On the Modulus in Matching Vector Codes

Lin Zhu Wen Ming Li Liang Feng Zhang corresponding author School of Information Science and Technology, ShanghaiTech University,
Shanghai 201210, China [email protected] (*corresponding author)

Abstract

A $k$ -query locally decodable code (LDC) $C$ allows one to encode any $n$ -symbol message $x$ as a codeword $C(x)$ of $N$ symbols such that each symbol of $x$ can be recovered by looking at $k$ symbols of $C(x)$ , even if a constant fraction of $C(x)$ have been corrupted. Currently, the best known LDCs are matching vector codes (MVCs). A modulus $m=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}\cdots p_{r}^{\alpha_{r}}$ may result in an MVC with $k\leq 2^{r}$ and $N=\exp(\exp(O((\log n)^{1-1/r}(\log\log n)^{1/r})))$ . The $m$ is good if it is possible to have $k<2^{r}$ . The good numbers yield more efficient MVCs. Prior to this work, there are only finitely many good numbers. All of them were obtained via computer search and have the form $m=p_{1}p_{2}$ . In this paper, we study good numbers of the form $m=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}$ . We show that if $m=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}$ is good, then any multiple of $m$ of the form $p_{1}^{\beta_{1}}p_{2}^{\beta_{2}}$ must be good as well. Given a good number $m=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}$ , we show an explicit method of obtaining smaller good numbers that have the same prime divisors. Our approach yields infinitely many new good numbers.

keywords:

matching vector codes, locally decodable codes, private information retrieval

1 Introduction

Classical error-correcting codes allow one to encode any $n$ -bit message $x$ as an $N$ -bit codeword $C(x)$ such that $x$ can still be recovered, even if a constant fraction of $C(x)$ have been corrupted. The disadvantage of such codes is that one has to read all or most of the codeword to recover any information about $x$ . As a better solution for decoding particular bits of the message, a $(k,\delta,\epsilon)$ -locally decodable code (LDC) [1] encodes any $n$ -bit message $x$ to an $N$ -bit codeword, such that any message bit $x_{i}$ can be recovered with probability $\geq 1-\epsilon$ , by a randomized decoding procedure that makes at most $k$ queries, even if $\delta N$ bits of $C(x)$ have been corrupted. Such codes have interesting applications [2, 3] in cryptography and complexity theory. For an efficient LDC, both the code length $N$ and the query complexity $k$ should be as small as possible, as functions of $n$ .

Following [1, 4, 5], Gasarch [2] and Goldreich [4] conjectured that for any constant $k$ , the length $N$ of a $k$ -query LDC should be $\exp(n^{\Omega(1)})$ . Yekhanin [6] disproved this conjecture with a 3-query LDC of length $\exp(\exp(O(\log n/\log\log n)))$ , assuming that there are infinitely many Mersenne primes. For any $r\geq 2$ , Efremenko [7] provided a construction of $2^{r}$ -query LDCs of length $N_{r}=\exp(\exp(O((\log n)^{1-1/r}(\log\log n)^{1/r})))$ under no assumptions, and in particular a 3-query LDC when $r=2$ . Such codes have been reformulated and called matching vector codes (MVCs) in [8].

The MVCs in [7] are based on two ingredients: $S$ -matching family and $S$ -decoding polynomial. For $r\geq 2$ , let $\mathcal{M}_{r}$ be the set of integers of the form $m=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}\cdots p_{r}^{\alpha_{r}}$ , where $p_{1},p_{2},\ldots,p_{r}>2$ are distinct primes and $\alpha_{1},\alpha_{2},\ldots,\alpha_{r}>0$ . The existence of both ingredients in MVCs depends on a modulus $m\in{\cal M}_{r}$ . In particular, the query complexity $k$ of the MVC is equal to the number of monomials in the $S$ -decoding polynomial, and is at most $2^{r}$ for all $m\in{\cal M}_{r}$ . A number $m\in{\cal M}_{r}$ has been called good if an $S$ -decoding polynomial with $k<2^{r}$ monomials exists when $m$ is used to construct MVC. For example, the 3-query LDC of [7] was constructed with the good number $m=7\times 73$ . Itoh and Suzuki [9] showed that one can reduce the query complexity of MVCs via a composition theorem. In particular, by using the good numbers 511 and 2047, they were able to obtain $9\cdot 2^{r-4}$ -query LDC of length $N_{r}$ for all $r>5$ . Chee et al. [10] showed that if there exist primes $t,p_{1},p_{2}$ such that $m=2^{t}-1=p_{1}p_{2}$ , then $m$ must be good. They determined 50 new good numbers of the above form and then significantly reduced the query complexity of MVCs.

Since [7, 9, 10], the work of finding good numbers has become interesting. However, the study of [7, 9, 10] was limited to good numbers of the form $m=p_{1}p_{2}\in{\cal M}_{2}$ . When $\max\{\alpha_{1},\alpha_{2}\}>1$ , it is not known how to decide a number of the form $m=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}\in{\cal M}_{2}$ is good except using the very expensive computer search. In this paper, we shall provide two methods for obtaining new good numbers in ${\cal M}_{2}$ :

•

If $m_{1}=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}\in{\cal M}_{2}$ is good and $m_{2}=p_{1}^{\beta_{1}}p_{2}^{\beta_{2}}\in{\cal M}_{2}$ is a multiple of $m_{1}$ , then $m_{2}$ must be good as well;
•

If $m_{2}=p_{1}^{\beta_{1}}p_{2}^{\beta_{2}}\in{\cal M}_{2}$ is good, and there is an $S$ -decoding polynomial of the form $P(X)=X^{u}+aX^{v}+b$ for $m_{2}$ such that $\gcd(u,v,m_{2})=p_{1}^{\omega_{1}}p_{2}^{\omega_{2}}$ , then $m_{1}=m_{2}/(p_{1}^{\omega_{1}}p_{2}^{\omega_{2}})$ must be good as well.

2 Preliminaries

We denote by $\mathbb{Z}$ and $\mathbb{Z}^{+}$ the set of integers and positive integers, respectively. For any $n\in\mathbb{Z}^{+}$ , we denote $[n]=\{1,2,\ldots,n\}$ . For any $m\in\mathbb{Z}^{+}$ , we denote by $\mathbb{Z}_{m}$ the set of integers modulo $m$ and denote by $\mathbb{Z}_{m}^{*}$ the multiplicative group of integers modulo $m$ . When $m$ is odd, we have that $2\in\mathbb{Z}_{m}^{*}$ and denote by ${\rm ord}_{m}(2)$ the multiplicative order of $2$ in $\mathbb{Z}_{m}^{*}$ . For a prime power $q$ , we denote by $\mathbb{F}_{q}$ the finite field of $q$ elements and denote by $\mathbb{F}_{q}^{*}$ the multiplicative group of $\mathbb{F}_{q}$ . For any $z\in\mathbb{F}_{q}^{*}$ , we denote by ${\rm ord}_{q}(z)$ the multiplicative order of $z$ . For any two vectors $x=(x_{1},\ldots,x_{n}),y=(y_{1},\ldots,y_{n})$ , we denote by $d_{H}(x,y)=\{i:i\in[n],x_{i}\neq y_{i}\}$ the Hamming distance between $x$ and $y$ . For any $x,y\in\mathbb{Z}_{m}^{h}$ , we denote by $\langle x,y\rangle_{m}=\sum_{i=1}^{n}x_{i}y_{i}\bmod m$ the dot product of $x$ and $y$ . If the components of a vector $y$ are labeled by a set $V$ , then for every $v\in V$ we denote by $y[v]$ the $v$ th component of $y$ .

