Advertisement

Cryptography and Communications

, Volume 9, Issue 6, pp 665–682 | Cite as

Character values of the Sidelnikov-Lempel-Cohn-Eastman sequences

  • Şaban Alaca
  • Goldwyn Millar
Article
  • 302 Downloads

Abstract

Binary sequences with good autocorrelation properties and large linear complexity are useful in stream cipher cryptography. The Sidelnikov-Lempel-Cohn-Eastman (SLCE) sequences have nearly optimal autocorrelation. However, the problem of determining the linear complexity of the SLCE sequences is still open. It is well known that one can gain insight into the linear complexity of a sequence if one can say something about the divisors of the gcd of a certain pair of polynomials associated with the sequence. Helleseth and Yang (IEEE Trans. Inf. Theory 49(6), 1548–1552 2002), Kyureghyan and Pott (Des. Codes Crypt. 29, 149–164 2003) and Meidl and Winterhof (Des. Codes Crypt. 8, 159–178 2006) were able to obtain some results of this type for the SLCE sequences. Kyureghyan and Pott (Des. Codes Crypt. 29, 149–164 2003) mention that it would be nice to obtain more such results. We derive new divisibility results for the SLCE sequences in this paper. Our approach is to exploit the fact that character values associated with the SLCE sequences can be expressed in terms of a certain type of Jacobi sum. By making use of known evaluations of Gauss and Jacobi sums in the “pure” and “small index” cases, we are able to obtain new insight into the linear complexity of the SLCE sequences.

Keywords

Linear complexity Feedback shift registers Autocorrelation Stream cipher cryptography Difference sets Almost difference sets Jacobi sums Gauss sums 

Mathematics Subject Classification (2010)

05B10 94A55 11T23 11T71 11B50 

1 Introduction

Let a = a 0 a 1 a 2… be a sequence over a field 𝔽. We say that a is periodic if there is an integer v > 0 such that a i = a v + i for all integers i ≥ 0. If v is the smallest such integer, then we say that a has period v. Periodic sequences with certain properties are useful in stream cipher cryptography. A list of general design parameters for cryptographic sequences is given at the end of Section 5.1 in [18]. A good sequence has a long period and ideally should posses two statistical properties known as the balance property and the run property (Properties R-1 and R-2 from [18], respectively). Furthermore, sequences should posses good correlation properties. Individual sequences should have low-valued auto-correlation (Property R-3 from [18]), and sets of sequences should have low-valued cross-correlation. Sequences should also have large linear complexity (large linear span). We will not discuss the run-property or the low-valued cross-correlation property in this paper.

It is important that the number of zeroes and ones in the first v elements of a binary sequence of period v differ by at most one [18]. This is the balance property.

It is possible to define autocorrelation for sequences with elements from various different fields (see [18]). But in this paper, we will discuss only autocorrelation of sequences defined over 𝔽2. Thus, we assume that a is a sequence with elements in 𝔽2. We define the autocorrelation function C τ of a by
$$C_{\tau} = C (\tau ) := \sum\limits_{i = 0}^{v-1} (-1)^{a_{i} + a_{i + \tau}},$$
where τ ∈ {0, ... , v − 1}. From a cryptographic standpoint, it is important that the maximum autocorrelation of the sequence is as small as possible.
Let be the smallest integer for which there exist \(c_{1}, {\ldots } ,c_{\ell } \in \mathbb {F}\) such that
$$-a_{i} = c_{1} a_{i-1} + {\cdots} + c_{\ell} a_{i - \ell} \text{ for each } i \geq \ell. $$

In other words, let be the length of the smallest linear feedback shift register that can be used to generate the sequence a (see [18]). Then we say that is the linear complexity of a. Linear complexity is one of the most important design parameters for cryptographic sequences: using the Berlekamp-Massey algorithm, one can deduce the entire sequence from 2 of its consecutive elements [18]. Ideally, the linear complexity of a sequence would be nearly as large as its period.

The polynomial \(c(x) = 1 + c_{1}x + {\cdots } + c_{\ell }x^{\ell } \in \mathbb {F} [x]\) is called the minimal polynomial of a. Let A(x) = a 0 + a 1 x + ⋯ + a v − 1 x v−1. It is well known (see for example [18] and [25]) that a has minimal polynomial
$$\begin{array}{@{}rcl@{}} c(x) = \frac{x^{v}-1}{\gcd(x^{v} -1,A(x))} \end{array} $$
(1.1)
and linear complexity
$$\begin{array}{@{}rcl@{}} l = v - \text{deg}(\gcd(x^{v}-1,A(x))). \end{array} $$
(1.2)

As discussed in [25], the computation of \(\gcd (x^{v}-1,A(x))\) is harder when the characteristic of 𝔽 divides v than when it does not. For if the characteristic of 𝔽 divides v, then one must not only find the common factors of x v − 1 and A(x) but also determine the multiplicity with which they divide \(\gcd (x^{v}-1,A(x))\).

In this paper, we study a class of sequences defined over \(\mathbb {F}_{2}\) that were discovered by Sidelnikov [34] and rediscovered by Lempel et al. [27]. Following [25], we refer to these sequences as Sidelnikov-Lempel-Cohn-Eastman sequences (or SLCE sequences). As the authors of [25] remark, SLCE sequences are some of the best even length sequences: they have the same number of zeroes as they do ones, and they have nearly optimal autocorrelation properties [27]. In fact, since circulant Hadamard matrices seem not to exist [28], the autocorrelation properties of the SLCE sequences may in fact be optimal.

We now define the SLCE sequences, and in so doing, we fix notation (for p, q, m, α, s, and S 2(x)) that we use throughout the paper.

Definition 1.1

Let p be an odd prime, m a positive integer, and q = p m . Let α be a primitive element of the finite field \(\mathbb {F}_{q}\). An SLCE sequence s = s 0 s 1 s 2… of period q − 1 over 𝔽2 is defined as follows:

For 0 ≤ tq − 2, we let s t := 1 if α t = α 2i+1 − 1 for some integer i with 0 ≤ iq − 2, and let s t := 0 otherwise. We define \(S_{2}(x) \in \mathbb {F}_{2}[x]\) by
$$S_{2}(x) = s_{0} + s_{1}x + {\cdots} + s_{q-2}x^{q-2}.$$

Since the SLCE sequences have good autocorrelation and balance properties, it makes sense to study their linear complexity. Since these sequences are binary, it is natural to determine their linear complexity over 𝔽2. The study of the linear complexity of the SLCE sequences over 𝔽2 began with [21] and was continued in [25] and [32]. However, this problem has turned out to be rather difficult. There are at least two reasons for this. For one thing, since q − 1 is always even, the characteristic of 𝔽2 divides the periods of the sequences. But there is also another problem, which is discussed in the concluding section of [25]. Many well-known sequences correspond (in a sense) to reasonably well-behaved combinatorial objects such as difference sets, divisible difference sets, and partial difference sets (see [8] for difference sets and divisible difference sets, and see [29] for partial difference sets). As a result of this correspondence, explicit formulae have been found for the linear complexity of these sequences (see, for example, [15]). However, the SLCE sequences do not correspond to any of these types of combinatorial objects. Rather, they correspond to combinatorial objects called almost difference sets that are, in a sense, more general and about which much less is presently known (see [5] for background on almost difference sets).

The authors of [21, 25], and [32] were able to obtain conditions under which certain polynomials divide \(\gcd (x^{q-1} + 1,S_{2}(x))\). In light of (1.1) and (1.2), such results provide some insight into the minimal polynomials of the SLCE sequences over 𝔽2 and yield upper bounds on the linear complexity of these sequences. The authors of [25] also computed \(\gcd (S_{2}(x),x^{q-1}+1)\) in a number of cases using MAGMA. However, much still remains to be learned about the divisors of these polynomials. Indeed, the authors of [25] mentioned that it would be nice to obtain new divisibility results giving conditions under which certain polynomials divide \(\gcd (S_{2}(x),x^{q-1}+1)\). We obtain more results of this type in this paper.

The results from [21] and [25] are based on a representation of the elements of the SLCE sequences in terms of certain quadratic character values. Using this representation in conjunction with certain facts concerning the cyclotomic numbers of order 2, the authors of [21] and [25] were able to gain some insight into the minimal polynomials of these sequences. Furthermore, the authors of [25] showed that under certain conditions, the problem of determining whether or not a certain polynomial divides \(\gcd (x^{q-1}+1,S_{2}(x))\) is equivalent to determining congruence classes of certain character sums known as Jacobsthal sums. The authors of [32] used known evaluations of cyclotomic numbers in certain special cases to obtain a number of new divisibility conditions.

