THE NON-GAP SEQUENCE OF A SUBCODE OF A GENERALIZED REED-SOLOMON CODE (GRS SUBCODES OF GRS CODES) - PowerPoint PPT Presentation



SLIDE 1

THE NON-GAP SEQUENCE OF A SUBCODE OF A GENERALIZED REED-SOLOMON CODE

  • I. MÁRQUEZ-CORBELLA 1
  • E. MARTÍNEZ-MORO 2
  • R. PELLIKAAN 3

1 Department of Algebra, Geometry and Topology, University of Valladolid. Supported by a FPU grant AP2008-01598 by Spanish MEC.
2 Department of Applied Mathematics, University of Valladolid.
3 Department of Mathematics and Computing Science, Eindhoven University of Technology.

Seventh International Workshop on Coding and Cryptography 2011

SLIDE 2

PUBLIC-KEY CRYPTOSYSTEMS

TWO KEYS:
  • Private Key: known only by the recipient.
  • Public Key: available to anyone.

MOST PKC ARE BASED ON NUMBER-THEORETIC PROBLEMS
➜ Quantum computers will break the most popular PKCs.

SLIDE 3

MCELIECE CRYPTOSYSTEM

KEY GENERATION
1. Given: C an [n, k, d] linear code over F_q, G ∈ F_q^{k×n} a generator matrix of C, S ∈ F_q^{k×k} a nonsingular matrix, P ∈ F_q^{n×n} a permutation matrix.
2. McEliece Public Key: (G′ = SGP, t).
3. McEliece Private Key: (G, S, P).

ENCRYPTION
Encrypt a message m ∈ F_q^k as y′ = mG′ + e′, where e′ ∈ F_q^n is a random error vector of weight ≤ t.

DECRYPTION
1. Compute y = y′P^{−1} = mG′P^{−1} + e′P^{−1} = mSG + e, where e = e′P^{−1} still has weight ≤ t because P only permutes coordinates.
2. Apply the decoding algorithm for C to find mS.
3. m = mSS^{−1}.

McEliece introduced the first PKC based on Error-Correcting Codes in 1978.
Advantages:
1. Interesting candidate for post-quantum cryptography.
2. Fast encryption (matrix-vector multiplication) and decryption functions.
Drawback: Large key size.

  • R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 42-44:114-116, 1978.

SLIDE 4

MOTIVATION

Niederreiter in [Niederreiter 1986] presents a dual version of the McEliece cryptosystem which is equivalent in terms of security.
➜ He proposed the class of GRS codes over F_{2^m}.
Sidelnikov and Shestakov in [Sidelnikov-Shestakov 1992] introduced an algorithm to break the initial Niederreiter scheme.
Berger and Loidreau in [Berger-Loidreau 2005] propose another version of the Niederreiter scheme designed to resist the Sidelnikov-Shestakov attack.
➜ Main idea: work with subcodes of the original GRS code.

  • T. Berger and P. Loidreau. How to mask the structure of codes for a cryptographic use. Designs, Codes and Cryptography, 35:63–79, 2005.
  • H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory, 15(2):159–166, 1986.
  • V. M. Sidelnikov and S. O. Shestakov. On the insecurity of cryptosystems based on generalized Reed-Solomon codes. Discrete Math. Appl., 2:439–444, 1992.

SLIDE 5

MOTIVATION

In [Wieschebrink 2006] Wieschebrink presents the first feasible attack on the Berger-Loidreau cryptosystem, but it is impractical for small subcodes.
In [Wieschebrink 2010] Wieschebrink notes that if the square code of a subcode of a GRS code is itself a GRS code of dimension 2k − 1, then we can apply the Sidelnikov-Shestakov attack.

MAIN TASK OF THIS PAPER
Confirm the previous observation and give a characterization of the parameters that should be used to avoid attacks on the Berger-Loidreau cryptosystem.

  • C. Wieschebrink. An attack on the modified Niederreiter encryption scheme. In PKC 2006, Lecture Notes in Computer Science, volume 3958, 14–26, Berlin, 2006. Springer.
  • C. Wieschebrink. Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes. In Post-Quantum Cryptography, Lecture Notes in Computer Science, volume 6061, 6–72, Berlin, 2010. Springer.

SLIDE 6

NOTATION

Let:
  • F_q be a finite field with q elements.
  • n, k, l ∈ N with 1 ≤ l ≤ k ≤ n ≤ q.
  • L_k := {f ∈ F_q[X] : deg(f(X)) ≤ k − 1}.
  • ev_{a,b} be the evaluation map at the elements a, b ∈ F_q^n, i.e.
    ev_{a,b} : L_k → F_q^n,  f ↦ (f(a_1)b_1, . . . , f(a_n)b_n).

GENERALIZED REED-SOLOMON CODES (OR GRS CODES)
Let a ∈ F_q^n such that a_i ≠ a_j for 1 ≤ i < j ≤ n, and b ∈ F_q^n with non-zero entries. The GRS code GRS_k(a, b) is defined by:
GRS_k(a, b) := { ev_{a,b}(f(X)) : f ∈ L_k }.

We define the star product a ∗ b ∈ F_q^n by a ∗ b = (a_1 · b_1, . . . , a_n · b_n).

REMARK
➜ GRS_k(a, b) = b ∗ GRS_k(a, 1).
➜ ev_{a,b}(f(X)g(X)) = ev_{a,1}(f(X)) ∗ ev_{a,b}(g(X)).

SLIDE 7

(a, b)-GAP OF A CODE

Let C be an l-dimensional subcode of the code GRS_k(a, b), and denote C_i := C ∩ GRS_i(a, b). Then C_0 ⊆ C_1 ⊆ . . . ⊆ C_k = C ∩ GRS_k(a, b) = C.

(a, b)-GAP OF THE CODE
i ∈ Z_{≥0} is called an (a, b)-gap of the code C if C_i = C_{i+1}. We define the associated (a, b) non-gap sequence of C by
I(a, b, C) = I(C) = { i ∈ Z_{≥0} : i is a non-gap of C }.

PROPOSITION 1
i ∈ Z_{≥0} is an (a, b) non-gap of C ⟺ ∃f ∈ F_q[X] with deg(f(X)) = i such that ev_{a,b}(f(X)) ∈ C.

COROLLARY 1
Let C be an l-dimensional subcode of the code GRS_k(a, b) with associated non-gap sequence I(C). Then:
1. I(C) = { i | ∃f ∈ F_q[X] with deg(f(X)) = i < k : ev_{a,b}(f(X)) ∈ C }.
2. C = { ev_{a,b}(f(X)) | f = 0 or f ∈ F_q[X] and deg(f(X)) ∈ I(C) }.
SLIDE 8

(a, b)-GAP OF A CODE

We can obtain a basis of C just by studying the associated (a, b) non-gap sequence of C.

PROPOSITION 2
There is a set I = {i_1, . . . , i_l} and there are l polynomials in unique normal form
$$ f_j(X) = X^{i_j} + \sum_{\substack{s < i_j \\ s \notin I}} f_{j,s} X^s \in \mathbb{F}_q[X], \qquad j = 1, \dots, l, $$
such that C = ⟨ ev_{a,b}(f_j(X)) : j = 1, . . . , l ⟩. Furthermore I(C) = I and dim(C) = |I(C)|.

PROPOSITION 3
Let I = {i_1, . . . , i_l} and
$$ e(I) = i_1 l + (i_2 - i_1 - 1)(l - 1) + \cdots + (i_l - i_{l-1} - 1) = \sum_{s=1}^{l} (i_s - i_{s-1} - 1)(l - s + 1), $$
where i_0 = −1. Then the number of l-dimensional subcodes of the code GRS_k(a, b) over F_q with a given non-gap sequence I is equal to q^{e(I)}.
SLIDE 9

(a, b)-GAP OF A CODE

REMARK
e(I) is minimal and equal to 0 for I = {0, 1, . . . , l − 1}.
e(I) is maximal and equal to l(k − l) for I = {k − l, . . . , k − 1}.
➜ The number of l-dimensional subcodes of the code GRS_k(a, b) over F_q is equal to the Gaussian binomial:
$$ \binom{k}{l}_q := \frac{(q^k - 1)(q^k - q) \cdots (q^k - q^{l-1})}{(q^l - 1)(q^l - q) \cdots (q^l - q^{l-1})} = \sum_{\substack{I \subseteq \{0, \dots, k-1\} \\ |I| = l}} q^{e(I)}. $$
➜ This number is polynomial in q with non-negative integers as coefficients.
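The counting identity on this slide, checked numerically: an added Python example (not part of the slides) that computes e(I) from the formula in Proposition 3, enumerates every l-subset I of {0, . . . , k − 1}, and compares Σ q^{e(I)} with the product formula for the Gaussian binomial. The field sizes q and the parameter triples (k, l, q) tried are constructed inputs; the functions also return the two extreme values of e(I) named in the remark.

```python
from itertools import combinations


def e_of(I):
    """e(I) from Proposition 3 with i_0 = -1:
    e(I) = sum_{s=1}^{l} (i_s - i_{s-1} - 1) (l - s + 1)."""
    seq = sorted(I)
    l = len(seq)
    prev = -1
    total = 0
    for s, i_s in enumerate(seq, start=1):
        total += (i_s - prev - 1) * (l - s + 1)
        prev = i_s
    return total


def gaussian_binomial(k, l, q):
    """Number of l-dimensional subspaces of F_q^k, from the product formula."""
    num = 1
    den = 1
    for j in range(l):
        num *= q**k - q**j
        den *= q**l - q**j
    return num // den  # always exact


def subcode_census(k, l, q):
    """{I: q^e(I)} over all candidate non-gap sequences I ⊆ {0..k-1} with |I| = l.
    By Proposition 3 each value is the number of l-dimensional subcodes of
    GRS_k(a, b) whose non-gap sequence is exactly I."""
    return {I: q ** e_of(I) for I in combinations(range(k), l)}


def census_matches_gaussian_binomial(k, l, q):
    """The identity on the slide: sum over I of q^e(I) == Gaussian binomial."""
    return sum(subcode_census(k, l, q).values()) == gaussian_binomial(k, l, q)


def extreme_exponents(k, l):
    """(min e(I), max e(I)) over the census; the remark predicts (0, l(k-l))."""
    exps = [e_of(I) for I in combinations(range(k), l)]
    return min(exps), max(exps)


if __name__ == "__main__":
    k, l, q = 5, 2, 3  # constructed parameters
    print(subcode_census(k, l, q))
    print(census_matches_gaussian_binomial(k, l, q), extreme_exponents(k, l))
```

The census dictionary is the useful by-product: it shows that almost all of the q^{l(k−l)} weight sits on the sequence {k − l, . . . , k − 1}, while the single "structured" sequence {0, . . . , l − 1} (the one Proposition 4 identifies with GRS_l(a, b)) contributes exactly one subcode.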

SLIDE 10

GRS SUBCODES OF GRS CODES I

We study the l-dimensional subcodes C of the code GRS_k(a, b) that are themselves GRS codes.

1. C = GRS_l(a, b) with 2 ≤ l ≤ k.

PROPOSITION 4
C = GRS_l(a, b) ⟺ I(C) = {0, . . . , l − 1}.
There is exactly ONE l-dimensional subcode C with I(C) = {0, . . . , l − 1}, which is GRS_l(a, b).

2. C = GRS_l(a, a^i ∗ b) with i + l ≤ k.

PROPOSITION 5
Let I(C) = {i_1, . . . , i_l} and c = ev_a(f(X)) with f ∈ F_q[X] and deg(f(X)) = i. If i + i_l < k then I(c ∗ C) = i + I(C).
Note that the converse is not true in general.

COROLLARY 3
If i + l ≤ k then I(GRS_l(a, a^i ∗ b)) = {i, i + 1, . . . , i + l − 1}.

SLIDE 11

GRS SUBCODES OF GRS CODES II

3. C = GRS_l(c, d).

PROPOSITION 6
Let l ≥ 2, g_0, h_1 ∈ F_q[X], a ∈ F_q^n with a_i ≠ a_j for 1 ≤ i < j ≤ n, b ∈ F_q^n with b_i ≠ 0 for 1 ≤ i ≤ n, d_0 = deg(g_0(X)) and d_1 = d_0 + deg(h_1(X)). If
1. ev_a(h_1(X)) = c with c_i ≠ c_j for 1 ≤ i < j ≤ n,
2. ev_{a,b}(g_0(X)) = d with d_i ≠ 0 for 1 ≤ i ≤ n,
3. d_0 < d_1,
4. d_0 + (l − 1)(d_1 − d_0) < k,
then the code C = GRS_l(c, d) is an l-dimensional subcode of GRS_k(a, b) with
I(C, a, b) = {d_0, d_1, . . . , d_0 + j(d_1 − d_0), . . . , d_0 + (l − 1)(d_1 − d_0)}.

PROPOSITION 7
Assume that C = GRS_l(c, d) ⊆ GRS_k(a, b), and let d_0 < d_1 be the first two elements of I(C, a, b). Then ∃g_0, h_1 ∈ F_q[X] such that:
1. ev_{a,b}(g_0(X)) = d.
2. ev_a(h_1(X)) = c.
3. d_0 = deg(g_0(X)).
4. d_1 = d_0 + deg(h_1(X)).

SLIDE 12

GRS SUBCODES OF GRS CODES III

COROLLARY 5
If 2k − 2 < n and 2 ≤ l ≤ k, then the number of l-dimensional subcodes of the code GRS_k(a, b) over F_q that are GRS codes is at most q^{k−l+3}.
The probability that an arbitrary l-dimensional subcode of the code GRS_k(a, b) is a GRS code is at most
$$ \frac{q^{k-l+3}}{\binom{k}{l}_q} \le \frac{q^{k-l+3}}{q^{l(k-l)}} = q^{-(l-1)(k-l)+3}. $$
This fraction tends to zero for k → ∞ or (k − l) → ∞.

SLIDE 13

THE SQUARE OF A CODE

THE SQUARE CODE
The square code of an [n, k] linear code C over F_q, denoted by D = C ∗ C, is the code generated by the set { r_i ∗ r_j : 1 ≤ i ≤ j ≤ k }, where r_1, . . . , r_k denote the rows of a generator matrix of C.

Let:
  • C be an l-dimensional subcode of GRS_k(a, b).
  • r_1, . . . , r_l be the rows of a generator matrix of C.
  • f_1, . . . , f_l be the polynomials associated to those rows.
Then
r_i ∗ r_j = ( b_1^2 f_i(a_1) f_j(a_1), . . . , b_n^2 f_i(a_n) f_j(a_n) ) = ev_{a,b∗b}(f_i(X) f_j(X))
and deg(f_i(X) f_j(X)) = deg(f_i(X)) + deg(f_j(X)) ≤ 2k − 2 for 1 ≤ i ≤ j ≤ l.

REMARK
Thus the code D = C ∗ C = ⟨ r_i ∗ r_j : 1 ≤ i ≤ j ≤ l ⟩ is a subcode of the code GRS_{2k−1}(a, b ∗ b).

SLIDE 14

(a, b ∗ b) GAP OF D = C ∗ C

We denote by D_i = D ∩ GRS_i(a, b ∗ b). Then i ∈ Z_{≥0} is an (a, b ∗ b) gap of D if D_i = D_{i+1}, and
J(D, a, b ∗ b) = { j ∈ Z_{≥0} : j is an (a, b ∗ b) non-gap of D }
is the (a, b ∗ b) non-gap sequence associated to the square code.

REMARK
j ∈ J(D, a, b ∗ b) ⟺ ∃g ∈ F_q[X] with deg(g(X)) = j : ev_{a,b∗b}(g(X)) ∈ D.

PROPOSITION 8
I(C, a, b) + I(C, a, b) = {i + j : i, j ∈ I(C, a, b)} ⊆ J(D, a, b ∗ b). Furthermore:
1. If 0 ∈ I(C, a, b) then I(C, a, b) ⊆ J(D, a, b ∗ b).
2. Let I(C, a, b) = {i_1, . . . , i_l} with i_1 + i_l < 2k − 1 and c = ev_{a,b}(f(X)) ∈ C for f ∈ F_q[X] with deg(f(X)) = i_1. Then I(c ∗ C, a, b) = i_1 + I(C, a, b) ⊆ J(D).
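The objects defined on slides 6, 7, 13 and 14 (evaluation map, star product, non-gap sequence, square code) in executable form, as an added Python example that is not taken from the slides. It works over the prime field F_11 and hard-codes the subcode used as the Proposition 8 counterexample later in the deck (f_1 = 1, f_2 = X^2 + X, f_3 = X^3, f_4 = X^4 inside GRS_5(a, b)); the evaluation points a and the column multipliers b are constructed, and the non-gap sequence is computed directly from its definition (dimensions of C ∩ GRS_i) rather than from polynomial degrees. Comparing dim(C ∗ C) with 2k − 1 is the parameter check the Berger-Loidreau discussion calls for: a subcode whose square already fills GRS_{2k−1}(a, b ∗ b) is exactly the case the motivation slides identify as attackable, so a key generator should reject such a choice.

```python
from itertools import combinations_with_replacement

P = 11  # constructed example: prime field F_11, so arithmetic is plain modular

# Constructed evaluation points a (distinct) and non-zero column multipliers b; n = 11.
A = list(range(11))
B = list(range(1, 11)) + [7]

# Subcode from the Proposition 8 counterexample: f1 = 1, f2 = X^2 + X, f3 = X^3, f4 = X^4.
# Polynomials are coefficient lists, lowest degree first.
COUNTEREXAMPLE_POLYS = [[1], [0, 1, 1], [0, 0, 0, 1], [0, 0, 0, 0, 1]]
K = 5  # the ambient code is GRS_5(a, b)


def evaluate(poly, a, b, p=P):
    """ev_{a,b}(f) = (f(a_1) b_1, ..., f(a_n) b_n), evaluated by Horner's rule."""
    out = []
    for ai, bi in zip(a, b):
        val = 0
        for coeff in reversed(poly):
            val = (val * ai + coeff) % p
        out.append((val * bi) % p)
    return out


def star(u, v, p=P):
    """Component-wise (star) product u * v."""
    return [(x * y) % p for x, y in zip(u, v)]


def grs_generator(k, a, b, p=P):
    """Generator matrix of GRS_k(a, b): rows ev_{a,b}(X^j) for j = 0, ..., k-1."""
    return [evaluate([0] * j + [1], a, b, p) for j in range(k)]


def rank(rows, p=P):
    """Rank over F_p by Gaussian elimination (rows: list of equal-length lists)."""
    rows = [r[:] for r in rows]
    rk = 0
    ncols = len(rows[0]) if rows else 0
    for col in range(ncols):
        piv = next((r for r in range(rk, len(rows)) if rows[r][col]), None)
        if piv is None:
            continue
        rows[rk], rows[piv] = rows[piv], rows[rk]
        inv = pow(rows[rk][col], -1, p)
        rows[rk] = [(x * inv) % p for x in rows[rk]]
        for r in range(len(rows)):
            if r != rk and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % p for x, y in zip(rows[r], rows[rk])]
        rk += 1
    return rk


def non_gap_sequence(c_rows, a, b, k, p=P):
    """I(C, a, b) straight from the definition on slide 7: i is a non-gap iff
    C_i = C ∩ GRS_i(a, b) is strictly smaller than C_{i+1}.  The intersection
    dimension comes from dim(C ∩ W) = dim C + dim W - dim(C + W)."""
    dim_c = rank(c_rows, p)
    dims = []
    for i in range(k + 1):
        g_i = grs_generator(i, a, b, p)  # dim GRS_i = i (distinct a, non-zero b, i <= n)
        dims.append(dim_c + i - rank(c_rows + g_i, p))
    return [i for i in range(k) if dims[i] < dims[i + 1]]


def square_code(c_rows, p=P):
    """Generators r_i * r_j (1 <= i <= j <= l) of D = C * C (slide 13)."""
    return [star(ri, rj, p) for ri, rj in combinations_with_replacement(c_rows, 2)]


def square_fills_grs(c_rows, k, p=P):
    """Parameter check: does C * C already equal GRS_{2k-1}(a, b*b)?  Because
    D ⊆ GRS_{2k-1}(a, b*b) always holds (slide 13), equality is dim D == 2k - 1."""
    return rank(square_code(c_rows, p), p) == 2 * k - 1


def counterexample_report():
    """Run the Proposition 8 counterexample and return the quantities the slide claims."""
    c_rows = [evaluate(f, A, B) for f in COUNTEREXAMPLE_POLYS]
    d_rows = square_code(c_rows)
    i_c = non_gap_sequence(c_rows, A, B, K)
    return {
        "I(C)": i_c,
        "I(C)+I(C)": sorted({x + y for x in i_c for y in i_c}),
        "J(D)": non_gap_sequence(d_rows, A, star(B, B), 2 * K - 1),
        "dim D": rank(d_rows),
        "D = GRS_9(a, b*b)": square_fills_grs(c_rows, K),
    }


if __name__ == "__main__":
    for key, value in counterexample_report().items():
        print(f"{key}: {value}")
```

Running it reproduces the slide 30 numbers: I(C) = {0, 2, 3, 4}, I(C) + I(C) misses 1, yet J(D) = {0, . . . , 8} and dim D = 9 = 2k − 1. By contrast `square_fills_grs(grs_generator(2, A, B), K)` is false, since the square of GRS_2(a, b) has dimension 3 (Proposition 10), which is the situation Corollary 6 describes.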

SLIDE 15

THE SQUARE CODE

PROPOSITION 9
$$ \dim(D) \le \min\left\{ 2k - 1,\ \binom{l+1}{2} \right\}. $$
Furthermore:
1. If D = GRS_r(a, b ∗ b) then I(C, a, b) ⊆ { 0, . . . , ⌊(r − 1)/2⌋ }.
2. If D = GRS_r(a, a^i ∗ b ∗ b) then I(C, a, b) ⊆ { ⌊i/2⌋, . . . , ⌊(i + r − 1)/2⌋ }.
3. If D = GRS_r(a, a^i ∗ b ∗ b) then I(C, a, b) ⊆ { ⌊d_0/2⌋, . . . , ⌊(d_0 + (r − 1)(d_1 − d_0))/2⌋ }, where d_0 < d_1 and d_0 + (r − 1)(d_1 − d_0) < 2k − 1.
SLIDE 16

THE SQUARE CODE OF A GRS CODE

Let C be a GRS code. Then:

PROPOSITION 10
GRS_k(a, b) ∗ GRS_l(a, c) = GRS_{k+l−1}(a, b ∗ c). In particular GRS_{2l−1}(a, b ∗ b) is the square code of GRS_l(a, b).

COROLLARY 6
If I(C, a, b) = {0, . . . , l − 1} then J(D, a, b ∗ b) = {0, . . . , 2l − 2}, i.e. D = GRS_{2l−1}(a, b ∗ b).

The converse is NOT true in general.

SLIDE 17

WHEN IS D = C ∗ C = GRS_{2k−1}(a, b ∗ b)?

PROPOSITION 11
Let I(C, a, b) = {i_1, . . . , i_l}. If D = GRS_{2k−1}(a, b ∗ b), then
|{ (u, v) : i_u + i_v ≥ t and 1 ≤ u ≤ v ≤ l }| ≥ 2k − t − 1 for all t = 0, . . . , 2k − 2.

REMARK
Let C be an l-dimensional subcode of GRS_k(a, b) with I(C, a, b) = {i_1, . . . , i_l}. If D = C ∗ C = GRS_{2k−1}(a, b ∗ b) then:
1. 2k − 1 ≤ $\binom{l+1}{2}$ (particular case t = 0 of Proposition 11).
2. i_l = k − 1 (case t = 2k − 2 of Proposition 11).
3. i_{l−1} = k − 2 (case t = 2k − 3 of Proposition 11).
4. i_{l−2} ≥ k − 4 (case t = 2k − 5 of Proposition 11).

REMARK
I(C, a, b) = {k − l, . . . , k − 1} satisfies the conditions of Proposition 11 for all t. However, this does not imply that D = C ∗ C is exactly GRS_{2k−1}(a, b ∗ b).

SLIDE 18

GENERATOR MATRIX OF D

Assume that we have two polynomials f(X), g(X) ∈ L_k, i.e.
$$ f(X) = \sum_{r=0}^{k-1} f_r X^r \quad \text{and} \quad g(X) = \sum_{s=0}^{k-1} g_s X^s $$
with f_r, g_s ∈ F_q for r, s ∈ {0, . . . , k − 1}. Then f(X)g(X) = h(X) = h_0 + h_1X + . . . + h_{2k−2}X^{2k−2} ∈ L_{2k−1}. This can be expressed in matrix form as follows:
$$ R(f)\, S(g)^T = \begin{pmatrix} h_{2k-2} \\ h_{2k-3} \\ \vdots \\ h_{k-1} \\ \vdots \\ h_0 \end{pmatrix}, $$
where
$$ R(f) = \begin{pmatrix} f_0 & f_1 & \cdots & f_{k-1} & 0 & \cdots & \cdots & 0 \\ 0 & f_0 & f_1 & \cdots & f_{k-1} & 0 & \cdots & 0 \\ \vdots & & \ddots & & & \ddots & & \vdots \\ 0 & \cdots & \cdots & 0 & f_0 & f_1 & \cdots & f_{k-1} \end{pmatrix} \in \mathbb{F}_q^{(2k-1) \times (3k-2)} $$
(row r, for r = 0, . . . , 2k − 2, carries f_0, . . . , f_{k−1} in columns r, . . . , r + k − 1) and
$$ S(g) = \big( \underbrace{0 \cdots 0}_{k-1} \;\; g_{k-1} \; \cdots \; g_0 \;\; \underbrace{0 \cdots 0}_{k-1} \big) \in \mathbb{F}_q^{1 \times (3k-2)}. $$

SLIDE 19

GENERATOR MATRIX OF D

Let C be an l-dimensional subcode of GRS_k(a, b) with I(C, a, b) = {i_1, . . . , i_l}. By Proposition 2 there are l polynomials in normal form
$$ f_j(X) = \sum_{s=0}^{i_j - 1} f_{j,s} X^s + X^{i_j}, \qquad j = 1, \dots, l, $$
such that C = ⟨ ev_{a,b}(f_i(X)) : i ∈ {1, . . . , l} ⟩. Then the elements ev_{a,b∗b}(f_u(X)f_v(X)) with 1 ≤ u ≤ v ≤ l generate the square code D = C ∗ C. Let us denote
f_u(X)f_v(X) = g_{uv}(X) = g_{uv,0} + g_{uv,1}X + · · · + g_{uv,2k−2}X^{2k−2} ∈ L_{2k−1}, with 1 ≤ u ≤ v ≤ l.
Then the following matrix is a generator matrix of D:
$$ G_D = \begin{pmatrix} g_{11,2k-2} & \cdots & g_{1l,2k-2} & g_{22,2k-2} & \cdots & g_{2l,2k-2} & \cdots & g_{ll,2k-2} \\ \vdots & & \vdots & \vdots & & \vdots & & \vdots \\ g_{11,0} & \cdots & g_{1l,0} & g_{22,0} & \cdots & g_{2l,0} & \cdots & g_{ll,0} \end{pmatrix}. $$
G_D is a matrix of size (2k − 1) × $\binom{l+1}{2}$ over F_q.
SLIDE 20

GENERATOR MATRIX OF D

If we define
$$ R = \big( \underbrace{R(f_1), \dots, R(f_1)}_{l}, \underbrace{R(f_2), \dots, R(f_2)}_{l-1}, \dots, R(f_l) \big) \in \mathbb{F}_q^{(2k-1) \times \binom{l+1}{2}(3k-2)}, $$
$$ S(f_1, \dots, f_l) = \begin{pmatrix} S(f_1) & & & \\ & S(f_2) & & \\ & & \ddots & \\ & & & S(f_l) \end{pmatrix} \in \mathbb{F}_q^{l \times l(3k-2)} $$
(a block-diagonal matrix, all other blocks zero) and
$$ S = \begin{pmatrix} S(f_1, \dots, f_l) & & & \\ & S(f_2, \dots, f_l) & & \\ & & \ddots & \\ & & & S(f_l) \end{pmatrix} \in \mathbb{F}_q^{\binom{l+1}{2} \times \binom{l+1}{2}(3k-2)}, $$
then R S^T = G_D.
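The matrix formulation of slides 18 to 20, as an added Python example (not from the slides): R(f) and S(g) are built with the shapes given above, R(f)S(g)^T is compared against plain polynomial multiplication, and G_D is assembled column by column as R(f_u)S(f_v)^T for u ≤ v, which is what the block structure of R and S computes. The prime modulus and the three polynomials are constructed inputs.

```python
P = 7  # constructed prime modulus
K = 3  # polynomials live in L_3: degree <= 2, coefficient lists of length 3 (low degree first)

# Constructed polynomials in normal form: f1 = 1, f2 = 2 + X, f3 = 3 + 5X + X^2
POLYS = [[1, 0, 0], [2, 1, 0], [3, 5, 1]]


def poly_mul(f, g, p=P):
    """Plain coefficient convolution h = f*g mod p, lowest degree first."""
    h = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[i + j] = (h[i + j] + fi * gj) % p
    return h


def R(f, k=K):
    """(2k-1) x (3k-2) matrix of slide 18: row r carries f_0..f_{k-1} in columns r..r+k-1."""
    rows = []
    for r in range(2 * k - 1):
        row = [0] * (3 * k - 2)
        for s, fs in enumerate(f):
            row[r + s] = fs
        rows.append(row)
    return rows


def S(g, k=K):
    """1 x (3k-2) row of slide 18: k-1 zeros, then g_{k-1}, ..., g_0, then k-1 zeros."""
    return [0] * (k - 1) + list(reversed(g)) + [0] * (k - 1)


def rs_column(f, g, k=K, p=P):
    """R(f) S(g)^T = (h_{2k-2}, ..., h_0)^T: coefficients of f*g from the top degree down."""
    s = S(g, k)
    return [sum(x * y for x, y in zip(row, s)) % p for row in R(f, k)]


def rs_matches_convolution(f, g, k=K, p=P):
    """The identity on slide 18: R(f)S(g)^T equals the reversed convolution."""
    return rs_column(f, g, k, p) == list(reversed(poly_mul(f, g, p)))


def generator_matrix_of_square(polys, k=K, p=P):
    """G_D of slide 19: one column per pair u <= v (ordered as on the slide),
    rows indexed by degree 2k-2 down to 0.  Each column is R(f_u) S(f_v)^T,
    which is exactly the column R S^T produces on slide 20."""
    cols = [rs_column(polys[u], polys[v], k, p)
            for u in range(len(polys)) for v in range(u, len(polys))]
    return [list(row) for row in zip(*cols)]  # transpose the list of columns into rows


if __name__ == "__main__":
    for row in generator_matrix_of_square(POLYS):
        print(row)
```

For the constructed polynomials the result is a 5 × 6 matrix, i.e. (2k − 1) × $\binom{l+1}{2}$ with k = l = 3, matching the size stated on slide 19; its rank (computed with any F_p elimination routine) is the quantity the final remark on slide 21 asks to be 2k − 1.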

SLIDE 21

NECESSARY CONDITIONS TO HAVE D = C ∗ C = GRS_{2k−1}(a, b ∗ b)

FINAL REMARK
The following properties are necessary conditions for D = C ∗ C to be the code GRS_{2k−1}(a, b ∗ b):
1. I(C) = {i_1, . . . , i_l} ⊆ {0, . . . , k − 1}.
2. i_l = k − 1, i_{l−1} = k − 2 and i_{l−2} ≥ k − 4.
3. The matrix G_D has full rank, i.e. rank(R(f_1), . . . , R(f_l)) = 2k − 1.

SLIDE 22

THANKS FOR YOUR ATTENTION

SLIDE 23

PROPOSITION 1

PROPOSITION 1
i ∈ Z_{≥0} is an (a, b) non-gap of C ⟺ ∃f ∈ F_q[X] with deg(f(X)) = i such that ev_{a,b}(f(X)) ∈ C.

(⇒) Suppose that i ∈ I(C, a, b). Then by definition C_i ≠ C_{i+1}, that is, ∃c ∈ C_{i+1} \ C_i, so
  • c ∈ C, and
  • c ∈ GRS_{i+1}(a, b) \ GRS_i(a, b), i.e. there exists a unique polynomial f ∈ L_{i+1} with c = ev_{a,b}(f(X)).
But if deg(f(X)) < i then c ∈ C_i, thus deg(f(X)) = i.
(⇐) If ∃f ∈ F_q[X] with deg(f(X)) = i such that c = ev_{a,b}(f(X)) ∈ C, then c ∈ C_{i+1} \ C_i. Hence i ∈ I(C, a, b).

SLIDE 24

PROPOSITION 2

By Corollary 1, ∀c ∈ C, ∃f ∈ F_q[X] with deg(f(X)) ∈ I(C) such that c = ev_{a,b}(f(X)). Furthermore the code C has dimension l, i.e. ∃f_1, . . . , f_l ∈ F_q[X] with deg(f_i(X)) ∈ I(C) for i ∈ {1, . . . , l} such that C = ⟨ ev_{a,b}(f_i(X)) : i ∈ {1, . . . , l} ⟩. To make the notation easier we can assume that:
1. deg(f_j(X)) = i_j for j ∈ {1, . . . , l}.
2. deg(f_1(X)) ≤ . . . ≤ deg(f_l(X)), i.e. I = {i_1, . . . , i_l}.
3. The polynomials f_1, . . . , f_l are monic.
Thus each polynomial f_j can be written as
$$ f_j(X) = \sum_{s=0}^{i_j - 1} f_{j,s} X^s + X^{i_j}, \qquad j = 1, \dots, l. $$
Let us define the matrix M(f_1, . . . , f_l) = (f_{j,s}) ∈ F_q^{l×k} as the matrix whose j-th row represents the coefficients of the polynomial f_j with respect to the monomials {1, X, . . . , X^{k−1}}, for j ∈ {1, . . . , l}. After applying Gaussian elimination on the previous matrix we obtain a matrix of the following form, where row j has a 1 in column i_j, zeros in the other columns indexed by I and in every column beyond i_j, and free entries ∗_{j,s} in the columns s < i_j with s ∉ I:
$$ \begin{pmatrix} *_{1,0} & \cdots & *_{1,i_1-1} & 1 & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 \\ *_{2,0} & \cdots & *_{2,i_1-1} & 0 & *_{2,i_1+1} & \cdots & *_{2,i_2-1} & 1 & 0 & \cdots & 0 \\ \vdots & & \vdots & \vdots & \vdots & & \vdots & \vdots & \ddots & & \vdots \\ *_{l,0} & \cdots & *_{l,i_1-1} & 0 & *_{l,i_1+1} & \cdots & *_{l,i_2-1} & 0 & \cdots & 1 & 0 \cdots 0 \end{pmatrix}. \qquad (1) $$
From the above matrix we can conclude the result of the Proposition.

SLIDE 25

PROPOSITION 3

Let C be an l-dimensional subcode of GRS_k(a, b) with non-gap sequence I(C) = {i_1, . . . , i_l}. By Proposition 2 there are l polynomials in normal form
$$ f_j(X) = \sum_{s=0}^{i_j - 1} f_{j,s} X^s + X^{i_j}, \qquad j = 1, \dots, l, $$
such that C = ⟨ ev_{a,b}(f_i(X)) : i ∈ {1, . . . , l} ⟩. If we fix the set I there are q^{e(I)} l-dimensional subcodes of GRS_k(a, b) with associated non-gap sequence I: the coefficient matrix M(f_1, . . . , f_l) has the form (1), and e(I) is equal to the number of entries of M(f_1, . . . , f_l) which are free to be chosen in F_q as long as the form of M is not changed.

SLIDE 26

PROPOSITION 4

(⇒) If C = GRS_l(a, b), then by definition I(C) = {0, . . . , l − 1}.
(⇐) Suppose that the associated non-gap sequence of C is I(C) = {0, . . . , l − 1}. Then by Proposition 2 the vectors ev_{a,b}(X^i) with i ∈ {0, . . . , l − 1} form a basis of C, which is also a basis of GRS_l(a, b). Thus C = GRS_l(a, b).

REMARK
If I = {0, . . . , l − 1} then e(I) = 0, thus there exists exactly ONE l-dimensional subcode C of the code GRS_k(a, b) with I(C) = {0, . . . , l − 1}. And by Proposition 4 we have that C = GRS_l(a, b).

SLIDE 27

PROPOSITION 5

Suppose that I(C) = {i_1, . . . , i_l}. Then there are l polynomials in normal form
$$ f_j(X) = \sum_{s=0}^{i_j - 1} f_{j,s} X^s + X^{i_j}, \qquad j = 1, \dots, l, $$
such that C = ⟨ ev_{a,b}(f_i(X)) : i ∈ {1, . . . , l} ⟩. Since c = ev_a(f(X)) with f ∈ F_q[X] and deg(f(X)) = i, we have
c ∗ ev_{a,b}(f_j(X)) = ev_{a,b}(f(X)f_j(X)) with deg(f(X)f_j(X)) = i + i_j ≤ i + i_l < k for all j ∈ {1, . . . , l}.
Hence c ∗ C = ⟨ ev_{a,b}(f(X)f_j(X)) : j ∈ {1, . . . , l} ⟩ ⊆ GRS_{i+i_l+1}(a, b). That is, {i + i_1, . . . , i + i_l} = i + I(C) ⊆ I(c ∗ C). Since c ∗ C has dimension l, |I(c ∗ C)| = l, thus I(c ∗ C) = i + I(C).

SLIDE 28

PROPOSITION 6

Let us define g_j(X) = g_0(X)(h_1(X))^j with j ∈ {0, . . . , l − 1}. Then 0 ≤ deg(g_j(X)) = d_0 + j(d_1 − d_0) < k for all j ∈ {0, . . . , l − 1}. Thus the degree of g_j(X) is strictly increasing with j (since d_0 < d_1). Furthermore
ev_{a,b}(g_j(X)) = ev_{a,b}(g_0(X)) ∗ (ev_a(h_1(X)))^j = d ∗ c^j,
i.e. the code GRS_l(c, d) has ev_{a,b}(g_j(X)) with j ∈ {0, . . . , l − 1} as a basis. That is, GRS_l(c, d) is an l-dimensional subcode of the code GRS_k(a, b) and I(C, a, b) = {d_0, d_1, d_0 + 2(d_1 − d_0), . . . , d_0 + (l − 1)(d_1 − d_0)}.

SLIDE 29

PROPOSITION 7

Let us assume that C = GRS_l(c, d) is an l-dimensional subcode of GRS_k(a, b), i.e. ∃g_j ∈ F_q[X] with ev_{a,b}(g_j(X)) = ev_{c,d}(X^j) for j ∈ {0, . . . , l − 1}. Hence:
b ∗ ev_{a,b}(g_i(X)g_j(X)) = ev_{a,b}(g_i(X)) ∗ ev_{a,b}(g_j(X)) = ev_{c,d}(X^i) ∗ ev_{c,d}(X^j) = d ∗ ev_{c,d}(X^{i+j}).
So ev_{a,b}(g_i(X)g_j(X)) = ev_{a,b}(g_u(X)g_v(X)), i.e. g_i(X)g_j(X) = g_u(X)g_v(X) for 0 ≤ i, j, u, v ≤ l such that i + j = u + v. In particular we have that
g_0^{j−1}(X) g_j(X) = g_1^j(X),  (2)
g_0(X) g_2(X) = g_1(X) g_1(X).  (3)
From these equations we can deduce that ∃h_1 ∈ F_q[X] such that g_1(X) = g_0(X)h_1(X), that is, g_j(X) = g_0(X)h_1^j(X). And this implies that
d ∗ c^j = ev_{c,d}(X^j) = ev_{a,b}(g_j(X)) = ev_{a,b}(g_0(X)) ∗ ev_a(h_1(X))^j.
1. If j = 0 we deduce that d = ev_{a,b}(g_0(X)).
2. If j = 1 we deduce that c = ev_a(h_1(X)).
Let d̂_0 = deg(g_0(X)) and d̂_1 = d̂_0 + deg(h_1(X)). Then the (a, b) non-gap sequence of C is
d̂_0, d̂_1, d̂_0 + 2(d̂_1 − d̂_0), . . . , d̂_0 + (l − 1)(d̂_1 − d̂_0).
Therefore d̂_0 = d_0 and d̂_1 = d_1.

SLIDE 30

PROPOSITION 8

If i_1 + i_2 ∈ I(C) + I(C), then
  • i_1 ∈ I(C), so by Proposition 1 ∃f_1 ∈ F_q[X] with deg(f_1(X)) = i_1 and ev_{a,b}(f_1(X)) ∈ C;
  • i_2 ∈ I(C), so by Proposition 1 ∃f_2 ∈ F_q[X] with deg(f_2(X)) = i_2 and ev_{a,b}(f_2(X)) ∈ C.
Therefore ev_{a,b}(f_1(X)) ∗ ev_{a,b}(f_2(X)) = ev_{a,b∗b}(f_1(X)f_2(X)) ∈ D with deg(f_1(X)f_2(X)) = deg(f_1(X)) + deg(f_2(X)) = i_1 + i_2. Thus i_1 + i_2 ∈ J(D).

COUNTEREXAMPLE: THE EQUALITY DOES NOT HOLD IN GENERAL
Consider C = ⟨ ev_{a,b}(f_1), . . . , ev_{a,b}(f_4) ⟩ ⊆ GRS_5(a, b) where f_1 = 1, f_2 = X^2 + X, f_3 = X^3 and f_4 = X^4. Then:
1. I(C) = {0, 2, 3, 4} ⇒ I(C) + I(C) = {0, 2, 3, 4, 5, 6, 7, 8}.
2. 1 ∈ J(D), since X = f_1(X)f_2(X) − f_2^2(X) + f_1(X)f_4(X) + 2f_1(X)f_3(X), so ev_{a,b∗b}(X) ∈ C ∗ C = D.
But 1 ∉ I(C) + I(C). In fact J(D) = {0, 1, . . . , 8} ⇒ D = GRS_9(a, b ∗ b).

SLIDE 31

PROPOSITION 9

Let g_1, . . . , g_l be a basis of C. Then the elements g_i ∗ g_j with 1 ≤ i ≤ j ≤ l generate D. Therefore
$$ \dim D \le \sum_{i=1}^{l} i = \binom{l+1}{2}. $$
Since D ⊆ GRS_{2k−1}(a, b ∗ b), also dim D ≤ 2k − 1. Furthermore:
1. If D = GRS_r(a, b ∗ b) ⇒ I(C, a, b) ⊆ {0, . . . , ⌊(r − 1)/2⌋}.
In fact, since D = GRS_r(a, b ∗ b), by Proposition 4 J(D) = {0, . . . , r − 1}, and by Proposition 8 I(C, a, b) + I(C, a, b) ⊆ J(D, a, b ∗ b). I.e. if I(C, a, b) = {i_1, . . . , i_l} then:
  1. 2i_1 = i_1 + i_1 ≥ 0 ⇒ i_1 ≥ 0.
  2. If 2i_l ≤ 2k − 1 then 2i_l = i_l + i_l ∈ J(D) ⇒ i_l ≤ ⌊(r − 1)/2⌋.
2. and 3. Similarly to the previous procedure we can conclude 2 and 3.

SLIDE 32

PROPOSITION 10

Recall that the code GRS_k(a, b) is generated by the elements ev_{a,b}(X^i) with i ∈ {0, . . . , k − 1}. Thus the code GRS_k(a, b) ∗ GRS_l(a, c) is generated by the elements
ev_{a,b}(X^i) ∗ ev_{a,c}(X^j) = ev_{a,b∗c}(X^{i+j}) with i ∈ {0, . . . , k − 1} and j ∈ {0, . . . , l − 1}, i.e. 0 ≤ i + j ≤ k + l − 2.
Therefore the right hand side of the previous equality is a complete set of generators of the code GRS_{k+l−1}(a, b ∗ c).
SLIDE 33

PROPOSITION 11

Let C be an l-dimensional subcode of GRS_k(a, b) with I(C, a, b) = {i_1, . . . , i_l}. Then by Proposition 2 there are l polynomials in normal form
$$ f_j(X) = X^{i_j} + \sum_{\substack{s < i_j \\ s \notin I}} f_{j,s} X^s \in \mathbb{F}_q[X], \qquad j = 1, \dots, l, $$
such that C = ⟨ ev_{a,b}(f_1(X)), . . . , ev_{a,b}(f_l(X)) ⟩. Then the elements ev_{a,b∗b}(f_u(X)f_v(X)) with 1 ≤ u ≤ v ≤ l generate the square code D = C ∗ C, where deg(f_u(X)f_v(X)) = deg(f_u(X)) + deg(f_v(X)) = i_u + i_v.
Assume that D = GRS_{2k−1}(a, b ∗ b), i.e. the elements ev_{a,b∗b}(X^j) with 0 ≤ j ≤ 2k − 2 form a basis of D. Hence ∀t ∈ {0, . . . , 2k − 2}, ∃(u, v) with i_u + i_v ≥ t and 1 ≤ u ≤ v ≤ l. Since ev_{a,b∗b}(f_u(X)f_v(X)) ∈ GRS_t(a, b ∗ b) ⇒ i_u + i_v < t (with 1 ≤ u ≤ v ≤ l), the vector space V_t = GRS_{2k−1}(a, b ∗ b) \ GRS_t(a, b ∗ b) is generated by the elements ev_{a,b∗b}(f_u(X)f_v(X)) with i_u + i_v ≥ t and 1 ≤ u ≤ v ≤ l, and dim V_t = 2k − 1 − t. Thus this is a lower bound on the number of elements that generate V_t.

SLIDE 34

COROLLARY 5

Let C be an l-dimensional GRS subcode of GRS_k(a, b), i.e. C = GRS_l(c, d), and let d_0 < d_1 be the first two elements of I(C, a, b). By Proposition 7 there exist g_0, h_1 ∈ F_q[X] such that:
1. ev_{a,b}(g_0(X)) = d.
2. ev_a(h_1(X)) = c.
3. d_0 = deg(g_0(X)).
4. d_1 = d_0 + deg(h_1(X)).
Note that:
  • The number of possible polynomials g_0 ∈ F_q[X] is at most (q − 1)q^{d_0}.
  • The number of possible polynomials h_1 ∈ F_q[X] is at most (q − 1)q^{d_1−d_0}.
Since the pair (g_0, h_1) determines the code C uniquely and the number of possible pairs of given degrees d_0 and d_1 is at most (q − 1)^2 q^{d_1}, the number of l-dimensional subcodes of GRS_k(a, b) that are GRS is at most
$$ \sum_{d_1 = 1}^{k-l+1} (q - 1)^2 q^{d_1} \le q^{k-l+3}. $$