Showing 1–36 of 36 results for author: Gorla, E

The complexity of the SupportMinors Modeling for the MinRank Problem

Authors: Daniel Cabarcas, Giulia Gaggero, Elisa Gorla

Abstract: In this note, we provide proven estimates for the complexity of the SupportMinors Modeling, mostly confirming the heuristic complexity estimates contained in the original article. In this note, we provide proven estimates for the complexity of the SupportMinors Modeling, mostly confirming the heuristic complexity estimates contained in the original article. △ Less

Submitted 6 June, 2025; originally announced June 2025.

Latroids and code invariants

Authors: Elisa Gorla, Flavio Salizzoni

Abstract: Latroids were introduced by Vertigan, who associated a latroid to a linear block code and showed that its Tutte polynomial determines the weight enumerator of the code. We associate a latroid to a code over a ring or a field endowed with a general support function, and show that the generalized weights of the code can be recovered from the associated latroid. This provides a uniform framework for… ▽ More Latroids were introduced by Vertigan, who associated a latroid to a linear block code and showed that its Tutte polynomial determines the weight enumerator of the code. We associate a latroid to a code over a ring or a field endowed with a general support function, and show that the generalized weights of the code can be recovered from the associated latroid. This provides a uniform framework for studying generalized weights of linear block codes, linear codes over a ring, rank-metric and sum-rank metric codes. Under suitable assumptions, we show that the latroid determines the weight distribution of the code. △ Less

Submitted 4 March, 2025; originally announced March 2025.

The complexity of solving a random polynomial system

Authors: Giulia Gaggero, Elisa Gorla

Abstract: A multivariate cryptograpic instance in practice is a multivariate polynomial system. So the security of a protocol rely on the complexity of solving a multivariate polynomial system. In this paper there is an overview on a general algorithm used to solve a multivariate system and the quantity to which the complexity of this algorithm depends on: the solving degree. Unfortunately, it is hard to co… ▽ More A multivariate cryptograpic instance in practice is a multivariate polynomial system. So the security of a protocol rely on the complexity of solving a multivariate polynomial system. In this paper there is an overview on a general algorithm used to solve a multivariate system and the quantity to which the complexity of this algorithm depends on: the solving degree. Unfortunately, it is hard to compute. For this reason, it is introduced an invariant: the degree of regularity. This invariant, under certain condition, give us an upper bound on the solving degree. Then we speak about random polynomial systems and in particular what "random" means to us. Finally, we give an upper bound on both the degree of regularity and the solving degree of such random systems. △ Less

Submitted 18 November, 2024; v1 submitted 7 September, 2023; originally announced September 2023.

Integer sequences that are generalized weights of a linear code

Authors: Elisa Gorla, Elisa Lorenzo García, Umberto Martínez-Peñas, Flavio Salizzoni

Abstract: Which integer sequences are sequences of generalized weights of a linear code? In this paper, we answer this question for linear block codes, rank-metric codes, and more generally for sum-rank metric codes. We do so under an existence assumption for MDS and MSRD codes. We also prove that the same integer sequences appear as sequences of greedy weights of linear block codes, rank-metric codes, and… ▽ More Which integer sequences are sequences of generalized weights of a linear code? In this paper, we answer this question for linear block codes, rank-metric codes, and more generally for sum-rank metric codes. We do so under an existence assumption for MDS and MSRD codes. We also prove that the same integer sequences appear as sequences of greedy weights of linear block codes, rank-metric codes, and sum-rank metric codes. Finally, we characterize the integer sequences which appear as sequences of relative generalized weights (respectively, relative greedy weights) of linear block codes. △ Less

Submitted 13 July, 2023; originally announced July 2023.

Comments: 19 pages

MacWilliams' Extension Theorem for rank-metric codes

Authors: Elisa Gorla, Flavio Salizzoni

Abstract: The MacWilliams' Extension Theorem is a classical result by Florence Jessie MacWilliams. It shows that every linear isometry between linear block-codes endowed with the Hamming distance can be extended to a linear isometry of the ambient space. Such an extension fails to exist in general for rank-metric codes, that is, one can easily find examples of linear isometries between rank-metric codes whi… ▽ More The MacWilliams' Extension Theorem is a classical result by Florence Jessie MacWilliams. It shows that every linear isometry between linear block-codes endowed with the Hamming distance can be extended to a linear isometry of the ambient space. Such an extension fails to exist in general for rank-metric codes, that is, one can easily find examples of linear isometries between rank-metric codes which cannot be extended to linear isometries of the ambient space. In this paper, we explore to what extent a MacWilliams' Extension Theorem may hold for rank-metric codes. We provide an extensive list of examples of obstructions to the existence of an extension, as well as a positive result. △ Less

Submitted 26 April, 2023; originally announced April 2023.

