Applications of Galois Geometries to Coding Theory and Cryptography Ghent University Dept. of Mathematics Krijgslaan 281 - Building S22 9000 Ghent Belgium Albena, July 1, 2013
1. Affine spaces 2. Projective spaces OUTLINE 1 GALOIS GEOMETRIES 1. Affine spaces 2. Projective spaces 2 GEOMETRY AND CRYPTOGRAPHY
1. Affine spaces 2. Projective spaces FINITE FIELDS q = prime number. Prime fields F q = {0, 1,..., q 1} (mod q). Binary field F 2 = {0, 1}. Ternary field F 3 = {0, 1, 2} = { 1, 0, 1}. Finite fields F q : q prime power.
1. Affine spaces 2. Projective spaces AFFINE SPACE AG(n, q) V (n, q) = n-dimensional vector space over F q. AG(n, q) = V (n, q) plus parallelism. k-dimensional affine subspace = (translate) of k-dimensional vector space.
1. Affine spaces 2. Projective spaces PARALLELISM IN AFFINE SPACE AG(n, q) Let Π k be k-dimensional vector space of V (n, q). Π k + b, for b V (n, q), are the affine k-subspaces parallel to Π k. Two parallel affine k-subspaces are disjoint or equal. Parallelism leads to partitions of AG(n, q) into (parallel) affine k-subspaces.
1. Affine spaces 2. Projective spaces AFFINE PLANE AG(2, 3) OF ORDER 3
1. Affine spaces 2. Projective spaces FROM V (3, q) TO PG(2, q)
1. Affine spaces 2. Projective spaces FROM V (3, q) TO PG(2, q)
1. Affine spaces 2. Projective spaces THE FANO PLANE PG(2, 2)
1. Affine spaces 2. Projective spaces THE FANO PLANE PG(2, 2) Gino Fano (1871-1952)
1. Affine spaces 2. Projective spaces THE PLANE PG(2, 3)
1. Affine spaces 2. Projective spaces FROM V (4, q) TO PG(3, q)
1. Affine spaces 2. Projective spaces FROM V (4, q) TO PG(3, q)
1. Affine spaces 2. Projective spaces PG(3, 2)
1. Affine spaces 2. Projective spaces FROM V (n + 1, q) TO PG(n, q) 1 From V (1, q) to PG(0, q) (projective point), 2 From V (2, q) to PG(1, q) (projective line), 3 4 From V (i + 1, q) to PG(i, q) (i-dimensional projective subspace), 5 6 From V (n, q) to PG(n 1, q) ((n 1)-dimensional subspace = hyperplane), 7 From V (n + 1, q) to PG(n, q) (n-dimensional space).
1. Affine spaces 2. Projective spaces LINK BETWEEN AFFINE AND PROJECTIVE SPACES AG(n, q) = PG(n, q) minus one hyperplane (the hyperplane at infinity).
1. Affine spaces 2. Projective spaces LINK BETWEEN AG(2, 3) AND PG(2, 3)
OUTLINE Galois geometries 1 GALOIS GEOMETRIES 1. Affine spaces 2. Projective spaces 2 GEOMETRY AND CRYPTOGRAPHY
SECRET SHARING SCHEME 1 Secret sharing scheme: cryptographic equivalent of vault that needs several keys to be opened. 2 Secret S divided into shares. 3 Authorised sets: have access to secret S by putting their shares together. 4 Unauthorised sets: have no access to secret S by putting their shares together.
(n, k)-threshold SCHEME 1 n participants. 2 Each group of k participants can reconstruct secret S, but less than k participants have no way to learn anything about secret S.
SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME 1 F q = finite field of order q. 2 Dealer chooses polynomial f (X) = f 0 + f 1 X + + f k 1 X k 1 F q [X], and, 3 gives participant number i, point (x i, f (x i )) on graph of f (x i 0). 4 Value f (0) = f 0 is secret S.
SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME 1 Set of k participants can reconstruct f (X) = f 0 + f 1 X + + f k 1 X k 1 by interpolating their shares (x i, f (x i )). Then they can compute secret f (0). 2 If k < k persons try to reconstruct secret, for every y F q, there are exactly F q k k 1 polynomials of degree at most k 1 which pass through their shares and the point (0, y). Thus they gain no information about f (0).
Galois geometries REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME secret point S 1 S 5 S 2 S 3 S 4
GEOMETRICAL REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME (BLAKLEY) 1 Secret S = point of PG(3, q). 2 Shares = planes of PG(3, q) such that exactly three of them only intersect in S. 3 Classical example: Normal rational curve of planes X 0 + tx 1 + t 2 X 2 + t 3 X 3 = 0, t F q, and X 3 = 0.
GEOMETRICAL REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME (BLAKLEY) 1 Secret S = point of PG(k, q). 2 Shares = hyperplanes of PG(k, q) such that exactly k of them only intersect in S. 3 Classical example: Normal rational curve of hyperplanes X 0 + tx 1 + t 2 X 2 + + t k X k = 0, t F q, and X k = 0.
