In this paper, we assume that K is a finite field of characteristic p and order q = p n . Let ζ = exp(2πi/p). The canonical additive character of K is ψ : K → Q(ζ) given by ψ(x) = ζ Tr(x) , where Tr : K → F p with Tr(x) = x + x p + • • • + x q/p . We use s to denote an invertible exponent over K, that is, a positive integer with gcd(s, q -1) = 1. This ensures that s has a multiplicative inverse, 1/s, modulo q -1 and makes x ↦ → x s a permutation of the field K with inverse map x ↦ → x 1/s . For each u ∈ K, we define
which is a Weil sum of a binomial (if u ̸ = 0) or a Weil sum of a monomial (if u = 0). When the field K and the exponent s are clear from context, we omit the superscript and write W u . Note that Weil sum values lie in Z[ζ], the ring of algebraic integers in Q(ζ). In fact, it is known that they lie in
or see [Tra70,Theorem 2.3] for an earlier equivalent statement in terms of crosscorrelation of linear recursive sequences.
Theorem 1.1 (Trachtenberg, 1970). If K is a finite field and s is an invertible exponent over K, then W K,s u ∈ R for every u ∈ K.
A multiset of elements from a set X is a function µ from X into the nonnegative integers, where for x ∈ X the value µ(x) is the frequency (number of instances) of x in the multiset. Thus, µ represents a normal set if and only if it maps X into {0, 1} (in which case µ is identified with the subset µ -1 ({1}) of X). The Weil spectrum for the field K and the exponent s is the multiset of values W K,s u as u runs through K × . That is, the Weil spectrum is a multiset of elements from Z [ζ], where a given value A ∈ Z[ζ] has a frequency, written N K,s A (or N A when K and s are clear from context), with
We define the value set for the field K and the exponent s, written W K,s , to be the set of distinct values in the Weil spectrum, that is,
Note that we do not record W K,s 0 in W K,s , but this value is always 0 because x ↦ → x s is a permutation of K and ∑︁ x∈K ψ(x) = 0. The evaluation and estimation of Weil sums has been studied extensively [Klo27, DH36, Aku65, Kar67, Car78, Car79, Cou98, CP03, CP11, SV20], including special cases such as Kloosterman sums, which are of the form W K,|K|-2 u -1. Weil sums are used to count points in algebraic sets over finite fields; see, for example, Sections 7.7 and 7.11 of [Kat19] and Section 5 of this paper. In the Kloosterman case, the Weil spectra for fields of characteristic 2 and 3 were studied in [LW87] and [KL89], and Sections 7.2-7.4 of [Kat19] describe applications of Weil spectra in information theory, which we summarize here. The Walsh spectrum of the permutation x ↦ → x s of K is obtained from the Weil spectrum by also including the value W K,s 0 = 0. The Walsh spectrum measures the nonlinearity of the permutation, which indicates its resistance to linear cryptanalysis. The crosscorrelation spectrum of two maximum length linear recursive sequences is obtained by subtracting 1 from each value in the Weil spectrum. This crosscorrelation spectrum determines the performance of communications networks and remote sensing systems employing these sequences for modulation. Weil spectra also determine the weight distribution of certain error correcting codes, thus indicating the performance of the codes.
For a finite field K, we say that two exponents s and s ′ are equivalent to mean that s ′ ≡ p k s ℓ (mod q -1) for some k ∈ Z and ℓ ∈ {-1, 1}; this defines an equivalence relation, and equivalent exponents produce the same Weil spectrum by [Tra70, Theorems 2.4, 2.5] (in the language of crosscorrelation), or see [Kat19, Lemmas 7.5.2, 7.5.6] 1 . We say that s is degenerate over K to mean that it is equivalent to 1, that is, s is a power of p modulo q -1. If K has four or fewer elements, then all exponents are degenerate over K; larger finite fields always have at least one nondegenerate exponent (see [Kat19,Lemma 7.5.4]). If s is degenerate, then W K,s = {0, q} if q > 2 and W K,s = {q} if q = 2; see [Kat19,Corollary 7.5.5].
We say the Weil spectrum for K and s is v-valued (resp., at least vvalued, at most v-valued ) to mean that |W K,s | = v (resp., |W K,s | ≥ v, |W K,s | ≤ v). Thus, Weil spectra of degenerate exponents are at most 2valued, and Helleseth showed that Weil spectra of nondegenerate exponents are always at least 3-valued in [Hel76, Theorem 4.1].
Theorem 1.2 (Helleseth, 1976). Let K be a finite field and s be an invertible exponent over K. Then the Weil spectrum for K and s is at least 3-valued if and only if s is nondegenerate over K.
There is much interest in which pairs (K, s) produce Weil spectra with few values (e.g., 3-valued or 4-valued spectra). All known 3-valued spectra have been classified into ten infinite families (see [Kat19,Table 7.1]), and 4-valued spectra have been studied in [Nih72, Theorems 3-6, 3-7], [Hel76, Theorem 4.13], [Dob98, Proposition 1], [HR05, Theorem 6], [DFHR06, Theorem 23], [ZLFG14, Theorem II.5], and [XHW14, Theorem 1]. Although each Weil sum value is always an algebraic integer in some cyclotomic extension of Q, one observes that Weil spectra with few distinct values often have all of their values in Z. We say that the Weil spectrum for K and s is rational (or that W K,s is rational) to mean W K,s ⊆ Z. Helleseth proved a simple criterion for rationality in [Hel76, Theorem 4.2].
Theorem 1.3 (Helleseth, 1976). Let K be a finite field of characteristic p and s be an invertible exponent over K. Then the Weil spectrum for K and s is rational if and only if s ≡ 1 (mod p -1).
Later, in [Kat12, Theorem 1.7], it was proved that 3-valued Weil spectra are invariably rational.
Theorem 1.4 (Katz, 2012). Let K be a finite field and s be an invertible exponent over K. If the Weil spectrum for K and s is 3-valued, then it is rational.
Thus, in view of Theorem 1.3, when K is a field of characteristic p and s ̸ ≡ 1 (mod p -1), the Weil spectrum for K and s cannot be 3-valued. Katz and Langevin set an open problem [KL16, Problem 3.6], part of which is to find an analogue of Theorem 1.4 for 4-valued spectra. The main result of this paper is this analogue, which we now state.
1 Lemma 7.5.6 of [Kat19] has a typographical error: a 1/d should be fixed to read a -1/d there.
Theorem 1.5. Let K be a finite field and s be an invertible exponent over K. If the Weil spectrum for K and s is 4-valued, then it is rational unless K = F 5 and s ≡ 3 (mod 4) (in which case W K,s = {(5 ± √ 5)/2, ± √ 5}).
By Theorem 1.3, this means that, other than in the exceptional case when |K| = 5 and s ≡ 3 (mod 4), the condition s ≡ 1 (mod p -1) is necessary for the Weil spectrum to be 4-valued. Since the Walsh spectrum of the power permutation x ↦ → x s over K is obtained from the Weil spectrum for K and s by including W K,s 0 = 0, Theorems 1.4 and 1.5 show that all the values in a four-valued Walsh spectrum must lie in Z.
The remainder of this paper is devoted to proving Theorem 1.5. We start in Section 2 by using Galois theory and algebraic number theory to study the structure of Weil spectra. Then, in Section 3, we present some archimedean and p-adic bounds on Weil sum values. Section 4 introduces some algebraic sets over finite fields, which we then relate to Weil sums in Section 5 via a group algebra. Finally, we prove Theorem 1.5 in Section 6.
In this section we introduce the number systems that are used in our proof of Theorem 1.5. Algebraic number theory provides several results that constrain the structure of Weil spectra and thus help us achieve our proof.
Recall that K is a finite field of characteristic p and order q = p n , that s is a positive integer such that gcd(s, q -1) = 1, and that ζ = exp(2πi/p). We use N to denote the set of nonnegative integers and Z + to denote the set of strictly positive integers. We know that Gal(Q(ζ)/Q) is a cyclic group of order p -1; an element of this Galois group fixes all elements of Q and maps ζ to ζ j for some j ∈ F × p . Let γ denote a primitive element of the prime subfield F p and let σ denote the automorphism in Gal(Q(ζ)/Q) that maps ζ to ζ γ : note that σ is a generator of the Galois group. Then [Kat12, Theorem 2.1(b)] shows that σ(W u ) = W γ 1-1/s u for every u ∈ K, where 1/s is interpreted as the multiplicative inverse of s modulo p -1. Thus, σ maps the value set W K,s (see (3)) to itself. From now on, we let τ : W K,s → W K,s be the permutation obtained by restricting σ, so that for every u ∈ K, we have τ
where 1/s is interpreted as the multiplicative inverse of s modulo p -1.
The following result indicates important relationships between the exponent s, the characteristic p of the field K, the order of τ , the order of the element γ 1-1/s in (4), and the degree of the extension of Q generated by the values in the Weil spectrum.
Proposition 2.1. The following are all equal:
(i) the order of the permutation τ of W K,s , (ii) the degree, [Q(W K,s ) : Q], of the field extension of the rationals generated by W K,s , (iii) the order of γ 1-1/s in F × p (where 1/s indicates the multiplicative inverse of s modulo p -1), and (iv) the quantity (p -1)/ gcd(p -1, s -1). Let m denote the common value of these. If p = 2, then m = 1, but if p > 2, then p ≡ 1 (mod 2m).
equals the order of the restriction to Q(W K,s ) of σ, which is the same as the order of τ . Lemma 5.3 of [AKL15] shows that [Q(W K,s ) : Q] equals (p -1)/ gcd(p -1, s -1), which is the order of γ 1-1/s = (γ 1/s ) s-1 because γ has order p -1 and s is invertible modulo p -1 (since gcd(s, q -1) = 1).
If
), an extension of Q of degree (p -1)/2, and so m | (p -1)/2. □ Remark 2.2. Proposition 2.1 shows that W K,s is rational when p = 2 or 3.
Recall from (2) that the frequency of a value A in the Weil spectrum is
The action of τ on the Weil spectrum gives us information about these frequencies.
Lemma 2.3. Suppose that τ has order m, and let A 0 , A 1 , . . . , A k-1 be distinct elements of W K,s that τ permutes in a k-cycle, that is, τ
kZ and let λ = γ 1-1/s , where we interpret 1/s as the multiplicative inverse of s modulo p -1. For u ∈ U 0 and j ∈ Z we have, by (4), that W λ j u = τ j (W u ) = τ j (A 0 ) = A j mod k . In particular, we have k | m since τ has order m. Moreover, W λ k u = A 0 = W u , so U 0 is a union of cosets of the subgroup ⟨λ k ⟩ of the group K × . Since λ is of order m by Proposition 2.1 and k | m, this subgroup is of order m/k, and so N A 0 = |U 0 | is a multiple of m/k. Lastly, for any j ∈ Z, the map u ↦ → λ j u provides a bijection from U 0 to U j mod k because we have seen that W λ j u = A j mod k for every u ∈ U 0 , and we can similarly prove
Let f be a permutation of a finite set X. The cycle type of f is the multiset of lengths of cycles that is obtained when f is written as a composition of disjoint cycles. Note that the sum of the values in the cycle type of a permutation f is equal to the size of the set being permuted. We say that f is a single cycle to mean that f can be written as a single cycle that contains all elements of X. The next two results explore constraints on the cycle type of τ .
Lemma 2.4. When p = 2, the cycle type of τ is a collection of |W K,s | instances of 1. When p is odd, the cycle type of τ contains no number larger than (p -1)/2.
Proof. Let m be the order of τ . When p = 2, the field Q(ζ) = Q(-1) = Q, so σ and τ are identity maps. When p is odd, Proposition 2.1 implies that m ≤ (p -1)/2, so the desired result follows since m is the least common multiple of all the numbers in the cycle type of τ . □ Proposition 2.5. The permutation τ is a single cycle if and only if K = F 2 (and then s is degenerate and τ is a 1-cycle).
Proof. Suppose p = 2. Lemma 2.4 shows that τ is a single cycle if and only if |W K,s | = 1, which happens exactly when K = F 2 (and then every exponent is degenerate and τ is a 1-cycle). Now suppose p is odd. Let W K,s = {A 0 , . . . , A k-1 } and suppose for a contradiction that τ is a single cycle. Then
Weil sum values is equal to q by [Kat12, Proposition 3.1(b)], so that kN A 0 = q -1 and
is an algebraic integer fixed by σ (of which τ is a restriction). Thus, N A 0 is a common divisor of q and q -1, and hence N A 0 = 1 and k = q -1. But then, by Lemma 2.4, we must have (p -1)/2 ≥ k = q -1 ≥ p -1, which is impossible. □
In this section we discuss some archimedean and non-archimedean bounds on the Weil sum W K,s u that are used in proving the main result (Theorem 1.5). Recall that we use N to refer to the set of nonnegative integers. We use the p-adic valuation, v p . One begins with v p : Z → N ∪ {∞}, where v p (0) = ∞ and v p (a) = max{j ∈ N : p j | a} when a ̸ = 0. Then one extends the domain of
1); see [Lan02, Theorem 4.1], [Lan90, p. 7], and [Hel76, p. 218]. For the purposes of this paper, the most important facts about v p (which we shall use without proof) are that v p
From (1), we know that Weil sums are sums of pth roots of unity, so we first explore linear combinations of these roots.
