### Values of polynomials over finite fields

Joachim von zur Gathen
1991 Bulletin of the Australian Mathematical Society
Let q be a prime power, F, a field with q elements, / € F 4 [z] a polynomial of degree n ^ 1, V(/) = #/(F,) the number of different values /(a) of / , with a € F , , and p = q -V(/). It is shown that either p = 0 or 4n 4 > q or 2pn > q. Hence, if q is "large" and / is not a permutation polynomial, then either n or p is "large". Possible cryptographic applications have recently rekindled interest in permutation polynomials, for which p = 0 in the notation of the abstract (see Lidl and Mullen
more » ... Lidl and Mullen ). There is a probabilistic test for permutation polynomials using an essentially linear (in the input size nlogg) number of operations in F ? (von zur Gathen  ). There are rather few permutation polynomials: a random polynomial in F,[z] of degree less than q is a permutation polynomial with probability q\/q q , or about e~q . For cryptographic applications, we think of q as being exponential, about 2^, in some input size parameter N; then this probability is doubly exponentially small: e~2 . In the hope of enlarging the pool of suitable polynomials, one can relax the notion of "permutation polynomial" by allowing a few, say polynomially many in N, values of F , not to be images of / : p = N°^. There is a probabilistic test for this property, whose expected number of operations is essentially linear in nplogq (von zur Gathen  ). The purpose of this note is to show that this relaxation does not include new examples with q large and n, p small: if p ^ 0, then either + 4n 4 > q or 2pn > q (Corollary 2 (ii)). The theorem below provides quantitative versions of results of Williams  , Wan  , and others, which we now first state. As an application, we will show that a naive probabilistic polynomial-time test for permutation polynomials has a good chance of success; this could not be concluded from the previous less quantitative versions. If p = charF" then a »-> a p is a bijection of F , . If / -g(x p ) for some g £ F,[z], then V(f) = V(^), and, in particular, / is a permutation polynomial if and only if g