By contrast, the approach of this paper is based on an expression of character values associated with the SLCE sequences (in a manner to be specified later) in terms of certain Jacobi sums (see Theorem 3.1 below). In fact, the problem of determining whether certain polynomials divide \(\gcd (x^{q-1}+1,S_{2}(x))\) turns out to be equivalent to determining the congruence classes of these Jacobi sums modulo certain prime ideals in certain algebraic number fields.

Jacobi sums are closely related to both cyclotomic numbers and Jacobsthal sums (see [7, Chapters 2 and 6]), so it is perhaps not surprising that the problem can be interpreted in these various different manners. Nonetheless, our method does have some virtues. At present, the Jacobsthal sum condition from [7] only applies when q ≡ 1(mod 4), and calculation of the cyclotomic numbers of order t is quite complicated when t is large. Thus, our representation of the problem in terms of Jacobi sums provides a convenient means by which to harness the information from known evaluations of Gauss and Jacobi sums. Indeed, by making use of such evaluations, we are able to obtain divisibility conditions different than those from [21, 25], and [32] (see Theorems 4.1 and 4.2 below).

We should also note that since the problem of determining the linear complexity of the SLCE sequences over 𝔽2 is rather difficult, many authors have turned to the important work of calculating the linear complexity of these sequences over other fields. For instance, since the SLCE sequences are constructed using the finite field q , several authors have studied the linear complexity of these sequences over 𝔽 p (see [3, 4, 9, 13, 17, 19, 20, 24], and [12]; some of the papers in fact deal with closely related questions). The problem of determining the linear complexity of the SLCE sequences over non-prime fields has also been considered (see [10] and [11]).

2 Preliminary results

We introduce some concepts and list some preliminary results that we use throughout the paper. Let G denote a finite Abelian group of exponent v . The integral group ring \(\mathbb {Z}[G]\) consists of all formal sums \({\sum }_{g \in G} a_{g} g\), where \(a_{g} \in \mathbb {Z}\) and with addition and multiplication defined as follows:
$$\begin{array}{@{}rcl@{}} \sum\limits_{g \in G} a_{g} g + \sum\limits_{g \in G} b_{g} g = \sum\limits_{g \in G} (a_{g} + b_{g}) g \end{array} $$
and
$$\begin{array}{@{}rcl@{}} \left( \sum\limits_{g \in G} a_{g} g \right) \left( \sum\limits_{h \in G} b_{h} h \right) = \sum\limits_{f\in G} \left( \sum\limits_{gh =f} a_{g} b_{h} \right) f . \end{array} $$

For any subset \(T \subseteq G,\) we identify T with the group ring sum of all the elements in T; indeed, we refer to this sum as T.

Notation 2.1

Let n be a positive integer. We write ζ n to denote a primitive, complex nth root of unity. Sometimes we write ζ to refer to a (not necessarily primitive) root of unity.

A group character is a homomorphism \(\chi :G \to \langle \zeta _{v^{*}} \rangle \). Such a homomorphism can be extended by linearity to a map from \(\mathbb {Z}[G]\) to \(\mathbb {Z}[\zeta _{v^{*}}]\). For a discussion of the use of characters in the theory of difference sets, see [8]; for a discussion of characters over finite fields, see [23].

Definition 2.1

Let \(D:= \lbrace \alpha ^{t} \mid \exists (i \in \{ 0, 1, \ldots , q-2\})~ \alpha ^{t} = \alpha ^{2i+1}-1 \rbrace \subseteq \mathbb {F}_{q}^{*}\). We also refer to the group ring element \(D \in \mathbb {Z}[\mathbb {F}_{q}^{*}]\) as S D (α).

We adopt the following convention. For an integer i ∈ {1,…, p − 1}, we refer to the corresponding element of \(\mathbb {F}_{p}^{*}\) by italicizing i.

Definition 2.2

Let \(Y:= \lbrace y \in \mathbb {F}_{q}^{*} \mid y = x(\mathit {1}-x) \text { for some } x \in \mathbb {F}_{q}^{*} \rbrace \). Let Z: = Y c denote the complement of Y in \(\mathbb {F}_{q}^{*}\).

The following result, due to Lempel, Cohn, and Eastman [27, proof of Theorem 5] plays a fundamental role in our work.

Theorem 2.1

Let D and Z be as in Definitions 2.1 and 2.2, respectively. Then Z is a shift of D: in fact, Z = −4−1 D, so that D = −4Z and D c = −4Y.

We need several results concerning cyclotomic fields. First, we fix some notation.

Notation 2.2

Let k be a positive odd divisor of q − 1, and let f denote the multiplicative order of 2 modulo k, so that f is the smallest positive integer for which k|2 f − 1. Let ϕ(k) denote the Euler phi-function, which is the number of positive integers less than k and relatively prime to k.

For a proof of the next result, see [31, Theorems 8.7 and 8.8].

Theorem 2.2

In the ring of integers \(\mathbb {Z}[\zeta _{k}]\) of the cyclotomic field \(\mathbb {Q}(\zeta _{k}),\) the prime ideal factorization of the ideal 〈2〉 is given by
$$\langle 2 \rangle = P_{1}P_{2} {\cdots} P_{\phi(k)/f},$$
where \(P_{1}, {\dots } ,P_{\phi (k)/f}\) are distinct prime ideals, and for every i = 1, …, ϕ(k)/f, \(\mathbb {Z}[\zeta _{k}]/P_{i}\) is a finite field of order 2 f .

Notation 2.3

Let us now stipulate that \(\mathcal {P}\) is a prime ideal lying above 2 in \(\mathbb {Z}[\zeta _{k}]\).

For a proof of the following theorem, see [23, Propositions 13.2.3 and 14.2.1].

Theorem 2.3

The elements \(1, \zeta _{k}, {\ldots } , \zeta _{k}^{k-1}\) belong to mutually distinct cosets of \(\mathbb {Z}[\zeta _{k}]/\mathcal {P}\) . Furthermore, if \(\gamma \in \mathbb {Z}[\zeta _{k}]\) and \(\gamma \notin \mathcal {P},\) then there exists a unique (not necessarily primitive) kth root of unity ζ such that
$$\gamma^{(2^{f}-1)/k} \equiv \zeta (\text{mod}~{\mathcal{P}}).$$

We note that for any quadratic field K, there exists a unique square-free integer n such that \(K = \mathbb {Q}(\sqrt {n})\), see [2, p. 95] or [23, p. 188]. For the proof of the following result, see [2, p. 96] or [23, p. 189].

Theorem 2.4

Let n ≡ 1(mod 4). Let \(K = \mathbb {Q}(\sqrt {n})\) be a quadratic field. Then the ring O K of algebraic integers in K is given by
$$O_{K} = \mathbb{Z} +\mathbb{Z}\left( \frac{-1+ \sqrt{n}}{2} \right).$$

The following result is a special case of Theorem 10.2.1 from [2, pp. 242–245].

Theorem 2.5

Let \(K = \mathbb {Q}(\sqrt {n })\) be a quadratic field. If n ≡ 1(mod 8), then the ideal 〈2〉 factors into a product of two prime ideals as
$$\langle 2 \rangle = P_{1}P_{2} = \langle 2, \frac{1}{2}(1 + \sqrt{n}) \rangle \langle 2, \frac{1}{2}(1 - \sqrt{n}).$$
Further, O K /P i is a finite field of order 2 for i = 1, 2.

The following result relates quadratic and cyclotomic fields, see [23, p. 199].

Theorem 2.6

Let ℓ be a prime. Then \(\mathbb {Q} \left (\sqrt {(-1)^{(\ell - 1)/2} \ell }~ \right )\) is the unique quadratic field contained in the cyclotomic field \(\mathbb {Q}(\zeta _{\ell })\).

Let \(K = \mathbb {Q}(\sqrt {n})\) be a quadratic field. It is known that the set I(K) of all nonzero fractional and integral ideals of K forms an Abelian group under multiplication [2, Theorem 8.3.4]. Let P(K) be the subgroup consisting of principal ideals. The quotient group H(K) = I(K)/P(K) is finite [2, Theorem 12.5.4]. We call the order of this group the class number of the field K and refer to it as h(K).

We now turn our attention to character sums. We note that for every (not necessarily primitive) kth root of unity ζ, there exists a unique character \(\chi : \mathbb {F}_{q}^{*} \to \langle \zeta _{k} \rangle \) of order dividing k such that χ(α) = ζ [23, Chapter 8].

Notation 2.4

Let \(\chi : \mathbb {F}_{q}^{*} \to \langle \zeta _{k} \rangle \) denote the unique character mapping α to ζ k , and let ρ be the (unique) quadratic character on \(\mathbb {F}_{q}^{*}\) . Note that χ has order k.