Comments: 12 pages

MSC Class: 94B05 (Primary) 15A03 (Secondary)

Sum-rank metric codes

Authors: Elisa Gorla, Umberto Martínez-Peñas, Flavio Salizzoni

Abstract: Sum-rank metric codes are a natural extension of both linear block codes and rank-metric codes. They have several applications in information theory, including multishot network coding and distributed storage systems. The aim of this chapter is to present the mathematical theory of sum-rank metric codes, paying special attention to the $\mathbb{F}_q$-linear case in which different sizes of matrice… ▽ More Sum-rank metric codes are a natural extension of both linear block codes and rank-metric codes. They have several applications in information theory, including multishot network coding and distributed storage systems. The aim of this chapter is to present the mathematical theory of sum-rank metric codes, paying special attention to the $\mathbb{F}_q$-linear case in which different sizes of matrices are allowed. We provide a comprehensive overview of the main results in the area. In particular, we discuss invariants, optimal anticodes, and MSRD codes. In the last section, we concentrate on $\mathbb{F}_{q^m}$-linear codes. △ Less

Submitted 24 April, 2023; originally announced April 2023.

Generalized column distances

Authors: Elisa Gorla, Flavio Salizzoni

Abstract: We define a notion of r-generalized column distances for the j-truncation of a convolutional code. Taking the limit as j tends to infinity allows us to define r-generalized column distances of a convolutional code. We establish some properties of these invariants and compare them with other invariants of convolutional codes which appear in the literature. We define a notion of r-generalized column distances for the j-truncation of a convolutional code. Taking the limit as j tends to infinity allows us to define r-generalized column distances of a convolutional code. We establish some properties of these invariants and compare them with other invariants of convolutional codes which appear in the literature. △ Less

Submitted 23 December, 2022; originally announced December 2022.

Comments: 13 pages, submitted

Generalized weights of convolutional codes

Authors: Elisa Gorla, Flavio Salizzoni

Abstract: In 1997 Rosenthal and York defined generalized Hamming weights for convolutional codes, by regarding a convolutional code as an infinite dimensional linear code endowed with the Hamming metric. In this paper, we propose a new definition of generalized weights of convolutional codes, that takes into account the underlying module structure of the code. We derive the basic properties of our generaliz… ▽ More In 1997 Rosenthal and York defined generalized Hamming weights for convolutional codes, by regarding a convolutional code as an infinite dimensional linear code endowed with the Hamming metric. In this paper, we propose a new definition of generalized weights of convolutional codes, that takes into account the underlying module structure of the code. We derive the basic properties of our generalized weights and discuss the relation with the previous definition. We establish upper bounds on the weight hierarchy of MDS and MDP codes and show that that, depending on the code parameters, some or all of the generalized weights of MDS codes are determined by the length, rank, and internal degree of the code. We also prove an anticode bound for convolutional codes and define optimal anticodes as the codes which meet the anticode bound. Finally, we classify optimal anticodes and compute their weight hierarchy. △ Less

Submitted 25 July, 2022; originally announced July 2022.

Quasi optimal anticodes: structure and invariants

Authors: Elisa Gorla, Cristina Landolina

Abstract: It is well-known that the dimension of optimal anticodes in the rank-metric is divisible by the maximum m between the number of rows and columns of the matrices. Moreover, for a fixed k divisible by m, optimal rank-metric anticodes are the codes with least maximum rank, among those of dimension k. In this paper, we study the family of rank-metric codes whose dimension is not divisible by m and who… ▽ More It is well-known that the dimension of optimal anticodes in the rank-metric is divisible by the maximum m between the number of rows and columns of the matrices. Moreover, for a fixed k divisible by m, optimal rank-metric anticodes are the codes with least maximum rank, among those of dimension k. In this paper, we study the family of rank-metric codes whose dimension is not divisible by m and whose maximum rank is the least possible for codes of that dimension, according to the Anticode bound. As these are not optimal anticodes, we call them quasi optimal anticodes (qOACs). In addition, we call dually qOAC a qOAC whose dual is also a qOAC. We describe explicitly the structure of dually qOACs and compute their weight distributions, generalized weights, and associated q-polymatroids. △ Less

Submitted 19 January, 2022; originally announced January 2022.

