A new algorithm for finding minimum-weight words in a linear code: application to primitive narrow-sense BCH codes of length 511

Transcription

1 INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE A new algorithm for finding minimum-weight words in a linear code: application to primitive narrow-sense BCH codes of length 511 Anne Canteaut et Florent Chabaud N 685 octobre 1995 PROGRAMME apport de recherche ISSN

2

3 A new algorithm for nding minimum-weight words in a linear code: application to primitive narrow-sense BCH codes of length 511 Anne Canteaut et Florent Chabaud Programme Calcul symbolique, programmation et genie logiciel Projet Codes Rapport de recherche n685 octobre pages Abstract: An algorithm for nding small-weight words in large linear codes is developed. It is in particular able to decode random [51,56,57]-linear codes in 9 hours on a DEC alpha computer. We determine with it the minimum distance of some binary BCH codes of length 511, which were not known. Key-words: error-correcting codes, decoding algorithm, minimum weight, random linear codes, BCH codes. (Resume : tsvp) submitted to IEEE Transactions on Information Theory Also with Ecole Nationale Superieure de Techniques Avancees, laboratoire LEI, boulevard Victor, F Paris. Laboratoire d'informatique de l'ecole Normale Superieure, 5 rue d'ulm, 750 Paris Cedex 05 Unité de recherche INRIA Rocquencourt Domaine de Voluceau, Rocquencourt, BP 105, 7815 LE CHESNAY Cedex (France) Téléphone : ( 1) Télécopie : ( 1)

4 Un nouvel algorithme pour trouver des mots de poids minimum dans un code lineaire : application aux codes BCH primitifs au sens strict de longueur 511 Resume : Nous developpons un algorithme de recherche de mots de poids minimum dans un code lineaire. Cet algorithme nous permet notamment de decoder les codes lineaires aleatoires de parametres [51,56,57] en 9 heures sur une station DEC alpha. Gr^ace a lui, nous determinons la distance minimale de certains codes BCH binaires de longueur 511, lesquelles etaient jusqu'alors inconnues. Mots-cle : codes correcteurs d'erreurs, algorithme de decodage, poids minimum, codes lineaires aleatoires, codes BCH

5 A new algorithm for nding minimum-weight words in a linear code 1 Introduction In this paper we present a probabilistic algorithm for nding small-weight words in any linear code. This algorithm could be applied to two important NP-complete problems []: computing the minimum distance of a linear code and decoding. It associates an iterative procedure stemming from linear programming for reducing the computational cost of many Gaussian eliminations and a heuristic proposed by Stern. We then give a very precise analysis of the complexity of our algorithm which enables us to optimize the parameters it depends from. Hence our algorithm is to our knowledge the best procedure for decoding without using the structure of the code. Section describes our algorithm for binary codes but it could be generalized to linear codes over GF(q) (see []). Using Markov chain theory we show in section how to compute the number of elementary operations it requires; we give then the parameters which minimize this theoretical running-time and an explicit expression which approximates the number of operations performed for decoding and for nding a minimum-weight word in a random [n; k]-binary code. Two applications of our algorithm are then exposed: section presents experimental results for decoding [56,18]-binary linear codes which validate the previous theoretical approach; section 5 gives new results for the true minimum distance of some narrow-sense BCH codes of length 511. Description of the algorithm As usual wt(x) will denote the Hamming weight of the binary word x. Let C be a linear code over GF() of length n and dimension k. We try now to nd a codeword of weight w where w is small..1 The probabilistic method Enumerating randomly selecting codewords in hope than one of weight w will be found is obviously not a suitable algorithm because the probability that the weight of a random codeword will be w is very small. It is then necessary to bias this random selection by only examining codewords verifying a given property so that their weight will be a priori small, for example codewords which vanish on a randomly chosen coordinate subset. The problem is therefore to nd a compromise between the number of operations required by searching such particular codewords and the success probability, i.e. the probability that the weight of such a codeword will be w. All algorithms for nding short codewords use therefore the same method [10], [11], [1]: they only take in account codewords which are particular linear combinations of a small number of rows of a systematic generator matrix. The algorithm proposed by Stern [1] and slightly modied was shown to give the best results [5]. RR n685

