Applications of Galois Geometries to Coding Theory and ... › summer_school... · Galois...

Galois geometriesGeometry and cryptography

Applications of Galois Geometries to CodingTheory and Cryptography

Leo Storme

Ghent UniversityDept. of Mathematics

Krijgslaan 281 - Building S229000 Ghent

Belgium

Albena, July 1, 2013

Leo Storme Galois geometries and cryptography


1. Affine spaces2. Projective spaces

OUTLINE

1 GALOIS GEOMETRIES1. Affine spaces2. Projective spaces

2 GEOMETRY AND CRYPTOGRAPHY1. Secret sharing scheme2. Message Authentication code (MAC)3. Anonymous database search4. Application in pay television




FINITE FIELDS

q = prime number.

Prime fields Fq = {0,1, . . . ,q − 1} (mod q).Binary field F2 = {0,1}.Ternary field F3 = {0,1,2} = {−1,0,1}.

Finite fields Fq: q prime power.




AFFINE SPACE AG(n,q)

V (n,q) = n-dimensional vector space over Fq.AG(n,q) = V (n,q) plus parallelism.k -dimensional affine subspace = (translate) ofk -dimensional vector space.




PARALLELISM IN AFFINE SPACE AG(n,q)

Let Πk be k -dimensional vector space of V (n,q).Πk + b, for b ∈ V (n,q), are the affine k -subspaces parallelto Πk .Two parallel affine k -subspaces are disjoint or equal.Parallelism leads to partitions of AG(n,q) into (parallel)affine k -subspaces.




AFFINE PLANE AG(2,3) OF ORDER 3




FROM V (3,q) TO PG(2,q)








THE FANO PLANE PG(2,2)





Gino Fano (1871-1952)




THE PLANE PG(2,3)












PG(3,2)




FROM V (n + 1,q) TO PG(n,q)

1 From V (1,q) to PG(0,q) (projective point),2 From V (2,q) to PG(1,q) (projective line),3 · · ·4 From V (i + 1,q) to PG(i ,q) (i-dimensional projective

subspace),5 · · ·6 From V (n,q) to PG(n − 1,q) ((n − 1)-dimensional

subspace = hyperplane),7 From V (n + 1,q) to PG(n,q) (n-dimensional space).




LINK BETWEEN AFFINE AND PROJECTIVE SPACES

AG(n,q) = PG(n,q) minus one hyperplane (the hyperplaneat infinity).




LINK BETWEEN AG(2,3) AND PG(2,3)



1. Secret sharing scheme2. Message Authentication code (MAC)3. Anonymous database search4. Application in pay television

OUTLINE

1 GALOIS GEOMETRIES1. Affine spaces2. Projective spaces

2 GEOMETRY AND CRYPTOGRAPHY1. Secret sharing scheme2. Message Authentication code (MAC)3. Anonymous database search4. Application in pay television




SECRET SHARING SCHEME

1 Secret sharing scheme: cryptographic equivalent of vaultthat needs several keys to be opened.

2 Secret S divided into shares.3 Authorised sets: have access to secret S by putting their

shares together.4 Unauthorised sets: have no access to secret S by putting

their shares together.




(n, k)-THRESHOLD SCHEME

1 n participants.2 Each group of k participants can reconstruct secret S, but

less than k participants have no way to learn anythingabout secret S.




SHAMIR’S k -OUT-OF-n SECRET SHARING SCHEME

1 Fq = finite field of order q.2 Dealer chooses polynomial

f (X ) = f0 + f1X + · · ·+ fk−1X k−1 ∈ Fq[X ], and,3 gives participant number i , point (xi , f (xi)) on graph of f

(xi 6= 0).4 Value f (0) = f0 is secret S.




SHAMIR’S k -OUT-OF-n SECRET SHARING SCHEME

1 Set of k participants can reconstructf (X ) = f0 + f1X + · · ·+ fk−1X k−1 by interpolating theirshares (xi , f (xi)). Then they can compute secret f (0).

2 If k ′ < k persons try to reconstruct secret, for every y ∈ Fq,there are exactly |Fq|k−k ′−1 polynomials of degree at mostk − 1 which pass through their shares and the point (0, y).Thus they gain no information about f (0).




REALISATION OF SHAMIR’S k -OUT-OF-n SECRET

SHARING SCHEME

ut ut

ut

ut

ut

S1

S2

S3

S4

S5 rs

secret point




GEOMETRICAL REALISATION OF SHAMIR’S k -OUT-OF-nSECRET SHARING SCHEME (BLAKLEY)

1 Secret S = point of PG(3,q).2 Shares = planes of PG(3,q) such that exactly three of

them only intersect in S.3 Classical example: Normal rational curve of planes

X0 + tX1 + t2X2 + t3X3 = 0, t ∈ Fq,

andX3 = 0.





1 Secret S = point of PG(k ,q).2 Shares = hyperplanes of PG(k ,q) such that exactly k of

them only intersect in S.3 Classical example: Normal rational curve of hyperplanes

X0 + tX1 + t2X2 + · · ·+ tkXk = 0, t ∈ Fq,

andXk = 0.








GEOMETRICAL REALISATION OF SHAMIR’S k -OUT-OF-nSECRET SHARING SCHEME




GEOMETRICAL REALISATION OF SHAMIR’S k -OUT-OF-nSECRET SHARING SCHEME




CODING-THEORETICAL REALISATION OF SHAMIR’S

k -OUT-OF-n SECRET SHARING SCHEME

(McEliece and Sarwate)1 C : [n + 1, k ,n − k + 2]q MDS code.2 For secret c0 ∈ Fq, dealer creates codeword

c = (c0, c1, . . . , cn) ∈ C. Share of participant number i issymbol ci .

3 Since C is MDS code with minimum distance n − k + 2,codeword c can be uniquely reconstructed if only ksymbols are known.

4 So any set of k persons can compute secret c0.5 On the other hand, less than k persons do not learn

anything about secret, since for any possible secret c′, thesame number of codewords that fit to secret c′ and theirshares exist.




MORE GENERAL SECRET SHARING SCHEME

DEFINITION

Support of c = (c1, . . . , cn) ∈ Fnq :

sup(c) = {i | ci 6= 0}.

Let C be linear code. Nonzero codeword c ∈ C is calledminimal if

∀c′ ∈ C \ {0} : sup(c′) ⊆ sup(c) =⇒ c′ = ρc,

ρ ∈ Fq \ {0}.

(In binary case, c minimal if no non-zero codeword c′ withsup(c′) ⊂ sup(c), sup(c′) 6= sup(c))




MORE GENERAL SECRET SHARING SCHEME

LEMMA (MASSEY)

Let C be an [n + 1, k ]q-code. Secret sharing scheme isconstructed from C by choosing codeword c = (c0, . . . , cn).Secret is c0 and shares of participants are coordinates ci(1 ≤ i ≤ n).Minimal authorized sets of secret sharing scheme correspondto minimal codewords of C⊥ with 0 in their supports.




BINARY REED-MULLER CODES

DEFINITION

Binary r -th order Reed-Muller code RM(r ,m) (0 ≤ r ≤ m) = setof all binary vectors f of length n = 2m associated with Booleanpolynomials f (x1, x2, ..., xm) of degree at most r :

c = (f (0, . . . ,0), . . . , f (1, . . . ,1)).

Minimum weight d = 2m−r .Minimum weight codewords of RM(r ,m) = incidencevectors of AG(m − r ,2) in AG(m,2).





THEOREM (KASAMI, TOKURA, AND AZUMI)

Let f (x1, ..., xm) be Boolean function of degree at most r , wherer ≥ 2, such that |sup(f )| < 2m−r+1. Then f can be transformedby an affine transformation into

f = x1 · · · xr−2(xr−1xr +· · ·+xr+2µ−3xr+2µ−2), 2 ≤ 2µ ≤ m−r +2,

or

f = x1 · · · xr−µ(xr−µ+1 · · · xr +xr+1 · · · xr+µ), 3 ≤ µ ≤ r , µ ≤ m−r .





