Linear codes of good error control performance Tsonka Baicheva Institute of Mathematics and Informatics Bulgarian Academy of Sciences Bulgaria.

Linear codes of good error control performance

Tsonka Baicheva

Institute of Mathematics and Informatics Bulgarian Academy of Sciences

Bulgaria

Biham E., Shamir A., Differential fault analysis of secret key cryptosistems, LNCS, vol. 1294, pp. 513-525, 1997.

Boneh D., DeMillo R.A., Lipton R.J., On the importance of checking cryptographic protocols for faults, LNCS, vol. 1233, pp. 37-51, 1997.

» The erroneous output of the cryptographic algorithm could be used to perform an attack.

Basic definitions

• Fq=GF(q) » Linear code C is a k-dimensional subspace

of Fqn

» Minimum distance d(C) = min d(c1,c2), c1,c2 є C, c1≠c2

t=|(d-1)/2|

• [n,k,d]q linear code with length n, dimension k, minimum distance d, over Fq

Basic definitions

• Ai the number of codewords of C of weight i. {Ai | i=0, …, n} a weight distribution/spectrum of the code C.

• The polynomial is called weight enumerator of the code C.

n

i

ii zAzA

0

)(

Basic definitions

• x+C={x+c | c є C} a coset of the code C determined by the vector x є Fq

n.

» Coset leader is a vector with the smallest weight in the coset.

i the number of coset leaders of weight i.

» {i | i=0,…,n} a coset leaders weight distribution/spectrum of the code C.

Communication system

transmitter receiverchannelv w

error vector

e

w v e

Decoding to the nearest codeword through a BSC

1. Find the unique code word v for which the Hamming distance d(v,w) is minimal and to decode correctly w to v.

The probability of correct decoding

The probability of error 1err corrP P

0

(1 )1

in

n icorr i

i

Pq

Decoding to the nearest codeword through a BSC

2. To detect an error if there are more than one codewords with minimal Hamming distance d(v,w).

3. To decode erroneously to a different codeword v' if the channel error have changed v in such a way that the closest codeword to w is v', i.e. to have an undetectable error.

Undetected error probability

v+e=w=v’+e’ => v’=v+e-e’ =v+e’’

• Undetected error occurs iff e’’ is a nonzero codeword.

» The probability of undetected error

1

( , ) (1 )1

1 (1 )1

inn i

ue ii

k n ni

P C Aq

qq B

q

Undetected error probability after t-error correction

• Qh,l the number of vectors of weight l in the cosets of minimum weight h, excluding the coset leaders. » Probability of an undetected error after t-error correction

» Optimal code Pue(t)(C,ε) is minimal

( ),

0 0

( , ) (1 )1

lt nt n l

ue h lh l

P C Qq

Criteria whether a code is suitable for error correction

• A code C is called t-proper (or proper when t=0 and the code is only used for error detection) if

Pue(t)(C,ε) is monotonous

• A code C is called t-good if

Pue(t)(C,ε) ≤ Pue

(t)(C,(q-1)/q)

for all ε є [0,(q-1)/q]

Discrete sufficient conditionsDodunekova and Dodunekov’98

Theorem If

then C is t-good for error correction.Theorem If

then C is t-proper for error correction. Ai

(t) the weight distribution of the vectors in the cosets with coset leaders of weight at most t, excluding the leaders.

Vq(t) the volume of the q-ary sphere of radius t in Fqn

m(i)=m(m-1)…(m-i+1)

l

ti

l

ti

ti

i

iti

i

i ntlforAn

lqA

n

l

1

1

1

)(

)(

)()(

)(

)( ...2)1(

ntlforAn

lqtVqq

l

ti

ti

i

ilq

nkn ...1)(1

)(

)(

)()(

Complexity of checking t-goodness and t-properness

» The problem of finding the weight distribution of C is NP hard.

» The determination of i and Qh,l are computationally hard problems.

