Efficient indexing of necklaces and irreducible polynomials over finite fields

We study the problem of indexing irreducible polynomials over finite fields, and give the first efficient algorithm for this problem. Specifically, we show the existence of poly(n, log q)-size circuits that compute a bijection between {1, ... , |S|} and the set S of all irreducible, monic, univariate polynomials of degree n over a finite field F_q. This has applications in pseudorandomness, and answers an open question of Alon, Goldreich, H{\aa}stad and Peralta[AGHP]. Our approach uses a connection between irreducible polynomials and necklaces ( equivalence classes of strings under cyclic rotation). Along the way, we give the first efficient algorithm for indexing necklaces of a given length over a given alphabet, which may be of independent interest.


Introduction
For a finite field F q and an integer n, let S be the set of all irreducible polynomials in 1 variable over F q of degree exactly n. There is a well known formula for |S| (which is approximately q n n ). We consider the problem of giving an efficiently computable indexing of irreduducible polynomials i.e., finding a bijection f : {1, . . . , |S|} → S such that f (i) is computable in time poly(log |S|) = poly(n log q). Our main result is that indexing of irreducible polynomials can be done efficiently given O(n log q) advice. This answers a problem posed by Alon, Goldreich, Håstad and Peralta [AGHP92], and is the polynomial analogue of the the well-known problem of "giving a formula for the n-bit primes". Note that today it is not even known (in general) how to produce a single irreducible polynomial of degree n in time poly(n log q) without the aid of either advice or randomness. The main technical result we show en route is an efficient indexing algorithm for necklaces. Necklaces are equivalance classes of strings modulo cyclic rotation. We give an poly(n log |Σ|)-time computable bijection g : {1, 2, . . . , |N |} → N , where N is the set of necklaces of length n over the alphabet Σ.

The indexing problem
We define an indexing of a finite set S to be a bijection from the set {1, . . . , |S|} to S. Let us formalize indexing as a computational problem. Suppose that L is an arbitrary language over alphabet Σ and let L n be the set of strings of L of length n. We want to "construct" an indexing function A n for each of the sets L n . Formally, this means giving an algorithm A which takes as input a size parameter n and an index j and outputs A n (j), so that the following properties hold for each n: • A n maps the set {1, . . . , |L n |} bijectively to L n .
• If j > |L n | then A n (j) returns too large.
An indexing algorithm is considered to be efficient if its running time is poly(n).
A closely related problem is reverse-indexing. A reverse-indexing of L a bijection from L n to {1, . . . , |L n |}, and we say it is efficient if it can be computed in time poly(n).
We can use the above formalism for languages to formulate the indexing and reverse-indexing problems for any combinatorial structure, such as permutations, graphs, partitions, etc. by using standard efficient encodings of such structures by strings.

Indexing, enumeration, counting and ranking
Indexing is closely related to the well-studied counting, enumeration and ranking problems for L. The counting problem is to give an algorithm that, on input n outputs the size of L n . The enumeration problem is to give an algorithm that, on input n, outputs a list containing all elements of L n . A counting or enumeration algorithm is said to be efficient if it runs in time poly(n) or |L n | · poly(n) respectively.
Other important algorithmic problems associated with combinatorial objects include the ranking and unranking problems. For the ranking problem, one is given an ordering of L n (such as the lexicographic order) and the goal is to compute the rank (under this order) of a given element of L n . For the unranking problem, one has to compute the inverse of this ranking map. It is easy to see that unranking algorithms for any ordering are automatically indexing algorithms, and ranking algorithms for any ordering are automatically reverse-indexing algorithms 1 .
There is well developed complexity theory for counting problems, starting with the fundamental work of Valiant [Val79]. For combinatorial structures, counting problems are (of course) at the heart of combinatorics, and many basic identities in combinatorics (such as recurrence relations that express the number of structures of a particular size in terms of the number of such structures of smaller sizes) can also be viewed as giving efficient counting algorithms for these structures. The enumeration and ranking problems for combinatorial structures has also received a large amount of attention. See the books [NW78,KS99,Rus03,Arn11] for an overview of some of the work on this topic.
Counting and enumeration can be easily reduced to indexing: Given an indexing algorithm A we can compute |L n | by calling A n (j) on increasing powers of 2 until we get the answer 'too large' and then do binary search to determine the largest j for which A n (j) is not too large. Enumeration can be done by just running the indexing algorithm on the integers 1, 2, . . . until we get the answer too large. Conversely, in many cases, such as for subsets, permutations, set partitions, integer partitions, trees, spanning trees, (and many many more) the known counting algorithms can be modified to give efficient indexing (and hence enumeration) algorithms. This happens, for example, when the counting problem is solved by a recurrence relation that is proved via a bijective proof.
However, it seems that not all combinatorial counting arguments lead to efficient indexing algorithms. A prime example of this situation is when we have a finite group acting on a finite set, and the set we want to count is the set of orbits of the action. The associated counting problem can be solved using the Burnside counting lemma, and there seems to be no general way to use this to get an efficient indexing algorithm.
This leads us to one of the indexing problems studied here: Fix an alphabet Σ and consider two strings x and y in Σ n to be equivalent if one is a rotation of the other, i.e. we can find strings x 1 , x 2 such that x = x 1 x 2 and y = x 2 x 1 (here uv denotes the concatenation of the strings u and v). The equivalence classes of strings are precisely the orbits under the natural action of the cyclic group Z n on Σ n . These equivalence classes are often called necklaces because if we view the symbols of a string as arranged in a circle, then equivalent strings give rise to the same arrangement. We are interested in the problem of efficiently indexing necklaces. We apply the indexing algorithm for necklaces to the problem of indexing irreducible polynomials over a finite field.