Definition 2.1.

(locally decodable code) Let $k,n,N\in\mathbb{Z}^{+}$ and let $0\leq\delta,\epsilon\leq 1$ . A code $C:\mathbb{F}_{q}^{n}\longrightarrow\mathbb{F}_{q}^{N}$ is said to be $(k,\delta,\varepsilon)$ -locally decodable if there exist randomized decoding algorithms $D_{1},D_{2},\ldots,D_{n}$ such that:

•

For any $x\in\mathbb{F}_{q}^{n}$ , any $y\in\mathbb{F}_{q}^{N}$ such that $d_{H}(C(x),y)\leq\delta N$ and any $i\in[n]$ , $\Pr[D_{i}(y)=x_{i}]\geq 1-\epsilon$ .
•

The algorithm $D_{i}$ makes at most $k$ queries to $y$ .

The numbers $k$ and $N$ are called the query complexity and the length of $C$ , respectively. They are usually considered as functions of $n$ , the message length, and measure the efficiency of $C$ . Ideally, we would like $k$ and $N$ to be as small as possible.

Efremenko [7] proposed a construction of LDCs, which is based on two fundamental building blocks: $S$ -matching family and $S$ -decoding polynomial.

Definition 2.2.

( $S$ -matching family) Let $m,h,n\in\mathbb{Z}^{+}$ and let $S\subseteq\mathbb{Z}_{m}\setminus\{0\}$ . A set ${\cal U}=\{u_{i}\}_{i=1}^{n}\subseteq\mathbb{Z}_{m}^{h}$ is said to be an $S$ -matching family if

•

$\langle u_{i},u_{i}\rangle_{m}=0$ for every $i\in[n]$ ,
•

$\langle u_{i},u_{j}\rangle_{m}\in S$ for all $i,j\in[n]$ such that $i\neq j$ .

Definition 2.3.

( $S$ -decoding polynomial) Let $m\in\mathbb{Z}^{+}$ be odd. Let $t={\rm ord}_{m}(2)$ and let $\gamma\in\mathbb{F}_{2^{t}}^{*}$ be a primitive $m$ th root of unity. A polynomial $P(X)\in\mathbb{F}_{2^{t}}[X]$ is said to be an $S$ -decoding polynomial if

•

$P(\gamma^{s})=0$ for every $s\in S$ ,
•

$P(\gamma^{0})=1$ .

Given an $S$ -matching family ${\cal U}=\{u_{i}\}_{i=1}^{n}\subseteq\mathbb{Z}_{m}^{h}$ and an $S$ -decoding polynomial $P(X)=a_{0}+a_{1}X^{b_{1}}+\cdots+a_{k-1}X^{b_{k-1}}\in\mathbb{F}_{2^{t}}[X]$ , Efremenko’s LDC can be described by Figure. 1.

Encoding: This algorithm encodes any message $x=(x_{1},\ldots,x_{n})\in\mathbb{F}_{2^{t}}^{n}$ as a codeword $C(x)\in\mathbb{F}_{2^{t}}^{m^{h}}$ such that:

•

the $m^{h}$ components of $C(x)$ are labeled by the $m^{h}$ elements of $\mathbb{Z}_{m}^{h}$ respectively; and
•

for every $v\in\mathbb{Z}_{m}^{h}$ , the $v$ th component is computed as $C(x)[v]=\sum_{j=1}^{n}x_{j}\cdot\gamma^{\langle u_{j},v\rangle_{m}}$ .

Decoding: This algorithm takes a word $y\in\mathbb{F}_{2^{t}}^{m^{h}}$ and an integer $i\in[n]$ as input. It recovers $x_{i}$ as follows:

•

choose a vector $v\in\mathbb{Z}_{m}^{h}$ uniformly and at random.
•

output $\gamma^{-\langle u_{i},v\rangle_{m}}\cdot(a_{0}\cdot y[v]+\sum_{\ell=1}^{k-1}a_{\ell}\cdot y[v+b_{\ell}u_{i}])$ .

Figure 1. Efremenko’s Construction

Efremenko’s construction gives a linear $(k,\delta,k\delta)$ -LDC that encodes messages of length $n$ to codewords of length $N=m^{h}$ . When $N$ is fixed, the larger the $n$ is, the more efficient the $C$ is. Efremenko [7] and several later works [9, 10] choose $S$ as the canonical set in $\mathbb{Z}_{m}$ . For any $m=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}\cdots p_{r}^{\alpha_{r}}\in{\cal M}_{r}$ , the canonical set in $\mathbb{Z}_{m}$ is defined as

S_{m}=\big{\{}s_{\sigma}:\sigma\in\{0,1\}^{r}\setminus\{0^{r}\},s_{\sigma}\equiv\sigma_{i}(\bmod~{}p_{i}^{\alpha_{i}}),\forall i\in[r]\big{\}}.

For example, $S_{15}=\{1,6,10\}$ . Efremenko [7] observed that Grolmusz’s set system [11] gives a direct construction of $S_{m}$ -matching families.

Lemma 2.4.

([11, 7]) For any $m\in{\cal M}_{r}(r\geq 2)$ and integer $h>0$ , there is an $S_{m}$ -matching family ${\cal U}=\{u_{i}\}_{i=1}^{n}\subseteq\mathbb{Z}_{m}^{h}$ of size $n\geq\exp(c(\log h)^{r}/(\log\log h)^{r-1})$ , where $c$ is a constant that only depends on $m$ .

In particular, the $n$ takes the form of $\ell^{\ell}$ for an integer $\ell>0$ and $h$ is determined by both $m$ , $\ell$ , and the weak representation of the function ${\sf OR}_{\ell}$ [11]. Efremenko [7] also observed that the polynomial $P(X)=\prod_{s\in S_{m}}(X-\gamma^{s})/(1-\gamma^{s})$ is an $S_{m}$ -decoding polynomial with $k\leq 2^{r}$ monomials.

Lemma 2.5.

([7]) For any $m\in{\cal M}_{r}(r\geq 2)$ , there is an $S_{m}$ -decoding polynomial with at most $2^{r}$ monomials.

Lemmas 2.4 and 2.5 yield LDCs of subexponential length.

Theorem 2.6.

([7]) For every integer $r\geq 2$ , there is a $(k,\delta,k\delta)$ -LDC of query complexity $k\leq 2^{r}$ and length $N_{r}$ .

For every integer $r\geq 2$ , Theorem 2.6 gives an infinite family of LDCs, each based on a number $m\in{\cal M}_{r}$ . Different $m\in{\cal M}_{r}$ may give LDCs of different query complexity. For example, $m=7\times 73$ gives a code of query complexity 3 [7], while $m=3\times 5$ is only able to give a code of query complexity 4 [9]. A number of the form $m=p_{1}p_{2}$ has been called good in [9, 10] if it is able to result in an LDC of query complexity $<4$ . By using the good numbers $511$ and $2047$ , Itoh and Suzuki [9] concluded that for any $r>5$ , the query complexity $2^{r}$ of the LDCs in Theorem 2.6 can be reduced to $9\cdot 2^{r-4}$ . On the other hand, for $r=2,3,4$ and $5$ , the best decoding algorithms to date for the LDCs in Theorem 2.6 have query complexity 3, 8, 9, and 24, respectively. Chee et al. [10] showed Mersenne numbers of the form $p_{1}p_{2}$ are good. With infinitely many such good numbers, Chee et al. [10] can further reduce the query complexity to $3^{r/2}$ .

3 Good Numbers of the Form $p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}$

Let $m=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}\in\mathcal{M}_{2}$ . Let $t={\rm ord}_{m}(2)$ and let $\gamma\in\mathbb{F}_{2^{t}}^{*}$ be a primitive $m{\rm th}$ root of unity. Lemma 2.5 shows that there is an $S_{m}$ -decoding polynomial $P(X)$ with $k\leq 4$ monomials. In this section, we will establish several sufficient and necessary conditions for a number $m$ to be good.

Lemma 3.1.

Let $m=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}\in{\cal M}_{2}$ . Then any $S_{m}$ -decoding polynomial has $\geq 3$ monomials.

Proof 3.2.

If $P(X)=aX^{u}\in\mathbb{F}_{2^{t}}[X]$ is an $S_{m}$ -decoding polynomial, then $a=P(1)=1$ and $a=\gamma^{-u}P(\gamma)=0$ , which give a contradiction. If $P(X)=aX^{u}+bX^{v}\in\mathbb{F}_{2^{t}}[X]$ is an $S_{m}$ -decoding polynomial with 2 monomials, then $ab\neq 0$ and

$\displaystyle a\gamma^{us_{01}}+b\gamma^{vs_{01}}$	$\displaystyle=P(\gamma^{s_{01}})=0,$	(1)
$\displaystyle a\gamma^{us_{10}}+b\gamma^{vs_{10}}$	$\displaystyle=P(\gamma^{s_{10}})=0,$	(2)
$\displaystyle a+b$	$\displaystyle=P(1)\hskip 12.51918pt=1.$	(3)

Equations (1) and (2) imply that $b/a=\gamma^{(u-v)s_{01}}=\gamma^{(u-v)s_{10}}$ . As ${\rm ord}_{2^{t}}(\gamma)=m$ , we must have that

(u-v)(s_{01}-s_{10})\equiv 0~{}(\bmod~{}m).

(4)

Note that $\gcd(s_{01}-s_{10},m)=1$ . Equation (4) implies $u\equiv v~{}(\bmod~{}m).$ It follows that $b/a=\gamma^{(u-v)s_{01}}=1$ and thus $a+b=0$ , which contradicts to (3).

Let $\mathbb{M}_{2}$ be the set of good numbers in ${\cal M}_{2}$ . The following lemmas characterize $\mathbb{M}_{2}$ .

Lemma 3.3.

Let $m=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}\in{\cal M}_{2}$ . Then $m\in\mathbb{M}_{2}$ if and only if there is a polynomial $Q(X)=X^{u}+aX^{v}+b\in\mathbb{F}_{2^{t}}[X]$ that satisfies the following properties

①

$ab\neq 0,$
②

$|\{(u\bmod~{}m),(v\bmod~{}m),0\}|=3$ , and
③

$Q(\gamma)=Q(\gamma^{s_{01}})=Q(\gamma^{s_{10}})=0$ , $Q(1)\neq 0$ .

Proof 3.4.

If $m\in\mathbb{M}_{2}$ , then by Lemma 3.1 there exists an $S_{m}$ -decoding polynomial

P(X)=c_{1}X^{d_{1}}+c_{2}X^{d_{2}}+c_{3}X^{d_{3}}\in\mathbb{F}_{2^{t}}[X]

(5)

with exactly 3 monomials. In particular, we must have

④

$c_{1}c_{2}c_{3}\neq 0$ ,
⑤

$|\{(d_{1}\bmod~{}m),(d_{2}~{}\bmod~{}m),(d_{3}~{}\bmod~{}m)\}|=3$ , and
⑥

$P(\gamma^{s_{01}})=P(\gamma^{s_{10}})=P(\gamma)=0,P(1)=1$ .

While ④ and ⑥ are clear from the definition, we show that ⑤ is also true. Assume for contradiction that $d_{1}\equiv d_{2}(\bmod~{}m)$ . Then $(\gamma^{s})^{d_{1}}=(\gamma^{s})^{d_{2}}$ for all $s\in\{s_{01},s_{10},1\}$ and thus

$\displaystyle(c_{1}+c_{2})\gamma^{s_{01}d_{1}}+c_{3}\gamma^{s_{01}d_{3}}$	$\displaystyle=P(\gamma^{s_{01}})=0,$	(6)
$\displaystyle(c_{1}+c_{2})\gamma^{s_{10}d_{1}}+c_{3}\gamma^{s_{10}d_{3}}$	$\displaystyle=P(\gamma^{s_{10}})=0,$	(7)
$\displaystyle c_{1}+c_{2}+c_{3}$	$\displaystyle=P(1)\hskip 12.51918pt=1.$	(8)

Due to (6) and (7), we have that $\gamma^{s_{01}(d_{3}-d_{1})}=\gamma^{s_{10}(d_{3}-d_{1})}$ and thus $d_{1}\equiv d_{3}(\bmod~{}m)$ . Consequently, (6) implies that $c_{1}+c_{2}+c_{3}=0$ , which contradicts to (8).

W.l.o.g., we suppose that $d_{1}>d_{2}>d_{3}$ . Let $u=d_{1}-d_{3},v=d_{2}-d_{3},a=c_{2}/c_{1}$ and $b=c_{3}/c_{1}$ . Then

Q(X):=X^{u}+aX^{v}+b=\frac{P(X)}{c_{1}X^{d_{3}}}.

(9)

The properties ①, ②, and ③ trivially follow from ④, ⑤, and ⑥, respectively.

Conversely, suppose that $Q(X)=X^{u}+aX^{v}+b$ is a polynomial that satisfies the properties ①, ②, and ③. Then $P(X)=Q(X)/Q(1)$ will be an $S_{m}$ -decoding polynomial with exactly 3 monomials. Therefore, $m\in\mathbb{M}_{2}$ .

Lemma 3.5.