Definition 2.3

Let χ be the unique character given above, and let ϕ be another nontrivial character of \(\mathbb {F}_{q}^{*}\). We define the Jacobi sum J(χ, ϕ) by
$$J(\chi,\phi) := \sum\limits_{i = 1}^{q-2} \chi(\alpha^{i})\phi(1 - \alpha^{i}).$$
We shall be particularly interested in the Jacobi sum
$$K(\chi) := \chi(4)J(\chi,\chi).$$
We mention the following congruence (see [7, Theorem 2.18]).
$$ K(\chi) \equiv -q (\text{mod}~{2(1 - \zeta_{k})}). $$
(2.1)
The following identity is also important for our work (see [7, Theorem 2.1.4]).
$$ K(\chi) = J(\chi,\rho). $$
(2.2)

It is well known that \(|J(\chi ,\phi )| = \sqrt {q},\) but in general, the exact value of J(χ, ϕ) is not known (and, in particular, the exact value of the Jacobi sum K(χ) is not known). Such sums have been evaluated in certain special cases. For instance, evaluations are known for Jacobi sums over characters of small order. This information has already been used to obtain evaluations for cyclotomic numbers [7, Chapter 2] which were in turn used in [32] to obtain divisibility conditions for the SLCE sequences. So, we do not use these evaluations here.

Another case in which evaluations are known is that of the pure Jacobi sums. A Jacobi sum is called pure if some positive integral power of it is real. Such sums were studied in [1] and [33]. Indeed, in light of (2.2), the results from [1] and [33] can be used to evaluate certain Jacobi sums of the type K(χ). The authors of [1] and [33] showed that if m is odd, then no Jacobi sum defined on \(\mathbb {F}_{p^{m}}\) can be pure. They completely determined conditions under which Jacobi sums are pure when m = 2.

Theorem 2.7

If m = 2, then K(χ) is pure if and only if k is a divisor of p + 1, k is an even divisor of 2(p − 1), k = 24 and p ≡ 17, 19(mod 24), or k = 60 and p ≡ 41, 49(mod 60).

It follows from Theorem 2.7 and Notation 2.2 that if q = p 2, then our sum K(χ) is pure only when k is an odd divisor of p + 1. In this case an explicit evaluation of K(χ) is given in [6, Theorem 2.14].

Theorem 2.8

Let m = 2, and let k be an odd divisor of p + 1. Then K(χ) = p.

The evaluation in Theorem 2.8 is a special case of a more general result. To explain why, it is necessary to introduce another type of character sum.

Definition 2.4

Let 𝜖 be a character on \(\mathbb {F}_{q}\). We define the Gauss sum G(𝜖) by
$$ G(\epsilon) :=\sum\limits_{\alpha \in \mathbb{F}_{q}} \epsilon(\alpha) e^{2\pi i \text{tr}(\alpha)/p}, $$
(2.3)
where tr is the field trace from \(\mathbb {F}_{q}\) to \(\mathbb {F}_{p}\).
The following identity relates Gauss and Jacobi sums (see [23, Theorem 2.1.3] or [7]). If χ ϕ is not the trivial character, then
$$ J(\chi,\phi) = \frac{G(\chi) G(\phi)}{G(\chi \phi)}. $$
(2.4)
In particular, since χ is a character of order greater than 2, we have
$$ K(\chi) = J(\chi,\rho) = \frac{G(\rho)G(\chi)}{G(\chi \rho)}. $$
(2.5)
Let s ≥ 1 be an integer, and let \(\chi ^{\prime } := \chi \circ N,\) where N is the field norm from \(\mathbb {F}_{q^{s}}^{*}\) to \(\mathbb {F}_{q}^{*}\). Then \(\chi ^{\prime }\) is a character of \(\mathbb {F}_{q^{s}}\) of order k, which is called a lifted character. Note that every character on \(\mathbb {F}_{q^{s}}\) of order k can be obtained as a lifted character from a character of \(\mathbb {F}_{q}\) of order k. We mention the following important identity, which is known as the Hasse-Davenport Lifting Theorem (see [7, Theorem 11.5.2]).
$$ G(\chi^{\prime}) = (-1)^{s-1} (G(\chi))^{s}. $$
(2.6)
The problem of evaluating Gauss sums is just as hard as the problem of evaluating Jacobi sums. But explicit evaluations have been obtained in a number of special cases. The first of these evaluations is due to Gauss, who evaluated G(ρ) when q = p (i.e. when m = 1). His evaluation can be extended to a general (odd) prime power q = p m [7, Theorem 11.5.4] as
$$ G(\rho) = \left\{\begin{array}{ll} (-1)^{m-1} p^{m/2} & \text{if } p \equiv 1 (\text{mod}~4) \\ (-1)^{m-1}i^{m} p^{m/2} & \text{if } p \equiv 3 (\text{mod}~4). \end{array}\right. $$
(2.7)

A Gauss sum is called pure if some positive integral power of it is real. The following theorem completely classifies pure Gauss sums (see [7, Section 11.6]).

Theorem 2.9

Let n|q − 1, and let 𝜖 be a character of order n. Then G(𝜖) is pure if and only if there exists a positive integer x such that p x ≡ −1(mod n). Furthermore, if there exist such integers and t is the least such integer, then there exists a positive integer s such that m = 2ts, and
$$G(\epsilon) = (-1)^{s-1+(p^{t}+1)s/n} p^{m/2}.$$

We now assume that there exists a positive integer x such that p x ≡ −1(mod k); indeed, we refer to the least such integer as t. Then, by Theorem 2.9, G(χ) is a pure Gauss sum. Since k is odd and p t + 1 is even, then k|p t + 1 ⇔ 2k|p t + 1. Hence, since t is the smallest positive integer satisfying p t ≡ −1(mod k), then t is also the smallest positive integer satisfying p t ≡ −1(mod 2k). We note that χ ρ is a character of order lcm(2, k) = 2k. Thus, G(χ ρ) is a pure Gauss sum. Thus, in this case, we can use Theorem 2.9, (2.7), and (2.4) to evaluate the Jacobi sum K(χ). We note that by Theorem 2.9, m = 2t s for some positive integer s. Since the evaluation in (2.7) breaks into two cases, our evaluation also breaks into two cases.

First, we assume that p ≡ 1(mod 4). Then
$$\begin{array}{@{}rcl@{}} K(\chi) = \frac{(-1)^{m-1} p^{m/2} (-1)^{s-1 + (p^{t}+1)s/k}p^{m/2}}{(-1)^{s-1 + (p^{t}+1)s/(2k)}p^{m/2}} = (-1)^{1 + (p^{t}+1)s/(2k)}p^{m/2}. \end{array} $$

Let us consider the special case in which m = 2 and k|p + 1 (so that t = s = 1). Since p ≡ 1(mod 4), it follows that (p t +1)/2k is odd. Then by Theorem 2.8, the evaluation of K(χ) given above reduces to the evaluation K(χ) = p.

Next, we assume that p ≡ 3(mod 4). Then
$$\begin{array}{@{}rcl@{}} K(\chi) = \frac{(-1)^{m-1}{i}^{m}p^{m/2}(-1)^{s-1 + (p^{t}+1)s/k}p^{m/2}}{(-1)^{s-1 + (p^{t}+1)s/(2k)}p^{m/2}} = (-1)^{1 + m/2 + (p^{t}+1)s/(2k)}p^{m/2}. \end{array} $$

Again, let us consider the special case in which m = 2 and k|p + 1 (so that s = t = 1). Since p ≡ 3(mod 4), it follows that (p t + 1)/2k is even. Then by Theorem 2.8, the evaluation of K(χ) given above reduces to the evaluation K(χ) = p.

Corollary 2.1

Assume that there exist positive integers x such that p x ≡ −1(mod k), and let t be the least such integer. Then there exists \(s \in \mathbb {N}\) such that m = 2ts, and
$$\begin{array}{@{}rcl@{}} K(\chi) = \left\{\begin{array}{ll} (-1)^{1 + (p^{t}+1)s/(2k)}p^{m/2} & \text{if } p \equiv 1 (\text{mod}~4) \\ (-1)^{1 + m/2 + (p^{t}+1)s/(2k)}p^{m/2} & \text{if } p \equiv 3 (\text{mod}~4). \end{array}\right. \end{array} $$
Finally, a third case in which there are known evaluations for Gauss and Jacobi sums is that of the small index Gauss and Jacobi sums. We will discuss the sums K(χ) in this context. Recall that \(\text {Gal}(\mathbb {Q}(\zeta _{k})) \cong \left (\mathbb {Z}/k\mathbb {Z}\right )^{*}\). Let \(\sigma _{p} \in \text {Gal}(\mathbb {Q}(\zeta _{k}))\) be the automorphism mapping ζ k to \({\zeta _{k}^{p}}\). Then, since the Frobenius map is an automorphism of \(\mathbb {F}_{q}\) fixing the elements of \(\mathbb {F}_{p},\) we have that
$$\begin{array}{@{}rcl@{}} \sigma_{p} (K(\chi)) &=& \sigma_{p}(\chi(4))\sum\limits_{i = 1}^{q-2} \sigma_{p}(\chi(\alpha^{i}))\sigma_{p}(\chi(1-\alpha^{i})) \\ &=& \chi(4^{p})\sum\limits_{i = 1}^{q-2}\chi((\alpha^{i})^{p})\chi(1^{p} - (\alpha^{i})^{p}) \\ &=& \chi(4)\sum\limits_{i = 1}^{q-2}\chi(\alpha^{i})\chi(1 - \alpha^{i}) = K(\chi). \end{array} $$

Thus, K(χ) is in the fixed field of σ p , and by the Fundamental Theorem of Galois Theory, this field has degree \([(\mathbb {Z}/k\mathbb {Z})^{*}: \langle p \rangle ]\) as an extension of \(\mathbb {Q}\). Since we know how to evaluate K(χ) when there exist positive integers x such that p x ≡ −1(mod k), we can confine ourselves to the case in which there exist no such integers. Having made this assumption, we see that the quotient group \((\mathbb {Z}/k\mathbb {Z})^{*}/\langle p \rangle \) must contain the (non-identity) element −1 + 〈p〉 and so (by Lagrange’s Theorem) must have even order.

