1. The document discusses the relationship between information leakage and combinatorial quantities of linear codes.
2. It presents nested coset coding and how it can be used for secret sharing, coding for wiretap channels, and secure network coding. A message is represented by a coset in the quotient space of two linear codes.
3. It analyzes how much information about the secret or message is leaked to an eavesdropper who observes part of the codeword. This amount of leakage can be expressed in terms of the dimensions of the intersections between the two codes and the kernel of the eavesdropping map.
Relation between Information Leakage and Combinatorial Quantities of Linear Codes
1. Relation between Information Leakage and Combinatorial Quantities of Linear Codes
Ryutaroh Matsumoto
https://orcid.org/0000-0002-5085-8879
Tokyo Institute of Technology, Japan
26 September 2013 (updated on 16 May 2019)
Error-Correcting Code Workshop (http://manau.jp/WS/ECCWS/)
(Please ask questions at any time. Contact me if you can jointly apply for a MEXT Grant-in-Aid for Scientific Research on these topics. These slides are available from https://www.slideshare.net/RyutarohMatsumoto.)
R. Matsumoto (Tokyo Tech.) Relation between Information Leakage and Combinatorial Quantities of Linear CodesECC WS 1 / 22
2. Structure of this talk
1 Nested coset coding
2 Information leakage of secret sharing
3 Its relation to relative generalized Hamming weight
4 Information leakage of network coding
5 Its relation to relative generalized rank weight
3. Nested coset coding
Applications:
Secret sharing
Coding for wiretap channels
Secure network coding
$C_2 \subset C_1 \subset \mathbb{F}_q^n$.
A message $S$ is represented by a coset $S \in C_1/C_2$.
A codeword $X$ is chosen randomly from $S$, i.e., $X \in S$.
$X = (X_1, \ldots, X_n)$ is transmitted (secure network coding, wiretap channel), or
$X_i$ is distributed to the $i$-th participant (secret sharing).
4. Concrete example: Shamir’s secret sharing
Goal: Distribute a secret $s \in \mathbb{F}_q$ to $n \le q-1$ participants such that
any $k$ participants can recover $s$, and
any $k-1$ participants have no information on $s$.
Method: $\beta_1, \ldots, \beta_n$: distinct elements in $\mathbb{F}_q \setminus \{0\}$;
$a_1, \ldots, a_{k-1}$: randomly chosen elements in $\mathbb{F}_q$;
$g(y) = s + a_1 y + \cdots + a_{k-1} y^{k-1}$;
$g(\beta_i)$ is distributed to the $i$-th participant.
$C_1 = \{(f(\beta_1), \ldots, f(\beta_n)) : \deg f(y) \le k-1\}$
$C_2 = \{(f(\beta_1), \ldots, f(\beta_n)) : f(0) = 0,\ \deg f(y) \le k-1\}$
Coset $S = (s, s, \ldots, s) + C_2 \in C_1/C_2$.
Choosing $X$ randomly from $S$ amounts to choosing $a_1, \ldots, a_{k-1}$ randomly.
$C_1$ is an $[n, k]$ Reed-Solomon code over $\mathbb{F}_q$.
5. Linear eavesdropping and information leakage
$C_2 \subset C_1 \subset \mathbb{F}_q^n$.
A message $S$ is represented by a coset $S \in C_1/C_2$.
A codeword $X$ is chosen randomly from $S$, i.e., $X \in S$.
Suppose an eavesdropper Eve has partial information $f(X)$ of $X$ and tries to guess $S$.
$f$ is an $\mathbb{F}_q$-linear map for secret sharing and secure network coding.
$f$ is a probability transition matrix (or stochastic mapping) for wiretap channel coding.
Example of secret sharing: $X = (X_1, \ldots, X_n)$. When the eavesdropper Eve has $d$ shares, $f(X) = (X_{i_1}, \ldots, X_{i_d})$.
Q: How much information of $S$ is leaked to $f(X)$?
A: Their mutual information $I(S; f(X))$.
Notation: $\dim \frac{V}{W}$ means $\dim V/W = \dim V - \dim W$ for linear spaces $V \supset W$.
6. Algebraic expression of the uncertainty 𝐻(𝑆|𝑓(𝑋))
$S$ and $X$ are assumed to have uniform distributions (entropies are measured in $q$-ary units, i.e., with $\log_q$).
$f$: $\mathbb{F}_q$-linear map from $\mathbb{F}_q^n$.
$I(S; f(X)) = H(f(X)) - H(f(X) \mid S)$.
$H(f(X)) = \log_q |f(C_1)| = \dim f(C_1) = \dim C_1 - \dim(\ker(f) \cap C_1)$.
7. $H(f(X) \mid S) = \log_q (\text{the number of possible } f(X) \text{ given fixed } S = s) = \log_q (\text{the number of possible } f(X) \text{ given } S = C_2) = \log_q |f(C_2)| = \dim f(C_2) = \dim C_2 - \dim(\ker(f) \cap C_2)$.
(For any coset $s = \vec{x}_0 + C_2$ we have $f(s) = f(\vec{x}_0) + f(C_2)$, which has $|f(C_2)|$ elements, so one may take $S = C_2$.)
Subtracting,
$I(S; f(X)) = \underbrace{\dim \frac{C_1}{C_2}}_{= H(S)} - \underbrace{\dim \frac{\ker(f) \cap C_1}{\ker(f) \cap C_2}}_{= H(S \mid f(X))}$.
$H(S \mid f(X))$ is Eve's uncertainty of $S$ under her observation $f(X)$.
8. Algebraic expression of the information leakage $I(S; f(X))$
An extension of Forney's second duality lemma
For any subspace $V \subset \mathbb{F}_q^n$ we have
$\dim \frac{C_2^\perp \cap V^\perp}{C_1^\perp \cap V^\perp} = \dim \frac{C_1}{C_2} - \dim \frac{C_1 \cap V}{C_2 \cap V}$.
(Proof sketch: $C_i^\perp \cap V^\perp = (C_i + V)^\perp$, so $\dim(C_i^\perp \cap V^\perp) = n - \dim C_i - \dim V + \dim(C_i \cap V)$; subtract the $i = 1$ and $i = 2$ cases.)
Substituting the above with $V = \ker(f)$ into
$I(S; f(X)) = \dim \frac{C_1}{C_2} - \dim \frac{\ker(f) \cap C_1}{\ker(f) \cap C_2}$
yields
$I(S; f(X)) = \dim \frac{C_2^\perp \cap \ker(f)^\perp}{C_1^\perp \cap \ker(f)^\perp}$.
9. Worst-case information leakage of a secret sharing scheme
A secret sharing scheme can be constructed from any $C_2 \subset C_1$. It is important to know how much information is leaked when $d$ shares are stolen. The stolen $d$ shares are $f(X) = (X_{i_1}, \ldots, X_{i_d})$.
The linear map $f$ is a projection from $\mathbb{F}_q^n$ to $\mathbb{F}_q^d$.
For an index set $I \subset \{1, \ldots, n\}$, $V_I := \{\vec{x} \in \mathbb{F}_q^n : x_i = 0 \text{ if } i \notin I\}$.
When $f$ is the projection onto the coordinates in $I$, we have $\ker(f) = V_{\{1,\ldots,n\} \setminus I}$ and hence $\ker(f)^\perp = V_I$.
$\max_f I(S; f(X)) = \max_f \dim \frac{C_2^\perp \cap \ker(f)^\perp}{C_1^\perp \cap \ker(f)^\perp} = \underbrace{\max_{I : |I| = d} \dim \frac{C_2^\perp \cap V_I}{C_1^\perp \cap V_I}}_{= d\text{-th RDLP of } C_2^\perp \supset C_1^\perp}$ (Kurihara et al. (2012))
RDLP = relative dimension/length profile, proposed by Luo et al. (2005).
RDLP is a generalization of Forney's DLP to nested coset coding.
10. DLP and RDLP of 𝐶1 ⊃ 𝐶2
$d$-th DLP $= \max_{I : |I| = d} \dim (C_1 \cap V_I)$.
$d$-th RDLP $= \max_{I : |I| = d} \dim \frac{C_1 \cap V_I}{C_2 \cap V_I} = \max_{I : \dim V_I \le d} \dim \frac{C_1 \cap V_I}{C_2 \cap V_I}$
$\Longrightarrow$ $d$-th DLP of $C_1$ $=$ $d$-th RDLP of $C_1 \supset \underbrace{\{\vec{0}\}}_{= C_2}$.
DLP determines the state complexity of trellis decoding applied to $C_1$.
DLPs have a one-to-one correspondence with GHWs (generalized Hamming weights).
$r$-th GHW of $C_1$ $= \min\{|I| : \dim (C_1 \cap V_I) \ge r\}$.
Q: Is there any generalization of GHW for $C_1 \supset C_2$?
11. RGHW of 𝐶1 ⊃ 𝐶2 and its relation to information leakage
$r$-th RGHW $= \min\{|I| : \dim \frac{C_1 \cap V_I}{C_2 \cap V_I} \ge r\}$.
The 1st RGHW $= \min\{w(\vec{x}) : \vec{x} \in C_1 \setminus C_2\}$, where $w$ is the Hamming weight.
$r$-th GHW of $C_1$ $=$ $r$-th RGHW of $C_1 \supset \{\vec{0}\}$.
Operational meaning of RGHW
When a secret sharing scheme is constructed from $C_1 \supset C_2$,
the maximum information leakage $I(S; f(X))$ to $d$ shares $< r$
$\Leftrightarrow$ $r$-th RGHW of $C_2^\perp \supset C_1^\perp$ $> d$.
12. $\mathbb{F}_{q_0}$-linear network coding
$\mathbb{F}_{q_0}$: subfield of $\mathbb{F}_q$.
Consider
single-source multicast by network coding;
each intermediate node outputs an $\mathbb{F}_{q_0}$-linear combination of its input symbols $\in \mathbb{F}_{q_0}$;
the source outputs $m \times n$ symbols in $\mathbb{F}_{q_0}$ during $m$ time slots over its $n$ outgoing links ($q = q_0^m$);
Eve eavesdrops on a fixed set of $d$ links during the $m$ time slots.
To hide the message from Eve, the source employs nested coset coding:
$C_2 \subset C_1 \subset \mathbb{F}_q^n$.
A message $S$ is represented by a coset $S \in C_1/C_2$.
A codeword $X = (X_1, \ldots, X_n)$ is chosen randomly from $S$, i.e., $X \in S$.
Each $X_i \in \mathbb{F}_q$ is decomposed into $m$ $\mathbb{F}_{q_0}$-symbols and then transmitted over the $i$-th outgoing link of the source.
13. Eavesdropping on $\mathbb{F}_{q_0}$-linear network coding
Each intermediate node outputs an $\mathbb{F}_{q_0}$-linear combination of its input symbols $\in \mathbb{F}_{q_0}$.
The source outputs $m \times n$ symbols in $\mathbb{F}_{q_0}$ during $m$ time slots over its $n$ outgoing links ($q = q_0^m$).
Eve eavesdrops on a fixed set of $d$ links during the $m$ time slots.
Under the above assumptions, Eve's observation $f(X)$ is an $\mathbb{F}_{q_0}$-linear mapping, and $\ker(f)$ is an $\mathbb{F}_q$-linear (not merely $\mathbb{F}_{q_0}$-linear) space.
The information leakage of $S$ to $f(X)$ is
$I(S; f(X)) = \dim \frac{C_2^\perp \cap \ker(f)^\perp}{C_1^\perp \cap \ker(f)^\perp}$,
where $\dim$ is counted as an $\mathbb{F}_q$-linear (not $\mathbb{F}_{q_0}$-linear) space.
14. Possible eavesdropping map 𝑓
In random linear network coding, the linear combination coefficients are randomly chosen and fixed during the $m$ time slots. In that case, writing $f(X) = XM$, the matrix $M$ can be any $n \times d$ matrix over $\mathbb{F}_{q_0}$. What is $\max_f I(S; f(X))$?
To clarify $\max_f I(S; f(X))$, we examine the properties of $\ker(f)$.
15. $q_0$-th power of subspaces (Stichtenoth (1990))
For $\vec{x} = (x_1, \ldots, x_n) \in \mathbb{F}_q^n$, $\vec{x}^{q_0} = (x_1^{q_0}, \ldots, x_n^{q_0})$.
$V^{q_0} = \{\vec{x}^{q_0} : \vec{x} \in V\}$ for an $\mathbb{F}_q$-linear subspace $V$ of $\mathbb{F}_q^n$.
$V^{q_0}$ is again an $\mathbb{F}_q$-linear subspace, although $\vec{x} \mapsto \vec{x}^{q_0}$ is not $\mathbb{F}_q$-linear (it is only $\mathbb{F}_{q_0}$-linear).
Stichtenoth's lemma
For an $\mathbb{F}_q$-subspace $V \subseteq \mathbb{F}_q^n$, $V^{q_0} = V$ iff $V$ has an $\mathbb{F}_q$-basis written in $\mathbb{F}_{q_0}^n$.
The above were given by Stichtenoth (1990) for studying subfield subcodes.
16. Characterization of ker(𝑓)
Stichtenoth's lemma
For an $\mathbb{F}_q$-subspace $V \subseteq \mathbb{F}_q^n$, $V^{q_0} = V$ iff $V$ has an $\mathbb{F}_q$-basis written in $\mathbb{F}_{q_0}^n$.
$\Downarrow$
When $f(X) = XM$ with $M \in \mathbb{F}_{q_0}^{n \times d}$,
an $\mathbb{F}_q$-basis of $\ker(f)$ can be chosen from $\mathbb{F}_{q_0}^n$ $\Leftrightarrow$ $\ker(f)^{q_0} = \ker(f)$ $\Leftrightarrow$ $(\ker(f)^\perp)^{q_0} = \ker(f)^\perp$.
Conversely, for any $V$ with $V^{q_0} = V$ and $\dim V \le d$ there exists $M \in \mathbb{F}_{q_0}^{n \times d}$ such that $\ker(f)^\perp = V$.
17. Algebraic expression of $\max I(S; f(X))$ for network coding
$\max_f I(S; f(X)) = \max_f \dim \frac{C_2^\perp \cap \ker(f)^\perp}{C_1^\perp \cap \ker(f)^\perp} = \underbrace{\max\left\{\dim \frac{C_2^\perp \cap V}{C_1^\perp \cap V} : V^{q_0} = V,\ \dim V \le d\right\}}_{= d\text{-th RDIP of } C_2^\perp \supset C_1^\perp}$
Kurihara et al. (2015) named the last quantity the $d$-th relative dimension/intersection profile (RDIP).
The difference between RDIP and RDLP is the range of $V$ in the maximization of $\dim \frac{C_2^\perp \cap V}{C_1^\perp \cap V}$ (see slide 10 for the second definition of RDLP).
18. Dual of RDIP for $C_1 \supset C_2$
Similarly to RGHW, one can define the dual of RDIP as
$\min\{\dim V : V^{q_0} = V,\ \dim \frac{C_1 \cap V}{C_2 \cap V} \ge r\}$.
Kurihara et al. (2015) named it the $r$-th relative generalized rank weight (RGRW).
Operational meaning of RGRW
When the source node performs nested coset coding with $C_1 \supset C_2$,
the maximum information leakage $I(S; f(X))$ to $d$ links $< r$
$\Leftrightarrow$ $r$-th RGRW of $C_2^\perp \supset C_1^\perp$ $> d$.
Q: Is there any relation to Gabidulin's rank weight?
A: Yes.
19. Review of Gabidulin's rank weight
$\vec{x} = (x_1, \ldots, x_n) \in \mathbb{F}_q^n$; recall $q = q_0^m$.
Each $x_i$ can be decomposed into a column vector $\vec{x}_i \in \mathbb{F}_{q_0}^m$ (by fixing an $\mathbb{F}_{q_0}$-basis of $\mathbb{F}_q$).
$w_R(\vec{x})$ = Gabidulin's rank weight = the rank of the matrix $[\vec{x}_1, \ldots, \vec{x}_n] \in \mathbb{F}_{q_0}^{m \times n}$.
The minimum rank weight $d_R(C_1)$ of $C_1$ $= \min\{w_R(\vec{x}) \mid \vec{0} \ne \vec{x} \in C_1\}$.
20. Relation to Gabidulin’s rank weight
Recall $C_2 \subsetneq C_1 \subseteq \mathbb{F}_q^n$.
The 1st RGRW is expressed by $w_R$ as $\min\{w_R(\vec{x}) : \vec{x} \in C_1 \setminus C_2\}$.
The 1st RGRW of $C_1 \supset \{\vec{0}\}$ $=$ the minimum rank weight $d_R(C_1)$ of $C_1$.
RGRW generalizes Gabidulin's rank weight.
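The rank-weight side of slides 14 to 20 on the smallest non-trivial extension field, as an added example that is not part of the original slides. It assumes $q_0 = 2$, $m = 2$, so $q = 4$ with $\mathbb{F}_4 = \mathbb{F}_2[a]/(a^2 + a + 1)$, length $n = 3$, $C_1 = \mathrm{span}\{(1,1,1), (0,1,a)\}$ and $C_2 = \mathrm{span}\{(1,1,1)\}$; the function names are this example's own. It computes Gabidulin's rank weight by $\mathbb{F}_2$-elimination on the $m \times n$ matrix of slide 19, the 1st RGRW of $C_1 \supset C_2$ and $d_R(C_1)$ of slide 20 next to their Hamming counterparts, and Stichtenoth's criterion $V^{q_0} = V$ of slides 15 and 16 on the kernel of $f(X) = XM$ for an $M$ over $\mathbb{F}_{q_0}$ and for an $M$ with an entry outside $\mathbb{F}_{q_0}$.

```python
# GF(4) = F_2[a]/(a^2 + a + 1); an element is an int 0..3 whose bit 0 is the
# coefficient of 1 and bit 1 the coefficient of a, so (bit0, bit1) is its column
# vector in F_2^2.  Addition is XOR.  (Parameters are this example's assumptions.)
import itertools

N = 3                                 # code length n
M = 2                                 # extension degree m (q = q0^m = 4)
C1_GENS = [(1, 1, 1), (0, 1, 2)]      # C1 = span{(1,1,1), (0,1,a)}, dim 2
C2_GENS = [(1, 1, 1)]                 # C2 = span{(1,1,1)} ⊂ C1

def mul(x, y):
    """Multiplication in GF(4): carry-less product, then reduce a^2 = a + 1."""
    r = 0
    for i in range(M):
        if y >> i & 1:
            r ^= x << i
    if r & 0b100:
        r ^= 0b111
    return r

def span(gens):
    """All F_4-linear combinations of the generators, as a set of tuples."""
    vecs = {(0,) * N}
    for g in gens:
        vecs = {tuple(v ^ mul(c, gi) for v, gi in zip(vec, g)) for vec in vecs for c in range(4)}
    return vecs

def gf2_rank(rows):
    """Rank over F_2 of rows given as bit masks (Gaussian elimination)."""
    rows, rank = list(rows), 0
    while rows:
        p = rows.pop()
        if p:
            rank += 1
            low = p & -p
            rows = [r ^ p if r & low else r for r in rows]
    return rank

def rank_weight(x):
    """Gabidulin rank weight w_R(x): F_2-rank of the m x n matrix [x_1 ... x_n],
    whose r-th row collects bit r of every coordinate."""
    return gf2_rank(sum(((xi >> r) & 1) << i for i, xi in enumerate(x)) for r in range(M))

def hamming_weight(x):
    return sum(1 for xi in x if xi)

def first_rgrw(c1, c2):
    """1st RGRW of C1 ⊃ C2 = min{w_R(x) : x in C1 \\ C2}; with c2 = [] this is d_R(C1)."""
    return min(rank_weight(x) for x in span(c1) - span(c2))

def first_rghw(c1, c2):
    """1st RGHW of C1 ⊃ C2 = min{w_H(x) : x in C1 \\ C2}; with c2 = [] this is d_H(C1)."""
    return min(hamming_weight(x) for x in span(c1) - span(c2))

def frobenius_invariant(vecs):
    """Stichtenoth's condition V^{q0} = V, with x -> x^2 applied coordinate-wise."""
    return {tuple(mul(xi, xi) for xi in v) for v in vecs} == vecs

def kernel(columns):
    """ker f for f(X) = X M, M given by its d columns (entries in GF(4)), by enumeration."""
    def dot(x, c):
        r = 0
        for xi, ci in zip(x, c):
            r ^= mul(xi, ci)
        return r
    return {x for x in itertools.product(range(4), repeat=N) if not any(dot(x, c) for c in columns)}

if __name__ == "__main__":
    print("d_R(C1) =", first_rgrw(C1_GENS, []), " d_H(C1) =", first_rghw(C1_GENS, []))
    print("1st RGRW(C1 ⊃ C2) =", first_rgrw(C1_GENS, C2_GENS),
          " 1st RGHW(C1 ⊃ C2) =", first_rghw(C1_GENS, C2_GENS))
    print("M over F_2, ker f Frobenius-invariant:", frobenius_invariant(kernel([(1, 1, 0)])))
    print("M over F_4, ker f Frobenius-invariant:", frobenius_invariant(kernel([(1, 2, 0)])))
```

Here $(1,1,1)$ has Hamming weight 3 but rank weight 1, so $d_R(C_1) = 1 < d_H(C_1) = 2$, while every vector of $C_1 \setminus C_2$ has rank weight 2: the relative quantity ignores low-rank vectors that lie inside $C_2$. The kernel of $X \mapsto X_1 + X_2$ (an $M$ over $\mathbb{F}_2$) is closed under $x \mapsto x^2$, as slide 16 states, whereas the kernel of $X \mapsto X_1 + a X_2$ is not.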
21. Remark on the concurrent and independent result
The GRW (non-relative) and its relation to 𝐼(𝑆; 𝑓(𝑋)) on network coding
were also concurrently and independently reported in
F. Oggier and A. Sboui, “On the existence of generalized rank weights,” in
Proc. ISITA 2012, Honolulu, Hawaii, USA, Oct. 2012, pp. 406–410,
while Kurihara et al. reported them at the 2012 Allerton conference,
Monticello, IL, USA, Oct. 2012.
22. References
Kurihara et al. (2012): J. Kurihara, T. Uyematsu and R. Matsumoto, "Secret sharing schemes based on linear codes can be precisely characterized by the relative generalized Hamming weight," IEICE Trans. Fundamentals, vol. E95-A, no. 11, pp. 2067–2075, Nov. 2012. DOI 10.1587/transfun.E95.A.2067
Kurihara et al. (2015): J. Kurihara, R. Matsumoto and T. Uyematsu, "Relative generalized rank weight of linear codes and its applications to network coding," IEEE Trans. Inform. Theory, vol. 61, no. 7, pp. 3912–3936, July 2015. DOI 10.1109/TIT.2015.2429713
Luo et al. (2005): Y. Luo, C. Mitrpant, A. J. Han Vinck and K. Chen, "Some new characters on the wire-tap channel of type II," IEEE Trans. Inform. Theory, vol. 51, no. 3, pp. 1222–1229, Mar. 2005. DOI 10.1109/TIT.2004.842763
Oggier & Sboui (2012): F. Oggier and A. Sboui, "On the existence of generalized rank weights," in Proc. ISITA 2012, Honolulu, Hawaii, USA, Oct. 2012, pp. 406–410.