Lecture Notes in Computer Science 1746
Edited by G. Goos, J. Hartmanis and J. van Leeuwen

Michael Walker (Ed.)

Cryptography and Coding
7th IMA International Conference, Cirencester, UK, December 20-22, 1999. Proceedings

Springer: Berlin, Heidelberg, New York, Barcelona, Hong Kong, London, Milan, Paris, Singapore, Tokyo

Series Editors: Gerhard Goos, Karlsruhe University, Germany; Juris Hartmanis, Cornell University, NY, USA; Jan van Leeuwen, Utrecht University, The Netherlands

Volume Editor: Michael Walker, Vodafone Limited, The Courtyard, 2-4 London Road, Newbury, Berkshire RG14 1JX, UK. E-mail: [email protected]

Cataloging-in-Publication data applied for

Die Deutsche Bibliothek - CIP-Einheitsaufnahme: Cryptography and coding: ... IMA international conference ...; proceedings. - Berlin; Heidelberg; New York; Barcelona; Hong Kong; London; Milan; Paris; Singapore; Tokyo: Springer (Lecture notes in computer science; ...). 7. Cirencester, UK, December 20-22, 1999. - 1999 (Lecture notes in computer science; 1746). ISBN 3-540-66887-X

CR Subject Classification (1998): E.3-4, G.2.1, C.2, J.1
ISSN 0302-9743
ISBN 3-540-66887-X Springer-Verlag Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.

© Springer-Verlag Berlin Heidelberg 1999. Printed in Germany. Typesetting: Camera-ready by author. Printed on acid-free paper.
Preface

The IMA conferences on Cryptography and Coding are not only a blend of these two aspects of information theory, but a blend of mathematics and engineering and of theoretical results and applications. The papers in this book show that the 1999 conference was no exception. Indeed, we again saw the mathematics underlying cryptography and error correcting coding being applied to other aspects of communications, and we also saw classical mathematical concepts finding new applications in communications theory. As usual the conference was held at the Royal Agricultural College, Cirencester, shortly before Christmas - this time 20-22 December 1999. The papers appear in this book in the order in which they were presented, grouped into sessions, each session beginning with an invited paper. These invited papers were intended to reflect the invitees' views on the future of their subject - or more accurately where they intended to take it. Indeed the focus of the conference was the future of cryptography and coding as seen through the eyes of young researchers. The first group of papers is concerned with mathematical bounds, concepts, and constructions that form a common thread running through error correcting coding theory, cryptography, and codes for multiple access schemes. This is followed by a group of papers from a conference session concerned with applications. The papers range over various topics from arithmetic coding for data compression and encryption, through image coding, biometrics for authentication, and access to broadcast channels, to photographic signatures for secure identification. The third set of papers deals with theoretical aspects of error correcting coding, including graph and trellis decoding, turbo codes, convolution codes and low complexity soft decision decoding of Reed Solomon codes.

This is followed by a collection of papers concerned with some mathematical techniques in cryptography - elliptic curves, the theory of correlations of binary sequences, primality testing, and the complexity of finite field arithmetic. The final collection of papers is concerned primarily with protocols and schemes. There is a diversity of papers covering lattice based cryptosystems, protocols for sharing public key parameters and for delegating decryption, and arithmetic coding schemes. It is my pleasure to record my appreciation to the members of the conference organising committee for their help in refereeing the papers that make up this volume. They were Michael Darnell, Paddy Farrell, Mick Ganley, John Gordon, Bahram Honary, Chris Mitchell, and Fred Piper. Sincere thanks also to Pamela Bye, Hilary Hill, Adrian Lepper, and Deborah Sullivan of the IMA for all their help with the organisation of the conference and with the publication of this collection of papers.

Finally, I hope that those of you who attended the conference found it rewarding and stimulating. For those of you who did not, I hope this book of papers will encourage you to participate in the next one.

December 1999
Mike Walker
Contents

Applications of Exponential Sums in Communications Theory (K.G. Paterson) ..... 1
Some Applications of Bounds for Designs to the Cryptography (S. Nikova and V. Nikov) ..... 25
Further Results on the Relation Between Nonlinearity and Resiliency for Boolean Functions (E. Pasalic and T. Johansson) ..... 35
Combinatorial Structure of Finite Fields with Two Dimensional Modulo Metrics (E. Martínez-Moro, F.J. Galan-Simon, M.A. Borges-Trenard, and M. Borges-Quintana) ..... 45
A New Method for Generating Sets of Orthogonal Sequences for a Synchronous CDMA System (H. Donelan and T. O'Farrell) ..... 56
New Self-Dual Codes over GF(5) (S. Georgiou and C. Koukouvinos) ..... 63
Designs, Intersecting Families, and Weight of Boolean Functions (E. Filiol) ..... 70
Coding Applications in Satellite Communication Systems (S. McGrath) ..... 81
A Unified Code (X. Liu, P. Farrell, and C. Boyd) ..... 84
Enhanced Image Coding for Noisy Channels (P. Chippendale, C. Tanriover, and B. Honary) ..... 94
Perfectly Secure Authorization and Passive Identification for an Error Tolerant Biometric System (G.I. Davida and Y. Frankel) ..... 104
An Encoding Scheme for Dual Level Access to Broadcasting Networks (T. Amornraksa, D.R.B. Burgess, and P. Sweeney) ..... 114
Photograph Signatures for the Protection of Identification Documents (B. Bellamy, J.S. Mason, and M. Ellis) ..... 119
An Overview of the Isoperimetric Method in Coding Theory (J.-P. Tillich and G. Zemor) ..... 129
Rectangular Basis of a Linear Code (J. Maucher, V. Sidorenko, and M. Bossert) ..... 135
Graph Decoding of Array Error-Correcting Codes (P.G. Farrell and S.H. Razavi) ..... 144
Catastrophicity Test for Time-Varying Convolutional Encoders (C. O'Donoghue and C. Burkley) ..... 153
Low Complexity Soft-Decision Sequential Decoding Using Hybrid Permutation for Reed-Solomon Codes (M.-s. Oh and P. Sweeney) ..... 163
On Efficient Decoding of Alternant Codes over a Commutative Ring (G.H. Norton and A. Salagean) ..... 173
Reduced Complexity Sliding Window BCJR Decoding Algorithms for Turbo Codes (J. Gwak, S.K. Shin, and H.-M. Kim) ..... 179
Advanced Encryption Standard (AES) - An Update (L.R. Knudsen) ..... 185
The Piling-Up Lemma and Dependent Random Variables (Z. Kukorelly) ..... 186
A Cryptographic Application of Weil Descent (S.D. Galbraith and N.P. Smart) ..... 191
Edit Probability Correlation Attack on the Bilateral Stop/Go Generator (R. Menicocci and J.Dj. Golic) ..... 201
Look-Up Table Based Large Finite Field Multiplication in Memory Constrained Cryptosystems (M.A. Hasan) ..... 213
On the Combined Fermat/Lucas Probable Prime Test (S. Müller) ..... 222
On the Cryptanalysis of Nonlinear Sequences (S.W. Golomb) ..... 236
Securing Aeronautical Telecommunications (S. Blake-Wilson) ..... 243
Tensor-Based Trapdoors for CVP and Their Application to Public Key Cryptography (R. Fischlin and J.-P. Seifert) ..... 244
Delegated Decryption (Y. Mu, V. Varadharajan, and K.Q. Nguyen) ..... 258
Fast and Space-Efficient Adaptive Arithmetic Coding (B. Ryabko and A. Fionov) ..... 270
Robust Protocol for Generating Shared RSA Parameters (A.M. Barmawi, S. Takada, and N. Doi) ..... 280
Some Soft-Decision Decoding Algorithms for Reed-Solomon Codes (S. Wesemeyer, P. Sweeney, and D.R.B. Burgess) ..... 290
Weaknesses in Shared RSA Key Generation Protocols (S.R. Blackburn, S. Blake-Wilson, M. Burmester, and S.D. Galbraith) ..... 300
Digital Signature with Message Recovery and Authenticated Encryption (Signcryption) - A Comparison (C.Y. Yeun) ..... 307
Index ..... 313
Applications of Exponential Sums in Communications Theory [Invited Paper]
Kenneth G. Paterson
Mathematics, Cryptography and Security Group, Hewlett-Packard Laboratories, Filton Road, Stoke-Gifford, Bristol BS34 8QZ, U.K.
[email protected]

Abstract. We provide an introductory overview of how exponential sums, and bounds for them, have been exploited by coding theorists and communications engineers.
1 Introduction

An exponential sum is a sum of complex numbers of absolute value one in which each term is obtained by evaluating a function of additive and/or multiplicative characters of a finite field $F_q$, and where the sum is taken over the whole of $F_q$. Exponential sums date back to early work of Lagrange and Gauss, the latter explicitly evaluating certain basic exponential sums now called Gauss sums in his honour. Since then, much more general exponential sums have been considered, but generally, it is impossible to find explicit expressions evaluating these more complicated sums. However their evaluation is intimately connected to the problem of counting the numbers of points on related curves (more generally, algebraic varieties) defined over finite extensions of $F_q$ and deep methods in algebraic geometry have been developed to find good bounds on such numbers. Two major achievements of these methods are Weil's 1940 announcement of the proof of the Riemann hypothesis for curves over finite fields [66] and Deligne's Fields medal winning proof of the Weil conjectures for algebraic varieties [8]. These results are justly regarded as being high-points of twentieth century mathematics, and from them, good bounds for many classes of exponential sums can easily be deduced. In contrast to the depth and sophistication of the techniques used by Weil and Deligne, the bounds they proved are rather easy to state and to use. Coding theorists and communications engineers have been extraordinarily fecund in exploiting this ease of use. In this paper, we quote some bounds for exponential sums, briefly sketch the connection to curves over finite fields and examine some applications of exponential sums in communications theory. We make no attempt to be exhaustive in our coverage. Rather our aim is to provide an introductory tour, focusing on salient points, basic techniques and a few applications.

M. Walker (Ed.): IMA - Crypto & Coding '99, LNCS 1746, pp. 1-24, 1999. © Springer-Verlag Berlin Heidelberg 1999
For this reason, all of our applications will involve, in various guises, a class of codes called dual BCH codes. We provide pointers to the vast literature for more advanced topics, and immediately recommend the survey [21] for a snapshot of the whole area. We show how the minimum distances of dual BCH codes and other cyclic codes can be evaluated in terms of exponential sums. We then consider the problem, important in multiple-access spread-spectrum communications, of designing sequence sets whose periodic cross-correlations and auto-correlations are all small. Then we look at how exponential sums can be used to study binary sequences with small partial and aperiodic correlations. These are also important in spread-spectrum applications. We also consider the application of exponential sums in a relatively new communications application, the power control problem in Orthogonal Frequency Division Multiplexing (OFDM). Finally, we briefly consider some more advanced applications of exponential sums.
2 Finite Fields, Their Characters, and the Dual BCH Codes

We set out some facts concerning the trace map on a finite field, assuming the reader to be familiar with the basic properties of finite fields (existence, uniqueness, primitive elements and so on). Basic references for finite fields are [23, 31, 32]. We will almost exclusively be concerned with fields of characteristic two in this paper, though almost everything we say can be generalised to characteristic $p$ with appropriate modifications. Throughout, $m, n$ will denote positive integers with $m \mid n$. Also, $F_{2^n}$ denotes the finite field with $2^n$ elements and $F_{2^n}^*$ the set of non-zero elements of $F_{2^n}$. The relative trace function from $F_{2^n}$ to $F_{2^m}$ is defined by
$$tr^n_m(x) = \sum_{i=0}^{n/m-1} x^{2^{mi}}.$$
The trace map $tr^n_m(x)$ has the following properties:
- It is an $F_{2^m}$-linear mapping onto $F_{2^m}$.
- For each $b \in F_{2^m}$, the equation $tr^n_m(x) = b$ has exactly $2^{n-m}$ solutions $x \in F_{2^n}$. In other words, the trace map is 'equidistributed' on sub-fields.
- $tr^m_1(tr^n_m(x)) = tr^n_1(x)$ for $x \in F_{2^n}$.

Next we introduce the characters of $F_{2^n}$. Of course these can be defined more generally for any finite field $F_q$. Even more generally, the characters of an abelian group are just the homomorphisms from that group onto the set $U$ of complex numbers of absolute value 1. The field $F_{2^n}$ contains two abelian subgroups of
particular interest, namely the additive and multiplicative groups of the finite field, and so we have two corresponding sets of characters. For each $b \in F_{2^n}$, define a map $\chi_b$ from $F_{2^n}$ to the set $\{1, -1\}$ by writing
$$\chi_b(x) = (-1)^{tr^n_1(bx)}, \qquad x \in F_{2^n}.$$
The maps $\chi_b$ are called the additive characters of $F_{2^n}$: by linearity of trace, it can be seen that these maps are homomorphisms from the group $(F_{2^n}, +)$ to $U$. The map $\chi_0$ is called the trivial additive character because $\chi_0(x) = 1$ for all $x \in F_{2^n}$. Notice that if $b \ne 0$, then
$$\sum_{x \in F_{2^n}} \chi_b(x) = 0 \qquad (1)$$
because of the equi-distribution properties of the trace map. Now let $N = 2^n - 1$ and let $\omega = \exp(2\pi i/N)$ be a complex $N$-th root of unity. Let $\alpha$ be a primitive element in $F_{2^n}$. For each integer $j$ with $0 \le j < 2^n - 1$, we define a map $\psi_j$ from $F_{2^n}^*$ to the set $U$ of powers of $\omega$ by writing
$$\psi_j(\alpha^i) = \omega^{ji}, \qquad 0 \le i < 2^n - 1.$$
The maps $\psi_j$ are called the multiplicative characters of $F_{2^n}$: they are homomorphisms from $(F_{2^n}^*, \cdot)$ to $U$. The map $\psi_0$ is called the trivial multiplicative character. For much more information about characters of finite fields, see [22, 23, 32].

Next we define the main class of codes that we'll work with in this paper, the dual BCH codes. In fact, we work with a sub-class of these codes, more properly called binary, primitive, dual BCH codes. Let $\alpha$ be primitive in $F_{2^n}$ and let $t$ be a positive integer with $1 \le 2t-1 \le 2^{\lceil n/2 \rceil} + 1$. Let $G_t$ denote the set of polynomials
$$G_t = \{ \phi_1 x + \phi_3 x^3 + \cdots + \phi_{2t-1} x^{2t-1} : \phi_i \in F_{2^n} \}.$$
For each $\phi \in G_t$, define a length $2^n - 1$, binary word
$$c_\phi = \left( tr^n_1(\phi(1)),\ tr^n_1(\phi(\alpha)),\ \ldots,\ tr^n_1(\phi(\alpha^{2^n-2})) \right)$$
and define a code $C_t$ by
$$C_t = \{ c_\phi : \phi \in G_t \}.$$
So the words of $C_t$ are obtained by evaluating certain degree $2t-1$ polynomials on the non-zero elements $1, \alpha, \ldots, \alpha^{2^n-2}$ of $F_{2^n}$, and then applying the trace map. It follows from the linearity of the trace map that the code $C_t$ is linear. It can be shown that the dimension of the code over $F_2$ is equal to $nt$, the set of polynomials $\{ c x^{2i-1} : 1 \le i \le t,\ c \in F_{2^n} \}$ leading to a basis for the code. By examining these 'basis polynomials', it's now easy to show that the code is cyclic.
It is a consequence of a theorem of Delsarte that the code $C_t$ is the dual of the primitive, binary BCH code with designed distance $2t+1$ whose zeros include $\alpha, \alpha^3, \ldots, \alpha^{2t-1}$. See [34, Chapters 8 and 9] for more background on BCH codes and their duals. In Section 4 we will obtain bounds on the minimum Hamming distances of the codes $C_t$ by using Weil's bound on the size of exponential sums with polynomial argument.
3 Exponential Sums

As we stated in the introduction, exponential sums are sums in which each term is obtained by evaluating a function of additive and/or multiplicative characters of a finite field $F_q$, and where the sum is taken over the whole of $F_q$. Here we consider some classes of sums over finite fields of characteristic 2, stating bounds for such sums. We also sketch the connection between exponential sums and the problem of counting the numbers of points on certain curves over finite fields. For a much more detailed exposition of the theory of exponential sums, we recommend [32, Chapter 5].

Let $\chi$ be a non-trivial additive character of $F_{2^n}$ and let $\phi$ be a polynomial of odd degree $r < 2^n$ over $F_{2^n}$. We are interested in sums of the form
$$\sum_{x \in F_{2^n}} \chi(\phi(x))$$
which are called exponential sums with polynomial argument or Weil sums. For special choices of $\phi$, the sums can be evaluated explicitly (for example, when $\phi(x) = x$ we know from (1) that the sum is identically zero). Usually though, we have to settle for bounds on the size of the sums. The following result, known as Weil's theorem or the Carlitz-Uchiyama/Weil bound, is the fundamental estimate on the size of Weil sums:

Result 1 [66, 4] With notation as above,
$$\left| \sum_{x \in F_{2^n}} \chi(\phi(x)) \right| \le (r-1)\, 2^{n/2}.$$

Notice the Weil sums, being sums of $2^n$ complex numbers of absolute magnitude 1, are potentially of size $O(2^n)$. The above bound shows that (at least when $r$ is not too large), the Weil sums are much smaller than this. Notice also that the case $r = 1$ of Weil's bound recovers (1). The condition that $\phi$ have odd degree $r$ can be replaced by much weaker criteria, for example that the polynomial $y^2 + y + \phi(x)$ in two variables be absolutely irreducible, or that the polynomial $\phi$ not be of the form $h(x)^2 + h(x) + d$ for any polynomial $h$ over $F_{2^n}$ and any $d \in F_{2^n}$.
3.1 Exponential Sums and Curves over Finite Fields

We sketch the connection between Weil exponential sums and the problem of counting points on curves over finite fields and outline how Weil's theorem is proved using algebraic-geometric methods. For modern and accessible approaches to the proof of Weil's theorem and related results, see the books [36, 61]. For an elementary approach avoiding algebraic geometry, see [54]. For introductory explanations, see [22, Chapters 10 and 11] and [32, Notes to Chapter 6]. To make the connection, we need the following simple result:

Lemma 1 [32, Theorem 2.25] For $b \in F_{2^n}$, we have $tr^n_1(b) = 0$ if and only if $y^2 + y = b$ for some $y \in F_{2^n}$.

Now consider the exponential sum
$$\sum_{x \in F_{2^n}} (-1)^{tr^n_1(\phi(x))} = \left|\{x \in F_{2^n} : tr^n_1(\phi(x)) = 0\}\right| - \left|\{x \in F_{2^n} : tr^n_1(\phi(x)) = 1\}\right| = 2\left|\{x \in F_{2^n} : tr^n_1(\phi(x)) = 0\}\right| - 2^n.$$
But we know that $tr^n_1(\phi(x)) = 0$ if and only if there exists a solution $y \in F_{2^n}$ to the equation $y^2 + y = \phi(x)$, in other words, if and only if there is a $y$ such that $(x, y)$ is a point on the affine curve $C$ whose equation is $h(x, y) = 0$ where $h(x, y) = y^2 + y + \phi(x)$. Notice though that if $y$ is a solution to $h(x, y) = 0$, then so too is $y + 1$. So the points on $C$ come in pairs and are in 2-1 correspondence with the $x$ satisfying $tr^n_1(\phi(x)) = 0$. We deduce that
$$\sum_{x \in F_{2^n}} (-1)^{tr^n_1(\phi(x))} = |C| - 2^n$$
where $|C|$ denotes the number of points on the affine curve $C$. Next we introduce a projective version of $C$. We consider a homogeneous version of the equation defining $C$: $H(x, y, z) = y^2 z^{r-2} + y z^{r-1} + z^r \phi(x/z)$ (where $r$ is the degree of $\phi$) and count the projective points $[x, y, z]$ satisfying $H(x, y, z) = 0$. Notice that $H(x, y, 1) = h(x, y)$ for all $x, y$, so the set of projective points $[x, y, z]$ satisfying $H(x, y, z) = 0$ accounts for all the points on the affine curve, once each. But the projective curve has one additional point $[0, 1, 0]$, called a point at infinity. So if $N$ denotes the number of projective points on $C$, then we have $N = |C| + 1$ and
$$\sum_{x \in F_{2^n}} (-1)^{tr^n_1(\phi(x))} = N - 1 - 2^n. \qquad (2)$$

In his paper [66], Weil considered the numbers of points on general absolutely irreducible projective curves. Let $C$ be such a curve defined over a finite field $F_q$.
For $s \ge 1$, let $N_s$ denote the number of projective points on $C$ whose coordinates all lie in the extension $F_{q^s}$, called $F_{q^s}$-rational points. Then the function
$$Z(u) = \exp\left( \sum_{s=1}^{\infty} \frac{N_s u^s}{s} \right)$$
is called the zeta function of $C$. This function contains all the information about the numbers of projective points on $C$ over extensions of $F_q$. Weil was able to show that $Z(u)$ is actually a rational function of $u$, in fact, he showed:
$$Z(u) = \frac{P(u)}{(1-u)(1-qu)}$$
where $P(u)$ is a degree $2g$ polynomial with integer coefficients and constant term 1. Here $g$, the genus of $C$, is a topological number associated with the curve. Writing
$$P(u) = \prod_{i=1}^{2g} (1 - \omega_i u),$$
Weil also showed that the $2g$ complex numbers $\omega_1, \ldots, \omega_{2g}$ all satisfy $|\omega_i| = q^{1/2}$. This last fact, conjectured by Artin and proved by Weil, is the Riemann hypothesis for curves over finite fields, so-called by analogy with the Riemann hypothesis for the classical zeta function. Now a straightforward calculation shows that
$$u \frac{d}{du} \log Z(u) = \sum_{s=1}^{\infty} N_s u^s.$$
On the other hand,
$$u \frac{d}{du} \log Z(u) = u \frac{Z'(u)}{Z(u)} = u \left( \sum_{i=1}^{2g} \frac{-\omega_i}{1 - \omega_i u} + \frac{1}{1-u} + \frac{q}{1-qu} \right) = \sum_{s=1}^{\infty} \left( -\sum_{i=1}^{2g} (\omega_i)^s + 1 + q^s \right) u^s.$$
By comparing the two power series, we get
$$N_s = q^s + 1 - \sum_{i=1}^{2g} (\omega_i)^s$$
and so
$$\left| N_s - q^s - 1 \right| \le 2g\, q^{s/2}. \qquad (3)$$
We can now specialise to the projective curve $C$ arising from our exponential sum. It turns out that the curve is always absolutely irreducible when $r$ is odd and has genus $g = (r-1)/2$. Taking $q = 2^n$ and $s = 1$, the bound (3) tells us that $N = N_1$, the number of projective points on our curve, satisfies $|N - 2^n - 1| \le (r-1)\, q^{1/2}$. Comparing with the identity (2), we now obtain the bound of Result 1. These results have been generalised considerably to the situation where $C$ is replaced by any non-singular algebraic variety $V$. Dwork [12] showed that the analogous zeta function is rational while Deligne [8] finally proved Weil's conjectures concerning the analogue of the Riemann hypothesis for such varieties. These deep results have also been exploited by coding theorists. We will summarise this work briefly in the final section.

3.2 Hybrid Exponential Sums
We loosely define hybrid exponential sums to be exponential sums in which the summand is a product of a multiplicative and an additive character. Perhaps the simplest hybrid sums are the Gaussian sums:

Definition 1 Let $\chi$ be an additive character and $\psi$ a multiplicative character of $F_{2^n}$. Then the Gaussian sum $G(\chi, \psi)$ is defined by
$$G(\chi, \psi) = \sum_{x \in F_{2^n}^*} \chi(x)\psi(x).$$

The following result about Gaussian sums is basic; elementary proofs can be found in [32, Theorem 5.11] and [22, Proposition 8.2.2].

Result 2 Let $\chi$ be a non-trivial additive character and $\psi$ a non-trivial multiplicative character of $F_{2^n}$. Then
$$|G(\chi, \psi)| = 2^{n/2}.$$

Why should this result be surprising? The sum is of size $2^{n/2}$, only slightly bigger than the square root of the size of the domain over which the sum is taken. Moreover, the sum has exactly this absolute value for every pair of non-trivial characters. Hybrid exponential sums with polynomial arguments have also been considered; the following is a useful general purpose bound on such sums, again due to Weil [66].

Result 3 Let $\psi$ be a non-trivial multiplicative character of $F_{2^n}$ of order $d$ with $d \mid (2^n - 1)$. Let $\chi$ be a non-trivial additive character of $F_{2^n}$. Let $f(x) \in F_{2^n}[x]$ have $m$ distinct roots and $\phi(x) \in F_{2^n}[x]$ have degree $r$. Suppose that $\gcd(d, \deg f) = 1$ and that $r$ is odd. Then
$$\left| \sum_{x \in F_{2^n}} \chi(\phi(x))\psi(f(x)) \right| \le (m + r - 1)\, 2^{n/2}.$$
Here, the technical conditions on the polynomials $f$ and $\phi$ are needed to rule out various degenerate cases. They can be replaced by weaker conditions, see [54, Theorem 2G, p.45]. We emphasise again that the bound shows that the hybrid sums are much smaller than the size of the field over which the sum is taken.
4 Application: Minimum Distance of Dual BCH Codes

When $t = 1$, the code $C_t$ is called the simplex code. The minimum Hamming distance of this code is exceedingly simple to calculate. Recall that the code is linear, so we need to find the minimum Hamming weight of a non-zero codeword of $C_1$. Now a non-zero codeword $c$ has components of the form $tr^n_1(b\alpha^i)$ where $b \in F_{2^n}^*$ and $0 \le i < 2^n - 1$. As $i$ runs through the range $0, 1, \ldots, 2^n - 2$, so $\alpha^i$ runs over the whole of $F_{2^n}^*$, the non-zero elements of $F_{2^n}$. Consider the exponential sum (1):
$$0 = \sum_{x \in F_{2^n}} \chi_b(x) = 1 + \sum_{x \in F_{2^n}^*} (-1)^{tr^n_1(bx)} = 1 + \left|\{x \in F_{2^n}^* : tr^n_1(bx) = 0\}\right| - \left|\{x \in F_{2^n}^* : tr^n_1(bx) = 1\}\right| = 1 + (2^n - 1 - w_H(c)) - w_H(c) = 2^n - 2 w_H(c).$$
Here we have used the fact that the number of components in which $c$ equals 0 is just the code length less the Hamming weight of $c$. It follows from our last equality that $w_H(c) = 2^{n-1}$. So every non-zero codeword of $C_1$ has Hamming weight equal to $2^{n-1}$, and the minimum distance of the code is also $2^{n-1}$.

We can apply the same technique, and the Weil bound, to bound the minimum distance of the code $C_t$. Recall that a non-zero codeword $c_\phi$ of $C_t$ comes from a non-zero polynomial $\phi(x)$ with zero constant term and of odd degree at most $2t-1$. Reversing the steps in the previous calculation, we get:
$$2^n - 2 w_H(c_\phi) = \sum_{x \in F_{2^n}} (-1)^{tr^n_1(\phi(x))} = \sum_{x \in F_{2^n}} \chi_1(\phi(x)).$$
But this last sum is bounded in absolute value by $(2t-2)\, 2^{n/2}$ according to Result 1. We deduce that
$$2^{n-1} - (t-1)\, 2^{n/2} \le w_H(c_\phi) \le 2^{n-1} + (t-1)\, 2^{n/2} \qquad (4)$$
and the following theorem is now obvious:

Theorem 4. Suppose $1 \le 2t-1 \le 2^{\lceil n/2 \rceil} + 1$. Then the minimum Hamming distance of $C_t$ is at least $2^{n-1} - (t-1)\, 2^{n/2}$.

This bound can be improved in certain cases [38].
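As an added worked example (not code from the paper), the following Python computes the objects of Sections 2 to 4 for small $n$: arithmetic in $F_{2^n}$ from a primitive polynomial (assumed here: $x^5 + x^2 + 1$ and $x^6 + x + 1$, so $\alpha = x$ is primitive), the trace map, the character sum (1), the identity (2) between a Weil sum and the number of points on $y^2 + y = \phi(x)$, and the minimum distance of $C_t$ checked against Theorem 4.

```python
# Added example (not from the paper): F_{2^n} arithmetic, the trace map, the
# character sum (1), the curve identity (2) and the dual BCH codes C_t of
# Sections 2-4, all for small n.  Assumption: x^5 + x^2 + 1 and x^6 + x + 1 are
# the primitive polynomials used, so alpha = x is a primitive element.
from itertools import product


class GF2n:
    """F_{2^n}; an element is an n-bit integer whose bits are polynomial coefficients."""

    def __init__(self, n, poly):
        self.n, self.q = n, 1 << n
        self.exp = [0] * (2 * self.q)      # exp[i] = alpha^i (doubled so mul needs no modulo)
        self.log = [0] * self.q            # log[alpha^i] = i
        a = 1
        for i in range(self.q - 1):
            self.exp[i] = a
            self.log[a] = i
            a <<= 1                        # multiply by alpha = x ...
            if a & self.q:
                a ^= poly                  # ... and reduce modulo the primitive polynomial
        for i in range(self.q - 1, 2 * self.q):
            self.exp[i] = self.exp[i - (self.q - 1)]

    def mul(self, a, b):
        return 0 if a == 0 or b == 0 else self.exp[self.log[a] + self.log[b]]

    def power(self, a, e):
        return 0 if a == 0 else self.exp[(self.log[a] * e) % (self.q - 1)]

    def trace(self, x):
        """Absolute trace tr^n_1(x) = x + x^2 + x^4 + ... + x^{2^{n-1}}, always 0 or 1."""
        t, y = 0, x
        for _ in range(self.n):
            t ^= y
            y = self.mul(y, y)
        return t


def evaluate(F, phi, x):
    """phi(x) for phi = [phi_1, phi_3, ..., phi_{2t-1}], the odd-power coefficients
    of a polynomial in G_t (Section 2)."""
    acc = 0
    for i, c in enumerate(phi):
        acc ^= F.mul(c, F.power(x, 2 * i + 1))
    return acc


def character_sum(F, b):
    """sum_{x in F} chi_b(x) = sum (-1)^{tr(bx)}; equation (1) says this is 0 for b != 0."""
    return sum((-1) ** F.trace(F.mul(b, x)) for x in range(F.q))


def weil_sum(F, phi):
    """The Weil sum sum_{x in F} chi_1(phi(x)) of Section 3."""
    return sum((-1) ** F.trace(evaluate(F, phi, x)) for x in range(F.q))


def affine_points(F, phi):
    """|C| = #{(x, y) in F^2 : y^2 + y = phi(x)}; identity (2) gives weil_sum = |C| - 2^n."""
    return sum(1 for x in range(F.q) for y in range(F.q)
               if F.mul(y, y) ^ y == evaluate(F, phi, x))


def codeword(F, phi):
    """c_phi = (tr(phi(1)), tr(phi(alpha)), ..., tr(phi(alpha^{2^n-2}))), length 2^n - 1."""
    return [F.trace(evaluate(F, phi, F.exp[i])) for i in range(F.q - 1)]


def min_distance(F, t):
    """Minimum distance of the linear code C_t = minimum weight over its 2^{nt} - 1
    non-zero words, found by brute force (fine for n <= 6, t <= 2)."""
    return min(sum(codeword(F, phi))
               for phi in product(range(F.q), repeat=t) if any(phi))


def weil_lower_bound(n, t):
    """Theorem 4: d(C_t) >= 2^{n-1} - (t - 1) 2^{n/2}."""
    return 2 ** (n - 1) - (t - 1) * 2 ** (n / 2)


if __name__ == "__main__":
    F = GF2n(5, 0b100101)                       # F_32 built from x^5 + x^2 + 1
    print("sum of chi_b for b = 0 and b = 3:", character_sum(F, 0), character_sum(F, 3))
    phi = [1, 5]                                 # phi(x) = x + 5 x^3, degree r = 3
    print("Weil sum:", weil_sum(F, phi), " |C| - 2^n:", affine_points(F, phi) - F.q)
    for t in (1, 2):
        print(f"t={t}: d(C_t) = {min_distance(F, t)} >= {weil_lower_bound(5, t):.2f}")
```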
5 Application: Sequence Sets with Low Periodic Correlations

The correlation properties of sets of binary sequences are important in Code-Division Multiple-Access (CDMA) spread-spectrum communications as well as in ranging and synchronisation applications. We begin in this section by defining the periodic correlation functions for sequences and then stating a basic sequence design problem. This is motivated by a simplified description of how sequences with favourable correlation properties are used in CDMA communications. Then we define a class of sequences, the m-sequences, and look at their correlation properties. Finally, we show how exponential sums can be used to bound the correlations of some sets of sequences obtained from m-sequences and the dual BCH codes.

5.1 Periodic Correlation Functions

Let $u = u_0, u_1, u_2, \ldots$ and $v = v_0, v_1, v_2, \ldots$ be two complex-valued sequences of period $N$ (by which we mean $u_{i+N} = u_i$ and $v_{i+N} = v_i$ for all $i \ge 0$). We define the periodic cross-correlation of $u$ and $v$ at a relative shift $\tau$, $0 \le \tau < N$, to be:
$$CC(u, v)(\tau) = \sum_{i=0}^{N-1} u_i \overline{v_{i+\tau}}$$
and call $CC(u, v)(\tau)$ the periodic cross-correlation function of $u$ and $v$. This function is a measure of the similarity of the sequences $u$ and $v$ at various shifts. We also define the periodic auto-correlation of $u$ at a shift $\tau$, $0 \le \tau < N$, to be:
$$AC(u)(\tau) = CC(u, u)(\tau).$$
The periodic auto-correlation is a measure of the self-similarity of the sequence $u$ when compared to shifts of itself. The auto-correlation of $u$ at shift 0, $AC(u)(0) = \sum_{i=0}^{N-1} |u_i|^2$, is in many applications a measure of the energy in the transmitted signal corresponding to sequence $u$. The auto-correlations of $u$ at non-zero shifts are usually called non-trivial auto-correlations.
5.2 A Simplified Model for CDMA Communications

We next discuss a simplified model for CDMA communications. In our model, we have $K$ users, all transmitting data simultaneously and without coordination or synchronisation on the same channel. The transmitted signal is the sum of users' individual signals, and is corrupted by noise. The users are transmitting to a single receiver, whose job it is to take the received signal and process it to obtain individual user's data. Each user is assigned a spreading code, which in our model is just a complex-valued sequence of period $N$. User $j$ is assigned the sequence $u^j = u^j_0, u^j_1, u^j_2, \ldots$. To send a data bit $a_j \in \{0, 1\}$, user $j$ actually transmits the sequence $(-1)^{a_j} u^j$, i.e. the sequence of bits: $(-1)^{a_j} u^j_0, (-1)^{a_j} u^j_1, (-1)^{a_j} u^j_2, \ldots$. In other words, he transmits a $\{+1, -1\}$-version of his data bit spread by his sequence $u^j$. The received signal can be modelled by a sequence $s = s_0, s_1, s_2, \ldots$ where
$$s_i = \sum_{j=0}^{K-1} (-1)^{a_j} u^j_{i+\tau_j}.$$
Here $\tau_j$ is the delay of user $j$ relative to the receiver. Because the users are transmitting in an uncoordinated fashion, these delays are unknown to the receiver. We have also assumed an ideal situation where the transmission channel is noiseless. Now suppose the receiver wishes to estimate the data bit $a_\ell$ for user $\ell$. The receiver calculates, for each $\tau$ with $0 \le \tau < N$, the function $CC(s, u^\ell)(\tau)$. Notice that:
$$CC(s, u^\ell)(\tau) = \sum_{i=0}^{N-1} \sum_{j=0}^{K-1} (-1)^{a_j} u^j_{i+\tau_j} \overline{u^\ell_{i+\tau}} = \sum_{j=0}^{K-1} (-1)^{a_j} \sum_{i=0}^{N-1} u^j_{i+\tau_j} \overline{u^\ell_{i+\tau}} = (-1)^{a_\ell} AC(u^\ell)(\tau - \tau_\ell) + \sum_{j \ne \ell} (-1)^{a_j} CC(u^j, u^\ell)(\tau - \tau_j).$$
Now suppose that all the non-trivial autocorrelations and all the cross-correlations of the sequences $u^j$ are small. In other words, we assume that for every $\ell$ and $\tau \ne 0$, $AC(u^\ell)(\tau)$ is small and that for every $j \ne \ell$ and every $\tau$, $CC(u^j, u^\ell)(\tau)$ is small. Then when $\tau = \tau_\ell$, the expression above for $CC(s, u^\ell)(\tau)$ has a first term $(-1)^{a_\ell} AC(u^\ell)(0)$ whose sign reveals $a_\ell$, and whose relatively large magnitude dominates the remaining correlation terms. When $\tau \ne \tau_\ell$ then all the terms are small. Thus the receiver, after calculating $CC(s, u^\ell)(\tau)$ for each $\tau$, should focus on the largest resulting correlation value to estimate the delay $\tau_\ell$ and use the sign of this value to estimate the data bit $a_\ell$. Clearly, the success of this approach to transmitting information crucially depends on the term $(-1)^{a_\ell} AC(u^\ell)(0)$ not being swamped by the other correlations. In other communications applications, for example, in synchronisation, single sequences with small non-trivial auto-correlations are called for. Thus we are motivated to consider the following basic sequence design problem: For a set $U$ containing $K$ complex-valued sequences of period $N$, define
$$AC_{\max}(U) = \max_{u \in U,\ 1 \le \tau < N} |AC(u)(\tau)|$$

$D(M)$ if and only if $G(M, Q_{\tau+2})$ $- 2)$ be an integer. $< 0$.
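The CDMA exchange of Section 5.2 run end to end, as an added example that is not code from the paper: the spreading codes are $\{+1,-1\}$-versions of an LFSR m-sequence $u$, its decimation $v_i = u_{3i}$ and sums $u + $ shift$(v)$, i.e. codewords of the dual BCH code $C_2$ of Section 2 (assumed here to be the kind of low-correlation set the section has in mind); the delays and data bits are constructed, and the receiver recovers each user's $\tau_\ell$ and $a_\ell$ from the largest $|CC(s,u^\ell)(\tau)|$ exactly as the text prescribes.

```python
# Added example (not from the paper): the simplified CDMA model of Section 5.2
# with constructed inputs.  Spreading codes: an LFSR m-sequence u, its decimation
# v_i = u_{3i}, and u + shift^c(v), all as +1/-1 sequences (codewords of C_2 of
# Section 2; assumption: this is the kind of sequence set the section analyses).
N = 127                                  # period 2^7 - 1


def m_sequence(length=N):
    """Bits s_{i+7} = s_{i+1} + s_i (mod 2): the LFSR of x^7 + x + 1, which is
    primitive, so any non-zero start state gives period 127."""
    s = [1, 0, 0, 0, 0, 0, 0]
    while len(s) < length:
        s.append(s[-7] ^ s[-6])
    return s[:length]


def pm1(bits):
    """Map a 0/1 sequence to the +1/-1 sequence used on the channel."""
    return [1 - 2 * b for b in bits]


def cc(u, v, tau):
    """Periodic cross-correlation CC(u,v)(tau) = sum_i u_i v_{i+tau} (real-valued
    sequences, so no conjugate is needed); AC(u)(tau) is cc(u, u, tau)."""
    n = len(u)
    return sum(u[i] * v[(i + tau) % n] for i in range(n))


def spreading_codes(K):
    """K spreading codes of period N: u, v and u + shift^c(v) for c = 0, 1, ..."""
    u = m_sequence()
    v = [u[(3 * i) % N] for i in range(N)]             # decimation of u by 3
    codes = [u, v] + [[u[i] ^ v[(i + c) % N] for i in range(N)] for c in range(K - 2)]
    return [pm1(c) for c in codes[:K]]


def max_offpeak(codes):
    """Largest |AC(u)(tau)| with tau != 0, or |CC(u,v)(tau)| with u != v, in the set."""
    worst = 0
    for a, u in enumerate(codes):
        for b, v in enumerate(codes):
            for tau in range(N):
                if a != b or tau != 0:
                    worst = max(worst, abs(cc(u, v, tau)))
    return worst


def transmit(codes, bits, delays):
    """Noiseless received signal s_i = sum_j (-1)^{a_j} u^j_{i + tau_j}."""
    return [sum((1 - 2 * a) * u[(i + d) % N] for u, a, d in zip(codes, bits, delays))
            for i in range(N)]


def receive(s, codes):
    """For each user l, the shift maximising |CC(s,u^l)(tau)| estimates tau_l and
    the sign of that correlation gives a_l (+ -> 0, - -> 1).  Returns (tau_l, a_l)."""
    estimates = []
    for u in codes:
        vals = [cc(s, u, tau) for tau in range(N)]
        tau = max(range(N), key=lambda t: abs(vals[t]))
        estimates.append((tau, 0 if vals[tau] > 0 else 1))
    return estimates


if __name__ == "__main__":
    codes = spreading_codes(3)
    print("peak AC(u)(0) =", cc(codes[0], codes[0], 0), " worst off-peak =", max_offpeak(codes))
    bits, delays = [1, 0, 1], [5, 40, 99]               # constructed data and delays
    print("recovered (delay, bit) per user:", receive(transmit(codes, bits, delays), codes))
```

With three users the worst off-peak correlation is at most 17 while the wanted term has magnitude 127, so the peak can never be swamped.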
Theorem 2.5. [11] Let $M$ be an antipodal PMS. Then, any $B_M$-extremal polynomial of degree $\tau + 3$ ($\tau = 2k + \varepsilon$) has the form
$$f^{(\tau)}(z; \tau+3) = (1+z)^{\varepsilon}\,[q(z+1) + (1-z)]\,[\gamma_1 Q^1_{k-1}(z) + \gamma_2 Q^1_k(z) + Q^1_{k+1}(z)]^2$$
where $q$, $\gamma_1$ and $\gamma_2$ are suitable constants.

Corollary 2.6 [11] Let $M$ be an antipodal PMS and let $B(M)$ be an integer. Then
$$S(M) = \Omega(f^{(\tau)}(z; \tau+3)).$$

Let us consider the Hamming space $M = H^n_v$ ($n, v = 2, 3, \ldots$). The orthogonal arrays are commonly denoted by $OA_\tau(n, v)$ and their cardinality satisfies $|C| = v^{\tau}$. The ZSF for the Hamming space are the Krawtchouk polynomials $K^{n,v}_k(z)$.
30
Svetla Nikova and Ventsislav Nikov
A stronger version of Theorem 2.1 is the following:

Theorem 2.7. [5] Let $C \subset M$ be a $d$-code (resp. $\tau$-design) and let $f(z) = \sum_{i=0}^{n} f_i K_i^{n,v}(z)$ be a real non-zero polynomial such that
(C1) $f(0) > 0$, $f(i) \le 0$ for $i = d,\dots,n$ (resp. (D1) $f(0) > 0$, $f(i) \ge 0$ for $i = 1,2,\dots,n$);
(C2) $f_0 > 0$, $f_i \ge 0$ for $i = 1,\dots,n$ (resp. (D2) $f_0 > 0$, $f_i \le 0$ for $i = \tau+1,\dots,n$).
Then $|C| \le \Omega(f)$ (resp. $|C| \ge \Omega(f)$), where $\Omega(f) = f(0)/f_0$.

Let us denote by $A_v(n,d) = \min \Omega(f)$ for polynomials $f$ satisfying the conditions (C1), (C2); $B_v(n,\tau) = \max \Omega(f)$ for polynomials $f$ satisfying the conditions (D1), (D2); and $B'_v(n,\tau) = \max \Omega(f)$ for polynomials $f$ satisfying the conditions (D1), (D2) and $\deg f \le \tau$.

Theorem 2.8. [2,5] For any integers $n$, $d$, $v$ ($1 \le d \le n+1$, $v \ge 2$),
$$A_v(n,d)\,B_v(n,d-1) = v^n. \qquad (2)$$
Here we will present well known pairs of universal bounds, i.e. inequalities which are valid for all codes $C \subset H_v^n$. The first pair is the Singleton bound [15] for a code $C \subset H_v^n$:
$$v^{\tau} \le |C| \le v^{\,n-d+1},$$
where either of the bounds is attained if and only if $d + d' = n+2$ ($d' - 1 = \tau$). The second pair of bounds is formed by the Rao and Hamming bounds [15] for a code $C \subset H_v^n$:
$$D(H_v^n,\tau) \le |C| \le \frac{v^n}{D(H_v^n, d-1)}. \qquad (3)$$
Codes whose cardinality is equal to the left-hand side or the right-hand side of (3) are called tight designs and perfect codes, respectively. The third pair of universal bounds for any code $C \subset H_v^n$ is the Levenshtein bound [5]:
$$\frac{v^n}{L(H_v^n,\tau+1)} \le |C| \le L(H_v^n, d).$$
The first two pairs of bounds are obtained by means of combinatorial methods, but all of them can be obtained using Theorem 2.1 or Theorem 2.7. Applying Theorem 2.8 to our bound we have:

Theorem 2.9. [12] For any code $C \subset H_v^n$,
$$S(H_v^n,\tau) \le |C| \le \frac{v^n}{S(H_v^n, d-1)}. \qquad (4)$$
Some Applications of Bounds for Designs to the Cryptography
31
In the Johnson space $X = J_w^n$ ($n = 2, 3, \dots$; $w = 1, \dots, \lfloor n/2 \rfloor$) designs are the classical $t$-$(v,k,\lambda)$ designs and codes are called constant weight codes. The ZSF are the Hahn polynomials $J_k^{n,w}(z)$. For $J_w^n$ an analog of Theorem 2.7 is also valid and several pairs of bounds are known.

Theorem 2.10. [12] For any design $C \subset J_w^n$,
$$S(J_w^n,\tau) \le |C|. \qquad (5)$$

3
Resilient and Correlation-Immune Functions
In [14] Stinson gave the connection between correlation-immune functions, resilient functions and orthogonal arrays.

Theorem 3.1. [1] A function $f: Z_v^n \to Z_w$ is correlation-immune of order $t$ if and only if $Z_v^n$ is partitioned into $w$ orthogonal arrays $OA_\lambda(t,n,v)$.

Theorem 3.2. [1] A function $f: Z_v^n \to Z_v^T$ is resilient of order $t$ if and only if $Z_v^n$ is partitioned into $v^T$ orthogonal arrays $OA_{v^{n-T-t}}(t,n,v)$.

Note that in the first theorem the indices $\lambda$ need not be identical. A large set of orthogonal arrays $LOA_\lambda(t,n,v)$ is a set of $v^{n-t}/\lambda$ simple arrays $OA_\lambda(t,n,v)$ that all have the same value of $\lambda$ and partition $Z_v^n$.

Corollary 3.3. [1] There exists a function $f: Z_v^n \to Z_v^T$ that is resilient of order $t$ if and only if there exists an $LOA_{v^{n-T-t}}(t,n,v)$.

Necessary conditions for the existence of a correlation-immune function of order $t$ and for the existence of an $(n,T,t)$-resilient function are as follows:
$$\frac{v^n}{w} \ge B_v(n,t) = \frac{v^n}{A_v(n,t+1)}, \qquad \log_v\big(B_v(n,t)\big) \le n - T. \qquad (6)$$

One is concerned with developing upper bounds for the optimum value of $t$ for a given $n$ and $T$. It is easy to see that $n \ge T + t$ and so the trivial upper bound is $t \le n - T$. If we substitute the Delsarte bound instead of $B_v(n,t)$ we obtain another upper bound for $t$ [1]. The upper bounds based on the Delsarte (Rao) bound for orthogonal arrays are stronger than the ones obtained using the trivial bound. We can improve this bound using our previous result in Theorem 2.9.

Theorem 3.4. Suppose there exists a correlation-immune function of order $t$. Then $\dfrac{v^n}{w} \ge S(H_v^n,t)$.

Theorem 3.5. Suppose there exists an $(n,T,t)$-resilient function. Then $\log_v\big(S(H_v^n,t)\big) \le n - T$.
However, we can often do better by using Delsarte's linear programming bound. Let $W(n,t)$ be the optimal solution to the linear programming problem of Theorem 2.7. In view of equation (6), this implies that $\log_v(W(n,t)+1) \le n - T$. For large values of $t$, the orthogonal array bounds obtained by the linear programming technique are usually much better than the Delsarte (Rao) bound and our new bound $S(H_v^n,t)$. The disadvantage of this method is that one needs to solve a different linear program for every parameter situation. Thus it is of interest to derive explicit bounds as corollaries of the linear programming bound. In the cases $v = 2$, $t+1 < n < 2t+2$ and $v = 2$, $t+1 < n < 2t+3$ the most important bounds are as follows:

Theorem 3.6. [1,4] Suppose there exists an $(n,T,t)$-resilient function and $v = 2$. Then
T −2 2T −1 n t 2 2 2T(n+1) −1 t −1 2T −1 − 1
4

Designs in Product Association Schemes. Maximum Independent Resilient System of Functions

Let $(P,\le)$ be a partially ordered set (poset). If there exist constants $\lambda_0,\dots,\lambda_t$ such that, for $0 \le i \le t$ and every $x \in P$ of rank $i$, $|\{y \in D : x \le y\}| = \lambda_i$, then the set $D \subset P$ is called a poset $t$-design in $(P,\le)$. For $1 \le i \le m$, let $(Y_i,\mathcal A_i)$ be a $d_i$-class association scheme with adjacency matrices $A_{i,0},\dots,A_{i,d_i}$. The direct product of these schemes is the association scheme $(X,\mathcal A) = (Y_1,\mathcal A_1)\otimes\cdots\otimes(Y_m,\mathcal A_m)$ defined by $X = Y_1\times\cdots\times Y_m$ and $\mathcal A = \{\bigotimes_{i=1}^m M_i : M_i \in \mathcal A_i\}$, where $\bigotimes_{i=1}^m M_i$ is the $m$-fold Kronecker product of matrices. Assume that each component scheme $(Y_i,\mathcal A_i)$ has an attached Q-poset $(P_i,\le)$. Consider the Delsarte $T$-designs in $(Y,\mathcal A)$ as poset designs in the product poset $P$, where $T$ is any downset in the product of chains $\mathcal C$ with the element $0$ removed. Let $(X,\mathcal A)$ be the product of Q-polynomial association schemes $(Y_i,\mathcal A_i)$ ($1 \le i \le m$). Each matrix $M \in \mathbb A$ may be expanded in the form $M = v\sum_{j\in\mathcal C}\beta_j E_j$. If we change the bases, we have $M = \sum_{i\in\mathcal C}\alpha_i A_i$, where $\alpha_i = \sum_{j\in\mathcal C}\beta_j Q_j(i)$ ($i \in \mathcal C$). For $j \in \mathcal C$, let $f_j = \operatorname{rank} E_j$.

Theorem 4.1. [9] Let $(X,\mathcal A)$ be the product of Q-polynomial association schemes $(Y_i,\mathcal A_i)$ ($1 \le i \le m$). Let $T$ be a downset in $\mathcal C$ and let $D \subset X$ be a Delsarte $T$-design. Consider the matrices $M$ satisfying the conditions (i) $M$ is a non-negative matrix; (ii) $\beta_j \le 0$ for $j \notin T$; (iii) $\beta_0 = 1$. Then the lower bound on the size of a $T$-design is $|D| \ge \alpha_0$.

Theorem 4.2. (Delsarte bound) [9] Let $(X,\mathcal A)$ be the product of Q-polynomial association schemes $(Y_i,\mathcal A_i)$ ($1 \le i \le m$). Let $T$ be a downset in $\mathcal C$ and let $D \subset X$ be a Delsarte $T$-design. If $E \subset \mathcal C$ satisfies $(E+E)\cap\mathcal C \subseteq T$, then $|D| \ge \sum_{j\in E} f_j$.
Here are some examples from [9]. Mixed-level orthogonal arrays $OA(M, q_1^{n_1}\cdots q_m^{n_m}, t)$ of strength $t$ are studied by Sloane and Stufken in [13]. This object is equivalent to the Delsarte $T$-design in the scheme $H(n_1,q_1)\otimes\cdots\otimes H(n_m,q_m)$, where $T = \{j : |j| \le t\}$. A mixed $t$-design [8] lives in the product of Johnson schemes $J(v_1,k_1)\otimes J(v_2,k_2)$ and is the Delsarte $T$-design for $T = \{(i_1,i_2) : i_1 + i_2 \le t\}$. A fused orthogonal array design of strength $t$ can be considered in a product scheme of the form $H(n,q)\otimes J(v,k)$. Split orthogonal arrays $SOA_\lambda(t,n;T,N;v)$ were introduced by Levenshtein [6]. The cardinality of an $SOA_\lambda(t,n;T,N;v)$ is $\lambda v^{t+T}$. Given $q, n, N, t, T$ we wish to find an $M \times (n+N)$ array with entries in $Z_q = \{0,\dots,q-1\}$ such that, upon choosing any $t$ columns from among the first $n$ columns and any $T$ columns from among the last $N$ columns, all $(t+T)$-tuples over the alphabet $Z_q$ occur equally often. This is equivalent to a $T$-design in the product scheme $H(n_1,q)\otimes H(n_2,q)$ where $T = \{(i_1,i_2) : 0 \le i_1 \le t_1,\ 0 \le i_2 \le t_2\}$. For such objects the Delsarte linear programming bound is equivalent to the following: let $f(z) = 1 + \sum_{i=1}^{n} f_i K_i^{n,v}(z)$ and $g(z) = 1 + \sum_{j=1}^{N} g_j K_j^{N,v}(z)$ be polynomials satisfying the condition (D1) with $f_i \le 0$ for $i \ge t+1$ and $g_j \le 0$ for $j \ge T+1$; then $|D| \ge f(0)\,g(0)$.

Theorem 4.3. [6] If $D$ is a split orthogonal array then
$$|D| \ge \max\big(B_v(n,t)\,B'_v(N,T),\; B'_v(n,t)\,B_v(N,T)\big).$$

Hence we have the following bound: $|D| \ge D(H_v^n,t)\,D(H_v^N,T)$. Using again Theorem 2.9 we obtain the next statement.

Theorem 4.4. If $D$ is a split orthogonal array then
$$|D| \ge \max\big(S(H_v^n,t)\,D(H_v^N,T),\; D(H_v^n,t)\,S(H_v^N,T)\big).$$

A system of $N$ functions in $n$ variables over $Z_v$ is called $T$-wise independent $t$-resilient if any subset of $T$ functions of the system forms a $t$-resilient system. Our goal is to find the maximum number $N$ such that there exists a $T$-wise independent $t$-resilient system. The connection between these cryptographic objects and orthogonal arrays was studied by Levenshtein in [6].

Theorem 4.5. [6] The existence of a $T$-wise independent $t$-resilient system is equivalent to that of a split orthogonal array $SOA_\lambda(t,n;T,N;v)$ with $\lambda = v^{n-t-T}$.

Corollary 4.6. We derive the inequality
$$v^n \ge \max\big(S(H_v^n,t)\,D(H_v^N,T),\; D(H_v^n,t)\,S(H_v^N,T)\big).$$

Summarizing the results, our bounds (Theorems 3.4, 3.5, 4.4 and Corollary 4.6) give a necessary condition for the existence of the above considered cryptographic objects.
References

1. J. Bierbrauer, K. Gopalakrishnan, D.R. Stinson, Orthogonal arrays, resilient functions, error correcting codes and linear programming bounds, SIAM J. Discrete Math. 9, 1996, 424-452.
2. J. Bierbrauer, K. Gopalakrishnan, D.R. Stinson, A note on the duality of linear programming bounds for orthogonal arrays and codes, Bulletin of the ICA 22, 1998, 17-24.
3. P. Delsarte, An Algebraic Approach to Association Schemes in Coding Theory, Philips Research Reports Suppl. 10, 1973.
4. J. Friedman, On the bit extraction problem, Proc. 33rd IEEE Symp. on Foundations of Computer Science, 1992, 314-319.
5. V.I. Levenshtein, Krawtchouk polynomials and universal bounds for codes and designs in Hamming spaces, IEEE Trans. Inf. Theory 41, 5, 1995, 1303-1321.
6. V.I. Levenshtein, Split orthogonal arrays and maximum independent resilient systems of functions, Designs, Codes and Cryptography 12, 1997, 131-160.
7. V.I. Levenshtein, Universal bounds for codes and designs, Chapter 6 in Handbook of Coding Theory, V. Pless and W.C. Huffman (eds.), Elsevier Science B.V., 1998, 449-648.
8. W.J. Martin, Mixed block designs, J. Combin. Designs 6, 2, 1998, 151-163.
9. W.J. Martin, Designs in product association schemes, Designs, Codes and Cryptography 16, 3, 1999, 271-289.
10. S.I. Nikova, Bounds for designs in infinite polynomial metric spaces, Ph.D. Thesis, Eindhoven University of Technology, 1998.
11. S.I. Nikova, V.S. Nikov, Improvement of the Delsarte bound for τ-designs when it is not the best bound possible, submitted to Designs, Codes and Cryptography.
12. S.I. Nikova, V.S. Nikov, Improvement of the Delsarte bound for τ-designs in finite polynomial metric spaces, to be published.
13. N.J.A. Sloane, J. Stufken, A linear programming bound for orthogonal arrays with mixed levels, J. Stat. Plan. Inf. 56, 1996, 295-306.
14. D.R. Stinson, Resilient functions and large sets of orthogonal arrays, Congressus Numer. 92, 1993, 105-110.
15. F.J. MacWilliams, N.J.A. Sloane, The Theory of Error-Correcting Codes, North Holland, Amsterdam, 1977.
Further Results on the Relation Between Nonlinearity and Resiliency for Boolean Functions

Enes Pasalic and Thomas Johansson
Dept. of Information Technology, Lund University, P.O. Box 118, 221 00 Lund, Sweden
{thomas, enes}@it.lth.se

Abstract. A good design of a Boolean function used in a stream cipher requires that the function satisfies certain criteria in order to resist different attacks. In this paper we study the tradeoff between two such criteria, the nonlinearity and the resiliency. The results are twofold. Firstly, we establish the maximum nonlinearity for a fixed resiliency in certain cases. Secondly, we present a simple search algorithm for finding Boolean functions with good nonlinearity and some fixed resiliency.
1
Introduction
A Boolean function used in a stream cipher is required to satisfy certain criteria in order to resist different attacks. Here we study the tradeoff between two such criteria, the nonlinearity and the resiliency of the Boolean function. The resiliency is defined as the number of arbitrary input variables to the function that can be kept fixed without making the output unbalanced, when running through all the other input variables. This criterion is directly related to the class of correlation attacks [9,13]. The nonlinearity of a Boolean function is defined as the Hamming distance to the nearest affine function when we run through all the input variables. It has many times been pointed out [10,4] that using a Boolean function close to an affine function is probably not a good choice, although no direct attack related to this criterion is known to the authors. The results in this paper are twofold. Firstly, for a Boolean function in $n$ variables, we establish the maximum nonlinearity for a fixed resiliency in certain cases. We use linear programming as well as algebraic proofs. Interesting results that can be mentioned are that the maximum nonlinearity for a 1-resilient function on $n = 6$ variables is 24 (whereas it is known to be 26 for a balanced function and 28 for unbalanced functions (bent functions)). It is also shown that the maximum nonlinearity for an $(n-3)$-resilient function on $n$ variables is $2^{n-2}$. These results relate to the algebraic construction in [2], which provides optimal constructions for these cases. Motivated by the fact that designers may avoid algebraic constructions due to the possibility of a (very) weak property, we consider in the second part of the paper random generation of a Boolean function with good properties. We

M. Walker (Ed.): IMA - Crypto & Coding '99, LNCS 1746, pp. 35-44, 1999. © Springer-Verlag Berlin Heidelberg 1999
36
Enes Pasalic and Thomas Johansson
present a simple search algorithm for finding Boolean functions with good nonlinearity and some fixed form of resiliency. Such search algorithms have previously been considered in [11,12]. Compared with the algorithm in [11], the proposed algorithm could find better functions (higher nonlinearity) in certain cases.

This paper is organized as follows. Section 2 provides basic definitions and briefly discusses the current knowledge regarding the nonlinearity of Boolean functions. The results from an algebraic construction [2] are reviewed, since many important observations follow from it. In Section 3 we establish, in certain cases, the maximum nonlinearity that can be obtained for a fixed resiliency using e.g. linear programming methods. Section 4 describes a simple search algorithm for finding highly nonlinear balanced Boolean functions and first order resilient functions. Results and a comparison with the genetic algorithm [11] are presented. Section 5 is a brief conclusion.
2
Preliminaries
Although we will only study the properties of Boolean functions, it can be beneficial to consider their application in the nonlinear combining generator, which is a classic technique for utilizing linear feedback shift registers (LFSRs) in the construction of stream ciphers [10]. Here, the Boolean function $f(x): F_2^n \to F_2$ takes as input the output sequences of $n$ LFSRs. The function $f(x)$ can be written in algebraic normal form (ANF), i.e.,
$$f(x_1,\dots,x_n) = a_0 + a_1x_1 + \cdots + a_nx_n + a_{12}x_1x_2 + a_{13}x_1x_3 + \cdots + a_{12\cdots n}\,x_1x_2\cdots x_n, \qquad (1)$$
where addition and multiplication are in $F_2$. The truth table of the function $f(x)$, denoted in this paper by $f$, is a vector of $2^n$ bits representing the output of the function for each input, i.e., $f = [f_0\ f_1 \cdots f_{2^n-1}]^T$, where $f_i \in F_2$. The algebraic degree of $f(x)$, denoted $\deg(f)$, is defined to be the maximum degree appearing in the ANF. As mentioned, a Boolean function $f(x)$ must fulfill certain properties in order to increase the time/space complexity of different attacks. Common attacks are the Siegenthaler correlation attack [13] and the Berlekamp-Massey linearity synthesis attack [10]. There are at least four main criteria that $f(x)$ should fulfill. These are: balancedness, high nonlinearity, high algebraic degree, and some correlation immunity. The definition of some of these criteria can be derived from the Walsh-Hadamard transform, which is a very convenient way to study the cryptographic properties of Boolean functions. The Walsh-Hadamard transform of a Boolean function $f(x)$ is defined to be the real-valued function $F(\omega)$ over the vector space $F_2^n$ given by
$$F(\omega) = \sum_{x} f(x)\,(-1)^{\omega\cdot x}, \qquad (2)$$
Further Results on the Relation Between Nonlinearity and Resiliency
37
where the dot product of the vectors $x$ and $\omega$ is defined as $x\cdot\omega = x_1\omega_1 + \cdots + x_n\omega_n$. In matrix form the Walsh-Hadamard coefficients of the function can be expressed as
$$F = A\,f, \qquad (3)$$
where $F$ is a column vector of Walsh-Hadamard coefficients, and $A$ is a $2^n \times 2^n$ matrix of $\pm 1$ corresponding to the terms $(-1)^{\omega\cdot x}$ in the Walsh-Hadamard transform for every possible choice of $x$ and $\omega$ (a Hadamard matrix). We say that the Boolean function $f(x)$ is balanced if $P(f(x) = 1) = P(f(x) = 0) = 0.5$. Alternatively, using the Walsh-Hadamard transform, the Boolean function $f(x)$ is balanced iff $F(0) = 2^{n-1}$. We define the nonlinearity of a Boolean function $f(x)$, denoted by $N_f$, as the Hamming distance to the nearest affine function, i.e., $N_f = \min_{g\in A_n} d_H(f,g)$. Here $f$ and $g$ are the truth tables of $f(x)$ and $g(x)$, $A_n$ is the set of affine functions on $n$ variables and $d_H(f,g)$ is the Hamming distance between the two vectors $f$ and $g$, i.e., the number of positions where $f$ and $g$ differ. Alternatively, the nonlinearity of $f(x)$ can be obtained as
$$N_f = 2^{n-1} - \max_{\omega \neq 0}|F(\omega)|. \qquad (4)$$
This means that the nonlinearity is determined by the largest absolute value in the transform vector $F$. Let $\mathcal F_n$ be the set of all Boolean functions in $n$ variables. The maximal nonlinearity that is possible for a Boolean function $f(x) \in \mathcal F_n$ in $n$ variables is denoted by $NL(\mathcal F_n)$. The current knowledge about $NL(\mathcal F_n)$ is summarized below.

$n$ even: $NL(\mathcal F_n) = 2^{n-1} - 2^{n/2-1}$ and this nonlinearity is obtained by bent functions. We note however that bent functions are not balanced.
$n$ odd: $NL(\mathcal F_n)$ is known when $n = 3, 5, 7$. For $n \ge 9$ the exact value of $NL(\mathcal F_n)$ is not known [6].

Note that if we restrict ourselves to balanced Boolean functions, the maximal nonlinearity will decrease when $n$ is even. For $n = 6$ it is known to be 26, for $n = 8$ it is known to be either 116 or 118, etc. [11].

Finally, the Boolean function $f(x_1,\dots,x_n)$ is said to be $m$-th order correlation immune ($m$-CI) if for any $m$-tuple of independent identically distributed binary random variables $X_{i_1},\dots,X_{i_m}$ it holds that
$$I(X_{i_1},X_{i_2},\dots,X_{i_m};Z) = 0, \qquad 1 \le i_1 < i_2 < \cdots < i_m \le n,$$
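An added example, not code from either paper, that computes for a constructed Boolean function the Walsh-Hadamard transform in the form of eq. (2), balancedness, the nonlinearity of eq. (4) and the correlation-immunity and resiliency order, and cross-checks the latter against Theorem 3.1 of the preceding paper (Nikova and Nikov, after Stinson): the fibres $f^{-1}(0)$ and $f^{-1}(1)$ must be orthogonal arrays of strength $t$. It also applies the Rao bound for orthogonal arrays as the upper bound on $t$ that the same paper mentions after eq. (6). The sample functions $x_1x_2+x_3x_4+x_5+x_6$ (1-resilient with nonlinearity 24, the $n = 6$ case quoted in the introduction above) and $x_1x_2+x_3+x_4+x_5$ ($(n-3)$-resilient with nonlinearity $2^{n-2}$) are constructed here; the truth-table bit ordering (bit $i$ of the index is $x_{i+1}$) is an assumption of this example.

```python
# Added example (not from either paper): Walsh-Hadamard based criteria for a
# Boolean function, the orthogonal-array characterization of correlation immunity,
# and the Rao bound as an upper bound on the resiliency order.
from itertools import combinations
from math import comb


def truth_table(func, n):
    """Truth table f = [f_0, ..., f_{2^n - 1}]; bit i of the index x is the variable x_{i+1}."""
    return [func(*[(x >> i) & 1 for i in range(n)]) for x in range(2 ** n)]


def walsh_hadamard(f):
    """F(w) = sum_x f(x) (-1)^{w.x}  (eq. (2) in the text), by the in-place butterfly."""
    F = list(f)
    h = 1
    while h < len(F):
        for i in range(0, len(F), 2 * h):
            for j in range(i, i + h):
                u, v = F[j], F[j + h]
                F[j], F[j + h] = u + v, u - v
        h *= 2
    return F


def is_balanced(f):
    """Balanced iff F(0) = 2^{n-1}: the weight of f is half the table."""
    return walsh_hadamard(f)[0] == len(f) // 2


def nonlinearity(f):
    """N_f = 2^{n-1} - max_{w != 0} |F(w)|  (eq. (4) in the text)."""
    F = walsh_hadamard(f)
    return len(f) // 2 - max(abs(v) for v in F[1:])


def ci_order(f):
    """Largest m such that F(w) = 0 for every w with 1 <= wt(w) <= m (Xiao-Massey)."""
    F = walsh_hadamard(f)
    n = len(f).bit_length() - 1
    m = 0
    while m < n and all(F[w] == 0 for w in range(1, len(f)) if bin(w).count("1") == m + 1):
        m += 1
    return m


def resiliency(f):
    """Resiliency order: the CI order of a balanced function; -1 marks an unbalanced one."""
    return ci_order(f) if is_balanced(f) else -1


def oa_strength(rows, n):
    """Largest t such that, for every choice of t of the n columns, every t-tuple occurs
    equally often among the rows (rows are integers, bit c = column c)."""
    t = 0
    while t < n:
        for cols in combinations(range(n), t + 1):
            counts = {}
            for r in rows:
                key = tuple((r >> c) & 1 for c in cols)
                counts[key] = counts.get(key, 0) + 1
            if len(counts) != 2 ** (t + 1) or len(set(counts.values())) != 1:
                return t
        t += 1
    return t


def ci_order_via_oa(f):
    """Theorem 3.1 (Nikova-Nikov, after Stinson): f is t-CI iff the fibres f^{-1}(0) and
    f^{-1}(1) partition Z_2^n into orthogonal arrays of strength t."""
    n = len(f).bit_length() - 1
    fibres = [[x for x in range(len(f)) if f[x] == b] for b in (0, 1)]
    return min(oa_strength(rows, n) for rows in fibres)


def rao_bound(n, t, v=2):
    """Rao's lower bound on the number of rows of an OA of strength t on n factors, v levels."""
    u = t // 2
    total = sum(comb(n, i) * (v - 1) ** i for i in range(u + 1))
    if t % 2:
        total += comb(n - 1, u) * (v - 1) ** (u + 1)
    return total


def max_resiliency_rao(n, T, v=2):
    """Largest t compatible with (n, T, t)-resiliency under the Rao bound: each fibre has
    v^{n-T} rows and must be an OA of strength t, so v^{n-T} >= rao_bound(n, t)
    (eq. (6) with the Rao bound in place of B_v); also capped by the trivial t <= n - T."""
    t = 0
    while t + 1 <= n - T and v ** (n - T) >= rao_bound(n, t + 1, v):
        t += 1
    return t


if __name__ == "__main__":
    # constructed 1-resilient function on 6 variables with nonlinearity 24
    f6 = truth_table(lambda x1, x2, x3, x4, x5, x6: (x1 & x2) ^ (x3 & x4) ^ x5 ^ x6, 6)
    print(is_balanced(f6), nonlinearity(f6), ci_order(f6), ci_order_via_oa(f6))  # True 24 1 1
    # constructed (n-3)-resilient function on n = 5 variables with nonlinearity 2^{n-2} = 8
    f5 = truth_table(lambda x1, x2, x3, x4, x5: (x1 & x2) ^ x3 ^ x4 ^ x5, 5)
    print(resiliency(f5), nonlinearity(f5))   # 2 8
    print(max_resiliency_rao(8, 3), 8 - 3)    # 3 5: the Rao bound beats the trivial bound
```

For $\omega \neq 0$ the transform of eq. (2) equals $-\tfrac12\sum_x(-1)^{f(x)+\omega\cdot x}$, so the zero pattern that defines correlation immunity is the same under either convention; the butterfly above is the generic Hadamard transform applied directly to the 0/1 truth table, which is what eq. (3) expresses as $F = Af$.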
Eigenvalues and multiplicities of $D_1$, with $\zeta = \exp(2\pi i/13)$:
    $4$ (multiplicity 1),
    $a = \sum_{n \in G_0p_1} \zeta^n$ (multiplicity 4),
    $b = \sum_{n \in G_0p_2} \zeta^n$ (multiplicity 4),
    $c = \sum_{n \in G_0p_3} \zeta^n$ (multiplicity 4).
Hexagonal Schemes
Clearly, if we take now the sixth roots of unity as the unit group in the construction of the previous section we get an association scheme, and we will call it the hexagonal scheme.

Example 2. Let us represent $GF(13)$ as $\mathbb Z[\omega]_{3+4\omega}$. We have a pictorial representation of it as in figure 1. The orbits are given by: $G_0p_0 = \{0\}$, $G_0p_1 = \{1, 10, 9, 12, 3, 4\}$, $G_0p_2 = \{5, 11, 6, 2, 7, 8\}$; the relations are: $D_0 = [1\,0\,0\,0\,0\,0\,0\,0\,0\,0\,0\,0\,0]$, $D_1 = [0\,1\,0\,1\,1\,0\,0\,0\,0\,1\,1\,0\,1]$, $D_2 = [0\,0\,1\,0\,0\,1\,1\,1\,1\,0\,0\,1\,0]$.
Matrix D0 D1 D2
3
Eigenvalues and multiplicities (with $\zeta = \exp(2\pi i/13)$): 4 1 a 12
Patterns
We present here a valuable tool for describing the orbits of our association schemes. For our purpose we have to review some well known results in combinatorics on cycle sums and patterns. Most of the material in this section can be found in [4]. First we will fix our notation: let $\Gamma$ be a group of permutations on a finite set $D$ (domain) and $R$ (range) another finite set. We will call the elements in the domain places and the ones in the range figures. The functions $f \in R^D$ are called configurations. If we consider the action $\Gamma \times R^D \to R^D$, $(\gamma, f) \mapsto \gamma f$, $(\gamma f)(d) = f(\gamma d)$, $d \in D$, then $\Gamma^*$ is a group isomorphic to $\Gamma$ acting on $R^D$. Finally a pattern is an equivalence class of configurations under $\Gamma^*$. Let now $\Gamma = S_n$.

Definition 2. We call error patterns of the Mannheim scheme or the hexagonal scheme the equivalence classes of the action given in (8), where the group $H$ is the group of units $\{\pm 1, \pm i\}$ or the group of sixth roots of unity, respectively.
52
Edgar Martínez-Moro et al.
Lemma 2. The error patterns of the Mannheim scheme or the hexagonal scheme are completely determined by the orbits of the action:
(
ZZ[ ] − x)
ZZ[ ] k x
k
(14)
Proof. It follows directly from the discussion above and Lehmann's lemma.

We recall that the set of figures consists of the orbits $O_1,\dots,O_l$ of the action above. Hence two error figures given by $(x_1,\dots,x_n)$ and $(y_1,\dots,y_n)$ are in the same pattern if there is a permutation $\sigma \in S_n$ and figures $(O^{1},\dots,O^{n})$ such that $x_j - y_{\sigma(j)} \in O^{j}$. Of course for $n = 1$ the figures are the patterns. Clearly from this setting we are looking for properties of the set of orbits of $S_n$ on the range $O_1,\dots,O_l$ of orbits of the action in (14).

Definition 3. Let $A$ be an arbitrary commutative ring and let $w: R \to A$ be a function. We call $w(r)$ the weight of figure $r$. The $k$-th figure sum is defined as the sum $s_k = \sum_{r\in R} w(r)^k$, and the weight of a configuration $f \in R^D$ is given by $w(f) = \prod_{a\in D} w(f(a))$. Clearly two equivalent configurations under $\Gamma$ have the same weight, so we define $w(O) = w(f)$, where $f \in O$, and the pattern sum as $S = \sum_O w(O)$. The next theorem allows us to derive the pattern sum:

Theorem 1. Let $\Gamma = S_n$. Then
$$\sum_{O} w(O) = \sum_{j_1+2j_2+\cdots+nj_n = n}\frac{1}{\prod_{k=1}^{n} k^{j_k}\, j_k!}\; s_1^{j_1}s_2^{j_2}\cdots s_n^{j_n}.$$
Proof. For a proof see [4] pp. 2 1 theorem 23 and pp. 290 example 65.

Example 3. If we let $w(r) = 1$ for all $r$ we get the number of possible error patterns; indeed $s_k$ is then the number of orbits of the action (14). From Burnside's lemma we get the number of orbits of (14) and then we compute the number of error patterns. In a Mannheim scheme the number of orbits of (14) is just $\frac{1}{4}(\chi + 3)$ and in a hexagonal scheme $\frac{1}{6}(\chi + 5)$, where respectively
$$\chi = \begin{cases} p & \text{if } p \equiv 1 \pmod 4 \\ p^2 & \text{if } p \equiv 3 \pmod 4\end{cases}
\qquad\text{or}\qquad
\chi = \begin{cases} p & \text{if } p \equiv 1 \pmod 6 \\ p^2 & \text{if } p \equiv 5 \pmod 6\end{cases}$$
and hence the number of $S_n$-orbits for dimension $n$ is just
$$\sum_{j_1+2j_2+\cdots+nj_n = n}\frac{1}{\prod_{k=1}^{n}k^{j_k}\,j_k!}\Big(\frac{\chi+3}{4}\Big)^{j_1+j_2+\cdots+j_n}
\qquad\text{and}\qquad
\sum_{j_1+2j_2+\cdots+nj_n = n}\frac{1}{\prod_{k=1}^{n}k^{j_k}\,j_k!}\Big(\frac{\chi+5}{6}\Big)^{j_1+j_2+\cdots+j_n}$$
respectively.

We denote by $O^*$ the orbits of $\Gamma^*$ and by $O$ the orbits of the action (14).

Combinatorial Structure of Finite Fields
53
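An added example, not code from the paper, covering Examples 2 to 5: it computes the orbits $G_0p_k$ of $GF(p)$ under the unit group (generated by a square root of $-1$ for the Mannheim scheme and by a primitive sixth root of unity for the hexagonal scheme), the Mannheim weight of each orbit, and the pattern sum of Theorem 1 through the cycle index of $S_n$. For $GF(13)$ as $\mathbb Z[i]_{3+2i}$ the element $i$ corresponds to $5$ (because $3 + 2\cdot 5 \equiv 0 \pmod{13}$), and for the hexagonal scheme $4$ is a primitive sixth root of unity mod 13; both correspondences are worked out here, not taken from the paper. With all weights equal to 1 the coefficient sum reproduces the orbit counts $(\chi+3)/4$, $(\chi+5)/6$ and the $S_n$-orbit count of Example 3; with weight $x^{d(O)}$ it gives the distance pattern sum of Example 5 below.

```python
# Added example (not from the paper): orbits of GF(p) under the unit group of the
# Mannheim (Gaussian) or hexagonal scheme, Mannheim weights of the orbits, and the
# distance pattern sum of Theorem 1 computed with the cycle index of S_n.
from fractions import Fraction
from math import factorial


def unit_orbits(p, root):
    """Orbits of Z_p under multiplication by the cyclic group generated by `root`
    (root^2 = -1 mod p for the Mannheim scheme, a primitive 6th root of unity for the
    hexagonal scheme).  Orbits are sorted and listed by their smallest element."""
    group, g = [], 1
    while g not in group:
        group.append(g)
        g = g * root % p
    seen, orbits = set(), []
    for x in range(p):
        if x not in seen:
            orbit = sorted({x * h % p for h in group})
            seen.update(orbit)
            orbits.append(orbit)
    return orbits


def mannheim_weight(p, root, x):
    """Mannheim weight of x in Z[i]/(pi) with i <-> root: the smallest |a| + |b| over
    Gaussian integers a + b i that reduce to x, i.e. a + b*root = x (mod p)."""
    return min(abs(a) + abs(b)
               for a in range(-p, p + 1) for b in range(-p, p + 1)
               if (a + b * root - x) % p == 0)


def cycle_types(n):
    """All (j_1, ..., j_n) with j_1 + 2 j_2 + ... + n j_n = n (cycle types of S_n)."""
    def rec(k, remaining, acc):
        if k == 0:
            if remaining == 0:
                yield tuple(acc)
            return
        for j in range(remaining // k + 1):
            yield from rec(k - 1, remaining - k * j, [j] + acc)
    yield from rec(n, n, [])


def poly_mul(a, b):
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out


def poly_add(a, b):
    out = [Fraction(0)] * max(len(a), len(b))
    for poly in (a, b):
        for i, c in enumerate(poly):
            out[i] += c
    return out


def distance_pattern_sum(p, root, n):
    """Coefficient list of S = sum over cycle types of (1 / prod k^{j_k} j_k!) prod_k s_k^{j_k},
    with figure weight w(r) = x^{d(O)} for r in orbit O, so s_k = sum_O x^{k d(O)}:
    the coefficient of x^d counts the error patterns of total Mannheim distance d."""
    dists = [mannheim_weight(p, root, orbit[0]) for orbit in unit_orbits(p, root)]

    def figure_sum(k):
        s = [Fraction(0)] * (k * max(dists) + 1)
        for d in dists:
            s[k * d] += 1
        return s

    total = [Fraction(0)]
    for jt in cycle_types(n):
        coef, term = Fraction(1), [Fraction(1)]
        for k, j in enumerate(jt, start=1):
            coef /= k ** j * factorial(j)
            for _ in range(j):
                term = poly_mul(term, figure_sum(k))
        total = poly_add(total, [coef * c for c in term])
    assert all(c.denominator == 1 for c in total)   # Burnside: the counts are integers
    return [int(c) for c in total]


def number_of_patterns(p, root, n):
    """Number of error patterns: the coefficient sum, i.e. all weights set to 1 (Example 3)."""
    return sum(distance_pattern_sum(p, root, n))


if __name__ == "__main__":
    # GF(13) as Z[i]_{3+2i}: i <-> 5 because 3 + 2*5 = 13 = 0 (mod 13)
    print(unit_orbits(13, 5))              # [[0], [1, 5, 8, 12], [2, 3, 10, 11], [4, 6, 7, 9]]
    print(distance_pattern_sum(13, 5, 2))  # [1, 1, 3, 2, 3] = 1 + x + 3x^2 + 2x^3 + 3x^4
    # hexagonal scheme: 4 is a primitive 6th root of unity mod 13 (4^3 = 64 = -1)
    print(unit_orbits(13, 4))              # [[0], [1, 3, 4, 9, 10, 12], [2, 5, 6, 7, 8, 11]]
```

For $p = 13$ the Mannheim orbits have distances $0, 1, 2, 2$, so $s_1 = 1 + x + 2x^2$ and $s_2 = 1 + x^2 + 2x^4$, and the $n = 2$ pattern sum $\tfrac12(s_1^2 + s_2)$ has ten patterns in all, the number of multisets of size 2 drawn from the $(13+3)/4 = 4$ orbits. The coefficient $3$ of $x^2$ counts the patterns $\{O_0, O_2\}$, $\{O_0, O_3\}$ and $\{O_1, O_1\}$ of total distance two.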
Example 4. If we let $w(r) = x_i$ if $r \in O_i$ we get $s_k = \sum_{i=1}^{l} x_i^k$, and the resulting pattern sum is a homogeneous polynomial in $x_1,\dots,x_l$. For example, consider $GF(13)$ represented as $\mathbb Z[i]_{3+2i}$ (see example 1), and consider the case $n = 2$. The pattern sum is:
$$S = \sum_{j_1+2j_2 = 2}\frac{1}{\prod_{k=1}^{2}k^{j_k}\,j_k!}\,(x_0+x_1+x_2+x_3)^{j_1}(x_0^2+x_1^2+x_2^2+x_3^2)^{j_2}
= \frac12(x_0+x_1+x_2+x_3)^2 + \frac12(x_0^2+x_1^2+x_2^2+x_3^2).$$
Indeed, we get not much information, since we get all degree two monomials as the possible patterns of errors, i.e. all the combinations of two errors taken from the orbits. The following example gives us some more information.

Example 5. Let $w(r) = x_{d(O)}$ if $r \in O$, where $d(O)$ is the Mannheim distance of the orbit. For example, consider $GF(13)$ represented as $\mathbb Z[i]_{3+2i}$ (see example 1), and consider the case $n = 2$. The four orbits have distances $0, 1, 2, 2$, so $s_1 = x_0 + x_1 + 2x_2$ and $s_2 = x_0^2 + x_1^2 + 2x_2^2$ (each figure contributes $w(r)^2$ to $s_2$, so the two distance-2 orbits contribute $2x_2^2$), and the pattern sum in this case is:
$$S = \frac12(x_0+x_1+2x_2)^2 + \frac12(x_0^2+x_1^2+2x_2^2).$$
For example, an error has weight $x_0x_2$ if it has an error pattern of distance two, thus the number of such patterns is the coefficient of the monomial $x_0x_2$ in $S$.

Note that many other weight functions can be proposed, and indeed there is a close relationship in the last two examples with weight enumerators of codes. Also in those examples it seems reasonable to let $x_0 = 1$, since it denotes that no error has been made. If we are concerned only with distance patterns, the usual weight imposed is $w(r) = x^{d(O)}$ if $r \in O$. Therefore the last example becomes:
$$S = \frac12(1+x+2x^2)^2 + \frac12(1+x^2+2x^4) = 1 + x + 3x^2 + 2x^3 + 3x^4.$$

4
Conclusions

As we have seen, the 1-dimensional schemes defined here are translation invariant, therefore their eigenvalues are easy to compute (see [16]) as partitions on the set. Also Lehmann's lemma gives us a tool for calculating the eigenvalues of higher dimensional schemes, giving us descriptions of the orbits (they are also translation invariant). Therefore we can define all the parameters of a code defined in two dimensional metrics as functions of its weight distribution and the eigenvalues of the scheme, as well as define the Lloyd polynomial [17,18]. Also the MacWilliams theorem can be recovered from them in a natural way, not only for linear codes [8], but also for a general code following the construction in [17]. Moreover, the construction in this paper seems to be more natural for two dimensional metrics than the use of the complete weight enumerator (see [8]). Anyway, there is a clear relationship between the scheme defined above and the composition schemes for the Abelian groups of unit steps (see [5,10]) and also with group characters [1,11]. Further investigation points towards the classification of perfect codes over these metrics, which must fulfill the constraints and equalities on the eigenvalues [17,18] and on the Lloyd polynomials². Also the isometry classes of these codes are proposed for a deeper investigation.
² For a computer algebra construction of these polynomials see [15].

References

1. J.L. Alperin, R.B. Bell, Groups and representations, Graduate Texts in Mathematics 162, Springer Verlag (1995).
2. E. Bannai, T. Ito, Algebraic combinatorics I: Association Schemes, Benjamin Cummings Publishers (1983).
3. N. Biggs, Algebraic Graph Theory, 2nd edition, Cambridge University Press (1993).
4. B. Bollobas, Modern graph theory, Graduate Texts in Mathematics, Springer, New York (1998).
5. P. Camion, Codes and Association Schemes: Basic Properties of Association Schemes Relevant to Coding, in Handbook of Coding Theory vol 2, pp. 1441-1566, Ed. V.S. Pless, W.C. Huffman, North-Holland 1999.
6. G.H. Hardy, E.M. Wright, An introduction to the theory of numbers, Oxford Science Publications, 5th edition (1979).
7. K. Huber, Codes over Gaussian integers, IEEE Trans. on Inf. Theory, 40 (1), 207-216 (1994).
8. K. Huber, The MacWilliams Theorem for Two-dimensional modulo metrics, AAECC, 8 (1), 41-48 (1997).
9. P. Delsarte, An algebraic approach to the association schemes of coding theory, Technical report, Philips Research Laboratory, 1973.
10. P. Delsarte, V.I. Levenshtein, Association schemes and coding theory, IEEE Trans. on Inf. Theory, vol. 44, 6, pp. 2477-2504, October 1998.
11. W. Ledermann, Introduction to group characters, Cambridge University Press, 1986.
12. H. Lehmann, Ein vereinheitlichender Ansatz für die Redfield-Polya-de Bruijnsche Abzähltheorie, PhD Thesis, Universität Giessen, 1976.
13. E. Martínez, F.J. Galan, Combinatorial structure of arithmetic codes, Winter School on Coding and Information Theory 1998 (Ebeltoft, Denmark).
14. E. Martínez, M.A. Borges, M. Borges, Combinatorial structure of rings of complex integers with Mannheim metric, 1st Workshop on Combinatorics, Geometry, Coding Theory and related areas, CIMAF'99, La Habana, Cuba, March 1999.
15. E. Martínez, Computations on character tables of association schemes, Computer Algebra in Scientific Computing 99, pp. 293-307, Springer-Verlag, 1999.
16. H. Tarnanen, On Abelian Schemes, TUCS Technical Report no. 88, Turku Centre for Computer Science, 1996.
17. P. Sole, On the parameters of codes for the Lee and modular distance, Discrete Mathematics 89 (1991), pp. 185-194.
18. P. Sole, A Lloyd theorem in weakly metric association schemes, Europ. J. of Combinatorics 10, 189-196 (1989).
A New Method for Generating Sets of Orthogonal Sequences for a Synchronous CDMA System

Helen Donelan and Timothy O'Farrell
University of Leeds, Leeds, LS2 9JT, UK
eenhmd@electeng.leeds.ac.uk

Abstract. A new, systematic method of generating orthogonal sets of sequences with good correlation properties is described. An orthogonal set is defined as a collection of $n$ sequences, of length $n$ chips, that are mutually orthogonal. Although there are many possible combinations of sequences forming orthogonal sets of a specified length, few have been identified with a structured method of generation, such as Walsh codes and orthogonal Gold codes. The application of the new sequences discussed is orthogonal spreading codes in a synchronous code division multiple access (CDMA) system, and their correlation properties are considered accordingly.
1
Introduction
Orthogonal sequences are utilised in many specifications, in particular CDMA spread spectrum systems, to improve the bandwidth efficiency. The most common orthogonal sequences, and those employed in or proposed for today's communications systems, are Walsh codes [1] and more recently orthogonal Gold codes [2]. The new algorithm proposed is related to that used to generate orthogonal Gold codes but produces large numbers of different orthogonal sets with favourable crosscorrelation values between sets of the same size. The procedure generates $(n-1)$ distinct orthogonal sets of $n$ sequences of length $n$. Sequences are represented by the notation given in (1).
$$x = (x_0, x_1, x_2, \dots, x_{n-2}) \qquad (1)$$
The sets of sequences are represented by the notation given in (2).
$$\{x^{(k)}\} = \{x^{(0)}, x^{(1)}, \dots, x^{(n-1)}\} \qquad (2)$$
The sequences contain elements of the alphabet $\{1, -1\}$; equivalent definitions can be used by mapping $1 \mapsto 0$ and $-1 \mapsto 1$ and replacing multiplication operations between elements with modulo-2 addition. The second and third sections of this paper detail the novel construction method used to create the orthogonal sets. The fourth and fifth sections outline some of their properties, the set cross correlation and mean-square correlation parameters, which are described in relation to their consideration in a CDMA spread spectrum system.

M. Walker (Ed.): IMA - Crypto & Coding '99, LNCS 1746, pp. 56-62, 1999. © Springer-Verlag Berlin Heidelberg 1999
2
Method of Construction
The orthogonal sequences are developed from a set of sequences created using the Gold sequence construct. Gold sequences are constructed from a preferred pair of maximal length sequences, by the element-by-element multiplication of one sequence with every phase shift of the second sequence. Orthogonal Gold sequences can then be constructed from this family of Gold sequences by appending an additional '1' on the end of each sequence. Although for optimum periodic crosscorrelation the two m-sequences should be a preferred pair [3], this construct can be applied to any pair of m-sequences of the same length to produce orthogonal sets of sequences.

Using the new method, orthogonal sequences are developed from a family of sequences generated using the Gold sequence construct, i.e. sequences generated by the multiplication of one m-sequence with all shifts of a second m-sequence. The two sequences are not necessarily a preferred pair. Two m-sequences of length $(n-1)$ are represented by $a$ and $b$ where:
$$a = (a_0, a_1, a_2, \dots, a_{n-2}) \qquad (3)$$
$$b = (b_0, b_1, b_2, \dots, b_{n-2}) \qquad (4)$$
Using the Gold constru
ct method on these two sequences forms the set of sequences given in (5).
$$\gamma^{(k)} = \begin{cases} a \odot T^k b & \text{for } 0 \le k < n-1 \\ a & \text{for } k = n-1 \\ 0 & \text{otherwise} \end{cases} \qquad (5)$$
where $T^k b$ represents a cyclic shift of $b$ by $k$ chips and $\odot$ is the element by element multiplication. The final member of the set is one of the original m-sequences, $a$. For future reference, the set of sequences defined by (5) will be referred to as a Gold constructed set of sequences. Performing the following procedure on the above Gold constructed sequences produces a set of orthogonal sequences.

Step 1: Make the entry in the first column a '1' (the first chip of the sequence).
Step 2: If the first chip of the sequence was already a '1', and has not therefore been altered by step 1, then affix a '-1' on the end of the sequence.
Step 3: If the first chip of the sequence was a '-1' to begin with, and has therefore been altered by step 1, then affix a '1' on the end of the sequence.
Step 4: Repeat steps 1 to 3 for all sequences of the Gold constructed set.

This procedure can be represented as follows. Let $u^{(k)}$ be the set of sequences $\gamma^{(k)}$ with the first chip, $\gamma_0^{(k)}$, of every sequence removed. Then the orthogonal set of sequences can be represented by (6).
$$\{v^{(k)}\} = \{1,\ u^{(k)},\ -\gamma_0^{(k)}\} \qquad (6)$$
The set of sequences $v^{(k)}$ is a set of $n$ sequences of length $n$ that are orthogonal to each other. By following the same procedure with the same m-sequences but with the m-sequences in a different initial phase shift, an entirely different set of orthogonal sequences is generated.
$$a^{(2)} = (a_1, a_2, \dots, a_{n-2}, a_0) = T^1 a \qquad (7)$$
$$b^{(2)} = (b_1, b_2, \dots, b_{n-2}, b_0) = T^1 b \qquad (8)$$
For each of the initial phases of the m-sequences, where the circular shift is the same on both m-sequences, there is a different orthogonal set. These have been called base sets and are distinct from each other. No sequence appears in more than one set. For a pair of m-sequences of length $(n-1)$ there exist $(n-1)$ base sets of $n$ sequences of length $n$.
3 Alternative Constructs

By changing the initial phases or shifts of the m-sequences, the base sets produced are different. The $(n-1)$ base sets can be used as a basis to study the influence of the initial shift of the m-sequences on the properties of the orthogonal sets produced by them.

Firstly, interchanging $a$ and $b$, so that the Gold constructed family is derived from $b$ multiplied by all shifts of $a$, produces, as before, a Gold constructed family for each of the $(n-1)$ phase shifts. From these, new base sets are formed. The sequences produced are the same as those in the original base sets, as the same combinations of shifted sequences are used in the construction, but in this case they appear in a different order and are therefore grouped into different base sets. These sets are still orthogonal, so the order of the m-sequences is irrelevant to the generation of orthogonal sets.

Secondly, shifting the initial phase of one of the m-sequences with respect to the other produces the same combination of sequences grouped into the same base sets, but the order of the sequences within the base sets depends on the size of the circular shift on the one m-sequence.

Investigations were carried out to look at the effects of changing a different column to all ones (step 1) other than the first column. Excluding the original base sets, an additional $(n-1)(n-2)$ orthogonal sets can be produced. These sets are not completely distinct from the original base sets: some of the sequences from the base sets are repeated within these new sets.

All the above variations on the new method still produce orthogonal sets of sequences. A pair of m-sequences produces $(n-1)$ base sets, and all the variations above, concerning the initial phase shift of the m-sequences and changing different columns, are related back to these base sets.
4 Correlation Properties

In CDMA systems, orthogonal sequences are used to separate users sharing the same bandwidth. At the receiver, the signal is correlated with the user's unique sequence to recover the information conveyed. Due to the orthogonality between the required user's sequence and all other sequences, the correlation with all other users is zero, therefore there is no interference. Orthogonal spreading can only be used if all the users are synchronised, as the crosscorrelation value between sequences at different time shifts is not zero [4]. In the TIA IS-95 CDMA system the forward channel is synchronous and therefore orthogonal spreading can be used. 64 Walsh codes are used to provide orthogonality between users in the same cell. A user's data is first spread by one of the 64 Walsh codes and then masked by a long pseudo-noise (PN) sequence unique to the cell, so that the same 64 Walsh codes can be reused in each cell. In this case the interference between users of another cell behaves like any long PN code.

The new method presented here generates more than one set of distinct sequences for a given sequence length. To explore the possibility of using more than one set simultaneously, i.e. a different set allocated to each cell, the maximum interference between sequences of different cells must be quantified. This can be represented as the peak crosscorrelation value at zero time shift between sequences. All base sets of size $n \times n$ for $n = 8, 16, 32, 64, 128$ and $256$ were created, and the peak crosscorrelation value at zero time shift between all combinations of sequences of the same length was measured; the results are displayed in Table 1. The results improve relative to the set size as the set size increases. Sets of size 32 and above exhibit good set crosscorrelation properties, as the maximum value is less than half the sequence length. Such sequence sets would therefore offer low intercell interference levels, thereby enhancing the capacity of a CDMA cellular system.

Table 1. Values of set crosscorrelation

Set Size    Number of Sets    Peak Correlation Value
8 × 8       7                 4
16 × 16     15                8
32 × 32     31                8
64 × 64     63                16
128 × 128   127               20
256 × 256   256               32
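The construction of Section 2 (equations (5)-(8)) and the Table 1 measurement, as an added Python example that is not the authors' code: it generates two ±1 m-sequences from a pair of primitive polynomials, builds the $(n-1)$ base sets by shifting both m-sequences by the same amount, applies steps 1-3, and checks orthogonality, distinctness across base sets, and the peak zero-shift crosscorrelation between base sets. The polynomial pairs ($x^3+x+1$ with $x^3+x^2+1$ for $n=8$, $x^4+x+1$ with $x^4+x^3+1$ for $n=16$) and the bit-to-chip mapping ($0 \to +1$, $1 \to -1$) are assumptions; the paper does not say which m-sequences it used.

```python
from itertools import combinations


def m_sequence(taps, m):
    """One period (length 2^m - 1) of the m-sequence of the recurrence
    s[i+m] = sum(s[i+t] for t in taps) mod 2, i.e. the LFSR of the polynomial
    x^m + sum(x^t for t in taps), assumed primitive. Chips: bit 0 -> +1, bit 1 -> -1,
    so each period sums to -1 (assumed mapping)."""
    state = [0] * (m - 1) + [1]
    chips = []
    for _ in range(2 ** m - 1):
        chips.append(1 - 2 * state[0])
        state = state[1:] + [sum(state[t] for t in taps) % 2]
    return chips


def shift(seq, k):
    """T^k: cyclic shift by k chips, so shift(seq, 1) = (s1, s2, ..., s0) as in (7)/(8)."""
    k %= len(seq)
    return seq[k:] + seq[:k]


def gold_constructed_set(a, b):
    """Equation (5): T^k b (.) a for 0 <= k < n-1, with a itself as the last member."""
    fam = [[x * y for x, y in zip(shift(b, k), a)] for k in range(len(a))]
    fam.append(list(a))
    return fam


def orthogonalise(s):
    """Steps 1-3 / equation (6): force the first chip to 1 and append the negative
    of the original first chip, giving a sequence of length n."""
    return [1] + s[1:] + [-s[0]]


def base_sets(a, b):
    """One base set per common initial phase j of both m-sequences: n-1 sets of n sequences."""
    return [[orthogonalise(s) for s in gold_constructed_set(shift(a, j), shift(b, j))]
            for j in range(len(a))]


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def is_orthogonal_set(S):
    """Gram matrix equals n*I: every pair of distinct sequences has zero crosscorrelation at zero shift."""
    n = len(S[0])
    return all(dot(u, v) == (n if i == j else 0)
               for i, u in enumerate(S) for j, v in enumerate(S))


def count_distinct(sets):
    """Number of distinct sequences over all base sets (the paper claims no repeats)."""
    return len({tuple(s) for S in sets for s in S})


def peak_cross_between_sets(sets):
    """Table 1 measurement: peak |crosscorrelation| at zero shift between sequences of different base sets."""
    return max(abs(dot(u, v)) for A, B in combinations(sets, 2) for u in A for v in B)


def analyse(taps_a, taps_b, m):
    """Build all base sets for a pair of degree-m polynomials and return
    (number of sets, all sets orthogonal?, number of distinct sequences, peak cross value)."""
    sets = base_sets(m_sequence(taps_a, m), m_sequence(taps_b, m))
    return (len(sets), all(is_orthogonal_set(S) for S in sets),
            count_distinct(sets), peak_cross_between_sets(sets))


if __name__ == "__main__":
    # Assumed primitive pairs: x^3+x+1 / x^3+x^2+1 (n = 8) and x^4+x+1 / x^4+x^3+1 (n = 16).
    for m, (ta, tb) in ((3, ([0, 1], [0, 2])), (4, ([0, 1], [0, 3]))):
        print("n =", 2 ** m, "(sets, orthogonal, distinct, peak) =", analyse(ta, tb, m))
```

For $n = 8$ the peak value is 4, as in Table 1; whether the $n = 16$ value matches the table depends on which pair of m-sequences is used, which the paper does not specify.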
5 Mean Square Correlation Parameters
In CDMA systems it is desirable to find a set of sequences with low crosscorrelation between sequences for all shifts, to minimise multiuser interference in a multipath environment. It is also desirable to have low autocorrelation sidelobes for each sequence at all shifts except the in-phase position, for anti-fading capability and synchronisation purposes. However, in general, if a set of sequences has good autocorrelation properties then the crosscorrelation properties are not very good, and vice versa [5]. Therefore some trade-off between the two is required. There are many correlation parameters that can be investigated when searching for 'good' sets of sequences. For CDMA systems the mean square value of the aperiodic correlation is considered a reasonable measurement [6]. The mean-square crosscorrelation parameter of a sequence $l$ with each of the other $K-1$ sequences of the set is given by (9):

$$\mu_c^{(l)} = \sum_{\substack{k=0 \\ k \ne l}}^{K-1} \sum_{m=1}^{N-1} \left| C_{S_l S_k}(m) \right|^{2} \qquad (9)$$

where $K$ is the number of sequences in a set (i.e. the possible number of simultaneous users) and $N$ is the length of each of the sequences in the set. Therefore the mean-square crosscorrelation parameter of each sequence of the set with every other sequence of the set (i.e. all possible combinations of sequences) is given by (10):

$$\mu_c = \sum_{l=0}^{K-1} \mu_c^{(l)} \qquad (10)$$

Similarly, the mean-square autocorrelation parameter of a sequence $l$ is given by (11):

$$\mu_a^{(l)} = 2 \sum_{m=1}^{N-1} \left| C_{S_l S_l}(m) \right|^{2} \qquad (11)$$

This is the sidelobe energy across the whole of the autocorrelation period, except at zero phase shift, i.e. $m = 0$. Therefore the mean-square autocorrelation parameter of all the sequences of the set is given by (12):

$$\mu_a = \sum_{l=0}^{K-1} \mu_a^{(l)} \qquad (12)$$

Plotting $\mu'_a$ and $\mu'_c$ as given in (13) gives a representation of a set of sequences' mean square cross- and autocorrelation characteristics [7], as illustrated in Fig. 1:

$$\mu'_a = \frac{\mu_a}{K(K-1)N^{2}} \quad \text{and} \quad \mu'_c = \frac{\mu_c}{K(K-1)N^{2}} \qquad (13)$$

The values of $\mu'_a$ and $\mu'_c$ are bounded by the Welch bound, the upper bound, and the maximum and minimum sidelobe energy bounds, as illustrated in Fig. 1. The sequences plotted are of length 16 and are compared to other sets of sequences of the same length and number. Some are orthogonal sets, i.e. Walsh codes (WC), several different sets of masked Walsh codes (mwc1-4) and orthogonal Gold codes (OGC); some are randomly selected sequences (rs1-4); and others are sets of sequences that are expected to give relatively bad results (arbitrary), such as some sequences being cyclic shifts of other sequences in the same set. It can be seen that for optimum mean-square autocorrelation a trade-off has to be made with the mean-square crosscorrelation values, emphasizing that both values may not be optimised simultaneously. The new codes exhibit good cross- and autocorrelation properties in comparison to the other sets of sequences illustrated.
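Equations (9)-(13) computed in Python, as an added example rather than the authors' code. The aperiodic correlation is taken as $C_{uv}(m) = \sum_{i} u_i v_{i+m}$ over the overlapping chips, shifts $m = 1, \ldots, N-1$ exactly as (9) and (11) are written (the zero shift, which is omitted there, is zero for an orthogonal set anyway). The sets it is run on are assumed inputs: Sylvester-Hadamard Walsh codes of length 16, and an "arbitrary" set made of all cyclic shifts of one Walsh code, the kind of set Fig. 1 expects to do badly.

```python
def aperiodic_correlation(u, v, m):
    """Aperiodic crosscorrelation C_{uv}(m) = sum_i u[i] v[i+m] over the overlap, 0 <= m < N."""
    return sum(u[i] * v[i + m] for i in range(len(u) - m))


def mu_c_l(S, l):
    """Equation (9): mean-square crosscorrelation of sequence l with the K-1 others, shifts 1..N-1."""
    N = len(S[l])
    return sum(aperiodic_correlation(S[l], S[k], m) ** 2
               for k in range(len(S)) if k != l for m in range(1, N))


def mu_a_l(s):
    """Equation (11): twice the autocorrelation sidelobe energy over shifts 1..N-1."""
    return 2 * sum(aperiodic_correlation(s, s, m) ** 2 for m in range(1, len(s)))


def mean_square_parameters(S):
    """Equations (10), (12), (13): return (mu_a', mu_c') for a set of K sequences of length N."""
    K, N = len(S), len(S[0])
    mu_a = sum(mu_a_l(s) for s in S)
    mu_c = sum(mu_c_l(S, l) for l in range(K))
    norm = K * (K - 1) * N ** 2
    return mu_a / norm, mu_c / norm


def walsh_codes(N):
    """Rows of the Sylvester-Hadamard matrix as +1/-1 Walsh codes (N a power of two, assumed input)."""
    H = [[1]]
    while len(H) < N:
        H = [r + r for r in H] + [r + [-x for x in r] for r in H]
    return H


def cyclic_shift_set(s):
    """An 'arbitrary' set in the sense of Fig. 1: every cyclic shift of one sequence (assumed input)."""
    return [s[k:] + s[:k] for k in range(len(s))]


if __name__ == "__main__":
    W = walsh_codes(16)
    print("Walsh 16x16    (mu_a', mu_c') =", mean_square_parameters(W))
    print("cyclic shifts  (mu_a', mu_c') =", mean_square_parameters(cyclic_shift_set(W[5])))
```

The all-ones Walsh code shows why $\mu'_a$ punishes orthogonal sets: its aperiodic autocorrelation is $N - m$ at every shift, so a single sequence contributes $2\sum_{m=1}^{15} (16-m)^2 = 2480$ to $\mu_a$.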
Fig. 1. Mean-square correlation parameters for different sets of sequences, size 16 by 16. [Scatter plot of $\mu'_c$ (vertical axis, 0 to 7) against $\mu'_a$ (horizontal axis, 0.08 to 0.34) for the sets new codes, WC, mwc1-mwc4, OGC, rs1-rs4 and arbitrary, with the Welch bound (Wbd) and the upper bound (Ubd) drawn; image not reproduced.]
6 Conclusion

In summary, a novel method for generating sets of orthogonal sequences has been described. For a pair of m-sequences of length $(n-1)$, a total of $(n-1)$ distinct base sets can be produced. The investigation into the properties of the sets included measuring the peak crosscorrelation between sequences of different sets of the same size and measuring the mean-square correlation parameters of an individual set. Results were favourable for the set crosscorrelations for the larger sets (sizes 32x32 and above), promoting the idea of using all sequences of the same size ($n(n-1)$ sequences in total) simultaneously as orthogonal spreading sequences in a synchronous CDMA spread spectrum system environment. The mean square auto- and crosscorrelation values were also calculated, for an indication of how the sequences would perform in a multipath environment. For a set of sequences of size 16x16 the new set of sequences exhibited good mean-square correlation parameters.

References
1. Garg, V.K., Smolik, K., Wilkes, J.E.: Applications of CDMA in Wireless/Personal Communications. Prentice Hall (1997)
2. Tachikawa, S.: Recent Spreading Codes for Spread Spectrum Communication Systems. Elec. and Comm. in Japan. Vol. 75, No. 6 (1992) 41-49
3. Popovic, B.M.: Efficient despreaders for multi-code CDMA systems. Proc. ICUPC (1997) 516-520
4. Dinan, E.H., Jabbari, B.: Spreading codes for direct sequence CDMA and wideband CDMA cellular networks. IEEE Comms. Mag. (1998) 48-54
5. Sarwate, D.V.: Bounds on crosscorrelation and autocorrelation of sequences. IEEE Trans. on Information Theory. Vol. IT-25, No. 6 (1979) 720-724
6. Pursley, M.B.: Performance evaluation for phase-coded spread-spectrum multiple-access communications - Part I: System analysis. IEEE Trans. on Communications. Vol. COM-25, No. 8 (1977) 795-799
7. Schotten, H.: Tutorial: Sequenzen und ihre Korrelationseigenschaften. University of Ulm (1998)
New Self-Dual Codes over GF(5)

Stelios Georgiou and Christos Koukouvinos
Department of Mathematics, National Technical University of Athens, Zografou 15773, Athens, Greece.

Abstract. Self-dual codes and orthogonal designs have been studied for a long time as separate research areas. In the present paper we show a strong relationship between them. The structure of orthogonal designs is such as to allow us a much faster and more systematic search for self-dual codes over GF(5). Using our method we constructed the following linear self-dual codes over GF(5): (i) [4,2,2], (ii) [8,4,4], (iii) [12,6,6], (iv) [16,8,6], (v) [20,10,8], (vi) [24,12,9], (vii) [28,14,10]. The codes (i), (ii), (iii), (v) are extremal. A [28,14,10] code is constructed here for the first time.

Key words and phrases: Self-dual codes, construction, orthogonal designs.
1 Introduction

We first give some basic definitions which are needed in order to explain our method for the construction of self-dual codes. Self-dual codes are important because many of the best codes known are of this type and have a rich mathematical theory. An orthogonal design of order $n$ and type $(s_1, s_2, \ldots, s_u)$ $(s_i > 0)$, denoted $OD(n; s_1, s_2, \ldots, s_u)$, on the commuting variables $x_1, x_2, \ldots, x_u$ is an $n \times n$ matrix $D$ with entries from the set $\{0, \pm x_1, \pm x_2, \ldots, \pm x_u\}$ such that

$$D D^{T} = \Big( \sum_{i=1}^{u} s_i x_i^{2} \Big) I_n .$$

Alternatively, the rows of $D$ are formally orthogonal and each row has precisely $s_i$ entries of the type $\pm x_i$. In [2], where this was first defined, it was mentioned that

$$D^{T} D = \Big( \sum_{i=1}^{u} s_i x_i^{2} \Big) I_n$$

and so our alternative description of $D$ applies equally well to the columns of $D$. It was also shown in [2] that $u \le \rho(n)$, where $\rho(n)$ (Radon's function) is defined by $\rho(n) = 8c + 2^{d}$, when $n = 2^{a} b$, $b$ odd, $a = 4c + d$, $0 \le d < 4$. For more details and construction methods of orthogonal designs see [3]. In this paper we restrict our attention to two-variable orthogonal designs, i.e. the case where $u = 2$.

M. Walker (Ed.): IMA - Crypto & Coding '99, LNCS 1746, pp. 63-69, 1999. © Springer-Verlag Berlin Heidelberg 1999
For our consideration we also need some facts from coding theory. Our terminology and notation follow [6]. Let $F = GF(q)$ be the field with $q$ elements, where $q$ is a prime power. An $[n, k]$ linear code $C$ over $F$ is a $k$-dimensional vector subspace of $F^{n}$. In particular, codes over $GF(2)$ and $GF(3)$ are said to be binary and ternary codes, respectively. The elements of $C$ are called codewords, and the weight of a codeword is the number of its non-zero coordinates. The minimum weight is the smallest weight among non-zero codewords. An $[n, k]$ code with minimum weight $d$ is called an $[n, k, d]$ code. Two binary codes are equivalent if one can be obtained from the other by a permutation of the coordinates. The dual code $C^{\perp}$ of $C$ is defined as $C^{\perp} = \{ x \in F^{n} : x \cdot y = 0 \text{ for all } y \in C \}$. If $C \subseteq C^{\perp}$, $C$ is called a self-orthogonal code. $C$ is called self-dual if $C = C^{\perp}$. Furthermore, $C$ is called doubly-even if the weights of all codewords of $C$ are a multiple of four. A self-dual code is called singly-even if there exists at least one codeword whose weight is $\equiv 2 \pmod 4$. A self-dual code $C$ is called extremal if $C$ has the largest possible minimum weight. The known bounds on $d$ for $q = 2, 3, 4$ are given in [7] and [8]. In particular the following theorem is known.

Theorem 1 ([8]) The minimum distance $d$ of a self-dual $[n, n/2]$ code $C$ satisfies

$$d \le \begin{cases} 2\lfloor n/8 \rfloor + 2 & \text{if } q = 2 \text{ and } C \text{ is singly-even} \\ 4\lfloor n/24 \rfloor + 4 & \text{if } q = 2 \text{ and } C \text{ is doubly-even} \\ 3\lfloor n/12 \rfloor + 3 & \text{if } q = 3 \\ 2\lfloor n/6 \rfloor + 2 & \text{if } q = 4 \text{ and } C \text{ is even.} \end{cases}$$

For each length, the details of the largest possible minimum weight are listed in Table I in [1]. Conway and Sloane [1] also gave a list of the possible weight enumerators of binary extremal self-dual codes. The existence of some extremal self-dual codes is an open question in [1].
2 The Method

In this section we will show how we can use an orthogonal design in order to obtain a linear self-dual code over $GF(5)$. We consider an orthogonal design $OD(n; s_1, s_2)$. Then we replace the first variable by 1 and the second variable by 2. This replacement of course does not affect the orthogonality of the rows; let us denote the derived matrix by $A$. We shall take the elements of $GF(5)$ to be either $\{0, 1, 2, 3, 4\}$ or $\{0, \pm 1, \pm 2\}$, using whichever form is more convenient. On the other hand, since there are more orthogonal matrices with elements from $GF(5)$ than orthogonal designs with elements from a set of commuting variables, we use both of them in order to construct the desired codes.

Lemma 1 If we set $c = \sum_{i=1}^{u} s_i x_i^{2}$, where in our case $u = 2$, then the matrix $C = [aI_n \mid A]$ is the generator matrix of a $[2n, n, d; 5]$ linear self-dual code if and only if $c + a^{2}$ is divisible by 5.

Proof. We have that $C C^{T} = [aI_n \mid A][aI_n \mid A]^{T} = (c + a^{2}) I_n$. Thus if $c + a^{2}$ is divisible by 5 then $C C^{T} = 0_n$ over $GF(5)$, where $0_n$ is the $n \times n$ matrix whose entries are all zero, and then the matrix $C = [aI_n \mid A]$ is the generator matrix of a $[2n, n, d; 5]$ linear self-dual code. On the other hand, if the matrix $C = [aI_n \mid A]$ is the generator matrix of a $[2n, n, d; 5]$ linear self-dual code then $C C^{T} = 0_n$ over $GF(5)$, and then $c + a^{2}$ is divisible by 5.

Example 1 We consider the following orthogonal design $OD(8; 2, 6)$:

D =
   b   a   a  -b   b   b  -b   b
   a   b  -b   a   b   b   b  -b
  -a   b   b   a  -b   b  -b  -b
   b  -a   a   b   b  -b  -b  -b
  -b  -b   b  -b   b   a   a  -b
  -b  -b  -b   b   a   b  -b   a
   b  -b   b   b  -a   b   b   a
  -b   b   b   b   b  -a   a   b

Then we replace the first variable by 1 and the second variable by 2. This replacement does not affect the orthogonality of the rows; let us denote the derived matrix by $A$. We take the elements of $GF(5)$ to be $\{0, 1, 2, 3, 4\}$. Here $c = 2 \cdot 1^{2} + 6 \cdot 2^{2} = 26$ and $a = 2$, so $c + a^{2} = 30$ is divisible by 5, and $[2I_8 \mid A]$ is the generator matrix of a $[16, 8, 6; 5]$ linear self-dual code, where $A$ is the following matrix.

A =
  2 1 1 3 2 2 3 2
  1 2 3 1 2 2 2 3
  4 2 2 1 3 2 3 3
  2 4 1 2 2 3 3 3
  3 3 2 3 2 1 1 3
  3 3 3 2 1 2 3 1
  2 3 2 2 4 2 2 1
  3 2 2 2 2 4 1 2

Its weight enumerator is
$W(z) = 1 + 160z^{6} + 192z^{7} + 2880z^{8} + 5568z^{9} + 26848z^{10} + 37824z^{11} + 89568z^{12} + 84480z^{13} + 91392z^{14} + 39936z^{15} + 11776z^{16}$.
It is obvious that any orthogonal design with two variables can give a linear code over $GF(5)$, and if there exists $a \in GF(5)$ such that Lemma 1 holds then this code is self-dual; but in order to find a large enough minimum weight $d$ we must try a lot of orthogonal designs and orthogonal matrices. From the description of our method it is clear that it can also be applied to the construction of self-dual codes over $GF(2)$ and $GF(3)$, with the divisibility condition of Lemma 1 read modulo 2 or 3. Thus we are able to construct a series of the previously known linear self-dual codes over $GF(2)$ and $GF(3)$ by this method.

Example 2 We consider the following orthogonal design $OD(4; 2, 2)$:

D =
   a   b   a  -b
   b   a  -b   a
  -a   b   a   b
   b  -a   b   a

Then we replace both variables by 1. This replacement does not affect the orthogonality of the rows; let us denote the derived matrix by $A$. We take the elements of $GF(3)$ to be $\{0, 1, 2\}$. Then $[I_4 \mid A]$ is the generator matrix of an $[8, 4, 4; 3]$ linear code, where $A$ is the following matrix.

A =
  1 1 1 2
  1 1 2 1
  2 1 1 1
  1 2 1 1

Its weight enumerator is $W(z) = 1 + 24z^{4} + 16z^{5} + 32z^{6} + 8z^{8}$.

Note that this code is not self-dual over $GF(3)$: here $c = 2 \cdot 1^{2} + 2 \cdot 1^{2} = 4$ and $a = 1$, so $c + a^{2} = 5$ is not divisible by 3, each row of $[I_4 \mid A]$ has inner product $5 \equiv 2 \pmod 3$ with itself, and the weight enumerator contains weights 5 and 8, whereas every codeword of a self-orthogonal ternary code has weight divisible by 3. Theorem 1 also gives $d \le 3$ for a ternary self-dual code of length 8.
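Lemma 1 and the two examples as an added Python check, not the authors' code: it substitutes field elements into an orthogonal design, forms $[aI_n \mid A]$, tests $c + a^2 \equiv 0 \pmod q$ and $GG^T = 0$ directly, and brute-forces the weight distribution ($q^n$ codewords, so only for small $n$). It also verifies code 2 of Section 3 (the $[8,4,4]$ code over $GF(5)$). The design entries are transcribed from the page; the string representation of the designs and the helper names are my own.

```python
from itertools import product


def substitute(design, values):
    """Replace the variables of an orthogonal design (entries such as 'a', '-b') by field elements."""
    return [[(-1 if e.startswith('-') else 1) * values[e.lstrip('-')] for e in row] for row in design]


def generator_matrix(a, A, q):
    """C = [a*I_n | A] reduced modulo q (Lemma 1)."""
    n = len(A)
    return [[(a if i == j else 0) for j in range(n)] + [x % q for x in A[i]] for i in range(n)]


def is_self_orthogonal(G, q):
    """G G^T = 0 over GF(q); for an n x 2n matrix of rank n this is exactly self-duality."""
    return all(sum(x * y for x, y in zip(r, s)) % q == 0 for r in G for s in G)


def lemma1_condition(s, x, a, q):
    """c + a^2 with c = sum(s_i * x_i^2) (Lemma 1, read modulo q); returns (c + a^2, divisible?)."""
    c = sum(si * xi * xi for si, xi in zip(s, x))
    return c + a * a, (c + a * a) % q == 0


def weight_distribution(G, q):
    """Brute-force weight enumerator {weight: count} of the code generated by G over GF(q)."""
    n, N = len(G), len(G[0])
    dist = {}
    for coeffs in product(range(q), repeat=n):
        word = [sum(c * G[i][j] for i, c in enumerate(coeffs)) % q for j in range(N)]
        w = sum(1 for v in word if v)
        dist[w] = dist.get(w, 0) + 1
    return dict(sorted(dist.items()))


def min_distance(dist):
    return min(w for w in dist if w > 0)


# Example 1 of the paper: OD(8; 2, 6), rows transcribed from the page.
OD_8_2_6 = [r.split() for r in [
    " b  a  a -b  b  b -b  b", " a  b -b  a  b  b  b -b", "-a  b  b  a -b  b -b -b",
    " b -a  a  b  b -b -b -b", "-b -b  b -b  b  a  a -b", "-b -b -b  b  a  b -b  a",
    " b -b  b  b -a  b  b  a", "-b  b  b  b  b -a  a  b"]]

# Example 2 of the paper: OD(4; 2, 2).
OD_4_2_2 = [r.split() for r in [" a  b  a -b", " b  a -b  a", "-a  b  a  b", " b -a  b  a"]]

# Code 2 of Section 3: [2 I_4 | A] over GF(5).
A_8_4_4 = [[3, 3, 2, 3], [3, 3, 3, 2], [3, 2, 3, 3], [2, 3, 3, 3]]


def example1():
    """[2 I_8 | A] over GF(5) from OD(8; 2, 6) with a -> 1, b -> 2: (lemma check, self-dual?, A mod 5)."""
    A = substitute(OD_8_2_6, {'a': 1, 'b': 2})
    G = generator_matrix(2, A, 5)
    return lemma1_condition((2, 6), (1, 2), 2, 5), is_self_orthogonal(G, 5), [[x % 5 for x in r] for r in A]


def example2():
    """[I_4 | A] over GF(3) from OD(4; 2, 2) with a, b -> 1: (lemma check, self-dual?, weight distribution)."""
    A = substitute(OD_4_2_2, {'a': 1, 'b': 1})
    G = generator_matrix(1, A, 3)
    return lemma1_condition((2, 2), (1, 1), 1, 3), is_self_orthogonal(G, 3), weight_distribution(G, 3)


def code_8_4_4():
    """The [8,4,4] code of Section 3 over GF(5): (self-dual?, weight distribution)."""
    G = generator_matrix(2, A_8_4_4, 5)
    return is_self_orthogonal(G, 5), weight_distribution(G, 5)


if __name__ == "__main__":
    print("Example 1 (c+a^2, divisible), self-dual:", example1()[:2])
    print("Example 2 (c+a^2, divisible), self-dual, W:", example2())
    print("[8,4,4] self-dual, W:", code_8_4_4())
```

Running it shows the two sides of Lemma 1 at once: Example 1 passes both the $c + a^2$ test and the direct $GG^T = 0$ test, while Example 2 fails both modulo 3 and its weight distribution contains weights not divisible by 3.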
3 The Results

In this section we present the results that we found using either orthogonal designs or orthogonal matrices. In particular we construct the following linear self-dual codes over $GF(5)$: 1. [4,2,2], 2. [8,4,4], 3. [12,6,6], 4. [16,8,6], 5. [20,10,8], 6. [24,12,9], 7. [28,14,10]. The codes (1), (2), (3), (5) are extremal. Self-dual codes over $GF(5)$ with the same parameters were constructed, but with a different method, in [4] and [5]. A [24,12,9] code was also constructed in [4]. A [28,14,10] code is constructed here for the first time. Although it has not been proved yet whether this code is extremal or not, its minimum distance is quite large.

1. The matrix $[I_2 \mid A]$ is the generator matrix of a $[4, 2, 2]$ extremal self-dual code, where $A$ is the following matrix.

A =
  0 2
  2 0

Its weight enumerator is $W(z) = 1 + 8z^{2} + 16z^{4}$.
2. The matrix $[2I_4 \mid A]$ is the generator matrix of an $[8, 4, 4]$ extremal self-dual code, where $A$ is the following matrix.

A =
  3 3 2 3
  3 3 3 2
  3 2 3 3
  2 3 3 3

Its weight enumerator is $W(z) = 1 + 48z^{4} + 32z^{5} + 288z^{6} + 128z^{7} + 128z^{8}$.

3. The matrix $[I_6 \mid A]$ is the generator matrix of a $[12, 6, 6]$ extremal self-dual code, where $A$ is the following matrix.

A =
  3 3 4 3 4 0
  4 3 3 0 3 4
  3 4 3 4 0 3
  2 0 1 3 4 3
  1 2 0 3 3 4
  0 1 2 4 3 3

Its weight enumerator is $W(z) = 1 + 440z^{6} + 528z^{7} + 2640z^{8} + 2640z^{9} + 5544z^{10} + 2640z^{11} + 1192z^{12}$.

4. The matrix $[2I_8 \mid A]$ is the generator matrix of a $[16, 8, 6]$ self-dual code, where $A$ is the following matrix.

A =
  2 1 1 3 2 2 3 2
  1 2 3 1 2 2 2 3
  4 2 2 1 3 2 3 3
  2 4 1 2 2 3 3 3
  3 3 2 3 2 1 1 3
  3 3 3 2 1 2 3 1
  2 3 2 2 4 2 2 1
  3 2 2 2 2 4 1 2

Its weight enumerator is
$W(z) = 1 + 160z^{6} + 192z^{7} + 2880z^{8} + 5568z^{9} + 26848z^{10} + 37824z^{11} + 89568z^{12} + 84480z^{13} + 91392z^{14} + 39936z^{15} + 11776z^{16}$.
5. The matrix $[I_{10} \mid A]$ is the generator matrix of a $[20, 10, 8]$ extremal self-dual code, where $A$ is the following matrix.

A =
  3 3 4 1 1 3 0 0 0 2
  1 3 3 4 1 2 3 0 0 0
  1 1 3 3 4 0 2 3 0 0
  4 1 1 3 3 0 0 2 3 0
  3 4 1 1 3 0 0 0 2 3
  2 3 0 0 0 3 1 1 4 3
  0 2 3 0 0 3 3 1 1 4
  0 0 2 3 0 4 3 3 1 1
  0 0 0 2 3 1 4 3 3 1
  3 0 0 0 2 1 1 4 3 3

Its weight enumerator is
$W(z) = 1 + 2280z^{8} + 23408z^{10} + 72960z^{11} + 241680z^{12} + 437760z^{13} + 1203840z^{14} + 1586880z^{15} + 2229840z^{16} + 1901520z^{17} + 1418160z^{18} + 528960z^{19} + 118336z^{20}$.

6. The matrix $[2I_{12} \mid A]$ is the generator matrix of a $[24, 12, 9]$ self-dual code, where $A$ is the following matrix.

A =
  4 1 1 1 1 1 1 1 4 0 1 4
  1 4 1 1 1 1 1 4 1 1 4 0
  1 1 4 1 1 1 4 1 1 4 0 1
  4 4 4 4 1 1 1 0 4 4 4 1
  4 4 4 1 4 1 0 4 1 4 1 4
  4 4 4 1 1 4 4 1 0 1 4 4
  4 4 1 4 0 1 4 1 1 1 1 1
  4 1 4 0 1 4 1 4 1 1 1 1
  1 4 4 1 4 0 1 1 4 1 1 1
  0 4 1 1 1 4 4 4 4 4 1 1
  4 1 0 1 4 1 4 4 4 1 4 1
  1 0 4 4 1 1 4 4 4 1 1 4

Its weight enumerator is
$W(z) = 1 + 1056z^{9} + 11088z^{10} + 36960z^{11} + 212352z^{12} + 591360z^{13} + 2382336z^{14} + 5287040z^{15} + 13796640z^{16} + 23037696z^{17} + 39528720z^{18} + 46163040z^{19} + 49252896z^{20} + 35604800z^{21} + 20240352z^{22} + 6832320z^{23} + 1161968z^{24}$.
7. The matrix $[2I_{14} \mid A]$ is the generator matrix of a $[28, 14, 10]$ self-dual code, where $A$ is the following matrix.

A =
  3 3 3 0 3 1 3 3 3 4 3 1 1 0
  3 3 3 3 0 3 1 0 3 3 4 3 1 1
  1 3 3 3 3 0 3 1 0 3 3 4 3 1
  3 1 3 3 3 3 0 1 1 0 3 3 4 3
  0 3 1 3 3 3 3 3 1 1 0 3 3 4
  3 0 3 1 3 3 3 4 3 1 1 0 3 3
  3 3 0 3 1 3 3 3 4 3 1 1 0 3
  2 0 4 4 2 1 2 3 3 1 3 0 3 3
  2 2 0 4 4 2 1 3 3 3 1 3 0 3
  1 2 2 0 4 4 2 3 3 3 3 1 3 0
  2 1 2 2 0 4 4 0 3 3 3 3 1 3
  4 2 1 2 2 0 4 3 0 3 3 3 3 1
  4 4 2 1 2 2 0 1 3 0 3 3 3 3
  0 4 4 2 1 2 2 3 1 3 0 3 3 3

Its weight enumerator is
$W(z) = 1 + 3500z^{10} + 9856z^{11} + 99820z^{12} + 362152z^{13} + 1938224z^{14} + 6041504z^{15} + 22861496z^{16} + 57103424z^{17} + 154245868z^{18} + 300198752z^{19} + 575888012z^{20} + 833084840z^{21} + 1106507192z^{22} + 1116111808z^{23} + 955594024z^{24} + 598184608z^{25} + 281403808z^{26} + 81992064z^{27} + 11884672z^{28}$.
References
1. J.H. Conway and N.J.A. Sloane, A new upper bound on the minimal distance of self-dual codes, IEEE Trans. Inform. Theory, 36 (1990), 1319-1333.
2. A.V. Geramita, J.M. Geramita, and J. Seberry Wallis, Orthogonal designs, Linear and Multilinear Algebra, 3 (1976), 281-306.
3. A.V. Geramita and J. Seberry, Orthogonal designs: Quadratic forms and Hadamard matrices, Marcel Dekker, New York-Basel, 1979.
4. M. Harada, Double circulant self-dual codes over GF(5), Ars Combinatoria, to appear.
5. J.S. Leon, V. Pless, and N.J.A. Sloane, Self-dual codes over GF(5), J. Combin. Theory Ser. A, 32 (1982), 178-194.
6. F.J. MacWilliams and N.J.A. Sloane, The theory of error-correcting codes, North-Holland, Amsterdam, 1977.
7. E. Rains and N.J.A. Sloane, Self-dual codes, in Handbook of Coding Theory, eds. V. Pless et al., Elsevier, Amsterdam, 1998.
8. V.D. Tonchev, Codes, in The CRC Handbook of Combinatorial Designs, eds. C.J. Colbourn and J.H. Dinitz, CRC Press, Boca Raton, Fla., 1996, 517-543.
Designs, Intersecting Families, and Weight of Boolean Functions

Eric Filiol
Ecoles Militaires de Saint-Cyr Coëtquidan, DGER/CRECSC/DSI, 56381 Guer Cedex
[email protected].gouv.fr

Abstract. Determining the weight of Boolean functions is of exponential complexity. By using combinatorial results, it is proved that from their algebraic normal form (ANF) it is possible to have polynomial time results on the weight, for some classes of functions. As a result, the structure of the majority functions $MAJ_{2q-1}$ is given.
1 Introduction

The weight of a Boolean function $f : F_2^{n} \to F_2$ is defined by

$$wt(f) = \left| \{ x \in F_2^{n} : f(x) = 1 \} \right|$$

and a balanced Boolean function is such that $wt(f) = 2^{n-1}$. One important problem for these functions is precisely computing their weight, or at least identifying functions which are balanced or not balanced. This problem occurs recurrently in different areas such as cryptology [12] (since unbalancedness means predictability, that is to say weakness), coding theory [15], logic circuit design, and circuit testing (fault testing [7], built-in self testing [8]). The applications are very numerous, and their theoretical role very important. Among many, we can take the example of the propagation criterion. It is precisely defined by means of balanced Boolean functions [16]. Another very important example (in cryptology and coding theory) is that of bent functions. They are known to have strong resistance against some cryptanalysis, but they are not balanced. Different attempts have succeeded in bypassing this drawback: either partially-bent functions have been defined [5], or balancedness has been obtained, together with high nonlinearity, from bent functions [11]. Unfortunately, determining or computing the weight of Boolean functions is of exponential complexity $O(2^{n})$, where $n$ is the number of variables. So as soon as $n$ takes large values, the task becomes unfeasible. Consequently, constructing Boolean functions with given balancedness is as complex as computing their weight, except for some easy instances.

In this paper, we will show how to construct some classes of functions with fixed balancedness, by applying combinatorial results to the algebraic normal form (ANF) of the Boolean functions. Conversely, considering this ANF, it is possible in polynomial time to have information on the weight. Such information is important in itself for using these functions in the construction of balanced functions [6]. The chosen representation for Boolean functions is their Algebraic Normal Form (ANF). It has the advantage that it describes the function directly and yields a compact representation. Moreover, this representation is generally preferred in areas as different as cryptology and logic testing, for example. Recently [19], the ANF has been used to study nonlinearity from a new point of view, by considering the number of terms.

The paper is organized as follows. Section 2 contains a brief description of the combinatorial theory we need and some basic notation and definitions on Boolean function theory. Section 3 presents a new combinatorial view of the ANF by linking it with combinatorial objects such as designs, and exposes results on the weight of some functions. Section 4 gives a combinatorial characterization of the ANF structure of majority functions and proves they are very bad cryptographic functions when $n$ is small. An extended version of this paper is available by contacting the author. It contains construction and characterization algorithms to build balanced Boolean functions with totally controllable ANF structure.

* Also INRIA - Projet Codes - Domaine de Voluceau - Rocquencourt - BP 105, 78153 Le Chesnay Cedex, France - [email protected]

M. Walker (Ed.): IMA - Crypto & Coding '99, LNCS 1746, pp. 70-80, 1999. © Springer-Verlag Berlin Heidelberg 1999
2 Preliminaries

In all this paper, the addition will be done in the finite field $F_2$ (modulo 2), unless otherwise stated. We limit ourselves to the functions without constant term, since $wt(1 + f) = 2^{n} - wt(f)$.

2.1 Boolean Functions

Since we exclusively focus on the ANF of Boolean functions, some notation needs to be set. Let $f$ be a Boolean function, $f : F_2^{n} \to F_2$. Its ANF will be described by

$$f(x_1, x_2, \ldots, x_n) = \sum_{\alpha \in F_2^{n}} a_{\alpha} x^{\alpha}, \qquad a_{\alpha} \in F_2,$$

where $x = (x_1, x_2, \ldots, x_n)$ and $x^{\alpha} = x_1^{\alpha_1} x_2^{\alpha_2} \cdots x_n^{\alpha_n}$ with $\alpha_i \in F_2$. The coefficients $a_{\alpha}$ of the ANF can be obtained by the Möbius transform [15]:

$$a_{\alpha} = \mu(\alpha) = \sum_{\beta \preceq \alpha} f(\beta_1, \beta_2, \ldots, \beta_n)$$

where $\preceq$ describes the partial ordering of the subset-lattice of $F_2^{n}$. Otherwise said, $\beta \preceq \alpha \iff \beta_i \le \alpha_i\ \forall i$. Since the Möbius transform is involutive we also have $f(x) = \sum_{\alpha \preceq x} \mu(\alpha)$. In a binary context, we can denote any monomial of $f$ by $\alpha$ and the ANF itself as the set

$$A(f) = \{ \alpha \in F_2^{n} : a_{\alpha} = 1 \}.$$

This set yields a more convenient way to manipulate the ANF. The minimum degree of $f$, $d_{min}(f)$, of the ANF is defined as

$$d_{min}(f) = \min_{\alpha \in A(f)} wt(\alpha)$$

where $wt(\cdot)$ denotes the Hamming weight. The minimum degree is then the minimum total degree of the different monomials composing the ANF. The degree of $f$, seen as a multivariate polynomial, will be noted $\deg(f)$. We will use the notion of support of $\alpha \in F_2^{n}$:

$$supp(\alpha) = \{ i \in N_n : \alpha_i = 1 \}.$$

So $supp(\alpha)$ is a subset of $N_n = \{1, 2, \ldots, n\}$ when we consider the non-zero coordinates of $\alpha$ in its base 2 decomposition. Equivalently, $supp(\alpha)$ is identified with $\alpha$ itself, since the context is binary. We will then need the notion of covering of a monomial, and we denote it

$$cov(\alpha) = \left| \{ \beta \in A(f) : supp(\beta) \subseteq supp(\alpha) \} \right|.$$

When $\alpha \in A(f)$ then $cov(\alpha) \ge 1$; in general $cov(\alpha) \bmod 2$ is the value $f(\alpha)$, by involutivity of the Möbius transform. The covering of $\alpha$ will be said odd if $cov(\alpha) \equiv 1 \pmod 2$ and even otherwise. Finally, $x$ is said to cover $\alpha \in A(f)$ if $supp(\alpha) \subseteq supp(x)$, equivalently denoted $\alpha \preceq x$. We will say that $\alpha$ and $\beta$ are non-comparable elements for this partial ordering (antichain) when neither $\alpha \preceq \beta$ nor $\beta \preceq \alpha$. Let us sum up the previous notation by a short example.

Example 1 Let $f(x_3, x_2, x_1) = x_1 + x_1 x_2 + x_2 x_3 + x_1 x_2 x_3$ over $F_2^{3}$. Then we have $A(f) = \{(0,0,1), (0,1,1), (1,1,0), (1,1,1)\}$, and $supp(111) = \{1, 2, 3\}$ covers all the monomials. Moreover $d_{min}(f) = 1$.

The notation $f(x)$ and $f(A)$ for some $A \subseteq N_n$ with $A = supp(x)$ will be equivalent. Evaluating one of them consists in counting the monomials $\alpha \preceq x$ (by involutivity of the Möbius transform). At last, $\bar{f}(x) = \bar{f}(A)$ will denote $f(N_n \setminus A) = f(x + \mathbf{1})$, where $\mathbf{1}$ stands for $(1, 1, \ldots, 1)$. It is a known result [17] that the ANF of a balanced Boolean function has degree $< n$. We now give such a characterization with the minimal degree.

Proposition 1 Let $f$ be a Boolean function on $F_2^{n}$. If $d_{min}(f) > \frac{n}{2}$ then $f$ is underbalanced.

Proof. If $d_{min}(f) > \frac{n}{2}$, then $f(x) = 1$ only if $wt(x) \ge d_{min}$. According to the parity of $n$, by using the binomial expansion of $2^{n}$, it is easy to see that fewer than $2^{n-1}$ such values give $f(x) = 1$. The proposition is proved.
2.2 Designs and Intersecting Families

Definition 1 A $t$-$(v, k, \lambda)$ design is a pair $(V, B)$ where $V$ is a $v$-element set of points and $B$ is a collection of $k$-element subsets of $V$ (blocks) with the property that every $t$-element subset of $V$ is contained in exactly $\lambda$ blocks.

When $t = 2$ such a design is called a Balanced Incomplete Block Design (BIBD). In this case, two other parameters are of great use: $r$, the replication number, that is to say the number of blocks in which each point is contained, and $b = |B|$, the number of blocks of the design. Some necessary conditions on the parameters must be satisfied for the existence of such an object (admissible parameters):

$$r(k - 1) = \lambda(v - 1), \qquad bk = vr, \qquad v \le b \ \text{(Fisher's inequality)}.$$

Working on $F_2$, we will consider only simple designs, in other words designs with no repeated blocks. Additionally, a design will be called complete if it is simple and contains $\binom{v}{k}$ blocks. A BIBD is symmetric (SBIBD for short) when $b = v$, or equivalently $k = r$. Then $\lambda$ is the constant number of points in every intersection of two blocks. An arc is an $s$-element subset of $V$ containing no block of $B$, and an $s$-arc will be said complete if it is not properly contained in an $(s+1)$-arc. In order to unify the notation between the combinatorial world and that used for Boolean functions, we will replace $v$ by $n$, where $n$ denotes the number of variables of the function. So we will talk about $(n, k, \lambda)$ designs, since we will use this kind of object to study Boolean functions.

The other combinatorial concept which will be important for us is that of intersecting family.

Definition 2 [4] Let $\mathcal{F}$ be a family of subsets of an $n$-set. $\mathcal{F}$ is said intersecting if

$$\forall A, B \in \mathcal{F}, \quad A \cap B \ne \emptyset.$$

The interesting property of this kind of combinatorial object, very important for characterizing the balanced Boolean functions, is now given:

Proposition 2 Let $\mathcal{F}$ be an intersecting family of subsets of an $n$-set. Then $|\mathcal{F}| \le 2^{n-1}$.

There exist intersecting families reaching this upper bound. Intersecting families of size $2^{n-1}$ are too numerous to even try to classify them. See [4] for some examples. For an extended presentation of these preceding combinatorial objects see [2,4,10,13].
3 ANF and SBIBD

The strong regularity and symmetry properties of SBIBD make them hopefully good candidates as construction objects for balanced Boolean functions. Indeed, balancedness can itself be seen as a regularity property. We will limit ourselves at first to the SBIBD, these combinatorial objects being the most strongly regular, but all the results can be easily generalized to other $t$-$(v, k, \lambda)$ designs. First of all, we need to define precisely the links between designs (and more generally combinatorial structures) and the ANF of a Boolean function.

Definition 3 Let $f : F_2^{n} \to F_2$ be a Boolean function. Let $B = \{ supp(\alpha) : \alpha \in A(f) \}$ and $V = N_n$. Then $f$ and the structure $(V, B)$ will be said associate. When $(V, B)$ is a $t$-$(n, k, \lambda)$ design for some parameters $n$, $k$ and $\lambda$, it is called the associate design of $f$.

The structure $(V, B)$ can be any of those known (PIBD, projective planes, designs, orthogonal arrays, ... [10]). So in the case of $t$-$(n, k, \lambda)$ designs, the ANF contains only monomials of total degree $k$, that is to say $d_{min} = k = \deg(f)$. Each block is in fact the support of one monomial of the ANF. Hence, evaluating $f(x)$ for some $x \in F_2^{n}$ consists in considering how many blocks are included in $supp(x)$.

Example 2 The ANF $f(x_3, x_2, x_1) = x_1 x_2 + x_1 x_3 + x_2 x_3$ is associated with a $(3, 2, 1)$ (complete) symmetric design with $V = \{1, 2, 3\}$ and $B = \{\{1, 2\}, \{1, 3\}, \{2, 3\}\}$. Then $f(111) = 1$ since $supp(111) = \{1, 2, 3\}$ contains the three blocks (monomials).

A first property concerning SBIBD must be established for some further results.

Proposition 3 In a $2$-$(n, k, \lambda)$ SBIBD with $n \ne k$, for all $(b_i, b_j) \in B \times B$ we have

$$b_i \cup b_j = V \iff k = n - 1.$$

Proof. By definition $|b_i| = |b_j| = k$ and by the symmetry property $|b_i \cap b_j| = \lambda$. If $b_i \cup b_j = V$ then we have $\lambda = 2k - n$. With the symmetry property again we also have $\lambda = \frac{k(k-1)}{n-1}$. We easily obtain the following equation in the unknown $k$: $k^{2} - (2n - 1)k + (n^{2} - n) = 0$, i.e. $(k - n)(k - n + 1) = 0$. Since $n \ne k$, the only possible solution gives $k = n - 1$. The converse is straightforward to prove.

Remark: the SBIBD relating to Proposition 3 are the $(n, n-1, n-2)$ complete symmetric designs.

To illustrate this combinatorial approach, we can differently characterize a very simple result, generally easily proved by a polynomial approach:
F 2 a Boolean function associated with an (n n − Proposition 4 Let f : F 2n 1 n − 2) symmetric desi n. Then f is never balanced except for n 2 3 and its wei ht is iven by : n if n even wt(f ) = n + 1 if n odd
Desi ns, Intersectin Families, and Wei ht of Boolean Functions
75
Proof. By de nition, the ANF of f only contains monomials of de ree n − 1. It follows that only the x F 2n of wei ht n and n − 1 could ive f (x) = 1 (by application of proposition 3). Those of wei ht n − 1 do. There are n such values correspondin to the number of blocks. It su ces to check for the sole x = 1 of wei ht n and we et the result on the wei ht. For f to be balanced, we must 2 3 . solve 2n−1 = n (n even) or 2n−1 = n+1 (n odd) which corresponds to n The only balanced Boolean functions associate to such SBIBD are then the linear function on two variables and the sole function of de ree 2 which is the function of the Example 2. In order to eneralize the result of Proposition 4, we will use the followin proposition : Proposition 5 Let be a (n k ) SBIBD. Then the number of subsets of N n containin at least one block of the SBIBD is lower or equal to 2n−1 . Proof. We use the fact that the blocks of a SBIBD consists of an intersectin family (since = 0). It follows that the subsets containin at least one of them consists of an intersectin family too. The result is obtained by applyin Proposition 2. Remark : It is not possible to forecast equality to 2n−1 . For example the (7 3 1) SBIBD (projective plane of order 2) reaches it but its complementary desi n (7 4 2) does not. We now can ive the eneral result : Theorem 1 Let be a (n k ) SBIBD with (n k) (2 1) (3 2) and f its associate Boolean function. Then f is underbalanced that is to say wt(f ) < 2n−1 Proof. We will take v > k since for this case the associate function is obviously underbalanced (its wei ht is moreover 1). Let us consider U = supp(x) f (x) = 1 and let denote the intersectin family, which consists of all subsets of N n containin at least one block. Clearly U (f (x) = 1 if there exists an odd number of blocks contained in supp(x)). If < 2n−1 the result is immediate. Suppose = 2n−1 and consider a = bi bj the union of any two blocks of B ( a = 2k − ). 
We have $a \in U$ if and only if the number of blocks included in $a$ is odd. Let us now show that the union of any two blocks contains only two blocks. So suppose that there exists a block $b_l$ such that $b_l \subseteq b_i \cup b_j$ with $i, j, l$ all distinct. This is equivalent to one of the three following cases, coming from the fact that $|b_i \cup b_j \cup b_l| = 2k - \lambda = 3k - 3\lambda + |b_i \cap b_j \cap b_l|$:
- $2k - \lambda = 3k - 2\lambda$ ($|b_l \cap b_j \cap b_i| = \lambda$). This leads to the non-valid solution $v = k$.
- $2k - \lambda = 3k - 3\lambda$ (all two-block intersections are disjoint). This equation yields a $(2k - 1, k, k/2)$ SBIBD, or, since $2k - 1$ is odd and $k$ even, a $(4q - 1, 2q, q)$ SBIBD for some $q$ (which exists: consider the Bruck-Ryser-Chowla
76
Eric Filiol
theorem [10] and take $q = p^2$). Now consider $\overline{U} = \{x \mid f(x) = 0\}$. Thus
$$|\overline{U}| \ge \underbrace{\sum_{i=0}^{k-1}\binom{n}{i} + \binom{n}{k} - b}_{> 2^{n-1}}, \qquad \text{where } b = \frac{n(n-1)}{k(k-1)} \text{ is the number of blocks.}$$
Thus $|U| = 2^n - |\overline{U}| < 2^{n-1}$.
- $2k - \lambda = 3k - 2\lambda' - 3\lambda''$ ($|b_l \cap b_j \cap b_i| = \lambda'$ and $\lambda = \lambda' + \lambda''$ with $\lambda' \neq 0$ and $\lambda'' \neq 0$; recall that in a SBIBD $\lambda$ represents the number of common points in any two blocks). This easily yields the inequality $\lambda < k < 2\lambda$ (using $0 < \lambda'' < \lambda$). Since $\lambda = \frac{k(k-1)}{n-1}$, it is equivalent to $k < n < 2k - 1$, that is to say $k > \frac{n+1}{2}$. In this case, the function is underbalanced since the minimal degree $d_{min}$ is too high. The theorem is proved.

Remark: if $b$ is even the result is immediate since $f(\mathbf{1}) = 0$, whence $|U| < 2^{n-1}$.

The following definition will be useful later:

Definition 4 Let $f$ be a Boolean function whose ANF satisfies the intersecting property (i.e. any two blocks have non-empty intersection). The associated intersecting family is the intersecting family, each subset of which contains the support of at least one monomial of $A(f)$.
Corollary 1 Let a $(n, k, \lambda)$ SBIBD be given and $f$ its associated Boolean function. Then we have:
$$\sum_{i=0}^{k-\lambda-1} b\binom{n-k}{i} < wt(f) < 2^{n-1}$$
where $b = \frac{n(n-1)}{k(k-1)}$ is the number of blocks of the SBIBD.
Proof. The upper bound comes from Theorem 1. The lower bound expresses the number of $x$ covering only one block (so $f(x) = 1$), the weight of which ranges from $k$ to $2k - \lambda - 1$ (since the intersection of any two blocks has $\lambda$ points). To get a tighter lower bound, we should thus take account of the number of $s$-arcs ($2k - \lambda \le s \le m$, $m$ standing for the value of maximality for an arc in a SBIBD). Enumerating these arcs is still an open problem since only existence results are known (particularly for partial geometries; for details see [3,14,18]).

This corollary gives an interesting characterization of a family of underbalanced Boolean functions (and of course of overbalanced ones by taking $1 + f(x)$) with bounded weight, only with knowledge of the structure of their ANF. Theorem 1, contrary to what one may think, is not disappointing at all. Indeed, it reinforces a very important principle of cryptology: structure is often equivalent to weakness. Here the strong properties of the SBIBD give imbalance to its associated Boolean function, which constitutes a cryptographic weakness. If we give up the symmetry property of SBIBD, we have the following very strong result:
Theorem 2 Let $f : F_2^n \to F_2$ with $n = 2^q - 1$, whose ANF describes a $\left(2^q - 1,\ 2^{q-1},\ \binom{2^q - 3}{2^{q-1} - 2}\right)$ design (associated design). Then $f$ is balanced.

Proof. Such a function (since associated to a complete design) contains $\binom{2^q - 1}{2^{q-1}}$ monomials (blocks). Hence the associated intersecting family clearly has size $2^{n-1}$ where $n = 2^q - 1$. For any two distinct blocks $b_i$ and $b_j$ of this design we have $|b_i \cap b_j| \in \{1, \dots, \frac{n-1}{2}\} = K$ and $|b_i \cup b_j| = |b_i| + |b_j| - |b_i \cap b_j|$, otherwise said $|b_i \cup b_j| = 2 \cdot \frac{n+1}{2} - k = n + 1 - k$ where $k \in K$. So $f$ will be balanced if the union of two blocks covers an odd number of blocks (without loss of generality it suffices to consider the union of only two blocks; in fact in the proof of Proposition 6 we will show that considering only this case is sufficient), or equivalently said if
$$\binom{n + 1 - k}{\frac{n+1}{2}} \equiv 1 \pmod 2 \qquad \forall k \in K.$$
Since $supp\left(\frac{n+1}{2}\right) \subseteq supp(n + 1 - k)$, we get the result by applying Lucas' theorem [1].
4
ANF Structure of the Majority Functions
The designs of Theorem 2 are the complete designs of order $2^q - 1$. The associated functions are also the $MAJ_{2^q - 1}$ functions. To prove it, we first give the following strong result on the structure of the $MAJ_n$ functions (balancedness of these functions is a known result [6]). Without loss of generality, we limit ourselves to the case of $n$ odd. When $n$ is even, $\binom{n}{n/2}$ functions are to be considered but the proof is the same, yet slightly more technical. The $MAJ_n$ functions are widely used and thus very interesting: in the design of common logic circuits like $n$-bit adders, in logic circuit testing, in cryptography (as in MD5, SHA or as local combining functions in stream ciphers), in coding theory (majority decoding, where these functions can be implemented directly in hardware [9, Meggitt decoder, pp 1581]). But their use and implementation, for $n$ high, is limited by the exponential complexity of computing their ANF.

Proposition 6 Let $f$ be a $MAJ_n$ function. Its ANF satisfies the following conditions and then is balanced:
1. any two monomials of $A(f)$ have non-empty support intersection (intersecting property);
2. the support of every monomial of $A(f)$ covers an odd number of monomials of $A(f)$, i.e. $cov \equiv 1 \bmod 2$ (odd covering parity property);
3. the union of the supports of any two monomials of $A(f)$ covers an odd number of monomials of $A(f)$ (odd union covering parity property).

Proof. By definition of $f$ and according to the parity of $n$, we will have $\binom{n}{\frac{n+1}{2}}$ ($n$ odd) or at least $\frac{1}{2}\binom{n}{n/2}$ ($n$ even) monomials. So by taking all the $k$-subsets $A$ of $N_n$ such that $k \ge d_{min}$ ($d_{min} = \frac{n+1}{2}$ or $\frac{n}{2}$), the family of all subsets containing at least the support of one monomial of $A(f)$ is intersecting and has size $2^{n-1}$ (by application of the intersecting property of the ANF and by the number of monomials of total degree $d_{min}$). We have two cases to consider:
- $A$ is the support of a monomial of $A(f)$. The odd covering parity ensures that $A$ covers an odd number of monomials, so $f(x) = 1$ with $supp(x) = A$.
- $A$ is not the support of a monomial of $A(f)$. By maximality of the prebalancedness, $A$ can be obtained by the union of the supports of some monomials of $A(f)$ of weight $\frac{n+1}{2}$ (or $\frac{n}{2}$ if $n$ even) and the odd union covering parity property ensures that $f(x) = 1$ for $supp(x) = A$. In fact, for the last case, we should prove that for any $I = \bigcup_{i \in S} I_i$, the $I_i$ being supports of monomials of $A(f)$, $cov(I) \equiv 1 \bmod 2$, but in fact it suffices to prove it for $i = 2$. If $I = I_1 \cup I_2 \cup I_3$ and supposing that $I_1 \cup I_2$, $I_1 \cup I_3$ and $I_2 \cup I_3$ are all three of odd cardinality (that is to say we consider the property true for $i = 2$), we easily show that $I$ is of odd cardinality too, by application of the Möbius inversion formula, since
$$|I| = |I_1| + |I_2| + |I_3| - \sum_{i < j} |I_i \cap I_j| + |I_1 \cap I_2 \cap I_3|.$$
The generalization to any $i$ monomials of $A(f)$ ($i > 3$) is immediate. By construction it is easy to see that these functions are the $MAJ_n$ functions since for all $x$ such that $wt(x) \ge d_{min}$, $f(x) = 1$.

Remark: By application of Theorem 2 and Proposition 6, we have totally defined the structure of the ANF of the $MAJ_{2^q - 1}$ functions. They consist of all the monomials of total degree $2^{q-1}$. This result is very important for logic circuit design. Indeed, we no longer need to compute their ANF (exponential complexity) to completely know their structure. Properties 2 and 3 of Proposition 6 ensure that the intersecting family $\mathcal{F}$ containing $A(f)$ does not have the union property ($F \cup F' \neq N_n$ for all $F, F' \in \mathc al{F}$). Otherwise, according to the Daykin-Lovász-Schönheim theorem [13], we would have $|\mathcal{F}| < 2^{n-2}$. Unfortunately, the $MAJ_n$ functions are not good cryptographic functions, except for asymptotic values of $n$.

Proposition 7 The Boolean functions $MAJ_n$ have correlation order 1 and
$$P[MAJ_n(x) = x_i] = \frac{1}{2} + \frac{\binom{n-1}{\frac{n-1}{2}}}{2^n}.$$
Proof. In fact, by using the fact that $MAJ_n(x) + MAJ_n(x + \mathbf{1}) = 1$ (self-dual functions [6]) it is easy to prove the correlation order by means of the Walsh transform, but this technique does not give the correlation value. So we use a different approach, yet close to that of the Walsh transform, to prove the complete result. Once again, we limit ourselves to $n$ odd, without loss of generality. We have correlation order 1 if $P[MAJ_n(x) = x_i] \neq \frac{1}{2}$. So let us compute $I = |\{x \in F_2^n \mid MAJ_n(x) = x_i\}|$ for some arbitrary $i$. Two different cases are to be considered:
- $x_i = 0$ and $MAJ_n(x) = 0$. Once $x_i$ is fixed to 0, we have to choose at most $\frac{n-1}{2}$ ones among $n - 1$ positions. Then $x$ will be of weight $< \frac{n+1}{2}$ and $MAJ_n(x) = 0$. There are $\sum_{j=0}^{\frac{n-1}{2}} \binom{n-1}{j}$ such values.
- $x_i = 1$ and $MAJ_n(x) = 1$. In a similar way, we have $\sum_{j=\frac{n-1}{2}}^{n-1} \binom{n-1}{j}$ such values.
Finally $I = \sum_{j=0}^{\frac{n-1}{2}} \binom{n-1}{j} + \sum_{j=\frac{n-1}{2}}^{n-1} \binom{n-1}{j}$, that is to say $I = 2^{n-1} + \binom{n-1}{\frac{n-1}{2}}$. To speak in terms of probability, we normalize by $2^n$ and get the result.

Remark: It is easy to prove in the same way that $P[MAJ_n(x) = \sum_i x_i] = \frac{1}{2}$ when the number of $x_i$ is even. When $n \to \infty$ and with the Stirling approximation of $n!$, we easily see that the second term (deviation from $\frac{1}{2}$) tends to 0. This means that asymptotically, $MAJ_n(x)$ is a good cryptographic function.
5
Conclusion
By using combinatorial results and objects, we have shown that it is easy to have direct knowledge of the weight and the structure of some Boolean functions. In particular, by linking the ANF of these functions with combinatorial objects like designs, it has been possible to build Boolean functions with given balancedness in polynomial time. Characterization of the structure of some $MAJ_n$ functions also becomes easy by the same approach. However, and generally speaking, these latter have been proven to be bad for cryptographic use, except for a very high number of variables. These results yield effective means of practical construction of these different functions, as well as characterization from their ANF. The algorithms are presented in the extended version.
6
Acknowledgements
I would like to thank Anne Canteaut and Pascale Charpin from INRIA. Their valuable comments helped me very much in writing this paper. I thank both and other members of the Codes project at INRIA for their kindness and their welcome.
References
1. E. R. Berlekamp, Algebraic Coding Theory, McGraw-Hill, New York, 1968
2. Th. Beth, D. Jungnickel, H. Lenz, Design Theory, Cambridge University Press, Cambridge, 1986
3. A. Beutelspacher, Classical Geometries, in CRC Handbook of Combinatorial Designs, C. J. Colbourn, J. H. Dinitz eds., CRC Press, 1996
4. P. J. Cameron, Combinatorics: Topics, Techniques, Algorithms, Cambridge University Press, 1996
5. C. Carlet, Partially Bent Functions, Designs, Codes and Cryptography, 3, 135-145, 1993
6. K. Chakrabarty, J. P. Hayes, Balanced Boolean Functions, IEE Proc.-Comput. Digit. Tech., Vol. 145, No. 1, January 1998
7. K. Chakrabarty, J. P. Hayes, Balance testing and balance-testable design of logic circuits, J. Electron. Testing: Theory Appl., 1996, 8, pp 81-86
8. K. Chakrabarty, J. P. Hayes, Cumulative balance testing of logic circuits, IEEE Trans. VLSI Syst., 1995, 3, pp 72-83
9. R. E. Blahut, Decoding of cyclic codes and codes on curves, in Handbook of Coding Theory, V. S. Pless and W. C. Huffman Editors, North-Holland, 1998
10. C. J. Colbourn, J. H. Dinitz eds., The CRC Handbook of Combinatorial Designs, CRC Press, 1996
11. H. Dobbertin, Construction of Bent Functions and Balanced Boolean Functions with High Nonlinearity, Fast Software Encryption, 1994, Lecture Notes in Computer Science, Vol. 1008, Springer Verlag
12. E. Filiol, C. Fontaine, Highly Nonlinear Balanced Boolean Functions with a good Correlation-Immunity, Advances in Cryptology - Eurocrypt'98, Vol 1403, Lecture Notes in Computer Science, Springer Verlag, 1998
13. P. Frankl, Extremal Set Systems, in Handbook of Combinatorics, R. L. Graham, M. Grötschel and L. Lovász (eds), Elsevier, 1995
14. J. W. P. Hirschfeld, Projective Geometries over Finite Fields, Oxford University Press, 1979
15. F. J. MacWilliams, N. J. A. Sloane, The Theory of Error-Correcting Codes, North-Holland Mathematical Library, North-Holland, 1977
16. B. Preneel, W. V. Leekwijck, L. V. Linden, R. Govaerts, J. Vandewalle, Propagation Characteristics of Boolean Functions, in Advances in Cryptology, Eurocrypt'90, vol 437, Springer Verlag, 1991
17. T. Siegenthaler, Correlation Immunity of Nonlinear Combining Functions for Cryptographic Applications, IEEE Transactions on Information Theory, Vol. IT-30, N. 5, 1984, pp 776-780
18. J. A. Thas, Partial Geometries, in CRC Handbook of Combinatorial Designs, C. J. Colbourn, J. H. Dinitz eds., CRC Press, 1996
19. Y. Zheng, X. M. Zhang, H. Imai, Restriction, Terms and Nonlinearity of Boolean Functions, to appear in the Special Issue on Cryptography, Theoretical Computer Science, in honour of Professor Arto.
Coding Applications in Satellite Communication Systems [Invited Paper] Dr Sean McGrath University of Limerick Ireland
Abstract. This paper provides a brief insight into satellite communication systems from the perspective of coding applications. CDMA based systems for use in Low Earth Orbit (LEO) satellite systems are the focus of the paper. The code-division-multiple-access (CDMA) format is emerging as a dominant air interface technology for cellular, personal-communications-services (PCS) as well as satellite installations. This transmission technology relies on a combination of spread-spectrum modulation, Walsh coding, and sophisticated power-control techniques. In a typical CDMA transmitter, a data signal is encoded using a Walsh code and then mixed with the RF carrier, which has been spread using a pseudorandom-noise (PN) source. In a base-station transmitter, multiple data signals are assigned unique Walsh codes and combined. In the CDMA receiver, the signal is filtered and fed to a correlator, where it is despread and digitally filtered to extract the Walsh code. The paper examines some weaknesses of such systems.
LEO System
The systems of Low-earth orbiting (LEO) satellites provide mobile voice, data, facsimile and other mobile satellite services for both domestic and international subscribers. The systems typically consist of a space segment, a user segment and a ground segment, which connects to the terrestrial telephone network. The space segment consists of anything from 10 to 66 satellites orbiting the earth at an altitude of over 1000 km. The user segment is composed of hand-held, mobile and fixed terminals. The ground segment consists of the satellite control center and gateways.
M. Walker (Ed.): IMA - Crypto & Coding'99, LNCS 1746, pp. 81-83, 1999. Springer-Verlag Berlin Heidelberg 1999
CDMA
A CDMA spread spectrum signal is created by modulating the radio frequency signal with a spreading sequence known as a pseudo-noise (PN) digital signal, so called because it makes the signal appear wideband and "noise like". The PN code runs at a higher rate than the RF signal and determines the actual transmission bandwidth. Messages can also be cryptographically encoded to any level of secrecy desired with direct sequencing, as the entire transmitted/received message is purely digital. An SS receiver uses a locally generated replica pseudo-noise code and a receiver correlator to separate only the desired coded information from all possible signals. An SS correlator can be thought of as a specially matched filter: it responds only to signals that are encoded with a pseudo-noise code that matches its own code. Thus an SS correlator (SS signal demodulator) can be "tuned" to different codes simply by changing its local code. This correlator does not respond to man-made, natural or artificial noise or interference. It responds only to SS signals with identical matched signal characteristics and encoded with the identical pseudo-noise code.
Air-Interface
CDMA was selected due to its interference tolerance as well as the security inherent in the modulation scheme. CDMA is able to provide good voice quality while operating at relatively low RF power levels. Path diversity is employed using rake receivers to receive and combine the signals from multiple sources. In the forward direction the use of diversity brings substantial gain if one of the satellites is obstructed. However, in the reverse direction, because this is non-coherent diversity combining, the gain is not as good.
The code channels transmitted by a gateway are assigned as follows. Out of the 128 code channels the forward channel consists of a pilot channel, one sync channel, up to seven paging channels, and a number of Forward Traffic Channels. Multiple forward channels are used in a gateway by placing each forward channel on a different frequency, namely the forward link pilot, sync and paging channel. The pilot channel will generate an all-zeros Walsh code. This is combined with the short code used to separate signals from different gateways and different satellites. The pilot channel is modulo-2 added to the 1.2288 Mc/s short code and is then QPSK spread across the 1.23 MHz CDMA bandwidth. The sync channel is an interleaved, spread and modulated spread-spectrum signal. The sync channel will generate a 1200 b/s data stream that includes time, gateway identification and assigned paging channel. This is convolutionally encoded and block interleaved to combat fast fading. The resulting 4800 symbols per second data stream is modulo-2 added to the sync Walsh code at 1.2288 Mc/s, which is then modulated using QPSK across the 1.23 MHz CDMA bandwidth. The paging channel is used to transmit control information to the user terminal. The paging channel is convolutionally encoded at rate 1/2, constraint length K = 9, and block interleaved. The resulting symbol stream is combined with the long code. The paging channel and long code are modulo-2 added, which is then modulo-2 added to the 1.2288 Mc/s Walsh code.
Modulation & Spreading
The spreading sequence structure for a CDMA channel comprises an inner PN sequence pair and a single outer PN sequence. The inner PN sequence has a chip rate of 1.2288 Mcps and a length of 1024, while the outer PN sequence has an outer chip rate of 1200 outer chips per second and a length of 288. The outer PN sequence modulates the inner PN sequence to produce the actual spreading sequence lasting 240 ms. Exactly one inner PN period is contained within a single outer PN chip. Other parameters such as link delay are important end-to-end parameters. The LEO satellites will provide a much more benign delay than the more common synchronous orbit satellites. Delay is held to 150 ms in each direction. The vocoder uses a Code Excited Linear Prediction (CELP) algorithm which is similar to that used by the IS-96 coder.
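As an added illustration of the Walsh-code channelization and correlator despreading described in the CDMA and Air-Interface sections above (example code, not from the paper): a small Walsh set whose row 0 is the all-zeros pilot code, a 4-stage LFSR standing in for the short PN code, modulo-2 spreading of several code channels, their combination as a gateway transmitter would do it, and a correlator that recovers each channel while an unused Walsh code correlates to zero. The 8-chip Walsh length, the LFSR and the data bits are constructed stand-ins; the period arithmetic at the end uses the figures given in the Modulation & Spreading text.

```python
def walsh_codes(order):
    """Hadamard-ordered Walsh codes of length 2**order as 0/1 rows; row 0 is the all-zeros code
    used by the pilot channel. Built by the recursion H_2n = [[H, H], [H, not H]]."""
    rows = [[0]]
    for _ in range(order):
        rows = [r + r for r in rows] + [r + [b ^ 1 for b in r] for r in rows]
    return rows


def lfsr_sequence(seed, taps, length):
    """Fibonacci LFSR over GF(2): a constructed 4-stage stand-in for the short PN code.
    Output is the last stage; feedback is the XOR of the tapped stages."""
    state = list(seed)
    out = []
    for _ in range(length):
        out.append(state[-1])
        fb = 0
        for t in taps:
            fb ^= state[t]
        state = [fb] + state[:-1]
    return out


def bipolar(bit):
    """Map a 0/1 chip to +1/-1 so that modulo-2 addition becomes multiplication."""
    return 1 - 2 * bit


def spread(data_bits, walsh, pn):
    """Modulo-2 add each data bit to the full Walsh code, then to the PN short code at chip rate."""
    L = len(walsh)
    return [d ^ walsh[j] ^ pn[(i * L + j) % len(pn)]
            for i, d in enumerate(data_bits) for j in range(L)]


def combine(chip_streams):
    """Gateway transmitter: sum the bipolar chip streams of all active code channels."""
    return [sum(bipolar(c) for c in chips) for chips in zip(*chip_streams)]


def correlate(rx, walsh, pn, bit_index):
    """Receiver correlator for one data-bit period: despread with the local Walsh code and PN replica.
    Returns +L for a transmitted 0, -L for a 1, and 0 when this Walsh code carries no channel."""
    L = len(walsh)
    return sum(rx[bit_index * L + j] * bipolar(walsh[j] ^ pn[(bit_index * L + j) % len(pn)])
               for j in range(L))


def despread(rx, walsh, pn, nbits):
    return [0 if correlate(rx, walsh, pn, i) > 0 else 1 for i in range(nbits)]


def outer_chip_rate(inner_rate_cps, inner_length):
    """One inner PN period per outer chip: 1.2288 Mcps / 1024 chips = 1200 outer chips per second."""
    return inner_rate_cps / inner_length


def spreading_period_s(outer_length, outer_rate):
    """288 outer chips at 1200 chips/s = 0.24 s, the 240 ms spreading sequence given in the text."""
    return outer_length / outer_rate


# Constructed sample transmission: three code channels on an 8-chip Walsh set.
WALSH = walsh_codes(3)
PN = lfsr_sequence([1, 0, 0, 0], (3, 2), 15)   # primitive 4-stage LFSR, period 15
PILOT = spread([0, 0, 0, 0], WALSH[0], PN)     # pilot: all-zeros data on the all-zeros Walsh code
SYNC = spread([1, 0, 1, 1], WALSH[3], PN)
TRAFFIC = spread([0, 0, 1, 0], WALSH[5], PN)
RX = combine([PILOT, SYNC, TRAFFIC])
```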
Conclusion
This paper provides an insight into and overview of LEO systems, the applications in this current area and the possible next generation systems. The underlying focus was on coding used in satellite applications and in particular in CDMA systems. The discussion has involved coding in all aspects of the satellite system, from user terminals to ground stations. The implementation of the various blocks is discussed. Finally the paper looks at future satellite systems and examines the coding requirements.
A Unified Code
Xian Liu¹, Patrick Farrell², and Colin Boyd³
¹ Communications Research Group, School of Engineering, University of Manchester, Manchester M13 9PL, UK
² Communications Research Centre, Lancaster University, Lancaster LA1 4YR, UK
³ School of Data Communications, Queensland University of Technology, Brisbane Q4001, Australia
Abstract. We have proposed a novel scheme based on arithmetic coding, an optimal data compression algorithm in the sense of shortest length coding. Our scheme can provide encryption, data compression, and error detection, all together in a one-pass operation. The key size used is 248 bits. The scheme can resist existing attacks on arithmetic coding encryption algorithms. A general approach to attacking this scheme on data secrecy is difficult. The statistical properties of the scheme are very good and the scheme is easily manageable in software. The compression ratio for this scheme is only 2 % worse than the original arithmetic coding algorithm. As to error detection capabilities, the scheme can detect almost all patterns of errors inserted from the channel, regardless of the error probabilities, and at the same time it can provide both encryption and data compression.
1
Introduction
Data compression, cryptologic algorithms, and error control coding are the central applications in information theory and are the key activities in a communication system. In fact, efficiency and reliability are the main concerns in a communication system. Data compression increases the efficiency by reducing the transmission and storage sizes without losing information significantly; cryptologic algorithms deny unauthorised users trying to read or modify the messages being transmitted or stored; error control coding provides protection against channel errors. For error control, there are two basic strategies: forward error correcting (FEC) and automatic repeat request (ARQ). FEC works with an appropriate error correcting code and can, within the code's ability, automatically recover the inverted bits resulting from channel errors at the receiver end. ARQ applies a suitable error detecting code so that the decoder at the receiver end is, within the code capability, able to detect if the encoded file received has been damaged by channel errors and request the sender to retransmit the file. The essential fact in error control coding is that appropriate redundancy is introduced in the encoded file.
M. Walker (Ed.): IMA - Crypto & Coding'99, LNCS 1746, pp. 84-93, 1999. © Springer-Verlag Berlin Heidelberg 1999
Arithmetic coding provides an effective mechanism for removing redundancy in the encoding of data. It can achieve theoretical compression ratio bounds, so it has gained widespread acceptance as an optimal data compression algorithm. The first practical implementation of arithmetic coding was provided by Witten, Neal, and Cleary [1, 12] in 1987 (which is called the WNC implementation in this paper). Since then, many different implementations of arithmetic coding with different models have appeared. The authors of this paper have investigated the possibilities of providing cryptology and error control based on arithmetic coding and proposed a scheme providing both encryption and data compression [8], a scheme providing both error correction and data compression [10], and a scheme providing encryption, data integrity, and data compression, all together in a one-pass operation [9]. In this paper we propose a unified code that can provide encryption, error detection, and data compression all together in a one-pass operation. The efficiencies in both encryption and data compression are the same as in our previous schemes, but in addition the scheme can detect almost all error patterns inserted from the channel, regardless of the error probabilities.
2
Arithmetic Coding
Arithmetic coding is based on the fact that the cumulative probability of a sequence of statistically independent source symbols equals the product of the source symbol probabilities. In arithmetic coding each symbol in the message is assigned a distinct subinterval of the unit interval of length equal to its probability. This is the encoding interval for that symbol. As encoding proceeds, a nest of subintervals is defined. Each successive subinterval is defined by reducing the previous subinterval in proportion to the current symbol's probability. When the message becomes longer, the subinterval needed to represent it becomes smaller, and the number of bits needed to indicate that subinterval grows. The more likely symbols reduce the subinterval by less than the unlikely symbols and thus add fewer bits to the message. This results in data compression. When all symbols have been encoded, the final interval has length equal to the product of all the symbol probabilities and can be transmitted by sending any number belonging to the final interval. That means if the probability of the occurrence of a message is $p$, arithmetic coding can encode that message in $-\log_2 p$ bits, which is optimal in the sense of the shortest length encoding. The pseudocode of arithmetic coding is as follows:

    /* In the model, symbols are numbered 1, 2, 3, ...
       The cum_prob[ ] stores the cumulative probabilities of symbols
       with cum_prob[i] increasing as i decreases and cum_prob[0]=1.
       The encoding transmits any value in the final [low, high)
       when it is finished. */
    Encoding: The initial encoding interval [low, high) = [0, 1)
    EncodeSymbol (symbol, cum_prob)
        range = high - low;
        high = low + range * cum_prob[symbol-1];
        low = low + range * cum_prob[symbol];

    Decoding: The initial decoding interval [low, high) = [0, 1)
    DecodeSymbol (cum_prob)
        find symbol such that cum_prob[symbol]

ε > 0, there exists $m > 0$ such that for any increasing set $W$ satisfying $h(W) \ge m$, the set of $p$'s for which $\mu_p(W)$ takes values between $\varepsilon$ and $1 - \varepsilon$ is an interval of length smaller than $\varepsilon$. This emphasizes the threshold nature of the function $p \mapsto \mu_p(W)$. The larger $h(W)$, the quicker $\mu_p(W)$ jumps suddenly from almost zero to almost one. Why is this relevant to coding? Because it applies almost immediately to the decoding error probability $f(p)$ in (1). In this case the decoding region $W$ is not increasing, but it is a decreasing set, i.e. $x \in W$ and $y \le x$ imply $y \in W$: Margulis's theorem will also apply. Furthermore, the quantity $h(W)$ is directly dependent on the minimal distance $d$ of the code; namely we have $h(W) \ge d/2$. The consequence is that the decoding error probability $f(p)$ behaves in a threshold manner, i.e. jumps suddenly from almost zero to almost one, and that the jump narrows as the minimum distance grows. Deriving such a result is not straightforward and Margulis's method is especially interesting. It relies on the following identity, later to become known in percolation theory as Russo's identity, which states that for any increasing set $W$:
$$\frac{d\,\mu_p(W)}{dp} = \frac{1}{p} \int_W h_W(x)\, d\mu_p(x) \qquad (2)$$
Margulis then goes on to lower bound the quantity $\int_W h_W(x)\, d\mu_p(x)$ by a function of $\mu_p(W)$. Integrating the resulting differential inequality then yields the threshold behaviour. The method can be named isoperimetric because the integral $\int_W h_W(x)\, d\mu_p(x)$ can be thought of as a measure of the boundary of $W$ and is lower bounded by a function of its volume $\mu_p(W)$. Margulis's theorem was made much more explicit by Talagrand [3] who showed that the estimation of $\mu_p(W)$ can be made more precise by considering a modified measure of the boundary of $W$, namely $\int_W \sqrt{h_W}\, d\mu_p$. Talagrand's isoperimetric inequalities were refined by Bobkov and Goetze [1], and improved again in [4]. After integration, these inequalities yield the following result for increasing sets.

Theorem 2 (Tillich-Zemor 99) Let $W$ be an increasing set of vectors of $F_2^n$, and let $h = h(W)$. Let $p_0$ be defined by $\mu_{p_0}(W) = 1/2$. Then $\mu_p(W)$ satisfies:
$$\mu_p(W) \le 2\,(\ \ - \ln\ \ - \ \ - \ln p) \qquad \text{for } 0 < p \le p_0,$$
where
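Returning to the arithmetic coding pseudocode of Section 2 of A Unified Code above: the following added example (not the authors' implementation) runs EncodeSymbol and DecodeSymbol with the page's cum_prob convention over exact rationals, picks a transmittable binary value from the final interval, and checks that the code length is $-\log_2 p$. The three-symbol model and the message are constructed; the decoder is told the message length, and the decode condition completes the pseudocode where the page breaks off, as noted in the code.

```python
from fractions import Fraction
import math


def cumulative_table(probs):
    """Build cum_prob with the page's convention: symbols are numbered 1..m (probs[s-1] is the
    probability of symbol s), cum_prob[i] increases as i decreases, cum_prob[0] = 1, cum_prob[m] = 0.
    Symbol s owns the subinterval [cum_prob[s], cum_prob[s-1]) of the unit interval."""
    m = len(probs)
    cum = [Fraction(0)] * (m + 1)
    for s in range(m, 0, -1):
        cum[s - 1] = cum[s] + Fraction(probs[s - 1])
    if cum[0] != 1:
        raise ValueError("probabilities must sum to 1")
    return cum


def encode_symbol(low, high, symbol, cum):
    """EncodeSymbol from the page: narrow [low, high) to the current symbol's subinterval."""
    rng = high - low
    return low + rng * cum[symbol], low + rng * cum[symbol - 1]


def encode(message, cum):
    """Encode a whole message; the final [low, high) has length equal to the product of the
    symbol probabilities. Exact rationals are used, so no renormalisation is needed here."""
    low, high = Fraction(0), Fraction(1)
    for s in message:
        low, high = encode_symbol(low, high, s, cum)
    return low, high


def decode_symbol(low, high, value, cum):
    """DecodeSymbol: the page's pseudocode stops at 'find symbol such that cum_prob[symbol] ...';
    the standard completion assumed here is cum_prob[symbol] <= (value-low)/range < cum_prob[symbol-1]."""
    rng = high - low
    t = (value - low) / rng
    for symbol in range(1, len(cum)):
        if cum[symbol] <= t < cum[symbol - 1]:
            return symbol, low + rng * cum[symbol], low + rng * cum[symbol - 1]
    raise ValueError("value outside [low, high)")


def decode(value, n_symbols, cum):
    """Decode n_symbols symbols from any value in the final interval (the message length is assumed
    known to the decoder; the WNC coder instead terminates on an end-of-message symbol)."""
    low, high = Fraction(0), Fraction(1)
    out = []
    for _ in range(n_symbols):
        s, low, high = decode_symbol(low, high, value, cum)
        out.append(s)
    return out


def shortest_codeword(low, high):
    """Smallest k and integer c with low <= c/2^k < high: the k-bit numerator c is what gets
    transmitted, and k is about -log2(high - low)."""
    k = 0
    while True:
        c = math.ceil(low * 2 ** k)
        if Fraction(c, 2 ** k) < high:
            return c, k
        k += 1


def ideal_code_length(low, high):
    """-log2 p for the encoded message, p = high - low being the product of the symbol probabilities."""
    return -math.log2(float(high - low))


# Constructed model: three symbols with probabilities 1/2, 1/4, 1/4 (symbol 1 the most likely).
CUM = cumulative_table([Fraction(1, 2), Fraction(1, 4), Fraction(1, 4)])
MESSAGE = [1, 1, 2, 3, 1]   # constructed message, probability 1/128, so 7 bits ideally
```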