Lemma 3.1. For any t ∈ Q and any v ∈ Q(ζ), there is one and only one way to write v as a Q-linear combination of 1, ζ, . . . , ζ p-1 such that the coefficients sum to t.
Proof. Our claim will follow if we show that the map φ :
) is an isomorphism of Q-vector spaces. Since φ is clearly a Q-linear map between two Q-vector spaces of dimension p, it suffices to show that ker(φ) is trivial. Let pr 1 :
0, we know that pr 1 •φ is surjective, which makes ker(pr 1 •φ) equal to the 1-dimensional space span Q {(1, 1, . . . , 1)}. Then ker(φ) is a subspace of ker(pr 1 •φ), but (pr 2 •φ)(1, 1, . . . , 1) ̸ = 0, so ker(φ) must be trivial. □
Now we shall apply the previous result to obtain an archimedean bound on nondegenerate Weil sums. Recall that we let K be a finite field with characteristic p and order q = p n and that s is a positive integer with gcd(s, q -1) = 1. Lemma 3.2. For any u ∈ K, there exist unique w 0 , . . . , w p-1 ∈ N with
Proof. By definition (1), a Weil sum W u is a sum of q terms from the set
The uniqueness of this representation follows from Lemma 3.1. Note that w 0 > 0 because one term in
When s is nondegenerate, [Kat12, Theorem 2.1(f)] tells us |W u | < q, which makes it impossible for w i = q for any i (else
The next two results explore p-adic bounds on Weil sums.
Proof. This is [Kat12, Theorem 2.1(e)]. For an equivalent version in terms of crosscorrelation, see [Hel76,Theorem 4.5].
, where w 0 , . . . , w p-1 are nonnegative integers that are strictly less than q with ∑︁ 0≤i<p w
, where each r i = w i /q is a nonnegative rational number strictly less than 1 with ∑︁ 0≤i<p r i = 1. Then we write r as ∑︁ 0≤i<p-1 (r i -r p-1 )ζ i , which is the unique Q-linear combination of 1, ζ, . . . , ζ p-2 equal to r, and since r ∈ Z[ζ], the coefficients r i -r p-1 are all in Z. Since 0 ≤ r i < 1 for every i, this forces r 0 = • • • = r p-1 , so that r = 0, and then W u = 0. □ Recall from Section 2 that γ is a primitive element of the prime subfield F p and σ is the generator of Gal(Q
where η is the quadratic character (Legendre symbol) of F × p . Lemma 3.5. Suppose that p ≡ 1 (mod 4). An expression of the form ∑︁ i∈Fp w i ζ i with rational coefficients w i lies in Q( √ p) if and only if, for every i, j ∈ F p , we have w i = w j when η(i) = η(j). In this case, if we write w + for the common value of the w i 's with η(i) = +1 and w -for the common value of the w i 's with η(i) = -1, then our sum becomes
and only if it is fixed by σ 2 , that is, if and only if ∑︂ i∈Fp
and then Lemma 3.1 tells us that this happens if and only if w i = w γ -2 i for every i ∈ F p , which is true if and only if w i = w j whenever j ∈ i ⟨︁ γ 2 ⟩︁ , i.e., whenever η(i) = η(j). In this case, write w + and w -as in the statement of this lemma, and then our sum becomes
where the penultimate summation is clearly -1 and the ultimate one is the quadratic Gauss sum (5). □
We now apply the previous result to Weil sums.
Lemma 3.6. Let p be a prime with p ≡ 1 (mod 4) and suppose that s is an invertible exponent over K. Any Weil sum W K,s u in Q( √ p) can be written uniquely in the form (I + J √ p)/2, where I, J ∈ Z. Furthermore, I ≡ J (mod 2) and v p (I) ≥ 1. If s is nondegenerate, then -q < -2(q-1)/(p-1) < I < 2q and |J| ≤ 2(q -1)/(p -1) < q.
Proof. From Lemmas 3.2 and 3.5, it follows that any Weil sum in Q( √ p) can be written as
where w 0 , w + , w -∈ Z. Thus, if we let I = 2w 0 -(w + + w -) and J = w + -w -, then I, J ∈ Z and our Weil sum is (I + J √ p)/2; since {1, √ p} is Q-linearly independent, the I and J are uniquely determined. Since J ∈ Z, we know that v p (J √ p) has strictly positive p-adic valuation, as does the entire Weil sum (by Lemma 3.3), and so v p (I) must be a strictly positive integer. Note also that I ≡ J (mod 2) since, as we stated in the paragraph before Lemma 3.5, algebraic integers in
where a, b ∈ Z and a ≡ b (mod 2). From now on, let us suppose that s is nondegenerate. Then by Lemma 3.2, we know that w 0 , w + , w -are all nonnegative integers that are strictly less than q with w 0 ≥ 1 and w 0 + (w + + w -)(p -1)/2 = q. Thus,
)︃ , and since w 0 < q, we know that w + + w -> 0, so -2
where since p -1 > 2, we have 2(q -1)/(p -1) < q -1 < q. □
In this section, we study a certain type of algebraic set over the finite field K. It turns out that these sets are closely related to sums of products of Weil sum values (as we shall see in Section 5), and thus will help us prove our main result (Theorem 1.5).
Recall that K is a finite field of characteristic p and order q = p n and that s is a positive integer such that gcd(s, q -1) = 1. First, we introduce two notations that enable us to express our algebraic sets very compactly.
The next four results relate various values of Q t a,b with each other.
Lemma 4.3. For any k ∈ Z + , any t ∈ (K × ) k , and any b ∈ K we have
The second summation counts the points in the hyperplane t • v = b in K k , while the first sum counts points with ∥v∥ s s = b s , which has the same cardinality because x ↦ → x s is a permutation of K.
