New perspectives for code based public key cryptography - CLC2006


New perspectives for code based public key cryptography
Thierry P. BERGER, XLIM, Université de Limoges, France

Darmstadt, 25 September 2006

T.P. Berger

XLIM, UMR CNRS 6172, Limoges

Code based PKC


Outline

1. Hard problems: Coding Theory, NP-complete problems, Hard problems, Decoding
2. PKC: McEliece, Niederreiter, Attacks
3. Choice of codes: Criteria, Permutation, Subfield Subcodes
4. RS examples: GRS, Goppa, Subcodes, Punctured, Diagonal, (U,U+V)
5. Short description: Short description, Quasi-cyclic codes


Recalls on Coding Theory

C: a linear code, i.e. a subspace of GF(q)^n, of length n over GF(q).
n: length; k: dimension.
G: a generator matrix of C.
C⊥: the dual code; H: a parity check matrix, so that G H^t = 0.
d: minimum distance of C; t = ⌊(d − 1)/2⌋, the error correction capacity.
Singleton bound: k + d ≤ n + 1.


NP-complete problems in Coding Theory

Problem (Coset weight)
Input: H an (n − k) × n binary parity check matrix, s a binary vector of length n − k, w a natural integer.
Problem: Is there any binary vector e of length n such that weight(e) ≤ w and e H^t = s?

Problem (Weight of a code)
Input: H an (n − k) × n binary parity check matrix, w a natural integer.
Problem: Is there any vector c of length n such that weight(c) = w and c H^t = 0?


Related hard problems I

Problem (Decoding)
Input: H an (n − k) × n binary parity check matrix, s a binary vector of length n − k, w a natural integer.
Output: a binary vector e of length n such that weight(e) ≤ w and e H^t = s.

Problem (Given weight codeword)
Input: H an (n − k) × n binary parity check matrix, w a natural integer.
Output: a vector c of length n such that weight(c) = w and c H^t = 0.


Related hard problems II

Problem (Bounded decoding)
Input: H an (n − k) × n binary parity check matrix, s a binary vector of length n − k, w such that 2w + 1 ≤ d.
Output: a binary vector e of length n such that weight(e) ≤ w and e H^t = s, if it exists; otherwise return "false".

Problem (Minimal weight codeword)
Input: a binary linear code C.
Output: a codeword c of minimal weight.

Problem (Minimum distance)
Input: a binary linear code C.
Output: the minimum distance d of C.


Hierarchy of problems

Bounded Decoding ≤ Decoding
Minimum Distance ≤ Minimum weight codeword ≤ Given weight codeword
Bounded Decoding ≤ Given weight codeword

References
E.R. Berlekamp, R.J. McEliece and H.C. van Tilborg. On the inherent intractability of certain coding problems. IEEE Transactions on Information Theory, 24(3), May 1978.
A. Canteaut and N. Sendrier. Cryptanalysis of the original McEliece cryptosystem. In K. Ohta and D. Pei, editors, Advances in Cryptology, ASIACRYPT'98, number 1514 in LNCS, pages 187–199, 1998.


Decoding technique for random codes

General principle: search for an information set without error.
An information set: k coordinates of a codeword corresponding to k columns of the generator matrix with non-zero determinant.

Number of information sets: $\approx \binom{n}{k}$; without errors: $\approx \binom{n-t}{k}$.

Probability of success: $p = \binom{n-t}{k} \Big/ \binom{n}{k}$.

Full cost for a [n, k, d] code: $O(k^3/p)$.

In our examples we compute $m \times k^3/p$.


Decoding technique for random codes: the binary case

Improvements for binary codes:
Heuristic search method to find an information set: faster verification.
Search for an information set with at most r errors (typically r = 2 or 3).
Cost of the best method, given by A. Canteaut (PhD thesis): $2^{\,nH_2(k/n)/18 + 12}$ binary operations for a [n, k, d] binary code over the Gilbert–Varshamov bound.
Research problem: what happens for codes over GF(2^m)?
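The two cost estimates above, worked through in Python as an added example (this is not code from the talk). It evaluates the information-set success probability $p = \binom{n-t}{k}/\binom{n}{k}$, the cost $m \times k^3/p$, the binary-case estimate $2^{nH_2(k/n)/18+12}$, and the systematic-matrix key size $m \times k \times (n-k)$ from the "criteria" slide, for the [2048, 1608, 81] binary Goppa code (t = 40) of the Niederreiter column and the [255, 129, 123] GRS subcode over GF(256). The only assumption is that m in $m \times k^3/p$ is the symbol width in bits of the code's alphabet (m = 1 for a binary code, 8 for GF(256)), the same m as in the key-size formula; with that reading the key size reproduces the 88440 bytes and 16254 bytes quoted later in the talk.

```python
from math import comb, log2


def log2_success_probability(n, k, t):
    """log2 of p = C(n-t, k) / C(n, k), the probability that k coordinates chosen
    at random miss all t error positions (an error-free information set).
    Computed in logarithms: the binomials are thousands of bits long, and
    math.log2 accepts Python's arbitrary-precision integers."""
    return log2(comb(n - t, k)) - log2(comb(n, k))


def isd_cost_log2(n, k, t, m=1):
    """log2 of the slide's estimate m * k^3 / p for an [n, k] code over GF(2^m).
    Assumption: m is the symbol width in bits (m = 1 for a binary code)."""
    return log2(m) + 3 * log2(k) - log2_success_probability(n, k, t)


def binary_entropy(x):
    """H_2(x) = -x log2 x - (1 - x) log2 (1 - x)."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * log2(x) - (1.0 - x) * log2(1.0 - x)


def canteaut_cost_log2(n, k):
    """log2 of the binary-case estimate 2^(n H_2(k/n) / 18 + 12) quoted on the slide."""
    return n * binary_entropy(k / n) / 18.0 + 12.0


def public_key_bytes(n, k, m=1):
    """Systematic generator or parity-check matrix: k * (n - k) symbols of m bits."""
    return m * k * (n - k) // 8


def evaluate(n, k, d, m=1):
    """Summarise one parameter set the way the talk's tables do: t, key size,
    and the security estimates as exponents of 2 (the binary-case formula only
    applies to binary codes)."""
    t = (d - 1) // 2
    return {
        "t": t,
        "key_bytes": public_key_bytes(n, k, m),
        "isd_log2": round(isd_cost_log2(n, k, t, m), 1),
        "canteaut_log2": round(canteaut_cost_log2(n, k), 1) if m == 1 else None,
    }


if __name__ == "__main__":
    # Binary Goppa code [2048, 1608, 81], t = 40: the Niederreiter column of the talk.
    print(evaluate(2048, 1608, 81))
    # Subcode of a GRS code over GF(256), [255, 129, 123]: symbols of m = 8 bits.
    print(evaluate(255, 129, 123, m=8))
```

The plain $k^3/p$ estimate for [2048, 1608] comes out near $2^{123}$ and the binary-case formula near $2^{97}$; the talk's tables quote $2^{102}$ for this code, which sits between the two, so the formulas should be read as order-of-magnitude checks rather than exact work factors.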


McEliece based public key cryptosystems

Public key: a linear code C of parameters [n, k, d], given by a generator matrix G, and an integer t.
Private key: an efficient decoding algorithm for C up to the error correcting capacity t.
Encryption: m, a plaintext of length k; e, a random error of length n and weight t. Ciphertext c = mG + e.
Decryption: decode c with the secret algorithm and recover m.

R.J. McEliece. A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report, pages 114–116, 1978.


The Niederreiter public key cryptosystem

Public key: a linear code C of parameters [n, k, d], given by a parity check matrix H, and an integer t.
Private key: an efficient decoding algorithm for C up to the error correcting capacity t.
Encryption: the plaintext is encoded as a vector m = e of length n and weight t. Ciphertext: c = mH.
Decryption: c is the syndrome of the error e. Compute a word c′ of length n such that c′H = c, apply the decoding algorithm to c′ and recover the error e.

H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory, 15(2):159–166, 1986.
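Both schemes of the two preceding slides, as one added toy implementation in Python (this is not the talk's code and nothing in it is meant to be secure). Constructed parameters: the binary [15, 7, 5] BCH code with generator polynomial $g(x) = x^8 + x^7 + x^6 + x^4 + 1$, so t = 2. The "efficient secret decoder" is modelled by a syndrome table of all errors of weight at most t, which is only possible at this size; a real scheme keeps an algebraic decoder (for a Goppa code, say) secret. The public code is the secret code permuted by a secret P and written in systematic form, which is also the smallest public key. McEliece sends $c = mG + e$; Niederreiter sends the syndrome of e and decrypts by picking any word c′ with the same syndrome and decoding it, exactly the step described on the slide.

```python
import itertools
import random

# Toy code: the binary [15, 7, 5] BCH code, generator polynomial
# g(x) = x^8 + x^7 + x^6 + x^4 + 1 (a textbook code), so t = 2 errors are correctable.
N, K, T = 15, 7, 2
G_POLY = 0b111010001                       # bit i <-> coefficient of x^i


def rref_gf2(rows, n):
    """Reduced row echelon form over GF(2); rows are ints with bit i = column i.
    Returns (rows, pivot_columns) and rejects linearly dependent input."""
    rows, pivots, r = list(rows), [], 0
    for col in range(n):
        piv = next((i for i in range(r, len(rows)) if rows[i] >> col & 1), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i] >> col & 1:
                rows[i] ^= rows[r]
        pivots.append(col)
        r += 1
    if r != len(rows):
        raise ValueError("rows are linearly dependent")
    return rows, pivots


def parity_check(g_rows, pivots, n):
    """Parity-check rows of a systematic generator matrix: one row per non-pivot
    column j, holding bit j plus bit pivots[i] for each generator row i that has
    bit j; every such row is orthogonal to every generator row."""
    h_rows = []
    for j in range(n):
        if j in pivots:
            continue
        h = 1 << j
        for i, p in enumerate(pivots):
            if g_rows[i] >> j & 1:
                h |= 1 << p
        h_rows.append(h)
    return h_rows


def syndrome(x, h_rows):
    """x H^t as an int: bit j is the GF(2) inner product of x with row j of H."""
    return sum((bin(x & h).count("1") & 1) << j for j, h in enumerate(h_rows))


def permute(x, perm, n):
    """Coordinate permutation: bit i of x moves to bit perm[i]."""
    return sum(((x >> i) & 1) << perm[i] for i in range(n))


def keygen(rng):
    """Secret: the structured code, its syndrome decoder and a permutation P.
    Public: the permuted code in systematic form (smallest possible key)."""
    g_rows, g_piv = rref_gf2([G_POLY << j for j in range(K)], N)
    h_rows = parity_check(g_rows, g_piv, N)
    # Syndrome table for every error of weight <= T: feasible only at toy size;
    # a real scheme keeps an algebraic decoder secret instead.
    table = {}
    for w in range(T + 1):
        for pos in itertools.combinations(range(N), w):
            e = sum(1 << p for p in pos)
            s = syndrome(e, h_rows)
            assert s not in table, "needs d >= 2t + 1"
            table[s] = e
    perm = list(range(N))
    rng.shuffle(perm)
    inv = [perm.index(i) for i in range(N)]
    pub_rows, pub_piv = rref_gf2([permute(g, perm, N) for g in g_rows], N)
    public = (pub_rows, pub_piv, parity_check(pub_rows, pub_piv, N))
    return public, (h_rows, table, perm, inv)


def decode_secret(y, secret):
    """y = (word of the public code) + e with weight(e) <= T: return e."""
    h_rows, table, perm, inv = secret
    s = syndrome(permute(y, inv, N), h_rows)   # back to the secret code's coordinates
    if s not in table:
        raise ValueError("more than t errors")
    return permute(table[s], perm, N)           # the error in public coordinates


def mceliece_encrypt(m, public, e):
    """c = m G + e for a K-bit message m and a weight-T error e."""
    c = 0
    for i in range(K):
        if m >> i & 1:
            c ^= public[0][i]
    return c ^ e


def mceliece_decrypt(c, public, secret):
    x = c ^ decode_secret(c, secret)            # x = m G
    return sum(((x >> p) & 1) << i for i, p in enumerate(public[1]))  # G is systematic


def niederreiter_encrypt(e, public):
    """The plaintext is the weight-T word e itself; the ciphertext is its syndrome e H^t."""
    return syndrome(e, public[2])


def niederreiter_decrypt(c, public, secret):
    """Build any word c0 with c0 H^t = c (bit j of c goes on the j-th non-pivot
    column, where H carries its identity part), then decode c0: its error is e."""
    nonpiv = [j for j in range(N) if j not in public[1]]
    c0 = sum(((c >> j) & 1) << col for j, col in enumerate(nonpiv))
    return decode_secret(c0, secret)


def demo(seed=2006):
    """Round trip of both schemes; returns (mceliece_ok, niederreiter_ok, decoder table size)."""
    rng = random.Random(seed)
    public, secret = keygen(rng)
    m = rng.getrandbits(K)
    e = sum(1 << p for p in rng.sample(range(N), T))
    m_ok = mceliece_decrypt(mceliece_encrypt(m, public, e), public, secret) == m
    e_ok = niederreiter_decrypt(niederreiter_encrypt(e, public), public, secret) == e
    return m_ok, e_ok, len(secret[1])


if __name__ == "__main__":
    print(demo())
```

The syndrome table has $1 + 15 + \binom{15}{2} = 121$ entries, all with distinct syndromes because d = 5 ≥ 2t + 1; the `assert` in `keygen` is the check that the chosen code can actually correct t errors, which is the property the private key relies on.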


Known attacks

There are two kinds of attacks:
Decoding techniques for random codes.
Search for the secret algorithm, i.e. recovering the hidden algebraic structure.


Practical parameters

                 Niederreiter (n = 2048, t = 40)   RSA 1024 bits (e = 17)
Public key       88440 bytes                       256 bytes
Ratio            60.5%                             100%
Encryption       55                                5120
Decryption       8029                              1572000
Cryptanalysis    2^102                             2^100

From A. Canteaut, N. Sendrier, Cryptanalysis of the Original McEliece Cryptosystem, Asiacrypt 98.

Advantages/Disadvantages
Advantage: efficient encryption and decryption algorithms.
Disadvantages: size of the public key; plaintext expansion.


Criteria to choose a code

The code must be efficiently decodable.
The size of the public key must be as small as possible (systematic matrix: m × k × (n − k)).
It must resist cryptanalysis: resistant to generic decoding algorithms, and the structure must be masked.


Codes with an algebraic decoding algorithm

Reed-Muller codes.
Reed-Solomon family: Generalized Reed-Solomon codes, Alternant codes, Goppa codes, BCH codes.
Gabidulin codes (rank metric).


How to reduce the size of the public key?

Use near MDS codes over extension fields.
Use codes with a small description, e.g. quasi-cyclic codes.
Use near MRD codes and the rank metric.


How to mask the structure of a code

Concatenation.
Permutation...
Subfield subcode technique.
Subcode.


Concatenation, permutation

Concatenation: can be easily recovered.
N. Sendrier: On the concatenated structure of a linear code. AAECC vol. 9, n. 3, 1998, pp. 221-242.

Permutation: generally can be easily recovered.
Exceptions: dim(C ∩ C⊥) is large; the permutation group of the code is large.
N. Sendrier: Finding the permutation between equivalent codes: the support splitting algorithm. IEEE Transactions on Information Theory, vol. 46, n. 4, 2000, pp. 1193-1203.
G. Skersys: Calcul du groupe d'automorphisme des codes. Détermination de l'équivalence des codes. PhD thesis, Limoges, 1999.


An example

Permuted Reed-Muller codes were used by Sidel'nikov in a public-key cryptosystem based on codes.
Parameters: [1024, 176, 128], t = 200. Size of public key: 19 KBytes. Resistance against decoding attacks: less than 2^75.

V.M. Sidel'nikov, A public-key cryptosystem based on Reed-Muller codes. Discrete Mathematics and Applications, vol. 4, n. 3, 1994, pp. 191-207.


Subfield subcodes

    C ⊂ GF(p^m)^n  (generator matrix M)     ←Duality→   C⊥ ⊂ GF(p^m)^n  (parity check matrix H)
          ↓ subfield subcode                                    ↓ trace code
    C0 = C ∩ GF(p)^n  (generator matrix M0)  ←Duality→   C0⊥ = H0 = Trace(C⊥) ⊂ GF(p)^n

If x ∈ GF(p)^n, then x ∈ C0 ⇔ H x^t = 0.
d0 ≥ d and k0 ≥ n − m(n − k) = k − (n − k)(m − 1).


An example: BCH codes and Reed-Solomon codes

α: primitive root of GF(p^m). Parity check matrix of RS(d) defined on GF(p^m):

$$H = \begin{pmatrix}
\alpha & \alpha^2 & \cdots & \alpha^{p^m-1} \\
\alpha^2 & \alpha^4 & \cdots & \alpha^{2(p^m-1)} \\
\vdots & \vdots & \ddots & \vdots \\
\alpha^{d-1} & \alpha^{(d-1)2} & \cdots & \alpha^{(d-1)(p^m-1)}
\end{pmatrix}$$

BCH(d) = RS(d) ∩ GF(p)^n: the cyclic code over GF(p) with roots α, α^2, ..., α^{d−1}.
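The subfield subcode of the previous two slides, worked in Python as an added example (not code from the talk). Constructed parameters: p = 2, m = 4, so GF(16) is built as GF(2)[x]/(x^4 + x + 1) with α = x, n = 15 and d = 5. The RS(5) parity check matrix is the one on the slide, column i being (α^i, α^{2i}, ..., α^{(d−1)i}); the example enumerates GF(2)^15, keeps the words with zero syndrome, and then checks what the slides claim: the result is a binary cyclic code (its lowest-degree codeword is the generator polynomial of the [15, 7, 5] BCH code), d0 ≥ d, and the trace code H0 = Trace(C⊥), built from a GF(2)-basis {1, α, α^2, α^3}, is orthogonal to C0.

```python
# GF(16) = GF(2)[x]/(x^4 + x + 1); alpha = x is a primitive root (constructed toy field).
M, N, D = 4, 15, 5                        # m, n = 2^m - 1, and d for RS(d)
EXP, LOG = [0] * (2 * N), [0] * (N + 1)
_v = 1
for _i in range(N):
    EXP[_i], LOG[_v] = _v, _i
    _v <<= 1
    if _v & 0b10000:
        _v ^= 0b10011                    # reduce modulo x^4 + x + 1
for _i in range(N, 2 * N):
    EXP[_i] = EXP[_i - N]


def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]


def alpha_pow(e):
    return EXP[e % N]


def rs_parity_columns(d=D):
    """Column i (1-based) of the slide's RS(d) parity-check matrix is
    (alpha^i, alpha^{2i}, ..., alpha^{(d-1)i}); the d-1 symbols are packed 4 bits each."""
    cols = []
    for i in range(1, N + 1):
        packed = 0
        for j in range(1, d):
            packed |= alpha_pow(j * i) << (M * (j - 1))
        cols.append(packed)
    return cols


def subfield_subcode(d=D):
    """BCH(d) = RS(d) ∩ GF(2)^n: keep every binary word x with H x^t = 0. For a
    binary x the syndrome is the XOR of the parity-check columns at its 1 positions."""
    cols = rs_parity_columns(d)
    code = []
    for x in range(1 << N):               # bit i of x <-> coordinate i + 1
        s = 0
        for i in range(N):
            if x >> i & 1:
                s ^= cols[i]
        if s == 0:
            code.append(x)
    return code


def trace(a):
    """Tr: GF(16) -> GF(2), a + a^2 + a^4 + a^8 (returns 0 or 1)."""
    t, p = 0, a
    for _ in range(M):
        t ^= p
        p = gf_mul(p, p)
    return t


def trace_code_rows(d=D):
    """H0 = Trace(C^perp): binary rows Tr(lambda * h_j) for each parity-check row h_j
    of RS(d) and each lambda in the GF(2)-basis {1, alpha, alpha^2, alpha^3} of GF(16)."""
    rows = []
    for j in range(1, d):
        for lam in (1, 2, 4, 8):
            row = 0
            for i in range(1, N + 1):
                if trace(gf_mul(lam, alpha_pow(j * i))):
                    row |= 1 << (i - 1)
            rows.append(row)
    return rows


def orthogonal(code, rows):
    return all(bin(c & r).count("1") % 2 == 0 for c in code for r in rows)


def generator_polynomial(code):
    """Lowest-degree nonzero codeword (bit i = coefficient of x^i): for a cyclic code this is g(x)."""
    return min((c for c in code if c), key=int.bit_length)


def demo():
    """Returns (|C0|, k0, d0, g(x) as an int, whether Trace(C^perp) is orthogonal to C0)."""
    code = subfield_subcode()
    k0 = len(code).bit_length() - 1      # |C0| = 2^k0
    d0 = min(bin(c).count("1") for c in code if c)
    return len(code), k0, d0, generator_polynomial(code), orthogonal(code, trace_code_rows())


if __name__ == "__main__":
    print(demo())
```

Here RS(5) over GF(16) is a [15, 11, 5] code and the subfield subcode is the [15, 7, 5] BCH code with g(x) = x^8 + x^7 + x^6 + x^4 + 1 (bit pattern 111010001); the bound k0 ≥ n − m(n − k) = 15 − 16 = −1 is satisfied but far from tight at this size, which is why the talk goes to intermediate subfields for better parameters.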


Subcodes

Principle: let C be a linear code with an efficient decoding algorithm. Choose C′ ⊊ C, a subcode of C. C′ is decodable with the decoding algorithm of C, and it seems difficult to recover C from C′.
Advantages: C′ is defined over the same field as C; d′ ≥ d and k′ = k − r with r ≤ 10, so the parameters remain good.


Subcodes

Practically: choose a decodable code C of parameters [n, k, d]. Let H_C be the (n − k) × n systematic parity check matrix of C. Construct an r × n matrix A made of a zero block, an r × r identity block and random entries:

$$A = \begin{pmatrix}
0 & \cdots & 0 & 1 & 0 & \cdots & 0 & a_{1,n-k+r} & \cdots & a_{1,n} \\
\vdots & & \vdots & 0 & \ddots & \ddots & \vdots & \vdots & & \vdots \\
\vdots & & \vdots & \vdots & \ddots & \ddots & 0 & \vdots & & \vdots \\
0 & \cdots & 0 & 0 & \cdots & 0 & 1 & a_{r,n-k+r} & \cdots & a_{r,n}
\end{pmatrix}$$

Choose an (n − k) × (n − k) invertible matrix S. The matrix

$$H_{C'} = \begin{pmatrix} S\,H_C \\ A \end{pmatrix}$$

is a parity check matrix of a subcode of C of dimension k − r.


GRS codes

Field: GF(2^m). α: a primitive root. n = p^m − 1.
The parity check matrix of the Reed-Solomon code RS(d) (left factor), multiplied by a diagonal matrix and a permutation matrix P, gives a parity check matrix of the Generalized Reed-Solomon code GRS(d):

$$H_{GRS(d)} = \begin{pmatrix}
\alpha & \alpha^2 & \cdots & \alpha^{p^m-1} \\
\alpha^2 & \alpha^4 & \cdots & \alpha^{2(p^m-1)} \\
\vdots & \vdots & \ddots & \vdots \\
\alpha^{d-1} & \alpha^{(d-1)2} & \cdots & \alpha^{(d-1)(p^m-1)}
\end{pmatrix} \times \begin{pmatrix}
\lambda_1 & 0 & \cdots & 0 \\
0 & \lambda_2 & \ddots & \vdots \\
\vdots & \ddots & \ddots & 0 \\
0 & \cdots & 0 & \lambda_n
\end{pmatrix} \times P$$


It is necessary to mask the structure of GRS codes

It is possible to recover the structure of a GRS code from its generator matrix in O(n^3) operations.
Sidel'nikov and Shestakov, On cryptosystems based on Generalized Reed-Solomon codes. Discrete Mathematics, vol. 4, n. 3, 1992, pp. 57-63.

How to mask GRS codes? Subfield subcodes. Subcodes. Other methods?


The Goppa codes: a good family of GRS subfield subcodes

Goppa codes are particular subfield subcodes of Generalized Reed-Solomon codes. Parity check matrix:

$$H = \begin{pmatrix}
\alpha_1 & \cdots & \alpha_n \\
\vdots & \ddots & \vdots \\
\alpha_1^{d-1} & \cdots & \alpha_n^{d-1}
\end{pmatrix} \times \begin{pmatrix}
g(\alpha_1)^{-1} & \cdots & 0 \\
\vdots & \ddots & \vdots \\
0 & \cdots & g(\alpha_n)^{-1}
\end{pmatrix} \times P$$

There exists a bound on the minimum distance, and hence on the error correcting capacity t.
Decodable using the classical decoders of Reed-Solomon codes.
A very large class: for example, there are more than 2^498 Goppa codes of parameters [1024, k′, 101], k′ ≥ 524.
They look like random codes.


Goppa codes over an intermediate subfield

The major problem is the size of the public key needed to resist decoding attacks.

Field   Parameters          Security   Size
GF(2)   [2048, 1608, 81]    2^102      88.5 KB

Another solution: intermediate subfield subcode. GRS(d): GRS code over GF(2^{2m}); C: subfield subcode over GF(2^m).

Field    Parameters          Security   Size
GF(32)   [1024, 956, 34]     2^100      41 KB
GF(32)   [1024, 860, 82]     2^140      88 KB


Subcodes of Generalized Reed-Solomon codes I

Subcodes of GRS codes: proposed by T.P. Berger and P. Loidreau. How to mask the structure of codes for a cryptographic use. Designs, Codes and Cryptography, 35, 63-79, April 2005.

r = 3, C is a [255, 129 = 132 − 3, 123] code. Size of the public key: 16254 bytes.

Field     Parameters         Security   Size
GF(255)   [255, 129, 123]    2^100 ?    16.2 KB

Recent attack on subcodes of GRS codes: C. Wieschebrink, An attack on a Modified Niederreiter Encryption Scheme, PKC 06.
Cost: $O(r^2 n + n^{2r+1} k' r^3)$ where $k' = k - r$.
With the proposed parameters, $r^2 n + n^{2r+1} k' r^3 \approx 2^{87}$. Broken?


Subcodes of Generalized Reed-Solomon codes II

For n = 256, k = 150 and r = 8: $r^2 n + n^{2r+1} k' r^3 \approx 2^{152}$.

Field     Parameters         Security   Size
GF(255)   [255, 142, 107]    2^98       16 KB

Is it secure? Research problem: more investigations on the effectiveness of this attack and on the security parameter r.
Remark: this attack only applies to Generalized Reed-Solomon codes; the subcode technique remains promising.


Construction based on the Punctured Code Problem

NP-complete problem:
Problem (Punctured Code) Given two codes C and D of length n and n + r, is it possible to obtain C by puncturing r positions of D?
C. Wieschebrink, Two NP-Complete Problems in Coding Theory with an Application in Code Based Cryptography, ISIT 06.

Application: add r random columns in random positions to a GRS code.
Proposed parameters: GRS code over GF(256): [256, 169, 88], r = 39. Decoding attack: 2^84. Size of public key: 20.8 KBytes.


Equivalent Subcode of Code Problem

The Punctured Code Problem can be easily reduced to:
Problem (Equivalent Subcode of Code) Given two codes C and C′ of length n and of dimensions k and k − r respectively, is the code C′ equivalent by permutation to a subcode of C?
Proof: reformulation of the PC problem in terms of the ESC problem. Is D equivalent by permutation to a subcode of the code C′ generated by

$$G_{C'} = \begin{pmatrix} M_C & 0 \\ 0 & I_{r \times r} \end{pmatrix} ?$$


A diagonal construction

Field: GF(2^m), n = p^m − 1 or n = p^m.
GRS1(d), GRS2(d): generator matrices of GRS codes of parameters [n, k = n + 1 − d, d].
A: random k × n matrix over GF(2^m).

$$G = S \times \begin{pmatrix} GRS_1(d) & A \\ 0_{k,n} & GRS_2(d) \end{pmatrix} \times P$$

G: generator matrix of a [2n, 2k, d] code over GF(2^m).


Practical values

Field     Parameters          Security   Size
GF(256)   [512, 348, 83]      2^100      57 KB
GF(256)   [512, 372, 71]      2^100      52 KB
GF(512)   [1024, 956, 35]     2^100      51 KB
GF(512)   [1024, 542, 242]    2^171      242 KB
GF(2)     [2048, 1608, 81]    2^102      88.5 KB

What about the security of this construction? Is it necessary to take a subcode?


A kind of (U,U+V) construction

Field: GF(2^m), n = p^m − 1 or n = p^m.
RS(d): generator matrix of the RS code [n, k1 = n + 1 − d, d].
RS(2d): generator matrix of the RS code [n, k2 = n + 1 − 2d, 2d].
Scal1, Scal2, Scal3: diagonal invertible n × n matrices (GRS codes).
P, P3: permutation n × n matrices.

$$G = S \times \begin{pmatrix} RS(d) \times Scal_1 & RS(d) \times Scal_2 \\ 0_{k_2,n} & RS(2d) \times Scal_3 \times P_3 \end{pmatrix} \times P$$

G: generator matrix of a [2n, k1 + k2, 2d] code over GF(2^m).


Practical values

Field     Parameters          Security   Size
GF(256)   [512, 439, 50]      2^100      32 KB
GF(256)   [512, 262, 168]     2^100      65.5 KB
GF(256)   [512, 160, 236]     2^122      56 KB
GF(512)   [1024, 978, 32]     2^100      51 KB
GF(512)   [1024, 903, 82]     2^161      123 KB
GF(512)   [374, 253, 82]      2^100      31 KB
GF(2)     [2048, 1608, 81]    2^102      88.5 KB

What about the security of this construction? Is it necessary to take a subcode?


Synthesis

Construction               Field     Parameters          Security   Size
Subcode of GRS code        GF(256)   [256, 142, 107]     2^98       16 KB
Punctured code             GF(256)   [295, 169, 88]      2^84       20.8 KB
(U,U+V)                    GF(256)   [512, 439, 50]      2^102      32 KB
Interm. subfield subcode   GF(32)    [1024, 956, 34]     2^97       41 KB
Diagonal construction      GF(256)   [512, 372, 71]      2^99       52 KB
Goppa code                 GF(2)     [2048, 1608, 81]    2^102      88.5 KB


Codes with short description

A solution to decrease the size of the public key is to use codes with a short description.

Well structured codes generally have a short description:
Goppa codes: Goppa polynomial.
Cyclic codes: generator polynomial.
BCH codes: designed distance d...
Unfortunately, the description generally reveals the structure...


Quasi-cyclic codes I

Recently, P. Gaborit presented a cryptosystem using quasi-cyclic codes: P. Gaborit. Shorter keys for code based cryptography. Proceedings of WCC 2005, Bergen (Norway), pp. 81-91, March 2005.

Principle: a quasi-cyclic code of order s is a code invariant under a shift of s positions. Such a code has a short description: indeed, from one row of the generator matrix, it is possible to deduce n/s other rows.
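The short-description principle above, as an added Python example (not code from the talk or from Gaborit's paper). It builds the n/s rows that one seed row determines, checks that the resulting code is indeed invariant under the shift of s positions but not, in general, under the shift of one position, and sizes the description. The toy parameters (n = 12, s = 3, seed row with 1s at positions 0, 1 and 3) are constructed; the `short_description_bytes` function assumes a public key made of a few seed rows of n bits, a reading that reproduces the 2.5 KBytes quoted on the next slide for n = 4095 with 5 rows, but that accounting is an assumption, not something the talk states.

```python
def cyclic_shift(x, s, n):
    """Shift a length-n binary word (bit i = coordinate i) cyclically by s positions."""
    mask = (1 << n) - 1
    s %= n
    return ((x << s) | (x >> (n - s))) & mask


def quasi_cyclic_generator(row, n, s):
    """The short description: one row of the generator matrix determines n/s rows,
    namely its shifts by 0, s, 2s, ... positions."""
    if n % s:
        raise ValueError("s must divide n")
    return [cyclic_shift(row, j * s, n) for j in range(n // s)]


def span(rows):
    """Every codeword generated by the rows (brute force; fine for toy sizes)."""
    words = {0}
    for r in rows:
        words |= {w ^ r for w in words}
    return words


def dimension(code):
    return len(code).bit_length() - 1      # |C| = 2^k


def invariant_under_shift(code, s, n):
    """Is the code mapped onto itself by the shift of s positions?"""
    return all(cyclic_shift(c, s, n) in code for c in code)


def short_description_bytes(n, rows):
    """Size of a quasi-cyclic public key made of `rows` seed rows of n bits
    (assumption about how such a key is stored; see the lead-in)."""
    return rows * n // 8


def demo():
    """Constructed toy: n = 12, s = 3, seed row 0b1011.
    Returns (dimension, invariant under shift by s, invariant under shift by 1)."""
    n, s = 12, 3
    rows = quasi_cyclic_generator(0b1011, n, s)
    code = span(rows)
    return dimension(code), invariant_under_shift(code, s, n), invariant_under_shift(code, 1, n)


if __name__ == "__main__":
    print(demo())
```

For the toy the four shifted rows are independent, so one 12-bit row describes a [12, 4] code that a systematic generator would need 4 × 8 bits to store; at the scale of the next slide the same saving is what brings a [4095, 3692] key down to a few kilobytes.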


Quasi-cyclic codes II

Proposed parameters: quasi-cyclic subcodes of BCH codes.
Size of code: [4095, 3692, 53]. Order s = 5. Size of public key: 2.5 KBytes. Transmission rate: 0.9. Decoding attack: 2^100. Structural attack: 2^91.
Work to do: a more extensive study of the security of quasi-cyclic based cryptography.
Do more efficient decoding algorithms devoted to quasi-cyclic codes exist?
How to construct efficiently large and secure families of quasi-cyclic codes with an efficient secret decoding algorithm?
