Lecture Notes in Computer Science 4851

Commenced Publication in 1973


Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
University of Dortmund, Germany
Madhu Sudan
Massachusetts Institute of Technology, MA, USA
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Moshe Y. Vardi
Rice University, Houston, TX, USA
Gerhard Weikum
Max-Planck Institute of Computer Science, Saarbruecken, Germany
Serdar Boztaş, Hsiao-Feng (Francis) Lu (Eds.)

Applied Algebra, Algebraic Algorithms and Error-Correcting Codes

17th International Symposium, AAECC-17
Bangalore, India, December 16-20, 2007
Proceedings
Volume Editors

Serdar Boztaş
RMIT University, School of Mathematical and Geospatial Sciences
GPO Box 2476V, Melbourne 3001, Australia
E-mail: [email protected]

Hsiao-Feng (Francis) Lu
National Chung-Cheng University, Department of Communications Engineering
168 University Rd., Min-Hsiung, Chia-Yi, Taiwan
E-mail: [email protected]

Library of Congress Control Number: 2007940905

CR Subject Classification (1998): E.4, I.1, E.3, G.2, F.2

LNCS Sublibrary: SL 1 – Theoretical Computer Science and General Issues

ISSN 0302-9743
ISBN-10 3-540-77223-5 Springer Berlin Heidelberg New York
ISBN-13 978-3-540-77223-1 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting,
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965,
in its current version, and permission for use must always be obtained from Springer. Violations are liable
to prosecution under the German Copyright Law.
Springer is a part of Springer Science+Business Media
springer.com
© Springer-Verlag Berlin Heidelberg 2007
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper SPIN: 12202058 06/3180 543210
Preface

The AAECC Symposia Series was started in 1983 by Alain Poli (Toulouse), who, together with R. Desq, D. Lazard and P. Camion, organized the first conference. Originally the acronym AAECC meant “Applied Algebra and Error-Correcting Codes.” Over the years its meaning has shifted to “Applied Algebra, Algebraic Algorithms and Error-Correcting Codes,” reflecting the growing importance of complexity, particularly for decoding algorithms. During the AAECC-12 symposium the conference committee decided to reinforce the theory and practice of the coding side as well as the cryptographic aspects. Algebra was retained, as in the past, but slightly more oriented to algebraic geometry codes, finite fields, complexity, polynomials, and graphs.
For AAECC-17 the main subjects covered were:

– Block codes, including list-decoding algorithms
– Algebra and codes: rings, fields, algebraic geometry codes
– Algebra: rings and fields, polynomials, permutations, lattices
– Cryptography: cryptanalysis and complexity
– Computational algebra: algebraic algorithms and transforms
– Sequences and boolean functions

Seven invited speakers characterize the aim of AAECC-17:

– Ralf Koetter, “Error Correction for Network Coding Channels”
– Tor Helleseth, “New Attacks on the Filter Generator”
– Tanja Lange, “Arithmetic on Edwards Curves”
– Gary McGuire, “Spectra of Boolean Functions, Subspaces of Matrices, and Going up Versus Going Down”
– Priti Shankar, “Algebraic Structure Theory of Tail-biting Trellises”
– Henning Stichtenoth, “Nice Codes from Nice Curves”
– Manindra Agrawal, “Determinant versus Permanent”
In addition, an Invited List Decoding Session was organized by Madhu Sudan:
– Venkatesan Guruswami, “List Decoding and Pseudorandom Constructions”
– Tom Høholdt, “Iterative List decoding of LDPC Codes”
– Ralf Koetter, “Optimizing Multivariate Interpolation”
– Atri Rudra, “Efficient List Decoding of Explicit Codes with Optimal
Redundancy”
Except for AAECC-1 (Discrete Mathematics 56, 1985) and AAECC-7 (Discrete Applied Mathematics 33, 1991), the proceedings of all the symposia have been published in Springer’s Lecture Notes in Computer Science (Vols. 228, 229, 307, 356, 357, 508, 539, 673, 948, 1255, 1719, 2227, 2643, 3857). It is a policy of AAECC to maintain a high scientific standard, comparable to that of a journal. This was made possible thanks to the many referees involved. Each submitted paper was evaluated by at least two international researchers.

AAECC-17 received and refereed 61 submissions. Of these, 1 was withdrawn and 33 were selected for publication in these proceedings.

The symposium was organized by P. Vijay Kumar, Tom Høholdt, Heeralal Janwa, Serdar Boztaş and Hsiao-feng (Francis) Lu, with the help of Govindar Rangarajan, C.E. Veni Madhavan and Priti Shankar, under the Indian Institute of Science Mathematics Initiative (IMI). It was sponsored by the Department of Science and Technology, India; the Defence Research and Development Organization, India; and Microsoft Research India.

We express our thanks to the Springer staff, especially Alfred Hofmann, for their help in the preparation of these proceedings.

October 2007
Serdar Boztaş
Hsiao-Feng (Francis) Lu
Organization

Steering Committee

Conference Co-chairs: P. Vijay Kumar (Univ. of Southern California, USA), Tom Høholdt (Technical Univ. of Denmark, Denmark), Heeralal Janwa (Univ. of Puerto Rico, Puerto Rico)
Program Co-chairs: Serdar Boztaş (RMIT Univ., Australia), Hsiao-feng (Francis) Lu (National Chung Cheng University, Taiwan)

Conference Committee
J. Calmet, G. Cohen, G.L. Feng, M. Giusti, J. Heintz, T. Høholdt, K. Horadam, H. Imai, H. Janwa, R. Kohno, H.W. Lenstra, Jr., S. Lin, O. Moreno, H. Niederreiter, A. Poli, T.R.N. Rao, S. Sakata, P. Solé

Program Committee
I.F. Blake, J. Calmet, C. Carlet, G. Cohen, C. Ding, G-L. Feng, M. Giusti, G. Gong, J. Heintz, K. Horadam, H. Imai, N. Kashyap, S. Lin, O. Moreno, W.H. Mow, H. Niederreiter, F. Özbudak, A. Poli, S.S. Pradhan, A. Rao, S. Sakata, H-Y. Song, P. Udaya, C. Xing

Local Organizing Committee
Govindar Rangarajan, C.E. Veni Madhavan, Priti Shankar

Sponsoring Institutions
Department of Science and Technology, India
Defence Research and Development Organization, India
Microsoft Research India
Table of Contents

Invited Contributions

List Decoding and Pseudorandom Constructions (p. 1)
Venkatesan Guruswami

A Survey of Recent Attacks on the Filter Generator (p. 7)
Sondre Rønjom, Guang Gong, and Tor Helleseth

Iterative List Decoding of LDPC Codes (p. 18)
Tom Høholdt and Jørn Justesen

Inverted Edwards Coordinates (p. 20)
Daniel J. Bernstein and Tanja Lange

Spectra of Boolean Functions, Subspaces of Matrices, and Going Up Versus Going Down (p. 28)
Gary McGuire

Efficient List Decoding of Explicit Codes with Optimal Redundancy (p. 38)
Atri Rudra

Algebraic Structure Theory of Tail-Biting Trellises (p. 47)
Priti Shankar

Nice Codes from Nice Curves (p. 48)
Henning Stichtenoth

Regular Contributions

Generalized Sudan’s List Decoding for Order Domain Codes (p. 50)
Olav Geil and Ryutaroh Matsumoto

Bent Functions and Codes with Low Peak-to-Average Power Ratio for Multi-Code CDMA (p. 60)
Jianqin Zhou, Wai Ho Mow, and Xiaoping Dai

Determining the Nonlinearity of a New Family of APN Functions (p. 72)
Carl Bracken, Eimear Byrne, Nadya Markin, and Gary McGuire

An Improvement of Tardos’s Collusion-Secure Fingerprinting Codes with Very Short Lengths (p. 80)
Koji Nuida, Satoshi Fujitsu, Manabu Hagiwara, Takashi Kitagawa, Hajime Watanabe, Kazuto Ogawa, and Hideki Imai

Space-Time Codes from Crossed Product Algebras of Degree 4 (p. 90)
Grégory Berhuy and Frédérique Oggier

On Non-randomness of the Permutation After RC4 Key Scheduling (p. 100)
Goutam Paul, Subhamoy Maitra, and Rohit Srivastava

Correctable Errors of Weight Half the Minimum Distance Plus One for the First-Order Reed-Muller Codes (p. 110)
Kenji Yasunaga and Toru Fujiwara

Fault-Tolerant Finite Field Computation in the Public Key Cryptosystems (p. 120)
Silvana Medoš and Serdar Boztaş

A Note on a Class of Quadratic Permutations over $\mathbb{F}_{2^n}$ (p. 130)
Yann Laigle-Chapuy

Constructions of Orthonormal Lattices and Quaternion Division Algebras for Totally Real Number Fields (p. 138)
B.A. Sethuraman and Frédérique Oggier

Quaternary Plotkin Constructions and Quaternary Reed-Muller Codes (p. 148)
J. Pujol, J. Rifà, and F.I. Solov’eva

Joint Source-Cryptographic-Channel Coding Based on Linear Block Codes (p. 158)
Haruhiko Kaneko and Eiji Fujiwara

On the Key-Privacy Issue of McEliece Public-Key Encryption (p. 168)
Shigenori Yamakawa, Yang Cui, Kazukuni Kobara, Manabu Hagiwara, and Hideki Imai

Lattices for Distributed Source Coding: Jointly Gaussian Sources and Reconstruction of a Linear Function (p. 178)
Dinesh Krithivasan and S. Sandeep Pradhan

Linear Complexity and Autocorrelation of Prime Cube Sequences (p. 188)
Young-Joon Kim, Seok-Yong Jin, and Hong-Yeop Song

The “Art of Trellis Decoding” Is NP-Hard (p. 198)
Navin Kashyap

On the Structure of Inversive Pseudorandom Number Generators (p. 208)
Harald Niederreiter and Arne Winterhof

Subcodes of Reed-Solomon Codes Suitable for Soft Decoding (p. 217)
Safitha J. Raj and Andrew Thangaraj

Normalized Minimum Determinant Calculation for Multi-block and Asymmetric Space-Time Codes (p. 227)
Camilla Hollanti and Hsiao-feng (Francis) Lu

On the Computation of Non-uniform Input for List Decoding on Bezerra-Garcia Tower (p. 237)
M. Prem Laxman Das and Kripasindhu Sikdar

Dense MIMO Matrix Lattices—A Meeting Point for Class Field Theory and Invariant Theory (p. 247)
Jyrki Lahtonen and Roope Vehkalahti

Secure Cross-Realm Client-to-Client Password-Based Authenticated Key Exchange Against Undetectable On-Line Dictionary Attacks (p. 257)
Kazuki Yoneyama, Haruki Ota, and Kazuo Ohta

Links Between Discriminating and Identifying Codes in the Binary Hamming Space (p. 267)
Irène Charon, Gérard Cohen, Olivier Hudry, and Antoine Lobstein

Construction of Rotation Symmetric Boolean Functions on Odd Number of Variables with Maximum Algebraic Immunity (p. 271)
Sumanta Sarkar and Subhamoy Maitra

A Path to Hadamard Matrices (p. 281)
P. Embury and A. Rao

The Tangent FFT (p. 291)
Daniel J. Bernstein

Novel Algebraic Structure for Cyclic Codes (p. 301)
Dang Hoai Bac, Nguyen Binh, and Nguyen Xuan Quynh

Distribution of Trace Values and Two-Weight, Self-orthogonal Codes over GF(p, 2) (p. 311)
N. Pinnawala, A. Rao, and T.A. Gulliver

Generalized Rotation Symmetric and Dihedral Symmetric Boolean Functions – 9 Variable Boolean Functions with Nonlinearity 242 (p. 321)
Selçuk Kavut and Melek Diker Yücel

On Quasi-cyclic Codes over Integer Residue Rings (p. 330)
Maheshanand and Siri Krishan Wasan

Extended Norm-Trace Codes with Optimized Correction Capability (p. 337)
Maria Bras-Amorós and Michael E. O’Sullivan

On Generalized Hamming Weights and the Covering Radius of Linear Codes (p. 347)
H. Janwa and A.K. Lal

Homomorphic Encryptions of Sums of Groups (p. 357)
Akihiro Yamamura

Author Index (p. 367)


List Decoding and Pseudorandom Constructions

Venkatesan Guruswami*
Department of Computer Science & Engineering, University of Washington, Seattle, WA 98195
[email protected]
There is a rich interplay between coding theory and computational complexity theory that has enriched both disciplines over the years. In particular, list decoding and closely related notions have been instrumental in several advances in explicit constructions of combinatorial objects with strong “random-like” properties, such as expander graphs, randomness extractors, and pseudorandom generators. Our aim here is to present

(i) a unified list-decoding-centric view of the definition of these objects, and
(ii) the details of recent work due to the author, C. Umans, and S. Vadhan [3], where this viewpoint yields powerful results, namely the construction of unbalanced bipartite graphs with very strong expansion properties based on the list-decodable codes due to Parvaresh and Vardy [4]. In turn these expanders yield simple constructions of randomness extractors that are optimal up to constant factors.

A List Decoding Lens on Pseudorandom Objects

We begin with a discussion of how a variety of central combinatorial objects in the theory of pseudorandomness can be captured by an appropriate list-decoding-like property. The list decoding viewpoint has been implicitly or explicitly used in several works over the years, for example [8,7,5,6,1], and most recently, is explicitly discussed in [3, Sec. 2.1].

For an integer $M \geq 1$, let $[M]$ denote the set $\{1, 2, \ldots, M\}$. A code $C \subseteq \Sigma^D$ with $N$ codewords¹ with encoding function $E : [N] \to \Sigma^D$ can be naturally viewed as a map $\Gamma : [N] \times [D] \to [D] \times \Sigma$ as follows:

$$\Gamma(x, i) = (i, E(x)_i)$$

where $E(x)_i$ is the $i$’th symbol of the codeword corresponding to message $x$. In an equivalent graph view, we think of $\Gamma$ as specifying the vertex neighborhoods in a bipartite graph with $N$ vertices on the left each of degree $D$.

* Currently on leave at the School of Mathematics, Institute for Advanced Study, Princeton, NJ 08540. Supported by NSF Career Award CCF-0343672, NSF CCR-0324906, and a Packard Fellowship.
¹ We are using symbols that are non-standard in coding theory to be consistent with the typical choices in the target pseudorandom objects.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 1–6, 2007.
© Springer-Verlag Berlin Heidelberg 2007

We say that a code $C \subseteq \Sigma^D$ is $(t, L)$-list-decodable if for all $r \in \Sigma^D$, the number of codewords of $C$ that agree with $r$ on at least $t$ locations is at most $L$. Here $D - t$ represents the number of “errors” that can be list decoded with an output list size of $L$. An equivalent view of the $(t, L)$-list-decodability property is that for all subsets $T \subseteq [D] \times \Sigma$ of size $D$ of the form $T = \{(i, r_i) \mid i \in [D]\}$, we have $|\mathrm{LIST}(T)| \leq L$ where

$$\mathrm{LIST}(T) \stackrel{\text{def}}{=} \{x \in [N] \mid \#\{i \mid \Gamma(x, i) \in T\} \geq t\}. \tag{1}$$

(In words, LIST(T) is the set of vertices on the left at least $t$ of whose neighbors belong to $T$.)
Turning to expander graphs, we say that a bipartite graph $G = (V_L, V_R, E)$ is a $(K, A)$-expander if for all $S \subseteq V_L$ with $|S| \leq K$, the neighborhood of $S$, $N(S) = \{\Gamma(s, i) \mid s \in S, i \in [D]\}$, satisfies $|N(S)| \geq A|S|$. Here $A$ is the expansion factor, which is clearly at most $D$. Expanders where $A = D(1 - \epsilon)$ (here $\epsilon > 0$ is a parameter that can be picked to be an arbitrarily small constant) are called lossless expanders. The equivalent “list decoding” based definition of $(K, A)$-expanders is the following: The graph defined by $\Gamma$ is a $(K, A)$-expander iff for all $K' \leq K$ and $T \subseteq [D] \times \Sigma$ with $|T| < AK'$, we have $|\mathrm{LIST}(T)| < K'$ where

$$\mathrm{LIST}(T) \stackrel{\text{def}}{=} \{x \in [N] \mid \forall i \in [D],\ \Gamma(x, i) \in T\}. \tag{2}$$

(In words, LIST(T) is the set of vertices on the left all of whose neighbors belong to $T$.)
The map $\Gamma$ is a $(k, \epsilon)$-extractor if for all $T \subseteq [D] \times \Sigma$, we have $|\mathrm{LIST}(T)| < 2^k$ where

$$\mathrm{LIST}(T) \stackrel{\text{def}}{=} \Big\{x \in [N] \,\Big|\, \Pr_{i \in [D]}[\Gamma(x, i) \in T] \geq \frac{|T|}{D|\Sigma|} + \epsilon\Big\}. \tag{3}$$

(In words, LIST(T) is the set of vertices on the left which have $\epsilon$ fraction more neighbors in $T$ than the density of $T$.)
Note that unlike the case of codes and expanders, for extractors we require a
small LIST(T ) for all subsets T on the right. In turn this means that for sets S of
size at least 2k on the left (k is called the min-entropy of the source distribution
on the left), the distribution on the right induced by taking a random neighbor
of a random element of S is within distance ε from the uniform distribution.
If we are able to guarantee a small LIST(T ) (as defined in (3)) only for sets
of bounded size, then we get a weaker object called a randomness condenser.
A condenser’s output need not be close to uniform, but must be close to a
distribution with good min-entropy. (For this to be non-trivial the right hand
side must be much smaller than the left, and the name condenser refers to the
fact that the min-entropy of the distribution on the left is condensed, perhaps
with some small loss, into a distribution over the smaller universe on the right.)
For a formal description of this connection, see [3], but roughly, the condition “If the input has min-entropy $\log(L/\epsilon)$, then the output is $\epsilon$-close to having min-entropy $\log(Q/\epsilon)$,” is implied by the following list decoding condition: For all $T \subseteq [D] \times \Sigma$ with $|T| \leq Q$, we have $|\mathrm{LIST}(T)| \leq L$ where

$$\mathrm{LIST}(T) \stackrel{\text{def}}{=} \{x \in [N] \mid \Pr_{i \in [D]}[\Gamma(x, i) \in T] \geq \epsilon\}. \tag{4}$$

(In words, LIST(T) is the set of vertices on the left a fraction $\epsilon$ of whose neighbors belong to $T$.)
Note that all the above objects are captured by similar definitions, of the form: For all sets $T$ that obey a certain property, a suitably defined LIST(T), which can be viewed as the list decoding of $T$, has small size. For codes, the sets
T are very small (of size D) with additional special structure; for expanders
and condensers, the sets T of interest are arbitrary sets of certain size; while for
extractors, we need a list decoding guarantee for all subsets T on the right. For
list-decodable error-correcting codes, one usually also demands an efficient list
decoding algorithm to compute LIST(T ). For the other pseudorandom objects,
the “decoding” occurs only in the analysis and a combinatorial bound on LIST(T )
is all that is needed.
A generalization of list decoding called list recovering has been very influential in several recent works. Under list recovering, the input to the decoder is a set $R_i$ of at most $\ell$ possible values for the $i$’th symbol for each $i$, and the goal is to output all codewords whose $i$’th symbol belongs to $R_i$ for at least $\alpha$ fraction of the positions $i$ (and there should be at most $L$ such codewords). List recovering
serves as a crucial primitive in decoding concatenated codes — for example,
the best known explicit binary list-decodable codes use a strong list recovering
algorithm for an outer folded Reed-Solomon code [2]. List recovering can also be
clearly captured in the above framework. In fact, the list recovering requirement
is very similar to the condenser requirement. In the latter we only restrict the
union of the Ri ’s to be small instead of stipulating that each of them be small.
It is worth remarking that the algebraic list recovering algorithms such as for
Reed-Solomon codes and folded RS codes work just as well when the union of
the Ri ’s is small.
We stress that though all these objects can be uniformly captured in a list
decoding like set-up, there are key differences in the parameters of interest in
these objects. (As a result, often different techniques are required to optimize the
parameters in each setting.) For example, in extractors we want D to be small
(this corresponds to a small seed length) and |Σ| to be large (this corresponds to
outputting many nearly uniform bits). Clearly for codes we want the alphabet
size |Σ| to be small (constant or polynomial in the block length). As another
example, for list-decodable codes, the exact size of |LIST(T )| is not too crucial,
and generally any bound that is polynomial in the message length is sufficient.
For the lossless expander construction in the next section, the exact relation
between |LIST(T )| and |T | is crucial; a factor 2 increase in the bound on list
size (for T of the same size) would change the expansion factor A from the
near-optimal (1 − ε)D to D/2.
Yet, the intuition and constructions from one setting have often led to progress in constructing other objects. Trevisan’s breakthrough extractors were based on an insightful use of pseudorandom generators and list-decodable codes [8]. Ta-Shma and Zuckerman [6] gave a construction of codes with very good list-recoverability properties, albeit over very large alphabets, using the above view of the Trevisan extractors, along with an “algorithmic” version of the analysis used to bound $|\mathrm{LIST}(T)|$. In [1], a similar framework was applied to an extractor construction due to Ta-Shma, Zuckerman, and Safra [7] along with other ideas to give a list-decodable code better than RS codes for low rates. Shaltiel and Umans [5] used list-decodability of Reed-Muller codes to construct extractors, as well as their computational counterpart, pseudorandom generators. In fact the similarity of their extractor to the folded Reed-Solomon codes from [2] (which achieved the optimal trade-off between rate and list-decoding radius) was the inspiration for our research leading to a new algebraic construction of unbalanced expanders [3], which we discuss in the next section.

There are several more fruitful connections between list decoding and other pseudorandom objects. As the next section shows, sometimes the argument underlying the construction of a particular object (a list-decodable code in our case) can be ported to give non-trivial constructions of one of the related objects (lossless bipartite expanders in our case).

Lossless Expanders from Parvaresh-Vardy Codes

We begin with a description of the Parvaresh-Vardy codes [4]. There are several parameters in this construction: integers $n, m, h$, a finite field $\mathbb{F}_q$, and an irreducible polynomial $E(X)$ of degree $n$ over $\mathbb{F}_q$. The messages of the code belong to $\mathbb{F}_q^n$, which is identified in the obvious way with polynomials of degree at most $(n - 1)$ over $\mathbb{F}_q$. The codewords have $q$ symbols, one corresponding to each element of $\mathbb{F}_q$. Each codeword symbol is an $m$-tuple of symbols over $\mathbb{F}_q$. The map $\Gamma : \mathbb{F}_q^n \times \mathbb{F}_q \to \mathbb{F}_q \times \mathbb{F}_q^m$ is given by:

$$\Gamma(f(X), \alpha) = (\alpha, f(\alpha), f_1(\alpha), \ldots, f_{m-1}(\alpha)) \tag{5}$$

where for $i = 1, 2, \ldots, m - 1$, $f_i(X) = f(X)^{h^i} \bmod E(X)$. (Note that each $f_i(X)$ is also a polynomial of degree less than $n$.)

Viewing the above map $\Gamma$ as defining a degree $q$ bipartite graph $G$ with $q^n$ nodes on the left and $q^{m+1}$ nodes on the right, the following expansion property of $G$ is proved in [3].

Theorem 1. The graph $G$ is a $(h^m, q - nmh)$-expander.
We will soon sketch the idea behind the proof of the above theorem. But first we discuss the implications to randomness extraction. The left degree $D$ of the expander equals $q$, and thus if $q \geq nmh/\epsilon$, the expansion factor $A = q - nmh$ satisfies $A \geq (1 - \epsilon)D$. Since sets of size $K = h^m$ expand by nearly a factor of $q$, the right hand side must have at least $qh^m$ vertices. By picking $q \leq h^{1+\delta}$ for a small constant $\delta > 0$, the right hand side has only about $DK^{1+\delta}$ vertices. It is known that lossless expanders (which expand by a $(1 - \epsilon)D$ factor) are equivalent to condensers that lose no entropy. In the condenser view, the small right hand side of our construction implies that the entropy rate of the output distribution on the right is $\geq 1/(1 + \delta)$ and thus very close to 1. Since all the min-entropy of the distribution on the left is preserved, the above expander reduces the task of constructing an extractor for arbitrary min-entropy to the much easier task of constructing an extractor for entropy rate 99%. Together with a back-end extractor that works for such high entropy rates, we get an extractor that achieves the best known parameters. We refer the reader to [3] for the detailed statements about the final extractor construction.
We conclude the paper with a brief discussion of the proof of Theorem 1. Let $K = h^m$ and $A = q - nmh$. With the list decoding view, we need to prove that for any $T \subseteq \mathbb{F}_q^{m+1}$ with $|T| \leq AK - 1$, the set $\mathrm{LIST}(T)$ defined in (2) satisfies $|\mathrm{LIST}(T)| \leq K - 1$. (We actually need to prove this for any $K' \leq K$, but the proof for this case uses similar ideas.) The proof consists of three steps.

1. Since |T |  AK − 1, there must exist a non-zero (m + 1)-variate polynomial


Q ∈ Fq [X, Z1 , Z2 , . . . , Zm ] of degree at most (h − 1) in each of the Zi ’s
and degree at most (A − 1) in X such that Q(a) = 0 for all a ∈ T . This
is because there are Ahm monomials X j Z1i1 · · · Zm im
that obey the imposed
degree restrictions, and only AK − 1 homogeneous linear constraints on the
coefficients of these monomials.
2. Any $f(X) \in \mathrm{LIST}(T)$ must satisfy $Q(X, f(X), f_1(X), \ldots, f_{m-1}(X)) = 0$. This is because if $f(X) \in \mathrm{LIST}(T)$, then for every $\alpha \in \mathbb{F}_q$,

$$Q(\alpha, f(\alpha), f_1(\alpha), \ldots, f_{m-1}(\alpha)) = 0.$$

The univariate polynomial $Q(X, f(X), f_1(X), \ldots, f_{m-1}(X))$ thus has at least $q$ roots, but on the other hand its degree is at most $A - 1 + (n - 1)m(h - 1) < A + nmh = q$. It must thus be the zero polynomial.
3. This is the most important step, where the specifics of the construction (the choice of the correlated polynomials $f_i(X)$) play a critical role. Recalling the definition of $f_i(X) = f(X)^{h^i} \bmod E(X)$, and viewing the polynomials $f(X)$ and $f_i(X)$ as elements of the extension field $\Lambda = \mathbb{F}_q[X]/(E(X))$, we observe that each $f(X) \in \mathrm{LIST}(T)$ must be a root of the univariate polynomial $Q^* \in \Lambda[Y]$ defined as

$$Q^*(Y) \stackrel{\text{def}}{=} Q(X, Y, Y^h, Y^{h^2}, \ldots, Y^{h^{m-1}}) \bmod E(X).$$

It can be argued that $Q^*(Y)$ is a non-zero polynomial. Therefore, we can bound $|\mathrm{LIST}(T)|$ from above by the degree of $Q^*$. This degree is clearly at most

$$(h - 1) + (h - 1)h + (h - 1)h^2 + \cdots + (h - 1)h^{m-1} = h^m - 1 = K - 1,$$

leading to the desired bound $|\mathrm{LIST}(T)| \leq K - 1$.
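The following Python program is an added example, not code from this paper or from [3]: it implements the Parvaresh-Vardy map $\Gamma$ of (5) over a small prime field and computes LIST(T) exactly as in definitions (1), (2) and (3) of the previous section, so that the unified list-decoding view and the statement of Theorem 1 can be checked on concrete objects. The parameters $q = 17$, $n = m = h = 2$ (so $K = h^m = 4$ and $A = q - nmh = 9$) and the modulus $E(X) = X^2 + 3$ are assumptions chosen for illustration; the code verifies that $E$ is irreducible over $\mathbb{F}_{17}$ rather than taking it on trust. At this size the bound of Theorem 1 is far from tight (distinct polynomials of degree less than 2 share at most one evaluation point), so the checks confirm the statement, not its sharpness.

```python
# Added example (not from the paper): the Parvaresh-Vardy map of (5) over a
# small prime field, with LIST(T) computed as in definitions (1), (2), (3).
import itertools
import random

# Assumed parameters: q > n*m*h so that the expansion factor A = q - nmh is positive.
q, n, m, h = 17, 2, 2, 2
E = [3, 0, 1]                   # E(X) = X^2 + 3, coefficients low to high; irreducible over F_17
K, A = h ** m, q - n * m * h    # Theorem 1: (K, A)-expander, here (4, 9)
D, SIGMA_SIZE = q, q ** m       # left degree D and right alphabet size |Sigma| = |F_q^m|


def poly_trim(p):
    """Drop leading zero coefficients; the zero polynomial is [0]."""
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % q
    return poly_trim(out)


def poly_mod(a, mod):
    """Remainder of a(X) modulo a monic polynomial mod(X), over F_q."""
    a, d = list(a), len(mod) - 1
    for i in range(len(a) - 1, d - 1, -1):
        coef = a[i]
        if coef:
            for j, mj in enumerate(mod):
                a[i - d + j] = (a[i - d + j] - coef * mj) % q
    return poly_trim(a[:d])


def poly_pow_mod(a, e, mod):
    """a(X)^e mod mod(X) by square-and-multiply."""
    result, base = [1], poly_mod(a, mod)
    while e:
        if e & 1:
            result = poly_mod(poly_mul(result, base), mod)
        base = poly_mod(poly_mul(base, base), mod)
        e >>= 1
    return result


def poly_eval(a, x):
    v = 0
    for c in reversed(a):
        v = (v * x + c) % q
    return v


def is_irreducible(mod):
    """Brute force: no monic divisor of degree 1..deg/2 (fine for tiny q and degree)."""
    deg = len(mod) - 1
    return not any(poly_mod(mod, list(low) + [1]) == [0]
                   for d in range(1, deg // 2 + 1)
                   for low in itertools.product(range(q), repeat=d))


def neighbours(f):
    """{Gamma(f, alpha) : alpha in F_q} with Gamma(f, alpha) = (alpha, f(alpha), f_1(alpha), ...),
    where f_i = f^{h^i} mod E, equation (5)."""
    fs = [f] + [poly_pow_mod(f, h ** i, E) for i in range(1, m)]
    return {(alpha,) + tuple(poly_eval(g, alpha) for g in fs) for alpha in range(q)}


MESSAGES = [list(c) for c in itertools.product(range(q), repeat=n)]   # F_q^n, the q^n left vertices


def list_agree(T, t):
    """LIST(T) of (1): left vertices with at least t neighbours in T."""
    return [f for f in MESSAGES if sum(v in T for v in neighbours(f)) >= t]


def list_all_in(T):
    """LIST(T) of (2): left vertices all of whose neighbours lie in T."""
    return [f for f in MESSAGES if neighbours(f) <= T]


def list_dense(T, eps):
    """LIST(T) of (3): left vertices whose neighbour density in T exceeds |T|/(D|Sigma|) by eps."""
    threshold = len(T) / (D * SIGMA_SIZE) + eps
    return [f for f in MESSAGES if sum(v in T for v in neighbours(f)) / D >= threshold]


def neighbourhood(S):
    return set().union(*(neighbours(f) for f in S))


def min_expansion(trials=200, seed=1):
    """Smallest |N(S)|/|S| over random S with |S| <= K; Theorem 1 guarantees >= A."""
    rng = random.Random(seed)
    worst = float(D)
    for _ in range(trials):
        S = rng.sample(MESSAGES, rng.randint(1, K))
        worst = min(worst, len(neighbourhood(S)) / len(S))
    return worst


if __name__ == "__main__":
    assert is_irreducible(E)
    T = neighbourhood([[0, 1], [1, 1]])          # N(S) for S = {X, X + 1}
    print("|T| =", len(T), "<= AK - 1 =", A * K - 1, "; |LIST(T)| =", len(list_all_in(T)))
    print("min |N(S)|/|S| over random S:", min_expansion(), ">= A =", A)
```

`min_expansion` samples random left sets of size at most $K$ instead of enumerating all of them, which is what makes the check affordable for $q^n = 289$ left vertices. The $T = N(S)$ call in the main block is the situation of the proof sketch: for the two messages $X$ and $X + 1$ the set $T$ has $34 \leq AK - 1 = 35$ elements, and LIST(T) under (2) is exactly those two messages, within the $K - 1 = 3$ allowed by Theorem 1. With $m = 1$ the same code degenerates to a Reed-Solomon code and `list_agree` is ordinary list decoding.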



References
1. Guruswami, V.: Better Extractors for Better Codes? In: 36th Annual ACM Symposium on Theory of Computing, pp. 436–444 (2004)
2. Guruswami, V., Rudra, A.: Explicit Capacity-Achieving List-Decodable Codes. In: 38th Annual ACM Symposium on Theory of Computing, pp. 1–10 (2006)
3. Guruswami, V., Umans, C., Vadhan, S.: Unbalanced Expanders and Randomness Extractors from Parvaresh-Vardy Codes. In: 22nd IEEE Conference on Computational Complexity, pp. 96–108 (2007)
4. Parvaresh, F., Vardy, A.: Correcting Errors Beyond the Guruswami-Sudan Radius in Polynomial Time. In: 46th Annual IEEE Symposium on Foundations of Computer Science, pp. 285–294 (2005)
5. Shaltiel, R., Umans, C.: Simple Extractors for All Min-Entropies and a New Pseudorandom Generator. J. ACM 52(2), 172–216 (2005)
6. Ta-Shma, A., Zuckerman, D.: Extractor Codes. IEEE Trans. Inform. Theory 50(12), 3015–3025 (2004)
7. Ta-Shma, A., Zuckerman, D., Safra, S.: Extractors from Reed-Muller codes. In: 42nd Annual Symposium on Foundations of Computer Science, pp. 638–647 (2001)
8. Trevisan, L.: Extractors and Pseudorandom Generators. J. ACM 48(4), 860–879 (2001)
A Survey of Recent Attacks on the Filter Generator

Sondre Rønjom¹, Guang Gong², and Tor Helleseth¹

¹ The Selmer Center, Department of Informatics, University of Bergen, PB 7803 N-5020 Bergen, Norway
² Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Ontario N2L 3G1, Canada

Abstract. The filter generator consists of a linear feedback shift register (LFSR) and a Boolean filtering function that combines bits from the shift register to create a key stream. The nonlinear combiner generator employs several LFSRs and a Boolean function that combines bits from all the registers to generate the key stream. A new attack on the filter generator has recently been described by Rønjom and Helleseth who also extended the attack to linear feedback shift registers over an extension field $GF(2^m)$. Some extensions and improvements of the attacks to the filter generator have been given by Rønjom, Gong and Helleseth. The purpose of this paper is to give a short overview of these attacks and to discuss how to extend these attacks to the nonlinear combiner generator.

Keywords: Boolean function, filter generator, nonlinear combiner generator, m-sequences, stream ciphers.

1 Introduction
The binary filter generator is an important building block in many stream ciphers.
The generator consists of a linear feedback shift register of length n that generates
a maximal linear sequence {s_t} (an m-sequence) of period 2^n − 1 and a Boolean
function of degree d that combines bits from the shift register and produces an output
bit z_t at any time t. An illustration of the filter generator is shown in Figure 1.
The sequence {s_t} obeys the recursion

$$\sum_{j=0}^{n} c_j s_{t+j} = 0, \qquad c_j \in \{0, 1\},$$

where c_0 = c_n = 1. The characteristic polynomial g(x) = \sum_{j=0}^{n} c_j x^j of the
linear recursion is a primitive polynomial of degree n and period 2^n − 1. The
zeros of g(x) are α^{2^i} for i = 0, 1, ..., n − 1, where α is a primitive element in
GF(2^n), the finite field with 2^n elements. The m-sequence can be written as

$$s_t = Tr_1^n(\beta \alpha^t) \tag{1}$$

where β ∈ GF(2^n) and Tr_1^n(x) = \sum_{i=0}^{n-1} x^{2^i}.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 7–17, 2007.
© Springer-Verlag Berlin Heidelberg 2007

[Figure 1: the LFSR (state s_t, ..., s_{t+n−1}, feedback bit s_{t+n}) feeds selected bits to the Boolean function F, which outputs the keystream bit z_t.]

Fig. 1. Filter generator

The sequence {s_t} is determined by the initial state (s_0, s_1, ..., s_{n−1}) and
the characteristic polynomial g(x). The 2^n sequences generated by g(x), corresponding to the different initial states, form a vector space over GF(2) denoted
by Ω(g(x)). For further information on linear shift registers the reader is referred
to the recent book by Golomb and Gong [2]. By repeated use of the recursion
we can write s_t as a linear combination of the n bits in the initial state. Thus,
we have

$$s_t = \sum_{i=0}^{n-1} s_i\, l_{i,t} \tag{2}$$

for n binary sequences {l_{i,t}}, i = 0, 1, ..., n − 1. Note that each of these n
sequences is nonzero and obeys the same recursion as {s_t}, and thus is itself an m-sequence.
At each time t, a keystream bit z_t is calculated as a function of certain bits in
some positions (e_0, e_1, ..., e_{m−1}) in the LFSR state (s_t, s_{t+1}, ..., s_{t+n−1}) at time
t using a Boolean polynomial function f(x_0, x_1, ..., x_{m−1}) of degree d in m ≤ n
variables. The key stream is defined by z_t = f(s_{t+e_0}, s_{t+e_1}, ..., s_{t+e_{m−1}}). Since
each s_t is determined by the initial state we will consider f = f_0(s_0, s_1, ..., s_{n−1})
as a polynomial in the n variables s_0, s_1, ..., s_{n−1}.
By using the function f(s_0, ..., s_{n−1}) of degree d and expressing the sequence bits s_t as linear combinations of s_0, s_1, ..., s_{n−1} given by (2), we define
f_t(s_0, s_1, ..., s_{n−1}) = f(s_t, s_{t+1}, ..., s_{t+n−1}). This leads to the following system
of nonlinear equations of degree d relating the n unknowns s_0, s_1, ..., s_{n−1} to the
keystream, z_t = f_t(s_0, s_1, ..., s_{n−1}) for t = 0, 1, ..., which has the initial state of
the LFSR as a solution.
Various methods exist for solving the above nonlinear system of equations.
The number of monomials of degree at most d over GF(2) is given by the number

$$D = \sum_{i=1}^{d} \binom{n}{i}.$$

If D bits of the keystream are known, one may try to solve the
above system directly using linear algebra techniques. General matrix reduction
methods have complexity O(D^ω), where ω is commonly taken to be Strassen's
reduction exponent log_2 7 ≈ 2.807. Thus for increasing n and d this approach
becomes infeasible. If fewer keystream bits are known, one may instead try to
experiment with Gröbner basis methods using for instance variations of Faugère's
algorithms, although the complexity then becomes more difficult to evaluate.

As described in Courtois and Meier [1], the keystream generator may be vulnerable to algebraic attacks even if the degree of the algebraic function is high.
Let S_t = (s_t, s_{t+1}, ..., s_{t+n−1}) be the n-bit state of the linear shift register at
time t and let AN(f) denote the annihilator ideal of the Boolean function f in
n variables, i.e.,

$$AN(f) = \{\, g \mid g(x) f(x) = 0 \text{ for all } x = (x_0, x_1, \ldots, x_{n-1}) \,\}.$$

Thus any function g in AN(f) leads to an equation of the form

$$f(S_t)\, g(S_t) = z_t\, g(S_t) = 0,$$

which, when z_t = 1, implies that g(S_t) = 0. Similarly any function g' in AN(1 + f)
leads to an equation of the form g'(S_t) = 0 whenever z_t = 0. Thus when the
annihilators contain polynomials of small degree we may collect several equations
of small degree and thus reduce the number of unknowns. Therefore one defines
the algebraic immunity of the Boolean function f, AI(f), as the smallest degree
of a polynomial in AN(f) ∪ AN(1 + f). It is therefore important to use Boolean
functions with high algebraic immunity. Furthermore, it holds that AI(f) ≤
⌈m/2⌉ if m is the number of variables in f.
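As an added illustration (this is not code from the survey), the following computes AI(f) for a small Boolean function directly from the definition above. A nonzero g of degree at most e annihilates f exactly when g vanishes on the support of f, so an annihilator of degree at most e exists if and only if the matrix that evaluates all monomials of degree at most e on supp(f) has a nontrivial null space over GF(2). The three sample functions (3-variable majority, x_0 x_1 x_2 and x_0 + x_1 + x_2) are constructed for this example.

```python
from itertools import combinations

def rank_gf2(rows):
    """Rank over GF(2) of a list of row bitmasks, by elimination on leading bits."""
    pivots = {}                       # leading bit -> row whose leading bit it is
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = r
                break
            r ^= pivots[lead]
    return len(pivots)

def monomials_upto(m, e):
    """All monomials in m variables of degree <= e, as variable bitmasks (0 = the constant 1)."""
    return [sum(1 << i for i in c) for d in range(e + 1) for c in combinations(range(m), d)]

def has_annihilator(truth_table, m, e):
    """True iff some nonzero g with deg(g) <= e satisfies g(x) f(x) = 0 for all x.
    truth_table[x] is f at the point whose i-th coordinate is bit i of x."""
    monos = monomials_upto(m, e)
    support = [x for x in range(2 ** m) if truth_table[x]]
    # One row per point of supp(f): bit k is set iff monomial k evaluates to 1 there,
    # i.e. iff every variable of the monomial is 1 at that point.
    rows = [sum(1 << k for k, mono in enumerate(monos) if (mono & x) == mono)
            for x in support]
    return rank_gf2(rows) < len(monos)   # nontrivial null space -> annihilator exists

def algebraic_immunity(truth_table, m):
    """AI(f): the smallest degree of a nonzero element of AN(f) or AN(1 + f)."""
    complement = [1 - v for v in truth_table]
    for e in range(m + 1):
        if has_annihilator(truth_table, m, e) or has_annihilator(complement, m, e):
            return e
    return m   # not reached: 1 + f is itself a degree <= m annihilator of f

# Constructed sample functions on m = 3 variables.
MAJ3 = [1 if bin(x).count("1") >= 2 else 0 for x in range(8)]   # majority
AND3 = [int(x == 7) for x in range(8)]                          # x0 x1 x2
XOR3 = [bin(x).count("1") & 1 for x in range(8)]                # x0 + x1 + x2

if __name__ == "__main__":
    for name, f in (("maj3", MAJ3), ("x0x1x2", AND3), ("x0+x1+x2", XOR3)):
        print(f"AI({name}) = {algebraic_immunity(f, 3)}  (bound ceil(m/2) = {(3 + 1) // 2})")
```

The majority function reaches the bound ⌈m/2⌉ = 2, whereas x_0 x_1 x_2 has the degree-1 annihilator 1 + x_0 and the linear function is annihilated by 1 + f; the same routine can be used as a design check on candidate filter functions of moderate m.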
Most of the previous attacks on binary filter generators have considered the
equation systems stemming from the filter generator as "random" or generic
systems and have applied standard techniques for solving equations when analyzing the filter generator. The attacks described in the next sections utilize the
structure of the finite field defined by the LFSR, and show that these systems
are much simpler to solve than generic systems.
Since the paper contains an overview of some recent attacks several details
will be omitted. The interested reader will find complete details including proofs
and examples in [8], [7] and [10].

2 Attack Using Coefficient Sequences


For a subset I = {i_0, i_1, ..., i_{r−1}} of I_n = {0, 1, ..., n − 1} define s_I =
s_{i_0} s_{i_1} ··· s_{i_{r−1}}. Let K_{I,t} be the binary coefficient of s_I in the equation z_t =
f_t(s_0, s_1, ..., s_{n−1}). Then we can represent the system of equations in a compact
manner as

$$z_t = \sum_{I} s_I K_{I,t} \tag{3}$$

where the summation is taken over all subsets I of I_n. The binary sequence {K_{I,t}}
of coefficients of s_I is called the coefficient sequence. The main observation is that
these sequences obey nice recursions, so that when we add together equations according to these recursions we may remove the contribution of monomials of higher
degree and arrive at a simple nonsingular system of n equations in n variables.
For simplicity, consider the contribution to the keystream from the function
consisting of a single monomial of degree r, say f^* = x_{a_0} x_{a_1} ··· x_{a_{r−1}}, leading
to z_t = s_{t+a_0} s_{t+a_1} ··· s_{t+a_{r−1}}, where 0 ≤ a_0 < a_1 < ··· < a_{r−1} < n. Let
A = {a_0, a_1, ..., a_{r−1}}; then using (2) we obtain

$$z_t = s_{t+a_0} s_{t+a_1} \cdots s_{t+a_{r-1}} = \sum_{I} s_I K_{I,A,t}$$

where

$$K_{I,A,t} = \sum_{(i_0, i_1, \ldots, i_{r-1}),\; I = \{i_0, i_1, \ldots, i_{r-1}\}} l_{i_0, t+a_0}\, l_{i_1, t+a_1} \cdots l_{i_{r-1}, t+a_{r-1}}. \tag{4}$$

The summation runs over all combinations of i_0, i_1, ..., i_{r−1} where the i_j's are
in I_n and such that I = {i_0, i_1, ..., i_{r−1}}.
The polynomial function f can in general be written as a sum of monomial
terms as f = \sum_A c_A x_A. Note in particular that each subset A of I_n such that
|A| ≥ |I| contributes to the coefficient sequence {K_{I,t}}. We therefore obtain

$$z_t = f(s_t, s_{t+1}, \ldots, s_{t+n-1}) = \sum_{I} s_I K_{I,t}$$

where

$$K_{I,t} = \sum_{A,\; |A| \ge |I|} c_A K_{I,A,t}. \tag{5}$$

Lemma 1. Let wt(l) be the Hamming weight of the binary representation of l,
and let

$$g_q(x) = \prod_{l,\; wt(l) = q} (x + \alpha^l).$$

Let |I| = k and let {K_{I,t}} be the coefficient sequence corresponding to s_I for a
Boolean function f of degree d. Then

$$\{K_{I,t}\} \in \Omega\big(g_k(x)\, g_{k+1}(x) \cdots g_d(x)\big).$$

Proof (Sketch). The idea behind the proof is that from (4) it follows that K_{I,A,t}
is a linear combination of products of r (≤ d) shifted versions of the same m-sequence. Thus using (1) we get

$$K_{I,A,t} = \sum_{wt(J) \le d} b_J\, \alpha^{Jt}.$$

A detailed investigation shows that, surprisingly, b_J = 0 when wt(J) < |I| = k.
Since K_{I,t} is a linear combination of terms of the form K_{I,A,t}, the result holds
for K_{I,t}.
The main consequence of this lemma is that all coefficient sequences {K_{I,t}}, |I| ≥
2, for the nonlinear terms, obey the recursion with characteristic polynomial
p(x) = g_2(x) g_3(x) ··· g_d(x). Thus using this recursion on the equation system
leads to a linear system of n equations in n unknowns.

Algebraic Attack

1. Pre-compute p(x) = g_2(x) g_3(x) ··· g_d(x) and let p(x) = \sum_{j=0}^{D−n} p_j x^j.
2. Pre-compute the linear part of the equation system determined by the Boolean
function f(s_t, s_{t+1}, ..., s_{t+n−1}) = f_t(s_0, s_1, ..., s_{n−1}) for t = 0, 1, ..., D − 1.
Compute the linear part of f_0^* = \sum_{j=0}^{D−n} p_j f_j(s_0, s_1, ..., s_{n−1}) from the linear
parts of f_j(s_0, s_1, ..., s_{n−1}), and thereafter compute f_1^*, f_2^*, ..., f_{n−1}^* (by increasing indices by 1 and replacing s_n by its linear combination of s_0, s_1, ..., s_{n−1}).
3. For a given keystream z_t of D bits compute z_t^* = \sum_{j=0}^{D−n} p_j z_{t+j}. Determine the
initial state (secret key) (s_0, s_1, ..., s_{n−1}) from the linear system of equations
z_t^* = f_t^*(s_0, s_1, ..., s_{n−1}) for t = 0, 1, ..., n − 1.

Note that if f_0^* ≠ 0 then the coefficient matrix of the system will be nonsingular.
This is due to the fact that the rows of the coefficient matrix can be considered
to be n successive powers of α, where α is the primitive zero of the primitive
polynomial g(x) of degree n.
The best previous attacks have essentially been to reduce the problem to
solving a nonlinear system of D = \sum_{i=1}^{d} \binom{n}{i} equations in n unknowns, giving a
complexity essentially O(D^ω) where ω = log_2 7. The new attack above provides
an improved algorithm that breaks the filter generator in complexity O(D) after
a pre-computation of complexity O(D (log_2 D)^3) needed to find p(x).
The case f_0^* = 0 has, if the Boolean function is selected randomly, a probability of about 2^{−n}. For n = 128 this is a small probability, even though
it is possible to compute such functions constructively. In this case we need to
modify the attack to avoid this (unlikely) problem. The modified attack does not
need the properties of coordinate sequences. However, the overall complexity is
essentially the same. The modifications are due to Rønjom, Gong and Helleseth
[7] and will be briefly described in Section 4.
Furthermore, the attack has been extended by Rønjom and Helleseth in [9]
to special cases when the LFSR is over the extension field GF(2^m).

3 More About the Coefficient Sequences


In this section we give a description of the nonlinear filter generator using a linear
transformation. The coefficient sequences in the previous section are shown by
Rønjom and Helleseth [10] to play a natural role in this linear transformation.
The non-singular matrix

$$T_1 = \begin{pmatrix} 0 & 0 & \cdots & 0 & c_0 \\ 1 & 0 & \cdots & 0 & c_1 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & 1 & c_{n-1} \end{pmatrix}$$

is the companion matrix of g(x), and g(x) is also the characteristic polynomial of T_1;
thus it is known that

$$g(T_1) = T_1^n + c_{n-1} T_1^{n-1} + c_{n-2} T_1^{n-2} + \cdots + T_1^0 = 0.$$

Let S_0 = (s_0, s_1, ..., s_{n−1}) denote the initial state of the LFSR. Any state S_t
at time t is found by taking appropriate powers of T_1 starting from the initial
state,

$$S_t = (s_t, s_{t+1}, \ldots, s_{t+n-1}) = (s_0, \ldots, s_{n-1})\, T_1^t,$$

and the consecutive states of the LFSR are

$$S_0,\; S_0 T_1,\; S_0 T_1^2,\; \ldots,\; S_0 T_1^t,\; \ldots$$

which is an n-dimensional cyclic vector space.
Let Ŝ_t denote the vector with components s_{t+I} for I ⊂ I_n in some ordering, say
graded reverse lexicographic. We call Ŝ_t the (extended) state of the usual n-bit
state S_t = (s_t, s_{t+1}, ..., s_{t+n−1}). We illustrate the definition with an example.

Example 1. Let g_1(x) = g(x) = x^3 + x + 1 be the generator polynomial for the
LFSR. Then for n = 3 and t = 0 we have

$$\hat S_0 = (s_0, s_1, s_2, s_0 s_1, s_0 s_2, s_1 s_2, s_0 s_1 s_2).$$

Using the linear recursion s_{t+3} = s_{t+1} + s_t, or s_3 = s_1 + s_0, we obtain the next
(extended) state by increasing all indices by one. Thus the (extended) state at
time t = 1 is

$$\hat S_1 = (s_1, s_2, s_3, s_1 s_2, s_1 s_3, s_2 s_3, s_1 s_2 s_3).$$

Note that using the linear recursion of the LFSR each component in Ŝ_1 is a
linear combination of the components in Ŝ_0. In this case we observe that the
components in Ŝ_1 not containing s_3 equal directly a component in Ŝ_0, while the
components involving s_3 can be written as

$$\begin{aligned} s_3 &= s_1 + s_0 \\ s_1 s_3 &= s_1 + s_0 s_1 \\ s_2 s_3 &= s_0 s_2 + s_1 s_2 \\ s_1 s_2 s_3 &= s_0 s_1 s_2 + s_1 s_2. \end{aligned}$$

Therefore the linear transformation that transforms Ŝ_0 to Ŝ_1 (or equivalently
Ŝ_{t+1} = Ŝ_t T for any integer t) can be described by the 7 × 7 matrix T given by
(rows labelled by the components of Ŝ_0, columns by the components of Ŝ_1)

                  s_1  s_2  s_3  s_1s_2  s_1s_3  s_2s_3  s_1s_2s_3
    s_0            0    0    1     0       0       0        0
    s_1            1    0    1     0       1       0        0
    s_2            0    1    0     0       0       0        0
    s_0s_1         0    0    0     0       1       0        0
    s_0s_2         0    0    0     0       0       1        0
    s_1s_2         0    0    0     1       0       1        1
    s_0s_1s_2      0    0    0     0       0       0        1

The columns are indexed as the rows but with all indices increased by one. For
example the fifth column represents s_1 s_3 = s_1 + s_0 s_1.
For any subset J = {j_0, j_1, ..., j_{r−1}} ⊂ I_n, we define s_{t+J} to be s_{t+J} =
s_{t+j_0} s_{t+j_1} ··· s_{t+j_{r−1}}. The rows and columns are indexed by the subsets of I_n
and the value of T in position (I, J) is given by K_{I,J,1}, since this is the coefficient
of s_I in s_{1+J}, i.e.,

$$s_{1+J} = \sum_{I} s_I K_{I,J,1}. \tag{6}$$

This matrix T also occurred in the paper by Hawkes and Rose [4] in their
study of algebraic attacks. The (2^n − 1) × (2^n − 1) transformation matrix T
given by Ŝ_{t+1} = Ŝ_t T has more consequences for attacking the filter generator
than anticipated in [4]. The interesting observation to be shown later is that the
elements in the powers T^t of the matrix T are equal to the coefficient sequences
K_{I,J,t} defined by Rønjom and Helleseth in [8] as the coefficient of s_I in s_{t+J} =
s_{t+j_0} s_{t+j_1} ··· s_{t+j_{r−1}} where J = {j_0, j_1, ..., j_{r−1}}, or in other words

$$s_{t+J} = \sum_{I} s_I K_{I,J,t}. \tag{7}$$

This is a consequence of the following theorem.

Theorem 1. Let T^t_{I,J} denote the element in row I and column J in T^t. Let
K_{I,J,t} be defined as the coefficient of s_I in the term s_{t+J}. Then T^t_{I,J} = K_{I,J,t}.

Proof. The proof follows directly from (7) and Ŝ_t = Ŝ_0 T^t.
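The following added example (not code from the paper or its authors) makes the objects of Section 2 and of Example 1 concrete for the n = 3 LFSR with g(x) = x^3 + x + 1. It expands every shifted monomial s_{t+J} in s_0, s_1, s_2 via the recursion (2), reads off the coefficient sequences K_{I,J,t}, rebuilds the 7 × 7 matrix T of Example 1 from K_{I,J,1}, checks Theorem 1 (entries of T^t are K_{I,J,t}) and checks Lemma 1 applied to the monomial s_{t+J} (K_{I,J,t} lies in Ω(g_{|I|} ··· g_{|J|}) and vanishes when |I| > |J|). The constants N, G and ALPHA, and the helper names, are choices made for this example; the polynomials g_q(x) are computed from α in GF(2^3) exactly as defined in Lemma 1.

```python
# Constructed toy instance (not the paper's code): the n = 3 LFSR of Example 1
# with characteristic polynomial g(x) = x^3 + x + 1 and alpha = x in GF(2^3).
N = 3
G = 0b1011            # bit j of G is the coefficient c_j of x^j in g(x)
ALPHA = 0b010         # alpha = x, a root of g(x) and a primitive element

def field_mul(a, b):
    """Multiply two elements of GF(2^N) = GF(2)[x]/(g(x)), stored as ints."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N & 1:
            a ^= G
    return r

def poly_mul2(a, b):
    """Product of two polynomials in GF(2)[x], stored as ints."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def g_q(q):
    """g_q(x) = prod over l with wt(l) = q of (x + alpha^l), as an int over GF(2);
    the product has GF(2) coefficients because its zero set is closed under squaring."""
    coeffs = [1]                                  # coefficients in GF(2^N), index = power of x
    power = 1                                     # running value of alpha^l
    for l in range(1, 2 ** N):
        power = field_mul(power, ALPHA)
        if bin(l).count("1") == q:
            nxt = [0] * (len(coeffs) + 1)
            for i, c in enumerate(coeffs):
                nxt[i + 1] ^= c                   # c * x
                nxt[i] ^= field_mul(c, power)     # c * alpha^l
            coeffs = nxt
    assert all(c in (0, 1) for c in coeffs)
    return sum(c << i for i, c in enumerate(coeffs))

def linear_forms(tmax):
    """Bitmask over (s_0, ..., s_{N-1}) expressing each s_t, t < tmax, via the recursion (eq. 2)."""
    forms = [1 << i for i in range(N)]
    for t in range(N, tmax):
        m = 0
        for j in range(N):
            if G >> j & 1:                        # c_j
                m ^= forms[t - N + j]
        forms.append(m)
    return forms

FORMS = linear_forms(64)
SUBSETS = sorted(range(1, 2 ** N), key=lambda m: (bin(m).count("1"), m))  # graded order

def shifted_monomial(J, t):
    """s_{t+J} = prod_{j in J} s_{t+j} expanded over s_0..s_{N-1}; a polynomial is the
    set of its monomial masks (GF(2) coefficients, with s_i^2 = s_i)."""
    poly = {0}                                    # the constant 1
    for j in range(N):
        if J >> j & 1:
            lin = {1 << i for i in range(N) if FORMS[t + j] >> i & 1}
            prod = set()
            for a in poly:
                for b in lin:
                    prod ^= {a | b}               # symmetric difference = addition mod 2
            poly = prod
    return poly

def K(I, J, t):
    """Coefficient sequence K_{I,J,t}: the coefficient of s_I in s_{t+J}."""
    return int(I in shifted_monomial(J, t))

def transition_matrix():
    """T with T[I][J] = K_{I,J,1}, rows and columns ordered as SUBSETS."""
    return [[K(I, J, 1) for J in SUBSETS] for I in SUBSETS]

def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] & B[k][j] for k in range(n)) & 1 for j in range(n)] for i in range(n)]

def theorem1_holds(tmax=10):
    """Theorem 1: the (I, J) entry of T^t equals K_{I,J,t}."""
    T = transition_matrix()
    P = [[int(i == j) for j in range(len(T))] for i in range(len(T))]
    for t in range(tmax):
        if any(P[i][j] != K(I, J, t)
               for i, I in enumerate(SUBSETS) for j, J in enumerate(SUBSETS)):
            return False
        P = mat_mul(P, T)
    return True

def lemma1_holds(tmax=16):
    """Lemma 1 for the monomial s_{t+J}: K_{I,J,t} is identically zero when |I| > |J|
    and otherwise obeys the recursion with characteristic polynomial g_{|I|} ... g_{|J|}."""
    for I in SUBSETS:
        for J in SUBSETS:
            k, d = bin(I).count("1"), bin(J).count("1")
            if k > d:
                if any(K(I, J, t) for t in range(tmax)):
                    return False
                continue
            p = 1
            for q in range(k, d + 1):
                p = poly_mul2(p, g_q(q))
            for t in range(tmax):
                if sum(K(I, J, t + j) for j in range(p.bit_length()) if p >> j & 1) % 2:
                    return False
    return True

if __name__ == "__main__":
    for row, I in zip(transition_matrix(), SUBSETS):
        print(f"{I:03b}", row)
    print("p(x) = g_2(x) g_3(x) =", bin(poly_mul2(g_q(2), g_q(3))))
    print("Theorem 1:", theorem1_holds(), " Lemma 1:", lemma1_holds())
```

For this instance g_2(x) = x^3 + x^2 + 1 (the minimal polynomial of α^3) and g_3(x) = x + 1, so p(x) = g_2(x) g_3(x) = x^4 + x^2 + x + 1 has degree D − n = 7 − 3 = 4, matching step 1 of the algorithm in Section 2.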
Let v_f denote the binary vector of length 2^n − 1 (we may assume without loss of
generality that there is no constant term in f) with component v_{f,I} in position I being
the coefficient of s_I in f, i.e., f = \sum_I v_{f,I} s_I. Then since, popularly speaking, the
effect of T is to increase the indices by one, this implies that the binary vector
representation of f_1(s_0, s_1, ..., s_{n−1}) = f_0(s_1, s_2, ..., s_n) (= f(s_1, s_2, ..., s_n)) is
related by

$$v_{f_1} = T v_{f_0}.$$

Therefore, in general each output bit z_t from the filter generator leads to the
equation

$$z_t = \hat S_0 T^t v_{f_0} \;(= \hat S_0 v_{f_t}). \tag{8}$$

Let T_r be the submatrices along the diagonal of T, i.e., T_r equals T restricted
to the \binom{n}{r} × \binom{n}{r} submatrix corresponding to the positions (I, J) where |I| =
|J| = r. An interesting property of T_r, proved in [10], is the following.
Theorem 2. The minimal polynomial m_{T_r}(x) and characteristic polynomial
c_{T_r}(x) of the square \binom{n}{r} × \binom{n}{r} matrix T_r are equal. Moreover, we have that

$$c_{T_r}(x) = m_{T_r}(x) = g_r(x) = \prod_{e,\; wt(e) = r} (x + \alpha^e). \tag{9}$$

Consequently, we have that

$$m_T(x) = c_T(x) = \prod_{i=1}^{n} m_{T_i}(x) = g_1(x)\, g_2(x) \cdots g_n(x) = x^{2^n - 1} + 1.$$

Let v_f denote the length-D support vector for a function f(s_0, ..., s_{n−1}) of
degree d where the coefficients are ordered in the same order as the columns of
T, and therefore in the same order as the expanded LFSR state Ŝ_t satisfying

$$\hat S_t T = \hat S_{t+1},\quad \hat S_t T^2 = \hat S_{t+2},\quad \ldots$$

Since a keystream bit is given by z_t = Ŝ_t v_f and z_{t+r} = Ŝ_t T^r v_f = Ŝ_{t+r} v_f, a
matrix relating sequence bits s_t, ..., s_{t+D−1} with keystream bits z_t, ..., z_{t+D−1}
is given by the column vectors

$$A_t = \big(\, T^t v_f \;\; T^{t+1} v_f \;\; \cdots \;\; T^{t+D-1} v_f \,\big)$$

and thus Ŝ_0 A_t = Ŝ_t A_0 = Ŝ_0 T^t A_0 = [z_t, z_{t+1}, ..., z_{t+D−1}]. The columns of the
matrix A_t are the coefficient vectors of the functions studied in algebraic attacks.
Let as before p(x) = g_2(x) g_3(x) ··· g_d(x) = \sum_{j=0}^{D−n} p_j x^j. The algebraic attack
in the previous section can now be described by computing f_t^* = \sum_{j=0}^{D−n} p_j f_{t+j}
and

$$z_t^* = \sum_{j=0}^{D-n} p_j f_{t+j} = \sum_{j=0}^{D-n} p_j z_{t+j} = \hat S_0 T^t p(T) v_f = \hat S_0 v_{f_t^*},$$

where v_{f_t^*} = T^t p(T) v_f. Let p(T) = T'; then

$$\hat S_0\, p(T) A_t = \hat S_0 \,[\, v_{f_t^*},\; T v_{f_t^*},\; \ldots,\; T^{D-1} v_{f_t^*} \,] = [\, z_t^*,\; z_{t+1}^*,\; \ldots,\; z_{t+D-1}^* \,]$$

is a system of D linear equations. Note that p(T) is only nonzero in the first
n rows since K_{I,J,t} is generated by p(x) for any I when |I| ≥ 2, due to the
proofs of Lemma 1 and Theorem 1. Clearly, it therefore suffices to compute
v' = p(T) v_f restricted to a length-n vector and then compute the columns of
an n × n matrix given by v', T_1 v', ..., T_1^{n−1} v'. Thus we have a system of n
equations in the n unknown bits in the initial state (s_0, s_1, ..., s_{n−1}) which can
therefore be determined.

4 Extending the Attack


Let s_t = Tr_1^n(βα^t); then we need to determine β to find the initial state of the
LFSR used in the filter generator. We can write the bits in the key stream z_t in
terms of their trace representation

$$z_t = \sum_{k} Tr_1^{m_k}\big(A_k\, (\beta \alpha^t)^k\big)$$

where the k's are (cyclotomic) coset leaders modulo N = 2^n − 1, and m_k | n is
the size of the coset {k, 2k, 2^2 k, ...} mod N which contains k. Here wt(k) ≤ d
where d is the degree of the Boolean function f.

The main idea is to determine β directly from z_t. The attack in Rønjom and
Helleseth [8] applied the shift operator to the key stream z_t using the polynomial
p(x) = g_2(x) g_3(x) ··· g_d(x) with all zeros α^J of weight 2 ≤ wt(J) ≤ d, leading to

$$p(E) z_t = \sum_{j=0}^{D-n} p_j z_{t+j} = \sum_{k} Tr_1^{m_k}\big(A_k \beta^k p(\alpha^k) \alpha^{tk}\big) = Tr_1^n\big(A_1\, \beta\, p(\alpha)\, \alpha^t\big).$$

The left hand side is linear in the bits in the initial state and thus leads to a linear
equation system which is considered in Rønjom and Helleseth [8]. Furthermore,
A_1 was explicitly given in [8].
In the case when A_1 = 0 we select another k such that A_k ≠ 0 and gcd(k, 2^n −
1) = 1 and let instead p(x) be defined to have all possible zeros α^J where
1 ≤ wt(J) ≤ d, except for α^k. Then using the shift operator for this p(x), we get

$$p(E) z_t = Tr_1^n\big(A_k \beta^k p(\alpha^k) \alpha^{tk}\big).$$

The aim is to calculate β. This is done in two steps.

Step 1. In the first step we determine r = A_k β^k p(α^k) from

$$u_t = p(E) z_t = Tr_1^n(r \alpha^{tk}) \quad \text{for } t = 0, 1, \ldots, n - 1.$$

This is a linear equation system with n equations in n unknowns x_i = r^{2^i} for
i = 0, 1, ..., n − 1. Since the coefficient matrix is a Vandermonde matrix and
(u_0, u_1, ..., u_{n−1}) is known, this gives us r = A_k β^k p(α^k) and therefore

$$\beta^k = r\, A_k^{-1}\, [p(\alpha^k)]^{-1}$$

where r and p(α^k) are known. Thus it remains to determine A_k.

Step 2. The second step is to find A_k. Note that {A_k} is related to a discrete
Fourier transform of {z_t}, which can be computed through expansion of z_t. An
explicit formula for A_k is given in Gong [3] or derived from results in [5] and
[6]. For further details including a detailed example the reader is referred to [7].

Step 3. Compute the initial state by s_t = Tr_1^n(βα^t) for t = 0, 1, ..., n − 1.

The complexity of this attack is asymptotically essentially the same as in [8],
but it also works in the case when A_1 = 0 (or equivalently f_0^* = 0), which needed
some modifications in the original attack.

5 Attacking the Combiner Generator


The combiner generator uses several LFSRs, each generating a different m-sequence. The outputs from the different LFSRs are combined by a Boolean
function to produce a key stream bit z_t. Usually one bit is taken from each
register and a Boolean function f combines these bits to a key stream bit. The
methods for analyzing the filter generator can be extended rather directly to the
combiner case with minor changes. In this section we discuss this briefly.
For the filter generator the key stream z_t can be represented as

$$z_t = \sum_{i} \beta_i\, \alpha_i^t,$$

where α_i is a product of ≤ d (= deg(f)) zeros from the LFSR. Thus the zeros
are of the form α^J where the Hamming weight of the binary representation of
J is at most d. The reason is that z_t is a sum of products of ≤ d shifted versions
of the same m-sequence.
In the linear combiner case the key stream can be represented similarly, but
now each α_i is a product of zeros from the characteristic polynomials of the different shift registers. For example, if we have three LFSRs generating m-sequences
{a_t}, {b_t} and {c_t} and f = x_1 x_2 x_3 + x_1, and we select x_1 = a_t, x_2 = b_t and
x_3 = c_t, then the keystream can be written

$$z_t = \sum_{i} \beta_i\, \alpha_i^t,$$

where each α_i is either a product of three elements, one zero from each
of the characteristic polynomials, or a zero from the characteristic polynomial
generating the {a_t} sequence.
In this case (when one variable enters linearly) we can define p(x) to contain
all these zeros except the zeros from the characteristic polynomial of {a_t}. Then
we have

$$p(E) z_t = \sum_{i} \beta_i\, p(\alpha_i)\, \alpha_i^t = Tr_1^{n_a}\big(\beta_1\, p(\alpha_1)\, \alpha_1^t\big)$$

where α_1 is a zero of the polynomial a(x) of degree n_a. We can use methods
similar to those of the previous section to determine the initial state of {a_t}.
We will consider the slightly more general case when the Boolean function
may take more than one bit from each LFSR.

Example 2. Let a(x) = x^4 + x + 1 and b(x) = x^5 + x^2 + 1 be the characteristic polynomials of two LFSRs. Let {a_t}
and {b_t} denote the m-sequences generated by the characteristic polynomials
a(x) and b(x) respect­ively. Let f be the filter function

$$f(a_t, b_t) = f_t(a_0, a_1, a_2, a_3, b_0, b_1, b_2, b_3, b_4) = z_t.$$

For the n = 9 unknown variables:

$$(a_0, a_1, a_2, a_3, b_0, b_1, b_2, b_3, b_4) = (x_0, x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8).$$

Let f(x_0, x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8) = x_0 + x_5 + x_0 x_5 + x_1 x_3 + x_5 x_6.
Then

$$\begin{aligned} z_t &= f(x_0, x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8) \\ &= f(a_t, a_{t+1}, a_{t+2}, a_{t+3}, b_t, b_{t+1}, b_{t+2}, b_{t+3}, b_{t+4}) \\ &= a_t + b_t + a_t b_t + a_{t+1} a_{t+2} + b_t b_{t+1}. \end{aligned}$$

In this case we can study the coordinate sequences for the polynomials f_t as a
function of the coordinate sequences for a_I and b_J. The methods in the previous
sections apply with minor adjustments.

Acknowledgements

This work was supported by the Norwegian Research Council.

References
1. Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359.
Springer, Heidelberg (2003)
2. Golomb, S.W., Gong, G.: Signal Design for Good Correlation: For Wireless Com-
munication, Cryptography and Radar. Cambridge University Press, Cambridge
(2005)
3. Gong, G.: Analysis and Synthesis of Phases and Linear Complexity of Non-Linear
Feedforward Sequences. Ph.D. thesis, University of Elec. Sci. and Tech. of China
(1990)
4. Hawkes, P., Rose, G.: Rewriting Variables: The Complexity of Fast Algebraic At-
tacks on Stream Ciphers. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152,
pp. 390–406. Springer, Heidelberg (2004)
5. Herlestam, T.: On Functions of Linear Shift Register Sequences. In: Pichler, F. (ed.)
EUROCRYPT 1985. LNCS, vol. 219, pp. 119–129. Springer, Heidelberg (1986)
6. Paterson, K.G.: Root Counting, the DFT and the Linear Complexity of Nonlinear
Filtering. Codes and Cryptography 14, 247–259 (1998)
7. Rønjom, S., Gong, G., Helleseth, T.: On Attacks on Filtering Generators Using
Linear Subspace Structures. In: SSC 2007, pp. 141–153 (2007)
8. Rønjom, S., Helleseth, T.: A New Attack on the Filter Generator. IEEE Trans.
Inform. Theory 53(5), 1752–1758 (2007)
9. Rønjom, S., Helleseth, T.: Attacking the Filter Generator over GF (2m ). In: WAIFI
2007. LNCS, vol. 4547, Springer, Heidelberg (2007)
10. Rønjom, S., Helleseth, T.: The Linear Vector Space Spanned by the Nonlinear
Filter Generator. In: SSC 2007, pp. 141–153 (2007)
11. Rueppel, R.A.: Analysis and Design of Stream Ciphers. Springer, Heidelberg (1986)
Iterative List Decoding of LDPC Codes

Tom Høholdt^1 and Jørn Justesen^2

^1 Department of Mathematics, The Technical University of Denmark, Bldg. 303, DK-2800 Lyngby, Denmark
[email protected]
^2 COM, The Technical University of Denmark, Bldg. 343, DK-2800 Lyngby, Denmark
[email protected]

1 Extended Abstract
In the last decade two old methods for decoding linear block codes have gained
considerable interest, iterative decoding as first described by Gallager in [1] and
list decoding as introduced by Elias [2]. In particular iterative decoding of low-density parity-check (LDPC) codes has been an important subject of research,
see e.g. [3] and the references therein. "Good" LDPC codes are often randomly
generated by computer, but recently codes with an algebraic or geometric structure have also been considered, e.g. [3] and [4]. The performance of the iterative
decoder is typically studied by simulations, and a theoretical analysis is more
difficult.
In this paper we combine the two decoding methods and present an iterative
list decoding algorithm. In particular we apply this decoder to a class of LDPC
codes from finite geometries and show that the (73, 45, 10) projective geometry
code can be maximum likelihood decoded with low complexity. Moreover the list
decoding approach enables us to give a complete analysis of the performance in
this case. We also discuss the performance of the list bit-flipping algorithm for
longer LDPC codes.
We consider hard-decision iterative decoding of a binary (n, k, d) code. For a
received vector y we calculate an extended syndrome s = H y^T, where H is a
parity check matrix, but usually one with more than n − k rows. Let r denote the
length of the syndrome. The idea of using extended syndromes was also used in
[5]. Our approach is based on one of the common versions of bit flipping (BF)
[3], where the schedule is such that the syndrome is updated after each flip. In
each step we flip a symbol chosen among those positions that reduce the weight
of the extended syndrome, which we refer to briefly as the syndrome weight, u.
A decoded word is reached when u = 0. In this paper we consider a variation of
the common algorithm in the form of a tree-structured search. Whenever there is
a choice between several bits, all possibilities are tried in succession. The result
of the decoding algorithm is, in general, a list of codewords, obtained as leaves
of the search tree. This form of the bit flipping algorithm leads naturally to a
solution in the form of a list of codewords at the same smallest distance from
y [6]. This list decoding concept is somewhat different from list decoding in the
usual sense of all codewords within a certain distance from y. The paper is a
continuation of [7] including results on long codes from [8].

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 18–19, 2007.
© Springer-Verlag Berlin Heidelberg 2007

References
1. Gallager, R.G.: Low-Density Parity-Check Codes. M.I.T. Press, Cambridge, MA
(1963)
2. Elias, P.: List Decoding for Noisy Channel. Res. Lab. Electron., MIT, Cambridge,
MA, Techn. Rep. 335 (1957)
3. Kou, Y., Lin, S., Fossorier, M.: Low-Density Parity-Check Codes Based on Finite
Geometries: A Rediscovery and New Results. IEEE Trans. Inform. Theory 47, 2711–
2736 (2001)
4. Liu, Z., Pados, D.A.: LDPC Codes from Generalized Polygons. IEEE Trans. Inform.
Theory 51, 3890–3898 (2005)
5. Bossert, M., Hergert, F.: Hard- and Soft-Decision Decoding Beyond the Half Minimum Distance - An Algorithm for Linear Codes. IEEE Trans. Inform. Theory 32,
709–714 (1986)
6. Hjaltason, J.: List Decoding of LDPC Codes. M. Eng. Thesis, Department of Math-
ematics, Technical University of Denmark (2005)
7. Justesen, J., Høholdt, T., Hjaltason, J.: Iterative List Decoding of Some LDPC
Codes. IEEE Trans. Inform. Theory. (to appear, 2007)
8. Kristensen, J.T.: List Decoding of LDPC Codes. M. Eng. Thesis, COM, Technical
University of Denmark (2007)
Inverted Edwards Coordinates

Daniel J. Bernstein^1 and Tanja Lange^2

^1 Department of Mathematics, Statistics, and Computer Science (M/C 249), University of Illinois at Chicago, Chicago, IL 60607–7045, USA
[email protected]
^2 Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, P.O. Box 513, 5600 MB Eindhoven, Netherlands
[email protected]

Abstract. Edwards curves have attracted great interest for several rea-
sons. When curve parameters are chosen properly, the addition formulas
use only 10M + 1S. The formulas are strongly unified, i.e., work without
change for doublings; even better, they are complete, i.e., work without
change for all inputs. Dedicated doubling formulas use only 3M + 4S,
and dedicated tripling formulas use only 9M + 4S.
This paper introduces inverted Edwards coordinates. Inverted Edwards
coordinates (X1 : Y1 : Z1 ) represent the affine point (Z1 /X1 , Z1 /Y1 ) on
an Edwards curve; for comparison, standard Edwards coordinates (X1 :
Y1 : Z1 ) represent the affine point (X1 /Z1 , Y1 /Z1 ).
This paper presents addition formulas for inverted Edwards coor-
dinates using only 9M + 1S. The formulas are not complete but still
are strongly unified. Dedicated doubling formulas use only 3M + 4S,
and dedicated tripling formulas use only 9M + 4S. Inverted Edwards
coordinates thus save 1M for each addition, without slowing down
doubling or tripling.

Keywords: Elliptic curves, addition, doubling, explicit formulas, Edwards coordinates, inverted Edwards coordinates, side-channel countermeasures, unified addition formulas, strongly unified addition formulas.

1 Introduction
In [8] Edwards proposed a new normal form for elliptic curves and gave an
addition law that is remarkably symmetric in the x and y coordinates. In [4],
using coordinates (X : Y : Z) to represent the point (X/Z, Y /Z) on an Edwards
curve, we showed that curve addition could be performed using only 10M + 1S
(i.e., 11 field multiplications, of which 1 is a squaring) and that curve doubling
could be performed using only 3M + 4S. We presented a comprehensive survey

Permanent ID of this document: 0ef034ea1cdbb58a5182aaaefbea6754. Date of this
document: 2007.10.03. This work has been supported in part by the European Com-
mission through the IST Programme under Contract IST–2002–507932 ECRYPT.
This work was carried out while the first author was visiting Technische Universiteit
Eindhoven.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 20–27, 2007.
© Springer-Verlag Berlin Heidelberg 2007

of speeds of our formulas and previous formulas for elliptic-curve arithmetic in
various representations. The survey showed that Edwards curves provide the
fastest additions and almost the fastest doublings. The only faster doublings
were from doubling-oriented Doche/Icart/Kohel curves, which come with rather
inefficient addition formulas.
One of the attractive features of the Edwards addition law is that it is strongly
unified : the addition law works without change for doublings. We showed in
[4] that, when curve parameters are chosen properly, the addition law is even
complete: it works for all inputs, with no exceptional cases. Our fast addition
formulas in [4] have the same features. See Section 2 of this paper for a more
detailed review of Edwards curves.
In [2], together with Birkner and Peters, we showed that tripling on Edwards
curves could be performed using only 9M + 4S. We also analyzed the optimal
combinations of additions, doublings, triplings, windowing methods, on-the-fly
precomputations, curve shapes, and curve formulas, improving upon the analysis
in [6] by Doche and Imbert. Hisil, Carter, and Dawson independently developed
essentially the same tripling formulas; see [9].

New Contributions. This paper presents an even faster coordinate system for
elliptic curves: namely, inverted Edwards coordinates, using coordinates (X : Y :
Z) to represent the point (Z/X, Z/Y ) on an Edwards curve. In Section 4 we
present formulas for curve addition in inverted Edwards coordinates using only
9M + 1S, saving 1M compared to standard Edwards coordinates.
Inverted Edwards coordinates, unlike standard Edwards coordinates, do not
have complete addition formulas: some points, such as the neutral element, must
be handled separately. But our addition formulas still have the advantage of
strong unification: they can be used without change to double a point.
In Sections 5 and 6 we present formulas for doubling and tripling in inverted
Edwards coordinates using only 3M + 4S and 9M + 4S, matching the speeds of
standard Edwards coordinates.
All of the operation counts stated above assume small curve parameters and
disregard the cost of multiplying by a curve parameter. Arbitrary curve pa-
rameters cost 1M extra for each addition, each doubling, and each tripling. The
penalty for standard Edwards coordinates is smaller: arbitrary curve parameters
cost 1M extra for addition but nothing for doubling or tripling.
In Section 7 we revisit the comparison from [4], analyzing the impact of in-
verted Edwards coordinates and other recent speedups.

2 Review of Edwards Curves


Let k be a field. Throughout this paper we assume that $2 \neq 0$ in k.
A curve in Edwards form is given by an equation

$$x^2 + y^2 = 1 + dx^2y^2,$$
22 D.J. Bernstein and T. Lange

where $d \notin \{0, 1\}$. Every Edwards curve is birationally equivalent to an elliptic curve in Weierstrass form. See [4, Section 3] for an explicit description of the equivalence.
One reason for the great interest in Edwards curves is that the Edwards addition law

$$(x_1, y_1), (x_2, y_2) \mapsto \left( \frac{x_1 y_2 + y_1 x_2}{1 + d x_1 x_2 y_1 y_2},\ \frac{y_1 y_2 - x_1 x_2}{1 - d x_1 x_2 y_1 y_2} \right)$$

is strongly unified: it applies to doubling as well as to general addition, unlike the usual Weierstrass addition law. Strongly unified addition formulas had previously been published for Jacobi intersections, Jacobi quartics, and Weierstrass curves in projective coordinates, but the Edwards formulas are considerably faster.
We showed in [4, Theorem 3.3] that if d is not a square in k then the Edwards addition law has an even more attractive feature: it is complete. This means that there are no points $(x_1, y_1), (x_2, y_2)$ on the curve where the denominators vanish; the Edwards addition law produces the correct output for every pair of input points. The neutral element (0, 1) does not cause any trouble. The Edwards curve has two singularities at infinity, corresponding to four points on the desingularization of the curve; but those four points are defined over $k(\sqrt d)$, not over k.
To the best of our knowledge, the Edwards addition law is the only complete
addition law stated in the literature. Previous addition laws have exceptional
cases and require careful handling by the implementor to avoid the risk of in-
correct results and to avoid the risk of leaking secret information through side
channels. It should be possible to build a complete addition law for some Weier-
strass curves starting from the formulas in [5], but we would not expect the
resulting law to be nearly as fast as the Edwards addition law.
In [4] we suggested using homogeneous coordinates $(X_1 : Y_1 : Z_1)$, where $(X_1^2 + Y_1^2)Z_1^2 = Z_1^4 + dX_1^2Y_1^2$ and $Z_1 \neq 0$, to represent the point $(X_1/Z_1, Y_1/Z_1)$ on the Edwards curve. Here $(X_1 : Y_1 : Z_1) = (\lambda X_1 : \lambda Y_1 : \lambda Z_1)$ for any $\lambda \neq 0$. In [4, Section 4] we presented explicit formulas for addition in this representation using 10M + 1S + 1D + 7a, where M denotes the cost of a field multiplication, S the cost of a field squaring, D the cost of a multiplication by the curve parameter d, and a the cost of a field addition.
Implementations can gain speed, at the expense of simplicity, by using dedi-
cated doubling formulas for additions where the inputs are known to be equal.
In [4, Section 4] we presented explicit doubling formulas using 3M + 4S + 6a.
Completeness remains beneficial in this situation: one does not need to check for
other exceptions if the curve parameter d is not a square.

3 Inverted Edwards Coordinates


In this and the following sections we consider a different representation of points on an Edwards curve $x^2 + y^2 = 1 + dx^2y^2$. We use three coordinates $(X_1 : Y_1 : Z_1)$, where

$$(X_1^2 + Y_1^2)Z_1^2 = X_1^2Y_1^2 + dZ_1^4$$
and $X_1Y_1Z_1 \neq 0$, to represent the point $(Z_1/X_1, Z_1/Y_1)$ on the Edwards curve. We refer to these coordinates as inverted Edwards coordinates. As before, $(X_1 : Y_1 : Z_1) = (\lambda X_1 : \lambda Y_1 : \lambda Z_1)$ for any $\lambda \neq 0$.
It is easy to convert from standard Edwards coordinates (X1 : Y1 : Z1 ) to
inverted Edwards coordinates: simply compute (Y1 Z1 : X1 Z1 : X1 Y1 ) with three
multiplications. The same computation also performs the opposite conversion
from inverted Edwards coordinates to standard Edwards coordinates.
For computations we use the vector (X1 , Y1 , Z1 ) to represent the point (X1 :
Y1 : Z1 ) in inverted Edwards coordinates.

Special points. The requirement $X_1Y_1Z_1 \neq 0$ means that inverted Edwards coordinates cannot represent points $(x_1, y_1)$ on the Edwards curve that satisfy $x_1y_1 = 0$. There are four such points: the neutral element (0, 1), the point (0, −1) of order 2, and the points (±1, 0) of order 4. Additions that involve these points as inputs or outputs must be handled by separate routines.
The four points (0, 1), (0, −1), (1, 0), (−1, 0) are (0 : 1 : 1), (0 : −1 : 1), (1 : 0 : 1), (−1 : 0 : 1) in standard Edwards coordinates. Applying the aforementioned conversion to inverted Edwards coordinates, and ignoring the requirement $X_1Y_1Z_1 \neq 0$, produces points at infinity on the projective curve $(X^2 + Y^2)Z^2 = X^2Y^2 + dZ^4$: specifically, (1 : 0 : 0), (−1 : 0 : 0), (0 : 1 : 0), (0 : −1 : 0). But then the rule $(X_1 : Y_1 : Z_1) = (\lambda X_1 : \lambda Y_1 : \lambda Z_1)$ equates (1 : 0 : 0) with (−1 : 0 : 0), losing the distinction between (0, 1) and (0, −1), and similarly losing the distinction between (1, 0) and (−1, 0).
To have unique representations for the computations it is convenient to use
the vectors (1, 0, 0), (−1, 0, 0), (0, −1, 0), (0, 1, 0) to represent (0, 1), (0, −1), (1, 0),
(−1, 0). Note that these representations are not homogeneous and that for algo-
rithmic reasons (±1, 0) correspond to (0, ∓1, 0). One must be careful to check for
Z1 = 0 before adding (X1 : Y1 : Z1 ) to another point, and to check for X1 Y1 = 0
before applying the conversions to and from standard Edwards coordinates.
In many applications one restricts attention to a subgroup of odd order, so
the only special point is the neutral element and fewer checks are required. One
can also randomize computations so that special points have a negligible chance
of occurring; see [4, Section 8] for pointers to the literature.

Geometry. Recall that the desingularization of an Edwards curve has, over $k(\sqrt d)$, four points that map to the two singularities at infinity on the curve. It also has four points that map without ramification to (0, 1), (0, −1), (1, 0), and (−1, 0).
Mapping the same desingularization to the projective curve $(X^2 + Y^2)Z^2 = X^2Y^2 + dZ^4$ takes the first four points without ramification to $(0 : \pm\sqrt d : 1)$ and $(\pm\sqrt d : 0 : 1)$, and takes the second four points to two singularities at infinity.
When d is not a square, the first map has no ramification points over k and allows a complete addition law on the Edwards curve. The second map always has ramification points, and in particular is ramified at the neutral element.
For mathematicians it is perhaps more satisfying to start from the projective curve $(X^2 + Y^2)Z^2 = X^2Y^2 + dZ^4$ and define an addition law on it, including
the points $(0 : \pm\sqrt d : 1)$ and $(\pm\sqrt d : 0 : 1)$, without mapping to an Edwards curve. We restricted to points $(X_1 : Y_1 : Z_1)$ with $X_1Y_1Z_1 \neq 0$ to maintain the link with Edwards curves and the Edwards addition law.

4 Addition

Obtaining more efficient addition formulas was our main goal in investigating inverted Edwards coordinates. Inspecting the addition formulas in [4, Section 4] one notices that the computations of the resulting $X_3$ and $Y_3$ each involve a multiplication by $Z_1Z_2$.
Inserting $Z_i/X_i$ for $x_i$ and $Z_i/Y_i$ for $y_i$ in the Edwards addition law (assuming $X_iY_iZ_i \neq 0$) we obtain

$$\left(\frac{Z_1}{X_1}, \frac{Z_1}{Y_1}\right) + \left(\frac{Z_2}{X_2}, \frac{Z_2}{Y_2}\right) = \left( \frac{(X_2Y_1 + X_1Y_2)Z_1Z_2}{X_1X_2Y_1Y_2 + dZ_1^2Z_2^2},\ \frac{(X_1X_2 - Y_1Y_2)Z_1Z_2}{X_1X_2Y_1Y_2 - dZ_1^2Z_2^2} \right) = \left(\frac{Z_3}{X_3}, \frac{Z_3}{Y_3}\right)$$

where

$$X_3 = (X_1X_2 - Y_1Y_2)(X_1X_2Y_1Y_2 + dZ_1^2Z_2^2)$$
$$Y_3 = (X_2Y_1 + X_1Y_2)(X_1X_2Y_1Y_2 - dZ_1^2Z_2^2)$$
$$Z_3 = (X_1X_2 - Y_1Y_2)(X_2Y_1 + X_1Y_2)Z_1Z_2.$$

This shows the idea behind inverted Edwards coordinates, namely that in this representation only $Z_3$ needs to be multiplied with $Z_1Z_2$, which saves 1M in total. Compared to the addition in Edwards coordinates the degree of these formulas is only 6 as opposed to 8 in that representation.

We then eliminate multiplications from these formulas, as in [4, Section 4], obtaining the following formulas to compute the sum $(X_3 : Y_3 : Z_3) = (X_1 : Y_1 : Z_1) + (X_2 : Y_2 : Z_2)$ in inverted Edwards coordinates, given $(X_1 : Y_1 : Z_1)$ and $(X_2 : Y_2 : Z_2)$:

$$A = Z_1 \cdot Z_2;\ B = dA^2;\ C = X_1 \cdot X_2;\ D = Y_1 \cdot Y_2;\ E = C \cdot D;$$
$$H = C - D;\ I = (X_1 + Y_1) \cdot (X_2 + Y_2) - C - D;$$
$$X_3 = (E + B) \cdot H;\ Y_3 = (E - B) \cdot I;\ Z_3 = A \cdot H \cdot I.$$

One readily counts 9M + 1S + 1D + 7a, as advertised in the introduction. We have added these formulas to the EFD [3] for formal verification that the results coincide with the original Edwards addition law and that the formulas are strongly unified.

Restricted additions. Mixed addition means that $Z_2$ is known to be 1. There is an obvious saving of 1M in this case since $A = Z_1 \cdot Z_2 = Z_1$, leading to a total cost of 8M + 1S + 1D + 7a.
Readdition means that (X2 : Y2 : Z2 ) has been added to another point before.
This means that computations depending only on (X2 : Y2 : Z2 ), such as X2 +Y2 ,
can be cached from the previous addition. We have not found a way to save M
or S in this case.
Special points. The above description of addition ignored the possibility of
the special points (0, 1), (0, −1), (1, 0), (−1, 0) appearing as summands or as the
sum. We now deal with that possibility. We represent these points as the vectors
(1, 0, 0), (−1, 0, 0), (0, −1, 0), (0, 1, 0) respectively, as discussed in Section 3. We
assume that d is not a square.
Special points as summands are easy to handle. If Z1 = 0 or Z2 = 0 then the
sum of (X1 , Y1 , Z1 ) and (X2 , Y2 , Z2 ) is (X1 X2 − Y1 Y2 , X2 Y1 + X1 Y2 , Z1 + Z2 ).
Even if neither summand is a special point, the sum could be a special point.
If I = 0 and Y2 Z1 = Y1 Z2 then the sum is (1, 0, 0). If I = 0 and Y2 Z1 = −Y1 Z2
then the sum is (−1, 0, 0). If H = 0 and Y2 Z1 = −X1 Z2 then the sum is (0, 1, 0).
If H = 0 and Y2 Z1 = X1 Z2 then the sum is (0, −1, 0).
To derive these output rules, observe that two points (x1 , y1 ) and (x2 , y2 ) on
the Edwards curve have sum (0, 1) if and only if (x2 , y2 ) = (−x1 , y1 ). In this case
(Z2 /X2 , Z2 /Y2 ) = (−Z1 /X1 , Z1 /Y1 ) so, in the notation of our explicit formulas,
I = X1 Y2 + Y1 X2 = X1 Y1 Z2 /Z1 − Y1 X1 Z2 /Z1 = 0 and Y2 Z1 = Y1 Z2 . Similarly,
two points (x1 , y1 ) and (x2 , y2 ) having sum (0, −1) end up with I = 0 but with
Y2 Z1 = −Y1 Z2 ; two points (x1 , y1 ) and (x2 , y2 ) having sum (1, 0) end up with
H = 0 and Y2 Z1 = X1 Z2 ; two points (x1 , y1 ) and (x2 , y2 ) having sum (−1, 0)
end up with H = 0 but with Y2 Z1 = −X1 Z2 .
To see that the output rules are exclusive, suppose that $H = 0$ and $I = 0$. Then $X_1X_2 = Y_1Y_2$ and $X_1Y_2 + X_2Y_1 = 0$, so $X_1^2X_2 = X_1Y_1Y_2$ and $X_1Y_1Y_2 + X_2Y_1^2 = 0$, so $(X_1^2 + Y_1^2)X_2 = 0$; all variables are nonzero, so $X_1^2 + Y_1^2 = 0$. The curve equation $(X_1^2 + Y_1^2)Z_1^2 = X_1^2Y_1^2 + dZ_1^4$ now implies $0 = X_1^2(-X_1^2) + dZ_1^4$; i.e., $d = (X_1/Z_1)^4$, contradicting the assumption that d is not a square.

5 Doubling

Doubling refers to the case that the inputs $(X_1 : Y_1 : Z_1)$ and $(X_2 : Y_2 : Z_2)$ are known to be equal. If $X_1Y_1Z_1 = 0$ the special formulas from Section 4 apply. Otherwise inserting $Z_1/X_1$ for $x_1$ and $x_2$ and $Z_1/Y_1$ for $y_1$ and $y_2$ in the Edwards addition law we obtain

$$2(x_1, y_1) = \left( \frac{2X_1Y_1Z_1^2}{X_1^2Y_1^2 + dZ_1^4},\ \frac{(X_1^2 - Y_1^2)Z_1^2}{X_1^2Y_1^2 - dZ_1^4} \right) = \left( \frac{2X_1Y_1}{X_1^2 + Y_1^2},\ \frac{X_1^2 - Y_1^2}{X_1^2 + Y_1^2 - 2dZ_1^2} \right).$$

In the second equality we have used the curve equation to replace $X_1^2Y_1^2$ by $(X_1^2 + Y_1^2)Z_1^2 - dZ_1^4$, and then cancelled $Z_1^2$, reducing the overall degree of the formulas to 4. The resulting coordinates are

$$X_3 = (X_1^2 + Y_1^2)(X_1^2 - Y_1^2)$$
$$Y_3 = 2X_1Y_1(X_1^2 + Y_1^2 - 2dZ_1^2)$$
$$Z_3 = 2X_1Y_1(X_1^2 - Y_1^2).$$
The explicit formulas in this case need 3M + 4S + 1D + 6a:

$$A = X_1^2;\ B = Y_1^2;\ C = A + B;\ D = A - B;\ E = (X_1 + Y_1)^2 - C;$$
$$Z_3 = D \cdot E;\ X_3 = C \cdot D;\ Y_3 = E \cdot (C - 2d \cdot Z_1^2).$$

6 Tripling
In Edwards coordinates tripling (9M + 4S + 8a, or alternatively 7M + 7S + 16a)
is faster than the sequential computation of a doubling (3M + 4S + 6a) followed
by an addition (10M + 1S + 1D + 7a). The main speedup comes from using the
curve equation to reduce the degree of the tripling formulas. See Section 1 for
credits and references.
For inverted Edwards coordinates with $X_1Y_1Z_1 \neq 0$ we now provide two sets of tripling formulas. Both sets have been added to the EFD [3] for formal verification. The first set needs 9M + 4S + 1D + 10a:

$$A = X_1^2;\ B = Y_1^2;\ C = Z_1^2;\ D = A + B;\ E = 4(D - d \cdot C);$$
$$H = 2D \cdot (B - A);\ P = D^2 - A \cdot E;\ Q = D^2 - B \cdot E;$$
$$X_3 = (H + Q) \cdot Q \cdot X_1;\ Y_3 = (H - P) \cdot P \cdot Y_1;\ Z_3 = P \cdot Q \cdot Z_1.$$

The second set needs 7M + 7S + 1D + 17a:

$$A = X_1^2;\ B = Y_1^2;\ C = Z_1^2;\ D = A + B;\ E = 4(D - d \cdot C);$$
$$H = 2D \cdot (B - A);\ P = D^2 - A \cdot E;\ Q = D^2 - B \cdot E;$$
$$X_3 = (H + Q) \cdot ((Q + X_1)^2 - Q^2 - A);\ Y_3 = 2(H - P) \cdot P \cdot Y_1;$$
$$Z_3 = P \cdot ((Q + Z_1)^2 - Q^2 - C).$$

The second set is faster if S/M is small.


Triplings, like doublings, have similar speeds for inverted Edwards coordinates
and standard Edwards coordinates. Inverted Edwards coordinates speed up ad-
dition by reducing the degree of the formulas, but the curve equation already
appears to have produced the minimal degrees for doublings and triplings, so
the lack of further improvements does not come as a surprise.

Special points. Tripling special points is very easy: 3(X1 , Y1 , 0) = (X1 , −Y1 , 0).
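As an added, runnable illustration (not code from the paper or from the EFD), the following Python script implements the inverted-coordinate addition of Section 4, the doubling of Section 5 and both tripling sets of Section 6, together with the special-point vectors and rules of Sections 3, 4 and 6, and cross-checks every result against the affine Edwards addition law. The prime p = 1009, the choice of d as the smallest non-square modulo p, the brute-force point search and all function names are assumptions made for this example; the small field only keeps the searches cheap.

```python
# Inverted Edwards coordinates (X : Y : Z) for the point (Z/X, Z/Y) on x^2 + y^2 = 1 + d x^2 y^2,
# checked against the affine Edwards addition law. Added example, not the paper's or the EFD's code;
# p, d and all names are assumptions. Special points are the Section 3 vectors:
# (1,0,0) = (0,1), (-1,0,0) = (0,-1), (0,-1,0) = (1,0), (0,1,0) = (-1,0).

p = 1009  # assumed small prime, so the brute-force searches below are cheap

def inv(a):
    return pow(a % p, p - 2, p)

def first_nonsquare():
    squares = {v * v % p for v in range(p)}
    return next(d for d in range(2, p) if d not in squares)   # non-square d: affine law is complete

def affine_add(P, Q, d):
    """Edwards addition law on affine points; complete when d is a non-square."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + y1 * x2) * inv(1 + t) % p, (y1 * y2 - x1 * x2) * inv(1 - t) % p)

def curve_points(d):
    """Yield affine points (x, y) with xy != 0 by brute force."""
    sqrt = {}
    for v in range(1, p):
        sqrt.setdefault(v * v % p, v)
    for x in range(2, p - 1):                       # x not in {0, 1, -1} keeps y != 0
        rhs = (1 - x * x) * inv(1 - d * x * x) % p  # y^2 = (1 - x^2)/(1 - d x^2); denominator != 0 for non-square d
        if rhs in sqrt:
            yield (x, sqrt[rhs])

def to_inverted(x, y):       # (x, y) with xy != 0  ->  (1/x : 1/y : 1) = (y : x : xy)
    assert x % p and y % p, "special point: not representable"
    return (y % p, x % p, x * y % p)

def to_affine(P):            # (X : Y : Z) with XYZ != 0  ->  (Z/X, Z/Y)
    X, Y, Z = P
    assert X and Y and Z, "special point: use the vector rules"
    return (Z * inv(X) % p, Z * inv(Y) % p)

def inv_add(P, Q, d):
    """Section 4 addition (9M + 1S + 1D) plus the special-summand and special-sum rules; d a non-square."""
    (X1, Y1, Z1), (X2, Y2, Z2) = P, Q
    if Z1 == 0 or Z2 == 0:                          # a special summand
        return ((X1 * X2 - Y1 * Y2) % p, (X2 * Y1 + X1 * Y2) % p, (Z1 + Z2) % p)
    A = Z1 * Z2 % p; B = d * A * A % p; C = X1 * X2 % p; D = Y1 * Y2 % p; E = C * D % p
    H = (C - D) % p
    I = ((X1 + Y1) * (X2 + Y2) - C - D) % p
    if I == 0:                                      # sum is (0, 1) or (0, -1)
        return (1, 0, 0) if Y2 * Z1 % p == Y1 * Z2 % p else (p - 1, 0, 0)
    if H == 0:                                      # sum is (-1, 0) or (1, 0); exclusive of I == 0
        return (0, 1, 0) if Y2 * Z1 % p == -X1 * Z2 % p else (0, p - 1, 0)
    return ((E + B) * H % p, (E - B) * I % p, A * H * I % p)

def inv_double(P, d):
    """Section 5 doubling (3M + 4S + 1D)."""
    X1, Y1, Z1 = P
    if Z1 == 0:
        return inv_add(P, P, d)
    A = X1 * X1 % p; B = Y1 * Y1 % p; C = (A + B) % p; D = (A - B) % p
    E = ((X1 + Y1) ** 2 - C) % p                    # 2 X1 Y1 from one squaring
    return (C * D % p, E * (C - 2 * d * Z1 * Z1) % p, D * E % p)

def inv_triple(P, d, second_set=False):
    """Section 6 tripling; the second set replaces 2M by 3S via (Q + X1)^2 - Q^2 - A = 2 Q X1."""
    X1, Y1, Z1 = P
    if Z1 == 0:
        return (X1, -Y1 % p, 0)                     # 3(X1, Y1, 0) = (X1, -Y1, 0)
    A = X1 * X1 % p; B = Y1 * Y1 % p; C = Z1 * Z1 % p; D = (A + B) % p
    E = 4 * (D - d * C) % p; H = 2 * D * (B - A) % p
    P_ = (D * D - A * E) % p; Q = (D * D - B * E) % p
    if not second_set:
        return ((H + Q) * Q * X1 % p, (H - P_) * P_ * Y1 % p, P_ * Q * Z1 % p)
    return ((H + Q) * ((Q + X1) ** 2 - Q * Q - A) % p, 2 * (H - P_) * P_ * Y1 % p,
            P_ * ((Q + Z1) ** 2 - Q * Q - C) % p)

def selfcheck():
    """Every inverted-coordinate result must agree with the affine law; returns True when all do."""
    d = first_nonsquare()
    for P in curve_points(d):
        P2 = affine_add(P, P, d); P3 = affine_add(P2, P, d); P5 = affine_add(P3, P2, d)
        if all(x * y % p for x, y in (P2, P3, P5)):  # avoid points whose small multiples are special
            break
    x, y = P
    I1 = to_inverted(x, y)
    ok = to_affine(inv_add(I1, I1, d)) == P2                      # strongly unified: the adder doubles
    ok &= to_affine(inv_double(I1, d)) == P2
    ok &= to_affine(inv_triple(I1, d)) == P3 == to_affine(inv_triple(I1, d, second_set=True))
    ok &= to_affine(inv_add(inv_double(I1, d), inv_triple(I1, d), d)) == P5
    ok &= inv_add(I1, to_inverted(-x % p, y), d) == (1, 0, 0)     # P + (-P) = (0, 1)
    ok &= inv_add(I1, to_inverted(y, x), d) == (0, p - 1, 0)      # P + ((1, 0) - P) = (1, 0)
    ok &= inv_add((1, 0, 0), I1, d) == I1                         # neutral summand
    ok &= inv_triple((0, p - 1, 0), d) == (0, 1, 0)               # 3(1, 0) = (-1, 0)
    return ok

if __name__ == "__main__":
    print("all inverted-coordinate formulas agree with the affine law:", selfcheck())
```

The two output tests in `inv_add` (I = 0, then H = 0) are the rules of the "Special points" paragraph above; they are only mutually exclusive because d is a non-square, which is why `first_nonsquare` is used to pick d. The vector forms with a negative coordinate are stored as p − 1 so that tuple comparison works directly.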

7 Comparison
The EFD [3] is meant to provide an up-to-date database with all curve forms and
coordinate systems ever proposed. A comparison in a paper can only give a snap-
shot of what is known today. Most of the conclusions in [4] remain unchanged,
but science has developed even in the short time since then!
Duquesne in [7] proposed what we call “extended Jacobi-quartic coordi-
nates,” now described in detail in the EFD. Duquesne’s addition formulas use
9M + 2S + 1D, saving 1M − 1S compared to standard Edwards coordinates. These addition formulas are strongly unified but not complete: they can be used for doublings but have some exceptional cases. In the EFD we improve Duquesne's formulas to use 8M + 3S + 1D, saving another 1M − 1S.
Hisil, Carter, and Dawson in [9] improved various elliptic-curve addition for-
mulas, and in particular gave doubling formulas for extended Jacobi-quartic
coordinates using 3M + 4S. This is as fast as doubling in standard Edwards
coordinates.
However, addition in inverted Edwards coordinates is even faster, saving an
additional 2S−1M, and has just as fast doublings (for small d). Inverted Edwards
coordinates have the same advantage of being strongly unified.
The comparisons of different coordinate systems for scalar multiplications
using DBNS in [2] have been updated to include the speeds of [7] and [9], and
to include inverted Edwards coordinates. The comparison shows that, out of
currently known methods for scalar multiplication on elliptic curves, inverted
Edwards coordinates (with very few triplings) are the fastest.
To conclude we summarize the current situation: Edwards coordinates offer
the only complete addition law stated in the literature. If completeness is not
required then inverted Edwards coordinates are the new speed leader.

References
1. Barua, R., Lange, T. (eds.): INDOCRYPT 2006. LNCS, vol. 4329. Springer, Heidelberg (2006)
2. Bernstein, D.J., Birkner, P., Lange, T., Peters, C.: Optimizing Double-Base Elliptic-Curve Single-Scalar Multiplication. In: Srinathan, K., Pandu Rangan, C., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 167–182. Springer, Heidelberg (2007)
3. Bernstein, D.J., Lange, T.: Explicit-Formulas Database, http://www.hyperelliptic.org/EFD
4. Bernstein, D.J., Lange, T.: Faster Addition and Doubling on Elliptic Curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007), http://cr.yp.to/newelliptic/
5. Bosma, W., Lenstra Jr., H.W.: Complete Systems of Two Addition Laws for Elliptic Curves. J. Number Theory 53, 229–240 (1995)
6. Doche, C., Imbert, L.: Extended Double-Base Number System with Applications to Elliptic Curve Cryptography. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 335–348. Springer, Heidelberg (2006)
7. Duquesne, S.: Improving the Arithmetic of Elliptic Curves in the Jacobi Model. Information Processing Letters 104, 101–105 (2007)
8. Edwards, H.M.: A Normal Form for Elliptic Curves. Bulletin of the American Mathematical Society 44, 393–422 (2007), http://www.ams.org/bull/2007-44-03/S0273-0979-07-01153-6/home.html
9. Hisil, H., Carter, G., Dawson, E.: New Formulae for Efficient Elliptic Curve Arithmetic. In: Srinathan, K., Pandu Rangan, C., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, Springer, Heidelberg (2007)
10. Kurosawa, K. (ed.): ASIACRYPT 2007. LNCS, vol. 4833. Springer, Heidelberg (2007)
Spectra of Boolean Functions, Subspaces of
Matrices, and Going Up Versus Going Down

Gary McGuire

School of Mathematical Sciences
University College Dublin, Ireland
[email protected]

Abstract. We will discuss two different but related topics. We first give a connection between the Fourier spectrum of Boolean functions and subspaces of skew-symmetric matrices where each nonzero element has a lower bound on its rank. Secondly, we discuss some connections between bent and near-bent functions.

1 Introduction

Let $V_n$ denote any n-dimensional vector space over $\mathbb{F}_2$. The Fourier transform of a function $f : V_n \to V_m$ is defined by

$$\hat f(a, b) := \sum_{x \in V_n} (-1)^{\langle b, f(x)\rangle + \langle a, x\rangle}$$

for $a \in V_n$ and $b \in V_m$, $b \neq 0$. The angular brackets $\langle\,,\rangle$ denote any inner product on the relevant vector spaces. The Fourier spectrum of f is the subset of $\mathbb{Z}$ consisting of the set of values of $\hat f$, over all a and b ($b \neq 0$), and is independent of the inner products used.
If m = 1 then $V_m = V_1 = \mathbb{F}_2$ and any function $f : V_n \to \mathbb{F}_2$ is called a Boolean function.
Bent functions are Boolean functions which have Fourier spectrum $\{\pm 2^{n/2}\}$. Since the spectrum values are integers, bent functions can only exist when n is even. We shall call a Boolean function near-bent if its Fourier spectrum is $\{0, \pm 2^{(n+1)/2}\}$. Near-bent functions can only exist when n is odd. Near-bent functions have also been called "Gold-like" in the literature.
A function from $V_n \to V_n$ is said to be almost bent if it has Fourier spectrum $\{0, \pm 2^{(n+1)/2}\}$. As for near-bent functions, almost bent functions can only exist when n is odd.
An important case is when the vector space is actually a field. For this paper let L denote $\mathbb{F}_{2^n}$, the finite field with $2^n$ elements. Let tr denote the trace map from L to $\mathbb{F}_2$. We usually use the inner product $\langle x, y\rangle = \operatorname{tr}(xy)$ when $V_n = L$.

Research supported by the Claude Shannon Institute, Science Foundation Ireland
Grant 06/MI/006.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 28–37, 2007.

© Springer-Verlag Berlin Heidelberg 2007
Spectra of Boolean Functions, Subspaces of Matrices 29

For a function $f : L \to L$ the formula for $\hat f$ becomes

$$\hat f(a, b) := \sum_{x \in L} (-1)^{\operatorname{tr}(bf(x) + ax)}. \qquad (1)$$

In this context, f is almost bent if and only if each of the Boolean functions $\operatorname{tr}(bf(x))$ is near-bent, for all $b \in L$, $b \neq 0$. If f is a monomial permutation, say $f(x) = x^d$ where $(d, 2^n - 1) = 1$, then f is almost bent if and only if $\operatorname{tr}(f(x))$ is near-bent. This is because we may write any $b \in L$, $b \neq 0$, as $c^d$, and then replacing x by x/c in (1) gives

$$\hat f(a, b) = \sum_{x \in L} (-1)^{\operatorname{tr}(c^d x^d + ax)} = \sum_{x \in L} (-1)^{\operatorname{tr}(x^d + ac^{-1}x)} = \hat f(ac^{-1}, 1).$$

It follows that the Fourier spectrum of $f(x) = x^d$ will be the same as the Fourier spectrum of the Boolean function $\operatorname{tr}(x^d)$, when $(d, 2^n - 1) = 1$. The most famous examples of this are the almost bent Gold functions $f(x) = x^{2^k + 1}$ where k is relatively prime to n and n is odd. Bent and near-bent functions are discussed in section 4.
Let us next introduce the topic of subspaces of matrices where all nonzero matrices have a certain rank. In differential topology, one important problem is the construction of immersions from real projective space $P^n(\mathbb{R})$ into Euclidean space $\mathbb{R}^{n+k}$. There are open problems dating from the early 1960s concerning the minimal possible k for which such an immersion exists. Let $M_{n,n}(F)$ denote the vector space of all n × n matrices over a field F. It can be shown that the highest possible dimension of a subspace of $M_{n,n}(\mathbb{R})$ not containing any elements of rank 1 is directly related to the question of which k are possible. It has also been shown that subspaces consisting of all symmetric matrices, or all skew-symmetric matrices, are of similar importance to the problem of constructing embeddings into Euclidean space. Also, connections have been found between the embedding problem and the immersion problem, so the symmetric case has implications for the immersion problem. More details can be found in [9].
Connections between subspaces of matrices with good rank properties and spacetime codes are studied in Calderbank et al. [2] and Lu-Kumar [7].
Let L(n, k, F) denote the maximal dimension of a subspace of $M_{n,n}(F)$ all of whose nonzero elements have rank at least k. Let $L_S(n, k, F)$ denote the maximal dimension of a subspace of $M_{n,n}(F)$ all of whose nonzero elements are skew-symmetric and have rank at least k. In section 2 we will discuss the case of $F = \mathbb{F}_2$ and k large. In particular, we discuss $L_S(n, n-1, \mathbb{F}_2)$ and $L_S(n, n-3, \mathbb{F}_2)$ when n is odd and their relationship to the Fourier spectrum of functions. These methods carry over easily to finite fields of odd characteristic, and are well known. We will discuss carrying over the methods to infinite fields.

2 The Connection Between Subspaces and Values


First we shall outline the connection between the values in the Fourier spectrum,
and the ranks of the elements in some subspaces of matrices. The connection
30 G. McGuire

goes through bilinear forms. This work is all implicit in Delsarte and Goethals
[4]. They translate the results on bilinear forms into results in coding theory.
It is known that such results in coding theory can be translated into results on
the Fourier spectra of Boolean functions. We will directly translate results from
Boolean functions to results on subspaces of matrices. Therefore, we are not
going to present any new results in section 2.1, but we feel that it is useful to
directly explain the connection without going through coding theory. In section
2.2 we will present a direction for future research, and a new result.
We recall some definitions for bilinear forms. Let $L = \mathbb{F}_{2^n}$ as before. A bilinear form $B : L \times L \to \mathbb{F}_2$ is said to be symplectic if $B(x, x) = 0$ for all x. By definition the radical of B is

$$\operatorname{rad}(B) = \{x \in L : B(x, y) = 0 \text{ for all } y \in L\}.$$

The rank of B is defined to be $n - \dim(\operatorname{rad}(B))$, and a well known theorem states that the rank must be even.
Finally, let us state that although we only consider forms like $\operatorname{tr}(x^2y + xy^2)$ in characteristic 2, the arguments in this section carry over in a straightforward manner to alternating forms $\operatorname{tr}(x^py - xy^p)$ in characteristic p.

2.1 Background

Nothing in this section is new. We will use some motivating examples, which illustrate all the important ideas. In this section n is odd. For $a \in L$ the function

$$B_a(x, y) = \operatorname{tr}(a(x^2y + xy^2))$$

is a symplectic bilinear form on L. The rank of $B_a$ is $n - w_a$ where $w_a = \dim \operatorname{rad}(B_a)$. By definition,

$$\operatorname{rad}(B_a) = \{x \in L : \operatorname{tr}(a(x^2y + xy^2)) = 0\ \forall y \in L\} = \{x \in L : \operatorname{tr}((ax^2 + a^{2^{n-1}}x^{2^{n-1}})y) = 0\ \forall y \in L\}.$$

Since the trace form is nondegenerate, x is in $\operatorname{rad}(B_a)$ if and only if $ax^2 + a^{2^{n-1}}x^{2^{n-1}} = 0$. Squaring this gives

$$a^2x^4 + ax = 0. \qquad (2)$$

Initially it appears possible that this equation could have 4 solutions in L. However this would imply that $B_a$ has odd rank, since n is odd. Thus, the equation has two solutions in L. (Alternatively one can solve: if $ax \neq 0$ this implies $ax^3 = 1$, which has a unique solution for x because cubing is a bijection of L when n is odd, as then $\gcd(3, 2^n - 1) = 1$.) Thus $w_a = 1$ for all $a \neq 0$. This also shows $B_a$ is the zero form if and only if $a = 0$. Therefore, $B_a$ has rank $n - 1$ for all $a \neq 0$.
We note that the same argument works for any $\operatorname{tr}(a(x^\sigma y - xy^\sigma))$ where σ is a generating automorphism.
Now we introduce subspaces of skew-symmetric matrices. Observe that the $B_a$ ($a \in L$) form a vector space over $\mathbb{F}_2$. Choosing a basis of L over $\mathbb{F}_2$, the matrices corresponding to these forms will yield an n-dimensional vector space of n × n (skew) symmetric matrices with zero diagonal such that all nonzero members have rank n − 1. This is the maximum dimension for such a subspace, by a theorem in [4]. All this is well known over finite fields.
Next, we relate this to the Fourier spectrum of the function $x^3$. To see the connection it is best to review the calculation of the spectrum. Here write $\hat f(a, b) = \sum_{x \in L} (-1)^{\operatorname{tr}(ax^3 + bx)}$, so that a is the coefficient of $x^3$ and b the coefficient of x. The standard method is to square $\hat f(a, b)$, substitute $y = x + u$ in the double sum, and rearrange to get

$$\hat f(a, b)^2 = 2^n \sum_{u \in \operatorname{rad}(B_a)} (-1)^{\operatorname{tr}(au^3 + bu)}.$$

Now we see the connection to finding the radical of $B_a$. We computed the radical above and we saw that it has dimension 1. It is then clear that $\hat f(a, b)^2$ is $2^n \pm 2^n$, and so is either 0 or $2^{n+1}$.
In summary, the point we wish to make is that $x^3$ being an almost bent function is closely related to all nonzero elements in the vector space of skew-symmetric matrices $B_a$ having rank n − 1. In general the two facts are not equivalent, however. The ranks of the bilinear forms are the real connection, and although in this example this allowed us to determine the true values in the spectrum, in general more work has to be done in order to determine the precise spectrum.
Next, one could ask for subspaces where all ranks are n − 1 or n − 3. By [4], the maximum dimension for such a subspace is 2n. A function with spectrum $\{0, \pm 2^{(n+1)/2}, \pm 2^{(n+3)/2}\}$ should correspond to such a subspace, under the connection we have illustrated. Here is an example (from [4]).
Consider the set of bilinear forms

$$B_{c,d}(x, y) = \operatorname{tr}(c(x^2y + xy^2) + d(x^4y + xy^4))$$

over all $c, d \in L$. This set of bilinear forms is an $\mathbb{F}_2$-vector space of dimension 2n. We claim that each nonzero form has rank n − 1 or n − 3. This is the same as saying that the radicals have dimension 1 or 3. To show this, write

$$B_{c,d}(x, y) = \operatorname{tr}(y^4(c^4x^8 + c^2x^2 + d^4x^{16} + dx))$$

and then $x \in \operatorname{rad}(B_{c,d})$ if and only if

$$c^4x^8 + c^2x^2 + d^4x^{16} + dx = 0.$$

Initially it appears possible that this equation could have 16 solutions in L. However, because the dimension of the solution space is odd (because the rank of $B_{c,d}$ is even), the dimension must be 1 or 3. We are done.
The same argument repeated for the forms $\operatorname{tr}\big(\sum_{i=1}^k c_i(x^{2^i}y + xy^{2^i})\big)$ will give kn-dimensional subspaces of matrices of ranks n − 1, n − 3, ..., n − 2k + 1. This recovers a result of Delsarte and Goethals [4], which also appears in [6]. For example, in the 3n-dimensional space of forms

$$\operatorname{tr}(c(x^2y + xy^2) + d(x^4y + xy^4) + e(x^8y + xy^8))$$
all nonzero elements have rank n − 1, n − 3 or n − 5.


This 3n-dimensional subspace contains three obvious 2n-dimensional subspaces, consisting of all elements where one of c, d, e is 0. The e = 0 subspace has no elements of rank n − 5, as shown above. What about the d = 0 subspace? This consists of forms $B_{c,e}(x, y) = \operatorname{tr}(c(x^2y + xy^2) + e(x^8y + xy^8))$. We try the same argument: x is in the radical of this form if and only if

$$c^8x^{16} + c^4x^4 + e^8x^{64} + ex = 0. \qquad (3)$$

Since the rank of the form is even, it follows that this equation has $2^j$ solutions in L, where $j \in \{1, 3, 5\}$. It is true, but not obvious, that this equation cannot have 32 solutions in L. (This is proved as part of the calculation of the Fourier spectrum of Kasami-Welch functions; we give a more general proof in the next section.) This implies that the forms $B_{c,e}$ have rank n − 1 or n − 3. It is somewhat surprising that rank n − 5 does not appear, and that the same result holds for the subspace of forms $\operatorname{tr}(c(x^2y + xy^2) + e(x^8y + xy^8))$ as holds for the subspace of forms $\operatorname{tr}(c(x^2y + xy^2) + d(x^4y + xy^4))$.

2.2 Future Work

Firstly, the known bounds on $L_S(n, k, \mathbb{F}_2)$ when n is odd due to Delsarte and Goethals have not been generalised to infinite fields. For example, the value of $L_S(n, n-1, F)$ is not known if F is an infinite field. The conjectured value is n, as in the finite field case. This is one area for future work.
Secondly, one can try to generalize the connections outlined in section 2.1.
Gow and Quinlan [5] have generalised some results on bilinear forms over finite
fields to arbitrary field extensions with a cyclic Galois group. In particular we
quote the following theorem, which we will use.

Theorem 1. Let L/K be a cyclic extension of degree n, with Galois group gen-
erated by σ. Let k be an integer with 1 ≤ k ≤ n, and let w be a polynomial of
degree k in L[t]. Let
R = {x ∈ L : w(σ)x = 0}.
Then we have dimK (R) ≤ k.

We now present a result promised in the previous section.

Theorem 2. Let L/K be a cyclic extension of degree n, n odd, with Galois group generated by σ. Consider the set of bilinear forms $\operatorname{tr}(c(x^\sigma y + xy^\sigma) + e(x^{\sigma^3}y + xy^{\sigma^3}))$ where $c, e \in L$. Then the ranks of these forms are n − 1 or n − 3.

Proof: Let $B_{c,e} = \operatorname{tr}(c(x^\sigma y + xy^\sigma) + e(x^{\sigma^3}y + xy^{\sigma^3}))$. By definition,

$$\operatorname{rad}(B_{c,e}) = \{x \in L : \operatorname{tr}(c(x^\sigma y + xy^\sigma) + e(x^{\sigma^3}y + xy^{\sigma^3})) = 0\ \forall y \in L\}$$
$$= \{x \in L : \operatorname{tr}((cx^\sigma + c^{\sigma^{-1}}x^{\sigma^{-1}} + ex^{\sigma^3} + e^{\sigma^{-3}}x^{\sigma^{-3}})y) = 0\ \forall y \in L\}.$$
Since the trace form is nondegenerate, x is in $\operatorname{rad}(B_{c,e})$ if and only if

$$cx^\sigma + c^{\sigma^{-1}}x^{\sigma^{-1}} + ex^{\sigma^3} + e^{\sigma^{-3}}x^{\sigma^{-3}} = 0.$$

Applying $\sigma^3$ to this equation gives

$$c^{\sigma^3}x^{\sigma^4} + c^{\sigma^2}x^{\sigma^2} + e^{\sigma^3}x^{\sigma^6} + ex = 0.$$

This can be written $w(\sigma)x = 0$ where w(t) is the polynomial $e^{\sigma^3}t^6 + c^{\sigma^3}t^4 + c^{\sigma^2}t^2 + e$ in L[t]. Putting $u = t^2$, $w(t) = w'(u)$ where $w'(u) = e^{\sigma^3}u^3 + c^{\sigma^3}u^2 + c^{\sigma^2}u + e$.
Letting $\tau = \sigma^2$, we may conclude

$$\operatorname{rad}(B_{c,e}) = \{x \in L : w'(\tau)x = 0\}.$$

Since n is odd, τ also generates the Galois group of L/K. By Theorem 1, $\operatorname{rad}(B_{c,e})$ has K-dimension at most 3. As the rank is even and n is odd, that dimension is odd, hence 1 or 3; it follows that the rank of $B_{c,e}$ is n − 1 or n − 3.

We remark that Theorem 1 applied directly to the forms in Theorem 2 would imply that ranks are n − 1, n − 3 and n − 5. We also remark that the proof of Theorem 2 applies to the Kasami-Welch forms $\operatorname{tr}(c(x^{2^k}y + xy^{2^k}) + e(x^{2^{3k}}y + xy^{2^{3k}}))$ in the case $L = \mathbb{F}_{2^n}$, (k, n) = 1. In particular, this theorem proves that equation (3) cannot have 32 solutions, as we remarked in the previous section.

3 Even n

Suppose n is even. The situation is quite different with regard to subspaces of matrices.
It is well known that the Walsh spectrum of $x^3$ is $\{0, \pm 2^{n/2}, \pm 2^{(n+2)/2}\}$ in this case. It is no longer true that each function $\operatorname{tr}(bx^3)$ has the same Fourier spectrum. There are two types. If b is a cube, then we may do as in the n odd case and the spectrum of $\operatorname{tr}(bx^3)$ is the same as that of $\operatorname{tr}(x^3)$, which is $\{0, \pm 2^{(n+2)/2}\}$. However, if b is not a cube then the spectrum of $\operatorname{tr}(bx^3)$ is $\{\pm 2^{n/2}\}$. In other words, the subspace of bilinear forms $\operatorname{tr}(c(x^2y + xy^2))$ for $c \in L$ contains elements of rank n (when c is not a cube) and rank n − 2 (when c is a cube).
Since the cubes (and the non-cubes) are not closed under addition, we do not get subspaces in the same way as when n is odd.

4 Going Up and Down

This section concerns a different topic. Because bent functions exist in even
dimensions, and near-bent functions exist in odd dimensions, the possibility
exists of moving up and down between bent and near-bent functions. In this
section we will discuss each of the four possibilities.
4.1 Going Up From a Bent Function


Given a bent function on $V_n$, $n$ even, we wish to consider adding one variable to create a near-bent function in $n+1$ variables. This is straightforward to prove. Let $f(x)$ be a bent function on $V_n$, where $n$ is even. Let $y$ be a new Boolean variable, and consider the function $g(x,y) = f(x) + y$ on the $(n+1)$-dimensional vector space $V_n \oplus V_1$. It is easy to see that $g$ is near-bent, as follows.
Any linear functional $\lambda$ on $V_n \oplus V_1$ can be written as $\lambda(x,y) = \lambda'(x) + \delta y$ where $\lambda'$ is a linear functional on $V_n$ and $\delta$ is 0 or 1. Then

$$\hat g(\lambda) = \sum_{(x,y)} (-1)^{g(x,y) + \lambda(x,y)} \tag{4}$$
$$= \sum_{(x,y)} (-1)^{f(x) + y + \lambda'(x) + \delta y} \tag{5}$$
$$= \begin{cases} 2\sum_{x} (-1)^{f(x) + \lambda'(x)} & \text{if } \delta = 1 \\ \sum_{(x,y)} (-1)^{f(x) + y + \lambda'(x)} & \text{if } \delta = 0 \end{cases} \tag{6}$$
$$= \begin{cases} 2\hat f(\lambda') & \text{if } \delta = 1 \\ 0 & \text{if } \delta = 0. \end{cases} \tag{7}$$

If $f$ is bent, then clearly the spectrum of $g$ is $\{0, \pm 2^{(n+2)/2}\}$, so $g$ is near-bent. We remark that $g$ is what is called partially bent – the sum of a bent function and a linear function.
One might ask whether all near-bent functions arise in this way. The answer is no: note that the function $g$ is a bent function (namely $f$) when restricted to the hyperplane $y = 0$. There are near-bent functions that are not bent when restricted to any hyperplane – we have checked this by computer for some Kasami-Welch near-bent functions, for example. Such near-bent functions cannot arise from this construction.

4.2 Going Down from a Bent Function


Given a bent function on $V_n$, $n$ even, we wish to consider restriction to a hyperplane to create a near-bent function in $n-1$ variables. This has been proved to be always true in Canteaut et al. [1], see Theorem V.3 there. In that paper, the authors state that they do not know another way to prove that Dillon's $PS_{ap}$ bent functions restrict to near-bent functions. We shall give such a proof now.
The construction of the $PS_{ap}$ bent functions starts with a balanced function $g : K \longrightarrow \mathbb{F}_2$ where $K = \mathbb{F}_{2^t}$. Dillon's result states that the function $f(x,y) = g(xy^{2^n-2})$ is bent on $K \times K$ (actually the result is more general, concerning partial spread bent functions). Note that $g(xy^{2^n-2}) = g(x/y)$ if $y \neq 0$.
In $K \times K$ let $H_a$ denote the line $\{(x, ax) : x \in K\}$ and let $H_\infty = \{(0,y) : y \in K\}$. These $2^t + 1$ lines intersect pairwise in $(0,0)$ and partition $K \times K$. The linear span of any two of these lines is $K \times K$.
Spectra of Boolean Functions, Subspaces of Matrices 35

Let $H$ be a hyperplane in $K \times K$. We must show that the Fourier transform of $f|_H$ takes values $0, \pm 2^t$.
Let $H'_a := H_a \cap H$, for $a \in \mathbb{P}^1(K)$. Let $\lambda$ be a linear functional on $H$. We shall break the sum over $H$ up into sums over each $H'_a$, taking care to remove $(0,0)$ first.
$$\begin{aligned}
\widehat{f|_H}(\lambda) &= \sum_{(x,y) \in H} (-1)^{f(x,y) + \lambda(x,y)} \\
&= 1 + \sum_{(0,0) \neq (x,y) \in H} (-1)^{f(x,y) + \lambda(x,y)} \\
&= 1 + \sum_{(x,y) \in H'_\infty \setminus \{(0,0)\}} (-1)^{\lambda(x,y)} + \sum_{a \neq \infty} \sum_{(x,y) \in H'_a \setminus \{(0,0)\}} (-1)^{g(x/y) + \lambda(x,y)} \\
&= \sum_{(x,y) \in H'_\infty} (-1)^{\lambda(x,y)} + \sum_{a \neq \infty} (-1)^{g(H_a)} \sum_{(x,y) \in H'_a \setminus \{(0,0)\}} (-1)^{\lambda(x,y)} \\
&= \sum_{(x,y) \in H'_\infty} (-1)^{\lambda(x,y)} + \sum_{a \neq \infty} (-1)^{g(H_a)} \Big( \sum_{(x,y) \in H'_a} (-1)^{\lambda(x,y)} - 1 \Big) \\
&= \sum_{(x,y) \in H'_\infty} (-1)^{\lambda(x,y)} - \sum_{a \neq \infty} (-1)^{g(H_a)} + \sum_{a \neq \infty} (-1)^{g(H_a)} \sum_{(x,y) \in H'_a} (-1)^{\lambda(x,y)} \\
&= \sum_{(x,y) \in H'_\infty} (-1)^{\lambda(x,y)} + \sum_{a \neq \infty} (-1)^{g(H_a)} \sum_{(x,y) \in H'_a} (-1)^{\lambda(x,y)} \\
&= \sum_{a \in \mathbb{P}^1(K)} (-1)^{g(H_a)} \sum_{(x,y) \in H'_a} (-1)^{\lambda(x,y)}
\end{aligned}$$

where we used the fact that $g$ is balanced, so $\sum_{a \neq \infty} (-1)^{g(H_a)} = 0$. We write $g(H_a)$ to denote the value of $g$ at any element of $H_a$.
We must now distinguish some cases in order to finish the proof. If $\lambda = 0$ then it is easy to check that $\widehat{f|_H}(\lambda) = 2^t$. For the remainder, assume $\lambda \neq 0$. First we assume that $H$ does not contain any $H_a$. Then each $H'_a$ is a hyperplane in $H_a$. The inner summation is 0 unless $\lambda$ vanishes on $H'_a$, and there are precisely two such $a$ for any $\lambda$, as $\lambda \neq 0$. So $\widehat{f|_H}(\lambda) = \pm 2^{t-1} \pm 2^{t-1}$, which is 0 or $\pm 2^t$. Secondly, assume that $H$ does contain one of the $H_a$, say $H'$. ($H$ cannot contain two $H_a$ since two $H_a$'s generate the whole space $K \times K$.) Then the inner sum will be 0 unless $\lambda$ is the unique linear functional whose kernel is $H'$. Thus the value of $\widehat{f|_H}(\lambda)$ in this case is $(-1)^{g(H')} 2^t$.
We thank John Dillon for discussions about these functions.
We thank John Dillon for discussions about these functions.

4.3 Going Up from a Near-Bent Function


Given a near-bent function f (x) on Vn , n odd, we wish to consider adding one
variable to create a bent function in n + 1 variables. The same argument as in
section 4.1 does not work, because adding one variable results in a function of $n+1$ variables with Fourier spectrum $\{0, \pm 2^{(n+3)/2}\}$, which is therefore not bent. However, it is sometimes possible to go up by other methods. Suppose there exists another near-bent function $h(x)$ on $V_n$ such that the support of $\hat h$ does not intersect the support of $\hat f$. (The supports both have cardinality $2^{n-1}$ and so they partition $V_n$.) In this case, let $y$ be another Boolean variable, and define $g(x,y) = yf(x) + (y+1)h(x)$ on the $(n+1)$-dimensional vector space $V_n \oplus V_1$. Then
$$\begin{aligned}
\hat g(\lambda) &= \sum_{(x,y) \in V_n \oplus V_1} (-1)^{g(x,y) + \lambda(x,y)} \\
&= \sum_{(x,0) \in V_n \oplus V_1} (-1)^{h(x) + \lambda(x,0)} + \sum_{(x,1) \in V_n \oplus V_1} (-1)^{f(x) + \lambda(x,1)} \\
&= \hat h(\lambda) + \hat f(\lambda).
\end{aligned}$$

Since $\hat h$ and $\hat f$ have disjoint support, and both have Fourier spectrum $\{0, \pm 2^{(n+1)/2}\}$, the values of $\hat g(\lambda)$ are $\pm 2^{(n+1)/2}$, so $g$ is bent.
An example of this is $f(x) = x^3$ and $h(x) = x^5 + x$, where $V_n = L$. The support of a Gold function such as $x^3$ (or $x^5$) is known to be the complement of the hyperplane $H$ of trace 0 elements. It is easy to show that the support of $h$ is $H$. Therefore, by the argument above, $yf(x) + (y+1)h(x) = yx^3 + (y+1)(x^5 + x)$ is a bent function (of algebraic degree 3). We do not know if this is a new bent function. Perhaps new bent functions can be constructed in this way.

4.4 Going Down from a Near-Bent Function


Given a near-bent function on $V_n$, $n$ odd, we wish to consider restriction to a hyperplane to create a bent function in $n-1$ variables. This is sometimes possible, but not always possible. In [1] some conditions are given for the restriction to a hyperplane of a near-bent function to be bent. In [8] the restriction of Gold functions is considered. It is proved that the restriction of $f(x) = x^{2^k+1}$ (where $(k,n) = 1$) to a hyperplane $h^\perp$ is bent if and only if $\operatorname{tr}(h) = 1$. Here $V_n$ is $L$, the finite field of order $2^n$. We give a different proof here: we need the fact that the support of $f$ is the complement of the hyperplane $H$ of trace 0 elements. Fix $h \notin H$. For $a \in L$, define $g$ by
$$\hat g(a) = \frac{1}{2}\big(\hat f(a) + \hat f(a+h)\big).$$
This is well-defined on the quotient space $L/h$. Since exactly one of $a$, $a+h$ is in $H$, one of $\hat f(a)$, $\hat f(a+h)$ is 0 and the other is $\pm 2^{(n+1)/2}$. Therefore $\hat g(a) = \pm 2^{(n-1)/2}$, so $g$ is bent.
Note that the proof did not require $H$ to be a hyperplane; the argument only required that exactly one of $a$, $a+h$ is in $H$. For the Kasami-Welch function $k(x) = x^{4^k - 2^k + 1}$ with $3k \equiv \pm 1 \pmod n$, the support of $\hat k$ is the set of $a \in L$ with $\operatorname{tr}(a^{2^k+1}) = 1$. Since exactly one of $a$, $a+1$ is in the support, the same
argument works to show that $k(x)$ is bent when restricted to the hyperplane $1^\perp$ (i.e., the trace 0 elements).
In [3] the Kasami-Welch functions $x^{4^k - 2^k + 1}$ are considered in greater detail.
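The following check is added here and is not part of the article: it fixes $L = \mathbb{F}_{2^5}$ built on $x^5 + x^2 + 1$ (my choice of modulus), reads $f(x) = x^3$ and $h(x) = x^5 + x$ as the Boolean functions $\operatorname{tr}(x^3)$ and $\operatorname{tr}(x^5+x)$, and verifies by exhaustive Walsh-spectrum computation the support claims and the going-up construction of Section 4.3 as well as the Section 4.4 statement that $\operatorname{tr}(x^3)$ restricted to $h^\perp$ is bent exactly when $\operatorname{tr}(h) = 1$.

```python
# Added check for Sections 4.3 and 4.4 over L = GF(2^5), n = 5.
# Assumption (mine, not the article's): L is GF(2)[x] modulo x^5 + x^2 + 1.
N = 5
MOD = 0b100101            # x^5 + x^2 + 1, irreducible over GF(2)
FIELD = range(1 << N)     # the 32 elements of L as 5-bit integers


def gf_mul(a, b):
    """Multiply two elements of L (shift-and-add, reducing modulo MOD)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MOD
    return r


def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def tr(a):
    """Absolute trace L -> GF(2): a + a^2 + a^4 + a^8 + a^16 (lands in {0, 1})."""
    t, s = 0, a
    for _ in range(N):
        t ^= s
        s = gf_mul(s, s)
    return t


def walsh(f, a, domain=FIELD):
    """Fourier coefficient sum_{x in domain} (-1)^(f(x) + tr(a x))."""
    return sum(-1 if f(x) ^ tr(gf_mul(a, x)) else 1 for x in domain)


def spectrum(f, domain=FIELD):
    return {walsh(f, a, domain) for a in FIELD}


def support(f):
    """The a in L with non-zero Fourier coefficient."""
    return {a for a in FIELD if walsh(f, a) != 0}


def gold(x):               # the article's f(x) = x^3, as a Boolean function
    return tr(gf_pow(x, 3))


def h_fun(x):              # the article's h(x) = x^5 + x
    return tr(gf_pow(x, 5) ^ x)


H = {a for a in FIELD if tr(a) == 0}      # hyperplane of trace-0 elements


def going_up_spectrum(f, h):
    """Spectrum of g(x, y) = y f(x) + (y + 1) h(x) on L (+) V_1.

    A linear functional there is tr(a x) + delta*y: the y = 0 half of the sum
    gives h-hat(a), the y = 1 half gives (-1)^delta f-hat(a).
    """
    return {walsh(h, a) + (-1) ** d * walsh(f, a)
            for a in FIELD for d in (0, 1)}


def restricted_spectrum(f, h):
    """Spectrum of f restricted to h-perp = {x : tr(h x) = 0}.

    Every linear functional on h-perp is x -> tr(a x) for some a in L, so
    letting a range over L (a and a + h coincide on h-perp) covers them all.
    """
    hyper = [x for x in FIELD if tr(gf_mul(h, x)) == 0]
    return {walsh(f, a, hyper) for a in FIELD}


def check_section_4_3():
    """Disjoint supports (complement of H, and H) and a bent g with values +-8."""
    v = 1 << ((N + 1) // 2)           # 2^((n+1)/2) = 8
    return (support(gold) == set(FIELD) - H
            and support(h_fun) == H
            and spectrum(gold) == {0, v, -v}
            and going_up_spectrum(gold, h_fun) == {v, -v})


def check_section_4_4():
    """tr(x^3) restricted to h-perp is bent (values +-4) exactly when tr(h) = 1."""
    v = 1 << ((N - 1) // 2)           # 2^((n-1)/2) = 4
    return all((restricted_spectrum(gold, h) == {v, -v}) == (tr(h) == 1)
               for h in FIELD if h != 0)
```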

Acknowledgements. We thank John Dillon, Carl Bracken, Philippe Langevin, Gregor Leander and Rod Gow for discussions which have helped this article.

References
1. Canteaut, A., Carlet, C., Charpin, P., Fontaine, C.: On Cryptographic Properties
of the Cosets of R(1, m). IEEE Trans. Inform. Theory 47(4), 1494–1513 (2001)
2. Calderbank, A.R., Diggavi, S.N., Al-Dhahir, N.: Space-Time Signaling Based on
Kerdock and Delsarte-Goethals Codes. In: IEEE ICC 2004, vol. 1, pp. 483–487
(2004)
3. Dillon, J.F., McGuire, G.: Kasami-Welch Functions on a Hyperplane (submitted)
4. Delsarte, P., Goethals, J.M.: Alternating Bilinear Forms over GF(q). J. Comb. Th.
Ser. A 19, 26–50 (1975)
5. Gow, R., Quinlan, R.: On the Vanishing of Subspaces of Alternating Bilinear Forms.
Linear and Multilinear Algebra 54, 415–428 (2006)
6. Gow, R., Quinlan, R.: Galois Extensions and Subspaces of Alternating Bilinear
Forms with Special Rank Properties (submitted)
7. Lu, H.F.F., Kumar, P.V.: Rate-Diversity Tradeoff of Space-Time Codes with Fixed
Alphabet and Optimal Constructions for PSK Modulation. IEEE Trans. Inform.
Theory 49(10), 2747–2751 (2003)
8. Lahtonen, J., McGuire, G., Ward, H.N.: Gold and Kasami-Welch Functions,
Quadratic Forms, and Bent Functions. In: Advances in Mathematics of Commu-
nications (2007)
9. Petrovic, Z.: Nonsingular Bilinear Maps, Spaces of Matrices, Immersions and
Embeddings. In: Contemporary Geometry and Related Topics, Belgrade (2006),
http://www.emis.de/proceedings/CGRT2005/
Efficient List Decoding of Explicit Codes with
Optimal Redundancy

Atri Rudra

Department of Computer Science and Engineering


University of Buffalo, State University of New York
Buffalo, 14260, USA
[email protected]

Abstract. Under the notion of list decoding, the decoder is allowed to output a small list of codewords such that the transmitted codeword is present in the list. Even though combinatorial limitations on list decoding had been known since the 1970's, there was essentially no algorithmic progress till the breakthrough works of Sudan [14] and Guruswami-Sudan [11] in the mid to late 1990's. There was again a lull in algorithmic progress till a couple of recent papers [12,8] closed the gap in our knowledge about combinatorial and algorithmic limitations of list decoding (for codes over large alphabets). This article surveys this latter algorithmic progress.

1 Introduction

Under the list decoding problem (introduced in [1,16]), given a code $C \subseteq \Sigma^n$, an error parameter $0 \leq \rho \leq 1$ and a received word $y \in \Sigma^n$, the decoder should output all codewords in $C$ that are within Hamming distance $\rho n$ of $y$. Suppressing the motivation for considering such an error recovery model for the time being, let us consider the following natural trade-off: given that one wants to correct a $\rho$ fraction of errors via list decoding, what is the maximum rate $R$ that a code can have?
Before we address this question, let us formally define the notion of list decoding we will consider in this survey. For a real $0 \leq \rho \leq 1$ and an integer $L \geq 1$, we will call a code $C \subseteq \Sigma^n$ $(\rho, L)$-list decodable if for every received word $y \in \Sigma^n$, $|\{c \in C \mid \Delta(c,y) \leq \rho n\}| \leq L$, where $\Delta(c,y)$ denotes the Hamming distance between the vectors $c$ and $y$. Note that the problem is interesting only when $L$ is small: in this survey $L$ is considered to be small if it is polynomially bounded in $n$.
Using a standard random coding argument it can be shown that there exist $(\rho, O(1/\varepsilon))$-list decodable codes over alphabets of size $q$ with rate $R \geq 1 - H_q(\rho) - o(1)$, where $H_q(x) = -x \log_q \frac{x}{q-1} - (1-x)\log_q(1-x)$ is the $q$-ary entropy function (cf. [17,2]). Further, a simple counting argument shows that $R$ must be at most $1 - H_q(\rho)$ (for $R > 1 - H_q(\rho)$ the list size $L$ needs to be super-polynomial in $n$). In other words, the maximum fraction of errors that can be

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 38–46, 2007.
© Springer-Verlag Berlin Heidelberg 2007
corrected (via list decoding) using a rate $R$ code (or the list decoding capacity) is given by the trade-off $H_q^{-1}(1-R)$. For $q = 2^{\Omega(1/\varepsilon)}$, $H_q^{-1}(1-R) \geq 1 - R - \varepsilon$ (cf. [13]). In other words, for large enough alphabets, the list decoding capacity is $\rho_{\mathrm{cap}}(R) = 1 - R$.
Now is a good time to compare the list decoding capacity with what can be achieved with the "usual" notion of decoding for the worst-case noise model (called unique decoding), where the decoder has to always output the transmitted word. Note that list decoding is a relaxation where the decoder is allowed to output a list of codewords (with the guarantee that the transmitted codeword is in the list). It is well known that unique decoding can only correct up to half the minimum distance of the code, which along with the Singleton bound implies the following limit on the fraction of errors that can be corrected: $\rho_U(R) = (1-R)/2$. In other words, list decoding has the potential to correct twice as many errors as unique decoding.
However, in order to harness the real potential of list decoding, we need explicit codes along with efficient list decoding algorithms that can achieve the list decoding capacity. For this survey, a list decoding algorithm with a polynomial running time is considered to be efficient. (Note that this puts an a priori requirement that the worst case list size needs to be bounded by a polynomial in the block length of the code.) Even though the notion of list decoding was defined in the late 1950's, there was essentially no algorithmic progress in list decoding till the breakthrough works of Sudan [14] and Guruswami-Sudan [11], which can list decode Reed-Solomon codes up to the trade-off $\rho_{GS}(R) = 1 - \sqrt{R}$. One can check that $\rho_{GS}(R) > \rho_U(R)$ for every rate $R$ (with the gains being more pronounced for smaller rates). This fact led to a spurt of research activity in list decoding including some surprising applications outside the traditional coding domain: see for example [15], [4, Chap. 12]. However, this result failed to achieve the list decoding capacity for any rate (with the gap being especially pronounced for larger rates).
The bound of $\rho_{GS}$ resisted improvements for about seven years till, in a recent breakthrough paper [12], Parvaresh and Vardy presented codes that are list-decodable beyond the $1 - \sqrt{R}$ radius for low rates $R$. For any $m \geq 1$, they achieve the list-decoding radius $\rho_{PV}^{(m)}(R) = 1 - \sqrt[m+1]{m^m R^m}$. For rates $R \to 0$, choosing $m$ large enough, they can list decode up to radius $1 - O(R\log(1/R))$, which approaches the capacity $1 - R$. However, for $R \geq 1/16$, the best choice of $m$ is in fact $m = 1$, which reverts back to RS codes and the list-decoding radius $1 - \sqrt{R}$. Building on works of Parvaresh and Vardy [12], Guruswami and Rudra [8] present codes that get arbitrarily close to the list decoding capacity $\rho_{\mathrm{cap}}(R)$ for every rate. In particular, for every $1 > R > 0$ and every $\varepsilon > 0$, they give explicit codes of rate $R$ together with a polynomial time list decoding algorithm that can correct up to a fraction $1 - R - \varepsilon$ of errors. These are the first explicit codes (with efficient list decoding algorithms) that get arbitrarily close to the list decoding capacity for any rate. This article surveys the results of [12,8] and some of their implications for list decoding of explicit codes over small alphabets.
2 Folded Reed-Solomon Codes and the Main Results


The codes used in [8] are simple to state. They are obtained from the Reed-Solomon code by carefully bundling together codeword symbols (and hence are called folded Reed-Solomon codes). We remark that the folded RS codes are a special case of the codes studied by [12]. However, for ease of presentation, we will present all the results in terms of folded Reed-Solomon codes: this will be sufficient to highlight the algorithmic techniques used in [12]. See the survey [5] in these proceedings for a more detailed description of the Parvaresh-Vardy codes.
Consider a Reed-Solomon (RS) code $C = RS_{\mathbb{F}, \mathbb{F}^*}[n,k]$ consisting of evaluations of degree $k$ polynomials over some finite field $\mathbb{F}$ at the set $\mathbb{F}^*$ of nonzero elements of $\mathbb{F}$. Let $q = |\mathbb{F}| = n+1$. Let $\gamma$ be a generator of the multiplicative group $\mathbb{F}^*$, and let the evaluation points be ordered as $1, \gamma, \gamma^2, \ldots, \gamma^{n-1}$. Using all nonzero field elements as evaluation points is one of the most commonly used instantiations of Reed-Solomon codes.
Let $m \geq 1$ be an integer parameter called the folding parameter. For ease of presentation, it will be assumed that $m$ divides $n = q-1$.
Definition 1 (Folded Reed-Solomon Code). The $m$-folded version of the RS code $C$, denoted $FRS_{\mathbb{F},\gamma,m,k}$, is a code of block length $N = n/m$ over $\mathbb{F}^m$. The encoding of a message $f(X)$, a polynomial over $\mathbb{F}$ of degree at most $k$, has as its $j$'th symbol, for $0 \leq j < n/m$, the $m$-tuple $(f(\gamma^{jm}), f(\gamma^{jm+1}), \ldots, f(\gamma^{jm+m-1}))$.
In other words, the codewords of $C' = FRS_{\mathbb{F},\gamma,m,k}$ are in one-one correspondence with those of the RS code $C$ and are obtained by bundling together consecutive $m$-tuples of symbols in codewords of $C$.
The following is the main result of Guruswami and Rudra.
Theorem 1 ([8]). For every $\varepsilon > 0$ and $0 < R < 1$, there is a family of folded Reed-Solomon codes that have rate at least $R$ and which can be list decoded up to a fraction $1 - R - \varepsilon$ of errors in time (and outputs a list of size at most) $(N/\varepsilon^2)^{O(\varepsilon^{-1}\log(1/R))}$ where $N$ is the block length of the code. The alphabet size of the code as a function of the block length $N$ is $(N/\varepsilon^2)^{O(1/\varepsilon^2)}$.
The result of [8] also works in a more general setting called list recovery, which is defined next.
Definition 2 (List Recovery). A code $C \subseteq \Sigma^n$ is said to be $(\zeta, l, L)$-list recoverable if for every sequence of sets $S_1, \ldots, S_n$ where each $S_i \subseteq \Sigma$ has at most $l$ elements, the number of codewords $c \in C$ for which $c_i \in S_i$ for at least $\zeta n$ positions $i \in \{1, 2, \ldots, n\}$ is at most $L$.
A code $C \subseteq \Sigma^n$ is said to be $(\zeta, l)$-list recoverable in polynomial time if it is $(\zeta, l, L(n))$-list recoverable for some polynomially bounded function $L(\cdot)$, and moreover there is a polynomial time algorithm to find the at most $L(n)$ codewords that are solutions to any $(\zeta, l, L(n))$-list recovery instance.
Note that when $l = 1$, $(\zeta, 1, \cdot)$-list recovery is the same as list decoding up to a $(1-\zeta)$ fraction of errors. Guruswami and Rudra have the following result for list recovery.
Theorem 2 ([8]). For every integer $l \geq 1$, for all $R$, $0 < R < 1$ and $\varepsilon > 0$, and for every prime $p$, there is an explicit family of folded Reed-Solomon codes over fields of characteristic $p$ that have rate at least $R$ and which can be $(R + \varepsilon, l)$-list recovered in polynomial time. The alphabet size of a code of block length $N$ in the family is $(N/\varepsilon^2)^{O(\varepsilon^{-2} \log l/(1-R))}$.
Theorem 2 will be put to good use in Section 4.

3 Informal Description of the Algorithms

In this section, we will give an overview of the list decoding algorithms that are needed to prove Theorem 1. Along the way we will encounter the main algorithmic techniques used in [14,11,12]. We start by stating more precisely the problem that needs to be solved for Theorem 1. We need list-decoding algorithms for the folded Reed-Solomon code $FRS_{\mathbb{F}_q,\gamma,m,k}$ of rate $R$. More precisely, for every $1 \leq s \leq m$ and $\delta > 0$, given a received word $y = \big((y_0, \ldots, y_{m-1}), \ldots, (y_{n-m}, \ldots, y_{n-1})\big)$ (where recall $n = q-1$), we want to output all codewords in $FRS_{\mathbb{F}_q,\gamma,m,k}$ that disagree with $y$ in at most
$$1 - (1+\delta)\left(\frac{mR}{m-s+1}\right)^{s/(s+1)}$$
fraction of positions in polynomial time. In other words, we need to output all degree $k$ polynomials $f(X)$ such that for at least
$$(1+\delta)\left(\frac{mR}{m-s+1}\right)^{s/(s+1)}$$
fraction of $0 \leq i \leq n/m - 1$, $f(\gamma^{im+j}) = y_{im+j}$ (for every $0 \leq j \leq m-1$). By picking the parameters $m$, $s$ and $\delta$ carefully, we will get folded Reed-Solomon codes of rate $R$ that can be list decoded up to a $1 - R - \varepsilon$ fraction of errors (for any $\varepsilon > 0$). We will now present the main ideas needed to design the required list-decoding algorithm.
For ease of presentation we will start with the case when $s = m$. As a warm up, let us consider the case when $s = m = 1$. Note that for $m = 1$, we are interested in list decoding Reed-Solomon codes. More precisely, given the received word $y = (y_0, \ldots, y_{n-1})$, we are interested in all degree $k$ polynomials $f(X)$ such that for at least a $(1+\delta)\sqrt{R}$ fraction of positions $0 \leq i \leq n-1$, $f(\gamma^i) = y_i$. We now sketch the main ideas of the algorithms in [14,11]. The algorithms have two main steps: the first is an interpolation step and the second one is a root finding step. In the interpolation step, the list-decoding algorithm finds a bivariate polynomial $Q(X,Y)$ that fits the input. That is,

for every position $i$, $Q(\gamma^i, y_i) = 0$.

Such a polynomial $Q(\cdot,\cdot)$ can be found in polynomial time if we search for one with large enough total degree (this amounts to solving a system of linear equations). After the interpolation step, the root finding step finds all factors of $Q(X,Y)$ of the form $Y - f(X)$. The crux of the analysis is to show that

for every degree $k$ polynomial $f(X)$ that satisfies $f(\gamma^i) = y_i$ for at least a $(1+\delta)\sqrt{R}$ fraction of positions $i$, $Y - f(X)$ is indeed a factor of $Q(X,Y)$.
However, the above is not true for every bivariate polynomial $Q(X,Y)$ that satisfies $Q(\gamma^i, y_i) = 0$ for all positions $i$. The main ideas in [14,11] were to introduce more constraints on $Q(X,Y)$. In particular, the work of Sudan [14] added the constraint that a certain weighted degree of $Q(X,Y)$ is below a fixed upper bound. Specifically, $Q(X,Y)$ was restricted to have a non-trivially bounded $(1,k)$-weighted degree. The $(1,k)$-weighted degree of a monomial $X^iY^j$ is $i + jk$ and the $(1,k)$-weighted degree of a bivariate polynomial $Q(X,Y)$ is the maximum $(1,k)$-weighted degree among its monomials. The intuition behind defining such a weighted degree is that given $Q(X,Y)$ with $(1,k)$-weighted degree $D$, the univariate polynomial $Q(X, f(X))$, where $f(X)$ is some degree $k$ polynomial, has total degree at most $D$. The upper bound $D$ is chosen carefully such that if $f(X)$ is a codeword that needs to be output, then $Q(X, f(X))$ has more than $D$ zeroes and thus $Q(X, f(X)) \equiv 0$, which in turn implies that $Y - f(X)$ divides $Q(X,Y)$. To get to the bound of $1 - (1+\delta)\sqrt{R}$, Guruswami and Sudan in [11] added a further constraint on $Q(X,Y)$ that requires it to have $r$ roots at $(\gamma^i, y_i)$, where $r$ is some parameter (in [14] $r = 1$ while in [11] $r$ is roughly $1/\delta$).
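As an added illustration (my own example code, not from the article or from [8]), the following fixes $\mathbb{F} = \mathrm{GF}(13)$, generator $\gamma = 2$ and degree $k = 2$ (all my choices), encodes the folded Reed-Solomon code of Definition 1, and runs the $m = s = 1$ decoder just described with multiplicity $r = 1$: interpolate a $Q(X,Y)$ of $(1,k)$-weighted degree $D$ through the points $(\gamma^i, y_i)$, then collect every $f$ with $Y - f(X) \mid Q$. The root-finding step is done by brute force over all $13^3$ candidate polynomials instead of bivariate factorisation, and the constructed received word sits at agreement 7 from two different codewords, beyond the unique-decoding radius.

```python
# Added example: folded Reed-Solomon encoding (Definition 1) and Sudan's
# list decoder for the m = s = 1 case.  Choices not taken from the article:
# F = GF(13) (so n = 12), gamma = 2, k = 2, r = 1, brute-force root finding.
from itertools import count, product

P = 13                    # field size q; the code has n = q - 1 positions
GAMMA = 2                 # generates F*: 2 has multiplicative order 12 mod 13
N = P - 1
K = 2                     # messages: polynomials of degree <= K over F

def evaluation_points():
    """1, gamma, gamma^2, ..., gamma^(n-1), in the article's order."""
    return [pow(GAMMA, i, P) for i in range(N)]

def eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients low-to-high) at x, modulo P."""
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

def rs_encode(f):
    return [eval_poly(f, x) for x in evaluation_points()]

def folded_rs_encode(f, m):
    """Symbol j of the m-folded codeword is (f(g^(jm)), ..., f(g^(jm+m-1)))."""
    assert N % m == 0, "the article assumes m divides n"
    c = rs_encode(f)
    return [tuple(c[j * m:(j + 1) * m]) for j in range(N // m)]

def weighted_monomials(k, d):
    """Exponent pairs (i, j) of X^i Y^j with (1, k)-weighted degree i + jk <= d."""
    return [(i, j) for j in range(d // k + 1) for i in range(d - j * k + 1)]

def nullspace_vector(rows, ncols):
    """A non-zero v with M v = 0 (mod P); needs more columns than rank."""
    m = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        if r == len(m):
            break
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], P - 2, P)          # inverse modulo the prime P
        m[r] = [(v * inv) % P for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % P for a, b in zip(m[i], m[r])]
        pivots.append((r, c))
        r += 1
    free = next(c for c in range(ncols) if c not in {pc for _, pc in pivots})
    v = [0] * ncols
    v[free] = 1                                # one free variable set to 1 ...
    for row, c in pivots:
        v[c] = (-m[row][free]) % P             # ... fixes every pivot variable
    return v

def sudan_list_decode(y, k):
    """Return (all degree-<=k f with Y - f(X) dividing Q, the weighted degree D)."""
    pts = evaluation_points()
    # Interpolation: the smallest D with more monomials than positions leaves a
    # non-zero Q(X, Y) of (1, k)-weighted degree <= D with Q(g^i, y_i) = 0 for all i.
    D = next(d for d in count() if len(weighted_monomials(k, d)) > N)
    mons = weighted_monomials(k, D)
    rows = [[pow(x, i, P) * pow(yi, j, P) % P for i, j in mons]
            for x, yi in zip(pts, y)]
    Q = dict(zip(mons, nullspace_vector(rows, len(mons))))

    def q_at(x, yv):
        return sum(c * pow(x, i, P) * pow(yv, j, P) for (i, j), c in Q.items()) % P

    # Root finding: Y - f(X) divides Q iff Q(X, f(X)) is the zero polynomial.
    # Q(X, f(X)) has degree <= D < P, so vanishing on all of F settles that.
    roots = [f for f in product(range(P), repeat=k + 1)
             if all(q_at(x, eval_poly(f, x)) == 0 for x in range(P))]
    return roots, D

def agreement(f, y):
    return sum(eval_poly(f, x) == yi for x, yi in zip(evaluation_points(), y))

def high_agreement_polys(y, k, t):
    """Every degree-<=k polynomial agreeing with y in at least t positions."""
    return {f for f in product(range(P), repeat=k + 1) if agreement(f, y) >= t}

def example_received_word():
    """Constructed word agreeing with f1 = X^2 and f2 = 2X^2 - 3X + 2 in 7 of 12
    positions each (they coincide at X = 1, 2); unique decoding needs >= 8 here."""
    f1, f2 = (0, 0, 1), (2, 10, 2)
    c1, c2 = rs_encode(f1), rs_encode(f2)
    return c1[:7] + c2[7:], f1, f2
```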
We now consider the next non-trivial case of $m = s = 2$ (the ideas for this case can be easily generalized for the general $m = s$ case). Note that now, given the received word $(y_0, y_1), (y_2, y_3), \ldots, (y_{n-2}, y_{n-1})$, we want to find all degree $k$ polynomials $f(X)$ such that for at least a $(1+\delta)\sqrt[3]{(2R)^2}$ fraction of positions $0 \leq i \leq n/2 - 1$, $f(\gamma^{2i}) = y_{2i}$ and $f(\gamma^{2i+1}) = y_{2i+1}$. As in the previous case, we will have an interpolation and a root finding step. The interpolation step is a straightforward generalization of the $m = 1$ case: we find a trivariate polynomial $Q(X,Y,Z)$ that fits the received word, that is, for every $0 \leq i \leq n/2 - 1$, $Q(\gamma^{2i}, y_{2i}, y_{2i+1}) = 0$. Further, $Q(X,Y,Z)$ has an upper bound on its $(1,k,k)$-weighted degree (which is a straightforward generalization of the $(1,k)$-weighted degree for the bivariate case) and has a multiplicity of $r$ at every point. For the root finding step, it suffices to show that for every degree $k$ polynomial $f(X)$ that needs to be output, $Q(X, f(X), f(\gamma X)) \equiv 0$. This, however, does not follow from the weighted degree and multiple root properties of $Q(X,Y,Z)$. Here we will need two new ideas, the first of which is to show that for some irreducible polynomial $E(X)$ of degree $q-1$, $f(X)^q \equiv f(\gamma X) \bmod (E(X))$ [8]. The second idea, due to Parvaresh and Vardy [12], is the following. We first obtain the bivariate polynomial (over an appropriate extension field) $T(Y,Z) \equiv Q(X,Y,Z) \bmod (E(X))$. Note that by the first idea, we are looking for solutions on the curve $Z = Y^q$ ($Y$ corresponds to $f(X)$ and $Z$ corresponds to $f(\gamma X)$ in the extension field). The crux of the argument is to show that all the polynomials $f(X)$ that need to be output correspond to (in the extension field) some root of the equation $T(Y, Y^q) = 0$.
As was mentioned earlier, the extension of the $m = s = 2$ case to the general $m = s > 2$ case is fairly straightforward. To go from $s = m$ to any $s \leq m$ requires another simple idea from [8]: we will reduce the problem of list decoding the folded Reed-Solomon code with folding parameter $m$ to the problem of list decoding the folded Reed-Solomon code with folding parameter $s$. We then use the algorithm outlined in the previous paragraph for the folded Reed-Solomon code with folding
parameter $s$. A careful tracking of the agreement parameter in the reduction brings down the final agreement fraction (that is required for the original folded Reed-Solomon code with folding parameter $m$) from $(1+\delta)\sqrt[m+1]{m^m R^m}$ (which can be obtained without the reduction and is the bound achieved by [12]) to
$$(1+\delta)\sqrt[s+1]{\left(\frac{mR}{m-s+1}\right)^{s}}.$$

4 Codes over Small Alphabets


To get within $\varepsilon$ of capacity, the codes in Theorem 1 have alphabet size $N^{\Omega(1/\varepsilon^2)}$ where $N$ is the block length. This leads to the following natural questions:
1. Can we achieve the list decoding capacity for smaller alphabets, say for $2^{\Omega(1/\varepsilon)}$ (for which the list decoding capacity, as we saw in the introduction, is $1 - R$)?
2. Can we achieve list decoding capacity for codes over fixed alphabet sizes, for example, binary codes?
The best known answers to both of the questions above use the notion of code concatenation and Theorem 2. We now digress for a bit to talk about concatenated codes (and along the way motivate why list recovery is an important algorithmic task).
Concatenated codes were defined in the seminal thesis of Forney [3]. Concatenated codes are constructed from two different codes that are defined over alphabets of different sizes. Say we are interested in a code over $[q] \stackrel{\text{def}}{=} \{0, 1, \ldots, q-1\}$ (in this section, we will think of $q \geq 2$ as being a fixed constant). Then the outer code $C_{\mathrm{out}}$ is defined over $[Q]$, where $Q = q^k$ for some positive integer $k$. The second code, called the inner code, is defined over $[q]$ and is of dimension $k$ (note that the message space of $C_{\mathrm{in}}$ and the alphabet of $C_{\mathrm{out}}$ have the same size). The concatenated code, denoted by $C = C_{\mathrm{out}} \circ C_{\mathrm{in}}$, is defined as follows. Let the rate of $C_{\mathrm{out}}$ be $R$ and let the block lengths of $C_{\mathrm{out}}$ and $C_{\mathrm{in}}$ be $N$ and $n$ respectively. Define $K = RN$ and $r = k/n$. The input to $C$ is a vector $\mathbf{m} = \langle m_1, \ldots, m_K \rangle \in ([q]^k)^K$. Let $C_{\mathrm{out}}(\mathbf{m}) = \langle x_1, \ldots, x_N \rangle$. The codeword in $C$ corresponding to $\mathbf{m}$ is defined as follows:
$$C(\mathbf{m}) = \langle C_{\mathrm{in}}(x_1), C_{\mathrm{in}}(x_2), \ldots, C_{\mathrm{in}}(x_N) \rangle.$$
It is easy to check that $C$ has rate $rR$, dimension $kK$ and block length $nN$.
Notice that to construct a q-ary code C we use another q-ary code Cin . How-
ever, the nice thing about Cin is that it has small block length. In particular,
since R and r are constants (and typically Q and N are polynomially related),
n = O(log N ). This implies that we can use up exponential time (in n) to search
for a “good” inner code. Further, one can use the brute force algorithm to (list)
decode Cin .
[Figure 1: plot of the rate $R$ (vertical axis, 0 to 1) against the error-correction radius $\rho$ (horizontal axis, 0 to 0.5), with three curves labelled "List decoding capacity", "Zyablov bound" and "Blokh Zyablov bound".]

Fig. 1. Rate $R$ of binary codes from [8,9] plotted against the list-decoding radius $\rho$ of their respective algorithms. The best possible trade-off, i.e., list-decoding capacity, $\rho = H_2^{-1}(1-R)$, is also plotted.

Finally, we motivate why we are interested in list recovery. Consider the following natural decoding algorithm for the concatenated code $C_{\mathrm{out}} \circ C_{\mathrm{in}}$. Given a received word in $([q]^n)^N$, we divide it into $N$ blocks from $[q]^n$. Then we use a decoding algorithm for $C_{\mathrm{in}}$ to get an intermediate received word to feed into a decoding algorithm for $C_{\mathrm{out}}$. Now one can use unique decoding for $C_{\mathrm{in}}$ and list decoding for $C_{\mathrm{out}}$. However, this loses information in the first step. Instead, one can use the brute force list-decoding algorithm for $C_{\mathrm{in}}$ to get a sequence of lists (each of which is a subset of $[Q]$). Now we use a list-recovery algorithm for $C_{\mathrm{out}}$ to get the final list of codewords.
By concatenating folded RS codes of rate close to 1 (that are list recoverable by Theorem 2) with suitable inner codes, followed by redistribution of symbols using an expander graph (similar to a construction for linear-time unique decodable codes in [6]), one can get within $\varepsilon$ of capacity with codes over an alphabet of size $2^{O(\varepsilon^{-4}\log(1/\varepsilon))}$ [8].
For binary codes, recall that the list decoding capacity is known to be $\rho_{\mathrm{bin}}(R) = H_2^{-1}(1-R)$. No explicit constructions of binary codes that approach this capacity are known. However, by concatenating the folded RS codes with suitably chosen inner codes, one can obtain polynomial time constructible binary codes that can be list decoded up to the so called "Zyablov bound" [8]. Using a generalization of code concatenation to multilevel code concatenation, one can achieve codes that can be list decoded up to the so called "Blokh-Zyablov" bound [9]. See Figure 1 for a pictorial comparison of the different bounds.
5 Concluding Remarks
The results in [8] could be improved with respect to some parameters. The size of the list needed to perform list decoding to a radius that is within $\varepsilon$ of capacity grows as $N^{O(\varepsilon^{-1}\log(1/R))}$ where $N$ and $R$ are the block length and the rate of the code respectively. It remains an open question to bring this list size down to a constant independent of $N$ (recall that the existential random coding arguments work with a list size of $O(1/\varepsilon)$). The alphabet size needed to approach capacity was shown to be a constant independent of $N$. However, this involved a brute-force search for a rather large (inner) code, which translates to a construction time of about $N^{O(\varepsilon^{-2}\log(1/\varepsilon))}$ (instead of the ideal construction time where the exponent of $N$ does not depend on $\varepsilon$). Obtaining a "direct" algebraic construction over a constant-sized alphabet, such as the generalization of the Parvaresh-Vardy framework to algebraic-geometric codes in [7], might help in addressing these two issues.
Finally, constructing binary codes (or $q$-ary codes for some fixed, small value of $q$) that approach the respective list decoding capacity remains a challenging open problem. In recent work [10], it has been shown that there exist $q$-ary linear concatenated codes that achieve list decoding capacity (in the sense that every Hamming ball of radius $H_q^{-1}(1-R-\varepsilon)$ has polynomially many codewords, where $R$ is the rate). In particular, this result holds when the outer code is a folded RS code. This is somewhat encouraging news since concatenation has been the preeminent method to construct good list-decodable codes over small alphabets. But realizing the full potential of concatenated codes and achieving capacity (or even substantially improving upon the Blokh-Zyablov bound) with explicit codes and polynomial time decoding remains a huge challenge.

References
1. Elias, P.: List Decoding for Noisy Channels. Technical Report 335, Research Lab-
oratory of Electronics, MIT (1957)
2. Elias, P.: Error-Correcting Codes for List Decoding. IEEE Trans. Inform. The-
ory 37(5), 5–12 (1991)
3. Forney, G.D.: Concatenated Codes. MIT Press, Cambridge, MA (1966)
4. Guruswami, V.: List Decoding of Error-Correcting Codes. LNCS, vol. 3282.
Springer, Heidelberg (2004)
5. Guruswami, V.: List Decoding and Pseudorandom Constructions. In: Boztaş, S.,
Lu, H.F. (eds.) AAECC 2007. LNCS, vol. 4851, Springer, Heidelberg (2007)
6. Guruswami, V., Indyk, P.: Linear-Time Encodable/Decodable Codes with Near-
Optimal Rate. IEEE Trans. Inform. Theory 51(10), 3393–3400 (2005)
7. Guruswami, V., Patthak, A.: Correlated Algebraic-Geometric Codes: Improved
List Decoding over Bounded Alphabets. In: FOCS 2006, pp. 227–236 (2006)
8. Guruswami, V., Rudra, A.: Explicit Capacity-Achieving List-Decodable Codes. In:
38th Annual ACM Symposium on Theory of Computing, pp. 1–10 (2006)
9. Guruswami, V., Rudra, A.: Better Binary List-Decodable Codes Via Multilevel
Concatenation. In: 11th International Workshop on Randomization and Compu-
tation. pp. 554–568 (2007)
10. Guruswami, V., Rudra, A.: Concatenated Codes Can Achieve List Decoding Ca-
pacity. In: 19th Annual ACM-SIAM Symposium on Discrete Algorithms (to appear,
2008)
11. Guruswami, V., Sudan, M.: Improved Decoding of Reed-Solomon and Algebraic-
Geometric Codes. IEEE Trans. Inform. Theory 45, 1757–1767 (1999)
12. Parvaresh, F., Vardy, A.: Correcting Errors Beyond the Guruswami-Sudan Ra-
dius in Polynomial Time. In: 46th Annual IEEE Symposium on Foundations of
Computer Science. pp. 285–294 (2005)
13. Rudra, A.: List Decoding and Property Testing of Error Correcting Codes. PhD
thesis, University of Washington (2007)
14. Sudan, M.: Decoding of Reed-Solomon Codes Beyond the Error-Correction Bound.
J. Complexity 13(1), 180–193 (1997)
15. Sudan, M.: List Decoding: Algorithms and Applications. SIGACT News 31, 16–27
(2000)
16. Wozencraft, J.M.: List Decoding. Quarterly Progress Report, Research Laboratory
of Electronics. MIT 48, 90–95 (1958)
17. Zyablov, V.V., Pinsker, M.S.: List Cascade Decoding. Problems of Information
Transmission 17(4), 29–34 (1981)
Algebraic Structure Theory of Tail-Biting Trellises

Priti Shankar

Department of Computer Science and Automation


Indian Institute of Science
Bangalore, India 560012
[email protected]

It is well known that there is an intimate connection between algebraic descriptions of linear block codes in the form of generator or parity-check matrices, and combinatorial descriptions in the form of trellises. A conventional trellis for a linear code C is a directed labelled layered graph with unique start and final nodes, such that all paths from the start node to the final node spell out codewords. The trellis can be thought of as being laid out on a linear time axis. There is a rich theory of conventional trellises for linear block codes. Every linear block code has a unique minimal trellis, and several seemingly different constructions that have been proposed all yield this minimal trellis, which simultaneously minimizes all measures of trellis complexity. Tail-biting trellises are defined on circular time axes, and the underlying theory is a little more involved as there is no unique minimal trellis. Interestingly, the complexity of a tail-biting trellis can be much lower than that of the best possible conventional trellis. We extend the well-known BCJR construction for conventional trellises to linear tail-biting trellises, introducing the notion of a displacement matrix. This implicitly induces a coset decomposition of the code. The BCJR-like labeling scheme yields a very simple specification of the tail-biting trellis for the dual code, with the dual trellis having the same state-complexity profile as that of the primal code. We also show that the algebraic specification of Forney for state spaces of conventional trellises has a natural extension to tail-biting trellises. Finally we provide an automata-theoretic view of trellises and display some connections between well-known results in finite automata and trellis theory.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, p. 47, 2007.

© Springer-Verlag Berlin Heidelberg 2007
Nice Codes from Nice Curves

Henning Stichtenoth

Sabancı University - FENS


Orhanli - Tuzla 34956 Istanbul, Turkey
[email protected]

The well-known Tsfasman-Vladut-Zink (TVZ) theorem states that for all prime powers $q = \ell^2 \geq 49$ there exist sequences of linear codes over $\mathbb{F}_q$ with increasing length whose limit parameters $R$ and $\delta$ (rate and relative minimum distance) are better than the Gilbert-Varshamov bound. The basic ingredients in the proof
of the TVZ theorem are sequences of modular curves (or their corresponding
function fields) having many rational points in comparison to their genus (more
precisely, these curves attain the so-called Drinfeld-Vladut bound). Starting with
such a sequence of curves and using Goppa’s construction of algebraic geometry
(AG) codes, one easily obtains sequences of linear codes whose limit parameters
beat the Gilbert-Varshamov bound.
However, this construction yields just linear codes, and the question arises if
one can refine the construction to obtain good long codes with additional nice
properties (e.g., codes with many automorphisms, self-orthogonal codes or self-
dual codes). This can be done. We give a brief outline of some results in this
direction.
Our starting point is the sequence of function fields $(F_i)_{i \geq 0}$ over $\mathbb{F}_q$ which are defined as
$$F_i = \mathbb{F}_q(x_0, x_1, \ldots, x_i) \quad \text{with the relation} \quad x_{i+1}^{\ell} - x_{i+1} = \frac{x_i^{\ell}}{1 - x_i^{\ell-1}}$$
for all $i \geq 0$. It is known that the curves corresponding to these function fields have many rational points; in fact they attain the Drinfeld-Vladut bound. The idea is now to replace the fields $F_i$ by their Galois closure over some base field (it is well known in algebra that Galois extensions of fields often have much nicer properties than "ordinary" extensions).
We proceed as follows: we fix the element $u := (x_0^{\ell} - x_0)^{-1} \in F_0 = \mathbb{F}_q(x_0)$ and consider the fields

Ei := Galois closure of Fi over Fq (u), i = 0, 1, 2, ...

This sequence (Ei )i≥0 has particularly nice properties, e.g.


– all extensions Ei /Fq (u) are Galois,
– the corresponding curves attain the Drinfeld-Vladut bound,
– the Galois groups operate transitively on a large number of rational points,
– only 2 points of Fq (u) are ramified in Ei .

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 48–49, 2007.


Using these (and some other) properties of the function fields Ei , one can
then construct AG codes in the usual manner and obtains:

Theorem 1. The following classes of linear codes over $\mathbb{F}_q$ are better than the Gilbert-Varshamov bound for all $q = \ell^2$ with $\ell \geq 7$:
1. self-orthogonal codes,
2. self-dual codes,
3. transitive codes.

Here a transitive code means one, whose automorphism group acts transitively
on the coordinates. Note however that we cannot construct asymptotically good
cyclic codes in this way (cyclic codes are a subclass of transitive codes).
The above theorem works over quadratic fields $\mathbb{F}_q$ (i.e., $q = \ell^2$). If one starts with a similar sequence of function fields over a cubic field $\mathbb{F}_q$ (i.e., $q = \ell^3$) one can prove an analogous result.

Generalized Sudan's List Decoding for Order Domain Codes

Olav Geil1 and Ryutaroh Matsumoto2


1
Department of Mathematical Sciences, Aalborg University, Denmark
[email protected]
2
Department of Communications and Integrated Systems, Tokyo Institute of
Technology, Japan
[email protected]

Abstract. We generalize Sudan's list decoding algorithm without multiplicity to evaluation codes coming from arbitrary order domains. The number of correctable errors by the proposed method is larger than for the original list decoding without multiplicity.

1 Introduction
Høholdt et al. [6] proposed the new framework for algebraic code construction,
which they called evaluation codes. Evaluation codes are defined by either gen-
erator matrices or parity check matrices. Evaluation codes defined by parity
check matrices include many classes of algebraic codes, including generalized
Reed-Muller, Reed-Solomon, and one-point geometric Goppa codes CΩ (D, G),
and they provided lower bounds on the minimum Hamming distance and de-
coding algorithms in a unified manner, while relatively little work was done for
evaluation codes defined by generator matrices in [6]. The framework of evalua-
tion codes and order domains was later generalized by O’Sullivan [7], Geil and
Pellikaan [3].
Andersen and Geil [1] studied the evaluation codes defined by generator ma-
trices, which also include generalized Reed-Muller, Reed-Solomon, and one-point
geometric Goppa codes CL (D, G), and they also provided lower bounds on the
minimum Hamming distance in a unified manner. Their work [1] can be regarded
as a generator matrix counterpart of [6]. In this paper we study evaluation codes
defined by generator matrices.
On the other hand, Sudan [10] and Guruswami-Sudan [5] proposed the list
decoding algorithms for Reed-Solomon and one-point geometric Goppa codes,
and the latter method dramatically increased the number of correctable errors of
the conventional bounded distance decoding algorithm, such as the Berlekamp-
Massey algorithm. Following those work, Shokrollahi and Wasserman [9] gener-
alized the Sudan method [10] to one-point geometric Goppa codes, and Pellikaan

This research is in part supported by the Danish National Science Research Coun-
cil Grant FNV-21040368 and the MEXT 21st Century COE Program: Photonics
Nanodevice Integration Engineering.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 50–59, 2007.


and Wu [8] generalized the Guruswami-Sudan method [5] to generalized Reed-Muller codes as the first algorithm among three new list decoding algorithms in
[8]. Augot and Stepanov [2] improved the estimation of error-correcting capabil-
ity of the first algorithm in [8].
However, up to now, nobody has successfully generalized the list decoding
algorithms [10,5] to evaluation codes from arbitrary order domains. The diffi-
culty lies in the fact that existing methods [10,5,8] deal with codes coming from
polynomial rings or their factor rings and utilize their polynomial structure such
as the degree of a polynomial and the pole order of an algebraic function.
We will distill essential ingredients from Sudan’s original decoding method
[10], which allow us to carry over it to evaluation codes from arbitrary order
domains. After that, we examine the error-correcting capability of the proposed
generalization when we apply it to generalized Reed-Muller and one-point ge-
ometric Goppa codes, and show that the proposed method can correct more
errors than [9] and the first algorithm in [8]. We have to note that the proposed
method usually cannot correct more errors than the Guruswami-Sudan method
[5] with multiplicity.
The paper is organized as follows. In Section 2 we present the modified Sudan
decoding algorithm without multiplicity. Our description does not require that
the reader has any previous experience with order domains. Some knowledge
about generalized Reed-Muller and one-point geometric Goppa codes should do.
In Section 3 we study decoding of generalized Reed-Muller codes. We compare
our findings to the results by the first algorithm of Pellikaan and Wu in [8] and
by Augot and Stepanov in [2]. Then in Section 4 we apply our method to some
codes coming from norm-trace curves.

2 Decoding of Order Domain Codes


In this section we state the modified decoding algorithm for a large family of
codes defined from order domains. We provide translations into the case of gen-
eralized Reed-Muller codes and one-point geometric Goppa codes. Our presen-
tation relies on [1,3,7].
Definition 1. Let $R$ be an $\mathbb{F}_q$-algebra and let $\Gamma$ be a subsemigroup of $\mathbb{N}_0^r$ for some $r$. Let $\prec_{\mathbb{N}_0^r}$ be a monomial ordering on $\mathbb{N}_0^r$. A surjective map $\rho : R \to \Gamma_{-\infty} := \Gamma \cup \{-\infty\}$ that satisfies the following six conditions is said to be a weight function:

(W.0) $\rho(f) = -\infty$ if and only if $f = 0$;
(W.1) $\rho(af) = \rho(f)$ for all nonzero $a \in \mathbb{F}_q$;
(W.2) $\rho(f + g) \preceq_{\mathbb{N}_0^r} \max\{\rho(f), \rho(g)\}$, and equality holds when $\rho(f) \prec_{\mathbb{N}_0^r} \rho(g)$;
(W.3) if $\rho(f) \prec_{\mathbb{N}_0^r} \rho(g)$ and $h \neq 0$, then $\rho(fh) \prec_{\mathbb{N}_0^r} \rho(gh)$;
(W.4) if $f$ and $g$ are nonzero and $\rho(f) = \rho(g)$, then there exists a nonzero $a \in \mathbb{F}_q$ such that $\rho(f - ag) \prec_{\mathbb{N}_0^r} \rho(g)$;
(W.5) if $f$ and $g$ are nonzero, then $\rho(fg) = \rho(f) + \rho(g)$.

An $\mathbb{F}_q$-algebra with a weight function is called an order domain over $\mathbb{F}_q$. The triple $(R, \rho, \Gamma)$ is called an order structure and $\Gamma$ is called the value semigroup of $\rho$.
We have the following two standard examples of weight functions.
Example 1. Consider the polynomial ring $R = \mathbb{F}_q[X_1, \ldots, X_m]$ and let $\prec_{\mathbb{N}_0^m}$ be the graded lexicographic ordering on $\mathbb{N}_0^m$ given by $(i_1, \ldots, i_m) \prec_{\mathbb{N}_0^m} (j_1, \ldots, j_m)$ if either $i_1 + \cdots + i_m < j_1 + \cdots + j_m$ holds, or $i_1 + \cdots + i_m = j_1 + \cdots + j_m$ holds but the leftmost nonzero entry of $(j_1 - i_1, \ldots, j_m - i_m)$ is positive. The map $\rho : R \to \mathbb{N}_0^m \cup \{-\infty\}$ given by $\rho(F) := \max_{\prec_{\mathbb{N}_0^m}} \{(i_1, \ldots, i_m) \mid X_1^{i_1} \cdots X_m^{i_m} \in \mathrm{Supp}(F)\}$ if $F \neq 0$ and $\rho(0) := -\infty$ is a weight function.

Example 2. Let $Q$ be a rational place of a function field in one variable over $\mathbb{F}_q$. Then $R = \bigcup_{m=0}^{\infty} \mathcal{L}(mQ)$ is an order domain with the weight function $\rho(f) = -\nu_Q(f)$. In this case the value semigroup $\Gamma$ is simply the Weierstrass semigroup of $Q$ and the monomial ordering is the unique monomial ordering on $\mathbb{N}_0$.
For the code construction we will need a few results.
Theorem 1. Let $(R, \rho, \Gamma)$ be an order structure. Then any set $B = \{f_\gamma \mid \rho(f_\gamma) = \gamma\}_{\gamma \in \Gamma}$ constitutes a basis for $R$ as a vector space over $\mathbb{F}_q$. In particular, $\{f_\lambda \in B \mid \lambda \preceq \gamma\}$ constitutes a basis for $R_\gamma := \{f \in R \mid \rho(f) \preceq \gamma\}$.
A basis as in Theorem 1 is known in the literature as a well-behaving basis.
In the remaining part of this section we will always assume that some fixed
well-behaving basis has been chosen for the order domain under consideration.
Definition 2. Let $R$ be an $\mathbb{F}_q$-algebra. A surjective map $\varphi : R \to \mathbb{F}_q^n$ is called a morphism of $\mathbb{F}_q$-algebras if $\varphi$ is $\mathbb{F}_q$-linear and $\varphi(fg) = \varphi(f) * \varphi(g)$ for all $f, g \in R$, where $*$ denotes the componentwise multiplication of two vectors.
The class of codes E(λ) below includes as we shall recall generalized Reed-Muller
codes as well as one-point geometric Goppa codes.
Definition 3. Consider an order domain $R$ over $\mathbb{F}_q$ and a corresponding morphism $\varphi : R \to \mathbb{F}_q^n$. For $\lambda \in \Gamma$ we define $E(\lambda) := \varphi(R_\lambda)$.

Example 3. This is a continuation of Example 1. Write $\mathbb{F}_q^m = \{P_1, \ldots, P_{q^m}\}$ and let $\varphi : \mathbb{F}_q[X_1, \ldots, X_m] \to \mathbb{F}_q^{q^m}$ be given by $\varphi(F) = (F(P_1), \ldots, F(P_{q^m}))$. If we choose $\lambda = (u, 0, \ldots, 0)$ then $E(\lambda)$ is simply the generalized Reed-Muller code $RM_q(u, m)$, no matter how the well-behaving basis for the order domain $R = \mathbb{F}_q[X_1, \ldots, X_m]$ has been chosen. For simplicity we always choose in this paper the well-behaving basis $B$ to be the set of monomials in $X_1, \ldots, X_m$.

Example 4. This is a continuation of Example 2. Let $\{P_1, \ldots, P_n\}$ be rational places different from $Q$ and consider the morphism $\varphi : R \to \mathbb{F}_q^n$ given by $\varphi(f) = (f(P_1), \ldots, f(P_n))$. The code $E(\lambda)$ is the one-point geometric Goppa code $C_L(D, \lambda Q)$ where $D = P_1 + \cdots + P_n$.

We next consider some terminology from [1].


Definition 4. Let $\alpha(1) := 0$ and define for $i = 2, 3, \ldots, n$ recursively $\alpha(i)$ to be the smallest element in $\Gamma$ that is greater than $\alpha(1), \alpha(2), \ldots, \alpha(i-1)$ and satisfies $\varphi(R_\gamma) \subsetneq \varphi(R_{\alpha(i)})$ for all $\gamma < \alpha(i)$. Write $\Delta(R, \rho, \varphi) = \{\alpha(1), \alpha(2), \ldots, \alpha(n)\}$.

Definition 5. For $\eta \in \Delta(R, \rho, \varphi) = \{\alpha(1), \alpha(2), \ldots, \alpha(n)\}$ define
$$M(\eta) := (\eta + \Gamma) \cap \Delta(R, \rho, \varphi),$$
where $\eta + \Gamma$ means $\{\eta + \lambda \mid \lambda \in \Gamma\}$. Let $\sigma(\eta) := \#M(\eta)$.

The first part of the following theorem plays a fundamental role in our modification of the Sudan decoding algorithm without multiplicity.

Theorem 2. If $c \in E(\lambda)$ but $c \notin E(\eta)$ for any $\eta$ with $\eta \prec_{\mathbb{N}_0^r} \lambda$, then $w_H(c) \geq \sigma(\lambda)$ holds. In particular we have $d(E(\lambda)) \geq \min\{\sigma(\eta) \mid \eta \in \Delta(R, \rho, \varphi),\ \eta \preceq \lambda\}$.
Example 5. The above bound gives the true minimum distances of generalized
Reed-Muller codes and of Hermitian codes. For the case of one-point geomet-
ric Goppa codes the bound is an improvement to the usual bound by Goppa
which states that the minimum distance of a one-point geometric Goppa code
CL (D, λQ) is at least n − λ. More precisely, we have σ(λ) ≥ n − λ for any
λ ∈ Δ(R, ρ, ϕ). For high dimensions the inequality is in general sharp.
Theorem 2 suggests the following improved code construction.
Definition 6. Given any fixed basis $B = \{f_\gamma \mid \rho(f_\gamma) = \gamma\}_{\gamma \in \Gamma}$ as in Theorem 1, we define $\tilde{E}(\delta) := \mathrm{Span}_{\mathbb{F}_q}\{\varphi(f_{\alpha(i)}) \mid \alpha(i) \in \Delta(R, \rho, \varphi) \text{ and } \sigma(\alpha(i)) \geq \delta\}$.

We have

Theorem 3. $d(\tilde{E}(\delta)) \geq \delta$.
The codes Ẽ(δ) are sometimes very much better than the corresponding codes
E(λ). This is for instance the case for the improved generalized Reed-Muller
codes known as hyperbolic codes (or Massey-Costello-Justesen codes). Regard-
ing one-point geometric Goppa codes the picture very much relies on which
particular curve we consider, but the improvement may also in this case be sig-
nificant. The idea of controlling the minimum distance of a code by choosing the
functions fλ to be used in the code construction in a clever way will be one of the
main ingredients of our modified Sudan decoding algorithm without multiplicity.
We now describe the modified Sudan decoding algorithm without multiplicity
for the codes E(λ) and Ẽ(δ). To ease notation we state the algorithm for a larger
class of codes, namely for any code $C$ of the form
$$C = \mathrm{Span}_{\mathbb{F}_q}\{\varphi(f_{\lambda_1}), \ldots, \varphi(f_{\lambda_k})\} \quad \text{where } \{\lambda_1, \ldots, \lambda_k\} \subseteq \Delta(R, \rho, \varphi). \quad (1)$$
The first part of the decoding algorithm is to find a proper interpolation poly-
nomial Q(Z) with coefficients from the order domain R. To set up the decoding
procedure for a given fixed code C we first need to describe sets from which
we will allow the coefficients to be chosen. To this end consider the following
definition.
Definition 7. Given a code $C$ as above, let $E$ be some fixed value (representing the number of errors we would like to correct). For $s \in \mathbb{N}_0$ define
$$L(E, s) := \Big\{\lambda \in \Delta(R, \rho, \varphi) \;\Big|\; \text{for all } i_1, \ldots, i_s \in \{1, \ldots, k\} \text{ we have}$$
$$f_\lambda \prod_{v=1}^{s} f_{\lambda_{i_v}} \in \mathrm{Span}\{f_{\alpha(1)}, \ldots, f_{\alpha(n)}\} \quad \text{and} \quad (2)$$
$$\sigma(\lambda_i) > E \ \text{ for all } f_{\lambda_i} \in \mathrm{Supp}_B\Big(f_\lambda \prod_{v=1}^{s} f_{\lambda_{i_v}}\Big)\Big\}, \quad (3)$$
where $\mathrm{Supp}_B(f)$ of $f \in R$ is the set of $g \in B$ that appear in the unique linear combination of $f$ by elements of $B$.

Note that there is no requirement that $i_1, \ldots, i_s$ are pairwise different. Note also that the set $L(E, s)$ relies on the actual choice of well-behaving basis $\{f_\lambda\}_{\lambda \in \Gamma}$. Further we observe that for large values of $s$ we have $L(E, s) = \emptyset$. What we will need for the modified version of Sudan type decoding without multiplicity to work is a number $E$ such that $\sum_{s \geq 0} \#L(E, s) > n$. As indicated above the value $E$ will be the number of errors we can correct and therefore we would of course like to find a large value of $E$ such that the above condition is met. On the other hand the smallest value $t$ such that
$$\sum_{s=0}^{t} \#L(E, s) > n \quad (4)$$

holds will to some extent reflect the complexity of the decoding algorithm. So
in some situations it might be desirable to choose a smaller value of E than
the largest possible one to decrease the complexity of the algorithm. Choosing
parameters E and t and calculating the corresponding sets L(E, 0), . . . , L(E, t)
is something that is done when setting up the decoding system. Hence, the
complexity of doing this is not of very high importance. However, as we will
demonstrate in the case of generalized Reed-Muller codes, there are often tricks
to ease the above procedure. We are now able to describe the modified Sudan
decoding algorithm without multiplicity.

Algorithm 1
Input: A code $C$ as in (1), parameters $E, t$ such that (4) is met and the corresponding sets $L(E, 0), \ldots, L(E, t)$. A received word $r$.
Output: A list of at most $t$ codewords that contains all codewords within distance at most $E$ from $r$.
Step 1. Find $Q_0, \ldots, Q_t \in R$, not all zero, such that $Q_s \in \mathrm{Span}_{\mathbb{F}_q}\{f_\lambda \mid \lambda \in L(E, s)\}$ for $s = 0, \ldots, t$ and such that $\sum_{s=0}^{t} \varphi(Q_s) * r^s = 0$ holds. (Here $r^s$ means the componentwise product of $r$ with itself $s$ times, and $r^0 = 1$ is the all-ones vector.)
Step 2. Factorize $Q(Z) := \sum_{s=0}^{t} Q_s Z^s \in R[Z]$ and detect all $f \in R$ such that $Z - f$ appears as a factor, which can be done by the method of Wu [11].
Step 3. Return $\{\varphi(f) \mid f \text{ is a solution from Step 2}\}$.

Theorem 4. Algorithm 1 gives the claimed output.

Proof: Condition (4) ensures that the system of linear equations in Step 1 has more indeterminates than equations. Therefore $Q_0, \ldots, Q_t$ as described in Step 1 indeed exist.
Consider any codeword $c$, that is, let $c = \varphi(f)$ where $f$ is of the form $f = \sum_{v=1}^{k} \beta_v f_{\lambda_v}$. From the conditions (2) and (3) we get that
$$\sum_{i=0}^{t} Q_i f^i \in \mathrm{Span}\{f_{\alpha(1)}, \ldots, f_{\alpha(n)}\} \quad (5)$$
holds and that
$$\text{all } f_{\alpha(v)} \in \mathrm{Supp}_B\Big(\sum_{i=0}^{t} Q_i f^i\Big) \text{ satisfy } \sigma(\alpha(v)) > E. \quad (6)$$
Assume now that $c = \varphi(f)$ is a codeword within Hamming distance at most $E$ from $r$. But then $\sum_{s=0}^{t} \varphi(Q_s) * \varphi(f)^s$ differs from $\sum_{s=0}^{t} \varphi(Q_s) * r^s = 0$ in at most $E$ positions, implying
$$w_H\Big(\varphi\Big(\sum_{s=0}^{t} Q_s f^s\Big)\Big) \leq E. \quad (7)$$
Combining (5), (6) and (7) with the first part of Theorem 2 leads to the conclusion that $\varphi(\sum_{s=0}^{t} Q_s f^s) = 0$ must hold, and Eq. (2) then implies $\sum_{s=0}^{t} Q_s f^s = 0$. That is, $f$ is a zero of $Q(Z)$. But order domains are integral domains and therefore $\mathrm{Quot}(R)$ is a field. It follows that $Z - f$ divides $Q(Z)$ in $\mathrm{Quot}(R)[Z]$. As the leading coefficient of $Z - f$ is 1 we conclude that $Q(Z) = (Z - f)K(Z)$ for some $K(Z)$ with coefficients in $R$. Hence, indeed $Z - f$ appears in the factorization in Step 2 of the algorithm. Finally, as $Q(Z)$ has degree at most $t$, the list in Step 3 is of length at most $t$. □
Remark 1. We have used the Hamming weight to ensure $Q(Z) = 0$ in the above argument. The conventional methods [10,9] used the degree of a polynomial and the pole order of an algebraic function to ensure $Q(Z) = 0$. The use of the Hamming weight allows us to list-decode codes from any order domain.
The following example illustrates the nature of our modification.
Example 6. Consider a one-point geometric Goppa code $E(\eta)$ where $\eta < n$. Let $g$ be the genus of the function field, or equivalently let $g = \#(\mathbb{N}_0 \setminus \Gamma)$. The set
$$L'(E, s) = \{\lambda \in \Gamma \mid \lambda + s\eta < n - E\}$$
is easily calculated and we have $L'(E, s) \subseteq L(E, s)$. Replacing $L(E, s)$ with $L'(E, s)$ in Algorithm 1 gives the traditional algorithm [9] without multiplicity for the one-point geometric Goppa code $E(\eta)$. Hence, for one-point geometric Goppa codes the modified algorithm can correct at least as many errors as the original one, and in cases where the sets $L(E, s)$ are larger than the sets $L'(E, s)$ we will be able to correct more errors by the modified algorithm.

3 Generalized Reed-Muller Codes

In this section we consider the implementation of Algorithm 1 for generalized Reed-Muller codes of low dimensions. Recall from Example 1 that we have a weight function $\rho : \mathbb{F}_q[X_1, \ldots, X_m] \to \mathbb{N}_0^m$ given by $\rho(F) = (i_1, \ldots, i_m)$ if $X_1^{i_1} \cdots X_m^{i_m}$ is the leading monomial of $F$ with respect to the monomial ordering from Example 1. Recall from Example 3 that we always choose the well-behaving basis $B$ of $\mathbb{F}_q[X_1, \ldots, X_m]$ to be simply the set of monomials in $X_1, \ldots, X_m$. From Definitions 4 and 5, for the weight function under consideration the $\sigma$ function is easily calculated as follows:
$$\sigma((i_1, \ldots, i_m)) = \prod_{v=1}^{m} (q - i_v).$$

We get the following lemma, which significantly eases the job of finding $L(E, s)$.

Lemma 1. Let $u < q$ and consider the generalized Reed-Muller code $RM_q(u, m)$. The description of $L(E, s)$ simplifies to
$$L(E, s) = \{(l_1, \ldots, l_m) \in \mathbb{N}_0^m \mid l_1 + su < q, \ \ldots, \ l_m + su < q, \quad (8)$$
$$(q - l_1 - su)(q - l_2) \cdots (q - l_m) > E, \ \ldots, \ (q - l_1) \cdots (q - l_{m-1})(q - l_m - su) > E\}. \quad (9)$$

Proof: To see that (9) corresponds to (3) we observe that the $\sigma$ function from this section is a product of positive affine functions of the exponents and hence log-concave; its minimum over the exponent vectors reachable by multiplying $X^{l}$ with $s$ monomials of degree at most $u$ is therefore attained at an extreme point, where a single variable absorbs the whole degree $su$. The fact that (8) corresponds to (2) follows from similar arguments. □

To decide how many errors our algorithm can correct we should, according to (4), look for the largest possible $E$ such that a $t$ exists with $\sum_{s=0}^{t} \#L(E, s) > n = q^m$. Of course such an $E$ can always be found by exhaustive trial and error. For the case $m = 2$, that is, codes of the form $RM_q(u, 2)$, we now give an approximate trial and error method that requires only few calculations. It turns out that this approximate method is actually rather precise.
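What follows is an added worked example, not code from the paper: a short Python script (function names such as `L_lemma1` and `decoding_radius` are the example's own) that builds the sets $L(E, s)$ of Lemma 1 for $RM_q(u, m)$, cross-checks them against Definition 7 evaluated literally on a small instance, scans for the largest $E$ for which (4) holds together with the smallest usable $t$, and, for the improved codes $\tilde{E}(\delta)$ of Definition 6, counts how many monomials survive the $\sigma(\alpha(i)) \geq \delta$ filter. It is written for general $m$, not only the $m = 2$ case treated by the approximation that follows in the text.

```python
# Added example (not from the paper): Lemma 1 sets L(E, s) for RM_q(u, m),
# the largest E meeting condition (4), and the dimension of the improved code
# of Definition 6.  Function names are this example's own; q, m, u, E, s, t
# follow the paper's notation.
from itertools import combinations_with_replacement, product
from math import prod


def sigma(q, exps):
    """sigma((i_1, ..., i_m)) = prod_v (q - i_v): the size of (eta + Gamma) meet Delta
    for the monomial basis of F_q[X_1, ..., X_m] (Section 3)."""
    return prod(q - i for i in exps)


def rm_exponents(q, m, u):
    """Exponent vectors of the monomials spanning RM_q(u, m): total degree <= u < q."""
    return [e for e in product(range(q), repeat=m) if sum(e) <= u]


def L_lemma1(q, m, u, E, s):
    """L(E, s) from conditions (8) and (9) of Lemma 1."""
    members = set()
    for l in product(range(q), repeat=m):
        # (8): even X_j^u chosen s times keeps every exponent below q
        if any(lv + s * u >= q for lv in l):
            continue
        # (9): the minimum of sigma over all products is attained when a single
        # variable absorbs the whole degree s*u, so only m vertices need checking
        vertices = (tuple(lv + (s * u if v == j else 0) for v, lv in enumerate(l))
                    for j in range(m))
        if all(sigma(q, e) > E for e in vertices):
            members.add(l)
    return members


def L_definition(q, m, u, E, s):
    """L(E, s) taken literally from Definition 7: f_lambda times every multiset of
    s basis monomials of the code is inspected.  Exponential in s; cross-check only."""
    basis = rm_exponents(q, m, u)
    members = set()
    for l in product(range(q), repeat=m):
        ok = True
        for choice in combinations_with_replacement(basis, s):
            e = tuple(lv + sum(c[v] for c in choice) for v, lv in enumerate(l))
            # (2) fails if some exponent reaches q; (3) fails if sigma <= E
            if any(ev >= q for ev in e) or sigma(q, e) <= E:
                ok = False
                break
        if ok:
            members.add(l)
    return members


def decoding_radius(q, m, u):
    """Largest E with sum_{s=0}^{t} #L(E, s) > n = q^m for some t (condition (4)),
    returned together with the smallest such t.  L(E, s) only shrinks as E grows,
    so a linear scan from E = 0 may stop at the first E that fails."""
    n = q ** m
    best = None
    E = 0
    while True:
        total, s, t = 0, 0, None
        while s * u < q:               # by (8), L(E, s) is empty once s*u >= q
            total += len(L_lemma1(q, m, u, E, s))
            if total > n:
                t = s
                break
            s += 1
        if t is None:
            return best
        best = (E, t)
        E += 1


def hyperbolic_dimension(q, m, delta):
    """Dimension of the improved code E~(delta) of Definition 6 for R = F_q[X_1..X_m]:
    one basis vector per exponent vector l in {0..q-1}^m with sigma(l) >= delta."""
    return sum(1 for l in product(range(q), repeat=m) if sigma(q, l) >= delta)


if __name__ == "__main__":
    q, m = 16, 2                       # the parameters of the table in this section
    for u in (2, 3, 12):
        print(f"RM_{q}({u}, {m}): (E, t) =", decoding_radius(q, m, u))
    # RM_16(8, 2) has dimension 45 and minimum distance (q - u) q^(m-1) = 128;
    # the hyperbolic code with designed distance 128 is strictly larger.
    print(len(rm_exponents(q, m, 8)), hyperbolic_dimension(q, m, 128))
```

For $q = 16$, $m = 2$ the scan reproduces both ends of the $E_{ours}$ row of the table later in this section: $u = 2$ gives $E = 76$ (reached with $t = 5$) and $u = 12$ gives $E = 6$ (with $t = 1$). For $u = 8$ the hyperbolic code $\tilde{E}(128)$ has dimension 49 against 45 for $RM_{16}(8, 2)$ with the same designed distance $128 = (q-u)q^{m-1}$, which is the improvement Definition 6 is after. The literal Definition 7 evaluation is exponential in $s$ and is kept only to confirm the Lemma 1 shortcut on small parameters.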
For a fixed s the conditions to be satisfied are

l1 + su < q, l2 + su < q (10)


(q − l1 − su)(q − l2 ) > E, (q − l1 )(q − l2 − su) > E (11)

We make the (natural) assumption

0 ≤ l1 , l2 < q. (12)

Equations (11) and (12) imply (10) which we therefore can forget about. When
E < q, it is easy to lower-bound the number of solutions to (11) and (12). Under
the assumption E ≥ q we now want to count the number of possible solutions
to (11) and (12). The number of such solutions is bounded below by the area in the first quadrant of the set of points lying under both the curve
$$l_2 = q - \frac{E}{q - l_1 - su} \quad (13)$$
and the curve
$$l_2 = q - su - \frac{E}{q - l_1}. \quad (14)$$
By symmetry these two curves intersect in two points of the form $(\gamma, \gamma)$. We have to use the point closer to the origin, which we calculate to be
$$\gamma = \frac{2q - su - \sqrt{s^2u^2 + 4E}}{2}.$$
Therefore (again by symmetry) the area is
$$2\int_0^{\gamma} \Big(q - su - \frac{E}{q - l_1}\Big)\, dl_1 - \gamma^2 = 2\Big(\gamma(q - su) - E(\ln q - \ln(q - \gamma)) - \frac{1}{2}\gamma^2\Big).$$
A rougher but simpler estimate is found by approximating the above area with the area of the polygon with corners $(0, 0)$, $(0, q - E/q - su)$, $(\gamma, \gamma)$ and $(q - E/q - su, 0)$. Here the second point is found by substituting $l_1 = 0$ in (14) and the fourth point is found by substituting $l_2 = 0$ in (13). The estimate can serve as a lower bound because both functions in (13) and (14) are concave. The area of the polygon is found to be $\gamma(q - E/q - su)$. Whether we use the first estimate or the second estimate we would next like to know the largest value of $t$ such that $L(E, t) \neq \emptyset$. But this is easily calculated from the requirement $\gamma \geq 0$, implying $t = \lfloor (q - E/q)/u \rfloor$. Combining the above results with Theorem 4 we get:

Proposition 1. Consider the code $RM_q(u, 2)$ with $u < q$. For $E \geq q$, Algorithm 1 can correct at least $E$ errors if the following holds, where $\gamma = \gamma(s)$ is as above:
$$\sum_{s=0}^{\lfloor (q - E/q)/u \rfloor} 2\Big(\gamma(q - su) - E(\ln q - \ln(q - \gamma)) - \frac{1}{2}\gamma^2\Big) > q^2.$$

Corollary 1. Consider the code $RM_q(u, 2)$ with $u < q$. For $E \geq q$, Algorithm 1 can correct at least $E$ errors if the following holds:
$$\sum_{s=0}^{\lfloor (q - E/q)/u \rfloor} \gamma\Big(q - \frac{E}{q} - su\Big) > q^2.$$

Augot and Stepanov in [2] gave an improved estimate of the sum of multiplicities in terms of the total degree of a multivariate polynomial as follows.

Theorem 5. The sum of multiplicities over $\mathbb{F}_q^m$ of the zeros of an $m$-variate polynomial of total degree $d$ is upper bounded by $dq^{m-1}$. The number of zeros with multiplicity $r$ of such a polynomial is upper bounded by $dq^{m-1}/r$.

The above bound is better than the combination of Lemmas 2.4 and 2.5 in [8].
As noted by Augot and Stepanov Theorem 5 allows us to use more monomials
in the first list decoding algorithm in [8], and the resulting decoding algorithm
has the larger error-correcting capability.
The error-correcting capability of the Pellikaan-Wu algorithm modified with Theorem 5 is compared below with ours and with the original Pellikaan-Wu bound. The multiplicity used in Augot and Stepanov's estimate is 10. $E_{PW}$, $E_{PWA}$ and $E_{ours}$ denote the error-correcting capability of the original Pellikaan-Wu bound, of the Augot-Stepanov modification, and of our method, respectively. Finally, $E_{PWA1}$ and $E_{PWA2}$ denote the error-correcting capability of the Augot-Stepanov modified Pellikaan-Wu algorithm when the multiplicity is 1 and 2, respectively. Here $q = 16$, $m = 2$, $n = 256$; a negative entry means the corresponding bound guarantees no correctable errors for that $u$.

 u         2     3     4     5     6     7     8     9    10    11    12
 E_PW     63    46    34    26    19    14    10     7     5     3     2
 E_ours   76    55    44    34    27    21    15    13    11     9     6
 E_PWA   118    99    83    70    59    49    41    33    25    19    11
 E_PWA1   47    31    15    -1   -17   -33   -33   -49   -49   -65   -65
 E_PWA2   87    63    47    31    23     7    -1    -9   -17   -25   -25

Remark 2. The authors of the present paper have done a lot of computer experi-
ments regarding the error correcting capability of the proposed decoding method
for generalized Reed-Muller codes. In all of these experiments we were able to
correct as many errors as Remark 2.1 in [8] guarantees Pellikaan-Wu algorithm
(with multiplicity) to be able to.

4 One-Point Geometric Goppa Codes


As already mentioned, our proposed decoding algorithm applies among other things to one-point geometric Goppa codes. In this section we will be concerned with codes defined from the norm-trace curve introduced in [4]. These are defined by the polynomial
$$X^{(q^r - 1)/(q - 1)} - Y^{q^{r-1}} - Y^{q^{r-2}} - \cdots - Y \in \mathbb{F}_{q^r}[X, Y].$$
We consider codes
$$C_L(P_1 + \cdots + P_{q^{2r-1}},\ sP_\infty) \quad (15)$$
where $P_1, \ldots, P_{q^{2r-1}}, P_\infty$ are the rational places of the corresponding function field and $P_\infty$ is the unique place among these with $\nu_{P_\infty}(x) < 0$. We do not go into detail with how to implement the proposed algorithm but present only some examples.
Example 7. In this example we consider the norm-trace curve corresponding to $q = 2$ and $r = 6$. The codes are of length $n = 2^{11}$. In the table below $s$ is the value used in (15), $E_{our}$ is the error-correcting capability of the proposed method and $E_{GS1}$ is the error-correcting capability of Sudan's algorithm [10] without multiplicity. By 900-929 we indicate that the maximal performance is a number between 900 and 929. With multiplicity, the Guruswami-Sudan algorithm [5] outperforms the proposed method.

 s         64      96     192     288     480
 E_our   1008  900-929 660-669    527     346
 E_GS1    962     804     479     237      14

Example 8. In this example we consider the norm-trace curve corresponding to $q = 3$ and $r = 3$. The codes are of length $n = 3^5$. In the table below $s$ is the value used in (15), $E_{our}$ is the error-correcting capability of the proposed method and $E_{GS1}$ is the error-correcting capability of Sudan's algorithm [10] without multiplicity. With multiplicity, the Guruswami-Sudan algorithm [5] outperforms the proposed method.

 s        63    70    80    88
 E_our    55    51    43    38
 E_GS1    53    47    39    33

References
1. Andersen, H.E., Geil, O.: Evaluation Codes From Order Domain Theory. Finite
Fields and Their Appl. (2007) doi:10.1016/j.ffa.2006.12.004
2. Augot, D., Stepanov, M.: Decoding Reed-Muller Codes with the Guruswami-Sudan Algorithm. Slides of a talk given by D. Augot at Workshop D1, Special Semester on Gröbner Bases and Related Methods, RICAM, Linz (2006), http://www.ricam.oeaw.ac.at/specsem/srs/groeb/download/Augot.pdf
3. Geil, O., Pellikaan, R.: On the Structure of Order Domains. Finite Fields and Their
Appl. 8, 369–396 (2002)
4. Geil, O.: On Codes From Norm-Trace Curves. Finite Fields and Their Appl. 9,
351–371 (2003)
5. Guruswami, V., Sudan, M.: Improved Decoding of Reed-Solomon and Algebraic-
Geometry Codes. IEEE Trans. Inform. Theory 45(4), 1757–1767 (1999)
6. Høholdt, T., van Lint, J., Pellikaan, R.: Algebraic Geometry Codes. In: Pless,
V.S., Huffman, W.C. (eds.) Handbook of Coding Theory, pp. 871–961. Elsevier,
Amsterdam (1998)
7. O’Sullivan, M.E.: New Codes for the Berlekamp-Massey-Sakata Algorithm. Finite
Fields and Their Appl. 7, 293–317 (2001)
8. Pellikaan, R., Wu, X.-W.: List Decoding of q-ary Reed-Muller Codes. IEEE Trans.
Inform. Theory 50, 679–682 (2004)
9. Shokrollahi, M.A., Wasserman, H.: List Decoding of Algebraic-Geometric Codes.
IEEE Trans. Inform. Theory 45(2), 432–437 (1999)
10. Sudan, M.: Decoding of Reed Solomon Codes Beyond the Error Correction Bound.
J. Complexity 13, 180–193 (1997)
11. Wu, X.-W.: An Algorithm for Finding the Roots of the Polynomials Over Order
Domains. In: 2002 IEEE International Symposium on Information Theory, p. 202.
IEEE Press, New York (2002)
Bent Functions and Codes with Low Peak-to-Average Power Ratio for Multi-Code CDMA

Jianqin Zhou1, Wai Ho Mow2, and Xiaoping Dai1


1
Department of Computer Science,
Anhui University of Technology, Ma’anshan, 243002 China
[email protected]
2
Dept. of Electrical & Electronic Engineering,
Hong Kong Univ. of Science and Technology, Clear Water Bay, Hong Kong

Abstract. In this paper, codes which reduce the peak-to-average power ratio (PAPR) in multi-code code division multiple access (MC-CDMA) communication systems are studied. It is known that using bent functions to define binary codewords gives constant amplitude signals. Based on the concept of quarter bent functions, a new inequality relating the minimum order of terms of a bent function and the maximum Walsh spectral magnitude is proved, and it facilitates the generalization of some known results. In particular, a new simple proof of the non-existence of homogeneous bent functions of degree m in 2m Boolean variables for m > 3 is obtained without invoking results from difference set theory. We finally propose a new coding approach to achieve constant amplitude transmission with codeword length 2^m for both even m and odd m.

Keywords: CDMA, multi-code, Walsh-Hadamard transform, PAPR, bent function.

1 Introduction

Code-Division Multiple-Access (CDMA) in one form or another is likely to be at the heart of future cellular wireless communications systems, third generation and beyond, and the orthogonal multi-code system has drawn much attention in the last two decades.

The orthogonal multi-code system achieves code division multiplexing by assigning orthogonal codes to users, and a single user may use several orthogonal code sequences at once. This means that the peak signal power in an MC-CDMA system can be as large as $n$ times the average signal power, where $n$ is the number of code sequences. Typically $n = 2^m$ where $m$ lies between 2 and 6 [1]. Thus, an MC-CDMA signal can have a significantly higher peak-to-average power ratio (PAPR) than a basic rate signal.

Corresponding author: Jianqin Zhou. The research was supported by the Chinese Natural Science Foundation (No. 60473142) and the Hong Kong Research Grants Council (No. 617706).

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 60–71, 2007.
© Springer-Verlag Berlin Heidelberg 2007
Bent Functions and Codes with Low Peak-to-Average Power Ratio 61

Usually, a high power amplifier (HPA) with a non-linear characteristic is used to obtain high power efficiency. High power efficiency is particularly required on the reverse link (mobile to base station), where low cost components and low power consumption are vital. Thus, transmitting MC-CDMA signals without distortion requires either a more expensive power amplifier that is linear across a wider range of amplitudes, or a signal with low PAPR. In [1,8,9,10] it is shown that using bent functions to define binary codewords gives constant amplitude signals. Constant amplitude binary codes of length $n = 2^2$ and $2^4$ are classified in [8]; they can also be obtained by computer search. However, binary constant amplitude codes of length $n = 2^m$ exist only for $m$ even.
In this paper, we first review in Section 2 a simple communication model proposed in [1] for MC-CDMA which captures the key features of an MC-CDMA reverse link. The concept of quarter bent functions is presented in Section 3. Based on the new concept, a simpler method to find all 30 homogeneous bent functions of degree 3 in 6 Boolean variables is given.

It is proved in [7] that homogeneous bent functions of degree $m$ in $2m$ variables do not exist for $m > 3$. The proof uses a certain decomposition of the Menon difference set that corresponds to any bent function. In Section 4 it is proved that if the order of every term in a Boolean function $f(x)$ in $2m$ variables is more than $m - k$, and $|S_{(f)}(w)| \le 2^{-m+t}$, where $m$, $k$ and $t$ are positive integers, then
$$\binom{2(m-k)}{m-k} \le 2^{m+t},$$
from which it follows that there do not exist homogeneous bent functions of degree $m$ in $2m$ Boolean variables for $m > 3$. Thus the result obtained here generalizes the main result of [7]. The property obtained here implies that the orders of the terms of a spectrally bounded $f(x)$ over $V_n$ are spread out, and cannot be confined to a small range, when $\deg(f(x))$ is close to $n/2$. Thus it can be used to guide the construction of bent functions.

We finally present in Section 5 a new coding approach to achieve constant amplitude transmission with codeword length $2^m$ for both even and odd $m$.

2 Preliminaries

In this section we first review the communication model of the reverse link of an MC-CDMA system. Throughout Section 2 and Section 5, $n$ will be a power of 2. We write $n = 2^m$.

The Walsh-Hadamard matrix $WH_n$ can be defined recursively by $WH_1 = (1)$ and
$$WH_{2^j} = \begin{pmatrix} WH_{2^{j-1}} & WH_{2^{j-1}} \\ WH_{2^{j-1}} & -WH_{2^{j-1}} \end{pmatrix}.$$
This matrix is a $\{+1, -1\}$-matrix and is symmetric and orthogonal, so that $WH_n \cdot WH_n = n I_n$, where $I_n$ denotes the $n \times n$ identity matrix. Thus, the rows (or columns) of $WH_n$ are orthogonal vectors of length $n$, called Walsh-Hadamard sequences.

It is easy to show by induction that
$$WH_{2^m} = \left((-1)^{\sum_{k=0}^{m-1} j_k t_k}\right)_{jt},$$
where $j = \sum_{k=0}^{m-1} j_k 2^k$ and $t = \sum_{k=0}^{m-1} t_k 2^k$ are the radix-2 decompositions of $j$ and $t$, respectively. Let $\mathbf{j} = (j_0, j_1, \ldots, j_{m-1})$ and $\mathbf{t} = (t_0, t_1, \ldots, t_{m-1})$. Then
$$WH_{2^m} = \left((-1)^{\mathbf{j} \cdot \mathbf{t}^T}\right)_{jt},$$
where the superscript $T$ denotes transposition, and the subscripts $j$ and $t$ still denote integers.

We start by considering an MC-CDMA system without coding. We have $n$ parallel streams of bits, and the signal transmitted by a user on the reverse link corresponding to a vector $c = (c_0, c_1, \ldots, c_{n-1})$ of data bits (one bit $c_i \in \{0, 1\}$ from each stream) is the time-domain vector of real values $S(c) = (S(c)_0, S(c)_1, \ldots, S(c)_{n-1})$ where
$$S(c)_t = \sum_{j=0}^{n-1} (-1)^{c_j} (WH_n)_{jt} = \sum_{j=0}^{n-1} (-1)^{c_j} (-1)^{\mathbf{j} \cdot \mathbf{t}^T}. \qquad (1)$$
Writing $(-1)^c = ((-1)^{c_0}, (-1)^{c_1}, \ldots, (-1)^{c_{n-1}})$, we have $S(c) = (-1)^c \cdot WH_n$.

In a real MC-CDMA system, the power required to transmit a signal is proportional to the square of the signal value. Since we are interested only in the peak-to-average power ratio, we define the instantaneous power of the signal $S(c)$ at time $t$ to be $P(c)_t = S(c)_t^2$. From (1), the peak (i.e. largest) value of $P(c)_t$ can be as large as $n^2$. Moreover,
$$\sum_{t=0}^{n-1} P(c)_t = S(c)\, S(c)^T = (-1)^c \cdot WH_n\, WH_n \cdot ((-1)^c)^T = n\, (-1)^c \cdot ((-1)^c)^T = n \cdot n = n^2.$$
It follows that the average value of $P(c)_t$ over $0 \le t < n$ is equal to $n$. Therefore we define the peak-to-average power ratio of the vector of data bits $c$ (and the corresponding signal $S(c)$) to be
$$PAPR(c) = \frac{1}{n} \max_{0 \le t < n} P(c)_t.$$
From the above discussion we know that $1 \le PAPR(c) \le n$.


Now we consider coding for MC-CDMA. We let $C$ be an arbitrary binary code of length $n$ and rate $R$, that is, a set of $2^{nR}$ binary vectors of length $n$. An encoder for $C$ maps $k = nR$ information bits at a time onto vectors $c \in C$. In MC-CDMA with coding, we have $k$ parallel data streams that are fed into an encoder for $C$ and hence to a Walsh-Hadamard transform. Thus, only codewords $c$ in $C$ are selected for transmission, though (1) still describes the transmitted signal.

We define the PAPR of the code $C$ to be $PAPR(C) = \max_{c \in C} PAPR(c)$. A code $C$ with $PAPR(C) = 1$ is called a constant amplitude code. Such a code attains the lowest and therefore best possible value of PAPR. The main focus of this paper is the construction of codes for MC-CDMA with low PAPR.
Let $V_m$ be the vector space of $m$-tuples of elements from $GF(2)$. Let $\alpha = (a_1, \cdots, a_m)$ and $x = (x_1, \cdots, x_m)$. The inner product of $x$ and $\alpha$ is defined as $\alpha \cdot x = a_1 x_1 \oplus \cdots \oplus a_m x_m$.

The Walsh-Hadamard transform of a Boolean function $f : V_m \to V_1$ is defined as follows:
$$S_{(f)}(w) = 2^{-m} \sum_{x \in V_m} (-1)^{f(x)} (-1)^{w \cdot x}, \quad \text{where } w \in V_m.$$

Definition 1. The function $f(x)$ is bent if $|S_{(f)}(w)| = 2^{-\frac{m}{2}}$ for all $w \in V_m$. The function $f(x)$ is semi bent if $|S_{(f)}(w)| = 0$ or $2^{-\frac{m-1}{2}}$ for all $w \in V_m$.

Comparing this definition with that of $S(c)$, we see that
$$S(c)_t = \hat{c}(t_0, t_1, \ldots, t_{m-1}), \qquad t = \sum_{k=0}^{m-1} t_k 2^k,$$
where $\hat{c}(u) = \sum_{x \in V_m} (-1)^{c(x)} (-1)^{u \cdot x} = 2^m S_{(c)}(u)$ is the unnormalized Walsh-Hadamard transform of the codeword $c$ regarded as a Boolean function on $V_m$ (the bit $c_j$ being the value at the point $x$ whose radix-2 decomposition is $j$). The following lemma is now immediate [1].

Lemma 1. Let $c$ be a word of length $n = 2^m$. Then
$$PAPR(c) = \frac{1}{n} \max_{u \in V_m} |\hat{c}(u)|^2.$$
Moreover, $c$ has PAPR equal to 1 if and only if $c$, regarded as a Boolean function on $V_m$, is bent. In particular, constant amplitude codes of length $n = 2^m$ exist only for $m$ even.

In the discussion that follows, we will occasionally refer to a Boolean function $f : V_m \to V_1$ as a codeword of length $2^m$.

3 The Quarter Bent Functions and Homogeneous Bent Functions

Let $f(x)$ be a Boolean function $V_n \to V_1$. The support set of its spectrum is defined as follows:
$$\mathrm{supp}\, S_{(f)} = \{ w \in V_n \mid S_{(f)}(w) \neq 0 \}.$$
Obviously, the support set of the spectrum of a bent function $f(x)$ in $n$ variables is $V_n$. From the Parseval identity, $\sum_{w \in V_n} S_{(f)}(w)^2 = 1$, we know that the support set of the spectrum of a semi bent function $f(x)$ has $2^{n-1}$ elements, namely $|\mathrm{supp}\, S_{(f)}| = 2^{n-1}$.

Lemma 2. Let $X_1 = (x_1, x_2, \cdots, x_{n-1})$, $X = (X_1, x_n)$, $g_1(X_1) = f(X_1, 0)$, and $g_2(X_1) = f(X_1, 1)$. Then $f(X)$ is a bent function if and only if both $g_1$ and $g_2$ are semi bent functions in $n - 1$ variables, and $g_1$ and $g_2$ have disjoint support sets of spectrum.

Proof. As $g_1(X_1) = f(X_1, 0)$ and $g_2(X_1) = f(X_1, 1)$, we have $f(X) = g_1(X_1)(x_n + 1) + g_2(X_1) x_n$. Let $W_1 = (w_1, w_2, \cdots, w_{n-1})$, $W = (W_1, w_n)$, $X_1 = (x_1, x_2, \cdots, x_{n-1})$, and $X = (X_1, x_n)$. Then
$$\begin{aligned}
S_{(f)}(W) &= 2^{-n} \sum_{X \in V_n} (-1)^{f(X)} (-1)^{W \cdot X} \\
&= 2^{-n} \sum_{X \in V_n} (-1)^{g_1(X_1)(x_n + 1) + g_2(X_1) x_n} (-1)^{W_1 \cdot X_1 + w_n x_n} \\
&= 2^{-n} \Big( \sum_{X_1 \in V_{n-1}} (-1)^{g_1(X_1) + W_1 \cdot X_1} + (-1)^{w_n} \sum_{X_1 \in V_{n-1}} (-1)^{g_2(X_1) + W_1 \cdot X_1} \Big) \\
&= 2^{-1} \big( S_{(g_1)}(W_1) + (-1)^{w_n} S_{(g_2)}(W_1) \big). \qquad (2)
\end{aligned}$$
If $f(X)$ is a bent function, then since $w_n$ is 0 or 1,
$$|S_{(g_1)}(W_1) + S_{(g_2)}(W_1)| = 2 \cdot 2^{-\frac{n}{2}}, \qquad |S_{(g_1)}(W_1) - S_{(g_2)}(W_1)| = 2 \cdot 2^{-\frac{n}{2}}.$$
Since $(a + b)^2 = (a - b)^2$ forces $ab = 0$, it follows that $(|S_{(g_1)}(W_1)|, |S_{(g_2)}(W_1)|) = (2^{-\frac{n-2}{2}}, 0)$ or $(0, 2^{-\frac{n-2}{2}})$ for every $W_1$. Therefore both $g_1$ and $g_2$ are semi bent functions in $n - 1$ variables, and $g_1$ and $g_2$ have disjoint support sets of spectrum. On the other hand, if $(|S_{(g_1)}(W_1)|, |S_{(g_2)}(W_1)|) = (2^{-\frac{n-2}{2}}, 0)$ or $(0, 2^{-\frac{n-2}{2}})$ for every $W_1$, then (2) gives $|S_{(f)}(W)| = 2^{-\frac{n}{2}}$ for every $W$, so $f(X)$ is a bent function. $\square$

Definition 2. The function $f(x)$ is quarter bent if its Walsh-Hadamard transform satisfies $|S_{(f)}(w)| = 0$ or $2^{-\frac{n}{2}}$ or $2^{-\frac{n-2}{2}}$ for all $w \in V_n$.

In a similar way to the above discussion, it is easy to prove the following lemmas.

Lemma 3. Let $X_1 = (x_1, x_2, \cdots, x_{n-1})$, $X = (X_1, x_n)$, $g_1(X_1) = f(X_1, 0)$, $g_2(X_1) = f(X_1, 1)$, and let $f(X)$ be a semi bent function. Then both $g_1$ and $g_2$ are quarter bent functions in $n - 1$ variables.

Lemma 4. Let $X_1 = (x_1, x_2, \cdots, x_{n-1})$, $X = (X_1, x_n)$, $g_1(X_1) = f(X_1, 0)$, $g_2(X_1) = f(X_1, 1)$, and let both $g_1$ and $g_2$ be bent functions. Then $f(X)$ is a semi bent function.

We now discuss the homogeneous bent functions of degree $k$ ($k > 1$) over $V_n$. Let $f(X)$ be a bent function over $V_n$. It is known that the degree of $f(X)$ is not greater than $n/2$. Hence, if we ensure that $f(X)$ contains no term of degree less than $n/2$, then every term of $f(X)$ has degree exactly $n/2$ and $f(X)$ is a homogeneous bent function.

Suppose that $f(X)$ has the following unique algebraic normal form:
$$f(x_1, x_2, \cdots, x_n) = a_0 + a_1 x_1 + a_2 x_2 + \cdots + a_n x_n + a_{1,2} x_1 x_2 + \cdots + a_{n-1,n} x_{n-1} x_n + \cdots + a_{1,2,\cdots,n} x_1 x_2 \cdots x_n.$$
Let $f(X)$ be a homogeneous bent function of degree $k$. Then $a_0 = 0$, which is equivalent to $f(0, 0, \cdots, 0) = 0$. Similarly, given $a_0 = 0$, $a_1 = 0$ is equivalent to $f(1, 0, \cdots, 0) = 0$, $a_2 = 0$ is equivalent to $f(0, 1, \cdots, 0) = 0$, $\cdots$, $a_n = 0$ is equivalent to $f(0, 0, \cdots, 1) = 0$. Given that $a_0, a_1, a_2, \cdots, a_n$ are all 0, $a_{1,2} = 0$ is equivalent to $f(1, 1, 0, \cdots, 0) = 0$, $a_{1,3} = 0$ is equivalent to $f(1, 0, 1, 0, \cdots, 0) = 0$, $\cdots$. In general, $f(\alpha)$ is the sum of the coefficients of all monomials whose variables lie in the support of $\alpha$; hence $f(X)$ contains no term of degree less than $k$ if and only if $f(\alpha) = 0$ for every $\alpha \in V_n$ of Hamming weight less than $k$.

From Lemma 2, $f(X) = g_1(X_1)(x_n + 1) + g_2(X_1) x_n = g_1(X_1) + (g_1(X_1) + g_2(X_1)) x_n$. Let $f(X)$ be a homogeneous bent function of degree $k$. Then $g_1(X_1)$ does not contain any term of degree less than $k$, so $g_1(X_1)$ is zero on the points of $V_{n-1}$ of weight less than $k$; and $g_2(X_1)$ does not contain any term of degree less than $k - 1$, so $g_2(X_1)$ is zero on the points of $V_{n-1}$ of weight less than $k - 1$.

Let $I(x_1, x_2, \cdots, x_n) = \sum_{i=1}^{n} x_i 2^{i-1}$, where the sum is an ordinary integer sum. Then $I : V_n \to \{0, 1, 2, \cdots, 2^n - 1\}$ is a one-to-one mapping, so $(x_1, x_2, \cdots, x_n) \in V_n$ can be represented by the integer $I(x_1, x_2, \cdots, x_n)$. For example, $(1, 1)$ is represented by 3.
Now we can discuss the homogeneous bent functions of degree 3 over $V_6$. Let $f(X)$ be a homogeneous bent function of degree 3. From the discussion above, the points belonging to $\{0,1,2,3,4,5,6,8,9,10,12,16,17,18,20,24,32,33,34,36,40,48\}$ (the points of weight at most 2) are zero points of $f(X)$. For example, as $f(0,0,0,0,1,1) = 0$, 48 is one of the zero points of $f(X)$.

Let $f(X) = g_1(X_1) + (g_1(X_1) + g_2(X_1)) x_6$. Then $g_1(X_1)$ does not contain any term of degree less than 3, thus the points belonging to $\{0,1,2,3,4,5,6,8,9,10,12,16,17,18,20,24\}$ must be zero points of $g_1(X_1)$; $g_2(X_1)$ does not contain any term of degree less than 2, thus the points belonging to $\{0,1,2,4,8,16\}$ must be zero points of $g_2(X_1)$.

From Lemma 2, we know that $g_1(X_1)$ is a semi bent function; therefore
$$|S_{(g_1)}(0)| = 2^{-5} \Big| \sum_{X_1 \in V_5} (-1)^{g_1(X_1)} (-1)^{0 \cdot X_1} \Big| = 2^{-5} \Big| \sum_{X_1 \in V_5} (-1)^{g_1(X_1)} \Big| = 0 \text{ or } 2^{-2}.$$
If $S_{(g_1)}(0) = -2^{-2} = -\frac{8}{32}$, then $g_1(X_1)$ must take the value 1 at 20 points and the value 0 at 12 points. This contradicts the fact that the 16 points belonging to $\{0,1,2,3,4,5,6,8,9,10,12,16,17,18,20,24\}$ must be zero points of $g_1(X_1)$.

If $S_{(g_1)}(0) = 0$, then $g_1(X_1)$ must take the value 1 exactly at the 16 points not belonging to $\{0,1,2,3,4,5,6,8,9,10,12,16,17,18,20,24\}$. It is easy to show that the $g_1(X_1)$ determined by these conditions is not a semi bent function.

If $S_{(g_1)}(0) = 2^{-2} = \frac{8}{32}$, then $g_1(X_1)$ must take the value 0 at 20 points and the value 1 at 12 points. It is easy to verify by computer that there are 15 cases in which $g_1(X_1)$ with these conditions is a semi bent function.

As $S_{(g_1)}(0) = 2^{-2}$, it follows from Lemma 2 (disjoint supports) that $S_{(g_2)}(0) = 0$. Therefore $g_2(X_1)$ must take the value 0 at 16 points and the value 1 at 16 points. It is easy to verify by computer that there are 64056 cases in which $g_2(X_1)$ is a semi bent function with these conditions.

For every $g_1(X_1)$ of the 15 cases, there are only 2 functions $g_2(X_1)$ among the 64056 cases such that $g_1(X_1)$ and $g_2(X_1)$ have disjoint support sets of spectrum. Therefore, for every $g_1(X_1)$ of the 15 cases, there are 2 homogeneous bent functions of degree 3. Thus there are in total 30 homogeneous bent functions of degree 3.

For example, let $g_1(X_1) = \{7,11,13,14,19,21,23,26,27,28,29,30\}$ (the set of points at which $g_1$ takes the value 1). Then the spectrum $2^5 S_{(g_1)}(W)$, for $W$ in the order $0, 1, 2, \cdots, 2^5 - 1$, is
$$\{8,8,8,0,8,0,8,-8,\ 8,8,0,-8,0,-8,-8,8,\ 8,0,0,0,0,0,-8,0,\ 0,-8,0,0,0,0,0,8\};$$
$g_2(X_1)$ can be $\{3,6,7,9,11,12,13,14,17,18,20,21,22,24,25,26\}$, whose spectrum $2^5 S_{(g_2)}(W)$, for $W$ in the order $0, 1, 2, \cdots, 2^5 - 1$, is
$$\{0,0,0,8,0,8,0,0,\ 0,0,8,0,8,0,0,0,\ 0,8,8,-8,8,8,0,-8,\ 8,0,8,-8,-8,-8,-8,0\}.$$
Obviously, $g_1(X_1)$ and $g_2(X_1)$ have disjoint support sets of spectrum, hence they construct a homogeneous bent function of degree 3, namely $f(X) = \{7, 11, 13, 14, 19, 21, 23, 26, 27, 28, 29, 30, 35, 38, 39, 41, 43, 44, 45, 46, 49, 50, 52, 53, 54, 56, 57, 58\}$, with the following unique algebraic normal form:
$$\begin{aligned} f(X) = {} & x_1 x_2 x_3 + x_1 x_2 x_4 + x_1 x_2 x_5 + x_1 x_2 x_6 + x_1 x_3 x_4 + x_1 x_3 x_5 + x_1 x_4 x_6 + x_1 x_5 x_6 \\ & + x_2 x_3 x_4 + x_2 x_3 x_6 + x_2 x_4 x_5 + x_2 x_5 x_6 + x_3 x_4 x_5 + x_3 x_4 x_6 + x_3 x_5 x_6 + x_4 x_5 x_6. \end{aligned}$$
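The spectra, the disjointness of the supports, the PAPR of Lemma 1 and the algebraic normal form quoted above can all be checked mechanically. The following Python script is an added example and is not code from the paper: it computes the integer spectrum $2^n S_{(f)}(w)$ of a Boolean function given by its set of 1-points under the integer encoding $I$ defined above (bit $i-1$ of the integer is $x_i$), classifies the function as bent, semi bent or quarter bent (Definitions 1 and 2), evaluates $PAPR(c)$ as in Lemma 1, recovers the algebraic normal form by a Möbius transform, and rebuilds $f$ from $g_1$ and $g_2$ exactly as in Lemma 2. The function names and the constant names `G1`, `G2`, `F` are mine; the sets are the paper's.

```python
# Added example (not from the paper): Walsh spectra, PAPR, ANF and the Lemma 2
# decomposition for Boolean functions given by their 1-points, using the paper's
# encoding I(x1,...,xn) = sum_i x_i 2^(i-1), i.e. bit i-1 of the integer <-> x_i.

# Section 3 example: 1-points of g1, g2 on V5 and of f on V6 (values from the paper).
G1 = {7, 11, 13, 14, 19, 21, 23, 26, 27, 28, 29, 30}
G2 = {3, 6, 7, 9, 11, 12, 13, 14, 17, 18, 20, 21, 22, 24, 25, 26}
F = {7, 11, 13, 14, 19, 21, 23, 26, 27, 28, 29, 30,
     35, 38, 39, 41, 43, 44, 45, 46, 49, 50, 52, 53, 54, 56, 57, 58}


def parity(v):
    """Parity of popcount(v); parity(w & x) is the inner product w.x over GF(2)."""
    return bin(v).count("1") & 1


def walsh_spectrum(ones, n):
    """Integer spectrum 2^n S_(f)(w) = sum_x (-1)^(f(x) + w.x) for w = 0, ..., 2^n - 1."""
    size = 1 << n
    return [sum(-1 if (x in ones) ^ parity(w & x) else 1 for x in range(size))
            for w in range(size)]


def classify(ones, n):
    """Definitions 1 and 2 in integer scale: with v = 2^n S_(f)(w),
    |S| = 2^(-n/2) <-> v^2 = 2^n, |S| = 2^(-(n-1)/2) <-> v^2 = 2^(n+1),
    |S| = 2^(-(n-2)/2) <-> v^2 = 2^(n+2)."""
    squares = {v * v for v in walsh_spectrum(ones, n)}
    if squares == {1 << n}:
        return "bent"
    if squares <= {0, 1 << (n + 1)}:
        return "semi-bent"
    if squares <= {0, 1 << n, 1 << (n + 2)}:
        return "quarter bent"
    return "other"


def spectral_support(ones, n):
    """supp S_(f) = { w : S_(f)(w) != 0 }."""
    return {w for w, v in enumerate(walsh_spectrum(ones, n)) if v != 0}


def papr(ones, n):
    """Lemma 1: PAPR(c) = (1/2^n) max_u |c^(u)|^2 for the codeword c with 1-points `ones`."""
    return max(v * v for v in walsh_spectrum(ones, n)) / (1 << n)


def anf(ones, n):
    """Algebraic normal form via the Moebius transform a_T = sum_{S subset T} f(S) mod 2.
    Returns the set of monomials present, each as the bit mask of its variables."""
    coeff = [1 if x in ones else 0 for x in range(1 << n)]
    for i in range(n):
        bit = 1 << i
        for x in range(1 << n):
            if x & bit:
                coeff[x] ^= coeff[x ^ bit]
    return {x for x, a in enumerate(coeff) if a}


def monomial(mask):
    """Render a monomial mask as x1x2..., or '1' for the empty product."""
    return "".join(f"x{i + 1}" for i in range(mask.bit_length()) if mask >> i & 1) or "1"


def glue(g1_ones, g2_ones, n1):
    """Lemma 2 in reverse: 1-points of f(X1, x_n) = g1(X1)(x_n + 1) + g2(X1) x_n,
    where g1, g2 live on V_{n1}; the g2 points are shifted by 2^n1 (x_n = 1)."""
    return set(g1_ones) | {x | (1 << n1) for x in g2_ones}


def low_weight_ones(ones, n, k):
    """1-points of weight < k; this list must be empty when no term has degree < k."""
    return [x for x in sorted(ones) if bin(x).count("1") < k]


if __name__ == "__main__":
    print("2^5 S_(g1):", walsh_spectrum(G1, 5))
    print("g1:", classify(G1, 5), "| g2:", classify(G2, 5), "| disjoint supports:",
          not (spectral_support(G1, 5) & spectral_support(G2, 5)))
    print("glue(g1, g2) == f:", glue(G1, G2, 5) == F, "| f is", classify(F, 6),
          "| PAPR(f) =", papr(F, 6), "| low-weight 1-points:", low_weight_ones(F, 6, 3))
    terms = sorted(anf(F, 6))
    print(len(terms), "monomials:", " + ".join(monomial(t) for t in terms))
```

Running the script reproduces the $g_1$ spectrum listed above, reports both $g_1$ and $g_2$ as semi bent with disjoint supports, confirms that gluing them gives the paper's $f$, that $f$ is bent with $PAPR(f) = 1$, and that its ANF consists of exactly the 16 cubic monomials printed above. The same functions apply to the degree-2 example of Section 4 and to the restrictions $h_1(X_2) = g_1(X_2, 0)$ used in the proof of Theorem 1, which `classify` reports as quarter bent.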

4 Spectrally Bounded Functions of Degree $m$ over $V_{2m}$

It is easy to verify by computer that there are 28 homogeneous bent functions of degree 2 over $V_4$. For example, $x_1 x_2 + x_1 x_3 + x_1 x_4 + x_2 x_3 + x_2 x_4 + x_3 x_4 = \{3, 5, 6, 7, 9, 10, 11, 12, 13, 14\}$ is a homogeneous bent function of degree 2. We know that there are 30 homogeneous bent functions of degree 3 over $V_6$. However, we will prove that homogeneous bent functions of degree $m$ over $V_{2m}$ do not exist for $m > 3$.

Let $f(X)$ be a homogeneous bent function of degree $m$ over $V_n$, where $n = 2m$. Then $f(X)$ does not contain any term of degree less than $m$. Since $f(X) = g_1(X_1) + (g_1(X_1) + g_2(X_1)) x_n$, $g_1(X_1)$ is a semi bent function that does not contain any term of degree less than $m$. From Lemma 3, $g_1(X_1) = h_1(X_2) + (h_1(X_2) + h_2(X_2)) x_{n-1}$, where $X_2 = (x_1, \cdots, x_{n-2})$, $X_1 = (X_2, x_{n-1})$, $h_1(X_2) = g_1(X_2, 0)$, $h_2(X_2) = g_1(X_2, 1)$; thus $h_1(X_2)$ is a quarter bent function in $2(m-1)$ variables that does not contain any term of degree less than $m$.

In $h_1(X_2)$, the largest possible number of terms of degree 0 is 1; the largest possible number of terms of degree 1 is $\binom{2(m-1)}{1}$; $\cdots$; the largest possible number of terms of degree $m - 1$ is $\binom{2(m-1)}{m-1}$. Therefore the largest possible number of terms of degree less than $m$ is
$$c_0 = \binom{2(m-1)}{0} + \binom{2(m-1)}{1} + \binom{2(m-1)}{2} + \cdots + \binom{2(m-1)}{m-1}.$$
Since
$$2^{2(m-1)} = (1 + 1)^{2(m-1)} = c_0 + \binom{2(m-1)}{m} + \cdots + \binom{2(m-1)}{2(m-1)} = 2c_0 - \binom{2(m-1)}{m-1},$$
we have
$$2c_0 = 2^{2(m-1)} + \binom{2(m-1)}{m-1}. \qquad (3)$$
Moreover, the fact that $h_1(X_2)$ does not contain any term of degree less than $m$ is equivalent to $h_1(\alpha) = 0$ for every $\alpha \in V_{2(m-1)}$ of weight less than $m$; thus the number of points $\alpha \in V_{2(m-1)}$ with $h_1(\alpha) = 0$ is not less than $c_0$.

On the other hand, as $h_1(X_2)$ is a quarter bent function over $V_{2(m-1)}$,
$$2^{2(m-1)} S_{(h_1)}(0) = \sum_{X_2 \in V_{2(m-1)}} (-1)^{h_1(X_2)} \le 2^{2(m-1)} \cdot 2^{-m+2} = 2^m.$$
Suppose the number of points $\alpha \in V_{2(m-1)}$ with $h_1(\alpha) = 0$ is $y$. Then $y - (2^{2(m-1)} - y) \le 2^m$, namely $y \le (2^{2(m-1)} + 2^m)/2$. Hence the number of points $\alpha \in V_{2(m-1)}$ with $h_1(\alpha) = 0$ is not more than $(2^{2(m-1)} + 2^m)/2$. From equality (3), $\big(2^{2(m-1)} + \binom{2(m-1)}{m-1}\big)/2 \le (2^{2(m-1)} + 2^m)/2$, namely
$$\binom{2(m-1)}{m-1} \le 2^m. \qquad (4)$$
For $m = 3$, $\binom{2(m-1)}{m-1} = \binom{4}{2} = 6 < 2^3 = 8$, so inequality (4) holds. For $m = 4$, $\binom{2(m-1)}{m-1} = \binom{6}{3} = 20 > 2^4 = 16$, so inequality (4) does not hold.

Now we consider the case $m > 3$. Write
$$\binom{2(m-1)}{m-1} = \frac{(2m-2)(2m-3) \cdots m}{(m-1)(m-2) \cdots 1}.$$
The first factor $(2m-2)/(m-1)$ equals 2; each following factor $(2m-3)/(m-2), \cdots$ exceeds 2, since $2m - 3 > 2(m-2)$ and so on; and the last factor is $2(m-1) - (m-2) = m \ge 4 = 2^2$. Hence $\binom{2(m-1)}{m-1} > 2^m$, and inequality (4) does not hold. We have thus proved the following theorem.

Theorem 1. Homogeneous bent functions of degree $m$ over $V_{2m}$ do not exist for $m > 3$.
We now discuss a more general case. First we introduce a lemma.

Lemma 5. Let a Boolean function $f(x)$ over $V_n$, $n = 2m$, have a bounded Walsh-Hadamard transform, say $|S_{(f)}(w)| \le 2^{-m+t}$. Let $g(x_1, \cdots, x_{2m-k}) = f(x_1, \cdots, x_{2m-k}, 0, \cdots, 0)$ be a Boolean function in $2m - k$ variables, where $k$ is a positive integer. Then $|S_{(g)}(w_1, \cdots, w_{2m-k})| \le 2^{-m+t+k}$.

Proof. For $k = 1$, the proof is similar to that of Lemma 2: by (2), $S_{(g)}(W_1) = S_{(f)}(W_1, 0) + S_{(f)}(W_1, 1)$, whose magnitude is at most $2 \cdot 2^{-m+t}$. Clearly we can continue in this way for larger $k$. $\square$

The main result of this section is the following.

Theorem 2. If the order of every term in a Boolean function $f(x)$ over $V_{2m}$ is more than $m - k$, and $|S_{(f)}(w)| \le 2^{-m+t}$, then
$$\binom{2(m-k)}{m-k} \le 2^{m+t}.$$

Proof. Let $g(x_1, \cdots, x_{2(m-k)}) = f(x_1, \cdots, x_{2(m-k)}, 0, \cdots, 0)$ be a Boolean function in $2(m-k)$ variables, where $k$ is a positive integer. By Lemma 5 (applied with $2k$ in place of $k$), $|S_{(g)}(w_1, \cdots, w_{2(m-k)})| \le 2^{-m+t+2k}$, and the order of every term in $g(x_1, \cdots, x_{2(m-k)})$ is more than $m - k$.

Very similarly to the discussion of Theorem 1, the largest possible number of terms in $g(x_1, \cdots, x_{2(m-k)})$ of degree less than $m - k + 1$ is
$$c_0 = \binom{2(m-k)}{0} + \binom{2(m-k)}{1} + \binom{2(m-k)}{2} + \cdots + \binom{2(m-k)}{m-k},$$
and thus
$$2c_0 = 2^{2(m-k)} + \binom{2(m-k)}{m-k}. \qquad (5)$$
On the other hand, as $g(x_1, \cdots, x_{2(m-k)})$ is a function over $V_{2(m-k)}$,
$$2^{2(m-k)} S_{(g)}(0) = \sum_{X_2 \in V_{2(m-k)}} (-1)^{g(X_2)} \le 2^{2(m-k)} \cdot 2^{-m+t+2k} = 2^{m+t}.$$
Furthermore, the number of points $\alpha \in V_{2(m-k)}$ with $g(\alpha) = 0$ is not more than $(2^{2(m-k)} + 2^{m+t})/2$, and not less than $c_0$. From equality (5), we have $\binom{2(m-k)}{m-k} \le 2^{m+t}$. $\square$

Let $t = 0$ (here $|S_{(f)}(w)| = 2^{-m}$) and $k = 1$. Then $\binom{2(m-1)}{m-1} \le 2^m$ implies that $m \le 3$. Therefore, Theorem 1 is a corollary of Theorem 2. Let $t = 0$ (here $|S_{(f)}(w)| = 2^{-m}$) and $k = 2$. Then $\binom{2(m-2)}{m-2} \le 2^m$ implies that $m \le 5$.

5 A New Coding Approach to Achieve Constant Amplitude Transmission

We now present a new coding approach to achieve constant amplitude transmission with codeword length $2^m$ for both odd and even $m$.

Let us define the new code as a function $g : V_m \to \{-1, 0, 1\}$, which takes $m$ Boolean variables and assigns a value from $\{-1, 0, 1\}$. The ternary Walsh spectrum is defined as follows:
$$S_g(u) = \sum_{x \in V_m} g(x) (-1)^{x \cdot u}, \quad u \in V_m.$$
Let $S_g = (S_g(0, 0, \ldots, 0), S_g(1, 0, \ldots, 0), \ldots, S_g(1, 1, \ldots, 1))$ and $g = (g(0, 0, \ldots, 0), g(1, 0, \ldots, 0), \ldots, g(1, 1, \ldots, 1))$. Then
$$S_g^2(0, 0, \ldots, 0) + S_g^2(1, 0, \ldots, 0) + \cdots + S_g^2(1, 1, \ldots, 1) = S_g S_g^T = g\, WH_{2^m}\, WH_{2^m}^T\, g^T = 2^m g g^T.$$
Let $\mathrm{weight}(g) = |\{x \mid g(x) \neq 0 \text{ and } x \in V_m\}|$. Then the average value of $S_g^2(u)$ over $V_m$ is $g g^T = \mathrm{weight}(g)$.

Now we can construct codes to achieve constant amplitude transmission for both odd and even $m$. Given an integer $k$, suppose that $2m \le k$ and that $f(x)$ is a bent Boolean function over $V_{2m}$. Let
$$g(x, x_{2m+1}, \ldots, x_k) = \begin{cases} (-1)^{f(x)}, & x_{2m+1} = \cdots = x_k = 0, \\ 0, & \text{otherwise}, \end{cases}$$
where $x \in V_{2m}$. Then we have
$$\begin{aligned}
\mathrm{PAPR}(g) &= \max_{(u, u_{2m+1}, \ldots, u_k) \in V_k} \Big( \sum_{(x, x_{2m+1}, \ldots, x_k) \in V_k} g(x, x_{2m+1}, \ldots, x_k)\, (-1)^{(x, x_{2m+1}, \ldots, x_k)(u, u_{2m+1}, \ldots, u_k)^T} \Big)^2 \Big/ \mathrm{weight}(g) \\
&= \max_{(u, u_{2m+1}, \ldots, u_k) \in V_k} \Big( \sum_{(x, 0, \ldots, 0) \in V_k} (-1)^{f(x)} (-1)^{x u^T} \Big)^2 \Big/ 2^{2m} \\
&= \max_{(u, u_{2m+1}, \ldots, u_k) \in V_k} 2^{2m} / 2^{2m} = 1.
\end{aligned}$$
Now we consider the number of codewords with PAPR equal to 1. It is known that $x_1 x_2$ is a bent function over $V_2$. The functions $x_1 x_2 + c_1 x_1 + c_2 x_2 + c_0$, where $c_0, c_1, c_2 \in GF(2)$, are the 8 bent functions over $V_2$, and the minimum distance of these 8 codewords is 2. The distance between $x_1 x_2$ and $x_1 x_2 + 1$ is 4.

Let $m = 5$. Now we consider a code $C$ of length $n = 2^5$. Suppose $g \in C$. Let $f$ be a bent function over $V_2$. We define $g$ as follows: $\mathrm{weight}(g) = 4$; $g(u_0) = (-1)^{f(0,0)}$; $g(u_1) = (-1)^{f(1,0)}$; $g(u_2) = (-1)^{f(0,1)}$; $g(u_3) = (-1)^{f(1,1)}$. Here $\{u_0, u_1, u_2, u_3\} \subset V_5$ with $u_0 < u_1 < u_2 < u_3$ are chosen such that $\mathrm{PAPR}(g) = 1$.

Case A. Among $\{0, 1, 2, \ldots, 2^5 - 1\}$, select any two even integers $2i < 2j$. Then let $u_0 = 2i$, $u_1 = 2i + 1$, $u_2 = 2j$, $u_3 = 2j + 1$. There are in total $\binom{2^4}{2}$ such codewords.

Based on the following example, it is straightforward to give the detailed proof, which is omitted here. Let $i = 2$, $j = 8$, $u_0 = 2$, $u_1 = 3$, $u_2 = 8$, $u_3 = 9$. Then the radix-2 decompositions $(x_0, x_1, x_2, x_3, x_4)$ of $u_0, u_1, u_2, u_3$ are the rows of
$$\begin{pmatrix} 0 & 1 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 \\ 1 & 0 & 0 & 1 & 0 \end{pmatrix}.$$
Thus
$$S_g(w_0, w_1, w_2, w_3, w_4) = \sum_{(x_0, x_1, x_2, x_3, x_4) \in V_5} g(x_0, x_1, x_2, x_3, x_4)\, (-1)^{(x_0, x_1, x_2, x_3, x_4)(w_0, w_1, w_2, w_3, w_4)^T} = \sum_{(v_0, v_1) \in V_2} (-1)^{f(v_0, v_1) + w_1 (1 + v_1)} (-1)^{(v_0, v_1)(w_0, w_3)^T}.$$
Since $f(v_0, v_1) + w_1 (1 + v_1)$ is still a bent function over $V_2$, $(S_g(w_0, w_1, w_2, w_3, w_4))^2 = 2^2 = 4$ for any $(w_0, w_1, w_2, w_3, w_4) \in V_5$, and hence $\mathrm{PAPR}(g) = 4 / \mathrm{weight}(g) = 1$. Note that there are $\binom{16}{2}$ ways to select two even integers $2i < 2j$ among $\{0, 1, 2, \ldots, 2^5 - 1\}$, hence there are in total $\binom{16}{2}$ codewords in this case.

Case B. Among $\{0, 1, 2, \ldots, 2^5 - 1\}$, select any two integers divisible by 4, namely $4i < 4j$, then let $4i \le u_0 < u_1 < 4j \le u_2 < u_3$, with $u_0, u_1$ taken from the block $\{4i, \ldots, 4i + 3\}$ and $u_2, u_3$ from the block $\{4j, \ldots, 4j + 3\}$. There are in total $\binom{2^3}{2} \times 2^3$ such codewords.
For example, let $i = 4$, $j = 16$, $u_0 = 4$, $u_1 = 6$, $u_2 = 16$, $u_3 = 18$. Then the radix-2 decompositions of $u_0, u_1, u_2, u_3$ are the rows of
$$\begin{pmatrix} 0 & 0 & 1 & 0 & 0 \\ 0 & 1 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 0 & 1 \end{pmatrix}.$$
Thus
$$S_g(w_0, w_1, w_2, w_3, w_4) = \sum_{(v_0, v_1) \in V_2} (-1)^{f(v_0, v_1) + w_2 (1 + v_1)} (-1)^{(v_0, v_1)(w_1, w_4)^T}.$$
Hence $\mathrm{PAPR}(g) = 1$.

Let $u_0 = 5$, $u_1 = 6$, $u_2 = 16$, $u_3 = 19$. Then the radix-2 decompositions of $u_0, u_1, u_2, u_3$ are the rows of
$$\begin{pmatrix} 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 \\ 1 & 1 & 0 & 0 & 1 \end{pmatrix}.$$
Thus
$$S_g(w_0, w_1, w_2, w_3, w_4) = \sum_{(v_0, v_1) \in V_2} (-1)^{f(v_0, v_1) + w_0 (1 + v_0 + v_1) + w_2 (1 + v_1)} (-1)^{(v_0, v_1)(w_1, w_4)^T}.$$
Hence $\mathrm{PAPR}(g) = 1$.

Suppose that $f(v_0, v_1)$ is a bent function over $V_2$. Then we know that $f(v_0, v_1) + w_0 (c_0 v_0 + c_1 v_1 + c_2)$, $c_0, c_1, c_2 \in GF(2)$, is still a bent function over $V_2$. Thus, it is easy to show that there are in total $\binom{2^3}{2} \times 2^3$ codewords in this case.

Case C. Among $\{0, 1, 2, \ldots, 2^5 - 1\}$, select any two integers divisible by 8, namely $8i < 8j$, then let $8i \le u_0 < u_1 < 8j \le u_2 < u_3$. There are in total $\binom{2^2}{2} \times (2^3)^2$ such codewords.

Case D. Among $\{0, 1, 2, \ldots, 2^5 - 1\}$, select any two integers divisible by 16, namely $16i < 16j$, then let $16i \le u_0 < u_1 < 16j \le u_2 < u_3$. There are in total $\binom{2}{2} \times (2^3)^3$ such codewords.
Considering both Case A and Case B, it is easy to show Case C and Case D. By using the bent functions $x_1 x_2$ and $x_1 x_2 + 1$, it is easy to verify by computer that the size of $C$ is
$$2 \times \Big[ \binom{2^4}{2} + \binom{2^3}{2} \times 8 + \binom{2^2}{2} \times 8^2 + \binom{2}{2} \times 8^3 \Big] = 2480.$$
The minimum distance of $C$ is 4 and $\mathrm{PAPR}(C) = 1$.

In a similar way, for a general codeword length $2^m$ we have the following theorem.

Theorem 3. The following constant amplitude codes of length $2^m$ can be constructed.

Case 1. If only $x_1 x_2 + c_1 x_1 + c_2 x_2 + c_0$ and $x_1 x_2 + c_1 x_1 + c_2 x_2 + c_0 + 1$, for one fixed choice of $c_0, c_1, c_2 \in GF(2)$, are used, then the size of $C$ is
$$2 \times \Big[ \binom{2^{m-1}}{2} + \binom{2^{m-2}}{2} \times 8 + \cdots + \binom{2}{2} \times 8^{m-2} \Big].$$
The minimum distance of $C$ is 4 and $\mathrm{PAPR}(C) = 1$.
Case 2. If all $x_1 x_2 + c_1 x_1 + c_2 x_2 + c_0$, where $c_0, c_1, c_2 \in GF(2)$, are used, then the size of $C$ is
$$8 \times \Big[ \binom{2^{m-1}}{2} + \binom{2^{m-2}}{2} \times 8 + \cdots + \binom{2}{2} \times 8^{m-2} \Big].$$
The minimum distance of $C$ is 2 and $\mathrm{PAPR}(C) = 1$.

Let $m = 5$ and let $f$ be a bent function over $V_4$. Suppose $g \in C$. Let us define $g$ as follows: $\mathrm{weight}(g) = 16$; $g(u_0) = (-1)^{f(0,0,0,0)}$; $g(u_1) = (-1)^{f(1,0,0,0)}$; $g(u_2) = (-1)^{f(0,1,0,0)}$; $\cdots$; $g(u_{15}) = (-1)^{f(1,1,1,1)}$. Here $\{u_0, u_1, u_2, \cdots, u_{15}\} \subset V_5$ with $u_0 < u_1 < u_2 < \cdots < u_{15}$ are chosen such that $\mathrm{PAPR}(g) = 1$. In a similar way, one can consider a code $C$ of length $n = 2^5$ built from such words.

It is shown in [8] that an information bit stream with 9 information bits can be transmitted with constant amplitude by using the Hadamard code sequences of length $2^4$. It follows from the fact that the number of bent functions over $V_4$ is 896. From Theorem 3, by using all 8 bent functions over $V_2$, we know that the number of constant amplitude codewords of length $2^4$ is
$$8 \times \Big[ \binom{2^3}{2} + \binom{2^2}{2} \times 8 + \binom{2}{2} \times 8^2 \Big] = 1120.$$
Note that $2^{10} < 1120 < 2^{11}$, thus 10 information bits can be transmitted with constant amplitude codewords of length $2^4$. Similarly, we know that the number of constant amplitude codewords of length $2^3$ is
$$8 \times \Big[ \binom{2^2}{2} + \binom{2}{2} \times 8 \Big] = 112.$$
Thus, 6 bits can be transmitted with constant amplitude.
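The counts 2480, 1120 and 112, the three worked position patterns of Cases A and B, and the minimum distances claimed in Theorem 3 can be checked by brute force. The following Python script is an added example and is not code from the paper: it embeds a bent function on $V_2$ into a ternary word on $V_m$ at four chosen positions exactly as in the construction above, computes the ternary Walsh spectrum $S_g$ and $\mathrm{PAPR}(g)$, and, instead of going through Cases A to D, tries every 4-subset of $V_m$ with the bent functions of Case 1 or Case 2 and compares the number of constant amplitude words found with the closed form of Theorem 3. Names such as `embed`, `constant_amplitude_code` and `theorem3_size` are mine, as is the sparse `{position: ±1}` representation of a word.

```python
# Added example (not from the paper): the weight-4 ternary construction of Section 5,
# its ternary Walsh spectrum and PAPR, and a brute-force count compared with Theorem 3.
from itertools import combinations
from math import comb


def parity(v):
    return bin(v).count("1") & 1


def sign_table(m):
    """(-1)^(x.u) for all x, u in V_m; bit i of the integer <-> variable x_i (radix-2 order)."""
    size = 1 << m
    return [[-1 if parity(x & u) else 1 for u in range(size)] for x in range(size)]


def bent_functions_v2():
    """The 8 bent functions x1x2 + c1x1 + c2x2 + c0 on V2 as truth tables indexed by
    v0 + 2*v1, i.e. in the order (0,0), (1,0), (0,1), (1,1) used for g(u0), ..., g(u3)."""
    return [tuple((v0 & v1) ^ (c1 & v0) ^ (c2 & v1) ^ c0 for v1 in (0, 1) for v0 in (0, 1))
            for c0 in (0, 1) for c1 in (0, 1) for c2 in (0, 1)]


X1X2 = (0, 0, 0, 1)          # x1x2
X1X2_PLUS_1 = (1, 1, 1, 0)   # x1x2 + 1
CASE1 = [X1X2, X1X2_PLUS_1]  # Theorem 3, Case 1
CASE2 = bent_functions_v2()  # Theorem 3, Case 2


def embed(f_bits, positions):
    """Ternary word with g(u_v) = (-1)^f(v) at the sorted positions and 0 elsewhere,
    stored sparsely as {position: +-1}; weight(g) is the number of entries."""
    return {u: -1 if f_bits[v] else 1 for v, u in enumerate(sorted(positions))}


def ternary_walsh(g, table):
    """S_g(u) = sum_x g(x) (-1)^(x.u) for every u in V_m."""
    return [sum(s * table[x][u] for x, s in g.items()) for u in range(len(table))]


def papr(g, table):
    """PAPR(g) = max_u S_g(u)^2 / weight(g); the average of S_g(u)^2 is weight(g)."""
    return max(v * v for v in ternary_walsh(g, table)) / len(g)


def is_constant_amplitude(g, table):
    """PAPR(g) == 1, i.e. S_g(u)^2 == weight(g) for all u; stops at the first violation."""
    weight = len(g)
    return all(sum(s * table[x][u] for x, s in g.items()) ** 2 == weight
               for u in range(len(table)))


def constant_amplitude_code(m, functions):
    """Brute-force counterpart of Cases A-D: try every 4-subset of V_m with every f in
    `functions` and keep the ternary words of PAPR 1 (no case analysis assumed)."""
    table = sign_table(m)
    return [g for positions in combinations(range(1 << m), 4)
            for g in (embed(f_bits, positions) for f_bits in functions)
            if is_constant_amplitude(g, table)]


def theorem3_size(m, case):
    """Closed form of Theorem 3 for length 2^m: (2 or 8) * sum_i C(2^(m-1-i), 2) * 8^i."""
    inner = sum(comb(1 << (m - 1 - i), 2) * 8 ** i for i in range(m - 1))
    return (2 if case == 1 else 8) * inner


def min_distance(code, m):
    """Minimum Hamming distance between distinct ternary words of length 2^m."""
    words = [tuple(g.get(x, 0) for x in range(1 << m)) for g in code]
    return min(sum(a != b for a, b in zip(p, q)) for p, q in combinations(words, 2))


if __name__ == "__main__":
    t5 = sign_table(5)
    for positions in ([2, 3, 8, 9], [4, 6, 16, 18], [5, 6, 16, 19], [0, 1, 2, 4]):
        g = embed(X1X2, positions)
        print(positions, "S_g =", ternary_walsh(g, t5), "PAPR =", papr(g, t5))
    print("length 32, Case 1:", len(constant_amplitude_code(5, CASE1)),
          "words by brute force vs", theorem3_size(5, 1), "from Theorem 3")
    for m in (3, 4):
        print(f"length {1 << m}, Case 2:", len(constant_amplitude_code(m, CASE2)),
              "vs", theorem3_size(m, 2))
    print("length 8 minimum distance: Case 1 =",
          min_distance(constant_amplitude_code(3, CASE1), 3),
          "Case 2 =", min_distance(constant_amplitude_code(3, CASE2), 3))
```

The three position sets from Cases A and B give $|S_g(u)| = 2$ for every $u$ and hence PAPR 1, while the fourth set, $\{0, 1, 2, 4\}$, which fits none of the cases, gives PAPR 4. Because the enumeration ranges over all 4-subsets rather than the cases, agreement with `theorem3_size` (2480 for Case 1 at length 32; 1120 and 112 for Case 2 at lengths 16 and 8) also shows that Cases A to D leave out no weight-4 word of this shape. Enumerating length 32 takes a second or two in pure Python.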

References

1. Paterson, K.G.: On Codes with Low Peak-To-Average Power Ratio for Multi-Code CDMA. IEEE Trans. Inform. Theory 50(3), 550–559 (2004)
2. Paterson, K.G.: Generalised Reed-Muller Codes and Power Control in OFDM Modulation. IEEE Trans. Inform. Theory 46, 104–120 (2000)
3. Paterson, K.G., Jones, A.E.: Efficient Decoding Algorithms for Generalised Reed-Muller Codes. IEEE Trans. Commun. 48(8), 1272–1285 (2000)
4. Paterson, K.G., Tarokh, V.: On the Existence and Construction of Good Codes with Low Peak-To-Average Power Ratios. IEEE Trans. Inform. Theory 46(6), 1974–1987 (2000)
5. Qu, C., Seberry, J., Pieprzyk, J.: Homogeneous Bent Functions. Discrete Applied Mathematics 102, 133–139 (2000)
6. Rothaus, O.S.: On "Bent" Functions. J. Combin. Theory Ser. A 20, 300–305 (1976)
7. Xia, T., Seberry, J., Pieprzyk, J., Charnes, C.: Homogeneous Bent Functions of Degree n in 2n Variables Do Not Exist for n > 3. Discrete Applied Mathematics 142, 127–132 (2004)
8. Wada, T.: Characteristic of Bit Sequences Applicable to Constant Amplitude Orthogonal Multicode Systems. IEICE Trans. Fundamentals E83-A(11), 2160–2164 (2000)
9. Wada, T., Yamazato, M., Ogawa, A.: A Constant Amplitude Coding for Orthogonal Multi-Code CDMA Systems. IEICE Trans. Fundamentals E80-A(12), 2477–2484 (1997)
10. Wada, T., Yamazato, T., Katayama, M., Ogawa, A.: Error Correcting Capability of Constant Amplitude Coding for Orthogonal Multi-Code CDMA Systems. IEICE Trans. Fundamentals E81-A(10), 2166–2169 (1998)
Determining the Nonlinearity of a New Family of APN Functions

Carl Bracken, Eimear Byrne, Nadya Markin, and Gary McGuire

School of Mathematical Sciences, University College Dublin, Ireland
[email protected], [email protected], [email protected], [email protected]

Abstract. We compute the Walsh spectrum and hence the nonlinearity of a new family of quadratic multi-term APN functions. We show that the distribution of values in the Walsh spectrum of these functions is the same as that of the Gold function.

Key words: Almost perfect nonlinear, APN, almost bent, AB, nonlinearity, Walsh transform, Walsh spectrum, discrete binary Fourier transform.

1 Introduction

Let $L = GF(2^n)$ for some positive integer $n$ and let $\mathrm{Tr}(x)$ denote the absolute trace map on $L$. Let $f : L \to L$ be a function. The map $f$ is said to be almost perfect nonlinear (APN) on $L$ if the number of solutions in $L$ of the equation
$$f(x + q) - f(x) = p \qquad (1)$$
is at most 2, for all $p, q \in L$, $q \neq 0$. If Equation (1) has at most $r$ solutions, then the function is called differentially $r$-uniform. Therefore APN functions are also called differentially 2-uniform. It is clear that Equation (1) cannot have just one solution in even characteristic: for any solution $x_0$, there is a corresponding solution $x_0 + q$. In odd characteristic, however, it is possible to have functions permitting just one solution of the equation for all $p, q \in L$, $q \neq 0$. Such functions are called perfect nonlinear.

Definition 1. The Walsh transform of $f$ at $(a, b)$ is defined by
$$f^W(a, b) := \sum_{x \in L} (-1)^{\mathrm{Tr}(ax + bf(x))},$$
for each $a, b \in L$.

Research supported by the Irish Research Council for Science, Engineering and Technology Postdoctoral Fellowship. Research supported by the Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 72–79, 2007.
© Springer-Verlag Berlin Heidelberg 2007
Determining the Nonlinearity of a New Family of APN Functions 73

The Walsh transform of $f(x)$ at $(a, b)$ is the discrete binary Fourier transform of $g(x) = (-1)^{\mathrm{Tr}(bf(x))}$ at $a$. The Walsh spectrum of $f$ is the set
$$\Lambda_f := \{ f^W(a, b) : a, b \in L, b \neq 0 \}.$$
A quantity related to the Walsh spectrum is the nonlinearity of $f$, defined as
$$NL(f) := 2^{n-1} - \frac{1}{2} \max\{ |f^W(a, b)| : a, b \in L, b \neq 0 \}.$$
If $n$ is odd and $\Lambda_f = \{0, \pm 2^{\frac{n+1}{2}}\}$, then the function has the largest possible nonlinearity $2^{n-1} - 2^{\frac{n-1}{2}}$, and we say that $f$ is almost bent (AB) or maximally nonlinear. When $n$ is odd, every AB function on $L$ is also APN [7]. If $f$ is quadratic (so that each of its exponents is of the form $2^i + 2^j$ for some integers $i, j$) and $f$ is also APN, then, for $n$ odd, $f$ is necessarily an AB function [6]. However, for a quadratic APN function defined on a field of even degree, the APN property does not determine its nonlinearity.

Vectorial Boolean functions used as S-boxes in block ciphers must have high nonlinearity and low differential uniformity in order to be resistant to linear [7] and differential [11] cryptanalysis. The AES (advanced encryption standard) uses a differentially 4-uniform function on eight variables called the inverse function. Defined on a field of odd degree this function is APN; however, for implementation reasons S-boxes use functions defined on an even number of variables. In AES, the inverse function was chosen above the possible APN functions as it is a permutation, and at present there are no known APN permutations defined on fields of even degree. This function also has the best known nonlinearity for vectorial functions on an even number of variables, that is $2^{n-1} - 2^{\frac{n}{2}}$.
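The quantities just defined, differential uniformity from Equation (1) and the Walsh spectrum and nonlinearity from Definition 1, can be computed directly for small fields. The following Python script is an added example and is not part of the paper: it implements multiplication and the absolute trace in $GF(2^n)$, tabulates a function $f : L \to L$, measures its differential uniformity, and obtains $\Lambda_f$ and $NL(f)$ with a fast Walsh-Hadamard transform. One simplification is mine: the component $\mathrm{Tr}(ax)$ of the exponent is replaced by the bit-wise dot product $a \cdot x$. Since $a \mapsto \mathrm{Tr}(a\,\cdot)$ runs over every linear functional on $L$ exactly once, this only permutes the index $a$ and leaves the set $\Lambda_f$ and $NL(f)$ unchanged. The reduction polynomials ($x^5 + x^2 + 1$, $x^6 + x + 1$ and the AES polynomial $x^8 + x^4 + x^3 + x + 1$) and all helper names are my choices. The script checks the Gold function $x^3$ on $GF(2^5)$ (APN and AB) and on $GF(2^6)$ (APN with nonlinearity $2^{n-1} - 2^{n/2}$), and the AES inverse function $x^{254}$ on $GF(2^8)$ (differentially 4-uniform, nonlinearity 112).

```python
# Added example (not from the paper): differential uniformity, Walsh spectrum and
# nonlinearity of a function f: GF(2^n) -> GF(2^n), given as a lookup table.


def gf_mul(a, b, n, poly):
    """Multiply in GF(2^n) = GF(2)[x]/(poly); `poly` includes the x^n term."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r


def gf_trace(x, n, poly):
    """Absolute trace Tr(x) = x + x^2 + ... + x^(2^(n-1)), an element of {0, 1}."""
    t, y = 0, x
    for _ in range(n):
        t ^= y
        y = gf_mul(y, y, n, poly)
    return t


def gf_pow(x, e, n, poly):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x, n, poly)
        x = gf_mul(x, x, n, poly)
        e >>= 1
    return r


def power_function(e, n, poly):
    """Lookup table of x -> x^e over GF(2^n)."""
    return [gf_pow(x, e, n, poly) for x in range(1 << n)]


def differential_uniformity(table):
    """max over q != 0 and p of #{x : f(x + q) + f(x) = p}, Equation (1) with + = XOR."""
    size, best = len(table), 0
    for q in range(1, size):
        counts = {}
        for x in range(size):
            p = table[x] ^ table[x ^ q]
            counts[p] = counts.get(p, 0) + 1
        best = max(best, max(counts.values()))
    return best


def fwht(values):
    """Fast Walsh-Hadamard transform: returns sum_x values[x] (-1)^(a.x) for every a."""
    v, h = list(values), 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    return v


def walsh_spectrum(table, n, poly):
    """Lambda_f = { f^W(a, b) : b != 0 } with f^W(a, b) = sum_x (-1)^(Tr(b f(x)) + a.x);
    the dot product a.x replaces Tr(ax), which permutes a but not the value set."""
    size = 1 << n
    tr = [gf_trace(y, n, poly) for y in range(size)]
    spectrum = set()
    for b in range(1, size):
        signs = [-1 if tr[gf_mul(b, table[x], n, poly)] else 1 for x in range(size)]
        spectrum.update(fwht(signs))
    return spectrum


def nonlinearity(table, n, poly):
    """NL(f) = 2^(n-1) - (1/2) max |f^W(a, b)| over b != 0 (the maximum is always even)."""
    return (1 << (n - 1)) - max(abs(v) for v in walsh_spectrum(table, n, poly)) // 2


# Reduction polynomials (my choice): x^5+x^2+1, x^6+x+1, and the AES x^8+x^4+x^3+x+1.
GF32, GF64, GF256 = 0b100101, 0b1000011, 0b100011011


def report(name, table, n, poly):
    du = differential_uniformity(table)
    return {"name": name, "n": n, "uniformity": du, "APN": du == 2,
            "spectrum": sorted(walsh_spectrum(table, n, poly)),
            "nonlinearity": nonlinearity(table, n, poly)}


if __name__ == "__main__":
    print(report("Gold x^3 on GF(2^5)", power_function(3, 5, GF32), 5, GF32))
    print(report("Gold x^3 on GF(2^6)", power_function(3, 6, GF64), 6, GF64))
    print(report("AES inverse x^254 on GF(2^8)", power_function(254, 8, GF256), 8, GF256))
```

On $GF(2^5)$ the script reports uniformity 2 and spectrum $\{0, \pm 8\}$, i.e. $NL = 16 - 4 = 12$, the AB value $2^{n-1} - 2^{(n-1)/2}$; on $GF(2^6)$ it reports uniformity 2 with the five-valued Gold spectrum $\{0, \pm 8, \pm 16\}$ and $NL = 24 = 2^{n-1} - 2^{n/2}$; for the AES inverse function it reports uniformity 4 and $NL = 112$. The same `report` can be run on the polynomial $F(x)$ of Equation (2) below once its coefficients are fixed, since only the lookup table enters.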
Carlet-Charpin-Zinoviev (CCZ) equivalence, introduced in [6], is a standard
measure to determine whether or not two APN functions are essentially the
same. This relation generalizes extended affine (EA) equivalence. A pair of CCZ
equivalent functions have the same resistance to linear and differential crypt-
analysis. A family of APN functions is determined to be new if its members are
CCZ inequivalent to functions of any previously known family.
Until recently, all known APN functions had been found to be EA equivalent
to one of a short list of monomial functions, namely the Gold, Kasami-Welch,
inverse, Welch, Niho and Dobbertin functions. For some time it was conjectured
that this list was the complete list of APN functions up to EA equivalence. The
Gold and Kasami-Welch functions are APN on fields of even and odd degree.
When the field has even degree both these functions have the same nonlinearity
as the inverse function.
In 2006, new examples of APN functions began to appear in the literature. In [10] the function $x^3 + \theta x^{36}$, with $\theta$ having order 3, was shown to be APN on $GF(2^{10})$ and CCZ inequivalent to any power mapping. This function has not been generalised to an infinite family. An infinite family of APN binomials on fields $GF(2^n)$, where $n$ is divisible by 3 but not 9, was presented in [2] and shown to be EA inequivalent to any power mapping, and CCZ inequivalent to the Gold, Kasami-Welch, inverse and Dobbertin functions in [3].
74 C. Bracken et al.

It is shown in [4] that if the Walsh spectrum of a quadratic APN function is
limited to the five values $\{0, \pm 2^{n/2}, \pm 2^{(n+2)/2}\}$, then the distribution of these values
is the same as the Gold function. Not all quadratic APN functions have this
property: a counterexample is given in [9]. Let $u$ be primitive in $GF(2^6)$. Then
$$g(x) = x^3 + u^{11}x^5 + u^{13}x^9 + x^{17} + u^{11}x^{33} + x^{48}$$
is a quadratic APN function on $GF(2^6)$ whose Walsh transform takes 7 distinct
values.
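As an added check of the facts quoted in this introduction (Python written for this edition, not code from the paper), the script below computes the Walsh spectrum, the nonlinearity and the differential uniformity of a function on $GF(2^6)$ by brute force: the Gold function $x^3$ comes out APN with the five-valued spectrum $\{0, \pm 8, \pm 16\}$, and the inverse function comes out differentially 4-uniform with nonlinearity $2^{n-1} - 2^{n/2} = 24$, as stated above for even $n$. The defining polynomial $x^6 + x + 1$ is an assumption of the example.

```python
"""Walsh spectrum and differential uniformity of a vectorial Boolean function on GF(2^n).

Added example, not code from the paper.  The field GF(2^6) is built modulo
x^6 + x + 1 (an assumption; any irreducible degree-6 polynomial would do).
"""
N = 6
MODULUS = 0b1000011          # x^6 + x + 1 over GF(2)
Q = 1 << N                   # field size 2^n


def gf_mul(a, b):
    """Multiply in GF(2^N); an element is an int whose bit i is the coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:            # reduce modulo the defining polynomial
            a ^= MODULUS
    return r


def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^N)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


MUL = [[gf_mul(a, b) for b in range(Q)] for a in range(Q)]   # multiplication table


def trace(x):
    """Absolute trace Tr(x) = x + x^2 + ... + x^(2^(N-1)), an element of GF(2)."""
    t, y = 0, x
    for _ in range(N):
        t ^= y
        y = MUL[y][y]
    return t


TR = [trace(x) for x in range(Q)]


def gold(x):
    return gf_pow(x, 3)          # Gold function x^(2^i + 1) with i = 1


def inverse(x):
    return gf_pow(x, Q - 2)      # x^(-1), with 0 mapped to 0 as in AES


def walsh_spectrum(F):
    """Set of Walsh values W_F(a, b) = sum_x (-1)^Tr(ax + bF(x)) over all a and nonzero b."""
    table = [F(x) for x in range(Q)]
    values = set()
    for b in range(1, Q):
        bF = [MUL[b][fx] for fx in table]
        for a in range(Q):
            row = MUL[a]
            s = 0
            for x in range(Q):
                s += -1 if TR[row[x] ^ bF[x]] else 1
            values.add(s)
    return values


def nonlinearity(F):
    """nl(F) = 2^(n-1) - max|W_F(a,b)| / 2, the distance to the affine functions."""
    return (Q >> 1) - max(abs(w) for w in walsh_spectrum(F)) // 2


def differential_uniformity(F):
    """max over nonzero a and all b of #{x : F(x + a) + F(x) = b}; 2 means APN."""
    table = [F(x) for x in range(Q)]
    worst = 0
    for a in range(1, Q):
        counts = {}
        for x in range(Q):
            d = table[x ^ a] ^ table[x]
            counts[d] = counts.get(d, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst


if __name__ == "__main__":
    for name, F in (("Gold x^3", gold), ("inverse x^-1", inverse)):
        print(name, "uniformity", differential_uniformity(F),
              "nonlinearity", nonlinearity(F), "spectrum", sorted(walsh_spectrum(F)))
```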
In [1] two new APN families are presented, one a trinomial which generalizes
the binomial from [2] and the other a multiterm polynomial defined on all fields
of degree divisible by 2 but not 4. In this article we show that the second of these
two new functions has the same Walsh spectrum (and indeed the same spectral
distribution) as a Gold function.

2 A New Family of APN Functions

Let $k, s$ be a pair of odd relatively prime integers. In [1] the following quadratic
function was shown to be APN over the field $GF(2^{2k})$:
$$F(x) := \alpha x^{2^s+1} + \alpha^{2^k} x^{2^{k+s}+2^k} + \beta x^{2^k+1} + \sum_{i=1}^{k-1} \gamma_i x^{2^{k+i}+2^i}, \qquad (2)$$
where $\alpha$ and $\beta$ are primitive elements of $GF(2^{2k})$ and $\gamma_i \in GF(2^k)$ for each $i$.
Observe that since GF (22k ) has even degree, the Walsh spectrum of F is not
determined even though it is APN. Our main result is that F has the same
Walsh spectrum as a Gold function. Before we compute the Walsh spectrum of
this family of functions we need the following lemma and its corollary. While
both of these results are well-known, we include proofs here for the convenience
of the reader.
Let K be a field and let H1 , H2 be extensions of K that are both subfields of a
field extension M of K. We say that H1 is linearly disjoint from H2 over K if any
set of K-linearly independent elements of H1 forms a H2 -linearly independent
set in M .
Lemma 1. Let n, s be positive integers satisfying (n, s) = 1. Let K be a field
and let H1 , H2 be finite extensions of K of degrees n and s respectively. Let M
be the compositum of H1 and H2 . Then H1 and H2 are linearly disjoint over K.

Proof. Let $S = \{c_1, \ldots, c_t\}$ be a set of $K$-linearly independent elements of $H_1$.
We'll show that $S$ is linearly independent in $M$ over $H_2$.
Let $\{a_1, \ldots, a_n\}$ be a $K$-basis of $H_1$ and let $\{b_1, \ldots, b_s\}$ be a $K$-basis of $H_2$. Then
the set $\{a_i \cdot b_j \mid 1 \le i \le n,\ 1 \le j \le s\}$ generates $M$ as a vector space over $K$. It is
clear that the set $\{a_1 \cdot b_1, \ldots, a_n \cdot b_1\}$ generates $M$ as a vector space over the field
$H_2$, and hence $[M : H_2] \le n$. On the other hand, since $(n, s) = 1$, $[M : H_2] = n$.
Moreover, without loss of generality we may assume that $b_1 = 1$, from which we
conclude that $\{a_1, \ldots, a_n\}$ is a basis of $M$ over $H_2$.
Now extend $S$ to a basis $\{c_1, \ldots, c_t, \ldots, c_n\}$ of $H_1$ over $K$. Since this set forms an
$H_2$-basis of $M$, its subset $\{c_1, \ldots, c_t\}$ is a fortiori linearly independent over $H_2$. □


Corollary 1. Let $d, n, s$ be positive integers satisfying $(n, s) = 1$ and let
$$g(x) = \sum_{i=0}^{d} r_i x^{2^{si}} \in L[x].$$
Then the equation $g(x) = 0$ has at most $2^d$ solutions in $L$.

Proof. Let $V$ denote the set of zeroes of $g(x)$ in $L$. We may assume that $V \ne \{0\}$.
Since $g(x)$ is a linearized polynomial, $V$ is a vector space over $GF(2)$ of finite
dimension $v$ for some positive integer $v$. Let $V' \subset GF(2^{sn})$ denote the vector
space generated by the elements of $V$ over the field $GF(2^s)$. Since $(n, s) = 1$, by
Lemma 1, $V'$ is a $v$-dimensional vector space over $GF(2^s)$. Furthermore, for all
$c \in GF(2^s)$ and $w \in GF(2^{sn})$ we have $g(cw) = cg(w)$. Therefore all the elements
of $V'$ are also solutions of $g(x) = 0$. Since the dimension of $V$ over $GF(2)$ is $v$,
the size of $V'$ is $2^{sv}$ and it follows that there are at least $2^{sv}$ zeroes of $g(x)$ in
$GF(2^{sn})$. On the other hand, a polynomial of degree $2^{ds}$ can have at most $2^{ds}$
zeroes. We conclude that $v \le d$. □


We now prove our main result.

Theorem 1. Let $n = 2k$ and let $F(x)$ be defined on $L = GF(2^{2k})$ as in (2).
The Walsh spectrum of $F(x)$ is $\{0, \pm 2^{n/2}, \pm 2^{(n+2)/2}\}$.

Proof. By definition, we have
$$F^W(a, b) = \sum_{x \in L} (-1)^{Tr(ax + bF(x))}.$$
Its square is given by
$$|F^W(a, b)|^2 = \sum_{x \in L} \sum_{u \in L} (-1)^{Tr(ax + bF(x) + a(x+u) + bF(x+u))}.$$
An explicit representation of $F(x)$ in the first of these expressions gives
$$F^W(a, b) = \sum_{x \in L} (-1)^{Tr\left(ax + b\left(\alpha x^{2^s+1} + \alpha^{2^k}x^{2^{k+s}+2^k} + \beta x^{2^k+1} + \sum_i \gamma_i x^{2^{k+i}+2^i}\right)\right)}.$$
Using the fact that $Tr(\theta) = Tr(\theta^2)$ for any $\theta \in L$, this can be written as
$$F^W(a, b) = \sum_{x \in L} (-1)^{Tr\left(ax + (b + b^{2^k})\alpha x^{2^s+1} + \left(b\beta + \sum_i b^{2^{-i}}\gamma_i^{2^{-i}}\right)x^{2^k+1}\right)}.$$
Therefore, the square is given by
$$|F^W(a, b)|^2 = \sum_{u \in L} (-1)^{Tr(au + bF(u))} \sum_{x \in L} (-1)^{Tr(x L_b(u))},$$
where
$$L_b(u) = c u^{2^s} + c^{2^{-s}} u^{2^{-s}} + e u^{2^k}$$
for $c = (b + b^{2^k})\alpha$ and $e = b\beta + b^{2^k}\beta^{2^k} + \sum_i \left(b^{2^{-i}}\gamma_i^{2^{-i}} + b^{2^{k-i}}\gamma_i^{2^{k-i}}\right)$. First we
make some observations about the coefficients of this equation. As $e = e^{2^k}$, we
can say that $e \in GF(2^k)$. Note also that as $k$ is odd, all elements of $GF(2^k)$
are cubes in $L$. It is clear that $b + b^{2^k} \in GF(2^k)$ and is therefore a cube. If
$b \notin GF(2^k)$ then $c = (b + b^{2^k})\alpha$ and hence $c$ is not a cube since $\alpha$ is primitive.
On the other hand, if $b \in GF(2^k)$ then $c = 0$.
Recall that for any character $\chi$ of a group $G$, we have
$$\sum_{g \in G} \chi(g) = \begin{cases} |G| & \text{if } \chi \text{ is trivial} \\ 0 & \text{otherwise.} \end{cases} \qquad (3)$$
We apply this simple principle twice here. First note that for any $R \in L$, $x \mapsto (-1)^{Tr(Rx)}$ is a character of $L$, which gives
$$\sum_{x \in L} (-1)^{Tr(Rx)} = \begin{cases} 2^n & \text{if } R = 0 \\ 0 & \text{otherwise,} \end{cases}$$
and hence
$$|F^W(a, b)|^2 = 2^n \sum_{u \in K_b} (-1)^{Tr(au + bF(u))},$$
where $K_b$ is the kernel of $L_b(u)$. Secondly, it is easy to verify that
$$\chi_{a,b} : u \mapsto (-1)^{Tr(au + bF(u))}$$
is a character of $K_b$, from which we deduce that
$$|F^W(a, b)|^2 = \begin{cases} 2^n |K_b| & \text{if } \chi_{a,b}(u) = 1\ \forall\, u \in K_b \\ 0 & \text{otherwise.} \end{cases} \qquad (4)$$
Furthermore, as $n$ is even and $|F^W(a, b)|$ is an integer, we know that $|K_b|$ must
be an even power of 2. Therefore, in order to demonstrate that $F(x)$ has a five
valued spectrum, we need only to show that $|K_b| < 16$.
First we demonstrate that $L_b(u) = cu^{2^s} + c^{2^{-s}}u^{2^{-s}} + eu^{2^k}$ has no more than
4 zeroes when either $c$ or $e$ is zero. If $c = (b + b^{2^k})\alpha = 0$ then $b \in GF(2^k)$ and
hence
$$e = b\beta + b^{2^k}\beta^{2^k} + \sum_{i=0}^{k-1}\left(b^{2^{-i}}\gamma_i^{2^{-i}} + b^{2^{k-i}}\gamma_i^{2^{k-i}}\right)
= b(\beta + \beta^{2^k}) + \sum_{i=0}^{k-1} b^{2^{-i}}\left(\gamma_i^{2^{-i}} + \gamma_i^{2^{k-i}}\right) = b(\beta + \beta^{2^k}),$$
since $\gamma_i \in GF(2^k)$ for each $i$. Then $e \ne 0$ since otherwise $\beta \in GF(2^k)$, contradicting our choice of $\beta$ as primitive in $L$. Then $L_b(u) = eu^{2^k}$, which has only
$u = 0$ as a root.
Now suppose $e = 0$. Then $c \ne 0$ and $L_b(u) = cu^{2^s} + c^{2^{-s}}u^{2^{-s}}$. Then $L_b(u) = 0$
implies $c^{2^s}u^{2^{2s}} + cu = 0$. As $(s, n) = 1$, this has no more than 4 solutions by
Corollary 1.
We now assume that both $c$ and $e$ are non-zero. Let $u$ be an arbitrary nonzero
element of $K_b$. Consider
$$uL_b(u) = cu^{2^s+1} + c^{2^{-s}}u^{2^{-s}+1} + eu^{2^k+1} = 0.$$
It is clear that $eu^{2^k+1} \in GF(2^k)$. Hence $L_b(u) = 0$ implies $cu^{2^s+1} + c^{2^{-s}}u^{2^{-s}+1} \in GF(2^k)$ and that
$$cu^{2^s+1} + c^{2^{-s}}u^{2^{-s}+1} = c^{2^k}u^{2^{k+s}+2^k} + c^{2^{k-s}}u^{2^{k-s}+2^k}.$$
Rearranging the terms gives
$$cu^{2^s+1} + c^{2^k}u^{2^{k+s}+2^k} = \left(cu^{2^s+1} + c^{2^k}u^{2^{k+s}+2^k}\right)^{2^{-s}}.$$
Then $cu^{2^s+1} + c^{2^k}u^{2^{k+s}+2^k} \in GF(2^s)$ and as $s$ and $n$ are relatively prime, we
have $cu^{2^s+1} + c^{2^k}u^{2^{k+s}+2^k} \in GF(2)$. If $cu^{2^s+1} + c^{2^k}u^{2^{k+s}+2^k} = 0$, then $cu^{2^s+1} \in GF(2^k)$, which implies it is a cube in $GF(2^{2k})$. However, $u^{2^s+1}$ is a cube (as $s$
is odd), which means $c$ must be a cube (when $u \ne 0$), contradicting an earlier
claim. Therefore, we may assume that $u$ is a nonzero element of $K_b$ if and only
if it is a root of
$$G(u) := cu^{2^s+1} + c^{2^k}u^{2^{k+s}+2^k} + 1.$$
The following trick, taken from [8], is useful when dealing with an expression
that contains non-linear terms but is known to have a solution set that forms
an additive group. It exploits the fact that the term $cu^{2^s}$ in $u^{-1}G(u)$ is a linear
power and will therefore cancel in the computations. Now choose some fixed
nonzero $v \in K_b$ that is different from $u$ and consider the expression
$$uv(u+v)\left(u^{-1}G(u) + v^{-1}G(v) + (u+v)^{-1}G(u+v)\right) = 0,$$
which is equal to
$$c^{2^k}\left(u^{2^k}v + v^{2^k}u\right)\left(u^{2^{k+s}}v + v^{2^{k+s}}u\right) + u^2 + v^2 + uv = 0. \qquad (5)$$
For fixed nonzero $v \ne u$ in $K_b$, the expression on the left in (5) is a polynomial
in the indeterminate $u$, whose set of zeroes $S$ contains $K_b$. Let $u = vw$ and divide
(5) by $v^2$ to obtain
$$c^{2^k}v^{2^{k+s}+2^k}\left(w + w^{2^{k+s}}\right)\left(w + w^{2^k}\right) + w^2 + w + 1 = 0. \qquad (6)$$
Observe that there is a one-to-one correspondence between the solution set $v^{-1}S$
of (6) and the solution set $S$ of (5). We will obtain an upper bound on the size
of $v^{-1}S$ in $L$ and hence on $|K_b|$.
If $w_0 \in GF(2^k)$ is a solution to (6) then substituting $w_0^{2^k} = w_0$ in (6) gives
$w_0^2 + w_0 + 1 = 0$, in which case $w_0 \in GF(4) \setminus GF(2)$. Since $k$ is odd, this
means $w_0 \notin GF(2^k)$, giving a contradiction. It follows that any solution $w$ to
(6) satisfies $w + w^{2^k} \ne 0$.
Raising (6) to the $2^k$-th power and adding it to (6) we get
$$\left(w + w^{2^k}\right)\left(cv^{2^s+1}\left(w^{2^s} + w^{2^k}\right) + c^{2^k}v^{2^{k+s}+2^k}\left(w + w^{2^{k+s}}\right)\right) + \left(w + w^{2^k}\right)^2 + \left(w + w^{2^k}\right) = 0. \qquad (7)$$
The assumption $w + w^{2^k} \ne 0$ means we can divide (7) by $w + w^{2^k}$ to get
$$cv^{2^s+1}\left(w^{2^s} + w^{2^k}\right) + c^{2^k}v^{2^{k+s}+2^k}\left(w + w^{2^{k+s}}\right) + \left(w + w^{2^k}\right) + 1 = 0. \qquad (8)$$
As $v \in K_b$, it obeys the expression $G(v) = cv^{2^s+1} + c^{2^k}v^{2^{k+s}+2^k} + 1 = 0$, and so
(8) becomes
$$cv^{2^s+1}\left(w + w^{2^s}\right) + c^{2^k}v^{2^{k+s}+2^k}\left(w^{2^k} + w^{2^{k+s}}\right) + 1 = 0. \qquad (9)$$

Any element of $v^{-1}S$ is a solution of (9), so an upper bound on the size of the
solution set of (9) will give an upper bound on the size of $K_b$.
Now return to our original equation $L_b(u) = 0$ and replace $u$ with $vw$ to get
$$L_b(vw) = cv^{2^s}w^{2^s} + c^{2^{-s}}v^{2^{-s}}w^{2^{-s}} + ev^{2^k}w^{2^k} = 0. \qquad (10)$$
From this we derive two equations. First, a simple rearrangement of (10) gives
$$w^{2^k} = e^{-1}\left(cv^{2^s - 2^k}w^{2^s} + c^{2^{-s}}v^{2^{-s} - 2^k}w^{2^{-s}}\right). \qquad (11)$$
Next take (11) to the power of $2^s$ to get
$$w^{2^{k+s}} = e^{-2^s}\left(c^{2^s}v^{2^{2s} - 2^{k+s}}w^{2^{2s}} + cv^{1 - 2^{k+s}}w\right). \qquad (12)$$
Substituting the expressions of $w^{2^k}$ and $w^{2^{k+s}}$ given by (11) and (12) respectively, into (9), we obtain the following:
$$cv^{2^s+1}\left(w + w^{2^s}\right) + c^{2^k}v^{2^{k+s}+2^k}\Big(e^{-1}\left(cv^{2^s - 2^k}w^{2^s} + c^{2^{-s}}v^{2^{-s} - 2^k}w^{2^{-s}}\right) + e^{-2^s}\left(c^{2^s}v^{2^{2s} - 2^{k+s}}w^{2^{2s}} + cv^{1 - 2^{k+s}}w\right)\Big) + 1 = 0.$$
Take a $2^s$-th power of this equation to obtain an equation of the form
$$r_0 w + r_1 w^{2^s} + r_2 w^{2^{2s}} + r_3 w^{2^{3s}} + 1 = 0,$$
which has the same number of solutions as there are zeroes of the linearized
polynomial
$$r_0 w + r_1 w^{2^s} + r_2 w^{2^{2s}} + r_3 w^{2^{3s}}. \qquad (13)$$
Since, for example,
$$r_0 = c^{2^{k+s}+1}\, e^{-2^s}\, v^{2^{k+2s} - 2^{k+s} + 1} \ne 0,$$
for nonzero $c$, $e$ and $v$, the polynomial in (13) is not identically zero. Then by
Corollary 1, (13) can have no more than eight zeroes in $w$. Furthermore, as $|K_b|$
must be an even power of 2, it follows that $|K_b| \le 4$ and we conclude from (4)
that $F^W(a, b) \in \{0, \pm 2^{n/2}, \pm 2^{(n+2)/2}\}$. □

Recall that if the Walsh spectrum of a quadratic APN function is limited to the
five values $\{0, \pm 2^{n/2}, \pm 2^{(n+2)/2}\}$, then the distribution of these values is the same as
the Gold function. We therefore have the following immediate corollary to our
theorem.
Corollary 2. Let $F(x)$ be defined as in (2). Then the Walsh spectrum of $F(x)$
has the same distribution as the Gold function.
This is equivalent to saying that exactly $\frac{2}{3}(2^n - 1)$ of the Boolean functions
$Tr(bF(x))$ are bent, the fewest number possible.

References
1. Bracken, C., Byrne, E., Markin, N., McGuire, G.: New Families of Quadratic Al-
most Perfect Nonlinear Trinomials and Multinomials (preprint, 2007)
2. Budaghyan, L., Carlet, C., Felke, P., Leander, G.: An Infinite Class of Quadratic
APN Functions Which Are Not Equivalent to Power Mappings. In: 2006 IEEE
International Symposium on Information Theory, IEEE Press, New York (2006)
3. Budaghyan, L., Carlet, C., Leander, G.: A Class of Quadratic APN Binomials
Inequivalent to Power Functions (preprint, 2007)
4. Carlet, C.: Vectorial Boolean Functions for Cryptography. In: Hammer, P., Crama,
Y. (eds.) Boolean methods and models, Cambridge University Press, Cambridge
5. Canteaut, A., Charpin, P., Dobbertin, H.: Weight Divisibility of Cyclic Codes,
Highly Nonlinear Functions on GF (2m ) and Crosscorrelation of Maximum-Length
Sequences. SIAM J. Discrete Mathematics 13(1), 105–138 (2000)
6. Carlet, C., Charpin, P., Zinoviev, V.: Codes, Bent Functions and Permutations
Suitable for DES-Like Cryptosystems. Designs, Codes and Cryptography 15(2),
125–156 (1998)
7. Chabaud, F., Vaudenay, S.: Links Between Differential and Linear Cryptanalysis.
In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 356–365. Springer,
Heidelberg (1995)
8. Dobbertin, H.: Another Proof of Kasami’s Theorem. Designs, Codes and Cryptog-
raphy 17, 177–180 (1999)
9. Dillon, J.: Polynomials over Finite Fields and Applications. Slides from talk given
at Banff International Research Station (2006)
10. Edel, Y., Kyureghyan, G., Pott, A.: A New APN Function Which is not Equivalent
to a Power Mapping. IEEE Trans. Inform. Theory 52(2), 744–747 (2006)
11. Nyberg, K.: Differentially Uniform Mappings for Cryptography. In: Helleseth, T.
(ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)
An Improvement of Tardos’s Collusion-Secure
Fingerprinting Codes with Very Short Lengths

Koji Nuida (1), Satoshi Fujitsu (2), Manabu Hagiwara (1), Takashi Kitagawa (1),
Hajime Watanabe (1), Kazuto Ogawa (2), and Hideki Imai (1,3)

(1) Research Center for Information Security (RCIS), National Institute of Advanced
Industrial Science and Technology (AIST); Akihabara-Daibiru Room 1102, 1-18-13
Sotokanda, Chiyoda-ku, Tokyo 101-0021, Japan
{k.nuida, hagiwara.hagiwara, t-kitagawa, h-watanabe, h-imai}@aist.go.jp
(2) Science & Technical Research Laboratories, Japan Broadcasting Corporation
(NHK); 1-10-11 Kinuta, Setagaya-ku, Tokyo 157-8510, Japan
{fujitsu.s-hc, ogawa.k-cm}@nhk.or.jp
(3) Faculty of Science and Engineering, Chuo University
1-13-27 Kasuga, Bunkyo-ku, Tokyo 112-8551, Japan

Abstract. The code length of Tardos's collusion-secure fingerprinting
code (STOC'03) is of theoretically minimal order with respect to the
number of malicious users (pirates); however, the constant factor should
be further reduced for practical implementation. In this paper we give a
collusion-secure fingerprinting code by mixing two recent improvements
of Tardos code and modifying their pirate-tracing algorithms. Our code
length is significantly shorter than Tardos code, especially in the case
of fewer pirates. For example, the ratio of our length relative to Tardos
code in some practical situation with 4 pirates is 4.33%, while the lowest
among the preceding codes in this case (Škorić et al., 2007) is 9.87%.

1 Introduction

Recent developments in computer and network technologies have rapidly increased
the trade in digital contents. This has increased not only the convenience for both
contents servers and users, but also the risk of the contents being illegally copied
and redistributed without permission. Although many DRM technologies have
been introduced so far, most of them prevent copying of contents even by legitimate
users, so they may decrease the convenience for innocent users too much.
Fingerprinting codes are a technology that is hoped to be an alternative solution.
It does not prevent an innocent user from copying his contents for his own use,
while any malicious user (called a pirate) who illegally redistributes his contents
will be detected from the fingerprinting codeword embedded into each content
by the contents server beforehand. However, even if each codeword is embedded
so as to be unrecognizable by a single user, there exists a strong collusion attack
by two or more pirates [1]; they can recognize parts of the embedded codewords
from differences of their contents and then modify or erase these parts. Thus any
practical fingerprinting code should be prudently designed and be equipped with
a tracing algorithm, which can detect at least one pirate even from the modified
codeword (called a pirated codeword). A fingerprinting code is called c-secure
with ε-error if the tracing algorithm fails (i.e. detects either no pirate or some
innocent user) with probability at most ε when there are up to c pirates.

This study has been sponsored by the Ministry of Economy, Trade and Industry,
Japan (METI) under contract, New-generation Information Security R&D Program.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 80–89, 2007.
© Springer-Verlag Berlin Heidelberg 2007
Tardos [9] recently gave a uniform construction of c-secure codes (Tardos
codes) for all c, whose code length is of theoretically minimal order with respect
to c. There have been several variants and improvements of Tardos codes, e.g.
[2,3,5,6,7,8]. Their common idea in the tracing algorithm is to first assign a
"score" to each user, which measures how similar his codeword is to the pirated
codeword, and then output as pirates all users whose score exceeds a suitably
determined threshold. However, such a scheme seems not to be optimal: if
the score of a pirate is much higher than the threshold and that of an innocent
user is only slightly higher than the threshold, then the latter user is also accused,
though the most suspicious user is obviously the former.
In this paper, we modify such a tracing algorithm so that it outputs just the one user
with the highest score instead. Then we investigate sufficient code lengths to make
our code c-secure with ε-error; e.g. in some practical setting, it is about 3.01%
of the length of Tardos code for c = 2 and 4.33% of Tardos code for c = 4 (Table 4).
Our numerical examples show that our code lengths are significantly shorter
than the preceding improvements of Tardos code.
This paper is organized as follows. Section 2 summarizes our model for fingerprinting codes, with a slightly weaker version of the widely adopted Marking
Assumption (cf. [1]), and the construction of Tardos codes. Section 3 gives our code
construction, which is a mixture of [7] and [8], and the aforementioned tracing algorithm. Section 3 also gives a bound on the tracing error probability and a formula for
code lengths. Section 4 shows some numerical examples and a comparison of code
lengths with Tardos code and preceding improvements. Finally, an appendix at
the end of this paper is devoted to the proof of our main results.

2 Preliminary
2.1 Our Model for Fingerprinting Codes
In our model, a contents server embeds a binary codeword $w_i = (w_{i,1}, \ldots, w_{i,m})$
of length m into the content distributed to the i-th user $u_i$. When a pirated content
involving a pirated codeword $y = (y_1, \ldots, y_m)$ is found, the contents server performs
some tracing algorithm with y and all the codewords $w_i$ as input for detecting
the pirates. It should be designed to decrease as much as possible the tracing
error probability, i.e. the probability that either no pirate or some innocent user
is detected. Note that it is possible for some bits in y to be undecodable; such
bits are denoted by '?'.
If there are two or more pirates, they can recognize some parts of the embedded codewords by finding differences of their contents, and then modify or erase
codewords in these positions by a certain strategy. Here we put the following two
assumptions on the pirates' strategy:

δ-Marking Assumption. The number of positions $1 \le j \le m$ with $w_{1,j} = w_{2,j} = \cdots = w_{\ell,j}$ (such positions are called undetectable; where $w_1, \ldots, w_\ell$
are the pirates' codewords) and $y_j \ne w_{1,j}$ does not exceed $m\delta$.
Pirates' Knowledge. Pirates have no knowledge about innocent (non-pirate)
users' codewords; so y is chosen independently of those codewords.
Remark 1. Our δ-Marking Assumption is a relaxation of the classical Marking
Assumption [1] (corresponding to the case δ = 0). Our δ-Marking Assumption
allows some undetectable bits in y to be flipped or erased. This is motivated by
the difficulty of the Marking Assumption being satisfied in practical situations.
A fingerprinting code is called c-secure (with ε-error) if the tracing error probability does not exceed a negligibly small value ε whenever the number $\ell$ of pirates
is up to c, i.e. $\ell \le c$.

2.2 Essence of Tardos Code and Its Generalizations


Essences of the construction and tracing algorithms of c-secure Tardos codes [9]
and its generalizations [2,6,7] required here are summarized as follows. See the
references for details.
First, the contents server chooses the random values $p^{(j)}$, $0 < p^{(j)} < 1$, independently for every $1 \le j \le m$ according to a given probability distribution
$\mathcal{P}$ (referred to as the bias distribution). Tardos [9] used certain continuous bias
distributions, while those used in [2,6,7] are finite and symmetric, i.e. outputting
p and 1 − p with the same probability. In this paper we follow the latter choice.
The resulting sequence $P = (p^{(1)}, \ldots, p^{(m)})$ should be stored and kept secret
throughout the construction and the pirate tracing process (pirates are allowed
to guess the values $p^{(j)}$ from their codewords and knowledge of the distribution
$\mathcal{P}$, but not to know the actual choices of $p^{(j)}$). Then, secondly, the server
chooses the bits $w_{i,j}$ of the codewords independently, in the following probabilistic
manner: $\Pr(w_{i,j} = 1) = p^{(j)}$ and $\Pr(w_{i,j} = 0) = 1 - p^{(j)}$ for the j-th position, where
Pr denotes the probability.
In the tracing algorithm, the server computes a score $S_i$ of each user $u_i$ by
$$S_i = \sum_{j=1}^{m} S_i^{(j)},$$
where $S_i^{(j)} = \sigma(p^{(j)})$ if $(y_j, w_{i,j}) = (1, 1)$, $S_i^{(j)} = -\sigma(1 - p^{(j)})$
if $(y_j, w_{i,j}) = (1, 0)$ and $S_i^{(j)} = 0$ if $y_j \in \{0, ?\}$, with $\sigma(p) = \sqrt{(1 - p)/p}$. The
output of the tracing algorithm is the (possibly empty) set of all users $u_i$ with
$S_i \ge Z$, where Z is a suitably determined threshold parameter.

3 Our Contribution
3.1 Code Construction and Tracing Algorithm
Our c-secure fingerprinting code is constructed by slightly modifying the framework given in Sect. 2.2. First, we define the bias distribution $\mathcal{P} = \mathcal{P}_c$ as follows:

Definition 1. Let $L_k(t) = \left(\frac{d}{dt}\right)^k (t^2 - 1)^k / (k!\, 2^k)$ be the k-th Legendre polynomial, and $\widetilde{L}_k(t) = L_k(2t - 1)$. Then define $\mathcal{P}_{2k-1} = \mathcal{P}_{2k}$ to be the finite probability
distribution whose values are the k zeroes of $\widetilde{L}_k(t)$, with each value p taken with
probability $C \cdot \left(p(1 - p)\right)^{-3/2}\, \widetilde{L}_k'(p)^{-2}$, where C is the normalizing constant.

The above bias distribution was introduced in [6,7] for optimizing the memory
amount required to record the sequence P. Note that we would have to use some
approximation instead of the original $\mathcal{P}_c$ in practical implementation, since the
values of $\mathcal{P}_c$ and the corresponding probabilities are irrational numbers in general.
Secondly, the scoring rule in the tracing algorithm is modified as follows: the
bitwise score $S_i^{(j)}$ is left unchanged if $y_j = 1$, but it is changed in the case
$y_j \in \{0, ?\}$ so that $S_i^{(j)} = \sigma(1 - p^{(j)})$ if $w_{i,j} = 0$ and $-\sigma(p^{(j)})$ if $w_{i,j} = 1$. (Such a
"symmetric" scoring rule was introduced in [5,8] to reduce the lengths of Tardos
codes.) Again, we would have to use approximated values of these bitwise scores
in practical implementation.
Moreover, in contrast with the original tracing algorithm that outputs all users
with S ≥ Z, our tracing algorithm does not use the threshold Z and outputs
just one user whose score is the highest. (The way of choosing one user in the
case that two or more users have the same highest score may be arbitrary, since
it is not relevant to our security proof below.) Then a simple and easy argument
can prove the following fact, which assures the merit of our modification.
Proposition 1. The tracing error probability of our code with the modified trac-
ing algorithm (i.e. without threshold) does not exceed that with the original trac-
ing algorithm (i.e. using threshold).
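The construction of Sect. 2.2 together with the symmetric scoring rule and threshold-free tracing of Sect. 3.1, as an added Python simulation that is not the authors' code: codewords are drawn from the Table 1 bias distributions for c = 2 and c = 4, a constructed coalition obeying the classical Marking Assumption (δ = 0) forges y by majority vote, and the tracer accuses the single highest-scoring user. The coalition strategy, the user counts, the seeds and the use of the Table 4 code lengths are assumptions of the example.

```python
"""Simulation of the fingerprinting code of Sect. 2.2 and 3.1.

Added example, not the authors' code.  Bias values come from Table 1; the
majority-vote colluder strategy, user counts and seeds are constructed here.
"""
import math
import random

# Bias distributions P_c from Table 1 as (value p, probability q) pairs.
BIAS = {
    2: [(0.50000, 1.00000)],
    4: [(0.21132, 0.50000), (0.78868, 0.50000)],
}


def sigma(p):
    """sigma(p) = sqrt((1 - p) / p), the weight of a bitwise score."""
    return math.sqrt((1.0 - p) / p)


def generate_code(N, m, c, rng):
    """Secret bias vector P = (p^(1), ..., p^(m)) drawn from P_c, and N codewords
    with Pr(w_{i,j} = 1) = p^(j), drawn independently per user and position."""
    values, weights = zip(*BIAS[c])
    P = rng.choices(values, weights=weights, k=m)
    W = [[1 if rng.random() < pj else 0 for pj in P] for _ in range(N)]
    return P, W


def bitwise_score(y_j, w_ij, p_j):
    """Symmetric scoring rule of Sect. 3.1; '?' stands for an undecodable bit."""
    if y_j == 1:
        return sigma(p_j) if w_ij == 1 else -sigma(1.0 - p_j)
    return sigma(1.0 - p_j) if w_ij == 0 else -sigma(p_j)   # y_j in {0, '?'}


def score(y, w, P):
    """Total score S_i of a user with codeword w against the pirated word y."""
    return sum(bitwise_score(yj, wj, pj) for yj, wj, pj in zip(y, w, P))


def trace(y, W, P):
    """Threshold-free tracing: index of the user with the highest score."""
    scores = [score(y, w, P) for w in W]
    return max(range(len(W)), key=scores.__getitem__)


def collude_majority(pirate_words, rng):
    """Constructed coalition strategy satisfying the Marking Assumption:
    undetectable positions (all pirates agree) are copied, detectable ones
    are set to the majority bit, ties broken at random."""
    y = []
    for column in zip(*pirate_words):
        ones = sum(column)
        if ones in (0, len(column)):
            y.append(column[0])
        elif 2 * ones == len(column):
            y.append(rng.randrange(2))
        else:
            y.append(1 if 2 * ones > len(column) else 0)
    return y


def run_trials(N, m, c, trials, seed=0):
    """Fraction of rounds in which the accused user really is one of the c pirates."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        P, W = generate_code(N, m, c, rng)
        pirates = set(rng.sample(range(N), c))
        y = collude_majority([W[i] for i in pirates], rng)
        hits += trace(y, W, P) in pirates
    return hits / trials


if __name__ == "__main__":
    # Code lengths for Case 1 (N = 100c, eps = 1e-11) of Table 4.
    print("c=2, m=373:", run_trials(200, 373, 2, trials=20))
    print("c=4, m=2190:", run_trials(400, 2190, 4, trials=5))
```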

3.2 Tracing Error Probability and Code Lengths

From now on, we give a bound on the tracing error probability of our code, and then
show a formula for the code length which makes our code c-secure with ε-error.
Before stating the result, we prepare some further notations and terminology.
Let $p_0$ denote the minimal possible output of a bias distribution $\mathcal{P}$, and put
$\eta = \sigma(p_0)$. For $1 \le \ell \le c$ and $0 \le x \le \ell$, put
$$R_{\ell,x} = \max\left\{0,\ \mathrm{Ex}\left[p^x(1-p)^{\ell-x}\left(x\sigma(p) - (\ell - x)\sigma(1-p)\right)\right]\right\},$$
where the expectation value Ex is taken over the values p of $\mathcal{P}$. Let
$$R_\ell = \ell\,\mathrm{Ex}\left[(1-p)^{\ell-1/2}p^{1/2}\right] - \sum_{x=1}^{\ell-1}\binom{\ell}{x} R_{\ell,x}.$$
Let δ' denote the approximation error of the bitwise scores, and put Δ = δ' + 2ηδ,
which is referred to as the error tolerance rate of our code (where δ is the same as
that in the δ-Marking Assumption). Then take a value R such that $2c\Delta \le R \le R_\ell$
for all $1 \le \ell \le c$. Moreover, define the following functions
$$B_1(t) = \frac{e^{t\eta} + \eta^2 e^{-t/\eta}}{\eta^2 + 1}, \qquad B_{2,\ell}(t) = 1 + \frac{e^{t\eta} - 1 - t\eta}{\eta^2} - 2tR, \qquad \Phi(t) = t(1 - \log t),$$
where log = log_e denotes the natural logarithm, and put
$$T_c = B_1(\beta c)\, B_{2,c}(\beta)\, e^{2\beta c\Delta}.$$

Now we state the following result, which will be proved in the appendix. Some
numerical examples concerning this result will be provided below.

Theorem 1. Assume that there are at most N users, involving up to c pirates.
Let 0 < ε < 1, and let β > 0 be chosen so that $N T_c^m < 1$.
1. If $T_c \le T_0$ and $N T_0^m < 1$, then the tracing error probability of our code is
less than or equal to $\Phi(N T_0^m)$. Hence our code is c-secure with ε-error if
$\Phi(N T_0^m) \le \varepsilon$.
2. Let a > 1 such that $\varepsilon \le a e^{1-a}$ (e.g. a = 10/9 if ε ≤ 0.99). Then our code is
c-secure with ε-error if
$$m \ge -\frac{1}{\log T_c}\left(\log\frac{N}{\varepsilon} + \log\frac{a}{a-1} + \log\log\frac{a}{\varepsilon}\right). \qquad (1)$$

Remark 2. If Δ = δ' + 2ηδ gets larger, then $T_c$ also becomes larger, so
Theorem 1 implies that our code length becomes longer as well.

3.3 Choice of the Parameter β

In order to reduce code lengths, the parameter β should be chosen so that the
value $T_c$ becomes as small as possible. Since it seems hopeless to express
the optimal β in closed form for the general case, here we give a "pretty good"
closed formula for β instead.
Let $j_1 = 2.40482\cdots$ be the smallest positive zero of the Bessel function
$J_0(t) = \sum_{k=0}^{\infty} (-1)^k (t/2)^{2k}/(k!)^2$. Then our formula for β is
$$\beta_{\mathrm{formula}} = \frac{1}{\eta^2}\log\left(1 + \frac{2\eta}{j_1 c}\left(R - \eta j_1 \Delta\right)\right).$$
It can be shown that this formula becomes optimal in the limit case c → ∞ (the
proof is omitted here due to limited pages, and will appear in the full version
of this paper). Moreover, the following numerical example suggests that this
formula approximates the optimal β well, at least in the case c ∈ {2, 4, 6, 8}.

4 Numerical Example
4.1 Our Approximation of Bias Distribution
In this section, we consider the cases c ∈ {2, 3, 4, 6, 8}. We use the approximation
$\mathcal{P} = \mathcal{P}_c$ of the bias distributions defined in Definition 1 in the former part of
Table 1. Here columns p and q denote the values of $\mathcal{P}_c$ and the corresponding
probabilities, respectively. On the other hand, the latter part of Table 1 gives
approximations of bitwise scores, where $p_0 < p_1 < \cdots$ are the possible values of $\mathcal{P}$ and
$U_j$ denotes the approximated value of $\sigma(p_j)$. (Note that $U_{\lceil c/2 \rceil - 1 - j}$, where $\lceil x \rceil$
denotes the smallest integer n with n ≥ x, is an approximation of $\sigma(1 - p_j)$.) The
approximation error is δ' = 0 if c = 1, 2 and δ' = $10^{-5}$ if 3 ≤ c ≤ 8. Moreover,
the values R and approximations of η for these cases are given in Table 2.

Table 1. Approximations of bias distributions $\mathcal{P} = \mathcal{P}_c$ and bitwise scores

Bias distributions (values p and probabilities q):

c       p         q
1, 2    0.50000   1.00000
3, 4    0.21132   0.50000
        0.78868   0.50000
5, 6    0.11270   0.33201
        0.50000   0.33598
        0.88730   0.33201
7, 8    0.06943   0.24833
        0.33001   0.25167
        0.66999   0.25167
        0.93057   0.24833

Bitwise scores (U_j approximates σ(p_j)):

c   U0        U1        U2        U3
2   1
4   1.93187   0.51763
6   2.80590   1         0.35639
8   3.66101   1.42485   0.70182   0.27314

Table 2. Auxiliary values for our example

c 2 3 4 6 8
R 0.50000 0.40823 0.40823 0.37796 0.36291
η 1.00000 1.93188 1.93188 2.80591 3.66102

Table 3. Length comparison under δ-Marking Assumption

Here Δ = 0.01. Lengths in parentheses are computed by using β_formula.

c   Row           Case 1    Case 2    Case 3    Case 4   β_optimal
2   Ours          403       444       273                0.16921
    (β_formula)   (404)     (444)     (274)
    Tardos        12400     14000     8400
    %             3.25      3.17      3.25      2.97
3   Ours          1514      1646      1014               0.057404
    (β_formula)   (1630)    (1771)    (1091)
    Tardos        28800     31500     18900
    %             5.26      5.23      5.37      4.89
4   Ours          2671      2879      1774               0.034093
    (β_formula)   (2672)    (2880)    (1775)
    Tardos        51200     56000     33600
    %             5.22      5.14      5.28      4.81
6   Ours          7738      8244      5079               0.013798
    (β_formula)   (7743)    (8249)    (5082)
    Tardos        115200    126000    75600
    %             6.72      6.54      6.72      6.13
8   Ours          16920     17879     11015              0.0071633
    (β_formula)   (16934)   (17894)   (11024)
    Tardos        211200    224000    134400
    %             8.01      7.98      8.20      7.47
4.2 Calculation and Comparison of Code Lengths

Table 3 shows code lengths of our code under the δ-Marking Assumption. Here the
error tolerance rate Δ = δ' + 2ηδ is set to 0.01; so slightly fewer than m/(200η)
undetectable bits are allowed to be flipped or erased. We consider the following
three cases: (1) N = 100c and ε = $10^{-11}$; (2) N = $10^9$ and ε = $10^{-6}$; (3) N = $10^6$
and ε = $10^{-3}$. Our code lengths are calculated from Theorem 1(1) (instead of
the slightly looser formula (1) in Theorem 1(2)) by using β_formula and the numerically
searched optimal parameter β_optimal. The table also gives the percentages of our
code lengths relative to the lengths $100c^2 \log(N/\varepsilon)$ of Tardos codes [9]. Moreover,
Case 4 in this table gives the percentages in the limit case N/ε → ∞ (i.e. N → ∞
or ε → 0); by Theorem 1(2), the percentage $m/(c^2 \log(N/\varepsilon))$ converges to
$(-c^2 \log T_c)^{-1}$ when N/ε → ∞. Table 4 is a similar table under the Marking
Assumption, where Δ is equal to the approximation error δ' of bitwise scores.
These two tables show that our c-secure codes have lengths significantly
shorter than Tardos codes and its preceding improvements [2,3,5,6,7,8], at least
for the case of smaller c. For example, under the classical Marking Assumption,
the code lengths in [7] for Case 1 are 6278, 19750, 41594 and 71552, respectively,
when c = 2, 4, 6 and 8. On the other hand, in [8], Škorić et al. proved
that the code lengths of Tardos codes under the Marking Assumption, with the
same symmetric scoring rule as our code, can be reduced to $\pi^2 \approx 9.87\%$ of the
original code lengths, and to $\pi^2/2 \approx 4.93\%$ under a certain statistical assumption
on the scores of innocent users (see the reference for details; see also [5]). Table 4
shows that our code lengths are shorter than the latter lengths in almost all
cases considered here, without any statistical assumption.

Table 4. Length comparison under Marking Assumption

Here Δ = δ'. Lengths in parentheses are computed by using β_formula.

c   Row           Case 1    Case 2    Case 3    Case 4   β_optimal
2   Ours          373       410       253                0.17549
    (β_formula)   (374)     (411)     (253)
    Tardos        12400     14000     8400
    %             3.01      2.93      3.01      2.74
3   Ours          1309      1423      877                0.061345
    (β_formula)   (1390)    (1511)    (931)
    Tardos        28800     31500     18900
    %             4.55      4.52      4.64      4.23
4   Ours          2190      2360      1454               0.037405
    (β_formula)   (2190)    (2360)    (1454)
    Tardos        51200     56000     33600
    %             4.28      4.21      4.33      3.95
6   Ours          5546      5909      3640               0.016111
    (β_formula)   (5547)    (5909)    (3641)
    Tardos        115200    126000    75600
    %             4.81      4.69      4.81      4.39
8   Ours          10469     11062     6815               0.0089586
    (β_formula)   (10469)   (11062)   (6816)
    Tardos        211200    224000    134400
    %             4.96      4.94      5.07      4.62

5 Conclusion
In this paper, we give a c-secure fingerprinting code with very short code length.
This is done by mixing two preceding improvements [7,8] of Tardos code, and by
modifying its tracing algorithm so that it simply outputs one user with highest
score and thus does not use a threshold any more. In case of smaller c, our code
has indeed shorter length than Tardos code and its preceding improvements.

References
1. Boneh, D., Shaw, J.: Collusion-secure Fingerprinting for Digital Data. IEEE Trans.
Inform. Theory 44, 1897–1905 (1998)
2. Hagiwara, M., Hanaoka, G., Imai, H.: A Short Random Fingerprinting Code Against
a Small Number of Pirates. In: Fossorier, M.P.C., Imai, H., Lin, S., Poli, A. (eds.)
AAECC 2006. LNCS, vol. 3857, pp. 193–202. Springer, Heidelberg (2006)
3. Isogai, T., Muratani, H.: Reevaluation of Tardos’s Code. In: IEICE Technical Re-
port, ISEC2006-96, pp. 7–12 (2006)
4. Carter, M., van Brunt, B.: The Lebesgue-Stieltjes Integral: A Practical Introduction.
Springer, Heidelberg (2000)
5. Katzenbeisser, S., S̆korić, B., Celik, M.U., Sadeghi, A.-R.: Combining Tardos Fin-
gerprinting Codes and Fingercasting. In: IH 2007. LNCS, vol. 4567, Springer, Hei-
delberg (2007)
6. Nuida, K., Hagiwara, M., Watanabe, H., Imai, H.: Optimal Probabilistic Finger-
printing Codes Using Optimal Finite Random Variables Related to Numerical
Quadrature, http://www.arxiv.org/abs/cs/0610036
7. Nuida, K., Hagiwara, M., Watanabe, H., Imai, H.: Optimization of Tardos’s Finger-
printing Codes in a Viewpoint of Memory Amount. In: IH 2007. LNCS, vol. 4567,
Springer, Heidelberg (2007)
8. S̆korić, B., Katzenbeisser, S., Celik, M.U.: Symmetric Tardos Fingerprinting Codes
for Arbitrary Alphabet Sizes, http://eprint.iacr.org/2007/041
9. Tardos, G.: Optimal Probabilistic Fingerprint Codes. J. ACM. In: 2003 ACM Sym-
posium on Theory of Computing, pp. 116–125 (to appear)

Appendix: Proof of Theorem 1

This appendix gives an outline of the proof of Theorem 1; due to limited pages, details of the proof are omitted here and will appear in the full version of this paper.
We prepare the following lemmas, whose proofs follow the arguments in [2].

Lemma 1 (cf. [2], Lemma 1). If $z \in \mathbb{R}$ and $\alpha > 0$, then for any fixed $P$ and $y$, the probability that the score $S$ of at least one innocent user satisfies $S \ge z$ is less than or equal to $\varphi(z) = \min\{N B_1(\alpha)^m e^{-\alpha z}, 1\}$.

Proof (Sketch). Since there are at most $N$ innocent users, this probability is less than or equal to $N\,\mathrm{Ex}[e^{\alpha S}]\,e^{-\alpha z}$ by Markov's inequality. For the bitwise scores $S_j$, by definition of $p_0$, an elementary analysis shows that
\[
\mathrm{Ex}[e^{\alpha S_j}] = \bar p^{(j)} e^{\alpha\sigma(\bar p^{(j)})} + (1 - \bar p^{(j)}) e^{-\alpha\sigma(1 - \bar p^{(j)})} \le p_0 e^{\alpha\sigma(p_0)} + (1 - p_0) e^{-\alpha\sigma(1 - p_0)} = B_1(\alpha),
\]
where $\bar p^{(j)} = p^{(j)}$ if $y_j = 1$ and $\bar p^{(j)} = 1 - p^{(j)}$ if $y_j \in \{0, ?\}$. Thus we have $\mathrm{Ex}[e^{\alpha S}] \le B_1(\alpha)^m$, so the claim follows.

Lemma 2 (cf. [2], Lemma 2). If $z \in \mathbb{R}$, $\beta > 0$ and there are $\ell$ pirates, then for any fixed pirates' strategy satisfying the Marking Assumption, the probability that no pirate's score exceeds $z$ is less than or equal to $F(z) = \min\{B_{2,\ell}(\beta)^m e^{\beta z}, 1\}$.

Proof (Sketch). This probability does not exceed the probability that the sum $S_{\mathrm{psum}}$ of the $\ell$ pirates' scores is less than or equal to $z$. By Markov's inequality, the latter probability is less than or equal to $\mathrm{Ex}[e^{-\beta S_{\mathrm{psum}}}]\,e^{\beta z}$. Now by a similar argument to [2,9], we have
\[
\mathrm{Ex}[e^{-\beta S_{\mathrm{psum}}}] \le \Big( \sum_{x=0}^{\ell} \binom{\ell}{x} M_x \Big)^m,
\]
where $M_0 = N_{0,0}$, $M_\ell = N_{1,\ell}$, $M_x = \max\{N_{0,x}, N_{1,x}\}$ for $1 \le x \le \ell - 1$, with
\[
N_{0,x} = \mathrm{Ex}\big[e^{\beta L_{x,p}} p^x (1-p)^{\ell-x}\big],\qquad N_{1,x} = \mathrm{Ex}\big[e^{-\beta L_{x,p}} p^x (1-p)^{\ell-x}\big]
\]
(the last two expectation values are taken over the values $p$ of $P$) and $L_{x,p} = x\sigma(p) - (\ell - x)\sigma(1-p)$. Since $|L_{x,p}| \le \eta$, an elementary analysis shows that $e^{\pm\beta L_{x,p}} \le 1 \pm \beta L_{x,p} + r(\beta\eta)\beta^2 L_{x,p}^2$, respectively, where $r(t) = (e^t - 1 - t)/t^2$. Thus we have
\[
M_x \le \mathrm{Ex}\big[p^x(1-p)^{\ell-x}\big] - \beta\,\mathrm{Ex}\big[p^x(1-p)^{\ell-x} L_{x,p}\big] + r(\beta\eta)\beta^2\,\mathrm{Ex}\big[p^x(1-p)^{\ell-x} L_{x,p}^2\big] + 2\beta R_{\ell,x}
\]
for $1 \le x \le \ell - 1$; so by the fact that $\sum_{x=0}^{\ell} \binom{\ell}{x} p^x (1-p)^{\ell-x} L_{x,p}^k = 1, 0, \ell$ for $k = 0, 1, 2$, respectively (cf. [2], Lemma 3), we have
\[
\sum_{x=0}^{\ell} \binom{\ell}{x} M_x \le 1 + 2\beta\,\mathrm{Ex}\big[p^0(1-p)^{\ell-0} L_{0,p}\big] + r(\beta\eta)\beta^2 \ell + 2\beta \sum_{x=1}^{\ell-1} \binom{\ell}{x} R_{\ell,x} = 1 + r(\beta\eta)\beta^2 \ell - 2\beta R_\ell \le B_{2,\ell}(\beta).
\]
Hence we have $\mathrm{Ex}[e^{-\beta S_{\mathrm{psum}}}] \le B_{2,\ell}(\beta)^m$, so the claim follows.

Now we come back to the proof of Theorem 1. Let $y'$ be obtained by modifying $y$ so that $y'_j = w_{1,j}$ whenever the $j$-th bits $w_{1,j}, \ldots, w_{\ell,j}$ of the $\ell$ pirates coincide; i.e. $y'$ satisfies the Marking Assumption. Then $y$ and $y'$ differ at up to $m\delta$ bits.
Let $S_{\mathrm{imax}}$ denote the highest score of innocent users, and $S'_{\mathrm{imax}}$ be the highest score of innocent users which is calculated by using precise bitwise scores and the modified pirated codeword $y'$ instead of $y$. Write the corresponding scores for
pirates by $S_{\mathrm{pmax}}$ and $S'_{\mathrm{pmax}}$. Then we have $|S_{\mathrm{imax}} - S'_{\mathrm{imax}}| \le m\delta \cdot 2\eta + m\delta' = m\Delta$ and $|S_{\mathrm{pmax}} - S'_{\mathrm{pmax}}| \le m\Delta$ by definition of $\Delta$; so the tracing error probability does not exceed $\Pr(S_{\mathrm{imax}} \ge S_{\mathrm{pmax}}) \le \Pr(S'_{\mathrm{imax}} + 2m\Delta \ge S'_{\mathrm{pmax}})$.
The following result is the key ingredient of our proof.

Lemma 3. Put $G(z) = \Pr(S'_{\mathrm{pmax}} \le z)$ and $\tilde\varphi(z) = \varphi(z - 2m\Delta)$. Then we have $\Pr(S'_{\mathrm{imax}} + 2m\Delta \ge S'_{\mathrm{pmax}}) \le \int_{\mathbb{R}} \tilde\varphi \, dG$, where the last integral is the Lebesgue-Stieltjes integral with respect to the function $G$ (cf. [4]).
Proof (Sketch). We only give an intuitive argument here, since the formal proof is too long to be included (see the forthcoming full version of this paper for details). We evaluate the probability that $S'_{\mathrm{imax}} + 2m\Delta < S'_{\mathrm{pmax}}$; the probability that this event occurs and $S'_{\mathrm{pmax}}$ lies in a sufficiently minute interval $(z, z + dz]$ is $\ge (1 - \tilde\varphi(z))(G(z + dz) - G(z))$ by Lemma 1. By taking the sum over these disjoint intervals covering the whole of $\mathbb{R}$, we have
\[
\begin{aligned}
\Pr(S'_{\mathrm{imax}} + 2m\Delta < S'_{\mathrm{pmax}})
&\ge \sum \big(1 - \tilde\varphi(z)\big)\big(G(z + dz) - G(z)\big) \\
&= \sum \big(G(z + dz) - G(z)\big) - \sum \tilde\varphi(z)\,\frac{G(z + dz) - G(z)}{dz}\,dz \\
&\xrightarrow{\,dz \to 0\,} 1 - \int_{-\infty}^{\infty} \tilde\varphi(z)\,G'(z)\,dz = 1 - \int_{\mathbb{R}} \tilde\varphi\,dG
\end{aligned}
\]
(note that $\lim_{z \to \infty} G(z) = 1$ and $\lim_{z \to -\infty} G(z) = 0$, while the function $G(z)$ is piecewise-linear, since now the number of the user's possible scores is finite). This implies the claim.
Moreover, since $\tilde\varphi \ge 0$ is weakly decreasing and $G(z) \le F(z)$, we can derive the following fact from general properties of the Lebesgue-Stieltjes integral.

Lemma 4. We have $\int_{\mathbb{R}} \tilde\varphi\,dG \le \int_{\mathbb{R}} \tilde\varphi\,dF$ (see Lemma 2 for the definition of $F$).

Hence the tracing error probability is bounded by $\int_{\mathbb{R}} \tilde\varphi\,dF$. Moreover, by putting $\alpha = \beta$, a direct computation shows that $\int_{\mathbb{R}} \tilde\varphi\,dF = \Phi(N T_\ell^m)$, where $T_\ell = B_1(\beta) B_{2,\ell}(\beta) e^{2\beta\Delta}$. Now Theorem 1(1) follows from the fact that $T_\ell \le T_c$ for any $1 \le \ell \le c$ and $\Phi(t)$ is increasing for $0 < t < 1$.
To prove Theorem 1(2), we consider the function $\Phi_\varepsilon(t) = \Phi(t) - \varepsilon$, which is increasing and concave up for $0 < t < 1$. Since $\lim_{t \to +0} \Phi_\varepsilon(t) = -\varepsilon < 0$ and $\lim_{t \to 1-0} \Phi_\varepsilon(t) = 1 - \varepsilon > 0$, we have $\Phi_\varepsilon(t_0) = 0$ for a unique $0 < t_0 < 1$. Now if $a > 1$ and $\varepsilon \le a e^{1-a}$, then we have $\Phi_\varepsilon(\varepsilon/a) = (\varepsilon/a)(1 - \log(\varepsilon/a)) - \varepsilon \ge 0$ (note that $\log(\varepsilon/a) \le 1 - a$), so $t_0 \le \varepsilon/a < 1$. Then put
\[
t_1 = \frac{\varepsilon}{a} - \frac{\Phi_\varepsilon(\varepsilon/a)}{\Phi'_\varepsilon(\varepsilon/a)} = \frac{a-1}{a}\cdot\frac{\varepsilon}{\log(a/\varepsilon)},
\]
which is the $x$-intercept of the tangent line of the curve $y = \Phi_\varepsilon(x)$ at $x = \varepsilon/a$. Since $\Phi_\varepsilon(t)$ is increasing and concave up, we have $t_1 \le t_0$ and so $\Phi_\varepsilon(t_1) \le 0$ (note that $t_1 > 0$). Thus we have $\Phi(N T_c^m) \le \Phi(t_1) \le \varepsilon$ whenever $N T_c^m \le t_1$, i.e. $m \ge -\log(N/t_1)/\log T_c$. Hence Theorem 1(2) is proved.
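The tangent-line argument above can be checked numerically. The following Python is an added example, not code from the paper. The displayed identity $\Phi_\varepsilon(\varepsilon/a) = (\varepsilon/a)(1 - \log(\varepsilon/a)) - \varepsilon$ is consistent with $\Phi(t) = t(1 - \log t)$, and that form of $\Phi$ is assumed here (an inference from this page, not a definition the page states). With it, the code finds $t_0$ by bisection, computes $t_1$ from the closed form, confirms $\Phi_\varepsilon(t_1) \le 0$ and $t_1 \le t_0$, and turns the condition $N T_c^m \le t_1$ into a code length $m$ for constructed values of $N$, $T_c$ and $\varepsilon$; $T_c$ itself depends on the paper's $B_1$, $B_{2,\ell}$ and $\Delta$ and is simply taken as an input. All function names are this example's own.

```python
import math

# Assumed form of the bound (inferred from the identity displayed in the proof):
# Phi(t) = t (1 - log t) on 0 < t < 1, with Phi(t) -> 0 as t -> 0 and Phi(1) = 1.


def phi(t):
    """Phi(t) = t(1 - log t): the tracing-error bound Phi(N T_c^m) of Theorem 1(1)."""
    return t * (1.0 - math.log(t))


def phi_eps(t, eps):
    """Phi_eps(t) = Phi(t) - eps, whose unique zero t_0 in (0,1) is what Theorem 1(2) bounds."""
    return phi(t) - eps


def root_t0(eps, lo=1e-300, hi=1.0 - 1e-12, iters=200):
    """The unique t_0 in (0,1) with Phi_eps(t_0) = 0, found by bisection
    (Phi is increasing on (0,1), so the sign of Phi_eps changes exactly once)."""
    for _ in range(iters):
        mid = (lo + hi) / 2
        if phi_eps(mid, eps) < 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def tangent_intercept_t1(eps, a):
    """t_1 = eps/a - Phi_eps(eps/a)/Phi_eps'(eps/a) = (a-1)/a * eps/log(a/eps):
    the x-intercept of the tangent to y = Phi_eps(x) at x = eps/a.  The paper's
    hypotheses a > 1 and eps <= a e^(1-a) guarantee Phi_eps(eps/a) >= 0."""
    if not (a > 1 and eps <= a * math.exp(1 - a)):
        raise ValueError("need a > 1 and eps <= a * e^(1 - a)")
    return (a - 1) / a * eps / math.log(a / eps)


def code_length(N, T_c, eps, a=2.0):
    """Smallest integer m with N T_c^m <= t_1, i.e. m >= -log(N/t_1)/log T_c
    (T_c must lie in (0,1)); Theorem 1(2) then gives Phi(N T_c^m) <= eps."""
    if not 0 < T_c < 1:
        raise ValueError("T_c must lie in (0, 1)")
    t1 = tangent_intercept_t1(eps, a)
    return math.ceil(-math.log(N / t1) / math.log(T_c))


def error_bound_met(N, T_c, m, eps):
    """Whether the bound Phi(N T_c^m) <= eps holds for a given code length m."""
    return phi(N * T_c ** m) <= eps


if __name__ == "__main__":
    # constructed parameters: N users, error probability eps, a = 2, and a placeholder T_c
    N, T_c, eps = 1000, 0.9, 1e-3
    m = code_length(N, T_c, eps)
    print("t_1 =", tangent_intercept_t1(eps, 2.0), "t_0 =", root_t0(eps), "m =", m,
          "bound met:", error_bound_met(N, T_c, m, eps))
```

Because $\Phi$ is increasing, any $m$ with $N T_c^m \le t_1$ satisfies $\Phi(N T_c^m) \le \Phi(t_1) \le \varepsilon$, which is exactly what `error_bound_met` checks for the $m$ returned by `code_length`.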
Space-Time Codes from Crossed Product Algebras of Degree 4

Grégory Berhuy¹ and Frédérique Oggier²

¹ School of Mathematics, University of Southampton, UK, [email protected]
² Department of Electrical Engineering, California Institute of Technology, USA, [email protected]

Abstract. We study crossed product algebras of degree 4, and present a new space-time code construction based on a particular crossed product division algebra which exhibits very good performance.

1 Introduction
Wireless systems are nowadays part of everyday life. However, to answer the need for higher and higher data rates, researchers have started to investigate wireless systems where both the transmitter and the receiver end are equipped with multiple antennas. This new kind of channel requires new coding techniques, namely space-time coding [10]. Unlike classical coding, space-time coding involves the design of families of matrices, with the property, called full diversity, that the difference of any two distinct matrices is full rank.
Following the seminal work of Sethuraman et al. [7,8], codes based on division algebras have been investigated. This algebraic approach has generated a lot of interest, since division algebras naturally provide linear codes with full diversity. Quaternion algebras [1] and their maximal orders [3], cyclic algebras [8,4], Clifford algebras [9] and crossed product algebras [6] have been studied.
In this paper, we study crossed product algebras of degree 4, and, unlike in [6], we focus on the case where the Galois group is not cyclic. For this scenario, we derive conditions for crossed product algebras to be division algebras, which yields the full diversity property, and optimize the code design.

2 Crossed Product Algebras of Degree 4


Let $L/K$ be a Galois extension. A central simple $K$-algebra is called a crossed product algebra over $L/K$ if it contains $L$ as a maximal commutative subfield. A crossed product algebra can be described nicely in terms of generators and relations, and when $L/K$ has cyclic Galois group, we recover the concept of cyclic algebra. Since in degree 2 and 3 Galois extensions necessarily have cyclic groups, the first interesting example of a crossed product algebra arises in degree 4. This is the case we focus on in this work. For definitions and basic facts on crossed product algebras, the reader may refer to [2].

This work was partly supported by the Nuffield Newly Appointed Lecturers Scheme 2006 NAL/32706. F. Oggier is now visiting RCIS, AIST, Tokyo, Japan.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 90–99, 2007.
© Springer-Verlag Berlin Heidelberg 2007

[Fig. 1 diagram: $L = K(\sqrt d, \sqrt{d'})$ at the top, with $K(\sqrt d)$ and $K(\sqrt{d'})$ below it (each of index 2 in $L$) and $K$ at the bottom; the edge from $K(\sqrt d)$ down to $K$ is labelled $\tau$ and the edge from $K(\sqrt{d'})$ down to $K$ is labelled $\sigma$.]
Fig. 1. A biquadratic extension of K

2.1 Definition and Examples

Consider a Galois extension $L/K$ of degree 4. Its Galois group is either cyclic of order 4 or a product of two cyclic groups of order 2. We focus on the latter, and consider the case where $L/K$ is a biquadratic extension (see Fig. 1), namely
\[
L = K(\sqrt d, \sqrt{d'}).
\]
We set $G = \mathrm{Gal}(L/K) = \{1, \sigma, \tau, \sigma\tau\}$, where $\sigma, \tau$ are defined by
\[
\sigma(\sqrt d) = \sqrt d,\quad \sigma(\sqrt{d'}) = -\sqrt{d'},\qquad \tau(\sqrt d) = -\sqrt d,\quad \tau(\sqrt{d'}) = \sqrt{d'}.
\]
In this case, using a suitable change of generators, one can show that a crossed product algebra $A$ over $L/K$ may be described as follows:
\[
A = L \oplus eL \oplus fL \oplus efL
\]
with $e^2 = a$, $f^2 = b$, $fe = efu$, $\lambda e = e\sigma(\lambda)$, $\lambda f = f\tau(\lambda)$ for all $\lambda \in L$, for some elements $a, b, u \in L^\times$ satisfying
\[
\sigma(a) = a,\quad \tau(b) = b,\quad u\sigma(u) = \frac{a}{\tau(a)},\quad u\tau(u) = \frac{\sigma(b)}{b}. \tag{1}
\]
Definition 1. A crossed product algebra $A$ over a biquadratic extension $L/K$ will be called a biquadratic crossed product algebra. We write $A = (a, b, u, L/K)$.

Remark 1. Note from (1) that we have $a \in K(\sqrt d)$ and $b \in K(\sqrt{d'})$.

Example 1. Take $K = \mathbb{Q}(i)$, $d = 3$ and $d' = 5$, so that $L = \mathbb{Q}(i)(\sqrt3, \sqrt5)$. The following choice of $a, b, u$ is well defined:
\[
a = \sqrt3,\quad b = \sqrt5,\quad u = i.
\]

We need to verify that the conditions (1) are satisfied. Recall that here
\[
\sigma(\sqrt5) = -\sqrt5,\qquad \tau(\sqrt3) = -\sqrt3.
\]
Clearly $\sigma(a) = a$ and $\tau(b) = b$. Finally
\[
u\sigma(u) = -1 = \frac{\sqrt3}{-\sqrt3} \quad\text{and}\quad u\tau(u) = -1 = \frac{-\sqrt5}{\sqrt5}.
\]
Example 2. Take again $K = \mathbb{Q}(i)$, $d' = 5$, but now $d = 2$. Let $\zeta_8$ be a primitive 8th root of unity. Note that $L = \mathbb{Q}(i)(\zeta_8, \sqrt5)$ since $\zeta_8 = \frac{1}{\sqrt2}(1 + i)$. We have
\[
\sigma(\sqrt5) = -\sqrt5,\qquad \tau(\sqrt2) = -\sqrt2,\qquad \tau(\zeta_8) = -\zeta_8.
\]
The following choice of $a, b, u$ is also suitable:
\[
a = \zeta_8,\quad b = \sqrt5,\quad u = i.
\]
Clearly $\sigma(a) = a$ and $\tau(b) = b$. Finally
\[
u\sigma(u) = -1 = \frac{\zeta_8}{-\zeta_8} \quad\text{and}\quad u\tau(u) = -1 = \frac{-\sqrt5}{\sqrt5}.
\]
Remark 2. It is known that every central simple algebra over a number field is isomorphic to a cyclic algebra. However, for coding purposes, the algebra representation does matter, as will be illustrated in the following (Remark 3).

2.2 Matrix Formulation and Encoding

In order to design codewords, we now explain how to identify $A$ with a subalgebra of $M_4(L)$, or in other words, how to get a correspondence between a matrix $X \in M_4(L)$, which will be a codeword, and an element $x \in A$. This is done by associating to $x$ its left multiplication matrix $X$.

Proposition 1. Let $x = x_1 + ex_\sigma + fx_\tau + efx_{\sigma\tau} \in A$. Its left multiplication matrix $X$ is given by
\[
X = \begin{pmatrix}
x_1 & a\sigma(x_\sigma) & b\tau(x_\tau) & ab\tau(u)\sigma\tau(x_{\sigma\tau}) \\
x_\sigma & \sigma(x_1) & b\tau(x_{\sigma\tau}) & b\tau(u)\sigma\tau(x_\tau) \\
x_\tau & \tau(a)u\sigma(x_{\sigma\tau}) & \tau(x_1) & \tau(a)\sigma\tau(x_\sigma) \\
x_{\sigma\tau} & u\sigma(x_\tau) & \tau(x_\sigma) & \sigma\tau(x_1)
\end{pmatrix}. \tag{2}
\]

Proof. It is enough to do the computation on the basis elements. We have
\[
xe = x_1 e + ex_\sigma e + fx_\tau e + efx_{\sigma\tau} e = e\sigma(x_1) + a\sigma(x_\sigma) + fe\sigma(x_\tau) + efe\sigma(x_{\sigma\tau}).
\]
Now we have $fe = efu$, and $efe = eefu = afu = f\tau(a)u$. Hence
\[
xe = a\sigma(x_\sigma) + e\sigma(x_1) + f\tau(a)u\sigma(x_{\sigma\tau}) + efu\sigma(x_\tau).
\]
We have also
\[
xf = x_1 f + ex_\sigma f + fx_\tau f + efx_{\sigma\tau} f = f\tau(x_1) + ef\tau(x_\sigma) + b\tau(x_\tau) + eb\tau(x_{\sigma\tau}).
\]
Hence,
\[
xf = b\tau(x_\tau) + eb\tau(x_{\sigma\tau}) + f\tau(x_1) + ef\tau(x_\sigma).
\]
Finally,
\[
xef = x_1 ef + ex_\sigma ef + fx_\tau ef + efx_{\sigma\tau} ef = ef\sigma\tau(x_1) + af\sigma\tau(x_\sigma) + fef\sigma\tau(x_\tau) + efef\sigma\tau(x_{\sigma\tau}).
\]
We have
\[
fef = efuf = eb\tau(u),
\]
and $efef = e(eb\tau(u)) = ab\tau(u)$. Thus,
\[
xef = ef\sigma\tau(x_1) + f\tau(a)\sigma\tau(x_\sigma) + eb\tau(u)\sigma\tau(x_\tau) + ab\tau(u)\sigma\tau(x_{\sigma\tau}).
\]
Therefore,
\[
xef = ab\tau(u)\sigma\tau(x_{\sigma\tau}) + eb\tau(u)\sigma\tau(x_\tau) + f\tau(a)\sigma\tau(x_\sigma) + ef\sigma\tau(x_1).
\]
For a matrix $X$ of the form (2) to be a codeword, it further requires an encoding, that is, a way to map the information symbols to be transmitted into the matrix $X$. This can be easily done as follows. Let $\{\omega_1, \omega_2, \omega_3, \omega_4\}$ be a $\mathbb{Q}(i)$-basis of $L$. Let $G$ be the matrix of the embeddings of the basis:
\[
G = \begin{pmatrix}
\omega_1 & \omega_2 & \omega_3 & \omega_4 \\
\sigma(\omega_1) & \sigma(\omega_2) & \sigma(\omega_3) & \sigma(\omega_4) \\
\tau(\omega_1) & \tau(\omega_2) & \tau(\omega_3) & \tau(\omega_4) \\
\sigma\tau(\omega_1) & \sigma\tau(\omega_2) & \sigma\tau(\omega_3) & \sigma\tau(\omega_4)
\end{pmatrix}. \tag{3}
\]
Let $\mathbf{x} = (x_1, x_2, x_3, x_4)$ be a vector containing 4 information symbols to be transmitted. Let $x = x_1\omega_1 + x_2\omega_2 + x_3\omega_3 + x_4\omega_4$ be an element of $L$, which can be seen as a linear combination of the 4 information symbols. We have
\[
G\mathbf{x} = (x, \sigma(x), \tau(x), \sigma\tau(x))^T.
\]
We can thus encode 16 information symbols into $X$ as follows. Let
\[
\begin{aligned}
G\mathbf{x}_1 &= (x_1, \sigma(x_1), \tau(x_1), \sigma\tau(x_1))^T, \\
G\mathbf{x}_\sigma &= (x_\sigma, \sigma(x_\sigma), \tau(x_\sigma), \sigma\tau(x_\sigma))^T, \\
G\mathbf{x}_\tau &= (x_\tau, \sigma(x_\tau), \tau(x_\tau), \sigma\tau(x_\tau))^T, \\
G\mathbf{x}_{\sigma\tau} &= (x_{\sigma\tau}, \sigma(x_{\sigma\tau}), \tau(x_{\sigma\tau}), \sigma\tau(x_{\sigma\tau}))^T.
\end{aligned}
\]
Let $\Gamma_i$, $i = 1, 2, 3, 4$, be given by $\Gamma_1 = I_4$, the identity matrix, and
\[
\Gamma_2 = \begin{pmatrix} 0 & a & 0 & 0 \\ 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & \tau(a) \\ 0 & 0 & 1 & 0 \end{pmatrix},\quad
\Gamma_3 = \begin{pmatrix} 0 & 0 & b & 0 \\ 0 & 0 & 0 & b\sigma(u) \\ 1 & 0 & 0 & 0 \\ 0 & \sigma\tau(u) & 0 & 0 \end{pmatrix},\quad
\Gamma_4 = \begin{pmatrix} 0 & 0 & 0 & ab\sigma(u) \\ 0 & 0 & b & 0 \\ 0 & \tau(a)\tau(u) & 0 & 0 \\ 1 & 0 & 0 & 0 \end{pmatrix}.
\]

The codeword $X$ is encoded as follows:
\[
X = \Gamma_1\,\mathrm{diag}(G\mathbf{x}_1) + \Gamma_2\,\mathrm{diag}(G\mathbf{x}_\sigma) + \Gamma_3\,\mathrm{diag}(G\mathbf{x}_\tau) + \Gamma_4\,\mathrm{diag}(G\mathbf{x}_{\sigma\tau}).
\]

3 A Criterion for Full Diversity

For square codewords, the full diversity property [10] is given by
\[
\det(X - X') \ne 0,\qquad X \ne X' \in A,
\]
where $A$ is identified with a subalgebra of a matrix algebra. Therefore, in order to satisfy this property, it is enough to require $A$ to be a division algebra.

Theorem 1. Let $K$ be a number field, and let $A = (a, b, u, L/K)$. Then the following conditions are equivalent:
1. $A$ is a division algebra,
2. the quaternion algebra $(d, N_{K(\sqrt{d'})/K}(b))$ is not split,
3. the quaternion algebra $(d', N_{K(\sqrt d)/K}(a))$ is not split.

Proof. Since $K$ is a number field, the index of $A$ is equal to its exponent. Thus $A$ is a division algebra if and only if its exponent is not 1 or 2, that is, $2[A] \ne 0$ in the Brauer group $\mathrm{Br}(K)$. To conclude, it is enough to use the following equalities, which we will not prove here by lack of space:
\[
2[A] = (d, N_{K(\sqrt{d'})/K}(b)) = (d', N_{K(\sqrt d)/K}(a)) \quad\text{in } \mathrm{Br}(K).
\]


Lemma 1. Let $u \in L$. The following conditions are equivalent:
(1) $N_{L/K}(u) = 1$.
(2) There exists $a \in L^\times$ such that $\sigma(a) = a$ and $u\sigma(u) = \dfrac{a}{\tau(a)}$.
(3) There exists $b \in L^\times$ such that $\tau(b) = b$ and $u\tau(u) = \dfrac{\sigma(b)}{b}$.
Moreover, if $u$ satisfies one of the above conditions, then whether the quaternion algebra $(d', N_{K(\sqrt d)/K}(a))$ is split only depends on $u$, and not on the choice of $a$.

Proof. 1. If $N_{L/K}(u) = 1$, then
\[
u\sigma(u)\tau(u)\sigma(\tau(u)) = 1,
\]
so that
\[
N_{K(\sqrt d)/K}(u\sigma(u)) = 1,\qquad N_{K(\sqrt{d'})/K}(u\tau(u)) = 1,
\]
and thus we get both (2) and (3) by Hilbert's 90. Now, if (2) holds, then
\[
N_{L/K}(u) = u\sigma(u)\tau(u)\sigma(\tau(u)) = \frac{a}{\tau(a)}\,\tau\!\left(\frac{a}{\tau(a)}\right) = 1,
\]
and similarly (3) implies (1).

2. Let $u$ be given, and consider $a, a'$ such that
\[
u\sigma(u) = \frac{a}{\tau(a)} = \frac{a'}{\tau(a')},
\]
so that
\[
a'\tau(a) = a\tau(a') = \tau(a'\tau(a)).
\]
Since we further have that
\[
\sigma(a'\tau(a)) = \sigma(a')\tau(\sigma(a)) = a'\tau(a),
\]
we conclude that $a'\tau(a) = \lambda \in K$, and thus
\[
N_{K(\sqrt d)/K}(a'\tau(a)) = \lambda^2.
\]
In other words,
\[
N_{K(\sqrt d)/K}(a') = N_{K(\sqrt d)/K}(a)\left(\frac{\lambda}{N_{K(\sqrt d)/K}(a)}\right)^2,
\]
and $(d', N_{K(\sqrt d)/K}(a))$ is split if and only if $(d', N_{K(\sqrt d)/K}(a'))$ is, which concludes the proof.

Lemma 2. Let $u \in L$ such that $N_{L/K}(u) = 1$. If $u\sigma(u) = -1$, then we have
\[
u\sigma(u) = \frac{a}{\tau(a)},\ \text{where } a = \sqrt d,\quad\text{and}\quad (d', N_{K(\sqrt d)/K}(a)) = (-d, d'). \tag{4}
\]
If $u\sigma(u) \ne -1$, then we have $u\sigma(u) = \dfrac{a}{\tau(a)}$, where
\[
a = 1 + u\sigma(u),\quad\text{and}\quad (d', N_{K(\sqrt d)/K}(a)) = (2 + \mathrm{Tr}_{K(\sqrt d)/K}(u\sigma(u)), d'). \tag{5}
\]

Proof. (4) is obvious. Now, assume that $u\sigma(u) \ne -1$ and set $a = 1 + u\sigma(u)$. We have that $u\sigma(u) + N_{L/K}(u) = u\sigma(u)\,\tau(1 + u\sigma(u))$, so that
\[
u\sigma(u) = \frac{u\sigma(u) + N_{L/K}(u)}{\tau(1 + u\sigma(u))} = \frac{u\sigma(u) + 1}{\tau(1 + u\sigma(u))} = \frac{a}{\tau(a)}.
\]
To conclude, for $a = u\sigma(u) + 1$, we have
\[
\begin{aligned}
N_{K(\sqrt d)/K}(a) &= (u\sigma(u) + 1)\,\tau(u\sigma(u) + 1) \\
&= 1 + \mathrm{Tr}_{K(\sqrt d)/K}(u\sigma(u)) + N_{L/K}(u) \\
&= 2 + \mathrm{Tr}_{K(\sqrt d)/K}(u\sigma(u)).
\end{aligned}
\]

Example 3. Consider the algebra defined in Example 1, namely $K = \mathbb{Q}(i)$, $L = \mathbb{Q}(i)(\sqrt3, \sqrt5)$ with
\[
a = \sqrt3,\quad b = \sqrt5,\quad u = i.
\]
Since $u\sigma(u) = -1$, by Lemma 2, we have to check whether $(-3, 5)$ is split. This is equivalent to checking whether $-3$ is a norm in $\mathbb{Q}(i)(\sqrt5)/\mathbb{Q}(i)$, namely whether $a^2 - 5b^2 = -3$ has a solution for $a, b \in \mathbb{Q}(i)$. If such a solution exists, then it is easy to see that the denominators of $a$ and $b$ are not divisible by $(2 + i)$. Therefore, reducing modulo $(2 + i)$, we get that $-3$ is a square in $\mathbb{Z}[i]/(2 + i)$. Since $5\mathbb{Z}[i] = (2 + i)(2 - i)$, the inertial degree [5, p. 84] of $2 + i$ is 1, and $\mathbb{Z}[i]/(2 + i) \cong \mathbb{F}_5$. Since $-3$ is not a square modulo 5, we conclude that $(-3, 5)$ is not split.

Example 4. We now continue Example 2, where $K = \mathbb{Q}(i)$ and $L = \mathbb{Q}(i)(\zeta_8, \sqrt5)$, with $\zeta_8$ a primitive 8th root of unity. Furthermore, we have
\[
a = \zeta_8,\quad b = \sqrt5,\quad u = i.
\]
Again $u\sigma(u) = -1$, and we have to check, by Lemma 2, whether $(-2, 5)$ is split. Since $-2$ is not a square modulo 5, we show as above that $(-2, 5)$ is not split.

4 Codes and Performance

From the above (see Examples 1, 3, 2 and 4), we now have two examples of division crossed product algebras:
1. $(a, b, u, L/K) = (\sqrt3, \sqrt5, i, \mathbb{Q}(i)(\sqrt3, \sqrt5)/\mathbb{Q}(i))$,
2. $(a, b, u, L/K) = (\zeta_8, \sqrt5, i, \mathbb{Q}(i)(\sqrt2, \sqrt5)/\mathbb{Q}(i))$.
We thus have two fully-diverse codes with a linear encoding. However, it is now known that this is not enough to get efficient codes, and another crucial parameter is a good shaping (following the terminology of [4]), or in other words, the codes should be information lossless [6]. Both requirements can actually be shown to boil down to the same property: the matrices $G$ and $\Gamma_i$, $i = 2, 3, 4$ used for the encoding (see Subsection 2.2) have to be unitary.
√ √
4.1 The Algebra on $\mathbb{Q}(i)(\sqrt3, \sqrt5)/\mathbb{Q}(i)$
Recall that the encoding matrix $\Gamma_3$ is given by
\[
\Gamma_3 = \begin{pmatrix} 0 & 0 & b & 0 \\ 0 & 0 & 0 & b\sigma(u) \\ 1 & 0 & 0 & 0 \\ 0 & \sigma\tau(u) & 0 & 0 \end{pmatrix}.
\]
In order for $\Gamma_3$ to be unitary, we clearly need, since $\sigma$ and $\tau$ commute with the complex conjugation, that $|u|^2 = 1$, $|b|^2 = 1$. Since $u = i$, we focus on $b = \sqrt5$. Of course $b$ is not of modulus 1, but this can be remedied by normalizing it as follows:
\[
b = \frac{1 + 2i}{1 - 2i} = \left(\frac{1 + 2i}{\sqrt5}\right)^2.
\]

Similarly, we need $|a|^2 = 1$ in order for $\Gamma_2$ to be unitary, where
\[
\Gamma_2 = \begin{pmatrix} 0 & a & 0 & 0 \\ 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & \tau(a) \\ 0 & 0 & 1 & 0 \end{pmatrix}.
\]
Since such a normalization is not possible for $\sqrt3$, we focus on the other algebra.
√ √
4.2 The Algebra on $\mathbb{Q}(i)(\sqrt2, \sqrt5)/\mathbb{Q}(i)$

As seen in the previous subsection, we need $|a|^2 = 1$, $|b|^2 = 1$, $|u|^2 = 1$. This is however fine here, since $a$ and $u$ are roots of unity, while $b$ can be normalized. We thus finally take
\[
a = \zeta_8,\quad b = \frac{1 + 2i}{1 - 2i},\quad u = i.
\]
Thus the encoding matrices $\Gamma_i$, $i = 2, 3, 4$ are unitary. We are thus left with making sure that $G$ is unitary. Recall from (3) that $G$ is given by:
\[
G = \begin{pmatrix}
\omega_1 & \omega_2 & \omega_3 & \omega_4 \\
\sigma(\omega_1) & \sigma(\omega_2) & \sigma(\omega_3) & \sigma(\omega_4) \\
\tau(\omega_1) & \tau(\omega_2) & \tau(\omega_3) & \tau(\omega_4) \\
\sigma\tau(\omega_1) & \sigma\tau(\omega_2) & \sigma\tau(\omega_3) & \sigma\tau(\omega_4)
\end{pmatrix},
\]
where $\{\omega_1, \omega_2, \omega_3, \omega_4\}$ is a basis of $L$. We can obtain a unitary matrix $G$ by restricting to an ideal of $L$, as follows. Set
\[
\theta = \frac{1 + \sqrt5}{2},\qquad \alpha = 1 + i - i\theta.
\]
Then the following basis
\[
\omega_1 = \alpha,\quad \omega_2 = \alpha\theta,\quad \omega_3 = \alpha\zeta_8,\quad \omega_4 = \alpha\theta\zeta_8
\]
is such that $\frac{1}{\sqrt{10}}\,G$ is unitary. This can be easily checked since
\[
G = G_2 \otimes G_1 \quad\text{with}\quad G_1 = \begin{pmatrix} \alpha & \alpha\theta \\ \sigma(\alpha) & \sigma(\alpha)\sigma(\theta) \end{pmatrix},\quad G_2 = \begin{pmatrix} 1 & \zeta_8 \\ 1 & \tau(\zeta_8) \end{pmatrix}
\]
and $G_1, G_2$ satisfy
\[
G_1 G_1^* = 5I_2,\qquad G_2 G_2^* = 2I_2.
\]

Remark 3. Note that the crossed product algebra described in this subsection is isomorphic to the cyclic algebra $(i, \mathbb{Q}(i)(5^{1/4})/\mathbb{Q}(i), \sigma)$, where $\sigma(5^{1/4}) = i\,5^{1/4}$. However, the code construction is not available on the cyclic representation, since the orthonormal lattice does not exist.

4.3 Minimum Determinant and Simulations

Once a code satisfies the full diversity property and the shaping constraint, its performance is then governed by its minimum determinant [10], given by
\[
\min_{X \ne 0} |\det(X)|^2.
\]
In the case of the code on $\mathbb{Q}(i)(\sqrt2, \sqrt5)/\mathbb{Q}(i)$, we have that [4]
\[
\min_{X \ne 0} |\det(X)|^2 = \frac{|N(\alpha)|^4}{\sqrt{10}^{\,8}\,|1 - 2i|^2} = \frac{1}{400}\cdot\frac{1}{5},
\]
where the first equality comes from the following observations: the factor $\alpha\sigma(\alpha) = N(\alpha)$ appears squared in the determinant of $X$, while the term in $\sqrt{10}$ comes from the normalization of $G$, that is, $\frac{1}{\sqrt{10}}\,G$. The term in $1 - 2i$ comes from the denominator of $b$. Note that 400 is actually the discriminant of $\mathbb{Q}(i)(\sqrt2, \sqrt5)/\mathbb{Q}(i)$.
The performance of this new code is shown in Fig. 2, compared to the best known code built on division algebras, namely on a cyclic division algebra [4], using a cyclic extension of discriminant 1125. The new code performs clearly better when using 4-QAM (that is, $\pm1 \pm i$ as information symbols). It loses a bit of its advantage when using 16-QAM. This can be easily explained. The discriminant of the new code is 400, and a further factor of 5 appears only when the term involving $b$ is non-zero. So on average, the new code still performs better than the code based on the cyclic algebra. However, when increasing the constellation size, the event of having the term in $b$ non-zero occurs with smaller probability, and on average, the code still performs better, but with less advantage than in the 4-QAM case.

Fig. 2. New code from crossed product algebra, compared with the known code from
cyclic algebra, using 4-QAM and 16-QAM
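The construction of Subsections 2.2 and 4.2, together with the full-diversity criterion of Section 3 and the determinant of Subsection 4.3, can be exercised numerically. The following Python is an added example and not code from the paper: it represents an element of $L = \mathbb{Q}(i)(\sqrt2, \sqrt5)$ by its images under the four embeddings $1, \sigma, \tau, \sigma\tau$, builds the matrix $G$ of (3) for the basis $\omega_k$ of Subsection 4.2 and the matrices $\Gamma_2, \Gamma_3, \Gamma_4$ with $a = \zeta_8$, $b = (1+2i)/(1-2i)$, $u = i$ (since $u \in K$, its conjugates $\sigma(u)$, $\tau(u)$, $\sigma\tau(u)$ all equal $u$), encodes 16 symbols into $X$ as in Subsection 2.2 with $G$ replaced by $\frac{1}{\sqrt{10}}G$, and checks that $\frac{1}{\sqrt{10}}G$ and the $\Gamma_i$ are unitary, that the codeword carrying only $x_1 = \alpha$ has $|\det X|^2 = 1/400$ (the value without the factor of 5 from $b$), that differences of distinct 4-QAM codewords are nonsingular, and that $-3$ and $-2$ are non-squares modulo 5 as used in Examples 3 and 4. The function names (`embed`, `encode`, `det4`, ...) and the random 4-QAM inputs are this example's own; floating-point arithmetic is used, so equalities are checked to a tolerance.

```python
import math
import random

SQRT2, SQRT5 = math.sqrt(2.0), math.sqrt(5.0)


def embed(s2, s5):
    """Images of theta, zeta8 and alpha under the embedding of L = Q(i)(sqrt2, sqrt5)
    sending sqrt2 -> s2*sqrt2 and sqrt5 -> s5*sqrt5 and fixing Q(i).
    Identity = embed(1, 1), sigma = embed(1, -1), tau = embed(-1, 1), sigma*tau = embed(-1, -1)."""
    r2, r5 = s2 * SQRT2, s5 * SQRT5
    theta = (1 + r5) / 2                  # theta = (1 + sqrt5)/2
    zeta = (1 + 1j) / r2                  # zeta8 = (1 + i)/sqrt2, hence tau(zeta8) = -zeta8
    alpha = 1 + 1j - 1j * theta           # alpha = 1 + i - i*theta
    return theta, zeta, alpha


EMB = [embed(1, 1), embed(1, -1), embed(-1, 1), embed(-1, -1)]   # rows of G: 1, sigma, tau, sigma*tau

# algebra parameters of Subsection 4.2; u = i lies in K, so all its conjugates equal u
A1, A_TAU = EMB[0][1], EMB[2][1]          # a = zeta8 and tau(a) = -zeta8
B = (1 + 2j) / (1 - 2j)                   # b, normalized to modulus 1
U = 1j                                    # u = sigma(u) = tau(u) = sigma*tau(u)


def basis_row(e):
    """The basis omega_1..omega_4 = alpha, alpha*theta, alpha*zeta8, alpha*theta*zeta8 under one embedding."""
    theta, zeta, alpha = e
    return [alpha, alpha * theta, alpha * zeta, alpha * theta * zeta]


G = [basis_row(e) for e in EMB]                        # matrix (3)
GN = [[v / math.sqrt(10) for v in row] for row in G]   # (1/sqrt10) G, claimed unitary

GAMMA = [
    [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]],                  # Gamma_1 = I_4
    [[0, A1, 0, 0], [1, 0, 0, 0], [0, 0, 0, A_TAU], [0, 0, 1, 0]],              # Gamma_2
    [[0, 0, B, 0], [0, 0, 0, B * U], [1, 0, 0, 0], [0, U, 0, 0]],               # Gamma_3
    [[0, 0, 0, A1 * B * U], [0, 0, B, 0], [0, A_TAU * U, 0, 0], [1, 0, 0, 0]],  # Gamma_4
]


def matvec(M, x):
    return [sum(M[r][c] * x[c] for c in range(4)) for r in range(4)]


def encode(symbols):
    """Map 16 information symbols (x_1, x_sigma, x_tau, x_sigmatau blocks of 4) to the
    4x4 codeword X = sum_k Gamma_k diag((1/sqrt10) G x_k), as in Subsection 2.2."""
    X = [[0j] * 4 for _ in range(4)]
    for k in range(4):
        v = matvec(GN, symbols[4 * k:4 * k + 4])    # (x, sigma(x), tau(x), sigma*tau(x)) / sqrt10
        for r in range(4):
            for c in range(4):
                X[r][c] += GAMMA[k][r][c] * v[c]    # Gamma_k diag(v) scales column c of Gamma_k by v[c]
    return X


def is_unitary(M, tol=1e-9):
    """M M^* = I, with M^* the conjugate transpose."""
    return all(abs(sum(M[r][k] * M[c][k].conjugate() for k in range(4)) - (1 if r == c else 0)) <= tol
               for r in range(4) for c in range(4))


def det4(M):
    """Determinant of a 4x4 complex matrix by Gaussian elimination with partial pivoting."""
    A = [row[:] for row in M]
    d = 1 + 0j
    for c in range(4):
        p = max(range(c, 4), key=lambda r: abs(A[r][c]))
        if abs(A[p][c]) < 1e-15:
            return 0j
        if p != c:
            A[c], A[p] = A[p], A[c]
            d = -d
        d *= A[c][c]
        for r in range(c + 1, 4):
            f = A[r][c] / A[c][c]
            for k in range(c, 4):
                A[r][k] -= f * A[c][k]
    return d


def unitary_checks():
    """Unitarity of (1/sqrt10) G and of Gamma_2, Gamma_3, Gamma_4 (the shaping condition of Section 4)."""
    return is_unitary(GN), is_unitary(GAMMA[1]), is_unitary(GAMMA[2]), is_unitary(GAMMA[3])


def min_diff_det_sq(pairs=50, seed=7):
    """Smallest |det(X - X')|^2 over random pairs of distinct 4-QAM codewords (constructed
    input); full diversity (Section 3) says this is never 0."""
    rng = random.Random(seed)
    qam = [1 + 1j, 1 - 1j, -1 + 1j, -1 - 1j]
    best = math.inf
    for _ in range(pairs):
        s = [rng.choice(qam) for _ in range(16)]
        t = [rng.choice(qam) for _ in range(16)]
        if s == t:
            continue
        X, Y = encode(s), encode(t)
        best = min(best, abs(det4([[X[r][c] - Y[r][c] for c in range(4)] for r in range(4)])) ** 2)
    return best


def is_square_mod(n, p):
    """Whether n is a square modulo the prime p (the residue test of Examples 3 and 4)."""
    return any((x * x - n) % p == 0 for x in range(p))
```

`encode([1] + [0] * 15)` is the codeword of $x = \alpha \in L$, so $X$ is diagonal with $\det X = N_{L/K}(\alpha)/100 = (2+i)^2/100$ and $|\det X|^2 = 25/10^4 = 1/400$; the extra factor $1/5$ of Subsection 4.3 only enters through codewords whose $b$-terms are non-zero.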

5 Conclusion

In this paper, we studied crossed product algebras of degree 4, in order to design new space-time code constructions. We provided conditions for crossed product algebras to be division algebras, and optimized the code design.

References
1. Belfiore, J.-C., Rekaya, G.: Quaternionic lattices for space-time coding. In: 2003
Information Theory Workshop, Paris (2003)
2. Draxl, P.K.: Skew fields. L.M.S.Lect. Note Serie, vol. 81. Cambridge Univ. Press,
Cambridge (1982)
3. Hollanti, C., Lahtonen, J., Ranto, K., Vehkalahti, R.: Optimal Matrix Lattices for
MIMO Codes from Division Algebras. In: 2006 IEEE Int. Symp. on Inform. Theory,
Seattle (2006)
4. Oggier, F.E., Rekaya, G., Belfiore, J.-C., Viterbo, E.: Perfect Space-Time Block
Codes. IEEE Trans. Inform. Theory 52(9), 3885–3902 (2006)
5. Samuel, P.: Théorie algébrique des nombres. Available in English. Hermann collec-
tion Méthodes, Paris (1967)
6. Vummintala, S., Sundar Rajan, B., Sethuraman, B.A.: Information-Lossless Space-
Time Block Codes from Crossed-Product Algebras. IEEE Trans. Inform. The-
ory 52(9), 3913–3935 (2006)
7. Sethuraman, B.A., Sundar Rajan, B.: Full-Rank, Full-Rate STBCs from Division
Algebras. In: 2002 Information Theory Workshop, Bangalore (2002)
8. Sethuraman, B.A., Sundar Rajan, B., Shashidhar, V.: Full-Diversity, High-Rate
Space-Time Block Codes from Division Algebras. IEEE Trans. Inform. The-
ory 49(10), 2596–2616 (2003)
9. Susinder Rajan, G., Sundar Rajan, B.: STBCs from Representation of Extended
Clifford Algebras. In: 2007 IEEE Int. Symp. on Inform. Theory, Nice (2007)
10. Tarokh, V., Seshadri, N., Calderbank, R.: Space-Time Codes for High Data Rate
Wireless Communication: Performance Criterion and Code Construction. IEEE
Trans. Inform. Theory 44, 744–765 (1998)
On Non-randomness of the Permutation After RC4 Key Scheduling

Goutam Paul¹, Subhamoy Maitra², and Rohit Srivastava³

¹ Department of Computer Science and Engineering, Jadavpur University, Kolkata 700 032, India, goutam [email protected]
² Applied Statistics Unit, Indian Statistical Institute, 203, B T Road, Kolkata 700 108, India, [email protected]
³ Department of Computer Science and Engineering, Institute of Technology, Banaras Hindu University, Varanasi 221 005 (UP), India, [email protected]

Abstract. Here we study a weakness of the RC4 Key Scheduling Algorithm (KSA) that has already been noted by Mantin and Mironov. Consider the RC4 permutation $S$ of $N$ (usually 256) bytes and denote it by $S_N$ after the KSA. Under reasonable assumptions we present a simple proof that each permutation byte after the KSA is significantly biased (either positively or negatively) towards many values in the range $0, \ldots, N - 1$. These biases are independent of the secret key and thus present evidence that the permutation after the KSA can be distinguished from a random permutation without any assumption on the secret key. We also present a detailed empirical study over Mantin's work where the theoretical formulae vary significantly from experimental results due to repetition of short keys in RC4. Further, it is explained how these results can be used to identify new distinguishers for the RC4 keystream.

Keywords: Bias, Cryptography, Cryptanalysis, Key Scheduling Algorithm, RC4, Stream Cipher.

1 Introduction
RC4, one of the most popular stream ciphers to date, was proposed by Rivest in 1987. The cipher gained its popularity from its extremely simple structure and substantially good strength in security: even after the many weaknesses explored in the literature (see [1,2,3,4,5,6,7,9,10,11,12,13,14] and the references in these papers), it could not be thoroughly cracked. Studying weaknesses of RC4 has received serious attention in the literature, and these studies are believed to be quite useful in the further development of stream ciphers that exploit the shuffle-exchange paradigm.
Before getting into our contribution, let us briefly present the Key Scheduling Algorithm (KSA) and the Pseudo Random Generation Algorithm (PRGA) of RC4. The data structure consists of (1) an array of size $N$ (in practice 256, which is followed in this paper) which contains a permutation of $0, \ldots, N - 1$, (2) two indices $i, j$ and (3) the secret key array $K$. Given a secret key $k$ of $l$ bytes (typically 5 to 32), the array $K$ of size $N$ is such that $K[i] = k[i \bmod l]$ for any $i$, $0 \le i \le N - 1$. All additions used in the description of the algorithm are modulo $N$ additions.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 100–109, 2007.
© Springer-Verlag Berlin Heidelberg 2007

Algorithm KSA
    Initialization:
        For i = 0, ..., N − 1
            S[i] = i;
        j = 0;
    Scrambling:
        For i = 0, ..., N − 1
            j = (j + S[i] + K[i]);
            Swap(S[i], S[j]);

Algorithm PRGA
    Initialization:
        i = j = 0;
    Output Keystream Generation Loop:
        i = i + 1;
        j = j + S[i];
        Swap(S[i], S[j]);
        t = S[i] + S[j];
        Output z = S[t];

RC4 KSA has been analysed deeply in [13,14,2,11]. All these works discuss the
relationship of the permutation bytes after the KSA with the secret key. For a
proper design, the permutation S after the KSA should not have any correlation
with the secret keys. However, weaknesses of RC4 in this aspect have already
been reported [13,14,2,11]. These weaknesses, in turn, leak information about
RC4 secret key in the initial keystream output bytes [10].
Another approach of study is to look at the permutation after the KSA in
a (secret) key independent manner and try to distinguish it from random per-
mutations. In [9], the sign of the permutation after the KSA has been studied
(see [9] for the definition of the sign of a permutation). There it has been shown
that, after the KSA, the sign of the permutation can be guessed with probability
56%.
In [8, Chapter 6 and Appendix C] and later in [9], the problem of estimating
P (SN [u] = v) has been discussed. A complete proof for these results has been
presented in [8, Chapter 6 and Appendix C]. We present an independent proof
technique in this paper which looks simpler. We argue in more detail in Section 2
how our technique is different from that in [8]. Due to the small keys (say 5 to 32
bytes) generally used in RC4, some of the assumptions differ from practice and
hence the theoretical formulae do not match with the experimental results. We
also detail this over the already identified anomalies in [8]. Further, we discuss
applications to show how these results can be used to present new distinguishers
for RC4. The distinguishers discussed in this paper are different from the earlier
ones [1,3,5,7,12].

2 Bias in Each Permutation Byte

We denote the initial identity permutation by $S_0$ and the permutation at the end of the $r$-th round of the KSA by $S_r$, $1 \le r \le N$ (note that $r = i + 1$, for the deterministic index $i$, $0 \le i \le N - 1$). Thus, the permutation after the KSA will be denoted by $S_N$. By $j_r$, we denote the value of the index $j$ after it is updated in round $r$. We consider the index $j$ of each round to be distributed uniformly at random. Further, we replace the joint probabilities with the product of the probabilities of the individual events, assuming that the events under consideration are statistically independent.

Lemma 1. $P(S_2[0] = 1) = \dfrac{2(N-1)}{N^2}$.

Proof. In the first round, we have $i = 0$, and $j_1 = 0 + S[0] + K[0] = K[0]$. In the second round, $i = 1$ and $j_2 = j_1 + S_1[1] + K[1]$. We consider two mutually exclusive and exhaustive cases, namely, $K[0] = 1$ and $K[0] \ne 1$.
1. Take $K[0] = 1$. So, after the first swap, $S_1[0] = 1$ and $S_1[1] = 0$. Now, $j_2 = K[0] + 0 + K[1] = K[0] + K[1]$. Thus, after the second swap, $S_2[0]$ will remain 1, if $K[0] + K[1] \ne 0$. Hence the contribution of this case to the event $(S_2[0] = 1)$ is $P(K[0] = 1) \cdot P(K[0] + K[1] \ne 0) = \frac{1}{N} \cdot \frac{N-1}{N} = \frac{N-1}{N^2}$.
2. Take $K[0] \ne 1$. Then after the first swap, $S_1[1]$ remains 1. Now, $j_2 = K[0] + 1 + K[1] = K[0] + K[1] + 1$. Thus, after the second swap, $S_2[0]$ will get the value 1, if $K[0] + K[1] + 1 = 0$. Hence the contribution of this case to the event $(S_2[0] = 1)$ is $P(K[0] \ne 1) \cdot P(K[0] + K[1] + 1 = 0) = \frac{N-1}{N} \cdot \frac{1}{N} = \frac{N-1}{N^2}$.
Adding the two contributions, we get the total probability as $\frac{2(N-1)}{N^2}$. $\square$


We here calculate P (Sv+1 [u] = v) for the special case u = 0, v = 1. Note that
the form of P (Sv+1 [u] = v) for v ≥ u + 1 in general (see Lemma 2 later) does
not work for the case u = 0, v = 1 only. This will be made clear in Remark 1
after the proof of Lemma 2.

Proposition 1. $P(S_v[v] = v) = \left(\frac{N-1}{N}\right)^v$, for $v \ge 0$.

Proof. In the rounds 1 through $v$, the deterministic index $i$ touches the permutation indices $0, 1, \ldots, v - 1$. Thus, after round $v$, $S_v[v]$ will remain the same as $S_0[v] = v$, if $v$ has not been equal to any of the $v$ many pseudo-random indices $j_1, j_2, \ldots, j_v$. The probability of this event is $(\frac{N-1}{N})^v$. So the result holds for $v \ge 1$. Furthermore, $P(S_0[0] = 0) = 1 = (\frac{N-1}{N})^0$. Hence, for any $v \ge 0$, we have $P(S_v[v] = v) = (\frac{N-1}{N})^v$. $\square$


Proposition 2. For $v \ge u + 1$, $P(S_v[u] = v) = \frac{1}{N} \cdot \left(\frac{N-1}{N}\right)^{v-u-1}$.

Proof. In round $u + 1$, the permutation index $u$ is touched by the deterministic index $i$ for the first time and the value at index $u$ is swapped with the value at a random location based on $j_{u+1}$. Hence, $P(S_{u+1}[u] = v) = \frac{1}{N}$. The probability that the index $u$ is not touched by any of the subsequent $v - u - 1$ many $j$ values, namely, $j_{u+2}, \ldots, j_v$, is given by $(\frac{N-1}{N})^{v-u-1}$. So, after the end of round $v$, $P(S_v[u] = v) = \frac{1}{N} \cdot (\frac{N-1}{N})^{v-u-1}$. $\square$


Lemma 2. For $v \ge u + 1$ (except for the case "$u = 0$ and $v = 1$"),
\[
P(S_{v+1}[u] = v) = \frac{1}{N}\left(\frac{N-1}{N}\right)^{v-u} + \frac{1}{N}\left(\frac{N-1}{N}\right)^{v} - \frac{1}{N^2}\left(\frac{N-1}{N}\right)^{2v-u-1}.
\]

Proof. In round $v + 1$, $i = v$ and $j_{v+1} = j_v + S_v[v] + K[v]$. The event $(S_{v+1}[u] = v)$ can occur in two ways.
1. $S_v[u]$ already had the value $v$ and the index $u$ is not involved in the swap in round $v + 1$.
2. $S_v[u] \ne v$ and the value $v$ comes into the index $u$ from the index $v$ (i.e., $S_v[v] = v$) by the swap in round $v + 1$.
From Proposition 1, we have $P(S_v[v] = v) = (\frac{N-1}{N})^v$ and from Proposition 2, we have $P(S_v[u] = v) = \frac{1}{N}(\frac{N-1}{N})^{v-u-1}$. Hence,
\[
\begin{aligned}
P(S_{v+1}[u] = v) &= P(S_v[u] = v) \cdot P(j_v + S_v[v] + K[v] \ne u) \\
&\quad + P(S_v[u] \ne v) \cdot P(S_v[v] = v) \cdot P(j_v + S_v[v] + K[v] = u) \\
&\qquad \text{(except for the case "$u = 0$ and $v = 1$", see Remark 1)} \\
&= \frac{1}{N}\left(\frac{N-1}{N}\right)^{v-u-1} \cdot \frac{N-1}{N} + \left(1 - \frac{1}{N}\left(\frac{N-1}{N}\right)^{v-u-1}\right)\left(\frac{N-1}{N}\right)^{v} \cdot \frac{1}{N} \\
&= \frac{1}{N}\left(\frac{N-1}{N}\right)^{v-u} + \frac{1}{N}\left(\frac{N-1}{N}\right)^{v} - \frac{1}{N^2}\left(\frac{N-1}{N}\right)^{2v-u-1}. \qquad\square
\end{aligned}
\]

Remark 1. Case 1 in the proof of Lemma 2 applies to Lemma 1 also. In case 2,
i.e., when $S_v[u] \ne v$, in general we may or may not have $S_v[v] = v$. However,
for $u = 0$ and $v = 1$, $(S_1[0] \ne 1) \iff (S_1[1] = 1)$, the probability of each of
which is $\frac{N-1}{N}$ (note that there has been only one swap involving the indices 0
and $K[0]$ in round 1). Hence the contribution of case 2 except for "$u = 0$ and
$v = 1$" would be $P(S_v[u] \ne v) \cdot P(S_v[v] = v) \cdot P(j_v + S_v[v] + K[v] = u)$, and
for "$u = 0$ and $v = 1$" it would be $P(S_1[0] \ne 1) \cdot P(j_1 + S_1[1] + K[1] = 0)$ or,
equivalently, $P(S_1[1] = 1) \cdot P(j_1 + S_1[1] + K[1] = 0)$.
Lemma 3. Let $p^{u,v}_r = P(S_r[u] = v)$, for $1 \le r \le N$. Given $p^{u,v}_t$, i.e., $P(S_t[u] = v)$
for any intermediate round $t$, $\max\{u, v\} < t \le N$, $P(S_r[u] = v)$ after the
$r$-th round of the KSA is given by
$$p^{u,v}_t \cdot \left(\frac{N-1}{N}\right)^{r-t} + (1 - p^{u,v}_t) \cdot \frac{1}{N}\left(\frac{N-1}{N}\right)^v \cdot \left(1 - \left(\frac{N-1}{N}\right)^{r-t}\right), \quad t \le r \le N.$$

Proof. After round $t$ ($> \max\{u, v\}$), there may be two different cases: $S_t[u] = v$
and $S_t[u] \ne v$. Both of these can contribute to the event $(S_r[u] = v)$ in the
following ways.
1. $S_t[u] = v$ and the index $u$ is not touched by any of the subsequent $r - t$
many $j$ values. The contribution of this part is $P(S_t[u] = v) \cdot (\frac{N-1}{N})^{r-t} = p^{u,v}_t \cdot (\frac{N-1}{N})^{r-t}$.
2. $S_t[u] \ne v$ and for some $x$ in the interval $[t, r - 1]$, $S_x[x] = v$ which comes into
the index $u$ from the index $x$ by the swap in round $x + 1$, and after that the
index $u$ is not touched by any of the subsequent $r - 1 - x$ many $j$ values. So
the contribution of the second part is given by
$$\sum_{x=t}^{r-1} P(S_t[u] \ne v) \cdot P(S_x[x] = v) \cdot P(j_{x+1} = u) \cdot \left(\frac{N-1}{N}\right)^{r-1-x}.$$

Suppose the value $v$ remains in location $v$ after round $v$. By Proposition 1,
this probability, i.e., $P(S_v[v] = v)$, is $(\frac{N-1}{N})^v$. The swap in the next round

moves the value $v$ to a random location $x = j_{v+1}$. Thus, $P(S_{v+1}[x] = v) = P(S_v[v] = v) \cdot P(j_{v+1} = x) = (\frac{N-1}{N})^v \cdot \frac{1}{N}$. For all $x > v$, until $x$ is touched by the
deterministic index $i$, i.e., until round $x + 1$, $v$ will remain randomly distributed.
Hence, for all $x > v$, $P(S_x[x] = v) = P(S_{v+1}[x] = v) = \frac{1}{N}(\frac{N-1}{N})^v$ and
$$\sum_{x=t}^{r-1} P(S_t[u] \ne v) \cdot P(S_x[x] = v) \cdot P(j_{x+1} = u) \cdot \left(\frac{N-1}{N}\right)^{r-1-x}$$
$$= (1 - p^{u,v}_t) \cdot \frac{1}{N}\left(\frac{N-1}{N}\right)^v \cdot \frac{1}{N} \cdot \sum_{x=t}^{r-1} \left(\frac{N-1}{N}\right)^{r-1-x}$$
$$= (1 - p^{u,v}_t) \cdot \frac{1}{N^2}\left(\frac{N-1}{N}\right)^v \cdot \sum_{x=t}^{r-1} \left(\frac{N-1}{N}\right)^{r-1-x} = (1 - p^{u,v}_t) \cdot \frac{1}{N^2}\left(\frac{N-1}{N}\right)^v \cdot \frac{1 - a^{r-t}}{1 - a},$$
where $a = \frac{N-1}{N}$. Substituting the value of $a$ and simplifying, we get the above
probability as $(1 - p^{u,v}_t) \cdot \frac{1}{N}(\frac{N-1}{N})^v \cdot \left(1 - (\frac{N-1}{N})^{r-t}\right)$.
Now, combining the above two contributions, we get
$$p^{u,v}_r = p^{u,v}_t \cdot \left(\frac{N-1}{N}\right)^{r-t} + (1 - p^{u,v}_t) \cdot \frac{1}{N}\left(\frac{N-1}{N}\right)^v \cdot \left(1 - \left(\frac{N-1}{N}\right)^{r-t}\right). \quad □$$


Corollary 1. Given $p^{u,v}_t$, i.e., $P(S_t[u] = v)$ for any intermediate round $t$,
$\max\{u, v\} < t \le N$, $P(S_N[u] = v)$ after the complete KSA is given by
$$p^{u,v}_t \cdot \left(\frac{N-1}{N}\right)^{N-t} + (1 - p^{u,v}_t) \cdot \frac{1}{N}\left(\frac{N-1}{N}\right)^v \cdot \left(1 - \left(\frac{N-1}{N}\right)^{N-t}\right).$$

Proof. Substitute $r = N$ in Lemma 3. □




Theorem 1.
(1) For $0 \le u \le N - 2$, $u + 1 \le v \le N - 1$,
$$P(S_N[u] = v) = p^{u,v}_{v+1} \cdot \left(\frac{N-1}{N}\right)^{N-1-v} + (1 - p^{u,v}_{v+1}) \cdot \frac{1}{N} \cdot \left(\left(\frac{N-1}{N}\right)^v - \left(\frac{N-1}{N}\right)^{N-1}\right),$$
where
$$p^{u,v}_{v+1} = \begin{cases} \frac{2(N-1)}{N^2} & \text{if } u = 0 \text{ and } v = 1; \\ \frac{1}{N} \cdot \left(\frac{N-1}{N}\right)^{v-u} + \frac{1}{N} \cdot \left(\frac{N-1}{N}\right)^v - \frac{1}{N^2} \cdot \left(\frac{N-1}{N}\right)^{2v-u-1} & \text{otherwise.} \end{cases}$$
(2) For $0 \le v \le N - 1$, $v \le u \le N - 1$,
$$P(S_N[u] = v) = \frac{1}{N} \cdot \left(\frac{N-1}{N}\right)^{N-1-u} + \frac{1}{N} \cdot \left(\frac{N-1}{N}\right)^{v+1} - \frac{1}{N} \cdot \left(\frac{N-1}{N}\right)^{N+v-u}.$$

Proof. First we prove item (1). Since $v > u$, for any $t > v$ we will have
$t > \max\{u, v\}$. Substituting $t = v + 1$ in Corollary 1, we have
$$P(S_N[u] = v) = p^{u,v}_{v+1} \cdot \left(\frac{N-1}{N}\right)^{N-1-v} + (1 - p^{u,v}_{v+1}) \cdot \frac{1}{N}\left(\frac{N-1}{N}\right)^v \cdot \left(1 - \left(\frac{N-1}{N}\right)^{N-1-v}\right)$$
$$= p^{u,v}_{v+1} \cdot \left(\frac{N-1}{N}\right)^{N-1-v} + (1 - p^{u,v}_{v+1}) \cdot \frac{1}{N} \cdot \left(\left(\frac{N-1}{N}\right)^v - \left(\frac{N-1}{N}\right)^{N-1}\right).$$
Now, from Lemma 2, we get $p^{u,v}_{v+1} = \frac{1}{N} \cdot (\frac{N-1}{N})^{v-u} + \frac{1}{N} \cdot (\frac{N-1}{N})^v - \frac{1}{N^2} \cdot (\frac{N-1}{N})^{2v-u-1}$, except for "$u = 0$
and $v = 1$". Also, Lemma 1 gives $p^{0,1}_2 = \frac{2(N-1)}{N^2}$. Substituting these values of
$p^{u,v}_{v+1}$, we get the result.
Now we prove item (2). Here we have $u \ge v$. So for any $t > u$, we will have
$t > \max\{u, v\}$. Substituting $t = u + 1$ in Corollary 1, we have
$$P(S_N[u] = v) = p^{u,v}_{u+1} \cdot \left(\frac{N-1}{N}\right)^{N-1-u} + (1 - p^{u,v}_{u+1}) \cdot \frac{1}{N}\left(\frac{N-1}{N}\right)^v \cdot \left(1 - \left(\frac{N-1}{N}\right)^{N-1-u}\right).$$

As $p^{u,v}_{u+1} = P(S_{u+1}[u] = v) = \frac{1}{N}$ (see proof of Proposition 2), substituting this
in the above expression, we get
$$P(S_N[u] = v) = \frac{1}{N} \cdot \left(\frac{N-1}{N}\right)^{N-1-u} + \left(1 - \frac{1}{N}\right) \cdot \frac{1}{N}\left(\frac{N-1}{N}\right)^v \cdot \left(1 - \left(\frac{N-1}{N}\right)^{N-1-u}\right)$$
$$= \frac{1}{N} \cdot \left(\frac{N-1}{N}\right)^{N-1-u} + \frac{1}{N} \cdot \left(\frac{N-1}{N}\right)^{v+1} - \frac{1}{N} \cdot \left(\frac{N-1}{N}\right)^{N+v-u}. \quad □$$


We would like to mention that our final formulae in Theorem 1 are very close to the
results presented in [8] apart from some minor differences, such as terms with $N^2$ in
the denominator or a difference of 1 in the exponent. These differences are negligible,
and we have also checked, by calculating the numerical values of the theoretical
results, that for $N = 256$ the maximum absolute difference between our results
and the results of [8] is 0.000025 and the average of the absolute differences is
0.000005.
However, our approach is different from that of [8]. In [8], the idea of relative
positions is introduced. If the current deterministic index is $i$, then relative
position $a$ means the position $(i + 1 + a) \bmod N$. The transfer function
$T(a, b, r)$, which represents the probability that the value in relative position $a$ in
$S$ will reach relative position $b$ in the permutation generated from $S$ by executing
$r$ RC4 rounds, has the following explicit form by [8, Claim C.3.3]:
$T(a, b, r) = p(q^a + q^{r-(b+1)} - q^{a+r-(b+1)})$ if $a \le b$ and $T(a, b, r) = p(q^a + q^{r-(b+1)})$
if $a > b$, where $p = \frac{1}{N}$ and $q = \frac{N-1}{N}$. This solution is obtained by solving
a recurrence [8, Equation C.3.1] which expresses $T(a, b, r)$ in terms of
$T(a - 1, b - 1, r - 1)$. Instead, we use the probabilities $P(S_t[u] = v)$ in order to
calculate the probabilities $P(S_r[u] = v)$, which immediately gives $P(S_N[u] = v)$
with $r = N$. When $v > u$, we take $t = v + 1$ and when $v \le u$, we take $t = u + 1$
(see Theorem 1). However, the values $u + 1$ and $v + 1$ are not special. If we happen
to know the probabilities $P(S_t[u] = v)$ at any round $t$ between $\max\{u, v\} + 1$
and $N$, then we can arrive at the probabilities $P(S_r[u] = v)$ using Lemma 3.
The recurrence relation in [8] is over three variables $a$, $b$ and $r$, and at each step
each of these three variables is reduced by one. On the other hand, our model
has the following features.

1. It relates four variables $u$, $v$, $t$ and $r$ which respectively denote any index $u$
in the permutation (analogous to $b$), any value $v \in [0, \ldots, N - 1]$ (analogous
to the value at $a$), any round $t > \max\{u, v\}$ and a particular round $r \ge t$.
2. Though in our formulation we do not solve any recurrence relation and provide
a direct proof, it can be considered analogous to a recurrence over a
single variable $r$, the other two variables $u$ and $v$ remaining fixed.

3 Anomaly Pairs and New Distinguishers

To evaluate how closely our theoretical formulae tally with the experimental
results, we use the average percentage absolute error $\bar{\epsilon}$. Let $p^{u,v}_N$ and $q^{u,v}_N$ respectively
denote the theoretical and the experimental value of the probability $P(S_N[u] = v)$,
$0 \le u \le N - 1$, $0 \le v \le N - 1$. We define
$$\epsilon_{u,v} = \frac{|p^{u,v}_N - q^{u,v}_N|}{q^{u,v}_N} \cdot 100\% \quad \text{and} \quad \bar{\epsilon} = \frac{1}{N^2} \sum_{u=0}^{N-1} \sum_{v=0}^{N-1} \epsilon_{u,v}.$$
We ran experiments for 100 million randomly chosen
secret keys of 32 bytes and found that $\bar{\epsilon} = 0.22\%$. The maximum of the $\epsilon_{u,v}$'s was
35.37% and it occurred for $u = 128$ and $v = 127$. Though the maximum error is
quite high, we find that out of $N^2 = 65536$ (with $N = 256$) many $\epsilon_{u,v}$'s, only 11
(< 0.02% of 65536) exceeded the 5% error margin. These cases are summarized in
Table 1 below. We call the pairs $(u, v)$ for which $\epsilon_{u,v} > 5\%$ anomaly pairs.

Table 1. The anomaly pairs for key length 32 bytes

  u    v    p^{u,v}_N   q^{u,v}_N   |p^{u,v}_N - q^{u,v}_N|   ε_{u,v} (in %)
 38    6    0.003846    0.003409    0.000437                 12.82
 38   31    0.003643    0.003067    0.000576                 18.78
 46   31    0.003649    0.003408    0.000241                  7.07
 47   15    0.003774    0.003991    0.000217                  5.44
 48   16    0.003767    0.003974    0.000207                  5.21
 66    2    0.003882    0.003372    0.000510                 15.12
 66   63    0.003454    0.002797    0.000657                 23.49
 70   63    0.003460    0.003237    0.000223                  6.89
128    0    0.003900    0.003452    0.000448                 12.98
128  127    0.003303    0.002440    0.000863                 35.37
130  127    0.003311    0.003022    0.000289                  9.56

The experimental values of $P(S_N[u] = v)$ match the theoretical values
given by our formula except at these few anomaly pairs. For example, $q^{38,v}_N$
follows the pattern predicted by $p^{38,v}_N$ for all $v$'s, $0 \le v \le 255$, except at $v = 6$
and $v = 31$ as pointed out in Table 1.
We experimented with different key lengths (100 million random keys for
each key length) and found that the location of the anomaly pairs and the total
number of anomaly pairs vary with the key lengths in certain cases. Table 2
shows the number $n_5$ of anomaly pairs (when $\epsilon_{u,v} > 5\%$) for different key lengths
$l$ (in bytes) along with the average $\bar{\epsilon}$ and the maximum $\epsilon_{max}$ of the $\epsilon_{u,v}$'s. $u_{max}$
and $v_{max}$ are the $(u, v)$ values which correspond to $\epsilon_{max}$. Though for some key
lengths there are more than a hundred anomaly pairs, most of them have $\epsilon_{u,v} \le 10\%$.
To illustrate this, we add the column $n_{10}$ which shows how many of the
anomaly pairs exceed the 10% error margin. The two rightmost columns show
what percentage of $256^2 = 65536$ (total number of $(u, v)$ pairs) are the numbers
$n_5$ and $n_{10}$.

Table 2. The number and percentage of anomaly pairs along with the average and
maximum error for different key lengths

  l   ε̄ (in %)   ε_max (in %)   u_max   v_max    n5    n10   n5 (in %)   n10 (in %)
  5     0.75        73.67          9     254    1160   763     1.770       1.164
  8     0.48        42.48         15     255     548   388     0.836       0.592
 12     0.30        21.09         23     183     293   198     0.447       0.302
 15     0.25        11.34         44     237     241     2     0.368       0.003
 16     0.24        35.15        128     127     161     7     0.246       0.011
 20     0.20         5.99         30     249       3     0     0.005       0.000
 24     0.19         4.91         32     247       0     0     0.000       0.000
 30     0.19         6.54         45      29       1     0     0.002       0.000
 32     0.22        35.37        128     127      11     6     0.017       0.009
 48     0.18         4.24        194     191       0     0     0.000       0.000
 64     0.26        35.26        128     127       6     4     0.009       0.006
 96     0.21         4.52        194     191       0     0     0.000       0.000
128     0.34        37.00        128     127       3     2     0.005       0.003
256     0.46         2.58         15     104       0     0     0.000       0.000

These results indicate that as the key length increases, the proportion of
anomaly pairs tends to decrease. With a 256-byte key, we have no anomaly pair
with $\epsilon_{u,v} > 5\%$, i.e., $n_5 = 0$. It has also been pointed out in [8] that as the
key length increases, the actual random behaviour of the key is demonstrated,
and that is why the number of anomaly pairs decreases and the experimental results
match the theoretical formulae. In [8, Section 6.3.2] the anomalies are discussed
for rows and columns 9, 19 and also for the diagonal given short keys such as 5 bytes.
We now discuss these results in more detail and how they can be applied to
distinguish the RC4 keystream from random streams.
We denote the permutation after the $r$-th round of the PRGA by $S^G_r$ for $r \ge 1$.
Lemma 4. Consider $B \subset [0, \ldots, N - 1]$ with $|B| = b$. Let $P(S_N[r] \in B) = \frac{b}{N} + \epsilon$,
where $\epsilon$ can be positive or negative. Then $P(S^G_{r-1}[r] \in B) = \frac{b}{N} + \delta$, where
$$\delta = \left(\frac{b}{N} + \epsilon\right) \cdot \left[\left(\frac{N-1}{N}\right)^{r-1} + \left(1 - \left(\frac{N-1}{N}\right)^{r-1}\right) \cdot \left(\frac{b-1}{N-1} - \frac{b}{N}\right)\right] - \frac{b}{N} \cdot \left(\frac{N-1}{N}\right)^{r-1}, \quad r \ge 1.$$

Proof. The event $(S^G_{r-1}[r] \in B)$ can occur in three ways.
1. $S_N[r] \in B$ and the index $r$ is not touched by any of the $r - 1$ many $j$ values
during the first $r - 1$ rounds of the PRGA. The contribution of this part is
$(\frac{b}{N} + \epsilon) \cdot (\frac{N-1}{N})^{r-1}$.
2. $S_N[r] \in B$ and index $r$ is touched by at least one of the $r - 1$ many $j$
values during the first $r - 1$ rounds of the PRGA. Further, after the swap(s),
the value $S_N[r]$ remains in the set $B$. This will happen with probability
$(\frac{b}{N} + \epsilon) \cdot \left(1 - (\frac{N-1}{N})^{r-1}\right) \cdot \frac{b-1}{N-1}$.
3. $S_N[r] \notin B$ and index $r$ is touched by at least one of the $r - 1$ many $j$ values
during the first $r - 1$ rounds of the PRGA. Due to the swap(s), the value
$S_N[r]$ comes to the set $B$. This will happen with probability
$(1 - \frac{b}{N} - \epsilon) \cdot \left(1 - (\frac{N-1}{N})^{r-1}\right) \cdot \frac{b}{N}$.

Adding these contributions, we get the total probability as
$$\left(\frac{b}{N} + \epsilon\right) \cdot \left[\left(\frac{N-1}{N}\right)^{r-1} + \left(1 - \left(\frac{N-1}{N}\right)^{r-1}\right) \cdot \left(\frac{b-1}{N-1} - \frac{b}{N}\right)\right] + \frac{b}{N} - \frac{b}{N} \cdot \left(\frac{N-1}{N}\right)^{r-1}. \quad □$$


Lemma 5. If $P(S^G_{r-1}[r] \in B) = \frac{b}{N} + \delta$, then $P(z_r \in C) = \frac{b}{N} + \frac{2\delta}{N}$, where
$C = \{c \mid c = r - b \text{ where } b \in B\}$, $r \ge 1$.
  

Proof. The event $(z_r \in C)$ can happen in two ways.
1. $S^G_{r-1}[r] \in B$ and $z_r = r - S^G_{r-1}[r]$. From the Glimpse theorem [4,6], we have
$P(z_r = r - S^G_{r-1}[r]) = \frac{2}{N}$ for $r \ge 1$. Thus, the contribution of this part is
$\frac{2}{N}(\frac{b}{N} + \delta)$.
2. $S^G_{r-1}[r] \notin B$ and still $z_r \in C$ due to random association. The contribution of
this part is $(1 - \frac{2}{N}) \frac{b}{N}$.
Adding these two contributions, we get the result. □


Theorem 2. If $P(S_N[r] \in B) = \frac{b}{N} + \epsilon$, then
$$P(z_r \in C) = \frac{b}{N} + \frac{2}{N} \cdot \left\{\left(\frac{b}{N} + \epsilon\right) \cdot \left[\left(\frac{N-1}{N}\right)^{r-1} + \left(1 - \left(\frac{N-1}{N}\right)^{r-1}\right) \cdot \left(\frac{b-1}{N-1} - \frac{b}{N}\right)\right] - \frac{b}{N} \cdot \left(\frac{N-1}{N}\right)^{r-1}\right\},$$
where $C = \{c \mid c = r - b \text{ where } b \in B\}$, $r \ge 1$.

Proof. The proof immediately follows by combining Lemma 4 and Lemma 5. □




From the above results, it follows that for a single value $v$, if $P(S_N[r] = v) = \frac{1}{N} + \epsilon$,
then $P(z_r = r - v) = \frac{1}{N} + \frac{2\delta}{N}$, where the value of $\delta$ can be calculated by
substituting $b = 1$ in Lemma 5. This presents a non-uniform distribution of the
initial keystream output bytes $z_r$ for small $r$.
In [9, Section 6], it has been pointed out that $z_1$ (referred to as $z_0$ in [9]) may not
be uniformly distributed due to the non-uniform distribution of $S_N[1]$. The experimental
results presented in [9, Figure 6] show some bias which does not match
our theoretical or experimental results. According to our Theorem 2,
if $P(S_N[1] = v) = \frac{1}{N} + \epsilon$, then $P\left(z_1 = (1 - v) \bmod 256\right) = \frac{1}{N} + \frac{2\epsilon}{N}$, and this
presents the theoretical distribution of $z_1$.
When the bias of $S_N[r]$ towards a single value $v$ is propagated to $z_r$, the final
bias at $z_r$ is very small and difficult to observe experimentally. Rather, if we
start with the bias of $S_N[r]$ towards many values in some suitably chosen set
$B$, then a sum of $b = |B|$ many probabilities is propagated to $z_r$ according to
Theorem 2, making the bias of $z_r$ empirically observable too. For example, given
$1 \le r \le 127$, consider the set $B$ as the set of integers $[r + 1, \ldots, r + 128]$, i.e.,
$b = |B| = 128$. The theoretical formulae as well as the experimental results give
$P(S_N[r] \in B) > 0.5$, and in turn we get $P(z_r \in C) > 0.5$, which is observable at
the $r$-th keystream output byte of RC4. We have experimented with key length 32
bytes and 100 million runs for different $r$'s and the experimental results support
this theoretical claim. It is important to note that the non-uniform distribution
can be observed even at the 256-th output byte $z_{256}$, since the deterministic
index $i$ at round 256 becomes 0 and $S_N[0]$ has a non-uniform distribution as
follows from Theorem 1. For random association, $P(z_r \in C)$ should be $\frac{b}{N}$, which
is not the case here and thus all these results provide distinguishers for RC4.
We have earlier pointed out that for short key lengths, there exist many
anomaly pairs. We can exploit these to construct some additional distinguishers
by including in the set $B$ those values which are far away from being random.
We illustrate this in the two examples below. For 5 byte secret keys, we experimentally
observe over 100 million runs that $P(S_N[9] \in B) = 0.137564$ (which
is much less than the theoretical value 0.214785), where $B$ is the set of all even
integers greater than or equal to 128 and less than 256, i.e., $b = |B| = 64$
and $\frac{b}{N} = 0.25$. Using Theorem 2 we get $P(z_9 \in C) = 0.249530 < 0.25$,
where $C = \{c \mid c = 9 - b \text{ where } b \in B\}$. Again, for 8 byte secret keys, we
observe that $P(S_N[15] \in B) = 0.160751$ (which is much less than the theoretical
value 0.216581), where $B$ is the set of all odd integers greater than or
equal to 129 and less than 256, i.e., $b = |B| = 64$ once again. Theorem 2 gives
$P(z_{15} \in C) = 0.249340 < 0.25$, where $C = \{c \mid c = 15 - b \text{ where } b \in B\}$. Direct
experimental observations also confirm these biases of $z_9$ and $z_{15}$. Further, given

the values of δ approximately −0.1 in the above two examples, one can get new
linear distinguishers for RC4 with 5 byte and 8 byte keys.
It is interesting to note that since the anomaly pairs are different for different
key lengths, by suitably selecting the anomaly pairs in the set B, one can also
distinguish among RC4 of different key lengths.
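The bias formulae of Theorem 1 and the set-based distinguisher of Theorem 2 above, as an added worked example in Python (written for this page, not the authors' code): it implements the RC4 KSA and PRGA, evaluates Theorem 1, Lemma 4 and Theorem 2, and compares the Theorem 1 prediction for B = [r+1, ..., r+128] with a seeded simulation over a few thousand random keys instead of the paper's 10^8. N = 256 as in the paper; the seed, the run count and the function names are assumptions.

```python
"""Added example, not the paper's code: RC4 KSA/PRGA next to the bias
formulae of Theorem 1, Lemma 4 and Theorem 2, with a small simulation.
N = 256 as in the paper; q below is (N-1)/N."""
import random

N = 256
q = (N - 1) / N


def ksa(key):
    """RC4 key scheduling: returns the permutation S_N for a byte list."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def prga(S, nbytes):
    """RC4 PRGA on a copy of S: returns keystream bytes z_1 .. z_nbytes."""
    S = S[:]
    i = j = 0
    out = []
    for _ in range(nbytes):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return out


def p_v_plus_1(u, v):
    """p^{u,v}_{v+1} = P(S_{v+1}[u] = v) for v >= u+1 (Lemma 1 / Lemma 2)."""
    if u == 0 and v == 1:
        return 2 * (N - 1) / N ** 2
    return q ** (v - u) / N + q ** v / N - q ** (2 * v - u - 1) / N ** 2


def theorem1(u, v):
    """Theoretical P(S_N[u] = v) after the full KSA (Theorem 1)."""
    if v > u:  # item (1)
        p = p_v_plus_1(u, v)
        return p * q ** (N - 1 - v) + (1 - p) * (q ** v - q ** (N - 1)) / N
    # item (2), v <= u
    return (q ** (N - 1 - u) + q ** (v + 1) - q ** (N + v - u)) / N


def lemma4_delta(b, eps, r):
    """delta with P(S^G_{r-1}[r] in B) = b/N + delta, given
    P(S_N[r] in B) = b/N + eps and |B| = b (Lemma 4)."""
    qr = q ** (r - 1)
    return (b / N + eps) * (qr + (1 - qr) * ((b - 1) / (N - 1) - b / N)) \
        - (b / N) * qr


def theorem2(b, eps, r):
    """P(z_r in C), C = {r - x mod N : x in B} (Lemma 5 with Lemma 4)."""
    return b / N + 2 * lemma4_delta(b, eps, r) / N


def percent_error(p_theory, q_exp):
    """epsilon_{u,v} of Section 3: |p - q| / q in percent."""
    return abs(p_theory - q_exp) / q_exp * 100


def theoretical_set_bias(r):
    """Theorem 1 summed over B = [r+1, ..., r+128] (1 <= r <= 127), and
    the Theorem 2 prediction for P(z_r in C) that follows from it."""
    pB = sum(theorem1(r, v) for v in range(r + 1, r + 129))
    return pB, theorem2(128, pB - 128 / N, r)


def simulate_set_bias(r, keylen, runs, seed=1):
    """Empirical P(S_N[r] in B) and P(z_r in C) for the same B and C over
    `runs` random keys of `keylen` bytes (constructed, seeded input)."""
    rng = random.Random(seed)
    B = set(range(r + 1, r + 129))
    C = {(r - x) % N for x in B}
    hit_S = hit_z = 0
    for _ in range(runs):
        key = [rng.randrange(N) for _ in range(keylen)]
        S = ksa(key)
        hit_S += S[r] in B
        hit_z += prga(S, r)[r - 1] in C
    return hit_S / runs, hit_z / runs


if __name__ == "__main__":
    for u, v, q_exp in ((38, 6, 0.003409), (128, 127, 0.002440)):  # Table 1 rows
        p = theorem1(u, v)
        print(u, v, round(p, 6), round(percent_error(p, q_exp), 2))
    print("theory r=1:", theoretical_set_bias(1))
    print("simulated r=1:", simulate_set_bias(1, 32, 5000))
```

The two Table 1 rows are reproduced to six decimals by `theorem1`, and the bias of S_N[1] towards [2, ..., 129] is already visible with a few thousand keys.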

Acknowledgments. We thank the anonymous reviewers for detailed comments
that improved editorial as well as technical presentation of this paper.

References
1. Fluhrer, S.R., McGrew, D.A.: Statistical Analysis of the Alleged RC4 Keystream
Generator. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 19–30. Springer,
Heidelberg (2001)
2. Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the Key Scheduling Algorithm
of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp.
1–24. Springer, Heidelberg (2001)
3. Golic, J.: Linear statistical weakness of alleged RC4 keystream generator. In: Fumy,
W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 226–238. Springer, Heidelberg
(1997)
4. Jenkins, R.J.: ISAAC and RC4 (1996), http://burtleburtle.net/bob/rand/isaac.html
5. Mantin, I., Shamir, A.: A Practical Attack on Broadcast RC4. In: Matsui, M. (ed.)
FSE 2001. LNCS, vol. 2355, pp. 152–164. Springer, Heidelberg (2002)
6. Mantin, I.: A Practical Attack on the Fixed RC4 in the WEP Mode. In: Roy,
B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 395–411. Springer, Heidelberg
(2005)
7. Mantin, I.: Predicting and Distinguishing Attacks on RC4 Keystream Genera-
tor. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 491–506.
Springer, Heidelberg (2005)
8. Mantin, I.: Analysis of the Stream Cipher RC4. Master’s Thesis. The Weizmann
Institute of Science, Israel (2001)
9. Mironov, I.: Random Shuffles of RC4. In: Yung, M. (ed.) CRYPTO 2002. LNCS,
vol. 2442, pp. 304–319. Springer, Heidelberg (2002)
10. Paul, G., Rathi, S., Maitra, S.: On Non-negligible Bias of the First Output Byte
of RC4 towards the First Three Bytes of the Secret Key. In: 2007 International
Workshop on Coding and Cryptography, pp. 285–294 (2007)
11. Paul, G., Maitra, S.: Permutation after RC4 Key Scheduling Reveals the Secret
Key. In: SAC 2007. 14th Annual Workshop on Selected Areas in Cryptography,
Ottawa, Canada (2007)
12. Paul, S., Preneel, B.: A New Weakness in the RC4 Keystream Generator and an
Approach to Improve the Security of the Cipher. In: Roy, B., Meier, W. (eds.) FSE
2004. LNCS, vol. 3017, pp. 245–259. Springer, Heidelberg (2004)
13. Roos, A.: A class of weak keys in the RC4 stream cipher (1995), Available at
http://marcel.wanda.ch/Archive/WeakKeys
14. Wagner, D.: My RC4 weak keys (1995),
http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys
Correctable Errors of Weight Half the Minimum
Distance Plus One for the First-Order
Reed-Muller Codes

Kenji Yasunaga and Toru Fujiwara

Graduate School of Information Science and Technology,
Osaka University, Suita 565-0871, Japan
{k-yasunaga, fujiwara}@ist.osaka-u.ac.jp

Abstract. The number of correctable/uncorrectable errors of weight
half the minimum distance plus one for the first-order Reed-Muller
codes is determined. From a cryptographic viewpoint, this result
immediately leads to the exact number of Boolean functions of $m$
variables with nonlinearity $2^{m-2} + 1$. The notion of larger half and
trial set, which is introduced by Helleseth, Kløve, and Levenshtein to
describe the monotone structure of correctable/uncorrectable errors,
plays a significant role in the result.

Keywords: Syndrome decoding, Reed-Muller code, correctable error,
Boolean function, nonlinearity, larger half.

1 Introduction

In syndrome decoding, the correctable errors are coset leaders of a code. The
syndrome decoding performs maximum likelihood decoding if a minimum weight
vector in each coset is taken as the coset leader. When there are two or more
minimum weight vectors in a coset, we have choices of the coset leader. If the
lexicographically smallest minimum weight vector is taken as the coset leader,
then both the correctable errors and the uncorrectable errors have a monotone
structure. That is, when $y$ covers $x$ (the support of $y$ contains that of $x$), if
$y$ is correctable, then $x$ is also correctable, and if $x$ is uncorrectable, then $y$
is also uncorrectable [1]. Using this monotone structure, Helleseth, Kløve, and
Levenshtein introduced larger halves of codewords and trial sets for codes to
describe the monotone structure of errors and gave an improved upper bound
on the number of uncorrectable errors using these notions [3].
The binary $r$-th order Reed-Muller code of length $2^m$ corresponds to the
Boolean functions of $m$ variables with degree at most $r$. The first-order Reed-Muller
code of length $2^m$, denoted by $RM_m$, corresponds to the set of affine
functions of $m$ variables. The nonlinearity of a Boolean function $f$ of $m$ variables
is defined as the minimum distance between $f$ and affine functions, and is
equal to the weight of the coset leader in the coset $f$ belongs to. Hence the weight
distribution of coset leaders of $RM_m$ represents the distribution of nonlinearity

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 110–119, 2007.
© Springer-Verlag Berlin Heidelberg 2007
Correctable Errors of Weight Half the Minimum Distance Plus One 111

of Boolean functions. When the number of coset leaders of weight $i$ is $p$, the number
of Boolean functions with the nonlinearity $i$ is given by $p|RM_m| = p \cdot 2^{m+1}$.
Nonlinearity is an important criterion for cryptographic systems, in particular
block ciphers and stream ciphers. There has been much study of the nonlinearity of
Boolean functions in cryptography, see [4,5] and references therein. The weight
distributions of the cosets of $RM_5$ are completely determined in [6]. In general,
however, it is infeasible to obtain the weight distributions of the cosets (even
only the coset leaders) of $RM_m$. Since the minimum distance of $RM_m$ is $2^{m-1}$,
the problem is to know the number of the coset leaders of weight $\ge 2^{m-2}$. The
explicit expression of the number of coset leaders of weight $w$, which is equal to
the number of correctable errors of weight $w$, is given only for $w = 2^{m-2}$ [7].
In this paper, we determine the number of correctable/uncorrectable errors
of weight $2^{m-2} + 1$ for $RM_m$, from which the number of Boolean functions with
nonlinearity $2^{m-2} + 1$ is immediately obtained. To derive this result, we mainly
use the properties of larger halves and trial sets.

2 Larger Halves and Trial Sets


Let $F^n$ be the set of all binary vectors of length $n$. Let $C \subseteq F^n$ be a binary linear
code of length $n$, dimension $k$, and minimum distance $d$. Then $F^n$ is partitioned
into $2^{n-k}$ cosets $C_1, C_2, \ldots, C_{2^{n-k}}$; $F^n = \bigcup_{i=1}^{2^{n-k}} C_i$ and $C_i \cap C_j = \emptyset$ for $i \ne j$,
where each $C_i = \{v_i + c : c \in C\}$ with $v_i \in F^n$. The vector $v_i$ is called the coset
leader of the coset $C_i$, and any vector in $C_i$ can be taken as $v_i$.
Let $H$ be a parity check matrix of $C$. The syndrome of a vector $v \in F^n$ is
defined as $vH^T$. All vectors having the same syndrome are in the same coset.
Syndrome decoding associates an error vector to each syndrome. The syndrome
decoder presumes that the error vector added to the received vector $y$ is the
coset leader of the coset which contains $y$. The syndrome decoding function
$D : F^n \to C$ is defined as
$$D(y) = y + v_i \quad \text{if } y \in C_i.$$
If each $v_i$ has the minimum weight in its coset $C_i$, the syndrome decoder performs
as a maximum likelihood decoder.
In this paper, we take as $v_i$ the minimum element in $C_i$ with respect to the
following total ordering $\preceq$:
$$x \preceq y \quad \text{if and only if} \quad w(x) < w(y), \text{ or } w(x) = w(y) \text{ and } v(x) \le v(y),$$
where $w(x)$ denotes the Hamming weight of a vector $x = (x_1, x_2, \ldots, x_n)$ and
$v(x)$ denotes the numerical value of $x$:
$$v(x) = \sum_{i=1}^{n} x_i 2^{n-i}.$$
We write $x \prec y$ if $x \preceq y$ and $x \ne y$.

Let $E^0(C)$ be the set of all coset leaders of $C$. In the syndrome decoding,
$E^0(C)$ is the set of correctable errors and $E^1(C) = F^n \setminus E^0(C)$ is the set of
uncorrectable errors. Since we take the minimum element with respect to $\preceq$
in each coset as its coset leader, both $E^0(C)$ and $E^1(C)$ have the following
well-known monotone structure, see [1, Theorem 3.11]. Let $\subseteq$ denote a partial
ordering called "covering" such that
$$x \subseteq y \quad \text{if and only if} \quad S(x) \subseteq S(y),$$
where
$$S(v) = \{i : v_i \ne 0\}$$
is the support of $v = (v_1, v_2, \ldots, v_n)$. Consider $x$ and $y$ with $x \subseteq y$. If $y$
is a correctable error, then $x$ is also correctable. If $x$ is uncorrectable, then
$y$ is also uncorrectable. For example, let $C = \{000, 001\}$ be a code. Then
$E^0(C) = \{110, 100, 010\}$ and $E^1(C) = \{001, 101, 111\}$. In this case, even if
we only know the fact that the vector 110 is correctable, we can deduce that the
vectors 100 and 010 are correctable, since they are covered by 110. A similar
thing happens when we know 001 is uncorrectable. Using this structure, Zémor
showed that the residual error probability after maximum likelihood decoding
displays a threshold behavior [2]. Helleseth, Kløve, and Levenshtein [3] studied
this structure and introduced larger halves and trial sets.
Since the set of uncorrectable errors $E^1(C)$ has a monotone structure, $E^1(C)$
can be characterized by minimal uncorrectable errors in $E^1(C)$. An uncorrectable
error $y \in E^1(C)$ is minimal if there exists no $x$ such that $x \subset y$ in $E^1(C)$. If we
know all minimal uncorrectable errors, all uncorrectable errors can be determined
from them. We denote by $M^1(C)$ the set of all minimal uncorrectable errors in
$C$. Larger halves of a codeword $c \in C \setminus \{0\}$ are introduced to characterize
the minimal uncorrectable errors, and are defined as minimal vectors $v$ with
respect to covering such that $v + c \prec v$. Any larger half $v$ of a codeword $c$ is
an uncorrectable error, since $v + c \prec v$ and they are in the same coset. The
following condition is a necessary and sufficient condition that $v \in F^n$ is a larger
half of $c \in C \setminus \{0\}$:
$$v \subseteq c, \quad (1)$$
$$w(c) \le 2w(v) \le w(c) + 2, \quad (2)$$
$$l(v) \begin{cases} = l(c), & \text{if } 2w(v) = w(c), \\ > l(c), & \text{if } 2w(v) = w(c) + 2, \end{cases} \quad (3)$$
where $l(x)$ is the smallest element in $S(x)$, that is, $l(x)$ is the leftmost non-zero
coordinate in the vector $x$. The proof of equivalence between the definition and
the above condition is found in the proof of Theorem 1 of [3]. Let $LH(c)$ be the
set of all larger halves of $c \in C \setminus \{0\}$. For a subset $U$ of $C \setminus \{0\}$, let
$$LH(U) = \bigcup_{c \in U} LH(c).$$

A trial set $T$ for a code $C$ is defined as follows:
$$T \subseteq C \setminus \{0\} \text{ is a trial set for } C \text{ if } M^1(C) \subseteq LH(T). \quad (4)$$
A codeword $c$ is called minimal if $c' \subset c$ for $c' \in C$ implies $c' = 0$. Let $C^*$ be
the set of all minimal codewords in $C$. It is shown that a trial set can consist of
only minimal codewords [3, Corollary 5]. Therefore, $C^*$ is a trial set of $C$.
In the rest of the paper, for $u, v \in F^n$, we write $u \cap v$ for the vector in $F^n$ whose
support is $S(u) \cap S(v)$.

3 Uncorrectable Errors of Weight 2m−2 + 1 for RMm


In this section, we determine the number of correctable/uncorrectable errors of
weight half the minimum distance plus one for the first-order Reed-Muller code
of length $n = 2^m$, denoted by $RM_m$.
$RM_m$ is a code of dimension $k = m + 1$ and minimum distance $d = 2^{m-1}$,
and is defined recursively as
$$RM_0 = \{0, 1\}, \qquad RM_m = \bigcup_{c \in RM_{m-1}} \{c \circ c,\ c \circ \bar{c}\},$$
where $u \circ v$ denotes the concatenation of $u$ and $v$, and $\bar{v} = 1 + v$. Since all
codewords in $RM_m$ except the all-zero and all-one codewords are minimum weight
codewords, $RM^*_m = RM_m \setminus \{0, 1\}$.
The weights of vectors in $LH(RM^*_m)$ are $2^{m-2}$ and $2^{m-2} + 1$ from
condition (2). Let $LH^-(c)$ and $LH^+(c)$ denote the sets of larger halves of
$c \in RM^*_m$ of weight $2^{m-2}$ and $2^{m-2} + 1$, respectively. Also let
$LH^-(RM^*_m) = \bigcup_{c \in RM^*_m} LH^-(c)$ and $LH^+(RM^*_m) = \bigcup_{c \in RM^*_m} LH^+(c)$.
Let $E^1_{2^{m-2}+1}(RM_m)$ be the set of uncorrectable errors of weight $\frac{d}{2} + 1 = 2^{m-2} + 1$
in $RM_m$. The set $E^1_{2^{m-2}+1}(RM_m)$ contains $LH^+(RM^*_m)$, and $LH^+(RM^*_m)$
contains all minimal uncorrectable errors of that weight from (4). Therefore, the
remaining uncorrectable errors in $E^1_{2^{m-2}+1}(RM_m)$ are non-minimal.
We will evaluate $|E^1_{2^{m-2}+1}(RM_m)|$ by partitioning the set into two subsets.
The first subset consists of the vectors that are covered by some codeword in
$RM^*_m$. Any $v \in F^n$ of weight $2^{m-2} + 1$ covered by $c \in RM_m$ is uncorrectable,
since the coset to which $v$ belongs contains the smaller weight vector $c + v$. The
second one consists of the remaining non-minimal vectors.
Now, we evaluate the number of vectors in the first subset. It contains
$\binom{2^{m-1}}{2^{m-2}+1}$ vectors for each codeword in $RM^*_m$, and all $|RM^*_m| \cdot \binom{2^{m-1}}{2^{m-2}+1}$ such
vectors are distinct. This is because, if $v \subseteq c_1$ and $v \subseteq c_2$ for a vector $v$ in the
set, then we have $w(c_1 \cap c_2) \ge w(v) = 2^{m-2} + 1$, which contradicts the following
Lemma 1.

Lemma 1. Let $c_1, c_2 \in RM^*_m$ with $c_1 \ne c_2$. Then, it holds that
$$w(c_1 \cap c_2) = \begin{cases} 2^{m-2}, & \text{if } c_1 + c_2 \ne 1, \\ 0, & \text{otherwise.} \end{cases}$$

Proof. The statement follows from the fact that $w(c_1 + c_2) = w(c_1) + w(c_2) - 2w(c_1 \cap c_2)$. That is,
$$w(c_1 \cap c_2) = \frac{w(c_1) + w(c_2) - w(c_1 + c_2)}{2} = \frac{2^{m-1} + 2^{m-1} - w(c_1 + c_2)}{2} = \frac{2^m - w(c_1 + c_2)}{2}.$$


Next, we evaluate the number of vectors in the second subset. The vectors in
the subset are non-minimal uncorrectable errors that are not covered by any
codeword in $RM^*_m$. Such an error covers a minimal uncorrectable error of weight
$2^{m-2}$ in $LH^-(RM^*_m)$, since $2^{m-2}$ is the smallest weight among uncorrectable errors.
Therefore, we consider the set of vectors obtained by adding a weight-one vector
to a larger half in $LH^-(RM^*_m)$ that are not covered by any codeword in $RM^*_m$.
Let
$$E_n = \{e \in F^n : w(e) = 1\}, \qquad E_n(c) = \{e \in E_n : e \cap c = 0\}, \text{ for } c \in RM^*_m.$$
Then, the second subset can be represented as $X_m \setminus Y_m$, where
$$X_m = \{v + e : v \in LH^-(c) \text{ with } c \in RM^*_m,\ e \in E_n(c)\},$$
$$Y_m = \{u \in X_m : u \subseteq c \text{ for some } c \in RM^*_m\}.$$
From the above discussion, we have
$$|E^1_{2^{m-2}+1}(RM_m)| = 2(2^m - 1)\binom{2^{m-1}}{2^{m-2}+1} + |X_m \setminus Y_m|. \quad (5)$$
For $X_m$ and $Y_m$, we define the corresponding multisets $\tilde{X}_m$ and $\tilde{Y}_m$. That is, $\tilde{X}_m$
is a multiset of vectors obtained by adding a weight-one vector $e$ to larger halves
$v \in LH^-(c)$ satisfying $c \cap e = 0$ for each $c \in RM^*_m$. The set $\tilde{Y}_m$ is a multiset of
vectors in $\tilde{X}_m$ that are covered by some codeword in $RM^*_m$. Then we have
$$|\tilde{X}_m| = |RM^*_m| \cdot \binom{2^{m-1} - 1}{2^{m-2} - 1} \cdot 2^{m-1} = 2^{m-1}(2^m - 1)\binom{2^{m-1}}{2^{m-2}}, \quad (6)$$
since the number of larger halves of each codeword is $\binom{2^{m-1}-1}{2^{m-2}-1}$ from (1)–(3).
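As an added worked example (written for this page, not the authors' code), the following Python checks the counting argument behind (5) and (6) by brute force for m = 4, where exhaustive search over all weight-5 vectors of length 16 is cheap: it builds RM_m by the recursion above, decides correctability under the ordering ⪯ of Section 2, constructs LH^-(c), X_m and Y_m from conditions (1)-(3), and compares both sides of (5) and (6). The integer encoding of vectors and the function names are assumptions.

```python
"""Added example, not the paper's code: brute-force check of the
counting behind (5) and (6) for RM_m with small m (m = 4, n = 16).
A vector x is an int whose bit (n - i) holds coordinate i, so the
numerical value v(x) is the int itself and l(x) is its top set bit."""
from itertools import combinations
from math import comb


def rm_codewords(m):
    """RM_m from the recursion RM_m = {c∘c, c∘c̄ : c in RM_{m-1}}."""
    words = [0, 1]                            # RM_0 = {0, 1}
    for k in range(1, m + 1):
        half = 1 << (k - 1)                   # length of c
        mask = (1 << half) - 1                # all-one vector of that length
        words = [w for c in words
                 for w in ((c << half) | c, (c << half) | (c ^ mask))]
    return words


def rm_star(m):
    """RM*_m = RM_m without the all-zero and all-one codewords."""
    ones = (1 << (1 << m)) - 1
    return [c for c in rm_codewords(m) if c not in (0, ones)]


def weight(x):
    """Hamming weight w(x)."""
    return bin(x).count("1")


def precedes(x, y):
    """x ≺ y in the total ordering: smaller weight, then smaller v(x)."""
    return (weight(x), x) < (weight(y), y)


def is_uncorrectable(y, code):
    """y is uncorrectable iff some other coset member y + c is smaller."""
    return any(precedes(y ^ c, y) for c in code if c)


def count_uncorrectable(m, w):
    """|E^1_w(RM_m)| by exhaustive search over all weight-w vectors."""
    n = 1 << m
    code = rm_codewords(m)
    return sum(is_uncorrectable(sum(1 << b for b in supp), code)
               for supp in combinations(range(n), w))


def lh_minus(c):
    """LH^-(c) by conditions (1)-(3): v ⊆ c, 2w(v) = w(c), l(v) = l(c).
    l(c) is the most significant set bit in this encoding."""
    bits = [b for b in range(c.bit_length()) if c >> b & 1]
    top = max(bits)
    rest = [b for b in bits if b != top]
    k = len(bits) // 2 - 1                    # further positions to pick
    return [(1 << top) | sum(1 << b for b in sub)
            for sub in combinations(rest, k)]


def second_subset(m):
    """Return (X_m \\ Y_m as a set, |X~_m| as a multiset count)."""
    n = 1 << m
    star = rm_star(m)
    xm, multiset_size = set(), 0
    for c in star:
        for v in lh_minus(c):
            for i in range(n):
                e = 1 << i
                if e & c == 0:                # e in E_n(c)
                    xm.add(v | e)
                    multiset_size += 1
    ym = {u for u in xm if any(u & ~c == 0 for c in star)}  # u ⊆ c
    return xm - ym, multiset_size


def first_subset_count(m):
    """2(2^m - 1) * C(2^{m-1}, 2^{m-2}+1): the vectors of weight
    2^{m-2}+1 covered by some codeword of RM*_m (distinct by Lemma 1)."""
    return 2 * ((1 << m) - 1) * comb(1 << (m - 1), (1 << (m - 2)) + 1)


def xtilde_formula(m):
    """Right-hand side of (6)."""
    return (1 << (m - 1)) * ((1 << m) - 1) * comb(1 << (m - 1), 1 << (m - 2))


def lemma1_holds(m):
    """w(c1 ∩ c2) is 2^{m-2}, or 0 when c1 + c2 = 1, for distinct c1, c2."""
    ones = (1 << (1 << m)) - 1
    return all(weight(c1 & c2) == (0 if c1 ^ c2 == ones else 1 << (m - 2))
               for c1, c2 in combinations(rm_star(m), 2))


def check_equation5(m):
    """(exhaustive |E^1_{2^{m-2}+1}|, right-hand side of (5), |X~_m|)."""
    diff, multiset_size = second_subset(m)
    exhaustive = count_uncorrectable(m, (1 << (m - 2)) + 1)
    return exhaustive, first_subset_count(m) + len(diff), multiset_size


if __name__ == "__main__":
    print("Lemma 1 holds for m=4:", lemma1_holds(4))
    print("(5) for m=4, exhaustive / formula / |X~_4|:", check_equation5(4))
    print("(6) for m=4:", xtilde_formula(4))
```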

We will evaluate |Xm \ Ym | by using X̃m and Ỹm . First, we will show that the
multiplicity of vectors in X̃m \ Ỹm is not greater than 2 by using the following
lemma.
Lemma 2. Let c1 , c2 , c3 be distinct codewords in RM∗m . Then it holds that
⎧ m−2
⎨2 , if c1 + c2 + c3 = 1,
w(c1 ∩ c2 ∩ c3 ) = 0, if ci + cj = 1 for some i, j with 1 ≤ i = j ≤ 3,
⎩ m−3
2 , otherwise.

Proof. The statement follows from the fact that w(c1 + c2 + c3 ) = w(c1 ) +
w(c2 ) + w(c3 ) − 2(w(c1 ∩ c2 ) + w(c2 ∩ c3 ) + w(c1 ∩ c3 )) + 4w(c1 ∩ c2 ∩ c3 ) and
Lemma 1. 


From the lemma, we see that w(c1 ∩ c2 ∩ c3 ) = 2m−3 if and only if c1 , c2 , c3 , 1


are linearly independent, that is, a1 c1 + a2 c2 + a3 c3 + a4 1 = 0 yields a1 = a2 =
a3 = a4 = 0.

Lemma 3. The multiplicity of any vector in X̃m \ Ỹm is less than or equal to 2
for m ≥ 5.

Proof. Let $c_1, c_2, c_3$ be distinct codewords in $RM^*_m$. For $1 \le i \le 3$, suppose there exist $v_i, e_i, u$ such that $v_i \in LH^-(c_i)$, $e_i \in E_n(c_i)$, $u = v_i + e_i$, and there exists no $c_4 \in RM^*_m$ satisfying $u \subseteq c_4$. First note that $c_1, c_2, c_3$, and $\mathbf{1}$ must be linearly independent for such $v_i, e_i, u$ to exist for $1 \le i \le 3$ when $m \ge 4$. If $v_1 = v_2$, then $v_1 = c_1 \cap c_2 \subseteq \mathbf{1} + c_1 + c_2$ and $e_1 = e_2 \subseteq \mathbf{1} + c_1 + c_2$, and thus $v_1 + e_1 \subseteq \mathbf{1} + c_1 + c_2$, leading to a contradiction. Therefore $v_1, v_2, v_3$ are distinct, and so are $e_1, e_2, e_3$. Then $w(v_1 \cap v_2 \cap v_3) = 2^{m-2} - 2$, and thus $w(c_1 \cap c_2 \cap c_3) \ge w(v_1 \cap v_2 \cap v_3) = 2^{m-2} - 2$. On the other hand, $w(c_1 \cap c_2 \cap c_3) = 2^{m-3}$ from Lemma 2. Thus we have $2^{m-3} \ge 2^{m-2} - 2$. The contradiction arises when $m \ge 5$. □


Thus, the size of $X_m \setminus Y_m$ is represented as follows.

$$|X_m \setminus Y_m| = |\tilde X_m| - |\tilde Y_m| - \frac{|\tilde Z_m|}{2}, \quad (7)$$

where $\tilde Z_m$ is the multiset defined as

$$\tilde Z_m = \{v \in \tilde X_m : v \not\subseteq c \text{ for any } c \in RM^*_m,\ \text{the multiplicity of } v \text{ is } 2\}.$$

We will determine |Ỹm | and |Z̃m |. The next lemma is useful to evaluate |Ỹm |.

Lemma 4. Let $c_1, c_2 \in RM^*_m$. Then

1. there exist $v \in LH^-(c_1)$, $e \in E_n(c_1)$ such that $v + e \subseteq c_2$ if and only if

$$c_1 \ne c_2 \quad \text{and} \quad l(c_1) \in S(c_2); \quad (8)$$

2. if (8) holds,

$$\{(v, e) : v \in LH^-(c_1),\ e \in E_n(c_1),\ v + e \subseteq c_2\} = \{(c_1 \cap c_2, e) : e \in E_n,\ S(e) \subseteq S(c_2) \setminus S(c_1)\}. \quad (9)$$

Proof. (First part) The only if part is obvious. We prove the if part. Let $v = c_1 \cap c_2$. Since $c_1 \ne c_2$ and $c_1 + c_2 \ne \mathbf{1}$ from (8), we have $w(v) = 2^{m-2}$ from Lemma 1. We have $l(v) = l(c_1)$ from $l(c_1) \in S(c_2)$. Thus $v \in LH^-(c_1)$. Clearly, we can take $e \in E_n(c_1)$ such that $v + e \subseteq c_2$.
(Second part) The $\supseteq$ part is obvious, so we show the $\subseteq$ part. Since $v \subseteq c_1$ and $v \subseteq c_2$, it holds that $w(c_1 \cap c_2) \ge w(v) = 2^{m-2}$. On the other hand, $w(c_1 \cap c_2) = 2^{m-2}$. Therefore we have $v = c_1 \cap c_2$. It immediately follows that $S(e) \subseteq S(c_2) \setminus S(c_1)$ from $c_1 \cap e = 0$ and $v + e \subseteq c_2$. □


From Lemma 4, $v + e \in \tilde X_m$ is covered by every $c_2 \in RM^*_m$ satisfying (8). The number of codewords $c_2$ satisfying (8) is $|RM_m|/2 - 2 = 2^m - 2$. There are $|S(c_2) \setminus S(c_1)| = 2^{m-2}$ choices of $e$ from (9). Thus we have

$$|\tilde Y_m| = |RM^*_m| \cdot (2^m - 2) \cdot 2^{m-2} = 2^m(2^m - 1)(2^{m-1} - 1). \quad (10)$$

The following lemma is useful to derive |Z̃m |.

Lemma 5. Let $u \in \tilde X_m$ be of multiplicity 2. That is, $u$ is represented as $u = v_1 + e_1 = v_2 + e_2$ where $v_i \in LH^-(c_i)$, $c_i \in RM^*_m$, $e_i \in E_n(c_i)$ for $i = 1, 2$, and $c_1 \ne c_2$. Then,

1. for $m \ge 3$, $c_1 + c_2 \ne \mathbf{1}$,
2. for $m \ge 5$, there exists $c_3 \in RM^*_m$ such that $u \subseteq c_3$ if and only if $e_1 = e_2$.

Proof. The first part holds, since $v_1 + e_1 = v_2 + e_2$ cannot hold for $m \ge 3$ if $c_1 + c_2 = \mathbf{1}$. Now we prove the second part.
(Only if part) We have $c_1 \ne c_3$ from $v_1 + e_1 \not\subseteq c_1$ and $v_1 + e_1 \subseteq c_3$. Since $v_1 \subseteq c_1$ and $v_1 \subseteq c_3$, we have $v_1 = c_1 \cap c_3$. Similarly, $v_2 = c_2 \cap c_3$. Then $v_1 \cap v_2 = c_1 \cap c_2 \cap c_3$, and hence $w(v_1 \cap v_2) = w(c_1 \cap c_2 \cap c_3)$. Since $c_1, c_2, c_3$ are distinct, $w(c_1 \cap c_2 \cap c_3)$ is either $2^{m-2}$, $2^{m-3}$, or 0. On the other hand, $w(v_1 \cap v_2)$ is $2^{m-2}$ if $v_1 = v_2$, and is $2^{m-2} - 2$ otherwise, since $v_1 + e_1 = v_2 + e_2$. Therefore $w(v_1 \cap v_2) = 2^{m-2}$ for $m \ge 5$, since $2^{m-3} \ne 2^{m-2} - 2$. Hence $v_1 = v_2$, and thus $e_1 = e_2$.
(If part) Since $e_1 = e_2$ and $c_1 \ne c_2$, we have $v_1 = v_2 = c_1 \cap c_2 \subseteq \mathbf{1} + c_1 + c_2$. Since $e_1 \cap c_1 = e_2 \cap c_2 = e_1 \cap c_2 = 0$, we have $e_1 \subseteq \mathbf{1} + c_1 + c_2$. By taking $c_3 = \mathbf{1} + c_1 + c_2$, we have $u = v_1 + e_1 \subseteq c_3$. □


From Lemma 5, for each $c_1 \in RM^*_m$, $|\tilde Z_m|$ is obtained by counting all patterns in $\{v_1 + e_1 : v_1 \in LH^-(c_1),\ e_1 \in E_n(c_1)\}$ such that $v_1 + e_1 = v_2 + e_2$ for some $v_2, e_2$ with $v_2 \in LH^-(c_2)$, $c_2 \in RM^*_m \setminus \{c_1\}$, $e_2 \in E_n(c_2)$ and $e_1 \ne e_2$. We will count such $v_1 + e_1$ for each $c_1 \in RM^*_m$.
We introduce some notation. Let $S_m = \{l(c) : c \in RM_m\}$. From the definition of $RM_m$, $S_m = \{s_1, s_2, \ldots, s_k\}$, where

$$s_i = \begin{cases} 1, & \text{for } i = 1,\\ 2^{i-2} + 1, & \text{for } 2 \le i \le k = m + 1. \end{cases}$$

Also define

$$C_m(s_i) = \{c \in RM^*_m : l(c) = s_i\}.$$

Then, we have

$$|C_m(s_i)| = \begin{cases} 2^m - 1, & \text{for } i = 1,\\ 2^{m+1-i}, & \text{for } 2 \le i \le m + 1. \end{cases} \quad (11)$$

Now we are ready to evaluate $|\tilde Z_m|$. There are three cases to be considered.

1. When $l(c_1) = l(c_2)$: we choose $w$ such that $w \subseteq c_1 \cap c_2$, $w(w) = 2^{m-2} - 1$, and $l(w) = l(c_1 \cap c_2)$. We choose $e_2$ so that $S(e_2) \subseteq S(c_1) \setminus S(c_2)$, and choose $e_1$ so that $S(e_1) \subseteq S(c_2) \setminus S(c_1)$. Then letting $v_1 = w + e_2$ and $v_2 = w + e_1$ gives vectors with $v_1 + e_1 = v_2 + e_2$. There are $(2^{m-2} - 1) \cdot 2^{m-2} \cdot 2^{m-2}$ such $v_1 + e_1$.
   For each codeword $c_1$ in $C_m(s_i)$, there are $|C_m(s_i)| - 1$ codewords $c_2$ in $RM^*_m$ satisfying $l(c_1) = l(c_2)$.
2. When $l(c_1) > l(c_2)$: since $v_1 \in LH^-(c_1)$ and $v_2 \in LH^-(c_2)$, the $l(c_2)$-th bit of $e_1$ is one.
   (a) If the $l(c_1)$-th bit of $c_2$ is one: we choose $w$ such that $w \subseteq c_1 \cap c_2$, $w(w) = 2^{m-2} - 1$, and $l(w) = l(c_1 \cap c_2)$. We choose $e_2$ so that $S(e_2) \subseteq S(c_1) \setminus S(c_2)$. Then letting $v_1 = w + e_2$ and $v_2 = w + e_1$ gives vectors with $v_1 + e_1 = v_2 + e_2$. There are $(2^{m-2} - 1) \cdot 2^{m-2}$ such $v_1 + e_1$.
   For each codeword $c_1$ in $C_m(s_i)$ with $i \ge 2$, there are $\bigl(\sum_{j<i} |C_m(s_j)| + 1\bigr)/2 - 1$ codewords $c_2$ in $RM^*_m$ satisfying $l(c_1) \in S(c_2)$.
   (b) If the $l(c_1)$-th bit of $c_2$ is zero: then $e_2$ must be the vector having a one in the $l(c_1)$-th bit. We choose $w$ such that $w \subseteq c_1 \cap c_2$ and $w(w) = 2^{m-2} - 1$. Then letting $v_1 = w + e_2$ and $v_2 = w + e_1$ gives vectors with $v_1 + e_1 = v_2 + e_2$. There are $2^{m-2}$ such $v_1 + e_1$.
   For each codeword $c_1$ in $C_m(s_i)$ with $i \ge 2$, there are $\bigl(\sum_{j<i} |C_m(s_j)| + 1\bigr)/2 - 1$ codewords $c_2$ in $RM^*_m$ satisfying $l(c_1) \notin S(c_2)$ and $c_1 + c_2 \ne \mathbf{1}$.
3. When $l(c_1) < l(c_2)$: the number of vectors we should count is equal to that for the second case.

From the above analysis, we have

$$\begin{aligned} |\tilde Z_m| &= \sum_{i=1}^{m+1} |C_m(s_i)|\bigl(|C_m(s_i)| - 1\bigr) \cdot (2^{m-2} - 1)(2^{m-2})^2 \\ &\quad + 2\sum_{i=2}^{m+1} |C_m(s_i)| \left( \Bigl( \sum_{j=1}^{i-1} |C_m(s_j)| + 1 \Bigr) \cdot \frac{1}{2} - 1 \right) \cdot (2^{m-2} - 1)\,2^{m-2} \\ &\quad + 2\sum_{i=2}^{m+1} |C_m(s_i)| \left( \Bigl( \sum_{j=1}^{i-1} |C_m(s_j)| + 1 \Bigr) \cdot \frac{1}{2} - 1 \right) \cdot 2^{m-2} \\ &= 2^{2m-3}\binom{2^m}{3}. \end{aligned} \quad (12)$$
From (5), (6), (7), (10), and (12), we can determine the number of uncorrectable errors of weight $2^{m-2} + 1$ for $RM_m$.

Theorem 1. For $m \ge 5$,

$$\left|E^1_{2^{m-2}+1}(RM_m)\right| = 4(2^m - 1)(2^{m-3} + 1)\binom{2^{m-1}}{2^{m-2}+1} - (4^{m-2} + 3)\binom{2^m}{3}.$$

The number of correctable errors of weight $2^{m-2} + 1$, $|E^0_{2^{m-2}+1}(RM_m)|$, is obtained from the equation

$$\left|E^0_{2^{m-2}+1}(RM_m)\right| + \left|E^1_{2^{m-2}+1}(RM_m)\right| = \binom{2^m}{2^{m-2}+1}.$$

On the number of Boolean functions with $m$ variables of nonlinearity $2^{m-2} + 1$, we have Corollary 1.

Corollary 1. For $m \ge 5$, the number of Boolean functions with $m$ variables of nonlinearity $2^{m-2} + 1$ is equal to $2^{m+1}|E^0_{2^{m-2}+1}(RM_m)|$, which is

$$2^{m+1}\left[ \binom{2^m}{2^{m-2}+1} - 4(2^m - 1)(2^{m-3} + 1)\binom{2^{m-1}}{2^{m-2}+1} + (4^{m-2} + 3)\binom{2^m}{3} \right].$$

The results of the calculation of $|E^0_{2^{m-2}+1}(RM_m)|$ and $|E^1_{2^{m-2}+1}(RM_m)|$ for $5 \le m \le 9$ are listed in Table 1. These expressions can be approximated by Stirling's approximation, $n! \approx \sqrt{2\pi n}\,(n/e)^n$. Thereby,

$$\left|E^0_{2^{m-2}+1}(RM_m)\right| \approx \sqrt{\frac{3}{2^{m-3}\pi}} \left( \frac{16}{3\sqrt{3}} \right)^{2^{m-1}},$$

$$\left|E^1_{2^{m-2}+1}(RM_m)\right| \approx \sqrt{\frac{2^m}{\pi}}\,(2^m + 8)\,2^{2^{m-1}}.$$

The ratio, $|E^1_{2^{m-2}+1}(RM_m)| / |E^0_{2^{m-2}+1}(RM_m)|$, approaches zero as $m$ increases.

Table 1. The number of correctable/uncorrectable errors of weight $2^{m-2} + 1$ for $RM_m$

 m   n    k    correctable $|E^0_{2^{m-2}+1}(RM_m)|$   uncorrectable $|E^1_{2^{m-2}+1}(RM_m)|$
 5   32   6    21,288,320                               6,760,480
 6   64   7    1.378 × 10^15                            1.283 × 10^12
 7   128  8    4.299 × 10^30                            1.535 × 10^22
 8   256  9    5.625 × 10^61                            7.938 × 10^41
 9   512  10   1.329 × 10^124                           7.605 × 10^80
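As an added example (not the authors' code), the following Python evaluates the counting formulas of this section: (6), (10), the three-case sum of (12) checked against its closed form, their assembly through (5) and (7), and the closed forms of Theorem 1 and Corollary 1, so that the two routes to $|E^1_{2^{m-2}+1}(RM_m)|$ can be compared with Table 1. The function names are this example's own.

```python
# Added example: evaluates the counting formulas of this section for RM_m
# (m >= 5) and cross-checks the two routes to |E^1| against each other.
# Function names are this example's own; the formulas are the paper's.
from math import comb


def rm_star_size(m):
    """|RM*_m|: the codewords of weight 2^(m-1) in RM_m, i.e. 2^(m+1) - 2."""
    return 2 * (2 ** m - 1)


def c_m_sizes(m):
    """[|C_m(s_1)|, ..., |C_m(s_{m+1})|] from equation (11)."""
    return [2 ** m - 1] + [2 ** (m + 1 - i) for i in range(2, m + 2)]


def x_tilde(m):
    """|X~_m| from equation (6)."""
    return rm_star_size(m) * comb(2 ** (m - 1) - 1, 2 ** (m - 2) - 1) * 2 ** (m - 1)


def y_tilde(m):
    """|Y~_m| from equation (10)."""
    return rm_star_size(m) * (2 ** m - 2) * 2 ** (m - 2)


def z_tilde_sum(m):
    """|Z~_m| as the three-case sum on the left of equation (12)."""
    sizes = c_m_sizes(m)          # sizes[i-1] is |C_m(s_i)|
    a = 2 ** (m - 2)
    # case 1: l(c1) = l(c2)
    total = sum(s * (s - 1) * (a - 1) * a * a for s in sizes)
    for i in range(2, m + 2):
        prefix = sum(sizes[: i - 1])            # sum_{j<i} |C_m(s_j)|
        pairs = (prefix + 1) // 2 - 1           # codewords c2 per c1 in cases 2(a), 2(b)
        total += 2 * sizes[i - 1] * pairs * (a - 1) * a   # case 2(a), doubled for case 3
        total += 2 * sizes[i - 1] * pairs * a             # case 2(b), doubled for case 3
    return total


def z_tilde_closed(m):
    """The closed form on the right of equation (12)."""
    return 2 ** (2 * m - 3) * comb(2 ** m, 3)


def uncorrectable_via_5(m):
    """|E^1_{2^{m-2}+1}(RM_m)| assembled from (5) and (7)."""
    first_subset = 2 * (2 ** m - 1) * comb(2 ** (m - 1), 2 ** (m - 2) + 1)
    x_minus_y = x_tilde(m) - y_tilde(m) - z_tilde_sum(m) // 2
    return first_subset + x_minus_y


def uncorrectable_theorem1(m):
    """|E^1_{2^{m-2}+1}(RM_m)| from the closed form of Theorem 1."""
    return (4 * (2 ** m - 1) * (2 ** (m - 3) + 1) * comb(2 ** (m - 1), 2 ** (m - 2) + 1)
            - (4 ** (m - 2) + 3) * comb(2 ** m, 3))


def correctable(m):
    """|E^0_{2^{m-2}+1}(RM_m)| = C(2^m, 2^{m-2}+1) - |E^1|."""
    return comb(2 ** m, 2 ** (m - 2) + 1) - uncorrectable_theorem1(m)


def boolean_functions_of_nonlinearity(m):
    """Corollary 1: Boolean functions of m variables with nonlinearity 2^{m-2}+1."""
    return 2 ** (m + 1) * correctable(m)


if __name__ == "__main__":
    for m in range(5, 10):
        assert z_tilde_sum(m) == z_tilde_closed(m)
        assert uncorrectable_via_5(m) == uncorrectable_theorem1(m)
        print(m, 2 ** m, m + 1, correctable(m), uncorrectable_theorem1(m))
```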

4 Conclusion
In this paper, we have determined the number of correctable/uncorrectable errors
of weight half the minimum distance plus one for the first-order Reed-Muller
codes. We mainly use the notion of larger halves to derive this result.
Future work includes deriving the number of correctable errors of weight ≥
2m−2 + 2 for RMm using the larger half technique and applying the technique to
other codes, for example, the second-order Reed-Muller codes and BCH codes.

Fault-Tolerant Finite Field Computation in the
Public Key Cryptosystems

Silvana Medoš and Serdar Boztaş

School of Mathematical and Geospatial Sciences,


RMIT University, GPO Box 2476V, Melbourne 3001, Australia
{silvana.medos, serdar.boztas}@ems.rmit.edu.au

Abstract. In this paper, we propose a new method for fault tolerant computation over $GF(2^k)$ for use in public key cryptosystems. In particular, we are concerned with the active side channel attacks, i.e., fault attacks. We define a larger ring in which new computation is performed with encoded elements while arithmetic structure is preserved. Computation is decomposed into parallel, mutually independent, identical channels, so that fault effects do not spread to the other channels. By assuming certain fault models, our proposed model provides protection against their error propagation. Also, we provide an analysis of the error detection and correction capabilities of our proposed model.

1 Introduction and Motivation

The arithmetic structure of finite fields is utilized in public key cryptography (smart card technology, e-commerce, and internet security), as well as in coding theory (error-free communications and data storage). Public key cryptographic applications rely on computation in very large finite fields (with more than $2^{160}$ elements for Elliptic Curve Cryptography, and more than $2^{1024}$ elements for RSA). Unfortunately, a single fault in computation can yield an erroneous output, which can then be used by an adversary to break the cryptosystem; we describe the details below. Since we require high reliability and robustness, fault tolerant finite field computation in public key cryptosystems is crucial. The security of cryptosystems does not only depend on mathematical properties; an adversary can attack the implementation rather than the algorithmic specification. In this paper we are concerned with protecting finite field computation against active side channel attacks, i.e., fault attacks, where an adversary induces faults into a device while it executes the correct program. After outlining the fault model, and discussing a specific example of how fault-inducing attacks can be catastrophic for public key cryptosystems, we make use of well-known error correcting codes in order to provide countermeasures to some fault-inducing attacks.

1.1 Security of Public Key Cryptosystems

To quantify the security of public key cryptosystems, the concept of computational security is widely used. Here, an adversary is assumed to have limited computation time and memory available (polynomial in the input parameters) and the security of the cryptosystem is based on the fact that the problem of breaking the system is reducible to solving a problem that is strongly believed to be computationally hard, such as factoring a product of two large random primes and taking discrete logarithms in a large finite field. As a rule, one assumes that an adversary always has access to all data being transmitted by two communicating parties and exact knowledge of every aspect of the cryptographic scheme used, except for the secret key; this is referred to as Kerckhoffs' Principle. Moreover an adversary can request encryptions of polynomially many (in the size of the input parameters) chosen messages to achieve his objective. This scenario is usually referred to as a black-box assumption, since it allows purely theoretical proofs on paper. However, cryptosystems are used in the real world where cryptographic protocols are implemented in software or hardware, obeying laws of physics. The circuits used leak information, e.g., power and timing information, over side channels. Thus, one has a gray box, where an adversary has access to several side-channels.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 120–129, 2007.
© Springer-Verlag Berlin Heidelberg 2007

2 Fault Models and Fault Attacks

2.1 Fault Models

Since smartcards are in exposed conditions and receive their power and clock
signals from the smartcard reader, they can be subjected to physical attacks by
using X-rays, heat/infrared radiation, power spikes, optical energy, etc. We refer
the reader to the CHES proceedings (in the Springer LNCS series) for many
papers illustrating such attacks. Our discussion of the fault models is broadly
based on [9]. The crucial point is how to model the faults which result from such
physical attacks. A list of possibilities includes:

– The attacker’s control of the location of the fault (hardware memory cell, or
software instruction) can be strong, weak, or nonexistent.
– The attacker’s control of the timing of the fault can be precise, within an
interval, or nonexistent.
– The type of fault can be, e.g., random, bit-flip, or stuck-at.
– The fault duration may be permanent or transient.

We now discuss some of these in more detail. Note that any fault induced in a variable $x$ can be described by means of an additive error term $x \to x' = x + e(x)$, but the error term $e(x)$ can itself take on quite different characteristics, depending on the type of the fault:

Stuck-at Faults. Let $b$ be an arbitrary bit stored in memory. Assume that $b$ is modified by a stuck-at fault. Then $b \to b' = c$, where the constant $c = 1$ or $c = 0$. The value of the affected bit is not changed any more, even if a variable $x$, which uses these bits, is overwritten. Clearly stuck-at faults will have a noticeable effect only if the variable is overwritten at some point.

Bitflip Faults. Let $b$ be an arbitrary bit stored in memory. Assume that $b$ is modified by a bitflip fault. Then $b \to b' = b + 1 \pmod 2$. The effect may be transient, permanent or destructive. A bitflip fault is easy to visualize, and always results in a fault on a variable using the bit which is faulty.
Random Faults. Let $b$ be an arbitrary bit stored in memory. Assume that $b$ is modified by a random fault. Then $b \to b'$ where $b'$ is a random variable taking on the values 0 or 1. The effect may be transient, permanent or destructive.
Since several physical methods of fault induction are difficult to control precisely,
random faults are considered to be the most realistic fault type. The random
variable which models the fault may be uniform or non-uniform.
Note that the above faults can be considered for an arbitrary but unknown
set of bits B, where assumptions about how the adversary controls the choice
of B can also model different attack scenarios, but we do not proceed further in
this direction due to space constraints.

2.2 An Attack on ElGamal Signatures

To generate a public/private key pair in this scheme, one first chooses a prime $p$ and two integers $g, x$ such that both are in $\mathbb{Z}_p$, and $g$ is a generator of $\mathbb{Z}_p^*$. The private key is $x$ while the public key is $(y, g, p)$ where $y = g^x \pmod p$. The following attack is from [1].
To generate a signature on a message $m$ the signer picks a random $k$ with $\gcd(k, p - 1) = 1$, and computes

$$w = g^k \pmod p \quad \text{and} \quad s = (m - xw)/k \pmod{p - 1}.$$

The signature is the pair $(w, s)$ and to verify the signature, the verifier confirms that

$$y^w w^s = g^m \pmod p.$$

If a fault leads to a change in bit $x_i$ of $x$ by a bit-flip during the process of signing a message, a corrupted version $x'$ of $x$ will result and we will have the outputs

$$w = g^k \pmod p \quad \text{and} \quad s' = (m - x'w)/k \pmod{p - 1}.$$

Using $w, s', m$ and the signer's public key $(y, p, g)$ the attacker can now compute

$$T = y^w w^{s'} \pmod p = g^m g^{w(x - x')} \pmod p.$$

Let $R_i = g^{w 2^i} \pmod p$ for $i = 0, 1, \ldots, t - 1$ where $t$ is the bitlength of $x$. Then

$$T R_i = g^m \pmod p, \quad \text{if } x_i = 0,$$

(since $x_i = 0$ implies that $x - x' = -2^i$) and

$$T R_i^{-1} = g^m \pmod p, \quad \text{if } x_i = 1,$$

(since $x_i = 1$ implies that $x - x' = 2^i$). The attacker can compute $(T R_i, T R_i^{-1})$ for $i = 0, 1, \ldots, t - 1$ and check whether either equals $g^m \pmod p$; if a match is found then one bit of $x$ is found.
By using the fault tolerant computation technique discussed later on in this paper (applied to multiplying the field elements $x', w$ defined above), it is possible to detect the fault which leads to the attack described above, which could be used to alert a higher level monitoring system that something has gone wrong in the signature computation.
In related work, [6] presents fault-tolerant computation over the integers based on the modulus replication residue number system, which allows modular arithmetic computations over identical channels. [11] presents multipliers for fields $GF(2^k)$ whose operations are resistant to errors caused by certain faults. They can correct single errors caused by one or more faults in the multiplier circuits. [5] introduces scaled embedding for Fault-Tolerant Public Key Cryptography based on arithmetic codes and binary cyclic codes in order to achieve robust fault tolerant arithmetic in the finite field.

3 Finite Field Encoding

We want to protect computation over the field $GF(2^k)$, which can be represented as the set of polynomials modulo a primitive polynomial $f(x)$, $\deg(f(x)) = k$, i.e., $GF(2)[x]/\langle f(x)\rangle = \{a_0 + \ldots + a_{k-1}x^{k-1} \mid a_i \in GF(2)\}$, and where $f(\alpha) = 0$, so that $GF(2^k) = \{0, 1, \alpha, \alpha^2, \ldots, \alpha^{2^k - 2}\}$. The inputs to the computation are elements from the field $GF(2^k)$ represented as polynomials. The input polynomials $g_i$ from $GF(2)[x]/\langle f(x)\rangle$ are evaluated at the minimum required number of distinct elements from the set $T = \{\alpha_j \mid \alpha_j \in GF(2^k)\}$ such that there are enough values to represent the polynomial resulting from the computation. Evaluating input polynomials $g_i \in GF(2)[x]/\langle f(x)\rangle$ at distinct elements $\alpha_j \in T$ is the same as taking the remainder modulo $x - \alpha_j$. Let $n$ be the expected degree of the output, which is not reduced modulo $f(x)$. Then, there exists a mapping $\phi$

$$\phi : GF(2)[x]/\langle f(x)\rangle \to GF(2^k)[x]/\langle x - \alpha_0\rangle \times \ldots \times GF(2^k)[x]/\langle x - \alpha_n\rangle,$$

such that each input polynomial $g_i(x) \in GF(2)[x]/\langle f(x)\rangle$ is evaluated at $n + 1$ distinct elements from the set $T = \{\alpha_j \mid \alpha_j \in GF(2^k)\}$, i.e.,

$$g_i(x) \leftrightarrow (g_i(\alpha_0), g_i(\alpha_1), \ldots, g_i(\alpha_n)), \quad (1)$$

where $g_i(\alpha_j) \in GF(2^k)$ (or equivalently $g_i(\alpha_j) \in GF(2)^k$) are evaluations of the input polynomials $g_i \in GF(2)[x]/\langle f(x)\rangle$ at distinct elements from the set $T$. Equivalently, $g_i(\alpha_j)$ is the remainder of $g_i(x)$ on division by the linear polynomial $(x - \alpha_j)$, i.e., $g_i(x) \equiv g_i(\alpha_j) \bmod (x - \alpha_j)$.

3.1 Computation in the Larger Ring

The computation of the finite field $GF(2^k)$ will be performed with encoded operands (as in (1)) in the direct product ring:

$$R = GF(2^k)[x]/\langle x - \alpha_0\rangle \times \ldots \times GF(2^k)[x]/\langle x - \alpha_n\rangle \cong GF(2^k)^{n+1}, \quad (2)$$

while preserving arithmetic structure. Note that $R \cong GF(2^k)[x]/\langle m(x)\rangle$, where $m(x) = \prod_{i=0}^{n}(x - \alpha_i)$, such that $\deg(m(x)) = 1 + \max\{\deg(g(x) * h(x))\}$, where $g(x), h(x) \in GF(2)[x]/\langle f(x)\rangle$ are input polynomials, and $*$ is an operation (addition or multiplication) in $GF(2^k)$ without modulo $f(x)$ reduction. By the well-known Lagrange Interpolation Theorem (LIT), interpolating $n + 1$ output components $r(\alpha_j) \in GF(2^k)$ at distinct elements $\alpha_j \in GF(2^k)$ will determine a unique polynomial $r(x) \in GF(2^k)[x]/\langle m(x)\rangle$ of degree $n$.

4 Fault-Tolerant Computation

To protect computation in the finite field we add redundancy by adding more parallel channels than the minimum required to represent the output polynomial of a certain expected degree, i.e., see Figure 1. Thus, input polynomials are evaluated at additional distinct elements $\alpha_j \in GF(2^k)$. Let $n$ be the expected degree of the output polynomial without modulo $f(x)$ reduction. We use a total of $c > n + 1$ evaluations so that computation now happens in the even larger direct product ring

$$R = GF(2^k)[x]/\langle x - \alpha_0\rangle \times \ldots \times GF(2^k)[x]/\langle x - \alpha_{c-1}\rangle \cong GF(2^k)^c.$$

[Figure 1: the inputs $g(x)$, $h(x)$ are evaluated at $\alpha_0, \ldots, \alpha_n, \ldots, \alpha_{c-1}$; PROCESSOR 0 through PROCESSOR $c-1$ each compute $g(\alpha_j) \diamond h(\alpha_j) = r'(\alpha_j)$ on an independent channel; Lagrange interpolation yields $r'(x)$; error detection and correction yields $r(x)$.]

Fig. 1. Fault tolerant computation of the finite field $GF(2^k)$ in the ring $R$

As before, let each input polynomial $g_i(x)$ be evaluated at $c > n + 1$ distinct elements from the set $T = \{\alpha_j \mid \alpha_j \in GF(2^k)\}$, i.e.,

$$g_i(x) \to (g_i(\alpha_0), g_i(\alpha_1), \ldots, g_i(\alpha_n), g_i(\alpha_{n+1}), g_i(\alpha_{n+2}), \ldots, g_i(\alpha_{c-1})) \in R,$$

where $g_i(\alpha_0), g_i(\alpha_1), \ldots, g_i(\alpha_n)$ are non-redundant components of the $i$-th input polynomial, and $g_i(\alpha_{n+1}), g_i(\alpha_{n+2}), \ldots, g_i(\alpha_{c-1})$ are redundant components of the $i$-th input polynomial. Now, let $r \in R$ be an output vector of the computation which is in the form

$$r = (r(\alpha_0), r(\alpha_1), \ldots, r(\alpha_n), r(\alpha_{n+1}), r(\alpha_{n+2}), \ldots, r(\alpha_{c-1})). \quad (3)$$

By the uniqueness of LIT, if there are no fault effects, the $c$ output components $r(\alpha_j) \in GF(2^k)$ at distinct elements will determine a unique polynomial $r'(x) \in GF(2^k)[x]/\langle m'(x)\rangle$ of degree $n$ with coefficients $a_i \in GF(2)$; otherwise, $n < \deg(r'(x))$ with coefficients $a_i \in GF(2^k)$. This leads to:

Definition 1. The set of correct results of computation, where $n$ is the expected degree of the output polynomial of the computation without modulo $f(x)$ reduction, is

$$C = \left\{ r'(x) \in GF(2^k)[x]/\langle m'(x)\rangle \;\middle|\; \deg(r'(x)) < n + 1,\ a_i \in GF(2) \right\}.$$

4.1 Complexity of Interpolation and Evaluation

Input polynomials are only evaluated at the beginning, while interpolation is performed at the end of the computation. We do modulo $f(x)$ reduction only if there are no errors.

Lemma 1. The computational complexity of evaluating input polynomials $g_i \in GF(2)[x]/\langle f(x)\rangle$ at $c > n + 1$ distinct elements from the set $T$, where $n$ is the expected degree of the output polynomial without modulo $f(x)$ reduction, is $O(ck)$, since the required number of operations in $GF(2^k)$ is $2c(k - 1)$.

Proof. Let $g_i(x) = \sum_{i=0}^{k-1} a_i x^i \in GF(2^k)$, and use Horner's rule

$$g_i(x) = (\ldots(a_{k-1}x + a_{k-2})x + \ldots + a_1)x + a_0.$$

Thus, $g_i$ can be evaluated at a single point $\alpha_i \in T$ by $k - 1$ additions and $k - 1$ multiplications. Therefore, evaluating $g_i(x)$ at $c > n + 1$ distinct elements from $T$ will require $2c(k - 1)$ operations in $GF(2^k)$. So the computational complexity of input polynomial evaluation is $O(ck)$.

Lemma 2. The computational complexity of interpolating the output vector $r \in R$ is $O(c^2)$, $c > n + 1$.

Proof. For a proof see, e.g., [4].

Theorem 1. The total computational complexity of evaluating input polynomials $g_i(x) \in GF(2)[x]/\langle f(x)\rangle$ at the beginning of the computation, and interpolating the result of the computation at the end, is $O(c^2)$.

Proof. Since the computational complexity of evaluating the inputs $g_i$ is $O(ck)$, where $k < c$, and the complexity of interpolating the resulting vector is $O(c^2)$, the total complexity is $O(c^2)$.

5 Error Detection and Correction

There is one processor per independent channel, i.e., see Figure 1. Let us assume
that we have c processors, where processor i computes i-th polynomial evaluation
and all processors perform operations over the finite field GF (2k ).
We define a fault attack as any method and/or algorithm which, when applied to the attacked processor, returns the desired effects. We assume that a fault attack induces faults into processors by some physical set-up, exposing the processor to physical stress (x-rays, heat/infrared radiation, power spikes, clock glitches, etc.). An adversary can run the attack several times while inducing faults into structural elements of an attacked processor, until the desired effect occurs. As a reaction, the attacked processor malfunctions, i.e., memory cells change their voltage, bus lines transmit different signals, or structural elements are damaged. The processor is now faulty, i.e., it does not compute the correct output given its input. We identify memory cells with their values, and we say that faults are induced into variables, or bits.
We are concerned with the effect of a fault as it manifests itself in modified data, or a modified program execution. Therefore, we consider the following fault models (inspired by [9], see also Section 2 for more general background on modeling):
Random Fault Model (RFM) 2. Assume that an adversary does not know enough about the induced faults to know their effect, but knows the affected polynomial evaluation. Therefore, we assume that the affected polynomial evaluation $f(\alpha_i) \in GF(2^k)$ is changed to some random value from the finite field $GF(2^k)$, assumed to be uniformly distributed in that field.

Arbitrary Fault Model (AFM) 3. Assume that an adversary can target a specific line of code, targeting a specific channel, but without knowing the effects of the fault. This is modelled as the addition of an arbitrary and unknown element $e_i$ to $r_i$.

Since computation is decomposed into parallel, mutually independent channels, the adversary can use either RFM or AFM on each channel. Assume that at most $c - n - 1$ channels have faults. Let $r' \in R$ be the computed vector with $c$ components as in (3), where $e_j \in GF(2^k)$ is the error at the $j$-th position; then the computed component at the $j$-th position is

$$r'_j = r(\alpha_j) + e_j, \quad (4)$$

and each processor will have as an output component

$$r'_j = \begin{cases} r(\alpha_j) + e_j, & j \in \{j_1, \ldots, j_t\},\\ r(\alpha_j), & \text{else.} \end{cases}$$

Here, we have assumed that the set of error positions is $\{j_1, \ldots, j_t\}$, i.e., $e_{j_i}$ is the effect of the fault in the channel $j_i$. By LIT, the computed vector $r' \in R$ with the corresponding set of $c$ distinct elements $\alpha_j \in GF(2^k)$ gives as output a unique polynomial $r'(x) \in GF(2^k)[x]/\langle m'(x)\rangle$,

$$\begin{aligned} r'(x) &= \sum_{0 \le i \le c-1} r'_i \prod_{0 \le j \le c-1,\ j \ne i} \frac{x - \alpha_j}{\alpha_i - \alpha_j} \\ &= r(x) + \sum_{1 \le l \le t} e_{j_l} \prod_{0 \le i \le c-1,\ i \ne j_l} \frac{x - \alpha_i}{\alpha_{j_l} - \alpha_i} = r(x) + e(x), \end{aligned} \quad (5)$$

where $r(x)$ is the correct expected polynomial of degree $\le n$ with coefficients from the ground field $GF(2)$, and $e(x)$ is the error polynomial which obeys the following:

Theorem 4. Let the effects of the fault $e_{j_1} \ne 0, \ldots, e_{j_t} \ne 0$ be any set of $1 \le t \le c - n - 1$ elements of $GF(2^k)$, $c > n + 1$. Then $\deg(e(x)) > n$, with coefficients $a_i \in GF(2^k)$.

Proof. We have that

$$\begin{aligned} e(x) &= \sum_{1 \le l \le t} e_{j_l} \prod_{0 \le i \le c-1,\ i \ne j_l} \frac{x - \alpha_i}{\alpha_{j_l} - \alpha_i} \\ &= \prod_{0 \le i \le c-1} (x - \alpha_i) \left[ \frac{e_{j_1}}{(x - \alpha_{j_1}) \prod_{0 \le i \le c-1,\ i \ne j_1} (\alpha_{j_1} - \alpha_i)} + \ldots + \frac{e_{j_t}}{(x - \alpha_{j_t}) \prod_{0 \le i \le c-1,\ i \ne j_t} (\alpha_{j_t} - \alpha_i)} \right]. \end{aligned}$$

Since $\deg\Bigl(\frac{\prod_{0 \le i \le c-1}(x - \alpha_i)}{x - \alpha_{j_1}}\Bigr) = c - 1, \ldots, \deg\Bigl(\frac{\prod_{0 \le i \le c-1}(x - \alpha_i)}{x - \alpha_{j_t}}\Bigr) = c - 1$ and $c > n + 1$, then $\deg(e(x)) = c - 1 > n$ with coefficients $\dfrac{e_{j_k}}{\prod_{0 \le i \le c-1,\ i \ne j_k}(\alpha_{j_k} - \alpha_i)}$ in $GF(2^k)$.

Therefore, faulty processors affect the result in an additive manner. From here
on it is straightforward to appeal to standard coding theory results to show that:

Theorem 5. (i) If the number of parallel, mutually independent, identical redundant channels is $d + t \le c - n - 1$ ($d \ge t$), then up to $t$ faulty processors can be corrected, and up to $d$ simultaneously detected. (ii) By adding $2t$ redundant independent channels at most $t$ faulty processors can be corrected.

While it is true that arbitrarily powerful adversaries can simply create faults in enough channels and overwhelm the system proposed here, it is part of the design process to decide on how much security is enough, since all security (i.e. extra channels) has a cost. We also remark that the Welch-Berlekamp algorithm is suitable for correcting the faults induced by the attacks described in this paper. Note that to specify the algorithm we choose a set of $n + 1$ indices

$$K = \{0, 1, \ldots, n\}, \quad \text{and} \quad \bar K = \{0, \ldots, c - 1\} \setminus K.$$

Algorithm 1. Welch-Berlekamp Decoding of the Output Vector.

Inputs: output vector of computation $r' = (r'_0, \ldots, r'_n, r'_{n+1}, \ldots, r'_c)$, set of $c$ distinct points $T = \{\alpha_j \mid \alpha_j \in GF(2^k)\}$, set of indices $K = \{0, 1, \ldots, n\}$, polynomial $g(x) = \prod_{i \in K}(x - x_i)$.
Outputs: polynomials $d(x)$, $r''(x)$.

1. By Lagrange interpolation, interpolate the output vector $r'$ in order to get the polynomial $r'(x)$; if $\deg(r'(x)) \le n$ and $a_i \in GF(2)$ then STOP, else
2. for $i \in K$ find $r''(x)$, where $\deg(r'') \le n$,
3. evaluate $r''(x)$ at $\alpha_l$, $l \in \bar K$,
4. determine syndromes $S_l = r'_l - r''(x_l)$, $l \in \bar K$,
5. determine $y_l = S_l / g(x_l)$,
6. solve the key equation $d(x_l)\,y_l = r''(x_l)$.
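As an added example (not the authors' code), the following Python carries the scheme of Sections 3 to 5 through one multiplication: both operands are evaluated at $c = n + 3$ points, multiplied channel by channel, interpolated, and tested against the set $C$ of Definition 1. It assumes $k = 4$ with the primitive polynomial $f(x) = x^4 + x + 1$, points $\alpha_j = \alpha^j$, and replaces the Welch-Berlekamp step of Algorithm 1 with a one-channel trial decoder (re-interpolate with each channel left out in turn), which with two redundant channels locates a single faulty processor exactly.

```python
# Added example (not the paper's code): fault-tolerant multiplication in GF(2^k)
# by evaluating both operands at c > n+1 points alpha_j, multiplying channel by
# channel, interpolating the result (LIT) and testing membership in the set C of
# Definition 1. Assumptions: k = 4 with f(x) = x^4 + x + 1 (primitive), points
# alpha_j = alpha^j, and a one-channel trial decoder in place of Welch-Berlekamp.
K = 4
F_POLY = 0b10011          # f(x) = x^4 + x + 1
Q = 1 << K                # |GF(2^k)| = 16

# exp/log tables: alpha = x is a root of f, so alpha^j = x^j mod f(x)
EXP, LOG = [0] * (2 * Q), [0] * Q
_v = 1
for _j in range(Q - 1):
    EXP[_j], LOG[_v] = _v, _j
    _v <<= 1
    if _v & Q:
        _v ^= F_POLY
for _j in range(Q - 1, 2 * Q):
    EXP[_j] = EXP[_j - (Q - 1)]

def gf_mul(a, b):
    """Multiplication in GF(2^k) via the log tables."""
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def poly_eval(coeffs, x):
    """Horner's rule (Lemma 1); coeffs[i] is the coefficient of x^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def poly_add(p, q):
    n = max(len(p), len(q))
    return [a ^ b for a, b in zip(p + [0] * (n - len(p)), q + [0] * (n - len(q)))]

def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= gf_mul(a, b)
    return out

def lagrange(points):
    """Lagrange interpolation over GF(2^k) as in (5); characteristic 2, so - is +."""
    result = [0]
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = poly_mul(basis, [xj, 1])   # (x - alpha_j)
                denom = gf_mul(denom, xi ^ xj)     # (alpha_i - alpha_j)
        scale = gf_mul(yi, EXP[(Q - 1) - LOG[denom]])   # y_i / denom
        result = poly_add(result, [gf_mul(scale, b) for b in basis])
    return result

def trim(p):
    """Drop leading zero coefficients."""
    while len(p) > 1 and p[-1] == 0:
        p = p[:-1]
    return p

def in_correct_set(p, n):
    """Membership in C (Definition 1): degree <= n and every coefficient in GF(2)."""
    return len(trim(p)) - 1 <= n and all(a in (0, 1) for a in p)

def channel_multiply(g, h, points):
    """Encode g, h as in (1)/(3) and multiply independently on each channel."""
    return [gf_mul(poly_eval(g, a), poly_eval(h, a)) for a in points]

def decode(r_vec, points, n):
    """Return (polynomial, status): None = clean, j = channel j corrected,
    -1 = faults detected but more than one channel is wrong."""
    full = lagrange(list(zip(points, r_vec)))
    if in_correct_set(full, n):
        return trim(full), None
    for drop in range(len(points)):   # with 2 redundant channels, one fault is locatable
        kept = [(a, r) for j, (a, r) in enumerate(zip(points, r_vec)) if j != drop]
        cand = lagrange(kept)
        if in_correct_set(cand, n):
            return trim(cand), drop
    return trim(full), -1

# constructed demo: g = x^3 + x + 1, h = x^2 + 1, n = 2(k-1) = 6, c = n + 3 = 9
G, H, N, C = [1, 1, 0, 1], [1, 0, 1], 2 * (K - 1), 2 * (K - 1) + 3
POINTS = [EXP[j] for j in range(C)]

def demo():
    clean = decode(channel_multiply(G, H, POINTS), POINTS, N)
    faulty = channel_multiply(G, H, POINTS)
    faulty[4] ^= 0b0110                 # AFM: unknown nonzero e_4 added on channel 4
    one_fault = decode(faulty, POINTS, N)
    faulty[7] ^= 0b1001                 # a second fault exceeds the one-channel budget
    two_faults = decode(faulty, POINTS, N)
    return clean, one_fault, two_faults

if __name__ == "__main__":
    for label, (poly, status) in zip(("clean", "one fault", "two faults"), demo()):
        print(label, poly, status)
```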

6 Conclusions and Current Work


We have described fault attacks on cryptosystems and proposed a means of protecting computation of the finite field $GF(2^k)$ against side-channel attacks, by decomposing computation over parallel, independent, identical channels. This offers a great advantage, since computations are mutually independent (fault effects do not spread to the other channels), and they are performed over the same field. Fault-tolerant computation is obtained by the use of redundancy. By adding $d + t$, $d \ge t$, redundant channels we can correct up to $t$ faulty processors, and simultaneously detect $d$ faulty processors. Either of the two proposed fault models, RFM or AFM, can be used on each channel. Our method covers random and burst errors that can be caused by malicious fault insertion by an adversary, or transient faults. Also, efficient error correction is possible through the use of the Welch-Berlekamp decoding algorithm. Moreover, it is part of the design process to decide on how much security is enough, since all security (i.e. extra channels) has a cost.
In current work, we are directly applying the method developed in this paper to the algorithm-specific computations which are used in elliptic and hyperelliptic curve cryptosystems. Since the group addition in such cryptosystems is built up of a specific sequence of finite field additions and multiplications, to which the results of this paper directly apply, this is a natural progression in our research.

Acknowledgment
The authors would like to thank the Australian Research Council for its support
through the ARC Linkage grant, LP0455324. The authors would also like to
thank the anonymous referees whose comments vastly improved the presentation
and content of the paper.

References
1. Bao, F., Deng, R.H., Han, Y., Jeng, A.B., Narasimhalu, A.D., Ngair, T-H.: Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults. In: Christianson, B., Lomas, M. (eds.) Security Protocols. LNCS, vol. 1361, pp. 115–124. Springer, Heidelberg (1998)
2. Beckmann, P.E., Musicus, B.R.: Fast Fault-Tolerant Digital Convolution Using a Polynomial Residue Number System. IEEE Trans. Signal Processing 41(7), 2300–2313 (1993)
3. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the Importance of Eliminating Errors in Cryptographic Computations. J. Cryptology 14, 101–119 (2001)
4. von zur Gathen, J., Gerhard, J.: Modern Computer Algebra. Cambridge University Press, UK (1999)
5. Gaubatz, G., Sunar, B.: Robust Finite Field Arithmetic for Fault-Tolerant Public-Key Cryptography. In: 2005 Workshop on Fault Diagnosis and Tolerance in Cryptography, Edinburgh, Scotland (2005)
6. Imbert, L., Dimitrov, V.S., Jullien, G.A.: Fault-Tolerant Computation Over Replicated Finite Rings. IEEE Trans. Circuits Systems-I: Fundamental Theory and Applications 50(7), 858–864 (2003)
7. Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
8. Lidl, R., Niederreiter, H.: Introduction to Finite Fields and Their Applications. Cambridge University Press, London (1986)
9. Otto, M.: Fault Attacks and Countermeasures. PhD Thesis (2004)
10. Reed, I.S., Solomon, G.: Polynomial Codes over Certain Finite Fields. J. Society for Industrial and Applied Mathematics 8(2), 300–304 (1960)
11. Reyhani-Masoleh, A., Hasan, M.A.: Towards Fault-Tolerant Cryptographic Computations over Finite Fields. ACM Trans. Embedded Computing Systems 3(3), 593–613 (2004)
12. Welch, L., Berlekamp, E.R.: Error Corrections for Algebraic Block Codes. U.S. Patent 4 633 470 (1983)
13. Wicker, S.B., Bhargava, V.K.: Reed-Solomon Codes and Their Applications. IEEE Press, New York (1994)
A Note on a Class of Quadratic Permutations over $\mathbb{F}_{2^n}$

Yann Laigle-Chapuy

INRIA, Domaine de Voluceau, BP 105, 78153 Rocquencourt, Le Chesnay Cedex, France
[email protected]

Abstract. Finding new classes of permutation polynomials is a challenging problem. Blokhuis et al. investigated the permutation behavior of polynomials of the form $\sum_{i=0}^{n-1} a_i X^{2^i+1}$ over $\mathbb{F}_{2^n}$. In this paper, we extend their results and propose as a new conjecture that if $n = 2^e$ then $X^2$ is the only unitary permutation polynomial of this type.

1 Introduction
Let $\mathbb{F}_{2^n}$ be the field of order $2^n$ and $\mathbb{F}_{2^n}[X]$ denote the ring of polynomials in the indeterminate $X$ with coefficients in $\mathbb{F}_{2^n}$. A polynomial $P \in \mathbb{F}_{2^n}[X]$ which permutes $\mathbb{F}_{2^n}$ under evaluation is called a permutation polynomial over $\mathbb{F}_{2^n}$. For a general introduction to permutation polynomials, we refer to [1,2]. Discovering new classes of permutation polynomials is an old problem with applications in cryptography, coding theory and combinatorial designs. For instance, Patarin introduced the HFE cryptosystem [3] based on quadratic polynomials, which are polynomials of the form
$$\sum_{0 \le i,j \le n-1} a_{i,j} X^{2^i+2^j}, \qquad a_{i,j} \in \mathbb{F}_{2^n}.$$
In his paper, he raised the problem of finding quadratic permutation polynomials and stated that it seems to be difficult to characterize them. Only few families of such quadratic permutation polynomials are known. We can cite for example Dobbertin's permutation [4] over $\mathbb{F}_{2^n}$
$$X^{2^{m+1}+1} + X^3 + X, \qquad \text{with } n = 2m+1.$$
Families of binomials have also been found recently by Budaghyan et al. [5]. Quadratic polynomials restricted to $j$ equal to $0$,
$$\sum_{0 \le i \le n-1} a_i X^{2^i+1}, \qquad a_i \in \mathbb{F}_{2^n},$$
form an interesting subclass that was introduced by Blokhuis et al. in [6], where they studied their permutation behavior.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 130–137, 2007.
© Springer-Verlag Berlin Heidelberg 2007

The purpose of this paper is to extend their results. In Section 2 we state the
definitions and notations. We will then define in Section 3 a new class of bilinear
permutation polynomials which will lead us to a new conjecture. Finally, in
Section 4, we discuss some related problems and give arguments supporting our
conjecture.

2 Preliminaries

For most cryptographic purposes, composition with a linear map will not change the properties of the function. We will therefore define linear equivalence. First, let us recall the shape of polynomials corresponding to linear maps, that is, linearized polynomials.

Definition 1. A linearized polynomial $P \in \mathbb{F}_{2^n}[X]$ is a polynomial of the shape
$$P(X) = \sum_{i=0}^{n-1} a_i X^{2^i} \qquad \text{with } a_i \in \mathbb{F}_{2^n}.$$
Let $\mathcal{L}(n)$ be the set of all such polynomials.

We will consider equivalence classes under the action of bijective linearized polynomials.

Definition 2. Two polynomials $P$ and $Q$ in $\mathbb{F}_{2^n}[X]$ are linearly equivalent if there exist linearized permutation polynomials $L_1$ and $L_2$ in $\mathcal{L}(n)$ such that
$$L_1 \circ P \circ L_2 = Q.$$

We will now present the class of polynomials which we will study. Following the work of Blokhuis et al., we will focus on a subclass of quadratic polynomials.

Definition 3. A bilinear polynomial $P \in \mathbb{F}_{2^n}[X]$ is a polynomial of the shape
$$P(X) = L_1(X)\,L_2(X) \qquad \text{with } L_1, L_2 \in \mathcal{L}(n).$$
Moreover, as we are only interested in equivalence classes, we can extract an even smaller family.

Proposition 1 (cf. [6]). Every bilinear permutation $P \in \mathbb{F}_{2^n}[X]$ is linearly equivalent to a polynomial $XL(X)$ with $L \in \mathcal{L}(n)$.

Proof. To be a permutation, $P(X) = L_1(X)L_2(X)$ must have only $0$ as a root. Therefore $L_1$ and $L_2$, as they are linearized polynomials, must be permutations and thus invertible. Composing $P$ with $L_1^{-1}$, which is also linearized, we obtain an equivalent polynomial $P \circ L_1^{-1}(X) = XL(X)$ with $L = L_2 \circ L_1^{-1}$. □


This allows us to restrict ourselves to studying only the permutation behavior of polynomials of the shape
$$XL(X) = \sum_{0 \le i \le n-1} a_i X^{2^i+1} \qquad \text{with } a_i \in \mathbb{F}_{2^n}.$$
In the following, $\mathcal{B}(n)$ will denote the set of such polynomials.

Notice that all the terms of those polynomials are quadratic, except possibly a term of linear degree $2$.

3 Permutations Amongst $\mathcal{B}(n)$

At the time of writing, only few permutations amongst $\mathcal{B}(n)$ are known. The only study of this class of polynomials is found in the article of Blokhuis et al. [6], and we will recall their results.

Theorem 1 (cf. [6]). Let $k$ and $n$ be any integers and set $d = \gcd(n, k)$. The following three classes define permutations amongst $\mathcal{B}(n)$:
(i) $X^{2^k+1}$ where $n/d$ is odd.
(ii) $X^{2^k+1} + aX^{2^{n-k}+1}$ where $n/d$ is odd and $a^{(2^n-1)/(2^d-1)} = 1$.
(iii) $X^{2^{2k}+1} + (aX)^{2^k+1} + aX^2$ where $n = 3k$ and $a^{(2^n-1)/(2^k-1)} = 1$.
Moreover, (ii) and (iii) are linearly equivalent to (i).


All those classes are linearly equivalent to a monomial, and the proof gives explicitly $L_1$ and $L_2$ such that
$$L_1 \circ XL(X) \circ L_2 = X^{2^k+1} \bmod X^{2^n} + X.$$
Blokhuis et al. also introduced a last family of bilinear permutations using the trace function.
Definition 4. Recall the notation for the relative field trace, for $n = k\ell$:
$$\mathrm{Tr}_k^{\ell}(X) = \mathrm{Tr}_{\mathbb{F}_{2^{k\ell}}/\mathbb{F}_{2^\ell}}(X) = \sum_{i=0}^{k-1} X^{2^{\ell i}}.$$

Theorem 2. Let $k$ be odd and $\ell$ be any positive integer. Set $n = k\ell$ and $a \in \mathbb{F}_{2^\ell} \setminus \mathbb{F}_2$. Then the following polynomial is a bilinear permutation over $\mathbb{F}_{2^n}$.
(iv) $X\big(\mathrm{Tr}_k^{\ell}(X) + aX\big)$.

We will now give an extension of their results, constructing recursively new bilinear permutation polynomials.

Theorem 3 (a new class). Let $k$ be odd and $\ell$ be any positive integer. Set $n = k\ell$, let $a \in \mathbb{F}_{2^\ell}$ be a non-zero element of the subfield and let $L \in \mathcal{L}(\ell)$ be a linearized polynomial over $\mathbb{F}_{2^\ell}$ such that $XL(X) \in \mathcal{B}(\ell)$ is a bilinear permutation over $\mathbb{F}_{2^\ell}$. Then the following polynomial is a bilinear permutation over $\mathbb{F}_{2^n}$.
(v) $X\big(L(\mathrm{Tr}_k^{\ell}(X)) + a\,\mathrm{Tr}_k^{\ell}(X) + aX\big)$.

Proof. The case (iv) is deduced from (v), with $L(X) = X$, by applying the following transformation:
$$X\big(\mathrm{Tr}_k^{\ell}(X) + aX\big) = (a+1)\,X\Big(\mathrm{Tr}_k^{\ell}(X) + \frac{a}{a+1}\mathrm{Tr}_k^{\ell}(X) + \frac{a}{a+1}X\Big).$$

Let us now prove (v). Let $P(X) = X\big(L(\mathrm{Tr}_k^{\ell}(X)) + a\,\mathrm{Tr}_k^{\ell}(X) + aX\big) \in \mathbb{F}_{2^n}[X]$ with $Q(X) = XL(X)$ in $\mathcal{B}(\ell)$ a permutation over $\mathbb{F}_{2^\ell}$. For all $x \in \mathbb{F}_{2^n}$,
$$\mathrm{Tr}_k^{\ell}(P(x)) = \mathrm{Tr}_k^{\ell}(x)\,\mathrm{Tr}_k^{\ell}\big(L(\mathrm{Tr}_k^{\ell}(x))\big).$$
Moreover, as $k$ is odd, $L(\mathrm{Tr}_k^{\ell}(x))$, which lies in $\mathbb{F}_{2^\ell}$, is equal to its trace. We thus obtain
$$\mathrm{Tr}_k^{\ell}(P(x)) = Q(\mathrm{Tr}_k^{\ell}(x)).$$
Let $x$ and $y$ be such that $P(x) = P(y)$. We have in particular
$$Q(\mathrm{Tr}_k^{\ell}(x)) = Q(\mathrm{Tr}_k^{\ell}(y)),$$
and since $Q$ permutes $\mathbb{F}_{2^\ell}$,
$$\mathrm{Tr}_k^{\ell}(x) = \mathrm{Tr}_k^{\ell}(y).$$
Let $t$ denote this trace. Then
$$P(x) = P(y) \iff x\big(L(t) + at + ax\big) = y\big(L(t) + at + ay\big) \iff a(x+y)\big(a^{-1}L(t) + t + x + y\big) = 0.$$
This implies that $x + y = a^{-1}L(t) + t$ or $x + y = 0$, which in both cases gives $x + y \in \mathbb{F}_{2^\ell}$. Finally, applying the trace operator, $x + y = \mathrm{Tr}_k^{\ell}(x + y) = t + t = 0$ and $P(X)$ is a permutation polynomial, which concludes the proof.

In order to clarify these results, we will give a few examples.

Example 1. In $\mathbb{F}_{2^9}$, taking $\alpha$ as a primitive element, we obtain two classes of bilinear permutations linearly equivalent neither to monomials nor to each other, one of type (iv) and one of type (v):
$$\text{type (iv)}\quad X^{65} + X^9 + \alpha^{73}X^2 = X\big(\mathrm{Tr}_3^3(X) + \alpha^{219}X\big)$$
$$\text{type (v)}\quad X^{129} + X^{65} + X^{17} + X^9 + X^3 = X\big(\mathrm{Tr}_3^3(X)^2 + \mathrm{Tr}_3^3(X) + X\big)$$

Example 2. Starting from the type (iv) permutation polynomial in $\mathcal{B}(6)$
$$P_6(X) = X^{17} + X^5 + aX^2,$$
where $a \in \mathbb{F}_4 \setminus \mathbb{F}_2$, and taking $b \in \mathbb{F}_{2^{15}}$ non-zero, we construct the following permutation of $\mathbb{F}_{2^{30}}$:
$$P_{30}(X) = X\Big(\frac{P_6(X)}{X} \circ \mathrm{Tr}_5^6(X) + b\,\mathrm{Tr}_5^6(X) + bX\Big)$$
$$= X^{2^{28}+1} + X^{2^{26}+1} + X^{2^{22}+1} + X^{2^{20}+1} + X^{2^{16}+1} + X^{2^{14}+1} + X^{2^{10}+1} + X^{2^{8}+1} + X^{2^{4}+1} + X^{2^{2}+1} + (a+b)\big(X^{2^{24}+1} + X^{2^{18}+1} + X^{2^{12}+1} + X^{2^{6}+1}\big) + aX^2.$$

Example 3. In $\mathbb{F}_{2^{15}}$, the following polynomials are type (v) permutations:
$$X^{2049} + aX^{1025} + X^{65} + aX^{33} + X^{3}, \qquad a \in \mathbb{F}_{32}$$
$$X^{4097} + aX^{1025} + X^{129} + aX^{33} + X^{5}, \qquad a \in \mathbb{F}_{32}$$
$$X^{8193} + aX^{1025} + X^{257} + aX^{33} + X^{9}, \qquad a \in \mathbb{F}_{32}$$
$$X^{8193} + aX^{4097} + X^{1025} + aX^{513} + X^{129} + aX^{65} + X^{17} + aX^{9} + X^{3}, \qquad a \in \mathbb{F}_{8}$$
$$X^{16385} + aX^{1025} + X^{513} + aX^{33} + X^{17}, \qquad a \in \mathbb{F}_{32}$$
$$X^{16385} + aX^{4097} + X^{2049} + aX^{513} + X^{257} + aX^{65} + X^{33} + aX^{9} + X^{5}, \qquad a \in \mathbb{F}_{8}$$
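The theorems above can be checked exhaustively on small fields. The Python script below is an added example, not code from the paper: it implements GF(2^n) arithmetic for defining polynomials of my own choosing (x^9 + x^4 + 1 and x^6 + x + 1, both assumed primitive so that α = x generates the multiplicative group), builds the relative trace Tr_k^ℓ and the type (iv) and (v) polynomials, and compares brute-force permutation tests with what Theorems 1 to 3 and Example 1 predict, including the case a ∈ F_2 that Theorem 2 excludes. All function names are mine.

```python
from functools import reduce
from math import gcd

# Added example (not from the paper).  Elements of GF(2^n) are ints whose bits
# are the coefficients of a polynomial over GF(2).  The defining polynomials
# are my own choice and are assumed primitive, so alpha = x (the int 2)
# generates the multiplicative group.
F512 = (9, (1 << 9) | (1 << 4) | 1)   # GF(2^9) = GF(2)[x]/(x^9 + x^4 + 1)
F64 = (6, (1 << 6) | (1 << 1) | 1)    # GF(2^6) = GF(2)[x]/(x^6 + x + 1)

def gf_mul(a, b, field):
    """Shift-and-add multiplication in GF(2^n), reducing modulo the defining polynomial."""
    n, poly = field
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:              # degree reached n: subtract (xor) the modulus
            a ^= poly
    return r

def gf_pow(a, e, field):
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, field)
        a = gf_mul(a, a, field)
        e >>= 1
    return r

def rel_trace(x, k, ell, field):
    """Tr_k^ell(x) = sum_{i<k} x^(2^(ell*i)): the trace from GF(2^(k*ell)) onto GF(2^ell)."""
    assert field[0] == k * ell
    return reduce(lambda acc, i: acc ^ gf_pow(x, 1 << (ell * i), field), range(k), 0)

def is_permutation(f, field):
    """Exhaustive test: f permutes GF(2^n) iff it takes 2^n distinct values."""
    size = 1 << field[0]
    return len({f(x) for x in range(size)}) == size

def agree_everywhere(f, g, field):
    """True iff f and g induce the same map on GF(2^n)."""
    return all(f(x) == g(x) for x in range(1 << field[0]))

def subfield_element(field, ell, j):
    """alpha^(j*(2^n-1)/(2^ell-1)): the j-th power of a generator of the subfield GF(2^ell)^*."""
    n = field[0]
    return gf_pow(2, j * ((1 << n) - 1) // ((1 << ell) - 1), field)

def theorem1_i_matches_exhaustive(field):
    """Theorem 1 (i): X^(2^k+1) permutes GF(2^n) iff n/gcd(n,k) is odd; compare with brute force."""
    n = field[0]
    for k in range(1, n):
        predicted = (n // gcd(n, k)) % 2 == 1
        actual = is_permutation(lambda x, k=k: gf_pow(x, (1 << k) + 1, field), field)
        if predicted != actual:
            return False
    return True

def type_iv(field, k, ell, a):
    """X * (Tr_k^ell(X) + aX), Theorem 2: k odd, a in GF(2^ell) outside GF(2)."""
    return lambda x: gf_mul(x, rel_trace(x, k, ell, field) ^ gf_mul(a, x, field), field)

def type_v(field, k, ell, L, a):
    """X * (L(Tr_k^ell(X)) + a Tr_k^ell(X) + aX), Theorem 3: k odd, a nonzero in GF(2^ell),
    X*L(X) a bilinear permutation of GF(2^ell)."""
    def P(x):
        t = rel_trace(x, k, ell, field)
        return gf_mul(x, L(t) ^ gf_mul(a, t, field) ^ gf_mul(a, x, field), field)
    return P

def example_1_checks():
    """Example 1 over GF(2^9), k = ell = 3: one type (iv) and one type (v) permutation,
    each compared against its expanded monomial form."""
    a = subfield_element(F512, 3, 3)            # alpha^219, the cube of a generator of GF(8)^*
    assert gf_pow(a, 8, F512) == a and a not in (0, 1)
    p_iv = type_iv(F512, 3, 3, a)
    p_v = type_v(F512, 3, 3, lambda y: gf_mul(y, y, F512), 1)   # L(Y) = Y^2, a = 1
    # X*Tr(X) + aX^2 = X^65 + X^9 + (1+a)X^2 and X*(Tr(X)^2 + Tr(X) + X) = X^129+X^65+X^17+X^9+X^3
    iv_expanded = lambda x: gf_pow(x, 65, F512) ^ gf_pow(x, 9, F512) ^ gf_mul(a ^ 1, gf_mul(x, x, F512), F512)
    v_expanded = lambda x: reduce(lambda s, e: s ^ gf_pow(x, e, F512), (129, 65, 17, 9, 3), 0)
    return {
        "iv_is_permutation": is_permutation(p_iv, F512),
        "v_is_permutation": is_permutation(p_v, F512),
        "iv_expansion_matches": agree_everywhere(p_iv, iv_expanded, F512),
        "v_expansion_matches": agree_everywhere(p_v, v_expanded, F512),
        # Theorem 2 needs a outside GF(2): with a = 1 the map sends all of GF(8) to 0
        "iv_fails_for_a_in_gf2": not is_permutation(type_iv(F512, 3, 3, 1), F512),
    }

def theorem_2_over_gf64():
    """Type (iv) in B(6) with k = 3, ell = 2 and a in GF(4) outside GF(2): the P_6 of Example 2."""
    a = subfield_element(F64, 2, 1)             # alpha^21 generates GF(4)^*
    return is_permutation(type_iv(F64, 3, 2, a), F64)

if __name__ == "__main__":
    print(example_1_checks())
    print("Theorem 1 (i) agrees with brute force:", theorem1_i_matches_exhaustive(F64), theorem1_i_matches_exhaustive(F512))
    print("P_6 permutes GF(2^6):", theorem_2_over_gf64())
```

The brute-force test is only feasible for small n; for the F_{2^15} polynomials of Example 3 the same functions apply, but the 32768 evaluations with exponents up to 16385 are slow in pure Python, so the script stays with F_{2^6} and F_{2^9}.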

Conjecture 1. The class (v) contains an infinite class of permutation polynomials not linearly equivalent to monomials.

We can see that all the families (i) to (v) need the degree of the extension $n$ to have an odd factor. We also verified with an exhaustive search for $n \le 7$ that, up to linear equivalence, there are no other bilinear permutations. This leads us to the two following conjectures.

Conjecture 2. There is no other bilinear permutation than $aX^2$ in $\mathcal{B}(n)$ with $n = 2^e$.

Conjecture 3. There is no non-monomial bilinear permutation in $\mathcal{B}(p)$ with $p$ prime.

Moreover, we will give in the following section a result in the direction of Conjecture 2.

4 Discussions

4.1 On Linearized Permutations

We would like to emphasize the role of linear permutations. They appear twice in our context. First, we use them to define linear equivalences, as cryptographic properties are mainly invariant under their action. Secondly, as stated in Proposition 1, every bilinear permutation comes from a linearized permutation polynomial. We can therefore deduce from Theorem 3 a class of linearized permutations.

Corollary 1 (new linearized permutations). Let $k$ be odd and $\ell$ be any positive integer. Set $n = k\ell$, let $a \in \mathbb{F}_{2^\ell}$ be a non-zero element of the subfield and let $L \in \mathcal{L}(\ell)$ be a linearized polynomial over $\mathbb{F}_{2^\ell}$ such that $XL(X) \in \mathcal{B}(\ell)$ is a bilinear permutation over $\mathbb{F}_{2^\ell}$. Then the following polynomial is a linearized permutation polynomial over $\mathbb{F}_{2^n}$:
$$L(\mathrm{Tr}_k^{\ell}(X)) + a\,\mathrm{Tr}_k^{\ell}(X) + aX.$$

It is also interesting to consider our problem as characterizing the permutation behavior of modified linearized permutations. Our main result treats $XL(X)$. We will now look at $L(X)/X$ and $L(X) + aX$.

The first result is a theorem from Payne [7,8]. Originally dealing with ovoids in Desarguesian planes, it can be restated as follows.

Theorem 4 (Payne). Let $L(X) \in \mathcal{L}(n)$ be a linearized polynomial. Then
$$P(X) = \frac{L(X)}{X} = \sum_{i=0}^{n} a_i X^{2^i-1}, \qquad a_i \in \mathbb{F}_{2^n}$$
is a permutation polynomial if and only if
$$P(X) = a_0 + a_i X^{2^i-1}$$
with $a_i \ne 0$ and $\gcd(2^i - 1, 2^n - 1) = 1$.


We can deduce from this theorem a nice corollary.

Corollary 2. Let $L(X) \in \mathcal{L}(n)$ be a linearized polynomial. Then there exists $a \in \mathbb{F}_{2^n}$ such that $L(X) + aX$ is a linearized permutation polynomial.

Proof. We have to consider three cases.
– If $L(X) = a_0 X$ then any $a \ne a_0$ is a solution.
– If $L(X) = a_0 X + a_i X^{2^i}$, $0 < i \le n$ with $a_i \ne 0$, then taking $a = a_0$ we obtain
$$L(X) + aX = a_i X^{2^i},$$
which clearly has no other root than $0$ and is thus bijective.
– If $L(X)$ is not of the form $a_0 X + a_i X^{2^i}$, then from Theorem 4 we know that $P(X) = L(X)/X$ is not a permutation. If we choose $a \in \mathbb{F}_{2^n} \setminus \mathrm{Im}(P)$ outside of its image, then
$$L(X) + aX = X\big(P(X) + a\big)$$
has its kernel reduced to $\{0\}$ and is therefore bijective.

4.2 The Case $\mathbb{F}_{2^{2^n}}$

We give here a result in the direction of Conjecture 2.

Theorem 5. Let $n_0$ be an integer such that the only unitary bilinear permutation over $\mathbb{F}_{2^{2^{n_0}}}$ is $X^2$. Then for all $n \ge n_0$, the only unitary bilinear permutation over $\mathbb{F}_{2^{2^n}}$ with coefficients in $\mathbb{F}_{2^{2^{n_0}}}$ is $X^2$.

Proof. Suppose that the statement holds up to $n - 1$, with $n > n_0$. Set $t = 2^{n-1}$. Let
$$P(X) = \sum_{i=0}^{2t-1} \lambda_i X^{2^i+1} \in \mathcal{B}(2t)$$
with $\lambda_i \in \mathbb{F}_{2^{2^{n_0}}}$ be a permutation over $\mathbb{F}_{2^{2^n}}$. $P$ must in particular permute $\mathbb{F}_{2^t}$. It follows from our hypothesis that $P \bmod X^{2^t} + X$ must be equal to $X^2$, giving:
$$\sum_{i=0}^{t-1} (\lambda_i + \lambda_{i+t}) X^{2^i+1} = X^2.$$
This allows us to write
$$P(X) = XH(X) \qquad \text{with } H(X) = X + \mathrm{Tr}_2^{t}\Big(\sum_{i=1}^{t-1} \lambda_i X^{2^i}\Big).$$
Note that $H$ induces the identity over $\mathbb{F}_{2^t}$. If $P(X) \ne X^2$, there exists $x \in \mathbb{F}_{2^{2t}} \setminus \mathbb{F}_{2^t}$ such that $H(x) + x = \beta \ne 0$. We then have
$$P(x + \beta) = P(x) + \beta\big(H(x) + x + \beta\big) = P(x),$$
proving that $P$ is not a permutation polynomial. The theorem follows by induction.

Corollary 3. For all $n \ge 2$, the only unitary bilinear permutation over $\mathbb{F}_{2^{2^n}}$ with coefficients in $\mathbb{F}_{16}$ is $X^2$.

Proof. For $n_0 = 2$, we can establish the result by exhaustive search. We then apply the previous theorem.

5 Conclusion

We described a new recursive family of quadratic permutation polynomials over $\mathbb{F}_{2^n}$. It enables us to construct easily many quadratic bilinear permutation polynomials over binary fields. Due to the recursive structure, the more odd factors $n$ has, the more distinct permutation polynomials over $\mathbb{F}_{2^n}$ we will be able to construct. On the other hand, if the degree of extension $n$ is prime or if $n = 2^e$, we only obtain monomials. We thus conjecture that there exist no others. Moreover, for the case $n = 2^e$, we gave an argument supporting this conjecture.

References
1. Lidl, R., Mullen, G.: When does a Polynomial over a Finite Field Permute the
Elements of the Field? Amer. Math. Monthly 100, 71–74 (1993)
2. Lidl, R., Niederreiter, H.: Finite Fields, 2nd edn. Cambridge University Press, Cam-
bridge (1997)

3. Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP):
Two New Families of Asymmetric Algorithms. In: Maurer, U.M. (ed.) EURO-
CRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)
4. Dobbertin, H.: Almost Perfect Nonlinear Power Functions on GF(2N): The Niho
Case. Inf. Comput. 151(1-2), 57–72 (1999)
5. Budaghyan, L., Carlet, C., Leander, G.: A Class of Quadratic APN Binomials In-
equivalent to Power Functions. Cryptology ePrint Archive, Report 2006/445 (2006),
http://eprint.iacr.org/
6. Blokhuis, A., Coulter, R.S., Henderson, M., O’Keefe, C.M.: Permutations Amongst
the Dembowski-Ostrom Polynomials. In: 1999 Finite Fields and Applications, pp.
37–42. Springer, Berlin (2001)
7. Payne, S.: A Complete Determination of Translation Ovoids in Finite Desarguian
Planes. Lincei - Rend. Sc. fis. mat. e nat. (1971)
8. Berger, T., Canteaut, A., Charpin, P., Laigle-Chapuy, Y.: Almost Perfect Nonlinear
Functions. Technical Report RR-5774, INRIA Rocquencourt (2005),
http://www.inria.fr/rrrt/rr-5774.html
Constructions of Orthonormal Lattices and Quaternion Division Algebras for Totally Real Number Fields

B.A. Sethuraman¹ and Frédérique Oggier²

¹ Department of Mathematics, California State University, Northridge
[email protected]
² Department of Electrical Engineering, California Institute of Technology
[email protected]

Abstract. We describe some constructions of orthonormal lattices in totally real subfields of cyclotomic fields, obtained by endowing their ring of integers with a trace form. We also describe constructions of quaternion division algebras over such fields. Orthonormal lattices and quaternion division algebras over totally real fields find use in wireless networks in ultra wideband communication, and we describe the application.

1 Introduction
1.1 Algebraic Coding for Wireless Networks
We consider the problem of designing codes for a wireless relay network with
k + 2 nodes, each of them equipped with one antenna. Communication between
the source node and the sink node is done with the help of k relay nodes. Several
communication protocols have been proposed in the literature, and the one we
will consider [1] belongs to the family of amplify-and-forward protocols, where
each relay node just amplifies the signal it receives from the transmitter, before
forwarding it to the receiver.
This protocol [1] is composed of k phases. During phase j, the source transmits
in two steps. It sends a first signal to the jth relay and the destination. While the
relay forwards the signal to the destination, the source further sends a second
signal to the destination. This is repeated for each j, j = 1, . . . , k.
For this protocol, the code design [16,2] consists of constructing invertible $2k \times 2k$ codewords, defined by
$$C = \mathrm{diag}(C_1, \ldots, C_k),$$
where $C_j$ is a $2 \times 2$ matrix, $j = 1, \ldots, k$, containing $4k$ information symbols. The block diagonal form of $C$ reflects the sequential nature of the protocol. Division algebras [13,10] have proved useful to design such invertible codewords.

The first author is supported in part by NSF grant DMS-0700904.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 138–147, 2007.
© Springer-Verlag Berlin Heidelberg 2007

Codewords are usually (in narrow band systems) built over the complex field,
but for ultra wideband communication, one needs to design them over the real
field. Complex code constructions based on cyclic division algebras are proposed
in [16]. In [2], examples of real codes are described for the case where the number
of relays is at most 5. In this paper, we provide systematic code constructions
for arbitrary number of relays, generalizing the approach in [2].
The general code design [2] consists of the following steps:
1. Choose a totally real number field $F$ of degree $k$ over $\mathbb{Q}$ which is cyclic, with Galois group generated by $\sigma$, and which is such that $F$ and $\mathbb{Q}(\sqrt{5})$ are linearly disjoint over $\mathbb{Q}$. Let $\tau : \sqrt{5} \mapsto -\sqrt{5}$ be the generator of the Galois group of $\mathbb{Q}(\sqrt{5})/\mathbb{Q}$. Then $F(\sqrt{5})$ is Galois over $\mathbb{Q}$ with Galois group $\langle\sigma\rangle \times \langle\tau\rangle$. The Galois group of $F(\sqrt{5})/F$ is hence generated by $\tau$.
2. Furthermore, choose $F$ such that one can find a trace lattice $(M, b_\alpha)$ (see Subsection 1.2) inside the ring of integers of $F$ that is isometric to the standard lattice $\mathbb{Z}^k \subseteq \mathbb{R}^k$. The orthonormal structure of $M$ allows an efficient encoding [2] of information symbols, as detailed in Steps 4 and 5 below.
3. Now consider the cyclic algebra $\mathcal{A} = (F(\sqrt{5})/F, \tau, \gamma)$, where $\gamma$ is in $F^*$, and choose $\gamma$ such that $\mathcal{A}$ is a division algebra. This will give us invertible codewords in Steps 4 and 5 below. Note that since $\mathcal{A}$ is a cyclic algebra of degree 2, it is also the quaternion algebra
$$\mathcal{A} = (5, \gamma). \tag{1}$$

4. Denote by $C_0$ a codeword from $\mathcal{A}$, that is, of the form
$$C_0 = \begin{pmatrix} \sqrt{\alpha\lambda} & 0 \\ 0 & \sqrt{\alpha\tau(\lambda)} \end{pmatrix} \begin{pmatrix} a + b\nu & c + d\nu \\ \gamma(c + d\tau(\nu)) & a + b\tau(\nu) \end{pmatrix}$$
where $\nu = \frac{1+\sqrt{5}}{2}$, $\alpha \in D_M^{-1}$ defines the trace form $b_\alpha$ and $\lambda = 2/(5 + \sqrt{5})$, chosen so that $(\sqrt{\lambda}, \sqrt{\lambda}\,\nu)$ and $(\sqrt{\tau(\lambda)}, \sqrt{\tau(\lambda)}\,\tau(\nu))$ are orthonormal in $\mathbb{R}^2$. Furthermore, if $\omega_1, \ldots, \omega_k$ is an orthonormal basis for $(M, b_\alpha)$, then $a = \sum_{i=1}^{k} \omega_i s_i$, $b = \sum_{i=1}^{k} \omega_i s_{k+i}$, $c = \sum_{i=1}^{k} \omega_i s_{2k+i}$, $d = \sum_{i=1}^{k} \omega_i s_{3k+i}$, where $s_1, \ldots, s_{4k}$ are information symbols from $\mathbb{Q}$.
5. We now define
$$C = \mathrm{diag}\big(\sigma(C_0), \ldots, \sigma^{k-1}(C_0), C_0\big)$$
where $\sigma(C_0)$ is obtained by applying $\sigma$ to every entry of $C_0$. Furthermore
$$\mathrm{vec}(\tilde{C}) = P \begin{pmatrix} \begin{pmatrix} \sqrt{\lambda} & \sqrt{\lambda}\,\nu \\ \sqrt{\tau(\lambda)} & \sqrt{\tau(\lambda)}\,\tau(\nu) \end{pmatrix} \otimes G & 0 \\ 0 & \begin{pmatrix} \gamma\sqrt{\lambda} & \gamma\sqrt{\lambda}\,\nu \\ \sqrt{\tau(\lambda)} & \sqrt{\tau(\lambda)}\,\tau(\nu) \end{pmatrix} \otimes G \end{pmatrix} \begin{pmatrix} s_1 \\ \vdots \\ s_{4k} \end{pmatrix}$$
where $\mathrm{vec}(\tilde{C})$ denotes the matrix $C$ vectorized with the zero entries removed, $P$ is a permutation matrix and $G$ is the generator matrix of $M$. Efficient encoding (or "shaping" [2,16]) requires the matrix that multiplies the information symbol vector to be orthonormal, for which it is sufficient¹ that $G$ be orthonormal.
To implement these steps above for an arbitrary number of relay nodes $k$, we thus need to find a totally real number field $F$ of degree $k$ over $\mathbb{Q}$ that is cyclic with generator $\sigma$, and that is linearly disjoint from $\mathbb{Q}(\sqrt{5})$, whose ring of integers allows the construction of an orthonormal trace lattice. Furthermore, we need to find a $\gamma \in F^*$ such that the algebra $(F(\sqrt{5})/F, \tau, \gamma)$ (which is the quaternion algebra $(5, \gamma)$) is a division algebra, where $\tau$ is the map that sends $\sqrt{5}$ to $-\sqrt{5}$. We will discuss the cases where $k$ is a power of 2 and a power of an odd prime separately in Sections 2 and 3, and then combine the cases in Section 4.

1.2 Trace Lattices

Let $F$ be a totally real number field of degree $k$ over $\mathbb{Q}$, and denote by $\mathcal{O}_F$ its ring of integers. Let $\sigma_1, \ldots, \sigma_k$ be the $k$ embeddings of $F$ into $\mathbb{R}$, and write $\mathrm{Tr}_{F/\mathbb{Q}}$ (or $\mathrm{Tr}_F$ when the context is clear) for the trace from $F$ to $\mathbb{Q}$. We call an element $x \in F$ totally positive if $\sigma_i(x) \ge 0$, $i = 1, \ldots, k$. Let $M \subset \mathcal{O}_F$ be an integer lattice, that is, a subgroup of the additive group of $\mathcal{O}_F$. Being a $\mathbb{Z}$-submodule of a finitely generated and free $\mathbb{Z}$-module, $M$ will also be finitely generated and free. We will focus on those $M$ whose rank as a free $\mathbb{Z}$-module is exactly $k$ (called full lattices). We denote by $D_M^{-1}$ the codifferent of $M$, defined by
$$D_M^{-1} = \{x \in F \mid \mathrm{Tr}_F(xM) \in \mathbb{Z}\}. \tag{2}$$

Definition 1. A trace lattice is an integral lattice $(M, b_\alpha)$, where $M \subseteq \mathcal{O}_F$ is a (full) integer lattice, $\alpha$ is some totally positive element in $D_M^{-1}$, and $b_\alpha : M \times M \to \mathbb{Z}$ is the bilinear form given by $b_\alpha(x, y) = \mathrm{Tr}_F(\alpha x y)$. We refer to $b_\alpha$ as a trace form on $M$. We say that the trace lattice $(M, b_\alpha)$ is orthonormal if there exists a basis $\{\omega_1, \ldots, \omega_k\}$ such that $b_\alpha(\omega_i, \omega_j) = \delta_{i,j}$, in which case we say that the basis above is orthonormal.

If $\{\omega_1, \ldots, \omega_k\}$ is a $\mathbb{Z}$-basis of $M$, then the trace lattice $(M, b_\alpha)$ can be embedded isometrically in $\mathbb{R}^k$ endowed with its standard bilinear form $\langle\,\cdot\,,\,\cdot\,\rangle$ (the "dot product") by the map $\omega_i \mapsto f(\omega_i) = \big(\sqrt{\alpha_1}\,\sigma_1(\omega_i), \sqrt{\alpha_2}\,\sigma_2(\omega_i), \ldots, \sqrt{\alpha_k}\,\sigma_k(\omega_i)\big)$, where $\alpha_j = \sigma_j(\alpha)$, $j = 1, \ldots, k$ (note that $\alpha$ is totally positive). We may collect the $f(\omega_i)$ into a matrix known as the generator matrix of $M$, given by
$$G = \begin{pmatrix} \sqrt{\alpha_1}\,\sigma_1(\omega_1) & \sqrt{\alpha_2}\,\sigma_2(\omega_1) & \ldots & \sqrt{\alpha_k}\,\sigma_k(\omega_1) \\ \vdots & \vdots & \ldots & \vdots \\ \sqrt{\alpha_1}\,\sigma_1(\omega_k) & \sqrt{\alpha_2}\,\sigma_2(\omega_k) & \ldots & \sqrt{\alpha_k}\,\sigma_k(\omega_k) \end{pmatrix}. \tag{3}$$
One easily verifies that $GG^T = \{\mathrm{Tr}_F(\alpha\,\omega_i\omega_j)\}_{i,j=1}^{k}$, reflecting the fact that $b_\alpha(\omega_i, \omega_j) = \langle f(\omega_i), f(\omega_j)\rangle$. The basis $\{\omega_1, \ldots, \omega_k\}$ is an orthonormal basis if and only if $GG^T$ is the identity matrix.
¹ $\gamma$ should also be such that $|\gamma|^2 = 1$, which here prevents $\mathcal{A}$ from being a division algebra. This can be overcome; we refer the reader to [2, III.A.] for this discussion.

2 Totally Real Fields of Degree a Power of 2

Consider the cyclotomic field $L = \mathbb{Q}(\omega)$, where $\omega$ is the primitive $2^n$-th root of unity $e^{2\pi\imath/2^n}$, for a positive integer $n \ge 3$. We write $\theta$ for the element $\omega + \omega^{-1}$, so that the maximal totally real subfield of $L$ is given by $K = \mathbb{Q}(\theta)$. Note that $[L : \mathbb{Q}] = 2^{n-1}$ and $[K : \mathbb{Q}] = 2^{n-2}$. Let $k = 2^{n-2}$. We will work with the field $K$ in this section. We will first construct an orthonormal lattice in $\mathcal{O}_K$, and then a suitable quaternion division algebra with center $K$.

2.1 $\mathcal{O}_K$ as an Orthonormal Lattice

We show here that $\mathcal{O}_K$ is an orthonormal lattice with respect to a suitable trace form. We constructed this lattice after studying the $k = 2$ case presented in [2]. The existence of this lattice was sketched independently by Eva Bayer-Fluckiger and Gabriele Nebe in [5, Prop. 4.3]. We provide expanded proofs and some combinatorial remarks.
Note that $\mathcal{O}_K = \mathbb{Z}[\theta]$ (see [9, Exer. 35, Chap. 2] for instance). We write $\theta_j$ ($j = 0, 1, \ldots$) for the element $\omega^j + \omega^{-j}$; in particular, $\theta_1 = \theta$ and $\theta_0 = 2$. Expanding each power $\theta^s$ binomially and collecting terms we find
$$\theta^s = \begin{cases} \displaystyle\sum_{j=0}^{\lfloor s/2 \rfloor} \binom{s}{j}\,\theta_{s-2j} & \text{if } s \text{ is odd,} \\[2ex] \displaystyle\sum_{j=0}^{(s/2)-1} \binom{s}{j}\,\theta_{s-2j} + \binom{s}{s/2} & \text{if } s \text{ is even.} \end{cases} \tag{4}$$
It is easy to see that the relations (4) can inductively be inverted to write each $\theta_s$ as a $\mathbb{Z}$-linear combination of the powers $\theta^j$. It follows that $1, \theta_1 = \theta, \theta_2, \ldots, \theta_{k-1}$ is also a $\mathbb{Z}$-basis for $\mathcal{O}_K$.
We start by proving a property of the trace of the elements of the form $\theta_j$.

Lemma 1. For $1 \le j < 2k$,
$$\mathrm{Tr}_{K/\mathbb{Q}}(\theta_j) = 0 \tag{5}$$
and for $1 \le i, j \le k-1$
$$\mathrm{Tr}_{K/\mathbb{Q}}(\theta_i\theta_j) = \begin{cases} 0 & \text{if } i \ne j \\ 2k & \text{if } i = j \end{cases} \tag{6}$$

Proof. First consider the case where $j$ is odd. Since $\omega$ raised to any odd power is also a primitive $2^n$-th root of unity, $\omega^j$ has minimal polynomial $x^k \pm \imath$ over $\mathbb{Q}(\imath)$, and consequently, $\omega^j$ has trace zero from $L$ to $\mathbb{Q}(\imath)$. The same reasoning holds for $\omega^{-j} = (\omega^{-1})^j$ since $\omega^{-1}$ is also a primitive $2^n$-th root of unity. It follows that $\mathrm{Tr}_{L/\mathbb{Q}(\imath)}(\theta_j) = 0$. Since $\mathrm{Tr}_{K/\mathbb{Q}}(\theta_j) = \mathrm{Tr}_{L/\mathbb{Q}(\imath)}(\theta_j)$, our result is proved when $j$ is odd. (Notice that these arguments for odd $j$ hold even if $j > 2k$.)

When $j$ is even, we first assume that $j < k$. (This case is vacuous if $n = 3$.) If $j = 2m$, we write $2m$ as $2^e a$ for some $e \ge 1$ and odd integer $a$. Then $\omega^j$ is a primitive $2^{n-e}$-th root of unity, and $[L : \mathbb{Q}(\omega^j)] = 2^e$. Since, by assumption, $e < n - 2$, $\mathbb{Q}(\omega^j)$ strictly contains $\mathbb{Q}(\imath)$. Now, $\mathrm{Tr}_{L/\mathbb{Q}(\imath)}(\omega^j) = \mathrm{Tr}_{\mathbb{Q}(\omega^j)/\mathbb{Q}(\imath)}\mathrm{Tr}_{L/\mathbb{Q}(\omega^j)}(\omega^j) = 2^e\,\mathrm{Tr}_{\mathbb{Q}(\omega^j)/\mathbb{Q}(\imath)}(\omega^j)$. Just as in the previous paragraph, $\mathrm{Tr}_{\mathbb{Q}(\omega^j)/\mathbb{Q}(\imath)}(\omega^j)$ is zero since the minimal polynomial of $\omega^j$ is $x^{2^{n-e-2}} \pm \imath$. Since similar arguments hold for $\omega^{-j}$, we find $\mathrm{Tr}_{L/\mathbb{Q}(\imath)}(\theta_j) = \mathrm{Tr}_{K/\mathbb{Q}}(\theta_j) = 0$.

Now assume $k \le j < 2k$. Note that $\omega^k = \imath$ and $\omega^{-k} = -\imath$. Thus, when $j = k$, $\mathrm{Tr}_{L/\mathbb{Q}(\imath)}(\theta_j) = \mathrm{Tr}_{K/\mathbb{Q}}(\theta_j) = \imath - \imath = 0$. For $j > k$, $\omega^j = \imath\,\omega^{j-k}$, and by the considerations of the previous paragraph, $\mathrm{Tr}_{L/\mathbb{Q}(\imath)}(\omega^j) = \imath\,\mathrm{Tr}_{L/\mathbb{Q}(\imath)}(\omega^{j-k}) = 0$. Similarly, $\mathrm{Tr}_{L/\mathbb{Q}(\imath)}(\omega^{-j}) = 0$, so once again, $\mathrm{Tr}_{L/\mathbb{Q}(\imath)}(\theta_j) = \mathrm{Tr}_{K/\mathbb{Q}}(\theta_j) = 0$.

For the second assertion, note that $\theta_i\theta_j = \theta_{i+j} + \theta_{j-i}$, where we can assume without loss of generality that $j - i \ge 0$. The result immediately follows from the calculations of $\mathrm{Tr}_{K/\mathbb{Q}}(\theta_j)$ above, noting that $i + j < 2k$, and $\theta_0 = 2$.

Corollary 1. For all $x$ in $\mathcal{O}_K = \mathbb{Z}[\theta]$, the expression $\mathrm{Tr}_{K/\mathbb{Q}}\big((1/k - \theta/2k)\,x\big)$ takes values in $\mathbb{Z}$.

Proof. Since the trace is $\mathbb{Z}$-bilinear, this assertion can be checked for $x$ coming from the basis $1, \theta_1 = \theta, \theta_2, \ldots, \theta_{k-1}$. For such $x$ the assertion is immediate from Lemma 1 above.

Write $\alpha$ for $1/k - \theta/2k$. Any element $\sigma \in \mathrm{Gal}(K/\mathbb{Q})$ sends $\theta$ to $\theta_r$ for some odd $r$, so $\sigma(\theta)/2$ is a real number strictly between $-1$ and $1$. Hence, $\alpha$ is totally positive, so as in Definition 1, we have the trace form $b_\alpha : \mathbb{Z}[\theta] \times \mathbb{Z}[\theta] \to \mathbb{Z}$ given by $b_\alpha(x, y) = \mathrm{Tr}_{K/\mathbb{Q}}\big((1/k - \theta/2k)\,xy\big)$.

We first calculate the value of this bilinear form on the basis elements $1, \theta_1 = \theta, \theta_2, \ldots, \theta_{k-1}$. (Note that this is really [5, Prop. 4.3], except that the authors in [5] work with the element $1/k + \theta/2k$.)

Lemma 2. For $1 \le i \le j \le k-1$, we have the formulas:
$$b_\alpha(1, 1) = 1 \tag{7}$$
$$b_\alpha(1, \theta_i) = \begin{cases} -1 & \text{if } i = 1 \\ 0 & \text{if } i > 1 \end{cases} \tag{8}$$
$$b_\alpha(\theta_i, \theta_j) = \begin{cases} 2 & \text{if } j = i \\ -1 & \text{if } j = i+1 \\ 0 & \text{if } j > i+1 \end{cases} \tag{9}$$

Proof. The first two formulas arise from a direct application of the formulas in Lemma 1. For the third, we compute: $b_\alpha(\theta_i, \theta_j) = \mathrm{Tr}_{K/\mathbb{Q}}\big((1/k - \theta/2k)\,\theta_i\theta_j\big) = (1/k)\,\mathrm{Tr}_{K/\mathbb{Q}}(\theta_i\theta_j) - (1/2k)\,\mathrm{Tr}_{K/\mathbb{Q}}(\theta\theta_i\theta_j)$. Now the formulas in Lemma 1 show that $(1/k)\,\mathrm{Tr}_{K/\mathbb{Q}}(\theta_i\theta_j)$ is zero except when $i = j$, in which case it is $2$. As for the term $\theta\theta_i\theta_j$, note that as in the proof of Lemma 1, $\theta\theta_i\theta_j = \theta_1(\theta_{i+j} + \theta_{j-i}) = \theta_{i+j+1} + \theta_{i+j-1} + \theta_{j-i+1} + \theta_{j-i-1}$. When $i = j$ and when $j > i+1$, Lemma 1 shows that $(1/2k)\,\mathrm{Tr}_{K/\mathbb{Q}}(\theta\theta_i\theta_j)$ is zero. When $j = i+1$ the term $\theta_{j-i-1} = 2$ contributes $-(1/2k)\cdot 2k$ to the trace. This establishes the formula. □


The lemma above immediately leads to the following (see the remark in [5] at the end of the proof of their Prop. 4.3):

Theorem 1. The vectors $w_0 = 1$, $w_1 = 1 + \theta_1$, $w_2 = 1 + \theta_1 + \theta_2$, $\ldots$, $w_{k-1} = 1 + \theta_1 + \theta_2 + \cdots + \theta_{k-1}$ form an orthonormal basis for $\mathcal{O}_K$ with respect to the trace form $b_\alpha(x, y)$ described above.

Proof. We prove this inductively. The assertion that $b_\alpha(w_0, w_0) = 1$ is just the first formula in Lemma 2 above. Now assume that we have proved that the vectors $w_0, \ldots, w_i$ are orthonormal. First, for a given $j < k$ and $l < k$, we expand $w_j$ as $1 + \theta_1 + \cdots + \theta_j$ and, using the bilinearity of $b_\alpha$, we see that $b_\alpha(w_j, \theta_l) = 0$ whenever $l > j+1$, and $b_\alpha(w_j, \theta_l) = -1$ if $l = j+1$. From this and the induction assumption, it follows that for $j \le i$, $b_\alpha(w_j, w_{i+1}) = b_\alpha(w_j, w_j) + b_\alpha(w_j, \theta_{j+1}) + \cdots + b_\alpha(w_j, \theta_{i+1}) = 1 - 1 = 0$. Also, $b_\alpha(w_{i+1}, w_{i+1}) = b_\alpha(w_i, w_i) + 2\,b_\alpha(w_i, \theta_{i+1}) + b_\alpha(\theta_{i+1}, \theta_{i+1}) = 1 - 2 + 2 = 1$. This proves the theorem. □


To compute the generator matrix for this lattice, note that the Galois group
Gal(K/Q) is generated by the action on K of σ : ω → ω r , where r is some
generator of the multiplicative group (Z/2n−1 Z)∗ . Thus, σ(θ1 ) = θr , σ(θ2 ) = θ2r ,
σ(1/k − θ1 /2k) = 1/k − θr /2k etc.
Some combinatorial remarks: There is a nice interplay between the two $\mathbb{Z}$-bases $1, \theta, \theta^2, \ldots, \theta^{k-1}$ (consisting of powers of $\theta$) and $1, \theta_1 = \theta, \theta_2, \ldots, \theta_{k-1}$, which leads to some interesting combinatorial considerations. For instance, we can compute the codifferent of $\mathcal{O}_K$ in terms of the two bases, and doing so, we are led to the Hankel transform of the binomial sequence $\binom{2n}{n}$: these have been studied by various authors ([12], [8], [15], for example) and is defined as the sequence $h_n$, $n = 1, 2, \cdots$, where $h_n$ is the determinant of the $n \times n$ matrix
$$\begin{pmatrix} \binom{0}{0} & \binom{2}{1} & \cdots & \binom{2(n-1)}{n-1} \\[1ex] \binom{2}{1} & \binom{4}{2} & \cdots & \binom{2n}{n} \\[1ex] \vdots & \vdots & \ddots & \vdots \\[1ex] \binom{2(n-1)}{n-1} & \binom{2n}{n} & \cdots & \binom{4(n-1)}{2(n-1)} \end{pmatrix}. \tag{10}$$
We will be exploring this connection in [14].


In a different direction, one can check that the vectors $w_i$ described in Theorem 1 above can be defined in terms of the powers $\theta^i$ by the following inductive scheme: $w_0 = 1$, $w_l = \sum_{s=0}^{l-1} a_s^{(l)} w_s + \theta^l$ for $l \ge 1$, where
$$a_s^{(l)} = \begin{cases} (-1)^{s+1}\dbinom{2t}{t - \lfloor \frac{s+1}{2} \rfloor}, & l = 2t; \\[2ex] (-1)^{s}\dbinom{2t+1}{t - \lfloor \frac{s}{2} \rfloor}, & l = 2t+1. \end{cases} \tag{11}$$
(Indeed, this is the form in which we originally discovered our lattice. The various expressions on the right side of the definition of the $a_s^{(l)}$ above are all the binomial coefficients of the form $\binom{l}{j}$, starting from the middle and working towards both ends, taking one alternately on each side.) Proving the orthonormality of the $w_i$ directly in this form without invoking Theorem 1 above leads to the following interesting combinatorial identities:
$$1 + \sum_{s=0}^{l} \big(a_s^{(l+1)}\big)^2 = \binom{2l+2}{l+1},$$
and, for $j > i$,
$$\sum_{s=0}^{i-1} a_s^{(i)} a_s^{(j)} - a_i^{(j)} = \begin{cases} -\dbinom{i+j}{(i+j+1)/2 - 1} & \text{if } i+j \text{ is odd,} \\[2ex] \dbinom{i+j}{(i+j)/2} & \text{if } i+j \text{ is even.} \end{cases} \tag{12}$$
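A numerical check of Lemma 1, Lemma 2, Theorem 1, the generator matrix (3) for the basis w_i, and the scheme (11) with the identities (12), as an added example that is not part of the paper: the k real embeddings of K are evaluated in floating point (θ_j ↦ 2cos(2πrj/2^n) for odd r < 2^{n-1}), traces are taken as sums over embeddings and rounded, and the binomial identities are checked exactly. The choice of n, the tolerances and all function names are mine.

```python
import math

# Added example (not from the paper): floating-point verification of Lemma 1,
# Lemma 2, Theorem 1 and the scheme (11)/(12) for K = Q(theta), where
# theta = omega + omega^-1, omega = exp(2 pi i / 2^n) and k = 2^(n-2).
# Integer-valued traces are rounded; n and the tolerances are my own choices.

def embeddings(n):
    """The k = 2^(n-2) real embeddings of K as maps j -> sigma_r(theta_j) = 2cos(2 pi r j / 2^n);
    distinct embeddings correspond to odd r with 1 <= r < 2^(n-1)."""
    N = 1 << n
    return [(lambda j, r=r: 2.0 * math.cos(2.0 * math.pi * r * j / N)) for r in range(1, N // 2, 2)]

def theta_j(n, j):
    """Images of theta_j = omega^j + omega^-j under all embeddings (so theta_0 = 2)."""
    return [sig(j) for sig in embeddings(n)]

def one(n):
    return [1.0] * (1 << (n - 2))

def combine(*terms):
    """Pointwise sum of (coefficient, embedded element) pairs."""
    return [sum(c * v[i] for c, v in terms) for i in range(len(terms[0][1]))]

def mul(u, v):
    return [a * b for a, b in zip(u, v)]

def trace(u):
    """Tr_{K/Q} is the sum over the real embeddings; rounded to the nearest integer."""
    return round(sum(u))

def lemma_1_holds(n):
    k = 1 << (n - 2)
    return (all(trace(theta_j(n, j)) == 0 for j in range(1, 2 * k))
            and all(trace(mul(theta_j(n, i), theta_j(n, j))) == (2 * k if i == j else 0)
                    for i in range(1, k) for j in range(1, k)))

def alpha(n):
    """alpha = 1/k - theta/2k embedded; totally positive because |sigma(theta)| < 2."""
    k = 1 << (n - 2)
    return [1.0 / k - t / (2.0 * k) for t in theta_j(n, 1)]

def b_alpha(n, u, v):
    """The trace form b_alpha(u, v) = Tr(alpha u v)."""
    return trace(mul(alpha(n), mul(u, v)))

def lemma_2_holds(n):
    k = 1 << (n - 2)
    return (b_alpha(n, one(n), one(n)) == 1
            and all(b_alpha(n, one(n), theta_j(n, i)) == (-1 if i == 1 else 0) for i in range(1, k))
            and all(b_alpha(n, theta_j(n, i), theta_j(n, j)) == {0: 2, 1: -1}.get(j - i, 0)
                    for i in range(1, k) for j in range(i, k)))

def w(n, i):
    """w_i = 1 + theta_1 + ... + theta_i, embedded."""
    return combine((1.0, one(n)), *[(1.0, theta_j(n, j)) for j in range(1, i + 1)])

def generator_matrix(n):
    """Rows f(w_i) = (sqrt(alpha_r) sigma_r(w_i))_r: the matrix G of (3) for the basis of Theorem 1."""
    sq = [math.sqrt(a) for a in alpha(n)]
    return [[s * x for s, x in zip(sq, w(n, i))] for i in range(1 << (n - 2))]

def is_orthonormal(n, tol=1e-9):
    """Theorem 1: G G^T is the identity matrix."""
    G = generator_matrix(n)
    return all(abs(sum(mul(G[i], G[j])) - (1.0 if i == j else 0.0)) < tol
               for i in range(len(G)) for j in range(len(G)))

def a_coeff(l, s):
    """a_s^(l) from the inductive scheme (11)."""
    t = l // 2
    if l % 2 == 0:
        return (-1) ** (s + 1) * math.comb(2 * t, t - (s + 1) // 2)
    return (-1) ** s * math.comb(2 * t + 1, t - s // 2)

def scheme_11_holds(n, tol=1e-6):
    """w_l = sum_{s<l} a_s^(l) w_s + theta^l for 1 <= l <= k-1, compared in every embedding."""
    th = theta_j(n, 1)
    for l in range(1, 1 << (n - 2)):
        rhs = combine(*[(a_coeff(l, s), w(n, s)) for s in range(l)], (1.0, [x ** l for x in th]))
        if any(abs(p - q) > tol for p, q in zip(w(n, l), rhs)):
            return False
    return True

def identities_12_hold(lmax=6):
    """The two binomial identities (12), checked exactly in integer arithmetic."""
    first = all(1 + sum(a_coeff(l + 1, s) ** 2 for s in range(l + 1)) == math.comb(2 * l + 2, l + 1)
                for l in range(lmax))
    second = True
    for i in range(1, lmax):
        for j in range(i + 1, lmax + 1):
            m = i + j
            expected = -math.comb(m, (m + 1) // 2 - 1) if m % 2 else math.comb(m, m // 2)
            second = second and sum(a_coeff(i, s) * a_coeff(j, s) for s in range(i)) - a_coeff(j, i) == expected
    return first and second

if __name__ == "__main__":
    for n in (4, 5, 6):
        print(n, lemma_1_holds(n), lemma_2_holds(n), is_orthonormal(n), scheme_11_holds(n))
    print(identities_12_hold())
```

Because Tr_{K/Q} is the sum over the real embeddings, b_α(u, v) is computed as Σ_r α_r σ_r(u) σ_r(v), which is exactly the dot product of the corresponding rows of G; the rounding only removes floating-point noise from values that Lemma 1 and Corollary 1 guarantee are integers.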

2.2 A Quaternion Division Algebra over $K$

We now need to build a suitable quaternion division algebra $\mathcal{A} = (5, \gamma)$ on $K$ (see (1)). We will prove in this subsection the following result:

Theorem 2. The algebra $\mathcal{A} = (5, 2 - \theta)$ defined over $K$ is a division algebra.

Proof. We need to show that $2 - \theta$ is not a norm from $K(\sqrt{5})$ to $K$. Observe that $2 - \theta = (1 - \omega)(1 - \omega^{-1})$. It is a standard fact that there is a unique prime ideal $\tilde{P}$ in $\mathcal{O}_L$ that lies over $2$, that it has ramification index $e = [L : \mathbb{Q}] = 2^{n-1}$ and inertial degree $f = 1$, and that it is generated by both $1 - \omega$ and $1 - \omega^{-1}$ (see for instance [9, Chap 3, Theo. 26]; note that $\omega^{-1}$ is also a primitive $2^n$-th root of unity). It follows that there is a unique prime ideal lying over $2$ in $\mathcal{O}_K$, call it $P$, and that $P\mathcal{O}_L = \tilde{P}^2$. But $\tilde{P}^2 = (1 - \omega)\mathcal{O}_L\,(1 - \omega^{-1})\mathcal{O}_L = (2 - \theta)\mathcal{O}_L$. Since $2 - \theta$ is already in $\mathcal{O}_K$, it follows that $P = \tilde{P}^2 \cap \mathcal{O}_K = (2 - \theta)\mathcal{O}_K$.

Now we consider how $P$ extends to $K(\sqrt{5})$. To do this, note that the prime $2$ of $\mathbb{Z}$ stays prime in the field $\mathbb{Q}(\sqrt{5})$ (see [9, Chap. 3, Theo. 25] for instance). Call this prime of $\mathcal{O}_{\mathbb{Q}(\sqrt{5})}$ $P'$, so $e(P'|2\mathbb{Z}) = 1$ and $f(P'|2\mathbb{Z}) = 2$. Now if $Q$ is any prime of $\mathcal{O}_{K(\sqrt{5})}$ lying over $P$, then $e(Q|2\mathbb{Z}) = e(Q|P)\,e(P|2\mathbb{Z}) \ge e(P|2\mathbb{Z}) = k$, and $f(Q|2\mathbb{Z}) = f(Q|P')\,f(P'|2\mathbb{Z}) \ge f(P'|2\mathbb{Z}) = 2$. Since $k \cdot 2$ already equals $[K(\sqrt{5}) : \mathbb{Q}]$, we find that $Q$ is the unique prime in $K(\sqrt{5})$ lying over $2$ and that $e(Q|2\mathbb{Z}) = k$ and $f(Q|2\mathbb{Z}) = 2$. In particular, this means that $Q$ is the unique prime of $\mathcal{O}_K$ lying over $P$, and that $e(Q|P) = 1$ and $f(Q|P) = 2$.

Now assume that $2 - \theta = N(x)$ for some $x \in K(\sqrt{5})$, where we have written $N$ for the norm from $K(\sqrt{5})$ to $K$. Further writing $x = y/z$ for $y$ and $z$ in $\mathcal{O}_{K(\sqrt{5})}$, we find $N(z)(2 - \theta) = N(y)$. Assume that the ideal $y\mathcal{O}_{K(\sqrt{5})}$ has the factorization $Q^{l} \cdot Q_1^{l_1} \cdots Q_r^{l_r}$ where the $Q_i$ are primes other than $Q$ and $l$ and the $l_i$ are nonnegative integers. Assume similarly that $z\mathcal{O}_{K(\sqrt{5})}$ has the factorization $Q^{l'} \cdot (Q_1')^{l_1'} \cdots (Q_r')^{l_r'}$. Then the ideal $N(y)\mathcal{O}_K$ in $\mathcal{O}_K$ has the factorization $P^{2l} \cdot P_1^{f_1 l_1} \cdots P_r^{f_r l_r}$, where the $f_i$ are the inertial degrees of the primes $Q_i$, and $P_i = Q_i \cap \mathcal{O}_K$. (This follows, for instance, from [9, Chap 3, Exer. 14]; note that we have used the fact that $f(Q|P) = 2$.) Similarly, $N(z)\mathcal{O}_K$ in $\mathcal{O}_K$ has the factorization $P^{2l'} \cdot (P_1')^{f_1' l_1'} \cdots (P_r')^{f_r' l_r'}$. But then, since the ideal $(2 - \theta)\mathcal{O}_K$ is just $P$, we find that the powers of $P$ in the associated factorization of ideals $N(y)\mathcal{O}_K = P\,N(z)\mathcal{O}_K$ do not match up, a contradiction. Hence, $(5, 2 - \theta)$ is a division algebra over $K$.

3 Totally Real Fields of Odd Degree

3.1 An Orthonormal Lattice in O_K

An example of an orthonormal lattice in totally real number fields K of degree
p an odd prime was given by Erez ([7]). It was later pointed out in [6] that Erez'
construction works, without any modification, for any odd degree k. We quote
the construction from [6] with minor changes in notation:

– Pick a (guaranteed to exist) odd prime p ≡ 1 (mod k).
– Set ω = ω_p = e^{2πı/p} and let σ denote the generator of the cyclic Galois group
  Gal(Q(ω)/Q).
– Find a primitive element r of the multiplicative group (Z/pZ)^∗.
– For m = (p − 1)/2, create α = ∏_{j=0}^{m−1} (1 − ω^{r^j}).
– Find a (guaranteed to exist) λ such that λ(r − 1) ≡ 1 (mod p) and let
  z = ω^λ α(1 − ω).
– For σ(ω) = ω^r, let x = ∑_{j=1}^{(p−1)/k} σ^{jk}(z).

The element x is hence in the field K, the subfield of Q(ω) fixed by σ^k, of degree
k over Q. Then the matrix G given below is unitary:

$$
G = \frac{1}{p}
\begin{pmatrix}
x & \sigma(x) & \cdots & \sigma^{k-2}(x) & \sigma^{k-1}(x) \\
\sigma(x) & \sigma^{2}(x) & \cdots & \sigma^{k-1}(x) & x \\
\sigma^{2}(x) & \sigma^{3}(x) & \cdots & x & \sigma(x) \\
\vdots & & & & \vdots \\
\sigma^{k-1}(x) & x & \cdots & \sigma^{k-3}(x) & \sigma^{k-2}(x)
\end{pmatrix}. \qquad (13)
$$

Note that since k divides m as well, any element fixed by σ^k is also fixed by
σ^m. Thus, K is contained in the fixed field of σ^m, which is the totally real field
Q(ω + ω^{−1}). K is hence totally real. Also, note that since z is integral over Q,
the element x is in O_K. The fact that the matrix above is unitary says that the
elements x, σ(x), . . . , σ^{k−1}(x) form an orthonormal basis for M with respect to
the trace form b_γ : M × M → Z given by b_γ(s, t) = Tr_{K/Q}(γst), where γ = 1/p^2
(see the matrix G in the remark following Definition 1).

Remark: For the field K = Q(ω + ω^{−1}), where ω is a primitive p^n-th root of
unity, and p is an odd prime, it would be interesting to see if, just as for p = 2
in Subsection 2.1, there exists a suitable trace form for which O_K turns out
to be an orthonormal lattice. Such a trace form is known to exist if n = 1
[4], but this construction does not hold for n ≥ 2. The existence of such trace
forms for general p and n is open as far as we know. For the special case of
K = Q(ω_9 + ω_9^{−1}), where we have written ω_9 for e^{2πı/9}, one can check that the
vectors −(1 − θ)θ, −θ, −1 + θ (where θ = ω_9 + ω_9^{−1}) form an orthonormal basis
for O_K with respect to the trace form b_α(x, y) = Tr_K(αxy), where α is the
(totally positive) element (16 − θ − 5θ^2)/9.
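As an added numerical check of the construction just quoted (example code written for this page, not taken from the paper or its authors): the six steps are carried out for p = 7, k = 3 in floating point, σ^i is applied by substituting ω → ω^{r^i} in the expression for z, and the rows of the matrix (13) are tested for orthonormality, which is the statement that x, σ(x), σ^2(x) are orthonormal for b_γ with γ = 1/p^2. Two choices are assumptions of this example and not prescribed by the text: r is taken as the smallest primitive root mod p and λ as the inverse of r − 1 mod p. The function accepts any other admissible pair (p, k) in the same way.

```python
"""Numerical check of the orthonormal basis of Section 3.1 (added example, not from the paper)."""
import cmath
import math


def is_prime(p):
    return p > 1 and all(p % d for d in range(2, math.isqrt(p) + 1))


def primitive_root(p):
    """Smallest generator r of the cyclic group (Z/pZ)^* (assumption: any generator would do)."""
    for r in range(2, p):
        if len({pow(r, e, p) for e in range(1, p)}) == p - 1:
            return r
    raise ValueError("no primitive root: p must be prime")


def galois_conjugates_of_x(p, k):
    """Return [x, σ(x), ..., σ^{k-1}(x)] as complex floats, following the steps of Section 3.1.

    σ acts on Q(ω) by ω -> ω^r, so σ^i(f(ω)) = f(ω^{r^i}) for any polynomial expression f in ω;
    z is such an expression, so σ^i(z) is obtained by evaluating it at ω^{r^i}.
    """
    assert is_prime(p) and k % 2 == 1 and (p - 1) % k == 0, "need odd k and a prime p ≡ 1 (mod k)"
    r = primitive_root(p)
    m = (p - 1) // 2
    lam = pow(r - 1, -1, p)                      # λ(r - 1) ≡ 1 (mod p)
    omega = cmath.exp(2j * math.pi / p)

    def z_at(w):
        # z = ω^λ · α · (1 - ω) with α = ∏_{j=0}^{m-1} (1 - ω^{r^j}), evaluated at ω = w
        alpha = 1
        for j in range(m):
            alpha *= 1 - w ** pow(r, j, p)
        return w ** lam * alpha * (1 - w)

    def sigma_power_x(i):
        # σ^i(x) = Σ_{j=1}^{(p-1)/k} σ^{jk+i}(z); the sum over j is Tr_{Q(ω)/K}, so the value lies in K
        return sum(z_at(omega ** pow(r, j * k + i, p)) for j in range(1, (p - 1) // k + 1))

    return [sigma_power_x(i) for i in range(k)]


def generator_matrix(p, k):
    """The k×k matrix G of (13): entry (i, j) is σ^{(i+j) mod k}(x) / p (real up to rounding)."""
    xs = galois_conjugates_of_x(p, k)
    return [[xs[(i + j) % k].real / p for j in range(k)] for i in range(k)]


def orthogonality_defect(p, k):
    """max |(G G^T - I)_{ij}|: a value at rounding level means the rows of G are orthonormal,
    i.e. Tr_{K/Q}(x σ^j(x)) / p^2 = δ_{j,0}, which is the orthonormality of x, ..., σ^{k-1}(x)."""
    G = generator_matrix(p, k)
    return max(abs(sum(G[i][t] * G[j][t] for t in range(k)) - (i == j))
               for i in range(k) for j in range(k))


def max_imaginary_part(p, k):
    """Sanity check that every σ^i(x) is real, as it must be since K is totally real."""
    return max(abs(v.imag) for v in galois_conjugates_of_x(p, k))


if __name__ == "__main__":
    xs = galois_conjugates_of_x(7, 3)
    print("x, σ(x), σ²(x) for p = 7, k = 3:", [round(v.real, 6) for v in xs])
    print("Tr_{K/Q}(x^2) =", round(sum(v.real ** 2 for v in xs), 6), "(expected p^2 = 49)")
    print("orthogonality defect of G:", orthogonality_defect(7, 3))
```

For p = 7, k = 3 the three conjugates come out as 2√7 sin(2π/7), −2√7 sin(π/7) and 2√7 sin(3π/7), whose squares sum to 49 = p^2 and whose pairwise trace pairings vanish, which is exactly the unitarity of G claimed in (13).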

3.2 A Quaternion Division Algebra over K

To construct a quaternion division algebra A = (5, γ) over K (as described in
(1)), it is sufficient to take a quaternion division algebra over Q and consider it
as an algebra over K: this follows from the result that if D is a division algebra
of index m over a field F and if L/F is a field extension of degree n relatively
prime to m, then D ⊗_F L remains a division algebra ([11, Chap. 13, §4, Prop.]).
For this, note, for example, that (5, 2) is a division algebra over Q. For, if 2 is
the norm from Q(√5) to Q of an element x = (a + b√5)/m, where a, b, and m
are integers, then we find 2m^2 = a^2 − 5b^2. If m is divisible by 5, so must a be, and
then so must b. Hence, we can repeatedly cancel 5^2 from both sides until m is
not divisible by 5. Now reducing mod 5 and noting m is not zero mod 5, we find
2 = (a/m)^2. But this is a contradiction as 2 is not a square mod 5. Hence, we
may use (5, 2) as our quaternion division algebra over K.

4 Totally Real Fields of Arbitrary Degree

Finally, to construct lattices and quaternion division algebras over totally real
number fields of arbitrary degree, we just have to combine the constructions
in the previous two sections. Given an arbitrary positive integer k ≥ 2, write
k = 2^m k′, where k′ is odd. We may assume that m ≥ 1 and k′ ≥ 3, else we are in
the situation of the previous sections. Write K_e for the field obtained in Section
2 of degree 2^m over Q. Write M_e for the lattice obtained in that same section, b_{α_e}
for its bilinear form, and G_e for the generator matrix that defines its isometric
embedding in R^{2^m}. Similarly, write K_o for the field obtained in Section 3 of degree
k′, M_o for the lattice obtained in that section, b_{α_o} for its bilinear form, and G_o
for the generator matrix that defines its isometric embedding in R^{k′}. Then, since
the degrees of K_e and K_o are relatively prime, the compositum K = K_e K_o has
degree k = 2^m k′ over Q. It is totally real since both K_e and K_o are totally real.
(In fact, K is Galois over Q with Galois group Gal(K_e/Q) × Gal(K_o/Q).)

If {c_i} (c_i ∈ K_e) is an orthonormal basis for M_e, and if {d_j} (d_j ∈ K_o) is
an orthonormal basis for M_o, it is easy to see that the set {c_i d_j} is Z-linearly
independent, and hence generates a free submodule N of O_K. We have the
bilinear form b_{α_e α_o}, defined on the basis by

$$
\begin{aligned}
b_{\alpha_e\alpha_o}(c_i d_j, c_s d_t)
&= \mathrm{Tr}_{K/\mathbb{Q}}(\alpha_e \alpha_o c_i d_j c_s d_t)
 = \mathrm{Tr}_{K_e/\mathbb{Q}}\bigl(\mathrm{Tr}_{K/K_e}(\alpha_e \alpha_o c_i d_j c_s d_t)\bigr) \\
&= \mathrm{Tr}_{K_e/\mathbb{Q}}\bigl(\alpha_e c_i c_s \,\mathrm{Tr}_{K/K_e}(\alpha_o d_j d_t)\bigr)
 = \mathrm{Tr}_{K_e/\mathbb{Q}}\bigl(\alpha_e c_i c_s \,\mathrm{Tr}_{K_o/\mathbb{Q}}(\alpha_o d_j d_t)\bigr) \\
&= \mathrm{Tr}_{K_e/\mathbb{Q}}(\alpha_e c_i c_s)\,\mathrm{Tr}_{K_o/\mathbb{Q}}(\alpha_o d_j d_t)
 = b_e(c_i, c_s)\, b_o(d_j, d_t).
\end{aligned}
$$

The basis {c_i d_j} is orthonormal: b_{α_e α_o}(c_i d_j, c_s d_t) = δ_{(i,j),(s,t)}. Since Gal(K/Q) ≅
Gal(K_e/Q) × Gal(K_o/Q), we may write every element φ ∈ Gal(K/Q) as a
product στ of elements σ ∈ Gal(K_e/Q) and τ ∈ Gal(K_o/Q). Hence, φ(α_e α_o) =
σ(α_e)τ(α_o), φ(c_i d_j) = σ(c_i)τ(d_j), etc. Using this, it is easy to see that the
orthonormal trace lattice (N, b_{α_e α_o}) embeds isometrically into R^k via the Kronecker
product of the matrices G_e and G_o.

To obtain a quaternion division algebra over K, we simply consider the quaternion
division algebra A obtained over K_e in Section 2 as an algebra over K. Since
K is of odd degree over K_e, A ⊗_{K_e} K remains a division algebra by ([11, Chap.
13, §4, Prop.]).

References

1. Azarian, K., El Gamal, H., Schniter, P.: On the Achievable Diversity-Multiplexing Tradeoff in Half-Duplex Cooperative Channels. IEEE Trans. Inform. Theory 51(12), 4152–4172 (2005)
2. Abou-Rjeily, C., Daniele, N., Belfiore, J.-C.: Distributed Algebraic Space Time Codes for Ultra Wideband Communications. Kluwer Journal, Special Issue on Cooperative Diversity (2006)
3. Bayer-Fluckiger, E.: Lattices and Number Fields. Contemporary Mathematics 241, 69–84 (1999)
4. Bayer, E., Oggier, F., Viterbo, E.: New Algebraic Constructions of Rotated Z^n Lattice Constellations for the Rayleigh Fading Channel. IEEE Trans. Inform. Theory 50(4), 702–714 (2004)
5. Bayer-Fluckiger, E., Nebe, G.: On the Euclidean Minimum of Some Real Number Fields. J. Théo. Nombres Bordeaux 17, 437–454 (2005)
6. Elia, P., Sethuraman, B.A., Kumar, P.V.: Perfect Space-Time Codes with Minimum and Non-Minimum Delay for Any Number of Antennas. IEEE Trans. Inform. Theory (to appear)
7. Erez, B.: The Galois Structure of the Trace Form in Extensions of Odd Prime Degree. J. of Algebra 118, 438–446 (1988)
8. Layman, J.W.: The Hankel Transform and Some of Its Properties. J. Integer Sequences 4, Article 01.1.5 (2001)
9. Marcus, D.A.: Number Fields. Universitext. Springer, NY (1977)
10. Oggier, F.E., Rekaya, G., Belfiore, J.-C., Viterbo, E.: Perfect Space-Time Block Codes. IEEE Trans. Inform. Theory 52(9), 3885–3902 (2006)
11. Pierce, R.S.: Associative Algebras. GTM 88. Springer, NY (1982)
12. Radoux, C.: Calcul effectif de certains déterminants de Hankel. Bull. Soc. Math. Belg. 31(1), 49–55 (1979)
13. Sethuraman, B.A., Rajan, B.S., Shashidhar, V.: Full-Diversity, High-Rate Space-Time Block Codes from Division Algebras. IEEE Trans. Inform. Theory 49, 2596–2616 (2003)
14. Sethuraman, B.A., Oggier, F.E.: The Hankel Transform of the Central Binomial Coefficients and Orthonormal Lattices in Cyclotomic Fields (in preparation)
15. Spivey, M.Z., Steil, L.L.: The k-Binomial Transform and the Hankel Transform. J. Integer Sequences 9, Article 06.1.1 (2006)
16. Yang, S., Belfiore, J.-C.: Optimal Space-Time Codes for the MIMO Amplify-and-Forward Cooperative Channel. IEEE Trans. Inform. Theory 53(2), 647–663 (2007)
Quaternary Plotkin Constructions and
Quaternary Reed-Muller Codes

J. Pujol^1, J. Rifà^1, and F.I. Solov'eva^2

^1 Department of Information and Communications Engineering,
Universitat Autònoma de Barcelona, 08193-Bellaterra, Spain
^2 Sobolev Institute of Mathematics,
Novosibirsk State University, Novosibirsk, Russia

Abstract. New quaternary Plotkin constructions are given and are used
to obtain new families of quaternary codes. The parameters of the obtained
codes, such as the length, the dimension and the minimum distance,
are studied. Using these constructions new families of quaternary
Reed-Muller codes are built with the peculiarity that after using the
Gray map the obtained Z_4-linear codes have the same parameters as the
codes in the classical binary linear Reed-Muller family.

Keywords: Quaternary codes, Plotkin constructions, Reed-Muller codes,
Z_4-linear codes.

1 Introduction

In [13] Nechaev introduced the concept of Z_4-linearity of binary codes and later
Hammons, Kumar, Calderbank, Sloane and Solé, see [7], showed that several
families of binary codes are Z_4-linear. In [7] it is proved that the binary linear
Reed-Muller code RM(r, m) is Z_4-linear for r = 0, 1, 2, m − 1, m and is not
Z_4-linear for r = m − 2 (m ≥ 5). In a subsequent work, Hou, Lahtonen and
Koponen [8] proved that RM(r, m) is not Z_4-linear for 3 ≤ r ≤ m − 2.

In [7] a construction of Reed-Muller codes, QRM(r, m), based on Z_4-linear
codes is introduced such that, after reduction modulo two, we obtain the usual binary
linear Reed-Muller (RM) codes. In [2,3] this family of codes is studied and its
parameters are computed, as well as the dimension of the kernel and the rank. In [15]
a kind of Plotkin construction was used to build a family of additive Reed-Muller
codes, and in [17] the Plotkin construction was also utilized to obtain
a sequence of quaternary linear Reed-Muller-like codes. In both of the constructions
just quoted, the images of the obtained codes under the Gray map are binary
codes with the same parameters as the classical binary linear RM codes.

On the other hand, in [9,10] all the non-equivalent Z_4-linear extended
1-perfect codes and their duals, the Z_4-linear Hadamard codes, are classified.
It is a natural question to ask if there exist families of quaternary linear
codes such that, after the Gray map, the corresponding Z_4-linear codes have
the same parameters as the well known family of binary linear RM codes. In
these new families, as in the usual RM(r, m) family, the code with parameters
(r, m) = (1, m) should be a Hadamard code and the code with parameters
(r, m) = (m − 2, m) should be an extended 1-perfect code.

It is well known that an easy way to build the RM family of codes is by using
the Plotkin construction (see [12]). So, it seems a good subject of study to try
to generalize the Plotkin construction to quaternary codes and to obtain
new families of codes which contain the above mentioned Z_4-linear Hadamard
codes and Z_4-linear extended 1-perfect codes and fulfil the same properties (from
the point of view of parameters) as the binary RM family.

The present paper is organized as follows. In Section 2 we introduce the concept
of quaternary code and give some constructions that can be seen as quaternary
generalizations of the well known binary Plotkin construction. In Section 3
we construct several families of Z_4-linear RM codes and prove that they have
similar parameters to the classical RM codes but are not linear. Finally, in
Section 4 we give some conclusions and further research on the same topic. The
family of codes presented in the paper contains codes from [17].

This work has been partially supported by the Spanish MEC and the European
FEDER Grant MTM2006-03250 and also by the UAB grant PNL2006-13.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 148–157, 2007.
© Springer-Verlag Berlin Heidelberg 2007

2 Constructions of Quaternary Codes

2.1 Quaternary Codes

Let Z_2 and Z_4 be the rings of integers modulo two and modulo four, respectively.
Let Z_2^n be the set of all binary vectors of length n and Z_4^N be the set of all
quaternary vectors of length N. Any non-empty subset C of Z_2^n is a binary
code and a subgroup of Z_2^n is called a binary linear code or a Z_2-linear code.
Equivalently, any non-empty subset 𝒞 of Z_4^N is a quaternary code and a subgroup
of Z_4^N is called a quaternary linear code. In general, any non-empty subgroup 𝒞
of Z_2^α × Z_4^β is an additive code.

The Hamming weight w(v) of a vector v in Z_2^n is the number of its nonzero
coordinates. The Hamming distance d(u, v) between two vectors u, v ∈ Z_2^n is
d(u, v) = w(u − v). For quaternary codes it is more interesting to use the Lee
metric (see [11]). In Z_2 the Lee weight coincides with the Hamming weight, but
in Z_4 the Lee weight of the elements is w_L(0) = 0, w_L(1) = w_L(3) = 1, and
w_L(2) = 2. The Lee weight w_L(v) of a vector v in Z_4^N is the sum of the
Lee weights of all its coordinates. The Lee distance d_L(u, v) between two vectors
u, v ∈ Z_4^N is d_L(u, v) = w_L(u − v).

Let 𝒞 be an additive code, so a subgroup of Z_2^α × Z_4^β, and let C = Φ(𝒞), where
Φ : Z_2^α × Z_4^β −→ Z_2^n, n = α + 2β, is given by Φ(x, y) = (x, φ(y)) for any x
from Z_2^α and any y from Z_4^β, where φ : Z_4^β −→ Z_2^{2β} is the usual Gray map,
so φ(y_1, . . . , y_β) = (ϕ(y_1), . . . , ϕ(y_β)), and ϕ(0) = (0, 0), ϕ(1) = (0, 1), ϕ(2) =
(1, 1), ϕ(3) = (1, 0). Hamming and Lee weights, as well as Hamming and Lee
distances, can be generalized, in a natural way, to vectors in Z_2^α × Z_4^β by adding
the corresponding weights (or distances) of the Z_2^α part and the Z_4^β part.

Since 𝒞 is a subgroup of Z_2^α × Z_4^β, it is also isomorphic to an abelian structure
like Z_2^γ × Z_4^δ. Therefore, we have that |𝒞| = 2^γ 4^δ and the number of order two
codewords in 𝒞 is 2^{γ+δ}. We call such a code 𝒞 an additive code of type (α, β; γ, δ)
and the binary image C = Φ(𝒞) a Z_2Z_4-linear code of type (α, β; γ, δ). In the
specific case α = 0 the code 𝒞 is quaternary linear and the code C is called
a Z_4-linear code. Note that the binary length of the binary code C = Φ(𝒞) is
n = α + 2β.
The minimum Hamming distance d of a Z_2Z_4-linear code C is the minimum
value of d(u, v), where u, v ∈ C and u ≠ v. Notice that the Hamming distance of a
Z_2Z_4-linear code C coincides with the Lee distance defined for the additive code
𝒞 = Φ^{−1}(C). From now on, when we work with distances it must be understood
that we are working with Hamming distances in the case of binary codes or Lee
distances in the additive case.

Although 𝒞 might not have a basis, it is important and appropriate to define
a generator matrix for 𝒞 as:

$$
\mathcal{G} = \begin{pmatrix} B_2 & Q_2 \\ B_1 & Q_1 \end{pmatrix},
$$

where B_2 is a γ × α matrix; Q_2 is a γ × β matrix; B_1 is a δ × α matrix and Q_1 is
a δ × β matrix. Matrices B_1, B_2 are binary and Q_1, Q_2 are quaternary, but the
entries in Q_2 are only zeroes or twos.

Two additive codes 𝒞_1 and 𝒞_2, both of the same length, are said to be monomially
equivalent if one can be obtained from the other by permuting the coordinates
and changing the signs of certain coordinates. Additive codes which differ only
by a permutation of coordinates are said to be permutationally equivalent.

We will use the following definition (see [16]) of the inner product in Z_2^α × Z_4^β:

$$
\langle u, v \rangle = 2\Bigl(\sum_{i=1}^{\alpha} u_i v_i\Bigr) + \sum_{j=\alpha+1}^{\alpha+\beta} u_j v_j \in \mathbb{Z}_4, \qquad (1)
$$

where u, v ∈ Z_2^α × Z_4^β. Note that when α = 0 the inner product is the usual one
for vectors over Z_4 and when β = 0 it is twice the usual one for binary vectors.
The additive dual code of 𝒞, denoted by 𝒞^⊥, is defined in the standard way

$$
\mathcal{C}^{\perp} = \{\, u \in \mathbb{Z}_2^{\alpha} \times \mathbb{Z}_4^{\beta} \mid \langle u, v \rangle = 0 \text{ for all } v \in \mathcal{C} \,\}.
$$

The corresponding binary code Φ(𝒞^⊥) is denoted by C_⊥ and called the Z_2Z_4-dual
code of C. In the case α = 0, 𝒞^⊥ is also called the quaternary dual code of
𝒞 and C_⊥ the Z_4-dual code of C.

The additive dual code 𝒞^⊥ is also an additive code, that is, a subgroup of
Z_2^α × Z_4^β. Its weight enumerator polynomial is related to the weight enumerator
polynomial of 𝒞 by the MacWilliams identity (see [6]). Notice that C and C_⊥
are not dual in the binary linear sense, but the weight enumerator polynomial of
C_⊥ is the MacWilliams transform of the weight enumerator polynomial of C.

Given an additive code 𝒞, the values of the parameters of the additive dual code
are well known (see [4] for additive codes with α ≠ 0 and [7] for additive
codes with α = 0).

From now on we focus our attention specifically on additive codes with α = 0,
so quaternary linear codes such that, after the Gray map, they give rise to Z_4-
linear codes. Given a quaternary linear code of type (0, β; γ, δ) we will write
(N; γ, δ) to say that α = 0 and β = N.

2.2 Plotkin Construction

In this section we show that the well known Plotkin construction can be generalized
to quaternary codes. Let 𝒜 and ℬ be any two quaternary linear codes of
types (N; γ_A, δ_A) and (N; γ_B, δ_B) and minimum distances d_A, d_B respectively.

Definition 1 (Plotkin Construction). Given the quaternary linear codes 𝒜
and ℬ, we define a new quaternary linear code as

𝒞_{2N} = {(u | u + v) : u ∈ 𝒜, v ∈ ℬ}.

It is easy to see that if G_A and G_B are the generator matrices of 𝒜 and ℬ then
the matrix

$$
G_P = \begin{pmatrix} G_A & G_A \\ 0 & G_B \end{pmatrix}
$$

is the generator matrix of the code 𝒞_{2N}.

Proposition 1. The quaternary code 𝒞_{2N} defined above is a quaternary linear
code of type (2N; γ, δ) where γ = γ_A + γ_B, δ = δ_A + δ_B, binary length n = 4N,
size 2^{γ+2δ} and minimum distance d = min{2d_A, d_B}.

2.3 BQ-Plotkin Construction

Applying two Plotkin constructions, one after another, but slightly changing
the submatrices in the generator matrix, we obtain a new construction with
interesting properties regarding the minimum distance of the generated code.
We call this new construction the BQ-Plotkin construction.

Let 𝒜, ℬ and 𝒞 be any three quaternary linear codes of types (N; γ_A, δ_A),
(N; γ_B, δ_B), (N; γ_C, δ_C) and minimum distances d_A, d_B, d_C respectively.

Definition 2 (BQ-Plotkin Construction). Let G_A, G_B and G_C be the generator
matrices of the quaternary linear codes 𝒜, ℬ and 𝒞. We define a new code
𝒞_{4N} as the quaternary linear code generated by

$$
G_{BQ} = \begin{pmatrix}
G_A & G_A & G_A & G_A \\
0 & G'_B & 2G'_B & 3G'_B \\
0 & 0 & \hat{G}_B & \hat{G}_B \\
0 & 0 & 0 & G_C
\end{pmatrix},
$$

where G'_B is the matrix obtained from G_B after switching twos by ones in its
γ_B rows of order two and Ĝ_B is the matrix obtained from G_B after removing its
γ_B rows of order two.

Proposition 2. The quaternary linear code generated by the BQ-Plotkin construction
in Definition 2 is a quaternary code of type (4N; γ, δ) where γ =
γ_A + γ_C, δ = δ_A + γ_B + 2δ_B + δ_C, binary length n = 8N, size 2^{γ+2δ} and minimum
distance d = min{4d_A, 2d_B, d_C}.

3 Quaternary Reed-Muller Codes

The usual linear binary RM family of codes is one of the oldest and most interesting
families of codes. The codes in this family are easy to decode and their combinatorial
properties are of great interest for producing new optimal codes from them.

For any integer m ≥ 1 the family of binary linear RM codes is given by the
sequence RM(r, m), where 0 ≤ r ≤ m; RM(r, m) is called the rth order binary
Reed-Muller code of length n = 2^m and

RM(0, m) ⊂ RM(1, m) ⊂ · · · ⊂ RM(r − 2, m) ⊂ RM(r − 1, m) ⊂ RM(r, m).

Let 0 < r < m, m ≥ 1 and use the symbols 0, 1 for the all zeroes and the all
ones vectors, respectively. According to [12] the RM(r, m) code of order r can be
constructed by using the Plotkin construction in the following way:

1. RM(0, m) = {0, 1}, RM(m, m) = F_2^{2^m},
2. RM(r, m) = {(u | u + v) : u ∈ RM(r, m − 1), v ∈ RM(r − 1, m − 1)}.      (2)

It is important to note that if we fix m, once we know the sequence RM(r, m)
for all 0 ≤ r ≤ m, then it is easy to obtain the new sequence RM(r, m + 1) using
the Plotkin construction (2).

Codes in the RM family fulfil the basic properties summarized in the following
Theorem (see [12]):

Theorem 1. The binary linear Reed-Muller family of codes RM(r, m) has the
following properties:
1. length n = 2^m;
2. minimum distance d = 2^{m−r}, 0 ≤ r ≤ m;
3. dimension $k = \sum_{i=0}^{r} \binom{m}{i}$;
4. each code RM(r − 1, m) is a subcode of RM(r, m), r > 0. RM(0, m) =
{0, 1}; RM(m, m) = F_2^{2^m} and RM(m − 1, m) is the even code (so the code
with all the vectors of even weight from F_2^{2^m});
5. RM(1, m) is the binary linear Hadamard code and RM(m − 2, m) is the
extended 1-perfect Hamming code of parameters (2^m, 2^m − m − 1, 4);
6. the code RM(r, m) is the dual code of RM(m − 1 − r, m) for r < m.

In the recent literature several families of quaternary linear codes have been
proposed and studied [7,18,2,3] trying to generalize the RM codes, but when one takes
the corresponding Z_4-linear codes they do not satisfy all the above properties.
This is the main goal of the present work, to construct new families of quaternary
linear codes such that, after the Gray map, we obtain Z_4-linear codes with the
parameters and properties quoted in Theorem 1 except for the duality.

We will refer to the quaternary linear Reed-Muller codes as ℛℳ to distinguish
them from the binary linear Reed-Muller codes RM. Contrary to the linear
binary case, where there is only one RM family, in the quaternary case we have
⌊(m + 1)/2⌋ families for each value of m. We will distinguish the families we are talking
about by using subindexes s (s ∈ {0, . . . , ⌊(m − 1)/2⌋}).

3.1 The Family of ℛℳ(r, 1) Codes

We start by considering the case of m = 1, so the case of codes of binary length
n = 2^1. The quaternary linear Reed-Muller code ℛℳ(0, 1) is the repetition code
with only one nonzero codeword (the vector with only one quaternary coordinate
of value 2). This quaternary linear code is of type (1; 1, 0). The code ℛℳ(1, 1)
is the whole space Z_4^1, so a quaternary linear code of type (1; 0, 1).

These codes, ℛℳ(0, 1) and ℛℳ(1, 1), after the Gray map, give binary codes
with the same parameters as the corresponding binary RM(r, 1) codes and with
the same properties described in Theorem 1. In this case, when m = 1, not only
do these codes have the same parameters, but they have the same codewords. We
will refer to these codes as ℛℳ_0(0, 1) and ℛℳ_0(1, 1), respectively.

From now on, because we will need a specific representation for the
above mentioned codes, we agree to use the following matrices as the
generator matrices for each one of them. The generator matrix of ℛℳ_0(0, 1) is
G_0(0, 1) = (2) and the generator matrix of ℛℳ_0(1, 1) is G_0(1, 1) = (1).

3.2 Plotkin and BQ-Plotkin Constructions

The first important point is to apply the Plotkin construction to quaternary
linear Reed-Muller codes.

Let ℛℳ_s(r, m − 1) and ℛℳ_s(r − 1, m − 1), 0 ≤ s ≤ ⌊(m − 1)/2⌋, be any two ℛℳ
codes with parameters (N; γ′, δ′) and (N; γ″, δ″); binary length n = 2^{m−1};
number of codewords 2^{k′} and 2^{k″}; minimum distances 2^{m−r−1} and 2^{m−r} respectively,
where

$$
k' = \sum_{i=0}^{r} \binom{m-1}{i}, \qquad k'' = \sum_{i=0}^{r-1} \binom{m-1}{i}.
$$

Using Proposition 1 we can prove the following result:

Theorem 2. For any r and m ≥ 2, 0 < r < m, the code obtained by using the
Plotkin construction:

ℛℳ_s(r, m) = {(u | u + v) : u ∈ ℛℳ_s(r, m − 1), v ∈ ℛℳ_s(r − 1, m − 1)}

is a quaternary linear code of type (2N; γ, δ), where γ = γ′ + γ″ and δ = δ′ + δ″;
binary length n = 2^m; number of codewords 2^k, where $k = \sum_{i=0}^{r} \binom{m}{i}$, minimum
distance 2^{m−r} and ℛℳ_s(r − 1, m) ⊂ ℛℳ_s(r, m).

For r = 0, ℛℳ_s(0, m) is the repetition code with only one nonzero codeword
(the all twos vector). For r = m, the code ℛℳ_s(m, m) is the whole space Z_4^{2^{m−1}}.

Applying Theorem 2 and the above mentioned codes ℛℳ_0(r, m) with m = 1
we obtain the codes in Table 1a. The generator matrices for these codes are:

$$
\mathcal{RM}_0(0,2):\ \begin{pmatrix} 2 & 2 \end{pmatrix};\qquad
\mathcal{RM}_0(1,2):\ \begin{pmatrix} 0 & 2 \\ 1 & 1 \end{pmatrix};\qquad
\mathcal{RM}_0(2,2):\ \begin{pmatrix} 0 & 1 \\ 1 & 1 \end{pmatrix}.
$$

Table 1. ℛℳ_s(r, m) codes for (a: m = 2 and b: m = 3); entries are the types (γ, δ)

(a) m = 2
  (r, m):   (0, 2)   (1, 2)   (2, 2)
  N = 2:    (1, 0)   (1, 1)   (0, 2)    ℛℳ_0(r, 2)

(b) m = 3
  (r, m):   (0, 3)   (1, 3)   (2, 3)   (3, 3)
  N = 4:    (1, 0)   (2, 1)   (1, 3)   (0, 4)    ℛℳ_0(r, 3)
  N = 4:    (1, 0)   (0, 2)   (1, 3)   (0, 4)    ℛℳ_1(r, 3)

For m = 3 there exist two quaternary linear Hadamard codes. So, our goal is
to find two families of quaternary Reed-Muller codes as is shown in Table 1b.
Codes in the first row of Table 1b can be obtained using the Plotkin construction
from the codes in the first row of Table 1a. But codes in the second row cannot
be obtained using only Plotkin constructions. It is at this point that we need to
use the new BQ-Plotkin construction.
The constructions of additive codes whose images are binary codes with parameters
of RM codes using the Plotkin construction were initiated in [15,17].

Let ℛℳ_{s−1}(r, m − 2), ℛℳ_{s−1}(r − 1, m − 2) and ℛℳ_{s−1}(r − 2, m − 2), 0 < s ≤
⌊(m − 1)/2⌋, m ≥ 3, be any three ℛℳ codes with parameters (N; γ′, δ′), (N; γ″, δ″)
and (N; γ‴, δ‴); binary length n = 2^{m−2}; number of codewords 2^{k′}, 2^{k″} and
2^{k‴}; minimum distances 2^{m−r−2}, 2^{m−r−1} and 2^{m−r} respectively, where

$$
k' = \sum_{i=0}^{r} \binom{m-2}{i}, \qquad k'' = \sum_{i=0}^{r-1} \binom{m-2}{i}, \qquad k''' = \sum_{i=0}^{r-2} \binom{m-2}{i}.
$$

Using Proposition 2 we are able to prove

Theorem 3. For any r and m ≥ 3, 0 < r < m − 1, the code ℛℳ_s(r, m),
s > 0, obtained by using the BQ-Plotkin construction and with generator matrix
G_s(r, m):

$$
\begin{pmatrix}
G_{s-1}(r, m-2) & G_{s-1}(r, m-2) & G_{s-1}(r, m-2) & G_{s-1}(r, m-2) \\
0 & G'_{s-1}(r-1, m-2) & 2G'_{s-1}(r-1, m-2) & 3G'_{s-1}(r-1, m-2) \\
0 & 0 & \hat{G}_{s-1}(r-1, m-2) & \hat{G}_{s-1}(r-1, m-2) \\
0 & 0 & 0 & G_{s-1}(r-2, m-2)
\end{pmatrix}
$$

is a quaternary linear code of type (4N; γ, δ), where γ = γ′ + γ‴ and δ =
δ′ + γ″ + 2δ″ + δ‴; binary length n = 2^m; number of codewords 2^k, where
$k = \sum_{i=0}^{r} \binom{m}{i}$, minimum distance 2^{m−r} and ℛℳ_s(r − 1, m) ⊂ ℛℳ_s(r, m).

To be coherent with all the notations, for r = −1, the code ℛℳ_s(−1, m) is
defined as the all zero codeword code. For r = 0, the code ℛℳ_s(0, m) is defined
as the repetition code with only one nonzero codeword (the all twos quaternary
vector). For r = m − 1 and r = m, the codes ℛℳ_s(m − 1, m) and ℛℳ_s(m, m) are
defined as the even Lee weight code and the whole space Z_4^{2^{m−1}}, respectively.

Using both Theorems 2 and 3 we can construct the ℛℳ codes in the two rows of
Table 1b. We do not write the generator matrices for the codes ℛℳ_0(r, 3) because
they can be directly obtained from the respective codes for m = 2 by using
the Plotkin construction. For the codes in the family ℛℳ_1(r, 3) we present the
generator matrices as a direct application of Theorem 3:

$$
\mathcal{RM}_1(0,3):\ \begin{pmatrix} 2 & 2 & 2 & 2 \end{pmatrix};\qquad
\mathcal{RM}_1(1,3):\ \begin{pmatrix} 1 & 1 & 1 & 1 \\ 0 & 1 & 2 & 3 \end{pmatrix};\qquad
\mathcal{RM}_1(2,3):\ \begin{pmatrix} 2 & 0 & 0 & 0 \\ 1 & 1 & 1 & 1 \\ 0 & 1 & 2 & 3 \\ 0 & 0 & 1 & 1 \end{pmatrix};
$$

the remaining code ℛℳ_1(3, 3) in the family is the whole space Z_4^{2^2}.

All these codes, after the Gray map, give binary codes with the same parameters
as the RM(r, 3) codes and with the same properties described in Theorem 1.
In the case under consideration, when m = 3, as in the case m = 2, not only
do these codes have the same parameters, but they have the same codewords. This
is not so for all the other values of m > 3.
Now, from Table 1b and by using the Plotkin construction we can construct
the two families of ℛℳ_s(r, 4) codes for s = 0, 1, as is shown in Table 2.

Table 2. ℛℳ_s(r, m) codes for m = 4; entries are the types (γ, δ)

  (r, m):   (0, 4)   (1, 4)   (2, 4)   (3, 4)   (4, 4)
  N = 8:    (1, 0)   (3, 1)   (3, 4)   (1, 7)   (0, 8)    ℛℳ_0(r, 4)
  N = 8:    (1, 0)   (1, 2)   (1, 5)   (1, 7)   (0, 8)    ℛℳ_1(r, 4)

From the codes in Table 1b and Table 2, applying the BQ-Plotkin and the Plotkin
constructions respectively, we can construct the three families of ℛℳ_s(r, 5) for
s = 0, 1, 2, as is shown in Table 3.

As is proved in Theorems 2 and 3, the constructed families of ℛℳ codes
satisfy the same properties we stated for linear binary Reed-Muller codes in
Theorem 1 except for the duality.

Table 3. ℛℳ_s(r, m) codes for m = 5; entries are the types (γ, δ)

  (r, m):   (0, 5)   (1, 5)   (2, 5)   (3, 5)   (4, 5)   (5, 5)
  N = 16:   (1, 0)   (4, 1)   (6, 5)   (4, 11)  (1, 15)  (0, 16)   ℛℳ_0(r, 5)
  N = 16:   (1, 0)   (2, 2)   (2, 7)   (2, 12)  (1, 15)  (0, 16)   ℛℳ_1(r, 5)
  N = 16:   (1, 0)   (0, 3)   (2, 7)   (0, 13)  (1, 15)  (0, 16)   ℛℳ_2(r, 5)

Notice that the constructed ℛℳ families of quaternary linear Reed-Muller
codes have not only the same parameters as the classical binary linear family of
RM codes, but the characteristic codes ℛℳ_s(1, m) and ℛℳ_s(m − 2, m) satisfy
the following Lemma.

Lemma 1. For any integer m ≥ 1 and 0 ≤ s ≤ m, the code ℛℳ_s(1, m) is a
Hadamard quaternary linear code and the code ℛℳ_s(m − 2, m) is an extended
quaternary linear 1-perfect code.
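As an added example (code written for this page, not taken from the paper or its authors), the material of Sections 2.1 to 2.3 and of Section 3 is carried out over Z_4 explicitly: the Gray map and Lee weight, the generator matrices G_P and G_BQ of Definitions 1 and 2, and the recursion for the families ℛℳ_s(r, m), in which family s is started at m = 2s + 1 by the BQ-Plotkin construction of Theorem 3 from family s − 1 and then extended to larger m by the Plotkin construction of Theorem 2, with the boundary codes as defined after Theorem 3. Each code is enumerated, its type (γ, δ) is read off from its size and its number of order-two codewords, and the result is compared with Tables 1 and 2 and with the RM(r, m) parameters of Theorem 1. Two details are this example's own choices rather than the paper's: the even Lee weight code is generated by the rows e_i + e_N (i < N) together with 2e_N, and only m ≤ 4 is enumerated because ℛℳ_s(m, m) is the whole space Z_4^{2^{m−1}}.

```python
"""Quaternary Plotkin / BQ-Plotkin constructions and the RM_s(r, m) families (added example)."""
from math import comb

# Gray map φ and Lee weight on Z4 (Section 2.1); w_L(q) equals the Hamming weight of φ(q)
GRAY = {0: (0, 0), 1: (0, 1), 2: (1, 1), 3: (1, 0)}
LEE = {0: 0, 1: 1, 2: 2, 3: 1}


def gray_map(v):
    """Φ on a quaternary vector: concatenate φ of each coordinate (binary length 2N)."""
    return tuple(bit for q in v for bit in GRAY[q % 4])


def lee_weight(v):
    return sum(LEE[q % 4] for q in v)


def span(rows, N):
    """The quaternary linear code generated by `rows`: all Z4-combinations, as a set of tuples."""
    code = {tuple([0] * N)}
    for r in rows:
        code = {tuple((c[i] + t * r[i]) % 4 for i in range(N)) for c in code for t in range(4)}
    return code


def code_type(code):
    """(γ, δ) of a quaternary linear code: |C| = 2^γ 4^δ and #{c : 2c = 0} = 2^(γ+δ)."""
    order_two = sum(1 for c in code if all(q % 2 == 0 for q in c))   # codewords over {0, 2}
    g_plus_d, g_plus_2d = order_two.bit_length() - 1, len(code).bit_length() - 1
    delta = g_plus_2d - g_plus_d
    return g_plus_d - delta, delta


def min_lee_distance(code):
    """Minimum nonzero Lee weight (= minimum Lee distance, the code being linear)."""
    return min(lee_weight(c) for c in code if any(c))


def min_hamming_distance_of_gray_image(code):
    """Minimum Hamming distance of Φ(C); equals min_lee_distance(code) by construction of φ."""
    return min(sum(gray_map(c)) for c in code if any(c))


def is_order_two(row):
    return all(q % 2 == 0 for q in row)


def plotkin(GA, GB, N):
    """Definition 1: G_P = [[G_A G_A], [0 G_B]] generates {(u | u + v) : u in A, v in B}."""
    zero = [0] * N
    return [r + r for r in GA] + [zero + r for r in GB]


def bq_plotkin(GA, GB, GC, N):
    """Definition 2: G'_B is G_B with the twos of its order-two rows replaced by ones,
    Ĝ_B is G_B with its order-two rows removed."""
    zero = [0] * N
    GB_prime = [[1 if q == 2 else q for q in r] if is_order_two(r) else r for r in GB]
    GB_hat = [r for r in GB if not is_order_two(r)]
    scale = lambda t, r: [(t * q) % 4 for q in r]
    return ([r + r + r + r for r in GA]
            + [zero + r + scale(2, r) + scale(3, r) for r in GB_prime]
            + [zero + zero + r + r for r in GB_hat]
            + [zero + zero + zero + r for r in GC])


def rm_generator(s, r, m):
    """Generator rows of RM_s(r, m) (length N = 2^(m-1)) together with N, following Section 3:
    family s is created at m = 2s + 1 by BQ-Plotkin from family s - 1 at m - 2 (Theorem 3)
    and extended to larger m by the Plotkin construction (Theorem 2); the boundary codes
    RM_s(-1, m), RM_s(0, m), RM_s(m - 1, m) and RM_s(m, m) are as defined after Theorem 3."""
    assert 0 <= s <= (m - 1) // 2, "the paper has floor((m+1)/2) families: s <= floor((m-1)/2)"
    N = 2 ** (m - 1)
    if r < 0:
        return [], N                                                    # zero code
    if r == 0:
        return [[2] * N], N                                             # all-twos repetition code
    if r >= m:
        return [[int(i == j) for j in range(N)] for i in range(N)], N   # whole space Z4^N
    if s == 0 or m > 2 * s + 1:                                         # Theorem 2
        GA, _ = rm_generator(s, r, m - 1)
        GB, _ = rm_generator(s, r - 1, m - 1)
        return plotkin(GA, GB, N // 2), N
    if r == m - 1:   # even Lee weight code, i.e. sum of coordinates even (generator is this example's choice)
        rows = [[int(j in (i, N - 1)) for j in range(N)] for i in range(N - 1)]
        return rows + [[0] * (N - 1) + [2]], N
    GA, _ = rm_generator(s - 1, r, m - 2)                               # Theorem 3
    GB, _ = rm_generator(s - 1, r - 1, m - 2)
    GC, _ = rm_generator(s - 1, r - 2, m - 2)
    return bq_plotkin(GA, GB, GC, N // 4), N


def family_parameters(s, m):
    """[(r, γ, δ, log2 |Φ(C)|, d_min)] for r = 0..m, to be compared with Tables 1 and 2
    (keep m <= 4: the codes are enumerated explicitly)."""
    out = []
    for r in range(m + 1):
        C = span(*rm_generator(s, r, m))
        gamma, delta = code_type(C)
        out.append((r, gamma, delta, gamma + 2 * delta, min_lee_distance(C)))
    return out


def matches_binary_rm(s, m):
    """True iff every Φ(RM_s(r, m)) has the RM(r, m) parameters of Theorem 1:
    dimension Σ_{i<=r} C(m, i) and minimum distance 2^(m-r) (length 2^m is built in)."""
    return all(k == sum(comb(m, i) for i in range(r + 1)) and d == 2 ** (m - r)
               for r, _, _, k, d in family_parameters(s, m))


if __name__ == "__main__":
    for s, m in [(0, 2), (0, 3), (1, 3), (0, 4), (1, 4)]:
        print(f"RM_{s}(r, {m}):", [(r, (g, d)) for r, g, d, _, _ in family_parameters(s, m)],
              "binary RM parameters:", matches_binary_rm(s, m))
```

Running it reproduces the (γ, δ) entries of Table 1 and Table 2 and, for every code, the dimension and minimum distance of the corresponding binary RM(r, m); the BQ-Plotkin step for ℛℳ_1(1, 3) yields exactly the generator matrix with rows (1 1 1 1) and (0 1 2 3) printed above, while for ℛℳ_1(2, 3) it yields a different generator matrix of the same even Lee weight code.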

4 Conclusion

New constructions based on quaternary linear codes have been proposed such that,
after the Gray map, the obtained Z_4-linear codes fulfil the same properties and
characteristics as the usual binary linear RM codes. Apart from the parameters
characterizing each code, an important property which remains in these newly
presented families is that the first order ℛℳ code is a Hadamard quaternary
code and the (m − 2)-th order ℛℳ code is a quaternary code which gives rise to
an extended 1-perfect code, as in the usual binary case. So the families of codes
obtained in the paper contain the families of quaternary perfect and Hadamard
codes from [9,10].

There are several questions and subjects related to this work which it would be of
great interest to study more deeply. The first one is the generalization of the constructions
of ℛℳ codes to the case of general additive codes, so the case of additive
codes with α ≠ 0. It is known that there exist additive non-Z_4-linear 1-perfect
codes [5] and the corresponding Hadamard additive dual codes. This observation
could be taken as the starting point to produce the new families of Reed-Muller
codes. Another important question is duality. It is well known that the binary codes
RM(r, m) and RM(m − r − 1, m) are dual to each other. The constructed ℛℳ
families have a similar, but not exactly the same, property. The code ℛℳ(m − r −
1, m) is equivalent, but not equal, to the additive dual of the code ℛℳ(r, m).
Given any ℛℳ family it would be interesting to find the dual family, in the sense
that all the codes in the first family have their additive dual in the second family.
Other open questions are related to the uniqueness (up to equivalence) of the obtained
codes, their weight distribution, etc.

References

1. Bonnecaze, A., Solé, P., Calderbank, A.R.: Quaternary Quadratic Residue Codes and Unimodular Lattices. IEEE Trans. Inform. Theory 41, 366–377 (1995)
2. Borges, J., Fernandes, C., Phelps, K.T.: Quaternary Reed-Muller Codes. IEEE Trans. Inform. Theory 51(7), 2686–2691 (2005)
3. Borges, J., Fernandes, C., Phelps, K.T.: ZRM Codes. IEEE Trans. Inform. Theory (to appear)
4. Borges, J., Fernández, C., Pujol, J., Rifà, J., Villanueva, M.: On Z_2Z_4-Linear Codes and Duality. In: V Jornades de Matemàtica Discreta i Algorísmica, Soria, Spain, pp. 171–177 (2006)
5. Borges, J., Rifà, J.: A Characterization of 1-Perfect Additive Codes. IEEE Trans. Inform. Theory 45(5), 1688–1697 (1999)
6. Delsarte, P.: An Algebraic Approach to the Association Schemes of Coding Theory. Philips Research Rep. Suppl. 10 (1973)
7. Hammons, A.R., Kumar, P.V., Calderbank, A.R., Sloane, N.J.A., Solé, P.: The Z_4-Linearity of Kerdock, Preparata, Goethals and Related Codes. IEEE Trans. Inform. Theory 40, 301–319 (1994)
8. Hou, X.-D., Lahtonen, J.T., Koponen, S.: The Reed-Muller Code R(r, m) Is Not Z_4-Linear for 3 ≤ r ≤ m − 2. IEEE Trans. Inform. Theory 44, 798–799 (1998)
9. Krotov, D.S.: Z_4-Linear Perfect Codes. Discrete Analysis and Operation Research, Novosibirsk, Institute of Math. SB RAS 7(4), 78–90 (2000)
10. Krotov, D.S.: Z_4-Linear Hadamard and Extended Perfect Codes. In: 2001 Int. Workshop on Coding and Cryptography, Paris, France, pp. 329–334 (2001)
11. Lee, C.Y.: Some Properties of Nonbinary Error-Correcting Codes. IRE Trans. Inform. Theory 4(4), 77–82 (1958)
12. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes. North-Holland Publishing Company, Amsterdam (1977)
13. Nechaev, A.A.: Kerdock Codes in a Cyclic Form. Disc. Math. 1(4), 123–139 (1989)
14. Plotkin, M.: Binary Codes with Specified Minimum Distances. IEEE Trans. Inform. Theory 6, 445–450 (1960)
15. Pujol, J., Rifà, J.: Additive Reed-Muller Codes. In: 1997 Int. Symp. on Inform. Theory, Ulm, Germany, p. 508. IEEE Press, New York (1997)
16. Rifà, J., Pujol, J.: Translation Invariant Propelinear Codes. IEEE Trans. Inform. Theory 43, 590–598 (1997)
17. Solov'eva, F.I.: On Z_4-Linear Codes with Parameters of Reed-Muller Codes. Problems of Inform. Trans. 43, 32–38 (2007)
18. Wan, Z.X.: Quaternary Codes. World Scientific Publishing Co., Singapore (1997)
Joint Source-Cryptographic-Channel Coding
Based on Linear Block Codes

Haruhiko Kaneko and Eiji Fujiwara

Graduate School of Information Science and Engineering,
Tokyo Institute of Technology
2-12-1 Ookayama, Meguro-ku, Tokyo, 152-8552 Japan
[email protected], [email protected]

Abstract. This paper proposes a joint coding with three functions:
source coding, channel coding, and public-key encryption. A codeword
is simply generated as the product of an encoding matrix and a sparse
information word. This encoding method has much lower encoding complexity
than the conventional coding techniques in which source coding,
encryption, and channel coding are successively applied to an information
word. The encoding matrix is generated by using two linear error
control codes and randomly generated nonsingular matrices. Encryption
is based on the intractability of factorizing a matrix into randomly constructed
factor matrices, and of decoding an error control code defined
by a random parity-check matrix. Evaluation shows that the proposed
joint coding gives a lower bit error rate and a better compression ratio
than the conventional codings.

1 Introduction
Compact communication devices will play an important role in future network
systems such as sensor networks and ubiquitous computing networks. For an
efficient and reliable data transmission, these devices should have source and
channel coding capabilities. In addition, data should be encrypted when such de-
vices are used in an insecure environment. Many data compression techniques are
available for efficient source coding [1][2][3][4], and also strong error control codes
have been developed for channel coding [5][6][7]. In addition, some encryption al-
gorithms have been standardized for secure data transmission. Recent source and
channel codings and encryption algorithms require considerable computational
power for encoding and decoding. Compact communication devices, however,
usually have limited computational resources. Therefore, low-complexity joint
source-cryptographic-channel coding is preferable for such resource constrained
devices.
Techniques for joint source-channel coding have been proposed aimed at de-
coding noisy compressed data as reliably as possible. Unequal error protection
(UEP) coding can be used to protect important parts of compressed data, such as
header information, from errors. UEP coding techniques have been proposed for
several types of compressed data, such as compressed text [8] and video data [9].

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 158–167, 2007.
© Springer-Verlag Berlin Heidelberg 2007
These coding techniques, however, generally increase the encoding complexity.
Another approach to this joint coding is to utilize source dependencies in a belief
propagation decoding algorithm for low-density generator-matrix codes [10].
The MacKay-Neal (MN) code [6] can also be used for joint source-channel coding;
it efficiently encodes a sparse information word m to the codeword c = Am, where
m and c are column vectors, and A is a matrix generated from a low-density
parity-check (LDPC) matrix. The MN code provides joint source-channel coding
capability with simple exclusive-OR (EX-OR) operations in encoding. The
above joint codings, however, do not have encryption capabilities.
This paper proposes a joint coding with three functions: source coding, channel
coding, and public-key encryption. The proposed joint coding encodes a sparse
information word m to a codeword c = Am, where A is defined as the product of
a generator matrix, a parity-check matrix, and randomly constructed nonsingular
matrices. Hence, the codeword c can be generated from the information word m
by simple EX-OR operations, which means that the encoding complexity of the
proposed joint coding is comparable to that of conventional linear error control
codes encoded by a generator matrix or a systematic parity-check matrix.
This paper is organized as follows. Section 2 reviews related work on
joint coding. Section 3 presents the system model, and Section 4 presents the new joint
coding under this model. Sections 5 and 6 discuss the security and the
entropy conversion of this coding, respectively. Section 7 provides an evaluation
of the proposed joint coding, and Section 8 concludes the paper.

2 Related Work
2.1 MN Code for Joint Source-Channel Coding
The MN code [6] has been proposed for joint source-channel coding. Let m = (m0,
m1, . . . , mK−1)T be an information word of length K bits, where mi, i ∈ {0,
1, . . . , K − 1}, is the i-th information bit. In general, conventional error
control codes encode any input word m with arbitrary Hamming weight. On the
other hand, the MN code encodes a sparse information word m, i.e., a word with
low Hamming weight. Let H = [Cs | Cn] be an M × N LDPC matrix, where Cs is
an M × (N − M) matrix, and Cn is an M × M nonsingular matrix. An information
word m of length K = N − M bits is encoded as $c = C_n^{-1} C_s m = Am$,
where $A = C_n^{-1} C_s$, the probability of information bit mi being 1 is q1 < 1/2,
the matrix [Cs | Cn] is an LDPC matrix for the binary symmetric channel (BSC)
with crossover probability ε = q1, and c = (c0, c1, . . . , cM−1)T is a codeword
of length M bits. Let c′ = c + n be a received word, where vector addition is
performed over GF(2) and n is a noise vector of length M. The received word
c′ is decoded based on the following relation:

$$C_n c' = C_n c + C_n n = C_s m + C_n n = [C_s \,|\, C_n] \begin{pmatrix} m \\ n \end{pmatrix}.$$

From this, the information word m can be recovered from Cn c′ by the sum-product
algorithm [6] because m and n are sparse vectors and H = [Cs | Cn] is
an LDPC matrix.
2.2 McEliece's Public-Key Cryptosystem (PKC) Using Linear Block Code

McEliece proposed a PKC based on Goppa codes [11]; a McEliece-type PKC
based on LDPC codes has been proposed in [12]. Let G be a K × N generator
matrix of an (N, K, 2t+1) linear code C, where C is a random t-bit error correcting
code. Let Q be an N × N random permutation matrix, and let D be a K × K
random nonsingular matrix. Using the matrices G, Q, and D as the set of private
keys, the public key A is generated as $A = Q G^{T} D$, where A is an N × K matrix.
The binary plaintext m = (m0, m1, . . . , mK−1)T is encrypted using the public key
as c = Am + n, where c is the ciphertext expressed as a binary column vector of
length N, and n is a random error vector of length N and Hamming weight
t. The ciphertext c is decrypted by using the private keys as follows:
1. Calculate $c' = Q^{-1} c = G^{T} D m + Q^{-1} n$.
2. Decode c′ using the linear code C to correct the errors $Q^{-1} n$, and obtain the
decoded word u = Dm.
3. Reconstruct the plaintext as $m = D^{-1} u$.
Although McEliece's PKC is vulnerable to some practical attacks, modified
versions of this PKC have been proven to be semantically secure [13].

2.3 Niederreiter's PKC for Joint Source-Cryptographic Coding

Niederreiter's PKC [14] is also based on linear block error control codes. Unlike
McEliece's PKC, which can encrypt a plaintext m with arbitrary Hamming
weight, Niederreiter's PKC can only encrypt m with Hamming weight less than
or equal to t. Let H be an M × N parity-check matrix of a t-symbol error correcting
code C over GF(q), such as a Reed-Solomon code. Let T be an N × N
random permutation matrix, and let D be an M × M random nonsingular matrix.
Using the matrices H, T, and D as the set of private keys, the public key A
is generated as A = DHT, where A is an M × N matrix. The information word
m = (m0, m1, . . . , mN−1)T is encrypted by using the public key as c = Am,
where the Hamming weight of m is less than or equal to t, and c is the ciphertext
expressed as a column vector of length M. Note that deriving m directly
from A and c is difficult because rank(A) < N and A has no visible algebraic
structure. The ciphertext c is decrypted using the private keys as follows:
1. Calculate $c' = D^{-1} c = H T m$.
2. Find a column vector u that satisfies c′ = Hu and w(u) ≤ t using a decoding
algorithm for C, where w(u) is the Hamming weight of u.
3. Reconstruct the plaintext as $m = T^{-1} u$.
A security analysis has shown that McEliece's and Niederreiter's PKCs have
equivalent security [15].
Table 1 summarizes the functions of the above coding techniques. Here, the MN
code and Niederreiter's PKC have a source coding function because a sparser
information word m gives a shorter codeword c.
Table 1. Functions of conventional coding techniques

Function         MN code   McEliece's PKC   Niederreiter's PKC
Source coding    Yes       No               Yes
Encryption       No        Yes              Yes
Channel coding   Yes       No               No

3 System Model
Recent communication and storage systems sometimes require three functions:
source coding for data compression, cryptographic coding for data encryption,
and channel coding for error correction/detection. Figure 1(a) shows the
conventional sequential encoding process for source, cryptographic, and channel
coding, each performed independently, where the source coding consists of
preprocessing and entropy coding steps. The preprocessing depends on the
type of input data. For example, still images are preprocessed by discrete cosine
transform, quantization, zigzag scan, and run length coding [3]. Video data are
first subjected to motion estimation/compensation, and then the estimation errors are
encoded in a similar way to still image coding [4]. Text data are usually
preprocessed by dictionary coding [2] or block sorting. The preprocessing is usually
followed by an entropy coding step, such as Huffman coding [1] or arithmetic
coding. The compressed data is encrypted and then encoded by a channel code.
This paper proposes the new joint coding shown in Fig. 1(b), where the
conventional entropy, cryptographic, and channel codings are replaced by an entropy
conversion and a joint coding based on an encoding matrix A. Unlike conventional
PKCs based on the integer factoring problem or the discrete logarithm problem, which
require many arithmetic operations, the proposed coding provides a PKC with
simple EX-OR operations. In addition, this paper demonstrates in Section 7 that, for
some cases, the joint coding provides a superior data compression ratio and higher
error correction capability than the conventional sequential coding.
This paper mainly focuses on the joint coding. The entropy conversion is
briefly described in Section 6.

[Fig. 1. (a) Conventional sequential coding. (b) Proposed joint coding. Block diagram, original figure not reproduced: in (a), video, still image, and text data pass through preprocessing (motion estimation/compensation producing MVs, dictionary coding or block sorting, DCT/DWT/predictive coding, quantization, zigzag scan with RLC or bit-plane scan), then entropy coding (Huffman coding, arithmetic coding), cryptographic coding, and channel coding before the channel or storage; in (b) the same preprocessing is followed by entropy conversion producing m and the joint coding c = Am, where A is the encoding matrix and c the codeword. DCT: discrete cosine transform, DWT: discrete wavelet transform, MV: motion vector, RLC: run-length coding.]


4 Joint Source-Cryptographic-Channel Coding

This section presents a joint source-cryptographic-channel coding that
encodes a sparse binary information word m = (m0, m1, . . . , mNS−1)T with
Hamming weight t to a binary codeword c = (c0, c1, . . . , cNC−1)T, where the
probability of mi, i ∈ {0, 1, . . . , NS − 1}, being 1 is q1 = t/NS < 1/2. Here,
the joint coding has source coding capability because the code rate NS/NC is
determined based on both the source entropy H(S) = −q0 log q0 − q1 log q1 and
the channel capacity C, where q0 = 1 − q1.

4.1 Code Construction and Encoding

Let HS be an MS × NS parity-check matrix of either a t-bit error correcting Goppa
code or an LDPC code for the BSC with crossover probability ε = q1. Let HC be an
MC × NC parity-check matrix of a linear error correcting code CC designed for a
given communication channel C, where KC = NC − MC = MS. The generator matrix
GC of CC is expressed as a binary KC × NC matrix. Square matrices D, Q, and
T are defined as follows: D is an MS × MS random nonsingular matrix, Q is an
NC × NC random permutation matrix, and T is an NS × NS random permutation
matrix. The encoding matrix A is generated as

$$A = Q^{-1} G_C^{T} D^{-1} H_S T^{-1},$$

where A is an NC × NS matrix. The matrix A is the public key for encoding, and
the other matrices are the private keys for decoding. Figure 2 illustrates how the
encoding matrix A is generated.
Using the matrix A, the binary sparse information word m = (m0, m1, . . . ,
mNS−1)T is encoded to the codeword c = (c0, c1, . . . , cNC−1)T as c = Am, where
the probability of mi = 1, i ∈ {0, 1, . . . , NS − 1}, is q1 < 1/2.

4.2 Tandem Decoding

Let c′ = (c′0, c′1, . . . , c′NC−1)T = c + n be a received word, where c′i, i ∈ {0, 1, . . . ,
NC − 1}, is an element of the channel output alphabet, and n is a noise vector
expressed as a column vector of length NC.

[Fig. 2. Generation of encoding matrix A. Diagram, original figure not reproduced: the NC × NC permutation matrix Q (inverted), the KC × NC generator matrix GC of the channel code with MC × NC parity-check matrix HC (transposed), the MS × MS nonsingular matrix D (inverted), the MS × NS parity-check matrix HS, and the NS × NS permutation matrix T (inverted) are multiplied to give the NC × NS encoding matrix $A = Q^{-1} G_C^{T} D^{-1} H_S T^{-1}$, the public key.]

[Fig. 3. Tandem decoding process. Diagram, original figure not reproduced: received word c′ → Q → c″ → decoding for channel code CC → u → $(G_C^{T})^{\dagger}$ → ud → D → v → decoding for HS → w → T → decoded word m.]

To reconstruct the original information word m, the received word c′ is decoded using the following relation:

$$c' = c + n = Q^{-1} G_C^{T} D^{-1} H_S T^{-1} m + n.$$

Firstly, the received word is permuted using Q as c″ = Qc′. The column vector
c″ satisfies the following equation:

$$c'' = Q c' = G_C^{T} D^{-1} H_S T^{-1} m + Q n.$$

Since $G_C^{T} D^{-1} H_S T^{-1} m$ is a codeword of CC, and Qn is a permuted noise vector,
errors in c″ can be corrected by a decoding algorithm for CC. That is, the
decoding removes the noise vector Qn from the vector c″, and c″ turns into
$u = G_C^{T} D^{-1} H_S T^{-1} m$. The generator matrix $G_C^{T}$ is eliminated as

$$u_d = (G_C^{T})^{\dagger} u = D^{-1} H_S T^{-1} m,$$

where $(G_C^{T})^{\dagger} G_C^{T} = I$. Here, $(G_C^{T})^{\dagger}$ is the KC × NC matrix generated by the
method shown in [16]. Then, the column vector v is calculated as

$$v = D u_d = H_S T^{-1} m = H_S w,$$

where $w = T^{-1} m$. Since w is a sparse vector with Hamming weight t and HS is
a parity-check matrix of either a t-bit error correcting Goppa code or an LDPC
code for the BSC with ε = t/NS, w can be derived from v by using a decoding
algorithm for HS. Finally, the original information word is reconstructed as
$Tw = T T^{-1} m = m$. Figure 3 illustrates the above successive decoding process,
called tandem decoding.
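As an added example (not the paper's own code), the following Python builds the encoding matrix of Sect. 4.1 and runs the tandem decoding of Sect. 4.2 with constructed toy parameters: the channel code CC is the Hamming(7,4) code and HS is the parity-check matrix of the Hamming(15,11) code, so MS = KC = 4 and t = 1, and a 15-bit information word of weight at most 1 is compressed to a 7-bit codeword that survives one channel error. The GF(2) helpers, the single-error syndrome decoders, the generic left inverse standing in for the $(G_C^{T})^{\dagger}$ of [16], and the seeds are all assumptions of the example; parameters this small show the mechanics only and carry no cryptographic strength.

```python
import random

# GF(2) linear algebra on lists of 0/1 ints (constructed helpers for this example)
def matmul(A, B):
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in zip(*B)] for row in A]
def matvec(M, v):
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]
def transpose(M):
    return [list(col) for col in zip(*M)]
def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def inverse(M):
    """Gauss-Jordan inverse over GF(2); None if M is singular."""
    n = len(M)
    aug = [row[:] + identity(n)[i] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def left_inverse(M):
    """X with X*M = I over GF(2), playing the role of (G_C^T)^dagger; M must have
    full column rank. Picks independent rows, inverts that block, embeds it."""
    k, basis, idx = len(M[0]), {}, []
    for i, row in enumerate(M):                  # greedy xor-basis over row ints
        x = int("".join(map(str, row)), 2)
        while x:
            lead = x.bit_length() - 1
            if lead not in basis:
                basis[lead] = x
                idx.append(i)
                break
            x ^= basis[lead]
    assert len(idx) == k, "matrix does not have full column rank"
    b_inv, X = inverse([M[i] for i in idx]), [[0] * len(M) for _ in range(k)]
    for j, i in enumerate(idx):
        for r in range(k):
            X[r][i] = b_inv[r][j]
    return X

def random_nonsingular(n, rng):
    while True:
        M = [[rng.randint(0, 1) for _ in range(n)] for _ in range(n)]
        if inverse(M) is not None:
            return M

def random_permutation(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return [[int(perm[i] == j) for j in range(n)] for i in range(n)]

def syndrome_to_sparse_word(H, s):
    """Single-error syndrome decoding: the w of weight <= 1 with H*w = s."""
    w = [0] * len(H[0])
    if any(s):
        w[transpose(H).index(s)] = 1             # ValueError: more than t = 1 errors
    return w

# Constructed toy parameters (not the paper's; far too small to be secure):
# channel code C_C = Hamming(7,4) with G_C = [I_4 | P], H_C = [P^T | I_3];
# source matrix H_S = parity-check matrix of Hamming(15,11), so M_S = 4 = K_C, t = 1.
P = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G_C = [identity(4)[i] + P[i] for i in range(4)]
H_C = [transpose(P)[i] + identity(3)[i] for i in range(3)]
H_S = [[(j + 1) >> i & 1 for j in range(15)] for i in range(4)]

class JointCode:
    """Public key A = Q^-1 G_C^T D^-1 H_S T^-1; Q, D, T and the decoders stay private."""
    def __init__(self, h_s, h_c, g_c, seed=1):
        rng = random.Random(seed)
        assert len(h_s) == len(g_c), "construction needs M_S == K_C"
        self.H_S, self.H_C, g_t = h_s, h_c, transpose(g_c)
        self.D = random_nonsingular(len(h_s), rng)
        self.Q = random_permutation(len(g_c[0]), rng)
        self.T = random_permutation(len(h_s[0]), rng)
        self.G_T_pinv = left_inverse(g_t)
        A = matmul(matmul(transpose(self.Q), g_t), inverse(self.D))  # Q^-1 = Q^T
        self.A = matmul(matmul(A, h_s), transpose(self.T))           # N_C x N_S

    def encode(self, m):                         # c = A m: XORs only
        return matvec(self.A, m)

    def decode(self, c_recv):                    # tandem decoding of Sect. 4.2
        c2 = matvec(self.Q, c_recv)              # c'' = Q c' = codeword + Q n
        err = syndrome_to_sparse_word(self.H_C, matvec(self.H_C, c2))
        u = [x ^ e for x, e in zip(c2, err)]     # channel decoding gives u
        ud = matvec(self.G_T_pinv, u)            # (G_C^T)^dagger u = D^-1 H_S w
        v = matvec(self.D, ud)                   # v = H_S w
        w = syndrome_to_sparse_word(self.H_S, v) # sparse w = T^-1 m
        return matvec(self.T, w)                 # m = T w
```

A typical use is `code = JointCode(H_S, H_C, G_C, seed=7)`, `c = code.encode(m)` for a 15-bit list `m` of weight at most 1, then `code.decode(noisy)` on a copy of `c` with one bit flipped, which returns `m`. Because Q and T are permutation matrices their inverses are their transposes, so no inversion is needed for them; the only inversion is of D, computed once at key generation. With the systematic Hamming generator the left inverse degenerates to selecting the four information positions, which is exactly the role the $(G_C^{T})^{\dagger}$ step plays in Fig. 3.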

4.3 Joint Decoding

If CC is a systematic LDPC code, and also HS and D are an LDPC matrix
and a sparse nonsingular matrix, respectively, we can employ joint decoding
using a three-layer Tanner graph, as shown in Fig. 4(a). The top, middle, and
bottom layers are the Tanner graphs for HC, D, and HS, respectively, where the
top and middle layers share KC variable nodes (v-nodes), and the middle and
bottom layers share MS = KC check nodes (c-nodes). In comparison with the
tandem decoding, the NC v-nodes of the top layer correspond to c″ = Qc′, the
KC v-nodes between the top and middle layers to ud, the MS c-nodes between
the middle and bottom layers to v, and the NS v-nodes of the bottom layer
to $w = T^{-1} m$. The permuted received word c″ = Qc′ is decoded by the sum-product
algorithm on the Tanner graph shown in Fig. 4(b), whose node connections
are identical to those in Fig. 4(a).
[Fig. 4. (a) Three-layer Tanner graph for joint decoding. (b) Equivalent one-layer Tanner graph. Diagram, original figure not reproduced: the layers are HC (v-nodes for c″ = Qc′), D (sharing KC = MS nodes; v-nodes ud, c-nodes v) and HS (v-nodes for the decoded word $w = T^{-1} m$); in (b) the v-nodes for c″ are initialized from the received word and the v-nodes for w are initialized to log(q0/q1).]

5 Security of the Proposed Joint Coding

Theorem 1. The security of the proposed joint coding is equivalent to that of
Niederreiter's PKC.

Proof. The encoding matrix of Niederreiter's PKC is given as AN = DHT,
where D is a random nonsingular matrix, H a parity-check matrix, and T a random
permutation matrix. The encoding matrix of the proposed joint coding is
given as $A = Q^{-1} G_C^{T} D^{-1} H_S T^{-1}$, where Q and T are random permutation
matrices, GC is a generator matrix, D a random nonsingular matrix, and HS a
parity-check matrix. By substituting D′ for $Q^{-1} G_C^{T} D^{-1}$, we have $A = D' H_S T^{-1}$,
where D′ is a random nonsingular matrix. From this, Niederreiter's PKC
and the proposed joint coding have equivalent security. □

It has been proved that Niederreiter's and McEliece's PKCs have equivalent
security [15], and hence the security of the proposed joint coding is equivalent to
that of McEliece's PKC. The security of McEliece's PKC using Goppa
codes has been analyzed by Kobara and Imai [13], who have shown that,
without partial knowledge of the target plaintext or a decryption oracle, there
exists no polynomial-time attack against the ciphertext. Note that a higher level of
security, that is, indistinguishability against adaptive chosen-ciphertext attacks
(IND-CCA2), can be achieved by appropriate preprocessing based on hash
functions and random number generators [13].

6 Entropy Conversion
This section proposes an entropy conversion based on the Huffman tree [1]. The
following modified Huffman tree has the potential to make an efficient entropy
conversion. That is, compared to the conventional Huffman tree having only one
edge type, this modified one has two edge types, each determined according to
the source symbol distribution. Figure 5(a) shows an example of the modified
Huffman tree for 9-ary source symbols whose probability distribution is given in
Fig. 5(b). The modified Huffman tree generates two binary output words: mL
of length NSL and mH of length NSH, where mL is a sparse word with q0 > q1,
and mH is a dense word (compared to mL) with q0 ≈ q1. Here, q0 and q1
are the probabilities of each bit having the values 0 and 1, respectively. In Fig. 5,
edges indicated by dotted lines generate mL, and those indicated by solid lines
generate mH. Systematic construction of the tree is left to future work.

[Fig. 5. (a) Modified Huffman tree. (b) Probability distribution of 9-ary source symbols. Tree diagram (a), original figure not reproduced: a binary tree from the root to the leaves a0, . . . , a8 with edges labelled 0 and 1; dotted edges generate the sparse word mL and solid edges generate the dense word mH. The distribution (b):
Pr(a0) = 0.39894   Pr(a5) = 0.00443
Pr(a1) = 0.24197   Pr(a6) = 0.00443
Pr(a2) = 0.24197   Pr(a7) = 0.00014
Pr(a3) = 0.05399   Pr(a8) = 0.00014
Pr(a4) = 0.05399]

In order to encode m = (mL, mH)T by the encoding matrix A, the matrices
HS and T in Section 4 are replaced by

$$H_S' = \begin{pmatrix} H_S & O \\ R & D' \end{pmatrix}, \qquad T' = \begin{pmatrix} T_L & O \\ O & T_H \end{pmatrix},$$

where HS is an MSL × NSL parity-check matrix for compression of mL, R an
NSH × NSL random matrix, D′ an NSH × NSH random nonsingular matrix, TL an
NSL × NSL random permutation matrix, TH an NSH × NSH random permutation
matrix, and O a zero matrix. The remaining matrices HC, D, and Q are
identical to those in Section 4.

7 Evaluation

This section evaluates the source and channel coding capabilities of the proposed
joint coding. Figure 6(a) shows the simulation flow for the evaluation, where
nonbinary source sequences are transmitted over a BSC. Note that the simulation
is performed for the proposed joint coding adopting the entropy conversion
described in the previous section. For comparison, the conventional sequential
coding using the Huffman code [1] for source coding and an LDPC code for channel
coding is also simulated according to Fig. 6(b).

[Fig. 6. Simulation flow. Block diagram, original figure not reproduced: (a) proposed joint coding: source sequence → entropy conversion (mL with q0 > q1, mH with q0 ≈ q1) → joint encoder → BSC → joint decoder → inverse conversion → received sequence; (b) conventional sequential coding: source sequence → Huffman coding → LDPC encoder → BSC → LDPC decoder → Huffman decoding → received sequence.]

Table 2 shows the compressed data size for 9-ary and 13-ary sources with
length 100,000 symbols, where source symbols are generated according to the
Gaussian and the Laplace distributions, and HS used for the compression is a
rate-1/2 irregular MS × NS LDPC matrix having degree distribution 0.275698x +
0.25537x² + 0.0765975x³ + 0.392335x⁸ [17]. Note that the compressed data size
of the joint coding is given by MS. For both source sequences, the compressed
data size of the joint coding is smaller than that of the Huffman coding in the
sequential coding.

Table 2. Compressed data size

Source                         Source length   Entropy   Compressed data size (bits)
                               (symbols)                 Proposed joint coding   Sequential coding (Huffman coding)
9-ary Gaussian distribution    100,000         2.04715   214,040                 215,437
13-ary Laplace distribution    100,000         1.18892   139,641                 143,253

Figure 7 shows the relation between the crossover probability of the BSC and the
bit error rate (BER) of the decoded word, where rate-1/2 irregular LDPC codes
having the same degree distribution as HS are applied to the channel coding.
Here, the channel code lengths for the Gaussian and Laplace distribution sources
are 12,626 bits and 27,282 bits, respectively. The figure shows that the joint coding
gives lower BERs than the conventional sequential coding. This is because the
joint coding can utilize source redundancies in mL for channel error correction,
as indicated in Fig. 4(b).

[Fig. 7. Bit error rate of decoded word. Two plots, original figure not reproduced, of the BER of the decoded word (log scale, 1.0×10⁻⁵ to 1.0×10⁻¹) against the crossover probability of the BSC (0.086 to 0.102) for the joint coding and the sequential coding: left, Gaussian distribution source with NS = 12626 bits, MS = 6313 bits, sequential coding N = 12626; right, Laplace distribution source with NS = 27282 bits, MS = 13641 bits, sequential coding N = 27282. The joint coding curve lies below the sequential coding curve in both plots.]

8 Conclusion

This paper has proposed a joint source-cryptographic-channel coding using two
linear block codes and nonsingular matrices. The encoding matrix is generated
by multiplying several matrices, i.e., two permutation matrices, a code generator
matrix, a nonsingular matrix, and a parity-check matrix, which leads to simple
encoding. This paper has clarified that the cryptographic security is equivalent
to that of McEliece's PKC. Evaluation of the BER of the proposed coding over a BSC
has shown that the proposed joint coding gives a lower BER than the conventional
sequential coding. For a BSC with crossover probability ε = 0.090 and code
length 12,626 bits, the BER of the proposed joint coding is 1.9 × 10⁻⁴, while
that of the conventional sequential coding is 5.8 × 10⁻⁴.

In the future, we will improve the security level of the proposed joint coding. An
efficient algorithm converting redundant input data, such as image data, into
a sparse information word is also left for future study.

References
1. Huffman, D.A.: A Method for the Construction of Minimum Redundancy Codes. Proc. of the IRE 40(9), 1098–1101 (1952)
2. Ziv, J., Lempel, A.: A Universal Algorithm for Sequential Data Compression. IEEE Trans. Inform. Theory 23(3), 337–343 (1977)
3. Wallace, G.K.: The JPEG Still Picture Compression Standard. Communications of the ACM 34(4), 30–44 (1991)
4. Wiegand, T., Sullivan, G.J., Bjøntegaard, G., Luthra, A.: Overview of the H.264/AVC Video Coding Standard. IEEE Trans. Circuits and Systems for Video Technology 13(7), 560–576 (2003)
5. Fujiwara, E.: Code Design for Dependable Systems: Theory and Practical Applications. Wiley, Chichester (2006)
6. MacKay, D.J.C.: Good Error-Correcting Codes Based on Very Sparse Matrices. IEEE Trans. Inform. Theory 45(2), 399–431 (1999)
7. Richardson, T.J., Shokrollahi, M.A., Urbanke, R.L.: Design of Capacity-Approaching Irregular Low-Density Parity-Check Codes. IEEE Trans. Inform. Theory 47(2), 619–637 (2001)
8. Fujiwara, E., Kitakami, M.: Unequal Error Protection in Ziv-Lempel Coding. IEICE Trans. Inform. and Systems E86-D(12), 2595–2600 (2003)
9. Horn, U., Stuhlmüller, K., Ling, M., Girod, B.: Robust Internet Video Transmission Based on Scalable Coding and Unequal Error Protection. Signal Processing: Image Communication 15(1-2), 77–94 (1999)
10. Zhong, W., Garcia-Frias, J.: LDGM Codes for Channel Coding and Joint Source-Channel Coding of Correlated Sources. EURASIP J. Applied Signal Processing 2005(6), 942–953 (2005)
11. McEliece, R.J.: A Public-Key Cryptosystem Based on Algebraic Coding Theory. The Deep Space Network Progress Report, DSN PR, 42–44, 114–116 (1978)
12. Kabashima, Y., Murayama, T., Saad, D.: Cryptographical Properties of Ising Spin Systems. Physical Review Letters 84(9), 2030–2033 (2000)
13. Kobara, K., Imai, H.: Semantically Secure McEliece Public-Key Cryptosystem. IEICE Trans. Fundamentals 85(1), 74–83 (2002)
14. Niederreiter, H.: Knapsack-Type Cryptosystems and Algebraic Coding Theory. Problems of Control and Information Theory 15(2), 157–166 (1986)
15. Li, Y.X., Deng, R.H., Wang, X.M.: On the Equivalence of McEliece's and Niederreiter's Public-Key Cryptosystems. IEEE Trans. Inform. Theory 40(1), 271–273 (1994)
16. Fujiwara, E., Namba, K., Kitakami, M.: Parallel Decoding for Burst Error Control Codes. Electronics and Communications in Japan, Part III 87(1), 38–48 (2004)
17. http://lthcwww.epfl.ch/research/ldpcopt/
On the Key-Privacy Issue of McEliece
Public-Key Encryption

Shigenori Yamakawa1, Yang Cui2, Kazukuni Kobara2,
Manabu Hagiwara2, and Hideki Imai1,2

1 Chuo University, Japan
[email protected]
2 Research Center for Information Security (RCIS),
National Institute of Advanced Industrial Science & Technology (AIST), Japan
{y-cui, k-kobara, hagiwara.hagiwara, h-imai}@aist.go.jp

Abstract. The notion of key-privacy for encryption schemes was formally
defined by Bellare, Boldyreva, Desai and Pointcheval at Asiacrypt
2001. This security notion is applicable in circumstances where anonymity
is important. In this paper, we investigate the key-privacy issues of
McEliece public-key encryption and its significant variants. To the best of
our knowledge, this is the first time that key-privacy has been considered
for such code-based public-key encryption in the literature. We show that
key-privacy is not available in the plain McEliece scheme, but can be
achieved by some modification, and give a rigorous proof. We believe that
key-privacy confirmation will further broaden the application of McEliece
and other code-based cryptography.

1 Introduction
As is well known, the McEliece cryptosystem [7] is based on coding theory and
enjoys the merit of fast encryption and decryption. Besides that, McEliece public-key
encryption (PKE) is believed to be secure against an adversary with a
quantum computer (if it exists). Unlike the popular RSA and El Gamal PKEs, the
security of McEliece PKE is based on the hardness of the decoding problem, which is
not known to be solvable by a quantum computer in polynomial time. Therefore,
it appears that McEliece PKE is a promising candidate for post-quantum
cryptography (if a quantum computer becomes available, most current PKEs
collapse; cryptography designed with such long-term security against quantum
algorithms in mind is called post-quantum cryptography).
On the other hand, key-privacy as well as confidentiality (data-privacy) is starting
to receive attention because of the significance of anonymity in numerous
applications. This issue seems necessary in, for example, some authenticated key exchange,
anonymous credential systems, and electronic auction protocols [1]. Even a similar
consideration exists in the block-cipher-based encryption scenario. Hence, it
is worth looking carefully at the privacy of the key as well as of the data.
Although the data-privacy of McEliece PKE has been considered for nearly thirty
years, to the best of our knowledge, its key-privacy issue has never been examined.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 168–177, 2007.
© Springer-Verlag Berlin Heidelberg 2007

Hence, in this paper, we provide the first rigorous investigation of key-privacy
for McEliece PKE and its significant variants in the literature.
In anonymous communication scenarios, the notion of key-privacy is important.
As a sender transfers a ciphertext encrypted by using the receiver's public
key, anonymous communication requires that an adversary cannot determine
which user's public key has been used to generate the ciphertext that she sees.
For example, key-privacy does not exist in the plain RSA cryptosystem, which
is the most popularly used PKE, because a ciphertext leaks information
about the utilized public key (the ciphertext is distributed modulo N). Therefore,
a way to lift RSA PKE so that it holds key-privacy is proposed in [1].
For McEliece PKE, assuming the same system parameters (n, k, t) (see Sec. 2.3
for details) will not suffice to imply key-privacy. Actually, the distribution
of the permuted error-correcting code (Goppa code) plays a central role in our
proofs. Besides, we also take advantage of stronger data-privacy to achieve an
indistinguishable replacement of a chosen plaintext by a random input, which
is the reason why we require IND-CPA security (Def. 2).
Next, we first explain the preliminary notions and provide a proof showing that
no key-privacy is available for plain McEliece PKE, in Sec. 2. Then, we further
check two significant variants of McEliece PKE in Sec. 3, and describe a rigorous
proof in Sec. 4.

2 Preliminaries
In the following, we first provide the security notion of key-privacy of public-key
encryption according to [1]. After explaining McEliece PKE, we show in a
rigorous way that the plain McEliece PKE actually has no key-privacy protection.
For simplicity, we only describe "indistinguishability of keys under chosen
plaintext attack" (IK-CPA). A stronger security notion in the chosen ciphertext
attack (IK-CCA) setting can be defined in a similar way.

2.1 Key-Privacy
Definition 1 (IK-CPA). ([1]) Consider a PKE scheme which consists of a tuple of polynomial-time algorithms PKE = (Gen, Enc, Dec). The security of key-privacy is defined as follows.
1. On input of security parameter κ, key generation algorithm Gen(1^κ) outputs two independent key pairs, (pk0, sk0), (pk1, sk1), at random.
2. Given pk0, pk1, a polynomial-time adversary A chooses a plaintext m and sends it to the encryption oracle (algorithm).
3. The encryption oracle randomly flips a coin b ∈ {0, 1} and outputs Enc_{pk_b}(m) = c.
4. Given the target ciphertext c, adversary A outputs b', where the advantage over a random guess is defined as follows^1:

$$\mathrm{Adv}^{ik\text{-}cpa}_{A}(\kappa) = \left|\Pr[b = b'] - \tfrac{1}{2}\right|$$

^1 The advantage we define is twice the one in [1], which actually tackles the same essential issue.
170 S. Yamakawa et al.

If Adv^{ik-cpa}_A(κ) is negligible in κ, then we say the underlying PKE is IK-CPA secure. Note that “negligible” means that for any constant cons there exists k0 ∈ N such that for any κ > k0, Adv is less than (1/κ)^{cons}.
Remark. Note that in the above game the adversary can choose whatever plaintext she likes to challenge the encryption oracle, even after observing the two given public keys. It immediately follows that a deterministic (public-key) encryption can never achieve key-privacy.

2.2 McEliece Public-Key Encryption

The original McEliece PKE was proposed by McEliece [7] in 1978. It is the first PKE based on assumptions other than factoring and the discrete logarithm problem, and it offers fast encryption and decryption. The McEliece PKE scheme McPKE is described as follows.

McPKE = (Gen, Enc, Dec)

1. Gen: On input κ, output (pk, sk), where n, t ∈ N and t ≪ n.
   – sk (Private Key): (S, ϕ, P)
     G': k × n generator matrix of a binary irreducible [n, k] Goppa code which can correct a maximum of t bit errors; ϕ is an efficient decoding algorithm of the underlying code.
     S: k × k non-singular matrix.
     P: n × n permutation matrix, chosen at random.
   – pk (Public Key): (G, t)
     G: k × n matrix given by the product of three matrices, G = SG'P.
2. Enc: Given pk and a k-bit plaintext m, randomly generate an n-bit e with Hamming weight t, and output the ciphertext

   $$c = mG \oplus e$$

3. Dec: On input c, output m using the private key sk.
   – Multiply the ciphertext c by the inverse P^{-1} of P:

   $$cP^{-1} = (mS)G' \oplus eP^{-1}$$

   – Apply the error-correcting algorithm ϕ of G' to cP^{-1} to find mS:

   $$mS = \varphi(cP^{-1})$$

   – Multiply mS by the inverse S^{-1} of S to find m:

   $$m = (mS)S^{-1}$$
On the Key-Privacy Issue of McEliece Public-Key Encryption 171

2.3 No Key-Privacy for Plain McEliece PKE

We can prove that key-privacy does not hold in the plain McEliece PKE, even though the McEliece PKE is secure. Note that anyone who can invert McEliece PKE can easily break its key-privacy. Thus, given two public keys and a corresponding encryption pair (plaintext and ciphertext), distinguishing which key was used is an easier task than inverting McEliece PKE.
Since different public parameters lead only to a trivial success of the adversary, throughout the paper we only consider the case where the public parameters (n, k, t) are the same.

Proof. Assume two public keys are generated independently and at random. It is well known that the Hamming weight t (the number of 1s) of the error vector e used for encryption is small compared with n in typical settings of McEliece PKE. Thus, the random error e flips exactly t bits of mG, which makes mG and c differ only slightly.
On the other hand, if key-privacy is to hold, the ciphertext c must not leak any information about the public key. But in this case the ciphertext does leak information about the public key that was used: because the adversary can choose the plaintext m and knows the corresponding ciphertext c, it is possible to identify the corresponding public key G from mG (i.e., c leaks mG).
Let wt(x) denote the Hamming weight of x. Given G0 and G1, the adversary chooses m s.t.

$$\mathrm{wt}(mG_0 \oplus mG_1) \ge 2t + 1.$$

Note that such an m can be found easily. Now, for the given c, the following holds:
– if b = b',

$$\mathrm{wt}(c \oplus mG_{b'}) = \mathrm{wt}(e) = t;$$

– otherwise,

$$\mathrm{wt}(c \oplus mG_{b'}) = \mathrm{wt}(e \oplus mG_0 \oplus mG_1) \ge \mathrm{wt}(mG_0 \oplus mG_1) - \mathrm{wt}(e) \ge t + 1.$$

It is easy to distinguish the two cases by their Hamming weight with probability 1, i.e.

$$\Pr[b = b'] = 1.$$

From the above, Adv^{ik-cpa}_A(κ) is not negligible. So we say that plain McEliece PKE is not IK-CPA secure. □


3 Key-Privacy of Modified McEliece PKE

Due to the lack of key-privacy in the plain McEliece PKE, it is important to find a way to guarantee anonymity as well as confidentiality in some useful scenarios. Luckily, it is common to use security-enhanced variants of McEliece PKE rather than the plain one. Based on this stronger data-privacy, we next show that key-privacy is also available under appropriate assumptions.

3.1 Data Privacy

Definition 2 (IND-CPA). [2] Consider a PKE scheme which consists of a tuple of polynomial-time algorithms PKE = (Gen, Enc, Dec).

1. On input of security parameter κ, key generation algorithm Gen(1^κ) outputs the pair of private key and public key, (pk, sk).
2. Given (pk, sk), a polynomial-time adversary A chooses two equal-length plaintexts m0, m1 (m0 ≠ m1), and sends them to the encryption oracle.
3. The encryption oracle (algorithm) randomly flips a coin b ∈ {0, 1} and encrypts Enc(pk, m_b) = c.
4. Given the target ciphertext c, adversary A outputs b' ∈ {0, 1}, where the advantage over a random guess is defined as follows:

$$\mathrm{Adv}^{ind\text{-}cpa}_{A}(\kappa) = \left|\Pr[b = b'] - \tfrac{1}{2}\right|$$

If Adv^{ind-cpa}_A(κ) is negligible, then we say the underlying PKE is IND-CPA secure.

Remark. IND-CPA means that the indistinguishability of encrypted data is protected against chosen plaintext attacks (CPA). For chosen ciphertext attack security (IND-CCA), a decryption oracle has to be considered additionally. We refer to [2] for a formal definition.
The reason why we need IND-CPA (resp. CCA) is that complete control of the input plaintext gives the adversary too much freedom to mount an attack in the IK-CPA (resp. CCA) notion. Our motivation is to deny the adversary such an advantage.

3.2 IND-CPA McEliece PKE in the Standard Model

We first examine a recently proposed variant [9] of McEliece PKE, which is provably secure in the standard model (i.e., without the assumption of ideal hash functions, the so-called random oracle model [3]).
The IND-CPA security is derived from padding the plaintext m with a random number r, which makes it difficult for adversaries to stay in control of the plaintext. Let [r|m] denote the bit-sequence concatenation of r and m. Then, as explained in the following, the randomized McEliece cryptosystem [9] achieves IND-CPA (semantic security).

McPKE' = (Gen', Enc', Dec')

1. Gen': On input κ, output (pk, sk), where n, t ∈ N and t ≪ n.
   – sk (Private Key): (S, ϕ, P)
   – pk (Public Key): (G, t), where k = k1 + k2 and G^T = [G_1^T | G_2^T]
     (G1: k1 × n submatrix of G)
     (G2: k2 × n submatrix of G)
2. Enc': Given pk and a k2-bit plaintext m, generate a k1-bit r at random, and output the ciphertext

   $$c = [r|m]G \oplus e = (rG_1 \oplus e) \oplus mG_2$$

3. Dec': On input c, Dec' works the same as Dec, except that it outputs the k2-bit m only.

The IND-CPA security of the above scheme relies on 1) the pseudorandomness of G and 2) the one-wayness of McEliece PKE. The former guarantees that the padded r is masked and makes rG1 ⊕ e look random; the latter ensures that r cannot be found by a message-inverting attack. It is worth noticing that r should be long enough; a security evaluation is given in [9].
In the formal proof, the indistinguishability of the permuted code is defined. This fact is also used to build a secure McEliece signature in [4].
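The following Python script is an added example (not code from the paper or from [9]) that plays the IK-CPA game of Def. 1 against toy instances of both schemes: the Hamming-weight test of Sec. 2.3 against plain McEliece, and the same test against the randomized Enc' above. Public keys are modelled as random binary k × n matrices, an assumption justified by the pseudorandomness of the permuted code (Def. 3); since the distinguisher only ever uses the public matrix, no Goppa decoder is needed. The parameters (n, k, t, k1), the matrices and all plaintexts are constructed for the demonstration.

```python
"""Toy IK-CPA experiment: plain McEliece vs. the randomized variant of Sec. 3.2.

Added example, not from the paper.  Public keys are random binary k x n
matrices standing in for G = S G' P (justified by the pseudorandomness
assumption of Def. 3).  Bit vectors are Python ints; row i of a matrix is an
n-bit int.  All parameter values below are constructed for this demo.
"""
import random

N_BITS, K_BITS, T_ERRS = 64, 32, 4      # toy (n, k, t), much smaller than real parameters
K1_BITS = 16                            # length k1 of the random padding r in Enc'


def wt(x: int) -> int:
    """Hamming weight of a bit vector stored as an int."""
    return bin(x).count("1")


def gen_public_matrix(rng: random.Random, k: int = K_BITS, n: int = N_BITS) -> list:
    """Gen (toy): a random k x n binary matrix plays the role of the public key G."""
    return [rng.getrandbits(n) for _ in range(k)]


def mat_mul(m: int, g: list) -> int:
    """Vector-matrix product mG over GF(2): XOR of the rows selected by the bits of m."""
    acc = 0
    for i, row in enumerate(g):
        if (m >> i) & 1:
            acc ^= row
    return acc


def random_error(rng: random.Random, n: int = N_BITS, t: int = T_ERRS) -> int:
    """Random n-bit error vector e of Hamming weight exactly t."""
    e = 0
    for pos in rng.sample(range(n), t):
        e |= 1 << pos
    return e


def enc_plain(g: list, m: int, rng: random.Random) -> int:
    """Plain McEliece Enc: c = mG xor e."""
    return mat_mul(m, g) ^ random_error(rng)


def enc_randomized(g: list, m: int, rng: random.Random) -> int:
    """Sec. 3.2 Enc': c = [r|m]G xor e with a fresh k1-bit r the adversary never learns.
    m has k2 = k - k1 bits; r occupies the low k1 bit positions of the encoded word."""
    r = rng.getrandbits(K1_BITS)
    return mat_mul(r | (m << K1_BITS), g) ^ random_error(rng)


def choose_separating_plaintext(g0: list, g1: list, rng: random.Random, k: int = K_BITS) -> int:
    """Pick m with wt(mG0 xor mG1) >= 2t+1 by sampling, as the proof says is easy."""
    while True:
        m = rng.getrandbits(k)
        if wt(mat_mul(m, g0) ^ mat_mul(m, g1)) >= 2 * T_ERRS + 1:
            return m


def guess_key(c: int, m_encoded: int, g0: list, g1: list) -> int:
    """Sec. 2.3 test: output the key index whose residual weight wt(c xor mG_b) is closest to t."""
    w0 = wt(c ^ mat_mul(m_encoded, g0))
    w1 = wt(c ^ mat_mul(m_encoded, g1))
    return 0 if abs(w0 - T_ERRS) <= abs(w1 - T_ERRS) else 1


def ik_cpa_success_rate(variant: str, trials: int = 500, seed: int = 1) -> float:
    """Play the IK-CPA game of Def. 1 `trials` times; return the fraction of correct guesses."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        g0, g1 = gen_public_matrix(rng), gen_public_matrix(rng)
        b = rng.getrandbits(1)
        if variant == "plain":
            m = choose_separating_plaintext(g0, g1, rng)
            c = enc_plain([g0, g1][b], m, rng)
            guess = guess_key(c, m, g0, g1)
        else:
            # The adversary controls only the k2 message bits; r is hidden, so the best
            # she can do with the weight test is to try the encoding with r = 0.
            m = rng.getrandbits(K_BITS - K1_BITS)
            c = enc_randomized([g0, g1][b], m, rng)
            guess = guess_key(c, m << K1_BITS, g0, g1)
        wins += (guess == b)
    return wins / trials


if __name__ == "__main__":
    print("plain McEliece, IK-CPA win rate:      ", ik_cpa_success_rate("plain"))
    print("randomized McEliece, IK-CPA win rate: ", ik_cpa_success_rate("randomized"))
```

With the plain scheme the adversary is right in every trial, exactly as the proof predicts: the residual weight is t for the key that was used and at least t + 1 for the other. With the padded scheme she cannot form [r|m]G for the hidden r, both residual weights sit near n/2, and her success rate collapses to a coin flip. The test is the attack of Sec. 2.3 itself; it does not rely on the toy code being small.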

Definition 3 (Pseudorandom Codes). [4] Let A be a polynomial-time adversary which outputs 1 with a certain distribution, and 0 otherwise. Let C(n, k) be the uniform probability distribution over all binary linear [n, k] codes G, and let F(n, k) be any other probability distribution. F(n, k) is called a pseudorandom code if

$$\mathrm{Adv}^{prc}_{A,G}(\kappa) = \left|\Pr[A^{C(n,k)}(\kappa) = 1] - \Pr[A^{F(n,k)}(\kappa) = 1]\right|$$

is negligible.

Thus, the following lemma is easily concluded.

Lemma 1. [9] The underlying scheme McPKE' is IND-CPA secure if the [n, k] code is pseudorandom and inverting McEliece PKE is infeasible in polynomial time. More precisely,

$$\mathrm{Adv}^{ind\text{-}cpa}_{A,Mc}(\kappa) \le \mathrm{Adv}^{prc}_{A,G}(\kappa) + \mathrm{Adv}^{ow}_{A,Mc}(\kappa)$$

where Adv^{ind-cpa}_{A,Mc}(κ) is the advantage of a polynomial-time adversary A in distinguishing input messages, and Adv^{ow}_{A,Mc}(κ) is the success probability of inverting McEliece PKE.
Remark. Intuitively, the requirement of IND-CPA (resp. IND-CCA) comes from the motivation of blocking the adversary's free access to the input plaintext. As we have shown in Sec. 2.3, complete control of the input gives too much power to the adversary, leaving her enough room to deal with the target public keys. IND-CPA (resp. IND-CCA) security guarantees the indistinguishability of input plaintexts, which means it is difficult for the adversary to distinguish a chosen plaintext from a random message under one public key. What is left is to prove that the same holds even under two public keys, as done in our proof in Sec. 4.

3.3 IND-CCA McEliece PKE in the Random Oracle Model

Assuming the random oracle model [3], Kobara and Imai [6] first proposed two tailored conversions for the McEliece cryptosystem to obtain IND-CCA security. In the following, we simply give one of their McEliece PKE conversions.

McPKE'' = (Gen'', Enc'', Dec'')

1. Gen'': On input κ, output (pk, sk), where n, t ∈ N and t ≪ n.
   – sk (Private Key): (S, ϕ, P)
   – pk (Public Key): (G, t), cryptographic hash functions G, H, H_E
2. Enc'': Given pk and a k-bit encoded message m, output the ciphertext c.
   – Generate a random number r and compute x1, x2 as follows:

   $$x_1 = G(r) \oplus m, \qquad x_2 = r \oplus H(x_1)$$

   – Define x3, x4 by re-splitting the concatenation: (x4 ‖ x3) = (x2 ‖ x1).
   – H_E maps the integer r into Z_{\binom{n}{t}}. A bijective mapping Conv converts H_E(r) to the corresponding error vector e:

   $$e = \mathrm{Conv}(H_E(r))$$

   – Output x4 together with the encryption of (x3, e):

   $$c = x_4 \,\|\, \mathrm{Enc}_{pk}(x_3, e)$$

3. Dec'': Simply reverse Enc''.

This scheme is IND-CCA secure. Note that this is a stronger security notion and implies IND-CPA security immediately.

4 Security Proof

4.1 IND-CPA McEliece PKE in Section 3.2 is IK-CPA

We confirm the presence of key-privacy based on the IND-CPA McEliece PKE in the standard model.

Theorem 1. The underlying modified McEliece PKE, McPKE' = (Gen', Enc', Dec'), is IK-CPA secure; in particular,

$$\mathrm{Adv}^{ik\text{-}cpa}_{A,Mc}(\kappa) \le 2\,\mathrm{Adv}^{prc}_{A,G}(\kappa) + 2\,\mathrm{Adv}^{ow}_{A,Mc}(\kappa)$$

Proof. We define a sequence of games to link IK-CPA security with IND-CPA security. Let Pr[E_i] be the probability of the event E_i that b = b' in the corresponding game. For simplicity, let ε be Adv^{ind-cpa}_A(κ).

G1. On input of security parameter κ, the key generation algorithm randomly generates two key pairs (pk0, sk0), (pk1, sk1) (written simply as pk0, pk1) and gives the public keys to a polynomial-time adversary A. A chooses m* as she wants to challenge the encryption oracle, and receives the corresponding ciphertext c, as follows, where ←_R means “generate randomly and uniformly”.

$$pk_0, pk_1 \xleftarrow{R} \mathrm{Gen}'(1^\kappa);\quad m^* \leftarrow A(pk_0, pk_1, 1^\kappa);\quad c \leftarrow \mathrm{Enc}'_{pk_b}(m^*);\quad b' \leftarrow A(pk_0, pk_1, c, m^*).$$

It is easy to see that the above is the same as Def. 1. Thus, Pr[E1] is the success probability of breaking the IK-CPA game.

G2. G2 is the same as G1, except that a random plaintext mR, generated from the message domain M, is additionally provided.

$$pk_0, pk_1 \xleftarrow{R} \mathrm{Gen}'(1^\kappa);\quad m^* \leftarrow A(pk_0, pk_1, 1^\kappa);\quad m_R \xleftarrow{R} \mathcal{M};\quad c \leftarrow \mathrm{Enc}'_{pk_b}(m^*);\quad b' \leftarrow A(pk_0, pk_1, c, m^*, m_R).$$

Note that the success probability of adversary A does not change, because A can simply make use of m*. Thus,

$$\Pr[E_2] = \Pr[E_1] \qquad (1)$$

G3. G3 is obtained from G2 by modifying the encryption oracle query.

$$pk_0, pk_1 \xleftarrow{R} \mathrm{Gen}'(1^\kappa);\quad m^* \leftarrow A(pk_0, pk_1, 1^\kappa);\quad m_R \xleftarrow{R} \mathcal{M};\quad c \leftarrow \mathrm{Enc}'_{pk_b}(m_R);\quad b' \leftarrow A(pk_0, pk_1, c, m^*, m_R).$$

It is easy to see that if a random mR and a carefully chosen m* cannot be distinguished, then the success probability of A will not change. Let F be the event that A correctly determines which plaintext is input to the encryption oracle. The following holds:

$$\Pr[E_2] = \Pr[E_3 \mid \bar F]$$

By the well-known difference lemma [10], it follows that

$$|\Pr[E_3] - \Pr[E_2]| \le \Pr[F] \qquad (2)$$

Let us consider the probability that event F occurs. Assume the adversary outputs δ = 1 when mR is detected to have been sent to the encryption oracle, and δ = 0 when m* is detected. Because the input m of the encryption oracle is either mR or m*, a random plaintext mR and a chosen plaintext m* can be distinguished with at most the following probability:

$$\begin{aligned}
\Pr[F] &\le \bigl|\Pr[\delta=1 \mid m=m_R] + \Pr[\delta=0 \mid m=m^*] - (\Pr[\delta=0 \mid m=m_R] + \Pr[\delta=1 \mid m=m^*])\bigr| \\
&= \bigl|\Pr[\delta=1 \mid m=m_R] + \Pr[\delta=0 \mid m=m^*] - (1 - \Pr[\delta=1 \mid m=m_R] + \Pr[\delta=0 \mid m=m^*])\bigr| \\
&= 2\,\bigl|\Pr[\delta=1 \mid m=m_R] + \Pr[\delta=0 \mid m=m^*] - 1/2\bigr| \qquad (3)
\end{aligned}$$

Note that (Pr[δ = 1 | m = mR] + Pr[δ = 0 | m = m*]) is the success probability of the IND-CPA adversary (Def. 2), so the right-hand side of equation (3) is equal to 2ε. Hence, the probability of F is bounded by

$$\Pr[F] \le 2\,\bigl|\Pr[\delta=1 \mid m=m_R] + \Pr[\delta=0 \mid m=m^*] - 1/2\bigr| = 2\varepsilon \qquad (4)$$

Now we evaluate the distributions D0 and D1 in game G3:

$$D_0 = \{\langle pk_0, pk_1, \mathrm{Enc}'_{pk_0}(m_R)\rangle \mid (pk_0, sk_0), (pk_1, sk_1) \xleftarrow{R} \mathrm{Gen}'(1^\kappa)\}$$

$$D_1 = \{\langle pk_0, pk_1, \mathrm{Enc}'_{pk_1}(m_R)\rangle \mid (pk_0, sk_0), (pk_1, sk_1) \xleftarrow{R} \mathrm{Gen}'(1^\kappa)\}$$

With the random input mR and the pseudorandom code of the public keys of McPKE', both distributions look random, and their distance is too small to be distinguished.
As a consequence, the best way to find b = b' is to guess at random, which means that the probability Pr[E3] is 1/2. Summarizing all the above equations, there is

$$\mathrm{Adv}^{ik\text{-}cpa}_{A,Mc}(\kappa) = |\Pr[E_1] - 1/2| = |\Pr[E_1] - \Pr[E_2]| + |\Pr[E_2] - \Pr[E_3]| \le 2\varepsilon = 2\,\mathrm{Adv}^{ind\text{-}cpa}_{A,Mc}(\kappa) \qquad (5)$$

Combined with Lemma 1, the theorem follows, which finishes the proof. □


4.2 IND-CCA McEliece PKE in Section 3.3 is IK-CPA (resp. CCA)

In general, IND-CCA security places stricter conditions on the public-key cryptosystem than IND-CPA security. Intuitively, we can consider IND-CCA a special case of IND-CPA. In this sense, assuming the random oracle model, we can analogously prove that the IND-CCA McEliece PKE satisfies IK-CPA. Furthermore, it can possibly be proven IK-CCA secure by a similar proof with some additional decryption simulation. We would like to show that in the full version of this paper.

5 Conclusion

In this paper, we have examined the key-privacy issue against chosen plaintext attacks (CPA) for the plain McEliece PKE and its significant variants. We first show that the plain McEliece public-key cryptosystem does not have key-privacy. Then we provide solutions based on IND-CPA McEliece PKE and rigorously prove that these variants satisfy IK-CPA. We believe that in more and more scenarios anonymity is as crucial as confidentiality. Hence, the key-privacy issue of public-key encryption will play a more important role and attract more attention.

Acknowledgement
We would like to thank the anonymous reviewers for their helpful comments. Yang Cui would like to thank the JSPS for the support of a postdoctoral fellowship.

References
1. Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-Privacy in Public-Key
Encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582.
Springer, Heidelberg (2001)
2. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations Among Notions
of Security for Public-Key Encryption Schemes. In: Krawczyk, H. (ed.) CRYPTO
1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998)
3. Bellare, M., Rogaway, P.: Random Oracles are Practical: A Paradigm for Designing
Efficient Protocols. In: 1993 ACM Conf. Computer and Communications Security,
pp. 62–73 (1993)
4. Courtois, N., Finiasz, M., Sendrier, N.: How to Achieve a McEliece-Based Digital
Signature Scheme. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp.
157–174. Springer, Heidelberg (2001)
5. Halevi, S.: A Sufficient Condition for Key-Privacy. Cryptology ePrint Archive:
Report 2005/005 (2005)
6. Kobara, K., Imai, H.: Semantically Secure McEliece Public-Key Cryptosystems-
Conversions for McEliece PKC. Public Key Cryptography, pp. 19–35 (2001)
7. McEliece, R.J.: A Public-Key Cryptosystem Based on Algebraic Coding Theory.
Deep Space Network Progress Rep. (1978)
8. Niederreiter, H.: Knapsack-type Cryptosystems and Algebraic Coding Theory.
Prob. of Control and Inf. Theory 15(2), 159–166 (1986)
9. Nojima, R., Imai, H., Kobara, K., Morozov, K.: Semantic Security for the McEliece
Cryptosystem without Random Oracles. In: WCC 2007, pp. 257–268 (2007)
10. Shoup, V.: Sequences of Games: a Tool for Taming Complexity in Security Proofs.
Cryptology ePrint Archive: Report 2004/332 (2004)
Lattices for Distributed Source Coding: Jointly Gaussian Sources and Reconstruction of a Linear Function

Dinesh Krithivasan and S. Sandeep Pradhan

Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI 48109, USA
[email protected], [email protected]

Abstract. Consider a pair of correlated Gaussian sources (X1, X2). Two separate encoders observe the two components and communicate compressed versions of their observations to a common decoder. The decoder is interested in reconstructing a linear combination of X1 and X2 to within a mean-square distortion of D. We obtain an inner bound to the optimal rate-distortion region for this problem. A portion of this inner bound is achieved by a scheme that reconstructs the linear function directly rather than reconstructing the individual components X1 and X2 first. This results in a better rate region for certain parameter values. Our coding scheme relies on lattice coding techniques in contrast to more prevalent random coding arguments used to demonstrate achievable rate regions in information theory. We then consider the case of linear reconstruction of K sources and provide an inner bound to the optimal rate-distortion region. Some parts of the inner bound are achieved using the following coding structure: lattice vector quantization followed by “correlated” lattice-structured binning.

1 Introduction

In this work, we present a coding scheme for distributed coding of a pair of jointly Gaussian sources. The encoders each observe a different component of the source and communicate compressed versions of their observations to a common decoder through rate-constrained noiseless channels. The decoder is interested in reconstructing a linear function of the sources to within a mean squared error distortion of D.
The problem of distributed source coding to reconstruct a function of the sources losslessly was considered in [1]. An inner bound was obtained for the performance limit which was shown to be optimal if the sources are conditionally independent given the function. In [2], the performance limit is given for the case of lossless reconstruction of the modulo-2 sum of two correlated binary sources and was shown to be tight for the symmetric case. This has been extended to several cases in [3] (see Problem 23 on page 400) and [4]. An improved

This work was supported by NSF grant (CAREER) CCF-0448115.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 178–187, 2007.
© Springer-Verlag Berlin Heidelberg 2007
Lattices for Distributed Source Coding 179

inner bound was provided for this case in [5]. The key point to note is that the performance limits given in [2,4,5] are outside the inner bound provided in [1]. While [1] employs random vector quantization followed by independent random binning, the coding schemes of [2,4,5] instead use structured random binning based on linear codes over finite fields. Further, the binning operations of the quantizers of the sources are “correlated”. This incorporation of structure in binning appears to give improvements in rates, especially for those cases that involve reconstruction of a function of the sources.
With this as motivation, in this paper we consider a lossy distributed coding problem with K jointly Gaussian sources and one reconstruction. The decoder wishes to reconstruct a linear function of the sources with squared error as the fidelity criterion. We consider a coding scheme with the following structure: the sources are quantized using structured vector quantizers followed by “correlated” structured binning. The structure used in this process is given by lattice codes. We provide an inner bound to the optimal rate-distortion region. We show that the proposed inner bound is better for certain parameter values than an inner bound that can be obtained by using a coding scheme with random vector quantizers followed by independent random binning. For this purpose we use the machinery developed in [9,10,11,12] for the Wyner-Ziv problem in the quadratic Gaussian case.
The paper is organized as follows. In Section 2, we give a concise overview of the asymptotic properties of high-dimensional lattices that are known in the literature, and we use these properties in the rest of the paper. In Section 3, we define the problem formally for the case of two sources and present an inner bound to the optimal rate-distortion region given by a coding structure involving structured quantizers followed by “correlated” structured binning. Further, we also present another inner bound achieved by a scheme that is based on the Berger-Tung inner bound. Then we present our lattice-based coding scheme and prove achievability of the inner bound. In Section 4, we consider a generalization of the problem that involves reconstruction of a linear function of an arbitrary finite number of sources. In Section 5, we provide a set of numerical results for the two-source case that demonstrate the conditions under which the lattice-based scheme performs better than the Berger-Tung based scheme. We conclude with some comments in Section 6.
We use the following notation throughout this paper. Variables with superscript n denote an n-length random vector whose components are mutually independent. Random vectors whose components are not independent are denoted without the superscript; the dimension of such random vectors will be clear from the context.

2 Preliminaries on High-Dimensional Lattices

2.1 Overview of Lattice Codes

Lattice codes play the same role in Euclidean space that linear codes play in Hamming space. Introductions to lattices and to coding schemes that employ lattice codes can be found in [9,10,11]. In the rest of this section, we will briefly review some properties of lattice codes that are relevant to our coding scheme. We use the same notation as in [10] for these quantities.
180 D. Krithivasan and S.S. Pradhan
An n-dimensional lattice Λ is composed of all integer combinations of the columns of an n × n matrix G called the generator matrix of the lattice. Associated with every lattice Λ is a natural quantizer, namely one that associates with every point in R^n its nearest lattice point. This quantizer is described by the function Q_Λ(x). The quantization error associated with the quantizer Q_Λ(·) is defined by x mod Λ = x − Q_Λ(x). This operation satisfies the useful distributive property

$$((x \bmod \Lambda) + y) \bmod \Lambda = (x + y) \bmod \Lambda \quad \forall\, x, y. \qquad (1)$$

The basic Voronoi region V_0(Λ) of the lattice Λ is the set of all points closer to the origin than to any other lattice point. Let V(Λ) denote the volume of the Voronoi region of Λ. The second moment of a lattice Λ is the expected value per dimension of the squared norm of a random vector uniformly distributed over V_0(Λ), and is given by

$$\sigma^2(\Lambda) = \frac{1}{n}\,\frac{\int_{V_0(\Lambda)} \|x\|^2\, dx}{\int_{V_0(\Lambda)} dx} \qquad (2)$$

The normalized second moment is defined as G(Λ) ≜ σ²(Λ)/V^{2/n}(Λ).

In [12], the existence of high-dimensional lattices that are “good” for quantization and for coding is discussed. The criteria used therein to define goodness are as follows:
– A sequence of lattices Λ^{(n)} (indexed by the dimension n) is said to be a good channel σ_Z²-code sequence if ∀ε > 0, ∃N(ε) such that for all n > N(ε) the following conditions are satisfied for some E(ε) > 0:

$$V(\Lambda^{(n)}) < 2^{\,n\left(\frac{1}{2}\log(2\pi e\,\sigma_Z^2) + \varepsilon\right)} \quad\text{and}\quad P_e(\Lambda^{(n)}, \sigma_Z^2) < 2^{-nE(\varepsilon)}. \qquad (3)$$

Here P_e is the probability of decoding error when the lattice points of Λ^{(n)} are used as codewords in the problem of coding for the unconstrained AWGN channel with noise variance σ_Z², as considered by Poltyrev [13].
– A sequence of lattices Λ^{(n)} (indexed by the dimension n) is said to be a good source D-code sequence if ∀ε > 0, ∃N(ε) such that for all n > N(ε) the following conditions are satisfied:

$$\log(2\pi e\, G(\Lambda^{(n)})) < \varepsilon \quad\text{and}\quad \sigma^2(\Lambda^{(n)}) = D. \qquad (4)$$

2.2 Nested Lattice Codes

For lossy coding problems involving side-information at the encoder/decoder, it is natural to consider nested codes [10]. We review the properties of nested lattice codes here. Further details can be found in [10].
A pair of n-dimensional lattices (Λ1, Λ2) is nested, i.e., Λ2 ⊂ Λ1, if their corresponding generator matrices G1, G2 satisfy G2 = G1 · J where J is an n × n integer matrix with determinant greater than one. Λ1 is referred to as the fine lattice while Λ2 is the coarse lattice. In many applications of nested lattice codes, we require the lattices involved to be a good source code and/or a good channel code. We term a nested lattice (Λ1, Λ2) good if (a) the fine lattice Λ1 is both a good δ1-source code and a good δ1-channel code and (b) the coarse lattice Λ2 is both a good δ2-source code and a good δ2-channel code. The existence of good lattice codes and good nested lattice codes (for various notions of goodness) has been studied in [11,12,14], which use the random coding method of [15]. Using the results of [11,12], it was shown in [14] that good nested lattices in the sense described above do exist.

3 Distributed Source Coding for the Two-Source Case

3.1 Problem Statement and Main Result

In this section we consider a distributed source coding problem for the reconstruction of the linear function Z ≜ F(X1, X2) = X1 − cX2. Consideration of this function is enough to infer the behavior of any linear function c1X1 + c2X2 and has the advantage of fewer variables.
Consider a pair of correlated jointly Gaussian sources (X1, X2) with a given joint distribution p_{X1X2}(x1, x2). The source sequence (X1^n, X2^n) is independent over time and has the product distribution ∏_{i=1}^{n} p_{X1X2}(x1i, x2i). The fidelity criterion used is average squared error. Given such a jointly Gaussian distribution p_{X1X2}, we are interested in the optimal rate-distortion region, which is defined as the set of all achievable tuples (R1, R2, D) where achievability is defined in the usual Shannon sense. Here D is the mean squared error between the function and its reconstruction at the decoder. Without loss of generality, the sources can be assumed to have unit variance, and let the correlation coefficient be ρ > 0. In this case, σ_Z² ≜ Var(Z) = 1 + c² − 2ρc.
We present the rate region of our scheme below.

Theorem 1. The set of all tuples of rates and distortion (R1, R2, D) that satisfy

$$2^{-2R_1} + 2^{-2R_2} \le \left(\frac{\sigma_Z^2}{D}\right)^{-1} \qquad (5)$$

are achievable.

Proof. See Section 3.2. □

We also present an achievable rate region based on ideas similar to the Berger-Tung coding scheme [6,7].

Theorem 2. Let the region RD^{in} be defined as follows.

$$RD^{in} = \bigcup_{(q_1,q_2)\in\mathbb{R}_+^2} \Bigl\{(R_1, R_2, D):\; R_1 \ge \frac{1}{2}\log\frac{(1+q_1)(1+q_2)-\rho^2}{q_1(1+q_2)},\; R_2 \ge \frac{1}{2}\log\frac{(1+q_1)(1+q_2)-\rho^2}{q_2(1+q_1)},\; R_1 + R_2 \ge \frac{1}{2}\log\frac{(1+q_1)(1+q_2)-\rho^2}{q_1 q_2},\; D \ge \frac{q_1\alpha + q_2 c^2\alpha + q_1 q_2\sigma_Z^2}{(1+q_1)(1+q_2)-\rho^2}\Bigr\} \qquad (6)$$

where α ≜ 1 − ρ² and R_+ is the set of positive reals. Then the rate-distortion tuples (R1, R2, D) which belong to RD^{*in} are achievable, where * denotes convex closure.

Proof. Follows directly from the application of the Berger-Tung inner bound with the auxiliary random variables involved being Gaussian. □

For certain values of ρ, c and D, the sum-rate given by Theorem 1 is better than that given in Theorem 2. This implies that each rate region contains rate points which are not contained in the other. Thus, an overall achievable rate region for the coding problem can be obtained as the convex closure of the union of all rate-distortion tuples (R1, R2, D) given in Theorems 1 and 2. A further comparison of the two schemes is presented in Section 5. Note that for c < 0, it has been shown in [8] that the rate region given in Theorem 2 is tight.

3.2 The Coding Scheme

In this section, we present a lattice-based coding scheme for the problem of reconstructing the above linear function of two jointly Gaussian sources, whose performance approaches the inner bound given in Theorem 1. In what follows, a nested lattice code is taken to mean a sequence of nested lattice codes indexed by the lattice dimension n.
We will require nested lattice codes (Λ11, Λ12, Λ2) where Λ2 ⊂ Λ11 and Λ2 ⊂ Λ12. We need the fine lattices Λ11 and Λ12 to be good source codes (of appropriate second moment) and the coarse lattice Λ2 to be a good channel code. The existence of such nested lattices was shown in [14]. The parameters of the nested lattice are chosen to be

$$\sigma^2(\Lambda_{11}) = q_1, \qquad \sigma^2(\Lambda_{12}) = \frac{D\sigma_Z^2}{\sigma_Z^2 - D} - q_1, \qquad \sigma^2(\Lambda_2) = \frac{\sigma_Z^4}{\sigma_Z^2 - D} \qquad (7)$$

where 0 < q1 < Dσ_Z²/(σ_Z² − D). The coding problem is non-trivial only for D < σ_Z², and in this range Dσ_Z²/(σ_Z² − D) < σ²(Λ2), so that Λ2 ⊂ Λ11 and Λ2 ⊂ Λ12 indeed.
Let U1 and U2 be random vectors (dithers) that are independent of each other and of the source pair (X1, X2). Let U_i be uniformly distributed over the basic Voronoi region V_{0,1i} of the fine lattice Λ_{1i} for i = 1, 2. The decoder is assumed to share this randomness with the encoders. The source encoders use these nested lattices to quantize X1 and cX2 respectively according to

$$S_1 = \bigl(Q_{\Lambda_{11}}(X_1^n + U_1)\bigr) \bmod \Lambda_2, \qquad S_2 = \bigl(Q_{\Lambda_{12}}(cX_2^n + U_2)\bigr) \bmod \Lambda_2. \qquad (8)$$


Note that the second encoder scales the source X2 before encoding it. The decoder receives the indices S1 and S2 and reconstructs

$$\hat Z = \left(\frac{\sigma_Z^2 - D}{\sigma_Z^2}\right)\bigl([(S_1 - U_1) - (S_2 - U_2)] \bmod \Lambda_2\bigr). \qquad (9)$$

In general, the rate of a nested lattice encoder (Λ1, Λ2) with Λ2 ⊂ Λ1 is given by R = ½ log(σ²(Λ2)/σ²(Λ1)). Thus, the rates of the two encoders are given by

$$R_1 = \frac{1}{2}\log\frac{\sigma_Z^4}{q_1(\sigma_Z^2 - D)} \quad\text{and}\quad R_2 = \frac{1}{2}\log\frac{\sigma_Z^4}{D\sigma_Z^2 - q_1(\sigma_Z^2 - D)} \qquad (10)$$

Clearly, for a fixed choice of q1 all rates greater than those given in equation (10) are achievable. The union of all achievable rate-distortion tuples (R1, R2, D) over all choices of q1 gives us an achievable region. Eliminating q1 between the two rate equations gives the rate region claimed in Theorem 1. It remains to show that this scheme indeed reconstructs the function Z to within a distortion D. We show this in the following.
Using the distributive property of lattices described in equation (1), we can reduce the coding scheme to a simpler equivalent scheme by eliminating the first mod-Λ2 operation in both signal paths. The decoder can now be described by the equation

$$\hat Z = \left(\frac{\sigma_Z^2 - D}{\sigma_Z^2}\right)\bigl([(X_1^n + e_{q1}) - (cX_2^n + e_{q2})] \bmod \Lambda_2\bigr) \qquad (11)$$

$$\phantom{\hat Z} = \left(\frac{\sigma_Z^2 - D}{\sigma_Z^2}\right)\bigl([Z^n + e_{q1} - e_{q2}] \bmod \Lambda_2\bigr) \qquad (12)$$

where e_{q1} and e_{q2} are the dithered lattice quantization noises given by

$$e_{q1} = Q_{\Lambda_{11}}(X_1^n + U_1) - (X_1^n + U_1), \qquad e_{q2} = Q_{\Lambda_{12}}(cX_2^n + U_2) - (cX_2^n + U_2). \qquad (13)$$

The subtractive dither quantization noise e_{qi} is independent of both sources X1 and X2 and has the same distribution as −U_i for i = 1, 2 [10]. Since the dithers U1 and U2 are independent and, for a fixed choice of the nested lattice, e_{qi} is a function of U_i alone, e_{q1} and e_{q2} are independent as well. Let e_q = e_{q1} − e_{q2} be the effective dither quantization noise. The decoder reconstruction in equation (12) can be simplified as

$$\hat Z = \left(\frac{\sigma_Z^2 - D}{\sigma_Z^2}\right)\bigl([Z^n + e_q] \bmod \Lambda_2\bigr) \overset{c.d.}{=} \left(\frac{\sigma_Z^2 - D}{\sigma_Z^2}\right)(Z^n + e_q) \qquad (14)$$

$$\phantom{\hat Z} = Z^n + \left(\frac{\sigma_Z^2 - D}{\sigma_Z^2}\right) e_q - \frac{D}{\sigma_Z^2} Z^n \triangleq Z^n + N. \qquad (15)$$

The $\overset{c.d.}{=}$ in equation (14) stands for equality under the assumption of correct decoding. A decoding error occurs if equation (14) does not hold. Let $P_e$ be the
184 D. Krithivasan and S.S. Pradhan

probability of decoding error. Assuming correct decoding, the distortion achieved by this scheme is the second moment per dimension¹ of the random vector $N$ in equation (15). This can be expressed as

$$\frac{E\|N\|^2}{n} = \left(\frac{\sigma_Z^2 - D}{\sigma_Z^2}\right)^2 \frac{E\|e_q\|^2}{n} + \left(\frac{D}{\sigma_Z^2}\right)^2 \frac{E\|Z^n\|^2}{n} \tag{16}$$

where we have used the independence of $e_{q1}$ and $e_{q2}$ to each other and to the sources $X_1$ and $X_2$ (and therefore to $Z = X_1 - cX_2$). Since $e_{qi}$ has the same distribution as $-U_i$, their expected norm per dimension is just the second moment of the corresponding lattice $\sigma^2(\Lambda_{1i})$. Hence the effective distortion achieved by the scheme is

$$\frac1n E\|Z^n - \hat Z\|^2 = \left(\frac{\sigma_Z^2 - D}{\sigma_Z^2}\right)^2 \frac{D\sigma_Z^2}{\sigma_Z^2 - D} + \frac{D^2 \sigma_Z^2}{\sigma_Z^4} = D. \tag{17}$$

Hence, the proposed scheme achieves the desired distortion provided correct decoding occurs at equation (14). Let us now prove that equation (14) indeed holds with high probability for an optimal choice of the nested lattice, i.e., there exists a nested lattice code for which $P_e \to 0$ as $n \to \infty$, where

$$P_e = \Pr\big((Z^n + e_q) \bmod \Lambda_2 \neq (Z^n + e_q)\big).$$

To this end, let us first compute the normalized second moment of $(Z^n + e_q)$:

$$\frac1n E\|Z^n + e_q\|^2 = \sigma_Z^2 + q_1 + \left(\frac{\sigma_Z^2 D}{\sigma_Z^2 - D} - q_1\right) = \sigma^2(\Lambda_2). \tag{18}$$

It was shown in [9] that as $n \to \infty$, the quantization noises $e_{qi}$ tend to a white Gaussian noise for an optimal choice of the nested lattice. It can be shown that, under these conditions, $e_q$ also tends to a white Gaussian noise of the same variance as $e_q$. The proof involves the entropy power inequality and is omitted.
We choose $\Lambda_2$ to be an exponentially good channel code in the sense defined in Section 2.1 (also see [10]). For such lattices, the probability of decoding error $P_e \to 0$ exponentially fast if $(Z^n + e_q)$ is Gaussian. The analysis in [11] showed that if $(Z^n + e_q)$ tends to a white Gaussian noise vector, the effect on $P_e$ of the deviation from Gaussianity is sub-exponential and the overall error behavior is asymptotically the same. This implies that the reconstruction error $Z^n - \hat Z$ tends in probability to the random vector $N$ defined in equation (15). Since all random vectors involved have finite normalized second moment, this convergence in probability implies convergence in second moment as well, i.e., $\frac1n E\|Z^n - \hat Z\|^2 \to D$. Averaged over the random dithers $U_1$ and $U_2$, we have shown that the appropriate distortion is achieved. Hence there must exist a pair of deterministic dithers that also achieve distortion $D$, and we have proved the claim of Theorem 1.
¹ We refer to this quantity also as the normalized second moment of the random vector $N$. This should not be confused with the normalized second moment of a lattice as defined in Section 2.1.
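As an added illustration of equations (8) to (18) (this script is not the authors' code), the following Python program runs the scheme with one-dimensional nested lattices: each encoder uses the fine lattice $a\mathbb{Z}$ and both share the coarse lattice $b\mathbb{Z}$ with $b$ an integer multiple of $a$, so that $\Lambda_2 \subset \Lambda_{1i}$ and $\sigma^2(a\mathbb{Z}) = a^2/12$. It checks numerically that the reduction from the decoder (9) to the equivalent form (11) holds exactly, evaluates the rate pair (10) and the distortion identity (17) in closed form, and estimates the distortion and the error probability $P_e$ on constructed jointly Gaussian sources. Rates are taken in bits (base-2 logarithm), the lattice parameters and the sample sources are assumptions of the example, and a one-dimensional lattice is far from the "good" high-dimensional lattices the proof relies on, so the empirical error rate is only indicative.

```python
import math
import random


def q_lattice(x, a):
    """Nearest point of the one-dimensional lattice a*Z to x (the quantizer Q_Lambda)."""
    return a * round(x / a)


def mod_lattice(x, b):
    """x mod b*Z, reduced into the centred fundamental cell [-b/2, b/2)."""
    return x - b * math.floor(x / b + 0.5)


def encode(x, u, a, b):
    """Encoder of eq. (8): dithered quantization onto the fine lattice a*Z, then reduction mod b*Z."""
    return mod_lattice(q_lattice(x + u, a), b)


def decode(s1, s2, u1, u2, b, alpha):
    """Decoder of eq. (9); alpha = (sigma_Z^2 - D) / sigma_Z^2."""
    return alpha * mod_lattice((s1 - u1) - (s2 - u2), b)


def reduced_decode(x1, cx2, u1, u2, a1, a2, b, alpha):
    """Equivalent decoder of eq. (11): inner mod operations dropped, dither noise e_q1, e_q2 made explicit."""
    eq1 = q_lattice(x1 + u1, a1) - (x1 + u1)      # e_q1 of eq. (13)
    eq2 = q_lattice(cx2 + u2, a2) - (cx2 + u2)    # e_q2 of eq. (13)
    return alpha * mod_lattice((x1 + eq1) - (cx2 + eq2), b)


def reduction_identity_gap(trials, seed, a1=0.5, a2=0.25, b=4.0, alpha=0.6):
    """Largest |eq. (9) output - eq. (11) output| over random inputs; only floating-point noise is expected."""
    rng = random.Random(seed)
    worst = 0.0
    for _ in range(trials):
        x1, cx2 = rng.gauss(0, 1), rng.gauss(0, 1)
        u1, u2 = rng.uniform(-a1 / 2, a1 / 2), rng.uniform(-a2 / 2, a2 / 2)   # dithers uniform over the fine cells
        full = decode(encode(x1, u1, a1, b), encode(cx2, u2, a2, b), u1, u2, b, alpha)
        worst = max(worst, abs(full - reduced_decode(x1, cx2, u1, u2, a1, a2, b, alpha)))
    return worst


def nested_rate_1d(a, b):
    """R = (1/2) log2(sigma^2(Lambda_2) / sigma^2(Lambda_1)) in bits; for a*Z nested in b*Z this is log2(b/a)."""
    return 0.5 * math.log2((b * b / 12) / (a * a / 12))


def lattice_rates(sigma_z2, d, q1):
    """Rate pair of eq. (10) in bits, with q2 = D sigma_Z^2 / (sigma_Z^2 - D) - q1 forced by eq. (17)."""
    q2 = d * sigma_z2 / (sigma_z2 - d) - q1
    if q1 <= 0 or q2 <= 0:
        raise ValueError("q1 must lie strictly between 0 and D*sigma_Z^2/(sigma_Z^2 - D)")
    r1 = 0.5 * math.log2(sigma_z2 ** 2 / (q1 * (sigma_z2 - d)))
    r2 = 0.5 * math.log2(sigma_z2 ** 2 / (d * sigma_z2 - q1 * (sigma_z2 - d)))
    return r1, r2


def coarse_second_moment(sigma_z2, d):
    """sigma^2(Lambda_2) of eq. (18) = sigma_Z^2 + q1 + q2 = sigma_Z^4 / (sigma_Z^2 - D), independent of q1."""
    return sigma_z2 ** 2 / (sigma_z2 - d)


def distortion_closed_form(sigma_z2, d, q1):
    """Eq. (16) with E||e_q||^2/n = q1 + q2 and E||Z^n||^2/n = sigma_Z^2; eq. (17) says this equals D."""
    q2 = d * sigma_z2 / (sigma_z2 - d) - q1
    alpha = (sigma_z2 - d) / sigma_z2
    return alpha ** 2 * (q1 + q2) + (d / sigma_z2) ** 2 * sigma_z2


def simulate(c=0.8, rho=0.8, d=0.1, a=0.4, nesting=8, samples=20000, seed=1):
    """Run the scheme on constructed unit-variance Gaussian sources with correlation rho, one fine lattice a*Z
    per encoder and the coarse lattice (nesting*a)*Z.  Returns the empirical distortion and a P_e estimate."""
    rng = random.Random(seed)
    sigma_z2 = 1 + c * c - 2 * rho * c           # variance of Z = X1 - c X2
    alpha, b = (sigma_z2 - d) / sigma_z2, nesting * a
    sq_err = errors = 0.0
    for _ in range(samples):
        g1, g2 = rng.gauss(0, 1), rng.gauss(0, 1)
        x1, x2 = g1, rho * g1 + math.sqrt(1 - rho * rho) * g2
        u1, u2 = rng.uniform(-a / 2, a / 2), rng.uniform(-a / 2, a / 2)
        z_hat = decode(encode(x1, u1, a, b), encode(c * x2, u2, a, b), u1, u2, b, alpha)
        z = x1 - c * x2
        sq_err += (z - z_hat) ** 2
        noisy = z + (q_lattice(x1 + u1, a) - x1 - u1) - (q_lattice(c * x2 + u2, a) - c * x2 - u2)
        errors += mod_lattice(noisy, b) != noisy       # the decoding-error event behind P_e
    return {"sigma_z2": sigma_z2, "distortion": sq_err / samples, "error_rate": errors / samples,
            "rate_per_encoder_bits": nested_rate_1d(a, b)}


if __name__ == "__main__":
    print(simulate())
```

The identity check is the interesting part for a practitioner: whatever the fine and coarse lattices, the two inner mod-$\Lambda_2$ reductions in (8) cancel exactly in (9), which is why the analysis can work with the unreduced dither noise of (11) and only the final reduction can fail.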

4 Distributed Source Coding for the K Source Case

In this section, we consider the case of reconstructing a linear function of an


arbitrary number of sources. In the case of two sources, the two strategies used
in Theorems 1 and 2 were direct reconstruction of the function Z and estimating
the function from noisy versions of the sources respectively. In the presence of
more than two sources, a host of strategies which are a combination of these
two strategies become available. Some sets of sources might use the “correlated”
binning strategy of Theorem 1 while others might use the “independent” binning
strategy of Theorem 2. The union of the rate-distortion tuples achieved by all
such schemes gives an achievable rate region for the problem.
Let the sources be given by $X_1, X_2, \ldots, X_K$ which are jointly Gaussian. The decoder wishes to reconstruct a linear function given by $Z = \sum_{i=1}^K c_i X_i$ with squared error fidelity criterion. The performance limit $\mathcal{RD}$ is given by the set of all rate-distortion tuples $(R_1, R_2, \ldots, R_K, D)$ that are achievable in the sense defined in Section 3.
For any set $A \subset \{1, \ldots, K\}$, let $X_A$ denote those sources whose indices are in $A$, i.e., $X_A \triangleq \{X_i : i \in A\}$. Let $Z_A$ be defined as $\sum_{i \in A} c_i X_i$. Let $\Theta$ be a partition of $\{1, \ldots, K\}$ with $\theta = |\Theta|$. Let $\pi_\Theta : \Theta \to \{1, \ldots, \theta\}$ be a permutation. One can think of $\pi_\Theta$ as ordering the elements of $\Theta$. Each set of sources $X_A$, $A \in \Theta$, is decoded simultaneously at the decoder with the objective of reconstructing $Z_A$. The order of decoding is given by $\pi_\Theta(A)$, with the lower ranked sets of sources decoded earlier. Let $Q = (q_1, \ldots, q_K) \in \mathbb{R}_+^K$ be a tuple of positive reals. For any partition $\Theta$ and ordering $\pi_\Theta$, let us define recursively a positive-valued function $\sigma_\Theta^2 : \Theta \to \mathbb{R}_+$ as $\sigma_\Theta^2(A) = E\big(Z_A - f_A(S_A)\big)^2$, where $f_A(S_A) = E(Z_A \mid S_A)$, $S_A = \{Z_B + Q_B : B \in \Theta,\ \pi_\Theta(B) < \pi_\Theta(A)\}$, and $\{Q_A : A \in \Theta\}$ is a collection of $|\Theta|$ independent zero-mean Gaussian random variables with variances given by $q_A = \mathrm{Var}(Q_A) \triangleq \sum_{i \in A} q_i$; this collection is independent of the sources. Let $f(\{Z_A + Q_A : A \in \Theta\}) \triangleq E\big(Z \mid \{Z_A + Q_A : A \in \Theta\}\big)$.

Theorem 3. For a given tuple of sources $X_1, \ldots, X_K$ and tuple of real numbers $(c_1, c_2, \ldots, c_K)$, we have $\mathcal{RD}_{in}^* \subset \mathcal{RD}$, where $*$ denotes convex closure and

$$\mathcal{RD}_{in} = \bigcup_{\Theta, \pi_\Theta, Q} \Big\{(R_1, \ldots, R_K, D) : R_i \ge \frac12 \log \frac{\sigma_\Theta^2(A) + q_A}{q_i} \text{ for } i \in A,\ A \in \Theta;\quad D \ge E\big[(Z - f(\{Z_A + Q_A : A \in \Theta\}))^2\big]\Big\}. \tag{19}$$

Proof. This inner bound to the optimal rate region can be proved by demon-
strating a coding scheme that achieves the rates given. As in Section 3.2, we use
“correlated” binning based on lattice codes. The basic idea of the proof is to
use high dimensional lattices to mimic the Gaussian test channels used in the
description of Theorem 3. The details are omitted. We remark that the general
K-user rate region described above can be used to re-derive Theorems 1 and 2
by appropriate choices of the partition Θ.

5 Comparison of the Rate Regions


In this section, we compare the rate regions of the lattice based coding scheme
given in Theorem 1 and the Berger-Tung based coding scheme given in Theorem
2 for the case of two users. The function under consideration is Z = X1 − cX2 .
To demonstrate the performance of the lattice binning scheme, we choose the
sum rate of the two encoders as the performance metric.
In Fig. 1, we compare the sum-rates of the two schemes for ρ = 0.8 and c = 0.8.
Fig. 1 shows that for small distortion values, the lattice scheme achieves a smaller
sum rate than the Berger-Tung based scheme. We observe that the lattice based
scheme performs better than the Berger-Tung based scheme for small distortions
provided ρ is sufficiently high and c lies in a certain interval. Fig. 2 is a contour
plot that illustrates this in detail. The contour labeled R encloses that region in
which the pair (ρ, c) should lie for the lattice binning scheme to achieve a sum
rate that is at least R units less than the sum rate of the Berger-Tung scheme
for some distortion D. Observe that we get improvements only for c > 0.

[Fig. 1, "Comparison between Berger-Tung and Lattice based Coding Schemes": sum rate (0 to 7) plotted against distortion D (0 to 0.4) for rho = 0.8, c = 0.8, with the two curves "Berger-Tung Sum rate" and "Lattice Sum rate".]
[Fig. 2, "Region where lattice scheme outperforms Berger-Tung scheme": contour plot over rho (0 to 1) and c (0 to 1.8), with contours labelled 0, 0.1, 0.3, 0.8 and 1.5.]

Fig. 1. Comparison of the sum-rates. Fig. 2. (ρ, c) region for lower sum rate.

6 Conclusion
We have thus demonstrated a lattice based coding scheme that directly encodes
the linear function that the decoder is interested in instead of encoding the
sources separately and estimating the function at the decoder. For the case of two
users, it is seen that the lattice based coding scheme gives a lower sum-rate for
certain values of ρ, c, D. Hence, using a combination of the lattice based and the
Berger-Tung based coding schemes results in a better rate-region than using any
one scheme alone. For the case of reconstructing a linear function of K sources,
we have extended this concept to provide an inner bound to the optimal rate-
distortion function. Some parts of the inner bound are achieved using a coding
scheme that has the following structure: lattice vector quantization followed by
“correlated” lattice-structured binning.

Acknowledgements

The authors would like to thank Dr. Ram Zamir and Dr. Uri Erez of Tel Aviv
University for helpful discussions.

References
1. Gelfand, S., Pinsker, M.: Coding of Sources on the Basis of Observations with
Incomplete Information. Problemy Peredachi Informatsii 15, 45–57 (1979)
2. Korner, J., Marton, K.: How to Encode the Modulo-Two Sum of Binary Sources.
IEEE Trans. Inform. Theory 25, 219–221 (1979)
3. Csiszár, I., Korner, J.: Information Theory: Coding Theorems for Discrete Memo-
ryless Systems. Academic Press, London (1981)
4. Han, T.S., Kobayashi, K.: A Dichotomy of Functions F(X,Y) of Correlated Sources
(X,Y). IEEE Trans. on Inform. Theory 33, 69–76 (1987)
5. Ahlswede, R., Han, T.S.: On Source Coding with Side Information via a Multiple-
Access Channel and Related Problems in Multi-User Information Theory. IEEE
Trans. on Inform. Theory 29, 396–412 (1983)
6. Berger, T.: Multiterminal Source Coding. Lectures presented at CISM summer
school on the Inform. Theory approach to communications (1977)
7. Tung, S.-Y.: Multiterminal Source Coding. PhD thesis. Cornell University, Ithaca,
NY (1978)
8. Wagner, A.B., Tavildar, S., Viswanath, P.: The Rate-Region of the Quadratic Gaus-
sian Two-Terminal Source-Coding Problem. arXiv:cs.IT/0510095
9. Zamir, R., Feder, M.: On Lattice Quantization Noise. IEEE Trans. Inform. The-
ory 42, 1152–1159 (1996)
10. Zamir, R., Shamai, S., Erez, U.: Nested Linear/Lattice Codes for Structured Mul-
titerminal Binning. IEEE Trans. Inform. Theory 48, 1250–1276 (2002)
11. Erez, U., Zamir, R.: Achieving 1/2 log(1+SNR) on the AWGN Channel with Lat-
tice Encoding and Decoding. IEEE Trans. Inform. Theory 50, 2293–2314 (2004)
12. Erez, U., Litsyn, S., Zamir, R.: Lattices Which Are Good for (Almost) Everything.
IEEE Trans. Inform. Theory 51(10), 3401–3416 (2005)
13. Poltyrev, G.: On Coding Without Restrictions for the AWGN Channel. IEEE
Trans. Inform. Theory 40, 409–417 (1994)
14. Krithivasan, D., Pradhan, S.S.: A Proof of the Existence of Good Nested Lattices,
http://www.eecs.umich.edu/techreports/systems/cspl/cspl-384.pdf
15. Loeliger, H.A.: Averaging Bounds for Lattices and Linear Codes. IEEE Trans.
Inform. Theory 43, 1767–1773 (1997)
Linear Complexity and Autocorrelation of Prime
Cube Sequences

Young-Joon Kim, Seok-Yong Jin, and Hong-Yeop Song

Department of Electrical and Electronic Engineering


Yonsei University, Seoul, 121-749, Korea
{yj.kim, sy.jin, hysong}@yonsei.ac.kr

Abstract. We review a binary sequence based on the generalized cyclotomy of order 2 with respect to $p^3$, where $p$ is an odd prime. Linear complexities, minimal polynomials and autocorrelation of these sequences are computed.

1 Introduction

Let $n \ge 2$ be a positive integer and $\mathbb{Z}_n^*$ be the multiplicative group of the integer ring $\mathbb{Z}_n$. For a partition $\{D_i \mid i = 0, 1, \cdots, d-1\}$ of $\mathbb{Z}_n^*$, if there exist elements $g_1, \cdots, g_d$ of $\mathbb{Z}_n^*$ satisfying $D_i = g_i D_0$ for all $i$, where $D_0$ is a multiplicative subgroup of $\mathbb{Z}_n^*$, the $D_i$ are called generalized cyclotomic classes of order $d$. In 1998, Ding and Helleseth [1] introduced the new generalized cyclotomy with respect to $p_1^{e_1} \cdots p_t^{e_t}$ and defined a balanced binary sequence based on their own generalized cyclotomy, where $p_1, \cdots, p_t$ are distinct odd primes and $e_1, \cdots, e_t$ are positive integers. Before them, there had been many studies of cyclotomy, but only with respect to $p$, $p^2$ or $pq$, where $p$ and $q$ are distinct odd primes [1,4,7,8]. In [1] they also showed how to construct a balanced binary sequence based on their generalized cyclotomy; we call these the generalized cyclotomic sequences. These sequences include the binary quadratic residue sequences, also known as Legendre sequences, since those can be understood as the generalized cyclotomic sequences with respect to $p$.
In 1998, C. Ding [4] presented some cyclotomic sequences with period $p^2$ which are not balanced. They are defined in a slightly different way from the generalized cyclotomic sequences with respect to $p^2$. In that paper, he calculated their linear complexities with minor errors, which Y.-H. Park and others [5] corrected. The linear complexity of that sequence is not good: in general, the linear complexity of a sequence is considered good when it is not less than half of the period of the sequence. Recently, in [7], Yan et al. calculated the linear complexity and autocorrelation of generalized cyclotomic sequences of order 2 with respect to $p^2$.
In this paper, we compute the linear complexity and autocorrelation of the generalized cyclotomic sequences with respect to $p^3$. Hereafter we will call these sequences prime cube sequences.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 188–197, 2007.

c Springer-Verlag Berlin Heidelberg 2007
Linear Complexity and Autocorrelation of Prime Cube Sequences 189

2 Prime Cube Sequences

Let $p$ be an odd prime. Let $g$ be a primitive root of $p^2$. Then it is well known that $g$ is also a primitive root of $p^k$ for $k \ge 1$ [2]. The order of $g$ modulo $p$ is $p-1$, the order of $g$ modulo $p^2$ is $p(p-1)$ and the order of $g$ modulo $p^3$ is $p^2(p-1)$. Define

$$D_0^{(p)} = \langle g^2 \rangle \pmod p, \qquad D_1^{(p)} = gD_0^{(p)} \pmod p,$$
$$D_0^{(p^2)} = \langle g^2 \rangle \pmod{p^2}, \qquad D_1^{(p^2)} = gD_0^{(p^2)} \pmod{p^2},$$
$$D_0^{(p^3)} = \langle g^2 \rangle \pmod{p^3}, \qquad D_1^{(p^3)} = gD_0^{(p^3)} \pmod{p^3}.$$

Then $\mathbb{Z}_p^* = D_0^{(p)} \cup D_1^{(p)}$, $\mathbb{Z}_{p^2}^* = D_0^{(p^2)} \cup D_1^{(p^2)}$ and $\mathbb{Z}_{p^3}^* = D_0^{(p^3)} \cup D_1^{(p^3)}$. For $i = 1, 2, 3$, the $D_j^{(p^i)}$ are called generalized cyclotomic classes of order 2 with respect to $p^i$. Note that

$$\mathbb{Z}_{p^3} = D_0^{(p^3)} \cup D_1^{(p^3)} \cup pD_0^{(p^2)} \cup pD_1^{(p^2)} \cup p^2 D_0^{(p)} \cup p^2 D_1^{(p)} \cup \{0\}.$$

Here and hereafter, $p^i D_j^{(p^{3-i})}$ is the set of elements obtained by multiplying $p^i$ with the elements of $D_j^{(p^{3-i})}$ over $\mathbb{Z}_{p^3}$, for $i = 0, 1, 2$ and $j = 0, 1$.
In [1], the authors define the binary prime cube sequence $\{s(n)\}$ as follows:

$$s(i) = \begin{cases} 0, & \text{if } (i \bmod p^3) \in C_0 \\ 1, & \text{if } (i \bmod p^3) \in C_1, \end{cases} \tag{1}$$

where $C_0 = \bigcup_{d \mid p^3,\, d > 1} \frac{p^3}{d} D_0^{(d)}$ and $C_1 = \{0\} \cup \bigcup_{d \mid p^3,\, d > 1} \frac{p^3}{d} D_1^{(d)}$.

3 Linear Complexity and Minimal Polynomial

Let $\{s(n)\}$ be a sequence of period $L$ over a field $F$. The linear complexity of $\{s(n)\}$ is defined to be the least positive integer $l$ such that there are constants $c_0 = 1, c_1, \cdots, c_l \in F$ satisfying

$$-s(i) = c_1 s(i-1) + c_2 s(i-2) + \cdots + c_l s(i-l) \quad \text{for all } l \le i < L.$$

The polynomial $c(x) = c_0 + c_1 x + \cdots + c_l x^l$ is called a minimal polynomial of $\{s(n)\}$. Let $\{s(n)\}$ be a sequence of period $L$ over a field $F$, and $S(x) = s(0) + s(1)x + \cdots + s(L-1)x^{L-1}$. It is well known that [3]

1. the minimal polynomial of $\{s(n)\}$ is given by $c(x) = (x^L - 1)/\gcd(x^L - 1, S(x))$;
2. the linear complexity of $\{s(n)\}$ is given by $C_L = L - \deg\big(\gcd(x^L - 1, S(x))\big)$.
190 Y.-J. Kim, S.-Y. Jin, and H.-Y. Song

Lemma 1. For $a \in \mathbb{Z}_{p^3}^*$ and $1 \le i \le 3$,

$$aD_0^{(p^i)} = \begin{cases} D_0^{(p^i)}, & \text{if } a \in D_0^{(p^i)} \\ D_1^{(p^i)}, & \text{if } a \in D_1^{(p^i)}, \end{cases} \qquad aD_1^{(p^i)} = \begin{cases} D_1^{(p^i)}, & \text{if } a \in D_0^{(p^i)} \\ D_0^{(p^i)}, & \text{if } a \in D_1^{(p^i)}. \end{cases}$$

Proof. It can be proved in the same way as [4].

Lemma 2. Let $b$ be any integer. Then $D_i^{(p^3)} + bp = D_i^{(p^3)}$ and $D_i^{(p^2)} + bp = D_i^{(p^2)}$ for $i = 0, 1$.

Proof. It can also be proved in the same way as [4].

Lemma 3. $-1 \pmod{p^3} \in D_0^{(p^3)}$ if and only if $-1 \pmod{p^2} \in D_0^{(p^2)}$ if and only if $-1 \pmod p \in D_0^{(p)}$ if and only if $p \equiv 1 \pmod 4$.

Proof. It is well known that $-1 \pmod p \in D_0^{(p)}$ if and only if $p \equiv 1 \pmod 4$ [2]. Using Lemma 2, we can show that $-1 \pmod p \in D_0^{(p)}$ implies $-1 \pmod{p^2} \in D_0^{(p^2)}$ and $-1 \pmod{p^3} \in D_0^{(p^3)}$. The converse is obvious.

Lemma 4. $2 \in D_i^{(p^3)}$ if and only if $2 \in D_i^{(p^2)}$ if and only if $2 \in D_i^{(p)}$, for $i = 0, 1$.

Proof. It can be proved in the same way as [4].

Let $m$ be the order of 2 modulo $p^3$ and $\theta$ a primitive $p^3$-th root of unity in $GF(2^m)$. Define

$$S(x) = \sum_{i \in C_1} x^i = 1 + \Big(\sum_{i \in D_1^{(p^3)}} + \sum_{i \in pD_1^{(p^2)}} + \sum_{i \in p^2 D_1^{(p)}}\Big) x^i \in GF(2)[x].$$

Then $S(x)$ is the generating function of the prime cube sequence $\{s(n)\}$ defined before. To compute $S(\theta)$, we use the generalized cyclotomic numbers of order 2 with respect to $p^k$, $k \ge 1$, defined by

$$(i, j)_{p^k} = \big|(D_i^{(p^k)} + 1) \cap D_j^{(p^k)}\big|, \qquad i, j = 0, 1, \text{ and } k = 1, 2, 3. \tag{2}$$

Lemma 5. [1] If $p \equiv 3 \pmod 4$, then

$$(1,0)_{p^k} = (0,0)_{p^k} = (1,1)_{p^k} = \frac{p^{k-1}(p-3)}{4}, \quad\text{and}\quad (0,1)_{p^k} = \frac{p^{k-1}(p+1)}{4}.$$

If $p \equiv 1 \pmod 4$, then

$$(0,1)_{p^k} = (1,0)_{p^k} = (1,1)_{p^k} = \frac{p^{k-1}(p-1)}{4}, \quad\text{and}\quad (0,0)_{p^k} = \frac{p^{k-1}(p-5)}{4}.$$

Note that

$$0 = \theta^{p^3} - 1 = (\theta^{p^2})^p - 1 = (\theta^{p^2} - 1)\big(1 + \theta^{p^2} + \theta^{2p^2} + \cdots + \theta^{(p-1)p^2}\big). \tag{3}$$

Since $\theta^{p^2} \ne 1$, it follows that

$$1 + \theta^{p^2} + \theta^{2p^2} + \cdots + \theta^{(p-1)p^2} = 1 + \sum_{i \in p^2 D_0^{(p)}} \theta^i + \sum_{i \in p^2 D_1^{(p)}} \theta^i = 0. \tag{4}$$

(3) can be rewritten as follows:

$$0 = \theta^{p^3} - 1 = (\theta^{p})^{p^2} - 1 = (\theta^{p} - 1)\big(1 + \theta^{p} + \cdots + \theta^{(p^2-1)p}\big).$$

It follows that

$$1 + \theta^p + \cdots + \theta^{(p^2-1)p} = 1 + \sum_{i \in p^2 D_0^{(p)} \cup p^2 D_1^{(p)} \cup pD_0^{(p^2)} \cup pD_1^{(p^2)}} \theta^i = 0. \tag{5}$$

From (4) and (5), we obtain

$$\sum_{i \in pD_0^{(p^2)}} \theta^i = \sum_{i \in pD_1^{(p^2)}} \theta^i. \tag{6}$$

Since $\sum_{i=0}^{p^3-1} \theta^i = 0$, by (5) we obtain

$$\sum_{i \in D_0^{(p^3)}} \theta^i = \sum_{i \in D_1^{(p^3)}} \theta^i. \tag{7}$$

Let $\theta_1 = \theta^p$ and $\theta_2 = \theta^{p^2}$; then $\theta_1$ is a primitive $p^2$-th root of unity and $\theta_2$ is a primitive $p$-th root of unity in $GF(2^m)$. Define

$$t_1(\theta_1) = \sum_{i \in D_1^{(p^2)}} \theta_1^i \quad\text{and}\quad t_2(\theta_2) = \sum_{i \in D_1^{(p)}} \theta_2^i.$$

Lemma 6. [5] $\sum_{i \in p\mathbb{Z}_p} \theta_1^i + \sum_{i \in D_1^{(p^2)}} \theta_1^i = 0$ if $p$ is an odd prime.

Lemma 7. $\sum_{i \in D_0^{(p^2)}} \theta_1^i = \sum_{i \in D_1^{(p^2)}} \theta_1^i = t_1(\theta_1) = 0$.

Proof. From (4), (6) and Lemma 6, obvious.

Lemma 8. [6] $t_2(\theta_2) \in \{0, 1\}$ if and only if $2 \in D_0^{(p)}$ if and only if $p \equiv \pm 1 \pmod 8$.
Lemma 9. Let the symbols be the same as before. Then

$$S(\theta^a) = \begin{cases} \frac{p+1}{2} \pmod 2, & \text{if } a = 0 \\ S(\theta), & \text{if } a \in D_0^{(p^3)} \\ S(\theta) + 1, & \text{if } a \in D_1^{(p^3)} \\ \frac{p+1}{2} + t_2(\theta_2), & \text{if } a \in pD_0^{(p^2)} \\ \frac{p-1}{2} + t_2(\theta_2), & \text{if } a \in pD_1^{(p^2)} \\ 1 + t_2(\theta_2), & \text{if } a \in p^2 D_0^{(p)} \\ t_2(\theta_2), & \text{if } a \in p^2 D_1^{(p)}. \end{cases}$$

Proof. For the case $a = 0$, we have $S(\theta^a) = S(1) = \frac{p^3+1}{2} \equiv \frac{p+1}{2} \pmod 2$. If $a \in D_0^{(p^3)}$, by definition there is an integer $s$ such that $a = g^{2s}$. It follows that

$$aD_1^{(p^3)} = \{g^{2s+2t+1} \mid t = 0, 1, \cdots, p^2(p-1) - 1\} = D_1^{(p^3)},$$
$$apD_1^{(p^2)} = p\{g^{2s+2t+1} \mid t = 0, 1, \cdots, p(p-1) - 1\} = pD_1^{(p^2)},$$
$$ap^2 D_1^{(p)} = p^2\{g^{2s+2t+1} \mid t = 0, 1, \cdots, (p-1) - 1\} = p^2 D_1^{(p)}.$$

Hence

$$S(\theta^a) = 1 + \Big(\sum_{i \in D_1^{(p^3)}} + \sum_{i \in pD_1^{(p^2)}} + \sum_{i \in p^2 D_1^{(p)}}\Big)\theta^{ai} = 1 + \Big(\sum_{i \in D_1^{(p^3)}} + \sum_{i \in pD_1^{(p^2)}} + \sum_{i \in p^2 D_1^{(p)}}\Big)\theta^{i} = S(\theta).$$

If $a \in D_1^{(p^3)}$, then $aD_1^{(p^3)} = D_0^{(p^3)}$, $apD_1^{(p^2)} = pD_0^{(p^2)}$ and $ap^2 D_1^{(p)} = p^2 D_0^{(p)}$. By (4), (6) and (7),

$$S(\theta^a) = 1 + \Big(\sum_{i \in D_0^{(p^3)}} + \sum_{i \in pD_0^{(p^2)}} + \sum_{i \in p^2 D_0^{(p)}}\Big)\theta^i = S(\theta) + 1.$$

Note that $D_1^{(p^3)} \bmod p = D_1^{(p)}$, $|D_1^{(p^3)}| = p^2 |D_1^{(p)}|$, $\theta_1^{p^2} = 1$ and $\theta_2^p = 1$. For $a = a_1 p$, $a_1 \in \mathbb{Z}_{p^2}^* = D_0^{(p^2)} \cup D_1^{(p^2)}$, we have

$$S(\theta^a) = 1 + \Big(\sum_{i \in D_1^{(p^3)}} + \sum_{i \in pD_1^{(p^2)}} + \sum_{i \in p^2 D_1^{(p)}}\Big)\theta^{ai} = 1 + \sum_{i \in D_1^{(p^3)}} \theta^{a_1 p i} + \sum_{i \in pD_1^{(p^2)}} \theta^{a_1 p i} + \sum_{i \in p^2 D_1^{(p)}} \theta^{a_1 p i} = 1 + \sum_{i \in a_1 D_1^{(p^3)}} \theta_1^{i} + \sum_{i \in a_1 D_1^{(p^2)}} \theta_2^{i} + \frac{p-1}{2}.$$

If $a_1 \in D_0^{(p^2)}$, then $a_1 D_1^{(p^3)} = D_1^{(p^3)}$ and $a_1 D_1^{(p^2)} = D_1^{(p^2)}$, and we have

$$S(\theta^a) = \frac{p+1}{2} + \sum_{i \in D_1^{(p^3)}} \theta_1^i + \sum_{i \in D_1^{(p^2)}} \theta_2^i = \frac{p+1}{2} + p\sum_{i \in D_1^{(p^2)}} \theta_1^i + p\sum_{i \in D_1^{(p)}} \theta_2^i = \frac{p+1}{2} + t_1(\theta_1) + t_2(\theta_2) = \frac{p+1}{2} + t_2(\theta_2).$$

If $a_1 \in D_1^{(p^2)}$, then $a_1 D_1^{(p^3)} = D_0^{(p^3)}$ and $a_1 D_1^{(p^2)} = D_0^{(p^2)}$, and we have

$$S(\theta^a) = \frac{p+1}{2} + \sum_{i \in D_0^{(p^3)}} \theta_1^i + \sum_{i \in D_0^{(p^2)}} \theta_2^i = \frac{p+1}{2} + t_1(\theta_1) + 1 + t_2(\theta_2) = \frac{p-1}{2} + t_2(\theta_2).$$

For $a = a_2 p^2$, $a_2 \in \mathbb{Z}_p^* = D_0^{(p)} \cup D_1^{(p)}$, we have

$$S(\theta^a) = 1 + \Big(\sum_{i \in D_1^{(p^3)}} + \sum_{i \in pD_1^{(p^2)}} + \sum_{i \in p^2 D_1^{(p)}}\Big)\theta^{ai} = 1 + \sum_{i \in a_2 D_1^{(p^3)}} \theta^{p^2 i} + \sum_{i \in D_1^{(p^2)}} \theta_1^{a_2 p^2 i} + \sum_{i \in D_1^{(p)}} \theta_2^{a_2 p^2 i} = 1 + \sum_{i \in a_2 D_1^{(p^3)}} \theta_2^i + \frac{p^2 - p}{2} + \frac{p-1}{2}.$$

If $a_2 \in D_0^{(p)}$, then $a_2 D_1^{(p^3)} = D_1^{(p^3)}$ and $a_2 D_1^{(p^2)} = D_1^{(p^2)}$, and we have

$$S(\theta^a) = \frac{p^2+1}{2} + \sum_{i \in D_1^{(p^3)}} \theta_2^i = \frac{p^2+1}{2} + p^2 \sum_{i \in D_1^{(p)}} \theta_2^i = 1 + t_2(\theta_2).$$

If $a_2 \in D_1^{(p)}$, then $a_2 D_1^{(p^3)} = D_0^{(p^3)}$ and $a_2 D_1^{(p^2)} = D_0^{(p^2)}$, and we have

$$S(\theta^a) = \frac{p^2+1}{2} + \sum_{i \in D_0^{(p^3)}} \theta_2^i = \frac{p^2+1}{2} + p^2 \sum_{i \in D_0^{(p)}} \theta_2^i = t_2(\theta_2).$$

Define $d_i^{(p^3)}(x) = \prod_{a \in D_i^{(p^3)}} (x - \theta^a)$, $d_i^{(p^2)}(x) = \prod_{a \in D_i^{(p^2)}} (x - \theta_1^a)$ and $d_i^{(p)}(x) = \prod_{a \in D_i^{(p)}} (x - \theta_2^a)$, $i = 0, 1$. Then

$$x^{p^3} - 1 = (x-1)\, d_0^{(p)}(x)\, d_1^{(p)}(x)\, d_0^{(p^2)}(x)\, d_1^{(p^2)}(x)\, d_0^{(p^3)}(x)\, d_1^{(p^3)}(x).$$

Lemma 10. $d_i^{(p)}(x), d_i^{(p^2)}(x), d_i^{(p^3)}(x) \in GF(2)[x]$ if and only if $p \equiv \pm 1 \pmod 8$.

Proof. Almost the same proof as in [4] can be applied. If $p \equiv \pm 1 \pmod 8$, from Lemmas 4 and 8, $2 \in D_0^{(p)} \cap D_0^{(p^2)} \cap D_0^{(p^3)}$. Then for $k = 0, 1, 2$ (so that $\theta^{p^k}$ is $\theta$, $\theta_1$ or $\theta_2$) and $i = 0, 1$, we have

$$\big(d_i^{(p^{3-k})}(x)\big)^2 = \prod_{a \in D_i^{(p^{3-k})}} \big(x^2 - \theta^{2p^k a}\big) = \prod_{a \in 2D_i^{(p^{3-k})}} \big(x^2 - \theta^{p^k a}\big) = \prod_{a \in D_i^{(p^{3-k})}} \big(x^2 - \theta^{p^k a}\big) = d_i^{(p^{3-k})}(x^2).$$

Thus $d_i^{(p^{3-k})}(x) \in GF(2)[x]$, $k = 0, 1, 2$. If $p \equiv \pm 3 \pmod 8$, from Lemmas 4 and 8, $2 \in D_1^{(p)} \cap D_1^{(p^2)} \cap D_1^{(p^3)}$. Then for $k = 0, 1, 2$, we have

$$\big(d_i^{(p^{3-k})}(x)\big)^2 = \prod_{a \in D_{i+1 \,(\mathrm{mod}\ 2)}^{(p^{3-k})}} \big(x^2 - \theta^{p^k a}\big) = d_{i+1 \,(\mathrm{mod}\ 2)}^{(p^{3-k})}(x^2) \ne d_i^{(p^{3-k})}(x^2).$$

Hence $d_i^{(p^{3-k})}(x) \notin GF(2)[x]$, $k = 0, 1, 2$.

Theorem 1. Let $p$ be an odd prime and $\{s(n)\}$ be a prime cube sequence of period $p^3$. Then the linear complexity $C_L$ of $\{s(n)\}$ is as follows:

$$C_L = \begin{cases} \frac{p^3+1}{2}, & \text{if } p \equiv 1 \pmod 8 \\ p^3 - 1, & \text{if } p \equiv 3 \pmod 8 \\ p^3, & \text{if } p \equiv 5 \pmod 8 \\ \frac{p^3-1}{2}, & \text{if } p \equiv 7 \pmod 8. \end{cases}$$

Proof. If $p \equiv 1 \pmod 8$, from Lemma 8, $t_2(\theta_2) \in \{0, 1\}$. Furthermore, since $2 \in D_0^{(p)} \cap D_0^{(p^2)} \cap D_0^{(p^3)}$ by Lemmas 4 and 8, Lemma 9 gives $S(\theta^2) = S(\theta)$; as $S(\theta^2) = S(\theta)^2$ in characteristic 2, $S(\theta) \in \{0, 1\}$. Applying Lemma 9, we have

$$c(x) = \frac{x^{p^3} - 1}{\gcd(x^{p^3} - 1, S(x))} = \begin{cases} (x-1)\, d_1^{(p^3)}(x)\, d_0^{(p^2)}(x)\, d_0^{(p)}(x), & \text{if } (S(\theta), t_2(\theta_2)) = (0, 0) \\ (x-1)\, d_1^{(p^3)}(x)\, d_1^{(p^2)}(x)\, d_1^{(p)}(x), & \text{if } (S(\theta), t_2(\theta_2)) = (0, 1) \\ (x-1)\, d_0^{(p^3)}(x)\, d_0^{(p^2)}(x)\, d_0^{(p)}(x), & \text{if } (S(\theta), t_2(\theta_2)) = (1, 0) \\ (x-1)\, d_0^{(p^3)}(x)\, d_1^{(p^2)}(x)\, d_1^{(p)}(x), & \text{if } (S(\theta), t_2(\theta_2)) = (1, 1). \end{cases}$$

It follows that $C_L = \deg(c(x)) = 1 + \frac{p^3 - p^2}{2} + \frac{p^2 - p}{2} + \frac{p-1}{2} = \frac{p^3+1}{2}$.
For the cases $p \equiv 3, 5$ and $7 \pmod 8$, the result follows by a procedure similar to the case $p \equiv 1 \pmod 8$.

4 Autocorrelation
The periodic autocorrelation of a binary sequence $\{s(n)\}$ of period $L$ is defined by $C_s(\tau) = \sum_{n=0}^{L-1} (-1)^{s(n+\tau) - s(n)}$, where $0 \le \tau < L$. Define $d_s(i, j; \tau) = |C_i \cap (C_j + \tau)|$, $0 \le \tau < L$, $i, j = 0, 1$.

Theorem 2. Let $p$ be an odd prime. Then the autocorrelation profile of the binary prime cube sequence of period $p^3$ defined in (1) is as follows:

1. $p \equiv 1 \pmod 4$:

$$C_s(\tau) = \begin{cases} p^3, & \tau \equiv 0 \pmod{p^3} \\ p^3 - p - 3, & \tau \in p^2 D_0^{(p)} \\ p^3 - p + 1, & \tau \in p^2 D_1^{(p)} \\ p^3 - p^2 - p - 2, & \tau \in pD_0^{(p^2)} \\ p^3 - p^2 - p + 2, & \tau \in pD_1^{(p^2)} \\ -p^2 - 2, & \tau \in D_0^{(p^3)} \\ -p^2 + 2, & \tau \in D_1^{(p^3)} \end{cases}$$

2. $p \equiv 3 \pmod 4$:

$$C_s(\tau) = \begin{cases} p^3, & \tau \equiv 0 \pmod{p^3} \\ p^3 - p - 1, & \tau \in p^2 D_0^{(p)} \cup p^2 D_1^{(p)} \\ p^3 - p^2 - p, & \tau \in pD_0^{(p^2)} \cup pD_1^{(p^2)} \\ -p^2, & \tau \in D_0^{(p^3)} \cup D_1^{(p^3)}. \end{cases}$$

Proof. Since $C_s(\tau) = p^3 - 4 d_s(1, 0; \tau)$, we need to calculate $d_s(1, 0; \tau)$. Note that

$$d_s(1, 0; \tau) = |C_1 \cap (C_0 + \tau)| = |C_1 \cap (p^2 D_0^{(p)} + \tau)| + |C_1 \cap (pD_0^{(p^2)} + \tau)| + |C_1 \cap (D_0^{(p^3)} + \tau)|. \tag{8}$$

Denote the first, the second and the third term in (8) as $A(\tau)$, $B(\tau)$ and $C(\tau)$, respectively. To begin with, we are going to compute $A(\tau)$. Note that

$$A(\tau) = |C_1 \cap (p^2 D_0^{(p)} + \tau)| = |\{0\} \cap (p^2 D_0^{(p)} + \tau)| + |p^2 D_1^{(p)} \cap (p^2 D_0^{(p)} + \tau)| + |pD_1^{(p^2)} \cap (p^2 D_0^{(p)} + \tau)| + |D_1^{(p^3)} \cap (p^2 D_0^{(p)} + \tau)|. \tag{9}$$

Denote the first, the second, the third and the fourth term in (9) as $A_1(\tau)$, $A_2(\tau)$, $A_3(\tau)$ and $A_4(\tau)$, respectively. Let us compute $A_1(\tau)$ first. When $\tau = 0$, $A_1(\tau) = |\{0\} \cap p^2 D_0^{(p)}| = 0$. When $\tau \in pD_i^{(p^2)}$ for $i = 0, 1$, by Lemma 2, any element of $p^2 D_0^{(p)} + \tau$ is an element of $pD_i^{(p^2)}$ for $i = 0, 1$, respectively. Similarly, when $\tau \in D_i^{(p^3)}$ for $i = 0, 1$, any element of $p^2 D_0^{(p)} + \tau$ is an element of $D_i^{(p^3)}$ for $i = 0, 1$, respectively. Therefore, when $\tau \in \{0\} \cup pD_0^{(p^2)} \cup pD_1^{(p^2)} \cup D_0^{(p^3)} \cup D_1^{(p^3)}$, $A_1(\tau) = 0$. The next thing to do is to compute the value of $A_1(\tau)$ when $\tau$ belongs to the set $p^2 D_0^{(p)} \cup p^2 D_1^{(p)}$. From Lemmas 1 and 3, if $p \equiv 1 \pmod 4$, $\tau \in p^2 D_i^{(p)}$ implies $-\tau \in p^2 D_i^{(p)}$ for $i = 0, 1$, respectively. Hence, in this case, $A_1(\tau) = 1$ if $\tau \in p^2 D_0^{(p)}$ and $A_1(\tau) = 0$ if $\tau \in p^2 D_1^{(p)}$. Likewise, if $p \equiv 3 \pmod 4$, $\tau \in p^2 D_i^{(p)}$ implies $-\tau \in p^2 D_{i+1 \bmod 2}^{(p)}$ for $i = 0, 1$, respectively. Hence, $A_1(\tau) = 0$ if $\tau \in p^2 D_0^{(p)}$ and $A_1(\tau) = 1$ if $\tau \in p^2 D_1^{(p)}$. Summarizing these, we have

$$A_1(\tau) = \begin{cases} 0, & \tau \in \{0\} \cup pD_0^{(p^2)} \cup pD_1^{(p^2)} \cup D_0^{(p^3)} \cup D_1^{(p^3)} \\ 1, & \tau \in p^2 D_0^{(p)} \text{ and } p \equiv 1 \pmod 4 \\ 0, & \tau \in p^2 D_0^{(p)} \text{ and } p \equiv 3 \pmod 4 \\ 0, & \tau \in p^2 D_1^{(p)} \text{ and } p \equiv 1 \pmod 4 \\ 1, & \tau \in p^2 D_1^{(p)} \text{ and } p \equiv 3 \pmod 4 \end{cases} \tag{10}$$

Next let us consider $A_2(\tau)$. Similarly $A_2(\tau) = 0$ if $\tau \in \{0\} \cup pD_0^{(p^2)} \cup pD_1^{(p^2)} \cup D_0^{(p^3)} \cup D_1^{(p^3)}$. When $\tau \in p^2 D_0^{(p)} \cup p^2 D_1^{(p)}$, $A_2(\tau) = |p^2 D_1^{(p)} \cap (p^2 D_0^{(p)} + \tau)| = |p^2 D_1^{(p)} \cap (p^2 D_0^{(p)} + p^2 a)|$ for some $a \in D_0^{(p)} \cup D_1^{(p)}$. Therefore $A_2(\tau) = |D_1^{(p)} \cap (D_0^{(p)} + a)| = |a^{-1} D_1^{(p)} \cap (a^{-1} D_0^{(p)} + 1)|$ and, by Lemma 1 and the definition of the generalized cyclotomic numbers of order 2 with respect to $p$, we have

$$A_2(\tau) = \begin{cases} 0, & \tau \in \{0\} \cup pD_0^{(p^2)} \cup pD_1^{(p^2)} \cup D_0^{(p^3)} \cup D_1^{(p^3)} \\ (0, 1)_p, & \tau \in p^2 D_0^{(p)} \\ (1, 0)_p, & \tau \in p^2 D_1^{(p)}. \end{cases}$$
In the case of $A_3(\tau)$, $A_3(\tau) = 0$ if $\tau \in \{0\} \cup D_0^{(p^3)} \cup D_1^{(p^3)}$ for the same reason as for $A_1(\tau)$ and $A_2(\tau)$. If $\tau \in p^2 D_0^{(p)} \cup p^2 D_1^{(p)}$, then any element of $p^2 D_0^{(p)} + \tau$ is a multiple of $p^2$ modulo $p^3$, so it cannot be an element of $pD_1^{(p^2)}$. Thus, in these cases, $A_3(\tau) = 0$. In the case of $\tau \in pD_i^{(p^2)}$ for $i = 0, 1$, we have $p^2 D_0^{(p)} + \tau \subset pD_i^{(p^2)}$ by Lemma 2. Therefore, $A_3(\tau) = |\emptyset| = 0$ if $\tau \in pD_0^{(p^2)}$ and $A_3(\tau) = |p^2 D_0^{(p)} + \tau| = \frac{p-1}{2}$ if $\tau \in pD_1^{(p^2)}$. Similarly, we can compute $A_4(\tau)$. Summarizing these calculations, we have

$$A_3(\tau) = \begin{cases} 0, & \tau \in \mathbb{Z}_{p^3} \setminus pD_1^{(p^2)} \\ \frac{p-1}{2}, & \tau \in pD_1^{(p^2)} \end{cases}, \qquad A_4(\tau) = \begin{cases} 0, & \tau \in \mathbb{Z}_{p^3} \setminus D_1^{(p^3)} \\ \frac{p-1}{2}, & \tau \in D_1^{(p^3)}. \end{cases}$$

Combining the results of $A_1(\tau)$, $A_2(\tau)$, $A_3(\tau)$ and $A_4(\tau)$, we have

$$A(\tau) = \sum_{1 \le i \le 4} A_i(\tau) = \begin{cases} 0, & \tau = 0 \\ \frac{p+3}{4}, & \tau \in p^2 D_0^{(p)} \text{ and } p \equiv 1 \pmod 4 \\ \frac{p+1}{4}, & \tau \in p^2 D_0^{(p)} \text{ and } p \equiv 3 \pmod 4 \\ \frac{p-1}{4}, & \tau \in p^2 D_1^{(p)} \text{ and } p \equiv 1 \pmod 4 \\ \frac{p+1}{4}, & \tau \in p^2 D_1^{(p)} \text{ and } p \equiv 3 \pmod 4 \\ 0, & \tau \in pD_0^{(p^2)} \\ \frac{p-1}{2}, & \tau \in pD_1^{(p^2)} \\ 0, & \tau \in D_0^{(p^3)} \\ \frac{p-1}{2}, & \tau \in D_1^{(p^3)} \end{cases} \tag{11}$$

Next we are going to compute $B(\tau)$ and $C(\tau)$. Note that

$$B(\tau) = |\{0\} \cap (pD_0^{(p^2)} + \tau)| + |p^2 D_1^{(p)} \cap (pD_0^{(p^2)} + \tau)| + |pD_1^{(p^2)} \cap (pD_0^{(p^2)} + \tau)| + |D_1^{(p^3)} \cap (pD_0^{(p^2)} + \tau)|. \tag{12}$$

$$C(\tau) = |\{0\} \cap (D_0^{(p^3)} + \tau)| + |p^2 D_1^{(p)} \cap (D_0^{(p^3)} + \tau)| + |pD_1^{(p^2)} \cap (D_0^{(p^3)} + \tau)| + |D_1^{(p^3)} \cap (D_0^{(p^3)} + \tau)|. \tag{13}$$

Denote the first, the second, the third and the fourth term in (12) as $B_1(\tau)$, $B_2(\tau)$, $B_3(\tau)$ and $B_4(\tau)$, respectively. Likewise denote the first, the second, the third and the fourth term in (13) as $C_1(\tau)$, $C_2(\tau)$, $C_3(\tau)$ and $C_4(\tau)$, respectively. In almost the same way, we can reach the following:

$p \equiv 1 \pmod 4$ | $B_1(\tau)$ | $B_2(\tau)$ | $B_3(\tau)$ | $B_4(\tau)$ | $B(\tau)$
$\tau \in pD_0^{(p^2)}$ | 1 | $\frac{p-1}{2}$ | $(0,1)_{p^2}$ | 0 | $\frac{p^2+p+2}{4}$
$\tau \in pD_1^{(p^2)}$ | 0 | 0 | $(1,0)_{p^2}$ | 0 | $\frac{p(p-1)}{4}$
$\tau \in D_1^{(p^3)}$ | 0 | 0 | 0 | $\frac{p^2-p}{2}$ | $\frac{p^2-p}{2}$
otherwise | 0 | 0 | 0 | 0 | 0

(14)

$p \equiv 3 \pmod 4$ | $B_1(\tau)$ | $B_2(\tau)$ | $B_3(\tau)$ | $B_4(\tau)$ | $B(\tau)$
$\tau \in pD_0^{(p^2)}$ | 0 | 0 | $(0,1)_{p^2}$ | 0 | $\frac{p(p+1)}{4}$
$\tau \in pD_1^{(p^2)}$ | 1 | $\frac{p-1}{2}$ | $(1,0)_{p^2}$ | 0 | $\frac{p^2-p+2}{4}$
$\tau \in D_1^{(p^3)}$ | 0 | 0 | 0 | $\frac{p^2-p}{2}$ | $\frac{p^2-p}{2}$
otherwise | 0 | 0 | 0 | 0 | 0

(15)

By doing the same procedure repeatedly, we can reach the following:

$p \equiv 1 \pmod 4$ | $C_1(\tau)$ | $C_2(\tau)$ | $C_3(\tau)$ | $C_4(\tau)$ | $C(\tau)$
$\tau \in D_0^{(p^3)}$ | 1 | $\frac{p-1}{2}$ | $\frac{p^2-p}{2}$ | $(0,1)_{p^3}$ | $\frac{p^3+p^2+2}{4}$
$\tau \in D_1^{(p^3)}$ | 0 | 0 | 0 | $(1,0)_{p^3}$ | $\frac{p^3-p^2}{4}$
otherwise | 0 | 0 | 0 | 0 | 0

$p \equiv 3 \pmod 4$ | $C_1(\tau)$ | $C_2(\tau)$ | $C_3(\tau)$ | $C_4(\tau)$ | $C(\tau)$
$\tau \in D_0^{(p^3)}$ | 0 | 0 | 0 | $(0,1)_{p^3}$ | $\frac{p^3+p^2}{4}$
$\tau \in D_1^{(p^3)}$ | 1 | $\frac{p-1}{2}$ | $\frac{p^2-p}{2}$ | $(1,0)_{p^3}$ | $\frac{p^3-p^2+2}{4}$
otherwise | 0 | 0 | 0 | 0 | 0

(16)

Combining (11), (14), (15) and (16), we can compute $d_s(1, 0; \tau)$. Since $C_s(\tau) = p^3 - 4 d_s(1, 0; \tau)$, this completes the proof.
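As an added example covering the construction of Section 2, the gcd formula of Section 3 and the autocorrelation of Section 4 (this is not the authors' code; it relies only on the definitions given above), the following Python script builds the prime cube sequence of eq. (1) for a small odd prime, computes its minimal polynomial and linear complexity as $c(x) = (x^{p^3}-1)/\gcd(x^{p^3}-1, S(x))$ over $GF(2)$, and compares the brute-force autocorrelation with the profile of Theorem 2. Polynomials over $GF(2)$ are stored as Python integers, and the primitive root of $p^2$ is found by trial, which is adequate for the small primes used here.

```python
def prime_factors(n):
    """Prime divisors of n by trial division (n is tiny here)."""
    fs, q = set(), 2
    while q * q <= n:
        while n % q == 0:
            fs.add(q)
            n //= q
        q += 1
    return fs | ({n} if n > 1 else set())


def primitive_root_mod_p2(p):
    """Smallest g of order p(p-1) modulo p^2; such a g is primitive modulo every p^k (Section 2)."""
    m, order = p * p, p * (p - 1)
    for g in range(2, m):
        if g % p and all(pow(g, order // q, m) != 1 for q in prime_factors(order)):
            return g
    raise ValueError("p must be an odd prime")


def cyclotomic_classes(p, k, g):
    """D_0 = <g^2> and D_1 = g*D_0 modulo p^k, the generalized cyclotomic classes of order 2."""
    m = p ** k
    d0 = {pow(g, 2 * t, m) for t in range((m - m // p) // 2)}   # |Z_{p^k}^*| / 2 elements
    return d0, {g * x % m for x in d0}


def prime_cube_sequence(p):
    """One period of eq. (1): s(i) = 1 iff i in C_1 = {0} U D_1^(p^3) U p D_1^(p^2) U p^2 D_1^(p)."""
    g, c1 = primitive_root_mod_p2(p), {0}
    for k in (1, 2, 3):
        c1 |= {p ** (3 - k) * x for x in cyclotomic_classes(p, k, g)[1]}
    return [1 if i in c1 else 0 for i in range(p ** 3)]


# Polynomials over GF(2) are Python ints: bit i is the coefficient of x^i.
def gf2_deg(a):
    return a.bit_length() - 1


def gf2_divmod(a, b):
    q = 0
    while a and gf2_deg(a) >= gf2_deg(b):
        shift = gf2_deg(a) - gf2_deg(b)
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf2_gcd(a, b):
    while b:
        a, b = b, gf2_divmod(a, b)[1]
    return a


def minimal_polynomial(seq):
    """c(x) = (x^L - 1) / gcd(x^L - 1, S(x)) with S(x) = sum_i s(i) x^i, item 1 of Section 3."""
    n = len(seq)
    s_poly = sum(1 << i for i, bit in enumerate(seq) if bit)
    x_n_minus_1 = (1 << n) | 1                      # x^L + 1 = x^L - 1 over GF(2)
    return gf2_divmod(x_n_minus_1, gf2_gcd(x_n_minus_1, s_poly))[0]


def linear_complexity(seq):
    """C_L = L - deg gcd(x^L - 1, S(x)) = deg c(x), item 2 of Section 3."""
    return gf2_deg(minimal_polynomial(seq))


def satisfies_recurrence(seq, c):
    """Check sum_j c_j s(i - j) = 0 over GF(2) for every i, indices taken modulo the period."""
    n = len(seq)
    taps = [j for j in range(gf2_deg(c) + 1) if c >> j & 1]
    return all(sum(seq[(i - j) % n] for j in taps) % 2 == 0 for i in range(n))


def theorem1_lc(p):
    """Linear complexity predicted by Theorem 1."""
    n = p ** 3
    return {1: (n + 1) // 2, 3: n - 1, 5: n, 7: (n - 1) // 2}[p % 8]


def autocorrelation(seq):
    """C_s(tau) = sum_{n=0}^{L-1} (-1)^(s(n+tau) - s(n)) for tau = 0, ..., L-1 (Section 4)."""
    n = len(seq)
    return [sum(1 if seq[(i + tau) % n] == seq[i] else -1 for i in range(n)) for tau in range(n)]


def theorem2_autocorrelation(p):
    """Autocorrelation profile predicted by Theorem 2, indexed by tau."""
    g, n, p2 = primitive_root_mod_p2(p), p ** 3, p * p
    if p % 4 == 1:   # shifts in D_0 and in D_1 give different values
        values = {1: (n - p - 3, n - p + 1), 2: (n - p2 - p - 2, n - p2 - p + 2), 3: (-p2 - 2, -p2 + 2)}
    else:            # p = 3 mod 4: both classes give the same value
        values = {1: (n - p - 1, n - p - 1), 2: (n - p2 - p, n - p2 - p), 3: (-p2, -p2)}
    profile = [n] + [None] * (n - 1)
    for k in (1, 2, 3):
        for cls, d in enumerate(cyclotomic_classes(p, k, g)):
            for x in d:
                profile[p ** (3 - k) * x] = values[k][cls]
    return profile


if __name__ == "__main__":
    for p in (3, 5, 7, 11):
        s = prime_cube_sequence(p)
        print(p, linear_complexity(s), theorem1_lc(p), autocorrelation(s) == theorem2_autocorrelation(p))
```

Computing the linear complexity through the gcd rather than through the Berlekamp-Massey algorithm is deliberate: the gcd needs only the period polynomial $S(x)$ and is linear in the period for these sizes, so even $p = 17$ (period 4913) is checked in well under a second, whereas a quadratic Berlekamp-Massey run over $2p^3$ bits is noticeably slower in pure Python.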

References
1. Ding, C., Helleseth, T.: New Generalized Cyclotomy and Its Application. Finite
Fields and Their Applications 4, 140–166 (1998)
2. Burton, D.M.: Elementary Number Theory, 4th edn. McGraw-Hill, New York (1998)
3. Golomb, S.W.: Shift Register Sequences, Revised edn. Aegean Park Press, Laguna
Hills (1982)
4. Ding, C.: Linear Complexity of Some Generalized Cyclotomic Sequences. Int. J.
Algebra and Computation 8, 431–442 (1998)
5. Park, Y.H., Hong, D., Chun, E.: On the Linear Complexity of Some Generalized
Cyclotomic Sequences. Int. J. Algebra and Computation 14, 431–439 (2004)
6. Cusick, T., Ding, C., Renvall, A.: Stream Ciphers and Number Theory. Elsevier
Science, Amsterdam (1998)
7. Yan, T., Sun, R., Xiao, G.: Autocorrelation and Linear Complexity of the New
Generalized Cyclotomic Sequences. IEICE Trans. Fundamentals E90-A, 857–864
(2007)
8. Bai, E., Liu, X., Xiao, G.: Linear Complexity of New Generalized Cyclotomic Se-
quences of Order Two of Length pq. IEEE Trans. Inform. Theory 51, 1849–1853
(2005)
The “Art of Trellis Decoding” Is NP-Hard

Navin Kashyap

Dept. Mathematics and Statistics,


Queen’s University, Kingston, ON, K7L 3N6, Canada
[email protected]

Abstract. Given a linear code C, the fundamental problem of trellis


decoding is to find a coordinate permutation of C that yields a code
C′ whose minimal trellis has the least state-complexity among all codes
obtainable by permuting the coordinates of C. By reducing from the
problem of computing the pathwidth of a graph, we show that the prob-
lem of finding such a coordinate permutation is NP-hard, thus settling
a long-standing conjecture.

1 Introduction

Maximum-likelihood (ML) decoding of a linear code can be implemented us-


ing the Viterbi algorithm on a trellis representation of the code. The run-time
complexity of such an implementation depends on the complexity (size) of the
trellis representation, and so it is desirable to find, for a given code C, a low-
complexity trellis representing C. The theory of trellis representations of a linear
code is well understood, and we refer the reader to the review by Vardy [11]
for an excellent survey of this theory. A fundamental result of this theory is
that a linear code has a unique minimal trellis that simultaneously minimizes
several important measures of trellis complexity, including the number of states,
the number of edges, and the so-called state-complexity of the trellis. There are
several efficient algorithms known for determining the minimal trellis for a given
linear code (again, see [11] and the references therein).
It is a somewhat surprising fact that permuting the coordinates of a code can result in a drastic change in the complexity of the minimal trellis. To be precise, if C′ is a code obtained by permuting the coordinates of C, then the minimal trellises of C and C′ may have very different sizes. However, the simple action of coordinate permutation does not affect the performance of the code from an error-correction viewpoint. Therefore, given a code C, one may as well use the code C′ obtained by permuting the coordinates of C, such that the minimal trellis of C′ has the least complexity among the minimal trellises of codes obtained from C via coordinate permutations. The problem of determining the coordinate permutation of C that minimizes the complexity of the resulting minimal trellis has been termed the "art of trellis decoding" by Massey [8].

This work was supported in part by a research grant from the Natural Sciences and
Engineering Research Council (NSERC) of Canada.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 198–207, 2007.

c Springer-Verlag Berlin Heidelberg 2007
The “Art of Trellis Decoding” Is NP-Hard 199

It now matters which measure of trellis complexity is to be minimized, as


the coordinate permutation of C that yields a minimal trellis with, say, the
least state-complexity need not be the same as the coordinate permutation that
yields a minimal trellis with the smallest number of states. The prior literature
has most often focused on the problem of finding the coordinate permutation
of a given code that minimizes the state-complexity of the resulting minimal
trellis, and it has repeatedly been conjectured that this problem is NP-hard [5],
[6], [11, Section 5]. To put it another way, the following decision problem was
conjectured to be NP-complete:
Problem: Trellis State-Complexity
Let $\mathbb{F}_q$ be a fixed finite field.
Instance: An $m \times n$ generator matrix for a linear code $C$ over $\mathbb{F}_q$, and an integer $w > 0$.
Question: Is there a coordinate permutation of $C$ that yields a code $C'$ whose minimal trellis has state-complexity at most $w$?
This decision problem was called “Maximum Partition Rank Permutation” in
[5], and “Maximum Width” in [6]. Forney [4] has referred to the resolution of the
aforementioned conjecture as the “only significant open problem” in the context
of trellis representations.
In this paper, we settle the conjecture in the affirmative. We show that, for
any fixed finite field Fq , given an arbitrary code C over Fq , the problem of finding
the coordinate permutation of C that yields a minimal trellis with the least pos-
sible state-complexity is indeed NP-hard. Thus, Trellis State-Complexity
is NP-complete. Our proof is by reduction from the problem of computing the
pathwidth of a graph, which is known to be NP-hard [1],[2].
The rest of the paper is organized as follows. In Section 2, we lay down the def-
initions and notation necessary for our development. In Section 3, we sketch out
a proof of the fact that for any fixed finite field Fq , Trellis State-Complexity
is NP-complete. We have had to omit some of the details of the proof due to
space limitations; the complete proof can be found in our full paper [7]. We make
some concluding remarks in Section 4.

2 Preliminaries
A trellis T for a length-n linear code C over a finite field Fq is an edge-labelled
directed acyclic graph with certain properties. The vertex set, V , of T can be
partitioned into n + 1 disjoint subsets V0 , V1 , . . . , Vn , such that each (directed)
edge of T starts at Vi and ends at Vi+1 for some i ∈ {0, 1, . . . , n − 1}. The set Vi
is called the set of states at time index i. The set V0 consists of a unique initial
state v0 , and the set Vn consists of a unique terminal state vn . It is further
required that each state v ∈ V lie on some (directed) path from v0 to vn . Note
that each path from v0 to vn is of length exactly n. The edges of T are given
labels from Fq in such a way that the set of all label sequences associated with
paths from v0 to vn is precisely the code C.
200 N. Kashyap

It turns out that if T is the minimal trellis for a linear code C, then the
cardinalities of the sets Vi are all powers of q. It is thus convenient to define the
state-complexity profile of T to be the (n + 1)-tuple s = (s0 , s1 , . . . , sn ), where
si = logq (|Vi |). The state-complexity of T is then defined as smax = maxi si .
When T is the minimal trellis of C, there is an explicit expression known for the
si ’s. We will find it convenient to give this expression in terms of the connectivity
function of C, as defined below.
The set $[n] \stackrel{\mathrm{def}}{=} \{1, 2, \ldots, n\}$ is taken to be the coordinate set of the length-$n$
code $C$. Given a subset $J \subset [n]$, we let $C|_J$ denote the restriction of $C$ to
the coordinates with labels in $J$. In other words, $C|_J$ is the code obtained by
puncturing the coordinates in $J^c = [n] - J$. The connectivity function of the
code $C$ is the function $\lambda_C : 2^{[n]} \to \mathbb{Z}$ defined by

$$\lambda_C(J) = \dim(C|_J) + \dim(C|_{J^c}) - \dim(C), \tag{1}$$

for each $J \subset [n]$. It is obvious that for any $J \subset [n]$, we have $\lambda_C(J) \ge 0$ and
$\lambda_C(J) = \lambda_C(J^c)$. Observe also that $\lambda_C(\emptyset) = \lambda_C([n]) = 0$. Furthermore, some
elementary linear algebra suffices to verify that $\lambda_C(J) = \lambda_{C^\perp}(J)$ for any $J \subset [n]$.
The state-complexity profile of the minimal trellis of $C$ can now be expressed as
$s(C) = (s_0(C), s_1(C), \ldots, s_n(C))$, where $s_0(C) = s_n(C) = 0$, and for $1 \le i \le n-1$,

$$s_i(C) = \lambda_C(\{1, 2, \ldots, i\}). \tag{2}$$

Thus, the state-complexity of the minimal trellis of $C$ is given by $s_{\max}(C) =
\max_{i \in [n]} s_i(C)$. Note that since $\lambda_C(J) = \lambda_{C^\perp}(J)$ for any $J \subset [n]$, we have $s(C) =
s(C^\perp)$, and hence, $s_{\max}(C) = s_{\max}(C^\perp)$.
As mentioned in Section 1, different coordinate permutations of the same
code may result in codes with minimal trellises of very different complexities
[11, Example 5.1]. Therefore, letting $[C]$ denote the set of all codes that can be
obtained from a code $C$ by means of coordinate permutations, it is of interest to
define the trellis-width of the family $[C]$ as follows:

$$\mathrm{tw}[C] = \min_{C' \in [C]} s_{\max}(C') = \min_{C' \in [C]} \max_{i \in [n]} s_i(C'). \tag{3}$$

The main aim of this paper is to show that, given a code C, the problem of
computing the trellis-width of [C] is NP-hard. We accomplish this by reduction
from the known NP-hard problem of computing the pathwidth of a graph.

3 NP-Hardness of Trellis-Width
The notion of graph pathwidth was introduced by Robertson and Seymour in
[10]. Let $G$ be a graph with vertex set $V$. An ordered collection $\mathcal{V} = (V_1, \ldots, V_t)$,
$t \ge 1$, of subsets of $V$ is called a path-decomposition of $G$, if
(i) $\bigcup_{i=1}^{t} V_i = V$;
(ii) for each pair of adjacent vertices $u, v \in V$, we have $\{u, v\} \subset V_i$ for some $i \in [t]$; and
(iii) for $1 \le i < j < k \le t$, $V_i \cap V_k \subset V_j$.

[Fig. 1. Construction of $G'$ from $G$ (figure not reproduced).]

The width of such a path-decomposition $\mathcal{V}$ is defined to be $w_G(\mathcal{V}) = \max_{i \in [t]} |V_i| - 1$.
The pathwidth of $G$, denoted by $\mathrm{pw}(G)$, is the minimum among the widths of
all its path-decompositions. A path-decomposition $\mathcal{V}$ such that $w_G(\mathcal{V}) = \mathrm{pw}(G)$ is
called an optimal path-decomposition of $G$.
Let $\mathbb{F}_q$ be an arbitrary finite field. Given a graph $G$ with vertex set $V$, our aim is to
produce, in time polynomial in $|V|$, a matrix $A$ that generates a code $C$ over $\mathbb{F}_q$ such
that $\mathrm{pw}(G)$ can be directly computed from $\mathrm{tw}[C]$. The NP-hardness of computing
graph pathwidth then implies the NP-hardness of computing the trellis-width of $[C]$
for an arbitrary code $C$ over $\mathbb{F}_q$. We now describe our construction of the matrix $A$.
Let $G'$ be a graph defined on the same vertex set, $V$, as $G$, having the following
properties (see Figure 1):
(P1) $G'$ is loopless;
(P2) a pair of distinct vertices is adjacent in $G'$ iff it is adjacent in $G$; and
(P3) in $G'$, there are exactly two edges between each pair of adjacent vertices.
It is evident from the definition that $(V_1, \ldots, V_t)$ is a path-decomposition of $G$ iff it
is a path-decomposition of $G'$. Therefore, $\mathrm{pw}(G') = \mathrm{pw}(G)$.
Define $\overline{G}$ to be the graph obtained by adding an extra vertex, henceforth denoted
by $x$, to $G'$, along with a pair of parallel edges from $x$ to each $v \in V$ (see Figure 2).
We will denote by $\overline{V}$ and $\overline{E}$ the vertex and edge sets, respectively, of $\overline{G}$. Clearly, $\overline{G}$ is
constructible directly from $G$ in $O(|V|^2)$ time. But more importantly, the desired
matrix $A$ can be readily obtained from the graph $\overline{G}$. Indeed, letting $D(\overline{G})$ be any
directed graph obtained by arbitrarily assigning orientations to the edges of $\overline{G}$, we
simply take $A$ to be the vertex-edge incidence matrix of $D(\overline{G})$. This is the $|\overline{V}| \times |\overline{E}|$
matrix whose rows and columns are indexed by the vertices and directed edges,
respectively, of $D(\overline{G})$, and whose $(i,j)$th entry, $a_{i,j}$, is determined as follows:

$$a_{i,j} = \begin{cases} 1 & \text{if vertex } i \text{ is the tail of non-loop edge } j \\ -1 & \text{if vertex } i \text{ is the head of non-loop edge } j \\ 0 & \text{otherwise.} \end{cases}$$

Denote by $C$ the linear code over $\mathbb{F}_q$ generated by the matrix $A$. The trellis-width
of $[C]$ relates very simply to the pathwidth of the original graph $G$, as made precise
by the following proposition.
[Fig. 2. Construction of $\overline{G}$ from $G'$ (figure not reproduced).]

Proposition 1. $\mathrm{tw}[C] = \mathrm{pw}(G) + 1$.

Before proving the above proposition, we observe that it yields the desired NP-
hardness result. Indeed, it is easily checked that the matrix A can be constructed
directly from G in O(|V |3 ) time. Now, suppose that there were a polynomial-time
algorithm for computing the trellis-width of [C] for an arbitrary code C over Fq , the
code C being specified by some generator matrix. Then, given any graph G, we can
construct the matrix A, and then compute the trellis-width of [C], all in polynomial
time. Therefore, by Proposition 1, we have a polynomial-time algorithm to compute
the pathwidth of $G$. However, the graph pathwidth problem is NP-hard [1],[2].
So, if there exists a polynomial-time algorithm for it, then we must have P = NP.
This implies our main result.

Theorem 1. Let Fq be a fixed finite field. The problem of computing the trellis-
width of an arbitrary linear code over Fq , specified by any of its generator matrices,
is NP-hard.

Corollary 1. For any fixed finite field Fq , the decision problem Trellis State-
Complexity is NP-complete.
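To make the quantities of Section 2 and the construction of Section 3 concrete, here is a small Python script, added by the editor and not code from the paper. It computes $\lambda_C(J)$ from a generator matrix over a prime field $\mathbb{F}_p$, the state-complexity profile $s(C)$ and $s_{\max}(C)$ of equations (1) and (2), the trellis-width $\mathrm{tw}[C]$ of equation (3), and the incidence matrix $A$ of $\overline{G}$ for a given graph $G$. The paper gives no algorithm for $\mathrm{tw}[C]$; the exact dynamic programme over coordinate subsets used here is the editor's own formulation and enumerates $2^n$ subsets, so it is only usable for short codes. The $[4,2]$ code and the two graphs (a 3-vertex path, pathwidth 1, and a triangle, pathwidth 2) are constructed for the example; the script checks Proposition 1 on them.

```python
"""Connectivity function, state-complexity profile, trellis-width and the
graph-to-code reduction of Section 3, over a prime field GF(p).
Added example; the sample code and graphs below are constructed."""
from itertools import combinations


def rank_mod_p(rows, p):
    """Rank of a matrix (list of rows) over GF(p) by Gaussian elimination."""
    m = [[v % p for v in r] for r in rows]
    ncols = len(m[0]) if m else 0
    rank = 0
    for col in range(ncols):
        piv = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], p - 2, p)            # inverse of the pivot
        m[rank] = [(v * inv) % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(x - f * y) % p for x, y in zip(m[i], m[rank])]
        rank += 1
    return rank


def connectivity(G, J, p):
    """lambda_C(J) = dim(C|J) + dim(C|J^c) - dim(C), equation (1). C|J is
    generated by the columns of G indexed by J (other coordinates punctured)."""
    n = len(G[0])
    Jc = [j for j in range(n) if j not in J]
    cols = lambda idx: [[row[j] for j in idx] for row in G]
    return rank_mod_p(cols(J), p) + rank_mod_p(cols(Jc), p) - rank_mod_p(G, p)


def state_profile(G, p):
    """s(C) = (s_0, ..., s_n) with s_i = lambda_C({1, ..., i}), equation (2)."""
    return [connectivity(G, list(range(i)), p) for i in range(len(G[0]) + 1)]


def smax(G, p):
    """State-complexity of the minimal trellis of the code generated by G."""
    return max(state_profile(G, p))


def trellis_width(G, p):
    """tw[C] of equation (3): least smax over all coordinate permutations.
    Exact subset dynamic programme (the editor's formulation, not from the
    paper): lambda_C depends only on the prefix *set*, so the best ordering
    of a set S satisfies best[S] = max(lambda_C(S), min_{e in S} best[S - e])."""
    n = len(G[0])
    best = {0: 0}
    for size in range(1, n + 1):
        for J in combinations(range(n), size):
            S = sum(1 << j for j in J)
            best[S] = max(connectivity(G, list(J), p),
                          min(best[S ^ (1 << j)] for j in J))
    return best[(1 << n) - 1]


def reduction_code(vertices, edges, p):
    """Section 3: double every edge of G (l_uv, r_uv), add the apex x with two
    parallel edges to every vertex (l_xv, r_xv), orient each edge as written
    (first endpoint = tail), and return the incidence matrix A of D(G-bar)."""
    doubled = [e for (u, v) in edges for e in ((u, v), (u, v))]
    doubled += [e for v in vertices for e in (("x", v), ("x", v))]
    rows = list(vertices) + ["x"]
    idx = {v: i for i, v in enumerate(rows)}
    A = [[0] * len(doubled) for _ in rows]
    for j, (u, v) in enumerate(doubled):
        A[idx[u]][j] = 1 % p          # tail
        A[idx[v]][j] = (-1) % p       # head (equals 1 when p = 2)
    return A


if __name__ == "__main__":
    # The same [4,2] binary code in two coordinate orders: the phenomenon
    # the paper cites from [11, Example 5.1], on a tiny constructed code.
    grouped = [[1, 1, 0, 0], [0, 0, 1, 1]]
    interleaved = [[1, 0, 1, 0], [0, 1, 0, 1]]
    print(state_profile(grouped, 2), state_profile(interleaved, 2))   # [0,1,0,1,0] [0,1,2,1,0]
    print("tw =", trellis_width(interleaved, 2))                      # 1
    # Proposition 1: tw[C] = pw(G) + 1 for a 3-vertex path (pw 1) and a triangle (pw 2)
    path = reduction_code(["a", "b", "c"], [("a", "b"), ("b", "c")], 2)
    triangle = reduction_code(["a", "b", "c"], [("a", "b"), ("b", "c"), ("a", "c")], 2)
    print(trellis_width(path, 2), trellis_width(triangle, 2))         # 2 3
```

Over $\mathbb{F}_2$ the sign of the head entry is irrelevant; the rank identity (4) holds over every field because $A$ represents the graphic matroid of $\overline{G}$, so `trellis_width` returns the same value for the path with $p = 3$. A useful sanity check on the rewrite is that exchanging the two rows of a generator matrix never changes the profile, whereas exchanging two columns usually does.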
The remainder of this section is devoted to the proof of Proposition 1. Since $\mathrm{pw}(G')
= \mathrm{pw}(G)$, for the purpose of our proof, we may assume that $G' = G$. Thus, from now
until the end of this section, we take $G$ to be a loopless graph satisfying property
(P3) above. Note that $\overline{G}$ also satisfies (P3). For each pair of adjacent vertices $u, v$
in $G$ or $\overline{G}$, we denote by $l_{uv}$ and $r_{uv}$ the two edges between $u$ and $v$. Recall that $V$
and $E$ denote the sets of vertices and edges, respectively, of $G$, and that $\overline{V}$ and $\overline{E}$
denote the corresponding sets of $\overline{G}$. We thus have $\overline{V} = V \,\dot\cup\, \{x\}$, and $\overline{E} = E \,\dot\cup\,
\bigl(\bigcup_{v \in V} \{l_{xv}, r_{xv}\}\bigr)$.
We will make much use of a basic fact, stated next, about the $|\overline{V}| \times |\overline{E}|$ matrix $A$
whose construction was described above. For any $J \subset \overline{E}$, if $A|_J$ denotes the matrix
obtained by restricting $A$ to the columns indexed by the edges in $J$, then

$$\mathrm{rank}(A|_J) = \dim(C|_J) = r(J), \tag{4}$$

where rank and dim above are computed over the field $\mathbb{F}_q$, and $r(J)$ denotes the
number of edges in any spanning forest of the subgraph of $\overline{G}$ induced by $J$. To
be precise, letting $\overline{G}[J]$ denote the subgraph of $\overline{G}$ induced by $J$, we have $r(J) =
|V(\overline{G}[J])| - \omega(\overline{G}[J])$, where $\omega(\overline{G}[J])$ is the number of connected components of $\overline{G}[J]$.
Equation (4) can be inferred from [9, Proposition 5.1.2].
We shall identify the set $\overline{E}$ with the coordinate set of the code $C$ generated by
$A$. Given an ordering $\pi = (e_1, e_2, \ldots, e_n)$ of the elements of $\overline{E}$, we will denote by
$C^\pi$ the code obtained by putting the coordinates of $C$ in the order specified by $\pi$.
For any $J \subset \overline{E}$, and any ordering, $\pi$, of $\overline{E}$, we have by virtue of (4),

$$\lambda_{C^\pi}(J) = \lambda_C(J) = r(J) + r(\overline{E} - J) - r(\overline{E}) = r(J) + r(\overline{E} - J) - |V|, \tag{5}$$

the last equality above following from the fact that $\omega(\overline{G}) = 1$ since $\overline{G}$ is connected
(each $v \in V$ is adjacent to $x$), so that $r(\overline{E}) = |\overline{V}| - 1 = |V|$.
We are now in a position to begin the proof of Proposition 1. We will first prove
that $\mathrm{tw}[C] \le \mathrm{pw}(G) + 1$. Let $\mathcal{V} = (V_1, \ldots, V_t)$ be a path-decomposition of $G$. We
need the following fact about $\mathcal{V}$: for each $j \in [t]$,

$$\Bigl(\bigcup_{i \le j} V_i\Bigr) \cap \Bigl(\bigcup_{k \ge j} V_k\Bigr) = V_j. \tag{6}$$

The above equality follows from the fact that a path-decomposition, by definition,
has the property that for $1 \le i < j < k \le t$, $V_i \cap V_k \subset V_j$.
For $j \in [t]$, let $F_j$ be the set of edges of $G$ that have both their end-points in $V_j$.
By condition (ii) in the definition of path-decomposition, $\bigcup_{j=1}^{t} F_j = E$. Now, let
$\overline{F}_j = F_j \cup \bigl(\bigcup_{v \in V_j} \{l_{xv}, r_{xv}\}\bigr)$, so that $\bigcup_{j=1}^{t} \overline{F}_j = \overline{E}$.

Definition 1. An ordering $(e_1, \ldots, e_n)$ of the edges of $\overline{G}$ is said to induce an ordered
partition $(E_1, \ldots, E_t)$ of $\overline{E}$ if for each $j \in [t]$, $\{e_{n_{j-1}+1}, e_{n_{j-1}+2}, \ldots, e_{n_j}\} = E_j$,
where $n_j = \sum_{i \le j} |E_i|$ (and $n_0 = 0$).

Let $\pi = (e_1, \ldots, e_n)$ be any ordering of $\overline{E}$ that induces the ordered partition
$(E_1, E_2, \ldots, E_t)$, where for each $j \in [t]$, $E_j = \overline{F}_j - \bigcup_{i < j} \overline{F}_i$. We claim that the
state-complexity of the minimal trellis of $C^\pi$ is at most one more than the width of
the path-decomposition $\mathcal{V}$.

Lemma 1. $s_{\max}(C^\pi) \le w_G(\mathcal{V}) + 1$.

Proof. Observe first that

$$s_{\max}(C^\pi) = \max_{j \in [t]} \max_{1 \le k \le n_j - n_{j-1}} \lambda_{C^\pi}\Bigl(\bigcup_{i < j} E_i \cup \{e_{n_{j-1}+1}, \ldots, e_{n_{j-1}+k}\}\Bigr) \le \max_{j \in [t]} \max_{E' \subset E_j} \lambda_{C^\pi}\Bigl(\bigcup_{i < j} E_i \cup E'\Bigr). \tag{7}$$

Let $X = \bigcup_{i < j} E_i \cup E'$ for some $j \in [t]$ and $E' \subset E_j$. By (5), $\lambda_{C^\pi}(X) = r(X) +
r(\overline{E} - X) - |V|$. If $v$ is a vertex of $\overline{G}$ incident with an edge in $X$, then $v \in \bigl(\bigcup_{i \le j} V_i\bigr) \,\dot\cup\,
\{x\}$. So, the subgraph of $\overline{G}$ induced by $X$ has its vertices contained in $\bigl(\bigcup_{i \le j} V_i\bigr) \,\dot\cup\, \{x\}$.
Therefore, $r(X) \le \bigl|\bigl(\bigcup_{i \le j} V_i\bigr) \,\dot\cup\, \{x\}\bigr| - 1 = \bigl|\bigcup_{i \le j} V_i\bigr|$.
Next, consider $\overline{E} - X = \bigl(\bigcup_{k > j} E_k\bigr) \cup (E_j - E')$. Reasoning as above, the
subgraph of $\overline{G}$ induced by $\overline{E} - X$ has its vertices contained in $\bigl(\bigcup_{k \ge j} V_k\bigr) \,\dot\cup\, \{x\}$. Hence,
$r(\overline{E} - X) \le \bigl|\bigcup_{k \ge j} V_k\bigr|$.
Therefore, we have

$$\lambda_{C^\pi}(X) \le \Bigl|\bigcup_{i \le j} V_i\Bigr| + \Bigl|\bigcup_{k \ge j} V_k\Bigr| - |V| = \Bigl|\bigcup_{i \le j} V_i \cap \bigcup_{k \ge j} V_k\Bigr| = |V_j|,$$

the last equality arising from (6). Hence, carrying on from (7),

$$s_{\max}(C^\pi) \le \max_{j \in [t]} |V_j| = w_G(\mathcal{V}) + 1,$$

as desired. □

The fact that $\mathrm{tw}[C] \le \mathrm{pw}(G) + 1$ easily follows from the above lemma. Indeed,
we may choose $\mathcal{V}$ to be an optimal path-decomposition of $G$. Then, by Lemma 1,
there exists an ordering $\pi$ of $\overline{E}$ such that $s_{\max}(C^\pi) \le \mathrm{pw}(G) + 1$. Hence, $\mathrm{tw}[C] \le
s_{\max}(C^\pi) \le \mathrm{pw}(G) + 1$.
We prove the reverse inequality in two steps, first showing that $\mathrm{pw}(\overline{G}) = \mathrm{pw}(G) +
1$, and then showing that $\mathrm{tw}[C] \ge \mathrm{pw}(\overline{G})$.

Lemma 2. $\mathrm{pw}(\overline{G}) = \mathrm{pw}(G) + 1$.

Proof. Clearly, if $\mathcal{V} = (V_1, \ldots, V_t)$ is a path-decomposition of $G$, then $\overline{\mathcal{V}} = (V_1 \cup
\{x\}, \ldots, V_t \cup \{x\})$ is a path-decomposition of $\overline{G}$. Hence, choosing $\mathcal{V}$ to be an optimal
path-decomposition of $G$, we have that $\mathrm{pw}(\overline{G}) \le w_{\overline{G}}(\overline{\mathcal{V}}) = w_G(\mathcal{V}) + 1 = \mathrm{pw}(G) + 1$.
For the inequality in the other direction, we will show that there exists an optimal
path-decomposition, $\mathcal{V}' = (V'_1, \ldots, V'_s)$, of $\overline{G}$ such that $x \in V'_i$ for all $i \in [s]$.
We then have $\mathcal{V} = (V'_1 - \{x\}, \ldots, V'_s - \{x\})$ being a path-decomposition of $G$, and
hence, $\mathrm{pw}(G) \le w_G(\mathcal{V}) = w_{\overline{G}}(\mathcal{V}') - 1 = \mathrm{pw}(\overline{G}) - 1$.
Let $\overline{\mathcal{V}} = (\overline{V}_1, \ldots, \overline{V}_t)$ be an optimal path-decomposition of $\overline{G}$, and let $i_0 =
\min\{i : x \in \overline{V}_i\}$ and $i_1 = \max\{i : x \in \overline{V}_i\}$. Since $\overline{V}_i \cap \overline{V}_k \subset \overline{V}_j$ for $i < j < k$, we
must have $x \in \overline{V}_i$ for each $i \in [i_0, i_1]$.
We claim that $(\overline{V}_{i_0}, \overline{V}_{i_0+1}, \ldots, \overline{V}_{i_1})$ is a path-decomposition of $\overline{G}$. We only have
to show that $\bigcup_{i=i_0}^{i_1} \overline{V}_i = \overline{V}$, and that for each pair of adjacent vertices $u, v \in \overline{V}$,
$\{u, v\} \subset \overline{V}_i$ for some $i \in [i_0, i_1]$. To see why the first assertion is true, consider
any $v \in \overline{V}$, $v \ne x$. Since $x$ is adjacent to $v$, and $\overline{\mathcal{V}}$ is a path-decomposition of $\overline{G}$,
$\{x, v\} \subset \overline{V}_i$ for some $i \in [t]$. However, $x \in \overline{V}_i$ iff $i \in [i_0, i_1]$, and so, $\{x, v\} \subset \overline{V}_i$
for some $i \in [i_0, i_1]$. In particular, $v \in \overline{V}_i$ for some $i \in [i_0, i_1]$.
For the second assertion, suppose that $u, v$ is a pair of vertices adjacent in $\overline{G}$.
Obviously, $\{u, v\} \subset \overline{V}_j$ for some $j \in [t]$. Suppose that $j \notin [i_0, i_1]$. We consider the
case when $j > i_1$; the case when $j < i_0$ is similar. As $\bigcup_{i=i_0}^{i_1} \overline{V}_i = \overline{V}$, there exist
$i_2, i_3 \in [i_0, i_1]$ such that $u \in \overline{V}_{i_2}$ and $v \in \overline{V}_{i_3}$. Without loss of generality (WLOG),
$i_2 \le i_3$. If $i_2 = i_3$, then there exists $i \in [i_0, i_1]$ such that $\{u, v\} \subset \overline{V}_i$. If $i_2 < i_3$, we
have $u \in \overline{V}_{i_2} \cap \overline{V}_j$ and $i_2 < i_3 < j$. Hence, $u \in \overline{V}_{i_3}$ as well, and so once again, we
have an $i \in [i_0, i_1]$ such that $\{u, v\} \subset \overline{V}_i$.
Thus, $(\overline{V}_{i_0}, \overline{V}_{i_0+1}, \ldots, \overline{V}_{i_1})$ is a path-decomposition of $\overline{G}$, with the property that
$x \in \overline{V}_i$ for all $i \in [i_0, i_1]$. It must be an optimal path-decomposition, since it is a
subsequence of the optimal path-decomposition $\overline{\mathcal{V}}$. □

To complete the proof of Proposition 1, it remains to show that $\mathrm{tw}[C] \ge \mathrm{pw}(\overline{G})$. We
introduce some notation at this point. Recall that the two edges between a pair of
adjacent vertices $u$ and $v$ in $G$ (or $\overline{G}$) are denoted by $l_{uv}$ and $r_{uv}$. We define

$$L_G = \{l_{uv} : u, v \text{ are adjacent vertices in } G\}, \qquad R_G = \{r_{uv} : u, v \text{ are adjacent vertices in } G\},$$

$L_x = \bigcup_{v \in V} \{l_{xv}\}$ and $R_x = \bigcup_{v \in V} \{r_{xv}\}$, where $x$ is the distinguished vertex in
$\overline{V} - V$. For $L \subset L_x$, define the closure of $L$ to be the set $\mathrm{cl}(L) = L \cup \{r_{xu} : l_{xu} \in
L\} \cup \{l_{uv}, r_{uv} : l_{xu}, l_{xv} \in L\}$. Note that $\mathrm{cl}(L_x) = \overline{E}$.
Our argument rests on the next lemma, whose somewhat technical proof we omit
here. We refer the reader instead to the proof given in [7].

Lemma 3. There exists an ordering $\pi = (e_1, \ldots, e_n)$ of $\overline{E}$ with the following
properties:
(a) $s_{\max}(C^\pi) = \mathrm{tw}[C]$.
(b) The ordering $\pi$ induces an ordered partition of $\overline{E}$ of the form
$$(L_1, A_1, B_1, R_1, L_2, A_2, B_2, R_2, \ldots, L_t, A_t, B_t, R_t),$$
where for each $j \in [t]$, $L_j \subset L_x$, $A_j \subset L_G$, $B_j \subset R_G$ and $R_j \subset R_x$. Moreover, for
each $u, v \in \overline{V}$, $l_{uv} \in L_j \cup A_j$ iff $r_{uv} \in B_j \cup R_j$.
(c) For the ordered partition in (b), we have for each $j \in [t]$,
$$A_j \cup B_j \subset \mathrm{cl}\Bigl(\bigcup_{i \le j} L_i\Bigr) - \mathrm{cl}\Bigl(\bigcup_{i < j} L_i\Bigr).$$

We can now furnish the last remaining piece of the proof of Proposition 1.

Lemma 4. $\mathrm{tw}[C] \ge \mathrm{pw}(\overline{G})$.


Proof. Let $\pi = (e_1, \ldots, e_n)$ be an ordering of $\overline{E}$ having the properties guaranteed
by Lemma 3. This ordering induces an ordered partition $(L_1, A_1, B_1, R_1, \ldots, L_t,
A_t, B_t, R_t)$ of $\overline{E}$, as in Lemma 3(b). For $j \in [t]$, define $Y_j = \bigcup_{i < j} (L_i \cup A_i \cup B_i \cup
R_i) \cup (L_j \cup A_j)$, and $\overline{Y}_j = \overline{E} - Y_j = \bigcup_{i > j} (L_i \cup A_i \cup B_i \cup R_i) \cup (B_j \cup R_j)$. Letting
$\overline{G}[Y_j]$ and $\overline{G}[\overline{Y}_j]$ denote the subgraphs of $\overline{G}$ induced by $Y_j$ and $\overline{Y}_j$, respectively, set
$V_j = V(\overline{G}[Y_j]) \cap V(\overline{G}[\overline{Y}_j])$. In other words, $V_j$ is the set of vertices common to both
$\overline{G}[Y_j]$ and $\overline{G}[\overline{Y}_j]$. It is easily checked that $\mathcal{V} = (V_1, \ldots, V_t)$ is a path-decomposition
of $\overline{G}$. Note that

$$|V_j| = |V(\overline{G}[Y_j])| + |V(\overline{G}[\overline{Y}_j])| - |\overline{V}|.$$

We next observe that $\overline{G}[Y_j]$ and $\overline{G}[\overline{Y}_j]$ are connected graphs. From Lemma 3(c),
we have that $Y_j \subset \mathrm{cl}\bigl(\bigcup_{i \le j} L_i\bigr)$. Therefore, for any edge $l_{uv}$ (or $r_{uv}$) in $Y_j - \bigcup_{i \le j} L_i$,
both $l_{xu}$ and $l_{xv}$ must be in some $L_i$, $i \le j$. Thus, in $\overline{G}[Y_j]$, each vertex $v \ne x$ is
adjacent to $x$, which shows that $\overline{G}[Y_j]$ is connected.
Consider any vertex $v \ne x$ in $\overline{G}[\overline{Y}_j]$, such that $r_{xv} \notin \overline{Y}_j$. Then, $r_{uv} \in \overline{Y}_j$ for
some $u \ne x$. So, $r_{uv} \in B_k$ for some $k \ge j$. By Lemma 3(c), $r_{uv} \in \mathrm{cl}\bigl(\bigcup_{i \le k} L_i\bigr) -
\mathrm{cl}\bigl(\bigcup_{i < k} L_i\bigr)$. This implies that either $l_{xu} \in L_k$ or $l_{xv} \in L_k$. Hence, either $r_{xu} \in R_k$
or $r_{xv} \in R_k$. However, $r_{xv}$ cannot be in $R_k$, since $r_{xv} \notin \overline{Y}_j$, and so, $r_{xu} \in R_k$. Thus,
$(r_{xu}, r_{uv})$ forms a path in $\overline{G}[\overline{Y}_j]$ from $x$ to $v$. It follows that $\overline{G}[\overline{Y}_j]$ is connected.
Therefore, by (5),

$$\lambda_{C^\pi}(Y_j) = r(Y_j) + r(\overline{Y}_j) - |V| = (|V(\overline{G}[Y_j])| - 1) + (|V(\overline{G}[\overline{Y}_j])| - 1) - (|\overline{V}| - 1) = |V_j| - 1.$$

Hence, from Lemma 3(a),

$$\mathrm{tw}[C] = s_{\max}(C^\pi) \ge \max_{j \in [t]} \lambda_{C^\pi}(Y_j) = \max_{j \in [t]} |V_j| - 1 = w_{\overline{G}}(\mathcal{V}) \ge \mathrm{pw}(\overline{G}),$$

which proves the lemma. □

The proof of Proposition 1 is now complete.

4 Concluding Remarks
The main contribution of this paper was to show that the decision problem Trellis
State-Complexity is NP-complete, thus settling a long-standing conjecture.
Now, the situation is rather different if we consider a variation of the problem in
which the integer $w$ is not taken to be a part of the input to the problem. In other
words, consider the following problem:
Problem: Weak Trellis State-Complexity
Let $\mathbb{F}_q$ be a fixed finite field, and let $w$ be a fixed positive integer.
Instance: An $m \times n$ generator matrix for a linear code $C$ over $\mathbb{F}_q$.
Question: Is there a coordinate permutation of $C$ that yields a code $C'$ whose
minimal trellis has state-complexity at most $w$?
There is good reason to believe that this problem is solvable in polynomial time.
We again refer the reader to our full paper [7] for evidence in support of this belief.

Acknowledgment

The author would like to thank Jim Geelen for contributing some of his ideas to
this paper.

References
1. Arnborg, S., Corneil, D.G., Proskurowski, A.: Complexity of Finding Embeddings
in a K-Tree. SIAM J. Alg. Disc. Math 8, 277–284 (1987)
2. Bodlaender, H.L.: A Tourist Guide Through Treewidth. Acta Cybernetica 11, 1–23
(1993)
3. Forney Jr., G.D.: Dimension/Length Profiles and Trellis Complexity of Linear Block
Codes. IEEE Trans. Inform. Theory 40(6), 1741–1752 (1994)
4. Forney Jr., G.D.: Codes on Graphs: Constraint Complexity of Cycle-Free Realiza-
tions of Linear Codes. IEEE Trans. Inform. Theory 49(7), 1597–1610 (2003)
5. Horn, G.B., Kschischang, F.R.: On The Intractability of Permuting a Block Code to
Minimize Trellis Complexity. IEEE Trans. Inform. Theory 42(6), 2042–2048 (1996)
6. Jain, K., Măndoiu, I., Vazirani, V.V.: The “Art of Trellis Decoding” is Computa-
tionally Hard — for Large Fields. IEEE Trans. Inform. Theory 44(3), 1211–1214
(1998)
7. Kashyap, N.: Matroid Pathwidth and Code Trellis Complexity. SIAM J. Discrete
Math. ArXiv e-print 0705.1384 (to appear)
8. Massey, J.L.: Foundation and Methods of Channel Encoding. In: 1978 Int. Conf.
Inform. Theory and Systems, vol. 65, NTG-Fachberichte, Berlin, Germany (1978)
9. Oxley, J.G.: Matroid Theory. Oxford University Press, Oxford, UK (1992)
10. Robertson, N., Seymour, P.D.: Graph Minors. I. Excluding a Forest. J. Combin. The-
ory, Ser. B 35, 39–61 (1983)
11. Vardy, A.: Trellis Structure of Codes. In: Brualdi, R., Huffman, C., Pless, V. (eds.)
Handbook of Coding Theory, Elsevier, Amsterdam, The Netherlands (1998)
On the Structure of Inversive Pseudorandom
Number Generators

Harald Niederreiter¹ and Arne Winterhof²

¹ Department of Mathematics, National University of Singapore,
2 Science Drive 2, Singapore 117543, Republic of Singapore
[email protected]
² Johann Radon Institute for Computational and Applied Mathematics,
Austrian Academy of Sciences, Altenbergerstr. 69, 4040 Linz, Austria
[email protected]

Abstract. We analyze the lattice structure and linear complexity of a
new inversive pseudorandom number generator recently introduced by
Niederreiter and Rivat. In particular, we introduce a new lattice test
which is much stronger than its predecessors and prove that this new
generator passes it up to very high dimensions. Such a result cannot be
obtained for the conventional inversive generator with currently known
methods. We also analyze the behavior of two explicit inversive generators
under this new test and present lower bounds on the linear complexity
profile of binary sequences derived from these three inversive generators.

1 Introduction

Let $(\eta_n)$, $n = 0, 1, \ldots$, be a $T$-periodic sequence over the finite field $\mathbb{F}_q$ of $q$
elements. For given integers $s \ge 1$, $0 < d_1 < d_2 < \ldots < d_{s-1} < T$, and $N \ge 2$,
we say that $(\eta_n)$ passes the $s$-dimensional $N$-lattice test with lags $d_1, \ldots, d_{s-1}$ if
the vectors $\{\boldsymbol{\eta}_n - \boldsymbol{\eta}_0 : 1 \le n \le N-1\}$ span $\mathbb{F}_q^s$, where

$$\boldsymbol{\eta}_n = (\eta_n, \eta_{n+d_1}, \ldots, \eta_{n+d_{s-1}}), \qquad 0 \le n \le N-1.$$

In the case di = i for 1 ≤ i ≤ s − 1, this test coincides essentially with the lattice
test introduced in [6] and further analyzed in [4,5,6,7,11,24]. The latter lattice
test is closely related to the concept of the linear complexity profile, see [6,7,22].
If additionally q is a prime and N ≥ T , this special lattice test was proposed by
Marsaglia [13].
If $(\eta_n)$ passes the $s$-dimensional $N$-lattice test for all possible choices of lags,
then it passes all $s'$-dimensional $N$-lattice tests for all possible choices of lags
for $s' \le s$ as well. Conversely, if $(\eta_n)$ fails the $s$-dimensional $N$-lattice test for
a particular choice of lags, then it fails all $s'$-dimensional $N$-lattice tests with
the same first $s$ lags for $s' \ge s$. The greatest $s$ such that $(\eta_n)$ satisfies the
$s$-dimensional $N$-lattice test for all lags $d_1, \ldots, d_{s-1}$ is denoted by $S(\eta_n, N)$, i.e.,

$$S(\eta_n, N) = \max\Bigl\{ s : \forall\, 0 < d_1 < \ldots < d_{s-1} < T : \bigl\langle (\eta_n - \eta_0, \eta_{n+d_1} - \eta_{d_1}, \ldots, \eta_{n+d_{s-1}} - \eta_{d_{s-1}}),\ 1 \le n < N \bigr\rangle = \mathbb{F}_q^s \Bigr\}.$$

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 208–216, 2007.
© Springer-Verlag Berlin Heidelberg 2007

On the Structure of Inversive Pseudorandom Number Generators 209

For given $\alpha \in \mathbb{F}_q^*$ and $\beta \in \mathbb{F}_q$, let $\psi$ be the permutation of $\mathbb{F}_q$ defined by

$$\psi(\gamma) = \begin{cases} \alpha\gamma^{-1} + \beta & \text{if } \gamma \ne 0, \\ \beta & \text{if } \gamma = 0. \end{cases} \tag{1}$$

We can construct a sequence $(\gamma_n)$ of elements of $\mathbb{F}_q$ by the recurrence relation

$$\gamma_n = \psi(\gamma_{n-1}) \quad \text{for } n = 1, 2, \ldots, \tag{2}$$

where $\gamma_0$ is the initial value. It is obvious that the sequence (2) is purely periodic
with least period $t \le q$. Conditions on $\alpha$ and $\beta$ that guarantee the largest possible
value $t = q$ are known (see [3,18]).
The map ψ in (1) is the basis for the family of inversive generators of pseudo-
random numbers which can be traced back to the paper [8]. This family includes
the recursive inversive generator, the compound inversive generator, the digi-
tal inversive generator, and others. Pseudorandom numbers produced by inver-
sive generators have attractive distribution and structural properties. We refer
to [10,21,23] for surveys on inversive and related generators.
In [12] and [20] the study of the (non-)linear complexity profile and the distribution
properties of the sequence (2), respectively, used the sequence $R_0, R_1, \ldots$
of rational functions over $\mathbb{F}_q$ defined by

$$R_0(X) = X, \qquad R_n(X) = R_{n-1}(\alpha X^{-1} + \beta) \quad \text{for } n = 1, 2, \ldots,$$

where again $\alpha \in \mathbb{F}_q^*$ and $\beta \in \mathbb{F}_q$. It was proved in [20, Lemma 2] that there
exist distinct elements $\varepsilon_1, \ldots, \varepsilon_{t-1}$ of $\mathbb{F}_q$ such that

$$R_n(X) = \frac{(\beta - \varepsilon_n)X + \alpha}{X - \varepsilon_n} \quad \text{for } 1 \le n \le t-1.$$

In [19, Lemma 1] this result was extended by proving that the sequence of
rational functions $R_0, R_1, \ldots$ is purely periodic with least period $T \le q + 1$
(obviously $t \le T$), and that there exist distinct elements $\varepsilon_1, \ldots, \varepsilon_{T-1}$ of $\mathbb{F}_q$ such
that the same equality above holds.
For $0 \le n \le t-1$, using the fact that $\psi$ is a permutation, by (1) we have
$R_n(\gamma) = \psi^n(\gamma)$ for all but at most $n$ elements $\gamma \in \mathbb{F}_q$. For the purposes of the
papers [12,20], it was possible to keep the influence of this exceptional set under
control, but this is not always the case. Therefore for $1 \le n \le T-1$, Niederreiter
and Rivat [19] introduced the alternative permutations of $\mathbb{F}_q$ defined by

$$\psi_n(\gamma) = \begin{cases} R_n(\gamma) & \text{if } \gamma \ne \varepsilon_n, \\ \beta - \varepsilon_n & \text{if } \gamma = \varepsilon_n, \end{cases}$$
210 H. Niederreiter and A. Winterhof

and built from a seed $\gamma_0 \in \mathbb{F}_q$ a sequence $(\gamma_n)$ of elements of $\mathbb{F}_q$, purely periodic
of period $T$, by putting
$$\gamma_n = \psi_n(\gamma_0) \quad \text{for } 1 \le n \le T-1. \tag{3}$$
The least period of this sequence can be smaller than $T$.
The advantage of this construction is that for $m, n \ge 0$, we have
$$\psi_m(\psi_n(\gamma)) = R_{m+n}(\gamma) \quad \text{for } \gamma \ne \varepsilon_n \text{ and } \psi_n(\gamma) \ne \varepsilon_m. \tag{4}$$
The price is a slightly more complicated algorithm to compute γn (see [19, Sec-
tion 2]). The new construction allowed the authors of [19] to prove much stronger
distribution and correlation properties of the generated sequences, as compared
to the case of the standard generator (2). It will also allow us to prove a strong
lower bound on S(γn , N ).
Let us observe that both constructions (2) and (3) need $\beta \ne 0$ to be of interest.
We will assume this condition in the sequel. Moreover, it is reasonable to assume
that
$$\gamma_0^2 \ne \beta\gamma_0 + \alpha. \tag{5}$$
Indeed if $\gamma_0^2 = \beta\gamma_0 + \alpha$, then for $1 \le n \le T-1$ such that $\varepsilon_n \ne \gamma_0$ we have
$$\gamma_n = \psi_n(\gamma_0) = R_n(\gamma_0) = \frac{(\beta - \varepsilon_n)\gamma_0 + \alpha}{\gamma_0 - \varepsilon_n} = \frac{\gamma_0^2 - \varepsilon_n\gamma_0}{\gamma_0 - \varepsilon_n} = \gamma_0,$$
so that the sequence $(\gamma_n)$ generated by (3) is almost constant and not of much
interest. In [19, Lemma 2] it was shown that for $\beta \in \mathbb{F}_q^*$ and $\gamma_0$ satisfying (5), the
sequence $(\gamma_n)$ defined by (3) is purely periodic with least period $T$ and contains
at least $T-1$ distinct elements of $\mathbb{F}_q$. It has least period $T = q + 1$ if the
polynomial $X^2 - \beta X - \alpha$ is primitive over $\mathbb{F}_q$ by [19, Theorem 1].
Our main goal in this paper is to study the behavior of the sequence defined
by (3) under the new lattice test. Essentially the same method also provides
lower bounds on the linear complexity profile over IFq of these sequences.
We recall that the linear complexity profile $L(\eta_n, N)$ of an infinite sequence
$(\eta_n)$, $n = 0, 1, \ldots$, over the field $\mathbb{F}$ is the function which for every integer $N \ge 1$
is defined as the length $L$ of a shortest linear recurrence relation
$$\eta_{n+L} = a_{L-1}\eta_{n+L-1} + \cdots + a_0\eta_n, \qquad 0 \le n \le N - L - 1,$$
with $a_0, \ldots, a_{L-1} \in \mathbb{F}$, which is satisfied by the first $N$ terms of this sequence.
If $(\eta_n)$ starts with $N-1$ zeros, then we define $L(\eta_n, N) = 0$ if $\eta_{N-1} = 0$ and
$L(\eta_n, N) = N$ if $\eta_{N-1} \ne 0$.
In contrast to the generator (2), we are able to analyze the behavior of the
following two explicit inversive generators under the new lattice test.
For a prime $p \ge 3$, the explicit inversive congruential generator of period $p$
was introduced in [9] as the sequence $(z_n)$ defined by
$$z_n = (an + b)^{p-2}, \quad n = 0, \ldots, p-1, \qquad z_{n+p} = z_n, \quad n \ge 0, \tag{6}$$
with $a, b \in \mathbb{F}_p$, $a \ne 0$. Its linear complexity profile was analyzed in [16].

Explicit inversive generators can also be defined for other periods, see [17]
where also a lower bound on the linear complexity profile of these sequences is
given. Let $\alpha, \beta, \gamma \in \mathbb{F}_q^*$ and $t \mid (q-1)$ be the order of $\gamma$ in the group $\mathbb{F}_q^*$. We call
a sequence $(\eta_n)$ defined by

$$\eta_n = \overline{\alpha\gamma^n + \beta}, \qquad n \ge 0, \tag{7}$$

an explicit inversive pseudorandom number generator of least period $t$, where

$$\overline{\eta} = \begin{cases} \eta^{-1} & \text{if } \eta \in \mathbb{F}_q^*, \\ 0 & \text{if } \eta = 0. \end{cases}$$

In [19, Section 5],[15], and [2], corresponding pseudorandom binary sequences


were considered and bounds on their correlation measures in the sense of Mauduit
and Sárközy [14] were established. We use a general inequality of [1] to derive a
lower bound on the linear complexity profile of these binary sequences from the
bound on their correlation measure. These bounds cannot be obtained for the
conventional inversive generator (2) with current methods.

2 Lattice Structure
In the algorithm for the generation of the sequence (3), we continue to assume
the conditions $\beta \ne 0$ and (5).

Theorem 1. For the sequence of elements $(\gamma_n)$ defined by (3), we have
$$S(\gamma_n, N) \ge \frac{N}{3} - 1 \quad \text{for } 2 \le N \le T.$$
Proof. We assume that the sequence $(\gamma_n)$ does not pass the $s$-dimensional $N$-
lattice test for some lags $0 < d_1 < d_2 < \ldots < d_{s-1} < T$. Put
$$\boldsymbol{\gamma}_n = (\gamma_n, \gamma_{n+d_1}, \gamma_{n+d_2}, \ldots, \gamma_{n+d_{s-1}}) \quad \text{for } n \ge 0$$
and let $V$ be the subspace of $\mathbb{F}_q^s$ spanned by all $\boldsymbol{\gamma}_n - \boldsymbol{\gamma}_0$ for $0 \le n \le N-1$. Then
$\dim(V) < s$ and $\dim(V^\perp) \ge 1$. Take $0 \ne \boldsymbol{\alpha} \in V^\perp$, then
$$\boldsymbol{\alpha} \cdot (\boldsymbol{\gamma}_n - \boldsymbol{\gamma}_0) = 0 \quad \text{for } 0 \le n \le N-1,$$
and thus
$$\boldsymbol{\alpha} \cdot \boldsymbol{\gamma}_n = \boldsymbol{\alpha} \cdot \boldsymbol{\gamma}_0 =: b \quad \text{for } 0 \le n \le N-1,$$
where $\cdot$ denotes the usual inner product. If $\boldsymbol{\alpha} = (\alpha_0, \alpha_1, \ldots, \alpha_{s-1})$, then let $j$ be
the smallest index with $\alpha_j \ne 0$ (so $0 \le j < s$). Then with $d_0 := 0$ if $j = 0$,
$$\alpha_j\gamma_{n+d_j} + \alpha_{j+1}\gamma_{n+d_{j+1}} + \cdots + \alpha_{s-1}\gamma_{n+d_{s-1}} = b \quad \text{for } 0 \le n \le N-1. \tag{8}$$
Next we show that for at least $N - 2s$ different elements $\gamma_{n+d_j}$, $0 \le n \le N-1$,
we have
$$\gamma_{n+d_i} = R_{d_i - d_j}(\gamma_{n+d_j}) \quad \text{for } j+1 \le i \le s-1.$$
If we have $\gamma_{n+d_i} \ne R_{d_i - d_j}(\gamma_{n+d_j})$ for some $j+1 \le i \le s-1$, then by (3) and
(4) we have either
$$\psi_{n+d_i}(\gamma_0) \ne R_{n+d_i}(\gamma_0), \qquad \psi_{n+d_j}(\gamma_0) \ne R_{n+d_j}(\gamma_0),$$
$$\text{or} \quad \psi_{d_i - d_j}(\gamma_{n+d_j}) \ne R_{d_i - d_j}(\gamma_{n+d_j}),$$
or equivalently
$$\gamma_0 = \varepsilon_{n+d_i}, \qquad \gamma_0 = \varepsilon_{n+d_j}, \qquad \text{or} \quad \gamma_{n+d_j} = \varepsilon_{d_i - d_j}.$$
(Otherwise we had $R_{d_i - d_j}(\gamma_{n+d_j}) = \psi_{d_i - d_j}(\gamma_{n+d_j}) = \psi_{d_i - d_j}(\psi_{n+d_j}(\gamma_0)) =
R_{n+d_i}(\gamma_0) = \psi_{n+d_i}(\gamma_0) = \gamma_{n+d_i}$.) Here $\varepsilon_m = \varepsilon_r$ if $r$ is the least residue of $m \in \mathbb{Z}$
modulo $T$, with $\varepsilon_0$ arbitrary but not in $\mathbb{F}_q$ (since $\psi_0(X) = X$ has no pole, but
the notation is more convenient if we use a fixed $\varepsilon_0 \notin \mathbb{F}_q$). For fixed $i$ the first
equation can occur for at most one $n$, giving at most $s - 1 - j$ exceptions. The
second equation can occur at most once. The third equation leads again to at
most $s - 1 - j$ exceptions. Summarizing we get at most $2(s - 1 - j) + 1 \le 2s - 1$
exceptions. By a remark in Section 1, at least $N - 1$ of the $N$ terms $\gamma_{n+d_j}$,
$0 \le n \le N-1$, of the sequence $(\gamma_n)$ are distinct. Hence in view of (8),
$$\alpha_j\gamma_{n+d_j} + \alpha_{j+1}R_{d_{j+1} - d_j}(\gamma_{n+d_j}) + \cdots + \alpha_{s-1}R_{d_{s-1} - d_j}(\gamma_{n+d_j}) = b$$
for at least $(N-1) - (2s-1) = N - 2s$ different elements $\gamma_{n+d_j}$. Using the
explicit representation of the rational functions $R_n$ in Section 1, we see that the
polynomial of degree $s - j \le s$ given by
$$F(X) = (\alpha_j X - b)\prod_{i=j+1}^{s-1}(X - \varepsilon_{d_i - d_j}) + \sum_{k=j+1}^{s-1} \alpha_k\bigl((\beta - \varepsilon_{d_k - d_j})X + \alpha\bigr)\prod_{\substack{i=j+1 \\ i \ne k}}^{s-1}(X - \varepsilon_{d_i - d_j})$$
has at least $N - 2s$ zeros. This implies $s \ge N - 2s$, whence the result. □

Corollary 1. For the sequence of elements $(\gamma_n)$ defined by (3), the linear complexity
profile over $\mathbb{F}_q$ satisfies
$$L(\gamma_n, N) \ge \frac{N}{4} - 1 \quad \text{for } 1 \le N \le T.$$
Proof. We start with a linear recurrence relation of length $L$, say
$$\alpha_j\gamma_{n+j} + \cdots + \alpha_L\gamma_{n+L} = 0 \quad \text{for } 0 \le n \le N - L - 1,$$
where $\alpha_j \ne 0$ and $\alpha_L = -1$. Then as in the previous proof we can construct a
nonzero polynomial of degree at most $L + 1$ with at least $N - 3(L+1)$ zeros and
get $L + 1 \ge N - 3(L+1)$, which implies the result. □
Theorem 2. For the sequences of elements $(z_n)$ defined by (6) and $(\eta_n)$ defined
by (7), we have
$$S(z_n, N) \ge \frac{N}{2} - 1 \quad \text{for } 2 \le N \le p$$
and
$$S(\eta_n, N) \ge \frac{N}{2} - 1 \quad \text{for } 2 \le N \le t.$$
Proof. As in the proof of Theorem 1 we assume that $(z_n)$ does not pass the
$s$-dimensional $N$-lattice test for some lags $d_1, \ldots, d_{s-1}$, and we get with the
definition $d_0 := 0$ a recurrence relation
$$\alpha_j z_{n+d_j} + \cdots + \alpha_{s-1} z_{n+d_{s-1}} = \beta \quad \text{for } 0 \le n \le N-1,$$
with some $\alpha_j \ne 0$. If $a(n + d_i) + b \ne 0$ for $j \le i \le s-1$, then we have
$$z_{n+d_i} = (a(n + d_i) + b)^{-1} \quad \text{for } j \le i \le s-1,$$
and we see easily that the polynomial
$$F(X) := -\beta\prod_{i=j}^{s-1}\bigl(a(X + d_i) + b\bigr) + \sum_{k=j}^{s-1}\alpha_k\prod_{\substack{i=j \\ i \ne k}}^{s-1}\bigl(a(X + d_i) + b\bigr)$$
of degree at most $s$ has at least $N - s$ zeros. If $\beta \ne 0$, then the degree of $F(X)$
is exactly $s - j > 0$, and otherwise we have $F(-a^{-1}b - d_j) \ne 0$. In both cases
$F(X)$ is a nonzero polynomial, and the first result follows. The second result is
shown in an analogous way. □

3 Linear Complexity of Binary Sequences

We choose for the prime power $q$ an odd prime $p$ and identify $\mathbb{F}_p$ with the set $\{0, 1, \dots, p-1\}$ of integers. Given an arbitrary sequence $(\eta_n)$ of elements of $\mathbb{F}_p$, we build a binary sequence $e_0, e_1, \dots$ of elements of $\{0, 1\}$ by writing
$$e_n := \begin{cases} 0 & \text{if } 0 \le \eta_n \le (p-1)/2, \\ 1 & \text{if } (p+1)/2 \le \eta_n \le p-1. \end{cases} \qquad (9)$$
The correlation measure of order $k \ge 1$ of a binary sequence $(e_n)$ of period $T$ is defined as
$$C_k(e_n, N) = \max_{M, D} \left| \sum_{n=0}^{M-1} (-1)^{e_{n+d_1} + e_{n+d_2} + \cdots + e_{n+d_k}} \right| \quad \text{for } 1 \le N \le T,$$
where the maximum is taken over all $D = (d_1, d_2, \dots, d_k)$ with nonnegative integers $d_1 < d_2 < \dots < d_k$ and integers $M \ge 1$ such that $d_k \le N - M$. This correlation measure was introduced in [14].
For $\mathbb{F} = \mathbb{F}_2$ we have the following relation between $L(e_n, N)$ and the correlation measure which is obtained from the proof of [1, Theorem 1].

Lemma 1. Let $(e_n)$ be a $T$-periodic binary sequence. For $1 \le N \le T$ we have
$$L(e_n, N) \ge N - \max_{1 \le k \le L(e_n, N)+1} C_k(e_n, N).$$
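The following Python script is an added example, not part of the paper, that makes the definitions above concrete. It builds a toy sequence with the explicit inversive rule $z_n = (an+b)^{-1}$ in $\mathbb{F}_p$ (the form visible in the proof of Theorem 2; the convention $z_n = 0$ when $an + b = 0$ is my assumption), maps it to bits by (9), computes $C_k(e_n, N)$ by exhaustive search over $M$ and $D$, obtains $L(e_n, N)$ with the Berlekamp-Massey algorithm over $\mathbb{F}_2$, and checks the inequality of Lemma 1 for every $N$. The prime $p = 13$ and the parameters $a = 2$, $b = 5$ are constructed for illustration only; the brute-force correlation measure is feasible only for such small $N$.

```python
from itertools import combinations


def explicit_inversive(p, a, b):
    """z_n = (a*n + b)^{-1} in F_p for n = 0..p-1 (the rule used in Theorem 2).
    Assumption: z_n = 0 when a*n + b = 0 mod p."""
    seq = []
    for n in range(p):
        v = (a * n + b) % p
        seq.append(pow(v, p - 2, p) if v else 0)
    return seq


def to_bits(eta, p):
    """Binary sequence (9): 0 on the lower half of F_p, 1 on the upper half."""
    return [0 if 0 <= x <= (p - 1) // 2 else 1 for x in eta]


def correlation_measure(e, k, N):
    """C_k(e_n, N): max over M >= 1 and 0 <= d_1 < ... < d_k <= N - M of
    |sum_{n=0}^{M-1} (-1)^{e_{n+d_1} + ... + e_{n+d_k}}|, by exhaustive search."""
    best = 0
    for M in range(1, N + 1):
        for D in combinations(range(N - M + 1), k):
            s = sum(1 - 2 * (sum(e[n + d] for d in D) % 2) for n in range(M))
            best = max(best, abs(s))
    return best


def linear_complexity(bits):
    """Berlekamp-Massey over F_2: length of the shortest LFSR generating bits,
    i.e. the linear complexity profile value L(e_n, N) with N = len(bits)."""
    n = len(bits)
    c, b = [0] * (n + 1), [0] * (n + 1)
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L


def lemma1_holds(e):
    """Check L(e_n, N) >= N - max_{1<=k<=L+1} C_k(e_n, N) for every 1 <= N <= len(e)."""
    for N in range(1, len(e) + 1):
        L = linear_complexity(e[:N])
        worst = max(correlation_measure(e, k, N) for k in range(1, L + 2))
        if L < N - worst:
            return False
    return True


if __name__ == "__main__":
    P, A, B = 13, 2, 5  # constructed toy parameters, far too small for real use
    e = to_bits(explicit_inversive(P, A, B), P)
    print(e, linear_complexity(e), lemma1_holds(e))
```

The check in `lemma1_holds` mirrors the proof idea of Lemma 1: an LFSR of length $L$ that generates the first $N$ terms gives a parity relation of order at most $L+1$ that holds for $N-L$ consecutive shifts, so some $C_k$ with $k \le L+1$ is at least $N-L$.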

Now we take a sequence $(\gamma_n)$ of elements of $\mathbb{F}_p$ generated by (3). We assume again $\beta \in \mathbb{F}_p^*$ and (5), so that the sequence is purely periodic with least period $T$ by [19, Lemma 2].
Corollary 2. The binary sequence $(e_n)$ defined by (9) and (3) satisfies
$$L(e_n, N) = \Omega\!\left(\frac{\log(N p^{-1/2})}{\log\log p}\right) \quad \text{for } T \ge N > p^{1/2}.$$

Proof. By [19, Theorem 5] we have the upper bound


 4
k
k2k N
Ck (en , N ) < 2k (14k)1/2 N 1/2 p1/4 + kp1/2 + 8k log p + 1.72 +
π2 p
and the result follows from Lemma 1 after simple calculations. □
Corollary 3. The binary sequence $(e_n)$ defined by (9) and (6) satisfies
$$L(e_n, N) = \Omega\!\left(\frac{\log(N p^{-1/2})}{\log\log p}\right) \quad \text{for } p \ge N > p^{1/2}.$$
Proof. By [15, Theorem 2] and the remarks following it, we have
$$C_k(e_n, N) = O(k p^{1/2} (\log p)^{k+1}),$$
which implies the result after simple calculations. □

Corollary 4. The binary sequence $(e_n)$ defined by (9) and (7) satisfies
$$L(e_n, N) = \Omega\!\left(\frac{\log(N p^{-1/2})}{\log\log p}\right) \quad \text{for } t \ge N > p^{1/2}.$$
Proof. From the proofs of [2, Theorem 2] and [25, Theorem 4] we get
$$C_k(e_n, N) = O(k 2^k p^{1/2} (\log p)^k \log t),$$
which implies the result after simple calculations. □

Acknowledgments
The research of the first author is partially supported by the project NUGET
of the Agence Nationale de la Recherche (France). The second author was sup-
ported by the Austrian Science Fund (FWF) under the grant P-19004-N18. This
work was done during a pleasant visit by A. W. to the National University of
Singapore whose hospitality is gratefully acknowledged.

References
1. Brandstätter, N., Winterhof, A.: Linear Complexity Profile of Binary Sequences
With Small Correlation Measure. Period. Math. Hungar. 52, 1–8 (2006)
2. Chen, Z.X.: Finite Binary Sequences Constructed by Explicit Inversive Methods.
Finite Fields Appl. (to appear)
3. Chou, W.S.: The Period Lengths of Inversive Pseudorandom Vector Generations.
Finite Fields Appl. 1, 126–132 (1995)
4. Dorfer, G.: Lattice Profile and Linear Complexity Profile of Pseudorandom Number
Sequences. In: Mullen, G.L., Poli, A., Stichtenoth, H. (eds.) Finite Fields and
Applications. LNCS, vol. 2948, pp. 69–78. Springer, Heidelberg (2004)
5. Dorfer, G., Meidl, W., Winterhof, A.: Counting Functions and Expected Values
for the Lattice Profile at n. Finite Fields Appl. 10, 636–652 (2004)
6. Dorfer, G., Winterhof, A.: Lattice Structure and Linear Complexity Profile of Non-
linear Pseudorandom Number Generators. Appl. Algebra Engrg. Comm. Com-
put. 13, 499–508 (2003)
7. Dorfer, G., Winterhof, A.: Lattice Structure of Nonlinear Pseudorandom Number
Generators in Parts of the Period. In: Niederreiter, H. (ed.) Monte Carlo and
Quasi-Monte Carlo Methods 2002, pp. 199–211. Springer, Berlin (2004)
8. Eichenauer, J., Lehn, J.: A Non-Linear Congruential Pseudo Random Number
Generator. Statist. Papers 27, 315–326 (1986)
9. Eichenauer-Herrmann, J.: Statistical Independence of a New Class of Inversive
Congruential Pseudorandom Numbers. Math. Comp. 60, 375–384 (1993)
10. Eichenauer-Herrmann, J., Herrmann, E., Wegenkittl, S.: A Survey of Quadratic
and Inversive Congruential Pseudorandom Numbers. In: Niederreiter, H., et al.
(eds.) Monte Carlo and Quasi-Monte Carlo Methods 1996. Lecture Notes in Statis-
tics, vol. 127, pp. 66–97. Springer, Heidelberg (1998)
11. Fu, F.-W., Niederreiter, H.: On the Counting Function of the Lattice Profile of
Periodic Sequences. J. Complexity (to appear)
12. Gutierrez, J., Shparlinski, I.E., Winterhof, A.: On the Linear and Nonlinear Com-
plexity Profile of Nonlinear Pseudorandom Number Generators. IEEE Trans. Inf.
Theory 49, 60–64 (2003)
13. Marsaglia, G.: The Structure of Linear Congruential Sequences. In: Zaremba, S.K.
(ed.) Applications of Number Theory to Numerical Analysis, pp. 249–285. Aca-
demic Press, New York (1972)
14. Mauduit, C., Sárközy, A.: On Finite Pseudorandom Binary Sequences. I. Measure
of Pseudorandomness. The Legendre Symbol. Acta Arith. 82, 365–377 (1997)
15. Mauduit, C., Sárközy, A.: Construction of Pseudorandom Binary Sequences by
Using the Multiplicative Inverse. Acta Math. Hungar. 108, 239–252 (2005)
16. Meidl, W., Winterhof, A.: On the Linear Complexity Profile of Explicit Nonlinear
Pseudorandom Numbers. Inf. Process. Lett. 85, 13–18 (2003)
17. Meidl, W., Winterhof, A.: On the Linear Complexity Profile of Some New Explicit
Inversive Pseudorandom Numbers. J. Complexity 20, 350–355 (2004)
18. Niederreiter, H.: Pseudorandom Vector Generation by the Inversive Method. ACM
Trans. Modeling and Computer Simulation 4, 191–212 (1994)
19. Niederreiter, H., Rivat, J.: On the Correlation of Pseudorandom Numbers Gener-
ated by Inversive Methods. Monatsh. Math. (to appear)
20. Niederreiter, H., Shparlinski, I.E.: On the Distribution of Pseudorandom Num-
bers and Vectors Generated by Inversive Methods. Appl. Algebra Engrg. Comm.
Comput. 10, 189–202 (2000)

21. Niederreiter, H., Shparlinski, I.E.: Recent Advances in the Theory of Nonlinear
Pseudorandom Number Generators. In: Fang, K.T., Hickernell, F.J., Niederreiter,
H. (eds.) Monte Carlo and Quasi-Monte Carlo Methods 2000, pp. 86–102. Springer,
Berlin (2002)
22. Niederreiter, H., Winterhof, A.: Lattice Structure and Linear Complexity of Non-
linear Pseudorandom Numbers. Appl. Algebra Engrg. Comm. Comput. 13, 319–326
(2002)
23. Topuzoğlu, A., Winterhof, A.: Pseudorandom Sequences. In: Garcia, A.,
Stichtenoth, H. (eds.) Topics in Geometry, Coding Theory and Cryptography, pp.
135–166. Springer, Dordrecht (2007)
24. Wang, L.-P., Niederreiter, H.: Successive Minima Profile, Lattice Profile, and Joint
Linear Complexity Profile of Pseudorandom Multisequences. J. Complexity (to
appear)
25. Winterhof, A.: On the Distribution of Some New Explicit Inversive Pseudorandom
Numbers and Vectors. In: Niederreiter, H., Talay, D. (eds.) Monte Carlo and Quasi-
Monte Carlo Methods 2004, pp. 487–499. Springer, Berlin (2006)
Subcodes of Reed-Solomon Codes Suitable for
Soft Decoding

Safitha J. Raj and Andrew Thangaraj

Department of Electrical Engineering


Indian Institute of Technology Madras, Chennai, India
[email protected]

Abstract. Reed-Solomon (RS) codes over GF(2^m) have traditionally been the most popular non-binary codes in almost all practical applications. The distance properties of RS codes result in excellent performance under hard-decision bounded-distance decoding. In this work, we consider certain subcodes of RS codes over GF(q^m) whose q-ary traces are BCH codes over GF(q). The properties of these subcodes are studied and low-complexity hard-decision and soft-decision decoders are proposed. The decoders are analyzed, and their performance is compared with that of comparable RS codes. Our results suggest that these subcodes of RS codes could have some advantages when compared to RS codes.

1 Introduction
Reed-Solomon (RS) codes [1] are the most prevalent and commonly used codes
today with applications ranging from satellite communications to computer
drives. RS codes are popular, in theory, for their elegant algebraic construction.
In practice, RS codes can be encoded and decoded with manageable complexity
and high speed. RS codes continue to remain objects of active research with
most recent interest being in list and soft-decision decoding [2][3].
Efficient soft decoding of RS codes has traditionally been a problem of im-
portance. Early methods for soft decoding of RS codes included Chase decoding
and Generalized Minimum Distance (GMD) decoding [4]. Other methods for soft
decoding RS codes include [5][6]. Recently, the Koetter-Vardy algorithm [3] and
belief-propagation-based iterative algorithm [7] have been proposed. Common
themes in the above methods include (1) a coding gain of around 1dB, (2) an
increase in complexity with size of the field, and (3) an increase in complexity for
higher coding gain. As a result, efficient soft decoders are not readily available
for high rate RS codes over large fields.
In this work, we study certain subcodes of q^m-ary RS codes that are more
amenable to efficient decoding. Specifically, we consider subcodes whose traces
are q-ary BCH codes. Suitable non-consecutive zeros are added to the set of
zeros of a parent RS code to enable the trace to be a BCH code. Though the
subcode is not typically maximum-distance-separable (MDS), our analysis shows
that a large fraction of errors beyond minimum distance are correctable. Hence,

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 217–226, 2007.
© Springer-Verlag Berlin Heidelberg 2007
218 S.J. Raj and A. Thangaraj

the performance of these subcodes of RS codes is comparable to that of an MDS RS code at the same rate. We refer to these select subcodes of RS codes as sub Reed-Solomon (SRS) codes in the rest of this article.
Because of the trace structure, the SRS codes are amenable to efficient soft-decision decoding. Since the image of a q^m-ary code is a concatenation of its q-ary trace, a soft decoder for the trace can be efficiently used to process soft input for the image. Using this idea, we propose simple soft decoders for SRS codes. Our simulations show that the proposed soft decoders for high-rate (> 0.9) SRS codes over large fields (GF(256)) perform close to other comparable soft decoders of MDS RS codes at the same rate. However, the complexity of soft decoding SRS codes is significantly lower. Our results suggest that SRS codes could be competent alternatives to RS codes in certain situations.

2 Preliminaries
A finite field GF(q^m) (q: power of a prime) is an m-dimensional vector space over GF(q). A set of m elements of GF(q^m) linearly independent over GF(q) forms a basis for this vector space. See [8] for more details on the definitions and preliminary results in this section.

2.1 Definitions
The trace of an element α ∈ GF(q^m) is a linear mapping T_m : GF(q^m) → GF(q) defined by $T_m(\alpha) = \sum_{i=0}^{m-1} \alpha^{q^i}$. If C is a code over GF(q^m), the trace of C consists of the traces of all codewords of C. Let B = {β_1, β_2, . . . , β_m} be a basis for GF(q^m) over GF(q). Each element α ∈ GF(q^m) can be represented as a linear combination of the elements in the basis. Let B′ = {β′_1, β′_2, . . . , β′_m} be the dual basis of B. Each element α ∈ GF(q^m) can be expanded as $\alpha = \sum_{i=1}^{m} a_i \beta_i$, where a_i = T_m{α β′_i}.
The element α ∈ GF(q^m) can be viewed as the vector [a_1 a_2 . . . a_m] over GF(q) through expansion by basis B. The vector [a_1 a_2 . . . a_m] is also called the image of α ∈ GF(q^m) over GF(q). If C is a code over GF(q^m), the image of C, denoted by C_i, consists of the images (with respect to a chosen basis) of all codewords of C. The image of an (n, k, d) linear code over GF(q^m) will be an (nm, km, ≥ d) linear code over GF(q).

2.2 Preliminary Results

Let C be a linear code of length n over GF(q^m) and C_i be the image of C over GF(q) through expansion by basis B. The image of any codeword in C can be viewed as an n × m matrix over GF(q). If c_i is the ith component of the codeword, the ith row of the image matrix will be [T_m{c_i β′_1} T_m{c_i β′_2} . . . T_m{c_i β′_m}].
Proposition 1. Each column of an image matrix in C_i will belong to the trace of the code C.

Proof. Let c = [c_1 c_2 . . . c_n]^T ∈ C. The jth column of the image matrix will be
$$[T_m\{c_1 \beta'_j\}\ T_m\{c_2 \beta'_j\}\ \dots\ T_m\{c_n \beta'_j\}]^T.$$
$$c \in C \Rightarrow \beta'_j c \in C. \qquad (1)$$
Hence [T_m{c_1 β′_j} T_m{c_2 β′_j} . . . T_m{c_n β′_j}]^T will belong to the trace of C. □

Let the subfield subcode of C over GF(q) be denoted by C_ss.

Proposition 2. The minimum distance of C_i is less than or equal to the minimum distance of C_ss.

Proof. C_ss consists of the set of all codewords of C with elements over GF(q). Suppose c = [c_1 c_2 . . . c_n]^T ∈ C_ss ⊆ C is a minimum weight codeword of C_ss. Since c_i ∈ GF(q), the image of c_i β_1 is
$$[c_i T_m\{\beta_1 \beta'_1\}\ c_i T_m\{\beta_1 \beta'_2\}\ \dots\ c_i T_m\{\beta_1 \beta'_m\}]^T = [c_i\ 0\ \dots\ 0]^T. \qquad (2)$$
Hence, the weight of the image of β_1 c ∈ C is equal to the weight of c. Since the minimum distance of C_i is upper bounded by the weight of an arbitrary codeword such as the image of β_1 c, the result follows. □

In summary, if d, d_ss and d_i are the minimum distances of C, C_ss and C_i, respectively, we have d ≤ d_i ≤ d_ss.

3 Sub Reed-Solomon Codes


In this section, we discuss the construction and basic properties of sub Reed-Solomon (SRS) codes with a nontrivial trace. We restrict ourselves to images of GF(2^m) over GF(2) for simplicity. All results extend to the general case.

3.1 Construction
Let α be a primitive element of GF(2^m). Let C(t) be the (n, n − 2t, 2t + 1) primitive, narrow-sense t-error-correcting RS code of length n = 2^m − 1. The code has 2t consecutive powers of α as zeros. The zero set is Z_rs = {1, 2, . . . , 2t}. The generator polynomial of the code C(t) is given by $\prod_{i=1}^{2t} (x + \alpha^i)$.
A SRS code C(t, t′) (for t′ ≤ t) is a subcode of C(t) with zero set Z_rs ∪ Z_bch, where Z_bch is the zero set of the primitive, narrow-sense t′-error-correcting binary BCH code, i.e.
$$Z_{bch} = C_1 \cup C_2 \cup \cdots \cup C_{2t'}, \qquad (3)$$
where C_i denotes the cyclotomic coset of i modulo n = 2^m − 1 under multiplication by 2.
Example 1. Let α be a primitive element of GF(256).
1. C(8, 1) is the subcode of the 8-error-correcting (255, 239, 17) RS code (C(8))
with zeros {1, 2, · · · , 16, 32, 64, 128}. C(8, 1) is a (255, 236, ≥ 17) code.

2. C(8, 2) is the subcode of the 8-error-correcting (255, 239, 17) RS code with
zeros {1, 2, · · · , 16, 24, 32, 48, 64, 96, 128, 129, 192}. C(8, 2) is a (255, 231, ≥
17) code.
3. C(6, 1) is the subcode of the 6-error-correcting (255, 243, 13) RS code with
zeros {1, 2, · · · , 12, 16, 32, 64, 128}. C(6, 1) is a (255, 239, ≥ 13) code.

3.2 Properties
The following properties can be proved for the SRS code C(t, t′) of length n = 2^m − 1 over GF(2^m).
Proposition 3. The trace of C(t, t′) is the t′-error-correcting binary BCH code.

Proof. This follows from Delsarte's theorem [8, Chap. 7]. □

Thus, by Proposition 1, we see that when a codeword of the binary image of C(t, t′) is written down as an n × m matrix, each column will belong to the t′-error-correcting binary BCH code.

Proposition 4. The subfield subcode of the SRS code C(t, t′) is the t-error-correcting primitive binary BCH code of length n. If the primitive t-error-correcting binary BCH code has minimum distance 2t + 1, then the minimum distance of C(t, t′) is 2t + 1.

Proof. The result follows from Proposition 2. □

As an example, consider the (255, 239, ≥ 13) code C(6, 1) over GF(256). The trace of the code is the length-255 binary Hamming code. The subfield subcode is the 6-error-correcting length-255 binary BCH code with exact minimum distance 13 [9]. Hence, C(6, 1) is a (255, 239, 13) code over GF(256).
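As an added example (my code, not the authors'), the Python below carries out the construction of Section 3.1 and checks Example 1 and Proposition 3 over GF(256): it computes the cyclotomic cosets, forms the zero set of C(t, t′), multiplies out the generator polynomial, encodes a constructed message, and verifies that every column of the binary image of a C(6, 1) codeword is a codeword of the length-255 binary Hamming code. Going slightly beyond the text, it also shows that the columns of a codeword of the parent code C(6), whose trace is trivial, are in general not Hamming codewords. GF(256) is built from the primitive polynomial x^8 + x^4 + x^3 + x^2 + 1, an assumption since the paper does not fix one, and the image is taken with respect to the polynomial basis {1, α, . . . , α^7}; by Proposition 1 the choice of basis does not affect the column property.

```python
M, N = 8, 255          # GF(2^m) with m = 8, code length n = 2^m - 1
PRIM = 0x11D           # x^8 + x^4 + x^3 + x^2 + 1, assumed primitive polynomial

# log/antilog tables; alpha = x is a primitive element of GF(256)
EXP, LOG = [0] * 510, [0] * 256
_x = 1
for _i in range(255):
    EXP[_i], LOG[_x] = _x, _i
    _x <<= 1
    if _x & 0x100:
        _x ^= PRIM
for _i in range(255, 510):
    EXP[_i] = EXP[_i - 255]


def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]


def alpha_pow(i):
    return EXP[i % 255]


def cyclotomic_coset(i):
    """C_i: orbit of i under multiplication by 2 modulo n = 2^m - 1."""
    coset, j = set(), i % N
    while j not in coset:
        coset.add(j)
        j = (2 * j) % N
    return coset


def srs_zero_set(t, tp):
    """Zero set of C(t, t'): Z_rs = {1..2t} joined with Z_bch = C_1 u ... u C_{2t'} of (3)."""
    zeros = set(range(1, 2 * t + 1))
    for i in range(1, 2 * tp + 1):
        zeros |= cyclotomic_coset(i)
    return zeros


def generator_poly(zeros):
    """prod_{i in zeros} (x + alpha^i) as a coefficient list, index = degree."""
    g = [1]
    for i in sorted(zeros):
        root, new = alpha_pow(i), [0] * (len(g) + 1)
        for d, c in enumerate(g):
            new[d + 1] ^= c               # c * x
            new[d] ^= gf_mul(c, root)     # c * alpha^i
        g = new
    return g


def encode(msg, g):
    """Non-systematic encoding c(x) = m(x) g(x); len(msg) + deg g == n."""
    c = [0] * (len(msg) + len(g) - 1)
    for i, mi in enumerate(msg):
        for j, gj in enumerate(g):
            c[i + j] ^= gf_mul(mi, gj)
    return c


def eval_poly(c, x):
    v = 0
    for coef in reversed(c):              # Horner's rule
        v = gf_mul(v, x) ^ coef
    return v


def is_codeword(c, zeros):
    return all(eval_poly(c, alpha_pow(i)) == 0 for i in zeros)


def image_columns(c):
    """Binary image as an n x m matrix over the polynomial basis; returns the m columns."""
    return [[(ci >> j) & 1 for ci in c] for j in range(M)]


def in_hamming_code(col):
    """A length-255 binary vector is a Hamming codeword iff col(alpha) = 0 in GF(256)."""
    v = 0
    for i, bit in enumerate(col):
        if bit:
            v ^= alpha_pow(i)
    return v == 0


def columns_in_trace(c):
    return all(in_hamming_code(col) for col in image_columns(c))


if __name__ == "__main__":
    z = srs_zero_set(6, 1)
    g = generator_poly(z)
    msg = [(37 * i + 11) % 256 for i in range(N - len(z))]   # constructed message
    c = encode(msg, g)
    print(N - len(z), is_codeword(c, z), columns_in_trace(c))   # 239 True True
```

The Hamming check is the cyclic-code view of Proposition 3: the trace code is cyclic with α as a zero exactly when the whole coset C_1 lies in the zero set, which is what adding Z_bch to Z_rs guarantees.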

4 Analysis of Error-Correcting Capability


Though an SRS code is not likely to be MDS in many cases of interest, simple
decoders can be designed to correct a significant fraction of errors above half the
minimum distance. We analyze the error-correcting capability by introducing
and studying list decoders.

4.1 List Decoders


Consider the SRS code C(t, t′) over GF(2^m). As seen before, every codeword of the binary image of C(t, t′) can be written down as an n × m matrix with each column belonging to the t′-error-correcting binary BCH code.
The proposed list decoder works as follows. The input to the decoder is the n × m matrix R of received bits. Let R_i denote the ith column of R. The first block of the decoder is a bounded-distance decoder for the t′-error-correcting

binary BCH code of length n. The BCH decoder runs on each column R_i, 1 ≤ i ≤ m. The output of the ith BCH decoder is denoted R̂_i. In case of decoder failure, R̂_i = R_i. The next step in the decoding is performed by a bank of L t-error-correcting bounded-distance RS decoders. The ith decoder (1 ≤ i ≤ L) is parametrized by a set S_i, which is a subset of {1, 2, · · · , m}. The input to the ith RS decoder is an n × m matrix whose jth column is R̂_j if j ∈ S_i or R_j if j ∉ S_i (1 ≤ j ≤ m). The matrix is converted to an n × 1 vector over GF(2^m) for decoding by the ith RS decoder.
Note that the set S_i specifies the columns that are decoded by the t′-error-correcting binary BCH decoder before input to the ith RS decoder. Different RS decoders have different S_i. The output from the L RS decoders forms the list of possible codewords. The maximum list size is seen to be 2^m.

4.2 Analysis of the List Decoder


We devise an algorithm to calculate the fraction of weight-w errors correctable by C(t, t′) using the proposed list decoder with list size set as 2^m. For w ≤ t, the fraction is 1. The calculation is done for w > t.
Let P_m(w) denote the set of partitions of w into not more than m parts. Let p be the partition given by w = w_1 + w_2 + · · · + w_l where w_1 ≥ w_2 ≥ · · · ≥ w_l. The numbers w_1, w_2, . . . , w_l denote the number of bit errors affecting l out of the m columns of the n × m codeword matrix. Equivalently, we can think of w_1, w_2, . . . , w_l as the weights of l out of the m columns of the n × m binary error matrix E.
For a given partition p ≡ w_1 + w_2 + · · · + w_l of w, an ensemble of error patterns E(p) exists with the column weight distribution {w_1, w_2, . . . , w_l}. The size of the set E(p) is seen to be
$$|E(p)| = \frac{l!}{n_1!\, n_2! \cdots n_r!} \binom{m}{l} \prod_{i=1}^{l} \binom{n}{w_i}, \qquad (4)$$
where r is the number of distinct weights in the set of weights {w_1, w_2, . . . , w_l}, and n_i is the number of times the i-th distinct weight occurs in the set of weights. For instance, if the set of weights is {4, 3, 3, 1, 1}, then r = 3, n_1 = 1, n_2 = 2, and n_3 = 2.
Thus, the fraction of correctable errors for weight w, denoted f_w, is given by
$$f_w = \frac{\sum_p P_c(p)\,|E(p)|}{\binom{nm}{w}}, \qquad (5)$$
where P_c(p) is the probability that an error vector with column weight distribution p is correctable.
To determine P_c(p), the partitions in P_m(w) are modified by deleting the parts that are at most t′, to account for the BCH decoder, which corrects such columns. Since the list size is 2^m, there exists an RS decoder parametrized by the set of columns corresponding to the parts in p of weight at most t′. For example, let t′ = 1 and w = 9. Let p be

the partition given by 9 = 4 + 3 + 1 + 1; p is modified as p̂ given by p̂ ≡ 4 + 3. Hence, a suitable RS decoder will see an error matrix with column weight distribution p̂. Each partition in P_m(w) is modified in a similar way to form a set P̂_m(w). Let p̂ be given by p̂ ≡ w_1 + w_2 + · · · + w_k. The sum ŵ = w_1 + w_2 + · · · + w_k need not be equal to w; it is less than or equal to w. Based on the modified partition p̂, we have four different cases.

1. If p̂ is empty, it implies that all elements in the partition p were ≤ t′. A suitable RS decoder will output the correct codeword, and P_c(p) = 1.
2. If ŵ ≤ t, then whatever way errors are distributed along different columns, the total number of rows affected cannot exceed t. A suitable RS decoder will output the correct codeword, and P_c(p) = 1.
3. If w_1 > t ≥ t′, then more than t rows will be in error for all RS decoders. By the bounded-distance property, we assume that such error patterns can never be corrected, and P_c(p) = 0.
4. If p̂ does not fall into any of the above three categories, the error pattern may or may not be correctable depending on how the errors are distributed along the columns. For this case, a more detailed analysis has been done to find the probability with which the given pattern is correctable. In this case, 0 < P_c(p) < 1.

For Case 4 above, finding P_c(p) is more involved. An error matrix E ∈ E(p) for p̂ ≡ w_1 + w_2 + · · · + w_k is modeled by a discrete random process that involves k steps. The ith step corresponds to the random placement of w_i ones in one of the m columns. Let {Y_1, Y_2, . . . , Y_k} be a sequence of discrete random variables. The random variable Y_i denotes the total number of rows of E affected after the ith step. For instance, Y_1 denotes the number of rows of E affected after the 1st step, which will be w_1 with probability 1. Y_2 denotes the number of rows affected after the 2nd step. Y_2 can take any value from w_1 to (w_1 + w_2) with different probabilities. The probability mass function (pmf) of Y_2 can be determined from the pmf of Y_1 and the value w_2. Similarly, we can find the pmfs of all the random variables Y_1 to Y_k starting from the pmf of Y_1 and the values w_1, w_2, . . . , w_k. Finally,
$$P_c(p) = \mathrm{Prob}\{Y_k \le t\}. \qquad (6)$$
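The following Python is an added example, not from the paper, implementing the calculation of Section 4.2: the partitions P_m(w), the ensemble size (4), the four cases for P_c(p) with the pmf recursion for Y_k behind (6), and the fraction f_w of (5). Exact rational arithmetic is used so that the identity Σ_p |E(p)| = C(nm, w), the small hand-checkable cases, and the claim that most weight-7 patterns of C(6, 1) are correctable can all be verified. Following the text's own example (parts equal to t′ = 1 are deleted), a column with at most t′ errors is treated as cleared by the BCH decoder; the hypergeometric step in `rows_hit_pmf` is my reading of "random placement of w_i ones in one of the m columns".

```python
from collections import Counter
from fractions import Fraction
from math import comb, factorial


def partitions(w, max_parts, max_part=None):
    """P_m(w): partitions of w into at most max_parts parts, as non-increasing tuples."""
    if max_part is None:
        max_part = w
    if w == 0:
        yield ()
        return
    if max_parts == 0:
        return
    for first in range(min(w, max_part), 0, -1):
        for rest in partitions(w - first, max_parts - 1, first):
            yield (first,) + rest


def ensemble_size(p, n, m):
    """|E(p)| of (4): n x m binary error matrices whose nonzero columns have the weights in p."""
    l = len(p)
    size = factorial(l)
    for count in Counter(p).values():      # l! / (n_1! n_2! ... n_r!)
        size //= factorial(count)
    size *= comb(m, l)
    for wi in p:
        size *= comb(n, wi)
    return size


def rows_hit_pmf(parts, n):
    """pmf of Y_k: distinct rows hit after placing parts[i] ones uniformly at random
    into the i-th of k columns of an n-row matrix (Y_1 = parts[0] with probability 1)."""
    pmf = {0: Fraction(1)}
    for wi in parts:
        nxt = {}
        for y, pr in pmf.items():
            for j in range(wi + 1):            # j ones land in rows not hit so far
                if j > n - y or wi - j > y:
                    continue
                q = Fraction(comb(y, wi - j) * comb(n - y, j), comb(n, wi))
                nxt[y + j] = nxt.get(y + j, Fraction(0)) + pr * q
        pmf = nxt
    return pmf


def correctable_prob(p, n, t, tp):
    """P_c(p): the four cases of Section 4.2 for the list decoder with list size 2^m."""
    phat = tuple(wi for wi in p if wi > tp)   # columns with <= t' errors are cleared by BCH
    if not phat:                              # case 1
        return Fraction(1)
    if sum(phat) <= t:                        # case 2
        return Fraction(1)
    if phat[0] > t:                           # case 3
        return Fraction(0)
    pmf = rows_hit_pmf(phat, n)               # case 4, equation (6)
    return sum((pr for y, pr in pmf.items() if y <= t), Fraction(0))


def ensemble_total(w, n, m):
    """sum_p |E(p)| over P_m(w); must equal C(nm, w)."""
    return sum(ensemble_size(p, n, m) for p in partitions(w, m))


def correctable_fraction(w, n, m, t, tp):
    """f_w of (5)."""
    if w <= t:
        return Fraction(1)
    total = sum(correctable_prob(p, n, t, tp) * ensemble_size(p, n, m)
                for p in partitions(w, m))
    return total / comb(n * m, w)


if __name__ == "__main__":
    for w in range(7, 10):                    # C(6, 1): n = 255, m = 8, t = 6, t' = 1
        print(w, float(correctable_fraction(w, 255, 8, 6, 1)))
```

For C(6, 1) the only weight-7 partitions that can fail are those whose parts are all larger than t′ and sum to more than t (7, 5+2, 4+3, 3+2+2), which is why the correctable fraction just above the bounded-distance radius stays close to 1.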
Fig. 1 shows a comparison of the 8-error-correcting (255, 239, 17) RS code
(C(8)) over GF(256) and the (255, 239, 13) SRS code (C(6, 1)) over GF(256).
The simulation was done over an AWGN channel with hard-decision decoding.
We see that the analysis matches with the simulated list decoder, and the SRS
code is competitive with the MDS RS code of same rate down to a block-error
rate of 10−10 .

5 Soft-Input Decoders

Because of the special structure of SRS codes, several suboptimal soft decoders of varying complexity are possible. We propose three types of soft-input decoders of increasing complexity. The codes C(6, 1) and C(8) over GF(256) are chosen for comparison. Soft decoders for other codes yield similar gains.

[Fig. 1: probability of block error (10^0 down to 10^−10) versus Eb/No in dB (5 to 9); curves: HDD for RS(255,239,17); analysis of ad hoc HDD for SRS(255,239,13); simulation of ad hoc HDD for SRS(255,239,13).]
Fig. 1. Comparison of C(6, 1) and C(8) over GF(256) by analysis and simulation
We assume BPSK modulation over an AWGN channel. For an SRS code C(t, t′) of length n = 2^m − 1 over GF(2^m), the received information R is an n × m real-valued matrix. The decoders work in two stages. The first stage decodes the columns of R according to the t′-error-correcting binary BCH code. We restrict ourselves to t′ = 1 (Hamming code) for simplicity. The second stage decodes the output of the first stage according to the t-error-correcting RS code over GF(2^m).

5.1 Soft-Guided Decoders


In the first stage, hard-decision syndromes for the Hamming code are computed for all m columns of R. If the syndrome for the ith column is 1 and the absolute received value at the error location (t′ is assumed to be 1) is below a fixed threshold, the location is confirmed to be in error; otherwise, the location is assumed to be error-free. Hard decisions are made, and the confirmed error locations are flipped. The output is an n × m binary vector. The threshold is a parameter that needs to be fixed. Note that several other similar suboptimal first stages can be designed.
The second stage involves one t-error-correcting bounded-distance RS decoder on the output of the first stage. The performance of the soft-guided decoder is shown in Fig. 2. We see that the performance of a simple soft-guided decoder for the SRS code is comparable to that of the hard-decision decoder for the MDS RS code at the same rate.

[Fig. 2: probability of block error (10^0 down to 10^−4) versus Eb/No in dB (5 to 7.5); curves: HDD RS(255,239,17); List L=256 SRS(255,239,13); Soft-guided SRS(255,239,13).]
Fig. 2. Performance of soft-guided decoder

5.2 Hybrid Decoders

In hybrid soft-input decoders, the first stage is an optimal soft decoder for Ham-
ming codes. An efficient implementation for bitwise-MAP decoders for Hamming
codes can be found in [10]. The second stage is a t-error-correcting bounded-
distance RS decoder. The complexity of the first stage in hybrid decoders is
higher than that of soft-guided decoders.
The performance of hybrid decoders is shown in Fig. 3. We see that the
hybrid decoders provide a coding gain of about 0.5 dB more than hard-decision
decoders of MDS RS codes at the same rate. We also notice that additional gain
is obtained by extending the SRS code.

5.3 Soft Decoders

The most complex among the soft-input decoders are the soft decoders. In the
first stage, we employ the optimal bitwise MAP decoders for Hamming codes.
In the second stage, the Koetter-Vardy (KV) soft-input decoder for RS codes
presented in [3] is employed.
The performance of soft decoders is depicted in Fig. 4. We see that gains of about 0.9 dB over comparable hard-decoded RS codes are possible with soft decoders. Gains of about 0.5 dB are obtained over KV soft decoding of RS codes of same rate. The parameter ‘mmax’ (from [3]) indicates the complexity of the second stage.

[Fig. 3: probability of block error (10^0 down to 10^−5) versus Eb/No in dB (5 to 7.5); curves: Classical HDD for RS(255,239,17); Hybrid decoder for SRS(255,239,13) code; Hybrid decoder for (256,239,14) code.]
Fig. 3. Performance of hybrid decoder

[Fig. 4: probability of block error (10^0 down to 10^−5) versus Eb/No in dB (5 to 6.8); curves: HDD RS(255,239,17); Soft RS(255,239,17), mmax=8; Soft SRS(255,239,13), mmax=2; Soft SRS(255,239,13), mmax=4; Soft SRS(255,239,13), mmax=8.]
Fig. 4. Performance of soft decoder

6 Conclusion

We have studied Sub Reed-Solomon (SRS) codes, which are certain subcodes of
Reed-Solomon codes with a nontrivial trace code. The trace structure results in
the possibility of hard-decision list decoding beyond half the minimum distance
and efficient soft-input decoding. The performance results, when compared to
that of maximum-distance-separable Reed-Solomon codes, show a best-possible
gain of about 0.9 dB. With reasonable complexity, gains of about 0.5 dB are
possible.

References
1. Reed, I.S., Solomon, G.: Polynomial codes over certain finite fields. J. SIAM 8,
300–304 (1960)
2. Guruswami, V., Sudan, M.: Improved decoding of Reed-Solomon and algebraic-
geometry codes. IEEE Trans. on Info. Theory 45(6), 1757–1767 (1999)
3. Koetter, R., Vardy, A.: Algebraic Soft-decision Decoding of Reed-Solomon Codes.
IEEE Trans. Inform. Theory 49(11), 2809–2825 (2003)
4. Forney, D.: Generalized Minimum Distance Decoding. IEEE Trans. Inform. The-
ory 12(2), 125–131 (1966)
5. Vardy, A., Beery, Y.: Bit-level Soft-decision Decoding of Reed-Solomon Codes.
IEEE Trans. on Comm. 39(3), 440–444 (1991)
6. Ponnampalam, V., Vucetic, B.: Soft Decision Decoding of Reed-Solomon Codes.
IEEE Trans. on Comm. 50(11), 1758–1768 (2002)
7. Jiang, J., Narayanan, K.R.: Iterative Soft Decoding of Reed-Solomon Codes. IEEE
Commun. Lett. 8(4), 244–246 (2004)
8. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes. North-
Holland, The Netherlands, Amsterdam (1977)
9. Augot, D., Charpin, P., Sendrier, N.: Studying the Locator Polynomials of Mini-
mum Weight Codewords of BCH Codes. IEEE Trans. Inform. Theory 38(3), 960–
973 (1992)
10. Ashikhmin, A., Litsyn, S.: Simple MAP Decoding of First-Order Reed-Muller and
Hamming Codes. IEEE Trans. Inform. Theory 50(8), 1812–1818 (2004)
Normalized Minimum Determinant Calculation
for Multi-block and Asymmetric Space-Time
Codes

Camilla Hollanti¹ and Hsiao-feng (Francis) Lu²

¹ Department of Mathematics, FIN-20014 University of Turku, Finland
[email protected]
² Department of Communication Engineering, National Chung-Cheng University, Chia-yi, Taiwan
[email protected]

Abstract. The aim of this paper is to show the connection between certain, previously constructed multi-block and asymmetric space-time codes. The Gram determinants of the two constructions coincide, and hence the corresponding lattices share the same density. Using the notion of density, we define the normalized minimum determinant and give an implicit lower bound depending on the center of the cyclic division algebra in use. The calculation of the normalized minimum determinant is then performed in practice by using explicit code constructions.

Keywords: Asymmetric space-time block codes (ASTBCs), cyclic division algebras (CDAs), dense lattices, discriminants, diversity-multiplexing tradeoff (DMT), maximal orders, multi-block, multiple-input multiple-output (MIMO) channels, nonvanishing determinant (NVD).

1 Background
Previously, different methods for constructing asymmetric [1],[2] and multi-block
[3] space-time codes have been proposed. Asymmetric codes are targeted at
the code design for downlink transmission where the number of Rx antennas is
strictly less than the number of Tx antennas. Typical examples of such situations
are 3+G mobile phones and DVB-H (Digital Video Broadcasting-Handhelds)
user equipment, where only a very small number of antennas fits at the end user
site. The best code in [1] was shown to improve upon the punctured Perfect code
[2] as well as the DjABBA code [2] in the BLER performance at the data rate 4
bpcu, hence proving that the methods proposed therein come into good use.
Multi-block codes, for their part, are used when one wishes to obtain vanishing
error probability in addition to the D-M tradeoff optimality. In this work, we
concentrate on the minimal delay multi-block construction given in [3] and the
asymmetric construction given in [1] by Method 1. In [4] an approach similar to
Method 1 was used for the MIMO amplify-and-forward cooperative channel.
Already in [1] we stated that Method 1 can be converted to produce multi-
block ST codes [3] that do achieve the DMT. Here, we shall show this explicitly

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 227–236, 2007.
© Springer-Verlag Berlin Heidelberg 2007
228 C. Hollanti and H.-f. (Francis) Lu

and prove that maximizing the density (i.e. finding the most efficient packing
in the available signal space) of asymmetric and multi-block codes arising from
this method is equivalent to minimizing the discriminant of a certain order.
We define a lattice to be a discrete finitely generated free abelian subgroup L
of a real or complex finite dimensional vector space, called the ambient space.
In the space-time (ST) setting a natural ambient space is the space Mn (C) of
complex n × n matrices. The Gram matrix is defined as
$$G(L) = \bigl(\operatorname{tr}(x_i x_j^H)\bigr)_{1 \le i,j \le k}, \qquad (1)$$
where H indicates the complex conjugate transpose of a matrix, tr is the matrix trace (the sum of the diagonal elements), and x_i, i = 1, ..., k, form a Z-basis of L. The rank k of the lattice is upper bounded by 2n². The Gram matrix
has a positive determinant equal to the squared measure of the fundamental
parallelotope m(L)2 . A change of basis does not affect the measure m(L).
Any lattice L with the nonvanishing determinant (NVD) property [5] can be scaled, i.e. multiplied by a real constant r, either to satisfy $\det_{\min}(L) = 1$ or to satisfy $m(L) = 1$. This is because $\det_{\min}(rL) = r^n \det_{\min}(L)$ and $m(rL) = r^k m(L)$. As the minimum determinant determines the asymptotic pairwise error
probability (PEP), this gives rise to natural numerical measures for the quality
of a lattice. Following [6], we denote by δ(L) the normalized minimum determi-
nant of the lattice L, i.e. here we first scale L to have a unit size fundamental
parallelotope. Dually we denote by ρ(L) = 1/m(L) the normalized density of
the lattice L, when we first scale the lattice to have unit minimum determinant,
and only then compute the quantity 1/m(L).
It has been shown in [7] that CDA-based square ST codes with the NVD
property achieve the diversity-multiplexing tradeoff (DMT) introduced in [8].
This result also extends over multi-block space-time codes [3].
For more information on matrix representations of division algebras and their
use as MIMO STBCs the reader can refer to [9]-[13], just to name a few.

2 Cyclic Division Algebras and Orders

The theory of cyclic algebras and their representations as matrices is thoroughly considered in [9] and [14]. We are only going to recapitulate the essential facts here. For a more detailed introduction to orders, see [15].
In the following, we consider number field extensions E/F , where F denotes
the base field and F ∗ (resp. E ∗ ) denotes the set of the non-zero elements of F
(resp. E). The rings of algebraic integers are denoted by OF and OE respectively.
Let E/F be a cyclic field extension of degree n with Galois group Gal(E/F) = ⟨σ⟩, where σ is the generator of the cyclic group. Let A = (E/F, σ, γ) be the corresponding cyclic algebra of degree n (n is also called the index of A and in practice it determines the number of transmitters), that is
$$\mathcal{A} = E \oplus uE \oplus u^2E \oplus \cdots \oplus u^{n-1}E,$$
Normalized Minimum Determinant Calculation 229

with u ∈ A such that eu = uσ(e) for all e ∈ E and u^n = γ ∈ F*. An element x = x_0 + ux_1 + ··· + u^{n−1}x_{n−1} ∈ A has the following representation as a matrix
$$A = \begin{pmatrix} x_0 & \gamma\sigma(x_{n-1}) & \gamma\sigma^2(x_{n-2}) & \cdots & \gamma\sigma^{n-1}(x_1) \\ x_1 & \sigma(x_0) & \gamma\sigma^2(x_{n-1}) & & \gamma\sigma^{n-1}(x_2) \\ x_2 & \sigma(x_1) & \sigma^2(x_0) & & \gamma\sigma^{n-1}(x_3) \\ \vdots & & & \ddots & \vdots \\ x_{n-1} & \sigma(x_{n-2}) & \sigma^2(x_{n-3}) & \cdots & \sigma^{n-1}(x_0) \end{pmatrix}. \qquad (2)$$

Definition 1. An algebra A is called simple if it has no nontrivial ideals. A cyclic algebra A = (E/F, σ, γ) is central if its center Z(A) = {x ∈ A | xx′ = x′x for all x′ ∈ A} = F.

All algebras considered here are finite dimensional associative central simple
algebras over a field. From now on, we identify the element x of an algebra with
its standard matrix representation defined above in (2).
Definition 2. The determinant of the matrix A is called the reduced norm of
the element x ∈ A and is denoted by nr(x).

Remark 1. The connection between the usual norm map N_{A/F}(a) and the reduced norm nr(a) of an element a ∈ A is N_{A/F}(a) = (nr(a))^n, where n is the degree of E/F.

In the following we give a condition when an algebra is a division algebra, i.e. each of its non-zero elements has a multiplicative inverse. For the proof, see [14, Theorem 11.12, p. 184].
Proposition 1. An algebra A = (E/F, σ, γ) of index n is a division algebra if and only if the smallest factor t ∈ Z_+ of n such that γ^t is the norm of some element in E* is n.
Let R (e.g. R = Z[i]) denote a Noetherian integral domain with a quotient field
F (e.g. F = Q(i)), and let A be a finite dimensional F -algebra.

Definition 3. An R-order in the F-algebra A is a subring Λ of A, having the same identity element as A, and such that Λ is a finitely generated module over R and generates A as a linear space over F.

As usual, an R-order in A is said to be maximal, if it is not properly contained in any other R-order in A.
Next we describe an order from where the elements are drawn in a typical
CDA based MIMO space-time block code. For the proof of Proposition 2, see
[15, Theorem 10.1, p. 125]. Some optimization to this can be done e.g. with the
aid of ideals as in [10] or by using a maximal order [13].

Definition 4. In any cyclic division algebra we can always choose the element γ ∈ F* determining the 2-cocycle in H²(E/F) to be an algebraic integer. We immediately see that the O_F-module
$$\Lambda_{NAT} = \mathcal{O}_E \oplus u\mathcal{O}_E \oplus \cdots \oplus u^{n-1}\mathcal{O}_E$$
is an O_F-order in the cyclic algebra (E/F, σ, γ). We refer to this O_F-order as the natural order. An alternative appellation would be layered order, as the corresponding MIMO-lattice of this order has the layered structure described in [16].
Proposition 2. For any non-zero element x ∈ Λ_NAT its reduced norm nr(x) is a non-zero element of the ring of integers O_F of the center F. In particular, if F is an imaginary quadratic number field or a cyclotomic field, then the minimum determinant of the lattice Λ_NAT is nonvanishing and equal to one. More generally, if x is an element of an R-order Λ, then nr(x) ∈ R.
Remark 2. Note that if γ ∈ F* is not an algebraic integer, then an order Λ fails to be closed under multiplication. This may adversely affect the minimum determinant of the resulting matrix lattice, as elements not belonging to an order may have non-integral and hence small norms. One of the motives underlying the perfect codes [10] is the requirement that the variable γ should have a unit modulus. Relaxing this restriction on the size of γ will lead to an antenna power imbalance in both space and time domains. The measure of the fundamental parallelotope varies with different algebras. Hence, one has to keep in mind that, on the other hand, an algebra with a unit γ may still admit larger average energy than a different algebra with a non-unit γ, so the size of γ is not the only parameter to stare at.
Definition 5. Let m = dim_F A. The discriminant of the R-order Λ is the ideal d(Λ/R) in R generated by the set
$$\bigl\{ \det\bigl(\operatorname{tr}(x_i x_j)\bigr)_{i,j=1}^{m} \;\big|\; (x_1, \dots, x_m) \in \Lambda^m \bigr\}.$$
In the interesting cases of F = Q(i), i = √−1 (resp. F = Q(√−3)) the ring R = Z[i] (resp. R = Z[ω], ω = (−1 + √−3)/2) is a Euclidean domain, so in these cases as well as in the case R = Z it makes sense to speak of the discriminant as an element of R rather than as an ideal. We simply compute the discriminant as
$$d(\Lambda/R) = \det\bigl(\operatorname{tr}(x_i x_j)\bigr)_{i,j=1}^{m},$$
where {x_1, ..., x_m} is any R-basis of Λ.
Remark 3. It is readily seen that whenever Λ ⊆ Γ are two R-orders, then d(Γ/R)
is a factor of d(Λ/R). It also turns out (cf. [15, Theorem 25.3]) that all the
maximal orders of a division algebra share the same discriminant. In this sense
a maximal order has the smallest possible discriminant among all orders within
a given division algebra, as all the orders are contained in the maximal one.
To conclude the section, we include the following simple but interesting result on
maximal orders explaining why using a principal one-sided (left or right) ideal
instead of the entire order will not change the density of the code. For the proof,
see [13, Lemma 7.1].

Lemma 1. Let Λ be a maximal order in a cyclic division algebra over an imaginary quadratic number field. Assume that the minimum determinant of the lattice Λ is equal to one. Let x ∈ Λ be any non-zero element. Let ρ > 0 be a real parameter chosen such that the minimum determinant of the lattice ρ(xΛ) is also equal to one. Then the fundamental parallelotopes of these two lattices have the same measure
$$m(\Lambda) = m(\rho(x\Lambda)).$$

3 Block Diagonal Asymmetric ST Lattices


In this section, we recall Method 1 from [1]. Let us rename this method as Block Diagonal Method (BDM).
Let us consider an extension tower F ⊆ L ⊆ E with the degrees [E : L] = r, [L : F] = m and with the Galois groups Gal(E/F) = ⟨τ⟩, Gal(E/L) = ⟨σ⟩ = ⟨τ^m⟩. Let B = (E/L, σ, γ) = E + ··· + u^{r−1}E be an index r division algebra, where the center L is fixed by σ = τ^m. We denote by #Tx = n = rm.
Note that if one has a symmetric, index n = rm CDA based STBC, the algebra B can be constructed by just picking a suitable intermediate field L ⊆ E of the right degree as the new center.
An element b = x_0 + ··· + u^{r−1}x_{r−1}, x_i ∈ E, i = 0, ..., r − 1, of the algebra B has a representation as an r × r matrix B = (b_ij)_{1≤i,j≤r} as given in (2). However, we can afford an n × n packing as we are using n transmitters. This can be achieved by using the isomorphism τ. Let us denote by τ^k(B) = (E/L, σ, τ^k(γ)), k = 0, ..., m − 1, the m isomorphic copies of B and the respective matrix representations by
$$\tau^k(B) = \bigl(\tau^k(b_{ij})\bigr)_{1 \le i,j \le r}, \quad k = 0, \dots, m-1. \qquad (3)$$
The next proposition shows that by using these copies as diagonal blocks we
obtain an infinite lattice with nonvanishing determinant. For the proof, see [1].
Proposition 3. (BDM) Let b ∈ Λ ⊆ B and F = Q(δ), where δ ∈ {i, ω}. Assume γ ∈ O_L. The lattice
$$C(\Lambda) = \bigl\{ M = \operatorname{diag}\bigl(B, \tau(B), \dots, \tau^{m-1}(B)\bigr) \bigr\}$$
built from (3) has a nonvanishing determinant $\det C(\Lambda) = \prod_{i=0}^{m-1} \det \tau^i(B) \in \mathbb{Z}[\delta]$. Thus, the minimum determinant is equal to one for all numbers of fading blocks m. The code rate equals r²m/rm = r.
Now the natural question is how to choose a suitable division algebra. In [7]
and [12] several systematic methods for constructing extensions E/L are pro-
vided. All of them make use of cyclotomic fields. In [1] we proved that, in the
asymmetric scheme, maximizing the code density (i.e. minimize the volume of
the fundamental parallelotope, see [13]) with a given minimum determinant is
equivalent to minimizing a certain discriminant. In the next section we shall
show that this also holds for the multi-block codes from [3].
First we need the following result. For the proof, see [15, p. 223].

Lemma 2. Suppose Λ ⊆ A = (E/L, τ, γ) is an O_F-order and that F ⊆ L. The discriminants then satisfy
$$d(\Lambda/\mathcal{O}_F) = N_{L/F}\bigl(d(\Lambda/\mathcal{O}_L)\bigr)\, d(\mathcal{O}_L/\mathcal{O}_F)^{\dim_L \mathcal{A}}.$$

The same naturally holds in the commutative case when we replace A with E.

The definition of the discriminant closely resembles that of the Gram matrix of
a lattice, so the following results are rather unsurprising. For the proof, see [1].

Proposition 4. Assume that F is an imaginary quadratic number field and that {1, ρ} forms a Z-basis of its ring of integers O_F. Let r = [E : L], m = [L : F], n = rm, and s = |ℑρ|^{mr²}. If the order C(Λ) defined as in Proposition 3 is a free O_F-module (which is always the case if O_F is a principal ideal domain), then the measure of the fundamental parallelotope equals
$$m(C(\Lambda)) = s\,|d(\Lambda/\mathcal{O}_F)| = s\,\bigl|d(\mathcal{O}_L/\mathcal{O}_F)^{r^2}\, N_{L/F}\bigl(d(\Lambda/\mathcal{O}_L)\bigr)\bigr| = s\,\Bigl|d(\mathcal{O}_L/\mathcal{O}_F)^{r^2} \prod_{i=0}^{m-1} \tau^i\bigl(d(\Lambda/\mathcal{O}_L)\bigr)\Bigr|.$$

Corollary 1. In the case F = Q(i) we get m(C(Λ)) = |d(Λ/Z[i])|. For F = Q(ω) the volume equals $m(C(\Lambda)) = \bigl(\sqrt{3}/2\bigr)^{mr^2} |d(\Lambda/\mathbb{Z}[\omega])|$.

Now we can conclude that the extensions E/L, L/F and the order Λ ⊆ B should
be chosen such that the discriminants d(OL /OF ) and d(Λ/OL ) are as small as
possible. By choosing a maximal order within a given division algebra we can
minimize the norm of d(Λ/OL ) (cf. Remark 3). As in practice an imaginary
quadratic number field F is contained in L, we know that L is totally complex.
In that case the fact that

$$d(\Lambda/\mathcal{O}_L) \ge (P_1 P_2)^{r(r-1)}, \qquad (4)$$

where P1 and P2 are prime ideals ∈ OL with the smallest norms (to Q) helps us
in picking a good algebra (for the proof, see [13, Theorem 3.2]).

Remark 4. Note that as opposed to [13], here we do not achieve nice, explicit
lower bounds for d(Λ/OL ). That is a consequence of the fact that the center
L can now be almost anything that just contains Z[i] or Z[ω]. An exact lower
bound of course exists, but we have not been searching for it yet. We hope to
provide this lower bound in a forthcoming paper.

Remark 5. In [13] we have studied the use of maximal orders in the design of
dense, symmetric, CDA based MIMO STBCs in more detail. The same ideas
can be adapted to asymmetric and multi-block scheme as well.

4 Minimal Delay Multi-block ST Codes


The nTx+rRx antenna AST code from Proposition 3 can be transformed into an rTx+rRx antenna multi-block code [3] by an evident rearrangement of the blocks:
$$\operatorname{diag}\bigl(B, \tau(B), \dots, \tau^{m-1}(B)\bigr) \leftrightarrow \bigl[B, \cdots, \tau^{m-1}(B)\bigr]. \qquad (5)$$
As the Gram matrices of an AST lattice and a multi-block ST lattice coincide, Lemma 4 also holds for multi-block ST codes with the same parameters. Let the notation be as in Section 3.
Proposition 5. Let b ∈ Λ ⊆ B and F = Q(δ), where δ ∈ {i, ω}. Assume γ ∈ O_L. As the lattice
$$C'(\Lambda) = \bigl\{ M = \bigl[B, \tau(B), \dots, \tau^{m-1}(B)\bigr] \bigr\}$$
built from (3) satisfies the generalized nonvanishing determinant property (cf. [3],[11]), it is optimal with respect to the D-M tradeoff for all numbers of fading blocks m. Similarly as in Proposition 3, $\prod_{i=0}^{m-1} \det \tau^i(B) \ge 1$. The code rate equals r²m/rm = r.
Proof. For the proof, see [3].
Proposition 6. The Gram determinants (cf. (1)) of the lattices C(Λ) and C′(Λ) coincide:
$$\det G(C(\Lambda)) = \det G(C'(\Lambda)).$$
Proof. This is obvious, as
$$\operatorname{tr}\bigl(\operatorname{diag}(BB^H, \dots, \tau^{m-1}(B)\tau^{m-1}(B)^H)\bigr) = \sum_{i=0}^{m-1} \operatorname{tr}\bigl(\tau^i(B)\tau^i(B)^H\bigr) = \operatorname{tr}\Bigl(\sum_{i=0}^{m-1} \tau^i(B)\tau^i(B)^H\Bigr).$$
An immediate consequence of Proposition 6 is
Corollary 2. The lattices C(Λ) and C  (Λ) share the same density, i.e. Proposi-
tion 4 can be adapted as such to the multi-block scheme.

5 Explicit Codes
In this section we provide explicit asymmetric constructions for the important case of 4Tx + 2Rx antennas. These codes can be modified for 2 × 2 multi-block use (cf. (5)). The primitive nth root of unity will be denoted by ζ_n. The first three examples are given in terms of an asymmetric construction, whereas the last one is described as a multi-block code. However, with the aid of (5), an asymmetric code can always be transformed into a multi-block code and vice versa.

5.1 Perfect Algebra PA


Let us consider an algebra with the same maximal subfield that was used for the 4×4 Perfect code in [10]. We have the nested sequence of fields F ⊆ L ⊆ E, where F = Q(i), L = Q(√5, i), and E = Q(θ, i) with θ = ζ_15 + ζ_15^{−1} = 2cos(2π/15).

We denote this algebra by PA = (E/L, σ = τ², γ) = E ⊕ uE, where u² = γ = i and τ(θ) = θ² − 2. As τ(√5) = −√5, the field L is indeed fixed by σ = τ². By embedding the algebra PA as in Proposition 3 we obtain the AST code
$$PA_1 \subseteq \left\{ \begin{pmatrix} x_0 & i\sigma(x_1) & 0 & 0 \\ x_1 & \sigma(x_0) & 0 & 0 \\ 0 & 0 & \tau(x_0) & i\tau(\sigma(x_1)) \\ 0 & 0 & \tau(x_1) & \tau(\sigma(x_0)) \end{pmatrix} \;\middle|\; x_i \in \mathcal{O}_E \right\}.$$
As the center is L with [L : Q(i)] = 2 and O_L = Z[i, μ = (1 + √5)/2], the elements x_i in the matrix are of the form a_1 + a_2μ + a_3θ + a_4μθ, where a_i ∈ Z[i] for all i. Thus, the code transmits, on the average, 2 independent QAM symbols per channel use.
We can further improve the performance by taking the elements xi from the
ideal aO_E, where a = 1 − 3i + iθ² ∈ O_E. Moreover, a change of basis given by
$$\begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & -3 & 0 & 1 \\ -1 & -3 & 1 & 1 \end{pmatrix}$$
guarantees an orthogonal basis.

5.2 Cyclotomic Algebra CA


The algebra CA = (E/L, σ = τ² : ξ → −ξ, γ = 1 + s − i) = E ⊕ uE (cf. [11], [13], [1]), for its part, has the nested sequence of fields F ⊆ L ⊆ E with F = Q(i), L = Q(s = ζ_8), and E = Q(ξ = ζ_16). As we have τ : ξ → iξ, s → −s, the field L is fixed by σ = τ². Again by embedding the algebra CA as in Proposition 3, the AST code
$$CA_1 \subseteq \left\{ \begin{pmatrix} x_0 & \gamma\sigma(x_1) & 0 & 0 \\ x_1 & \sigma(x_0) & 0 & 0 \\ 0 & 0 & \tau(x_0) & \tau(\gamma)\tau(\sigma(x_1)) \\ 0 & 0 & \tau(x_1) & \tau(\sigma(x_0)) \end{pmatrix} \;\middle|\; x_i \in \mathcal{O}_E \right\}$$
is obtained. The center is L with [L : Q(i)] = 2 and OL = Z[s]. The elements
xi in the matrix are of the form a1 + a2 s + a3 ξ + a4 sξ, where ai ∈ Z[i] for all
i. Hence the above code is transmitting again, on the average, 2 independent
QAM symbols per channel use.
Note that we have chosen here a suitable non-norm element γ from OL instead
of OF (cf. Section 3). We get some energy savings as |1 + s − i| < |2 + i|.

5.3 Algebra IA – An Improved Maximal Order

Similarly as in the two previous subsections, we obtain a rate-2 AST code IA_1 by introducing yet another algebra IA = (E/L, σ = τ², γ = √−3), where F = Q(i), L = Q(i, √3), E = L(√(1 + i)), and τ : √3 → −√3, √(1 + i) → −√(1 + i).
Among our example algebras, IA has the densest maximal order.

5.4 Algebra QA – An Improved Natural Order

Let us use the multi-block notation for a change. Here we consider another
tower of number fields F ⊂ L ⊂ E, where E = Q(ζ5 , i), F = Q(i), and where
L = Q(θ, i) with θ = ζ_5 + ζ_5^{−1}. Clearly we have Gal(E/F) = ⟨τ⟩, τ(ζ_5) = ζ_5², and τ(θ) = θ² − 2. Thus we obtain the CDA QA = (E/L, σ = τ², γ) = E ⊕ uE, and γ = u² = i is a non-norm element. Embedding the algebra QA as in Proposition 3 yields the following multi-block ST code with coding over 2 consecutive fading blocks:
$$QA_1 \subseteq \left\{ \left( B = \begin{pmatrix} x_0 & i\sigma(x_1) \\ x_1 & \sigma(x_0) \end{pmatrix},\ \tau(B) = \begin{pmatrix} \tau(x_0) & i\tau(\sigma(x_1)) \\ \tau(x_1) & \tau(\sigma(x_0)) \end{pmatrix} \right) \;\middle|\; x_i \in \mathcal{O}_E \right\}.$$
The elements x_i in the above are of the form $x_i = \sum_{j=0}^{3} a_{i,j}\,\zeta_5^j$, where a_{i,j} ∈ Z[i], hence the above code transmits, on the average, 2 independent QAM symbols per channel use.
Among our example algebras, QA has the densest natural order.

Table 1. Normalized minimum determinant δ and normalized density ρ = 1/m(Λ) of natural and maximal orders of different algebras

Algebra, order      δ        ρ
PA, Λ_NAT           0.0298   3^{-4} · 5^{-6}  = 7.9 · 10^{-7}
PA, Λ_MAX           0.0894   5^{-6}           = 6.4 · 10^{-5}
CA, Λ_NAT           0.0361   2^{-16} · 3^{-2} = 1.7 · 10^{-6}
CA, Λ_MAX           0.1214   2^{-9} · 3^{-2}  = 2.2 · 10^{-4}
IA, Λ_NAT           0.0340   2^{-10} · 3^{-6} = 1.4 · 10^{-6}
IA, Λ_MAX           0.1361   2^{-2} · 3^{-6}  = 3.4 · 10^{-4}
QA, Λ_NAT = Λ_MAX   0.0894   5^{-6}           = 6.4 · 10^{-5}

Example 1. Let us calculate the normalized minimum determinant of the algebra IA as an example (cf. Section 1, Definitions 4, 5, and Propositions 3 and 4). The other algebras can be treated likewise. In Table 1 we have listed the normalized minimum determinants δ and densities ρ of the natural and maximal orders of the algebras PA, CA, IA, and QA. Note that for QA these two actually coincide. We can conclude that among the natural orders, that of the algebra QA has the largest normalized minimum determinant, i.e. the highest density. The algebra IA, for its part, has the densest maximal order. The corresponding numbers are shown in bold in Table 1.
For the natural order of IA we have $\det_{\min}(C(\Lambda_{NAT})) = 1$ and $\rho^{-1} = m(C(\Lambda_{NAT})) = 2^{10} \cdot 3^6$, hence $r = 2^{-5/8} \cdot 3^{-3/8}$. Now $m(rC(\Lambda_{NAT})) = 1$ and the normalized minimum determinant is $\delta = \det_{\min}(rC(\Lambda_{NAT})) = 2^{-5/2} \cdot 3^{-3/2} \cdot 1 \approx 0.0340$.
The maximal order of IA has $\det_{\min}(C(\Lambda_{MAX})) = 1$ and $m(C(\Lambda_{MAX})) = 2^2 \cdot 3^6$, thus $r = 2^{-1/8} \cdot 3^{-3/8}$ and $\delta = \det_{\min}(rC(\Lambda_{MAX})) = \frac{1}{3\sqrt{2}\sqrt{3}} \approx 0.1361$.
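As an added worked example (not code from the paper), the following Python computes the Gram matrix (1), the measure m(L) and the normalized quantities δ and ρ of Section 1, checks Proposition 6 numerically, and reproduces the δ values of Example 1 from the measures stated there. The toy lattice it uses (the natural order of the quaternion algebra (Q(i)/Q, conjugation, −1), with τ taken as entrywise conjugation) and the rank k = 16 read off from the paper's scaling exponent are assumptions made for the example.

```python
"""Normalized minimum determinant and density of a matrix lattice.

Added worked example; none of this is code from the paper.  It implements the
Gram matrix (1), the measure m(L) of the fundamental parallelotope, the scaling
law detmin(rL) = r^n detmin(L), m(rL) = r^k m(L) and the normalized quantities
delta(L), rho(L) of Section 1, then checks Proposition 6 on a toy lattice: the
AST arrangement diag(B, tau(B)) and the multi-block arrangement [B, tau(B)] have
the same Gram matrix.  Toy algebra (an assumption, not from the paper): the
quaternion algebra (Q(i)/Q, sigma = conjugation, gamma = -1) with its natural
order Z[i] + uZ[i]; representation (2) gives Alamouti-type 2x2 matrices with
det = |x0|^2 + |x1|^2, so detmin = 1.  tau is entrywise complex conjugation.
"""
from fractions import Fraction
from itertools import product
import math

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def conj_transpose(A):
    return [[A[j][i].conjugate() for j in range(len(A))] for i in range(len(A[0]))]

def trace(A):
    return sum(A[i][i] for i in range(len(A)))

def det(M):
    """Determinant by Gaussian elimination; works for Fraction or complex entries."""
    A = [list(row) for row in M]
    n, d = len(A), 1
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c] != 0), None)
        if p is None:
            return 0
        if p != c:
            A[c], A[p], d = A[p], A[c], -d
        d *= A[c][c]
        for r in range(c + 1, n):
            f = A[r][c] / A[c][c]
            for j in range(c, n):
                A[r][j] -= f * A[c][j]
    return d

def gram_matrix(basis):
    """G(L) = (tr(x_i x_j^H)) of (1).  Re(.) is the Euclidean inner product of the
    real ambient space; for the toy lattice below the traces are real anyway."""
    return [[Fraction(trace(matmul(xi, conj_transpose(xj))).real) for xj in basis]
            for xi in basis]

def measure(basis):
    """m(L) = sqrt(det G(L)), the volume of the fundamental parallelotope."""
    return math.sqrt(det(gram_matrix(basis)))

def normalized_quantities(m_L, detmin, n, k):
    """n = matrix size, k = Z-rank.  delta(L): scale by r with m(rL) = r^k m(L) = 1
    and read off detmin(rL) = r^n detmin(L).  rho(L): scale by r' with
    detmin(r'L) = r'^n detmin(L) = 1 and take 1/m(r'L) = 1/(r'^k m(L))."""
    r = m_L ** (-1.0 / k)
    r2 = detmin ** (-1.0 / n)
    return r ** n * detmin, 1.0 / (r2 ** k * m_L)

def alamouti_matrix(x0, x1):
    """Representation (2) for n = 2, sigma = complex conjugation, gamma = -1."""
    return [[x0, -x1.conjugate()], [x1, x0.conjugate()]]

# Z-basis of the natural order Z[i] + uZ[i]: (x0, x1) in {(1,0), (i,0), (0,1), (0,i)}.
TOY_BASIS = [alamouti_matrix(complex(x0), complex(x1))
             for x0, x1 in ((1, 0), (1j, 0), (0, 1), (0, 1j))]

def tau(B):
    return [[z.conjugate() for z in row] for row in B]

def block_diagonal(blocks):
    """diag(B, tau(B), ...): the AST arrangement of Proposition 3."""
    size = sum(len(b) for b in blocks)
    M, off = [[0j] * size for _ in range(size)], 0
    for b in blocks:
        for i, row in enumerate(b):
            M[off + i][off:off + len(row)] = row
        off += len(b)
    return M

def multi_block(blocks):
    """[B, tau(B), ...]: the multi-block arrangement (5)."""
    return [sum((b[i] for b in blocks), []) for i in range(len(blocks[0]))]

def gram_matrices_coincide(basis):
    """Proposition 6 / Corollary 2 on the two-block lattices built from `basis`."""
    ast = [block_diagonal([B, tau(B)]) for B in basis]
    mb = [multi_block([B, tau(B)]) for B in basis]
    return gram_matrix(ast) == gram_matrix(mb)

def min_abs_det(basis, coeffs=range(-2, 3)):
    """Brute-force minimum of |det| over small nonzero integer combinations."""
    dets = []
    for c in (c for c in product(coeffs, repeat=len(basis)) if any(c)):
        M = [[sum(ci * xi[r][s] for ci, xi in zip(c, basis))
              for s in range(len(basis[0][0]))] for r in range(len(basis[0]))]
        dets.append(abs(det(M)))
    return min(dets)

if __name__ == "__main__":
    print("toy lattice: m =", measure(TOY_BASIS), "(delta, rho) =",
          normalized_quantities(measure(TOY_BASIS), min_abs_det(TOY_BASIS), 2, 4))
    print("Gram(diag(B, tau(B))) == Gram([B, tau(B)]):", gram_matrices_coincide(TOY_BASIS))
    # Example 1: m(C(Lambda_NAT)) = 2^10 3^6, m(C(Lambda_MAX)) = 2^2 3^6, n = 4;
    # k = 16 is inferred from the paper's r = m^(-1/16) (eight Z[i]-coordinates).
    for m_L in (2 ** 10 * 3 ** 6, 2 ** 2 * 3 ** 6):
        print("IA, m = %d: delta = %.4f, rho = %.2e" % ((m_L,) + normalized_quantities(m_L, 1, 4, 16)))
```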

References
1. Hollanti, C., Ranto, K.: Asymmetric Space-Time Block Codes for MIMO Systems. In: 2007 IEEE ITW, Bergen, Norway, pp. 101–105 (2007)
2. Hottinen, A., Hong, Y., Viterbo, E., Mehlführer, C., Mecklenbräuker, C.F.: A Comparison of High Rate Algebraic and Non-Orthogonal STBCs. In: 2007 ITG/IEEE WSA 2007, Vienna, Austria (2007)
3. Lu, H.F.F.: Explicit Constructions of Multi-Block Space-Time Codes that Achieve the Diversity-Multiplexing Tradeoff. In: 2006 IEEE ISIT, Seattle, pp. 1149–1153 (2006)
4. Yang, S., Belfiore, J.-C.: Optimal Space-Time Codes for the MIMO Amplify-and-Forward Cooperative Channel. IEEE Trans. Inform. Theory 53, 647–663 (2007)
5. Belfiore, J.-C., Rekaya, G.: Quaternionic Lattices for Space-Time Coding. In: IEEE ITW 2003, Paris, France (2003)
6. Lahtonen, J.: Dense MIMO Matrix Lattices and Class Field Theoretic Themes in Their Construction. In: IEEE ITW 2007, Bergen, Norway, pp. 96–100 (2007)
7. Elia, P., Kumar, K.R., Pawar, S.A., Kumar, P.V., Lu, H.F.F.: Explicit Space-Time Codes Achieving the Diversity-Multiplexing Gain Tradeoff. IEEE Trans. Inform. Theory 52, 3869–3884 (2006)
8. Zheng, L., Tse, D.: Diversity and Multiplexing: A Fundamental Tradeoff in Multiple-Antenna Channels. IEEE Trans. Inform. Theory 49, 1073–1096 (2003)
9. Sethuraman, B.A., Rajan, B.S., Shashidhar, V.: Full-Diversity, High-Rate Space-Time Block Codes From Division Algebras. IEEE Trans. Inform. Theory 49, 2596–2616 (2003)
10. Belfiore, J.-C., Oggier, F., Rekaya, G., Viterbo, E.: Perfect Space-Time Block Codes. IEEE Trans. Inform. Theory 52, 3885–3902 (2006)
11. Kiran, T., Rajan, B.S.: STBC-Schemes with Non-Vanishing Determinant for Certain Number of Transmit Antennas. IEEE Trans. Inform. Theory 51, 2984–2992 (2005)
12. Lu, H.F.F., Elia, P., Kumar, K.R., Pawar, S.A., Kumar, P.V.: Space-Time Codes Meeting the Diversity-Multiplexing Gain Tradeoff with Low Signalling Complexity. In: 2005 CISS, Baltimore (2005)
13. Hollanti, C., Lahtonen, J., Ranto, K., Vehkalahti, R.: On the Densest MIMO Lattices from Cyclic Division Algebras. IEEE Trans. Inform. Theory (submitted 2006). http://arxiv.org/abs/cs.IT/0703052
14. Albert, A.A.: Structure of Algebras. AMS, New York (1939)
15. Reiner, I.: Maximal Orders. Academic Press, New York (1975)
16. El Gamal, H., Hammons Jr., A.R.: A New Approach to Layered Space-Time Coding and Signal Processing. IEEE Trans. Inform. Theory 47, 2321–2334 (2001)
On the Computation of Non-uniform Input for
List Decoding on Bezerra-Garcia Tower

M. Prem Laxman Das and Kripasindhu Sikdar

Indian Statistical Institute


203 B.T. Road, Kolkata 700108, West Bengal, India
prem [email protected]

Abstract. Guruswami and Patthak, among many results, gave a randomized algorithm for computing the evaluation of regular functions of the Garcia-Stichtenoth tower at a large degree place. An algorithm, along the same lines, for the Bezerra-Garcia tower is given. This algorithm uses Kummer's theorem.

1 Introduction

Algebraic-geometric codes are evaluation codes similar to Reed-Solomon codes. These codes are constructed over function fields, F, of transcendence degree one over a finite field. For more details refer to [1]. Such codes are well-studied for their asymptotic properties. In fact, codes constructed on the tower of function fields introduced in [2] attain the best known bounds. Encoding and decoding procedures for linear codes constructed on function fields have attracted much research in the last two decades. The encoding procedure involves finding a basis for Riemann-Roch spaces of divisors. The functions of L(uQ) are evaluated at some places of degree one to obtain the code.
A list decoding algorithm for a code gives as output a small list of codewords, but corrects more errors than a classical algorithm can. Such an algorithm for one-point codes was given in [3] and a suitable representation of the data involved was discussed in [4]. The algorithm is an interpolate-and-root-find strategy. For a received word y = (y_1, ..., y_n) a polynomial in one variable over F is found, such that each coefficient lies in L(D), where D is the underlying divisor, and the zeroes of this polynomial are the required words. Then the zeroes of the interpolation polynomial are found and those which lie sufficiently close to the received word are output. The zeros of the interpolation polynomial are known to be elements of L(D) for the underlying divisor D. This data may be used to design efficient root finding algorithms over function fields. Here the focus is on the root finding step of the list decoding algorithm. In [4], the root-find step involves computation of a non-uniform input, which is an evaluation of the basis elements of L(D) at a large degree place. Hence, the non-uniform input is independent of the received word.
In [5] the authors, among many other results, find the non-uniform input for
the function fields of the Garcia-Stichtenoth tower [2]. They use the structure of

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 237–246, 2007.
© Springer-Verlag Berlin Heidelberg 2007
238 M.P.L. Das and K. Sikdar

the quasi-regular functions used in the pole cancellation algorithm of [6]. Their procedure for finding the non-uniform input is randomized, making uniformly random choices for irreducible polynomials of a given degree over F_{q²}. A simple counting argument shows that there exist places of degree r of F_m lying above places of the same degree of F_1. Here F_1 ⊂ F_2 ⊂ F_3 ⊂ ... is the tower. The required non-uniform input is obtained as a solution to a system of linearized equations, using Kummer's theorem (see [1, p. 76]).
A similar procedure for the Bezerra-Garcia tower is given here. There is a unique pole of x_1 in F_m, which is totally ramified throughout the tower. For construction of codes, divisors of the form uP_∞ are chosen. A nice dual basis for the ring of such regular functions exists, such that it is sufficient to determine the evaluations of the coordinate variables at a large degree place to evaluate the basis elements themselves. There exist places of F_m of degree r lying above a place of the same degree of F_1 for large enough r. Also the set {1, y, ..., y^{q−1}} is an integral basis for the large degree place. The required evaluations of the coordinate variables are obtained by solving a system of linearized equations, using Kummer's theorem.
The plan of the paper is as follows. First some preliminaries on the Bezerra-Garcia tower from [7] are recalled. Then some facts on the number of places of a given degree of a function field F/F_q of genus g are recalled from [1]. The list decoding procedure for one-point codes is recalled. A bound on the number of places of F_1 of degree r lying below a place of the same degree of F_m is obtained. Hence, the probability that a place of degree r of F_1 chosen at random has the above property is calculated. Finally, the randomized algorithm for finding the non-uniform input on the function fields of the Bezerra-Garcia tower is given.

2 Preliminaries and Notations


Throughout Fq will denote a finite field of cardinality q having characteristic
p. We will be concerned with function fields of transcendence degree one F/Fq .
The genus of F will be denoted by g. Places of F will be denoted by P , Q, R,
etc. The discrete valuation associated with a place P is denoted by vP and the
valuation ring by OP . The set of places of F will be denoted by P(F ). For z ∈ F ,
the divisor (z) denotes the principal divisor of z. For D a divisor deg(D) and
dim(D) will denote the degree and dimension of the divisor respectively. Recall
that for D, a divisor

L(D) = {z ∈ F | (z) + D ≥ 0}.

Also supp(D) denotes the support of D, which is the set of places appearing in the expression for D. Further, for P′ | P in a separable extension of function fields, e(P′ | P), f(P′ | P) and d(P′ | P) will denote the ramification index, the relative degree and the different exponent respectively.
On the Computation of Non-uniform Input for List Decoding 239

2.1 The Bezerra-Garcia Tower


In this section, the tower studied in [7] is recalled. Some important properties of this tower are listed.
Definition 1. Let K = F_{q²} and let F_1 := K(x_1) be the rational function field. For each m ≥ 1, we have F_{m+1} := F_m(x_{m+1}), where x_{m+1} satisfies
$$\frac{x_{m+1} - 1}{x_{m+1}^q} = \frac{x_m^q - 1}{x_m}. \qquad (1)$$
The following facts regarding ramification of places lying above the pole and zeroes of x_1 and x_1 − 1 of F_1 may be recalled from [7].
Lemma 1. The following hold for the function field F_m of the tower.
a. The unique pole of x_1 in F_1 is totally ramified throughout the tower.
b. The unique zero of x_1 in F_1 is totally ramified throughout the tower.
Proof. See [7, Lemma 2].

By regular functions, we mean functions of F_m having poles only at $P_\infty^{(m)}$. Such functions form a subring of F_m, denoted by R_m. This ring is the integral closure of R_1 = F_{q²}[x_1] in F_m.
For a separable extension of function fields, given any basis, there exists a uniquely determined trace dual basis. Next, we state a simple result regarding the existence of a nice (trace) basis-dual basis.
Theorem 1. Let ρ_i = (x_1 − 1)^{q^i} for i = 2, ..., m. Let
$$Z := \prod_{i=2}^{m} \{1, \rho_i x_i, \rho_i x_i^2, \dots, \rho_i x_i^{q-1}\}$$
and
$$Z^* := \prod_{i=2}^{m} \left\{ -\frac{x_i - 1}{\rho_i x_i^q}, -\frac{x_i - 1}{\rho_i x_i^{q-1}}, \dots, -\frac{x_i - 1}{\rho_i x_i^2}, \frac{1}{\rho_i x_i} \right\}$$
be the sets obtained by taking (m − 1)-fold products of the constituent sets. Then
$$\sum_{z \in Z} R_1 z \subseteq R_m \subseteq \sum_{z^* \in Z^*} R_1 z^*,$$
where the sums above are finite.


Hence, we have the following corollary.
Corollary 1. Any element ζ ∈ F_m having poles only at P_∞ can be written as a (finite) sum
$$\zeta = \sum_{\xi \in Z^*} a_\xi(x_1)\,\xi,$$
where a_ξ is a polynomial in x_1.

The denominator of the dual basis for F_m/F_1 above involves only x_1 − 1 and the x_j's. We shall use this result for finding the non-uniform input for this tower. The above result uses the proof of [1, Theorem III.5.10] and some simple facts about the tower. This result and many other facts about the tower are dealt with elsewhere. This tower is interesting because it attains the Drinfeld-Vlăduţ bound. In fact, in [7] it is shown that this tower is a subtower of that in [2].
Lemma 2. The genus of the mth function field g_m is given by
$$(q-1)\,g_m = \begin{cases} \bigl(q^{m/2} - 1\bigr)^2, & m \text{ even}, \\ \bigl(q^{(m-1)/2} - 1\bigr)\bigl(q^{(m+1)/2} - 1\bigr), & m \text{ odd}. \end{cases} \qquad (2)$$
The rational places of F_1 corresponding to the roots of x_1^q + x_1 − 1 = 0 are completely splitting throughout the tower. Hence the number of rational places for F_m, denoted by N_m, satisfies
$$N_m \ge q^m. \qquad (3)$$
Hence, the tower attains the Drinfeld-Vlăduţ bound.

2.2 Number of Places of a Given Degree


Let F/F_q be a function field of genus g. Here, we recall estimates on the number of places of a given degree of a function field over a finite field. The basic reference for this topic is [1, Chapter V]. Let N = N(F) denote the number of places of F of degree one. Also, let N_r denote the number of places of degree one in the constant field extension F_r = F·F_{q^r} for r ≥ 1. Further, let B_r denote the number of places of F of degree r. The bound on B_r from [1, Corollary V.2.10] is recalled.
Proposition 1. The estimate
$$\left| B_r - \frac{q^r}{r} \right| < (2 + 7g)\,\frac{q^{r/2}}{r}$$
holds.
This bound will be used to obtain an estimate of the number of places of degree r of F_1 lying below places of the same degree of F_m of the tower.

2.3 Algebraic-Geometric Codes and Their List Decoding


In this section the list decoding algorithm of [3] is outlined. Let us first recall the definition of one-point algebraic-geometric codes on a function field. The basic reference for this topic is the monograph [1].
Definition 2. Let F ⊃ F_q be a function field of genus g. Let P_1, ..., P_n be distinct places of degree 1, all distinct from a place Q. Let G = P_1 + ... + P_n and consider the divisor uQ. Let
$$C_L(u, G) = \{(f(P_1), \dots, f(P_n)) \mid f \in L(uQ)\} \subseteq \mathbb{F}_q^n.$$
The code C_L is known as a (one-point) algebraic-geometric (AG) code.

The next lemma gives the parameters of the one-point codes.

Lemma 3. Assume that u < n. Then CL (u, G) is an [n, k, d]q code with k ≥
u − g + 1 and d ≥ n − u.

It is assumed henceforth that u < n, so that the above lemma holds. A list decoding algorithm for such one-point codes was given in [3] and a suitable representation of the data involved was discussed in [4]. Suppose that the channel corrupts at most n − t places of the sent word and y = (y_1, ..., y_n) is received. The list decoding algorithm of [3] finds an interpolation polynomial for y as the first step. This polynomial has degree s for a suitably chosen parameter s and has coefficients in L(D) for a suitably chosen divisor D. For more details consult [3]. The required list of decoded words comprises those zeroes of the interpolation polynomial in L(uQ) whose evaluations at P_i agree with y_i for at least t coordinates.
In [4] the representation issues related to the list decoding algorithm are discussed. A strategy for finding the zeroes of the interpolation polynomial is given. This strategy is based on finding a non-uniform input which doesn't depend on the received word. A basis for L(D) is assumed to be computable. The non-uniform input is described below:
Non-Uniform Input: A place R in P(F) of degree r greater than deg D, represented as an l-tuple (ζ_1^R, ..., ζ_l^R) over F_{q^r}, obtained by evaluating an increasing basis (Φ_1, ..., Φ_l) of L(D) at the place R.
Let us begin by recalling [4, Lemma 5].

Lemma 4. If $f_1, f_2 \in L(A)$ for $A \ge 0$ and $f_1(R) = f_2(R)$ for some place $R$ of
degree bigger than $\deg(A)$, then $f_1 = f_2$.

The strategy now is to first reduce the interpolation polynomial $H(T)$ modulo
$R$ to obtain $h(T)$ over the underlying finite field and find the zeroes of the
polynomial equation $h(T) = 0$ using some standard algorithm. Then for each
root $\alpha_i$ compute $\beta_i \in L(D)$, if any, such that $\beta_i(R) = \alpha_i$. This $\beta_i$, by Lemma 4, is
unique. Those elements of the list $\beta_1, \dots, \beta_t$ are output which meet the distance
criterion. The root-find procedure of [4] is given below.

Algorithm 1 (ROOT-FIND)
Input: A degree $d$ polynomial $H(T) = \sum_{i=0}^{d} a_i T^i \in F[T]$, where each $a_i \in L(D)$.
Output: All zeroes of $H$ that lie in $L(D)$.

1. Reduce $H$ modulo a place $R$ of $F$ of large enough degree, say $r$, to obtain $h(T)$.
2. Compute the zeroes, say $\alpha_1, \dots, \alpha_t$, of $h(T)$ using a procedure for factorization
of polynomials over finite fields.
3. For each $\alpha_i$ find the unique $\beta_i \in L(D)$, if any, which evaluates to $\alpha_i$ at $R$.

The correctness of the algorithm hinges on the following remark.


242 M.P.L. Das and K. Sikdar

Remark 1. If $\beta_i = \sum_{j=1}^{l(D)} a_j \Phi_j$, then
$$\sum_{j=1}^{l(D)} a_j \Phi_j(R) = \alpha_i$$
may be considered as a system of linear equations with $a_1, \dots, a_{l(D)}$ as indeterminates
over $\mathbb{F}_q$ after fixing a representation for $\mathbb{F}_{q^r} \supset \mathbb{F}_q$. This system has
at most one solution, by Lemma 4, and it is unique whenever such a $\beta_i$ exists.
From the above discussion, it is clear that given
1. the non-uniform input,
2. a root-finding algorithm over a large finite field and
3. a procedure for solving a system of linear equations over Fq
the root finding algorithm may be efficiently implemented. There exist algo-
rithms to perform the second and third tasks above. Hence, given the non-
uniform input the entire root-find step of the list decoding algorithm may be
efficiently implemented.
In [5] the authors, among many other results, find the non-uniform input for
the function fields of the Garcia-Stichtenoth tower [2]. Suppose
$$F_1 \subset F_2 \subset F_3 \subset \cdots$$
denotes the tower and $P_\infty^{(m)}$ the unique pole of $x_1$ in $F_m$. In [6] a pole cancellation
based algorithm for determining a basis for $L(uP_\infty^{(m)})$ is given, which uses
regular functions defined there. The procedure of [5] makes use of the structure
of quasi-regular functions. A simple counting argument of [5] shows that there
exist places of degree $r$ of $F_m$ lying above places of $F_1$ of the same degree. Their
procedure for finding the non-uniform input is randomized, making uniformly
random choices for irreducible polynomials of a given degree over $\mathbb{F}_q$. The required
non-uniform input is obtained as a solution of a system of linearized
equations using Kummer's theorem (see [1, pg. 76]).

3 Places of a Special Type of Degree r of the Tower

We restrict our attention to function fields over finite fields of the type $\mathbb{F}_{q^2}$. A
bound on the number of places of $F_1$ of degree $r$ lying below a place of the same
degree of $F_m$ is obtained. Hence the probability that a place of degree $r$ of $F_1$
chosen at random has the above property is calculated. Techniques used in
this section are from [1, Chapter V].
In the following the superscript $m$ denotes the function field $F_m$ of the tower.
Thus $B_r^{(m)}$ denotes the number of places of degree $r$ of $F_m/\mathbb{F}_{q^2}$.

For $F_m$, let $U_r^{(m)}$ denote the number of places of $F_1$ of degree $r$ lying
below a degree $r$ place of $F_m$. Let
$B_{r,1}^{(m)} :=$ the number of degree $r$ places of $F_m$ lying above a degree $r$
place of $F_1$, and
$B_{r,2}^{(m)} :=$ the number of degree $r$ places of $F_m$ not lying above a
degree $r$ place of $F_1$.
Clearly we have $B_r^{(m)} = B_{r,1}^{(m)} + B_{r,2}^{(m)}$. We have
$$B_{r,1}^{(m)} \le U_r^{(m)} \cdot [F_m : F_1]. \qquad (4)$$
Now, we shall estimate $B_{r,2}^{(m)}$. We know that places of degree $r$ of $F_1$ are in one-to-one
correspondence with monic irreducible polynomials of degree $r$ over $\mathbb{F}_{q^2}$.
Also, if $P' \mid P$ then $\deg(P)$ divides $\deg(P')$. Hence $B_{r,2}^{(m)}$ is at most the number
of monic irreducible polynomials of degree at most $r/2$ over $\mathbb{F}_{q^2}$. Thus
$$B_{r,2}^{(m)} \le \sum_{d=1}^{\lfloor r/2 \rfloor} \frac{q^{2d} - q^2}{d} \le q^{r+1}. \qquad (5)$$
Next, we state and prove a simple lemma.

Lemma 5. For $r \ge m + 16$ the following holds:
$$q^{m-1} \cdot U_r^{(m)} \ge \frac{q^{2r}}{2r}.$$

Proof. Using Equations (4) and (5) and the bound on $B_r$ in Proposition 1 (applied to
$F_m/\mathbb{F}_{q^2}$, so that $q$ is replaced by $q^2$ there), we obtain
$$q^{m-1} \cdot U_r^{(m)} \ge \frac{q^{2r}}{r} - \frac{8 g_m q^r}{r} - q^{r+1}.$$
Using the fact that $g_m \le q^m$, we obtain
$$q^{m-1} \cdot U_r^{(m)} \ge \frac{q^{2r}}{r} - \frac{8 q^{r+m}}{r} - q^{r+1}.$$
Consequently, for $r \ge m + 16$ the following holds:
$$q^{m-1} \cdot U_r^{(m)} \ge \frac{q^{2r}}{2r},$$
hence the result. □

Finally we estimate the probability with which a degree $r$ place of $F_1$ chosen
uniformly at random has a degree $r$ place of $F_m$ above it. Notice that choosing a
degree $r$ place of $F_1$ is equivalent to choosing an irreducible polynomial of degree
$r$ over $\mathbb{F}_{q^2}$. The following is an easy corollary to the above lemma.

Corollary 2. Let the notations be as in the previous lemma. Let $r \ge m + 16$.
Then $p_{r,m}$, the probability that a place of $F_1$ of degree $r$ chosen uniformly at
random lies below a degree $r$ place of $F_m$, satisfies
$$p_{r,m} \ge \frac{1}{2 r q^{m+1}}.$$
Indeed, $F_1 = \mathbb{F}_{q^2}(x_1)$ has at most $q^{2r}/r$ places of degree $r$ (the number of monic
irreducible polynomials of degree $r$ over $\mathbb{F}_{q^2}$), so Lemma 5 gives
$p_{r,m} \ge U_r^{(m)} \cdot r / q^{2r} \ge 1/(2q^{m-1})$, which is at least the stated bound.
Thus with non-zero probability a degree $r$ place of $F_1$ chosen uniformly at random
has a degree $r$ place of $F_m$ above it. We use this fact to construct a randomized
algorithm for finding the non-uniform input in the next section.

4 Non-uniform Input on Bezerra-Garcia Tower


In this section, a randomized procedure for finding the required non-uniform input
is given. A basis $\Phi_1, \dots, \Phi_l$ for the underlying vector space is assumed to be
given. The procedure of [5] applies for this tower too. The procedure, initially,
makes a random choice of an irreducible polynomial. The required data is obtained
as a solution of a system of linearized equations, by Kummer's theorem.
It has been shown in the last section that there exist places of $F_1$ having a place of
$F_m$ of the same degree above them. Thus the procedure must terminate in expected
polynomial time in the length of the code.
Recall that one-point codes are constructed by evaluating elements of a suitable
Riemann-Roch space at places of degree one. For the Bezerra-Garcia tower,
since the unique pole of $x_1$ is totally ramified throughout the tower, for each
level a divisor $D_m = u_m P_\infty^{(m)}$ is chosen. There are at least $q^m$ places of degree
one for $F_m$ not lying above zeroes and poles of $x_1(x_1 - 1)$. The code is obtained
by evaluating elements of $L(u_m P_\infty^{(m)})$ at these $q^m$ places. The sequence of codes
thus obtained has asymptotically best properties.
There exist algorithms for finding a basis for the ring of regular functions on
Garcia-Stichtenoth tower. See [6] for example. But such an explicit algorithm
doesn’t exist for the Bezerra-Garcia tower. So, the entire exercise assumes that
a basis for the underlying vector space is given. The non-uniform input is cal-
culated by evaluating these basis elements at a high degree place. However, the
result in Lemma 1 guarantees that the non-uniform input may be effectively
computed.
Recall that list decoding of one-point codes uses a non-uniform input for the
root-finding step. Let $r$ be chosen such that both
(a) $r > u_m$ and
(b) $r \ge m + 16$
hold. A place of $F_m$ of degree $r$ may be constructed as follows. Places of degree
$r$ of $F_1$ are in one-to-one correspondence with monic irreducible polynomials
of degree $r$ over $\mathbb{F}_{q^2}$. Such a polynomial is chosen at random. Denote the place
determined by this polynomial by $\rho_1$. Let $\gamma_2 = \frac{x_1}{x_1^q - 1}(\rho_1)$, the value of
$x_1/(x_1^q - 1)$ at $\rho_1$. Consider the system of linearized equations
$$\begin{aligned}
x_2^q + \gamma_2\, x_2 &= -\gamma_2, \\
x_3^q + \frac{x_2}{x_2^q - 1}\, x_3 &= -\frac{x_2}{x_2^q - 1}, \\
&\;\;\vdots \\
x_m^q + \frac{x_{m-1}}{x_{m-1}^q - 1}\, x_m &= -\frac{x_{m-1}}{x_{m-1}^q - 1}.
\end{aligned} \qquad (6)$$
A solution to this system gives a place of degree $r$, by Kummer's theorem (refer
[1, pp. 76]). We first state the algorithm for finding the non-uniform input and
then prove its correctness.

Algorithm 2 (Non-uniform input)
Input: $m$, $r$ and $\Phi_1, \dots, \Phi_l$
Output: $(\alpha_1, \dots, \alpha_m)$
A. Choose an irreducible polynomial $f$ of degree $r$ over $\mathbb{F}_{q^2}$. Let $\rho_1$ denote the
place of $F_1$ with uniformizing parameter $f(x_1)$.
B. Set $\alpha_1 = x_1(\rho_1)$ and $\gamma_2 = \frac{x_1}{x_1^q - 1}(\rho_1)$. Find a solution of the system of
Equations (6), say $(\alpha_2, \dots, \alpha_m)$.
C. If a solution exists compute the evaluations of $\Phi_1, \dots, \Phi_l$ at this place using
$(\alpha_1, \dots, \alpha_m)$, else report failure.
Notice that only the choice of the irreducible polynomial is random. The rest of the
steps in the computation of the non-uniform input are deterministic. Thus with
probability $p_{r,m}$ the algorithm outputs the non-uniform input. The rest of
the steps of the list decoding algorithm may be carried out efficiently once the
non-uniform input is given, as discussed earlier. We start the proof of correctness
of this algorithm with a simple technical lemma.
Lemma 6. Let $P_j$ and $P_{j-1}$ be places of $F_j$ and $F_{j-1}$ with $P_j \mid P_{j-1}$ not lying
above zeroes and poles of $x_1(x_1 - 1) \in F_1$. The set $\{1, x_j, \dots, x_j^{q-1}\}$ is an integral
basis for $F_j/F_{j-1}$, $j \ge 2$, at $P_j \mid P_{j-1}$.

Proof. By [1, Theorem III.5.10], the set $\{1, x_j, \dots, x_j^{q-1}\}$ is an integral basis for
$P_j \mid P_{j-1}$ if and only if $d(P_j \mid P_{j-1}) = v_{P_j}(\varphi_j'(y))$, where $y = x_j$ and
$\varphi_j'$ denotes the formal derivative of the defining polynomial $\varphi_j$ of $x_j$ over
$F_{j-1}$. We have
$$v_{P_j}(\varphi_j'(y)) = v_{P_j}\!\left( \frac{x_{j-1}}{x_{j-1}^q - 1} \right) = 0.$$
By [7, Lemma 2], $P_j \mid P_{j-1}$ is unramified. Thus
$$d(P_j \mid P_{j-1}) = e(P_j \mid P_{j-1}) - 1 = 0$$
by Dedekind's different theorem ([1, Theorem III.5.1]). Thus $\{1, x_j, \dots, x_j^{q-1}\}$ is
an integral basis for the extension $F_j/F_{j-1}$, $j \ge 2$, at $P_j \mid P_{j-1}$. □


We are now in a position to give the proof of correctness of the above algorithm.
Theorem 2. Algorithm 2 gives the required non-uniform input.

Proof. For any level, we have shown that the set $\{1, x_j, \dots, x_j^{q-1}\}$ is an integral
basis for $F_j/F_{j-1}$, $j \ge 2$, at $P_j \mid P_{j-1}$. Notice that all the conditions of Kummer's
theorem are satisfied. The first equation of the system is the reduced form of the
defining equation. Also, if a solution to the system of linearized equations exists,
then $(\alpha_1, \dots, \alpha_m)$ is the evaluation of the coordinate variables at a degree $r$
place of $F_m$. By Lemma 1, the basis elements may be evaluated using this tuple
$(\alpha_1, \dots, \alpha_m)$, since the denominator of the dual basis involves only $x_1 - 1$ and
the $x_j$'s. Hence the correctness of the algorithm is verified. □


Complexity: The main computational tasks involved in the procedure are the
following:
1. checking whether a given polynomial is irreducible or not and
2. finding a solution to a system of linear equations.
There exist deterministic algorithms for performing both the tasks. Also, the
procedure gives the required non-uniform input in expected polynomial time in
the length of the code.
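The root-finding step (Algorithm 1 with Lemma 4 and Remark 1) and the random choice of a degree-$r$ place in step A of Algorithm 2 (task 1 of the complexity discussion above) can be tried out on the genus-0 instance of all this, i.e. a Reed-Solomon code over $F = \mathbb{F}_p(x)$: there $L(uQ)$ is the space of polynomials of degree at most $u$, and a place of degree $r$ is a monic irreducible polynomial $f$ of degree $r$, so "reducing modulo the place" is reduction modulo $f$ and the non-uniform input is $f$ itself. The Python below is an added example written for this edit, not code from the paper or from [4]: the field $\mathbb{F}_{p^r} = \mathbb{F}_p[x]/(f)$ is kept small enough to be searched exhaustively, so step 2 of Algorithm 1 is done by brute force instead of a factorization routine; irreducibility is checked with Rabin's criterion; and the interpolation polynomial $H(T)$ is a constructed product of three known linear factors, one of which lies outside $L(uQ)$ and must therefore be dropped in step 3. The lift in step 3 is exactly Lemma 4: a zero of $h$ of degree at most $u$ is a genuine zero of $H$ because $\deg f$ exceeds the degree of every $H(\beta)$, $\beta \in L(uQ)$.

```python
import itertools
import random

# Polynomials over F_p (p prime) are lists of coefficients, lowest degree first.
def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def p_add(a, b, p, sign=1):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + sign * (b[i] if i < len(b) else 0)) % p
                 for i in range(n)])

def p_mul(a, b, p):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % p
    return trim(r)

def p_mod(a, f, p):
    """Remainder modulo the monic polynomial f: reduction 'modulo the place' f."""
    a = trim(list(a))
    while len(a) >= len(f):
        c, s = a[-1], len(a) - len(f)
        for i, y in enumerate(f):
            a[s + i] = (a[s + i] - c * y) % p
        trim(a)
    return a

def p_gcd(a, b, p):
    while b:
        a, b = b, p_mod(a, b, p)
    inv = pow(a[-1], -1, p)
    return [c * inv % p for c in a]              # monic gcd

def p_powmod(base, e, f, p):
    result, base = [1], p_mod(base, f, p)
    while e:
        if e & 1:
            result = p_mod(p_mul(result, base, p), f, p)
        base, e = p_mod(p_mul(base, base, p), f, p), e >> 1
    return result

def is_irreducible(f, p):
    """Rabin's test for a monic f of degree r >= 2 over F_p: f is irreducible iff
    x^(p^r) = x (mod f) and gcd(x^(p^(r/s)) - x, f) = 1 for every prime s dividing r."""
    r, x = len(f) - 1, [0, 1]
    if p_powmod(x, p ** r, f, p) != x:
        return False
    primes = [s for s in range(2, r + 1) if r % s == 0 and all(s % t for t in range(2, s))]
    return all(p_gcd(f, p_add(p_powmod(x, p ** (r // s), f, p), x, p, -1), p) == [1]
               for s in primes)

def random_irreducible(r, p, rng):
    """Step A of Algorithm 2 in genus 0: a uniformly random degree-r place of F_p(x)."""
    while True:
        f = [rng.randrange(p) for _ in range(r)] + [1]
        if is_irreducible(f, p):
            return f

def times_T_minus(H, beta, p):
    """Multiply H(T) = sum a_i(x) T^i (list of F_p[x] coefficients) by (T - beta)."""
    out = [[] for _ in range(len(H) + 1)]
    for i, a in enumerate(H):
        out[i + 1] = p_add(out[i + 1], a, p)
        out[i] = p_add(out[i], p_mul(beta, a, p), p, -1)
    return out

def H_eval(H, beta, p, f=None):
    """Horner evaluation of H at beta, in F_p[x] or (if f is given) in F_p[x]/(f)."""
    acc = []
    for a in reversed(H):
        acc = p_add(p_mul(acc, beta, p), a, p)
        acc = p_mod(acc, f, p) if f else acc
    return acc

def root_find(H, u, f, p):
    """Algorithm 1 for the genus-0 (Reed-Solomon) code: the zeroes of H(T) lying in
    L(uQ), i.e. of degree <= u.  deg f must exceed deg H(beta) for all beta in L(uQ)."""
    r = len(f) - 1
    assert r > max(len(a) - 1 + i * u for i, a in enumerate(H))   # r > deg D
    h = [p_mod(a, f, p) for a in H]                                  # step 1
    roots = []
    for coeffs in itertools.product(range(p), repeat=r):             # step 2, brute force
        alpha = trim(list(coeffs))
        if H_eval(h, alpha, p, f) == [] and len(alpha) - 1 <= u:     # step 3: lift
            assert H_eval(H, alpha, p) == [], "Lemma 4: the lift is a genuine zero of H"
            roots.append(tuple(alpha))
    return sorted(roots)

def demo(p=5, u=1, r=5, seed=1):
    rng = random.Random(seed)
    f = random_irreducible(r, p, rng)
    H = [[1]]          # constructed H(T) = (T - (1+2x)) (T - (3+x)) (T - (1+x^2));
    for beta in ([1, 2], [3, 1], [1, 0, 1]):   # the last zero has degree 2 > u
        H = times_T_minus(H, beta, p)
    return f, root_find(H, u, f, p)

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the random place $f$ and the list `[(1, 2), (3, 1)]`, i.e. the two zeroes $1 + 2x$ and $3 + x$ that lie in $L(uQ)$; the zero $1 + x^2$ is found in step 2 but rejected in step 3. The exhaustive search over $p^r$ field elements is what a factorization routine replaces for realistic parameters, which is why the paper treats the root finder over $\mathbb{F}_{q^r}$ as a black box.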

References
1. Stichtenoth, H.: Algebraic Function Fields and Codes. Universitext, Springer, Heidelberg (1993)
2. Garcia, A., Stichtenoth, H.: On the Asymptotic Behaviour of Some Towers of Function Fields over Finite Fields. Journal of Number Theory 61(2), 248–273 (1996)
3. Guruswami, V., Sudan, M.: Improved Decoding of Reed-Solomon and Algebraic-Geometric Codes. IEEE Trans. Inform. Theory 45(6), 1757–1767 (1999)
4. Guruswami, V., Sudan, M.: On Representations of Algebraic-Geometric Codes. IEEE Trans. Inform. Theory 47(4), 1610–1613 (2001)
5. Guruswami, V., Patthak, A.: Correlated Algebraic-Geometric Codes: Improved List Decoding Over Bounded Alphabets. Mathematics of Computation (to appear)
6. Shum, K., Aleshnikov, I., Kumar, P.V., Stichtenoth, H., Deolalikar, V.: A Low-Complexity Algorithm for the Construction of Algebraic-Geometric Codes Better Than the Gilbert-Varshamov Bound. IEEE Trans. Inform. Theory 47(6), 2225–2241 (2001)
7. Bezerra, J., Garcia, A.: A Tower with Non-Galois Steps Which Attains the Drinfeld-Vladut Bound. Journal of Number Theory 106(1), 142–154 (2004)
Dense MIMO Matrix Lattices — A Meeting Point for Class Field Theory and Invariant Theory

Jyrki Lahtonen (1) and Roope Vehkalahti (2)

(1) University of Turku, Department of Mathematics, Finland, and Nokia Research Center, Radio Communications Lab
(2) University of Turku, Department of Mathematics, Finland and Turku Graduate School in Computer Science

Abstract. The design of signal constellations for multi-antenna radio


communications naturally leads to the problem of finding lattices of
square complex matrices with a fixed minimum squared determinant.
Since [5] cyclic division algebras, their orders and related structures
have become standard material for researchers seeking to construct good
MIMO-lattices. In recent submissions [3], [8] we studied the problem of
identifying those cyclic division algebras that have the densest possible
maximal orders. That approach was based on the machinery of Hasse
invariants from class field theory for classifying the cyclic division al-
gebras. Here we will recap the resulting lower bound from [3], preview
the elementary upper bounds from [4] and compare these with some sug-
gested constructions. As the lattices of the shape E8 are known to be the
densest (with respect to the usual Euclidean metric) in an 8-dimensional
space it is natural to take a closer look at lattices of 2 × 2 complex matrices
of that shape. We derive a much tighter upper bound to the minimum
determinant of such lattices using the theory of invariants.

1 Background
In the symmetric MIMO-case the received signal is
$$Y_{n \times n} = H_{n \times n} X_{n \times n} + N_{n \times n},$$
where $H$ is the Rayleigh fading channel response and the elements of the noise
matrix $N$ are i.i.d. complex Gaussian random variables. Here $n$ is the number
of both transmitting and receiving antennas (= the symmetric case) and it is
often assumed that the receiver knows the channel matrix $H$. An analysis of
this situation gives rise to the so called determinant criterion: the receiver's
ability to distinguish between signals $X$ and $X'$ is the better the larger the
determinant of the matrix $(X - X')(X^H - X'^H)$. Thus a natural choice for
a set of signals is a finite collection of low-energy matrices $X$ within a lattice
$L \subset M_n(\mathbb{C})$ with a large minimum determinant $\det_{\min}(L)$, i.e. the infimum of
the absolute values of the determinants of all non-zero matrices in $L$. In this

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 247–256, 2007.

© Springer-Verlag Berlin Heidelberg 2007
248 J. Lahtonen and R. Vehkalahti

note we restrict ourselves to lattices of maximal rank k = 2n2 . We refer the


interested reader to [7] for some adaptations of this theory to the more general
asymmetric case. Following [9] we shall insist on the non-vanishing determinant
property detmin (L) > 0 guaranteeing that the resulting lattices achieve the
diversity-multiplexing tradeoff bound from [10].
The measure, or hypervolume, m(L) of the fundamental parallelotope of the
lattice L is the reciprocal of its center density. Any lattice L can be scaled to
satisfy m(L) = 1. This gives rise to a natural numerical measure for the quality
of a lattice. We shall denote by δ(L) the normalized minimum determinant of the
lattice L, i.e. here we first scale L to have a unit size fundamental parallelotope.

Definition 1. Fix the index $n$ of a MIMO-lattice. Let us define the optimal
minimum determinant by
$$\delta(n) = \sup_{L} \delta(L),$$
where the supremum is taken over the set of full rank lattices inside $M_n(\mathbb{C})$
normalized to unit fundamental parallelotope.

It is worth emphasizing that we do not seek to optimize the minimum Euclidean


distance of a lattice. The accumulated knowledge on that problem (cf. [1]) will
come into use, but e.g. it isn’t at all obvious, whether a lattice of rank 8 should
be isometric to the root lattice E8 in order to be optimal with respect to our
criterion.

2 Cyclic Algebras and Orders

We refer the interested reader to [12] and [5] for an exposition of the theory
of simple algebras, cyclic algebras, and their use in ST-coding. We only recall
the basic definitions and notations here. Consider an extension $E/F$ of number
fields. In the interesting cases $F$ is an imaginary quadratic field, usually either
$\mathbb{Q}(i)$ or $\mathbb{Q}(\sqrt{-3})$. We assume that $E/F$ is a cyclic field extension of degree $n$
with Galois group $\mathrm{Gal}(E/F) = \langle \sigma \rangle$. Let $\mathcal{A} = (E/F, \sigma, \gamma)$ be the corresponding
cyclic algebra of index $n$:
$$\mathcal{A} = E \oplus uE \oplus u^2 E \oplus \cdots \oplus u^{n-1} E.$$

Here $u \in \mathcal{A}$ is an auxiliary generating element subject to the relations $xu = u\sigma(x)$
for all $x \in E$ and $u^n = \gamma \in F^*$. An element $a = x_0 + u x_1 + \cdots + u^{n-1} x_{n-1} \in \mathcal{A}$
has the following representation as a matrix:
$$a \mapsto \begin{pmatrix}
x_0 & \sigma(x_{n-1}) & \sigma^2(x_{n-2}) & \cdots & \sigma^{n-1}(x_1) \\
\gamma x_1 & \sigma(x_0) & \sigma^2(x_{n-1}) & & \sigma^{n-1}(x_2) \\
\gamma x_2 & \gamma\sigma(x_1) & \sigma^2(x_0) & & \sigma^{n-1}(x_3) \\
\vdots & & & \ddots & \vdots \\
\gamma x_{n-1} & \gamma\sigma(x_{n-2}) & \gamma\sigma^2(x_{n-3}) & \cdots & \sigma^{n-1}(x_0)
\end{pmatrix}.$$

The determinant (resp. trace) of the matrix A above is called the reduced
norm (resp. reduced trace) of the element a ∈ A and is denoted by nr(a) (resp.
tr(a)).
Let R denote a Noetherian integral domain with a quotient field F , and let
A be a finite dimensional F -algebra.

Definition 2. An R-order in the F -algebra A is a subring Λ of A, having the


same identity element as A, and such that Λ is a finitely generated module over
R and generates A as a linear space over F . An order Λ is called maximal, if it
isn’t properly contained in another R-order.

Example 1. In any cyclic division algebra we can always choose the element
γ ∈ F ∗ determining the 2-cocycle in H 2 (E/F ) to be an algebraic integer. We
immediately see that the OF -module

Λ = OE ⊕ uOE ⊕ · · · ⊕ un−1 OE ,

where OE is the ring of integers, is an OF -order in the cyclic algebra (E/F, σ, γ).
We refer to this OF -order as the natural order.

For the purposes of constructing MIMO lattices the reason for concentrating on
orders is summarized in the following proposition (e.g. [11, Theorem 10.1, p.
125]). We simply rephrase it here in the language of MIMO-lattices.

Proposition 1. Let Λ be an order in a cyclic division algebra (E/F, σ, γ). Then


for any non-zero element a ∈ Λ its reduced norm nr(a) is a non-zero element
of the ring of integers OF of the center F . In particular, if F is an imaginary
quadratic number field, then the minimum determinant of the lattice Λ is equal
to one.

Definition 3. Let $m = \dim_F \mathcal{A}$. The discriminant of the $R$-order $\Lambda$ is the ideal
$d(\Lambda/R)$ in $R$ generated by the set
$$\{ \det(\operatorname{tr}(x_i x_j))_{i,j=1}^{m} \mid (x_1, \dots, x_m) \in \Lambda^m \}.$$

An important fact is that all the maximal orders of a given cyclic division algebra
have the same discriminant [11, Theorem 25.3]. The definition of the discriminant
closely resembles that of the Gram matrix of a lattice, so the following results
are unsurprising and probably well-known. We include them for easy reference.
Sample proofs are given in [3].

Lemma 1. Assume that $F$ is an imaginary quadratic number field and that $1$
and $\theta$ form a $\mathbb{Z}$-basis of its ring of integers $R$. Assume further that the order $\Lambda$
is a free $R$-module (an assumption automatically satisfied when $R$ is a principal
ideal domain). Then the measure of the fundamental parallelotope equals
$$m(\Lambda) = |\Im\,\theta|^{n^2}\, |d(\Lambda/R)|.$$

Corollary 1. Let $F = \mathbb{Q}(i)$, $R = \mathbb{Z}[i]$, and assume that $\Lambda \subset (E/F, \sigma, \gamma)$ is an
$R$-order. Then the determinant of the Gram matrix of the matrix representation
of $\Lambda$ is
$$\det(G(\Lambda)) = |d(\Lambda/\mathbb{Z}[i])|^2,$$
and the normalized minimum determinant is thus $\delta(\Lambda) = 1/|d(\Lambda/\mathbb{Z}[i])|^{1/2n}$.

Corollary 2. Let $\omega = (-1 + \sqrt{-3})/2$, $F = \mathbb{Q}(\sqrt{-3})$, $R = \mathbb{Z}[\omega]$, and assume that
$\Lambda \subset (E/F, \sigma, \gamma)$ is an $R$-order. Then the determinant of the Gram matrix of the
matrix representation of $\Lambda$ is
$$\det(G(\Lambda)) = (3/4)^{n^2}\, |d(\Lambda/\mathbb{Z}[\omega])|^2,$$
and the normalized minimum determinant is $\delta(\Lambda) = (2/\sqrt{3})^{n/2} / |d(\Lambda/\mathbb{Z}[\omega])|^{1/2n}$.
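The normalization behind Corollaries 1 and 2, carried through with the symbols of this section (an added derivation, not part of the original paper): for a rank $2n^2$ lattice $L \subset M_n(\mathbb{C})$ and a real scalar $c > 0$,
$$m(cL) = c^{2n^2}\, m(L), \qquad \det(cA) = c^n \det A \quad (A \in L),$$
so the scaling that makes $m(cL) = 1$ is $c = m(L)^{-1/(2n^2)}$ and the normalized minimum determinant is
$$\delta(L) = c^n \det{}_{\min}(L) = \frac{\det_{\min}(L)}{m(L)^{1/(2n)}}.$$
For an order $\Lambda$ with imaginary quadratic center, $\det_{\min}(\Lambda) = 1$ by Proposition 1 and $m(\Lambda) = |\Im\,\theta|^{n^2}\,|d(\Lambda/R)|$ by Lemma 1, hence
$$\delta(\Lambda) = |\Im\,\theta|^{-n/2}\, |d(\Lambda/R)|^{-1/(2n)},$$
which is Corollary 1 for $\theta = i$ ($\Im\,\theta = 1$) and Corollary 2 for $\theta = \omega$ ($\Im\,\theta = \sqrt{3}/2$, so $|\Im\,\theta|^{-n/2} = (2/\sqrt{3})^{n/2}$).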

So in both cases maximizing the density of the code is equivalent to minimizing
the discriminant. From Proposition 1 we also get that the minimum determinants
of any orders in any cyclic division algebra with center either $\mathbb{Q}(i)$ or $\mathbb{Q}(\sqrt{-3})$ are
equal to one. Thus in order to maximize the normalized minimum determinant
of a lattice we should use a maximal order. Furthermore, we need to look for
division algebras that have a maximal order with as small a discriminant as
possible. A point worth emphasizing is that using ideals of any order doesn't
appear to improve the situation. This is because a cyclic submodule of any order
shares the same normalized density with the 'mother code' of the maximal order.
Also, when the center of the cyclic division algebra is either $\mathbb{Q}(i)$ or $\mathbb{Q}(\sqrt{-3})$
then Eichler's theorem [11, Theorem 34.9] says that all the one-sided ideals of
a maximal order actually are cyclic. The use of ideals may change the shape of
the lattice, and this was a point exploited in [6].

Example 2. In the case of the Golden algebra $(\mathbb{Q}(i, \sqrt{5})/\mathbb{Q}(i), \sigma, i)$ from [6] the
natural order turns out to be maximal. As the ring of algebraic integers of
$\mathbb{Q}(i, \sqrt{5})$ has basis $\{1, i, (1 + \sqrt{5})/2, i(1 + \sqrt{5})/2\}$ we can quickly compute that
the discriminant of the Golden algebra is 25. We thus recover from Corollary
1 the fact [2] that the normalized minimum determinant of the Golden code is
$\delta = 1/\sqrt{5}$.

3 Maximal Orders with Minimal Discriminants and


Bounds on the Normalized Density
Let F be an algebraic number field that is finite dimensional over Q, OF its
ring of integers. Let us next recall the Main Theorem of [3]. The proof therein
uses the formula for the local discriminants for maximal orders in terms of the
Hasse invariants, the result of global class field theory that the Hasse invariants
must sum up to an integer, and some simple estimates. The relevant theoretical
background is contained in e.g. [11] and [13].

Theorem 1 (Discriminant bound). Assume that F is a totally complex num-


ber field, and that P1 and P2 are the two smallest prime ideals in OF . Then the
smallest possible discriminant of all central division algebras over F of index n
is (P1 P2 )n(n−1) .

For us the importance of this result is twofold. It proves the existence of fully
multiplexing MIMO-lattices with a known normalized density and/or minimum
determinant. It also proves that using orders of cyclic division algebras (and their
cyclic submodules) one cannot do any better. The latter point was the upshot
of [3] but here we benefit from the first point.
In the interesting cases $F = \mathbb{Q}(i)$ and $F = \mathbb{Q}(\sqrt{-3})$ Theorem 1 gives us
the following two corollaries. They are directly from [3], but we have partially
reformulated them in terms of the normalized minimum determinants. For the
purposes of finding the optimal normalized minimum determinant the field $\mathbb{Q}(i)$
is not nearly as interesting as the denser $\mathbb{Q}(\sqrt{-3})$. We list the gaussian results
here for reference, as the rectangular shapes enjoy certain practical advantages
in radio communications. It is also worth remarking that the assumption about
the center in Theorem 1 is essential. Indeed, the quaternionic division algebra
with the real quadratic center $F = \mathbb{Q}(\sqrt{5})$ has the well known ring of icosians as
a maximal order with unit discriminant. The difference comes from the fact that
in this case the only non-trivial Hasse invariants are at the two infinite places,
and they won't contribute to the discriminant.

Corollary 3 (Discriminant bound). Let Λ be an order of a central division


algebra of index n over the field Q(i). Then the normalized minimum determi-
nant of the resulting lattice satisfies the inequality

δ(Λ) ≤ 1/10(n−1)/4.

Furthermore, there exist cyclic division algebras with center Q(i), whose maximal
orders achieve this bound.

Corollary 4 (Discriminant bound). Let $\Lambda$ be an order of a central division
algebra of index $n$ over the field $\mathbb{Q}(\omega)$, $\omega = (-1 + \sqrt{-3})/2$. Then the normalized
minimum determinant of the lattice satisfies the inequality
$$\delta(\Lambda) \le (2/\sqrt{3})^{n/2} / 12^{(n-1)/4}.$$

Furthermore, there exist cyclic division algebras with center Q(ω), whose maxi-
mal orders achieve this bound.

The construction of algebras achieving the bounds in the two previous corollaries
is done in [8]. These results can be viewed as giving a lower bound on the achiev-
able normalized minimum determinant δ(n). Can we get upper bounds on the
achievable normalized minimum determinant also? In general this is probably a
difficult problem, but the following simple upper bounds from [4] are elementary
to derive.

Lemma 2 (Hadamard bound). Let $A$ be an $n \times n$ complex matrix. Write
$\|A\| = \sqrt{\operatorname{tr} A^H A}$ for its Frobenius norm. We then have the inequality
$$|\det A| \le \|A\|^n / n^{n/2}.$$
Proof. Let $A_j$, $j = 1, 2, \dots, n$ be the rows of $A$. By the Hadamard inequality
$$|\det A| \le \prod_{j=1}^{n} \|A_j\|.$$
Squaring this inequality and using the fact that $\|A\|^2 = \sum_{j=1}^{n} \|A_j\|^2$ together
with the well-known inequality between the geometric and arithmetic means of
positive numbers gives the claimed bound.
Proposition 2 (Hadamard bound). For fully multiplexing $2 \times 2$ lattices we
have the upper bound $\delta(2) \le 1$.

Proof. The root lattice $E_8$ has the best minimum distance among 8-dimensional
lattices (cf. e.g. [1]). When we scale its fundamental parallelotope to have unit
measure, the shortest vectors have length $\sqrt{2}$. In other words any lattice $L$ of
rank 8 inside $M_2(\mathbb{C})$ has a non-zero matrix $A$ with $\|A\| \le \sqrt{2}$. Lemma 2 then
tells us that $|\det A| \le 1$.

Proposition 3 (Rectangular Hadamard bound). For any rectangular lattice
$L \subset M_n(\mathbb{C})$
$$\delta(L) \le \frac{1}{n^{n/2}}.$$
Proof. When a rectangular lattice has a fundamental parallelotope of unit measure,
at least one of the vectors in an orthogonal basis has length at most 1. The
determinant of such a matrix is at most $1/n^{n/2}$ by Lemma 2.
In order to get an idea how strong these bounds are let us consider the case
of $2 \times 2$ lattices. The Golden code has $\delta = 1/\sqrt{5} = 0.4472$. By the bound of
Proposition 3 any rectangular or hypercubical lattice cannot have normalized
minimum determinant $> 0.5$, so in this sense the Golden code is very good. It
would not surprise us, if the Golden code turned out to have the highest possible
normalized minimum determinant among rectangular lattices.
On the other hand the non-rectangular lattice from the next section attains
the bound of Corollary 3 and thus has normalized minimum determinant
$\delta = 10^{-1/4} = 0.5623$. In light of this we might conclude that rectangular lattices
have no hope of achieving the density of the lattice from the next section. In
the same vein the hexagonal lattice in the next section achieves the bound of
Corollary 4 and has a normalized minimum determinant $\delta = \sqrt{2}/3^{3/4} = 0.6204$.
Somewhat surprisingly the resulting hexagonal $2 \times 2$ MIMO-codes outperform
their rectangular cousins only at high data rates such as 8 bits per channel use.
All these constructions are still somewhat distant from the bound of Proposition
2. We believe that the actual value of $\delta(2)$ is most likely less than one, but
dare not guess the exact value of $\delta(2)$.

In Table 1 we compare the normalized minimum determinant of the perfect
lattices from [6] to the bounds of Corollaries 3 and 4 and also to the
upper bound of Proposition 3. The bound of Proposition 2 will be generalized
for higher $n$ in [4], but the general bound is more difficult to compute as it is
expressed in terms of known bounds [1] for the minimum Euclidean distance of
high dimensional lattices. Such a bound is listed in the last column. A quick
summary of this table might be that the perfect codes are good within their
constrained class of rectangular (hexagonal) lattices, but all the constructions
are quite far away from the bound of Lemma 2. Most likely the simple bound is
not tight at all.

Table 1. Normalized minimum determinant δ of selected lattices and bounds

n   Perfect   CDA/Q(i)   CDA/Q(ω)   Rectangular bound   simple bound
2   0.447     0.562      0.620      0.500               1.00
3   0.143     0.316      0.358      0.192               1.16
4   0.0298    0.178      0.207      0.0625              1.61
5   n/a       0.100      0.119      0.0179              2.57
6   0.00255   0.0562     0.0689     0.00463             4.59

4 Dense Example Lattices

In [3] it is shown that the following cyclic division algebra achieves the bound
of Corollary 3. Let $\lambda$ be the square root of the complex number $2 + i$ belonging
to the first quadrant of the complex plane. Then the cyclic algebra $GA^+ =
(\mathbb{Q}(\lambda)/\mathbb{Q}(i), \sigma, i)$, where the automorphism $\sigma$ is determined by $\sigma(\lambda) = -\lambda$, is a
division algebra.
In order to give a concrete description of a maximal order within $GA^+$ we
describe it in terms of its $\mathbb{Z}[i]$-basis. A maximal order $\Lambda$ consists of the matrices
$aM_1 + bM_2 + cM_3 + dM_4$, where $a, b, c, d$ are arbitrary Gaussian integers, $M_1$ is
the identity matrix, and $M_i$, $i = 2, 3, 4$ are the following matrices:
$$M_2 = \begin{pmatrix} 0 & 1 \\ i & 0 \end{pmatrix}, \quad
M_3 = \frac{1}{2}\begin{pmatrix} i + i\lambda & i - \lambda \\ -1 + i\lambda & i - i\lambda \end{pmatrix}, \quad
M_4 = \frac{1}{2}\begin{pmatrix} -1 - i\lambda & i + i\lambda \\ -1 + \lambda & -1 + i\lambda \end{pmatrix}.$$
It is then straightforward to verify that the fundamental parallelotope of this
lattice has measure 10, and thus $\delta(\Lambda) = 10^{-1/4}$.
Let $z = 3^{1/4}(1 + i)/\sqrt{2}$ be the prescribed fourth root of $-3$, and
$$\rho = \frac{1}{2}\begin{pmatrix} 1 + z & \omega(1 + z) \\ (1 + \omega)(1 - z) & 1 - z \end{pmatrix}.$$
From [3] we also get that the cyclic algebra constructed from the datum $E =
\mathbb{Q}(z)$, $F = \mathbb{Q}(\omega)$, $\sigma(z) = -z$, $\gamma = -\omega$ is a division algebra whose maximal
orders achieve the bound $\delta = \sqrt{2}/3^{3/4}$ of Corollary 4. We are indebted to Camilla
Hollanti for the extra piece of information that the set $\{1, \rho, z, z\rho, \omega, \omega\rho, \omega z, \omega z\rho\}$
forms a $\mathbb{Z}$-basis of one such maximal order. Do observe that in this listing, as
is always the case with the elements of the maximal subfield $E$, the element $z$
must be viewed as the diagonal matrix with entries $z$, $\sigma(z) = -z$.
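Both lattices of this section, and with them Lemma 1, Definition 3 and Corollaries 1 and 2, can be checked numerically. The Python below is an added example written for this edit, not code from the paper or its authors. It embeds $M_1, \dots, M_4$ and $\rho$, $z$, $\omega$ exactly as quoted above (with $z$ acting as $\mathrm{diag}(z, -z)$ and $\omega$ as a scalar, as the text prescribes), forms the $\mathbb{Z}$-bases $\{M_k, iM_k\}$ and $\{1, \rho, z, z\rho, \omega, \omega\rho, \omega z, \omega z\rho\}$ as $2 \times 2$ complex matrices, takes the Gram matrix under $\mathrm{Re}\,\operatorname{tr}(AB^H)$ (the Euclidean inner product of $\mathbb{R}^8$ pulled back through the map $f$ of the next section), and returns $m(L) = \sqrt{\det G}$ together with $\delta(L) = \det_{\min}(L)/m(L)^{1/(2n)}$, $n = 2$. It also evaluates $\det(\operatorname{tr}(b_i b_j))$ over the $R$-basis, a generator of the discriminant ideal of Definition 3, so that Lemma 1 can be compared against the Gram determinant. $\det_{\min}$ is taken as the smallest $|\det|$ over the non-zero $\{-1, 0, 1\}$-combinations of the basis; for an order this is exactly 1 by Proposition 1 and the search merely confirms it, while for an arbitrary lattice it would only be an upper bound. Expected values: $m = 10$, $|d| = 10$ and $\delta = 10^{-1/4}$ for the $GA^+$ order; $|d| = 12$, $m = (\sqrt{3}/2)^4 \cdot 12 = 27/4$ and $\delta = \sqrt{2}/3^{3/4}$ for the hexagonal one.

```python
import cmath
import itertools
import math

I2 = [[1, 0], [0, 1]]          # 2x2 matrices are nested lists of (complex) numbers


def scale(c, A):
    return [[c * A[r][k] for k in range(2)] for r in range(2)]


def add(A, B):
    return [[A[r][k] + B[r][k] for k in range(2)] for r in range(2)]


def mul(A, B):
    return [[sum(A[r][t] * B[t][k] for t in range(2)) for k in range(2)] for r in range(2)]


def det2(A):
    return A[0][0] * A[1][1] - A[0][1] * A[1][0]


def inner(A, B):
    """Re tr(A B^H): the Euclidean inner product of R^8 pulled back through f."""
    return sum((A[r][k] * B[r][k].conjugate()).real for r in range(2) for k in range(2))


def determinant(M):
    """Determinant of a square (real or complex) matrix by Gaussian elimination."""
    M = [row[:] for row in M]
    n, det = len(M), 1.0
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[piv][c]) < 1e-12:
            return 0.0
        if piv != c:
            M[c], M[piv] = M[piv], M[c]
            det = -det
        det *= M[c][c]
        for r in range(c + 1, n):
            fct = M[r][c] / M[c][c]
            for k in range(c, n):
                M[r][k] -= fct * M[c][k]
    return det


def ga_plus_r_basis():
    """Z[i]-basis {M1, M2, M3, M4} of the maximal order of GA+ quoted in Section 4."""
    lam, i = cmath.sqrt(2 + 1j), 1j          # first-quadrant square root of 2+i
    M2 = [[0, 1], [i, 0]]
    M3 = scale(0.5, [[i + i * lam, i - lam], [-1 + i * lam, i - i * lam]])
    M4 = scale(0.5, [[-1 - i * lam, i + i * lam], [-1 + lam, -1 + i * lam]])
    return [I2, M2, M3, M4]


def hexagonal_r_basis():
    """Z[omega]-basis {1, rho, z, z rho} of a maximal order of (Q(z)/Q(omega), sigma, -omega),
    z^4 = -3, quoted in Section 4, and omega itself.  z is diag(z, sigma(z)) = diag(z, -z)."""
    w = (-1 + cmath.sqrt(-3)) / 2
    z = 3 ** 0.25 * (1 + 1j) / math.sqrt(2)
    Z = [[z, 0], [0, -z]]
    rho = scale(0.5, [[1 + z, w * (1 + z)], [(1 + w) * (1 - z), 1 - z]])
    return [I2, rho, Z, mul(Z, rho)], w


def z_basis(r_basis, theta):
    """Z-basis {b, theta*b} of the lattice when R = Z[theta] (the situation of Lemma 1)."""
    return r_basis + [scale(theta, B) for B in r_basis]


def discriminant(r_basis):
    """det(tr(b_i b_j)) over the R-basis b: a generator of d(Lambda/R) (Definition 3)."""
    T = [[sum(mul(A, B)[t][t] for t in range(2)) for B in r_basis] for A in r_basis]
    return determinant(T)


def combination(basis, coeffs):
    S = [[0, 0], [0, 0]]
    for c, B in zip(coeffs, basis):
        S = add(S, scale(c, B))
    return S


def lattice_data(basis, n=2):
    """(m(L), delta(L), detmin) for a Z-basis of a rank-8 lattice in M_2(C).  detmin is
    searched over non-zero {-1,0,1}-combinations only: exact for an order
    (Proposition 1), only an upper bound for a general lattice."""
    gram = [[inner(A, B) for B in basis] for A in basis]
    m = math.sqrt(determinant(gram).real)
    detmin = min(abs(det2(combination(basis, c)))
                 for c in itertools.product((-1, 0, 1), repeat=len(basis)) if any(c))
    return m, detmin / m ** (1.0 / (2 * n)), detmin


if __name__ == "__main__":
    print(lattice_data(z_basis(ga_plus_r_basis(), 1j)), abs(discriminant(ga_plus_r_basis())))
    basis, omega = hexagonal_r_basis()
    print(lattice_data(z_basis(basis, omega)), abs(discriminant(basis)))
```

Note that for $GA^+$ the discriminant generator comes out as a Gaussian integer of absolute value 10 while the Gram determinant is 100, and for the hexagonal order the generator has absolute value 12 while $m = (\sqrt{3}/2)^4 \cdot 12$: exactly the two cases of Lemma 1, with $|\Im\,\theta| = 1$ and $\sqrt{3}/2$ respectively.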

5 A Sharper Bound for 2×2 Lattices with Shape E8

Throughout this section we assume that $L$ is a rank 8 lattice of $2 \times 2$ complex
matrices. We identify such matrices with vectors of $\mathbb{R}^8$ via the natural mapping
$$f : (x_1, x_2, \dots, x_8) \mapsto \begin{pmatrix} x_1 + i x_2 & x_3 + i x_4 \\ x_5 + i x_6 & x_7 + i x_8 \end{pmatrix}.$$
This mapping is an isometry with respect to the Euclidean norm of $\mathbb{R}^8$ and the
Frobenius norm of complex matrices. Let us denote by $S(r)$ the sphere of radius
$r$ in the 8-dimensional space. Whenever convenient we identify it with its image
in the matrix space. We shall be interested in the polynomial function
$$p(x_1, x_2, \dots, x_8) = |\det(f(x_1, x_2, \dots, x_8))|^2.$$

Its space-consuming exact form doesn't interest us but we do observe that the
polynomial
$$p(x_1, x_2, \dots, x_8) - (x_1^2 + x_2^2)(x_7^2 + x_8^2) - (x_3^2 + x_4^2)(x_5^2 + x_6^2)$$
only contains terms that are products of 4 distinct coordinates $x_i$. Our immediate
goal is to determine the average value of the polynomial $p$ on the sphere $S(r)$.
It is well known (cf. e.g. [1]) that the lattice $E_8$ can be constructed as the set
of vectors $x = (x_1, x_2, \dots, x_8) \in \mathbb{Z}^8$ such that after reduction mod 2 it becomes
a word of the self-dual extended Hamming code of length 8, in other words
$$\begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 0 \\
1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 \\
1 & 0 & 1 & 0 & 1 & 0 & 1 & 0
\end{pmatrix} \bar{x}^T = 0.$$

This version of $E_8$ has minimum Euclidean distance 2, $m(E_8) = 16$ and it has
240 vectors of minimal length 2: there are 16 vectors with a single $\pm 2$ component
together with seven zeros, and $14 \cdot 16 = 224$ vectors of four $\pm 1$s and four zeros congruent
(modulo 2) to one of the 14 words of weight 4; every such word gives rise to
16 short vectors differing from each other by the combination of signs. We can
scale $E_8$ to have any desired value $r > 0$ as the length of the shortest vectors,
and we already noted that scaling to $r = \sqrt{2}$ leads to a normalized version of $E_8$
in the sense that $m(E_8, r = \sqrt{2}) = 1$.
Let us review the concept of a spherical $t$-design. A finite set $X$ on a sphere
(centered at the origin) $S \subseteq \mathbb{R}^n$ is called a $t$-design, if for any polynomial
$q(x_1, x_2, \dots, x_n) \in \mathbb{R}[x_1, \dots, x_n]$ of degree at most $t$ the average of the values
attained by $q$ on the set $X$ equals the average of the values on all of $S$ (with
respect to the usual measure on $S$). From [1, p. 90] we pick up the crucial fact
that the set of 240 shortest vectors in $E_8$ forms a spherical 7-design $X(E_8)$. This
is a consequence of a general result due to B. Venkov. The argument depends on
the fact that the lattice $E_8$ has a very large group $G$ of symmetries (the Weyl
group of type $E_8$ from the theory of Lie algebras), and the fact that the only
polynomial invariants of the group $G$ of degree less than 8 are polynomials of the
squared Euclidean norm $x_1^2 + \cdots + x_8^2$.
The polynomial $p(x_1, x_2, \ldots, x_8)$ has degree 4, so in particular we can compute the average value of p on any S(r) by computing the same average on an appropriately scaled version of X(E8). Furthermore, p is homogeneous of degree 4, so its average on S(r) will be proportional to $r^4$. As any rotated version of X(E8) will do just as well, we can set r = 2 and do our calculations with the version of E8 described above. It helps to use the symmetries of the sphere: obviously the expected value of any monomial of the form $x_i x_j x_k x_\ell$, $i < j < k < \ell$, will be equal to zero, as the sphere is symmetric under the mapping $x_i \mapsto -x_i$. Similarly any permutation of the coordinates is an isometry of the sphere, so the averages of all the monomials $x_i^2 x_j^2$, $i < j$, will be equal to the average of $x_1^2 x_2^2$. There are exactly 3 words of weight 4 in the extended Hamming code that have non-zero components at both the first and the second position: 11110000, 11001100 and 11000011. Therefore the monomial $x_1^2 x_2^2$ assumes the value 1 at 3·16 = 48 points of X(E8) and the value zero at the remaining points. Hence the average value of $x_1^2 x_2^2$ on S(r = 2) is $1/5 = r^4/80$. The polynomial p has altogether 8 monomial terms of the form $x_i^2 x_j^2$, so we have proven the following.

Theorem 2. The average value of the squared absolute value of the determinant $p(x_1, x_2, \ldots, x_8)$ on the sphere S(r) equals $r^4/10$. The same result holds for any rotated and scaled copy of the collection of 240 shortest non-zero vectors of the lattice E8.
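As an added numerical check, not part of the paper, the following Python enumerates the 240 shortest vectors of the copy of E8 defined by the Hamming-code matrix above and computes the exact averages over X(E8) that the 7-design argument equates with the averages over S(2):

```python
"""Enumerate the 240 shortest vectors of E8 from the Hamming-code construction
and check numerically the averages used in the proof of Theorem 2.
Constructed example, not the authors' code."""
from fractions import Fraction
from itertools import product

# Rows of the matrix defining the self-dual extended Hamming code of length 8.
HAMMING_ROWS = (
    (1, 1, 1, 1, 1, 1, 1, 1),
    (1, 1, 1, 1, 0, 0, 0, 0),
    (1, 1, 0, 0, 1, 1, 0, 0),
    (1, 0, 1, 0, 1, 0, 1, 0),
)


def is_codeword(word):
    """A binary word is in the code iff every matrix row is orthogonal to it mod 2."""
    return all(sum(a * b for a, b in zip(row, word)) % 2 == 0 for row in HAMMING_ROWS)


def e8_shortest_vectors():
    """Integer vectors of length 2 (squared norm 4) that reduce mod 2 to a codeword."""
    return [v for v in product(range(-2, 3), repeat=8)
            if sum(c * c for c in v) == 4 and is_codeword([c % 2 for c in v])]


def average(vectors, poly):
    """Exact average of poly over the finite set X(E8)."""
    return Fraction(sum(poly(v) for v in vectors), len(vectors))


def p_squares(v):
    """The 8 monomials x_i^2 x_j^2 of p; the remaining terms of p are products of
    four distinct coordinates and average to zero by the symmetry x_i -> -x_i."""
    return ((v[0] ** 2 + v[1] ** 2) * (v[6] ** 2 + v[7] ** 2)
            + (v[2] ** 2 + v[3] ** 2) * (v[4] ** 2 + v[5] ** 2))


def check_theorem2():
    X = e8_shortest_vectors()
    r4 = Fraction(2 ** 4)                                   # this copy of E8 has r = 2
    return {
        "count": len(X),                                            # 240
        "x1sq_x2sq": average(X, lambda v: v[0] ** 2 * v[1] ** 2),   # 1/5 = r^4/80
        "x1x2x3x4": average(X, lambda v: v[0] * v[1] * v[2] * v[3]),  # 0
        "p_squares": average(X, p_squares),                         # 8/5 = r^4/10
        "r4_over_10": r4 / 10,
    }
```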

Corollary 5. The normalized minimum determinant of any rank 8 MIMO-lattice L of 2 × 2-matrices and shape E8 is bounded from above by $\delta(L) \le \sqrt{2/5}$.

Proof. Set $r = \sqrt{2}$ to achieve normalization. The minimum squared determinant on any rotated version of X(E8) cannot be higher than the average squared determinant, which by Theorem 2 equals $(\sqrt{2})^4/10 = 2/5$.

A couple of closing remarks are due. The restricted upper bound $\sqrt{2/5} = 0.6325$ is suggestively close to the lower bound 0.6204 of Corollary 4. Thus, in order to make a significant improvement to that lower bound, shapes other than E8 are forced upon us. Of course, there are no guarantees that even that would help, and the very restricted upper bound of Corollary 5 may apply to a much larger set of MIMO-lattices.
256 J. Lahtonen and R. Vehkalahti

The somewhat trivial averaging nature of the argument leading to Corollary 5 immediately raises the question of how tight that bound is. We know of no lattice with shape E8 that would have $\sqrt{2/5}$ as its normalized minimum determinant. The best known lattice with shape E8 is a sublattice of index 64 in the Golden code (cf. [14]), but being a cyclic submodule of the Golden algebra that lattice shares the normalized minimum determinant of $1/\sqrt{5}$. On the other hand, we strongly believe that there are lattices of shape E8 that achieve the bound of Corollary 5 on the 'first layer' of the shortest 240 vectors. Before we discovered a proof for Corollary 5 we set up a computer search based on simulated annealing. The program found a copy of the first layer of E8 where the squared minimum determinant was larger than 0.399. Thus the squared minimum determinant of 2/5 will likely be achieved on the first layer.

References
1. Conway, J.H., Sloane, N.J.A.: Sphere Packings, Lattices and Groups. Springer,
New York (1988)
2. Belfiore, J.-C., Rekaya, G., Viterbo, E.: The Golden Code: A 2x2 Full-Rate Space-
Time Code With Non-vanishing Determinant. IEEE Trans. Inform. Theory 51(4),
1432–1436 (2005)
3. Hollanti, C., Lahtonen, J., Ranto, K., Vehkalahti, R.: On the Densest MIMO
Lattices from Cyclic Division Algebras, http://arxiv.org/abs/cs/0703052
4. Vehkalahti, R., Lahtonen, J.: Bounds on the Density of MIMO-lattices (in prepa-
ration)
5. Sethuraman, B.A., Rajan, B.S., Shashidhar, V.: Full-Diversity, High-Rate Space-
Time Block Codes From Division Algebras. IEEE Trans. Inform. Theory 49, 2596–
2616 (2003)
6. Belfiore, J.-C., Oggier, F., Rekaya, G., Viterbo, E.: Perfect Space-Time Block
Codes. IEEE Trans. Inform. Theory 52, 3885–3902 (2006)
7. Hollanti, C.: Asymmetric Space-Time Block Codes for MIMO Systems. In: 2007
IEEE ITW, Bergen, Norway (2007)
8. Vehkalahti, R.: Constructing Optimal Division Algebras for Space-Time Coding.
In: 2007 IEEE ITW, Bergen, Norway (2007)
9. Elia, P., Kumar, K.R., Pawar, S.A., Kumar, P.V., Lu, H.-F.: Explicit Space-Time
Codes Achieving the Diversity-Multiplexing Gain Tradeoff. IEEE Trans. Inform.
Theory 52, 3869–3884 (2006)
10. Zheng, L., Tse, D.: Diversity and Multiplexing: A Fundamental Tradeoff in
Multiple-Antenna Channels. IEEE Trans. Inform. Theory 49, 1073–1096 (2003)
11. Reiner, I.: Maximal Orders. Academic Press, New York (1975)
12. Jacobson, N.: Basic Algebra II. W. H. Freeman and Company, San Francisco (1980)
13. Milne, J.S.: Class Field Theory, http://www.jmilne.org/math/coursenotes/
14. Hong, Y., Viterbo, E., Belfiore, J.-C.: Golden Space-Time Trellis Coded Modula-
tion. arXiv:cs.IT/0604063v3
15. Elia, P., Sethuraman, B.A., Kumar, P.V.: Perfect Space-Time Codes with Mini-
mum and Non-Minimum Delay for Any Number of Antennas. IEEE Trans. Inform.
Theory (submitted), arXiv:cs.IT/0512023
Secure Cross-Realm Client-to-Client
Password-Based Authenticated Key Exchange
Against Undetectable On-Line Dictionary
Attacks

Kazuki Yoneyama¹, Haruki Ota², and Kazuo Ohta¹

¹ The University of Electro-Communications
² KDDI R&D Laboratories, Inc.
[email protected]

Abstract. Cross-realm client-to-client password-based authenticated key exchange (C2C-PAKE) is a protocol in which two clients in two different realms, holding different passwords, exchange a session key through their corresponding servers. Recently, a provably secure cross-realm C2C-PAKE scheme with the optimal number of rounds for a client was shown to be insecure against an undetectable on-line dictionary attack and an unknown-key share attack. In this paper, we propose a new cross-realm C2C-PAKE scheme with the optimal number of rounds for a client, which resists the previously considered attacks that should be prevented, including undetectable on-line dictionary attacks and unknown-key share attacks. Moreover, our scheme assumes no pre-established secure channels between different realms, but just the basic setup of an ID-based system.

Keywords: Authenticated key exchange, different password, C2C-PAKE, cross-realm setting, undetectable on-line dictionary attacks

1 Introduction
Recently, password-based authenticated key exchange (PAKE) protocols have received much attention as practical schemes for sharing a mutual session key secretly and reliably. Basic PAKE schemes enable two entities to authenticate each other and agree on a large session key from a human-memorable password. Thus, PAKE schemes are regarded as practical key exchange schemes, since the entities need no pre-shared cryptographic symmetric key, certificate, or support from a trusted third party. Such basic schemes, in which two entities pre-share a common password, are classified into a model called the same password-authentication (SPA) model. The SPA model is the most cultivated PAKE model in previous studies and is usually used for client-to-server key exchanges. The concept of PAKE was first introduced by Bellovin and Merritt [1] in 1992, known as encrypted key exchange (EKE). The first construction of password-only PAKE in the SPA model was proposed by Jablon [2] in 1996, known as simple password

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 257–266, 2007.

c Springer-Verlag Berlin Heidelberg 2007
258 K. Yoneyama, H. Ota, and K. Ohta

exponential key exchange (SPEKE). Formal definitions for this setting were first given by Bellare et al. [3] and Boyko et al. [4], and a concrete construction was also given in the random oracle (RO) model. Various protocols have since been proposed to achieve secure PAKE schemes [5,6,7,8,9,10] in the SPA model.
On the other hand, with the variety of communication environments such as mobile networks, establishing a secure channel between clients with different passwords is considered one of the main concerns. Several schemes have been presented to provide PAKE between two entities with different passwords. Such schemes are classified into a model called the different password-authentication (DPA) model. In the DPA model, entities carry out the key exchange with the assistance of intermediate servers, since the entities have no common secret information; the DPA model is usually used for client-to-client password-based authenticated key exchange (C2C-PAKE).
The first construction of C2C-PAKE in the DPA model was introduced by Steiner et al. [11] in the single-server setting, where two clients (or n clients) are in the same realm. In the single-server setting, the model consists of two clients A and B (or n clients) and a server S, where the clients are in the realm of server S. Though several schemes embrace the single-server setting [12,13,14,15,16,17], there is the problem that it is unrealistic for clients trying to communicate with each other to be registered at the same server.
From this viewpoint, Byun et al. [18] proposed C2C-PAKE in the cross-realm setting, where the two clients are in two different realms and hence two servers are involved. In the cross-realm setting, the model consists of two clients A and B and two servers SA and SB, where A and B are users of SA and SB, respectively. They also newly defined the security notions according to their framework for this special setting, and claimed their protocols' security under those definitions. However, several attacks were found against this scheme: Chen [19] showed a dictionary attack by a malicious server in a different realm, Wang et al. [20] showed three different dictionary attacks, and Kim et al. [21] showed a Denning-Sacco-style attack (a variant of the dictionary attack) by an insider with knowledge of the password of a client in a different realm. Though Kim et al. also proposed an improved cross-realm C2C-PAKE in [21], Phan and Goi [22] presented two unknown-key share attacks on it. To shake off the vicious circle of attack-and-remedy procedures, Byun et al. [23] introduced a provably secure cross-realm C2C-PAKE scheme. However, Phan and Goi [24] also showed that this scheme falls to an undetectable on-line dictionary attack by any adversary, and that malicious servers can launch a successful man-in-the-middle attack. Similarly, the undetectable on-line dictionary attack on [23] also works for the lately proposed scheme [25].
Secure Cross-Realm C2C-PAKE 259

In all the above schemes in the cross-realm setting, clients use their corresponding servers to obtain information for authentication and then communicate directly to establish their session key after obtaining this information. We say that these schemes have the direct communication structure. On the other hand, there are cross-realm C2C-PAKE schemes which have another structure, called the indirect communication structure: clients communicate only through their corresponding servers. The advantage of schemes with the indirect communication structure is that the optimal number of rounds for a client is reduced, i.e., 2 rounds, compared with the existing schemes with the direct communication structure, i.e., 4 rounds, and that communications of a client across different realms are removed. So, the indirect communication structure can reduce the load on clients. Yin and Bao [26] proposed the first cross-realm C2C-PAKE scheme (the Yin-Bao scheme) which has the indirect communication structure and is provably secure. However, to prove the security of this scheme it needs a strong setup assumption, i.e., pre-established secure channels between realms. Also, despite its provable security, defects of their security model led to two attacks, an undetectable on-line dictionary attack by any adversary and an unknown-key share attack by a malicious client insider, which were found by Phan and Goi [24]. Ota et al. [27] proposed a general construction of universally composable cross-realm C2C-PAKE which has the indirect communication structure, and a concrete construction. Though universal composability provides a security-preserving composition property in concurrent execution environments, their concrete construction needs a large number of total rounds.

Our contribution. We construct a cross-realm C2C-PAKE scheme which has the indirect communication structure, based on the Yin-Bao scheme. Our scheme only needs the optimal number of rounds for clients and servers, i.e., 2 rounds between a client and a server and 2 rounds between servers, as in the Yin-Bao scheme. So, our scheme is more efficient than [27]. Furthermore, we show that our scheme resists the previously considered attacks which should be prevented, including undetectable on-line dictionary attacks, by applying the technique of [12] with ID-based encryption (IBE) [28]. Therefore, the undetectable on-line dictionary attack and the unknown-key share attack on the Yin-Bao scheme do not work against our scheme. Also, our scheme assumes no pre-established secure channels between different realms. Instead, we apply a secure message authentication code (MAC) keyed by Sakai et al.'s ID-based non-interactive key sharing (IDNIKS) [29]. To use IBE and IDNIKS, we need just the basic setup of an ID-based system, i.e., key extraction for the servers by the trusted authority. That means we consider security in a more natural setup model than the model of the Yin-Bao scheme. The comparison between previous schemes and our scheme is shown in Table 1.

Table 1. Comparison between previous schemes and our scheme

                  number of     undetectable on-line   client's        universal
                  total rounds  dictionary attack      inside attack   composability
Yin and Bao [26]  4             insecure               insecure        unsatisfied
Ota et al. [27]   12            secure                 secure          satisfied
Our scheme        4             secure                 secure          unsatisfied

2 Preliminaries

2.1 Cross-Realm C2C-PAKE

Our cross-realm C2C-PAKE scheme involves four parties (two clients and two servers) who engage in the protocol. In the cross-realm setting, each client is in a realm and has a corresponding server belonging to that realm. Each password is pre-shared between a client and its corresponding server and is chosen uniformly and independently from a fixed low-entropy dictionary D of size |D|. An outside adversary or a malicious insider can obtain and modify messages on the unauthenticated-links channels.

2.2 Security Properties

It is desirable for C2C-PAKE protocols to possess the following security properties:

– Known-key security: The protocol should still achieve its goal in the face of an adversary who has learned some other session keys, i.e., the unique secret keys that each run of a key exchange protocol between clients should produce.

– Forward secrecy: If the password of a client and the corresponding server is compromised, the secrecy of past session keys is not compromised.

– Resistance to key-compromise impersonation: When a client's password is compromised, it may be desirable that this event does not enable an outside adversary to impersonate other entities to the client.

– Resistance to unknown-key share: Client A should not be coerced into sharing a key with any client C, including a malicious client insider, when in fact he thinks that he is sharing the key with client B.

– Resistance to undetectable on-line dictionary attacks: There is no successful adversary of the following kind: the adversary attempts to use a guessed password in an on-line transaction and verifies the correctness of his guess using the responses of the servers. If his guess fails, he must start a new transaction with the servers using another guessed password. A failed guess cannot be detected and logged by the servers, as the servers are not able to tell an honest request from a malicious request.

– Resistance to off-line dictionary attacks: There is no successful adversary of the following kind: the adversary guesses a password and verifies his guess off-line. No participation of the servers is required, so the servers do not notice the attack. If his guess fails, the adversary tries again with another password, until he finds the proper one.

– No key control: The secret session key between any two clients is determined by both users taking part, and neither of the two clients can influence the outcome of the secret session key, or force the session key into a pre-determined interval.

3 Proposed Scheme
In this section, we show our cross-realm C2C-PAKE scheme.

3.1 Bilinear Map


Using the notation of Boneh and Franklin [28], we let $G_1$ be an additive group of prime order q and $G_2$ be a multiplicative group of the same order q. We assume the existence of an efficiently computable, non-degenerate, bilinear map $\hat{e}$ from $G_1 \times G_1$ to $G_2$. Typically, $G_1$ will be a subgroup of the group of points on an elliptic curve over a finite field, $G_2$ will be a subgroup of the multiplicative group of a related finite field, and the map $\hat{e}$ will be derived from either the Weil or the Tate pairing on the elliptic curve. By $\hat{e}$ being bilinear, we mean that for any $Q, W \in G_1$ and $a, b \in \mathbb{Z}_q$:

$$\hat{e}(aQ, bW) = \hat{e}(Q, W)^{ab} = \hat{e}(abQ, W).$$

By $\hat{e}$ being non-degenerate, we mean that for some element $P \in G_1$ we have

$$\hat{e}(P, P) \neq 1_{G_2}.$$

3.2 Notation
Let p be a prime and let g be a generator of a large subgroup of Z*p of prime order p. Note that g is not an element of the bilinear groups. A and B are the identities of two clients in two different realms, and SA and SB are the identities of their corresponding servers, respectively. A and SA (resp. B and SB) share the common secret password pwA (resp. pwB), and SA and SB have received their private keys skSA = sH̄(SA) and skSB = sH̄(SB) from the trusted authority in the ID-based system as in [28] and [29] in advance, where s ∈ Zq is the master secret of the trusted authority and H̄ : {0, 1}* → G1 is a collision-resistant hash function. (Enc, Dec) is Boneh-Franklin ID-based encryption (IBE) [28] with the Fujisaki-Okamoto conversion [30], which is semantically secure against adaptive chosen ciphertext attacks (ID-CCA), where Encid(m) is the encryption algorithm for a message m using an identity id and Decskid(c) is the decryption algorithm for a ciphertext c using a private key skid. MACmk is a MAC scheme that is existentially unforgeable against adaptively chosen message attacks, where mk ∈ G2 is the MAC key. H1, H2, H3 : {0, 1}* → {0, 1}^k are hash functions modeled as random oracles, where k is a sufficiently large security parameter.
For simplicity, we omit "(mod p)" in this paper when computing modular exponentiations. "v ←R V" means randomly choosing an element v of the set V.

Public information: g, p, q, ê, H̄, H1, H2, H3
Secret password between A and SA: pwA
Secret password between B and SB: pwB
Servers' private keys: skSA = sH̄(SA) for SA and skSB = sH̄(SB) for SB

Client A                                  Client B
  x ←R Zp, X := g^x                       y ←R Zp, Y := g^y
  X* := X · H1(pwA, A, B)                 Y* := Y · H1(pwB, B, A)
  CA ← EncSA(X*, pwA)                     CB ← EncSB(Y*, pwB)
  A → SA: (A, B, CA)                      B → SB: (B, A, CB)

Server SA                                 Server SB
  (X̃*, pw̃A) ← DecskSA(CA)                 (Ỹ*, pw̃B) ← DecskSB(CB)
  check pw̃A = pwA                          check pw̃B = pwB
  rA ←R Zp, NA ←R {0,1}^k                 rB ←R Zp, NB ←R {0,1}^k
  X̂ := X̃*/H1(pw̃A, A, B)                   Ŷ := Ỹ*/H1(pw̃B, B, A)
  X1 := X̂^rA                               Y1 := Ŷ^rB
  mkSA := ê(skSA, H̄(SB))                   mkSB := ê(H̄(SA), skSB)
  MSA ← MACmkSA(A, B, SA, SB, X1)          MSB ← MACmkSB(B, A, SB, SA, Y1)
  SA → SB: (A, B, SA, SB, X1, MSA)         SB → SA: (B, A, SB, SA, Y1, MSB)
  check MSB = MACmkSA(B, A, SB, SA, Y1)    check MSA = MACmkSB(A, B, SA, SB, X1)
  Y2 := Y1^rA                              X2 := X1^rB
  Ȳ* := Y2 · H2(NA, pwA, CA)               X̄* := X2 · H2(NB, pwB, CB)
  SA → A: (SA, SB, NA, Ȳ*)                 SB → B: (SB, SA, NB, X̄*)

Client A                                  Client B
  KA := (Ȳ*/H2(NA, pwA, CA))^x            KB := (X̄*/H2(NB, pwB, CB))^y
  SKA := H3(A, B, SA, SB, CA, CB,         SKB := H3(A, B, SA, SB, CA, CB,
            X̄*, Ȳ*, KA)                              X̄*, Ȳ*, KB)

Fig. 1. A high-level overview of our protocol

3.3 Protocol Description


Here, we show the construction of our cross-realm C2C-PAKE scheme. Our protocol has the indirect communication structure, as the Yin-Bao scheme does, but all communication channels are unauthenticated links, unlike in the Yin-Bao scheme. A high-level overview of our protocol appears in Figure 1. The protocol proceeds as follows.

First, clients A and B choose x, y ∈ Zp at random, compute X = g^x and Y = g^y, and blind them as X* = X · H1(pwA, A, B) and Y* = Y · H1(pwB, B, A) respectively. They also generate CA ← EncSA(X*, pwA) and CB ← EncSB(Y*, pwB) using their corresponding servers' identities SA and SB, and A sends (A, B, CA) to SA while B sends (B, A, CB) to SB.

Secondly, servers SA and SB decrypt (X̃*, pw̃A) ← DecskSA(CA) and (Ỹ*, pw̃B) ← DecskSB(CB) using skSA and skSB respectively. If pw̃A ≠ pwA, then SA aborts the session, and if pw̃B ≠ pwB, then SB aborts the session too. Otherwise, SA computes X̂ = X̃*/H1(pwA, A, B), blinds it as X1 := X̂^rA where rA is SA's first random value from Zp, computes its MAC key mkSA = ê(skSA, H̄(SB)) using Sakai et al.'s IDNIKS, and generates a MAC MSA ← MACmkSA(A, B, SA, SB, X1). SB computes Y1 and mkSB and generates MSB similarly. Then SA and SB exchange (A, B, SA, SB, X1, MSA) and (B, A, SB, SA, Y1, MSB). After that, SA and SB verify MSB and MSA using their MAC keys respectively. If a MAC is invalid, the server aborts the session. Otherwise, SA computes Y2 = Y1^rA and blinds it as Ȳ* = Y2 · H2(NA, pwA, CA), where NA is SA's second random value from {0, 1}^k. SB performs the same operations and obtains X̄*. Finally, SA sends (Ȳ*, NA) to A, and SB sends (X̄*, NB) to B.

Thirdly, A and B compute their ephemeral Diffie-Hellman keys KA = (Ȳ*/H2(NA, pwA, CA))^x and KB = (X̄*/H2(NB, pwB, CB))^y respectively. Session keys are generated from the ephemeral Diffie-Hellman key and the transcript: SKA = H3(A, B, SA, SB, CA, CB, X̄*, Ȳ*, KA) and SKB = H3(A, B, SA, SB, CA, CB, X̄*, Ȳ*, KB). Note that the transcript of the protocol is public. When the session keys are honestly generated, SKA = SKB since KA = (g^(y rA rB))^x and KB = (g^(x rA rB))^y.
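As an added example that is not the authors' code, the following Python simulates the message flow of Figure 1 end to end over a toy Diffie-Hellman group, with the pairing-based parts replaced by labelled stand-ins: the IBE ciphertexts CA, CB are modelled as opaque tuples that only the addressed server is assumed to open, and the IDNIKS-derived key mkSA = mkSB is modelled as a pre-shared MAC key between the two servers. It shows both clients deriving the same session key, and a server aborting (and thus being able to log the event) as soon as a first-phase message carries a wrong password, which is the detectability argument of Section 4.2.

```python
"""Toy simulation of the Fig. 1 message flow.  Constructed example, not the
authors' code.  Stand-ins for the parts that need a pairing:
  - Enc_SA / Enc_SB (Boneh-Franklin IBE [28] with [30]) are modelled by an
    opaque tuple that only the addressed server is assumed to open;
  - the IDNIKS key mk_SA = mk_SB = e^(sk_SA, Hbar(SB)) is modelled by a
    pre-shared MAC key between the two servers;
  - H1, H2, H3 are SHA-256 with tag prefixes, H1 and H2 mapped into Z_p^*;
  - p, q, g are tiny toy parameters, useless for real deployments.
"""
import hashlib
import hmac
import secrets

P, Q, G = 2039, 1019, 4   # toy safe prime p = 2q + 1; g = 4 generates the order-q subgroup


def H(tag, *parts):
    """Length-prefixed SHA-256 of the parts under a domain-separation tag."""
    h = hashlib.sha256(tag.encode())
    for part in parts:
        data = part if isinstance(part, bytes) else repr(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def H_group(tag, *parts):
    """H1 / H2: hash into Z_p^*, so every blinding factor is invertible mod p."""
    return 1 + int.from_bytes(H(tag, *parts), "big") % (P - 1)


def mac(key, *parts):
    return hmac.new(key, H("mac", *parts), "sha256").digest()


def client_start(me, peer, server, pw):
    """Client phase: X = g^x, X* = X * H1(pw, me, peer), C = Enc_server(X*, pw)."""
    x = secrets.randbelow(Q - 1) + 1
    X_star = pow(G, x, P) * H_group("H1", pw, me, peer) % P
    C = (server, X_star, pw)                       # stand-in for Enc_server(X*, pw)
    return x, C, (me, peer, C)


def server_phase1(server, peer_server, pw_table, msg, mk):
    """Open C, check the password, unblind, raise to r, and MAC for the peer server."""
    client, peer, C = msg
    sid, X_star, pw_guess = C                      # stand-in for Dec_sk_server(C)
    if sid != server or pw_guess != pw_table[client]:
        return None   # wrong password: abort. The server can log every such failure.
    r, N = secrets.randbelow(Q - 1) + 1, secrets.token_bytes(16)
    X_hat = X_star * pow(H_group("H1", pw_guess, client, peer), -1, P) % P
    X1 = pow(X_hat, r, P)
    out = (client, peer, server, peer_server, X1,
           mac(mk, client, peer, server, peer_server, X1))
    return {"r": r, "N": N, "C": C, "client": client, "out": out}


def server_phase2(state, server, peer_server, pw_table, peer_msg, mk):
    """Verify the peer server's MAC, apply own r, and blind with H2 for the client."""
    p_client, p_peer, p_server, p_peer_server, Y1, M = peer_msg
    if not hmac.compare_digest(M, mac(mk, p_client, p_peer, p_server, p_peer_server, Y1)):
        return None   # MAC failure on the server-to-server link: abort
    Y2 = pow(Y1, state["r"], P)
    Y_bar = Y2 * H_group("H2", state["N"], pw_table[state["client"]], state["C"]) % P
    return (server, peer_server, state["N"], Y_bar)


def client_finish(x, pw, C, msg, transcript):
    """K = (Ybar* / H2(N, pw, C))^x and SK = H3(transcript, K)."""
    _, _, N, Y_bar = msg
    K = pow(Y_bar * pow(H_group("H2", N, pw, C), -1, P) % P, x, P)
    return H("H3", *transcript, K)


def run_session(pw_A, pw_B, pw_A_used=None):
    """One full run; pw_A_used lets the caller send a wrong password for A.
    Returns (SK_A, SK_B), or None if a server aborted."""
    pw_used = pw_A if pw_A_used is None else pw_A_used
    mk = b"toy stand-in for the IDNIKS-derived MAC key"
    x, CA, m_A = client_start("A", "B", "SA", pw_used)
    y, CB, m_B = client_start("B", "A", "SB", pw_B)
    st_A = server_phase1("SA", "SB", {"A": pw_A}, m_A, mk)
    st_B = server_phase1("SB", "SA", {"B": pw_B}, m_B, mk)
    if st_A is None or st_B is None:
        return None
    to_A = server_phase2(st_A, "SA", "SB", {"A": pw_A}, st_B["out"], mk)
    to_B = server_phase2(st_B, "SB", "SA", {"B": pw_B}, st_A["out"], mk)
    if to_A is None or to_B is None:
        return None
    transcript = ("A", "B", "SA", "SB", CA, CB, to_B[3], to_A[3])   # ..., Xbar*, Ybar*
    SK_A = client_finish(x, pw_used, CA, to_A, transcript)
    SK_B = client_finish(y, pw_B, CB, to_B, transcript)
    return SK_A, SK_B
```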

3.4 Design Principles


Our protocol can be viewed as an extension of the Yin-Bao scheme. The main difference lies in the description of the servers.
First, upon receiving an input from a client, the corresponding server verifies that the password encrypted by the client matches the password they share. This procedure prevents undetectable on-line dictionary attacks, as in the technique of Lin et al. [12]. And, by using IBE, clients do not need to receive the servers' public-key certificates, since IBE is able to encrypt a message with only the recipient's identity.
Also, the servers exchange ephemeral keys with MACs, using MAC keys computed from their private keys. By using IDNIKS, the servers are able to share the same MAC key non-interactively. Thus, the authenticity of the ephemeral keys is guaranteed even though different realms are connected by unauthenticated-links channels in our protocol.
Furthermore, when a client blinds X with his password, we make the client include the identities of both clients in the computation of the password-based blinding factor. This procedure prevents unknown-key share attacks by a malicious client insider, as in the technique of Choo et al. [31].

4 Analysis of Security
In this section, we show the security properties of our scheme. Due to space limitations, we cannot give all the detailed analyses here, only a brief outline. In particular, we show resistance to unknown-key share attacks and resistance to undetectable on-line dictionary attacks, which the Yin-Bao scheme does not satisfy. We will give all details in the full paper.

4.1 Resistance to Unknown-Key Share


In the case that a malicious client insider C wants to convince a client B in the network that B shares a session key with C while in fact B shares the key with another client A, C is required to know the password pwA in order to pass the verification of B. Otherwise, the attack hardly works.
So, we consider the case that a malicious insider C wants to share a session key with a client B, while B believes that he shares the session key with a client A. Then, C cannot validly modify (B, A, CB) into (B, C, C̃B) in the message to SB, since C cannot compute H1(pwB, B, C) in place of H1(pwB, B, A) without the knowledge of pwC. If C does not modify CB, then B's session key is randomized by SB's operation computing Ŷ, and C cannot obtain any information about it. Also, C cannot validly modify (A, B, SA, SB, X1, MSA) into (C, B, SC, SB, X̃1, M̃SA), since he has no information about SA's MAC key. Thus, the probability that C successfully impersonates A is negligible.

4.2 Resistance to Undetectable On-Line Dictionary Attacks

The only chance to attack is when an adversary sends messages in the first phase to the servers, posing as a client, since messages sent to the servers in the other phases contain no information about passwords. However, the adversary cannot repeatedly send first-phase messages built from guessed passwords, since if he computes the ciphertext with a wrong password, the server verifies it and aborts. Thus, since the adversary can continue an on-line dictionary attack only if he guesses the password correctly, the success probability is negligibly close to 1/|D|.

5 Conclusion

We proposed a new cross-realm C2C-PAKE scheme in which clients only need the optimal number of communication rounds and need no communication across different realms. Furthermore, we showed that our scheme is secure against the unknown-key share attacks and undetectable on-line dictionary attacks which work against the Yin-Bao scheme.
A remaining problem for further research is to give provable security for our scheme. For proving formal security, since the formal security model of [26] has some defects, we have to refine the model. This can be achieved by referring to recent formal models of authenticated key exchange, e.g., the model of LaMacchia et al. [32].

References
1. Bellovin, S.M., Merritt, M.: Encrypted Key Exchange: Password-Based Protocols
Secure Against Dictionary Attacks. In: IEEE S&P 1992, pp. 72–84 (1992)
2. Jablon, D.P.: Strong Password-Only Authenticated Key Exchange. Computer
Communication Review, ACM SIGCOMM 26(5), 5–26 (1996)
3. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated Key Exchange Secure
against Dictionary Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS,
vol. 1807, pp. 139–155. Springer, Heidelberg (2000)

4. Boyko, V., MacKenzie, P.D., Patel, S.: Provably Secure Password-Authenticated


Key Exchange Using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000.
LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)
5. Goldreich, O., Lindell, Y.: Session-Key Generation Using Human Passwords Only.
In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 408–432. Springer, Hei-
delberg (2001)
6. Katz, J., Ostrovsky, R., Yung, M.: Efficient Password-Authenticated Key Exchange
Using Human-Memorable Passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001.
LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001)
7. Gennaro, R., Lindell, Y.: A Framework for Password-Based Authenticated Key
Exchange. In: Biham, E. (ed.) Advances in Cryptology – EUROCRYPT 2003.
LNCS, vol. 2656, pp. 408–432. Springer, Heidelberg (2003)
8. Nguyen, M.H., Vadhan, S.P.: Simpler Session-Key Generation from Short Random
Passwords. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 428–445. Springer,
Heidelberg (2004)
9. Abdalla, M., Pointcheval, D.: Simple Password-Based Encrypted Key Exchange
Protocols. In: Menezes, A.J. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 191–208.
Springer, Heidelberg (2005)
10. Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.D.: Universally Com-
posable Password-Based Key Exchange. In: Cramer, R.J.F. (ed.) EUROCRYPT
2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005)
11. Steiner, M., Tsudik, G., Waidner, M.: Refinement and Extension of Encrypted Key
Exchange. ACM Operating Systems Review 29(3), 22–30 (1995)
12. Lin, C.L., Sun, H.M., Hwang, T.: Three-party Encrypted Key Exchange: Attacks
and A Solution. ACM Operating Systems Review 34(4), 12–20 (2000)
13. Lee, T.F., Hwang, T., Lin, C.L.: Enhanced three-party encrypted key exchange
without server public keys. Elsevier Computers & Security 23(7), 571–577 (2004)
14. Chang, Y.F., Chang, C.C.: Password-authenticated 3PEKE with Round Efficiency
without Server’s Public Key. In: CW 2005, pp. 340–344 (2005)
15. Abdalla, M., Fouque, P.A., Pointcheval, D.: Password-Based Authenticated Key
Exchange in the Three-Party Setting. In: Public Key Cryptography 2005, pp. 65–
84 (2005)
16. Byun, J.W., Lee, D.H.: N-Party Encrypted Diffie-Hellman Key Exchange Using
Different Passwords. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS
2005. LNCS, vol. 3531, pp. 75–90. Springer, Heidelberg (2005)
17. Lu, R., Cao, Z.: Simple three-party key exchange protocol. Elsevier Computers &
Security 26(1), 94–97 (2007)
18. Byun, J.W., Jeong, I.R., Lee, D.H., Park, C.S.: Password-Authenticated Key Ex-
change between Clients with Different Passwords. In: Deng, R.H., Qing, S., Bao,
F., Zhou, J. (eds.) ICICS 2002. LNCS, vol. 2513, pp. 134–146. Springer, Heidelberg
(2002)
19. Chen, L.: A Weakness of the Password-Authenticated Key Agreement between
Clients with Different Passwords Scheme. In: ISO/IEC JTC 1/SC27 N3716 (2003)
20. Wang, S., Wang, J., Xu, M.: Weaknesses of a Password-Authenticated Key Ex-
change Protocol between Clients with Different Passwords. In: Jakobsson, M.,
Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 414–425. Springer,
Heidelberg (2004)
21. Kim, J., Kim, S., Kwak, J., Won, D.: Cryptanalysis and Improvement of Password
Authenticated Key Exchange Scheme between Clients with Different Passwords.
In: Laganà, A., Gavrilova, M., Kumar, V., Mun, Y., Tan, C.J.K., Gervasi, O. (eds.)
ICCSA 2004. LNCS, vol. 3043, pp. 895–902. Springer, Heidelberg (2004)

Links Between Discriminating and Identifying Codes in the Binary Hamming Space

Irène Charon, Gérard Cohen, Olivier Hudry, and Antoine Lobstein

GET - Télécom Paris & CNRS - LTCI UMR 5141
46, rue Barrault, 75634 Paris Cedex 13 - France
{irene.charon,gerard.cohen,olivier.hudry,antoine.lobstein}@enst.fr

Abstract. Let $F^n$ be the binary $n$-cube, or binary Hamming space of dimension $n$, endowed with the Hamming distance, and $E^n$ (respectively, $O^n$) the set of vectors with even (respectively, odd) weight. For $r \geq 1$ and $x \in F^n$, we denote by $B_r(x)$ the ball of radius $r$ and centre $x$. A code $C \subseteq F^n$ is said to be $r$-identifying if the sets $B_r(x) \cap C$, $x \in F^n$, are all nonempty and distinct. A code $C \subseteq E^n$ is said to be $r$-discriminating if the sets $B_r(x) \cap C$, $x \in O^n$, are all nonempty and distinct. We show that the two definitions, which were given for general graphs, are equivalent in the case of the Hamming space, in the following sense: for any odd $r$, there is a bijection between the set of $r$-identifying codes in $F^n$ and the set of $r$-discriminating codes in $F^{n+1}$.

Keywords: Graph Theory, Coding Theory, Discriminating Codes, Identifying Codes, Hamming Space, Hypercube

1 Introduction
We define identifying and discriminating codes in a connected, undirected graph
G = (V, E), in which a code is simply a nonempty subset of vertices. These
definitions can help, in various meanings, to unambiguously determine a vertex.
The motivations may come from processor networks where we wish to locate a
faulty vertex under certain conditions, or from the need to identify an individual,
given its set of attributes.
In $G$ we define the usual distance $d(v_1, v_2)$ between two vertices $v_1, v_2 \in V$ as the smallest possible number of edges in any path between them. For an integer $r \geq 0$ and a vertex $v \in V$, we define $B_r(v)$, the ball of radius $r$ centred at $v$, as the set of vertices within distance $r$ from $v$. Whenever two vertices $v_1$ and $v_2$ are such that $v_1 \in B_r(v_2)$ (or, equivalently, $v_2 \in B_r(v_1)$), we say that they $r$-cover each other. A set $X \subseteq V$ $r$-covers a set $Y \subseteq V$ if every vertex in $Y$ is $r$-covered by at least one vertex in $X$.
The elements of a code $C \subseteq V$ are called codewords. For each vertex $v \in V$, we denote by
$$K_{C,r}(v) = C \cap B_r(v)$$
the set of codewords $r$-covering $v$. Two vertices $v_1$ and $v_2$ with $K_{C,r}(v_1) \neq K_{C,r}(v_2)$ are said to be $r$-separated by the code $C$, and any codeword belonging to exactly one of the two sets $B_r(v_1)$ and $B_r(v_2)$ is said to $r$-separate $v_1$ and $v_2$.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 267–270, 2007.
© Springer-Verlag Berlin Heidelberg 2007
A code C ⊆ V is called r-identifying [10] if all the sets KC,r (v), v ∈ V , are
nonempty and distinct. In other words, every vertex is r-covered by at least one
codeword, and every pair of vertices is r-separated by at least one codeword.
Such codes are also sometimes called differentiating dominating sets [8].
We now suppose that G is bipartite: G = (V = I ∪ A, E), with no edges inside
I nor A — here, A stands for attributes and I for individuals. A code C ⊆ A is
said to be r-discriminating [4] if all the sets KC,r (i), i ∈ I, are nonempty and
distinct. From the definition we see that we can consider only odd values of r.
In the following, we drop the general case and turn to the binary Hamming space of dimension $n$, also called the binary $n$-cube, which is a regular bipartite graph. First we need to give some specific definitions and notation.
We consider the $n$-cube as the set of binary row-vectors of length $n$, and as such, we denote it by $G = (F^n, E)$ with $F = \{0, 1\}$ and $E = \{\{x, y\} : d(x, y) = 1\}$, the usual graph distance $d(x, y)$ between two vectors $x$ and $y$ being called here the Hamming distance: it simply consists of the number of coordinates where $x$ and $y$ differ. The Hamming weight of a vector $x$ is its distance to the all-zero vector, i.e., the number of its nonzero coordinates. A vector is said to be even (respectively, odd) if its weight is even (respectively, odd), and we denote by $E^n$ (respectively, $O^n$) the set of the $2^{n-1}$ even (respectively, odd) vectors in $F^n$. Without loss of generality, for the definition of an $r$-discriminating code, we choose the set $A$ to be $E^n$, and the set $I$ to be $O^n$. Additions are carried out coordinatewise and modulo two.
Given a vector $x \in F^n$, we denote by $\pi(x)$ its parity-check bit: $\pi(x) = 0$ if $x$ is even, $\pi(x) = 1$ if $x$ is odd. Therefore, if $|$ stands for concatenation of vectors, $x|\pi(x)$ is an even vector. Finally, we denote by $M_r(n)$ (respectively, $D_r(n)$) the smallest possible cardinality of an $r$-identifying (respectively, $r$-discriminating) code in $F^n$.
In Section 2, we show that in the particular case of the Hamming space, the two notions of $r$-identifying and $r$-discriminating codes actually coincide for all odd values of $r$ and all $n \geq 2$, in the sense that there is a bijection between the set of $r$-identifying codes in $F^n$ and the set of $r$-discriminating codes in $F^{n+1}$.

2 Identifying Is Discriminating

As we now show with the following two theorems, for any odd $r \geq 1$, any $r$-identifying code in $F^n$ can be extended into an $r$-discriminating code in $F^{n+1}$, and any $r$-discriminating code in $F^n$ can be shortened into an $r$-identifying code in $F^{n-1}$. First, observe that $r$-identifying codes exist in $F^n$ if and only if $r < n$.

Theorem 1. Let $n \geq 2$, $p \geq 0$ be such that $2p + 1 < n$, let $C \subseteq F^n$ be a $(2p+1)$-identifying code and let
$$C' = \{c|\pi(c) : c \in C\}.$$
Then $C'$ is $(2p+1)$-discriminating in $F^{n+1}$. Therefore,
$$D_{2p+1}(n+1) \leq M_{2p+1}(n). \tag{1}$$
Proof. Let $r = 2p + 1$. By construction, $C'$ contains only even vectors. We shall prove that (a) any odd vector $x \in O^{n+1}$ is $r$-covered by at least one codeword of $C'$; (b) given any two distinct odd vectors $x, y \in O^{n+1}$, there is at least one codeword in $C'$ which $r$-separates them.
(a) We write $x = x_1|x_2$ with $x_1 \in F^n$ and $x_2 \in F$. Because $C$ is $r$-identifying in $F^n$, there is a codeword $c \in C$ with $d(x_1, c) \leq r$. Let $c' = c|\pi(c)$. If $d(x_1, c) \leq r - 1$, then whatever the values of $x_2$ and $\pi(c)$ are, we have $d(x, c') \leq r$; we assume therefore that $d(x_1, c) = r = 2p + 1$, which implies that $x_1$ and $c$ have different parities. Since $x_1|x_2$ and $c|\pi(c)$ also have different parities, we have $x_2 = \pi(c)$ and $d(x, c') = r$. So the codeword $c' \in C'$ $r$-covers $x$.
(b) We write $x = x_1|x_2$, $y = y_1|y_2$, with $x_1, y_1 \in F^n$, $x_2, y_2 \in F$. Since $C$ is $r$-identifying in $F^n$, there is a codeword $c \in C$ which is, say, within distance $r$ from $x_1$ and not from $y_1$: $d(x_1, c) \leq r$, $d(y_1, c) > r$. Let $c' = c|\pi(c)$. For the same reasons as above, $x$ is within distance $r$ from $c'$, whereas obviously $d(y, c') \geq d(y_1, c) > r$. So $c' \in C'$ $r$-separates $x$ and $y$.
Inequality (1) follows. $\square$
Theorem 2. Let $n \geq 3$, $p \geq 0$ be such that $2p + 2 < n$, let $C \subseteq E^n$ be a $(2p+1)$-discriminating code and let $C' \subseteq F^{n-1}$ be any code obtained by the deletion of one coordinate in $C$. Then $C'$ is $(2p+1)$-identifying in $F^{n-1}$. Therefore,
$$M_{2p+1}(n-1) \leq D_{2p+1}(n). \tag{2}$$
Proof. Let $r = 2p + 1$. Let $C \subseteq E^n$ be an $r$-discriminating code and $C' \subseteq F^{n-1}$ be the code obtained by deleting, say, the last coordinate in $C$. We shall prove that (a) any vector $x \in F^{n-1}$ is $r$-covered by at least one codeword of $C'$; (b) given any two distinct vectors $x, y \in F^{n-1}$, there is at least one codeword in $C'$ which $r$-separates them.
(a) The vector $x|(\pi(x) + 1) \in F^n$ is odd. As such, it is $r$-covered by a codeword $c = c'|u \in C \subseteq E^n$, with $c' \in C'$, $u = \pi(c')$, and $d(x|(\pi(x) + 1), c) \leq r$. This proves that $x$ is within distance $r$ from a codeword of $C'$.
(b) Both $x|(\pi(x) + 1)$ and $y|(\pi(y) + 1)$ are odd vectors in $F^n$, and there is a codeword $c = c'|u \in C \subseteq E^n$, with $c' \in C'$, $u = \pi(c')$, which $r$-separates them: without loss of generality, $d(x|(\pi(x) + 1), c) \leq r$ whereas $d(y|(\pi(y) + 1), c)$, which is an odd integer (the distance between an odd and an even vector), is at least $r + 2$. Then obviously $d(x, c') \leq r$ and $d(y, c') \geq r + 1$, i.e., there is a codeword in $C'$ which $r$-separates $x$ and $y$.
Inequality (2) follows. $\square$

Corollary 1. For all $n \geq 2$ and $p \geq 0$ such that $2p + 1 < n$, we have:
$$D_{2p+1}(n+1) = M_{2p+1}(n).$$
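The definitions of Section 1 and the two maps used in Theorems 1 and 2, as an added worked example that is not part of the paper: it checks the $r$-identifying and $r$-discriminating properties by brute force, applies the extension $c \mapsto c|\pi(c)$ and the coordinate deletion, and computes $M_1(3)$ and $D_1(4)$ exhaustively to exhibit Corollary 1. The function names (`ball`, `separates`, `extend`, `shorten`, `M`, `D`) are this example's own choices.

```python
# Added example (not code from the paper): r-identifying and r-discriminating
# codes in F^n, the extension c -> c|pi(c) of Theorem 1, the coordinate deletion
# of Theorem 2, and an exhaustive computation of M_r(n) and D_r(n) for small n.
# All function names are this example's own; vectors are tuples of 0/1.
from functools import lru_cache
from itertools import combinations, product


def vectors(n):
    """F^n as a list of binary row vectors (tuples)."""
    return list(product((0, 1), repeat=n))


def parity(x):
    """pi(x): 0 for an even-weight vector, 1 for an odd-weight one."""
    return sum(x) % 2


@lru_cache(maxsize=None)
def ball(x, r):
    """B_r(x): the vectors of F^n within Hamming distance r of x (cached: reused a lot)."""
    return frozenset(y for y in vectors(len(x)) if sum(a != b for a, b in zip(x, y)) <= r)


def separates(code, vertices, r):
    """True iff the sets K_{C,r}(v) = C ∩ B_r(v), v in vertices, are nonempty and pairwise distinct."""
    seen = set()
    for v in vertices:
        k = ball(v, r) & code
        if not k or k in seen:  # v is not r-covered, or not r-separated from an earlier vertex
            return False
        seen.add(k)
    return True


def is_identifying(code, n, r):
    """C is r-identifying in F^n: every vertex is r-covered and every pair is r-separated."""
    return separates(code, vectors(n), r)


def is_discriminating(code, n, r):
    """C is r-discriminating in F^n: C ⊆ E^n and the odd vertices O^n are covered and separated."""
    odd = [v for v in vectors(n) if parity(v) == 1]
    return all(parity(c) == 0 for c in code) and separates(code, odd, r)


def extend(code):
    """Theorem 1: C' = {c|pi(c) : c in C}, an even-weight code in F^{n+1}."""
    return frozenset(c + (parity(c),) for c in code)


def shorten(code, i):
    """Theorem 2: delete coordinate i (0-based) from every codeword of C ⊆ E^n."""
    return frozenset(c[:i] + c[i + 1:] for c in code)


def smallest_code(candidates, vertices, r):
    """Exhaustive search by increasing size for a code C ⊆ candidates whose sets
    K_{C,r}(v), v in vertices, are nonempty and distinct; None if no such code exists."""
    for k in range(1, len(candidates) + 1):
        for code in combinations(candidates, k):
            code = frozenset(code)
            if separates(code, vertices, r):
                return code
    return None


def M(n, r):
    """M_r(n): cardinality of a smallest r-identifying code in F^n (needs r < n)."""
    return len(smallest_code(vectors(n), vectors(n), r))


def D(n, r):
    """D_r(n): cardinality of a smallest r-discriminating code in F^n (C ⊆ E^n, vertices O^n)."""
    even = [v for v in vectors(n) if parity(v) == 0]
    odd = [v for v in vectors(n) if parity(v) == 1]
    return len(smallest_code(even, odd, r))


if __name__ == "__main__":
    c = smallest_code(vectors(3), vectors(3), 1)                 # a smallest 1-identifying code in F^3
    print(sorted(c), is_identifying(c, 3, 1))
    print(sorted(extend(c)), is_discriminating(extend(c), 4, 1))  # Theorem 1, now in F^4
    print(M(3, 1), D(4, 1))                                       # Corollary 1: M_1(3) = D_1(4)
```

Because `M` and `D` enumerate all subsets of the candidate set, the exhaustive part is only meant for $n \leq 4$; the checks `is_identifying` and `is_discriminating` themselves scale to any code one cares to test. For $n = 3$, $r = 1$ the search finds a code of size 4, and size 3 is impossible since eight vertices need eight distinct nonempty subsets of the code.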

3 Conclusion
We have shown the equivalence between discriminating and identifying codes;
the latter being already well studied, this entails a few consequences on discrim-
inating codes.
For example, the complexity of problems on discriminating codes is the same as that for identifying codes; in particular, it is known [9] that deciding whether a given code $C \subseteq F^n$ is $r$-identifying is co-NP-complete.
For yet another issue, constructions, we refer to, e.g., [1]–[3], [6], [9], [10]
or [11]; visit also [12]. In the recent [7], tables for exact values or bounds on
M1 (n), 2 ≤ n ≤ 19, and M2 (n), 3 ≤ n ≤ 21, are given.
Discriminating codes have not been thoroughly studied so far; let us simply
mention [4] for a general introduction and [5] in the case of planar graphs.

References
1. Blass, U., Honkala, I., Litsyn, S.: On The Size of Identifying Codes. In: Fossorier,
M.P.C., Imai, H., Lin, S., Poli, A. (eds.) AAECC-13. LNCS, vol. 1719, pp. 142–147.
Springer, Heidelberg (1999)
2. Blass, U., Honkala, I., Litsyn, S.: On Binary Codes for Identification. J. of Combi-
natorial Designs 8, 151–156 (2000)
3. Blass, U., Honkala, I., Litsyn, S.: Bounds on Identifying Codes. Discrete Mathe-
matics 241, 119–128 (2001)
4. Charbit, E., Charon, I., Cohen, G., Hudry, O.: Discriminating Codes in Bipartite
Graphs. Electronic Notes in Discrete Mathematics 26, 29–35 (2006)
5. Charon, I., Cohen, G., Hudry, O., Lobstein, A.: Discriminating Codes in (Bipartite)
Planar Graphs. European Journal of Combinatorics (to appear)
6. Exoo, G.: Computational Results on Identifying t-codes (preprint, 1999)
7. Exoo, G., Laihonen, T., Ranto, S.: Improved Upper Bounds on Binary Identifying
Codes. IEEE Trans. Inform. Theory (to appear)
8. Gimbel, J., Van Gorden, B.D., Nicolescu, M., Umstead, C., Vaiana, N.: Location
with Dominating Sets. Congressus Numerantium 151, 129–144 (2001)
9. Honkala, I., Lobstein, A.: On the Complexity of the Identification Problem in
Hamming Spaces. Acta Informatica 38, 839–845 (2002)
10. Karpovsky, M.G., Chakrabarty, K., Levitin, L.B.: On a New Class of Codes for
Identifying Vertices in Graphs. IEEE Trans. Inform. Theory 44(2), 599–611 (1998)
11. Ranto, S.: Identifying and Locating-Dominating Codes in Binary Hamming Spaces.
Ph. D Thesis, University of Turku (2007)
12. http://www.infres.enst.fr/~lobstein/bibLOCDOMetID.html
Construction of Rotation Symmetric Boolean Functions on Odd Number of Variables with Maximum Algebraic Immunity

Sumanta Sarkar and Subhamoy Maitra

Applied Statistics Unit, Indian Statistical Institute
203 B T Road, Kolkata 700108, India
{sumanta r, subho}@isical.ac.in

Abstract. In this paper we present a theoretical construction of Rotation Symmetric Boolean Functions (RSBFs) on an odd number of variables with maximum possible algebraic immunity (AI); further, these functions are not symmetric. Our RSBFs have better nonlinearity than the existing theoretical constructions with maximum possible AI. To get very good nonlinearity, which is important for practical cryptographic design, we generalize our construction to a construction cum search technique in the RSBF class. We find 7, 9, 11 variable RSBFs with maximum possible AI having nonlinearities 56, 240, 984 respectively with a very small amount of search after our basic construction.

Keywords: Algebraic Immunity, Boolean Function, Nonlinearity, Nonsingular Matrix, Rotational Symmetry, Walsh Spectrum.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 271–280, 2007.
© Springer-Verlag Berlin Heidelberg 2007

1 Introduction

Algebraic attacks have received a lot of attention recently in the study of the security of stream ciphers as well as block ciphers (see [1,2,3,4,5] and the references therein). One necessary condition to resist this attack is that the Boolean function used in the cipher should have good algebraic immunity (AI). It is known [2] that for any $n$-variable Boolean function, the maximum possible AI is $\lceil n/2 \rceil$.
So far a few theoretical constructions of Boolean functions with optimal AI have been presented in the literature. In [4], the first ever construction of Boolean functions with maximum AI was proposed. Later, the construction of symmetric Boolean functions with maximum AI was given in [6]. For an odd number of input variables, majority functions are the examples of symmetric functions with maximum AI. Recently in [9], the idea of modifying symmetric functions to get other functions with maximum AI was proposed using the technique of [5].
An $n$-variable Boolean function which is invariant under the action of the cyclic group $C_n$ on the set $V_n = \{0, 1\}^n$ is called a Rotation Symmetric Boolean function (RSBF). We denote the class of all $n$-variable RSBFs as $S(C_n)$. On the other hand, an $n$-variable symmetric Boolean function is one which is invariant under the action of the symmetric group $S_n$ on the set $V_n$, and we denote the class of all $n$-variable symmetric Boolean functions as $S(S_n)$. The class $S(C_n)$
has been shown to be extremely rich, as the class contains Boolean functions with excellent cryptographic as well as combinatorial significance (see [7,12] and the references therein). For example, in [7], 9-variable Boolean functions with nonlinearity 241 have been discovered in $S(C_9)$, a question which had been open for a long period. Also an RSBF has a short representation, which is interesting for the design of ciphers. Since $C_n \subset S_n$, we have $S(S_n) \subset S(C_n)$. Therefore all the symmetric functions with maximum AI are also examples of RSBFs with maximum AI. The class $S(C_n) \setminus S(S_n)$ becomes quite huge for larger $n$. However, so far there has been no known construction method which gives $n$-variable RSBFs belonging to $S(C_n) \setminus S(S_n)$ and having maximum AI. It has been proved in [10,13] that the majority function (up to complementation) is the only symmetric Boolean function on an odd number of variables which has maximum AI. Hence there is a need for a theoretical construction method which provides a new class of RSBFs with maximum AI which are not symmetric.
In this paper we present a construction method (Construction 1) that generates RSBFs on an odd number of variables ($\geq 5$) with maximum AI which are not symmetric. Note that up to 3 variables, RSBFs are all symmetric, and that is the reason we concentrate on $n \geq 5$. In this construction, the complement of the $n$-variable majority function is considered and its outputs are toggled at the inputs of two orbits, of weight $\lfloor n/2 \rfloor$ and $\lceil n/2 \rceil$ respectively. These orbits are chosen in such a manner that a sub-matrix associated to these points is nonsingular. This idea follows the work of [5], where the sub-matrix was introduced to reduce the complexity of determining the AI of a Boolean function. We also show that the functions of this class have nonlinearity
$$2^{n-1} - \binom{n-1}{\lfloor n/2 \rfloor} + 2,$$
which is better than $2^{n-1} - \binom{n-1}{\lfloor n/2 \rfloor}$, the lower bound [11] on the nonlinearity of any $n$ (odd) variable function with maximum AI; further, the general theoretical constructions [4,6] could only achieve this lower bound so far.
We present a generalization of Construction 1 in Construction 2, which is further generalized in Construction 3. In each of the generalizations we relax the restrictions on choosing orbits and achieve better nonlinearity of the constructed RSBFs with maximum AI. We present instances of RSBFs having nonlinearities equal to or slightly less than $2^{n-1} - 2^{\frac{n-1}{2}}$ for odd $n$, $7 \leq n \leq 11$.
One may refer to [7,6] for the basics of Boolean functions, and in particular symmetric and rotation symmetric Boolean functions. Also [5] gives a detailed description of the algebraic immunity of a Boolean function.

2 Existing Results Related to Annihilators

We take the degree graded lexicographic order "$<_{dgl}$" on the set of all monomials on $n$ variables $\{x_{m_1} \cdots x_{m_k} : 1 \leq k \leq n,\ 1 \leq m_1, \ldots, m_k \leq n\}$ (together with the constant monomial $1$, which is counted by the $i = 0$ term below).
Let $v_{n,d}(x) = \big(m_1(x), m_2(x), \ldots, m_{\sum_{i=0}^{d} \binom{n}{i}}(x)\big)$, where $m_i(x)$ is the $i$-th monomial in the order $<_{dgl}$ evaluated at the point $x = (x_1, x_2, \ldots, x_n)$.
Definition 1. For an $n$-variable Boolean function $f$, let $M_{n,d}(f)$ be the $wt(f) \times \sum_{i=0}^{d} \binom{n}{i}$ matrix defined as
$$M_{n,d}(f) = \big(v_{n,d}(P_1), v_{n,d}(P_2), \ldots, v_{n,d}(P_{wt(f)})\big)^T,$$
where $0 \leq d \leq n$, $P_i \in supp(f)$, $1 \leq i \leq wt(f)$ and $P_1 <_{dgl} P_2 <_{dgl} \cdots <_{dgl} P_{wt(f)}$.

Let $h$ be the $n$-variable Boolean function defined by $h(x) = 1$ if and only if $wt(x) \leq d$, for $0 \leq d \leq n$. Then from [5] we know that $M_{n,d}(h)^{-1} = M_{n,d}(h)$.
Let $f$ be an $n$-variable Boolean function. Let a nonzero $n$-variable function $g$ be an annihilator of $f$, i.e., $f(x_1, \ldots, x_n) \cdot g(x_1, \ldots, x_n) = 0$ for all $(x_1, \ldots, x_n) \in V_n$. That means,
$$g(x_1, \ldots, x_n) = 0 \quad \text{if } f(x_1, \ldots, x_n) = 1. \tag{1}$$
If the degree of the function $g$ is less than or equal to $d$, then the ANF of $g$ is of the form
$$g(x_1, \ldots, x_n) = a_0 + \sum_{i=1}^{n} a_i x_i + \cdots + \sum_{1 \leq i_1 < i_2 < \cdots < i_d \leq n} a_{i_1, \ldots, i_d}\, x_{i_1} \cdots x_{i_d},$$
where $a_0, a_1, \ldots, a_{1,2}, \ldots, a_{n-d+1, \ldots, n}$ are from $\{0, 1\}$, not all zero. Then relation (1) gives a homogeneous linear equation
$$a_0 + \sum_{i=1}^{n} a_i x_i + \cdots + \sum_{1 \leq i_1 < i_2 < \cdots < i_d \leq n} a_{i_1, \ldots, i_d}\, x_{i_1} \cdots x_{i_d} = 0 \tag{2}$$
with $a_0, a_1, \ldots, a_{1,2}, \ldots, a_{n-d+1, \ldots, n}$ as unknowns, for each input $(x_1, \ldots, x_n) \in supp(f)$, and thus $wt(f)$ homogeneous linear equations in total. If this system of equations has a nonzero solution, then the $g$ whose ANF coefficients are that solution is an annihilator of $f$ of degree less than or equal to $d$. Note that in this system of equations $M_{n,d}(f)$ is the coefficient matrix. It is then clear that if the rank of $M_{n,d}(f)$ is equal to $\sum_{i=0}^{d} \binom{n}{i}$, $f$ does not possess any annihilator of degree less than or equal to $d$. If, for $d = \lceil n/2 \rceil - 1$, neither $f$ nor $1 \oplus f$ has an annihilator of degree less than or equal to $d$, then $f$ has maximum algebraic immunity, i.e., $\lceil n/2 \rceil$.

2.1 Existence of Boolean Functions with Maximum AI on Odd Variables

Let us start with a few available results on $n$-variable Boolean functions with maximum AI. Henceforth we will consider the $<_{dgl}$ ordering of the inputs of $V_n$ unless stated otherwise.

Proposition 1. [3] An odd variable Boolean function with maximum AI must be balanced.

Proposition 2. Let $f$ be an $n$ (odd) variable Boolean function. Then the AI of $f$ is $\lceil n/2 \rceil$ if and only if $f$ is balanced and $M_{n, \lceil n/2 \rceil - 1}(f)$ has full rank.
We denote by $G_n$ the $n$ (odd) variable Boolean function with $G_n(X) = 1$ if $wt(X) \leq \lceil n/2 \rceil - 1$, and $G_n(X) = 0$ if $wt(X) \geq \lceil n/2 \rceil$.
The function $G_n$ is a balanced symmetric Boolean function and it has been proved [6] that this function has maximum algebraic immunity, i.e., $\lceil n/2 \rceil$. Then both of the matrices $M_{n, \lceil n/2 \rceil - 1}(G_n)$ and $M_{n, \lceil n/2 \rceil - 1}(1 \oplus G_n)$ are of order $2^{n-1} \times 2^{n-1}$ and nonsingular. Now we take a look at a construction of an $n$-variable Boolean function having maximum AI by modifying some outputs of $G_n$.
Let $\{X_1, \ldots, X_{2^{n-1}}\}$ and $\{Y_1, \ldots, Y_{2^{n-1}}\}$ be the supports of $G_n$ and $1 \oplus G_n$ respectively. Suppose $X^j = \{X_{j_1}, \ldots, X_{j_k}\}$ and $Y^i = \{Y_{i_1}, \ldots, Y_{i_k}\}$. Construct the function $F_n$ as
$$F_n(X) = \begin{cases} 1 \oplus G_n(X), & \text{if } X \in X^j \cup Y^i, \\ G_n(X), & \text{elsewhere.} \end{cases}$$
In the rest of the paper, we denote an $n$-variable Boolean function constructed as above by $F_n$. The next result follows from Proposition 2.

Proposition 3. The function $F_n$ has maximum AI if and only if the two $k$-sets $X^j$ and $Y^i$ are such that $M_{n, \lceil n/2 \rceil - 1}(F_n)$ is nonsingular.

This idea was first proposed in [5] and, using this idea, a few examples of Boolean functions on odd variables with maximum AI have been demonstrated in [9]. However, this has not been studied in the domain of RSBFs.
Let us have a quick look at a result from linear algebra which is a consequence of the Steinitz Exchange Lemma [8].

Theorem 1. Let $V$ be a vector space of dimension $\tau$ over the field $F$, and let $\{\alpha_1, \ldots, \alpha_\tau\}$ and $\{\beta_1, \ldots, \beta_\tau\}$ be two bases of $V$. Then for any $k$ ($1 \leq k \leq \tau$), there is a pair of $k$-sets $\{\beta_{a_1}, \ldots, \beta_{a_k}\}$ and $\{\alpha_{b_1}, \ldots, \alpha_{b_k}\}$ such that the set $\{\alpha_1, \ldots, \alpha_\tau\} \cup \{\beta_{a_1}, \ldots, \beta_{a_k}\} \setminus \{\alpha_{b_1}, \ldots, \alpha_{b_k}\}$ is a basis of $V$.

The row vectors $v_{n, \lfloor n/2 \rfloor}(X_1), \ldots, v_{n, \lfloor n/2 \rfloor}(X_{2^{n-1}})$ of $M_{n, \lfloor n/2 \rfloor}(G_n)$ form a basis of the vector space $V_{2^{n-1}}$ (note that $\lfloor n/2 \rfloor = \lceil n/2 \rceil - 1$ for odd $n$). Similarly the row vectors $v_{n, \lfloor n/2 \rfloor}(Y_1), \ldots, v_{n, \lfloor n/2 \rfloor}(Y_{2^{n-1}})$ of $M_{n, \lfloor n/2 \rfloor}(1 \oplus G_n)$ also form a basis of the vector space $V_{2^{n-1}}$. By finding two $k$-sets $\{v_{n, \lfloor n/2 \rfloor}(X_{j_1}), \ldots, v_{n, \lfloor n/2 \rfloor}(X_{j_k})\}$ and $\{v_{n, \lfloor n/2 \rfloor}(Y_{i_1}), \ldots, v_{n, \lfloor n/2 \rfloor}(Y_{i_k})\}$ (which always exist by Theorem 1), one can construct an $n$-variable Boolean function $F_n$ with maximum algebraic immunity if and only if the corresponding matrix $M_{n, \lfloor n/2 \rfloor}(F_n)$ is nonsingular. The complexity of checking the nonsingularity of the matrix $M_{n, \lfloor n/2 \rfloor}(F_n)$ is $O\big((\sum_{t=0}^{\lfloor n/2 \rfloor} \binom{n}{t})^3\big) = O(2^{3(n-1)})$, i.e., this construction will take a huge time for larger $n$. But this task can be done with less effort by forming the matrix $W = M_{n, \lfloor n/2 \rfloor}(1 \oplus G_n) \times (M_{n, \lfloor n/2 \rfloor}(G_n))^{-1}$ and checking a sub-matrix of it. Since $(M_{n, \lfloor n/2 \rfloor}(G_n))^{-1} = M_{n, \lfloor n/2 \rfloor}(G_n)$, we have $W = M_{n, \lfloor n/2 \rfloor}(1 \oplus G_n) \times M_{n, \lfloor n/2 \rfloor}(G_n)$. We have the following proposition.
Proposition 4. [5] Let $A$ be a nonsingular $m \times m$ binary matrix whose row vectors are denoted $v_1, \ldots, v_m$. Let $U$ be a $k \times m$ matrix, $k \leq m$, whose row vectors are denoted $u_1, \ldots, u_k$. Let $Z = U A^{-1}$, a $k \times m$ binary matrix. Consider the matrix $A'$ formed from $A$ by replacing the rows $v_{j_1}, \ldots, v_{j_k}$ of $A$ by the vectors $u_1, \ldots, u_k$. Further consider the $k \times k$ matrix $Z'$ formed by taking the $j_1$-th, $j_2$-th, $\ldots$, $j_k$-th columns of $Z$. Then $A'$ is nonsingular if and only if $Z'$ is nonsingular.

From the construction of $F_n$ it is clear that it is balanced. Now construct the matrix $W = M_{n, \lfloor n/2 \rfloor}(1 \oplus G_n) \times M_{n, \lfloor n/2 \rfloor}(G_n)$. Consider $A$ to be the matrix $M_{n, \lfloor n/2 \rfloor}(G_n)$ and let $U$ be the matrix formed by the $i_1$-th, $\ldots$, $i_k$-th rows of $M_{n, \lfloor n/2 \rfloor}(1 \oplus G_n)$, which are the row vectors $v_{n, \lfloor n/2 \rfloor}(Y_{i_1}), \ldots, v_{n, \lfloor n/2 \rfloor}(Y_{i_k})$ respectively. Now replace the $j_1$-th, $\ldots$, $j_k$-th rows of $M_{n, \lfloor n/2 \rfloor}(G_n)$, which are respectively the row vectors $v_{n, \lfloor n/2 \rfloor}(X_{j_1}), \ldots, v_{n, \lfloor n/2 \rfloor}(X_{j_k})$, by the rows of $U$ and form the new matrix $A'$. Note that $A'$ is exactly the matrix $M_{n, \lfloor n/2 \rfloor}(F_n)$, up to the order of its rows. Let $W_{|Y^i| \times |X^j|}$ be the matrix formed by taking the $i_1$-th, $\ldots$, $i_k$-th rows and the $j_1$-th, $\ldots$, $j_k$-th columns of $W$. Then $M_{n, \lfloor n/2 \rfloor}(F_n)$ is nonsingular if and only if $W_{|Y^i| \times |X^j|}$ is nonsingular. Thus we have the following theorem.

Theorem 2. The function $F_n$ has maximum algebraic immunity if and only if the sub-matrix $W_{|Y^i| \times |X^j|}$ is nonsingular.

The following proposition characterizes $W$.

Proposition 5. [5] The $(q,p)$-th element of the matrix $W$ is given by $W_{(q,p)} = 0$ if $WS(X_p) \not\subseteq WS(Y_q)$, and
$$W_{(q,p)} = \sum_{t=0}^{\lfloor n/2 \rfloor - wt(X_p)} \binom{wt(Y_q) - wt(X_p)}{t} \bmod 2$$
otherwise; where $WS((x_1, \ldots, x_n)) = \{i : x_i = 1\} \subseteq \{1, \ldots, n\}$.

3 New Class of RSBFs with Maximum AI

Proposition 6. Given odd $n$, all the orbits $O_\mu$ generated by $\mu = (\mu_1, \ldots, \mu_n) \in V_n$ of weight $\lfloor n/2 \rfloor$ or $\lceil n/2 \rceil$ have $n$ elements.

Proof. From [12], it is known that if $\gcd(n, wt(\mu)) = 1$, then the orbit $O_\mu$ contains $n$ elements. Since $\gcd(n, \lfloor n/2 \rfloor) = \gcd(n, \lceil n/2 \rceil) = 1$ for odd $n$, the result follows. $\square$

Construction 1
1. Take odd $n \geq 5$.
2. Take an element $x \in V_n$ of weight $\lfloor n/2 \rfloor$ and generate the orbit $O_x$.
3. Choose an orbit $O_y$ generated by an element $y \in V_n$ of weight $\lceil n/2 \rceil$ such that for each $x' \in O_x$ there is a unique $y' \in O_y$ with $WS(x') \subset WS(y')$.
4. Construct
$$R_n(X) = \begin{cases} G_n(X) \oplus 1, & \text{if } X \in O_x \cup O_y, \\ G_n(X), & \text{elsewhere.} \end{cases}$$

Henceforth, we will consider $R_n$ as the function on $n$ ($\geq 5$ and odd) variables obtained from Construction 1. We have the following theorem.
Theorem 3. The function $R_n$ is an $n$-variable RSBF with maximum AI.

Proof. $R_n$ is obtained by toggling all outputs of $G_n$ corresponding to the inputs belonging to the two orbits $O_x$ and $O_y$. Therefore $R_n$ is an RSBF on $n$ variables. By Proposition 6, we have $|O_x| = |O_y|$. Also it is clear that $G_n(X) = 1$ for all $X \in O_x$ and $G_n(X) = 0$ for all $X \in O_y$. So $wt(R_n) = 2^{n-1} - |O_x| + |O_y| = 2^{n-1}$. Thus $R_n$ is a balanced RSBF on $n$ variables.
Let us now investigate the matrix $W_{|O_y| \times |O_x|}$. We reorder the elements in $O_x$ and $O_y$ as $x^{(1)}, \ldots, x^{(|O_x|)}$ and $y^{(1)}, \ldots, y^{(|O_y|)}$ respectively, where $WS(x^{(p)}) \subset WS(y^{(p)})$ for all $1 \leq p \leq |O_x| = |O_y|$. As $WS(x^{(p)}) \not\subseteq WS(y^{(q)})$ for all $q \in \{1, \ldots, |O_y|\} \setminus \{p\}$, by Proposition 5 the value of $W_{(q,p)}$ is $0$ for all $q \in \{1, \ldots, |O_y|\} \setminus \{p\}$. Again by Proposition 5, the value of $W_{(p,p)}$ can be determined as
$$W_{(p,p)} = \sum_{t=0}^{\lfloor n/2 \rfloor - wt(x^{(p)})} \binom{wt(y^{(p)}) - wt(x^{(p)})}{t} = \sum_{t=0}^{\lfloor n/2 \rfloor - \lfloor n/2 \rfloor} \binom{\lceil n/2 \rceil - \lfloor n/2 \rfloor}{t} = 1.$$
Thus the matrix $W_{|O_y| \times |O_x|}$ is a diagonal matrix whose diagonal elements are all equal to 1. Hence $W_{|O_y| \times |O_x|}$ is nonsingular. Therefore Theorem 2 implies that $R_n$ has maximum AI. $\square$

Example 1. Take $n = 5$. Consider $x = (1, 0, 0, 1, 0)$ and $y = (1, 0, 0, 1, 1)$ and generate the orbits
$O_x = \{(1,0,0,1,0), (0,1,0,0,1), (1,0,1,0,0), (0,1,0,1,0), (0,0,1,0,1)\}$ and
$O_y = \{(1,0,0,1,1), (1,1,0,0,1), (1,1,1,0,0), (0,1,1,1,0), (0,0,1,1,1)\}$.
Here, for each $x' \in O_x$, there is a unique $y' \in O_y$ such that $WS(x') \subset WS(y')$. Therefore, by Theorem 3, the function
$$R_n(X) = \begin{cases} G_n(X) \oplus 1, & \text{if } X \in O_x \cup O_y, \\ G_n(X), & \text{elsewhere,} \end{cases}$$
is a 5-variable RSBF with maximum AI, which is 3.
It is known [11] that for an $n$ (odd) variable Boolean function $f$ with maximum AI, we have $nl(f) \geq 2^{n-1} - \binom{n-1}{\lfloor n/2 \rfloor}$. Therefore the nonlinearity of the function $R_n$ will be at least $2^{n-1} - \binom{n-1}{\lfloor n/2 \rfloor}$. Let us now examine the exact nonlinearity of $R_n$.

Theorem 4. The nonlinearity of the function $R_n$ is $2^{n-1} - \binom{n-1}{\lfloor n/2 \rfloor} + 2$.

Proof. As per the assumptions of Construction 1, $n \geq 5$ and it is odd; and the weights of the orbits $O_x$ and $O_y$ are respectively $\lfloor n/2 \rfloor$ and $\lceil n/2 \rceil$. Now $G_n$ being a symmetric function, it is also an RSBF. So $R_n$ can be viewed as a function which is obtained by toggling the outputs of the RSBF $G_n$ corresponding to the orbits $O_x$ and $O_y$. From [6], we know that $nl(G_n) = 2^{n-1} - \binom{n-1}{\lfloor n/2 \rfloor}$. Also it is known that the maximum absolute Walsh spectrum value of $G_n$, i.e., $2\binom{n-1}{\lfloor n/2 \rfloor}$, occurs at the inputs corresponding to the orbits of weight 1 and $n$. We denote an element of $V_n$ by $\Lambda^n$. Note that when $wt(\Lambda^n) = n$, the value of $W_{G_n}(\Lambda^n)$ is $-2\binom{n-1}{\lfloor n/2 \rfloor}$ or $2\binom{n-1}{\lfloor n/2 \rfloor}$ according as $\lfloor n/2 \rfloor$ is even or odd, and for $wt(\Lambda^n) = 1$, $W_{G_n}(\Lambda^n) = -2\binom{n-1}{\lfloor n/2 \rfloor}$.
Let us first find the relation between the values of $W_{R_n}(\Lambda^n)$ and $W_{G_n}(\Lambda^n)$.
$$\begin{aligned}
W_{R_n}(\Lambda^n) &= \sum_{\zeta \in V_n \setminus \{O_x \cup O_y\}} (-1)^{R_n(\zeta)} (-1)^{\zeta \cdot \Lambda^n} + \sum_{\zeta \in O_x} (-1)^{R_n(\zeta)} (-1)^{\zeta \cdot \Lambda^n} + \sum_{\zeta \in O_y} (-1)^{R_n(\zeta)} (-1)^{\zeta \cdot \Lambda^n} \\
&= \sum_{\zeta \in V_n \setminus \{O_x \cup O_y\}} (-1)^{G_n(\zeta)} (-1)^{\zeta \cdot \Lambda^n} + \sum_{\zeta \in O_x} (-1)^{1 \oplus G_n(\zeta)} (-1)^{\zeta \cdot \Lambda^n} + \sum_{\zeta \in O_y} (-1)^{1 \oplus G_n(\zeta)} (-1)^{\zeta \cdot \Lambda^n} \\
&= \sum_{\zeta \in V_n \setminus \{O_x \cup O_y\}} (-1)^{G_n(\zeta)} (-1)^{\zeta \cdot \Lambda^n} - \sum_{\zeta \in O_x} (-1)^{G_n(\zeta)} (-1)^{\zeta \cdot \Lambda^n} - \sum_{\zeta \in O_y} (-1)^{G_n(\zeta)} (-1)^{\zeta \cdot \Lambda^n} \\
&= \sum_{\zeta \in V_n} (-1)^{G_n(\zeta)} (-1)^{\zeta \cdot \Lambda^n} - 2 \sum_{\zeta \in O_x} (-1)^{1} (-1)^{\zeta \cdot \Lambda^n} - 2 \sum_{\zeta \in O_y} (-1)^{0} (-1)^{\zeta \cdot \Lambda^n} \\
&= W_{G_n}(\Lambda^n) + 2 \sum_{\zeta \in O_x} (-1)^{\zeta \cdot \Lambda^n} - 2 \sum_{\zeta \in O_y} (-1)^{\zeta \cdot \Lambda^n}. \qquad (3)
\end{aligned}$$
Consider that $wt(\Lambda^n) = 1$. It can be proved that for any two orbits $O_\mu$ and $O_\nu$ of weight $\lfloor n/2 \rfloor$ and $\lceil n/2 \rceil$ respectively, $\sum_{\zeta \in O_\mu} (-1)^{\zeta \cdot \Lambda^n} = 1$ and $\sum_{\zeta \in O_\nu} (-1)^{\zeta \cdot \Lambda^n} = -1$ (each such orbit has $n$ elements, and the coordinate selected by $\Lambda^n$ equals $1$ in exactly $wt(\mu)$, respectively $wt(\nu)$, of them, so the sums are $n - 2\lfloor n/2 \rfloor$ and $n - 2\lceil n/2 \rceil$). Thus $\sum_{\zeta \in O_x} (-1)^{\zeta \cdot \Lambda^n} = 1$ and $\sum_{\zeta \in O_y} (-1)^{\zeta \cdot \Lambda^n} = -1$. Therefore from Equation (3) we get $W_{R_n}(\Lambda^n) = -2\binom{n-1}{\lfloor n/2 \rfloor} + 4$.
Let us now check the Walsh spectrum value $W_{R_n}(\Lambda^n)$ for $wt(\Lambda^n) = n$. We do it in the following two cases.
CASE I: $\lfloor n/2 \rfloor$ is even. We have $\sum_{\zeta \in O_x} (-1)^{\zeta \cdot \Lambda^n} = |O_x| = n$, since $\zeta \cdot \Lambda^n = \lfloor n/2 \rfloor$, which is even. Again for $\zeta \in O_y$ we have $\zeta \cdot \Lambda^n = \lceil n/2 \rceil$, which is odd, so $\sum_{\zeta \in O_y} (-1)^{\zeta \cdot \Lambda^n} = -|O_y| = -n$. Therefore from Equation (3), we get $W_{R_n}(\Lambda^n) = -2\binom{n-1}{\lfloor n/2 \rfloor} + 2n + 2n = -2\binom{n-1}{\lfloor n/2 \rfloor} + 4n$.
CASE II: $\lfloor n/2 \rfloor$ is odd. Using the same argument as in the previous case, we can show that $\sum_{\zeta \in O_x} (-1)^{\zeta \cdot \Lambda^n} = -n$ and $\sum_{\zeta \in O_y} (-1)^{\zeta \cdot \Lambda^n} = n$. Therefore from Equation (3), we get $W_{R_n}(\Lambda^n) = 2\binom{n-1}{\lfloor n/2 \rfloor} - 2n - 2n = 2\binom{n-1}{\lfloor n/2 \rfloor} - 4n$.
Note that $2\binom{n-1}{\lfloor n/2 \rfloor} > 4n$, except for the case $n = 5$. Therefore for both of the cases and for $n \geq 7$, $|W_{R_n}(\Lambda^n)| = 2\binom{n-1}{\lfloor n/2 \rfloor} - 4n$. Also $2\binom{n-1}{\lfloor n/2 \rfloor} - 4n < 2\binom{n-1}{\lfloor n/2 \rfloor} - 4$ for $n \geq 7$. This implies that $|W_{R_n}(\Lambda^n)| \leq |W_{R_n}(\Delta^n)|$ for $n \geq 7$, where $\Delta^n \in V_n$ is an input of weight 1. For $n = 5$, $2\binom{n-1}{\lfloor n/2 \rfloor} = 12$ and thus $|W_{R_n}(\Lambda^n)| = 8 = |W_{R_n}(\Delta^n)|$. Therefore, $|W_{R_n}(\Lambda^n)| \leq |W_{R_n}(\Delta^n)|$ for all $n \geq 5$.

Let us check the Walsh spectrum values of $R_n$ at the other inputs, i.e., except the inputs of weight 1 and $n$. For $n \geq 7$, the second maximum absolute value in the Walsh spectrum of $G_n$ occurs at the inputs of weight 3 and $n - 2$. The absolute value at a weight-3 input is
$$C = 2\left|\binom{n-3}{\frac{n-1}{2}} - 2\binom{n-3}{\frac{n-1}{2} - 1} + \binom{n-3}{\frac{n-1}{2} - 2}\right|,$$
whereas at an input of weight $n - 2$ the value is the same as at a weight-3 input when $\lfloor n/2 \rfloor$ is even and its negative when $\lfloor n/2 \rfloor$ is odd. Equation (3) implies that when $wt(\Lambda^n) = 3$ or $n - 2$, $|W_{R_n}(\Lambda^n)|$ can attain a value of at most $|W_{G_n}(\Lambda^n)| + 4n$, i.e., $C + 4n$. But it is clear that $C + 4n \leq 2\binom{n-1}{\lfloor n/2 \rfloor} - 4 = |W_{R_n}(\Delta^n)|$ for $n \geq 7$ (with equality for $n = 7$), and the same bound holds at the remaining weights, where $|W_{G_n}(\Lambda^n)| \leq C$.
For $n = 5$, it can be verified that for any choice of a pair of orbits $O_x$ and $O_y$ allowed by Construction 1, the absolute Walsh spectrum values of $R_n$ at the inputs of weight 2, 3 and 4 do not exceed $8 = |W_{R_n}(\Delta^n)|$.
Therefore, for all $n \geq 5$, the maximum absolute Walsh spectrum value of $R_n$ is $2\binom{n-1}{\lfloor n/2 \rfloor} - 4$. Hence, $nl(R_n) = 2^{n-1} - \binom{n-1}{\lfloor n/2 \rfloor} + 2$. $\square$

2 2

4 Generalization of Construction 1

Construction 2. Take orbits $O_{z_1}, \ldots, O_{z_k}$ with $G_n(z_i) = 1$ for $z_i \in V_n$, $1 \leq i \leq k$, and $O_{w_1}, \ldots, O_{w_l}$ with $G_n(w_i) = 0$ for $w_i \in V_n$, $1 \leq i \leq l$. Assume that
1. $\sum_{t=1}^{k} |O_{z_t}| = \sum_{t=1}^{l} |O_{w_t}|$;
2. for each $x' \in \bigcup_{t=1}^{k} O_{z_t}$ there is a unique $y' \in \bigcup_{t=1}^{l} O_{w_t}$ such that $WS(x') \subset WS(y')$;
3. $\sum_{t=0}^{\lfloor n/2 \rfloor - wt(x')} \binom{wt(y') - wt(x')}{t}$ is odd for any $x' \in \bigcup_{t=1}^{k} O_{z_t}$ and the corresponding $y' \in \bigcup_{t=1}^{l} O_{w_t}$ with $WS(x') \subset WS(y')$.
Then construct
$$R_n(X) = \begin{cases} G_n(X) \oplus 1, & \text{if } X \in \{\bigcup_{t=1}^{k} O_{z_t}\} \cup \{\bigcup_{t=1}^{l} O_{w_t}\}, \\ G_n(X), & \text{elsewhere.} \end{cases}$$

Theorem 5. The function $R_n$ is an $n$-variable RSBF with maximum AI.

Proof. Following the same argument as used in Theorem 3, we can prove that $W_{|\bigcup_{t=1}^{k} O_{z_t}| \times |\bigcup_{t=1}^{l} O_{w_t}|}$ is, after reordering, a diagonal matrix whose diagonal elements are all equal to 1, i.e., it is nonsingular. Hence the proof. $\square$


Example 2. Take $n = 7$. Consider $z_1 = (0, 0, 0, 1, 1, 0, 1)$, $z_2 = (0, 0, 1, 0, 1, 0, 1)$ and $w_1 = (0, 0, 0, 1, 1, 1, 1)$, $w_2 = (0, 0, 1, 0, 1, 1, 1)$ and generate the orbits
$O_{z_1} = \{(0,0,0,1,1,0,1), (0,0,1,1,0,1,0), (0,1,1,0,1,0,0), (1,1,0,1,0,0,0), (1,0,1,0,0,0,1), (0,1,0,0,0,1,1), (1,0,0,0,1,1,0)\}$;
$O_{z_2} = \{(0,0,1,0,1,0,1), (0,1,0,1,0,1,0), (1,0,1,0,1,0,0), (0,1,0,1,0,0,1), (1,0,1,0,0,1,0), (0,1,0,0,1,0,1), (1,0,0,1,0,1,0)\}$;
$O_{w_1} = \{(0,0,0,1,1,1,1), (0,0,1,1,1,1,0), (0,1,1,1,1,0,0), (1,1,1,1,0,0,0), (1,1,1,0,0,0,1), (1,1,0,0,0,1,1), (1,0,0,0,1,1,1)\}$;
$O_{w_2} = \{(0,0,1,0,1,1,1), (0,1,0,1,1,1,0), (1,0,1,1,1,0,0), (0,1,1,1,0,0,1), (1,1,1,0,0,1,0), (1,1,0,0,1,0,1), (1,0,0,1,0,1,1)\}$.
Here for each $x' \in O_{z_1} \cup O_{z_2}$, there exists a unique $y' \in O_{w_1} \cup O_{w_2}$ such that $WS(x') \subset WS(y')$, and $\sum_{t=0}^{\lfloor n/2 \rfloor - wt(x')} \binom{wt(y') - wt(x')}{t}$ is odd. Then construct
$$R_n(X) = \begin{cases} G_n(X) \oplus 1, & \text{if } X \in \{O_{z_1} \cup O_{z_2}\} \cup \{O_{w_1} \cup O_{w_2}\}, \\ G_n(X), & \text{elsewhere.} \end{cases}$$
Then by Theorem 5, $R_n$ is a 7-variable RSBF with maximum AI, which is 4.



Since in Construction 2 the outputs of $G_n$ are toggled at more inputs, one can expect better nonlinearity than from Construction 1.
For 7-variable functions with maximum AI 3, the lower bound on nonlinear-
ity is 44 [11] and that is exactly achieved in the existing theoretical construc-
tion [4,6]. Our Construction 1 provides the nonlinearity 46. Further we used
Construction 2 to get all possible functions Rn and they provide the nonlinear-
ity 48.

4.1 Further Generalization


Construction 3. Take n ≥ 5 and odd. Consider the orbits $O_{z_1}, \ldots, O_{z_k}$ and $O_{w_1}, \ldots, O_{w_k}$ such that the sub matrix $W_{|\cup_{t=0}^{k} O_{z_t}| \times |\cup_{t=0}^{l} O_{w_t}|}$ is nonsingular. Then construct,

$$R_n(X) = \begin{cases} G_n(X) \oplus 1, & \text{if } X \in \{\cup_{t=0}^{k} O_{z_t}\} \cup \{\cup_{t=0}^{l} O_{w_t}\} \\ G_n(X), & \text{elsewhere.} \end{cases}$$

Clearly, the function Rn is an n-variable RSBF with maximum AI. Construction
3 will provide all the RSBFs with maximum AI. In this case we need a heuristic to
search through the space of RSBFs with maximum AI as the exhaustive search
may not be possible as number of input variables n increases. One may note
that it is possible to use these techniques to search through the space of general
Boolean functions, but that space is much larger ($2^{2^n}$) compared to the space
of RSBFs ($\approx 2^{2^n/n}$) and getting high nonlinearity after a small amount of search
using a heuristic is not expected. We present a simple form of heuristic as follows
that we run for several iterations.
1. Start with an RSBF n having maximum AI using Construction 1.
2. Choose two orbits of same sizes having different output values and toggle
the outputs corresponding to both the orbits (this is to keep the function
balanced).
3. If the modified function is of maximum AI and having better nonlinearity
than the previous ones, then we store that as the best function.
By this heuristic, we achieve 7, 9, 11 variable RSBFs with maximum possible AI
having nonlinearities 56, 240, 984 respectively with very small amount of search.
Note that these nonlinearities are either equal or close to $2^{n-1} - 2^{\frac{n-1}{2}}$.
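As an added worked example (not code from the paper), the script below checks the three hypotheses of Construction 2 on the orbits of Example 2, builds $R_7$ by toggling on those orbits, and runs the orbit-swap heuristic of Section 4.1 with a GF(2)-rank test for maximum algebraic immunity and a Walsh-spectrum nonlinearity. The paper's $G_n$ is defined in an earlier section not reproduced here; the function g_stand_in (1 exactly when wt(x) ≤ (n−1)/2, so it is 1 on the weight-3 z's and 0 on the weight-4 w's) is an assumed stand-in for it, and the heuristic's seed and iteration count are my choices.

```python
import random
from itertools import combinations
from math import comb

def bits(v, n):        # truth-table position v -> n-tuple of bits, most significant first
    return tuple((v >> (n - 1 - i)) & 1 for i in range(n))

def index(x):          # inverse of bits()
    return int("".join(map(str, x)), 2)

def orbit(x):          # all cyclic rotations of x; an RSBF is constant on each orbit
    return {x[k:] + x[:k] for k in range(len(x))}

def support(x):        # WS(x), the positions where x is 1; wt(x) == len(support(x))
    return {i for i, b in enumerate(x) if b}

def check_construction2(zs, ws, n):
    """Hypotheses 1-3 of Construction 2 for orbit representatives zs (G_n = 1) and ws (G_n = 0).
    Returns (cond1, cond2, cond3, Z, W) with Z, W the unions of the two families of orbits."""
    Z = set().union(*(orbit(z) for z in zs))
    W = set().union(*(orbit(w) for w in ws))
    cond1 = len(Z) == len(W)                # 1: equal total orbit sizes
    cond2 = cond3 = True
    for x in Z:
        sup = [y for y in W if support(x) < support(y)]
        cond2 &= len(sup) == 1              # 2: unique y' with WS(x') a proper subset of WS(y')
        for y in sup:                       # 3: sum_{t=0}^{floor(n/2)-wt(x')} C(wt(y')-wt(x'), t) odd
            k, m = len(support(x)), len(support(y))
            cond3 &= sum(comb(m - k, t) for t in range(n // 2 - k + 1)) % 2 == 1
    return cond1, cond2, cond3, Z, W

def toggle_on(tt, points):
    """R_n = G_n xor 1 on the given inputs and G_n elsewhere (the construction step)."""
    out = list(tt)
    for x in points:
        out[index(x)] ^= 1
    return out

def nonlinearity(tt):
    """nl(f) = 2^(n-1) - max|W_f(a)|/2, W_f from a fast Walsh-Hadamard transform of (-1)^f."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return (len(tt) - max(abs(v) for v in w)) // 2

def gf2_rank(rows):    # rank over GF(2) of bit-vector rows (Python ints), by xor-basis reduction
    basis = []
    for r in rows:
        for b in basis:
            r = min(r, r ^ b)
        if r:
            basis.append(r)
    return len(basis)

def has_max_ai(tt, n):
    """AI is maximal (= ceil(n/2)) iff neither f nor f xor 1 has a nonzero annihilator of degree
    <= ceil(n/2) - 1, i.e. the monomial-evaluation matrix on supp(f) has full column rank."""
    d = (n + 1) // 2 - 1
    monos = [s for k in range(d + 1) for s in combinations(range(n), k)]
    def row(v):                             # bitmask of the monomials of degree <= d that are 1 at v
        x = bits(v, n)
        return sum(1 << j for j, m in enumerate(monos) if all(x[i] for i in m))
    for f in (tt, [1 - b for b in tt]):
        if gf2_rank([row(v) for v, b in enumerate(f) if b]) < len(monos):
            return False
    return True

def orbit_search(tt, n, iterations, seed=1):
    """Steps 2-3 of the heuristic of Section 4.1: toggle two equal-size orbits with different outputs
    (keeps the function balanced); keep the result if it still has maximum AI and better nl."""
    rng = random.Random(seed)
    orbs = list({min(o): sorted(o) for o in
                 ({index(y) for y in orbit(bits(v, n))} for v in range(2 ** n))}.values())
    best, best_nl = list(tt), nonlinearity(tt)
    for _ in range(iterations):
        a, b = rng.sample(orbs, 2)
        if len(a) != len(b) or best[a[0]] == best[b[0]]:
            continue
        cand = list(best)
        for v in a + b:
            cand[v] ^= 1
        if has_max_ai(cand, n) and nonlinearity(cand) > best_nl:
            best, best_nl = cand, nonlinearity(cand)
    return best, best_nl

def g_stand_in(n):
    """ASSUMPTION: stand-in for the paper's G_n (defined in an earlier section, not reproduced):
    G(x) = 1 iff wt(x) <= (n-1)/2, so G = 1 on the weight-3 z's and 0 on the weight-4 w's."""
    return [1 if sum(bits(v, n)) <= (n - 1) // 2 else 0 for v in range(2 ** n)]

if __name__ == "__main__":
    zs, ws = [(0, 0, 0, 1, 1, 0, 1), (0, 0, 1, 0, 1, 0, 1)], [(0, 0, 0, 1, 1, 1, 1), (0, 0, 1, 0, 1, 1, 1)]
    c1, c2, c3, Z, W = check_construction2(zs, ws, 7)       # Example 2's orbits
    R = toggle_on(g_stand_in(7), Z | W)
    print(c1, c2, c3, "nl(R_7) =", nonlinearity(R), "max AI:", has_max_ai(R, 7),
          "heuristic best nl =", orbit_search(g_stand_in(7), 7, 100)[1])
```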

5 Conclusion
In this paper, we present the construction (Construction 1) of Rotation Sym-
metric Boolean functions on n ≥ 5 (odd) variables with maximum possible
algebraic immunity. We determine the nonlinearity of the RSBFs constructed in
Construction 1 and find that the nonlinearity is 2 more than the lower bound
of nonlinearity of n (odd) variable Boolean functions with maximum algebraic
immunity. Prior to our construction, the existing theoretical constructions could

achieve only the lower bound. We also included a small amount of search with the construction method to get RSBFs having maximum possible AI and very high nonlinearity. With minor modifications, our method will work for RSBFs on an even number of variables. This will be available in the full version of this paper.

References
1. Armknecht, F., Carlet, C., Gaborit, P., Kuenzli, S., Meier, W., Ruatta, O.: Efficient
computation of algebraic immunity for algebraic and fast algebraic attacks. In:
Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, Springer, Heidelberg
(2006)
2. Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feed-
back. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359.
Springer, Heidelberg (2003)
3. Dalai, D.K., Gupta, K.C., Maitra, S.: Results on Algebraic Immunity for Crypto-
graphically Significant Boolean Functions. In: Canteaut, A., Viswanathan, K. (eds.)
INDOCRYPT 2004. LNCS, vol. 3348, pp. 92–106. Springer, Heidelberg (2004)
4. Dalai, D.K., Gupta, K.C., Maitra, S.: Cryptographically Significant Boolean func-
tions: Construction and Analysis in terms of Algebraic Immunity. In: Gilbert, H.,
Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 98–111. Springer, Heidelberg
(2005)
5. Dalai, D.K., Maitra, S.: Reducing the Number of Homogeneous Linear Equations
in Finding Annihilators. In: Gong, G., Helleseth, T., Song, H.-Y., Yang, K. (eds.)
SETA 2006. LNCS, vol. 4086, pp. 376–390. Springer, Heidelberg (2006)
6. Dalai, D.K., Maitra, S., Sarkar, S.: Basic Theory in Construction of Boolean Func-
tions with Maximum Possible Annihilator Immunity. Designs, Codes and Cryptography 40(1), 41–58 (2006)
7. Kavut, S., Maitra, S., Sarkar, S., Yücel, M.D.: Enumeration of 9-variable Rotation
Symmetric Boolean Functions Having Nonlinearity > 240. In: Barua, R., Lange,
T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 266–279. Springer, Heidelberg
(2006)
8. Kurosh, A.G.: Theory of Groups. Chelsea Publishing Co., New York (1955)
9. Li, N., Qi, W.F.: Construction and Analysis of Boolean Functions of 2t+1 Variables
With Maximum Algebraic Immunity. In: Lai, X., Chen, K. (eds.) ASIACRYPT
2006. LNCS, vol. 4284, pp. 84–98. Springer, Heidelberg (2006)
10. Li, N., Qi, W.F.: Symmetric Boolean functions Depending on an Odd Number of
Variables with Maximum Algebraic Immunity. IEEE Trans. Inform. Theory 52(5),
2271–2273 (2006)
11. Lobanov, M.: Tight Bound Between Nonlinearity and Algebraic Immunity. Cryp-
tology ePrint Archive no. 2005/441 (2005)
12. Stănică, P., Maitra, S.: Rotation Symmetric Boolean Functions – Count and Cryp-
tographic Properties. Discrete Applied Mathematics (to be published),
http://dx.doi.org/10.1016/j.dam.2007.04.029
13. Qu, L., Li, C., Feng, K.: A Note on Symmetric Boolean Functions with Maxi-
mum Algebraic Immunity in Odd Number of Variables. IEEE Trans. Inform. The-
ory 53(8), 2908–2910 (2007)
A Path to Hadamard Matrices

P. Embury and A. Rao

School of Mathematics and Geospatial Sciences, RMIT University, Melbourne, Australia
[email protected], [email protected]

Abstract. There are characteristics of Hadamard matrices that enable an exhaustive search using algorithmic techniques. The search derives primarily from the eigenvalues which are constant after the Hadamard matrix is multiplied by its transpose. Generally this would be a performance concern but there are additional properties that enable the eigenvalues to be predicted. Here an algorithm is given to obtain a Hadamard matrix from a matrix of 1s using optimisation techniques on a row-by-row basis.

Keywords: Hadamard Matrices, eigen values, optimization.

1 Introduction
Hadamard Matrices are named after Jacques Hadamard (1865-1963) and are square matrices of order 1, 2, 4n, n = 1 . . . ∞, whose entries are on the unit circle, and whose rows are all orthogonal to each other. That is,

$$H_n H_n^T = nI \qquad (1)$$

where n is the order of the matrix.
Hadamard Matrices currently are found using construction techniques which have been generally classified [3] as recursion theorems, "plug-in" methods or direct constructions. These are summarised in the following table:

Multiplicative or Recursive Techniques: Any Kronecker product of existing Hadamard matrices is itself a Hadamard matrix.
"Plug-in" methods: Named after James Sylvester, this is the earliest (1863) and simplest construction and is also based on the Kronecker product.
Direct Constructions: The Paley HMs are two constructions found using quadratic residues in a finite field.
Williamson: Also a "plug-in" algorithm where the HM is constructed from an existing HM plus 3 other HMs that satisfy specific conditions.

Full details of the construction methods mentioned above can be found in [3]
while other methods can be found in [8] and are not included here. The important

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 281–290, 2007.
© Springer-Verlag Berlin Heidelberg 2007

aspect is that using any of the methods above, not all orders of Hadamard
matrices have been verified that they can be created since they are constructed
from matrices of lower orders. This is the long (since 1893) unsolved Hadamard
conjecture. In addition, the nature of equivalence is not fully understood and
only orders up to 28 have been fully explored, which has a known 427 equivalence
classes.
Hadamard matrices are formed into equivalence classes where they are deemed
to be equivalent if the following operations are performed on them to arrive at
the same matrix:

1. Any permutation of the existing rows and/or permutation of the columns
2. The multiplication of row(s) or column(s) by -1.

More recently [6] has defined Q-classes to enable more manageable categorisa-
tion of the equivalence classes by “extracting” common sub-matrices or substruc-
tures of Hadamard matrices and classifying those matrices with these common
sub-matrices as Q-equivalent.

2 Background
Instead of relying on construction techniques to construct, and sheer brute force
to test for, Hadamard matrices, there are characteristics that enable Hadamard
matrices be searched for using optimisation methods [4,7]. These characteristics
also provide clues to the nature of Hadamard equivalence classes.
There are two properties of matrices that offer the opportunity to search
for the existence of Hadamard matrices using optimisation techniques: the de-
terminant and the eigenvectors and eigenvalues. These are, of course related
measures.
The determinant for a Hadamard matrix is given by

$$\det H = \pm n^{n/2}. \qquad (2)$$

But one of the drawbacks in using the determinant is that it has sharp peaks
and exhibits properties analogous to the Hamming cliffs encountered when using
optimisation methods with binary strings as distinct from gray encoded strings.
This primarily arises from the fact that the determinant is 0 when it becomes
singular which can occur as soon as one row becomes identical to another. Also,
there are multiple matrices that have the same determinant with little or no
indication as to the direction a search could or should progress.
The eigenvectors of a Hadamard matrix all lie on the unit circle and the
absolute value of the eigenvalues are constant and equal to n, where n is the
order of the Hadamard matrix. Since the eigenvectors can be complex and half
the eigenvalues are negative, it is easier to consider the RHS of (1) and the effects
on it when looking at the optimisation path.
The question that arises is: what is the sensitivity of the eigenvalues to errors
that would enable its use in optimisation?

It will be shown that the variance of the eigenvalues (EVV) of the RHS of (1)
can provide a suitable optimisation path since:

1. The intra-row errors describe an EVV path that is represented by the parabolic equation:

$$8x\left(1 - \frac{x}{N}\right) \qquad (3)$$

where x is the number of cells within a row that are inverted and N is the order of the matrix. The variance of the eigenvalues is calculated as:

$$EVV = \frac{\sum_{i=1}^{n} (\lambda_i - E\lambda)^2}{n} \qquad (4)$$

Note: Eλ = n

2. The inter-row errors are described by the recursive equation:

$$EVV_x = \frac{y(y-1)}{2}\, M \qquad (5)$$

where y is the number of non-orthogonal rows and M is the maximum EVV for each row which occurs where x = N/2. Eg, for order 8, M = 16 and EVV for an entire order 8 matrix of ones = 448.

This information can be used to devise an optimisation path to a Hadamard matrix from a unit matrix since at any stage it is known how many steps a non-Hadamard matrix is from a Hadamard matrix.
It is inescapable that any algorithm that actually uses eigenvalues is not going
to be very efficient. Hence there needs to be an improvement to any algorithm
that does use the eigenvalues method that enables the eigenvalues to be pre-
dicted. Fortunately, for row-by-row optimisation, there are two criteria or tests
that can be used to assist. This will be developed in the next section.

3 The Search for a Path

Consider the normalised Hadamard matrix $H_4$ of order 4 given by

$$H_4 = \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$$

and the Hadamard matrix of order 8, $H_8$, given by:

$$\begin{pmatrix} H_4 & H_4 \\ H_4 & -H_4 \end{pmatrix}$$

As successive errors are introduced to a row, the eigenvalues (of the RHS of
(1)) are affected according to the following tables and the variance follows an
inverted parabolic path.

Number of cells inverted   0   1        2   3        4
Eigenvalues                4   0.5359   0   0.5359   4
                           4   4        4   4        4
                           4   4        4   4        4
                           4   7.4641   8   7.4641   4
Variance (EVV)             0   6        8   6        0

Number of cells inverted   0   1         2         3         4    5         6         7         8
Eigenvalues                8   2.7085    1.0718    .2540     0    .2540     1.0718    2.7085    8
                           8   8         8         8         8    8         8         8         8
                           8   8         8         8         8    8         8         8         8
                           8   8         8         8         8    8         8         8         8
                           8   8         8         8         8    8         8         8         8
                           8   8         8         8         8    8         8         8         8
                           8   8         8         8         8    8         8         8         8
                           8   13.2915   14.9282   15.7460   16   15.7460   14.9282   13.2915   8
Variance (EVV)             0   7         12        15        16   15        12        7         0

By the time all the entries in a row are inverted we have arrived at another (but
equivalent) Hadamard matrix. Not only do the eigenvalues follow a predicable
path, there is an indication of the number of rows that are not orthogonal to
each other.

Fig. 1. Orders 4, 8 and 12 EVV as successive cells are inverted

What if there are errors in more than one row? In a simple situation where
there is a single error in another row, and the particular column entries of the
two rows have the same sign, then the errors aggregate, not only in that column,
but also in other columns that have the same sign. When the column entries
have opposite signs, they tend to compensate. (Figure 2)
But it is not so simple and with multiple errors, the situation needs to be
viewed of sub-matrices of order 2 that include the respective rows. The EVV
induced by errors on odd-weighted sub-matrices is double that of even weighted
sub-matrices.
What if we overwrite two rows with ones within a Hadamard matrix (besides
the first row)? Three rows, four rows....? What is the total EVV that can be
found for a matrix consisting only of +1 in a matrix of a given order? The
results are in the following table for those of order 8.
The total EVV of a square matrix of ones (eg for order 8 is 448), which is the furthest a matrix can digress from Hadamard, can be broken down and it is possible to determine how many rows are not orthogonal to each other. In other words, every Hadamard matrix of any order must comply with (5) since replacing successive rows will automatically induce a known level of EVV until it reaches a maximum.

Fig. 2. Order 8 with same sign and opposite sign in another row as successive cells are inverted

Rows Non-orthogonal   EVV
1                     0
2                     16
3                     48
4                     96
5                     160
6                     240
7                     336
8                     448

Fig. 3. Successive EVV as more rows non-orthogonal

Putting the aforementioned characteristics into practice can be investigated in two separate ways.

1. The first method is to consider the matrix as a whole and successively test
individual cells as to the effect on the EVV. In other words, each cell has
a marginal contribution to the total EVV of the matrix. At each iteration,
the entire matrix can be searched for the cell that when inverted, gives the
greatest reduction in EVV, and then invert that cell. This will not always
give a complete path to a Hadamard matrix since there are other criteria
elaborated below that also need to be satisfied. Also, given that the eigenval-
ues are continually being calculated, this method is only suitable for matrices
of smaller orders.
2. A second method is to optimise to a Hadamard matrix from a matrix of
ones row-by-row. Exactly the opposite to successively substituting rows of a
Hadamard matrix by rows of ones. The objective is to find which combination
of cells within each row needs to be inverted to fit the expected EVV from (5).

By way of an example for the second method, start with a matrix of ones of the desired order, say 8. (Assume the matrix will be normalised whereby there will be exactly 4 -1's in every row or column except the first row and column which will be all 1's.)

1. Start with a matrix of ones.
2. Leave the first row and fill half the second row with -1s. Leave the first column so that normalisation is maintained.
3. Calculate the "Expected EVV" contributed by this row. That is, if this row is orthogonal to all the preceding rows, what is the EVV by all the subsequent rows. For the fourth row this is (using (3) where N = 8 and x = 4 and then (5) where y = 5): 5 ∗ 4/2 ∗ 16 = 160.
4. Determine all the combinations of columns 2. . . 8 in groups of 4 and calculate the new EVV if they were chosen. If the EVV matches the Expected EVV, then this combination forms part of a Hadamard matrix. Use it and move onto the next row. It needs to be borne in mind that there are

$$\binom{N-1}{n/2}$$

possible combinations for each row.

Working through an example, in figure 4 we have the situation where rows 1, 2 and 3 are complete. To assist in clarification the terminology has been changed and we will for the purposes of this example use '.' for a 1 and an X for -1. Any new row will require the resultant matrix to have an EVV of 160 (using (5)).

. . . . . . . .
. . . . X X X X
. X X . X X . .
. . . . . . . .
. . .
0 1 1 0 2 2 1 1   (column weights)

Fig. 4. 3 Completed Rows

Note that the last row in the table is the sum of the “weights” or number of
X s already in each of the columns.
Any of the 8 rows in figure 5 are valid possible insertions for the fourth row
since if they are inserted, the resultant EVV is 160 and each row has exactly 2
columns that match the -1s already in rows 2 and 3. Only one of these does not
include column 4 which stands to reason since there is only one way of matching
up exactly two columns with the existing rows 2 & 3. (Also note that this row
is the difference between rows 2 and 3. This characteristic may offer a method
of taking shortcuts in the algorithm or possibly lead to clues about the nature
of equivalence.)


. X X . . . X X
. X . X X . X .
. X . X X . . X
. X . X . X X .
. . X X X . X .
. . X X X . . X
. . X X . X X .
. . X X . X . X

Fig. 5. Possibilities for row 4

Now compare these rows with rows in figure 6 which will be rejected because
they do not have the desired EVV (These are only 6 out of the possible 26.)

Rows               EVV   Row 2 Corr.   Row 3 Corr.
. X X X . . X .    164   1             2
. . . X X X . X    164   2             3
. X X X X . . .    168   1             3
. . X . X X . X    168   3             3
. X X . X X . .    176   4             0
. . . . X X X X    176   0             4

Fig. 6. Rejected Rows

The EVV column displays the resultant EVV of the matrix should that row
be used as the new row 4. The last two columns show the difference between the
candidate new row and the pre-existing rows 2 and 3 respectively. The last two
candidate rows are the same as the rows already inserted and hence should be
immediately rejected.
The important thing to note is that all the rows that result in the desired EVV of 160 have exactly n/4 matches between itself and all previous rows (not including the first row). In other words, for every possible column permutation for the next particular row, if there aren't n/4 matches then the combination can be rejected immediately.
The other noticeable facet concerns the number of all the Xs (see the bottom row of figure 4) or weights of the columns. Each successful combination or candidate row satisfies:

$$\sum Weights = (row - 2)\,\frac{n}{4} \qquad (6)$$

This is another rule that can be used to fine-tune the algorithm. For example, the first successful candidate row tells us to insert Xs in columns 2, 3, 7 and 8. These four columns have weights (from figure (4)) of

$$1 + 1 + 1 + 1 = 4 = (4 - 2)\,\frac{8}{4} \qquad (7)$$

If we assume that the second candidate row is selected (from figure 5) for row
4, what are the circumstances for the next iteration?
Figure 7 has the starting position and figure 8 has the new possible rows for
row 5 (there are only 4 possibilities).

. . . . . . . .
. . . . X X X X
. X X . X X . .
. X . X X . X .
. . . . . . . .
. . .
0 2 1 1 3 2 2 1   (column weights)

Fig. 7. 4 Completed Rows and new column weights

Rows               EVV   Row 2 Corr.   Row 3 Corr.   Row 4 Corr.
. X X . . . X X    96    2             2             2
. X . X . X . X    96    2             2             2
. . X X X . . X    96    2             2             2
. . X X . X X .    96    2             2             2

Fig. 8. Candidate Rows for Row 5

All these rows have:

– the new desired EVV of 96
– exactly 2 matches with every row preceding it except row 1
– the sum of column weights = 6 which satisfies (5)

In summary, there are 3 criteria to be satisfied for each row:

1. The desired EVV for each successive row needs to satisfy $EVV = \frac{x(x-1)}{2}\, M$ where M is the maximum EVV for each row which occurs where x = N/2.
2. Each new row must have n/4 matches of X with every preceding row
3. The weights of each column must satisfy $\sum Weights = (row - 2)\,\frac{n}{4}$

Criteria 1 & 2 are synonymous while criterion 3 forms a type of a classical subset-sum problem [2] where the count of the weights subset is known and there are possible multiple solutions. The solutions are not necessarily known to exist.

3.1 An Incomplete Path

This is an example of when these methods will not allow us to proceed on our search for a Hadamard matrix. The following situation arises at the start of optimising to an order 12 matrix. After 3 rows we may have the following order 12 matrix:
. . . . . . . . . . . .
. . . . . . X X X X X X
. X X X . . . . . X X X
. . . . . . . . . . . .
. . .

The following rows are all possible for the fourth row (there are others). . .

. X X X . . X X X . . .
. X X . X . X . . X X .
. X X . X . X . . X . X
. X X . X . . X . X X .

If the first row was selected then the situation could arise where we have. . .

. . . . . . . . . . . .
. . . . . . X X X X X X
. X X X . . . . . X X X
. X X X . . X X X . . .
. . . . . . . . . . . .
. . .

This is a situation which could occur but the problem is there is no further
step. The EVV given by (5) is an expected 864 which satisfies criterion 1. Crite-
rion 2 is satisfied since each row matches exactly 3 times against each previous
row. However, criterion 3 fails, since the weights all = 2, and the required weights
to proceed needs 6 columns to add up to 9 which is an impossibility.
In other words, an additional constraint is needed to ensure that the subse-
quent steps are valid which could lead to a large recursive tree for matrices of
larger orders. This particular problem is easily circumvented by not choosing
this particular row for row 4. This is the only exception encountered so far from
other simulations on orders 8, 12, 16, 20 and 24 by randomly selecting any of
the valid available rows.
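The row-by-row procedure, the three criteria and the order-12 dead end of Section 3.1, as an added worked example (not the authors' code): candidates enumerates the column sets that may fill the next row of a partially built normalised matrix, checking the EVV against (5), the n/4 X-matches (criterion 2) and the column-weight sum (6), and reproduces the figure 5, 6 and 8 values (nine valid sets for row 4: the eight of figure 5 plus . X . X . X . X, consistent with 26 rejected out of 35). The function evv computes the eigenvalue variance of M M^T without an eigensolver, using an identity added here, not taken from the paper: for a ±1 matrix the eigenvalues of A = M M^T have mean n and EVV = ||A||_F^2 / n − n^2, because Σλ_i = tr A = n^2 and Σλ_i^2 = tr A^2 = ||A||_F^2.

```python
from itertools import combinations

def evv(m):
    """Eigenvalue variance (4) of A = M M^T for a ±1 matrix M, without an eigensolver.
    Added identity, not from the paper: tr A = n^2 gives E[lambda] = n (as the paper notes)
    and sum(lambda_i^2) = tr(A^2) = ||A||_F^2, so EVV = ||A||_F^2 / n - n^2."""
    n = len(m)
    frob = 0
    for a in m:
        for b in m:
            frob += sum(x * y for x, y in zip(a, b)) ** 2
    return frob / n - n * n

def expected_evv(n, row):
    """Equation (5) for the state after rows 1..row are mutually orthogonal: y = n - row + 1
    rows (row 1 and the untouched rows of ones) are still non-orthogonal, and M is the
    maximum of (3), reached at x = N/2."""
    y, M = n - row + 1, 8 * (n // 2) * (1 - (n // 2) / n)
    return y * (y - 1) // 2 * M

def ones_matrix(n):
    return [[1] * n for _ in range(n)]

def with_row(m, row, x_cols):
    """Copy of m whose row `row` (1-indexed) holds -1 ('X') in the 1-indexed columns x_cols."""
    out = [r[:] for r in m]
    out[row - 1] = [-1 if c in x_cols else 1 for c in range(1, len(m) + 1)]
    return out

def invert_cells(m, row, cols):
    """Copy of m with the given cells of one row inverted (the single-row experiments)."""
    out = [r[:] for r in m]
    for c in cols:
        out[row - 1][c - 1] *= -1
    return out

def column_weights(m, upto_row):
    """Number of X's already placed in each column by rows 1..upto_row (bottom line of figure 4)."""
    return [sum(1 for r in m[:upto_row] if r[c] == -1) for c in range(len(m))]

def classify(m, row, cols):
    """For one candidate column set: (EVV after insertion, X-matches with rows 2..row-1, weight sum)."""
    matches = [sum(1 for c in cols if m[j][c - 1] == -1) for j in range(1, row - 1)]
    weights = column_weights(m, row - 1)
    return evv(with_row(m, row, set(cols))), matches, sum(weights[c - 1] for c in cols)

def candidates(m, row):
    """Column sets (1-indexed, never column 1) that may fill `row`, i.e. satisfy all three
    criteria: EVV equal to (5), n/4 X-matches with every earlier row except row 1, and
    column weights summing to (row - 2) * n/4 as in (6). Brute force over C(n-1, n/2) sets."""
    n = len(m)
    out = []
    for cols in combinations(range(2, n + 1), n // 2):
        e, matches, wsum = classify(m, row, cols)
        if e == expected_evv(n, row) and all(k == n // 4 for k in matches) \
                and wsum == (row - 2) * n // 4:
            out.append(cols)
    return out

def sylvester(n):
    """Sylvester ("plug-in") Hadamard matrix of order n, a power of 2: H_2n = [[H, H], [H, -H]]."""
    h = [[1]]
    while len(h) < n:
        h = [r + r for r in h] + [r + [-v for v in r] for r in h]
    return h

if __name__ == "__main__":
    H8 = sylvester(8)
    print("single-row EVV path (3):", [evv(invert_cells(H8, 2, range(1, x + 1))) for x in range(9)])
    m = with_row(with_row(ones_matrix(8), 2, {5, 6, 7, 8}), 3, {2, 3, 5, 6})   # figure 4 state
    print("row 4 candidates:", candidates(m, 4))
    print("row 5 candidates after choosing (2, 4, 5, 7):", candidates(with_row(m, 4, {2, 4, 5, 7}), 5))
    m12 = with_row(with_row(with_row(ones_matrix(12), 2, set(range(7, 13))),
                            3, {2, 3, 4, 10, 11, 12}), 4, {2, 3, 4, 7, 8, 9})      # Section 3.1 state
    print("order 12 dead end: EVV =", evv(m12), "row 5 candidates:", candidates(m12, 5))
```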

4 Conclusions

The methods presented in this paper are only the start of possible alternatives
using the eigenvalues and eigenvectors to search for Hadamard matrices. Can
they be investigated further?

The Eigenvectors. How are they affected by disturbing a Hadamard matrix? Is there some clue in the direction they shift to that may help find the "way home" and may improve the algorithm?

Equivalence. At what stage of the traversal of the optimisation path is it decided whether a matrix belongs to another equivalence class or forms its own equivalence class?
The Determinant. Although this was discarded as a measure on its own, this
may not necessarily be desirable because it is hard to discuss eigenvalues
without acknowledging the determinant because of their direct relationship.
Given that the calculation of the determinant is much more efficient to cal-
culate for larger matrices, can it be used?

Although the optimisation method is discussed as a "Hill-climb", the final solution forms a series of "Subset-sum" optimisation problems [2]. If these become too unwieldy, maybe alternatives such as "genetic algorithms" [1,5] could be used.
The one example found that led to an incomplete path described above is
interesting because it may offer clues as to the existence of Hadamard matrices
(or the non-existence).

References
1. Goldberg, D.E.: Genetic Algorithms in Search, Optimization and Machine Learning,
1st edn. Addison-Wesley Longman Publishing Co., USA (1989)
2. Goodrich, M.T., Tamassia, R.: Algorithm Design: Foundations, Analysis, and Inter-
net Examples. John Wiley and Sons, New York (2002)
3. Horadam, K.J.: Hadamard Matrices and Their Applications. Princeton University
Press, Princeton, N.J. (2007)
4. Klima, R.E., Sigmon, N.P., Stitzinger, E.L.: Applications of Abstract Algebra with
Maple™ and Matlab®, 2nd edn. Chapman & Hall/CRC, Boca Raton (2006)
5. Michalewicz, Z.: Genetic Algorithms + Data Structures = Evolution Programs, 2nd
edn. Springer, New York (1994)
6. Orrick, W.P.: Switching operations for Hadamard matrices (2007),
http://www.arxiv.org/abs/math.CO/0507515
7. Snyman, J.A.: Practical Mathematical Optimization: An Introduction to Basic Op-
timization Theory and Classical and New Gradient-Based Algorithms. Springer,
Cambridge, Massachusetts (2005)
8. Wallis, W.D., Street, A.P., Wallis, J.S.: Combinatorics: Room Squares, Sum-Free
Sets, Hadamard Matrices. Springer, New York (1972)
The Tangent FFT

Daniel J. Bernstein

Department of Mathematics, Statistics, and Computer Science (M/C 249), University of Illinois at Chicago, Chicago, IL 60607–7045, USA
[email protected]

Abstract. The split-radix FFT computes a size-n complex DFT, when n is a large power of 2, using just 4n lg n − 6n + 8 arithmetic operations on real numbers. This operation count was first announced in 1968, stood unchallenged for more than thirty years, and was widely believed to be best possible.
Recently James Van Buskirk posted software demonstrating that the
split-radix FFT is not optimal. Van Buskirk’s software computes a size-
n complex DFT using only (34/9 + o(1))n lg n arithmetic operations on
real numbers. There are now three papers attempting to explain the
improvement from 4 to 34/9: Johnson and Frigo, IEEE Transactions on
Signal Processing, 2007; Lundy and Van Buskirk, Computing, 2007; and
this paper.
This paper presents the “tangent FFT,” a straightforward in-place
cache-friendly DFT algorithm having exactly the same operation counts
as Van Buskirk’s algorithm. This paper expresses the tangent FFT as a
sequence of standard polynomial operations, and pinpoints how the tan-
gent FFT saves time compared to the split-radix FFT. This description
is helpful not only for understanding and analyzing Van Buskirk’s im-
provement but also for minimizing the memory-access costs of the FFT.

Keywords: Tangent FFT, split-radix FFT, modified split-radix FFT, scaled odd tail, DFT, convolution, polynomial multiplication, algebraic complexity, communication complexity.

1 Introduction
Consider the problem of computing the size-n complex DFT (“discrete Fourier
transform”), where n is a power of 2; i.e., evaluating an n-coefficient univariate
complex polynomial f at all of the nth roots of 1. The input is a sequence of n
complex numbers f_0, f_1, . . . , f_{n−1} representing the polynomial f = f_0 + f_1 x + · · · + f_{n−1} x^{n−1}. The output is the sequence f(1), f(ζ_n), f(ζ_n^2), . . . , f(ζ_n^{n−1}) where ζ_n = exp(2πi/n).
The size-n FFT (“fast Fourier transform”) is a well-known algorithm to com-
pute the size-n DFT using (5+o(1))n lg n arithmetic operations on real numbers.
One can remember the coefficient 5 as half the total cost of a complex addition

Permanent ID of this document: a9a77cef9a7b77f9b8b305e276d5fe25. Date of this
document: 2007.09.19.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 291–300, 2007.
© Springer-Verlag Berlin Heidelberg 2007

(2 real operations), a complex subtraction (2 real operations), and a complex multiplication (6 real operations).
The FFT was used for astronomical calculations by Gauss in 1805; see, e.g., [6,
pages 308–310], published in 1866. It was reinvented and republished on several
subsequent occasions and was finally popularized in 1965 by Cooley and Tukey
in [2]. The advent of high-speed computers meant that users in the 1960s were
trying to handle large values of n in a wide variety of applications and could see
large benefits from the FFT.
The Cooley-Tukey paper spawned a torrent of FFT papers—showing, among
other things, that Gauss had missed a trick. The original FFT is not the optimal
way to compute the DFT. In 1968, Yavne stated that one could compute the
DFT using only (4+o(1))n lg n arithmetic operations, specifically 4n lg n−6n+8
arithmetic operations (if n ≥ 2), specifically n lg n − 3n + 4 multiplications and
3n lg n − 3n + 4 additions; see [13, page 117]. Nobody, to my knowledge, has ever
deciphered Yavne’s description of his algorithm, but a comprehensible algorithm
achieving exactly the same operation counts was introduced by Duhamel and
Hollmann in [3], by Martens in [9], by Vetterli and Nussbaumer in [12], and by
Stasinski (according to [4, page 263]). This algorithm is now called the split-
radix FFT.
The operation count 4n lg n − 6n + 8 stood unchallenged for more than thirty
years1 and was frequently conjectured to be optimal. For example, [11, page
152] said that split-radix FFT algorithms did not have minimal multiplication
counts but “have what seem to be the best compromise operation count.” Here
“compromise” refers to counting both additions and multiplications rather than
merely counting multiplications.
In 2004, James Van Buskirk posted software that computed a size-64 DFT
using fewer operations than the size-64 split-radix FFT. Van Buskirk then posted
similar software handling arbitrary power-of-2 sizes using only (34/9+o(1))n lg n
arithmetic operations. Of course, 34/9 is still in the same ballpark as 4 (and 5),
but it is astonishing to see any improvement in such a widely studied, widely
used algorithm, especially after 36 years of no improvements at all!
Contents of this paper. This paper gives a concise presentation of the tangent
FFT, a straightforward in-place cache-friendly DFT algorithm having exactly
the same operation counts as Van Buskirk’s algorithm. This paper expresses the
tangent FFT as a sequence of standard polynomial operations, and pinpoints how
the tangent FFT saves time compared to the split-radix FFT. This description
is helpful not only for understanding and analyzing Van Buskirk’s improvement
but also for minimizing the memory-access costs of the FFT.
[Footnote 1] The 1998 paper [14] claimed that its “new fast Discrete Fourier Transform” was much
faster than the split-radix FFT. For example, the paper claimed that its algorithm
computed a size-16 real DFT with 22 additions and 10 multiplications by various
sines and cosines. I spent half an hour with the paper, finding several blatant errors
and no new ideas; in particular, Figure 1 of the paper had many more additions than
the paper claimed. I pointed out the errors to the authors and have not received a
satisfactory response.

There have been two journal papers this year—[8] by Lundy and Van Buskirk,
and [7] by Johnson and Frigo—presenting more complicated algorithms with
the same operation counts. Both algorithms can be transformed into in-place
algorithms but incur heavier memory-access costs than the algorithm presented
in this paper.
I chose the name “tangent FFT” in light of the essential role played by tan-
gents as constants in the algorithm. The same name could be applied to all of
the algorithms in this class. Lundy and Van Buskirk in [8] use the name “scaled
odd tail,” which I find less descriptive. Johnson and Frigo in [7] use the name
“our new FFT . . . our new algorithm . . . our algorithm . . . our modified algo-
rithm” etc., which strikes me as suboptimal terminology; I have already seen
three reports miscrediting Van Buskirk’s 34/9 to Johnson and Frigo. All of the
credit for these algorithms should be assigned to Van Buskirk, except in contexts
where extra features such as simplicity and cache-friendliness play a role.

2 Review of the Original FFT


The remainder $f \bmod x^8 - 1$, where $f$ is a univariate polynomial, determines the
remainders $f \bmod x^4 - 1$ and $f \bmod x^4 + 1$. Specifically, if

$f \bmod x^8 - 1 = f_0 + f_1 x + f_2 x^2 + f_3 x^3 + f_4 x^4 + f_5 x^5 + f_6 x^6 + f_7 x^7,$

then $f \bmod x^4 - 1 = (f_0 + f_4) + (f_1 + f_5)x + (f_2 + f_6)x^2 + (f_3 + f_7)x^3$ and
$f \bmod x^4 + 1 = (f_0 - f_4) + (f_1 - f_5)x + (f_2 - f_6)x^2 + (f_3 - f_7)x^3$. Computing the
coefficients $f_0 + f_4, f_1 + f_5, f_2 + f_6, f_3 + f_7, f_0 - f_4, f_1 - f_5, f_2 - f_6, f_3 - f_7$, given the
coefficients $f_0, f_1, f_2, f_3, f_4, f_5, f_6, f_7$, involves 4 complex additions and 4 complex
subtractions. Note that this computation is naturally carried out in place with
one sequential sweep through the input. Note also that this computation is easy
to invert: for example, the sum of $f_0 + f_4$ and $f_0 - f_4$ is $2f_0$, and the difference
is $2f_4$.
More generally, let $r$ be a nonzero complex number, and let $n$ be a power of
2. The remainder $f \bmod x^{2n} - r^2$ determines the remainders $f \bmod x^n - r$ and
$f \bmod x^n + r$, since $x^n - r$ and $x^n + r$ divide $x^{2n} - r^2$. Specifically, if

$f \bmod x^{2n} - r^2 = f_0 + f_1 x + \cdots + f_{2n-1} x^{2n-1},$

then $f \bmod x^n - r = (f_0 + r f_n) + (f_1 + r f_{n+1})x + \cdots + (f_{n-1} + r f_{2n-1})x^{n-1}$ and
$f \bmod x^n + r = (f_0 - r f_n) + (f_1 - r f_{n+1})x + \cdots + (f_{n-1} - r f_{2n-1})x^{n-1}$. This
computation involves $n$ complex multiplications by $r$; $n$ complex additions; and
$n$ complex subtractions; totalling $10n$ real operations. The following diagram
summarizes the structure and cost of the computation (the edge label is the cost
in real operations):

    x^{2n} - r^2  --10n-->  x^n - r,  x^n + r
294 D.J. Bernstein

Note that some operations disappear when multiplications by $r$ are easy: this
computation involves only $8n$ real operations if $r \in \{\sqrt{i}, -\sqrt{i}, \sqrt{-i}, -\sqrt{-i}\}$, and
only $4n$ real operations if $r \in \{1, -1, i, -i\}$.
The same idea can be applied recursively:

    x^8 - 1  --16-->  x^4 - 1,  x^4 + 1
      x^4 - 1  --8-->  x^2 - 1,  x^2 + 1
        x^2 - 1  --4-->  x - 1,  x + 1
        x^2 + 1  --4-->  x - i,  x + i
      x^4 + 1  --8-->  x^2 - i,  x^2 + i
        x^2 - i  --8-->  x - √i,  x + √i
        x^2 + i  --8-->  x - √(-i),  x + √(-i)

The final outputs $f \bmod x - 1$, $f \bmod x + 1$, $f \bmod x - i, \ldots$ are exactly the
(permuted) DFT outputs $f(1), f(-1), f(i), \ldots$, and this computation is exactly
Gauss's original FFT. Note that the entire computation is naturally carried out
in place, with contiguous inputs to each recursive step. One can further reduce
the number of cache misses by merging (e.g.) the top two levels of recursion.
This view of the FFT, identifying each FFT step as a simple polynomial
operation, was introduced by Fiduccia in [5]. Most papers (and books) suppress
the polynomial structure, viewing each intermediate FFT result as merely a
linear function of the input; but "$f \bmod x^n - r$" is much more concise than a
matrix expressing the same function!
One might object that the concisely expressed polynomial operations in this
section and in subsequent sections are less general than arbitrary linear functions.
Is this restriction compatible with the best FFT algorithms? For example, does
it allow Van Buskirk’s improved operation count? This paper shows that the
answer is yes. Perhaps some future variant of the FFT will force Fiduccia’s
philosophy to be reconsidered, but for the moment one can safely recommend
that FFT algorithms be expressed in polynomial form.
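The recursion of this section, implemented literally in Python as an added worked example (this is not code from the paper): each list holds the coefficients of some $f \bmod x^n - c$, one step applies the $n$ additions, $n$ subtractions and $n$ multiplications by $r = \sqrt{c}$ described above, and the leaves are the DFT values $f(\zeta)$. The function `real_ops` applies the paper's $10n$ / $8n$ / $4n$ accounting for general $r$, for $r$ a primitive 8th root of 1, and for $r \in \{1, -1, i, -i\}$. The function names and the sample input are my own.

```python
"""Gauss's FFT as recursive polynomial remainders: an added worked example,
not code from the paper.

A list of n complex numbers holds the coefficients of f mod x^n - c (n a power
of 2).  One step turns f mod x^{2m} - r^2 into f mod x^m - r and f mod x^m + r
exactly as in Section 2; the leaves f mod x - zeta are the DFT values f(zeta).
The real-operation accounting follows the paper's rules: 10m per step in
general, 8m when r is a primitive 8th root of 1, 4m when r is in {1, -1, i, -i}.
"""
import cmath


def split(coeffs, r):
    """f mod x^{2m} - r^2  ->  (f mod x^m - r, f mod x^m + r).

    Output coefficient j is f_j + r*f_{m+j}, respectively f_j - r*f_{m+j}:
    m complex multiplications by r, m additions and m subtractions.
    """
    m = len(coeffs) // 2
    lo, hi = coeffs[:m], coeffs[m:]
    return ([a + r * b for a, b in zip(lo, hi)],
            [a - r * b for a, b in zip(lo, hi)])


def real_ops(m, r, tol=1e-9):
    """Real operations of one split step of half-length m with multiplier r."""
    if cmath.isclose(r ** 4, 1, abs_tol=tol):   # r in {1, -1, i, -i}: multiplication is free
        return 4 * m
    if cmath.isclose(r ** 8, 1, abs_tol=tol):   # r = (+-1 +-i)/sqrt 2: 4 real ops per product
        return 8 * m
    return 10 * m                               # general complex r: 6 real ops per product


def fft_remainders(coeffs, c=1 + 0j):
    """Evaluate f mod x^n - c at the n roots of x^n = c.

    Returns ([(root, f(root)), ...], total real operations).  With the default
    c = 1 this is the DFT of the coefficient vector, in the permuted order that
    the recursion produces.
    """
    n = len(coeffs)
    if n == 1:
        return [(c, coeffs[0])], 0
    r = cmath.sqrt(c)                          # r^2 = c, so the modulus is x^{2m} - r^2
    minus, plus = split(coeffs, r)             # f mod x^m - r,  f mod x^m + r
    left, ops_l = fft_remainders(minus, r)     # x^m - r is x^m - c' with c' = r
    right, ops_r = fft_remainders(plus, -r)    # x^m + r is x^m - c' with c' = -r
    return left + right, real_ops(n // 2, r) + ops_l + ops_r


def matches_direct_evaluation(coeffs, tol=1e-9):
    """Check every leaf against the naive evaluation sum_j f_j root^j."""
    values, _ = fft_remainders(coeffs)
    return all(abs(val - sum(fj * root ** j for j, fj in enumerate(coeffs))) < tol
               for root, val in values)


def operation_count(n):
    """Real operations of this FFT on x^n - 1 under the paper's cost rules."""
    return fft_remainders([0j] * n)[1]


if __name__ == "__main__":
    f = [complex(j, -j) for j in range(8)]           # constructed sample input
    print(matches_direct_evaluation(f))              # True
    print([operation_count(2 ** k) for k in range(1, 6)])  # [4, 16, 56, 176, 496]
```

For $n = 8$ the count is 56, the sum of the edge labels in the diagram of this section (16 + 8 + 8 + 4 + 4 + 8 + 8); the comparison with naive evaluation confirms that the leaves are the values at the 8th roots of 1, in the permuted order the recursion produces.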

3 Review of the Twisted FFT


The remainder $f \bmod x^n + 1$ determines the remainder $f(\zeta_{2n} x) \bmod x^n - 1$.
Specifically, if $f \bmod x^n + 1 = f_0 + f_1 x + \cdots + f_{n-1} x^{n-1}$, then

$f(\zeta_{2n} x) \bmod x^n - 1 = f_0 + \zeta_{2n} f_1 x + \cdots + \zeta_{2n}^{n-1} f_{n-1} x^{n-1}.$

Computing the twisted coefficients $f_0, \zeta_{2n} f_1, \ldots, \zeta_{2n}^{n-1} f_{n-1}$ from the coefficients
$f_0, f_1, \ldots, f_{n-1}$ involves one multiplication by $\zeta_{2n}$, one multiplication by $\zeta_{2n}^2$, and
so on through $\zeta_{2n}^{n-1}$. These $n - 1$ multiplications cost $6(n - 1)$ real operations,
except that a few multiplications are easier: 6 operations are saved for $\zeta_{2n}^{n/2}$ when
$n \ge 2$, and another 4 operations are saved for $\zeta_{2n}^{n/4}, \zeta_{2n}^{3n/4}$ when $n \ge 4$.
The remainder $f \bmod x^{2n} - 1$ determines the remainders $f \bmod x^n - 1$ and
$f \bmod x^n + 1$, as discussed in the previous section. It therefore determines the
remainders $f \bmod x^n - 1$ and $f(\zeta_{2n} x) \bmod x^n - 1$, as summarized in the following
diagram:

    x^{2n} - 1  --4n-->  x^n - 1,  x^n + 1
      x^n + 1  --max{6n - 16, 0}, twist by ζ_{2n}-->  x^n - 1

The twisted FFT performs this computation and then recursively evaluates
both $f \bmod x^n - 1$ and $f(\zeta_{2n} x) \bmod x^n - 1$ at the $n$th roots of 1, obtaining the
same results as the original FFT. Example, for $n = 8$ (each edge is labelled with its
cost in real operations and, for a twist, with the root of 1 used):

    x^8 - 1  --16-->  x^4 - 1,  x^4 + 1
      x^4 + 1  --8, twist by ζ_8 = √i-->  x^4 - 1
      each x^4 - 1  --8-->  x^2 - 1,  x^2 + 1
        each x^2 + 1  --0, twist by ζ_4 = i-->  x^2 - 1
        each x^2 - 1  --4-->  x - 1,  x + 1
          each x + 1  --0, twist by ζ_2 = -1-->  x - 1

Note that the twisted FFT never has to consider moduli other than $x^n \pm 1$.
The twisted FFT thus has a simpler recursive structure than the original FFT.
The recursive step does not need to distinguish $f$ from $f(\zeta_{2n} x)$: its job is simply
to evaluate an input modulo $x^n - 1$ at the $n$th roots of 1.
One can easily prove that the twisted FFT uses the same number of real
operations as the original FFT: the cost of twisting $x^n + 1$ into $x^n - 1$ is exactly
balanced by the savings from avoiding $x - \sqrt{i}$ etc. In fact, the algorithms have
the same number of multiplications by each root of 1. (One way to explain this
coincidence is to observe that the algorithms are "transposes" of each other.) One
might speculate at this point that all FFT algorithms have the same number of
real operations; but this speculation is solidly disproven by the split-radix FFT,
as discussed in Section 4.

4 Review of the Split-Radix FFT

The split-radix FFT applies the following diagram recursively:

    x^{4n} - 1  --8n-->  x^{2n} - 1,  x^{2n} + 1
      x^{2n} + 1  --4n-->  x^n - i,  x^n + i
        x^n - i  --max{6n - 8, 0}, twist by ζ_{4n}-->  x^n - 1
        x^n + i  --max{6n - 8, 0}, twist by ζ_{4n}^{-1}-->  x^n - 1

The notation here is the same as in previous sections:

• from $f \bmod x^{4n} - 1$ compute $f \bmod x^{2n} - 1$ and $f \bmod x^{2n} + 1$;
• from $f \bmod x^{2n} + 1$ compute $f \bmod x^n - i$ and $f \bmod x^n + i$;
• from $f \bmod x^n - i$ compute $f(\zeta_{4n} x) \bmod x^n - 1$;
• from $f \bmod x^n + i$ compute $f(\zeta_{4n}^{-1} x) \bmod x^n - 1$;
• recursively evaluate $f \bmod x^{2n} - 1$ at the $2n$th roots of 1;
• recursively evaluate $f(\zeta_{4n} x) \bmod x^n - 1$ at the $n$th roots of 1; and
• recursively evaluate $f(\zeta_{4n}^{-1} x) \bmod x^n - 1$ at the $n$th roots of 1.

If $f \bmod x^n - i = f_0 + f_1 x + \cdots + f_{n-1} x^{n-1}$ then $f(\zeta_{4n} x) \bmod x^n - 1 = f_0 +
\zeta_{4n} f_1 x + \cdots + \zeta_{4n}^{n-1} f_{n-1} x^{n-1}$. The $n - 1$ multiplications here cost $6(n - 1)$ real
operations, except that 2 operations are saved for $\zeta_{4n}^{n/2}$ when $n \ge 2$. Similar
comments apply to $x^n + i$.
The split-radix FFT uses only about $8n + 4n + 6n + 6n = 24n$ operations to divide
$x^{4n} - 1$ into $x^{2n} - 1, x^n - 1, x^n - 1$, and therefore only about $(24/1.5)\, n \lg n = 16 n \lg n$
operations to handle $x^{4n} - 1$ recursively. Here $1.5 = (2/4)\lg(4/2) + (1/4)\lg(4/1) +
(1/4)\lg(4/1)$ arises as the entropy of $2n/4n, n/4n, n/4n$. An easy induction produces
a precise operation count: the split-radix FFT handles $x^n - 1$ using 0 operations
for $n = 1$ and $4n \lg n - 6n + 8$ operations for $n \ge 2$.
For the same split of $x^{4n} - 1$ into $x^{2n} - 1, x^n - 1, x^n - 1$, the twisted FFT
would use about $30n$ operations: specifically, $20n$ operations to split $x^{4n} - 1$ into
$x^{2n} - 1, x^{2n} - 1$, and then $10n$ operations to split $x^{2n} - 1$ into $x^n - 1, x^n - 1$, as
discussed in Section 3. The split-radix FFT does better by delaying the expensive
twists, carrying out only two size-$n$ twists rather than one size-$2n$ twist and one
size-$n$ twist.
Most descriptions of the split-radix FFT replace $\zeta_{4n}, \zeta_{4n}^{-1}$ with $\zeta_{4n}, \zeta_{4n}^3$. Both
$\zeta_{4n}^{-1}$ and $\zeta_{4n}^3$ are $n$th roots of $-i$; both variants compute (in different orders)
the same DFT outputs. There is, however, an advantage of $\zeta_{4n}^{-1}$ over $\zeta_{4n}^3$ in
reducing memory-access costs. The split-radix FFT naturally uses $\zeta_{4n}^k$ and $\zeta_{4n}^{-k}$ as
multipliers at the same moment; loading precomputed real numbers $\cos(2\pi k/4n)$
and $\sin(2\pi k/4n)$ produces not only $\zeta_{4n}^k = \cos(2\pi k/4n) + i \sin(2\pi k/4n)$ but also
$\zeta_{4n}^{-k} = \cos(2\pi k/4n) - i \sin(2\pi k/4n)$. Reciprocal roots also play a critical role in
the tangent FFT; see Section 5.

5 The Tangent FFT


The obvious way to multiply a + bi by a constant cos θ + i sin θ is to compute
a cos θ − b sin θ and a sin θ + b cos θ. A different approach is to factor cos θ + i sin θ
as (1 + i tan θ) cos θ, or as (cot θ + i) sin θ. Multiplying by a real number cos θ is
relatively easy, taking only 2 real operations. Multiplying by 1 + i tan θ is also
relatively easy, taking only 4 real operations.
This change does not make any immediate difference in operation count: ei-
ther strategy takes 6 real operations, when appropriate constants such as tan θ
have been precomputed. But the change allows some extra flexibility: the real
multiplication can be moved elsewhere in the computation. Van Buskirk’s clever
observation is that these real multiplications can sometimes be combined!
Specifically, let's change the basis $1, x, x^2, \ldots, x^{n-1}$ that we've been using to
represent polynomials modulo $x^n - 1$. Let's instead use a vector $(f_0, f_1, \ldots, f_{n-1})$
to represent the polynomial $f_0/s_{n,0} + f_1 x/s_{n,1} + \cdots + f_{n-1} x^{n-1}/s_{n,n-1}$ where

$$s_{n,k} = \prod_{\ell \ge 0} \max\left\{\left|\cos\frac{4^\ell\, 2\pi k}{n}\right|, \left|\sin\frac{4^\ell\, 2\pi k}{n}\right|\right\}.$$

This might appear at first glance to be an infinite product, but $4^\ell\, 2\pi k/n$ is a
multiple of $2\pi$ once $\ell$ is large enough, so almost all of the terms in the product
are 1.
This wavelet $s_{n,k}$ is designed to have two important features. The first is
periodicity: $s_{4n,k} = s_{4n,k+n}$. The second is cost-4 twisting: $\zeta_{4n}^k (s_{n,k}/s_{4n,k})$ is
$\pm(1 + i \tan \cdots)$ or $\pm(\cot \cdots + i)$.

The tangent FFT applies the following diagram recursively (each node lists its
modulus and, in brackets, the basis used for the remainder; each edge is labelled
with its cost in real operations):

    x^{8n} - 1 [x^k/s_{8n,k}]  --16n-->  x^{4n} - 1 [x^k/s_{8n,k}],  x^{4n} + 1 [x^k/s_{8n,k}]
      x^{4n} - 1 [x^k/s_{8n,k}]  --8n-->  x^{2n} - 1 [x^k/s_{8n,k}],  x^{2n} + 1 [x^k/s_{8n,k}]
        x^{2n} - 1 [x^k/s_{8n,k}]  --4n - 2, change of basis-->  x^{2n} - 1 [x^k/s_{2n,k}]
        x^{2n} + 1 [x^k/s_{8n,k}]  --4n - 2, change of basis-->  x^{2n} + 1 [x^k/s_{4n,k}]
          x^{2n} + 1 [x^k/s_{4n,k}]  --4n-->  x^n - i [x^k/s_{4n,k}],  x^n + i [x^k/s_{4n,k}]
            x^n - i [x^k/s_{4n,k}]  --max{4n - 6, 0}, twist by ζ_{4n}-->  x^n - 1 [x^k/s_{n,k}]
            x^n + i [x^k/s_{4n,k}]  --max{4n - 6, 0}, twist by ζ_{4n}^{-1}-->  x^n - 1 [x^k/s_{n,k}]
      x^{4n} + 1 [x^k/s_{8n,k}]  --8n-->  x^{2n} - i [x^k/s_{8n,k}],  x^{2n} + i [x^k/s_{8n,k}]
        x^{2n} - i [x^k/s_{8n,k}]  --8n - 6, twist by ζ_{8n}-->  x^{2n} - 1 [x^k/s_{2n,k}]
        x^{2n} + i [x^k/s_{8n,k}]  --8n - 6, twist by ζ_{8n}^{-1}-->  x^{2n} - 1 [x^k/s_{2n,k}]

This diagram explicitly shows the basis used for each remainder $f \bmod x^{\cdots} - \cdots$.
The top node, $x^{8n} - 1$ with basis $x^k/s_{8n,k}$, reads an input vector $(f_0, f_1, \ldots, f_{8n-1})$
representing $f \bmod x^{8n} - 1 = \sum_{0 \le k < 8n} f_k x^k/s_{8n,k}$. The next node to
the left, $x^{4n} - 1$ with basis $x^k/s_{8n,k}$, computes a vector $(g_0, g_1, \ldots, g_{4n-1})$
representing $f \bmod x^{4n} - 1 = \sum_{0 \le k < 4n} g_k x^k/s_{8n,k}$; the equation $s_{8n,k+4n} = s_{8n,k}$
immediately implies that

$(g_0, g_1, \ldots, g_{4n-1}) = (f_0 + f_{4n}, f_1 + f_{4n+1}, \ldots, f_{4n-1} + f_{8n-1}).$

The next node to the left, $x^{2n} - 1$ with basis $x^k/s_{8n,k}$, similarly computes a vector
$(h_0, h_1, \ldots, h_{2n-1})$ representing $f \bmod x^{2n} - 1 = \sum_{0 \le k < 2n} h_k x^k/s_{8n,k}$. The next
node after that, $x^{2n} - 1$ with basis $x^k/s_{2n,k}$ (suitable for recursion), computes
a vector $(h'_0, h'_1, \ldots, h'_{2n-1})$ representing $f \bmod x^{2n} - 1 = \sum_{0 \le k < 2n} h'_k x^k/s_{2n,k}$;
evidently $h'_k = h_k (s_{2n,k}/s_{8n,k})$, requiring a total of $2n$ real multiplications by
the precomputed real constants $s_{2n,k}/s_{8n,k}$, minus 1 skippable multiplication by
$s_{2n,0}/s_{8n,0} = 1$. Similar comments apply throughout the diagram: for example,
moving from $x^{2n} - i$ with basis $x^k/s_{8n,k}$ to $x^{2n} - 1$ with basis $x^k/s_{2n,k}$ involves
cost-4 twisting by $\zeta_{8n}^k s_{2n,k}/s_{8n,k}$.

The total cost of the tangent FFT is about $68n$ real operations to divide
$x^{8n} - 1$ into $x^{2n} - 1, x^{2n} - 1, x^{2n} - 1, x^n - 1, x^n - 1$, and therefore about
$(68/2.25)\, n \lg n = (34/9)\, 8n \lg n$ to handle $x^{8n} - 1$ recursively. Here 2.25 is the
entropy of $2n/8n, 2n/8n, 2n/8n, n/8n, n/8n$. More precisely, the cost $S(n)$ of
handling $x^n - 1$ with basis $x^k/s_{n,k}$ satisfies $S(1) = 0$, $S(2) = 4$, $S(4) = 16$, and
$S(8n) = 60n - 16 + \max\{8n - 12, 0\} + 3S(2n) + 2S(n)$. The $S(n)$ sequence begins
$0, 4, 16, 56, 164, 444, 1120, 2720, 6396, 14724, 33304, \ldots$; an easy induction shows
that $S(n) = (34/9)\, n \lg n - (142/27)\, n - (2/9)(-1)^{\lg n} \lg n + (7/27)(-1)^{\lg n} + 7$ for
$n \ge 2$.
For comparison, the split-radix FFT uses about $72n$ real operations for the
same division. The split-radix FFT uses the same $16n$ to divide $x^{8n} - 1$ into
$x^{4n} - 1, x^{4n} + 1$, the same $8n$ to divide $x^{4n} - 1$ into $x^{2n} - 1, x^{2n} + 1$, the same
$8n$ to divide $x^{4n} + 1$ into $x^{2n} - i, x^{2n} + i$, and the same $4n$ to divide $x^{2n} + 1$ into
$x^n - i, x^n + i$. It also saves $4n$ changing basis for $x^{2n} - 1$ and $4n$ changing basis
for $x^{2n} + 1$. But the tangent FFT saves $4n$ twisting $x^{2n} - i$, another $4n$ twisting
$x^{2n} + i$, another $2n$ twisting $x^n - i$, and another $2n$ twisting $x^n + i$. The $12n$
operations saved in twists outweigh the $8n$ operations lost in changing basis.
What if the input is in the traditional basis $1, x, x^2, \ldots, x^{n-1}$? One could scale
the input immediately to the new basis, but it is faster to wait until the first
twist:

    x^{4n} - 1 [x^k]  --8n-->  x^{2n} - 1 [x^k],  x^{2n} + 1 [x^k]
      x^{2n} + 1 [x^k]  --4n-->  x^n - i [x^k],  x^n + i [x^k]
        x^n - i [x^k]  --max{6n - 8, 0}, twist by ζ_{4n}-->  x^n - 1 [x^k/s_{n,k}]
        x^n + i [x^k]  --max{6n - 8, 0}, twist by ζ_{4n}^{-1}-->  x^n - 1 [x^k/s_{n,k}]

The coefficient of $x^k$ in $f \bmod x^n - i$ is now twisted by $\zeta_{4n}^k s_{n,k}$, costing 6 real
operations except for the easy cases $\zeta_{4n}^0 s_{n,0} = 1$ and $\zeta_{4n}^{n/2} s_{n,n/2} = \sqrt{i}$.
The cost $T(n)$ of handling $x^n - 1$ with basis $x^k$ satisfies $T(1) = 0$, $T(2) = 4$,
and $T(4n) = 12n + \max\{12n - 16, 0\} + T(2n) + 2S(n)$. The $T(n)$ sequence
begins $0, 4, 16, 56, 168, 456, 1152, 2792, 6552, 15048, 33968, \ldots$; an easy induction
shows that

$$T(n) = \frac{34}{9}\, n \lg n - \frac{124}{27}\, n - 2 \lg n - \frac{2}{9}(-1)^{\lg n} \lg n + \frac{16}{27}(-1)^{\lg n} + 8$$

for $n \ge 2$, exactly matching the operation count in [7, Equation (1)].
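The recurrences of Sections 4 and 5 and their closed forms, evaluated in Python as an added worked example (this is not code from the paper; the function names are mine). `split_radix`, `S` and `T` implement the three recurrences exactly as stated, the `_closed` functions evaluate the stated closed forms in exact rational arithmetic so that the comparison is an integer equality rather than a floating-point one, and `tangent_saving` reports the gap between the split-radix count $4n \lg n - 6n + 8$ and $T(n)$.

```python
"""Operation-count recurrences of Sections 4 and 5: an added worked example,
not code from the paper.  Each recurrence is read off the corresponding
diagram; the closed forms are the ones the paper states, evaluated exactly
with Fractions.
"""
from fractions import Fraction
from functools import lru_cache


def lg(n):
    """Base-2 logarithm of a power of 2."""
    return n.bit_length() - 1


@lru_cache(maxsize=None)
def split_radix(n):
    """Real operations of the split-radix FFT on x^n - 1 (Section 4).

    Splitting x^{4m} - 1 costs 8m (to x^{2m} -+ 1) plus 4m (to x^m -+ i), then
    two twists of max{6m - 8, 0} each, then recursion on x^{2m} - 1 and two x^m - 1.
    """
    if n == 1:
        return 0
    if n == 2:
        return 4
    m = n // 4
    return 8 * m + 4 * m + 2 * max(6 * m - 8, 0) + split_radix(2 * m) + 2 * split_radix(m)


def split_radix_closed(n):
    """The paper's count 4n lg n - 6n + 8 for n >= 2."""
    return 4 * n * lg(n) - 6 * n + 8


@lru_cache(maxsize=None)
def S(n):
    """Tangent FFT cost of x^n - 1 in the basis x^k / s_{n,k} (Section 5)."""
    if n == 1:
        return 0
    if n == 2:
        return 4
    if n == 4:
        return 16
    m = n // 8
    return 60 * m - 16 + max(8 * m - 12, 0) + 3 * S(2 * m) + 2 * S(m)


@lru_cache(maxsize=None)
def T(n):
    """Tangent FFT cost of x^n - 1 when the input is in the traditional basis x^k."""
    if n == 1:
        return 0
    if n == 2:
        return 4
    m = n // 4
    return 12 * m + max(12 * m - 16, 0) + T(2 * m) + 2 * S(m)


def S_closed(n):
    """(34/9) n lg n - (142/27) n - (2/9)(-1)^{lg n} lg n + (7/27)(-1)^{lg n} + 7."""
    L, sgn = lg(n), (-1) ** lg(n)
    return (Fraction(34, 9) * n * L - Fraction(142, 27) * n
            - Fraction(2, 9) * sgn * L + Fraction(7, 27) * sgn + 7)


def T_closed(n):
    """(34/9) n lg n - (124/27) n - 2 lg n - (2/9)(-1)^{lg n} lg n + (16/27)(-1)^{lg n} + 8."""
    L, sgn = lg(n), (-1) ** lg(n)
    return (Fraction(34, 9) * n * L - Fraction(124, 27) * n - 2 * L
            - Fraction(2, 9) * sgn * L + Fraction(16, 27) * sgn + 8)


def closed_forms_hold(max_lg=14):
    """True if every recurrence equals its closed form for n = 2, 4, ..., 2^max_lg."""
    return all(split_radix(1 << k) == split_radix_closed(1 << k)
               and S(1 << k) == S_closed(1 << k)
               and T(1 << k) == T_closed(1 << k)
               for k in range(1, max_lg + 1))


def tangent_saving(n):
    """Real operations saved by the tangent FFT over split-radix on a size-n DFT
    whose input is in the traditional basis."""
    return split_radix(n) - T(n)


if __name__ == "__main__":
    print([S(1 << k) for k in range(11)])   # 0, 4, 16, 56, 164, 444, 1120, ...
    print([T(1 << k) for k in range(11)])   # 0, 4, 16, 56, 168, 456, 1152, ...
    print(closed_forms_hold())              # True
    print({1 << k: tangent_saving(1 << k) for k in range(1, 11)})
```

The two counts agree up to $n = 32$ and diverge from $n = 64$ on, where the tangent FFT saves 8 real operations; the saving grows with $n$ in line with the $34/9$ versus $4$ leading coefficients.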

References
1. 1968 Fall Joint Computer Conference. In: AFIPS conference proceedings, vol. 33,
part one. See [13] (1968)
2. Cooley, J.W., Tukey, J.W.: An Algorithm for the Machine Calculation of Complex
Fourier Series. Mathematics of Computation 19, 297–301 (1965)
3. Duhamel, P., Hollmann, H.: Split-Radix FFT algorithm. Electronics Letters 20,
14–16 (1984)
4. Duhamel, P., Vetterli, M.: Fast Fourier Transforms: a Tutorial Review and a State
of the Art. Signal Processing 19, 259–299 (1990)
5. Fiduccia, C.M.: Polynomial Evaluation Via the Division Algorithm: the Fast
Fourier Transform Revisited. In: [10], pp. 88–93 (1972)
6. Gauss, C.F.: Werke, Band 3 Königlichen Gesellschaft der Wissenschaften.
Göttingen (1866)
7. Johnson, S.G., Frigo, M.: A Modified Split-Radix FFT with Fewer Arithmetic
Operations. IEEE Trans. on Signal Processing 55, 111–119 (2007)
8. Lundy, T.J., Van Buskirk, J.: A New Matrix Approach to Real FFTs and Convo-
lutions of Length 2^k. Computing 80, 23–45 (2007)
9. Martens, J.B.: Recursive Cyclotomic Factorization—A New Algorithm for Calcu-
lating the Discrete Fourier Transform. IEEE Trans. Acoustics, Speech, and Signal
Processing 32, 750–761 (1984)
10. Rosenberg, A.L.: Fourth Annual ACM Symposium on Theory Of Computing. As-
sociation for Computing Machinery, New York (1972)
11. Sorensen, H.V., Heideman, M.T., Burrus, C.S.: On Computing the Split-Radix
FFT. IEEE Trans. Acoustics, Speech, and Signal Processing 34, 152–156 (1986)
12. Vetterli, M., Nussbaumer, H.J.: Simple FFT and DCT Algorithms with Reduced
Number of Operations. Signal Processing 6, 262–278 (1984)
13. Yavne, R.: An Economical Method for Calculating the Discrete Fourier Transform.
In: [1], pp. 115–125 (1968)
14. Zhou, F., Kornerup, P.: A New Fast Discrete Fourier Transform. J. VLSI Signal
Processing 20, 219–232 (1998)
Novel Algebraic Structure for Cyclic Codes

Dang Hoai Bac^{1,2}, Nguyen Binh^1, and Nguyen Xuan Quynh^1

^1 Electronics Faculty, Posts & Telecommunications Institute of Technology
(PTIT)-Vietnam. Km 10 Hanoi-Hadong Road
[email protected]
^2 Mobile Telecommunication Research Division, Electronics & Telecommunications
Research Institute (ETRI)-Korea

Abstract. A novel algebraic structure for cyclic codes, Cyclic
Multiplicative Groups (CMGs) over a polynomial ring, is proposed in this
paper. Under this construction, traditional cyclic codes can be con-
sidered a subclass of these cyclic codes. With the CMG structure, more
good cyclic code cosets can be found in any polynomial ring
than with other methods. An arbitrary polynomial in the polynomial ring can gen-
erate cyclic codes whose codeword length depends on the order of the
polynomial. Another advantage of this method is that a longer code can
be generated from a smaller polynomial ring. Moreover, our technique is
flexibly and easily implemented in terms of encoding as well as decoding.
As a result, CMGs can contribute a new point of view in coding
theory. The significant advantages of the proposed cyclic code cosets are
applicable in modern communication systems and crypto-systems.

1 Introduction
A very important class of codes is, arguably, the class of cyclic codes. Cyclic
codes were explored by Prange [1] in the early history of coding theory. A cyclic
code is a block code in which a cyclic shift of every codeword yields another
codeword belonging to the same code [2,3,4]. Currently, cyclic codes are used in
a wide variety of communication systems, computer networks and data storage
devices to provide inexpensive and effective error detection capabilities.
Although traditional cyclic codes have advantages, there is a shortage
in cyclic code generation. Specifically, the number of generator
polynomials is limited because they depend on the number of ideals in the poly-
nomial ring, i.e. they depend on the factorization of $x^k + 1$ in the
polynomial ring $Z_2[x]/(x^k + 1)$ [3,5].
To overcome this problem, the key idea in this paper is to use the Cyclic Multi-
plicative Group structure instead of the method in which cyclic codes are generated
from ideals, i.e. depend on the factorization of polynomial rings. We investigate, for
the first time, some properties of Cyclic Multiplicative Groups in order to
find more good cyclic cosets, and more applications, than the traditional
methods, especially in polynomial rings with two cyclotomic cosets, i.e. rings in which
the factorization has only two factors. To our knowledge, the cyclic
codes in these rings have not been mentioned yet.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 301–310, 2007.

c Springer-Verlag Berlin Heidelberg 2007
302 D.H. Bac, N. Binh, and N.X. Quynh

Cyclic codes are built from an arbitrary polynomial in the polynomial ring, and
with the CMG structure these codes become independent of the factors of the
factorization. An arbitrary polynomial in the polynomial ring can generate cyclic codes
with length depending on the order of the polynomial. This is the main difference in com-
parison with the traditional method. Traditional cyclic codes can be considered
a subclass of the cyclic codes of the CMG method.
The proposed method has significant advantages: the good con-
structed cyclic code cosets are larger than conventional ones; a longer cyclic code
can be generated from a smaller polynomial ring, leading to easier and faster
implementation. Furthermore, using the properties of the multiplicative group gives much
lower critical path delays, thus allowing much faster operating clock rates when im-
plemented in VLSI, such as FPGA [6,7,10]. These properties are also suitable
for high-speed cryptographic applications such as elliptic curve cryptography
[12]. The effect of extension on the properties of CMGs can be used for fur-
ther study in PN generation, peak to average power ratio (PAPR) reduction in
OFDM, and building crypto-systems.

2 Cyclic Multiplicative Group over Polynomial Ring

2.1 Order of Polynomial

Based on the order of polynomials in the polynomial ring, cyclic multiplicative
groups can be generated. CMGs play an important role in the new algebraic structure
presented in this paper.

Definition 1. The order of a polynomial $a(x)$ modulo $(x^k + 1)$ in the polynomial ring
$Z_2[x]/(x^k + 1)$ is the positive integer $n$ which satisfies:

$a(x)^{n+1} = a(x) \pmod{x^k + 1}$ or $a(x)^n = e(x) \pmod{x^k + 1}$ (1)

where $e(x)$ is an idempotent polynomial in this ring, i.e. $e(x)$ satisfies
$e(x) = e^2(x)$ [2,3].

Consider the polynomial ring $Z_2[x]/(x^k + 1)$ with $k$ an odd number; the factorization
of $x^k + 1$ is:

$x^k + 1 = \prod_i f_i(x)$ (2)

where the $f_i(x)$ are distinct irreducible polynomials. With $a(x) \in Z_2[x]/(x^k + 1)$,
the maximum order of $a(x)$ modulo $x^k + 1$ (denoted $\max(\mathrm{ord}\, a(x))$) is defined as:

$\max(\mathrm{ord}\, a(x)) = 2^m - 1$ (3)

where $m = \max_i \deg f_i(x)$.

In the polynomial ring $Z_2[x]/(x^k + 1)$, the order $n$ of any polynomial
is $\max(\mathrm{ord}\, a(x))$ or a divisor of $\max(\mathrm{ord}\, a(x))$.

Example 1. With $n = 5$, consider $a(x) \in Z_2[x]/(x^5 + 1)$. According to (3), we
have $x^5 + 1 = f_1(x) \cdot f_2(x) = (1 + x)(1 + x + x^2 + x^3 + x^4)$, and $f_1(x) = (1 + x) \Rightarrow
\deg f_1(x) = m_1 = 1$, $f_2(x) = (1 + x + x^2 + x^3 + x^4) \Rightarrow \deg f_2(x) = m_2 = 4$.
Hence, $\max(\mathrm{ord}\, a(x))$ is calculated as follows ($a(x)$ is an arbitrary polynomial
in the polynomial ring $Z_2[x]/(x^5 + 1)$).

According to (3), $\max(\mathrm{ord}\, a(x)) = 2^m - 1 = 15 = 3 \cdot 5$, thus the available orders
of an arbitrary $a(x)$ in $Z_2[x]/(x^5 + 1)$ are $n = 1, 3, 5, 15$ ($n = 1$ is the order of
idempotents).
The 32 polynomials ($2^k = 32$) in $Z_2[x]/(x^5 + 1)$ are divided into four groups
as follows:
– The group of polynomials with order 1: {Zero, (0), (01234), (1234)}.
– The group of polynomials with order 3: {(023), (024), (14), (23)}.
– The group of polynomials with order 5: {(1), (2), (3), (4), (0123), (0124),
(0134), (0234)}.
– The group of polynomials with order 15: {(01), (02), (03), (04), (012), (013),
(024), (034)}.
Remark: (023) denotes $1 + x^2 + x^3$, (0) denotes 1 and zero = 0.

2.2 Cyclic Multiplicative Groups


Depending on the order of the polynomial $a(x)$ modulo $(x^k + 1)$ in the polynomial ring
$Z_2[x]/(x^k + 1)$, we can construct cyclic multiplicative groups (CMGs).
Consider the following CMG:

$A = \{a^i(x) \pmod{x^k + 1},\ i = 1 : n\}.$ (4)

Some characteristics of CMGs are presented as follows:

– All the elements of a CMG have the same parity of weight.
– The number of elements in $A$ is equal to the order of $a(x)$: $|A| = n$.
– According to Lagrange's theorem [2,3], $n$ is a divisor of $2^m - 1$: $n \mid 2^m - 1$.
– $k$ is also a divisor of $2^m - 1$: $k \mid 2^m - 1$.
The CMG $I = \{x^i,\ i = 1, 2, \ldots, k\}$ is called the unity CMG.

2.3 Symmetric Polynomial ā(x) and Symmetric CMGs


Definition 2. With $a(x) \in Z_2[x]/(x^k + 1)$, $\bar a(x)$ is called the symmetric polynomial
of $a(x)$ if, when $a(x) = \sum_{i \in U} x^i$, then $\bar a(x) = \sum_{j \in V} x^j$ where

$U \cap V = \emptyset,\quad U \cup V = S = \{0, 1, 2, \cdots, k - 1\}.$

$e_0(x) = \sum_{i=0}^{k-1} x^i$ is called the swallowing idempotent. $e_0(x)$ has the following char-
acteristics:

– If $a(x)$ is an arbitrary odd weight polynomial, then $a(x)e_0(x) = e_0(x)$.
– If $b(x)$ is an arbitrary even weight polynomial, then $b(x)e_0(x) = 0$.
Based on these characteristics, we can define: $\bar a(x) = e_0(x) + a(x)$.
Lemma 1. Let $a(x)$ be the generator element of CMG $A$ and $\bar a(x)$ the generator
of CMG $\bar A$. We have

$A = \{a^i \pmod{x^k + 1}\},\quad \bar A = \{\bar a^i \pmod{x^k + 1}\},$ (5)

$|A| = |\bar A|$ and $\bar a^i(x) = \overline{a^i(x)}$.

Proof. Let $a(x)$ be an odd weight polynomial; we have:

$a^i(x) = a^{i-1}(x)a(x)$
$\overline{a^i(x)} = e_0(x) + a^i(x)$
$\bar a(x) = e_0(x) + a(x)$
$\bar a^i(x) = \bar a^{i-1}(x)\bar a(x) = \bar a^{i-1}(x)[e_0(x) + a(x)] = \bar a^{i-1}(x)a(x)$
$\bar a^i(x) = \bar a(x)a^{i-1}(x) = [e_0(x) + a(x)]a^{i-1}(x) = e_0(x) + a^i(x) = \overline{a^i(x)}$

Similarly, we have $|A| = |\bar A|$. The symmetric characteristic of CMGs is useful
for constructing cyclic codes.

3 Cyclic Code Based on Cyclic Multiplicative Group


Consider CMG $A = \{a^i(x)\}$; the number of elements in $A$ is $|A| = n$. Cyclic
codes can be built from CMG $A$ in the way described as follows.
Definition 3. A cyclic code with length $n$ is a code whose code digits
are elements of a CMG.
Remark 1
– According to this definition, the generator matrix has the following form:

$G = [a(x)\ a^2(x)\ \cdots\ a^n(x)].$

– If $I = \{x^i\} \subset A$ then the cyclic code generated by $A$ is a symmetric code.
– If $a^j(x) = x$ then the $i$th row of $G$ is the cyclic shift of the $(i - 1)$th row to the right
by $j$.
For traditional cyclic codes, the generator matrix is built from an ideal of the poly-
nomial ring. The limitation of the traditional method is the small number of
ideals. In some special polynomial rings, $x^k + 1$ has only two factors, as follows:

$x^k + 1 = (1 + x)\sum_{i=0}^{k-1} x^i$ (6)

These rings are called polynomial rings with two cyclotomic cosets (with
k = 3, 5, 11, 13, 17, 19, etc., see Appendix). In these rings, we cannot
build good cyclic codes, except the trivial codes, which are the repetition code (n, 1) and
the even parity check code (n, n-1). The cyclic codes in these rings have not been
mentioned before. With the CMG structure mentioned above, many cyclic codes
can be obtained in polynomial rings with two cyclotomic cosets, as can be seen in
the example below.

Example 2. Consider the polynomial ring $Z_2[x]/(x^5 + 1)$. We choose an arbitrary
polynomial $a(x)$ in this ring with order 15 (the maximum order in this ring), such
as:
$a(x) = 1 + x^2 + x^4 \Leftrightarrow (024).$

According to $a(x)$, we can define the CMG $A$ as follows:

$A = \{a^i(x)\}$
$= \{(024), (034), (1), (013), (014), (2), (124), (012), (3), (023), (123), (4),
(134), (234), (0)\}.$

The cyclic code based on $A$ is a (15,5,7) code. This is a systematic code with the
following generator matrix:

        [1 1 0 1 1 0 0 1 0 1 0 0 0 0 1]
        [0 0 1 1 1 0 1 1 0 0 1 0 1 0 0]
    G = [1 0 0 0 0 1 1 1 0 1 1 0 0 1 0]
        [0 1 0 1 0 0 0 0 1 1 1 0 1 1 0]
        [1 1 0 0 1 0 1 0 0 0 0 1 1 1 0]

In $G$, we can see that:

– The 1st column (10101) is $a(x) = (024)$.
– The 2nd column (10011) is $a^2(x) = (034)$.
– ...
– The 15th column (10000) is $a^{15}(x) = (0)$, and this element is the end of CMG
$A$.

In CMG $A$, we have $(1 + x^2 + x^4)^3 = x \Leftrightarrow (024)^3 = (1)$. Thus, the $i$th row of $G$ is
the cyclic shift of the $(i - 1)$th row to the right by 3. The encoding algorithm of cyclic
codes based on the CMGs above can be given as:

$G = [a^i(x) \pmod{x^5 + 1}].$

The decoding algorithm for this code can be performed by a threshold algorithm
with two levels as follows:

– Orthogonal checksum system for the pair of information digits [0] + [1] at the first
level:
[0] + [1] = [012] + [2]
= [014] + [4]
= [034] + [134]
= [024] + [124]
= [013] + [3]
= [023] + [123]
– Second level of threshold decoding for information digit [0] in the pair [0]+[1]:
[0] = [04] + [4]
= [04] + [34] + [3]
= [01] + [12] + [2]
= [01] + [1]
= [023] + [23]
= [34] + [034]
In this code, the Hamming distance is $d_0 = 7$. The detailed schematic for decod-
ing this code is illustrated in Fig. 1. In this scheme, the clock rate of register A is
three times the clock rate of register B, and M is the threshold decoder.
The number of possible cyclic codes in this case can be calculated as:
N = 1 + 2 · 15 + 1 = 32
According to the CMGs above, the cyclic code (15,5,7) is built in $Z_2[x]/(x^5 + 1)$
with a simple way of encoding as well as decoding. Moreover, this cyclic code

Fig. 1. Decoder scheme for cyclic codes (15, 5) in Z2 [x]/(x5 + 1)



is equivalent to traditional cyclic codes with the same parameters in the larger ring
$Z_2[x]/(x^5 + 1)$. This is also a significant advantage of this method, allowing
faster implementation.
Lemma 2. Given $a(x)$ of odd weight, if $A$ generates a cyclic code $(n, k, d)$ then $\bar A$
generates a cyclic code $(n, k - 1, d + 1)$.
Example 3. In $Z_2[x]/(x^5 + 1)$, if $a(x) = 1 + x^2 + x^4 \Leftrightarrow (024)$, according to
Definition 2 we have $\bar a(x) = x + x^3 \Leftrightarrow (13)$, and then the CMG $\bar A$ can be defined
as: $\bar A = \{\bar a^i(x)\} = \{(13), (12), (0234), (24), (23), (0134), (03), (34), (0124), (14),
(04), (0123), (02), (01), (1234)\}$.
The cyclic code based on $\bar A$ is a (15,4,8) code. Clearly, this is an optimal code
satisfying the Griesmer bound [3].
$\bar A$ is equivalent to $A' = \{a^i(x) \pmod{1 + x + x^2 + x^3 + x^4}\}$:
$A' = \{(13), (12), (1), (013), (23), (2), (03), (012), (3), (023), (123), (0123), (02),
(01), (0)\}$.

4 Cyclic Codes over CMGs and Traditional Cyclic Codes


Using CMGs gives more ability to construct cyclic codes than using the tra-
ditional method. To support this opinion, we can consider again the polynomial
ring $Z_2[x]/(x^5 + 1)$. In this ring, the factorization of $(x^5 + 1)$ is:

$x^5 + 1 = (1 + x)\sum_{i=0}^{4} x^i$

where $(1 + x)$ and $\sum_{i=0}^{4} x^i$ are irreducible polynomials.
Based on the traditional cyclic code, only two trivial codes can be built
in this ring. With generator polynomial $f_1(x) = (1 + x)$, we get a (5, 4) code
which is the even parity check code with Hamming distance $d_0 = 2$. With generator
polynomial $f_2(x) = (1 + x + x^2 + x^3 + x^4)$ we get the repetition code (5,5) with
Hamming distance $d_0 = 5$. However, in $Z_2[x]/(x^5 + 1)$, using the CMG method,
as can be seen from Example 2, we can construct more cyclic codes with good
properties than cyclic codes based on the traditional method. This is because the
set of available cyclic codes depends on $a(x)$ and the order of $a(x)$. More-
over, traditional cyclic codes over ideals $I$ can be seen as a special case of cyclic codes
over CMGs.
Lemma 3. The unity CMG modulo $h(x)$ with $h(x) \mid (x^k + 1)$ is a tradi-
tional cyclic code with the following generator polynomial $g(x)$:

$g(x) = \left(\frac{x^k + 1}{h(x)}\right)^*$ (7)

where $g^*(x)$ is the reciprocal polynomial of $g(x)$:

$g^*(x) = x^{\deg g(x)}\, g(x^{-1})$ (8)

Fig. 2. Comparison of BER performance between proposed and traditional cyclic code
(15,5)

Lemma 4. In the decomposition of the polynomial ring according to the unity CMG, the coset
$G$ with leader $g(x)$ is a traditional cyclic code with generator polynomial $g(x)$:

$G = \{g(x) \cdot x^i\}$ (9)

where $g(x)$ is a divisor of $x^k + 1$: $g(x) \mid x^k + 1$.

Example 4. Consider $Z_2[x]/(x^7 + 1)$. If we choose $h(x) = 1 + x + x^2 + x^4$, we
can define the unity CMG modulo $h(x)$ as follows:

$I = \{x^i \pmod{h(x)} : i = 0 : 6\}$
$= \{1, x, x^2, x^3, 1 + x + x^2, x + x^2 + x^3, 1 + x + x^3\}$

Clearly, $I$ is equivalent to the cyclic code (7,4,3) with generator polynomial $g(x) =
1 + x^2 + x^3$.
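Sections 2 and 3 together with Example 4, worked in Python as an added example (this is not code from the paper; all function names are mine). Polynomials over $Z_2$ are bitmasks, `order()` is Definition 1, `groups_by_order()` partitions a ring by order as in Example 1, `cmg()` is equation (4), `symmetric()` is $\bar a = e_0 + a$, `generator_matrix()` follows Remark 1, and `code_parameters()` finds $(n, k, d)$ by enumerating the codewords. The last two functions check Lemma 3 on Example 4: the unity CMG modulo $h(x) = 1 + x + x^2 + x^4$ in $Z_2[x]/(x^7 + 1)$ and the generator polynomial $((x^7 + 1)/h(x))^*$.

```python
"""Cyclic Multiplicative Groups over Z2[x]/(x^k + 1): an added worked example,
not code from the paper.

A polynomial over Z2 is an int bitmask: bit j is the coefficient of x^j, so
the paper's (024) is 1 + x^2 + x^4 = 0b10101.  Reduction modulo x^k + 1 uses
x^k = 1, which makes multiplication a cyclic convolution of the bit masks.
"""
from itertools import product


def poly(*exps):
    """(0, 2, 4) -> bitmask of 1 + x^2 + x^4 (the paper's exponent notation)."""
    return sum(1 << e for e in exps)


def exps(a):
    """Inverse of poly(): bitmask -> tuple of exponents."""
    return tuple(j for j in range(a.bit_length()) if a >> j & 1)


def mul(a, b, k):
    """a(x) * b(x) mod (x^k + 1) over Z2: XOR of cyclic rotations of b."""
    mask, r = (1 << k) - 1, 0
    for i in exps(a):
        r ^= ((b << i) | (b >> (k - i))) & mask
    return r


def order(a, k):
    """Definition 1: least n >= 1 with a(x)^(n+1) = a(x) mod (x^k + 1)."""
    p = a
    for n in range(1, (1 << k) + 1):
        p = mul(p, a, k)
        if p == a:
            return n
    raise ValueError("no order found")  # cannot happen in a finite ring


def groups_by_order(k):
    """Example 1: partition all 2^k polynomials of Z2[x]/(x^k + 1) by order."""
    groups = {}
    for a in range(1 << k):
        groups.setdefault(order(a, k), []).append(a)
    return groups


def cmg(a, k):
    """Equation (4): A = {a^i mod (x^k + 1) : i = 1..n}, listed as a, a^2, ..., a^n."""
    out, p = [], a
    for _ in range(order(a, k)):
        out.append(p)
        p = mul(p, a, k)
    return out


def symmetric(a, k):
    """Section 2.3: a-bar = e0 + a, with e0 = 1 + x + ... + x^(k-1)."""
    return a ^ ((1 << k) - 1)


def generator_matrix(group, rows):
    """Remark 1: column i is the coefficient vector of the i-th group element."""
    return [[g >> j & 1 for g in group] for j in range(rows)]


def code_parameters(G):
    """(n, dimension, minimum distance) by enumerating all 2^rows row combinations."""
    n, words = len(G[0]), set()
    for m in product((0, 1), repeat=len(G)):
        w = [0] * n
        for bit, row in zip(m, G):
            if bit:
                w = [x ^ y for x, y in zip(w, row)]
        words.add(tuple(w))
    d = min(sum(w) for w in words if any(w))
    return n, len(words).bit_length() - 1, d


def divmod2(a, h):
    """Ordinary (non-cyclic) polynomial division over Z2: returns (quotient, remainder)."""
    dh, q = h.bit_length() - 1, 0
    while a and a.bit_length() - 1 >= dh:
        s = a.bit_length() - 1 - dh
        q, a = q | (1 << s), a ^ (h << s)
    return q, a


def reciprocal(g):
    """Equation (8): g*(x) = x^deg(g) g(1/x), i.e. the coefficient string reversed."""
    return int(format(g, "b")[::-1], 2)


def unity_cmg_mod(h, k):
    """Example 4: I = {x^i mod h(x) : i = 0..k-1} for h(x) dividing x^k + 1."""
    return [divmod2(1 << i, h)[1] for i in range(k)]


def lemma3_generator(h, k):
    """Equation (7): g(x) = ((x^k + 1) / h(x))*, the cyclic code equivalent to I."""
    return reciprocal(divmod2((1 << k) | 1, h)[0])


if __name__ == "__main__":
    k, a = 5, poly(0, 2, 4)                                   # Example 2: a(x) = (024)
    print({n: len(g) for n, g in groups_by_order(k).items()})
    A = cmg(a, k)
    print([exps(g) for g in A])                               # (024), (034), (1), ...
    print(code_parameters(generator_matrix(A, k)))            # (15, 5, 7)
    abar = symmetric(a, k)                                    # Example 3: (13)
    print(code_parameters(generator_matrix(cmg(abar, k), k))) # (15, 4, 8)
    h = poly(0, 1, 2, 4)                                      # Example 4
    print(exps(lemma3_generator(h, 7)),                       # (0, 2, 3)
          code_parameters(generator_matrix(unity_cmg_mod(h, 7), 4)))  # (7, 4, 3)
```

Running it reproduces the (15,5,7) code of Example 2 from $a(x) = (024)$, the (15,4,8) code of Example 3 from $\bar a = (13)$, the identity $\bar a^i = e_0 + a^i$ of Lemma 1, and $g(x) = 1 + x^2 + x^3$ for Example 4; `groups_by_order(5)` lists all 32 polynomials of $Z_2[x]/(x^5 + 1)$ by order, so it can be set beside the lists of Example 1. The minimum-distance search enumerates every codeword, which is fine at these sizes but exponential in the dimension.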

Clearly, traditional cyclic codes are only a special case of cyclic codes over CMGs.
Traditional cyclic codes are cyclic codes with clock $x$; cyclic codes over CMGs are
cyclic codes with an arbitrary clock $a(x)$. The number of traditional cyclic codes
is limited and depends on the number of ideals. The number of cyclic codes over
CMGs is greater than that. The simulation results for the comparison between the
BER performance of the proposed cyclic codes (PCC) based on the CMG structure
and traditional cyclic codes (TCC) in an AWGN channel with BPSK modulation
are shown in Fig. 2. In this investigation, the (15,5) cyclic code with 5e+7 input
information bits is used. From Fig. 2, it can be seen that the BER for the proposed
cyclic codes is lower than the BER for the traditional cyclic codes. The BER of
the proposed cyclic codes (15,5) at Eb/N0 = 7 dB has a good performance with
value 1.6e-7.

5 Conclusion
We have proposed an approach for the efficient construction of cyclic codes
from cyclic multiplicative groups. Using the novel method, we can consider
traditional cyclic codes as a subclass of CMG cyclic codes. This leads to a new point
of view on cyclic codes with the ability to extend codeword generation. The
novel algebraic structure has significant advantages: the good constructed cyclic
code cosets are larger than conventional ones; a longer cyclic code can be generated
from a smaller polynomial ring; and the BER performance is better. Moreover, the
characteristics of CMGs are very suitable for VLSI implementation, such as
FPGA with high speed calculation. Our future work will focus on the investigation
of applications of cyclic codes based on CMGs for PN generation, PAPR reduction
in OFDM and cryptography.

References
1. Prange, E.: Cyclic Error-Correcting Codes in Two Symbols. Electronics Research
Directorate, Air Force Cambridge Res. Ctr. (1957)
2. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes. North-
Holland, Amsterdam (1977)
3. Van Lint, J.H.: Introduction to Coding Theory, 3rd edn. Springer, Heidelberg
(1999)
4. Blahut, R.E.: Theory and Practice of Error Control Coding. Addison-Wesley, Read-
ing, MA (1983)
5. Moon, T.K.: Error Correction Coding: Mathematical Methods and Algorithm.
John Wiley & Sons, Inc., Chichester (2005)
6. Pincin, A.: A New Algorithm for Multiplication in Finite Fields. IEEE Trans.
Computer 38(1), 1045–1049 (1989)
7. Namin, A.H., Wu, H., Ahmadi, M.: Comb Architectures for Finite Field Multipli-
cation in F 2m . IEEE Trans. Computers 56(7), 909–916 (2007)
8. Katti, R., Brennan, J.: Low Complexity Multiplication in a Finite Field Using Ring
Representation. IEEE Trans. Computers 52(4), 418–427 (2003)
9. Lidl, R., Niederreiter, H.: Introduction to Finite Fields and Their Applications,
2nd edn. Cambridge Univ. Press, Cambridge (1997)
10. Wang, C.C., Truong, T.K., Shao, H.M., Deutsch, L.J., Omura, J.K., Reed, I.S.:
VLSI Architectures for Computing Multiplications and Inverses in GF (2m ). IEEE
Trans. Computers 34(8), 709–717 (1985)
11. Wu, H., Hasan, M.A., Blake, I.F., Gao, S.: Finite Field Multiplier Using Redundant
Representation. IEEE Trans. Computers 51(11), 1306–1316 (2002)
12. Baodian, W., Liu, D., Ma, W., Wang, X.: Property of Finite Fields and Its Cryp-
tography Application. Electron. Lett. 39, 655–656 (2003)

Appendix

The values of $k$ for which $\mathbb{Z}_2[x]/(x^k+1)$ is a polynomial ring with two cyclotomic cosets:
k = 3, 5, 11, 13, 19, 29, 37, 53, 59, 61, 67, 83, 101, 107, 131, 139, 149, 163, 173, 179, 181, 197, 211, 227, 269, 293, 317, 347, 349, 373, 379, 389, 419, 421, 443, 461, 467, 491, 509, 523, 541, 547, 557, 563, 587, 613, 619, 653, 659, 661, 677, 701, 709, 757, 773, 787, 779, 821, 827, 829, 853, 859, 877, 883, 907, 941, 947.
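The criterion behind this table can be recomputed directly. For odd $k$, the cyclotomic cosets of $\mathbb{Z}_k$ under multiplication by 2 are the exponent sets of the irreducible factors of $x^k+1$ over $GF(2)$, so the ring $\mathbb{Z}_2[x]/(x^k+1)$ has exactly two cosets ($\{0\}$ and everything else) precisely when $x^k+1=(x+1)\cdot g(x)$ with $g$ irreducible of degree $k-1$. The Python below is an added example, not code from the paper, and the function names are ours:

```python
from math import gcd

def cyclotomic_cosets(k, q=2):
    """Partition Z_k into cyclotomic cosets {s, q*s, q^2*s, ...} (mod k).

    For gcd(k, q) = 1 each coset collects the exponents of one irreducible
    factor of x^k - 1 over GF(q), so the number of cosets equals the number
    of irreducible factors. Cosets are returned in order of their smallest element.
    """
    if gcd(k, q) != 1:
        raise ValueError("k and q must be coprime for the coset/factor correspondence")
    seen = [False] * k
    cosets = []
    for s in range(k):
        if seen[s]:
            continue
        coset, e = [], s
        while not seen[e]:
            seen[e] = True
            coset.append(e)
            e = (e * q) % k
        cosets.append(coset)
    return cosets

def has_two_cosets(k):
    """True iff Z_2[x]/(x^k + 1) has exactly the two cosets {0} and Z_k minus {0},
    i.e. x^k + 1 = (x + 1) * (one irreducible factor of degree k - 1) over GF(2)."""
    return k % 2 == 1 and len(cyclotomic_cosets(k, 2)) == 2

def two_coset_lengths(limit):
    """All odd k <= limit that satisfy the appendix's criterion."""
    return [k for k in range(3, limit + 1, 2) if has_two_cosets(k)]

if __name__ == "__main__":
    print(two_coset_lengths(61))
```

`two_coset_lengths(61)` returns 3, 5, 11, 13, 19, 29, 37, 53, 59, 61, the opening entries of the table, and any single entry can be checked with `has_two_cosets(k)`; for instance 779 = 19 · 41 is composite and fails the check, whereas 797 passes it.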
Distribution of Trace Values and Two-Weight, Self-orthogonal Codes over GF(p, 2)

N. Pinnawala1, A. Rao1, and T.A. Gulliver2

1 School of Mathematical and Geospatial Sciences, RMIT University, GPO Box 2476V, Melbourne, VIC 3001, Australia
[email protected], [email protected]
2 Department of Electrical and Computer Engineering, University of Victoria, P.O. Box 3055, STN CSC, Victoria, B.C., Canada V8W 3P6
[email protected]

Abstract. The uniform distribution of the trace map lends itself very well to the construction of binary and non-binary codes from Galois fields and Galois rings. In this paper we study the distribution of the trace map with the argument $ax^2$ over the Galois field $GF(p,2)$. We then use this distribution to construct two-weight, self-orthogonal, trace codes.

Keywords: Trace map, self-orthogonal, non-binary, two-weight, Galois fields.

1 Introduction

In [1] and [2] the trace map over the Galois field $GF(p,m)$ and the ring $GR(p^s,m)$ was used to construct linear codes over $\mathbb{Z}_{2^s}$ and $\mathbb{Z}_{p^s}$, respectively. At that time the distribution of the trace map was very intriguing and the question arose of whether this trace distribution was as straightforward when the argument was changed. One encounter of a different argument was in the search for mutually unbiased bases, which can enable a quantum cryptosystem in $d$ dimensions [3]. The authors were unable to find any information in the literature about such distributions of the trace map other than the fundamental properties. It does turn out that this work is not straightforward, and this paper looks at the distribution of $Tr(ax^2)$ over $GF(p,2)$ for odd primes $p$. The two-weight self-orthogonal codes generated using this distribution are a by-product.
Let $p$ be a prime and $\mathbb{Z}_p^n$ be the vector space of all $n$-tuples over the finite field $\mathbb{Z}_p$. If $C$ is a $k$-dimensional subspace of $\mathbb{Z}_p^n$ then $C$ is called an $[n,k]$ linear code over $\mathbb{Z}_p$. The generator matrix $G$ of an $[n,k]$ code $C$ is simply a matrix whose rows are linearly independent and span the code. The inner product of $x=(x_1,x_2,\dots,x_n)$, $y=(y_1,y_2,\dots,y_n)\in\mathbb{Z}_p^n$ is defined by $x\cdot y=\sum_{i=1}^{n}x_iy_i$. Using the inner product, the dual code $C^\perp$ of $C$ is defined by $C^\perp=\{x\in\mathbb{Z}_p^n \mid x\cdot c=0\ \forall\, c\in C\}$. The code $C$ is called self-orthogonal if $C\subseteq C^\perp$.
Many authors look at self-orthogonal codes, for example, [4,5,6,7]. The following are some preliminary results on self-orthogonal codes that are useful here:

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 311–320, 2007.
© Springer-Verlag Berlin Heidelberg 2007

Lemma 1 (Theorem 1.4.3, [8]). (i) If $x\in\mathbb{Z}_2^n$ then $w_H(x)\equiv x\cdot x \pmod 2$. (ii) If $x\in\mathbb{Z}_3^n$ then $w_H(x)\equiv x\cdot x \pmod 3$.
Note that this result does not hold for $x\in\mathbb{Z}_p^n$ when $p>3$, the reason being that when $x\in\mathbb{Z}_p^n$, $w_H(x)=\sum_{i=1}^{p-1}n_i$, where $n_i$ is the number of coordinates of $x$ equal to $i$, and $x\cdot x=\sum_{i=1}^{n}x_i^2=n_1+n_2\,2^2+n_3\,3^2+\dots+n_{p-1}(p-1)^2$. This does not imply that $w_H(x)\equiv x\cdot x \pmod p$. Lemma 1 does tell us whether a given ternary code is self-orthogonal.
Lemma 2 (Theorem 1.4.10, [8]). Let C be an [n, k, d] code over Z3 . C is
self-orthogonal if and only if the weight of every non-zero codeword is divisible
by 3.
Again this result cannot check the self-orthogonality of codes over Zp for p > 3.
For this we need the following result.
Lemma 3 (Proposition 1 [7]). Let p be an odd prime and C be a linear code
over Zp . Then C is self-orthogonal if and only if c · c = 0 ∀ c ∈ C.
An important invariant of a code is the minimum distance between codewords.
The Hamming distance dH (x, y) between two vectors x, y ∈ Znp is defined to
be the number of coordinates in which x and y differ. The minimum distance
of a code C is the smallest distance between distinct codewords, and is simply
denoted by d. The higher the minimum distance, the greater the number of errors
that can be corrected. If the minimum distance $d$ of an $[n,k]$ code is known then $C$ is an $[n,k,d]$ code.
The weight enumerator of $C$ is the polynomial $W_C(x,y)=\sum_{i=0}^{n}A_i\,x^{n-i}y^i$, where $A_i$ is the number of codewords of weight $i$. A code is called a two-weight code if $|\{i \mid i\neq 0 \text{ and } A_i\neq 0\}|=2$. More details on two-weight codes can be found in [9,10,11], etc. and the references therein.
The trace map can be used to go down from a code defined over an extension
field to a code defined over the ground field. Let Fq be the ground field of the
extended field Fqr . Let C be an Fqr -linear code of length n and T r : Fqr → Fq be
the trace. The code T r(C), defined as the set of all (T r(x1 ), T r(x2 ), . . . , T r(xn )),
is called the trace code, where (x1 , x2 , . . . , xn ) ∈ C. We note that the codes found
in this paper could be classed as trace codes, since they are found using a trace
map. See [12] for example for details on trace codes.
We now have some of the tools required to classify the codes found in this pa-
per. In the next section we study the distribution of the trace map over GF (p, 2),
using the argument ax2 . In Section 3 we construct our codes and study their
properties. In the final section, we give some conclusions and detail further work.

2 Distribution of $Tr(ax^2)$ over $GF(p,2)$

Let $p(x)$ be a primitive polynomial of degree $m$ over $\mathbb{Z}_p$. The Galois field of characteristic $p$ is defined to be the quotient field $GF(p,m)=\mathbb{Z}_p[x]/(p(x))$. Let $\zeta$ be a root of $p(x)$, and therefore $GF(p,m)=\mathbb{Z}_p[\zeta]$. Any element in $GF(p,m)$ can be written as a polynomial in $\zeta$ over $\mathbb{Z}_p$, and further it is well known that
$$GF(p,m)=\{0,1,\zeta,\zeta^2,\dots,\zeta^{p^m-2}\}.$$

Definition 1. Let $GF(p,m)$ be the Galois field of characteristic $p$. The trace map $Tr: GF(p,m)\to\mathbb{Z}_p$ is defined by $Tr(x)=x+x^p+x^{p^2}+\dots+x^{p^{m-1}}$.

Theorem 1. The trace map satisfies the following properties:
(i) $Tr(x+y)=Tr(x)+Tr(y)\ \forall\ x,y\in GF(p,m)$.
(ii) $Tr(ax)=a\,Tr(x)\ \forall\ a\in\mathbb{Z}_p,\ x\in GF(p,m)$.
(iii) $Tr(x^p)=Tr(x)\ \forall\ x\in GF(p,m)$.
(iv) $Tr(a)=am\ \forall\ a\in\mathbb{Z}_p$.
(v) $Tr(x)=0$ if and only if $x=y^p-y$ for some $y\in GF(p,m)$.
(vi) As $x$ ranges over $GF(p,m)$, $Tr(x)$ takes each element in $\mathbb{Z}_p$ equally often, $p^{m-1}$ times.
Since every non-zero element of $GF(p,2)$ can be written as a power of the primitive element $\zeta$, we first identify the powers of $\zeta$ that have trace zero.

Lemma 4. Let $Tr$ be the trace map over $GF(p,2)$ defined by $Tr(x)=x+x^p$. Let $\zeta^t\in GF(p,2)^*=GF(p,2)\setminus\{0\}$, where $0\le t\le p^2-2$. Then
i. $Tr(\zeta^{\frac{p+1}{2}})=0$.
ii. For $0\le t<\frac{p+1}{2}$, $Tr(\zeta^t)\neq 0$.
iii. If $Tr(\zeta^t)=0$ then $Tr(\zeta^{t(2k+1)})=0$, where $k=0,1,\dots,p-2$.

Proof:
i. By using the definition of the trace map we have
$$Tr(\zeta^{\frac{p+1}{2}})=\zeta^{\frac{p+1}{2}}+\left(\zeta^{\frac{p+1}{2}}\right)^p=\zeta^{\frac{p+1}{2}}\left(1+\zeta^{\frac{p^2-1}{2}}\right).$$
Since $\zeta$ has order $p^2-1$, i.e., $p^2-1$ is the smallest positive exponent $e$ with $\zeta^e=1$, we have $\zeta^{\frac{p^2-1}{2}}=-1$. Therefore $Tr(\zeta^{\frac{p+1}{2}})=0$.
ii. Let $Tr(\zeta^t)=0$ for some $t$, $0\le t<\frac{p+1}{2}$. This implies that
$$\zeta^t+\zeta^{tp}=0\ \Rightarrow\ \zeta^t=0\ \text{or}\ \zeta^{(p-1)t}=-1.$$
Since $\zeta$ is a primitive element of $GF(p,2)^*$, $\zeta^t\neq 0$ for any $t$. Thus $\zeta^{(p-1)t}=-1$ and $\zeta^{(p-1)2t}=1$. Hence $(p^2-1)\mid(p-1)2t$, i.e., $2(p-1)t=(p^2-1)m$ for some $m\in\mathbb{Z}^+$. This implies that $t=\frac{p+1}{2}m$, a contradiction to the assumption. Therefore $Tr(\zeta^t)\neq 0$ for any $t$, $0<t<\frac{p+1}{2}$, and the minimum value of $t$ such that $Tr(\zeta^t)=0$ is $t=\frac{p+1}{2}$.
iii. From the definition of the trace map, if $Tr(\zeta^t)=0$ then $\zeta^t+\zeta^{tp}=0\Rightarrow(\zeta^t)^{2k}=(\zeta^{tp})^{2k}$. Therefore $Tr(\zeta^{t(2k+1)})=\zeta^{t(2k+1)}+\zeta^{tp(2k+1)}=\zeta^t\zeta^{2tk}+\zeta^{2tkp}\zeta^{tp}=\zeta^t\zeta^{2tkp}+\zeta^{2tkp}\zeta^{tp}=\zeta^{2tkp}(\zeta^t+\zeta^{tp})=0$. Thus if $Tr(\zeta^t)=0$ then $Tr(\zeta^{t(2k+1)})=0$. From part (vi) of Theorem 1 there are $p-1$ elements in $GF(p,2)^*$ such that $Tr(x)=0$. Hence if $Tr(\zeta^t)=0$ then $Tr(\zeta^{t(2k+1)})=0$ for all $k=0,1,2,\dots,p-2$.
Corollary 1. For $x\in GF(p,2)^*$, $Tr(x)=0$ if and only if
$$x=\zeta^{\left(\frac{p+1}{2}\right)(2k+1)}=\zeta^{(p+1)k}\,\zeta^{\frac{p+1}{2}},\quad\text{where } k=0,1,2,\dots,p-2.$$

The base field $GF(p,1)\cong\mathbb{Z}_p$ is a subfield of the extended field $GF(p,2)$. The next lemma gives us those indices $t$ for which $\zeta^t\in GF(p,1)^*$.

Lemma 5. Let $\zeta^t\in GF(p,2)^*$, for some $t$, $0\le t\le p^2-1$. If $\zeta^t\in GF(p,1)^*$ then $t=(p+1)k$.

Proof: Let $\zeta^t\in GF(p,2)^*$, for some $t$, $0\le t\le p^2-1$. Now $GF(p,1)\cong\mathbb{Z}_p$ is a subfield of $GF(p,2)$. Hence if $\zeta^t\in GF(p,1)^*\cong\mathbb{Z}_p\setminus\{0\}$ then $Tr(\zeta^t\zeta^{\frac{p+1}{2}})=\zeta^t\,Tr(\zeta^{\frac{p+1}{2}})=0$, from part (ii) of Theorem 1 and part (i) of Lemma 4. But from Corollary 1, if $x\in GF(p,2)^*$ is such that $Tr(x)=0$ then $x=\zeta^{\left(\frac{p+1}{2}\right)(2k+1)}=\zeta^{(p+1)k}\zeta^{\frac{p+1}{2}}$. Hence $\zeta^t\zeta^{\frac{p+1}{2}}=\zeta^{(p+1)k}\zeta^{\frac{p+1}{2}}\Rightarrow\zeta^t=\zeta^{(p+1)k}$, since $\zeta^{\frac{p+1}{2}}\neq 0$. Therefore if $\zeta^t\in GF(p,1)^*$ then $t=(p+1)k$, $k=0,1,2,\dots,p-2$, i.e., $\zeta^t$ is an element of the subfield when $t=(p+1)k$, $k=0,1,2,\dots,p-2$.

Thus far we have identified the elements $\zeta^t\in GF(p,2)^*$ which have trace 0 or are in the base field. We are now in a position to study the distribution of $Tr(ax^2)$, when both $a$ and $x$ range over $GF(p,2)$. A useful tool in this study is to list the elements of $GF(p,2)^*$ in a two-dimensional array based on the powers of a chosen primitive element $\zeta$.
Let $\zeta$ be a primitive element of $GF(p,2)$. Then $GF(p,2)^*=\{1,\zeta,\zeta^2,\dots,\zeta^{p^2-2}\}$ and $\zeta^{p^2-1}=\zeta^0=1$. Also
$$\zeta^{\left(\frac{p+1}{2}\right)(2p-3)+\left(\frac{p+1}{2}\right)}=\zeta^{\frac{2p^2-3p+2p-3+p+1}{2}}=\zeta^{\frac{2(p^2-1)}{2}}=\zeta^{p^2-1}=1.$$
The elements in $GF(p,2)^*$ can now be listed by means of a $(p-1)\times(p+1)$ matrix $\left[\zeta^{\left(\frac{p+1}{2}\right)(2k+1)+d}\right]$, where $k=0,1,2,\dots,p-2$ ranges over the rows of the matrix, creating $p-1$ rows, and $d=0,1,2,\dots,p$ ranges over the columns of the matrix, creating $p+1$ columns. This $(p-1)\times(p+1)$ matrix is given by
$$\begin{bmatrix}
\zeta^{\frac{p+1}{2}} & \dots & \zeta^{\frac{p+1}{2}+d} & \dots & \zeta^{\frac{p+1}{2}+\frac{p+1}{2}} & \dots & \zeta^{\frac{p+1}{2}+p}\\
\zeta^{\frac{p+1}{2}\cdot 3} & \dots & \zeta^{\frac{p+1}{2}\cdot 3+d} & \dots & \zeta^{\frac{p+1}{2}\cdot 3+\frac{p+1}{2}} & \dots & \zeta^{\frac{p+1}{2}\cdot 3+p}\\
\vdots & & \vdots & & \vdots & & \vdots\\
\zeta^{\frac{p+1}{2}(2k+1)} & \dots & \zeta^{\frac{p+1}{2}(2k+1)+d} & \dots & \zeta^{\frac{p+1}{2}(2k+1)+\frac{p+1}{2}} & \dots & \zeta^{\frac{p+1}{2}(2k+1)+p}\\
\vdots & & \vdots & & \vdots & & \vdots\\
\zeta^{\frac{p+1}{2}(2p-3)} & \dots & \zeta^{\frac{p+1}{2}(2p-3)+d} & \dots & \zeta^{p^2-1}=1 & \dots & \zeta^{\frac{p+1}{2}(2p-3)+p}
\end{bmatrix}$$
This arrangement of the elements of $GF(p,2)^*$ enables us to better understand the distribution of the values of the trace map. For ease of reading let $a_k$, $k=0,1,\dots,p-2$, be a listing of the non-zero elements of the base field.

Lemma 6. The trace of the elements of $GF(p,2)^*$ is distributed in the following manner:
i. The trace of each element in the first column of the matrix representation of $GF(p,2)^*$ is zero.
ii. The trace of the elements in every other column of the matrix representation of $GF(p,2)^*$ takes every element in $\mathbb{Z}_p\setminus\{0\}$ once only.

Proof
i. From Corollary 1 it is clear that the trace of the elements in the first column of the matrix representation of $GF(p,2)^*$ is zero, i.e., $Tr\left(\zeta^{\left(\frac{p+1}{2}\right)(2k+1)}\right)=0$, $\forall\ k=0,1,2,\dots,p-2$.
ii. From Lemma 5 the trace of the elements in the $d$th column ($d\neq 0$) of the matrix is given by
$$Tr\left(\zeta^{\left(\frac{p+1}{2}\right)(2k+1)+d}\right)=Tr\left(\zeta^{(p+1)k}\zeta^{\frac{p+1}{2}}\zeta^{d}\right)=Tr\left(a_k\,\zeta^{\frac{p+2d+1}{2}}\right)\ (\text{from Lemma 5})=a_k\,Tr\left(\zeta^{\frac{p+2d+1}{2}}\right);\quad a_k\in GF(p,1)^*\equiv\mathbb{Z}_p\setminus\{0\}.$$
From Corollary 1 we know that for $x\in GF(p,2)^*$, $Tr(x)=0$ if and only if $x=\zeta^{\left(\frac{p+1}{2}\right)(2k+1)}$, where $k=0,1,2,\dots,p-2$, and therefore $Tr(\zeta^{\frac{p+2d+1}{2}})\neq 0$ for all $d=1,2,\dots,p$, i.e., $Tr(\zeta^{\frac{p+2d+1}{2}})$ is fixed for each column. In addition, $a_k$ represents every element in $\mathbb{Z}_p\setminus\{0\}$ for $k=0,1,2,\dots,p-2$. Consequently the trace of the elements in the $d$th column of the matrix representation of $GF(p,2)^*$ takes each element in $\mathbb{Z}_p\setminus\{0\}$ exactly once.

Example 1. Consider the primitive polynomial $p(x)=x^2+x+2$ over $\mathbb{Z}_5$. The elements in $GF(5,2)^*=\{1,\zeta,\zeta^2,\dots,\zeta^{23}\}$ and their trace values are given in the following table (each $x$ is written as $x=a_1\zeta+a_0$):

x      a1 ζ + a0   Tr(x)    x      a1 ζ + a0   Tr(x)    x      a1 ζ + a0   Tr(x)
1      0ζ + 1      2        ζ^8    3ζ + 1      4        ζ^16   2ζ + 3      4
ζ      1ζ + 0      4        ζ^9    3ζ + 4      0        ζ^17   1ζ + 1      1
ζ^2    4ζ + 3      2        ζ^10   1ζ + 4      2        ζ^18   0ζ + 3      1
ζ^3    4ζ + 2      0        ζ^11   3ζ + 3      3        ζ^19   3ζ + 0      2
ζ^4    3ζ + 2      1        ζ^12   0ζ + 4      3        ζ^20   2ζ + 4      1
ζ^5    4ζ + 4      4        ζ^13   4ζ + 0      1        ζ^21   2ζ + 1      0
ζ^6    0ζ + 2      4        ζ^14   1ζ + 2      3        ζ^22   4ζ + 1      3
ζ^7    2ζ + 0      3        ζ^15   1ζ + 3      0        ζ^23   2ζ + 2      2

The matrix representation of $GF(5,2)^*$ is then:
$$GF(5,2)^*=\begin{bmatrix}
\zeta^3 & \zeta^4 & \zeta^5 & \zeta^6 & \zeta^7 & \zeta^8\\
\zeta^9 & \zeta^{10} & \zeta^{11} & \zeta^{12} & \zeta^{13} & \zeta^{14}\\
\zeta^{15} & \zeta^{16} & \zeta^{17} & \zeta^{18} & \zeta^{19} & \zeta^{20}\\
\zeta^{21} & \zeta^{22} & \zeta^{23} & \zeta^{24}=1 & \zeta^{25}=\zeta & \zeta^{26}=\zeta^2
\end{bmatrix}_{4\times 6}$$
and the corresponding trace matrix is:
$$Tr(GF(5,2)^*)=\begin{bmatrix}
0 & 1 & 4 & 4 & 3 & 4\\
0 & 2 & 3 & 3 & 1 & 3\\
0 & 4 & 1 & 1 & 2 & 1\\
0 & 3 & 2 & 2 & 4 & 2
\end{bmatrix}_{4\times 6}$$
It is clear that the first column is an all-zero column and every non-initial column contains each non-zero element of $\mathbb{Z}_5$ exactly once.

We can now examine the trace distribution for the specific case considered in this paper: $Tr(ax^2)$.

Theorem 2. Let $Tr$ be the trace map over $GF(p,2)$. As $x$ ranges over $GF(p,2)^*$ and for $a\in GF(p,2)^*$, $Tr(ax^2)$ takes each element in $\mathbb{Z}_p\setminus\{0\}$ equally often, either $p+1$ times or $p-1$ times.

In the matrix representation of $GF(p,2)^*$ (Lemma 6), we note that there are $\frac{p+1}{2}$ columns with odd powers of $\zeta$ and $\frac{p+1}{2}$ columns with even powers of $\zeta$. We will label these columns as odd and even, respectively. We call the matrix obtained by taking the trace of each element in the matrix representation of $GF(p,2)^*$ the trace matrix of $GF(p,2)^*$.
Before we can prove Theorem 2, we need to work out some more details of the trace matrix. We consider the two cases, $p\equiv 1 \pmod 4$ and $p\equiv 3 \pmod 4$, separately.

Case I: $p\equiv 1 \pmod 4$. In this case $\frac{p+1}{2}$ is odd. From Lemma 4, $Tr(\zeta^{\left(\frac{p+1}{2}\right)(2k+1)})=0$ for all $k=0,1,2,\dots,p-2$. Hence the first odd column (which is the first column of the matrix representation of $GF(p,2)^*$) has trace zero. Therefore there are $\frac{p+1}{2}-1=\frac{p-1}{2}$ odd columns in the matrix representation of $GF(p,2)^*$ with non-zero trace.
From Lemma 6, the traces of the elements of each of these $\frac{p-1}{2}$ odd columns contain each element in $\mathbb{Z}_p\setminus\{0\}$ exactly once. Thus the trace of all the odd powers of $\zeta$ gives us each element in $\mathbb{Z}_p\setminus\{0\}$ $\frac{p-1}{2}$ times, and so the trace of all the even powers of $\zeta$ gives us each element in $\mathbb{Z}_p\setminus\{0\}$ $\frac{p+1}{2}$ times.

Case II: $p\equiv 3 \pmod 4$. Here $\frac{p+1}{2}$ is even. As in Case I, $Tr(\zeta^{\left(\frac{p+1}{2}\right)(2k+1)})=0$ for all $k=0,1,2,\dots,p-2$ and the first even column has trace zero. Therefore there are $\frac{p+1}{2}-1=\frac{p-1}{2}$ other even columns in the matrix representation of $GF(p,2)^*$ with non-zero trace, and hence the trace of all the even powers of $\zeta$ gives us each element in $\mathbb{Z}_p\setminus\{0\}$ $\frac{p-1}{2}$ times. Consequently the trace of all the odd powers of $\zeta$ gives us each element in $\mathbb{Z}_p\setminus\{0\}$ $\frac{p+1}{2}$ times.

Proof of Theorem 2. Let $a\in GF(p,2)^*$ be an even (resp. odd) power of $\zeta$ and consider the set $\{Tr(ax^2)\mid x\in GF(p,2)^*\}$. This set can be written as two copies of the trace of the elements in the set $\{\zeta^{2h}\mid h=0,1,2,\dots,\frac{p^2-3}{2}\}$ (resp. $\{\zeta^{2h+1}\mid h=0,1,2,\dots,\frac{p^2-3}{2}\}$) or its cyclic shifts.
Suppose $p\equiv 1 \pmod 4$. If $a\in GF(p,2)^*$ is an odd power of $\zeta$ then from Case I above, as $x$ ranges over $GF(p,2)^*$, $Tr(ax^2)$ takes each element in $\mathbb{Z}_p\setminus\{0\}$ equally often, $p-1$ times. If $a\in GF(p,2)^*$ is an even power of $\zeta$ then $Tr(ax^2)$ takes each element in $\mathbb{Z}_p\setminus\{0\}$ equally often, $p+1$ times.
Similarly if $p\equiv 3 \pmod 4$, when $a\in GF(p,2)^*$ is an even power of $\zeta$ then from Case II above, as $x$ ranges over $GF(p,2)^*$, $Tr(ax^2)$ takes each element in $\mathbb{Z}_p\setminus\{0\}$ equally often, $p-1$ times, and when $a\in GF(p,2)^*$ is an odd power of $\zeta$, $Tr(ax^2)$ takes each element in $\mathbb{Z}_p\setminus\{0\}$ equally often, $p+1$ times. (See Examples 2 and 3.)

3 Two-Weight Self-orthogonal Codes Via $Tr(ax^2)$ over $GF(p,2)$

Thus far we have studied the distribution of $Tr(ax^2)$ for $x$ ranging over the Galois field $GF(p,2)$. In this section we apply this result to construct cyclic, two-dimensional, two-weight, self-orthogonal codes over $\mathbb{Z}_p$.

Theorem 3 (Codes from $Tr(ax^2)$). Let $GF(p,2)$ be the Galois field of characteristic $p\ge 3$. Let $Tr$ be the trace map over $GF(p,2)$. Consider the matrix $H=[Tr(ax^2)]_{a,x\in GF(p,2)}$.
i. $H$ is a linear code over $\mathbb{Z}_p$ with parameters $[n,k,d_H]=[p^2,2,(p-1)^2]$, where $d_H$ is the minimum Hamming distance.
ii. $H$ is a two-weight code with Hamming weights $p^2-1$ and $(p-1)^2$.
iii. The code obtained by deleting the first column of $H$, denoted by $H^*$, is a cyclic code with parameters $[p^2-1,2,(p-1)^2]$.
iv. For $p>3$, $H$ is a self-orthogonal code.

Proof
i. Let $\zeta$ be a primitive element of $GF(p,2)$ and $c_i$ be any element in $GF(p,2)$. Consider the matrix
$$G_H=\begin{bmatrix} Tr(c_i^2), & i=1,2,\dots,p^2\\ Tr(\zeta c_i^2), & i=1,2,\dots,p^2\end{bmatrix}_{2\times p^2}.$$
The two rows of $G_H$ are linearly independent: for $a_0,a_1\in\mathbb{Z}_p$, and for all $i=1,2,\dots,p^2$, $a_0Tr(c_i^2)+a_1Tr(\zeta c_i^2)=0\Rightarrow a_0+a_1\zeta=0$ since $c_i^2\neq 0$ for some $i$, $\Rightarrow a_0=a_1=0$ since $1$ and $\zeta$ are linearly independent over $\mathbb{Z}_p$.
Now consider all linear combinations of the two rows in $G_H$. This gives us $a_0Tr(c_i^2)+a_1Tr(\zeta c_i^2)=Tr((a_0+a_1\zeta)c_i^2)$, $i=1,2,\dots,p^2$. Thus $G_H$ is a generator matrix for $H$, and consequently the length $n$ and the dimension $k$ of $H$ are $p^2$ and $2$, respectively, and $H$ is a linear code.
Now from Theorem 2 every non-zero row of $H$ contains every non-zero element of $\mathbb{Z}_p$ equally often, either $p+1$ times or $p-1$ times. Since there are $p-1$ non-zero elements in $\mathbb{Z}_p$, the minimum Hamming weight of $H$ is $(p-1)^2$.
ii. Since every non-zero codeword of $H$ contains each element in $\mathbb{Z}_p\setminus\{0\}$ equally often, either $p+1$ times or $p-1$ times, the codewords have Hamming weights either $p^2-1$ or $(p-1)^2$, and $H$ is a two-weight code over $\mathbb{Z}_p$.
iii. Let $H^*$ be obtained by deleting the first column of $H$:
$$H^*=\begin{bmatrix}
Tr(0) & Tr(0) & \dots & Tr(0) & Tr(0) & Tr(0) & \dots & Tr(0)\\
Tr(1) & Tr(\zeta^2) & \dots & Tr(\zeta^{p^2-3}) & Tr(1) & Tr(\zeta^2) & \dots & Tr(\zeta^{p^2-3})\\
Tr(\zeta) & Tr(\zeta^3) & \dots & Tr(\zeta\,\zeta^{p^2-3}) & Tr(\zeta) & Tr(\zeta^3) & \dots & Tr(\zeta\,\zeta^{p^2-3})\\
Tr(\zeta^2) & Tr(\zeta^4) & \dots & Tr(\zeta^2\zeta^{p^2-3}) & Tr(\zeta^2) & Tr(\zeta^4) & \dots & Tr(\zeta^2\zeta^{p^2-3})\\
\vdots & \vdots & & \vdots & \vdots & \vdots & & \vdots\\
Tr(\zeta^{p^2-2}) & Tr(\zeta^{p^2}) & \dots & Tr(\zeta^{p^2-2}\zeta^{p^2-3}) & Tr(\zeta^{p^2-2}) & Tr(\zeta^{p^2}) & \dots & Tr(\zeta^{p^2-2}\zeta^{p^2-3})
\end{bmatrix}.$$
The second and third rows generate this code; the next two consecutive rows are the left cyclic shift by one element of the second and third rows, respectively, and so on. Thus $H^*$ is a cyclic code.
iv. Let $S$ be the dot product of a non-zero codeword of $H$ with itself. Again from Theorem 2 every non-zero codeword of $H$ contains each element in $\mathbb{Z}_p\setminus\{0\}$ equally often, either $p+1$ times or $p-1$ times. Therefore either
$$S=(p+1)\sum_{i=1}^{p-1}i^2=(p+1)\frac{p(2p^2-3p+1)}{6}$$
or
$$S=(p-1)\sum_{i=1}^{p-1}i^2=(p-1)\frac{p(2p^2-3p+1)}{6}.$$
If $p>3$ we have $S\equiv 0 \pmod p$, and from Lemma 3 $H$ is a self-orthogonal code over $\mathbb{Z}_p$ for $p>3$.

The following two examples illustrate Theorems 2 and 3.

Example 2. Consider the primitive polynomial $p(x)=x^2+x+2$ over $\mathbb{Z}_3$ and let $\zeta$ be a root of $p(x)$. The elements of $GF(3,2)=\mathbb{Z}_3[x]/(p(x))=\mathbb{Z}_3[\zeta]$ can be listed as $\{0,1,\zeta,\zeta^2,\dots,\zeta^7\}$. The following table provides the trace values of these elements and their squares (each $x$ is written as $x=a_1\zeta+a_0$):

x     a1 ζ + a0   Tr(x)   x^2    Tr(x^2)
0     0ζ + 0      0       0      0
1     0ζ + 1      2       1      2
ζ     1ζ + 0      2       ζ^2    0
ζ^2   2ζ + 1      0       ζ^4    1
ζ^3   2ζ + 2      2       ζ^6    0
ζ^4   0ζ + 2      1       1      2
ζ^5   2ζ + 0      1       ζ^2    0
ζ^6   1ζ + 2      0       ζ^4    1
ζ^7   1ζ + 1      1       ζ^6    0

Taking $a,x\in GF(3,2)=\{0,1,\zeta,\zeta^2,\dots,\zeta^7\}$, the $9\times 9$ matrices $A=[ax^2]_{a,x\in GF(3,2)}$ and $H=[Tr(ax^2)]_{a,x\in GF(3,2)}$ are given by
$$A=\begin{bmatrix}
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0\\
0 & \zeta^0 & \zeta^2 & \zeta^4 & \zeta^6 & \zeta^0 & \zeta^2 & \zeta^4 & \zeta^6\\
0 & \zeta^1 & \zeta^3 & \zeta^5 & \zeta^7 & \zeta^1 & \zeta^3 & \zeta^5 & \zeta^7\\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots\\
0 & \zeta^6 & \zeta^0 & \zeta^2 & \zeta^4 & \zeta^6 & \zeta^0 & \zeta^2 & \zeta^4\\
0 & \zeta^7 & \zeta^1 & \zeta^3 & \zeta^5 & \zeta^7 & \zeta^1 & \zeta^3 & \zeta^5
\end{bmatrix},\qquad
H=\begin{bmatrix}
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0\\
0 & 2 & 0 & 1 & 0 & 2 & 0 & 1 & 0\\
0 & 2 & 2 & 1 & 1 & 2 & 2 & 1 & 1\\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots\\
0 & 0 & 2 & 0 & 1 & 0 & 2 & 0 & 1\\
0 & 1 & 2 & 2 & 1 & 1 & 2 & 2 & 1
\end{bmatrix}.$$

A generator matrix for $H$ is
$$G_H=\begin{bmatrix}0 & 2 & 0 & 1 & 0 & 2 & 0 & 1 & 0\\ 0 & 2 & 2 & 1 & 1 & 2 & 2 & 1 & 1\end{bmatrix}_{2\times 9},$$
while
$$H^*=\begin{bmatrix}
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0\\
2 & 0 & 1 & 0 & 2 & 0 & 1 & 0\\
2 & 2 & 1 & 1 & 2 & 2 & 1 & 1\\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots\\
0 & 2 & 0 & 1 & 0 & 2 & 0 & 1\\
1 & 2 & 2 & 1 & 1 & 2 & 2 & 1
\end{bmatrix}_{9\times 8}$$
is obtained by deleting the first column of $H$. $H$ is a linear code over $\mathbb{Z}_3$ with parameters $[9,2,4]$. The Hamming weight of each non-zero codeword is either 4 or 8. Thus $H$ is a two-weight code. The punctured code $H^*$, obtained by deleting the first column of $H$, is an $[8,2,4]$ cyclic code over $\mathbb{Z}_3$. The weight of each non-zero codeword is not divisible by 3 and from Lemma 2, $H$ is not a self-orthogonal code.
Example 3. Consider the primitive polynomial $p(x)=x^2+x+2$ over $\mathbb{Z}_5$ and let $\zeta$ be a root of $p(x)$. The elements of $GF(5,2)=\mathbb{Z}_5[x]/(p(x))=\mathbb{Z}_5[\zeta]$ can be listed as $\{0,1,\zeta,\zeta^2,\dots,\zeta^{23}\}$. The following table provides the trace values of the squares of these elements.

x     x^2   Tr(x^2)   x     x^2    Tr(x^2)   x      x^2    Tr(x^2)   x      x^2    Tr(x^2)   x      x^2    Tr(x^2)
0     0     0         ζ^4   ζ^8    4         ζ^9    ζ^18   1         ζ^14   ζ^4    1         ζ^19   ζ^14   3
1     1     2         ζ^5   ζ^10   2         ζ^10   ζ^20   1         ζ^15   ζ^6    4         ζ^20   ζ^16   4
ζ     ζ^2   2         ζ^6   ζ^12   3         ζ^11   ζ^22   3         ζ^16   ζ^8    4         ζ^21   ζ^18   1
ζ^2   ζ^4   1         ζ^7   ζ^14   3         ζ^12   1      2         ζ^17   ζ^10   2         ζ^22   ζ^20   1
ζ^3   ζ^6   4         ζ^8   ζ^16   4         ζ^13   ζ^2    2         ζ^18   ζ^12   3         ζ^23   ζ^22   3

Selecting $a,x\in GF(5,2)=\{0,1,\zeta,\zeta^2,\dots,\zeta^{23}\}$, the matrix $A=[ax^2]_{a,x\in GF(5,2)}$ is given by
$$A=\begin{bmatrix}
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & \dots & 0\\
0 & \zeta^0 & \zeta^2 & \zeta^4 & \zeta^6 & \zeta^8 & \zeta^{10} & \zeta^{12} & \zeta^{14} & \zeta^{16} & \zeta^{18} & \zeta^{20} & \zeta^{22} & \zeta^0 & \zeta^2 & \dots & \zeta^{22}\\
0 & \zeta^1 & \zeta^3 & \zeta^5 & \zeta^7 & \zeta^9 & \zeta^{11} & \zeta^{13} & \zeta^{15} & \zeta^{17} & \zeta^{19} & \zeta^{21} & \zeta^{23} & \zeta^1 & \zeta^3 & \dots & \zeta^{23}\\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & & \vdots\\
0 & \zeta^{22} & \zeta^0 & \zeta^2 & \zeta^4 & \zeta^6 & \zeta^8 & \zeta^{10} & \zeta^{12} & \zeta^{14} & \zeta^{16} & \zeta^{18} & \zeta^{20} & \zeta^{22} & \zeta^0 & \dots & \zeta^{20}\\
0 & \zeta^{23} & \zeta^1 & \zeta^3 & \zeta^5 & \zeta^7 & \zeta^9 & \zeta^{11} & \zeta^{13} & \zeta^{15} & \zeta^{17} & \zeta^{19} & \zeta^{21} & \zeta^{23} & \zeta^1 & \dots & \zeta^{21}
\end{bmatrix}_{25\times 25},$$
and the matrix $H=[Tr(ax^2)]_{a,x\in GF(5,2)}$ is given by
$$H=\begin{bmatrix}
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0\\
0 & 2 & 2 & 1 & 4 & 4 & 2 & 3 & 3 & 4 & 1 & 1 & 3 & 2 & 2 & 1 & 4 & 4 & 2 & 3 & 3 & 4 & 1 & 1 & 3\\
0 & 4 & 0 & 4 & 3 & 0 & 3 & 1 & 0 & 1 & 2 & 0 & 2 & 4 & 0 & 4 & 3 & 0 & 3 & 1 & 0 & 1 & 2 & 0 & 2\\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots\\
0 & 3 & 2 & 2 & 1 & 4 & 4 & 2 & 3 & 3 & 4 & 1 & 1 & 3 & 2 & 2 & 1 & 4 & 4 & 2 & 3 & 3 & 4 & 1 & 1\\
0 & 2 & 4 & 0 & 4 & 3 & 0 & 3 & 1 & 0 & 1 & 2 & 0 & 2 & 4 & 0 & 4 & 3 & 0 & 3 & 1 & 0 & 1 & 2 & 0
\end{bmatrix}_{25\times 25}.$$
The rows of $H$ can be generated by
$$G_H=\begin{bmatrix}
0 & 2 & 2 & 1 & 4 & 4 & 2 & 3 & 3 & 4 & 1 & 1 & 3 & 2 & 2 & 1 & 4 & 4 & 2 & 3 & 3 & 4 & 1 & 1 & 3\\
0 & 4 & 0 & 4 & 3 & 0 & 3 & 1 & 0 & 1 & 2 & 0 & 2 & 4 & 0 & 4 & 3 & 0 & 3 & 1 & 0 & 1 & 2 & 0 & 2
\end{bmatrix}_{2\times 25}.$$

Therefore $H$ is a linear code over $\mathbb{Z}_5$ and its parameters are $[25,2,16]$. The punctured code $H^*$, obtained by deleting the first column in $H$, is a $[24,2,16]$ cyclic code over $\mathbb{Z}_5$. The Hamming weight of each non-zero codeword of $H$ is either 16 or 24. Thus $H$ is a two-weight code. From part iv of Theorem 3, $H$ is a self-orthogonal code.
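Examples 1 to 3 can be reproduced end to end with a few lines of field arithmetic, which also serves the trace-matrix construction of Lemma 6 and the distribution counts of Theorem 2 above. The Python below is an added example, not code from the paper: it represents $GF(p,2)$ as pairs over $\mathbb{Z}_p$ modulo the paper's primitive polynomial $x^2+x+2$ (any other monic primitive quadratic can be passed as `poly`), computes $Tr(x)=x+x^p$, builds the trace matrix of Lemma 6, counts the values of $Tr(ax^2)$ as in Theorem 2, and constructs $H$ of Theorem 3 together with its weight set and the self-orthogonality check of Lemma 3. All function names are ours.

```python
from collections import Counter

# Elements of GF(p,2) are pairs (c0, c1) standing for c0 + c1*zeta, where zeta is a root
# of the monic primitive polynomial x^2 + e1*x + e0 over Z_p (so zeta^2 = -e1*zeta - e0).
# The paper's examples use p(x) = x^2 + x + 2, i.e. poly = (1, 2), for both p = 3 and p = 5.

def gf_add(a, b, p):
    return ((a[0] + b[0]) % p, (a[1] + b[1]) % p)

def gf_mul(a, b, p, poly=(1, 2)):
    """(a0 + a1 z)(b0 + b1 z) = a0 b0 + (a0 b1 + a1 b0) z + a1 b1 z^2, reduced with z^2 = -e1 z - e0."""
    e1, e0 = poly
    a0, a1 = a
    b0, b1 = b
    c0 = (a0 * b0 - a1 * b1 * e0) % p
    c1 = (a0 * b1 + a1 * b0 - a1 * b1 * e1) % p
    return (c0, c1)

def gf_pow(x, n, p, poly=(1, 2)):
    r = (1, 0)
    for _ in range(n):
        r = gf_mul(r, x, p, poly)
    return r

def zeta_powers(p, poly=(1, 2)):
    """[zeta^0, zeta^1, ..., zeta^(p^2-2)], i.e. GF(p,2)^*; raises if zeta is not primitive."""
    pw = [(1, 0)]
    for _ in range(p * p - 2):
        pw.append(gf_mul(pw[-1], (0, 1), p, poly))
    if len(set(pw)) != p * p - 1:      # primitive <=> the p^2-1 powers are pairwise distinct
        raise ValueError("x^2 + %dx + %d is not primitive over Z_%d" % (poly[0], poly[1], p))
    return pw

def trace(x, p, poly=(1, 2)):
    """Tr(x) = x + x^p (Definition 1 with m = 2); the value lies in Z_p, so its zeta-part is 0."""
    t0, t1 = gf_add(x, gf_pow(x, p, p, poly), p)
    assert t1 == 0
    return t0

def trace_matrix(p, poly=(1, 2)):
    """(p-1) x (p+1) trace matrix of Lemma 6: entry (k, d) is Tr(zeta^((p+1)/2 * (2k+1) + d))."""
    pw = zeta_powers(p, poly)
    n, h = p * p - 1, (p + 1) // 2
    return [[trace(pw[(h * (2 * k + 1) + d) % n], p, poly) for d in range(p + 1)]
            for k in range(p - 1)]

def lemma6_holds(p, poly=(1, 2)):
    """First column all zero; every other column is a permutation of Z_p minus {0}."""
    cols = list(zip(*trace_matrix(p, poly)))
    return all(v == 0 for v in cols[0]) and all(sorted(c) == list(range(1, p)) for c in cols[1:])

def trace_ax2_counts(a, p, poly=(1, 2)):
    """Counter of Tr(a x^2) as x ranges over GF(p,2)^* (Theorem 2)."""
    return Counter(trace(gf_mul(a, gf_mul(x, x, p, poly), p, poly), p, poly)
                   for x in zeta_powers(p, poly))

def code_H(p, poly=(1, 2)):
    """H = [Tr(a x^2)]_{a, x in GF(p,2)} of Theorem 3; rows and columns ordered 0, 1, zeta, zeta^2, ..."""
    elems = [(0, 0)] + zeta_powers(p, poly)
    return [[trace(gf_mul(a, gf_mul(x, x, p, poly), p, poly), p, poly) for x in elems]
            for a in elems]

def nonzero_weights(H):
    """Sorted set of Hamming weights of the non-zero rows; the smallest is the minimum distance."""
    return sorted({sum(1 for c in row if c) for row in H if any(row)})

def is_self_orthogonal(H, p):
    """Lemma 3: for odd p the code is self-orthogonal iff c.c = 0 for every codeword.
    The p^2 rows of H are exactly the codewords of this 2-dimensional code, so checking them suffices."""
    return all(sum(c * c for c in row) % p == 0 for row in H)

if __name__ == "__main__":
    for p in (3, 5):
        H = code_H(p)
        print(p, trace_matrix(p), nonzero_weights(H), is_self_orthogonal(H, p))
```

`trace_matrix(5)` returns the 4 × 6 trace matrix of Example 1, `code_H(3)` and `code_H(5)` give the matrices $H$ of Examples 2 and 3 with weight sets {4, 8} and {16, 24}, and `is_self_orthogonal` is false for $p=3$ and true for $p=5$, as Theorem 3 iv predicts. To go beyond the paper's two examples, pass another primitive quadratic, e.g. `poly=(1, 3)` for $p=7$ (our choice; $x^2+x+3$ is primitive over $\mathbb{Z}_7$), and the weights come out as $(p-1)^2=36$ and $p^2-1=48$.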

4 Conclusions and Further Work

Even though much work has been done on the classification of nonbinary self-orthogonal codes ([4,5,13]), these deal mostly with dimension 3 and larger. The codes we find here are 2-dimensional.
In this paper we studied the distribution of $Tr(ax^2)$ and used it to construct two-dimensional, two-weight, cyclic, self-orthogonal codes over $\mathbb{Z}_p$. The questions that arise are whether we can extend this construction to codes over $GF(p,2)$ using $Tr(ax^\lambda)$ for any integer $\lambda>0$ and, in general, over $GF(p,m)$. We are currently doing this research.

References
1. Pinnawala, N., Rao, A.: Cocyclic Simplex Codes of Type α Over Z4 and Z2s. IEEE Trans. Inform. Theory 50(9), 2165–2169 (2004)
2. Rao, A., Pinnawala, N.: New Linear Codes over Zps Via The Trace Map. In: 2005 IEEE International Symposium on Information Theory, Adelaide, Australia, pp. 124–126 (2005)
3. Cerf, N.J., Bourennane, M., Karlsson, A., Gisin, N.: Security of Quantum Key Distribution Using D-Level Systems. Physical Review Letters 88(127902) (2002)
4. Bouyukliev, I., Östergård, P.R.J.: Classification of Self-Orthogonal Codes. Discrete Math. 19(2), 363–370 (2005)
5. Gupta, M.K., Glynn, D.G., Gulliver, T.A.: On Some Quaternary Self Orthogonal Codes. In: Boztaş, S., Shparlinski, I. (eds.) AAECC-14. LNCS, vol. 2227, pp. 112–121. Springer, Heidelberg (2001)
6. Harada, M., Östergård, P.R.J.: Self-Dual and Maximal Self-Orthogonal Codes over F7. Elsevier Disc. Math. 256, 471–477 (2002)
7. Wan, Z.X.: A Characteristic Property of Self-Orthogonal Codes and Its Application to Lattices. Bull. Belg. Math. Soc. 5, 477–482 (1998)
8. Huffman, W.C., Pless, V.: Fundamentals of Error-Correcting Codes. Cambridge University Press, Cambridge (2003)
9. Calderbank, A.R., Kantor, W.M.: The Geometry of Two-Weight Codes. Bull. London Math. Soc. 18, 97–122 (1986)
10. Dodunekova, R., Dodunekov, S.M.: Error Detection with a Class of Q-Ary Two-Weight Codes. In: IEEE ISIT 2005, pp. 2232–2235 (2005)
11. Helleseth, T.: Some Two-Weight Codes with Composite Parity-Check Polynomials. IEEE Trans. Inform. Theory 22(5), 631–632 (1976)
12. Bierbrauer, J.: Introduction to Coding Theory. Discrete Mathematics and its Applications. Chapman & Hall/CRC, New York (2005)
13. Chen, Z., Fan, P., Jin, F.: New Results on Self-Orthogonal Unequal Error Protection Codes. IEEE Trans. Inform. Theory 36(5), 1141–1144 (1990)
Generalized Rotation Symmetric and Dihedral Symmetric Boolean Functions − 9 Variable Boolean Functions with Nonlinearity 242

Selçuk Kavut and Melek Diker Yücel

Department of Electrical Engineering and Institute of Applied Mathematics, Middle East Technical University (METU − ODTÜ), 06531, Ankara, Türkiye
{kavut, melekdy}@metu.edu.tr

Abstract. Recently, 9-variable Boolean functions having nonlinearity 241, which is strictly greater than the bent concatenation bound of 240, have been discovered in the class of Rotation Symmetric Boolean Functions (RSBFs) by Kavut, Maitra and Yücel. In this paper, we present several 9-variable Boolean functions having nonlinearity 242, which we obtain by suitably generalizing the classes of RSBFs and Dihedral Symmetric Boolean Functions (DSBFs). These functions do not have any zero in their Walsh spectrum values, hence they cannot be made balanced easily. This result also shows that the covering radius of the first order Reed-Muller code $R(1,9)$ is at least 242.

Keywords: Rotation symmetric Boolean functions, dihedral symmetric Boolean functions, nonlinearity.

1 Introduction
Constructing Boolean functions with high nonlinearity is a challenging problem in the areas of cryptography and combinatorics. The problem is also related to the covering radius of the first order Reed-Muller code. The Boolean functions attaining the maximum nonlinearity of $2^{n-1}-2^{\frac{n}{2}-1}$ are called bent [27], and they occur only for an even number of input variables $n$. For an odd number of input variables $n$, an upper bound on nonlinearity is given as $2\lfloor 2^{n-2}-2^{\frac{n}{2}-1}\rfloor$ [13]. For odd $n$, one can get Boolean functions having nonlinearity $2^{n-1}-2^{\frac{n-1}{2}}$ by concatenating two bent functions on $(n-1)$ variables. That is the reason why the nonlinearity value of $2^{n-1}-2^{\frac{n-1}{2}}$ for odd $n$ is known as the bent concatenation bound.
Recently, 9-variable Boolean functions with nonlinearity 241, which is greater than the bent concatenation bound of 240, have been discovered [15] in the RSBF class. The question of whether it is possible to exceed the bent concatenation bound for $n=9,11,13$ was open for almost three decades. It was known for odd $n\le 7$ that the maximum nonlinearity is equal to the bent concatenation bound, $2^{n-1}-2^{\frac{n-1}{2}}$, since the maximum nonlinearity of 5-variable Boolean functions was found [1] to be 12 in 1972, and that of 7-variable Boolean functions was computed [23] as 56 in 1980. However, in 1983, 15-variable Boolean functions with

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 321–329, 2007.
© Springer-Verlag Berlin Heidelberg 2007

nonlinearity 16276, which exceeded the bent concatenation bound, were demonstrated [24], and using this result it became possible to get Boolean functions with nonlinearity $2^{n-1}-2^{\frac{n-1}{2}}+20\times 2^{\frac{n-15}{2}}$ for odd $n\ge 15$. Until 2006, there was a gap for $n=9,11,13$ and the maximum nonlinearity known for these cases was $2^{n-1}-2^{\frac{n-1}{2}}$. In 2006, 9-variable functions which belong to the class of Rotation Symmetric Boolean Functions (RSBFs), with nonlinearity 241 ($=2^{9-1}-2^{\frac{9-1}{2}}+1$), were discovered [15]. Such functions were attained utilizing a steepest-descent based iterative heuristic that first appeared in [17], which was suitably modified in [15] for a search in the class of RSBFs.
The class of RSBFs is important in terms of their cryptographic and combinatorial properties [4,5,6,7,8,9,11,16,21,22,25,28,29]. The nonlinearity and correlation immunity of such functions have been studied in detail [4,11,16,21,22,28,29]. It is now clear that the RSBF class is quite rich in terms of these properties, and the recently found 9-variable RSBFs [15] having nonlinearity 241 support this fact. In [20], a subspace of RSBFs called Dihedral Symmetric Boolean Functions (DSBFs), which are invariant under the action of the dihedral group, is introduced. It has been shown that some of the 9-variable RSBFs having nonlinearity 241 also belong to this subspace, confirming the richness of DSBFs.
Since the space of the RSBF class is much smaller ($\approx 2^{\frac{2^n}{n}}$) than the total space of Boolean functions ($2^{2^n}$) on $n$ variables, it is possible to exhaustively search the space of RSBFs up to a certain value of $n$. In [14], an exhaustive search is carried out for the whole space of 9-variable RSBFs exploiting some combinatorial results related to the Walsh spectra of RSBFs, and it has been shown that there is no RSBF having nonlinearity $>241$. In order to find functions with higher nonlinearity, one needs to increase the search space. This motivated us to generalize the classes of RSBFs and DSBFs, and our search in the generalized DSBF and RSBF classes successfully ended up with 9-variable functions having nonlinearity 242. However, since these functions do not have any zero in their Walsh spectrum values, they cannot be made balanced easily.
Considering a Boolean function $f$ as a mapping from $GF(2^n)\to GF(2)$, the functions for which $f(\alpha^2)=f(\alpha)$ for any $\alpha\in GF(2^n)$ are referred to as idempotents [8,9]. In [24], 15-variable Patterson-Wiedemann functions having nonlinearity $16276=2^{15-1}-2^{\frac{15-1}{2}}+20$ are identified in the idempotent class. As pointed out in [8,9], the idempotents can be seen as RSBFs with a proper choice of basis. In the following section, we will propose the generalized $k$-RSBFs, as functions which satisfy $f(\alpha^{2^k})=f(\alpha)$, where $1\le k \mid n$. Note that if $\gcd(n,k)=1$, the resulting functions are the same as idempotents, whereas for $k=n$ the entire space of $n$-variable Boolean functions is covered. In the space of generalized $k$-RSBFs, imposing the condition of invariance under the action of the dihedral group, we obtain the class of generalized $k$-DSBFs as a subset of $k$-RSBFs.
2 Background
A Boolean function on n variables may be viewed as a mapping from $V_n = \{0,1\}^n$ into $\{0,1\}$. The truth table of a Boolean function $f(x_0, \ldots, x_{n-1})$ is a binary string of length $2^n$, $f = [f(0,0,\ldots,0), f(1,0,\ldots,0), f(0,1,\ldots,0), \ldots, f(1,1,\ldots,1)]$. The Hamming weight of a binary string S is the number of 1's in S, denoted by wt(S). An n-variable function f is said to be balanced if its truth table contains an equal number of 0's and 1's, i.e., $wt(f) = 2^{n-1}$. Also, the Hamming distance between equidimensional binary strings $S_1$ and $S_2$ is defined by $d(S_1, S_2) = wt(S_1 \oplus S_2)$, where $\oplus$ denotes addition over GF(2).
An n-variable Boolean function f (x0 , . . . , xn−1 ) can be considered to be a
multivariate polynomial over GF (2), called the algebraic normal form (ANF)
of f . The number of variables in the highest order product term with nonzero
coefficient is called the algebraic degree of f and denoted by deg(f ).
Functions of degree at most one are called affine functions. An affine function with constant term equal to zero is called a linear function. The set of all n-variable affine functions is denoted by A(n). The nonlinearity of an n-variable function f is $nl(f) = \min_{g \in A(n)} d(f, g)$, i.e., the minimum distance from the set of all n-variable affine functions.
Let $x = (x_0, \ldots, x_{n-1})$ and $w = (w_0, \ldots, w_{n-1})$ both belong to $\{0,1\}^n$ and $x \cdot w = x_0 w_0 \oplus \ldots \oplus x_{n-1} w_{n-1}$. Then the Walsh transform of the n-variable Boolean function f(x) is a real valued function over $\{0,1\}^n$ which is defined as

$$W_f(w) = \sum_{x \in \{0,1\}^n} (-1)^{f(x)} (-1)^{w \cdot x}.$$

In terms of the Walsh spectrum, the nonlinearity of f is given by

$$nl(f) = \frac{1}{2}\Big(2^n - \max_{w \in \{0,1\}^n} |W_f(w)|\Big).$$

The autocorrelation function of a Boolean function f is given by

$$r_f(d) = \sum_{x \in \{0,1\}^n} (-1)^{f(x)} (-1)^{f(x \oplus d)}, \quad \text{where } d = (d_0, \ldots, d_{n-1}) \in \{0,1\}^n.$$

The autocorrelation value having maximum magnitude is also known as the absolute indicator [30] and denoted as $\Delta_f = \max_{d \neq (0,\ldots,0),\, d \in \{0,1\}^n} |r_f(d)|$.

3 Generalized Rotation and Dihedral Symmetric Boolean Functions
After briefly summarizing RSBFs, we propose the generalized classes of k-RSBFs and k-DSBFs in Definition 2 and Definition 3 respectively. Letting $(x_0, x_1, \ldots, x_{n-1}) \in V_n$, the (left) k-cyclic shift operator $\rho_n^k$ on n-tuples is defined as $\rho_n^k(x_0, x_1, \ldots, x_{n-1}) = (x_{(0+k) \bmod n}, \ldots, x_{(n-1+k) \bmod n})$, for $1 \le k \le n$.

Definition 1. A Boolean function f is called rotation symmetric if for each input $(x_0, \ldots, x_{n-1}) \in \{0,1\}^n$, $f(\rho_n^1(x_0, \ldots, x_{n-1})) = f(x_0, \ldots, x_{n-1})$.

That is, RSBFs are invariant under all cyclic rotations of the inputs. The inputs of a rotation symmetric Boolean function can be divided into orbits so that each orbit consists of all cyclic shifts of one input. An orbit generated by $(x_0, x_1, \ldots, x_{n-1})$ is denoted by $G_n(x_0, x_1, \ldots, x_{n-1}) = \{\rho_n^k(x_0, x_1, \ldots, x_{n-1}) \mid 1 \le k \le n\}$ and the number of such orbits is $g_n$ ($\approx 2^n/n$). More specifically, $g_n$ is equal to $\frac{1}{n}\sum_{t \mid n} \phi(t)\, 2^{n/t}$ [28], where $\phi(t)$ is Euler's phi-function. The total number of n-variable RSBFs is $2^{g_n}$.
In the following, we define the generalized RSBFs as k-rotation symmetric Boolean functions (k-RSBFs).

Definition 2. Let $1 \le k \le n$, $k \mid n$. An n-variable Boolean function f is called k-rotation symmetric if for each input $(x_0, \ldots, x_{n-1}) \in \{0,1\}^n$, $f(\rho_n^k(x_0, \ldots, x_{n-1})) = f(x_0, \ldots, x_{n-1})$.

As can be seen, the k-rotation symmetric Boolean functions are invariant under k-cyclic rotations of the inputs. Therefore, an orbit of a k-RSBF generated by $(x_0, x_1, \ldots, x_{n-1})$ is $G_n^k(x_0, x_1, \ldots, x_{n-1}) = \{\rho_n^i(x_0, x_1, \ldots, x_{n-1}) \mid i = k, 2k, 3k, \ldots, n\}$. For example, $G_9^3(001, 001, 111) = \{(001, 001, 111), (001, 111, 001), (111, 001, 001)\}$.
If $g_{n,k}$ is the number of distinct orbits in the class of k-RSBFs of n variables, one can show that $g_{n,k} = \frac{k}{n}\sum_{t \mid \frac{n}{k}} \phi(t)\, 2^{n/t}$, where $\phi(t)$ is Euler's phi-function.
In [20], a subspace of RSBFs called Dihedral Symmetric Boolean Functions (DSBFs), which are invariant under the action of the dihedral group $D_n$, is introduced. In addition to the (left) k-cyclic shift operator $\rho_n^k$ on n-tuples, which was defined previously, the dihedral group $D_n$ also includes the reflection operator $\tau_n(x_0, x_1, \ldots, x_{n-1}) = (x_{n-1}, \ldots, x_1, x_0)$. The 2n permutations of $D_n$ are then defined as $\{\rho_n^1, \rho_n^2, \ldots, \rho_n^{n-1}, \rho_n^n, \tau_n^1, \tau_n^2, \ldots, \tau_n^{n-1}, \tau_n^n\}$. The dihedral group $D_n$ generates equivalence classes in the set $V_n$ [26]. Let $d_n$ be the number of such partitions. The following proposition gives the exact count of $d_n$ [10, page 184], [20].

Proposition 1. Let $d_n$ be the total number of orbits induced by the dihedral group $D_n$ acting on $V_n$. Then $d_n = g_n/2 + l$, where $g_n = \frac{1}{n}\sum_{t \mid n} \phi(t)\, 2^{n/t}$ is the number of rotation symmetric classes [28], $\phi(t)$ is Euler's phi-function and

$$l = \begin{cases} \frac{3}{4}\, 2^{n/2}, & \text{if } n \text{ is even,} \\ 2^{\frac{n-1}{2}}, & \text{if } n \text{ is odd.} \end{cases}$$

Since there are $2^{d_n}$ many n-variable DSBFs, a reduction in the size of the search space over the size of RSBFs is provided.

Definition 3. Let $1 \le k \le n$, $k \mid n$. An n-variable Boolean function f is called k-dihedral symmetric if f is invariant under the group action $D_n^k = \{\rho_n^i, \tau_n \rho_n^i \mid i = k, 2k, 3k, \ldots, n\}$.
As the class of DSBFs is a subspace of k-DSBFs, we call k-DSBFs "generalized dihedral symmetric Boolean functions". One should observe that the k-DSBFs form a subspace of the k-RSBFs.
When Proposition 1 is applied to k-dihedral symmetric functions, we obtain
the following corollary.
Corollary 1. Let $d_{n,k}$ be the number of distinct orbits in the class of k-DSBFs of n variables. Then, $d_{n,k} = g_{n,k}/2 + l$, where $g_{n,k} = \frac{k}{n}\sum_{t \mid \frac{n}{k}} \phi(t)\, 2^{n/t}$ is the number of k-rotation symmetric classes, $\phi(t)$ is Euler's phi-function and

$$l = \begin{cases} 2^{\frac{n}{2}-1}, & \text{if } n \text{ is even, } k \text{ is even,} \\ \frac{3}{4}\, 2^{n/2}, & \text{if } n \text{ is even, } k \text{ is odd,} \\ 2^{\frac{n-1}{2}}, & \text{if } n \text{ is odd.} \end{cases}$$

Table 1 compares the orbit counts of k-rotational classes, k-dihedral classes, RSBFs, and DSBFs for $k \mid n$, $n \le 15$.

Table 1. Comparison of the orbit counts $g_n$, $d_n$, $g_{n,k}$ and $d_{n,k}$ for n = 4, 6, ..., 15, and all integers k which divide n

 n                         k = 2      3      4      5      6      7
 4   g_4  = 6     g_{4,k}     10      –      –      –      –      –
     d_4  = 6     d_{4,k}      7      –      –      –      –      –
 6   g_6  = 14    g_{6,k}     24     36      –      –      –      –
     d_6  = 13    d_{6,k}     16     24      –      –      –      –
 8   g_8  = 36    g_{8,k}     70      –    136      –      –      –
     d_8  = 30    d_{8,k}     43      –     76      –      –      –
 9   g_9  = 60    g_{9,k}      –    176      –      –      –      –
     d_9  = 46    d_{9,k}      –    104      –      –      –      –
10   g_10 = 108   g_{10,k}   208      –      –    528      –      –
     d_10 = 78    d_{10,k}   120      –      –    288      –      –
12   g_12 = 352   g_{12,k}   700   1044   1376      –   2080      –
     d_12 = 224   d_{12,k}   382    570    720      –   1072      –
14   g_14 = 1182  g_{14,k}  2344      –      –      –      –   8256
     d_14 = 687   d_{14,k}  1236      –      –      –      –   4224
15   g_15 = 2192  g_{15,k}     –   6560      –  10944      –      –
     d_15 = 1224  d_{15,k}     –   3408      –   5600      –      –
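The orbit-count formulas of Section 3 and Corollary 1 checked against a direct enumeration of the group action, as an added example that is not code from the paper: $g_{n,k}$ and $d_{n,k}$ are computed from the closed formulas and compared with the number of orbits of the rotation subgroup and of $D_n^k$ found by walking through $\{0,1\}^n$; both agree with the entries of Table 1. Nothing beyond the formulas and definitions on this page is assumed.

```python
from math import gcd


def phi(t):
    """Euler's phi-function: number of 1 <= a <= t with gcd(a, t) = 1."""
    return sum(1 for a in range(1, t + 1) if gcd(a, t) == 1)


def g_nk(n, k):
    """g_{n,k} = (k/n) * sum_{t | n/k} phi(t) * 2^(n/t); k = 1 gives g_n of [28]."""
    assert n % k == 0
    nk = n // k
    total = sum(phi(t) * 2 ** (n // t) for t in range(1, nk + 1) if nk % t == 0)
    assert (k * total) % n == 0          # the count is an integer
    return k * total // n


def d_nk(n, k):
    """d_{n,k} = g_{n,k}/2 + l with l from Corollary 1 (k = 1 reduces to Proposition 1)."""
    if n % 2 == 0 and k % 2 == 0:
        l = 2 ** (n // 2 - 1)
    elif n % 2 == 0:
        l = 3 * 2 ** (n // 2) // 4
    else:
        l = 2 ** ((n - 1) // 2)
    g = g_nk(n, k)
    assert g % 2 == 0
    return g // 2 + l


def rho(bits, i):
    """Left i-cyclic shift rho_n^i of an n-tuple: (x_0, ..., x_{n-1}) -> (x_i, ..., x_{i-1})."""
    return bits[i:] + bits[:i]


def tau(bits):
    """Reflection tau_n of an n-tuple."""
    return bits[::-1]


def count_orbits(n, k, dihedral):
    """Number of orbits on {0,1}^n of {rho_n^i : i = k, 2k, ..., n}, or of
    D_n^k = {rho_n^i, tau_n rho_n^i : i = k, 2k, ..., n} when dihedral is True."""
    assert n % k == 0
    seen = set()
    orbits = 0
    for v in range(2 ** n):
        x = tuple((v >> j) & 1 for j in range(n))
        if x in seen:
            continue
        orbits += 1                      # x represents an orbit not met before
        for i in range(k, n + 1, k):     # i = n is the identity, so x itself is marked
            y = rho(x, i)
            seen.add(y)
            if dihedral:
                seen.add(tau(y))
    return orbits


def table_row(n):
    """For every divisor k of n: (g_{n,k} formula, enumerated, d_{n,k} formula, enumerated)."""
    row = {}
    for k in range(1, n + 1):
        if n % k == 0:
            row[k] = (g_nk(n, k), count_orbits(n, k, False),
                      d_nk(n, k), count_orbits(n, k, True))
    return row


if __name__ == "__main__":
    for n in (4, 6, 8, 9, 10, 12):
        for k, (gf, ge, df, de) in table_row(n).items():
            print(f"n={n:2d} k={k:2d}  g_(n,k): formula {gf:5d} enumerated {ge:5d}"
                  f"   d_(n,k): formula {df:5d} enumerated {de:5d}")
```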

4 Search Strategy

Our search strategy (refer to [15,16] for details) uses a steepest-descent like iter-
ative algorithm in the pre-chosen set of n-variable Boolean functions (3-DSBFs
or 3-RSBFs for n = 9). Each iteration step accepts the function f and outputs
the function fmin . Initiating the algorithm with a random Boolean function, at
each iteration all costs are calculated within a pre-defined neighborhood of f ,
and the function having the smallest cost is chosen as the iteration output fmin .
In some rare cases, the cost of fmin may be larger than or equal to the cost of f .
This is the crucial part of the search strategy, which provides the ability to es-
cape from local minima and its distinction from the steepest-descent algorithm.
Hence, the algorithm minimizes the cost until a local minimum is attained; then it takes a step in the direction of nondecreasing cost. The deterministic step in the reverse direction corresponds to the smallest possible cost increase within the pre-defined neighborhood of the preceding Boolean function. The choice of the cost function is also critical and it is chosen as:

$$Cost(f) = \sum_{w} \left| W_f(w)^2 - 2^n \right|^2,$$

which is also equal to the sum of squares of the autocorrelation values given by $\sum_{d \neq (0,\ldots,0)} r_f(d)^2$, excluding $r_f(0,\ldots,0)$.

5 Results

We apply our search strategy to 9-variable 3-DSBFs, where the size of the 3-DSBF search space is $2^{104}$ (see Table 1). We have found several unbalanced
Boolean functions having nonlinearity 242. Among them there are two different
absolute indicator values, which are 32 and 40. The following is the truth table
of a 9-variable, 3-dihedral symmetric Boolean function having nonlinearity 242,
absolute indicator value 40, and algebraic degree 7:

68B7EF2DA03B0D3EA00DB6A96DD99AEAFDB9C842B6D5DC8C4526CE0DD29020DB
B75FE3314568344E73688FF0CB2482E065231869E1AA4583765CC491F8A8DB12

And, the function below is another 9-variable 3-DSBF having nonlinearity 242,
absolute indicator value 32, and algebraic degree 7:

125425D30A398F36508C06817BEE122E250D973314F976AED58A3EA9120DA4FE
0E4D4575C42DD0426365EBA7FC5F45BE9B2F336981B5E1863618F49474F6FE00

Using a computer system with a Pentium IV 2.8 GHz processor and 256 MB RAM, and setting the maximum iteration number to N = 60,000, a typical run of the search algorithm takes 1 minute and 34 seconds. We have carried out 100 runs, each with N = 60,000. Out of 6 million distinct 3-DSBFs, 152 functions have nonlinearity 241, and 36 3-DSBFs have nonlinearity 242.
Additionally, we have applied the search strategy to 9-variable 3-RSBFs (the size of the search space is now $2^{176}$ as can be seen from Table 1), for which
we initiate the search algorithm with a 9-variable 3-DSBF having nonlinearity
242. Then we have obtained some 9-variable 3-RSBFs having nonlinearity 242,
absolute indicator 56, and algebraic degree 7. The following is the truth table of
such a function:

3740B6A118A1E19642A85E2B7E2F3C3CB65FA0D95EC9DB1EA92BDB3666185AE0
087F5FE6E0757106A12FC918754C40E8A1BCCB7A714032A8961456E066E8A801

It is clear that using one of the above 9-variable functions (say f) and a 2-variable bent function (say g), the 11-variable function $g(y_0, y_1) \oplus f(x_0, \ldots, x_8)$ with the highest nonlinearity known to date, $2^{11-1} - 2^{\frac{11-1}{2}} + 4 = 996$, can be obtained. Similarly $h(y_0, y_1, y_2, y_3) \oplus f(x_0, \ldots, x_8)$ is the most nonlinear 13-variable function known to date, with nonlinearity $2^{13-1} - 2^{\frac{13-1}{2}} + 8 = 4040$, where h is a 4-variable bent function and f is one of the above 9-variable functions with nonlinearity 242. We think this is a significant improvement on the results of [15]. However, since the nonlinearity $2^{n-1} - 2^{\frac{n-1}{2}} + 2 \times 2^{\frac{n-9}{2}}$, which can be obtained by bent concatenation of 9-variable functions with nonlinearity 242, is less than the nonlinearity $2^{n-1} - 2^{\frac{n-1}{2}} + 20 \times 2^{\frac{n-15}{2}}$ given in [24] for odd $n \ge 15$, this result is significant only for odd n with $9 \le n \le 13$.

6 Coding Theoretic Significance


The concept of urcoset was first presented in [12] and then in [2,3] as orphan coset. The set D defines an urcoset if the union of the supports of the leaders of D covers the full space; in other words, a coset D of the first order Reed-Muller code R(1, n) with a set of coset leaders L(D) is an urcoset [18] when $\bigcup_{g \in L(D)} supp(g) = \{0, 1, \ldots, 2^n - 1\}$.
In [9], orphan cosets having minimum weight of 240 have been reported, and
in [14] it is confirmed that each of the cosets f ⊕ R(1, 9) is an orphan or urcoset,
where f is any RSBF having nonlinearity 241.
We have checked by running a computer program that for any of the above
functions f having nonlinearity 242, each of the cosets f ⊕ R(1, 9) is an orphan
or urcoset. This is the first time orphan cosets having minimum weight 242 are
demonstrated.
In [2], it is conjectured that the covering radius [19,24] of R(1, n) is even.
Our results for n = 9 show that the covering radius is at least 242 and it is an
interesting open question to settle it. The upper bound presented in [13] for the
covering radius of R(1, 9) is 244.
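The spectral quantities of Section 2 applied to the truth tables of Section 5 and the orphan-coset check of Section 6, as an added example that is not part of the paper: it computes the Walsh spectrum, nonlinearity, absolute indicator and algebraic degree of the two hex truth tables, tests the 3-rotation and 3-dihedral invariance of Definitions 2 and 3, and tests whether $f \oplus R(1,9)$ is an urcoset from the minimum-weight vectors of the coset. It assumes the truth-table ordering of Section 2 (index i has $x_0$ as its least significant bit); the page does not say how each hex digit orders its four bits, so the symmetry check tries the small family of relabelings (XOR with a constant below 32) that the usual hex layouts amount to.

```python
N = 9
SIZE = 1 << N

# Hex truth tables copied from Section 5: the 3-DSBF with absolute indicator 40 and
# the 3-RSBF with absolute indicator 56 (128 hex digits = 512 bits each).
F_DSBF = ("68B7EF2DA03B0D3EA00DB6A96DD99AEAFDB9C842B6D5DC8C4526CE0DD29020DB"
          "B75FE3314568344E73688FF0CB2482E065231869E1AA4583765CC491F8A8DB12")
F_RSBF = ("3740B6A118A1E19642A85E2B7E2F3C3CB65FA0D95EC9DB1EA92BDB3666185AE0"
          "087F5FE6E0757106A12FC918754C40E8A1BCCB7A714032A8961456E066E8A801")


def hex_to_tt(hexstr):
    """512-bit truth table; hex digit j is read as f(4j), ..., f(4j+3), MSB first
    (an assumed layout; nl, absolute indicator and degree do not depend on it)."""
    tt = []
    for ch in hexstr:
        v = int(ch, 16)
        tt.extend(((v >> 3) & 1, (v >> 2) & 1, (v >> 1) & 1, v & 1))
    return tt

def fwht(values):
    """Unnormalized Walsh-Hadamard transform of a list of 2^n integers."""
    a, h = list(values), 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a

def walsh(tt):
    """W_f(w) = sum_x (-1)^f(x) (-1)^(w.x), for every w."""
    return fwht([1 - 2 * b for b in tt])

def nonlinearity(tt):
    """nl(f) = (2^n - max_w |W_f(w)|) / 2."""
    return (SIZE - max(abs(w) for w in walsh(tt))) // 2

def absolute_indicator(tt):
    """max_{d != 0} |r_f(d)|, using r_f = 2^-n * WHT(W_f^2)."""
    r = [v // SIZE for v in fwht([w * w for w in walsh(tt)])]
    return max(abs(r[d]) for d in range(1, SIZE))

def algebraic_degree(tt):
    """Degree of the ANF, obtained by the Moebius transform of the truth table."""
    a, h = list(tt), 1
    while h < SIZE:
        for i in range(0, SIZE, 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max(bin(m).count("1") for m in range(SIZE) if a[m])

def rho(x, i):
    """rho_9^i on an index x whose bit j is x_j: new x_j = old x_((j+i) mod 9)."""
    return ((x >> i) | (x << (N - i))) & (SIZE - 1)

def tau(x):
    """tau_9: reverse the order of the 9 input bits."""
    return int(format(x, "09b")[::-1], 2)

def is_k_symmetric(tt, k, dihedral):
    """Invariance under {rho^i : i = k, 2k, ..., 9}, plus tau rho^i when dihedral."""
    for x in range(SIZE):
        for i in range(k, N + 1, k):
            y = rho(x, i)
            if tt[y] != tt[x] or (dihedral and tt[tau(y)] != tt[x]):
                return False
    return True

def symmetric_relabelings(tt, k, dihedral):
    """Constants c < 32 for which x -> f(x XOR c) is k-(dihedral) symmetric; the usual
    hex bit layouts differ from the assumed one by such an XOR, so a hit identifies it."""
    return [c for c in range(32)
            if is_k_symmetric([tt[x ^ c] for x in range(SIZE)], k, dihedral)]

def is_urcoset(tt):
    """Orphan (urcoset) test for f + R(1,9): its leaders are the weight-nl(f) vectors
    f + w.x (+1 when W_f(w) < 0) for the w with |W_f(w)| maximal; their supports
    must cover all 512 positions."""
    spectrum = walsh(tt)
    peak = max(abs(w) for w in spectrum)
    covered = [0] * SIZE
    for w, val in enumerate(spectrum):
        if abs(val) == peak:
            flip = 1 if val < 0 else 0
            for x in range(SIZE):
                covered[x] |= tt[x] ^ (bin(x & w).count("1") & 1) ^ flip
    return all(covered)


if __name__ == "__main__":
    for name, h in (("3-DSBF", F_DSBF), ("3-RSBF", F_RSBF)):
        tt = hex_to_tt(h)
        print(name, "nl", nonlinearity(tt), "abs. ind.", absolute_indicator(tt),
              "deg", algebraic_degree(tt), "urcoset", is_urcoset(tt),
              "3-RSBF for c in", symmetric_relabelings(tt, 3, False),
              "3-DSBF for c in", symmetric_relabelings(tt, 3, True))
```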

References
1. Berlekamp, E.R., Welch, L.R.: Weight Distributions of the Cosets of the (32, 6) Reed-Muller code. IEEE Trans. Inform. Theory 18(1), 203–207 (1972)
2. Brualdi, R.A., Cai, N., Pless, V.: Orphan Structure of the First Order Reed-Muller
Codes. Discrete Mathematics 102, 239–247 (1992)
3. Brualdi, R.A., Pless, V.S.: Orphans of the First Order Reed-Muller Codes. IEEE
Trans. Inform. Theory 36(2), 399–401 (1990)
4. Clark, J., Jacob, J., Maitra, S., Stanica, P.: Almost Boolean Functions: The Design
of Boolean Functions by Spectral Inversion. Computational Intelligence 20(3), 450–
462 (2004)
5. Cusick, T.W., Stanica, P.: Fast Evaluation, Weights and Nonlinearity of Rotation-
Symmetric Functions. Discrete Mathematics 258, 289–301 (2002)
6. Dalai, D.K., Gupta, K.C., Maitra, S.: Results on Algebraic Immunity for Crypto-
graphically Significant Boolean Functions. In: Canteaut, A., Viswanathan, K. (eds.)
INDOCRYPT 2004. LNCS, vol. 3348, pp. 92–106. Springer, Heidelberg (2004)
7. Dalai, D.K., Maitra, S., Sarkar, S.: Results on rotation symmetric Bent functions.
In: BFCA 2006. 2nd International Workshop on Boolean Functions: Cryptography
and Applications, pp. 137–156 (2006)

8. Filiol, E., Fontaine, C.: Highly nonlinear balanced Boolean Functions with a good
Correlation-Immunity. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403,
pp. 475–488. Springer, Heidelberg (1998)
9. Fontaine, C.: On Some Cosets of the First-Order Reed-Muller Code With High
Minimum Weight. IEEE Trans. Inform. Theory 45(4), 1237–1243 (1999)
10. Harary, F.: Graph Theory. Addison-Wesley Publishing Company, Reading (1972)
11. Hell, M., Maximov, A., Maitra, S.: On Efficient Implementation of Search Strategy
For Rotation Symmetric Boolean Functions. In: ACCT 2004, Black Sea Coast,
Bulgaria (2004)
12. Helleseth, T., Mattson Jr., H.F.: On the Cosets of the Simplex Code. Discrete
Math. 56, 169–189 (1985)
13. Hou, X.-d.: On the Norm and Covering Radius of the First Order Reed-Muller
codes. IEEE Trans. Inform. Theory 43(3), 1025–1027 (1997)
14. Kavut, S., Maitra, S., Sarkar, S., Yücel, M.D.: Enumeration of 9-variable Rotation
Symmetric Boolean Functions having Nonlinearity > 240. In: Barua, R., Lange,
T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 266–279. Springer, Heidelberg
(2006)
15. Kavut, S., Maitra, S., Yücel, M.D.: Search for Boolean Functions with Excellent
Profiles in the Rotation Symmetric Class. IEEE Trans. Inform. Theory 53(5), 1743–
1751 (2007)
16. Kavut, S., Maitra, S., Yücel, M.D.: Autocorrelation Spectra of Balanced Boolean Functions on Odd Number Input Variables With Maximum Absolute Value $< 2^{\frac{n+1}{2}}$. In: BFCA 2006, University of Rouen, France, pp. 73–86 (2006)
17. Kavut, S., Yücel, M.D.: A New Algorithm for the Design of Strong Boolean Func-
tions. In: First National Cryptology Symposium, METU, Ankara, Turkey, pp. 95–
105 (2005)
18. Langevin, P.: On the Orphans and Covering Radius of the Reed-Muller Codes.
In: Mattson, H.F., Rao, T.R.N., Mora, T. (eds.) AAECC-9. LNCS, vol. 539, pp.
234–240. Springer, Heidelberg (1991)
19. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error Correcting Codes. North Holland, Amsterdam (1977)
20. Maitra, S., Sarkar, S., Dalai, D.K.: On Dihedral Group Invariant Boolean Func-
tions. In: BFCA 2007, University of Rouen, France (2007)
21. Maximov, A.: Classes of Plateaued Rotation Symmetric Boolean functions un-
der Transformation of Walsh Spectra. In: Ytrehus, Ø. (ed.) WCC 2005. LNCS,
vol. 3969, pp. 325–334. Springer, Heidelberg (2006)
22. Maximov, A., Hell, M., Maitra, S.: Plateaued Rotation Symmetric Boolean Func-
tions on Odd Number of Variables. In: BFCA 2005, University of Rouen, France
(2005)
23. Mykkeltveit, J.J.: The Covering Radius of the (128, 8) Reed-Muller Code is 56.
IEEE Trans. Inform. Theory 26(3), 359–362 (1980)
24. Patterson, N.J., Wiedemann, D.H.: The Covering Radius of the $(2^{15}, 16)$ Reed-Muller code is At Least 16276. IEEE Trans. Inform. Theory 29(3), 354–356 (1983)
25. Pieprzyk, J., Qu, C.X.: Fast Hashing and Rotation-Symmetric Functions. J. Uni-
versal Computer Science 5, 20–31 (1999)
26. Roberts, F.S.: Applied Combinatorics. Prentice-Hall, Inc., Englewood Cliffs, New Jersey

27. Rothaus, O.S.: On Bent Functions. Journal of Combinatorial Theory, Series A 20,
300–305 (1976)
28. Stanica, P., Maitra, S.: Rotation Symmetric Boolean Functions – Count and Cryp-
tographic Properties. In: R. C. Bose Centenary Symposium on Discrete Mathemat-
ics and Applications. Electronic Notes in Discrete Mathematics, vol. 15, Elsevier,
Amsterdam (2004)
29. Stanica, P., Maitra, S., Clark, J.: Results on Rotation Symmetric Bent and Corre-
lation Immune Boolean Functions. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS,
vol. 3017, pp. 161–177. Springer, Heidelberg (2004)
30. Zhang, X.M., Zheng, Y.: GAC – The Criterion for Global Avalanche Characteristics
of Cryptographic Functions. J. Universal Computer Science 1(5), 316–333 (1995)
On Quasi-cyclic Codes over Integer Residue Rings

Maheshanand¹ and Siri Krishan Wasan²

¹ Centre for Development of Advanced Computing, Noida, India
[email protected]
² Department of Mathematics, Jamia Millia Islamia, New Delhi, India
[email protected]

Abstract. In this paper we consider some properties of quasi-cyclic codes over the integer residue rings. A quasi-cyclic code over $Z_k$, the ring of integers modulo k, reduces to a direct product of quasi-cyclic codes over $Z_{p_i^{e_i}}$, $k = \prod_{i=1}^{s} p_i^{e_i}$, $p_i$ a prime. Let T be the standard shift operator. A linear code C over a ring R is called an l-quasi-cyclic code if $T^l(c) \in C$ whenever $c \in C$. It is shown that if $(m, q) = 1$, $q = p^r$, p a prime, then an l-quasi-cyclic code of length lm over $Z_q$ is a direct product of quasi-cyclic codes over some Galois extension rings of $Z_q$. We have discussed the structure of the generator of a 1-generator l-quasi-cyclic code of length lm over $Z_q$. A method to obtain quasi-cyclic codes over $Z_q$, which are free modules over $Z_q$, has been discussed.

Keywords: Quasi-cyclic codes, circulant matrices, Galois rings, Hensel's lift.

1 Introduction

Quasi-cyclic codes form a remarkable generalization of cyclic codes [1], [5], [18]. They are asymptotically good as they meet a modified version of the Gilbert-
Varshamov bound [10]. They are closely linked to convolutional codes. Recently
there has been a great interest for their applications in studying Turbo codes [19]
and many Low-Density Parity Check (LDPC) codes [6]. It is well known that
Turbo codes and LDPC codes have been proved to be capacity approaching
codes.
In recent years, there has been a lot of interest in codes over finite rings since
the revelation in 1994, in a breakthrough paper by Hammons et al. [7], that some
non linear binary codes with very good parameters are actually binary images
under a certain map, of some linear codes over Z4 , the ring of integers modulo
4. Cyclic codes over some rings have been studied by a number of authors [2],
[3], [15], [16], however, there has been a limited study on quasi-cyclic codes over
rings [1], [12].
Let R be finite commutative ring with identity. A linear code C of length n
over R is a submodule of the R-module Rn . Such a submodule is not necessarily

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 330–336, 2007.
© Springer-Verlag Berlin Heidelberg 2007

a free module. Let T be the standard shift operator. A linear code C over R is called a quasi-cyclic code of index l (or an l-quasi-cyclic code) if $T^l(c) \in C$ whenever $c \in C$. For l = 1, a quasi-cyclic code is simply a cyclic code. We assume that l divides the code length n and n = lm, for some positive integer m. Up to equivalence, the generator matrix of an l-quasi-cyclic code of length n = lm can be expressed as a block matrix of m × m circulant matrices [4]. It is well known that a quasi-cyclic code of length n = lm over R can be regarded as an $\frac{R[x]}{\langle x^m - 1 \rangle}$-submodule of $\left(\frac{R[x]}{\langle x^m - 1 \rangle}\right)^l$ [1], [12]. If this module is generated by a single element $\mathbf{g}(x) \in \left(\frac{R[x]}{\langle x^m - 1 \rangle}\right)^l$, then we say that the code is a 1-generator quasi-cyclic code. The generator matrix of a 1-generator l-quasi-cyclic code of length n = lm consists of a single row $G = [G_1, G_2, \ldots, G_l]$ of m × m circulant matrices. In this paper we consider some properties of quasi-cyclic codes over integer residue rings.

2 Quasi-cyclic Codes over $Z_k$

Now we consider quasi-cyclic codes over $Z_k$, the ring of integers modulo k. As usual, an l-quasi-cyclic code of length n = lm over $Z_k$ is a $\frac{Z_k[x]}{\langle x^m - 1 \rangle}$-submodule of $\left(\frac{Z_k[x]}{\langle x^m - 1 \rangle}\right)^l$. Let $k = \prod_{i=1}^{s} p_i^{e_i}$ be the canonical factorization of k. By the Chinese Remainder Theorem

$$Z_k \cong \prod_{i=1}^{s} Z_{p_i^{e_i}}, \tag{1}$$

which induces the isomorphism

$$\frac{Z_k[x]}{\langle x^m - 1 \rangle} \cong \prod_{i=1}^{s} \frac{Z_{p_i^{e_i}}[x]}{\langle x^m - 1 \rangle}. \tag{2}$$

From (2), it follows that

$$\left(\frac{Z_k[x]}{\langle x^m - 1 \rangle}\right)^l \cong \prod_{i=1}^{s} \left(\frac{Z_{p_i^{e_i}}[x]}{\langle x^m - 1 \rangle}\right)^l. \tag{3}$$

Every submodule of $\left(\frac{Z_k[x]}{\langle x^m - 1 \rangle}\right)^l$ (an l-quasi-cyclic code over $Z_k$) is a direct product of submodules of $\left(\frac{Z_{p_i^{e_i}}[x]}{\langle x^m - 1 \rangle}\right)^l$ (l-quasi-cyclic codes over $Z_{p_i^{e_i}}$), i = 1, 2, ..., s. Therefore, in order to study quasi-cyclic codes over $Z_k$, it is sufficient to consider them over $Z_{p^r}$, p a prime.
Let $q = p^r$, p a prime.

3 Quasi-cyclic Codes over $Z_q$

Definition 1. A polynomial $f(x) \in Z_q[x]$ is said to be basic irreducible if f(x) (modulo p) is irreducible in $Z_p[x]$.

Definition 2. Let $f(x) \in Z_q[x]$ be a monic basic irreducible polynomial of degree m. Then the Galois ring of degree m over $Z_q$ is defined by $GR(q, m) = \frac{Z_q[x]}{\langle f(x) \rangle}$.

Further, $GR(q, 1) = Z_q$ and $GR(p, m) = F_{p^m}$, the finite field over $Z_p$ with $p^m$ elements. The Galois ring $R = GR(q, m) = GR(p^r, m)$ is a local ring with the maximal ideal $(p) = pR$ and the residue field $R/pR = F_{p^m}$. If $\xi$ is a root of f(x), then $R = Z_q(\xi)$.

Theorem 1 ([9]). If (m, q) = 1, then $x^m - 1$ factorizes uniquely into monic pairwise coprime basic irreducible polynomials over $Z_q$.

Using Theorem 1 we can describe a structure of l-quasi-cyclic codes of length n = lm over $Z_q$. A more general structure of quasi-cyclic codes over finite chain rings has been discussed in [12].

Theorem 2. If (m, q) = 1 then a quasi-cyclic code of length n = lm and index l over $Z_q$ is a direct product of linear codes over Galois extension rings of $Z_q$.

Proof. Let C be a quasi-cyclic code of length n = lm and index l over $Z_q$. Then C is a $\frac{Z_q[x]}{\langle x^m - 1 \rangle}$-submodule of $\left(\frac{Z_q[x]}{\langle x^m - 1 \rangle}\right)^l$. Since (m, q) = 1, $x^m - 1$ factorizes uniquely into monic pairwise coprime basic irreducible polynomials over $Z_q$. Let $x^m - 1 = f_1(x) f_2(x) \cdots f_t(x)$ be the factorization of $x^m - 1$ into monic pairwise coprime basic irreducible polynomials over $Z_q$. Then by the Chinese Remainder Theorem

$$\frac{Z_q[x]}{\langle x^m - 1 \rangle} = \prod_{i=1}^{t} \frac{Z_q[x]}{\langle f_i(x) \rangle}. \tag{4}$$

Since $f_i(x)$ is a basic irreducible polynomial in $Z_q[x]$, i = 1, 2, ..., t, $\frac{Z_q[x]}{\langle f_i(x) \rangle}$ is a Galois ring over $Z_q$. Let $\frac{Z_q[x]}{\langle f_i(x) \rangle} = GR(q, m_i)$, where $m_i = \deg(f_i(x))$. Then $\frac{Z_q[x]}{\langle x^m - 1 \rangle} = \prod_{i=1}^{t} GR(q, m_i)$. From this, it follows that $\left(\frac{Z_q[x]}{\langle x^m - 1 \rangle}\right)^l = \prod_{i=1}^{t} (GR(q, m_i))^l$. Then every submodule of $\left(\frac{Z_q[x]}{\langle x^m - 1 \rangle}\right)^l$ is a direct product of submodules of $(GR(q, m_i))^l$. Since a submodule of $(GR(q, m_i))^l$ is a linear code of length l over $GR(q, m_i)$, C is a direct product of linear codes over the Galois rings $GR(q, m_i)$, i = 1, 2, ..., t. □

Thus, if (m, q) = 1 and $C_i$ is a linear code of length l over the Galois ring $GR(q, m_i)$, i = 1, 2, ..., t, then $\prod_{i=1}^{t} C_i$ is an l-quasi-cyclic code of length n = lm over $Z_q$ with $\prod_{i=1}^{t} |C_i|$ codewords.

Example 1. Let q = 2, l = 3 and m = 7. Now $x^7 - 1 = (x - 1)(x^3 + x + 1)(x^3 + x^2 + 1)$ is the factorization of $x^7 - 1$ into irreducible polynomials in $Z_2[x]$. Let C be a 3-quasi-cyclic code of length 21 over $Z_2$. Then $C = C_1 \times C_2 \times C_3$, where $C_1$ is a linear code of length 3 over the Galois ring $GR(2, 1) = \frac{Z_2[x]}{\langle x - 1 \rangle} = Z_2$, and $C_2$ and $C_3$ are linear codes of length 3 over the Galois ring $GR(2, 3) = \frac{Z_2[x]}{\langle x^3 + x + 1 \rangle} = \frac{Z_2[x]}{\langle x^3 + x^2 + 1 \rangle}$.

The structure of 1-generator quasi-cyclic codes over the finite fields is well known
[17], [18]. We generalize the result for 1-generator quasi-cyclic codes over Zq .

Theorem 3. Let C be a 1-generator l-quasi-cyclic code over $Z_q$ of length n = lm. Then, a generator $\mathbf{g}(x) \in \left(\frac{Z_q[x]}{\langle x^m - 1 \rangle}\right)^l$ of C has the form

$$\mathbf{g}(x) = (g_1(x), g_2(x), \ldots, g_l(x))$$

where $g_i(x)$ is a generator polynomial of a cyclic code of length m over $Z_q$.

Proof. Let C be a 1-generator l-quasi-cyclic code of length n = lm over $Z_q$. For a fixed i, i = 1, 2, ..., l, consider the projection $\left(\frac{Z_q[x]}{\langle x^m - 1 \rangle}\right)^l \longrightarrow \frac{Z_q[x]}{\langle x^m - 1 \rangle}$, defined by

$$(r_1(x), r_2(x), \ldots, r_l(x)) \longrightarrow r_i(x).$$

Let the image of C under this projection be $C_i$, i = 1, 2, ..., l. Obviously $C_i \subseteq \frac{Z_q[x]}{\langle x^m - 1 \rangle}$. Now, since C is a $\frac{Z_q[x]}{\langle x^m - 1 \rangle}$-submodule of $\left(\frac{Z_q[x]}{\langle x^m - 1 \rangle}\right)^l$, for any $\mathbf{c}(x) = (c_1(x), c_2(x), \ldots, c_l(x)) \in C$ and $a(x) \in \frac{Z_q[x]}{\langle x^m - 1 \rangle}$, $a(x)\mathbf{c}(x) \in C$. Consequently, for any $c_i(x) \in C_i$, $a(x) c_i(x) \in C_i$. It follows that $C_i$ is an ideal of $\frac{Z_q[x]}{\langle x^m - 1 \rangle}$. Therefore, $C_i$ is a cyclic code of length m over $Z_q$. Now, if $\mathbf{g}(x) = (g_1(x), g_2(x), \ldots, g_l(x))$ is a generator of C, then the polynomial $g_i(x)$ generates $C_i$, i = 1, 2, ..., l. Therefore $C_i$ is a principal ideal of $\frac{Z_q[x]}{\langle x^m - 1 \rangle}$ generated by $g_i(x)$. □

From now on, we assume that (m, q) = 1. Then $\frac{Z_q[x]}{\langle x^m - 1 \rangle}$ is a principal ideal ring [3], [9]. Therefore, every cyclic code of length m over $Z_q$ is generated by a single polynomial. However, unlike the finite field case, the generator polynomial of a cyclic code of length m over $Z_q$ does not necessarily divide $x^m - 1$ in $Z_q[x]$ [1], [20]. For the present case (i.e. (m, q) = 1), an interesting class of quasi-cyclic codes occurs when the cyclic code $C_i$, i = 1, 2, ..., l, in Theorem 3 is generated by a polynomial $g_i(x)$ dividing $x^m - 1$ in $Z_q[x]$. $C_i$ is then a free $Z_q$-module. In fact, the following result is true.

Theorem 4 ([22]). Let (n, q) = 1 and C be a cyclic code of length n over $Z_q$. Then C is a free $Z_q$-module if and only if it is generated by a polynomial g(x) which divides $x^n - 1$ in $Z_q[x]$. In this case, the rank of C over $Z_q$ is $n - \deg g(x)$.

In [20], it is shown that if a cyclic code C of length n over $Z_4$ is generated by a polynomial $g(x) \mid (x^n - 1)$ then $g(x), xg(x), \ldots, x^{\deg g(x) - 1} g(x)$ form a basis for C over $Z_4$. Applying similar arguments, it is easy to show that if a cyclic code C of length n, (n, q) = 1, over $Z_q$ is generated by a polynomial $g(x) \mid (x^n - 1)$ then $g(x), xg(x), \ldots, x^{\deg g(x) - 1} g(x)$ form a basis for C over $Z_q$. Further, as in the finite field case, it is straightforward to show that if a cyclic code of length n over $Z_q$ is generated by a polynomial g(x) dividing $x^n - 1$ in $Z_q[x]$, then it is also generated by a polynomial $f(x)g(x)$ with $\left(f(x), \frac{x^n - 1}{g(x)}\right) = 1$ in $Z_q[x]$. Therefore, for an l-quasi-cyclic code of length n = lm over $Z_q$ with a generator $\mathbf{g}(x) = (g_1(x), g_2(x), \ldots, g_l(x))$ with $g_i(x)$ dividing $x^m - 1$ in $Z_q[x]$, we can also take its generator as $\mathbf{g}(x) = (f_1(x)g_1(x), f_2(x)g_2(x), \ldots, f_l(x)g_l(x))$ with $\left(f_i(x), \frac{x^m - 1}{g_i(x)}\right) = 1$.
Now we consider 1-generator l-quasi-cyclic codes of length n = lm with generators of the form $\mathbf{g}(x) = (f_1(x)g(x), f_2(x)g(x), \ldots, f_l(x)g(x))$ with g(x) dividing $x^m - 1$ and $\left(f_i(x), \frac{x^m - 1}{g(x)}\right) = 1$. In [1] it is proved that a 1-generator l-quasi-cyclic code of length n = lm, m odd, over $Z_4$, with a generator of the above form is a free $Z_4$-module of rank $m - \deg g(x)$. We generalize this result to quasi-cyclic codes over $Z_q$.
Theorem 5. Let C be a 1-generator l-quasi-cyclic code of length n = lm over $Z_q$ with a generator of the form

$$\mathbf{g}(x) = (f_1(x)g(x), f_2(x)g(x), \ldots, f_l(x)g(x))$$

where $g(x) \mid (x^m - 1)$ and $\left(f_i(x), \frac{x^m - 1}{g(x)}\right) = 1$ for i = 1, 2, ..., l. Then C is a free $Z_q$-module of rank $m - \deg g(x)$.

Proof. Once again, for a fixed i, i = 1, 2, ..., l, consider the projection $\left(\frac{Z_q[x]}{\langle x^m - 1 \rangle}\right)^l \longrightarrow \frac{Z_q[x]}{\langle x^m - 1 \rangle}$, defined by

$$(r_1(x), r_2(x), \ldots, r_l(x)) \longrightarrow r_i(x).$$

Let the image of C under this projection be $C_i$, i = 1, 2, ..., l. Then, from Theorem 3, we know that $C_i$ is a cyclic code of length m over $Z_q$, generated by the polynomial $g_i(x) = g(x)$ for each i = 1, 2, ..., l. Now if a relation of the form $\sum_i a_i x^i g(x) = 0$, with $a_i \in Z_q$, exists in $\frac{Z_q[x]}{\langle x^m - 1 \rangle}$, then a similar relation $\sum_i a_i x^i \mathbf{g}(x) = 0$, with $a_i \in Z_q$, holds in $\left(\frac{Z_q[x]}{\langle x^m - 1 \rangle}\right)^l$. Also, if $\sum_i a_i x^i g(x) \neq 0$ with $a_i \in Z_q$ in $\frac{Z_q[x]}{\langle x^m - 1 \rangle}$, then so is $\sum_i a_i x^i \mathbf{g}(x) \neq 0$ in $\left(\frac{Z_q[x]}{\langle x^m - 1 \rangle}\right)^l$. Thus $g(x), xg(x), \ldots, x^s g(x)$, for some $s \ge 0$, are linearly independent over $Z_q$ if and only if $\mathbf{g}(x), x\mathbf{g}(x), \ldots, x^s \mathbf{g}(x)$ are linearly independent over $Z_q$. Now g(x) is a generator polynomial of the cyclic code $C_i$ and g(x) divides $x^m - 1$ over $Z_q$. Therefore, from Theorem 4, $C_i$ is a free $Z_q$-module and $g(x), xg(x), \ldots, x^{m - (\deg g(x) - 1)} g(x)$ form a basis for $C_i$ over $Z_q$. From the above discussion, it follows that $\mathbf{g}(x), x\mathbf{g}(x), \ldots, x^{m - (\deg g(x) - 1)} \mathbf{g}(x)$ form a basis for C over $Z_q$. Hence C is a free $Z_q$-module of rank $m - \deg g(x)$. □

Now we consider a method of generating quasi-cyclic codes over Zq .

Theorem 6 ([3]). If $f_1(x) \in Z_p[x]$ is a monic irreducible divisor of $x^m - 1$ over $Z_p$, then there is a unique monic irreducible polynomial $f(x) \in Z_q[x]$ which divides $x^m - 1$ over $Z_q$ such that $f(x) \pmod p = f_1(x)$.

The polynomial f (x) in Theorem 6 is called the Hensel’s lift of the polynomial
f1 (x).
The Hensel's lift of a polynomial $f_1(x) \in Z_2[x]$ to $Z_4[x]$ can be obtained by Graeffe's method [7], [8], described below. Let $f_1(x) = e(x) + o(x)$, where e(x) contains only even powers of x and o(x) contains only odd powers of x. Then the Hensel's lift $f(x) \in Z_4[x]$ of $f_1(x)$ is obtained from $f(x^2) = \pm(e(x)^2 - o(x)^2)$, where the sign $\pm$ is chosen in such a way that the coefficient of the highest power of x is 1. This is illustrated by the following example.

Example 2. We know that $x^7 - 1 = (x - 1)(x^3 + x + 1)(x^3 + x^2 + 1)$ is the factorization of $x^7 - 1$ into irreducible polynomials in $Z_2[x]$. Let $f_1(x) = x^3 + x^2 + 1$. Then $e(x) = x^2 + 1$ and $o(x) = x^3$. Let f(x) be the Hensel's lift to $Z_4[x]$ of $f_1(x)$. Then, $f(x^2) = -((x^2 + 1)^2 - (x^3)^2) = x^6 - x^4 + 2x^2 - 1$ and thus $f(x) = x^3 - x^2 + 2x - 1$.

To generate a 1-generator l-quasi-cyclic code C of length n = lm over $Z_q$ with a generator of the form $\mathbf{g}(x) = (f_1(x)g(x), f_2(x)g(x), \ldots, f_l(x)g(x))$, with $g(x) \mid (x^m - 1)$ and $\left(f_i(x), \frac{x^m - 1}{g(x)}\right) = 1$, i = 1, 2, ..., l, we require a polynomial g(x) which divides $x^m - 1$ over $Z_q$. Such a polynomial can be obtained by the following procedure. Let $g_p(x)$ be a factor of $x^m - 1$ in $Z_p[x]$. Let g(x) be the Hensel's lift to $Z_q[x]$ of $g_p(x)$. Then g(x) divides $x^m - 1$ over $Z_q$. Now g(x) can be used to find the generator $\mathbf{g}(x)$ for C.

Example 3. Let $q = 4$, $l = 3$ and $m = 7$. Now $x^7 - 1 = (x - 1)(x^3 + x + 1)(x^3 + x^2 + 1)$ is the factorization of $x^7 - 1$ into irreducible polynomials in $\mathbb{Z}_2[x]$. Let $g_2(x) = x^3 + x + 1$. Then the Hensel lift of $g_2(x)$ to $\mathbb{Z}_4[x]$ is the polynomial $g(x) = x^3 + 2x^2 + x - 1$. Let $f_1(x) = 1$, $f_2(x) = x + 1$ and $f_3(x) = x^3 + x$. Then
$$\mathbf{g}(x) = (f_1(x)g(x),\ f_2(x)g(x),\ f_3(x)g(x)) = (x^3 + 2x^2 + x - 1,\ (x + 1)(x^3 + 2x^2 + x - 1),\ (x^3 + x)(x^3 + 2x^2 + x - 1)) = (x^3 + 2x^2 + x - 1,\ x^4 + 3x^3 + 3x^2 - 1,\ x^6 + 2x^5 + 2x^4 + x^3 + x^2 - x),$$
which generates a 3-quasi-cyclic code of length 21 and rank 4 over $\mathbb{Z}_4$.
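The lift and the generator of Examples 2 and 3 can be checked mechanically. The following Python script is an added example, not code from the paper: it implements Graeffe's method for the Hensel lift from $\mathbb{Z}_2[x]$ to $\mathbb{Z}_4[x]$ as described above, verifies that the lifted factor still divides $x^7 - 1$ over $\mathbb{Z}_4$, and assembles the generator $\mathbf{g}(x) = (f_1 g, f_2 g, f_3 g)$ of Example 3. The function names (graeffe_lift, poly_divmod, qc_generator) and the coefficient-list representation are this example's own conventions.

```python
# Added example (not from the paper): Hensel lift of a binary factor of x^m - 1 to
# Z_4[x] by Graeffe's method (f(x^2) = +-(e(x)^2 - o(x)^2)), and the 1-generator
# quasi-cyclic generator of Example 3. Polynomials are coefficient lists with the
# constant term first; coefficients are reduced modulo q.

def poly_trim(a):
    """Drop leading zero coefficients (keep at least one coefficient)."""
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def poly_mul(a, b, q):
    """Product of two polynomials over Z_q."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % q
    return poly_trim(out)

def poly_divmod(a, b, q):
    """Quotient and remainder of a by b over Z_q; the leading coefficient of b must be a unit."""
    a, b = list(a), poly_trim(b)
    inv = pow(b[-1], -1, q)
    quot = [0] * max(1, len(a) - len(b) + 1)
    for k in range(len(a) - len(b), -1, -1):
        c = (a[k + len(b) - 1] * inv) % q
        quot[k] = c
        for j, bj in enumerate(b):
            a[k + j] = (a[k + j] - c * bj) % q
    return poly_trim(quot), poly_trim(a[:len(b) - 1] or [0])

def graeffe_lift(f1):
    """Hensel lift of a monic f1 in Z_2[x] to Z_4[x]: split f1 = e + o into even and
    odd powers, form +-(e^2 - o^2) over Z_4, fix the sign so the result is monic,
    and substitute x^2 -> x."""
    e = [c if i % 2 == 0 else 0 for i, c in enumerate(f1)]
    o = [c if i % 2 == 1 else 0 for i, c in enumerate(f1)]
    e2, o2 = poly_mul(e, e, 4), poly_mul(o, o, 4)
    n = max(len(e2), len(o2))
    e2 += [0] * (n - len(e2))
    o2 += [0] * (n - len(o2))
    g = poly_trim([(x - y) % 4 for x, y in zip(e2, o2)])   # g(x) = +-f(x^2)
    if g[-1] != 1:                      # choose the sign making the leading coefficient 1
        g = [(-c) % 4 for c in g]
    assert all(c == 0 for c in g[1::2]), "only even powers of x should survive"
    return g[0::2]

def x_power_minus_one(m, q):
    """x^m - 1 over Z_q."""
    return [q - 1] + [0] * (m - 1) + [1]

def qc_generator(g, fs, q):
    """1-generator quasi-cyclic generator (f_1 g, f_2 g, ..., f_l g) over Z_q."""
    return [poly_mul(f, g, q) for f in fs]

if __name__ == "__main__":
    g = graeffe_lift([1, 1, 0, 1])             # x^3 + x + 1 -> x^3 + 2x^2 + x - 1 over Z_4
    print(g)                                    # [3, 1, 2, 1]
    quot, rem = poly_divmod(x_power_minus_one(7, 4), g, 4)
    print(rem, "quotient degree", len(quot) - 1)  # [0] 4: g divides x^7 - 1 over Z_4
    print(qc_generator(g, [[1], [1, 1], [0, 1, 0, 1]], 4))
```

Running it prints [3, 1, 2, 1] for the lift of $x^3 + x + 1$ (coefficients mod 4, constant term first, i.e. $x^3 + 2x^2 + x - 1$), a zero remainder for the division of $x^7 - 1$ by that lift, and the three components of $\mathbf{g}(x)$ from Example 3; the degree of the quotient $(x^7 - 1)/g(x)$ is 4, the rank stated in the example. The lift of $x^3 + x^2 + 1$ from Example 2 comes out as [3, 2, 3, 1], i.e. $x^3 - x^2 + 2x - 1$.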

4 Conclusion

In this paper we have considered some quasi-cyclic codes over integer residue rings. The study of quasi-cyclic codes over integer residue rings basically reduces to quasi-cyclic codes over $\mathbb{Z}_q$, $q = p^r$, $p$ a prime. A decomposition of quasi-cyclic codes over $\mathbb{Z}_q$ into quasi-cyclic codes over some Galois extension rings of $\mathbb{Z}_q$ is given. Some properties of 1-generator quasi-cyclic codes over $\mathbb{Z}_q$ have been discussed.
336 Maheshanand and S.K. Wasan

References
1. Aydin, N., Ray-Chaudhuri, D.K.: Quasi-Cyclic Codes over Z4 and Some New Binary Codes. IEEE Trans. Inform. Theory 48, 2065–2069 (2002)
2. Blake, I.F.: Codes Over Certain Rings. Inform. Control 20, 396–404 (1972)
3. Calderbank, A.R., Sloane, N.J.A.: Modular and p-Adic Cyclic Codes. Designs, Codes and Cryptography 6, 21–35 (1995)
4. Chen, C.L., Peterson, W.W., Weldon, E.J.: Some Results on Quasi-Cyclic Codes. Inform. Control 15, 407–423 (1969)
5. Daskalov, R., Hristov, P.: New Binary One-Generator Quasi-Cyclic Codes. IEEE Trans. Inform. Theory 49, 3001–3005 (2003)
6. Fossorier, M.P.C.: Quasi-Cyclic Low-Density Parity-Check Codes From Circulant Permutation Matrices. IEEE Trans. Inform. Theory 50, 1788–1793 (2004)
7. Hammons, A.R., Kumar, P.V., Calderbank, A.R., Sloane, N.J.A., Sole, P.: The Z4-Linearity of Kerdock, Preparata, Goethals and Related Codes. IEEE Trans. Inform. Theory 40, 301–319 (1994)
8. Huffman, W.C., Pless, V.: Fundamentals of Error-Correcting Codes. Cambridge University Press, Cambridge (2003)
9. Kanwar, P., Lopez-Permouth, S.R.: Cyclic Codes over the Integers Modulo p^m. Finite Fields and Their Applications 3, 334–352 (1997)
10. Kasami, T.: A Gilbert-Varshamov Bound for Quasi-Cyclic Codes of Rate 1/2. IEEE Trans. Inform. Theory 20, 679–680 (1974)
11. Ling, S., Sole, P.: On the Algebraic Structures of Quasi-Cyclic Codes I: Finite Fields. IEEE Trans. Inform. Theory 47, 2751–2760 (2001)
12. Ling, S., Sole, P.: On the Algebraic Structures of Quasi-Cyclic Codes II: Chain Rings. Designs, Codes and Cryptography 30, 113–130 (2001)
13. Ling, S., Sole, P.: On the Algebraic Structures of Quasi-Cyclic Codes III: Generator Theory. IEEE Trans. Inform. Theory 51, 2692–2700 (2005)
14. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes. North-Holland Publishing Company, Amsterdam (1977)
15. Norton, G.H., Salagean-Mandache, A.: On the Structures of Linear and Cyclic Codes over Finite Chain Rings. Applicable Algebra in Engineering, Communication and Computing 10, 489–506 (2000)
16. Pless, V., Qian, J.: Cyclic Codes and Quadratic Residue Codes over Z4. IEEE Trans. Inform. Theory 42, 1594–1600 (1996)
17. Seguin, G.E.: A Class of 1-Generator Quasi-Cyclic Codes. IEEE Trans. Inform. Theory 50, 1745–1753 (2004)
18. Siap, I., Aydin, N., Ray-Chaudhuri, D.K.: New Ternary Quasi-Cyclic Codes with Better Minimum Distances. IEEE Trans. Inform. Theory 46, 1554–1558 (2000)
19. Tanner, R.M.: Towards Algebraic Theory of Turbo Codes. In: 2nd Int. Symp. on Turbo Codes, Brest (2000)
20. Wan, Z.X.: Quaternary Codes. World Scientific, Singapore (1997)
21. Wasan, S.K.: On Codes over Zm. IEEE Trans. Inform. Theory 28, 117–120 (1982)
22. Woo, S.S.: Free Cyclic Codes over Finite Local Rings. Bull. Korean Math. Soc. 43, 723–735 (2006)
Extended Norm-Trace Codes with Optimized Correction Capability

Maria Bras-Amorós^1 and Michael E. O'Sullivan^2

^1 Departament d'Enginyeria Informàtica i Matemàtiques, Universitat Rovira i Virgili
[email protected]
^2 Department of Mathematics and Statistics, San Diego State University
[email protected]

Abstract. We consider a generalization of the codes defined by norm and trace functions on finite fields introduced by Olav Geil. The codes in the new family still satisfy Geil's duality properties stated for norm-trace codes. That is, it is easy to find a minimal set of parity checks guaranteeing correction of a given number of errors, as well as the set of monomials generating the corresponding code. Furthermore, we describe a way to find the minimal set of parity checks and the corresponding generating monomials guaranteeing correction of at least the generic errors. This gives codes with even larger dimensions.

1 Introduction

Let $q$ be a prime power and $r$ an integer greater than or equal to 2. The curve defined over $\mathbb{F}_{q^r}$ with affine equation
$$x^{\frac{q^r - 1}{q - 1}} = y^{q^{r-1}} + y^{q^{r-2}} + \cdots + y$$
is called the norm-trace curve associated to $q$ and $r$. In fact, the defining equation is equivalent to $N_{\mathbb{F}_{q^r}/\mathbb{F}_q}(x) = T_{\mathbb{F}_{q^r}/\mathbb{F}_q}(y)$, where, for $x \in \mathbb{F}_{q^r}$, $N_{\mathbb{F}_{q^r}/\mathbb{F}_q}(x)$ denotes the norm of $x$ over $\mathbb{F}_q$, and for $y \in \mathbb{F}_{q^r}$, $T_{\mathbb{F}_{q^r}/\mathbb{F}_q}(y)$ denotes the trace of $y$ over $\mathbb{F}_q$. Norm-trace curves were introduced by Geil in [2]. They are a natural generalization of Hermitian curves, these being the norm-trace curves resulting from the field extension $\mathbb{F}_{q^2}/\mathbb{F}_q$. Norm-trace curves have a single rational point $P_\infty$ at infinity and $n = q^{2r-1}$ proper rational points.
In this work we consider a somewhat broader family of curves that includes norm-trace curves. For example, our family includes $x^u = T_{\mathbb{F}_{q^r}/\mathbb{F}_q}(y)$, where $u$ divides $(q^r - 1)/(q - 1)$, and it also includes the maximal curves derived from Hermitian curves studied in [3].

Part of this work is in the manuscript [1] submitted for publication.

This work was partly supported by the Catalan Government through a grant BE-2 2006 and a grant 2005 SGR 00446 and by the Spanish Ministry of Education through projects TSI2007-65406-C03-01 E-AEGIS and CONSOLIDER CSD2007-00004 ARES.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 337–346, 2007.
© Springer-Verlag Berlin Heidelberg 2007
338 M. Bras-Amorós and M.E. O’Sullivan

One can check that the new family of curves also fits the conditions for the list decoding algorithm for Hermitian codes using Gröbner bases presented by Lee and O'Sullivan [4].
The codes we obtain from these curves can be seen as codes from order do-
mains. The theory of codes from order domains is developed in [5,6,7,8,9]. For
these codes there is a lower bound on the minimum distance and an efficient gen-
eralization of the Berlekamp-Massey algorithm based on Sakata’s algorithm for
finding linear recurrence relations in multidimensional arrays [10]. Using the ma-
jority voting method of Feng, Rao, and Duursma, [11,12] the algorithm corrects
up to half the above mentioned bound on the minimum distance. Improvements
to code dimension, while maintaining a fixed decoding radius were discovered
by Feng and Rao [11]. Our earlier work [13] considered a different improvement,
based on the observation that the decoding algorithm corrects an error vector
based not so much on the weight of the vector but rather the “footprint” of the
error locations [14]. For some codes, most error vectors of a given weight t have
a particular footprint. Those error vectors are called generic and are correctable
with fewer check symbols than are required to correct all error vectors of weight
t. These results may be combined with the Feng-Rao improvements to increase
the dimension of a code while maintaining a desired correction capability.
We show how the codes from the new family of curves still satisfy Geil’s
duality properties stated for norm-trace codes [2]. That is, it is easy to find a
minimal set of parity checks guaranteeing correction of a given number of errors,
as well as the set of monomials generating the corresponding code.
Furthermore, following the results in [13] we describe a way to find the minimal set of parity checks and the corresponding generating monomials guaranteeing correction of at least the generic errors. This gives codes with larger dimensions.

2 Codes from Extended Norm-Trace Curves

A linearized polynomial over $\mathbb{F}_q$, also called a $q$-polynomial, is a polynomial over $\mathbb{F}_q$ whose terms all have degree a power of $q$ [15, §3.4]. Let $L(y) = \sum_{i=0}^{d} a_i y^{q^i}$ be a linearized polynomial such that $a_0, a_d$ are nonzero and such that $L(y) = 0$ has $q^d$ distinct solutions in $\mathbb{F}_{q^r}$. Then $L$ gives a $q^d$-to-one map from $\mathbb{F}_{q^r}$ into itself [15].
Let $\eta$ be a primitive element of $\mathbb{F}_{q^r}$. Let $v$ be any factor of $q^r - 1$ and let $D$ be the powers of $\eta^v$, along with 0: $D = \{0\} \cup \{\eta^{vm} : m \in \{1, \ldots, \frac{q^r - 1}{v}\}\}$. We will assume that $L(\mathbb{F}_{q^r}) \supseteq D$. Then for any $u$ dividing $v$ we consider the curve $x^u = L(y)$ whose coordinate ring is
$$A = \frac{\mathbb{F}_{q^r}[x, y]}{x^u - L(y)}.$$
A basis of $A$ as a vector space over $\mathbb{F}_{q^r}$ is given by the images in $A$ of the set of monomials $B = \{x^a y^b : b < q^d\}$. Consider the total ordering $\prec$ on $A$ determined by the $(q^d, u)$ weighted degree, $\deg_{q^d, u}(x^a y^b) = q^d a + ub$. One can check that any monomial in $\mathbb{F}_q[x, y]$ has the same weighted degree as exactly one monomial in $B$. In particular, no two monomials from $B$ have the same weighted degree. Let $z_i$ be the $i$th monomial in $B$ with respect to $\prec$, starting with $z_0 = 1$. Notice that
if $z_i$ divides $z_j$ then $i \le j$. We say that a set of monomials $W$ is divisor-closed if $z_i \in W$ whenever $z_i$ divides a monomial in $W$.
Since $u$ is coprime to $q$, this curve has a unique point at infinity. We consider all points $(\alpha, \beta)$ on the curve such that $\alpha^u = L(\beta) \in D$. Thus $\alpha$ is either 0 or $\alpha \in \{\eta^{mv/u} : m \in \{1, \ldots, \frac{(q^r - 1)u}{v}\}\}$. There are
$$n = q^d \left( \frac{(q^r - 1)u}{v} + 1 \right)$$
such points, $P_1, \ldots, P_n$.
Let $\varphi : A \longrightarrow \mathbb{F}_q^n$ be such that $f \mapsto (f(P_1), \ldots, f(P_n))$ and let $W$ be a set of monomials in $B$. We call $E_W$ the linear code spanned by $\{\varphi(z_i) : z_i \in W\}$ and $C_W$ the dual code.
Given $W$ define $W_\varphi$ as the set $\{z_i \in W : \varphi(z_i) \text{ is not in the span of } \varphi(z_j),\ j \in W,\ j < i\}$ and let $M = \{x^a y^b : a \le \frac{(q^r - 1)u}{v},\ b < q^d\}$. The next proposition shows how the set $W$ defining a code can be reduced to its intersection with $M$. For the sake of brevity, the proof of this proposition has been omitted.

Proposition 1.
– If $W \subseteq M$ then $W_\varphi = W$.
– If $W$ is divisor-closed then $W_\varphi = W \cap M$.

The next proposition shows how to find the set $W^\perp$ defining the dual code of the code defined by $W$. As before, for the sake of brevity, the proof of this proposition has been omitted. The proofs of both propositions are in [1].

Proposition 2. Suppose that the prime divisor of $q$ also divides $v - u$. If $W \subseteq M$ is divisor-closed then $C_W = E_{W^\perp}$ where
$$W^\perp = M \setminus \left\{ x^{\frac{(q^r - 1)u}{v} - a}\, y^{\,q^d - 1 - b} : x^a y^b \in W \right\}.$$

Example 1. Let $q$ be a prime power, let $i, j, k$ be positive integers with $j, k > 1$ and let $r$ be a common multiple of $ij$ and $k$. Consider the curve with affine equation
$$x^{\frac{q^{ij} - 1}{q^i - 1}} = y^{q^{k-1}} + y^{q^{k-2}} + \cdots + y^{q^2} + y^q + y.$$
We may write this as $N_{\mathbb{F}_{q^{ij}}/\mathbb{F}_{q^i}}(x) = T_{\mathbb{F}_{q^k}/\mathbb{F}_q}(y)$, which is illustrated in the diagram of fields in Figure 1. This curve matches the former scheme with $v = \frac{q^r - 1}{q - 1}$ and $u = \frac{q^{ij} - 1}{q^i - 1}$. In this case $D = \{0\} \cup \{\eta^{vm} : m \in \{1, \ldots, q - 1\}\} = \mathbb{F}_q$, and we can verify that $u$ divides $v$ since
$$\frac{v}{u} = \frac{q^r - 1}{q - 1} \cdot \frac{q^i - 1}{q^{ij} - 1} = \frac{q^r - 1}{q^{ij} - 1} \cdot \frac{q^i - 1}{q - 1}$$
is an integer. Furthermore,

Fig. 1. Field extensions defining the curve of Example 1 (diagram: $\mathbb{F}_{q^r}$ at the top, lying over $\mathbb{F}_{q^{ij}}$ and $\mathbb{F}_{q^k}$; the norm $N$ is taken along $\mathbb{F}_{q^{ij}}/\mathbb{F}_{q^i}$ and the trace $T$ along $\mathbb{F}_{q^k}/\mathbb{F}_q$, with $\mathbb{F}_{q^i}$ over $\mathbb{F}_q$ at the bottom).



both $u$ and $v$ are 1 modulo $q$, so $q$ divides $v - u$. Thus the assumptions of this section are fulfilled. Because of our choice of $D$, the only points on the curve that we are considering are in $\mathbb{F}_{q^{ij}} \times \mathbb{F}_{q^k}$ and there are $q^{k-1}(1 + (q - 1)u)$ of them. There may be other points on the curve, but we have not been able to show that the duality properties of this section can be extended to a larger set of points.
Norm-trace curves as defined in [2] correspond to the curves in this example when $i = 1$ and $j = k = r$, and Hermitian curves correspond to the case when $i = 1$ and $j = k = 2$. Other curves can be obtained which are not Hermitian curves or norm-trace curves as in [2]. In Table 1 we list the possible norm and trace functions for all the extensions of finite fields contained in $\mathbb{F}_{2^8}$.
As an example, the curve with affine equation
$$x^3 = y^8 + y^4 + y^2 + y$$
over $\mathbb{F}_{2^4}$ is obtained taking $q = 2$, $i = 1$, $j = 2$, $k = 4$ and $r = 4$. In this case $u = 3$ and $v = 15$ and the number of points in $\mathbb{F}_4 \times \mathbb{F}_{16}$ is 32. Considering $\mathbb{F}_{16} = \mathbb{F}_2[X]/(X^4 + X + 1)$ and taking $\alpha = [X]$, these 32 points are $(0, 0)$, $(0, 1)$, $(0, \alpha)$, $(0, \alpha^2)$, $(0, \alpha^4)$, $(0, \alpha^5)$, $(0, \alpha^8)$, $(0, \alpha^{10})$, $(1, \alpha^3)$, $(1, \alpha^6)$, $(1, \alpha^7)$, $(1, \alpha^9)$, $(1, \alpha^{11})$, $(1, \alpha^{12})$, $(1, \alpha^{13})$, $(1, \alpha^{14})$, $(\alpha^5, \alpha^3)$, $(\alpha^5, \alpha^6)$, $(\alpha^5, \alpha^7)$, $(\alpha^5, \alpha^9)$, $(\alpha^5, \alpha^{11})$, $(\alpha^5, \alpha^{12})$, $(\alpha^5, \alpha^{13})$, $(\alpha^5, \alpha^{14})$, $(\alpha^{10}, \alpha^3)$, $(\alpha^{10}, \alpha^6)$, $(\alpha^{10}, \alpha^7)$, $(\alpha^{10}, \alpha^9)$, $(\alpha^{10}, \alpha^{11})$, $(\alpha^{10}, \alpha^{12})$, $(\alpha^{10}, \alpha^{13})$, $(\alpha^{10}, \alpha^{14})$.
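The 32 points listed above can be regenerated from the field arithmetic. The Python script below is an added example and not code from the paper: it builds $\mathbb{F}_{16} = \mathbb{F}_2[X]/(X^4 + X + 1)$ with $\alpha = [X]$, enumerates the points $(x, y)$ with $x^3 = y^8 + y^4 + y^2 + y$ and $y^8 + y^4 + y^2 + y \in \mathbb{F}_2$, orders them as the paper lists them ($x = 0, 1, \alpha^5, \alpha^{10}$, then $y$ by increasing exponent), and evaluates monomials $x^a y^b$ at those points, which is how the rows of the parity check and generating matrices in Figures 4 and 5 later in the paper arise. Function names and the bit-vector encoding of field elements are this example's own.

```python
# Added example (not from the paper): enumerate the affine points of the curve
# x^3 = y^8 + y^4 + y^2 + y of Example 1 with x in F_4 and y in F_16, and
# re-evaluate the monomials x^a y^b at those points, which is how the rows of
# the parity-check and generating matrices of Figures 4 and 5 are obtained.
# F_16 = F_2[X]/(X^4 + X + 1); an element is a 4-bit int and alpha = [X] = 0b0010.

MOD = 0b10011   # X^4 + X + 1
ALPHA = 0b0010  # alpha = [X], a primitive element of F_16

def gf16_mul(a, b):
    """Carry-less product reduced modulo X^4 + X + 1."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b10000:
            a ^= MOD
    return r

def gf16_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf16_mul(r, a)
    return r

def trace(y):
    """T_{F16/F2}(y) = y^8 + y^4 + y^2 + y, the linearized polynomial L(y)."""
    return y ^ gf16_pow(y, 2) ^ gf16_pow(y, 4) ^ gf16_pow(y, 8)

LOG = {gf16_pow(ALPHA, k): k for k in range(15)}  # discrete log base alpha

def log_alpha(z):
    """Exponent k with alpha^k = z, or -1 for z = 0 (used for ordering and printing)."""
    return -1 if z == 0 else LOG[z]

def curve_points(u=3):
    """All (x, y) with x^u = L(y) and L(y) in D = {0, 1} = F_2, in the paper's order:
    x = 0, 1, alpha^5, alpha^10 and, within each block, y by increasing exponent."""
    pts = [(x, y) for x in range(16) for y in range(16)
           if trace(y) in (0, 1) and gf16_pow(x, u) == trace(y)]
    return sorted(pts, key=lambda p: (log_alpha(p[0]), log_alpha(p[1])))

def eval_row(a, b):
    """phi(x^a y^b): the monomial evaluated at the 32 points, one entry per point."""
    return [gf16_mul(gf16_pow(x, a), gf16_pow(y, b)) for x, y in curve_points()]

def eval_row_exponents(a, b):
    """The same row written as exponents of alpha (-1 standing for the element 0)."""
    return [log_alpha(z) for z in eval_row(a, b)]

if __name__ == "__main__":
    pts = curve_points()
    print(len(pts), "points")                       # 32
    print("phi(xy) =", eval_row_exponents(1, 1))    # row of phi(xy) as alpha exponents
```

The x-block structure is visible in the output: $\varphi(xy)$ is zero on the eight points with $x = 0$, equals $y$ on the eight with $x = 1$, and is $y$ shifted by $\alpha^5$ and $\alpha^{10}$ on the remaining two blocks.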

Table 1. For the field $\mathbb{F}_{256}$ the norm and trace functions appearing in Example 1 are listed. The curves considered are obtained for a fixed $q$ by setting any norm function equal to any trace function.

q = 2
  i, j   Norm function on x      k   Trace function on y
  1, 2   x^3                     2   y^2 + y
  1, 4   x^15                    4   y^8 + y^4 + y^2 + y
  1, 8   x^255                   8   y^128 + y^64 + y^32 + y^16 + y^8 + y^4 + y^2 + y
  2, 2   x^5
  2, 4   x^85
  4, 2   x^17

q = 4
  i, j   Norm function on x      k   Trace function on y
  1, 2   x^5                     2   y^4 + y
  1, 4   x^85                    4   y^64 + y^16 + y^4 + y
  2, 2   x^17

q = 16
  i, j   Norm function on x      k   Trace function on y
  1, 2   x^17                    2   y^16 + y

3 Correction-Capability-Optimized Evaluation Codes

Given a field $\mathbb{F}$ and an $\mathbb{F}$-algebra $A$, an order function on $A$ is a map $\rho : A \longrightarrow \mathbb{N}_{-1}$ which satisfies: i) the set $L_m = \{f \in A : \rho(f) \le m\}$ is an $(m + 1)$-dimensional vector space over $\mathbb{F}$; ii) if $f, g, z \in A$ and $z$ is nonzero then $\rho(f) > \rho(g) \Longrightarrow \rho(zf) > \rho(zg)$ [6,5,16]. The pair $(A, \rho)$ is often called an order domain. It is easy to show that $\rho$ must be surjective. The ring $A$ defined in Section 2 admits an order function in which $z_i$ has order $i$. That is, we may define $\rho$ by i) $\rho(0) = -1$, ii) $\rho(z_i) = i$, iii) $\rho\left(\sum_{i \in I} a_i z_i\right) = \max I$, where the $a_i$ are assumed to be nonzero. Notice that in this case two elements $f, g$ in $A$ have the same order if and only if $v_{P_\infty}(f) = v_{P_\infty}(g)$.
Given an order function $\rho$, an operation $\oplus$ on $\mathbb{N}_0$ can be well defined by $i \oplus j = \rho(fg)$, where $f$ and $g$ are such that $\rho(f) = i$ and $\rho(g) = j$. In our example, $i \oplus j = k$ is equivalent to $v_{P_\infty}(z_i) + v_{P_\infty}(z_j) = v_{P_\infty}(z_k)$. In fact $(\mathbb{N}_0, \oplus)$ is a commutative semigroup. We can define a partial ordering $\preceq$ on $\mathbb{N}_0$ by setting $i \preceq j$ if and only if there exists $k \in \mathbb{N}_0$ such that $i \oplus k = j$. When $i \preceq j$ we must also have $i \le j$. An important parameter for decoding is $\nu_i = |\{j \in \mathbb{N}_0 : j \preceq i\}|$.
Codes from order domains are defined by means of a surjective map $\varphi : A \longrightarrow \mathbb{F}^n$. Consider a basis $B$ of $A$ with an element of each order. Given a subset $W$ of $B$, define the order-prescribed evaluation code related to $W$ as the $\mathbb{F}$-subspace $E_W$ generated by $\{\varphi(z_i) : z_i \in W\}$ and define $C_W$ to be its dual code. For the codes considered here we take $\varphi$ as the map which takes $f \in A$ to $(f(P_1), \ldots, f(P_n))$, where $P_1, \ldots, P_n$ are the points of the curve different from the one at infinity.
The subsets W can be defined in order to achieve optimal correction capability.
The two results on decoding performance that we need are the following.

Theorem 1. [11] All error vectors of weight $t$ can be corrected by $C_W$ if $W$ contains all elements $z_i$ with $\nu_i < 2t + 1$.

Theorem 2. [13] All generic error vectors of weight $t$ can be corrected by $C_W$ if $W$ contains all elements $z_i$ with $i \notin \{j \oplus k : j, k \ge t\}$.

Theorem 1 can be used to design an optimal order-prescribed evaluation code correcting $t$ errors. Indeed, take $R(t) = \{z_i : \nu_i < 2t + 1\}$ and use the code $C_{R(t)}$. This construction is due to Feng and Rao [11]. Theorem 2 can be used to design an optimal order-prescribed evaluation code correcting all generic errors of weight $t$. Indeed, take $C_{R^*(t)}$ where $R^*(t)$ is $\mathbb{N}_0 \setminus \{i \oplus j : i, j \ge t\}$. This construction was introduced in [13].

Example 2. Consider the codes over the curve with affine equation $x^3 = y^8 + y^4 + y^2 + y$ over $\mathbb{F}_{16}$. The monomials in $A$ are ordered by their $(q^d, u) = (8, 3)$ graded degree, which in turn is the pole order of each monomial at infinity. Thus, $z_0 = 1$, $z_1 = y$, $z_2 = y^2$, $z_3 = x$, $z_4 = y^3$, $z_5 = xy$, etc.
The parity checks $\varphi(x^a y^b)$ can be represented by the corresponding monomials $x^a y^b$ and each monomial $x^a y^b$ can be represented by the point with coordinates $(a, b)$ in the $\mathbb{N}_0 \times \mathbb{N}_0$ grid. This is illustrated in Figure 2(a) and Figure 2(b). Figure 2(c) represents the pole order at infinity of each monomial represented in Figure 2(a). In this case the $\nu$-value corresponding to the monomial $z_i$ is the number of monomials $z_j, z_k$ with $v_{P_\infty}(z_j) + v_{P_\infty}(z_k) = v_{P_\infty}(z_i)$. Figure 2(d) represents these $\nu$-values.
Suppose we want to correct 3 errors. Theorem 1 says that the minimum set of parity checks that we need corresponds exactly to those monomials whose $\nu$-value is at most 6. This gives the set $R(3) = \{z_0 = 1,\ z_1 = y,\ z_2 = y^2,\ z_3 = x,\ z_4 = y^3,\ z_5 = xy,\ z_6 = y^4,\ z_7 = xy^2,\ z_8 = y^5,\ z_9 = x^2,\ z_{12} = x^2 y\}$. These monomials are represented in Figure 2(e).
If we just want to guarantee correction of generic errors, Theorem 2 says that the minimum set of parity checks that we need corresponds exactly to those monomials whose pole order at infinity is not the sum of the pole orders of two monomials in $z_3, z_4, z_5, \ldots$. This gives the set $R^*(3) = \{z_0 = 1,\ z_1 = y,\ z_2 = y^2,\ z_3 = x,\ z_4 = y^3,\ z_5 = xy,\ z_6 = y^4,\ z_7 = xy^2,\ z_8 = y^5\}$. These monomials are represented in Figure 2(f). Notice that $R^*(3) \subseteq R(3)$ and that $R(3)$ has two more monomials than $R^*(3)$.

Fig. 2. (a) Monomials $x^a y^b$ in the $\mathbb{N}_0 \times \mathbb{N}_0$ grid (column $a = 0, 1, 2, 3$; row $b = 7$ at the top down to $b = 0$ at the bottom); (b) basis elements $z_i$; (c) pole orders at $P_\infty$; (d) $\nu$-values; (e) $R(3)$ (marked •); (f) $R^*(3)$ (marked ×).

         (b) basis elements       (c) pole orders at P∞    (d) ν-values
  b=7    z14                      21                       8
  b=6    z11  z19                 18  26                   7  14
  b=5    z8   z16                 15  23                   6  12
  b=4    z6   z13                 12  20                   5  10
  b=3    z4   z10  z18             9  17  25               4   8  12
  b=2    z2   z7   z15             6  14  22               3   6   9
  b=1    z1   z5   z12  z20        3  11  19  27           2   4   6  14
  b=0    z0   z3   z9   z17        0   8  16  24           1   2   3  11
         a=0  a=1  a=2  a=3       a=0 a=1 a=2 a=3          a=0 a=1 a=2 a=3

         (e) R(3)            (f) R*(3)
  b=5    •                   ×
  b=4    •                   ×
  b=3    •                   ×
  b=2    •   •               ×   ×
  b=1    •   •   •           ×   ×
  b=0    •   •   •           ×   ×
         a=0 a=1 a=2         a=0 a=1

Dimension and Generating Matrices of Correction-Capability-Optimized Codes from Extended Norm-Trace Curves

In this subsection we see how the sets of check monomials giving correction-capability-optimized codes from extended norm-trace curves behave well in the sense that they are divisor-closed. Hence, we can find nice ways to determine the actual dimensions of the codes, their parity-check matrices and their generating matrices.

Lemma 1. The sets $R(t)$ and $R^*(t)$ are divisor-closed.

Proof. Notice that for a subset $W$ being divisor-closed is equivalent to being $\preceq$-closed, that is, $i \in W$ for all $i \preceq j$ with $j \in W$. If $i \preceq j$ and $j \in R(t)$ then $\nu_i \le \nu_j < 2t + 1$, so $i \in R(t)$. Thus $R(t)$ is closed under $\preceq$. To prove that $R^*(t)$ is closed under $\preceq$ notice that, if $i \preceq j$ then $j = i \oplus s$ for some $s \in \mathbb{N}_0$. Suppose $i \notin R^*(t)$. Then $i = k \oplus l$ with $k, l \ge t$ and $j = i \oplus s = k \oplus (l \oplus s)$ and so $j \notin R^*(t)$.

Corollary 1. $R_\varphi(t) = R(t) \cap M$, $R^*_\varphi(t) = R^*(t) \cap M$.

Corollary 2. $C_{R(t)} = C_{R_\varphi(t)} = E_{R_\varphi(t)^\perp}$, $C_{R^*(t)} = C_{R^*_\varphi(t)} = E_{R^*_\varphi(t)^\perp}$.

Example 3. Consider the codes $C_{R(3)}$ and $C_{R^*(3)}$ over the curve $x^3 = y^8 + y^4 + y^2 + y$ represented in Figure 2(e) and Figure 2(f). In this case $\frac{(q^4 - 1)u}{v} = 3$ and $q^d - 1 = 7$, so $M = \{x^a y^b : 0 \le a \le 3,\ 0 \le b \le 7\}$ (see Figure 3(a)). Since all checks in $R(3)$ (resp. $R^*(3)$) are inside $M$, by Corollary 1 they are all linearly independent. So the dimension of $C_{R(3)}$ is $32 - 11 = 21$ and the dimension of $C_{R^*(3)}$ is $32 - 9 = 23$.
Now we can use Corollary 2 to derive, from $R(3)$ and $R^*(3)$, the set of monomials $x^a y^b$ such that the vectors $\varphi(x^a y^b)$ generate $C_{R(3)}$ and $C_{R^*(3)}$. In Figure 3(b) we represented all these sets. In Figure 4 and Figure 5 we give the explicit parity check matrices and generating matrices for these codes.

Fig. 3. Obtaining $R(3)^\perp$ and $R^*(3)^\perp$ from $R_\varphi(3)$ and $R^*_\varphi(3)$, respectively, on the grid $M = \{x^a y^b : 0 \le a \le 3,\ 0 \le b \le 7\}$ (column $a$, row $b$ with $b = 7$ at the top). A × marks a monomial of the dual set; a · marks a monomial $x^{3-a} y^{7-b}$ removed from $M$ by Proposition 2 because $x^a y^b$ is a check.

         (a) R(3)^⊥              (b) R*(3)^⊥
  b=7    ×   ·   ·   ·           ×   ×   ·   ·
  b=6    ×   ·   ·   ·           ×   ×   ·   ·
  b=5    ×   ×   ·   ·           ×   ×   ·   ·
  b=4    ×   ×   ×   ·           ×   ×   ×   ·
  b=3    ×   ×   ×   ·           ×   ×   ×   ·
  b=2    ×   ×   ×   ·           ×   ×   ×   ·
  b=1    ×   ×   ×   ×           ×   ×   ×   ×
  b=0    ×   ×   ×   ×           ×   ×   ×   ×
         a=0 a=1 a=2 a=3         a=0 a=1 a=2 a=3
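Everything in Example 2 and Example 3 above depends only on the pole orders $8a + 3b$, so the check sets, the $\nu$-values, Lemma 1 and the dimensions can be recomputed without any field arithmetic. The following Python script is an added example, not code from the paper: it computes $\nu$-values, $R(t)$ and $R^*(t)$ from Theorems 1 and 2, checks that both sets are divisor-closed (Lemma 1), forms $W^\perp$ by Proposition 2, and returns the dimensions $n - |W| = 21$ and $23$ of Example 3. The finite search windows used in R and R_star are justified in the comments; names such as R_star, dual_set and basis_upto are this example's own.

```python
# Added example (not from the paper): the semigroup side of Section 3 for the
# curve x^3 = y^8 + y^4 + y^2 + y over F_16 (Examples 2 and 3). With q^d = 8 and
# u = 3 the basis monomial x^a y^b (b < 8) has pole order 8a + 3b, so the pole
# orders form the numerical semigroup generated by 3 and 8. From that alone we
# get the nu-values, the check sets R(t) and R*(t) of Theorems 1 and 2, the
# divisor-closed property of Lemma 1, the dual set W^perp of Proposition 2 and
# the dimensions n - |W| of Example 3.

QD, U = 8, 3            # weights: deg x = q^d = 8, deg y = u = 3
A_MAX, B_MAX = 3, 7     # M = {x^a y^b : a <= (q^r-1)u/v = 3, b <= q^d-1 = 7}, |M| = n = 32

def order(mono):
    """Pole order at P_inf of x^a y^b, i.e. its (q^d, u) weighted degree."""
    a, b = mono
    return QD * a + U * b

def in_semigroup(w):
    """w is a pole order iff w = 8a + 3b for some a, b >= 0 (b < 8 suffices)."""
    return w >= 0 and any((w - U * b) % QD == 0 for b in range(QD) if w - U * b >= 0)

GAPS = [w for w in range(QD * U) if not in_semigroup(w)]   # [1, 2, 4, 5, 7, 10, 13]
GENUS = len(GAPS)                                           # g = 7
CONDUCTOR = max(GAPS) + 1                                   # every w >= 14 is a pole order

def basis_upto(bound):
    """Basis monomials x^a y^b (b < 8) of pole order < bound, sorted as z_0, z_1, ..."""
    monos = [(a, b) for a in range(bound // QD + 1) for b in range(QD) if order((a, b)) < bound]
    return sorted(monos, key=order)

def z(i):
    """The i-th basis monomial z_i (z_0 = 1, z_1 = y, z_2 = y^2, z_3 = x, ...)."""
    return basis_upto(QD * (i + 1))[i]

def nu(mono):
    """nu_i = number of pairs (z_j, z_k) of basis monomials with w_j + w_k = w_i."""
    w = order(mono)
    return sum(1 for s in range(w + 1) if in_semigroup(s) and in_semigroup(w - s))

def R(t):
    """Theorem 1 (Feng-Rao): R(t) = {z_i : nu_i < 2t + 1}. Since nu_i >= w_i - 2g + 1,
    monomials of pole order >= 2t + 2g can never qualify, which bounds the search."""
    return [m for m in basis_upto(2 * t + 2 * GENUS) if nu(m) < 2 * t + 1]

def R_star(t):
    """Theorem 2: R*(t) = N_0 minus {i (+) j : i, j >= t}, i.e. drop every monomial whose
    pole order is a sum of two pole orders that are both >= w_t = order(z_t)."""
    wt = order(z(t))
    def is_sum(w):
        return any(in_semigroup(s) and in_semigroup(w - s) for s in range(wt, w - wt + 1))
    # every w >= 2*wt with w - wt >= CONDUCTOR is such a sum, so the search is finite
    return [m for m in basis_upto(wt + max(wt, CONDUCTOR)) if not is_sum(order(m))]

def divisor_closed(W):
    """Lemma 1: W contains every divisor x^a' y^b' (a' <= a, b' <= b) of each x^a y^b in W."""
    S = set(W)
    return all((a2, b2) in S for a, b in W for a2 in range(a + 1) for b2 in range(b + 1))

def grid_M():
    return {(a, b) for a in range(A_MAX + 1) for b in range(B_MAX + 1)}

def dual_set(W):
    """Proposition 2: W^perp = M minus {x^(3-a) y^(7-b) : x^a y^b in W}, for W inside M."""
    assert set(W) <= grid_M(), "Proposition 2 needs W inside M"
    return sorted(grid_M() - {(A_MAX - a, B_MAX - b) for a, b in W}, key=order)

def dimension(W):
    """dim C_W = n - |W| for divisor-closed W inside M (Corollaries 1 and 2)."""
    assert divisor_closed(W) and set(W) <= grid_M()
    return len(grid_M()) - len(W)

if __name__ == "__main__":
    print("R(3)  =", R(3), "-> dim", dimension(R(3)))            # 11 checks, dim 21
    print("R*(3) =", R_star(3), "-> dim", dimension(R_star(3)))  # 9 checks, dim 23
```

The two searches terminate because of the bounds noted in the code: for R(t), $\nu_i \ge w_i - 2g + 1$ (with $g$ the number of gaps of the semigroup, 7 here), and for R*(t), any pole order at least $\max(2w_t,\ w_t + c)$ with $c$ the conductor is a sum of two pole orders at least $w_t$. Both dual sets, read off from dual_set, are exactly the rows of the generating matrices in Figures 4 and 5.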
In Figures 4 and 5 the 32 columns are indexed by the points of Example 1 in the order listed there: first the eight points with $x = 0$ ($y = 0, 1, \alpha, \alpha^2, \alpha^4, \alpha^5, \alpha^8, \alpha^{10}$), then the eight with $x = 1$, the eight with $x = \alpha^5$ and the eight with $x = \alpha^{10}$, in each of these three blocks with $y = \alpha^3, \alpha^6, \alpha^7, \alpha^9, \alpha^{11}, \alpha^{12}, \alpha^{13}, \alpha^{14}$; the bars separate the four blocks. Row $\varphi(x^a y^b)$ is the evaluation of $x^a y^b$ at the 32 points.

Parity check matrix of $C_{R(3)}$ (rows $\varphi(z_i)$, $z_i \in R(3)$):
ϕ(1)      1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1
ϕ(y)      0 1 α α^2 α^4 α^5 α^8 α^10 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14
ϕ(y^2)    0 1 α^2 α^4 α^8 α^10 α α^5 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13
ϕ(x)      0 0 0 0 0 0 0 0 | 1 1 1 1 1 1 1 1 | α^5 α^5 α^5 α^5 α^5 α^5 α^5 α^5 | α^10 α^10 α^10 α^10 α^10 α^10 α^10 α^10
ϕ(y^3)    0 1 α^3 α^6 α^12 1 α^9 1 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12
ϕ(xy)     0 0 0 0 0 0 0 0 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^8 α^11 α^12 α^14 α α^2 α^3 α^4 | α^13 α α^2 α^4 α^6 α^7 α^8 α^9
ϕ(y^4)    0 1 α^4 α^8 α α^5 α^2 α^10 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11
ϕ(xy^2)   0 0 0 0 0 0 0 0 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α^11 α^2 α^4 α^8 α^12 α^14 α α^3 | α α^7 α^9 α^13 α^2 α^4 α^6 α^8
ϕ(y^5)    0 1 α^5 α^10 α^5 α^10 α^10 α^5 | 1 1 α^5 1 α^10 1 α^5 α^10 | 1 1 α^5 1 α^10 1 α^5 α^10 | 1 1 α^5 1 α^10 1 α^5 α^10
ϕ(x^2)    0 0 0 0 0 0 0 0 | 1 1 1 1 1 1 1 1 | α^10 α^10 α^10 α^10 α^10 α^10 α^10 α^10 | α^5 α^5 α^5 α^5 α^5 α^5 α^5 α^5
ϕ(x^2y)   0 0 0 0 0 0 0 0 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^13 α α^2 α^4 α^6 α^7 α^8 α^9 | α^8 α^11 α^12 α^14 α α^2 α^3 α^4

Generating matrix of $C_{R(3)}$ (rows $\varphi(z_i)$, $z_i \in R(3)^\perp$):
ϕ(1)      1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1
ϕ(y)      0 1 α α^2 α^4 α^5 α^8 α^10 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14
ϕ(y^2)    0 1 α^2 α^4 α^8 α^10 α α^5 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13
ϕ(x)      0 0 0 0 0 0 0 0 | 1 1 1 1 1 1 1 1 | α^5 α^5 α^5 α^5 α^5 α^5 α^5 α^5 | α^10 α^10 α^10 α^10 α^10 α^10 α^10 α^10
ϕ(y^3)    0 1 α^3 α^6 α^12 1 α^9 1 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12
ϕ(xy)     0 0 0 0 0 0 0 0 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^8 α^11 α^12 α^14 α α^2 α^3 α^4 | α^13 α α^2 α^4 α^6 α^7 α^8 α^9
ϕ(y^4)    0 1 α^4 α^8 α α^5 α^2 α^10 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11
ϕ(xy^2)   0 0 0 0 0 0 0 0 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α^11 α^2 α^4 α^8 α^12 α^14 α α^3 | α α^7 α^9 α^13 α^2 α^4 α^6 α^8
ϕ(y^5)    0 1 α^5 α^10 α^5 α^10 α^10 α^5 | 1 1 α^5 1 α^10 1 α^5 α^10 | 1 1 α^5 1 α^10 1 α^5 α^10 | 1 1 α^5 1 α^10 1 α^5 α^10
ϕ(x^2)    0 0 0 0 0 0 0 0 | 1 1 1 1 1 1 1 1 | α^10 α^10 α^10 α^10 α^10 α^10 α^10 α^10 | α^5 α^5 α^5 α^5 α^5 α^5 α^5 α^5
ϕ(xy^3)   0 0 0 0 0 0 0 0 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12 | α^14 α^8 α^11 α^2 α^8 α^11 α^14 α^2 | α^4 α^13 α α^7 α^13 α α^4 α^7
ϕ(y^6)    0 1 α^6 α^12 α^9 1 α^3 1 | α^3 α^6 α^12 α^9 α^6 α^12 α^3 α^9 | α^3 α^6 α^12 α^9 α^6 α^12 α^3 α^9 | α^3 α^6 α^12 α^9 α^6 α^12 α^3 α^9
ϕ(x^2y)   0 0 0 0 0 0 0 0 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^13 α α^2 α^4 α^6 α^7 α^8 α^9 | α^8 α^11 α^12 α^14 α α^2 α^3 α^4
ϕ(xy^4)   0 0 0 0 0 0 0 0 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11 | α^2 α^14 α^3 α^11 α^4 α^8 α^12 α | α^7 α^4 α^8 α α^9 α^13 α^2 α^6
ϕ(y^7)    0 1 α^7 α^14 α^13 α^5 α^11 α^10 | α^6 α^12 α^4 α^3 α^2 α^9 α α^8 | α^6 α^12 α^4 α^3 α^2 α^9 α α^8 | α^6 α^12 α^4 α^3 α^2 α^9 α α^8
ϕ(x^2y^2) 0 0 0 0 0 0 0 0 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α α^7 α^9 α^13 α^2 α^4 α^6 α^8 | α^11 α^2 α^4 α^8 α^12 α^14 α α^3
ϕ(xy^5)   0 0 0 0 0 0 0 0 | 1 1 α^5 1 α^10 1 α^5 α^10 | α^5 α^5 α^10 α^5 1 α^5 α^10 1 | α^10 α^10 1 α^10 α^5 α^10 1 α^5
ϕ(x^3)    0 0 0 0 0 0 0 0 | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1
ϕ(x^2y^3) 0 0 0 0 0 0 0 0 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12 | α^4 α^13 α α^7 α^13 α α^4 α^7 | α^14 α^8 α^11 α^2 α^8 α^11 α^14 α^2
ϕ(x^3y)   0 0 0 0 0 0 0 0 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14
ϕ(x^2y^4) 0 0 0 0 0 0 0 0 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11 | α^7 α^4 α^8 α α^9 α^13 α^2 α^6 | α^2 α^14 α^3 α^11 α^4 α^8 α^12 α

Fig. 4. Parity check matrix (above) and generating matrix (below) of $C_{R(3)}$

Parity check matrix of $C_{R^*(3)}$ (rows $\varphi(z_i)$, $z_i \in R^*(3)$):
ϕ(1)      1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1
ϕ(y)      0 1 α α^2 α^4 α^5 α^8 α^10 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14
ϕ(y^2)    0 1 α^2 α^4 α^8 α^10 α α^5 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13
ϕ(x)      0 0 0 0 0 0 0 0 | 1 1 1 1 1 1 1 1 | α^5 α^5 α^5 α^5 α^5 α^5 α^5 α^5 | α^10 α^10 α^10 α^10 α^10 α^10 α^10 α^10
ϕ(y^3)    0 1 α^3 α^6 α^12 1 α^9 1 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12
ϕ(xy)     0 0 0 0 0 0 0 0 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^8 α^11 α^12 α^14 α α^2 α^3 α^4 | α^13 α α^2 α^4 α^6 α^7 α^8 α^9
ϕ(y^4)    0 1 α^4 α^8 α α^5 α^2 α^10 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11
ϕ(xy^2)   0 0 0 0 0 0 0 0 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α^11 α^2 α^4 α^8 α^12 α^14 α α^3 | α α^7 α^9 α^13 α^2 α^4 α^6 α^8
ϕ(y^5)    0 1 α^5 α^10 α^5 α^10 α^10 α^5 | 1 1 α^5 1 α^10 1 α^5 α^10 | 1 1 α^5 1 α^10 1 α^5 α^10 | 1 1 α^5 1 α^10 1 α^5 α^10

Generating matrix of $C_{R^*(3)}$ (rows $\varphi(z_i)$, $z_i \in R^*(3)^\perp$):
ϕ(1)      1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1
ϕ(y)      0 1 α α^2 α^4 α^5 α^8 α^10 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14
ϕ(y^2)    0 1 α^2 α^4 α^8 α^10 α α^5 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13
ϕ(x)      0 0 0 0 0 0 0 0 | 1 1 1 1 1 1 1 1 | α^5 α^5 α^5 α^5 α^5 α^5 α^5 α^5 | α^10 α^10 α^10 α^10 α^10 α^10 α^10 α^10
ϕ(y^3)    0 1 α^3 α^6 α^12 1 α^9 1 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12
ϕ(xy)     0 0 0 0 0 0 0 0 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^8 α^11 α^12 α^14 α α^2 α^3 α^4 | α^13 α α^2 α^4 α^6 α^7 α^8 α^9
ϕ(y^4)    0 1 α^4 α^8 α α^5 α^2 α^10 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11
ϕ(xy^2)   0 0 0 0 0 0 0 0 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α^11 α^2 α^4 α^8 α^12 α^14 α α^3 | α α^7 α^9 α^13 α^2 α^4 α^6 α^8
ϕ(y^5)    0 1 α^5 α^10 α^5 α^10 α^10 α^5 | 1 1 α^5 1 α^10 1 α^5 α^10 | 1 1 α^5 1 α^10 1 α^5 α^10 | 1 1 α^5 1 α^10 1 α^5 α^10
ϕ(x^2)    0 0 0 0 0 0 0 0 | 1 1 1 1 1 1 1 1 | α^10 α^10 α^10 α^10 α^10 α^10 α^10 α^10 | α^5 α^5 α^5 α^5 α^5 α^5 α^5 α^5
ϕ(xy^3)   0 0 0 0 0 0 0 0 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12 | α^14 α^8 α^11 α^2 α^8 α^11 α^14 α^2 | α^4 α^13 α α^7 α^13 α α^4 α^7
ϕ(y^6)    0 1 α^6 α^12 α^9 1 α^3 1 | α^3 α^6 α^12 α^9 α^6 α^12 α^3 α^9 | α^3 α^6 α^12 α^9 α^6 α^12 α^3 α^9 | α^3 α^6 α^12 α^9 α^6 α^12 α^3 α^9
ϕ(x^2y)   0 0 0 0 0 0 0 0 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^13 α α^2 α^4 α^6 α^7 α^8 α^9 | α^8 α^11 α^12 α^14 α α^2 α^3 α^4
ϕ(xy^4)   0 0 0 0 0 0 0 0 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11 | α^2 α^14 α^3 α^11 α^4 α^8 α^12 α | α^7 α^4 α^8 α α^9 α^13 α^2 α^6
ϕ(y^7)    0 1 α^7 α^14 α^13 α^5 α^11 α^10 | α^6 α^12 α^4 α^3 α^2 α^9 α α^8 | α^6 α^12 α^4 α^3 α^2 α^9 α α^8 | α^6 α^12 α^4 α^3 α^2 α^9 α α^8
ϕ(x^2y^2) 0 0 0 0 0 0 0 0 | α^6 α^12 α^14 α^3 α^7 α^9 α^11 α^13 | α α^7 α^9 α^13 α^2 α^4 α^6 α^8 | α^11 α^2 α^4 α^8 α^12 α^14 α α^3
ϕ(xy^5)   0 0 0 0 0 0 0 0 | 1 1 α^5 1 α^10 1 α^5 α^10 | α^5 α^5 α^10 α^5 1 α^5 α^10 1 | α^10 α^10 1 α^10 α^5 α^10 1 α^5
ϕ(x^3)    0 0 0 0 0 0 0 0 | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1
ϕ(x^2y^3) 0 0 0 0 0 0 0 0 | α^9 α^3 α^6 α^12 α^3 α^6 α^9 α^12 | α^4 α^13 α α^7 α^13 α α^4 α^7 | α^14 α^8 α^11 α^2 α^8 α^11 α^14 α^2
ϕ(xy^6)   0 0 0 0 0 0 0 0 | α^3 α^6 α^12 α^9 α^6 α^12 α^3 α^9 | α^8 α^11 α^2 α^14 α^11 α^2 α^8 α^14 | α^13 α α^7 α^4 α α^7 α^13 α^4
ϕ(x^3y)   0 0 0 0 0 0 0 0 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14 | α^3 α^6 α^7 α^9 α^11 α^12 α^13 α^14
ϕ(x^2y^4) 0 0 0 0 0 0 0 0 | α^12 α^9 α^13 α^6 α^14 α^3 α^7 α^11 | α^7 α^4 α^8 α α^9 α^13 α^2 α^6 | α^2 α^14 α^3 α^11 α^4 α^8 α^12 α
ϕ(xy^7)   0 0 0 0 0 0 0 0 | α^6 α^12 α^4 α^3 α^2 α^9 α α^8 | α^11 α^2 α^9 α^8 α^7 α^14 α^6 α^13 | α α^7 α^14 α^13 α^12 α^4 α^11 α^3

Fig. 5. Parity check matrix (above) and generating matrix (below) of $C_{R^*(3)}$

4 Conclusion

We described a new family of curves generalizing the norm-trace curves intro-


duced by Geil. We showed how the associated correction-capability-optimized
codes behave well in the sense that the set of defining check monomials is divisor-
closed. This enables us to exactly determine the dimension of the codes and to
construct a parity check matrix and a generating matrix.

References
1. Bras-Amorós, M., O'Sullivan, M.E.: Duality for Some Families of Correction Capability Optimized Evaluation Codes (2007)
2. Geil, O.: On Codes From Norm-Trace Curves. Finite Fields Appl. 9(3), 351–371 (2003)
3. Koetter, R.: On the Determination of Error Values for Codes From a Class of Maximal Curves. In: Proc. 35-th Allerton Conference on Communication, Control, and Computing, pp. 44–53 (1997)
4. Lee, K., O'Sullivan, M.E.: List Decoding of Hermitian Codes Using Groebner Bases (2006)
5. Hoeholdt, T., van Lint, J.H., Pellikaan, R.: Algebraic Geometry Codes. In: Handbook of Coding Theory, vol. I, pp. 871–961. North-Holland, Amsterdam (1998)
6. O'Sullivan, M.E.: New Codes for the Berlekamp-Massey-Sakata Algorithm. Finite Fields Appl. 7(2), 293–317 (2001)
7. Geil, O., Pellikaan, R.: On the Structure of Order Domains. Finite Fields Appl. 8(3), 369–396 (2002)
8. Geil, O.: Codes Based on an Fq-Algebra. PhD thesis, Aalborg University (1999)
9. Little, J.B.: The Ubiquity of Order Domains for the Construction of Error Control Codes. Adv. Math. Commun. 1(1), 151–171 (2007)
10. Sakata, S.: Extension of Berlekamp-Massey Algorithm to n Dimensions. IEEE Trans. Inform. Theory 34(5), 1332–1340 (1988)
11. Feng, G.L., Rao, T.R.N.: Improved Geometric Goppa Codes. I. Basic Theory. IEEE Trans. Inform. Theory 41(6, part 1), 1678–1693 (1995)
12. Duursma, I.M.: Majority Coset Decoding. IEEE Trans. Inform. Theory 39(3), 1067–1070 (1993)
13. Bras-Amorós, M., O'Sullivan, M.E.: The Correction Capability of the Berlekamp-Massey-Sakata Algorithm With Majority Voting. Appl. Algebra Engrg. Comm. Comput. 17(5), 315–335 (2006)
14. Geil, O., Hoeholdt, T.: Footprints or Generalized Bezout's Theorem. IEEE Trans. Inform. Theory 46(2), 635–641 (2000)
15. Lidl, R., Niederreiter, H.: Introduction to Finite Fields and Their Applications, 1st edn. Cambridge University Press, Cambridge (1994)
16. Bourbaki, N.: Commutative Algebra, ch. 1–7. Elements of Mathematics. Springer, Berlin (1998)
On Generalized Hamming Weights and the Covering Radius of Linear Codes

H. Janwa^1 and A.K. Lal^2

^1 Department of Mathematics and Computer Science, University of Puerto Rico (UPR), Rio Piedras Campus, P.O. Box: 23355, San Juan, PR 00931-3355
[email protected]
^2 Department of Mathematics and Statistics, Indian Institute of Technology Kanpur, 208016, INDIA
[email protected]

Abstract. We prove an upper bound on the covering radius of linear codes over $\mathbb{F}_q$ in terms of their generalized Hamming weights. We show that this bound is strengthened if we know that the codes satisfy the chain condition or a partial chain condition. We show that this bound improves all prior bounds. Necessary conditions for equality are also presented.
Several applications of our bound are presented. We give tables of improved bounds on the covering radius of many cyclic codes using their generalized Hamming weights. We show that most cyclic codes of length ≤ 39 satisfy the chain condition or partial chain condition up to level 5. We use these results to derive tighter bounds on the covering radius of cyclic codes.

Keywords: Generalized Hamming weights, covering radius, Griesmer bound, optimal codes, cyclic codes, chain condition, generalized Griesmer bound.

1 Introduction
Let $C$ be an $[n, k, d]$ code over $\mathbb{F}_q$ (i.e., a linear subspace of $\mathbb{F}_q^n$ of dimension $k$ and Hamming distance $d$) with a check matrix $H$, and let $r = n - k$ be the redundancy of $C$ (for terminology and standard results on coding theory, we refer to MacWilliams and Sloane [22]).
The covering radius $R(C)$ of $C$ is defined by
$$R(C) := \max_{x \in \mathbb{F}_q^n} \min_{c \in C} d(x, c),$$
where $d(\cdot, \cdot)$ is the Hamming distance. For more details on the covering radius of codes and its applications, we refer to the book by Cohen et al. [2]. An important open problem is to determine the covering radii of cyclic codes, as this class contains BCH codes, Reed-Solomon codes, extended Goppa codes (in general some important AG codes), quadratic-residue codes, some extended algebraic geometric codes, finite geometric codes, and punctured Reed-Muller codes. Covering radii of cyclic codes of length ≤ 64 and co-dimension ≤ 28 were determined by Dougherty and Janwa [3] using a highly efficient parallel algorithm implemented

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 347–356, 2007.
© Springer-Verlag Berlin Heidelberg 2007
348 H. Janwa and A.K. Lal

on massively parallel computers (such as, 1024 node hypercube (at Caltech),
Connection Machines at UCLA, and the Los Alamos National Laboratories). In
[1,2], the authors have shown that the problem of computing covering radii of
codes is known to be both NP-hard and Co-NP-hard. Indeed, this problem is
strictly harder than any NP-Complete problem, unless NP = co-NP.
The complexity of computing the covering radius of an [n, k, d] linear code is of
the order of $O(2^{n-k})$. Thus, finding the exact covering radius of high co-dimensional
linear codes is very difficult, and finding good upper bounds on the covering
radii of such codes is an important problem. In this article, we give tight upper
bounds on the covering radii of q-ary linear codes in terms of their generalized
Hamming weights.
Generalized Hamming weights (GHWs) were introduced by Wei [26] to study
the linear coding scheme for the wire-tap channel of Type II. Ozarow and Wyner
[24] had introduced a linear coding scheme on this channel in connection with
Cryptography (wire-taping). Wei [26] has shown that the GHWs completely
characterize the performance of a linear code when it is used on the above
channel. The GHWs are also called the dimension/length profile and G.D. Forney
[5] has used it in determining the trellis complexity of linear block codes. A
connection between GHWs and list decoding was found by Guruswami [6]. Since
covering radius gives the limits of complete decoding, the results in [6] give
further evidence of a connection between covering radii and GHWs.
Let C be an [n, k] linear code over $\mathbb{F}_q$. For 1 ≤ r ≤ k, the r-th generalized
Hamming weight of C, denoted $d_r(C)$, was defined by Wei [26] as
$$d_r(C) = \min \{\, |\mathrm{Supp}(U)| : U \subset C \text{ and } \dim(U) = r \,\} \qquad (1)$$
where $\mathrm{Supp}(U) = \bigcup_{x \in U} \mathrm{Supp}(x)$ and $\mathrm{Supp}(x)$ is the support of the vector x, i.e.,
the set of coordinates where x is not zero. Note that the minimum distance d
of C is precisely $d_1(C)$. From now on we will use $d_r$ in place of $d_r(C)$, and d in
place of $d_1$.
In general, it is very difficult to compute the GHWs of arbitrary linear codes.
An efficient algorithm to compute the GHWs of cyclic codes was given by Janwa
and Lal [17]. That algorithm is efficient if the dimension of the code is small (and
hence the co-dimension is large). Thus, we are able to give tight upper bound
on the covering radii of high co-dimensional cyclic codes about which we do not
have much information.
The paper is arranged as follows: general background and a list of known
results are contained in Section 2. The main result is contained in Section 3.
Section 4 briefly discusses some improvements of the bounds. Some applications
of our results are contained in Section 5 and Table 1.

2 Background
2.1 Preliminaries
In this section, we mention a few known results with their references. These
results will be used in later sections.

Fact 1. [26] Let C be an [n, k] linear code over $\mathbb{F}_q$ and let $C^\perp$ be the dual code
of C. Then $\{d_r(C) : 1 \le r \le k\} = \{1, 2, \ldots, n\} \setminus \{n + 1 - d_r(C^\perp) : 1 \le r \le n - k\}$.
We now define the term “chain condition”, which was introduced by Wei and
Yang [27]. We also state a few results related to the chain condition. For more
results on codes satisfying the chain condition, we refer the reader to [4,8,21].
Definition 1. Let C be an [n, k] linear code with $\{d_1(C), d_2(C), \ldots, d_k(C)\}$
as the GHWs of C. Suppose the code C has k linearly independent vectors
$X_1, X_2, \ldots, X_k$ over $\mathbb{F}_q$ satisfying $d_r(C) = \left|\bigcup_{i=1}^{r} \mathrm{Supp}\, X_i\right|$ for 1 ≤ r ≤ k.
Then the code C is said to satisfy the chain condition.
Fact 2. [27] If a linear code C satisfies the chain condition then so does its dual
code, $C^\perp$.
Fact 3. [27] Let C be an [n, k] linear code over $\mathbb{F}_q$ satisfying the chain condition.
Suppose the vectors $X_1, X_2, \ldots, X_k$ of C are linearly independent over $\mathbb{F}_q$ and
$d_r(C) = \left|\bigcup_{i=1}^{r} \mathrm{Supp}\, X_i\right|$ for 1 ≤ r ≤ k. Then, there exists a generator matrix G
of C having $X_i$ for 1 ≤ i ≤ k as its i-th row.
We now mention two results on the covering radius of codes.
Fact 4. [14] The [n, 1, n] code over $\mathbb{F}_q$ has covering radius $\left\lfloor \frac{n(q-1)}{q} \right\rfloor$.

Theorem 1. [12,13] Let C be an [n, k, d] linear code over $\mathbb{F}_q$. Then
$$R \le n - \sum_{i=1}^{k} \left\lceil \frac{d}{q^i} \right\rceil.$$

For 1 ≤ r ≤ k, we define $H_q(n, r, d) := n - \sum_{i=1}^{r} \left\lceil \frac{d}{q^i} \right\rceil$ and $g_q(r, d) := \sum_{i=1}^{r} \left\lceil \frac{d}{q^{i-1}} \right\rceil$. Also,
for fixed positive integers k and d, let $n_q(k, d)$ denote the smallest possible length
of any linear [n, k, d] code over $\mathbb{F}_q$. Then in Theorem 1, the bound $H_q(n, k, d)$
can be re-written either as
$$n - g_q(k, d) + d - \left\lceil \frac{d}{q^k} \right\rceil, \quad\text{or}\quad n - g_q(k + 1, d) + d, \quad\text{or}\quad n - g_q\!\left(k, \left\lceil \frac{d}{q} \right\rceil\right). \qquad (2)$$
The results that give conditions under which $g_q(\cdot, \cdot)$ in (2) can be replaced by
the function $n_q(\cdot, \cdot)$ are given in [12] and [20]. Indeed, $H_q(n, k, d)$ can be replaced
by $n - g_q(k, \lceil d/q \rceil)$ (see [20] for complete proofs).

3 Upper Bounds on the Covering Radius in Terms of GHWs
In this section, we find upper bounds on the covering radius of linear codes in
terms of their GHWs.
Let the generator matrix G of the code C be partitioned into
$$G = \begin{pmatrix} G_1 & 0 \\ A & G_2 \end{pmatrix}. \qquad (3)$$

With this notation, we state the next two lemmas. The proof of the first lemma
is immediate from the definition of covering radius and we give the proof of the
second for the sake of completeness.
Proposition 1. [14,23] Let C be a linear code with generator matrix as given
in (3). If, for i = 1, 2, the matrix Gi generates the code Ci , then

R(C) ≤ R(C1 ) + R(C2 ). (4)

Lemma 1. [18] Let C be a linear code with generator matrix as given in (3).
Suppose that for i = 1, 2, the matrix $G_i$ generates the code $C_i$, $\mathrm{rank}(G_1) = r$
and $|\mathrm{Supp}(G_1)| = d_r(C)$. Then the minimum distance of the code $C_2$, denoted
$d(C_2)$, satisfies
$$d(C_2) \ge d_{r+1} - d_r. \qquad (5)$$
Furthermore, if the code C satisfies the chain condition then equality is attained
in (5).

Proof. Let $x \in C_2$ be a codeword of minimum weight. Then by the definition of GHWs,
$d_{r+1}(C) \le |\mathrm{Supp}(G_1) \cup \mathrm{Supp}(x)| = d_r(C) + d(C_2)$. Hence, $d(C_2) \ge d_{r+1} - d_r$.
Furthermore, if C satisfies the chain condition, then by Fact 3, for the new
generator matrix G, $d_{r+1}(C) = d_r(C) + d(C_2)$. Thus, the result follows.

Let C be an [n, k, d] code over $\mathbb{F}_q$ with its weight hierarchy $\{d_1, d_2, \ldots, d_k\}$. For
1 ≤ r ≤ k, Helleseth et al. [11] defined the excess sequence $\{\varepsilon_1, \varepsilon_2, \ldots, \varepsilon_k\}$ and
the δ-sequence $\{\delta_1, \delta_2, \ldots, \delta_k\}$ of C, respectively, by
$$\varepsilon_r := d_r - g_q(r, d) \quad\text{and}\quad \delta_r := \left\lceil \frac{d}{q^{r-1}} \right\rceil, \qquad (6)$$
where $d = d_1(C)$. Using the observation $d_r - d_{r-1} \ge g_q(r, d) - g_q(r - 1, d)$, they
proved that $\varepsilon_r \ge \varepsilon_{r-1} \ge 0$ for 2 ≤ r ≤ k. By convention, let $\varepsilon_0 = \delta_0 = d_0 = 0$.
Then, we observe that
$$d_r - d_{r-1} = \varepsilon_r + g_q(r, d) - (\varepsilon_{r-1} + g_q(r - 1, d)) = \varepsilon_r - \varepsilon_{r-1} + \delta_r. \qquad (7)$$

The next result gives a bound on the covering radius of codes in terms of the
excess and the δ sequence. A preliminary proof of this result appeared in [18].

Theorem 2. Let C be an [n, k, d] code over $\mathbb{F}_q$ satisfying the chain condition.
Then with the convention $\varepsilon_0 = \delta_0 = d_0 = 0$, we have
$$R(C) \le \sum_{r=1}^{k} \left\lfloor \frac{(d_r - d_{r-1})(q-1)}{q} \right\rfloor = n - \sum_{r=1}^{k} \left\lceil \frac{d_r - d_{r-1}}{q} \right\rceil \qquad (8)$$
$$= n - \sum_{r=1}^{k} \left\lceil \frac{(\varepsilon_r - \varepsilon_{r-1}) + \delta_r}{q} \right\rceil \quad \text{follows from (7).} \qquad (9)$$

Proof. Without loss of generality, suppose C does not have a zero coordinate. We
use induction on the dimension of the subcode of C. For r = 1, the result follows
from Fact 4. Let the theorem be true for all subcodes $D_r$ with $\dim(D_r) = r$ for
1 ≤ r ≤ k − 1. Consider the subcode $D_{r+1}$. Since the code C satisfies the chain
condition, by Fact 3, the generator matrix of $D_{r+1}$ can be partitioned as in (3),
in such a way that $\dim(C_1) = r$, $|\mathrm{Supp}(D_r)| = d_r$ and $C_2$ is a linear code with
parameters $[d_{r+1} - d_r, 1, \ldots]$. So, by the induction hypothesis and Proposition 1,
$$R(C) \le R(C_1) + R(C_2) \le \sum_{i=1}^{r} \left\lfloor \frac{(d_i - d_{i-1})(q-1)}{q} \right\rfloor + R(C_2).$$
As the code satisfies the chain condition, using (5) and Fact 4, the result follows.


As an immediate corollary, we show that the bound $n - \sum_{r=1}^{k} \left\lceil \frac{(\varepsilon_r - \varepsilon_{r-1}) + \delta_r}{q} \right\rceil$ on
the covering radius is better than the bound on the covering radius given by
Theorem 1. We also denote this new bound by $CH_q(n, k, d_1, d_2, \ldots, d_k)$.

Corollary 1. Let C be an [n, k, d] code over $\mathbb{F}_q$ satisfying the chain condition.
Then
$$R(C) \le CH_q(n, k, d_1, d_2, \ldots, d_k) \le H_q(n, k, d). \qquad (10)$$
Furthermore, $CH_q(n, k, d_1, d_2, \ldots, d_k) = H_q(n, k, d)$ only if
$$\left\lceil \frac{(\varepsilon_r - \varepsilon_{r-1}) + \delta_r}{q} \right\rceil = \left\lceil \frac{\delta_r}{q} \right\rceil, \quad \forall\, r,\ 1 \le r \le k, \qquad (11)$$
i.e., only if $\varepsilon_r \le \varepsilon_{r-1} + (q - 1)$ for all r, 1 ≤ r ≤ k. In particular, for q = 2, the
necessary conditions for equality are: for 1 ≤ r ≤ k, $\varepsilon_r \le \varepsilon_{r-1} + 1$.

Proof. From Theorem 2 and (6), we get
$$R(C) \le n - \sum_{r=1}^{k} \left\lceil \frac{(\varepsilon_r - \varepsilon_{r-1}) + \delta_r}{q} \right\rceil \le n - \sum_{r=1}^{k} \left\lceil \frac{\delta_r}{q} \right\rceil = n - \sum_{r=1}^{k} \left\lceil \frac{1}{q} \left\lceil \frac{d}{q^{r-1}} \right\rceil \right\rceil = n - \sum_{r=1}^{k} \left\lceil \frac{d}{q^r} \right\rceil.$$
Hence, if $CH_q(n, k, d_1, d_2, \ldots, d_k) = H_q(n, k, d)$ then using (7), we have
$$\sum_{i=1}^{k} \left\lceil \frac{d}{q^i} \right\rceil = \sum_{r=1}^{k} \left\lceil \frac{(\varepsilon_r - \varepsilon_{r-1}) + \delta_r}{q} \right\rceil \le \sum_{r=1}^{k} \left\lceil \frac{\delta_r}{q} \right\rceil = \sum_{i=1}^{k} \left\lceil \frac{d}{q^i} \right\rceil.$$
Therefore, we get the required results.

The next two theorems are similar to Theorem 2. To prove them, we first need
to partition the generator matrix G of the code C as in (3) and then proceed on
the lines of Theorem 2. Thus, the proof is omitted.

Theorem 3. Let C be an [n, k, d] code over $\mathbb{F}_q$ with GHWs $\{d_1, d_2, \ldots, d_k\}$.
Then,
$$R(C) \le n - \max_{1 \le r \le k-1} \{ H_q(d_r, r, d_1) + H_q(n - d_r, k - r, d_{r+1} - d_r) \}. \qquad (12)$$

Theorem 4. Let C be an [n, k, d] code over $\mathbb{F}_q$ with GHWs $\{d_1, d_2, \ldots, d_k\}$.
Suppose we know that the code C partially satisfies the chain condition. That is,
for some l, 1 ≤ l ≤ k, we know $D_1 \subset D_2 \subset \cdots \subset D_l \subset C$ with $|\mathrm{Supp}(D_i)| = d_i$.
Then
$$R(C) \le n - \sum_{i=1}^{l} \left\lceil \frac{d_i - d_{i-1}}{q} \right\rceil - H_q(n - d_l, k - l, d_{l+1} - d_l). \qquad (13)$$

In Table 1, $GH_2(n, k, d_1, d_2, \ldots, d_k)$ denotes the expression on the right hand
side of (12) and $PCH_2(n, k, d_1, d_2, \ldots, d_k)$ denotes the expression on the right
hand side of (13).

4 Further Improvements
Let $U_q(n, k, d)$ (respectively, $U_q(n, k, d_1, d_2, \ldots, d_k)$) denote the best known upper
bound on the covering radius R of an arbitrary [n, k, d] linear code over $\mathbb{F}_q$
(respectively, with GHWs $\{d_1, d_2, \ldots, d_k\}$). Then $U_q(n, k, d) \le \min\{ H_q(n, k, d),\ n - n_q(k, \lceil d/q \rceil) \}$
and $U_q(n, k, d_1, d_2, \ldots, d_k) \le \min\{ GH_q(n, k, d_1, d_2, \ldots, d_k),\ U_q(n, k, d) \}$. Also, if we know
that R ≤ d, then $U_q(n, k, d) \le \min\{ H_q(n, k, d),\ n - n_q(k + 1, d) + d \}$. Therefore, from
Theorem 3, we have the following result.

Theorem 5.
$$R \le U_q(d_r, r, d_1, d_2, \ldots, d_r) + U_q(n - d_r, k - r, d_{r+1} - d_r).$$
Furthermore, if the code satisfies the chain condition, then the $GH_q(\cdot)$ function
can be replaced by the $CH_q(\cdot)$ function.

5 Some Applications
5.1 Existence of Chains
Remark 1. Let C be an [n, k] code with GHWs $\{d_1, d_2, \ldots, d_k\}$. Suppose that
$$n - \sum_{i=1}^{k} \left\lfloor \frac{(d_i - d_{i-1})(q-1)}{q} \right\rfloor < R(C).$$
Then the code C does not satisfy the chain condition, as this contradicts Theorem 2.
For example, consider the code C generated by the matrix
$$G = \begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 & 0 & 1 & 0 & 1 & 0 \\ 0 & 0 & 1 & 1 & 0 & 0 & 1 & 1 & 0 \end{pmatrix}$$
which (after permuting the columns) can be written as
$$G_1 = \begin{pmatrix} 1 & 1 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \end{pmatrix}.$$
Using the matrix $G_1$ one easily observes that the GHWs of C are {3, 6, 9}. The
code does not satisfy the chain condition as there do not exist vectors $X_1, X_2$
such that $|\mathrm{Supp}(X_1)| = 3$ and $|\mathrm{Supp}(X_1) \cup \mathrm{Supp}(X_2)| = 6$. Observe that the matrix G
is of the form $[C_1\,|\,C\,|\,C]$. Hence, from (3), R(C) = 4. Now bounding the covering
radius with Theorem 2, we get $R(C) \le 9 - \sum_{i=1}^{3} \left\lceil \frac{d_i - d_{i-1}}{2} \right\rceil = 9 - 6 = 3$, which
contradicts the actual value of the covering radius. Therefore, the code above
does not satisfy the chain condition.
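The bounds $H_q$ (Theorem 1) and $CH_q$ (Theorem 2) and the chain-condition check of Remark 1, as an added Python example that is not part of the paper: the GHW, covering-radius and chain searches are exhaustive and therefore only suitable for tiny codes, and the generator matrix used for R(1, 3) is the usual one for that Reed-Muller code.

```python
from itertools import combinations, product

# Added example (not from the paper): brute-force GHWs, covering radius and the
# bounds H_q (Theorem 1) and CH_q (Theorem 2) for small binary codes (q = 2),
# checked on the [9, 3] code of Remark 1 and on the Reed-Muller code R(1, 3).

def span(rows):
    """All codewords of the binary code generated by `rows` (tuples of 0/1)."""
    n = len(rows[0])
    words = set()
    for coeffs in product((0, 1), repeat=len(rows)):
        w = [0] * n
        for c, row in zip(coeffs, rows):
            if c:
                w = [a ^ b for a, b in zip(w, row)]
        words.add(tuple(w))
    return words

def support(words):
    """Supp(U): the coordinates where some word of U is non-zero."""
    return {i for w in words for i, bit in enumerate(w) if bit}

def generalized_hamming_weights(rows):
    """d_r = min |Supp(U)| over r-dimensional subcodes U, by exhaustive search."""
    nonzero = [w for w in span(rows) if any(w)]
    ghw = []
    for r in range(1, len(rows) + 1):
        best = None
        for basis in combinations(nonzero, r):
            if len(span(basis)) != 2 ** r:
                continue          # linearly dependent: not an r-dimensional subcode
            size = len(support(basis))
            if best is None or size < best:
                best = size
        ghw.append(best)
    return ghw

def covering_radius(rows):
    """R(C) = max over x in F_2^n of the distance from x to the nearest codeword."""
    code = span(rows)
    return max(min(sum(a != b for a, b in zip(x, c)) for c in code)
               for x in product((0, 1), repeat=len(rows[0])))

def satisfies_chain_condition(rows):
    """Look for X_1, ..., X_k with |Supp(X_1) u ... u Supp(X_r)| = d_r for every r."""
    ghw = generalized_hamming_weights(rows)
    nonzero = [w for w in span(rows) if any(w)]

    def extend(chain, supp):
        r = len(chain)
        if r == len(ghw):
            return True
        for w in nonzero:
            new_supp = supp | support([w])
            if len(new_supp) == ghw[r] and len(span(chain + [w])) == 2 ** (r + 1):
                if extend(chain + [w], new_supp):
                    return True
        return False

    return extend([], set())

def ceil_div(a, b):
    return -(-a // b)

def h_bound(n, k, d, q=2):
    """H_q(n, k, d) = n - sum_{i=1}^k ceil(d / q^i), the bound of Theorem 1."""
    return n - sum(ceil_div(d, q ** i) for i in range(1, k + 1))

def chain_bound(n, ghw, q=2):
    """CH_q = n - sum_r ceil((d_r - d_{r-1}) / q), with d_0 = 0: the bound of
    Theorem 2, which is only valid when the code satisfies the chain condition."""
    prev, total = 0, 0
    for d_r in ghw:
        total += ceil_div(d_r - prev, q)
        prev = d_r
    return n - total

# Generator matrix G of the [9, 3] code in Remark 1 (from the paper).
G_REMARK = [
    (1, 0, 0, 0, 1, 0, 0, 0, 1),
    (0, 1, 0, 1, 0, 1, 0, 1, 0),
    (0, 0, 1, 1, 0, 0, 1, 1, 0),
]

# Generator matrix of the Reed-Muller code R(1, 3), an [8, 4, 4] code.
RM_1_3 = [
    (1, 1, 1, 1, 1, 1, 1, 1),
    (0, 0, 0, 0, 1, 1, 1, 1),
    (0, 0, 1, 1, 0, 0, 1, 1),
    (0, 1, 0, 1, 0, 1, 0, 1),
]

if __name__ == "__main__":
    for name, rows in (("Remark 1 code", G_REMARK), ("R(1,3)", RM_1_3)):
        ghw = generalized_hamming_weights(rows)
        print(name, ghw, h_bound(len(rows[0]), len(rows), ghw[0]),
              chain_bound(len(rows[0]), ghw), covering_radius(rows), satisfies_chain_condition(rows))
```

For the Remark 1 code the chain bound 3 is below the true covering radius 4, which is exactly the contradiction the remark uses; for R(1, 3) both bounds give $2^{m-1} - 1 = 3$ and the chain search succeeds.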
We have seen that if $CH_q(n, k, d_1, d_2, \ldots, d_k) = H_q(n, k, d)$ then
$$\left\lceil \frac{(\varepsilon_r - \varepsilon_{r-1}) + \delta_r}{q} \right\rceil = \left\lceil \frac{\delta_r}{q} \right\rceil, \quad \forall\, r,\ 1 \le r \le k.$$
Hence we have the following lemma.

Lemma 2. Suppose that $CH_q(n, k, d_1, d_2, \ldots, d_k) = H_q(n, k, d)$. Then for each
r, 1 ≤ r ≤ k, the ε-sequence and the δ-sequence satisfy the following condition:
if $\delta_r \equiv t \pmod q$ for 0 ≤ t < q then $\varepsilon_r - \varepsilon_{r-1} \le q - t$.

Therefore, $CH_q(n, k, d_1, d_2, \ldots, d_k) \neq H_q(n, k, d)$ whenever the above condition
is violated for some r, 1 ≤ r ≤ k. For example, consider the Reed-Muller codes
R(u, m). It was shown (see [27]) that for all u and m, the codes R(u, m) satisfy
the chain condition. We also know (see [26]) that $d_r(R(1, m)) = 2^{m-1} + 2^{m-2} + \cdots + 2^{m-r}$
for 1 ≤ r ≤ m, and $d_{m+1}(R(1, m)) = 2^m$. Therefore $R(R(1, m)) \le 2^{m-1} - 1$. For this code,
it can be observed that
$$\left\lceil \frac{d_r - d_{r-1}}{2} \right\rceil = \left\lceil \frac{\delta_r}{2} \right\rceil, \quad \text{for all } r,\ 1 \le r \le k,$$
and thus $H_2(n, k, d) = CH_2(n, k, d_1, d_2, \ldots, d_k)$. But for q > 2, $CH_q(n, k, d_1, d_2, \ldots, d_k) < H_q(n, k, d)$
(using results from [7]).

5.2 GHWs and the Covering Radius of Cyclic Codes

Wei's original paper [26] on the topic led to a tremendous interest in GHWs. In
[17], we have given an efficient algorithm for computing the weight hierarchy of
cyclic codes. We use the results on the GHWs of cyclic codes from [17] to derive
tight upper bounds on the covering radii of cyclic codes of odd lengths ≤ 39
for which the function $H_2(\cdot)$ is strictly greater than the function $GH_2(\cdot)$. We
obtain good bounds because most of the cyclic codes in our list satisfy the chain
or the partial chain condition. The results are given in Table 1. We compare our
results with other known bounds listed in Section 2.
The covering radii of cyclic codes of lengths ≤ 64 and co-dimension ≤ 28
were computed in [3]. We use the tables given in [3] to show that the bounds
proved here come very close to equality for many cyclic codes. In fact, for 21 of
the 85 cyclic codes listed in Table 1, our bound attains equality.

Table 1. Comparisons of Various Bounds

Columns, in order: n, Sl.no., k, d1, ⌊n/2⌋, H2(·), n − n2(k, ⌈d/2⌉), GH2(·), CH2(·), R.

 n  Sl   k  d1  ⌊n/2⌋  H2  n−n2  GH2  CH2     R
 9   1   3   3   4     5     5    4   3=     3
15   3   9   3   7     5     5    4   4      3
15   5   8   4   7     6     6    5   5      4
15   8   7   3   7     7     7    6   5      3
15  12   5   3   7     9     9    8   5=     5
15  14   4   6   7     8     8    7   6=     6
15  15   3   5   7     9     9    7   6=     6
21   5  13   3  10     7     7    6   6P     3
21   7  12   4  10     8     8    7   7P     4
21  10  12   3  10     8     8    7   6      3
21  12  11   4  10     9     9    8   7      4
21  13  10   5  10     8     7    7   7P     6
21  14  10   4  10    10    10    9   8      4
21  16   9   4  10    11    11   10   9=     9
21  17   9   6  10     9     8    8   8P     5
21  18   9   3  10    11    11   10   7      5
21  19   8   6  10    10     9    9   9P     7
21  20   8   6  10    10     9    9   8      6
21  21   7   8  10    10     9    9   9      6
21  22   7   3  10    13    13   12   7=     7
21  23   6   8  10    11    10   10  10      9
21  24   6   6  10    12    11   11   8=     8
21  25   6   7  10    11    10    9   9      6
21  27   4   9  10    10    10    9   9      8
21  29   3   7  10    14    14   11   9=     9
27   1   9   3  13    17    17   16   9=     9
27   2   8   6  13    16    15   15  10=    10
27   3   7   6  13    17    16   14  11     10
27   4   6   6  13    18    17   15  12=    12
27   5   3   9  13    17    17   14  12=    12
31   9  16   7  15    11     9   10  10P     5
31  10  16   6  15    12    10   11  10      5
31  11  16   5  15    12    10   11  10      5
31  13  15   8  15    12    10   11  11P     7
31  14  15   6  15    13    11   12  11      9
31  15  15   8  15    12    10   11  11      6
31  19  11  10  15    13    11   12  12P     8
31  22  10  10  15    14    12   13  13P    11
33   1  23   3  16     9     9    8   7P     3
33   3  21   3  16    11    11   10   8      5
33   5  20   6  16    10     8    9   9P     6
33   7  13  10  16    13    11   12  12P     8
33   8  13   3  16    19    19   18  11      8
33   9  12  10  16    14    12   13  13     11
33  10  12   6  16    18    16   17  12      9
33  11  11  11  16    14    12   13  13P    10
33  12  11   3  16    21    21   20  11=    11
33  13  10  12  16    15    13   14  14P    11
33  14  10   6  16    20    19   19  12=    12
33  15   3  11  16    22    22   18  15=   ≥15
35   6  22   4  17    12    12   11  10      5
35   7  20   6  17    12    10   11  11P     5
35   9  19   6  17    13    11   12  12P     7
35  10  19   4  17    15    15   14  11      6
35  11  19   4  17    15    15   14  13      6
35  12  18   4  17    16    17   15  13      8
35  13  17   6  17    15    13   14  11      7
35  14  16   6  17    16    14   15  12P     8
35  15  16   7  17    15    13   14  13P     7
35  16  16   4  17    18    18   17  14      7
35  17  15   8  17    16   141   15  14P     9
35  18  15   4  17    19    19   18  15=    15
35  19  13   8  17    18    16   17  15      9
35  20  12   8  17    19    17   18  16     15
35  21  11   5  17    21    20   18  14     10
35  22  10  10  17    18    16   17  14     11
35  23   8   7  17    23    22   19  14     12
35  24   7  14  17    18    17   16  16     13
35  25   7   5  17    25    24   22  14=    14
35  26   6  10  17    22    19   19  15    ≥11
35  27   5   7  17    26    25   22  15=   ≥15
35  28   4  14  17    21    19   18  16    ≥15
35  29   4  15  17    20    20   17  16    ≥15
39   1  27   3  19    11    11   10   8      4
39   3  25   3  19    13    13   12  10      5
39   5  24   6  19    12    10   11  11      6
39   7  15  10  19    17    14   16  16     10
39   8  15   3  19    23    23   22  13      9
39   9  14  10  19    18    15   17  17     13
39  10  14   6  19    22    20   21  14     10
39  11  13  12  19    18    16   17  17     11
39  12  13   3  19    25    25   24  13=    13
39  13  12  12  19    19    17   18  17     15
39  14  12   6  19    24    22   23  14=    14
39  15   3  13  19    25    26   20  18=    18

The following abbreviations have been used:

– Sl.no. := if Sl.no. = l, then this code is the l-th cyclic code of length n listed in
[17].
– P := the particular code satisfies the partial chain condition up to a certain level.
In this case we use the bound $PCH_2(\cdot)$.
– = := the bound equals the actual value of the covering radius.
– $H_2(\cdot)$ := $H_2(n, k, d)$, Theorem 1.
– $GH_2(\cdot)$ := $H_2(n, k, d_1, d_2, \ldots, d_k)$, Theorem 3.
– $CH_2(\cdot)$ := bound derived using the chain or partial chain condition, Theorem 2.
– R := actual value of the covering radius computed in [3].

The bounds are computed from the values of GHWs of cyclic codes given in [17] and
the information regarding the chain condition.

For several examples of cyclic codes, our bounds improve other bounds that
have appeared in the literature, for example, those that depend upon the dual
distance, and those that use powerful results from algebraic geometry. As an
example, the GHWs of the dual of the three-error-correcting BCH code of
length 31 were determined in [17], and it turns out that it satisfies the partial
chain condition. So, for this example, our bound on the covering radius of
$BCH^\perp(3, 5)$ is 11 (in Table 1, this is the [31, 15, 8] code). This improves the
bound of 12 (for e = 3, m = 5) obtained by the following theorem of Tietäväinen
(see [2]). This bound was obtained by the use of powerful methods from algebraic
geometry:
Theorem 6. Let BCH(e, m) be an e-error-correcting BCH code of length $n = 2^m - 1$. Then
$$R(BCH^\perp(e, m)) \le 2^{m-1} - 1 - \left(\sqrt{e} - e^{1/e}\right)\sqrt{2^m - e - 2}.$$

Acknowledgment

The authors thank Prof. H.F. Mattson, Jr. for helpful comments on the paper.
The first author would like to thank Prof. T. Høholdt for enlightening discus-
sions.

References
1. Berlekamp, E.R., McEliece, R.J., van Tilborg, H.C.A.: On the Inherent Intractabil-
ity of Some Coding Problems. IEEE Trans. Inform. Theory 24(3), 384–386 (1996)
2. Cohen, G., Honkala, I., Litsyn, S., Lobstein, A.: Covering Codes. In: Sakata, S.
(ed.) AAECC-8. LNCS, vol. 508, pp. 173–239. Springer, Heidelberg (1991)
3. Dougherty, R., Janwa, H.: Covering Radius Computations for Binary Cyclic Codes.
Math. Comp. 57(195), 415–434 (1991)
4. Encheva, S., Kløve, T.: Codes Satisfying the Chain Condition. IEEE Trans. Inform.
Theory 40(1), 175–180 (1994)
5. Forney, G.D.: Dimension/Length Profiles and Trellis Complexity of Linear Block
Codes. IEEE Trans. Inform. Theory 40(6), 1741–1752 (1994)
6. Guruswami, V.: List Decoding From Erasures: Bounds and Code Constructions.
IEEE Trans. Inform. Theory 49(11), 2826–2833 (2003)
7. Heijnen, P., Pellikaan, R.: Generalized Hamming Weights of q-ARY Reed-Muller
Codes. IEEE Trans. Inform. Theory 44(1), 181–196 (1998)
8. Helleseth, T., Kløve, T., Ytrehus, Ø.: Codes, Weight Hierarchies, and Chains. In:
1992 ICCS/ISITA, Singapore, pp. 608–612 (1992)
9. Helleseth, T., Kløve, T., Ytrehus, Ø.: Generalized Hamming Weights of Linear
Codes. IEEE Trans. Inform. Theory 38(3), 1133–1140 (1992)
10. Helleseth, T., Kløve, T., Levenshtein, V.I., Ytrehus, Ø.: Bounds on the Minimum
Support Weights. IEEE Trans. Inform. Theory 41(2), 432–440 (1995)
11. Helleseth, T. , Kløve, T. , Levenshtein, V. I., Ytrehus, Ø.: Excess Sequences of
Codes and the Chain Condition. In: Reports in Informatics, no. 65, Department of
Informatics, University of Bergen (1993)

12. Janwa, H.: On the Optimality and Covering Radii of Some Algebraic Geometric
Codes. In: Workshop on Coding Theory, IMA, University of Minnesota (1988)
13. Janwa, H.: Some New Upper Bounds on the Covering Radius of Binary Linear
Codes. IEEE Trans. Inform. Theory 35, 110–122 (1989)
14. Janwa, H.: On the Covering Radii of q-ary Codes. In: 1990 ISIT, San Diego
15. Janwa, H.: Some Optimal Codes From Algebraic Geometry and Their Covering
Radii. Europ. J. Combinatorics 11, 249–266 (1990)
16. Janwa, H.: On the Covering Radii of AG Codes (preprint, 2007)
17. Janwa, H., Lal, A.K.: On the Generalized Hamming Weights of Cyclic Codes. IEEE
Trans. Inform. Theory 43(1), 299–308 (1997)
18. Janwa, H., Lal, A.K.: Bounds on the Covering Radii of Codes in Terms of Their
Generalized Hamming Weights. MRI (preprint, 1997)
19. Janwa, H., Lal, A.K.: Upper Bounds on the Covering Radii of Some Important
Classes of Codes Using Their Generalized Hamming Weights (preprint, 2007)
20. Janwa, H., Mattson Jr., H.F.: Some Upper Bounds on the Covering Radii of Linear
Codes over Fq and Their Applications. Designs, Codes and Cryptography 18(1-3),
163–181 (1999)
21. Kløve, T.: Minimum Support Weights of Binary Codes. IEEE Trans. Inform. The-
ory 39(2), 648–654 (1993)
22. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes. North-
Holland, Amsterdam (1977)
23. Mattson Jr., H.F.: An Improved Upper Bound on Covering Radius. In: Poli, A.
(ed.) AAECC-2. LNCS, vol. 228, pp. 90–106. Springer, Heidelberg (1986)
24. Ozarow, L.H., Wyner, A.D.: Wire-Tap Channel-II. AT & T Bell Labs Tech J. 63,
2135–2157 (1984)
25. Pless, V.S., Huffman, W.C., Brualdi, R.A.: An Introduction to Algebraic Codes.
In: Pless, V.S., Huffman, W.C. (eds.) Handbook of Coding Theory, pp. 3–139.
Elsevier, Amsterdam (1998)
26. Wei, V.K.: Generalized Hamming Weights for Linear Codes. IEEE Trans. Inform.
Theory 37(5), 1412–1418 (1991)
27. Wei, V.K., Yang, K.: The Generalized Hamming Weights for Product Codes. IEEE
Trans. Inform. Theory 39(5), 1709–1713 (1993)
28. Yang, K., Kumar, P.V., Stichtenoth, H.: On the Weight Hierarchy of Geometric
Goppa Codes. IEEE Trans. Inform. Theory 40(3), 913–920 (1994)
Homomorphic Encryptions of Sums of Groups

Akihiro Yamamura

National Institute of Information and Communications Technology,
4-2-1, Nukui-Kitamachi, Koganei, Tokyo, 184-8795 Japan
[email protected]

Abstract. We examine the mechanism of homomorphic encryptions
based on the subgroup membership problem. Using the mechanism, we
construct a homomorphic encryption of a direct sum of groups.

1 Introduction

A mapping between algebraic systems is called a homomorphism if it preserves
the algebraic structures. In cryptography, trapdoor one-way homomorphisms
between cyclic groups have been studied and applied to many cryptographic
protocols. Such encryptions include the ElGamal, Goldwasser-Micali, Paillier and
Okamoto-Uchiyama cryptosystems, among others [2,4,5]. Homomorphic encryptions share
many similarities; however, no uniform mechanism has been presented so far.
In this paper, we study homomorphic encryptions from the standpoint of group
theory; in particular, we use split exact sequences and the subgroup membership
problem to explain the mechanism, constructions and the indistinguishability
of homomorphic encryptions. We then construct a homomorphic encryption
of a direct sum of groups. Algebraic structure is useful to encrypt structured
data and relations among the data, and direct sums of cyclic groups possess
richer structure than cyclic groups. Therefore, applications of homomorphic
encryptions of direct sums of groups go beyond those of encryptions between cyclic
groups. For example, a general n-cryptographic counter
can be constructed using a homomorphic encryption of a direct sum of n cyclic
groups.
Our first contribution in this paper is to explain the mechanism of homomorphic
encryptions using a uniform design via exact sequences and the subgroup
membership problem. This approach simplifies the mechanism of numerous
homomorphic encryptions and enables us to explain the functionality of homomorphic
encryptions in a mathematically sound way. Furthermore, the mechanism is wide
enough to include encryptions whose set of plaintexts is a direct sum of groups.
The second contribution is to construct a homomorphic encryption whose set of
plaintexts is a direct sum of groups. The encryption satisfies IND-CPA provided
the corresponding subgroup membership problem is intractable. We also define
an operation among several encryption functions; it gives a way to create a
new encryption function from old ones such that the new one is closely
related to the old ones.

S. Boztaş and H.F. Lu (Eds.): AAECC 2007, LNCS 4851, pp. 357–366, 2007.

c Springer-Verlag Berlin Heidelberg 2007

2 Mechanism of Homomorphic Encryptions

We describe the mechanism of homomorphic encryption functions. First, we recall
that a sequence of homomorphisms $1 \to H \xrightarrow{\delta} G \xrightarrow{d} P \to 1$ is called
exact if the kernel $\mathrm{Ker}\, d$ coincides with the image $\mathrm{Im}\, \delta$. Following the mathematical
convention, "1" stands for the trivial subgroup {1}. If the group operation
is additive, we may denote it by 0. Note that $\delta : H \to G$ is an embedding and
$d : G \to P$ is surjective. Furthermore, if there exists a homomorphism $\varepsilon : P \to G$
such that $d \circ \varepsilon$ is the identity mapping of P, then we say that the exact sequence
splits. In such a case, G is isomorphic to a semidirect product of H by P.
Let k be the security parameter. For the input $1^k$, a probabilistic polynomial
time algorithm IG, called an instance generator, outputs the description of
a finite group P, the description of a finite group G, the description of a
subgroup H of G, the pair of public and private keys, and the description
of a probabilistic algorithm SAM, called a sampling algorithm, that chooses
randomly and uniformly an element of H. Elements in G and P are represented
by binary strings, and operations in the groups, multiplication and taking
inverses, are efficiently computable. The subgroup H is called the subgroup of
randomizers. The group P is called the group of plaintexts. The encoder $\varepsilon$ is
an isomorphism of P into G, and there is an algorithm to compute $\varepsilon$ efficiently
with the public key. The decryption function d is a homomorphism of G onto P
such that $d \circ \varepsilon = \mathrm{id}_P$ and its kernel $\mathrm{Ker}\, d$ coincides with H. Furthermore, d is
efficiently computable with the private key. In such a case, by basic algebra,
we have a split exact sequence $1 \to H \xrightarrow{\delta} G \xrightarrow{d} P \to 1$ with section $\varepsilon$. Then $G = H\varepsilon(P)$
and $H \cap \varepsilon(P) = 1$. This implies that G is a semidirect product of H and $\varepsilon(P)$.
Furthermore, $G = \varepsilon(P) \times H \cong P \times H$ and $P \cong G/H$, and $\varepsilon(P)$ is a set of
representatives of H in G, that is, $G = \varepsilon(m_0)H \cup \varepsilon(m_1)H \cup \cdots \cup \varepsilon(m_n)H$,
where $P = \{m_0, m_1, \ldots, m_n\}$ (if P is finite).

Encryption: The encryption function e is computed by
$$e(m) = \varepsilon(m)\, r, \qquad (1)$$
where r is an output of SAM and m is a plaintext in P. We note that each
coset $\varepsilon(m)H$ is the set of ciphertexts of the plaintext m. This means that e
can be considered a probabilistic algorithm choosing an element randomly and
uniformly from $\varepsilon(m)H$ for each plaintext m ∈ P.

Decryption: The decryption is done just by computing d provided the private
key (secret information) is given. Since $\mathrm{Ker}\, d$ coincides with H and $d \circ \varepsilon = \mathrm{id}_P$,
we have $d(e(m)) = d(\varepsilon(m)\, r) = d(\varepsilon(m))\, d(r) = \mathrm{id}_P(m) = m$ for every plaintext
m ∈ P. Hence, d decrypts the ciphertext e(m). Note that we need the private
key to compute d.

Assumption: Let G be a group, and let H be its subgroup. The membership
problem is to decide whether or not a given element g in G belongs to H. A
computation problem is called intractable if no efficient algorithm exists. The
efficiency is characterized by the asymptotic behavior of an algorithm with respect
to the size of the input. For the input $1^k$, where k is the security parameter, a
probabilistic polynomial time algorithm IG outputs the description of a group
G, the description of a subgroup H of G and the trapdoor that provides a
polynomial time algorithm for the subgroup membership problem of H in G. The
algorithm IG is called the instance generator. Every element of G is represented
as a binary sequence of length k. Computation of the multiplication in G is
performed in polynomial time in k. The predicate for the membership of a
subgroup is denoted by Mem, that is, Mem is defined by Mem(G, H, x) = 1 if x ∈ H
and 0 otherwise, where IG outputs the pair (G, H) for $1^k$ and x is in G. The
subgroup membership problem is to compute Mem in polynomial time in k when
we input $1^k$ and obtain a pair of groups (G, H) and an element g in G, which
is uniformly and randomly chosen from H or G \ H according to the coin toss
$b \xleftarrow{R} \{0, 1\}$. If there does not exist a probabilistic polynomial time algorithm
that computes Mem with a probability substantially larger than 1/2, then we say
that the membership problem is intractable. It is shown in [9] that the quadratic
residue problem and the decision Diffie-Hellman problem can be characterized
as subgroup membership problems. We briefly review these two problems.

Quadratic Residue Problem: Let p, q be primes. Set N = pq. The primes
p and q are the trapdoor information for the quadratic residue problem; on the
other hand, the integer N is public information. Let G be the subgroup
of $(\mathbb{Z}/(N))^*$ consisting of the elements whose Jacobi symbol is 1, and let
H be the subgroup of G consisting of the quadratic residues in G, that is,
$H = \{x \in G \mid x = y^2 \bmod N \text{ for some } y \in (\mathbb{Z}/(N))^*\}$. The quadratic residue
problem (QR for short) of H in G is to decide whether or not a given element
g ∈ G belongs to H. We can effectively determine the membership of g in
H provided that the information p and q is available. No polynomial time
algorithm is known for the membership of a randomly chosen element of G in
H without the information p and q. Hence, if we define an instance generator
for the QR problem as a probabilistic algorithm that outputs two primes p and
q of size k and a quadratic non-residue h whose Jacobi symbol is 1 for the
input $1^k$, then the QR problem is considered as a subgroup membership problem.

Decision Diffie-Hellman Problem: Let C be a cyclic group of prime order
p. Let g be a generator of C. The decision Diffie-Hellman problem (DDH for
short) is to decide whether or not $h_2 = g_2^a$ for the given quadruple $(g_1, h_1, g_2, h_2)$
of elements in C with $h_1 = g_1^a$ for some 1 ≤ a ≤ p − 1. If so, we say that
$(g_1, h_1, g_2, h_2)$ is a Diffie-Hellman quadruple. The integer a is the trapdoor of
the DDH problem. Knowing the trapdoor a, we can efficiently decide whether
or not $h_2 = g_2^a$. Now we set G to be the direct product C × C. Then the
input to the DDH problem is (x, y) where x, y ∈ G, that is, $x = (g_1, h_1)$ and
$y = (g_2, h_2)$. It is obvious that $(g_1, h_1, g_2, h_2)$ is a Diffie-Hellman quadruple if
and only if y belongs to the subgroup $\langle x \rangle$ of G generated by x. It follows
that the DDH problem for the cyclic group C is equivalent to the subgroup
membership problem of the group $H = \langle x \rangle$, where $x = (g_1, g_1^a)$, in the group
$G = C \times C = \langle g_1 \rangle \times \langle g_1 \rangle$.

Fig. 1. Exact Sequence and Mechanism of Homomorphic Encryption

Homomorphic Property: For any ciphertexts $c_1 = \varepsilon(m_1)\, r_1$ and $c_2 = \varepsilon(m_2)\, r_2$,
where $r_1, r_2$ are outputs of SAM and $m_1, m_2$ are plaintexts in P, we have
$c_1 c_2 = \varepsilon(m_1)\, r_1\, \varepsilon(m_2)\, r_2 = \varepsilon(m_1 m_2)\, r_1 r_2$ since $\varepsilon$ is a homomorphism. Note also
that $r_1 r_2 \in H$. Therefore, $c_1 c_2$ belongs to $\varepsilon(m_1 m_2)H$ and it is a ciphertext of
$m_1 m_2$. Thus the encryption function e is homomorphic. In the language of group
theory, the homomorphic property is a natural consequence of the fact that the quotient
G/H forms a group, that is, $c_1 H \cdot c_2 H = c_1 c_2 H$ for all cosets $c_1 H, c_2 H$.
We summarize the mechanism of a homomorphic encryption in Fig. 1. The
decryption d can be efficiently computed provided that the private key is given.

ElGamal Encryption: Let C = ⟨g⟩ be a cyclic group of prime order p.
Let P = C and G = C × C. The encoder ε is defined to be the function
m → (1, m) ∈ G. It is clear that ε is an isomorphism of P into G. Suppose that
the public key for the ElGamal encryption is (g, g^b), where b is uniformly and
randomly chosen. Let H = ⟨(g, g^b)⟩ be the subgroup of G generated by the element
(g, g^b). We note that ε(P) ∩ H = 1 and G = ε(P)H. Recall that a ciphertext
of m ∈ P is e(m) = (g^a, g^{ab} m) = (1, m)(g, g^b)^a = ε(m)r, where r = (g, g^b)^a
is randomly and uniformly chosen from the subgroup H of randomizers,
that is, a is randomly chosen, and e(m) belongs to ε(m)H. Since ε is an
isomorphism, the encryption is homomorphic, that is, e(m1 m2) = e(m1)e(m2),
or ε(m1 m2)H = ε(m1)H ε(m2)H. The decryption d : G → P is defined by
(g^x, g^y) → g^{−xb} g^y. Clearly d is a homomorphism. Moreover, it is easy to see
that Ker d is H and d ∘ ε = id_P. Hence, we have the split exact sequence
1 −→ ⟨(g, g^b)⟩ −→ C × C −→ C −→ 1. We recall that the semantic security of
the ElGamal is equivalent to the DDH problem [7].
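The following is an added example, not code from the paper: ElGamal written in exactly the shape just described (encoder ε, randomizer subgroup H, decryption d) over a toy group, so that the claims d ∘ ε = id_P, Ker d = H and the homomorphic property can be checked by enumeration. The toy parameters (C = the order-11 subgroup of (Z/23)^* generated by 4) and all function names are my own choices.

```python
import random

P_MOD = 23   # toy prime modulus; 22 = 2 * 11, so (Z/23)^* has a subgroup of order 11
Q = 11       # prime order p of the cyclic group C
G_GEN = 4    # 4 = 2^2 generates the order-11 subgroup C of (Z/23)^*


def subgroup_C():
    # C = <g> as a sorted list of residues
    return sorted({pow(G_GEN, i, P_MOD) for i in range(Q)})


def gmul(x, y):
    # multiplication in G = C x C (componentwise mod P_MOD)
    return (x[0] * y[0] % P_MOD, x[1] * y[1] % P_MOD)


def keygen(rng):
    # public key (g, g^b), private key b
    b = rng.randrange(1, Q)
    return (G_GEN, pow(G_GEN, b, P_MOD)), b


def encoder(m):
    # epsilon: P -> G, m -> (1, m); an injective homomorphism
    return (1, m % P_MOD)


def sample_randomizer(pk, rng):
    # SAM: uniform element of H = <(g, g^b)>, namely (g, g^b)^a for random a
    g, gb = pk
    a = rng.randrange(Q)
    return (pow(g, a, P_MOD), pow(gb, a, P_MOD))


def encrypt(pk, m, rng):
    # e(m) = epsilon(m) * r = (g^a, g^{ab} m)
    return gmul(encoder(m), sample_randomizer(pk, rng))


def decrypt(b, c):
    # d: (g^x, g^y) -> g^{-xb} g^y; the exponent -b is reduced mod Q since |g| = Q
    gx, gy = c
    return pow(gx, (-b) % Q, P_MOD) * gy % P_MOD


def randomizer_subgroup(pk):
    # H = <(g, g^b)> listed explicitly (Q elements)
    g, gb = pk
    return {(pow(g, a, P_MOD), pow(gb, a, P_MOD)) for a in range(Q)}


def kernel_of_d(b):
    # Ker d, found by enumeration over the 121 elements of C x C
    C = subgroup_C()
    return {(x, y) for x in C for y in C if decrypt(b, (x, y)) == 1}


def demo(seed=1):
    rng = random.Random(seed)
    pk, b = keygen(rng)
    m1, m2 = 9, 16                                   # both lie in C = <4> mod 23
    c1, c2 = encrypt(pk, m1, rng), encrypt(pk, m2, rng)
    roundtrip = decrypt(b, c1) == m1 and decrypt(b, c2) == m2
    product = decrypt(b, gmul(c1, c2))               # homomorphic: m1*m2 mod 23 = 6
    section = all(decrypt(b, encoder(m)) == m for m in subgroup_C())   # d o eps = id_P
    kernel_is_H = kernel_of_d(b) == randomizer_subgroup(pk)            # Ker d = H
    return roundtrip, product, section, kernel_is_H
```

Because the kernel of d is exactly H, two ciphertexts of the same plaintext differ by an element of H, which is why a distinguisher for membership in H is all that separates e(m) from a random element of ε(m)G; that is the content of the reduction to DDH cited above.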

Goldwasser-Micali Encryption: Let G be the subgroup of (Z/(N))^∗, where
N = pq, consisting of the elements whose Jacobi symbol is 1, and H be the
subgroup of G consisting of quadratic residues of G. Goldwasser-Micali encryption
[2] is characterized as follows. Let P be the cyclic group of order two, that
is, (Z/2, +). The encoder ε : P → G is defined by m → g^m, where g is an
element of G \ H and the public key. The decryption d : G → P is defined by
d(x) = 0 if x ∈ H and d(x) = 1 otherwise. The message m ∈ P is encrypted
to be e(m) = g^m r = ε(m)r, where r is uniformly and randomly chosen from H.
Clearly d is a homomorphism. Moreover, evidently Ker d is H and d ∘ ε = id_P.
Hence, we have the split exact sequence 1 −→ G^2 −→ G −→ (Z/2, +) −→ 0. We
recall that the semantic security of the Goldwasser-Micali is equivalent to the
quadratic residue problem [2].
The textbook RSA has the homomorphic property, that is, e(m1 m2) =
(m1 m2)^e = m1^e m2^e = e(m1)e(m2). In this case, the space of plaintexts does not
form a group unless the user restricts the domain of the plaintexts to (Z/n)^∗.
Instead, usually the domain of the plaintexts is just the semigroup Z/n. Thus,
the textbook RSA is not characterized as the scheme above.

3 Homomorphic Encryptions of Sums of Groups

In this section we introduce a homomorphic encryption whose group of plaintexts
is a direct sum of more than one cyclic group with distinct prime orders,
following the design of the encryption (1). The trivial method to construct
encryptions of direct sums of groups is to concatenate several simple homomorphic
encryptions based on cyclic groups. Ciphertexts of such encryptions can be easily
tampered with. For example, it is quite easy to exchange a part of the ciphertext for
another ciphertext without the private key, whereas it is hard to alter a ciphertext
in the proposed scheme. In addition, we shall construct a new encryption
e1 ⊗ e2 from two encryptions e1 and e2 in Section 4. This property is desirable
for some applications such as electronic voting schemes.
We note that a finitely generated abelian group is a direct sum of a finite number
of cyclic groups. In particular, a finite abelian group is a direct sum of a finite
number of cyclic groups of finite order.

3.1 Okamoto-Uchiyama Logarithmic Function

Let us recall the logarithmic function L_p introduced by Okamoto and Uchiyama
[4]. Suppose that p is a prime number of size k. Let Γ_p be the p-Sylow subgroup
of the group (Z/(p^2))^∗ of units, that is, Γ_p is the maximal subgroup whose order
is a power of p. The group (Z/(p^2))^∗ has order φ(p^2) = p(p − 1). Thus (Z/(p^2))^∗ is
an internal direct sum of Γ_p and the subgroup of order p − 1. Since the mapping
x (mod p^2) → x (mod p) is a homomorphism of (Z/p^2)^∗ onto (Z/p)^∗, we have
(Z/p^2)^∗/Γ_p ≅ (Z/p)^∗. Therefore, the subgroup of order p − 1 is isomorphic to
(Z/(p))^∗ and so it is cyclic. On the other hand, Γ_p has order p and so it is cyclic.
It follows that (Z/(p^2))^∗ is cyclic because p and p − 1 are coprime.
We next show that if x ≡ 1 (mod p), then we have x^p ≡ 1 (mod p^2). Suppose
x ≡ 1 (mod p). Then x = cp + 1 for some c in Z. We have

$$x^p = (cp + 1)^p = \sum_{i=0}^{p} \binom{p}{i} (cp)^{p-i}.$$

Hence, x^p = dp^2 + 1 for some d in Z. It follows that
x^p ≡ 1 (mod p^2) and Γ_p = {x ∈ (Z/(p^2))^∗ | x ≡ 1 (mod p)}. Suppose now that
x is an element of Γ_p. Then x ≡ 1 (mod p) and so there uniquely exists an
integer a such that x − 1 = ap. We define a mapping L_p by L_p(x) = a (mod p).
Then L_p is a well-defined mapping of Γ_p into the additive group (Z/(p), +).
Furthermore, L_p is an isomorphism of Γ_p onto (Z/(p), +), that is, we have
L_p(ab) ≡ L_p(a) + L_p(b) (mod p) for a, b in Γ_p. In particular, we have L_p(y) =
m L_p(x) for every x, y in Γ_p with y = x^m (m ∈ Z/(p)). Hence, m = L_p(y) L_p(x)^{−1}
unless L_p(x) = 0. Note that L_p(x) = 0 if and only if x is the identity element of Γ_p.
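As an added example (not part of the paper), the function L_p and the facts just stated, checked exhaustively for a toy prime: Γ_p is enumerated directly, L_p is verified to be an isomorphism Γ_p → (Z/p, +), every element of Γ_p has order dividing p, and a "discrete logarithm" inside Γ_p is recovered as L_p(y) L_p(x)^{−1}. Function names are my own.

```python
def gamma_p(p):
    # Gamma_p = {x in (Z/p^2)^* : x = 1 (mod p)}, enumerated for a toy prime
    return [x for x in range(1, p * p) if x % p == 1]


def L(p, x):
    # Okamoto-Uchiyama logarithm: x = 1 + a*p (mod p^2)  ->  a (mod p)
    x %= p * p
    if x % p != 1:
        raise ValueError("x is not in Gamma_p")
    return ((x - 1) // p) % p


def is_homomorphism(p):
    # L_p(ab) = L_p(a) + L_p(b) (mod p) for all a, b in Gamma_p
    pp = p * p
    elems = gamma_p(p)
    return all(L(p, a * b % pp) == (L(p, a) + L(p, b)) % p
               for a in elems for b in elems)


def is_bijection(p):
    # L_p hits every residue mod p exactly once, so it is an isomorphism
    return sorted(L(p, x) for x in gamma_p(p)) == list(range(p))


def all_have_order_dividing_p(p):
    # x = 1 (mod p) implies x^p = 1 (mod p^2), the binomial argument above
    return all(pow(x, p, p * p) == 1 for x in gamma_p(p))


def gamma_log(p, x, y):
    # m with y = x^m in Gamma_p, recovered as L_p(y) * L_p(x)^{-1} mod p
    lx = L(p, x)
    if lx == 0:
        raise ValueError("x is the identity of Gamma_p; no unique logarithm")
    return L(p, y) * pow(lx, -1, p) % p


def fermat_lift(p, h):
    # h^(p-1) lies in Gamma_p for any unit h (this is how the scheme below
    # manufactures public-key elements of order p)
    return pow(h, p - 1, p * p)
```

The efficiency of the trapdoor rests on the fact that L_p is a division, not a search: once z ∈ Γ_p is known, a is read off as (z − 1)/p, so nothing of the size of p has to be enumerated.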

3.2 Proposed Scheme

We construct a homomorphic public key encryption whose plaintexts form the
group Z/p1 ⊕ Z/p2 ⊕ · · · ⊕ Z/ps, where the pi are distinct primes of the same size.
We discuss only the case that s = 2; the group P of plaintexts is Z/p1 ⊕ Z/p2,
where p1 and p2 are primes of the same size, say |p1| = k = |p2|. We may assume
that p1 is not a prime factor of p2 − 1 and p2 is not a prime factor of p1 − 1 without
loss of generality. The construction of an encryption for s > 2 is an immediate
generalization of the case for s = 2. We set n = p1 × p2 and then |n| = 2k. For an
input 1^k, the instance generator IG outputs the descriptions of groups G, H, P,
the sampling algorithm SAM of H, the encoder ε and the decryption function
d as well as public keys and private keys. The groups G, H, P are defined to be
G = (Z/n^2)^∗, H = G^n = {x^n | x ∈ G}, P = Z/p1 ⊕ Z/p2, respectively. The pair
(p1, p2) of the primes is the private key of the encryption. A public key is an
ordered pair (g1, g2) ∈ G × G such that the order of g1 (mod p1^2) is p1 and the
order of g2 (mod p2^2) is p2. Note that G ≅ (Z/p1^2)^∗ × (Z/p2^2)^∗ and that (Z/p1^2)^∗
and (Z/p2^2)^∗ are the cyclic groups of order p1(p1 − 1) and p2(p2 − 1), respectively.
We also note that P = Z/p1 ⊕ Z/p2 ≅ (Z/n, +).
Key Generation: A public key (g1, g2) is established as follows. For primes p1
and p2, we find elements g1, g2 ∈ G such that |g1 (mod n^2)| = p1 and |g2 (mod
n^2)| = p2. Then we set (g1, g2) as a public key of the encryption. First, we choose
randomly hi ∈ Z/pi^2. Then we make sure that hi ∈ (Z/pi^2)^∗ by checking that
hi is not divisible by pi. Second, we check whether hi^{pi−1} ≠ 1 (mod pi^2). If so, then
the order of hi^{pi−1} (mod pi^2) is pi. Third, using the Chinese remainder theorem
algorithm, we obtain gi ∈ (Z/n^2)^∗ (i = 1, 2) such that g1 = h1^{p1−1} (mod p1^2), g1 =
1 (mod p2^2), g2 = h2^{p2−1} (mod p2^2), and g2 = 1 (mod p1^2). Then (g1, g2) satisfies
|g1 (mod n^2)| = p1 and |g2 (mod n^2)| = p2 and is a public key of the encryption.

Sampling Algorithm: A sampling algorithm SAM is given as follows. Pick
randomly and uniformly an element r0 from G = (Z/n^2)^∗. We set r = r0^n. This
gives the probabilistic algorithm choosing an element from H = G^n uniformly
and randomly.

Encoder: Recall that the set of plaintexts is P = Z/p1 ⊕ Z/p2. Suppose (g1, g2)
is a public key. The encoder ε : P → G is given by ε(x1, x2) = g1^{x1} g2^{x2} for
(x1, x2) ∈ Z/p1 ⊕ Z/p2. Note that the orders of g1 and g2 are p1 and p2, respectively.
Thus ε is well-defined.

Encryption: Suppose (m1, m2) is a plaintext in P (m1 ∈ Z/p1, m2 ∈ Z/p2).
The sampling algorithm SAM randomly and uniformly chooses an element r
from H. Using the encryption (1), we make a ciphertext e(m1, m2) by

e(m1, m2) = ε(m1, m2) r = g1^{m1} g2^{m2} r . (2)
Decryption: We now give the decryption function d : G → P. Take an arbitrary
element z from the group G. Then a mapping d of G into P = Z/p1 ⊕ Z/p2 is
defined by

$$d(z) = \left( \frac{L_{p_1}\!\left(z^{(p_1-1)p_2(p_2-1)} \bmod p_1^2\right)}{L_{p_1}\!\left(g_1^{(p_1-1)p_2(p_2-1)} \bmod p_1^2\right)},\; \frac{L_{p_2}\!\left(z^{p_1(p_1-1)(p_2-1)} \bmod p_2^2\right)}{L_{p_2}\!\left(g_2^{p_1(p_1-1)(p_2-1)} \bmod p_2^2\right)} \right). \qquad (3)$$

It is routine to see that d ∘ ε is the identity mapping of P.
Take an arbitrary element z ∈ H = G^n. Then z = w^n for some w ∈ G. Since
the order of G is p1(p1 − 1)p2(p2 − 1), we have z^{(p1−1)(p2−1)} = w^{n(p1−1)(p2−1)} =
w^{p1(p1−1)p2(p2−1)} = 1. This implies that d ∘ δ is the trivial mapping, that is,
d(δ(z)) = (0 (mod p1), 0 (mod p2)) for every z ∈ G^n, and so Im δ ⊂ Ker d.
Let us now show the converse. Take z from Ker d. Since G is a direct product of
(Z/p1^2)^∗ and (Z/p2^2)^∗, there are generators f1, f2 of G such that |f1| = p1(p1 − 1)
and |f2| = p2(p2 − 1). Then we have z = f1^a f2^b for some a, b. Since d(z) = (0, 0),
we have L_{p1}(f1^{a(p1−1)}) = 0 and so (f1^{p1−1})^a = f1^{a(p1−1)} = 1. This implies p1 | a
since |f1^{p1−1}| = p1. Similarly we have p2 | b. Then z = f1^a f2^b = f1^{c1 p1} f2^{c2 p2} for
some c1, c2. Note that |f1^{p1}| = p1 − 1 and that p1 − 1 and p2 are coprime. Hence,
GCD(p1(p1 − 1), p1 p2) = p1 and so p1 = α p1(p1 − 1) + β n for some α, β.
Then f1^{βn} = f1^{α p1(p1−1)} f1^{βn} = f1^{p1}. Similarly f2^{γn} = f2^{p2} for some γ.
Consequently, we have z = f1^{c1 p1} f2^{c2 p2} = (f1^{c1 β} f2^{c2 γ})^n ∈ Im δ. Recall that δ is
the inclusion of G^n into G. Therefore, we have Im δ = Ker d. Now we have
the exact sequence 1 −→ ((Z/n^2)^∗)^n −δ→ (Z/n^2)^∗ −d→ P −→ 0, where δ
is the inclusion of ((Z/n^2)^∗)^n into (Z/n^2)^∗, and d is the homomorphism of
(Z/n^2)^∗ onto Z/p1 ⊕ Z/p2 defined above. On the other hand, ε is defined by
ε(x1 (mod p1), x2 (mod p2)) = g1^{x1} g2^{x2} for (x1, x2) ∈ Z/p1 ⊕ Z/p2. As shown in
Section 2, e is a homomorphic encryption of Z/p1 ⊕ Z/p2. It is also clear that
d can be efficiently computed provided that the private key (p1, p2) is given.

3.3 Security
For an asymmetric key encryption, the indistinguishability under chosen plaintext
attack (IND-CPA) [2], which is a standard requirement for encryption,
is defined below. An adversary is modeled by a probabilistic polynomial time
Turing machine, that is, the adversary participates in the game and yields a
guess after polynomial time computation. The challenger generates a key pair
(PK, SK) of public and private keys based on a security parameter k and
publishes the public key PK to the adversary. On the other hand, the challenger
does not publish the private key SK. The adversary is allowed to perform
encryptions or other operations for its strategy to win the game. Eventually, the
adversary submits two distinct chosen plaintexts m0 and m1 to the challenger.
The challenger chooses a bit b ∈ {0, 1} uniformly and randomly, and sends the
ciphertext c = e(PK, mb) to the adversary. The bit b is kept secret from the
adversary. The adversary is allowed to perform additional computations to guess
the bit b. Finally, it answers a guess for b. A cryptosystem is called
indistinguishable under chosen plaintext attack (IND-CPA) if every probabilistic polynomial
time adversary has only a negligible advantage over random guessing, that is,
if no adversary wins the game with probability significantly larger than 1/2. The
indistinguishability of the proposed encryption (2) is equivalent to the subgroup
membership problem of the subgroup H of randomizers in G. We sketch the
proof; the detailed proof will be given in the full version of the paper.

Theorem 1. The proposed encryption e given by (2) satisfies IND-CPA if and
only if the subgroup membership problem of H in G is intractable.

Sketch of Proof. Suppose there exists an adversary who can attack the encryption
with non-negligible probability. This implies that there exists a pair m1, m2
of messages in P such that the adversary can distinguish a ciphertext e(mb).
Following the proof for the indistinguishability of ElGamal by Tsiounis and Yung
[7], we use the Hoeffding inequality to obtain a message m = (x1, x2) ∈ P whose
encrypted message can be distinguished from an encrypted message of a
uniformly and randomly chosen message m′ (= (z1, z2)) from P with non-negligible
probability. Now we take an input to the subgroup membership problem of
H in G, that is, y = (y1, y2). So we would like to determine whether or not
y belongs to H, and so we use the adversary as an oracle to solve this subgroup
membership problem. Suppose the public key for the encryption is (g1, g2). We
set c = y ε(m) = y g1^{x1} g2^{x2}. If y ∈ H, then y ε(m) = e(m). If y ∉ H, then
y ε(m) = e(m′) for a certain uniformly distributed message m′. By our assumption,
we can decide whether c is a ciphertext of m or a ciphertext of a uniformly
distributed plaintext m′ with non-negligible probability. Therefore, we can decide
whether or not the input y belongs to H and so we obtain an algorithm to
solve the subgroup membership problem using the adversary as an oracle.
On the other hand, suppose we have an algorithm to solve the subgroup
membership problem. Let m1 = (0, 0) and m2 = (1, 1). Then we have
e(m1) = r ε(0, 0) = r for some r ∈ H. Thus, e(m1) always belongs to H. On the
other hand, e(m2) = r ε(1, 1) = r g1 g2 ∉ H. Using the algorithm to solve the
subgroup membership problem, we can determine whether a given e(mi) is an
encrypted message of m1 or m2. Therefore, there exists an attack against the
encryption scheme. □
It is clear that if the discrete logarithm problem in the underlying group of
ElGamal is tractable, then it can be completely broken. On the other hand,
the relationship between the discrete logarithm problem and the homomorphic
encryption (2) is intricate. We should remark that solving the discrete logarithm
problem does not give any trivial attacks against the encryption (2) in the generic
group model of [6]. As a matter of fact, the security of the encryption is more
closely related to the multiple discrete logarithm problem introduced in
[8]. The multiple discrete logarithm problem is formulated as follows. Let G be
a finite group isomorphic to C × D, where C and D are cyclic groups. Then G =
⟨g1, g2⟩ for some generators g1 and g2. The multiple discrete logarithm problem
is to compute (x, y) for given g ∈ G, where g = g1^x g2^y. In the generic model, the
multiple discrete logarithm problem is shown to be essentially harder than the discrete
logarithm problem [8]. This implies that an oracle for the discrete logarithm
problem does not help to break the cryptosystem (2) in the generic model.
Every element in the underlying group G is generated by two elements,
whereas the discrete logarithm oracle gives a correct answer only when it is
given the correct pair of group elements a and a^x. The hardness of using the
discrete logarithm oracle to solve the multiple discrete logarithm problem comes
from the hardness of finding a non-trivial pair (h1, h2) of group elements which
can be written as h1 = a and h2 = a^x for some a and x. The trapdoor of the
scheme (2) is the Okamoto-Uchiyama logarithmic function with the primes p1, p2,
and it helps to solve the multiple discrete logarithm problem with respect to
the public key. We should note that the generic model does not guarantee
security against attacks that use the properties of the representations of the
underlying group. We should also remark that the encryption can be completely
broken if integers can be factored efficiently.

4 Products of Encryptions

We now discuss how to construct a new encryption from old ones related to
the proposed scheme (2). This implies that we define an operation on encryptions.
Suppose that e1 and e2 are encryptions (2) related to the groups (Z/n1^2)^∗
and (Z/n2^2)^∗, respectively, where n1 and n2 are composites of two primes of the
same size. We may assume that GCD(φ(n1), n2) = 1 and GCD(n1, φ(n2)) = 1.
Suppose the private key of e1 is retained by Alice, whereas the private key of e2
is retained by Bob.
Note that n1 and n2 are composites of primes of the same size, respectively
(say n1 = p1 p2, n2 = q1 q2). Then we can define the encryption related to n1 n2,
that is, P = Z/n1 n2 and G = (Z/(n1 n2)^2)^∗. This is basically the same as the general
case of s = 4 in (2); however, there is a big difference in the sense that
the private key p1, p2 is retained by Alice whereas q1, q2 is retained by Bob.
Therefore, the private keys are divided into two parts and each half is retained
by one entity: Alice retains p1, p2 and Bob retains q1, q2. So it is not necessary
to appeal to a trusted third party to establish a new public key when the two
entities agree to share a public key encryption. Alice and Bob can compute
public keys for the new encryption without showing their private keys. Alice can
compute g1, g2 ∈ (Z/(n1 n2)^2)^∗ such that |g1| = p1 and |g2| = p2 using the Chinese
remainder algorithm; similarly Bob can compute g3, g4 ∈ (Z/(n1 n2)^2)^∗ such that
|g3| = q1 and |g4| = q2. Then a public key is (g1, g2, g3, g4). The encryption of a
plaintext (x1, x2, x3, x4) is computed as ε(x1, x2, x3, x4) r = g1^{x1} g2^{x2} g3^{x3} g4^{x4} r, where
r is chosen uniformly and randomly from ((Z/(n1 n2)^2)^∗)^{n1 n2}. The decryption
is defined accordingly using the Okamoto-Uchiyama logarithmic function. Let us
denote the resulting encryption by e1 ⊗ e2 and call it the product of e1 and e2.
The encryption e1 ⊗ e2 has the following properties. The group of plaintexts is
Z/p1 ⊕ Z/p2 ⊕ Z/q1 ⊕ Z/q2 and ciphertexts lie in (Z/(n1 n2)^2)^∗. Let us suppose
c = e1 ⊗ e2 (x1, x2, x3, x4). Then Alice can retrieve only x1 and x2, whereas
Bob can retrieve only x3 and x4.

A ciphertext of e1 ⊗ e2 is an element of (Z/(n1 n2)^2)^∗ and so it is hard to tamper
with a ciphertext. One can construct a new encryption just by concatenating two
encryptions, that is, a new encryption is defined by e(m1, m2) = (e1(m1), e2(m2))
for two existing encryptions e1 and e2. It is quite easy to tamper with e(m1, m2)
to obtain e(m1, l2) because one may just replace e2(m2) by e2(l2). On the other
hand, e1 ⊗ e2 is resistant to such an attack. This property is desirable for the
construction of electronic voting schemes with multiple authorities. In such schemes,
each authority would like to share a homomorphic encryption but would
like to retain its own secret information.
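The following is an added example, not the paper's own code, serving both the scheme of Section 3.2 and the product e1 ⊗ e2 of Section 4: it implements key generation by the CRT exactly as described, the sampler r = r0^n, the encoder, encryption (2) and decryption (3) generalised to s coordinates, then builds a product key in which Alice holds the toy primes 5, 7 and Bob holds 17, 19, each computing its own g_i from its own primes and the other party's public modulus only. The function names, the deterministic search for h_i, and the exponent (p_i − 1)·n/p_i used by decrypt_partial are my own choices; that exponent suffices for a single key holder because every other g_j is 1 modulo p_i^2 by the CRT construction, so only p_i and the public n are needed.

```python
import random
from math import gcd, prod


def L(p, x):
    # Okamoto-Uchiyama logarithm on Gamma_p: x = 1 + a*p (mod p^2) -> a mod p
    return ((x % (p * p) - 1) // p) % p


def crt(residues, moduli):
    # Chinese remainder theorem for pairwise coprime moduli
    N = prod(moduli)
    return sum(r * (N // m) * pow(N // m, -1, m) for r, m in zip(residues, moduli)) % N


def keygen(own_primes, other_n=1):
    # A party holding own_primes builds its g_i in (Z/n^2)^*, n = prod(own_primes)*other_n,
    # from its own primes and the other party's public modulus (Section 4);
    # other_n = 1 gives the single-party key of Section 3.2.
    # For each p_i: find h_i with h_i^(p_i-1) != 1 (mod p_i^2), so h_i^(p_i-1) has
    # order p_i, then CRT-combine g_i = h_i^(p_i-1) (mod p_i^2), g_i = 1 elsewhere.
    moduli = [p * p for p in own_primes] + ([other_n * other_n] if other_n > 1 else [])
    g = []
    for i, p in enumerate(own_primes):
        h = 2                                   # deterministic search (assumption)
        while pow(h, p - 1, p * p) == 1:
            h += 1
        residues = [pow(h, p - 1, p * p) if j == i else 1 for j in range(len(moduli))]
        g.append(crt(residues, moduli))
    return g


def sample_randomizer(n, rng):
    # SAM: r = r0^n for uniform r0 in G = (Z/n^2)^*, hence uniform r in H = G^n
    r0 = rng.randrange(1, n * n)
    while gcd(r0, n) != 1:
        r0 = rng.randrange(1, n * n)
    return pow(r0, n, n * n)


def encrypt(pk, msg, rng):
    # (2): e(x_1..x_s) = g_1^x_1 * ... * g_s^x_s * r   (mod n^2)
    n2 = pk["n"] ** 2
    c = sample_randomizer(pk["n"], rng)
    for g_i, x_i in zip(pk["g"], msg):
        c = c * pow(g_i, x_i, n2) % n2
    return c


def decrypt(pk, primes, c):
    # (3) for s coordinates: coordinate i uses exponent (n/p_i) * prod_j (p_j - 1),
    # which kills the randomizer and all g_j (j != i) modulo p_i^2.
    n, phi, out = pk["n"], prod(p - 1 for p in primes), []
    for p, g_i in zip(primes, pk["g"]):
        e = (n // p) * phi
        out.append(L(p, pow(c, e, p * p)) * pow(L(p, pow(g_i, e, p * p)), -1, p) % p)
    return tuple(out)


def decrypt_partial(pk, own, c):
    # Section 4: a holder of the primes in own = {coordinate: p} recovers only
    # those coordinates. Exponent (p-1)*(n/p) is my own choice (assumption).
    n, out = pk["n"], {}
    for i, p in own.items():
        e = (p - 1) * (n // p)
        out[i] = L(p, pow(c, e, p * p)) * pow(L(p, pow(pk["g"][i], e, p * p)), -1, p) % p
    return out


def demo(seed=7):
    rng = random.Random(seed)
    # Section 3.2 with s = 2; 5 does not divide 7-1 and 7 does not divide 5-1
    pk = {"n": 35, "g": keygen([5, 7])}
    c1, c2 = encrypt(pk, (3, 4), rng), encrypt(pk, (4, 5), rng)
    single = decrypt(pk, [5, 7], c1)                        # (3, 4)
    summed = decrypt(pk, [5, 7], c1 * c2 % 35 ** 2)         # (2, 2): sum mod (5, 7)
    # Section 4: n1 = 35 (Alice), n2 = 323 = 17*19 (Bob); gcd conditions hold
    pk4 = {"n": 35 * 323, "g": keygen([5, 7], 323) + keygen([17, 19], 35)}
    c = encrypt(pk4, (1, 2, 3, 4), rng)
    alice = decrypt_partial(pk4, {0: 5, 1: 7}, c)           # {0: 1, 1: 2}
    bob = decrypt_partial(pk4, {2: 17, 3: 19}, c)           # {2: 3, 3: 4}
    full = decrypt(pk4, [5, 7, 17, 19], c)                  # all four, if all primes known
    return single, summed, alice, bob, full
```

The product ciphertext is a single residue modulo (n1 n2)^2, so there is no component an outsider could swap for another ciphertext, in contrast to the concatenation (e1(m1), e2(m2)); at the same time neither party can read the other's coordinates, because recovering x3 needs L_{q1} and therefore q1.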
A homomorphic encryption of a direct sum of groups is also desirable for
multi-candidate elections. Such a scheme is discussed in [1], in which a proof of
validity must be provided in addition to the ciphertext of a homomorphic encryption.
A general n-bit cryptographic counter is constructed using a 1-bit counter
in [3]. The scheme also uses non-interactive zero-knowledge proofs. It is possible
to construct a cryptographic counter without an additional proof of validity
using the proposed scheme. We shall discuss applications to election schemes and
cryptographic counters in the full version of the paper.

References
1. Cramer, R., Gennaro, R., Schoenmakers, B.: A Secure and Optimally Efficient
Multi-Authority Election Scheme. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS,
vol. 1233, pp. 103–118. Springer, Heidelberg (1997)
2. Goldwasser, S., Micali, S.: Probabilistic Encryption. Journal of Computer and System
Sciences 28, 270–299 (1984)
3. Katz, J., Myers, S., Ostrovsky, R.: Cryptographic Counters and Applications to
Electronic Voting. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045,
pp. 78–92. Springer, Heidelberg (2001)
4. Okamoto, T., Uchiyama, S.: A New Public-key Cryptosystem as Secure as Factoring.
In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 308–318. Springer,
Heidelberg (1998)
5. Paillier, P.: Public-Key Cryptosystems Based on Composite Degree Residuosity
Classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238.
Springer, Heidelberg (1999)
6. Shoup, V.: Lower Bounds for Discrete Logarithms and Related Problems. In: Fumy,
W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg
(1997)
7. Tsiounis, Y., Yung, M.: On the security of ElGamal based encryption. In: Imai, H.,
Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, pp. 117–134. Springer, Heidelberg
(1998)
8. Yamamura, A., Kurosawa, K.: Generic Algorithms and Key Agreement Protocols
Based on Group Actions. In: Eades, P., Takaoka, T. (eds.) ISAAC 2001. LNCS,
vol. 2223, pp. 208–218. Springer, Heidelberg (2001)
9. Yamamura, A., Saito, T.: Private Information Retrieval Based on the Subgroup
Membership Problem. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS,
vol. 2119, pp. 206–220. Springer, Heidelberg (2001)
Author Index

Bac, Dang Hoai 301
Berhuy, Grégory 90
Bernstein, Daniel J. 20, 291
Binh, Nguyen 301
Boztaş, Serdar 120
Bracken, Carl 72
Bras-Amorós, Maria 337
Byrne, Eimear 72
Charon, Irène 267
Cohen, Gérard 267
Cui, Yang 168
Dai, Xiaoping 60
Das, M. Prem Laxman 237
Embury, P. 281
Fujitsu, Satoshi 80
Fujiwara, Eiji 158
Fujiwara, Toru 110
Geil, Olav 50
Gong, Guang 7
Gulliver, T.A. 311
Guruswami, Venkatesan 1
Hagiwara, Manabu 80, 168
Helleseth, Tor 7
Hollanti, Camilla 227
Hudry, Olivier 267
Høholdt, Tom 18
Imai, Hideki 80, 168
Janwa, H. 347
Jin, Seok-Yong 188
Justesen, Jørn 18
Kaneko, Haruhiko 158
Kashyap, Navin 198
Kavut, Selçuk 321
Kim, Young-Joon 188
Kitagawa, Takashi 80
Kobara, Kazukuni 168
Krithivasan, Dinesh 178
Lahtonen, Jyrki 247
Laigle-Chapuy, Yann 130
Lal, A.K. 347
Lange, Tanja 20
Lobstein, Antoine 267
Lu, Hsiao-feng (Francis) 227
Maheshanand 330
Maitra, Subhamoy 100, 271
Markin, Nadya 72
Matsumoto, Ryutaroh 50
McGuire, Gary 28, 72
Medoš, Silvana 120
Mow, Wai Ho 60
Niederreiter, Harald 208
Nuida, Koji 80
O'Sullivan, Michael E. 337
Ogawa, Kazuto 80
Oggier, Frédérique 90, 138
Ohta, Kazuo 257
Ota, Haruki 257
Paul, Goutam 100
Pinnawala, N. 311
Pradhan, S. Sandeep 178
Pujol, J. 148
Quynh, Nguyen Xuan 301
Raj, Safitha J. 217
Rao, A. 281, 311
Rifà, J. 148
Rønjom, Sondre 7
Rudra, Atri 38
Sarkar, Sumanta 271
Sethuraman, B.A. 138
Shankar, Priti 47
Sikdar, Kripasindhu 237
Solov'eva, F.I. 148
Song, Hong-Yeop 188
Srivastava, Rohit 100
Stichtenoth, Henning 48
Thangaraj, Andrew 217
Vehkalahti, Roope 247
Wasan, Siri Krishan 330
Watanabe, Hajime 80
Winterhof, Arne 208
Yamakawa, Shigenori 168
Yamamura, Akihiro 357
Yasunaga, Kenji 110
Yoneyama, Kazuki 257
Yücel, Melek Diker 321
Zhou, Jianqin 60