VSAG CODES. CRYPTANALYSIS OF PKC. PROOFS. ALGEBRAIC GEOMETRY CODES. § Let: X be an algebraic curve of genus g defined over the finite field ...
E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
I NTRODUCTION C URVES DEFINED BY QUADRATIC EQUATIONS
E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
D ETERMINATION OF I2 (Q) VSAG CODES C RYPTANALYSIS OF PKC
I. M A´ RQUEZ -C ORBELLA
1
E. M ART´I NEZ -M ORO
2
R. P ELLIKAAN
3
P ROOFS 1 Department of Algebra, Geometry and Topology, University of Valladolid. Supported by a FPU grant AP2008-01598 by Spanish MEC. 2 Department of Applied Mathematics, University of Valladolid. 3 Department of Mathematics and Computing Science, Eindhoven University of Technology.
3ICMCTA 3rd International Castle Meeting on Coding Theory and Applications
O VERVIEW E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
I NTRODUCTION
1
I NTRODUCTION
2
C URVES DEFINED BY QUADRATIC EQUATIONS
3
D ETERMINATION OF I2 (Q)
4
VSAG CODES
5
C RYPTANALYSIS OF PKC
6
P ROOFS
C URVES DEFINED BY QUADRATIC EQUATIONS
D ETERMINATION OF I2 (Q) VSAG CODES C RYPTANALYSIS OF PKC P ROOFS
P ROJECTIVE SYSTEMS AND LINEAR CODES E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
r - DIMENSIONAL PROJECTIVE SPACE OVER Fq : Pr (Fq ) The Pr (Fq ) is defined by
I NTRODUCTION
r
P (Fq ) =
P ROJECTIVE SYSTEMS AND LINEAR
� � r +1 Fq \ {(0, . . . , 0)} \ ∼
CODES
A LGEBRAIC GEOMETRY CODES A LGEBRAIC GEOMETRY
where (x0 , . . . , xr ) ∼ (y0 , . . . , yr ) ⇐⇒ ∃α ∈ F∗ q : xi = αyi for all i ∈ {0, . . . , r }
REPRESENTATIONS OF A CODE
Ü We write (x0 : x1 : . . . : xr ) for the equivalence class of (x0 , x1 , . . . , xr ) in Pr (Fq ).
D UAL CODES ON CURVES
C URVES DEFINED BY QUADRATIC EQUATIONS
D ETERMINATION OF I2 (Q) VSAG CODES C RYPTANALYSIS OF PKC
P ROJECTIVE SYSTEM An n-tuple of points (P1 , . . . , Pn ) in Pr (Fq ) is a projective system if not all these points lie in a hyperplane.
P ROOFS 1
Let C be a nondegenerate [n, k] code over Fq with generator matrix G. Ü Take the columns of G as homogeneous coordinates of points in Pk −1 (Fq ). Ü This gives the projective system PG over Fq of G. 2
Let P = (P1 , . . . , Pn ) be a projective system in Pr (Fq ). (r +1)×n
Ü We define the matrix GP ∈ Fq as the matrix with PjT as j-th column. Ü Then GP is the generator matrix of a nondegenerate [n, r + 1] code over Fq .
A LGEBRAIC GEOMETRY CODES E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
Let X be an algebraic curve over Fq defined by the polynomial F (X ) ∈ Fq [X ]. R ATIONAL F UNCTIONS
I NTRODUCTION P ROJECTIVE SYSTEMS AND LINEAR CODES
A LGEBRAIC GEOMETRY CODES A LGEBRAIC GEOMETRY
The function field or the field of rational functions on X is �� � � g(X ) are homogeneous Fq (X ) = | g, h ∈ Fq [X ] ∪ {0} \ ∼ of the same degree h(X )
REPRESENTATIONS OF A CODE
D UAL CODES ON CURVES
C URVES DEFINED BY
where
g h
∼
g0 h0
⇐⇒ gh0 − g 0 h ∈ hF i.
QUADRATIC EQUATIONS
D ETERMINATION OF I2 (Q) VSAG CODES C RYPTANALYSIS OF PKC P ROOFS
D IVISORS ON C URVES P Every divisor D on X over Fq is of the form D = nQ Q where nQ ∈ Z and Q is a point on X . P The degree of D is deg D = nQ deg(Q). The support of D is supp(D) = {Q | nQ 6= 0}
D IVISORS OF RATIONAL FUNCTIONS The divisor of f ∈ Fq (X ) is defined to be: (f ) = (zeros of f ) − (poles of f ).
A LGEBRAIC GEOMETRY CODES E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
I NTRODUCTION P ROJECTIVE SYSTEMS AND LINEAR CODES
Ü Let: X be an algebraic curve of genus g defined over the finite field Fq , P = (P1 , . . . , Pn ) be an n-tuple of distinct Fq -rational points on X E be a divisor of X with supp(E) ∩ P = ∅ and deg(E) = m.
A LGEBRAIC GEOMETRY CODES A LGEBRAIC GEOMETRY REPRESENTATIONS OF A CODE
D UAL CODES ON CURVES
C URVES DEFINED BY QUADRATIC EQUATIONS
S PACE OF RATIONAL FUNCTIONS ASSOCIATED TO E The space of rational functions associated to E is L(E) = {f ∈ Fq (X ) | f = 0 or (f ) + E ≥ 0}
D ETERMINATION OF I2 (Q) VSAG CODES C RYPTANALYSIS OF PKC P ROOFS
Ü Since supp(E) ∩ P = ∅ the following evaluation map is well defined: evP :
L(E) f
−→ 7−→
Fnq evP (f ) = (f (P1 ), . . . , f (Pn ))
R IEMMAN -R OCH T HEOREM dim L(E) ≥ m + 1 − g. Furthermore if m > 2g − 2 then dim L(E) = m + 1 − g.
A LGEBRAIC GEOMETRY CODES E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
A LGEBRAIC G EOMETRY CODES (AG CODES ) I NTRODUCTION
The AG code associated to X , P = (P1 , . . . , Pn ) and E is
P ROJECTIVE SYSTEMS AND LINEAR CODES
CL (X , P, E) = {evP (f ) | f ∈ L(E)}
A LGEBRAIC GEOMETRY CODES A LGEBRAIC GEOMETRY REPRESENTATIONS OF A CODE
D UAL CODES ON CURVES
C URVES DEFINED BY QUADRATIC EQUATIONS
D ETERMINATION OF I2 (Q) VSAG CODES
T HEOREM : PARAMETERS OF AN AG CODE If n > m then CL (X , P, E) is an [n, k, d] code over Fq where k ≥m+1−g
and
d ≥n−m
Moreover, if m > 2g − 2 then k = m + 1 − g.
C RYPTANALYSIS OF PKC P ROOFS
Ü If {f1 , . . . , fk } is a basis of L(E) then f1 (P1 ) . . . . G= . . fk (P1 ) . . .
f1 (Pn ) . ∈ Fk ×n . q . fk (Pn )
is a generator matrix of the code CL (X , P, E)
A LGEBRAIC GEOMETRY REPRESENTATIONS OF A CODE E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
W EAKLY A LGEBRAIC -G EOMETRIC (WAG) I NTRODUCTION P ROJECTIVE SYSTEMS AND LINEAR CODES
A LGEBRAIC GEOMETRY CODES A LGEBRAIC GEOMETRY REPRESENTATIONS OF A CODE
D UAL CODES ON CURVES
C URVES DEFINED BY QUADRATIC EQUATIONS
A code C over Fq is WAG if C = CL (X , P, E) for some triple (X , P, E) where: X is an algebraic curve over Fq . P = (P1 , . . . , Pn ) is an n-tuple of mutually distinct Fq -rational points of X . E is a divisor with supp(E) ∩ P = ∅ and deg(E) = m. Ü Then (X , P, E) is called a WAG representation of C.
