IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH 2000
On a Conjectured Ideal Autocorrelation Sequence and a Related Triple-Error Correcting Cyclic Code

Anchung Chang, Member, IEEE, Peter Gaal, Solomon W. Golomb, Fellow, IEEE, Guang Gong, Tor Helleseth, Fellow, IEEE, and P. Vijay Kumar, Member, IEEE
Abstract—In a recent paper, No, Golomb, Gong, Lee, and Gaal conjectured that certain binary sequences having a simple trace description possess the ideal autocorrelation property. In the present correspondence it is shown that each such sequence is balanced and, moreover, that the dual of the linear cyclic code generated by the sequence and its cyclic shifts, is a triple-error correcting code having the same weight distribution as the triple-error correcting Bose–Chaudhuri–Hocquenghem (BCH) code. This cyclic code also contains a cyclic subcode that yields a new family of sequences having the same size and correlation parameters as does the family of Gold sequences.

Index Terms—Autocorrelation, BCH code, cyclic codes, cyclic Hadamard difference sets, Gold codes, ideal autocorrelation, triple-error correcting code.
Manuscript received August 7, 1998; revised October 20, 1999. This work was supported in part by the National Science Foundation under Grant NCR9612864 and in part by the Norwegian Research Council. A. Chang is with Hughes Space and Communications, Los Angeles, CA 90009 USA. P. Gaal is with Qualcomm Inc., San Diego, CA 92121 USA. S. W. Golomb and P. V. Kumar are with the University of Southern California, Los Angeles, CA 90089-2565 USA. G. Gong is with the Center for Applied Cryptographic Research, Department of Combinatorics and Optimization, University of Waterloo, Waterloo, Ont. N2L 3G1, Canada. T. Helleseth is with the Department of Informatics, University of Bergen, N-5020 Bergen, Norway. Communicated by T. Kløve, Associate Editor for Coding Theory. Publisher Item Identifier S 0018-9448(00)01684-9.

I. INTRODUCTION

For any integer $k \ge 1$ let $F_{2^k}$ denote the finite field of $2^k$ elements. Let $m \ge 2$ be an integer and $n = 2m + 1$. Let $T : F_{2^n} \to F_2$ denote the trace function given by

$$T(x) = \sum_{i=0}^{n-1} x^{2^i}, \qquad x \in F_{2^n}.$$

Set to be a primitive element of $F_{2^n}$ and set $r = 2^{m+1} + 1$. Based upon extensive numerical evidence, it has been conjectured by No, Golomb, Gong, Lee, and Gaal [18] that the sequence

s(t) = T t + rt + r t

has the ideal autocorrelation function, i.e.,

2 02 t=0 0 1; 01; n 2 0 s(t+ )+s(t) ( 1) = if = 0 otherwise.

Let F denote the family of $2^n + 1$ sequences

F = T rt + r t + t +i 0 i 2n 0 2 T rt + r t T t :

Other numerical results (for $n$ odd, $5 \le n \le 19$) suggest that the family of sequences F has a correlation distribution identical to that of the well-known family of binary Gold sequences. This conjecture appears in [9] and has recently been proven in [6]. A Gold sequence family has a similar description as do the sequences in family F . The only change required is that the terms rt + r t in the above, are replaced by dt for a suitable integer d. A formal definition of Gold sequences and the correlation spectrum of a Gold sequence family may be found in [19, pp. 603–606]. For additional descriptions, see [11] and [12], as well as the original paper by Gold [8]. A different family of sequences also having the same correlation distribution as the Gold sequence family is presented in [1].

The first result of the correspondence will show that $\{s(t)\}$ has the balance property, i.e.,

$$\sum_{t=0}^{2^n-2} (-1)^{s(t)} = -1$$

which is a necessary condition for the sequence to have the ideal autocorrelation property. This will be shown by proving that the function

$$f(x) = x + x^r + x^{r^2}$$

is a permutation polynomial, i.e., by showing that the function $f$ is a one-one map from $F_{2^n}$ onto $F_{2^n}$. Note that s(t) = T (f (t )).

Let $C$ denote the $[2^n - 1, 3n]$ binary cyclic code given by

C = T at + brt + cr t a; b; c 2 F 2n :
The second and main result of the correspondence will establish that for $n$ odd, $n \ge 5$, the dual $C^{\perp}$ of the code $C$ is a triple-error correcting cyclic code having the same weight distribution as the triple-error correcting primitive Bose–Chaudhuri–Hocquenghem (BCH) code of the same length. To the authors’ knowledge, this result has not previously appeared in the literature. The weight distribution of the dual of the triple-error correcting BCH is given in [15, p. 669]. The weight distribution of the code itself may be found using MacWilliams’ identities.

Proof of the main result proceeds as follows. It is first shown that the minimum Hamming distance $d$ of $C^{\perp}$ is 7. Next, a theorem of McEliece is used to show that the Hamming weight of each codeword in $C$ is divisible by $2^m$. McEliece’s theorem [15], [17] connects the divisibility of codeword weights by powers of 2 to the smallest number of nonzeros of $C$ whose product is 1. Application of McEliece’s theorem in the present instance led the authors to an interesting and nontrivial tiling problem. Thereafter, the proof follows Lemma 3 of a recent paper by Canteaut, Charpin, and Dobbertin [2] who build on an earlier technique of Kasami [13].

Section II proves balance of the sequence $\{s(t)\}$ and also that $C^{\perp}$ has minimum distance 7. Section III contains the divisibility result. Section IV concludes the proof using the approach of Kasami and of Canteaut, Charpin, and Dobbertin.
0018–9448/00$10.00 © 2000 IEEE
Note: Since the initial submission of this manuscript, Dillon and Dobbertin [6] have proven that the conjectured sequences indeed have ideal autocorrelation function.

II. BALANCE AND A BOUND ON DUAL DISTANCE

Theorem 1: The function $f(x) = x + x^r + x^{r^2} : F_{2^n} \to F_{2^n}$ is a permutation polynomial.

Proof: Since $(r, 2^n - 1) = 1$, $r$ is invertible (mod $2^n - 1$). In fact, if we set $q = 2^{m+1}$, $r^{-1} = q - 1$ is easily checked. Let $g(x)$ be the function defined by $g(x) = f(x^{-(q-1)})$.
assumed to be nonzero; and a “?” will represent transform coefficients whose values are either unknown or irrelevant. It will be found convenient to argue separately the cases of odd and even weight codewords. Within these two classes, we will investigate subclasses obtained by assuming elements belonging to certain chosen cyclotomic cosets to either be zero or nonzero. Often codewords within such subclasses can be analyzed for their minimum Hamming weight using either the BCH or HT bounds. Case i): Odd weight codewords (i.e., A0 = 1). a) Ar+2 6= 0 and A3r+2 6= 0. The rank of the matrix is at least as large as the rank of the following submatrix:
Then it can be verified by straightforward substitution that $g(g(x)) = x$, i.e., $g$ is an involution. It follows that $f$, like $g$, is a permutation polynomial.
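The following is an added example, not code from the paper: a brute-force check of Theorem 1, the involution g, and the balance and ideal autocorrelation properties of s(t) = T(f(x^t)) for n = 5 and n = 7. It assumes the field is built from the primitive polynomials x^5 + x^2 + 1 and x^7 + x + 1 with the root x as primitive element, and reads the third exponent of f as r^2; all function names are illustrative.

```python
"""Brute-force check of f(x) = x + x^r + x^(r^2) over GF(2^n), n = 2m + 1."""

# Assumption: GF(2^n) is built from these primitive polynomials (bit i is the
# coefficient of x^i); the paper does not fix one. 2^5 - 1 and 2^7 - 1 are
# prime, so the root x (the integer 2) is a primitive element in both fields.
PRIMITIVE_POLY = {5: 0b100101, 7: 0b10000011}  # x^5 + x^2 + 1, x^7 + x + 1
ALPHA = 2


def gf_mul(a, b, n):
    """Multiply two field elements: carry-less product reduced mod the polynomial."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= PRIMITIVE_POLY[n]
    return result


def gf_pow(a, e, n):
    """a**e in GF(2^n); exponents are reduced mod 2^n - 1, so negatives are allowed."""
    if a == 0:
        return 0  # only called with positive exponents when a is zero
    e %= (1 << n) - 1
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, n)
        a = gf_mul(a, a, n)
        e >>= 1
    return result


def trace(x, n):
    """T(x) = sum over i = 0..n-1 of x^(2^i); the result is 0 or 1."""
    total = 0
    for _ in range(n):
        total ^= x
        x = gf_mul(x, x, n)
    return total


def params(n):
    """Return (q, r) with q = 2^(m+1) and r = q + 1 for n = 2m + 1."""
    m = (n - 1) // 2
    q = 1 << (m + 1)
    return q, q + 1


def f(x, n):
    _, r = params(n)
    return x ^ gf_pow(x, r, n) ^ gf_pow(x, r * r, n)


def g(x, n):
    """g(x) = f(x^-(q-1)), defined for nonzero x."""
    q, _ = params(n)
    return f(gf_pow(x, -(q - 1), n), n)


def is_permutation(n):
    return len({f(x, n) for x in range(1 << n)}) == 1 << n


def g_is_involution(n):
    return all(g(g(x, n), n) == x for x in range(1, 1 << n))


def sequence(n):
    """One period of s(t) = T(f(ALPHA^t)), t = 0 .. 2^n - 2."""
    s, x = [], 1
    for _ in range((1 << n) - 1):
        s.append(trace(f(x, n), n))
        x = gf_mul(x, ALPHA, n)
    return s


def balance_sum(s):
    return sum((-1) ** bit for bit in s)


def autocorrelation(s, tau):
    period = len(s)
    return sum((-1) ** (s[(t + tau) % period] ^ s[t]) for t in range(period))


if __name__ == "__main__":
    for n in (5, 7):
        s = sequence(n)
        off_peak = {autocorrelation(s, tau) for tau in range(1, len(s))}
        print(n, is_permutation(n), g_is_involution(n), balance_sum(s), off_peak)
```
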
Our next result will make use of a bound on the minimum distance of cyclic codes due to Hartmann and Tzeng [15]. A version of the theorem that applies in the present situation is stated below. Theorem 2—Hartmann–Tzeng: Let g(x) 2 F 2 [x] be the generator polynomial of a cyclic code 0 of length 2n 0 1 and let be a primitive element of F 2 . If g(l+ic +jc ) = 0 for i = 0; 1; 2; 1 1 1 ; d0 0 2 and j = 0; 1; 2; 1 1 1 ; s, where l is an arbitrary integer and (2n 0 1; c1 ) = (2n 0 1; c2 ) = 1, then the minimum distance d of 0 satisfies d d0 + s. Setting s = 0; c1 = obtains the BCH bound.
A =
02
111
t ;
2n
0
at = 0; 1; ; 2: t=0 Considering A as a periodic sequence of period 2n 1, it is well known (see, for example, [20] or as pointed out by a referee, [16, Theorem II.5]) that the Hamming weight of a equals the linear complexity [12] (also called linear span) of the sequence A . It therefore is enough to show that
f g
0
f g
rank
A0 A1 .. .
A1 A2 .. .
111 A 0 111 A 2
..
.
0
We apply the HT bound with the following parameters:
The rank of the matrix is at least as large as the rank of the following submatrix:
f2r + 1; 3r + 1g Cr :
A = 0;
rank
+ A1 A2 A2 ? A1 Ar01 Ar Ar+1 Ar Ar+1 + Ar+1 + ? A2r+1 A2r+2 ? = 0 and Ar+3 = 0.
? A4 + ? ? +
Ar+1 + + ? A2r A2r+1 A2r+1 A2r+2 A2r+2 ? A3r+2 +
d)
Ar+2
e)
Ar ; 1 1 1 ; Ar+3 we get d 6. Ar+2 = 0, Ar+3 6= 0, and A3r+2 = 0.
= 6:
Applying the BCH bound using consecutive zeros
Ar01 ;
f)
We apply the HT bound with parameters l + ic1 + jc2 , l = 1, c1 = 1, c2 = r , i = 0; 1, and j = 0; 1; 2; 3. (Again, both c1 = 1 and c2 = r are relative prime to 2n 0 1.) The HT bound then gives d 6. Ar+2 = 0, Ar+3 6= 0, A3r+2 6= 0, and A2r+3 = 0.
g)
l + ic1 + jc2 , l = r 0 1, c1 = 1, c2 = r + 1, i = 0; 1; 2; 3, and j = 0; 1. (Both c1 = 1 and c2 = r + 1 are relative prime to 2n 0 1.) The HT bound gives d 6. Ar+2 = 0, Ar+3 6= 0, A3r+2 6= 0, and A2r+3= 6= 0.
7:
We know that the codewords a in C ? satisfy
2 C1 [ Cr [ Cr :
In what follows, we will employ the following notation: we will write to represent a Fourier transform coefficient of a codeword in C ? that is known to equal 0; a “+” will denote elements that are known or
Ai
c)
l+ic1+jc2 , l=r01, c1 =1, c2 =r+1, i=0; 1; 2, and j =0; 1; 2. (It is easily checked that (2n 0 1; c1 ) = (2n 0 1; c2 ) = 1). The HT bound then gives d 6. Ar+2 6= 0, A3r+2 = 0, and A3r+3 6= 0.
We apply the HT bound with the following parameters:
A2 02 A0 1 1 1 A2 03 Let us define two elements a; b 2 Z2 01 to be equivalent if a = 2i b (mod 2n 0 1); for some i 0: This partitions Z2 01 into equivalence classes which are called [15] 2-cyclotomic cosets modulo 2n 0 1. Let Cl ; l 2 Z2 01 denote the 2-cyclotomic coset containing l. Then the following can be verified: r 0 1 2 C1 fr; r + 1; 2r; 2r + 2g Cr 3r 0 1 2 Cr+2 2r 0 1 2 Cr+3
Ar+2
2
.. .
= 6:
b)
1 in the Hartmann–Tzeng (HT) bound, one
Theorem 3: The minimal distance d of C ? is at least 7. Proof: We use the fact that d is also equal to the minimum weight of a nonzero codeword in C ? . Let a = [a0 ; a1 ; 1 1 1 ; a2 02 ] be a codeword in C ? and let be, as before, a primitive element of F 2 . The Fourier transform A of a is defined by 2
rank
Ar01 Ar Ar+1 + A2r A2r+1 Ar Ar+1 + ? A2r+1 A2r+2 Ar+1 + ? ? A2r+2 ? + ? ? ? ? + A2r A2r+1 A2r+2 ? A3r+1 + ? A2r+1 A2r+2 ? + + 6= 0, A3r+2 = 0, and A3r+3 = 0.
The rank of the matrix is at least as large as the rank of the following submatrix:
rank
Ar01 Ar Ar+1 Ar+2 Ar Ar+1 Ar+2 + Ar+1 Ar+2 + ? Ar+2 + ? ? + ? ? ? A2r+1 A2r+2 + A2r+4
+ ? ? ? ? ?
A2r A2r+1 A2r+2 + A2r+4 +
= 6:
In each of the above cases, we found that $d \ge 6$. Since by assumption the codeword weights are odd, the bound can be improved to $d \ge 7$ as desired.

Case ii): Even-weight codewords (i.e., $A_0 = 0$).

a) $A_{r+2} \ne 0$, $A_{3r+2} \ne 0$, and $A_{2r-1} \ne 0$. The rank of the matrix is at least as large as the rank of the submatrix shown in (1) at the bottom of this page.

b) $A_{r+2} \ne 0$, $A_{3r+2} \ne 0$, and $A_{2r-1} = 0$. The rank of the matrix is at least as large as the rank of the submatrix shown in (2) at the bottom of this page.

c) $A_{r+2} \ne 0$ and $A_{3r+2} = 0$. The rank of the matrix is at least as large as the rank of the submatrix shown in (3) at the bottom of this page.

d) $A_{r+2} = 0$ and $A_{r+3} = 0$. We apply the HT bound with the following parameters $l + ic_1 + jc_2$, $l = r - 1$, $c_1 = 1$, $c_2 = r - 1$, $i = 0, 1, 2, 3, 4$, and $j = 0, 1$. (Both $c_1 = 1$ and $c_2 = r - 1$ are relative prime to $2^n - 1$.) The HT bound gives $d \ge 7$.

e) $A_{r+2} = 0$ and $A_{r+3} \ne 0$. The rank of the matrix is at least as large as the rank of the submatrix shown in (4) at the bottom of the following page.

Thus in all cases, we obtain $d \ge 7$.

III. DIVISIBILITY OF WEIGHTS
We begin by stating a key theorem, due to McEliece [17]. Theorem 4—McEliece: Let 0 be a binary cyclic code, and let l be the smallest number such that l nonzeros of the code 0 (with repetitions allowed) have product 1. Then the weight of every codeword in 0 is divisible by 2l and there is at least one codeword in C whose weight is not divisible by 2l+1 .
Theorem 5: The Hamming weight of each codeword in $C$ is divisible by $2^m$. There is at least one codeword in $C$ whose weight is not divisible by $2^{m+1}$.
rank
rank
rank
A0 A1 A2 Ar01 Ar Ar+1 + A0 A1 A2 ? Ar01 Ar+1 + A0 A1 A2 ? Ar01 Ar+1 +
Ar01 Ar Ar+1 A2r02 + A2r A2r+1 Ar01 Ar Ar+1 + A2r02 A2r A2r+1 A1 A2 ? A4 Ar + ?
Ar Ar+1 + + A2r A2r+1 A2r+2
Fig. 1. The fundamental tiles $s_0$, $d_0$, and $t_0$.
Proof: The nonzeros of the cyclic code C under study here are 01 , 0r , 0r . Clearly, replacing the nonzeros of a code by their reciprocals does not alter the divisibility of the code as given by McEliece’s theorem. Let $A = C_1 \cup C_r \cup C_{r^2}$. Thus to apply McEliece’s theorem to $C$, we need to find the smallest number of elements drawn from $A$ that when added together, yield a multiple of $2^n - 1$.

In the sequel we will at times regard an integer $a \in A$ as an $n$-tuple corresponding to the base-2 representation of $a$. Contrary to conventional notation, we will assume that the leftmost bit of this $n$-tuple is the least significant bit. It then makes sense to speak of the Hamming weight of an element $a$ of $A$. Note that in the above viewpoint, all the elements in $C_1$ have weight one, those in $C_r$ have weight two, and that each element in $C_{r^2}$ has weight three. Note also that the $n$-tuple representations of the different elements within a fixed cyclotomic coset $C_l$ are all cyclic shifts of each other.

For obvious reasons, we will refer to elements in $C_1$, $C_r$, and $C_{r^2}$ as singles, doubles, and triples, respectively. Furthermore, we will use $s_i, d_j, t_k$, $0 \le i, j, k \le n - 1$ to denote the modulo $2^n - 1$ reductions of the integers $2^i$, $2^{m+j} r$, $2^{m-1+k} r^2$, respectively. The translation factors $2^m, 2^{m-1}$ in the definition of $d_0, t_0$ are for convenience in pictorial depiction. The integers $s_0, d_0, t_0$ are provided in picture form in Fig. 1. Thus each picture only identifies the location of 1’s in the corresponding $n$-tuple.
Ar+1 + A2r A2r+1 + + A2r+1 A2r+2 + ? A2r+2 ? A2r A2r+1 + ? A2r+1 A2r+2 ? A3r+1 A2r+2 ? A3r+1 + ? + + ?
Ar Ar+1 + A2r A2r+1 Ar+1 + Ar+3 A2r+1 A2r+2 + Ar+3 ? A2r+2 ? ? ? ? + Ar+3 A2r01 A2r A2r+1 + ? A2r+1 A2r+2 ? A3r+1 + A2r+2 ? + + ? Ar01 Ar Ar+1 + Ar Ar+1 + ? Ar+1 + ? ? + ? ? ? A2r02 ? A2r A2r+1 A2r A2r+1 A2r+2 ? A2r+1 A2r+2 ? +
A2r A2r+1 A2r+2 ? + A3r+1 A3r+2
=7
=7
=7
(1)
(2)
(3)
Fig. 2. Tiling with doubles and a single. Only the doubles are shown.
Let B be a collection of elements, drawn from $A$ of minimum possible size whose elements sum to an integer multiple of $2^n - 1$. Note that the collection B cannot really contain repetitions since if B contains the element $a \in A$ twice, we can get a smaller set whose elements also add to a multiple of $2^n - 1$ simply by replacing the two $a$’s by the element $2a \pmod{2^n - 1}$ that is also contained in $A$. Thus we may redefine B to be a subset of $A$ of minimal size whose elements sum to a multiple of $2^n - 1$.
certain column by a 1 in the carrybox of the succeeding column as the process of clearing a carry. Since = [2n 0 1 0 ( 0 1)] + [ 0 1]2n , it follows that after carries have been cleared in columns 0 through n 0 2, there will be 2( 0 1) carries that are cleared in column n 0 1. At this stage, we depart from the normal process of binary addition and place the ( 0 1) 1’s arising from clearing carries in column n 0 1 in the carrybox associated to column 0. We then repeat the addition process moving from column 0 through to column n 0 1 again. After reaching column n 0 1, the process is terminated. This modification of the process of binary addition will have the effect of replacing the normal sum n n = ((2 0 1) 0 ( 0 1)) + 2 ( 0 1)
Lemma 6: $|B| \le m + 1$.

Proof: Consider the set $B'$ containing the single $s_0$ and the $m$ doubles $d_i$, $i = 1, 2, \cdots, m$. The doubles are shown in Fig. 2. Clearly, $B'$ is a subset of $A$ of size $m + 1$ and the elements of $B'$ add to $2^n - 1$. The lemma follows.

Let us next assume that B is of size 1 m. Our aim is to arrive at a contradiction, thereby proving that the minimal set B is of size $m + 1$, i.e., the set displayed in Lemma 6 is a minimal set.
by the wrap-around sum n n wa = (2 0 1) 0 ( 0 1) + ( 0 1) = 2 0 1: Note that wa has weight n. Let wB denote the Hamming weight of the binary ( 2 n) matrix B . Clearly, wB 3 3m. Since clearing a carry under wrap-around addition results in the replacement of two 1’s by a single 1, and since the sum vector wa has Hamming weight n = 2m + 1, it follows that there can be at most
Step 1: It will be shown as a first step, that without loss of generality, the elements of B can be assumed to sum to 2n 0 1 exactly (as opposed to a multiple of 2n 0 1). Let b1 ; b2 ; 1 1 1 ; b be the elements of B and let us visualize the elements bi as being stacked on top of each other in some order, to b . Since form a 2 n matrix B of 0’s and 1’s. Let = i=1 i n = 0 (mod 2 0 1), we can define the integer by = (2n 0 1) . We will now describe a process of binary addition with carry, which will cause the rows of B to sum to the integer 2n 0 1 represented by the all-1 tuple. We will term this as wrap-around addition. Each column of B is associated with a carrybox that is initially empty. During the addition process, the carrybox may be filled with one or more 1’s. Wrap-around addition of the rows of B begins with addition of the elements in the leftmost column. If the leftmost column has two or more 1’s, then each pair of 1’s in column 0 is replaced by a single 1 placed in the carrybox associated with column 1. If there is a single 1 remaining in column 0 after all pairs have been so replaced, then we place a 1 in the column zero position of the sum vector wa which we will call the wrap-around sum vector. After addition in column 0 has been completed, we move to column 1 and repeat this process. While adding entries in column 1 of B , we treat the 1’s belonging to the carrybox of column 1 in the same way as the 1’s in other locations of column 1. We will refer to the process of replacing a pair of 1’s in a
rank
A0 A1 A2 Ar01 Ar +
A2r02
3
0 (2m + 1) 3m 0 (2m + 1) = m 0 1
carries that are cleared in all. Since n = 2m + 1 > m 0 1, there is at least one column, say column 0 j0 n 0 1, in which a carry did not need to be cleared, at any stage during the wrap-around addition process. If j0 = n 0 1 then this implies = 2n 0 1 since it follows that 2n 0 1 and we already know that is a multiple of 2n 0 1. Thus we may assume that j0 n 0 2. Since no carries are cleared in column j0 , this means that the carrybox associated with column j0 + 1 is empty. Next, let B0 be the set derived from B by replacing each element b 2 B by b:20(j +1) (mod 2n 0 1). Let the 2 n matrix B 0 correspond to B0 as B does to B . One can view B 0 as being derived from B by cyclically shifting the columns of B to the left by j0 + 1 columns. Thus column j0 + 1 of B is column 0 of B 0 , etc. (see Table I). Let 0 denote the sum of the rows of B 0 , i.e., 0 0 = bi : i=1
Ar01 Ar Ar+1 A2r02
Ar Ar+1 Ar+2
Ar+1 Ar+2
Ar+2
+
+
?
+
?
?
+
A2r
A2r+1 A2r+2
A2r+2
+
?
A2r+2
?
+
?
?
A2r A2r+1 A2r+4 A3r01
A1 A2 ?
Ar Ar+1
?
?
?
?
A3r+1
=7
(4)
TABLE I RELATING THE COLUMNS OF THE MATRICES B
Clearly,
0
=
(mod 2n 0 1) = 0 (mod 2n 0 1):
We claim that 0 = 2n 0 1. To see this, we add the rows of B 0 using normal binary addition (not wrap-around addition). However, we carry out this addition in a somewhat unconventional way, in three stages as described below. To begin with, ignoring the carries cleared in columns 0 through n 0 1 0 (j0 + 1) of matrix B 0 , let us begin addition of the rows of B 0 by adding the entries in columns n 0 (j0 + 1) and clearing carries in the usual way. Normally, there would be additional 1’s in the carrybox of column n 0 (j0 + 1) of B 0 arising from carries cleared in the previous column (n 0 1) 0 (j0 + 1), but here we are for the time being ignoring these. We then proceed to the right, clearing carries as we go along, in the usual way. Let denote the binary vector that is the result of this addition. Let the leftmost n 0 (j0 + 1) bits of be set to zero. The next j0 +1 entries are the result of adding the entries in columns n 0 (j0 +1) through column n 0 1 of B 0 as described above. Clearly, addition of columns n 0 (j0 + 1) through column n 0 1 of B 0 is identical to addition of columns 0 through j0 of the matrix B (see Table I) and we know that there are no carries to be cleared in column j0 of B . Since column j0 of B corresponds to column n 0 1 of the matrix B 0 , it follows that there are no carries cleared in column n 0 1 of B 0 if we ignore, as we have done, the 1’s placed in the carrybox of column n 0 (j0 + 1) of B 0 . We claim that even if the carries placed in the carrybox of column n 0 (j0 + 1) of B 0 are taken into account, there will still be no carries cleared in column n 0 1 of B 0 , i.e.,
0
n =2
01
and thus we are done if this claim is proven. To prove the claim, let us now add the entries in column 0 of B 0 in the usual way and proceed, clearing carries until we reach column (n 0 1) 0 (j0 + 1). Let the results of addition of these columns be used to replace the first n 0 (j0 + 1) bits of which previously were set to 0 0. Next, column (n 0 1) 0 (j0 + 1) of B corresponds to column n 0 1 of B and we know that there are 2( 0 1) carries that are cleared there. Since no carries were cleared in column j0 of B it follows that there are 2( 0 1) carries cleared in column (n 0 1) 0 (j0 + 1) of B 0 as well. However, clearing the carries in column (n 0 1) 0 (j0 + 1) of B 0 will not affect the fact that no carries are cleared in column n 0 1 of B 0 since column n 0 1 of B 0 corresponds to column j0 of B and in column j0 of B , there was no clearing of carries during the entire wrap-around addition procedure. This proves that = 0 2n 0 1 which forces
= 0 = 2n 0 1. To summarize, we have shown to this point that if a minimal set B of size 1 m exists, we may assume the elements of this minimal set to sum to 2n 0 1 exactly. Step 2: Our next goal is to show that any minimal set B whose associated matrix B has some column of Hamming weight greater than 1 can be replaced by a second minimal set B of the same or lesser size whose associated matrix B has columns of weight exactly 1. We first consider the result of adding a pair of elements drawn from A that overlap. By overlap we mean that if the base-2 representations of the two numbers form the rows of a 2 2 n array, then some column of this matrix has weight 2. Figs. 3 and 4 show all possible pairs of
AND
B
elements drawn from A except that if a; b 2 A are shown in the figure, then the pair i n 2 a (mod 2
0 1); 2i b (mod 2n 0 1)
is not displayed. A horizontal line divides the original from its replacement. In the pairs shown in the figure, with two exceptions, the sum of the pair is either a third element in A or else the sum of a nonoverlapping pair contained in A. We shall refer to these as “replacements.” Also, as can be seen from the figure, in every case in which such a replacement is possible, the replacements have the same integer sum but a smaller Hamming weight. Returning to the minimal set B and its associated matrix B , we know that we can assume that the elements of B add to exactly 2n 0 1. Consider the leftmost column of B in which there is more than one 1. There must be an odd number 3 of 1’s in that column since the rows of B sum to 2n 0 1 which in binary representation, is a string of n consecutive 1’s. As a result, at least one pair of elements in B corresponding to rows in B containing a 1 in that column can be replaced either by an element drawn from A or else by a pair of elements drawn from A which do not overlap such that the sum of the elements in the set B after such replacement is still 2n 0 1. Clearly, this process can be repeated until one arrives at a collection B whose associated matrix B has all columns of Hamming weight 1. The process is guaranteed not to continue indefinitely since the Hamming weight decreases whenever there is a replacement. Step 3: Finally, to finish the proof it is enough to show that it is impossible to have a nonoverlapping set B , i.e., a set whose associated matrix B has all columns of weight one, of size m. Consider a nonoverlapping set B of size m. Let ns ; nd ; nt denote the number of singles, doubles, and triples in B , respectively. Then we have
ns + 2nd + 3nt
= 2m + 1:
There must be at least one triple for otherwise, from the above, with nt = 0 we would get
ns + 2nd
= 2m + 1
leading to
m + 1: Consider a triple ti 2 B . Since B is a nonoverlapping set, in the matrix B associated with B , there must be precisely one 1 in column i 0 1 (mod n). After studying the various possibilities one realizes that ns + nd
the only way in which this is possible, while avoiding overlaps is if si01 2 B . Thus there must be at least as many singles as triples, i.e.,
ns
nt :
When combined with ns + 2nd + 3nt = (2m + 1), this gives 2nd + 4nt
2m + 1
i.e.,
nd + 2nt
m + 1 which implies ns + nd + nt m + 1
Fig. 3. Six pairs of tiles and their replacements.
and we have the desired contradiction. This completes proof of the theorem.

IV. WEIGHT DISTRIBUTION OF THE CYCLIC CODE

Set $q = 2^n$ and consider the linear code $C^{\perp}_{\mathrm{BCH}} =$
x2F q
0
2s
(; ) 0
6=
Tr((a +a )x+( b +b )x +(c +c )x )
( 1)
and
M20 s =
M20 s = q6 F (0; 2s) 0 q3+2s ;
;
where s = 1; 2; 3;
111:
for s = 1; 2; 3
where F (0; 2s) are in Table II (see, for example, [14]). Since n is odd, it is known [15] that for 6=
ax + bx3 + cx5 x 2 F q a; b; c 2 F q :
Tr
This code is the extended dual code of the triple-error-correcting BCH code having zeros f1; 3; 5g. Let
0; =
A version of the Pless power-moment identities gives us
0; 2
0;
6
2q;
6
8q
:
Thus we can also write
M20 s = 1 (2q)s + 2 (8q)s ; for some rational numbers 1 and 2 : The sequence fM20 s g1 s=1 thus satisfies the recursion with characteristic polynomial (z
0 2q)(z 0 8q) = z 0 10qz + 16q 2
2
Fig. 4. Replacements for six more pairs of tiles. ? identities that the second, fourth, and sixth moments of C ? and CBCH are the same. We now prove
TABLE II COEFFICIENTS IN THE PLESS POWER-MOMENT IDENTITIES
? Theorem 7: C ? and CBCH have the same 5-level (nonzero) weight distribution. Proof: Let
;
=
x2F n
0
Tr ((a +a )x+( b +b )x +( c +c )x
( 1)
)
and i.e., 0 2 0 M20 (s+2) 0 10qM2( s+1) + 16q M2s
M2s = 0;
for s = 1; 2; 3;
111: (5)
The minimum distance of the cyclic code C defined in the first section is at least 7 from Theorem 3. It follows from the Pless power-moment
=
2s
6=
(; )
;
where s = 1; 2; 3;
111:
Since the minimum distance of C and CBCH is at least 7, M2s = M20 s for s = 1; 2; 3. From Theorem 5, the Hamming weight of each codeword in C ? is divisible by 2m . We now proceed along the lines of the proof of Lemma 3 of Canteaut, Charpin, and Dobbertin [2]. We can assume
; = Vi 2m+1 where Vi is some integer and let fi be the number of ; = Vi 2m+1 . Thus, M2s =
l i=1
fi Vi2s 22s(m+1) :
(6)
From (5)
$$M'_6 - 10qM'_4 + 16q^2M'_2 = M_6 - 10qM_4 + 16q^2M_2 = 8q^3 \sum_{i=1}^{l} f_i V_i^2 (V_i^2 - 4)(V_i^2 - 1) = 0.$$

Therefore, the only possible value of $V_i$ are $0$, $\pm 1$, and $\pm 2$. Thus as in the case of $C^{\perp}_{\mathrm{BCH}}$, for 6= ,

; 2 0; 6 2q; 6 8q :

Since the first three even moments $M_{2s}$, $M'_{2s}$ for $s = 1, 2, 3$ are the same, it follows that the two codes have the same weight distribution.

REFERENCES

[1] S. Boztaş and P. V. Kumar, “Binary sequences with Gold-like correlation but larger linear span,” IEEE Trans. Inform. Theory, vol. 40, pp. 532–537, Mar. 1994.
[2] A. Canteaut, P. Charpin, and H. Dobbertin, “Binary m-sequences with three-valued crosscorrelation: A proof of Welch’s conjecture,” IEEE Trans. Inform. Theory, vol. 46, pp. 4–8, Jan. 2000.
[3] A. Chang, “Minimum distance and decoding algorithm for cyclic codes,” Ph.D. dissertation, Univ. So. Calif., Los Angeles, CA, 1998.
[4] A. Chang, P. Gaal, S. W. Golomb, G. Gong, and P. V. Kumar, “On a sequence conjectured to have ideal 2-level autocorrelation function,” in IEEE Int. Symp. Information Theory, Cambridge, MA, Aug. 16–21, 1998, p. 468.
[5] A. Chang, T. Helleseth, and P. V. Kumar, “Further results on a conjectured 2-level autocorrelation sequence,” in 36th Ann. Allerton Conf. Communication, Control and Computing, Allerton, IL, Sept. 23–25, 1998.
[6] J. Dillon and H. Dobbertin, Cyclic difference sets with Singer parameters, to be published.
[7] H. Dobbertin, “Kasami power functions, permutation polynomials and cyclic difference sets,” in NATO-A.S.I. Workshop, Bad Windsheim, Germany, Aug. 3–14, 1998.
[8] R. Gold, “Maximal recursive sequences with 3-valued recursive cross-correlation functions,” IEEE Trans. Inform. Theory, vol. IT-14, pp. 154–156, Jan. 1968.
[9] G. Gong and S. W. Golomb, “Hadamard transforms of three-term sequences,” IEEE Trans. Inform. Theory, vol. 45, pp. 2059–2060, Sept. 1999.
[10] C. R. P. Hartmann and K. K. Tzeng, “Generalization of the BCH bound,” Inform. Contr., vol. 20, pp. 489–498, 1972.
[11] T. Helleseth and P. V. Kumar, “Pseudonoise sequences,” in The Mobile Communications Handbook, J. Gibson, Ed. New York: CRC Press and IEEE Press, 1996.
[12] T. Helleseth and P. V. Kumar, “Sequences with low correlation,” in Handbook of Coding Theory, V. Pless and C. Huffman, Eds. Amsterdam, The Netherlands: Elsevier, 1998.
[13] T. Kasami, “Weight distributions of Bose–Chaudhuri–Hocquenghem codes,” in Combinatorial Mathematics and its Applications. Chapel Hill, NC: Univ. North Carolina Press, 1969.
[14] P. V. Kumar and C.-M. Liu, “On lower bounds to the maximum correlation of complex roots-of-unity sequences,” IEEE Trans. Inform. Theory, vol. 36, pp. 633–640, May 1990.
[15] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes. Amsterdam, The Netherlands: North Holland, 1979.
[16] B. R. McDonald, Finite Rings with Identity. New York: Marcel Dekker, 1974.
[17] R. J. McEliece, “On periodic sequences from GF(q),” J. Combin. Theory, vol. 10, no. 1, pp. 80–91, Jan. 1971.
[18] J.-S. No, S. W. Golomb, G. Gong, H.-K. Lee, and P. Gaal, “Binary pseudorandom sequences of period $2^n - 1$ with ideal autocorrelation,” IEEE Trans. Inform. Theory, vol. 44, pp. 814–817, Mar. 1998.
[19] D. V. Sarwate and M. B. Pursley, “Crosscorrelation properties of pseudorandom and related sequences,” Proc. IEEE, vol. 68, pp. 593–619, 1980.
[20] T. Schaub, “A linear complexity approach to cyclic codes,” Ph.D. dissertation, Swiss Federal Ins. Technol., Zurich, Switzerland, 1988.

Fourier Transforms and the 2-Adic Span of Periodic Binary Sequences

Mark Goresky, Associate Member, IEEE, Andrew M. Klapper, Member, IEEE, and Lawrence Washington

Abstract—An arithmetic or with-carry analog of Blahut's theorem is presented. This relates the length of the smallest feedback with-carry shift register to the number of nonzero classical Fourier coefficients of a periodic binary sequence.

Index Terms—Blahut's theorem, feedback register, Fourier coefficients, periodic binary sequence, 2-adic numbers.
I. INTRODUCTION

The purpose of this correspondence is to develop an arithmetic analog of Blahut's theorem [1], [3], which relates the linear span of a sequence to its discrete Fourier transform. For comparison, let us recall this theorem. Let $S = a_0, a_1, \cdots$ be a periodic binary sequence with period $L$. The linear span of S , denoted (S ), is the length of the shortest linear recurrence satisfied by S or, equivalently, the size of the smallest linear feedback shift register that generates S . It is an important measure of the complexity of a sequence, and it is used in a number of engineering applications. For example, suppose that S is to be used as the key in a stream cipher. The Berlekamp–Massey algorithm can be used by a cryptanalyst to recover the sequence once 2(S ) bits of S are known. Thus S is secure only if (S ) is large.

Let be a primitive Lth root of unity in some field extension F of GF(2). (Such a exists if and only if L is odd. Various work has been done to extend Blahut's theorem to the case when L is even, [4].) The kth discrete Fourier coefficient of S is
ak =
L01 i=0
ai ki 2 F:
Blahut's remarkable theorem says that the linear span of S is equal to the number of nonzero discrete Fourier coefficients of S . It makes

Manuscript received October 19, 1997; revised October 25, 1999. The work of A. Klapper was supported in part by NSF under Grant NCR-9400762. The work of L. Washington was supported in part by NSA under Grant MDA904-9610036. M. Goresky is with the School of Mathematics, Institute for Advanced Study, Princeton, NJ 08540 USA. A. M. Klapper is with the Department of Computer Science, 763H Anderson Hall, University of Kentucky, Lexington, KY 40506-0046 USA. L. Washington is with the Department of Mathematics, University of Maryland, College Park, MD 20742 USA. Communicated by D. Stinson, Associate Editor for Complexity and Cryptography. Publisher Item Identifier S 0018-9448(00)01669-2.