclic difference sets Difference sets were first introduced by Singer (1938 [56]), but their systematic study only started with the fundamental paper of Hall (1947 [29]) who considered cyclic planar difference sets and introduced the important concept of multipliers. Finally, Bruck (1955 [8]) initiated the investigation of difference sets in general groups [36]. Extensive study of difference set can be found in [6] [35] [36], or one may want to consult [50] [44] for compact yet readable introduction. We have the following general definition: Definition 2.3 Let G be an additively written group of order v, and D a k-subset of G. Then D is called a (v, k, λ)-difference set in G if its list of differences, that is D = { d d d, d D, d d } 9

20 contains each non-zero element of G precisely λ times. If G is cyclic (respectively abelian, non-abelian, ), D is likewise called cyclic (respectively abelian, non-abelian, ). Two (v, k, λ)-difference sets D 1 and D 2 in an abelian group G are equivalent if there exists an automorphism α in G such that α(d) = D + a for some a G. In this thesis only cyclic difference set is considered, then another intuitive definition is more useful. Definition 2.4 Given a positive integer v, let U be the set of nonnegative integers smaller than v. Then a k-subset D of U is called a (v, k, λ)-cyclic difference set if for every nonzero d U, there exist exactly λ ordered pairs (d i, d j ) D D, such that d i d j d (mod v). To exclude certain degenerated configuration, we suppose that 0 < λ < k < v 1. Two (v, k, λ)-cyclic difference sets D 1 and D 2 are equivalent if there exists an integer t with (t, v) = 1 such that D 1 = td 2 +a for some a U, where td 2 +a = {t d + a d D}. By the following theorem 2.1 [36], we easily know that a periodic binary sequence with ideal autocorrelation is equivalent to a cyclic difference set. Theorem 2.1 Let s be a periodic binary sequence with period v, the number of entries 0 per period is k and s has a 2-level autocorrelation function with all nontrivial autocorrelation coefficient equal to some constant γ. Then D {g Z v s g = 0}, is a cyclic (v, k, λ)-difference set, where λ is given by γ = v 4(k λ). Moreover, any cyclic difference set arises in this way. 10

21 A (v, k, λ)-cyclic difference set with v = n 2 + n + 1, k = n + 1, and λ = 1 is called planar. A planar difference set gives a finite projective plane of order n which is another topic of combinatorial design theory. A difference set with v = 4n 1, k = 2n 1, and λ = n 1 is called a cyclic Hadamard difference set (CHDS: this is the case γ = 1 in theorem 2.1,) which gives a Hadamard matrix of order 4n and also gives a Hadamard sequence of period 4n 1. In fact, a ( 2 n 1, 2 n 1 1, 2 n 2 1 ) -cyclic difference set of interest in this thesis is a special case of cyclic Hadamard difference set. The following example quoted from [40] illustrates how to make a Hadamard sequence from a given Hadamard difference set. Example 2.1 Let D = {0, 5, 7, 10, 11, 13, 14}. Then D is a (15, 7, 3)-Hadamard difference set. Each nonzero d < v can be written as differences modulo 15 of the following three pairs. 1 = 0 14 = = 14 13, 2 = 0 13 = 7 5 = 13 11, 3 = 10 7 = = 14 11, 4 = 0 11 = 11 7 = 14 10, 5 = 0 10 = 5 0 = 10 5, 6 = 5 14 = 11 5 = 13 7, 7 = 5 13 = 7 0 = 14 7, 8 = 0 7 = 7 14 = 13 5, 9 = 5 11 = 7 13 = 14 5, 10 = 0 5 = 5 10 = 10 0, 11 = 7 11 = = 11 0, 12 = 7 10 = = 11 14, 13 = 5 7 = = 13 0, 14 = = = Let (a i ) be the binary sequence of period 15 in which a i = 0 if i D and a i = 1 otherwise. Then it can be easily checked that (a i ) is balanced and has ideal autocorrela- 11

22 (15,7,3)-cyclic difference set binary sequence of period 15 with ideal autocorrelation Figure 2.1: The difference set and Hadamard sequence of Example 2.1. tion property. One of the most important properties of Hadamard difference sets is that it can have a multiplier. A multiplier of the Hadamard difference set is defined as follows. Definition 2.5 Let U be the v-set of the integers 0, 1, 2,, v 1. An integer t is called a multiplier of a (v, k, λ)-difference set D = {d 1, d 2,, d k }, provided there exists a integer s such that E = {td 1, td 2,, td k } and E = {d 1 + s, d 2 + s,, d k + s} are the same k-subset of U, where every operation is taken modulo v. If a difference set D = {d 1, d 2,, d k } and td = {td 1, td 2,, td k } are the same, then D is said to be fixed by multiplier t. In [50], it is shown that if a difference set D has a non-trivial multiplier t 2, there is always a difference set D fixed by multiplier t. 2 non-trivial means t 1 (mod v). 12

