THE COMPOSITIONAL INVERSE OF A CLASS OF PERMUTATION POLYNOMIALS OVER A FINITE FIELD∗ ROBERT S. COULTER AND MARIE HENDERSON Abstract. A new class of bilinear permutation polynomials was recently identified. In this note we determine the class of permu- tation polynomials which represents the functional inverse of the bilinear class. 1. Introduction and Main Result e Throughout Fq denotes the finite field of q = p elements for some prime p and positive integer e with Fq [X] representing the ring of poly- nomials in the indeterminate X over Fq . For polynomials f; g 2 Fq [X], we write f ◦ g = f(g(X)) for the functional composition of f with g. A permutation polynomial over Fq is a polynomial which, under eval- uation, induces a permutation of the elements of Fq . Clearly, permu- tation polynomials are the only polynomials which have a (functional) inverse with respect to composition, id est for a permutation polyno- −1 mial f 2 Fq [X] there exists (a unique) f 2 Fq [X] of degree less than q such that f(f −1(X)) ≡ f −1(f(X)) ≡ X mod (Xq − X). We call f −1 the compositional inverse of f (or vice versa). The problem of discovering new classes of permutation polynomials is non-trivial and has generated much interest, see the surveys and open problems given in [3, 4, 6]. Discovering classes where the inverse polynomials can also be described seems to be even more difficult: there are very few known classes of permutation polynomials for which their compositional inverses are also known. To the authors knowledge, the classes with explicit formulae for inverses are: (1) The linear polynomials: X + a where a 2 Fq is trivially a permutation polynomial of Fq with the inverse polynomial being X − a. 1991 Mathematics Subject Classification. 11T06. ∗THIS RESEARCH WAS PARTIALLY SUPPORTED BY THE AUS- TRALIAN RESEARCH COUNCIL 1 2 R. COULTER AND M. HENDERSON n (2) The monomials: X is a permutation polynomial over Fq if and only if (n; q−1) = 1. In such cases, the compositional inverse of Xn is obviously the monomial X m where nm ≡ 1 mod (q − 1). (3) The Dickson polynomials of the 1st kind: Dn(X; a) is a permu- 2 tation polynomial over Fq if and only if (n; q − 1) = 1, see [5, Chapter 3]. In such cases, for a 2 f0; 1g, the compositional 2 inverse of Dn(X; a) is Dm(X; a) where nm ≡ 1 mod (q − 1), see [5, Chapter 3]. We note that there are classes for which inverses can be determined (for example linearised and sub-linearised polynomials) but that no explicit formulas for the inverses are known. Recently, a new class of permutation polynomials was introduced in [1]. Here we give a description for the compositional inverse of this class of permutation polynomials. Theorem 1. Let q = 2k for some integer k. Let n be an odd positive n integer and set Q = q . Denote the trace mapping from FQ to Fq by n−1 Tr(X) = X + Xq + : : : + Xq : For any α 2 Fq n f0; 1g, the polynomial 2 fα(X) = XTr(X) + (α + 1)X is a permutation polynomial over FQ. For α as above and for any integer i satisfying 1 ≤ i ≤ k − 1, define − − − α2k 1+2k 1 i−1 + 1 C = : i α + 1 Set 2nk−1 2k−1−1 2k−1 Aα(X) = Ck−1(X + α Tr(X) ) and k−1 (n−1)=2 k−1 k−1−i 2jk−2−i B (X) = C Tr(X)2 −2 0 (XTr(X) + X2)2 1 : α X i X i=1 @ j=1 A The polynomial gα = Aα + Bα is the compositional inverse of fα over FQ. The polynomials fα were shown to be permutation polynomials in [1]. From Theorem 1 we have the following obvious corollary. Bull. Austral. Math. Soc. 65 (2002), 521-526 Corollary 2. For α 2 Fq n f0; 1g, the polynomials gα, as defined in Theorem 1, are permutation polynomials over FQ. THE INVERSE OF A CLASS OF PERMUTATION POLYNOMIALS 3 