introduction to coding theory -  · introduction to coding theory clément pernet m2 cyber...

Introduction to Coding Theory

Clément PERNET

M2 Cyber Security,UFR IM2AG, Univ. Grenoble-Alpes.

ENSIMAG, Grenoble INP

December 8, 2017

Outline

Introduction

Linear Codes

Reed-Solomon codes

Application: Mc Eliece cryptosystem

Outline

Introduction

Linear Codes

Reed-Solomon codes

Application: Mc Eliece cryptosystem

Errors everywhere

Errors everywhere

Error models

Communication channel

I Radio transmission electromagnetic interferencesI Ethernet, DSL electromagnetic interferencesI CD/DVD Audio/Video/ROM scratches, dustI RAM cosmic radiationsI HDD magnetic field, crash

Error models

Communication channel

I Radio transmission electromagnetic interferencesI Ethernet, DSL electromagnetic interferencesI CD/DVD Audio/Video/ROM scratches, dustI RAM cosmic radiationsI HDD magnetic field, crash

Sender

MessageMessage Message

Receiver

Error models

Communication channel

I Radio transmission electromagnetic interferencesI Ethernet, DSL electromagnetic interferencesI CD/DVD Audio/Video/ROM scratches, dustI RAM cosmic radiationsI HDD magnetic field, crash

Sender

MessageMessage Message

ErrorReceiver

Error models

Communication channel

I Radio transmission electromagnetic interferencesI Ethernet, DSL electromagnetic interferencesI CD/DVD Audio/Video/ROM scratches, dustI RAM cosmic radiationsI HDD magnetic field, crash

Error

Message Messagecode word received wordcode word

decod

ing

en

cod

ing

Sender Receiver

Generalities

Goals:Detect: require retransmission (integrity certificate)

Correct: i.e. when no interraction possibleTool: Adding redundancy

Example (NATO phonetic alphabet)

A→ Alfa, B→ Bravo, C→ Charlie, D→ Delta . . .Alpha Bravo India Tango Tango Echo Delta India Oscar UniformSierra !

Two categories of codes:stream codes: online processing of the stream of informationblock codes: cutting information in blocks and applying the

same treatment to each block

Generalities

Goals:Detect: require retransmission (integrity certificate)

Correct: i.e. when no interraction possibleTool: Adding redundancy

Example (NATO phonetic alphabet)

A→ Alfa, B→ Bravo, C→ Charlie, D→ Delta . . .Alpha Bravo India Tango Tango Echo Delta India Oscar UniformSierra !

Two categories of codes:stream codes: online processing of the stream of informationblock codes: cutting information in blocks and applying the

same treatment to each block

Generalities

Goals:Detect: require retransmission (integrity certificate)

Correct: i.e. when no interraction possibleTool: Adding redundancy

Example (NATO phonetic alphabet)

A→ Alfa, B→ Bravo, C→ Charlie, D→ Delta . . .Alpha Bravo India Tango Tango Echo Delta India Oscar UniformSierra !

Two categories of codes:stream codes: online processing of the stream of informationblock codes: cutting information in blocks and applying the

same treatment to each block

Generalities

Goals:Detect: require retransmission (integrity certificate)

Correct: i.e. when no interraction possibleTool: Adding redundancy

Example (NATO phonetic alphabet)

A→ Alfa, B→ Bravo, C→ Charlie, D→ Delta . . .Alpha Bravo India Tango Tango Echo Delta India Oscar UniformSierra !

Two categories of codes:stream codes: online processing of the stream of informationblock codes: cutting information in blocks and applying the

same treatment to each block

Generalities

I A code is a sub-set C ⊂ E of a set of possible words.I Often, E is built from an alphabet Σ: E = Σn.

Parity check

(x1, x2, x3)→ (x1, x2, x3, s)

→ (x1, x2, x3, s)→ Error detected

withs =

∑3i=1 xi mod 2 ⇒

∑3i=1 xi + s = 0 mod 2

Repetition code

I “Say that again?”

I “a”→ “aaa”→ “aab”→ “aaa”→ “a”E : Σ −→ Σr

x 7−→ (x, . . . , x︸ ︷︷ ︸r times

) , and C = Im(E) ⊂ Σr

Generalities

I A code is a sub-set C ⊂ E of a set of possible words.I Often, E is built from an alphabet Σ: E = Σn.

Parity check

(x1, x2, x3)→ (x1, x2, x3, s)

→ (x1, x2, x3, s)→ Error detected

withs =

∑3i=1 xi mod 2 ⇒

∑3i=1 xi + s = 0 mod 2

Repetition code

I “Say that again?”

I “a”→ “aaa”→ “aab”→ “aaa”→ “a”E : Σ −→ Σr

x 7−→ (x, . . . , x︸ ︷︷ ︸r times

) , and C = Im(E) ⊂ Σr

Generalities

I A code is a sub-set C ⊂ E of a set of possible words.I Often, E is built from an alphabet Σ: E = Σn.

Parity check

(x1, x2, x3)→ (x1, x2, x3, s)→ (x1, x2, x3, s)→ Error detected withs =

∑3i=1 xi mod 2 ⇒

∑3i=1 xi + s = 0 mod 2

Repetition code

I “Say that again?”

I “a”→ “aaa”→ “aab”→ “aaa”→ “a”E : Σ −→ Σr

x 7−→ (x, . . . , x︸ ︷︷ ︸r times

) , and C = Im(E) ⊂ Σr

Generalities

I A code is a sub-set C ⊂ E of a set of possible words.I Often, E is built from an alphabet Σ: E = Σn.

Parity check

(x1, x2, x3)→ (x1, x2, x3, s)→ (x1, x2, x3, s)→ Error detected withs =

∑3i=1 xi mod 2 ⇒

∑3i=1 xi + s = 0 mod 2

Repetition code

I “Say that again?”

I “a”→ “aaa”→ “aab”→ “aaa”→ “a”E : Σ −→ Σr

x 7−→ (x, . . . , x︸ ︷︷ ︸r times

) , and C = Im(E) ⊂ Σr

Generalities

I A code is a sub-set C ⊂ E of a set of possible words.I Often, E is built from an alphabet Σ: E = Σn.

Parity check

(x1, x2, x3)→ (x1, x2, x3, s)→ (x1, x2, x3, s)→ Error detected withs =

∑3i=1 xi mod 2 ⇒

∑3i=1 xi + s = 0 mod 2

Repetition code

I “Say that again?”I “a”→ “aaa”→ “aab”→ “aaa”→ “a”

E : Σ −→ Σr

x 7−→ (x, . . . , x︸ ︷︷ ︸r times

) , and C = Im(E) ⊂ Σr

Generalities

I A code is a sub-set C ⊂ E of a set of possible words.I Often, E is built from an alphabet Σ: E = Σn.

Parity check

(x1, x2, x3)→ (x1, x2, x3, s)→ (x1, x2, x3, s)→ Error detected withs =

∑3i=1 xi mod 2 ⇒

∑3i=1 xi + s = 0 mod 2

Repetition code

I “Say that again?”I “a”→ “aaa”→ “aab”→ “aaa”→ “a”

E : Σ −→ Σr

x 7−→ (x, . . . , x︸ ︷︷ ︸r times

) , and C = Im(E) ⊂ Σr

Types of channels

Symmetric binary channel

01−p //

p

��

0

1

p@@

1−p// 1

p: error rate

Floppy 10−9

CD 10−5 (7kB every 700MB)Optic fibre 10−9

Satellite 10−6

DSL 10−3 to 10−9

LAN 10−12

Capacity of a channelInput distribution: random var. X with val. in V: Pr[X = vi] = pi.Output distribution: random var. Y.Transition probabilities: pj|i = Pr[Y = vj|X = vi]

Mutual information

I(X,Y) =∑x,y

p(x, y)log(p(x, y))

log(p(x)) log(p(y))= H(X)− H(X|Y)

= H(Y)− H(Y|X).

I Mesures how much information is shared between X and Y

I how much information of the source has been transmitted

Definition (Channel capacity)

C = maxall probability distrib for X I(X,Y)

Examples of channel capacitiesI If H(Y) = H(Y|X) ⇒input does not impact output ⇒C = 0I If H(Y|X) = 0 ⇒no uncertainty on the output for a given

input ⇒error free channel ⇒C = H(X).

Exercice (Capacity of the symmetric binary channel)

I Let pX = Pr[X = 0], then Pr[X = 1] = 1− pX

I symmetric ⇒pi|j = p constant and pi|i = 1− p

I symmectric ⇒H(Y|X) = H(Y|X = 0) = H(Y|X = 1)⇒independent from the probability distribution of X.

I H(Y)− H(Y|X) is maximal when H(Y) is maximal ⇒whenPr[Y = 0] = Pr[Y = 1] = 1/2.

I

{Pr[Y = 0] = pX(1− p) + (1− pX)p,Pr[Y = 1] = pXp + (1− p)(1− pX)

,

I for pX = 1/2 ⇒maximalI C = H(X)− H(Y|X) = 1 + p log p + (1− p) log(1− p)

I p=1/2 ⇒C = 0 but > 0 otherwise

Examples of channel capacitiesI If H(Y) = H(Y|X) ⇒input does not impact output ⇒C = 0I If H(Y|X) = 0 ⇒no uncertainty on the output for a given

input ⇒error free channel ⇒C = H(X).

Exercice (Capacity of the symmetric binary channel)

I Let pX = Pr[X = 0], then Pr[X = 1] = 1− pX

I symmetric ⇒pi|j = p constant and pi|i = 1− p

I symmectric ⇒H(Y|X) = H(Y|X = 0) = H(Y|X = 1)⇒independent from the probability distribution of X.

I H(Y)− H(Y|X) is maximal when H(Y) is maximal ⇒whenPr[Y = 0] = Pr[Y = 1] = 1/2.

I

{Pr[Y = 0] = pX(1− p) + (1− pX)p,Pr[Y = 1] = pXp + (1− p)(1− pX)

,

I for pX = 1/2 ⇒maximalI C = H(X)− H(Y|X) = 1 + p log p + (1− p) log(1− p)

I p=1/2 ⇒C = 0 but > 0 otherwise

Examples of channel capacitiesI If H(Y) = H(Y|X) ⇒input does not impact output ⇒C = 0I If H(Y|X) = 0 ⇒no uncertainty on the output for a given

input ⇒error free channel ⇒C = H(X).

Exercice (Capacity of the symmetric binary channel)

I Let pX = Pr[X = 0], then Pr[X = 1] = 1− pX

I symmetric ⇒pi|j = p constant and pi|i = 1− pI symmectric ⇒H(Y|X) = H(Y|X = 0) = H(Y|X = 1)⇒independent from the probability distribution of X.

I H(Y)− H(Y|X) is maximal when H(Y) is maximal ⇒whenPr[Y = 0] = Pr[Y = 1] = 1/2.