23 In fact, given a difference set D and a multiplier t, there exist exactly gcd(t 1, v) = d shifts fixed by the multiplier t [3]. Every known difference set (not concerning it is a Hadamard difference set or not) has a non-trivial multiplier. But the question as to whether it is always true is open. Hall and Ryser proved the existence of a non-trivial multiplier under certain circumstance in so-called the multiplier theorem [3]. Fortunately, difference sets with v = 2 n 1, k = 2 n 1 1, and λ = 2 n 2 1 always has 2 as a multiplier. In the previous section, it is mentioned that an m-sequence s has a characteristic phase s such that s(t) = s(2t) for all t. This is because m-sequence is equivalent to a difference set with the above parameters (Singer difference set). Baumert made some results about the difference sets based on the multiplier concept. These results give a powerful tool for an exhaustive search. In the next chapter, we explain the method by which the exhaustive search for (2 n 1, 2 n 1 1, 2 n 2 1)-cyclic difference sets with n 10 has been done. 2.3 Recently introduced cyclic Hadamard difference sets In the end of last century, there were introduced two parallel new constructions of cyclic Hadamard sequences of length 2 n 1, equivalently (2 n 1, 2 n 1 1, 2 n 2 1)-cyclic Hadamard difference sets. One is called three-term or five-term construction and the other is CHDS arising from monomial hyperoval of finite projective plane. In this section, we give summary of these results. 13

24 2.3.1 Conjectured three-term, five-term sequences and related sequence In 1997 No, Golomb, Gong, Lee and Gaal conjectured [47] that the followings are Hadamard sequences of length 2 n 1: 1. n = 2k + 1, k a positive integer b(t) = T r(α t ) + T r(α (2k +1)t ) + T r(α (2k +2 k 1 +1)t ) 2. n = 3k 1, k 2 a positive integer b(t) = T r(α t ) + T r(α (2k +1)t ) + T r(α (22k 1 +2 k 1 +1)t ) + + T r(α (22k 1 2 k 1 +1)t ) + T r(α (22k 1 +2 k 1)t ) 3. n = 3k 2, k 2 a positive integer b(t) = T r(α t ) + T r(α (2k 1 +1)t ) + T r(α (22k 2 +2 k 1 +1)t ) + + T r(α (22k 2 2 k 1 +1)t ) + T r(α (22k 1 2 k 1 +1)t ) 4. Welch-Gong transform of case 2 5. Welch-Gong transform of case 3 All these were verified by computer search for n 19 [47] and have subsequently been proven [13] [14] [15]. Currently, Various properties of those sequences are being studied actively. See [2] [10] [9] [15] [13] [17] [60]. Note that for n = 11, cases 1, 2, and 4 are applicable. In the study of the above sequences, Dobbertin found [15] another Hadamard sequences which is based on Kasami power function [39]. 14

25 2.3.2 Hadamard sequences from monomial hyperovals In this section, we explain Maschietti s construction [45] of cyclic Hadamard difference set with parameters v = 2 n 1, k = 2 n 1 1, λ = 2 n 2 1. Let n > 1, q = 2 n and P G(2, q) be the projective plane corresponding to 2- dimensional projective space over F q. (Basic theory of projective geometry can be easily found from various textbooks or lecture notes. For example, see [7] [59].) A k-arc of P G(2, q) is a set of k distinct points, no three of which are collinear. The maximum value of k is q + 2 in which case, the k-arc is called a hyperoval. Every hyperoval in P G(2, q) may be written in the form [33] D(f) = {(1, t, f(t)) t F q } {(0, 1, 0), (0, 0, 1)}, where f is a permutation polynomial over F q of degree at most q 2, satisfying f(0) = 0, f(1) = 1 and, for each s F q, such that the polynomial f s (x) = f(x + s) + f(s), f s (0) = 0 x is also a permutation polynomial. When f(x) = x k is a monomial, the hyperoval is called a monomial hyperoval and denoted by D(x k ) or simply D(k). The following monomial hyperovals are known: the hyperovals corresponding to f(x) = x 2k, (k, n) = 1 known as translation hyperovals (especially for k = 1, called regular hyperoval) the Segre hyperoval [54] corresponding to k = 6 and n odd, n 5 the Glynn hyperovals [19]: 15