6 A. Canteaut et F. Chabaud Let N = f1; ; ng be the set of all coordinates. For any subset I of N, G = (V; W ) I denotes the decomposition of matrix G onto I, that means V = (G i ) ii and W = (G j ) jnni, where G i is the ith column of matrix G. denition 1 Let I be a k-element subset of N. I is an information window for code C i G = (Id k ; Z) I is a systematic generator matrix for the code. The complementary set, J = N n I, is called a redundancy window. From now on we index the rows of Z with I since G = (Id k ; Z) I is a generator matrix for the code and we denote by Z i the i-th row of matrix Z. The idea suggested by Stern is to randomly choose at each iteration an information window I which is split into two parts I 1 and I of same size, and a subset L of J of size `. We only examine codewords c verifying the following property, where p is a xed parameter for the algorithm: wt(c ji1 ) = wt(c ji ) = p and wt(c jl ) = 0 (1) until we nd such a particular codeword whose restriction on J n L has weight w? p. All codewords which verify condition 1 can easily be constructed as soon as the corresponding systematic generator matrix G = (Id k ; Z) I is known: randomly split the rows of Z into two subsets Z 1 et Z corresponding to I 1 and I. for each linear combination 1 of p rows of matrix Z 1, compute 1jL. for each linear combination of p rows of matrix Z, compute jl. if 1jL = jl, check whether wt(( 1 + ) jjnl ) = w? p.. The iterative procedure The previous algorithm therefore explores a set of randomly selected information windows by performing at each iteration a Gaussian elimination on an (n k)-generator matrix. In order to avoid this time-consuming procedure, we here propose to choose at each step the new information window by modifying only one element of the previous one. This method is analogous to the one used in the simplex method as suggested in [1] and [15, ]. denition Two information windows I and I 0 are close i: 9 I; 9 N n I; such that I 0 = (I n fg) [ fg As any two information windows can be joined by a sequence of close information windows, we use this iterative method in order to nd one which enables us to discover a codeword of weight w. The following proposition shows how choosing and such that I 0 is still an information window. INRIA

7 A new algorithm for nding minimum-weight words in a linear code 5 proposition 1 Let I be an information window such that G = (Id k ; Z) I is a generator matrix for C. Let be I, J and I 0 = (I n fg) [ fg. I 0 is an information window i z ; = 1, where Z = (z i;j ) ii;jj Proof. Since G = (Id k ; Z) I, we have: G = z ; G + P iinfg z i;g i As the columns indexed by I are linearly independent, G and (G i ) iinfg are linearly independent i z ; = 1. As the probabilistic method procedure only deals with the redundant part of the systematic generator matrix, we only need a procedure able to obtain the redundant matrix Z 0 corresponding to I 0 from Z. proposition Let I and I 0 be two close information windows such that I 0 = (I nfg)[fg. Let (Id k ; Z) I and (Id k ; Z 0 ) I 0 be the corresponding systematic generator matrices. Then Z 0 is obtained from Z by: 8j J 0 ; z 0 ;j = z ;j 8i I 0 n fg; { 8j J 0 n fg; z 0 i;j = z i;j + z i; z ;j { z 0 i; = z i; Proof. As I 0 = (I n fg) [ fg, (Id k ; Z 0 ) I 0 is obtained by exchanging the -th and -th columns of (Id k ; Z) I. This can be done by a simple pivoting operation in position (; ), i.e. by adding the -th row of matrix Z to all other rows Z i i the corresponding element z i; is not equal to zero.. Description of the iterative algorithm The use of this iterative procedure leads then to the following algorithm: Initialization: Randomly choose an information window I and apply a Gaussian elimination in order to obtain a systematic generator matrix (Id k ; Z) I. Until a codeword of weight w will be found: randomly split I in two subsets I 1 and I where ji 1 j = bk=c and ji j = dk=e. The rows of Z are then split in two parts Z 1 and Z. randomly select an `-element subset L of J. RR n685

8 6 A. Canteaut et F. Chabaud for each linear combination 1 of p rows of matrix Z 1, compute 1jL. for each linear combination of p rows of matrix Z, compute jl. if 1jL = jl, check whether wt(( 1 + ) jjnl ) = w? p. randomly choose I and J. Replace I with (I n fg) [ fg by updating matrix Z according to the preceding proposition. Remark: This algorithm can also be used for decoding. Let x = c+e be a corrupted message where c is a codeword and e an error-vector of weight w such that w t = b d?1 c where d is the minimum distance of the code. Matrix G? = x is a generator matrix of an [n; k + 1; t]-code. Our algorithm then enables us to recover the minimum-weight word of this new code, which is the error-vector e. Theoretical running-time We give here an explicit and computable expression for the work factor of this algorithm, i.e. the average number of elementary operations it requires..1 Average number? of operations by iteration k= 1. There are exactly p linear combinations of p rows of matrix Z1 (resp. Z ); computing each of them on an `-bit selection requires p` binary additions.. The average number of collisions i.e. the average number of pairs ( 1 ; ) such that ( 1 + ) jl = 0 is equal to (k=. For each collision we must perform p? 1 additions ` of (n? k? `)-bit? words for computing ( 1 + ) jjnl and a weight-checking. k=. We need K(p p + `) more operations to perform the dynamic memory allocation where K is the size of a computer word (K= or 6). p ). For updating matrix Z according to proposition we have to add row Z to all other rows Z i when z i; = 1. Assuming that the average weight of column Z is k=, the work factor involved in this procedure is 1 k(n? k). Hence the average number of elementary operations performed at each iteration is:? k= k= p k= k(n? k) p;` = p` + p(n? k? `) + K(p + `) + p ` p () INRIA

9 A new algorithm for nding minimum-weight words in a linear code 7. Expected number of iterations The average number of iterations performed by the algorithm is not the same as the one performed by the initial Stern's algorithm since the successive information windows are not independent anymore. Hence the algorithm must be modeled by a discrete-time stochastic process. Let c be the codeword of weight w to recover and supp(c) its support. Let I be the information window and I 1, I and L the other selections corresponding to the i-th iteration. The i-th iteration can then be associated with the random variable X i whose state space is E = f0; : : :; p? 1g [ f(p) S ; (p) F g [ fp + 1; : : :; wg where X i = u i ji \ supp(c)j = u; 8u f0; : : :; p? 1g [ fp + 1; : : :; wg X i = (p) F i ji \ supp(c)j = p and (ji 1 \ supp(c)j 6= p or ji \ supp(c)j 6= p or jl \ supp(c)j 6= 0) X i = (p) S i ji 1 \ supp(c)j = ji \ supp(c)j = p and jl \ supp(c)j = 0 The success space is then S = f(p) S g and the failure space is F = f0; : : :; (p) F ; : : :; wg. proposition The stochastic process fx i g in associated with the algorithm is an homogeneous Markov chain. Proof. The selections I, I 1, I and L corresponding to the i-th iteration only depend on the previous information window since I 1, I and L are randomly chosen. Then we have for all i and for all (u 0 ; u 1 ; ; u i ) E; P r[x i = u i =X i?1 = u i?1 ; X i? = u i? ; ; X 0 = u 0 ] = P r[x i = u i =X i?1 = u i?1 ]: Furthermore this probability does not depend on the iteration. Hence there exists a matrix P such that : 8i N; 8(u; v) E ; P r[x i = v=x i?1 = u] = P u;v fx i g in is therefore completely determined by its starting distribution 0 and its transition matrix P. proposition The transition matrix P associated with the homogeneous Markov chain representing the algorithm is given by: P u;u = k? u k P u;u?1 = u k P u;u+1 = k? u k n? k? (w? u) n? k n? k? (w? u) n? k w? u n? k + u k w? u n? k for all u E n f(p) S; (p) F g for all u 6= p + 1 for all u 6= p? 1 RR n685

10 8 A. Canteaut et F. Chabaud P u;v = 0 for all v = fu? 1; u; u + 1g k? p n? k? (w? p) P (p)f ;(p) F = (1? ) + p k n? k k w? p n? k p + 1 n? k? (w? (p + 1)) P p+1;(p)f = (1? ) k n? k k? (p? 1) w? (p? 1) P p?1;(p)f = (1? ) k n? k p + 1 n? k? (w? (p + 1)) P p+1;(p)s = k n? k k? (p? 1) w? (p? 1) P p?1;(p)s = k n? k k? p n? k? (w? p) P (p)f ;(p) S = + p k n? k k w? p n? k P (p)s;(p) S = 1 P (p)s;u = 0 for all u 6= (p) S The initial probability vector is 0 =? w n?w! u? k?u? n k 0uw : Since the single success state is an absorbing state, fx i g in is a transient chain. The following theorem can then be applied for computing the excepted number of iterations performed by the algorithm. proposition 5 [9] If fx i g in is a transient chain with transition matrix P, and Q is the sub-stochastic matrix corresponding to transitions among the transient states, i.e. Q = (P u;v ) u F then (Id? Q) has an inverse R called the fundamental matrix of the chain v F and R = 1X m=0 Q m = (Id? Q)?1 : theorem 1 The expectation N of the number of iterations required until X n reaches a success state is given by: X X N = 0 (u) R u;v uf vf where R is the corresponding fundamental matrix. INRIA

11 A new algorithm for nding minimum-weight words in a linear code 9 Proof. N = X n0np r[n = n] = X n1p r[n n] = X n0p r[x n F]: As the initial probability distribution is vector 0, we have: Let Q = (P u;v ) u F v F N = X n0 then we have X uf P r[x n F=X 0 = u] 0 (u) P r[x i F=X 0 = u] = X vf(q i ) u;v : Thanks to the preceding proposition we nally obtain X X N = 0 (u) R u;v uf vf proposition 6 Suppose that the number of codewords of weight w is A w. The overall work factor required by the algorithm is: where N is given by theorem 1 and p;` by equation. W p;l = p;` N A w (). Theoretical running-time for the general decoding and minimum-weight problems Using the implicit formula we now give the optimal parameters p and ` for some basic problems. The following work factors are computed for some [n; k]-random binary codes whose minimum distance is obtained with the Gilbert-Varshamov's bound. Comparisons with other decoding algorithms [10, 11, 1] are made in []; the work factor required by the initial Stern's algorithm is shown to be at least times higher for the following problems. RR n685

12 10 A. Canteaut et F. Chabaud..1 Decoding random linear codes We here give the optimal parameters and the work factors required for recovering an errorvector of weight t = b d?1 c. We recall that p corresponds to the number of rows of each part of the generator matrix we use for the linear combinations and that ` is the size of the selection L on which the examined words vanish. Note that the code we consider for computing the work factor is an [n; k + 1]-code according to the remark in section.. code [6,,7] [18,6,15] [56,18,9] [51,56,57] [768,8,85] t optimal p = 1 p = 1 p = 1 p = 1 p = parameters ` = ` = 6 ` = 7 ` = 9 ` = 17 work factor 15:9 19:6 6:51 0:8 5:55 [10,51,11] [156,768,170] [08,10,6] p = p = p = ` = 18 ` = 19 ` = 0 68:51 96:87 15:50 Table 1: Optimal parameters for decoding random [n; n=] binary codes We see in gure 1 that, for a xed rate r = k=n, log (W ) linearly depends on n when parameters p and ` are optimized and that the work factor can be written in the form W opt = na(r)+b. Figure shows how parameters p and ` act on the work factor for decoding a random [n; n=] code: if they are not optimized, log (W ) does not linearly depend on n anymore. Furthermore we see in gure that a(r) is closed to the entropy function H (r) multiplied by a xed coecient, where H (x) =?x log (x)? (1? x) log (1? x). proposition 7 The theoretical work factor required for decoding a random [n; k]-binary code can be approximated by the following formula: W opt = nah(k=n)+b where a = 5:511 10? and b = 1.. Finding minimum-weight codewords We now give the theoretical complexity of the algorithm for recovering a word of weight d in a random [n; k] binary code, where d is given by the Gilbert-Varshamov's bound. We assume that all these codes contain exactly one word of weight d. INRIA