Main results
Our main result is an efficient algorithm for indexing irreducible polynomials.
Theorem 1.1. Let q be a prime power, and let n ≥ 1 be an integer. Let I q,n be the set of monic irreducible polynomials of degree n over F q .
There is an indexing algorithm for I q,n , which takes O(n log q) bits of advice and runs in poly(n, log q) time.
We remark that it is not known today how to deterministically produce (without the aid of advice or randomness) even a single irreducible polynomial of degree n in time poly(n log q) for all choices of n and q. Our result shows that once we take a little bit of advice, we can produce not just one, but all irreducible polynomials. For constant q, where it is known how to deterministically construct a single irreducible polynomial in poly(n) time without advice [Sho90a], our indexing algorithm can be made to run with just poly(log n) bits of advice.
Using a known correspondence [Gol69] between necklaces and irreducible polynomials over finite fields, indexing irreducible polynomials reduces to the problem of indexing necklaces. Our main technical result (of independent interest) is an efficient algorithm for this latter problem.
Theorem 1.2. There is an algorithm for indexing necklaces of length n over the alphabet {1, . . . , q}, which runs in time poly(n log q).
Our methods also give an efficient reverse-indexing algorithm for necklaces (but unfortunately this does not lead to an efficient reverse-indexing algorithm for irreducible polynomials; this has to do with the the open problem of efficiently computing the discrete logarithm). Theorem 1.3. There is an algorithm for reverse-indexing necklaces of length n over the alphabet {1, . . . , q}, which runs in time poly(n log q).
The indexing algorithm for irreducible polynomials can be used to make a classical ǫ-biased set construction from [AGHP92] based on linear-feedback shift register sequences constructible with logarithmic advice (to put it at par with the other constructions in that paper). It can also be used to make the explicit subspace designs of [GK13] very explicit (with small advice).
Agrawal and Biswas [AB03] gave a construction of a family of nearly-coprime polynomials, and used this to give randomness-efficient black-box polynomial identity tests. The ability to efficiently index irreducible polynomials enables one to do this even more randomness efficiently (using a small amount of advice). Similarly, the string fingerprinting algorithm by Rabin [Rab81], which is based on choosing a random irreducible polynomial can be made more randomness efficient by choosing the random irreducible polynomial via first choosing a random index and then indexing the corresponding irreducible polynomial using our indexing algorithm. This application also requires a small amount of advice. As another application of the indexing algorithm for necklaces, we give a poly(n) time algorithm for computing any given entry of the k × 2 n generator matrix matrix or the (2 n − k) × 2 n parity check matrix of BCH codes for all values of the designed distance (this is the standard notion of strong explicitness for error-correcting codes). Earlier, it was only known how to compute this entry explicitly for very small values of the designed distance (which is usually the setting where BCH codes are used).

Related Work
There is an extensive literature on enumeration algorithms for combinatorial objects (see the books [Rus03,Knu06,KS99,NW78,Arn11]). Some of these references discuss necklaces in depth, and some also discuss the ranking/unranking problems for various combinatorial objects.
The lexicographically smallest element of a rotation class is called a Lyndon word, and much is known about them. Algorithmically, the problem of enumerating/indexing necklaces is essentially equivalent to the problem of enumerating/indexing Lyndon words. Following a long line of work [FJK86, FM78, RSMYW92, Duv88, BP94, RS99, CRS + 00], we now know linear time enumeration algorithms for Lyndon words/necklaces. In [MM04] and [Rus03], it was noted that the problem of efficient ranking/unranking of the lexicographic order on Lyndon words is an open problem. Our indexing algorithms in fact give a solution to this problem too: we get an efficient ranking/unranking algorithm for the lexicographic order on Lyndon words. Recent work of Andoni, Goldberger, McGregor and Porat [AGMP13] studied a problem that may be viewed as an approximate version of reverse indexing of necklaces. They gave a randomized algorithm for producing short fingerprints of strings, such that the fingerprints of rotations of a string are determined by the fingerprint of the string itself. This fingerprinting itself was useful for detecting proximity of strings under misalignment.
Recent independent work : A preliminary version of this paper appeared as [KKS14]. At about the same time, similar results were published by Kociumaka, Radoszewski and Rytter [KRR14]. The work in these two papers was done independently. The papers both have polynomial time algorithms for indexing necklaces; the authors in [KRR14] exercised more care in designing the algorithm to obtain a better polynomial running time. Their approach to alphabets of size more than 2 is cleaner than ours. On the other hand, we put the results in a broader context and have some additional applications (indexing irreducible polynomials and explicit constructions).

