Applications of Galois Geometries to Coding Theory and Cryptography

Similar documents
Applications of finite geometry in coding theory and cryptography

Galois geometries contributing to coding theory

Galois geometries contributing to coding theory

Functional codes arising from quadric intersections with Hermitian varieties

Linear Point Sets and Rédei Type k-blocking

On the structure of the directions not determined by a large affine point set

Secret sharing schemes

Characterizations of the finite quadric Veroneseans V 2n

On small minimal blocking sets in classical generalized quadrangles

Codewords of small weight in the (dual) code of points and k-spaces of P G(n, q)

Finite affine planes in projective spaces

Lax embeddings of the Hermitian Unital

SUBSTRUCTURES OF FINITE CLASSICAL POLAR SPACES

A characterization of the finite Veronesean by intersection properties

CPSC 467b: Cryptography and Computer Security

Introduction to Cryptography Lecture 13

Generalized Veronesean embeddings of projective spaces, Part II. The lax case.

Two-intersection sets with respect to lines on the Klein quadric

Journal of Discrete Mathematical Sciences & Cryptography Vol. 9 (2006), No. 1, pp

Characterizations of Veronese and Segre Varieties

On sets without tangents and exterior sets of a conic

Elliptic Curve Cryptography

Tight Sets and m-ovoids of Quadrics 1

Local correctability of expander codes

European Journal of Combinatorics. Locally subquadrangular hyperplanes in symplectic and Hermitian dual polar spaces

How to Build Robust Shared Control Systems

On Ferri s characterization of the finite quadric Veronesean V 4 2

CPSC 467: Cryptography and Computer Security

On the geometry of regular hyperbolic fibrations

Hyperplanes of Hermitian dual polar spaces of rank 3 containing a quad

Division Property: a New Attack Against Block Ciphers

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Two-character sets as subsets of parabolic quadrics

Generalized quadrangles and the Axiom of Veblen

CPSC 467: Cryptography and Computer Security

Finite geometry codes, generalized Hadamard matrices, and Hamada and Assmus conjectures p. 1/2

Decomposing Bent Functions

Theorems of Erdős-Ko-Rado type in polar spaces

Optimal Ramp Schemes and Related Combinatorial Objects

A spectrum result on minimal blocking sets with respect to the planes of PG(3, q), q odd

Characterizations of Segre Varieties

On the nucleus of the Grassmann embedding of the symplectic dual polar space DSp(2n, F), char(f) = 2

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

CPSC 467: Cryptography and Computer Security

Perfect Secret Sharing Schemes from Room Squares

Perfect Secret Sharing Schemes from Room. Squares. Ghulam-Rasool Chaudhry. Centre for Computer Security Research. University of Wollongong

MINIMAL CODEWORDS IN LINEAR CODES. Yuri Borissov, Nickolai Manev

Semifield flocks, eggs, and ovoids of Q(4, q)

Secret Sharing CPT, Version 3

Polynomials and Codes

The maximum size of a partial spread in H(4n + 1,q 2 ) is q 2n+1 + 1

Codes from generalized hexagons

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Shult Sets and Translation Ovoids of the Hermitian Surface

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

About Maximal Partial 2-Spreads in PG(3m 1, q)

Lines in higgledy-piggledy arrangement

Lecture 15 - Zero Knowledge Proofs

Linear Secret-Sharing Schemes for Forbidden Graph Access Structures

Notes 10: Public-key cryptography

Secret-sharing with a class of ternary codes

Characterizing Ideal Weighted Threshold Secret Sharing

CPSC 467b: Cryptography and Computer Security

Constructing Secret Sharing Schemes Based on Cyclic Codes

Every generalized quadrangle of order 5 having a regular point is symplectic

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

A Unified Approach to Combinatorial Key Predistribution Schemes for Sensor Networks

1 Number Theory Basics

This article appeared in a journal published by Elsevier. The attached copy is furnished to the author for internal non-commercial research and

Incidence Structures Related to Difference Sets and Their Applications

Message Authentication Codes (MACs)

On linear sets on a projective line

Blocking sets of tangent and external lines to a hyperbolic quadric in P G(3, q), q even

