
    Construction of optimal locally recoverable codes and connection with hypergraph

    Locally recoverable codes are a class of block codes with an additional property called locality. A locally recoverable code with locality r can recover a symbol by reading at most r other symbols. Recently, it was discovered by several authors that a q-ary optimal locally recoverable code, i.e., a locally recoverable code achieving the Singleton-type bound, can have length much bigger than q + 1. In this paper, we present both an upper bound and a lower bound on the length of optimal locally recoverable codes. Our lower bound improves the best known result in [12] for all distances d ≥ 7. This result is built on the observation that the parity-check matrix can be equipped with a Vandermonde structure. It turns out that a parity-check matrix with the Vandermonde structure produces an optimal locally recoverable code if it satisfies a certain expansion property for subsets of F_q. To our surprise, this expansion property is then shown to be equivalent to a well-studied problem in extremal graph theory. Our upper bound is derived by a refined analysis of the arguments of Theorem 3.3 in [6].

    How Long Can Optimal Locally Repairable Codes Be?

    A locally repairable code (LRC) with locality r allows for the recovery of any erased codeword symbol using only r other codeword symbols. A Singleton-type bound dictates the best possible tradeoff between the dimension and distance of LRCs; an LRC attaining this tradeoff is deemed optimal. Such optimal LRCs have been constructed over alphabets growing linearly in the block length. Unlike the classical Singleton bound, however, it was not known if such a linear growth in the alphabet size is necessary or, for that matter, even if the alphabet needs to grow at all with the block length. Indeed, for small code distances 3 and 4, arbitrarily long optimal LRCs were known over fixed alphabets. Here, we prove that for distances d ≥ 5, the code length n of an optimal LRC over an alphabet of size q must be at most roughly O(dq^3). For the case d = 5, our upper bound is O(q^2). We complement these bounds by showing the existence of optimal LRCs of length Ω_{d,r}(q^{1+1/⌊(d-3)/2⌋}) when d ≤ r + 2. These bounds match when d = 5, thus pinning down n = Θ(q^2) as the asymptotically largest length of an optimal LRC for this case.

    Efficient multi-point local decoding of Reed-Muller codes via interleaved codex

    Reed-Muller codes are among the most important classes of locally correctable codes. Currently, local decoding of Reed-Muller codes is based on decoding on lines or quadratic curves to recover one single coordinate. To recover multiple coordinates simultaneously, the naive way is to repeat the local decoding for recovery of a single coordinate. This decoding algorithm might be more expensive, i.e., require higher query complexity. In this paper, we focus on Reed-Muller codes in the usual parameter regime, namely, the total degree of the evaluation polynomials is d = Θ(q), where q is the code alphabet size (in fact, d can be as big as q/4 in our setting). By introducing a novel variation of codex, i.e., interleaved codex (the concept of codex has been used for arithmetic secret sharing), we are able to locally recover an arbitrarily large number k of coordinates of a Reed-Muller code simultaneously with error probability exp(-Ω(k)) at the cost of querying merely O(q^2 k) coordinates. It turns out that our local decoding of Reed-Muller codes shows (perhaps surprisingly) that accessing k locations is in fact cheaper than repeating the procedure for accessing a single location k times. Precisely speaking, to get the same success probability by repeating the local decoding algorithm of a single coordinate, one has to query Ω(qk^2) coordinates. Thus, the query complexity of our local decoding is smaller for k = Ω(q). If we impose the same query complexity constraint on both algorithms, our local decoding algorithm yields smaller error probability when k = Ω(q√q). In addition, our local decoding is efficient, i.e., the decoding complexity is Poly(k, q). Construction of an interleaved codex is based on concatenation of a codex with a multiplication-friendly pair, while the main tool to realize codex is based on algebraic function fields (or more precisely, algebraic geometry codes).

    How long can optimal locally repairable codes be?

    A locally repairable code (LRC) with locality r allows for the recovery of any erased codeword symbol using only r other codeword symbols. A Singleton-type bound dictates the best possible trade-off between the dimension and distance of LRCs; an LRC attaining this trade-off is deemed optimal. Such optimal LRCs have been constructed over alphabets growing linearly in the block length. Unlike the classical Singleton bound, however, it was not known if such a linear growth in the alphabet size is necessary, or for that matter even if the alphabet needs to grow at all with the block length. Indeed, for small code distances 3, 4, arbitrarily long optimal LRCs were known over fixed alphabets. Here, we prove that for distances d ≥ 5, the code length n of an optimal LRC over an alphabet of size q must be at most roughly O(d q^3). For the case d = 5, our upper bound is O(q^2). We complement these bounds by showing the existence of optimal LRCs of length Ω_{d,r}(q^{1+1/⌊(d-3)/2⌋}) when d ≤ r + 2. Our bounds match when d = 5, pinning down n = Θ(q^2) as the asymptotically largest length of an optimal LRC for this case.