Organization of the paper
The rest of the paper is organized as follows. We give the algorithm to index necklaces in Section 2. In Section 3, we use our indexing algorithm for necklaces to give an indexing algorithm for irreducible polynomials over finite fields. In Section 4, we give an application to the explicit construction of generator and parity check matrices of BCH codes. We conclude with some open problems in Section 5. In Appendix A, we give an alternate algorithm for indexing binary necklaces of prime length. In Appendix B, we give some prelimary observations about the complexity theory of indexing in general.
2 Indexing necklaces 2.1 Strategy for the algorithm We first consider a very basic indexing algorithm which will inspire our algorithms. Given a directed acyclic graph D on vertex set V and distinguished subsets S and T of nodes, there is a straightforward indexing algorithm for the set of of paths that start in S and end in T : Fix an arbitrary ordering on the nodes, and consider the induced lexicographic ordering on paths (i.e. path P 1 P 2 . . . is less than path Q 1 Q 2 . . . if P i < Q i where i is the least integer such that P i = Q i ). Our indexing function will map the index j to the jth path from S to T in lexicographic order. There is a simple dynamic program which computes for each node v, the number N (v) of paths from v to a vertex in T . Let v 1 , . . . , v r be the nodes of S listed in order. Given the input index j, we find the first source v i such that the number of paths to T starting at nodes v 1 , . . . , v i is at least j; if there is no such source then the index j is larger than the number of paths being indexed. Otherwise, v i is the first node of the desired path, and we can proceed inductively by replacing the set S by the set of children of v i . This approach can be adapted to the following situation. Suppose the set S we want to index is a set of strings of fixed length n over alphabet Σ. A read-once branching program of length n over alphabet Σ is an acyclic directed graph with vertex layers numbered from 0 to n, where (1) layer 0 has a single start node, (2) there is a designated subset of accepting nodes at level n, and (3) every non-sink node has one outgoing arc corresponding to each alphabet symbol, and these arcs connect the node to nodes at the next level. For nodes v and w and alphabet symbol σ we write v → σ w to mean that there is an arc from v to w labelled by σ.
Such a branching program takes words from Σ n and, starting from the start node, follows the path corresponding to the word to either the accept or reject node. Given a read-once branching program for S, there is a 1-1 correspondence between strings in S and paths from the start node to an accepting node. We can use the indexing algorithm for paths given above to index S.
This suggests the following approach to indexing necklaces. For each equivalence class of strings (necklace) identify a canonical representative string of the class (such as the lexicographically smallest representative). Then build a branching program B which, given string y, determines whether y is a canonical representative of its class. By the preceding paragraph, this would be enough to index all of the canonical representatives, which is equivalent to indexing equivalence classes.
In fact, we are able to implement this approach provided that q = 2 and n is prime (See appendix A). However, we have not been able to make it work in general. For this we need another approach, which still uses branching programs, but in a more involved way. First some notation. For a given string y, we write the string obtained from y after cyclically rotating it rightwards by i positions as Rot i (y). We define Orbit(y) to be the set containing y and all its distinct rotations. Orbit(y) will also be referred to as the equivalence class of y. A string y is said to be periodic with period p if it can be written as y 1 q for some y 1 ∈ Σ p and q = n p . A string is said to have fundamental period p if it is periodic with period p and not periodic with any period smaller than p. We will denote the fundamental period of a string y by FP(y). Note that for any string y, |Orbit(y)| = FP(y). If E is an orbit and x is a string, we say that E < x if E contains at least one string y that is lexicographically less than x. (Notice that under our definition, if x and y are strings then we might have both that the orbit of x is less than y and the orbit of y is less than x).
Let t be the total number of orbits. Let C x be the set of orbits that are less than x. Our main goal will be to design an efficient algorithm which, given string x, returns |C x |. We now show that if we can do this then we can solve both the indexing and reverse indexing problems.
For the indexing problem, we want a 1-1 function ψ that maps j ∈ {1, . . . , t} to a string so that all of the image strings are in different orbits. The map ψ will be easily computabile given a subroutine for |C x |. Define the minimal representative of an orbit to be the lexicographically least string in the orbit. Let y 1 < · · · < y t denote the minimal representatives in lex order. Our map ψ will map j to y j . This clearly maps each index to a representative of a different orbit.
It suffices to show how to compute ψ(j). Note that |C x | is equal to the number of y i that precede x, and is thus a nondecreasing function of x. Therefore, ψ(j) = y j is equal to the lexicographically largest string with |C x | < j. Furthermore, since |C x | is a nondecreasing function of x, we can find ψ(j) by doing binary search on the set of strings according to the value of |C x |.
Simiarly, we can solve the reverse indexing problem: given a string x we can find the index of the orbit to which it belongs by first finding the lexicographically minimal representative y i of its orbit and then computing |C y i | + 1.
Lemma 2.1. To efficiently index and reverse index necklaces of length n over an alphabet Σ, it suffices to have an efficient algorithm that takes as input a string x ∈ Σ n and outputs |C x |.
The next section gives our algorithm to determine |C x | fpr any input string x.

Computing |C x |
Let us define: • G x,p = E∈Cx:|E|=p E.
In Section 2.2.2 we reduce the problem of computating of |C x | to the problem of computing |G x,≤p | for various p. The main component of the indexing algorithm is a subroutine that computes |G x,≤p | given a string x and an integer p. This subroutine works by building a branching program with n O(1) nodes, which when given a string y accepts if and only if (1) the orbit of y has size dividing p and (2) Orbit(y) < x. The quantity we want to compute, |G x,≤p |, is therefore simply the number of y accepted by this branching program (which, as noted above can be computed in polynomial time via a simple dynamic program).

Notation and Preliminaries
Preliminaries: We state some basic facts about periodic strings without proof.
Fact 2.2. Let y be a string of length n and let p be positive integer dividing n. Then, |Orbit(y)| = p if and only if y has fundamental period p. In particular, y can be written as y 1 n p for an aperiodic string y 1 ∈ Σ p . Fact 2.3. The fundamental period of a string is a divisor of any period of the string.
In particular, the fundamental period of a string is unique. We denote the fundamental period of y by FP(y).

