Cryptanalysis of Krouk’s Public-Key Cipher∗
Valdemar C. da Rocha Jr. and David Lopes de Macêdo
Communications Research Group - CODEC, Department of Electronics and Systems, Federal University of Pernambuco, P.O. Box 7800, 50711-970 Recife, PE, Brazil
Abstract

The cryptanalysis of a recently proposed public-key cipher is presented. The mathematical structure of this cipher is based on linear complementary subspaces over a finite field. The cipher is broken simply by multiplying the ciphertext by a right inverse of a matrix formed from the publicly available key information; the cleartext and the error pattern are both recovered without any decoding.
1 Introduction

The first cipher based on error-correcting codes was McEliece’s public-key cipher proposed in 1978 [1]. In 1991 Gabidulin et al. [2] proposed a public-key cipher also based on error-correcting codes, however using the rank metric instead of the more usual Hamming metric. In 1993 Krouk [3] introduced a public-key cryptosystem based on linear error-correcting block codes. We noticed that the mathematical structure of Krouk’s cipher is based on linear complementary block codes. Two linear block codes $C_1$ and $C_2$ of the same blocklength $n$, over a finite field $\mathrm{GF}(q)$, are defined as a complementary code pair [4] if and only if their only codeword in common is the all-zero codeword, i.e., $C_1 \cap C_2 = \{0\}$, and the direct sum of their codewords generates the vector space of $n$-tuples over $\mathrm{GF}(q)$, i.e., $C_1 \oplus C_2 = \mathrm{GF}(q)^n$, where $\oplus$ denotes addition of $n$-tuples over $\mathrm{GF}(q)$.
2 Description of Krouk’s cipher
Let $E'$ denote some subset of the $l$-dimensional vector space over a finite field $\mathrm{GF}(q)$, where $q$ is a prime or a power of a prime. Let $E$ denote the corresponding set of $q$-ary vectors of length $n$ obtained from the vectors in the set $E'$ by the concatenation of $n-l$ zeroes to the right end of each vector. The correspondence between an $n$-tuple $e \in E$ and a given $l$-tuple $e' \in E'$ will be denoted as $e = (e' : 0_{n-l})$. Let $V$ be an $(n,k)$ linear block code over $\mathrm{GF}(q)$, of blocklength $n$ and dimension $k$, with generator matrix $G$, and let this code correct the errors represented by elements of the set $E$ by some reasonable decoding algorithm. Furthermore, let $Q$ be some $l \times n$ matrix over $\mathrm{GF}(q)$, let $P$ be some $(n-l) \times n$ matrix over $\mathrm{GF}(q)$ and let
$$M = \begin{bmatrix} Q \\ P \end{bmatrix} \qquad (1)$$
be an $n \times n$ matrix, where $Q$ and $P$ are such that $M$ has a multiplicative inverse over $\mathrm{GF}(q)$, denoted $M'$, i.e., $MM' = I_n$, where $I_n$ is the $n \times n$ identity matrix. The public key for this cipher consists of the set $E'$ and the matrices $Q$ and $G' = GM$. The secret key consists of $G$ and $M'$. The encryption consists of the following steps.

∗ Paper published in Electronics Letters, Vol. 32, No. 14, 4 July 1996, pp. 1279-1280. This work received partial support from the Brazilian National Council for Scientific and Technological Development (CNPq) through grant No. 304214/77-9.
2.1 Encryption

1. For a given $k$-tuple $u$ compute the codeword $v' = uG'$, where $v'$ belongs to the $(n,k)$ linear block code $V'$ whose generator matrix is $G' = GM$.
2. Randomly choose an $l$-tuple $e'$ from the set $E'$ and compute $e'Q$.
3. Finally, the ciphertext $y$ is given by $y = v' + e'Q$.

Let $e = (e' : 0_{n-l})$ in step 2 above. Therefore, it follows from (1) that $e'Q = eM$.
2.2 Decryption

On receiving a ciphertext $y$ the intended receiver, i.e., the only one who possesses the secret key, proceeds as follows.

1. Compute the vector $r$ from the received vector $y$ as $r = yM' = (uG' + e'Q)M' = uG + e$.
2. Decode $r$ using code $V$, i.e., correct the error $e$ and obtain the codeword $v = uG$.
3. Extract the cleartext $u$ from the codeword $v$.
3 Cryptanalysis of Krouk’s cipher

The key point for breaking Krouk’s cipher is to exploit the strong use of linearity that he made throughout. We notice that in order for the $n \times n$ matrix $M$ to be invertible the rows in both matrices $Q$ and $P$ must be linearly independent over $\mathrm{GF}(q)$. We recall that the public key contains the matrices $G' = GM$ and $Q$. As we show next, we can ignore the public information about $e'$ when extracting the cleartext from the intercepted ciphertext $y$.
Lemma 1. If the $n \times n$ matrix $M$ is invertible then the $(k+l) \times n$ matrix
$$D = \begin{bmatrix} GM \\ Q \end{bmatrix}$$
has a right inverse $D^{-1}$, which is an $n \times (k+l)$ matrix such that $DD^{-1} = I_{k+l}$, where $I_{k+l}$ is the identity matrix of dimension $k+l$. If $k+l = n$ then $D^{-1}$ is obtained by ordinary matrix inversion techniques. If $k+l < n$ then $D^{-1}$ is given by $D^{-1} = D_2^T(DD_2^T)^{-1}$, where $D_2^T$ is the transpose of a $(k+l) \times n$ parity-check matrix $D_2$ of a code which forms a complementary pair with the code whose generator matrix is $D$.