First type of codewords(1)

f = x1 · · · xr−2(xr−1xr +· · ·+xr+2µ−3xr+2µ−2),2 ≤ 2µ ≤ m−r+2,

In PG(m − r + 2,2) defined by X1 = X0, . . . ,Xr−2 = X0,cone Ψ with vertex PG(m − r + 1− 2µ,2) at infinity, andbase non-singular parabolic quadric Q(2µ,2) in 2µdimensions having non-singular hyperbolic quadric atinfinity.




QUADRATIC CONE





Second type of codewords(2)

f = x1 · · · xr−µ(xr−µ+1 · · · xr +xr+1 · · · xr+µ),3 ≤ µ ≤ r , µ ≤ m−r .

(Symmetric difference): Union of two (m − r)-dimensionalaffine spaces α and β, but not (m − r − µ)-dimensionalaffine intersection space α ∩ β.




SYMMETRIC DIFFERENCE




COUNTING NON-MINIMAL CODEWORDS IN RM(r ,m)

Non-minimal codeword c = c1 + c2, with c1, c2 non-zerocodewords having disjoint supports.For w(c) < 3 · 2m−r , c1 codeword of smallest weight 2m−r ,and c2 codeword of weight 2m−r or quadric or symmetricdifference.Number of non-minimal codewords c of weight 2 · 2m−r

calculated by Borissov, Manev, and Nikova.Number of non-minimal codewords c of weight2 · 2m−r < w(c) < 3 · 2m−r calculated by Schillewaert,Storme, and Thas.




COUNTING NON-MINIMAL CODEWORDS IN RM(r ,m)




PROBLEM OF AUTHENTICATION

1 Problem: Alice wants to send Bob a message m.2 Attacker intercepts m and sends alternated message m′ to

Bob.




PROBLEM OF AUTHENTICATION

How can Bob be sure that message he gets is correct?Introduce authentication!




EXAMPLE OF MESSAGE AUTHENTICATION CODE

1 ` = line of PG(2,q).2 Message m = point of `.3 Authentication key K = point in PG(2,q)\`.4 Authentication tag = line through message m and key K .







EXAMPLE OF AUTHENTICATION CODE

1 If attacker wants to create message (m,K ) withoutknowing key K , he must guess an affine line through m.There are q possibilities, i.e. the chance for correct attackis 1

q .2 If attacker already knows authenticated message (m,K ),

he knows that key K must lie on the line mK .But for every of q affine points on line mK , there exists linethrough m. So he cannot do better than guess the keywhich gives probability of 1

q for successful attack.




SECURITY OF AUTHENTICATION CODE

1 pi = probability of attacker to construct pair (m,K ) withoutknowledge of key K , if he only knows i different pairs(mj ,K ).

2 Smallest value r for which pr+1 = 1 is called order ofauthentication code.

3 For r = 1, p0 = probability of impersonation attack andprobability p1 = probability of substitution attack.

THEOREM

If MAC has attack probabilities pi = 1/ni (0 ≤ i ≤ r ), then|K| ≥ n0 · · · nr .

MAC that satisfies this theorem with equality is called perfect.




GEOMETRICAL CONSTRUCTION OF PERFECT MAC

DEFINITION

Generalised dual arc D of order l with dimensionsd1 > d2 > · · · > dl+1 of PG(n,q) is set of subspaces ofdimension d1 such that:

1 each j subspaces intersect in subspace of dimension dj ,1 ≤ j ≤ l + 1,

2 each l + 2 subspaces have no common intersection.(n,d1, . . . ,dl+1) = parameters of dual arc.




GENERALISED DUAL ARCS

THEOREM

There exists generalised dual arc in PG((n+d+1

d+1

)− 1,q), with

dimensions di =(n+d+1−i

d+1−i

)− 1, i = 0, . . . ,d + 1.

1 Spaces have dimension d1 =(n+d

d

)− 1.

2 Two spaces intersect in space of dimensiond2 =

(n+d−1d−1

)− 1.

3 Three spaces intersect in space of dimensiond3 =

(n+d−2d−2

)− 1.

4 · · ·




LINK BETWEEN MAC AND GENERALISED DUAL ARC

1 π = hyperplane of PG(n + 1,q) and D = generalised dualarc of order l in π with parameters (n,d1, . . . ,dl+1).

2 message m = element of D.3 key K = point of PG(n + 1,q) not in π.4 Authentication tag that belongs to message m and key K is

generated (d1 + 1)-dimensional subspace.5 Perfect MAC of order r = l + 1 with attack probabilities

pi = qdi+1−di .













ANONYMOUS DATABASE SEARCH

Anonymous database search: query a databaseanonomously.Peer-to-peer community: let users post queries on behalfof each other.Neighbourhood attack: can be modeled as the intersectionof neighbourhoods that may return a single identifiedperson in case of unique neighbourhoods.k-Anonymous neighbourhoods: neighbourhood of personis also neighbourhood of at least k − 1 other persons.







TRANSVERSAL DESIGNS

Transversal design TDλ(k ,n) = k -uniform structure (P,L)of points and blocks, with |P| = kn, that admits partition ofP in k groups of cardinality n, and that satisfies:

any group and block contain exactly one common point,every pair of points from distinct groups is contained inexactly λ blocks.




FROM AG(2,n) TO TD1(k ,n)

From affine plane AG(2,n) to transversal design TD1(k ,n),2 ≤ k ≤ n.

Point set P of TD1(k ,n) = points of AG(2,n) on k lines ofone parallel class of AG(2,n),Groups = lines from this parallel class,Blocks of TD1(k ,n) = lines of the other parallel classes ofAG(2,n), restricted to the points in P.




FROM AG(2,n) TO TD1(k ,n)




TRANSVERSAL DESIGN TD1(k ,n) AND n-ANONYMOUS

NEIGHBOURHOODS

THEOREM

Transversal design TD1(k ,n) has n-anonymousneighbourhoods.




THEOREMS

THEOREM (STOKES AND FARRÀS)

Combinatorial (v ,b, r , k)-configuration with n-anonymousneighbourhoods satisfies:

There exists partition G = {gi}mi=1 of the point set such thatthe points in the same part are not collinear and |gi | ≥ n,for all i ∈ {1, . . . ,m},r ≥ n and m ≥ k.




THEOREMS

THEOREM (STOKES AND FARRÀS)

In combinatorial (v ,b, r , k)-configuration C with n-anonymousneighbourhoods and anonymity partition G = {gi}mi=1 and|gi | = n for all i ∈ {1, . . . ,m},

v = n iff m = k .

In this case, C is transversal design TD1(k ,n), and v = kn andb = n2.




APPLICATION IN PAY TELEVISION

(Korjik, Ivkov, Merinovich, Barg, and van Tilborg)

subscribers = points of PG(2,q),codes = lines of PG(2,q),subscriber quits: codes of lines become invalid,new issue of codes: only necessary when codes of all linesthrough subscriber become invalid.








REFERENCES

W.-A. Jackson, K.M. Martin, and C.M. O’Keefe,Geometrical contributions to secret sharing theory. J.Geom. 79 (2004), 102–133.W.-A. Jackson, K.M. Martin, and M.B. Paterson,Applications of Galois geometry to cryptology. Chapter inCurrent research topics in Galois geometry (J. De Beuleand L. Storme, Eds.), NOVA Academic Publishers (2012),215–244.




Thank you very much for your attention!


Date post:	27-Jun-2020
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

Applications of Galois Geometries to Coding Theory and ... › summer_school... · Galois...

Documents