Proof. Lemma 4.4 shows that Q t a,0 (resp., Q t 0,a ) has the same value for every a ∈ K × , so (6) and the b = 0 case of (7) follow from Lemma 4.3. The b ̸ = 0 case of (7) then similarly follows from Lemma 4.3, using (6). □ Lemma 4.6. For any k ∈ Z + , any b, t 1 , . . . , t k ∈ K × , and any a ∈ K, we have
Proof. For the rest of this proof, let t = (t 1 , . . . , t k ) and t ′ = (a/b, t 1 , . . . , t k ), and let u and v ′ be shorthand for (u 1 , . . . , u k ) and (v 0 , v 1 , . . . , v k ), respectively. Then
, where the second equality uses the reparameterization with u j = -bv j /v 0 for j ∈ {1, . . . , k} and the fact that the invertibility of s makes (-1) s = -1. □ Now we compute certain values of Q t a,b that will be useful later. Lemma 4.7. Let t 1 , t 2 ∈ K × and let δ denote the Kronecker delta.
Proof. The first claim is clear because
a,b counts the number of v 1 ∈ K such that t 1 v 1 = a and (v s 1 ) 1/s = b. Applying this result to the fact that
0,0 by Lemma 4.6 gives the expression in the first case of the second claim, and then the second case follows from using Lemma 4.5 to deduce the value of
We explore certain special values of Q t a,b that are critical for our proof of Theorem 1.5.
The first result follows from the observation that (x 1 , x 2 ) ∈ K 2 satisfies the system of equations corresponding to Q
(1,-1) 1,w if and only if (-x 2 , -x 1 ) satisfies the system of equations corresponding to Q
1,-1 counts how many (x 1 , x 2 ) ∈ K 2 satisfy x 1 + x 2 = 1 and x s 1 + x s 2 = (-1) s , and since these equations preclude x 2 = 0 in odd characteristic, we can reparameterize with x 2 = -1/y for y ∈ K × and eliminate x 1 to see that Q
(1,1) 1,-1 is the same as the number of y ∈ K × such that (y + 1)
For the third result, note that the system of equations that corresponds to Q
(1,1) 1,w is symmetric in both unknowns, so (x 1 , x 2 ) satisfies this system if and only if (x 2 , x 1 ) does. This implies that Q
(1,1) 1,w is even except when there is some x ∈ K such that 2x = 1 and 2 1/s x = w, which happens exactly when p is odd, x = 1/2, and w = 2 1/s-1 . □
In this section, we use a group algebra that gives us a convenient way to encapsulate all the Weil spectrum values in a single object; this builds upon the methods of Feng [Fen12] and developments in [Kat15]. After introducing the relevant group algebra here, we define the key group algebra elements of interest in Section 5.1 and demonstrate their relation to the cardinalities of algebraic sets studied in Section 4. Then we present other related group algebra elements designed to have a particular symmetry in Section 5.2, and focus on a particularly important case of this symmetry in Section 5.3.
Let L = Q(ζ, ξ), where ξ = exp(2πi/(q -1)), and consider the group L-algebra L[K × ], whose elements are of the form S = ∑︁ u∈K × S u [u], where S u ∈ L for each u ∈ K × . We write the elements of K × in brackets to distinguish them from similar-appearing elements in L. We identify any subset
. Below, we record some easily proved observations. Lemma 5.1. For any S, T ∈ L[K × ] and any t ∈ Z, we have
Let K × y denote the group of multiplicative characters from K × to L × . The identity element of K × y is called the principal character and is written χ 0 ; it maps every element of K × to 1. We define the application of a multiplicative character χ ∈ K × y to a group algebra element
and we call χ(S) the Fourier coefficient of S at χ. The following facts, which we record without proof, are easy to verify.
Lemma 5.2. The following facts hold for any S, T ∈ L[K × ] and any χ ∈ The next lemma follows from Theorem 5.4 of [LN97].
Lemma 5.3. We have
The next result says that a group algebra element is determined by its Fourier transform.
Proof. This follows from the fact that the Fourier transform (the map from
) is an isomorphism of L-algebras with the inverse map
where
and
and when the field K and the exponent s are clear from context, we simply write
. We now relate W to Ψ.
Lemma 5.5. We have
from which the result follows. □
Let χ ∈ K × y . Then the Gauss sum G(χ) is given by ∑︁ u∈K × ψ(u)χ(u). Note that G(χ) = χ(Ψ). We list some useful facts about Gauss sums, which will be useful later when we calculate the Fourier transform of group algebra elements that generalize W . Lemma 5.6. Let χ 0 be the principal character and χ ∈ K × y . Then (i)
√ q for χ ̸ = χ 0 , and
Proof. For a proof of the first and second parts, see [LN97, Theorem 5.11]; for a proof of the third part, see [LN97, Theorem 5.12(iii)]. □
We record two more useful calculations concerning Ψ and W .
Lemma 5.7. If t ∈ Z and gcd(t, q -1) = 1, then
Proof. The first result follows from Lemmas 5.5, 5.1, and 5.6, which give us
The second is proved as follows:
where the third equality uses Lemmas 5.7 and 5.1, and the fourth equality uses Lemmas 5.1 and 5.6. □
The proof of our main result requires us to use generalizations of W whose coefficients are products of Weil sum values rather than individual ones. We introduce a convenient notation for these. Notation 5.9. Let k ∈ Z + and let t = (t 1 , t 2 , . . . , t k ) ∈ (K × ) k . We write
Often, we just write W [t 1 ,...,t k ] instead of W [(t 1 ,...,t k )] and W
[t]
u for (W [t] ) u . Also, note that W [1] = W . Lemma 5.10 and Proposition 5.13 below make a connection between the group algebra elements just defined in Notation 5.9 and the cardinalities of algebraic sets defined in Notation 4.2. The connecting object is defined in Notation 5.11. Lemma 5.10. Let k ∈ Z + and let t = (t 1 , . . . , t k ) ∈ (K × ) k . Then
Proof. This is Lemma 7.7.2 of [Kat19]. □
Recall the notations • and ∥•∥ s from Notation 4.1, which we use for the rest of this section. Notation 5.11. Let k ∈ Z + and let t = (t 1 , t 2 , . . . , t k ) ∈ (K × ) k . Then, adopting the convention that [0] is the 0 of the group algebra L[K × ], we write
We often write V [t 1 ,...,t k ] instead of V [(t 1 ,...,t k )] and use the notation
The following calculation is needed for our proof of Proposition 5.13, which connects W [t] to V [t] . Lemma 5.12. Let k ∈ Z + and t ∈ (K × ) k . Then
Proof. The first equality comes from using Notation 5.11 to write
and then applying Lemma 4.3. The second equality then follows from Lemma 4.5. □
Now we show the relation between V [t] and W [t] .