26 k = 2 (n+1)/2 + γ for n odd, n 7 where γ = 2 l if n = 4l 1 and γ = 2 3m+1 if n = 4m + 1 k = 3 2 (n+1)/2 + 4 for n odd, n 7 Monomial hyperovals have the following alternative characterization [45]: (k, q 1) = 1 and for every a F q, the equation x k + x + a = 0 has either zero or two solutions in F q Given a monomial hyperoval D(k), let D k = { x + x k x F q } {0}. Maschietti [45] made the following very interesting finding: Theorem 2.2 The (q+2)-set D(k) is a hyperoval if and only if Dk is a (q 1, q/2 1, q/4 1)- difference set in F q, or equivalently, the sequence {r(t)} defined by { 0, α t Dk r(t) = 1, else where α is a primitive element of F q, has ideal autocorrelation. This theorem can be proved in several ways. Maschietti s original proof [45] is geometric in nature. Algebraic proof is contained in the paper by Dillon [13]. Now a proof using Jacobi sums is also obtained [17]. Before ending this section, we remark that cyclic difference sets from the translation monomial hyperovals (including regular hyperoval) are equivalent [17] to Singer difference set [56]. More exactly we have the following: 16

27 Remark 2.1 Let q = 2 d, q > 2. If D(x k ) and D(x j ) are two projectively equivalent monomial hyperovals in P G(2, q), then the corresponding difference sets are equivalent. (Proposition 2.6. of [17]) As a corollary to this, the difference sets arising from the translation or regular hyperovals D(x 2i ) are the Singer difference sets { y F T r(y) = 0 }. Then together with 2 d the theorem 2.1, we know that the Hadamard sequences associated with the difference sets from the translation hyperovals are equivalent to m-sequence, in terminology of sequences. 2.4 Decimation Before starting off exhaustive search, we bring in one more property of Hadamard sequences. In Section 2.1, the notion of decimation is already introduced in terms of the properties of m-sequences. In fact, decimation can be applied to any binary sequence. Let us define decimation once again. Definition 2.6 Let (a n ) be a Hadamard sequence of period N and let q be an integer with (q, N) = 1. Then (b n ) with b i = a qi is called the q-decimation of (a n ) or decimation by q of (a n ). It is easy to show that a q-decimation of a Hadamard sequence is also Hadamard sequence. Therefore, decimation gives equivalence relation on Hadamard sequences of the same period, where two Hadamard sequences belong to a same equivalence class if they are related by some decimation. Furthermore, a decimation of a Hadamard sequence fixed by a multiplier t is also fixed by t. Thus, decimation also gives a partition to the set 17

28 of all the Hadamard sequences of the same period fixed by the same multiplier. In the exhaustive search for this thesis, we only consider the Hadamard difference sets which are fixed by the multiplier 2. Thus what makes it possible to reduce the total search area in the exhaustive search is the fact that the collection of Hadamard difference sets which are fixed by the same multiplier have an equivalence class structure under decimation. It will be explained explicitly how to apply the decimation property to an exhaustive search. decimation by decimation by 6 t Tr( α ) t α 6 Tr( ) Figure 2.2: Equivalence relation between two Hadamard sequences of period 7. In this thesis, two binary sequences are said to be (cyclically) equivalent if they are related by some decimation or one is a time-shifted version of another. Otherwise, they are said to be inequivalent or distinct. 18

29 Chapter 3 Exhaustive search for (2047, 1023, 511)-Hadamard difference sets Let D = {d 1, d 2,, d k } be a (v, k, λ)-cyclic Hadamard difference set and θ(x) = k x d i. i=1 From the definition of a cyclic Hadamard difference set, it can be easily shown that v 1 θ(x)θ(x 1 ) k λ + λ x i (mod x v 1). If w is a divisor of v, the above equation can be expressed as follows i=0 w 1 θ(x) b i x i (mod x w 1) (3.1) i=0 w 1 θ(x)θ(x 1 ) k λ + (λv/w) x i (mod x w 1), (3.2) where b i is the number of d j in D satisfying d j i (mod w). In [3], Baumert showed the following theorem. i=0 19

30 Theorem 3.3 [3] If a (v, k, λ)-cyclic difference set exists, then for every divisor w of v, there exists integers b i (0 i w 1) satisfying the following diophantine equations. w 1 b i = k (3.3) i=0 w 1 b 2 i = k λ + (λv/w) (0 b i v/w) (3.4) i=0 w 1 b i b i j = λv/w for all 1 j w 1, (3.5) i=0 where the subscript i j is taken modulo w. In fact, b i in Eq. 3.1, that is the number of d j in D satisfying d j i (mod w), satisfy the three equations in Theorem 3.3. Usually one uses this theorem to prove the nonexistence of cyclic difference sets for certain parameters [31]. Song and Golomb [57], and subsequently Kim and Song [41] applied this theorem and obtained powerful result on the nonexistence of CHDSs. One can also use this theorem to reduce the computational complexity of an exhaustive search for Hadamard difference sets. The following example shows the main procedures. Example 3.2 For a (15, 7, 3)-cyclic difference set (if it exists), since 15 = 3 5, and since 2 must be a multiplier of this cyclic difference set, we need to consider the following cyclotomic cosets. See table 3.1. Let a i = 1 if Ci 15 D and a i = 0 if Ci 15 D. Then 4 θ(x) = x j (mod x 15 1). i=0 a i j C 15 i Since D must contain 7 elements, one has a 0 + 4(a 1 + a 2 + a 3 ) + 2a 4 = 7. (3.6) 20

