On nested code pairs from the Hermitian curve

Abstract

Nested code pairs play a crucial role in the construction of ramp secret sharing schemes [15] and in the CSS construction of quantum codes [14]. The important parameters are (1) the codimension, (2) the relative minimum distance of the codes, and (3) the relative minimum distance of the dual set of codes. Given values for two of them, one aims at finding a set of nested codes having parameters with these values and with the remaining parameter being as large as possible. In this work we study nested codes from the Hermitian curve. For not too small codimension, we present improved constructions and provide closed formula estimates on their performance. For small codimension we show how to choose pairs of one-point algebraic geometric codes in such a way that one of the relative minimum distances is larger than the corresponding non-relative minimum distance.

Introduction

In this paper we study improved constructions of nested code pairs from the Hermitian curve. Here the phrase ‘improved construction’ refers to optimizing those parameters important for the corresponding linear ramp secret sharing schemes as well as stabilizer asymmetric quantum codes. Our work is a natural continuation of [7], where improved constructions of nested code pairs were defined from Cartesian product point sets. The analysis in the present paper includes a closed formula estimate on the dimension of order bound improved Hermitian codes, which is of interest in its own right, i.e. also without the above mentioned applications.

A linear ramp secret sharing scheme is a cryptographic method to encode a secret message in ${\mathbb{F}}_q^{\ell }$ into n shares from ${\mathbb{F}}_q$. These shares are then distributed among a group of n parties and only specified subgroups are able to reconstruct the secret. A secret sharing scheme is characterized by its privacy number t and its reconstruction number r. The first is defined as the largest number such that no subgroup of this size can obtain any information on the secret. The second is defined to be the smallest number such that any subgroup of this size can reconstruct the entire secret. A linear ramp secret sharing scheme can be understood as the following coset construction. Consider linear codes $C_2\subset C_1\subseteq {\mathbb{F}}_q^n$. Let $\{{\overrightarrow{b}}_1,\dots ,{\overrightarrow{b}}_{k_2}\}$ be a basis for $C_2$ and extend it to a basis $\{{\overrightarrow{b}}_1,\dots ,{\overrightarrow{b}}_{k_2},{\overrightarrow{b}}_{k_2+1},\dots ,{\overrightarrow{b}}_{k_2+\ell }\}$ for $C_1$. Here, of course, ℓ is the codimension of $C_1$ and $C_2$. Choose elements $a_1,\dots ,a_{k_2}$ uniformly and independent at random and encode the secret $\overrightarrow{s}=(s_1,\dots ,s_{\ell })$ as the codeword $\overrightarrow{c}=(c_1,\dots ,c_n)=a_1{\overrightarrow{b}}_1+\cdots +a_{k_2}{\overrightarrow{b}}_{k_2}+s_1{\overrightarrow{b}}_{k_2+1}+\cdots +s_{\ell }{\overrightarrow{b}}_{k_2+\ell }$. Then use $c_1,\dots ,c_n$ as the shares. The crucial parameters for the construction are the codimension of the pair of nested codes and their relative minimum distances $d(C_1,C_2)$ and $d(C_2^{\perp },C_1^{\perp })$. Recall that these are defined as

$$d(C_1,C_2)=\min \{w_H(\overrightarrow{c})|\overrightarrow{c}\in C_1\backslash C_2\}$$

and similar for the dual codes. The following well-known theorem (see for instance [15]) shows how to determine the privacy number and the reconstruction number.

Theorem 1

Given ${\mathbb{F}}_q$-linear codes $C_2\subset C_1$ of length n and codimension ℓ, the corresponding ramp secret sharing scheme encodes secrets $\overrightarrow{s}\in {\mathbb{F}}_q^{\ell }$ into a set of n shares from ${\mathbb{F}}_q$. The privacy number equals $t=d(C_2^{\perp },C_1^{\perp })-1$, and the reconstruction number is $r=n-d(C_1,C_2)+1$.