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Secret Sharing Schemes

Introduction to Modern Cryptography Lecture 11

Lecture notes on coding theory

UNIVERSITÀ DEGLI STUDI DI ROMA LA SAPIENZA. Semifield spreads

M.D.S. Codes and Arcs in PG(n, q) with q Even: An Improvement of the Bounds of Bruen, Thas, and Blokhuis

Correcting Codes in Cryptography

The classification of the largest caps in AG(5, 3)

CPSC 467b: Cryptography and Computer Security

Additional Constructions to Solve the Generalized Russian Cards Problem using Combinatorial Designs

Public Key Cryptography

The geometry of secants in embedded polar spaces

Secret Sharing. Qi Chen. December 14, 2015

The geometry of quantum codes. Jürgen Bierbrauer Giorgio Faina Massimo Giulietti Stefano Marcugini Fernanda Pambianco

Bounds and spectrum results in Galois geometry and coding theory. Eötvös Loránd University

Lax Embeddings of Generalized Quadrangles in Finite Projective Spaces

The structure of quaternary quantum caps

Security in Locally Repairable Storage

Interactive protocols & zero-knowledge

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Characterizing Ideal Weighted Threshold Secret Sharing

Strongly Regular (:, ;)-Geometries

Identifying codes in vertex-transitive graphs and strongly regular graphs

Perfect Secret Sharing Schemes Based on Generalized Kirkman Squares

The minimum weight of dual codes from projective planes

Discrete Mathematics and Probability Theory Fall 2014 Anant Sahai Note 7

Dense near octagons with four points on each line, III

Transcription:

Applications of Galois Geometries to Coding Theory and Cryptography Ghent University Dept. of Mathematics Krijgslaan 281 - Building S22 9000 Ghent Belgium Albena, July 1, 2013

1. Affine spaces 2. Projective spaces OUTLINE 1 GALOIS GEOMETRIES 1. Affine spaces 2. Projective spaces 2 GEOMETRY AND CRYPTOGRAPHY

1. Affine spaces 2. Projective spaces FINITE FIELDS q = prime number. Prime fields F q = {0, 1,..., q 1} (mod q). Binary field F 2 = {0, 1}. Ternary field F 3 = {0, 1, 2} = { 1, 0, 1}. Finite fields F q : q prime power.

1. Affine spaces 2. Projective spaces AFFINE SPACE AG(n, q) V (n, q) = n-dimensional vector space over F q. AG(n, q) = V (n, q) plus parallelism. k-dimensional affine subspace = (translate) of k-dimensional vector space.

1. Affine spaces 2. Projective spaces PARALLELISM IN AFFINE SPACE AG(n, q) Let Π k be k-dimensional vector space of V (n, q). Π k + b, for b V (n, q), are the affine k-subspaces parallel to Π k. Two parallel affine k-subspaces are disjoint or equal. Parallelism leads to partitions of AG(n, q) into (parallel) affine k-subspaces.

1. Affine spaces 2. Projective spaces AFFINE PLANE AG(2, 3) OF ORDER 3

1. Affine spaces 2. Projective spaces FROM V (3, q) TO PG(2, q)

1. Affine spaces 2. Projective spaces FROM V (3, q) TO PG(2, q)

1. Affine spaces 2. Projective spaces THE FANO PLANE PG(2, 2)

1. Affine spaces 2. Projective spaces THE FANO PLANE PG(2, 2) Gino Fano (1871-1952)

1. Affine spaces 2. Projective spaces THE PLANE PG(2, 3)

1. Affine spaces 2. Projective spaces FROM V (4, q) TO PG(3, q)

1. Affine spaces 2. Projective spaces FROM V (4, q) TO PG(3, q)

1. Affine spaces 2. Projective spaces PG(3, 2)

1. Affine spaces 2. Projective spaces FROM V (n + 1, q) TO PG(n, q) 1 From V (1, q) to PG(0, q) (projective point), 2 From V (2, q) to PG(1, q) (projective line), 3 4 From V (i + 1, q) to PG(i, q) (i-dimensional projective subspace), 5 6 From V (n, q) to PG(n 1, q) ((n 1)-dimensional subspace = hyperplane), 7 From V (n + 1, q) to PG(n, q) (n-dimensional space).

