Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

Abstract

Polar codes discovered by Arikan form a very powerful family of codes attaining many information theoretic limits in the fields of error correction and source coding. They have in particular much better decoding capabilities than Goppa codes which places them as a serious alternative in the design of both a public-key encryption scheme à la McEliece and a very efficient signature scheme. Shrestha and Kim proposed in 2014 to use them in order to come up with a new code-based public key cryptosystem. We present a key-recovery attack that makes it possible to recover a description of the permuted polar code providing all the information required for decrypting any message.

Appendices

Proofs of the Results of Section 3

1.1 Proof of Proposition 2

In order to prove this result, we first prove a few lemmas about the partial order we introduced.

Lemma 2

For all f and g in \(\mathcal {M}\), \(f \preceq g\) if and only if \(\check{f} \succeq \check{g}\).

Proof

Let \(f=x_{i_1}\dots x_{i_s}\) and \(g=x_{j_1}\dots x_{j_t}\) with \(s\leqslant t\) and \(i_1 < \dots < i_s\), \(j_1<\dots <j_t\). Then we have two cases:

• if \(\deg f=\deg g\) then by definition of the order we have \(i_\ell \leqslant j_\ell \) for all \(j=1,\dots ,s\). Consider the \(\ell \)-th variable \(x_{i'_\ell }\) in the monomial \(\check{f}\) and the \(\ell \)-th variable \(x_{j'_\ell }\) in the monomial \(\check{g}\). Let us define

  $$\begin{aligned} \varphi (u)&\mathop {=}\limits ^{\text {def}}&\ell -1 + \#\{i_a:i_a \leqslant u\}\\ \gamma (u)&\mathop {=}\limits ^{\text {def}}&\ell -1 + \#\{j_a:j_a \leqslant u\} \end{aligned}$$

  Observe now that (i) since \(\varphi (u+1)\) is either equal to \(\varphi (u)\) or to \(\varphi (u)+1\) and since \(\varphi (0) \geqslant 0\), \(\varphi (m-1) \leqslant m-1\), there exists at least one u such that \(\varphi (u)=u\), (ii) when \(\varphi (u)=u\) this means that there exist exactly \(\ell \) variables \(x_b\) for b in \(\{0,1,\dots ,u\}\) that belong to the monomial \(\check{f}\). All this implies that \(i'_\ell \) is the smallest index u such that \(\varphi (u)=u\) (or what amounts to the same it is the smallest index u such that \(\varphi (u) \leqslant u\)). A similar property holds for \(j'_\ell \). In other words

  $$\begin{aligned} i'_\ell= & {} \min \{u: \varphi (u) \leqslant u\} \end{aligned}$$

  (2)
  $$\begin{aligned} j'_\ell= & {} \min \{u: \gamma (u) \leqslant u\} \end{aligned}$$

  (3)

  From the fact that \(j_a \geqslant i_a\) for all a in \(\{1,\dots ,s\}\) we have that for all indices u

  $$\begin{aligned} \varphi (u) \geqslant \gamma (u) \end{aligned}$$

  (4)

  On the other hand, we know that \(i'_\ell =\varphi (i'_\ell )\), where the righthand term is larger than or equal to \(\gamma (i'_\ell )\) by using (4). Therefore \(\gamma (i'_\ell ) \leqslant i'_\ell \), and by using (3) we deduce that \(j'_\ell \leqslant i'_\ell \).

• if \(\deg f<\deg g\) then by definition of the order: \(f \preceq g \Leftrightarrow \exists \; g_1\in \mathcal {M}\) s.t. \(g=g_1g_2\) with \(\deg g_1=\deg f\) and \(f \preceq g_1\). From the first case we deduce that \(\check{f} \succeq \check{g_1}\). On the other hand one checks immediately that \(\check{g_1} \succeq \check{g}\). From these two inequalities we deduce \(\check{f} \succeq \check{g}\).

Corollary 2

Let \(I \subseteq \mathcal {M}\) be a decreasing set then \(\mathcal {M}\setminus \check{I}\) is a decreasing set.

