Incomplete character sums and a special class of permutations

J

OURNAL DE

T

HÉORIE DES

N

OMBRES DE

B

ORDEAUX

S. D. C

OHEN

H. N

IEDERREITER

I. E. S

HPARLINSKI

M. Z

IEVE

Incomplete character sums and a special

class of permutations

Journal de Théorie des Nombres de Bordeaux, tome

13, n

o

_{1 (2001),}

p. 53-63

<http://www.numdam.org/item?id=JTNB_2001__13_1_53_0>

© Université Bordeaux 1, 2001, tous droits réservés.

L’accès aux archives de la revue « Journal de Théorie des Nombres de Bordeaux » (http://jtnb.cedram.org/) implique l’accord avec les condi-tions générales d’utilisation (http://www.numdam.org/conditions). Toute uti-lisation commerciale ou impression systématique est constitutive d’une infraction pénale. Toute copie ou impression de ce fichier doit conte-nir la présente mention de copyright.

Article numérisé dans le cadre du programme Numérisation de documents anciens mathématiques

Incomplete

character

sums

and

a

special

class

of

permutations

par S. D.

COHEN,

H.

NIEDERREITER,

I. E. SHPARLINSKI

et M. ZIEVE

RÉSUMÉ. Nous donnons une méthode _{pour majorer} des sommes

incomplètes

des valeurs d’un caractère d’un _groupe abélien

_fini,

en

des éléments

_générés

par une récurrence d’ordre 1. Cette méthode

est

_{particulièrement explicite lorsque}

la récurrence

_implique

un

type

special

de _{permutations,}

_{appelées T-orthomorphismes.}

Nous

donnons

_{quelques exemples}

de ces

T-orthomorphismes.

ABSTRACT. We present a method of

bounding incomplete

char-acter sums for finite abelian _groups with _arguments

_{produced by}

a first-order recursion. This method is

_particularly

effective if the recursion involves a

_special

_type of _permutation called an

R-orthomorphism. Examples

of

_{T-orthomorphisms}

are _given.

1. Introduction

Let G be a finite abelian _group of order m &#x3E; 2 and

_Sym(G)

the _group of

_permutations

of G. For a fixed

permutation V)

E

_Sym(G)

the _sequence

uo, ui , ... of elements of G is

generated by

the recursion

where uo is a

_given

initial value. This _sequence is

purely

_periodic

with least

period

t m. For 1 N t and a nontrivial

character X

of G we consider

the

_problem

of

_finding

nontrivial upper bounds for the absolute value of

the character sum

. ,,-’"

This

_problem

arises in

_applications

such as

_pseudorandom

number

genera-tion for simulation methods and for

cryptography.

In these

_applications

the

typical

groups G are

Z/MZ -

the additive _group of residue classes mod

_M,

(Z/MZ)* -

the

_{multiplicative}

_group of reduced residue classes mod

_M,

_Fq

- the additive

group of the finite field of order q, and

F* -

the

multiplicative

group of nonzero elements of

_Fq,

as well as their

_subgroups.

Until

_recently,

nontrivial bounds for the character sum

(2)

have been

known

_only

in some _very

_special

cases. If we write the

_operation

in G

additively,

then an _easy case arises when

0(g)

_{= g +} a for

_{all g}

E

_G,

where

a E G is fixed. A less trivial case that has been treated before is G =

Z/MZ

= ag for

all 9

E

_G,

where a E

_(Z/MZ)*

is fixed

_{(see [4], [6,}

Section

8], [12,

Section

_9.2]).

In 1998 Niederreiter and

_Shparlinski

_[7]

invented a new method for the case where G =

Fp,

_p

prime,

and

0(g)

_{= ag}

₊ b for

all g

E

_G,

where a E

_Fp*

and b E

_Fp

are

fixed, g

denotes the

multiplicative

inverse

_{of 9}

for _g E

_Fp,

and 0

= 0 for the _zero element 0 _E

Fp.