1. Affine spaces 2. Projective spaces LINK BETWEEN AFFINE AND PROJECTIVE SPACES AG(n, q) = PG(n, q) minus one hyperplane (the hyperplane at infinity).

1. Affine spaces 2. Projective spaces LINK BETWEEN AG(2, 3) AND PG(2, 3)

OUTLINE Galois geometries 1 GALOIS GEOMETRIES 1. Affine spaces 2. Projective spaces 2 GEOMETRY AND CRYPTOGRAPHY

SECRET SHARING SCHEME 1 Secret sharing scheme: cryptographic equivalent of vault that needs several keys to be opened. 2 Secret S divided into shares. 3 Authorised sets: have access to secret S by putting their shares together. 4 Unauthorised sets: have no access to secret S by putting their shares together.

(n, k)-threshold SCHEME 1 n participants. 2 Each group of k participants can reconstruct secret S, but less than k participants have no way to learn anything about secret S.

SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME 1 F q = finite field of order q. 2 Dealer chooses polynomial f (X) = f 0 + f 1 X + + f k 1 X k 1 F q [X], and, 3 gives participant number i, point (x i, f (x i )) on graph of f (x i 0). 4 Value f (0) = f 0 is secret S.

SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME 1 Set of k participants can reconstruct f (X) = f 0 + f 1 X + + f k 1 X k 1 by interpolating their shares (x i, f (x i )). Then they can compute secret f (0). 2 If k < k persons try to reconstruct secret, for every y F q, there are exactly F q k k 1 polynomials of degree at most k 1 which pass through their shares and the point (0, y). Thus they gain no information about f (0).

Galois geometries REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME secret point S 1 S 5 S 2 S 3 S 4

GEOMETRICAL REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME (BLAKLEY) 1 Secret S = point of PG(3, q). 2 Shares = planes of PG(3, q) such that exactly three of them only intersect in S. 3 Classical example: Normal rational curve of planes X 0 + tx 1 + t 2 X 2 + t 3 X 3 = 0, t F q, and X 3 = 0.

GEOMETRICAL REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME (BLAKLEY) 1 Secret S = point of PG(k, q). 2 Shares = hyperplanes of PG(k, q) such that exactly k of them only intersect in S. 3 Classical example: Normal rational curve of hyperplanes X 0 + tx 1 + t 2 X 2 + + t k X k = 0, t F q, and X k = 0.

GEOMETRICAL REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME (BLAKLEY)

GEOMETRICAL REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME

GEOMETRICAL REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME

CODING-THEORETICAL REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME (McEliece and Sarwate) 1 C : [n + 1, k, n k + 2] q MDS code. 2 For secret c 0 F q, dealer creates codeword c = (c 0, c 1,..., c n ) C. Share of participant number i is symbol c i. 3 Since C is MDS code with minimum distance n k + 2, codeword c can be uniquely reconstructed if only k symbols are known. 4 So any set of k persons can compute secret c 0. 5 On the other hand, less than k persons do not learn anything about secret, since for any possible secret c, the same number of codewords that fit to secret c and their shares exist.

MORE GENERAL SECRET SHARING SCHEME DEFINITION Support of c = (c 1,..., c n ) F n q : sup(c) = {i c i 0}. Let C be linear code. Nonzero codeword c C is called minimal if ρ F q \ {0}. c C \ {0} : sup(c ) sup(c) = c = ρc, (In binary case, c minimal if no non-zero codeword c with sup(c ) sup(c), sup(c ) sup(c))

MORE GENERAL SECRET SHARING SCHEME LEMMA (MASSEY) Let C be an [n + 1, k] q -code. Secret sharing scheme is constructed from C by choosing codeword c = (c 0,..., c n ). Secret is c 0 and shares of participants are coordinates c i (1 i n). Minimal authorized sets of secret sharing scheme correspond to minimal codewords of C with 0 in their supports.

BINARY REED-MULLER CODES DEFINITION Binary r-th order Reed-Muller code RM(r, m) (0 r m) = set of all binary vectors f of length n = 2 m associated with Boolean polynomials f (x 1, x 2,..., x m ) of degree at most r: c = (f (0,..., 0),..., f (1,..., 1)). Minimum weight d = 2 m r. Minimum weight codewords of RM(r, m) = incidence vectors of AG(m r, 2) in AG(m, 2).

BINARY REED-MULLER CODES THEOREM (KASAMI, TOKURA, AND AZUMI) Let f (x 1,..., x m ) be Boolean function of degree at most r, where r 2, such that sup(f ) < 2 m r+1. Then f can be transformed by an affine transformation into f = x 1 x r 2 (x r 1 x r + +x r+2µ 3 x r+2µ 2 ), 2 2µ m r +2, or f = x 1 x r µ (x r µ+1 x r +x r+1 x r+µ ), 3 µ r, µ m r.

BINARY REED-MULLER CODES First type of codewords (1) f = x 1 x r 2 (x r 1 x r + +x r+2µ 3 x r+2µ 2 ), 2 2µ m r+2, In PG(m r + 2, 2) defined by X 1 = X 0,..., X r 2 = X 0, cone Ψ with vertex PG(m r + 1 2µ, 2) at infinity, and base non-singular parabolic quadric Q(2µ, 2) in 2µ dimensions having non-singular hyperbolic quadric at infinity.

QUADRATIC CONE Galois geometries

BINARY REED-MULLER CODES Second type of codewords (2) f = x 1 x r µ (x r µ+1 x r +x r+1 x r+µ ), 3 µ r, µ m r. (Symmetric difference): Union of two (m r)-dimensional affine spaces α and β, but not (m r µ)-dimensional affine intersection space α β.

SYMMETRIC DIFFERENCE

COUNTING NON-MINIMAL CODEWORDS IN RM(r, m) Non-minimal codeword c = c 1 + c 2, with c 1, c 2 non-zero codewords having disjoint supports. For w(c) < 3 2 m r, c 1 codeword of smallest weight 2 m r, and c 2 codeword of weight 2 m r or quadric or symmetric difference. Number of non-minimal codewords c of weight 2 2 m r calculated by Borissov, Manev, and Nikova. Number of non-minimal codewords c of weight 2 2 m r < w(c) < 3 2 m r calculated by Schillewaert, Storme, and Thas.

COUNTING NON-MINIMAL CODEWORDS IN RM(r, m)

PROBLEM OF AUTHENTICATION 1 Problem: Alice wants to send Bob a message m. 2 Attacker intercepts m and sends alternated message m to Bob.

PROBLEM OF AUTHENTICATION How can Bob be sure that message he gets is correct? Introduce authentication!

EXAMPLE OF MESSAGE AUTHENTICATION CODE 1 l = line of PG(2, q). 2 Message m = point of l. 3 Authentication key K = point in PG(2, q)\l. 4 Authentication tag = line through message m and key K.

EXAMPLE OF AUTHENTICATION CODE 1 If attacker wants to create message (m, K ) without knowing key K, he must guess an affine line through m. There are q possibilities, i.e. the chance for correct attack is 1 q. 2 If attacker already knows authenticated message (m, K ), he knows that key K must lie on the line mk. But for every of q affine points on line mk, there exists line through m. So he cannot do better than guess the key which gives probability of 1 q for successful attack.

SECURITY OF AUTHENTICATION CODE 1 p i = probability of attacker to construct pair (m, K ) without knowledge of key K, if he only knows i different pairs (m j, K ). 2 Smallest value r for which p r+1 = 1 is called order of authentication code. 3 For r = 1, p 0 = probability of impersonation attack and probability p 1 = probability of substitution attack. THEOREM If MAC has attack probabilities p i = 1/n i (0 i r), then K n 0 n r. MAC that satisfies this theorem with equality is called perfect.

