TRANSACTIONS OF THE AMERICAN MATHEMATICAL SOCIETY Volume 361, Number 8, August 2009, Pages 4169–4180 S 0002-9947(09)04578-4 Article electronically published on March 17, 2009 PERMUTATION BINOMIALS OVER FINITE FIELDS ARIANE M. MASUDA AND MICHAEL E. ZIEVE Abstract. m n F We prove that if x + ax permutes the√ prime field p,where ∈ F∗ − − − m>n>0anda p,thengcd(m n, p 1) > p 1. Conversely, we prove that if q ≥ 4andm>n>0 are fixed and satisfy gcd(m − n, q − 1) > 2q(log log q)/ log q, then there exist permutation binomials over Fq of the form xm + axn if and only if gcd(m, n, q − 1) = 1. 1. Introduction A polynomial over a finite field is called a permutation polynomial if it permutes the elements of the field. These polynomials first arose in work of Betti [1] and Hermite [10] as a way to represent permutations. A general theory was developed by Hermite [10] and Dickson [6], with many subsequent developments by Carlitz and others. The simplest class of nonconstant polynomials are the monomials m m x with m>0, and one easily checks that x permutes Fq if and only if m is coprime to q − 1. However, already for binomials the situation becomes much more mysterious. Some examples occurred in Hermite’s work [10], and Mathieu [17] pi i showed that x − ax permutes Fq whenever a is not a (p − 1)-th power in Fq;here p denotes the characteristic of Fq. A general nonexistence result was proved by Niederreiter and Robinson [20] and improved by Turnwald [28]: m n F ∈ F∗ Theorem 1.1. If f(x):=x + ax permutes q,wherem>n>0 and a q , then either q ≤ (m − 2)4 +4m − 4 or m = npi. 4 This result implies that, when q>m, the only permutation binomials over Fq are the compositions of Mathieu’s examples with permutation monomials. The key ingredient in the proof of Theorem 1.1 is Weil’s lower bound [33] for the number of Fq-rational points on the curve (f(x) − f(y))/(x − y). We do not know whether Theorem 1.1 can be improved in general. However, for prime fields it was improved by Wan [30] and Turnwald [28]; by using ingredients from both of their proofs, one can show the following result, which improves both of their results: m n Theorem 1.2. If f(x):=x + ax permutes the prime field Fp,wherem>n>0 ∈ F∗ − ≤ − · − − and a p,thenp 1 (m 1) max(n, gcd(m n, p 1)). Received by the editors February 2, 2007 and, in revised form, July 19, 2007. 2000 Mathematics Subject Classification. 11T06. Key words and phrases. Permutation polynomial, finite field, Weil bound. The authors thank Jeff VanderKam and Daqing Wan for valuable conversations, and Igor Shparlinski for suggesting the use of the Brun–Titchmarsh theorem in Section 4. c 2009 American Mathematical Society Reverts to public domain 28 years from publication 4169 License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use 4170 ARIANE M. MASUDA AND MICHAEL E. ZIEVE The proofs of Wan and Turnwald rely on a trick due to Hermite [10], which can be viewed as a character sum argument: they find an integer with 0 <<p− 1 such that f(x) mod (xp − x) has degree p − 1. This implies that f(α) =0, α∈Fp so f does not permute Fp. We will prove the following stronger result by exhibiting two integers , of which at least one must have the above property: m n F Theorem 1.3. If f(x):=x + ax permutes the prime field√ p,wherem>n>0 ∈ F∗ − − ≥ − − − and a p,thengcd(m n, p 1) p (3/4) (1/2) > p 1. Writing g := gcd(m − n, p − 1), the conclusion of this result can be restated as p − 1 ≤ (g +1)· g, whereas the conclusion of Theorem 1.2 says that p − 1 ≤ (m−1)·max(n, g). Thus, Theorem 1.3 implies Theorem 1.2 whenever g+1 ≤ m−1, which always holds except in the special case that n =1and(m − 1) | (p − 1). We emphasize that Theorem 1.3 is qualitatively different from all previous results, since it gives a bound on p which depends only on gcd(m − n, p − 1), and not on thedegreeoff. Both Theorem 1.2 and Theorem 1.3 yield improvements to Weil’s lower bound for the number of rational points on the curve (f(x)−f(y))/(x−y) appearing in the proof of Theorem 1.1. On a related note, for any polynomial f over Fp of degree in a certain range, Voloch [29] has improved Weil’s upper bound for this same F