1,211 research outputs found

    Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups

    The main practical limitation of the McEliece public-key encryption scheme is probably the size of its key. A famous trend to overcome this issue is to focus on subclasses of alternant/Goppa codes with a non-trivial automorphism group. Such codes then display symmetries allowing compact parity-check or generator matrices. For instance, a key reduction is obtained by taking quasi-cyclic (QC) or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such symmetric alternant/Goppa codes in cryptography introduces a fundamental weakness. It is indeed possible to reduce the key-recovery on the original symmetric public code to the key-recovery on a (much) smaller code that no longer has symmetries. This result is obtained thanks to a new operation on codes called folding that exploits the knowledge of the automorphism group. This operation consists in adding the coordinates of codewords which belong to the same orbit under the action of the automorphism group. The advantage is twofold: the reduction factor can be as large as the size of the orbits, and it preserves a fundamental property: folding the dual of an alternant (resp. Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point is to show that all the existing constructions of alternant/Goppa codes with symmetries follow a common principle of taking codes whose support is globally invariant under the action of affine transformations (by building upon prior works of T. Berger and A. Dür). This enables not only to present a unified view but also to generalize the construction of QC, QD and even quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to boost up any key-recovery attack on McEliece systems based on symmetric alternant or Goppa codes, and in particular algebraic attacks. Comment: 19 page

    An exact solution method for binary equilibrium problems with compensation and the power market uplift problem

    We propose a novel method to find Nash equilibria in games with binary decision variables by including compensation payments and incentive-compatibility constraints from non-cooperative game theory directly into an optimization framework, in lieu of using first-order conditions of a linearization or a relaxation of integrality conditions. The reformulation offers a new approach to obtain and interpret dual variables to binary constraints using the benefit or loss from deviation rather than marginal relaxations. The method endogenizes the trade-off between overall (societal) efficiency and the compensation payments necessary to align incentives of individual players. We provide existence results and conditions under which this problem can be solved as a mixed-binary linear program. We apply the solution approach to a stylized nodal power-market equilibrium problem with binary on-off decisions. This illustrative example shows that our approach yields an exact solution to the binary Nash game with compensation. We compare different implementations of actual market rules within our model, in particular constraints ensuring non-negative profits (no-loss rule) and restrictions on the compensation payments to non-dispatched generators. We discuss the resulting equilibria in terms of overall welfare, efficiency, and allocational equity.

    Higher-order CIS codes

    We introduce complementary information set codes of higher order. A binary linear code of length $tk$ and dimension $k$ is called a complementary information set code of order $t$ ($t$-CIS code for short) if it has $t$ pairwise disjoint information sets. The duals of such codes make it possible to reduce the cost of masking cryptographic algorithms against side-channel attacks. As in the case of codes for error correction, given the length and the dimension of a $t$-CIS code, we look for the highest possible minimum distance. In this paper, this new class of codes is investigated. The existence of good long CIS codes of order $3$ is derived by a counting argument. General constructions based on cyclic and quasi-cyclic codes and on the building-up construction are given. A formula similar to a mass formula is given. A classification of 3-CIS codes of length $\le 12$ is given. Nonlinear codes better than linear codes are derived by taking binary images of $\mathbb{Z}_4$-codes. A general algorithm based on Edmonds' basis packing algorithm from matroid theory is developed with the following property: given a binary linear code of rate $1/t$, it either provides $t$ disjoint information sets or proves that the code is not $t$-CIS. Using this algorithm, all optimal or best known $[tk, k]$ codes where $t = 3, 4, \dots, 256$ and $1 \le k \le \lfloor 256/t \rfloor$ are shown to be $t$-CIS for all such $k$ and $t$, except for $t = 3$ with $k = 44$ and $t = 4$ with $k = 37$. Comment: 13 pages; 1 figur

