Linear codes of good error control performance Tsonka Baicheva Institute of Mathematics and Informatics Bulgarian Academy of Sciences Bulgaria

 Biham E., Shamir A., Differential fault analysis of secret key cryptosistems, LNCS, vol. 1294, pp ,  Boneh D., DeMillo R.A., Lipton R.J., On the importance of checking cryptographic protocols for faults, LNCS, vol. 1233, pp , »The erroneous output of the cryptographic algorithm could be used to perform an attack.

Basic definitions F q =GF(q) »Linear code C is a k-dimensional subspace of F q n »Minimum distance d(C) = min d(c 1,c 2 ), c 1,c 2 є C, c 1 ≠c 2 t=|(d-1)/2| [n,k,d] q linear code with length n, dimension k, minimum distance d, over F q

Basic definitions A i the number of codewords of C of weight i. {A i | i=0, …, n} a weight distribution/spectrum of the code C. The polynomial is called weight enumerator of the code C.

Basic definitions x+C={x+c | c є C} a coset of the code C determined by the vector x є F q n. »Coset leader is a vector with the smallest weight in the coset.  i the number of coset leaders of weight i.  {  i | i=0, …,n} a coset leaders weight distribution/spectrum of the code C.

Communication system transmitterreceiverchannel error vector

Decoding to the nearest codeword through a BSC 1. Find the unique code word v for which the Hamming distance d(v,w) is minimal and to decode correctly w to v. The probability of correct decoding The probability of error

Decoding to the nearest codeword through a BSC 2. To detect an error if there are more than one codewords with minimal Hamming distance d(v,w). 3. To decode erroneously to a different codeword v' if the channel error have changed v in such a way that the closest codeword to w is v', i.e. to have an undetectable error.

Undetected error probability v+e=w=v’+e’ => v’=v+e-e’ =v+e’’ Undetected error occurs iff e’’ is a nonzero codeword. »The probability of undetected error

Undetected error probability after t-error correction Q h,l the number of vectors of weight l in the cosets of minimum weight h, excluding the coset leaders. » Probability of an undetected error after t-error correction » Optimal code P ue (t) (C,ε) is minimal

Criteria whether a code is suitable for error correction A code C is called t-proper (or proper when t=0 and the code is only used for error detection) if P ue (t) (C,ε) is monotonous A code C is called t-good if P ue (t) (C,ε) ≤ P ue (t) (C,(q-1)/q) for all ε є [0,(q-1)/q]

Discrete sufficient conditions Dodunekova and Dodunekov’98 Theorem If then C is t-good for error correction. Theorem If then C is t-proper for error correction. A i (t) the weight distribution of the vectors in the cosets with coset leaders of weight at most t, excluding the leaders. V q (t) the volume of the q-ary sphere of radius t in F q n m (i) =m(m-1)…(m-i+1)

Complexity of checking t-goodness and t-properness » The problem of finding the weight distribution of C is NP hard. » The determination of  i and Q h,l are computationally hard problems.

Results All binary cyclic codes of n ≤ 33 (Downie&Sloane’85) Some binary distance-optimal codes of n ≤ 33 (Jaffe’97) »Having A i (B i ),  i and Q h,l determined the values of P ue (t) and P corr can be calculated and compared in a linear time.

Examples [21,10,4] binary cyclic code, P ue (t) for t=0, t=1

Examples [21,10,5] binary cyclic code, P ue (t) t=0, t=1, t=2

Examples [25,5,12] binary distance-optimal codes, P ue (t)

Examples [25,5,12] binary distance-optimal codes, P ue (t)

 Wright A., Kinast J., McCarty J., Low-Latency Cryptographic Protection for SCADA Communications, LNCS, vol. 3089, pp , »Cryptographic protocol that uses the Cyclic Redundancy Check (CRC) transmitted by the existing SCADA (Supervisory Control And Data Acquisition) equipment to achieve string integrity while introducing minimal latency.

Cyclic Redundancy Check Codes Let C be a cyclic code If c 0,c 1,…,c n-1 є C, then c n-1,c 0,…,c n-2 є C »C and all its shortenings C` are CRC codes or polynomial codes C` are almost always non cyclic It is possible to use the same fast encoders and decoders as can be used with the original cyclic code

Error detection performance of CRC »g(x) is the generator polynomial of the CRC code of degree p ‼ g(x) is not divisible by x  has at least 2 nonzero coefficients Theorem 1 A CRC code with generator polynomial of degree p can detect any single error.

Burst error detection »Burst-error pattern of length d+1. All corrupted bits are concentrated between bits j and d+j Theorem 2 A CRC code with generator polynomial of degree p can detect all burst errors of length p or less.

Burst error detection Let f(b) be the fraction of undetected burst errors of length b  If b<p+1  If b=p+1  If b>p+1

8-bits CRC code  DARC x 8 +x 5 +x 4 +x 3 +1 ‼ Standardized polynomial might not be good for most lengths Optimal for 9≥n≥17 (d=5), but with d=2 for n≥18 It is used for 24≤n≤56, where performs far from the optimal

Comparison between some CRCs for n=17 P ue for DARK-8, CRC-8, ATM HEC-8, C 1

Comparison between some CRCs for n=56 P ue for DARK-8, CRC-8, CRC-7, P 1 (7-bit CRC)

Notes The usual practice is to select a standardized CRC polynomial, but very often they provide less error control capability than may be achieved for the given number of CRC bits. Even if a good published polynomial is available, there is generally no published guidance on what range of data word lengths it is good.

‼ Complete investigations of all possible polynomials with given degree will help in selecting the most effective polynomial for any particular application all CRC codes of up to 10 bit redundancy are classified and their orders are determined weight spectra of the duals coset leaders weight spectra minimum distances of all codes and of all its shortenings are computed

Procedure for polynomial selection Fix the degree p of the polynomial. Choose polynomials of ord (g(x)) ≥ max n. Consider only the polynomials of maximum minimum distance. If they are too much, choose only those having the smallest number of codewords of minimum weight. For the particular channel error probability ε at which the code will operate, choose the code with smallest P ue. If the code will be used for error correction, choose the one with the biggest P corr.

t=| ̱( d-1)/2 ̱ |, Covering radius R

Quasi-perfect codes »t=R Perfect codes [n,n,1] q 0 codes for n≥1; [2s+1,1,2s+1] q s repetition codes for s≥1; Hamming codes; binary and ternary Golay codes; »t=R+1 Quasi-perfect codes

Classification of binary linear quasi-perfect codes k/n ? 11 ?? 12 ? 13 ????? 14 ???