Generalized weights of codes over rings and invariants of monomial ideals

Authors: Elisa Gorla, Alberto Ravagnani

Abstract: We develop an algebraic theory of supports for $R$-linear codes of fixed length, where $R$ is a finite commutative unitary ring. A support naturally induces a notion of generalized weights and allows one to associate a monomial ideal to a code. Our main result states that, under suitable assumptions, the generalized weights of a code can be obtained from the graded Betti numbers of its associated… ▽ More We develop an algebraic theory of supports for $R$-linear codes of fixed length, where $R$ is a finite commutative unitary ring. A support naturally induces a notion of generalized weights and allows one to associate a monomial ideal to a code. Our main result states that, under suitable assumptions, the generalized weights of a code can be obtained from the graded Betti numbers of its associated monomial ideal. In the case of $\mathbb{F}_q$-linear codes endowed with the Hamming metric, the ideal coincides with the Stanley-Reisner ideal of the matroid associated to the code via its parity-check matrix. In this special setting, we recover the known result that the generalized weights of an $\mathbb{F}_q$-linear code can be obtained from the graded Betti numbers of the ideal of the matroid associated to the code. We also study subcodes and codewords of minimal support in a code, proving that a large class of $R$-linear codes is generated by its codewords of minimal support. △ Less

Submitted 15 January, 2022; originally announced January 2022.

The complexity of solving Weil restriction systems

Authors: Alessio Caminata, Michela Ceria, Elisa Gorla

Abstract: The solving degree of a system of multivariate polynomial equations provides an upper bound for the complexity of computing the solutions of the system via Groebner bases methods. In this paper, we consider polynomial systems that are obtained via Weil restriction of scalars. The latter is an arithmetic construction which, given a finite Galois field extension $k\hookrightarrow K$, associates to a… ▽ More The solving degree of a system of multivariate polynomial equations provides an upper bound for the complexity of computing the solutions of the system via Groebner bases methods. In this paper, we consider polynomial systems that are obtained via Weil restriction of scalars. The latter is an arithmetic construction which, given a finite Galois field extension $k\hookrightarrow K$, associates to a system $\mathcal{F}$ defined over $K$ a system $\mathrm{Weil}(\mathcal{F})$ defined over $k$, in such a way that the solutions of $\mathcal{F}$ over $K$ and those of $\mathrm{Weil}(\mathcal{F})$ over $k$ are in natural bijection. In this paper, we find upper bounds for the complexity of solving a polynomial system $\mathrm{Weil}(\mathcal{F})$ obtained via Weil restriction in terms of algebraic invariants of the system $\mathcal{F}$. △ Less

Submitted 3 February, 2023; v1 submitted 20 December, 2021; originally announced December 2021.

Comments: Final version. To appear in Journal of Algebra

Solving degree, last fall degree, and related invariants

Authors: Alessio Caminata, Elisa Gorla

Abstract: In this paper we study and relate several invariants connected to the solving degree of a polynomial system. This provides a rigorous framework for estimating the complexity of solving a system of polynomial equations via Groebner bases methods. Our main results include a connection between the solving degree and the last fall degree and one between the degree of regularity and the Castelnuovo-Mum… ▽ More In this paper we study and relate several invariants connected to the solving degree of a polynomial system. This provides a rigorous framework for estimating the complexity of solving a system of polynomial equations via Groebner bases methods. Our main results include a connection between the solving degree and the last fall degree and one between the degree of regularity and the Castelnuovo-Mumford regularity. △ Less

Submitted 1 June, 2022; v1 submitted 10 December, 2021; originally announced December 2021.

Comments: Final version. To appear in Journal of Symbolic Computation

Optimal anticodes, MSRD codes, and generalized weights in the sum-rank metric

Authors: Eduardo Camps Moreno, Elisa Gorla, Cristina Landolina, Elisa Lorenzo García, Umberto Martínez-Peñas, Flavio Salizzoni

Abstract: Sum-rank metric codes have recently attracted the attention of many researchers, due to their relevance in several applications. Mathematically, the sum-rank metric is a natural generalization of both the Hamming metric and the rank metric. In this paper, we provide an Anticode Bound for the sum-rank metric, which extends the corresponding Hamming and rank-metric Anticode bounds. We classify then… ▽ More Sum-rank metric codes have recently attracted the attention of many researchers, due to their relevance in several applications. Mathematically, the sum-rank metric is a natural generalization of both the Hamming metric and the rank metric. In this paper, we provide an Anticode Bound for the sum-rank metric, which extends the corresponding Hamming and rank-metric Anticode bounds. We classify then optimal anticodes, i.e., codes attaining the sum-rank metric Anticode Bound. We use these optimal anticodes to define generalized sum-rank weights and we study their main properties. In particular, we prove that the generalized weights of an MSRD code are determined by its parameters. As an application, in the Appendix we explain how generalized weights measure information leakage in multishot network coding. △ Less

Submitted 21 December, 2021; v1 submitted 28 July, 2021; originally announced July 2021.

Stronger bounds on the cost of computing Groebner bases for HFE systems

Authors: Elisa Gorla, Daniela Mueller, Christophe Petit

Abstract: We give upper bounds for the solving degree and the last fall degree of the polynomial system associated to the HFE (Hidden Field Equations) cryptosystem. Our bounds improve the known bounds for this type of systems. We also present new results on the connection between the solving degree and the last fall degree and prove that, in some cases, the solving degree is independent of coordinate change… ▽ More We give upper bounds for the solving degree and the last fall degree of the polynomial system associated to the HFE (Hidden Field Equations) cryptosystem. Our bounds improve the known bounds for this type of systems. We also present new results on the connection between the solving degree and the last fall degree and prove that, in some cases, the solving degree is independent of coordinate changes. △ Less

Submitted 2 November, 2020; originally announced November 2020.