Let $m=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}\in{\cal M}_{2}$ . Then $m\in\mathbb{M}_{2}$ if and only if there exist $u,v\in E:=\{e:p_{1}^{\alpha_{1}}\nmid e,p_{2}^{\alpha_{2}}\nmid e,e\in\mathbb{Z}\}$ such that $u\not\equiv v(\bmod~{}m)$ and $\det(A)=0$ , where

A=\left(\begin{matrix}\gamma^{s_{01}u}&\gamma^{s_{01}v}&1\\ \gamma^{s_{10}u}&\gamma^{s_{10}v}&1\\ \gamma^{u}&\gamma^{v}&1\\ \end{matrix}\right).

(10)

Proof 3.6.

If $m\in\mathbb{M}_{2}$ , then there is a polynomial $Q(X)=X^{u}+aX^{v}+b\in\mathbb{F}_{2^{t}}[X]$ such that the ①, ②, and ③ in Lemma 3.3 are true. Due to ②, we have that $u\not\equiv v(\bmod~{}m)$ . On the other hand, ③ is equivalent to

	$\displaystyle A\left(\begin{matrix}1\\ a\\ b\\ \end{matrix}\right)$	$\displaystyle=\left(\begin{matrix}0\\ 0\\ 0\\ \end{matrix}\right),$		(11)
	$\displaystyle 1+a+b$	$\displaystyle\neq 0.$		(12)

Equation (11) requires that $\det(A)=0$ . It remains to show that $u,v\in E$ . We show that $p_{1}^{\alpha_{1}}\nmid u$ . The proofs for $p_{2}^{\alpha_{2}}\nmid u,p_{1}^{\alpha_{1}}\nmid v,$ and $p_{2}^{\alpha_{2}}\nmid v$ will be similar and omitted. Note that

$\displaystyle 0=\det(A)=$	$\displaystyle(\gamma^{s_{01}u}+\gamma^{u})(\gamma^{s_{10}v}+\gamma^{v})+$	(13)
	$\displaystyle(\gamma^{s_{01}v}+\gamma^{v})(\gamma^{s_{10}u}+\gamma^{u})$
$\displaystyle=$	$\displaystyle((\gamma^{-s_{10}u}+1)(\gamma^{-s_{01}v}+1)+$
	$\displaystyle\hskip 3.41432pt(\gamma^{-s_{01}u}+1)(\gamma^{-s_{10}v}+1))\gamma^{u+v}.$

If $p_{1}^{\alpha_{1}}|u$ , then $s_{10}u\equiv 0~{}(\bmod~{}m)$ and $\gamma^{-s_{10}u}+1=0$ . Equation (13) would imply $\gamma^{-s_{01}u}+1=0$ or $\gamma^{-s_{10}v}+1=0$ . If $\gamma^{-s_{01}u}+1=0$ , then $p_{2}^{\alpha_{2}}|u$ and thus $m|u$ , which would contradicts to ②. If $\gamma^{-s_{10}v}+1=0$ , then $p_{1}^{\alpha_{1}}|v$ and thus $0=Q(\gamma^{s_{10}})=1+a+b$ , which contradicts to (12).

Conversely, suppose that $u,v\in E$ are integers such that $u\not\equiv v(\bmod~{}m)$ and $\det(A)=0$ . To show that $m\in\mathbb{M}_{2}$ , it suffices to construct an $S_{m}$ -decoding polynomial $Q(X)=X^{u}+aX^{v}+b\in\mathbb{F}_{2^{t}}[X]$ such that ①, ②, and ③ are satisfied. First of all, $\det(A)=0$ implies that ${\rm rank}(A)\leq 2$ . If ${\rm rank}(A)=1$ , then we must have that $\gamma^{s_{01}u}=\gamma^{s_{10}u}$ . It follows that $u\equiv 0(\bmod~{}m)$ , which contradicts to $u\in E$ . As ${\rm rank}(A)=2$ , the null space of $A$ will be 1-dimensional and spanned by a nonzero vector $c=(c_{1},c_{2},c_{3})^{T}$ . Below we shall see that $c_{i}\neq 0$ for all $i\in[3]$ . If $c_{1}=0$ , then

\left(\begin{matrix}\gamma^{s_{01}v}&1\\ \gamma^{s_{10}v}&1\\ \gamma^{v}&1\\ \end{matrix}\right)\left(\begin{matrix}c_{2}\\ c_{3}\\ \end{matrix}\right)=\left(\begin{matrix}0\\ 0\\ 0\\ \end{matrix}\right).

(14)

Then $c_{2}c_{3}$ must be nonzero and thus $\gamma^{s_{01}v}=\gamma^{s_{10}v}$ . The latter equality requires that $v\equiv 0(\bmod~{}m)$ , which contradicts to the fact $v\in E$ . Hence, $c_{1}\neq 0$ . Similarly, we have $c_{2}\neq 0$ and $c_{3}\neq 0$ . Let $R(X)=c_{1}X^{u}+c_{2}X^{v}+c_{3}$ . Then $R(\gamma)=R(\gamma^{s_{01}})=R(\gamma^{s_{10}})=0$ . Furthermore, we must have $R(1)\neq 0$ . Otherwise, $c_{3}=c_{1}+c_{2}$ and

\left(\begin{matrix}\gamma^{s_{01}u}+1&\gamma^{s_{01}v}+1\\ \gamma^{s_{10}u}+1&\gamma^{s_{10}v}+1\\ \gamma^{u}+1&\gamma^{v}+1\\ \end{matrix}\right)\left(\begin{matrix}c_{1}\\ c_{2}\\ \end{matrix}\right)=\left(\begin{matrix}0\\ 0\\ 0\\ \end{matrix}\right).

(15)

As $c_{1}c_{2}\neq 0$ , this is possible only if

\frac{\gamma^{s_{01}u}+1}{\gamma^{s_{01}v}+1}=\frac{\gamma^{s_{10}u}+1}{\gamma^{s_{10}v}+1}=\frac{\gamma^{u}+1}{\gamma^{v}+1}.

(16)

Denote by $\lambda$ the value of the fractions in (16). Then

\begin{split}\frac{\gamma^{s_{10}u}}{\gamma^{s_{10}v}}\cdot\underbrace{~{}\frac{\gamma^{s_{01}u}+1}{\gamma^{s_{01}v}+1}~{}}_{\lambda}&=\frac{\gamma^{s_{10}u}+\gamma^{u}}{\gamma^{s_{10}v}+\gamma^{v}}\\ &=\frac{\gamma^{s_{10}u}+1+\gamma^{u}+1}{\gamma^{s_{10}v}+1+\gamma^{v}+1}\\ &=\frac{\lambda(\gamma^{s_{10}v}+1)+\lambda(\gamma^{v}+1)}{\gamma^{s_{10}v}+1+\gamma^{v}+1}\\ &=\lambda,\end{split}

(17)

where the first equality is based on the fact that $s_{01}+s_{10}\equiv 1(\bmod~{}m)$ and the second equality is true because we are working over a finite field of characteristic 2. It follows from (17) that $\gamma^{s_{10}(u-v)}=1$ . Therefore, we must have that $u\equiv v(\bmod~{}p_{1}^{\alpha_{1}})$ . Similarly, we have that $u\equiv v(\bmod~{}p_{2}^{\alpha_{2}})$ . Based on the two congruences, we have that $u\equiv v(\bmod~{}m)$ , which gives a contradiction. Hence, $R(1)\neq 0$ and $Q(X):=R(X)/c_{1}$ is a polynomial satisfying ①, ②, and ③.