31 Table 3.1: Cyclotomic cosets mod 3, 5, and 15 cosets mod 3 C0 3 = {0}, C3 1 = {1, 2} cosets mod 5 C0 5 = {0}, C5 1 = {1, 2, 3, 4} cosets mod 15 C0 15 = {0}, C1 15 = {1, 2, 4, 8}, C2 15 = {3, 6, 9, 12} C 15 3 = {7, 11, 13, 14}, C 15 4 = {5, 10} When w = 3, we have b 0 = a 0 + 4a 2 b 1 = b 2 = 1 2 (4(a 1 + a 3 ) + 2a 4 ) = 2(a 1 + a 3 ) + a 4. Then Eq. 3.4 gives (a 0 + 4a 2 ) 2 + 2(2(a 1 + a 3 ) + a 4 ) 2 = 19. (3.7) When w = 5, we have b 0 = a 0 + 2a 4 b 1 = b 2 = b 3 = b 4 = a 1 + a 2 + a 3 Then (a 0 + 2a 4 ) 2 + 4(a 1 + a 2 + a 3 ) 2 = 13. (3.8) By Eq. 3.6, a 0 = a 4 = 1, and exactly one of a 1, a 2, a 3 is 1. Furthermore, by considering Eq. 3.7 one can find that a 2 cannot be 1. Thus, the possible solutions are (1, 1, 0, 0, 1) (a 0, a 1, a 2, a 3, a 4 ) = or (1, 0, 0, 1, 1) (3.9) Eq. 3.8 gives no further information. In fact, both of these solutions give (15, 7, 3)- CHDSs. 21

32 In this example, Eq. 3.5 was not used. But for other parameters, Eq. 3.5 can give more information if we are fortunate. In 1983, Cheng finished the exhaustive search for (255, 127, 63)-cyclic difference set using this theorem [11], and in 1997 Kim and Song completed search for (511, 255, 127) case. Actually, it is main functionality of the theorem 3.3 to reduce the number of candidates which have to be examined. But as n grows, since the number of candidates increases exponentially, more efficient algorithm that can shorten time taken for twolevel test was necessary. Gaal proposed [18] a technique using inverse Fourier domain analysis, and successfully completed exhaustive search for (1023, 511, 255)-cyclic difference sets. 3.1 Exhaustive search for (2047, 1023, 511)-cyclic difference sets Since 2047 = 23 89, the cyclotomic cosets to be considered are tabulated in table 3.2. Here we denote the cyclotomic coset modulo x by C x i. Let A i,j be the class which contains all cyclotomic cosets C 2047 l such that a Cl 2047, a (mod 23) Ci 23 and a (mod 89) Cj 89 and let a h be the number of cosets whose elements belong to difference set D, in each class. Then cyclotomic cosets modulo 2047 can be decomposed as shown in Table 3.3. In this table, we have 0 a 0, a 1,, a 8, a 9, a a 10,, a 17, a 19,, a

33 Table 3.2: Cyclotomic cosets mod 23 and 89 cosets mod 23 cosets mod 89 C 23 0 = {0} C 89 0 = {0} C 23 1 = {1, 2, 4, 8, 16, 9, 18, 13, 3, 6, 12} C 89 1 = {1, 2, 4, 8, 16, 32, 64, 39, 78, 67, 45} C 23 2 = {5, 10, 20, 17, 11, 22, 21, 19, 15, 7, 14} C 89 2 = {3, 6, 12, 24, 48, 7, 14, 28, 56, 23, 46} C 89 3 = {5, 10, 20, 40, 80, 71, 53, 17, 34, 68, 47} C 89 4 = {9, 18, 36, 72, 55, 21, 42, 84, 79, 69, 49} C 89 5 = {11, 22, 44, 88, 87, 85, 81, 73, 57, 25, 50} C 89 6 = {13, 26, 52, 15, 30, 60, 31, 62, 35, 70, 51} C 89 7 = {19, 38, 76, 63, 37, 74, 59, 29, 58, 27, 54} C 89 8 = {33, 66, 43, 86, 83, 77, 65, 41, 82, 75, 61} When w = 23, we have b 0 = a i=1 a i b 1 = b 2 = = b 12 ( b i, i C 23 1 ) = a 9 + a a 17 b 5 = b 10 = = b 14 ( b i, i C 23 2 ) = a 18 + a a 26. Let x = a Then by Eq. 3.3 and 3.4, 8 a i, y = a 9 + i=1 17 i=10 a i, z = a i=19 a i. (3.10) x + 11(y + z) = 1023 (3.11) x (y 2 + z 2 ) = (3.12) We have the following four solutions to Eq and Eq. 3.12, and they all satisfy 23

