Low-Rank Parity-Check Codes Over Finite Commutative Rings And

Low-Rank Parity-Check Codes Over Finite Commutative Rings and Application to Cryptography Hermann Tchatchiem Kamche, Herve´ Tale´ Kalachi, Franck Rivel Kamwa Djomou, Emmanuel Fouotsa

Abstract—Low-Rank Parity-Check (LRPC) codes are a class third round of this competition and the recent generic attacks of rank metric codes that have many applications specifically [6], [7] which considerably improved the cost of all known in cryptography. Recently, LRPC codes have been extended to decoding attacks. And this, even if we are only talking about Galois rings which are a specific case of finite rings. In this paper, we first define LRPC codes over finite commutative local rings, a reduction of security levels of rank based candidates. which are bricks of finite rings, with an efficient decoder and Note that the attacks from [6], [7] exploit the fact that the derive an upper bound of the failure probability together with code used is defined on a finite field. A natural question that the complexity of the decoder. We then extend the definition to generally arises is that of knowing what would become these arbitrary finite commutative rings and also provide a decoder attacks if we are dealing with a code defined on another poorer in this case. We end-up by introducing an application of the corresponding LRPC codes to cryptography, together with the algebraic structure such as finite rings for example. In this case new corresponding mathematical problems. of finite rings, it is interesting to precede such a question by defining LRPC codes over finite rings as well as an application Index Terms—Cryptography; Decoding Algorithm; Finite Rings; Galois Extension; LRPC Codes; Local Rings; Rank Metric to cryptography. Codes. It was recently shown in [8] that LRPC codes can be generalized to the ring of integers modulo a prime power. This work was followed by [9] where the authors generalized the I.INTRODUCTION results of [8] to Galois rings. LRPC codes over finite fields were first introduced in [1] si- In this paper, we use the structure theorem for finite commu- multaneously with an application to cryptography. These codes tative rings [10] to generalize the definition of LRPC codes have two peculiarities which make them attractive enough for over finite commutative rings. We also provide a decoding cryptographic applications. First, LRPC codes are rank metric algorithm, a correction capability together with an upper bound codes [2]. In code-based cryptography, this metric is very of the failure probability of our decoding algorithm. We end- famous because it makes generic attacks [3], [4] in the context up by introducing an application of the corresponding LRPC of Hamming metric impracticable. Therefore, decoding attacks codes to cryptography, together with the corresponding new are more expensive in practice for rank metric compared mathematical problems. to Hamming metric. Second, LRPC codes are by definition The rest of the paper is organized as follows: in Section analogues of low-density parity-check codes [5]. Thus, they II, we give some properties and mathematical notions that have a poor algebraic structure, which makes several known will be needed throughout the paper. That is, the resolution structural attacks impracticable. of linear systems, the rank, the free-rank and the product of Rank metric based cryptography and LRPC codes have re- two submodules in the Galois extension of finite commutative ceived a lot of attention these recent years thanks to the NIST 1 local rings. In Section III, we define LRPC codes over finite arXiv:2106.08712v1 [cs.IT] 16 Jun 2021 competition for Post-Quantum Cryptography Standardization, commutative local rings with a decoding algorithm and its where several code based candidates using LRPC codes went complexity. We also give an upper bound for the failure prob- up to the second round of the competition. However, it is ability. In Section IV, we generalize the definition of LRPC today difficult to ignore the existence of a link between the codes to finite commutative rings and propose in Section V a absence of a candidate from rank based cryptography in the cryptosystem for its applications in cryptography and finally, conclusions and perspectives are given in Section VI. Hermann Tchatchiem Kamche is with the Department of Mathemat- ics, Faculty of Science, University of Yaounde I, Cameroon e-mail: II.PRELIMINARIES [email protected]. Herve´ Tale´ Kalachi is with the Department of Computer Engineering, Let R be a finite commutative ring. The set of units in R will National Advanced School of Engineering of Yaounde,´ University of Yaounde be denoted by R∗. The set of all m × n matrices with entries I, Cameroon e-mail: (see http://perso.prema-a.org/herve.tale-kalachi/). from R will be denoted by Rm×n. The k × k identity matrix Franck Rivel Kamwa Djomou is with the Department of Mathematics and m×n Computer Science, Faculty of Science, University of Dschang, Cameroon e- is denoted by Ik. Let A ∈ R , we denote by row (A) and mail: [email protected]. col (A) the R−submodules generated by the row and column Emmanuel Fouotsa is with the Department of Mathematics, Higher vectors of A, respectively. Teacher Training College, University of Bamenda, Cameroon e-mail: em- n [email protected]. Let {a1,..., ar} be a subset of R . The R−submodule of 1 n National Institute of Standards and Technology R generated by {a1,..., ar} is denoted by ha1,..., ariR. 2