    Beating the probabilistic lower bound on perfect hashing

    For an integer q > 2, a perfect q-hash code C is a block code over [q] := {1, ..., q} of length n in which every subset {c_1, c_2, ..., c_q} of q elements is separated, i.e., there exists i ∈ [n] such that {proj_i(c_1), ..., proj_i(c_q)} = [q], where proj_i(c_j) denotes the i-th position of c_j. Finding the maximum size M(n, q) of perfect q-hash codes of length n, for given q and n, is a fundamental problem in combinatorics, information theory, and computer science. In this paper, we are interested in the asymptotic behavior of this problem. More precisely speaking, we will focus on the quantity R_q := li

    A note on short invertible ring elements and applications to cyclotomic and trinomials number fields

    Ring-SIS based Σ-protocols require a challenge set C in some ring R, usually an order in a number field L. These Σ-protocols impose various requirements on the subset C, and finding a good, or even optimal, challenge set is a non-trivial task that involves making various trade-offs. In particular, (1) the set C should be `large', (2) elements in C should be `small', and (3) differences of distinct elements in C should be invertible modulo a rational prime p. Moreover, for efficiency purposes, it is desirable that (4) the prime p is small, and that (5) it splits in many factors in the number field L. These requirements on C are subject to certain trade-offs, e.g., between the splitting behavior of the prime p and its size. Lyubashevsky and Seiler (Eurocrypt 2018) have studied these trade-offs for subrings of cyclotomic number fields. Cyclotomic number fields possess convenient properties and as a result most Ring-SIS based protocols are defined over these specific fields. However, recent attacks have shown that, in certain protocols, these convenient properties can be exploited by adversaries, thereby weakening or even breaking the cryptographic protocols. In this work, we revisit the results of Lyubashevsky and Seiler and show that they follow from standard Galois theory, thereby simplifying their proofs. Subsequently, this approach leads to a natural generalization from cyclotomic to arbitrary number fields. We apply the generalized results to construct challenge sets in trinomial number fields of the form Q[X]/(f) with f = X^n + aX^k + b ∈ Z[X] irreducible. Along the way we prove a conjectured result on the practical applicability for cyclotomic number fields and prove the optimality of certain constructions. Finally, we find a new construction for challenge sets resulting in smaller prime sizes at the cost of slightly increasing the ℓ_2-norm of the challenges.

    Asymptotically Good Multiplicative LSSS over Galois Rings and Applications to MPC over Z/p^kZ

    We study information-theoretic multiparty computation (MPC) protocols over rings Z/p^kZ that have good asymptotic communication complexity for a large number of players. An important ingredient for such protocols is arithmetic secret sharing, i.e., linear secret-sharing schemes with multiplicative properties. The standard way to obtain these over fields is with a family of linear codes C, such that C, C^⊥ and C^2 are asymptotically good (strongly multiplicative). For our purposes here it suffices if the square code C^2 is not the whole space, i.e., has codimension at least 1 (multiplicative). Our approach is to lift such a family of codes defined over a finite field F to a Galois ring, which is a local ring that has F as its residue field and that contains Z/p^kZ as a subring, and thus enables arithmetic that is compatible with both structures. Although arbitrary lifts preserve the distance and dual distance of a code, as we demonstrate with a counterexample, the multiplicative property is not preserved. We work around this issue by showing a dedicated lift that preserves self-orthogonality (as well as distance and dual distance), for p ≥ 3. Self-orthogonal codes are multiplicative, therefore we can use existing results of asymptotically good self-dual codes over fields to obtain arithmetic secret sharing over Galois rings. For p = 2 we obtain multiplicativity by using existing techniques of secret sharing using both C and C^⊥, incurring a constant overhead. As a result, we obtain asymptotically good arithmetic secret-sharing schemes over Galois rings. With these schemes in hand, we extend existing field-based MPC protocols to obtain MPC over Z/p^kZ, in the setting of a submaximal adversary corrupting less than a fraction 1/2 - ε of the players, where ε > 0 is arbitrarily small. We consider 3 different corruption models. For passive and active security with abort, our protocols communicate O(n) bits per multiplication. For full security with guaranteed output delivery we use a preprocessing model and get O(n) bits per multiplication in the online phase and O(n log n) bits per multiplication in the offline phase. Thus, we obtain true linear bit complexities, without the common assumption that the ring size depends on the number of players.

    Asymptotic Gilbert-Varshamov bound on frequency hopping sequences

    Given a q-ary frequency hopping sequence set of length n and size M with Hamming correlation H, one can obtain a q-ary (nonlinear) cyclic code of length n and size nM with Hamming distance n - H. Thus, every upper bound on the size of a code from coding theory gives an upper bound on the size of a frequency hopping sequence set. Indeed, all upper bounds from coding theory have been converted to upper bounds on frequency hopping sequence sets [1]. On the other hand, a lower bound from coding theory does not automatically produce a lower bound for frequency hopping sequence sets. In particular, the most important lower bound, the Gilbert-Varshamov bound in coding theory, has not been transformed to a valid lower bound on frequency hopping sequence sets. The purpose of this paper is to transform the Gilbert-Varshamov bound from coding theory to frequency hopping sequence sets by establishing a connection between a special family of cyclic codes (which are called hopping cyclic codes in this paper) and frequency hopping sequence sets. We provide two proofs of the Gilbert-Varshamov bound. One is based on a probabilistic method that requires an advanced tool, the martingale. This proof covers the whole rate region. The other proof is purely elementary but only covers part of the rate region.