    Numerical cubature using error-correcting codes

    We present a construction for improving numerical cubature formulas with equal weights and a convolution structure, in particular equal-weight product formulas, using linear error-correcting codes. The construction is most effective in low degree with extended BCH codes. Using it, we obtain several sequences of explicit, positive, interior cubature formulas with good asymptotics for each fixed degree $t$ as the dimension $n \to \infty$. Using a special quadrature formula for the interval [arXiv:math.PR/0408360], we obtain an equal-weight $t$-cubature formula on the $n$-cube with $O(n^{\lfloor t/2 \rfloor})$ points, which is within a constant of the Stroud lower bound. We also obtain $t$-cubature formulas on the $n$-sphere, $n$-ball, and Gaussian $\mathbb{R}^n$ with $O(n^{t-2})$ points when $t$ is odd. When $\mu$ is spherically symmetric and $t = 5$, we obtain $O(n^2)$ points. For each $t \ge 4$, we also obtain explicit, positive, interior formulas for the $n$-simplex with $O(n^{t-1})$ points; for $t = 3$, we obtain $O(n)$ points. These constructions asymptotically improve the non-constructive Tchakaloff bound. Some related results were recently found independently by Victoir, who also noted that the basic construction more directly uses orthogonal arrays. Comment: Dedicated to Wlodzimierz and Krystyna Kuperberg on the occasion of their 40th anniversary. This version has a major improvement for the n-cub

    On the Structure of the Linear Codes with a Given Automorphism

    The purpose of this paper is to present the structure of the linear codes over a finite field with $q$ elements that have a permutation automorphism of order $m$. These codes can be considered as generalized quasi-cyclic codes. Quasi-cyclic codes and almost quasi-cyclic codes are discussed in detail, presenting necessary and sufficient conditions under which linear codes with such an automorphism are self-orthogonal, self-dual, or linear complementary dual.

    Frames of translates with prescribed fine structure in shift invariant spaces

    For a given finitely generated shift invariant (FSI) subspace $\mathcal{W} \subset L^2(\mathbb{R}^k)$ we obtain a simple criterion for the existence of shift generated (SG) Bessel sequences $E(\mathcal{F})$ induced by finite sequences of vectors $\mathcal{F} \in \mathcal{W}^n$ that have a prescribed fine structure, i.e., such that the norms of the vectors in $\mathcal{F}$ and the spectra of $S_{E(\mathcal{F})}$ are prescribed in each fiber of $\mathrm{Spec}(\mathcal{W}) \subset \mathbb{T}^k$. We complement this result by developing an analogue of the so-called sequences of eigensteps from finite frame theory in the context of SG Bessel sequences, which allows for a detailed description of all sequences with prescribed fine structure. Then, given $0 < \alpha_1 \le \ldots \le \alpha_n$, we characterize the finite sequences $\mathcal{F} \in \mathcal{W}^n$ such that $\|f_i\|^2 = \alpha_i$ for $1 \le i \le n$, and such that the fine spectral structure of the shift generated Bessel sequences $E(\mathcal{F})$ has minimal spread (i.e., we show the existence of optimal SG Bessel sequences with prescribed norms); in this context the spread of the spectra is measured in terms of the convex potential $P^{\mathcal{W}}_\varphi$ induced by $\mathcal{W}$ and an arbitrary convex function $\varphi : \mathbb{R}_+ \to \mathbb{R}_+$. Comment: 31 pages. Accepted in the JFA. This revised version has several changes in the notation and the organization of the text. There exists text overlap with arXiv:1508.01739 in the preliminary section.

    $\varepsilon$-Almost collision-flat universal hash functions and mosaics of designs

    We introduce, motivate and study $\varepsilon$-almost collision-flat (ACFU) universal hash functions $f : \mathcal{X} \times \mathcal{S} \to \mathcal{A}$. Their main property is that the number of collisions in any given value is bounded. Each $\varepsilon$-ACFU hash function is an $\varepsilon$-almost universal (AU) hash function, and every $\varepsilon$-almost strongly universal (ASU) hash function is an $\varepsilon$-ACFU hash function. We study how the size of the seed set $\mathcal{S}$ depends on $\varepsilon$, $|\mathcal{X}|$ and $|\mathcal{A}|$. Depending on how these parameters are interrelated, seed-minimizing ACFU hash functions are equivalent to mosaics of balanced incomplete block designs (BIBDs) or to duals of mosaics of quasi-symmetric block designs; in a third case, mosaics of transversal designs and nets yield seed-optimal ACFU hash functions, but a full characterization is missing. By either extending $\mathcal{S}$ or $\mathcal{X}$, it is possible to obtain an $\varepsilon$-ACFU hash function from an $\varepsilon$-AU hash function or an $\varepsilon$-ASU hash function, generalizing the construction of mosaics of designs from a given resolvable design (Gnilke, Greferath, Pavčević, Des. Codes Cryptogr. 86(1)). The concatenation of an ASU and an ACFU hash function again yields an ACFU hash function. Finally, we motivate ACFU hash functions by their applicability in privacy amplification.