I

{Pr[Y = 0] = pX(1− p) + (1− pX)p,Pr[Y = 1] = pXp + (1− p)(1− pX)

,

I for pX = 1/2 ⇒maximalI C = H(X)− H(Y|X) = 1 + p log p + (1− p) log(1− p)

I p=1/2 ⇒C = 0 but > 0 otherwise

Examples of channel capacitiesI If H(Y) = H(Y|X) ⇒input does not impact output ⇒C = 0I If H(Y|X) = 0 ⇒no uncertainty on the output for a given

input ⇒error free channel ⇒C = H(X).

Exercice (Capacity of the symmetric binary channel)

I Let pX = Pr[X = 0], then Pr[X = 1] = 1− pX

I symmetric ⇒pi|j = p constant and pi|i = 1− pI symmectric ⇒H(Y|X) = H(Y|X = 0) = H(Y|X = 1)⇒independent from the probability distribution of X.

I H(Y)− H(Y|X) is maximal when H(Y) is maximal ⇒whenPr[Y = 0] = Pr[Y = 1] = 1/2.

I

{Pr[Y = 0] = pX(1− p) + (1− pX)p,Pr[Y = 1] = pXp + (1− p)(1− pX)

,

I for pX = 1/2 ⇒maximalI C = H(X)− H(Y|X) = 1 + p log p + (1− p) log(1− p)

I p=1/2 ⇒C = 0 but > 0 otherwise

Examples of channel capacitiesI If H(Y) = H(Y|X) ⇒input does not impact output ⇒C = 0I If H(Y|X) = 0 ⇒no uncertainty on the output for a given

input ⇒error free channel ⇒C = H(X).

Exercice (Capacity of the symmetric binary channel)

I Let pX = Pr[X = 0], then Pr[X = 1] = 1− pX

I symmetric ⇒pi|j = p constant and pi|i = 1− pI symmectric ⇒H(Y|X) = H(Y|X = 0) = H(Y|X = 1)⇒independent from the probability distribution of X.

I H(Y)− H(Y|X) is maximal when H(Y) is maximal ⇒whenPr[Y = 0] = Pr[Y = 1] = 1/2.

I

{Pr[Y = 0] = pX(1− p) + (1− pX)p,Pr[Y = 1] = pXp + (1− p)(1− pX)

,

I for pX = 1/2 ⇒maximalI C = H(X)− H(Y|X) = 1 + p log p + (1− p) log(1− p)

I p=1/2 ⇒C = 0 but > 0 otherwise

Examples of channel capacitiesI If H(Y) = H(Y|X) ⇒input does not impact output ⇒C = 0I If H(Y|X) = 0 ⇒no uncertainty on the output for a given

input ⇒error free channel ⇒C = H(X).

Exercice (Capacity of the symmetric binary channel)

I Let pX = Pr[X = 0], then Pr[X = 1] = 1− pX

I symmetric ⇒pi|j = p constant and pi|i = 1− pI symmectric ⇒H(Y|X) = H(Y|X = 0) = H(Y|X = 1)⇒independent from the probability distribution of X.

I H(Y)− H(Y|X) is maximal when H(Y) is maximal ⇒whenPr[Y = 0] = Pr[Y = 1] = 1/2.

I

{Pr[Y = 0] = pX(1− p) + (1− pX)p,Pr[Y = 1] = pXp + (1− p)(1− pX)

,

I for pX = 1/2 ⇒maximalI C = H(X)− H(Y|X) = 1 + p log p + (1− p) log(1− p)

I p=1/2 ⇒C = 0 but > 0 otherwise

Second theorem of Shannon

Theorem (Shannon)

Over a binary channel of capacity C, for any ε > 0, there is an(n, k) code of rate R = k/n that can decode with probability oferror < ε if and only if

0 ≤ R < C.

Outline

Introduction

Linear Codes

Reed-Solomon codes

Application: Mc Eliece cryptosystem

Linear Codes

Linear CodesLet E = Vn over a finite field V.A linear code C is a subspace of E .

I length: nI dimension: k = dim(C)I Rate (of information): k/n

Encoding function: E : Vk −→ Vn s.t. C = Im(E) ⊂ Vn

Example

I Parity code: k = n− 1 1-detectorI r-repetition code: k = n/r r − 1-detector,

b r−12 c-corrector

Linear Codes

Linear CodesLet E = Vn over a finite field V.A linear code C is a subspace of E .

I length: nI dimension: k = dim(C)I Rate (of information): k/n

Encoding function: E : Vk −→ Vn s.t. C = Im(E) ⊂ Vn

Example

I Parity code: k = n− 1 1-detectorI r-repetition code: k = n/r r − 1-detector,

b r−12 c-corrector

Distance of a codeI Hamming weight: wH(x) = |{i, xi 6= 0}|.

I Hamming distance: dH(x, y) = wH(x− y) = |{i, xi 6= yi}|I minimal distance of a code δ = minx,y∈C dH(x, y)

In a linear code: δ = minx∈C\{0} wH(x))

C is t-corrector if

I ∀x ∈ E|{c ∈ C, dH(x, c) ≤ t}| ≤ 1I ∀c1, c2 ∈ C c1 6= c2 ⇒ dH(c1, c2) > 2t

Distance of a codeI Hamming weight: wH(x) = |{i, xi 6= 0}|.I Hamming distance: dH(x, y) = wH(x− y) = |{i, xi 6= yi}|

I minimal distance of a code δ = minx,y∈C dH(x, y)In a linear code: δ = minx∈C\{0} wH(x))

C is t-corrector if

I ∀x ∈ E|{c ∈ C, dH(x, c) ≤ t}| ≤ 1I ∀c1, c2 ∈ C c1 6= c2 ⇒ dH(c1, c2) > 2t

Distance of a code

I Hamming weight: wH(x) = |{i, xi 6= 0}|.I Hamming distance: dH(x, y) = wH(x− y) = |{i, xi 6= yi}|I minimal distance of a code δ = minx,y∈C dH(x, y)

