An Improvement on the Hasse-Weil Bound and applications to Character Sums, Cryptography and Coding
Ronald Cramer (CWI, Amsterdam & Mathematical Institute, Leiden University, The Netherlands)
Chaoping Xing (Division of Mathematical Sciences, School of Physical & Mathematical Sciences, Nanyang Technological University, Singapore)

Abstract

The Hasse-Weil bound is a deep result in mathematics and has found wide applications in mathematics, theoretical computer science, information theory, etc. In general, the bound is tight and cannot be improved. However, for some special families of curves the bound can be improved substantially. In this paper, we focus on the Hasse-Weil bound for the curve defined by $y^p - y = f(x)$ over the finite field $\mathbb{F}_q$, where $p$ is the characteristic of $\mathbb{F}_q$. Recently, Kaufman and Lovett [5, FOCS 2011] showed that the Hasse-Weil bound can be improved for this family of curves with $f(x) = g(x) + h(x)$, where $g(x)$ is a polynomial of degree $\ll \sqrt{q}$ and $h(x)$ is a sparse polynomial of arbitrary degree but bounded weight degree. The other recent improvement, by Rojas-Leon and Wan [8, Math. Ann. 2011], shows that an extra $\sqrt{p}$ can be removed for this family of curves if $p$ is very large compared with the degree of $f(x)$ and $\log_p q$.

In this paper, we show that the Hasse-Weil bound for this special family of curves can be improved if $q = p^n$ with $n$ odd, which is the same case in which Serre [10] improved the Hasse-Weil bound. However, our improvement is greater than Serre's for this special family of curves. Furthermore, our improvement works for small $p$ as well, whereas Rojas-Leon and Wan require $p$ to be large. In addition, our improvement finds interesting applications to character sums, cryptography and coding theory. The key idea is that this curve has Hasse-Witt invariant 0, and we show that the Hasse-Weil bound can be improved for any curve with Hasse-Witt invariant 0. The main tools used in our proof are the Newton polygon and some results in algebraic geometry.
1 Introduction
Let $\chi$ be a nontrivial additive character from $\mathbb{F}_q$ to the nonzero complex numbers $\mathbb{C}^*$. The Weil bound for character sums states that, when the degree $m$ of a polynomial $f(x)$ is coprime to $q$, then $|E(\chi(f(x)))| \le (m-1)/\sqrt{q}$. The Weil bound for character sums can be derived from the Hasse-Weil bound of a special family of algebraic curves, namely $y^p - y = f(x)$, where $p$ is the characteristic of $\mathbb{F}_q$. Therefore, any improvement on the Hasse-Weil bound for this family could lead to an improvement on the Weil bound for character sums. The Hasse-Weil bound is a deep result in mathematics and has found wide applications in mathematics, theoretical computer science, information theory, etc. In general, the bound is tight and cannot be improved. However, in some special cases the bound can be improved substantially. For instance, when the ground field size $q$ is small, the bound can be improved by up to a half. There have been various improvements on the Hasse-Weil bound; one of the most famous is the Weil-Serre bound [10]. Recently, Kaufman and Lovett [5, FOCS 2011] showed that the Weil bound for character sums can be improved for $f(x) = g(x) + h(x)$, where $g(x)$ is a polynomial of degree $\ll \sqrt{q}$ and $h(x)$ is a sparse polynomial of arbitrary degree but bounded weight degree. The other recent improvement, by Rojas-Leon and Wan [8, Math. Ann. 2011], shows that an extra $\sqrt{p}$ can be removed if $p$ is very large compared with the degree $m$ of $f(x)$ and $\log_p q$.

From now on in this paper, we assume that $q = p^n$ for a prime $p$ and an odd integer $n \ge 3$. Consider the trace map $\mathrm{Tr}$ from $\mathbb{F}_q$ to $\mathbb{F}_p$ defined by $\alpha \mapsto \sum_{i=0}^{n-1} \alpha^{p^i}$. It is easy to see that $\mathrm{Tr}(\alpha^{pt}) = \mathrm{Tr}(\alpha^t)$. This implies that, for a polynomial $f(x) \in \mathbb{F}_q[x]$, one can find a polynomial $g(x) = \sum_{i=0}^{m} g_i x^i \in \mathbb{F}_q[x]$ such that $g_i = 0$ whenever $i \equiv 0 \pmod p$ and $\mathrm{Tr}(f(\alpha)) = \mathrm{Tr}(g(\alpha))$ for all $\alpha \in \mathbb{F}_q$. Thus, we only consider polynomials whose nonzero terms $x^i$ satisfy $\gcd(i, p) = 1$.

Now let $f(x)$ be a polynomial of degree $m$ over $\mathbb{F}_q$. Without loss of generality, we may assume that $\gcd(m, p) = 1$. We consider the cardinality of the set
$$Z_f := \{\alpha \in \mathbb{F}_q : \mathrm{Tr}(f(\alpha)) = 0\}. \tag{1}$$
Then the Weil bound shows that
$$\Bigl| |Z_f| - \frac{q}{p} \Bigr| \le \frac{(p-1)(m-1)\sqrt{q}}{p}. \tag{2}$$
The main result of this paper is given below.

1.1 Main result

Theorem 1.1 (MAIN RESULT). Let $g = (m-1)(p-1)/2$. Then one has
$$\Bigl| |Z_f| - \frac{q}{p} \Bigr| \le \begin{cases} p^{\lceil n/g \rceil - 1} \Bigl\lfloor \dfrac{g \lfloor 2\sqrt{q} \rfloor}{p^{\lceil n/g \rceil}} \Bigr\rfloor & \text{if } g > 1, \\[2ex] p^{(n-1)/2} \Bigl\lfloor \dfrac{\lfloor 2\sqrt{q} \rfloor}{p^{(n+1)/2}} \Bigr\rfloor & \text{if } g = 1. \end{cases} \tag{3}$$

From the formula (3) alone one cannot see how much the bound (2) is improved. In fact, the improvement can be substantial; we refer to Example 2.2 and Sections 2.3 and 2.4 for numerical illustration.

1.2 Our technique

Our improvement is obtained through an improvement of the Hasse-Weil bound for the algebraic curve. More precisely, we proceed in three steps: (i) show that the Weil bound for character sums is derived from the Hasse-Weil bound of an algebraic curve; (ii) prove that the Hasse-Weil bound for an algebraic curve with Hasse-Witt invariant 0 can be improved; (iii) show by the Deuring-Shafarevich Theorem that the curve $y^p - y = f(x)$ has Hasse-Witt invariant 0. Consequently, we obtain an improvement on the Weil bound for character sums.

Among the above three steps, the critical one is to show an improvement on the Hasse-Weil bound for an algebraic curve with Hasse-Witt invariant 0.
In order to achieve this, we analyze the Newton polygon of the characteristic polynomial of an abelian variety with Hasse-Witt invariant 0. Then we employ some fundamental results on the factorization of the characteristic polynomial to obtain the desired result.

We mainly compare our improvement with those by Serre [10], Kaufman-Lovett [5, FOCS 2011] and Rojas-Leon-Wan [8, Math. Ann. 2011]. The improvement by Serre applies to an arbitrary algebraic curve over $\mathbb{F}_{p^n}$ with $n$ odd, while our improvement only applies to the curve $y^p - y = f(x)$ over $\mathbb{F}_{p^n}$ with $n$ odd. On the other hand, our improvement is even greater than Serre's for this special family of curves. The method of Serre mainly employs some properties of algebraic numbers. The improvement by Kaufman and Lovett works for polynomials of degree bigger than $\sqrt{q}$, so the scenario is different; the main idea of Kaufman-Lovett uses Deligne's theorem on multivariate polynomials. The improvement by Rojas-Leon and Wan shows that an extra $\sqrt{p}$ can be removed if $p$ is very large compared with the degree $m$ of $f(x)$ and $\log_p q$. However, our improvement works for any characteristic $p$, including $p = 2$ (see the numerical examples of Section 2). The idea of Rojas-Leon and Wan involves moment $L$-functions and Katz's work on $\ell$-adic monodromy calculations.

Section 2 presents the main result and some applications to character sums, cryptography and coding theory. We also show in Section 2 that the Weil bound for character sums can be derived from the Hasse-Weil bound of $y^p - y = f(x)$. We outline the proof of the main result in Section 3 without requiring knowledge of algebraic geometry. In the Appendix, we give the detailed proof of the main result, which does require knowledge of algebraic geometry.

2 Main result and applications
2.1 Main result

The Hasse-Weil bound [14] provides an upper bound on the number of points of an algebraic curve over a finite field $\mathbb{F}_q$ in terms of its genus and the ground field size $q$. The bound was improved by Serre [10] when $q$ is not a square; the refined bound is now called the Weil-Serre bound. In this section, we show that the Weil-Serre bound can be further improved for a class of curves arising from the trace when $q$ is not a square. Furthermore, several applications of this improvement are provided.

It is a well-known fact that the cardinality of $Z_f$ in (1) is equal to $(N_f - 1)/p$, where $N_f$ stands for the number of $\mathbb{F}_q$-rational points on the Artin-Schreier type curve defined by
$$X_f : \; y^p - y = f(x). \tag{4}$$
Note that the set of $\mathbb{F}_q$-rational points on $X_f$ is $\{P_\infty\} \cup \{(\alpha, \beta) \in \mathbb{F}_q^2 : \beta^p - \beta = f(\alpha)\}$, where $P_\infty$ stands for the point at infinity. To see the claim, note that $P_\infty$ can be discarded when counting the cardinality of $Z_f$; furthermore, an element $\alpha$ belongs to $Z_f$ if and only if there are exactly $p$ elements $\beta \in \mathbb{F}_q$ such that $(\alpha, \beta)$ is a solution of equation (4).

When applying the Weil bound [14] to the curve $X_f$, we have
$$|N_f - q - 1| \le 2g\sqrt{q}, \tag{5}$$
where $g = (m-1)(p-1)/2$ is the genus of $X_f$. Serre [10] improved the above bound to the following Weil-Serre bound:
$$|N_f - q - 1| \le g \lfloor 2\sqrt{q} \rfloor. \tag{6}$$
It seems that the bound (6) is just a small improvement on the Weil bound. However, the improvement can be substantial if $m$ is big: for instance, for $q = 32$ and $m = 2001$, the Weil-Serre bound (6) on $|N_f - q - 1|$ is noticeably smaller than the Weil bound (5). In terms of $|Z_f|$, the Weil-Serre bound reads
$$\Bigl| |Z_f| - \frac{q}{p} \Bigr| \le \Bigl\lfloor \frac{g \lfloor 2\sqrt{q} \rfloor}{p} \Bigr\rfloor. \tag{7}$$
In this paper, we show that the bound (7) can be further improved. We repeat the main result of this paper, which improves the bound (7) as follows.

Theorem 2.1 (MAIN RESULT). Let $g = (m-1)(p-1)/2$. Then one has
$$\Bigl| |Z_f| - \frac{q}{p} \Bigr| \le \begin{cases} p^{\lceil n/g \rceil - 1} \Bigl\lfloor \dfrac{g \lfloor 2\sqrt{q} \rfloor}{p^{\lceil n/g \rceil}} \Bigr\rfloor & \text{if } g > 1, \\[2ex] p^{(n-1)/2} \Bigl\lfloor \dfrac{\lfloor 2\sqrt{q} \rfloor}{p^{(n+1)/2}} \Bigr\rfloor & \text{if } g = 1. \end{cases} \tag{8}$$

The proof of Theorem 2.1 involves algebraic geometry and algebraic number theory. We outline the proof in the next section in a more elementary way and provide details in the Appendix. From the formula (8), one cannot see the big difference between the Weil-Serre bound (7) and our bound (8). Let us use some examples to illustrate the improvement.

Example 2.2. (i) Let $q = 2^7 = 128$ and $m = \deg(f) = 5$. Then the Weil-Serre bound (7) gives $\bigl||Z_f| - 64\bigr| \le 22$, while the bound (8) gives $\bigl||Z_f| - 64\bigr| \le 16$. (ii) Let $q = 3^5 = 243$ and $m = \deg(f) = 5$; the bound (8) on $\bigl||Z_f| - 81\bigr|$ is again smaller than the Weil-Serre bound (7). (iii) A similar comparison holds for larger $q = 2^n$ with $m = \deg(f) = 5$.

2.2 Character sums

It is well known that every nontrivial additive character from $\mathbb{F}_q$ to $\mathbb{C}^*$ can be represented by $\chi_\beta(x) := \exp(2\pi i\, \mathrm{Tr}(\beta x)/p)$ for some $\beta \in \mathbb{F}_q^*$ (see [4]). Let $f(x)$ be a polynomial of degree $m$ over $\mathbb{F}_q$ with $\gcd(m, p) = 1$ and put $g = (m-1)(p-1)/2$. Then $\chi_\beta(f(x))$ is uniformly distributed when $\sqrt{q} \gg m$. More precisely, the Weil bound gives
$$|E(\chi(f(x)))| \le \frac{m-1}{\sqrt{q}}. \tag{9}$$
Furthermore, applying the Weil-Serre bound (7) gives
$$|E_{x \in \mathbb{F}_q}(\chi_\beta(f(x)))| \le \frac{p}{q} \Bigl\lfloor \frac{g \lfloor 2\sqrt{q} \rfloor}{p} \Bigr\rfloor, \tag{10}$$
where $E_{x \in \mathbb{F}_q}(\chi_\beta(f(x)))$ is the expectation of $\chi_\beta(f(x))$, defined by
$$E_{x \in \mathbb{F}_q}(\chi_\beta(f(x))) = \frac{1}{q} \sum_{\alpha \in \mathbb{F}_q} \chi_\beta(f(\alpha)) = \sum_{a \in \mathbb{F}_p} \frac{M_{\beta f}(a)}{q} \exp(2\pi a i/p), \tag{11}$$
with $M_{\beta f}(a)$ the cardinality of the set $\{\alpha \in \mathbb{F}_q : \mathrm{Tr}(\beta f(\alpha)) = a\}$. Note that $M_{\beta f}(0) = |Z_{\beta f}|$. Now we apply the bound (8) to improve the bound (10).

Theorem 2.3. Let $g = (m-1)(p-1)/2$. Then one has
$$|E_{\alpha \in \mathbb{F}_q}(\chi_\beta(f(\alpha)))| \le \begin{cases} p^{\lceil n/g \rceil - n} \Bigl\lfloor \dfrac{g \lfloor 2\sqrt{q} \rfloor}{p^{\lceil n/g \rceil}} \Bigr\rfloor & \text{if } g > 1, \\[2ex] p^{(n+1)/2 - n} \Bigl\lfloor \dfrac{\lfloor 2\sqrt{q} \rfloor}{p^{(n+1)/2}} \Bigr\rfloor & \text{if } g = 1 \end{cases} \tag{12}$$
for any nonzero element $\beta \in \mathbb{F}_q$.

Proof. For each $a \in \mathbb{F}_p$, choose $\gamma_a \in \mathbb{F}_q$ such that $\mathrm{Tr}(\gamma_a) = a$. Then $\mathrm{Tr}(\beta f(\alpha)) = a$ if and only if $\mathrm{Tr}(\beta f(\alpha) - \gamma_a) = 0$. This implies that $M_{\beta f}(a) = M_{\beta f - \gamma_a}(0) = |Z_{\beta f - \gamma_a}|$. Thus, $M_{\beta f}(a)$ also satisfies the bound (8). Hence, using $\sum_{a \in \mathbb{F}_p} \exp(2\pi a i/p) = 0$,
$$|E_{\alpha \in \mathbb{F}_q}(\chi_\beta(f(\alpha)))| = \Bigl| \sum_{a \in \mathbb{F}_p} \frac{M_{\beta f}(a)}{q} \exp(2\pi a i/p) \Bigr| = \frac{1}{q} \Bigl| \sum_{a \in \mathbb{F}_p} \Bigl( M_{\beta f}(a) - \frac{q}{p} \Bigr) \exp(2\pi a i/p) \Bigr| \le \frac{1}{q} \sum_{a \in \mathbb{F}_p} \Bigl| M_{\beta f}(a) - \frac{q}{p} \Bigr| = \frac{1}{q} \sum_{a \in \mathbb{F}_p} \Bigl| |Z_{\beta f - \gamma_a}| - \frac{q}{p} \Bigr|.$$
The desired result follows from Theorem 2.1. $\square$

We illustrate our improvement by considering some small examples.
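As an added worked instance, not part of the paper, of the mechanism behind (8), take the data of Example 2.2(i): $p = 2$, $n = 7$, $q = 128$, $m = 5$, so $g = (m-1)(p-1)/2 = 2$ and $\lceil n/g \rceil = 4$. Write $a_1 = N_f - q - 1$ for the coefficient that Theorem 3.9 (Section 3) controls. Then
$$\nu_2(a_1) \ge \lceil 7/2 \rceil = 4 \;\Longrightarrow\; 16 \mid a_1, \qquad |a_1| \le g\lfloor 2\sqrt{q}\rfloor = 2 \cdot 22 = 44 \;\Longrightarrow\; |a_1| \le 16 \Bigl\lfloor \frac{44}{16} \Bigr\rfloor = 32,$$
and since $|Z_f| - q/p = a_1/p$,
$$\Bigl| |Z_f| - 64 \Bigr| \le \frac{32}{2} = 16,$$
whereas the Weil-Serre bound (7) alone gives $\lfloor 44/2 \rfloor = 22$. The whole gain comes from the divisibility of $a_1$ by $p^{\lceil n/g \rceil}$, which the Weil-Serre bound does not use.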
Example 2.4. Let us consider character sums for polynomials of degree 3 and 5, respectively.

(i) Let $q = 2^n$ with $n$ odd and let $f(x)$ be a polynomial of degree 3. By Theorem 2.3, for any nontrivial additive character $\chi$ from $\mathbb{F}_{2^n}$ to $\mathbb{C}^*$, one has $\bigl| \sum_{\alpha \in \mathbb{F}_q} \chi(f(\alpha)) \bigr| \le 2^{(n+1)/2}$. The Weil bound (9) gives an upper bound $2^{(n+2)/2}$, while the Weil-Serre bound (10) gives an upper bound between $2^{(n+1)/2}$ and $2^{(n+2)/2}$.

(ii) Let $q = 2^n$ with $n$ odd and let $f(x)$ be a polynomial of degree 5. By Theorem 2.3, for any nontrivial additive character $\chi$ from $\mathbb{F}_{2^n}$ to $\mathbb{C}^*$, one has $\bigl| \sum_{\alpha \in \mathbb{F}_q} \chi(f(\alpha)) \bigr| \le 2^{(n+3)/2}$. The Weil bound (9) gives an upper bound $2^{(n+4)/2}$, while the Weil-Serre bound (10) gives an upper bound between $2^{(n+3)/2}$ and $2^{(n+4)/2}$.

2.3 Cryptography

In stream ciphers, the nonlinearity of a function $f(x)$ from $\mathbb{F}_{2^n}$ to $\mathbb{F}_{2^n}$ is an important measure [1]. It is defined as follows. The Walsh transform $W_f$ of $f(x)$ is defined by
$$W_f : \mathbb{F}_{2^n} \times \mathbb{F}_{2^n} \to \mathbb{C}; \quad (a, b) \mapsto \sum_{x \in \mathbb{F}_{2^n}} (-1)^{\mathrm{Tr}(a f(x) + b x)}. \tag{13}$$
Then the Walsh spectrum of $f$ is the image set $\{W_f(a, b) : a \in \mathbb{F}_{2^n}^*, b \in \mathbb{F}_{2^n}\}$. The nonlinearity of $f(x)$, denoted by $\mathrm{NL}(f)$, is defined by
$$\mathrm{NL}(f) := 2^{n-1} - \frac{1}{2} \max_{(a,b) \in \mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n}} |W_f(a, b)|. \tag{14}$$
In fact, the Walsh transform $W_f(a, b)$ is nothing but $2^n$ times the expectation of $\chi(a f(x) + b x)$, i.e., $W_f(a, b) = 2^n E_{x \in \mathbb{F}_{2^n}}(\chi(a f(x) + b x))$. Thus, the nonlinearity $\mathrm{NL}(f)$ of $f(x)$ can be expressed in terms of the expectation of $\chi(a f(x) + b x)$, i.e.,
$$\mathrm{NL}(f) = 2^{n-1} - 2^{n-1} \max_{(a,b) \in \mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n}} |E_{x \in \mathbb{F}_{2^n}}(\chi(a f(x) + b x))|. \tag{15}$$
For odd $n$, it can be proved that $\mathrm{NL}(f)$ is upper-bounded by $2^{n-1} - 2^{(n-1)/2}$ [1]. Thus, if $\deg(f) = 3$, i.e., the curve defined in (4) is an elliptic curve, then by Theorem 2.1 one has
$$\mathrm{NL}(f) = 2^{n-1} - 2^{n-1} \max_{(a,b) \in \mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n}} |E_{x \in \mathbb{F}_{2^n}}(\chi(a f(x) + b x))| \ge 2^{n-1} - 2^{(n-1)/2} \Bigl\lfloor \frac{\lfloor 2^{(n+2)/2} \rfloor}{2^{(n+1)/2}} \Bigr\rfloor = 2^{n-1} - 2^{(n-1)/2}.$$
Hence, by the upper bound, we have $\mathrm{NL}(f) = 2^{n-1} - 2^{(n-1)/2}$ for polynomials $f$ of degree 3, i.e., polynomials of degree 3 produce the highest nonlinearity. Previously, polynomials of degree 3 were the usual candidates for functions with the highest nonlinearity. Now let us look at a polynomial $f$ of degree 5; by the bound (12),
$$\mathrm{NL}(f) = 2^{n-1} - 2^{n-1} \max_{(a,b) \in \mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n}} |E_{x \in \mathbb{F}_{2^n}}(\chi(a f(x) + b x))| \ge 2^{n-1} - 2^{(n-1)/2} \Bigl\lfloor \frac{\lfloor 2^{(n+2)/2} \rfloor}{2^{(n+1)/2}} \Bigr\rfloor = 2^{n-1} - 2^{(n-1)/2}.$$
Thus, polynomials of degree 5 also produce functions with the highest nonlinearity. This enlarges the pool of functions with the highest nonlinearity when one searches for functions with the highest nonlinearity together with other cryptographic properties such as algebraic degree, algebraic immunity, etc. [1].
2.4 Coding theory

Many codes such as BCH codes, classical Goppa codes and Reed-Muller codes can be realized as trace codes. In fact, every cyclic code can be represented as a trace code in a natural way [16]. Let $P := \{\alpha_1, \alpha_2, \ldots, \alpha_N\}$ be a subset of $\mathbb{F}_q$ of cardinality $N$. For a polynomial $f(x) \in \mathbb{F}_q[x]$, we denote by $\mathrm{Tr}_P(f)$ the vector $(\mathrm{Tr}(f(\alpha_1)), \mathrm{Tr}(f(\alpha_2)), \ldots, \mathrm{Tr}(f(\alpha_N)))$. For an $\mathbb{F}_p$-subspace $V$ of $\mathbb{F}_q[x]$, we denote by $\mathrm{Tr}_P(V)$ the trace code $\{\mathrm{Tr}_P(f) : f \in V\}$. Let us warm up by looking at a small example first.

Example 2.5. Consider the binary code $\mathrm{Tr}_P(V)$, where $P$ consists of all elements of $\mathbb{F}_{128}$ and $V = \{f(x) \in \mathbb{F}_{128}[x] : \deg(f) \le 5\}$. Note that $\mathrm{Tr}_P(x) = \mathrm{Tr}_P(x^2) = \mathrm{Tr}_P(x^4)$. Then it is easy to see that $\mathrm{Tr}_P(V)$ has a basis $\{(1, 1, \ldots, 1)\} \cup \{\mathrm{Tr}_P(\alpha_i x^j)\}_{1 \le i \le 7,\; j = 1, 3, 5}$, where $\{\alpha_1, \alpha_2, \ldots, \alpha_7\}$ is an $\mathbb{F}_2$-basis of $\mathbb{F}_{128}$. Thus, $\mathrm{Tr}_P(V)$ is a binary code of length 128 and dimension 22. Let $f$ be a nonzero polynomial of degree $m$ with $m \le 5$ and $\gcd(m, 2) = 1$. By the Weil-Serre bound (7), we know that the number of zeros of $\mathrm{Tr}_P(f)$ can be at most $64 + 22 = 86$, thus we get a lower bound on the minimum distance, i.e., $d \ge 128 - 86 = 42$. However, by our bound in Theorem 2.1, we get a lower bound $d \ge 128 - (64 + 16) = 48$. This achieves the best-known bound [2]. In fact, the software Magma verifies that this code indeed has minimum distance 48. In other words, our bound (8) is tight in this case.

Next we study dual codes of primitive BCH codes.
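The objects of Sections 2.2, 2.3 and 2.4 can be checked numerically for the smallest interesting odd $n$. The following Python script is an added example, not code from the paper; it assumes $p = 2$, $n = 5$ and the representation $\mathbb{F}_{32} = \mathbb{F}_2[x]/(x^5 + x^2 + 1)$ (the modulus is a choice made here, not the paper's). It computes the Walsh spectrum and nonlinearity of (13)-(14) by brute force, evaluates the character-sum bound of Theorem 2.3 in the form used in Example 2.4 (for $p = 2$, $\sum_x \chi(f(x)) = W_f(1, 0) = 2|Z_f| - q$, so this is also the bound (8) on $|Z_f|$), and builds the trace code $C_2(4,5)$ of Example 2.6 below (the all-one vector plus $\mathrm{Tr}_P(V)$ with $P = \mathbb{F}_{32}^*$ and $V = \{\deg f \le 4\}$) to compare its actual minimum distance with the bound (16).

```python
# Added example (not the paper's code). Assumptions: p = 2, n = 5, q = 32 and
# F_32 = F_2[x]/(x^5 + x^2 + 1); elements are 5-bit integers, the i-th bit being
# the coefficient of x^i.
import math
from itertools import product

N = 5                    # odd extension degree, as the paper requires
Q = 1 << N               # q = 2^5 = 32
MODULUS = 0b100101       # x^5 + x^2 + 1, irreducible over F_2 (chosen here)


def gf_mul(a, b):
    """Multiply two elements of F_32, reducing modulo MODULUS (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:            # degree reached 5: subtract the modulus
            a ^= MODULUS
    return r


def trace(a):
    """Absolute trace Tr: F_32 -> F_2, Tr(a) = a + a^2 + a^4 + a^8 + a^16."""
    t, x = 0, a
    for _ in range(N):
        t ^= x
        x = gf_mul(x, x)
    return t                 # an element of F_2, i.e. 0 or 1


MUL = [[gf_mul(a, b) for b in range(Q)] for a in range(Q)]   # multiplication table
TR = [trace(a) for a in range(Q)]                            # trace table


def poly_eval(coeffs, x):
    """Evaluate f(x) = sum_i coeffs[i] x^i in F_32 by Horner's rule."""
    r = 0
    for c in reversed(coeffs):
        r = MUL[r][x] ^ c
    return r


def walsh(fvals, a, b):
    """W_f(a, b) = sum_x (-1)^{Tr(a f(x) + b x)}, equation (13); fvals[x] = f(x)."""
    return sum(-1 if TR[MUL[a][fvals[x]] ^ MUL[b][x]] else 1 for x in range(Q))


def max_walsh(coeffs):
    """max |W_f(a, b)| over a in F_32^*, b in F_32 (the Walsh spectrum of f)."""
    fvals = [poly_eval(coeffs, x) for x in range(Q)]
    return max(abs(walsh(fvals, a, b)) for a in range(1, Q) for b in range(Q))


def nonlinearity(coeffs):
    """NL(f) = 2^{n-1} - max|W_f(a, b)| / 2, equation (14)."""
    return (Q >> 1) - max_walsh(coeffs) // 2


def weil_serre_sum_bound(m):
    """g * floor(2 sqrt q): the Weil-Serre bound (6) on |N_f - q - 1|, i.e. on
    |sum_x chi(f(x))| for p = 2, with g = (m-1)(p-1)/2 and m odd."""
    return ((m - 1) // 2) * math.isqrt(4 * Q)


def theorem_sum_bound(m):
    """p times the bound (8) of Theorem 2.1: the bound on |sum_x chi(f(x))| used
    in Example 2.4, for q = 2^n and deg f = m odd."""
    g = (m - 1) // 2
    e = (N + 1) // 2 if g == 1 else -(-N // g)     # (n+1)/2, or ceil(n/g)
    return 2 ** e * ((g * math.isqrt(4 * Q)) // 2 ** e)


def trace_code_c2():
    """C_2(4,5): all-one vector plus Tr_P(V), P = F_32^*, V = {deg f <= 4}.
    Since Tr_P(x^2) = Tr_P(x) and Tr_P(x^4) = Tr_P(x), V contributes exactly
    the vectors Tr_P(a x + b x^3). Returns (length, dimension, min distance)."""
    positions = range(1, Q)
    words = set()
    for c, a, b in product((0, 1), range(Q), range(Q)):
        words.add(tuple(c ^ TR[MUL[a][x] ^ MUL[b][MUL[x][MUL[x][x]]]]
                        for x in positions))
    dim = round(math.log2(len(words)))
    dmin = min(sum(w) for w in words if any(w))
    return len(positions), dim, dmin


def bound_16(t):
    """Lower bound (16) on the minimum distance for p = 2: the largest exponent
    coprime to 2 among 1..t fixes g, and bound (8) = theorem_sum_bound / 2."""
    m = t if t % 2 else t - 1
    return Q - 1 - Q // 2 - theorem_sum_bound(m) // 2


if __name__ == "__main__":
    for name, f in (("x^3", [0, 0, 0, 1]), ("x^5", [0, 0, 0, 0, 0, 1]),
                    ("x^5 + x^3", [0, 0, 0, 1, 0, 1])):
        m = len(f) - 1
        print(f"{name}: max|W_f| = {max_walsh(f)}, NL = {nonlinearity(f)}, "
              f"Weil-Serre {weil_serre_sum_bound(m)}, Theorem 2.3 {theorem_sum_bound(m)}")
    print("C_2(4,5) = [n, k, d]:", trace_code_c2(), "bound (16):", bound_16(4))
```

For $x^3$ and $x^5$ the script finds the Walsh spectrum $\{0, \pm 8\}$, so $\mathrm{NL} = 16 - 4 = 2^{n-1} - 2^{(n-1)/2}$ and the Theorem 2.3 bound $2^{(n+1)/2} = 8$ for degree 3 is attained, while the degree-5 bound $2^{(n+3)/2} = 16$ (versus the Weil-Serre value 22) is respected by $x^5 + x^3$. For the trace code, the exhaustive search returns a binary $[31, 11, 11]$ code, and $1 + n(t - \lfloor t/p \rfloor) = 11$ and the bound (16) evaluate to 11 as well, so (16) is tight for $C_2(4,5)$ in the same way that (8) was tight in Example 2.5.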
Example 2.6. Let $\alpha$ be a primitive element of $\mathbb{F}_q$ and let $\mathrm{BCH}(t)$ be a $t$-error-correcting $p$-ary BCH code of length $N = q - 1 = p^n - 1$. Then by Delsarte's Theorem [6], the dual $\mathrm{BCH}(t)^\perp$ can be represented as the trace code $\mathrm{Tr}_P(V)$ [12], where $P$ consists of all $q - 1$ nonzero elements of $\mathbb{F}_q$, and $V$ is the $\mathbb{F}_q$-vector space generated by $\{1, x, x^2, \ldots, x^t\}$. If $i$ is divisible by $p$, then $\mathrm{Tr}_P(x^i) = \mathrm{Tr}_P(x^{i/p})$. Thus, $\mathrm{BCH}(t)^\perp$ is generated by $\{(1, 1, \ldots, 1)\} \cup \{\mathrm{Tr}_P(\alpha_i x^j) : 1 \le j \le t,\; p \nmid j,\; 1 \le i \le n\}$, where $\{\alpha_1, \alpha_2, \ldots, \alpha_n\}$ is an $\mathbb{F}_p$-basis of $\mathbb{F}_q$. Hence, the dimension of $\mathrm{BCH}(t)^\perp$ is at most $1 + n(t - \lfloor t/p \rfloor)$. On the other hand, if $t < \sqrt{q}/(p-1)$, then $\mathrm{Tr}_P(f) \ne 0$ for any $f \in V \setminus \{0\}$ with $\gcd(\deg(f), p) = 1$. This implies that the dimension of $\mathrm{BCH}(t)^\perp$ is exactly $1 + n(t - \lfloor t/p \rfloor)$ for $t < \sqrt{q}/(p-1)$. Finally, our bound gives a lower bound on the minimum distance of $\mathrm{BCH}(t)^\perp$, namely
$$d\bigl(\mathrm{BCH}(t)^\perp\bigr) \ge \begin{cases} p^n - 1 - p^{n-1} - p^{\lceil n/g \rceil - 1} \Bigl\lfloor \dfrac{g \lfloor 2\sqrt{q} \rfloor}{p^{\lceil n/g \rceil}} \Bigr\rfloor & \text{if } g > 1, \\[2ex] p^n - 1 - p^{n-1} - p^{(n-1)/2} \Bigl\lfloor \dfrac{\lfloor 2\sqrt{q} \rfloor}{p^{(n+1)/2}} \Bigr\rfloor & \text{if } g = 1, \end{cases} \tag{16}$$
where $g = (p-1)(t-1)/2$ if $p \nmid t$ and $g = (p-1)(t-2)/2$ if $p \mid t$.

Now we add the all-one vector to $\mathrm{BCH}(t)^\perp$; then we get a code $C_p(t, n)$ generated by the all-one vector and $\{\mathrm{Tr}_P(x^i) : 0 \le i \le t,\; p \nmid i\}$. The dimension of $C_p(t, n)$ increases by 1, i.e., it is $1 + n(t - \lfloor t/p \rfloor)$ for $t < \sqrt{q}/(p-1)$, and the lower bound (16) on the minimum distance still holds for $C_p(t, n)$. Let us illustrate the parameters of the code $C_p(t, n)$ by looking at some numerical results. Taking $p = 2$, $t = 4$ and $n = 5$, we get a binary code $C_2(4, 5)$ of length 31; taking $p = 3$, $t = 3$ and $n = 3$, $C_3(3, 3)$ is a ternary code of length 26.

Example 2.7. In this example, we consider the duals of classical Goppa codes. Let $q = p^n$ and let $L = \mathbb{F}_q = \{\alpha_1, \alpha_2, \ldots, \alpha_q\}$. Let $g(x)$ be a polynomial of degree $t$ with $\gcd(t, p) = 1$ and $g(\alpha_i) \ne 0$ for all $i = 1, 2, \ldots, q$. Then the classical Goppa code $\Gamma(L, g)$ defined by
$$\Gamma(L, g) = \Bigl\{ (c_1, c_2, \ldots, c_q) \in \mathbb{F}_p^{q} : \sum_{i=1}^{q} \frac{c_i}{x - \alpha_i} \equiv 0 \pmod{g(x)} \Bigr\}$$
is a $p$-ary linear code of length $q = p^n$. By Delsarte's Theorem [6], the dual $\Gamma(L, g)^\perp$ can be represented as the trace code $\{(\mathrm{Tr}(v_1 f(\alpha_1)), \mathrm{Tr}(v_2 f(\alpha_2)), \ldots, \mathrm{Tr}(v_q f(\alpha_q))) : f \in \mathbb{F}_q[x],\; \deg(f) \le t - 1\}$, where $v_i = g(\alpha_i)^{-1}$ [12]. It is clear that $\Gamma(L, g)^\perp$ is equivalent to $\mathrm{Tr}_P(V)$, where $P$ consists of all $q$ elements of $\mathbb{F}_q$ and $V$ is the $\mathbb{F}_q$-vector space generated by $\{1, x, x^2, \ldots, x^{t-1}\}$. In the same way, we have that the dimension of $\Gamma(L, g)^\perp$ is exactly $1 + n(t - 1 - \lfloor (t-1)/p \rfloor)$ for $t < \sqrt{q}/(p-1)$, and our bound gives a lower bound on the minimum distance of $\Gamma(L, g)^\perp$, namely
$$d\bigl(\Gamma(L, g)^\perp\bigr) \ge \begin{cases} p^n - p^{n-1} - p^{\lceil n/g \rceil - 1} \Bigl\lfloor \dfrac{g \lfloor 2\sqrt{q} \rfloor}{p^{\lceil n/g \rceil}} \Bigr\rfloor & \text{if } g > 1, \\[2ex] p^n - p^{n-1} - p^{(n-1)/2} \Bigl\lfloor \dfrac{\lfloor 2\sqrt{q} \rfloor}{p^{(n+1)/2}} \Bigr\rfloor & \text{if } g = 1, \end{cases} \tag{17}$$
where $g = (p-1)(t-2)/2$ if $p \nmid (t-1)$ and $g = (p-1)(t-3)/2$ if $p \mid (t-1)$. Taking $p = 5$, $t = 2$ and $n = 3$, we get a 5-ary code of length 125.

3 Outline of the proof of the main result
The main objective of this section is to outline the proof of our Main Theorem 2.1 in a more elementary way.

3.1 L-polynomial

The Artin-Schreier type curve $X_f$ defined in (4) is just an example of a general algebraic curve. The curve $X_f$ is defined over $\mathbb{F}_q$ and of course it can be regarded as a curve over an arbitrary extension $\mathbb{F}_{q^i}$ for every $i \ge 1$. Let $N_f(i)$ denote the number of $\mathbb{F}_{q^i}$-rational points on $X_f$, i.e., $N_f(i)$ stands for the size of the set of $\mathbb{F}_{q^i}$-rational points $\{P_\infty\} \cup \{(\alpha, \beta) \in \mathbb{F}_{q^i}^2 : \beta^p - \beta = f(\alpha)\}$. Then one can define the zeta function of $X_f$ by $\zeta_f(T) := \exp\bigl(\sum_{i=1}^{\infty} N_f(i) T^i / i\bigr)$. It was proved by Weil [14] that $\zeta_f(T)$ is a rational function of the form $\frac{L_f(T)}{(1-T)(1-qT)}$, where $L_f(T) \in \mathbb{Z}[T]$ is a polynomial of degree $2g = (m-1)(p-1)$ with $L_f(0) = 1$, and every reciprocal root of $L_f(T)$ has absolute value $\sqrt{q}$. If we write $L_f(T) = \sum_{i=0}^{2g} a_i T^i$, then $a_0 = L_f(0) = 1$ and $a_{g+i} = q^i a_{g-i}$ for all $0 \le i \le g$. In particular, the leading coefficient is $a_{2g} = q^g$.

Definition 3.1. Let $L_f(T) = \sum_{i=0}^{2g} a_i T^i$ be the $L$-polynomial of $X_f$. Then the Hasse-Witt invariant of $X_f$, denoted by $i_{X_f}$, is defined to be the maximal $j$ such that $a_j \not\equiv 0 \pmod p$, i.e.,
$$i_{X_f} = \max\{ j \le g : a_j \not\equiv 0 \pmod p \}. \tag{18}$$
Since $a_0 = 1$, we have $i_{X_f} \ge 0$. On the other hand, we clearly have $i_{X_f} \le g$.

Lemma 3.2. The Hasse-Witt invariant $i_{X_f}$ of the curve $X_f$ defined in (4) is 0.

We refer to Lemma A.4 for the proof of Lemma 3.2.
3.2 Newton polygon

Denote by $\mathbb{Q}_p$ the $p$-adic field, the completion of the rational field $\mathbb{Q}$ at the prime $p$. The unique discrete valuation of $\mathbb{Q}_p$ is again denoted by $\nu_p$. The Newton polygon of a polynomial $u(x) \in \mathbb{Q}_p[x]$ over the local field $\mathbb{Q}_p$ provides information on the factorization of $u(x)$ over $\mathbb{Q}_p$. We briefly describe the Newton polygon method in this subsection; the reader may refer to [15, Section 3.1] for the details.

Let $u(x) = u_0 + u_1 x + \cdots + u_m x^m$ be a polynomial over $\mathbb{Q}_p$ with $u_0 u_m \ne 0$. For each $0 \le i \le m$, we assign a point in $\mathbb{R}^2$ as follows: (i) if $u_i \ne 0$, take the point $(i, \nu_p(u_i))$; (ii) if $u_i = 0$, we ignore the point $(i, \infty)$. In this way, we form the lower convex envelope of the set of points $\{(i, \nu_p(u_i)) : i = 0, 1, 2, \ldots, m\}$. The polygon thus determined is called the Newton polygon of $u(x)$.

Lemma 3.3. Suppose $(r, \nu_p(u_r)) \leftrightarrow (s, \nu_p(u_s))$ with $s > r$ is a segment of the Newton polygon of $u(x)$ with slope $-k$. Then $u(x)$ has exactly $s - r$ roots $\alpha_1, \alpha_2, \ldots, \alpha_{s-r}$ with $\nu_p(\alpha_1) = \nu_p(\alpha_2) = \cdots = \nu_p(\alpha_{s-r}) = k$. Moreover, the polynomial $a(x) := \prod_{i=1}^{s-r} (x - \alpha_i)$ belongs to $\mathbb{Q}_p[x]$.

Now if $h(x) \in \mathbb{Q}_p[x]$ is an irreducible factor of $a(x)$ in the above lemma, then $\nu_p(h(0)) = k \deg(h(x)) \le k \deg(a(x)) = k(s - r)$.

3.3 Weil numbers

Definition 3.4. (i) An algebraic number $\omega$ is called a $q$-Weil number if $\omega$ and all $\mathbb{Q}$-conjugates of $\omega$ have absolute value $\sqrt{q}$ (by a $\mathbb{Q}$-conjugate of $\omega$ we mean a root of the minimal polynomial of $\omega$ over $\mathbb{Q}$). (ii) A monic polynomial $\Phi(T) \in \mathbb{Z}[T]$ is called a $q$-Weil polynomial if it has even degree and all its roots are $q$-Weil numbers. (iii) The Hasse-Witt invariant of a $q$-Weil polynomial $\Phi(T) = \sum_{i=0}^{2g} c_{2g-i} T^i \in \mathbb{Z}[T]$ is defined to be the maximal $j \in [0, g]$ such that $c_j \not\equiv 0 \pmod p$.

Lemma 3.5. A $q$-Weil polynomial $\Phi(T)$ must have the form
$$\sum_{i=0}^{2g} c_{2g-i} T^i \in \mathbb{Z}[T] \quad \text{with } c_{2g} = q^g \text{ and } c_{2g-i} = q^{g-i} c_i \text{ for all } i = 0, 1, \ldots, g. \tag{19}$$

Proof. First, note that the product of two polynomials of the form (19) still has the form (19). Hence, it is sufficient to show that an irreducible $q$-Weil polynomial $\Phi(T)$ over $\mathbb{Z}$ has the form (19). Let $\omega$ be a root of $\Phi(T)$. If $\omega$ is a real number, we must have $\omega = \sqrt{q}$ or $-\sqrt{q}$; thus $\Phi(T) = (T - \sqrt{q})(T + \sqrt{q}) = T^2 - q$, which has the form (19). If $\omega$ is not a real number, we may assume that the $\mathbb{Q}$-conjugates of $\omega$ are $\{\omega_1, \bar{\omega}_1, \ldots, \omega_g, \bar{\omega}_g\}$, where $\bar{\omega}_i$ is the complex conjugate of $\omega_i$. By definition of a $q$-Weil polynomial, we have $\Phi(T) = \prod_{i=1}^{g} (T - \omega_i)(T - \bar{\omega}_i)$ and $|\omega_i| = |\bar{\omega}_i| = \sqrt{q}$ for all $1 \le i \le g$. The desired result follows from the identity
$$\frac{T^{2g}}{q^g} \Phi\Bigl(\frac{q}{T}\Bigr) = \frac{T^{2g}}{q^g} \prod_{i=1}^{g} \Bigl(\frac{q}{T} - \omega_i\Bigr)\Bigl(\frac{q}{T} - \bar{\omega}_i\Bigr) = \prod_{i=1}^{g} \Bigl(T - \frac{q}{\omega_i}\Bigr)\Bigl(T - \frac{q}{\bar{\omega}_i}\Bigr) = \Phi(T),$$
where we use the fact that $q/\omega_i = \bar{\omega}_i$. $\square$

Lemma 3.6. Let $\Phi(T)$ be a $q$-Weil polynomial with Hasse-Witt invariant equal to 0, and let $\Psi(T)$ be a divisor of $\Phi(T)$ which is also a $q$-Weil polynomial. Then $\Psi(T)$ has Hasse-Witt invariant equal to 0 as well.

Proof. Let $\Phi(T) = \sum_{i=0}^{2g} c_{2g-i} T^i \in \mathbb{Z}[T]$ and $\Psi(T) = \sum_{i=0}^{2r} a_{2r-i} T^i \in \mathbb{Z}[T]$. Put $\Phi(T)/\Psi(T) = \sum_{i=0}^{2s} b_{2s-i} T^i \in \mathbb{Z}[T]$. Then $r + s = g$. Suppose that $\Psi(T)$ has Hasse-Witt invariant bigger than 0. Let $i$ be the largest index such that $\nu_p(a_i) = 0$; then $1 \le i \le r$. Let $j$ be the largest index with $0 \le j \le s$ such that $\nu_p(b_j) = 0$ (it exists since $b_0 = 1$). Consider
$$c_{i+j} = \sum_{k + \ell = i + j} a_k b_\ell = a_i b_j + \sum_{k + \ell = i + j,\; (k, \ell) \ne (i, j)} a_k b_\ell. \tag{20}$$
Every term in the summation on the right of (20) is divisible by $p$, while $a_i b_j$ is not divisible by $p$. Thus, $c_{i+j}$ is not divisible by $p$. This contradicts our assumption on $\Phi(T)$. $\square$

3.4 Characteristic polynomial

Let $L_f(T) = \sum_{i=0}^{2g} a_i T^i$ be the $L$-polynomial of $X_f$. By abuse of notation, the reciprocal polynomial $\tilde{L}_f(T) = \sum_{i=0}^{2g} a_i T^{2g-i}$ of $L_f(T)$ is called the characteristic polynomial of $X_f$ (in fact, $\tilde{L}_f(T)$ is the characteristic polynomial of the Jacobian of the curve $X_f$; see the Appendix). Then it is clear that every root of $\tilde{L}_f(T)$ is a $q$-Weil number and $\tilde{L}_f(T)$ is a $q$-Weil polynomial.

Lemma 3.7. If the characteristic polynomial $\tilde{L}_f(T)$ of $X_f$ is canonically factorized into a product $\tilde{L}_f(T) = \prod r(T)^e$ of powers of irreducible polynomials over $\mathbb{Q}$, then each exponent $e$ is the least common denominator of the numbers $\nu_p(h(0))/n$, where $h(T)$ runs through all irreducible factors of the corresponding $r(T)$ in $\mathbb{Q}_p[T]$.

We refer to Theorem B.3 for Lemma 3.7.
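The Newton polygon construction of Section 3.2 and the root count of Lemma 3.3 can be tried on concrete integer polynomials viewed in $\mathbb{Q}_2[x]$, which is the step the proof of Theorem 3.8 leans on. The following Python script is an added example and not part of the paper; the two test polynomials $U_1 = (x-2)(x-8)(x-3)$ and $U_2 = (x-2)(x-6)(x-5)$ are constructed here so that the $2$-adic valuations of the roots are known in advance and the polygon's segments can be checked against them.

```python
# Added example (not from the paper): the Newton polygon of Section 3.2 and the
# root-valuation count of Lemma 3.3, checked on constructed integer polynomials.
from fractions import Fraction


def vp(n, p):
    """p-adic valuation of a nonzero integer n."""
    if n == 0:
        raise ValueError("v_p(0) is infinite; zero coefficients are skipped")
    v = 0
    while n % p == 0:
        n //= p
        v += 1
    return v


def newton_polygon(coeffs, p):
    """Vertices of the lower convex envelope of the points (i, v_p(u_i)) for
    u(x) = sum u_i x^i. Zero coefficients would sit at (i, infinity) and are
    ignored, exactly as in the construction of Section 3.2."""
    pts = [(i, vp(c, p)) for i, c in enumerate(coeffs) if c != 0]

    def turns_left(o, a, b):
        # cross product > 0 iff b lies strictly above the line through o and a
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0]) > 0

    hull = []
    for pt in pts:                      # points arrive sorted by abscissa i
        # drop the last vertex while it is not strictly below the new chord;
        # this also merges collinear points into one segment
        while len(hull) >= 2 and not turns_left(hull[-2], hull[-1], pt):
            hull.pop()
        hull.append(pt)
    return hull


def root_valuations(coeffs, p):
    """Lemma 3.3 read off the polygon: each segment (r, v_r) -- (s, v_s) of
    slope -k yields exactly s - r roots of p-adic valuation k.
    Returns a list of (number of roots, valuation k) per segment."""
    hull = newton_polygon(coeffs, p)
    out = []
    for (r, vr), (s, vs) in zip(hull, hull[1:]):
        k = Fraction(vr - vs, s - r)    # the segment's slope is -k
        out.append((s - r, k))
    return out


# Constructed check 1: u(x) = (x - 2)(x - 8)(x - 3) = x^3 - 13x^2 + 46x - 48.
# Roots 8, 2, 3 have 2-adic valuations 3, 1, 0, so the polygon over Q_2 must
# consist of three unit segments of slopes -3, -1 and 0.
U1 = [-48, 46, -13, 1]
# Constructed check 2: (x - 2)(x - 6)(x - 5) = x^3 - 13x^2 + 52x - 60.
# Two roots of valuation 1 and one of valuation 0: one segment of length 2
# (slope -1) followed by one of length 1 (slope 0); the point (1, 2) is skipped.
U2 = [-60, 52, -13, 1]

if __name__ == "__main__":
    for name, u in (("U1", U1), ("U2", U2)):
        print(name, newton_polygon(u, 2), root_valuations(u, 2))
```

The sum of (count times valuation) over the segments equals $\nu_p(u_0)$, the valuation of the constant term, which is the identity $\nu_p(h(0)) = k \deg h$ stated after Lemma 3.3 summed over all factors; the test checks that as well.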
Theorem 3.8. Assume that the characteristic polynomial $\tilde{L}_f(T)$ of $X_f$ is canonically factorized into a product $\tilde{L}_f(T) = \prod r(T)^e$ over $\mathbb{Q}$. Write $r(T)^e = \sum_{i=0}^{2g} b_{2g-i} T^i \in \mathbb{Z}[T]$. Then $\nu_p(b_1) \ge n/g$ if $g$ is bigger than 1.

Proof. We outline the proof here and refer to Theorem C.2 for the detailed proof. Let $r(T) = \sum_{i=0}^{2r} a_{2r-i} T^i \in \mathbb{Z}[T]$. Since $e$ is the least common denominator of $\nu_p(h(0))/n$ for all irreducible factors $h(T)$ of $r(T)$ over $\mathbb{Q}_p$, we consider the Newton polygon of the polynomial $r(T)$. By identifying one particular segment $(2r - i, \nu_p(a_i)) \leftrightarrow (2r, 0)$ for some $1 \le i \le r$ and its slope $-\nu_p(a_i)/i$, one obtains a lower bound on $\nu_p(a_i)$ for some $1 \le i \le g$. Furthermore, the slope $-\nu_p(a_1)$ of the segment $(2r - 1, \nu_p(a_1)) \leftrightarrow (2r, 0)$ is at most the slope $-\nu_p(a_i)/i$. This gives a lower bound on $\nu_p(a_1)$, from which the desired result follows. $\square$

Theorem 3.9. Let $\tilde{L}_f(T) = \sum_{i=0}^{2g} a_{2g-i} T^i \in \mathbb{Z}[T]$ be the characteristic polynomial of the curve $X_f$ defined in (4) with $g = (m-1)(p-1)/2$. Then we have
$$\nu_p(a_1) \ge \begin{cases} \lceil n/g \rceil & \text{if } g > 1, \\[1ex] \dfrac{n+1}{2} & \text{if } g = 1. \end{cases}$$

Proof. By Lemma 3.2, we know that $\tilde{L}_f(T)$ is a $q$-Weil polynomial with Hasse-Witt invariant equal to 0. If $g = 1$, then we must have $p = 2$ or $3$ (since $(m-1)(p-1) = 2$). In this case, the desired result follows from [13, Theorem 4.1]. Now assume that $g \ge 2$. Factorize $\tilde{L}_f(T)$ into a product $\prod_{i=1}^{k} \Phi_i(T)$ of coprime $q$-Weil polynomials such that every $\Phi_i(T)$ is a power of an irreducible polynomial over $\mathbb{Q}$; by Lemma 3.6 each $\Phi_i(T)$ has Hasse-Witt invariant 0. Let $\Phi_i(T) = \sum_{j=0}^{2g_i} a_{i, 2g_i - j} T^j$. Then we have $\nu_p(a_{i,1}) \ge \min\{n/g_i, (n+1)/2\} \ge n/g$ for all $i = 1, 2, \ldots, k$. Since all the $\Phi_i(T)$ are monic, $a_1 = \sum_{i=1}^{k} a_{i,1}$, and thus
$$\nu_p(a_1) = \nu_p\Bigl(\sum_{i=1}^{k} a_{i,1}\Bigr) \ge \min_{1 \le i \le k} \nu_p(a_{i,1}) \ge n/g;$$
as $\nu_p(a_1)$ is an integer, $\nu_p(a_1) \ge \lceil n/g \rceil$. $\square$

Proof of the Main Result (Theorem 2.1). Let $\tilde{L}_f(T) = \sum_{i=0}^{2g} a_{2g-i} T^i \in \mathbb{Z}[T]$ be the characteristic polynomial of $X_f$ with $g = (m-1)(p-1)/2$. First we note that $|N_f - q - 1| = |a_1|$. Combining Theorem 3.9 with the Weil-Serre bound (6), we get
$$|N_f - q - 1| \le \begin{cases} p^{\lceil n/g \rceil} \Bigl\lfloor \dfrac{g \lfloor 2\sqrt{q} \rfloor}{p^{\lceil n/g \rceil}} \Bigr\rfloor & \text{if } g > 1, \\[2ex] p^{(n+1)/2} \Bigl\lfloor \dfrac{g \lfloor 2\sqrt{q} \rfloor}{p^{(n+1)/2}} \Bigr\rfloor & \text{if } g = 1. \end{cases}$$
The desired result follows from the fact that $|Z_f| = (N_f - 1)/p$. $\square$

References

[1] C. Carlet, Boolean Functions for Cryptography and Error-Correcting Codes, book chapter in Boolean Models and Methods in Mathematics, Computer Science and Engineering.
[3] Algebraic Curves of Finite Fields, Princeton Series in Applied Mathematics, 2008.
[4] R. Lidl and H. Niederreiter, Finite Fields, Addison-Wesley, Reading, MA, 1983; now distributed by Cambridge University Press.
[5] T. Kaufman and S. Lovett, New Extension of the Weil Bound for Character Sums with Applications to Coding, FOCS 2011.
[6] The Theory of Error-Correcting Codes, Amsterdam, The Netherlands: North-Holland, 1977.
[7] D. Mumford, Abelian Varieties, Mumbai, 2008.
[8] A. Rojas-Leon and D. Wan, Improvements of the Weil bound for Artin-Schreier curves, Math. Ann. (2011), 417-442.
[9] I. R. Shafarevich, Basic Algebraic Geometry I, Second Edition, Springer, 1995.
[10] J.-P. Serre, Rational Points on Curves over Finite Fields, Lecture Notes, Harvard University, 1985.
[11] H. Stichtenoth, Die Hasse-Witt-Invariante eines Kongruenzfunktionenkörpers, Arch. Math. (1979), 357-360.
[12] H. Stichtenoth and C. Voss, Generalized Hamming Weights of Trace Codes, IEEE Trans. on Information Theory (1994), 554-558.
[13] W. Waterhouse, Abelian varieties over finite fields, Ann. Sci. École Norm. Sup. (4) (1969), 521-560.
[14] A. Weil, Sur les courbes algébriques et les variétés qui s'en déduisent, Actualités Sci. et Ind. no. 1041, Hermann, Paris, 1948.
[15] E. Weiss, Algebraic Number Theory, McGraw-Hill, New York, 1963.
[16] J. Wolfmann, New bounds on cyclic codes from algebraic curves, in Lecture Notes in Computer Science, New York: Springer-Verlag, 1988, pp. 47-62.

Appendix
A Algebraic curves and Hasse-Witt invariants
Throughout the Appendix, we assume that X is an absolutely irreducible, projective and smoothalgebraic curve over F q of genus g . Then it can be regarded as a curve over F q i for any i > N X ( i ) the number of F q i -rational points. Then one can define the zeta function of X by ζ X ( T ) := exp ∞ X i =1 N X ( i ) T i ! . (21)It was proved by Weil [14] that ζ X ( T ) is a rational function of the form L X ( T )(1 − T )(1 − qT ) , where L X ( T ) ∈ Z [ T ] is a polynomial of degree 2 g . Furthermore, L X (0) = 1 and every reciprocity root of L f ( T ) hasabsolute value √ q .If we write L X ( T ) = P gi =0 a i T i , then a = L f (0) = 1 and a i + g = q i a i for every all 0 i g .In particular, the leading coefficient a g = q g .We need some preliminaries and background on algebraic geometry, in particular, abelian va-rieties in this Appendix. The reader may refer to [9, 13, 7] for some basic results on curves andabelian varieties.In Section 3.1, we defined the Hasse-Witt invariant of X through the L -polynomial of X .Actually, it is more proper to define it in terms of p -torsion points of its Jacobian. For an algebraiccurve X over F q of genus g , we denote by J X the Jacobian of X . Then J X is an abelian variety over F q of dimension g . Let J X ( F q ) and J X ( F q ) be the groups of the F q -rational points and F q -rationalpoints on X , respectively. Definition A.1.
Denote by J X [ p ] the subgroup of the p -torsion points of J X ( F q ) , then one has |J X [ p ] | = p r for some integer r with r g . The integer r is called the Hasse-Witt invariant of X , denoted by i X . For each abelian variety A over F q , we can consider the Frobenius morphism π A which sendsevery coordinate of a point on this variety to its q th power. The characteristic polynomial Φ A of π A over the local field Q p is called the characteristic polynomial of A (see [13, 7]). It is, infact, a polynomial over Z . Furthermore, if A is the Jacobian of an algebraic curve X / F q , then thecharacteristic polynomial of A is in fact the reciprocal polynomial of the L -polynomial of X .The following result given in [11] characterizes i X in terms of the characteristic polynomial of J X . Proposition A.2.
Let $\Phi_X(t) = \sum_{i=0}^{2g} a_{2g-i}\, t^i$ be the characteristic polynomial of $J_X$. Then $i_X$ is the maximal $j$ such that $p \nmid a_j$, i.e., $i_X = \max\{\, j \le g : p \nmid a_j \,\}$.

Theorem A.3 (Deuring-Shafarevich (see e.g. [3])). Let $E, F$ be the function fields of two curves $X/\mathbb{F}_q$ and $Y/\mathbb{F}_q$, respectively. Assume that $E/F$ is a Galois extension of function fields and the Galois group of this extension is a $p$-group. Then

$$ i_X - 1 = [E:F]\,(i_Y - 1) + \sum_{P \in Y} \sum_{Q \in X,\; Q \mid P} \bigl(e(Q|P) - 1\bigr). $$

Lemma A.4.
The Hasse-Witt invariant $i_{X_f}$ of the curve $X_f$ defined in (4) is $0$.

Proof. Let $F$ be the rational function field $\mathbb{F}_q(x)$ of the projective line and let $E$ be the function field $\mathbb{F}_q(X_f)$ of $X_f$. The only ramified point is the unique point $\infty$ lying over the pole of $x$. Moreover, the ramification index is $p$. Thus, by the Deuring-Shafarevich Theorem (with $i_Y = 0$ for the projective line and $[E:F] = p$), we have

$$ i_{X_f} - 1 = [E:F]\,(0 - 1) + (p - 1) = p \times (0 - 1) + p - 1 = -1, $$

i.e., $i_{X_f} = 0$.

B Abelian varieties
We introduce a few definitions now.
Definition B.1. (i) An abelian variety is called elementary or simple if it has no nonzero proper abelian subvarieties. (ii) Two abelian varieties over $\mathbb{F}_q$ are said to be isogenous if they have the same characteristic polynomial.

The characteristic polynomial of an abelian variety over $\mathbb{F}_q$ is a $q$-Weil polynomial. Thus, by Lemma 3.5 the characteristic polynomial of an abelian variety over $\mathbb{F}_q$ of dimension $g$ has the form $\sum_{i=0}^{2g} a_{2g-i} T^i \in \mathbb{Z}[T]$ with $a_0 = 1$ and $a_{2g-i} = q^{g-i} a_i$ for $i = 0, 1, \ldots, g$. The following well-known result (see [13]) provides information on the factorization of characteristic polynomials of abelian varieties.

Theorem B.2. Every abelian variety is isogenous to a product of elementary abelian varieties, i.e., the characteristic polynomial of every abelian variety is a product of characteristic polynomials of elementary abelian varieties.
In view of the above theorem, it is sufficient to consider elementary abelian varieties in our case (see [13]).
Theorem B.3 (Tate-Honda). There is a one-to-one correspondence between isogeny classes of elementary abelian varieties over $\mathbb{F}_q$ and conjugacy classes of $q$-Weil numbers. More precisely, a polynomial $\Phi(T)$ is the characteristic polynomial of an elementary abelian variety over $\mathbb{F}_q$ if and only if $\Phi(T) = r(T)^e$ for some irreducible polynomial $r(T) \in \mathbb{Z}[T]$ with all roots being $q$-Weil numbers, where $e$ is the least common denominator of the numbers $\nu_p(h(0))/n$ as $h(T)$ runs through all irreducible factors of $r(T)$ over $\mathbb{Q}_p$.

C Abelian varieties with Hasse-Witt invariant 0

The following result plays a crucial role.
Theorem C.1. Let $\Phi_A(T) = \sum_{i=0}^{2g} b_{2g-i} T^i \in \mathbb{Z}[T]$ be the characteristic polynomial of an elementary abelian variety $A$ with Hasse-Witt invariant equal to $0$. If the dimension $g$ of $A$ is bigger than $1$, then $\nu_p(b_1) \ge n/g$.

Proof. By Theorem B.3, we know that every elementary abelian variety $A$ has a characteristic polynomial of the form $\Phi_A(T) = r(T)^e$ for an integer $e \ge 1$ and an irreducible polynomial $r(T)$ over $\mathbb{Z}$.

If $r(T)$ has a real root, then this root must be $\pm\sqrt{q}$. In this case, we have that $r(T) = (T - \sqrt{q})(T + \sqrt{q}) = T^2 - q$. Hence, $b_1 = 0$ and the desired result follows.

Now we assume that all roots of $r(T)$ are not real. Then it is clear that the degree of $r(T)$ is even. Let $r(T) = \sum_{i=0}^{2r} a_{2r-i} T^i$ with $g = er$. To analyze $\nu_p(a_i)$, we look at the Newton polygon of $r(T)$. By our assumption, we know that $\nu_p(a_i) > 0$ for $1 \le i \le r$.

Define the sets $I := \{\, 1 \le i \le r : \nu_p(a_i) \ge in/2 \,\}$ and $J := \{\, 1 \le j \le r : \nu_p(a_j) < jn/2 \,\}$. If $1 \in I$, then $\nu_p(a_1) \ge n/2 \ge n/g$. Hence, $\nu_p(b_1) = \nu_p(e) + \nu_p(a_1) \ge n/g$.

Now assume that $1 \in J$. We claim the following: there exists $1 \le i \le r$ such that

$$ \frac{\nu_p(a_i)}{i} < \min_{r+1 \le \ell \le 2r} \left\{ \frac{\nu_p(a_\ell)}{\ell} \right\}. \qquad (22) $$

First of all, $\nu_p(a_1) < n/2 = \nu_p(q^r)/(2r) = \nu_p(a_{2r})/(2r)$. Hence, to prove the inequality (22), it is sufficient to prove that for every $\ell \in \{r+1, r+2, \ldots, 2r-1\}$ there exists $j \in J$ such that $\nu_p(a_\ell)/\ell > \nu_p(a_j)/j$. Note that, since $I \cup J = \{1, 2, \ldots, r\}$, we have $\ell = 2r - k$ with $k \le r-1$ lying in $I \setminus \{r\}$ or in $J \setminus \{r\}$. Then for every $i \in I \setminus \{r\}$ and $j \in J \setminus \{r\}$, using $a_{2r-k} = q^{r-k} a_k$, we have

$$ \frac{\nu_p(a_{2r-j})}{2r-j} = \frac{\nu_p(a_j) + (r-j)\,n}{2r-j} > \frac{\nu_p(a_j)}{j} $$

and

$$ \frac{\nu_p(a_{2r-i})}{2r-i} = \frac{\nu_p(a_i) + (r-i)\,n}{2r-i} \ge \frac{n}{2} > \frac{\nu_p(a_j)}{j}. $$

Our claim follows.

Now let $1 \le i \le r$ be the largest index such that

$$ \frac{\nu_p(a_i)}{i} = \min_{1 \le j \le 2r} \left\{ \frac{\nu_p(a_j)}{j} \right\}. $$

Then $(2r - i, \nu_p(a_i)) \longleftrightarrow (2r, 0)$ forms a segment in the Newton polygon of $r(T)$ with slope $-\nu_p(a_i)/i$. Assume that $h(t)$ is an irreducible factor of $r(T)$ in $\mathbb{Q}_p[t]$ corresponding to this segment. Then we have $\nu_p(h(0)) \le \frac{\nu_p(a_i)}{i} \times \bigl(2r - (2r - i)\bigr) = \nu_p(a_i)$. Assume that $\frac{\nu_p(h(0))}{n} = \frac{k}{\ell}$ with $\gcd(k, \ell) = 1$. Then we have $e \ge \ell$ and

$$ \nu_p(a_i) \ge \nu_p(h(0)) = n \times \frac{\nu_p(h(0))}{n} = \frac{kn}{\ell} \ge \frac{kn}{e} \ge \frac{n}{e}. \qquad (23) $$

Since $(2r - i, \nu_p(a_i)) \longleftrightarrow (2r, 0)$ forms a segment in the Newton polygon of $r(T)$, the slope $-\nu_p(a_1)$ of the segment $(2r - 1, \nu_p(a_1)) \longleftrightarrow (2r, 0)$ is at most the slope $-\nu_p(a_i)/i$ of the segment $(2r - i, \nu_p(a_i)) \longleftrightarrow (2r, 0)$, i.e.,

$$ \nu_p(a_1) \ge \frac{\nu_p(a_i)}{i} \ge \frac{n}{ie} \ge \frac{n}{re} = \frac{n}{g}. $$

Hence, $\nu_p(b_1) = \nu_p(e) + \nu_p(a_1) \ge \frac{n}{g}$. This completes the proof.

Corollary C.2. Assume that $\tilde{L}(T)$ is the reciprocal polynomial of the $L$-polynomial of an algebraic curve $X$ over $\mathbb{F}_q$. Let $\tilde{L}(T)$ have the canonical factorization into a product $\prod r(T)^e$. If the Hasse-Witt invariant of $X$ is $0$, then $\nu_p(a_1) \ge n/g$, where $r(T)^e = \sum_{i=0}^{2g} a_{2g-i} T^i$ with $g > 1$.
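The following is an added worked example, not code from the paper, that makes the objects of this Appendix concrete: it counts points on an Artin-Schreier curve $y^2 + y = f(x)$ over $\mathbb{F}_{2^k}$, recovers $L_X(T)$ from (21) via Newton's identities, reads off the Hasse-Witt invariant with Proposition A.2 (recovering the value $0$ of Lemma A.4), builds the Newton polygon that drives the proof of Theorem C.1, and checks the inequality $\nu_p(a_1) \ge n/g$ of Corollary C.2. It is specialised to $p = 2$ so that $\mathbb{F}_{2^k}$ arithmetic fits in integer bit operations; the table IRRED of defining polynomials, the sample curve $y^2 + y = x^5 + x^3$ over $\mathbb{F}_2$ (genus 2, $n = 1$), and the constructed coefficient list used to show an ordinary Newton polygon are all choices made here. For that sample curve the reciprocal polynomial $T^4 + 2T^3 + 2T^2 + 4T + 4$ has no factorization over $\mathbb{Z}$ (checked by hand), so Theorem C.1 applies with $e = 1$, $g = 2$.

```python
# Added worked example (not the paper's code): count points on y^2 + y = f(x)
# over F_{2^k}, recover L_X(T) from (21), read off the Hasse-Witt invariant via
# Proposition A.2 and build the Newton polygon used in Theorem C.1. Assumes p = 2,
# f a sum of monomials of odd top degree, and the IRRED table chosen here (k <= 6).
from fractions import Fraction

IRRED = {1: 0b11, 2: 0b111, 3: 0b1011, 4: 0b10011, 5: 0b100101, 6: 0b1000011}

def gf2k_mul(a, b, k):
    """Carry-less multiplication in F_{2^k} = F_2[x]/(IRRED[k])."""
    mod, r = IRRED[k], 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> k) & 1:
            a ^= mod
    return r

def gf2k_pow(a, e, k):
    """a^e in F_{2^k} by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf2k_mul(r, a, k)
        a, e = gf2k_mul(a, a, k), e >> 1
    return r

def trace(c, k):
    """Absolute trace F_{2^k} -> F_2: c + c^2 + ... + c^(2^(k-1))."""
    t, x = 0, c
    for _ in range(k):
        t, x = t ^ x, gf2k_mul(x, x, k)
    return t

def count_points(f_exps, k):
    """N_X(k) for y^2 + y = f(x), f(x) = sum of x^e over e in f_exps: for p = 2,
    y^2 + y = c has two solutions in F_{2^k} iff Tr(c) = 0, else none; +1 for infinity."""
    n = 0
    for x in range(1 << k):
        c = 0
        for e in f_exps:
            c ^= gf2k_pow(x, e, k)
        n += 2 if trace(c, k) == 0 else 0
    return n + 1

def l_polynomial(f_exps):
    """a_0..a_{2g} of L_X(T) over F_2. Taking log of (21) gives m*a_m = sum_{i<=m} c_i a_{m-i}
    with c_i = N_X(i) - q^i - 1; then a_{g+i} = q^i a_{g-i}. Genus is (deg f - 1)/2."""
    q, g = 2, (max(f_exps) - 1) // 2
    c = [None] + [count_points(f_exps, i) - q ** i - 1 for i in range(1, g + 1)]
    a = [1]
    for m in range(1, g + 1):
        s = sum(c[i] * a[m - i] for i in range(1, m + 1))
        assert s % m == 0  # Newton's identities divide exactly
        a.append(s // m)
    return a + [q ** i * a[g - i] for i in range(1, g + 1)]

def hasse_witt_invariant(a, p):
    """Proposition A.2: i_X = max{ j <= g : p does not divide a_j }."""
    g = (len(a) - 1) // 2
    return max(j for j in range(g + 1) if a[j] % p != 0)

def val(x, p):
    """p-adic valuation nu_p(x); infinity for x = 0."""
    if x == 0:
        return float("inf")
    v = 0
    while x % p == 0:
        x, v = x // p, v + 1
    return v

def newton_polygon(coeffs, p):
    """Vertices of the lower convex hull of (k, nu_p(c_k)) for sum c_k T^k
    (coefficients from T^0 upward); collinear interior points are dropped."""
    hull = []
    for x3, y3 in ((k, val(c, p)) for k, c in enumerate(coeffs) if c != 0):
        while len(hull) >= 2:
            (x1, y1), (x2, y2) = hull[-2], hull[-1]
            if (x2 - x1) * (y3 - y1) - (y2 - y1) * (x3 - x1) > 0:
                break  # hull[-1] lies strictly below the chord: keep it
            hull.pop()
        hull.append((x3, y3))
    return hull

def slopes(hull):
    """Edge slopes of a Newton polygon; a single slope -n/2 means supersingular."""
    return [Fraction(y2 - y1, x2 - x1) for (x1, y1), (x2, y2) in zip(hull, hull[1:])]

def corollary_c2_holds(a, p, n):
    """nu_p(a_1) >= n/g for L-polynomial coefficients a over F_{p^n}, g > 1."""
    g = (len(a) - 1) // 2
    return g > 1 and val(a[1], p) >= Fraction(n, g)

if __name__ == "__main__":
    a = l_polynomial([5, 3])  # y^2 + y = x^5 + x^3 over F_2, genus 2 (constructed sample)
    print(a, hasse_witt_invariant(a, 2), slopes(newton_polygon(list(reversed(a)), 2)))
    print(corollary_c2_holds(a, 2, 1))
```

For the sample curve the script yields $L_X(T) = 1 + 2T + 2T^2 + 4T^3 + 4T^4$, Hasse-Witt invariant $0$, a single Newton-polygon slope $-1/2 = -n/2$ (all Frobenius eigenvalues have valuation $n/2$, the supersingular case), and $\nu_2(a_1) = 1 \ge n/g = 1/2$. Passing `list(reversed(a))` feeds the reciprocal polynomial $\Phi(T)$ with the coefficient of $T^k$ at index $k$, which is exactly the $(2r - i, \nu_p(a_i))$ convention of the proof above; a list with an edge of slope $0$ of length $j$ would correspond to Hasse-Witt invariant $j$.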