The small index assumption is the assumption that \([(\mathbb {Z}/k\mathbb {Z})^{*}:\langle p \rangle ]\) is a small positive integer. By making this assumption, we can infer that K(χ) lies in an algebraic number field of small degree, and can therefore use facts about such number fields to evaluate K(χ). Explicit evaluations have been obtained for Gauss sums in the index 2 and index 4 cases. It is sometimes possible to translate these Gauss sum evaluations into evaluations of K(χ).

Let us assume that \([(\mathbb {Z}/k\mathbb {Z})^{*}:\langle p \rangle ] = 2\). It is easy to see that
$$(\mathbb{Z}/k\mathbb{Z})^{*} \cong \langle p \rangle \times \langle -1 \rangle.$$

Thus, \((\mathbb {Z}/k\mathbb {Z})^{*}\) contains at most 3 elements of order 2, and it follows easily from the Chinese Remainder Theorem that (since k is odd) either \(k = \ell _{1}^{r_{1}}\) or \(k = \ell _{1}^{r_{1}}\ell _{2}^{r2}\) for some odd primes 1 and 2, and some positive integers r 1 and r 2.

The following evaluation is due to Langevin [26]. We note that the congruence condition ≡ 3(mod 4) is actually forced by the index 2 assumption, as Langevin demonstrates in his paper. Furthermore, the hypothesis in the evaluation below that > 3 is only necessary to obtain a nice expression for the Gauss sum in terms of the class number of a certain quadratic field. We have rephrased Langevin’s result in the manner in which it was stated in [35].

Theorem 2.10

Let k = ℓ r , where ℓ > 3 is a prime congruent to 3(mod 4) and r is a positive integer. We suppose that \([(\mathbb {Z}/k\mathbb {Z})^{*}:\langle p \rangle ] = 2\) and m = ϕ(k)/2. Then
$$G(\chi) = p^{\frac{1}{2} (m - h)}\left( \frac{a + b\sqrt{-\ell}}{2}\right),$$
where \(h = h(\mathbb {Q}(\sqrt {-\ell }))\) is the class number of \(\mathbb {Q}(\sqrt {-\ell })\) , and the integers a and b satisfy the three conditions
$$\begin{array}{@{}rcl@{}} a,b \not\equiv 0 (\text{mod}~{p}),~4p^{h} = a^{2} + \ell b^{2}, \text{ and }a \equiv -2p^{\frac{1}{2} (m + h)} (\text{mod}~{\ell}). \end{array} $$
Furthermore, these conditions are sufficient to determine a completely and to determine b up to sign.
In the above formula, in place of the expression \(\left (\frac {a + b\sqrt {-\ell }}{2} \right )\), Langevin had originally used the expression \(a^{\prime } + b^{\prime }\left (\frac {-1 + \sqrt {-\ell }}{2}\right )\), where \(a^{\prime }, b^{\prime } \in \mathbb {Z}\). Note that
$$a^{\prime} + b^{\prime}\left( \frac{-1 + \sqrt{-\ell}}{2}\right) = \frac{\left( 2a^{\prime} - b^{\prime}\right) + b^{\prime}\sqrt{-\ell}}{2}.$$

The integers a and b in the version from [35] (and from Theorem 2.10 above) are obtained by setting \(a = 2a^{\prime } - b^{\prime }\) and \(b = b^{\prime }\). As a result, we also have the condition (not stated explicitly in our version of Theorem 2.10) that ab(mod 2).

Note also that \([(\mathbb {Z}/2k\mathbb {Z})^{*}:\langle p \rangle ] =2\). Xia and Yang have evaluated index 2 Gauss sums over characters of order 2 r [35]. Their result breaks into two separate cases: one in which ≡ 3(mod 8) and one in which ≡ 7(mod 8). We only make use of the result for the case in which ≡ 7(mod 8).

Theorem 2.11

Let k = ℓ r , where ℓ > 3 is a prime congruent to 7(mod 8) and r is a positive integer. We supppose that \([(\mathbb {Z}/2k\mathbb {Z})^{*}:\langle p \rangle ]=2\) and m = ϕ(k)/2. Let 𝜖 be a character on \(\mathbb {F}_{q}\) of order 2k. Then
$$G(\epsilon) = (-1)^{r\frac{p-1}{2}\sqrt{(-1)^{(p-1)/2}}}p^{\frac{m}{2}}.$$
Let us make a slight modification to our earlier hypotheses. Assume s is a positive integer, and let m = ϕ(k)s/2. So, we are now considering a larger class of prime powers p m . Let us set e = ϕ(k)/2, so that m = e s. Let ≡ 7(mod 8). We consider two cases.
  1. Case 1:
    p ≡ 1(mod 4). By Theorems 2.6, 2.7 and 2.11, we have that
    $$K(\chi) = \frac{(-1)^{es-1}p^{es/2}(-1)^{s-1}p^{(e-h)s/2}\left( \frac{a + b\sqrt{-\ell}}{2}\right)^{s}}{(-1)^{s - 1 + r(p-1)s/2 + (p-1)s/4}p^{es/2}}. $$
    Since e is odd and (p − 1)/2 is even, we deduce that
    $$K(\chi) = (-1)^{s-1-(p-1)s/4}p^{(e-h)s/2}\left( \frac{a + b\sqrt{-\ell}}{2}\right)^{s}.$$
     
  2. Case 2:
    p ≡ 3(mod 4). By Theorems 2.6, 2.7 and 2.11, we have that
    $$K(\chi) = \frac{(-1)^{es-1+ es/2}p^{es/2}(-1)^{s-1}p^{(e-h)s/2}\left( \frac{a + b\sqrt{-\ell}}{2}\right)^{s}}{(-1)^{s - 1 + r(p-1)s/2 + (p-1)s/4}p^{es/2}}. $$
    Since e and (p − 1)/2 are odd, we deduce that
    $$K(\chi) = (-1)^{s-1-rs + (e + 1)s/2}p^{(e-h)s/2}\left( \frac{a + b\sqrt{-\ell}}{2}\right)^{s}.$$
    We collect these observations for later reference.
     

Corollary 2.2

Let k = ℓ r , where ℓ is a prime congruent to 7(mod 8) and r is a positive integer. We suppose that \([(\mathbb {Z}/k\mathbb {Z})^{*}:\langle p \rangle ] = 2\) and m = ϕ(k)s/2, where s is a positive integer.

If p ≡ 1(mod 4), then
$$K(\chi) = (-1)^{s-1-(p-1)s/4}p^{(e-h)s/2}\left( \frac{a + b\sqrt{-\ell}}{2}\right)^{s}.$$
If p ≡ 3(mod 4), then
$$K(\chi) = (-1)^{s-1-rs + (e + 1)s/2}p^{(e-h)s/2}\left( \frac{a + b\sqrt{-\ell}}{2}\right)^{s}.$$

3 Character values

We show that the problem of finding \(\gcd (S_{2}(x),x^{q-1}+1)\) is equivalent to determining the equivalence class of K(χ) modulo a certain prime ideal. Several authors have previously made use of complex group characters to determine the linear complexity of various classes of sequences (see, for instance, [30] and [15]).

Notation 3.1

Since \(\mathbb {F}_{2^{f}}^{*}\) is a cyclic group of order 2 f − 1, it has a subgroup of order k. Hence, the polynomial x k + 1 = (1 + x)(1+ x + ⋅⋅⋅ + x k−1) splits completely over \(\mathbb {F}_{2^{f}}\) . Let \(\beta \in \mathbb {F}_{2^{f}}\) be an element of order k, so that β is a root of 1 + x + ⋅⋅⋅ + x k−1 . Let I β (x) be the minimal polynomial of β over \(\mathbb {F}_{2}\).