34 Table 3.3: Decomposition of cyclotomic cosets modulo a h A ij cosets in A ij # of cosets coset size a 0 A 00 C a 1 A 01 C a 2 A 02 C a 3 A 03 C a 4 A 04 C a 5 A 05 C a 6 A 06 C a 7 A 07 C a 8 A 08 C a 9 A 10 C a 10 A 11 C 1 C 20 C 46 C 51 C 59 C 76 C 81 C 99 C 124 C 146 C a 11 A 12 C 2 C 47 C 49 C 57 C 84 C 121 C 134 C 156 C 161 C 164 C a 12 A 13 C 24 C 35 C 60 C 77 C 101 C 116 C 118 C 126 C 130 C 147 C a 13 A 14 C 5 C 25 C 28 C 79 C 85 C 102 C 117 C 132 C 155 C 180 C a 14 A 15 C 13 C 36 C 40 C 42 C 43 C 64 C 120 C 122 C 141 C 152 C a 15 A 16 C 7 C 16 C 18 C 58 C 65 C 69 C 94 C 137 C 166 C 169 C a 16 A 17 C 14 C 15 C 30 C 62 C 67 C 74 C 75 C 95 C 145 C 172 C a 17 A 18 C 21 C 37 C 38 C 93 C 97 C 105 C 106 C 112 C 131 C 151 C a 18 A 20 C a 19 A 21 C 23 C 33 C 45 C 70 C 96 C 107 C 154 C 159 C 170 C 177 C a 20 A 22 C 4 C 50 C 55 C 63 C 82 C 89 C 114 C 133 C 140 C 162 C a 21 A 23 C 3 C 9 C 27 C 48 C 53 C 72 C 83 C 109 C 138 C 160 C a 22 A 24 C 11 C 39 C 52 C 61 C 88 C 108 C 119 C 127 C 135 C 143 C a 23 A 25 C 6 C 29 C 54 C 86 C 90 C 103 C 110 C 136 C 144 C 148 C a 24 A 26 C 8 C 26 C 68 C 73 C 87 C 100 C 113 C 123 C 157 C 158 C a 25 A 27 C 10 C 19 C 32 C 66 C 91 C 104 C 128 C 129 C 139 C 142 C a 26 A 28 C 17 C 22 C 31 C 41 C 71 C 78 C 80 C 98 C 125 C 149 C

35 Eq x = 33, y = 41, z = 49, x = 66, y = 43, z = 44 x = 33, y = 49, z = 41, x = 66, y = 44, z = 43 (3.13) Since 11 x, from Eq When w = 89, we have a 0 = 0, and 8 a i = 3 or 6. (3.14) i=1 p 0 b 0 = a (a 9 + a 18 ) p 1 b 1 = b 2 = = b 45 = ( b i, i C 89 1 ) = a 1 + a 10 + a 19 p 2 b 3 = b 6 = = b 46 = ( b i, i C 89 2 ) = a 2 + a 11 + a 20 p 3 b 5 = b 10 = = b 47 = ( b i, i C 89 3 ) = a 3 + a 12 + a 21 p 4 b 9 = b 18 = = b 49 = ( b i, i C 89 4 ) = a 4 + a 13 + a 22 p 5 b 11 = b 22 = = b 50 = ( b i, i C 89 5 ) = a 5 + a 14 + a 23 p 6 b 13 = b 26 = = b 51 = ( b i, i C 89 6 ) = a 6 + a 15 + a 24 p 7 b 19 = b 38 = = b 54 = ( b i, i C 89 7 ) = a 7 + a 16 + a 25 p 8 b 33 = b 66 = = b 61 = ( b i, i C 89 8 ) = a 8 + a 17 + a 26. From Eq. 3.3 and 3.4, we have ( 8 ) p p i = 1023 (3.15) p i=1 ( 8 p 2 i i=1 ) = (3.16) with p 0 0 (mod 11). Then there are solutions of p i s by Eq. 3.3 and 3.4, among them 88 solutions satisfy Eq They are tabulated in the Table

36 Table 3.4: Solutions of Diophantine equations for w = 89 p 0 p 1 p 2 p 3 p 4 p 5 p 6 p 7 p 8 p 0 p 1 p 2 p 3 p 4 p 5 p 6 p 7 p 8 p 0 p 1 p 2 p 3 p 4 p 5 p 6 p 7 p 8 p 0 p 1 p 2 p 3 p 4 p 5 p 6 p 7 p

37 3.2 Use of decimation in exhaustive search Generally a decimation gives a permutation of the cyclotomic cosets, and a decimation does not affect the class structure of the cyclotomic cosets, a decimation is also a permutation of the coset classes, which is due to: Lemma 3.1 [40] Let N = 2 n 1 and let t be an integer with gcd(2 n 1, t) = 1. Let d be a divisor of N. If x C d i and tx Cd j, then for all y Cd i, ty Cd j. Since a decimation does not affect the class structure, it can be thought as a permutation of the values of a i s. Thus, if there exists a cyclic difference set for certain values of a i s, there also exists a cyclic difference set for the values of a i s permuted by a decimation. This property of decimation can be used for reducing the computational complexity of an exhaustive search. For N = 2047, there are ϕ(2047) = 1936 (where ϕ( ) is Euler ϕ-function) distinct decimations including 1-decimation. The set of those 1936 decimations can be thought as a multiplicative group which has 1-decimation as its identity. We denote d-decimation by ψ d. Then multiplication of two decimations ψ a and ψ b is defined as ψ a ψ b = ψ ab. The structure of class permutations by several decimations are tabulated in Table 3.5. Actually, among all 1936-decimations, eight decimations listed in table 3.5 are the only truly distinct ones. In Table 3.5, a 9 is mapped to itself or a 18 by some decimation, and correspondingly coset class A 1,0 is mapped to itself or A 2,0. From the diophantine equations for w = 23, we had the following four solutions (Eq. 3.13). 27

38 Table 3.5: Permutation of coset classes by d-decimations, d=1, 3, 5, 9, 11, 13, 19, 33 a h ψ 1 ψ 3 ψ 5 ψ 9 ψ 11 ψ 13 ψ 19 ψ 33 a 0 a 0 a 0 a 0 a 0 a 0 a 0 a 0 a 0 a 1 a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 2 a 2 a 4 a 6 a 7 a 8 a 1 a 5 a 3 a 3 a 3 a 6 a 5 a 1 a 4 a 8 a 2 a 7 a 4 a 4 a 7 a 1 a 5 a 3 a 2 a 8 a 6 a 5 a 5 a 8 a 4 a 3 a 1 a 7 a 6 a 2 a 6 a 6 a 1 a 8 a 2 a 7 a 3 a 4 a 5 a 7 a 7 a 5 a 2 a 8 a 6 a 4 a 3 a 1 a 8 a 8 a 3 a 7 a 6 a 2 a 5 a 1 a 4 a 9 a 9 a 9 a 18 a 9 a 18 a 9 a 18 a 18 a 10 a 10 a 11 a 21 a 13 a 23 a 15 a 25 a 26 a 11 a 11 a 13 a 24 a 16 a 26 a 10 a 23 a 21 a 12 a 12 a 15 a 23 a 10 a 22 a 17 a 20 a 25 a 13 a 13 a 16 a 19 a 14 a 21 a 11 a 26 a 24 a 14 a 14 a 17 a 22 a 12 a 19 a 16 a 24 a 20 a 15 a 15 a 10 a 26 a 11 a 25 a 12 a 22 a 23 a 16 a 16 a 14 a 20 a 17 a 24 a 13 a 21 a 19 a 17 a 17 a 12 a 25 a 15 a 20 a 14 a 19 a 22 a 18 a 18 a 18 a 9 a 18 a 9 a 18 a 9 a 9 a 19 a 19 a 20 a 12 a 22 a 14 a 24 a 16 a 17 a 20 a 20 a 22 a 15 a 25 a 17 a 19 a 14 a 12 a 21 a 21 a 24 a 14 a 19 a 13 a 26 a 11 a 16 a 22 a 22 a 25 a 10 a 23 a 12 a 20 a 17 a 15 a 23 a 23 a 26 a 13 a 21 a 10 a 25 a 15 a 11 a 24 a 24 a 19 a 17 a 20 a 16 a 21 a 13 a 14 a 25 a 25 a 23 a 11 a 26 a 15 a 22 a 12 a 10 a 26 a 26 a 21 a 16 a 24 a 11 a 23 a 10 a 13 28

39 Case 1 8 a i = 3, i=1 8 a i = 6, i=1 17 i=10 17 a i = 41, a i = 43, i=10 26 i=19 26 a i = 49 (3.17) a i = 44 (3.18) i=19 Case 2 8 a i = 3, i=1 8 a i = 6 i=1 17 i=10 17 a i = 49, a i = 44, i=10 26 i=19 26 a i = 41 (3.19) a i = 43 (3.20) i=19 But as shown in Table 3.5, each of ψ 5, ψ 11, ψ 19, ψ 33 maps {a i i = 10,, 17} bijectively onto {a i i = 19,, 26}. Thus, any cyclic difference set from case1 can be made from that of the case2 by some suitable decimation, thereby excluding two solution-sets from four possibilities. In final search the case 1 is considered. Generally, exhaustive search for (2 n 1, 2 n 1 1, 2 n 2 1)-CHDS could be thought as the problem of assigning appropriate values to a i s, which satisfy (when transformed into b i s) all equations in theorem 3.3 for every proper divisor w of v. Since a decimation is a permutation on {a 0,, a 26 } in the cycle decomposition form (a 0, a 1,, a 8 ) (i,j)(a i, a j ), where the transposition (a i, a j ) in product is taken from the pair (i, j), i {9,, 17}, j {19, 26}, we can apply decimation property further to reduce the number of candidates of 9-tuple vector (a 0, a 1,, a 8 ). In fact, we only need to examine the 29

40 assignments in which a 1, a 2,, a 8 are the same as one of the 11 kinds of values shown in table 3.6. Any other assignment can be transformed into one of the assignments with those values of a 1, a 2,, a 8 listed in the table. Table 3.6: Inequivalent choices of a 0,, a 8 for the case (x, y, z) = (33, 41, 49) for the case (x, y, z) = (66, 43, 44) values of a 1, a 2,, a 8 # of candidates values of a 1, a 2,, a 8 # of candidates In the final search, every a h with range 0 a h 11 is substituted for binary 11- tuple vector, where each 0 or 1 indicates whether the corresponding coset is included in difference set or not. For the given set of a h s, one has to construct the binary sequence and check the ideal autocorrelation property. For two-level autocorrelation test, inverse DFT method proposed by Gaal [18] is used. The procedure for exhaustive search of (2047, 1023, 511)-CHDS is summarized: step 1 Find cyclotomic cosets mod step 2 Decompose the cosets of step 1 into 27-A i,j classes according to the relations between cyclotomic cosets mod 2047 and cosets mod 23, and between cosets mod 2047 and cosets mod 89, respectively. (Table 3.3) 30

41 step 3 For w = 23 and w = 89, establish a series of diophantine equations of b i s (Eq. 3.11, Eq for w = 23, and Eq. 3.15, Eq for w = 89) by theorem 3.3 and then solve them giving solutions. (Eq for w = 23, and table 3.4 for w = 89) step 4 Using the decimation structure of cyclotomic cosets given in table 3.5, exclude redundant solutions found in step 3. step 5 Convert equations of b i s established in step 3 into equations of a i s. Then using sieved solution sets given in step 4, find all the solution sets of a i s which jointly satisfy all the equations in the step 3. step 6 For a given solution set (a 0,, a 26 ) in step 5, convert each of a 10,, a 17, a 19,, a 26 into a binary string of length 11 so that it indicates which cosets in the corresponding class are selected. When doing this, we can further apply decimation property to reduce the number of ways of choosing cosets. step 7 Construct binary sequence of length 2047 which contains all cosets selected in step 6. step 8 Examine whether the sequence from step 7 has two-level ideal autocorrelation or not. 31

42 Chapter 4 Results and some analyses In conclusion, it is verified that exhaustive search for (2047, 1023, 511)-cyclic difference sets is not feasible currently. For one solution set (a 0, a 1,, a 26 ), there are M = 26 ( Nh a h h=0 ways to choose cosets which are contained in a potential difference set to be examined, where N h is the class size of the h-th class. But N h is 11 for 16-h s (h = 9,, 17, 19,, 27, see table 3.3), so the above number M is greater than at least, and actually in average. Since there are more than such solution sets of a i s (see table 3.6, we have to check the correlation property of approximately sequences. In this thesis, partial search was done and no new (inequivalent to all previously known Hadamard sequences) sequence has been found. In this chapter, some analysis on binary sequence of period 2047 is presented. Some detail on Hadamard sequences arising from monomial hyperoval, especially from the Segre type hyperoval is given including its explicit trace representation and linear complexity. Until now there are known three categories of constructions, by which ideal auto- ) 32

