p-ary Weight problems in designs, coding, and cryptography (preceded by a brief research overview)

Size: px

Start display at page:

Download "p-ary Weight problems in designs, coding, and cryptography (preceded by a brief research overview)"

Beatrice Warren
6 years ago
Views:

1 p-ary Weight problems in designs, coding, and cryptography (preceded by a brief research overview) Henk Hollmann Singapore, Nanyang Technological University, 29 Sept (mostly joint work with Qing Xiang and others)

2 Contents 1. Introduction of the speaker 2. Brief research overview 3. p-ary weight problems I: Difference sets and their p-ranks Difference sets in abelian groups Gauss and Jacoby sums Stickelberger s theorem Modular p-ary add-with-carry Examples 4. p-ary weight problems II: Few-weight codes Cyclic codes, m-sequences Pless power moments Counting low-weight codewords McEliece s Theorem Examples 5. p-ary weight problems III: Algebraic immunity

3 Introduction Background: Masters (Association schemes) & Ph.D. (Modulation codes) both from Eindhoven Technical University, the Netherlands, supervisor Jack van Lint (and Paul Siegel) : CNET (Centre National d Études des Télécommunications), Issy-les-Moulineaux (Paris), France Main research: FFT (Fast Fourier Transforms) and NTT (Number Theoretic Transforms) Hardware design, patent convolver prototype Factorisation of x N q over Q. Co-inventor (with Pierre Duhamel) of split-radix FFT.

4 : Philips Research Laboratories, Eindhoven, the Netherlands ( : Principal Scientist) Responsible for Discrete Mathematics within Philips Research Consultancy and research in Discrete Mathematics, Coding Theory, Cryptography, Information Theory, and Digital Signal Processing : Eindhoven University of Technology, the Netherlands Own math consultancy firm

5 More applied research topics: published on Fourier Transforms (FFT, NTT) Finite fields (arithmetic) Signal processing algorithms (filtering, write-equalization) Testing of IC s (Integrated Circuits) Switching networks (self-routing optical switching) LFSR s (Linear Feedback Shift Registers), m-sequences Block-designs and various design-like stuff Optimization, and algorithms [Pascal, Fortran, C, C++,...] Constrained (modulation) codes (Magnetic recording, CD) Error-correcting codes, decoding (RS, iterative erasure) Video-on-demand Cryptography (timing attacks, visual crypto, whitebox crypto) 9 US patents (algorithms, arithmetic, constrained codes, crypto)

6 More pure research topics: published on Association schemes (schemes related to conic in PG(2, q), q even, and PSL(2, q), fusion schemes, finite geometry, Metz/Wilbrink SR graphs, pseudocyclic association schemes) Permutation polynomials Kloosterman sum identities Cryptography - IPP (Codes with Identifiable Parent Property) p-rank problems in difference sets, bent functions, sequences Coding theory - many topics (with Qing Xiang: proof of Welch and Niho conjectures)

7 Research interests: very broad, with emphasis on Algebraic combinatorics Finite fields and their applications Linear algebra and its applications I like to collaborate: about 80% of my publications with co-authors Co-authors include: Aart Blokhuis, Gary Ebert (Geometry) Janós Körner, Simon Lytsyn, Jack van Lint [7x] (Combinatorics) Tor Helleseth, Qing Xiang [13x] (Algebraic combinatorics) Ludo Tolhuizen [14x] (Coding theory/cryptography/combinatorics) Pierre Duhamel [7x] (FFT/NTT) Kees Schouhamer Immink [5x] (constrained coding)

8 p-ary weight problems and applications I: Difference sets and their p-ranks (G, ) abelian group, G = v. D G is a (v, k, λ)-difference set in G if D = k and a 1 G # (d 1, d 2 ) in D 2 for which d 1 d 1 2 = a equals λ. ( d D )( d d D ) d 1 = (k λ)1 G + λ g. g G Consequence: k(k 1) = λ(v 1). G cyclic, then D cyclic difference set.

