7

I am reading the paper The Steganographic File System by Ross Anderson, Roger Needham, and Adi Shamir. On page 4, paragraph 2, the authors write:

Finally, we use the Gram-Schmidt method to orthonormalise all the vectors from $i$ onwards by subtracting from the candidate $K_i$ all its components along later $K_j$ which the user knows by the chaining property of the $p_j$’s.

This simply means that the authors use the Gram-Schmidt algorithm with the ground field GF$(2)$, and from the context, each of the original vectors the algorithm is applied to has norm $1$. However, in this case the algorithm produces a basis which is not necessarily orthonormal, not even orthogonal. Am I right? Is this a serious flaw?

Rodrigo de Azevedo
  • 23,223
Eulerrr
  • 309

1 Answers1

5

The answer below was posted before the piece of information about all the participating vectors get tagged with random bits to make sure their weights are odd.

IMHO a more serious problem with using Gram-Schmidt over $GF(2)$ is that Gram-Schmidt may call for division by zero! This is because in the projection formula $$ y\mapsto y-\frac{(y,x)}{(x,x)}x $$ the denominator $(x,x)$ vanishes when $x$ is orthogonal to itself.

For example consider the following subspace of $GF(2)^3$: $$ V=\{(a,b,c)\in GF(2)^3\mid a+b+c=0\}. $$ You will quickly realize that every vector of $V$ is orthogonal to itself. Have fun trying to Gram-Schmidt orthogonalize e.g. the basis $v_1=(1,1,0)$, $v_2=(1,0,1)$ of $V$ :-)

Jyrki Lahtonen
  • 140,891
  • A careful look at the entire paragraph in question shows that you've hit the nail squarely on the head: "We now map each $p_i$ into a random binary vector with an odd number of $1$’s (so that its dot product with itself is $1$)." – Branimir Ćaćić Jul 17 '18 at 18:26
  • You are right; I forgot to indicate that all the original vectors are of norm $1$. I will edit my post now. – Eulerrr Jul 17 '18 at 18:28
  • Even if the participating vectors $v_1, \dots, v_m$ have odd Hamming weight, couldn't you have some $u_j$ have even Hamming weight? If so, won't that lead to division by zero at the later steps of computing $u_{j+1}, \dots, u_{m}$ as the Gram-Schmidt process continues? – gen Nov 30 '23 at 19:19
  • Assume $v_1 = 10^{n-1}$, $v_2 = 1110^{n-3}$. Then $u_2 = v_2 - v_1 = 0110^{n-3}$. How do you proceed from there? – gen Nov 30 '23 at 19:21