13 A new algorithm for nding minimum-weight words in a linear code 11 code [6,,7] [18,6,15] [56,18,9] optimal p = 1 p = 1 p = 1 parameters ` = ` = 5 ` = 7 work factor 17:9 5:55 0:65 [8,19,] [51,56,57] [60,0,71] p = p = p = ` = 1 ` = 15 ` = 16 55:77 70:7 85:78 Table : Optimal parameters for nding a minimum-weight word in random [n; n=]-binary codes As for the general decoding problem log (W opt ) linearly depends on n for a xed rate r = k=n (see gure ). If this work factor is written in the form W opt = nc(r)n+d, gure 5 shows that c(r) is closed to the translated entropy function ch (r + r 0 ). proposition 8 The theoretical work factor required for nding a minimum-weight word in a random [n; k]-binary code can be approximated by the following formula: W opt = nch( k n +r0)+d where c = 0:1, d = 10 and r 0 = :15 10? Experimental results for decoding random [56; 18]- binary codes In order to check the correctness of our optimization we have made a great number of simulations for a small problem: decoding a random [56,18,9]-binary code, i.e. recovering an error-vector of weight 1. For each set of parameters 1000 computations have been made on a DEC alpha computer running at 175 MHz. The results given in table conrm the validity of the previous theory. We see that decoding a random [56,18,9]-code requires around seconds. Thus decoding a [51,56,57]-one requires around 9 hours on our computer. 5 True minimum distance of primitive binary narrowsense BCH codes of length 511 Let q = m and n = m? 1. Let be a primitive n-th root of unity in GF(q). RR n685

14 1 A. Canteaut et F. Chabaud theoretical theoretical experimental average corrected parameters work factor average average deviation CPU CPU log (W ) iteration iteration % time time number number (s) (s) p = 1, ` = p = 1, ` = p = 1, ` = p = 1, ` = p = 1, ` = p =, ` = p =, ` = p =, ` = p =, ` = p =, ` = Table : Decoding random [56; 18; 9]-binary codes denition The primitive binary narrow-sense BCH code of length n = m? 1 and designed distance, denoted by B(n; ), is the largest binary cyclic code of length n having zeros ; ; : : :;?1 The minimum distance d of B(n; ) satises the BCH bound: d. There is no general method for nding the true minimum distance of a BCH code although several innite classes are known to have minimum distance equal to their designed distance [1, 7, 1]. The true minimum distance has been determined for all narrow-sense BCH codes of length less than 511. For the length 511 the true minimum distance of 1 of them is still unknown [1]. Using the previously presented algorithm we show that the designed distance is reached for 5 of these codes. It is well-known that the automorphism group of an extended primitive BCH code contains the ane group on GF( m ); then we have the following proposition: proposition 9 If B( m? 1; ) contains a word of even weight w then it contains a word of weight w? 1. Thus we obtain: theorem B(511; 9), B(511; 7), B(511; 1), B(511; ) and B(511; 87) have minimum distance equal to their designed distance. Proof. Let us dene GF( 9 ) by = 0. For each of these B(511; ) a word of weight + 1 was found. We here list all the corresponding exponents. INRIA

