Decoding of (Interleaved) Generalized Goppa Codes
Hedongliang Liu, Sabine Pircher, Alexander Zeh, Antonia Wachter-Zeh
Institute for Communications Engineering, Technical University of Munich (TUM), Munich, Germany
HENSOLDT Cyber GmbH, Research & Development, Ottobrunn, Munich, Germany
{lia.liu, antonia.wachter-zeh}@tum.de, {sabine.pircher, alexander.zeh}@hensoldt-cyber.de

Abstract—Generalized Goppa codes are defined by a code locator set L of polynomials and a Goppa polynomial G(x). When the degree of all code locator polynomials in L is one, generalized Goppa codes are classical Goppa codes. In this work, binary generalized Goppa codes are investigated. First, a parity-check matrix for these codes with code locators of any degree is derived. A careful selection of the code locators leads to a lower bound on the minimum Hamming distance of generalized Goppa codes which improves upon previously known bounds. A quadratic-time decoding algorithm is presented which can decode errors up to half of the minimum distance. Moreover, interleaved generalized Goppa codes are introduced and a joint decoding algorithm is presented which can decode errors beyond half the minimum distance with high probability.

I. INTRODUCTION
Goppa codes [1] are currently receiving renewed attention due to their applicability in the McEliece public-key cryptosystem [2], which has remained unbroken for more than 40 years. Generalized Goppa codes (GGCs) are an extension of Goppa codes to a new class of codes which are defined by a set of code locator polynomials and a Goppa polynomial [3], [4]. Classical Goppa codes are GGCs with code locators of degree one. The minimum Hamming distance of GGCs reduces with the maximum degree of the code locators. They are useful to decode localized errors due to their error correction capability on locations of different degrees [5]. A special class of binary GGCs which is perfect in the weighted Hamming metric was introduced in [6] and cyclic GGCs were investigated in [7], [8]. Recent works [9], [10] present a construction of binary GGCs with irreducible code locator polynomials of first and second degree.

The McEliece cryptosystem is believed to be secure against attacks of a capable quantum computer and Niederreiter's [11] dual version of the McEliece cryptosystem is a finalist in the ongoing post-quantum NIST competition [12] under the name Classic McEliece [13]. A disadvantage of the McEliece cryptosystem is that the key size is significantly larger than that for currently employed public-key cryptosystems, e.g., RSA. Wild Goppa codes [14] are shown to have a larger minimum distance than classical Goppa codes and are deployed in Wild McEliece [15], which is also part of Classic McEliece. In [10], Classic McEliece using binary GGCs with code locator polynomials of first and second degree is proposed. Compared to classical Goppa codes, the length of GGCs can be increased by using higher-degree code locators for a fixed field size or, vice versa, for a fixed length, GGCs require a smaller field size. In practice, performing computations over smaller field sizes reduces the complexity of calculations and might therefore lead to more efficient encryption and decryption procedures.

In this work, we investigate binary GGCs. Our main contributions are: we derive a parity-check matrix for GGCs with code locators of any degree, which is essential to construct the public key of Classic McEliece with GGCs. With special choices of the code locators, we derive a better lower bound on the minimum Hamming distance of GGCs compared to the known bound for GGCs with arbitrary code locators in Section III. Section IV provides a decoding algorithm for GGCs and we show that it can uniquely decode any error up to half of the minimum distance. To deal with burst errors, we introduce interleaved generalized Goppa codes in Section V and provide a joint decoding algorithm which can decode beyond half of the minimum distance with high probability. Moreover, we list some code parameters of GGCs and discuss their applicability to the McEliece cryptosystem in Section VI.

* The first two authors contributed equally to this work. The work of A. Wachter-Zeh has been supported by the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement no. 801434). The work of H. Liu has been supported by the DFG with a German Israeli Project Cooperation (DIP) under grant no. KR3517/9-1.

II. PRELIMINARIES
We denote by $[a, b]$ the set of integers $\{i \mid a \le i \le b\}$ and if $a = 1$, we omit it from our notation and write $[b]$. A finite field of size $q$ is denoted by $\mathbb{F}_q$. Row vectors are denoted by bold lower-case letters (e.g., $\mathbf{c}$) and column vectors by $\mathbf{c}^\top$. Denote $\operatorname{supp}(\mathbf{c}) := \{i \mid c_i \neq 0\}$. Denote matrices by bold capital letters (e.g., $\mathbf{C}$) and its $i$-th row by $\mathbf{c}^{(i)}$. We consider the Hamming metric for weight and distance. Sets are denoted by calligraphic letters (e.g., $\mathcal{L}$) and its size is denoted by $|\mathcal{L}|$. Let $\mathbb{F}_q[x]$ denote a polynomial ring with coefficients in $\mathbb{F}_q$. For a polynomial $f(x)$, its degree is denoted by $\deg f(x)$ and its formal derivative is denoted by $f'(x)$. The greatest common divisor of two polynomials is denoted by $\gcd(f(x), g(x))$.

Lemma 1 (Roots of Irreducible Polynomials [16, p. 52]). Let $q$ be a prime power. Any irreducible polynomial $f(x) \in \mathbb{F}_q[x]$ of degree $k$ can be represented as
$$f(x) = (x - \beta)(x - \beta^{q}) \cdots (x - \beta^{q^{k-1}}),$$
where $\beta \in \mathbb{F}_{q^k}$ and $\mathbb{F}_{q^k}$ is called the splitting field of $f(x)$.

Lemma 2 (Number of Irreducible Polynomials [17, p. 225]). The number $I_q(t)$ of irreducible polynomials of degree $t$ over $\mathbb{F}_q$ can be calculated by
$$I_q(t) = \frac{1}{t} \sum_{k \mid t} \mu(k) \cdot q^{t/k},$$
where $\mu(t)$ is the Möbius function (cf. [17, p. 224])
$$\mu(t) = \begin{cases} 1 & \text{if } t = 1, \\ (-1)^s & \text{if } t \text{ is a product of } s \text{ distinct primes}, \\ 0 & \text{otherwise.} \end{cases}$$

Given two polynomials $a(x), b(x) \in \mathbb{F}_q[x]$ where $a(x) \neq 0$ and $\deg a(x) > \deg b(x)$, the Extended Euclidean Algorithm (EEA) [17, Sec. 6.4] outputs tuples of polynomials $d(x), s(x), t(x)$ such that
• $d(x) = a(x)s(x) + b(x)t(x)$,
• $\gcd(s(x), t(x)) = 1$,
• $\deg t(x) + \deg d(x) < \deg a(x)$.
We denote the EEA algorithm by
$$d(x), s(x), t(x) \leftarrow \mathrm{EEA}(a(x), b(x)). \quad (1)$$
In the special case of $\gcd(a(x), b(x)) = 1$, the multiplicative inverse $b(x)^{-1} \bmod a(x)$ is $t(x)$ since
$$a(x)s(x) + b(x)t(x) = 1 \implies b(x)t(x) = 1 \bmod a(x). \quad (2)$$

III. BINARY GENERALIZED GOPPA CODES
In this section, we introduce binary generalized Goppa codes (GGCs), develop a parity-check matrix of the code with code locators of any degree, prove a lower bound on the minimum Hamming distance of GGCs stated in [9] and show that with a special choice of code locators, the lower bound can be slightly improved.

Definition 1. Let $m, n, r, q$ be positive integers such that $rm \le n$ and $q = 2^m$. Given a polynomial $G(x) \in \mathbb{F}_q[x]$ of degree $r$ and a set of irreducible polynomials
$$\mathcal{L} = \{f_1(x), f_2(x), \dots, f_n(x)\} \quad (3)$$
with $\gcd(f_i(x), f_j(x)) = 1$, $\forall i \neq j$, and $\gcd(f_i(x), G(x)) = 1$, $\forall i \in [n]$. Then, the binary generalized Goppa code is defined by
$$\Gamma(\mathcal{L}, G) := \Big\{ \mathbf{c} \in \mathbb{F}_2^n \ \Big|\ \sum_{i=1}^{n} c_i \frac{f_i'(x)}{f_i(x)} \equiv 0 \bmod G(x) \Big\}, \quad (4)$$
where $f_i'(x)$ is the formal derivative of $f_i(x)$. We call $G(x)$ the Goppa polynomial and $\mathcal{L}$ the set of code locators.¹

¹ In the original definition [4], the code locators are defined by $f_i'(x)/f_i(x)$. For ease of notation, we define the code locators by $f_i(x)$ here.

In [9], a parity-check matrix for generalized Goppa codes with code locators of first and second degree is given. However, a formal proof is missing. In the following theorem, we derive a parity-check matrix for generalized Goppa codes with code locators of arbitrary degree.

Theorem 1 (Parity-Check Matrix). Given a binary generalized Goppa code $\Gamma(\mathcal{L}, G)$ as in Definition 1, where the code locators in $\mathcal{L}$ are $\mathbb{F}_q$-irreducible polynomials
$$f_i(x) = \prod_{j=0}^{l_i - 1} \big(x - \gamma_i^{q^j}\big), \quad \forall i \in [n],$$
of degree $l_i$, where $\gamma_i^{q^j} \in \mathbb{F}_{q^{l_i}}$ are the roots of $f_i(x)$. Let $r = \deg G(x)$ and $n = |\mathcal{L}|$. A parity-check matrix $\mathbf{H}$ of $\Gamma(\mathcal{L}, G)$ such that $\mathbf{H}\mathbf{c}^\top = \mathbf{0}$, $\forall \mathbf{c} \in \Gamma(\mathcal{L}, G)$, is
$$\mathbf{H} = [\mathbf{h}_1^\top \ \mathbf{h}_2^\top \ \cdots \ \mathbf{h}_n^\top] \in \mathbb{F}_q^{r \times n} \quad (5)$$
with $\mathbf{h}_i = (h_{i,1}\ h_{i,2}\ \cdots\ h_{i,r})$, where
$$h_{i,j} = \sum_{\iota=0}^{l_i - 1} \frac{\gamma_i^{(j-1) q^{\iota}}}{G\big(\gamma_i^{q^{\iota}}\big)}, \quad \forall i \in [n],\ j \in [r].$$

Proof: From Definition 1, requiring $\gcd(f_i(x), G(x)) = 1$ implies that the roots of $f_i(x)$ are not roots of $G(x)$, i.e., $G(\gamma_i^{q^j}) \neq 0$, $\forall j = 0, \dots, l_i - 1$, $i \in [n]$. The inverse of a polynomial $f_i(x)$ can be found by the extended Euclidean algorithm (EEA) [17, Sec. 6.4] (see also (2)). Denote the Goppa polynomial by $G(x) = G_0 + G_1 x + \cdots + G_r x^r$ with $G_r \neq 0$. Using the EEA, we obtain
$$\frac{f_i'(x)}{f_i(x)} \bmod G(x) = \Big( \prod_{j=0}^{l_i-1} G\big(\gamma_i^{q^j}\big) \Big)^{-1} \cdot \sum_{t=0}^{r-1} x^t \sum_{k=t+1}^{r} G_k \sum_{j=0}^{l_i-1} \gamma_i^{(k-1-t) q^j} \prod_{\substack{\xi = 0 \\ \xi \neq j}}^{l_i - 1} G\big(\gamma_i^{q^\xi}\big). \quad (6)$$
Plugging (6) into (4) and equating the coefficients of $x^t$, $\forall t \in [0, r-1]$, to zero, it can be verified that $\mathbf{c} \in \Gamma(\mathcal{L}, G)$ if and only if $\mathbf{G}\mathbf{H} \cdot \mathbf{c}^\top = \mathbf{0}$, where
$$\mathbf{G} = \begin{pmatrix} G_r & & & \\ G_{r-1} & G_r & & \\ \vdots & \vdots & \ddots & \\ G_1 & G_2 & \cdots & G_r \end{pmatrix}.$$
Therefore, $\tilde{\mathbf{H}} = \mathbf{G}\mathbf{H}$ is a parity-check matrix of $\Gamma(\mathcal{L}, G)$. Since $\mathbf{G}$ is invertible, $\tilde{\mathbf{H}} \cdot \mathbf{c}^\top = \mathbf{0} \iff \mathbf{H} \cdot \mathbf{c}^\top = \mathbf{0}$, which proves the statement. ∎

A binary parity-check matrix $\mathbf{H}_{\mathrm{bin}} \in \mathbb{F}_2^{rm \times n}$ of $\Gamma(\mathcal{L}, G)$ can be obtained by replacing every entry in $\mathbf{H}$ from (5) with a length-$m$ column vector representation over $\mathbb{F}_2$ according to some fixed basis of $\mathbb{F}_q$ over $\mathbb{F}_2$.

Theorem 2 (Dimension, Minimum Distance). Given a binary generalized Goppa code $\Gamma(\mathcal{L}, G)$ as in Definition 1, the dimension is
$$k(\Gamma) = n - \operatorname{rank}(\mathbf{H}_{\mathrm{bin}}) \ge n - rm, \quad (7)$$
where $\mathbf{H}_{\mathrm{bin}} \in \mathbb{F}_2^{rm \times n}$ is the $\mathbb{F}_2$-representation of $\mathbf{H} \in \mathbb{F}_{2^m}^{r \times n}$ from Theorem 1. The minimum Hamming distance is
$$d(\Gamma) \ge d_g := \frac{r+1}{l},$$
where $l = \max_{f(x) \in \mathcal{L}} \deg f(x)$.

Proof: It can be readily seen that $\mathbf{H}\mathbf{c}^\top = \mathbf{0} \iff \mathbf{H}_{\mathrm{bin}}\mathbf{c}^\top = \mathbf{0}$, $\forall \mathbf{c} \in \Gamma(\mathcal{L}, G)$. The dimension follows from the size of the parity-check matrix. To prove the minimum Hamming distance, consider a codeword $\mathbf{c} \in \Gamma$. Define
$$F_{\mathbf{c}}(x) := \prod_{i \in \operatorname{supp}(\mathbf{c})} f_i(x),$$
where its formal derivative is denoted as
$$F_{\mathbf{c}}'(x) := \sum_{i \in \operatorname{supp}(\mathbf{c})} f_i'(x) \prod_{\substack{j \in \operatorname{supp}(\mathbf{c}) \\ j \neq i}} f_j(x).$$
Furthermore, let
$$R_{\mathbf{c}}(x) := \sum_{i \in \operatorname{supp}(\mathbf{c})} \frac{f_i'(x)}{f_i(x)} = \frac{F_{\mathbf{c}}'(x)}{F_{\mathbf{c}}(x)}, \quad (8)$$
where $f_i'(x)$ is the formal derivative of $f_i(x)$. Since all $f_i(x)$ have distinct roots, $\gcd(F_{\mathbf{c}}'(x), F_{\mathbf{c}}(x)) = 1$ and since $\gcd(f_i(x), G(x)) = 1$, $\forall i \in [n]$, $\gcd(F_{\mathbf{c}}(x), G(x)) = 1$. Then from (8), $R_{\mathbf{c}}(x) \equiv 0 \bmod G(x) \iff G(x) \mid F_{\mathbf{c}}'(x)$. Note that $F_{\mathbf{c}}'(x)$ is the formal derivative of $F_{\mathbf{c}}(x)$. Since we are working over a field of characteristic $2$, $F_{\mathbf{c}}'(x)$ only has even powers and is a perfect square. Let $\bar{G}(x)$ be the lowest-degree perfect square which is divisible by $G(x)$, then $G(x) \mid F_{\mathbf{c}}'(x) \iff \bar{G}(x) \mid F_{\mathbf{c}}'(x)$. Thus,
$$\mathbf{c} \in \Gamma \iff R_{\mathbf{c}}(x) \equiv 0 \bmod G(x) \iff \bar{G}(x) \mid F_{\mathbf{c}}'(x). \quad (9)$$
Denote $l_i = \deg f_i(x)$, then $\deg F_{\mathbf{c}}(x) = \sum_{i \in \operatorname{supp}(\mathbf{c})} l_i$ and
$$\deg F_{\mathbf{c}}'(x) \le \deg F_{\mathbf{c}}(x) - 1 = \sum_{i \in \operatorname{supp}(\mathbf{c})} l_i - 1. \quad (10)$$
Consider a vector $\mathbf{c}_m$ whose support $\operatorname{supp}(\mathbf{c}_m)$ concentrates on the locators of the highest degree $l = \max_i l_i$, then
$$\deg F_{\mathbf{c}_m}'(x) \le \operatorname{wt}(\mathbf{c}_m) \cdot l - 1. \quad (11)$$
Let $\deg F_{\mathbf{c}_m}'(x) \overset{!}{\ge} \deg \bar{G}(x)$. We have $\operatorname{wt}(\mathbf{c}_m) \ge (\deg \bar{G}(x) + 1)/l$. To have (9) fulfilled, we require
$$\deg F_{\mathbf{c}}'(x) \ge \deg \bar{G}(x) \quad \forall \mathbf{c} \in \Gamma. \quad (12)$$
Note that for any $\mathbf{c}$ with $\operatorname{wt}(\mathbf{c}) < \operatorname{wt}(\mathbf{c}_m)$, $\deg F_{\mathbf{c}}'(x) < \deg F_{\mathbf{c}_m}'(x)$, i.e., we cannot find a codeword $\mathbf{c}$ with $\operatorname{wt}(\mathbf{c}) < \operatorname{wt}(\mathbf{c}_m)$ such that $\deg F_{\mathbf{c}}'(x) \ge \deg F_{\mathbf{c}_m}'(x)$. Therefore, to fulfill (12),
$$d(\Gamma) = \min_{\mathbf{c} \in \Gamma} \operatorname{wt}(\mathbf{c}) \ge \operatorname{wt}(\mathbf{c}_m) \ge \frac{\deg \bar{G}(x) + 1}{l} \ge \frac{\deg G(x) + 1}{l} = d_g. \qquad ∎$$

Classical Goppa codes with a Goppa polynomial which has only distinct roots are known as separable Goppa codes [18, Ch. 12]. In this paper we inherit this name and call the GGCs with a Goppa polynomial which has only distinct roots separable generalized Goppa codes.

Corollary 1. Given a Goppa polynomial $G(x)$ whose roots are all distinct, the binary separable generalized Goppa code $\Gamma(\mathcal{L}, G)$ is the same code as $\Gamma(\mathcal{L}, G^2)$ and the minimum distance is
$$d(\Gamma) \ge d_{\mathrm{sep}} := \frac{2r+1}{l}. \quad (13)$$

Proof: Since all roots of $G(x)$ are distinct, $\bar{G}(x) = G(x)^2$ in the proof of Theorem 2. The statement follows herein. ∎

For a special choice of the code locators, the lower bound on the minimum distance is slightly larger.

Corollary 2. Given a code locator set $\mathcal{L}$ of even-degree polynomials, the minimum distance of a binary separable generalized Goppa code $\Gamma(\mathcal{L}, G)$ is
$$d(\Gamma) \ge d_{\mathrm{even}} := \frac{2r+2}{l}.$$

Proof: Since $\deg f_i(x)$ is even for all $f_i(x) \in \mathcal{L}$, $\deg F_{\mathbf{c}}(x)$ is even. Then $\deg F_{\mathbf{c}}'(x) \le \sum_{i \in \operatorname{supp}(\mathbf{c})} l_i - 2$ in (10) and $\deg F_{\mathbf{c}_m}'(x) \le \operatorname{wt}(\mathbf{c}_m) \cdot l - 2$ in (11) since we work over a field of characteristic $2$. Together with the separable property from Corollary 1, the statement follows from the rest of the proof of Theorem 2. ∎

Compared to classical Goppa codes, the code length $n$ of the generalized Goppa codes is not limited by the field size $q = 2^m$, but by the number of irreducible polynomials in $\mathbb{F}_{2^m}[x]$. The result in the following theorem was stated in [9]. As a completion to Theorem 1 and Theorem 2 for the properties of binary generalized Goppa codes, we include it here.

Theorem 3 (Code Length [9]). Let $q = 2^m$ for some integer $m$. Given a generalized Goppa code $\Gamma(\mathcal{L}, G)$. Denote $l = \max_{f(x) \in \mathcal{L}} \deg f(x)$. The length of $\Gamma(\mathcal{L}, G)$ is limited by
$$n(\Gamma) \le \sum_{t=1}^{l} I_q(t), \quad (14)$$
where $I_q(t)$ is the number of irreducible polynomials of degree $t$ in the polynomial ring $\mathbb{F}_q[x]$ (see Lemma 2).

IV. DECODING OF GENERALIZED GOPPA CODES
In this section, we set up the key equation for decoding generalized Goppa codes, present a decoding algorithm and prove that the decoder can decode up to half of the minimum distance.

Definition 2. Consider a binary generalized Goppa code $\Gamma(\mathcal{L}, G)$ and an error vector $\mathbf{e} \in \mathbb{F}_2^n$ where $n = |\mathcal{L}|$. Let $\mathcal{E} = \operatorname{supp}(\mathbf{e})$. Define the syndrome polynomial
$$s(x) := \sum_{i \in \mathcal{E}} e_i \frac{f_i'(x)}{f_i(x)} \bmod G(x), \quad (15)$$
the error locator polynomial (ELP)
$$\Lambda(x) := \prod_{i \in \mathcal{E}} f_i(x), \quad (16)$$
and the error evaluator polynomial (EEP)
$$\Omega(x) := \sum_{i \in \mathcal{E}} e_i f_i'(x) \prod_{j \in \mathcal{E} \setminus \{i\}} f_j(x). \quad (17)$$

Assume transmitting a codeword $\mathbf{c} \in \Gamma(\mathcal{L}, G)$ and receiving a vector $\mathbf{r} = \mathbf{c} + \mathbf{e} \in \mathbb{F}_2^n$. The syndrome polynomial can be calculated from the received word $\mathbf{r}$ by
$$s(x) = \sum_{i=1}^{n} r_i \frac{f_i'(x)}{f_i(x)} \bmod G(x). \quad (18)$$
Denote $s(x) = \sum_{i=1}^{r} s_i x^{r-i}$ where $\mathbf{s} = (s_1, \dots, s_r) = \mathbf{r}\tilde{\mathbf{H}}^\top$.

We present a syndrome-based decoder for $\Gamma(\mathcal{L}, G)$ in Algorithm 1. The main step of decoding is to determine $\Lambda(x)$ and $\Omega(x)$ given $s(x)$. In the following lemma we set up a key equation for decoding generalized Goppa codes.

Lemma 3 (Key Equation). Consider a binary generalized Goppa code $\Gamma(\mathcal{L}, G)$. Assume an error $\mathbf{e}$ of weight $t$ occurs. Then, the following equations hold, which are called the key equation for decoding $\Gamma(\mathcal{L}, G)$:
$$\Omega(x) = \Lambda(x) s(x) \bmod G(x) \quad (19)$$
$$\gcd(\Lambda(x), \Omega(x)) = 1 \quad (20)$$
$$\deg \Omega(x) < \deg \Lambda(x) \le t \cdot l \quad (21)$$
where $l = \max_{f(x) \in \mathcal{L}} \deg f(x)$.

Proof: Denote $\mathcal{E} = \operatorname{supp}(\mathbf{e})$ and $t = |\mathcal{E}|$. Eq. (19) follows from (15), (16), and (17) since
$$s(x) = \frac{\sum_{i \in \mathcal{E}} e_i f_i'(x) \prod_{j \in \mathcal{E} \setminus \{i\}} f_j(x)}{\prod_{i \in \mathcal{E}} f_i(x)} = \frac{\Omega(x)}{\Lambda(x)} \bmod G(x).$$
Eq. (20) holds since all $f_i(x)$ have distinct roots. From the definition of the ELP in (16), $\deg \Lambda(x) = \sum_{i \in \mathcal{E}} \deg f_i(x) \le t \cdot \max_{i \in \mathcal{E}} \deg f_i(x) \le t \cdot l$. From (17), $\deg \Omega(x) = \deg \Lambda'(x) < \deg \Lambda(x)$. The degree constraints in (21) follow herein. ∎

Theorem 4 (Unique Decoding Radius). Given a binary separable generalized Goppa code $\Gamma(\mathcal{L}, G)$ with $d(\Gamma) \ge d_{\mathrm{sep}}$, Algorithm 1 can uniquely decode any error $\mathbf{e}$ of weight
$$t \le t_{\mathrm{sep}} := \Big\lfloor \frac{r}{l} \Big\rfloor = \Big\lfloor \frac{d_{\mathrm{sep}}}{2} \Big\rfloor,$$
where $r = \deg G(x)$ and $l = \max_{f(x) \in \mathcal{L}} \deg f(x)$.

Proof: It follows from [17, Proposition 6.3, 6.4] that Line 2 of Algorithm 1 will find a unique solution of the pair $(\lambda(x), \omega(x))$ such that $\Lambda(x) = c \cdot \lambda(x)$, $\Omega(x) = c \cdot \omega(x)$ for some constant $c$, if $\deg \omega(x) < \deg \lambda(x) \le \deg(G(x))/2$. At Line 3 of Algorithm 1 we search for the roots of $\lambda(x)$. They are also roots of $\Lambda(x)$ if $\deg \Lambda(x) = \deg \lambda(x) \le \deg(G(x))/2$. Namely, the error locations can be uniquely determined if $\deg \Lambda(x) \le \deg(G(x))/2$. Since the separable generalized Goppa code $\Gamma(\mathcal{L}, G)$ is the same code as $\Gamma(\mathcal{L}, G^2)$ according to Corollary 1, we can apply Algorithm 1 on $\Gamma(\mathcal{L}, G^2)$ to decode $\Gamma(\mathcal{L}, G)$. Then, the degree constraint for uniquely decoding $\Lambda(x)$ becomes $\deg(G(x)^2)/2$. Thus,
$$\deg \Lambda(x) \le t \cdot l \overset{!}{\le} \frac{\deg(G(x)^2)}{2} = r.$$
It holds that $r/l < r/l + 1/(2l) = d_{\mathrm{sep}}/2$. In particular, $\lfloor r/l \rfloor < \lfloor r/l + 1/(2l) \rfloor$ only if $2l \mid (2r+1)$, which is impossible for positive integers $r$ and $l$. Therefore the equality holds. ∎

V. JOINT DECODING OF INTERLEAVED GENERALIZED GOPPA CODES
Interleaved codes are known to be able to decode beyond the unique decoding radius [20]–[24], especially in the presence of burst errors. Burst errors can be modelled as an error matrix $\mathbf{E}$ that only has a few non-zero columns. We denote by $\operatorname{supp}(\mathbf{E})$ the indices of the non-zero columns of $\mathbf{E}$.

Algorithm 1: Syndrome-based Decoding Algorithm
Input: Code $\Gamma(\mathcal{L}, G)$, received word $\mathbf{r} \in \mathbb{F}_2^n$
1. Calculate $s(x)$ by (18)
2. $\omega(x), \cdot\,, \lambda(x) \leftarrow \mathrm{EEA}(G(x), s(x))$ with the stopping condition that $\deg \omega(x) < \deg \lambda(x) \le \deg G(x)/2$ // See (1) for EEA
3. $\mathcal{E} \leftarrow \{ i : \lambda(\gamma_i) = 0 \}$* // $\gamma_i$ is a root of $f_i(x)$
4. $\mathbf{e} \leftarrow \mathbf{0}$; $e_i \leftarrow 1$, $\forall i \in \mathcal{E}$
Output: $\hat{\mathbf{c}} \leftarrow \mathbf{r} - \mathbf{e}$
* Verifying $\lambda(\gamma_i) = 0$ can be done by applying Chien search [19] in each splitting field $\mathbb{F}_{q^{l_i}}$ if there is an $f_i(x) \in \mathcal{L}$ of degree $l_i$, and we only need to do this evaluation at one of the roots of $f_i(x)$.

Definition 3 (Interleaved Goppa Codes). Let $w$ be the interleaving order. Given a generalized Goppa code $\Gamma(\mathcal{L}, G)$, a $w$-interleaved generalized Goppa code is denoted by $w$-$\mathrm{I}\Gamma(\mathcal{L}, G)$ and defined by
$$w\text{-}\mathrm{I}\Gamma(\mathcal{L}, G) := \left\{ \begin{pmatrix} \mathbf{c}^{(1)} \\ \vdots \\ \mathbf{c}^{(w)} \end{pmatrix}, \ \forall \mathbf{c}^{(i)} \in \Gamma(\mathcal{L}, G),\ i \in [w] \right\}.$$

Consider transmitting a codeword $\mathbf{C} \in w$-$\mathrm{I}\Gamma(\mathcal{L}, G)$ with $n = |\mathcal{L}|$. An error $\mathbf{E} \in \mathbb{F}_2^{w \times n}$ with $\mathcal{E} = \operatorname{supp}(\mathbf{E})$ occurs and we receive $\mathbf{R} = \mathbf{C} + \mathbf{E}$. We follow the definitions from Definition 2 for the ELP $\Lambda(x)$, the syndromes $s^{(i)}(x)$ and the EEPs $\Omega^{(i)}(x)$ for $\mathbf{E}$ with $\mathcal{E} = \operatorname{supp}(\mathbf{E})$.

Lemma 4 (Key Equations for Joint Decoding). The key equations for decoding $w$-$\mathrm{I}\Gamma(\mathcal{L}, G)$ in occurrence of an error $\mathbf{E}$ with $t$ non-zero columns are:
$$\Omega^{(i)}(x) = \Lambda(x) s^{(i)}(x) \bmod G(x)$$
$$\deg \Omega^{(i)}(x) < \deg \Lambda(x) \le t \cdot l$$
for all $i \in [w]$, where $l = \max_{f(x) \in \mathcal{L}} \deg f(x)$.

Instead of solving the key equations in Lemma 4 for the $\Lambda(x)$ and $\Omega^{(i)}(x)$ which have specific algebraic structures, we solve the following general version of this problem: Given $G(x), s^{(1)}(x), \dots, s^{(w)}(x) \in \mathbb{F}_q[x]$, find a lowest-degree polynomial $\lambda(x)$ such that there exist polynomials $\omega^{(1)}(x), \dots, \omega^{(w)}(x) \in \mathbb{F}_q[x]$, not all zero, satisfying
$$\omega^{(i)}(x) = \lambda(x) s^{(i)}(x) \bmod G(x), \qquad \deg \omega^{(i)}(x) < \deg \lambda(x) \le t \cdot l \quad (22)$$
for all $i \in [w]$. This problem can be solved by the MgLFSR algorithm [25], by the Feng–Tzeng Euclidean algorithm [26], or by solving a linear system of equations (LSE) for the unknown coefficients of $\lambda(x)$ [27, Sec. 4.3.2]. We summarize the decoding procedure in Algorithm 2.

Theorem 5 (Maximum Decoding Radius). Given a binary interleaved separable generalized Goppa code $w$-$\mathrm{I}\Gamma(\mathcal{L}, G)$ with $d(\Gamma) \ge d_{\mathrm{sep}}$, with high probability, Algorithm 2 can decode an error $\mathbf{E}$ with $t$ non-zero columns if
$$t \le t_{\max} := \Big\lfloor \frac{w}{w+1} \cdot \frac{2r}{l} \Big\rfloor \le \Big\lfloor \frac{w}{w+1} \cdot d_{\mathrm{sep}} \Big\rfloor,$$
where $r = \deg G(x)$ and $l = \max_{f(x) \in \mathcal{L}} \deg f(x)$.

Proof: Note that the separable $w$-$\mathrm{I}\Gamma(\mathcal{L}, G)$ is the same code as $w$-$\mathrm{I}\Gamma(\mathcal{L}, G^2)$, therefore we can decode $w$-$\mathrm{I}\Gamma(\mathcal{L}, G)$ by applying Algorithm 2 on $w$-$\mathrm{I}\Gamma(\mathcal{L}, G^2)$. By setting up the LSE for (22) according to [27, Sec. 4.3.2], we can get
$$\deg(G(x)^2) - \deg \omega^{(i)}(x) - 1 \ge \deg(G(x)^2) - \deg \lambda(x) \quad (23)$$
equations for $\deg \lambda(x)$ unknowns (i.e., coefficients of $\lambda(x)$) from each congruence. The unknowns are the same for every congruence. In total we have at most $w(\deg(G(x)^2) - \deg \lambda(x))$ equations for $\deg \lambda(x)$ unknowns. To have a unique solution, the number of unknowns should not be more than the number of equations, i.e.,
$$\deg \lambda(x) \le w\big(\deg(G(x)^2) - \deg \lambda(x)\big), \qquad \deg \lambda(x) \le \frac{w}{w+1} \deg(G(x)^2). \quad (24)$$
Suppose $\Lambda(x) = c \cdot \lambda(x)$, $\Omega^{(i)}(x) = c \cdot \omega^{(i)}(x)$, $\forall i \in [w]$. Then, we can get a unique solution for $\Lambda(x), \Omega^{(i)}(x)$ by Algorithm 2 if the solution for $\lambda(x)$ is unique, i.e., if (24) is fulfilled. The second inequality in the statement holds by plugging in $d_{\mathrm{sep}}$ from (13). ∎

Corollary 3. Given a binary interleaved separable generalized Goppa code $w$-$\mathrm{I}\Gamma(\mathcal{L}, G)$ with all code locators of even degree, with high probability, Algorithm 2 can decode an error $\mathbf{E}$ with $t$ non-zero columns if
$$t \le t_{\max}^{(\mathrm{even})} := \Big\lfloor \frac{w}{w+1} \cdot \frac{2r+1}{l} \Big\rfloor \le \Big\lfloor \frac{w}{w+1} \cdot d_{\mathrm{even}} \Big\rfloor,$$
where $r = \deg G(x)$ and $l = \max_{f(x) \in \mathcal{L}} \deg f(x)$.

Proof: For only even-degree code locators, $\deg \Omega^{(i)}(x) \le \deg \Lambda(x) - 2$ since we work in a field of characteristic $2$. Therefore, when setting up the LSE, instead of (23), we will have $\deg G(x)^2 - \deg \lambda(x) + 1$ equations from each congruence. The rest of the proof remains the same as for Theorem 5. ∎

The maximum decoding radius $t_{\max}^{(\mathrm{even})}$ for interleaved separable GGCs with even-degree code locators can be increased by $1$ upon $t_{\max}$ in Theorem 5 if and only if we choose the interleaving order $w$ such that $(w+1) \mid (2r+1)$ and $l \mid w$.

Algorithm 2: Decoding Algorithm for $w$-$\mathrm{I}\Gamma(\mathcal{L}, G)$
Input: $w$-$\mathrm{I}\Gamma(\mathcal{L}, G)$, received word $\mathbf{R} \in \mathbb{F}_2^{w \times n}$
1. Calculate $w$ syndromes $s^{(i)}(x)$, $\forall i \in [w]$, by (18)
2. Solve (22) for $\lambda(x)$ by solving the LSE [27], MgLFSR [25] or Feng–Tzeng EEA [26]
3. If $\lambda(x)$ is not unique: return decoding failure
4. $\mathcal{E} \leftarrow \{ i : \lambda(\gamma_i) = 0 \}$* // $\gamma_i$ is a root of $f_i(x)$
5. Calculate $\omega^{(i)}(x) = \lambda(x) s^{(i)}(x) \bmod G(x)$, $\forall i \in [w]$
6. $\mathbf{E} \leftarrow \mathbf{0}$; denote by $e_j^{(i)}$ the $(i, j)$-entry of $\mathbf{E}$
7. foreach $i \in [w]$, $j \in \mathcal{E}$ do $e_j^{(i)} = \omega^{(i)}(\gamma_j)/\lambda'(\gamma_j)$** // $\gamma_j$ is a root of $f_j(x)$
Output: $\hat{\mathbf{C}} = \mathbf{R} - \mathbf{E}$ or decoding failure
* Apply Chien search [19] for fast implementation. See also Algorithm 1.
** This follows from Forney's algorithm [28].
Remark 1. Algorithm 2 may output decoding failure if the number of errors $t > t_{\mathrm{sep}}$ in Theorem 4. The failure results from the linear dependency of equations in the LSE. An upper bound on the failure probability of decoding interleaved alternant codes has been recently derived in [29], which holds for decoding interleaved GGCs with code locators of degree one. Upper bounding the failure probability of the proposed decoding algorithm for GGCs with code locators of any degree is left for future work. However, simulation results indicate that also for higher-degree locators, the failure probability is approximately the same as that for classical interleaved Goppa codes.
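As an added worked example (our own code, not from the paper or its authors), the following Python runs the decoding chain of Section IV on a small constructed binary GGC: $\mathbb{F}_{16}$ arithmetic, the EEA of (1) and (2), the syndrome (18), Line 2 of Algorithm 1 applied to $\Gamma(\mathcal{L}, G^2)$ as in the proof of Theorem 4, and a codeword of $\Gamma(\mathcal{L}, G)$ obtained from the columns of $\mathbf{H}_{\mathrm{bin}}$. All parameters are assumptions chosen for the example: $m = 4$, $G(x) = x^4 + x + 1$, and a locator set of 12 linear and 20 irreducible quadratic polynomials ($n = 32$, $l = 2$, $t_{\mathrm{sep}} = 2$); Line 3 of Algorithm 1 is realised by the divisibility test $f_i(x) \mid \lambda(x)$, which is equivalent to $\lambda(\gamma_i) = 0$ for irreducible $f_i$, instead of Chien search in the splitting fields.

```python
M, Q, MOD = 4, 16, 0b10011                   # F_16 = F_2[x]/(x^4 + x + 1); elements are 4-bit ints
def gf_mul(a, b):                            # multiplication in F_16 by shift-and-xor
    r = 0
    while b:
        if b & 1: r ^= a
        a <<= 1
        if a & 16: a ^= MOD
        b >>= 1
    return r
def gf_inv(a):                               # a^(q-2) = a^(-1) for a != 0
    r = 1
    for _ in range(Q - 2): r = gf_mul(r, a)
    return r

# Polynomials over F_16: coefficient lists, lowest degree first, no trailing zeros; [] is the zero polynomial.
def trim(p):
    while p and p[-1] == 0: p.pop()
    return p
def deg(p): return len(p) - 1                # deg 0 = -1
def p_add(a, b):
    return trim([(a[i] if i < len(a) else 0) ^ (b[i] if i < len(b) else 0) for i in range(max(len(a), len(b)))])
def p_mul(a, b):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b): out[i + j] ^= gf_mul(x, y)
    return trim(out)
def p_divmod(a, b):                          # (quotient, remainder) of a by b, b != 0
    a, quo, inv = list(a), [0] * max(len(a) - len(b) + 1, 1), gf_inv(b[-1])
    while a and len(a) >= len(b):
        c, s = gf_mul(a[-1], inv), len(a) - len(b)
        quo[s] = c
        for j, y in enumerate(b): a[s + j] ^= gf_mul(c, y)
        trim(a)
    return trim(quo), a
def p_eval(p, x):
    r = 0
    for c in reversed(p): r = gf_mul(r, x) ^ c
    return r
def p_deriv(p):                              # formal derivative; in characteristic 2 only odd powers survive
    return trim([c if i % 2 else 0 for i, c in enumerate(p[1:], 1)])

def eea(a, b, stop):
    """EEA (1) on (a, b): returns (r_i, t_i) at the first step i with deg r_i < stop, where
    r_i = t_i * b mod a.  With stop = deg(a)/2 this is Line 2 of Algorithm 1 (key equation (19)-(21))."""
    r0, r1, t0, t1 = list(a), list(b), [], [1]
    while deg(r1) >= stop:
        q, r = p_divmod(r0, r1)
        r0, r1, t0, t1 = r1, r, t1, p_add(t0, p_mul(q, t1))
    return r1, t1
def p_inv_mod(f, mod):                       # f^(-1) mod `mod` as in (2); requires gcd(f, mod) = 1
    c, t = eea(mod, f, 1)                    # c is a nonzero constant with c = t * f mod `mod`
    return [gf_mul(x, gf_inv(c[0])) for x in t]

G = [1, 1, 0, 0, 1]                          # Goppa polynomial x^4 + x + 1: r = 4, distinct roots (separable)
G2 = p_mul(G, G)                             # Gamma(L, G) = Gamma(L, G^2) by Corollary 1, so decode mod G^2
# Constructed locator set: the 12 polynomials x + b with G(b) != 0 plus 20 irreducible quadratics (no root
# in F_16).  Distinct monic irreducibles are pairwise coprime and coprime to G; n = 32, l = 2, rm = 16 <= n.
L = [[b, 1] for b in range(Q) if p_eval(G, b)]
L += [[b, a, 1] for a in range(Q) for b in range(Q) if all(p_eval([b, a, 1], x) for x in range(Q))][:20]

def syndrome(r, mod):                        # s(x) = sum_i r_i f_i'(x)/f_i(x) mod `mod`, eq. (18)
    s = []
    for ri, f in zip(r, L):
        if ri: s = p_add(s, p_divmod(p_mul(p_deriv(f), p_inv_mod(f, mod)), mod)[1])
    return s

def decode(r):
    """Algorithm 1 on Gamma(L, G^2): the EEA stops with deg lambda <= deg(G^2)/2 = r, so every error of
    weight t <= floor(r/l) = 2 is located (Theorem 4); f_i | lambda replaces lambda(gamma_i) = 0."""
    _, lam = eea(G2, syndrome(r, G2), deg(G2) // 2)
    err = [i for i, f in enumerate(L) if not p_divmod(lam, f)[1]]
    c_hat = list(r)
    for i in err: c_hat[i] ^= 1
    return c_hat, err

def codeword():
    """A nonzero codeword of Gamma(L, G): a linear dependency among the columns of H_bin, column i
    being the r coefficients (m bits each) of f_i'(x)/f_i(x) mod G(x), i.e. a column of G*H from Theorem 1."""
    basis = {}                               # pivot bit -> (reduced column, set of original columns summed)
    for i in range(len(L)):
        col, comb = sum(c << (M * k) for k, c in enumerate(syndrome([j == i for j in range(len(L))], G))), 1 << i
        while col:
            p = col.bit_length() - 1
            if p not in basis:
                basis[p] = (col, comb); break
            col ^= basis[p][0]; comb ^= basis[p][1]
        else:                                # column reduced to zero: the summed columns form a codeword
            return [(comb >> j) & 1 for j in range(len(L))]

def demo():                                  # two errors, one on a degree-1 and one on a degree-2 locator
    c = codeword(); r = list(c); r[3] ^= 1; r[20] ^= 1
    return decode(r) == (c, [3, 20])
```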
VI. CODE PARAMETERS

In Table I, we show some examples of the code parameters $(k \ge, m, l, r, d_{\mathrm{sep}})$ of binary separable generalized Goppa codes $\Gamma(\mathcal{L}, G(x))$ for several values of length $n$. For a fixed code length $n$, the degree $m$ of the extension field can be reduced according to (14) by increasing the maximum degree $l$ of the code locators in $\mathcal{L}$. By additionally fixing the degree $r$ of the Goppa polynomial, the lower bound on the minimum distance $d_{\mathrm{sep}}$ is reduced by the factor of $l$, according to Corollary 1. Keeping instead $d_{\mathrm{sep}}$ fixed, the degree $r$ must be increased to $r = \lceil (l \cdot d_{\mathrm{sep}} - 1)/2 \rceil$. The dimension $k$ is calculated by $n - mr$ and is therefore smaller for a higher degree of $r$.

TABLE I: Code parameters for binary separable GGCs and corresponding public key size for Classic McEliece.
Columns: $n$ | $k \ge$ | $m$ | $l$ | $r$ | $d_{\mathrm{sep}}$ | $|\mathrm{pk}|$ [bytes]
(Of the table body only the entries 261 120; 170 240; 291 782; 637 974; 817 152 survive.)

Table I also shows the corresponding public key size of Classic McEliece [13], which is Niederreiter's dual version of the original McEliece cryptosystem and currently a finalist of the NIST competition for post-quantum key encapsulation mechanisms [12]. This cryptosystem is efficient in encoding and decoding, but a disadvantage is the large public key. Therefore, it is desirable to reduce its public key size. The public key $\mathbf{T}$ is determined by the systematic form of $\mathbf{H}_{\mathrm{bin}} = (\mathbf{I}_{n-k} \mid \mathbf{T})$ and has size $|\mathrm{pk}| = (nmr - m^2 r^2)/8$ bytes. We could not find code parameters of separable GGCs with $l > 1$ such that the public key size is improved over classical Goppa codes (where $l = 1$) for a fixed security level based on the Information Set Decoding (ISD) attack by Lee and Brickell [30], whose work factor depends on $n, k, d$. However, the field size can be reduced at the cost of a smaller security level or a larger public key size to improve the complexity of all calculations including the construction of a parity-check matrix.
REFERENCES
[1] V. Goppa, "A new class of linear error correcting codes," Problems of Information Transmission, vol. 6, no. 3, pp. 207–212, 1970.
[2] R. J. McEliece, "A public-key cryptosystem based on algebraic coding theory," The Deep Space Network Progress Report, vol. 44, pp. 114–116, 1978.
[3] N. A. Shekhunova and E. T. Mironchikov, "Cyclic (L,G)-Codes," Probl. Peredachi Inf., vol. 17, pp. 3–9, Sep. 1981.
[4] S. V. Bezzateev and N. A. Shekhunova, "One generalization of Goppa codes," in Proceedings of IEEE International Symposium on Information Theory, 1997, p. 299.
[5] ——, "Generalized Goppa codes for correcting localized errors," in Proceedings. 1998 IEEE International Symposium on Information Theory (Cat. No.98CH36252), 1998, pp. 377–.
[6] S. Bezzateev and N. Shekhunova, "Class of binary generalized Goppa codes perfect in weighted Hamming metric," Designs, Codes and Cryptography, vol. 66, pp. 391–399, 08 2013.
[7] S. Bezzateev, "One subclass of cyclic generalized (L,G) codes with separable Goppa polynomial," in , 2014, pp. 30–32.
[8] S. Bezzateev, "Cyclic Generalized Separable (L, G) Codes," in Coding Theory and Applications, ser. CIM Series in Mathematical Sciences, R. Pinto, P. Rocha Malonek, and P. Vettori, Eds. Cham: Springer International Publishing, 2015, pp. 53–60.
[9] I. K. Noskov and S. V. Bezzateev, "One realization of the generalized (L,G)-codes," in , 2020, pp. 1–5.
[10] I. Noskov and S. Bezzateev, "Effective implementation of modern McEliece cryptosystem on generalized (L,G)-codes (Russian only)," Scientific and Technical Journal of Information Technologies, Mechanics and Optics, vol. 20, pp. 539–544, 08 2020.
[11] H. Niederreiter, "Knapsack-type Cryptosystems and Algebraic Coding Theory," Problems Control and Inf. Theory, vol. 15(2), pp. 159–166, Jan. 1986.
[12] NIST CSRC, "Post-Quantum Cryptography," 2020. [Online]. Available: https://csrc.nist.gov/Projects/post-quantum-cryptography
[13] D. J. Bernstein, T. Chou, T. Lange, I. von Maurich, R. Misoczki, R. Niederhagen, E. Persichetti, C. Peters, P. Schwabe, N. Sendrier, J. Szefer, and W. Wang, "Classic McEliece: NIST submission," 2019. [Online]. Available: https://classic.mceliece.org/nist.html
[14] Y. Sugiyama, M. Kasahara, S. Hirasawa, and T. Namekawa, "Further results on Goppa codes and their applications to constructing efficient binary codes," IEEE Transactions on Information Theory, vol. 22, no. 5, pp. 518–526, September 1976.
[15] D. J. Bernstein, T. Lange, and C. Peters, "Wild McEliece," in Selected Areas in Cryptography, ser. Lecture Notes in Computer Science, A. Biryukov, G. Gong, and D. R. Stinson, Eds. Berlin, Heidelberg: Springer, 2011, pp. 143–158.
[16] R. Lidl and H. Niederreiter, Finite Fields, 2nd ed., ser. Encyclopedia of Mathematics and its Applications. Cambridge University Press, 1996.
[17] R. M. Roth, Introduction to Coding Theory. Cambridge University Press, 2006.
[18] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error Correcting Codes. Elsevier, 1977, vol. 16.
[19] R. Chien, "Cyclic decoding procedures for Bose-Chaudhuri-Hocquenghem codes," IEEE Transactions on Information Theory, vol. 10, no. 4, pp. 357–363, October 1964.
[20] J. J. Metzner and E. J. Kapturowski, "A general decoding technique applicable to replicated file disagreement location and concatenated code decoding," IEEE Transactions on Information Theory, vol. 36, no. 4, pp. 911–917, 1990.
[21] D. Bleichenbacher, A. Kiayias, and M. Yung, "Decoding of interleaved Reed Solomon codes over noisy data," in International Colloquium on Automata, Languages, and Programming. Springer, 2003, pp. 97–108.
[22] J. Justesen, C. Thommesen, and T. Høholdt, "Decoding of concatenated codes with interleaved outer codes," in IEEE International Symposium on Information Theory (ISIT), 2004, pp. 328–328.
[23] G. Schmidt, V. R. Sidorenko, and M. Bossert, "Interleaved Reed–Solomon codes in concatenated code designs," in IEEE Information Theory Workshop, 2005, pp. 5–pp.
[24] L. Holzbaur, H. Liu, S. Puchinger, and A. Wachter-Zeh, "On decoding and applications of interleaved Goppa codes," in . IEEE, 2019, pp. 1887–1891.
[25] J. S. Nielsen, "Generalised multi-sequence shift-register synthesis using module minimisation," in IEEE International Symposium on Information Theory (ISIT), 2013, pp. 882–886.
[26] A. Zeh and A. Wachter, "Fast multi-sequence shift-register synthesis with the Euclidean algorithm," Adv. Math. Commun., vol. 5, no. 4, pp. 667–680, Nov 2011.
[27] H. Liu, "Decoding of interleaved Goppa codes and their applications in code-based cryptosystem," Master's thesis, Technische Universität München (TUM), 2019. [Online]. Available: http://mediatum.ub.tum.de/doc/1488548/1488548.pdf
[28] G. Forney, "On decoding BCH codes," IEEE Transactions on Information Theory, vol. 11, no. 4, pp. 549–557, 1965.
[29] L. Holzbaur, H. Liu, A. Neri, S. Puchinger, J. Rosenkilde, V. Sidorenko, and A. Wachter-Zeh, "Decoding of interleaved alternant codes," 2020. [Online]. Available: https://arxiv.org/abs/2010.07142
[30] P. J. Lee and E. F. Brickell, "An Observation on the Security of McEliece's Public-Key Cryptosystem," in