Lemma 3.7.

Let $m=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}\in{\cal M}_{2}$ . Let $t={\rm ord}_{m}(2)$ and let $\gamma\in\mathbb{F}_{2^{t}}^{*}$ be a primitive $m$ th root of unity. Let

\tau(z_{1},z_{2})=\frac{z_{1}+z_{2}}{z_{1}z_{2}+z_{2}}.

Then $m\in\mathbb{M}_{2}$ if and only if $\tau$ is not injective on ${\cal D}=\{(z_{1},z_{2})\in(\mathbb{F}_{2^{t}}^{*}\setminus\{1\})^{2}:{\rm ord}_{2^{t}}(z_{1})|p_{1}^{\alpha_{1}},{\rm ord}_{2^{t}}(z_{2})|p_{2}^{\alpha_{2}}\}$ .

Proof 3.8.

If $m\in\mathbb{M}_{2}$ , then by Lemma 3.5 there exist $u,v\in E$ such that $u\not\equiv v(\bmod~{}m)$ and $\det(A)=0$ , where $A$ is defined by (10). Note that $\det(A)=0$ requires that

\frac{\gamma^{s_{10}u}+\gamma^{s_{01}u}}{\gamma^{u}+\gamma^{s_{01}u}}=\frac{\gamma^{s_{10}v}+\gamma^{s_{01}v}}{\gamma^{v}+\gamma^{s_{01}v}}.

Clearly, $(\gamma^{s_{10}u},\gamma^{s_{01}u})$ and $(\gamma^{s_{10}v},\gamma^{s_{01}v})$ are two distinct elements of $\cal D$ and $\tau(\gamma^{s_{10}u},\gamma^{s_{01}u})=\tau(\gamma^{s_{10}v},\gamma^{s_{01}v}).$ Hence, $\tau$ is not injective on $\cal D$ .

Conversely, suppose that $\tau(z_{1},z_{2})=\tau(z_{1}^{\prime},z_{2}^{\prime})$ for two distinct elements $(z_{1},z_{2}),(z_{1}^{\prime},z_{2}^{\prime})\in{\cal D}$ . To show that $m\in\mathbb{M}_{2}$ , by Lemma 3.5 it suffices to find $u,v\in E$ such that $u\not\equiv v(\bmod~{}m)$ and $\det(A)=0$ . Suppose that

{\rm ord}_{2^{t}}(z_{1})=p_{1}^{i_{1}},{\rm ord}_{2^{t}}(z_{2})=p_{2}^{j_{1}},

{\rm ord}_{2^{t}}(z_{1}^{\prime})=p_{1}^{i_{2}},{\rm ord}_{2^{t}}(z_{2}^{\prime})=p_{2}^{j_{2}}

for $i_{1},i_{2}\in[\alpha_{1}]$ and $j_{1},j_{2}\in[\alpha_{2}]$ . Then there exist integers $u_{1},u_{2},v_{1},v_{2}$ , where $p_{1}\nmid u_{1},v_{1}$ and $p_{2}\nmid u_{2},v_{2}$ , such that

z_{1}=(\gamma^{s_{10}p_{1}^{\alpha_{1}-i_{1}}})^{u_{1}},z_{2}=(\gamma^{s_{01}p_{2}^{\alpha_{2}-j_{1}}})^{u_{2}},

z_{1}^{\prime}=(\gamma^{s_{10}p_{1}^{\alpha_{1}-i_{2}}})^{v_{1}},z_{2}^{\prime}=(\gamma^{s_{01}p_{2}^{\alpha_{2}-j_{2}}})^{v_{2}}.

By Chinese remainder theorem, there exist $u,v$ such that:

\left\{\begin{array}[]{ll}u\equiv p_{1}^{\alpha_{1}-i_{1}}u_{1}(\bmod~{}p_{1}^{\alpha_{1}}),\\ u\equiv p_{2}^{\alpha_{2}-j_{1}}u_{2}(\bmod~{}p_{2}^{\alpha_{2}}),\end{array}\right.\left\{\begin{array}[]{ll}v\equiv p_{1}^{\alpha_{1}-i_{2}}v_{1}(\bmod~{}p_{1}^{\alpha_{1}}),\\ v\equiv p_{2}^{\alpha_{2}-j_{2}}v_{2}(\bmod~{}p_{2}^{\alpha_{2}}).\end{array}\right.

In particular, $u,v\in E$ and $u\not\equiv v(\bmod~{}m)$ (o.w., we will have $(z_{1},z_{2})=(z_{1}^{\prime},z_{2}^{\prime})$ ). Furthermore, $z_{1}=\gamma^{s_{10}u},z_{2}=\gamma^{s_{01}u},z_{1}^{\prime}=\gamma^{s_{10}v}$ and $z_{2}^{\prime}=\gamma^{s_{01}v}.$ Since $\tau(z_{1},z_{2})=\tau(z_{1}^{\prime},z_{2}^{\prime})$ , we must have that $\det(A)=0$ due to (13).

Let $\rho(z_{1},z_{2})=\tau(z_{1},z_{2})-1=(1+z_{2}^{-1})(1+z_{1}^{-1})^{-1}.$ Then Lemma 3.7 gives the following theorem.

Theorem 3.9.

Let $m=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}}\in{\cal M}_{2}$ . Let $t={\rm ord}_{m}(2)$ and let $\gamma\in\mathbb{F}_{2^{t}}^{*}$ be a primitive $m{\rm th}$ root of unity. Then $m\in\mathbb{M}_{2}$ if and only if $\rho$ is not injective on $\cal D$ .

Theorem 3.9 gives a characterization of the good numbers in ${\cal M}_{2}$ . We say that $(u,v)\in E^{2}$ form a collision for $m$ if

•

$\rho(\gamma^{s_{10}u},\gamma^{s_{01}u})=\rho(\gamma^{s_{10}v},\gamma^{s_{01}v})$ , and
•

$u\not\equiv v(\bmod~{}m)$ .

The proof of Lemma 3.7 shows that $m\in\mathbb{M}_{2}$ if and only if there is a collision $(u,v)\in E^{2}$ for $m$ .

4 Implications between Good Numbers

In this section, we show the implications between good numbers in ${\cal M}_{2}$ , which allows us to construct new good numbers from old.

Lemma 4.1.

Let $m_{1}=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}},m_{2}=p_{1}^{\beta_{1}}p_{2}^{\beta_{2}}\in{\cal M}_{2}$ . Let $t_{i}={\rm ord}_{m_{i}}(2)$ and let $\gamma_{i}\in\mathbb{F}_{2^{t_{i}}}^{*}$ be a primitive $m_{i}{\rm th}$ root of unity for $i=1,2$ . If $m_{1}|m_{2}$ , then there is an integer $\sigma\in\mathbb{Z}_{m_{1}}^{*}$ such that $\gamma_{1}=\gamma_{2}^{\sigma m_{2}/m_{1}}$ .

Proof 4.2.

As $m_{1}|m_{2}$ and $m_{2}|(2^{t_{2}}-1)$ , we must have that $t_{1}|t_{2}$ . Then $\mathbb{F}_{2^{t_{1}}}$ is a subfield of $\mathbb{F}_{2^{t_{2}}}$ . Note that $\gamma_{1}\in\mathbb{F}_{2^{t_{1}}}\subseteq\mathbb{F}_{2^{t_{2}}}$ and $\gamma_{2}^{m_{2}/m_{1}}\in\mathbb{F}_{2^{t_{2}}}$ are elements of the same finite field and have the same multiplicative order (i.e., $m_{1}$ ). Both $\langle\gamma_{1}\rangle$ and $\langle\gamma_{2}^{m_{2}/m_{1}}\rangle$ are subgroups of $\mathbb{F}_{2^{t_{2}}}^{*}$ of order $m_{1}$ . As $\mathbb{F}_{2^{t_{2}}}^{*}$ has a unique subgroup of order $m_{1}$ , it must be the case that $\langle\gamma_{1}\rangle=\langle\gamma_{2}^{m_{2}/m_{1}}\rangle$ . Hence, there is an integer $\sigma\in\mathbb{Z}_{m_{1}}^{*}$ such that $\gamma_{1}=\gamma_{2}^{\sigma m_{2}/m_{1}}$ .

Theorem 4.3.

Let $m_{1}=p_{1}^{\alpha_{1}}p_{2}^{\alpha_{2}},m_{2}=p_{1}^{\beta_{1}}p_{2}^{\beta_{2}}\in{\cal M}_{2}$ . If $m_{1}\in\mathbb{M}_{2}$ and $m_{1}|m_{2}$ , then $m_{2}\in\mathbb{M}_{2}$ .

Proof 4.4.

For $i\in\{1,2\}$ , let $S_{m_{i}}=\{s^{i}_{01},s^{i}_{10},1\}$ , let $t_{i}={\rm ord}_{m_{i}}(2)$ , and let $\gamma_{i}\in\mathbb{F}_{2^{t_{i}}}^{*}$ be of order $m_{i}$ . Let $E_{1}=\{e:p_{1}^{\alpha_{1}}\nmid e,p_{2}^{\alpha_{2}}\nmid e,e\in\mathbb{Z}\}$ and $E_{2}=\{e:p_{1}^{\beta_{1}}\nmid e,p_{2}^{\beta_{2}}\nmid e,e\in\mathbb{Z}\}$ .

If $m_{1}\in\mathbb{M}_{2}$ , then there is a collision $(u_{1},v_{1})\in E^{2}$ such that $u_{1}\not\equiv v_{1}(\bmod~{}m_{1})$ and

\frac{\gamma_{1}^{-s^{1}_{01}u_{1}}+1}{\gamma_{1}^{-s^{1}_{10}u_{1}}+1}=\frac{\gamma_{1}^{-s^{1}_{01}v_{1}}+1}{\gamma_{1}^{-s^{1}_{10}v_{1}}+1}.

(18)

As per Lemma 4.1, let $\sigma\in\mathbb{Z}_{m_{1}}^{*}$ be an integer such that $\gamma_{1}=\gamma_{2}^{\sigma m_{2}/m_{1}}$ . Then (18) is

\frac{\gamma_{2}^{-s^{1}_{01}u_{1}\sigma m_{2}/m_{1}}+1}{\gamma_{2}^{-s^{1}_{10}u_{1}\sigma m_{2}/m_{1}}+1}=\frac{\gamma_{2}^{-s^{1}_{01}v_{1}\sigma m_{2}/m_{1}}+1}{\gamma_{2}^{-s^{1}_{10}v_{1}\sigma m_{2}/m_{1}}+1}.

(19)

We claim that if there exist integers $u_{2},v_{2}$ such that

{\rm(i)}\left\{\begin{array}[]{ll}s^{1}_{01}u_{1}\sigma m_{2}/m_{1}\equiv s^{2}_{01}u_{2}(\bmod~{}m_{2}),\\ s^{1}_{10}u_{1}\sigma m_{2}/m_{1}\equiv s^{2}_{10}u_{2}(\bmod~{}m_{2}),\end{array}\right.

{\rm(ii)}\left\{\begin{array}[]{ll}s^{1}_{01}v_{1}\sigma m_{2}/m_{1}\equiv s^{2}_{01}v_{2}(\bmod~{}m_{2}),\\ s^{1}_{10}v_{1}\sigma m_{2}/m_{1}\equiv s^{2}_{10}v_{2}(\bmod~{}m_{2}),\end{array}\right.

then $u_{2},v_{2}\in E_{2}$ , $u_{2}\not\equiv v_{2}(\bmod~{}m_{2})$ and

\frac{\gamma_{2}^{-s^{2}_{01}u_{2}}+1}{\gamma_{2}^{-s^{2}_{10}u_{2}}+1}=\frac{\gamma_{2}^{-s^{2}_{01}v_{2}}+1}{\gamma_{2}^{-s^{2}_{10}v_{2}}+1},

(20)

i.e., $(u_{2},v_{2})$ form a collision for $m_{2}$ (and thus $m_{2}\in\mathbb{M}_{2}$ ). Note that (20) is clear from (i), (ii) and (19). We need to show that $u_{2},v_{2}\in E_{2}$ and $u_{2}\not\equiv v_{2}(\bmod~{}m_{2})$ . If $p_{1}^{\beta_{1}}|u_{2}$ , then we will have that $m_{2}|s^{2}_{10}u_{2}$ . The second congruence of (i) would imply that $p_{1}^{\alpha_{1}}|u_{1}\sigma$ , which contradicts to $u_{1}\in E_{1}$ and $\sigma\in\mathbb{Z}_{m_{1}}^{*}$ . Similarly, we have $p_{2}^{\beta_{2}}\nmid u_{2},p_{1}^{\beta_{1}}\nmid v_{2}$ and $p_{2}^{\beta_{2}}\nmid v_{2}$ . Hence, $u_{2},v_{2}\in E_{2}$ . If $u_{2}\equiv v_{2}(\bmod~{}m_{2})$ , then the first congruences of (i) and (ii) would imply that $s^{1}_{01}\sigma(u_{1}-v_{1})\equiv 0(\bmod~{}m_{1})$ , which requires that $u_{1}\equiv v_{1}(\bmod~{}p_{2}^{\alpha_{2}})$ . Similarly, the second congruences of (i) and (ii) would imply $u_{1}\equiv v_{1}(\bmod~{}p_{1}^{\alpha_{1}})$ . It follows that $u_{1}\equiv v_{1}(\bmod~{}m_{1})$ , which is a contradiction.

