Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups
Jean-Charles Faugère, Ayoub Otmani, Ludovic Perret, Frédéric de Portzamparc, Jean-Pierre Tillich
Jean-Charles Faugère †∗‡, Ayoub Otmani §, Ludovic Perret ∗†‡, Frédéric de Portzamparc ∗†‡‖ and Jean-Pierre Tillich ¶
∗ Sorbonne Universités, UPMC Univ Paris 06, POLSYS, UMR 7606, LIP6, F-75005, Paris, [email protected]
† INRIA, Paris-Rocquencourt Center, [email protected]
‡ CNRS, UMR 7606, LIP6, F-75005, Paris, France
§ Normandie Univ, France; UR, LITIS, F-76821 Mont-Saint-Aignan, [email protected]
¶ INRIA, Paris-Rocquencourt Center, [email protected]
‖ Gemalto, 6 rue de la Verrerie 92190, Meudon, [email protected]
Abstract
The main practical limitation of the McEliece public-key encryption scheme is probably the size of its key. A famous trend to overcome this issue is to focus on subclasses of alternant/Goppa codes with a non-trivial automorphism group. Such codes then display symmetries allowing compact parity-check or generator matrices. For instance, a key reduction is obtained by taking quasi-cyclic (QC) or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such symmetric alternant/Goppa codes in cryptography introduces a fundamental weakness. It is indeed possible to reduce the key-recovery on the original symmetric public code to the key-recovery on a (much) smaller code that no longer has symmetries. This result is obtained thanks to a new operation on codes called folding that exploits the knowledge of the automorphism group. This operation consists in adding the coordinates of codewords which belong to the same orbit under the action of the automorphism group. The advantage is twofold: the reduction factor can be as large as the size of the orbits, and it preserves a fundamental property: folding the dual of an alternant (resp. Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point is to show that all the existing constructions of alternant/Goppa codes with symmetries follow a common principle of taking codes whose support is globally invariant under the action of affine transformations (by building upon prior works of T. Berger and A. Dür). This enables not only to present a unified view but also to generalize the construction of QC, QD and even quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to boost up any key-recovery attack on McEliece systems based on symmetric alternant or Goppa codes, and in particular algebraic attacks.

I. INTRODUCTION
Some significant research efforts have been put recently in code-based cryptography to reduce by a large factor the public key sizes. This has resulted in keys which are now only a few times larger than RSA keys (see [1], [2] for instance). This is obtained by focusing on codes having symmetries, that is to say, codes having a non-trivial automorphism group. Such codes have the advantage of admitting a compact parity-check or generator matrix [3], [4], [5], [1], [6]. Quasi-cyclic (QC) codes represent a good example of the use of symmetries in cryptography to build public-key encryption schemes with short keys [3], [4]. It was then followed by a series of papers proposing alternant and Goppa codes with different automorphism groups like quasi-dyadic (QD) Goppa or Srivastava codes [5], [6] and quasi-monoidic (QM) codes [1]. The rationale behind this is the fact that the additional structure does not deteriorate the security of the cryptographic scheme. This hope was eroded by the appearance of specific attacks [7], [8] and algebraic attacks [9], [10], [11] against QC/QD alternant/Goppa codes. Despite these preliminary warning signals, the design of compact McEliece schemes remains a rather popular topic of research, e.g. [12], [1], [6], [13], [14]. Besides these cryptographic motivations, the search for Goppa codes, and more generally alternant cod, with non-trivial automorphisms is in itself an important issue in coding theory. Several papers focused on the problem of constructing quasi-cyclic Goppa codes [15], [16], or identifying alternant and Goppa codes invariant under a given permutation [17], [18], [19].

(Footnote) A preliminary version of this paper will be presented at ISIT'14 under the title "Structural Weakness of Compact Variants of the McEliece Cryptosystem".

Main Results
All the constructions of symmetric alternant/Goppa codes presented in previous works might look at first glance unrelated, like ad hoc constructions designed for a very specific goal. In [5] symmetric QD Goppa codes are constructed by using the narrower class of separable Goppa codes, which have all their roots of multiplicity one in the field over which the coefficients of the Goppa polynomial are taken, and by choosing these roots in an appropriate manner; the same approach is followed to obtain more general QM Goppa codes in [1], whereas in [4] the authors rely on the larger class of alternant codes to obtain a large enough family of QC codes in a McEliece-like scheme. Building upon the work of [20], [19], [18], we show in this paper that all the QC, QD and QM alternant/Goppa codes which are constructed in [4], [5], [1] actually rely on a common principle (Proposition 3). They are all equipped with non-trivial automorphism groups that involve some affine transformations leaving their support globally invariant. This property imposes on the non-zero scalars defining the alternant codes the constraint of being built from a root of unity. In the case of Goppa codes, this constraint is translated into a functional equation of the form $\alpha\,\Gamma(az+b) = \Gamma(z)$ that the Goppa polynomial $\Gamma(z)$ has to satisfy, where $\alpha$ is a root of unity and $a, b$ belong to the underlying finite field on which the support is defined. We fully characterize polynomials satisfying such an equation in Proposition 4. This enables not only to present a unified view but also to generalize the construction of QC, QD and QM Goppa codes (Proposition 5). In particular, there is no need to use separable polynomials as in [5] to get QD Goppa codes.
Notice that this will also show that it is in principle not compulsory to take the larger family of alternant codes instead of Goppa codes as in [4] to obtain a large enough family of QC codes in a McEliece scheme: in fact there is nothing special about QD Goppa codes compared to QC Goppa codes, because there are roughly as many QD Goppa codes as there are QC Goppa codes (for the same size of automorphism group) with our way of constructing them.

The major contribution of our paper is to prove that alternant and Goppa codes with symmetries can be seen as an inflated version of a smaller alternant code without symmetries. We call the latter a folded code because we show that it can be obtained easily by adding the coordinates which belong to the same orbit under the action of a permutation of the automorphism group. More importantly, we can also express precisely the relationship between the supports and the non-zero scalars defining the alternant/Goppa codes with symmetries and their associated folded codes. These links are so explicit for the non-zero scalars that knowing those of the folded code is sufficient for knowing those of the original symmetric alternant/Goppa codes. These results have an important impact in cryptography. First, the length and the dimension of the folded code are generally divided by the cardinality of the automorphism group. It means in particular that the use of compact alternant/Goppa codes introduces a fundamental weakness: decreasing the size of the public key as in [4], [5], [1] necessarily implies a deterioration of the security. Furthermore, since the non-zero scalars of the folded code bear crucial information, it then allows, in the context of algebraic attacks as proposed in [9], [10], [21], to reduce a key-recovery attack on the original public code to one on a smaller code, that is to say with fewer variables in the polynomial system.
For instance, we can reduce the key-recovery of a quasi-dyadic Goppa code of length and dimension to the key-recovery on a Goppa code of length and dimension. Interestingly enough, the folded code, if used in a McEliece-like encryption scheme, would have the same key size as the original scheme but without symmetries. In other words, the very reason which allowed to reduce the key size in [4], [5], [1], [13] can be used to derive a reduced McEliece scheme whose key-recovery hardness and key size are equivalent to the original system.
Comparison with “Structural Cryptanalysis of McEliece Schemes with Compact Keys” [21]
This paper is a companion paper of [21], which has been submitted separately. In [21], we mainly focused on the cryptanalysis of QM Goppa codes. That is, in [21] we developed new algebraic tools for solving the algebraic systems arising in the cryptanalysis of QM Goppa codes, reported various experimental results and in addition proved partial results on folded QM Goppa codes. In this submission, we present a much deeper and more systematic treatment of the folding process. In [21], the folding was performed directly over QM Goppa codes and it was proved there that it results in a subcode of a Goppa code of reduced length. Using a slightly different approach (by considering the dual of the codes), we obtain here a much stronger result which holds in a more general setting. Namely, we prove that if we perform folding on the dual of QC, QD or QM affine-induced Goppa/alternant codes (this applies for instance to all the codes constructed in [4], [5], [13], [1]) we obtain a reduced dual Goppa or alternant code where the reduction factor can be as large as the size of the cyclic or monoidic blocks of a symmetric parity-check matrix attached to these codes. Folding preserves here the structure of the dual code: if we start with the dual of an alternant code we end up with the dual of an alternant code, and if we start with the dual of a Goppa code we end up with the dual of a Goppa code.

II. ALTERNANT AND GOPPA CODES
In this section we introduce notation which is used in the whole paper and recall a few well known facts about alternant and Goppa codes. Throughout the paper, the finite field of $q$ elements, with $q$ a power of a prime number $p$, is denoted by $\mathbb{F}_q$. Vectors are denoted by bold letters like $\mathbf{x}$ and the notation $\mathbf{x} = (x_i)_{i}$

Let $q$ be a prime power and $k$, $n$ be integers such that $k$

Keeping the notation of Definition 1, there exists a vector $\mathbf{z} \in \mathbb{F}_q^n$ such that $\mathrm{GRS}_k(\mathbf{x}, \mathbf{y})^\perp = \mathrm{GRS}_{n-k}(\mathbf{x}, \mathbf{z})$. This leads to the definition of alternant codes.

Definition 2 (Alternant code, degree, support, multiplier) Let $\mathbf{x}, \mathbf{y} \in \mathbb{F}_{q^m}^n$ be two vectors such that the entries of $\mathbf{x}$ are pairwise distinct and those of $\mathbf{y}$ are all nonzero, and let $r$ and $m$ be positive integers. The alternant code $\mathcal{A}_r(\mathbf{x}, \mathbf{y})$ defined over $\mathbb{F}_q$ is the subfield subcode over $\mathbb{F}_q$ of $\mathrm{GRS}_r(\mathbf{x}, \mathbf{y})^\perp \subset \mathbb{F}_{q^m}^n$:
$$\mathcal{A}_r(\mathbf{x}, \mathbf{y}) \stackrel{\text{def}}{=} \mathrm{GRS}_r(\mathbf{x}, \mathbf{y})^\perp \cap \mathbb{F}_q^n.$$
The integer $r$ is the degree of the alternant code, $\mathbf{x}$ is a support and $\mathbf{y}$ is a multiplier of the alternant code.

The dual of a subfield subcode is known to be a trace code [23]. From this it follows that

Lemma 1 The dual $\mathcal{A}_r(\mathbf{x}, \mathbf{y})^\perp$ of the alternant code $\mathcal{A}_r(\mathbf{x}, \mathbf{y})$ of degree $r$ and extension $m$ over $\mathbb{F}_q$ is given by:
$$\mathcal{A}_r(\mathbf{x}, \mathbf{y})^\perp = \mathrm{Tr}\big(\mathrm{GRS}_r(\mathbf{x}, \mathbf{y})\big) = \Big\{ \big(\mathrm{Tr}(c_0), \ldots, \mathrm{Tr}(c_{n-1})\big) \;\Big|\; (c_0, \ldots, c_{n-1}) \in \mathrm{GRS}_r(\mathbf{x}, \mathbf{y}) \Big\}$$
where $\mathrm{Tr}$ is the trace map from $\mathbb{F}_{q^m}$ to $\mathbb{F}_q$ defined by $\mathrm{Tr}(z) = z + z^q + \cdots + z^{q^{m-1}}$.

Let us remark that an alternant code has many equivalent descriptions, as shown by the following proposition whose proof can be found in [22, Chap. 10, p. 305].

Proposition 2 For all $a \in \mathbb{F}_{q^m} \setminus \{0\}$, $b \in \mathbb{F}_{q^m}$, and $c \in \mathbb{F}_{q^m} \setminus \{0\}$, it holds that:
$$\mathcal{A}_r(\mathbf{x}, \mathbf{y}) = \mathcal{A}_r(a\mathbf{x} + b, c\mathbf{y}).$$

We now introduce Goppa codes, which form an important subfamily of alternant codes.

Definition 3 (Classical Goppa codes) Let $\mathbf{x} = (x_0, \ldots, x_{n-1})$ be an $n$-tuple of distinct elements of $\mathbb{F}_{q^m}$ and choose $\Gamma(z) \in \mathbb{F}_{q^m}[z]$ of degree $r$ such that $\Gamma(x_i) \neq 0$ for all $i \in \{0, \ldots, n-1\}$. The Goppa code $\mathcal{G}(\mathbf{x}, \Gamma)$ of degree $r$ over $\mathbb{F}_q$ associated to $\Gamma(z)$ is the alternant code $\mathcal{A}_r(\mathbf{x}, \mathbf{y})$ with $y_i = \frac{1}{\Gamma(x_i)}$. $\Gamma(z)$ is called the Goppa polynomial and $\mathbf{x}$ is the support of the Goppa code.

III. CONSTRUCTION OF SYMMETRIC ALTERNANT AND GOPPA CODES

The purpose of this section is to recall how quasi-cyclic (QC), quasi-dyadic (QD) and quasi-monoidic (QM) alternant/Goppa codes [5], [13], [1], and more generally any symmetric alternant/Goppa code, can be constructed from a common principle which stems from Dür's work in [20] about the automorphism group of (generalized) Reed-Solomon codes. This has been applied and developed in [19], [18] to construct large families of symmetric alternant or Goppa codes. It should be emphasized that this way of constructing symmetric Goppa codes is more general than the constructions proposed for QD or QM Goppa codes in a cryptographic context by [5], [13], [1]. In particular, it is required in [5], [13], [1] to choose Goppa codes with a separable Goppa polynomial. We will prove in the following that this constraint is unnecessary.

In order to recall these results we need a few definitions. An automorphism of a code of length $n$ defined over $\mathbb{F}_q$ is an isometry of the Hamming space $\mathbb{F}_q^n$, i.e. a linear transform of $\mathbb{F}_q^n$ which both preserves the Hamming weight and leaves the code globally invariant. A well-known fact about such isometries is that they consist of permutations and/or non-zero multiplications of the coordinates. In this paper, we will be interested only in isometries that are permutations. This action is denoted, given a permutation $\sigma$ of the symmetric group on $\{0, \ldots, n-1\}$ and a vector $\mathbf{x} = (x_0, \ldots, x_{n-1})$, by $\mathbf{x}^\sigma \stackrel{\text{def}}{=} (x_{\sigma(0)}, \ldots, x_{\sigma(n-1)})$. For a code $\mathcal{C}$ and a permutation $\sigma$, we define:
$$\mathcal{C}^\sigma \stackrel{\text{def}}{=} \{ \mathbf{c}^\sigma \mid \mathbf{c} \in \mathcal{C} \}.$$
A permutation automorphism of $\mathcal{C}$ is then any permutation $\sigma$ such that $\mathbf{c}^\sigma$ is in $\mathcal{C}$ whenever $\mathbf{c}$ belongs to $\mathcal{C}$. Symmetric codes are then codes with a non-trivial automorphism group.

We have seen in Proposition 2 that alternant codes may have several identical descriptions thanks to affine transformations. Actually, symmetric Goppa codes and alternant codes can easily be constructed by looking at the action of the projective semi-linear group on the support of these codes, as shown in [19], [18]. By projective semi-linear group, we mean here transformations of the form:
$$\mathbb{F}_{q^m} \cup \{\infty\} \to \mathbb{F}_{q^m} \cup \{\infty\}, \qquad z \mapsto \frac{a z^{q^i} + b}{c z^{q^i} + d}.$$
Basically, when the support of the alternant code is invariant by the action of such a transformation and under a certain condition on the multiplier, it turns out that such a transformation induces a permutation automorphism of the alternant code. However, this action on the support may transform a coordinate of the support into $\infty$, and a slightly more general definition of generalized Reed-Solomon codes and of alternant codes is required to cope with this issue. This is why A. Dür introduced Cauchy codes in [20], which are in essence a further generalization of generalized Reed-Solomon codes. This construction allows to have $\infty$ in its support. To avoid such a technicality (and also to simplify some of the statements and propositions obtained here) we will only consider the subgroup of affine transformations of the projective semi-linear group. It should be noted however that this simplification permits to cover all the constructions of symmetric alternant or Goppa codes used in a cryptographic context [4], [5], [13], [1], [6] and in some cases even to generalize them. Namely, we will deal with the following cases:

Definition 4 Let $\mathcal{C}$ be an alternant or Goppa code defined over a field $\mathbb{F}$ of length $n$, with an automorphism group $G$.
Given a nonnegative integer $\lambda \leq n$, we say that $\mathcal{C}$ is:
• Quasi-Cyclic (QC) if $G$ is of the form $\mathbb{Z}/\lambda\mathbb{Z}$,
• Quasi-Dyadic (QD) if $\mathrm{char}(\mathbb{F}) = 2$ and $G$ is of the form $(\mathbb{Z}/2\mathbb{Z})^\lambda$,
• Quasi-Monoidic (QM) if $G$ is of the form $(\mathbb{Z}/p\mathbb{Z})^\lambda$ with $p = \mathrm{char}(\mathbb{F}) > 2$.

Let us now reformulate some corollaries of the results obtained in [19], [18] in this particular case. The symmetric alternant or Goppa codes that will be obtained here correspond to permutation automorphisms of alternant or Goppa codes based on the action of affine maps $x \mapsto ax + b$ on the support $(x_0, x_1, \ldots, x_{n-1})$ of the Goppa code or the alternant code. If this support is globally invariant by this affine map (and $a$ is not equal to $0$), then this induces a permutation $\sigma$ of the code positions $\{0, 1, \ldots, n-1\}$ by defining $\sigma(i)$ as the unique integer in $\{0, 1, \ldots, n-1\}$ such that $x_{\sigma(i)} = ax_i + b$. In such a case, we say that $\sigma$ is the permutation induced by the affine map $x \mapsto ax + b$. Restricting Theorem 1 of [18] to affine transformations immediately yields

Proposition 3 Let $a \neq 0$ and $b$ be elements of $\mathbb{F}_{q^m}$. Let $\mathbf{x} \in \mathbb{F}_{q^m}^n$ be a support which is globally invariant by the affine map $x \mapsto ax + b$. Let $\sigma$ be the permutation of $\mathcal{S}_n$ induced by this affine map. Let $\ell$ be the order of $\sigma$. Assume that $\mathbf{y} \in (\mathbb{F}_{q^m})^n$ is an $n$-tuple of nonzero elements such that there exists $\alpha \in \mathbb{F}_{q^m}$, an $\ell$-th root of unity, with $y_{\sigma(i)} = \alpha y_i$ for all $i \in \{0, 1, \ldots, n-1\}$. Then $\sigma$ is a permutation automorphism of the alternant code $\mathcal{A}_t(\mathbf{x}, \mathbf{y})$ for any degree $t > 0$.

If we want to obtain Goppa codes, we can apply this result and we just have to check that the conditions on the support $x_{\sigma(i)} = ax_i + b$ and on the multiplier $y_{\sigma(i)} = \alpha y_i$ are compatible with the definition of the Goppa code, namely $y_i = \frac{1}{\Gamma(x_i)}$ where $\Gamma(x)$ is the Goppa polynomial. These considerations immediately yield the following corollary of Proposition 3.

Corollary 1 Let $a \neq 0$ and $b$ be elements of $\mathbb{F}_{q^m}$ with $b \neq 0$ when $a = 1$.
Let $\mathbf{x} \in \mathbb{F}_{q^m}^n$ be a support which is globally invariant by the affine map $x \mapsto ax + b$. Let $\sigma$ be the permutation of $\mathcal{S}_n$ induced by this affine map and let $\ell$ be its order. Assume that there exists a polynomial $\Gamma(z)$ and an $\ell$-th root of unity $\alpha$ in $\mathbb{F}_{q^m}$ such that
$$\Gamma(az + b) = \alpha\,\Gamma(z). \qquad (1)$$
In such a case, $\sigma$ is a permutation automorphism of the Goppa code $\mathcal{G}(\mathbf{x}, \Gamma)$.

This proposition allows to obtain easily Goppa codes or alternant codes with a non-trivial automorphism group that is cyclic.

Remark 1 One might wonder whether it is possible to characterize polynomials which satisfy Equation (1). In [19, Theorem 4] a slightly more general polynomial equation is considered, namely $\Gamma(az^{q^s} + b) = \alpha\,\Gamma(z)^{q^s}$. It is the particular case $s = m$ of Theorem 4 of [19] which is of interest to us here. However, since it deals with the classification of cyclic alternant codes (there is therefore a restriction on the order compared to the length which trivializes the solutions of this problem in many cases which are of interest to us), and since for further purposes it will be convenient for us to remove the assumption that $\Gamma(z)$ has no roots in $\{x_0, \ldots, x_{n-1}\}$, which is done implicitly in Theorem 4 (and also in Lemma 2 of [19] that is used to prove Theorem 4), we cannot use it directly in our case. The characterization of the solution set of (1) we will use is the following.

Proposition 4 Let $\mathbb{F}$ be a field of finite characteristic $p$ and let $a, b, \alpha$ be elements of $\mathbb{F}$ such that (i) $a \neq 0$ and (ii) $b \neq 0$ when $a = 1$. All the polynomials $\Gamma(z) \in \mathbb{F}[z]$ satisfying $\Gamma(az + b) = \alpha\,\Gamma(z)$ have the following form:
• If $a = 1$ then necessarily $\alpha = 1$, $\ell = p$ and $\Gamma(z)$ is any polynomial in $\mathbb{F}[z]$ of degree a multiple of $p$ which is of the form $\Gamma(z) = P(z^p - b^{p-1} z)$.
• If $a \neq 1$ then there exists a unique integer $d$ in the range $[0, \ldots, \ell - 1]$ such that $\alpha = a^d$ and, if we denote by $z_0$ the unique fixed point of the affine map $z \mapsto az + b$, we have that $\Gamma(z)$ is any polynomial in $\mathbb{F}[z]$ of degree equal to $d$ modulo $\ell$ which is of the form $(z - z_0)^d P\big((z - z_0)^\ell\big)$.

The proof of this proposition can be found in Appendix A. By taking polynomials $P$ in this proposition which are such that the resulting $\Gamma(z)$ has no zeros in the support $(x_0, \ldots, x_{n-1})$ we obtain Goppa codes with a cyclic permutation automorphism group. To obtain automorphism groups which are isomorphic to $(\mathbb{Z}/p\mathbb{Z})^\lambda$, for some $\lambda > 1$, we need a slightly more general statement, which is the following:

Proposition 5 Let $p \stackrel{\text{def}}{=} \mathrm{char}(\mathbb{F}_{q^m})$. Let $\alpha_0, \ldots, \alpha_{\lambda-1} \in \mathbb{F}_{q^m}$ be a set of $\lambda$ elements which are $\mathbb{F}_p$-independent over $\mathbb{F}_{q^m}$. Let $G$ be the group of order $p^\lambda$ generated by the $\alpha_i$'s. Consider a support $\mathbf{x} \stackrel{\text{def}}{=} (x_0, \ldots, x_{n-1})$ which is globally invariant by all the affine transformations $z \mapsto z + \alpha_i$, and assume that the multiplier $\mathbf{y} \stackrel{\text{def}}{=} (y_0, y_1, \ldots, y_{n-1})$ is constant on the cosets of $G$, meaning that $y_i = y_j$ iff $x_i - x_j \in G$. Then $\mathcal{A}_r(\mathbf{x}, \mathbf{y})$ is an alternant code with a permutation automorphism group isomorphic to $(\mathbb{Z}/p\mathbb{Z})^\lambda$ for any degree $r$. Let $P(z) \stackrel{\text{def}}{=} \prod_{g \in G}(z - g)$; then any polynomial $\Gamma(z)$ of the form $\Gamma(z) = Q(P(z))$, where $Q$ is a polynomial in $\mathbb{F}_{q^m}[z]$, gives a Goppa code $\mathcal{G}(\mathbf{x}, \Gamma(z))$ of degree $p^\lambda \deg Q$ with an automorphism group isomorphic to $(\mathbb{Z}/p\mathbb{Z})^\lambda$.

Proof: All the shifts $z \mapsto z + \alpha_i$ give rise to a permutation automorphism of the alternant code by Proposition 3, and they generate a group of order $p^\lambda$ from the independence assumption on the $\alpha_i$'s. The statement about Goppa codes follows by observing that the polynomial $\Gamma(z) = Q\big(\prod_{g \in G}(z - g)\big)$ is invariant by all the shifts $z \mapsto z + \alpha_i$ and by using Corollary 1.

Remark 2 A support $(x_0, \ldots, x_{n-1})$ satisfying the conditions of Proposition 5 is easily obtained by taking unions of cosets of $G$, and a QD or a QM Goppa code is obtained by arranging the support as follows. We define $\mathbf{x} = (x_i)_i$

The key ingredient which allows to reduce to smaller alternant codes or Goppa codes when these are either quasi-monoidic or quasi-cyclic is a fundamental result on the form taken by polynomials which are invariant by an affine map. These polynomials will arise as sums of the form:
$$Q(z) \stackrel{\text{def}}{=} \sum_{i=0}^{\ell-1} \alpha^i P(\sigma^i(z)) \qquad (3)$$
where $P$ is a polynomial, $\sigma$ an affine map of order $\ell$ and $\alpha$ an $\ell$-th root of unity. Such polynomial sums clearly satisfy polynomial Equation (1), since:
$$Q(\sigma(z)) = \sum_{i=0}^{\ell-1} \alpha^i P(\sigma^{i+1}(z)) = \frac{1}{\alpha}\sum_{i=0}^{\ell-1} \alpha^{i+1} P(\sigma^{i+1}(z)) = \frac{1}{\alpha}\sum_{i=0}^{\ell-1} \alpha^i P(\sigma^i(z)) = \frac{1}{\alpha}\, Q(z).$$
Proposition 4 characterizes all solutions of the polynomial Equation (1). Conversely, and this will be crucial in our context, it turns out that all these solutions are of the form (3). To formalize this point, we introduce the following notation.

Notation 1 Let $\mathcal{I}^{\sigma,\alpha}_t[z] \subseteq \mathbb{F}_t[z]$ be the set of polynomials of degree $t$ which satisfy (1), i.e. which satisfy $P(\sigma(z)) = \alpha P(z)$. When $\alpha = 1$ we will simply write $\mathcal{I}^\sigma_t[z]$. Finally, when $t < 0$ we adopt the convention that $\mathcal{I}_t[z] = \mathcal{I}^{\sigma,\alpha}_t[z] = \{0\}$.

We will first consider the case when $\alpha = 1$ and $\sigma(x) = x + b$.

Lemma 2 Let $\mathbb{F}$ be a field of characteristic $p$. Let $b$ be a nonzero element of $\mathbb{F}$ and denote by $\sigma$ the shift $\sigma : x \mapsto x + b$. Denote by $S$ the mapping defined by:
$$S : \mathbb{F}[z] \to \mathbb{F}[z], \qquad P(z) \mapsto \sum_{i=0}^{p-1} P(\sigma^i(z)).$$
We have for every nonnegative integer $t$:
$$S(\mathbb{F}_t[z]) = \mathcal{I}^\sigma_{\lfloor \frac{t-p+1}{p} \rfloor p}[z] = \Big\{ P(z^p - b^{p-1} z) \;\Big|\; \deg P \leq \Big\lfloor \frac{t-p+1}{p} \Big\rfloor \Big\} \qquad (4)$$
The proof of this lemma can be found in Appendix B. A similar result holds for affine maps of the form $\sigma(x) = ax + b$ where $a \neq 1$.

Lemma 3 Let $\mathbb{F}$ be a finite field.
Let $a$ be an element of order $\ell \neq 1$ in $\mathbb{F}$, $b$ be an arbitrary element of $\mathbb{F}$, $\sigma$ be the affine map $x \mapsto ax + b$, $d$ be an integer in the range $[0, \ldots, \ell - 1]$ and let $\alpha \stackrel{\text{def}}{=} a^d$. We define $S$ by
$$S : \mathbb{F}[z] \to \mathbb{F}[z], \qquad P(z) \mapsto \sum_{i=0}^{\ell-1} \alpha^i P(\sigma^i(z)).$$
If we denote by $z_0$ the unique fixed point of $\sigma$, we have:
$$S(\mathbb{F}_t[z]) = \mathcal{I}^{\sigma,\alpha}_t[z] \qquad (5)$$
$$= \Big\{ (z - z_0)^d P\big((z - z_0)^\ell\big) \;\Big|\; \deg P \leq \Big\lfloor \frac{t - \ell + d}{\ell} \Big\rfloor \Big\}, \qquad (6)$$
The proof of this lemma can be found in Subsection C of the appendix.

V. REDUCING TO A SMALLER ALTERNANT OR GOPPA CODE

A. Folded codes

Alternant codes, and Goppa codes in particular, with a certain non-trivial automorphism group (as considered in Proposition 3) meet a very peculiar property. Namely, it is possible to derive a new alternant code (or a Goppa code) with smaller parameters by simply summing up the coordinates. To define this new code more precisely, we introduce the following operator.

Definition 5 (Folded code) Let $\mathcal{C}$ be a code and $G$ be a subgroup of permutations of the set of code positions of $\mathcal{C}$. For each orbit $G(i) \stackrel{\text{def}}{=} \{\sigma(i) : \sigma \in G\}$ we choose one representative (for instance the smallest one). Let $i_0, i_1, \ldots, i_{s-1}$ be the set of these representatives. The folded code of $\mathcal{C}$ with respect to $G$, denoted by $\mathcal{C}^G$, is a code of length $s$ which is given by the set of words
$$\mathbf{c}^G \stackrel{\text{def}}{=} \Big( \sum_{\sigma \in G} c_{\sigma(i_j)} \Big)_{0 \leq j \leq s-1},$$
where $\mathbf{c}$ ranges over $\mathcal{C}$. When $G$ is generated by a single element $\sigma$, that is $G = \langle \sigma \rangle$, we will simply write $\mathcal{C}^\sigma$ instead of $\mathcal{C}^{\langle\sigma\rangle}$ and $\mathbf{c}^\sigma$ instead of $\mathbf{c}^{\langle\sigma\rangle}$.

This folded code is related to constructions which were considered in the framework of decoding codes with a non-trivial automorphism group [24], [25]. The approach there was to consider, for a code $\mathcal{C}$ with a non-trivial permutation automorphism $\sigma$ of order $\ell$ (which was supposed to be of order $\ell = 2$ in [24], [25], but their approach generalizes easily to other orders), the $\sigma$-subcode $\widetilde{\mathcal{C}}^\sigma$ obtained as follows:
$$\widetilde{\mathcal{C}}^\sigma \stackrel{\text{def}}{=} \Big\{ \mathbf{c} + \mathbf{c}^\sigma + \cdots + \mathbf{c}^{\sigma^{\ell-1}} \;\Big|\; \mathbf{c} \in \mathcal{C} \Big\}.$$
If we denote by $\widetilde{\mathbf{c}}^\sigma \stackrel{\text{def}}{=} \mathbf{c} + \mathbf{c}^\sigma + \cdots + \mathbf{c}^{\sigma^{\ell-1}}$, then it turns out that $\widetilde{\mathbf{c}}^\sigma$ takes on a constant value on the orbit $i, \sigma(i), \sigma^2(i), \ldots$ of any code position $i$, which is precisely the term $\sum_{t=0}^{\ell-1} c_{\sigma^t(i)}$ that appears in the definition of the folded code. Stated differently, the words of $\widetilde{\mathcal{C}}^\sigma$ are nothing but the words of $\mathcal{C}^\sigma$ where each code coordinate $\bar{c}^\sigma_i$ of the latter code is repeated as many times as the size of the orbit of $i$ under $\sigma$. These two codes have therefore the same dimension, but their lengths are different: the first one has the same length as $\mathcal{C}$, whereas the latter has length $s$ (the number of orbits under $\sigma$).

The point of considering such a code for decoding $\mathcal{C}$ lies in the fact that $\widetilde{\mathcal{C}}^\sigma$ is a subcode of $\mathcal{C}$ which is typically of much smaller dimension than $\mathcal{C}$. Under mild assumptions, it can be shown that the dimension gets reduced by the order of $\sigma$. More precisely:

Proposition 6 Let $\mathcal{C}$ be a code of length $n$ that has a permutation automorphism group $G$ of size $\ell$ and a generator matrix $\mathbf{G}$ such that if $\mathbf{g}_i$ is a row of $\mathbf{G}$ then $\mathbf{g}_i^\sigma$ is also a row of $\mathbf{G}$ for any $\sigma \in G$. Denote by $\{\mathbf{g}_0, \ldots, \mathbf{g}_{k-1}\}$ the set of rows of $\mathbf{G}$. Consider the group action of $G$ on the set $\{\mathbf{g}_0, \ldots, \mathbf{g}_{k-1}\}$ of rows of $\mathbf{G}$, where $\sigma$ acts on $\mathbf{g}_j$ as $\mathbf{g}_j \mapsto \mathbf{g}_j^\sigma$ for $\sigma \in G$. Assume that the size of each orbit is equal to $\ell$. Then the dimension of $\widetilde{\mathcal{C}}^G$ is equal to $\frac{\dim(\mathcal{C})}{\ell}$. This is also the dimension of $\mathcal{C}^G$, and the length of this code is equal to $\frac{n}{\ell}$.

Proof: This follows at once from the fact that $\widetilde{\mathcal{C}}^G$ is generated by the set of $\widetilde{\mathbf{g}}_i^G \stackrel{\text{def}}{=} \sum_{\sigma \in G} \mathbf{g}_i^\sigma$, where the $\mathbf{g}_i$'s are representatives of each orbit of $G$ acting on $\{\mathbf{g}_0, \ldots, \mathbf{g}_{k-1}\}$. These vectors are clearly independent and there are $\frac{\dim(\mathcal{C})}{\ell}$ such representatives. This implies that the dimension of $\widetilde{\mathcal{C}}^G$ is equal to $\frac{\dim(\mathcal{C})}{\ell}$. This is also clearly the dimension of $\mathcal{C}^G$, and the length of the latter code is equal to $\frac{n}{\ell}$.
Remark 3 A generator matrix of this form is precisely what is achieved by all the constructions of monoidic alternant/Goppa/Srivastava codes proposed in [4], [5], [1], [13], [6].

This can be used to decode a word $\mathbf{y}$ by decoding instead $\widetilde{\mathbf{y}}^\sigma$ in $\widetilde{\mathcal{C}}^\sigma$. The point is that this decoding can be less complex to perform than decoding $\mathbf{y}$ directly, and that the result of the decoding can be useful to solve the original decoding problem, see [25].

B. Folding alternant codes with respect to a cyclic group

If we consider the monoidic alternant or Goppa codes constructed in [4], [5], [1], [13], they typically have length of the form $n = n_0 \ell$, degree of the form $r = r_0 \ell$ and dimension of the form $k = n - rm = \ell(n_0 - r_0 m)$, where $m$ is the extension degree of the alternant/Goppa code and $\ell$ is the size of the automorphism group of the code. The automorphism group of these codes satisfies the assumptions of Proposition 6, and therefore the folded code has length $n_0$ and dimension $n_0 - r_0 m$. This could suggest that these codes are alternant or Goppa codes of length $n_0$ and degree $r_0$. In all our experiments we have noticed that this was indeed the case. We have proved in [21] a slightly weaker result, namely that in the case of a Goppa code obtained from the constructions of [5], [1], [13], the folded code is included in a Goppa code of length $n_0$ and degree $r_0$. We will prove a significantly stronger result here, by considering instead the dual of these codes. It will turn out that the folded dual of those alternant or Goppa codes is the dual of an alternant or Goppa code, and this even if the degree is not of the form $r_0 \ell$. More precisely, we have:

Theorem 1 Consider an alternant code $\mathcal{A}_t(\mathbf{x}, \mathbf{y})$ over $\mathbb{F}_q$ of length $n$ with support $\mathbf{x} = (x_0, x_1, \ldots, x_{n-1}) \in \mathbb{F}_{q^m}^n$ and multiplier $\mathbf{y} \in \mathbb{F}_{q^m}^n$, with a non-trivial permutation automorphism group induced by the affine map $x \mapsto ax + b$, where $a, b \in \mathbb{F}_{q^m}$ are such that $a \neq 0$ and $b \neq 0$ when $a = 1$. Denote by $\sigma$ the permutation of $\mathcal{S}_n$ induced by this affine map.
Let $\ell$ be the order of $\sigma$. By definition of an affine-induced automorphism, there exists $\alpha \in \mathbb{F}_{q^m}$, an $\ell$-th root of unity, such that $y_{\sigma(i)} = \alpha y_i$ for all $i \in \{0, 1, \ldots, n-1\}$. We denote by $d$ the integer in $\{0, 1, \ldots, \ell-1\}$ verifying $\alpha = a^d$. Let us denote by $u$ the unique fixed point in $\mathbb{F}_{q^m} \cup \{\infty\}$ of this affine map. Moreover, we assume that $u \notin \{x_0, x_1, \ldots, x_{n-1}\}$. In such a case, the action of $\sigma$ on $\{0, 1, \ldots, n-1\}$ has $\frac{n}{\ell}$ orbits, each of them being of size $\ell$. Choose a representative $i_0, i_1, \ldots, i_{n/\ell - 1}$ in each of these orbits. There exist $\mathbf{y}' \in \mathbb{F}_{q^m}^{n/\ell}$ and an integer $r$ such that
$$\big(\mathcal{A}_t(\mathbf{x}, \mathbf{y})^\perp\big)^\sigma = \big(\mathcal{A}_r(\mathbf{x}', \mathbf{y}')\big)^\perp$$
with:
• when $a = 1$, then $r = \big\lfloor \frac{t-\ell}{\ell} \big\rfloor + 1$ and for all $j \in \{0, \ldots, n/\ell - 1\}$: $x'_j = x_{i_j}^\ell - b^{\ell-1} x_{i_j}$ and $y'_j = y_{i_j}$;
• and when $a \neq 1$, then $r = \big\lfloor \frac{t - \ell + d - 1}{\ell} \big\rfloor + 1$ and for all $j \in \{0, \ldots, n/\ell - 1\}$: $x'_j = (x_{i_j} - u)^\ell$ and $y'_j = y_{i_j}(x_{i_j} - u)^{\ell - d}$.

Proof: The case $a = 1$: remark first that the order $\ell$ of the permutation $\sigma$, which is the shift $x \mapsto x + b$ in this case, is necessarily the characteristic $p$ of $\mathbb{F}_{q^m}$. Since the order of the multiplicative group of $\mathbb{F}_{q^m}$, which is $q^m - 1$, is coprime with the characteristic of $\mathbb{F}_{q^m}$, it follows that $\alpha$ is necessarily equal to $1$ when $a = 1$. This implies that $\mathbf{y}$ is constant over each orbit $\{i, \sigma(i), \ldots, \sigma^{\ell-1}(i)\}$. From Lemma 1, the dual $\mathcal{C}$ of $\mathcal{A}_t(\mathbf{x}, \mathbf{y})$ is: $\mathcal{C} = \{ (\mathrm{Tr}(y_i P(x_i)))_{i}$

In essence, we have proved here that folding a GRS code with a non-trivial automorphism group obtained from affine transformations yields again a GRS code. Indeed, the dual of an alternant code is the trace of a GRS code. When we choose the extension degree to be equal to $1$, we really prove here that folding such a symmetric GRS code yields again a GRS code. Taking the trace preserves this property: the folding of a trace of a symmetric GRS code is again the trace of a GRS code.
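As an added numerical check of Theorem 1 (example code written for this page, not the paper's own), the following Python script builds the dual $\mathcal{A}_t(\mathbf{x}, \mathbf{y})^\perp = \mathrm{Tr}(\mathrm{GRS}_t(\mathbf{x}, \mathbf{y}))$ of a binary alternant code over $\mathbb{F}_{16}$ whose support is invariant under $z \mapsto az + b$, folds it along the orbits of $\sigma$ as in Definition 5, and verifies by a rank computation over $\mathbb{F}_2$ that the result is exactly $\mathrm{Tr}(\mathrm{GRS}_r(\mathbf{x}', \mathbf{y}'))$ with $\mathbf{x}'$, $\mathbf{y}'$ and $r$ as the theorem prescribes. The field representation ($g^4 + g + 1$), the constructed multiplier $y_{i_j} = g^{j+1}$ and the concrete parameters are assumptions of the example; the $a \neq 1$ branch is exercised with $1 \leq d < \ell$.

```python
M = 4                # extension degree m: q^m = 16 over q = 2, so the alternant code is binary
MOD_POLY = 0b10011   # g^4 + g + 1, irreducible over GF(2); field elements are the ints 0..15

def gf_mul(a, b):
    """Product of two GF(16) elements (carry-less multiply, reduced modulo MOD_POLY)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= MOD_POLY
    return r

def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

def trace(a):
    """Tr(a) = a + a^2 + a^4 + a^8, which lies in GF(2) = {0, 1}."""
    t, s = 0, a
    for _ in range(M):
        t ^= s
        s = gf_mul(s, s)
    return t

def trace_code_rows(x, y, t):
    """F_2-generators (bitmasks over positions) of Tr(GRS_t(x, y)) = A_t(x, y)^perp,
    namely the words (Tr(beta y_i x_i^k))_i for k < t and beta in the F_2-basis 1, g, g^2, g^3."""
    rows = []
    for k in range(t):
        for beta in (1, 2, 4, 8):
            bits = (trace(gf_mul(beta, gf_mul(yi, gf_pow(xi, k)))) for xi, yi in zip(x, y))
            rows.append(sum(bit << i for i, bit in enumerate(bits)))
    return rows

def rank2(rows):
    """Rank over GF(2) of a list of bitmask rows (xor basis keyed by leading bit)."""
    basis = {}
    for v in rows:
        while v:
            h = v.bit_length() - 1
            if h not in basis:
                basis[h] = v
                break
            v ^= basis[h]
    return len(basis)

def orbits(x, a, b):
    """Orbits on positions of the permutation sigma induced by z -> a z + b on the support x,
    each listed as i, sigma(i), sigma^2(i), ... starting from its smallest position i."""
    pos = {xi: i for i, xi in enumerate(x)}
    seen, orbs = set(), []
    for i in range(len(x)):
        if i in seen:
            continue
        orb, j = [], i
        while j not in seen:
            seen.add(j)
            orb.append(j)
            j = pos[gf_mul(a, x[j]) ^ b]  # position of a x_j + b (addition is xor in char 2)
        orbs.append(orb)
    return orbs

def fold(row, orbs):
    """Folded word: the sum over F_2 of the coordinates in each orbit, one bit per orbit."""
    return sum(1 << j for j, orb in enumerate(orbs) if sum((row >> i) & 1 for i in orb) % 2)

def check_theorem1(a, b, t, d=0):
    """Fold A_t(x, y)^perp, where sigma is induced by z -> a z + b and y_{sigma(i)} = alpha y_i
    with alpha = a^d, and compare with A_r(x', y')^perp of Theorem 1 (a != 1 needs 1 <= d < ell).
    Returns (n/ell, r, dimension of the folded code, whether the two codes coincide)."""
    u = None if a == 1 else gf_mul(b, gf_pow(1 ^ a, 14))  # fixed point b/(1-a); none for a shift
    x = [z for z in range(16) if z != u]                  # support: the field minus the fixed point
    orbs = orbits(x, a, b)
    ell = len(orbs[0])                                    # order of sigma
    alpha = gf_pow(a, d)
    y = [0] * len(x)
    for j, orb in enumerate(orbs):                        # y_{sigma^k(i_j)} = alpha^k y_{i_j}
        for k, i in enumerate(orb):
            y[i] = gf_mul(gf_pow(alpha, k), gf_pow(2, j + 1))  # constructed nonzero y_{i_j} = g^(j+1)
    folded = [fold(row, orbs) for row in trace_code_rows(x, y, t)]
    reps = [orb[0] for orb in orbs]
    if a == 1:   # x'_j = x^ell - b^(ell-1) x  and  y'_j = y
        r = (t - ell) // ell + 1
        x2 = [gf_pow(x[i], ell) ^ gf_mul(gf_pow(b, ell - 1), x[i]) for i in reps]
        y2 = [y[i] for i in reps]
    else:        # x'_j = (x - u)^ell  and  y'_j = y (x - u)^(ell - d)
        r = (t - ell + d - 1) // ell + 1
        x2 = [gf_pow(x[i] ^ u, ell) for i in reps]
        y2 = [gf_mul(y[i], gf_pow(x[i] ^ u, ell - d)) for i in reps]
    target = trace_code_rows(x2, y2, r)
    rf, rt, rb = rank2(folded), rank2(target), rank2(folded + target)
    return len(orbs), r, rf, rf == rt == rb
if __name__ == "__main__":   # shift z -> z + g (ell = 2), then a = g^5 of order 3 with alpha = a
    print(check_theorem1(1, 2, 4), check_theorem1(6, 1, 7, d=1))
```

The last flag of each tuple is the rank test $\dim F = \dim T = \dim(F + T)$ between the folded code $F$ and the code $T$ predicted by the theorem; it stays true when $t$ is not a multiple of $\ell$, matching the remark that the degree need not be of the form $r_0 \ell$.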
The crucial point which explains why such a property holds is the fact that the ring of polynomials in $\mathbb{F}[x]$ invariant by an affine transformation $\sigma$ is a ring of the form $\mathbb{F}[Q(x)]$ for some polynomial $Q$ which is invariant by $\sigma$. This is what allows to write a sum of the form $\sum_{i=0}^{\ell-1} P(\sigma^i(x))$ as a polynomial of the form $R(Q(x))$.

One might wonder whether folding a subfield subcode of a GRS code (i.e. an alternant code) also yields a subfield subcode of a GRS code. While the proof technique used here obviously allows to prove that a folded subfield subcode of a symmetric GRS code lies in a subfield subcode of a certain subcode, proving equality of both codes seems to be more delicate here. This point can be explained as follows. Consider an alternant code $\mathcal{A}_r(\mathbf{x}, \mathbf{y})$ defined over $\mathbb{F}_q$ and of extension degree $m$, where $\mathbf{x}$ is globally invariant by some $\sigma$ and $\mathbf{y}$ is constant on the orbits of $\sigma$ (we make this assumption to simplify the discussion). To prove that the folded alternant code is still an alternant code, we should be able to express a polynomial $Q(z)$ in $\mathbb{F}_{q^m}[z]$ which is invariant by $\sigma$ and which is such that $y_i Q(x_i)$ belongs to $\mathbb{F}_q$ for any $i$ as a sum $Q(x) = \sum_{j=0}^{\ell-1} P(\sigma^j(x))$ where all the $y_i P(\sigma^j(x_i))$ belong to $\mathbb{F}_q$ for any $i$ and $j$, and where $P$ is some polynomial which depends on $Q$.

C. Folding alternant codes with respect to non-cyclic groups

We have treated the case of folding an alternant code with respect to a group generated by a single element. The automorphism group might not be cyclic. This happens in particular in the case of the Goppa codes in [5], [1], [13]: in such a case the automorphism group is isomorphic to $(\mathbb{Z}/p\mathbb{Z})^\lambda$. Treating the general case of a subgroup of the affine group is beyond the scope of this article; we will just consider the case of a subgroup which is isomorphic to $(\mathbb{Z}/p\mathbb{Z})^\lambda$.
This follows at once from Theorem 1 by noticing that we may fold the code iteratively with respect to $\lambda$ generators of the subgroup and end up with an alternant code. We use here the following straightforward fact.

Lemma 4. Consider a code $\mathcal{C}$ and a group of permutations $G$ acting on the positions of $\mathcal{C}$. Assume that $G$ has a subgroup $G_0$ and an element $\sigma$ of $G$ which does not belong to $G_0$ such that: (i) the cosets $\sigma^i G_0$, for $i \in \{0, \ldots, \ell-1\}$, form a partition of $G$, where $\ell$ is the order of $\sigma$; (ii) $\sigma$ commutes with every element of $G_0$. Then $\sigma$ induces a permutation $\hat\sigma$ on the set of positions of $\mathcal{C}^{G_0}$, defined as follows. We view a code position $i$ of $\mathcal{C}^{G_0}$ as an orbit $\{\tau(u), \tau \in G_0\}$ for some code position $u$ of $\mathcal{C}$, and $\hat\sigma(i)$ is given by the orbit $\{\tau(\sigma(u)), \tau \in G_0\}$. If the order of $\hat\sigma$ is equal to the order $\ell$ of $\sigma$, then, for an appropriate order on the choices of the representatives for the orbits under $\langle \hat\sigma \rangle$, $G_0$ and $G$, we have
$$\bigl(\mathcal{C}^{G_0}\bigr)^{\hat\sigma} = \mathcal{C}^{G}.$$

Proof: First we have to check that the definition of $\hat\sigma(i)$ makes sense, i.e. that it does not depend on the choice of $u$ in the orbit $\{\tau(u), \tau \in G_0\}$. This follows from the fact that $\sigma$ commutes with every element of $G_0$. Indeed, assume that $\{\tau(u), \tau \in G_0\} = \{\tau(v), \tau \in G_0\}$; then $u = \tau_0(v)$ for a certain $\tau_0 \in G_0$, and we deduce
$$\{\tau(\sigma(u)), \tau \in G_0\} = \{\tau(\sigma(\tau_0(v))), \tau \in G_0\} = \{\tau(\tau_0(\sigma(v))), \tau \in G_0\} = \{\tau(\sigma(v)), \tau \in G_0\}.$$
This shows that $\hat\sigma$ is well defined. We let $i_0, i_1, \ldots, i_{s-1}$ be a set of representatives of the orbits of the code positions of $\mathcal{C}$ under $G_0$ (we assume that there are $s$ orbits), and we assume that the code positions $0, 1, \ldots, s-1$ of $\mathcal{C}^{G_0}$ correspond to $i_0, i_1, \ldots, i_{s-1}$ in this order.
Consider now an element $c$ in $\mathcal{C}$ and let $c'$ be the folding of $c$ with respect to $G_0$, that is:
$$c'_j = \sum_{\tau \in G_0} c_{\tau(i_j)}. \qquad (8)$$
If we fold $c'$ with respect to $\hat\sigma$ we obtain an element $c''$ defined by:
$$c''_j = \sum_{l=0}^{\ell-1} c'_{\hat\sigma^l(i'_j)}, \qquad (9)$$
where $i'_0, i'_1, \ldots, i'_{t-1}$ are the representatives of the orbits of the code positions of $\mathcal{C}^{G_0}$ under $\hat\sigma$. Notice that we have used here the fact that the order of $\hat\sigma$ is equal to the order of $\sigma$. By observing that the code position $i'_j$ of $\mathcal{C}^{G_0}$ corresponds to some orbit $\{\tau(u), \tau \in G_0\}$ and putting (8) and (9) together with the characterization of the action of $\hat\sigma$, we obtain:
$$c''_j = \sum_{l=0}^{\ell-1} \sum_{\tau \in G_0} c_{\tau(\sigma^l(u))} = \sum_{\tau \in G} c_{\tau(u)}.$$
This implies that $c''_j$ is equal to some coordinate of $c^{G}$. It remains to show that there is a one-to-one and onto mapping between the set of coordinates of $c''$ and those of $c^{G}$. In order to do so we are going to prove that there is a one-to-one mapping between the orbits under $\hat\sigma$ and the orbits under $G$. This is a straightforward consequence of the following observation. Consider an orbit $O = \{\tau(s), \tau \in G\}$ under $G$. It decomposes as a union of orbits $O_h$ under $G_0$: $O = \bigcup_{h=0}^{\ell-1} O_h$ where $O_h \stackrel{\text{def}}{=} \{\tau(\sigma^h(s)), \tau \in G_0\}$. These orbits $O_h$ form a single orbit under $\hat\sigma$ and we are done.

A straightforward consequence of this is the following.

Corollary 2. Consider a code $\mathcal{C}$ which is the dual of an alternant code with an affine-induced permutation group $G$ isomorphic to $(\mathbb{Z}/p\mathbb{Z})^\lambda$, where $p$ is the characteristic of the field over which the alternant code is defined. Then $\mathcal{C}^{G}$ is the dual of an alternant code.

Proof: In such a case, there exist $g_1, \ldots, g_\lambda$ of order $p$ that generate $G$. We proceed by induction and assume that this property holds for $\lambda = h$. When $h = 1$, this is just Theorem 1. Consider now a group $G$ isomorphic to $(\mathbb{Z}/p\mathbb{Z})^{h+1}$. We observe that $G_0 \stackrel{\text{def}}{=} \langle g_1, \ldots, g_h \rangle$ and $\sigma = g_{h+1}$ satisfy the assumptions of Lemma 4, so we can apply it to this case and obtain:
$$\bigl(\mathcal{C}^{G_0}\bigr)^{\hat\sigma} = \mathcal{C}^{G}.$$
Since by the induction hypothesis $\mathcal{C}^{G_0}$ is the dual of an alternant code, and since $\hat\sigma$ is clearly an affine-induced permutation automorphism of $\mathcal{C}^{G_0}$, we can apply Theorem 1 to it and obtain that the result of the folding of $\mathcal{C}^{G_0}$ by $\hat\sigma$ is again the dual of an alternant code.

All the duals of the codes used in the following variants of the McEliece cryptosystem, namely the dyadic Goppa codes of [5], [13], the monoidic Goppa codes of [1] or the dyadic Srivastava codes of [6], are instances of alternant codes which have an affine-induced permutation group isomorphic to $(\mathbb{Z}/p\mathbb{Z})^\lambda$, and this corollary can be applied to reduce attacks on the key to a much smaller key-recovery problem (namely on the dual of the code obtained by folding). One might also wonder whether, when we fold certain subfamilies of duals of alternant codes with respect to an affine-induced permutation automorphism group, such as duals of Goppa codes, we stay in the subfamily, i.e. do we still obtain the dual of a Goppa code? This turns out to be the case, as shown by the next subsection.

D. Folding Goppa codes

Folding the dual of a Goppa code with an affine-induced automorphism group yields the dual of an alternant code by Corollary 2. It turns out that a stronger statement holds: we actually obtain the dual of a Goppa code, both in the cyclic case, as shown by the following theorem, and when the group is isomorphic to $(\mathbb{Z}/p\mathbb{Z})^\lambda$, as shown later on.

Theorem 2. Consider a Goppa code $\mathcal{C} = \mathcal{G}(\mathbf{x}, \Gamma(z))$ of length $n$ associated to the support $\mathbf{x} = (x_i)_{i}$ …

Proof: We will distinguish between $a = 1$ and $a \neq 1$. In both cases, notice that we can apply Theorem 1 to $\mathcal{C}$, which is an alternant code $\mathcal{A}_t(\mathbf{x}, \mathbf{y})$ where $t$ is the degree of $\Gamma$ and $y_i = 1/\Gamma(x_i)$.
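The following worked example is added here and is not code from the paper: it carries out the folding of Theorem 1 (both the translation case $a = 1$ and the case $a \neq 1$) and the iterated folding of Lemma 4 / Corollary 2 for a group isomorphic to $(\mathbb{Z}/2\mathbb{Z})^2$, and checks the predicted codes by linear algebra. It assumes a toy field $\mathrm{GF}(16)$ built as $\mathbb{F}_2[x]/(x^4+x+1)$, extension degree $m = 1$ (so the dual of the alternant code is the GRS code $\{(y_i P(x_i))_i : \deg P < t\}$ itself, without a trace), and the convention $d \in \{1, \ldots, \ell\}$ with $y_{\sigma(i)} = a^d y_i$; all function names and the sample parameters are the example's own.

```python
# Added example, not the paper's code: Theorem 1 folding and Lemma 4 / Corollary 2 iterated folding over GF(16), m = 1.
from functools import reduce

MOD = 0b10011  # GF(2^4) = GF(2)[x]/(x^4 + x + 1); elements are ints 0..15, addition is XOR

def gf_mul(a, b):
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (MOD if a & 8 else 0)
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

def gf_inv(a):
    return gf_pow(a, 14)  # a^(q-2) with q = 16

def rank(rows):  # rank over GF(16) by Gaussian elimination
    rows, rk = [list(r) for r in rows], 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(rk, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rk], rows[piv] = rows[piv], rows[rk]
        inv = gf_inv(rows[rk][col])
        rows[rk] = [gf_mul(inv, v) for v in rows[rk]]
        for i in range(len(rows)):
            if i != rk and rows[i][col]:
                f = rows[i][col]
                rows[i] = [v ^ gf_mul(f, w) for v, w in zip(rows[i], rows[rk])]
        rk += 1
    return rk

def grs_generator(x, y, t):
    """Rows (y_i x_i^k)_i, k < t, generating {(y_i P(x_i))_i : deg P < t} = A_t(x,y)^perp."""
    return [[gf_mul(y[i], gf_pow(x[i], k)) for i in range(len(x))] for k in range(t)]

def orbits(x, maps):
    """Orbits of the positions of x under the group generated by the affine maps z -> a z + b
    in `maps` (x must be globally invariant), listed by first position."""
    pos, seen, orbs = {v: i for i, v in enumerate(x)}, set(), []
    for i, v in enumerate(x):
        if i in seen:
            continue
        orb, stack = [], [v]
        while stack:
            w = stack.pop()
            if pos[w] not in seen:
                seen.add(pos[w])
                orb.append(pos[w])
                stack.extend(gf_mul(a, w) ^ b for a, b in maps)
        orbs.append(orb)
    return orbs

def fold(rows, orbs):  # folding: add up, in each codeword, the coordinates of the same orbit
    return [[reduce(lambda s, i: s ^ c[i], orb, 0) for orb in orbs] for c in rows]

def theorem1(x, y, t, a, b, d):
    """Fold A_t(x,y)^perp by sigma(z) = a z + b and compare with the A_r(x',y')^perp of Theorem 1;
    d in {1..ell} is such that y_{sigma(i)} = a^d y_i.  Returns (r, dim folded, dim folded+predicted)."""
    orbs = orbits(x, [(a, b)])
    ell, reps = len(orbs[0]), [o[0] for o in orbs]
    folded = fold(grs_generator(x, y, t), orbs)
    if a == 1:  # translation: ell = p = 2, x' = x^2 - b x, y' = y
        r = (t - ell) // ell + 1
        xp = [gf_pow(x[i], ell) ^ gf_mul(gf_pow(b, ell - 1), x[i]) for i in reps]
        yp = [y[i] for i in reps]
    else:       # x' = (x - u)^ell, y' = y (x - u)^(ell - d), u = b/(1 - a) the fixed point
        u = gf_mul(b, gf_inv(1 ^ a))  # 1 - a = 1 ^ a in characteristic 2
        r = (t - ell + d - 1) // ell + 1
        xp = [gf_pow(x[i] ^ u, ell) for i in reps]
        yp = [gf_mul(y[i], gf_pow(x[i] ^ u, ell - d)) for i in reps]
    return r, rank(folded), rank(folded + grs_generator(xp, yp, r))

def check_theorem1(a, b, t, d=1):
    """Support GF(16) (a = 1) or GF(16) minus the fixed point; y_i = (x_i - u)^d h_j with h_j = j + 1."""
    u = 0 if a == 1 else gf_mul(b, gf_inv(1 ^ a))
    x = [v for v in range(16) if a == 1 or v != u]
    y = {i: gf_mul(j + 1, gf_pow(x[i] ^ u, d if a != 1 else 0))
         for j, orb in enumerate(orbits(x, [(a, b)])) for i in orb}
    return theorem1(x, [y[i] for i in range(len(x))], t, a, b, d)

def check_corollary2(b1, b2, t):
    """G = <z+b1, z+b2> ~ (Z/2Z)^2 on GF(16), y = 1: folding by G at once vs folding by <z+b1>
    then by the induced shift w -> w + b2^2 + b1 b2 on w = z^2 + b1 z (Lemma 4), vs Theorem 1 twice."""
    x, gen = list(range(16)), grs_generator(list(range(16)), [1] * 16, t)
    by_G = fold(gen, orbits(x, [(1, b1), (1, b2)]))
    orbs1 = orbits(x, [(1, b1)])
    x1 = [gf_pow(x[o[0]], 2) ^ gf_mul(b1, x[o[0]]) for o in orbs1]
    b_hat = gf_pow(b2, 2) ^ gf_mul(b1, b2)
    orbs2 = orbits(x1, [(1, b_hat)])
    step2 = fold(fold(gen, orbs1), orbs2)
    x2 = [gf_pow(x1[o[0]], 2) ^ gf_mul(b_hat, x1[o[0]]) for o in orbs2]
    r = (((t - 2) // 2 + 1) - 2) // 2 + 1  # Theorem 1 applied twice with ell = 2
    return r, rank(by_G), rank(step2 + by_G), rank(step2 + grs_generator(x2, [1] * len(x2), r))
```

`check_theorem1(1, 2, 6)` folds a $t = 6$ code by the shift $z \mapsto z + x$ (eight orbits of size $2$) and returns $(3, 3, 3)$: the folded code has dimension $r = 3$ and coincides with the GRS code on $x' = x^2 + bx$. `check_theorem1(6, 5, 7, d=2)` uses $a$ of order $3$ (five orbits on the 15 non-fixed points) and `check_corollary2(2, 4, 8)` shows that folding by the whole group $\langle z+b_1, z+b_2 \rangle$ gives the same code as two successive foldings, which is also the GRS code obtained by applying Theorem 1 twice.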
This is a consequence of the definition of a Goppa code with an affine-induced automorphism $\sigma(x) = ax + b$: this is a Goppa code obtained from the construction of Proposition 3, and this is precisely what is needed (together with the fact that the support does not contain the fixed point of $\sigma$) for applying Theorem 1 to it. In all cases, folding the dual of $\mathcal{C}$ gives the dual of an alternant code of the form $\mathcal{A}_{t'}(\mathbf{x}', \mathbf{y}')$ for some integer $t'$ and some $\mathbf{x}', \mathbf{y}'$ in $\mathbb{F}_{q^m}^{s}$. Moreover, in both cases there exists an $\ell$-th root of unity, which we denote by $\alpha$, such that the Goppa polynomial satisfies the identity $\Gamma(az + b) = \alpha\, \Gamma(z)$.

Case $a = 1$: $\ell$ is equal to the characteristic $p$ of the field $\mathbb{F}_{q^m}$, $\alpha$ is necessarily equal to $1$, $\Gamma(z)$ has degree a multiple of $p$ and is of the form $\Gamma(z) = \gamma(z^p - b^{p-1} z)$. Notice that $\mathbf{y}$ satisfies
$$y_{\sigma(i)} = \frac{1}{\Gamma(a x_i + b)} = \frac{1}{\Gamma(x_i)} = y_i,$$
and using Theorem 1 gives $y'_j = y_{i_j}$ and therefore
$$y'_j = y_{i_j} = \frac{1}{\Gamma(x_{i_j})} = \frac{1}{\gamma\bigl(x_{i_j}^p - b^{p-1} x_{i_j}\bigr)} = \frac{1}{\gamma(x'_j)}.$$
This implies that $\mathcal{A}_{t'}(\mathbf{x}', \mathbf{y}')$ is nothing but the Goppa code $\mathcal{G}(\mathbf{x}', \gamma(z))$.

Case $a \neq 1$: there exists a unique integer $d$ in the range $[0, \ldots, \ell-1]$ such that $\alpha = a^d$, and by Proposition 4 $\Gamma(z)$ is of the form
$$\Gamma(z) = (z-u)^d\, \gamma\bigl((z-u)^\ell\bigr).$$
Notice that in such a case, using $u = au + b$ and $a^\ell = 1$:
$$\frac{1}{y_{\sigma(i)}} = \Gamma(a x_i + b) = (a x_i + b - u)^d\, \gamma\bigl((a x_i + b - u)^\ell\bigr) = (a x_i + b - au - b)^d\, \gamma\bigl((a x_i + b - au - b)^\ell\bigr) = \bigl(a(x_i - u)\bigr)^d\, \gamma\bigl(a^\ell (x_i - u)^\ell\bigr) = a^d (x_i - u)^d\, \gamma\bigl((x_i - u)^\ell\bigr) = a^d\, \Gamma(x_i) = \frac{a^d}{y_i}.$$
Hence $y_{\sigma(i)} = a^{-d} y_i = a^{\ell - d} y_i$, so Theorem 1 applies with $\ell - d$ (which lies in $\{1, \ldots, \ell\}$) in place of $d$, and we obtain:
$$y'_j = y_{i_j}\,(x_{i_j} - u)^{d} = \frac{(x_{i_j} - u)^d}{\Gamma(x_{i_j})} = \frac{(x_{i_j} - u)^d}{(x_{i_j} - u)^d\, \gamma\bigl((x_{i_j} - u)^\ell\bigr)} = \frac{1}{\gamma(x'_j)}.$$
This implies again that $\mathcal{A}_{t'}(\mathbf{x}', \mathbf{y}')$ is nothing but the Goppa code $\mathcal{G}(\mathbf{x}', \gamma(z))$.

When the group is isomorphic to $(\mathbb{Z}/p\mathbb{Z})^\lambda$ we have the following statement.

Theorem 3. Consider a Goppa code $\mathcal{C} = \mathcal{G}(\mathbf{x}, \Gamma)$ with an affine-induced automorphism group $G$ isomorphic to $(\mathbb{Z}/p\mathbb{Z})^\lambda$, where $p$ is the characteristic of the field over which the Goppa code is defined. Then the folding $(\mathcal{C}^\perp)^{G}$ is the dual of a Goppa code $\mathcal{G}(\mathbf{x}', \gamma(z))$ where the degree $\deg(\gamma)$ of $\gamma$ is equal to $\deg(\Gamma)/p^\lambda$.

Proof: We proceed similarly to the proof of Corollary 2. First we notice that there exist $g_1, \ldots, g_\lambda$ of order $p$ that generate $G$. We proceed by induction and assume that this property holds for $\lambda = h$. When $h = 1$, this is just Theorem 2 (since $g_1$ is necessarily induced by an affine transformation of the form $x \mapsto x + \beta$, which has no fixed point in the extension field in which the coordinates of the multiplier live). Consider now a group $G$ isomorphic to $(\mathbb{Z}/p\mathbb{Z})^{h+1}$. We observe that $G_0 \stackrel{\text{def}}{=} \langle g_1, \ldots, g_h \rangle$ and $\sigma = g_{h+1}$ satisfy the assumptions of Lemma 4, so we can apply it to this case and obtain:
$$\bigl((\mathcal{C}^\perp)^{G_0}\bigr)^{\hat\sigma} = (\mathcal{C}^\perp)^{G}.$$
Since by the induction hypothesis $(\mathcal{C}^\perp)^{G_0}$ is the dual of a Goppa code of degree $\deg(\Gamma)/p^h$, and since $\hat\sigma$ is clearly an affine-induced permutation automorphism of $(\mathcal{C}^\perp)^{G_0}$, we can apply Theorem 2 to it and obtain that the result of the folding of $(\mathcal{C}^\perp)^{G_0}$ by $\hat\sigma$ is the dual of a Goppa code of degree $\deg(\Gamma)/p^{h+1}$.
VI. Conclusion – Cryptographic Implications

The results presented in this paper have some significant consequences for a recent research trend which consists in devising McEliece schemes with reduced public key size. This is achieved by relying on QD/QM Goppa codes or QC alternant codes [4], [5], [13], [1]. Some of them were attacked by the algebraic attack introduced in [9], [11], where it was proved that the QD or the QC structure allowed one to set up an algebraic system which could be solved by Gröbner basis techniques, thanks to the reduction in the number of unknowns obtained in this case compared to an unstructured McEliece scheme. Our result actually explains where this reduction in the number of unknowns comes from: there is in fact a smaller hidden Goppa (or alternant) code behind the public generator or parity-check matrix of the scheme. Moreover, it is shown in [21] that a key-recovery attack on the reduced cryptosystem can be used to recover the secret key of the original cryptosystem. This implies that a key-recovery on QD and QM schemes is not harder than a key-recovery on a reduced McEliece scheme where all parameters have been scaled down by the order of the automorphism group (the size of the orbits), which is the compression factor allowed by the QC, QD or QM structure. For instance, the key-recovery on a QD Goppa code with the length and dimension suggested in [5] reduces to the key-recovery on a Goppa code whose length and dimension are both scaled down by this factor. In other words, the very reason which allowed the design of compact variants of McEliece can be used to attack such schemes much more efficiently.

Our result does not rule out the possibility of devising alternant or Goppa codes with a non-trivial automorphism group for which folding does not produce an alternant or a Goppa code: it only applies to such codes with an affine-induced automorphism group. Symmetric codes of this kind could be obtained from the action of the semi-linear projective group on the support instead of the affine group (see Section III).
It is an open question to understand whether folding such symmetric codes yields again Goppa or alternant codes, but obviously even treating the case of the linear projective group (obtained from the transformations of the kind $z \mapsto \frac{az+b}{cz+d}$) needs much more general tools than those that have been considered here and is beyond the scope of this paper. It should also be added that this result does not mean that all compact-key McEliece cryptosystems based on alternant or Goppa codes with an affine-induced automorphism group are weak. It just means that the key security is not better than the key security of the reduced scheme obtained from the folding process. Since key-recovery attacks are generally more expensive than message-recovery attacks, it might be possible to choose secure parameters for which we still obtain a good reduction of the key size, where key-recovery attacks on the folded key are of the same complexity as message-recovery attacks on the original scheme. However, this thread of research requires great care since there has been some recent progress on key-recovery attacks, see [21], [26] for instance.

References

[1] P. S. L. M. Barreto, R. Lindner, and R. Misoczki, "Monoidic codes in cryptography," in PQCrypto, ser. Lecture Notes in Computer Science, B.-Y. Yang, Ed., vol. 7071. Springer, 2011, pp. 179–199.
[2] R. Misoczki, J.-P. Tillich, N. Sendrier, and P. S. L. M. Barreto, "MDPC-McEliece: New McEliece variants from moderate density parity-check codes," in ISIT, 2013, pp. 2069–2073.
[3] P. Gaborit, "Shorter keys for code based cryptography," in Proceedings of the 2005 International Workshop on Coding and Cryptography (WCC 2005), Bergen, Norway, Mar. 2005, pp. 81–91.
[4] T. P. Berger, P. Cayrel, P. Gaborit, and A. Otmani, "Reducing key length of the McEliece cryptosystem," in Progress in Cryptology – Second International Conference on Cryptology in Africa (AFRICACRYPT 2009), ser. Lecture Notes in Computer Science, B. Preneel, Ed., vol. 5580, Gammarth, Tunisia, Jun. 21–25 2009, pp. 77–97.
[5] R. Misoczki and P. S. L. M. Barreto, "Compact McEliece keys from Goppa codes," in Selected Areas in Cryptography (SAC 2009), Calgary, Canada, Aug. 13–14 2009.
[6] E. Persichetti, "Compact McEliece keys based on quasi-dyadic Srivastava codes," J. Mathematical Cryptology, vol. 6, no. 2, pp. 149–169, 2012.
[7] A. Otmani, J.-P. Tillich, and L. Dallot, "Cryptanalysis of McEliece cryptosystem based on quasi-cyclic LDPC codes," in Proceedings of the First International Conference on Symbolic Computation and Cryptography. Beijing, China: LMIB Beihang University, Apr. 28–30 2008, pp. 69–81.
[8] ——, "Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes," Mathematics in Computer Science, vol. 3, no. 2, pp. 129–140, 2010.
[9] J.-C. Faugère, A. Otmani, L. Perret, and J.-P. Tillich, "Algebraic cryptanalysis of McEliece variants with compact keys," in EUROCRYPT, 2010, pp. 279–298.
[10] ——, "Algebraic cryptanalysis of McEliece variants with compact keys – toward a complexity analysis," in SCC '10: Proceedings of the 2nd International Conference on Symbolic Computation and Cryptography, ∼jcf/Papers/SCC2010a.pdf.
[11] V. G. Umana and G. Leander, "Practical key recovery attacks on two McEliece variants," in International Conference on Symbolic Computation and Cryptography – SCC, vol. 2010, 2010, p. 62.
[12] S. Heyse, "Implementation of McEliece based on quasi-dyadic Goppa codes for embedded devices," in Post-Quantum Cryptography, ser. Lecture Notes in Computer Science, B.-Y. Yang, Ed. Springer Berlin Heidelberg, 2011, vol. 7071, pp. 143–162. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-25405-5_10
[13] P. S. L. M. Barreto, P.-L. Cayrel, R. Misoczki, and R. Niebuhr, "Quasi-dyadic CFS signatures," in Inscrypt, ser. Lecture Notes in Computer Science, X. Lai, M. Yung, and D. Lin, Eds., vol. 6584. Springer, 2010, pp. 336–349.
[14] M. Barbier, "Key reduction of McEliece's cryptosystem using list decoding," CoRR, vol. abs/1102.2566, 2011.
[15] G. Bommier and F. Blanchet, "Binary quasi-cyclic Goppa codes," Designs, Codes and Cryptography, vol. 20, no. 2, pp. 107–124, 2000.
[16] J. Ryan and P. Fitzpatrick, "Quasicyclic irreducible Goppa codes," in Proceedings of the IEEE International Symposium on Information Theory (ISIT 2004), June 2004, p. 183.
[17] T. P. Berger, "Cyclic alternant codes induced by an automorphism of a GRS code," in Finite Fields: Theory, Applications and Algorithms, R. Mullin and G. Mullen, Eds., vol. 225. Waterloo, Canada: AMS, Contemporary Mathematics, 1999, pp. 143–154.
[18] ——, "Goppa and related codes invariant under a prescribed permutation," IEEE Trans. Inform. Theory, vol. 46, no. 7, p. 2628, 2000.
[19] ——, "On the cyclicity of Goppa codes, parity-check subcodes of Goppa codes and extended Goppa codes," Finite Fields and Applications, vol. 6, pp. 255–281, 2000.
[20] A. Dür, "The automorphism groups of Reed-Solomon codes," J. Combin. Theory Ser. A, vol. 44, pp. 69–82, 1987.
[21] J.-C. Faugère, A. Otmani, L. Perret, F. de Portzamparc, and J.-P. Tillich, "Structural cryptanalysis of McEliece-like schemes with compact keys," IACR Cryptology ePrint Archive, vol. 2014, p. 210, 2014.
[22] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes, 5th ed. Amsterdam: North-Holland, 1986.
[23] P. Delsarte, "On subfield subcodes of modified Reed-Solomon codes," IEEE Transactions on Information Theory, vol. 21, no. 5, pp. 575–576, 1975.
[24] M. Legeay, "Towards an approach using algebraic properties of the σ-subcode," in Proceedings of the Workshop on Coding and Cryptography, WCC 2011, D. Augot and A. Canteaut, Eds., Paris, France, 2011, pp. 193–202.
[25] ——, "Utilisation du groupe de permutations d'un code correcteur pour améliorer l'efficacité du décodage," Ph.D. dissertation, Univ. Rennes 1, 2012.
[26] A. Couvreur, A. Otmani, and J.-P. Tillich, "Polynomial time attack on wild McEliece over quadratic extensions," 2014, arXiv:1402.3264. To appear in EUROCRYPT 2014.
[27] I. Shafarevich, Basic Algebraic Geometry, Varieties in Projective Space, 2nd ed. Springer Verlag, 1994, vol. 1.

Appendix

A. Proof of Proposition 4

We will first characterize the solutions to Equation (1) in the case where $\alpha = 1$. In some sense, this characterization generalizes a classical result about even polynomials, i.e. polynomials $P(z)$ which satisfy $P(z) = P(-z)$. It is namely well known that a polynomial is even if and only if there exists a polynomial $Q$ such that $P(z) = Q(z^2)$. Lemma 5, which uses the notation $I^\sigma_t[z]$ defined in Section IV, generalizes this result to any polynomial invariant under a finite-order affine map.

Lemma 5. Let $\sigma(z) = az + b$ be an affine map of finite order $\ell$ (with $\ell > 1$) defined over a field $\mathbb{F}$. We have:
- if $a = 1$ then $\mathbb{F}$ is of characteristic $\ell$ and $I^\sigma_t[z] = \bigl\{ Q(z^\ell - b^{\ell-1} z) \mid \deg Q \le t/\ell \bigr\}$;
- if $a \neq 1$ then $I^\sigma_t[z] = \bigl\{ Q\bigl((z - z_0)^\ell\bigr) \mid \deg Q \le t/\ell \bigr\}$, with $z_0$ the unique fixed point of $\sigma$.

In other words, the ring of polynomials invariant under an affine map is generated by a single element and the lemma provides this generator explicitly. This result follows from classical results in invariant theory and we derive it from scratch here to keep the paper self-contained. Also, we treat the case where the order $\ell$ of the group generated by $\sigma$ is divisible by the characteristic of $\mathbb{F}$. This is precisely what happens when $a = 1$, and that is commonly avoided in invariant theory (see for instance [27, Appendix]).

Proof of Lemma 5: Let us first prove that the right-hand sides which appear in the expressions for $I^\sigma_t[z]$ are indeed included in $I^\sigma_t[z]$. If $a = 1$, consider a polynomial $P$ of degree at most $t$ of the form $P(z) = Q(z^\ell - b^{\ell-1} z)$ for some polynomial $Q$. We have:
$$P(z+b) = Q\bigl((z+b)^\ell - b^{\ell-1}(z+b)\bigr) = Q\bigl(z^\ell + b^\ell - b^{\ell-1} z - b^\ell\bigr) = Q\bigl(z^\ell - b^{\ell-1} z\bigr) = P(z).$$
We just used the fact that $\ell$ is the characteristic of $\mathbb{F}$ and therefore $(z+b)^\ell = z^\ell + b^\ell$. In the case $a \neq 1$, if we consider a polynomial $P$ of degree at most $t$ of the form $P(z) = Q\bigl((z - z_0)^\ell\bigr)$ for some polynomial $Q$ of degree $\deg P/\ell$, we obtain:
$$P(az+b) = Q\bigl((az + b - z_0)^\ell\bigr) = Q\bigl((az + b - az_0 - b)^\ell\bigr) = Q\bigl(a^\ell (z - z_0)^\ell\bigr) = Q\bigl((z - z_0)^\ell\bigr) = P(z).$$
We used the fact that $z_0 = az_0 + b$ and that $\ell$ is also the order of $a$.

Let us prove now the reverse inclusion. Let $P$ be a polynomial which is invariant under $\sigma$. Consider a non-constant polynomial $R$ of smallest degree which is invariant under $\sigma$. Such a polynomial necessarily exists since the set of non-constant polynomials invariant under $\sigma$ is non-empty ($z^\ell - b^{\ell-1} z$ in the case $a = 1$ and $(z - z_0)^\ell$ in the case $a \neq 1$ belong to it). Perform the division of $P$ by $R$. We can write
$$P(z) = R(z)\, P_1(z) + P_2(z) \qquad (10)$$
with $\deg P_2 < \deg R$. Observe now that
$$P(az+b) = R(az+b)\, P_1(az+b) + P_2(az+b). \qquad (11)$$
Since $P(az+b) = P(z)$ and $R(az+b) = R(z)$, we deduce by subtracting (10) from (11) that
$$R(z)\bigl(P_1(az+b) - P_1(z)\bigr) = P_2(z) - P_2(az+b).$$
Since the degree of $S(z) \stackrel{\text{def}}{=} P_2(z) - P_2(az+b)$ is less than the degree of $R$, this can only happen if $P_1$ is invariant under $\sigma$, and therefore $P_2$ as well. Since $R$ is a non-constant polynomial of smallest degree which is invariant under $\sigma$ and since $\deg P_2 < \deg R$, this implies that $P_2$ is constant. By carrying on this process (i.e. dividing $P_1$ by $R$) we eventually obtain that $P$ is a polynomial in $R$. We finish the proof by proving that $R$ can be chosen to be $R(z) = z^\ell - b^{\ell-1} z$ in the case $a = 1$ and $R(z) = (z - z_0)^\ell$ otherwise.

Let us first prove this for $a = 1$. We can add any constant to $R$; it will still be invariant under $\sigma$. We may therefore assume that $R(0) = 0$. We can also assume that $R$ is monic.
Let us observe now that $R(0) = R(b) = R(2b) = \cdots = R\bigl((\ell-1)b\bigr)$ by the invariance of $R$ under $z \mapsto z + b$. This implies that $R$ is a multiple of $z(z-b)\cdots\bigl(z-(\ell-1)b\bigr)$, and $R$ is therefore of degree greater than or equal to $\ell$. The polynomial $z^\ell - b^{\ell-1} z$ is of degree $\ell$, is invariant under $\sigma$ and is a multiple of $z(z-b)\cdots\bigl(z-(\ell-1)b\bigr)$ (it vanishes at the $\ell$ distinct points $0, b, \ldots, (\ell-1)b$). Therefore $R(z) = z^\ell - b^{\ell-1} z$.

Consider now the case $a \neq 1$. Without loss of generality (by adding a suitable constant, as in the case $a = 1$) we may assume that $R(c) = 0$, where $c$ is some element of $\mathbb{F}$ such that the orbit of $c$ under $\sigma$ is of size $\ell$. By the invariance of $R$ under $\sigma$ this implies that $R(c) = R(\sigma(c)) = \cdots = R\bigl(\sigma^{\ell-1}(c)\bigr)$. This implies that $R(z)$ is divisible by $(z-c)(z-\sigma(c))\cdots\bigl(z-\sigma^{\ell-1}(c)\bigr)$. Therefore $R$ is of degree at least $\ell$. Since $(z - z_0)^\ell$ is of degree $\ell$ and is invariant under $\sigma$, we can choose $R(z) = (z - z_0)^\ell$.

This proves Proposition 4 when $\alpha = 1$. Let us prove now this proposition in general.

Proof of Proposition 4: Denote by $\sigma$ the affine map $z \mapsto az + b$. First of all, let us notice that if there exists some polynomial $P(z)$ satisfying the equation $P(\sigma(z)) = \alpha P(z)$ for some $\alpha$, then necessarily such an $\alpha$ satisfies $\alpha^\ell = 1$. This follows at once from the fact that $P(z) = P\bigl(\sigma^\ell(z)\bigr) = \alpha^\ell P(z)$. This also implies that the order of $\alpha$ divides $\ell$. There are now two cases to consider.

Case $a = 1$: then the order $\ell$ of $\sigma$ is necessarily equal to the characteristic of $\mathbb{F}$ and there is no element, apart from $1$, whose order divides $\ell$. In this case, Lemma 5 implies Proposition 4.

Case $a \neq 1$: in such a case the order of $a$ is equal to $\ell$ and $a$ is a primitive $\ell$-th root of unity. Since $\alpha$ is an $\ell$-th root of unity, there exists in this case an integer $d$ in the range $[0, \ldots, \ell-1]$ such that $\alpha = a^d$. Consider now a polynomial which is such that
$$P(\sigma(z)) = \alpha P(z). \qquad (12)$$
If $\alpha = 1$, then we can use directly Lemma 5 and we are done. Otherwise, observe that from the fact that $\sigma(z_0) = z_0$ we deduce that $P(z_0) = P(\sigma(z_0)) = \alpha P(z_0)$. This implies that $P(z_0) = 0$. Define now a polynomial $P_1$ by $P(z) = (z - z_0) P_1(z)$. Observe now that on the one hand
$$P(az+b) = (az + b - z_0)\, P_1(az+b) = a(z - z_0)\, P_1(az+b)$$
and that on the other hand
$$P(az+b) = \alpha P(z) = a^d (z - z_0)\, P_1(z).$$
Putting both equations together, we obtain
$$P_1(az+b) = a^{d-1} P_1(z).$$
If $d \neq 1$ we can carry on this process on $P_1$, deduce from the previous equation that $P_1(z_0) = 0$, and deduce by induction on $d$ that $P(z)$ has a zero of order at least $d$ at $z_0$ and that the polynomial $P_d(z)$ defined by $P_d(z) = P(z)/(z - z_0)^d$ satisfies the equation $P_d(az+b) = P_d(z)$. We apply Lemma 5 to $P_d$ and derive from it that $P$ should be of the form
$$P(z) = (z - z_0)^d\, Q\bigl((z - z_0)^\ell\bigr),$$
where $Q$ is any polynomial of degree $(\deg P - d)/\ell$. Conversely, any polynomial $P$ of this form is readily seen to verify (12).

B. Proof of Lemma 2

For this result, we will need the following lemma.

Lemma 6. $1^k + 2^k + \cdots + (p-1)^k \equiv 0 \pmod p$ for every integer $k$ which is not a multiple of $p-1$, whereas $1^k + 2^k + \cdots + (p-1)^k \equiv -1 \pmod p$ otherwise.

Proof: Recall that the multiplicative group $\mathbb{F}_p^\times$ is generated by a single element $\alpha$ which is of order $p-1$. The mapping $\varphi_k : \mathbb{F}_p^\times \to \mathbb{F}_p^\times$, $x \mapsto x^k$, therefore maps $\mathbb{F}_p^\times$ onto a subgroup of $\mathbb{F}_p^\times$ different from the trivial subgroup $\{1\}$ if and only if $k$ is not a multiple of $p-1$. In other words, if $k$ is a multiple of $p-1$, we have $s^k \equiv 1 \pmod p$ for any $s \in \{1, \ldots, p-1\}$. This implies that $1^k + 2^k + \cdots + (p-1)^k \equiv p-1 \equiv -1 \pmod p$. Assume now that $k$ is not a multiple of $p-1$. Thus $\varphi_k(\mathbb{F}_p^\times)$ is a subgroup of $\mathbb{F}_p^\times$ whose size is a divisor $\ell > 1$ of $p-1$.
Since $\mathbb{F}_p^\times$ is generated by $\alpha$, $\varphi_k(\mathbb{F}_p^\times)$ is generated by $\beta \stackrel{\text{def}}{=} \alpha^k$, every element of this subgroup has exactly $(p-1)/\ell$ preimages, and we have
$$1^k + 2^k + \cdots + (p-1)^k \equiv \frac{p-1}{\ell}\bigl(1 + \beta + \cdots + \beta^{\ell-1}\bigr) \equiv \frac{(p-1)(\beta^\ell - 1)}{\ell(\beta - 1)} \equiv 0 \pmod p,$$
since $\beta \neq 1$ and $\beta^\ell = 1$.

Let us prove now Lemma 2.

Proof: Let us first compute $S(z^t)$, where $t$ is some nonnegative integer:
$$S(z^t) = \sum_{s=0}^{p-1} (z + sb)^t = z^t + \sum_{s=1}^{p-1} \sum_{i=0}^{t} \binom{t}{i} z^{t-i} (sb)^i = \sum_{s=1}^{p-1} \sum_{i=1}^{t} \binom{t}{i} z^{t-i} (sb)^i = \sum_{i=1}^{t} b^i \binom{t}{i} \Bigl(\sum_{s=1}^{p-1} s^i\Bigr) z^{t-i} = \sum_{i=p-1}^{t} b^i \binom{t}{i} \Bigl(\sum_{s=1}^{p-1} s^i\Bigr) z^{t-i}, \qquad (13)$$
where the second equality uses that the $i = 0$ terms contribute $(p-1) z^t = -z^t$ in characteristic $p$, and the last equality follows from Lemma 6, which gives $\sum_{s=1}^{p-1} s^i = 0$ when $i$ is in the range $[1 .. p-2]$ and the sum is performed over a field of characteristic $p$. This implies immediately that $S(\mathbb{F}_t[z]) \subseteq \mathbb{F}_{t-p+1}[z]$. Since $S(Q(z))$ is obviously invariant under $\sigma$ for any polynomial $Q(z) \in \mathbb{F}[z]$, we know from Lemma 5 that it is of the form $S(Q(z)) = R(z^p - b^{p-1} z)$ for some polynomial $R$ in $\mathbb{F}[z]$. Its degree is therefore a multiple of $p$. This implies that we actually obtain the refined inclusion
$$S(\mathbb{F}_t[z]) \subseteq I_{\lfloor \frac{t-p+1}{p} \rfloor p}[z]. \qquad (14)$$
Equality is proven by dimension considerations. It follows from Lemma 5 that $I_t[z]$ is a vector space of dimension $\lfloor t/p \rfloor + 1$. The calculation (13) performed above also shows that $S\bigl(z^{(k+1)p-1}\bigr)$ is a polynomial of degree exactly $kp$: its coefficient of $z^{kp}$ is, by (13), $b^{p-1} \binom{(k+1)p-1}{p-1} \sum_{s=1}^{p-1} s^{p-1}$, which is different from $0$ since $1^{p-1} + 2^{p-1} + \cdots + (p-1)^{p-1} \equiv -1 \pmod p$ by Lemma 6 (and $\binom{(k+1)p-1}{p-1} \equiv 1 \pmod p$ by Lucas' theorem, the base-$p$ expansion of $(k+1)p-1$ ending with the digit $p-1$). This can be used to obtain that
$$\dim S(\mathbb{F}_t[z]) \ge \Bigl\lfloor \frac{t-p+1}{p} \Bigr\rfloor + 1 = \dim I_{\lfloor \frac{t-p+1}{p} \rfloor p}[z].$$
This together with (14) implies that $S(\mathbb{F}_t[z]) = I_{\lfloor \frac{t-p+1}{p} \rfloor p}[z]$, which concludes the proof.

C. Proof of Lemma 3

Proof: Let us calculate, for a nonnegative integer $t$,
$$S\bigl((z-u)^t\bigr) = \sum_{i=0}^{\ell-1} a^{di} \bigl(a^i (z - u)\bigr)^t = (z-u)^t \sum_{i=0}^{\ell-1} a^{(d+t)i}.$$
This sum is equal to $0$ as long as $d + t \not\equiv 0 \pmod \ell$ and is equal to $(\ell \bmod p)\,(z-u)^t$ when $d + t \equiv 0 \pmod \ell$; note that $\ell \bmod p \neq 0$ since $\ell$, the order of $a$, is coprime to the characteristic $p$. The polynomial $S(P(z))$ is therefore a polynomial of degree at most $\ell - d + \bigl\lfloor \frac{\deg P - \ell + d}{\ell} \bigr\rfloor \ell$ of the form
$$S(P(z)) = (z-u)^{\ell - d} \sum_{i=0}^{\lfloor \frac{\deg P - \ell + d}{\ell} \rfloor} a_i\, (z-u)^{i\ell} \qquad (15)$$
when $\deg P \ge \ell - d$, and is equal to zero otherwise. We conclude the proof by noting that the term $\sum_{i=0}^{\lfloor \frac{\deg P - \ell + d}{\ell} \rfloor} a_i (z-u)^{i\ell}$ is a polynomial which is invariant under $\sigma$.
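The following worked example is added here and is not code from the paper: it carries out, over a small prime field $\mathbb{F}_p$, the $a = 1$ case of Lemma 5 (writing an invariant polynomial as $Q(R)$ with $R = z^p - b^{p-1} z$ by the repeated division of the proof), the power sums of Lemma 6, and both halves of the proof of Lemma 2 (the inclusion (14) and the degrees of $S(z^{(k+1)p-1})$). Polynomials are coefficient lists with the constant term first; the names `S`, `as_poly_in_R`, `lemma2_check` and the sample values of $p$, $b$ and $t$ are the example's own.

```python
# Added example, not the paper's code: the a = 1 case of Lemma 5, the power sums of Lemma 6 and
# both inclusions of Lemma 2, computed over F_p with polynomials as coefficient lists (low degree first).

def trim(f, p):
    f = [c % p for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f

def add(f, g, p):
    n = max(len(f), len(g))
    return trim([(f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0) for i in range(n)], p)

def mul(f, g, p):
    out = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, c in enumerate(g):
            out[i + j] += a * c
    return trim(out, p)

def scale(f, c, p):
    return trim([c * a for a in f], p)

def compose(f, g, p):  # f(g(z)) by Horner's rule
    out = []
    for c in reversed(f):
        out = add(mul(out, g, p), [c], p)
    return out

def divmod_poly(f, g, p):
    f, g = trim(f, p), trim(g, p)
    inv_lead, q = pow(g[-1], p - 2, p), [0] * max(len(f) - len(g) + 1, 1)
    while f and len(f) >= len(g):
        c, k = f[-1] * inv_lead % p, len(f) - len(g)
        q[k] = c
        f = trim([f[i] - c * g[i - k] if i >= k else f[i] for i in range(len(f))], p)
    return trim(q, p), f

def monomial(k):
    return [0] * k + [1]

def power_sum(k, p):  # 1^k + 2^k + ... + (p-1)^k mod p (Lemma 6: 0, or -1 when p-1 divides k)
    return sum(pow(s, k, p) for s in range(1, p)) % p

def S(f, b, p):  # S(P)(z) = sum_{s=0}^{p-1} P(z + s b), the folding operator for sigma(z) = z + b
    out = []
    for s in range(p):
        out = add(out, compose(f, [s * b % p, 1], p), p)
    return out

def is_invariant(f, b, p):
    return compose(f, [b % p, 1], p) == trim(f, p)

def as_poly_in_R(f, b, p):
    """Lemma 5 (a = 1): write P as Q(R), R = z^p - b^(p-1) z, by repeated division by R; every
    remainder must be a constant.  Returns the coefficients of Q, or None if P is not invariant."""
    R = trim([0, -pow(b, p - 1, p)] + [0] * (p - 2) + [1], p)
    coeffs = []
    while f:
        f, rem = divmod_poly(f, R, p)
        if len(rem) > 1:
            return None
        coeffs.append(rem[0] if rem else 0)
    return trim(coeffs, p)

def lemma2_check(t, b, p):
    """Both halves of the proof of Lemma 2 for S on polynomials of degree <= t:
    (i) every S(z^k) is Q(R) with deg Q <= floor((t-p+1)/p), i.e. the inclusion (14);
    (ii) S(z^((k+1)p-1)) has degree exactly k p, which gives the lower bound on dim S(F_t).
    Returns (inclusion holds, degrees found in (ii), degrees expected)."""
    bound = (t - p + 1) // p
    inclusion = True
    for k in range(t + 1):
        q = as_poly_in_R(S(monomial(k), b, p), b, p)
        inclusion = inclusion and q is not None and len(q) - 1 <= bound
    found = [len(S(monomial((k + 1) * p - 1), b, p)) - 1 for k in range(bound + 1)]
    return inclusion, found, [k * p for k in range(bound + 1)]
```

For $p = 3$, $b = 2$ and $t = 10$, `lemma2_check` returns `(True, [0, 3, 6], [0, 3, 6])`: every $S(z^k)$ with $k \le 10$ is a polynomial in $R = z^3 - z$ of degree at most $\lfloor 8/3 \rfloor = 2$, and $S(z^2), S(z^5), S(z^8)$ have the distinct degrees $0, 3, 6$, so $\dim S(\mathbb{F}_{10}[z]) = 3 = \lfloor (t-p+1)/p \rfloor + 1$ exactly as in the proof.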