Finite Fields and Their Applications 14 (2008) 593–614
http://www.elsevier.com/locate/ffa
On the cycle structure of permutation polynomials
Ayça Çeşmelioğlu, Wilfried Meidl, Alev Topuzoğlu*
Sabancı University, MDBF, Orhanlı, 34956 Tuzla, İstanbul, Turkey
Received 12 April 2007; revised 4 August 2007
Available online 1 October 2007
Communicated by Gary L. Mullen
Abstract
Any permutation of a finite field $\mathbb{F}_q$ can be represented by a polynomial
$$P_n(x) = \bigl(\cdots + \bigl((a_0x + a_1)^{q-2} + a_2\bigr)^{q-2} + \cdots + a_n\bigr)^{q-2} + a_{n+1},$$
for some $n \ge 0$. $P_0$ is linear and the cycle structure of $P_1$ is known. In this work we present the cycle structure of the polynomials $P_2(x)$ and $P_3(x)$ completely and give methods for constructing $P_n(x)$ with full cycle, for arbitrary $n \ge 1$.
© 2007 Elsevier Inc. All rights reserved.
Keywords: Permutation polynomials of finite fields; Cycle structure; Inversive generators
1. Introduction
Let $p$ be an odd prime, $r \ge 1$ a positive integer and $\mathbb{F}_q$ be the finite field with $q = p^r$ elements. As usual, $S_q$ denotes the symmetric group on $q$ letters.

We recall that under the operation of composition and reduction modulo $x^q - x$, the set of permutation polynomials of $\mathbb{F}_q$ of degree $\le q-1$ forms a group, which is isomorphic to $S_q$. This isomorphism naturally motivates the study of the cycle structure of permutation polynomials. We refer the reader to [9] and [12] for a detailed exposition of permutation polynomials of finite fields. For the cycle structure of monomials and of Dickson polynomials we refer to [1] and [10], respectively. See also [6] for recent results on related problems concerning repeated squaring in $\mathbb{F}_p$.
*Corresponding author.
E-mail addresses: cesmelioglu@su.sabanciuniv.edu (A. Çeşmelioğlu), wmeidl@sabanciuniv.edu (W. Meidl), alev@sabanciuniv.edu (A. Topuzoğlu).
1071-5797/$ – see front matter © 2007 Elsevier Inc. All rights reserved.
doi:10.1016/j.ffa.2007.08.003
L. Carlitz observed in 1953 that any transposition $(0\ a)$ for $a \in \mathbb{F}_q^*$ can be represented by the polynomial
$$p_a(x) = -a^2\Bigl(\bigl((x-a)^{q-2} + a^{-1}\bigr)^{q-2} - a\Bigr)^{q-2}, \qquad (1)$$
and hence $S_q$ is generated by the linear polynomials $ax + b$, for $a, b \in \mathbb{F}_q$, $a \ne 0$, and $x^{q-2}$, see [3].
Now consider the permutation polynomials in $\mathbb{F}_q[x]$ which are of the form
$$P_n(x) = \bigl(\cdots + \bigl((a_0x + a_1)^{q-2} + a_2\bigr)^{q-2} + \cdots + a_n\bigr)^{q-2} + a_{n+1}, \quad n \ge 1, \qquad (2)$$
where $a_i \ne 0$ for $i = 0, 2, \ldots, n$. Note that $p_a(x) = P_3(x)$ for a suitable choice of parameters $a_0, a_1, \ldots, a_4$, and the composition of $P_n$ and $P_m$ is $P_k$ for some $k \le n+m$ and $n, m \ge 1$. Hence any element in $S_q$, i.e. any permutation (or permutation polynomial) of $\mathbb{F}_q$, can be represented by a polynomial (2), for some $n \ge 1$.

Defining $P_0(x) = a_0x + a_1$, we can also express (2) as $P_n(x) = (P_{n-1}(x))^{q-2} + a_{n+1}$ for $n \ge 1$. Since it is more convenient to treat the cases $a_{n+1} = 0$ and $a_{n+1} \ne 0$ separately, we write $\bar P_n(x)$ for the polynomial (2) when $a_{n+1} \ne 0$, and reserve the undecorated $P_n(x)$ for the case $a_{n+1} = 0$. For the polynomial
$$\bar P_n(x) = \bigl(\cdots + \bigl((a_0x + a_1)^{q-2} + a_2\bigr)^{q-2} + \cdots + a_n\bigr)^{q-2} + a_{n+1}$$
we put
$$\bar r_n(x) = \bigl(\cdots + \bigl((a_0x + a_1)^{-1} + a_2\bigr)^{-1} + \cdots + a_n\bigr)^{-1} + a_{n+1},$$
and considering its continued fraction expansion
$$a_{n+1} + \cfrac{1}{a_n + \cfrac{1}{\cdots + a_2 + \cfrac{1}{a_0x + a_1}}},$$
we form the $n$th convergent
$$\bar R_n(x) = \frac{\alpha_{n+1}x + \beta_{n+1}}{\alpha_n x + \beta_n}, \qquad (3)$$
where
$$\alpha_k = a_k\alpha_{k-1} + \alpha_{k-2} \quad\text{and}\quad \beta_k = a_k\beta_{k-1} + \beta_{k-2}, \qquad (4)$$
for $k \ge 2$ and $\alpha_0 = 0$, $\alpha_1 = a_0$, $\beta_0 = 1$, $\beta_1 = a_1$. Note that $\alpha_k$ and $\beta_k$ cannot both be zero.

For the polynomial $P_n(x)$ we define the corresponding functions $r_n(x)$ and $R_n(x)$ similarly, i.e.
$$R_n(x) = \frac{\alpha_{n-1}x + \beta_{n-1}}{\alpha_n x + \beta_n}.$$
Consider the set $O_n$ of poles:
$$O_n = \Bigl\{x_i : x_i = -\frac{\beta_i}{\alpha_i},\ i = 1, \ldots, n\Bigr\} \subset \mathbb{P}^1(\mathbb{F}_q) = \mathbb{F}_q \cup \{\infty\}, \qquad (5)$$
Page 3
A. Çe¸ smelio˘ glu et al. / Finite Fields and Their Applications 14 (2008) 593–614
595
where the elements of $O_n$ are not necessarily distinct. Obviously $R_n(x) = P_n(x)$ and $\bar R_n(x) = \bar P_n(x)$ for $x \in \mathbb{F}_q \setminus O_n$.

Now we define the function $\bar F_n(x)$ by $\bar F_n(x) = \bar R_n(x)$ for $x \ne x_n$ and $\bar F_n(x_n) := \alpha_{n+1}/\alpha_n$ when $x_n \in \mathbb{F}_q$. With $F_n(x)$ defined similarly (with $F_n(x_n) := \alpha_{n-1}/\alpha_n$), we put $F_n(x) = \bar F_n(x)$ if $a_{n+1} \ne 0$, and keep $F_n(x)$ if $a_{n+1} = 0$. It is easy to check that $F_n$ is a permutation of $\mathbb{F}_q$.

The next lemma describes the relation between the values of $P_n$ and $F_n$ when the poles are distinct elements of $\mathbb{F}_q$.

Lemma 1. Suppose that the poles $x_1, x_2, \ldots, x_n$ defined by (5) are in $\mathbb{F}_q$ and distinct. Then
$$P_n(x_i) = \begin{cases} F_n(x_{i-1}) & \text{for } 2 \le i \le n,\\ F_n(x_n) & \text{for } i = 1 \end{cases} \qquad (6)$$
for all $n \ge 2$. We can therefore express the permutation $P_n = P_n(x)$ as a product of the $n$-cycle $(F_n(x_{n-1}) \cdots F_n(x_1)\, F_n(x_n))$ with the permutation $F_n(x)$, i.e.
$$P_n(x) = \bigl(F_n(x_{n-1}) \cdots F_n(x_1)\, F_n(x_n)\bigr)\, F_n(x)$$
(multiplying in right-to-left order).

Proof. The assertion follows easily by induction. Clearly, $P_2(x_1) = F_2(x_2)$ and $P_2(x_2) = F_2(x_1)$. For the rest of the proof we focus on $P_n$; the case $a_{n+1} \ne 0$ can be dealt with similarly. Assuming that $P_{n-1}(x_i) = F_{n-1}(x_{i-1})$ for $2 \le i \le n-1$, we get
$$P_n(x_i) = \bigl(P_{n-1}(x_i) + a_n\bigr)^{q-2} = \bigl(F_{n-1}(x_{i-1}) + a_n\bigr)^{q-2} = \frac{\alpha_{n-1}x_{i-1} + \beta_{n-1}}{\alpha_n x_{i-1} + \beta_n} = F_n(x_{i-1})$$
for $2 \le i \le n-1$. Since all the poles in $O_n$ are distinct, the pole $x_n$ is not in $O_{n-1}$ and hence $P_{n-1}(x_n) = F_{n-1}(x_n)$. Therefore, for $x = x_n$, we have
$$P_n(x_n) = \bigl(P_{n-1}(x_n) + a_n\bigr)^{q-2} = \bigl(F_{n-1}(x_n) + a_n\bigr)^{q-2} = 0 = \frac{\alpha_{n-1}x_{n-1} + \beta_{n-1}}{\alpha_n x_{n-1} + \beta_n} = F_n(x_{n-1}).$$
Finally, with the assumption that $P_{n-1}(x_1) = F_{n-1}(x_{n-1})$, $P_n(x_1) = \alpha_{n-1}/\alpha_n = F_n(x_n)$ follows by induction as above. Equation (6) is immediate now, since $P_n$ and $F_n$ differ only at the poles. □
The cycle structure of $P_n$ is therefore closely related to that of $F_n$. The cycle decomposition of $F_n$ in turn can be determined, essentially, by using the results of Chou [5], where the cycle structure of the permutation known as the inversive pseudorandom number generator is given. Note that this particular permutation is $P_1$ with $a_1 = 0$. Results regarding permutations defined by rational transformations are presented in Section 2.

Sections 3 and 4 of this work focus on the cycle structure of the permutations $P_2$ and $P_3$, while Section 5 deals with $P_n$ for arbitrary $n \ge 1$. Two methods of construction of $P_n$ with full cycle are presented.
2. Cycle structure of permutations defined by rational transformations

Theorem 2 below can be found in [5]. Here the result is expressed in a slightly generalized form, easily adaptable to various cases which arise in Sections 3 and 4. We present the proof of Theorem 2 not only to fix the notation that we use in the rest of this work, but also because our proof is somewhat simpler than that given in [5].

Let
$$R(x) = \frac{ax + b}{cx + d} \in \mathbb{F}_q(x), \quad c \ne 0, \qquad (7)$$
be a nonconstant rational transformation. We consider the permutation
$$F(x) = \begin{cases} R(x) & \text{if } x \ne -d/c,\\ a/c & \text{if } x = -d/c \end{cases} \qquad (8)$$
of $\mathbb{F}_q$. In what follows,
$$A = \begin{pmatrix} a & b\\ c & d \end{pmatrix}$$
denotes the matrix in $GL(2,q)$ associated with $R(x)$ in (7) (or $F(x)$ in (8)). Depending on the nature of the characteristic polynomial $f(x) = x^2 - \operatorname{tr}(A)x + \det(A)$ of $A$, we obtain the cycle decomposition of the permutation $F$.

For $s_0 \in \mathbb{F}_q$, $\tau \in S_q$ we put $s_n = \tau^n(s_0)$, where $\tau^n$ is the $n$th iterate of $\tau$, and $\tau^0(a) = a$ for $a \in \mathbb{F}_q$.

By the use of the matrix $A$, we define the sequences $(A_n)$ and $(B_n)$ over $\mathbb{F}_q$ by
$$\begin{pmatrix} A_{n+1}\\ B_{n+1} \end{pmatrix} = A \begin{pmatrix} A_n\\ B_n \end{pmatrix}, \quad A_0 = s_0,\ B_0 = 1, \qquad (9)$$
for $s_0 \in \mathbb{F}_q$. Putting $s_n = F^n(s_0)$, $n \ge 0$, we observe that $s_n = A_n/B_n$ if $B_m \ne 0$ for $0 \le m \le n$, and $s_n = A_{n+1}/B_{n+1}$ if $B_m \ne 0$ for $0 \le m \le n-1$ and $B_n = 0$. Suppose that the characteristic polynomial $f(x)$ of $A$ has roots $\alpha, \beta \in \mathbb{F}_{q^2}$. The recurrence relations concerning $A_n, B_n$ given by (9) yield
$$\frac{A_n}{B_n} = -\frac{d}{c} + \frac{\alpha^{n+2} - \beta^{n+2} + (cs_0 - a)(\alpha^{n+1} - \beta^{n+1})}{c\,[\alpha^{n+1} - \beta^{n+1} + (cs_0 - a)(\alpha^n - \beta^n)]} \qquad (10)$$
when $B_n \ne 0$ and $\alpha \ne \beta$. For $\alpha = \beta$ and $B_n \ne 0$ we obtain
$$\frac{A_n}{B_n} = -\frac{d}{c} + \frac{(n+2)\alpha^2 + (cs_0 - a)(n+1)\alpha}{c\,[(n+1)\alpha + (cs_0 - a)n]}. \qquad (11)$$
Now we state and prove the result on the cycle decomposition of the permutation (8). In what follows, $\operatorname{ord}(z)$ denotes the order of an element $z$ in the multiplicative group of $\mathbb{F}_{q^2}$.
We also use the following notation concerning the cycle decomposition of permutations $\tau$ of $\mathbb{F}_q$ (or $\tau \in S_q$). Consider a permutation $\tau$ of $\mathbb{F}_q$ which can be expressed as a product of disjoint cycles (or which is of the type)
$$\tau = \tau^{(1)}_1 \tau^{(1)}_2 \cdots \tau^{(1)}_{n_1}\, \tau^{(2)}_1 \tau^{(2)}_2 \cdots \tau^{(2)}_{n_2} \cdots \tau^{(s)}_1 \tau^{(s)}_2 \cdots \tau^{(s)}_{n_s}, \qquad (12)$$
where each $\tau^{(i)}_j$, $1 \le j \le n_i$, is a cycle of length $l_i$, $l_1 > l_2 > \cdots > l_s \ge 1$, $n_1l_1 + n_2l_2 + \cdots + n_sl_s = q$. We describe the cycle decomposition of a permutation of the type (12) by
$$T(\tau) = [n_1 \times l_1, n_2 \times l_2, \ldots, n_s \times l_s].$$

Theorem 2. Let $F$ be the permutation defined by (8), and let $f(x)$ be the characteristic polynomial of the matrix $A$ associated with $F$. Let $\alpha, \beta \in \mathbb{F}_{q^2}$ be the roots of $f(x)$.
(i) Suppose $f(x)$ is irreducible. If $k = \operatorname{ord}(\alpha/\beta) = \frac{q+1}{t}$, $1 \le t < \frac{q+1}{2}$, then $T(F) = [(t-1) \times k, 1 \times (k-1)]$. In particular $F$ is a full cycle if $t = 1$.
(ii) Suppose $\alpha, \beta \in \mathbb{F}_q$ and $\alpha \ne \beta$. If $k = \operatorname{ord}(\alpha/\beta) = \frac{q-1}{t}$, $t \ge 1$, then $T(F) = [(t-1) \times k, 1 \times (k-1), 2 \times 1]$.
(iii) Suppose $f(x) = (x-\alpha)^2$, $\alpha \in \mathbb{F}_q^* = \mathbb{F}_q \setminus \{0\}$, then $T(F) = [(p^{r-1}-1) \times p, 1 \times (p-1), 1 \times 1]$.
Proof. Let $s_n = F^n(s_0)$ for $s_0 \in \mathbb{F}_q$. Obviously a fixed point $s_0 \in \mathbb{F}_q$ of $F(x)$ yields a cycle of length one. Observe that the equation $s_0 = (as_0 + b)/(cs_0 + d)$, or equivalently $cs_0^2 + (d-a)s_0 - b = 0$, has two distinct solutions in $\mathbb{F}_q$ if the discriminant $D = a^2 - 2ad + d^2 + 4bc$ is a nonzero square in $\mathbb{F}_q$. We have exactly one solution if $D = 0$ and no solution if $D$ is a nonsquare in $\mathbb{F}_q$. Since the characteristic polynomial $f(x) = x^2 - \operatorname{tr}(A)x + \det(A)$ has the same discriminant $D$, we have two cycles of length one if $f(x)$ has two distinct roots in $\mathbb{F}_q$, one cycle of length one if $f(x)$ has a double root, and none if $f(x)$ is irreducible. In the case $\alpha \ne \beta$, $s_0 = a/c$, Eq. (10) implies
$$\frac{A_n}{B_n} = -\frac{d}{c} + \frac{\alpha^{n+2} - \beta^{n+2}}{c(\alpha^{n+1} - \beta^{n+1})}. \qquad (13)$$
Suppose that $\operatorname{ord}(\alpha/\beta) = k$. Then $n = k-1$ is the smallest integer such that $B_n = 0$. Together with (13) we have $s_{k-2} = -d/c$, $s_{k-1} = F(-d/c) = a/c = s_0$. Therefore the cycle containing $s_0 = a/c$ is of length $k-1$.

If $s_0$ is in a cycle which does not contain $a/c$, and hence $-d/c$, then $B_n \ne 0$ and $s_n = A_n/B_n$ for all $n \ge 0$. To determine the length of such a cycle we put $A_n/B_n = s_0$ in (10), and obtain the condition
$$(as_0 + b)(\alpha^n - \beta^n) = s_0(cs_0 + d)(\alpha^n - \beta^n).$$
Consequently we either have $n \equiv 0 \bmod k$ and thus the cycle has length $k$, or $as_0 + b = s_0(cs_0 + d)$ and $s_0$ is a fixed point of $F(x)$. This completes the proof of (i) and (ii).

If $\alpha = \beta$ and $s_0 = a/c$, (11) yields
$$\frac{A_n}{B_n} = -\frac{d}{c} + \frac{(n+2)\alpha}{c(n+1)}. \qquad (14)$$
It is easy to see that $n = p-2$ is the smallest integer satisfying $s_n = -d/c$. Hence with an argument similar to that used above, one can see that the cycle containing $s_0 = a/c$ is of length $p-1$. For $s_0 = (a-d)/(2c)$, which is the only fixed point of $F$, we obtain the cycle of length 1. This completes the proof for the case of a prime field. For $q = p^r$, $r > 1$, suppose that $s_0$ is not in the cycle of $a/c$ and it is not the fixed point $(a-d)/(2c)$. Then we have $s_n = A_n/B_n$ for all $n \ge 0$, and by setting $A_n/B_n = s_0$ in (11) we get
$$(as_0 + b)\,n = s_0(cs_0 + d)\,n,$$
and hence $n \equiv 0 \bmod p$, since $s_0$ is not the fixed point of $F(x)$. □

Remark. The rational function $R(x)$ in (7) above, with $a = a_2$, $b = a_0^{-1}$, $c = 1$, $d = 0$, gives rise to the permutation $F(x)$ in (8) which coincides with $P_1(x) = \bar P_1(x) = (a_0x)^{q-2} + a_2$. Chou focuses on this particular permutation in [5], since it is the well-known inversive pseudorandom number generator. Clearly, Theorem 2 also gives the cycle structure of the polynomials $\bar P_1(x) = (a_0x + a_1)^{q-2} + a_2$ and $P_1(x) = (a_0x + a_1)^{q-2}$ for arbitrary values of $a_0$, $a_1$, $a_2$.
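As an added illustration (not part of the paper), the following Python code evaluates $P_n$ of (2) and the associated permutation $F_n$ over a prime field $\mathbb{F}_p$, checks Lemma 1 of Section 1 numerically, and compares the cycle type of the permutation (8) with the prediction of Theorem 2. It restricts to $r = 1$, so that $x^{q-2}$ is the ordinary modular inverse with $0 \mapsto 0$. In cases (i) and (ii) of Theorem 2 it obtains $k = \operatorname{ord}(\alpha/\beta)$ as the least $k \ge 1$ for which $A^k$ is a scalar matrix; this is an assumption of the example (for $\alpha \ne \beta$ the two definitions agree, since $A^k$ is scalar exactly when $\alpha^k = \beta^k$) that avoids arithmetic in $\mathbb{F}_{p^2}$. The parameter lists and the prime used in the usage notes are constructed for the example.

```python
# Added example, not from the paper.  Prime field F_p only (r = 1), so x^(q-2)
# is the modular inverse with 0 -> 0.  A parameter list a = [a0, ..., a_{n+1}]
# describes P_n of (2); the paper requires a_i != 0 for i = 0, 2, ..., n.

def pinv(x, p):
    """x^(p-2) mod p: the inverse of x for x != 0, and 0 for x = 0."""
    return pow(x % p, p - 2, p)

def eval_Pn(a, x, p):
    """P_n(x) = (...((a0 x + a1)^(p-2) + a2)^(p-2) ... + a_n)^(p-2) + a_{n+1}."""
    y = (a[0] * x + a[1]) % p
    for ai in a[2:]:
        y = (pinv(y, p) + ai) % p
    return y

def convergents(a, p):
    """alpha_k, beta_k for k = 0..n+1 from recurrence (4) with
    alpha_0 = 0, alpha_1 = a0, beta_0 = 1, beta_1 = a1."""
    alpha, beta = [0, a[0] % p], [1, a[1] % p]
    for k in range(2, len(a)):
        alpha.append((a[k] * alpha[k - 1] + alpha[k - 2]) % p)
        beta.append((a[k] * beta[k - 1] + beta[k - 2]) % p)
    return alpha, beta

def poles(a, p):
    """x_i = -beta_i/alpha_i for i = 1..n, as in (5); None marks infinity."""
    alpha, beta = convergents(a, p)
    return [None if alpha[i] == 0 else (-beta[i] * pinv(alpha[i], p)) % p
            for i in range(1, len(a) - 1)]

def eval_Fn(a, x, p):
    """F_n(x): the convergent R_n, or bar R_n if a_{n+1} != 0, of (3), with the
    pole x_n sent to alpha_{n-1}/alpha_n (resp. alpha_{n+1}/alpha_n)."""
    n = len(a) - 2
    alpha, beta = convergents(a, p)
    top = n + 1 if a[n + 1] % p else n - 1
    den = (alpha[n] * x + beta[n]) % p
    if den == 0:                                   # x is the pole x_n
        return alpha[top] * pinv(alpha[n], p) % p
    return (alpha[top] * x + beta[top]) * pinv(den, p) % p

def cycle_type(perm):
    """Cycle lengths of a permutation given as a dict x -> perm(x), longest first."""
    seen, lengths = set(), []
    for start in perm:
        length, x = 0, start
        while x not in seen:
            seen.add(x)
            x, length = perm[x], length + 1
        if length:
            lengths.append(length)
    return sorted(lengths, reverse=True)

def check_lemma1(a, p):
    """True iff P_n equals the n-cycle (F_n(x_{n-1}) ... F_n(x_1) F_n(x_n))
    applied after F_n, as Lemma 1 states; False when its hypotheses
    (n >= 2, poles distinct and finite) do not hold."""
    n, xs = len(a) - 2, poles(a, p)
    if n < 2 or None in xs or len(set(xs)) != n:
        return False
    Fn = {x: eval_Fn(a, x, p) for x in range(p)}
    cyc = {Fn[xs[i]]: Fn[xs[i - 1]] for i in range(1, n)}   # F_n(x_i) -> F_n(x_{i-1})
    cyc[Fn[xs[0]]] = Fn[xs[n - 1]]                           # F_n(x_1) -> F_n(x_n)
    return all(eval_Pn(a, x, p) == cyc.get(Fn[x], Fn[x]) for x in range(p))

def mobius_perm(a, b, c, d, p):
    """The permutation F of (8): x -> (ax+b)/(cx+d), with -d/c -> a/c."""
    return {x: a * pinv(c, p) % p if (c * x + d) % p == 0
            else (a * x + b) * pinv(c * x + d, p) % p for x in range(p)}

def theorem2_type(a, b, c, d, p):
    """Cycle type of F predicted by Theorem 2 for q = p.  In cases (i), (ii)
    k = ord(alpha/beta) is found as the least k with A^k scalar (assumption of
    this example: equivalent to the F_{p^2} definition when alpha != beta)."""
    D = ((a + d) ** 2 - 4 * (a * d - b * c)) % p            # discriminant of f
    if D == 0:                                                # case (iii) with r = 1
        return sorted([p - 1, 1], reverse=True)
    M, k = (a % p, b % p, c % p, d % p), 1
    while not (M[1] == 0 and M[2] == 0 and M[0] == M[3]):     # until A^k is scalar
        M = ((M[0] * a + M[1] * c) % p, (M[0] * b + M[1] * d) % p,
             (M[2] * a + M[3] * c) % p, (M[2] * b + M[3] * d) % p)
        k += 1
    if pow(D, (p - 1) // 2, p) == 1:                          # case (ii): roots in F_p
        t, fixed = (p - 1) // k, [1, 1]
    else:                                                     # case (i): f irreducible
        t, fixed = (p + 1) // k, []
    return sorted([k] * (t - 1) + [k - 1] + fixed, reverse=True)
```

For instance, over $\mathbb{F}_{11}$ with $a = [1, 0, 1, 2]$ (so $P_2(x) = (x^9 + 1)^9 + 2$, poles $x_1 = 0$, $x_2 = 10$) `check_lemma1` returns True and `cycle_type` of $P_2$ is `[5, 2, 2, 1, 1]`; here $\bar f(x) = x^2 - 4x + 1$ has the roots $7, 8 \in \mathbb{F}_{11}$, $k = \operatorname{ord}(\alpha/\beta) = 5$, $t = 2$ and $\gamma^k = 1$, which is case (4) of Theorem 6 with $n = 2$. Over $\mathbb{F}_7$, `theorem2_type(1, 1, 1, 0, 7)` gives `[7]` (irreducible $f$, $k = 8$, $t = 1$: the map $x \mapsto 1 + 1/x$ is a full cycle), and `theorem2_type(0, 1, 1, 0, 7)` gives `[2, 2, 1, 1, 1]` for $x \mapsto 1/x$; both agree with `cycle_type(mobius_perm(...))`.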
We supplement this section by an enumeration result on the permutations $F$ of the type (8). In the following, $\phi$ denotes the Euler $\phi$-function.

Theorem 3. Let $F$ and $k$ be as in Theorem 2. Suppose $q \ge 5$. The number of distinct permutations $F$ with the given cycle decomposition is equal to $\phi(k)\frac{q-1}{2}q$ in the cases (i) and (ii) of Theorem 2, and is equal to $(q-1)q$ in the case (iii).

Proof. Without loss of generality we can assume that $c = 1$. We note that then the matrix $A$, with fixed characteristic polynomial $f(x) = x^2 - (a+d)x + (ad-b)$, is uniquely determined by the element $a \in \mathbb{F}_q$.

First we count the number of distinct permutations $F$ where $f(x)$ is irreducible and $k$ is a fixed divisor of $q+1$, $k \ne 2$. We recall that there are exactly $\phi(k)/2$ values $C \in \mathbb{F}_q$ giving an irreducible polynomial $g(x) = x^2 + Cx + 1 = (x-\gamma)(x-\gamma^{-1}) \in \mathbb{F}_q[x]$ which is of order $k$. The polynomials $f(x) = x^2 - Tx + D = (x-\alpha)(x-\beta) \in \mathbb{F}_q[x]$ with $(T^2/D) - 2 = -C$ are precisely the (irreducible) polynomials that satisfy $\alpha/\beta = \gamma$, see [4, Theorem 3]. Since $C \ne 2$ we have $q-1$ possibilities to choose $T$; the value of $D$ is then uniquely determined. Finally, once the characteristic polynomial is fixed, there are $q$ possible choices for $a$.

Now suppose that $k$ is a divisor of $q-1$ and $\gamma$ is one of the $\phi(k)$ elements in $\mathbb{F}_q$ with order $k$. Then there are exactly $(q-1)/2$ distinct polynomials $f(x) = (x-\alpha)(x-\beta) \in \mathbb{F}_q[x]$ with $\alpha/\beta = \gamma$.

The formula for the case (iii) immediately follows from the fact that there are $q-1$ polynomials of the form $f(x) = (x-\alpha)^2$, $\alpha \in \mathbb{F}_q^*$. □
Theorem 2 plays a central role in our study of the cycle structure of $P_n$, $n \ge 2$. The rational transformation $\bar R_n(x)$ in (3) is of the form $R(x)$ in (7), for $n \ge 1$, and hence one can associate to it the characteristic polynomial
$$\bar f(x) = \bar f(n,x) = x^2 - (\alpha_{n+1} + \beta_n)x + \alpha_{n+1}\beta_n - \beta_{n+1}\alpha_n, \qquad (15)$$
with $\alpha_k$, $\beta_k$, $k \ge 1$, as in (4). The cycle decomposition of $\bar F_n(x)$ then follows by Theorem 2, and the positioning of the poles $x_1, \ldots, x_n$ in the cycles of $\bar F_n$ determines the cycle structure of $\bar P_n$, by the use of Lemma 1. The same method works, of course, for $P_n(x)$ with
$$f(x) = f(n,x) = x^2 - (\alpha_{n-1} + \beta_n)x + \alpha_{n-1}\beta_n - \alpha_n\beta_{n-1}. \qquad (16)$$
We note here that Eqs. (10) and (11) above can also be expressed in the form
$$\frac{A_n}{B_n} = \frac{(\alpha^{n+1} - \beta^{n+1})s_0 - (\alpha^n - \beta^n)(ds_0 - b)}{\alpha^{n+1} - \beta^{n+1} + (\alpha^n - \beta^n)(cs_0 - a)}, \qquad (17)$$
$$\frac{A_n}{B_n} = \frac{(n+1)\alpha s_0 - n(ds_0 - b)}{(n+1)\alpha + n(cs_0 - a)}, \qquad (18)$$
which are sometimes more convenient to use in the following sections.
3. Cycle structure of $P_2$

Recall that
$$P_2(x) = \bigl((a_0x + a_1)^{q-2} + a_2\bigr)^{q-2} + a_3, \quad a_0a_2 \ne 0.$$
In accordance with the notation of Section 1, we have the poles $x_1 = -\frac{a_1}{a_0}$, $x_2 = -\frac{a_1a_2 + 1}{a_0a_2}$, and the corresponding rational function
$$R_2(x) = \frac{a_0(a_2a_3 + 1)x + a_1(a_2a_3 + 1) + a_3}{a_0a_2x + a_1a_2 + 1}.$$
The associated characteristic polynomial (15) becomes
$$\bar f(x) = x^2 - \bigl(a_0(a_2a_3 + 1) + a_1a_2 + 1\bigr)x + a_0. \qquad (19)$$
In what follows $C(\tau, x)$ is used to refer to the particular cycle of the permutation $\tau \in S_q$ which contains $x \in \mathbb{F}_q$. We denote the length of $C(\tau, x)$ by $\ell(\tau, x)$. We also make the convention that when we write $y = \tau^n(x)$, the exponent $n$ is chosen to be minimal.

Lemma 4. Let $F$ be a permutation of $\mathbb{F}_q$, $u, v \in \mathbb{F}_q$ and $P = (u\ v)F$.
(a) If $u = F^n(v)$ and $\ell(F, v) = l$, then $u \notin C(P, v)$, $\ell(P, v) = n$ and $\ell(P, u) = l - n$.
(b) If $u \notin C(F, v)$, $\ell(F, u) = k$ and $\ell(F, v) = l$, then $u \in C(P, v)$ and $\ell(P, v) = k + l$.

Proof. (a) Let $t_0 = v$ and $t_j = P^j(t_0)$. Then $t_n = v$, $t_j \ne v$ for $0 < j < n$ and $\ell(P, v) = n$. Hence $t_j \ne u$ for all $j \ge 0$, i.e. $u \notin C(P, v)$. Let $s_0 = u$ and $s_j = P^j(s_0)$. Then $s_{l-n} = u$ and $s_j \ne u$ for $0 < j < l - n$. Consequently, $\ell(P, u) = l - n$.
(b) Let $t_0 = v$ and $t_j = P^j(t_0)$; then we have $t_l = u$, $t_{k+l} = v$ and $t_j \ne v$ for $0 < j < k + l$. □

We first consider the polynomial (19) with two distinct roots $\alpha, \beta$.
Lemma 5. Suppose $\bar f$ in (19) has two distinct roots $\alpha, \beta \in \mathbb{F}_{q^2}$ and $\operatorname{ord}(\alpha/\beta) = k$. Let $\gamma = (\beta - 1)/(\alpha - 1) \in \mathbb{P}^1(\mathbb{F}_{q^2})$.
(a) $x_1 \in C(F_2, x_2)$ if and only if $\gamma^k = 1$.
(b) When $\alpha, \beta$ are in $\mathbb{F}_q$, the pole $x_1$ is a fixed point of $F_2$ if and only if $a_3 = -a_1/a_0$.

Proof. (a) We can see from the proof of Theorem 2 that the cycle which contains $(a_2a_3 + 1)/a_2$ is of length $k-1$, and (17) implies that $s_n = F_2^n(s_0)$ for $s_0 = (a_2a_3 + 1)/a_2$ satisfies
$$s_n = \frac{a_2a_3 + 1}{a_2} - \frac{\alpha^n - \beta^n}{a_2(\alpha^{n+1} - \beta^{n+1})}, \quad 0 \le n \le k-2,$$
where $x_2 = s_{k-2}$. We observe that $F_2(x_1) = a_3$. Thus $x_1 \in C(F_2, x_2)$ if and only if
$$a_3 = \frac{a_2a_3 + 1}{a_2} - \frac{\alpha^n - \beta^n}{a_2(\alpha^{n+1} - \beta^{n+1})} \qquad (20)$$
for some $0 \le n \le k-2$. Equation (20) is equivalent to $\alpha^n(\alpha - 1) = \beta^n(\beta - 1)$ and $\alpha \ne 1$, which is equivalent to $(\alpha/\beta)^n = \gamma$. Consequently $x_1 \in C(F_2, x_2)$ if and only if $\gamma \in \langle \alpha/\beta \rangle$, or $\gamma^k = 1$. (Note that $\gamma = (\alpha/\beta)^n$ holds for some $n \le k-2$, and not for $n = k-1$, since $(\alpha/\beta)^{k-1} = \beta/\alpha$.)
(b) The second assertion follows from $x_1 = -a_1/a_0 = F_2(-a_1/a_0)$. □
In some cases below, the length $\ell_i$ of a cycle $\tau^{(i)}_j$ in (12) depends on the values of some parameters and accordingly the ordering of the $\ell_i$'s varies. We use $T(\tau)$ to mean that the ordering $\ell_1 > \cdots > \ell_s$ does not necessarily hold.

Theorem 6. Suppose that the polynomial $\bar f$ in (19) has two distinct roots $\alpha, \beta \in \mathbb{F}_{q^2}$. Let $k = \operatorname{ord}(\alpha/\beta)$ and suppose that $k = \frac{q+1}{t}$, $1 \le t < (q+1)/2$, when $\bar f(x)$ is irreducible and $k = \frac{q-1}{t}$, $1 \le t \le (q-1)/2$, for $\alpha, \beta \in \mathbb{F}_q$. Put $\gamma = (\beta - 1)/(\alpha - 1) \in \mathbb{P}^1(\mathbb{F}_{q^2})$.
(1) If $\gamma^k \ne 1$ and $\bar f(x)$ is irreducible, then $T(P_2) = [1 \times (2k-1), (t-2) \times k]$. In particular $P_2$ is a full cycle if $k = (q+1)/2$.
(2) If $\gamma^k \ne 1$ and $\bar f(x)$ is reducible, then
(a) $T(P_2) = [1 \times (2k-1), (t-2) \times k, 2 \times 1]$, when $a_3 \ne -a_1/a_0$,
(b) $T(P_2) = [t \times k, 1 \times 1]$, when $a_3 = -a_1/a_0$.
(3) If $\gamma^k = 1$ and $\bar f(x)$ is irreducible, then $T(P_2) = [(t-1) \times k, 1 \times n, 1 \times (k-n-1)]$ for some integer $1 \le n \le k-2$.
(4) If $\gamma^k = 1$ and $\bar f(x)$ is reducible, then $T(P_2) = [(t-1) \times k, 1 \times n, 1 \times (k-n-1), 2 \times 1]$ for some integer $1 \le n \le k-2$.

Proof. Since $P_2(x) = (F_2(x_2)\ F_2(x_1))F_2(x)$, the cycle decomposition of $P_2(x)$ is the same as the cycle decomposition of $F_2(x)$ given in Theorem 2, except for the cycles containing $x_1, x_2$. We recall that $x_2$ is in the unique cycle of $F_2$ of length $k-1$. Consequently we obtain the cycle decomposition of $P_2(x)$ by Lemma 4 if we know the location of $x_1$ in the cycle decomposition of $F_2(x)$. Lemma 5(a) provides the conditions for $x_1$ to be in the cycle of length $k-1$. In case
$\bar f(x)$ is reducible, $F_2$ has two fixed points and Lemma 5(b) gives the condition for $x_1$ to be one. The claim for all possible cases then follows immediately. □

Remark. In the cases (3) and (4) of Theorem 6, the exact sizes of the cycles of length $n$ and $k-n-1$ are determined by the smallest integer $n$ for which $(\alpha/\beta)^n = \gamma$ is satisfied. Hence, in general, one encounters the problem of evaluating a discrete logarithm.

Theorem 7. Suppose that the polynomial $\bar f(x)$ in (19) has a double root $\alpha \ne 0$.
(1) If $\alpha = 1$, then $a_0 = 1$, $a_3 = -a_1/a_0$ and $T(P_2) = [p^{r-1} \times p]$. In particular, if $r = 1$, then $P_2$ is a full cycle of length $q = p$.
(2) If $\alpha \in \mathbb{F}_p \setminus \{1\}$, then $T(P_2) = [(p^{r-1}-1) \times p, 1 \times n, 1 \times (p-n-1), 1 \times 1]$, where $n = \alpha/(1-\alpha)$.
(3) If $r > 1$ and $\alpha \in \mathbb{F}_q \setminus \mathbb{F}_p$, then $T(P_2) = [1 \times (2p-1), (p^{r-1}-2) \times p, 1 \times 1]$.

Proof. (1) If $\bar f(x) = (x-1)^2$, one can easily see that $a_0 = 1$ and $a_3 = -a_1/a_0$. Thus $x_1$ is a fixed point of $F_2$ and the assertion follows by Theorem 2 and Lemma 4.
(2) By Theorem 2 and Lemma 4 the claimed cycle decomposition is obtained if $x_1 \in C(F_2, x_2)$, hence $F_2(x_1) = a_3$ and $F_2(x_2) = (a_2a_3 + 1)/a_2$ are in the same cycle. Thus $s_0 = F_2(x_2)$ would yield $F_2(x_1) = s_n$ for some $n \ge 1$. Therefore (14) gives the condition
$$a_3 = \frac{a_2a_3 + 1}{a_2} - \frac{n}{a_2(n+1)\alpha} \quad\text{or equivalently}\quad \alpha = \frac{n}{n+1}$$
for some $0 \le n \le p-2$. Hence $x_1, x_2$ are in the same cycle if and only if $\alpha \in \mathbb{F}_p \setminus \{1\}$. Therefore the cycle decomposition above follows with $n = \alpha/(1-\alpha)$.
(3) From Theorem 2 and the proofs of (1), (2) one can see that $\ell(F_2, x_1) = p$ if and only if $\alpha \in \mathbb{F}_q \setminus \mathbb{F}_p$. In this case Lemma 4(b) implies that the cycle of length $p-1$ (containing $x_2$) and the cycle of length $p$, which contains $x_1$, join up to form a cycle of length $2p-1$. □
4. The cycle structure of $P_3(x)$

We recall that
$$P_3(x) = \bigl(F_3(x_2)\ F_3(x_1)\ F_3(x_3)\bigr)F_3(x),$$
see (6). Therefore $P_3(x)$ and $\bar P_3(x)$ are both obtained as products of 3-cycles with permutations of the form (8). Accordingly they have the same types of cycle decomposition. For the sake of simplicity, we restrict ourselves to the analysis of the permutations of $\mathbb{F}_q$ of the form
$$P_3(x) = \Bigl(\bigl((a_0x + a_1)^{q-2} + a_2\bigr)^{q-2} + a_3\Bigr)^{q-2}, \quad a_0a_2a_3 \ne 0.$$
The corresponding rational function is then
$$R_3(x) = \frac{a_0a_2x + a_1a_2 + 1}{a_0(a_2a_3 + 1)x + a_1(a_2a_3 + 1) + a_3}$$
and the poles are given by
$$x_1 = -\frac{a_1}{a_0}, \quad x_2 = -\frac{a_1a_2 + 1}{a_0a_2}, \quad x_3 = -\frac{a_1(a_2a_3 + 1) + a_3}{a_0(a_2a_3 + 1)},$$
where we firstly assume that $a_2a_3 + 1 \ne 0$, i.e. $x_3 \in \mathbb{F}_q$. The case $a_2a_3 + 1 = 0$ is investigated at the end of this section.

The characteristic polynomial in (16), which is associated with $R_3(x)$, is given by
$$f(x) = x^2 - \bigl(a_0a_2 + a_1(a_2a_3 + 1) + a_3\bigr)x - a_0. \qquad (21)$$
$F_3$ again denotes the permutation corresponding to $R_3(x)$, and hence
$$P_3(x) = \bigl(F_3(x_2)\ F_3(x_1)\ F_3(x_3)\bigr)F_3(x) = \bigl(F_3(x_1)\ F_3(x_3)\bigr)\bigl(F_3(x_2)\ F_3(x_3)\bigr)F_3(x).$$
For the analysis of the cycle decomposition of $P_3$ we will need the following lemmas. We recall that the integers $n, m$ in Lemmas 8, 9 are chosen to be minimal by our previous convention.

Lemma 8. Let $F$ be a permutation of $\mathbb{F}_q$, $u, v, w \in \mathbb{F}_q$ and $P = (u\ v\ w)F$. Suppose that $u = F^n(w)$ and $\ell(F, w) = l$.
(1) If $v = F^m(w)$, then
(a) $u, v, w$ lie in distinct cycles of $P$ and $\ell(P, w) = m$, $\ell(P, v) = n - m$, $\ell(P, u) = l - n$ if $m < n$,
(b) $u, v, w$ are in the same cycle of $P$, of length $l$, if $m > n$.
(2) If $v \notin C(F, w)$ and $\ell(F, v) = k$, then $v \in C(P, w)$, $u \notin C(P, w)$ and $\ell(P, w) = k + n$, $\ell(P, u) = l - n$.

Proof. (1) Let $u = F(y_1)$, $v = F(y_2)$ and $w = F(y_3)$; then $P(y_1) = v$, $P(y_2) = w$ and $P(y_3) = u$. If $m < n$, then $P(x)$ has the following three types of cycles: $(w\ F(w) \ldots y_2)$, $(v = F^m(w)\ F(v) \ldots y_1)$ and $(u = F^n(w)\ F(u) \ldots y_3)$ of lengths $m$, $n-m$ and $l-n$, respectively.
If $m > n$ then the cycle of $F(x)$ of length $l$ containing $u, v, w$ becomes the cycle $(w\ F(w) \ldots y_1\ v\ F(v) \ldots y_3\ u\ F(u) \ldots y_2)$ of $P$, again of length $l$. Similarly one easily obtains (2). □

Remark. Suppose that $F$ is a full cycle. It follows by Lemma 8(1.b) that $P = (u\ v\ w)F = (v\ w)(u\ w)F$ is also a full cycle if and only if $m > n$, where $u = F^n(w)$ and $v = F^m(w)$.

Lemma 9. Let $u, v, w, F, P$ be as in Lemma 8. Suppose that $u \notin C(F, w)$, $\ell(F, u) = k$ and $\ell(F, w) = l$.
(1) If $v \notin C(F, u)$, $v \notin C(F, w)$ and $\ell(F, v) = j$, then $u, v, w$ are in the same cycle of $P$, of length $k + l + j$.
(2) If $v = F^n(u)$, then $u \in C(P, w)$ with $\ell(P, u) = \ell(P, w) = l + n$ and $v \notin C(P, w)$ with $\ell(P, v) = k - n$.
(3) If $v = F^n(w)$, then $v \in C(P, u)$ with $\ell(P, u) = \ell(P, v) = k + l - n$ and $w \notin C(P, u)$ with $\ell(P, w) = n$.
Proof. Follows easily by an argument similar to that used in the proof of Lemma 8. □

Now we turn our attention to the characteristic polynomial $f$ with two distinct roots $\alpha, \beta$.

Lemma 10. Suppose that the polynomial $f(x)$ in (21) has two distinct roots $\alpha, \beta \in \mathbb{F}_{q^2}$ with $\operatorname{ord}(\alpha/\beta) = k$. Let $\gamma_1 = (\beta - a_3)/(\alpha - a_3)$, $\gamma_2 = (a_2\beta + 1)/(a_2\alpha + 1)$, $\gamma_3 = (\beta - a_1)/(\alpha - a_1) \in \mathbb{P}^1(\mathbb{F}_{q^2})$. Then
(i) $x_1 \in C(F_3, x_3)$ if and only if $\gamma_1^k = 1$,
(ii) $x_2 \in C(F_3, x_3)$ if and only if $\gamma_2^k = 1$,
(iii) the poles $x_1, x_2, x_3$ lie in different cycles of $F_3$ if and only if $\gamma_1^k \ne 1$, $\gamma_2^k \ne 1$ and $\gamma_3^k \ne 1$.

Proof. Note that for $s_0 = a_2/(a_2a_3 + 1)$, we obtain by (17) that
$$s_n = \frac{1}{a_2a_3 + 1}\Bigl(a_2 + \frac{\alpha^n - \beta^n}{\alpha^{n+1} - \beta^{n+1}}\Bigr), \quad 0 \le n \le k-2. \qquad (22)$$
Recall that $x_3$ is in the cycle of length $k-1$ by the proof of Theorem 2.
(i) Obviously $F_3(x_3) = \frac{a_2}{a_2a_3 + 1}$ is in the cycle of length $k-1$. Consequently by (22), the pole $x_1 = -\frac{a_1}{a_0}$ is contained in this cycle if and only if
$$x_1 = \frac{1}{a_2a_3 + 1}\Bigl(a_2 + \frac{\alpha^n - \beta^n}{\alpha^{n+1} - \beta^{n+1}}\Bigr)$$
for some $0 \le n \le k-2$ or,
$$\alpha^n\bigl(a_0 + (a_1a_2a_3 + a_1 + a_0a_2)\alpha\bigr) - \beta^n\bigl(a_0 + (a_1a_2a_3 + a_1 + a_0a_2)\beta\bigr) = 0,$$
which is equivalent to
$$\alpha^{n+1}(\alpha - a_3) = \beta^{n+1}(\beta - a_3) \quad\text{and}\quad \alpha \ne a_3$$
for some $0 \le n \le k-2$. This implies $(\alpha/\beta)^n = (\beta - a_3)/(\alpha - a_3)$ for $1 \le n \le k-1$ and so $\frac{\beta - a_3}{\alpha - a_3} \in \langle \alpha/\beta \rangle$, hence $\bigl(\frac{\beta - a_3}{\alpha - a_3}\bigr)^k = 1$.
(ii) can be obtained similarly from the condition
$$x_2 = \frac{1}{a_2a_3 + 1}\Bigl(a_2 + \frac{\alpha^n - \beta^n}{\alpha^{n+1} - \beta^{n+1}}\Bigr)$$
for some $0 \le n \le k-2$.
(iii) If $\gamma_1^k, \gamma_2^k \ne 1$ then neither $x_1$ nor $x_2$ is in the cycle of length $k-1$. Now we note that $F_3(x_2) = 0$ and $F_3(x_1) = 1/a_3$. Consequently, $x_1 \in C(F_3, x_2)$ if and only if $1/a_3 = F_3^n(0)$ for some $0 \le n \le k-1$. With (17) we get
$$\frac{(a_1a_2 + 1)(\alpha^n - \beta^n)}{(\alpha^{n+1} - \beta^{n+1}) - a_0a_2(\alpha^n - \beta^n)} = \frac{1}{a_3}$$
for some $0 \le n \le k-1$, which is equivalent to
$$\Bigl(\frac{\alpha}{\beta}\Bigr)^n = \frac{\alpha - a_1}{\beta - a_1} = 1/\gamma_3$$
for some $0 \le n \le k-1$. □
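The cycle bookkeeping of Lemmas 4, 8 and 9 (a transposition or a 3-cycle multiplied onto a permutation, right to left) is easy to check by machine. The following Python code is an added example, not from the paper: it builds $P = (u\ v\ w)F$ for a constructed permutation $F$, measures the lengths $\ell(P, \cdot)$ directly, and compares them with what the lemmas predict (for Lemma 8(1a) the cycle of $P$ through $w$ has length $m$, through $v$ length $n-m$ and through $u$ length $l-n$, as in the proof of that lemma). The permutations `FULL` and `THREE` and the choices of $u, v, w$ are constructed inputs.

```python
# Added example, not from the paper.  Permutations are dicts x -> image on a
# finite set; as in the paper, products act right to left, so (u v w)F means
# "apply F first, then the 3-cycle (u v w)".

def right_to_left(cycle, F):
    """P = cycle * F, where cycle = [c_0, ..., c_{m-1}] denotes the cycle
    sending c_i to c_{i+1} (indices mod m) and fixing everything else."""
    m = len(cycle)
    step = {cycle[i]: cycle[(i + 1) % m] for i in range(m)}
    return {x: step.get(y, y) for x, y in F.items()}

def cycle_len(perm, x):
    """l(perm, x): the length of the cycle of perm containing x."""
    n, y = 1, perm[x]
    while y != x:
        n, y = n + 1, perm[y]
    return n

def steps(F, src, dst):
    """Minimal n >= 1 with F^n(src) = dst, or None if dst is not in C(F, src)."""
    n, y = 1, F[src]
    while y != src:
        if y == dst:
            return n
        n, y = n + 1, F[y]
    return None

def lemma8_predicted(F, u, v, w):
    """Lemma 8(1): lengths of the cycles of P = (u v w)F through w, v, u when
    u = F^n(w) and v = F^m(w) with l = l(F, w)."""
    n, m, l = steps(F, w, u), steps(F, w, v), cycle_len(F, w)
    if n is None or m is None:
        raise ValueError("u and v must lie in the F-cycle of w")
    if m < n:                          # (1a): the cycle splits into three
        return {w: m, v: n - m, u: l - n}
    return {w: l, v: l, u: l}          # (1b): still one cycle of length l

def lemma9_predicted(F, u, v, w):
    """Lemma 9(1): u, v, w in three different F-cycles of lengths k, j, l join
    into a single P-cycle of length k + j + l."""
    if steps(F, w, u) is not None or steps(F, w, v) is not None or steps(F, u, v) is not None:
        raise ValueError("u, v, w must lie in three different F-cycles")
    total = cycle_len(F, u) + cycle_len(F, v) + cycle_len(F, w)
    return {u: total, v: total, w: total}

def actual_lengths(F, u, v, w):
    """Build P = (u v w)F and measure the cycle lengths through u, v, w."""
    P = right_to_left([u, v, w], F)
    return {x: cycle_len(P, x) for x in (u, v, w)}

# Constructed inputs: a single 10-cycle, and a permutation of {0..9} whose
# cycles are (0 1 2), (3 4 5 6) and (7 8 9).
FULL = {i: (i + 1) % 10 for i in range(10)}
THREE = {0: 1, 1: 2, 2: 0, 3: 4, 4: 5, 5: 6, 6: 3, 7: 8, 8: 9, 9: 7}
```

With `FULL`, $w = 0$, $u = F^4(0) = 4$ and $v = F^2(0) = 2$ (so $m = 2 < n = 4$) both `lemma8_predicted` and `actual_lengths` give lengths $2, 2, 6$ for the cycles through $w, v, u$; taking $v = F^6(0) = 6$ instead ($m > n$) leaves a single 10-cycle, which is the situation of the Remark after Lemma 8. With `THREE` and $u = 0$, $v = 3$, $w = 7$ the three cycles of lengths $3, 4, 3$ merge into one cycle of length 10, as Lemma 9(1) states.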
Theorem 11. Suppose that $f(x)$ in (21) is irreducible with roots $\alpha, \beta \in \mathbb{F}_{q^2}$. Let $k = \operatorname{ord}(\alpha/\beta) = \frac{q+1}{t}$, $1 \le t < \frac{q+1}{2}$, and $\gamma_1 = (\beta - a_3)/(\alpha - a_3)$, $\gamma_2 = (a_2\beta + 1)/(a_2\alpha + 1)$, $\gamma_3 = (\beta - a_1)/(\alpha - a_1)$.
(1) If $\gamma_1^k = \gamma_2^k = 1$ then
(a) $T(P_3) = [(t-1) \times k, 1 \times (k-1)]$. In particular $P_3$ is a full cycle if $k = q+1$, or
(b) $T(P_3) = [(t-1) \times k, 1 \times m, 1 \times (k-n-1), 1 \times (n-m)]$ for some integers $1 \le m < n \le k-2$.
(2) If $\gamma_1^k \ne 1$ and $\gamma_2^k = 1$ then $T(P_3) = [1 \times (k+n), (t-2) \times k, 1 \times (k-n-1)]$ for some integer $1 \le n \le k-2$.
(3) If $\gamma_1^k, \gamma_2^k, \gamma_3^k \ne 1$ then $T(P_3) = [1 \times (3k-1), (t-3) \times k]$. In particular $P_3$ is a full cycle if 3 divides $q+1$ and $k = (q+1)/3$.
(4) If $\gamma_1^k, \gamma_2^k \ne 1$ and $\gamma_3^k = 1$ then $T(P_3) = [1 \times (k+n-1), (t-2) \times k, 1 \times (k-n)]$ for some integer $1 \le n \le k-1$.
(5) If $\gamma_1^k = 1$ and $\gamma_2^k \ne 1$ then $T(P_3) = [1 \times (2k-n-1), (t-2) \times k, 1 \times n]$ for some integer $1 \le n \le k-2$.

Proof. If we put $u = F_3(x_2)$, $v = F_3(x_1)$ and $w = F_3(x_3)$, and recall that $P_3(x) = (F_3(x_2)\ F_3(x_1)\ F_3(x_3))F_3(x)$, then the theorem follows from Lemmas 8–10, and Theorem 2 on the cycle decomposition of $F_3(x)$. □

Remark. It is obvious that the exact values for the parameters $m$ and $n$ are given by the relative positions of the three poles when they are in the same cycle of $F_3$. These relative positions are essentially described by the integers $n_i$ for which we have $\gamma_i = (\alpha/\beta)^{n_i}$, $i = 1, 2, 3$. Their identification, as in the case of $P_2$, requires the evaluation of discrete logarithms.

If $f(x)$ is reducible over $\mathbb{F}_q$, then $F_3$ has fixed points, i.e. cycles of length one, which have to be taken into consideration. $F_3$ has two fixed points when the roots of $f(x)$ are distinct and has only one fixed point when $f(x)$ has a double root.

Lemma 12. Suppose that $f(x)$ in (21) is reducible over $\mathbb{F}_q$. Then
(i) the pole $x_1$ is a fixed point of $F_3(x)$ if and only if $a_3 = -a_0/a_1$,
(ii) the pole $x_2$ is a fixed point of $F_3(x)$ if and only if $a_2 = -1/a_1$.

Proof. Follows easily from the definition of $F_3(x)$. □

Remark. Suppose that $f$ has distinct roots $\alpha, \beta \in \mathbb{F}_q$ and $\gamma_1, \gamma_2$ are as in Lemma 10. If the pole $x_i$ is a fixed point, then $\gamma_i^k \ne 1$ for $i = 1, 2$. Clearly, the pole $x_3$, which is always in the cycle of $F_3$ of length $k-1$, is not a fixed point of $F_3$ unless $k = 2$.
Theorem 13. Suppose that $f(x)$ in (21) has two distinct roots $\alpha, \beta \in \mathbb{F}_q$. Let $k = \operatorname{ord}(\alpha/\beta) = \frac{q-1}{t}$, $1 \le t \le \frac{q-1}{2}$, and also $\gamma_1 = (\beta - a_3)/(\alpha - a_3)$, $\gamma_2 = (a_2\beta + 1)/(a_2\alpha + 1)$, $\gamma_3 = (\beta - a_1)/(\alpha - a_1)$, $\gamma_1, \gamma_2, \gamma_3 \in \mathbb{P}^1(\mathbb{F}_{q^2})$.
(1)–(5) If $a_3 \ne -a_0/a_1$ and $a_2 \ne -1/a_1$, then $T(P_3)$ is the same as in the cases (1)–(5) of Theorem 11, except that, in each case, $P_3$ has two more cycles of length 1 (here of course $k = \frac{q-1}{t}$, not $\frac{q+1}{t}$ as in Theorem 11).
(6) If $a_3 = -a_0/a_1$ and $a_2 = -1/a_1$, then $T(P_3) = [1 \times (k+1), (t-1) \times k]$. In particular $P_3$ is a full cycle if $k = q-1$.
(7) (a) If $a_3 = -a_0/a_1$ and $\gamma_2^k = 1$ or (b) if $a_2 = -1/a_1$ and $\gamma_1^k = 1$, then $T(P_3) = [(t-1) \times k, 1 \times n, 1 \times (k-n), 1 \times 1]$, with $2 \le n \le k-1$ in the case of (a) and $1 \le n \le k-2$ in the case of (b).
(8) If $a_3 = -a_0/a_1$, $a_2 \ne -1/a_1$, $\gamma_2^k \ne 1$ or $a_3 \ne -a_0/a_1$, $a_2 = -1/a_1$, $\gamma_1^k \ne 1$ then $T(P_3) = [1 \times 2k, (t-2) \times k, 1 \times 1]$.

Proof. The assertion follows as in the proof of Theorem 11, by using Lemmas 8–10, 12, with $u = F_3(x_2)$, $v = F_3(x_1)$, $w = F_3(x_3)$ and by Theorem 2. □

Now we focus on the polynomial $f(x)$ which has a double root $\alpha \in \mathbb{F}_q^* = \mathbb{F}_{p^r}^*$. We recall that then $T(F_3) = [(p^{r-1}-1) \times p, 1 \times (p-1), 1 \times 1]$. We will use the following lemma.

Lemma 14. Suppose that $f(x)$ in (21) has a double root $\alpha \in \mathbb{F}_q^*$. Then
(i) $x_1 \in C(F_3, x_3)$ if and only if $\alpha/a_3 \in \mathbb{F}_p \setminus \{1\}$,
(ii) $x_2 \in C(F_3, x_3)$ if and only if $-a_2\alpha \in \mathbb{F}_p \setminus \{1\}$,
(iii) $x_1 \in C(F_3, x_2)$ if and only if $a_1/\alpha \in \mathbb{F}_p \setminus \{1\}$.
Proof. For $s_0 = a_2/(a_2a_3 + 1)$, Eq. (18) can be transformed into
$$\frac{A_n}{B_n} = \frac{1}{a_2a_3 + 1}\Bigl(a_2 + \frac{n}{\alpha(n+1)}\Bigr) = \frac{1}{a_0(a_2a_3 + 1)}\Bigl(a_0a_2 - \alpha\frac{n}{n+1}\Bigr). \qquad (23)$$
If again $s_n = F_3^n(s_0)$, then $s_n = A_n/B_n$ in (23) for $n = 0, 1, \ldots, p-2$.
(i) From (23) we obtain that $x_1$ is in the cycle of length $p-1$, i.e. in the cycle that contains $x_3$, if and only if
$$F_3(x_1) = \frac{1}{a_3} = \frac{a_2}{a_2a_3 + 1} + \frac{n}{(n+1)\alpha} \cdot \frac{1}{a_2a_3 + 1} \quad\text{or}\quad \frac{n}{n+1} = \frac{\alpha}{a_3}$$
for some $0 \le n \le p-2$. This is equivalent to $\alpha/a_3 \in \mathbb{F}_p \setminus \{1\}$.
(ii) The analogous condition for $x_2$ is
$$F_3(x_2) = 0 = \frac{a_2}{a_2a_3 + 1} + \frac{n}{(n+1)\alpha} \cdot \frac{1}{a_2a_3 + 1} \quad\text{or}\quad \frac{n}{n+1} = -a_2\alpha.$$
(iii) Since $F_3(x_2) = 0$ and $F_3(x_1) = 1/a_3$, one can obtain the condition for $x_1, x_2$ to be in the same cycle by setting $s_0 = 0$ in (18). This yields
$$\frac{1}{a_3} = \frac{(a_1a_2 + 1)n}{(n+1)\alpha - a_0a_2n} \quad\text{or}\quad na_1 = \alpha(n-1)$$
for some $1 \le n \le p-1$. □

Remark. If $r = 1$, i.e. $\mathbb{F}_q$ is a prime field, then $\alpha = a_3$ if and only if $x_1$ is a fixed point of $F_3(x)$ and hence, by Lemma 12, $a_3 = -a_0/a_1$. Similarly $\alpha = -1/a_2$ implies that $x_2$ is a fixed point and $a_2 = -1/a_1$. Using $\alpha^2 = -a_0$, it can be shown that these equivalences also hold if $\mathbb{F}_q$ is not a prime field. Consequently $\ell(F_3, x_1) = p$ if and only if $\alpha/a_3 \in \mathbb{F}_q \setminus \mathbb{F}_p$, and $\ell(F_3, x_2) = p$ if and only if $-a_2\alpha \in \mathbb{F}_q \setminus \mathbb{F}_p$. Moreover one easily obtains that $\alpha = a_1$ implies that either $x_1$ or $x_2$ is a fixed point of $F_3(x)$.
Theorem 15. Suppose that $f(x)$ in (21) has a double root $\alpha \in \mathbb{F}_q^* = \mathbb{F}_{p^r}^*$.
(1) If $\alpha/a_3 \in \mathbb{F}_p \setminus \{1\}$ and $-a_2\alpha \in \mathbb{F}_p \setminus \{1\}$ then
(a) $T(P_3) = [(p^{r-1}-1) \times p, 1 \times (p-1), 1 \times 1]$, or
(b) $T(P_3) = [(p^{r-1}-1) \times p, 1 \times m, 1 \times (p-n-1), 1 \times (n-m), 1 \times 1]$ for some integers $1 \le m < n \le p-2$.
(2) If $\alpha = -1/a_2$ and $\alpha/a_3 \in \mathbb{F}_p \setminus \{1\}$, or $\alpha = a_3$ and $-a_2\alpha \in \mathbb{F}_p \setminus \{1\}$, then $T(P_3) = [(p^{r-1}-1) \times p, 1 \times n, 1 \times (p-n)]$ for some integer $1 \le n \le p-2$ in the first case and $2 \le n \le p-1$ in the second case.
(3) If $r \ge 2$, $\alpha/a_3 \in \mathbb{F}_p \setminus \{1\}$ and $-a_2\alpha \in \mathbb{F}_q \setminus \mathbb{F}_p$ then $T(P_3) = [1 \times (2p-n-1), (p^{r-1}-2) \times p, 1 \times n, 1 \times 1]$ for some integer $1 \le n \le p-2$.
(4) If $r \ge 2$, $\alpha/a_3 \in \mathbb{F}_q \setminus \mathbb{F}_p$ and $-a_2\alpha \in \mathbb{F}_p \setminus \{1\}$ then $T(P_3) = [1 \times (p+n), (p^{r-1}-2) \times p, 1 \times (p-n-1), 1 \times 1]$ for some integer $1 \le n \le p-2$.
(5) If $r \ge 2$, and $\alpha = a_3$ and $-a_2\alpha \in \mathbb{F}_q \setminus \mathbb{F}_p$, or $\alpha/a_3 \in \mathbb{F}_q \setminus \mathbb{F}_p$ and $\alpha = -1/a_2$, then $T(P_3) = [1 \times 2p, (p^{r-1}-2) \times p]$.
(6) If $r \ge 2$, $-a_2\alpha \in \mathbb{F}_q \setminus \mathbb{F}_p$ and $\alpha/a_1 \in \mathbb{F}_p \setminus \{1\}$ or $a_1 = 0$, then $T(P_3) = [(p^{r-1}-2) \times p, 1 \times (p+n-1), 1 \times (p-n), 1 \times 1]$ for some integer $1 \le n \le p-1$.
(7) If $r \ge 2$, $\alpha/a_3 \in \mathbb{F}_q \setminus \mathbb{F}_p$, $-a_2\alpha \in \mathbb{F}_q \setminus \mathbb{F}_p$, $\alpha/a_1 \in \mathbb{F}_q \setminus \mathbb{F}_p$ and $a_1 \ne 0$, then $T(P_3) = [1 \times (3p-1), (p^{r-1}-3) \times p, 1 \times 1]$.

Proof. The theorem follows from Lemmas 8, 9, 12, 14, the Remark thereafter, and Theorem 2. □
Finally we consider the case where $\alpha_3 = a_0(a_2a_3 + 1) = 0$, i.e. $a_2a_3 + 1 = 0$ and $x_3 = \infty$, or equivalently
$$P_3(x) = \Bigl(\bigl((a_0x + a_1)^{q-2} + a_2\bigr)^{q-2} - \frac{1}{a_2}\Bigr)^{q-2}. \qquad (24)$$
The function $R_3(x)$, in this case, reduces to the linear polynomial
$$R_3(x) = -a_0a_2^2x - (a_1a_2^2 + a_2),$$
and we put $F_3(x) = R_3(x)$, $x \in \mathbb{F}_q$. It can be seen easily that we have
$$P_3(x) = \begin{cases} F_3(x) & x \ne x_1, x_2,\\ F_3(x_2) = 0 & x = x_1,\\ F_3(x_1) = -a_2 & x = x_2. \end{cases}$$
Therefore $P_3(x) = (-a_2\ 0)F_3(x)$ and the cycle decomposition of $P_3(x)$ can easily be determined by Lemma 4. We note that $F_3(x) = ax + b$ is a full cycle when $a = 1$ and $b \ne 0$. If $a \ne 1$ and $k$ is the order of $a$ in $\mathbb{F}_q^*$, then $F_3(x)$ has one fixed point $\wp = b/(1-a)$ and $T(F_3) = [\frac{q-1}{k} \times k, 1 \times 1]$. The following proposition gives the conditions for $P_3$ to be a full cycle. The cycle decomposition of $P_3$ in the cases where it is not a full cycle can easily be obtained by an argument similar to that used previously.

Proposition 16. Let $P_3(x) = \bigl(((a_0x + a_1)^{q-2} + a_2)^{q-2} - \frac{1}{a_2}\bigr)^{q-2}$, $a_0a_2 \ne 0$. The permutation $P_3$ is a full cycle if and only if $\operatorname{ord}(-a_0a_2^2) = q-1$ and one of the following holds: $a_1 = a_0a_2$ or $a_1 = -1/a_2$.

Proof. We use Lemma 4 and note that the fixed point $\wp$ of $F_3$ is equal to $x_1$ if and only if $a_1 = a_0a_2$, and $\wp$ is equal to $x_2$ if and only if $a_1 = -1/a_2$. □

Remark. Since $x_3 = \infty$ yields $P_3 = (-a_2\ 0)F_3$, where $F_3$ is a linear function, by putting $F_3(x) = x$ (i.e. $a_0 = -1/a_2^2$ and $a_1 = -1/a_2$ in (24)) and $-a_2 = a$ we get $P_3(x) = p_a(x)$, the transposition (1) described by Carlitz.
5. Constructions of $P_n$ with full cycle

Here we turn our attention to the construction of permutations $P_n$ with a given number of cycles, where we focus on the most interesting case of permutations with full cycle. We first introduce some preliminaries in the first two subsections.

5.1. Multiplication by transpositions

The number of distinct cycles obtained by multiplying a single cycle of length $m$ by a sequence of symbol-disjoint transpositions is determined by Cohn and Lempel [7]. In [2], Beck generalized this result to arbitrary transpositions. We will utilize the main results of [2], which will be presented in this subsection.

We fix a cycle $\tau = (s_0\ s_1 \ldots s_{m-1})$ and consider the set $T$ of transpositions of the set $\{s_0, s_1, \ldots, s_{m-1}\}$. For two transpositions $\sigma_1 = (s_{i_1}\ s_{j_1})$, $\sigma_2 = (s_{i_2}\ s_{j_2}) \in T$ we define $(\sigma_1 \wedge \sigma_2)_\tau = \sigma_1 \wedge \sigma_2$ by
$$\sigma_1 \wedge \sigma_2 = \begin{cases} 1 & \text{if } \sigma_1\sigma_2\tau \text{ is a full cycle},\\ 0 & \text{if } \sigma_1\sigma_2\tau \text{ is not a full cycle}, \end{cases}$$
where the multiplication, again, is performed from right to left. The next definition associates a binary matrix to a sequence $\sigma_1, \sigma_2, \ldots, \sigma_k$ of $k$ transpositions in $T$ (cf. [2]). The link relation