 
Error-correcting Pairs for a Public-key Cryptosystem
Ruud Pellikaan, g.r.pellikaan@tue.nl
Joint work with Irene Márquez-Corbella
Code-based Cryptography Workshop 2012, Lyngby, 9 May 2012
Introduction and content (2/37)
◮ Error-correcting pair
  - Generalized Reed-Solomon codes
  - Alternant codes
  - Goppa codes
◮ $t$-error-correcting pair corrects $t$ errors
◮ Algebraic geometry codes
◮ Code-based cryptography
Error-correcting codes (3/37)
$C$ linear block code: $\mathbb{F}_q$-linear subspace of $\mathbb{F}_q^n$
Parameters $[n, k, d]$: $n$ = length, $k$ = dimension of $C$, $d$ = minimum distance of $C$, where
$d = \min \{ d(x, y) \mid x, y \in C,\ x \neq y \}$
$t$ = error-correcting capacity of $C$: $t = \lfloor (d(C) - 1)/2 \rfloor$
Inner and star product (4/37)
The standard inner product is defined by $a \cdot b = a_1 b_1 + \cdots + a_n b_n$
For two subsets $A$ and $B$ of $\mathbb{F}_q^n$: $A \perp B$ if and only if $a \cdot b = 0$ for all $a \in A$ and $b \in B$
Let $a$ and $b$ be in $\mathbb{F}_q^n$. The star product is defined by coordinatewise multiplication: $a * b = (a_1 b_1, \ldots, a_n b_n)$
For two subsets $A$ and $B$ of $\mathbb{F}_q^n$: $A * B = \{ a * b \mid a \in A \text{ and } b \in B \}$
Error-correcting pairs (5/37)
Let $C$ be a linear code in $\mathbb{F}_q^n$. The pair $(A, B)$ of linear subcodes of $\mathbb{F}_{q^m}^n$ is called a $t$-error-correcting pair (ECP) over $\mathbb{F}_{q^m}$ for $C$ if
E.1 $(A * B) \perp C$
E.2 $k(A) > t$
E.3 $d(B^\perp) > t$
E.4 $d(A) + d(C) > n$
Generalized Reed-Solomon codes (6/37)
Let $a = (a_1, \ldots, a_n)$ be an $n$-tuple of mutually distinct elements of $\mathbb{F}_q$
Let $b = (b_1, \ldots, b_n)$ be an $n$-tuple of nonzero elements of $\mathbb{F}_q$
Evaluation map: $\mathrm{ev}_{a,b}(f(X)) = (f(a_1) b_1, \ldots, f(a_n) b_n)$
$\mathrm{GRS}_k(a, b) = \{ \mathrm{ev}_{a,b}(f(X)) \mid f(X) \in \mathbb{F}_q[X],\ \deg f(X) < k \}$
Parameters: $[n, k, n - k + 1]$ if $k \leq n$
Furthermore $\mathrm{ev}_{a,b}(f(X)) * \mathrm{ev}_{a,c}(g(X)) = \mathrm{ev}_{a,b}(f(X) g(X)) * c$, and
$\langle \mathrm{GRS}_k(a, b) * \mathrm{GRS}_l(a, c) \rangle = \mathrm{GRS}_{k+l-1}(a, b * c)$
$t$-ECP for $\mathrm{GRS}_{n-2t}(a, b)$ (7/37)
Let $C = \mathrm{GRS}_{n-2t}(a, b)$. Then $C$ has parameters $[n, n - 2t, 2t + 1]$ and $C^\perp = \mathrm{GRS}_{2t}(a, c)$ for some $c$
Let $A = \mathrm{GRS}_{t+1}(a, \mathbf{1})$ and $B = \mathrm{GRS}_t(a, c)$. Then $A * B \subseteq C^\perp$
$A$ has parameters $[n, t + 1, n - t]$
$B$ has parameters $[n, t, n - t + 1]$, so $B^\perp$ has parameters $[n, n - t, t + 1]$
Hence $(A, B)$ is a $t$-error-correcting pair for $C$
Conversely, an $[n, n - 2t, 2t + 1]$ code that has a $t$-ECP is a GRS code
Alternant codes (8/37)
Let $a$ be an $n$-tuple of mutually distinct elements of $\mathbb{F}_{q^m}$ and $b$ an $n$-tuple of nonzero elements of $\mathbb{F}_{q^m}$
Let $\mathrm{GRS}_k(a, b)$ be the GRS code over $\mathbb{F}_{q^m}$ of dimension $k$
The alternant code $\mathrm{ALT}_r(a, b)$ is the $\mathbb{F}_q$-linear restriction $\mathrm{ALT}_r(a, b) = \mathbb{F}_q^n \cap (\mathrm{GRS}_r(a, b))^\perp$
Then $\mathrm{ALT}_r(a, b)$ has parameters $[n, k, d]_q$ with $k \geq n - mr$ and $d \geq r + 1$
Every linear code of minimum distance at least 2 is an alternant code!
$t$-ECP for $\mathrm{ALT}_{2t}(a, b)$ (9/37)
Let $C = \mathrm{ALT}_{2t}(a, b)$. Then $C$ has minimum distance $d \geq 2t + 1$ and $C \subseteq (\mathrm{GRS}_{2t+1}(a, b))^\perp$
Let $A = \mathrm{GRS}_{t+1}(a, \mathbf{1})$ and $B = \mathrm{GRS}_t(a, b)$. Then $A * B \subseteq \mathrm{GRS}_{2t+1}(a, b)$, so $(A * B) \perp C$
$A$ has parameters $[n, t + 1, n - t]$
$B$ has parameters $[n, t, n - t + 1]$, so $B^\perp$ has parameters $[n, n - t, t + 1]$
Hence $(A, B)$ is a $t$-error-correcting pair over $\mathbb{F}_{q^m}$ for $C$
Goppa codes (10/37)
Let $L = (a_1, \ldots, a_n)$ be an $n$-tuple of $n$ distinct elements of $\mathbb{F}_{q^m}$
Let $g$ be a polynomial with coefficients in $\mathbb{F}_{q^m}$ such that $g(a_j) \neq 0$ for all $j$. Then $g$ is called a Goppa polynomial with respect to $L$
Define the $\mathbb{F}_q$-linear Goppa code $\Gamma(L, g)$ by
$$\Gamma(L, g) = \left\{ c \in \mathbb{F}_q^n \;\middle|\; \sum_{j=1}^{n} \frac{c_j}{X - a_j} \equiv 0 \bmod g(X) \right\}$$
Goppa codes are alternant codes (11/37)
Let $L = a = (a_1, \ldots, a_n)$ and let $g$ be a Goppa polynomial of degree $r$
Let $b_j = 1 / g(a_j)$. Then $\Gamma(L, g) = \mathrm{ALT}_r(a, b)$
Hence $\Gamma(L, g)$ has parameters $[n, k, d]_q$ with $k \geq n - mr$ and $d \geq r + 1$, and has an $\lfloor r/2 \rfloor$-error-correcting pair
Binary Goppa codes (12/37)
Let $L = a = (a_1, \ldots, a_n)$ and let $g$ be a Goppa polynomial with coefficients in $\mathbb{F}_{2^m}$ of degree $r$
Suppose moreover that $g$ has no square factor. Then $\Gamma(L, g) = \Gamma(L, g^2)$
Hence $\Gamma(L, g)$ has parameters $[n, k, d]_q$ with $k \geq n - mr$ and $d \geq 2r + 1$, and has an $r$-error-correcting pair
Theory of error-correcting pairs (13/37)
Let $C$ be a linear code in $\mathbb{F}_q^n$. The pair $(A, B)$ of linear subcodes of $\mathbb{F}_{q^m}^n$ is called a $t$-error-correcting pair (ECP) over $\mathbb{F}_{q^m}$ for $C$ if
E.1 $(A * B) \perp C$
E.2 $k(A) > t$
E.3 $d(B^\perp) > t$
E.4 $d(A) + d(C) > n$
Let $(A, B)$ be linear subcodes of $\mathbb{F}_{q^m}^n$ that satisfy E.1, E.2, E.3 and
E.5 $d(A^\perp) > 1$
E.6 $d(A) + 2t > n$
Then $d(C) \geq 2t + 1$ and $(A, B)$ is a $t$-ECP for $C$
Kernel of a received word (14/37)
Let $A$ and $B$ be linear subspaces of $\mathbb{F}_{q^m}^n$ and let $r \in \mathbb{F}_q^n$ be a received word
Define the kernel $K(r) = \{ a \in A \mid (a * b) \cdot r = 0 \text{ for all } b \in B \}$
Lemma. Let $C$ be an $\mathbb{F}_q$-linear code of length $n$. Let $r$ be a received word with error vector $e$, so $r = c + e$ for some $c \in C$. If $A * B \subseteq C^\perp$, then $K(r) = K(e)$
Kernel for a GRS code (15/37)
Let $A = \mathrm{GRS}_{t+1}(a, \mathbf{1})$, $B = \mathrm{GRS}_t(a, \mathbf{1})$ and $C = \langle A * B \rangle^\perp$
Let $a_i = \mathrm{ev}_{a,\mathbf{1}}(X^{i-1})$ for $i = 1, \ldots, t + 1$, $b_j = \mathrm{ev}_{a,\mathbf{1}}(X^j)$ for $j = 1, \ldots, t$, and $h_l = \mathrm{ev}_{a,\mathbf{1}}(X^l)$ for $l = 1, \ldots, 2t$
Then $a_1, \ldots, a_{t+1}$ is a basis of $A$, $b_1, \ldots, b_t$ is a basis of $B$, and $h_1, \ldots, h_{2t}$ is a basis of $C^\perp$
Furthermore $a_i * b_j = \mathrm{ev}_{a,\mathbf{1}}(X^{i+j-1}) = h_{i+j-1}$
Matrix of syndromes for a GRS code (16/37)
Let $r$ be a received word and $s = r H^T$ its syndrome. Then $(b_j * a_i) \cdot r = s_{i+j-1}$.
To compute the kernel $K(r)$ we have to compute the null space of the matrix of syndromes
$$\begin{pmatrix}
s_1 & s_2 & \cdots & s_t & s_{t+1} \\
s_2 & s_3 & \cdots & s_{t+1} & s_{t+2} \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
s_t & s_{t+1} & \cdots & s_{2t-1} & s_{2t}
\end{pmatrix}$$
Error location (17/37)
Let $(A, B)$ be a $t$-ECP for $C$ and let $J$ be a subset of $\{ 1, \ldots, n \}$
Define the subspace of $A$: $A(J) = \{ a \in A \mid a_j = 0 \text{ for all } j \in J \}$
Lemma. Let $(A * B) \perp C$ and let $e$ be the error vector of the received word $r$. If $I = \mathrm{supp}(e) = \{ i \mid e_i \neq 0 \}$, then $A(I) \subseteq K(r)$. If moreover $d(B^\perp) > \mathrm{wt}(e)$, then $A(I) = K(r)$
Basic algorithm (18/37)
Let $(A, B)$ be a $t$-ECP for $C$ with $d(C) \geq 2t + 1$. Suppose that $c \in C$ is the code word sent and $r = c + e$ is the received word for some error vector $e$ with $\mathrm{wt}(e) \leq t$
The basic algorithm for the code $C$:
- Compute the kernel $K(r)$. This kernel is nonzero since $k(A) > t$
- Take a nonzero element $a$ of $K(r)$. $K(r) = K(e)$ since $(A * B) \perp C$
- Determine the set $J$ of zero positions of $a$. Then $\mathrm{supp}(e) \subseteq J$ since $d(B^\perp) > t$, and $|J| \leq n - d(A) < d(C)$ since $d(A) + d(C) > n$
- Compute the error values by erasure decoding
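As an added worked example (not code from the slides), the basic algorithm above with the GRS pair of slides 15 and 16 over the prime field $\mathbb{F}_{13}$, $n = 10$, $t = 2$ and $a = (1, \ldots, 10)$, all constructed choices with $m = 1$: the syndromes $s_l = h_l \cdot r$, the $t \times (t+1)$ matrix of syndromes, its null space $K(r)$, the zero positions $J$ and the erasure step follow the slides step by step. The multiplier $c_j = 1/(a_j \prod_{i \neq j}(a_j - a_i))$ in `codeword` is the standard dual-GRS formula, assumed here only to generate words of $C = \langle A * B \rangle^\perp$ for testing.

```python
from math import prod
P = 13                      # prime field F_13 (assumption: m = 1, so F_{q^m} = F_q)
T = 2                       # t, the number of errors the pair (A, B) corrects
A_PTS = list(range(1, 11))  # a = (1, ..., 10): n = 10 distinct nonzero points (constructed)

def ev(f, pts=A_PTS):
    """ev_{a,1}(f): evaluate f (coefficient list, lowest degree first) at the points a."""
    return [sum(c * pow(x, i, P) for i, c in enumerate(f)) % P for x in pts]

def rref(M):
    """Reduced row echelon form over F_P; returns (rows, list of pivot columns)."""
    M, piv, r = [row[:] for row in M], [], 0
    for col in range(len(M[0])):
        k = next((i for i in range(r, len(M)) if M[i][col]), None)
        if k is None:
            continue
        M[r], M[k] = M[k], M[r]
        inv = pow(M[r][col], P - 2, P)
        M[r] = [v * inv % P for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][col]:
                M[i] = [(u - M[i][col] * v) % P for u, v in zip(M[i], M[r])]
        piv.append(col)
        r += 1
    return M, piv

def syndromes(r):
    """s_l = h_l . r with h_l = ev(X^l), l = 1..2t; the h_l span C^perp = <A*B> (slide 15)."""
    return [sum(rj * pow(x, l, P) for rj, x in zip(r, A_PTS)) % P for l in range(1, 2 * T + 1)]

def codeword(f):
    """Word of C = <A*B>^perp = GRS_{n-2t}(a, c), c_j = 1/(a_j prod_{i!=j}(a_j - a_i)); deg f < n-2t."""
    c = [pow(x * prod(x - y for y in A_PTS if y != x), P - 2, P) for x in A_PTS]
    return [v * w % P for v, w in zip(ev(f), c)]

def decode(r):
    """Basic algorithm of slide 18 with A = GRS_{t+1}(a,1), B = GRS_t(a,1); returns the code word."""
    s = syndromes(r)
    # t x (t+1) matrix of syndromes S[j][i] = s_{i+j-1} (slide 16); its null space is K(r) = K(e)
    R, piv = rref([[s[i + j] for i in range(T + 1)] for j in range(T)])
    free = next(c for c in range(T + 1) if c not in piv)  # exists: t+1 columns but only t rows
    x = [int(c == free) for c in range(T + 1)]            # a nonzero null-space vector
    for row, c in enumerate(piv):
        x[c] = -R[row][free] % P
    J = [j for j, v in enumerate(ev(x)) if v == 0]        # zeros of a = ev(x) in K(r): supp(e) ⊆ J
    # erasure decoding on J: solve sum_{j in J} e_j a_j^l = s_l (l = 1..2t) for the error values
    R, piv = rref([[pow(A_PTS[j], l, P) for j in J] + [s[l - 1]] for l in range(1, 2 * T + 1)])
    e = {J[c]: R[row][-1] for row, c in enumerate(piv) if c < len(J)}
    return [(rj - e.get(j, 0)) % P for j, rj in enumerate(r)]
```

With two errors the matrix of syndromes has rank $t$, so $K(r)$ is one-dimensional and `ev(x)` is the error locator evaluated at $a$; with fewer errors $K(r)$ is larger and any nonzero element still has $\mathrm{supp}(e) \subseteq J$.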
$t$-ECP corrects $t$ errors efficiently (19/37)
Theorem. Let $C$ be an $\mathbb{F}_q$-linear code of length $n$ and let $(A, B)$ be a $t$-error-correcting pair over $\mathbb{F}_{q^m}$ for $C$. Then the basic algorithm corrects $t$ errors for the code $C$ with complexity $O((mn)^3)$
Algebraic geometry codes (20/37)
Let $X$ be an algebraic variety over $\mathbb{F}_q$ with a subset $P$ of $X(\mathbb{F}_q)$ enumerated by $P_1, \ldots, P_n$
Suppose that we have a vector space $L$ over $\mathbb{F}_q$ of functions on $X$ with values in $\mathbb{F}_q$, so $f(P_i) \in \mathbb{F}_q$ for all $i$ and $f \in L$
In this way we have an evaluation map $\mathrm{ev}_P : L \to \mathbb{F}_q^n$ defined by $\mathrm{ev}_P(f) = (f(P_1), \ldots, f(P_n))$
This evaluation map is linear, so its image is a linear code
Codes on the affine line (21/37)
The classical example: Generalized Reed-Solomon codes
The geometric object $X$ is the affine line over $\mathbb{F}_q$; the points are $n$ distinct elements of $\mathbb{F}_q$
$L$ is the vector space of polynomials of degree at most $k - 1$ with coefficients in $\mathbb{F}_q$; this vector space has dimension $k$
Such polynomials have at most $k - 1$ zeros, so nonzero codewords have at least $n - k + 1$ nonzeros
This code has parameters $[n, k, n - k + 1]$ if $k \leq n$
Codes on curves: function fields (22/37)
Let $X$ be an algebraic curve over $\mathbb{F}_q$ of genus $g$; $\mathbb{F}_q(X)$ is the function field of the curve $X$ with field of constants $\mathbb{F}_q$
Let $f$ be a nonzero rational function on the curve. The divisor of zeros and poles of $f$ is denoted by $(f)$
Let $E$ be a divisor of $X$ of degree $m$. Then $L(E) = \{ f \in \mathbb{F}_q(X) \mid f = 0 \text{ or } (f) \geq -E \}$
The dimension of the space $L(E)$ is denoted by $l(E)$. Then $l(E) \geq m + 1 - g$, and equality holds if $m > 2g - 2$, by the Theorem of Riemann-Roch
Codes on curves (23/37)
Let $P = (P_1, \ldots, P_n)$ be an $n$-tuple of mutually distinct points of $X(\mathbb{F}_q)$
If the support of $E$ is disjoint from $P$, then the evaluation map $\mathrm{ev}_P : L(E) \to \mathbb{F}_q^n$, where $\mathrm{ev}_P(f) = (f(P_1), \ldots, f(P_n))$, is well defined.
The algebraic geometry code $C_L(X, P, E)$ is the image of $L(E)$ under the evaluation map $\mathrm{ev}_P$
If $m < n$, then $C_L(X, P, E)$ is an $[n, k, d]$ code with $k \geq m + 1 - g$ and $d \geq n - m$; $n - m$ is called the designed minimum distance of $C_L(X, P, E)$
Information rate (24/37)
Information rate $R = k/n$; relative minimum distance $\delta = d/n$
Singleton: $R + \delta \leq 1$
Gilbert-Varshamov: $R \geq 1 - H_q(\delta)$, where $H_q$ is the $q$-ary entropy function
Goppa, for AG codes: $R + \delta \geq 1 - \gamma$, with relative genus $\gamma = g/n$
Ihara-Tsfasman-Vladut-Zink: $\gamma = \dfrac{1}{\sqrt{q} - 1}$