Recall that {a1,..., ar} is linearly independent over R if The solutions of Equation (3) are (3, 2, 2, 2); (1, 2, 3, 0); whenever α1a1 + ··· + αrar = 0 for some α1, . . . , αr ∈ R, (3, 2, 0, 2); (1, 2, 1, 0). then α1 = 0, . . . , αr = 0. If {a1,..., ar} is linearly inde- Thus, the solutions of Equation (2) are (3 + 2ξ, 2 + 2ξ); pendent, then we say that it is a basis of the free module (1 + 3ξ, 2); (3, 2 + 2ξ); (1 + ξ, 2). ha1,..., ariR. If the column vectors of A are linearly independent, then A local ring is a ring with exactly one maximal ideal. As an Equation (1) is easy to solve using the following: k m×n example, the ring Zpk of integers modulo p , p is a prime, is a Proposition 2.3: Let A ∈ R . Assume that the column local ring whose the maximal ideal is pZpk . By [10, Theorem vectors of A are linearly independent. Then there is an VI.2] each finite commutative ring can be decomposed as a invertible matrix P ∈ Rm×m such that direct sum of a local rings. Using this decomposition, some I PA = n results over local rings can naturally be extended to finite rings. 0 Thus, in this section, we will first study some properties that we will need over finite commutative local rings. Moreover, P can be calculated in time O (mn min {m, n}) = O mn2. Proof. In [12], Fan et al. proved the existence of P and A. Linear Equations Over Finite Commutative Local Rings calculated it using the Gaussian elimination. Thus, as in In the decoding algorithm, we will solve linear equations. the case of fields, the computation can be done in time 2 In [11], Bulyovszky and Horvath´ gave a good method to solve O (mn min {m, n}) = O mn . linear equations over finite local rings. In this subsection, we Corollary 2.4: Assume that the column vectors of the matrix assume that R is a local ring with maximal ideal m and residue A of Equation (1) are linearly independent. Then, Equation (1) can be solved in O (mn min {m, n}) = O mn2 operations. field Fq = R/m. By [10], there is a positive integer υ such that |R| = qυ and |m| = qυ−1 where |R| and |m| are respectively the cardinality of R and m. Set q = pµ where p is a prime B. Rank and Free-Rank of Modules ς number. Then the characteristic of R is p where ς is a non As in [13], we recall here the notions of Rank and Free-rank negative integer. As in [11], There is a subring R0 of R such for modules. ς that R0 is isomorphic to the Galois ring of characteristic p Definition 2.5: (Rank of a module) Let R be a finite µς and cardinality p , that is, a ring of the form Zpς [X] / (hµ) commutative ring. Let M be a finitely generated R−module. ς where hµ ∈ Zp [X] is a monic polynomial of degree µ, where (i) The rank of M, denoted by rkR (M), or simply by its projection in Zp [X] is irreducible. Considering R as an rk (M), is the smallest number of elements in M which R0−module, there are z1, . . . , zγ ∈ R such that R = R0z1 ⊕ generate M as an R−module. · · · ⊕ R0zγ . (ii) The free rank of M, denoted by frkR (M) or simply by Consider the linear system frk (M), is the maximum of the ranks of free R−submodules of M. Ax = b (1) Proposition 2.6: [14] Let F be a finitely generated with unknown x ∈ Rn×1, where A ∈ Rm×n and b ∈ Rm×1. free R−module and {e1, . . . , en} be a basis of F . Then In [11], Bulyovszky and Horvath´ transformed Equation (1) frkR (F ) = rkR (F ) = n and any generating set of F to a linear system of γm equations of γn unknowns over consisting of n elements is a basis of F . the Galois ring R0. Then, they used Hermite normal form to Corollary 2.7: Let M be a finitely generated R−module. solve them. In [11], the complexity of this algorithm is given Then, M is a free module if and only if frkR (M) = as follows: rkR (M). Proposition 2.1: Assume that for all r ∈ R we have computed ri ∈ R0 such that r = r1z1 + ··· + rγ zγ . Then C. Rank and Free-Rank Over Finite Local Rings 3 Equation (1) can be solved in time O mn min {m, n} γ . In this subsection, we give some characterizations of rank 2 Example 2.2: R = Z4 [X] / X is a local ring where and free-rank over finite local rings. As in Subsection II-A, 2 2 the maximal ideal is generated by 2 + X and X + X . we assume that R is a local ring with maximal ideal m and Set ξ = X + X2. Then a maximal Galois subring of R is residue field Fq = R/m. The natural projection R → R/m R0 = Z4 and we have R = R0 ⊕ R0ξ. Let’s consider the is denoted by Ψ. We extend Ψ coefficient-by-coefficient as a system n n map from R to Fq . Remark 2.8: Let M be an R−module. Then M/mM is 2 ξ + 1 x1 0 = (2) a vector space over R/m where the scalar multiplication is ξ 2ξ + 1 x2 ξ + 2 given by (a + m, x + mM) 7−→ ax + mM. Set x1 = x1,1 +x1,2ξ and x2 = x2,1 +x2,2ξ, where xi,j ∈ R0, By [10, Theorem V.5], we have the following: for 1 ≤ i ≤ 2 and 1 ≤ j ≤ 2. Then, Equation (2) is equivalent Proposition 2.9: Let M be a finitely generated R−module. to:       Then 2 1 0 0 x1,1 0 rkR (M) = rkR/m (M/mM) .  0 1 0 0   x2,1   2      =   (3) Remark 2.10: Let M be a finitely generated R−module and  0 1 2 1   x1,2   0  1 2 0 1 x2,2 1 N be a submodule of N. If R is not a finite principal ideal 3

ring, then we can have rkR (M) < rkR (N). For example, not. In the following, we will show how we can solve this 2 T = Z4 [X] / X is a local ring where the maximal ideal Q problem. 2 2 s×n is generated by 2+ X and X+ X . We have rkT (T ) = 1 Lemma 2.15: Let A ∈ R . Then, there are an invertible s×s and rkT (Q) = 2. matrix P ∈ R and an n × n permutation matrix Q such The following proposition gives the upper bound of the rank that A = PTQ, with of the submodules. T T Proposition 2.11: Let M be a finitely generated R−module T = 1 2 0 T and N be a submodule of M. Let R0 be a maximal Galois 3 subring of R and γ = rkR (R). Then, 0 where T1 is an r × r upper uni-triangular matrix, T2 is in r×(n−r) rkR (N) ≤ γrkR (M) . R and T3 is an (s − r) × (n − r) matrix with entries in m. R R Proof. The two rings and 0 have de same residue field Proof. Since R is a local ring with maximal ideal m, if x ∈ R , = R/m q = pµ p Fq . Set where is a prime number. Then, the then x is a unit or x ∈ m. So, if we take the pivots as invertible R pR N/pN −→ N/mN maximal ideal of 0 is 0. The map elements then using elementary row and column operations, x+pN 7−→ x+mN given by is a surjective Fq-linear map. So, the result follows. rk (N/mN) ≤ rk (N/pN). Therefore, by Proposition 2.9, Fq Fq Proposition 2.16: Let N be a submodule of Rn. Let A be rk (N) ≤ rk (N). Since N ⊂ M and R is a principal R R0 0 an s × n matrix whose rows generate N. Assume that A is ideal ring, by [15, Proposition 3.2], rk (N) ≤ rk (M). As R0 R0 decomposed as in Lemma 2.15. Then, frk (N) = r and N R is a R −module of rank γ, then rk (M) ≤ γrk (M). R 0 R0 R is a free module if and only if T = 0. Thus, the result follows. 3 Proof. The rows of TQ generate N. Therefore, by Proposition Lemma 2.12: Let F be a free R−module of rank n. Let 2.14, the result follows. {e , . . . , e } ⊂ F . Then {e , . . . , e } is a basis of F if and 1 n 1 n Example 2.17: See Appendix A. only if {e1 + mF, . . . , en + mF } is a basis of F/mF . Proof. See [10, Theorem V.5]. Algorithm 3 of Appendix B gives an implementation of Lemma 2.13: Let F be a free R−module of rank n . Let Proposition 2.16. As in the case of the row reduction algorithm over fields, we have the following: {x1, . . . , xr} ⊂ F . Then {x1, . . . , xr} is linearly independent Proposition 2.18: Let N be a submodule of Rn. Assume if and only if {x1 + mF, . . . , xr + mF } is linear independent. that N is generated by s elements. Then, the computation of Proof. Assume that {x1, . . . , xr} is linearly independent. the free-rank of N and the test to know if N is a free module Then, By [12, Proposition 2.11], there is {xr+1, . . . , xn} ⊂ F or not can be done in O (ns min {n, s}) operations in R. such that {x1, . . . , xn} is a basis of F . by Lemma 2.12, {x1 + mF, . . . , xn + mF } is a basis of F/mF . Thus, We end this subsection with the following lemmas which {x1 + mF, . . . , xr + mF } is linearly independent. will be used in the next section. Conversely, assume that {x1 + mF, . . . , xr + mF } is lin- Lemma 2.19: [16, Lemma 2.3 ] The number of ways of early independent. Since F/mF is a vector space over R/m, choosing r linearly independent vectors in Rn is there is {xr+1 + mF, . . . , xn + mF } ⊂ F/mF such that r−1 Y {x1 + mF, . . . , xn + mF } is a basis of F/mF . By Lemma q(υ−1)nr qn − qi . 2.12, {x1, . . . , xn} is a basis of F . Thus, {x1, . . . , xr} is i=0 linearly independent. n As the vector space Rn/mRn is isomorphic to (R/m)n, we Lemma 2.20: Let V be a free submodule of (R/m) of have the following: rank r. The number of free submodules U of Rn of rank r Proposition 2.14: Let N be a submodule of Rn. Then, such that Ψ(U) = V is qr(n−r)(υ−1). r Proof. Let V be the set of all (v1,..., vr) in V such frkR (N) = rkR/m (Ψ (N)) . that {v1,..., vr} is a basis of V . Let U be the set of all n r Proof. By Lemma 2.13, frkR (N) = 0 if and only if (u1,..., ur) in (R ) such that (Ψ (u1) ,..., Ψ(ur)) ∈ V. Ψ(N) = {0}. Now assume that frkR (N) 6= 0. Let K be By Lemma 2.13, if (u1,..., ur) ∈ U then {u1,..., ur} is n a free submodule of N such that frkR (N) = rkR (K). linearly independent. Let U be a free submodule of R of Then, by Lemma 2.13, rkR (K) = rkR/m (Ψ (K)). As rank r such that Ψ(U) = V . By Lemma 2.13, if {u1,..., ur} Ψ(K) ⊂ Ψ(N), we have rkR/m (Ψ (K)) ≤ rkR/m (Ψ (N)). is a basis of U then (u1,..., ur) ∈ U. Let GLr (R) be Thus, frkR (N) ≤ rkR/m (Ψ (N)). a set of r × r invertible matrices with entries in R. The Let {b1,..., br} ⊂ N such that {Ψ(b1) ,..., Ψ(br)} is a binary relation on U given by (u1,..., ur) is related to 0 0 basis of Ψ(N). Set L = hb1,..., bri. Then, by Lemma 2.13, (u1,..., ur) if and only if there is P ∈ GLr (R) such that 0 0 L is a free module and rkR (L) = rkR/m (Ψ (N)). But by (u1,..., ur) = (u1,..., ur) P is an equivalence relation. the definition of the free rank, frkR (N) ≥ rkR (L). Thus, Every equivalence class has the same number of elements as frkR (N) ≥ rkR/m (Ψ (N)). GLr (R). The number of equivalence classes, denoted by θ, is equal to the number of free submodules U of Rn of rank r By Proposition 2.14, the computation of the free-rank over such that Ψ(U) = V . Thus, |U| = θ |GLr (R)|. If y ∈ R/m, finite local rings is reduced to finite fields. However, this then the number of elements x ∈ R such that Ψ(x) = y proposition does not show whether N is a free module or is |m| . Consequently, |U| = |V| |m|nr. By Lemma 2.19, 4

r−1 r−1 (υ−1)r2 Q r i Q r i By [17, Proposition 3.3], |GLr (R)| = q q − q and |V| = q − q . i=0 i=0 αβ−m Thus, the result follows. Pr frkR/m (ψS (B) K) = αβ ≥ 1 − αq . Therefore, as |A0| / |A| = |K0| / |K| by (4) and (5), we have D. The Product of Two Submodules Over Local Rings Pr (frk (AB) = αβ) ≥ 1 − αqαβ−m. In this subsection, we prove that some results of [17, Section R 3] can be extended to finite local rings. We continue with the same notations as in Subsection II-A, that is, R is a local ring Similarly to [17, Proposition 3.5], we have the following: with maximal ideal m and residue field Fq = R/m. Let m be a Proposition 2.25: Let B be a fixed free submodule of S nonzero positive integer. By [10], R admits a Galois extension of rank β such that B2 := BB is a free module and 1 ∈ B. of dimension m, denoted by S. Moreover, S is also a local Assume that m is chosen such that the smallest intermediate 0 0 ring, with maximal ideal M = mS and residue field Fqm . So, ring R between R and S, R R ⊆ S has cardinality greater S is a free R−module of rank m. Therefore, the R−module than |R|β. Let A be drawn uniformly at random from the set S Rm is isomorphic to . As in [15], we have the following: of free submodules of S of rank α. Let {bi}1≤i≤β be a basis Lemma 2.21: Let y ∈ S. If {y} is linearly independent over −1 of B. Set V = AB and Vi = bi V , for i = 1, . . . , β. Then, R, then y is a unit. β (αβ(β+1)/2)−m Proof. The proof is similar to that [15, Lemma 2.4]. Pr ∩i=1Vi = A ≥ 1 − αq . Definition 2.22: Let A and B be two R−submodules of S. The product module of A and B, denoted by AB, is the Proof. Using Proposition 2.24, the proof is similar to that of R−submodule of S generated by {ab : a ∈ A, b ∈ B}. [17, Proposition 3.5] and [8, Theorem 14]. Remark 2.23: Let A and B be two R−submodules of S, then : III.LRPCCODES OVER FINITE LOCAL RINGS 1) A + B, A ∩ B and AB are not necessary free modules. In this Section, we use the same notations as in Subsection As an example, see Appendix A. II-D, that is to say, R is a local ring with maximal ideal m 2) rkR (AB) ≤ rkR (A) rkR (B). and residue field Fq = R/m and S is a Galois extension of R 3) if A and B are two free modules and frkR (AB) = of dimension m. rkR (A) rkR (B) then AB is a free module. As in [17, Proposition 3.3], we have the following: A. Encoding and Decoding LRPC Codes Over Local Rings Proposition 2.24: Let B be a fixed free submodule of S Definition 3.1: Let k, n, λ be positive integers with 0 < of rank β. Let A be drawn uniformly at random from the set k < n. Let F be a free R-submodule of S of rank λ. Let (n−k)×n of free submodules of S of rank α. Then, the probability that H = (hi,j) ∈ S such that frkS (row (H)) = n − AB is a free R−module of rank αβ is k and F = h1,1, . . . , h(n−k),n R. A low-rank parity-check αβ−m code with parameters k, n, λ is a code with a parity-check Pr (frkR (AB) = αβ) ≥ 1 − αq . matrix H. Proof. Let ψS : S → S/mS be the natural projection. Let A Remark 3.2: Let C ⊂ Sn. By [12, Proposition 2.9], if C is be the set of all free R−submodules of S of rank α. Let K a free code of rank k then the dual of C is a free code of rank be the set of all free R/m-submodules of S/mS of rank α. n − k. By using [16, Theorem 2.5], As in [8], we give the following: |A| = qα(m−α)(υ−1) |K| . (4) Definition 3.3: Let λ, F and H be defined as in Definition 3.1. Let {f1, . . . , fλ} be a basis of F. For i = 1, . . . , n−k and Let A0 be the set of all A in A such that frk (AB) = Pλ R j = 1, . . . , n, let hi,j,` ∈ R such that hi,j = `=1 hi,j,`f`. αβ. Let K0 be the set of all K in K such that Set 0 frkR/m (ψS (B) K) = αβ. By Lemma 2.14, if A ∈ A then   0 0 h1,1,1 h1,2,1 ··· h1,n,1 ψS (A) ∈ K . Moreover if K ∈ K and K = ψS (A) where  h1,1,2 h1,2,2 ··· h1,n,2  A ∈ A then A ∈ A0. The binary relation on A0 given by    . . .. .  A1 is related to A2 if and only if ψS (A1) = ψS (A2) is  . . . .  (n−k)λ×n Hext =   ∈ R . an equivalence relation. The number of equivalence classes is  h2,1,1 h2,2,1 ··· h2,n,1  0   equal to |K |. By Lemma 2.20, every equivalence class has the  h2,1,2 h2,2,2 ··· h2,n,2    same number of elements which is qα(m−α)(υ−1). Thus, ...... 0 α(m−α)(υ−1) 0 |A | = q |K | . (5) Then, H has the n Assume that A is drawn uniformly at random from A and 1) unique-decoding property if λ ≥ n−k and K is drawn uniformly at random from K. Then, frkR (col (Hext)) = n, 0 2) maximal-row-span property if every row of the parity- Pr (frkR (AB) = αβ) = |A | / |A| check matrix H spans the entire space F, and 3) unity property if each entry hi,j of H is chosen in the nPλ ∗ o 0 set i=1 αifi : αi ∈ R ∪ {0} . Pr frkR/m (ψS (B) K) = αβ = |K | / |K| . 5

n Definition 3.4: Let u = (u1, . . . , un) ∈ S . The support of (i) frkR (S) = λt (syndrome condition); λ u is the R-submodule of S generates by {u1, . . . , un}. (ii) ∩i=1Si is a free module of rank t (intersection Lemma 3.5: (Unique Erasure Decoding) Assume the parity- condition). check matrix H fulfils the unique-decoding property. Let E Proof. Assume that the two conditions are fulfilled. As be a free support of rank t. If frkR (EF) = λt then, for any rkR (E) = t and rkR (F) = λ, then rkR (EF) ≤ λt. Since n−k n syndrome s ∈ S , there is at most one error vector e ∈ S S ⊂ EF and frkR (S) = λt, then frkR (EF) = rkR (EF) = with support E that fulfils HeT = sT . λt. So, by Corollary 2.7, EF is a free module of rank λt. λ Proof. The proof is similar to that of [8, Lemma 4]. Consequently, S = EF. Hence, E ⊂ ∩i=1Si. Therefore, since λ λ In the input of decoding algorithm given in [8, Algorithm ∩i=1Si and E are free modules of rank t, ∩i=1Si = E. As 1] , it is assumed that the receiver knows the rank of the frkR (EF) = λt and H fulfils the unique-decoding property, error. In the following, we give a similar algorithm without the erasure decoding with support E w.r.t. the syndrome s, as this condition. described in Lemma 3.5, allows to recover the error vector e.

Algorithm 1: Decoding Algorithm over Local Rings Remark 3.8: Note that in [8, Theorem 5] we have three Input: conditions. But in the proof of Theorem 3.7, we observe that • LRPC parity-check matrix H (as in Definition 4.3) the condition frkR (S) = λt implies the following condition: • a basis {f1, . . . , fλ} of F (iii) frkR (EF) = λt (product condition). • r = c + e , such that c is in the LRPC code C Thus, the three conditions (i), (ii), (iii) are equivalent to the given by H and e ∈ Sn. two conditions (i), (ii). Output: Code word c0of C or ”decoding failure”. T 1 s = (s1, . . . , sn−k) ←− rH B. Failure Probability 2 if s = 0 then In this subsection, we assume that F and H are defined 3 return r as in Definition 3.1. The lower bound on the product condi- 4 S ←− hs1, . . . , sn−kiR tion success probability is given by Proposition 2.24. More 5 if S is not a free module then specifically, we have the following: 6 return ”decoding failure” Lemma 3.9: Let t be a positive integer with tλ < m. Let E be the support of the error vector e ∈ Sn chosen uniformly 7 ν ←− frkR (S) 8 if λ does not divide ν then at random among all error vectors with free support of rank 9 return ”decoding failure” t. Then, 0 tλ−m 10 t ←− ν/λ Pr (frkR (EF) = tλ) ≥ 1 − tq 11 for i = 1, . . . , λ do −1 −1 Lemma 3.10: Let t be a positive integer with tλ < 12 S ←− f S = f s : s ∈ S i i i min {m, n − k + 1}. Let E be the support of the error vector 0 λ n 13 E ←− ∩i=1Si e ∈ S chosen uniformly at random among all error vectors 0 14 if E is not a free module then with free support of rank t. Let S be the support of the 15 return ”decoding failure” syndrome of e. Assume that H has the maximal-row-span 0 0 0 16 if frk (E ) 6= t or frk (E F) 6= ν then and unity properties and that frkR (EF) = λt. Then, 17 return ”decoding failure” tλ−1 Y i−(n−k) 0 18 if Erasure decoding with support E w.r.t. the Pr (frkR (S) = tλ|frkR (EF) = tλ) ≥ 1 − q syndrome s, i=0 as described in Lemma 3.5, has a solution e0 then Proof. Using Lemma 2.19, the proof is similar to that of [8, 0 19 return r − e Theorem 11]. 20 else Lemma 3.11: Let t be a positive integer with 21 return ”decoding failure” tλ (λ + 1) /2 < m. Let E be the support of the error vector e ∈ Sn chosen uniformly at random among all error vectors with free support of rank t. Assume that F 2 is a free Remark 3.6: Algorithm 1 corrects only errors whose sup- module and 1 ∈ F. Assume that m is chosen such that the ports are free modules. smallest intermediate ring R0 between R and S, R R0 ⊆ S λ Theorem 3.7: Let F and H be defined as in Definition has cardinality greater than |R| . Assume that the syndrome 3.1. Let c be a code word of the LRPC code with a parity- condition is fulfilled. Then, check matrix H. Assume that H fulfils the unique-decoding Pr ∩λ S = E|frk (S) = tλ ≥ 1 − tq(tλ(λ+1)/2)−m. property and that the support E of the error vector e ∈ Sn is i=1 i R a free module of rank t. Let s be the syndrome of the error Proof. As in the proof of Theorem 3.7, frkR (S) = tλ if and e and S be the support of s. Let {f1, . . . , fλ} be a basis of only if S = EF and EF is a free module of rank tλ. Thus, −1 F. Set Si = fi S, for i = 1, . . . , λ. Then, Algorithm 1 with by Proposition 2.25, the result follows. input r = c + e returns c if the following two conditions are Theorem 3.12: Let c be a code word of the LRPC code with fulfilled: a parity-check matrix H. Let t be a positive integer such that 6 tλ (λ + 1) /2 < m and tλ < n − k + 1. Let E be the support and n  0 0 0  of an error vector e ∈ S chosen uniformly at random among e1,1 e1,2 ··· e1,t0 0 0 0 all error vectors with free support of rank t. Assume that:  e2,1 e2,2 ··· e2,t0  E0 =   . • H has the unique-decoding, maximal-row-span and unity  . . . .   . . . .  properties; 0 0 0 e e ··· e 0 •F 2 is a free module and 1 ∈ F; n,1 n,2 n,t 0 • m is chosen such that the smallest intermediate ring R Since frkR (col (Hext)) = n, by Proposition 2.3, in between R and S, R R0 ⊆ S has cardinality greater than O (n − k)λ × n2 ⊂ O λ × n3 operations in R, we can λ |R| . I compute an invertible matrix P such that PH = n . Then, Algorithm 1 with input r = c + e returns c with a ext 0 Pr (success) 2 probability at least: In O (n − k) λ2t0 operations in R, we can compute PB tλ−1 and recover E0. As, frk (S ) = λt0 ≤ n − k, we have tλ−m (tλ(λ+1)/2)−m Y i−(n−k) u 1 − tq 1 − tq 1 − q 2 O (n − k) λ2t0 ⊂ O λn3. i=0 Recall that we compute the coordinates si,u,` of si in the Proof. Let A, B, C and D be the events respectively defined 0 basis {εuf`}1≤u≤t0,1≤`≤λ. We will estimate the complexity of by A := “frk (EF) = λt”, B :=“frk (S) = λt”, 0 R R this computation. As, S =∼ Rm, let U ∈ Rλt ×m where rows C :=“∩λ S is a free module of rank t” and D :=“∩λ S = i=1 i i=1 i are the vector representations of ε0 f in Rm (for u = 1, ..., t0 E”. Then, by Theorem 3.7 , u ` and ` = 1, ..., λ) and let V be a matrix where rows are the m Pr (success) = Pr (B ∧ C) vector representations of si in R (for i = 1, ..., n − k). Then = Pr (B) Pr (C|B) . WU = V where   But, s1,1,1 s1,2,1 ··· s1,1,2 s1,2,2 ···  s2,1,1 s2,2,1 ··· s2,1,2 s2,2,2 ··· Pr (C|B) = Pr (D|B) . W =    . . . .  Since B implies A, we have  . . . .  sn−k,1,1 sn−k,2,1 ··· sn−k,1,2 sn−k,2,2 ··· Pr (B) = Pr (A ∧ B) As frk (EF) = λt0, the rows of U are linearly independent. = Pr (A) Pr (B|A) R Thus, by Proposition 2.3, in O mt02λ2 ⊂ O mn2 opera- Therefore, tions in R , we can compute an invertible matrix Q such that 2 UQ = It0λ 0 . In O m (n − k) operations in R, we Pr (success) = Pr (A) Pr (B|A) Pr (D|B) can compute VQ and recover W . So, the result follows. Thus, by Lemma 3.9, Lemma 3.10 and Lemma 3.11, the result 2) Complexity of Intersection: Line 13 of Algorithm 1 follows. successively computes the intersection of a module and a free module. So, to give the complexity of this step, we will need C. Decoding Complexity the following: Lemma 3.14: Let N and G be two submodules of Rm such As in [9], we express complexities in terms of operations that G is a free module of rank r and rk (N) = s. Let R0 be in R. a maximal Galois subring of R and γ = rkR0 (R). Then the 1) Complexity of Erasure Decoding: Line 18 of Algorithm intersection of N and G can be done in O m2 max γ3s, r 1 solves a linear equation to recover the error vector. The operations. complexity of this step is given as follows: Proof. Let Nf and Ge be matrices that rows generate respec- Lemma 3.13: Line 18 of Algorithm 1 can be done in s 2 2 tively N and G. Let y ∈ N ∩ G. Then, there are x ∈ R O λn max n , m operations in R. 0 r 0 0 0 0 0 and x ∈ R such that y = xNf = x Ge. Since rows of Proof. Let E , s = (s1, . . . , sn−k), e = (e , . . . , e ), 2 1 n Ge are linearly independent, by Proposition 2.3, in O r m F = {f1, . . . , fλ} as in Algorithm 1 and Hext as in Definition 0 0 0 operations in R, one can compute the invertible matrix T 3.3. Let {ε1, . . . , εt0 } be a basis of E and let si,u,` ∈ R such 0 such that GT = Ir 0 . Set T = T1 T2 where Pλ Pt 0 e that si = si,u,`εuf`, for i = 1, . . . , n − k. Let `=1 u=1 0 T1 and T2 are respectively the m × r and m × (m − r) 0 0 Pt 0 0 0 also ei,u ∈ R such that ei = u=1 ei,uεu, for i = 1, . . . , n. submatrices of T . Then the equation xNf = x Ge is equivalent 0 0⊥ ⊥ 0 Note that ei,u are unknowns. The equation He = s is to x = xNTf 1 and xNTf 2 = 0. So, to find the inter- 0 equivalent to HextE = B where section of N and G it suffices to solve the linear equation   xNT = 0. By Proposition 2.1, this equation can be solved s1,1,1 s1,2,1 ··· s1,t0,1 f 2 in O γ3s (m − r) min {s, m − r} time. The product of two  s1,1,2 s1,2,2 ··· s1,t0,2     . . .  matrices Nf and T2 can be done in O (rm (m − r)) operations.  . . .  B =   Finally, as r ≤ m, the result follows.  s2,1,1 s2,2,1 ··· s2,t0,1    Lemma 3.15: Let R0 be a maximal Galois subring of R  s2,1,2 s2,2,2 ··· s2,t0,2  γ = rk (R)   and R0 . Line 13 of Algorithm 1 can be done in . . . 2 4 . . . O λnm γ operations in R. 7

j Proof. Let S and Si as in Algorithm 1. Set Nj = ∩u=1Su, for Fig. 1. The decoding success probability for λ = 2, k = 8, n = 20, m = 20 j = 1, . . . , λ. We have Nj+1 = Nj ∩ Sj+1. Therefore, to ﬁnd and R = Z4. the intersection of Si we successively compute Nj. By Propo- 0 sition 2.11, rkR (Nj) ≤ γλt , since Sj is a free R−module of 0 0 10 Bound of Renner et al.(2020) rank λt and Nj ⊂ Sj. So, by Lemma 3.14, the computation New Bound 2 3 0 0 Simulation of Nj ∩ Sj+1 can be done in O m max γ (γλt ) , λt ⊂ O nm2γ4, since λt0 ≤ (n − k) ≤ n. Thus, the computation λ 2 4 -1 of ∩u=1Su can be done in O λnm γ operations in R. 10 3) Overall Complexity: As in [9], we have the following: Lemma 3.16: An addition in S costs m additions in R. A multiplication in S can be done in

-2 2 10

O(mlog(m)log(log(m))) ⊂ O(m ) operations in R. rate failure Decoding Theorem 3.17: Let R0 be a maximal Galois subring of R and γ = rkR0 (R). Assume the inverse elements of f are precomputed. Then, Algorithm 1 costs i -3 O λγ4mn max n2, m2 operations in R. 10 Proof. Recall that ν = frk(S) ≤ n−k. We also have ν ≤ m.

0 1 2 3 4 5 6 7 Moreover at Line 10, we have ν = t λ. Error rank t • Line 1 computes the syndrome of the received word. This is a matrix multiplication by a vector. This is done with O(n(n − k)) ⊆ O(n2) operations in S, i.e. O(n2m2) operations in R. 1. We observe that the new bound of Theorem 3.12 is better • Lines 5-6 test whether S is a free module or not. By than the bound given by Renner et al.(2020). Proposition 2.18, This is done in O((n − k)m min{n − k, m}) ⊂ O(mn2) operations in R. • Lines 11-12 compute the submodules Si. Suppose we IV. LRPC CODES OVER ARBITRARY FINITE RINGS have a basis of S, then it obviously has cardinality ν. We have a generator family for Si by multiplying the In this section, we assume that R is finite commutative ring. −1 elements of the basis of S by fi . So we have ν By [10, Theorem VI.2] each finite commutative ring can be multiplications in S for every i. Thus the complexity decomposed as a direct sum of local rings. Thus, there is a 2 ∼ is O(λν) ⊂ O (λn) multiplications in S, i.e. O(λnm ) positive integer ρ such that R = R(1) × · · · × R(ρ), where operations in R. each R(j) is a finite commutative local ring, for j = 1, . . . , ρ. • Line 13 computes the intersection of the submodules Using this isomorphism, we identify R with R(1) ×· · ·×R(ρ). 2 4 Si. By Lemma 3.15, it can be done in O(λnm γ ) Let j ∈ {1, . . . , ρ}, we denote by m(j) the maximal ideal of

operations in R. R(j), Fq(j) = R(j)/m(j) its residue field and υ(j) the positive 0 υ(j) • Lines 14-15 test whether E is a free module or not. By integer such that R(j) = q(j) . Lemma 3.15, This can be done in O(mν min{m, ν}) ⊂ Let m be a positive integer and j ∈ {1, . . . , ρ}. By [10], 2 O(mn ) operations in R. R(j) admits a Galois extension of dimension m that we denote 0 0 0 • Lines 16-17 test whether frk(E ) 6= t or frk(E F) 6= γ. by S(j). Moreover, S(j) is also a local ring, with maximal The result of the first comparison is stored evaluated m ideal M(j) = m(j)S(j) and residue field Fq . Set S = S(1) × frk(E0) (j) in constant time since we already have from · · · × S(ρ). Then, S is a free R−module of dimension m. Let Line 14. The next step is then to compute the genera- Φ(j) : S −→ S(j) be the j-th projection map, for j = 1, . . . , ρ. E0F λt0 S n tors of ( multiplications in ) that is done in We extend Φ(j) coefficient-by-coefficient as a map from S to O(λt0m2) ⊂ O(nm2) R n operations in . By Proposition S . We also extend Φ(j) coefficient-by-coefficient as a map 0 (j) 2.18, the computation of the free-rank of E F can be from Sm×n to Sm×n. done in O(λt0m min{λt0, m} ⊂ O(nm2) operations in (j) Proposition 4.1: [12, Lemma 2.2] Let {a ,..., a } ⊂ Rn. R. 1 r 0 Then, {a1,..., ar} is R−linearly independent if and only • Line 18 recovers an error e by the Erasure decoding. if for all j ∈ {1, . . . , ρ} , Φ (a ) ,..., Φ (a ) is By Lemma 3.13, it can be done in O λn max n2, m2 (j) 1 (j) r R(j)−linearly independent. operations in R. n Proposition 4.2: Let N be a submodule of R . Set N(j) = The result follows with an appropriate mark-up. Φ(j) (N), for j = 1, . . . , ρ. Then, (i) rkR (N) = max1≤i≤ρ rkR(j) N(j) . D. Simulation Results (ii) N is a free R−module if and only if each N(j) is a free In the simulations, we compare the new bound of Theorem R(j)−module with the same rank. 3.12 and the bound given in [8, Theorem 15]. So, we use the (iii) frkR (N) = min1≤j≤ρ frkR(j) N(j) . same parameters as in [8], that is, λ = 2, k = 8, n = 20, Proof. (i) and (ii) have been proven in [13, Corollary 2.5]. m = 20 and R = Z4. The simulation results are in Figure (iii) follows from (ii). 8

By Proposition 4.2, the computation of rank and free-rank Theorem 4.6: Let R0(j) be the maximal Galois subring of over finite rings is reduced to local rings. R(j) and γ(j) = rkR0(j) (R(j)), for j = 1, . . . , ρ. Then the As in Definition 3.1, LRPC codes can be defined over the complexity of the decoding Algorithm 2 is arbitrary finite ring S. More precisely, we have the following: 2 2 4 O(ρλmn max n , m max {γ(j)}). Definition 4.3 (λ−FR-LRPC codes): Let k, n, λ be 1≤j≤ρ positive integers with 0 < k < n. Furthermore, let F be a free R-submodule of S with rank λ. Let H = Proof. The decoding Algorithm 2 consists in the application (n−k)×n (hi,j) ∈ S such that frkS (row (H)) = n − k and of Algorithm 1 in the LRPC codes C , for j = 1, . . . , ρ. Thus (j) F = h1,1, . . . , h(n−k),n R. A low-rank parity-check code C by Theorem 3.17, the result follows. over S, with parameters k, n, λ is a code with a parity-check Theorem 4.7: Let c be a code word of the LRPC code matrix H. with a parity-check matrix H. Let j ∈ {1, . . . , ρ}. Let t(j) be In the remaining of this section, we assume that C, F and a positive integer such that t(j)λ (λ + 1) /2 < m and t(j)λ < n H are defined as in Definition 4.3. The code C will be called n−k+1. Let E(j) be the support of an error vector e(j) ∈ S(j) a λ−FR-LRPC code. Set C(j) = Φ(j) (C), F(j) = Φ(j) (F) chosen uniformly at random among all error vectors with free n and H(j) = Φ(j) (H), for j = 1, . . . , ρ. By Proposition 4.2, support of rank t(j). Let e ∈ S such that Φ(j) (e) = e(j), for we have the following: j = 1, . . . , ρ. Assume that: Proposition 4.4: Let j ∈ {1, . . . , ρ}. Then, • H has the unique-decoding, maximal-row-span and unity (a) F(j) is a free R(j)-submodule of S(j) of rank λ. properties; •F 2 is a free module and 1 ∈ F; (b) frkS(j) row H(j) = n − k and the entries of H(j) generate F(j). • m is chosen such that the third assumption of Theorem (c) C(j) is an LRPC code over S(j) with parameters k, n, 3.12 is fulfilled for every S(j), j = 1, . . . , ρ. λ and a parity-check matrix H(j). Then, Algorithm 2 with input r = c + e returns c with a Since the projection of LRPC codes over a local ring is probability Pr (success) at least: also LRPC codes, we will use Algorithm 1 to give decoding ρ algorithm over the finite ring. Y t(j)λ−m (t(j)λ(λ+1)/2)−m 1 − t(j)q(j) 1 − t(j)q(j) P (j) j=1 Algorithm 2: Decoding algorithm Input: with t(j)λ−1 • LRPC parity-check matrix H (as in Definition 4.3) Y i−(n−k) P (j) = 1 − q • a basis {f1, . . . , fλ} of F (j) • r = c + e, such that c is in the LRPC code i=0 n C given by H and e ∈ S . Proof. Obvious since the Algorithm 2 fails if and only if Output: Codeword c0of C or ”decoding failure”. Algorithm 1 fails at least once when applied over the S(j). 1 if for j = 1, . . . , ρ, Algorithm 1 with input This means it succeeds if and only if Algorithm 1 succeeds Φ(j) (H), Φ(j) (f1) ,..., Φ(j) (fλ) and Φ(j) (r) over all the S , for j = 1, . . . , ρ. Thus by Theorem 3.12, the returns e0 (j) (j) result follows. then 0 2 return r − e 0 n where e is the element of S V. APPLICATION TO CRYPTOGRAPHY 0 0 such that Φ(j) (e ) = e(j) 3 else In this section, we explain how Low-Rank Parity-Check 4 return ”decoding failure” codes just defined over finite commutative rings can be used in cryptography and also setup the new corresponding mathematical problems. Recall that S = S(1) × · · · × S(ρ) n n Theorem 4.5: Let c be a code word of the LRPC code and Φ(j) : S −→ S(j) is the j-th projection map, for n with a parity-check matrix H. Let E be the support of the j = 1, . . . , ρ. For a vector u ∈ S , rkR(u) and frkR(u) will error vector e ∈ Sn. Let s be the syndrome of the error e respectively denote the rank and the free rank of the support of u. and S be the support of s. Let {f1, . . . , fλ} be a basis of F. −1 Set Si = fi S, for i = 1, . . . , λ. Let j ∈ {1, . . . , ρ}. Assume that Φ(j) (E) is a free module of rank t(j) and that H(j) fulfils the unique-decoding property. Then, Algorithm 2 with input A. Ring-LRPC Cryptosystem r = c + e returns c if the following conditions are fulfilled: The Ring-LRPC Cryptosystem is a natural use of Ring frk Φ (S) = λt j = 1, . . . , ρ (a) R(j) (j) (j), for ; LRPC codes in a McEliece setting [18]. Its key generation λ (b) ∩i=1Φ(j) (Si) is a free module of rank t(j), for j = algorithm takes as input the three positive integers k, n and 1, . . . , ρ. λ such that 0 < k < n and outputs the public key/private key Proof. The proof is a direct consequence of Theorem 3.7. pair (pk, sk). 9

a) KeyGen(k, n, λ) = (pk, sk): Definition 5.1 (Free Rank Decoding Problem FRD): Let (n−k)×n k×n 1) Let H = (hi,j) ∈ S be a parity-check matrix G ∈ S whose rows are linear independent, y an element n of a λ−FR-LRPC code C of rank k such that each of S and t an integer. The Free Rank Decoding Problem is n k hi,j belongs to a free R−submodule F of rank λ, as to find e in S and m in S such that y = mG + e with in Definition 4.3. rk (Φ (e)) = frk (Φ (e)) ≤ t k×n R(j) (j) R(j) (j) 2) Compute from H a generator matrix Gpub ∈ S of C and set for all j ∈ {1, ..., ρ}. Definition 5.2 (Finite Ring LRPC Distinguishing Problem FR − LRPC − D): Let H be a full-rank matrix belonging tpub = min {2m/λ (λ + 1) ; (n − k + 1) /λ} . to S(n−k)×n that is a parity check matrix of a FR-LRPC code 3) Return C with k ≤ n. Let D be the following distribution: k×n T D = {G ∈ S , GH = 0 with frkS (row (G)) = k} pk = (Gpub, tpub) and sk = (H, F). k×n To encrypt a message m ∈ Sk, apply the following We say that FR − LRPC − DS,n,k hold if for all G ∈ S , function: an adversary A has a negligible function to distinguish whether b) Encrypt(m, pk) = z: G belongs to D or not. 1) Generate a random error-vector e ∈ Sn such that VI.CONCLUSIONAND FUTURE WORKS

rkR(j) (Φ(j)(e)) = frkR(j) (Φ(j)(e)) ≤ tpub We have generalized the definition of LRPC codes to finite for all j ∈ {1, ..., ρ}. commutative rings with an efficient decoder. To achieve this goal, we have used the fact that each finite commutative ring 2) Return z = mGpub + e can be decomposed as a direct sum of finite commutative Decrypt() The decryption function takes as input a cipher- local rings. Thus, we first defined LRPC codes over finite z sk text and the private key and outputs the corresponding commutative local rings with a decoder. An upper bound for message m. 0 the failure probability and the complexity of the decoder is also c) Decrypt(z, sk) = m : given. These results are similar to the case of finite fields. Next, T T T T T 1) Compute s = Hz = HGpubm + He = He . we have extended the definition of LRPC codes over finite 0 2) And e = Dec.(H,F)(s), where Dec.(H,F) is the de- commutative rings with decoder consisting of the application coding algorithm given in Algorithm 2. Note that by of the decoder over local rings. The complexity and the failure 0 Theorem 4.7, e = e with high probability since probability of the decoder are also given. As in the case of rk (Φ (e)) = frk (Φ (e)) ≤ t finite fields, we have proposed a cryptosystem using LRPC R(j) (j) R(j) (j) pub codes. The security of this cryptosystem is based on new for all j ∈ {1, ..., ρ}. mathematical problems which will be studied in our future 0 3) Compute c − e = mGpub. works. 4) Return m. As in [8] we have given an algorithm which corrects certain types of errors that we have used in cryptography. For other applications, it will be interesting to give the decoding B. Security Assumptions and Underlying Mathematical Prob- algorithm for all types of errors, as in [9]. lems. As it is traditionally known in code-based cryptography, an REFERENCES adversary who intercepts the cipher text z, has two possibilities of attack to find the associated plaintext m: [1] P. Gaborit, G. Murat, O. Ruatta, and G. Zemor,´ “Low rank parity check codes and their application to cryptography,” • Knowing that z is a noisy codeword of C with a special in Proceedings of the Workshop on Coding and Cryp- noise (each projection of the noise here has a support tography WCC’2013, Bergen, Norway, 2013, available on www.selmer.uib.no/WCC2013/pdfs/Gaborit.pdf. that is a free module), the adversary can try to decode z [2] E. M. Gabidulin, A. V. Paramonov, and O. V. Tretjakov, “Ideals with the knowledge of Gpub. We assume here that the over a non-commutative ring and their applications to cryptography,” adversary ignore the fact that is a Low-Rank Parity- in Advances in Cryptology - EUROCRYPT’91, ser. Lecture Notes in C Comput. Sci., no. 547, Brighton, Apr. 1991, pp. 482–489. Check code. So this is typically the general decoding [3] E. Prange, “The use of information sets in decoding cyclic codes,” IRE problem in a code defined over a finite commutative ring, Transactions on Information Theory, vol. 8, no. 5, pp. 5–9, 1962. with an additional constraint on the error we are looking [4] A. Becker, A. Joux, A. May, and A. Meurer, “Decoding random binary linear codes in 2n/20: How 1 + 1 = 0 improves information set for. decoding,” in Advances in Cryptology - EUROCRYPT 2012, ser. Lecture • The code C is a disguised LRPC code. So a second Notes in Comput. Sci. Springer, 2012. possibility for the adversary is to try to discover the [5] M. Baldi, QC-LDPC Code-Based Cryptography. Springer Science & Business, 2014. disguised structure of the code C and then try to use [6] M. Bardet, P. Briaud, M. Bros, P. Gaborit, V. Neiger, O. Ruatta, and the informations discovered for an easy decoding. J. Tillich, “An algebraic attack on rank metric code-based cryptosys- tems,” in Advances in Cryptology - EUROCRYPT, ser. Lecture Notes in To summarise, the Ring-LRPC Cryptosystem is secure assum- Computer Science, A. Canteaut and Y. Ishai, Eds., vol. 12107. Springer, ing the hardness of the two following problems: 2020, pp. 64–93. 10

[7] M. Bardet, M. Bros, D. Cabarcas, P. Gaborit, R. A. Perlner, D. Smith- Thus, by Proposition 2.16, B is a free module of rank Tone, J. Tillich, and J. A. Verbel, “Improvements of algebraic attacks 2. for solving the rank decoding and minrank problems,” in Advances in Cryptology - ASIACRYPT, ser. Lecture Notes in Computer Science, vol. 3) We have 12491. Springer, 2020, pp. 507–536. A + B = ha, b, c, di [8] J. Renner, S. Puchinger, A. Wachter-Zeh, C. Hollanti, and R. Freij- Hollanti, “Low-rank parity-check codes over the ring of integers modulo with a = 3θ3 + 2θ + 3, b = 2θ4 + 2θ3 + 3θ + 1, c = θ4 + a prime power,” in IEEE International Symposium on Information 2θ3 +1, d = 2θ4 +3θ3 +2θ +3. The matrix whose rows Theory, ISIT 2020, Los Angeles, CA, USA, June 21-26, 2020. IEEE, 2 3 4 2020, pp. 19–24. are vector representations in the basis 1, θ, θ , θ , θ [9] J. Renner, A. Neri, and S. Puchinger, “Low-rank parity-check codes over of the generators of A + B is galois rings,” Designs, Codes and Cryptography, pp. 1–36, 2020. [10] B. R. McDonald, Finite rings with identity. Marcel Dekker Incorpo-  3 2 0 3 0  rated, 1974, vol. 28.  1 3 0 2 2  [11] B. Bulyovszky and G. Horvath,´ “Polynomial functions over finite MA+B =   . commutative rings,” Theoretical Computer Science, vol. 703, pp. 76–  1 0 0 2 1  86, 2017. 3 2 0 3 2 [12] Y. Fan, S. Ling, and H. Liu, “Matrix product codes over finite commutative Frobenius rings,” Designs, codes and cryptography, vol. 71, no. 2, Using elementary row operations, the matrix MA+B is pp. 201–227, 2014. equivalent to [13] S. T. Dougherty, J.-L. Kim, and H. Kulosman, “MDS codes over finite principal ideal rings,” Designs, Codes and Cryptography, vol. 50, no. 1,  1 2 0 1 0  p. 77, 2009.  0 1 0 1 2  [14] T.-Y. Lam, Lectures on modules and rings, 1st ed., ser. Graduate Texts MÂ+B =   . in Mathematics 189. Springer-Verlag New York, 1999.  0 0 0 1 3  [15] H. T. Kamche and C. Mouaha, “Rank-metric codes over finite principal 0 0 0 0 2 ideal rings and applications,” IEEE Transactions on Information Theory, vol. 65, no. 12, pp. 7718–7735, 2019. Thus, by Proposition 2.16, frkR (A + B) = 3 and [16] S. T. Dougherty and E. Salturk,¨ “Counting codes over rings,” Designs, A + B is not a free module. codes and cryptography, vol. 73, no. 1, pp. 151–165, 2014. [17] N. Aragon, P. Gaborit, A. Hauteville, O. Ruatta, and G. Zemor,´ “Low 4) We have rank parity check codes: New decoding algorithms and applications A ∩ B = 2θ3 + 2 to cryptography,” IEEE Transactions on Information Theory, vol. 65, no. 12, pp. 7697–7717, 2019. and, by Proposition 2.16, A ∩ B is not a free module. [18] R. J. McEliece, A Public-Key System Based on Algebraic Coding Theory. Jet Propulsion Lab, 1978, pp. 114–116, dSN Progress Report 44. 5) We have AB = ha, b, c, di APPENDIX A with a = 3θ3 + 3θ2 + 1, b = θ3 + 2θ2 + 3θ + 1, c = EXAMPLEOF INTERSECTIONAND PRODUCTOF 3θ4 + 2θ3 + θ2 + 3θ, d = 3θ4 + 3θ3 + 2θ2 + θ + 1 and, SUBMODULES by Proposition 2.16, AB is not a free module. 5 2 Set R = Z4, S = R [θ] = R [X] / X + X + 1 , A = 3θ3 + 2θ + 3, 2θ4 + 2θ3 + 3θ + 1 , APPENDIX B FREE MODULE TEST ALGORITHM and Let R be a finite commutative local ring and let N be a B = θ4 + 2θ3 + 1, 2θ4 + 3θ3 + 2θ + 3 . submodule of Rn. Then, Algorithm 3 computes the free-rank of N and tests whether N is a free module or not. 1) The matrix whose rows are vector representations in the basis 1, θ, θ2, θ3, θ4 of the generators of A is 3 2 0 3 0 M = . A 1 3 0 2 2

Using elementary row operations, the matrix MA is equivalent to 1 2 0 1 0 M = . gA 0 1 0 1 2 Thus, by Proposition 2.16, A is a free module of rank 2. 2) The matrix whose rows are vector representations in the basis 1, θ, θ2, θ3, θ4 of the generators of B is 1 0 0 2 1 M = . B 3 2 0 3 2

Using elementary row operations, the matrix MB is equivalent to 1 0 0 2 1 M = . gB 0 2 0 1 3 11

Algorithm 3: Free Module Test

Input: {a1,..., as} a generator of a submodule N of Rn where R is a ﬁnite commutative local ring. Output: (r,”N is a free module”) or (r,”N is not a free module”) where r is a free rank of N. a1  .  1 A := (ai,j) ←  .  # the matrix whose rows as are a1,..., as. 2 L1← {} # the list of columns that content a pivot 3 L2← {} # the list of columns that do not content a pivot 4 h←1 and k←−1. 5 while h ≤ s and k ≤ n do 6 PivotIsUnit←false 7 l←h 8 while l ≤ s and PivotIsUnit=false do 9 if al,k is a unit then 10 PivotIsUnit←true 11 else 12 l←l + 1

13 if PivotIsUnit=false then 14 L2←L2 ∪ {k} 15 k←k + 1 16 else 17 L1←L1 ∪ {k} 18 switch k-th row by the l-th row of A −1 19 u←al,k 20 al,k←1 21 for j ∈ {k + 1, . . . , n} ∪ L2 do 22 ah,j←u × ah,j 23 for i = h + 1 to n do 24 ai,k←0 25 for j ∈ {k + 1, . . . , n} ∪ L2 do 26 ai,j←ai,j − ai,k × ah,j

27 r← |L1| # the cardinality of L1 28 if r = s then 29 return (r,”N is a free module”) 30 else 31 if the s − r last rows of A is zero then 32 return (r,” N is a free module”) 33 else 34 return (r,”N is not a free module”)