Proposition 5.13. For k ∈ Z + and t ∈ (K × ) k , we have
Proof. Since both sides of this equation are elements of L[K × ], it suffices to show that χ(W [t] ) = χ(W V [t] ) for all χ ∈ K × y by Lemma 5.4. For the principal character χ 0 we have
where the first and last equalities follow from Lemma 5.2, the second comes from Lemmas 5.8 and 5.12, and the third comes from Lemma 5.10. Now let χ be any non-principal character. On one hand, we have
where we use Lemma 5.3 to impose t • x ̸ = 0 following the second equals sign, and we use the Gauss sum in the third and second-to-last equalities and the reparameterization w = z 1/s , x = z 1/s v in the fourth equality.
On the other hand, Lemmas 5.5, 5.2, 5.3, and Notation 5.11 give us
where
by Lemmas 5.6 and 5.2, so the result is proved. □
For future convenience, we explicitly calculate some values of |W [t] | and V [t] . Lemma 5.14. For any t 1 , t 2 , t 3 ∈ K × , we have
Proof. The first result is from Lemma 5.8. Next, we use Theorem 1.1 and Lemma 5.8 to obtain
For (iii), we use Theorem 1.1 to show that
)︁ 1/t 3 . Then, Lemmas 5.13 and 5.8 and Notation 5.11 give us that
Lastly, we observe that
) 1 , so the fourth result follows from Lemmas 5.13 and 5.8, which tell us that
, then we have
that is,
u ≥ -1 for every u ∈ K × , and if
u ≥ 0 for every u ∈ K × . Furthermore,
Proof. These facts follow from Notation 5.11 and Lemma 5.12, as well as the formula for Q t 1,0 found in Lemma 4.7 and the fact that Q t 1,u values are always nonnegative, since they count solutions to systems of equations. □ 5.2. Symmetrized Weil sums. In later sections we study Weil spectra where there is a symmetry among the Weil sums W K,s u . Here we present some general results.
Fix some k ∈ Z + and suppose that p ≡ 1 (mod k). Then we let
where λ is a primitive kth root of unity in F × p . We also let
We call Ω u = ∑︁ k-1 i=0 W λ i u the k-laterally symmetrized Weil sum at u, and we use the word bilateral to mean 2-lateral. Note that Ω has real coefficients by Theorem 1.1. First, we relate Ω to W and T . Lemma 5.16. We have Ω = W T .
Proof. Reordering the sums in the definition of Ω gives us
We compute power moments for Ω.
Lemma 5.17. We have (i)
). Proof. The first equation comes from the fact that |K × | = q -1. The second and third results follow from Lemmas 5.16 and 5.8 as well as the fact that the coefficients of Ω are real, so that
so the desired result follows from Lemma 5.14(iii). □ When p is odd and k = 2, we have further results, which we explore in the next section. 5.3. Bilateral symmetry in the group algebra. In Propositions 6.4 and 6.5 below we study bilaterally symmetrized Weil sums. Here, we present some general results that hold in this situation. To this end, suppose that p is odd and let
Note that this use of T and Ω is consistent with the notation introduced in Section 5.2 when k = 2. Also, note that Φ, Ω, and Υ have real coefficients by Theorem 1.1. For convenience of notation, we set
We relate the various group algebra elements that we have just defined.
Lemma 5.18. We have Φ = W S and Υ = W (T V -2U ).
Proof. These results come from the above notation and Proposition 5.13. □
Before we prove further results, we shall restate in the notation of this section a few key facts that we have proved earlier.
Lemma 5.19. We have
Proof. Part (i) follows from the definitions of U and V and Lemma 5.15. Then, using the result in part (i) and the assumption that p is odd, parts (ii) and (iii) follow from the first two parts of Lemma 4.8. Lastly, the part (iv) comes from Lemma 5.15. □
We compute some power moments for Φ and a related sum that involves both Φ and Ω.
Lemma 5.20. We have
), and (iv)
Recall that Φ and Υ have real coefficients.
To prove the first part, we use Lemmas 5.18 and 5.1(iv) to get |Φ| = |W ||S| = 0. The second part follows from Lemmas 5.18, 5.8, and 5.1(vii), which give us ∑︁ u∈K × Φ 2 u = (ΦΦ) 1 = (W SW S) 1 = q 2 (SS) 1 = 2q 2 . We can prove the third part by observing that ∑︁ u∈K × Φ 2 u • Ω u = (Υ • Ω) 1 and then using Lemmas 5.18, 5.16, 5.8, and 5.19(iii) to get that
). The fourth and final part is a consequence of Lemmas 5.1(vii) (using the fact that all coefficients in our group algebra elements here are real), 5.18 and 5.8, since we have
In this section, we examine the action on the value set W K,s (see (3)) of τ , the restriction of the generator σ of Gal(Q(ζ)/Q) to W K,s . We shall prove our main theorem (Theorem 1.5), which is: Theorem 6.1. Let K be a finite field and s be an invertible exponent over K. If the Weil spectrum for K and s is 4-valued, then it is rational unless K = F 5 and s ≡ 3 (mod 4) (in which case W K,s = {(5 ± √ 5)/2, ± √ 5}).
Suppose W K,s = {A, B, C, D}, where A, B, C, and D are distinct. Recall that σ is a generator of Gal(Q(ζ)/Q) and that τ is the restriction of σ to W K,s . We saw in (4) that τ always permutes the elements of W K,s , so here τ must act trivially, as a transposition (while keeping two values fixed), as a composition of two disjoint transpositions, as a 3-cycle (while keeping one value fixed), or as a 4-cycle on the set {A, B, C, D}. We shall address each of the non-trivial actions in the next four propositions, and then finally prove the theorem. Throughout this section, we shall use the notation (from (2) in the Introduction) where N K,s A (or simply N A ) denotes the frequency of a value A in the Weil spectrum for the field K and the exponent s. Step 1. The exponent s is nondegenerate.
Proof. This is from Theorem 1.2.
Step 2. We have p ≡ 1 (mod 6), so p ≥ 7, and there is a primitive third root of unity λ ∈ F × p such that τ (W u ) = W λu for all u ∈ K × . Proof. This is from Proposition 2.1 and (4), since τ has order 3.
Step 3. We have 3
Proof. This is from Lemma 2.3, since τ has order 3, permutes A in a 1-cycle, and permutes B, C, D in a 3-cycle.
Step 4. Let X = 3A and Y = B + C + D. Then X and Y are rational integers with 3 | X and 3q 2 -3q(X + Y ) + (q -1)XY = 0.