Proof

Let h be a monomial that belongs to \(\mathcal {M}\setminus \check{I}\), and let g be a monomial such that \(g \preceq h\). If \(g \notin \mathcal {M}\setminus \check{I}\) then it would mean that there exists \(f \in I\) such that \(g = \check{f}\). This means that \(\check{f} \preceq h\) and by using Lemma 2 we would get \(\check{h} \preceq \check{\check{f}}=f\). Since I is a decreasing set, \(\check{h} \in I\), that is to say, \(\check{{\check{h}}} = h \in \check{I}\) which contradicts the assumption. Therefore \(\mathcal {M}\setminus \check{I}\) is a decreasing set.

These lemmas can now be used to prove Proposition 2 that we recall below.

Proposition. Let \(\mathscr {C}(I)\) be a decreasing monomial code, then its dual is a decreasing monomial code given by

$$\begin{aligned} \mathscr {C}(I)^{\bot }=\mathscr {C}( \mathcal {M}\setminus \check{I}). \end{aligned}$$

Proof

As \(\left| \check{I}\right| =\left| I\right| \), we have \(\dim \mathscr {C}(\mathcal {M}\setminus \check{I}) = |\mathcal {M}| - |\check{I}| = |\mathcal {M}| - |I| = 2^m - \dim \mathscr {C}(I) =\dim \mathscr {C}(I)^{\bot }\), so we need to prove only one inclusion.

Let \(f \in \mathcal {M}\setminus \check{I}\) and consider \(g \in I\). Notice that

$$\begin{aligned} <\mathsf {ev}(f),\mathsf {ev}(g)> =<\mathsf {ev}(fg),\mathsf {ev}(1)> \end{aligned}$$

where \(<.,.>\) stands for the standard inner product in \(\{0,1\}^{2^m}\): \(<{\varvec{x}},{\varvec{y}}>=\sum _{i} x_i y_i\). Observe now that f g is a monomial and that the only monomial whose evaluation is not orthogonal (with respect to \(<,>\)) to the all 1 vector is the “full” monomial \(x_1 \dots x_m\). Assume now that we are in such a case: \(f g = x_1 \cdots {} x_m\). This means that \(\check{g}\) is a divisor of f. A divisor of a monomial is always smaller than or equal to this monomial with our definition of order. Therefore \(\check{g} \preceq f\). From Corollary 2 we know that \(\mathcal {M}\setminus \check{I}\) is a decreasing set and that this would imply \(\check{g} \in \mathcal {M}\setminus \check{I}\). This would imply that \(\check{\check{g}}=g\) would belong to \(\check{\mathcal {M}} \setminus \check{\check{I}}= \mathcal {M}\setminus I\). This would contradict the assumption that g belongs to I. Therefore we proved by contradiction that \(\mathscr {C}( \mathcal {M}\setminus \check{I}) \subseteq \mathscr {C}(I)^{\bot }\).

1.2 Proof of Theorem 1

Let us recall this theorem:

Theorem. The permutation group of a decreasing monomial code in m variables contains \({\mathbb {L T A}_{m}}\).

Proof

Let \(\mathscr {C}(I)\) be a decreasing monomial code and let \(\pi \) be in \({\mathbb {L T A}_{m}}\). Consider \({\varvec{x}}\) in \(\mathbb {F}_2^m\). Let \({\varvec{x}}' \mathop {=}\limits ^{\text {def}}\pi ({\varvec{x}})\). There exist binary numbers \(a_{ij}\) and \(\varepsilon _i\) such that for any i in \(\{0,\dots ,m-1\}\) we have

$$\begin{aligned} x'_i = x_i + \sum _{j<i} a_{ij} x_j + \varepsilon _i. \end{aligned}$$

An affine permutation \(\pi \) acts also in a natural way on monomials, with its action being defined by

$$\begin{aligned} \pi (x_{i_1}\dots x_{i_s}) \mathop {=}\limits ^{\text {def}}x'_{i_1}\dots x'_{i_s}. \end{aligned}$$

In other words the action of an affine permutation \(\pi \) on a monomial f is given by \(f \circ \pi \). Observe that this action is such that

$$\begin{aligned} \mathsf {ev}(f)^\pi = \mathsf {ev}(f \circ \pi ). \end{aligned}$$

Choose now a monomial f in I and use the observation above. We can expand \(f \circ \, \pi \) and verify that it is a sum of monomials that are smaller than f with respect to the order \(\preceq \) that we introduced. Since I is a decreasing set, then all these monomials belong to I as well and therefore we obviously have that \(\mathsf {ev}(f \circ \pi )\) is also in \(\mathscr {C}(I)\). \(\mathscr {C}(I)\) is therefore invariant by \(\pi \).