Comments: 15 pages

Semi-regular sequences and other random systems of equations

Authors: M. Bigdeli, E. De Negri, M. M. Dizdarevic, E. Gorla, R. Minko, S. Tsakou

Abstract: The security of multivariate cryptosystems and digital signature schemes relies on the hardness of solving a system of polynomial equations over a finite field. Polynomial system solving is also currently a bottleneck of index-calculus algorithms to solve the elliptic and hyperelliptic curve discrete logarithm problem. The complexity of solving a system of polynomial equations is closely related t… ▽ More The security of multivariate cryptosystems and digital signature schemes relies on the hardness of solving a system of polynomial equations over a finite field. Polynomial system solving is also currently a bottleneck of index-calculus algorithms to solve the elliptic and hyperelliptic curve discrete logarithm problem. The complexity of solving a system of polynomial equations is closely related to the cost of computing Groebner bases, since computing the solutions of a polynomial system can be reduced to finding a lexicographic Groebner basis for the ideal generated by the equations. Several algorithms for computing such bases exist: We consider those based on repeated Gaussian elimination of Macaulay matrices. In this paper, we analyze the case of random systems, where random systems means either semi-regular systems, or quadratic systems in n variables which contain a regular sequence of n polynomials. We provide explicit formulae for bounds on the solving degree of semi-regular systems with m > n equations in n variables, for equations of arbitrary degrees for m = n+1, and for any m for systems of quadratic or cubic polynomials. In the appendix, we provide a table of bounds for the solving degree of semi-regular systems of m = n + k quadratic equations in n variables for 2 <= k; n <= 100 and online we provide the values of the bounds for 2 <= k; n <= 500. For quadratic systems which contain a regular sequence of n polynomials, we argue that the Eisenbud-Green-Harris Conjecture, if true, provides a sharp bound for their solving degree, which we compute explicitly. △ Less

Submitted 2 November, 2020; originally announced November 2020.

Comments: 27 pages, 4 tables

MSC Class: Primary: 94A60; 13P10; 13P15; 13P25; Secondary: 13D40

The complexity of MinRank

Authors: Alessio Caminata, Elisa Gorla

Abstract: In this note, we leverage some of our results from arXiv:1706.06319 to produce a concise and rigorous proof for the complexity of the generalized MinRank Problem in the under-defined and well-defined case. Our main theorem recovers and extends previous results by Faugère, Safey El Din, Spaenlehauer (arXiv:1112.4411). In this note, we leverage some of our results from arXiv:1706.06319 to produce a concise and rigorous proof for the complexity of the generalized MinRank Problem in the under-defined and well-defined case. Our main theorem recovers and extends previous results by Faugère, Safey El Din, Spaenlehauer (arXiv:1112.4411). △ Less

Submitted 10 March, 2022; v1 submitted 6 May, 2019; originally announced May 2019.

Comments: Final version. Theorem numbering adjusted to match the published version

MSC Class: 94A60; 13P10; 13P15; 13C40; 13P25

Journal ref: Women in Numbers Europe III. Association for Women in Mathematics Series, vol 24, pp. 163-169, Springer, Cham, 2021

Rank-metric codes

Authors: Elisa Gorla

Abstract: This is a chapter of the upcoming "A Concise Encyclopedia of Coding Theory", W.C. Huffman, J.-L. Kim, and P. Sole' Eds., CRC Press. The chapter gives an introduction to the mathematical theory of rank-metric codes. Treated topics include: definition of rank metric, equivalence of codes, support of a codeword and of a code, duality, weight enumerators and MacWilliams identities, higher rank weights… ▽ More This is a chapter of the upcoming "A Concise Encyclopedia of Coding Theory", W.C. Huffman, J.-L. Kim, and P. Sole' Eds., CRC Press. The chapter gives an introduction to the mathematical theory of rank-metric codes. Treated topics include: definition of rank metric, equivalence of codes, support of a codeword and of a code, duality, weight enumerators and MacWilliams identities, higher rank weights, MRD codes, optimal anticodes, and q-polymatroids associated to a rank-metric code. △ Less

Submitted 7 February, 2019; originally announced February 2019.

