
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 1, JANUARY 1999 289

On the Crosscorrelation of Sequences Over GF(p) with Short Periods

Eva Nuria Müller

Abstract—In this correspondence we investigate the crosscorrelation function Cd(t) = �p �1 i=1 �a �a , where � is a complex primitive $p$th root of unity, $(a_i)$ is a maximal linear shift-register sequence of length $p^n - 1$, and $p$ is an odd prime. For $p = 3$, $n$ odd, and $d = \frac{p^n+1}{4} + \frac{p^n-1}{2}$ we show that $2 \cdot \sqrt{p^n}$ is an upper bound for the absolute value of $1 + C_d(t)$. For any odd prime $p$ and $p^k + 1$, where $n/\gcd(n, k)$ is not divisible by $4$ we determine the maximum absolute value of $C_d(t)$ and the number of values of $C_d(t)$.

Index Terms—Absolute value, crosscorrelation, linear shift-register sequences, shorter periods.

Maximal linear shift-register sequences have been the object of extensive studies. In this correspondence we present two results concerning the crosscorrelation of the sequences $(a_i)$ and $(a_{di})$ where $(a_i)$ is a maximal sequence and the length of the period of $(a_{di})$ equals half of the length of the period of $(a_i)$. We only consider sequences over $\mathrm{GF}(p)$ where $p$ is an odd prime.

Given $c_1, \ldots, c_n \in \mathrm{GF}(p)$, $c_n \neq 0$, and a linear shift-register sequence $(a_i)$ obtained by a linear recurrence relation

$$a_i = c_1 a_{i-1} + \cdots + c_n a_{i-n} \qquad (1)$$

and a starting vector $(a_{-n}, \ldots, a_{-1})$. Every linear shift-register sequence $(a_i)$ obtained in this way is periodic of a period less than or equal to $p^n - 1$, depending on the values $c_1, \ldots, c_n$ and the starting vector. It is well known that $(a_i)$ has maximal period $p^n - 1$ if and only if the characteristic polynomial $f(x) = 1 - \sum_{i=1}^{n} c_i x^i$ associated with the recurrence relation given by (1) is a polynomial over $\mathrm{GF}(p)$ with maximal exponent. In this case, we call the sequence $(a_i)$ a maximal sequence. We give a short summary of the most important properties of linear shift-register sequences (cf. [1, pp. 209–210]).

i) The number of maximal sequences which are different under cyclic shifts is $\varphi(p^n - 1)/n$ where $\varphi$ denotes Euler's function.

ii) Let $(a_i)$ be a maximal sequence and a�1 be a root of the characteristic polynomial $f(x)$, then � is a primitive element of $\mathrm{GF}(p^n)^*$. Let Tr denote the trace function from $\mathrm{GF}(p^n)$ onto $\mathrm{GF}(p)$ where $\mathrm{Tr}(y) = \sum_{i=0}^{n-1} y^{p^i}$ for every $y \in \mathrm{GF}(p^n)$. Then there exists an element � $\in \mathrm{GF}(p^n)^*$ such that ai = Tr (��i) for every $i \in \mathbb{N}_0$. Furthermore, each other � $\in \mathrm{GF}(p^n)^*$ gives a cyclic shift of $(a_i)$.

iii) If $b_i = a_{di}$ holds for all $i \in \mathbb{N}_0$, we say the sequence $(b_i)$ is obtained by decimation from $(a_i)$ and $d$ is the decimation factor. The sequence $(b_i)$ has maximal period if and only if $\gcd(d, p^n - 1) = 1$. Conversely, if $(b_i)$ is a maximal sequence, there exist $d, t \in \mathbb{N}_0$ such that $b_{i+t} = a_{di}$.

Manuscript received October 28, 1997; revised May 14, 1998. A preliminary version of this correspondence is available as Preprint 17/97 Serie A of Fachbereich Mathematik and Informatik der FU Berlin.

The author was with Fachbereich Mathematik und Informatik, WE 02, FU Berlin, D-14195 Berlin, Germany. She is now with the Fakultät für Mathematik, IAG, Otto-von-Guericke-Universität, 39016 Magdeburg, Germany (e-mail: [email protected]).

Communicated by T. Kløve, Associate Editor for Coding Theory.

Publisher Item Identifier S 0018-9448(99)00081-4.

If $(a_i)$ is a maximal sequence, these conditions ensure that there exists a cyclic shift $(a_j) = (a_{i+t})$ such that aj = Tr (�j) holds for every $j \in \mathbb{N}_0$. Without loss of generality we assume from now on that every maximal sequence obeys aj = Tr (�j).

For a more comprehensive introduction we refer the reader to [2] and [1]. More information about the trace function and the theory of quadratic forms can be found in [3].

Definition 1 (Crosscorrelation): Let $(a_i)$ and $(b_i)$ be linear shift-register sequences over $\mathrm{GF}(p)$ and $(a_i)$ a maximal sequence. For the primitive complex $p$th root of unity � $:= e^{2\pi i/p}$, the crosscorrelation $C_{ab}(t)$ of the sequences $(a_i)$ and $(b_i)$ with respect to $t$ is defined by

Cab(t) =

p �2

i=0

�a

� �b (2)

where �b denotes the complex conjugate of �b. By definition, the crosscorrelation function compares the sequence $(b_i)$ term by term with each cyclic shift of the sequence $(a_i)$.

Since we consider sequences $(b_i)$ that are obtained by a decimation factor $d$ from a maximal sequence $(a_i)$, we can simplify the expression in (2)

Cab(t) =

p �2

i=0

�a

� �b

=

p �2

i=0

�a

� ��a

=

p �2

i=0

�Tr (� �� )

=x2GF (p )

�Tr ( x�x )

= � 1 +x2GF (p )

�Tr ( x�x ) (3)

where we used := ��t and $\mathrm{Tr}(0) = 0$. From now on we use the notation $C_d(t)$ instead of $C_{ab}(t)$. We are interested in the number of different values and the maximal absolute value and it is desired that these parameters are small.

Sometimes it will be more convenient to change the roles of the sequences and we will compare $(a_i)$ with all cyclic shifts of $(a_{di})$, term by term, which leads to the same result regarding the set of values of $C_d(t)$. In this case we consider the expression

Cd(t) = �1 +x2GF (p )

�Tr (x� x ) (4)

instead of (3).

The proposition of the following theorem is about the maximal absolute value of $C_d(t)$, the particular value¹ of $d$ is obtained from a paper by Helleseth, Rong, and Sandberg [4] on power mappings with low differential uniformity (see also [5] for the connection of power mapping with low differential uniformity and sequences with good correlation properties).

¹ The author is grateful to Prof. T. Helleseth for drawing her attention on this value of $d$.


Theorem 2: Let $n \geq 3$ be odd and $d = \frac{3^n+1}{4} + \frac{3^n-1}{2}$. Furthermore, let $(a_i)$ be a maximal linear shift-register sequence over $\mathrm{GF}(3)$. Then $\mathrm{per}(a_{di}) = \frac{3^n-1}{2}$ and the absolute value of $C_d(t)$ obeys the following inequality:

$$|1 + C_d(t)| \leq 2 \cdot \sqrt{3^n}.$$

Proof: First we show that $\gcd(d, 3^n - 1) = 2$. Since $n$ is odd and $3 \equiv -1 \pmod 4$ we have $3^n - 1 \equiv -2 \equiv 2 \pmod 4$ so $3^n - 1$ is divisible by $2$ but not by $4$. Thus $\frac{3^n-1}{2}$ is odd. Similarly, $3^n + 1 \equiv 0 \pmod 4$ and we know that $\frac{3^n+1}{4}$ is an integer. But $3^n + 1 \equiv 4 \pmod 8$ so $3^n + 1$ is not divisible by $8$ and we conclude that $\frac{3^n+1}{4}$ is an odd integer. Putting this together we know that $d = \frac{3^n+1}{4} + \frac{3^n-1}{2}$ is even and $2$ divides $\gcd(d, 3^n - 1)$. We have seen already that $3^n - 1$ is not divisible by $4$. It remains to show that $\gcd(d, 3^n - 1)$ is not divisible by any odd prime $p$. Suppose $p$ divides $\gcd(d, 3^n - 1)$, then $p$ divides both $4d = 3^n + 1 + 2 \cdot (3^n - 1)$ and $3^n - 1$, thus $p$ divides $4d - 2 \cdot (3^n - 1) = 3^n + 1$ and $3^n - 1$ and we conclude that $p$ divides $2$ (the difference of $3^n + 1$ and $3^n - 1$) which is impossible since $p$ is odd.

Since $\gcd(d, 3^n - 1) = 2$ we know that the length of the period of $(a_{di})$ is $\frac{3^n-1}{2}$, which is the largest possible nonmaximal length.

We evaluate (4) for every 2 GF(3n)�: In other words, for every in GF(pn)� we have to determine the number of solutions of

Tr (x� xd) = c (5)

in $\mathrm{GF}(3^n)$ for every $c \in \mathrm{GF}(3)$.

Each $x$ in $\mathrm{GF}(3^n)$ is either a square, a nonsquare, or $0$. We have already seen that $\frac{3^n+1}{4}$ is an integer. Using $x^{3^n} = x$ we get $(x^{(3^n+1)/4})^4 = x^{3^n+1} = x^2$ and conclude that every square can be written as a fourth power of some element in $\mathrm{GF}(3^n)$. Since every fourth power is obviously a square we have

$$\{x^2 : x \in \mathrm{GF}(3^n)\} = \{x^4 : x \in \mathrm{GF}(3^n)\}.$$

Let � be a primitive element of $\mathrm{GF}(3^n)^*$, then $-1 =$ �$^{(3^n-1)/2}$ and since $\frac{3^n-1}{2}$ is odd $-1$ is a nonsquare in $\mathrm{GF}(3^n)$. (A more general result can be found in [6, Lemma 3.4]: If $p$ is an odd prime, the nonsquares in $\mathrm{GF}(p)$ are nonsquares in $\mathrm{GF}(p^n)$ if and only if $n$ is odd.) Instead of dividing $\mathrm{GF}(3^n)$ in squares and nonsquares we can write

$$\mathrm{GF}(3^n) = \{y^4 : y \in \mathrm{GF}(3^n)\} \cup \{-y^4 : y \in \mathrm{GF}(3^n)\}.$$

Let $x = y^4$, as $y$ becomes each nonzero element in $\mathrm{GF}(3^n)$, $x$ becomes every square in $\mathrm{GF}(3^n)$ twice, and $x = 0$ iff $y = 0$. In the same way, $x = -y^4$ becomes every nonsquare in $\mathrm{GF}(3^n)$ twice as $y$ runs through $\mathrm{GF}(3^n)$ and $x = 0$ iff $y = 0$.

We look at the function in (5), ifx is a square, simple calculationyields

Tr (x� � xd) =Tr y4 � � (y4) +

=Tr (y4 � � y2)

and, similarly, if x is a nonsquare

Tr (x� � xd) =Tr �y4 � � (�y4) +

=Tr (�y4 � � y2):

In the last equation we used the fact that $\frac{3^n+1}{4} + \frac{3^n-1}{2}$ is an even number.

Instead of counting the number of solutions of (5) we determine the number of solutions of

Tr (y4 � y2) = c and Tr (�y4 � y2) = c (6)

in GF(3n) and divide the sum by2.We have to show that both functions in (6) lead to quadratic

forms. Let f�1; � � � ; �ng be a basis of GF(3n) over GF(3) andlet y = �n

i=1 yi�i with yi 2 GF(3): Using the Frobenius property,y3i = yi sinceyi 2 GF(3), and the linearity of the trace functionwe obtain

Tr (y4 � y2)

= Tr

n

i=1

yi�i

3 n

j=1

yj�j � �n

i=1

yi�i

n

j=1

yj�j

= Tr

n

i=1

n

j=1

yiyj�3i�j � �

n

i=1

n

j=1

yiyj�i�j

=

n

i=1

n

j=1

yiyjTr(�3i�j � � �i�j)

if x is a square. Since is fixed andy runs through GF(3n) weconsider the coordinatesy1; � � � ; yn as indeterminates. Thus the lastequation is a quadratic form in GF(3)[y1; � � � ; yn]: Similarly, weobtain

Tr (�y4 � y2) =

n

i=1

n

j=1

yiyj Tr (��3i�j � �i�j)

for every nonsquare $x$.

Thus we have two quadratic forms, namely, f1(y) = Tr (y4� y2) and f2(y) = Tr (�y4 � y2), both of them in $n$ indeterminates. We want to determine the number of solutions of $f_i(y) = c$ for each $c \in \mathrm{GF}(p)$ and $i = 1, 2$ which will be denoted by $N(f_i(y) = c)$ in the sequel. Let $k_i = \mathrm{rank}(f_i)$ (see Definition 5). It is well known that there exist nondegenerate (see again Definition 5) quadratic forms $g_i$ over $\mathrm{GF}(p)$ in $k_i$ indeterminates such that

$$N(f_i(y) = c) = p^{n-k_i} \cdot N(g_i(y) = c)$$

(see e.g. [3, Theorem 6.21]). Since Theorem 7 provides the values of $N(g_i(y) = c)$, it remains to determine $k_i = \mathrm{rank}(f_i)$. Applying Lemma 6, we have to find out for how many $z$'s in $\mathrm{GF}(3^n)$ the equation

$$f_i(y + z) - f_i(y) = 0 \quad \text{for all } y \in \mathrm{GF}(3^n) \qquad (7)$$

holds. Again with the properties of the trace function, especially

Tr (yz3) = Tr ((yz3)3) (8)

we get

0 = f1(y + z)� f1(y)

=Tr ((y + z)4 � (y + z)2 � y4 + y2)

=Tr ((y + z)3(y + z)� (y + z)2 � y4 + y2)

(8)= Tr (y3z + (yz3)3 � (2 )3y3z3 + z4 � z2)

=Tr (y3(z + z9 + 3z3) + z4 � z2):


But (7) has to be fulfilled for every $y$ in $\mathrm{GF}(3^n)$, so $z$ must be a root of g1 := z9 + 3z3 + z. For $f_2$ we can conclude similarly that $z$ has to be a root of g2 := z9 � 3z3 + z. Since $\deg(g_1) = \deg(g_2) = 9$ we conclude by Lemma 6 that the possible numbers of roots of $g_1$ and $g_2$ are $1$, $3$, and $9$. Hence, $n$, $n - 1$, and $n - 2$ are the only possibilities for both $\mathrm{rank}(f_1)$ and $\mathrm{rank}(f_2)$.

To exclude some of the possible combinations we look atg1 andg2 simultaneously. Simple calculation leads to

g1 � g2 = z2 � ((z4)4 + 2 � (z4)2 �

6z4 + 1):

Let u := z4, the polynomialu4 + 2 � u2 � 6u+ 1 has at most fourroots in GF(3n): If u0 is one of these roots and! is a primitivefourth root of unity over GF(3); the corresponding roots ofg1 � g2in the splitting field ofg1 � g2 over GF(3n) are

pu0; !

pu0; 2

pu0;

and 2!pu0: But ! is an element of GF(32) and not contained in

GF(3n) sincen is odd by assumption.Thus for each rootu0 of u4 + 2 � u2 � 6u + 1 only two of the

four possible corresponding roots are elements of GF(3n) and wecan conclude thatg1 � g2 has at most2+2 � 4 = 10 roots in GF(3n):

The remaining cases we still have to consider are the following.

1) Both $g_1$ and $g_2$ have one root in $\mathrm{GF}(3^n)$, then $\mathrm{rank}(f_1) = \mathrm{rank}(f_2) = n$.

2) Both $g_1$ and $g_2$ have three roots in $\mathrm{GF}(3^n)$, then $\mathrm{rank}(f_1) = \mathrm{rank}(f_2) = n - 1$.

3) $g_1$ has one root and $g_2$ has three roots in $\mathrm{GF}(3^n)$ or vice versa. Without loss of generality we can assume $\mathrm{rank}(f_1) = n$ and $\mathrm{rank}(f_2) = n - 1$.

4) $g_1$ has one root and $g_2$ has nine roots in $\mathrm{GF}(3^n)$ or vice versa; as above, we can assume that $\mathrm{rank}(f_1) = n$ and $\mathrm{rank}(f_2) = n - 2$.

Now we can calculate the upper bound for the absolute value of the crosscorrelation: Theorem 7 gives us the number of solutions of the nondegenerate quadratic form in $k_i := \mathrm{rank}(f_i)$ many indeterminates. Since we are interested in the number of solutions of $f_i(y) = c$ we multiply the numbers of solutions given by Theorem 7 with $3^{n-k_i}$.

Let �i := (�i � (�1)(k�1)=2) where �i is the determinant ofthe nondegenerate quadratic form belonging tofi, and denotes theLegendre symbol.

Since�p=1 and� 6=1 we collect multiples of1+�+� � �+�p�1=0:

Case 1: rank (f1) = rank (f2) = n, according to (4) we obtain

2 � (1+Cd(t))

=3n�1+� � (3n�1+�1 � 3 )+�2 � (3n�1��1 � 3 )

f

+3n�1+� � (3n�1+�2 � 3 )+�2 � (3n�1��2 � 3 )

f

=3 � (�1 � ���1 � �2+�2 � ���2 � �2)=3 � (�1+�2) � (���

2):

Squaring both sides and usingj� � �2j2 = 3 yields

4 � j(1 + Cd(t))j2 =3n�1 � j�1 + �2j2 � 3

=0; if �1 6= �24 � 3n; if �1 = �2:

In this case,j1 + Cd(t)j �p3n:

Case 2: rank (f1) = rank (f2) = n � 1, then

2 � (1 + Cd(t))

= 3 � (3n�2 + 2 � 3 � �1 + � � (3n�2 � 3 � �1)+ �

2 � (3n�2 � 3 � �1))+ 3 � (3n�2 + 2 � 3 � �2 + � � (3n�2 � 3 � �2)+ �

2 � (3n�2 � 3 � �2))= 3 � (2 � (�1 + �2)� � � (�1 + �2)� �

2 � (�1 + �2))

= 3 � 3 � (�1 + �2):

Squaring leads to

4 � j1 + Cd(t)j2 =3n�1 � 32 � j�1 + �2j2

=0; if �1 6= �24 � 3n+1; if �1 = �2:

Here j1 + Cd(t)j �p3 � p3n< 2 � p3n:

Case 3: rank (f1) = n, rank (f2) = n � 1, then

2 � (1 + Cd(t))

= 3n�1 + � � (3n�1 + �1 � 3 )

+ �2 � (3n�1 � �1 � 3 )

+ 3 � (3n�2 + 2 � 3 � �2 + � � (3n�2 � 3 � �2)+ �

2 � (3n�2 � 3 � �2))= 3 � (� � �1 � �

2 � �1 + 2 � �2 � � � �2 � �2 � �2)

= 3 � (� � (�1 � 3�2)� �2 � (�1 + 3�2)):

If we square, we obtain

4 � j1 + Cd(t)j2 = 3n�1 � (3�21 + 9�22) = 3n � 4:In this case, we get againj1 + Cd(t)j =

p3n:

Case 4: rank (f1) = n, rank (f2) = n � 2

2 � (1 + Cd(t))

= 3n�1 + � � (3n�1 + �1 � 3 )

+ �2 � (3n�1 � �1 � 3 )

+ 32 � (3n�3 + � � (3n�3 + �1 � 3 )

+ �2 � (3n�3 � �1 � 3 ))

= � � (�1 � 3 + �2 � 3n+1=2)� �2

� (�1 � 3 + �2 � 3n+1=2)= 3 � (� � (�1 + 3 � �2)� �

2 � (�1 + 3 � �2)):Similarly, it follows that

4 � j1 + Cd(t)j2 =3n�1 � (j� � �2j2 � j�1 + 3�2j2)

=3n � 42; if �1 = �23n � 4; if �1 6= �2:

Here we havej1+Cd(t)j�2 � p3n which completes the proof.

The fourth case was the one that implied the largest upper bound for $|C_d(t)|$. The following example shows that this case can not be excluded: Let $n = 3$, then the polynomial x3 � x + 1 has exactly nine roots in $\mathrm{GF}(27)$, which implies that the upper bound provided by the previous theorem is sharp.


As mentioned above, the particular value of $d$ in the previous theorem is obtained from [5]: Helleseth and Sandberg prove that $f(x) = x^d$ is almost perfect nonlinear for $d = \frac{p^n+1}{4} + \frac{p^n-1}{2}$ if $p^n \equiv 3 \pmod 8$ and for $d = \frac{p^n+1}{4}$ if $p^n \equiv 7 \pmod 8$. Therefore, it seems very natural to generalize the previous theorem in this sense. Indeed, it is easy to see that $\gcd(d, p^n - 1) = 2$ still holds under these conditions. However, the proof of Theorem 2 does not hold for $p \neq 3$. We give a short explanation of this fact. The beginning of the proof does not cause any difficulties until (6), accordingly we would have to evaluate f1(y) = Tr (y4� y2) and f2(y) = Tr (�y4� y2) and determine the number of solutions of $f_1(y) = c$ and $f_2(y) = c$ in $\mathrm{GF}(p^n)$. But if $p \neq 3$, the two mappings are no longer quadratic forms, they rather lead to equations of degree $4$.

Another attempt is to make use of the fact that both $f_1$ and $f_2$ are polynomials in $y^2$. The substitution $z = y^2$ yields the equations Tr (z2� z) = c, if $y$ is a square in $\mathrm{GF}(p^n)$ and Tr (z2+ z) = c, if $y$ is a nonsquare in $\mathrm{GF}(p^n)$, respectively. Although we can solve equations of the type $f(z) = c$, if the degree of $f$ is two, we cannot determine the number of solutions of the equations above. The reason is that we would have to determine the number of squares $z$ in $\mathrm{GF}(p^n)$ for which Tr (z2 � z) = c holds. In several examples the comparison of the total number of solutions of Tr (z2 � z) = c in $\mathrm{GF}(p^n)$ and the number of squares that are solutions did not seem to show any regularities that could help to solve this problem. However, numerical results based on programming in MAGMA indicate that the maximal crosscorrelation value is even lower than $2 \cdot \sqrt{p^n}$, if $p \neq 3$. But still another problem may occur: We do not really know much about the influence of the choice of the primitive root of unity in the definition of $C_d(t)$, if the number of solutions of Tr ( x� xd) does not result from a quadratic form (see Lemma 8).

In the following theorem we consider a class of values for the decimation factor $d = p^k + 1$.

Theorem 3: Let $p$ be an odd prime, $n$ odd, $n \neq 1$, $k \in \{1, \ldots, n\}$, $(a_i)$ a maximal linear shift-register sequence, and $d = p^k + 1$. Then the crosscorrelation $C_d(t)$ of the sequences $(a_i)$ and $(a_{di})$ is $p$-valued and $|C_d(t)| \leq 1 + \sqrt{p^n}$.

Proof: According to [6, Lemma 3.1] we know that $\gcd(p^k + 1, p^n - 1) = 2$ if $p$ is an odd prime and $n$ is odd. We prove the propositions in four steps:

1) We show that it is sufficient to determine the number of solutions of $f(x_1, \ldots, x_n) = c$, where $f$ is a polynomial in $\mathrm{GF}(p)[x_1, \ldots, x_n]$ and $\deg(f) = 2$.

2) In two steps we transform the polynomial $f(x_1, \ldots, x_n)$ into a diagonal quadratic form $h(z_1, \ldots, z_n)$ and investigate in which way the solutions of $f(\mathbf{x}) = c$ and $h(\mathbf{z}) = c$ correspond.

3) We show that the crosscorrelation function $C_d(t)$ takes on exactly $p$ values, if $n \geq 3$.

4) We prove that $|C_d(t)| \leq 1 + \sqrt{p^n}$. Due to [7, p. 608] this is optimal.

Step 1): According to (3) we have to determine the number ofsolutions ofTr ( x� xd) = c in GF(pn) for everyc in GF(p) andfor every in GF(pn)�: Let f�1; � � � ; �ng be a basis of GF(pn)over GF(p) andx = �n

i=1 xi�i with xi 2 GF(p): Similar to theproof of Theorem 2 we have

Tr ( x� xd) =Tr �

n

i=1

xi�i �n

i=1

xi�i

p

�n

j=1

xj�j

=Tr �n

i=1

xi�i �n

i=1

n

j=1

xixj�pi �j

=

n

i=1

xi � Tr ( � �i)�n

i=1

n

j=1

xixj Tr (�pi �j)

(9)

which is a polynomial in GF(p)[x1; � � � ; xn] of degree2. It con-sists of a linear part�n

i=1 xi � Tr ( � �i) and a quadratic form

�ni=1 �n

j=1 xixj Tr (��pi �j) in GF(p)[x1; � � � ; xn]:

Step 2): LetA be the symmetric coefficient matrix of the quadraticform given by (9), thenf (xxx) = xxxT � A � xxx:

According to [3, Theorem 6.21] there exists a nonsingular transfor-mation matrixT such thatT T �A �T is a diagonal matrix. Performingthe nonsingular transformationxxx = T � yyy in (9), we obtain

g (y1; � � � ; yn) =n

i=1

biyi +

n

i=1

aiy2i

for some elementsa1; � � � ; an appropriately chosen in GF(p): Thecoefficientsb1; � � � ; bn are obtained by

b1...bn

= TT �

Tr ( � �1)...

Tr ( � �n)

: (10)

This transformation preserves the number of solutions of thequadratic forms associated withf and g : Since T is a regularmatrix this transformation does not affect the linear parts off andg , this implies

f (xxx) = c, g (yyy) = c: (11)

In order to be able to perform the second transformation we need to know the rank of the quadratic form that is associated to $g$. Since this quadratic form is equivalent to the quadratic form of $f$, we consider $\mathrm{Tr}(-x^{p^k+1})$. To prove that this quadratic form is nondegenerate we show that the equation

$$\mathrm{Tr}((x + y)^{p^k+1}) - \mathrm{Tr}(x^{p^k+1}) = 0 \quad \text{for all } x \in \mathrm{GF}(p^n) \qquad (12)$$

has no solution except $y = 0$, then Lemma 6 implies that the quadratic part of $f$ is nondegenerate

$$\begin{aligned}
0 &= \mathrm{Tr}((x + y)^{p^k+1}) - \mathrm{Tr}(x^{p^k+1}) \\
  &= \mathrm{Tr}((x^{p^k} + y^{p^k})(x + y) - x^{p^k+1}) \\
  &= \mathrm{Tr}(x^{p^k} y + x y^{p^k} + y^{p^k+1}) \\
  &= \mathrm{Tr}(x^{p^k}(y + y^{p^{2k}}) + y^{p^k+1}). \qquad (13)
\end{aligned}$$

We used again the linearity of the trace function and $\mathrm{Tr}(x y^{p^k}) = \mathrm{Tr}(x^{p^k} y^{p^{2k}})$ in the last equation. Since (13) has to hold for every $x$ in $\mathrm{GF}(p^n)$ we conclude that $y$ has to fulfill

$$y + y^{p^{2k}} = 0 \iff y^{p^{2k}} = -y. \qquad (14)$$

Squaring leads to

$$y^{p^{4k}} = (y^{p^{2k}})^{p^{2k}} \overset{(14)}{=} (-1)^{p^{2k}} \cdot y^{p^{2k}} \overset{(14)}{=} -(-y) = y$$

so $y$ is an element of $\mathrm{GF}(p^{4k})$. But $y$ is an element of $\mathrm{GF}(p^n)$ at the same time and we obtain

$$y \in \mathrm{GF}(p^{4k}) \cap \mathrm{GF}(p^n) = \mathrm{GF}(p^{\gcd(4k, n)}).$$

Since $n$ is odd by assumption, $\gcd(4k, n)$ also divides $k$ which implies that $y \in \mathrm{GF}(p^k)$, hence

$$y^{p^{2k}} = (y^{p^k})^{p^k} = y^{p^k} = y.$$

But $y^{p^{2k}} = -y$ by (14), since $p$ is odd, $y = 0$ is the only solution of (12).


We have shown that the quadratic form belonging tof isnondegenerate which implies that the quadratic form belonging tog has full rank and every coefficientai in

g (y1; � � � ; yn) =

n

i=1

(aiy2

i + biyi)

is a nonzero element of GF(p):Let us now consider the mappingh(z1; � � � ; zn) that we obtain

from g via the transformationyi = zi�b2i =2ai: A simple calculationleads to

n

i=1

aiy2

i +

n

i=1

biyi = c,

n

i=1

aiz2

i �

n

i=1

b2i22ai

= c: (15)

If we set

h(z1; � � � ; zn) =

n

i=1

aiz2

i and c =

n

i=1

b2i22ai

(16)

(15) becomes

g (yyy) =

n

i=1

(aiy2

i + biyi) = c

, h(zzz) =

n

i=1

aiz2

i = c+ c : (17)

Step 3): The mappingh is a (diagonal) quadratic form and equalsthe quadratic form associated withg and is, therefore, nondegener-ate. Thus we can determine the number of solutions ofh(zzz) = c inGF(pn) by applying Theorem 7. Equations (11) and (17) show howthe numbers of solutions off (xxx) = c andh(zzz) = c correspond.

Let kh(i) denote the number of solutions ofh(z1; � � � ; zn) = igiven by Theorem 7 and let

vvvh := (kh(0); � � � ; kh(p� 1)) (18)

denote the “coefficient vector” ofh(zzz) which belongs to the distri-bution of values ofh(zzz): If vvvf is the corresponding “coefficientvector” of f , we have

1 + Cd(t) =

p�1

i=1

kf (i) � �i:

Let � denote the cyclic-shift operator onp0 where

�(v0; � � � ; vp�1) := (v1; � � � ; vp�1; v0):

From (11) and (17) we obtain

f (xxx) = i, h(zzz) = i+ c (19)

for every i, thus we havekf (i) = kh(i + c ) for every i and thecoefficient vectors off and h are connected byvvvf = �c (vvvh):Since this equation holds for every 2 GF(pn)� we have as a firstresult: each coefficient vector off is nothing but a cyclic shift ofthe coefficient vectorvvvh of h:

As vvvh is a vector in p0 there exist at mostp different cyclic shifts

of vvvh so Cd(t) takes on at mostp different values. To prove thatCd(t) takes on exactlyp values it remains to show the followingstatements:

a) Each cyclic shift ofvvvh is a coefficient vector off for anappropriate in GF(pn)�:

b) Thep possible cyclic shifts ofvvvh are mutually different.c) Different coefficient vectors ofvvvh lead to different values of

Cd(t):

ad a): It is sufficient to show thatc in (16) attains each value inGF(p) as runs through GF(pn)�: To do this we have to go backa bit: if 2 GF(pn)� is given,(Tr ( � �1); � � � ;Tr ( � �n)) is thecoefficient vector of the linear part off wheref�1; � � � ; �ng is abasis of GF(pn) over GF(p):

The coefficientsb1; � � � ; bn of the linear part ofg are given by(10). Since the transformation matrixT of the first transformationof indeterminates is a regular matrix andf�1; � � � ; �ng is a basis,every nonzero vector in(GF(p))n is a coefficient vector while runs through GF(pn)�:

Consider the mapping

r:(GF(p))n ! GF(p)

(b1; � � � ; bn) 7!1

22a1b21 + � � �+

1

22anb2n

given b1; � � � ; bn this function returns the appropriate value such that(19) holds. Obviously,r is a nondegenerate quadratic form, accordingto Theorem 7, each value in GF(p) is attained at least

pn�1 � p = p � (p � 1)

� 3 � (3 � 1) = 6

times (remember thatn � 3 andp is odd). Sor is a mapping ontoGF(p) and we are finished.

ad b): According to Theorem 7, the entries of the coefficientvector vvvh in (18) are given by

kh(0) = pn�1 and kh(i) = pn�1 � p ; for i 6= 0: (20)

Suppose two different cyclic shifts ofvvvh coincide, sayi � j and�i(vvvh) = �j(vvvh); this implies�i�j(vvvh) = vvvh: But there is exactlyone position in each cyclic shift ofvvvh with the entrypn�1: Comparingthe first positions of the vectorsvvvh and�i�j(vvvh) we geti = j: Thusthe cyclic shifts ofvvvh are mutually different.

ad c): Given a coefficient-vector(ks; � � � ; ks+p�1) we computethe value of the crosscorrelation in the following way:

1 + Cd(t) =

p�1

i=0

ks+i�i = ��s �

p�1

i=0

ki�i: (21)

Suppose two coefficient-vectors would lead to the same value ofCd(t): This would mean there exists; t 2 f0; � � � ; p � 1g such thatthe following identity holds:

��t �

p�1

i=0

ki�i = ��s �

p�1

i=0

ki�i , (��s � ��t) �

p�1

i=0

ki�i = 0:

Thus one of the factors on the right-hand side of the last equationwould have to be0. If (��s � ��t) = 0, we gets = t and we arefinished. It remains to show that�p�1

i=0 ki�i = 0 cannot happen. As

a pth root of unity,� obeys�p�1 = �1� � � �2 � � � � � �p�2 andwe conclude that�p�2

i=0 (ki � kp�1)�i = 0: But f1; � � � ; �p�2g is a

linear independent set over, thuski = kp�1 for every i, which isa contradiction to (20).

Finally we compute the values ofCd(t) and determine the absolutevalues.

Let

� :=det h � (�1)

p:


Note that� is either1 or �1. Equation (21) and Theorem 7 give usfor an appropriates 2 f1; � � � ; p � 1g

1 + Cd(t) = �s �p�1

i=0

ki � �i

= �s �p�1

i=0

pn�1 + � � i

p� p � �i

= �s � �p�1

i=0

i

p� p � �i:

Step 4): It remains to show that

p�1

i=0

i

p� �i =

pp

holds. But this expression can be regarded as a Gaussian sum

i2GF (p)

�(i) �(i)

where ( ip) is a nontrivial multiplicative character(i) and �i is a

nontrivial additive character�(i): According to [3, Theorem 5.11]the absolute value of a nontrivial Gaussian sum is

pp:
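
The claims of Theorems 2 and 3 can be checked numerically for $p = 3$, $n = 3$. The following Python code is an added example, not part of the paper (whose own computations used MAGMA); it builds $a_i = \mathrm{Tr}(\alpha^i)$ over $\mathrm{GF}(27)$ and tabulates $1 + C_d(t)$ over all shifts $t$. Assumptions of the example: the primitive polynomial $x^3 + 2x + 1$, the name $\alpha$ for its root, the shift convention $a_{i+t}$ against $a_{di}$, and all function names.

```python
import cmath
from math import gcd, sqrt


def m_sequence(p, n, modulus):
    """One period of a_i = Tr(alpha^i), alpha a root of the monic `modulus`.

    `modulus` lists n+1 coefficients over GF(p), constant term first.
    """
    N = p**n - 1
    # Reduction rule: x^n = -(m_0 + m_1 x + ... + m_{n-1} x^{n-1}).
    tail = [(-c) % p for c in modulus[:n]]
    powers, cur = [], [1] + [0] * (n - 1)
    for _ in range(N):
        powers.append(tuple(cur))
        top = cur[-1]
        cur = [(low + top * t) % p for low, t in zip([0] + cur[:-1], tail)]
    if len(set(powers)) != N:
        raise ValueError("alpha does not have order p^n - 1: modulus is not primitive")
    seq = []
    for i in range(N):
        # Tr(y) = y + y^p + ... + y^(p^(n-1)), evaluated at y = alpha^i.
        conjugates = [powers[(i * p**j) % N] for j in range(n)]
        total = [sum(col) % p for col in zip(*conjugates)]
        if any(total[1:]):
            raise ArithmeticError("trace did not land in GF(p)")
        seq.append(total[0])
    return seq


def value_counts(seq, p, d, t):
    """counts[c] = #{i : a_(i+t) - a_(d*i) = c (mod p)} over one period of (a_i)."""
    N = len(seq)
    counts = [0] * p
    for i in range(N):
        counts[(seq[(i + t) % N] - seq[(d * i) % N]) % p] += 1
    return tuple(counts)


def one_plus_C(counts):
    """1 + C_d(t); the added 1 is the x = 0 term of the sum over the whole field."""
    p = len(counts)
    zeta = cmath.exp(2j * cmath.pi / p)
    return 1 + sum(k * zeta**c for c, k in enumerate(counts))


def survey(p, n, modulus, d):
    """gcd(d, p^n - 1), period of (a_di), and the spread of |1 + C_d(t)| over all t."""
    seq = m_sequence(p, n, modulus)
    N = len(seq)
    decimated = [seq[(d * i) % N] for i in range(N)]
    period = next(
        r for r in range(1, N + 1)
        if N % r == 0 and all(decimated[i] == decimated[(i + r) % N] for i in range(N))
    )
    vectors = [value_counts(seq, p, d, t) for t in range(N)]
    moduli = [abs(one_plus_C(v)) for v in vectors]
    return {
        "gcd": gcd(d, N),
        "period": period,
        # Distinct count vectors correspond to distinct values of C_d(t), because
        # 1, zeta, ..., zeta^(p-2) are linearly independent over the rationals.
        "distinct_values": len(set(vectors)),
        "min_abs": min(moduli),
        "max_abs": max(moduli),
    }


P, N_DEG = 3, 3
PRIMITIVE = [1, 2, 0, 1]  # x^3 + 2x + 1 over GF(3), constant term first (assumed choice)
D_THEOREM_2 = (P**N_DEG + 1) // 4 + (P**N_DEG - 1) // 2  # decimation of Theorem 2
D_THEOREM_3 = P**1 + 1                                    # Theorem 3 with k = 1

if __name__ == "__main__":
    for name, d in (("Theorem 2", D_THEOREM_2), ("Theorem 3", D_THEOREM_3)):
        print(name, "d =", d, survey(P, N_DEG, PRIMITIVE, d))
    print("sqrt(p^n) =", sqrt(P**N_DEG))
```

For the Theorem 2 decimation the largest modulus equals $2 \cdot \sqrt{27}$, so the bound is attained for $n = 3$; for the Theorem 3 decimation every shift gives modulus $\sqrt{27}$ and exactly three distinct values occur.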

We can generalize the result of Theorem 3 for the case when $n$ is even and achieve similar results. But the condition

$$\gcd(p^k + 1, p^n - 1) = 2$$

is in general only true for $k = n$, otherwise

$$\gcd(p^k + 1, p^n - 1)$$

can get much bigger and the length of the period of the sequence $(a_{dn})$ gets much smaller.

Theorem 4: Let $p$ be an odd prime, $n$ even, $k \in \{1, \ldots, n\}$, $(a_i)$ a maximal linear shift-register sequence, $n/\gcd(k, n)$ not divisible by $4$, and $d = p^k + 1$. Then the crosscorrelation $C_d(t)$ of the sequences $(a_i)$ and $(a_{di})$ is $p$-valued and $|C_d(t)| \leq 1 + \sqrt{p^n}$.

Proof: We proceed similarly to the proof of Theorem 3, only a few changes are necessary. We have to show that the quadratic part of f (x1; � � � ; xn) = Tr( x � xd) is nondegenerate for every 2 GF(pn)�. Like in (12) and (14) we get

$$\mathrm{Tr}((x + y)^{p^k+1}) - \mathrm{Tr}(x^{p^k+1}) = 0 \iff y^{p^{2k}} = -y \qquad (22)$$

so $y$ is an element of $\mathrm{GF}(p^{\gcd(n, 4k)})$. But $n/\gcd(n, k)$ is not divisible by $4$ by assumption and we conclude

$$\frac{n}{\gcd(n, k)} = m \quad \text{or} \quad \frac{n}{\gcd(n, k)} = 2 \cdot m \qquad (23)$$

for an odd integer $m$. Thus we have

$$\gcd(n, 4k) = \gcd(n, k) \quad \text{or} \quad \gcd(n, 4k) = \gcd(n, 2k) \qquad (24)$$

respectively. In both cases, $\gcd(n, 4k)$ divides $2k$, so $y^{p^{2k}} = y$ holds for every $y$ and together with (22) again $y = 0$ is the only solution of the left-hand side of (22).

The number of solutions of a quadratic form in an even number of indeterminates is given by a different formula than in the proof of Theorem 3. But still the number of solutions of $f(\mathbf{x}) = c$ is greater than $0$ for every $c \in \mathrm{GF}(p)$ which is the crucial property to make sure that we get at most $p$ different values of $C_d(t)$. Similarly, the number of solutions of $f(\mathbf{x}) = 0$ is different from the number of solutions of $f(\mathbf{x}) = c$ for $c \neq 0$ which guarantees that we get exactly $p$ different values of $C_d(t)$.

We compute the values of the crosscorrelation: Let� := (deth �(�1)n=2=p), note that� is either1 or �1. Equation (21) gives usfor an appropriates 2 f1; � � � ; p � 1g

1 + Cd(t) = �s �p�1

i=0

ki�i:

Theorem 7 (see the Appendix), 1+� � �+�p�1 = 0, and elementary calculation yields

p�1

i=0

ki�i = pn�1 + � � (p� 1) � p

i=0

+

p�1

i=1

(pn�1 � � � p ) � �i

=� � p � � � p �p�1

i=0

�i = � � pn=2 (25)

which proves the theorem.

Finally, we provide an example which was computed with MAGMA. It demonstrates that the restriction $(n/\gcd(n, k)) \not\equiv 0 \pmod 4$ in the proposition of Theorem 4 is necessary: Consider the following table for $p = 3$, $n = 8$. The results in the rightmost column are provided by Theorem 4, the other columns show that the theorem cannot be generalized to other values of $k$. The sign $\#C_d$ denotes the number of values assumed by $C_d(t)$. In the last row the deviation factor from the optimal absolute value $\sqrt{p^n}$ of $|1 + C_d(t)|$ is listed.

| | $k = 1$ | $k = 2$ | $k = 4$ |
|---|---|---|---|
| $n/\gcd(n, k)$ | 8 | 4 | 2 |
| $\#C_d$ | 4 | 4 | 3 |
| $\max \lvert 1 + C_d(t) \rvert / \sqrt{p^n}$ | 3 | 9 | 1 |

APPENDIX

Definition 5 (Rank of a Quadratic Form): Let

f(x1; � � � ; xn) =n

i=1

n

j=1

�ijxixj

be a quadratic form. The quadratic matrix $A_f$ := (�ij)i;j=1;���;n given by �ij := (1=2)(�ij+�ji) is called the coefficient matrix of $f$. We set $\operatorname{rank}(f) := \operatorname{rank}(A_f)$ and $\det(f) := \det(A_f)$. A quadratic form in $n$ indeterminates is called nondegenerate, if $\operatorname{rank}(f) = n$.

Two quadratic forms $f(\mathbf{x}) = \mathbf{x}^T A \mathbf{x}$ and $g(\mathbf{y}) = \mathbf{y}^T B \mathbf{y}$ over $\mathrm{GF}(p)$ are called equivalent, if there exists a nonsingular matrix $T$ in $\mathrm{GF}(p)^{(n,n)}$, such that the coefficient matrices of $f$ and $g$ are connected by the equation $T^T A T = B$. Given two equivalent quadratic forms $f$ and $g$, the regularity of the transformation matrix $T$ implies that the number of solutions of $f(\mathbf{x}) = c$ equals the number of solutions of $g(\mathbf{y}) = c$.

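Lemma 6 (Rank of a Quadratic Form): Let

$$f \in \mathrm{GF}(p)[x_1, \dots, x_n]$$

be a quadratic form. Furthermore, let

$$Y := \{\mathbf{y} \in (\mathrm{GF}(p))^n : f(\mathbf{x} + \mathbf{y}) - f(\mathbf{x}) = 0 \text{ for all } \mathbf{x} \in (\mathrm{GF}(p))^n\}.$$

Then $Y$ is a subspace of $(\mathrm{GF}(p))^n$ and $\operatorname{rank}(f) = n - \dim(Y)$.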


Proof: Since equivalence of quadratic forms preserves the rank and there exists a diagonal quadratic form that is equivalent to $f$ (e.g. [3, Theorem 6.21]), we can assume that

$$f(x_1, \dots, x_n) = a_1 x_1^2 + \cdots + a_n x_n^2.$$

Since $0 \in Y$ and $f(\mathbf{x} + \mathbf{y}_1 + \mathbf{y}_2) = f(\mathbf{x} + \mathbf{y}_1) = f(\mathbf{x})$, whenever $\mathbf{y}_1, \mathbf{y}_2 \in Y$, the set $Y$ is a subspace of $(\mathrm{GF}(p))^n$.

Let $\operatorname{rank}(f) = k$, then $a_i \neq 0$ for $i \in \{1, \dots, k\}$ without loss of generality. Let $(\mathbf{e}_1, \dots, \mathbf{e}_n)$ denote the canonical basis, now $a_j = 0$ for $j > k$ implies

f((�1; � � � ; �n) + eeejjj) =

k

i=1

ai�2i = f(�1; � � � ; �n):

This holds for all $\mathbf{x}$ = (�1; � � � ; �n) $\in (\mathrm{GF}(p))^n$, whenever $j \in \{k + 1, \dots, n\}$, and we conclude that $\mathbf{e}_j \in Y$, hence $\dim(Y) \ge n - k$. Now assume $\dim(Y) > n - k$; then there exists an element $\mathbf{y}$ = �n i=1 �ieeeiii $\in Y$ which is not contained in $\langle \mathbf{e}_{k+1}, \dots, \mathbf{e}_n \rangle$. Hence at least one of the coefficients �1; � � � ; �k is not zero, say �j. We want to show that there exists an element $\mathbf{x} \in (\mathrm{GF}(p))^n$, such that $f(\mathbf{x} + \mathbf{y}) - f(\mathbf{x}) \neq 0$. Let $\mathbf{x} = 0$ be the all-zero vector, then $a_{k+1} = \cdots = a_n = 0$ implies

f(xxx+ yyy)� f(xxx) = f(yyy) =

k

i=1

ai�2i :

If �ki=1 ai� 2i $\neq 0$, the element $0$ has the desired property. If not, we choose $\mathbf{x} = \mathbf{e}_j$, then �j $\neq 0$ implies

f(eeejjj + yyy)� f(eeejjj) = aj � (1 + �j)2 +

k

i=1

ai�2i � aj�

2j

f(eeejjj+yyy)

�aj

= aj + 2aj�j + aj�2j +

k

i=1

ai�2i � aj�

2j � aj

= 2aj�j + f(yyy)

= 2aj�j

since $f(\mathbf{y}) = 0$. As $1 \le j \le k$ and �j $\neq 0$ by assumption, the product 2aj�j is not zero. Therefore, $0$ or $\mathbf{e}_j$ has the desired property, and the proof is established.

Theorem 7 (Number of Solutions of a Quadratic Form): (c.f. [3, Theorems 6.26 and 6.27])

Let $f$ be a nondegenerate quadratic form over $\mathrm{GF}(p)$ in $k$ indeterminates, $p$ an odd prime, � = $\det(f)$, $c \in \mathrm{GF}(p)$, and let $(a/p)$ denote the Legendre symbol.

• If $k$ is even, then the number of solutions of $f(x_1, \dots, x_k) = c$ is

pk�1 �(�1) ��

p� p ; if c 6= 0

pk�1 + (p� 1) �(�1) ��

p� p ; if c = 0:

• If $k$ is odd, then the number of solutions of $f(x_1, \dots, x_k) = c$ is

pk�1 +� � (�1) � c

p� p ; if c 6= 0

pk�1; if c = 0:
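The following Python code is an added example, not part of the original correspondence: it checks Lemma 6, $\operatorname{rank}(f) = n - \dim(Y)$, by exhaustive search and tabulates the number of solutions of $f(\mathbf{x}) = c$ that Theorem 7 describes. The two coefficient matrices over GF(3) and all function names are constructed for illustration.

```python
from itertools import product

def quad_form(A, x, p):
    """Evaluate f(x) = x^T A x over GF(p); A is the coefficient matrix A_f."""
    return sum(a * xi * xj for row, xi in zip(A, x) for a, xj in zip(row, x)) % p

def rank_mod_p(A, p):
    """rank(f) = rank(A_f), by Gaussian elimination over GF(p)."""
    M = [[v % p for v in row] for row in A]
    rank = 0
    for col in range(len(M[0])):
        pivot = next((r for r in range(rank, len(M)) if M[r][col]), None)
        if pivot is None:
            continue
        M[rank], M[pivot] = M[pivot], M[rank]
        inv = pow(M[rank][col], -1, p)
        M[rank] = [(v * inv) % p for v in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][col]:
                c = M[r][col]
                M[r] = [(a - c * b) % p for a, b in zip(M[r], M[rank])]
        rank += 1
    return rank

def dim_Y(A, p):
    """dim of Y = {y : f(x+y) - f(x) = 0 for all x}, by exhaustive search."""
    space = list(product(range(p), repeat=len(A)))
    fx = {x: quad_form(A, x, p) for x in space}
    size = sum(
        all(fx[tuple((a + b) % p for a, b in zip(x, y))] == fx[x] for x in space)
        for y in space
    )
    dim = 0
    while p ** dim < size:  # Y is a subspace, so |Y| = p^dim
        dim += 1
    return dim

def solution_counts(A, p):
    """Number of solutions of f(x) = c, listed for c = 0, ..., p-1."""
    counts = [0] * p
    for x in product(range(p), repeat=len(A)):
        counts[quad_form(A, x, p)] += 1
    return counts

# Constructed sample forms over GF(3) in n = 4 indeterminates (assumptions).
P = 3
NONDEGENERATE = [[1, 0, 0, 0], [0, 2, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]]
DEGENERATE = [[1, 1, 0, 0], [1, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 0]]
for A in (NONDEGENERATE, DEGENERATE):
    print(rank_mod_p(A, P), dim_Y(A, P), solution_counts(A, P))
```

For the nondegenerate form every value $c$ is attained and the count for $c = 0$ differs from the common count for $c \neq 0$, the two properties the proof of Theorem 4 relies on. For the rank-2 form the counts are those of a nondegenerate form in two indeterminates multiplied by $p^{n-k} = 9$.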

Trachtenberg has shown that the set of values of $C_d(t)$ and their distribution is independent of the choice of � in Definition 2, if $d$ is relatively prime to $p^n - 1$ ([6, Theorem 2.2]). This theorem does not apply to the decimation factors $d$ we have considered. In fact, in these cases an exchange of � by �s may cause a change of the sign of $1 + C_d(t)$ as it is described by the following Lemma. But this potential change of sign can be neglected since a certain ambiguity of sign already occurred within the proofs. Moreover, it has no influence on the number of values of $C_d(t)$ as well as on the absolute value.

Lemma 8: Let $p$ be an odd prime, n 2 and let $C_d(t)$ denote the crosscorrelation function for a decimation factor $d$ that is not relatively prime to the length $p^n - 1$ of a maximal sequence $(a_i)_i$. For $1 < s < p$ let $C_d^s(t)$ denote the crosscorrelation function where � is replaced by �s. If

1 + Cd(t) =x2GF (p )

�f (x)

where $f$ is a quadratic form, then

$$1 + C_d^s(t) = \left(\frac{s}{p}\right)^{k} \cdot \bigl(1 + C_d(t)\bigr)$$

where $k = \operatorname{rank}(f)$.

Proof: (Sketch) First let $f$ be nondegenerate (i.e., $\operatorname{rank}(f) = n$) and let

1 + Cd(t) =

p�1

i=0

li�i

where the coefficients $l_i$ are given by Theorem 7. Then

1 + Csd(t) =

p�1

i=0

li�s�i =

p�1

i=0

ls �i�i:

Let $n$ be even, as multiplication with $s$ maps $\{1, \dots, p - 1\}$ onto itself mod $p$, we are finished, since $l_i = l_j$ for $1 \le i, j \le p - 1$ in this case. Now let $n$ be odd, then li = ls �i if $s$ is a square and again $C_d(t)$ and $C_d^s(t)$ coincide. Otherwise, if $s$ is a nonsquare, multiplication with $s$ maps the squares in $\{1, \dots, p - 1\}$ onto the nonsquares and vice versa. If we subtract 0 = �p�1 i=0 pn�1�i, we observe a change of sign which is expressed by $(s/p)^n$.

If $\operatorname{rank}(f) = k < n$, we consider the corresponding nondegenerate quadratic form in $k$ indeterminates over $\mathrm{GF}(p)$. Then the arguments above still hold and it remains to multiply the coefficients $l_i$ with $p^{n-k}$ finally, which does not affect the sign.

REFERENCES

[1] T. Helleseth, “Some results about the crosscorrelation between two maximal linear sequences,” Discr. Math., vol. 16, pp. 209–232, 1976.

[2] S. W. Golomb, Shift register sequences. Laguna Hills, CA: Aegean Park Press, 1982.

[3] R. Lidl and H. Niederreiter, Finite Fields, vol. 20 of Encyclopedia of Mathematics and its Applications. Reading, MA: Addison-Wesley, 1980.

[4] T. Helleseth, C. Rong, and D. Sandberg, “New families of almost perfect nonlinear power mappings,” IEEE Trans. Inform. Theory, submitted for publication.

[5] T. Helleseth and D. Sandberg, “Some power mappings with low differential uniformity,” Appl. Algebra Eng. Commun. Comput., vol. 8, pp. 363–370, 1997.

[6] H. M. Trachtenberg, “On the cross-correlation functions of maximal linear recurring sequences,” Ph.D. dissertation, Faculty of the Graduate School, Univ. South. Calif., Los Angeles, CA, 1970.

[7] P. V. Kumar and O. Moreno, “Prime-phase sequences with periodic correlation properties better than binary sequences,” IEEE Trans. Inform. Theory, vol. 37, pp. 603–616, 1991.