9 (Complex) character χ : (G, ) (C, ), homomorphism χ 0 : g 1 (g G): trivial character. Theorem (Character characterization) Let G = v, and let k, λ satisfy λ(v 1) = k(k 1). Then a k-subset D G is (v, k, λ)-difference set iff χ(d)χ(d) = k λ for every nontrivial ( 1) complex multiplicative character χ. Here χ(d) = d D χ(d). Proof by Fourier inversion.

10 Proof? Example Classical parameters: Singer difference sets. H := {x F qm Tr(x) = 0}, Tr(x) = Tr Fq m /F q (x) = x + x q + + x qm 1. Tr(ax) = atr(x) (a F q), so H F q m/f q. Theorem H is a ((q m 1)/(q 1), (q m 1 1)/(q 1), (q m 2 1)/(q 1)) (cyclic) difference set in F q m/f q.

11 Gauss and Jacoby sums q = p s, p prime, F q = GF(q), finite field with q elements, F = F \ {0} Tr(x) = Tr Fq/Fp = x p + x p2 + + x ps 1, trace function. ξ n complex n-th root of unity ψ : F q C, ψ(x) = ξ Tr(x) p is (nontrivial) additive character of F q χ : F q C multiplicative character of F q; define χ(0) = 0. χ q 1 = 1, the trivial character.

12 Gauss sum g(χ) = a F q χ(a)ψ(a). Elementary property: g(1) = 1, g(χ)g(χ) = q, χ 1. Note that g(χ) lives in Z[ξ q 1, ξ p ]. Jacoby sum J(χ 1, χ 2 ) = a F q χ 1 (a)χ 2 (1 a). χ 1, χ 2, χ 1 χ 2 1, then J(χ 1, χ 2 ) = g(χ 1 )g(χ 2 )/g(χ 1 χ 2 ), and so J(χ 1, χ 2 )J(χ 1, χ 2 ) = q, χ 1.

13 Character characterization theorem can be used to prove that D is difference set by expressing χ(d) in terms of Gauss and Jacoby sums! Example (Singer) χ non-trivial, then g(χ) = q χ(h ), hence χ(h )χ(h ) = q m 2 = k λ.

14 Maschietti difference sets: q = 2 m, k integer, (k, q 1) = 1. Theorem If τ : x x + x k two-to-one on F q then D k,m = Imτ \ {0} is a (2 m 1, 2 m 1 1, 2 m 2 1)-difference set in F q Proof: (k 1, q 1) = 1, so χ non-trivial, then φ : χ = φ k 1 ; now χ(d k,m ) = 1 2 J(φ, χ) (χ = φk ).

15 Possible parameters: (regular) k = 2 (translation) k = 2 r, (m, r) = 1, 1 < r < m/2 (Segre) k = 6 (Glynn type I) k = 2 2r + 2 r, m 7 odd, 4r 1 mod m (Glynn type II) k = 3 2 r + 4, m 11 odd, 2r 1 mod m Nonisomorphic? Compute p-ranks!

16 p-rank of D is F p -rank of incidence matrix A g,h = δ gh 1 D of associated (symmetric) design. Only interesting if p k λ [or p k] (det=0) Distinct p-ranks then distinct designs! p-rank = complexity of associated 0, 1-sequence char D. Theorem If char(f) v, F contains all v th roots of 1 (v = exp(g)), then p-rank of D equals # F-characters χ : G F with χ(d) 0 Proof: Fourier inversion. X χ,g = χ(g), then X 1 g,χ = v 1 χ( g), and if A g,h = δ gh 1 D, then XAX 1 = v diag(χ(d)) χ.

17 Stickelberger s theorem q = p s, α primitive in F q, f (x) minimal polynomial of α over F p p = (f (ξ q 1 ), p) prime ideal in Z[ξ q 1 ] lying over p: Z[ξ q 1 ]/p = F p [x] mod f (x) = F q, isomorphism: ω p : α ξ q 1 ω p : F q C Teichmüller character. If χ : F q Z[ξ v ] C complex multiplicative character, then χ mod p multiplicative F q -character F q F q (p = char(f q ) F q ).

18 Consequence: p-rank of D is # complex characters χ for which χ(d) mod p 0. Let P = (f (ξ q 1 ), ξ p 1, p) be the prime ideal in Z[ξ q 1, ξ p ] above p. (x 1) p 1 x p 1 + x p x + 1 mod p, so (ξ p 1) p 1 = 0 mod p and P p 1 = p, v P (p) = p 1 (v P is P-adic valuation).

19 q = p s, p prime. If a a 0 + a 1 p + + a p 1 p s 1 0 mod q 1, 0 a i p 1, then the p-ary weight of a. Theorem (Stickelberger) w(a) = w p (a) = a 0 + a 1 + a s 1, v P (g(ωp a )) = w p (a). So P wp(a) g(ωp a ) and p (p 1)wp(a) g(ωp a )

20 Example: Singer difference sets, q = p s. χ character on F q m/f q; χ = ω a(q 1) p, χ 1 iff (q 1)a 0 mod q m 1. Now g(ωp a(q 1 ) = q ωp a(q 1) (H ), v P (g(ω a(q 1) p )) = w p (a(q 1)), v P (q) = (p 1)s, and χ 0 = 1 gives χ 0 (H) = H 0 mod p. Conclusion: p-rank = 1+ # a, 0 < a < (q m 1)/(q 1), with w p ((q 1)a) = (p 1)s.

21 Answer: Hadama s formulae (q = p s ) ( ) p + m 1 s 1 +. m 2 Similar, but more complicated, for GMW difference sets (work with Arasu, Player, Xiang)

22 Example: Maschietti difference sets D k,m in F 2 m, (k, q 1) = (k 1, q 1) = 1 χ(d k,m ) = 1 2 J(φ, χ) (χ = φk ) = 2 1 g(χ k 1 )g(χ)/g(χ k ). χ = ω a p need # a in Z 2 m 1 \ {0} for which 1 + w 2 ((k 1)a) + w 2 (a) w 2 (ka) = 0.

23 s, a (1),..., a (k) Z p m 1; t 1, t 2,..., t k Z \ {0}, s t 1 a (1) + t 2 a (2) + + t k a (k) mod p m 1. t + = i, t i >0 t i, t = i, t i <0 t i. Theorem (Molular p-ary add-with-carry algorithm) unique γ = (γ i ) i Zm, indices mod m, so γ 1 = γ m 1, for which γ satisfies k j=1 t j a (j) i + γ i 1 = s i + pγ i, 0 i m 1. (1) (p 1)w(γ) = k t j w(a (j) ) w(s); (2) j=0 if j : a (j) 0 mod p m 1. c i modular carries for computation t γ i t + 1 (3)

24 Exampe: Segre case k = 6 Count a in Z 2 m 1 \ {0} for which w(a) + w(5a) = w(6a) + 1. Method: add-with-carry algorithms. Example: b = 5a = 4a + a, a i + a i 2 + γ i 1 = b i + 2γ i, indices in Z m, with γ i = 0, 1 for all i. Similar, s = 6a = a + b, a i + b i + δ i 1 = s i + 2δ i, indices in Z m, with δ i = 0, 1 for all i. [2w(a) = w(b) + w(γ)], w(a) + w(b) = w(s) + w(δ), so we want w(a) + w(b) w(s) = w(δ) = 1.

25 Think of computation as (a i 2, a i 1, γ i 1, δ i 1 ) a i (a i 1, a i, γ i, δ i ). Labelled digraph: states (vertices) and arcs whenever (a, a, γ, δ ) (a, a, γ, δ) a + a + γ 2γ = b {0, 1}, a + b + δ 2δ = s {0, 1}, so initial state + a determines b, γ, s, δ, hence terminal state of arc. V δ : states (a, a, γ, δ) (δ = 0, 1) Count B m = # closed directed paths of length m starting in v V 1, through V 0 only, then returning to v. Counting: tranfer matrix method, B m = Tr(A 10 A m 2 00 A 01 )

26 Minimal polynomial A 00 = f (X ) = X 6 X 5 X 4 + X 3 X 2 + X = X (X 1)(X 4 X 2 1), so In fact A 5 A 4 A 3 + A 2 A + I = O. B m = B m 2 + B m 4. Typically recursive relations for these p-ranks. Glynn I&II similar but much more complicated, especially Glynn I.

27 p-ary weight problems and applications II: Few-weight codes q = p s, p prime, m, t positive integers, (t, m) = 1. C 1,t cyclic code over F q, length n = q m 1, defining zero s α, α t, α primitive in F q m. (Usually dimension k = 2m.) c = (c 0, c 1,..., c n 1 ) C 1,t iff where c(α) = c(α t ) = 0, c(x) = c 0 + c 1 x + + c m 1 x m 1 F q [x] mod x n 1.

28 A 0 = 1, A 1,..., A n weights of C 1,t, where A w = {c C 1,t wt(c) = w}. C 1,t is dual code, weights B 0 = 1, B 1,..., B n. Sometimes C1,t few-weight code.

29 Relation with sequences: m-sequence a = a 0, a 1,..., a n 1 : codeword from simplex code C1. decimation by a factor t: b = a 0, a t, a 2t,..., a nt Ct. Cross-correlation n 1 θ a,b (τ) = ( 1) a i +b i+τ = n dist(a, b). i=0 is weight in C1,t! Preferred pair of m-sequences: θ a,b takes only values 1, 1 ± 2 (m+2)/2 ; equivalently, non-zero weights in C1,t are 2 m 1, 2 m 1 ± 2 (m+2)/2 1.

30 Not possible if m 0 mod 4; four known cases with m 2 mod 4 (character theory proofs for the two difficult ones) Known cases: with m odd: t = 2 r + 1, if (r, m) = 1 (Gold, 1968) t = 2 2r 2 r + 1, if (r, m) = 1 (Welch, 1969; Kasami, 1971) t = 2 r + 3, 2r 1 mod m (conjectured by Welch, 1972) t = 2 2r + 2 r 1, 4r 1 mod m (conjectured by Niho, 1972) More three-weight cases (bigger gaps/cc values) in Gold-Kasami cases with m/(r, m) = 1.

31 Uniform method to prove few-weight results Step 1: Pless power moment identities MacWilliams transforms relating weights and dual weights n v w=0 ( n w (v = 0, 1,..., n) gives P i = v ) B w = q k v v w=0 ( ) n w A w v w n w i B w = expr(n, k, A 0,..., A i ) w=1

32 0 < w 1 w 2 w 3 w 4 < n, n E = (w w 1 )(w w 2 )(w w 3 )(w w 4 )B w = expr(n, k, A 3, A 4 ) w=1 (A 0 = 1, A 1 = A 2 = 0 ) C no weights in (w 1, w 2 ) (w 3, w 4 ) then E 0, equality iff C has only nonzero weights w 1, w 2, w 1, w 4. In our case: take w 2 = w 3 = 2 m 1, w 1, w 4 = 2 m 1 ± 2 m 1 M

33 Step 2: Compute low weights of C Compute A 3, A 4, or show min dist(c) 5. Often difficult! Breakthrough result by Hans Dobbertin: both Welch and Niho codes have minimum distance 5. If few-weight assumption correct, then now E = 0.