2. The Proof of Theorem 1 Our attention from this point is directed to establishing the remain- ing statements of Theorem 1, which is to show that gα is the composi- tional inverse of fα. Our proof involves establishing a set of sequential propositions, basically involving closer examination of fα ◦ gα, primar- ily in terms of the two polynomials Aα and Bα. For n odd, we have Tr(Tr(x)) = Tr(x). This identity is used many times in the following propositions. We begin by collecting some useful identities. Proposition 3. For Aα; Bα 2 FQ[X] and Ci as defined in Theorem 1 we have 2 (2k−i−1) 2 (i) Ci = (α + 1)=(α + 1), 2 2 −1 Q (ii) Aα(X) ≡ Ck−1(X + α Tr(X)) mod (X + X), 2k−1−1 2k−1 Q (iii) Tr(Aα) ≡ α Tr(X) mod (X + X), and Q (iv) Tr(Bα) ≡ 0 mod (X + X). Proof. (i) Squaring Ci we obtain the identity: k k−i k−i α2 +2 −2 + 1 α2 −1 + 1 C2 = = : i α2 + 1 α2 + 1 2 2nk 2k−2 2k (ii) Squaring Aα(X) gives Ck−1(X + α Tr (X)) which reduced Q 2 −1 modulo (X + X) is Ck−1(X + α ) (iv) Using the definition of Aα(X) given in Theorem 1, 2nk−1 (2k−1−1) 2k−1 Tr(Aα(X)) = Ck−1(Tr(X) + α Tr(X) ) 2k−1 (2k−1−1) Q ≡ Tr(X) Ck−1(1 + α ) mod (X + X) k−1 k−1 ≡ α(2 −1)Tr(X)2 mod (XQ + X): (v) This is immediate as Tr(XTr(X) + X 2) = 0. The proof of the following result is tedious but seemingly necessary. Proposition 4. Using the same notation as above then Q fα(gα(X)) mod (X + X) k nk−1 k−1 k k−i = X + c X2 Tr(X)2 + Tr(X) + Tr(X)2 −2 S (X) α X i i=1 (2k−1−1) where cα = (α + 1)=(α + 1) and Bull. Austral. Math. Soc. 65 (2002), 521-526 (n−1)=2 2jk−i−1 (1) S (X) = (XTr(X) + X2)2 i X j=1 4 R. COULTER AND M. HENDERSON Proof. By expanding fα(X) ◦ gα(X) (with gα(X) = Aα(X) + Bα(X)) and using Proposition 3 (iv), Q fα(gα(X)) mod (X + X) 2 2 = (Aα(X) + Bα(X))Tr(Aα(X)) + (α + 1)(Aα(X) + Bα(X)): We split the terms of this sum so that fα(X)◦gα(X) = a(X)+b(X) mod Q 2 (X +X) where a(X) = Aα(X)Tr(Aα(X))+(α+1)Aα(X) and b(X) = 2 Bα(X)Tr(Aα(X)) + (α + 1)Bα(X). Using Proposition 3 (ii) and (iii), 2 (2k−1−1) 2nk−1 2k−1 (2k−1−1) a(X) =Ck−1(α + 1)(X Tr(X) + α Tr(X)) 2 −1 Q + Ck−1(α + 1)(X + α Tr(X)) mod (X + X): 2 −1 (2k−1−1) −1 From Proposition 3 (i), Ck−1 = (α + 1) and as cα = cαα + α then 2nk−1 2k−1 Q a(X) = X + cα(X Tr(X) + Tr(X)) mod (X + X): Next put b1(X) = Tr(Aα(X))Bα(X). Identically k−1 k−1 k−1 k k−1−i b (X) = α(2 −1)Tr(X)2 C Tr(X)(2 −2 )S (X): 1 X i i+1 i=1 (2k−1−1) (2k−1−1) (2k−i−1) Using α Ci = (α + α )=(α + 1) and re-writing the sum in b1(X) then we arrive at k (2k−1−1) (2k−i−1) α + α k k−i (2) b (X) = Tr(X)(2 −2 )S (X): 1 X α + 1 i i=2 2 Finally, put b2(X) = (α + 1)Bα(X). Then k−1 k k−1−i b (X) = (α + 1) C2Tr(X)(2 −2 )S2 (X): 2 X i i+1 i=1 2 As Si+1(X) = Si(X), from Proposition 3 (i) we have Bull. Austral. Math. Soc. 65 (2002), 521-526 − − k 1 (2k i−1) α + 1 k− k−i (3) b (X) = Tr(X)(2 2 )S (X): 2 X α + 1 i i=1 THE INVERSE OF A CLASS OF PERMUTATION POLYNOMIALS 5 So from Equations 2 and 3 we have b(X) = b1(X) + b2(X) k−1 k k−i k k−1 = c Tr(X)(2 −2 )S (X) + c Tr(X)(2 −2 )S (X) + c S (X) X α i α 1 α k i=2 k k− k−i = c Tr(X)(2 2 )S (X): α X i i=1 The result now follows from calculating the sum a(X) + b(X). Proposition 5. For β 2 Fq then fα(gα(βX)) = βfα(gα(X)). Proof. As Tr(βX) = βTr(X), it is simple to see nk−1 k−1 nk−1 k−1 (βX)2 + Tr(βX)2 + Tr(βX) = β(X2 + Tr(X)2 ): For β 2 Fq , from Equation 1 (n−1)=2 2jk−i 2jk−i−1 k−i S (βX) = β2 (XTr(X) + X2)2 = β2 S (X): i X i j=1 and it follows k k k k−i k−i k k k−i Tr(βX)(2 −2 )β2 S (X) = β2 Tr(X)(2 −2 )S (X) X i X i i=1 i=1 k k k−i = β Tr(X)(2 −2 )S (X): X i i=1 We then have, using Proposition 4 and these identities, that for β 2 Fq , fα(gα(βX)) = βfα(gα(X)) as required.