#A3 INTEGERS 21 (2021) A METHOD FOR GENERATING MODULO $p^n$

Rajesh P. Singh Dept. of Mathematics, Central University of South Bihar, Gaya, Bihar, India [email protected]

Received: 6/10/20, Revised: 11/6/20, Accepted: 12/16/20, Published: 1/4/21

Abstract. Using $p$-adic representation of integers, we obtain sufficient conditions for a polynomial over the residue class $\mathbb{Z}_{p^n}$ to be a permutation of $\mathbb{Z}_{p^n}$, where $p$ is a prime number and $n$ a positive integer.

1. Introduction

Let $R$ be a finite commutative ring. A polynomial $f(x) \in R[x]$ is called a permutation polynomial of $R$ if the function $x \mapsto f(x)$ is a of $R$. A natural question is the following: given a polynomial $f(x) = a_0 + a_1 x + \cdots + a_d x^d \in R[x]$, what are necessary and sufficient conditions on the coefficients $a_0, a_1, \ldots, a_d$ for $f(x)$ to be a permutation of $R$? This problem has not yet been solved. Permutation polynomials have several applications in combinatorics, coding theory, and cryptography, mostly when $R$ is a finite field and the ring of residue classes of integers (see [1], [10], [11], [12], [13]). We denote by $\mathbb{Z}_m$ the ring of non-negative integers less than $m$, under addition and multiplication modulo $m$. It is known that for any $m = \prod_{i=1}^{m} p_i^{k_i}$, where the $p_i$ are distinct prime numbers, $f(x)$ is a permutation polynomial over $\mathbb{Z}_m$ if and only if $f(x)$ is also a permutation polynomial over $\mathbb{Z}_{p_i^{k_i}}$ for each $i$ (see [12]). In 2001, Rivest [8] considered the ring $\mathbb{Z}_m$, where $m = 2^n$, $n \ge 1$, and proved that the polynomial $f(x) = a_0 + a_1 x + \cdots + a_d x^d$ with integral coefficients is a permutation polynomial modulo $2^n$ if and only if $a_1$ is odd, and both $a_2 + a_4 + a_6 + \cdots$ and $a_3 + a_5 + a_7 + \cdots$ are even. This is a special case of a more general characterization given by Nöbauer (1953) [7]: the polynomial $f$ is a permutation polynomial of $\mathbb{Z}_{p^n}$ if and only if $f$ is a permutation polynomial of $\mathbb{Z}_p$ and $f'(x) \neq 0$ for all $x \in \mathbb{Z}_p$. Thereby Nöbauer's characterization reduced the problem to characterizing permutation polynomials over the finite field $\mathbb{Z}_p$. In 1983, Mullen and Stevens [6] used Nöbauer's characterization to count the number of permutation polynomial functions over the residue class ring $\mathbb{Z}_{p^n}$, where $p$ is a prime number and $n$ a positive integer. Recently Görcsös, Horváth and Mészáros [2] have generalized these results about permutation polynomials over the residue class ring $\mathbb{Z}_{p^n}$ to finite commutative unital local rings.
Permutation polynomials with some additional properties are useful to construct public-key cryptosystems. Suppose we have a permutation polynomial $p(x)$ for which computing the inverse is hard without some additional knowledge about $p(x)$, but some structural information about $p(x)$ paves the way to make it easy, also computationally. Such a polynomial can be effectively used for cryptosystems. In [11], the authors used two permutation polynomials $f$ and $g$ over finite fields $\mathbb{F}_{2^m}$ and imposed a relation $f(s(x)) = g(t(y))$ between plaintext variable $x$ and ciphertext variable $y$, where $s$ and $t$ are secret invertible linear maps of $\mathbb{F}_{2^m}$, to construct a multivariate public key cryptosystem. In [3], Khachatrian and Kyureghyan used linearized permutation polynomials over finite fields to propose a public-key cryptosystem. Permutation polynomials over the residue class ring $\mathbb{Z}_m$ are used in the design of the RC6 block cipher [9], and in coding theory to construct a class of deterministic interleavers for turbo codes [12], [13].

In this paper, we obtain certain sufficient conditions for a polynomial over the residue class ring $\mathbb{Z}_{p^n}$ to be a permutation polynomial. We show that every polynomial $f(x)$ over the ring $\mathbb{Z}_{p^n}$ can be expressed as an $n$-tuple of multivariate triangular polynomials over $\mathbb{Z}_p$, that is, $f(x)$ can be expressed as $(f_1, f_2, \ldots, f_n)$, where $f_i = f_i(x_1, x_2, \ldots, x_i)$. Using this representation, we obtain the desired sufficient conditions.

2. The Main Result

Let $p$ be a prime and $n > 1$. A mapping $F : \mathbb{Z}_p^n \to \mathbb{Z}_p^n$ is triangular if $F(x_1, \ldots, x_n) = (f_1(x_1), f_2(x_1, x_2), \ldots, f_i(x_1, \ldots, x_i), \ldots, f_n(x_1, \ldots, x_n))$, where $f_i : \mathbb{Z}_p^i \to \mathbb{Z}_p$ are arbitrary functions, mapping $(x_1, x_2, \ldots, x_i) \mapsto f_i(x_1, x_2, \ldots, x_i)$, for $i = 1, 2, \ldots, n$. In 2002 [4], Klimov et al. constructed some classes of invertible transformations over $n$-bit words which can mix arithmetic and boolean operations (not, xor, and or). Motivated by this work, we show that every polynomial over the finite ring $\mathbb{Z}_{p^n}$ can be expressed as an $n$-tuple of multivariate triangular polynomials over $\mathbb{Z}_p$. Note that by using $p$-adic representation of integers, any element $x \in \mathbb{Z}_{p^n}$ can be uniquely expressed as $x = \sum_{i=1}^{n} x_i p^{i-1}$, where $x_i \in \mathbb{Z}_p$. Let $\theta : \mathbb{Z}_{p^n} \to \mathbb{Z}_p^n$ be a map defined as $\theta(x) = (x_1, x_2, \ldots, x_n)$. It is easy to see that the map $\theta$ is a bijection. Since there is a one-one correspondence between $\mathbb{Z}_{p^n}$ and $\mathbb{Z}_p^n$, we can identify $x$ by the $n$-tuple $(x_1, x_2, \ldots, x_n)$ over $\mathbb{Z}_p^n$. Let $\mathbb{Z}_{p^n}[x]$ be the ring of polynomials over $\mathbb{Z}_{p^n}$; let $R = \mathbb{Z}_p[x_1, x_2, \ldots, x_n]$ be the ring of multivariate polynomials in the variables $x_1, x_2, \ldots, x_n$. Now using the expansion $f(x) = f\left(\sum_{i=1}^{n} x_i p^{i-1}\right) = \sum_{i=1}^{n} f_i p^{i-1}$, where $f(x) \in \mathbb{Z}_{p^n}[x]$ and $f_i \in R$, $1 \le i \le n$, we have an induced mapping $\mathbb{Z}_{p^n}[x] \to R^n$, which we also denote by $\theta$, given by $\theta(f(x)) = (f_1, f_2, \ldots, f_n)$; each $f_i$ is a multivariate polynomial over $\mathbb{Z}_p$ in variables $x_1, x_2, \ldots, x_n$. To present our results systematically we need some lemmas.

Lemma 1. Let $x, y \in \mathbb{Z}_{p^n}$ and let $x_i$, $y_i$, $(x + y)_i$ and $(xy)_i$ respectively denote the $i$-th coordinates in the $n$-tuple representation of $x$, $y$, $x + y$ and $xy$ over $\mathbb{Z}_p^n$. Then

(i) $(x + y)_1 = (x_1 + y_1) \bmod p$.

(ii) for $i \ge 2$, $(x + y)_i = (x_i + y_i + \alpha_i) \bmod p$, where $\alpha_i$ is a function of the coordinates $x_1, x_2, \ldots, x_{i-1}, y_1, y_2, \ldots, y_{i-1}$.

(iii) for $i \ge 2$, $(xy)_i = (x_i y_1 + x_1 y_i + \beta_i) \bmod p$, where $\beta_i$ is a function of the coordinates $x_1, x_2, \ldots, x_{i-1}, y_1, y_2, \ldots, y_{i-1}$.

(iv) for any integer $m \ge 2$, $(x^m)_1 = (x_1)^m \bmod p$ and $(x^m)_i = (m x_i (x_1)^{m-1} + \gamma_i) \bmod p$ if $i \ge 2$, where $\gamma_i$ is a function of the coordinates $x_1, x_2, \ldots, x_{i-1}$.

Proof. We have $x = \sum_{i=1}^{n} x_i p^{i-1}$ and $y = (y_1, y_2, \ldots, y_n) = \sum_{i=1}^{n} y_i p^{i-1}$. The first assertion is trivial. In (ii), $\alpha_i$ is the carry over from the previous coordinates in the sum, so it depends only on the coordinates $x_1, x_2, \ldots, x_{i-1}, y_1, y_2, \ldots, y_{i-1}$. For (iii) we note that

$$xy = x_1 y_1 + (x_1 y_2 + y_1 x_2)p + \cdots + (x_i y_1 + y_i x_1 + x_{i-1} y_2 + \cdots + x_2 y_{i-1})p^{i-1} + \cdots + (x_n y_1 + x_{n-1} y_2 + \cdots + x_1 y_n)p^{n-1},$$

from which it follows that $(xy)_i$ is the sum modulo $p$ of the coefficient of $p^{i-1}$ and the carry over from the previous coordinates. Finally, the second part of (iv) follows easily from (iii) by induction on $m$.

Lemma 2. Let $x = \sum_{i=1}^{n} x_i p^{i-1}$, $k \ge 1$, $1 \le r \le p - 1$. Then for $i \ge 2$

(i) $(x^{pk})_i = \alpha_i \bmod p$,

(ii) $(x^{pk+r})_i = r x_i (x_1)^{pk+r-1} + \beta_i \bmod p$,

where $\alpha_i$, $\beta_i$ are functions of $x_1, x_2, \ldots, x_{i-1}$.

Proof. The result follows from (iv) of Lemma 1.

Next we give some examples.

Example 1. Consider the monomials $x$, $x^2$, $x^3$ over $\mathbb{Z}_{2^3}$. For $x = x_1 + x_2 \cdot 2 + x_3 \cdot 2^2$, we have

$$\theta(x) = (x_1, x_2, x_3), \quad \theta(x^2) = (x_1, 0, x_2 + x_1 x_2), \quad \text{and} \quad \theta(x^3) = (x_1, x_1 x_2, x_1 x_3).$$

Example 2. Consider the monomials $x$, $x^2$, $x^3$ over $\mathbb{Z}_{3^3}$. For $x = x_1 + x_2 \cdot 3 + x_3 \cdot 3^2$, we have

$$\theta(x) = (x_1, x_2, x_3), \quad \theta(x^2) = (x_1^2, 2 x_1 x_2, x_2^2 + 2 x_1 x_3), \quad \text{and} \quad \theta(x^3) = (x_1^3, 0, x_1^2 x_2).$$

It is clear from part (iv) of Lemma 1 that $\theta(x^m)$, for a positive integer $m$, is a triangular map from $\mathbb{Z}_p^n$ to $\mathbb{Z}_p^n$. In the next proposition, we prove that $\theta(f(x))$, for any polynomial $f(x) \in \mathbb{Z}_{p^n}[x]$, is a triangular map from $\mathbb{Z}_p^n$ to $\mathbb{Z}_p^n$.

Proposition 1. Let $f(x) = \sum_{i=0}^{d} a_i x^i$ be any polynomial of degree $d$ over $\mathbb{Z}_{p^n}$. Suppose $\theta(f(x)) = (f_1, f_2, \ldots, f_n)$. Then $\theta(f(x))$ is a triangular mapping from $\mathbb{Z}_p^n$ to $\mathbb{Z}_p^n$.

Proof. By part (i) of Lemma 1, we have $f_1 = (f(x))_1 = \sum_{i=0}^{d} (a_i)_1 (x_1)^i \bmod p$. Similarly, using Lemmas 1 and 2, it is easy to see that for $i \ge 1$, $(f(x))_i = f_i(x_1, x_2, \ldots, x_i)$, that is, the $i$-th coordinate of $f(x)$ is a function of the first $i$ coordinates of $x$.

Proposition 1 tells us that non-triangular mappings from $\mathbb{Z}_p^n$ to $\mathbb{Z}_p^n$ cannot be represented by a polynomial over $\mathbb{Z}_{p^n}$. In view of Proposition 1, we have the following lemma.

Lemma 3. Let $f(x) = \sum_{i=0}^{d} a_i x^i$ be a polynomial over $\mathbb{Z}_{p^n}$. Then $f(x)$ is a permutation polynomial of $\mathbb{Z}_{p^n}$ if and only if the corresponding triangular mapping $\theta(f(x))$ is a permutation of $\mathbb{Z}_p^n$.

Example 3. Suppose $f(x) = x + 2x^2 + x^3 + 4x^4 + x^5$ is a polynomial over $\mathbb{Z}_{2^3}$; then $\theta(f(x)) = (x_1, x_2, x_3 + x_1 x_2)$. Since the mapping from $\mathbb{Z}_2^3$ to $\mathbb{Z}_2^3$ given by $\theta(f(x))$ is a surjection, it is a permutation of $\mathbb{Z}_2^3$. Hence $f(x) = x + 2x^2 + x^3 + 4x^4 + x^5$ is a permutation polynomial of $\mathbb{Z}_{2^3}$.

The following is a well known result which is used in the sequel.

Proposition 2. ([5]) If $d > 1$ is a divisor of $p - 1$, then there exists no permutation polynomial of $\mathbb{Z}_p$ of degree $d$.
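Proposition 1, Lemma 3 and Example 3 can be checked by exhaustion. The following Python sketch is an added example, not code from the paper; the function names are chosen here. It computes the $p$-adic coordinates $\theta(x)$, confirms that coordinate $i$ of $f(x)$ depends only on the first $i$ coordinates of $x$, and compares $\theta(f(x))$ for Example 3 with the stated $(x_1, x_2, x_3 + x_1 x_2)$.

```python
from itertools import product

def theta(x, p, n):
    """p-adic coordinates (x_1, ..., x_n) of x in Z_{p^n}, lowest digit first."""
    return tuple((x // p**i) % p for i in range(n))

def poly_eval(coeffs, x, m):
    """Evaluate a_0 + a_1 x + ... + a_d x^d modulo m (Horner's rule)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % m
    return acc

def is_triangular(coeffs, p, n):
    """Proposition 1: coordinate i of f(x) is fixed by coordinates 1..i of x."""
    m = p**n
    for i in range(1, n + 1):
        seen = {}
        for x in range(m):
            key = theta(x, p, n)[:i]
            val = theta(poly_eval(coeffs, x, m), p, n)[i - 1]
            if seen.setdefault(key, val) != val:
                return False
    return True

def is_permutation(coeffs, p, n):
    """Brute-force test that x -> f(x) is a bijection of Z_{p^n}."""
    m = p**n
    return len({poly_eval(coeffs, x, m) for x in range(m)}) == m

# Example 3: f(x) = x + 2x^2 + x^3 + 4x^4 + x^5 over Z_{2^3}
EX3 = [0, 1, 2, 1, 4, 1]

def example3_matches_paper():
    """theta(f(x)) == (x1, x2, x3 + x1*x2) for every point of Z_2^3."""
    for x1, x2, x3 in product(range(2), repeat=3):
        x = x1 + 2 * x2 + 4 * x3
        if theta(poly_eval(EX3, x, 8), 2, 3) != (x1, x2, (x3 + x1 * x2) % 2):
            return False
    return True

if __name__ == "__main__":
    print(example3_matches_paper(), is_triangular(EX3, 2, 3), is_permutation(EX3, 2, 3))
```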

Now, using the triangular representation of polynomials, we give some sufficient conditions for a polynomial over $\mathbb{Z}_{p^n}$ to be a permutation polynomial.

Theorem 1. Let $p$ be a prime and $f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_d x^d$ be a polynomial with integral coefficients. Let $t_r$ ($0 \le r \le p - 2$) be the largest integers such that $t_r(p - 1) + r \le d$, that is, $t_r = \left\lfloor \frac{d-r}{p-1} \right\rfloor$, where $\lfloor \cdot \rfloor$ denotes the greatest integer function. Then $f(x)$ is a permutation polynomial over $\mathbb{Z}_{p^n}$, $n \ge 1$, if

$$\sum_{k=1}^{t_1} a_{k(p-1)+1} \neq 0 \bmod p, \tag{1}$$

$$\sum_{k=1}^{t_r} a_{k(p-1)+r} = 0 \bmod p, \quad \text{for } r = 0, 2, 3, \ldots, p - 2, \text{ and} \tag{2}$$

$$\sum_{r=1}^{p-1} \sum_{k=0}^{\lfloor \frac{d-r}{p} \rfloor} r\, a_{pk+r}\, \ell^{pk+r-1} \neq 0 \bmod p \quad \text{for } \ell = 0, 1, 2, \ldots, p - 1. \tag{3}$$

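Proof. We show that the mapping from $\mathbb{Z}_p^n$ to $\mathbb{Z}_p^n$ given by $\theta(f(x))$ is a surjection if the conditions (1), (2) and (3) are satisfied. We show that for $1 \le i \le n$, $(f(x))_i$, as a function of $x_i$ and for fixed $x_j$, $j < i$, is invertible. For $i = 1$ we note that $(x^k)_1 = (x_1)^k \bmod p$, and $(x_1)^{k(p-1)+r} = (x_1)^r \bmod p$ for $1 \le r \le p - 2$. Therefore, we get

$$\begin{aligned}
(f(x))_1 &= \left(a_0 + a_1 x + a_2 x^2 + \cdots + a_d x^d\right)_1 \\
&= (a_0)_1 + (a_1)_1 x_1 + (a_2)_1 (x_1)^2 + (a_3)_1 (x_1)^3 + \cdots + (a_d)_1 (x_1)^d \bmod p \\
&= (a_0)_1 + \sum_{k=1}^{t_0} \left(a_{k(p-1)}\right)_1 (x_1)^{k(p-1)} + \sum_{k=1}^{t_1} \left(a_{k(p-1)+1}\right)_1 (x_1)^{k(p-1)+1} + \cdots \\
&\qquad + \sum_{k=1}^{t_{p-2}} \left(a_{k(p-1)+p-2}\right)_1 (x_1)^{k(p-1)+p-2} \bmod p \\
&= (a_0)_1 + \left(\sum_{k=1}^{t_0} \left(a_{k(p-1)}\right)_1\right) (x_1)^{k(p-1)} + \left(\sum_{k=1}^{t_1} \left(a_{k(p-1)+1}\right)_1\right) x_1 + \cdots \\
&\qquad + \left(\sum_{k=1}^{t_{p-2}} \left(a_{k(p-1)+p-2}\right)_1\right) (x_1)^{p-2} \bmod p.
\end{aligned} \tag{4}$$

If $\sum_{k=1}^{t_1} \left(a_{k(p-1)+1}\right)_1 \neq 0 \bmod p$, and $\sum_{k=1}^{t_r} \left(a_{k(p-1)+r}\right)_1 = 0 \bmod p$ for $r = 0, 2, 3, \ldots, p - 2$, then the mapping in Equation (4) is invertible.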

Next, for i > 1, using the part (ii) of Lemma 1 recursively, we get

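$$\begin{aligned}
(f(x))_i &= \left(a_0 + a_1 x + a_2 x^2 + \cdots + a_d x^d\right)_i \\
&= \left(a_0 + \sum_{k=1}^{\lfloor \frac{d}{p} \rfloor} a_{pk} x^{pk} + \sum_{r=1}^{p-1} \sum_{k=0}^{\lfloor \frac{d-r}{p} \rfloor} a_{pk+r} x^{pk+r}\right)_i \\
&= \sum_{k=1}^{\lfloor \frac{d}{p} \rfloor} \left(a_{pk} x^{pk}\right)_i + \sum_{r=1}^{p-1} \sum_{k=0}^{\lfloor \frac{d-r}{p} \rfloor} \left(a_{pk+r} x^{pk+r}\right)_i + \beta_1 \bmod p,
\end{aligned}$$

where $\beta_1$ is a function of the first $i - 1$ coordinates of $x$. Using Lemmas 1 and 2 we get

$$\left(a_{pk} x^{pk}\right)_i = (a_{pk})_i \left(x^{pk}\right)_1 + (a_{pk})_1 \left(x^{pk}\right)_i + \beta_2 \bmod p = \beta_0,$$

where $\beta_0$ is a function of the first $i - 1$ coordinates of $x$. Again

$$\begin{aligned}
\left(a_{pk+r} x^{pk+r}\right)_i &= (a_{pk+r})_i \left(x^{pk+r}\right)_1 + (a_{pk+r})_1 \left(x^{pk+r}\right)_i + \beta_3 \bmod p \\
&= (a_{pk+r})_i \left(x^{pk+r}\right)_1 + (a_{pk+r})_1 \left(r (x_1)^{pk+r-1} x_i + \beta_4\right) + \beta_3 \bmod p \\
&= r (a_{pk+r})_1 (x_1)^{pk+r-1} x_i + \gamma' \bmod p,
\end{aligned}$$

where $\beta_3$, $\beta_4$ and $\gamma'$ are functions of the first $i - 1$ coordinates of $x$. Note that $\gamma' = (a_{pk+r})_i \left(x^{pk+r}\right)_1 + (a_{pk+r})_1 \beta_4 + \beta_3$. Bringing them all together, we have

$$\begin{aligned}
(f(x))_i &= \sum_{r=1}^{p-1} \sum_{k=0}^{\lfloor \frac{d-r}{p} \rfloor} r (a_{pk+r})_1 (x_1)^{pk+r-1} x_i + \beta^{\star} \bmod p \\
&= x_i \sum_{r=1}^{p-1} \sum_{k=0}^{\lfloor \frac{d-r}{p} \rfloor} r (a_{pk+r})_1 (x_1)^{pk+r-1} + \beta^{\star} \bmod p,
\end{aligned}$$

where $\beta^{\star}$ is a function of the first $i - 1$ coordinates of $x$. For $f(x)$ to be a permutation polynomial this mapping should be invertible for all values of $x_1$. Thus we get the conditions

$$\sum_{r=1}^{p-1} \sum_{k=0}^{\lfloor \frac{d-r}{p} \rfloor} r (a_{pk+r})_1 (x_1)^{pk+r-1} \neq 0 \bmod p.$$

Suppose $\ell = x_1$. Then we can rewrite it in the form

$$\sum_{r=1}^{p-1} \sum_{k=0}^{\lfloor \frac{d-r}{p} \rfloor} r\, a_{pk+r}\, \ell^{pk+r-1} \neq 0 \bmod p$$

for $\ell = 0, 1, \ldots, p - 1$.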

Example 4. We give an example of a permutation polynomial satisfying the conditions given in Theorem 1. Consider the polynomial $f(x) = x + 11x^2 + 7x^3 + 11x^{10} + 2x^{11} + 4x^{13} + 6x^{21}$. It can be seen easily that the coefficients of $f(x)$ satisfy (1) and (2). Moreover, the condition (3) amounts to

$$1 + 2 \cdot 11\, l + 3 \cdot 7\, l^2 + 10 \cdot 11\, l^9 + 2 \cdot 4\, l^{13} + 10 \cdot 6\, l^{20} \not\equiv 0 \bmod 11, \quad \text{for } l = 0, 1, \ldots, 10.$$

This can be easily verified to be true, noting that $l^{10} \equiv 1 \bmod 11$ for $1 \le l \le 10$. Hence, $f(x)$ is a permutation polynomial of $\mathbb{Z}_{11^n}$ for all $n \ge 1$.
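Example 4 checked by machine, as an added example that is not part of the paper (function names are chosen here): it evaluates the left side of condition (3) of Theorem 1 for every $\ell$, applies Nöbauer's criterion quoted in the Introduction, and compares both with an exhaustive test over $\mathbb{Z}_{11^n}$ for small $n$. The monomial $x^{11}$ is a constructed contrast case that permutes $\mathbb{Z}_{11}$ but fails the derivative condition.

```python
def ev(coeffs, x, m):
    """Evaluate sum_j a_j x^j modulo m."""
    return sum(a * pow(x, j, m) for j, a in enumerate(coeffs)) % m

def condition3_values(coeffs, p):
    """Left side of (3) at l = 0..p-1: sum over j = pk+r, r != 0, of r*a_j*l^(j-1)."""
    out = []
    for l in range(p):
        s = sum((j % p) * a * pow(l, j - 1, p)
                for j, a in enumerate(coeffs) if j % p)
        out.append(s % p)
    return out

def noebauer_criterion(coeffs, p):
    """f permutes Z_p and f'(x) != 0 mod p for every x in Z_p."""
    deriv = [j * a for j, a in enumerate(coeffs)][1:]
    permutes_zp = len({ev(coeffs, x, p) for x in range(p)}) == p
    return permutes_zp and all(ev(deriv, x, p) for x in range(p))

def permutes(coeffs, p, n):
    """Exhaustive bijection test on Z_{p^n}."""
    m = p ** n
    return len({ev(coeffs, x, m) for x in range(m)}) == m

def from_terms(terms):
    """Build a dense coefficient list from {degree: coefficient}."""
    c = [0] * (max(terms) + 1)
    for deg, a in terms.items():
        c[deg] = a
    return c

# Example 4: x + 11x^2 + 7x^3 + 11x^10 + 2x^11 + 4x^13 + 6x^21, p = 11
EX4 = from_terms({1: 1, 2: 11, 3: 7, 10: 11, 11: 2, 13: 4, 21: 6})
# Constructed contrast case: x^11 agrees with x on Z_11, derivative 11x^10 = 0 mod 11
X11 = from_terms({11: 1})

if __name__ == "__main__":
    print("condition (3) values:", condition3_values(EX4, 11))
    print("criterion:", noebauer_criterion(EX4, 11))
    print("brute force n=1..3:", [permutes(EX4, 11, n) for n in (1, 2, 3)])
    print("x^11:", noebauer_criterion(X11, 11), permutes(X11, 11, 1), permutes(X11, 11, 2))
```

Condition (3) coincides with $f'(\ell) \not\equiv 0 \bmod p$, since $r \equiv pk + r \pmod p$ and the terms with exponent divisible by $p$ vanish in the derivative modulo $p$.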

3. Conclusion

In this paper, we have obtained sufficient conditions in terms of coefficients of a polynomial to be a permutation polynomial of $\mathbb{Z}_{p^n}$. Information about such type of sufficient conditions over arbitrary finite commutative rings seems elusive at the moment and needs further intensive investigations. It can be interesting to generalize our result to Galois rings.

Acknowledgements. I am grateful to the anonymous referees and Prof. B. K. Sarma (Department of Mathematics, IIT Guwahati) for their constructive suggestions that helped to improve the content of the paper.

References

[1] C. Ding, J. Yuan, A family of skew Hadamard difference sets, J. Combin. Theory Ser. A 113 (2006), 345–352.

[2] D. Görcsös, G. Horváth, A. Mészáros, Permutation polynomials over finite rings, Finite Fields Appl. 49 (2018), 198–211.

[3] G. Khachatrian, M. Kyureghyan, Permutation polynomials and a new public-key encryption, Discrete Appl. Math. 216 (3) (2017), 622–626.

[4] A. Klimov, A. Shamir, A new class of invertible mappings, CHES-2002, LNCS, Vol 2523 (2003), 470–483.

[5] R. A. Mollin and C. Small, On permutation polynomials over finite fields, Internat. J. Math. & Math. Sci. 10 (3) (1987), 535–544.

[6] G. Mullen, H. Stevens, Polynomial functions (mod (m)), Acta Math. Hungar. 44 (1984), 237–241.

[7] W. Nöbauer, Über Gruppen von Restklassen nach Restpolynomidealen, Österreich. Akad. Wiss. Math.-Nat. Kl. S.-B. IIa 162 (1953), 207–233.

[8] R. L. Rivest, Permutation polynomials modulo $2^w$, Finite Fields Appl. 7 (2001), 287–292.

[9] R. L. Rivest, M. J. B. Robshaw, R. Sidney, and Y. L. Y. Yin, The RC6 Block Cipher, M.I.T. Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139, version 1.1, August 20, 1998. Available on the site: http://people.csail.mit.edu/rivest/RC6.pdf.

[10] Rajesh P. Singh, M. K. Singh, Two congruence identities on ordered partitions, Integers 18, #A73.

[11] Rajesh P. Singh, Anupam Saikia and B. K. Sarma, Poly-Dragon: An efficient multivariate cryptosystem, J. Math. Cryptol. 4 (4) (2011), 349–364.

[12] J. Sun, O. Y. Takeshita, Interleavers for turbo codes using permutation polynomials over integer rings, IEEE Trans. Inform. Theory 51 (1) (2005), 101–119.

[13] O. Y. Takeshita, On maximum contention free interleavers and permutation polynomials over integer rings, IEEE Trans. Inform. Theory 52 (3) (2006), 1249–1253.