Reduction to computing |G x,≤p |
We begin with some simple transformations that reduce the computation of |C x | to the computation of |G x,≤p | (for various p).
Proof. For y ∈ G x,≤n , Rot i (y) ∈ G x,≤n for every positive integer i. Note that there are exactly |Orbit(y)| distinct strings of the form Rot i (y). Thus for any orbit E ∈ C x , we have y∈E 1 |Orbit(y)| = 1. Therefore: The sum on the right hand side can be split on the basis of the period of y. From Lemma 2.4 and Fact 2.2, we have the following lemma.
Lemma 2.5. For all x ∈ Σ n , So, to count |C x | efficiently, it suffices to compute |G x,i | efficiently for each i|n. Now, from the definitions, we have the following lemma.
From the Möbius Inversion Formula (see Chapter 3 in [Sta11] for more details), we have the following equality.
Lemma 2.7 implies that it suffices to compute |G x,≤p | efficiently for every divisor p of n. In the next few sections, we will focus on this sub-problem and design an efficient algorithm for this problem. We will first describe the algorithm when the alphabet is binary, and then generalize to larger alphabets.

2.2.3
Computing |G x,≤n | efficiently for the binary alphabet In this section, we will design an efficient algorithm that given a string x ∈ {0, 1} n computes |G x,≤n |.
On input x the algorithm will construct a branching program with the property that |G x,≤n | is the number of accepting paths in the branching program. This number of accepting paths can be computed by a simple dynamic program as described at the beginning of Section 2.1.
Lemma 2.8. Given as input a branching program B of length n over alphabet Σ, we can compute the size of the set of accepted strings in time poly(|B|, log n).
Proof. The number accepted strings is the number of paths from the start node to the accept node, and all such paths have length exactly n. Thus the number of accepted strings is the i, j entry in the n th power of the adjacency matrix of the graph. and can thus be computed in time polynomial in the size of the graph and log n (by repeated squaring).
We now describe how to construct, for each fixed string x ∈ {0, 1} n , a branching program B x of size polynomial in n such that the strings accepted by B x are exactly those in G x,≤n . Lemma 2.8 then implies that we can compute |G x,≤n | in time polynomial in n.
For strings x, y, when is y< lex x? This happens and only if there exists an i ∈ {1, 2, . . . , n − 1} such that y j = x j for every j ≤ i and x i+1 > y i+1 . In the case of binary strings of length n, we must have x i+1 = 1 and y i+1 = 0.
Definition 2.9. The set of witnesses for x, denoted L x , is defined by: We can summarize the discussion from the paragraph above as follows: Observation 2.10. For x, y ∈ {0, 1} n , we have y< lex x if and only if some prefix of y lies in L x .
We will now generalize this observation to strings under rotation. For strings x, y, when is Orbit(y) < x? Recall that Orbit(y) < x if for some y ′ ∈ Orbit(y), we have y ′ < lex x. From Observation 2.10, we know that this happens if and only if some y ′ ∈ Orbit(y) has some prefix w in L x . Rotating back to y, two situations can arise. Either y contains w as a contiguous substring, or w appears as a "split substring" wrapped around the end of y. In the latter case, y has a prefix w 1 and a suffix w 2 such that w 2 w 1 = w ∈ L x .
Recall that G x,≤n is the set of y with Orbit(y) < x. Thus, y ∈ G x,≤n if and only if it has a contiguous substring as a witness, or it has a witness that is wrapped around its end. Let us separate these two cases out.
Definition 2.11. For a string x ∈ {0, 1} n , G c x,≤n = {y ∈ {0, 1} n : y contains a string in L x as a contiguous substring } G w x,≤n = {y ∈ {0, 1} n : y has a prefix w 1 and suffix w 2 such that w 2 w 1 ∈ L x } From the discussion in the paragraph above, we have the following observation: The branching program B x will be obtained by combining two branching programs B c x and B w x , where the first accepts the strings in G c x,≤n and the second accepts the strings in G w x,≤n . Each layer j of the branching program B x is the product of layer j of B c x and layer j of B w x and we have arcs The accepting nodes at level n + 1 are nodes (v, v ′ ) where v is an accepting node of B c x or v ′ is an accepting node of B w x . The resulting branching program clearly accepts the set of strings accepted by B c x or B w x . Note that the branching programs B x produced by the algorithm are never actually "run", but are given as input to the algorithm of Lemma 2.8 in order to determine |G x,≤n |. For a set of strings W , we will use Prefix(W ) to denote the set of all prefixes of all strings in W (including the empty string ǫ). Similarly, Suffix(W ) denotes the set of all suffixes of of all strings in W (including the empty string ǫ). Similarly, we will use Substring(W ) for set of all contiguous substrings of strings in W . For a string r, Q(r) is the set of suffixes of r that belong to Prefix(L x ).

Constructing branching program B c
x We now present an algorithm which on input x ∈ {0, 1} n ,runs in time polynomial in n and outputs a branching program B c x that recognizes L c x .
Definition 2.13. Branching program B c x 1. Nodes at level j are triples (j, s, b) where s ∈ Prefix(L x ) and b ∈ {0, 1}. (We want string s to be the longest suffix of z 1 z 2 . . . z j that belongs to Prefix(L x ), and b = 1 iff z 1 z 2 . . . z j contains a substring that belongs to L x .) 2. The start node is (0, Λ, 0) where Λ is the empty string.
3. The accepting nodes (n, s, b) are those with b = 1.
4. For j ≤ n, the arc out of nodes (j − 1, s, b) labeled by alphabet symbol α is (j, s ′ , b ′ ) where s ′ is the longest string in Q(sα) and b ′ = 1 if s ′ contains a suffix in L x and otherwise b ′ = b.
It is clear that the branching program can be constructed (as a directed graph) in time polynomial in n. It remains to show that it accepts those z that have a substring that belongs to (L x ).
Fix a string z ∈ {0, 1} n . Let (j, s j , b j ) be the jth vertex visited by the branching program on input z. Note that s j is a suffix of z 1 . . . z j . Let h j be the index such that s = z h j . . . z j ; if s is empty, we set h j = j + 1. For j between 1 and n let i j be the least index such that z i j . . . z j belongs to The branching program is designed to make the following true: Claim 2.14. For j between 1 and n, h j = i j and b j = 1 if and only if a substring of z 1 . . . z j belongs to L x .
The claim for b j = 1 implies that the branching program accepts the desired set of strings.
Proof. The claim follows easily by induction, where the basis j = 0 is trivial. Assume j > 0. First we show that h j = i j . By induction h j−1 = i j−1 and by definition of h j and i j we have i j ≤ h j . To show h j ≤ i j , note that since i j ≥ i j−1 = h j−1 , the string z i j . . . z j is in Q(t j−1 α) and so is considered in the choice of s j and thus h j = i j .
For the claim on b j , if z has no substring in L x then b j remains 0 by induction. If z has a substring in L x let z i . . . z k be such a substring with k minimum. Then by the claim on t k , h k ≤ i, and so z i . . . z k is a suffix of s k and so b k = 1, and for all j ≥ k, b j continues to be 1.