Note that I β (x)|1 + x +⋅⋅⋅ + x k−1; indeed, 1 + x +⋅⋅⋅ + x k−1 is a product of distinct minimal polynomials of elements of \(\mathbb {F}_{2^{f}}\) of order dividing k. Since k|q − 1, β is a root of x q−1 + 1, and so I β (x) is a factor of x q−1+1 (and, indeed, 1 + x +⋅⋅⋅ + x k−1|x q−1 + 1). We want to determine whether or not I β (x) and/or 1 + x + ⋅⋅⋅ + x k−1 divide S 2(x). Note that I β (x)|S 2(x) if and only if S 2(β) = 0, where S 2(β) is an element of \(\mathbb {F}_{2^{f}}\).

By Theorem 2.2 we have \(\mathbb {F}_{2^{f}} \simeq \mathbb {Z}[\zeta _{k}] / \mathcal {P}\). Let \(\phi :\mathbb {F}_{2^{f}} \to \mathbb {Z}[\zeta _{k}] / \mathcal {P}\) be an isomorphism. Of course, \(\phi (0) = 0 + \mathcal {P}\) and \(\phi (1) = 1 + \mathcal {P}\). Since β has order k, there exists \(\eta \in \mathbb {F}_{2^{f}}\) such that \(\beta = \eta ^{(2^{f}-1)/k},\) so that \(\phi (\beta ) = \phi (\eta )^{(2^{f}-1)/k}\). Consequently, by Theorem 2.3, there exists a unique (in this case, primitive) kth root of unity congruent to \(\phi (\beta ) (\text {mod}~{\mathcal {P}})\).

Notation 3.2

Let ζ denote the unique primitive kth root of unity congruent to \(\phi (\beta ) (\text {mod}~{\mathcal {P}})\). Let χ denote the unique group character mapping α to ζ. Let S z (x) be the polynomial in ℤ[x] obtained by replacing each coefficient of S 2 (x) with its counterpart (0 or 1) from ℤ.

We note that ϕ(S 2(β)) is the equivalence class modulo \(\mathcal {P}\) containing S z (ζ), and
$$\chi(D) + \mathcal{P} = \chi(S_{G}(\alpha)) + \mathcal{P} = S_{z}(\zeta) + \mathcal{P} = \phi(S_{2}(\beta)).$$
Hence,
$$I_{\beta}(x)|S_{2}(x) \iff \chi(D) \equiv 0 (\text{mod}~{\mathcal{P}}).$$
Since χ is nontrivial, we have χ(D) = χ(GD c ) = −χ(D c ), so that
$$\chi(D) \equiv 0 (\text{mod}~{\mathcal{P}}) \iff \chi(D^{c}) \equiv 0 (\text{mod}~{\mathcal{P}}).$$
Hence,
$$ I_{\beta}(x)|S_{2}(x) \iff \chi(D^{c}) \equiv 0 (\text{mod}~{\mathcal{P}}). $$
(3.1)

Thus, it suffices to consider χ(D c ) instead of χ(D).

We now prove the result mentioned at the beginning of this section. As we show in the next section, this result enables us to derive several new divisibility results for the SLCE sequences. We proceed by obtaining an expression for χ(D c ) in terms of K(χ).

Theorem 3.1

We have
$$I_{\beta}(x)|S_{2}(x) \iff \frac{1}{2}(K(\chi) + 1) \equiv 0 (\text{mod}~{\mathcal{P}}).$$

Proof

The reasoning in the next two sentences is taken from [7, Theorem 2.14], where it serves a different purpose. Let \(\gamma \in \mathbb {F}_{q}^{*}\) be fixed. An element \(x \in \mathbb {F}_{q}^{*}\) satisfies the equation x(1x) = γ if and only if it satisfies the equation (2 x1)2 = 14 γ. Hence, the number of solutions of the equation x(1x) = γ in \(F_{q}^{*}\) is 1 + ρ(14 γ), where ρ denotes the (unique) quadratic character on \(\mathbb {F}_{q}\). It follows that every element of \(\mathbb {F}_{q}^{*}\) is represented either twice or zero times in the form x(1x), save for 4 −1, which is represented once. This makes sense since there are q − 2 choices of x for which \(x(\mathit {1}-x) \in \mathbb {F}_{q}^{*},\) and q − 2 is an odd number. Making use of Theorem 2.1, we see that
$$\begin{array}{@{}rcl@{}} \chi(\mathit{-1})K(\chi) &= &\chi(\mathit{-4})J(\chi,\chi) = \chi(\mathit{-4})\sum\limits_{x \in \mathbb{F}_{q}^{*}} \chi(x)\chi(\mathit{1}-x) \\ &=& \chi(\mathit{-4})\sum\limits_{x \in \mathbb{F}_{q}^{*}} \chi(x(\mathit{1}-x)) = \chi(\mathit{-4})\chi \left( \sum\limits_{x\in \mathbb{F}_{q}^{*}} x(\mathit{1}-x) \right) \\ & =& \chi(\mathit{-4})\chi(2Y - \mathit{4}^{-1}) = \chi(2D^{c} - (\mathit{-1})) = 2\chi(D^{c}) - \chi(\mathit{-1}). \end{array} $$
So, we deduce that
$$\chi(D^{c}) = \frac{1}{2} \chi(\mathit{-1})(K(\chi) + 1).$$

Note that, by (2.1), K(χ) ≡ 1(mod 2), so that the value we have ascribed to χ(D c ) is indeed an element of \(\mathbb {Z}\left [\zeta _{k} \right ]\). The result now follows by equivalence (3.1). □

4 Divisibility results

We use Theorem 3.1, in conjunction with the evaluations of the sums K(χ) given in Section 2, to obtain new results concerning the divisors of \(\gcd (S_{2}(x),x^{q-1}+1)\). We first apply the evaluations of the pure Jacobi sums given in Corollary 2.1.

Lemma 4.1

Suppose that there exist positive integers x satisfying the congruence p x ≡ −1(mod k), and let t be the least such integer. Hence, by Theorem 2.9, m = 2ts for some positive integer s.

If p ≡ 1(mod 4), then I β (x)|S 2(x) ⇔ s ≡ 0(mod 2).

If p ≡ 3(mod 4), then I β (x)|S 2(x) ⇔ either s ≡ 0(mod 2) or ts is odd.

Proof

By Corollary 2.1, K(χ) is pure; in fact, \(K(\chi ) \in \mathbb {Z}\). We know that \(\mathcal {P}\cap \mathbb {Z} = 2\mathbb {Z}\) (see [23]). Hence,
$$I_{\beta}(x)|S_{2}(x) \iff \frac{1}{2}(K(\chi)+1) \equiv 0 (\text{mod}~2) \iff K(\chi) + 1 \equiv 0 (\text{mod}~4).$$
If p ≡ 1(mod 4), then by Corollary 2.1, we have
$$\begin{array}{@{}rcl@{}} I_{\beta}(x)|S_{2}(x)& \iff& (-1)^{1 + (p^{t} + 1)s/(2k)}p^{m/2} + 1 \equiv 0 (\text{mod}~4) \\ &\iff& (-1)^{1 + (p^{t}+1)s/(2k)} + 1 \equiv 0 (\text{mod}~4). \end{array} $$
Since k is odd, we have
$$I_{\beta}(x)|S_{2}(x) \iff (-1)^{1 + s} + 1 \equiv 0 (\text{mod}~4) \iff s \equiv 0 (\text{mod}~2).$$
If p ≡ 3(mod 4), then by Corollary 2.1, we have
$$I_{\beta}(x)|S_{2}(x) \iff (-1)^{1 + m/2 + (p^{t} + 1)s/(2k)}p^{m/2} + 1 \equiv 0 (\text{mod}~4).$$
We first assume that ts is even. Thus, p m/2 ≡ 1(mod 4). Hence,
$$I_{\beta}(x)|S_{2}(x) \iff (-1)^{1 + (p^{t} + 1)s/(2k)} + 1 \equiv 0 (\text{mod}~4).$$
If t is even and s is odd, then 1+(p t +1)s/(2k) ≡ 0(mod 2). On the other hand, if s is even, then 1+(p t +1)s/(2k) ≡ 1(mod 2). Hence, if ts is even, then
$$I_{\beta}(x)|S_{2}(x) \iff s \equiv 0 (\text{mod}~2).$$
We now assume that ts is odd. Then
$$I_{\beta}(x)|S_{2}(x) \iff (-1)^{ts + (p^{t}+1)s/(2k)} + 1 \equiv 0 (\text{mod}~4) \iff (-1) + 1 \equiv 0 (\text{mod}~4).$$

So, clearly I β (x)|S 2(x) when ts is odd. □

We use Lemma 4.1 to determine conditions under which 1 + x +⋅⋅⋅ + x k−1S 2(x).

Theorem 4.1

Suppose that there exist positive integers x satisfying the congruence p x ≡ −1(mod k), and let t be the least such integer. Hence, by Theorem 2.9, m = 2ts for some positive integer s.

If p ≡ 1(mod 4), then 1 + x + ⋯ + x k−1 |S 2(x) ⇔ s ≡ 0(mod 2).

If p ≡ 3(mod 4), then 1 + x + ⋯ + x k−1 |S 2(x) ⇔ either s ≡ 0(mod 2) or ts is odd.

Proof

Let \(\nu \in \mathbb {F}_{q}^{*}\) be an element of order n, where n|k. Since, p t ≡ −1(mod k), it follows that p t ≡ −1(mod n). Thus, the equation p x ≡ −1(mod n) has a positive integer solution x. Let \(t^{\prime }\) be the smallest such solution. There exists unique integers y, r ≥ 0 such that \(t = yt^{\prime } + r\), \(r<t^{\prime }\). Furthermore,
$$-1 \equiv p^{t} = p^{yt^{\prime} + r} \equiv (-1)^{y}p^{r} (\text{mod}~n). $$

Since \(r<t^{\prime }\), the above equation is only possible if r = 0. Hence, \(t^{\prime }|t\).

Now, by Theorem 2.9, there exists a positive integer \(s^{\prime }\) such that \(m = 2t^{\prime }s^{\prime },\) so that \(2t^{\prime }s^{\prime } = 2ts = 2yt^{\prime }s,\) and hence \(s^{\prime } = ys\). Consequently, we have
$$s \equiv 0 (\text{mod}~2) \implies s^{\prime} \equiv 0 (\text{mod}~2). $$
Further, since \(ts = t^{\prime }s^{\prime },\) we have
$$ts \equiv 1 (\text{mod}~2) \implies t^{\prime}s^{\prime} \equiv 1 (\text{mod}~2). $$

So, it follows from Lemma 4.1 that the conditions guaranteeing that I β (x)|S 2(x) are also sufficient to guarantee that I ν (x)|S 2(x), where ν is any element of order dividing k. Thus, these conditions are sufficient to guarantee that 1 + x + ⋯ + x k−1|S 2(x). And, of course, they are also necessary. The result follows. □

We now give some examples to illustrate Theorem 4.1.

Example 4.1

Let p = 19 and let s be the SLCE sequence of length 192 − 1 = 360 with corresponding polynomial S 2(x). Note that 5|20=19+1. Thus, we have p ≡ 3(mod 4) and s = t = 1. Hence, ts is odd. Thus, Theorem 4.1 guarantees that \(1+x+x^{2}+x^{3}+x^{4}|\gcd (S_{2}(x),x^{360}+1)\).

We use Theorem 4.1 to interpret some of the numerical results from [25].

Example 4.2

Let q = 52. The authors of [25] found (via computer computations) that \(\gcd (S_{2}(x),x^{q-1}+1) = (x+1)^{4}\). Hence, even though 3|5+1, \(1+x+x^{2} \nmid \gcd (S_{2}(x),x^{q-1}+1)\). Of course, this follows from Theorem 4.1 since p ≡ 1(mod 4), but s = 1 ≡ 1(mod 2).

Let q = 34. Note that 5|32+1 but \(5\nmid 3+1\). So, p ≡ 3(mod 4), t = 2 and s = 1. Hence, s ≡ 1(mod 2) and ts is even, so that \(1 + x + x^{2} + x^{3} + x^{4} \nmid \gcd (S_{2}(x),x^{q-1}+1)\). This agrees with the calculations in [25], where it was found that \(\gcd (S_{2}(x),x^{q-1}+1) = (x+1)^{10}\).

Let q = 54. Note that 13|52 + 1 but \(13\nmid 5+1\). So, t = 2, s = 1, and p ≡ 1(mod 4). Since s ≢ 0(mod 2), Theorem 4.1 guarantees that \(1 + x + \cdot \cdot \cdot + x^{13} \nmid S_{2}(x)\). This agrees with the calculations in [25], where it was shown that \(\gcd (S_{2}(x),x^{q-1}+1) = (x+1)^{12}(x^{2}+x+1)^{10}\).

Let q = 74. Note that 5|72+1. So, t = 2, s = 1, and p ≡ 3(mod 4). By Theorem 4.1, since s ≢ 0(mod 2) and ts is even, \(1 + x + x^{2} + x^{3} + x^{4} \nmid S_{2}(x)\). This agrees with the calculations in [25], where it was found that \(\gcd (S_{2}(x),x^{q-1}+1) = (x+1)^{22}(x^{2}+x+1)^{18}(x^{4} + x + 1)^{2}(x^{4} + x^{3} + 1)^{2}\).

Let q = 36. Note that 7|33+1. So, t = 3, s = 1, and p ≡ 3(mod 4). Thus, ts is odd, and so Theorem 4.1 guarantees that 1 + x + ⋯ + x 6S 2(x). This agrees with the calculations in [25], where it was shown that
$$\begin{array}{@{}rcl@{}} \gcd(S_{2}(x),x^{q-1}+1)&=& (x+1)^{2}(x^{3}+x+1)^{4}(x^{3}+x^{2}+1)^{4}(x^{12} + x^{11} + {\cdots} + x + 1)^{2} \\ &=& (x+1)^{2} (1 + x + {\cdots} + x^{6})^{4}(x^{12} + {\cdots} + x + 1)^{2}. \end{array} $$
Let q = 56. Now 3|5+1. In this case, t = 1, s = 3, and p ≡ 1(mod 4). So, by Theorem 4.1, \(1 + x + x^{2} \nmid S_{2}(x)\). Also, 32|53+1. Here, t = 3 and s = 1. So, by Theorem 4.1, \(1 + x + {\cdots } + x^{8} \nmid S_{2}(x)\). Finally, 7|53+1. Here, t = 3, and s = 1. So, by Theorem 4.1, \(1 + x + {\cdots } + x^{6} \nmid S_{2}(x)\). This agrees with the calculations in [25], where it was found that
$$\begin{array}{@{}rcl@{}} \gcd(S_{2}(x),x^{q-1}+1) &=& (x^{5} + x^{3} + x^{2} + x + 1)^{4}(x^{5} + x^{4} + x^{3} + x^{2} + 1)^{4}\\ &&\times (x^{5} + x^{4} + x^{3} + x + 1)^{4}(x^{5} + x^{4} + x^{3} + x^{2} + 1)^{4}. \end{array} $$
Let q = 38. Now, 5|32+1. Here, t = 2, s = 2, and p ≡ 3(mod 4). Hence, since s ≡ 0(mod 2), Theorem 4.1 guarantees that 1 + x + x 2 + x 3 + x 4|S 2(x). Also, 41|34 + 1. Here, t = 4, and s = 1. Hence, since s ≢ 0(mod 2) and since ts is even, Theorem 4.1 guarantees that \(1 + x + {\cdots } + x^{40} \nmid S_{2}(x)\). This agrees with the calculations in [25], where it was shown that
$$\gcd(S_{2}(x),x^{q-1}+1) = (x+1)^{26}(x^{4} + x^{3} + x^{2} + x + 1)^{18}. $$

We now apply the evaluations of the Jacobi sums of index 2 given in Corollary 2.2 to deduce new divisibility conditions.

Lemma 4.2

Let k = ℓ r , where ℓ is a prime congruent to 7(mod 8) and r is a positive integer. We suppose that \([(\mathbb {Z}/k\mathbb {Z})^{*}:\langle p \rangle ] = 2\) and m = ϕ(k)s/2, where s is a positive integer. Let e = ϕ(k)/2, so that m = es. Let a and b be determined as in Theorem 2.10 (Langevin’s result).