curve. In a different direction, for hyperelliptic curves over p one can improve√ both the upper and lower Weil bound when the genus is on the order of p,by using Stepanov’s method [12, 18, 24, 19, 26, 8, 34]. All of these improvements are specific to prime fields. It would be interesting to understand what are the types of curves for which one has such improvements to Weil’s bounds. Theorem 1.3 is not true for nonprime fields; one counterexample is x10 +3x over F343, and we have found several infinite families of counterexamples, which we will describe in a forthcoming paper. Returning to prime fields, we suspect that Theorem 1.3 can be improved. We checked via computer that, for p<105, the hypotheses of Theorem 1.3 imply that gcd(m − n, p − 1) >p/(2 log p). It seems likely that this improved result remains true for larger p, but we do not know a proof. The best we can do is give a heuristic to the effect that ‘at random’ there would not be any permutation m n binomials x + ax over Fq with gcd(m − n, q − 1) <q/(2 log q). Of course, our examples over nonprime fields show that this heuristic is not always correct, but those examples exhibit nonrandom features dependent on the subfield structure of Fq, which is in line with our ‘at random’ notion. Conversely, following earlier investigations of Hermite [10] and Brioschi [2, 3], Carlitz [4] studied permutation binomials of the form xn(x(q−1)/2 + a). He showed ∈ F∗ that there are permutation binomials of this shape (with n =1anda q ) whenever q ≥ 7. He proved a similar result for the form x(x(q−1)/3 + a), and more generally in a paper with Wells [5] he proved Theorem 1.4. If d>0 and q ≡ 1(modd),whereq is sufficiently large compared − ∈ F∗ to d, then for each n>0 with gcd(n, q 1) = 1 there exists a q such that n (q−1)/d x (x + a) permutes Fq. The proof of this result is quite remarkable, as it uses the Weil lower bound on an auxiliary curve to prove the existence of permutation binomials. This (and a generalization in [32]) is the only known instance of the Weil bound being used License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use PERMUTATION BINOMIALS OVER FINITE FIELDS 4171 to prove existence of permutation polynomials. We give a new proof of a refined version of Theorem 1.4, which allows us to estimate the number of such a’s: Theorem 1.5. Pick integers 0 <n<msuch that gcd(m, n, q−1) = 1, and suppose ≥ − − ∈ F∗ q 4.Ifgcd(m n, q 1) > 2q(log log q)/ log q, then there exists a q such that m n x + ax permutes Fq. Further, letting T denote the number of values a ∈ Fq for m n which x + ax permutes Fq, and putting r := (q − 1)/ gcd(m − n, q − 1), we have √ √ q − 2 q +1 √ T q +2 q +1 √ − (r − 3) q − 2 ≤ ≤ +(r − 3) q. rr−1 (r − 1)! rr−1 We note that the condition gcd(m, n, q − 1) = 1 is clearly necessary if xm + axn is to permute Fq. In some special cases, a weaker estimate for T was derived in a recent paper by Laigle-Chapuy [13], via methods quite different from ours. We checked that, for each q<106,andforeverym>n>0 satisfying − − − ∈ F∗ gcd(m, n, q 1) = 1 and gcd(m n, q 1) > 2q/ log q,thereexistsa q such that m n x + ax permutes Fq. Combined with our previously mentioned computer data, this paints a rather clear picture of permutation binomials over prime fields. As a final remark, we note that several papers prove results about the special binomials xm + ax. In general, if a binomial has a term of degree coprime to q − 1, then one can convert it to this special form by composing with suitable permutation monomials and reducing mod (xq − x). However, there are binomials for which this 26 3 is impossible. For instance, f(x):=x +17x permutes F139, but the degrees of both terms of f have a common factor with 138. Throughout this paper, Fq is the field of order q,andp is the characteristic of Fq. In particular, p is always prime. We prove Theorem 1.3 in the next section. Then in Section 3 we prove Theorem 1.5, and in the final section we give the heuristic argument mentioned above. In an appendix we include a proof of Theorem 1.2. 2. Nonexistence results In this section we prove Theorem 1.3 in the following form: Theorem 2.1.