Proof:
We write $GM$ equivalently as
$$GM = G\begin{bmatrix} Q \\ P \end{bmatrix} = [G_1 : G_2]\begin{bmatrix} Q \\ P \end{bmatrix} = G_1Q + G_2P,$$
where $G_1$ is a $k \times l$ matrix and $G_2$ is a $k \times (n-l)$ matrix. Therefore we can represent the ciphertext $y = uGM + e'Q$ equivalently as
$$y = (u : e')D = (u : e')\begin{bmatrix} GM \\ Q \end{bmatrix} = (u : e')\begin{bmatrix} G_1Q + G_2P \\ Q \end{bmatrix}. \qquad (2)$$
(a) Let us suppose that $k+l = n$ and that (2) equals the all-zero $n$-tuple for some nonzero $n$-tuple $(u : e')$. Expanding (2) we get $u(G_1Q + G_2P) + e'Q = 0$, or
$$(uG_1 + e')Q + uG_2P = (uG_1 + e' : uG_2)\begin{bmatrix} Q \\ P \end{bmatrix} = (uG_1 + e' : uG_2)M = 0,$$
which, since $M$ is invertible, is true if and only if both $uG_1 + e' = 0$ and $uG_2 = 0$, i.e.,
$$uG_1 = -e', \quad uG_2 = 0 \quad\Rightarrow\quad u[G_1 : G_2] = [-e' : 0],$$
i.e., $uG = -e$ with $e = (e' : 0_{n-l})$. However, by hypothesis, all error patterns $e = (e' : 0_{n-l})$ are correctable by the code $V$, so no nonzero codeword of $V$ can coincide with one of them; thus $uG = -e$ holds if and only if both $u = 0$ and $e' = 0$. Therefore the rows of $D$ are linearly independent over $\mathrm{GF}(q)$ and, since $k+l = n$, $D$ is invertible.

(b) If $k+l < n$, the conclusion that the rows of $D$ are linearly independent over $\mathrm{GF}(q)$ remains valid; however, $D$ is no longer a square matrix. We compute a right inverse of $D$ by using the theory of linear complementary block codes [4, 5] as follows. Let $D_2^T$ denote the transpose of a $(k+l) \times n$ parity-check matrix $D_2$ of a code which forms a complementary pair with the code whose generator matrix is $D$. It follows from this theory [5] that the $(k+l) \times (k+l)$ matrix $DD_2^T$ is nonsingular, and thus that the $n \times (k+l)$ matrix $D_2^T(DD_2^T)^{-1}$ is a right inverse of $D$, since $D \cdot D_2^T(DD_2^T)^{-1} = I_{k+l}$.

(c) The case $l > n-k$ cannot occur, because then $k+l > n$ and the $k+l$ rows of $D$ cannot be linearly independent. By the argument of (a) this implies the existence of nonzero $n$-tuples in common between the code $V$ and the set of error patterns $E$ (equivalently, between $V'$ and the set of vectors $e'Q$). Therefore in this case the cleartext is not recoverable in a unique manner from the ciphertext, and any decoder would be unable to perform its task consistently.

As a consequence of Lemma 1 we can always extract the cleartext $u$ (and, as a by-product, the error $e'$) from the ciphertext $y$ and the public information available as follows:
$$yD^{-1} = (uGM + e'Q)D^{-1} = (u : e')DD^{-1} = (u : e').$$
4 Comments

We presented the cryptanalysis of a public-key cipher proposed by Krouk [3]. At first sight this cipher looks akin to the well-known McEliece public-key cipher; however, the error patterns used in Krouk’s cipher have a linear structure which leads to a weakness in the cipher. In other words, the error patterns in $E$ belong to a linear code, whereas in McEliece’s public-key cipher and in some secret-key ciphers [6] based on error-correcting codes the correctable error patterns can be seen as belonging to a non-linear code with no apparent useful mathematical structure. The motivation of the first author to study linear complementary codes (but not necessarily dual codes) started with the paper by Massey [7] on linear codes with complementary duals.
References

[1] R.J. McEliece, “A public-key cryptosystem based on algebraic coding theory”, DSN Progress Report, Jet Propulsion Laboratory, Pasadena, CA, pp. 114-116, Jan./Feb. 1978.
[2] E.M. Gabidulin, A.V. Paramonov and O.V. Tretjakov, “Ideals over a non-commutative ring and their application in cryptology”, Advances in Cryptology, EUROCRYPT’91 (Ed. D.W. Davies), Lecture Notes in Computer Science No. 547, Berlin and Heidelberg: Springer, 1991, pp. 482-489.
[3] E. Krouk, “A new public-key cryptosystem”, Proceedings 6th Joint Swedish-Russian International Workshop on Information Theory, 1993, pp. 285-286.
[4] V.C. da Rocha, Jr., “Complementary cyclic codes”, Communications and Signal Processing Series: 3, Communication Theory and Applications II, Editors: B. Honary, M. Darnell and P.G. Farrell, HW Communications Ltd., pp. 37-40, 1994.
[5] V.C. da Rocha, Jr., “A secret-key cipher based on linear complementary codes”, in Abstracts of Papers, IEEE International Symposium on Information Theory, Trondheim, Norway, 27 June - 01 July 1994, p. 346.
[6] V.C. da Rocha, Jr. and D.L. de Macêdo, “An improved secret-key cipher based on linear complementary codes”, submitted to IEE Electronics Letters.
[7] J.L. Massey, “Linear codes with complementary duals”, Discrete Mathematics, 106/107, 1992, pp. 337-342.