In a linear code: δ = minx∈C\{0} wH(x))

t

δ

C is t-corrector if

I ∀x ∈ E|{c ∈ C, dH(x, c) ≤ t}| ≤ 1I ∀c1, c2 ∈ C c1 6= c2 ⇒ dH(c1, c2) > 2t

Distance of a code

I Hamming weight: wH(x) = |{i, xi 6= 0}|.I Hamming distance: dH(x, y) = wH(x− y) = |{i, xi 6= yi}|I minimal distance of a code δ = minx,y∈C dH(x, y)

In a linear code: δ = minx∈C\{0} wH(x))

t

C is t-corrector ifI ∀x ∈ E|{c ∈ C, dH(x, c) ≤ t}| ≤ 1

I ∀c1, c2 ∈ C c1 6= c2 ⇒ dH(c1, c2) > 2t

Distance of a code

I Hamming weight: wH(x) = |{i, xi 6= 0}|.I Hamming distance: dH(x, y) = wH(x− y) = |{i, xi 6= yi}|I minimal distance of a code δ = minx,y∈C dH(x, y)

In a linear code: δ = minx∈C\{0} wH(x))

t

δ

C is t-corrector ifI ∀x ∈ E|{c ∈ C, dH(x, c) ≤ t}| ≤ 1I ∀c1, c2 ∈ C c1 6= c2 ⇒ dH(c1, c2) > 2t

Perfect codes

DefinitionA code is perfect if any detected error can be corrected.

Example

I 4-repetition is not perfectI 3-repetition is perfect

Property

A code is perfect if the balls of radius t around the codewordsform a partition of the ambiant space.

Perfect codes

DefinitionA code is perfect if any detected error can be corrected.

Example

I 4-repetition is not perfectI 3-repetition is perfect

Property

A code is perfect if the balls of radius t around the codewordsform a partition of the ambiant space.

Generator matrix and parity check matrixGenerator matrixThe matrix of the encoding function (depends on a choice of basis):E : xT −→ xTG

Systematic form: G =

1 0. . .

0 1

G

Parity check matrix

1. H ∈ K(n−k)×n s.t. ker(H) = C: c ∈ C ⇔ Hc = 0

2. basis of ker(GT): HGT = 0

ExerciceFind G and H of the binary parity check and of the k-repetition codes.

Gpar =

1 1. . .

...1 1

,Hpar = [1 . . . 1], Grep = Hpar,Grep = Hpar

Generator matrix and parity check matrixGenerator matrixThe matrix of the encoding function (depends on a choice of basis):E : xT −→ xTG

Systematic form: G =

1 0. . .

0 1

G

Parity check matrix

1. H ∈ K(n−k)×n s.t. ker(H) = C: c ∈ C ⇔ Hc = 0

2. basis of ker(GT): HGT = 0

ExerciceFind G and H of the binary parity check and of the k-repetition codes.

Gpar =

1 1. . .

...1 1

,Hpar = [1 . . . 1], Grep = Hpar,Grep = Hpar

Generator matrix and parity check matrixGenerator matrixThe matrix of the encoding function (depends on a choice of basis):E : xT −→ xTG

Systematic form: G =

1 0. . .

0 1

G

Parity check matrix

1. H ∈ K(n−k)×n s.t. ker(H) = C: c ∈ C ⇔ Hc = 0

2. basis of ker(GT): HGT = 0

ExerciceFind G and H of the binary parity check and of the k-repetition codes.

Gpar =

1 1. . .

...1 1

,Hpar = [1 . . . 1], Grep = Hpar,Grep = Hpar

Generator matrix and parity check matrixGenerator matrixThe matrix of the encoding function (depends on a choice of basis):E : xT −→ xTG

Systematic form: G =

1 0. . .

0 1

G

Parity check matrix

1. H ∈ K(n−k)×n s.t. ker(H) = C: c ∈ C ⇔ Hc = 0

2. basis of ker(GT): HGT = 0

ExerciceFind G and H of the binary parity check and of the k-repetition codes.

Gpar =

1 1. . .

...1 1

,Hpar = [1 . . . 1], Grep = Hpar,Grep = Hpar

Role of the parity check matrix

c ∈ C ⇔ Hc = 0

I Certificate for detecting errorsI Syndrom: sx = Hx = H(c + e) = He

⇒a first correction algorithm:I pre-compute all se for wH(e) ≤ t in a table SI For x received. If sx 6= 0, look for sx in the table SI return the corresponding codeword

s=Hxx s==0? Return xO

Return ccs

N

Role of the parity check matrix

c ∈ C ⇔ Hc = 0

I Certificate for detecting errorsI Syndrom: sx = Hx = H(c + e) = He⇒a first correction algorithm:I pre-compute all se for wH(e) ≤ t in a table SI For x received. If sx 6= 0, look for sx in the table SI return the corresponding codeword

s=Hxx s==0? Return xO

Return ccs

N

Hamming codes

Let H =

1 0 1 0 1 0 10 1 1 0 0 1 10 0 0 1 1 1 1

I Parameters of the corresponding code?

(n, k) = (7, 4)

I Generator matrix?

G =

1 1 1 0 0 0 01 0 0 1 1 0 00 1 0 1 0 1 01 1 0 1 0 0 1

I Minimal distance?

δ ≤ 3.I If δ = 1, ∃i,Hi = 0I If δ = 2, ∃i 6= j,Hi = Hj ⇒δ = 3

I Is it a perfect code?

