### Values of polynomials over finite fields

Joachim von zur Gathen
1991 Bulletin of the Australian Mathematical Society
Let $q$ be a prime power, $\mathbb{F}_q$ a field with $q$ elements, $f \in \mathbb{F}_q[x]$ a polynomial of degree $n \geq 1$, $V(f) = \#f(\mathbb{F}_q)$ the number of different values $f(a)$ of $f$, with $a \in \mathbb{F}_q$, and $\rho = q - V(f)$. It is shown that either $\rho = 0$ or $4n^4 > q$ or $2\rho n > q$. Hence, if $q$ is "large" and $f$ is not a permutation polynomial, then either $n$ or $\rho$ is "large".

Possible cryptographic applications have recently rekindled interest in permutation polynomials, for which $\rho = 0$ in the notation of the abstract (see Lidl and Mullen ... Lidl and Mullen [10]). There is a probabilistic test for permutation polynomials using an essentially linear (in the input size $n \log q$) number of operations in $\mathbb{F}_q$ (von zur Gathen [5]). There are rather few permutation polynomials: a random polynomial in $\mathbb{F}_q[x]$ of degree less than $q$ is a permutation polynomial with probability $q!/q^q$, or about $e^{-q}$. For cryptographic applications, we think of $q$ as being exponential, about $2^N$, in some input size parameter $N$; then this probability is doubly exponentially small: $e^{-2^N}$.

In the hope of enlarging the pool of suitable polynomials, one can relax the notion of "permutation polynomial" by allowing a few, say polynomially many in $N$, values of $\mathbb{F}_q$ not to be images of $f$: $\rho = N^{O(1)}$. There is a probabilistic test for this property, whose expected number of operations is essentially linear in $n \rho \log q$ (von zur Gathen [5]). The purpose of this note is to show that this relaxation does not include new examples with $q$ large and $n$, $\rho$ small: if $\rho \neq 0$, then either $4n^4 > q$ or $2\rho n > q$ (Corollary 2 (ii)).

The theorem below provides quantitative versions of results of Williams [15], Wan [14], and others, which we now first state. As an application, we will show that a naive probabilistic polynomial-time test for permutation polynomials has a good chance of success; this could not be concluded from the previous less quantitative versions.

If $p = \operatorname{char} \mathbb{F}_q$ then $a \mapsto a^p$ is a bijection of $\mathbb{F}_q$. If $f = g(x^p)$ for some $g \in \mathbb{F}_q[x]$, then $V(f) = V(g)$, and, in particular, $f$ is a permutation polynomial if and only if $g$
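The bound above can be checked numerically and turned into a sampling test. The following Python sketch is an added example, not code from the paper: it assumes q is prime (so the field is the integers mod q), writes rho for the quantity q - V(f) from the abstract, and uses function names and a sample field of 1013 elements constructed here. The sampling test is one reading of a naive test: pick random b and decide through gcd(x^q - x, f - b) whether b is a value of f; when rho is nonzero and q is at least 4n^4, the bound 2·rho·n > q means each pick exposes f with probability above 1/(2n).

```python
import random

def trim(p):                          # drop zero leading coefficients, in place
    while p and p[-1] == 0:
        p.pop()
    return p

def poly_mod(a, m, q):                # a mod m over F_q; lists are low-degree-first
    a, inv = trim([c % q for c in a]), pow(m[-1], -1, q)
    while len(a) >= len(m):
        k, shift = a[-1] * inv % q, len(a) - len(m)
        for i, c in enumerate(m):
            a[shift + i] = (a[shift + i] - k * c) % q
        trim(a)
    return a

def poly_mulmod(a, b, m, q):
    out = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % q
    return poly_mod(out, m, q)

def has_root(g, q):                   # root in F_q iff gcd(x^q - x, g) non-constant
    g = trim([c % q for c in g])
    r, base, e = [1], poly_mod([0, 1], g, q), q
    while e:                          # r = x^q mod g by square-and-multiply
        if e & 1:
            r = poly_mulmod(r, base, g, q)
        base, e = poly_mulmod(base, base, g, q), e >> 1
    h = r + [0] * (2 - len(r))        # h = (x^q mod g) - x
    h[1] -= 1
    a, b = g, poly_mod(h, g, q)
    while b:                          # Euclid's algorithm
        a, b = b, poly_mod(a, b, q)
    return len(a) > 1

def sampling_test(f, q, trials, rng=random):   # False once a random b is missed
    picks = (rng.randrange(q) for _ in range(trials))
    return all(has_root([f[0] - b] + f[1:], q) for b in picks)

def deficiency(f, q):                 # rho = q - V(f), brute force, small q only
    return q - len({sum(c * pow(a, i, q) for i, c in enumerate(f)) % q
                    for a in range(q)})

def dichotomy_holds(f, q):            # rho = 0  or  4n^4 > q  or  2*rho*n > q
    n, rho = len(f) - 1, deficiency(f, q)
    return rho == 0 or 4 * n**4 > q or 2 * rho * n > q

Q, CUBE, SQUARE = 1013, [0, 0, 0, 1], [0, 0, 1]   # constructed samples: x^3, x^2
```

A `True` from `sampling_test` only means no missed value was found in the given number of trials; `False` is conclusive.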