Comments: 26 pages, to appear in "A Concise Encyclopedia of Coding Theory", W.C. Huffman, J.-L. Kim, and P. Sole' Eds., CRC Press

Report number: ICERM-Fall2018

Rank-Metric Codes and $q$-Polymatroids

Authors: Elisa Gorla, Relinde Jurrius, Hiram H. López, Alberto Ravagnani

Abstract: This paper contributes to the study of rank-metric codes from an algebraic and combinatorial point of view. We introduce $q$-polymatroids, the $q$-analogue of polymatroids, and develop their basic properties. We associate a pair of q-polymatroids to a rank-metric codes and show that several invariants and structural properties of the code, such as generalized weights, the property of being MRD or… ▽ More This paper contributes to the study of rank-metric codes from an algebraic and combinatorial point of view. We introduce $q$-polymatroids, the $q$-analogue of polymatroids, and develop their basic properties. We associate a pair of q-polymatroids to a rank-metric codes and show that several invariants and structural properties of the code, such as generalized weights, the property of being MRD or an optimal anticode, and duality, are captured by the associated combinatorial object. △ Less

Submitted 5 September, 2019; v1 submitted 28 March, 2018; originally announced March 2018.

Comments: Previous version has a typo in M_2 in Example 2.5

Journal ref: Journal of Algebraic Combinatorics (2019)

Codes Endowed With the Rank Metric

Authors: Elisa Gorla, Alberto Ravagnani

Abstract: We review the main results of the theory of rank-metric codes, with emphasis on their combinatorial properties. We study their duality theory and MacWilliams identities, comparing in particular rank-metric codes in vector and matrix representation. We then investigate the combinatorial structure of MRD codes and optimal anticodes in the rank metric, describing how they relate to each other. We review the main results of the theory of rank-metric codes, with emphasis on their combinatorial properties. We study their duality theory and MacWilliams identities, comparing in particular rank-metric codes in vector and matrix representation. We then investigate the combinatorial structure of MRD codes and optimal anticodes in the rank metric, describing how they relate to each other. △ Less

Submitted 5 October, 2017; originally announced October 2017.

Scalar multiplication in compressed coordinates in the trace-zero subgroup

Authors: Giulia Bianco, Elisa Gorla

Abstract: We consider trace-zero subgroups of elliptic curves over a degree three field extension. The elements of these groups can be represented in compressed coordinates, i.e. via the two coefficients of the line that passes through the point and its two Frobenius conjugates. In this paper we give the first algorithm to compute scalar multiplication in the degree three trace-zero subgroup using these coo… ▽ More We consider trace-zero subgroups of elliptic curves over a degree three field extension. The elements of these groups can be represented in compressed coordinates, i.e. via the two coefficients of the line that passes through the point and its two Frobenius conjugates. In this paper we give the first algorithm to compute scalar multiplication in the degree three trace-zero subgroup using these coordinates. △ Less

Submitted 13 September, 2017; originally announced September 2017.

Comments: 23 pages

Solving multivariate polynomial systems and an invariant from commutative algebra

Authors: Alessio Caminata, Elisa Gorla

Abstract: The complexity of computing the solutions of a system of multivariate polynomial equations by means of Groebner bases computations is upper bounded by a function of the solving degree. In this paper, we discuss how to rigorously estimate the solving degree of a system, focusing on systems arising within public-key cryptography. In particular, we show that it is upper bounded by, and often equal to… ▽ More The complexity of computing the solutions of a system of multivariate polynomial equations by means of Groebner bases computations is upper bounded by a function of the solving degree. In this paper, we discuss how to rigorously estimate the solving degree of a system, focusing on systems arising within public-key cryptography. In particular, we show that it is upper bounded by, and often equal to, the Castelnuovo-Mumford regularity of the ideal generated by the homogenization of the equations of the system, or by the equations themselves in case they are homogeneous. We discuss the underlying commutative algebra and clarify under which assumptions the commonly used results hold. In particular, we discuss the assumption of being in generic coordinates (often required for bounds obtained following this type of approach) and prove that systems that contain the field equations or their fake Weil descent are in generic coordinates. We also compare the notion of solving degree with that of degree of regularity, which is commonly used in the literature. We complement the paper with some examples of bounds obtained following the strategy that we describe. △ Less

Submitted 21 September, 2022; v1 submitted 20 June, 2017; originally announced June 2017.

Comments: Final version. Theorem numbering adjusted to match the published version

MSC Class: 94A60; 13P10; 13P15; 13P25; 68W40

Journal ref: Lecture Notes in Computer Science, 2021, 12542 LNCS, pp. 3-36

An algebraic framework for end-to-end physical-layer network coding

Authors: Elisa Gorla, Alberto Ravagnani

Abstract: We propose an algebraic setup for end-to-end physical-layer network coding based on submodule transmission. We introduce a distance function between modules, describe how it relates to information loss and errors, and show how to compute it. Then we propose a definition of submodule error-correcting code, and investigate bounds and constructions for such codes. We propose an algebraic setup for end-to-end physical-layer network coding based on submodule transmission. We introduce a distance function between modules, describe how it relates to information loss and errors, and show how to compute it. Then we propose a definition of submodule error-correcting code, and investigate bounds and constructions for such codes. △ Less

Submitted 13 November, 2016; originally announced November 2016.