δ = 3 ⇒t = 1 corrector.|C| = 2k ⇒# of elements in each ball of radius 1:2k(1 + 7) = 16 · 8 = 27 = |Kn| ⇒perfect

Generalization∀`: H(2` − 1, 2` − `), is 1-corrector, perfect.Example: Minitel, ECC memory: ` = 7

Hamming codes

Let H =

1 0 1 0 1 0 10 1 1 0 0 1 10 0 0 1 1 1 1

I Parameters of the corresponding code? (n, k) = (7, 4)

I Generator matrix?

G =

1 1 1 0 0 0 01 0 0 1 1 0 00 1 0 1 0 1 01 1 0 1 0 0 1

I Minimal distance?

δ ≤ 3.I If δ = 1, ∃i,Hi = 0I If δ = 2, ∃i 6= j,Hi = Hj ⇒δ = 3

I Is it a perfect code?

δ = 3 ⇒t = 1 corrector.|C| = 2k ⇒# of elements in each ball of radius 1:2k(1 + 7) = 16 · 8 = 27 = |Kn| ⇒perfect

Generalization∀`: H(2` − 1, 2` − `), is 1-corrector, perfect.Example: Minitel, ECC memory: ` = 7

Hamming codes

Let H =

1 0 1 0 1 0 10 1 1 0 0 1 10 0 0 1 1 1 1

I Parameters of the corresponding code? (n, k) = (7, 4)

I Generator matrix? G =

1 1 1 0 0 0 01 0 0 1 1 0 00 1 0 1 0 1 01 1 0 1 0 0 1

I Minimal distance?

δ ≤ 3.I If δ = 1, ∃i,Hi = 0I If δ = 2, ∃i 6= j,Hi = Hj ⇒δ = 3

I Is it a perfect code?

δ = 3 ⇒t = 1 corrector.|C| = 2k ⇒# of elements in each ball of radius 1:2k(1 + 7) = 16 · 8 = 27 = |Kn| ⇒perfect

Generalization∀`: H(2` − 1, 2` − `), is 1-corrector, perfect.Example: Minitel, ECC memory: ` = 7

Hamming codes

Let H =

1 0 1 0 1 0 10 1 1 0 0 1 10 0 0 1 1 1 1

I Parameters of the corresponding code? (n, k) = (7, 4)

I Generator matrix? G =

1 1 1 0 0 0 01 0 0 1 1 0 00 1 0 1 0 1 01 1 0 1 0 0 1

I Minimal distance? δ ≤ 3.

I If δ = 1, ∃i,Hi = 0I If δ = 2, ∃i 6= j,Hi = Hj ⇒δ = 3

I Is it a perfect code?

δ = 3 ⇒t = 1 corrector.|C| = 2k ⇒# of elements in each ball of radius 1:2k(1 + 7) = 16 · 8 = 27 = |Kn| ⇒perfect

Generalization∀`: H(2` − 1, 2` − `), is 1-corrector, perfect.Example: Minitel, ECC memory: ` = 7

Hamming codes

Let H =

1 0 1 0 1 0 10 1 1 0 0 1 10 0 0 1 1 1 1

I Parameters of the corresponding code? (n, k) = (7, 4)

I Generator matrix? G =

1 1 1 0 0 0 01 0 0 1 1 0 00 1 0 1 0 1 01 1 0 1 0 0 1

I Minimal distance? δ ≤ 3.

I If δ = 1, ∃i,Hi = 0I If δ = 2, ∃i 6= j,Hi = Hj ⇒δ = 3

I Is it a perfect code? δ = 3 ⇒t = 1 corrector.|C| = 2k ⇒# of elements in each ball of radius 1:2k(1 + 7) = 16 · 8 = 27 = |Kn| ⇒perfect

Generalization∀`: H(2` − 1, 2` − `), is 1-corrector, perfect.Example: Minitel, ECC memory: ` = 7

Hamming codes

Let H =

1 0 1 0 1 0 10 1 1 0 0 1 10 0 0 1 1 1 1

I Parameters of the corresponding code? (n, k) = (7, 4)

I Generator matrix? G =

1 1 1 0 0 0 01 0 0 1 1 0 00 1 0 1 0 1 01 1 0 1 0 0 1

I Minimal distance? δ ≤ 3.

I If δ = 1, ∃i,Hi = 0I If δ = 2, ∃i 6= j,Hi = Hj ⇒δ = 3

I Is it a perfect code? δ = 3 ⇒t = 1 corrector.|C| = 2k ⇒# of elements in each ball of radius 1:2k(1 + 7) = 16 · 8 = 27 = |Kn| ⇒perfect

Generalization∀`: H(2` − 1, 2` − `), is 1-corrector, perfect.Example: Minitel, ECC memory: ` = 7

Some bounds

Let C be a code (n, k, δ) over a field Fq with q elements.k and δ can not be simulatneously large for a given n.

Sphere packing: qk∑ti=0

(ni

)(q− 1)i ≤ qn , t = b δ−1

2 c.

Singleton bound: δ ≤ n− k + 1

Sketch of proof:I Let H be the parity check matrix (n− k)× n.I δ is the smallest number of linearly dependent cols of H.I n− k + 1 = rank(H) + 1 cols are always linearly dependent.⇒How to build codes correcting up to n−k

2 .

Some bounds

Let C be a code (n, k, δ) over a field Fq with q elements.k and δ can not be simulatneously large for a given n.

Sphere packing: qk∑ti=0

(ni

)(q− 1)i ≤ qn , t = b δ−1

2 c.Singleton bound: δ ≤ n− k + 1

Sketch of proof:I Let H be the parity check matrix (n− k)× n.I δ is the smallest number of linearly dependent cols of H.I n− k + 1 = rank(H) + 1 cols are always linearly dependent.⇒How to build codes correcting up to n−k

2 .

Some bounds

Let C be a code (n, k, δ) over a field Fq with q elements.k and δ can not be simulatneously large for a given n.

Sphere packing: qk∑ti=0

(ni

)(q− 1)i ≤ qn , t = b δ−1

2 c.Singleton bound: δ ≤ n− k + 1

Sketch of proof:I Let H be the parity check matrix (n− k)× n.I δ is the smallest number of linearly dependent cols of H.I n− k + 1 = rank(H) + 1 cols are always linearly dependent.

⇒How to build codes correcting up to n−k2 .

Some bounds

Let C be a code (n, k, δ) over a field Fq with q elements.k and δ can not be simulatneously large for a given n.

Sphere packing: qk∑ti=0

(ni

)(q− 1)i ≤ qn , t = b δ−1

2 c.Singleton bound: δ ≤ n− k + 1

Sketch of proof:I Let H be the parity check matrix (n− k)× n.I δ is the smallest number of linearly dependent cols of H.I n− k + 1 = rank(H) + 1 cols are always linearly dependent.⇒How to build codes correcting up to n−k

2 .

Outline

Introduction

Linear Codes

Reed-Solomon codes

Application: Mc Eliece cryptosystem

Reed-Solomon codes

Definition (Reed-Solomon codes)

Let K be a finite field, and x1, . . . , xn ∈ K distinct elements. TheReed-Solomon code of length n and dimension k is defined by

C(n, k) = {(f (x1), . . . , f (xn)), f ∈ K[X]; deg f < k}

Example

(n, k) = (5, 3), f = x2 + 2x + 1 over Z/31Z.(1, 2, 1, 0, 0)

Eval−−→ (f (1), f (5), f (8), f (10), f (12)) = (4, 17, 5, 7, 17)

(4, 17, 5, 7, 17)Interp.−−−→ (1, 2, 1, 0, 0) x2 + 2x + 1

(4, 17, 13, 7, 17)Interp.−−−→ (12, 8, 11, 10, 1) x4 + 10x3 + 11x2 + 8x + 12

Reed-Solomon codes

Definition (Reed-Solomon codes)

Let K be a finite field, and x1, . . . , xn ∈ K distinct elements. TheReed-Solomon code of length n and dimension k is defined by

C(n, k) = {(f (x1), . . . , f (xn)), f ∈ K[X]; deg f < k}

Example

(n, k) = (5, 3), f = x2 + 2x + 1 over Z/31Z.(1, 2, 1, 0, 0)

Eval−−→ (f (1), f (5), f (8), f (10), f (12)) = (4, 17, 5, 7, 17)

(4, 17, 5, 7, 17)Interp.−−−→ (1, 2, 1, 0, 0) x2 + 2x + 1

(4, 17, 13, 7, 17)Interp.−−−→ (12, 8, 11, 10, 1) x4 + 10x3 + 11x2 + 8x + 12

Minimal distance of Reed-Solomon codes

Property

δ = n− k + 1 (Maximum Distance Separable codes)

Proof.Singeton bound: δ ≤ n− k + 1

Let f , g ∈ C: deg f , deg g < k.If f (xi) 6= g(xi) for d < n− k + 1 values xi,Then f (xj)− g(xj) = 0 for at least n− d > k − 1 values xj.Now deg(f − g) < k, hence f = g.

⇒correct up to n−k2 errors.

Minimal distance of Reed-Solomon codes

Property

δ = n− k + 1 (Maximum Distance Separable codes)

Proof.Singeton bound: δ ≤ n− k + 1

Let f , g ∈ C: deg f , deg g < k.If f (xi) 6= g(xi) for d < n− k + 1 values xi,Then f (xj)− g(xj) = 0 for at least n− d > k − 1 values xj.Now deg(f − g) < k, hence f = g.

⇒correct up to n−k2 errors.

Minimal distance of Reed-Solomon codes

Property

δ = n− k + 1 (Maximum Distance Separable codes)

Proof.Singeton bound: δ ≤ n− k + 1Let f , g ∈ C: deg f , deg g < k.If f (xi) 6= g(xi) for d < n− k + 1 values xi,Then f (xj)− g(xj) = 0 for at least n− d > k − 1 values xj.Now deg(f − g) < k, hence f = g.

⇒correct up to n−k2 errors.

Minimal distance of Reed-Solomon codes

Property

δ = n− k + 1 (Maximum Distance Separable codes)

Proof.Singeton bound: δ ≤ n− k + 1Let f , g ∈ C: deg f , deg g < k.If f (xi) 6= g(xi) for d < n− k + 1 values xi,Then f (xj)− g(xj) = 0 for at least n− d > k − 1 values xj.Now deg(f − g) < k, hence f = g.

⇒correct up to n−k2 errors.

Rational fraction reconstructionProblem (RFR: Rational Fraction Reconstruction)

Given A,B ∈ K[X] with deg B < deg A = n, find f , g ∈ K[X], withdeg f ≤ dF, deg g ≤ n− dF − 1 and

f = gB mod A.

TheoremLet (f0 = A, f1 = B, . . . , f`) the sequence of remainders of theextended Euclidean algorithm applied on (A,B) and ui, vi thecoefficients s.t. fi = uif0 + vif1. Then, at iteration j s.t.deg fj ≤ dF < deg fj−1,

1. (fj, vj) is a solution of problem RFR.2. it is minimal: any other solution (f , g) writes

f = qfj, g = qvj for q ∈ K[X].