Results

• All binary cyclic codes of n ≤ 33 (Downie&Sloane’85)

• Some binary distance-optimal codes of n ≤ 33 (Jaffe’97)

» Having Ai(Bi), i and Qh,l determined the values of Pue

(t) and Pcorr can be calculated and compared in a linear time.

Examples

[21,10,4] binary cyclic code, Pue(t) for t=0, t=1

Examples

[21,10,5] binary cyclic code, Pue(t) t=0, t=1, t=2

Examples

[25,5,12] binary distance-optimal codes, Pue(t)

Examples

[25,5,12] binary distance-optimal codes, Pue(t)

Wright A., Kinast J., McCarty J., Low-Latency Cryptographic Protection for SCADA Communications, LNCS, vol. 3089 , pp.263-277, 2004.

» Cryptographic protocol that uses the Cyclic Redundancy Check (CRC) transmitted by the existing SCADA (Supervisory Control And Data Acquisition) equipment to achieve string integrity while introducing minimal latency.

Cyclic Redundancy Check Codes

• Let C be a cyclic code If c0,c1,…,cn-1 є C, then cn-1,c0,…,cn-2 є C » C and all its shortenings C` are CRC codes or

polynomial codes

• C` are almost always non cyclic

• It is possible to use the same fast encoders and decoders as can be used with the original cyclic code

Error detection performance of CRC

» g(x) is the generator polynomial of the CRC code of degree p

‼ g(x) is not divisible by x has at least 2 nonzero coefficients

Theorem 1 A CRC code with generator polynomial of degree p can detect any single error.

Burst error detection

» Burst-error pattern of length d+1. All corrupted bits are concentrated between bits j and d+j

Theorem 2 A CRC code with generator polynomial of degree p can detect all burst errors of length p or less.

Burst error detection

• Let f(b) be the fraction of undetected burst errors of length b

If b<p+1

If b=p+1

If b>p+1

2 1

# of undetected errors of length p+1 1 1( )

total # of errors of length p+1 2 2b pf b

2

2

# of undetected errors of length > p+1 2 1( )

total # of errors of length > p+1 2 2

b p

b pf b

( ) 0f b

8-bits CRC code

DARC x8+x5+x4+x3+1

‼Standardized polynomial might not be good for most lengths

• Optimal for 9≥n≥17 (d=5), but with d=2 for n≥18

• It is used for 24≤n≤56, where performs far from the optimal

Comparison between some CRCs for n=17

Pue for DARK-8, CRC-8, ATM HEC-8, C1

Comparison between some CRCs for n=56

Pue for DARK-8, CRC-8, CRC-7, P1(7-bit CRC)

Notes

• The usual practice is to select a standardized CRC polynomial, but very often they provide less error control capability than may be achieved for the given number of CRC bits.

• Even if a good published polynomial is available, there is generally no published guidance on what range of data word lengths it is good.

‼ Complete investigations of all possible polynomials with given degree will help in selecting the most effective polynomial for any particular application

• all CRC codes of up to 10 bit redundancy are classified and their orders are determined

• weight spectra of the duals• coset leaders weight spectra• minimum distances of all codes and of all its

shortenings are computed

Procedure for polynomial selection

• Fix the degree p of the polynomial.• Choose polynomials of ord(g(x)) ≥ max n. • Consider only the polynomials of maximum

minimum distance. If they are too much, choose only those having the smallest number of codewords of minimum weight.

• For the particular channel error probability ε at which the code will operate, choose the code with smallest Pue. If the code will be used for error correction, choose the one with the biggest Pcorr.

t=| ̱(d-1)/2 ̱|, Covering radius R

nqF

Quasi-perfect codes

» t=R Perfect codes

• [n,n,1]q0 codes for n≥1;

• [2s+1,1,2s+1]qs repetition codes for s≥1;

• Hamming codes;• binary and ternary Golay codes;

» t=R+1 Quasi-perfect codes

Classification of binary linear quasi-perfect codes

k/n 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

2

3

4

5

6

7

8

9

10 ?11 ? ?12 ?13 ? ? ? ? ?14 ? ? ?