Plateaudness of Kasami APN functions

Plateaudness of Kasami APN functions

Finite Fields and Their Applications 47 (2017) 11–32 Contents lists available at ScienceDirect Finite Fields and Their Applications www.elsevier.com...
Download PDF
461KB Sizes 3 Downloads 51 Views
Report

Finite Fields and Their Applications 47 (2017) 11–32

Contents lists available at ScienceDirect

Finite Fields and Their Applications www.elsevier.com/locate/ffa

Plateaudness of Kasami APN functions Satoshi Yoshiara Department of Mathematics, Tokyo Woman’s Christian University, Suginami-ku, Tokyo 167-8585, Japan

a r t i c l e

i n f o

Article history: Received 9 July 2015 Received in revised form 28 April 2017 Accepted 20 May 2017 Available online xxxx Communicated by Gary McGuire

a b s t r a c t It is shown that the Kasami function defined on F2n with n even is plateaued. This generalizes a result [3, Theorem 11], where the restriction (n, 3) = 1 is assumed. The result is used to establish the CCZ-inequivalence of the Kasami function defined on F2n with n even to the other known monomial APN functions [4]. © 2017 Elsevier Inc. All rights reserved.

MSC: 11T06 12E05 12E10 Keywords: APN function Kasami function Plateaued function Walsh coefficients Quadratic form

E-mail address: [email protected]. http://dx.doi.org/10.1016/j.ffa.2017.05.004 1071-5797/© 2017 Elsevier Inc. All rights reserved.

12

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

1. Introduction The aim of this note is to prove the following results on the Walsh coefficients Wκ(a, u) of the Kasami APN function κ defined on L = F2n with n even. Theorem 1. Let n be an even integer with n ≥ 4, and let κ(x) = xd with d = 22s − 2s + 1, s an integer in [2, n/2] coprime to n, be a Kasami function on L = F2n . Then the Walsh coefficient Wκ (a, u) of κ at (a, u) ∈ L2 with u = 0 takes the following values, where U := {x3 | x ∈ L× }: / U , then Wκ (a, u) = ±2n/2 for every element a ∈ L. (i) If u ∈ (ii) If u ∈ U , then Wκ (a, u) is equal to 0 or ±2(n/2)+1 for every a ∈ L. There are exactly 3 · 2n−2 elements a ∈ L such that Wκ (a, u) = 0 with a fixed element u in U . In particular, the Kasami function κ on L = F2n with n even is plateaued, namely, the absolute value of a nonzero Walsh coefficient Wκ (a, u) depends only on u but not on a ∈ L. This corresponds to “Further work 6” suggested in [2, Conclusion]. Theorem 1 is used in [4] to show the following: the Kasami function κ(x) = xd , d = 22s − 2s + 1 (for an integer s in [2, n/2] coprime to n) defined over F2n with n even is CCZ-equivalent to a plateaued APN function g if and only if κ(x) is EA-equivalent to g  [4, Proposition 1]. As a corollary, κ(x) is CCZ-equivalent to a function xd (1 ≤ d < n/2) in the list of known monomial APN functions exactly when d = d [4, Corollary 1]. Theorem 1 was established by Dillon and Dobbertine in [3, Theorem 11] when n is not divisible by 6, with involved calculations based on ingenious ideas. The additional assumption ensures that {1, ω, ω 2 } is a complete set of representatives for three cosets of a subgroup U := {x3 | x ∈ L× } in the cyclic group L× , where ω denotes a primitive cubic root of unity. This fact makes many calculations much easier, especially when measuring the size of a certain subset denoted Aλ in [3, p. 375, Section 7]. In this paper, we faithfully trace their arguments to reveal that in fact the additional assumption (n, 3) = 1 is superfluous. We shall work with a complete set {1, ρ, ρ2 } of representatives for three cosets of U in L× in general, which requires careful arguments. The key idea which seems to be overlooked in [3] is to consider subsets Ai and Bi for every 2 index i ∈ {0, 1, 2} and derive a formula to express the sum i=0 |Ai | in terms of Walsh coefficients of a Gold function (see Lemma 5(3)). This together with informations about  the sums x∈L (−1)qi (x) (i ∈ {0, 1, 2}, see below) enables us to establish Theorem 1. Now I give an outline of the arguments. As in [3], we start with expressing 3Wκ(a, u)  as the sum of three sums in the shape x∈L (−1)qi (x) for quadratic forms qi (i ∈ {0, 1, 2}) determined by a and u (Subsection 3.2). We shall introduce a rational function Γi (corresponding to Γλ in [3, p. 374], but with a slight difference) to determine whether the radical Vi of qi contains a nonzero element with certain property (Subsection 3.4). We have a small list of possible values for Wκ (a, u) when a does not lie in the image of ρ−i Γi for every i ∈ {0, 1, 2} (Subsection 3.5). On the contrary, when a lies in the im-

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

13

age of ρ−i Γi for some i ∈ {0, 1, 2}, we determine the dimensions of the radicals Vj for all indices j ∈ {0, 1, 2} (modulo 3) (Subsection 3.7) based on involved calculations described in Subsection 3.6 (the corresponding calculations are just briefly sketched in [3]). This allows us in this case to describe Wκ (a, u) in terms of the Walsh coefficient of s the Gold function g(x) = x2 +1 (see Proposition 1). As a corollary, we conclude that Wκ (a, u) ∈ {0, ±2n/2 , ±2(n/2)+1 } for any a, u ∈ L, u = 0 (see Theorem 4). Up to here, we just refine the arguments in [3] before counting subsets Aλ . Then we introduce an element η and subsets Ai (w) of L (w ∈ {0, ±2n/2 }) in Subsection 3.9. Although Lemma 5 is just a collection of elementary observations, it turns out to be much useful to establish several inequalities. In the remaining two subsections, we give a proof of Theorem 1 according as u ∈ / U or u ∈ U . The arguments are quite similar. We observe that the proof is reduced to show some inequality. To derive the desired inequality, we introduce another subset Bi consisting of elements a such that Wκ (a, u) takes a specified value (−ε2n/2 or 0 according as u ∈ / U or u ∈ U ). To establish  the relation |Bi | = (1/3)|Ai |, we use the informations about the sums x∈L (−1)qi (x) (i ∈ {0, 1, 2}) obtained in Subsection 3.7. This paper is self-contained except few standard results on quadratic forms used in Subsection 2.2 e.g. [3, Appendix A, Proposition A.2]. I tried to give expository accounts as possible, because we need careful calculations. As the arguments depend heavily on the informations about the Walsh coefficients of a Gold function, they are given in Subsection 2.3 with a proof, after a short exposition on the Walsh coefficients. In this note, except Subsection 2.1, n always denotes an even positive integer. 2. Preliminaries 2.1. Walsh coefficients In this note, we use the letter L to denote the finite field of size 2n , which is regarded as a vector space of dimension n over F2 as well as an elementary abelian 2-group of n−1 i order 2n . For the absolute trace function Tr : L → F2 defined by Tr(x) = i=0 x2 (x ∈ L), a map BTr from L × L into F2 given by BTr (x, y) := Tr(xy) (x, y ∈ L) is a symmetric F2 -bilinear form which is non-degenerate in the sense that BTr (x, y) = 0 for all y ∈ L implies x = 0. We call this form BTr the trace form. Every non-degenerate symmetric F2 -bilinear form B on L is equivalent to the trace form, that is, there is a bijective F2 -linear map λ on L, regarded as a vector space of dimension n over F2 , such that B(x, y) = BTr (xλ , y λ ) for all x, y ∈ L. Thus in the subsequent arguments, we can adopt the trace form as a typical non-degenerate symmetric F2 -bilinear form on L. We regard L2 = L × L = {(x, y) | x, y ∈ L} as a vector space of dimension 2n over F2 , as well as an elementary abelian group of order 22n . Recall that every character of the elementary abelian 2-group L2 (that is, a homomorphism from the additive group L2 into the multiplicative group C× ) is described as the following map χa,u for some (a, u) ∈ L × L:

14

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

χa,u ((x, y)) := (−1)Tr(ax+uy) .