1.3 Proof of Proposition 3

Let \(\mathscr {C}(I)\) be a decreasing monomial code. Let us start by proving Point (i), namely that the minimum distance of \(\mathscr {C}(I)\) is equal to \(2^{m-{r_{+}}(\mathscr {C}(I))}\). This follows on the spot by noticing that \({r_{+}}\) is also the largest degree of a monomial in I. If we consider the evaluation of this monomial we obtain a codeword of weight \(2^{m-{r_{+}}(\mathscr {C}(I))}\). This implies that the minimum distance of \(\mathscr {C}(I)\) is smaller than or equal to this quantity. On the other hand, the minimum distance of \(\mathscr {C}(I)\) is larger than or equal to the minimum distance of \(\mathscr {R}({r_{+}},m)\) which is equal to \(2^{m-{r_{+}}(\mathscr {C}(I))}\) by using Theorem 2. This implies our claim.

Consider now the second point that we recall below

$$\begin{aligned} {r_{-}}(\mathscr {C}(I)^\perp )= & {} m-1- {r_{+}}(\mathscr {C}(I)) \end{aligned}$$

(5)

$$\begin{aligned} {r_{+}}(\mathscr {C}(I)^\perp )= & {} m-1- {r_{-}}(\mathscr {C}(I)) \end{aligned}$$

(6)

This follows immediately from Proposition 2: \(\mathscr {C}(I)^\perp =\mathscr {C}(\mathcal {M}\setminus \check{I})\) and the alternative definitions of \({r_{-}}(\mathscr {C}(I)^\perp )\) and of \({r_{+}}(\mathscr {C}(I)^\perp )\) which are respectively the largest degree r such that all monomials of degree r are monomials in \(\mathcal {M}\setminus \check{I}\) and the largest degree of a monomial that belongs to \(\mathcal {M}\setminus \check{I}\).

The third point, namely that the minimum distance of \(\mathscr {C}(I)^\perp \) is equal to \(2^{{r_{-}}(\mathscr {C}(I))+1}\) is a straightforward of Point(i) applied to the monomial code \(\mathscr {C}(I)^\perp \) and by using (6).

1.4 Proof of Proposition 3

Here we want to prove that any minimum weight codeword \({\varvec{c}}\) in a decreasing monomial code \(\mathscr {C}(I)\) can be written as \({\varvec{c}}= \mathsf {ev}(f)^\pi \) where f is a monomial in I and \(\pi \) an element of \({\mathbb {L T A}_{m}}\).

Note that from Proposition 3 we know that a minimum weight codeword of \(\mathscr {C}(I)\) is also a minimum codeword of \(\mathscr {R}({r_{+}}(\mathscr {C}(I)),m)\). For simplicity we will simply write \({r_{+}}\) for \({r_{+}}(\mathscr {C}(I))\) from now on. By using Theorem 2, we know that \({\varvec{c}}\) can be written as the evaluation of the product of \({r_{+}}\) independent affine forms \(x'_0 \mathop {=}\limits ^{\text {def}}\varepsilon _0 + \sum _j a_{0j} x_j\),\(\cdots \), \(x'_{{r_{+}}-1} \mathop {=}\limits ^{\text {def}}\varepsilon _{{r_{+}}-1} +\sum _{j} a_{{r_{+}}-1,j} x_j\) where the \(\varepsilon _i\)’s are elements of the binary field \(\mathbb {F}_2\). We claim now that there are \({r_{+}}\) independent affine forms \(x''_0,\dots ,x''_{{r_{+}}-1}\) such that:

1. (i)

   \(\mathsf {ev}(x'_0\dots x'_{{r_{+}}-1})=\mathsf {ev}(x''_0\dots x''_{{r_{+}}-1})\),

2. (ii)

   for all \(i \in \{0,\dots ,{r_{+}}-1\}\) we have that the \(x"_i\)’s can be written as \(\varepsilon '_i +\sum _{j < \varphi (i)} a'_{\varphi (i),j} x_j\), where \(\varphi \) is some permutation of \(\{0,1,\dots ,m-1\}\) and the \(\varepsilon '_i\)’s and \(a'_{\varphi (i),j}\) are binary.

