On the Equation $x^{2^l+1}+x+a=0$ over $mathrm{GF}(2^k)$ (Extended Version)

In this paper, the polynomials $P_a(x)=x^{2^l+1}+x+a$ with $a\in\mathrm{GF}(2^k)$ are studied. New criteria for the number of zeros of $P_a(x)$ in $\mathrm{GF}(2^k)$ are proved. In particular, a criterion for $P_a(x)$ to have exactly one zero in $\mathrm{GF}(2^k)$ when $\gcd(l,k)=1$ is formulated in terms of the values of permutation polynomials introduced by Dobbertin. We also study the affine polynomial $a^{2^l}x^{2^{2l}}+x^{2^l}+ax+1$ which is closely related to $P_a(x)$. In many cases, explicit expressions for calculating zeros of these polynomials are provided.

💡 Research Summary

The paper investigates the algebraic and combinatorial properties of the polynomial

  Pₐ(x) = x^{2^{l}+1} + x + a

with a ∈ GF(2^{k})∖{0}, together with the closely related affine polynomial

  Fₐ(x) = a^{2^{l}} x^{2^{2l}} + x^{2^{l}} + a x + 1.

The authors provide a complete classification of the number of zeros of Pₐ(x) (and consequently of Fₐ(x)) in the finite field GF(2^{k}) for all possible pairs (l, k). The work is divided into two main regimes: the coprime case (gcd(l,k)=1) and the general case (gcd(l,k)=d≥1).

1. Coprime case (gcd(l,k)=1).
The authors exploit the family of Dobbertin permutation polynomials

  q(x) = Σ_{i=1}^{l′} x^{2^{i}} + ε x^{2^{l}+1},

where l′ = l−1 (mod k) and ε ≡ l′+1 (mod 2). They recall from Dobbertin’s work that q(x) is a permutation of GF(2^{k})∗ if and only if ε satisfies the above congruence, and that its inverse R(x) satisfies R(q(u)) = u−1 for all u ≠ 0. By linking the roots of Pₐ(x) to the values of q, they obtain a simple trace‑based criterion:

 Pₐ(x) has exactly one root in GF(2^{k}) ⇔ Tr_{k}(q^{-1}(a+1)) = 1 (or 0, depending on the parity of k).

When q is not a permutation, they introduce a 3‑to‑1 mapping V(x) = x^{1−2^{l}}/(x^{1−2^{l}}+1)^{2^{l}+1} and study its action on the two trace classes T₀ = {x | Tr_{k}(x)=0} and T₁ = {x | Tr_{k}(x)=1}. They prove that V maps T₀ three‑to‑one onto a set V(T₀) and injectively onto T₁, while V(T₁) is the image of T₀ under the permutation q. This detailed analysis yields a full description of when Pₐ(x) has 0, 1, or 2 zeros in the coprime setting.

2. General case (gcd(l,k)=d≥1).
Writing k = n d, the authors define a recursive family of linearized polynomials

 C₁(x)=C₂(x)=1, C_{i+2}(x)=C_{i+1}(x)+x^{i} C_i(x) (i≥1),

and a companion family

 Z_n(x)=C_{n+1}(x)+x C_{2^{l}n−1}(x).

Through a series of lemmas they express the zeros of C_n and Z_n in a closed form involving a parameter V = (v₀^{2^{l}+1}+v₀+v₁)^{−(2^{l}+1)}(v₀+v₁)^{2^{l}+1}, where v₀, v₁ ∈ GF(2^{nd}) satisfy Tr_{nd,d}(v₀)=0. They prove that each zero of C_n has multiplicity 2^{l} and that the total number of distinct zeros is

 • 2^{(n−1)d−1}·2^{2d−1} when n is odd,
 • 2^{(n−1)d−2d}·2^{2d−1} when n is even.

Moreover, C_n splits completely over GF(2^{nd}) if and only if d = l or n < 4. Analogous statements hold for Z_n. Using these results, they derive explicit criteria for the number of roots of Pₐ(x):

 – Pₐ(x) has no root ⇔ a does not belong to the image of the mapping V.
 – Pₐ(x) has exactly one root ⇔ a = V(x) for a unique x in a certain trace class.
 – Pₐ(x) has exactly two roots ⇔ a = V(x) for exactly two distinct x, which occurs precisely when the trace condition Tr_{nd,d}(v₀)=0 holds and a−1 has the special form (8) in the paper.

They also compute the quantities M_i = #{a ∈ GF(2^{k})∗ | Pₐ(x) has exactly i zeros} for i = 0,1,2, providing closed formulas in terms of k, l, and d.

3. Affine polynomial Fₐ(x).
The authors observe that solving Fₐ(x)=0 is equivalent, after a simple substitution, to solving P_{a^{-1}}(y)=0. Consequently, all the criteria and explicit root formulas obtained for Pₐ(x) transfer directly to Fₐ(x). This yields a complete description of the zero‑distribution of the affine polynomial, which is of independent interest in the study of linearized equations and in applications such as sequence design.

4. Applications and Algorithms.
The paper supplies constructive algorithms for computing the roots when they exist, based on the explicit formulas for V, C_n, and Z_n. These algorithms run in polynomial time in k and are suitable for implementation in cryptographic software. The results have immediate implications for the construction of difference sets with Singer parameters, cross‑correlation analysis of m‑sequences, and the design of nonlinear feedback shift registers (NLFSRs) where the feedback function has the form of Pₐ(x) or Fₐ(x).

5. Conclusions and Outlook.
By integrating Dobbertin’s permutation polynomials with a novel recursive framework for linearized polynomials, the authors resolve a long‑standing problem: a precise, field‑theoretic criterion for the exact number of zeros of x^{2^{l}+1}+x+a over GF(2^{k}) for any l and k. The work not only settles the “zero‑or‑two‑roots” ambiguity that persisted for gcd(l,k)>1 but also provides explicit root expressions, enriching the toolbox for finite‑field researchers. Future directions suggested include extending the methodology to odd characteristic fields, higher‑degree binomials, and exploring connections with permutation rational functions.