This method

was later

applied

to related cases

(see [3], [8], [9], [10]).

In the

_present

_paper we

_develop

the method of

[7]

for

_bounding

the

char-acter sum

(2)

in a

general

framework. The method is

_particularly

effective

if the

_{permutation qb}

in the recursion

₍₁₎

is a so-called

_{R-orthomorphism.}

This

_special

_type

of

_permutation

is also of interest for other

_{applications,}

such as to combinatorial

design

theory.

We devote some attention to this

special

case, in

particular

to the construction of

_{R-orthomorphisms.}

2. Bounds for

_incomplete

character sums

The notation in the

_previous

section remains in force and we introduce some further notation. Without loss of

_generality

we write G

additively.

For a

_{positive integer}

r we define the

complete

character sum

If IC is a finite

_nonempty

set of

_integers,

then

_Ar(JC)

denotes the number of ordered

_pairs

_{(i, j)}

E

IC2

with i

_{- j}

= _r. Note that = 0 for all

sufficiently large

r. Now we are

ready

_{to prove} a bound for the

_incomplete

character sum

(2)

in terms of the

complete

character sums

(3).

Theorem 1. Let G be a

finite

abelian _group

of

2 and let

uo, U1, ... be the sequence

generated b~

(1)

with least

Period t.

Then

for

any

nontrivial character _X

_{of G}

and

_for

_any

_finite

_nonempty

set IC

_of

_integers

we have

Proof.

We use the abbreviation

From

₍₁₎

we

_get

_un =

’lfJn(uo)

for all

integers n &#x3E; 0,

and _{we use} this

identity

to define un for all

negative integers

n. It is easy to see that for _any

integer

k we have

If we use this for all E then we

_get

where

By

the

_{Cauchy-Schwarz inequality}

we obtain

Since

_1fJj

is a

_permutation

of

G,

the inner sum in the last

expression

is

equal

to the sum in

(3).

Thus we

_get

Corollary

1. Let G be a

_finite

abelian _group

_of

order m &#x3E; 2 and let

uo, U1,... be the sequence

generated by

(1 )

with least

period

t. Then

for

any nontrivial character X

of

G and any

positive integer

K we have

Proof. Apply

Theorem 1 with

if K is even and

if K is odd. 0

In various

_applications

the

_complete

character sums

Sr(X,

can be

bounded

_by

known

_results,

_{e. g.} the Weil bound or the Bombieri-Weil

bound. In such cases one obtains

_good

bounds for the character sum

(2)

_by

optimizing

the choice of 1C in Theorem 1 or the choice of K in

Corollary

1

(see

e.g.

[7], [10]).

A similar

procedure,

applied

to

subgroups

G of the

group of

_Fq-rational

points

of an

elliptic

curve over

_Fq,

_may

yield

results

of interest for

_cryptology.

3.

_{R-orthomorphisms}

A

_particularly

favorable case arises in the bounds in Section 2 if the

complete

character sums

Sr (x,

vanish. This

_happens,

for

_instance,

if the

corresponding

are

_permutations

of

_G,

where 6 is the

_identity

map on G. This observation

_suggests

the

following

definition.

Definition 1. Let G be a finite abelian _group and R a

_nonempty

set of nonzero

_integers.

Then a

_{permutation 0}

of G is called an

_{7Z-orthomorphism}

of G if E

_Sym(G)

for all r E ~Z.

In the case R we

_get

the classical

_concept

of an

_{orthomorphism}

of

G which is useful for the construction of

_orthogonal

Latin squares

(see

[13,

Chapter

22]).

An

_application

of

_{orthomorphisms}

to

_cryptology

_{appears in}

the work of Schnorr and

_Vaudenay

_[11].

Special

types

of

R-orthomorphisms

with

_applications

to combinatorial

_design

_theory

arise in the recent _paper

of D6nes and Owens

_[2].