34 Step 3: Find restrictions on weights of C = C1,t : McEliece s lemma Theorem (McEliece) C binary cyclic code, B w weight enumerator, l smallest positive number for which l nonzero s of C (repetitions allowed, not all 1) have product 1. Then 2 l 1 B w (w > 0), w : 2 l B w. Some proof method involve Gauss-sums and Stickelberger s theorem!

35 Example: C = C 1,t. Now C = C 1,t has zero s α i for i one of 1, 2, 4,..., 2 m 1 ; t, 2t, 4t,..., 2 m 1 t. nonzero s of C = C 1,t are (Fourier inversion) αj for j one of 1, 2, 4,..., 2 m 1 ; t, 2t, 4t,..., 2 m 1 t. product is 1 iff b a b ta 0 mod 2 m 1, b ta mod 2 m 1; # is w(b) + w(a) = m w( b) + w(a) = m (w(ta) w(a) ( ) l = m M(m; t), M(m; t) = max w(ta) w(a). a Z 2 m 1 \{0}

36 Gold case: Proof: M(m; 2 r + 1) = M(m; 2 r + 1) = s = (2 r + 1)a = 2 r a + a, with γ i = 0, 1. { m/2, m/(r, m) even; (m (r, m))/2, m/(r, m) odd. ( ) max w((2 r + 1)a) w(a). a Z 2 m 1 \{0} a i + a i r + γ i 1 = s i + 2γ i, i Z m, 2w(a) = w(s) + w(γ). Put ω = a i γ i = w(s) w(a) = w(ω). ω i = 1 = a i = 1, γ i = 0 = a i r = 0 = ω i r 0.

37 Partition ω 0,..., ω m 1 into groups (ω i, ω i r,..., ω i+r ). # groups e = (r, m), each size L = m/(r, m). Weight per group L/2 Kasami case similar. Welch and especially Niho cases much more complicated! Niho digraph (after trick) has 1296 vertices.

38 p-ary weight problem III: Algebraic immunity Boolean functions on m variables: Algebraic immunity f : F 2 m F 2, f = x a = x a 0 0 x a 1 1 x a m 1 m 1, a Z 2 m 1 f a x a, deg(x a ) = w(a), a = a 0 + a a m 1 2 m 1. AI m (f ) = min{deg(g) g 0, f g = 0 or (f + 1) g = 0}. AI m (f ) m 2 (Courtois)

39 α primitive in F 2 m. = {α 0 = 1, α, α 2,..., α 2m 1 }, Define g : F 2 m F 2, supp(g) = ; f : F 2 m F 2 m F 2, f (x, y) = g(xy 2m 2 ). Ψ = supp(f ) = {(γy, y) γ, y F 2 m} f is bent (Dillon) Conjecture (Tu, Deng) AI 2m (f ) = m, maximal.

40 Conjecture (Tu, Deng) h(x, y) = a,b Z 2 m 1 h a,b x a y b zero on Ψ, then deg(h) m. If not, then h a,b = 0, w(a) + w(b) m. h a,b γ a = 0 (γ ) a,b Z a+b=s for all s Z 2 m 1 \ {0}. h (s) = (h 0,s, h 1,s 1,..., h s,0, h s+1,2 m 2,..., h 2 m 2,s+1) BCH( ), so 0, or weight 2 m Conjecture (Tu,Deng) # (a, b) with a, b Z 2 m 1 \ {0} and a + b s for which w(a) + w(b) m 1 is at most 2 m 1. Almost solved using modular 2-ary add-with-carry techniques

41 Conclusions weight (in)equalities mostly derived by deep and powerful algebraic methods (character theory, p-adic methods,... ) Leads to interesting mathematics. p-ary weight techniques are a valuable tool in algebraic combinatorics.

A Conjecture on Binary String and Its Applications on Constructing Boolean Functions of Optimal Algebraic Immunity

A Conjecture on Binary String and Its Applications on Constructing Boolean Functions of Optimal Algebraic Immunity Ziran Tu and Yingpu deng Abstract In this paper, we propose a combinatoric conjecture