(9)
Proof. We know that A and Y are in Z because σ (of which τ is a restriction) fixes both of these algebraic integers. Thus, X is a rational integer with 3 | X. By Step 2, we can let Ω u = W u +W λu +W λ 2 u = W u +τ (W u )+τ 2 (W u ) for all u ∈ K × , as in Section 5.2 (with k = 3). Notice that Ω u only assumes two values as u runs through K × , namely X = 3A (N A times) and Y = B+C+D (3N B times by Step 3). This means that ∑︁ u∈K × (Ω u -X)(Ω u -Y ) = 0, so we obtain (9) from the first three results in Lemma 5.17.
Step 5. We have max{v p (X), v p (Y )} ≥ v p (q). Proof. If max{v p (X), v p (Y )} < v p (q), then v p ((q -1)XY ) < v p (3q 2 -3q(X + Y )), contradicting (9) in Step 4.
Step 6. We have 0 / ∈ {X, Y }.
Proof. We assume 0 ∈ {X, Y } to show contradiction. Then {X, Y } = {0, q} by (9). Now q is a power of the prime p with p ≥ 7 (by Step 2), but X is a rational integer with 3 | X (by Step 4), so we cannot have X = q. Thus, X = 3A = 0 and Y = B +C +D = q. Since s is nondegenerate by Step 1, we have |B|, |C|, |D| < q by Lemma 3.2, so that B + C + D = q makes at least two of B, C, D positive, while [AKL15, Corollary 2.3] makes at least one negative, and so BCD < 0. Now Lemma 5.14(iii) gives us
. Recalling the relation involving τ and λ from Step 2, this means that
. Then in view of the fact that W K,s = {A, B, C, D} with τ (B) = C, τ (C) = D, and τ (D) = B, and since we have shown that A = 0 here and
= -1, and hence 3N B BCD = -q 2 . But BCD ∈ Z since it is an algebraic integer fixed by τ , which is a restriction of σ, the generator of Gal(Q(ζ)/Q). This means that 3 | q 2 , contradicting p ≥ 7 from Step 2.
Step 7. We have v p (X) < v p (q) and v p (Y ) ≥ v p (q). Proof. Recall from Step 4 that X = 3A. Therefore, by Step 2 we have v p (X) = v p (3A) = v p (A), and then by Step 6 and Lemma 3.4, we know that v p (A) < v p (q). Thus v p (X) < v p (q) and so by Step 5 we know that v p (Y ) ≥ v p (q).
Step 8. We have Y = rq for some r ∈ {±1, ±2}.
Step 4 that Y = B + C + D. By Steps 6 and 1 combined with Lemma 3.2, we know that 0 < |Y | = |B + C + D| < 3q. Thus, 0 < |Y | < pq by Step 2. Now Step 4 shows that Y ∈ Z, so by Step 7 we have v p (Y ) = v p (q). Then Y = rq for some r ∈ Z and recall that 0 < |Y | < 3q.
Step 9. We conclude that τ does not permute W K,s as a 3-cycle.
Proof. We rule out each of the four possible values of r in Step 8 using the following formula for X ∈ Z, which comes from (9) and Y = rq:
(note that the denominator is not zero because q -1 ≥ p -1 ≥ 6 by Step 2). If r = 1, then X = 0, which contradicts Step 6. If r = -2 (resp., -1, 2), then (10) becomes 4+(q-4)/(2q+1) (resp., 6-12/(q+2), 1+(q+5)/(2q-5)). None of these expressions can be a rational integer, since q is a power of some prime p ≥ 7 by Step 2, so Step 4 is contradicted. □ Proposition 6.4 (Action as a composition of two disjoint 2-cycles).
The following are equivalent: (i) |W K,s | = 4 and τ permutes W K,s as a composition of two disjoint transpositions; (ii) q = 5 and s ≡ 3 (mod 4). When these hold, W K,s = {(5 ± √ 5)/2, ± √ 5}.
Suppose that q = 5 and s ≡ 3 (mod 4). In fact, we may assume s = 3 since W K,s ′ = W K,s ′′ if s ′ ≡ s ′′ (mod q -1) (see the definition of equivalent exponents in Section 1). Let ζ = e 2πi/5 . The polynomial x 3 -x represents 0 thrice and each of ±1 only once over K = F 5 , and so W K,s
)/2 by Lemma 3.5. Similarly, x 3 -2x represents 0 once and each of ±1 twice over K; x 3 -3x represents 0 once and each of ±2 twice; and x 3 -4x represents 0 three times and each of ±2 once over K, so we can calculate that W K,s
, it is clear that τ acts on W K,s as a product of two disjoint transpositions. Now suppose that |W K,s | = 4 and suppose that τ acts on W K,s as a composition of two disjoint transpositions. For clarity, the remainder of the proof is broken up into steps.
Step 1. We have p ≡ 1 (mod 4), so p ≥ 5, and τ (W u ) = W -u for all u ∈ K × .
Proof. This is from Proposition 2.1 and (4), since τ has order 2.
Step 2. We write W K,s = {A, B, C, D} with Proof. Since τ has order 2 and since Step 1 tells us that p ≡ 1 (mod 4), Proposition 2.1 shows that the elements of W K,s are algebraic integers in Q( √ p), the unique degree 2 extension of Q that lies in Q(ζ). Thus, each element of W K,s has the form described in Lemma 3.6, and the four elements consist of two pairs of Galois conjugates because of the action of τ . This establishes the existence of the integers E, F , G, and H which are used to describe our four elements of W K,s above (making sure to arrange so that v p (E) ≤ v p (G)), and we also name the elements A, B, C, and D as above, so that the Galois conjugate pairs are {A, B} and {C, D}; this means that τ must act as (AB)(CD).
Step 3. We have
Proof. This is due to Lemma 2.3 since τ = (AB)(CD) from Step 2.
Step 4. We have the following equations:
Proof. For u ∈ K × , let Ω u = W u + W -u and Φ u = W u -W -u . This is consistent with the notation we introduced in Section 5.2 (with k = 2) and in Section 5.3 since p ≡ 1 (mod 2) by Step 1. Thus, by Step 1, we have
As we run through u ∈ K × , Steps 2 and 3 tell us that Ω u has
so that (11), (12), and (13) follow from parts (i), (ii), and (iii) of Lemma 5.17 and ( 14) follows from 5.20(ii). The left-hand side of Lemma 5.14(iii) (with t 1 = t 2 = t 3 = 1) is summing W 3 u over all u ∈ K × , and since N A = N B and N C = N D by Step 3, we obtain (15).
Step 5. We have G = 0.