15 A new algorithm for nding minimum-weight words in a linear code 1 = 9: (6, 1, 8, 51, 6, 7, 11, 16, 19, 1, 157, 188,, 7, 65, 70, 01, 06, 07, 17, 7, 5, 68, 69, 1, 15,, 1, 9, 98) = 7: (, 1, 7, 8, 56, 9, 10, 10, 115, 118, 1, 19, 15, 159, 197, 0, 15,, 0, 9, 50, 51, 90,, 7, 9, 59, 60, 67, 8, 96,, 61, 9, 9, 99, 50, 509) = 1: (9, 0, 0, 7, 8,,, 5, 66, 68, 8, 9, 95, 106, 108, 110, 111, 175, 185, 0,, 50, 6, 70, 1,, 6, 6, 79, 8, 85, 01, 0, 10, 6, 6, 6, 67, 78, 8, 99, 507) = : (0, 16, 5, 8, 56, 57, 58, 80, 8, 87, 115, 1, 17, 18, 156, 165, 167, 190, 196, 06, 9, 0,, 58, 69, 8, 95, 96, 09, 17, 1,,, 5, 6, 61, 75, 9, 05, 18, 9,, 60, 9) = 87: (18, 19,, 5, 7,, 50, 51, 6, 70, 7, 77, 81, 88, 96, 101, 10, 116, 117, 1, 16, 15, 158, 16, 165, 166, 17, 179, 19, 19, 195, 197, 199, 0, 10, 1, 5, 0, 0,, 5, 6, 7, 8, 87, 90, 9, 9, 95, 97, 01, 06, 0,, 7, 0, 9, 5, 61, 8, 85, 9, 9, 00, 11, 1, 17, 1,, 6, 6, 5, 59, 61, 66, 7, 75, 76, 80, 81, 8, 87, 89, 9, 50, 50, 505, 510) Table gives the list of all narrow-sense BCH codes of length 511, their minimum distance and the way they were found. Acknowledgements: We wish to thank Herve Chabanne who initiated this work. References [1] D. Augot, P. Charpin, and N. Sendrier. Studying the locator polynomials of minimum weight codewords of BCH codes. IEEE Trans. Inform. Theory, 8():960{97, 199. [] E.R. Berlekamp, R.J. McEliece, and H.C.A. Van Tilborg. On the inherent intractability of certain coding problems. IEEE Trans. Inform. Theory, IT-():8{86, May [] A. Canteaut and H. Chabanne. A further improvement of the work factor in an attempt at breaking McEliece's cryptosystem. In P. Charpin, editor, EUROCODE 9, pages 16{167. INRIA, 199. RR n685

16 1 A. Canteaut et F. Chabaud [] A. Canteaut and F. Chabaud. Improvements of the attacks on cryptosystems based on error-correcting codes. Rapport interne du Departement Mathematiques et Informatique LIENS-95-1, Ecole Normale Superieure, Paris, July [5] F. Chabaud. On the security of some cryptosystems based on error-correcting codes. In pre-proceedings of EUROCRYPT '9. Springer-Verlag, 199. [6] H.J. Helgert and R.D. Stina. Shortened BCH codes. IEEE Trans. Inform. Theory, pages 818{80, November 197. [7] T. Kasami and S. Lin. Some results on the minimum weight of primitive BCH codes. IEEE Trans. Inform. Theory, pages 8{85, November 197. [8] T. Kasami and N. Tokura. Some remarks on BCH bounds and minimum weights of binary primitive BCH codes. IEEE Trans. Inform. Theory, pages 08{1, May [9] J.G. Kemeny and J.L. Snell. Finite Markov chains. D.Van Nostrand, Princeton, New Jersey, [10] P.J. Lee and E.F. Brickell. An observation on the security of McEliece's public-key cryptosystem. In C.G. Gunther, editor, Advances in Cryptology { EUROCRYPT '88, number 0 in Lecture Notes in Computer Science, pages 75{80. Springer-Verlag, [11] J.S. Leon. A probabilistic algorithm for computing minimum weights of large errorcorrecting codes. IEEE Trans. Inform. Theory, IT-(5):15{159, September [1] J.K. Omura. Iterative decoding of linear codes by a modulo- linear program. Discrete Math, :19{08, 197. [1] W.W. Peterson and E.J. Weldon. Error-Correcting Codes. MIT Press, [1] J. Stern. A method for nding codewords of small weight. In G. Cohen and J. Wolfmann, editors, Coding Theory and Applications, number 88 in Lecture Notes in Computer Science, pages 106{11. Springer-Verlag, [15] J. van Tilburg. On the McEliece public-key cryptosystem. In S. Goldwasser, editor, Advances in Cryptology { CRYPT0 '88, number 0 in Lecture Notes in Computer Science, pages 119{11. Springer-Verlag, INRIA

17 A new algorithm for nding minimum-weight words in a linear code log (W opt ) r = 1= + r = 1= r = = r = 1=8 r = 7= length of the code Figure 1: Evolution of the theoretical work factor with optimized parameters for decoding random [n; nr]-binary codes RR n685

18 Unité de recherche INRIA Lorraine, Technopôle de Nancy-Brabois, Campus scientifique, 615 rue du Jardin Botanique, BP 101, 5600 VILLERS LÈS NANCY Unité de recherche INRIA Rennes, Irisa, Campus universitaire de Beaulieu, 50 RENNES Cedex Unité de recherche INRIA Rhône-Alpes, 6 avenue Félix Viallet, 801 GRENOBLE Cedex 1 Unité de recherche INRIA Rocquencourt, Domaine de Voluceau, Rocquencourt, BP 105, 7815 LE CHESNAY Cedex Unité de recherche INRIA Sophia-Antipolis, 00 route des Lucioles, BP 9, 0690 SOPHIA-ANTIPOLIS Cedex Éditeur INRIA, Domaine de Voluceau, Rocquencourt, BP 105, 7815 LE CHESNAY Cedex (France) ISSN

19 16 A. Canteaut et F. Chabaud log ( Wp;` W opt ) p = 1; ` = 0 p = 1; ` = 5 p = 1; ` = 10 + p = ; ` = length of the code Figure : Inuence of parameters p and ` on the work factor for decoding [n; n=] random codes a 0:055H a =8 1= 1= = 7=8 1 r = k=n Figure : Evolution of coecient a vs. r = k=n INRIA

20 A new algorithm for nding minimum-weight words in a linear code log (W opt ) r = 1= r = 1= r = = r = 1=8 r = 7= length of the code Figure : Evolution of the theoretical work factor with optimized parameters for nding a minimum-weight word in random [n; nr]-binary codes RR n685

21 18 A. Canteaut et F. Chabaud n k d argument in n k d argument in RM(7) [7] PS(7,1) [1] RM(7) [7] RM(6) [7] ES [1] ID [1] RM(6) [7] ID [1] S [6] RM(15) [7] ES [1] ID [1] ID [1] # -DI [8] PS(7,) [1] RM() [7] 1 RM(5) [7] ID [1] S [6] RM(5) [7] # -DI [8] RM() [7] RM() [7] # -DI [8] PS(7,5) [1] RM() [7] ## NI [1] ID [1] # -DI [8] RM() [7] ES [1] 5 5 ID [1] ES [1] RM() [7] ES [1] ES [1] NI [1] RM() [7] RM() [7] PS(7,) [1] ID [1] 8 RM() [7] RM() [7] RM(1) [7] RM() [7] # d = + ## d = + new result ES exhaustive search ID idempotent NI Newton's identities RM(s) intersection with the shortened sth-order Reed-Muller code S code shortening PS(n ; ) product subcode: n = n 1 n and = n 1 where BCH(n ; ) has minimum distance equal to -DI -divisibility of RM() since B(511; ) is included in the punctured Reed-Muller code of order for all > 85 Table : BCH codes of length 511 INRIA

22 A new algorithm for nding minimum-weight words in a linear code 19 a 0:1 0:1 0:08 0:06 0:0 0:0 a 0:1H (r + 0:015) 0 1=8 1= 1= = 7=8 1 r = k=n Figure 5: Evolution of coecient c vs. r = k=n RR n685