Twisted Hermitian Codes

Abstract

We define a family of codes called twisted Hermitian codes, which are based on Hermitian codes and inspired by the twisted Reed–Solomon codes described by Beelen, Puchinger, and Nielsen. We demonstrate that these new codes can have high-dimensional Schur squares, and we identify a subfamily of twisted Hermitian codes that achieves a Schur square dimension close to that of a random linear code. Twisted Hermitian codes allow one to work over smaller alphabets than those based on Reed–Solomon codes of similar lengths.

1. Introduction

Reed–Solomon and Hermitian codes are algebraic geometry codes based on the projective line and the Hermitian curve, respectively. To define an algebraic geometry code, let X be a smooth, projective, absolutely irreducible curve over a finite field $\mathbb{F}$. Let G and $D:=P_1+\cdots +P_n$ be divisors on X such that $P_1,\cdots ,P_n$ are distinct $\mathbb{F}$-rational points and the support of G does not contain any of the $P_i$. An algebraic geometric code is of the form

$$C(D,G)=\left\{\left(f\left(P_1\right),f\left(P_2\right),\cdots ,f\left(P_n\right)\right):f\in \mathcal{L}\left(G\right)\right\}\subseteq {\mathbb{F}}^n$$

where $\mathcal{L}\left(G\right)=\left\{f:\left(f\right)\ge -G\right\}\cup \left\{0\right\}$ and $\left(f\right)$ denotes the divisior of the rational function f on X. In this paper, we will modify this construction for Hermitian codes to yield a new family of codes, called twisted Hermitian codes, with the goal of producing codes which have large Schur squares. Given a finite field $\mathbb{F}$ and a positive integer n, the Schur product of vectors $\mathbf{x}=(x_1,\cdots ,x_n),\mathbf{y}=(y_1,\cdots ,y_n)\in {\mathbb{F}}^n$ is

$$\mathbf{x}\ast \mathbf{y}≔\left(x_1{y}_1,\dots ,x_n{y}_n\right)\in {\mathbb{F}}^n.$$

The Schur product of two linear codes ${\mathcal{C}}_1,{\mathcal{C}}_2\subseteq {\mathbb{F}}^n$ is

$${\mathcal{C}}_1\ast {\mathcal{C}}_2≔〈{\mathbf{c}}_{\mathbf{1}}\ast {\mathbf{c}}_{\mathbf{2}}\mid {\mathbf{c}}_{\mathbf{1}}\in {\mathcal{C}}_1,{\mathbf{c}}_{\mathbf{2}}\in {\mathcal{C}}_2〉,$$

meaning ${\mathcal{C}}_1\ast {\mathcal{C}}_2$ is the set of all linear combinations of vectors of the form ${\mathbf{c}}_{\mathbf{1}}\ast {\mathbf{c}}_{\mathbf{2}}$ with coefficients in $\mathbb{F}$ and ${\mathbf{c}}_{\mathbf{1}}\in {\mathcal{C}}_1,{\mathbf{c}}_{\mathbf{2}}\in {\mathcal{C}}_2$. The Schur square of a linear code $\mathcal{C}$ is ${\mathcal{C}}^2≔\mathcal{C}\ast \mathcal{C}$. Schur products were originally used to define error-locating pairs [1] and now arise in several applications, such as secret sharing [2] and code-based cryptography [3]. A challenge in coding theory is to specify explicit codes with high-dimensional Schur squares.

When either a Reed–Solomon code or a Hermitian code is squared, the result is typically a code of the same type which limits its dimension. To obtain a code of the same dimension whose square is much larger, twisted Reed–Solomon codes were defined by Beelen, Puchinger, and Nielsen [4], drawing upon ideas from the twisted Gabidulin codes of Sheekey [5]. These same ideas serve as inspiration for the recent work [6]. In this paper, we introduce twisted Hermitian codes which have an advantage over twisted Reed–Solomon codes in that codes of similar lengths can be obtained over smaller alphabets. Utilizing smaller alphabets can reduce the computational complexity of the finite field arithmetic. For instance, to obtain a (twisted) Reed–Solomon code of length 4096, one must use an alphabet of size 4096 whereas a (twisted) Hermitian code of the same length only requires an alphabet size of 256; hence, one can work over the field with 256 elements rather than the field of cardinality 4096. Twisted Hermitian codes can have a large Schur square, as demonstrated herein, by making use of field extensions.

The motivation is to explicitly construct codes whose behavior, loosely speaking, mimics that of random codes. While this is interesting in its own right, it is also prompted by the McEliece cryptosystem, which is a code-based cryptosystem introduced by McEliece in 1978 [7]. The public key in the McEliece cryptosystem is an obfuscation of the underlying linear code (chosen by McEliece to be a binary Goppa code), disguised to appear as a random code, meaning one lacking any recognizable structure. The security of the McEliece cryptosystem is derived from the NP-hardness of decoding a random linear code, proven by Berlekamp, McEliece, and Tilborg in 1978 [8]. Though the McEliece cryptosystem remains unbroken to this day (even with quantum algorithms), its reliance on binary Goppa codes results in large key sizes that hinder practical implementation. As a result, many variants of the McEliece cryptosystem have been introduced, with other linear codes (including the algebraic geometry codes [9]) substituted within. Additional structure can lead to a reduction in key size but often at the cost of introducing vulnerabilities that allow an attacker to extract identifying characteristics of the underlying code from the public-key matrix; see, for instance, the recent work by Couvreur, Márquez-Corbella, and Pellikaan on algebraic geometry codes [10] as well as that of Márquez-Corbella, Martínez-Moro and Pellikaan [3]. Once the attacker can identify the underlying code, the fundamental assumption that secures the McEliece cryptosystem is no longer valid. The twisted construction presents a challenge to the attacker in that its square is not readily identifiable due to its large dimension. However, Lavauzelle and Renner recently demonstrated that for many parameter choices, twisted Reed–Solomon codes have a subfield subcode which is vulnerable to attack [11]. We discuss the possibility of such an attack for twisted Hermitian codes, pointing out a few key differences.

This paper is organized as follows. This section concludes with a brief guide to notation. Necessary background is covered in Section 2. In Section 3, we define the twisted Hermitian codes and explore their properties. In Section 4, we consider the McEliece cryptosytem employing certain families of twisted Hermitian codes. Section 4 considers a potential attack by casting the ideas of Lavauzelle and Renner in the Hermitian setting. A conclusion may be found in Section 5.

Notation. Given a vector space V over a field $\mathbb{F}$ and $B:=\left\{v_1,\cdots ,v_t\right\}\subseteq V$, we write ${〈v_1,\cdots ,v_t〉}_{\mathbb{F}}:=\left\{{\sum }_{i=1}^t{a}_i{v}_i:a_i\in \mathbb{F}\right\}$ to denote the span of the set B; at times, we write $〈B〉$ and when it is clear from the context, we omit the subscript $\mathbb{F}$ and simply write $〈v_1,\cdots ,v_t〉$. The set of all $m\times n$ matrices with entries from a field $\mathbb{F}$ is written as ${\mathbb{F}}^{m\times n}$, and $I_m\in {\mathbb{F}}^{m\times m}$ denotes the $m\times m$ identity matrix over $\mathbb{F}$.

