Introduction to Coding Theory
Clément PERNET
M2 Cyber Security, UFR IM2AG, Univ. Grenoble-Alpes.
ENSIMAG, Grenoble INP
December 8, 2017
Outline
Introduction
Linear Codes
Reed-Solomon codes
Application: McEliece cryptosystem
Errors everywhere
Error models

Communication channel examples:
- Radio transmission: electromagnetic interference
- Ethernet, DSL: electromagnetic interference
- CD/DVD Audio/Video/ROM: scratches, dust
- RAM: cosmic radiation
- HDD: magnetic fields, head crashes

[Diagram: the sender encodes the message into a code word, the channel may add an error, and the receiver decodes the received word back into the message.]
Generalities

Goals:
- Detect: request retransmission (integrity certificate)
- Correct: needed when no interaction is possible
Tool: adding redundancy

Example (NATO phonetic alphabet)
A → Alfa, B → Bravo, C → Charlie, D → Delta, ...
"Alpha Bravo India Tango Tango Echo Delta India Oscar Uniform Sierra!" spells out "A BIT TEDIOUS".

Two categories of codes:
- stream codes: online processing of the stream of information
- block codes: cut the information into blocks and apply the same treatment to each block
Generalities

- A code is a subset C ⊂ E of a set of possible words.
- Often, E is built from an alphabet Σ: E = Σ^n.

Parity check
(x1, x2, x3) → (x1, x2, x3, s) with s = Σ_{i=1}^{3} x_i mod 2, so that Σ_{i=1}^{3} x_i + s = 0 mod 2.
A single flipped bit makes the sum nonzero → error detected.

Repetition code
- "Say that again?"
- "a" → "aaa" → (channel corrupts) "aab" → (majority vote) "aaa" → "a"
E : Σ → Σ^r, x ↦ (x, ..., x) (r times), and C = Im(E) ⊂ Σ^r
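The parity check and repetition codes above fit in a few lines of Python; this is an illustrative sketch (the helper names are not from the slides), with a binary alphabet for the parity check:

```python
def parity_encode(x):
    """Append the parity bit s = sum(x) mod 2."""
    return x + [sum(x) % 2]

def parity_detect(y):
    """True when the parity check fails, i.e. an (odd-weight) error is detected."""
    return sum(y) % 2 != 0

def rep_encode(x, r=3):
    """Repeat every symbol r times."""
    return [c for c in x for _ in range(r)]

def rep_decode(y, r=3):
    """Majority vote inside each block of r symbols."""
    out = []
    for i in range(0, len(y), r):
        block = y[i:i + r]
        out.append(max(set(block), key=block.count))
    return out
```

For instance, `rep_decode(["a", "a", "b"])` recovers `["a"]`, matching the "aab" example above.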
Types of channels

Binary symmetric channel: each bit is transmitted correctly with probability 1 − p and flipped with probability p, the error rate.

Typical error rates:
Floppy disk: 10^-9
CD: 10^-5 (7 kB every 700 MB)
Optical fibre: 10^-9
Satellite: 10^-6
DSL: 10^-3 to 10^-9
LAN: 10^-12
Capacity of a channel
Input distribution: random variable X with values in V: Pr[X = v_i] = p_i.
Output distribution: random variable Y.
Transition probabilities: p_{j|i} = Pr[Y = v_j | X = v_i]

Mutual information
I(X, Y) = Σ_{x,y} p(x, y) log( p(x, y) / (p(x) p(y)) ) = H(X) − H(X|Y) = H(Y) − H(Y|X).

- Measures how much information is shared between X and Y
- i.e. how much information from the source has been transmitted

Definition (Channel capacity)
C = max over all probability distributions for X of I(X, Y)
Examples of channel capacities
- If H(Y) = H(Y|X): the input does not impact the output ⇒ C = 0
- If H(Y|X) = 0: no uncertainty on the output for a given input ⇒ error-free channel ⇒ C = H(X)

Exercise (Capacity of the binary symmetric channel)
- Let p_X = Pr[X = 0]; then Pr[X = 1] = 1 − p_X
- Symmetric ⇒ p_{i|j} = p constant for i ≠ j, and p_{i|i} = 1 − p
- Symmetric ⇒ H(Y|X) = H(Y|X = 0) = H(Y|X = 1), independent of the probability distribution of X
- H(Y) − H(Y|X) is maximal when H(Y) is maximal, i.e. when Pr[Y = 0] = Pr[Y = 1] = 1/2
- Pr[Y = 0] = p_X(1 − p) + (1 − p_X)p and Pr[Y = 1] = p_X p + (1 − p_X)(1 − p), both equal to 1/2 for p_X = 1/2
- C = H(Y) − H(Y|X) = 1 + p log p + (1 − p) log(1 − p)
- For p = 1/2, C = 0; C > 0 otherwise
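The closed form derived in the exercise, C = 1 + p log₂ p + (1 − p) log₂(1 − p), is easy to evaluate numerically; a minimal sketch:

```python
from math import log2

def bsc_capacity(p):
    """Capacity of the binary symmetric channel with error rate p."""
    if p in (0.0, 1.0):          # limit cases: the output determines the input
        return 1.0
    return 1.0 + p * log2(p) + (1 - p) * log2(1 - p)
```

As expected, `bsc_capacity(0.5)` is 0 (the channel transmits nothing), and the capacity approaches 1 as p tends to 0 or 1.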
Second theorem of Shannon

Theorem (Shannon)
Over a binary channel of capacity C, for any ε > 0, there exists an (n, k) code of rate R = k/n that can decode with probability of error < ε if and only if 0 ≤ R < C.
Outline
Introduction
Linear Codes
Reed-Solomon codes
Application: McEliece cryptosystem
Linear Codes

Let E = V^n over a finite field V.
A linear code C is a subspace of E.
- length: n
- dimension: k = dim(C)
- (information) rate: k/n
Encoding function: E : V^k → V^n s.t. C = Im(E) ⊂ V^n

Example
- Parity code: k = n − 1, detects 1 error
- r-repetition code: k = n/r, detects r − 1 errors, corrects ⌊(r − 1)/2⌋ errors
Distance of a code
- Hamming weight: w_H(x) = |{i : x_i ≠ 0}|
- Hamming distance: d_H(x, y) = w_H(x − y) = |{i : x_i ≠ y_i}|
- minimal distance of a code: δ = min_{x ≠ y ∈ C} d_H(x, y)
  In a linear code: δ = min_{x ∈ C\{0}} w_H(x)

C is t-corrector if
- ∀x ∈ E, |{c ∈ C : d_H(x, c) ≤ t}| ≤ 1
- equivalently, ∀c1, c2 ∈ C, c1 ≠ c2 ⇒ d_H(c1, c2) > 2t
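These definitions are direct to implement. The sketch below computes δ by brute force for a toy binary code (the (3, 2) generator matrix is illustrative, not taken from the slides; it is the length-3 parity code, so δ = 2):

```python
from itertools import product

def hamming_weight(x):
    return sum(1 for c in x if c != 0)

def hamming_distance(x, y):
    return sum(1 for a, b in zip(x, y) if a != b)

# toy (3, 2) binary parity code: the third symbol is the sum of the first two
G = [[1, 0, 1],
     [0, 1, 1]]

def encode(m):
    return [sum(mi * gi for mi, gi in zip(m, col)) % 2 for col in zip(*G)]

codewords = [encode(m) for m in product([0, 1], repeat=2)]
# for a linear code, delta is the minimal weight of a nonzero codeword
delta = min(hamming_weight(c) for c in codewords if any(c))
```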
Perfect codes

Definition
A code is perfect if any detected error can be corrected.

Example
- 4-repetition is not perfect
- 3-repetition is perfect

Property
A code is perfect if and only if the balls of radius t around the codewords form a partition of the ambient space.
Generator matrix and parity check matrix

Generator matrix
The matrix of the encoding function (depends on a choice of basis): E : x^T → x^T G.
Systematic form: G = [ I_k | G̃ ], with the k × k identity on the first k columns.

Parity check matrix
1. H ∈ K^{(n−k)×n} s.t. ker(H) = C: c ∈ C ⇔ Hc = 0
2. basis of ker(G^T): H G^T = 0

Exercise
Find G and H for the binary parity check code and for the repetition code.

G_par = [ I_{n−1} | 1 ] (each row has a 1 on the diagonal and a 1 in the last column),
H_par = [1 … 1],
G_rep = [1 … 1] = H_par, and H_rep = G_par.
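The duality between the parity code and the repetition code can be checked numerically. A sketch for n = 4 over F2 (matrix names follow the exercise):

```python
n = 4

# parity code: k = n-1, each row of G has a 1 on the diagonal and in the last column
G_par = [[1 if (j == i or j == n - 1) else 0 for j in range(n)] for i in range(n - 1)]
H_par = [[1] * n]

# repetition code: k = 1; the generator/check matrices swap roles
G_rep = H_par
H_rep = G_par

def mul_bt(A, B):
    """A * B^T over F2."""
    return [[sum(a * b for a, b in zip(ra, rb)) % 2 for rb in B] for ra in A]

def is_zero(M):
    return all(v == 0 for row in M for v in row)
```

Both products H·Gᵀ vanish, confirming that each H is a parity check matrix for the corresponding G.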
Role of the parity check matrix

c ∈ C ⇔ Hc = 0
- Certificate for detecting errors
- Syndrome: s_x = Hx = H(c + e) = He

⇒ a first correction algorithm:
- pre-compute all s_e for w_H(e) ≤ t in a table S
- for a received word x: if s_x ≠ 0, look up s_x in the table S
- return the corresponding codeword c = x − e

[Flowchart: compute s = Hx; if s = 0, return x; otherwise return the codeword c corrected using the table.]
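The table-based correction algorithm above, sketched for a deliberately tiny instance (the binary 3-repetition code, t = 1; this choice of H is illustrative):

```python
from itertools import combinations

H = [[1, 1, 0],
     [1, 0, 1]]          # parity check matrix of the binary 3-repetition code
n, t = 3, 1

def syndrome(x):
    return tuple(sum(h * xi for h, xi in zip(row, x)) % 2 for row in H)

# pre-compute the syndromes of all error patterns e with weight <= t
table = {}
for w in range(t + 1):
    for positions in combinations(range(n), w):
        e = [0] * n
        for i in positions:
            e[i] = 1
        table[syndrome(e)] = e

def correct(x):
    e = table[syndrome(x)]            # He = Hx, so e is the likeliest error
    return [(xi - ei) % 2 for xi, ei in zip(x, e)]
```

For example, `correct([1, 1, 0])` returns `[1, 1, 1]`, the closest codeword.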
Hamming codes

Let H =
[ 1 0 1 0 1 0 1 ]
[ 0 1 1 0 0 1 1 ]
[ 0 0 0 1 1 1 1 ]

- Parameters of the corresponding code? (n, k) = (7, 4)
- Generator matrix?
G =
[ 1 1 1 0 0 0 0 ]
[ 1 0 0 1 1 0 0 ]
[ 0 1 0 1 0 1 0 ]
[ 1 1 0 1 0 0 1 ]
- Minimal distance? δ ≤ 3 (the first row of G has weight 3).
  - If δ = 1, some column H_i = 0
  - If δ = 2, two columns H_i = H_j would be equal
  Neither happens ⇒ δ = 3
- Is it a perfect code? δ = 3 ⇒ t = 1 corrector. |C| = 2^k, so the balls of radius 1 contain 2^k(1 + 7) = 16 · 8 = 2^7 = |K^n| elements ⇒ perfect

Generalization
For every ℓ: the Hamming code H(2^ℓ − 1, 2^ℓ − 1 − ℓ) is a 1-corrector, perfect.
Examples: Minitel, ECC memory: ℓ = 7
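With this H, the syndrome of a single-bit error, read as a binary number, directly gives the erroneous position, because the columns of H are 1, 2, …, 7 in binary. A short sketch of the resulting encoder/corrector:

```python
H = [[1, 0, 1, 0, 1, 0, 1],
     [0, 1, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
G = [[1, 1, 1, 0, 0, 0, 0],
     [1, 0, 0, 1, 1, 0, 0],
     [0, 1, 0, 1, 0, 1, 0],
     [1, 1, 0, 1, 0, 0, 1]]

def encode(m):
    """m (4 bits) -> m * G (7 bits) over F2."""
    return [sum(mi * gi for mi, gi in zip(m, col)) % 2 for col in zip(*G)]

def correct(r):
    """Correct at most one flipped bit using the syndrome."""
    s = [sum(h * ri for h, ri in zip(row, r)) % 2 for row in H]
    pos = s[0] + 2 * s[1] + 4 * s[2]      # binary value = error position, 0 if none
    r = r[:]
    if pos:
        r[pos - 1] ^= 1
    return r
```

Flipping any single bit of a codeword and running `correct` restores the codeword.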
Some bounds

Let C be an (n, k, δ) code over a field F_q with q elements.
k and δ cannot be simultaneously large for a given n.

Sphere packing: q^k · Σ_{i=0}^{t} (n choose i) (q − 1)^i ≤ q^n, with t = ⌊(δ − 1)/2⌋.
Singleton bound: δ ≤ n − k + 1

Sketch of proof:
- Let H be the (n − k) × n parity check matrix.
- δ is the smallest number of linearly dependent columns of H.
- Any n − k + 1 = rank(H) + 1 columns are always linearly dependent.
⇒ How to build codes correcting up to (n − k)/2 errors?
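Both bounds are one-liners to check numerically; for instance, the (7, 4, 3) Hamming code meets the sphere-packing bound with equality, which is another way of saying it is perfect:

```python
from math import comb

def singleton_ok(n, k, delta):
    """Singleton bound: delta <= n - k + 1."""
    return delta <= n - k + 1

def sphere_packing_lhs(n, k, delta, q=2):
    """Left-hand side of the sphere-packing bound; must be <= q**n."""
    t = (delta - 1) // 2
    return q**k * sum(comb(n, i) * (q - 1)**i for i in range(t + 1))
```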
Outline
Introduction
Linear Codes
Reed-Solomon codes
Application: McEliece cryptosystem
Reed-Solomon codes

Definition (Reed-Solomon codes)
Let K be a finite field, and x1, …, xn ∈ K distinct elements. The Reed-Solomon code of length n and dimension k is defined by
C(n, k) = {(f(x1), …, f(xn)) : f ∈ K[X], deg f < k}

Example
(n, k) = (5, 3), f = x^2 + 2x + 1 over Z/31Z.
(1, 2, 1, 0, 0) —Eval→ (f(1), f(5), f(8), f(10), f(12)) = (4, 17, 5, 7, 17)
(4, 17, 5, 7, 17) —Interp.→ (1, 2, 1, 0, 0), i.e. x^2 + 2x + 1
(4, 17, 13, 7, 17) —Interp.→ (12, 8, 11, 10, 1), i.e. x^4 + 10x^3 + 11x^2 + 8x + 12: the degree exceeds k − 1, so the error is detected
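Encoding is plain polynomial evaluation. A sketch over Z/31Z; the evaluation points 1…5 below are illustrative, not necessarily those used in the slide's example:

```python
p = 31

def rs_encode(coeffs, xs):
    """Evaluate the message polynomial (coefficients in increasing degree) at each x_i."""
    def evaluate(x):
        y = 0
        for c in reversed(coeffs):      # Horner's rule
            y = (y * x + c) % p
        return y
    return [evaluate(x) for x in xs]
```

For f = x² + 2x + 1 = (x + 1)² and points 1…5, this yields (4, 9, 16, 25, 5): the squares (x + 1)² reduced mod 31.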
Minimal distance of Reed-Solomon codes

Property
δ = n − k + 1 (Maximum Distance Separable codes)

Proof.
Singleton bound: δ ≤ n − k + 1.
Conversely, let f, g ∈ C with deg f, deg g < k. If f(x_i) ≠ g(x_i) for only d < n − k + 1 values x_i, then f(x_j) − g(x_j) = 0 for at least n − d > k − 1 values x_j. Since deg(f − g) < k, the polynomial f − g has more roots than its degree, hence f = g.
⇒ correct up to (n − k)/2 errors.
Rational fraction reconstruction

Problem (RFR: Rational Fraction Reconstruction)
Given A, B ∈ K[X] with deg B < deg A = n, find f, g ∈ K[X] with deg f ≤ d_F, deg g ≤ n − d_F − 1 and
f = gB mod A.

Theorem
Let (f_0 = A, f_1 = B, …, f_ℓ) be the sequence of remainders of the extended Euclidean algorithm applied to (A, B), and u_i, v_i the coefficients s.t. f_i = u_i f_0 + v_i f_1. Then, at the iteration j s.t. deg f_j ≤ d_F < deg f_{j−1}:
1. (f_j, v_j) is a solution of problem RFR.
2. It is minimal: any other solution (f, g) writes f = q f_j, g = q v_j for some q ∈ K[X].
Reed-Solomon decoding with the extended Euclidean algorithm

Berlekamp-Welch using the extended Euclidean algorithm
- Erroneous interpolant: P = Interp((x_i, y_i))
- Error locator polynomial: Λ = Π_{i : y_i is erroneous} (X − x_i)

Find f with deg f ≤ d_F s.t. f and P match on ≥ n − t evaluations x_i:
Λf = Λ · P mod Π_{i=1}^{n} (X − x_i),
where Λf plays the role of f_j and Λ that of g_j; the pair (Λf, Λ) is minimal ⇒ computed by the extended Euclidean algorithm, and f = f_j / g_j.
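A compact sketch of this EEA-based decoder, in the formulation popularized by Gao (run the EEA on Π(X − x_i) and the interpolant, stop when the remainder's degree drops below (n + k)/2, then divide by the Bezout coefficient). All parameters (p = 7, n = 5, k = 2, points 1…5) are illustrative; polynomials are coefficient lists, lowest degree first:

```python
p = 7

def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def padd(a, b):
    r = [0] * max(len(a), len(b))
    for i, c in enumerate(a):
        r[i] = c
    for i, c in enumerate(b):
        r[i] = (r[i] + c) % p
    return trim(r)

def pmul(a, b):
    if not a or not b:
        return []
    r = [0] * (len(a) + len(b) - 1)
    for i, c in enumerate(a):
        for j, d in enumerate(b):
            r[i + j] = (r[i + j] + c * d) % p
    return trim(r)

def pdivmod(a, b):
    a, inv = a[:], pow(b[-1], p - 2, p)
    q = [0] * max(len(a) - len(b) + 1, 0)
    while len(a) >= len(b):
        c = (a[-1] * inv) % p
        q[len(a) - len(b)] = c
        for i, d in enumerate(b):
            a[len(a) - len(b) + i] = (a[len(a) - len(b) + i] - c * d) % p
        trim(a)
    return trim(q), a

def interpolate(xs, ys):
    f = []
    for i, xi in enumerate(xs):         # Lagrange interpolation
        num, den = [1], 1
        for j, xj in enumerate(xs):
            if i != j:
                num = pmul(num, [(-xj) % p, 1])
                den = (den * (xi - xj)) % p
        f = padd(f, pmul([(ys[i] * pow(den, p - 2, p)) % p], num))
    return f

def gao_decode(xs, y, k):
    n = len(xs)
    g0 = [1]
    for xi in xs:                       # g0 = prod (X - x_i)
        g0 = pmul(g0, [(-xi) % p, 1])
    r0, r1 = g0, interpolate(xs, y)
    v0, v1 = [], [1]                    # Bezout coefficients of the interpolant
    while r1 and 2 * (len(r1) - 1) >= n + k:    # stop when deg r1 < (n+k)/2
        q, rem = pdivmod(r0, r1)
        r0, r1 = r1, rem
        v0, v1 = v1, padd(v0, [(-c) % p for c in pmul(q, v1)])
    f, rem = pdivmod(r1, v1)            # f = (Lambda f) / Lambda
    if rem or len(f) > k:
        return None                     # more than (n-k)/2 errors
    return f
```

With n = 5 and k = 2 the decoder corrects up to one error, e.g. it recovers f = 3 + 2x from a codeword with a single corrupted coordinate.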
Another decoding algorithm: syndrome based

From now on: K = F_q, n = q − 1, x_i = α^i, where α is a primitive n-th root of unity.
E(f) = (f(α^0), f(α^1), f(α^2), …, f(α^{n−1})) = DFT_α(f)

Linear recurring sequences
Sequences (a_0, a_1, …, a_n, …) such that
∀j ≥ 0, a_{j+t} = Σ_{i=0}^{t−1} λ_i a_{i+j}

generator polynomial: Λ(z) = z^t − Σ_{i=0}^{t−1} λ_i z^i
minimal polynomial: the Λ(z) of minimal degree
linear complexity of (a_i)_i: the degree t of the minimal polynomial Λ

Computing Λ_min: the Berlekamp-Massey algorithm, from 2t consecutive elements, in O(t²).
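The Berlekamp-Massey algorithm itself fits in a few lines over F_p; this is a sketch (the prime 101 and the Fibonacci test sequence are illustrative):

```python
def berlekamp_massey(s, p):
    """Return (L, C): the linear complexity L of s over F_p and a minimal
    connection polynomial C with sum(C[i] * s[n-i] for i in 0..L) = 0."""
    C, B = [1], [1]          # current and previous connection polynomials
    L, m, b = 0, 1, 1        # complexity, gap since last update, last discrepancy
    for n in range(len(s)):
        d = s[n]             # discrepancy of the current prediction
        for i in range(1, L + 1):
            d = (d + C[i] * s[n - i]) % p
        if d == 0:
            m += 1
            continue
        coef = (d * pow(b, p - 2, p)) % p
        T = C[:]
        while len(C) < len(B) + m:
            C.append(0)
        for i, Bi in enumerate(B):     # C(z) -= coef * z^m * B(z)
            C[i + m] = (C[i + m] - coef * Bi) % p
        if 2 * L <= n:                 # the linear complexity must grow
            L, B, b, m = n + 1 - L, T, d, 1
        else:
            m += 1
    return L, C
```

For example, the Fibonacci sequence mod p has linear complexity 2, with minimal polynomial z² − z − 1.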
Blahut theorem

Theorem ([Blahut84], [Prony1795])
The DFT_α of a vector of weight t has linear complexity t.

Sketch of proof
- Let v = e_i be a weight-1 vector. Then DFT_α(v) = Ev_{(α^0, α^1, …, α^{n−1})}(X^i) = ((α^0)^i, (α^1)^i, …, (α^{n−1})^i) is linearly generated by Λ(z) = z − α^i.
- For v = Σ_{j=1}^{t} e_{i_j}, the sequence DFT_α(v) is generated by lcm_j(z − α^{i_j}) = Π_{j=1}^{t} (z − α^{i_j}).

Corollary
The roots of Λ localize the nonzero entries of v: they are the α^{i_j}. ⇒ error locator
Syndrome Decoding of Reed-Solomon codes

C = {(f(x_1), …, f(x_n)) : deg f < k}

[Diagram: the message m defines f with deg f < k; evaluation yields the codeword y = Eval(f), y_i = f(x_i); the channel adds an error e, giving z = y + e; interpolating z gives f + Interp(e), and the Berlekamp-Massey algorithm recovers the error locator, hence f.]
Codes derived from Reed-Solomon codes

Generalized Reed-Solomon codes
C_GRS(n, k, v) = {(v_1 f(x_1), …, v_n f(x_n)) : f ∈ K_{<k}[X]}
- same dimension and minimal distance ⇒ MDS
- allows one to prove the existence of a dual GRS code on the same evaluation points
Codes derived from Reed-Solomon codes

Goppa codes
Motivation: allow arbitrary length n for a fixed field F_q (GRS codes require n ≤ q).
Idea: use a GRS code over F_{q^m} and restrict it to F_q.

Let
- K = F_q, K̄ = F_{q^m} and α ∈ (K̄*)^n
- f ∈ F_{q^m}[X], deg f = t − 1 and m(t − 1) < n
- v = (1 / f(α_i))_i
- C_K̄ = C_GRS(n, k, v) over K̄ with parameters (n, k, t)
Then C_Goppa = C_K̄ ∩ F_q^n
- minimum distance ≥ t
- binary Goppa codes with f square-free ⇒ minimum distance = 2t + 1
Outline
Introduction
Linear Codes
Reed-Solomon codes
Application: McEliece cryptosystem
A code based cryptosystem [McEliece 78]

Designing a one-way function with a trapdoor
Use the encoder of a linear code:
message × [G] = codeword
- Encoding is easy (a matrix-vector product)
- Decoding a random linear code is NP-complete
- Trapdoor: an efficient decoding algorithm when the code family is known
⇒ requires a family F of codes
- indistinguishable from random linear codes
- with a fast decoding algorithm
McEliece Cryptosystem

Key generation
- Select an (n, k) binary linear code C ∈ F correcting t errors, having an efficient decoding algorithm A_C
- Form G ∈ F_q^{k×n}, a generator matrix for C
- Select a random k × k non-singular matrix S
- Select a random n × n permutation matrix P
- Compute Ĝ = SGP
Public key: (Ĝ, t)
Private key: (S, G, P) and A_C
McEliece Cryptosystem

Encrypt
E(m) = mĜ + e = mSGP + e = y
where e is an error vector of Hamming weight at most t.

Decrypt
1. y′ = yP^{−1} = mSG + eP^{−1} (note that eP^{−1} still has weight ≤ t)
2. m′ = A_C(y′) = mS
3. m = m′S^{−1}
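The whole scheme can be sketched end to end on a deliberately tiny instance built on the (7, 4) binary Hamming code as the trapdoor decoder. This is purely illustrative; real instantiations use large binary Goppa codes, and a (7, 4) code offers no security:

```python
import random
from itertools import product

random.seed(1)

G = [[1, 1, 1, 0, 0, 0, 0],
     [1, 0, 0, 1, 1, 0, 0],
     [0, 1, 0, 1, 0, 1, 0],
     [1, 1, 0, 1, 0, 0, 1]]
H = [[1, 0, 1, 0, 1, 0, 1],
     [0, 1, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
k, n, t = 4, 7, 1

def vecmat(v, M):                       # row vector times matrix, over F2
    return [sum(a * b for a, b in zip(v, col)) % 2 for col in zip(*M)]

def inverse(M):                         # Gauss-Jordan over F2, None if singular
    kk = len(M)
    A = [row[:] + [int(i == j) for j in range(kk)] for i, row in enumerate(M)]
    for c in range(kk):
        piv = next((r for r in range(c, kk) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        for r in range(kk):
            if r != c and A[r][c]:
                A[r] = [x ^ y for x, y in zip(A[r], A[c])]
    return [row[kk:] for row in A]

def hamming_correct(r):                 # the trapdoor: efficient decoder A_C
    s = [sum(h * ri for h, ri in zip(row, r)) % 2 for row in H]
    pos = s[0] + 2 * s[1] + 4 * s[2]
    r = r[:]
    if pos:
        r[pos - 1] ^= 1
    return r

# --- key generation: Ghat = S G P (P as a column permutation) ---
while True:
    S = [[random.randint(0, 1) for _ in range(k)] for _ in range(k)]
    S_inv = inverse(S)
    if S_inv is not None:
        break
perm = random.sample(range(n), n)
SG = [vecmat(row, G) for row in S]
G_hat = [[SG[i][perm[j]] for j in range(n)] for i in range(k)]
# small k lets us invert the (non-systematic) encoding by table lookup
codebook = {tuple(vecmat(list(m), G)): list(m) for m in product([0, 1], repeat=k)}

def encrypt(m):
    y = vecmat(m, G_hat)
    y[random.randrange(n)] ^= 1         # add one error (t = 1)
    return y

def decrypt(y):
    yp = [0] * n
    for j in range(n):                  # undo the permutation: y' = y P^-1
        yp[perm[j]] = y[j]
    c = hamming_correct(yp)             # A_C removes the (permuted) error
    mS = codebook[tuple(c)]             # recover m' = m S
    return vecmat(mS, S_inv)            # m = m' S^-1
```

Decryption inverts encryption for every message, whatever the random key.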
Parameters for McEliece in practice

(n, k, d)          | Code family        | Key size | Security | Attack
(256, 128, 129)    | Gen. Reed-Solomon  | 67 kB    | 2^95     | [SS92]
                   | subcodes of GRS    |          |          | [Wie10]
(1024, 176, 128)   | Reed-Muller codes  | 22.5 kB  | 2^72     | [MS07, CB13]
(2048, 232, 256)   | Reed-Muller codes  | 59.4 kB  | 2^93     | [MS07, CB13]
(171, 109, 61)_128 | Alg.-Geom. codes   | 16 kB    | 2^66     | [FM08, CMP14]
(1024, 524, 101)_2 | Goppa codes        | 67 kB    | 2^62     |
(2048, 1608, 48)_2 | Goppa codes        | 412 kB   | 2^96     |
Advantages of the McEliece cryptosystem

Security
Based on two assumptions:
- decoding a random linear code is hard (NP-completeness reduction)
- the generator matrix of a Goppa code looks random (indistinguishability)

Pros:
- faster encoding/decoding algorithms than RSA or ECC (for a given security parameter)
- post-quantum security: still robust against quantum computer attacks
Cons:
- harder to use for signatures (non-deterministic encoding)
- large key size