It remains to show the existence of integers $u_{2}$ and $v_{2}$ that satisfy (i) and (ii). We show that existence of $u_{2}$ . The existence of $v_{2}$ is similar. Due to Chinese remainder theorem, the first congruence of (i) is equivalent to

\left\{\begin{array}[]{ll}s^{1}_{01}u_{1}\sigma m_{2}/m_{1}\equiv s^{2}_{01}u_{2}(\bmod~{}p_{1}^{\beta_{1}}),\\ s^{1}_{01}u_{1}\sigma m_{2}/m_{1}\equiv s^{2}_{01}u_{2}(\bmod~{}p_{2}^{\beta_{2}}),\end{array}\right.

(21)

Note that the first congruence of (21) is always true. On the other hand, as $s^{2}_{01}\equiv 1(\bmod~{}p_{2}^{\beta_{2}})$ , the first congruence of (i) must be equivalent to

u_{2}\equiv s^{1}_{01}u_{1}\sigma m_{2}/m_{1}(\bmod~{}p_{2}^{\beta_{2}}).

(22)

Similarly, the second congruence of (i) is equivalent to

u_{2}\equiv s^{1}_{10}u_{1}\sigma m_{2}/m_{1}(\bmod~{}p_{1}^{\beta_{1}}).

(23)

Therefore, (i) is equivalent to the system formed by (22) and (23). The existence of $u_{2}$ is an easy consequence of the Chinese remainder theorem.

Theorem 4.5.

Let $m_{2}=p_{1}^{\beta_{1}}p_{2}^{\beta_{2}}\in{\cal M}_{2}$ . Suppose that $m_{2}\in\mathbb{M}_{2}$ and $(u,v)=(p_{1}^{i_{1}}p_{2}^{i_{2}}\sigma_{1},p_{1}^{j_{1}}p_{2}^{j_{2}}\sigma_{2})$ is a collision for $m_{2}$ , where $\sigma_{1},\sigma_{2}\in\mathbb{Z}_{m_{2}}^{*}$ . Let $\omega_{1}=\min\{i_{1},j_{1}\}$ and $\omega_{2}=\min\{i_{2},j_{2}\}$ . Then $m_{1}:=m_{2}/(p_{1}^{\omega_{1}}p_{2}^{\omega_{2}})$ belongs to $\mathbb{M}_{2}$ .

Proof 4.6.

For $i=1,2$ , let $S_{m_{i}}=\{s^{i}_{01},s^{i}_{10},1\}$ , let $t_{i}={\rm ord}_{m_{i}}(2)$ and let $\gamma_{i}\in\mathbb{F}_{2^{t_{i}}}^{*}$ be of order $m_{i}$ . Let $E_{1}=\{e:p_{1}^{\beta_{1}-\omega_{1}}\nmid e,p_{2}^{\beta_{2}-\omega_{2}}\nmid e,e\in\mathbb{Z}\}$ and $E_{2}=\{e:p_{1}^{\beta_{1}}\nmid e,p_{2}^{\beta_{2}}\nmid e,e\in\mathbb{Z}\}$ . To show that $m_{1}\in\mathbb{M}_{2}$ , it suffices to find two integers $u_{1},v_{1}\in E_{1}$ such that $u_{1}\not\equiv v_{1}(\bmod~{}m_{1})$ and

\frac{\gamma_{1}^{-s^{1}_{01}u_{1}}+1}{\gamma_{1}^{-s^{1}_{10}u_{1}}+1}=\frac{\gamma_{1}^{-s^{1}_{01}v_{1}}+1}{\gamma_{1}^{-s^{1}_{10}v_{1}}+1}.

(24)

As per Lemma 4.1, there is an integer $\sigma\in\mathbb{Z}_{m_{2}}^{*}$ such that $\gamma_{1}=\gamma_{2}^{p_{1}^{\omega_{1}}p_{2}^{\omega_{2}}\sigma}$ . Then (24) is

\frac{\gamma_{2}^{-s^{1}_{01}u_{1}p_{1}^{\omega_{1}}p_{2}^{\omega_{2}}\sigma}+1}{\gamma_{2}^{-s^{1}_{10}u_{1}p_{1}^{\omega_{1}}p_{2}^{\omega_{2}}\sigma}+1}=\frac{\gamma_{2}^{-s^{1}_{01}v_{1}p_{1}^{\omega_{1}}p_{2}^{\omega_{2}}\sigma}+1}{\gamma_{2}^{-s^{1}_{10}v_{1}p_{1}^{\omega_{1}}p_{2}^{\omega_{2}}\sigma}+1}.

(25)

As $(p_{1}^{i_{1}}p_{2}^{i_{2}}\sigma_{1},p_{1}^{j_{1}}p_{2}^{j_{2}}\sigma_{2})\in E_{2}^{2}$ is a collision for $m_{2}$ , we have

\frac{\gamma_{2}^{-s^{2}_{01}p_{1}^{i_{1}}p_{2}^{i_{2}}\sigma_{1}}+1}{\gamma_{2}^{-s^{2}_{10}p_{1}^{i_{1}}p_{2}^{i_{2}}\sigma_{1}}+1}=\frac{\gamma_{2}^{-s^{2}_{01}p_{1}^{j_{1}}p_{2}^{j_{2}}\sigma_{2}}+1}{\gamma_{2}^{-s^{2}_{10}p_{1}^{j_{1}}p_{2}^{j_{2}}\sigma_{2}}+1}.

(26)

We claim that if there exist integers $u_{1},v_{1}$ such that

{\rm(i)}\left\{\begin{array}[]{ll}s^{1}_{01}u_{1}p_{1}^{\omega_{1}}p_{2}^{\omega_{2}}\sigma\equiv s^{2}_{01}p_{1}^{i_{1}}p_{2}^{i_{2}}\sigma_{1}(\bmod~{}m_{2}),\\ s^{1}_{10}u_{1}p_{1}^{\omega_{1}}p_{2}^{\omega_{2}}\sigma\equiv s^{2}_{10}p_{1}^{i_{1}}p_{2}^{i_{2}}\sigma_{1}(\bmod~{}m_{2}),\end{array}\right.

{\rm(ii)}\left\{\begin{array}[]{ll}s^{1}_{01}v_{1}p_{1}^{\omega_{1}}p_{2}^{\omega_{2}}\sigma\equiv s^{2}_{01}p_{1}^{j_{1}}p_{2}^{j_{2}}\sigma_{2}(\bmod~{}m_{2}),\\ s^{1}_{10}v_{1}p_{1}^{\omega_{1}}p_{2}^{\omega_{2}}\sigma\equiv s^{2}_{10}p_{1}^{j_{1}}p_{2}^{j_{2}}\sigma_{2}(\bmod~{}m_{2}),\end{array}\right.

then $u_{1},v_{1}\in E_{1}$ , $u_{1}\not\equiv v_{1}(\bmod~{}m_{1})$ and (25) holds. Note that (25) is clear from (i), (ii) and (26). If $p_{1}^{\beta_{1}-\omega_{1}}|u_{1}$ , then the second congruence of (i) would imply that $p_{1}^{\beta_{1}}|p_{1}^{i_{1}}p_{2}^{i_{2}}\sigma_{1}$ , which contradicts to the fact that $p_{1}^{i_{1}}p_{2}^{i_{2}}\sigma_{1}\in E_{2}$ . Similarly, we can show that $p_{2}^{\beta_{2}-\omega_{2}}\nmid u_{1},p_{1}^{\beta_{1}-\omega_{1}}\nmid v_{1}$ and $p_{2}^{\beta_{2}-\omega_{2}}\nmid v_{1}$ . Therefore, $u_{1},v_{1}\in E_{1}$ . If $u_{1}\equiv v_{1}(\bmod~{}m_{1})$ , then the first congruences of (i) and (ii) would imply that $s^{2}_{01}(p_{1}^{i_{1}}p_{2}^{i_{2}}\sigma_{1}-p_{1}^{j_{1}}p_{2}^{j_{2}}\sigma_{2})\equiv 0(\bmod~{}m_{2})$ , which requires that $p_{1}^{i_{1}}p_{2}^{i_{2}}\sigma_{1}\equiv p_{1}^{j_{1}}p_{2}^{j_{2}}\sigma_{2}(\bmod~{}p_{2}^{\beta_{2}})$ . Similarly, the second congruences of (i) and (ii) require that $p_{1}^{i_{1}}p_{2}^{i_{2}}\sigma_{1}\equiv p_{1}^{j_{1}}p_{2}^{j_{2}}\sigma_{2}(\bmod~{}p_{1}^{\beta_{1}})$ . It follows that $p_{1}^{i_{1}}p_{2}^{i_{2}}\sigma_{1}\equiv p_{1}^{j_{1}}p_{2}^{j_{2}}\sigma_{2}(\bmod~{}m_{2})$ , which is a contradiction.

It remains to show the existence of $u_{1}$ and $v_{1}$ that satisfy (i) and (ii). We show the existence of $u_{1}$ . The existence of $v_{1}$ is similar and omitted. As $\omega_{1}\leq i_{1}\leq\beta_{1}$ and $\omega_{2}\leq i_{2}\leq\beta_{2}$ , the first congruence in (i) is equivalent to

\left\{\begin{array}[]{ll}s^{1}_{01}u_{1}\sigma\equiv s^{2}_{01}p_{1}^{i_{1}-\omega_{1}}p_{2}^{i_{2}-\omega_{2}}\sigma_{1}(\bmod~{}p_{1}^{\beta_{1}-\omega_{1}}),\\ s^{1}_{01}u_{1}\sigma\equiv s^{2}_{01}p_{1}^{i_{1}-\omega_{1}}p_{2}^{i_{2}-w_{2}}\sigma_{1}(\bmod~{}p_{2}^{\beta_{2}-\omega_{2}}).\end{array}\right.

(27)

Note that the first congruence of (27) is always true. On the other hand, as $p_{2}\nmid s^{1}_{01}\sigma$ , there is an integer $t^{1}_{01}$ such that $s^{1}_{01}\sigma t^{1}_{01}\equiv 1(\bmod~{}p_{2}^{\beta_{2}-\omega_{2}})$ . Therefore, the first congruence of (i) will be equivalent to

u_{1}\equiv s^{2}_{01}t^{1}_{01}p_{1}^{i_{1}-\omega_{1}}p_{2}^{i_{2}-\omega_{2}}\sigma_{1}(\bmod~{}p_{2}^{\beta_{2}-\omega_{2}}).

(28)

Similarly, we can show that the second congruence of (i) is equivalent to

u_{1}\equiv s^{2}_{10}t^{1}_{10}p_{1}^{i_{1}-\omega_{1}}p_{2}^{i_{2}-\omega_{2}}\sigma_{1}(\bmod~{}p_{1}^{\beta_{1}-\omega_{1}}),

(29)

where $t^{1}_{10}$ is an integer such that $s^{1}_{10}\sigma t^{1}_{10}\equiv 1(\bmod~{}p_{1}^{\beta_{1}-\omega_{1}})$ . The existence of $u_{1}$ is an easy consequence of the Chinese remainder theorem on (28) and (29).

Example 4.7.

Let $m_{2}=7^{2}\times 151$ . Then $S_{m_{2}}=\{s_{01}=1813,s_{10}=5587,s_{11}=1\}$ . Let $t_{2}={\rm ord}_{m_{2}}(2)$ and let $\gamma_{2}\in\mathbb{F}_{2^{t_{2}}}^{*}$ be a primitive $m_{2}{\rm th}$ root of unity. Then $(238,455)$ is a collision for $m_{2}$ . Clearly, $\omega_{1}=1$ and $\omega_{2}=0$ . Then $m_{1}=m_{2}/7=1057$ must be a good number, which is $<m_{2}$ .

5 Conclusion

In this paper, we characterized the good numbers in ${\cal M}_{2}$ and showed two implications between good numbers in ${\cal M}_{2}$ . In particular, the second implication requires an additional condition. It is an interesting problem to remove the condition.

Data Availability Statement The data underlying this article are available in the article.

Funding Natural Science Foundation of Shanghai (21ZR1443000); Singapore Ministry of Education under Research Grant RG12/19

Acknowledgments The authors would like to thank the anonymous reviewers for their helpful suggestions.

References

[1] Katz, J. and Trevisan, L. (2000) On the efficiency of local decoding procedures for error-correcting codes. In Yao, F. and Luks, E. M. (eds) Proc. 32nd Annual ACM SIGACT Symposium on Theory of Computing, STOC 2000, Portland, OR, USA, May 21-23, 2000, pp. 80–86. ACM.
[2] Gasarch, W. (2004) A survey on private information retrieval. Bulletin of the EATCS, 82, 72–107.
[3] Trevisan, L. (2004) Some applications of coding theory in computational complexity. Electron. Colloquium Comput. Complex., 11, No. 043.
[4] Goldreich, O., Karloff, H.J., Schulman, L.J. and Trevisan, L. (2006) Lower bounds for linear locally decodable codes and private information retrieval. Comput. Complex., 15, 263–296.
[5] Woodruff, D.P. (2007) New lower bounds for general locally decodable codes. Electron. Colloquium Comput. Complex., 14, No. 006.
[6] Yekhanin, S. (2008) Towards 3-query locally decodable codes of subexponential length. J. ACM, 55, 1:1–1:16.
[7] Efremenko, K. (2012) 3-query locally decodable codes of subexponential length. SIAM J. Comput., 41, 1694–1703.
[8] Dvir, Z., Gopalan, P. and Yekhanin, S. (2011) Matching vector codes. SIAM J. Comput., 40, 1154–1178.
[9] Itoh, T. and Suzuki, Y. (2010) Improved constructions for query-efficient locally decodable codes of subexponential length. IEICE Trans. Inf. Syst., E93–D, 263–270.
[10] Chee, Y.M., Feng, T., Ling, S., Wang, H. and Zhang, L.F. (2013) Query-efficient locally decodable codes of subexponential length. Comput. Complex., 22, 159–189.
[11] Grolmusz, V. (2000) Superpolynomial size set-systems with restricted intersections mod 6 and explicit Ramsey graphs. Combinatorica, 20, 71–86.