LCD codes over F q are as good as linear codes for q at least four - - PowerPoint PPT Presentation

Faculteit Wiskunde & Informatica

LCD codes over Fq are as good as linear codes for q at least four

Ruud Pellikaan g.r.pellikaan@tue.nl International Conference on Graph Theory and Information Security ICGTIS, August 7, 2017 Universitas Indonesia, Depok, Indonesia

2/35 Faculteit Wiskunde & Informatica

Content

• 1. Error-correcting codes
• Parameters of a code
• Generator and parity check matrix of a linear code
• 2. LCD codes
• Inner product and dual code
• Hull of a code and linear codes with complementary dual (LCD)
• Permutational, scalar and monomial equivalence
• 3. Applications
• Two-user binary adder channel (2-BAC)
• Side channel attack (SCA) and Fault Injection Attack (FIA)
• 4. Proof Main Theorem
• Theory of Gröbner bases
• Proof
• 5. Conclusion

3/35 Faculteit Wiskunde & Informatica

Error-correcting codes

4/35 Faculteit Wiskunde & Informatica

Error-correcting codes

Communication: internet, telephone, WiFi, computer Memory: computer, compact disc, DVD, USB stick Barcodes, ISBN, product codes, QR codes ...

5/35 Faculteit Wiskunde & Informatica

Information theory - Shannon

source encoding sender noise receiver decoding target

✲

message

✲

001...

✲

011...

✲

message

✻

6/35 Faculteit Wiskunde & Informatica

Hamming distance

Q alphabet of q elements Hamming distance d(x, y) = |{i | xi = yi}| between x = (x1, . . . , xn) and y = (y1, . . . , yn) in Q n

• ✒

x

• ✠

d(x,y)

❍❍❍❍❍ ❍ ❥

y

❍ ❍ ❍ ❍ ❍ ❍ ❨

d(y,z)

✘✘✘✘✘✘✘✘✘✘✘ ✘ ✿ z ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✾

d(x,z)

Triangle inequality

7/35 Faculteit Wiskunde & Informatica

Block codes

C is called (block) code if it is a subset of Q n The minimum distance of C is: d(C) = min { d(x, y) | x, y ∈ C, x = y } parameters of C are (n, M, d)q or (n, M, d) q = |Q| = size of alphabet Q n = length of C M = |C| = size of C d = d(C) = minimum distance of C

8/35 Faculteit Wiskunde & Informatica

Linear codes and their parameters

Fq the finite field with q = pe elements and p prime Fn

q is an Fq-linear vector space of dimension n

A linear code is an Fq-linear subspace C of Fn

q

with parameters [n, k, d]q or [n, k, d] or [n, k] q = size finite field n = length of C k = dimension of C d = minimum distance of C r = redundancy of C = n − k

9/35 Faculteit Wiskunde & Informatica

Generator matrix

Let C be an [n, k] linear code over Fq Then G is a generator matrix of C if it is a k × n matrix with entries in Fq such that its rows are a basis of C Let m = (m1, . . . , mk) ∈ Fk

q be a message

Then c = mG is a codeword Fk

q −

→ Fn

q

Encoding m → mG = c So C is the image of Fk

q under G

10/35 Faculteit Wiskunde & Informatica

Parity check matrix

Let C be an [n, k] linear code over Fq Then H is called a parity check matrix of C if it is a (n − k) × n matrix with entries in Fq such that r ∈ C if and only if rH T = 0 Fn

q −

→ Fn−k

q

r → rH T r ∈ C if and only if syndrome cH T is zero So C is left kernel (null space) of H T

11/35 Faculteit Wiskunde & Informatica

LCD codes

12/35 Faculteit Wiskunde & Informatica

Inner product

The standard inner product is defined by a · b = a1b1 + · · · + anbn Is bilinear and non-degenerate but positive definite makes no sense not right picture Vectors a, b ∈ Fn

q are perpendicular denoted by a ⊥ b

if and only if a · b = 0

13/35 Faculteit Wiskunde & Informatica

Dual code

Let C be a linear code in Fn

q

The dual code is defined by C ⊥ = { x ∈ Fn

q | x · c = 0 for all c ∈ C }

PROPOSITION Let C be an [n, k] code with generator matrix G Then C ⊥ is an [n, n − k] code with G as parity check matrix