This is easy to check by considering the affine form \(x'_i\) that involves the “largest” variable \(x_j\) (the one consisting of the largest index j). Let \(x_{j_0}\) be this variable. We may assume without loss of generality that this is \(x'_0\). We can check now that

$$\begin{aligned} \mathsf {ev}(x'_0 x'_1 \dots x'_{{r_{+}}-1}) = \mathsf {ev}(x'_0 x'''_1 \dots x'''_{{r_{+}}-1}) , \end{aligned}$$

where \(x'''_i= x'_i - x'_0-1\) if \(x'_i\) involves the variable \(x_{j_0}\) and \(x'''_i=x'_i\) otherwise. Observe now that the \({r_{+}}-1\) affine forms \(x'''_1, \dots , x'''_{{r_{+}}-1}\) involve only variables \(x_j\) which are such that \(j < j_0\). We can carry on this process with these \({r_{+}}-1\) (independent) affine forms \(x""_1,\dots ,x'''_{{r_{+}}-1}\) by considering the variable \(x_j\) which is the largest among the variables that are involved in these affine forms and so on and so forth. We end up with \({r_{+}}\) affine forms \(x''_0,\dots ,x''_{{r_{+}}-1}\) which have exactly the aforementioned properties (i) and (ii). Consider the monomial \(x_{j_0}\dots x_{j_{{r_{+}}-1}}\) which is the product of the “largest” variable \(x_j\) in each of these \(x"_i\)’s. This monomial has to belong to I and we obviously have \(\mathsf {ev}(x"_0\dots x"_{{r_{+}}-1})=\mathsf {ev}(\pi (x_{j_0}\dots x_{j_{{r_{+}}-1}}))\) for some \(\pi \) in \({\mathbb {L T A}_{m}}\). This proves our theorem.

Proof of the Results of Section 4

1.1 Proof of Theorem 4

We will first begin this proof by proving a general result about the dual of shortened monomial codes.

Lemma 3

Let \(\mathscr {C}(I)\) be a decreasing monomial code and \(g \in I\). Let \(\mathsf {supp}(g)\) be the support of \(\mathsf {ev}(g)\). We denote by \(E\left( {\mathcal {S}}_{\mathsf {supp}(g)}\left( \mathscr {C}(I)\right) \right) ^\bot \) the dual of the shortened code in \(\mathsf {supp}(g)\) that we have extended by zeros in the positions in which we have shortened the code. Then

$$\begin{aligned} E\left( {\mathcal {S}}_{\mathsf {supp}(g)}\left( \mathscr {C}(I)\right) \right) ^\bot =\{\mathsf {ev}((1+g)f):f \in \mathcal {M}\setminus \check{I}\} \end{aligned}$$

Proof

Recall that we have

$$\begin{aligned} \left( {\mathcal {S}}_{\mathsf {supp}(g)}\left( \mathscr {C}(I)\right) \right) ^\perp = {\mathcal {P}}_{\mathsf {supp}(g)}\left( \mathscr {C}(I)^\perp \right) \end{aligned}$$

We know that \(\mathscr {C}(I)^\perp =\mathscr {C}(\mathcal {M}\setminus \check{I})\). The lemma follows from this and the fact the \(\mathsf {ev}(1+g)\) takes value 1 on the complementary of \(\mathsf {supp}(g)\) and 0 on \(\mathsf {supp}(g)\).

The following notation turns out to be convenient.

Notation 2

For a monomial \(g=x_{i_1}\dots x_{i_s}\), its set of indices \(\text {Ind}(g)\) is given by \(\{i_1,\dots ,i_s\}\) and its intersection \(g \wedge h\) with a monomial h is given by

$$\begin{aligned} g \wedge h \mathop {=}\limits ^{\text {def}}\Pi _{i \in \text {Ind}(g) \cap \text {Ind}(h)} x_i. \end{aligned}$$

We will also need the following result that is only a slight generalization of [Mn07, Proposition 6, p. 69] (and our proof will follow closely the proof of this proposition).

Lemma 4

Let g be some monomial of degree \(s \geqslant 1\). Denote by \(\mathsf {supp}(g)\) the support of \(\mathsf {ev}(g)\), then the minimum distance of \(\left( {\mathcal {S}}_{\mathsf {supp}(g)}\left( \mathscr {C}(I)\right) \right) ^\bot \) is greater than or equal to \(2^{{r_{-}}}\). If the minimum distance is equal to \(2^{{r_{-}}}\) then there exists a monomial h in \(\mathcal {M}\setminus \check{I}\) such that

1. (i)

   the number of variables of \(h \wedge g\) is \(s-1\),

2. (ii)

   the number of variables of \(h \wedge \check{g}\) is \(m-{r_{-}}-s\).