The finite field with q elements is denoted by ${\mathbb{F}}_q$, where q is a power of a prime; $\mathbb{N}$ denotes the set of nonnegative integers; and ${\mathbb{Z}}^{+}$ denotes the set of positive integers. An $[n,k,d]$ code $\mathcal{C}$ over ${\mathbb{F}}_q$ is an ${\mathbb{F}}_q$-subspace of ${\mathbb{F}}_q^n$ with $k:={dim}_{{\mathbb{F}}_q}\mathcal{C}$ and minimum distance $d:=min\left\{wt\left(c\right):c\in \mathcal{C}\setminus \left\{0\right\}\right\}$. Here, $wt\left(w\right)=\mid \left\{i:w_i\ne 0\right\}\mid$ denotes the Hamming weight of a word $w\in {\mathbb{F}}_q^n$. Elements of $\mathcal{C}$ are called codewords. An $[n,k,d]$ code is MDS, or maximum distance separable, if and only if $d=n-k+1$. We say that a code is an $[n,k]$ code if its length is n and its dimension is k. A generator matrix for an $[n,k]$ code $\mathcal{C}$ over a field ${\mathbb{F}}_q$ is any matrix $M\in {\mathbb{F}}_q^{k\times n}$ whose rows form a basis for $\mathcal{C}$. A generator matrix $M=[I_k\mid A]$ is said to be in systematic form.

2. Preliminaries

We begin this section with a review of algebraic geometry codes and the necessary details on Hermitian codes followed by a discussion of the Schur product. There are a number of excellent references such as [12,13,14,15] which provide more comprehensive surveys.

Recall that an algebraic geometry code is of the form $C(D,G)$ as described in Section 1. If $degG<n$, then $C(D,G)$ is a $[n,dim\mathcal{L}(G),\ge n-degG]$ code. At times, it will be useful to consider nested codes. If $G\le G^{\prime }$, where $G^{\prime }$ is another divisor on X whose support does not contain any of the $P_i$, then $C(D,G)\subseteq C(D,G^{\prime })$. See [16] for more on nested Hermitian codes. In this paper, we restrict our attention to the case where $G=\alpha P$ with $\alpha \in {\mathbb{Z}}^{+}$, P is an $\mathbb{F}$-rational point on X, and D is the sum of the remaining $\mathbb{F}$-rational points; such codes are referred to as one-point codes in the literature and will be denoted here by $C\left(G\right)$.

Reed–Solomon codes are obtained from the construction above by taking $X=P^1\left({\mathbb{F}}_q\right)$, the projective line; $k<n\le q$; $G=kP$ where P denotes the unique point at infinity on X; and D to be the sum of all other rational points on X. It is well known that $C\left(kP\right)$ is an $[n,k,n-k+1]$ code; that is, $C\left(kP\right)$ is MDS. Notice that the alphabet size, meaning the cardinality of the field ${\mathbb{F}}_q$, is at least the length of the Reed–Solomon code; thus, to define a Reed–Solomon code of length n requires that $\mid {\mathbb{F}}_q\mid \ge n$.

Beyond Reed–Solomon codes, the best understood algebraic geometry codes are Hermitian codes. For a prime power q, let ${\mathcal{X}}_q$ denote the smooth, projective curve given by $y^q+y=x^{q+1}$ over the finite field ${\mathbb{F}}_{q^2}$; ${\mathcal{X}}_q$ is known as the Hermitian curve. The genus of ${\mathcal{X}}_q$ is $g=\frac{q(q-1)}{2}$, and there are $q^3$ affine ${\mathbb{F}}_{q^2}$-rational points of ${\mathcal{X}}_q$ in the projective plane, meaning points the form $\left(a:b:1\right)\in {\mathbb{P}}^2\left({\mathbb{F}}_{q^2}\right)$ with $b^q+b=a^{q+1}$, and a unique point at infinity $P_{\infty }=(0:1:0)$. Let $n:=q^3$ and $P_1,\dots ,P_n$ denote the affine rational points of ${\mathcal{X}}_q$. Given a vector space V of functions on ${\mathcal{X}}_q$ which do not have poles at any of the $P_i$, $1\le i\le n$, a code can be defined by taking the image of the evaluation map

$$\begin{array}{cccc}ev:\hfill & V\hfill & \to \hfill & {\mathbb{F}}_{q^2}^n\\ & f\hfill & \mapsto \hfill & \left(f\left(P_1\right),\dots ,f\left(P_n\right)\right).\end{array}$$

For $\alpha \in \mathbb{N}$ with $2g<\alpha <n$, we consider the space of functions

$$\mathcal{L}\left(\alpha P_{\infty }\right)=\langle x^i{y}^j:i,j\in \mathbb{N},j\le q-1,\delta \left(x^i{y}^j\right)\le \alpha \rangle$$

where $\delta \left(x^i{y}^j\right):=iq+j(q+1)$ is the pole order of $x^i{y}^j$ at $P_{\infty }$. The one-point Hermitian code determined by $\alpha$ is the algebraic geometry code $C\left(\alpha P_{\infty }\right)=ev\left(\mathcal{L}\left(\alpha P_{\infty }\right)\right)$. Henceforth, we use the term Hermitian code to mean one-point Hermitian curve. Notice that $C\left(\alpha P_{\infty }\right)$ is a code of length $q^3$, dimension at least $\alpha +1-g$, with equality achieved when $\alpha \ge 2g+1$, and minimum distance as given in [17].

Schur squares of algebraic geometry codes have been studied in [10,18]. Given a Hermitian code $C\left(\alpha P_{\infty }\right)$,

$$C{\left(\alpha P_{\infty }\right)}^2\subseteq C\left(2\alpha P_{\infty }\right),$$

and equality is achieved when $\alpha \ge 2g+1$. In this case, $C\left(\alpha P_{\infty }\right)$ has dimension $\alpha +1-g$ and

$$dimC{\left(\alpha P_{\infty }\right)}^2=dimC\left(2\alpha P_{\infty }\right)=2\alpha +1-g<<\left(\genfrac{}{}{0pt}{}{(\alpha +1-g)+1}{2}\right);$$

(1)

see also [19] for details. These ideas may be applied to more general algebraic geometry codes, meaning those constructed via evaluation maps analagous to $ev$ using curves other than ${\mathcal{X}}_q$ ([20] (Prop. 2)).

We seek a family of codes whose behavior under the Schur operation is indistinguishable from that of random codes. A guiding principle is the following result obtained by Cascudo, Cramer, Mirandola, and Zémor.

Proposition 1

([2] (Theorem 2.3)). Let $n:\mathbb{N}\to \mathbb{N}$ be such that $n\left(k\right)\ge \left(\genfrac{}{}{0pt}{}{k+1}{2}\right)$. Then for some positive real number δ and k large enough,

$$Pr\left[dim{\mathcal{C}}^2=\left(\genfrac{}{}{0pt}{}{k+1}{2}\right)\right]\ge 1-2^{-\delta \left(n\left(k\right)-\left(\genfrac{}{}{0pt}{}{k+1}{2}\right)\right)}$$

(2)

where $\mathcal{C}$ is chosen uniformly at random from the family of all $\left[n\right(k),k]$ codes over ${\mathbb{F}}_q$ whose generator matrices are in systematic form.

In keeping with Proposition 1, given a code $\mathcal{C}$ of dimension k, it is desirable for ${\mathcal{C}}^2$ to have dimension close to $\left(\genfrac{}{}{0pt}{}{k+1}{2}\right)$ or quadratic in k. This is in contrast to that seen in (1) where the dimension is linear in k. This serves as motivation to consider twisted Hermitian codes which are defined in the next section.

