**Decryption:**

(1) Calculate *c* = *cM*<sup>−</sup>1;

(2) Obtain *m* by syndrome decoding *c* in the code *C*.

Decryption is correct, since

$$w(hM^{-1}) = w(h),\tag{9}$$

it can be computed

$$\mathcal{L}^{\prime} = \mathcal{c}M^{-1} = (mH^{\prime} + h)M^{-1} = mH^{\prime}M^{-1} + hM^{-1} \tag{10}$$

$$c\mathcal{M}^{-1} = m\mathcal{H}^T \mathcal{M} \mathcal{M}^{-1} + h\mathcal{M}^{-1} \tag{11}$$

$$c\mathcal{M}^{-1} = m\mathcal{H}^T + h\mathcal{M}^{-1} \tag{12}$$

$$cM^{-1} - hM^{-1} = mH^T \tag{13}$$

and the procedure of syndrome decoding may be effectively used.

**Example 1.** *Consider an* [4, 2, 3]*-code <sup>C</sup> over* F3*. The generator matrix <sup>G</sup> and parity-check matrix H are*

$$G = \begin{pmatrix} 1 & 0 & 2 & 2 \\ 0 & 1 & 2 & 1 \end{pmatrix} \tag{14}$$

$$H = \begin{pmatrix} 1 & 1 & 1 & 0 \\ 1 & 2 & 0 & 1 \end{pmatrix}. \tag{15}$$

*C* = {0000, 0121, 0212, 1022, 1110, 1201, 2011, 2102, 2220}. Select any non-singular matrix *M* =  1 2 2 0 . The syndromes and coset leaders of C are as follows.


The size of different cosets of *C* is

$$3^{4-2} = 3^2 = 9.$$

So, there are also nine syndrome vectors, which are {00, 11, 12, 10, 01, 22, 21, 20, 02}. Calculate the matrix

$$H'=H^T \cdot M = \begin{pmatrix} 1 & 1 \\ 1 & 2 \\ 1 & 0 \\ 0 & 1 \end{pmatrix} \cdot \begin{pmatrix} 1 & 2 \\ 2 & 0 \end{pmatrix} = \begin{pmatrix} 0 & 2 \\ 2 & 2 \\ 1 & 2 \\ 2 & 0 \end{pmatrix} \tag{16}$$

and

$$M^{-1} = \begin{pmatrix} 0 & 2 \\ 2 & 2 \end{pmatrix}. \tag{17}$$

Let *h* be the syndrome vector (20). Since *d* = 3, *C* is the corrected *t* = 1 error. So, the public-key is

$$H' = \begin{pmatrix} 1 & 1 \\ 1 & 2 \\ 1 & 0 \\ 0 & 1 \end{pmatrix}, h = \begin{pmatrix} 20 \end{pmatrix} \tag{18}$$

and the private-key is

$$(G, H, M) = (\begin{pmatrix} 1 & 0 & 2 & 2 \\ 0 & 1 & 2 & 1 \end{pmatrix}) , \begin{pmatrix} 1 & 1 & 1 & 0 \\ 1 & 2 & 0 & 1 \end{pmatrix} , \begin{pmatrix} 1 & 2 \\ 2 & 0 \end{pmatrix}).\tag{19}$$

**Encryption:** Let the message vector be *m* = (1000) and *h* = (20). The cryptogram is

$$c = mH' + h = (1000) \cdot \begin{pmatrix} 0 & 2 \\ 2 & 2 \\ 1 & 2 \\ 2 & 0 \end{pmatrix} + (20) = (02) + (20) = (22). \tag{20}$$

**Decryption:** Calculate

*<sup>c</sup>* <sup>=</sup> *cM*−<sup>1</sup> = (22) ·  0 2 2 2 = (12). (21)

Since

$$c = mH' + h \tag{22}$$

and

$$H' = H^T \cdot M,\tag{23}$$

*c* is also equal to

$$\mathcal{L}^{\prime} = (mH^{\prime} + h)M^{-1} = mH^{\prime}M^{-1} + hM^{-1} = mH^{T}MM^{-1} + hM^{-1} \tag{24}$$

$$
\mathcal{c}' = m H^T + h M^{-1} . \tag{25}
$$

So,

$$(12) = (m\_1 m\_2 m\_3 m\_4) \cdot \begin{pmatrix} 1 & 1 \\ 1 & 2 \\ 1 & 0 \\ 0 & 1 \end{pmatrix} + (20) \cdot \begin{pmatrix} 0 & 2 \\ 2 & 2 \end{pmatrix}.\tag{26}$$

$$(12) = (m\_1 + m\_2 + m\_3, m\_1 + 2m\_2 + m\_4) + (01)\tag{27}$$

$$(12) - (01) = (m\_1 + m\_2 + m\_3, m\_1 + 2m\_2 + m\_4) \tag{28}$$

$$(11) = (m\_1 + m\_2 + m\_3, m\_1 + 2m\_2 + m\_4). \tag{29}$$

We get the message *m* = (1000) by solving the linear system.

**Proposition 1.** *The size of the plaintext is* log*<sup>q</sup>* ( *n t*).

**Proof.** The plaintext is an *n* − *q* tuple word of weight *t*. These are the integers between 1 and ( *n <sup>t</sup>*) to the set of words of weight *t* and length *n*. Therefore, the size of the plaintext is log*<sup>q</sup>* ( *n t*).

**Proposition 2.** *The size of the ciphertext is* (*n* − *k*).

**Proof.** Since the ciphertext is a (*n* − *k*) − *q* tuple word, the proof is clear.

**Corollary 2.** *The transmission rate of the new system is*

$$\frac{\log\_q(\binom{n}{t})}{(n-k)}.$$

**Proof.** The proportion of the number of information symbols to the number of transmitted symbols gives the transmission rate. So, it is

$$\frac{\log\_q(\binom{n}{t})}{(n-k)}.$$

**Proposition 3.** *Given a syndrome vector y of weight w, the number of eligible h's is* ( *w <sup>t</sup>*)(*<sup>q</sup>* − <sup>1</sup>)*<sup>t</sup>* .

**Proof.** It is known that the weight of *h* is *t*, and *h* is non-zero. Thus, the number of non-zero vectors of weight *t* among the vectors of *w* is ( *w <sup>t</sup>*)(*<sup>q</sup>* − <sup>1</sup>)*<sup>t</sup>* .

**Example 2.** *Let C be the extended binary Hamming code of parameters* [8, 4, 4]*. Its packing radius is 1. We examine some properties of the public-key cryptosystem based on C. The size of the plaintext is*

*The size of the ciphertext is*

*The transmission rate is*

log2 8 1 = log2 8 = 3. 8 − 4 = 4.

> log2 ( 8 1) (<sup>8</sup> <sup>−</sup> <sup>4</sup>) <sup>=</sup> 0, 75.