GEOMETRICAL REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME (BLAKLEY)
GEOMETRICAL REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME
GEOMETRICAL REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME
CODING-THEORETICAL REALISATION OF SHAMIR S k -OUT-OF-n SECRET SHARING SCHEME (McEliece and Sarwate) 1 C : [n + 1, k, n k + 2] q MDS code. 2 For secret c 0 F q, dealer creates codeword c = (c 0, c 1,..., c n ) C. Share of participant number i is symbol c i. 3 Since C is MDS code with minimum distance n k + 2, codeword c can be uniquely reconstructed if only k symbols are known. 4 So any set of k persons can compute secret c 0. 5 On the other hand, less than k persons do not learn anything about secret, since for any possible secret c, the same number of codewords that fit to secret c and their shares exist.
MORE GENERAL SECRET SHARING SCHEME DEFINITION Support of c = (c 1,..., c n ) F n q : sup(c) = {i c i 0}. Let C be linear code. Nonzero codeword c C is called minimal if ρ F q \ {0}. c C \ {0} : sup(c ) sup(c) = c = ρc, (In binary case, c minimal if no non-zero codeword c with sup(c ) sup(c), sup(c ) sup(c))
MORE GENERAL SECRET SHARING SCHEME LEMMA (MASSEY) Let C be an [n + 1, k] q -code. Secret sharing scheme is constructed from C by choosing codeword c = (c 0,..., c n ). Secret is c 0 and shares of participants are coordinates c i (1 i n). Minimal authorized sets of secret sharing scheme correspond to minimal codewords of C with 0 in their supports.
BINARY REED-MULLER CODES DEFINITION Binary r-th order Reed-Muller code RM(r, m) (0 r m) = set of all binary vectors f of length n = 2 m associated with Boolean polynomials f (x 1, x 2,..., x m ) of degree at most r: c = (f (0,..., 0),..., f (1,..., 1)). Minimum weight d = 2 m r. Minimum weight codewords of RM(r, m) = incidence vectors of AG(m r, 2) in AG(m, 2).
BINARY REED-MULLER CODES THEOREM (KASAMI, TOKURA, AND AZUMI) Let f (x 1,..., x m ) be Boolean function of degree at most r, where r 2, such that sup(f ) < 2 m r+1. Then f can be transformed by an affine transformation into f = x 1 x r 2 (x r 1 x r + +x r+2µ 3 x r+2µ 2 ), 2 2µ m r +2, or f = x 1 x r µ (x r µ+1 x r +x r+1 x r+µ ), 3 µ r, µ m r.
BINARY REED-MULLER CODES First type of codewords (1) f = x 1 x r 2 (x r 1 x r + +x r+2µ 3 x r+2µ 2 ), 2 2µ m r+2, In PG(m r + 2, 2) defined by X 1 = X 0,..., X r 2 = X 0, cone Ψ with vertex PG(m r + 1 2µ, 2) at infinity, and base non-singular parabolic quadric Q(2µ, 2) in 2µ dimensions having non-singular hyperbolic quadric at infinity.
QUADRATIC CONE Galois geometries
BINARY REED-MULLER CODES Second type of codewords (2) f = x 1 x r µ (x r µ+1 x r +x r+1 x r+µ ), 3 µ r, µ m r. (Symmetric difference): Union of two (m r)-dimensional affine spaces α and β, but not (m r µ)-dimensional affine intersection space α β.
SYMMETRIC DIFFERENCE
COUNTING NON-MINIMAL CODEWORDS IN RM(r, m) Non-minimal codeword c = c 1 + c 2, with c 1, c 2 non-zero codewords having disjoint supports. For w(c) < 3 2 m r, c 1 codeword of smallest weight 2 m r, and c 2 codeword of weight 2 m r or quadric or symmetric difference. Number of non-minimal codewords c of weight 2 2 m r calculated by Borissov, Manev, and Nikova. Number of non-minimal codewords c of weight 2 2 m r < w(c) < 3 2 m r calculated by Schillewaert, Storme, and Thas.
COUNTING NON-MINIMAL CODEWORDS IN RM(r, m)
PROBLEM OF AUTHENTICATION 1 Problem: Alice wants to send Bob a message m. 2 Attacker intercepts m and sends alternated message m to Bob.
PROBLEM OF AUTHENTICATION How can Bob be sure that message he gets is correct? Introduce authentication!
EXAMPLE OF MESSAGE AUTHENTICATION CODE 1 l = line of PG(2, q). 2 Message m = point of l. 3 Authentication key K = point in PG(2, q)\l. 4 Authentication tag = line through message m and key K.
