Coding Theory and Cryptography BCH Codes Variants of BCH codes
Codes used in Cryptography
Prasad Krishnan
Signal Processing and Communications Research Center, International Institute of Information Technology, Hyderabad
March 29, 2016
Codes used in Cryptography IIIT H
Outline
- Coding Theory and Cryptography: Linear Codes; Codes and Cryptography
- BCH Codes: BCH Codes; Decoding BCH Codes
- Variants of BCH codes: Reed Solomon and Generalised Reed Solomon Codes; Alternant Codes; Goppa Codes
Linear Codes
What is a code
- A code is a finite subset of some mathematical structure.
- Used to encode messages passing through a channel.
- The elements of the subset are picked in such a way as to ensure that errors occurring during transmission do not cause confusion during decoding.
- Encoding function of a code $C$: $E : \text{Messages} \to \text{Codewords}$.
Linear Codes over $\mathbb{F}_q^n$
- $C$ is a linear code if $E$ is linear in the message set.
- If $E : \mathbb{F}_q^k \to \mathbb{F}_q^n$, then we can represent $E$ using a matrix $G_{k \times n}$ over $\mathbb{F}_q$ such that $c = xG$.
- $G$ is called the generator matrix of $C$, which is an $(n, k)$ code.
- The linear code is completely defined by its generator matrix $G_{k \times n}$.
- Alternatively, one can use a parity check matrix $H_{(n-k) \times n}$ to define the code, where $H$ is any matrix such that $GH^T = 0$.
- $C = \mathrm{Span}(G) = \mathrm{NullSpace}(H)$.
Linear Codes over $\mathbb{F}_q^n$
- Received vector is $r = c + e$.
- $e = (e_0, e_1, \ldots, e_{n-1})$ captures the error occurring in the $n$ coordinates.
- Minimum distance: $d = \min_{c \in C,\ c \neq 0} w_H(c)$.
- Singleton bound: $d \le n - k + 1$.
Theorem (Error correction): A linear code $C$ with minimum distance $\ge 2t + 1$ can correct any $t$ errors.
Theorem (Independence of the H matrix): A linear code $C$ has minimum distance $d$ if and only if any set of $d - 1$ columns of $H$ is linearly independent.
Linear Codes over $\mathbb{F}_q^n$ - Syndrome Decoding
- Received vector $r = c + e \in \mathbb{F}_q^n$.
- Compute $s = rH^T = cH^T + eH^T = xGH^T + eH^T = eH^T \in \mathbb{F}_q^{n-k}$.
- $2t + 1 \le d \le n - k + 1$.
- Corresponding to any error vector of weight up to $t$ there is a unique syndrome.
- Syndrome decoding for errors of weight up to $t$:
  1. Find the syndrome $s$.
  2. Find $e$ corresponding to $s$ (here code structure helps build efficient algorithms).
  3. Find $c = r - e$. Map it back to $x$.
Codes and Cryptography
Linear Codes over $\mathbb{F}_q^n$ - Connection to Cryptography
- Public Key Cryptography: Want to convey a message secretly (make it easy for the intended receiver, but hard for everyone else).
- Encryption key is public, but the decryption key is ideally known to the receiver alone.
  $\{E_e : \text{Plaintext} \to \text{Ciphertext} \mid e \in \text{KeySpace}\}$ (1)
  $\{D_d : \text{Ciphertext} \to \text{Plaintext} \mid d \in \text{KeySpace}\}$ (2)
- Given an $(e, d)$ pair ($e$ and $d$ are mathematically related):
  1. $D_d(E_e(p)) = p\ \ \forall p \in \text{Plaintext}$.
  2. Knowing $e$ it is hard to get $d$.
McEliece Cryptosystem - Code-based Crypto System Example
- Want to transmit $x \in \mathbb{F}_q^k$ secretly.
- Choose
  - A code $C$ (i.e., an appropriate $G_{k \times n}$) that can correct $t$ errors and has an efficient decoding algorithm ($O(nt)$).
  - An invertible matrix $S_{k \times k}$.
  - A permutation matrix $P_{n \times n}$.
McEliece Scheme
- Public Key: $G' = SGP$ (generates a code having the same distance properties as $C$, but without an efficient decoding algorithm).
- Send $xG' + e$, for some random vector $e$ with $w_H(e) = t$.
- Private Key: $(S, P,$ efficient decoding algorithm for the code $G)$.
McEliece Cryptosystem - Code-based Crypto Example
- Receiver and wiretapper both see $r = xG' + e$.
- Receiver knows $S$, $P$ and the efficient decoding algorithm for $G$. Thus it does the following:
  $rP^{-1} = xSGPP^{-1} + eP^{-1}$ (3)
  $\phantom{rP^{-1}} = xSG + e'$, (4)
  Note that $e$ and $e'$ have weight $t$.
- From the above equation, the receiver can decode for $x' = xS$ by the efficient algorithm. Finally get $x = x'S^{-1}$.
- Wiretapper sees a 'random code' $G'$, in the sense that there is no efficient algorithm to get $x$ (the brute-force method is exponential in $n - k$).
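As an added example (not part of the slides), the scheme of the two McEliece slides and the syndrome-decoding procedure from the "Linear Codes over $\mathbb{F}_q^n$ - Syndrome Decoding" slide, run end to end with a toy Hamming(7,4) code ($t = 1$) in place of a Goppa code; the matrices, seed and function names are my own choices, and such tiny parameters carry none of the security of real ones.

```python
# Added example (not from the slides): the McEliece flow of the two preceding slides with a
# toy Hamming(7,4) code (t = 1) standing in for the Goppa code.  Matrices are lists of rows over F_2.
import random
def mat_mul(A, B):
    """Matrix product over F_2."""
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]
def mat_inv(A):  # Gauss-Jordan elimination over F_2; returns None if A is singular
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        for r in range(n):
            if r != c and M[r][c]:
                M[r] = [x ^ y for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]

# Hamming(7,4): G = [I | A], H = [A^T | I], so G H^T = 0.  The columns of H are distinct and
# non-zero, so a weight-1 error is located by matching its syndrome s = r H^T to a column of H.
G = [[1,0,0,0,1,1,0], [0,1,0,0,1,0,1], [0,0,1,0,0,1,1], [0,0,0,1,1,1,1]]
H = [[1,1,0,1,1,0,0], [1,0,1,1,0,1,0], [0,1,1,1,0,0,1]]
HT = [list(col) for col in zip(*H)]
def decode(r):  # the code's "efficient decoder": syndrome decoding for t = 1
    s, c = mat_mul([r], HT)[0], r[:]
    if any(s):
        c[HT.index(s)] ^= 1
    return c[:4]                                  # G is systematic: message = first k bits
def keygen(rng):
    S_inv = None
    while S_inv is None:                          # random S_{k x k}, retried until invertible
        S = [[rng.randrange(2) for _ in range(4)] for _ in range(4)]
        S_inv = mat_inv(S)
    perm = rng.sample(range(7), 7)                # P_{n x n}: column i of G moves to column perm[i]
    P = [[int(perm[i] == j) for j in range(7)] for i in range(7)]
    return mat_mul(mat_mul(S, G), P), (S_inv, perm)   # public G' = S G P; private (S^-1, P)
def encrypt(G_pub, x, rng):
    e = [0] * 7
    e[rng.randrange(7)] = 1                       # random error vector with w_H(e) = t = 1
    return [(a + b) % 2 for a, b in zip(mat_mul([x], G_pub)[0], e)]
def decrypt(priv, r):
    S_inv, perm = priv
    r_unperm = [r[perm[i]] for i in range(7)]     # r P^-1 = x S G + e', e' still of weight 1
    return mat_mul([decode(r_unperm)], S_inv)[0]  # decoder gives x' = x S; then x = x' S^-1
def roundtrip(x, seed=2016):  # seeded keygen + encrypt + decrypt; returns the recovered message
    rng = random.Random(seed)
    G_pub, priv = keygen(rng)
    return decrypt(priv, encrypt(G_pub, x, rng))
```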
McEliece Cryptosystem - Code-based Crypto Example
McEliece chose the class of binary Goppa codes for his scheme, because
- Fast algorithms are available for codes with large $k$, $n$ (required further for making the algorithm secure).
- McEliece gives an example of $n = 1024$, $k = 524$ with $t = 50$.
- A large number of Goppa codes exist, so the wiretapper finds it hard to find $G$.
- Unbroken, unlike other codes proposed like Reed Solomon, etc. (till 2008 :(, but suggested increase in size of parameters).
Rest of this talk: Focus on understanding construction and decoding of Goppa Codes (well, kind of).
Why "kind of"?
BCH Codes
Cyclic Codes
- Denote a codeword $(c_0, c_1, \ldots, c_{n-1})$ as a polynomial in $X$: $c(X) = c_0 + c_1X + c_2X^2 + \ldots + c_{n-1}X^{n-1}$.
- A cyclic code is a linear code where if $c(X)$ is a codeword, then so is $Xc(X) \bmod (X^n - 1)$, i.e., $(c_0, c_1, c_2, \ldots, c_{n-1}) \in C \Rightarrow (c_{n-1}, c_0, c_1, \ldots, c_{n-2}) \in C$.
- For any $(n, k)$ cyclic code $C$, we can identify one degree-$(n-k)$ polynomial $g(X)$ such that $C = \{m(X)g(X) : m(X) \in \mathbb{F}_q[X],\ \deg(m(X)) \le k - 1\}$, which is known as the generator polynomial of $C$.
- Generator polynomials of $n$-length cyclic codes divide $X^n - 1$.
Bose-Chaudhuri-Hocquenghem codes
- Let $\alpha$ be a primitive $n$th root of unity in $\mathbb{F}_{q^m}$ for a given $m$.
BCH Codes: A (narrow-sense) BCH code with design distance $2t + 1$ and length $n$ over $\mathbb{F}_q$ has generator polynomial
$g_{BCH}(X) = \mathrm{LCM}(\mathrm{minpoly}_q(\alpha), \mathrm{minpoly}_q(\alpha^2), \ldots, \mathrm{minpoly}_q(\alpha^{2t}))$,
where $\mathrm{minpoly}_q(\alpha^i)$ is the minimum degree polynomial with coefficients from $\mathbb{F}_q$ having $\alpha^i$ as a root.
BCH Codes Parity Check matrix
- Thus, for any codeword $c(X)$, $(c(\alpha), c(\alpha^2), \ldots, c(\alpha^{2t})) = 0$.
- In other words, the parity check matrix is
$$
H_{BCH} = \begin{pmatrix}
1 & \alpha & \alpha^2 & \cdots & \alpha^{n-1} \\
1 & \alpha^2 & \alpha^4 & \cdots & \alpha^{2(n-1)} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
1 & \alpha^{2t} & \alpha^{4t} & \cdots & \alpha^{2t(n-1)}
\end{pmatrix}
$$
- $BCH_q(n, 2t) = \mathrm{NullSpace}(H_{BCH})$ in $\mathbb{F}_q^n$.
- Any set of $2t$ columns from $H_{BCH}$ is linearly independent over $\mathbb{F}_q$. Therefore a BCH code with design distance $2t + 1$ can correct any $t$ errors.
Decoding BCH Codes
- $r(X) = c(X) + e(X)$, $w_H(e) \le t$. Idea: find the syndrome, find the error, find the information symbols.
- For any $\alpha^i$, $i = 1, 2, \ldots, 2t$ we have
  $r(\alpha^i) = c(\alpha^i) + e(\alpha^i) = e(\alpha^i) = \sum_{j=0}^{n-1} e_j (\alpha^i)^j$.
- Suppose $e$ has errors in $\nu$ locations for some $\nu \le t$. Let those locations be $j_1, j_2, \ldots, j_\nu$. Then,
  $r(\alpha^i) = \sum_{l=1}^{\nu} e_{j_l} (\alpha^i)^{j_l}$, $i = 1, 2, \ldots, 2t$.
Decoding BCH Codes
- Let $X_l = \alpha^{j_l}$ and $S_i = r(\alpha^i)$. Therefore we have the set of equations
  $S_1 = e_{j_1}X_1 + e_{j_2}X_2 + \ldots + e_{j_\nu}X_\nu$ (5)
  $S_2 = e_{j_1}X_1^2 + e_{j_2}X_2^2 + \ldots + e_{j_\nu}X_\nu^2$ (6)
  $\vdots$ (7)
  $S_{2t} = e_{j_1}X_1^{2t} + e_{j_2}X_2^{2t} + \ldots + e_{j_\nu}X_\nu^{2t}$ (8)
- Note that $X_l = \alpha^{j_l}$ indicates the location of the $l$th error (i.e., $j_l$), while $e_{j_l}$ is the error value at that position.
- We want to get both the $X_l$s and the $e_{j_l}$s, in that order. Directly solving for the $X_l$s involves nonlinear equations.
- So we use another trick.
Decoding BCH Codes
- Error Locator Polynomial: a polynomial whose roots are $X_l^{-1}$, $l = 1, \ldots, \nu$:
  $\Lambda(x) = \prod_{l=1}^{\nu}(1 - X_l x) = 1 + \Lambda_1 x + \Lambda_2 x^2 + \ldots + \Lambda_\nu x^\nu$.
- If we have the coefficients $\Lambda_i$, then getting the roots of $\Lambda(x)$ is equivalent to finding the error locations (can be done by evaluating $\Lambda(x)$ at the field elements).
- If we have the error locations, we can use the equations in the previous slide to get the error values.
- The coefficients $\Lambda_i$ and the syndromes are related by Newton's identities.
Decoding BCH Codes
Newton's identities:
$$
\begin{pmatrix}
S_1 & S_2 & \cdots & S_\nu \\
S_2 & S_3 & \cdots & S_{\nu+1} \\
\vdots & \vdots & \ddots & \vdots \\
S_\nu & S_{\nu+1} & \cdots & S_{2\nu-1}
\end{pmatrix}
\begin{pmatrix} \Lambda_\nu \\ \Lambda_{\nu-1} \\ \vdots \\ \Lambda_1 \end{pmatrix}
= -\begin{pmatrix} S_{\nu+1} \\ S_{\nu+2} \\ \vdots \\ S_{2\nu} \end{pmatrix}
$$
(over a field of characteristic 2, as for the binary codes McEliece uses, the minus sign can be dropped).
- The above equation is well defined for $\nu \le t$.
- Set $\nu = t$.
- Form $M_\nu$ (the matrix above) and find $\det(M_\nu)$.
- If $\det(M_\nu) = 0$ then set $\nu \leftarrow \nu - 1$ and repeat the previous step.
- If $M_\nu$ is invertible, solve for the coefficients $\Lambda_i$, $i = 1, 2, \ldots, \nu$.
- Finally solve for the error values.
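The decoding procedure of the last four slides, as an added example that is not from the talk: the binary BCH(15,7) code with $t = 2$ over $\mathrm{GF}(16)$, Peterson's solution of the Newton's identities system with the $\det(M_\nu) = 0$ fallback to $\nu = 1$, and a root search for $\Lambda(x)$ over all $\alpha^{-j}$. The field tables, generator polynomial and sample message are constructed here.

```python
# Added example (not from the slides): Peterson decoding of the binary BCH(15,7) code, t = 2,
# following the slides' steps: syndromes -> Newton's identities -> Lambda(x) -> root search.
EXP, LOG, v = [0] * 30, [0] * 16, 1            # GF(16) = F_2[x]/(x^4 + x + 1), alpha = x
for i in range(15):
    EXP[i], LOG[v] = v, i
    v = (v << 1) ^ (0b10011 if v & 8 else 0)
EXP[15:] = EXP[:15]                            # alpha^15 = 1: let the antilog table wrap

def gmul(a, b):
    return 0 if 0 in (a, b) else EXP[LOG[a] + LOG[b]]

def gdiv(a, b):
    return 0 if a == 0 else EXP[(LOG[a] - LOG[b]) % 15]

def geval(p, x):
    """Evaluate p (coefficient list, index = degree, entries in GF(16)) at x by Horner's rule."""
    acc = 0
    for coef in reversed(p):
        acc = gmul(acc, x) ^ coef
    return acc

G_POLY = [1, 0, 0, 0, 1, 0, 1, 1, 1]           # g(X) = LCM(minpoly(a), minpoly(a^3)) = X^8+X^7+X^6+X^4+1

def encode(m):
    """c(X) = m(X) g(X) over F_2: 7 message bits -> 15 codeword bits."""
    c = [0] * 15
    for i, mi in enumerate(m):
        for j, gj in enumerate(G_POLY):
            c[i + j] ^= mi & gj
    return c

def decode(r):
    """Correct up to 2 errors; returns (corrected codeword, error positions)."""
    S = [None] + [geval(r, EXP[i]) for i in range(1, 5)]         # S_i = r(alpha^i), i = 1..4
    det = gmul(S[1], S[3]) ^ gmul(S[2], S[2])                      # det M_2 (nu = t = 2)
    if det:                                                        # Cramer's rule on M_2 Lambda = S
        lam = [1, gdiv(gmul(S[1], S[4]) ^ gmul(S[2], S[3]), det),  # Lambda_1
                  gdiv(gmul(S[3], S[3]) ^ gmul(S[2], S[4]), det)]  # Lambda_2
    elif S[1]:                                                     # det M_2 = 0: drop to nu = 1
        lam = [1, gdiv(S[2], S[1])]
    else:
        return r[:], []                                            # all syndromes zero: no error
    errs = [j for j in range(15) if geval(lam, EXP[(-j) % 15]) == 0]  # Lambda(alpha^-j) = 0
    c = r[:]
    for j in errs:
        c[j] ^= 1                                  # binary code: every error value e_{j_l} is 1
    return c, errs
```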
Reed Solomon and Generalised Reed Solomon Codes
Generalised Reed Solomon Codes
- An RS code is a BCH code with $n = q^m - 1$ over $\mathbb{F}_{q^m}$. Thus, $g_{RS}(X) = (X - \alpha)(X - \alpha^2)\cdots(X - \alpha^{2t})$.
- Another way to encode an RS code: for any $m(X)$ (up to degree $k - 1$), the codeword is $(m(1), m(\alpha), \ldots, m(\alpha^{n-1}))$ (min distance $d = n - k + 1$).
GRS Codes (also have max distance $d = n - k + 1$)
- $v = (v_1, v_2, \ldots, v_n)$: non-zero elements in $\mathbb{F}_{q^m}$.
- $\beta = (\beta_1, \beta_2, \ldots, \beta_n)$: distinct elements in $\mathbb{F}_{q^m}$.
- $GRS(\beta, v)$ is the set of all vectors of the form $(v_1 m(\beta_1), v_2 m(\beta_2), \ldots, v_n m(\beta_n))$, where $m(X)$ is any polynomial of degree $\le k - 1$.
Generalised RS Codes
- The $H$ matrix of a GRS code takes the form
$$
H_{GRS} = \begin{pmatrix}
1 & 1 & \cdots & 1 \\
\beta_1 & \beta_2 & \cdots & \beta_n \\
\beta_1^2 & \beta_2^2 & \cdots & \beta_n^2 \\
\vdots & \vdots & \ddots & \vdots \\
\beta_1^{n-k-1} & \beta_2^{n-k-1} & \cdots & \beta_n^{n-k-1}
\end{pmatrix}
\begin{pmatrix}
y_1 & & & \\
& y_2 & & \\
& & \ddots & \\
& & & y_n
\end{pmatrix} \quad (9)
$$
$$
= XY, \quad (10)
$$
where $y = (y_1, \ldots, y_n)$ is some vector (with non-zero $y_i$s) such that $H_{GRS}$ is an appropriate $H$ matrix for $GRS(\beta, v)$.
- $GRS(\beta, v) = \mathrm{NullSpace}(H_{GRS})$ in $\mathbb{F}_{q^m}^n$.
Alternant Codes
- Long BCH codes are not good (the rate $k/n$ and the error correction $d/n$ don't keep growing together).
- Rectified by Alternant codes.
- Subcodes of GRS codes.
Alternant Code: For $\beta$ consisting of $n$ distinct values from $\mathbb{F}_{q^m}$, and $y$ being non-zero values from $\mathbb{F}_{q^m}$,
$A(\beta, y) = \mathrm{NullSpace}(H_{GRS})$ in $\mathbb{F}_q^n$.
Goppa Codes
- Let $G(z)$ be a polynomial with coefficients from $\mathbb{F}_{q^m}$.
- Let $\beta = \{\beta_1, \beta_2, \ldots, \beta_n\}$ be $n$ elements such that $G(\beta_i) \ne 0$, $\forall i = 1, 2, \ldots, n$.
- For a vector $a = (a_1, \ldots, a_n) \in \mathbb{F}_q^n$, we associate the rational function
  $R_a(z) = \sum_{i=1}^{n} \frac{a_i}{z - \beta_i}$.
- Note that $z - \beta_i$ is invertible in $\mathbb{F}_{q^m}[z]/(G(z))$, so $\frac{1}{z - \beta_i}$ can be read as a polynomial modulo $G(z)$.
- Goppa Code $(\beta, G(z))$ is defined as $\{a \in \mathbb{F}_q^n \mid R_a(z) \equiv 0 \pmod{G(z)}\}$.
Goppa Codes as Alternant Codes
- $G(z)$ a polynomial with coefficients from $\mathbb{F}_{q^m}$.
- $\beta = \{\beta_1, \beta_2, \ldots, \beta_n\}$ are $n$ elements such that $G(\beta_i) \ne 0$, $\forall i = 1, 2, \ldots, n$.
- Let $y = (G(\beta_1)^{-1}, G(\beta_2)^{-1}, \ldots, G(\beta_n)^{-1})$.
Goppa Code: Goppa Code $(\beta, G(z)) = A(\beta, y)$.
- If $\beta$ is the set of all non-zeros of $G(z)$ then the Goppa code is completely determined by $G(z)$.
- Has an optimised decoding algorithm because of its further structure.
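An added example (not from the slides) for the "Goppa Codes" and "Goppa Codes as Alternant Codes" slides: with $q = 7$ and $m = 1$ (so field arithmetic is integers mod 7, and the Goppa code coincides with a GRS code), $G(z) = z^2 + 1$ and $\beta = (0, 1, 2, 3)$, it computes $R_a(z) \bmod G(z)$ through the polynomial inverse of $z - \beta_i$ and checks that the resulting code is the null space of $H_{GRS}$ with $y_i = G(\beta_i)^{-1}$; all parameters and names are my own choices.

```python
# Added example (not from the slides): a Goppa code with q = 7 and m = 1, G(z) = z^2 + 1
# (irreducible over F_7) and beta = (0, 1, 2, 3), checked both ways: R_a(z) mod G(z) as on
# the "Goppa Codes" slide, and the alternant parity-check H_GRS with y_i = G(beta_i)^-1.
from itertools import product

Q = 7
G_COEF = [1, 0, 1]                 # G(z) = 1 + 0*z + 1*z^2, index = degree
BETA = [0, 1, 2, 3]                # n = 4 support elements, none a root of G
R = len(G_COEF) - 1                # deg G

def g_at(b):
    return sum(c * pow(b, i, Q) for i, c in enumerate(G_COEF)) % Q

def inverse_of_linear(b):
    """Coefficients of (z - b)^-1 in F_7[z]/(G(z)).

    Synthetic division gives G(z) - G(b) = (z - b) q(z); modulo G(z) this reads
    (z - b) q(z) = -G(b), so (z - b)^-1 = -q(z) / G(b), a polynomial of degree < deg G."""
    q, acc = [0] * R, 0
    for i in range(R, 0, -1):      # Horner-style synthetic division of G(z) by (z - b)
        acc = (acc * b + G_COEF[i]) % Q
        q[i - 1] = acc
    scale = (-pow(g_at(b), -1, Q)) % Q
    return [(scale * c) % Q for c in q]

INV = [inverse_of_linear(b) for b in BETA]

def goppa_syndrome(a):
    """R_a(z) = sum a_i / (z - beta_i) reduced mod G(z); a is a codeword iff all zero."""
    return [sum(a[i] * INV[i][k] for i in range(len(a))) % Q for k in range(R)]

def alternant_syndrome(a):
    """H_GRS a^T with H_GRS = X Y: rows beta_i^j y_i (j < deg G), y_i = G(beta_i)^-1."""
    y = [pow(g_at(b), -1, Q) for b in BETA]
    return [sum(a[i] * pow(BETA[i], j, Q) * y[i] for i in range(len(a))) % Q for j in range(R)]

def codewords(check=goppa_syndrome):
    """Brute force F_7^4 and keep the vectors whose syndrome (under `check`) is zero."""
    return [a for a in product(range(Q), repeat=len(BETA)) if not any(check(a))]
```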