(1)

The characters form an orthonormal basis of the unitary space Map(L2 ) of all maps from L2 into C endowed with the unitary form ( , ) given by (f, g) := (1/22n )



f (v)g(v),

(2)

v∈L2

where g(v) denotes the complex conjugate of g(v) ∈ C. In particular, for a subset S of L2 , the (complex) characteristic function δS from L2 into C defined by δS (v) = 1 or 0 ac cording as v ∈ S or not is expressed as δS = (a,u)∈L2 wa,u χa,u , with coefficients wa,u =   (δS , χa,u ) = (1/22n ) (x,y)∈L2 δS (x, y)χa,u (x, y) = (1/22n ) (x,y)∈S (−1)Tr(ax+uy) . The coefficient wa,u multiplied by 22n = |L2 | can be regarded as the value of the character  χa,u at the element [S] := (x,y)∈S (x, y) in the group algebra C[L2 ] corresponding to the subset S. For a function f on L (from L to itself), the graph of f is defined as a subset G(f ) := {(x, f (x)) | x ∈ L} of L × L. The above coefficient of χa,u multiplied by |L2 | appearing in the decomposition of the (complex) characteristic function δG(f ) of G(f ) is called the Walsh coefficient of f at (a, u) ∈ L2 and denoted Wf (a, u): Wf (a, u) =



(−1)Tr(ax+uf (x)) .

(3)

x∈L

 Then the linear combination (1/22n ) (a,u)∈L2 Wf (a, u)χa,u of the characters coincides with the characteristic function of the graph G(f ): δG(f ) = (1/22n )



Wf (a, u)χa,u .

(4)

(a,u)∈L2

 By the definition (equation (3)) and the fact that x∈L (−1)Tr(ax) = |L| or 0 according as a = 0 or not, we obtain the following, where δa,0 = 1 or 0 according as a = 0 or not. Wf (a, 0) = 2n δa,0 .

(5)

We review two fundamental facts. If f is normalized (that is, f (0) = 0), 

Wf (a, u) = 2n

(6)

a∈L

for every u ∈ L. (This is compatible with equation (5).) Equation (6) is obtained by calcu lating (δG(f ) , a∈L χa,u ) in two ways. The left hand side follows from the decomposition of δG(f ) (equation (4)) and the orthonormality of the characters. From the definition of the unitary form (equation (2)), calculations yield the right hand side, using the fact  that a∈L (−1)Tr(ax) = |L|δx,0 (in fact, 2n (−1)Tr(uf (0)) for a general function f ). We

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

15

usually take f (0) = 0, by shifting f with the function f defined by f (x) := f (x) + f (0) (x ∈ L). (Notice that f is EA-equivalent to f .) Another useful equation is the Perseval relation; 

Wf (a, u)2 = 22n ,

(7)

a∈L

 for every u ∈ L. This is verified e.g. by calculating (δG(f ) , a∈L Wf (a, u)χa,u ). From the decomposition of δG(f ) (equation (4)) and the orthonormality of the characters, we obtain (1/22n ) times the left hand side of equation (7). On the other hand, it is  n straightforward to verify that a∈L Wf (a, u)χa,u is the constant function 2 on the graph G(f ). With this remark, the definition of the unitary form (equation (2)) yields  (δG(f ) , a∈L Wf (a, u)χa,u ) = 1. 2.2. Sums for quadratic forms  In this subsection, we consider the sum x∈L (−1)q(x) for some quadratic form q on L = F2n , with n even. Lemma 2 below will be used to determine the Walsh coefficient Wg (0, u) of the Gold function g at (0, u) for u ∈ L× (see Proposition 3) and to derive  general shapes of x∈L (−1)qi (x) for three quadratic forms qi (i = 0, 1, 2) in Section 3. We first review some fundamental facts in the theory of quadratic forms. Let q be a quadratic form on a finite dimensional vector space L over F2 , namely, a map from L into F2 with q(0) = 0 such that the map Bq from L × L into F2 defined by Bq (x, y) := q(x + y) + q(x) + q(y) (x, y ∈ L) is F2 -bilinear. The radical of q is defined to be the subspace V of L consisting of x ∈ L with Bq (x, y) = 0 for all y ∈ L. Then the restriction of Bq to a complementary space W of L to V is a non-degenerate alternating form, so that its dimension is even, say 2R. Furthermore, there is α ∈ F2 and a basis {ei }2R i=1 of 2R R W such that q( i=1 xi ei ) = j=1 x2j−1 x2j + α(x22R−1 + x22R ). The form q is called of plus or minus type, according as α = 0 or α = 1. If q is of plus type, it is immediate to verify that # {x ∈ W | q(x) = 0} = 22R−1 +2R−1 by induction on R. If q is of minus type, we have # {x ∈ W | q(x) = 0} = 22R−1 − 2R−1 , by applying the above formula to the restriction of q to the subspace of W (of dimension 2(R−1) 2(R − 1)) spanned by {ei }i=1 (which is plus type). As the map q restricted on V is linear, the set {x ∈ V | q(x) = 0} forms a subspace of V of codimension at most 1. Thus there exists a basis (ej )nj=1 for L together with a natural number R in [1, n/2] and α, β ∈ F2 such that

q(x) =

R 

x2j−1 x2j + α(x22R−1 + x22R ) + βx22R+1

(8)

j=1

n for every x = i=1 xi ei ∈ L. The radical V is spanned by {ei }ni=2R+1 and Bq restricted to the subspace W spanned by {ei }2R i=1 is non-degenerate. If α = 0, the 2-dimensional

16

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

subspace spanned by e2R−1 and e2R contains no nonzero vector x with q(x) = 0. However, if n ≥ 3, there is a nonzero vector x ∈ L with q(x) = 0 in any possibilities for α, β. We shall state two observations obtained by the above general results. First, in the above description of q, if β = 1 we have # {x ∈ L | q(x) = 1} = |L|/2, because if we denote x ∈ L as x = x2R+1 e2R+1 + y with y lying in the hyperplane of L spanned by {ei }ni=1 except e2R+1 , then q(x) = 1 if and only if either x2R+1 = 0 and q(y) = 1 or x2R+1 = 1 and q(y) = 0.  Next observation is that if β = 0 then x∈L (−1)q(x) = 2# {x ∈ L | q(x) = 0} − 2n = ±2n−R according as α = 0 or 1, because we have # {x ∈ L | q(x) = 0} = # {x ∈ W | q(x) = 0}|V | = 2n−2R (22R−1 ± 2R−1 ), where + or − appears according as α = 0 or 1. Now we shall state a main claim in this subsection. Lemma 2. Let q be a quadratic form on L = F2n with n even. Assume that # {x ∈ L | q(x) = 1} is a multiple of 3. Then the radical V of q has even dimension and we have 

(−1)q(x) = (−1)(n/2)+(dim(V )/2) 2(n/2)+(dim(V )/2) .

x∈L

Proof. We shall use the notation in the above review. By our assumption that # {x ∈ L | q(x) = 1} is a multiple of 3, we have β = 0 in equation (8), for otherwise β = 1 and # {x ∈ L | q(x) = 1} = |L|/2 = 2n−1 by the first observation above. Then the radical V is spanned by {ei }ni=2R+1 . In particular, dim(V ) = n − 2R is even, as n is  even. Furthermore, the second observation above implies that x∈L (−1)q(x) = η2n−R = η2(n/2)+(dim(V )/2) with η = 1 or −1 according as α = 0 or 1. It remains to show that η = (−1)(n/2)+(dim(V )/2) .  qi (x) = # {x ∈ L | qi (x) = 0} − # {x ∈ L | qi (x) = 1} = Notice that x∈L (−1) # |L| − 2 {x ∈ L | qi (x) = 1} is congruent to |L| modulo 3, by the assumption that # {x ∈ L | qi (x) = 1} ≡ 0 (modulo 3). As n is even, |L| = 2n ≡ 1 (modulo 3). Thus it follows from the above equation that η2(n/2)+(dim(V )/2) ≡ 1 (modulo 3). This implies that η ≡ 2(n/2)+(dim(V )/2) ≡ (−1)(n/2)+(dim(V )/2) (modulo 3). As η and (−1)(n/2)+(dim(V )/2) are integers in {±1}, we conclude that η = (−1)(n/2)+(dim(V )/2) as integers. 2.3. Walsh coefficients of the Gold function s

We denote by σ the field automorphism of L = F2n given by xσ = x2 for a fixed positive number s in the period [1, n −1] coprime to n. The power function g = gs defined below is called the Gold function: s

g(x) := x2

+1

= xσ+1 .

(9)

The Gold function g and the Kasami function κ are known to be APN, that is, for every a ∈ L× and b ∈ L, there are at most two solutions x in L for equation f (x +a) +f (x) = b, with both f = g and f = κ.

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

17

In Section 3, we shall frequently use the following informations about the Walsh coefficients of the Gold functions. Although they are well-known, we provide a proof, because the arguments are prototype of the involved calculations in Section 3. To show claim (3) below, we use fundamental facts in the theory of quadratic forms, which will be summarized in Subsection 3.3. Proposition 3. Assume that n is even. The Walsh coefficient Wg (a, u) at (a, u) ∈ L2 for s the Gold function g(x) = x2 +1 , (s, n) = 1, defined on L = F2n is given as follows: (0) If u = 0, Wg (0, 0) = 2n and Wg (a, 0) = 0 for a ∈ L× . s (1) If u = 0 and u ∈ / U := {x2 +1 | x ∈ L× } = {x3 | x ∈ L× }, then Wg (a, u) = ±2n/2 for every a ∈ L. (2) If u ∈ U , Wg (a, u) = 0 or ±2(n+2)/2 . We have Wg (a, u) = 0 (resp. ±2(n+2)/2 ) s exactly when among the three elements z ∈ L× satisfying z 2 +1 = u−1 there exists an element z such that Tr(az) = 1 (resp. we have Tr(az) = 0 for any of the three s elements z ∈ L× with z 2 +1 = u−1 ). (3) We set ε := (−1)n/2 . Then, for u ∈ L× , we have Wg (0, u) = ε2n/2 or −ε2(n/2)+1 according as u ∈ ρU ∪ ρ2 U or u ∈ U . Proof. We may assume that u = 0, in view of equation (5). We first rewrite Wg (a, u)2 by the definition of a Walsh coefficient (see equation (3)): 

Wg (a, u)2 =

(−1)Tr(ax+ug(x)) (−1)Tr(ay+ug(y))

x,y∈L



=

(−1)Tr(a(x+y)+u(g(x)+g(y)))

x,y∈L

=





(−1)Tr(az+ug(z))

z∈L

(−1)Tr(u(x

σ

z+xz σ ))

,

x∈L

where the last expression is obtained by setting z := x + y, because a(x + y) + u(g(x) + g(y)) = az + ug(z) + u(g(z) + g(x) + g(x + z)) = az + ug(z) + u(xσ z + xz σ ). Notice that 2 Tr(u(xσ z + xz σ )) = Tr(Lu (z)xσ ), where Lu (z) := uz + uσ z σ is an F2 -linear map in z.  σ Since x∈L (−1)Tr(Lu (z)x ) is |L| = 2n or 0 according as Lu (z) = 0 or not, we have 

(−1)Tr(az+ug(z))

z∈L

=





(−1)Tr(u(x

x∈L Tr(az+ug(z))

(−1)

z∈L

 x∈L

σ

z+xz σ ))

(−1)Tr(Lu (z)x

σ

)

= 2n



(−1)Tr(az+ug(z)) .

z∈Ker(Lu )

Summarizing, we have Wg (a, u)2 = 2n

 z∈Ker(Lu )

2

(−1)Tr(az+ug(z)) with Lu (z) := uσ z σ + uz.

18

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

Now we use the assumption that n is even. Let K be the subfield of L of size 4. Then K = {0, 1, ω, ω 2 } with ω a cubic root of unity in L. We have (2s + 1, 2n − 1) = 3, because both 2s + 1 and 2n − 1 are divisible by 3 (as s is coprime to n even, s is odd) and (2s + 1, 2n − 1) is a divisor of (22s − 1, 2n − 1) = 2(2s,n) − 1 = 2(2,n) − 1 = 3. In s particular, the endomorphism on the cyclic group L× sending x to xσ+1 = x2 +1 has the kernel K × and the image U := {xσ+1 | x ∈ L× } = {x3 | x ∈ L× }. We denote  Vu := z∈Ker(Lu ) (−1)Tr(az+ug(z)) . As Wg (a, u)2 = 2n Vu is a square integer with n even, Vu is a square integer as well. 2 We shall examine Ker(Lu ) = {z ∈ L | uσ z σ + uz = 0}. As u = 0, z ∈ Ker(Lu ) if 2 2 and only if z σ + u1−σ z = 0. If z = 0, this is equivalent to z σ −1 = u1−σ . Notice that σ − 1 is a bijection on L× , because xσ−1 = 1 for x ∈ L× implies that xσ = x, which is equivalent to x = 1 as σ is a generator of the absolute Galois group Gal(L/F2 ). Thus we have z σ+1 = u−1 . This has a solution z ∈ L× exactly when u lies in U = {xσ+1 | x ∈ L× } = {x3 | x ∈ L× }. If u ∈ U , we have {z ∈ L× | z σ+1 = u−1 } = K × z0 for z0 ∈ L× satisfying z0σ+1 = u−1 . / U . In The conclusion in the above paragraph shows that Ker(Lu ) = {0} if u ∈ this case, Wg (a, u)2 = 2n for every a ∈ L. On the other hand, if u ∈ U , Ker(Lu ) = {0, z0 , ωz0 , ω 2 z0 }, which is a 1-dimensional subspace of L over K ∼ = F4 , for a nonzero σ+1 −1 i i element z0 ∈ L with z0 = u . In this case, as g(ω z0 ) = (ω z0 )σ+1 = z0σ+1 = u−1  i i σ+1 for all i ∈ {0, 1, 2}, we have Vu = (−1)0 + i∈{0,1,2} (−1)Tr(aω z0 +u(ω z0 ) ) = 1 +  2 Tr(aω i z0 +u·u−1 ) = 1 + (−1)Tr(az0 ) + (−1)Tr(aωz0 ) + (−1)Tr(aω z0 ) . (Notice i∈{0,1,2} (−1) that Tr(1) = 0, as n is even.) If a = 0, then Vu = 4 and Wg (a, u)2 = 2n Vu = 2n+2 . If a = 0, a⊥ := {x ∈ L | Tr(ax) = 0} is a hyperplane of L, whence either Ker(Lu ) ⊆ a⊥ or Ker(Lu )∩a⊥ is a 1-dimensional subspace of L over F2 . In the former case, Vu = 4 from the expression of Vu above, whence Wg (a, u)2 = 2n+2 . In the latter case, Vu = 1 +1 −1 −1 = 0 and Wg (a, u)2 = 0.  (3) We have Wg (0, u) = x∈L (−1)q(x) , where q(x) := Tr(ug(x)) = Tr(uxσ+1 ) is a quadratic form on L. As n is even, there is a primitive cubic root of unity, say ω, in L× . Observe that q(ωx) = q(x), as (s, n) = 1 with n even implies that s is odd and hence s ω σ+1 = ω 2 +1 = 1. Thus {x ∈ L | q(x) = 1} is a union of some orbits under the multiplication by ω, and hence # {x ∈ L | q(x) = 1} ≡ 0 (modulo 3). Thus it follows from Lemma 2 that Wg (0, u) = ε(−1)dim(V )/2 2(n/2)+(dim(V )/2) , where V denotes the radical of the quadratic form q. 2 The associated bilinear form of q is Bq (x, y) = Tr(u(xσ y + xy σ ) = Tr((uσ xσ + ux)y). Then the radical V = {x ∈ L | Bq (x, y) = 0 (∀y ∈ L)} consists of x ∈ L satisfying 2 u1−σ = xσ −1 , or equivalently x1+σ = u−1 , as the map σ − 1 is bijective on L× . Thus we conclude that V = {0} if u ∈ / U , and that V is a 1-dimensional subspace over K = F4 σ+1 × spanned by x0 ∈ L with x0 = u−1 if u ∈ U . Now the claim follows from the above equation. 2

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

19

Comment. For u ∈ U , let Nu be the number of a ∈ L with Wg (a, u) = 0. By Per seval’s relation (equation (7)) and Proposition 3(2), we have 22n = a∈L Wg (a, u)2 = Nu 2n+2 , whence Nu = 2n−2 . Thus by Proposition 3(2) #{a ∈ L | Tr(az) = 0 for all s s z ∈ L× with z 2 +1 = u−1 } = 2n−2 . We set S(u) := {z ∈ L× | z 2 +1 = u−1 }. The above result implies that S(u)⊥ := {a ∈ L | Tr(az) = 0 for all z ∈ S(u)} is a subspace of L of dimension n − 2. This fact can be also explained from the non-degeneracy of the trace form and the fact that S(u) is a 1-dimensional subspace over K, whence dimension 2 over F2 , which was observed in the proof of Proposition 3. 3. Walsh coefficients of the Kasami function 3.1. Setting Throughout this section, we assume that n is even. The symbol κ = κs for an integer s in the period [2, n − 1] coprime to n denotes the Kasami function on L = F2n define s by κ(x) = xd , d := 22s − 2s + 1 (x ∈ L). We denote by σ the map x → x2 , which is a 2 generator of the absolute Galois group Gal(L/F2 ), as (n, s) = 1. We have κ(x) = xσ −σ+1 for x ∈ L× . We shall denote by K the subfield of L isomorphic to F4 , and denote by ω a cubic root of unity: K = {0, 1, ω, ω 2 }. As 2n − 1 ≡ 22s − 2s + 1 ≡ 0 (modulo 3) for n even and s odd, the greatest common divisor (2n − 1, d) is a multiple of 3. On the other hand, (2n − 1, d) divides (2n − 1, d(2s + 1)(23s − 1)) = (2n − 1, 26s − 1) = 2(n,6s) − 1 = 22(n,3) − 1, which is either 3 or 63 = 32 · 7, according as (n, 3) = 1 or (n, 3) = 3. Notice that d is coprime to 23 − 1 = 7, because d(2s + 1) = 23s + 1 = (23 )s + 1 ≡ 1s + 1 = 2 (modulo 23 − 1 = 7). Furthermore, notice that d = 22s − 2s + 1 = t2 − t + 1 (t = 2s ) is divisible by 3 but not divisible by 9. This fact is verified as follows: as s is odd, t = 2s ≡ −1 (modulo 3) and hence t ≡ −1, −1 + 3 = 2 or −1 + 6 = 5 (modulo 9), accordingly we have d = t2 − t + 1 ≡ 1 + 1 + 1 = 3, 22 − 2 + 1 = 3 or 52 − 5 + 1 = 21 ≡ 3 (modulo 9). Summarizing the above informations, we conclude that (2n − 1, d) is a divisor of 3, whence (2n − 1, d) = 3 for n even and d = 22s − 2s + 1, (n, s) = 1, 2 ≤ s ≤ n − 1. In particular, {κ(x) = xd | x ∈ L× } is a subgroup of the cyclic group L× of order (2n − 1)/(3, 2n − 1) = (2n − 1)/3, whence it coincides with {x3 | x ∈ L× }, the group of nonzero cubes in L. We also have (2n − 1, 2s + 1) = 3, because (2n − 1, 2s + 1) divides (2n − 1, 22s − 1) = 2(n,2s) − 1 = 22 − 1 = 3. Thus the above group also coincides with {xσ+1 | x ∈ L× }. We keep record these facts: U : = {x3 | x ∈ L× } = {xd | x ∈ L× } = {xσ+1 | x ∈ L× }.

(10)

Let ζ be a generator of L× . As U is a subgroup of index 3 in L× , we have a coset decomposition L× = U ∪ (ζ p U ) ∪ (ζ 2p U ) for every integer p coprime to 3. In the sequel,

20

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

we fix a natural number p coprime to 3 and denote ρ := ζ p . Then we have L× = ∪2i=0 ρi U . When (n, 3) = 1, we may take p = (2n − 1)/3. In this case, ρ = ω is a cubic root of unity ling in the subfield K ∼ = F4 . This case is investigated in Section 7 of [3]. 3.2. Reduction to three sums for quadratic forms  Tr(ax+uxd ) We shall calculate the Walsh coefficient Wκ (a, u) = for x∈L (−1) (a, u) ∈ L2 . As Wκ (a, 0) = 0 or 2n according as a = 0 or a = 0 (see Section 2), we may assume that u = 0. In the following we shall do so. We decompose L into {0}, U , 2  i i d ρU and ρ2 U . Then Wκ (a, u) = 1 + i=0 y∈U (−1)Tr(aρ y+u(ρ y) ) . Recall that the map x → xσ+1 is a surjective homomorphism from L× to U with kernel K × . Thus for each i ∈   i σ+1 di (σ+1)d i di d ) {0, 1, 2}, x∈L× (−1)Tr(aρ x +uρ x = 3 y∈U (−1)Tr(aρ y+uρ y ) . As (xσ+1 )d = 2  3 i σ+1 di σ 3 +1 ) xσ +1 , by the above equations 3Wκ (a, u) = 3 + i=0 x∈L× (−1)Tr(aρ x +uρ x = 2  i σ+1 di σ 3 +1 Tr(aρ x +uρ x ) . x∈L (−1) i=0 We set for each i ∈ {0, 1, 2}, qi (x) := Tr(aρi xσ+1 + uρdi xσ

3

+1

).

(11)

3

This is a quadratic form on L, as xσ+1 and xσ +1 are quadratic functions. When we need to remind that this quadratic form depends on (a, u) (and p), we denote qia,u instead of qi . Then the above relation are expressed as:

3Wκ (a, u) =

2   a,u ( (−1)qi (x) ).

(12)

i=0 x∈L

Thus we are reduced to calculate the values qia,u (i = 0, 1, 2).



qia,u (x) x∈L (−1)

for three quadratic forms

3.3. Sum for a quadratic form In the sequel, we use the symbol ε to denote (−1)n/2 : ε := (−1)n/2 .

(13)

We fix an index i ∈ {0, 1, 2}. For short, we set ai := aρi , ui := uρdi , so that qi (x) = Tr(ai xσ+1 + ui xσ

3

+1

We also denote by Vi the radical of qia,u : Vi := {x ∈ L | qi (x + y) + qi (x) + qi (y) = 0 (∀y ∈ L)}.

).

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

21

We first claim that # {x ∈ L | qi (x) = 1} is a multiple of 3. Indeed, the multiplication by a cubic root of unity ω is a fixed point free action on L× , which preserves the value 3 of the quadratic form qi , because qi (ωx) = Tr(ai (ωx)σ+1 + ui (ωx)σ +1 ) = Tr(ai xσ+1 + 3 ui xσ +1 ) = qi (x) as σ + 1 is a multiple of 3. Then it follows from Lemma 2 that 

(−1)qi (x) = ε(−1)dim(Vi )/2 2n/2 2dim(Vi )/2 .

(14)

x∈L

 Thus x∈L (−1)qi (x) is either ε2n/2 2dim(Vi )/2 or −ε2n/2 2dim(Vi )/2 , according as dim(Vi )/2 is even or odd. 3.4. Radical of a quadratic form We shall examine the radical Vi . We denote Bi (x, y) := qi (x + y) + qi (x) + qi (y). Then 3 3 3 Bi (x, y) = Tr(ai (xσ y + xy σ ) + ui (xσ y + xy σ )) = Tr(Li (y)xσ ), where Li (y) is a linear function in y defined by 2

3

3

Li (y) := (ai y)σ + (ai y σ )σ + (ui y) + (ui y σ )σ 3

6

3

4

2

3

2

= uσi y σ + aσi y σ + aσi y σ + ui y. 2

4

(15)

6

As Li (y) is a linear combination of y, y σ , y σ and y σ , the kernel Vi is a vector space over F4 and dimF4 (Vi ) ≤ 4. (The former claim gives another proof that dimF2 (Vi ) is even. The latter remark is not used in the sequel, but this follows from the fact that σ is a generator of Gal(L/F2 ). See e.g. [1, Corollary 1].) We deduce further information by applying a trick due to Dillon and Dobbertine. Notice that 3

3

6

+σ 3

+ ui y σ

3

4

+σ 3

+ (ui y σ

y σ Li (y) = uσi y σ = aσi y σ

2

+ aσi y σ

3



2

3

+1 3

3

+ aσi y σ

+1 σ 3

+ (ui y σ

)

3

4

+σ 3

+ (ui y σ

+1 σ

)

2

3

2

+ aσi y σ +1 σ 2

+ (ui y σ

)

3

3

+σ 2

+ (ui y σ

+1 σ

3

+1 σ

) + (ui y σ

)

3

+1

)

σ

= Pi (y) + Pi (y), where 2

Pi (y) := aσi y σ

3

+σ 2

+ (ui y σ

3

+1 σ 2

)

+ (ui y σ

3

+1 σ

) + (ui y σ

3

+1

).

(16)

3

We have y ∈ Vi iff Bi (x, y) = Tr(Li (y)xσ ) = 0 for all x ∈ L iff Li (y) = 0. If y = 0, this 3 condition is equivalent to 0 = y σ Li (y) = Pi (y)σ + Pi (y). The last condition is equivalent to the requirement that Pi (y) ∈ F2 , as σ is a generator of Gal(L/F2 ). Hence we have Vi = {y ∈ L | Pi (y) ∈ F2 }.

(17)

22

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

In particular, the function Pi (see equation (16)) is a quadratic form on Vi . It follows from a general theory of quadratic form (see the last remark in the third paragraphs in Subsection 3.3) that if dimF2 (Vi ) ≥ 3 then there is a nonzero element y ∈ Vi with Pi (y) = 0. In view of Equation (16), y is a nonzero element with Pi (y) = 0 if and only if   3 3 −1 3 −2 ai = ui y σ +1 + (ui y σ +1 )σ + (ui y σ +1 )σ /y σ+1 . We give a name to the function appeared above. For each i ∈ {0, 1, 2}, define a rational function Γi (determined by ui = uρdi ) from L× to L by Γi (θ) :=

ui θ σ

3

+1

+ (ui θσ

3

+1 σ −1

)

θσ+1

+ (ui θσ

3

+1 σ −2

)

.

(18)

With this notation, the conclusion in the above paragraph can be expressed as follows: the radical Vi contains a nonzero element y with Pi (y) = 0 if and only if ai lies in the image Γi (L× ). 3.5. Case when dim(Vi )/2 ≤ 1 for all i We first consider the case when dim(Vi )/2 ≤ 1 for all i ∈ {0, 1, 2}. It follows from the  conclusion of Subsection 3.3 that x∈L (−1)qi (x) is either ε2n/2 or −ε2n/2 2, according as 2  dim(Vi )/2 = 0 or 1. Then the value Wκ (a, u) = (1/3) i=0 x∈L (−1)qi (x) (see equation (12)) is one of the following, according as the multiset {dim(Vi )/2 | i = 0, 1, 2}. {dim(Vi )/2 | i = 0, 1, 2}

Wκ (a, u)

{0, 0, 0} {0, 0, 1} {0, 1, 1} {1, 1, 1}

(1/3)2n/2 (ε + ε + ε) = ε2n/2 (1/3)2n/2 (ε + ε − 2ε) = 0 (1/3)2n/2 (ε − 2ε − 2ε) = −ε2n/2 (1/3)2n/2 (−2ε − 2ε − 2ε) = −ε2(n/2)+1

3.6. Another expression of qj (x) Notice that the assumption in Subsection 3.5 is satisfied, if there is no nonzero element y with Pi (y) = 0 for every i ∈ {0, 1, 2}. Hence in Subsections 3.6, 3.7, and 3.8, we shall assume that there is a nonzero element y ∈ L with Pi (y) = 0 for some i ∈ {0, 1, 2}. In these subsections, we fix an index i and a nonzero element θ of L such that Pi (θ) = 0. Then it follows from the conclusion of Subsection 3.4 that ai = Γi (θ) (see equation (18)). We shall find another expression of qj (x) for every j ∈ {0, 1, 2}, in terms of θ, ui and ρj−i . As aj = aρj = (aρi )ρj−i = ai ρj−i and uj = uρdj = (uρdi )ρd(j−i) = ui ρd(j−i) , we have

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

qj (x) = Tr(aj xσ+1 + uj xσ

3

+1

) = Tr(ai ρj−i xσ+1 + ui ρd(j−i) xσ

2

= Tr((ai ρj−i xσ+1 )σ + ui ρd(j−i) xσ

3

+1

3

23

+1

)

).

From equation (18) and the relation ai = Γi (θ), we have  j−i σ+1 σ 2

(ai ρ

x

)

=

3

4

2

ui θ1+σ + uσi θσ+σ + uσi θσ θσ2 +σ3 3

4

2

= (ui θ1+σ + uσi θσ+σ + uσi θσ

2

2

+σ 5

+σ 5



)(

(ρj−i xσ+1 )σ

2

ρj−i xσ+1 σ2 ) . θσ+1

We set y := ρj−i ( xθ )σ+1 . Then 2

3

4

2

Tr((ai ρj−i xσ+1 )σ ) = Tr((ui θ1+σ + uσi θσ+σ + uσi θσ 3

2

3

2

4

2

+σ 5

2

)y σ )

2

2

= Tr((ui θ1+σ )y σ + (uσi θσ+σ )y σ + (uσi θσ 3

2

+σ 5

2

)y σ )

3

= Tr((ui θ1+σ )y σ + (ui θ1+σ )y σ + (ui θ1+σ )y) 3

2

= Tr((ui θ1+σ )(y + y σ + y σ )). As ui ρd(j−i) xσ

3

+1

3

= ui (ρj−i xσ+1 )d = ui (θσ+1 y)d = ui θ1+σ y d , we conclude that 3

2

qj (x) = Tr(ui θ1+σ (y + y σ + y σ + y d )). Now notice that  ρj−i

2

x xσ + (ρj−i )σ−1 σ2 θ θ



3

σ xσ j−i σ 2 −σ x + (ρ ) θσ θσ3



3

= ρj−i

2

2

3

σ +σ 2 2 x x1+σ x1+σ xσ+σ + (ρj−i )σ −σ+1 1+σ3 + (ρj−i )σ σ+σ2 + (ρj−i )σ σ2 +σ3 1+σ θ θ θ θ 2

= y + yd + yσ + yσ . 2

Hence we have y + y σ + y σ + y d = ρj−i 



j−i 1+σ 3

qj (x) = Tr ui ρ

θ

x θ

+ (ρj−i )σ−1 ( xθ )σ

x θ

j−i σ−1

+ (ρ

)

2

1+σ , and

x σ2 1+σ . ( ) θ

(19)

3.7. Some results on sums for three quadratic forms 2

The map λj sending x ∈ L to t := (x/θ) + (ρj−i )σ−1 (x/θ)σ ∈ L is a linear map. If x 2 is a nonzero element contained in the kernel of λj , then 1 = (ρj−i )σ−1 (x/θ)σ −1 , whence ρi−j = (x/θ)σ+1 , as x → xσ−1 is a bijection on L× . However, as (x/θ)σ+1 ∈ U , this

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

24

occurs exactly when j = i. Hence, if j = i, the map λj is a linear bijection. In particular, from equation (19), for j = i we have 

(−1)qj (x) =

x∈L

 j−i 1+σ 3 1+σ t ) (−1)Tr(uj ρ θ .

(20)

t∈L

As t → t1+σ is a surjective homomorphism from L× to U with kernel K × = {1, ω, ω 2 } of size 3, we have 

(−1)qj (x) =

x∈L

 j−i 1+σ 3 1+σ t ) (−1)Tr(uj ρ θ t∈L

=1+3



j−i 1+σ 3

(−1)Tr(uj ρ

θ

z)

w)

=1+3

z∈U

=1+3



j−i

(−1)Tr(uρ





(−1)Tr(w ) ,

w ∈uρj−i U

w∈U

where we set w := ρdj θ1+σ z ∈ U and w := uρj−i w. Notice that z → w is a bijection on 3 U and uj ρj−i θ1+σ z = uρj−i w. Adding these equations for j = i + 1 and j = i − 1 (read modulo 3), we have 3



(−1)qi+1 (x) +

x∈L

= 2 + 3{



(−1)qi−1 (x)

x∈L

 

(−1)Tr(w) }

w∈uρ2 U

w∈uρU

= 2 + 3{



(−1)Tr(w) + (−1)Tr(w) −

w∈L×



w∈uU

using the facts that uU ∪ uρU ∪ uρ2 U = L× and 

(−1)qi+1 (x) +

x∈L

 x∈L



(−1)Tr(w) } = 2 + 3{−1 −

(−1)Tr(w) },

w∈uU



Tr(w) w∈L (−1)

(−1)qi−1 (x) = −1 − 3



= 0. Hence

(−1)Tr(w) .

(21)

w∈uU

Next notice that the right hand side of equation (20) is the Walsh coefficient of the 3 Gold function g(t) = t1+σ at (0, uj ρj−i θ1+σ ):  x∈L 3

(−1)qj (x) =

 j−i 1+σ 3 1+σ 3 t ) (−1)Tr(uj ρ θ = Wg (0, uj ρj−i θ1+σ ).

(22)

t∈L 3

As uj ρj−i θ1+σ = uρj−i (ρdj θ1+σ ) lies in the coset uρj−i U , it follows from Proposition 3  that for j = i, x∈L (−1)qj (x) = ±2n/2 (resp. ±2(n/2)+1 ), if uρj−i ∈ ρU ∪ ρ2 U (resp. uρj−i ∈ U ).

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

25

 From the conclusion of Subsection 3.3, if x∈L (−1)qj (x) is ±2n/2 , then Vj = {0} and   (−1)qj (x) = ε2n/2 , while if x∈L (−1)qj (x) is ±2(n/2)+1 , then dim(Vj )/2 = 1 and x∈L qj (x) = −ε2(n/2)+1 . x∈L (−1) We also note that if j ≡ i + 1 (modulo 3) (resp. j ≡ i − 1 (modulo 3)) then uρj−i ∈ ρU ∪ ρ2 U if and only if u ∈ U ∪ ρU (resp. u ∈ U ∪ ρ2 U ). Summarizing these remarks and the above conclusion, we obtain the following results. (0) If u ∈ U , then (



(−1)qi+1 (x) , dim(Vi+1 )/2) = (ε2n/2 , 0) = (

x∈L



(−1)qi−1 (x) , dim(Vi−1 )/2).

x∈L

In particular, i is the unique index with dim(Vi ) = 0. (1) If u ∈ ρU , then (



(−1)qi+1 (x) , dim(Vi+1 )/2) = (ε2n/2 , 0) and

x∈L

(



(−1)qi−1 (x) , dim(Vi−1 )/2) = (−ε2(n/2)+1 , 1).

x∈L

In particular, i +1 (read modulo 3) is the unique index j ∈ {0, 1, 2} with dim(Vj ) = 0. (2) If u ∈ ρ2 U , then (



(−1)qi+1 (x) , dim(Vi+1 )/2) = (−ε2(n/2)+1 , 1) and

x∈L

(



(−1)qi−1 (x) , dim(Vi−1 )/2) = (ε2(n/2) , 0).

x∈L

In particular, i −1 (read modulo 3) is the unique index j ∈ {0, 1, 2} with dim(Vj ) = 0. The uniqueness claim in the above conclusion implies that i is a unique index in {0, 1, 2} such that ai = aρi ∈ Γi (L× ), or equivalently Vi contains a nonzero element θ with Pi (θ) = 0. Thus if u ∈ ρU then Vi−1 = {0, y, ωy, ω 2 y} with Pi−1 (y) = 1. (Remark that Pj (y) = Pj (ωy) in view of equation (16), as ω σ+1 = ω 3 = 1.) If u ∈ ρ2 U then Vi+1 = {0, y  , ωy  , ω 2 y  } with Pi+1 (y  ) = 1. 3.8. Walsh coefficients 3

2

When j = i, equation (19) reads qi (x) = Tr(ui θ1+σ { xθ + ( xθ )σ }1+σ ). Consider the 2 map λi from L to itself sending x to t = xθ + ( xθ )σ . Observe that λi is a linear map with the image L0 := {t ∈ L | TrL/K (t) = 0}, where TrL/K denotes the trace map for L/K; (n/2)−1 4i (n/2)−1 σ2 namely, TrL/K (x) = i=0 x , which is equal to i=0 x , as σ is a generator of

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

26

Gal(L/F2 ) and so σ 2 is a generator for Gal(L/K). The kernel of λi is {θy | y ∈ K} = θK. As λi is a 4 to 1 map onto L0 , we have   1+σ 3 1+σ t ) (−1)qi (x) = 4 (−1)Tr(ui θ . (23) x∈L

t∈L0

We shall show the following equality:   1+σ 3 1+σ 1+σ 3 1+σ t ) t +αt) 4 (−1)Tr(ui θ = (−1)Tr(ui θ . t∈L0

(24)

α∈K t∈L

Observe first that L0 = K ⊥ := {x ∈ L | Tr(αx) = 0 (∀α ∈ K)}. As Tr(αt) = TrK/F2 (αTrL/K (t)) for α ∈ K, t ∈ L, we have L0 ⊆ K ⊥ . By the non-degeneracy of the absolute trace, we have dimF2 (K ⊥ ) = n − 2, which coincides with dimF2 (L0 ). Thus we have L0 = K ⊥ . Returning to equation (24), its right hand side can be written    1+σ 3 1+σ t ) as t∈L ( α∈K (−1)Tr(αt) )(−1)Tr(ui θ , where the inner sum α∈K (−1)Tr(αt) is equal to 4 or 0, according as t ∈ K ⊥ = L0 or not. Thus the right hand side of equation (24) coincides with the left hand side of equation (24), as desired. It follows from equations (23) and (24) that we have 

(−1)qi (x) = 4

x∈L



(−1)Tr(ui θ

1+σ 3 1+σ

t

)

t∈L0

=

 

(−1)Tr(ui θ

1+σ 3 1+σ

t

+αt)

α∈K × t∈L

=

 

+



(−1)Tr(ui θ

t∈L

(−1)Tr(ui θ

1+σ 3 1+σ

t

+αt)

+1+3

α∈K × t∈L



1+σ 3 1+σ

t

)

(−1)Tr(w) ,

w∈uU

because the map sending t ∈ L× to w = ui θ1+σ t1+σ is a 3 to 1 surjective map onto uU . 3 3 Putting v := αt for each α ∈ K × , we have Tr(ui θ1+σ t1+σ + αt) = Tr(ui θ1+σ v 1+σ + v),   1+σ 3 1+σ 1+σ 3 1+σ t +αt) v +v) as ω 1+σ = ω 3 = 1. Thus t∈L (−1)Tr(ui θ = v∈L (−1)Tr(ui θ for × all α ∈ K . Notice that the right hand side of the above equation does not depend on α ∈ K × . Summarizing, from the above equations, we obtain    1+σ 3 1+σ v +v) (−1)qi (x) = 3 (−1)Tr(ui θ +1+3 (−1)Tr(w) . (25) 3

x∈L

v∈L

w∈uU

From equations (12), (21) and (25), we finally obtain    3Wκ (a, u) = (−1)qi (x) + (−1)qi+1 (x) + (−1)qi−1 (x) x∈L

=3



x∈L

(−1)Tr(ui θ

1+σ 3

x∈L v 1+σ +v)

+1+3

v∈L

=3



(−1)Tr(ui θ

v∈L



w∈uU 1+σ 3

v 1+σ +v)

.

(−1)Tr(w) − 1 − 3

 w∈uU

(−1)Tr(w)

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

27

3   Tr(ui θ 1+σ v 1+σ +v) Tr(ui w1+σ +θ −d w) Hence Wκ (a, u) = = , putting v∈L (−1) w∈L (−1) 3 d 1+σ 1+σ 1+σ w := θ v. (Notice that ui θ v = ui w .) The last expression is equal to the Walsh coefficient of the Gold function g(w) = w1+σ at (θ−d , ui ). Thus we proved the following:

Proposition 1. Assume that there is an index i ∈ {0, 1, 2} such that the radical Vi of 3 the quadratic form qi (x) = Tr(ai xσ+1 + ui xσ +1 ) with ai = aρi , ui = uρdi contains a nonzero element θ with Pi (θ) = 0. Then we have Wκ (a, u) = Wg (θ−d , ui ) for the Gold function g(w) = w1+σ . As a corollary, we established the following fact, because we already saw that Wκ(a, u) belongs to {0, ±2(n/2) , ±2(n/2)+1 } in Subsection 3.5, when Vi contains no nonzero element y of L with Pi (y) = 0 for every i ∈ {0, 1, 2}. Theorem 4. Let n be even. Then the Walsh coefficient Wκ (a, u) of the Kasami function κ(x) = xd , d = 22s − 2s + 1, (s, n) = 1, defined on L = F2n at (a, u) ∈ L2 with u = 0 belongs to {0, ±2(n/2) , ±2(n/2)+1 }. 3.9. Preliminaries for showing plateaudness In the remaining part of this paper, we shall establish Theorem 1 described in Introduction. For this purpose, we take an element η ∈ L× with η σ+1 = ρd . As ρd is contained in U and U = {xσ+1 | x ∈ L× } (see Subsection 3.1) such an element η exists. We fix such an element η. We shall start with elementary observations. Recall that g denotes the Gold function s g(x) = xσ+1 on L = F2n , where xσ = x2 , (s, n) = 1, and that ε = (−1)n/2 . Lemma 5. (1) We have η ∈ / U . In particular, {1, η, η −1 } is a complete set of representatives for the three cosets of U in L× . (2) Wg (θ−d η −i , u) = Wg (θ−d , uρdi ) for every index i ∈ {0, 1, 2} and every θ, u ∈ L× . (3) For an index i ∈ {0, 1, 2} and an element w ∈ {0, ±2n/2 }, we set Ai (w) := {θ ∈ L× | Wg (θ−d η −i , u) = w}. 2 # Then |Ai (w)| = 3# {y ∈ η −i U | Wg (y, u) = w} and i=0 |Ai (w)| = 3 {y ∈ L | n/2 2 and u ∈ ρU ∪ ρ U . Wg (y, u) = w} except for the case w = ε2

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

28

Proof. (1) We first show that η ∈ / U . To see this fact, let t be the 3 -part of |L× | = 2n −1, that is, the largest divisor of |L× | coprime to 3. Then ρt is a generator of the Sylow 3-subgroup of L× , whence ρtd = η t(σ+1) is a generator of the Sylow 3-subgroup U3 of U = {xd | x ∈ L× }. Suppose η ∈ U . Then η t(σ+1) = ρdt would be contained in the subgroup of U3 of index 3, as 3 divides 2s + 1. This contradiction shows that η ∈ / U. Then η belongs to ρv U for some v ∈ {±1} (note that ρ2 U = ρ−1 U , as ρ3 ∈ U ). Then U , ηU = ρv U and η −1 U = ρ−v U are mutually distinct cosets of U in L× . (2) Setting y = η −i x, we have xσ+1 = η i(σ+1) y σ+1 = ρdi y σ+1 , whence Wg (θ−d η −i , u) =



(−1)Tr(θ

−d −i

η

x∈L

x+uxσ+1 )

=



(−1)Tr(θ

−d

y+uρdi y σ+1 )

y∈L

= Wg (θ−d , uρdi ). (3) Fix an index i ∈ {0, 1, 2}. Recall that the map sending x ∈ L× to xd is a 3 to 1 surjection onto U . Thus for every element y in the coset η −i U , there are exactly three elements θ ∈ L× with y = θ−d η −i . Then it follows from the definition of Ai (w) (w ∈ {0, ±2n/2 }) that |Ai (w)| = 3# {y ∈ η −i U | Wg (y, u) = w}. By claim (1), L× is a disjoint union of three cosets η −i U for i = 0, 1, 2. Then we have {y ∈ L× | Wg (y, u) = w} = 2 ∪2i=0 {y ∈ η −i U | Wg (y, u)}, and therefore, for every w ∈ {0, ±2n/2 }, i=0 |Ai (w)| is equal to 3

2 

#

{y ∈ η −i U | Wg (y, u) = w} = 3# {y ∈ L× | Wg (y, u) = w}.

i=0

2 In view of Proposition 3(3), the above conclusions imply that i=0 |Ai (w)| = 3# {y ∈ 2 L | Wg (y, u) = w} for all w ∈ {0, ±2n/2 } if u ∈ U , and i=0 |Ai (w)| = 3# {y ∈ L | Wg (y, u) = w} for all w ∈ {0, ±2n/2 } \ {ε2n/2 } if u ∈ ρU ∪ ρ2 U . 2 3.10. The case when u does not lie in U In this section, we shall establish Theorem 1(i): that is, if u ∈ ρU ∪ ρ2 U , then we have Wκ (a, u) = ±2n/2 for every element a ∈ L. The claim is certainly true if there is some index i ∈ {0, 1, 2} such that the radical 3 Vi of the quadratic form qia,u (x) = Tr(ai xσ+1 + ui xσ +1 ) with ai := aρi and ui := uρdi contains a nonzero element θ in L with Pi (θ) = 0, because in this case we have Wκ (a, u) = Wg (θ−d , ui ) for the Gold function g(x) = xσ+1 by Proposition 1, which is ±2n/2 by Proposition 3(1) applied to ui ∈ ρU ∪ ρ2 U . On the other hand, if there is no index i in {0, 1, 2} such that Vi contains θ = 0 with Pi (θ) = 0, then one can apply Subsection 3.5 to conclude that Wκ (a, u) ∈ {0, ±ε2n/2 , −2ε2n/2 }. Hence it remains to eliminate the possibility that Wκ (a, u) = 0 or −2ε2n/2 . This task is reduced to show a certain inequality (Lemma 6(5)). To explain this, for δ ∈ {0, ε, −ε, −2ε} define Nδ := {a ∈ L | Wκ (a, u) = δ2n/2 }. As we saw in the above

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

29

 paragraph, we have Nε + N−ε + N0 + N−2ε = |L| = 2n . As a∈L Wκ (a, u) = 2n by a fundamental equation (6), we have (ε2n/2 )Nε + (−ε2n/2 )N−ε + 0 · N0 + (−2ε2n/2 )N−2ε = |L| = 2n , or equivalently Nε − N−ε − 2N−2ε = ε2n/2 . By Perseval’s equality (equation (7)), we have (ε2n/2 )2 Nε +(−ε2n/2 )2 N−ε +0 ·N0 +(−2ε2n/2 )2 N−2ε = 22n , or equivalently Nε + N−ε + 4N−2ε = 2n . From the last two equations, we have N−ε + 3N−2ε = 12 (2n − ε2n/2 ). Thus if we show the inequality N−ε ≥ 12 (2n − ε2n/2 ), then the last equation implies that N−ε = 12 (2n − ε2n/2 ) and N−2ε = 0, as N−2ε is a nonnegative integer, which in turn implies that N0 = 0 by the above equations. Hence, once we established the above inequality, then we show that Wκ (a, u) = ±ε2n/2 for every a, u ∈ L with u ∈ ρU ∪ ρ2 U . We now consider the following subsets of L× for every i ∈ {0, 1, 2}: Ai := {θ ∈ L× | Wg (θ−d η −i , u) = −ε2n/2 }, Bi := {ρ−i Γi (θ) | θ ∈ Ai }. With notation in Lemma 5(3), we have Ai = Ai (w) for w = −ε2n/2 . As w = ε2n/2 , we can apply the last claim in Lemma 5(3) to conclude that 2 

|Ai | = 3# {y ∈ L | Wg (y, u) = −ε2n/2 }.

i=0

We shall show the following claims in turn. The last inequality completes the proof of Theorem 1(i), as we saw above. Lemma 6. (1) (2) (3) (4) (5)

|Bi | = (1/3)|Ai | for every index i ∈ {0, 1, 2}. Bi ∩ Bj = ∅ for every distinct i, j ∈ {0, 1, 2}. | ∪2i=0 Bi | = # {y ∈ L | Wg (y, u) = −ε2n/2 }. ∪2i=0 Bi ⊆ {a ∈ L | Wκ (a, u) = −ε2n/2 }. N−ε ≥ 12 (2n − ε2n/2 ).

Proof. (1) Fix i ∈ {0, 1, 2}. It suffices to verify that a := ρ−i Γi (θ) = ρ−i Γi (φ) for θ, φ ∈ Ai if and only if φ ∈ θK × (recall that K denotes the subfield F4 of L). Clearly, if θ ∈ Ai then ωθ ∈ Ai as ω d = 1, and then ρ−i Γi (θ) = ρ−i Γi (ωθ) in view of definition of Γi (see equation (18)). Conversely, assume that a = ρ−i Γi (θ) = ρ−i Γi (φ), which is equivalent to the condition that ai := aρi = Γi (θ) = Γi (φ). As we saw in Subsection 3.4, this 3 implies that the radical Vi of the quadratic form qia,u (x) := Tr(ai xσ+1 + ui xσ +1 ) with ui := uρdi contains θ and φ and that Pi (θ) = Pi (φ) = 0. Then it follows from Proposition 1 that Wκ (a, u) = Wg (θ−d , ui ) = Wg (φ−d , ui ) for the Gold function g(x) = xσ+1 . By Lemma 5(2), we have Wg (θ−d , ui ) = Wg (θ−d η −i , u) and Wg (φ−d , ui ) = Wg (φ−d η −i , u), both of which are equal to −ε2n/2 , as θ, φ ∈ Ai . Thus we have Wκ (a, u) = −ε2n/2 . Now recall that (with fixed a and u) the index i is the unique index j in {0, 1, 2} 3 such that the radical Vj of the quadratic form qja,u (x) := Tr(aj xσ+1 + uj xσ +1 ) for

30

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

aj = aρj and uj = uρdj contains a nonzero element y with Pj (y) = 0. (See the remarks in Subsection 3.7.) We have 3Wκ (a, u) =



(−1)qi (x) +

x∈L



(−1)qi−1 (x) +

x∈L



(−1)qi+1 (x) ,

x∈L

  qi+1 (x) by equation (12), where the sum + x∈L (−1)qi−1 (x) is equal to x∈L (−1) −ε2(n/2)+1 +ε2n/2 = −ε2n/2 by conclusion (1), (2) of Subsection 3.7, because ui = uρdi ∈ ρU ∪ ρ2 U . On the other hand, the left hand side of the above equation is 3(−ε2n/2 ), as we verified in the above paragraph. Thus we have 

(−1)qi (x) = (−2)ε2n/2 .