Constructing branching program B w x
We now present an algorithm which on input x ∈ {0, 1} n ,runs in time polynomial in n and outputs a branching program B w x that accepts the set of strings z that have a nonempty suffix u and nonemtpy prefix v such that uv belongs to L x .
Definition 2.15. Branching program B w x 1. Nodes at level j are triples (j, s, p) where p, s ∈ Prefix(L x ). (String s will be the longest suffix of z 1 z 2 . . . z j that belongs to Prefix(L x ) (as in B c x ) and p is the longest prefix of z 1 z 2 . . . z j that belongs to Prefix(L x ).
3. The accepting states are those states (n, s, p) such that p has a nonempty prefix p ′ and s has a nonempty suffix s ′ such that s ′ p ′ ∈ L x . 4. For j ≤ n, the arc out of state (j − 1, s, p) labeled by alphabet symbol α is (j, s ′ , p ′ ) where s ′ is the longest string in Q(sα) and p ′ = pα if |s| = j − 1 and pα ∈ Prefix(L x ) and p ′ = p otherwise.
It is clear that the branching program can be constructed (as a directed graph) in time polynomial in n. It remains to show that it accepts L w x . Fix a string z ∈ {0, 1} n . Let (j, s j , p j ) be the jth node visited by the branching program on input z. Notice that s j is calculated the same way in B w x as in B c x and so s j is the longest suffix of z 1 . . . z j that belongs to Prefix(L x ). An easy induction shows that p j is the longest prefix of z 1 . . . z j belonging to Prefix(L x ): Let k be the length of the longest prefix of z belonging to Prefix(L x ). For j ≤ k we have p j = z 1 . . . z j and for j > k, p j = z 1 . . . z k .
Finally, we need to show that the branching program accepts z if and only if z has a a nonempty suffix s ′ and z has a nonempty prefix p ′ such that s ′ p ′ ∈ L x . If the program accepts then the acceptance condition and the fact that s n is a suffix of z and p n is a prefix of z implies that z has the required suffix and prefix. Conversely, if z has such a prefix p ′ and suffix s ′ , then they each belong to Prefix(L x ). Since p n is the longest prefix of z belonging to Prefix(L x ), p ′ is a prefix of p n and since s n is the longest suffix of z belonging to Prefix(L x ), s ′ is a suffix of t n . So the branching program will accept.
Putting things together From the constructions, it is clear that the size of the branching programs B w x and B c x are polynomial in the size of L x and hence polynomial in n = |x|. Moreover, by a product construction, we can efficiently construct the deterministic finite branching program B x which accepts the strings accepted by B w x or B c x , which is G x,≤n . This observation, along with Lemma 2.8 implies the following lemma.
Lemma 2.16. There is an algorithm which takes as input a string x in {0, 1} n and outputs the size of G x,≤n in time polynomial in n.

Computing |G x,≤p | efficiently
In this section, we will show that for every p|n, we can compute the quantity |G x,≤p | efficiently. The algorithm will be a small variation of our algorithm for computing |G x,≤n | from the previous section. Let p be a divisor of n with p < n. Every string y ∈ G x,≤p is of the form a n p for some a ∈ {0, 1} p , and every string in Orbit(y) is of the form (Rot i (a)) n p , for some i ≤ p. Let us write the string x as x 1 x 2 . . . x n p where for each i, x i is of length exactly p. We will now try to characterize the strings in G x,≤p . From the definitions, y = a n p ∈ G x,≤p if and only if there is a rotation 0 ≤ i < p such that (Rot i (a)) n p has a prefix in L x . This, in turn, can happen if and only if there is an i < p such that one of the following is true.
The strings y = a n p for which a has a rotation which is less than x 1 in lexicographic order are exactly the strings of the form c n p with c ∈ G x 1 ,≤p . Via the algorithm of the previous subsection, there is a polynomial in n time algorithm which outputs a branching program recognizing G x 1 ,≤p . The only strings which satisfy the second condition are of the form c n p , where c is a rotation of x 1 and x 1 < x i+1 in lexicographic order. There are at most |Orbit(x 1 )| such strings, and we can count them directly given x. This gives us our algorithm for computing |G x,≤p |: Computing |G x,≤p |: Input: • Integers n, p such that p|n

Let M be the number of strings of length p accepted by
. . x i and x 1 < x i+1 in lexicographic order, and x 1 / ∈ L(A x 1 ) , then output M + |Orbit(x 1 )|, else output M .
From the construction in Section 2.2.3 and Lemma 2.16, it follows that we can construct A x 1 and count M in time polynomial in n. We thus have the following lemma.
Lemma 2.17. For any divisor p of n and string x ∈ {0, 1} x , we can compute the size of the set G x,≤p in time poly(n).
We now have all the ingredients for the proof of the following theorem, which is a special case of Theorem 1.2 when the alphabet under consideration is {0, 1}.
Theorem 2.18. There is an algorithm for indexing necklaces of length n over the alphabet {0, 1}, which runs in time poly(n).
Proof. The proof simply follows by plugging together the conclusions of Lemma 2.5, Lemma 2.6, Lemma 2.7, Lemma 2.8 and Lemma 2.17.
It is not difficult to see that the indexing algorithm can be used to obtain a reverse indexing algorithm as well and hence, we also obtain a special case of Theorem 1.3 for the binary alphabet.

Indexing necklaces over large alphabets
In this subsection we how to handle the case of general alphabets Σ (with |Σ| = q). A direct generalization of the algorithm for the case of the binary alphabet, where the set L x is appropriately defined, will run in time polynomial in n and q. Our goal here is to improve the running time to polynomial in n and log q.
The basic idea is to represent the elements in Σ by binary strings of length t def = ⌈log q⌉. Let Bin : Σ → {0, 1} t be an injective map whose image is the set Γ of q lexicographically smallest strings in {0, 1} t . Extend this to a map Bin : Σ n → {0, 1} tn in the natural way. We now use the map Bin to convert our indexing/counting problems over the large alphabet Σ to a related problem over the small alphabet {0, 1}. For x ∈ Σ n , we have Bin(Rot i (x)) = Rot ti (Bin(x)). For an orbit E ⊆ Σ n and x ∈ {0, 1} tn , we say E < x if some element z ∈ E satisfies Bin(z)< lex x.
Let C x be the set of orbits E ⊆ Σ n which are less than x. For each x ∈ {0, 1} tn and p | n, define: The following identity allows us to count G x,≤n : It is easy to efficiently produce a branching program A 0 such that L(A 0 ) ∩ {0, 1} tn = Γ n . As we will describe below, the methods of the previous section can be easily adapted to efficiently produce a branching program A x such that The following lemma will be crucial in the design of this branching program.
Lemma 2.19. Let y ∈ {0, 1} tn . There exists i < n such that Rot it (y)< lex x if and only if at least one of the following events occurs: 1. there exists w ∈ L x such that w appears as a contiguous substring of y starting at a coordinate j with j ≡ 0 mod t (where the coordinates of x are 0, 1, . . . , (tn − 1)).
2. there exist strings w 1 , w 2 such that w 1 w 2 ∈ L x , w 2 is a prefix of y, w 1 is a suffix of y, and |w 1 | ≡ 0 mod t.
Given this lemma, the construction of A x follows easily via the techniques of the previous subsections. The main addition is that one needs to remember the value of the current coordinate mod t, which can be done by blowing up the number of states of the branching program by a factor t.
Intersecting the accepted sets of A x and A 0 gives us our desired branching program which allows us to count |G x,≤n |. This easily adapts to also count |G x,≤p | for each p | n. We conclude using the ideas of Section 2.2.2. We can now compute |G x,p | for each x and each p | n. From Lemma 2.5, Lemma 2.6 and Lemma 2.7, it follows that for every x, we can compute |C x | efficiently. We thus get our main indexing theorem for necklaces from Lemma 2.1.
Theorem 2.20. There are poly(n, log |Σ|)-time indexing and reverse-indexing algorithms for necklaces of length n over Σ. Furthermore, there are poly(n, log |Σ|)-time indexing and reverse-indexing algorithms for necklaces of length n over Σ with fundamental period exactly n.

Indexing irreducible polynomials
In the previous section, we saw an algorithm for indexing necklaces of length n over an alphabet Σ of size q, which runs in time polynomial in n and log q. In this section, we will see how to use this algorithm to efficiently index irreducible polynomials over a finite field. More precisely, we will use an indexing algorithm for necklaces with fundamental period exactly equal to n (which is also given by the methods of the previous sections). Let q be a prime power, and let F q denote the finite field of q elements. For an integer n > 0, let I q,n denote the set of monic, irreducible polynomials of degree n in F q [T ].
Theorem 3.1. For every q, n as above, there is an algorithm that runs in poly(n, log q) time, takes O(n log q) bits of advice, and indexes I q,n .
Proof. To prove this theorem, we start by first describing the connection between the tasks of indexing necklaces and indexing irreducible polynomials. Let P (T ) ∈ I q,n . Note that P (T ) has all its roots in the field F q n . Let α ∈ F q n be one of the roots of P (T ). Then we have that α, α q , . . . , α q n−1 are all distinct, and: Conversely, if we take α ∈ F q n such that α, α q , . . . , α q n−1 are all distinct, then the polynomial P (T ) = n−1 i=0 (T − α q i ) is in I q,n . Define an action of Z n on F * q n as follows: for k ∈ Z n and α ∈ (F q n ) * , define: This action partitions F * q n into orbits. By the above discussion, I q,n is in one-to-one correspondence with the orbits of this action with size exactly n. Thus it suffices to index these orbits.
Let g be a generator of the the multiplicative group (F q n ) * . Define a map E : Z q n −1 → F * q n by: We have that E is a bijection. Via this bijection, we have an action of Z n on Z q n −1 , where for k ∈ Z n and a ∈ Z q n −1 , Now represent elements of Z q n −1 by integers in {0, 1, . . . , q n − 2}. Define Σ = {0, 1, . . . , q − 1}. For a ∈ Z q n −1 , consider its base-q expansion a σ ∈ Σ n . This gives us a bijection between Z q n −1 and Σ n \ {(q − 1, . . . , q − 1)}. Via this bijection, we get an action of Z n on Σ n \ {(q − 1, . . . , q − 1)}. This action is precisely the standard rotation action! This motivates the following algorithm. The Indexing Algorithm: Input: q (a prime power), n ≥ 0, i ∈ [|I q,n |] Advice: 1. A description of F q 2. An irreducible polynomial F (T ) ∈ F q [T ] of degree n, whose root is a generator g of (F q n ) * (a.k.a. primitive polynomial).
4. Use F (T ) to construct the finite field F q n and the element g ∈ F * q n . (This can be done by setting F q n = F q [T ]/F (T ), and taking the class of the element T in that quotient to be the element g.) 5. Set α = g a .
For constant q, this algorithm can be made to work with poly(log n) advice. Indeed, one can construct the finite field F q n in poly(q, n) time, and a wonderful result of Shoup [Sho90b] constructs a set of q poly(log n) elements in F q n , one of which is guaranteed to be a generator. The advice is then the index of an element of this set which is a generator.