If p ≡ 1(mod 4), then
$$I_{\beta}(x)|S_{2}(x) \iff (-1)^{s-1-(p-1)s/4}\left( \frac{a+b}{2}\right)^{s} \equiv 3 (\text{mod}~4). $$
If p ≡ 3(mod 4), then
$$I_{\beta}(x)|S_{2}(x) \iff (-1)^{s-1-rs + es +(1-h)s/2}\left( \frac{a+b}{2}\right)^{s} \equiv 3 (\text{mod}~4). $$

Proof

Since ≡ 3(mod 4), Theorem 2.6 implies that \(K(\chi ) \in \mathbb {Q}(\sqrt {-\ell })\). Since \(\mathcal {P}\) is a prime ideal lying over 2, \(\mathcal {P}\cap \mathbb {Q}(\sqrt {-\ell })\) is a prime ideal of \(\mathbb {Q}(\sqrt {-\ell })\) lying over 2 (and conversely, for every prime ideal \(\mathcal {P}^{\prime }\) of \(\mathbb {Q}(\sqrt {-\ell })\) lying above 2, there is a prime ideal \(\mathcal {Q}\) of \(\mathbb {Q}(\zeta _{k})\) lying above 2 for which \(\mathcal {Q}\cap \mathbb {Q}(\sqrt {-\ell }) = \mathcal {P}^{\prime }\)). Also, note that the procedure we have outlined in this paper allows us free choice as to which prime ideal of \(\mathbb {Q}(\zeta _{k})\) lying above 2 we choose as \(\mathcal {P}\). Finally, recall that an explicit description of the prime ideals lying above 2 in \(\mathbb {Q}(\sqrt {-\ell })\) is given in Theorem 2.5. Without loss of generality, let us choose \(\mathcal {P}\) so that
$$\mathcal{P} \cap \mathbb{Q}(\sqrt{-\ell}) = \langle 2, \frac{-1 + \sqrt{-\ell}}{2}\rangle. $$
In what follows, we will use the fact, mentioned above under Theorem 2.10, that ab(mod 2) (where a and b are determined as in Theorem 2.10) as well as the simple facts that
$$\frac{1}{2}(K(\chi) + 1) \equiv 0 (\text{mod}~{\mathcal{P}}) \iff K(\chi) + 1 \equiv 0 (\text{mod}~{2\mathcal{P}}) $$
and that the squares mod 8 are congruent to either 0, 1, or 4.
Since p ≡ 1, 3(mod 4), it follows that p h ≡ 1,3(mod 4). Hence, 4p h ≡ 4(mod 8). If a and b are both odd, then a 2, b 2 ≡ 1(mod 8). So, if we assume that this is the case, then by Theorem 2.10,
$$4 \equiv 4p^{h} = a^{2} + \ell b^{2} \equiv 1 + 7 \cdot 1 \equiv 0 (\text{mod}~{8}), $$
which is clearly impossible. Consequently, a, b ≡ 0(mod 2).
  1. Case 1:
    p ≡ 1(mod 4). By Corollary 2.2, we have
    $$\begin{array}{@{}rcl@{}} &K(\chi) + 1 &= 1 + (-1)^{s-1-(p-1)s/4}p^{(e-h)s/2}\left( \frac{a + b\sqrt{-\ell}}{2}\right)^{s} \\ &&= 1 + (-1)^{s-1-(p-1)s/4}p^{(e-h)s/2}\left( \frac{a+b}{2} + b \left( \frac{-1 + \sqrt{-\ell}}{2}\right)\right)^{s}. \end{array} $$
    Now, since \(2\mathcal {P}|\langle 4 \rangle ,\) it follows that \(p^{(e-h)s/2} \equiv 1 (\text {mod}~{2\mathcal {P}})\). Further, since b ≡ 0(mod 2) and since, by Theorem 2.4, \(\frac {-1+\sqrt {-\ell }}{2} \in \mathbb {Z}[\sqrt {n}],\) we have that \(b\left (\frac {-1 + \sqrt {-\ell }}{2}\right ) \equiv 0 (\text {mod}~{2\mathcal {P}})\). Hence,
    $$K(\chi) + 1 \equiv 1 + (-1)^{s-1-(p-1)s/4}\left( \frac{a+b}{2}\right)^{s} (\text{mod}~{2\mathcal{P}}). $$
    But \(1 + (-1)^{s-1-(p-1)s/4}\left (\frac {a+b}{2}\right )^{s} \in \mathbb {Z},\) and \(2\mathcal {P} \cap \mathbb {Z} = \langle 4 \rangle \). Consequently,
    $$I_{\beta}(x)|S_{2}(x) \iff (-1)^{s-1-(p-1)s/4}\left( \frac{a+b}{2}\right)^{s} \equiv 3 (\text{mod}~4). $$
     
  2. Case 2:
    p ≡ 3(mod 4). By Corollary 2.2, we have
    $$\begin{array}{@{}rcl@{}} K(\chi) + 1 &=& 1 + (-1)^{s-1-rs + (e + 1)s/2}p^{(e-h)s/2}\left( \frac{a + b\sqrt{-\ell}}{2}\right)^{s} \\ &=& 1 + (-1)^{s-1-rs + (e + 1)s/2}p^{(e-h)s/2}\left( \frac{a+b}{2} + b \left( \frac{-1 + \sqrt{-\ell}}{2}\right)\right)^{s}. \end{array} $$
    Now, since \(2\mathcal {P}|\langle 4 \rangle ,\) it follows that \(p^{(e-h)s/2} \equiv (-1)^{(e-h)s/2} (\text {mod}~{2\mathcal {P}})\). Further, since b ≡ 0(mod 2) and since, by Theorem 2.4, \(\frac {-1+\sqrt {-\ell }}{2} \in \mathbb {Z}[\sqrt {n}],\) we have that \(b\left (\frac {-1 + \sqrt {-\ell }}{2}\right ) \equiv 0 (\text {mod}~{2\mathcal {P}})\). Hence,
    $$K(\chi) + 1 \equiv 1 + (-1)^{s-1-rs + es +(1-h)s/2}\left( \frac{a+b}{2}\right)^{s} (\text{mod}~{2\mathcal{P}}). $$
    But \(1 + (-1)^{s-1-rs + es +(1-h)s/2}\left (\frac {a+b}{2}\right )^{s} (\text {mod}~{2\mathcal {P}}) \in \mathbb {Z},\) and \(2\mathcal {P} \cap \mathbb {Z} = \langle 4 \rangle \). Consequently,
    $$I_{\beta}(x)|S_{2}(x) \iff (-1)^{s-1-rs + es +(1-h)s/2}\left( \frac{a+b}{2}\right)^{s} \equiv 3 (\text{mod}~4). $$
     

Let us now focus on the special case in which r = 1, so that k = .

Theorem 4.2

Let ℓ ≡ 7(mod 8) be a prime, and let k = l. We suppose that \([(\mathbb {Z}/k\mathbb {Z})^{*}:\langle p \rangle ] = 2\) and m = ϕ(k)s/2, where s is a positive integer. Let e = ϕ(k)/2, so that m = es. Let a and b be determined as in Theorem 2.10 (Langevin’s result).

If p ≡ 1(mod 4) and b ≡ 0(mod 4), then
$$1 + x + \cdot \cdot \cdot + x^{\ell-1}|S_{2}(x) \iff (-1)^{s-1-(p-1)s/4}\left( \frac{a+b}{2}\right)^{s} \equiv 3 (\text{mod}~4). $$
If p ≡ 3(mod 4) and b ≡ 0(mod 4), then
$$1 + x + \cdot \cdot \cdot + x^{\ell-1}|S_{2}(x) \iff (-1)^{s-1-rs + es +(1-h)s/2}\left( \frac{a+b}{2}\right)^{s} \equiv 3 (\text{mod}~4). $$

Proof

Note that 1 + x + ⋅⋅⋅ + x −1 is the product of the minimal polynomials of the elements of \(\mathbb {F}_{2^{f}}\) of order . So, if we can guarantee that the relevant condition from Lemma 4.2 is the same for each element β of order , then we can deduce conditions under which 1 + x + ⋅⋅⋅ + x −1|S 2(x).

The explicit conditions given in Theorem 2.10 are sufficient to determine a completely and to determine b up to sign. In order to determine the sign of b, one must use Stickleberger’s congruence [16, Lemma 3.5]. However, we cannot guarantee that the sign of b will be same for Gauss/Jacobi sums corresponding to different characters of order k [7, Section 11.2]. But, if we assume that b ≡ 0(mod 4), then the residue class mod 4 of \(\frac {a+b}{2}\) is unaffected by the sign of b. □

We now give an example to illustrate Theorem 4.2.

Example 4.3

Let = 23 ≡ 7(mod 8), let p = 13 ≡ 1(mod 4), and let s = 1. It is easy to check that \([(\mathbb {Z}/23\mathbb {Z})^{*}:\langle 13 \rangle ] = 2\). In this case, m = ϕ(23)/2 = 11, so that q = 1311. Referring to the class number table on [2, p. 325], we see that \(h = h(\mathbb {Q}(\sqrt {-23})) = 3\). Further, 4p h = 4 ⋅ 133 = (74)2+23⋅(12)2, so that a = ±74 and b = ±12, and since \(a \equiv -2p^{\frac {1}{2}(m+h)}(\text {mod}~{\ell }),\) we have that a = 74. By Theorem 4.2, we have
$$1 + x + \cdot \cdot \cdot + x^{22}|S_{2}(x) \iff (-1)^{1-1-(13-1)\cdot 1/4}\left( \frac{74 \pm 12}{2}\right) \equiv 3 (\text{mod}~4) $$
$$\iff -37 \equiv 3 (\text{mod}~4). $$

But −37 ≡ 3(mod 4), and so 1 + x + ⋅⋅⋅ + x 22|S 2(x).