EXAMPLE OF AUTHENTICATION CODE 1 If attacker wants to create message (m, K ) without knowing key K, he must guess an affine line through m. There are q possibilities, i.e. the chance for correct attack is 1 q. 2 If attacker already knows authenticated message (m, K ), he knows that key K must lie on the line mk. But for every of q affine points on line mk, there exists line through m. So he cannot do better than guess the key which gives probability of 1 q for successful attack.
SECURITY OF AUTHENTICATION CODE 1 p i = probability of attacker to construct pair (m, K ) without knowledge of key K, if he only knows i different pairs (m j, K ). 2 Smallest value r for which p r+1 = 1 is called order of authentication code. 3 For r = 1, p 0 = probability of impersonation attack and probability p 1 = probability of substitution attack. THEOREM If MAC has attack probabilities p i = 1/n i (0 i r), then K n 0 n r. MAC that satisfies this theorem with equality is called perfect.
GEOMETRICAL CONSTRUCTION OF PERFECT MAC DEFINITION Generalised dual arc D of order l with dimensions d 1 > d 2 > > d l+1 of PG(n, q) is set of subspaces of dimension d 1 such that: 1 each j subspaces intersect in subspace of dimension d j, 1 j l + 1, 2 each l + 2 subspaces have no common intersection. (n, d 1,..., d l+1 ) = parameters of dual arc.
GENERALISED DUAL ARCS THEOREM There exists generalised dual arc in PG( ( ) n+d+1 d+1 1, q), with dimensions d i = ( ) n+d+1 i d+1 i 1, i = 0,..., d + 1. 1 Spaces have dimension d 1 = ( ) n+d 1. 2 Two spaces intersect in space of dimension d 2 = ( ) n+d 1 d 1 1. 3 Three spaces intersect in space of dimension d 3 = ( ) n+d 2 1. 4 d 2 d
LINK BETWEEN MAC AND GENERALISED DUAL ARC 1 π = hyperplane of PG(n + 1, q) and D = generalised dual arc of order l in π with parameters (n, d 1,..., d l+1 ). 2 message m = element of D. 3 key K = point of PG(n + 1, q) not in π. 4 Authentication tag that belongs to message m and key K is generated (d 1 + 1)-dimensional subspace. 5 Perfect MAC of order r = l + 1 with attack probabilities p i = q d i+1 d i.
ANONYMOUS DATABASE SEARCH Anonymous database search: query a database anonomously. Peer-to-peer community: let users post queries on behalf of each other. Neighbourhood attack: can be modeled as the intersection of neighbourhoods that may return a single identified person in case of unique neighbourhoods. k-anonymous neighbourhoods: neighbourhood of person is also neighbourhood of at least k 1 other persons.
TRANSVERSAL DESIGNS Transversal design TD λ (k, n) = k-uniform structure (P, L) of points and blocks, with P = kn, that admits partition of P in k groups of cardinality n, and that satisfies: any group and block contain exactly one common point, every pair of points from distinct groups is contained in exactly λ blocks.
FROM AG(2, n) TO TD 1 (k, n) From affine plane AG(2, n) to transversal design TD 1 (k, n), 2 k n. Point set P of TD 1 (k, n) = points of AG(2, n) on k lines of one parallel class of AG(2, n), Groups = lines from this parallel class, Blocks of TD 1 (k, n) = lines of the other parallel classes of AG(2, n), restricted to the points in P.
FROM AG(2, n) TO TD 1 (k, n)
TRANSVERSAL DESIGN TD 1 (k, n) AND n-anonymous NEIGHBOURHOODS THEOREM Transversal design TD 1 (k, n) has n-anonymous neighbourhoods.
THEOREMS Galois geometries THEOREM (STOKES AND FARRÀS) Combinatorial (v, b, r, k)-configuration with n-anonymous neighbourhoods satisfies: There exists partition G = {g i } m i=1 of the point set such that the points in the same part are not collinear and g i n, for all i {1,..., m}, r n and m k.
THEOREMS Galois geometries THEOREM (STOKES AND FARRÀS) In combinatorial (v, b, r, k)-configuration C with n-anonymous neighbourhoods and anonymity partition G = {g i } m i=1 and g i = n for all i {1,..., m}, v = n iff m = k. In this case, C is transversal design TD 1 (k, n), and v = kn and b = n 2.
APPLICATION IN PAY TELEVISION (Korjik, Ivkov, Merinovich, Barg, and van Tilborg) subscribers = points of PG(2, q), codes = lines of PG(2, q), subscriber quits: codes of lines become invalid, new issue of codes: only necessary when codes of all lines through subscriber become invalid.
THE FANO PLANE PG(2, 2)
REFERENCES Galois geometries W.-A. Jackson, K.M. Martin, and C.M. O Keefe, Geometrical contributions to secret sharing theory. J. Geom. 79 (2004), 102 133. W.-A. Jackson, K.M. Martin, and M.B. Paterson, Applications of Galois geometry to cryptology. Chapter in Current research topics in Galois geometry (J. De Beule and L. Storme, Eds.), NOVA Academic Publishers (2012), 215 244.
Thank you very much for your attention!