Reed-Solomon decoding with Extended Euclideanalgorithm

Berlekamp-Welch using extended Euclidean algorithm

I Erroneous interpolant: P = Interp((yi, xi))

I Error locator polynomial: Λ =∏

i|yiis erroneous(X − xi)

Find f with deg f ≤ dF s.t.. f and P match on ≥ n− t evaluationsxi.

Λf︸︷︷︸fj

= Λ︸︷︷︸gj

P modn∏

i=1

(X − xi)

and (Λf ,Λ) is minimal⇒computed by extended Euclidean Algorithm

f = fj/gj.

Another decoding algorithm: syndrom basedFrom now on: K = Fq, n = q− 1, xi = αi where α is a primitiven-th root of unity.

E(f ) = (f (α0), f (α1), f (α2), . . . , f (αn−1)) = DFTα(f )

Linear recurring sequences

Sequences (a0, a1, . . . , an, . . . ) such that

∀j ≥ 0 aj+t =t−1∑i=0

λiai+j

generator polynomial: Λ(z) = zt −∑t−1

i=0 λizi

minimal polynomial: Λ(z) of minimal degreelinear complexity of (ai)i: degree t of the minimal polynomial Λ

Computing Λmin: Berlekamp/Massey algorithm, from 2tconsecutive elements, in O

(t2)

Another decoding algorithm: syndrom basedFrom now on: K = Fq, n = q− 1, xi = αi where α is a primitiven-th root of unity.

E(f ) = (f (α0), f (α1), f (α2), . . . , f (αn−1)) = DFTα(f )

Linear recurring sequences

Sequences (a0, a1, . . . , an, . . . ) such that

∀j ≥ 0 aj+t =

t−1∑i=0

λiai+j

generator polynomial: Λ(z) = zt −∑t−1

i=0 λizi

minimal polynomial: Λ(z) of minimal degreelinear complexity of (ai)i: degree t of the minimal polynomial Λ

Computing Λmin: Berlekamp/Massey algorithm, from 2tconsecutive elements, in O

(t2)

Blahut theorem

Theorem ( [Blahut84], [Prony1795] )

The DFTα of a vector of weight t has linear complexity t.

Skecth of proof

I Let v = ei be a 1-weight vector. ThenDFTα(v) = Ev(α0,α1,...,αn)(Xi) = ((α0)i, (α1)i, . . . , (αn−1)i) islinearly generated by Λ(z) = z− αi.

I For v =∑t

j=1 eij , the sequence DFTα(v) is generated byppcmj(z− αij) =

∏tj=1(z− αij)

Corollary

The roots of Λ localize the non-zero elements les éléments nonnuls de v: αij . ⇒error locator

Blahut theorem

Theorem ( [Blahut84], [Prony1795] )

The DFTα of a vector of weight t has linear complexity t.

Skecth of proof

I Let v = ei be a 1-weight vector. ThenDFTα(v) = Ev(α0,α1,...,αn)(Xi) = ((α0)i, (α1)i, . . . , (αn−1)i) islinearly generated by Λ(z) = z− αi.

I For v =∑t

j=1 eij , the sequence DFTα(v) is generated byppcmj(z− αij) =

∏tj=1(z− αij)

Corollary

The roots of Λ localize the non-zero elements les éléments nonnuls de v: αij . ⇒error locator

Blahut theorem

Theorem ( [Blahut84], [Prony1795] )

The DFTα of a vector of weight t has linear complexity t.

Skecth of proof

I Let v = ei be a 1-weight vector. ThenDFTα(v) = Ev(α0,α1,...,αn)(Xi) = ((α0)i, (α1)i, . . . , (αn−1)i) islinearly generated by Λ(z) = z− αi.

I For v =∑t

j=1 eij , the sequence DFTα(v) is generated byppcmj(z− αij) =

∏tj=1(z− αij)

Corollary

The roots of Λ localize the non-zero elements les éléments nonnuls de v: αij . ⇒error locator

Blahut theorem

Theorem ( [Blahut84], [Prony1795] )

The DFTα of a vector of weight t has linear complexity t.

Skecth of proof

I Let v = ei be a 1-weight vector. ThenDFTα(v) = Ev(α0,α1,...,αn)(Xi) = ((α0)i, (α1)i, . . . , (αn−1)i) islinearly generated by Λ(z) = z− αi.

I For v =∑t

j=1 eij , the sequence DFTα(v) is generated byppcmj(z− αij) =

∏tj=1(z− αij)

Corollary

The roots of Λ localize the non-zero elements les éléments nonnuls de v: αij . ⇒error locator

Syndrom Decoding of Reed-Solomon codes

C = {(f (x1), . . . , f (xn))| deg f < k}

f

error

P

0

=

0

+

f

Evaluation

Interpolation

m = f (x), deg f < k ey = Eval(f ), yi = f (xi)

z = y + e

Interp(e)

Syndrom Decoding of Reed-Solomon codes

C = {(f (x1), . . . , f (xn))| deg f < k}

���������������������������������������

���������������������������������������

f

error

g

0

=

0

+

f

Evaluation

Interpolation

f

Berlekamp Massey algorithm

m = f (x), deg f < k ey = Eval(f ), yi = f (xi)

z = y + e

Interp(e)

Codes derived from Reed Solomon codes

Generalized Reed-Solomon codes

CGRS(n, k, v) = {(v1f (x1), . . . , vnf (xn)), f ∈ K<k[X]}

I same dimension and minimal distance ⇒MDSI Allows to prove existence of a dual GRS code in the same

evaluation points

Codes derived from Reed Solomon codesGoppa codes

Motivation: allow arbitrary length n for a fixed field Fq. (GRScodes require q < n).