We conclude with a few remarks regarding the applicability of Theorem 4.2. The fastest way to compute the class number of \(\mathbb {Q}(\sqrt {-\ell })\) is via an algorithm due to Shanks, which requires at most O( 1/4 + 𝜖 ) operations, where 𝜖 is any positive number; see [14, Section 5.4]. The class number of \(\mathbb {Q}(\sqrt {-\ell })\) can be used to obtain divisibility results whenever p satisfies \([(\mathbb {Z}/\ell \mathbb {Z})^{*}:\langle p \rangle ] = 2,\) and it follows by Dirichlet’s Theorem on primes in an arithmetic progression that there are infinitely many primes p for which this is true. When the class number h = 1, there exists a probabilistic polynomial time algorithm, known as the modified Cornacchia algorithm, that can be used to find the integers a and b satisfying 4p h = 4p = a 2 + b 2; see [14, Section 1.5.2]. In the general case, Hardy, Muskat, and Williams have given a deterministic algorithm that finds a and b (up to sign) in at most \(O((4p^{h})^{1/4}(\log 4p^{h})^{3}(\log \log 4p^{h})(\log \log \log (4p^{h})))\) operations [22].

Notes

Acknowledgments

The authors wish to thank the anonymous referees for their valuable comments. The research of Şaban Alaca is supported by a Discovery Grant from the Natural Sciences and Engineering Research Council of Canada (RGPIN-2015-05208). Goldwyn Millar’s studies are supported by an Ontario Graduate Scholarship.

References

  1. 1.
    Akiyama, S.: On the pure Jacobi sums. Acta Arith. 75(2), 97–104 (1996)MathSciNetzbMATHGoogle Scholar
  2. 2.
    Alaca, S., Williams, K.: Introductory Algebraic Number Theory. Cambridge (2004)Google Scholar
  3. 3.
    Aly, H., Meidl, W.: On the linear complexity and k-error linear complexity over 𝔽p of the d-ary Sidelnikov sequence. IEEE Trans. Inform. Theory 53(12), 4755–4761 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Aly, H.,Winterhof, A.: On the k-error linear complexity over 𝔽p of Legendre and Sidelnikov sequences. Des. Codes Crypt. 40(3), 369–374 (2006)Google Scholar
  5. 5.
    Arasu, K.T., Ding, C., Helleseth, T., Kumar, V., Martinsen, H.M.: Almost difference sets and their sequences with optimal autocorrelation. IEEE Trans. Inform. Theory 47(7), 2934–2943 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Berndt, B.C., Evans, R.J.: Sums of Gauss, Eisenstein, Jacobi, Jacobsthal, and Brewer. Ill. J. Math. 23(3), 374–437 (1979)MathSciNetzbMATHGoogle Scholar
  7. 7.
    Berndt, B.C., Evans, R.J., Williams, K.S.: Gauss and Jacobi Sums. A Wiley-Interscience Publication (1998)Google Scholar
  8. 8.
    Beth, T., Jungnickel, D., Lenz, H.: Design Theory, 2nd edn, vol. 1. Cambridge (1999)Google Scholar
  9. 9.
    Brandstätter, N., Meidl, W.: On the Linear Complexity of Sidelnikov Sequences over 𝔽d, Sequences and their Applications - SETA 2006, 47 - 60, Lecture Notes in Comput. Sci., vol. 4086. Springer, Berlin (2006)Google Scholar
  10. 10.
    Brandstätter, N., Meidl, W.: On the linear complexity of Sidelnikov sequences over nonprime fields. J. Complexity 24(5–6), 648–659 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Brandstätter, N., Meidl, W., Winterhof, A.: Addendum to Sidel’nikov sequences over nonprime fields. Inf. Process. Lett. 113, 332–336 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Brandstätter, N., Winterhof, A.: k-error linear complexity over 𝔽p of subsequences of Sidelnikov sequences of period (p r − 1)/3. J. Math. Cryptol. 3(3), 215–225 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Chung, J.H., Yang, K.: Bounds on the Linear Complexity and the 1-Error Linear Complexity over 𝔽p of M-ary Sidelnikov Sequences, Sequences and their Applications - SETA 2006, 74 - 87, Lecture Notes in Comput. Sci., vol. 4086. Springer, Berlin (2006)Google Scholar
  14. 14.
    Cohen, H.: A Course in Computational Algebraic Number Theory. Springer-Verlag, Berlin (1993)CrossRefzbMATHGoogle Scholar
  15. 15.
    Evans, R., Hollmann, H.D.L., Krattenthaler, C., Xiang, Q.: Gauss sums, Jacobi Sums, and p-ranks of cyclic difference sets. J. Comb. Theory Ser. A 87, 74–119 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  16. 16.
    Feng, T., Xiang, Q.: Cyclotomic constructions of skew Hadamard difference sets. J. Comb. Theory Ser. A 119, 245–256 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Garaev, M.Z., Luca, F., Shparlinski, I.E., Winterhof, A.: On the lower bound of the linear complexity over 𝔽p of Sidelnikov sequences. IEEE Trans. Inform. Theory 52(7), 3299–3304 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Golomb, S., Gong, G.: Signal Design for Good Correlation: For Wireless Communication, Cryptography, and Radar. Cambridge (2005)Google Scholar
  19. 19.
    Helleseth, T., Kim, S.H., No, J.S.: Linear complexity over 𝔽p and trace representation of Lempel-Cohn-Eastman sequences. IEEE Trans. Inform. Theory 49(6), 1548–1552 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Helleseth, T., Maas, M., Mathiassen, J.E., Segers, T.: Linear complexity over 𝔽p of Sidel’nikov sequences. IEEE Trans. Inform. Theory 50(10), 2468–2472 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Helleseth, T., Yang, K.: On binary sequences of period n = p m − 1 with optimal autocorrelation. In: Helleseth, T., Kumar, P., Yang, K. (eds.) Proceedings of SETA01, pp 209–217 (2002)Google Scholar
  22. 22.
    Hardy, K., Muskat, J.B., Williams, K.S.: A deterministic algorithm for solving n = f u 2 + g v 2 in coprime integers u and v. Math. Comp. 91(55), 327–343 (1990)MathSciNetzbMATHGoogle Scholar
  23. 23.
    Ireland, K., Rosen, M.: A Classical Introduction to Modern Number Theory, 2nd edn. Springer-Verlag (1990)Google Scholar
  24. 24.
    Kim, Y.S., Chung, J.S., No, J.S., Chung, H.: Linear complexity over 𝔽p of ternary Sidelnikov sequences. Sequences and their applications - SETA 2006, 61–73, Lecture Notes in Comput. Sci., vol. 4086. Springer, Berlin (2006)Google Scholar
  25. 25.
    Kyureghyan, G., Pott, A.: On the linear complexity of the Sidelnikov-Lempel-Cohn-Eastman sequences. Des. Codes Crypt. 29, 149–164 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  26. 26.
    Langevin, P.: Calculs de Certaines Sommes de Gauss. J. Number Theory 63, 59–64 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Lempel, A., Cohn, M., Eastman, W.L.: A class of binary sequences with optimal autocorrelation properties. IEEE Trans. Inform. Theory IT-23, 38–42 (1977)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Leung, K.H., Schmidt, B.: The field descent method. Des. Codes Crypt. 171–188 (2005)Google Scholar
  29. 29.
    Ma, S.L.: A survey of partial difference sets. Des. Codes Crypt. 221–261 (1994)Google Scholar
  30. 30.
    MacWilliams, J., Mann, H.B.: On the p-rank of the design matrix of a difference set. Inform. Control 12, 474–488 (1968)MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Mann, H.B.: Introduction to Algebraic Number Theory. Ohio State Press, Columbus (1955)zbMATHGoogle Scholar
  32. 32.
    Meidl, W., Winterhof, A.: Some notes on the linear complexity of Sidel’nikov-Lempel-Cohn-Eastman sequences. Des. Codes Crypt. 8, 159–178 (2006)CrossRefzbMATHGoogle Scholar
  33. 33.
    Shiratani, K., Yamada, M.: On Rationality of Jacobi Sums. Colloq. Math. 73 (2), 251–260 (1997)MathSciNetzbMATHGoogle Scholar
  34. 34.
    Sidelnikov, V.M.: Some k-valued pseudo-random sequences and nearly equidistant codes. Probl. Inform. Trans. 5(1), 12–16 (1969)MathSciNetGoogle Scholar
  35. 35.
    Xia, L., Yang, J.: Complete solving of explicit evaluation of Gauss sums in the index 2 case. Sci. China Math. 53(9), 2525–2542 (2010)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  1. 1.School of Mathematics and StatisticsCarleton UniversityOttawaCanada

Personalised recommendations