Rank distribution of Delsarte codes

Authors: Javier de la Cruz, Elisa Gorla, Hiram H. Lopez, Alberto Ravagnani

Abstract: In analogy with the Singleton defect for classical codes, we propose a definition of rank defect for Delsarte rank-metric codes. We characterize codes whose rank defect and dual rank defect are both zero, and prove that the rank distribution of such codes is determined by their parameters. This extends a result by Delsarte on the rank distribution of MRD codes. In the general case of codes of posi… ▽ More In analogy with the Singleton defect for classical codes, we propose a definition of rank defect for Delsarte rank-metric codes. We characterize codes whose rank defect and dual rank defect are both zero, and prove that the rank distribution of such codes is determined by their parameters. This extends a result by Delsarte on the rank distribution of MRD codes. In the general case of codes of positive defect, we show that the rank distribution is determined by the parameters of the code, together the number of codewords of small rank. Moreover, we prove that if the rank defect of a code and its dual are both one, and the dimension satisfies a divisibility condition, then the number of minimum-rank codewords and dual minimum-rank codewords is the same. Finally, we discuss how our results specialize to Gabidulin codes. △ Less

Submitted 4 October, 2015; originally announced October 2015.

MSC Class: 2010: 94B60; 94C99; 68P30

Journal ref: Designs, Codes and Cryptography, 86 (2018), no. 1, 1-16

Compression for trace zero points on twisted Edwards curves

Authors: Giulia Bianco, Elisa Gorla

Abstract: We propose two optimal representations for the elements of trace zero subgroups of twisted Edwards curves. For both representations, we provide efficient compression and decompression algorithms. The efficiency of the algorithm is compared with the efficiency of similar algorithms on elliptic curves in Weierstrass form. We propose two optimal representations for the elements of trace zero subgroups of twisted Edwards curves. For both representations, we provide efficient compression and decompression algorithms. The efficiency of the algorithm is compared with the efficiency of similar algorithms on elliptic curves in Weierstrass form. △ Less

Submitted 27 July, 2015; originally announced July 2015.

Equidistant subspace codes

Authors: Elisa Gorla, Alberto Ravagnani

Abstract: In this paper we study equidistant subspace codes, i.e. subspace codes with the property that each two distinct codewords have the same distance. We provide an almost complete classification of such codes under the assumption that the cardinality of the ground field is large enough. More precisely, we prove that for most values of the parameters, an equidistant code of maximum cardinality is eithe… ▽ More In this paper we study equidistant subspace codes, i.e. subspace codes with the property that each two distinct codewords have the same distance. We provide an almost complete classification of such codes under the assumption that the cardinality of the ground field is large enough. More precisely, we prove that for most values of the parameters, an equidistant code of maximum cardinality is either a sunflower or the orthogonal of a sunflower. We also study equidistant codes with extremal parameters, and establish general properties of equidistant codes that are not sunflowers. Finally, we propose a systematic construction of equidistant codes based on our previous construction of partial spread codes, and provide an efficient decoding algorithm. △ Less

Submitted 7 July, 2015; originally announced July 2015.

MSC Class: 11T71; 14G50; 94B60; 51E23; 15A21

Subspace codes from Ferrers diagrams

Authors: Elisa Gorla, Alberto Ravagnani

Abstract: In this paper we give new constructions of Ferrer diagram rank metric codes, which achieve the largest possible dimension. In particular, we prove several cases of a conjecture by T. Etzion and N. Silberstein. We also establish a sharp lower bound on the dimension of linear rank metric anticodes with a given profile. Combining our results with the multilevel construction, we produce examples of su… ▽ More In this paper we give new constructions of Ferrer diagram rank metric codes, which achieve the largest possible dimension. In particular, we prove several cases of a conjecture by T. Etzion and N. Silberstein. We also establish a sharp lower bound on the dimension of linear rank metric anticodes with a given profile. Combining our results with the multilevel construction, we produce examples of subspace codes with the largest known cardinality for the given parameters. △ Less

Submitted 13 June, 2014; v1 submitted 12 May, 2014; originally announced May 2014.

Comments: minor edits

An optimal representation for the trace zero subgroup

Authors: Elisa Gorla, Maike Massierer

Abstract: We give an optimal-size representation for the elements of the trace zero subgroup of the Picard group of an elliptic or hyperelliptic curve of any genus, with respect to a field extension of any prime degree. The representation is via the coefficients of a rational function, and it is compatible with scalar multiplication of points. We provide efficient compression and decompression algorithms, a… ▽ More We give an optimal-size representation for the elements of the trace zero subgroup of the Picard group of an elliptic or hyperelliptic curve of any genus, with respect to a field extension of any prime degree. The representation is via the coefficients of a rational function, and it is compatible with scalar multiplication of points. We provide efficient compression and decompression algorithms, and complement them with implementation results. We discuss in detail the practically relevant cases of small genus and extension degree, and compare with the other known compression methods. △ Less

Submitted 15 June, 2016; v1 submitted 12 May, 2014; originally announced May 2014.

