COMPLEMENTARY DUAL CODES FOR COUNTER-MEASURES TO SIDE-CHANNEL ATTACKS

We recall why linear codes with complementary duals (LCD codes) play a role in counter-measures to passive and active side-channel analyses on embedded cryptosystems. The rate and the minimum distance of such LCD codes must be as large as possible. We recall the known primary construction of such codes with cyclic codes, and investigate other constructions, with expanded Reed-Solomon codes and generalized residue codes, for which we study the idempotents. These constructions do not allow reaching all the desired parameters. We then study those secondary constructions which preserve the LCD property, and we characterize conditions under which codes obtained by direct sum, direct product, puncturing, shortening, extending codes, or obtained by the Plotkin sum, can be LCD. and to t-th order residues (instead of quadratic). Our work goes beyond insofar as we consider any length co-prime with the field characteristic q (for our application, q = 2).


Introduction
Codes play a central role in digital communication. Recently, it has been shown that codes can also help improve the security of the information processed by sensitive devices, especially against so-called side-channel attacks (SCA) and non-invasive fault attacks. This paper recalls that linear codes with complementary duals (called LCD), which are linear codes whose intersection with their dual is trivial, play an important role in armoring implementations against these two kinds of non-invasive attacks. LCD codes, introduced by Massey [20], provide an optimum linear coding solution for the two-user binary adder channel. Some constructions are known [12,13,27]; some of them are within cyclic codes and in particular quadratic residue (QR) codes. As another example, maximum rank distance (MRD) codes generated by trace-orthogonal generator matrices are LCD codes [17]. Asymptotically good LCD codes exist [23].
However, SCA sheds a new light on LCD codes and poses more accurately the question of their effective construction achieving good minimum distance, especially in the context of large rate.
QR codes are not well adapted to this context, and we explore generalized residue codes (GRC), which are candidates for being LCD and for which theoretical results exist regarding their minimum distance [7]. However, in practically relevant cases, the results about minimum distances are void. Therefore, we complement the state-of-the-art of GRC, with the viewpoint of their construction and of the need for a lower bound on their minimum distance. We also introduce a way of constructing LCD codes by expanding Reed-Solomon codes. Finally, we study secondary constructions of LCD codes, which help reach the exact parameters needed in our framework.

Motivation
Implementations of cryptographic algorithms are prone to SCA and fault attacks that aim at extracting the secret key when the algorithm is running over some device. Non-invasive attacks observe some leakage (such as electromagnetic emanations) or perturb internal data (for example with electromagnetic impulses), without damaging the system. They are a special concern insofar as they leave no evidence that they have been perpetrated. Those attacks can be classified into two categories:
• Side-channel attacks (SCA), which consist in passively recording some leakage, that is the source of information to retrieve the key;
• Fault injection attacks (FIA), which consist in actively perturbing the computation so as to obtain exploitable differences at the output.
Few generic protections, demonstrably provable against both threats, have been proposed. The best understood and most studied protection against SCA is achieved with masking. Every sensitive datum x, say a binary vector, employed in the cryptographic algorithm is exclusive-ored with one uniformly distributed random vector of the same length, called the mask. We are interested in this article in homomorphic computation, meaning that the computations are carried out on the masked data itself. Therefore, it must be possible, from a masked sensitive variable, denoted by z, to recover x (e.g., for the final demasking at the end of the computation). This is possible if the sensitive data and the masks belong to two supplementary subspaces of a larger vector space. Indeed, by definition of supplementary subspaces, any element of the larger vector space decomposes in a unique way as the sum of two elements (in Boolean vector spaces, the sum is the exclusive-or, denoted by "+" in the sequel). It is thus decided to interpret those two elements as the sensitive data and the mask. This method is called Orthogonal Direct Sum Masking (ODSM), see [8].
We call n the dimension of this large vector space, which practically is $\mathbb{F}_2^n$. Now, we call C and D the two supplementary vector spaces: the masks are the codewords of code D. By the rank-nullity theorem, if the dimension of C is k, then the dimension of D is n − k. Let us consider generator matrices G and G' of C and D, respectively. Then every vector $z \in \mathbb{F}_2^n$ can be written in a unique way as $z = xG + yG'$, $x \in \mathbb{F}_2^k$, $y \in \mathbb{F}_2^{n-k}$. If C and D are furthermore
Proposition 1. Let C be a linear code. Let G be a generator matrix of C and H a parity-check matrix. Then the three following properties are equivalent:
1. C is LCD,
2. the matrix $HH^T$ is invertible,
3. the matrix $GG^T$ is invertible.
We deduce from $zH^T = yHH^T$ and $zG^T = xGG^T$, and from Proposition 1, that if C is LCD, the matrices of the two projections $z = xG + yH \mapsto x$ and $z \mapsto y$ are respectively (see also [20, Proposition 1]): Note that $G^T(GG^T)^{-1}$ is also known as the pseudo-inverse (or Moore-Penrose inverse [1]) $G^+$ of G.
The quality of the masking is an important factor. Let $\varphi : \mathbb{F}_2^n \to \mathbb{R}$ be a leakage function, which describes how z leaks outside of the device. The masked word z conceals the information x at first degree if, for every pseudo-Boolean function $\varphi : \mathbb{F}_2^n \to \mathbb{R}$ of unitary numerical degree [9, Sec. 2.1], the averages of $\varphi(z)$ over the masks $d \in D$ for a given x are equal irrespective of x. Indeed, first-degree attacks consist in correlating the measured leakage with a leakage model, the latter being precisely independent of x, since it equals the expectation of $\varphi(z)$ knowing x [22]. This means that, for all $x \in \mathbb{F}_2^k$, the sums $\sum_{y \in \mathbb{F}_2^{n-k}} \varphi(xG + yH)$ are the same, i.e., equal to $\sum_{y \in \mathbb{F}_2^{n-k}} \varphi(yH)$ (the value for x = 0). Now, this notion can be generalized (see [3, Def. 2]). A zero-offset masking countermeasure is of degree at least d if $\sum_{y \in \mathbb{F}_2^{n-k}} \varphi(xG + yH) = \sum_{y \in \mathbb{F}_2^{n-k}} \varphi(yH)$ for all $x \in \mathbb{F}_2^k$ and all $\varphi$ of numerical degree at most d. The greater the degree of the countermeasure, the harder it is to mount a successful SCA. Actually, it is known from [8, Proposition 3] that the countermeasure is (d − 1)-th degree secure if D has dual distance d, i.e., if C has minimum distance d. This result has been independently validated in [15] for d ∈ {1, 2}.
Let us now consider a fault injection attack (FIA). The state z is modified into z + ε, for some random $\varepsilon \in \mathbb{F}_2^n$. By supplementarity of C and D, there exists a unique ordered pair $(e, f) \in \mathbb{F}_2^k \times \mathbb{F}_2^{n-k}$ such that $\varepsilon = eG + fH$. A detection strategy could consist in decoding z into (x, y) and checking that we recover the genuine values unchanged. However, x is sensitive: the purpose of the protection is exactly to avoid representing x, by replacing it by z. The random variable y, from its side, does not convey any (statistically) exploitable information. So, checking whether or not the mask has been altered, i.e., whether $zH^T(HH^T)^{-1} = y$, is a harmless detection strategy. The check passes if and only if f = 0, i.e., ε ∈ C. As ε = 0 is pointless (since it has no observable effect), harmful faults only happen if ε ∈ C \ {0}. In particular, the Hamming weight of ε must be greater than or equal to the minimum distance d of code C for the fault not to be detected. Now, given that the minimum distance d of C is a design parameter, it is set as high as possible.
Therefore, having C be LCD with the greatest possible minimum distance simultaneously improves the resistance against SCA and FIA.
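The masking and fault-check steps above, as an added worked example (this is not code from the paper): it builds the [17,8,6] LCD cyclic code of Example 1 in Sec. 3.1 from its generator polynomial, verifies the Proposition 1 criterion (GG^T invertible) and the minimum distance by exhaustive enumeration, masks a word as z = xG + yH, recovers x and y through the pseudo-inverses G^T(GG^T)^{-1} and H^T(HH^T)^{-1}, and shows that a fault of weight below d is always caught by the mask check while a fault equal to a codeword of C is not. The message, mask and fault vectors are constructed sample values, and the generator matrix H of D is computed as a basis of the null space of G, a choice made here rather than one the paper prescribes.

```python
# Added example (not from the paper): ODSM masking with the [17,8,6] binary LCD cyclic code of
# Example 1 (generator polynomial X^9+X^6+X^5+X^4+X^3+1). It checks the LCD criterion of
# Proposition 1 (G G^T invertible), derives the projections z -> x and z -> y from the
# pseudo-inverses G^T (G G^T)^-1 and H^T (H H^T)^-1, and runs the fault check
# z H^T (H H^T)^-1 == y. Pure Python, GF(2) arithmetic on lists of bits.

N = 17
G_POLY = 0b1001111001                 # bit i = coefficient of X^i (constructed from Example 1)
K = N - (G_POLY.bit_length() - 1)     # dimension k = n - deg g = 8

def bits(word, n):
    """Binary vector of length n, coordinate i = bit i of word."""
    return [(word >> i) & 1 for i in range(n)]

def cyclic_generator_matrix(g, n):
    """Rows X^i g(X), i = 0..k-1: a generator matrix of the cyclic code generated by g(X)."""
    k = n - (g.bit_length() - 1)
    return [bits(g << i, n) for i in range(k)]

def transpose(m):
    return [list(col) for col in zip(*m)]

def mat_mul(a, b):
    """Matrix product over GF(2)."""
    bt = transpose(b)
    return [[sum(x & y for x, y in zip(row, col)) & 1 for col in bt] for row in a]

def rref(m):
    """Reduced row echelon form over GF(2); returns (rows, list of pivot columns)."""
    m = [row[:] for row in m]
    pivots, r = [], 0
    for c in range(len(m[0])):
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        for i in range(len(m)):
            if i != r and m[i][c]:
                m[i] = [x ^ y for x, y in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
        if r == len(m):
            break
    return m, pivots

def mat_inv(m):
    """Inverse of a square GF(2) matrix, or None when it is singular."""
    n = len(m)
    aug, pivots = rref([row + [int(i == j) for j in range(n)] for i, row in enumerate(m)])
    return [row[n:] for row in aug] if pivots == list(range(n)) else None

def null_space(m):
    """Basis of {v : M v^T = 0}: a generator matrix of the dual of the row space of M."""
    red, pivots = rref(m)
    basis = []
    for f in [c for c in range(len(m[0])) if c not in pivots]:
        v = [0] * len(m[0])
        v[f] = 1
        for i, p in enumerate(pivots):
            v[p] = red[i][f]      # pivot variable expressed through the free variable f
        basis.append(v)
    return basis

def is_lcd(gen):
    """Proposition 1: the code generated by gen is LCD iff G G^T is invertible."""
    return mat_inv(mat_mul(gen, transpose(gen))) is not None

def min_distance(gen):
    """Smallest weight of a nonzero codeword, enumerating all 2^k messages (small k only)."""
    k = len(gen)
    return min(sum(mat_mul([bits(msg, k)], gen)[0]) for msg in range(1, 1 << k))

G = cyclic_generator_matrix(G_POLY, N)   # k x n generator matrix of C
H = null_space(G)                        # (n-k) x n generator matrix of D = C^perp
G_PINV = mat_mul(transpose(G), mat_inv(mat_mul(G, transpose(G))))   # G^T (G G^T)^-1, n x k
H_PINV = mat_mul(transpose(H), mat_inv(mat_mul(H, transpose(H))))   # H^T (H H^T)^-1, n x (n-k)

def mask(x, y):
    """z = xG + yH: the sensitive word x (k bits) hidden under the mask codeword yH of D."""
    return [a ^ b for a, b in zip(mat_mul([x], G)[0], mat_mul([y], H)[0])]

def unmask(z):
    """The two projections: x = z G^T (G G^T)^-1 and y = z H^T (H H^T)^-1."""
    return mat_mul([z], G_PINV)[0], mat_mul([z], H_PINV)[0]

def fault_detected(z_faulty, y):
    """Harmless integrity check: recompute the mask index from z and compare it with y.
    A fault epsilon goes unnoticed exactly when epsilon is a nonzero codeword of C."""
    return unmask(z_faulty)[1] != y
```

The check never reconstructs x, so it can be run on the masked state at any point of the computation; only faults lying in C \ {0}, hence of weight at least d = 6 here, slip through it.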
There are two kinds of designs that can benefit from the described protection. The first one is the implementation of hardware accelerators for block ciphers, such as the AES. In this case, the data to protect are typically bytes, with k = 8 (see for instance this case study [8]). It is shown that an optimal linear code of parameters [16,8,5] is LCD, and is very suitable for embedded devices, as the length n = 2k = 16 consists in one word (two bytes). Besides, it happens that the [16,8,5] code is unique, as proven by Betsumiya and Harada in [2,Corollary 6,page 19]. Remarkably, this code is not only LCD, but also CIS (i.e., with Complementary Information Sets) [11, Sec. V.A, page 6004] while being odd formally self-dual. The second kind is a general-purpose processor executing software cryptography (see for instance [6], where a tiny processor is protected). Its registers can be protected individually (hence k = 8, 16, 32). For an improved security, it can be advantageous to mask all the registers seen as one unique resource, made up of a few hundreds to a few thousands bits. Therefore, we are interested in codes of various dimensions, ranging from k = 8 to k ≈ 4096.
Side-channel analysis starts to be difficult even at low degrees (e.g., d equal to a few units, such as d = 2, 3, 4). The same applies to perturbation attacks: if all faults on d = 1, 2, 3, 4 bits are detected, then the success of FIA is compromised. Now, hardware trojan horses (HTHs) make up a special threat. HTHs are gates added by an adversary (e.g., a silicon foundry) into the design at fabrication time. Those gates deliver a malicious payload on a crafted activation condition. The activation results from a trigger, decided based on the value of some bits of the circuit. Thus, in a circuit protected by an LCD code C of minimum distance d, the HTH must connect to at least d bits to receive enough bits for a partial demasking of the state. Symmetrically, the payload is delivered by altering some bits of the circuit. Consequently, the HTH must modify at least d bits to bypass an integrity check. Therefore, in order to preventively deter the insertion of HTH trigger logic and in order to proactively detect the effect of the HTH payload, the minimum distance d of LCD codes must be set as high as possible (refer to [6] for more details). Now, it is known that for too large a value of d (e.g., d > 16), the added gates making up the HTH will be so numerous that the HTH will be trivially disclosed, e.g., by some visual inspection [5].
The problem is thus the following: for a given dimension k (architecture parameter) and minimum distance d (security parameter), find a LCD code of length n as small as possible (and therefore, of rate k/n as large as possible).
Remark 2 (More general formalization). Let us consider two codes C and D which are supplementary in $\mathbb{F}_2^n$, but not necessarily dual. We denote by d the minimum distance of C and by d' the dual distance of D. Then the sought compromise is between min(d, d') and the dimension of code C. Indeed, if C is a subcode of $C_1$ and D is a supercode of $D_1$, then $d \ge d_1$ and $d' \ge d'_1$ (since $D^\perp$ is a subcode of $D_1^\perp$), which implies that $\min(d, d') \ge \min(d_1, d'_1)$. An application of Remark 2 can be found in [4,10]. The context is that of an asymmetrical defense against HTH: the HTH must connect to at least d' bits to be able to trigger itself, and must modify at least d bits to be able to deliver its payload.
In the sequel, we will consider only LCD codes, for which $C = D^\perp$, hence d = d'.
The rest of the paper is organized as follows.
• Sec. 3 gives several constructions of codes, which make up the bulk of the countermeasures.
• Sec. 4 gives constructions from other codes, thereby allowing for optimizations. In particular, puncturing, shortening and extending allow fine-tuning a code whose security level is close to the expected one. Typically, it can be beneficial to start from a code whose dimension is slightly larger than the target dimension, in which case it can be shortened. This is beneficial as both the dimension and the length are decremented, which reduces the cost of the implementation while at the same time giving a code that better fits the intended dimension.

Constructions
In this section we study, from a practical viewpoint, how the known primary constructions can yield effective LCD binary codes with large minimum distance and large rate. An important selection criterion is the existence of a bound on the minimum distance, which otherwise cannot be computed by testing all the possible Hamming weights of nonzero codewords, since our codes can have lengths of the order of one or several thousands. LCD cyclic codes, whose minimum distance is bounded below via the BCH bound, have been characterized in [27]. The condition for being LCD is rather simple and not difficult to achieve. Moreover, a potentially stronger lower bound on the minimum distance exists for the sub-class of quadratic-residue (QR) codes, which can also be LCD. A QR code has a prime length n and a minimum distance $d \ge \sqrt{n}$. A binary QR code has length congruent with ±1 modulo 8 and is LCD if the length is congruent with 1 modulo 8 [19, Chp. 16, §6, page 495]. Asymptotically, $\sqrt{n}$ is a rather low value compared with the Gilbert-Varshamov bound, but such a value is not far from what we need in our framework. The main drawback of QR codes is that their dimension equals $\frac{n \pm 1}{2}$ (namely $\frac{n+1}{2}$ if we exclude 1 as a possible zero of QR codes, and $\frac{n-1}{2}$ otherwise), while we need larger dimensions. Indeed, given the dimension k (which can be of the order of one or several thousands) and some number δ (say, at most 64), we look for an LCD code of length n as small as possible such that d ≥ δ. This leads us to consider (in Sec. 3.3) a generalization of QR codes whose lengths are not prime.
We first recall in Sec. 3.1 the definition and some properties of cyclic codes in general, and of LCD cyclic codes in particular. We then prove in Sec. 3.2 that there exist LCD Reed-Solomon codes of any dimension over $\mathbb{F}_{2^m}$; but their length can hardly be controlled. Thus, we define in Sec. 3.3 the generalized residue codes and study LCD codes within them.
3.1. LCD cyclic codes. In all this paper, q is a power of 2.
Definition 3.1 (Cyclic code). A linear code C of length n over a finite field F q is cyclic if it is stable by any circular rotation.
We shall always consider n co-prime with q. The codewords can also be represented as polynomials in the algebra $A = \mathbb{F}_q[X]/(X^n - 1)$. In this representation, a code is cyclic if and only if it is an ideal of A. A cyclic code $C \neq \{0\}$ is generated by the (unique) normalized nonzero polynomial g(X) of smallest degree in C, which is always a divisor of $X^n - 1$ (conversely, any divisor of $X^n - 1$ is the generator polynomial of a cyclic code of length n). The zeros of g(X) in the extension $\mathbb{F}_{q^m}$ of $\mathbb{F}_q$, where m is the multiplicative order of q modulo n (i.e., the smallest positive integer such that n divides $q^m - 1$), are then n-th roots of unity. They are called the zeros of the code. The other n-th roots of unity are called the non-zeros of C. Since n is co-prime with q, the zeros of $X^n - 1$, and hence those of g(X), are simple. This is because the derivative $nX^{n-1}$ of $X^n - 1$ has 0 as its unique zero. The dimension of the code equals the number of its non-zeros, because every codeword is in fact a multiple of g(X) of degree at most n − 1 in $\mathbb{F}_q[X]$. The set of zeros is stable under the Frobenius automorphism $\gamma \mapsto \gamma^q$. Conversely, any set of n-th roots of unity stable under the Frobenius automorphism is the set of zeros of a cyclic code over $\mathbb{F}_q$. Let β be a primitive n-th root of unity. Let C be a cyclic code of zeros $\{\beta^j, j \in J \subseteq \mathbb{Z}/n\mathbb{Z}\}$. The BCH bound states that the minimum distance of C is bounded below by the length of any string of consecutive elements in J, plus 1. The dual $C^\perp$ is the cyclic code whose zeros are the inverses of the non-zeros of C [19, Chap. 7, page 188], and $C \cap C^\perp$ is the cyclic code whose set of zeros equals the union of the zeros of C and those of $C^\perp$. It equals {0} if and only if this union equals the set of all n-th roots of unity. Hence:
Proposition 2 ([27, Theorem at page 392]). A cyclic code C is LCD if and only if its set of zeros is stable under multiplicative inversion, i.e., if and only if its generator polynomial g(X) is self-reciprocal.
Example 1. The binary cyclic code of length 17 whose zeros are $\{\beta^j, j = 0, 1, 2, 4, 8, 9, 13, 15, 16\}$ is LCD and has parameters [17,8,6]; its generator polynomial is $X^9 + X^6 + X^5 + X^4 + X^3 + 1$. Note that the set of zeros is stable under the Frobenius $\gamma \mapsto \gamma^2$, which makes the code binary, and that the string 15, 16, 0, 1, 2 in $\mathbb{Z}/17\mathbb{Z}$ has length 5; the BCH bound is then tight for this code.

3.2. Expanded LCD Reed-Solomon codes. According to Proposition 2, those Reed-Solomon codes whose sets of zeros are stable under inversion are LCD codes. These codes provide full choice of the dimension (see the proof of Lemma 3.2 below), but not of the length, which must be primitive. Being MDS, they have optimal minimum distance. But they are not binary and are then less useful for the applications described in the introduction. However, there exists a way of transforming them into binary LCD codes. Mapping a code C over $\mathbb{F}_{2^m}$ onto a code C' over $\mathbb{F}_2$ by replacing each coordinate by the binary vector of its coordinates relative to a fixed basis is called expanding the code. For doing so, we can use that $\mathbb{F}_{2^m}$ is a field extension of $\mathbb{F}_2$, and given an irreducible polynomial P over $\mathbb{F}_2$ and denoting each element $a \in \mathbb{F}_{2^m}$ as
According to [21, Theorem 5.1.18 page 103], there exists a self-dual basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$ if and only if either q is even or both q and m are odd. Here, q = 2 and we can then consider a self-dual basis of $\mathbb{F}_{2^m}$ over $\mathbb{F}_2$. We have the simple observation:
Proposition 3. If a code over $\mathbb{F}_{2^m}$ is LCD, then the expanded code relative to a self-dual basis of $\mathbb{F}_{2^m}$ over $\mathbb{F}_2$ is also LCD.
Proof. Let $(\alpha_1, \ldots, \alpha_m)$ be a self-dual basis of $\mathbb{F}_{2^m}$ over $\mathbb{F}_2$. It is such that $\mathrm{tr}(\alpha_i \alpha_j) = 1$ if i = j and 0 otherwise, where "tr" is the trace function from $\mathbb{F}_{2^m}$ to $\mathbb{F}_2$. Then the vector $\bar{x}$ of the coordinates of x relative to this basis is $(\mathrm{tr}(\alpha_1 x), \ldots, \mathrm{tr}(\alpha_m x))$.
3.3. LCD generalized residue codes. Let n be any integer co-prime with a prime power q and let t be any positive integer. Let Q be the set of t-th powers in $\mathbb{Z}/n\mathbb{Z}$: $Q = \{i^t, i \in \mathbb{Z}/n\mathbb{Z}\} \subseteq \mathbb{Z}/n\mathbb{Z}$. Then Q is stable under multiplication in the sense that, for any $s \in Q$, the mapping $r \in Q \mapsto sr$ takes its values in Q (indeed, for every $i^t, j^t \in Q$, we have $i^t j^t = (ij)^t$). Note that, since n is not assumed to be a prime, the image set of such a mapping may be strictly included in Q (for the same reason, we do not exclude i = 0 in the definition of Q above, since there can exist zero divisors), and $\mathbb{Z}/n\mathbb{Z} \setminus Q$ may not be stable under all such mappings. Assume that q belongs to Q. Then Q is stable under multiplication by q in the strong sense that the mapping $r \in Q \mapsto qr$ has image set Q: q being co-prime with n, multiplication by q is a permutation of $\mathbb{Z}/n\mathbb{Z}$, and $Q^* = Q \setminus \{0\}$ is also stable under multiplication by q.
Since we wish to construct binary codes, we take now q = 2, but the next proposition is easily extendable to the q-ary case.
Proposition 4. Let n be an odd positive integer and t be any positive integer. Let Q be the set of t-th powers in Z/nZ. Assume that 2 and −1 both belong to Q. Then the cyclic code C of length n whose zeros are where β is a primitive n-th root of unity in an extension field of F q , is a binary cyclic LCD code.
Proof. C is binary since its set of zeros is stable under the Frobenius automorphism, and Q being stable under multiplication by −1 in Z/nZ, C is LCD.
Note that, given t, it is easy to find integers n such that 2 and −1 are in Q: it is enough to take n as a common divisor of an integer of the form $r^t - 2$ and of an integer of the form $s^t + 1$.
But since n is not assumed to be a prime, the size of Q may be strictly smaller than $1 + \frac{n-1}{\gcd(t, n-1)}$ (that is, $\frac{n+1}{2}$ if t = 2 and n is odd), and the dimension k = n − card(Q) of the code may be larger than $(n-1)\left(1 - \frac{1}{\gcd(t, n-1)}\right)$ (that is, $\frac{n-1}{2}$ if t = 2 and n is odd).
We give in Table 1 the values of n ≤ 10,000 such that 2 and −1 are quadratic residues (t = 2) and Q has size strictly smaller than $\frac{n+1}{2}$. They are not numerous, but they exist. We observe that card(Q) is either near n/2 or near n/4 (the latter being of course more interesting for us, since it gives a larger dimension). Note that the only way we know of bounding the minimum distance from below is then the BCH bound.
Remark 3. For classical QR codes, n is a prime number (and $\mathbb{Z}/n\mathbb{Z}$ is then a field) and t = 2. Given a nonzero codeword f(X) of minimum weight d in the code C of zeros $\beta^i$, $i \in Q^*$, and j a non-residue, the polynomial $f(X^j)$ is a nonzero codeword in the code of zeros $\beta^i$, $i \in \mathbb{Z}/n\mathbb{Z} \setminus Q$, and $f(X)f(X^j)$ belongs then to the intersection of these two codes and is a multiple of $\sum_{i=0}^{n-1} X^i$, which has weight n. Then $d^2 \ge n$ (but since the size of $Q^*$ equals $\frac{n-1}{2}$, the dimension of the code is $\frac{n \pm 1}{2}$, which is too small for our purpose). We need then to generalize.
Proposition 5. Let n be an odd prime number and t be any integer. Let e = gcd(n − 1, t) and Q be the set of t-th powers in $\mathbb{Z}/n\mathbb{Z}$. Assume that 2 and −1 both
$f(X^{\alpha^{-i}})$ has any element $\beta^j$, $j \in (\mathbb{Z}/n\mathbb{Z})^*$ for zero and is then a multiple of $\sum_{i=0}^{n-1} X^i$. This completes the proof since $w_H($
We have then a trade-off between minimum distance and rate.
Remark 4. The article [7] also introduces generalized residue codes. Moreover, this article provides a lower bound on the minimum distance of such codes.
However, in our context of LCD codes, this bound is not exploitable. For instance, the first entry in Table 1 of rate close to 3/4 (and not only 1/2) has length n = 697. For this length, we have the decomposition $X^{697} - 1 = (X - 1)P(X)\Phi_n(X)$, where (using notations borrowed from [7]):
• $\Phi_n(X)$ is a product of 16 irreducible polynomials of degree 40, and
• P(X) is a polynomial of degree 56, which decomposes into 2 irreducible polynomials of degree 8 and 2 irreducible polynomials of degree 20.
Thus, the bound on d, the minimum distance of the code, is $56\,d^{16} \ge 697$, which does not give any information on d because this inequality holds for all d > 1.
Remark 5. The paper [18] also introduces a bound on the minimum distance of generalized residue codes. However, for meaningful examples, it degenerates to d t ≥ n = 1, which tells nothing about d (at least for the examples given in [18]).

3.4. Generating the codes by the use of idempotents. The generator polynomial of a cyclic code C of length n may be complex to calculate, because this requires calculating in the Galois extension of $\mathbb{F}_q$ containing a primitive n-th root of unity β. An alternative way is to use an idempotent as generator of the code (this method is well-known and especially simple for classical quadratic residue codes, see [19, Chap. 16, §3, page 484]). Let g(X) be the generator polynomial of a cyclic code C. We have $X^n - 1 = g(X)h(X)$, where h(X) is co-prime with g(X) since n is odd (all zeros of $X^n - 1$ being then simple). Bezout's theorem implies then the existence of two polynomials u(X), v(X) such that $g(X)u(X) + h(X)v(X) = 1$, which implies $(g(X)u(X))^2 = g(X)u(X)$ [mod $X^n - 1$]. Then $E(X) = g(X)u(X)$ is an idempotent in $\mathbb{F}_q[X]/(X^n - 1)$. Moreover, $g(X) = (E(X) + h(X)v(X))g(X) = E(X)g(X)$ [mod $X^n - 1$] implies that E(X) is also a generator of C. Using that E(X) is an idempotent, we have that $f(X) \in C$ if and only if $f(X)E(X) = f(X)$. This implies that E(X) is unique, since if another idempotent F(X) generating C exists, we have $F(X)E(X) = F(X) = E(X)$. Note that E applied to n-th roots of unity takes values in $\mathbb{F}_2$ (this is in fact a necessary and sufficient condition for $E(X) \in C$ to be an idempotent [19, Chap. 16, §3, Theorem 2 at page 484]).
Proposition 6. Let C be a cyclic code over $\mathbb{F}_q$. Let E(X) be the idempotent of C. Then C is LCD if and only if E(X) is self-reciprocal, that is, if and only if the idempotent associated to $C^\perp$ is 1 + E(X).
Proof. If C is LCD, then g(X) and h(X) are self-reciprocal, and E(X) which is obtained from g(X) and h(X) by the extended Euclidean algorithm, is self-reciprocal as well. Conversely, if E(X) is self-reciprocal, then the zeros of the code, which are the common zeros of E(X) and X n − 1, are globally stable under inversion and C is LCD. The idempotent of C ⊥ equals the reciprocal of 1 + E(X), since 1 + E(X) is an idempotent whose common zeros with X n − 1 equal the non-zeros of the code.

Case of generalized residue codes:
Proposition 7. Let n be an odd positive integer and t be any positive integer. Let Q be the set of t-th powers in $\mathbb{Z}/n\mathbb{Z}$. Assume that 2 belongs to Q. Let C be the binary cyclic code of length n over $\mathbb{F}_q$ whose zeros are $\beta^i$, $i \in Q^*$, where β is a primitive n-th root of unity in an extension field of $\mathbb{F}_q$. Let $P(X) = \sum_{j \in Q} X^j$. If every nonzero element in Q is co-prime with n, then the idempotent of code C is P(X) or 1 + P(X).
Proof. Since 2 ∈ Q, P(X) satisfies $P^2(X) = \sum_{j \in Q} X^{2j} \equiv P(X)$ [mod $X^n - 1$] and is then an idempotent. For every t-th power residue r, we have $P(\beta^r) = \sum_{j \in Q} \beta^{rj}$, and if r is co-prime with n then we deduce that $P(\beta^r) = \sum_{j \in Q} \beta^j = P(\beta) \in \mathbb{F}_2$.
Note that adding $\beta^0 = 1$ to the zeros of the code (resp. withdrawing $\beta^0$ if it was a zero) corresponds to multiplying (resp. dividing) the generator polynomial by (X + 1). The idempotent becomes $E(X) + \frac{X^n + 1}{X + 1}$, since the idempotent element $\frac{X^n + 1}{X + 1}$ of the algebra A takes value 1 at 1 and value 0 at any other n-th root of unity.
3.5. When the length n is a prime power. We have now a simple way to practically generate LCD generalized residue codes. But we need to check that the conditions "2 ∈ Q", "−1 ∈ Q" and "every nonzero element in Q is co-prime with n" can be satisfied simultaneously. Of course, if n is a prime, the last condition is satisfied. If t = 2 (which, as we saw above, can give good rates for some values of n which are not primes) and n is the square of a prime, we have:
Proposition 8. Let p be any prime number and $n = p^r$ for some r ≥ 1. Let $Q = \{i^t, i \in \mathbb{Z}/n\mathbb{Z}\}$ where t ≥ r. Then every nonzero element in Q is co-prime with n.
Proof. Indeed, let 0 < i = kp + l < n, with l < p. Then $i^t \equiv l^t$ [mod p], and if $i^t \neq 0$ in $\mathbb{Z}/n\mathbb{Z}$ then $l \neq 0$, and $i^t$ is then co-prime with p and hence with n.
We give in Table 2 the first values of p and $n = p^2$ such that 2 and −1 are quadratic residues (note that all these values of p are congruent with 1 mod 8, since if 2 and −1 are quadratic residues mod $p^2$ they are also quadratic residues mod p, and we know from [19, Chap. 16, §6, page 495] that p is then congruent with 1 mod 8) and the corresponding values of the size of Q. We observe that this size is smaller than $\frac{n+1}{2}$, which is easily proved in general since two elements i = kp + l and i' = k'p + l' of $\mathbb{Z}/n\mathbb{Z}$ have the same square if and only if $p \mid (l^2 - l'^2)$, that is, l = l' or l = p − l', and in the case l = l', then k = k' (since $p \mid k - k'$), and in the case l = p − l', then $k' = k - \frac{p+1}{2}$. We can now generalize Proposition 5 to the case where n is not prime, but a power of a prime. Notice that Ling and Xing [18], and also Sharma, Bakshi and Raka [24], study generalized residue codes. However, the minimum distances given in [
Proposition 9. Let $n = p^r$, where p is a prime and r ≥ 1, and let t ≥ r. Let $e = \gcd(p^{r-1}(p-1), t)$ and Q be the set of t-th powers in $\mathbb{Z}/n\mathbb{Z}$. Assume that 2 and −1 both belong to Q. Then the binary LCD code C of Proposition 4 (with zeros in $Q^*$) has rate $\frac{e - 1 + \frac{1}{p}}{e}$ and minimum distance d satisfying $d^e \ge p$.
Proof. The non-invertible elements of $\mathbb{Z}/n\mathbb{Z}$ are the multiples of p, and the group (say G) of invertible elements (the units) is cyclic of order $p^k - p^{k-1} = p^{k-1}(p-1)$ and of generator g = a(p + 1), where a is an element of order p − 1. Indeed, we have $(p+1)^{p^k} = p^{k+1} q_k + 1$ where $q_k$ is coprime with p, and this implies that p + 1 has order $p^{r-1}$. If we take t ≥ r, then the t-th power of any non-invertible element is equal to 0 (note that this reduces the size of Q and thus increases the rate) and $Q^*$ is the cyclic group of units generated by $g^t$. Let us denote $e = \gcd(p^{r-1}(p-1), t)$. The group $Q^*$ has order $\frac{p^{r-1}(p-1)}{e}$, and G equals the union
$(X + \beta^{pj})$. The $\beta^{pj}$ being all the (n/p)-th roots of unity, we have $P(X) = X^{n/p} + 1$. Hence $\frac{X^n + 1}{P(X)}$ has weight p and we have $d^e \ge p$. Finally, the rate is
Remark 6. The bound on d given in Proposition 5 is interesting in some contexts, such as the codes given in Table 2, where it is the best known bound (as mentioned in Remarks 4 and 5, other state-of-the-art bounds do not apply).
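Sections 3.3 to 3.5 in working code, as an added example (not the paper's own implementation): it computes Q, the conditions 2 ∈ Q and −1 ∈ Q of Proposition 4, the residue polynomial P(X) of Proposition 7 together with its idempotent and self-reciprocal properties (Proposition 6), the idempotent E(X) = g(X)u(X) of Sec. 3.4 by the extended Euclidean algorithm, the (X^n + 1)/(X + 1) adjustment for adding β^0 to the zeros, the co-primality condition of Proposition 8, and a scan that applies the selection rule behind Table 1 to small lengths. Polynomials over F_2 are bit masks (bit i is the coefficient of X^i). The two generator polynomials at the end are constructed inputs: the one of Example 1, and its quotient by X + 1, which generates the [17,9] code whose zeros are β^j, j ∈ Q*.

```python
# Added example (not from the paper): the generalized residue construction of Sec. 3.3 and the
# idempotent computations of Sec. 3.4-3.5 in F_2[X]/(X^n + 1), polynomials stored as bit masks
# (bit i = coefficient of X^i). The length-17, t = 2 case recovers the code of Example 1.
from math import gcd

def residues(n, t):
    """Q = {i^t mod n : i in Z/nZ}, the t-th powers (0 included, as in Sec. 3.3)."""
    return {pow(i, t, n) for i in range(n)}

def grc_is_lcd(n, t):
    """Hypotheses of Proposition 4: 2 in Q makes the code binary, -1 in Q makes it LCD."""
    q = residues(n, t)
    return 2 % n in q and (n - 1) in q

def grc_dimension(n, t):
    """k = n - card(Q) when the zeros are beta^j for all j in Q (the code of Example 1)."""
    return n - len(residues(n, t))

def nonzero_residues_coprime(n, t):
    """Hypothesis of Proposition 7 (guaranteed by Proposition 8 when n = p^r and t >= r)."""
    return all(gcd(x, n) == 1 for x in residues(n, t) if x)

def poly_mul(a, b):
    """Carry-less product in F_2[X]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a, m):
    """Quotient and remainder in F_2[X]."""
    q, dm = 0, m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        s = a.bit_length() - 1 - dm
        q ^= 1 << s
        a ^= m << s
    return q, a

def poly_xgcd(a, b):
    """Extended Euclid: (gcd, u, v) with a*u + b*v = gcd in F_2[X] (the Bezout step of Sec. 3.4)."""
    r0, r1, u0, u1, v0, v1 = a, b, 1, 0, 0, 1
    while r1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        u0, u1 = u1, u0 ^ poly_mul(q, u1)
        v0, v1 = v1, v0 ^ poly_mul(q, v1)
    return r0, u0, v0

def mod_ring(p, n):
    """Reduction modulo X^n + 1."""
    return poly_divmod(p, (1 << n) | 1)[1]

def reciprocal_in_ring(p, n):
    """p(X^-1) in F_2[X]/(X^n + 1): exponent i goes to -i mod n (the sense of Proposition 6)."""
    return sum(1 << ((-i) % n) for i in range(n) if (p >> i) & 1)

def is_idempotent(p, n):
    return mod_ring(poly_mul(p, p), n) == p

def residue_polynomial(n, t):
    """P(X) = sum over j in Q of X^j (Proposition 7)."""
    return sum(1 << j for j in residues(n, t))

def all_ones_over_x_plus_1(n):
    """(X^n + 1)/(X + 1) = 1 + X + ... + X^(n-1): adding beta^0 to the zeros adds this to E."""
    return (1 << n) - 1

def idempotent_of_cyclic_code(g, n):
    """E(X) = g(X) u(X) with g u + h v = 1 and h = (X^n + 1)/g (Sec. 3.4)."""
    h, rem = poly_divmod((1 << n) | 1, g)
    if rem:
        raise ValueError("g(X) must divide X^n + 1")
    d, u, _ = poly_xgcd(g, h)
    if d != 1:
        raise ValueError("g and h are not co-prime (n must be odd)")
    return mod_ring(poly_mul(g, u), n)

def table1_candidates(bound):
    """Odd n <= bound with 2, -1 quadratic residues and card(Q) < (n+1)/2 (the rule of Table 1)."""
    out = {}
    for n in range(3, bound + 1, 2):
        q = residues(n, 2)
        if 2 in q and (n - 1) in q and 2 * len(q) < n + 1:
            out[n] = len(q)
    return out

# Constructed inputs: the generator polynomial of Example 1 (zeros beta^j, j in Q, Q = squares
# mod 17) and its quotient by X + 1 (zeros beta^j, j in Q*, the code of Proposition 7).
G_EXAMPLE1 = 0b1001111001   # X^9 + X^6 + X^5 + X^4 + X^3 + 1
G_QSTAR17 = 0b111010111     # X^8 + X^7 + X^6 + X^4 + X^2 + X + 1
```

For the Q*-code, E(X) comes out equal to P(X) itself, and for Example 1 (where β^0 is also a zero) it equals P(X) + (X^n + 1)/(X + 1), exactly the adjustment stated after Proposition 7; the scan up to length 700 returns only the two composite lengths 289 = 17^2 (card(Q) near n/2) and 697 = 17 · 41 (card(Q) near n/4), the latter being the first Table 1 entry of rate close to 3/4 mentioned in Remark 4.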

Remark 7. In some very particular cases (when their length is comparable with that of competing codes), expanded LCD Reed-Solomon codes (covered in Sec. 3.2) can be interesting substitutes for LCD generalized residue codes. For example, there is in Table 2 a code of dimension 6440, length $113^2 = 12769$, and minimum distance ≥ 11. The expanded LCD Reed-Solomon code of Example 2 has the same dimension, but a smaller length (only 10230) and a minimum distance greater than or equal to 380.

Constructing LCD codes from other codes
The constructions investigated in the previous section do not always allow to reach the precise parameters (length, dimension, minimum distance) needed in our framework. We must then study those secondary constructions which allow modifying the parameters of codes and to obtain LCD codes from other codes (which can be LCD or not). As far as we know, these secondary constructions have not yet been studied in the literature.
The LCD property is invariant under permutation of the codeword coordinates and, as seen in Subsection 3.2, under expansion. The only two other transformations we know of that preserve the LCD property are the direct sum and the direct product. They are detailed in Sec. 4.1. These preservations do not allow constructing LCD codes with large rate. But transformations of codes which do not preserve the LCD property can allow more constructions of LCD codes. Let φ be one of them. Then, we can express by means of a code C the fact that φ(C) is LCD, or by means of φ(C) the fact that C is LCD. This allows having constraints different from $C \cap C^\perp = \{0\}$, that could possibly be satisfied by other classes of codes. The operations allowing to turn codes into LCD codes are studied in Sec. 4.2, which discusses puncturing, shortening, extending and the (u, u + v) construction. These operations allow fine-tuning a code, with a view to obtaining LCD codes with adjusted parameters. Finally, Sec. 4.3 explains how to turn an arbitrary code into an LCD code by applying a linear automorphism.
and $[n_2, k_2, d_2]$, then their direct sum (i.e. their Cartesian product), defined as $C_1 \oplus C_2 = \{(c_1, c_2), c_1 \in C_1, c_2 \in C_2\}$, is LCD of parameters $[n_1 + n_2, k_1 + k_2, \min(d_1, d_2)]$.
The name of direct sum (see [19, Problem 17 of Chp. 1, page 76]) comes from the fact that, the indices of the codewords of $C_1$ and of those of $C_2$ being distinct, the sum of $C_1 \times \{0\}$ and $\{0\} \times C_2$ as vector spaces is direct.

4.1.2. Constructing LCD codes using the direct product.
, respectively. The direct product $C_1 \otimes C_2$ of $C_1$ and $C_2$ is the code of parameters $[n_1 n_2, k_1 k_2, d_1 d_2]$ whose codewords are equal to:
for all $c_1 \in C_1$ and $c_2 \in C_2$, where the square brackets operator represents the coordinate selection of a codeword.
Proof. In fact it is easily shown that the dual of C 1 ⊗ C 2 also equals (C ⊥ 1 ⊗ C 2 ) + (F n1 2 ⊗ C ⊥ 2 ) (this is between the lines of the proof of Proposition 11 below) when C 1 and C 2 are LCD. Actually, the sum in Lemma 4.3 is not direct, but the sum Proposition 11. If C 1 and C 2 are LCD, then C 1 ⊗ C 2 is also LCD.
Proof. We know that a linear code C of length n is LCD if and only if C + C^⊥ = F_2^n, since the dimension of C^⊥ equals the co-dimension of C. The code (C_1 ⊗ C_2) + (C_1 ⊗ C_2)^⊥ contains, by Lemma 4.3, (C_1 ⊗ C_2) + (C_1^⊥ ⊗ C_2) + (F_2^{n_1} ⊗ C_2^⊥) = ((C_1 + C_1^⊥) ⊗ C_2) + (F_2^{n_1} ⊗ C_2^⊥) = F_2^{n_1} ⊗ (C_2 + C_2^⊥) = F_2^{n_1 n_2}, since C_1 and C_2 are LCD. Hence C_1 ⊗ C_2 is LCD.

Proposition 12. Let C_1 and C_2 be two linear codes of dual distances d_1^⊥ and d_2^⊥. Then the dual distance of C_1 ⊗ C_2 equals min(d_1^⊥, d_2^⊥).

Indeed, by Lemma 4.3 the dual code contains the words c ⊗ e_j and e_i ⊗ c′, with c ∈ C_1^⊥, c′ ∈ C_2^⊥ and e_i, e_j unit vectors, whose weights are those of c and c′. Conversely, if a set of fewer than min(d_1^⊥, d_2^⊥) columns g_i ⊗ g′_j of the generator matrix G_1 ⊗ G_2 sums to zero, then grouping the terms by j gives Σ_j v_j ⊗ g′_j = 0, where each v_j is the sum of fewer than d_1^⊥ columns of G_1 and is therefore nonzero; selecting a row in which some v_j is nonzero yields a dependence among fewer than d_2^⊥ columns of G_2, a contradiction.

Example 3. Let n = 15 and k = 8. The best known linear code in the Magma database has parameters [15, 8, 4]. But this code is not LCD. However, let C_1 be the cyclic linear code of parameters [5, 4, 2] (the even-weight code, of generator polynomial X + 1), of generating matrix with rows 11000, 01100, 00110, 00011, and let C_2 be the cyclic code of parameters [3, 2, 2], of generating matrix with rows 110, 011. Both are LCD, since the dual of the even-weight code of odd length is the repetition code, whose nonzero word has odd weight. By Propositions 11 and 12, C_1 ⊗ C_2 is then an LCD code of parameters [15, 8, 4] and of dual distance min(5, 3) = 3.

For any such (a, b), the double condition

Note that the double condition "C′ ∩ C^⊥ is LCD and C ∩ C′^⊥ = {0}" is satisfied when C and C′^⊥ are supplementary in F_2^n, since we have then C ∩ C′^⊥ = C′ ∩ C^⊥ = {0}, but this double condition is much more general. In fact, the building blocks for this construction are an LCD code D and two subcodes C_1 and C_2 of D which are supplementary in D; we take then C = C_1 and C′ = C_2^⊥ (so that C ∩ C′^⊥ = C_1 ∩ C_2 = {0} and C′ ∩ C^⊥ = (C_1 + C_2)^⊥ = D^⊥ is LCD). Note that, with k = dim C and k′ = dim C′, the rate of C ⊕ C′^⊥ is (k + n − k′)/2n, the rate of its dual C^⊥ ⊕ C′ is (k′ + n − k)/2n, while that of the (u, u + v)-constructed code is (k + k′)/2n. Hence, this construction allows increasing the rate in some cases.

4.2.
Constructing LCD codes by puncturing, shortening and extending codes.

4.2.1.
Puncturing and shortening codes. Let C be a binary linear code of length n and let T ⊆ {1, . . . , n}. Let C^T be the punctured code obtained by deleting every coordinate c_i such that i ∈ T in every codeword c of C, and let C_T be the shortened code obtained by deleting these same coordinates in every codeword c of C such that c_i = 0 for every i ∈ T. Then (see [16, Chap. 1, Theorem 1.5.7, page 17]):

(C_T)^⊥ = (C^⊥)^T.

This can be easily checked: (C^⊥)^T ⊆ (C_T)^⊥ is clear, and the two codes have the same dimension n − |T| − (k − r), where k = dim C and r is the dimension of the restriction of C to the positions in T (indeed dim C_T = k − r, while the kernel of the puncturing of C^⊥ on T, made of the words of C^⊥ supported inside T, has dimension |T| − r), which proves that (C_T)^⊥ = (C^⊥)^T. By applying this property to C^⊥, we have also:

(C^T)^⊥ = (C^⊥)_T.

Puncturing and shortening allow constructing LCD codes, but the conditions on the original code C and on its dual are not straightforward to check.

Proposition 14. Let C be a binary linear code of parameters [n, k, d] and let T ⊆ {1, . . . , n}.
1. The shortened code C_T is LCD if and only if every c ∈ C, whose support is disjoint from T and for which there exists c′ ∈ C^⊥ coinciding with c outside T, is null. Code C_T has parameters [n − |T|, k′, d′] with k − |T| ≤ k′ ≤ k and d′ ≥ d.
2. The punctured code C^T is LCD if and only if (C^⊥)_T is LCD, that is, every c′ ∈ C^⊥, whose support is disjoint from T and such that there exists c ∈ C coinciding with c′ outside T, is null.
Proof. We have (C_T)^⊥ = (C^⊥)^T, and C_T ∩ (C^⊥)^T contains a nonzero vector if and only if there exists a nonzero c ∈ C whose support is disjoint from T and c′ ∈ C^⊥ which coincides with c outside T. This proves 1 (the parameters of C^T and C_T are well known, see e.g. [16, Chap. 1.5]).
The fact that C^T is LCD if and only if (C^⊥)_T is LCD is a direct consequence of (C^T)^⊥ = (C^⊥)_T. Applying the characterization of the LCD property of C_T to C^⊥ gives 2.
We now investigate hypotheses under which the conditions of Proposition 14 are satisfied.
Corollary 1. Let C be a linear code of length n and let T be a subset of {1, . . . , n} whose size is strictly smaller than the minimum distance of C + C^⊥ and such that every nonzero codeword of C ∩ C^⊥ has a nonzero coordinate at one (at least) of the positions in T. Then C^T and C_T are LCD codes.
Proof. Indeed, the vector c + c′ in 1 or 2 of Proposition 14 has support included in T, has then Hamming weight strictly smaller than the minimum distance of C + C^⊥, and is then null. Hence c = c′ ∈ C ∩ C^⊥ has all its coordinates at positions in T null, and is then null, according to the hypothesis on T.
Corollary 2. Let C be an LCD code of length n and let T be a subset of {1, . . . , n} whose size is strictly smaller than the dual distance of C (the minimum distance of C^⊥). Let π be the linear projection over C parallel to C^⊥ (for every x ∈ F_2^n, π(x) is the unique element of C such that x ∈ π(x) + C^⊥). Let E_T be the vector space {x ∈ F_2^n; supp(x) ⊆ T}, where supp(x) is the support {i; x_i ≠ 0} of x, and let π_T be the linear function from E_T to F_2^T such that π_T(x) is the restriction of the vector π(x) to the positions in T. Then the shortened code C_T is LCD if and only if π_T is bijective.
Proof. We first show that the condition of bijectivity of π_T is sufficient. Let c ∈ C be nonzero and have support disjoint from T, and let c′ ∈ C^⊥ be such that c and c′ coincide outside T. Let x = c + c′. Then x belongs to E_T and is nonzero, since c ≠ 0 and C and C^⊥ are supplementary. Then π_T(x) is nonzero, that is, supp(π(x)) ∩ T ≠ ∅; but by definition of π, π(x) = c, whose support is disjoint from T, a contradiction. We deduce according to Proposition 14 that C_T is LCD.
Let us prove now that the condition is necessary. Let x ∈ E_T be nonzero and let c ∈ C and c′ ∈ C^⊥ be the unique elements such that x = c + c′. Then c is nonzero, since if c = 0 then x ∈ C^⊥, a contradiction since x has Hamming weight at most |T|, strictly smaller than the minimum distance of C^⊥. Moreover, c and c′ coincide outside T. Then, according to Proposition 14 applied to the LCD code C_T, c has nonzero coordinates among the positions in T, and π_T(x) = c restricted to T is nonzero. Hence π_T is injective, and therefore bijective, since the vector spaces E_T and F_2^T have the same dimension |T|.
The next corollary deals with cyclic codes. We index then the coordinates of the codewords by 0, . . . , n − 1 instead of 1, . . . , n.
Corollary 3. Let C be an LCD cyclic code of length n over F_q. Let E(X) be the idempotent of C. Let T = {n − t, n − t + 1, . . . , n − 1}, where 1 ≤ t ≤ n − 1.
Then the shortened code C_T is LCD if and only if, for every nonzero polynomial f(X) = f_{n−t} X^{n−t} + · · · + f_{n−1} X^{n−1} ∈ F_q[X], the polynomial f(X)E(X) [mod X^n − 1] has degree at least n − t. In particular, if t = 1 then C_T is LCD if and only if the constant coefficient of E(X) is nonzero (i.e. equals 1 if q = 2).
Indeed, since C is LCD, C^⊥ is the ideal of idempotent 1 − E(X), so the projection π of Corollary 2 is the multiplication by E(X), and E_T is the space of polynomials supported on the degrees n − t, . . . , n − 1.
In the framework of Corollary 3, let E(X) = Σ_{j=0}^{n−1} e_j X^j; then C_T is LCD if and only if the polynomials Σ_{m=n−t}^{n−1} e_{(m−i) mod n} X^m, where i ranges from n − t to n − 1 (the restriction of X^i E(X) [mod X^n − 1] to the degrees at least n − t), are linearly independent. Note that the matrix G whose i-th row is the list of the coefficients of the polynomial X^i E(X) [mod X^n − 1], where i ranges over an interval of length k (the dimension of C), say i ∈ {n − k, . . . , n − 1}, is a generator matrix of C. According to Corollary 3, for t ≤ k, C_T is LCD if and only if the submatrix of the last t rows and the last t columns of G is non-singular, that is, the set {n − t, . . . , n − 1} is an information set of the subcode of C generated by the last t rows of G.
We obtain similar corollaries characterizing the fact that the punctured code C^T is LCD when C is LCD, by exchanging the roles of C and C^⊥.

4.2.2.
Extending codes. Let C be a binary linear code of length n. Let us extend it by adding a coordinate ℓ(x) to each codeword x ∈ C, where ℓ is a linear form on C. We assume that there exists a ∈ C such that ℓ(a) = 1, so that this extension of the code is not just adding a zero.
Proposition 15. Let C be a binary linear code of length n and C̃ = {(x, ℓ(x)); x ∈ C}, where ℓ is a nonzero linear form on C. Let a ∈ C be such that ℓ(a) = 1 and let us denote ⟨a, x⟩ by ℓ′(x). Then C̃ is LCD if and only if:
(i) C ∩ C^⊥ ∩ ker(ℓ) = {0}, and
(ii) no x ∈ C ∩ ker(ℓ)^⊥ satisfies ℓ(x) = ℓ′(x) = 1.
Proof. According to the hypothesis, ker(ℓ) is a hyperplane of C, and C is the direct sum of ker(ℓ) and {0, a}. Denoting by ⟨·, ·⟩ the usual inner product in F_2^n, we have then that a word (x, ℓ(x)) of C̃ belongs to C̃^⊥ if and only if ⟨x, y⟩ + ℓ(x)ℓ(y) = 0 for every y ∈ C. If ℓ(x) = 0, this means that x ∈ C^⊥, i.e. x ∈ C ∩ C^⊥ ∩ ker(ℓ). If ℓ(x) = 1, this means that ⟨x, y⟩ = ℓ(y) for every y ∈ C, that is, x ∈ ker(ℓ)^⊥ and ℓ′(x) = ⟨a, x⟩ = 1. Hence C̃ ∩ C̃^⊥ = {0} if and only if (i) and (ii) hold.
Note that if C has dimension k then ker(ℓ)^⊥ has dimension n − k + 1 and C ∩ ker(ℓ)^⊥ has then dimension at least 1.
The particular case where this dimension equals 1 is of course particularly interesting. Note that ker(ℓ)^⊥ is the union of C^⊥ and of one of its cosets; then, if C is LCD, condition (i) holds trivially and C ∩ ker(ℓ)^⊥ has dimension exactly 1, since C + ker(ℓ)^⊥ ⊇ C + C^⊥ = F_2^n.
The condition becomes then that the unique nonzero element x_0 of C ∩ ker(ℓ)^⊥ does not belong to ker(ℓ + ℓ′). Indeed, ℓ′(x_0) = 1 necessarily, since ℓ′(x_0) = ⟨a, x_0⟩ = 0 together with x_0 ∈ ker(ℓ)^⊥ would give x_0 ∈ C ∩ C^⊥; condition (ii) then reduces to ℓ(x_0) = 0, i.e. (ℓ + ℓ′)(x_0) = 1.
Example 6. Let C be as in Example 5. The generator matrix G of C̃ is: This matrix generates an LCD code of parameters [18, 9, 5].
We notice that the best linear code of length 18 and dimension 9 has parameters [18, 9, 6]. However, the code example given by Magma is not LCD.

4.3.
LCD codes obtained by applying a linear automorphism to a given code. Let C be a linear code of length n and L a linear automorphism of F_2^n. We consider the code L(C) = {L(c); c ∈ C}. Note that every linear code of length n and dimension k can be obtained from one such code by applying all linear automorphisms. We denote by L* the adjoint operator of L, characterized by the fact that, for every x, y ∈ F_2^n, we have ⟨x, L(y)⟩ = ⟨L*(x), y⟩ (the matrix of L* is the transpose of that of L).

Proposition 16. The code L(C) is LCD if and only if C^⊥ ∩ (L* ∘ L)(C) = {0}.

Proof. The dual of L(C) equals (L*)^{−1}(C^⊥), since for every x ∈ F_2^n we have ⟨L(c), x⟩ = ⟨c, L*(x)⟩ = 0 for every c ∈ C if and only if L*(x) ∈ C^⊥. Hence L(C) ∩ L(C)^⊥ = {0} if and only if its image under the bijection L*, namely (L* ∘ L)(C) ∩ C^⊥, is trivial.

Given C of dimension k, finding all LCD codes of length n and dimension k is then equivalent to finding all linear automorphisms L such that C^⊥ ∩ (L* ∘ L)(C) = {0}.
The operators L* ∘ L are self-adjoint automorphisms A (their matrices are invertible and symmetric); conversely, a self-adjoint automorphism A can be written L* ∘ L if and only if its matrix is not alternating, i.e. has at least one nonzero diagonal entry, since over F_2 a nonsingular symmetric matrix is congruent to the identity exactly when it is not alternating, and the diagonal of L^T L lists the parities of the column weights of L, which cannot all be even for an invertible L. Using this proposition for constructing an LCD code corresponds to (1) determining such a self-adjoint automorphism A such that C^⊥ ∩ A(C) = {0} and (2) finding L such that A = L* ∘ L. In practice, the condition C^⊥ ∩ A(C) = {0} amounts to the nonsingularity of G A G^T, where G is a generator matrix of C (a vector A G^T u of A(C) lies in C^⊥ if and only if G A G^T u = 0). Example 7. The best known linear code of length 7 and dimension 4 has minimum distance 3. However, we have checked by computer search that no LCD code of parameters [7, 4, 3] exists (indeed, every binary [7, 4, 3] code is equivalent to the Hamming code, which contains its dual, the simplex code, and equivalence preserves the LCD property). LCD codes of parameters [7, 4, 2] exist, and can be obtained by Proposition 16, starting from the Hamming code for C.
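The following Python script is added here as an illustration and is not part of the paper; it checks numerically three of the statements above: Example 3 (Propositions 11 and 12), Corollary 3 with t = 1 on the cyclic [5, 4, 2] code, and Proposition 16 starting from the Hamming code of Example 7. It relies on Massey's criterion, not stated in the text above, that a code with generator matrix G is LCD if and only if G G^T is nonsingular over F_2; codes are stored as integer bitmasks, duals are computed by brute force (small lengths only), and the automorphisms of the last check are drawn at random with a fixed seed, which is an assumption of this example rather than a construction from the paper.

```python
"""GF(2) checks for the constructions above (added example, not the paper's code).
A code is its generator matrix: a list of ints, bit i of a row = coordinate i."""
import random

def gf2_rank(rows):  # rank over GF(2) by elimination on bitmask rows
    rows, rank = [r for r in rows if r], 0
    while rows:
        p, rank = rows.pop(), rank + 1
        hb = p.bit_length() - 1  # pivot position of p
        rows = [s for s in (r ^ p if (r >> hb) & 1 else r for r in rows) if s]
    return rank

def dot(x, y):  # standard inner product over GF(2)
    return bin(x & y).count("1") & 1

def is_lcd(G):  # Massey's criterion: C is LCD iff the Gram matrix G.G^T is nonsingular
    k = len(G)
    gram = [sum(dot(G[i], G[j]) << j for j in range(k)) for i in range(k)]
    return gf2_rank(gram) == k

def codewords(G):  # all 2^k codewords spanned by G
    words = [0]
    for g in G:
        words += [w ^ g for w in words]
    return words

def dual(G, n):  # brute-force dual code (fine for n <= 16)
    return [x for x in range(1 << n) if all(dot(x, g) == 0 for g in G)]

def min_distance(words):
    return min(bin(w).count("1") for w in words if w)

def parity_code(n):  # even-weight code [n, n-1, 2], cyclic with generator polynomial X + 1
    return [0b11 << i for i in range(n - 1)]

def direct_product(G1, n1, G2, n2):  # rows g1 (x) g2; coordinate (i, j) -> bit i*n2 + j
    return [sum(g2 << (i * n2) for i in range(n1) if (g1 >> i) & 1)
            for g1 in G1 for g2 in G2]

def shorten(G, n, T):  # shortened code C_T: words vanishing on T, T coordinates deleted
    keep, mask = [i for i in range(n) if i not in T], sum(1 << i for i in T)
    B = []
    for w in codewords(G):
        if w & mask == 0:
            v = sum(((w >> i) & 1) << j for j, i in enumerate(keep))
            if v and gf2_rank(B + [v]) > len(B):  # keep a basis only
                B.append(v)
    return B

def cyc_mul(a, b, n):  # polynomial product modulo X^n - 1 (bit i = X^i)
    r, full = 0, (1 << n) - 1
    for i in range(n):
        if (a >> i) & 1:
            r ^= ((b << i) | (b >> (n - i))) & full
    return r

def idempotent(G, n):  # generating idempotent E of a cyclic code: E^2 = E, E.c = c on C
    return next(e for e in codewords(G)
                if cyc_mul(e, e, n) == e and all(cyc_mul(e, g, n) == g for g in G))

def apply_linear(L, x):  # image of x under the automorphism whose matrix has rows L
    return sum(dot(L[i], x) << i for i in range(len(L)))

def example_3():
    """[5,4,2] (x) [3,2,2]: an LCD [15,8,4] code of dual distance min(5,3) = 3."""
    G1, G2 = parity_code(5), parity_code(3)
    assert is_lcd(G1) and is_lcd(G2)  # odd length: the all-one dual word has odd weight
    G = direct_product(G1, 5, G2, 3)
    return (len(G), min_distance(codewords(G)), is_lcd(G), min_distance(dual(G, 15)))

def shortening_check():
    """Corollary 3 with t = 1 on the cyclic LCD code [5,4,2]: its idempotent
    X + X^2 + X^3 + X^4 has constant term 0, so shortening the last position is not LCD."""
    G = parity_code(5)
    C_T = shorten(G, 5, {4})
    return (idempotent(G, 5) & 1, len(C_T), is_lcd(C_T))

def proposition_16_check(seed=1, trials=300):
    """Proposition 16 from the [7,4,3] Hamming code (not LCD: it contains its dual). For
    random automorphisms L (fixed seed: an assumption of this example), 'L(C) is LCD'
    must agree with C^perp ∩ A(C) = {0}, A = L* o L. Returns (C is LCD, best minimum
    distance of an LCD image found), the latter being 2 and never 3 (Example 7)."""
    H = [0b1000011, 0b0100101, 0b0010110, 0b0001111]  # systematic generator matrix
    n, rng = 7, random.Random(seed)
    C, C_perp = codewords(H), set(dual(H, n)) - {0}
    best = 0
    for _ in range(trials):
        L = [rng.getrandbits(n) for _ in range(n)]
        if gf2_rank(L) < n:
            continue  # singular: not an automorphism
        Lstar = [sum(((L[j] >> i) & 1) << j for j in range(n)) for i in range(n)]  # transpose
        criterion = C_perp.isdisjoint(apply_linear(Lstar, apply_linear(L, c)) for c in C)
        LC = [apply_linear(L, g) for g in H]  # generator matrix of L(C)
        assert is_lcd(LC) == criterion
        if criterion:
            best = max(best, min_distance(codewords(LC)))
    return (is_lcd(H), best)
```

The three check functions return (8, 4, True, 3), (0, 3, False) and (False, 2) respectively: the product code reaches the [15, 8, 4] parameters with dual distance 3, the shortened [4, 3, 2] code fails to be LCD exactly as the vanishing constant term of E(X) predicts, and among the random images of the Hamming code the LCD ones never exceed minimum distance 2 while the criterion of Proposition 16 agrees with the direct LCD test on every trial.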

Conclusion and perspectives
Complementary dual codes have applications in information protection. An example is that of a cryptographic implementation, be it hardware or software, which must be simultaneously protected against information leakage and information corruption, since both threats enable successful attacks. We construct cyclic LCD codes, which can be used for that purpose and need then to have large minimum distance and large rate, and find suitable codes within expanded Reed-Solomon codes and the class of generalized residue codes. In addition to these codes, we detail some secondary constructions, using direct sum, direct product, puncturing, shortening, extension, the (u, u + v) construction, and the application of a suitable linear automorphism.
As a perspective, we aim at defining bounds for the minimum distance of LCD codes, and at finding codes that approach those bounds. Besides, LCD codes of sparse generator matrices would help reduce the implementation complexity.