A new class of codes for Boolean masking of cryptographic computations

We introduce a new class of rate one-half binary codes: {\bf complementary information set codes.} A binary linear code of length $2n$ and dimension $n$ is called a complementary information set code (CIS code for short) if it has two disjoint information sets. This class of codes contains self-dual codes as a subclass. It is connected to graph correlation immune Boolean functions of use in the security of hardware implementations of cryptographic primitives. Such codes permit to improve the cost of masking cryptographic algorithms against side channel attacks. In this paper we investigate this new class of codes: we give optimal or best known CIS codes of length $<132.$ We derive general constructions based on cyclic codes and on double circulant codes. We derive a Varshamov-Gilbert bound for long CIS codes, and show that they can all be classified in small lengths $\le 12$ by the building up construction. Some nonlinear permutations are constructed by using $\Z_4$-codes, based on the notion of dual distance of an unrestricted code.Comment: 19 pages. IEEE Trans. on Information Theory, to appea

Self-Dual Codes

Self-dual codes are important because many of the best codes known are of this type and they have a rich mathematical theory. Topics covered in this survey include codes over F_2, F_3, F_4, F_q, Z_4, Z_m, shadow codes, weight enumerators, Gleason-Pierce theorem, invariant theory, Gleason theorems, bounds, mass formulae, enumeration, extremal codes, open problems. There is a comprehensive bibliography.Comment: 136 page

On the Residue Codes of Extremal Type II Z4-Codes of Lengths 32 and 40

In this paper, we determine the dimensions of the residue codes of extremal Type II Z4-codes for lengths 32 and 40. We demonstrate that every binary doubly even self-dual code of length 32 can be realized as the residue code of some extremal Type II Z4-code. It is also shown that there is a unique extremal Type II Z4-code of length 32 whose residue code has the smallest dimension 6 up to equivalence. As a consequence, many new extremal Type II Z4-codes of lengths 32 and 40 are constructed.Comment: 19 page

Higher-order CIS codes

We introduce {\bf complementary information set codes} of higher-order. A binary linear code of length $tk$ and dimension $k$ is called a complementary information set code of order $t$ ($t$-CIS code for short) if it has $t$ pairwise disjoint information sets. The duals of such codes permit to reduce the cost of masking cryptographic algorithms against side-channel attacks. As in the case of codes for error correction, given the length and the dimension of a $t$-CIS code, we look for the highest possible minimum distance. In this paper, this new class of codes is investigated. The existence of good long CIS codes of order $3$ is derived by a counting argument. General constructions based on cyclic and quasi-cyclic codes and on the building up construction are given. A formula similar to a mass formula is given. A classification of 3-CIS codes of length $\le 12$ is given. Nonlinear codes better than linear codes are derived by taking binary images of $\Z_4$-codes. A general algorithm based on Edmonds' basis packing algorithm from matroid theory is developed with the following property: given a binary linear code of rate $1/t$ it either provides $t$ disjoint information sets or proves that the code is not $t$-CIS. Using this algorithm, all optimal or best known $[tk, k]$ codes where $t=3, 4, \dots, 256$ and $1 \le k \le \lfloor 256/t \rfloor$ are shown to be $t$-CIS for all such $k$ and $t$, except for $t=3$ with $k=44$ and $t=4$ with $k=37$.Comment: 13 pages; 1 figur

The codes and the lattices of Hadamard matrices

It has been observed by Assmus and Key as a result of the complete classification of Hadamard matrices of order 24, that the extremality of the binary code of a Hadamard matrix H of order 24 is equivalent to the extremality of the ternary code of H^T. In this note, we present two proofs of this fact, neither of which depends on the classification. One is a consequence of a more general result on the minimum weight of the dual of the code of a Hadamard matrix. The other relates the lattices obtained from the binary code and from the ternary code. Both proofs are presented in greater generality to include higher orders. In particular, the latter method is also used to show the equivalence of (i) the extremality of the ternary code, (ii) the extremality of the Z_4-code, and (iii) the extremality of a lattice obtained from a Hadamard matrix of order 48.Comment: 16 pages. minor revisio