Proof

Let us take a nonzero codeword of \(\mathscr {C}(I)^\bot \), say that is the evaluation of some polynomial f, which is in this case of degree at most \(m-1-{r_{-}}\). Write \(f=\sum _j m_j\) as a sum of monomials. Then \(\tilde{f} \mathop {=}\limits ^{\text {def}}\sum _{j: g \not \mid m_j} m_j\) is defined as the polynomial where we have removed from the monomial expression of f all monomials that are divisible by g. Since \(({\mathcal {S}}_{\mathsf {supp}(g)}\left( \mathscr {C}(I)\right) )^\bot ={\mathcal {P}}_{\mathsf {supp}(g)}\left( \mathscr {C}(I)^\perp \right) \), we want to prove that the evaluation of f on \(\{0,1\}^m \setminus \mathsf {supp}(g)\) is either zero or of weight \(\geqslant 2^{{r_{-}}}\). Notice that the evaluation on \(\{0,1\}^m \setminus \mathsf {supp}(g)\) coincides with the evaluation of \(\tilde{f}\).

Let us assume that \(g=x_0 \dots x_{s-1}\). With this choice, let us pick a monomial of \(\tilde{f}\) that has maximum degree in \(x_s,\dots ,x_{m-1}\). Let d be this degree (in \(x_s,\dots ,x_{m-1}\)). \(\tilde{f}\) can be written as

$$\begin{aligned} \tilde{f} = m u(x_0,\dots ,x_{s-1}) + v(x_0,\dots ,x_{m-1}), \end{aligned}$$

where m is a monomial of degree d in \(x_s,\dots ,x_{m-1}\). We take here in the monomials whose sum is equal to \(\tilde{f}\) all monomials that are divisible by m and u is just the sum of these monomials divided by m. Let \(d'\) be the degree of u which is necessarily smaller than s since \(\tilde{f}\) does not contain any monomial divisible by g.

Notice that \(u(x_0 \dots x_{s-1})\) is non zero in at least \(2^{s-d'}-1\) entries if we do not count the \((1,\dots ,1)\) entry, since its evaluation is a codeword of \(\mathscr {R}(d',s)\).

Call a “block” the set of points \((x_0,\dots ,x_{m-1})\) which take a prescribed value on \(x_0,\dots ,x_{s-1}\). The support \(\mathsf {supp}(g)\) of g corresponds to the block \(x_0=1,\dots ,x_{s-1}=1\). Notice that the weight of \(\mathsf {ev}(\tilde{f})\) restricted to a block (with the exception of the block \(x_0=1,\dots ,x_{s-1}=1\)) is at least \(2^{m-s-d}\), since this restriction is a codeword of \(\mathscr {R}(d,m-s)\). In other words the weight of \(\mathsf {ev}(\tilde{f}(1+g))\) is lower-bounded by

$$\begin{aligned} |\mathsf {ev}(\tilde{f})(1+g)| \geqslant 2^{m-s-d}(2^{s-d'}-1) \geqslant 2^{m-s-d}2^{s-d'}\frac{1}{2} = 2^{m-d-d'-1}. \end{aligned}$$

Notice that we have \(d+d' \leqslant m - {r_{-}}-1\) and therefore we finally obtain

$$\begin{aligned} |\mathsf {ev}(\tilde{f})| \geqslant 2^{m-(m-{r_{-}}-1)-1}=2^{{r_{-}}}. \end{aligned}$$

This proves the statement about the minimum distance in this case. A quick inspection of this proof shows that the only fact we used on g was that is is different from 1 (the particular form of g was only here to simplify notation), and therefore it also holds for all monomials g different from 1.