Explicit Generator Matrices and Parity Check Matrices for BCH codes
In this section, we will apply the indexing algorithm for necklaces to give a strongly explicit construction for generator and the parity check matrices for BCH codes. More precisely, we use the fact that our indexing algorithm is in fact an unranking algorithm for the lexicgraphic ordering on (lexicographically least representatives of) necklaces.
BCH codes [MS78] are classical algebraic error-correcting codes based on polynomials over finite extension fields. They have played a central role since the early days of coding theory due to their remarkable properties (they are one of the few known families of codes that has better rate/distance tradeoff than random codes in some regimes). Furthermore, their study motivated many advances in algebraic algorithms.
Using our indexing algorithm for necklaces, we can answer a basic question about BCH codes: we construct strongly explicit explicit generator matrices and parity check matrices for BCH codes. For the traditionally used setting of parameters (constant designed distance), it is trivial to construct generator matrices and parity check matrices for BCH codes. But for large values of the designed distance, as far as we are aware, this problem was unsolved.
Let q be a prime power, and let n ≥ 1 and 0 ≤ d < q n − 1. The BCH code associated with these parameters will be of length q n over the field F q , where the q n coordinates are identified with the big field F q n . Let: In words: this is the F q -linear space of all F q n -evaluations of F q n -polynomials of low degree, which have the property that all their evaluations lie in F q . In coding theory terminology, this is a subfield subcode of Reed-Solomon codes.
The condition that P (α) ∈ F q for each α ∈ F q n can be expressed as follows: Thus, if P (X) = d i=0 a i X i , then the above condition is equivalent to: which simplifies to: ∀i, a iq mod (q n −1) = a q i . Thus: 2. Specifying a i ∈ V ℓ automatically determines a iq mod (q n −1) , a iq 2 mod (q n −1) , . . ., 3. a i can take any value in V ℓ .
This motivates the following choice of basis for BCH codes. Let F = {S ⊆ {0, 1, . . . , d} | i ∈ S ⇒ (iq mod (q n − 1)) ∈ S}. Let α S,1 , . . . , α S,|S| be a basis for V |S| over F q (note that when j | n, we have that V ℓ = {α ∈ F q n | α q ℓ = α} is an F q -linear subspace of F q n of dimension ℓ). For S ∈ F, define m S = min i∈S i. For S ∈ F and j ∈ [|S|], define: It is easy to see from the above description that (P S,j ) S∈F ,j∈[n] forms an F q basis for the BCH code V . Thus it remains to show that one can index the sets of F.
If we write all the elements of S ∈ F in base q, we soon realize that the S are precisely in one-to-one correspondence with those rotation orbits of Σ n (with Σ = {0, 1, . . . , q − 1}) where all elements of the orbit are lexicographically ≤ some fixed string in Σ n (in this case the fixed string turns out to be the base q representation of the integer d). By our indexing algorithm for orbits, F can be indexed efficiently. Thus we can compute any given entry of a generator matrix for BCH codes. The parity check matrices can be constructed similarly. For a given designed distance d, one starts with d × F * q n matrix M whose i, α entry equals α i . Note that every d columns of this matrix form a van der Monde matrix: thus they are linearly independent over F q n (and hence also over F q ). Define an equivalence ∼ relation on [d] as follows: i 1 ∼ i 2 iff i 2 = i 1 · q k mod (q n − 1) for some k. Now amongst the rows of M , for each equivalance class E ⊆ d, keep only one row from E (i.e., for some i ∈ E, keep the i'th row of M and delete the j'th row for all j ∈ E \ {i}). The remarkable dimension-distance tradeoff of BCH codes is based on the fact that this operation, while it reduces the dimension of the ambient space in which the columns of this matrix lie, preserves the property that every d columns of this matrix are linearly independent over the small field F q . This reduced matrixM is the parity-check matrix of the BCH code.
We now give a direct construction of the parity-check matrixM . Let F = {S ⊆ [q n − 1] | i ∈ S =⇒ iq ∈ S}. For S ∈ F, let m S = min i∈S i. Then the rows ofM are indexed by those S ∈ F for which m S ≤ d. The (S, α) entry ofM equals α m S . Writing all the integers of [q n −1] in base q, we see that the elements of F are orbits of the Z n action on Σ n , where Σ = {0, 1, . . . , q − 1}. Furthermore, the S with m S ≤ d are precisely those orbits which have some element lexicographically at most a given fixed element x (which in this case is the base q representation of d). By our indexing algorithm, the rows ofM can be indexed efficiently, and hence each entry of theM can be computed in time poly(n), as desired.

