
AAECC (2015) 26:555–570

DOI 10.1007/s00200-015-0265-4

ORIGINAL PAPER

Trace representation of pseudorandom binary sequences derived from Euler quotients

Zhixiong Chen1,2 · Xiaoni Du2,3 · Radwa Marzouk4

Received: 14 August 2014 / Revised: 21 April 2015 / Accepted: 1 May 2015 / Published online: 10 June 2015
© Springer-Verlag Berlin Heidelberg 2015

Abstract We give the trace representation of a family of binary sequences derived from Euler quotients by determining the corresponding defining polynomials. The result extends an earlier result of Z. Chen on the trace of binary sequences derived from Fermat quotients modulo a prime. However, the case of composite modulus brings some interesting twists. Trace representation can help us produce the sequences efficiently and analyze their cryptographic properties, such as linear complexity.

Keywords Cryptography · Pseudorandom binary sequences · Euler quotients · Fermat quotients · Trace function

Mathematics Subject Classification 94A55 · 94A60 · 65C10 · 11B68

Corresponding author: Zhixiong Chen

1 Provincial Key Laboratory of Applied Mathematics, Putian University, Putian 351100, Fujian,
People’s Republic of China
2 The State Key Laboratory of Integrated Services Networks, Xidian University, Xi’an 710071,
Shaanxi, People’s Republic of China
3 College of Mathematics and Statistics, Northwest Normal University, Lanzhou 730070, Gansu,
People’s Republic of China
4 Department of Mathematics, Faculty of Science, Cairo University, Giza 12613, Egypt

556 Z. Chen et al.

1 Introduction

For an odd prime $p$, integers $r \ge 1$ and $u$ with $\gcd(u, p) = 1$, the Euler quotient modulo $p^r$, denoted by $Q_r(u)$, is defined as the unique integer
$$Q_r(u) \equiv \frac{u^{\varphi(p^r)} - 1}{p^r} \pmod{p^r}, \qquad 0 \le Q_r(u) \le p^r - 1,$$

where $\varphi(\cdot)$ is the Euler totient function. See, e.g., [1,12,29] for details. In addition, we define $Q_r(u) = 0$ if $p \mid u$.

It is easy to verify
$$Q_r(uv) \equiv Q_r(u) + Q_r(v) \pmod{p^r}, \qquad \gcd(uv, p) = 1 \tag{1}$$
and
$$Q_r(u + kp^r) \equiv Q_r(u) - kp^{r-1}u^{-1} \pmod{p^r}, \qquad \gcd(u, p) = 1,\ k \in \mathbb{Z}. \tag{2}$$

In particular, $Q_1(u)$ is called the Fermat quotient. Many number theoretic problems have been studied for Fermat and Euler quotients in [1,4,5,12–14,21,28–34] and references therein.
More recently, Fermat and Euler quotients have been studied from the viewpoint of cryptography, see [2,6–11,19,20,23,28,36]. Families of pseudorandom sequences with good cryptographic properties are derived from Fermat and Euler quotients.
In this correspondence, we still concentrate on a family of binary sequences $(e_u)$ defined by Euler quotients. For clarity¹ we introduce a fixed integer $r \ge 1$ and define $(e_u)$ as
$$e_u = \begin{cases} 0, & \text{if } 0 \le Q_r(u)/p^r < \tfrac{1}{2}, \\ 1, & \text{if } \tfrac{1}{2} \le Q_r(u)/p^r < 1, \end{cases} \qquad u \ge 0. \tag{3}$$
We note that $(e_u)$ is $p^{r+1}$-periodic by (2). The linear complexity of $(e_u)$ has been investigated in [7] for $r = 1$ and in [19] for $r > 1$, respectively. Here, we will investigate a way to produce such binary sequences using the trace function, which is extensively applied to producing pseudorandom sequences efficiently and analyzing their pseudorandom properties [22]. In particular, in [6] the first author has studied the trace representation of $(e_u)$ for $r = 1$; however, it cannot be extended to the case of $r \ge 2$ directly. This is the main objective of the work.
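The following Python is an added illustration, not code from the paper: it computes $Q_r(u)$ literally from the definition with exact integer arithmetic, generates $(e_u)$ as in (3), and checks identities (1) and (2) together with the $p^{r+1}$-periodicity claimed above for small parameters.

```python
from math import gcd

def euler_quotient(u, p, r):
    """Q_r(u) of the introduction, computed literally from the definition with exact
    integer arithmetic: (u^phi(p^r) - 1) / p^r reduced modulo p^r, and 0 when p | u."""
    if u % p == 0:
        return 0
    m = p ** r
    phi = (p - 1) * p ** (r - 1)                 # Euler totient of p^r
    return ((pow(u, phi) - 1) // m) % m

def e(u, p, r):
    """The threshold sequence (3): e_u = 1 iff Q_r(u)/p^r >= 1/2."""
    return 1 if 2 * euler_quotient(u, p, r) >= p ** r else 0

def sequence(p, r):
    """One period, i.e. the first p^(r+1) terms, of (e_u)."""
    return [e(u, p, r) for u in range(p ** (r + 1))]

def check_identity_1(p, r):
    """(1): Q_r(uv) = Q_r(u) + Q_r(v) (mod p^r) whenever gcd(uv, p) = 1."""
    n, m = p ** (r + 1), p ** r
    return all(euler_quotient(u * v, p, r)
               == (euler_quotient(u, p, r) + euler_quotient(v, p, r)) % m
               for u in range(1, n) for v in range(1, n) if gcd(u * v, p) == 1)

def check_identity_2(p, r):
    """(2): Q_r(u + k p^r) = Q_r(u) - k p^(r-1) u^(-1) (mod p^r) for gcd(u, p) = 1."""
    m = p ** r
    return all(euler_quotient(u + k * m, p, r)
               == (euler_quotient(u, p, r) - k * p ** (r - 1) * pow(u, -1, m)) % m
               for u in range(1, m) if u % p for k in range(2 * p))

def check_period(p, r):
    """(e_u) repeats with period p^(r+1) (take k = p in (2))."""
    n = p ** (r + 1)
    return all(e(u, p, r) == e(u + n, p, r) for u in range(n))
```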
We organize this correspondence as follows. In Sect. 2, we introduce generalized cyclotomic classes of $\mathbb{Z}_{p^r}$ by using Euler quotients and determine the defining pair (see below for the definition) of $(e_u)$. In Sect. 3, we present the trace representation

¹ In the sequel, we will use the Euler quotients $Q_{r'}(u)$ and related notations for $1 \le r' \le r$ repeatedly.


of $(e_u)$ in terms of its defining pair. We also give some remarks on the relationship between the defining pair of $(e_u)$ and its linear complexity in the last section.
We conclude this section by introducing the definition of defining pair of a binary sequence. Let $\mathbb{F}_2 = \{0, 1\}$ be the binary field and $\overline{\mathbb{F}}_2$ the algebraic closure of $\mathbb{F}_2$. For a binary sequence $(s_u)$ over $\mathbb{F}_2$ of odd period $T$, there exists a primitive $T$-th root $\beta \in \overline{\mathbb{F}}_2$ of unity and a polynomial $G(x) \in \overline{\mathbb{F}}_2[x]$ of degree smaller than $T$ such that
$$s_u = G(\beta^u), \qquad u \ge 0,$$
see [24, Theorem 6.8.2]; we call the pair $(G(x), \beta)$ a defining pair of $(s_u)$ and $G(x)$ the defining polynomial of $(s_u)$ corresponding to $\beta$ [16–18]. For a given $\beta$, $G(x)$ is uniquely determined modulo $x^T - 1$ [18, Lemma 2]. In fact $G(x)$ is called the Mattson–Solomon polynomial of $(s_u)$ in coding theory [26].

2 Defining pair

We denote by $\mathbb{Z}_m = \{0, 1, \ldots, m-1\}$ the residue class ring modulo $m$ and by $\mathbb{Z}_m^*$ the unit group of $\mathbb{Z}_m$. According to (1) and (2), the quotient $Q_r(\cdot)$ defines a group epimorphism from $\mathbb{Z}_{p^{r+1}}^*$ to $\mathbb{Z}_{p^r}$.
Let
$$D_l^{(r)} = \{u : 0 \le u < p^{r+1},\ \gcd(u, p) = 1,\ Q_r(u) = l\}$$
for $l = 0, 1, \ldots, p^r - 1$. Clearly, $D_0^{(r)}, D_1^{(r)}, \ldots, D_{p^r-1}^{(r)}$ form a partition of $\mathbb{Z}_{p^{r+1}}^*$.
Since $\mathbb{Z}_{p^{r+1}}^*$ is cyclic, there exists a generator $g$ such that each element in $\mathbb{Z}_{p^{r+1}}^*$ can be written as a power of $g$ (such $g$ is also called a primitive element of $\mathbb{Z}_{p^{r+1}}^*$). We note here that the order of $g$, i.e., the least positive number $n$ satisfying $g^n \equiv 1 \pmod{p^{r+1}}$, is $\varphi(p^{r+1})$. For convenience, we will choose a primitive element $g$ such that $Q_r(g) = 1$. One might ask whether such $g$ exists or not. In fact, suppose that $Q_r(g) = a \ne 1$. It is easy to prove that $\gcd(a, p) = 1$. By (1) we get $Q_r(g^{a^{-1}}) = 1$, where $a^{-1}$ is the inverse of $a$ modulo $p^r$. Furthermore, we have
$$Q_r\big(g^{a^{-1} + kp^r}\big) \equiv 1 \pmod{p^r}$$
for all $0 \le k < p - 1$. One can find a $k_0$ ($0 \le k_0 < p - 1$) such that $\gcd(a^{-1} + k_0p^r, \varphi(p^{r+1})) = 1$, i.e., $g^{a^{-1}+k_0p^r}$ is primitive modulo $p^{r+1}$ and $Q_r(g^{a^{-1}+k_0p^r}) = 1$. Then we choose $g^{a^{-1}+k_0p^r}$ instead of $g$.
From now on, we always suppose that $Q_r(g) = 1$ for a fixed primitive element $g$ modulo $p^{r+1}$. By (1) we get
$$D_0^{(r)} = \{g^{kp^r} \bmod p^{r+1} : 0 \le k < p - 1\}$$
and
$$D_l^{(r)} = g^l D_0^{(r)} = \{g^{l+kp^r} \bmod p^{r+1} : 0 \le k < p - 1\}$$

for $1 \le l < p^r$. So each $D_l^{(r)}$ contains exactly $p - 1$ elements. We will use the notation $D_{l+p^r}^{(r)} = D_l^{(r)}$ in the context.
Let $I = \{(p^r+1)/2, (p^r+3)/2, \ldots, p^r - 1\}$; one can define $(e_u)$ equivalently by
$$e_u = \begin{cases} 1, & \text{if } u \bmod p^{r+1} \in \bigcup_{l \in I} D_l^{(r)}, \\ 0, & \text{otherwise,} \end{cases} \qquad u \ge 0, \tag{4}$$

which helps us to determine the defining pair and hence the trace representation.
We first present some technical lemmas, which are necessary for our arguments.
The following statement follows from (1) directly.
   
Lemma 1 For $r \ge 1$, let $uD_l^{(r)} = \{uv \bmod p^{r+1} : v \in D_l^{(r)}\}$. If $u \in D_{l'}^{(r)}$, then we have
$$uD_l^{(r)} = D_{l+l' \pmod{p^r}}^{(r)},$$
where $0 \le l, l' < p^r$.

Lemma 2 For $r \ge 1$ and $0 \le l < p^{r+1}$, we have
$$\{u \bmod p^{r+1} : u \in D_l^{(r+1)}\} = D_{l \bmod p^r}^{(r)}.$$

Proof For an integer $u$ with $p \nmid u$, we write by Euler's theorem
$$u^{\varphi(p^r)} = 1 + p^r\ell \in \mathbb{Z},$$
where $\ell = \ell_0 + \ell_1 p^r + \ell_2 p^{2r} + \cdots \in \mathbb{Z}$ with $0 \le \ell_i < p^r$ for $i \ge 0$. Then by the definition of Euler quotients, we have $Q_r(u) \equiv \ell \equiv \ell_0 \pmod{p^r}$. On the other hand, we have
$$Q_{r+1}(u) \equiv \ell + \frac{p-1}{2}\ell^2 p^r \equiv \ell_0 + \frac{p-1}{2}\ell_0^2 p^r + \ell_1 p^r \pmod{p^{r+1}},$$
which is deduced from
$$u^{\varphi(p^{r+1})} = \big(u^{\varphi(p^r)}\big)^p = (1 + p^r\ell)^p = 1 + p^{r+1}\ell + \frac{p-1}{2}\ell^2 p^{2r+1} + \cdots.$$
Therefore, we derive
$$Q_{r+1}(u) \equiv Q_r(u) \pmod{p^r},$$
which leads to
$$\{u \bmod p^{r+1} : u \in D_l^{(r+1)}\} \subseteq D_{l \bmod p^r}^{(r)}.$$


Now we show that the cardinality of $\{u \bmod p^{r+1} : u \in D_l^{(r+1)}\}$ is $p - 1$, which equals that of $D_{l \bmod p^r}^{(r)}$. In fact, if $u \equiv u' \pmod{p^{r+1}}$ for $u, u' \in D_l^{(r+1)}$, we suppose $u' = u + k_0p^{r+1}$ for some $0 \le k_0 < p$. We have
$$l \equiv Q_{r+1}(u) \equiv Q_{r+1}(u') \equiv Q_{r+1}(u + k_0p^{r+1}) \equiv Q_{r+1}(u) - k_0u^{-1}p^r \pmod{p^{r+1}},$$
which indicates that $k_0 = 0$ and hence $u = u'$. This finishes the proof.
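As an added example (not part of the paper), the following Python carries out the construction of this section: it normalises a primitive root so that $Q_r(g) = 1$ exactly as argued above, builds the classes $D_l^{(r)}$, and checks that they are the cosets $g^l D_0^{(r)}$ of size $p-1$, that (4) agrees with (3), and that Lemmas 1 and 2 hold for small $p$ and $r$.

```python
from math import gcd

def euler_quotient(u, p, r):
    """Q_r(u) from the introduction, 0 when p | u."""
    if u % p == 0:
        return 0
    m = p ** r
    return ((pow(u, (p - 1) * p ** (r - 1)) - 1) // m) % m

def is_primitive(g, n):
    """g generates Z_n^*: its powers run through all phi(n) units."""
    phi = sum(1 for x in range(1, n) if gcd(x, n) == 1)
    return gcd(g, n) == 1 and len({pow(g, k, n) for k in range(phi)}) == phi

def normalized_primitive_root(p, r):
    """A primitive element g modulo p^(r+1) with Q_r(g) = 1, built as in Sect. 2:
    from any primitive g with Q_r(g) = a, pass to g^(a^-1 + k0 p^r) for the first
    k0 for which that exponent is coprime to phi(p^(r+1))."""
    n, m = p ** (r + 1), p ** r
    phi = (p - 1) * m
    g = next(x for x in range(2, n) if is_primitive(x, n))
    a = euler_quotient(g, p, r)
    assert gcd(a, p) == 1            # Q_r sends a generator to a generator of Z_{p^r}
    a_inv = pow(a, -1, m)
    for k0 in range(p - 1):
        if gcd(a_inv + k0 * m, phi) == 1:
            h = pow(g, a_inv + k0 * m, n)
            assert is_primitive(h, n) and euler_quotient(h, p, r) == 1
            return h
    raise ValueError("unreachable: some k0 always works")

def classes(p, r):
    """D_l^{(r)} for l = 0..p^r-1 as sets of units modulo p^(r+1)."""
    D = [set() for _ in range(p ** r)]
    for u in range(p ** (r + 1)):
        if u % p:
            D[euler_quotient(u, p, r)].add(u)
    return D

def check_classes(p, r):
    """|D_l| = p-1, D_0 = {g^{k p^r}}, D_l = g^l D_0, and (4) agrees with (3)."""
    n, m = p ** (r + 1), p ** r
    g, D = normalized_primitive_root(p, r), classes(p, r)
    D0 = {pow(g, k * m, n) for k in range(p - 1)}
    if D[0] != D0 or any(len(Dl) != p - 1 for Dl in D):
        return False
    if any(D[l] != {pow(g, l, n) * w % n for w in D0} for l in range(m)):
        return False
    upper = set().union(*(D[l] for l in range((m + 1) // 2, m)))   # union over l in I
    return all((u % n in upper) == (2 * euler_quotient(u, p, r) >= m) for u in range(2 * n))

def check_lemma1(p, r):
    """u in D_{l'} implies u D_l = D_{(l + l') mod p^r}."""
    n, m = p ** (r + 1), p ** r
    D = classes(p, r)
    return all({u * v % n for v in D[l]} == D[(l + lp) % m]
               for lp in range(m) for u in D[lp] for l in range(m))

def check_lemma2(p, r):
    """Reducing D_l^{(r+1)} modulo p^(r+1) gives D_{l mod p^r}^{(r)}."""
    n, m = p ** (r + 1), p ** r
    D, Dup = classes(p, r), classes(p, r + 1)
    return all({u % n for u in Dup[l]} == D[l % m] for l in range(p ** (r + 1)))
```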


Define
$$D_l^{(r)}(x) = \sum_{u \in D_l^{(r)}} x^u \in \mathbb{F}_2[x]$$
for $l = 0, 1, \ldots, p^r - 1$.
For an element $\gamma \in \overline{\mathbb{F}}_2$, we denote by $\mathrm{ord}(\gamma)$ the order of $\gamma$, i.e., the least positive integer $n$ such that $\gamma^n = 1$.

Lemma 3 For $r \ge 1$, let $\gamma \in \overline{\mathbb{F}}_2$ be of order $\mathrm{ord}(\gamma)$ with $\mathrm{ord}(\gamma) \mid p^{r+1}$. We have
$$\sum_{l=0}^{p^r-1} D_l^{(r)}(\gamma) = \begin{cases} 1, & \text{if } \mathrm{ord}(\gamma) = p, \\ 0, & \text{otherwise.} \end{cases}$$

Proof If $\mathrm{ord}(\gamma) = 1$, i.e., $\gamma = 1$, we have
$$\sum_{l=0}^{p^r-1} D_l^{(r)}(1) = p^r(p-1) = 0.$$
Since
$$\sum_{l=0}^{p^r-1} D_l^{(r)}(\gamma) = \sum_{i \in \mathbb{Z}_{p^{r+1}}^*} \gamma^i = \sum_{i \in \mathbb{Z}_{p^{r+1}}} \gamma^i - \sum_{i \in \mathbb{Z}_{p^r}} \gamma^{ip},$$
if $\mathrm{ord}(\gamma) > p$, using the formula $1 + x + \cdots + x^{n-1} = (1 - x^n)/(1 - x)$, we have
$$\sum_{i \in \mathbb{Z}_{p^{r+1}}} \gamma^i = \frac{1 - \gamma^{p^{r+1}}}{1 - \gamma} = 0, \qquad \sum_{i \in \mathbb{Z}_{p^r}} \gamma^{ip} = \frac{1 - \gamma^{p^{r+1}}}{1 - \gamma^p} = 0,$$
which leads to $\sum_{l=0}^{p^r-1} D_l^{(r)}(\gamma) = 0$. While if $\mathrm{ord}(\gamma) = p$, we have
$$\sum_{i \in \mathbb{Z}_{p^r}} \gamma^{ip} = \sum_{i \in \mathbb{Z}_{p^r}} 1 = p^r = 1,$$
which leads to $\sum_{l=0}^{p^r-1} D_l^{(r)}(\gamma) = 1$. This finishes the proof.


For $r \ge 1$, we define $p^r$-tuples
$$C_i^{(r)}(x) = \Big(D_i^{(r)}(x), D_{i+1}^{(r)}(x), \ldots, D_{i+p^r-1}^{(r)}(x)\Big), \qquad i = 0, 1, \ldots, p^r - 1.$$
We will calculate the inner product $C_i^{(r)}(x) \cdot C_j^{(r)}(x^{p^m})$ for $0 \le i, j < p^r$ in the following lemma, where we also need the notation for exact divisibility of integers, i.e., $p^k \,\|\, a$ means $p^k \mid a$ but $p^{k+1} \nmid a$.

Lemma 4 Let $\theta \in \overline{\mathbb{F}}_2$ be a primitive $p^{r+1}$-th root of unity. Let $0 \le i, j < p^r$ be a fixed pair.
(I). For $r \ge 1$, we have
$$C_i^{(r)}(\theta) \cdot C_j^{(r)}\big(\theta^{p^m}\big) = 0,$$
if $m \ge 1$.
(II). For $r \ge 2$, we have
$$C_i^{(r)}(\theta) \cdot C_j^{(r)}(\theta) = \begin{cases} 1, & \text{if } p^{r-1} \,\|\, (i - j), \\ 0, & \text{otherwise.} \end{cases}$$
(III). For $r = 1$, we have
$$C_i^{(1)}(\theta) \cdot C_j^{(1)}(\theta) = \begin{cases} 0, & \text{if } i = j, \\ 1, & \text{otherwise.} \end{cases}$$

Proof Firstly, if $m \ge r + 1$ we have $C_j^{(r)}(\theta^{p^m}) = C_j^{(r)}(1) = (0, 0, \ldots, 0)$ since each $D_l^{(r)}(x)$ has $p - 1$ many terms and $D_l^{(r)}(\theta^{p^m}) = D_l^{(r)}(1) = p - 1 = 0$ for all $0 \le l < p^r$. Hence, for all $0 \le i, j < p^r$ we have
$$C_i^{(r)}(\theta) \cdot C_j^{(r)}(\theta^{p^m}) = C_i^{(r)}(\theta) \cdot C_j^{(r)}(1) = 0.$$
Secondly, for $0 \le i, j < p^r$ and $0 \le m \le r$, we note that $D_l^{(r)} = g^l D_0^{(r)}$ for all $l \ge 0$ since we always suppose $Q_r(g) = 1$, then we calculate
$$\begin{aligned}
C_i^{(r)}(\theta) \cdot C_j^{(r)}(\theta^{p^m}) &= D_i^{(r)}(\theta)D_j^{(r)}(\theta^{p^m}) + D_{i+1}^{(r)}(\theta)D_{j+1}^{(r)}(\theta^{p^m}) + \cdots + D_{i+p^r-1}^{(r)}(\theta)D_{j+p^r-1}^{(r)}(\theta^{p^m}) \\
&= \sum_{k=0}^{p^r-1} \sum_{u \in D_0^{(r)}} \theta^{ug^{i+k}} \sum_{v \in D_0^{(r)}} \theta^{vg^{j+k}p^m} \\
&= \sum_{k=0}^{p^r-1} \sum_{u \in D_0^{(r)}} \sum_{w \in D_0^{(r)}} \theta^{ug^{i+k}} \theta^{uwg^{j+k}p^m} \qquad (\text{we use } v = uw)
\end{aligned}$$


$$\begin{aligned}
&= \sum_{k=0}^{p^r-1} \sum_{u \in D_0^{(r)}} \sum_{w \in D_0^{(r)}} \theta^{ug^{j+k}(g^{i-j} + wp^m)} \\
&= \sum_{w \in D_0^{(r)}} \sum_{z \in \mathbb{Z}_{p^{r+1}}^*} \gamma_w^{z} \qquad (\text{we use } z = ug^{j+k},\ \gamma_w = \theta^{g^{i-j} + wp^m}) \\
&= \sum_{w \in D_0^{(r)}} \sum_{l=0}^{p^r-1} D_l^{(r)}(\gamma_w).
\end{aligned}$$
Now we need to determine $\mathrm{ord}(\gamma_w)$, the order of $\gamma_w$ above for each $w \in D_0^{(r)}$. We note that $\mathrm{ord}(\gamma_w) \mid p^{r+1}$ since $\theta$ is a primitive $p^{r+1}$-th root of unity.
If $1 \le m \le r$, we find that $p \nmid (g^{i-j} + wp^m)$ for all $w \in D_0^{(r)}$ and hence $\mathrm{ord}(\gamma_w) = p^{r+1}$. So we get
$$\sum_{w \in D_0^{(r)}} \sum_{l=0}^{p^r-1} D_l^{(r)}(\gamma_w) = 0$$
by Lemma 3. This finishes the proof of the first statement.


Now we consider the case $m = 0$. For those $w \in D_0^{(r)}$ with $\mathrm{ord}(\gamma_w) \ne p$ we get
$$\sum_{l=0}^{p^r-1} D_l^{(r)}(\gamma_w) = 0$$
by Lemma 3 again. While in this case ($m = 0$), we show below that there exists $w \in D_0^{(r)}$ such that $\mathrm{ord}(\gamma_w) = p$ if and only if $p^{r-1} \,\|\, (i - j)$. That is, we need to find solutions $w \in D_0^{(r)}$ satisfying
$$g^{i-j} + w \equiv l_0 p^r \pmod{p^{r+1}}$$
for some integer $l_0$ with $1 \le l_0 < p$. By (1) and (2) we get
$$\begin{aligned}
0 \equiv Q_r(w) &\equiv Q_r(-g^{i-j} + l_0p^r) \\
&\equiv Q_r(-g^{i-j}) - l_0p^{r-1}(-g^{i-j})^{-1} \\
&\equiv Q_r(-1) + (i - j)Q_r(g) - l_0p^{r-1}(-g^{i-j})^{-1} \\
&\equiv (i - j) - l_0p^{r-1}(-g^{i-j})^{-1} \pmod{p^r}.
\end{aligned} \tag{5}$$
Then for fixed $0 \le i, j < p^r$, $l_0$ exists if and only if $p^{r-1} \,\|\, (i - j)$. From (5) we also find that there is only one solution $l_0$ and hence only one $w$, written as $w_0$, such that $\mathrm{ord}(\gamma_{w_0}) = p$, in which case we obtain by Lemma 3 again
$$\sum_{l=0}^{p^r-1} D_l^{(r)}(\gamma_{w_0}) = 1.$$


So we conclude that
$$\sum_{w \in D_0^{(r)}} \sum_{l=0}^{p^r-1} D_l^{(r)}(\gamma_w) = \begin{cases} 1, & \text{if } p^{r-1} \,\|\, (i - j), \\ 0, & \text{otherwise,} \end{cases}$$
which finishes the proof of the second statement.
For the third statement, a proof can be found in [6, Lemma 3].
According to Lemma 2, we remark that $u \bmod p^{r+1} \in D_{l \bmod p^r}^{(r)}$ if $u \in D_l^{(r+1)}$ for $r \ge 1$. So together with Lemma 1, we will use $C_{l+p^r}^{(r)}(x) = C_l^{(r)}(x)$ for any integer $l \ge 0$.

Lemma 5 Let $r \ge 2$ and $\beta \in \overline{\mathbb{F}}_2$ be a fixed primitive $p^{r+1}$-th root of unity. Then for $0 \le i < p^r$, the defining pair of the binary sequence $(s_u^{(i)})$ defined by
$$s_u^{(i)} = \begin{cases} 1, & \text{if } u \bmod p^{r+1} \in D_i^{(r)}, \\ 0, & \text{otherwise,} \end{cases} \qquad u \ge 0$$
is $(G_i(x), \beta)$ with
$$G_i(x) = \sum_{k=1}^{p-1} x^{kp^r} + \sum_{t=1}^{r} C_i^{(t)}\big(\beta^{p^{r-t}}\big) \cdot C_0^{(t)}\big(x^{p^{r-t}}\big).$$

Proof For $u = 0$, we have
$$G_i(\beta^0) = G_i(1) = \sum_{k=1}^{p-1} 1 + \sum_{t=1}^{r} C_i^{(t)}\big(\beta^{p^{r-t}}\big) \cdot C_0^{(t)}(1) = (p - 1) + 0 = 0 = s_0^{(i)}.$$
For $u = u'p^m$ with $\gcd(u', p) = 1$ and $1 \le m \le r$, we also suppose $u' \bmod p^{r+1} \in D_j^{(r)}$ for some $j$; then we derive by Lemmas 1, 2 and 4
$$\begin{aligned}
G_i(\beta^u) &= \sum_{k=1}^{p-1} \beta^{kp^{r+m}u'} + \sum_{t=1}^{r} C_i^{(t)}\big(\beta^{p^{r-t}}\big) \cdot C_0^{(t)}\big(\beta^{u'p^m p^{r-t}}\big) \\
&= p - 1 + \sum_{t=1}^{r} C_i^{(t)}(\theta) \cdot C_0^{(t)}\big(\theta^{u'p^m}\big) \qquad (\text{we use } \theta = \beta^{p^{r-t}}) \\
&= \sum_{t=1}^{r} C_i^{(t)}(\theta) \cdot C_j^{(t)}\big(\theta^{p^m}\big) = 0 = s_u^{(i)}.
\end{aligned}$$


For $u \in D_j^{(r)}$ with $0 \le j < p^r$, we have by Lemma 1
$$\begin{aligned}
G_i(\beta^u) &= \sum_{k=1}^{p-1} \beta^{kup^r} + \sum_{t=1}^{r} C_i^{(t)}\big(\beta^{p^{r-t}}\big) \cdot C_0^{(t)}\big(\beta^{up^{r-t}}\big) \\
&= 1 + \sum_{t=1}^{r} C_i^{(t)}(\theta) \cdot C_0^{(t)}(\theta^u) \qquad (\text{we use } \theta = \beta^{p^{r-t}}) \\
&= 1 + \sum_{t=1}^{r} C_i^{(t)}(\theta) \cdot C_j^{(t)}(\theta).
\end{aligned}$$
We proceed with the proof by using the second and third statements in Lemma 4.
If $p \nmid (i - j)$, then $i \not\equiv j \pmod{p^t}$ for all $t \ge 1$. Hence we get
$$G_i(\beta^u) = 1 + C_i^{(1)}(\theta) \cdot C_j^{(1)}(\theta) + \sum_{t=2}^{r} C_i^{(t)}(\theta) \cdot C_j^{(t)}(\theta) = 1 + 1 + 0 = 0 = s_u^{(i)}.$$
If $p^n \,\|\, (i - j)$ for some $1 \le n < r$, which indicates $i \equiv j \pmod{p^t}$ for all $1 \le t \le n$ but $i \not\equiv j \pmod{p^t}$ for all $t > n$, then we get
$$G_i(\beta^u) = 1 + C_i^{(n+1)}(\theta) \cdot C_j^{(n+1)}(\theta) + \sum_{\substack{t=1 \\ t \ne n+1}}^{r} C_i^{(t)}(\theta) \cdot C_j^{(t)}(\theta) = 1 + 1 + 0 = 0 = s_u^{(i)}.$$
Finally if $i = j$, we get
$$G_i(\beta^u) = 1 + \sum_{t=1}^{r} C_i^{(t)}(\theta) \cdot C_j^{(t)}(\theta) = 1 + 0 = s_u^{(i)}.$$
Putting everything together, we get $s_u^{(i)} = G_i(\beta^u)$ for all $u \ge 0$ and complete the proof.

Applying Lemma 5, one can get the following main result.

Theorem 1 Let $r \ge 2$ and $\beta \in \overline{\mathbb{F}}_2$ be a fixed primitive $p^{r+1}$-th root of unity. Then the defining polynomial $G(x)$ (corresponding to $\beta$) of the binary sequence $(e_u)$ defined in (3) or (4) is
$$G(x) = \frac{p^r - 1}{2} \sum_{k=1}^{p-1} x^{kp^r} + \sum_{t=1}^{r} \sum_{i=(p^t+1)/2}^{p^t-1} C_i^{(t)}\big(\beta^{p^{r-t}}\big) \cdot C_0^{(t)}\big(x^{p^{r-t}}\big).$$


Proof By Lemma 5 we see that the defining polynomial $G(x)$ of $(e_u)$ is
$$G(x) = \frac{p^r - 1}{2} \sum_{k=1}^{p-1} x^{kp^r} + \sum_{i=(p^r+1)/2}^{p^r-1} \sum_{t=1}^{r} C_i^{(t)}\big(\beta^{p^{r-t}}\big) \cdot C_0^{(t)}\big(x^{p^{r-t}}\big).$$
On the other hand, re-arranging the following summation, we get for each $1 \le t \le r$
$$\sum_{i=0}^{p^t-1} C_i^{(t)}\big(\beta^{p^{r-t}}\big) \cdot C_0^{(t)}\big(x^{p^{r-t}}\big) = \sum_{i=0}^{p^t-1} D_i^{(t)}\big(\beta^{p^{r-t}}\big) \cdot \sum_{l=0}^{p^t-1} D_l^{(t)}\big(x^{p^{r-t}}\big) = 0$$
by Lemma 3 since $\mathrm{ord}(\beta^{p^{r-t}}) = p^{t+1}$. Then using this fact we get
$$\sum_{i=(p^r+1)/2}^{p^r-1} C_i^{(t)}\big(\beta^{p^{r-t}}\big) \cdot C_0^{(t)}\big(x^{p^{r-t}}\big) = \sum_{i=(p^t+1)/2}^{p^t-1} C_i^{(t)}\big(\beta^{p^{r-t}}\big) \cdot C_0^{(t)}\big(x^{p^{r-t}}\big),$$
since the subscript $i$ of $C_i^{(t)}$ is reduced modulo $p^t$. This finishes the proof.

For example, let $p = 5$ and $r = 3$; we have
$$\begin{aligned}
G(x) &= 62 \sum_{k=1}^{4} x^{kp^3} + \sum_{i=3}^{4} C_i^{(1)}\big(\beta^{p^2}\big) \cdot C_0^{(1)}\big(x^{p^2}\big) + \sum_{i=13}^{24} C_i^{(2)}(\beta^p) \cdot C_0^{(2)}(x^p) + \sum_{i=63}^{124} C_i^{(3)}(\beta) \cdot C_0^{(3)}(x) \\
&= \sum_{i=3}^{4} C_i^{(1)}\big(\beta^{p^2}\big) \cdot C_0^{(1)}\big(x^{p^2}\big) + \sum_{i=13}^{24} C_i^{(2)}(\beta^p) \cdot C_0^{(2)}(x^p) + \sum_{i=63}^{124} C_i^{(3)}(\beta) \cdot C_0^{(3)}(x) \in \overline{\mathbb{F}}_2[x].
\end{aligned}$$
Below we compute two examples. Write $\theta_1 = \beta^{p^2}$, $\theta_2 = \beta^p$ and $\theta_3 = \beta$. Then $\theta_1$ (resp. $\theta_2$, $\theta_3$) is a primitive $p^2$-th (resp. $p^3$-th, $p^4$-th) root of unity.
If $u \in D_{17}^{(3)}$, then we have $u \in D_2^{(1)}$ and $u \in D_{17}^{(2)}$ by Lemma 2, hence we see that
$$G(\beta^u) = \sum_{i=3}^{4} C_i^{(1)}\big(\beta^{p^2}\big) \cdot C_0^{(1)}\big(\beta^{up^2}\big) + \sum_{i=13}^{24} C_i^{(2)}(\beta^p) \cdot C_0^{(2)}(\beta^{up}) + \sum_{i=63}^{124} C_i^{(3)}(\beta) \cdot C_0^{(3)}(\beta^u)$$


$$\begin{aligned}
&= \sum_{i=3}^{4} C_i^{(1)}(\theta_1) \cdot C_2^{(1)}(\theta_1) + \sum_{i=13}^{24} C_i^{(2)}(\theta_2) \cdot C_{17}^{(2)}(\theta_2) + \sum_{i=63}^{124} C_i^{(3)}(\theta_3) \cdot C_{17}^{(3)}(\theta_3) \\
&= (1 + 1) + 1 + (1 + 1 + 1) \qquad (\text{by Lemma 4}) \\
&= 0 = e_u.
\end{aligned}$$
If $u \in D_{85}^{(3)}$, then we have $u \in D_0^{(1)}$ and $u \in D_{10}^{(2)}$ by Lemma 2 again, and we get similarly
$$\begin{aligned}
G(\beta^u) &= \sum_{i=3}^{4} C_i^{(1)}(\theta_1) \cdot C_0^{(1)}(\theta_1) + \sum_{i=13}^{24} C_i^{(2)}(\theta_2) \cdot C_{10}^{(2)}(\theta_2) + \sum_{i=63}^{124} C_i^{(3)}(\theta_3) \cdot C_{85}^{(3)}(\theta_3) \\
&= (1 + 1) + (1 + 1) + 1 = 1 = e_u.
\end{aligned}$$
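The following Python is an added numerical check of Theorem 1, not code from the paper. It works with $G(x)$ expanded into the coefficient form $\frac{p^r-1}{2}\sum_k x^{kp^r} + \sum_t \sum_l \eta_l^{(t)} D_l^{(t)}(x^{p^{r-t}})$ with $\eta_l^{(t)} = \sum_{i=(p^t+1)/2}^{p^t-1} D_{i+l}^{(t)}(\beta^{p^{r-t}})$ (this is (7) of Sect. 3), and assumes that 2 is a primitive root modulo $p^{r+1}$ (true for $p = 3$ and $p = 5$), so that $\Phi_{p^{r+1}}(x) = \Phi_p(x^{p^r})$ is irreducible over $\mathbb{F}_2$ and $\beta = x$ in $\mathbb{F}_2[x]/(\Phi_{p^{r+1}})$ is a primitive $p^{r+1}$-th root of unity. It verifies $G(\beta^u) = e_u$ for every $u$ and compares the Hamming weight of $G(x)$ with the linear complexity value derived in Sect. 4.

```python
def euler_quotient(u, p, r):
    """Q_r(u) from the introduction, 0 when p | u."""
    if u % p == 0:
        return 0
    m = p ** r
    return ((pow(u, (p - 1) * p ** (r - 1)) - 1) // m) % m

def classes(p, t):
    """D_l^{(t)}, l = 0..p^t-1: the units u < p^(t+1) with Q_t(u) = l."""
    D = [[] for _ in range(p ** t)]
    for u in range(p ** (t + 1)):
        if u % p:
            D[euler_quotient(u, p, t)].append(u)
    return D

def order_mod(a, n):
    """Multiplicative order of a modulo n (gcd(a, n) = 1 assumed)."""
    k, x = 1, a % n
    while x != 1:
        x, k = x * a % n, k + 1
    return k

def xor_sum(items):
    """Sum in characteristic 2 of field elements given as bit-vector ints."""
    acc = 0
    for x in items:
        acc ^= x
    return acc

class GF2n:
    """F_2[x]/(Phi_{p^(r+1)}) with Phi_{p^(r+1)}(x) = Phi_p(x^{p^r}) = 1 + x^{p^r} + ... + x^{(p-1)p^r}.
    Elements are ints whose bits are polynomial coefficients; beta = x.  Assumption of this
    example: 2 is a primitive root modulo p^(r+1), so Phi is irreducible and this is a field."""
    def __init__(self, p, r):
        self.N = p ** (r + 1)                       # order of beta = period of (e_u)
        self.n = (p - 1) * p ** r                   # degree of Phi_{p^(r+1)}
        if order_mod(2, self.N) != self.n:
            raise ValueError("Phi_{p^(r+1)} is reducible over F_2 for this p")
        self.f = sum(1 << (k * p ** r) for k in range(p))
        self.beta = [1]                             # beta^k for k = 0 .. N-1
        for _ in range(self.N - 1):
            self.beta.append(self.mulx(self.beta[-1]))
        assert self.mulx(self.beta[-1]) == 1        # beta^N = 1

    def mulx(self, a):
        """Multiply by x and reduce modulo Phi (bit n set means degree n was reached)."""
        a <<= 1
        return a ^ self.f if (a >> self.n) & 1 else a

    def mul(self, a, b):
        """Shift-and-add product of two field elements."""
        res = 0
        while b:
            if b & 1:
                res ^= a
            a, b = self.mulx(a), b >> 1
        return res

def defining_polynomial(F, p, r):
    """G(x) of Theorem 1 as sum_t sum_l eta_l^{(t)} D_l^{(t)}(x^{p^(r-t)}) plus the
    ((p^r-1)/2) sum_k x^{k p^r} term; returned as {exponent: coefficient in F_{2^n}}."""
    N, m = F.N, p ** r
    G = {k * m: ((m - 1) // 2) % 2 for k in range(1, p)}   # coefficient read in F_2
    for t in range(1, r + 1):
        pt, s = p ** t, p ** (r - t)                # theta_t = beta^s has order p^(t+1)
        D = classes(p, t)
        Dval = [xor_sum(F.beta[s * v % N] for v in Dl) for Dl in D]   # D_l^{(t)}(theta_t)
        for l in range(pt):
            eta = xor_sum(Dval[(i + l) % pt] for i in range((pt + 1) // 2, pt))
            for v in D[l]:                          # exponents v p^(r-t) never collide
                G[s * v % N] = eta
    return G

def verify_theorem1(p, r):
    """Return (G(beta^u) == e_u for all 0 <= u < p^(r+1), Hamming weight of G)."""
    F = GF2n(p, r)
    G, m = defining_polynomial(F, p, r), p ** r
    def e(u):                                       # the sequence (3)
        return 1 if 2 * euler_quotient(u, p, r) >= m else 0
    ok = all(xor_sum(F.mul(c, F.beta[u * k % F.N]) for k, c in G.items()) == e(u)
             for u in range(F.N))
    return ok, sum(1 for c in G.values() if c)

def linear_complexity_formula(p, r):
    """p^(r+1) - p + (p-1) * ((p^r-1)/2 mod 2): the value of L((e_u)) given in Sect. 4."""
    return p ** (r + 1) - p + (p - 1) * (((p ** r - 1) // 2) % 2)
```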

3 Trace representation

The trace representation plays an important role in sequence design. The trace function from $\mathbb{F}_{2^n}$ to $\mathbb{F}_{2^k}$ is defined by
$$\mathrm{Tr}^n_k(x) = x + x^{2^k} + x^{2^{2k}} + \cdots + x^{2^{(n/k - 1)k}}.$$
For $a, b \in \mathbb{F}_{2^k}$ and $x, y \in \mathbb{F}_{2^n}$, we have $\mathrm{Tr}^n_k(ax + by) = a\,\mathrm{Tr}^n_k(x) + b\,\mathrm{Tr}^n_k(y)$. We refer the reader to [22,25] for details on the trace function. The trace representations of many famous sequences, such as Legendre and Jacobi sequences and their generalizations, have been studied in the literature [16–18].

Lemma 6 We suppose that $2^{p-1} \not\equiv 1 \pmod{p^2}$. If the order of $2$ modulo $p$ is $\lambda$, then the order of $2$ modulo $p^r$ is $\lambda p^{r-1}$ for $r \ge 2$.

Proof Let $2^\lambda = 1 + k_0p$ for some integer $k_0$, since $\lambda$ is the order of $2$ modulo $p$. We have
$$2^{\lambda p^{r-1}} \equiv (1 + k_0p)^{p^{r-1}} \equiv 1 \pmod{p^r}.$$
According to the following two claims, we prove the desired result.

Claim 1 $2^{\lambda_1 p^{r-1}} \not\equiv 1 \pmod{p^r}$ for $1 \le \lambda_1 < \lambda$.
(Proof of Claim 1) Since otherwise, we have $2^{\lambda_1} \equiv 1 \pmod p$, which contradicts the condition that $\lambda$ is the order of $2$ modulo $p$.

Claim 2 $2^{\lambda p^{r-2}} \not\equiv 1 \pmod{p^r}$.


(Proof of Claim 2) We note first that $k_0 \not\equiv 0 \pmod p$ since
$$2^{p-1} \equiv (2^\lambda)^{\frac{p-1}{\lambda}} \equiv (1 + k_0p)^{\frac{p-1}{\lambda}} \equiv 1 + \frac{p-1}{\lambda}k_0p \not\equiv 1 \pmod{p^2}.$$
Then we have
$$2^{\lambda p^{r-2}} \equiv (1 + k_0p)^{p^{r-2}} \equiv 1 + k_0p^{r-1} \not\equiv 1 \pmod{p^r}.$$
This finishes the proof.

Lemma 7 We suppose that $2^{p-1} \not\equiv 1 \pmod{p^2}$. Let $\lambda$ be the order of $2$ modulo $p$ and $Q_r(g) = 1$ for a (fixed) primitive root $g$ modulo $p^{r+1}$ for $r \ge 1$ as before. We have
$$D_l^{(r)}(x) = \sum_{j=0}^{\frac{p-1}{\lambda} - 1} \mathrm{Tr}^{\lambda p^r}_{p^r}\Big(x^{g^{jp^r + l}}\Big), \qquad l \ge 0.$$

Proof According to Lemma 6, we write
$$U^{(r)} = \{2^{jp^r} \bmod p^{r+1} : 0 \le j < \lambda\} \subseteq \mathbb{Z}_{p^{r+1}}^*.$$
It is clear that $U^{(r)}$ is a subgroup of $D_0^{(r)}$ due to $Q_r(2^{jp^r}) \equiv jp^rQ_r(2) \equiv 0 \pmod{p^r}$ for $0 \le j < \lambda$. Then we divide $D_0^{(r)}$ into $(p-1)/\lambda$ many subsets
$$U^{(r)},\ g^{p^r}U^{(r)},\ \ldots,\ g^{(\frac{p-1}{\lambda} - 1)p^r}U^{(r)}.$$
Now applying
$$U^{(r)}(x) = \sum_{u \in U^{(r)}} x^u = \mathrm{Tr}^{\lambda p^r}_{p^r}(x) \in \mathbb{F}_2[x],$$
we derive
$$D_0^{(r)}(x) = \sum_{j=0}^{\frac{p-1}{\lambda} - 1} \mathrm{Tr}^{\lambda p^r}_{p^r}\Big(x^{g^{jp^r}}\Big).$$
Then the desired result follows from the fact that $D_l^{(r)} = g^lD_0^{(r)}$ for $l \ge 0$.

Theorem 2 Let $r \ge 2$ and $\beta \in \overline{\mathbb{F}}_2$ be a fixed primitive $p^{r+1}$-th root of unity. Let $g$ be a (fixed) primitive root modulo $p^{r+1}$ such that $Q_r(g) = 1$. Let $\lambda$ be the order of $2$ modulo $p$. If $2^{p-1} \not\equiv 1 \pmod{p^2}$, then the trace representation of $(e_u)$ defined in (3) is


$$e_u = \frac{p^r - 1}{2} \sum_{k=0}^{\frac{p-1}{\lambda} - 1} \mathrm{Tr}^{\lambda}_{1}\Big(\beta^{up^rg^k}\Big) + \sum_{t=1}^{r} \sum_{l=0}^{p^t-1} \eta_l^{(t)} \sum_{j=0}^{\frac{p-1}{\lambda} - 1} \mathrm{Tr}^{\lambda p^t}_{p^t}\Big(\beta^{up^{r-t}g^{jp^t + l}}\Big),$$
where
$$\eta_l^{(t)} = \sum_{i=(p^t+1)/2}^{p^t-1} D_{i+l}^{(t)}\big(\beta^{p^{r-t}}\big). \tag{6}$$

Proof From Theorem 1, we re-write the defining polynomial $G(x)$ of $(e_u)$ as
$$G(x) = \frac{p^r - 1}{2} \sum_{k=1}^{p-1} x^{kp^r} + \sum_{t=1}^{r} \sum_{l=0}^{p^t-1} \eta_l^{(t)} D_l^{(t)}\big(x^{p^{r-t}}\big), \tag{7}$$
where $\eta_l^{(t)}$ is defined in (6). The trace representation of $D_l^{(t)}(x^{p^{r-t}})$ is given in Lemma 7. We remark that $g$ is also a primitive root modulo $p^{t+1}$ and $Q_t(g) = 1$ for all $1 \le t \le r$ since we suppose that $g$ is a primitive root modulo $p^{r+1}$ such that $Q_r(g) = 1$. So we only need to describe $\sum_{k=1}^{p-1} x^{kp^r}$ by using the trace function.
Since $\lambda$ is the order of $2$ modulo $p$ and $g$ is also a primitive root modulo $p$, we have
$$\mathbb{Z}_p^* = \bigcup_{k=0}^{\frac{p-1}{\lambda} - 1} g^k\langle 2 \rangle,$$
where $\langle 2 \rangle = \{1, 2, 2^2, \ldots, 2^{\lambda-1}\}$ generated by $2$ modulo $p$ is a subgroup of $\mathbb{Z}_p^*$. Hence we derive
$$\sum_{k=1}^{p-1} x^{kp^r} = \sum_{k=0}^{\frac{p-1}{\lambda} - 1} \mathrm{Tr}^{\lambda}_{1}\Big(x^{p^rg^k}\Big).$$
This finishes the proof.
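As an added check (not from the paper) of Lemmas 6 and 7 and of the coset decomposition used in the proof of Theorem 2, the following Python works purely with exponent sets modulo $p^{r+1}$, using that $\mathrm{Tr}^{\lambda p^r}_{p^r}(x^a) = \sum_{k<\lambda} x^{a2^{kp^r}}$ with exponents reduced modulo $x^{p^{r+1}} - 1$. It assumes $2^{p-1} \not\equiv 1 \pmod{p^2}$ as in the lemmas, and finds the primitive root with $Q_r(g) = 1$ by direct search (an assumption of the example, not the normalisation argument of Sect. 2).

```python
def euler_quotient(u, p, r):
    """Q_r(u) from the introduction, 0 when p | u."""
    if u % p == 0:
        return 0
    m = p ** r
    return ((pow(u, (p - 1) * p ** (r - 1)) - 1) // m) % m

def order_mod(a, n):
    """Multiplicative order of a modulo n, gcd(a, n) = 1 assumed."""
    k, x = 1, a % n
    while x != 1:
        x, k = x * a % n, k + 1
    return k

def classes(p, r):
    """D_l^{(r)}, l = 0..p^r-1: the units u < p^(r+1) with Q_r(u) = l."""
    D = [set() for _ in range(p ** r)]
    for u in range(p ** (r + 1)):
        if u % p:
            D[euler_quotient(u, p, r)].add(u)
    return D

def primitive_root_with_Q1(p, r):
    """Smallest primitive root g modulo p^(r+1) with Q_r(g) = 1, found by search."""
    n, phi = p ** (r + 1), (p - 1) * p ** r
    return next(g for g in range(2, n)
                if g % p and order_mod(g, n) == phi and euler_quotient(g, p, r) == 1)

def check_lemma6(p, r):
    """ord_{p^s}(2) = lambda p^(s-1) for 1 <= s <= r when 2^(p-1) != 1 (mod p^2)."""
    if pow(2, p - 1, p * p) == 1:
        raise ValueError("Wieferich prime: Lemma 6 does not apply")
    lam = order_mod(2, p)
    return all(order_mod(2, p ** s) == lam * p ** (s - 1) for s in range(1, r + 1))

def trace_exponents(a, p, r, lam):
    """Exponents of Tr^{lambda p^r}_{p^r}(x^a) = sum_{k<lambda} x^{a 2^{k p^r}},
    reduced modulo p^(r+1) (i.e. modulo x^{p^(r+1)} - 1)."""
    n = p ** (r + 1)
    return [a * pow(2, k * p ** r, n) % n for k in range(lam)]

def check_lemma7(p, r):
    """For every l, the (p-1)/lambda traces in Lemma 7 have pairwise disjoint exponent
    sets whose union is exactly D_l^{(r)}, so their sum is D_l^{(r)}(x)."""
    n, m = p ** (r + 1), p ** r
    lam, g, D = order_mod(2, p), primitive_root_with_Q1(p, r), classes(p, r)
    for l in range(m):
        exps = []
        for j in range((p - 1) // lam):
            exps += trace_exponents(pow(g, j * m + l, n), p, r, lam)
        if len(set(exps)) != len(exps) or set(exps) != D[l]:
            return False
    return True

def check_theorem2_first_term(p, r):
    """sum_{k=1}^{p-1} x^{k p^r} = sum_{k<(p-1)/lambda} Tr^lambda_1(x^{p^r g^k}) as exponent
    sets modulo p^(r+1): the cosets g^k <2> tile Z_p^*."""
    n, m = p ** (r + 1), p ** r
    lam, g = order_mod(2, p), primitive_root_with_Q1(p, r)
    exps = [m * pow(g, k, n) * pow(2, i, n) % n
            for k in range((p - 1) // lam) for i in range(lam)]
    return sorted(exps) == [k * m for k in range(1, p)]
```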


For the case of $2^{p-1} \equiv 1 \pmod{p^2}$, we see that the order of $2$ modulo $p^r$ is not always $\lambda p^{r-1}$, where $\lambda$ is the order of $2$ modulo $p$. For example, for $p = 1093$, the experimental result shows that the order of $2$ modulo $p^r$ is $\lambda = 364$ for $r = 1$ or $2$ and the order of $2$ modulo $p^r$ is $\lambda p^{r-2}$ for $r \ge 3$.
In fact, for any such $p$ (i.e., satisfying $2^{p-1} \equiv 1 \pmod{p^2}$), if $\lambda$ is the order of $2$ modulo $p^r$ for all $1 \le r \le t_0$ with a maximal integer $t_0$, then the order of $2$ modulo $p^r$ is $\lambda p^{r-t_0}$ for all $r \ge t_0 + 1$ by using a similar proof of Lemma 6. In terms of
$$U^{(r)} = \{2^j \bmod p^{r+1} : 0 \le j < \lambda\} \subseteq D_0^{(r)}, \qquad r < t_0$$
and
$$U^{(r)} = \{2^{jp^{r+1-t_0}} \bmod p^{r+1} : 0 \le j < \lambda\} \subseteq D_0^{(r)}, \qquad r \ge t_0,$$


one can apply the idea of Lemma 7 to describing the trace of each $D_l^{(r)}(x)$ and hence the defining polynomial $G(x)$ of $(e_u)$ without any difficulties.
We finally remark that such primes $p$, which are called Wieferich primes, are very rare. To date the only known such primes are $p = 1093$ and $p = 3511$, and it was reported that there are no new such primes $p < 4 \times 10^{12}$, see [15].

4 Final remarks

In this manuscript, we give the trace representation of a family of binary threshold sequences derived from Euler quotients modulo a prime power by determining the corresponding defining polynomials.
The defining polynomial of a sequence plays an important role in cryptography. It is closely related to the linear complexity of the sequence. We recall that the linear complexity $L((e_u))$ is the least order $L$ of a linear recurrence relation over $\mathbb{F}_2$
$$e_{u+L} = c_{L-1}e_{u+L-1} + \cdots + c_1e_{u+1} + c_0e_u \qquad \text{for } u \ge 0,$$
which is satisfied by $(e_u)$ and where $c_0 = 1, c_1, \ldots, c_{L-1} \in \mathbb{F}_2$, see e.g. [25,35]. For a sequence to be cryptographically strong, its linear complexity should be large and at least a half of the period according to the Berlekamp–Massey algorithm [27]. From [3] or [22, Theorem 6.3], the linear complexity of $(e_u)$ equals the number of nonzero coefficients of the defining polynomial $G(x)$, i.e., the Hamming weight of $G(x)$.
According to the proof of [19, Lemma 6], we see that $\eta_l^{(t)} \ne 0$ in (6) for all $1 \le t \le r$ and $0 \le l < p^t$. Hence if $2^{p-1} \not\equiv 1 \pmod{p^2}$, by computing the Hamming weight of $G(x)$ in (7) we get
$$\begin{aligned}
L((e_u)) &= \sum_{t=1}^{r} p^t(p-1) + \frac{p^r - 1}{2}(p - 1) \\
&= p^{r+1} - p + \frac{p^r - 1}{2}(p - 1) \\
&= \begin{cases} p^{r+1} - p, & \text{if } p \equiv 1 \pmod 4, \\ p^{r+1} - p, & \text{if } p \equiv 3 \pmod 4 \text{ and } r \text{ is even}, \\ p^{r+1} - 1, & \text{if } p \equiv 3 \pmod 4 \text{ and } r \text{ is odd}, \end{cases}
\end{aligned}$$
which has been proved in [19, Theorem 1]. The coefficient $\frac{p^r - 1}{2}$ above is taken in $\mathbb{F}_2$, i.e., it satisfies
$$\frac{p^r - 1}{2} = \begin{cases} 0, & \text{if } \frac{p^r - 1}{2} \text{ is even}, \\ 1, & \text{otherwise.} \end{cases}$$

It is natural to ask whether the results can be extended to the case of general modulus. For general modulus $m$, M. Sha introduced a different quotient called the Carmichael quotient by using the Carmichael function in [29]. Since the unit group $\mathbb{Z}_m^*$ need not be

cyclic, the largest order occurring amongst elements in $\mathbb{Z}_m^*$ is $\lambda(m)$, the Carmichael function of $m$, defined by
$$\lambda(m) = \mathrm{lcm}\big(\lambda(p_1^{e_1}), \ldots, \lambda(p_r^{e_r})\big),$$
where $m = p_1^{e_1} \cdots p_r^{e_r}$ is the prime factorization of $m$, and
$$\lambda(p^e) = \begin{cases} p^{e-1}(p - 1), & \text{if } p \ge 3 \text{ or } e \le 2, \\ 2^{e-2}, & \text{if } p = 2 \text{ and } e \ge 3, \end{cases}$$
for a prime power $p^e$.


Then the Carmichael quotient $C_m(u)$ modulo $m$ is defined as
$$C_m(u) \equiv \frac{u^{\lambda(m)} - 1}{m} \pmod m, \qquad 0 \le C_m(u) \le m - 1,$$
where $\gcd(u, m) = 1$. For every positive integer $m$, we have $\lambda(m) \mid \varphi(m)$, and $\lambda(m) = \varphi(m)$ if and only if $m \in \{1, 2, 4, p^e, 2p^e\}$, where $p$ is an odd prime and $e \ge 1$. It seems better to use Carmichael quotients than Euler quotients for applications by [29, Proposition 2.1]. Certain binary sequences are considered in [36] when $m = 2^r$ and $m = 2p$, respectively.
One can find that Lemma 4 plays a key role in our arguments. The requirement that $\mathbb{Z}_m^*$ is cyclic is needed in the proof. So the approach of this correspondence can be extended to the case $m = 2p^r$. However, it seems difficult for us to extend it to the cases of $m = 2^r$ and general odd $m$ without more knowledge. We leave it open.

Acknowledgments The authors wish to thank the anonymous referees and the editor for their patience in reading this manuscript and their helpful suggestions. Z. Chen was partially supported by the National Natural Science Foundation of China under Grant No. 61373140. X. Du was partially supported by the National Natural Science Foundation of China under Grants 61202395, 61462077 and the Program for New Century Excellent Talents in University (NCET-12-0620).

References
1. Agoh, T., Dilcher, K., Skula, L.: Fermat quotients for composite moduli. J. Number Theory 66(1),
29–50 (1997)
2. Aly, H., Winterhof, A.: Boolean functions derived from Fermat quotients. Cryptogr. Commun. 3,
165–174 (2011)
3. Blahut, R.E.: Transform techniques for error control codes. IBM J. Res. Dev. 23, 299–315 (1979)
4. Bourgain, J., Ford, K., Konyagin, S., Shparlinski, I.E.: On the divisibility of Fermat quotients. Mich.
Math. J. 59, 313–328 (2010)
5. Chang, M.C.: Short character sums with Fermat quotients. Acta Arith. 152, 23–38 (2012)
6. Chen, Z.: Trace representation and linear complexity of binary sequences derived from Fermat quotients. Sci. China Inf. Sci. 57(11), 112109(10) (2014). doi:10.1007/s11432-014-5092-x
7. Chen, Z., Du, X.: On the linear complexity of binary threshold sequences derived from Fermat quotients.
Des. Codes Cryptogr. 67, 317–323 (2013)
8. Chen, Z., Gómez-Pérez, D.: Linear complexity of binary sequences derived from polynomial quotients.
In: Proceedings of the 7th Int’l Conference on Sequences and Their Applications-SETA 2012, Lecture
Notes in Computer Science, vol. 7280, pp. 181–189. Springer, Heidelberg (2012)


9. Chen, Z., Hu, L., Du, X.: Linear complexity of some binary sequences derived from Fermat quotients.
China Commun. 9(2), 105–108 (2012)
10. Chen, Z., Niu, Z., Wu, C.: On the k-error linear complexity of binary sequences derived from polynomial
quotients. Sci. China Inf. Sci. 58 (2015). doi:10.1007/s11432-014-5220-7
11. Chen, Z., Ostafe, A., Winterhof, A.: Structure of pseudorandom numbers derived from Fermat quotients. In: Proceedings of the Third Int'l Workshop on Arithmetic of Finite Fields-WAIFI 2010, Lecture Notes in Computer Science, vol. 6087, pp. 73–85. Springer, Heidelberg (2010)
12. Chen, Z., Winterhof, A.: On the distribution of pseudorandom numbers and vectors derived from
Euler–Fermat quotients. Int. J. Number Theory 8(3), 631–641 (2012)
13. Chen, Z., Winterhof, A.: Additive character sums of polynomial quotients. In: Proceedings of the 10th
International Conference on Finite Fields and Their Applications-Fq10, Contemporary Mathematics,
vol. 579, pp. 67–73. American Mathematical Society, Providence, RI (2012)
14. Chen, Z., Winterhof, A.: Interpolation of Fermat quotients. SIAM J. Discrete Math. 28, 1–7 (2014)
15. Crandall, R., Dilcher, K., Pomerance, C.: A search for Wieferich and Wilson primes. Math. Comp.
66(217), 433–449 (1997)
16. Dai, Z., Gong, G., Song, H.: Trace representation and linear complexity of binary e-th residue
sequences. In: Int’l Workshop on Coding and Cryptography-WCC 2003, pp. 121–133. Versailles,
France (2003)
17. Dai, Z., Gong, G., Song, H.: A trace representation of binary Jacobi sequences. Discrete Math. 309,
1517–1527 (2009)
18. Dai, Z., Gong, G., Song, H., Ye, D.: Trace representation and linear complexity of binary e-th power
residue sequences of period p. IEEE Trans. Inf. Theory 57, 1530–1547 (2011)
19. Du, X., Chen, Z., Hu, L.: Linear complexity of binary sequences derived from Euler quotients with
prime-power modulus. Inf. Process. Lett. 112(12), 604–609 (2012)
20. Du, X., Klapper, A., Chen, Z.: Linear complexity of pseudorandom sequences generated by Fermat
quotients and their generalizations. Inf. Process. Lett. 112(6), 233–237 (2012)
21. Ernvall, R., Metsänkylä, T.: On the p-divisibility of Fermat quotients. Math. Comp. 66(219), 1353–1365 (1997)
22. Golomb, S.W., Gong, G.: Signal Design for Good Correlation. Cambridge University Press, Cambridge
(2005)
23. Gómez-Pérez, D., Winterhof, A.: Multiplicative character sums of Fermat quotients and pseudorandom
sequences. Period. Math. Hungar. 64, 161–168 (2012)
24. Jungnickel, D.: Finite Fields: Structure and Arithmetics. Bibliographisches Institut, Mannheim (1993)
25. Lidl, R., Niederreiter, H.: Finite Fields. Addison-Wesley, Reading, MA (1983)
26. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes. Elsevier, Amsterdam (1977)
27. Massey, J.L.: Shift register synthesis and BCH decoding. IEEE Trans. Inf. Theory 15(1), 122–127
(1969)
28. Ostafe, A., Shparlinski, I.E.: Pseudorandomness and dynamics of Fermat quotients. SIAM J. Discrete
Math. 25(1), 50–71 (2011)
29. Sha, M.: The arithmetic of Carmichael quotients. Period. Math. Hungar. (2015). doi:10.1007/s10998-014-0079-3
30. Shparlinski, I.E.: Character sums with Fermat quotients. Q. J. Math. 62(4), 1031–1043 (2011)
31. Shparlinski, I.E.: Bounds of multiplicative character sums with Fermat quotients of primes. Bull. Aust.
Math. Soc. 83(3), 456–462 (2011)
32. Shparlinski, I.E.: On the value set of Fermat quotients. Proc. Am. Math. Soc. 140(4), 1199–1206 (2012)
33. Shparlinski, I.E.: Fermat quotients: exponential sums, value set and primitive roots. Bull. Lond. Math.
Soc. 43(6), 1228–1238 (2011)
34. Shparlinski, I.E., Winterhof, A.: Distribution of values of polynomial Fermat quotients. Finite Fields
Appl. 19, 93–104 (2013)
35. Winterhof, A.: Linear complexity and related complexity measures. In: Selected Topics in Information
and Coding Theory, pp. 3–40. World Scientific, Singapore (2010)
36. Wu, C., Chen, Z., Du, X.: Binary threshold sequences derived from Carmichael quotients with even
numbers modulus. IEICE Trans. Fund. 95–A(7), 1197–1199 (2012)