Proof. Add EG times (11) and -(E + G) times (12) to (13) to get 0 = EG (︃ q -1 2
Recall from Step 2 that v p (E) ≤ v p (G). Note that if either v p (G) < v p (q) or v p (E) > v p (q), then one of the terms in (16) would have strictly lower p-adic valuation than the other terms. Thus, v p (E) ≤ v p (q) ≤ v p (G), so that E ̸ = 0 and q | G. On the other hand, since N A , N C ∈ Z + , (13) tells us that
, and so G = 0.
Step 6. We have E = q and N A = 1.
Proof. Since G = 0 by Step 5, (12) and (13) imply that E = q and N A = 1.
Step 7. We have N C = (q -3)/2.
Proof. Since N A = 1 by Step 6, (11) gives us that N C = (q -3)/2.
Step 8. The quantity F is odd and H = 2I for some I ∈ Z \ {0}.
Proof. We know that G = 0 by Step 5 and E = q by Step 6. Furthermore, q is odd since p is odd by Step 1.
Step 2 tells us that E ≡ F (mod 2) and G ≡ H (mod 2), so F is odd and H is even. But H ̸ = 0, else C = D (see Step 2), so H = 2I for some I ∈ Z \ {0}.
Step 9. We must have q ≤ 5.
Proof. We can substitute the results from Steps 5-8 into (15) and ( 14) to obtain
Since p ≡ 1 (mod 4) by Step 1, we have gcd(q/p, 3) = gcd(q/p, 2(q -3)) = 1, and therefore since V
[1,1] 1
∈ Z, (17) and ( 18) consecutively give us that (q/p) | F 2 and (q/p) | I 2 . Now we know from Step 8 that F, I ̸ = 0, so F 2 /(q/p), I 2 /(q/p) ≥ 1. If we substitute this into (18), the equality becomes the inequality q = q 2 /p q/p = F 2 q/p + 2(q -3) • I 2 q/p ≥ 1 + 2(q -3) = 2q -5, so that q ≤ 5.
Step 10. We conclude that q = 5 and s ≡ 3 (mod 4).
Proof. Steps 1 and 9 give us that an action with two disjoint transpositions can only occur when q = p = 5. We now consider the possible values for s. Since W K,s ′ = W K,s ′′ if s ′ ≡ s ′′ (mod q -1) (see the definition of equivalent exponents in Section 1), it suffices to consider the cases when s ≡ 0, 1, 2, 3 (mod 4). We cannot have s ≡ 0, 2 (mod 4), for then gcd(s, q -1) = gcd(s, 4) ̸ = 1, so s would not be invertible. Nor can we have s ≡ 1 (mod 4), for then s would be degenerate and this would make |W K,s | ≤ 2 by Theorem 1.2. Thus s ≡ 3 (mod 4). □ Proposition 6.5 (No action as a transposition). If |W K,s | = 4, then τ does not permute the elements of W K,s as a transposition.
Suppose that |W K,s | = 4. Assume that τ permutes W K,s as a transposition to show a contradiction. For clarity, the proof of this proposition is broken into steps.
Step 1. We have p ≡ 1 (mod 4), so p ≥ 5, and there exist A, B, E, F ∈ Z with |A| ≤ |B|, F > 0, and E ≡ F (mod 2) such that W Proof. Since τ has order 2, we know by Proposition 2.1 that p ≡ 1 (mod 4) and that Q(W K,s ) = Q( √ p), the unique degree 2 extension of Q that lies in Q(ζ). This means that the two elements of W K,s exchanged by τ are Galois conjugate algebraic integers in Q( √ p), and hence can be written as
for some E, F ∈ Z where E ≡ F (mod 2) and F > 0 by Lemma 3.6. The other two elements of W K,s are algebraic integers fixed by τ (and hence by σ), so they must be rational integers; we label these A and B in such a way that |A| ≤ |B|. Then both N A and N B are even and N C = N D by Lemma 2.3.
Step 2. We have τ (W u ) = W -u for all u ∈ K × , so as in Sections 5.2 (with k = 2) and 5.3 we can let
Proof. Since Step 1 implies that τ has order 2 and p ≡ 1 (mod 2), Proposition 2.1 and (4) give us that τ (W u ) = W -u for all u ∈ K × and we have the bilateral symmetry alluded to in Sections 5.2 (with k = 2) and 5.3.
Step 3. The integer E is odd and there exist rational integers
, (E, 2N C )} and the following equations hold:
Proof. Since N C = N D by Step 1, we observe that as u runs through
and Ω u = E for those u such that Φ u ̸ = 0. Thus, we obtain (26)-(28) from Lemma 5.20(ii)-(iv). Note that (26) and Step 1 imply that E and F are odd, whereas 2A and 2B must be distinct and even, so that there are rational integers X < Y < Z with {X, Y, Z} = {2A, 2B, E} and we can let M X , M Y , and M Z be as stated above. Equations ( 19)-( 21) then follow from Lemma 5.17(i)-(iii), which we also use to prove (22) from the following observation:
and ( 23) and ( 24) follow similarly by exchanging the roles of X, Y , and Z.
Similarly, one can prove (25) using all parts of Lemma 5.17 (and the fact that V = V [1,1] ) from the following observation:
Step 4. We have -q < -2(q -1)/(p -1) < X < Y < Z < 2q and v p (X), v p (Y ), v p (Z) ≥ 1. If any of X, Y , or Z is nonzero, then its p-adic valuation is less than the p-adic valuation of q. If none of X, Y , and Z is zero, then v p (XY ), v p (Y Z), v p (ZX) > v p (q).
Proof. The first chain of inequalities follows from Step 3 and Lemma 3.6 (which applies due to Step 1 and Theorem 1.2), once we notice that 2A, 2B, and E take the place of I in Lemma 3.6. Lemma 3.6 also tells us that v p (X), v p (Y ), v p (Z) ≥ 1. Next, M X X 2 , M Y Y 2 , and M Z Z 2 are all even rational integers by Step 3, so if X ̸ = 0 but v p (X) ≥ v p (q), then 2q 2 | M X X 2 , and hence M X X 2 = 2q 2 and Y = Z = 0 by (21). This contradicts Step 3. Analogous arguments show that the same result holds for Y and Z. In particular, if 0 ̸ ∈ {X, Y, Z}, then v p (X), v p (Y ), v p (Z) < v p (q). Thus, if we write (25) as
then (q -1)XY Z has a strictly smaller p-adic valuation than every other term on the right-hand side of the above equation. This implies that
and so the desired inequalities follow from subtracting one of the terms on the left-hand side from both sides.