Open Problems
We conclude with some open problems.
1. Can the orbits of group actions be indexed in general?
One formulation of this problem is as follows: Let G be a finite group acting on a set X, both of size poly(n). Suppose G and its action on X are given as input explicitly. For a finite alphabet Σ, consider the action of G on Σ X (by permuting coordinates according to the action on X). Can the orbits of this action be indexed? Can they be reverse-indexed? 2. Let G be the symmetric group S n . Consider its action on {0, 1} ( [n] 2 ) , where G acts by permuting coordinates. The orbits of this action correspond to the isomorphism classes of n-vertex graphs. Can these orbits be indexed?
More ambitiously, can these orbits be reverse-indexed? This would imply that graph isomorphism is in P .
3. It would be interesting to explore the complexity theory of indexing and reverse-indexing.
Which languages can be indexed efficiently? Can this be characterized in terms of known complexity classes?
In particular, it would be nice to disprove the conjecture: "Every pair-language L ∈ P for which the counting problem can be solved efficiently can be efficiently indexed".

A Alternative indexing algorithm for binary necklaces of prime length
In this section we give another algorithm for indexing necklaces in {0, 1} n in the special case where n is prime.
For convenience, we will denote the n coordinates of {0, 1} n by 0, 1, . . . , n − 1, and identify them with elements of Z n .
Definition A.1. Let x ∈ {0, 1} n . We say x is top-heavy if for every j, 0 ≤ j < n: In words: every prefix of x has normalized Hamming weight at least as large as the normalized Hamming weight of x. The next lemma by Dvoretzky and Motzkin [DM47] shows that every string has a unique top-heavy rotation.
Lemma A.2 ( [DM47]). Let n be prime. For each x ∈ {0, 1} n \ {0 n , 1 n }, there exists a unique i, Proof. Define f : Then the top-heaviness of x is equivalent to f (x, j) ≥ 0 for all j ∈ N.
We make two observations: . This follows from the fact that: 2. For nonnegative integers j, ℓ with j < n, we have: Putting these two facts together, we get that: Now fix x ∈ {0, 1} n \ {0 n , 1 n }. Define i ∈ {0, 1, . . . , n − 1} to be such that f (x, i) is minimized. By Equation (1), we get that f (Rot i (x), ℓ) ≥ 0 for all nonnegative integers ℓ. This proves the existence of i. For uniqueness of i, we make two more observations: 1. If f (x, j) > f (x, i), then and thus Rot j (x) is not top-heavy.
2. If f (x, j) = f (x, j ′ ), then j = j ′ mod n. To see this, first note that we may assume j < j ′ . Then: Thus, since the first term is an integer, we must have that (j ′ − j) · wt(x) must be divisible by n, and by our hypothesis on x, we have that j ′ = j mod n.
The above lemma implies that each orbit E contains a unique top-heavy string. We define the canonical element of E to be that element. We now show that there is a branching program A such that L(A) ∩ {0, 1} n precisely equals the set of top-heavy strings. By the discussion in the introduction, this immediately gives an indexing algorithm for orbits of E.
At the same time, it also computes the weight of x. At the final state, it checks if C wt(x) is true.
x is top-heavy if and only if it is true.
This completes the description of the indexing algorithm. We also know an extension of this approach that can handle n which have O(1) prime factors. The key additional ingredient of this extension is a new encoding of strings that enables verification of properties like top-heaviness by automata.

B Complexity of indexing
In this section, we explore some basic questions about the complexity theory of indexing and reverse indexing. We would like to understand what sets can be indexed/reverse-indexed efficiently. The outline of this section is as follows. We first deal with indexing and reverse-indexing in a nonuniform setting. Based on some simple observations about what cannot be indexed/reverse-indexed, we make some naive, optimistic conjectures characterizing what is efficiently indexable/reverseindexable, and then proceed to disprove these conjectures. We then make some natural definitions for indexing and reverse-indexing in a uniform setting, and conclude with some analogous naive, optimistic conjectures.

B.2 Indexing and reverse-indexing in the uniform setting
We now introduce a natural framework for talking about indexing in the uniform setting. Let L ⊆ Σ * × Σ * be a pair-language. For x ∈ Σ * , define L x = {y | (x, y) ∈ L}. An algorithm M (x, i) is said to be an indexing algorithm for L if for every x ∈ Σ * , the function M (x, ·) is an indexing of the set L x . An algorithm M (x, y) is said to be a reverse indexing algorithm for L if for every x ∈ Σ * , the function M (x, ·) is a reverse indexing of the set L x . Indexing/reverse-indexing algorithms are said to be efficient if they run in time poly(|x|). We now make some preliminary observations about the limitations of efficient indexing/reverseindexing.
1. If L can be efficiently indexed, then the counting problem for L can be solved efficiently (recall that the counting problem for L is the problem of determining |L x | when given x as input. The counting problem can be solved via binary search using an indexing algorithm).
2. If L can be efficiently reverse indexed, then L must be in P . Indeed, the reverse indexing algorithm M (x, y) immediately tells us whether (x, y) ∈ L.
In the absence of any other easy observations, we gleefully made the following optimistic conjectures.
1. Every pair-language L ∈ P for which the counting problem can be solved efficiently can be efficiently indexed.
2. Every pair-language L ∈ P can be efficiently reverse indexed.
Using ideas similar to those used in the nonuniform case, one can show that the latter of these conjectures is not true (unless the polynomial hierarchy collapses). However we have been unable to say anything interesting about the first conjecture, and we leave the conjecture that it is false as an open problem.