x∈L

As this is equal to (−1)dim(Vi )/2 ε2n/2 2dim(Vi )/2 by equation (14), we conclude that dim(Vi ) = 2. Hence Vi is a 1-dimensional subspace over K and two nonzero elements θ and φ of Vi are linearly dependent over K. (2) Suppose Bi ∩ Bj (i = j ∈ {0, 1, 2}) contains an element a = ρ−i Γi (θ) = ρ−j Γj (φ) for some θ ∈ Ai and φ ∈ Aj . Then ai := aρi = Γi (θ) and aj := aρj = Γj (φ). This implies 3 that θ lies in the radical Vi of the quadratic form qia,u (x) = Tr(ai xσ+1 + ui xσ +1 ) with ui := ρid u, while φ lies in the radical Vj of the quadratic form qja,u (x) = Tr(aj xσ+1 + 3 uj xσ +1 ) with uj := ρid u. However, as we remarked in Subsection 3.7, there is a unique index k in {0, 1, 2} such that the radical Vk of the quadratic form qk defined similarly to above contains a nonzero element θ with Pk (θ) = 0. This contradiction implies that Bi ∩ Bj = ∅ for every distinct i = j ∈ {0, 1, 2}. 2  (3) By claim (2), we have | ∪2i=0 Bi | = i=0 |Bi |, which equals (1/3) i=0 |Ai | by claim (1). Now, applying Lemma 5(3) to w = −ε2n/2 (= ε2n/2 ), the last sum is equal to # {y ∈ L | Wg (y, u) = −ε2n/2 }. (4) Take any element a in ∪2i=0 Bi . Then a = ρ−i Γi (θ) for some index i ∈ {0, 1, 2} and some θ ∈ L× in Ai . As we saw in Subsection 3.4, this implies that the radical Vi of the 3 quadratic form qia,u (x) = Tr(ai xσ+1 + ui xσ +1 ) with ai = aρi and ui = uρdi contains the above element θ and Pi (θ) = 0. By Proposition 1, we have Wκ (a, u) = Wg (θ−d , ui ), which is equal to Wg (θ−d η −i , u) by Lemma 5(2). Furthermore, as θ ∈ Ai , it follows from the definition of Ai that Wg (θ−d η −i , u) = −ε2n/2 . Hence we have Wκ (a, u) = −ε2n/2 . (5) For a sign δ ∈ {±}, we set αδ := {a ∈ L | Wg (a, u) = δε2n/2 }. By Proposition 3 and the equation (6), we have α+ +α− = 2n and ε2n/2 α+ −ε2n/2 α− = 2n , or equivalently α+ − α− = ε2n/2 . Thus α− = 12 (2n − ε2n/2 ). Hence it follows from claim (3) and claim (4) that we have N−ε = # {a ∈ L | Wκ (a, u) = −ε2n/2 } ≥ | ∪2i=0 Bi | = # {y ∈ L | Wg (y, u) = −ε2n/2 } = α− =

1 n (2 − ε2n/2 ). 2

2

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

31

3.11. The case when u lies in U In this section, we shall establish Theorem 1(ii). Arguments are almost parallel to those in Subsection 3.10 but simpler. Again the above claim is certainly true if a lies in Γi (L× ) for some index i ∈ {0, 1, 2}. Because, in this case we have Wκ (a, u) = Wg (θ−d , ui ) for the Gold function g(x) = xσ+1 by Proposition 1, which is 0 or ±2(n/2)+1 by Proposition 3(2) applied to ui ∈ U . On the other hand, if there is no index i in {0, 1, 2} such that Vi contains θ = 0 with Pi (θ) = 0, then one can apply Subsection 3.5 to conclude that Wκ (a, u) ∈ {0, ±ε2n/2 , −2ε2n/2 }. Hence it remains to eliminate the possibility that Wκ (a, u) = ±ε2n/2 . This task is reduced to show a certain inequality (Lemma 7(5)). To explain this, for δ ∈ {0, ε, 2ε} define Mδ := # {a ∈ L | Wκ (a, u) ∈ {δ2n/2 , −δ2n/2 }}. (Thus Mδ = Nδ + N−δ with notation in the previous subsection.) As we saw in the above paragraph, we have Mε + M0 + M2ε = |L| = 2n . By Perseval’s equality (see equation (7)), we have (ε2n/2 )2 Mε + 0 · M0 + (2ε2n/2 )2 M2ε = 22n , or equivalently Mε + 4M2ε = 2n . From these two equations, we have Mε = 43 (3 · 2n−2 − M0 ). Thus if we show the inequality M0 ≥ 3 · 2n−2 , then the last equation implies that M0 = 3 · 2n−2 and Mε = 0, as Mε is a nonnegative integer. Hence, once we establish the above inequality, then Wκ (a, u) = 0 or ±ε2(n/2)+1 for every a, u ∈ L with u ∈ U , and M0 = 3 · 2n−2 . This completes the proof of Theorem 1(ii). Now we consider the following subsets of L× for every i ∈ {0, 1, 2}: Ai := {θ ∈ L× | Wg (θ−d η −i , u) = 0}, Bi := {ρ−i Γi (θ) | θ ∈ Ai }. With notation in Lemma 5(3), we have Ai = Ai (w) for w = 0. We apply the last claim 2 in Lemma 5(3) to conclude i=0 |Ai | = 3# {y ∈ L | Wg (y, u) = 0}. We shall show the following claims in turn. The last inequality completes the proof of Theorem 1(ii), as we saw above. Every proof is briefly sketched, as the arguments are similar to those for Lemma 6. Lemma 7. (1) (2) (3) (4) (5)

|Bi | = (1/3)|Ai | for every index i ∈ {0, 1, 2}. Bi ∩ Bj = ∅ for every distinct i, j ∈ {0, 1, 2}. | ∪2i=0 Bi | = # {y ∈ L | Wg (y, u) = 0}. ∪2i=0 Bi ⊆ {a ∈ L | Wκ (a, u) = 0}. M0 ≥ 3 · 2n−2 .

Proof. (1) Fix an index i ∈ {0, 1, 2}. As we saw in the proof of Lemma 6(1), it suffices to show that a := ρ−i Γi (θ) = ρ−i Γi (φ) for some θ and φ in Ai implies that dim(Vi ) = 2. The same argument as those in the proof Lemma 6(1) show that Wκ (a, u) = Wg (y −d , ui ) = Wg (y −d η −i , u) = 0 for y ∈ {θ, φ}.

32

S. Yoshiara / Finite Fields and Their Applications 47 (2017) 11–32

   We have 3Wκ (a, u) = x∈L (−1)qi (x) + x∈L (−1)qi−1 (x) + x∈L (−1)qi+1 (x) by equation (12). As ui ∈ U , it follows from by conclusion (0) of Subsection 3.7 that the sum of the last two sums in the right hand side is equal to ε2n/2 + ε2n/2 = 2ε2n/2 . As  3Wκ (a, u) = 0, we have −2ε2n/2 = x∈L (−1)qi (x) . By equation (14), this sum is also given by (−1)dim(Vi )/2 ε2n/2 2dim(Vi )/2 . Thus we have dim(Vi ) = 2, as desired. (2) This claim follows from the same arguments for Lemma 6(2). (3) This follows from claim (2), claim (1) and Lemma 5(3) applied to w = 0. (4) This is just a repetition of the arguments in the proof of Lemma 6(4). Take any a ∈ ∪2i=0 Bi . Then a = ρ−i Γi (θ) for some index i ∈ {0, 1, 2} and some θ ∈ Ai . Thus it follows from Proposition 1 and Lemma 5(2) that Wκ (a, u) = Wg (θ−d , ui ) = Wg (θ−d η −i , u) = 0. (5) As u ∈ U , we have Nu := # {y ∈ L | Wg (y, u) = 0} = 2n−2 as we saw in the comment after Proposition 3. Then # {y ∈ L | Wg (y, u) = 0} = 2n − Nu = 3 · 2n−2 . By claim (3) and claim (4), we have the desired inequality M0 = # {a ∈ L | Wκ (a, u) = 0} ≥ | ∪2i=0 Bi | = # {y ∈ L | Wg (y, u) = 0} = 3 · 2n−2 .

2

References [1] C. Bracken, E. Byrne, N. Markin, G. McGuire, Determining the Nonlinearity of a New Family of APN Functions, Lecture Notes in Computer Science, vol. 4851, Springer, Berlin–Heidelberg, 2007, pp. 72–79. [2] C. Carlet, Boolean and vectorial plateaued functions and APN functions, IEEE Trans. Inf. Theory 61 (2015) 6272–6289. [3] J.F. Dillon, H. Dobbertin, New cyclic difference sets with Singer parameters, Finite Fields Appl. 10 (2004) 342–389. [4] S. Yoshiara, Equivalences among plateaued APN functions, Des. Codes Cryptogr. (2016), http:// dx.doi.org/10.1007/s10623-016-0298-0.