D ETERMINATION OF I2 (Q) VSAG CODES C RYPTANALYSIS OF PKC
T HEOREM [P ELLIKAAN -S HEN - VAN W EE (1991)] Every code has a WAG representation.
P ROOFS
A WAG representation (X , P, E) is called: Ü Algebraic-geometric (AG) if deg(E) < n. Ü t-strong algebraic-geometric (t-SAG) if 2g − 2 + t < m < n − t. Ü A 0-SAG representation is a SAG representation.
A LGEBRAIC GEOMETRY REPRESENTATIONS OF A CODE E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
E QUIVALENT REPRESENTATIONS Two representations (X , P, E) and (Y, Q, F ) are:
I NTRODUCTION
Ü equivalent if there exists an isomorphism of curves
P ROJECTIVE SYSTEMS AND LINEAR CODES
ϕ:
A LGEBRAIC GEOMETRY CODES A LGEBRAIC GEOMETRY
X
−→
Y
such that ϕ(P) = Q and ϕ(E) ≡ F i.e. ∃f ∈ Fq (Y) | F = ϕ(E) + (f ).
REPRESENTATIONS OF A CODE
D UAL CODES ON CURVES
C URVES DEFINED BY
strict equivalent if there exists an isomorphism of curves
QUADRATIC EQUATIONS
ϕ:
D ETERMINATION OF I2 (Q)
X
−→
Y
VSAG CODES
such that ϕ(P) = Q and ϕ(E) ≡Q F
C RYPTANALYSIS OF PKC
i.e. ∃f ∈ Fq (Y) such that: f has no poles at the points of Q, ϕ(E) = F + (f ), f (Qj ) = 1 for all j and supp(ϕ(E)) ∩ supp(F ) = ∅.
P ROOFS
P ROPOSITION Let (X , P, E) and (Y, Q, F ) be WAG representations of the codes C and D, respectively. Then: 1
If (X , P, E) and (Y, Q, F ) are equivalent then C ≡ D.
2
If (X , P, E) and (Y, Q, F ) are strict equivalent then C = D.
A LGEBRAIC GEOMETRY REPRESENTATIONS OF A CODE E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
P ROPOSITION [M UNUERA - P ELLIKAAN (1993)] Let:
I NTRODUCTION P ROJECTIVE SYSTEMS AND LINEAR CODES
A LGEBRAIC GEOMETRY CODES A LGEBRAIC GEOMETRY
X be a curve over Fq of genus g P be an n-tuple of mutually distinct Fq -rational points of X . If E and F are divisors on X of degree m with 2g − 1 < m < n − 1 then:
REPRESENTATIONS OF A CODE
CL (X , P, E) = CL (X , P, F ) ⇐⇒ E ≡P F
D UAL CODES ON CURVES
C URVES DEFINED BY QUADRATIC EQUATIONS
D ETERMINATION OF I2 (Q) VSAG CODES
P ROPOSITION 6 Let (X , P, E) be a representation of the code C where:
C RYPTANALYSIS OF PKC
X is an algebraic curve over Fq of genus g.
P ROOFS
P is an n-tuple of mutually distinct Fq -rational points of X . E is a divisor with supp(E) ∩ P = ∅ and deg(E) = m > 2g. Let r = dim(L(E)) − 1 and {f0 , . . . , fr } be a basis of L(E). We consider the following map: ϕE : X −→ Pr (Fq ) P 7−→ ϕE (P) = (f0 (P), . . . , fr (P)) If Y = ϕE (X ), Q = ϕE (P) and F = ϕE (E) then (Y, Q, F ) is a representation of C that is strict isomorphic with (X , P, E).
D UAL CODES ON CURVES E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
Let I NTRODUCTION P ROJECTIVE SYSTEMS AND LINEAR
Ü w be a differential form with a simple pole at Pj with residue 1 for all j = 1, . . . , n.
CODES
A LGEBRAIC GEOMETRY CODES A LGEBRAIC GEOMETRY REPRESENTATIONS OF A CODE
Ü K be the canonical divisor of w. Ü E be a divisor of X of degree m and disjoint support from P.
D UAL CODES ON CURVES
C URVES DEFINED BY QUADRATIC EQUATIONS
We define
D ETERMINATION OF I2 (Q)
E⊥ = P − E + K
m⊥ = deg(E ⊥ ) = 2g − 2 − m + n
and
VSAG CODES C RYPTANALYSIS OF PKC P ROOFS
Then
⊥
CL (X , P, E) See Proposition 2.2.10 H. Stichtenoth. Algebraic function fields and codes. Springer, Berlin, 1993.
⊥
= CL (X , P, E )
C URVES DEFINED BY QUADRATIC EQUATIONS E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
The canonical model of a non-singular non-hyperelliptic projective curve of genus ≥ 3 is the intersection of quadrics and cubics. Ü And of quadrics only except in case of a trigonal curve and a plane quintic.
I NTRODUCTION See: C URVES DEFINED BY QUADRATIC EQUATIONS
D. W. Babbage.
D ETERMINATION OF I2 (Q)
A note on the quadrics through a canonical curve. Journ. London Math. Soc., volume 14, pp. 310–315, 1939.
VSAG CODES C RYPTANALYSIS OF PKC P ROOFS
F. Enriques. Sulle cuve canoniche di genere p dello spazio a p − 1 dimensioni. Rend. Accad. Sci. Ist. Bologna, volume 23, pp. 80–82, 1919.
K. Petri. ¨ Uber die invariante Darstellung algebraischer Funktionen einer ¨ Veranderlichen. Math. Ann., volume 88, 1923.
This result for the canonical divisor was generalized for arbitrary divisors under certain constraints on the degree. See: E. Arbarello and E. Sernesi. Petri’s approach to the study of the ideal associated to a special divisor. Invent. Math., volume 49, pp. 99–119, 1978. D. Mumford. Varieties defined by quadratic equations. Questions on algebraic varieties, C.I.M.E, III Ciclo, Varenna, 1969, pp. 29–100, Edizioni Cremonese, Rome, 1970.
B. Saint-Donat. ´ ´ Sur les equatons definissant une ´ courbe algebrique. C. R. Acad. Sci. Paris Sr. A, volume 274, pp. 487–489, 1972.
C URVES DEFINED BY QUADRATIC EQUATIONS E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON
Id (Y)
ALGEBRAIC GEOMETRY CODES
Id (Y) is the ideal generated by the homogeneous elements of degree d in I(Y). I NTRODUCTION C URVES DEFINED BY QUADRATIC EQUATIONS
D ETERMINATION OF I2 (Q) VSAG CODES C RYPTANALYSIS OF PKC
P ROPOSITION Let X be an absolutely irreducible and non-singular curve of genus g over the perfect field F and E be a divisor on X of degree m. 1
P ROOFS
If m ≥ 2g + 2 then ϕE (X ) = Y is a normal curve in Pm−g which is the intersection of quadrics.
Ü In particular I(Y) is generated by I2 (Y). B. Saint-Donat. ´ ´ ´ Sur les equatons definissant une courbe algebrique. C. R. Acad. Sci. Paris Sr. A, volume 274, pp. 487–489, 1972. 2
If m ≥ 2g + 1 then ϕE (X ) = Y is a normal curve in Pm−g which is the intersection of quadrics and cubics.
Ü In particular I(Y) is generated by I2 (Y) and I3 (Y). D. Mumford.
B. Saint-Donat.
Varieties defined by quadratic equations. Questions on algebraic varieties, C.I.M.E, III Ciclo, Varenna, 1969, pp. 29–100, Edizioni Cremonese, Rome, 1970.
´ ´ Sur les equatons definissant une courbe ´ algebrique. C. R. Acad. Sci. Paris Sr. A, volume 274, pp. 487–489, 1972.
D ETERMINATION OF I2 (Q) E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
Let: Y be an absolutely irreducible curve in Pr of degree m such that I(Y) = I2 (Y).
I NTRODUCTION
Q be an n-tuples of points that lies on the curve Y
(i.e. I(Y) ⊆ I(Q))
C URVES DEFINED BY QUADRATIC EQUATIONS
D ETERMINATION OF I2 (Q) VSAG CODES C RYPTANALYSIS OF PKC
Q UESTIONS TREATED ON THIS SECTION : 1
Under which hypothesis is true that I2 (Q) = I2 (Y)?
2
How we can compute I2 (Q) efficiently?
P ROOFS
P ROPOSITION 8
Proof
Let m, r , n, d ∈ Z such that r ≥ 2 and n > dm. Y be an absolutely irreducible curve in Pr of degree m. Q be an n-tuple of points that lies on the curve Y. Then I≤q (Q) = I≤q (Y).
D ETERMINATION OF I2 (Q) E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
Ü Let C be a k-dimensional subspace of Fn with basis {g1 , . . . , gk }.
I NTRODUCTION
We denote:
C URVES DEFINED BY QUADRATIC EQUATIONS
1
VSAG CODES C RYPTANALYSIS OF PKC P ROOFS
The second symmetric power of C by S 2 (C) S 2 (C) is the linear subspace in Fn with basis {gi gj | 1 ≤ i ≤ j ≤ n} and � dimension k2 .
D ETERMINATION OF I2 (Q)
2
The square code of C by hC ∗ Ci or by C 2 . C 2 is the linear subspace in Fn generated by {a ∗ b | a, b ∈ C}.
Ü We consider the linear map: S 2 (C) gi gj
σ:
−→ 7−→
C2 gi ∗ gj
We denote by K 2 (C) the kernel of this map, then 2
2
2
0 −→ K (C) −→ S (C) −→ C −→ 0 is an exact sequence.
D ETERMINATION OF I2 (Q) E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
P ROPOSITION 9
Proof
Let: Q be an n-tuple of points in Pk −1 over F not in a hyperplane.
I NTRODUCTION
GQ ∈ Fk×n be the matrix associated to Q.
C URVES DEFINED BY
C the k-dimensional subspace of Fn generated by the rows of GQ with basis
QUADRATIC EQUATIONS
D ETERMINATION OF I2 (Q)
{g1 , . . . , gk } .
VSAG CODES C RYPTANALYSIS OF PKC
Then
P ROOFS
I2 (Q) =
X
C OROLLARY 10
1≤i≤j≤k
aij xi xj |
X 1≤i≤j≤k
2
aij gi gj ∈ K (C)
.
Proof
Let Q be an n-tuple of points in Pr over�F not in a hyperplane. Then the complexity of �� the computation of I2 (Q) is at most O n2 2r . R EMARK Ü We define the spaces S d (C), C d and K d (C) for any d ∈ Z≥0 . Ü We can show the relation between Id (Q) and K d (C). � �� Ü Complexity of the computation of Id (Q) ∼ O n2 k +d−1 . d
V ERY S TRONG A LGEBRAIC -G EOMETRIC CODES E VALUATION OF PUBLIC - KEY CRYPTOSYSTEMS BASED ON ALGEBRAIC GEOMETRY CODES
V ERY S TRONG A LGEBRAIC -G EOMETRIC (VSAG) CODES I NTRODUCTION C URVES DEFINED BY
A code C has a VSAG representation if C = CL (X , P, E) where the curve X has genus g, P consists of n points and E has degree m such that
QUADRATIC EQUATIONS
2g + 2 < m