Since it is obvious that

_t

E

_Sym(G)

if and

_only

if

_t

E

_Sym(G),

can take

where

_ord(~)

is the order

_{of 0}

in

_Sym(G)

and

_e(G)

is the

_exponent

of

Sym(G).

It is also trivial that if S is a

_nonempty

subset of

_{IZ and 0}

is an

R-orthomorphism

of

_G,

_{then 0}

is an

S-orthomorphism

of G.

The

_following

result is an immediate _consequence of

_Corollary

1 if is

a suitable

R-orthomorphism

of G.

Corollary

2. Let G be a

finite

abelian _group

_of

order m &#x3E; 2 and

_for

some

integerK &#x3E;

2 be an

_{R-orthomorphism of}

G with R =

{I,

2,

... ,

K- 11.

Then

_for

the sequence uo, ul, ...

generated

by

(1)

with least

period

t and

for

any nontrivial

character X of

G we have

Corollary

3. Let G be a

finite

abeliare _group

of

order m &#x3E; 2 and let

uo,ul,... be the sequence

generated by

(1)

with least

period

t. Let the

integer

N with 1 N t be

_given

and assume that the

_{permutation o}

in

₍₁₎

is an

R-orthomorphism

of

G with R =

f 1,

2,

... , L -

11

for

some

integer

L &#x3E; Then

_for

_any nontrivial character _X

_of

G we have

Proof. Apply Corollary

2 with K =

rN1/3ml/31. 0

We now show that some variation of our method

_produces

a bound that

is sometimes better than the result of

_Corollary

2.

Theorem 2. Let G be a

finite

abelian _group

of

order m &#x3E; 2 and let

uo, U1,... be the sequence

generated by

(1)

with least

period

t. Let the

integer

N with 1 N t be

_given

and assume that the

_{permutation 0}

in

₍₁₎

is an

R-orthomorphism

of

G with R =

11,

2, ... ,

K -

11

_for

_some

integer

K &#x3E; 2. Then

_for

_any nontrivial character _X

_of

G we have

We first show that

Fix a and note that for _any

integer k &#x3E;

0 we have

since the terms of the sum aha have

period

t. It follows that

By

the

_{Cauchy-Schwarz inequality}

we obtain

The inner sum is

_equal

to m if h

_{= j}

and

equal

to 0

_otherwise,

and so

(5)

follows.

To bound the sum in the

theorem,

we use a standard method

by

_starting

which is valid since the sum over b is 1 for 0 n N - 1 and 0 for

N n t - 1.

_Rearranging

_terms, we

_get

In view of

₍₅₎

this

_yields

By

an

_inequality

of Cochrane

[1]

we have

.L -1

and so the result of the theorem follows. 0

Remark 1. There is also an alternative method of

_improving

the result

of

_Corollary

3 if

_larger

values of L are

_available,

but not so

large

that

Theorem 2 becomes efhcient. The method is based on induction on the sum

_length

N.

Indeed, using

the

_{representation}

for

_integers

k &#x3E; 0

_(and

_analogously

for k

_0),

one can bound the last two

sums

inductively

rather than

trivially

(as

we have done in Theorem 1 and

thus in

_Corollary

_3).

4.

_Examples

of

_{R-orthomorphisms}

We

_present

two classes of

_examples

of

_{R-orthomorphisms}

for G =

Fq.

The first class of

_examples

is obtained from linear

_algebra.

Proposition

1.

_{Let 0}

be a linear

_operator

on the _{vector space}

_Fq

over its

prime

subfield

Fp

and let R be a

_nonempty

set

_of

_{positive integers.}

Then

qb is

an

R-orthomorphism

of Fq

if

and

only if

neither 0 nor an rth root

_of

unity

for

some r E R is an

eigenvalues

Proof.

This follows from the definition of an

_{R-orthomorphism}

and

ele-mentary

linear

_algebra.

