On Inverses of Permutation Polynomials of Small Degree over Finite Fields

Permutation polynomials (PPs) and their inverses have applications in cryptography, coding theory and combinatorial design. In this paper, we give a brief summary of the inverses of PPs of finite fields, and list the inverses of all normalized PPs of degree at most 5. In this list, the explicit inverse of a class of fifth degree PPs is our main result, which is obtained by using some congruences of binomial coefficients, Lucas' theorem, and a known formula for the inverses of PPs of finite fields.


I. INTRODUCTION
For a prime power $q$, let $\mathbb{F}_q$ denote the finite field with $q$ elements, $\mathbb{F}_q^* = \mathbb{F}_q \setminus \{0\}$, and $\mathbb{F}_q[x]$ the ring of polynomials over $\mathbb{F}_q$. A polynomial $f \in \mathbb{F}_q[x]$ is called a permutation polynomial (PP) of $\mathbb{F}_q$ if it induces a bijection from $\mathbb{F}_q$ to itself. Hence for any PP $f$ of $\mathbb{F}_q$, there exists a polynomial $f^{-1} \in \mathbb{F}_q[x]$ such that $f^{-1}(f(c)) = c$ for each $c \in \mathbb{F}_q$, or equivalently $f^{-1}(f(x)) \equiv x \pmod{x^q - x}$, and $f^{-1}$ is unique in the sense of reduction modulo $x^q - x$. Here $f^{-1}$ is defined as the compositional inverse of $f$ on $\mathbb{F}_q$, and we simply call it the inverse of $f$.
PPs of finite fields have been extensively studied for their applications in coding theory, combinatorial design, cryptography, etc. For instance, PPs of finite fields with even characteristic were used in [13] to construct a number of families of binary cyclic codes. The Dickson PPs of degree 5 of finite fields with characteristic 3 were employed in [12] to construct new examples of skew Hadamard difference sets, which are inequivalent to the classical Paley difference sets. In block ciphers, a permutation is often used as an S-box to build the confusion layer during the encryption process and the inverse is needed while decrypting the cipher. PPs are useful in the construction of bent functions [10], [26], [27], which have the optimal nonlinearity for offering resistance against the fast correlation attack on stream ciphers and the linear attack on block ciphers. PPs are employed in [15] to construct circular Costas arrays, which are useful in sonar and radar communications. PPs are also applied in the construction of check digit systems that detect the most frequent errors [34].
The study of PPs of finite fields has a long history. In 1897, Dickson [11] listed all normalized PPs of degree $\le 5$ of $\mathbb{F}_q$ for all $q$, and classified all PPs of degree 6 of $\mathbb{F}_q$ for odd $q$. In 2010, the complete classification of PPs of degree 6 and 7 of $\mathbb{F}_{2^n}$ was settled in [20]. In recent years, a lot of progress has been made on the construction of PPs of finite fields; see for example [17], [21], [24], [49], [50] for permutation binomials and trinomials of the form $x^r h(x^{q-1})$ of $\mathbb{F}_{q^2}$, see [39], [51] for PPs of the form $(x^q - x + c)^s + L(x)$ of $\mathbb{F}_{q^2}$, see [23], [54] for PPs of the form $(ax^q + bx + c)^r \phi((ax^q + bx + c)^s) + ux^q + vx$ of $\mathbb{F}_{q^2}$, and see [3], [4], [6] for PPs of the form $x^s + \gamma h(f(x))$. For a detailed introduction to the developments on PPs, we refer the reader to [18], [25], [29] and the references therein.
The problem of explicitly determining the inverses of these PPs is a more challenging problem. In theory one could directly use the Lagrange interpolation formula, but for large finite fields (the useful cases cryptographically) this becomes very inefficient. In fact, there are few known classes of PPs whose inverses have been obtained explicitly. It is also interesting to note that the explicit formulae of the inverses of low degree PPs have been neglected in the literature. This motivates us to give a short review of the progress in this topic and find explicit expressions of inverses of all classes of PPs of degree ≤ 7 in [11], [20], [35].
The rest of the paper is organized as follows. Section II gives a brief summary of the results concerning the inverses of PPs of finite fields. In Section III, we obtain the inverses of all PPs of degree 6 of finite fields $\mathbb{F}_q$ for all $q$, and the inverses of all PPs of degree 7 of $\mathbb{F}_{2^n}$. For simplicity, we only list in Table I all normalized PPs of degree $\le 5$ and their inverses. In particular, the inverse of the PP $F(x) = x^5 - 2ax^3 + a^2x$ of $\mathbb{F}_{5^n}$ is shown in Theorem 7, which is the main result of this paper. Section IV starts with a formula for computing the inverse of an arbitrary PP, which was first presented in [30]. This formula provides all the coefficients of the inverse of a PP $f(x)$ by computing the coefficients of $x^{q-2}$ for all the powers $f(x)^i$ ($1 \le i \le q-2$). Based on this method, we convert the problem of computing the inverse of $F(x)$ into the problem of finding the values of four classes of binomial coefficients. Section V gives the explicit values of these binomial coefficients by using Lucas' theorem and several congruences of binomial coefficients.
Table I (only one row survives extraction): the PP $x^4$ with inverse $x^{q/4}$ for $q = 2^n$ (Thm 2).

In [25, Table 7.1], the PP $L(x) = x^4 + bx^2 + ax$ (if its only root in $\mathbb{F}_{2^n}$ is 0) was listed. Since $x^4 + bx^2$ is not a PP of $\mathbb{F}_{2^n}$ for any $b \in \mathbb{F}_{2^n}^*$, we divide $L(x)$ into $x^4$, $x^4 + ax$ ($a$ not a cube), and $x^4 + bx^2 + ax$ ($ab \ne 0$, $S_n + aS_{n-2}^2 = 1$) in Table I. The motivation is to give the explicit inverses of $x^4$ and $x^4 + ax$. The sequence $\{S_i\}$ is defined as follows:

[25, Table 7.1]. We impose a restriction $a \ne 0$ on it in Table I, so that the normalized PP $x^5$ can be listed separately.

II. PPS AND THEIR INVERSES
We now give a brief summary of the results concerning the inverses of PPs of finite fields, some of which will be used in the next section.
Linear PPs. For $a \ne 0$, $b \in \mathbb{F}_q$, $ax + b$ is a PP of $\mathbb{F}_q$ and its inverse is $a^{-1}(x - b)$.
Monomials. For a positive integer $n$, $x^n$ is a PP of $\mathbb{F}_q$ if and only if $\gcd(n, q-1) = 1$. In this case, the inverse is $x^m$, where $mn \equiv 1 \pmod{q-1}$.
Dickson PPs. The Dickson polynomial $D_n(x, a)$ of the first kind of degree $n$ with parameter $a \in \mathbb{F}_q$ is given as where $\lfloor n/2 \rfloor$ denotes the largest integer $\le n/2$. It is known that $D_n(x, a)$ is a PP of $\mathbb{F}_q$ if and only if $\gcd(n, q^2 - 1) = 1$.
Its inverse is determined in [22] by the following lemma. [22, Lemma 4.8] Let $m, n$ be positive integers such that $mn \equiv 1 \pmod{q^2 - 1}$. Then the inverse of $D_n(x, a)$ on $\mathbb{F}_q$ is $D_m(x, a^n)$.
PPs of the form $x^r h(x^s)$. The first systematic study of PPs of $\mathbb{F}_q$ of the form $f(x) = x^r h(x^s)$ was made in [38], where $q - 1 = ds$, $1 \le r < s$ and $h \in \mathbb{F}_q[x]$. A criterion for $f$ to be a PP of $\mathbb{F}_q$ was given in [38]. Later on, several equivalent criteria were found in other papers; see for instance [32], [40], [55]. Essentially, it says that $f$ is a PP of $\mathbb{F}_q$ if and only if $\gcd(r, s) = 1$ and $x^r h(x)^s$ permutes $U_d := \{1, \omega, \cdots, \omega^{d-1}\}$, where $\omega$ is a primitive $d$-th root of unity of $\mathbb{F}_q$. [30, Theorem 1] characterized all the coefficients of the inverse of $x^r g(x^s)^d$ on $\mathbb{F}_q$, where $\gcd(r, q-1) = 1$. This result was generalized in [41], and the inverse of $f$ on $\mathbb{F}_q$ is given by where $1 \le r < s$ and $r\bar{r} + st = 1$. This inverse was also obtained later by a piecewise method in [52]. When $\gcd(r, q-1) = 1$, the inverse of $f$ on $\mathbb{F}_q$ is given in [22] by where $rr' \equiv 1 \pmod{q-1}$ and $\ell(x)$ is the inverse of $x^r h(x)^s$ on $U_d$. The method employed in [22] is a multiplicative analogue of [36] and [47].
It is known that $L$ is a PP of $\mathbb{F}_{q^n}$ if and only if the associated Dickson matrix is nonsingular [25, Page 362]. In this case, the inverse is given in [48, Theorem 4.8] by
The inverses of some special linearized PPs are also obtained; see [44] for the inverse of an arbitrary linearized permutation binomial, see [46] for the inverse of $x + x^2 + \mathrm{Tr}(x/a)$ on $\mathbb{F}_{2^n}$, and see [45] for the inverses of other linearized PPs. Very recently, linearized PPs of the form $L(x) + K(x)$ of $\mathbb{F}_{q^n}$ and their inverses are presented in [33, Theorem 3.1], where $L$ is a linearized PP of $\mathbb{F}_{q^n}$, and $K$ is a nilpotent linearized polynomial such that $L \circ K = K \circ L$.

Bilinear PPs. The product of two linear functions is a bilinear function. Let $q$ be even and $n$ be odd. The inverse of the bilinear PP $x(\mathrm{Tr}_{q^n/q}(x) + ax)$ of $\mathbb{F}_{q^n}$ was obtained in [9], where $a \in \mathbb{F}_q \setminus \mathbb{F}_2$. The inverse of more general bilinear PPs of $\mathbb{F}_{q^n}$ was given in [47] in terms of the inverse of bilinear

Let $h$ be an arbitrary mapping from $\mathbb{F}_q$ to itself. [19, Theorem 6] where $p$ is the characteristic of $\mathbb{F}_{q^n}$. The study of PPs of the form $F_3(x) = x^s + \alpha \mathrm{Tr}(x^t)$ of $\mathbb{F}_{2^n}$ was originated in [4], [5], where $1 \le s, t \le 2^n - 2$, $\alpha \in \mathbb{F}_{2^n}^*$, and $\mathrm{Tr}$ is the absolute trace function. A criterion for $F_3$ to be a PP of $\mathbb{F}_{2^n}$ was given in [5], [6]. If $F_3$ is a PP of $\mathbb{F}_{2^n}$ and $t = s(2^i + 1)$ for some $0 \le i \le n-1$ and $i \ne n/2$, then the inverse is given in [6, Theorem 4]

Involutions. An involution is a permutation whose inverse is itself. A systematic study of involutions over $\mathbb{F}_{2^n}$ was made in [8]. The authors characterized the involution property of monomials, Dickson polynomials [7] and linearized polynomials over $\mathbb{F}_{2^n}$, and proposed several methods of constructing new involutions from known ones. In particular, involutions of the form $G(x) + \gamma f(x)$ were studied in [8], where $G$ is an involution, $\gamma \in \mathbb{F}_{2^n}^*$ and $f \in \mathbb{F}_{2^n}[x]$. Moreover, the number of fixed points of involutions over $\mathbb{F}_{2^n}$ was also discussed in [8].
A class of involutions over $\mathbb{F}_{2^n}$ with no fixed points was given in [33]. Involutions satisfying special properties were presented in [10], [26], [27] to construct bent functions.
PPs from the AGW criterion. The Akbary-Ghioca-Wang (AGW) criterion [1] is an important method for constructing PPs. A necessary and sufficient condition for $f$ of the form to be a PP of $\mathbb{F}_{q^n}$ was given in [1] by using the additive analogue of the AGW criterion, where $h, \psi, \phi, g \in \mathbb{F}_{q^n}[x]$ satisfy some conditions. In [36], the inverse of $f$ was written in terms of the inverses of two other polynomials bijecting two subspaces of $\mathbb{F}_{q^n}$, where one of these is a linearized polynomial. In some cases, these inverses can be explicitly obtained. Further extensions of [36] can be found in [37]. The general results in [36], [37] also contain some concrete classes mentioned earlier such as bilinear PPs [47], linearized PPs of the form $L(x) + K(x)$ [33], and PPs of the form $x + \gamma f(x)$ with $b$-linear translator $\gamma$ [19].
Generalized cyclotomic mapping PPs. Cyclotomic mapping PPs of finite fields were introduced in [31], [40], and were generalized in [42]. A simple class of generalized cyclotomic mapping PPs of $\mathbb{F}_q$ was defined in [42] as where $q - 1 = ds$, $a_i \in \mathbb{F}_q^*$, $1 \le r_i < s$ and $\omega$ is a primitive $d$-th root of unity of $\mathbb{F}_q$. Several equivalent criteria for $f$ permuting $\mathbb{F}_q$ were given in [42, Theorem 2.2], and one is that $f$ is a PP of $\mathbb{F}_q$ if and only if gcd( The inverse of $f$ on $\mathbb{F}_q$ is given in [43], [52] by where $1 \le r_i < s$ and $r_i \bar{r}_i + st_i = 1$. In [43], all involutions of the form (1) are characterized, and a fast algorithm is provided to generate many classes of these PPs, their inverses, and involutions. The class of PPs of the form $x^r h(x^s)$ is in fact a special case of generalized cyclotomic mapping PPs.
More general piecewise PPs. The idea of more general piecewise constructions of permutations was summarized in [2], [14]. Piecewise constructions of inverses of piecewise PPs were studied in [52], [53]. As applications, the inverse of the PP $f(x) = ax + x^{(q+1)/2}$ of $\mathbb{F}_q$ was given in [53] by was also obtained in [53], where $p$ is an odd prime, and $a, b, c \in \mathbb{F}_{p^n}$ such that $ab$ is a nonzero square. Three classes of involutions of finite fields were also given in [52], [53]. In addition, the PP $f$ in (1) can be written in piecewise form, and its inverse was deduced by the piecewise method in [52].
we can obtain $f$ in normalized form, that is, $f$ is monic, $f(0) = 0$, and when the degree $m$ of $f$ is not divisible by the characteristic of $\mathbb{F}_q$, the coefficient of $x^{m-1}$ is 0. It suffices, therefore, to study normalized PPs. In 1897, Dickson [11] listed all normalized PPs of degree $\le 5$ of $\mathbb{F}_q$ for all $q$, and classified all PPs of degree 6 of $\mathbb{F}_q$ for odd $q$. In 2010, the complete classification of PPs of degree 6 and 7 of $\mathbb{F}_{2^n}$ was settled in [20], which is complete up to an equivalence relation on the set of polynomials over $\mathbb{F}_{2^n}$. For a recent verification of the classification of normalized PPs of degree 6 of $\mathbb{F}_q$ for all $q$, see [35].
According to the complete classifications of PPs in [11], [20], [35], all PPs of degree 6 of $\mathbb{F}_q$ for all $q$ are over small fields $\mathbb{F}_q$ with $q \le 32$, except for $x^6$ over $\mathbb{F}_{2^n}$. All PPs of degree 7 of $\mathbb{F}_{2^n}$ are over $\mathbb{F}_{2^n}$ with $n \le 4$, except for $x^7$ and $x^7 + x^5 + x$. The inverses of PPs of $\mathbb{F}_q$ with $q \le 32$ can be calculated by the Lagrange interpolation formula or by Theorem 8 in the next section. The inverses of the PPs $x^6$ and $x^7$ of $\mathbb{F}_{2^n}$ can be obtained by the following Theorem 2. The polynomial $x^7 + x^5 + x$ is actually the degree 7 Dickson polynomial $D_7(x, 1)$ over $\mathbb{F}_{2^n}$, and so its inverse is $D_m(x, 1)$, where $m$ is the inverse of 7 modulo $2^{2n} - 1$. In short, we can obtain the inverses of all PPs of degree 6 of $\mathbb{F}_q$ for all $q$ and the inverses of all PPs of degree 7 of $\mathbb{F}_{2^n}$.
In the rest of this section, we give the inverses of all normalized PPs of degree $\le 5$ in [11], which are actually the same as those in [25, Table 7.1] or in Table I above. Since the inverses of normalized PPs of small fields $\mathbb{F}_q$ with $q \le 13$ can be obtained by the Lagrange interpolation formula, we need only consider the normalized PPs of degree $\le 5$ of $\mathbb{F}_q$ for infinitely many $q$.

A. Inverses of monomials
The inverse of $x$ is clearly itself, and the inverse of $x^2$ on $\mathbb{F}_{2^n}$ is $x^{2^{n-1}}$. The following theorem gives the explicit inverse of $x^m$ on $\mathbb{F}_q$ for $m \ge 3$.
, and $\varphi$ is Euler's phi function.
The inverse of $x^m$ ($3 \le m \le 5$) can be obtained from this theorem; see Table I.

B. Inverses of linearized binomials and trinomials
Assume $L_{st}(x) := bx^{q^s} + cx^{q^t}$ is an arbitrary linearized binomial of $\mathbb{F}_{q^n}$, where $b, c \in \mathbb{F}_{q^n}^*$ and $0 \le t < s \le n-1$.
The inverse of $L_r$ on $\mathbb{F}_{q^n}$ is given in [44] as follows.
where $a \in \mathbb{F}_{q^n}^*$ and $1 \le r \le n-1$. Then $L_r$ is a PP of $\mathbb{F}_{q^n}$ if and only if the norm $N_{q^n/q^d}(a) \ne 1$, where $d = \gcd(n, r)$. In this case, its inverse on $\mathbb{F}_{q^n}$ is
The norm $N_{q^n/q^d}(a) \ne 1$ if and only if $a$ is not a $(q^d - 1)$th power. Hence, Theorem 3 gives the inverse of $x^{q^r} - ax$ for $q^r = 3, 4, 5$ in Table I.
The normalized PP of the form $x^4 + bx^2 + ax$ of $\mathbb{F}_{2^n}$ is the only linearized trinomial in Table I. Its inverse has a close relation with the sequence where $1 \le i \le n$ and $a, b \in \mathbb{F}_{2^n}^*$. An argument similar to that in [16, Lemma 2] leads to an equivalent definition of $S_i$:
Denote $Z_n = S_n + aS_{n-2}^2$. Then and so $Z_n = 0$ or $1$. A criterion for $f(x) = x^{q^2} + bx^q + ax$ to be a PP of $\mathbb{F}_{q^n}$ and the inverse of $f$ were presented in [45, Theorem 3.2.29]. Taking $q = 2$ in this theorem and using the fact that $Z_n = 0$ or $1$, we obtain the following corollary.
In this case, the inverse of $L$ on $\mathbb{F}_{2^n}$ is
Note that Corollary 4 holds for $n = 1, 2$. Indeed, if $n = 1$ then $L(x) \equiv L^{-1}(x) \equiv x \pmod{x^2 + x}$. If $n = 2$ and $L$ is a PP of $\mathbb{F}_4$, then $L(x) \equiv L^{-1}(x) \equiv bx^2 \pmod{x^4 + x}$.
The necessary and sufficient condition for $L$ permuting $\mathbb{F}_{2^n}$ can also be obtained by [16, Proposition 2]. This proposition also shows that $M_0 = (2^n - (-1)^n)/3$, where $M_0$ is the number of $c \in \mathbb{F}_{2^n}^*$ such that $P_c(x) = x^3 + x + c$ has no root in $\mathbb{F}_{2^n}$. Since $L(b^{1/2}x) = b^2 x(x^3 + x + ab^{-3/2})$, $L$ is a PP of $\mathbb{F}_{2^n}$ if and only if $P_c$ has no root in $\mathbb{F}_{2^n}$, where $c = ab^{-3/2}$. Hence the number of pairs $a, b \in \mathbb{F}_{2^n}^*$ such that $L$ permutes $\mathbb{F}_{2^n}$ is equal to $(2^n - 1)(2^n - (-1)^n)/3$, which implies that the probability of $L$ permuting $\mathbb{F}_{2^n}$ is approximately $1/3$.

C. Inverses of non-linearized trinomials
In Table I, there are only two infinite classes of non-linearized permutation trinomials. One is the polynomial $x^5 + ax^3 + 5^{-1}a^2x$, where $a \in \mathbb{F}_q$ and $q \equiv \pm 2 \pmod 5$. It is actually the degree 5 Dickson PP $D_5(x, -5^{-1}a)$, and so its inverse on $\mathbb{F}_q$ is $D_m(x, -(5^{-1}a)^5)$, where $m = (3q^2 - 2)/5$. The other is as follows.
Lemma 5. [25, Table 7.1] Let $f(x) = x^5 - 2ax^3 + a^2x$, where $a \in \mathbb{F}_{5^n}^*$ and $n \ge 1$. Then $f$ is a PP of $\mathbb{F}_{5^n}$ if and only if $a^{(q-1)/2} = -1$.
The inverse of $f$ was given in [22] by solving equations over finite fields. [22, Lemma 4.9] The inverse of $f$ in Lemma 5 on $\mathbb{F}_{5^n}$ is where $x \in \mathbb{F}_{5^n}^*$ and $f^{-1}(0) = 0$. By employing the method in the next section, we obtain the explicit polynomial form of $f^{-1}$ as follows.

Theorem 7. The inverse of $f$ in Lemma 5 on $\mathbb{F}_{5^n}$ is
Proof. Here we only verify the correctness of the theorem. It suffices to show that $f^{-1}(f(x)) \equiv x \pmod{x^{5^n} - x}$. Let Then $f^{-1}(x) = a^{-(5^n - 1)/4} x^{(5^n - 1)/2} g(x)$ and Therefore, Also note that $a \in \mathbb{F}_{5^n}$ is not a square. We have

Remark 1. Theorem 7 can be obtained from Theorem 6 and the identity
. However, we will demonstrate our method of deducing Theorem 7 in the next sections. The main reason is that our method can also be used to find the inverses of other PPs of small degree.
In summary, all inverses of normalized PPs of degree ≤ 5 are obtained. For convenience, we list these PPs and their inverses in Table I.

IV. THE COEFFICIENTS OF THE INVERSE OF A PP
In this section, we write the coefficients of the inverse of the PP $f$ in Lemma 5 in terms of binomial coefficients, by employing the following formula (5), first presented in [30].
Theorem 8. (See [30]) Let $f \in \mathbb{F}_q[x]$ be a PP of $\mathbb{F}_q$ and let for $i = 1, 2, \ldots, q-2$. Then the inverse of $f$ on $\mathbb{F}_q$ is
where the last identity follows from The proof is completed.
[30], [41]. All these results are essentially part of Theorem 2 in [28]. For completeness, we include a proof using the Lagrange interpolation formula.
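As an added example (not the paper's code), the following Python implements the method of Theorem 8 described in Section I, in the form $f^{-1}(x) = \sum_{i=1}^{q-2} b_i x^{q-1-i}$ with $b_i$ the coefficient of $x^{q-2}$ in $f(x)^i \bmod (x^q - x)$, which is derived here from Lagrange interpolation and power sums, and checks it on constructed $n = 1$ instances of the two degree-5 trinomial classes of Table I. It assumes a prime field $\mathbb{F}_p$ (the theorem holds for any $q$; the restriction only avoids extension-field arithmetic), and the Dickson inverse $D_m(x, a^n)$ from Section II is recomputed independently as a cross-check.

```python
# Added example (not the paper's code): Theorem 8's coefficient formula for f^{-1},
# checked by composition and against the Dickson inverse D_m(x, a^n) of Section II.
# Polynomials are coefficient lists indexed by exponent; p is assumed prime.

def poly_mul_mod(f, g, p):
    """Product of f and g over F_p reduced mod x^p - x (x^k -> x^{k-(p-1)} while k >= p)."""
    prod = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            prod[i + j] = (prod[i + j] + a * b) % p
    red = [0] * p
    for k, c in enumerate(prod):
        while k >= p:
            k -= p - 1
        red[k] = (red[k] + c) % p
    return red

def strip(f):                                  # drop trailing zeros for comparisons
    while len(f) > 1 and f[-1] == 0:
        f = f[:-1]
    return f

def eval_poly(f, x, p):
    return sum(c * pow(x, k, p) for k, c in enumerate(f)) % p

def is_permutation(f, p):
    return len({eval_poly(f, x, p) for x in range(p)}) == p

def inverse_theorem8(f, p):
    """f^{-1}(x) = sum_{i=1}^{p-2} b_i x^{p-1-i}, where b_i is the coefficient of
    x^{p-2} in f(x)^i mod (x^p - x); the constant term is the root of f."""
    if not is_permutation(f, p):
        raise ValueError("f is not a permutation polynomial of F_p")
    inv, power = [0] * p, [1]                 # power holds f^i
    for i in range(1, p - 1):
        power = poly_mul_mod(power, f, p)
        inv[p - 1 - i] = power[p - 2]
    inv[0] = next(c for c in range(p) if eval_poly(f, c, p) == 0)
    return strip(inv)

def composes_to_identity(g, f, p):
    """True iff g(f(c)) = c for every c in F_p."""
    return all(eval_poly(g, eval_poly(f, c, p), p) == c for c in range(p))

def dickson(n, a, p):
    """D_n(x, a) over F_p (n >= 1) reduced mod x^p - x, via D_k = x D_{k-1} - a D_{k-2}."""
    prev, cur = [2 % p], [0, 1]               # D_0 = 2, D_1 = x
    for _ in range(n - 1):
        xcur = poly_mul_mod([0, 1], cur, p)
        nxt = [(xcur[k] - a * (prev[k] if k < len(prev) else 0)) % p for k in range(p)]
        prev, cur = cur, nxt
    return strip(cur)

# Constructed n = 1 instances of the two degree-5 trinomial classes of Table I: x^5 - 2a x^3
# + a^2 x over F_5 with a = 2 (a non-square), and x^5 + a x^3 + 5^{-1} a^2 x over F_7 with
# a = 1 (7 = 2 mod 5, 5^{-1} = 3 in F_7), i.e. the Dickson polynomial D_5(x, -5^{-1} a) = D_5(x, 4).
F5_TRINOMIAL = [0, 4, 0, 1, 0, 1]
F7_TRINOMIAL = [0, 3, 0, 1, 0, 1]
```

Over $\mathbb{F}_5$ the first trinomial reduces to $x^3$ as a function, so its inverse is again $x^3$; over $\mathbb{F}_7$ the Theorem 8 inverse coincides with $D_{29}(x, 4^5)$, matching $m = (3q^2 - 2)/5 = 29$ from Section III.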
V. EXPLICIT VALUES OF BINOMIAL COEFFICIENTS
In this section, we first give the explicit values of the binomial coefficients in (9), and then prove Theorem 7. In order to remove the multiples of $q$ in these binomial coefficients, we need the following lemma.
Proof. By the Chu-Vandermonde identity, we have According to Lemma 9, for $0 \le m \le 4T + 1$, we obtain where we use the fact $\binom{-n}{m} = (-1)^m \binom{m+n-1}{m}$ for $m, n > 0$.
For $0 \le m \le 2T$, the Chu-Vandermonde identity leads to Similarly, for $0 \le m \le T$, we have (13)
In order to find the explicit values of the last binomial coefficients in (10)-(13), we need Lucas' theorem.
Lemma 10 (Lucas' theorem). For non-negative integers $n, k$ and a prime $p$, let $n = n_0 + n_1 p + \cdots + n_s p^s$, $k = k_0 + k_1 p + \cdots + k_s p^s$ be their $p$-adic expansions, where $0 \le n_i, k_i \le p-1$ for $i = 0, 1, \ldots, s$. Then In particular, $\binom{n}{k} \not\equiv 0 \pmod p$ if and only if $n_i \ge k_i$ for all $i$. Now we give a result about the binomial coefficients in (10).
By Lucas' theorem and Lemma 9, (i) is equivalent to (ii).
Two criteria for $\binom{5m+3}{m} \not\equiv 0 \pmod 5$ are given in the theorem above. The following theorem finds the explicit values of this binomial coefficient.
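As an added illustration (not part of the paper) of how Lemma 10 decides whether the binomial coefficient above vanishes modulo 5: write $m$ in base 5 and compare it digit by digit with $5m + 3$,

$$m = \sum_{i=0}^{s} m_i 5^i, \qquad 5m + 3 = 3 + \sum_{i=0}^{s} m_i 5^{i+1}, \qquad 0 \le m_i \le 4,$$

so the base-5 digits of $5m+3$ are $(3, m_0, m_1, \ldots, m_s)$ and those of $m$ are $(m_0, m_1, \ldots, m_s, 0)$. Lemma 10 then gives

$$\binom{5m+3}{m} \equiv \binom{3}{m_0}\binom{m_0}{m_1}\binom{m_1}{m_2}\cdots\binom{m_{s-1}}{m_s}\binom{m_s}{0} \pmod 5,$$

which is nonzero modulo 5 exactly when $m_0 \le 3$ and $m_0 \ge m_1 \ge \cdots \ge m_s$. For instance, $m = 7 = 2 + 1 \cdot 5$ gives $\binom{38}{7} \equiv \binom{3}{2}\binom{2}{1}\binom{1}{0} = 6 \equiv 1 \pmod 5$ (indeed $\binom{38}{7} = 12620256$), while $m = 4$ gives $\binom{23}{4} \equiv \binom{3}{4}\binom{4}{0} = 0 \pmod 5$ (indeed $\binom{23}{4} = 8855$).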
The proof is quite similar to that of Case 2 and so is omitted.
The following corollary presents a congruence relation for two binomial coefficients.
Next we study the last binomial coefficient in (11).
The proof that (i) is equivalent to (ii) is divided into two cases.
An argument similar to the one used in Theorem 11 can show that (ii) is equivalent to (iii).