43 correlation sequences of period can be synthesized. They were all described in chapter 2. For convenience we list them once again. 1. m-sequence 2. 3-term or 5-term and related sequences (a) three-term sequence (b) five-term sequence (c) Welch-Gong transform of the above five-term sequence (d) Dobbertin s Kasami power function sequence 3. hyperoval sequences (a) translation hyperoval sequence (equivalent to m-sequence) (b) Segre hyperoval sequences (c) Glynn type I and type II hyperoval sequence Among them, m-sequence and three or five term sequences are themselves defined in terms of trace function, but that is not the case for hyperoval sequences. In next section, we find explicit trace representation of hyperoval sequences. 4.1 Trace representation of hyperoval sequences The Hadamard sequences associated with the hyperovals of finite projective plane P G(2, q) with q = 2 n were defined in chapter 2. When n = 11, let F q be the finite fields with 33

44 q = 2 11 elements and α be a primitive element of F q. Let D k be the subset of F q defined by D k = { x + x k x F q } {0}. (4.1) Define a binary sequence r(t) of length 2047 by { 0, α t Dk r(t) = 1, else Then r(t) is a Hadamard sequence of length 2047 if k = 2 m with (m, 11) = 1 (Translation type) k = 6 (Segre type) k = (Glynn type I) or k = (Glynn type II) Since the difference sets from the translation hyperovals are equivalent to Singer difference set (see remarks in the end of section 2.3.2), we do not need to consider the case of translation hyperovals The case of the Segre hyperoval Now consider the binary sequence of period 2 n 1 arising from the Segre hyperoval. The trace representation of the Segre type hyperoval sequence was obtained in [10]. Let (1) l denote a string of l-consecutive 1 s. Let A 1, A 2 denote the collection of all binary (0, 1) strings of the form (1) 4a+1 where a is any integer 0, and (1) 4b where b is any integer 0, respectively. Note that the empty string φ is contained in A 2. Let A = A 1 A 2, and A denote the set of all strings obtained by concatenating one or more strings from A. Let B = { (01γ0(1) 2s ) s 0, γ A } {(011γ11) γ A }. 34

45 Table 4.1: Elements in the trace expansion of the Segre hyperoval sequence (λ 0,, λ 10 ) leader for λ leader for λ (λ 0,, λ 10 ) leader for λ leader for λ Let B n denote the set of all binary (0, 1) strings of length n, i.e., that consist of n-(0,1) symbols. Then we have [10] [9]: Theorem 4.4 Let k = 6 and {r(t)} be the sequence associated with the Segre hyperoval. Then r(t) has the trace representation where λ = n 1 j=0 2j λ j. r(t) = (λ 0,λ 1,,λ n 1 ) B n T r ( α λt), For n = 11, we can find B 11 without difficulty. It consists of 15 length 11 strings (λ 0, λ 1, λ 10 ) s listed in table 4.1. Therefore the Hadamard sequence s(t) of length arising from the Segre hyperoval in P G(2, 2 11 ) is represented in terms of traces as follows: s(t) = 1 + T r(α 5t + α 25t + α 105t + α 309t + α 469t + α 83t + α 39t + + α 29t + α 3t + α 19t + α 73t + α 33t + α 9t + α 17t + α 149t ) (4.2) 35

46 4.1.2 The case of the Glynn hyperoval General explicit formula for trace expansion of the Glynn hyperoval sequence is not known, currently. To represent the sequences of this type as a sum of traces, we use an algorithm using discrete Fourier technique. According to that algorithm, a binary sequence of length N = 2 n 1 with the constant-on-the-coset property can be represented in terms of trace function [1]. Let C i be the i-th cyclotomic cosets modular N = 2 n 1 and let r i (t) be the binary sequence of length N such that r i (t) = { 1 t C i 0 else Then the above algorithm generates integer e j s corresponding to r i (t) with which, r i (t) can be represented as a trace function r i (t) = e j T r(α e jt ), where α is a primitive element of GF (2 n ). Let D k = { x + x k x F q } {0} with k = 72 and k = 68 be the subset of GF (2 11 ) associated with the Glynn hyperoval in P G(2, 2 11 ) of type I and II, respectively. By using above algorithm, we get the following trace representations for the binary sequences g 1 (t) and g 2 (t) of length 2047 arising from the Glynn hyperoval: g 1 (t) = 1 + T r(α 43t + α 9t + α 137t + α 5t + α 37t + α 69t + α 293t + + α 19t + α 43t + α 67t + α 163t + α 13t + α 211t ) g 2 (t) = 1 + T r(α t + α 33t + α 17t + α 5t + α 37t + α 69t + α 81t + α 49t + α 139t + α 147t + α 171t + + α 101t + α 13t + α 173t + α 113t + α 151t + α 183t + α 29t + α 61t + α 93t + α 157t + α 125t + α 125t ) 36