A linear q-ary asymmetric quantum error-correcting code is a $q^k$ dimensional subspace of the Hilbert space ${\mathbb{C}}^{q^n}$ where error bases are defined by unitary operators Z and X, the first representing phase-shift errors, and the second representing bit-flip errors [2], [21], [14]. In [13] it was identified that in some realistic models phase-shift errors occur more frequently than bit-flip errors, and the asymmetric codes were therefore introduced [13], [19], [5], [16], [25] to balance the error correcting ability accordingly. For such codes we write the set of parameters as ${[[n,k,d_z/d_x]]}_q$ where $d_z$ is the minimum distance related to phase-shift errors and $d_x$ is the minimum distance related to bit-flip errors. The CSS construction transforms a pair of nested classical linear codes $C_2\subset C_1\subseteq {\mathbb{F}}_q^n$ into an asymmetric quantum code. From [19] we have

Theorem 2

Consider linear codes $C_2\subset C_1\subseteq {\mathbb{F}}_q^n$. Then the corresponding asymmetric quantum code defined using the CSS construction has parameters

$${[[n,\ell =\dim C_1-\dim C_2,d_z/d_x]]}_q$$

where $d_z=d(C_1,C_2)$ and $d_x=d(C_2^{\perp },C_1^{\perp })$.

Quantum codes with $d(C_1,C_2)>d(C_1)$ or $d(C_2^{\perp },C_1^{\perp })>d(C_2^{\perp })$ are called impure, and they are desirable due to the fact that one can take advantage of this property in connection with the error-correction. More precisely, one can tolerate $\lfloor (d(C_1,C_2)-1)/2\rfloor$ phase-shift errors and $\lfloor (d(C_2^{\perp },C_1^{\perp })-1)/2\rfloor$ bit-flip errors, respectively, but in the decoding algorithms it is only necessary to correct up to $\lfloor (d(C_1)-1)/2\rfloor$ and $\lfloor (d(C_2^{\perp })-1)/2\rfloor$ errors, respectively. Despite this observation, only few impure codes have been presented in the literature.

With the above two applications in mind, the challenge is to find nested codes $C_2\subset C_1$ such that two of the parameters ℓ, $d(C_1,C_2)$, $d(C_2^{\perp },C_1^{\perp })$ attain given prescribed values, and the remaining parameter is as large as possible. In this paper we analyse two good constructions from the Hermitian function field. In the first we consider code pairs such that $C_1$ is an order bound improved primary code [1], [10] and such that $C_2$ is the dual of an order bound improved dual code [12]. Considering in this case the minimum distances rather than the relative distances is no restriction due to the optimized choice of codes – the minimum distances $d(C_1)$ and $d(C_2^{\perp })$ being so good that there is essentially no room for $d(C_1,C_2)>d(C_1)$ or $d(C_2^{\perp },C_1^{\perp })>d(C_2^{\perp })$ to hold. For this construction to work, the codimension cannot be very small. For small codimension when $d(C_1)$ and $d(C_2^{\perp })$ are far from each other we then show how to choose ordinary one-point algebraic geometric codes such that one of the relative distances becomes larger than the corresponding ordinary minimum distance. In particular, this construction leads to impure asymmetric quantum codes.

The paper is organized as follows. In Section 2 we collect material from the literature on how to determine parameters of primary and dual codes coming from the Hermitian curve, and we introduce the order bound improved codes.¹ In Section 3 we establish closed formula lower bounds on the dimension of order bound improved Hermitian codes of any designed minimum distance. We then continue in Section 4 by determining the pairs $({\delta }_1$, ${\delta }_2)\in \{1,\dots ,n\}\times \{1,\dots ,n\}$ for which the order bound improved primary code $C_1$ of designed distance ${\delta }_1$ contains $C_2$, the dual of an order bound improved dual code of designed distance ${\delta }_2$. This and the information from Section 3 is then translated into information on improved nested code pairs of not too small codimension in Section 5. Next, in Section 6 we determine parameters of nested one-point algebraic geometric code pairs of small codimension for which one of the relative distances is larger than the non-relative. Finally, in Section 7 samples of the given constructions are compared with known asymmetric quantum codes, with existence bounds on asymmetric quantum codes, and with non-existence bounds on linear ramp secret sharing schemes. Section 8 is the conclusion.