D

Remark 2. To

_get

a concrete

example

from

Proposition 1,

let 0

be such

that its characteristic

_{polynomial f}

is irreducible over

Fp,

with 0

if q

=

all roots of

_f

have order h in

_Fq.

It follows therefore from

_Proposition

1

that o

is an

R-orthomorphism

of

Fq

whenever contains no

multiple

of

h. For

_instance,

_{if q &#x3E;}

3 and the characteristic

_{polynomial of 0}

is

_primitive

over

_Fp,

so that h

_{= q -1,}

then 0

is an

R-orthomorphism

of

_Fq

with

~={1~...~-2}.

Remark 3. The last

_example

in Remark 2 is best

_possible

in the sense

that if G is an

arbitrary

finite abelian _group of order m &#x3E;

2,

then there are no

_{?Z-orthomorphisms}

of G with R

= 1, 2, ... , m -1 }.

To see

this,

observe that an

orthomorphism 0

of G has a

(unique)

fixed

_point,

hence

the

_length

c of _any other

_{cycle of 0}

satisfies c

_{m -1,}

and

_{so o}

is not a

{c}-orthomorphism

of G.

_Similarly,

if the _{sequence in}

₍₁₎

has least

_period

t &#x3E;

_2,

then the

_{permutation V)}

in

₍₁₎

is not an

R-orthomorphism

of G with

7~={1,2,...~}.

In the second class of

_examples

we consider _maps of the

_following

form.

Let q &#x3E;

5 be odd and choose a E

_Fq

_{with a #}

0, + 1 .

Then the

_self-map

of

_Fq

is defined

_by

By

[5,

Theorem

_{7. 10]}

or

by

a

simple

direct

_argument

(compare

with the

proof

of

_Proposition

2

_below),

_’l/;a

is a

_permutation

of

_FQ.

Proposition

2. Let the

_permutation

_of

_Fq

be as in

(6)

and let R be a

non-empty

set

_of

_{positive integers.}

_Thenoa

is an

R-orthomoqphism of

_Fq

if

and

_{only if}

where _{17 is} the

_quadratic

character

_{o f Fq.}

Proof.

Note that the _map

_1/Ja

in

₍₆₎

can be described also

by

Oa(C) =

c(a -1 ) 2

if c is a _{square in}

Fq

and =

c(a

₊

1 ) 2

if c is a _{nonsquare in}

Fq.

We remark in

_passing

that this shows that

_1/Ja

is a

_permutation

of

_Fq.

By

straightforward

induction it is seen that for _any

_{positive integer}

r we

have = if _c is _a

square in

Fq

and =

c(a + 1 ) 2’’

if _c is _a

nonsquare in

_Fq.

From this it follows

immediately

that E

_Sym(Fq)

if and

_only

if

and this

_yields

the result of the

_{proposition. D}

We now show a sufficient condition for the existence of

7Z-orthomorphisms

Theorem 3. Let _q be odd and let R be a

finite

_nonempty

set

of

_positive

integers.

Suppose

that

where R is the

_{cardinality of}

R. Then there exists an a E

_Fq

such that the

map in

(6)

is an

R-orthomorphism of

_Fq,

Proof.

Let

_L(R)

denote the number of a E

_F*

for which

Furthermore,

we

_put

Then with Therefore

(7)

Moreover,

Consider the innermost sum on the

right-hand

side of

(8).

If the

_polynomial

drk

is the square of a

polynomial,

then the

_{corresponding}

sum is

clearly

nonnegative.

If

_drk

is not the square of a

_polynomial,

then

by

the Weil bound

_{(see [5,}

Theorem

_5.41])

we obtain

Together

with

₍₈₎

this

_yields

Going

back to

_(7),

we

_get

By

assumption,

the last

_expression

is at least

_2,

and so 3. Hence there exists an a E

_F*

with

_{a ~}

:1:1 that is counted

_by

_L(R),

which means

by Proposition

2 that

_iba

is an

_{7Z-orthomorphism}

of

_{Fq. D}

Remark 4. For sets ~ of the

_{form 7~={1,2,...,7~20131}}

the condition

on R in Theorem 3 is satisfied with some K N

_{0.5 log2}

_q.

