Codes used in Cryptography (slides). Prasad Krishnan, Signal Processing and Communications Research Center, International Institute of Information Technology, Hyderabad (IIIT H). March 29, 2016.

  • Codes used in Cryptography

    Prasad Krishnan

    Signal Processing and Communications Research Center, International Institute of Information Technology, Hyderabad

    March 29, 2016

    Codes used in Cryptography IIIT H

  • Outline

    Coding Theory and Cryptography
      - Linear Codes
      - Codes and Cryptography

    BCH Codes
      - BCH Codes
      - Decoding BCH Codes

    Variants of BCH codes
      - Reed Solomon and Generalised Reed Solomon Codes
      - Alternant Codes
      - Goppa Codes


  • Linear Codes: What is a code

    - A code is a finite subset of some mathematical structure.
    - Used to encode messages passing through a channel.
    - The elements of the subset are picked in such a way as to ensure that errors occurring during transmission do not cause confusion during decoding.
    - Encoding function of a code C:

      E : Messages → Codewords.

  • Linear Codes over F_q^n

    - C is a linear code if E is linear in the message set.
    - If E : F_q^k → F_q^n, then we can represent E using a k × n matrix G over F_q such that c = xG.
    - G is called the generator matrix of C, which is an (n, k) code.
    - The linear code is completely defined by its generator matrix G (k × n).
    - Alternatively, one can use a parity check matrix H ((n − k) × n) to define the code, where H is any matrix such that GH^T = 0.
    - C = Span(G) = NullSpace(H).

  • Linear Codes over F_q^n

    - Received vector is r = c + e.
    - e = (e_0, e_1, ..., e_{n−1}) captures the error occurring in the n coordinates.
    - Minimum distance: d = min_{c ∈ C, c ≠ 0} w_H(c).
    - Singleton bound: d ≤ n − k + 1.

    Theorem (Error correction)
    A linear code C with minimum distance ≥ 2t + 1 can correct any t errors.

    Theorem (Independence of the H matrix)
    A linear code C has minimum distance d if and only if any set of d − 1 columns of H is linearly independent.

  • Linear Codes over F_q^n - Syndrome Decoding

    - Received vector r = c + e ∈ F_q^n.
    - Compute

      s = rH^T = cH^T + eH^T = xGH^T + eH^T = eH^T ∈ F_q^{n−k}.

    - 2t + 1 ≤ d ≤ n − k + 1.
    - Corresponding to any error vector of weight up to t there is a unique syndrome.
    - Syndrome decoding for errors of weight up to t:
      1. Find the syndrome s.
      2. Find e corresponding to s (here the code structure helps build efficient algorithms).
      3. Find c = r − e. Map it back to x.


  • Codes and Cryptography: Linear Codes over F_q^n - Connection to Cryptography

    - Public Key Cryptography: Want to convey a message secretly (make it easy for the intended receiver, but hard for everyone else).
    - Encoding key is public, but the decoding key is ideally known to the receiver alone.

      {E_e : Plaintext → Ciphertext | e ∈ KeySpace}.   (1)
      {D_d : Ciphertext → Plaintext | d ∈ KeySpace}.   (2)

    - Given an (e, d) pair (e and d are mathematically related):
      1. D_d(E_e(p)) = p ∀p ∈ Plaintext.
      2. Knowing e, it is hard to get d.

  • McEliece Cryptosystem - Code-based Crypto System Example

    - Want to transmit x ∈ F_q^k secretly.
    - Choose
      - A code C (i.e., an appropriate k × n matrix G) that can correct t errors and has an efficient decoding algorithm, of complexity O(nt).
      - An invertible k × k matrix S.
      - An n × n permutation matrix P.

    McEliece Scheme
    - Public Key: G′ = SGP (generates a code having the same distance properties as C, but does not have an efficient decoding algorithm).
    - Send xG′ + e, for some random vector e with w_H(e) = t.
    - Private Key: (S, P, efficient decoding algorithm for code G).

  • McEliece Cryptosystem - Code-based Crypto Example

    - Receiver and wiretapper both see r = xG′ + e.
    - Receiver knows S, P and the efficient decoding algorithm for G. Thus it does the following:

      rP^{−1} = xSGPP^{−1} + eP^{−1}   (3)
              = xSG + e′,              (4)

      Note that e and e′ both have weight t.
    - From the above equation, the receiver can decode for x′ = xS by the efficient algorithm. Finally get x = x′S^{−1}.
    - The wiretapper sees a 'random code' G′, in the sense that there is no efficient algorithm to get x (the brute-force method is exponential in n − k).
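The syndrome-decoding steps and the McEliece key generation, encryption and decryption described on the slides above, worked through as an added example (this is not code from the slides). It uses the systematic (7, 4) Hamming code over F_2 (d = 3, so t = 1) as the private code C: the matrices G and H, the seed, and the function names are constructed here for illustration. The three steps of decryption are exactly equations (3) and (4): undo P, run the efficient decoder of the private code on xSG + e′, then undo S. A key of this size offers no security at all; the slides' real instance is a (1024, 524) Goppa code with t = 50.

```python
import random

# --- GF(2) matrix helpers (rows are lists of 0/1) ---
def matmul(A, B):
    return [[sum(A[i][k] & B[k][j] for k in range(len(B))) & 1
             for j in range(len(B[0]))] for i in range(len(A))]

def transpose(A):
    return [list(col) for col in zip(*A)]

def gf2_inverse(M):
    """Gauss-Jordan over GF(2); returns None when M is singular."""
    k = len(M)
    aug = [row[:] + [int(i == j) for j in range(k)] for i, row in enumerate(M)]
    for col in range(k):
        pivot = next((r for r in range(col, k) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(k):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[k:] for row in aug]

# Private code: systematic (7,4) Hamming code, d = 3, hence t = 1 (constructed example).
K, N, T = 4, 7, 1
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],          # G H^T = 0; all 7 columns are distinct and non-zero
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]

def hamming_decode(r):
    """Syndrome decoding: s = r H^T equals the column of H at the error position."""
    s = matmul([r], transpose(H))[0]
    r = r[:]
    if any(s):
        r[transpose(H).index(s)] ^= 1   # weight-1 error: flip the matching coordinate
    return r                            # corrected codeword; message = first K bits

def keygen(rng):
    """Public key G' = S G P; private key (S^-1, P^-1) plus the Hamming decoder."""
    while True:                          # random k x k matrix, retried until invertible
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        S_inv = gf2_inverse(S)
        if S_inv is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    G_pub = matmul(matmul(S, G), P)      # same distance as G, Hamming structure hidden
    return G_pub, (S_inv, transpose(P))  # P^-1 = P^T for a permutation matrix

def encrypt(G_pub, x, rng):
    """Ciphertext r = x G' + e with w_H(e) = T."""
    r = matmul([x], G_pub)[0]
    r[rng.randrange(N)] ^= 1             # T = 1: one random error position
    return r

def decrypt(priv, r):
    S_inv, P_inv = priv
    r_p = matmul([r], P_inv)[0]          # r P^-1 = x S G + e', e' still of weight T
    codeword = hamming_decode(r_p)       # efficient decoder of the private code
    x_s = codeword[:K]                   # = x S, because G is systematic
    return matmul([x_s], S_inv)[0]       # x = (x S) S^-1

def roundtrip_all(seed=7):
    """Every 4-bit message with an error in every coordinate must decrypt correctly."""
    rng = random.Random(seed)
    G_pub, priv = keygen(rng)
    for m in range(2 ** K):
        x = [(m >> i) & 1 for i in range(K)]
        for pos in range(N):
            r = matmul([x], G_pub)[0]
            r[pos] ^= 1
            if decrypt(priv, r) != x:
                return False
    return True

if __name__ == "__main__":
    rng = random.Random(7)
    G_pub, priv = keygen(rng)
    x = [1, 0, 1, 1]
    r = encrypt(G_pub, x, rng)
    print("public G':", G_pub)
    print("ciphertext", r, "-> plaintext", decrypt(priv, r))
```

The wiretapper's view is G_pub alone: it still has rank 4 and minimum distance 3, but the column order and row mixing hide which coordinates form the identity block that hamming_decode relies on. In the toy case that hiding is worthless (a 7-bit code can be brute-forced instantly), which is why the slides move to long Goppa codes.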

  • McEliece Cryptosystem - Code-based Crypto Example

    McEliece chose the class of binary Goppa codes for his scheme, because:

    - Fast algorithms are available for codes with large k, n (required further for making the algorithm secure).
    - McEliece gives an example of n = 1024, k = 524 with t = 50.
    - A large number of Goppa codes exist, so the wiretapper finds it hard to find G.
    - Unbroken, unlike other codes proposed like Reed Solomon, etc. (till 2008 :(, but suggested increase in size of parameters).

    Rest of this talk: Focus on understanding construction and decoding of Goppa Codes (well, kind of).

  • Why "Kind of?"


  • BCH Codes: Cyclic Codes

    - Denote a codeword (c_0, c_1, ..., c_{n−1}) as a polynomial in X, c(X) = c_0 + c_1X + c_2X^2 + ... + c_{n−1}X^{n−1}.
    - A cyclic code is a linear code where, if c(X) is a codeword, then so is Xc(X) mod (X^n − 1), i.e., (c_0, c_1, c_2, ..., c_{n−1}) ∈ C ⇒ (c_{n−1}, c_0, c_1, ..., c_{n−2}) ∈ C.
    - For any (n, k) cyclic code C, we can identify one degree-(n − k) polynomial g(X), known as the generator polynomial of C, such that C = {m(X)g(X) : m(X) ∈ F_q[X], deg(m(X)) ≤ k − 1}.
    - The generator polynomial of an n-length cyclic code divides X^n − 1.

  • Bose-Chaudhuri-Hocquenghem codes

    - Let α be an nth root of unity in F_{q^m} for a given m.

    BCH Codes
    A (narrow-sense) BCH code with design distance 2t + 1 and length n over F_q has generator polynomial

      g_BCH(X) = LCM(minpoly_q(α), minpoly_q(α^2), ..., minpoly_q(α^{2t})),

    where minpoly_q(α^i) is the minimum degree polynomial with coefficients from F_q that has α^i as a root.

  • BCH Codes Parity Check matrix

    - Thus, for any codeword c(X), (c(α), c(α^2), ..., c(α^{2t})) = 0.
    - In other words, the parity check matrix is

      $$H_{BCH} = \begin{bmatrix} 1 & \alpha & \alpha^2 & \cdots & \alpha^{n-1} \\ 1 & \alpha^2 & \alpha^4 & \cdots & \alpha^{2(n-1)} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & \alpha^{2t} & \alpha^{4t} & \cdots & \alpha^{2t(n-1)} \end{bmatrix}$$

    - BCH_q(n, 2t) = NullSpace(H_BCH) in F_q^n.
    - Any set of 2t columns from H_BCH is linearly independent over F_q. Therefore a BCH code with design distance 2t + 1 can correct any t errors.


  • Decoding BCH Codes

    - r(X) = c(X) + e(X), w_H(e) ≤ t. Idea: find the syndrome, find the error, find the information symbols.
    - For any α^i, i = 1, 2, ..., 2t we have

      $$r(\alpha^i) = c(\alpha^i) + e(\alpha^i) = e(\alpha^i) = \sum_{j=0}^{n-1} e_j (\alpha^i)^j .$$

    - Suppose e has errors in ν locations for some ν ≤ t. Let those locations be j_1, j_2, ..., j_ν. Then,

      $$r(\alpha^i) = \sum_{l=1}^{\nu} e_{j_l} (\alpha^i)^{j_l}, \qquad i = 1, 2, \ldots, 2t .$$

  • Decoding BCH Codes

    - Let X_l = α^{j_l} and S_i = r(α^i). Therefore we have the set of equations

      $$\begin{aligned}
      S_1 &= e_{j_1} X_1 + e_{j_2} X_2 + \cdots + e_{j_\nu} X_\nu & (5) \\
      S_2 &= e_{j_1} X_1^2 + e_{j_2} X_2^2 + \cdots + e_{j_\nu} X_\nu^2 & (6) \\
      &\;\;\vdots & (7) \\
      S_{2t} &= e_{j_1} X_1^{2t} + e_{j_2} X_2^{2t} + \cdots + e_{j_\nu} X_\nu^{2t}. & (8)
      \end{aligned}$$

    - Note that X_l = α^{j_l} indicates the location of the l-th error (i.e., j_l) while e_{j_l} is the error value at that position.
    - We want to get both the X_l's and the e_{j_l}'s, in that order. Directly solving for the X_l's involves nonlinear equations.
    - So we use another trick.

  • Decoding BCH Codes

    - Error Locator Polynomial: a polynomial whose roots are X_l^{−1}, l = 1, ..., ν:

      $$\Lambda(x) = \prod_{l=1}^{\nu} (1 - X_l x) = 1 + \Lambda_1 x + \Lambda_2 x^2 + \cdots + \Lambda_\nu x^\nu .$$

    - If we have the coefficients Λ_i, then getting the roots of Λ(x) is equivalent to finding the error locations (can be done by evaluating Λ(x)).
    - If we have the error locations, we can use the equations in the previous slide to get the error values.
    - The coefficients Λ_i and the syndromes are related by Newton's identities.

  • Decoding BCH Codes

    Newton's identities:

      $$\begin{bmatrix} S_1 & S_2 & \cdots & S_\nu \\ S_2 & S_3 & \cdots & S_{\nu+1} \\ \vdots & \vdots & \ddots & \vdots \\ S_\nu & S_{\nu+1} & \cdots & S_{2\nu-1} \end{bmatrix} \begin{bmatrix} \Lambda_\nu \\ \Lambda_{\nu-1} \\ \vdots \\ \Lambda_1 \end{bmatrix} = \begin{bmatrix} S_{\nu+1} \\ S_{\nu+2} \\ \vdots \\ S_{2\nu} \end{bmatrix}$$

    - The above equation is well defined for ν ≤ t.
    - Set ν = t.
    - Form M_ν (the matrix above) and find det(M_ν).
    - If det(M_ν) = 0 then set ν ← ν − 1 and repeat the previous step.
    - If M_ν is invertible, solve for the coefficients Λ_i, i = 1, 2, ..., ν.
    - Finally solve for the error values.
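The BCH construction (generator polynomial as an LCM of minimal polynomials, the parity check condition c(α^i) = 0) and the decoding procedure of the last four slides, carried out as an added worked example (not code from the slides) on the binary (15, 7) BCH code with t = 2 over F_16 = F_2[x]/(x^4 + x + 1). The decoder forms M_ν with ν = t, drops ν while M_ν is singular, solves Newton's identities for Λ, finds the error locations by evaluating Λ(x) at α^{−j}, and finally solves the Vandermonde system (5)-(8) for the error values. The field setup, the sample message and the helper names are assumptions for this illustration; as in the slide, the identities are written without minus signs, which is valid only in characteristic 2 and is what the code relies on.

```python
# GF(16) = F_2[x]/(x^4 + x + 1); alpha = x = 2 is primitive (alpha^15 = 1).
PRIM = 0b10011
EXP, LOG = [0] * 30, [0] * 16
_v = 1
for _i in range(15):
    EXP[_i], LOG[_v] = _v, _i
    _v <<= 1
    if _v & 0x10:
        _v ^= PRIM
EXP[15:] = EXP[:15]                  # wrap-around so EXP[LOG a + LOG b] never overflows

def mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]
def inv(a):                          # a != 0
    return EXP[15 - LOG[a]]

# Polynomials over GF(16) as coefficient lists, lowest degree first.
def pmul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= mul(a, b)
    return r

def peval(p, x):                     # Horner's rule
    acc = 0
    for c in reversed(p):
        acc = mul(acc, x) ^ c
    return acc

def minpoly(i):
    """minpoly_2(alpha^i) = product of (X + alpha^j) over the conjugates j = i*2^s mod 15."""
    coset, j = [], i % 15
    while j not in coset:
        coset.append(j)
        j = (2 * j) % 15
    p = [1]
    for j in sorted(coset):
        p = pmul(p, [EXP[j], 1])     # characteristic 2, so X - a = X + a
    return p

def bch_generator(t):
    """g_BCH(X) = LCM(minpoly(alpha), ..., minpoly(alpha^2t)) = product of the distinct ones."""
    g, seen = [1], []
    for i in range(1, 2 * t + 1):
        m = minpoly(i)
        if m not in seen:
            seen.append(m)
            g = pmul(g, m)
    return g

N, T = 15, 2
G_POLY = bch_generator(T)            # x^8 + x^7 + x^6 + x^4 + 1: the (15, 7) t = 2 code
K = N - (len(G_POLY) - 1)            # 7 message bits

def encode(msg):                     # c(X) = m(X) g(X) as the coordinates c_0 .. c_14
    c = pmul(msg, G_POLY)
    return c + [0] * (N - len(c))

def solve(M, b):
    """Gauss-Jordan over GF(16): x with M x = b, or None when det(M) = 0."""
    n = len(M)
    A = [row[:] + [bi] for row, bi in zip(M, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        f = inv(A[col][col])
        A[col] = [mul(f, a) for a in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                g = A[r][col]
                A[r] = [a ^ mul(g, c) for a, c in zip(A[r], A[col])]
    return [row[n] for row in A]

def decode(r):
    """Peterson decoding: syndromes -> Lambda (Newton's identities) -> locations -> values."""
    S = [peval(r, EXP[i]) for i in range(1, 2 * T + 1)]       # S_i = r(alpha^i), i = 1..2t
    if not any(S):
        return r[:], []
    for nu in range(T, 0, -1):                                  # nu = t, then nu - 1 while singular
        M = [[S[i + j] for j in range(nu)] for i in range(nu)]  # M_nu[i][j] = S_{i+j+1}
        sol = solve(M, [S[nu + i] for i in range(nu)])          # right-hand side S_{nu+1}..S_{2nu}
        if sol is not None:
            break
    else:
        return r[:], None                                       # more than T errors
    lam = [1] + sol[::-1]            # sol = (L_nu, ..., L_1)  ->  Lambda(x) = 1 + L_1 x + ... + L_nu x^nu
    locs = [j for j in range(N) if peval(lam, EXP[(15 - j) % 15]) == 0]   # Lambda(alpha^-j) = 0
    if len(locs) != nu:
        return r[:], None
    # Error values from S_i = sum_l e_{j_l} X_l^i with X_l = alpha^{j_l}; binary code, so all are 1.
    vals = solve([[EXP[(j * (i + 1)) % 15] for j in locs] for i in range(nu)], S[:nu])
    c = r[:]
    for j, e in zip(locs, vals):
        c[j] ^= e
    return c, locs

def corrupt_and_decode(msg, positions):
    """Encode msg, flip the listed coordinates, decode: (recovered == codeword, error locations)."""
    c = encode(msg)
    r = c[:]
    for p in positions:
        r[p] ^= 1
    dec, locs = decode(r)
    return dec == c, locs
```

Usage: corrupt_and_decode([1, 0, 1, 1, 0, 0, 1], [3, 11]) recovers the codeword and reports the locations [3, 11]; with a single flipped coordinate the 2 × 2 matrix M_2 is singular, the loop falls back to ν = 1, and the scalar identity S_1 Λ_1 = S_2 locates the error. Three flips exceed t and the decoder reports failure (None) rather than a wrong codeword.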


  • Reed Solomon and Generalised Reed Solomon Codes: Generalised Reed Solomon Codes

    - An RS Code is a BCH Code with n = q^m − 1 over F_{q^m}. Thus,

      g_RS(X) = (X − α)(X − α^2)...(X − α^{2t}).

    - Another way to encode an RS code: for any m(X) (up to degree k − 1), the codeword is (m(1), m(α), ..., m(α^{n−1})) (min distance d = n − k + 1).

    GRS Codes (also have max distance d = n − k + 1)
    - v = (v_1, v_2, ..., v_n): non-zero elements in F_{q^m}.
    - β = (β_1, β_2, ..., β_n): distinct elements in F_{q^m}.
    - GRS(β, v) is the set of all vectors of the form (v_1 m(β_1), v_2 m(β_2), ..., v_n m(β_n)), where m(X) is any polynomial of degree ≤ k − 1.

  • Generalised RS Codes

    - The H matrix of a GRS code takes the form

      $$H_{GRS} = \begin{bmatrix} 1 & 1 & \cdots & 1 \\ \beta_1 & \beta_2 & \cdots & \beta_n \\ \beta_1^2 & \beta_2^2 & \cdots & \beta_n^2 \\ \vdots & \vdots & \ddots & \vdots \\ \beta_1^{n-k-1} & \beta_2^{n-k-1} & \cdots & \beta_n^{n-k-1} \end{bmatrix} \begin{bmatrix} y_1 & & & \\ & y_2 & & \\ & & \ddots & \\ & & & y_n \end{bmatrix} \qquad (9)$$
      $$= XY, \qquad (10)$$

      where y = (y_1, ..., y_n) is some vector (with non-zero y_i's) such that H_GRS is an appropriate H matrix for GRS(β, v).

    - GRS(β, v) = NullSpace(H_GRS) in F_{q^m}.


  • Alternant Codes

    - Long BCH codes are not good (the rate k/n and the error correction d/n don't keep growing together).
    - Rectified by Alternant codes.
    - Subcodes of GRS codes.

    Alternant Code
    For β consisting of n distinct values from F_{q^m}, and y being non-zero values from F_{q^m},

      A(β, y) = NullSpace(H_GRS) in F_q.


  • Goppa Codes

    - Let G(z) be a polynomial with coefficients from F_{q^m}.
    - Let β = {β_1, β_2, ..., β_n} be n elements such that G(β_i) ≠ 0, ∀i = 1, 2, ..., n.
    - For a vector a = (a_1, ..., a_n) ∈ F_q^n, we associate the rational function

      $$R_a(z) = \sum_{i=1}^{n} \frac{a_i}{z - \beta_i} .$$

    - Note that 1/(z − β_i) has a polynomial inverse in F_q[z]/(G(z)).
    - The Goppa Code (β, G(z)) is defined as {a ∈ F_q^n | R_a(z) ≡ 0 (mod G(z))}.

  • Goppa Codes as Alternant Codes

    - G(z) a polynomial with coefficients from F_{q^m}.
    - β = {β_1, β_2, ..., β_n} are n elements such that G(β_i) ≠ 0, ∀i = 1, 2, ..., n.
    - Let y = (G(β_1)^{−1}, G(β_2)^{−1}, ..., G(β_n)^{−1}).

    Goppa Code
    Goppa Code (β, G(z)) = A(β, y).

    - If β is the set of all non-zeros of G(z), then the Goppa code is completely determined by G(z).
    - Has an optimised decoding algorithm because of its further structure.
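The equality Goppa Code (β, G(z)) = A(β, y) is stated on the slide without proof; the derivation below is added here (standard material, not the author's text) to show where y_i = G(β_i)^{−1} comes from and why the "polynomial inverse" of the previous slide exists. Write r = deg G(z) and G(z) = Σ_{j=0}^{r} g_j z^j with g_r ≠ 0.

Since z − β_i divides G(z) − G(β_i),

$$Q_i(z) := \frac{G(z) - G(\beta_i)}{z - \beta_i} = \sum_{j=1}^{r} g_j \,\frac{z^j - \beta_i^{\,j}}{z - \beta_i} = \sum_{k=0}^{r-1} z^k \sum_{j=k+1}^{r} g_j\, \beta_i^{\,j-k-1}$$

is a polynomial of degree r − 1. Reducing (z − β_i) Q_i(z) = G(z) − G(β_i) modulo G(z) gives (z − β_i) Q_i(z) ≡ −G(β_i), and because G(β_i) ≠ 0,

$$\frac{1}{z - \beta_i} \equiv -\,G(\beta_i)^{-1}\, Q_i(z) \pmod{G(z)} .$$

Substituting into R_a(z) and writing y_i = G(β_i)^{−1}:

$$R_a(z) \equiv -\sum_{k=0}^{r-1} z^k \sum_{j=k+1}^{r} g_j \Big( \sum_{i=1}^{n} a_i\, y_i\, \beta_i^{\,j-k-1} \Big) \pmod{G(z)} .$$

The right-hand side has degree below r = deg G(z), so R_a(z) ≡ 0 (mod G(z)) iff every coefficient of z^k vanishes. The coefficient of z^{r−1} is g_r Σ_i a_i y_i; that of z^{r−2} is g_{r−1} Σ_i a_i y_i + g_r Σ_i a_i y_i β_i; and so on. The system is triangular with g_r ≠ 0 on the diagonal, hence equivalent to

$$\sum_{i=1}^{n} a_i\, y_i\, \beta_i^{\,s} = 0, \qquad s = 0, 1, \ldots, r-1 ,$$

which are exactly the first r rows of H_GRS = XY with this y, imposed on vectors a over F_q. Thus a ∈ Goppa Code (β, G(z)) iff a ∈ A(β, y). The number of parity rows is r = deg G(z) over F_{q^m}, i.e. at most m·r independent conditions over F_q, which gives the familiar dimension bound k ≥ n − m·r for the Goppa code.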