Assume now that the minimum distance of \(\left( {\mathcal {S}}_{\mathsf {supp}(g)}\left( \mathscr {C}(I)\right) \right) ^\bot \) is equal to \(2^{{r_{-}}}\). By a quick inspection of this proof this means that \(\deg u=s-1\) and \(\deg m=m-{r_{-}}-1-(s-1)=m-{r_{-}}-s\). Write u as a set of monomials \(u=\sum _j m'_j\) and choose \(m'\) as any monomial in this sum that is of degree \(s-1\). Obviously \(h \mathop {=}\limits ^{\text {def}}m m'\) is a monomial of degree \(s-1+m-{r_{-}}-s=m-{r_{-}}-1\) that appears as a monomial in the sum \(f = \sum _j m_j\). Therefore h is in \(\mathcal {M}\setminus \check{I}\). Such an h has the aforementioned form.

We will now use this to prove Theorem 4. We recall its statement below.

Theorem. Let \(g=x_{i_1}\dots x_{i_{{r_{+}}}}\) be a monomial of degree \({r_{+}}\) in I. Denote by \(\mathsf {supp}(g)\) the support of \(\mathsf {ev}(g)\), then the minimum distance of \(\left( {\mathcal {S}}_{\mathsf {supp}(g)}\left( \mathscr {C}(I)\right) \right) ^\bot \) is equal to \(2^{{r_{-}}}\) if and only if there exists a monomial h in \(\mathcal {M}\setminus \check{I}\) such that:

(i) :

the number of variables of h that are also variables of g is \({r_{+}}-1\),

(ii) :

the number of variables of h that are also variables of \(\check{g}\) is \(m-{r_{-}}-{r_{+}}\).

Proof

First of all let us notice that the minimum distance of \(E\left( {\mathcal {S}}_{\mathsf {supp}(g)}\left( \mathscr {C}(I)\right) \right) ^\bot \) is the same as the minimum distance of \(\left( {\mathcal {S}}_{\mathsf {supp}(g)}\left( \mathscr {C}(I)\right) \right) ^\bot \). From Lemma 3 we know that any codeword in the first code can be written as \(\mathsf {ev}((1+g)f))\) where f is polynomial which is a linear combination of monomials in \(\mathcal {M}\setminus \check{I}\). Consider now that there is a monomial h satisfying the conditions above. Let us prove that the weight of \(\mathsf {ev}((1+g)h)\) is equal to \(2^{{r_{-}}}\). Let \(i_0\) be the only index that is in \(\text {Ind}(g)\) but not in \(\text {Ind}(g \wedge h)\). Observe now that

$$\begin{aligned} (1+g)h= & {} (1+x_{i_1}\dots x_{i_{{r_{+}}}})\prod \limits _{i \in \text {Ind}{g \wedge h}}x_i \prod \limits _{i \in \text {Ind}(\check{g} \wedge h)}x_i \\= & {} (1+x_{i_0}) \prod \limits _{i \in \text {Ind}{g \wedge h}} x_i \prod \limits _{i \in \text {Ind}(\check{g} \wedge h)}x_i \\= & {} (1+x_{i_0})h. \end{aligned}$$

Thus

$$\begin{aligned} |\mathsf {ev}((1+g)h))|=|(\mathsf {ev}((1+x_{j_0})h)|=2^{m-(m-{r_{-}}-1+1)}=2^{{r_{-}}}. \end{aligned}$$

By using the lower-bound on the minimum distance coming from Lemma 4 we obtain that the minimum distance of \(\left( {\mathcal {S}}_{\mathsf {supp}(g)}\left( \mathscr {C}(I)\right) \right) ^\bot \) is equal to \(2^{{r_{-}}}\).

Assume now that the minimum distance of \(\left( {\mathcal {S}}_{\mathsf {supp}(g)}\left( \mathscr {C}(I)\right) \right) ^\bot \) is equal to \(2^{{r_{-}}}\), then we can use Lemma 4 and obtain the aforementioned claim.

1.2 Proof of Proposition 4

Proposition. \(W_{\text {min}}^\pi \) is invariant by the action of \(\pi ^{-1} {\mathbb {L T A}_{m}}\pi \) and if \(\varSigma \) is a signature for \(W_{\text {min}}\) under the action of \({\mathbb {L T A}_{m}}\), then it is also a signature for the action of \(\pi ^{-1} {\mathbb {L T A}_{m}}\pi \) on \(W_{\text {min}}^\pi \).

Proof

The invariance of \(W_{\text {min}}^\pi \) follows from the fact that (i) \({\mathbb {L T A}_{m}}\) is a subgroup of the permutation group of \(\mathscr {C}(I)\) by Theorem 1 and (ii) this implies that \(\pi ^{-1} {\mathbb {L T A}_{m}}\pi \) is a subgroup of the permutation group of \(\mathscr {C}(I)^\pi \) by Proposition 1. For the second part, it suffices to prove that \(\varSigma \) takes different values on the orbits of \(W_{\text {min}}^\pi \) under the action of \(\pi ^{-1} {\mathbb {L T A}_{m}}\pi \). Consider two elements \({\varvec{x}}^\pi \) and \({\varvec{y}}^\pi \) that belong to two different orbits. They are the permuted versions of \({\varvec{x}}\) and \({\varvec{y}}\) which belong to different orbits of \(W_{\text {min}}\). If this were not the case we would have \({\varvec{x}}= {\varvec{y}}^\gamma \) for \(\gamma \) in \({\mathbb {L T A}_{m}}\). However this would imply that \({\varvec{x}}^\pi ={\varvec{y}}^{\gamma \pi }={\varvec{y}}^{\pi \pi ^{-1} \gamma \pi }=({\varvec{y}}^\pi )^{\pi ^{-1}\gamma \pi }\) and this would imply that \({\varvec{x}}^\pi \) and \({\varvec{y}}^\pi \) would be in the same orbit under the action of \(\pi ^{-1} {\mathbb {L T A}_{m}}\pi \). We finish the proof by observing that

$$\begin{aligned} \varSigma ({\varvec{x}}^\pi ,\mathscr {C}(I)^\pi )= & {} \varSigma ({\varvec{x}},\mathscr {C}(I))\\ \varSigma ({\varvec{y}}^\pi ,\mathscr {C}(I)^\pi )= & {} \varSigma ({\varvec{y}},\mathscr {C}(I)) \end{aligned}$$

Therefore \(\varSigma ({\varvec{x}}^\pi ,\mathscr {C}(I)^\pi )\) and \(\varSigma ({\varvec{y}}^\pi ,\mathscr {C}(I)^\pi )\) are different since \(\varSigma ({\varvec{x}},\mathscr {C}(I))\) and \(\varSigma ({\varvec{y}},\mathscr {C}(I))\) are different.

1.3 Proof of Proposition 5

Proposition. The orbit of \({\varvec{c}}_{\text {min}}\) under \({\mathbb {L T A}_{m}}\) consists of \(2^{r_{+}}\) codewords that are of the form \({\varvec{c}}_{\text {min}}(\varepsilon _0,\dots ,\varepsilon _{{r_{+}}-1})\) where the \(\varepsilon _i\) ’s are arbitrary element of \(\mathbb {F}_2\). The orbit of \({\varvec{c}}_{\text {min}}^\pi \) under \(\pi ^{-1} {\mathbb {L T A}_{m}}\pi \) is given by \(2^{r_{+}}\) codewords of weight \(2^{m-{r_{+}}}\) that have disjoint supports which are the permuted versions \(A(\varepsilon _0,\dots ,\varepsilon _{{r_{+}}-1})^\pi \) of the affine spaces \(A(\varepsilon _0,\dots ,\varepsilon _{{r_{+}}-1})\).

Proof

Let f be the monomial \(x_0 \dots x_{{r_{+}}-1}\) (i.e. \({\varvec{c}}_{\text {min}}=\mathsf {ev}(f)\)). Under the action of \(\pi \) in \({\mathbb {L T A}_{m}}\) this monomial is transformed into \(x'_0 \dots x'_{{r_{+}}-1}\) where \(x'_i = \varepsilon _i + x_i + \sum _{j<i} a_{ij} x_j\) where the \(\varepsilon _i\)’s and the \(a_{ij}\)’s are binary. The support of such a monomial is given by the affine space \(x'_0=1,\dots ,x'_{{r_{+}}-1}=1\), but this is readily seen to be an affine space of the form \(x_0=\varepsilon _0',\dots ,x_{{r_{+}}-1}=\varepsilon _{{r_{+}}-1}'\) where the \(\varepsilon _i'\)’s are binary. This implies the first claim. The claim on the orbit of \({\varvec{c}}_{\text {min}}^\pi \) follows from the fact that for any \(\gamma \in {\mathbb {L T A}_{m}}\) we have

$$\begin{aligned} ({\varvec{c}}_{\text {min}}^\pi )^{\pi ^{-1} \gamma \pi } = ({\varvec{c}}_{\text {min}}^\gamma )^\pi . \end{aligned}$$