GEOMETRICAL CONSTRUCTION OF PERFECT MAC DEFINITION Generalised dual arc D of order l with dimensions d 1 > d 2 > > d l+1 of PG(n, q) is set of subspaces of dimension d 1 such that: 1 each j subspaces intersect in subspace of dimension d j, 1 j l + 1, 2 each l + 2 subspaces have no common intersection. (n, d 1,..., d l+1 ) = parameters of dual arc.

GENERALISED DUAL ARCS THEOREM There exists generalised dual arc in PG( ( ) n+d+1 d+1 1, q), with dimensions d i = ( ) n+d+1 i d+1 i 1, i = 0,..., d + 1. 1 Spaces have dimension d 1 = ( ) n+d 1. 2 Two spaces intersect in space of dimension d 2 = ( ) n+d 1 d 1 1. 3 Three spaces intersect in space of dimension d 3 = ( ) n+d 2 1. 4 d 2 d

LINK BETWEEN MAC AND GENERALISED DUAL ARC 1 π = hyperplane of PG(n + 1, q) and D = generalised dual arc of order l in π with parameters (n, d 1,..., d l+1 ). 2 message m = element of D. 3 key K = point of PG(n + 1, q) not in π. 4 Authentication tag that belongs to message m and key K is generated (d 1 + 1)-dimensional subspace. 5 Perfect MAC of order r = l + 1 with attack probabilities p i = q d i+1 d i.

ANONYMOUS DATABASE SEARCH Anonymous database search: query a database anonomously. Peer-to-peer community: let users post queries on behalf of each other. Neighbourhood attack: can be modeled as the intersection of neighbourhoods that may return a single identified person in case of unique neighbourhoods. k-anonymous neighbourhoods: neighbourhood of person is also neighbourhood of at least k 1 other persons.

TRANSVERSAL DESIGNS Transversal design TD λ (k, n) = k-uniform structure (P, L) of points and blocks, with P = kn, that admits partition of P in k groups of cardinality n, and that satisfies: any group and block contain exactly one common point, every pair of points from distinct groups is contained in exactly λ blocks.

FROM AG(2, n) TO TD 1 (k, n) From affine plane AG(2, n) to transversal design TD 1 (k, n), 2 k n. Point set P of TD 1 (k, n) = points of AG(2, n) on k lines of one parallel class of AG(2, n), Groups = lines from this parallel class, Blocks of TD 1 (k, n) = lines of the other parallel classes of AG(2, n), restricted to the points in P.

FROM AG(2, n) TO TD 1 (k, n)

TRANSVERSAL DESIGN TD 1 (k, n) AND n-anonymous NEIGHBOURHOODS THEOREM Transversal design TD 1 (k, n) has n-anonymous neighbourhoods.

THEOREMS Galois geometries THEOREM (STOKES AND FARRÀS) Combinatorial (v, b, r, k)-configuration with n-anonymous neighbourhoods satisfies: There exists partition G = {g i } m i=1 of the point set such that the points in the same part are not collinear and g i n, for all i {1,..., m}, r n and m k.

THEOREMS Galois geometries THEOREM (STOKES AND FARRÀS) In combinatorial (v, b, r, k)-configuration C with n-anonymous neighbourhoods and anonymity partition G = {g i } m i=1 and g i = n for all i {1,..., m}, v = n iff m = k. In this case, C is transversal design TD 1 (k, n), and v = kn and b = n 2.

APPLICATION IN PAY TELEVISION (Korjik, Ivkov, Merinovich, Barg, and van Tilborg) subscribers = points of PG(2, q), codes = lines of PG(2, q), subscriber quits: codes of lines become invalid, new issue of codes: only necessary when codes of all lines through subscriber become invalid.

THE FANO PLANE PG(2, 2)

REFERENCES Galois geometries W.-A. Jackson, K.M. Martin, and C.M. O Keefe, Geometrical contributions to secret sharing theory. J. Geom. 79 (2004), 102 133. W.-A. Jackson, K.M. Martin, and M.B. Paterson, Applications of Galois geometry to cryptology. Chapter in Current research topics in Galois geometry (J. De Beule and L. Storme, Eds.), NOVA Academic Publishers (2012), 215 244.

Thank you very much for your attention!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback