Similar documents
20 similar documents found (search time 15 ms)
1.
MDS matrices allow one to build optimal linear diffusion layers in the design of block ciphers and hash functions. There has been a lot of study of efficient MDS matrices suitable for software and/or hardware implementations. In particular, recursive MDS matrices are considered for resource-constrained environments. Such matrices can be expressed as a power of a simple companion matrix, i.e., an MDS matrix \(M = C_g^k\) for the companion matrix corresponding to a monic polynomial \(g(X) \in \mathbb {F}_q[X]\) of degree k. In this paper, we first show that for a monic polynomial g(X) of degree \(k\ge 2\), the matrix \(M = C_g^k\) is MDS if and only if g(X) has no nonzero multiple of degree \(\le 2k-1\) and weight \(\le k\). This characterization answers, to some extent, the issues raised by Augot et al. in their FSE 2014 paper. We then revisit the algorithm given by Augot et al. to find all recursive MDS matrices that can be obtained from a class of BCH codes (which are also MDS) and propose an improved algorithm. We identify exactly which candidates in this class of BCH codes yield recursive MDS matrices, so the computation can be confined to those candidate polynomials, greatly reducing the complexity. As a consequence we are able to provide formulae for the number of such recursive MDS matrices, whereas the FSE 2014 paper obtained the same numbers by exhaustive search for some small parameter choices. We also present a few ideas that make the search for efficient recursive MDS matrices in this class faster. Using our approach, it is possible to exhaustively search this class for larger parameter choices, which was not possible earlier. We also present our search results for the case \(k=8\) and \(q=2^{16}\).
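The characterization above can be checked by brute force on a small field. The following is an added example, not code from the paper: it builds \(C_g\), raises it to the k-th power, tests the MDS property by computing every minor over \(GF(2^m)\), and compares the result with the low-weight-multiple criterion. Every multiple of g of degree at most 2k-1 is h·g with deg h < k, so the criterion is checked by enumerating all such h. The field \(GF(2^4)\) with modulus \(x^4+x+1\) and the sample polynomials are illustrative assumptions, not the paper's parameters (its search at \(q=2^{16}\), \(k=8\) is far beyond this exhaustive loop).

```python
"""Added example, not code from the paper above: brute-force check of the
recursive-MDS criterion (M = C_g^k is MDS iff g has no nonzero multiple of
degree <= 2k-1 and weight <= k) on small fields.  The field GF(2^4) and the
sample polynomials are illustrative assumptions, not the paper's q = 2^16."""
from itertools import combinations, product

class GF2m:
    """GF(2^m) = GF(2)[x]/(modulus); elements are ints in [0, 2^m)."""
    def __init__(self, m, modulus):
        self.order, self.modulus = 1 << m, modulus

    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a & self.order:
                a ^= self.modulus
        return r

    def inv(self, a):
        r, e = 1, self.order - 2          # a^(2^m - 2) = a^-1 for a != 0
        while e:
            if e & 1:
                r = self.mul(r, a)
            a, e = self.mul(a, a), e >> 1
        return r

def poly_mul(F, a, b):
    """Product of coefficient lists (index = degree)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] ^= F.mul(x, y)
    return out

def has_low_weight_multiple(F, g, k):
    """True iff some nonzero h*g with deg h < k has weight <= k.  Every
    multiple of g of degree <= 2k-1 is of this form because deg g = k."""
    for h in product(range(F.order), repeat=k):
        if any(h) and sum(1 for c in poly_mul(F, list(h), g) if c) <= k:
            return True
    return False

def companion(F, g):
    """Companion matrix of monic g = [g0, ..., g_{k-1}, 1] (char 2: -g_i = g_i)."""
    k = len(g) - 1
    C = [[0] * k for _ in range(k)]
    for i in range(k):
        C[i][k - 1] = g[i]
        if i + 1 < k:
            C[i + 1][i] = 1
    return C

def mat_mul(F, A, B):
    n = len(A)
    out = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            for t in range(n):
                out[i][j] ^= F.mul(A[i][t], B[t][j])
    return out

def mat_pow(F, A, e):
    R = A
    for _ in range(e - 1):
        R = mat_mul(F, R, A)
    return R

def det(F, A):
    """Determinant by Gaussian elimination (char 2, so row swaps need no sign)."""
    A, d = [row[:] for row in A], 1
    n = len(A)
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c]), None)
        if piv is None:
            return 0
        A[c], A[piv] = A[piv], A[c]
        d, inv = F.mul(d, A[c][c]), F.inv(A[c][c])
        for r in range(c + 1, n):
            if A[r][c]:
                f = F.mul(A[r][c], inv)
                A[r] = [x ^ F.mul(f, y) for x, y in zip(A[r], A[c])]
    return d

def is_mds(F, M):
    """M is MDS iff every square submatrix (minor of every order) is nonsingular."""
    k = len(M)
    return all(det(F, [[M[r][c] for c in cols] for r in rows])
               for s in range(1, k + 1)
               for rows in combinations(range(k), s)
               for cols in combinations(range(k), s))

def recursive_mds(F, g):
    """(brute-force MDS test of C_g^k, low-weight-multiple criterion) for monic g."""
    k = len(g) - 1
    return (is_mds(F, mat_pow(F, companion(F, g), k)),
            not has_low_weight_multiple(F, g, k))

def count_recursive_mds(F, k):
    """Number of monic degree-k g with C_g^k MDS; raises if the two tests disagree."""
    n = 0
    for low in product(range(F.order), repeat=k):
        brute, crit = recursive_mds(F, list(low) + [1])
        if brute != crit:
            raise AssertionError("minor test and criterion disagree for g=%r" % (low,))
        n += brute
    return n

if __name__ == "__main__":
    F16 = GF2m(4, 0b10011)                     # GF(2^4) with x^4 + x + 1
    print("k=2 over GF(2^4):", count_recursive_mds(F16, 2))   # 210
```

For k = 2 the criterion reduces to \(g_0, g_1 \ne 0\) and \(g_0 \ne g_1^2\) (the only degree-3 multiple with two vanishing lower coefficients is \((X+g_1)\,g\) when \(g_0 = g_1^2\)), so over \(GF(2^4)\) exactly \(15\cdot 15 - 15 = 210\) monic quadratics give a recursive MDS matrix; `count_recursive_mds` returns that value and raises if the minor test and the criterion ever disagree.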

2.
Reed–Solomon (RS) and Bose–Chaudhuri–Hocquenghem (BCH) error-correcting codes are widely used in digital technology. An important problem in the implementation of RS and BCH decoding is quickly finding the error positions (the roots of the error-locator polynomial). Several fast root-finding algorithms for polynomials over finite fields have been proposed. In this paper we give a generalization of the Goertzel algorithm. Our algorithm is suitable for parallel hardware implementation, and the multiplication time it uses is bounded by a constant.

3.
In this work the definition of codes as modules over skew polynomial rings of automorphism type is generalized to skew polynomial rings whose multiplication is defined using an automorphism and a derivation. This produces a more general class of codes which, in some cases, yields better distance bounds than module skew codes constructed with an automorphism only. Extending the approach of Gabidulin codes, we introduce new notions of evaluation of skew polynomials with derivations and the corresponding evaluation codes. We propose several approaches to generalize Reed–Solomon and BCH codes to module skew codes, and for two classes we show that the dual of such a Reed–Solomon-type skew code is an evaluation skew code. We generalize a decoding algorithm due to Gabidulin for the rank metric and derive families of Maximum Distance Separable and Maximum Rank Distance codes.

4.
We cryptanalyse here two variants of the McEliece cryptosystem based on quasi-cyclic codes. Both aim at reducing the key size by restricting the public and secret generator matrices to quasi-cyclic form. The first variant considers subcodes of a primitive BCH code. The aforementioned constraint on the public and secret keys forces the choice of very structured permutations. We prove that this variant is not secure by producing many linear equations that the entries of the secret permutation matrix have to satisfy, using the fact that the secret code is a subcode of a known BCH code. This attack has been implemented, and in all experiments we have performed the solution space of the linear system was of dimension one and revealed the permutation matrix. The other variant uses quasi-cyclic low-density parity-check (LDPC) codes. This scheme was devised to be immune against general attacks on McEliece-type cryptosystems based on LDPC codes by choosing, in the McEliece scheme, more general one-to-one mappings than permutation matrices. We suggest here a structural attack exploiting the quasi-cyclic structure of the code and a certain weakness in the choice of the linear transformations that hide the generator matrix of the code. This cryptanalysis adopts a polynomial-oriented approach and basically consists in searching for two polynomials of low weight whose product is a public polynomial. Our analysis shows that with high probability a parity-check matrix of a punctured version of the secret code can be recovered with time complexity \(O(n^3)\), where n is the length of the considered code. The complete reconstruction of the secret parity-check matrix of the quasi-cyclic LDPC code requires a search for codewords of low weight, which can be done with about \(2^{37}\) operations for the specific parameters proposed.

5.
Maximum rank-distance (MRD) codes are extremal codes in the space of \(m\times n\) matrices over a finite field, equipped with the rank metric. Up to generalizations, the classical examples of such codes were constructed in the 1970s and are today known as Gabidulin codes. Motivated by several recent approaches to construct MRD codes that are inequivalent to Gabidulin codes, we study the equivalence issue for Gabidulin codes themselves. This shows in particular that the family of Gabidulin codes already contains a huge subset of MRD codes that are pairwise inequivalent, provided that \(2\leqslant m\leqslant n-2\).

6.
We prove that any variant of the GPT cryptosystem which uses a right column scrambler over the extension field, as advocated by the works of Gabidulin et al. with the goal of resisting Overbeck's structural attack, is actually still vulnerable to that attack. We show that by applying the Frobenius operator appropriately to the public key, it is possible to build a Gabidulin code having the same dimension as the original secret Gabidulin code but a shorter length. In particular, the code obtained in this way corrects fewer errors than the secret one, but its error-correction capability still exceeds the number of errors added by a sender. Consequently, an attacker is able to decrypt any ciphertext with this degraded Gabidulin code. We also consider the case where an isometric transformation is applied in conjunction with a right column scrambler whose entries lie in the extension field. We prove that this protection is useless both in terms of performance and security. Consequently, our results show that all the existing techniques aiming to hide the inherent algebraic structure of Gabidulin codes have failed.

7.
We generalize Gabidulin codes to a large family of fields, not necessarily finite, possibly of characteristic zero. We consider a general field extension and any automorphism in the Galois group of the extension. This setting enables one to give several definitions of metrics related to the rank metric, yet potentially different. We provide sufficient conditions on the given automorphism to ensure that the associated rank metrics are indeed all equal and proper, in coherence with the usual definition from linearized polynomials over finite fields. Under these conditions, we generalize the notion of Gabidulin codes. We also present an algorithm for decoding errors and erasures, whose complexity is given in terms of arithmetic operations. Over infinite fields the notion of code alphabet is essential, and more issues appear than in the finite-field case. We first focus on codes over integer rings and study their associated decoding problem. But even if the code alphabet is small, we have to deal with the growth of intermediate values. A classical solution to this problem is to perform the computations modulo a prime ideal. For this, we need to study the reduction of generalized Gabidulin codes modulo an ideal. We show that the codes obtained by reduction are the classical Gabidulin codes over finite fields. As a consequence, under some conditions, decoding generalized Gabidulin codes over integer rings can be reduced to decoding Gabidulin codes over a finite field.

8.
Gabidulin codes are the rank-metric analogues of Reed–Solomon codes and have found many applications, including network coding. In this paper, we propose a transform-domain algorithm correcting both errors and erasures with Gabidulin codes. Interleaving, or the direct sum, of Gabidulin codes allows both decreasing the redundancy and increasing the error-correcting capability for network coding. We generalize the proposed decoding algorithm to interleaved Gabidulin codes. The transform-domain approach simplifies derivations and proofs, and also simplifies finding the error vector after solving the key equation.

9.
MDS codes and almost MDS (AMDS) codes are special classes of linear codes, and have important applications in communications, data storage, combinatorial theory, and secret sharing. The objective of this paper is to present a class of AMDS codes from some BCH codes and determine their parameters. It turns out that the proposed AMDS codes are distance-optimal and dimension-optimal locally repairable codes. The parameters of the duals of this class of AMDS codes are also discussed.

10.
For solving unconstrained minimization problems, quasi-Newton methods are popular iterative methods. The secant condition, which employs only gradient information, is imposed on these methods. Several researchers have paid attention to other secant conditions to get a better approximation of the Hessian matrix of the objective function. Recently, Zhang et al. [New quasi-Newton equation and related methods for unconstrained optimization, J. Optim. Theory Appl. 102 (1999) 147–167] and Zhang and Xu [Properties and numerical performance of quasi-Newton methods with modified quasi-Newton equations, J. Comput. Appl. Math. 137 (2001) 269–278] proposed a modified secant condition which uses both gradient and function-value information in order to approximate the second-order curvature of the objective function to higher accuracy. They showed the local and q-superlinear convergence of the BFGS-like and DFP-like updates based on their proposed secant condition. In this paper, we incorporate one parameter into this secant condition to interpolate smoothly between the standard secant condition and the secant condition of Zhang et al. We consider a modified Broyden family which includes the BFGS-like and the DFP-like updates proposed by Zhang et al. We prove the local and q-superlinear convergence of our method.

11.
Based on new bounds on the values of Krawtchouk polynomials, we improve earlier known estimates for components of the distance distributions of BCH codes and their duals. Moreover, we show that if one uses estimates on Krawtchouk polynomials for bounding the error term in the binomial approximation to the distance distribution of BCH codes, the given results are actually the best possible. One of the advantages of the proposed approach is that it provides estimates with no restrictions on the minimum distance of the code.

12.
Relaxed dimensional factorization preconditioners for generalized saddle-point problems    Cited by: 1 (self-citations: 0, citations by others: 1)
曹阳, 谈为伟, 蒋美群 (Cao Yang, Tan Weiwei, Jiang Meiqun). 《计算数学》 (Mathematica Numerica Sinica) 2012, 34(4): 351-360
This paper extends the relaxed dimensional factorization (RDF) preconditioner proposed by Benzi et al. to generalized saddle-point problems; the result is called the GRDF (Generalized RDF) preconditioner. It can be viewed as a relaxed form of the modified dimensional split (MDS) preconditioner derived from solving generalized saddle-point problems by the dimensional splitting iteration; compared with the MDS preconditioner it is closer to the coefficient matrix, and therefore converges faster when combined with Krylov subspace methods such as GMRES. The paper analyses some properties of the eigenvalues of the GRDF-preconditioned matrix and verifies the effectiveness of the new preconditioner with numerical examples.

13.
We define alternant codes over a commutative ring R and a corresponding key equation. We show that when the ring is a domain, e.g. the p-adic integers, the error-locator polynomial is the unique monic minimal polynomial (equivalently, the unique shortest linear recurrence) of the finite sequence of syndromes and that it can be obtained by Algorithm MR of Norton. When R is a local ring, we show that the syndrome sequence may have more than one (monic) minimal polynomial, but that all the minimal polynomials coincide modulo the maximal ideal of R. We characterise the set of minimal polynomials when R is a Hensel ring. We also apply these results to decoding alternant codes over a local ring R: it is enough to find any monic minimal polynomial over R and to find its roots in the residue field. This gives a decoding algorithm for alternant codes over a finite chain ring, which generalizes and improves a method of Interlando et al. for BCH and Reed–Solomon codes over a Galois ring.

14.
Symbol-pair codes, introduced by Cassuto and Blaum in 2010, are designed to protect against pair errors in symbol-pair read channels. One of the central themes in symbol-pair error correction is the construction of maximum distance separable (MDS) symbol-pair codes, which possess the largest possible pair-error-correcting capability. Based on repeated-root cyclic codes, we construct two classes of MDS symbol-pair codes for more general generator polynomials and also give a new class of almost MDS (AMDS) symbol-pair codes of length lp. In addition, we derive all MDS and AMDS symbol-pair codes of length 3p when the degree of the generator polynomial is at most 10. The main results are obtained by determining the solutions of certain equations over finite fields.

15.
Due to their remarkable applications in many branches of applied mathematics such as combinatorics, coding theory, and cryptography, Vandermonde matrices have received a great amount of attention. Maximum distance separable (MDS) codes give rise to MDS matrices, which not only have applications in coding theory but are also of great importance in the design of block ciphers. Lacan and Fimes introduced a method for constructing an MDS matrix from two Vandermonde matrices over a finite field. In this paper, we first suggest a method that produces an involutory MDS matrix from Vandermonde matrices. Then we propose another method for the construction of \(2^n \times 2^n\) Hadamard MDS matrices over the finite field \(GF(2^q)\). In addition to introducing this method, we present a direct method for inverting a special class of \(2^n \times 2^n\) Vandermonde matrices.

16.
The GPT public-key cryptosystem was proposed by Gabidulin, Paramonov and Tretjakov in 1991. This cryptosystem is based on rank error-correcting codes. The main advantage of using rank codes in cryptography is that they give smaller key sizes than other code-based public-key cryptosystems. Several attacks against this system were published, and some modifications were also proposed to withstand these attacks. In this paper, we propose a modified Niederreiter-type GPT cryptosystem based on reducible rank codes, choosing the column scrambler matrix so as to withstand these attacks. Although the idea of choosing the column scrambler matrix from the extension field is not new, the approach proposed in this paper takes more elements of the column scrambler matrix from the extension field than any previous modification, which makes the system more secure against attacks.

17.
We prove that the hyperbolicity cones of elementary symmetric polynomials are spectrahedral, i.e., they are slices of the cone of positive semidefinite matrices. The proof uses the matrix-tree theorem, an idea already present in Choe et al.

18.
In this paper, a construction of maximum rank distance (MRD) codes that generalizes generalized Gabidulin codes is given. The resulting family is not properly contained in the additive generalized twisted Gabidulin codes, and does not cover all twisted Gabidulin codes. When the base field has more than two elements, this family also includes non-affine MRD codes, and such codes exist for all parameters. Therefore, these are the first non-additive MRD codes for most parameters.

19.
This paper studies symmetric tensor decompositions. For symmetric tensors, there exist linear relations of recursive patterns among their entries. Such a relation can be represented by a polynomial, which is called a generating polynomial. The homogenization of a generating polynomial belongs to the apolar ideal of the tensor. A symmetric tensor decomposition can be determined by a set of generating polynomials, which can be represented by a matrix; we call it a generating matrix. Generally, a symmetric tensor decomposition can be determined by a generating matrix satisfying certain conditions. We characterize the sets of such generating matrices and investigate their properties (e.g., existence, dimension, nondefectiveness). Using these properties, we propose methods for computing symmetric tensor decompositions. Extensive examples are shown to demonstrate the efficiency of the proposed methods.

20.
Encryption schemes based on the rank metric lead to small public-key sizes, on the order of a few thousand bytes, which is a very attractive feature compared to Hamming-metric encryption schemes, where public-key sizes are on the order of hundreds of thousands of bytes even with additional structure such as cyclicity. The main tool for building public-key encryption schemes in the rank metric is the McEliece setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years most of these systems were broken, essentially by an attack proposed by Overbeck. In 2005 Faure and Loidreau designed a rank-metric encryption scheme which is not in the McEliece setting. The scheme is very efficient, with small public keys of a few kilobytes, and its security is closely related to the linearized polynomial reconstruction problem, which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting, and until our work the scheme had never been attacked. We show in this article that for a range of parameters this scheme is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck's attack to an appropriate public code. As an example, we break in a few seconds parameters with an 80-bit security claim. Our work also shows that some parameters are not affected by our attack, but at the cost of a loss of efficiency for the underlying schemes.
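The structural property behind Overbeck's attack, which abstracts 6, 16 and 20 above all revolve around, is that a Gabidulin code C with generator rows \(g^{[0]}, \dots, g^{[k-1]}\) and its Frobenius image \(C^{[1]}\) (every entry raised to the q-th power) share k-1 rows, so \(C + C^{[1]}\) has dimension k+1 rather than the 2k expected of an unstructured code. The following is an added example, not code from any of those papers: it computes that overlap for a toy Gabidulin code over \(GF(2^8)\) with n = 8, k = 3 and the polynomial basis as g, all illustrative assumptions. It shows the distinguisher only; recovering the key of a GPT variant with a column scrambler, or of the Faure–Loidreau scheme, additionally requires stripping the masking described in those abstracts.

```python
"""Added example (not from the papers above): the Frobenius overlap that
Overbeck's distinguisher exploits, on a toy Gabidulin code over GF(2^8).
n = 8, k = 3 and the basis vector g are illustrative assumptions; this
shows the structural weakness only, not a full key-recovery attack."""

MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1 (the AES polynomial) defines GF(2^8)

def gf_mul(a, b):
    """Multiplication in GF(2^8) = GF(2)[x]/(MODULUS)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= MODULUS
    return r

def frob(x, i=1):
    """x^(2^i): i applications of the Frobenius automorphism of GF(2^8)."""
    for _ in range(i):
        x = gf_mul(x, x)
    return x

def gabidulin_generator(g, k):
    """Rows g^[0], g^[1], ..., g^[k-1]; g must be GF(2)-linearly independent."""
    return [[frob(gj, i) for gj in g] for i in range(k)]

def frob_matrix(G):
    """Entry-wise Frobenius: generator of the code C^[1]."""
    return [[frob(x) for x in row] for row in G]

def rank(rows):
    """Rank over GF(2^8) by elimination; rows are scaled by the pivot, never inverted."""
    A = [r[:] for r in rows]
    rk = 0
    for c in range(len(A[0])):
        piv = next((r for r in range(rk, len(A)) if A[r][c]), None)
        if piv is None:
            continue
        A[rk], A[piv] = A[piv], A[rk]
        p = A[rk][c]
        for r in range(rk + 1, len(A)):
            f = A[r][c]
            if f:   # row_r <- p*row_r + f*row_rk clears column c (char 2)
                A[r] = [gf_mul(p, x) ^ gf_mul(f, y) for x, y in zip(A[r], A[rk])]
        rk += 1
    return rk

def frobenius_overlap(G):
    """(dim(C + C^[1]), dim(C ∩ C^[1])) for the code C generated by G."""
    G1 = frob_matrix(G)
    total = rank(G + G1)
    return total, rank(G) + rank(G1) - total

def looks_like_gabidulin(G):
    """Overbeck's test: C + C^[1] has dimension k+1 instead of 2k."""
    return frobenius_overlap(G)[0] == len(G) + 1

# Constructed toy instance: g = polynomial basis 1, x, ..., x^7 of GF(2^8).
G_BASIS = [1 << i for i in range(8)]
K = 3
GAB = gabidulin_generator(G_BASIS, K)
# Control with the same g but rows g^[0], g^[2], g^[4]: not consecutive powers.
CONTROL = [[frob(gj, i) for gj in G_BASIS] for i in (0, 2, 4)]

if __name__ == "__main__":
    print("Gabidulin:", frobenius_overlap(GAB), looks_like_gabidulin(GAB))
    print("control:  ", frobenius_overlap(CONTROL), looks_like_gabidulin(CONTROL))
```

Because g is a GF(2)-basis of \(GF(2^8)\), the 8 × 8 Moore matrix of g is nonsingular, so any set of distinct Frobenius powers below 8 gives independent rows: the Gabidulin instance sums to the four rows \(g^{[0]},\dots,g^{[3]}\) (dimension 4 = k+1, intersection of dimension 2 = k-1), while the control's powers 0, 2, 4 and 1, 3, 5 are six distinct rows (dimension 6 = 2k, trivial intersection). Taking the intersection \(C \cap C^{[1]}\) repeatedly is how the attack peels the code down to a one-dimensional Gabidulin code from which g itself can be read off.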


Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号