### Permutation decoding of $\mathbb{Z}_2\mathbb{Z}_4$-linear codes

José Joaquín Bernal, Joaquim Borges, Cristina Fernández-Córdoba, Mercè Villanueva
2014 Designs, Codes and Cryptography
Permutation decoding is a technique, introduced in [3] by MacWilliams, that strongly depends on the existence of special subsets, called PD-sets, of the permutation automorphism group PAut(C) of a linear code C. In [2], it is shown how to find s-PD-sets of minimum size s + 1 for partial permutation decoding for the binary simplex code $S_m$ of length $2^m - 1$, for all $m \ge 4$ and $1 < s \le \frac{2^m - m - 1}{m}$. In [1], an alternative permutation decoding method is presented, which can be applied to any binary systematic code (not necessarily linear), in particular to any $\mathbb{Z}_4$-linear code. Nevertheless, this alternative method assumes that we know an appropriate PD-set for such codes. In this talk, we obtain s-PD-sets of size s + 1 for binary linear Hadamard codes (extended codes of $S_m$), following the techniques described in [2]. Furthermore, we provide a criterion to obtain s-PD-sets of the same size for partial permutation decoding for $\mathbb{Z}_4$-linear codes. As particular examples, we apply this criterion to (nonlinear) Hadamard $\mathbb{Z}_4$-linear codes, where we also prove that such sets are of minimum size. Finally, we present two recursive constructions to obtain s-PD-sets for this family of Hadamard $\mathbb{Z}_4$-linear codes.

[3] F. J. MacWilliams: Permutation decoding of systematic codes, Bell System Tech. J. 43 (1964), 485-505.

We present a variation of the permutation decoding method that is applicable to any binary systematic coding scheme, whether or not the code used is linear. In particular, for $\mathbb{Z}_2\mathbb{Z}_4$-linear codes, which are binary and in general nonlinear, it is proved that all of them admit a systematic encoding scheme, so that the new decoding method can be used. Moreover, as a concrete example, we show how to apply it to some $\mathbb{Z}_2\mathbb{Z}_4$-linear codes known as Hadamard codes.

As physical devices are involved in the generation of cash, forgery is (at least theoretically) possible. However, Wiesner proposed in [1] to take advantage of the no-cloning theorem of quantum mechanics to construct (quantum) money that is theoretically impossible to counterfeit (or, more precisely, for which the probability of successful forging is exponentially small).
This work was followed by several papers [3, 4, 2] that improved Wiesner's idea, and today's main efforts in quantum money research are put into constructing what is called public-key quantum money: quantum money that can be verified by anyone with a quantum device, and not only by the bank that issued it, as was the case in [1]. The main proposal for public-key quantum money is Aaronson-Christiano's scheme [5], in both its noise-free and noisy versions. We focus only on the noise-free version. Whereas the security of other proposals (for example [6]) is not well understood, Aaronson-Christiano's scheme is the first one that is proved to be cryptographically secure under a new non-quantum hardness assumption. This assumption states that, once we 'hide' two orthogonal subspaces by encoding each of them as the common zeros of a set of appropriate random multivariate polynomials of degree d over a finite field of prime size q, it is not possible to efficiently recover the hidden subspaces. The problem is hence called the hidden subspaces problem (or $\mathrm{HSP}_q$ for short). We study the hardness of $\mathrm{HSP}_q$. We present a randomized polynomial-time algorithm that solves $\mathrm{HSP}_q$ for q > d with success probability approximately $1 - \frac{1}{q}$, which proves that the quantum money scheme over $\mathbb{F}_q$ is not secure for large q, solving the open question in [5] of whether their scheme (defined over $\mathbb{F}_2$) can be extended to $\mathbb{F}_q$ or not. Finally, we show that there is also a heuristic randomized polynomial-time algorithm solving $\mathrm{HSP}_2$ with high probability, and so their original noise-free scheme is conjectured to be broken too.