Idea: use a GRS over Fqm , and restrict to Fq.

LetI K = Fq, K = Fqm and (α ∈ (K∗)n

I f ∈ Fqm [X], deg f = t − 1 and m(t − 1) < nI v = ( 1

f (αi))

I CK = CGRS(n, k, v) over K with parameters (n, k, t)

ThenCGoppa = CK ∩ Fn

q

I Minimum distance: ≥ tI Binary Goppa, with f square free⇒Minimum distance: = 2t + 1

Outline

Introduction

Linear Codes

Reed-Solomon codes

Application: Mc Eliece cryptosystem

A code based cryptosystem [Mc Eliece 78]

Designing a one way function with trapdoor

Use the encoder of a linear code:

message×[G]

= codeword

Encoding is easy (matrix-vector product)Decoding a random linear code is NP-completeTrapdoor: efficient decoding algorithm when the code familiy

is known

⇒requires a family F of codesI indistinguishable from random linear codesI with fast decoding algorithm

A code based cryptosystem [Mc Eliece 78]

Designing a one way function with trapdoor

Use the encoder of a linear code:

message×[G]

= codeword

Encoding is easy (matrix-vector product)Decoding a random linear code is NP-completeTrapdoor: efficient decoding algorithm when the code familiy

is known

⇒requires a family F of codesI indistinguishable from random linear codesI with fast decoding algorithm

Mc Eliece Cryptosystem

Key generation

I Select an (n, k) binary linear code C ∈ F correcting t errors,having an efficient decoding algorithm AC ,

I Form G ∈ Fk×nq , a generator matrix for C

I Select a random k × k non-singular matrix SI Select a random n-dimensional permutation P.I G = SGP

Public key: (G, t)

Private key: (S,G,P) and AC

Mc Eliece Cryptosystem

Encrypt

E(m) = mG + e = mSGP + e = y

where e is an error vector of Hamming weight at most t.

Decrypt

1. y′ = yP−1 = mSG + eP−1

2. m′ = AC(y′) = mS

3. m = m′S−1

Parameters for Mc Eliece in practice

(n, k, d) Code family key size Security Attack

(256, 128, 129) Gen. Reed-Solomon 67ko 295 [SS92]

subcodes of GRS [Wie10](1024, 176, 128) Reed-Muller codes 22.5ko 272 [MS07, CB13](2048, 232, 256) Reed-Muller codes 59.4ko 293 [MS07, CB13](171, 109, 61)128 Alg.-Geom. codes 16ko 266 [FM08, CMP14](1024, 524, 101)2 Goppa codes 67ko 262

(2048, 1608, 48)2 Goppa codes 412ko 296

Parameters for Mc Eliece in practice

(n, k, d) Code family key size Security Attack

(256, 128, 129) Gen. Reed-Solomon 67ko 295 [SS92]subcodes of GRS [Wie10]

(1024, 176, 128) Reed-Muller codes 22.5ko 272 [MS07, CB13](2048, 232, 256) Reed-Muller codes 59.4ko 293 [MS07, CB13](171, 109, 61)128 Alg.-Geom. codes 16ko 266 [FM08, CMP14](1024, 524, 101)2 Goppa codes 67ko 262

(2048, 1608, 48)2 Goppa codes 412ko 296

Parameters for Mc Eliece in practice

(n, k, d) Code family key size Security Attack

(256, 128, 129) Gen. Reed-Solomon 67ko 295 [SS92]subcodes of GRS [Wie10]

(1024, 176, 128) Reed-Muller codes 22.5ko 272 [MS07, CB13](2048, 232, 256) Reed-Muller codes 59.4ko 293 [MS07, CB13]

(171, 109, 61)128 Alg.-Geom. codes 16ko 266 [FM08, CMP14](1024, 524, 101)2 Goppa codes 67ko 262

(2048, 1608, 48)2 Goppa codes 412ko 296

Parameters for Mc Eliece in practice

(n, k, d) Code family key size Security Attack

(256, 128, 129) Gen. Reed-Solomon 67ko 295 [SS92]subcodes of GRS [Wie10]

(1024, 176, 128) Reed-Muller codes 22.5ko 272 [MS07, CB13](2048, 232, 256) Reed-Muller codes 59.4ko 293 [MS07, CB13](171, 109, 61)128 Alg.-Geom. codes 16ko 266 [FM08, CMP14]

(1024, 524, 101)2 Goppa codes 67ko 262

(2048, 1608, 48)2 Goppa codes 412ko 296

Parameters for Mc Eliece in practice

(n, k, d) Code family key size Security Attack

(256, 128, 129) Gen. Reed-Solomon 67ko 295 [SS92]subcodes of GRS [Wie10]

(1024, 176, 128) Reed-Muller codes 22.5ko 272 [MS07, CB13](2048, 232, 256) Reed-Muller codes 59.4ko 293 [MS07, CB13](171, 109, 61)128 Alg.-Geom. codes 16ko 266 [FM08, CMP14](1024, 524, 101)2 Goppa codes 67ko 262

(2048, 1608, 48)2 Goppa codes 412ko 296

Advantages of McEliece cryptosystem

Security

Based on two assumptions:I decoding a random linear code is hard (NP complete

reduction)I the generator matrix of a Goppa code looks random

(indistinguishability)

Pros:I faster encoding/decoding algorithms than RSA, ECC (for a

given security parameter)I Post quantum security: still robust against quantum

computer attacksCons:

I harder to use it for signature (non determinstic encoding)I large key size