14/35 Faculteit Wiskunde & Informatica

LCD codes - Massey 1992

The code C is called linear with complementary dual (LCD) if C ∩ C ⊥ = {0} PROPOSITION (1992 Massey) LCD codes are asymptotically good (2004 Sendrier) LCD codes meet the Gilbert-Varshamov bound

15/35 Faculteit Wiskunde & Informatica

Hull of a code

The hull of an Fq-linear code C is defined by H(C) = C ∩ C ⊥ Hence C is LCD if and only if H(C) = {0}

16/35 Faculteit Wiskunde & Informatica

Dimension of the hull

PROPOSITION Let C be an Fq-linear [n, k] code Let h be the dimension of H(C) and r = k − h Then C has a generator matrix G0 such that G0G T

0 =

Oh×h Oh×r Or×h P

• ,

where Ol×m is the all zeros l × m matrix and P is an invertible r × r matrix Furthermore the rank of G1G T

1 is r for every generator matrix G1 of C

17/35 Faculteit Wiskunde & Informatica

LCD

COROLLARY Let C be an Fq-linear [n, k] code with generator matrix G Then the following statements are equivalent:

◮ C is LCD ◮ C ∩ C ⊥ = {0} ◮ GG T has rank k ◮ GG T is invertible

18/35 Faculteit Wiskunde & Informatica

Example - Hamming code

Let C be the binary [7, 4, 3] Hamming code with generator matrix G1 =     1 1 1 1 1 1 1 1 1 1 1 1 1     Then G1G T

1 =

    1 1 1 1 1 1 1 1 1 1 1 1     has rank 1 Hence H(C) has dimension 3

19/35 Faculteit Wiskunde & Informatica

Example - Hamming code

Now C has another generator matrix G0 =     1 1 1 1 1 1 1 1 1 1 1 1 1 1 1     with G0G T

0 =

    1    

20/35 Faculteit Wiskunde & Informatica

Permutational, diagonal and monomial matrices

◮ A permutation matrix is a square matrix with zeros and ones

such that in every row (and in every column) there is exactly one element equal to one

◮ A diagonal matrix is a square matrix with zeros outside its diagonal ◮ A monomial matrix is a square matrix

such that in every row (and in every column) there is exactly one nonzero element A permutation matrix and an invertible diagonal matrix are special monomial matrices

21/35 Faculteit Wiskunde & Informatica

Permutational, scalar and monomial equivalent

Let C1 and C2 be Fq-linear codes of length n Then C1 and C2 are called

◮ permutational equivalent

if there exists a permutation matrix P such that C1P = C2

◮ diagonal equivalent

if there exists an invertible diagonal matrix D such that C1D = C2

◮ linear equivalent or monomial equivalent

if there exists a monomial matrix M such that C1M = C2

22/35 Faculteit Wiskunde & Informatica

Dimension of the hull under equivalence

The dimension of the hull of a code is

◮ invariant under permutational equivalence ◮ also invariant under monomial equivalence if q = 2, 3 ◮ can be computed with the (extended) weight enumerator ◮ is used to find the permutation in case

C1 and C2 are permutational equivalent

◮ is not a monomial equivalence invariant if q ≥ 4

23/35 Faculteit Wiskunde & Informatica

Applications

24/35 Faculteit Wiskunde & Informatica

Two-user binary adder channel (2-BAC)

Let x, y ∈ F2 Define x ⊕ y ∈ Z by x y x ⊕ y 1 1 1 1 1 1 2 Let x, y ∈ Fn

2

Define x ⊕ y = (x1 ⊕ y1, . . . , xn ⊕ yn)

25/35 Faculteit Wiskunde & Informatica

Unique decodable

Let C and D be Fq-linear codes of length n Define C × D = { (c, d) | c ∈ C, d ∈ D } C ⊕ D = { c ⊕ d | c ∈ C, d ∈ D } C ⊕ D is called unique decodable if the map C × D → C ⊕ D given by (c, d) → c ⊕ d is injective C ⊕ D is unique decodable if and only if C ∩ D = {0} Hence C ⊕ C ⊥ is unique decodable if and only if C is LCD

26/35 Faculteit Wiskunde & Informatica

Side Channel Attack (SCA)

27/35 Faculteit Wiskunde & Informatica

Fault Injection Attack (FIA)

28/35 Faculteit Wiskunde & Informatica

Orthogonally Direct Sum Masking (ODSM)

Carlet and Guilley (2014) Let C and D be Fq-linear codes of length n Define C + D = { c + d | c ∈ C, d ∈ D } If C ∩ D = {0} then C + D is denoted by C ⊎ D Then C ⊎ D = Fn

q if and only if C ∩ D = {0} and dim C + dim D = n

Hence C ⊎ C ⊥ = Fn

q if and only if C is LCD

29/35 Faculteit Wiskunde & Informatica

Main Theorem

30/35 Faculteit Wiskunde & Informatica

Star product

Let x, y ∈ Fn

q

Then the star product is defined by x ∗ y = (x1y1, . . . , xnyn) Let x ∈ Fn

q have nonzero entries

Define x−1 = (x−1

1 , . . . , x−1 n )

Let C ⊆ Fn

q

Define x ∗ C = { x ∗ c | c ∈ C } C1 and C2 are scalar equivalent if and only if there exists an x with nonzero entries such that C2 = x ∗ C1

31/35 Faculteit Wiskunde & Informatica

LCD codes are good

THEOREM (2017 Carlet-Mesnager-Tang-Qi-P) If q ≥ 4 and C is an Fq-linear code Then there exits an x ∈ Fn

q with nonzero entries

such that x ∗ C is an LCD code Hence LCD codes over Fq are as good as Fq-linear codes if q ≥ 4

32/35 Faculteit Wiskunde & Informatica

LCD codes are good

THEOREM (2017 Carlet-Mesnager-Tang-Qi-P) If q ≥ 4 and C is an Fq-linear code Then there eixts an x ∈ Fn

q with nonzero entries

such that x ∗ C is an LCD code Hence LCD codes over Fq are as good as Fq-linear codes if q ≥ 4

33/35 Faculteit Wiskunde & Informatica

Gröbner bases

PROPOSITION Let f(X) be a nonzero polynomial of Fq[X1, . . . , Xn] such that the degree of f(X) with respect to Xj is at most q − 1 for all j Then there exists a x ∈ Fn

q such that f(x) = 0

PROPOSITION Let f(X) be a nonzero polynomial of Fq[X1, . . . , Xn] such that the degree of f(X) with respect to Xj is at most q − 2 for all j Then there exists a x ∈ Fn

q with nonzero entries such that f(x) = 0

34/35 Faculteit Wiskunde & Informatica

Proof

We may assume that C has a generator matrix of the form G = (Ik|B) Let x = (x1, . . . , xk) be an k-tuple of nonzero elements of Fq Let D(x) be the diagonal matrix with x on its diagonal Let Gx = (D(x)|B) be the generator matrix of the code Cx Then Cx is monomial equivalent with C Now det(GxG T

x ) = det(D(x2 1, . . . , x2 k ) + BB T)

is a polynomial in x1, . . . , xk Its degree with respect to xi is 2 for all i which is at most q − 2, since q ≥ 4 Hence there exists a x ∈ Fn

q with nonzero entries

such that det GxG T

x = 0

So GxG T

x is invertible

Therefore Cx is LCD

35/35 Faculteit Wiskunde & Informatica

Thank you