It would be desirable to find further

_examples,

besides those in Remark

_2,

of

_{R-orthomorphisms}

of _groups G

_{with 7~= {1,2,... K -1 ~}

and K

_large

relative to the order m of G.

_According

to Remark 3 we must have K

m -1,

so one _may ask for K at least of the order of

_magnitude

me

for

some 0 0 1. Such

_examples

are of interest not

_only

in their own

_right,

but also in view of the bounds for character sums in Section 3 and for

applications

to combinatorial

_{design theory}

_{(see [2]}

for such

_{applications).}

References

[1] T. _COCHRANE, On a _{trigonometric inequality of Vinogradov.} J. Number Theory 27 _(1987), 9-16.

[2] J. DÉNES, P.J. OWENS, Some new Latin power sets not based on groups. J. Combinatorial

Theory Ser. A 85 _(1999), 69-82.

[3] J. GUTIERREZ, H. NIEDERREITER, I.E. SHPARLINSKI, On the multidimensional distribution

of inversive congruential pseudorandom numbers in parts of the _period. Monatsh. Math.

129 _(2000), 31-36.

[4] N.M. KOROBOV, On the distribution of digits in periodic fractions. Math. USSR Sbornik 18

(1972), 659-676.

[5] R. LIDL, H. _{NIEDERREITER,} Finite Fields. Cambridge Univ. Press, Cambridge, 1997.

[6] H. NIEDERREITER, Quasi-Monte Carlo methods and pseudo-random numbers. Bull. Amer. Math. Soc. 84 _(1978), 957-1041.

[7] H. _{NIEDERREITER,} I.E. _SHPARLINSKI, On the distribution of inversive congruential

pseudo-random numbers in parts of the _period. Math. Comp., to appear.

[8] H. _{NIEDERREITER,} I.E. _SHPARLINSKI, On the distribution and lattice structure _of nonlinear

[9] H. NIEDERREITER, I.E. _{SHPARLINSKI, Exponential} sums and the distribution _of inversive

congruential pseudorandom numbers with _prime-power modulus. Acta Arith. 92 _(2000), 89-98.

[10] H. NIEDERREITER, I.E. _SHPARLINSKI, On the distribution _{of pseudorandom} numbers and

vectors _{generated by} inversive methods. _{Applicable Algebra Engrg.} Comm. Comput. 10

(2000),189-202.

[11] C.P. SCHNORR, S. _VAUDENAY, Black box _{cryptanalysis of} hash networks based on

multiper-mutations. Advances in _{Cryptology -} EUROCRYPT ’94 _(A. De _{Santis, ed.),} Lecture Notes

in Computer Science, Vol. _950, pp. 47-57, Springer, Berlin, 1995.

[12] I.E. SHPARLINSKI, Finite Fields: Theory and Computation. Kluwer Academic Publ.,

Dor-drecht, 1999.

[13] J.H. VAN _LINT, R.M. WILSON, A Course in Combinatorics. Cambridge Univ. Press,

Cam-bridge, 1992. S. D. COHEN Department of Mathematics University of _Glasgow University Gardens Glasgow G12 _8QW Scotland E-mail : sdcCDmaths.gla.ac . uk H. NIEDERREITER Department of Mathematics National University of _Singapore

2 Science Drive 2

Singapore 117543

Republic of _Singapore

E-mail : niedOmath. nus . _{edu . sg}

I. E. SHPARLINSKI

Department of Computing Macquarie University

NSW 2109

Australia

E-mail : _{igorocomp . mq. edu . au}

M. ZIEVE

Center for Communications Research

29 Thanet Road

Princeton, NJ 08540 USA