Step 5. We have -q < X < Y = 0 < Z < q.
Proof. Recall from Step 3 that M X is a strictly positive count, so the numerator and denominator in (22) must have the same sign. Thus, to prove this step, it suffices to show that Y = 0 since -q < X < Y < Z by Step 4, for then the numerator in (22), which is positive, becomes 2q(q -Z).
Suppose that Y ̸ = 0. By Step 3, we know that Z > 0, since otherwise the right-hand side of (20) would be negative. Moreover, the numerator in ( 22) is positive, that is,
Thus, using Step 4 and the fact that p ≥ 5 from Step 1 in (29) gives us
We cannot have Y < 0, for that would imply both 0 ̸ ∈ {X, Y, Z} and v p (Y Z) ≤ v p (q), which contradicts Step 4. So we must have Y > 0. If we use the same argument, replacing ( 22) with ( 24), Z with Y , and Y with X, we show that X < 0 is also impossible, and so obtain X ≥ 0. If X > 0, then Step 4 implies that X, Y, Z ≥ p, so (20), ( 19), and the fact that q ≥ p ≥ 5 by Step 1 give us the contradiction 2q ≥ p(M X + M Y + M Z ) = p(q -1) ≥ 5q -p ≥ 4q. This forces X = 0 < Y < Z by Step 3, so that (20) and ( 21
so that v p (Y ) = v p (q) + v p (Z) -v p (Z -Y ), and so v p (Z -Y ) = v p (q). In other words, q | Z -Y . Since 0 < Y < Z < 2q by Step 4, this is only possible if Z = Y + q. If we substitute this equation for Z into (30) and (31) and solve for Y , we obtain 3Y = q, which is impossible because p ≡ 1 (mod 4) by Step 1.
Step 6. We have E = X < 0 and A = Y /2 = 0 and B = Z/2 > 0. Moreover, |E| < |B| and V -1 > 0 and B = 2V -1 /(1 -E/q).
Proof. Recall from Step 3 that {X, Y, Z} = {2A, 2B, E} is a set of three distinct numbers and that E is odd. Since |A| ≤ |B| by Step 1 and Y = 0 is even by Step 5, we must have 0 = Y = A and {X, Z} = {2B, E}. We obtain B = 2V -1 /(1 -E/q) by substituting these facts into (25) and using (27) (note that we can divide by 1 -E/q since Step 5 implies that |E| < q). Now, since B is nonzero, 1 -E/q is positive (since |E| < q), and V -1 is nonnegative (by Lemma 5.19(i)), we must have B = Z/2 is positive, and hence V -1 > 0 and E = X < 0. It then follows that 1 < 1 -E/q < 2 and V -1 < B < 2V -1 . Lastly, Lemma 5.19(i) tells us that V 1 ≥ 0, so E ≥ -V -1 by (27), and thus |E| < |B|.
Step 7. There exists an odd integer m with 0 < m < n such that N C = p m and F = p n-(m+1)/2 . Let ℓ = v p (B) -v p (E). Then v p (N B ) = m -2ℓ. Moreover, we have
Proof. The results about m, N C , and F follow from (26) since N C < q, while (32) and (33) come from equations ( 20) and ( 21) and Steps 3 and 6. Lastly, (33) implies that v p (N B B 2 ) = v p (N C E 2 ) since 2N B B 2 > 0 and N C E 2 > 0 by Step 6 and p ∤ 2 by Step 1, so v p (N B ) = m -2ℓ.
Step 8. We have ℓ > 0, and there exist β, ε, ν ∈ Z + all relatively prime to p such that B = βp n-m+2ℓ , E = -εp n-m+ℓ , and
Moreover, we have the following equations:
2νβ -εp ℓ = 1 (35)
Proof. Steps 1, 6, and 7 allow us to write B = βp vp(E)+ℓ , N B = 2νp m-2ℓ , E = -εp vp(E) , and N C = p m with β, ε, ν ∈ Z + all relatively prime to p, so that (32) and (33) become 2νβp m+vp(E)-ℓ -εp m+vp(E) = p n (37)
It thus suffices to show that ℓ > 0, for then m + v p (E) -ℓ < m + v p (E), and hence m + v p (E) -ℓ = n by (37), so that v p (E) = n -m + ℓ, and so the expressions for E and B at the beginning of this proof become those in (34) while (37) and (38) become (35) and (36). Suppose ℓ ≤ 0, and let g = n -m -v p (E). Then (37) and (38) become 2νβp -ℓ -ε = p g (39)
By
Step 6, we have ε = |E|/p vp(E) < |B|/p vp(E)+ℓ = β, so (39) gives us
and hence g > 0 since β, ν ≥ 1. Note that this implies that ℓ = 0, for otherwise the p-adic valuation of the left-hand side of (39) would be 0. We can thus solve (39) for ε and substitute the resulting expression into (40) to get 4β 2 ν(ν + 1) -4νβp g + p 2g -p 2g+m = 0. (42)
Since g > 0, the third and fourth terms on the left-hand side of (42) have strictly larger p-adic valuation than the second term does, so we must have v p (4β 2 ν(ν + 1)) = v p (4νβp g ), that is, v p (ν + 1) = g. So ν = -1 + µp g for some µ ≥ 1 such that p ∤ µ. But if we substitute this into p g > β(2ν -1) from (41) and rearrange to obtain an upper bound for µ, then (keeping in mind that p ≥ 5 by Step 1) we obtain
which is a contradiction. We thus have ℓ > 0, as we wished.
Step 9. We have both BE -2CD = βp 2n-2m+2ℓ and C 2 + D 2 -BE = p 2n-2m+2ℓ (p m-2ℓ -β).
Proof. These results come from using the expressions for C and D in Step 1 and those for B, E, and F in Steps 7 and 8 to write
(︃ p m-2ℓ + ε 2 2 + βεp ℓ )︃
and then using (35) and (36) to simplify these expressions.
Step 10. Let S R = {u ∈ K × : W u = R} for R ∈ W K,s . If we identify these subsets of K × with group algebra elements as described before Lemma 5.1, then, using the definitions of W = W K,s from (8) in Section 5.1 and of T , U , V from Step 2, we have
Proof. The left-hand equalities follow from the definitions of T , U , and V and also Proposition 5.13 in the case of (44) and (45). The right-hand equalities follow from the fact that W -u = τ (W u ) (by Step 2) and the values for W u in Steps 1 and 6.
Step 11. We have β = 1, so B = p n-m+2ℓ .