3. Twisted Hermitian Codes

In [4], Beelen, Puchinger, and Rosenkilde introduce a new code construction based on generalized Reed–Solomon codes; the resulting codes can have Schur squares with larger dimensions than the Schur squares of the generalized Reed–Solomon codes themselves. The study of these new codes is carried on in [21] by Beelen, Bossert, Puchinger, and Rosenkilde. In this section, we adapt the construction to Hermitian codes, determine their basic properties, and apply new tools to address subtleties that arise in considering their squares. Decoding is also discussed.

3.1. Properties of Twisted Hermitian Codes

We begin by defining the twisted Hermitian codes. To do so, let

$$B\left(\alpha P_{\infty }\right):=\left\{x^i{y}^j:i,j\in \mathbb{N},j\le q-1,\delta \left(x^i{y}^j\right)\le \alpha \right\},$$

which is a basis of $\mathcal{L}\left(\alpha P_{\infty }\right)$ on the Hermitian curve ${\mathcal{X}}_q:y^q+y=x^{q+1}$.

Definition 1.

Consider $\alpha =uq+v(q+1)\ge q^2-q-1$ where $u,v\in \mathbb{N}$. Let $\ell \in {\mathbb{Z}}^{+}$,

$$\mathbf{t}=\left((r_1,s_1),\dots ,(r_{\ell },s_{\ell })\right)\in {\left({\left(\mathbb{Z}\setminus \left\{0\right\}\right)}^2\right)}^{\ell }$$

be a vector whose coordinates are ℓ pairwise distinct ordered pairs of nonzero integers, and

$$\mathbf{h}=\left((a_1,b_1),\dots ,(a_{\ell },b_{\ell })\right)\in {\left({\mathbb{Z}}^2\right)}^{\ell }$$

be a vector whose coordinates are ℓ pairwise distinct ordered pairs of integers satisfying

$$a_{k}q+b_k(q+1)\le uq+v(q+1)<(u+r_k)q+(v+s_k)(q+1)<q^3$$

for $k=1,\dots ,\ell$. Let $\mathit{\eta }=({\eta }_1,\dots ,{\eta }_{\ell })\in {\left({\mathbb{F}}_{q^2}\setminus \left\{0\right\}\right)}^{\ell }$. The set of $(\mathbf{t},\mathbf{h},\mathit{\eta })$-twisted bivariate polynomials is

$$B_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)=\left(B\left(\alpha P_{\infty }\right)\setminus \bigcup _{k=1}^{\ell }\left\{x^{a_k}{y}^{b_k}\right\}\right)\cup \bigcup _{k=1}^{\ell }\left\{x^{a_k}{y}^{b_k}+{\eta }_k{x}^{u+r_k}{y}^{v+s_k}\right\}.$$

Let ${\mathcal{L}}_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)=\langle B_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)\rangle$. The twisted Hermitian code $C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)$ is

$$C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)≔ev\left({\mathcal{L}}_{\mathbf{t},\mathbf{h},\mathit{\eta }}\right)\subseteq {\mathbb{F}}_{q^2}^n.$$

Remark 1.

It is immediate from the construction that $C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)$ has the same length as the code $C\left(\alpha P_{\infty }\right)$. Furthermore,

$$dim{C}_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)=dim{\mathcal{L}}_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)=|B_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)|=|B\left(\alpha P_{\infty }\right)|=dimC\left(\alpha P_{\infty }\right).$$

In addition, a generator matrix for the twisted Hermitian code is

$${\mathcal{G}}_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)=\left[\begin{array}{c}ev\left(f_1\right)\\ ev\left(f_2\right)\\ ⋮\\ ev\left(f_k\right)\end{array}\right]$$

where $B_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)=〈f_1,f_2,\cdots ,f_k〉.$

We sometimes write $C_{\mathbf{t},\mathbf{h},\mathit{\eta }}^{n,k}\left(\alpha P_{\infty }\right)$ to emphasize the length and dimension of a twisted Hermitian code.

Example 1.

Let $q=2$ and $\alpha =1\left(q\right)+1(q+1)=5$. The Hermitian curve ${\mathcal{X}}_2$ is given by $y^2+y=x^3$, and we consider ${\mathcal{X}}_2$ over a finite field of order $q^2=4$, which may be described as ${\mathbb{F}}_4=\{0,1,a,a+1\}\cong {\mathbb{Z}}_2\left[x\right]/\langle x^2+x+1\rangle$. Note that

$$B\left(5P_{\infty }\right)=\{1,x,y,x^2,xy\}.$$

The $q^3+1=8$ rational points on $X_2$ other than $P_{\infty }$ are enumerated below:

$$\begin{array}{ccc}{P}_1\hfill & =\hfill & (0:0:1)\hfill \\ P_2\hfill & =\hfill & (0:1:1)\hfill \\ P_3\hfill & =\hfill & (1:a:1)\hfill \\ P_4\hfill & =\hfill & (1:a+1:1)\hfill \\ P_5\hfill & =\hfill & (a:a:1)\hfill \\ P_6\hfill & =\hfill & (a:a+1:1)\hfill \\ P_7\hfill & =\hfill & (a+1:a:1)\hfill \\ P_8\hfill & =\hfill & (a+1:a+1:1).\hfill \end{array}$$

Choose $\ell =2$ and the following vectors:

$$\begin{array}{cc}\hfill \mathbf{t}& =\left((1,0),(2,0)\right),\hfill \\ \hfill \mathbf{h}& =\left((2,0),(1,1)\right),\hfill \\ \hfill \mathit{\eta }& =\left(1,a\right).\hfill \end{array}$$

Then

$$\bigcup _{k=1}^2\left\{x^{a_k}{y}^{b_k}\right\}=\{x^2,xy\},$$

and

$$\bigcup _{k=1}^2\{x^{a_k}{y}^{b_k}+{\eta }_k{x}^{u+r_k}{y}^{v+s_k}\}=\{x^2+x^{2}y,xy+a{x}^{3}y\}$$

so that

$$B_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(5P_{\infty }\right)=\{1,x,y,x^2+x^{2}y,xy+a{x}^{3}y\}.$$

The resulting space of functions is

$${\mathcal{L}}_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(5P_{\infty }\right)=\langle B_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(5P_{\infty }\right)\rangle ,$$

and the twisted Hermitian code is

$$C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(5P_{\infty }\right)=ev\left({\mathcal{L}}_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(5P_{\infty }\right)\right).$$

A generator matrix ${\mathcal{G}}_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(5P_{\infty }\right)$ for the twisted Hermitian code may be obtained by evaluating each element of $B_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(5P_{\infty }\right)$ at each of the $P_i$, $1\le i\le 8$, to obtain

$${\mathcal{G}}_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(5P_{\infty }\right)=\begin{array}{cc}& \begin{array}{cccccccc}{P}_1& P_2& P_3& P_4& P_5& P_6& P_7& P_8\end{array}\\ \begin{array}{c}1\\ x\\ y\\ x^2+x^{2}y\\ xy+a{x}^{3}y\end{array}& \left[\begin{array}{cccccccc}1& 1& 1& 1& 1& 1& 1& 1\\ 0& 0& 1& 1& a& a& a+1& a+1\\ 0& 1& a& a+1& a& a+1& a& a+1\\ 0& 0& a+1& a& a& 1& 1& a+1\\ 0& 0& 1& a& 0& 0& a& a+1\end{array}\right]\end{array}.$$

Because twisted Hermitian codes share some similarities with one-point Hermitian codes (such as length and dimension per Remark 1), it is reasonable to ask how the codes themselves compare and more pointedly if they are essentially the same codes. With this in mind, we next demonstrate that the twisted Hermitian codes are not one-point Hermitian codes.

To reveal the distinction between twisted Hermitian codes and one-point Hermitian codes, we determine the largest subcode of $C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)$ which is a one-point Hermitian code as well as its smallest supercode which is a one-point Hermitian code. Recall that $\mathbf{t}=\left((r_1,s_1),\dots ,(r_{\ell },s_{\ell })\right)\in {\left({\left(\mathbb{Z}\setminus \left\{0\right\}\right)}^2\right)}^{\ell }$ and $\mathbf{h}=\left((a_1,b_1),\dots ,(a_{\ell },b_{\ell })\right)\in {\left({\mathbb{Z}}^2\right)}^{\ell }.$ Let

$${\alpha }^{\prime }=min\left\{a_{i}q+b_i(q+1):i=1,\cdots ,\ell \right\}-1$$

and

$${\alpha }^{″}=\alpha +max\left\{r_{i}q+s_i(q+1):i=1,\cdots ,\ell \right\}.$$

Then

$$\mathcal{L}\left({\alpha }^{\prime }{P}_{\infty }\right)\subseteq {\mathcal{L}}_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)\subseteq \mathcal{L}\left({\alpha }^{″}{P}_{\infty }\right)$$

follows from the definition of the twisted code by considering basis elements of the space of functions that are used to define the codewords. Therefore,

$$C\left({\alpha }^{\prime }{P}_{\infty }\right)\subseteq C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)\subseteq C\left({\alpha }^{″}{P}_{\infty }\right).$$

Notice that

$$dimC\left({\alpha }^{\prime }{P}_{\infty }\right)=\mid \left\{x^i{y}^j\in B\left(\alpha P_{\infty }\right)\mid \delta \left(x^i{y}^j\right)<min\left\{a_{i}q+b_i(q+1):i=1,\cdots ,\ell \right\}\right\}\mid <k,$$

$a_{k}q+b_k(q+1)\le uq+v(q+1)$ for all $1\le k\le l$, and the $(a_k,b_k)$ are distinct. In addition,

$$dimC\left({\alpha }^{″}{P}_{\infty }\right)=\left(\alpha +max\left\{r_{k}q+s_k(q+1)\mid k=1,\cdots ,\ell \right\}\right)+1-g\ge k+q.$$

Hence, we conclude that twisted Hermitian codes are not one-point Hermitian codes. These observations are recorded in the next result, followed by their impact on bounding the minimum distance of the twisted Hermitian code.

Proposition 2.

Consider a twisted Hermitian code $C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)$ constructed as in Definition 1 with $\mathbf{t}=\left((r_1,s_1),\dots ,(r_{\ell },s_{\ell })\right)\in {\left({\left(\mathbb{Z}\setminus \left\{0\right\}\right)}^2\right)}^{\ell }$ and $\mathbf{h}=\left((a_1,b_1),\dots ,(a_{\ell },b_{\ell })\right)\in {\left({\mathbb{Z}}^2\right)}^{\ell }$. Then

$$C\left({\alpha }^{\prime }{P}_{\infty }\right)⫋C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)⫋C\left({\alpha }^{″}{P}_{\infty }\right)$$

where

$${\alpha }^{\prime }=min\left\{a_{i}q+b_i(q+1):i=1,\cdots ,\ell \right\}-1$$

and

$${\alpha }^{″}=\alpha +max\left\{r_{i}q+s_i(q+1):i=1,\cdots ,\ell \right\}.$$

According to Proposition 2, the minimum distance d of $C_{\mathbf{t},\mathbf{h},\mathit{\eta }}^{n,k}\left(\alpha P_{\infty }\right)$ satisfies

$$n-{\alpha }^{″}\le d\left(C\left({\alpha }^{″}{P}_{\infty }\right)\right)\le d\le d\left(C\left({\alpha }^{\prime }{P}_{\infty }\right)\right).$$

Both $d\left(C\left({\alpha }^{″}{P}_{\infty }\right)\right)$ and $d\left(C\left({\alpha }^{\prime }{P}_{\infty }\right)\right)$ are known [17], being minimum distances of Hermitian codes. In the case that $2g-2<{\alpha }^{\prime }$ and ${\alpha }^{″}<n$, we have that

$$n-{\alpha }^{″}\le d\left(C\left({\alpha }^{″}{P}_{\infty }\right)\right)\le n-{\alpha }^{\prime }.$$

Thus, the twisted code $C_{\mathbf{t},\mathbf{h},\mathit{\eta }}^{n,k}\left(\alpha P_{\infty }\right)$ is capable of correcting at least $t=⎣\frac{n-{\alpha }^{″}-1}{2}⎦$ errors. We can use such a value of t for implementation within the McEliece cryptosystem (as detailed in Section 4), even though the code may be capable of correcting more errors.

Determining tighter bounds on the minimum distance of twisted Hermitian codes is an interesting but nontrivial problem. For instance, in the (perhaps simpler) Reed–Solomon situation, determining weights of codewords of twisted codes can amount to considering roots of sparse polynomials, which is a problem of current interest; see, for instance [22,23]. Another interesting question to consider is if the minimum distance of a twisted Hermitian code can attain that of a Hermitian code, especially given that there exist twisted Reed–Solomon codes which are MDS [4,24].

Example 2.

Consider the twisted Hermitian code $C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(12P_{\infty }\right)$ with $q=3$, $\alpha =12$,

$$\begin{array}{ccc}\mathbf{t}\hfill & =\hfill & \left((1,0),(0,1)\right),\hfill \\ \mathbf{h}\hfill & =\hfill & \left((1,2),(0,3)\right),\hfill \end{array}$$

and $\eta =\left({\eta }_1,{\eta }_2\right)$, where ${\eta }_1,{\eta }_2\in {\mathbb{F}}_9$ satisfy the conditions of Definition 1. By Proposition 2,

$${\alpha }^{″}=12+max\{r_{i}q+s_i(q+1):i=1,2\}=16$$

and

$${\alpha }^{\prime }=min\{a_{i}q+b_i(q+1):i=1,2\}-1=10$$

from which it follows that

$$C\left(10P_{\infty }\right)⫋C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(12P_{\infty }\right)⫋C\left(16P_{\infty }\right).$$

According to ([13] (Theorem 5)), $d\left(C\left(10P_{\infty }\right)\right)=17$ and $d\left(C\left(16P_{\infty }\right)\right)=11$ so that

$$11\le d\left(C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(12P_{\infty }\right)\right)\le 17.$$

3.2. Squares of Twisted Hermitian Codes

Recall from (1) that a Hermitian code $C\left(\alpha P_{\infty }\right)$ has a Schur square with relatively small dimension: $dimC{\left(\alpha P_{\infty }\right)}^2\le 2\alpha +1-g$. In this section, we show that the twisted Hermitian code $C_{\mathbf{t},\mathbf{h},\mathit{\eta }}^{n,k}\left(\alpha P_{\infty }\right)$ may have a Schur square with much larger dimension in comparison to the square of the code itself.

Because the codes of interest are obtained by evaluating sets of functions, it is useful to consider the Schur product of sets. Given $B,B^{\prime }\subseteq {\mathbb{F}}_q[x,y]$, let

$$B\underline{\ast }{B}^{\prime }≔\left\{\mathbf{b}·{\mathbf{b}}^{\prime }\mid \mathbf{b}\in B,{\mathbf{b}}^{\prime }\in B^{\prime }\right\},$$

and

$$B^{\underline{2}}≔B\underline{\ast }B.$$

Lemma 1.

Let $\mathcal{M}$ denote the set of bivariate monomials

$$\mathcal{M}≔\left\{x^i{y}^j:i,j\in \mathbb{N},0\le i\le q^2-1,0\le j\le q-1\right\}\subseteq {\mathbb{F}}_{q^2}[x,y].$$

Then the evaluation map $ev:〈\mathcal{M}〉\to {\mathbb{F}}_{q^2}^n$ is an injective mapping.

Proof. 

Let the domain of $ev$ be restricted to $\langle \mathcal{M}\rangle$ as described above. It suffices to show that $ker\left(ev\right)=\left\{0\right\}$. Assume to the contrary that $0\ne p(x,y)\in \langle \mathcal{M}\rangle$ such that $ev\left(p(x,y)\right)=\mathbf{0}\in {\mathbb{F}}_{q^2}^n$. Then every rational affine point $(x:y:1)$ of the Hermitian curve ${\mathcal{X}}_q$ also satisfies $p(x,y)=0$. Fix $a\in {\mathbb{F}}_{q^2}$. Then there are then q distinct $b_i\in {\mathbb{F}}_{q^2}$ such that $(a:b_i:1)$ is a rational point on the Hermitian curve ${\mathcal{X}}_q$. Then the univariate polynomial $p(a,y)$ has q distinct zeros in ${\mathbb{F}}_{q^2}$, despite the fact that $deg\left(p\right(a,y\left)\right)\le q-1$. Hence $p(a,y)\equiv 0$ for all $a\in {\mathbb{F}}_{q^2}$. On the other hand,

$$\begin{array}{c}\hfill p(x,y)=\sum _{j=0}^{q-1}\left(\sum _{i=0}^{q^2-1}{a}_{ij}{x}^i\right)y^j=\sum _{j=0}^{q-1}{q}_j\left(x\right)y^j\end{array}$$

where $q_j\left(x\right)={\sum }_{i=0}^{q^2-1}{a}_{ij}{x}^i$ and $q_j\left(a\right)=0$ for all $a\in {\mathbb{F}}_{q^2}$. This implies the univariate polynomial $q_j\left(x\right)$ has $q^2$ zeros in ${\mathbb{F}}_{q^2}^n$, despite the fact that $deg\left(q_j\right)\le q^2-1$. As a result, $p(x,y)\equiv 0$, which is a contradiction. □

We can use properties of the finite field to define a reduction scheme for bivariate polynomials.

Definition 2.

Suppose $i,j\in \mathbb{N}$ are such that $0\le i\le 2(q^2-1)$ and $0\le j\le q-1$. We define

$$\overline{x^i{y}^j}≔\left\{\begin{array}{cc}{x}^i{y}^j\hfill & \mathrm{if}0\le i\le q^2-1\hfill \\ x^{i-(q^2-1)}{y}^j\hfill & \mathit{otherwise}.\hfill \end{array}\right.$$

For $f(x,y)=\sum c_k{x}^{i_k}{y}^{j_k}\in {\mathbb{F}}_{q^2}[x,y]$, we define

$$\overline{f}≔\sum c_k\overline{x^{i_k}{y}^{j_k}}.$$

(3)

It follows immediately that for $f=\sum c_k{x}^{i_k}{y}^{j_k},g=\sum d_h{x}^{i_h}{y}^{j_h}\in \mathcal{L}\left(\alpha P_{\infty }\right)$,

$$ev(f·g)=ev\left(\overline{f·g}\right).$$

Given $f(x,y)={\sum }_{k=1}^n{c}_k{x}^{i_k}{y}^{j_k}\in {\mathbb{F}}_{q^2}[x,y]$,

$$\delta \left(f\right)≔max\left\{i_{k}q+j_k(q+1):k=1,\dots ,n\right\}.$$

(4)

If $B=\{f_1,\dots ,f_m\}\subseteq {\mathbb{F}}_{q^2}[x,y]$, then

$$\delta \left(B\right)≔\left\{\delta \left(f_k\right):k=1,\dots ,m\right\}.$$

(5)

We can now establish a lower bound on $dim{C}_{\mathbf{t},\mathbf{h},\mathit{\eta }}{\left(\alpha P_{\infty }\right)}^2$.

Lemma 2.

Let $C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)$ be a twisted Hermitian code. Then

$$dim{C}_{\mathbf{t},\mathbf{h},\mathit{\eta }}{\left(\alpha P_{\infty }\right)}^2\ge \mid \overline{D}\mid$$

where $\overline{D}≔\{\delta \left(\overline{f·g}\right)\mid f,g\in \mathcal{L}\left(\alpha P_{\infty }\right)\}$.

Lemma 2 suggests that $dim{C}_{\mathbf{t},\mathbf{h},\mathit{\eta }}{\left(\alpha P_{\infty }\right)}^2$ can be made large by choosing $\mathbf{t},\mathbf{h},\eta$ to maximize the size of $\overline{D}$. Before applying it, we first establish a few relevant tools.

Given $\mathcal{M}$ as in Lemma 1, set

$${\mathcal{M}}_2≔\left\{x^i{y}^j\in \mathcal{M}:\delta \left(x^i{y}^j\right)\le \lceil \frac{max\delta \left(\mathcal{M}\right)}{2}\rceil \right\}.$$

Observe that for any prime power q,

$$\lceil \frac{max\delta \left(\mathcal{M}\right)}{2}\rceil =\lceil \frac{(q^2-1)q+(q-1)(q+1)}{2}\rceil \ge 2g+1.$$

It follows that

$$\mathcal{M}\subseteq {\mathcal{M}}_2^{\underline{2}}.$$

We make use of this observation in the following lemma.

Lemma 3.

Let $A\subseteq \mathbb{F}[x,y]$ be a set of elements with distinct pole orders such that $\delta \left(A\right)\subseteq \delta \left({\mathcal{M}}_2\right)$. Then $\mid \delta \left(A^{\underline{2}}\right)\setminus \delta \left(\mathcal{M}\right)\mid \le g$.

Proof. 

Since $\mathcal{M}\subseteq {\mathcal{M}}_2^{\underline{2}}$, $\delta \left(\mathcal{M}\right)\subseteq \delta \left({\mathcal{M}}^{\underline{2}}\right)$. Observe that

$$\mid \delta \left({\mathcal{M}}_2^{\underline{2}}\right)\setminus \delta \left(\mathcal{M}\right)\mid =\mid \delta \left({\mathcal{M}}_2^{\underline{2}}\right)\mid -\mid \delta \left(\mathcal{M}\right)\mid =\left[(q^3+q^2-q-1)+1-g\right]-q^3=g.$$

Since $\delta \left(A^{\underline{2}}\right)\subseteq \delta \left({\mathcal{M}}_2^{\underline{2}}\right)$, it follows that $\mid \left(\delta \left(A^{\underline{2}}\right)\setminus \delta \left(\mathcal{M}\right)\right)\mid \le g$. □

Next, we employ a few basic results from additive number theory; specifically, we make use of the notion of a Sidon set.

Definition 3.

A set $A\subseteq \mathbb{N}$ is a finite Sidon set provided it is finite and $\forall a,b,c,d\in A$, $a+b=c+d$ if and only if $(a,b)=(c,d)$ or $(a,b)=(d,c)$.

Erdös and Turan show in [25] that every subset of a Sidon set is itself a Sidon set and that every nonempty subset of $\mathbb{N}$ contains a Sidon set. For finite and nonempty $A\subseteq \mathbb{N}$, let $S\left[A\right]$ denote the largest subset of A that is a Sidon set. Gowers shows in [26] that $\mid S\left[A\right]\mid \le 2\sqrt{\mid A\mid }$.

We now introduce a family of twisted Hermitian codes with a large Schur square dimension. It will be useful to consider the map

$$\begin{array}{cccc}{\varphi }_q:\hfill & \mathbb{N}\hfill & \to \hfill & {\mathbb{Z}}^2\\ & w\hfill & \mapsto \hfill & ((q+1)\lfloor \frac{w}{q}\rfloor -w,w-q\lfloor \frac{w}{q}\rfloor ).\end{array}$$

Theorem 1.

For a given prime power $q_0$, let $\alpha \in \delta \left(\mathcal{M}\right)$ be such that $\alpha \le \frac{q^3+2\sqrt{q^3+1}+1}{4}$ and

$$\begin{array}{cc}\hfill \mathcal{P}& ≔\left\{\delta \left(x^i{y}^j\right):x^i{y}^j\in \mathcal{M},\delta \left(x^i{y}^j\right)\le \alpha \right\}\hfill \\ \hfill \mathcal{T}& ≔\left\{\delta \left(x^i{y}^j\right):x^i{y}^j\in \mathcal{M},\delta \left(x^i{y}^j\right)>\alpha \right\}=\{t_1,\dots ,t_{\ell }\}\hfill \\ \hfill \mathcal{H}& ≔\mathcal{P}\setminus S\left[\mathcal{P}\right]=\{h_1,\dots ,h_{\ell }\}\hfill \end{array}$$

satisfying $\ell ≔\mid \mathcal{H}\mid \le \mid \mathcal{T}\mid$. Let

$$\begin{array}{cc}\hfill \mathbf{h}& =\left(\varphi \left(h_1\right),\dots ,\varphi \left(h_{\ell }\right)\right);\hfill \\ \hfill \mathbf{t}& =\left(\varphi \left(t_1\right)-(u,v),\dots ,\varphi \left(t_{\ell }\right)-(u,v)\right);\hfill \end{array}$$

$s_1,\cdots ,s_{\ell }$ be prime powers such that

$${\mathbb{F}}_{q_0^2}={\mathbb{F}}_{s_0}⫋{\mathbb{F}}_{s_1}⫋\cdots ⫋{\mathbb{F}}_{s_{\ell }}={\mathbb{F}}_{q^2};$$

(6)

and $\mathit{\eta }=\left({\eta }_1,\dots ,{\eta }_{\ell }\right)$ be such that ${\eta }_i\in {\mathbb{F}}_{s_i}\setminus {\mathbb{F}}_{s_{i-1}}$ for $i=1,\dots ,\ell$. Then

$$dim{C}_{\mathbf{t},\mathbf{h},\mathit{\eta }}{\left(\alpha P_{\infty }\right)}^2\ge \left(\genfrac{}{}{0pt}{}{k+1}{2}\right)-g$$

where $k:=dim{C}_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right).$

Proof. 

Let $B=\left\{x^i{y}^j:\delta \left(x^i{y}^j\right)\in S\left[\mathcal{P}\right]\right\}$ and $B_t=\left\{x^{a_m}{y}^{b_m}+{\eta }_m{x}^{u+r_m}{y}^{v+s_m}:m=1,\dots ,\ell \right\}$. Then $C_{\mathbf{t},\mathbf{h},\eta }\left(\alpha P_{\infty }\right)=ev\langle B\cup B_t\rangle$ and $C_{\mathbf{t},\mathbf{h},\eta }{\left(\alpha P_{\infty }\right)}^2=ev\langle {\left(B\cup B_t\right)}^{\underline{2}}\rangle$. Note that $B\cup B_t$ is a set of functions with distinct pole orders. We claim that ${\left(B\cup B_t\right)}^{\underline{2}}$ is a linearly independent set. Consider $f_m:=x^{i_m}{y}^{j_m}\in B$ and $f_m^{\prime }:=x^{a_m}{y}^{b_m}+{\eta }_m{x}^{u+r_m}{y}^{v+s_m}\in B_t$. Then ${\left(B\cup B_t\right)}^{\underline{2}}$ can be written as ${\left(B\cup B_t\right)}^{\underline{2}}=A\cup C\cup D$ where $A:=\left\{f_m{f}_{m^{\prime }}:\delta \left(f_m\right),\delta \left(f_{m^{\prime }}\right)\in S\left[\mathcal{P}\right]\right\}$, $C:=\left\{f_m{f}_{m^{\prime }}^{\prime }:\delta \left(f_m\right)\in S\left[\mathcal{P}\right],m^{\prime }=1,\cdots ,\ell \right\}$, and $D:=\left\{f_m^{\prime }{f}_{m^{\prime }}^{\prime }:m,m^{\prime }=1,\cdots ,\ell \right\}$. Notice that if $\delta \left(x^{i+i^{\prime }}{y}^{j+j^{\prime }}\right)=\delta \left(x^{i^{″}+i^{‴}}{y}^{j^{″}+j^{‴}}\right)$ for $x^{i+i^{\prime }}{y}^{j+j^{\prime }},x^{i^{″}+i^{‴}}{y}^{j^{″}+j^{‴}}\in A$, then $\delta \left(x^i{y}^j\right)=\delta \left(x^{i^{″}}{y}^{j^{″}}\right)$ (in which case $\delta \left(x^{i^{\prime }}{y}^{j^{\prime }}\right)=\delta \left(x^{i^{‴}}{y}^{j^{‴}}\right)$) or $\delta \left(x^i{y}^j\right)=\delta \left(x^{i^{‴}}{y}^{j^{‴}}\right)$ (in which case $\delta \left(x^{i^{\prime }}{y}^{j^{\prime }}\right)=\delta \left(x^{i^{″}}{y}^{j^{″}}\right)$) follows from the properties of the Sidon set. In the first case, this implies that $i=i^{″}$ and $j=j^{″}$. In the second, $i=i^{″\prime }$ and $j=j^{″\prime }$. As a result, all elements of A have distinct pole orders. Furthermore, no pole order of an element of A is that of an element of C or D as $\delta \left(f_m{f}_{m^{\prime }}\right)\le \alpha \le \delta \left(f\right)$ for all $f_m{f}_{m^{\prime }}\in A$ and $f\in C\cup D$. Continuing in this way, we see that

$$\begin{array}{cc}\hfill \mid {\left(B\cup B_t\right)}^{\underline{2}}\mid & =\left(\genfrac{}{}{0pt}{}{\mid B\mid +\mid B_t\mid +1}{2}\right)\hfill \\ \hfill & =\left(\genfrac{}{}{0pt}{}{k+1}{2}\right).\hfill \end{array}$$

and applying Lemma 3 gives

$$\mid \delta {\left(\left(B\cup B_t\right)\right)}^{\underline{2}}\setminus \delta \left(\mathcal{M}\right)\mid \le g$$

which implies that at most g elements of $\delta {\left(B\cup B_t\right)}^{\underline{2}}$ are not in $\mathcal{M}$. Then at least $\left(\genfrac{}{}{0pt}{}{k+1}{2}\right)-g$ elements of $\delta \left({\left(B\cup B_t\right)}^{\underline{2}}\right)$ lie in $\mathcal{M}$; i.e., $dimev\langle {\left(B\cup B_t\right)}^{\underline{2}}\rangle \ge \left(\genfrac{}{}{0pt}{}{k+1}{2}\right)-g$. Thus, $dim{C}_{\mathbf{t},\mathbf{h},\eta }{\left(\alpha P_{\infty }\right)}^2\ge \left(\genfrac{}{}{0pt}{}{k+1}{2}\right)-g$. □

This particular subfamily achieves a large Schur square dimension by first maximizing the size of $\overline{D}$ as seen in Theorem 2 and then forcing linear independence by choosing coefficients according to the nested field structure shown in (6).

3.3. Decoding Twisted Hermitian Codes

Tailored decoding algorithms for twisted Hermitian codes can be designed by borrowing ideas from those for twisted Reed–Solomon codes given in [4]. For a twisted Hermitian code $C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)$ with $\mathbf{t}\in {\left({\mathbb{Z}}^2\right)}^{\ell }$ and received message $m\in {\mathbb{F}}_{q^2}^n$, ℓ coefficients ${\gamma }_1,...,{\gamma }_{\ell }\in {\mathbb{F}}_{q^2}$ may be guessed (or selected at random). A decoding algorithm for a Hermitian code may then be applied to $m-ev\left({\sum }_{i=1}^{\ell }{\eta }_i{\gamma }_{a_i,b_i}{x}^{u+r_i}{y}^{v+s_i}\right)$ as if it was a received word. This allows application of any Hermitian decoder. These rounds of guessing will only be successful if ${\gamma }_i=a_{a_i,b_i}$, for $i=1,...,\ell$. Because the alphabet size is $q^2$, this may require up to $q^{2^{\ell }}$ rounds of Hermitian decoding. As with twisted Reed–Solomon codes, these rounds might produce twisted Hermitian polynomials where ${\gamma }_i\ne a_{a_i,b_i}$. The polynomials that are produced with these characteristics will be discarded as they do not yield valid codewords.

The efficiency of decoding twisted Hermitian codes may be considered by taking the cost of the Hermitian decoder used and multiplying it by the number of guessing rounds. Two methods of decoding Hermitian codes that might be utilized are those that have sub-quadratic efficiency, which is the best complexity known for decoding Hermitian codes. The Guruswami-Sudan Algorithm [27] has a Hermitian decoding efficiency of $O\left(n^{2+\omega /3}{s}^{\omega }m\right)$, where m and s are the multiplicity and list size parameters respectively and $\omega \le 3$ is the exponent of matrix multiplication. This means that decoding twisted Hermitian codes using the Guruswami-Sudan Algorithm would have efficiency $O\left(q^{2^{\ell }}{n}^{2+\omega /3}{s}^{\omega }m\right)$. Power decoding also has a similar decoding efficiency for Hermitian codes, which is $O\left(n^{2+\omega /3}{p}^{\omega }\right)$, where p is the powering parameter and $\omega$ is as defined before [28]. This means that the efficiency of decoding twisted Hermitian codes using power decoding is $O\left(q^{2^{\ell }}{n}^{2+\omega /3}{p}^{\omega }\right)$. Determining more efficient and specialized decoding methods for twisted algebraic geometry codes remains a topic of study.

4. Applications of Twisted Hermitian Codes to the McEliece Cryptosystem

In this section, we consider the potential use of twisted Hermitian codes in a code-based cryptosystem. First, we abstract the key elements of the McEliece cryptosystem for use with an arbitrary linear code (in place of the Goppa code in [7]). Then we consider the role of squares in attacking the resulting system, noting how the twisted codes avoid direct distinguisher attack. This section concludes with considerations prompted by the recent attack of Lavauzelle and Renner [11] on a twisted Reed–Solomon code-based cryptosystem.

Let G be a $k\times n$ generator matrix for an $[n,k,d]$ linear code $\mathcal{C}$ over a finite field $\mathbb{F}$ capable of correcting at least t errors. The public key is $(G^{\mathrm{PUB}},t)≔SGP$, where $S\in {\mathbb{F}}^{k\times k}$ is nonsingular and $P\in {\mathbb{F}}^{n\times n}$ is a permutation matrix. The private key is $(S,P,D_{\mathcal{C}})$, where $D_{\mathcal{C}}$ is an efficient decoding algorithm of $\mathcal{C}$. To transmit a message to a receiver Alice, Bob encodes the message $m\in {\mathbb{F}}^k$ as $m{G}^{\mathrm{PUB}}+e$, where $e\in {\mathbb{F}}^{1\times n}$ has weight $wt\left(e\right)\le t$. Alice receives a transmission in the form $x:=mSGP+e$ and initiates deciphering by left-multiplying x by $P^{-1}$ to yield $mSG+e{P}^{-1}$. Alice then applies the decoding algorithm $D_{\mathcal{C}}$ to retrieve $mS$ and left-multiplies by $S^{-1}$ to recover m. To maintain security, the underlying code $\mathcal{C}$ must not be revealed.

Role of Squares in the McEliece Cryptosystem

The Schur square distinguisher is an attack applied to the McEliece cryptosystem implemented with Reed–Solomon codes in [18]. Though the attacker does not know the linear code $\mathcal{C}$ underlying $G^{\mathrm{PUB}}$, the distinguisher may allow the attacker to know $dim{\mathcal{C}}^2$. The low-dimensional squares of Reed–Solomon and Hermitian codes imply that $dim{\mathcal{C}}^2$ can be used to distinguish $\mathcal{C}$ from a random linear code. This is demonstrated in [18] where generalized Reed–Solomon codes are considered; Schur products are used to identify ${\mathcal{C}}^2$ within the family from which it is drawn; and the Sidelnikov and Shestakov algorithm may then be used to identify $\mathcal{C}$. See also [29] for other approaches involving generalized Reed–Solomon codes. Since $dim{\mathcal{C}}^2$ can be an identifying characteristic of the family of codes from which $\mathcal{C}$ is drawn, the attacker may then use a family-specific structural attack on intercepted messages. Both twisted Reed–Solomon and twisted Hermitian codes may avoid a direct application of this attack if constructed to have large dimensional squares.

Based on the attacks described above, it is desirable to implement this code-based cryptosystem with a family of codes whose Schur squares are indistinguishable from those of random codes. With this in mind twisted Reed–Solomon codes were introduced in [4] and can be defined as follows.

Definition 4.

Let ${\alpha }_1,\cdots ,{\alpha }_n\in {\mathbb{F}}_q$ be pairwise distinct field elements, and fix $1\le k\le n$, $\ell \ge 1$. Let $\mathbf{h}\in {\{0,\cdots ,k-1\}}^{\ell },\mathbf{t}\in {\{1,\cdots ,n-k\}}^{\ell }$ such that $\eta \in {({\mathbb{F}}_q\setminus \left\{0\right\})}^{\ell }$. A twisted Reed–Solomon code of length n and dimension k is given by:

$$C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(k\right)=\left\{\left(f\left({\alpha }_1\right),\cdots ,f\left({\alpha }_n\right)\right):f\in \left\{\sum _{i=0}^{k-1}{a}_i{x}^i+\sum _{j=1}^{\ell }{\eta }_j{a}_{h_j}{x}^{k-1+t_j}:a_i\in {\mathbb{F}}_q\right\}\right\}.$$

Consider the evaluation map

$$\begin{array}{cccc}e{v}_{\alpha }:\hfill & {\mathbb{F}}_q\left[x\right]\hfill & \to \hfill & {\mathbb{F}}_q^n\\ & f\hfill & \mapsto \hfill & \left(f\left({\alpha }_1\right),\cdots ,f\left({\alpha }_n\right)\right).\end{array}$$

Let $q_0$ be a prime, and $q=q_{\ell }=q_0^{2^{\ell }}$. Lavazuelle and Renner showed in [11] that the subfield subcode $C_{sub}=C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(k\right)\cap {\mathbb{F}}_{q_0}^n$ of $C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(k\right)$ is given by

$$C_{sub}={〈e{v}_{\alpha }\left(x^i\right):i\in \{0,1,\cdots ,k-1\}\setminus \{h_1,h_2,\cdots ,h_{\ell }\}〉}_{{\mathbb{F}}_{q_0}}.$$

Given that $C_{sub}$ is not a Reed–Solomon code, the Sidelnikov-Shestakov attack cannot be directly applied. However, for $\ell \le \frac{1}{2}(\sqrt{n}-3)$ the Schur square $C_{sub}^2$ is a Reed–Solomon code of length n and dimension $2k-1$. This idea forms the basis for an efficient key-recovery attack on the code-based cryptosystem employing twisted Reed Solomon codes.

The similarity in construction of twisted Hermitian codes and twisted Reed–Solomon codes suggests a possible attack on the cryptosystem based on the twisted Hermitian codes. In the remaining part of this section, we consider the possible components of such an attack. Recall the code $C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)$ over ${\mathbb{F}}_{q^2}$ constructed in Theorem 1 where

$${\mathbb{F}}_{q_0^2}={\mathbb{F}}_{s_0}⫋{\mathbb{F}}_{s_1}⫋\cdots ⫋{\mathbb{F}}_{s_{\ell }}={\mathbb{F}}_{q^2},$$

and consider the subfield subcode

$$C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)\cap {\left({\mathbb{F}}_{q_0}^2\right)}^n$$

where $\mathbf{h}=\left((a_1,b_1),\dots ,(a_{\ell },b_{\ell })\right)\in {\left({\mathbb{Z}}^2\right)}^{\ell }$.

Lemma 4.

Let $f\in {〈\mathcal{M}〉}_{{\mathbb{F}}_{q^2}}\subseteq {\mathbb{F}}_{q^2}[x,y]$ and $P_1,\cdots ,P_n\in {\mathcal{X}}_{q_0^2}\left({\mathbb{F}}_{q_0^2}\right)$. Then $ev\left(f\right)\in {\mathbb{F}}_{q_0^2}^n$ if and only if $f\in {〈{\mathcal{M}}_0〉}_{{\mathbb{F}}_{q_0^2}}$ where ${\mathcal{M}}_0≔\left\{x^i{y}^j:i,j\in \mathbb{N},0\le i\le q_0^2-1,0\le j\le q_0-1\right\}.$

Proof. 

Suppose $f\in {〈{\mathcal{M}}_0〉}_{{\mathbb{F}}_{q_0^2}}$ and $P_1,\cdots ,P_n\in {\mathcal{X}}_{q_0^2}\left({\mathbb{F}}_{q_0^2}\right)$. Then it is clear that $ev\left(f\right)\in {\mathbb{F}}_{q_0^2}^n$. Conversely, consider $c:=ev\left(f\right)\in {\mathbb{F}}_{q_0^2}^n$ where $f\in {〈\mathcal{M}〉}_{{\mathbb{F}}_{q^2}}\subseteq {\mathbb{F}}_{q^2}[x,y]$. According to ([28] (Lemma 6)), there exists ${\displaystyle p=\sum _{\alpha \in {\mathbb{F}}_{q_0^2}}\prod _{{\alpha }^{\prime }\in {\mathbb{F}}_{q_0^2}\setminus \left\{\alpha \right\}}\frac{x-{\alpha }^{\prime }}{\alpha -{\alpha }^{\prime }}\left(\sum _{\beta \in B_{\alpha }}{\gamma }_{\alpha ,\beta }\prod _{{\beta }^{\prime }\in B_{\alpha }\setminus \left\{\beta \right\}}\frac{y-{\beta }^{\prime }}{\beta -{\beta }^{\prime }}\right)}$ such that $ev\left(p\right)=c.$ Notice that $p\in {〈{\mathcal{M}}_0〉}_{{\mathbb{F}}_{q_0^2}}\subseteq {〈\mathcal{M}〉}_{{\mathbb{F}}_{q^2}}$. Since $ev:{〈\mathcal{M}〉}_{{\mathbb{F}}_{q^2}}\to {\mathbb{F}}_{q^2}^n$ is an injective map (as shown in Lemma 1) and $c=ev\left(p\right)=ev\left(f\right)$, it follows that $f=p\in {〈{\mathcal{M}}_0〉}_{{\mathbb{F}}_{q_0^2}}$. □

Proposition 3.

Given a twisted Hermitian code $\mathcal{C}=C_{\mathbf{t},\mathbf{h},\mathit{\eta }}\left(\alpha P_{\infty }\right)$ and $P_1,\cdots ,P_n\in {\mathcal{X}}_{q_0^2}\left({\mathbb{F}}_{q_0^2}\right)$,

$$\mathcal{C}\cap {\mathbb{F}}_{q_0^2}^n=\left\{ev\left(f\right):f\in {〈B\left(\alpha P_{\infty }\right)\setminus \bigcup _{k=1}^{\ell }\left\{x^{a_k}{y}^{b_k}\right\}〉}_{{\mathbb{F}}_{q_0^2}}\right\}.$$

Proof. 

Consider $ev\left(f\right)$ where $f\in {〈B\left(\alpha P_{\infty }\right)\setminus {\bigcup }_{k=1}^{\ell }\left\{x^{a_k}{y}^{b_k}\right\}〉}_{{\mathbb{F}}_{q_0^2}}$. Then $ev\left(f\right)\in \mathcal{C}\cap {\mathbb{F}}_{q_0^2}^n$ as each $P_i\in {\mathcal{X}}_{q_0}\left({\mathbb{F}}_{q_0^2}\right)$. On the other hand, suppose that $ev\left(f\right)\in \mathcal{C}\cap {\mathbb{F}}_{q_0^2}^n$. Then Lemma 4 applies so that $f\in {〈B\left(\alpha P_{\infty }\right)\setminus {\bigcup }_{k=1}^{\ell }\left\{x^{a_k}{y}^{b_k}\right\}〉}_{{\mathbb{F}}_{q_0^2}}$. □

This result prompts the conjecture that the Schur square of the subfield subcode of a twisted Hermitian code in Proposition 3 is a Hermitian code. This is related to ([10] (Conjecture 19)). Positive resolution of these conjectures would lay the groundwork for an attack on a twisted Hermitian code-based cryptosystem.

5. Conclusions

In this paper, we present a new family of codes, called twisted Hermitian codes, whose construction is based on Hermitian codes. The length and dimension of the new codes is the same as the Hermitian codes, but these codes are not Hermitian codes. These new codes can have Schur squares larger than those of Hermitian codes. In particular, we identify a subfamily of the new codes that have Schur squares of dimension close to that expected of a random linear code. Codes of this subfamily are resistant to Schur square distinguishing when applied directly. However, the associated code-based cryptosystems may exhibit potential vulnerabilities related to square distinguisher attacks on particular subfield subcodes. This work leaves open several avenues that are worth investigation. Obtaining an improved lower bound on the twisted Hermitian codes, either in general or for the particular subfamily identified in this work, remains a challenge. Addressing it would allow one to consider if it is possible to obtain twisted Hermitian codes with parameters rivaling those of one-point Hermitian codes. It would also allow for the introduction of more noise in the associated code-based cryptosystem. We have not considered in this work the potential to construct twisted Hermitian codes C which are linearly complementary dual (LCD), meaning the intersection of C and its dual is trivial. In addition, the interested reader may find that it is possible to design tailored decoding algorithms for the twisted Hermitian codes beyond what is addressed in this work.