Comments: submitted

MSC Class: primary: 14G50; 11G25; 14H52; secondary: 11T71; 14K15

Index Calculus in the Trace Zero Variety

Authors: Elisa Gorla, Maike Massierer

Abstract: We discuss how to apply Gaudry's index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implemen… ▽ More We discuss how to apply Gaudry's index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implementation. △ Less

Submitted 23 February, 2015; v1 submitted 5 May, 2014; originally announced May 2014.

Comments: 20 pages

MSC Class: primary: 14G50; 11G25; 11Y40; secondary: 11T71; 14K15; 14H52

Computing the dimension of ideals in group algebras, with an application to coding theory

Authors: Michele Elia, Elisa Gorla

Abstract: The problem of computing the dimension of a left/right ideal in a group algebra F[G] of a finite group G over a field F is considered. The ideal dimension is related to the rank of a matrix originating from a regular left/right representation of G; in particular, when F[G] is semisimple, the dimension of a principal ideal is equal to the rank of the matrix representing a generator. From this obser… ▽ More The problem of computing the dimension of a left/right ideal in a group algebra F[G] of a finite group G over a field F is considered. The ideal dimension is related to the rank of a matrix originating from a regular left/right representation of G; in particular, when F[G] is semisimple, the dimension of a principal ideal is equal to the rank of the matrix representing a generator. From this observation, a bound and an efficient algorithm to compute the dimension of an ideal in a group ring are established. Since group codes are ideals in finite group rings, the algorithm allows efficient computation of their dimension. △ Less

Submitted 6 September, 2019; v1 submitted 31 March, 2014; originally announced March 2014.

Comments: 13 pages, submitted

Point compression for the trace zero subgroup over a small degree extension field

Authors: Elisa Gorla, Maike Massierer

Abstract: Using Semaev's summation polynomials, we derive a new equation for the $\mathbb{F}_q$-rational points of the trace zero variety of an elliptic curve defined over $\mathbb{F}_q$. Using this equation, we produce an optimal-size representation for such points. Our representation is compatible with scalar multiplication. We give a point compression algorithm to compute the representation and a decompr… ▽ More Using Semaev's summation polynomials, we derive a new equation for the $\mathbb{F}_q$-rational points of the trace zero variety of an elliptic curve defined over $\mathbb{F}_q$. Using this equation, we produce an optimal-size representation for such points. Our representation is compatible with scalar multiplication. We give a point compression algorithm to compute the representation and a decompression algorithm to recover the original point (up to some small ambiguity). The algorithms are efficient for trace zero varieties coming from small degree extension fields. We give explicit equations and discuss in detail the practically relevant cases of cubic and quintic field extensions. △ Less

Submitted 1 March, 2014; originally announced March 2014.

Comments: 23 pages, to appear in Designs, Codes and Cryptography

MSC Class: 14G50; 11G25; 14H52; 11T71; 14K15

Partial Spreads in Random Network Coding

Authors: Elisa Gorla, Alberto Ravagnani

Abstract: Following the approach by R. Kötter and F. R. Kschischang, we study network codes as families of k-dimensional linear subspaces of a vector space F_q^n, q being a prime power and F_q the finite field with q elements. In particular, following an idea in finite projective geometry, we introduce a class of network codes which we call "partial spread codes". Partial spread codes naturally generalize s… ▽ More Following the approach by R. Kötter and F. R. Kschischang, we study network codes as families of k-dimensional linear subspaces of a vector space F_q^n, q being a prime power and F_q the finite field with q elements. In particular, following an idea in finite projective geometry, we introduce a class of network codes which we call "partial spread codes". Partial spread codes naturally generalize spread codes. In this paper we provide an easy description of such codes in terms of matrices, discuss their maximality, and provide an efficient decoding algorithm. △ Less

Submitted 24 June, 2013; originally announced June 2013.

MSC Class: 11T71

An Algebraic Approach for Decoding Spread Codes

Authors: Elisa Gorla, Felice Manganiello, Joachim Rosenthal

Abstract: In this paper we study spread codes: a family of constant-dimension codes for random linear network coding. In other words, the codewords are full-rank matrices of size (k x n) with entries in a finite field F_q. Spread codes are a family of optimal codes with maximal minimum distance. We give a minimum-distance decoding algorithm which requires O((n-k)k^3) operations over an extension field F_{q^… ▽ More In this paper we study spread codes: a family of constant-dimension codes for random linear network coding. In other words, the codewords are full-rank matrices of size (k x n) with entries in a finite field F_q. Spread codes are a family of optimal codes with maximal minimum distance. We give a minimum-distance decoding algorithm which requires O((n-k)k^3) operations over an extension field F_{q^k}. Our algorithm is more efficient than the previous ones in the literature, when the dimension k of the codewords is small with respect to n. The decoding algorithm takes advantage of the algebraic structure of the code, and it uses original results on minors of a matrix and on the factorization of polynomials over finite fields. △ Less

Submitted 6 June, 2012; v1 submitted 27 July, 2011; originally announced July 2011.

Spread Codes and Spread Decoding in Network Coding

Authors: Felice Manganiello, Elisa Gorla, Joachim Rosenthal

Abstract: In this paper we introduce the class of Spread Codes for the use in random network coding. Spread Codes are based on the construction of spreads in finite projective geometry. The major contribution of the paper is an efficient decoding algorithm of spread codes up to half the minimum distance. In this paper we introduce the class of Spread Codes for the use in random network coding. Spread Codes are based on the construction of spreads in finite projective geometry. The major contribution of the paper is an efficient decoding algorithm of spread codes up to half the minimum distance. △ Less

Submitted 21 May, 2008; v1 submitted 5 May, 2008; originally announced May 2008.

Journal ref: Proceedings of the 2008 IEEE International Symposium on Information Theory, Toronto, ON, Canada, July 6 - 11, 2008

Efficient FPGA-based multipliers for F_{3^97} and F_{3^{6*97}}

Authors: Jamshid Shokrollahi, Elisa Gorla, Christoph Puttmann

Abstract: In this work we present a new structure for multiplication in finite fields. This structure is based on a digit-level LFSR (Linear Feedback Shift Register) multiplier in which the area of digit-multipliers are reduced using the Karatsuba method. We compare our results with the other works in the literature for F_{3^97}. We also propose new formulas for multiplication in F_{3^{6*97}}. These new f… ▽ More In this work we present a new structure for multiplication in finite fields. This structure is based on a digit-level LFSR (Linear Feedback Shift Register) multiplier in which the area of digit-multipliers are reduced using the Karatsuba method. We compare our results with the other works in the literature for F_{3^97}. We also propose new formulas for multiplication in F_{3^{6*97}}. These new formulas reduce the number of F_{3^97}-multiplications from 18 to 15. The fields F_{3^{97}} and F_{3^{6*97}} are relevant in the context of pairing-based cryptography. △ Less

Submitted 22 August, 2007; originally announced August 2007.

Comments: 6 pages, 3 figures, to appear in the proceedings of FPL07

Explicit formulas for efficient multiplication in F_{3^{6m}}

Authors: Elisa Gorla, Christoph Puttmann, Jamshid Shokrollahi

Abstract: Efficient computation of the Tate pairing is an important part of pairing-based cryptography. Recently with the introduction of the Duursma-Lee method special attention has been given to the fields of characteristic 3. Especially multiplication in F_{3^{6m}}, where m is prime, is an important operation in the above method. In this paper we propose a new method to reduce the number of F_{3^m} mul… ▽ More Efficient computation of the Tate pairing is an important part of pairing-based cryptography. Recently with the introduction of the Duursma-Lee method special attention has been given to the fields of characteristic 3. Especially multiplication in F_{3^{6m}}, where m is prime, is an important operation in the above method. In this paper we propose a new method to reduce the number of F_{3^m} multiplications for multiplication in F_{3^{6m}} from 18 in recent implementations to 15. The method is based on the fast Fourier tranmsform and explicit formulas are given. The execution times of our software implementations for F_{3^{6m}} show the efficiency of our results. △ Less

Submitted 22 August, 2007; originally announced August 2007.

Comments: 11 pages, to appear in the proceedings of SAC2007

Cryptanalysis of the CFVZ cryptosystem

Authors: J. J. Climent, E. Gorla, J. Rosenthal

Abstract: The paper analyzes a new public key cryptosystem whose security is based on a matrix version of the discrete logarithm problem over an elliptic curve. It is shown that the complexity of solving the underlying problem for the proposed system is dominated by the complexity of solving a fixed number of discrete logarithm problems in the group of an elliptic curve. Using an adapted Pollard rho algor… ▽ More The paper analyzes a new public key cryptosystem whose security is based on a matrix version of the discrete logarithm problem over an elliptic curve. It is shown that the complexity of solving the underlying problem for the proposed system is dominated by the complexity of solving a fixed number of discrete logarithm problems in the group of an elliptic curve. Using an adapted Pollard rho algorithm it is shown that this problem is essentially as hard as solving one discrete logarithm problem in the group of an elliptic curve. △ Less

Submitted 10 February, 2006; originally announced February 2006.

Comments: 12 pages