On the Support Splitting Algorithm for Induced Codes

As shown by N. Sendrier in 2000, if an $[n,\,k,\,d]$-linear code $C \subseteq \mathbb{F}_{q}^{n}$ with length $n$, dimensionality $k$ and code distance $d$ has a trivial group of automorphisms $\mathrm{PAut}(C)$, this allows one to construct a deterministic support splitting algorithm that finds, for a code $D$ permutation-equivalent to $C$, a permutation $\sigma$ such that $\sigma(C) = D$. This algorithm can be used for attacking the McEliece cryptosystem based on the code $C$.
This work aims at the construction and analysis of the support splitting algorithm for the code $\mathbb{F}_{q}^{l} \otimes C$ induced by the code $C$, $l \in \mathbb{N}$. Since the group of automorphisms $\mathrm{PAut}(\mathbb{F}_{q}^{l} \otimes C)$ is nontrivial even when that of the base code $C$ is trivial, one may expect a potentially high resistance of the McEliece cryptosystem on the code $\mathbb{F}_{q}^{l} \otimes C$ to the attack based on support splitting.
The support splitting algorithm is constructed for the code $\mathbb{F}_{q}^{l} \otimes C$, and its efficiency is compared with that of the attack on a McEliece cryptosystem based on the code $\mathbb{F}_{q}^{l} \otimes C$.


INTRODUCTION
In the post-quantum era, McEliece cryptosystems [1] are considered as possible alternatives to asymmetric cryptosystems whose security currently rests on the complexity of factoring large integers or of the discrete logarithm problem in a finite group [2]. A prerequisite for constructing McEliece cryptosystems based on linear codes is the existence of effective (polynomial-time) decoding algorithms for these codes. However, this condition is not sufficient. Although Reed-Solomon and Reed-Muller codes possess fast decoding algorithms [3], the corresponding McEliece cryptosystems have been shown to succumb to structural attacks [4,5]. It has been found that the more structurally similar a code is to a random code, the harder the cryptanalysis of the corresponding McEliece cryptosystem becomes. Among the feasible ways to construct a robust McEliece cryptosystem is the search for, or the construction of, a code with an effective decoder and a random-like structure.
It is shown in [6] that if a base code possesses an effective majority decoder, one can also construct a decoder for the induced code , . In connection with this, a McEliece cryptosystem was developed on the basis of an induced code [7]. If the McEliece cryptosystem based on the code is vulnerable to attacks on the key, one can carefully select the induced code parameters so that the attack on the key of the corresponding cryptosystem based on the induced code fails. This work aims at the development of support splitting algorithms for induced codes and the estimation of their efficiency in finding the secret key of the McEliece cryptosystem based on the induced code . The paper has the following structure. The second section provides background on codes and support splitting algorithms and preliminary results on induced codes; the support splitting algorithm for induced codes is considered there as well. The third section gives an example of applying this algorithm to the determination of a secret permutation of a McEliece cryptosystem on the induced code, and its efficiency is compared with that obtained in [7]. The feasible use of induced codes in an identification protocol is also within the scope of this study.

Preliminary Results
Let be the Galois field of order , where is a power of a prime number. For a vector from the space of dimensionality , the weight is the cardinality of the set of nonzero coordinates of the vector . Consider a -code with dimensionality , length and code distance in the space . Let be a generator matrix of the code, . Codes and of dimensionality and length are called permutation-equivalent if there is a permutation from the symmetric group , acting on the elements of the set , such that In this case one uses the common notation . The next step is to define the invariant and the signature from [8]. For some subset , denote by the set of vectors obtained from those of the code by zeroing the coordinates with numbers from . Let be the set of all codes of length , . The mapping is called an invariant over the set if any two permutation-equivalent codes and satisfy the equality . A signature over the set is a mapping such that for any permutation and any code the equality holds. Below we consider only signatures based on an invariant that obey the following rule: . A discriminant of the code is a signature for which and from imply Then a complete discriminant for the code is a signature such that for all distinct and from . The known fact can be summarized by the lemma below. Consider the SSA algorithm that finds a permutation for two permutation-equivalent codes and using , such that . Notice that in the general case, but by Lemma 1. The permutation σ', returned by the SSA algorithm, will be called suitable. If is a complete discriminant, then σ = σ', and the permutation σ will be found at the first iteration of the loop in this algorithm. As follows from Statement 8 of [8], a complete discriminant exists for the code when the group of automorphisms of the code C is trivial. Note that codes with a trivial group of automorphisms exist [9].
According to [8], even if a complete discriminant of the code exists, its computation may be a computationally hard task. For this reason, an approach was proposed in [8] that allows constructing computationally simple complete discriminants from incomplete ones. Since it considers only signatures based on invariants (see Eq. (1)), the latter have to be computationally simple.
An example of a computationally simple invariant for codes of low dimensionality is the mapping that assigns to the code its weight enumerator where is the number of vectors of weight in the code and is the set of polynomials in one variable with coefficients from . Using this invariant, one can construct a signature defined by the rule . Note that the computational complexity of the invariant grows non-polynomially with the dimensionality of the code . Hence the discriminant in [8] is based on the computation of weight enumerators of the code hull. The hull of the code [8] is the intersection of the code with its dual code : (2) This characteristic is chosen because the hull dimensionality is typically much smaller than the dimensionality of the code , which enables one to efficiently compute the enumerators and to construct a computationally simple discriminant even in the case of a large dimensionality of the code .

Induced Codes and Their Properties
Let be a -code with a generator matrix and a check matrix , . The Cartesian product of the codes and is the set of the form where is the concatenation of the vectors and . It is easy to see that the generator and check matrices of the code can be written as where is the zero -matrix. As follows from definition (2): (3) Let be a -code with a generator matrix , and let be the identity matrix of order . The subspace generated by the rows of the matrix will be denoted by and called the induced code (or the code induced by the code ) [7]. A generator matrix of this code has the block structure (4) where each block row has nonzero matrices and one matrix . Since then Lemma 2 yields Corollary 1. Let be a -code with a generator matrix and let be the weight enumerator of the code . Then (2) : = It also appears that a check matrix of the code can be written as , where is the check matrix of the code . As follows from Eq. (3), the hull of the code takes the form , , . The group of automorphisms of this code is nontrivial. Indeed, the generator matrix of the code has the block diagonal structure (4), and any permutation of the blocks of this matrix results in a generator matrix of the same code. A permutation of block columns of this matrix is equivalent to a permutation of block rows. There are such block column permutations in total. Hence the group of automorphisms of the code has order at least . This yields the following lemma.

Lemma 3. The group of automorphisms of the code contains a subgroup isomorphic to the group .
Notice that each element of the group has the form (6) Let , where and is the subgroup of the group whose permutations involve only the elements of the set I i, n , leaving the elements of the set fixed. Consider the group Q = , . It is easy to see that (7) Recall that the orbit of an element under the action of a subgroup is the set . Then , , are the orbits formed by the subgroup on the elements of the set . Expression (7) yields the following auxiliary lemma.

Lemma 4. The length of each orbit formed under the action of the group on the elements of the set is a multiple of .

Support Splitting Algorithm
As noted above, for two permutation-equivalent codes with a complete discriminant, finding a suitable permutation requires at most one iteration of the inner loop of the SSA algorithm. It follows from Lemma 3 that there is no complete discriminant for the code , because the group of automorphisms of this code is nontrivial. Consider the problem of constructing an algorithm for the codes and that determines a suitable permutation such that .

Lemma 5. Let be a -code. Then for and any signature found from rule (1), the following equality holds: Proof. According to definition (1) Since π is a nontrivial permutation, the elements (6) of the group for give: . This is a contradiction. Taking representation (6) into account, Lemma 5 yields the corollary below.

Corollary 2. For the code and , the following equality holds: = for all .
Thus, any signature for the code determined by rule (1) has at most distinct values. The more values the signature takes on the code, the fewer iterations of the SSA algorithm are required to find a suitable permutation.
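A numerical check of the facts used above, as an added example that is not part of the paper: it builds the induced code $\mathbb{F}_2^l \otimes C$ from a constructed binary [6, 3] base code and verifies over GF(2) that the hull dimension grows l-fold, that swapping coordinate blocks is an automorphism (Lemma 3), and that a signature defined by zeroing one coordinate and taking the weight enumerator of the hull takes at most n distinct values on the l·n coordinates (Corollary 2). The base code, the choice of signature and all function names are assumptions of this example.

```python
# Added example (not from the paper): GF(2) linear algebra to build the
# induced code F_2^l (x) C from a small base code C and check three facts
# the text relies on: the hull dimension grows l-fold (Eq. (5)), a block
# permutation is an automorphism (Lemma 3), and a puncturing signature
# takes at most n distinct values on the l*n coordinates (Corollary 2).
import itertools

def rref(rows):
    """Reduced row echelon form over GF(2): a canonical basis of the row space."""
    m = [r[:] for r in rows]
    out, col, ncols = [], 0, len(m[0]) if m else 0
    while m and col < ncols:
        piv = next((r for r in m if r[col]), None)
        if piv is None:
            col += 1
            continue
        m.remove(piv)
        m = [[a ^ b for a, b in zip(r, piv)] if r[col] else r for r in m]
        out = [[a ^ b for a, b in zip(r, piv)] if r[col] else r for r in out]
        out.append(piv)
        col += 1
    return out

def null_space(rows, n):
    """Basis of {x : rows * x = 0} over GF(2), i.e. the dual of rowspace(rows)."""
    R = rref(rows)
    pivots = [r.index(1) for r in R]
    basis = []
    for f in [c for c in range(n) if c not in pivots]:
        x = [0] * n
        x[f] = 1                       # one free variable set to 1 ...
        for r, p in zip(R, pivots):
            x[p] = r[f]                # ... fixes every pivot variable
        basis.append(x)
    return basis

def hull_basis(G, n):
    """Hull C ∩ C^⊥ = null space of [G; H], H being a basis of the dual code."""
    return null_space(G + null_space(G, n), n)

def weight_enumerator(basis, n):
    """(A_0, ..., A_n): number of codewords of each weight (brute force, small codes)."""
    counts = [0] * (n + 1)
    for coeffs in itertools.product((0, 1), repeat=len(basis)):
        word = [sum(c * b[j] for c, b in zip(coeffs, basis)) % 2 for j in range(n)]
        counts[sum(word)] += 1
    return tuple(counts)

def signature(G, n, i):
    """S(C, i): weight enumerator of the hull of C with coordinate i zeroed."""
    punctured = [r[:i] + [0] + r[i + 1:] for r in G]
    return weight_enumerator(hull_basis(punctured, n), n)

def induced_generator(G, l):
    """Block-diagonal generator of F_2^l (x) C: l copies of G on the diagonal."""
    n = len(G[0])
    return [[0] * (n * b) + r + [0] * (n * (l - 1 - b)) for b in range(l) for r in G]

def permute_columns(G, sigma):
    """Column j of the result is column sigma[j] of G."""
    return [[r[sigma[j]] for j in range(len(r))] for r in G]

def hull_dim(G, n):
    return len(hull_basis(G, n))

# Constructed base code: a binary [6, 3] code whose hull has dimension 2.
G_BASE = [[1, 0, 0, 1, 1, 0], [0, 1, 0, 1, 0, 1], [0, 0, 1, 0, 1, 1]]
N, L = 6, 2
G_IND = induced_generator(G_BASE, L)

def block_swap_is_automorphism():
    """Swapping the two blocks of n coordinates maps the induced code onto itself."""
    swap = [(j + N) % (L * N) for j in range(L * N)]
    return rref(G_IND) == rref(permute_columns(G_IND, swap))

def induced_signatures():
    """Signature value of every coordinate of the induced code."""
    return [signature(G_IND, L * N, i) for i in range(L * N)]
```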

Lemma 6. If , then any signature for the code found from rule (1) has fewer than values.
Proof. It follows from Corollary 2 that any signature for the code established by rule (1) has at most distinct values. Hence, according to Statement 8 of [8], the group forms at most distinct orbits on the set . Let ; then there is an element such that for some . Therefore, it follows from Lemma 4 that at least one orbit has length at least . Hence the group forms at most orbits. By Statement 8 of [8], the signature has at most distinct values.
where If is a -code such that is its complete discriminant, then, according to Corollary 1 and the generalization of formula (10) to the case , a signature for the code has distinct values.
It then follows from Corollary 3 that the group of automorphisms of the code can be described in a simple manner. Lemma 7. Let be a signature found from rule (1). Then for any the following equalities hold: (1) ; (3) Proof. Equality (1) follows from Corollary 2; equality (2) follows from equality (1). Let us prove Statement (3). It follows from Statement (2) that Since is an arbitrary permutation from the group , the statement is proved.
The symbol denotes a coset of the quotient set .
Lemma 8. If a signature for the code is determined by rule (1) and has distinct values, then and (11) hence .
Proof. It follows from Statement (3) of Lemma 7 and condition (11) that for any the following equalities hold: Since, by the condition, the signature has the maximum number of distinct values , then by the construction of the group ( is the maximal subgroup that does not change the order of elements in the set ).
Let be the quotient set of the group with respect to the group , and let be a transversal of the quotient set , i.e., a set of representatives of the cosets , . Among the possible ways of constructing the set there is the algorithm.

Theorem 1. Let be a -code, , let be a signature defined by rule (1) and having distinct values on the code , and let be a transversal of the quotient set . Then there is an algorithm with computational complexity that finds a suitable permutation such that .

Proof. Let . This permutation can be found by simply computing the signatures of the codes and . Then Lemma 8 gives . As seen from Lemma 1, a suitable permutation converting the code into the code is a permutation , where . Since the signature has distinct values, it follows from Corollary 3 that . Hence a suitable permutation can be established by enumerating the elements of the transversal . Thus, a suitable permutation can be found via the SSAForTensor algorithm, whose complexity is , due to the enumeration of the elements of the transversal .
Note that the complexity estimate of the algorithm in Theorem 1 takes only the cardinality of the transversal into account and neglects the computational complexity of the signatures (steps 1 and 2), the complexity of checking whether two codes coincide (step 4), and the complexity of constructing the transversal , which is used as an input parameter. The coincidence of two codes can be verified by multiplying the generator matrix of one by a check matrix of the code . Thus, the complexity of this test depends polynomially on , i.e., the verification can be implemented efficiently. On the other hand, constructing efficiently computable signatures is a separate task [8]. In particular [8], efficient signatures can be constructed using the weight enumerator of a code hull, which is likely to have small dimension. As follows from Eq. (5), the hull dimensionality of the induced code is times that of the hull of the base code. In turn, this may substantially slow down the computation of weight enumerators of its projections in the general case and complicate the computation of signatures, because it requires enumerating the vectors of the hull projection for all coordinates. Constructing a transversal is also a hard problem for high enough values of . The algorithm proposed above has -nonpolynomial complexity, although it can be done in advance.
Meanwhile, if the code possesses an efficiently computable signature determined by rule (1) and taking distinct values, together with a transversal , the algorithm is assumed to be more powerful than at establishing a suitable permutation. This is because searches for a suitable permutation over the whole coset , whereas the algorithm searches only over the set , whose cardinality is times smaller than that of , because

A McEliece Cryptosystem Based on Induced Codes
Consider a McEliece cryptosystem based on the -code , where is a -code with a generator matrix . In this cryptosystem, the public key is the pair , and the secret key is the matrix pair , where is a random nondegenerate -matrix, is a random permutation -matrix, and with the identity matrix of dimension . The encryption rule for an arbitrary message has the form (12) where and .

Algorithm 3: SSAForTensor
The decoding uses the rule , where is the decoder of the code , which guarantees the correction of up to errors and recovers the vector . The McEliece cryptosystem based on the code will be denoted by .
Since the code with the generator matrix and the code are permutation-equivalent, the cryptosystem can be broken by finding a matrix pair (S',P') such that [4], where the permutation corresponding to the permutation matrix belongs to .
As shown in [7], if the cryptosystem McE(C) on the base code is vulnerable to attacks, there is an algorithm for establishing a suitable permutation matrix for the cryptosystem, whose complexity is estimated by . Using Stirling's formula, one obtains Furthermore, if a discriminant exists for the code , a suitable permutation can be found using the SSA. Consider the most favorable situation from the attacker's viewpoint, when an efficiently computable signature with distinct values is known for the code and a transversal has been constructed for the quotient set . Then the conditions of Theorem 1 are fulfilled, and SSAForTensor can be substituted for . It follows from Theorem 1 that the security of the cryptosystem is estimated by . Using Stirling's formula gives Notice that expressions (13) and (14) estimate the sizes of the key sets over which suitable permutations are searched by enumeration in the algorithm of [7] and in SSAForTensor, respectively. According to [10], enumeration over a key set of cardinality or higher is considered computationally infeasible. In order to compare estimates (13) and (14), take as an example the construction of the induced code from a binary Reed-Muller -code , where and . Tables 1 and 2 show the values computed for attacking the cryptosystem , , where the parameter in Table 2 is evaluated from expression (13), and that in Table 1 is obtained from formula (14). The highlighted cells in both tables correspond to the parameters of the induced code for which the enumeration complexity is at least . A comparison of the corresponding values in the tables reveals that the attack based on the SSAForTensor splitting algorithm is much more efficient than that described in [7]. However, with a suitable choice of the parameters and this attack can also be infeasible.
As shown in [11], the use of induced codes in McEliece cryptosystems weakens the resistance of the system to attacks on the ciphertext based on information-set decoding. Acceptable resistance to these attacks is achieved at large code lengths, which is due to the fact that the dimensionality and length of induced codes increase by a factor of at a fixed code distance. Meanwhile, the cryptosystem can be applied when the encryption involves error vectors of weight beyond the capacity of the decoder . Thus, a shared secret key generation protocol was obtained on the basis of the above cryptosystem [7]. The next subsection is dedicated to another application of induced codes, namely their use in cryptographic identification protocols.

Identification Protocol Based on Induced Codes
An identification protocol based on the complexity of finding the permutation between two permutation-equivalent codes over a binary field was constructed by Girault [12]. Consider this protocol for the case . Let be a -matrix over the field , shared by all protocol users. Each user randomly chooses a vector of small weight and computes . The vector is the public identifier of the user . If the verifier intends to authenticate a user , i.e., to check that the user knows a vector , the following 3-step protocol is executed.
Step 1: randomly and uniformly chooses a permutation -matrix and a nondegenerate -matrix , computes and , and sends the matrix and the vector s' to .
Step 2: randomly and uniformly chooses a bit and sends it to .
Step 3a: If , then sends the matrices and to , who verifies that and .
Step 3b: If , then sends to , who verifies that and .
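The three steps above as an honest protocol run over GF(2), written as an added example that is not part of the paper. Since the formulas in the step descriptions are missing here, the concrete checks follow Girault's scheme and are assumptions of this example: a public matrix H, a secret x of weight t with identifier s = Hx^T, the commitment H' = SHP, s' = Ss, and the responses (S, P) for b = 0 and x' = xP for b = 1; the matrix H, the secret and all function names are constructed sample values.

```python
# Added example (not from the paper): an honest run of the three-pass
# identification protocol described above, over GF(2). Assumed concrete forms
# (the page's own formulas are blank): public r x n matrix H, secret x of
# weight t, identifier s = H x^T; commitment H' = S H P, s' = S s; challenge
# bit b; response (S, P) if b = 0, else x' = x P, for which
# H' x'^T = S H P P^T x^T = S s = s'.
import random

def matmul(A, B):
    """Matrix product over GF(2)."""
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def matvec(A, v):
    """Matrix-vector product over GF(2); vectors are plain bit lists."""
    return [sum(a * b for a, b in zip(row, v)) % 2 for row in A]

def transpose(A):
    return [list(c) for c in zip(*A)]

def random_permutation_matrix(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return [[int(perm[i] == j) for j in range(n)] for i in range(n)]

def random_invertible(r, rng):
    """Nondegenerate r x r matrix: random row additions applied to the identity."""
    S = [[int(i == j) for j in range(r)] for i in range(r)]
    for _ in range(4 * r):
        i, j = rng.sample(range(r), 2)
        S[i] = [a ^ b for a, b in zip(S[i], S[j])]   # row_i += row_j keeps S invertible
    return S

def commit(H, s, rng):
    """Step 1 (prover): fresh (S, P); send H' = S H P and s' = S s."""
    S, P = random_invertible(len(H), rng), random_permutation_matrix(len(H[0]), rng)
    return (S, P), (matmul(matmul(S, H), P), matvec(S, s))

def respond(b, x, state):
    """Step 3 (prover): reveal (S, P) for b = 0, the permuted secret x' = x P for b = 1."""
    S, P = state
    return (S, P) if b == 0 else matvec(transpose(P), x)

def verify(H, s, t, commitment, b, response):
    """Step 3 (verifier): check the commitment, or check x' is a weight-t preimage of s'."""
    Hp, sp = commitment
    if b == 0:
        S, P = response
        return matmul(matmul(S, H), P) == Hp and matvec(S, s) == sp
    return matvec(Hp, response) == sp and sum(response) == t

def run_rounds(H, x, t, rounds, seed=1):
    """Full protocol: `rounds` repetitions; a cheater survives each round with probability 1/2."""
    rng = random.Random(seed)
    s = matvec(H, x)                  # public identifier of the user
    for _ in range(rounds):
        state, commitment = commit(H, s, rng)
        b = rng.randrange(2)          # Step 2 (verifier): random challenge bit
        if not verify(H, s, t, commitment, b, respond(b, x, state)):
            return False
    return True

# Constructed public matrix (r = 4, n = 8) and a secret of weight t = 2.
H_PUB = [[1, 0, 1, 1, 0, 0, 1, 0],
         [0, 1, 1, 0, 1, 0, 0, 1],
         [1, 1, 0, 1, 0, 1, 0, 0],
         [0, 0, 1, 1, 1, 1, 0, 1]]
X_SECRET, T = [1, 0, 0, 0, 0, 0, 1, 0], 2

def rejects_wrong_preimage():
    """With the trivial commitment (S = P = I), a weight-t vector that is not a preimage of s fails."""
    s = matvec(H_PUB, X_SECRET)
    return not verify(H_PUB, s, T, (H_PUB, s), 1, [0, 1, 0, 0, 0, 0, 0, 1])
```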
This protocol is run times, where the security parameter is chosen so that the probability of a cheating prover succeeding is below a predetermined threshold. Let us estimate the communication complexity of this protocol. In Step 1, the prover sends bits of data. In Step 2, the verifier transfers one bit. The amount of data transferred in Step 3 depends on the bit value : for there are bits, and for there are bits transferred. Taking into account that the bit value is chosen uniformly at random, iterations result in the following communication complexity of the protocol: