Signature scheme with chained linear-codes Omessaad HAMDI
Ammar BOUALLEGUE
Sami HARARI
SIS Laboratory USTV, France BP 20132 La Garde Cedex Fax 0494142744 Email:
[email protected]
SYSCOM Laboratory ENIT BP 37, le Bebelvedere, Tunis Tunisia
SIS Laboratory USTV BP 20132 La Garde Cedex France Fax 0494142744
Abstract— In this paper, we will introduce a new digital signature scheme based on the well-known problem: Syndrom Decoding (SD). It consists in chaining a set of linear-codes. Our scheme generates a short and fast signature. In addition to that, it has a smaller public key size than the McEliece signature introduced in[8]. The resulting matrix of chaining these codes forms the trap of our algorithm.The obtained results show the efficiency of our scheme in public key size and in signature length.
I. I NTRODUCTION The concept of digital signatures was proposed by Diffie and Hellman when they introduced the public key cryptography in their paper [1]. When a transactor wants to send a signed message m to the receiver, he sends the pair (m, s) where s is the signature s = D(m) (D is the signature algorithm). The receiver can, then, verify the signature by applying the sender’s public verification algorithm E to s (i.e. the relation E(s) = E(D(m)) = m must hold). Digital signatures are playing an important role in electronic commerce as they can replace a written signature. Several digital signature schemes are based on the discrete logarithm problem as ElGamal [2] and the large integer factorization problem as RSA [3]. People are now trying to design new digital signature schemes based on other mathematical hard problems. The problem of decoding linear codes is one of those, which has been proved by Berlekamp, McEliece and Van Tilborg to be NP-complete [4]. The first public-key cryptosystem based on linear error-correcting codes was proposed by McEliece in 1978[5]. This cryptosystem derives its security from the well known decoding problem. Since then, several other cryptographical schemes based on errorcorrecting codes have been proposed, such as Niederreiter cryptosystem [6 ]and the Harari identification scheme [7]. Some public-key cryptosystems, such as RSA, are also digital signature schemes [3]. Unlike RSA, McEliece’s public-key cryptosystem can not be used directly as a digital signature scheme because its encryption function maps binary k-tuples to binary n-tuples and this mapping is not surjective. After 25 years, N.courtois, M.Finiasz and N.Courtois have shown several ways to produce a practical signature schemes based on McEliece cryptosystem [8]. In this paper, we will present new signature schemes similar
to that of McEliece based on chained linear error-correcting codes. Our schemes claim that their security relies on the properties of error correcting codes (we will discuss this in section ??) and the difficulty of factorizing large matrices. We will begin by defining ”chained linear codes”. Then, we will introduce algorithm parameters and haw keys are generated. Before concluding, we will study scheme performances and we will discuss algorithm security. The obtained results show the efficiency of our scheme in public key size and in signature length. II. D EFINITION In order to build a system based on chained error correcting code, we need a family of linear codes with given parameters, that has some ”good” cryptographic properties. The family must be large enough to forbid an exhaustive attack, and each code Ci of the family is defined by its generating matrix Gi . The obtained system from chaining these codes called ”chained error-correcting codes” has a generating matrix with the following form: G1 0 0 0 0 ... 0 0 0 ... G ... G= k ... ... ... 0 0 0 0 Gl III. PARAMETERS OF ALGORITHM Let GF (2) be the field of two elements {1, 2}. In this paper, Ci denotes a binary linear code of length n and dimension ki , that is a subspace of dimension ki of the vector space GF (2)n . Elements of GF (2)n are called words and elements of Ci are called codewords of Ci . A code is usually defined by its generating matrix. The distance between two words of GF (2)n will be the hamming distance, that is the number of positions in which they differ. The weight of a word of GF (2)n is its Hamming distance to zero-words. C will denote a family of linear codes. A code Ci of C will be defined by its length n, its dimension ki and its correction capacity ti .
We will denote by BCH[n, ki , ti ] a BCH code of length n, dimension ki and correction capacity ti and by C(k, m) a repetition code of dimension k and of length k × m. In order to obtain an efficient digital signature we need two things: an algorithm able to compute a signature for any document and a fast verification algorithm to anyone. Thus, the chosen family of BCH-codes can not satisfy the first point. In fact, if we consider a random word of length n (n is the length of the chosen code) for these codes, it is chosen usually at a distance greater than the decoding capacity of this code. In other terms, we can obtain a word which is not decodable. One solution to this problem is to construct an algorithm able to decode any word of the space GF (2n ). In their paper [8], N.Courtois, M.Finiasz and N.Sendrier have introduced a method named complete decoding to resolve this problem. Complete decoding consists in finding the nearest codeword to any given word of the space GF (2n ). To achieve this goal, we do not decode with the correction capacity t but in a distance c = t + δ. In [8], authors evaluate the smallest δ for which the volume of the sphere of radius c is greater than 2n−k . δmin = min {δ ∈ N |
t+δ X
Cni > 2n−k }
(1)
i=0
Next, we will introduce the algorithm parameters. A. Secret parameters • • •
A linear-codes family C. A secret binary permutation matrix P . A secret binary invertible matrix S.
B. Public parameters The public key of our scheme consists in: •
A matrix G0 defined by:
•
G0 = S × G × P The matrix G is obtained from chaining linear-codes. By the construction of the algorithm, G0 is a permuted and scrambled generating matrix. The sum of used code correction capacities.
G is, consequently, diagonal in blocs whose diagonal is formed by elementary generating matrices of used codes (see section ??). To hide the structure of G, we permute its columns and then it will be multiplied by an invertible matrix. V. S IGNING A DOCUMENT In the present section, we describe the signature of a message M by our new scheme. A. Signing algorithm The document M to be signed is given by a binary sequence of length N . The first step, that a signer must do, is to choose parameters shown in the previous section. Indeed, the signer chooses a generator of codes, an invertible matrix S and a permutation matrix P. In the second step, he constructs the generating matrix G of chained linear error-correcting codes. Then, he calculates the matrix product: G0 = S.G.P and publishes this entity G0 . The third stage, is the signature. The signer who wants to sign the message M formed by a binary sequence of length N bits. First, he permutes his message by multiplying it by the inverse of P . Then, he divides his message in words of length n to get a family of words mi and he decodes( he applies systematic decoding for BCH-codes, that means, he looks for the nearest codeword and he keeps the first ki bits of every mi , ki represents dimension of used code to decode mi ). The concatenated blocs obtained after decoding represent a binary chain of length K which depends on generated codes. This chain will be multiplied by a matrix S −1 to obtain a chain y of length K where y is the signature of M . Let’s regroup this scheme in an algorithm: •
Algorithm parameters: – The family of linear-codes of length n = 15 and of dimension ki . The resulting matrix G of the chained codes is a diagonal matrix.
IV. K EY GENERATION In our scheme, the public key is deduced from the secret key as described in the previous section. We need only to describe how the secret key, particularly, the generating matrix G is obtained. We consider a linear-codes family C. A BCH-code Ci is defined by its length n = 15, its dimension ki ∈ {5, 7, 11} and its correction capacity ti and a repetition-code Ci is defined by its length n = 15 and its dimension ki ∈ {3, 5} and correction capacity ti . Codes of C will be generated randomly. The generated matrix G is resulted from chained linear-codes.
– The N × N binary permutation matrix P . – The K × K binary random invertible matrix S. •
Public key: G0 = S.G.P
•
Secret key : {S, G, P }
•
Signature:
– M is a document to be signed of length N . – x = M.P −1 – x = (x1 , x2 , . . . , xl ), xi , i = 1 . . . l are sequences of n bits and l = N n is the number of codes. – ai = decki (xi ), i = 1 . . . l. – a = (a1 , a2 , · · · , al ) has a length K =
P i
ki
– y = a.S −1 y is the signature. B. Control algorithm
original text must be inferior to the completed codes correction capacities sum. In Our implementation we have chosen to sign a binary sequence of length 500 with BCH[15, 11, c = 1], BCH[15, 7, c = 3], BCH[15, 5, c = 5], C(5, 3) and C(3, 5) (c is the correction capacity of completed code calculated with (1)). The obtained signature is of overage length N = 200 bits. The following table summarizes the efficiency of our scheme. Signature Data size Correction capacity Signature length(bit) key size(bits)
Chained linear-codes 500 t ' 195 ' 200 ' 120000
TABLE I S IGNATURE WITH CHAINED LINEAR - CODES
To control the signature validity , the verifier receives the message M , its signature y and the sum of correction Results given in the previous tables are the overage of 100 capacities of used codes. He multiplies y by the resulting measurements. generating matrix G0 to get a binary chain b of length N and he compares the distance between b and M to the sum of the VII. S ECURITY used codes correction capacities. The signature is valid if the following There are two ways to cryptanalyse our scheme: P condition is satisfied: . dH (b, M ) < i ci 1) Decoding a random linear code. 2) Recovering the original structure of the code from the VI. I MPLEMENTATION public key. A. Cost of signature A. Difficulty of decoding The signature algorithm is very fast. It consists in: •
•
•
One multiplication of a binary vector of length N by a matrix N × N . Therefore it requires N 2 /2 binary operations. One multiplication of a binary vector of length K by a matrix K × K. Therefore it requires K 2 /2 binary operations. Decoding operations of BCH-codes and repetition-codes which are very fast.
B. Cost of verification The algorithm of verification is very fast since it consists in a multiplication of a binary vector of length K by a matrix KxN . Therefore, it requires KxN/2 binary operations. C. Performances Our scheme is determinist to sign and to verify the validity of the signature. Indeed, it permits to sign all messages since the signer, who possesses the secret key (S, G, P ), can sign any message after completing BCH[15, 7, t = 2] and BCH[15, 5, t = 3]. Moreover, our algorithm also permits to verify all signatures for all message by anyone possessing the public key G0 . Indeed, the vrifier calculates y.G0 = y.S.G.P = a.G.P Then, he codes the text a to get a text x0 . By multiplying x0 by P , the distance between the obtained message and the
Our signature scheme is based on the G-SD problem introduced by P.Vron in his paper[9]. 1) Instance : A binary matrix G, a binary vector y and a non-negative integer w. 2) Question : Is there a binary vector e of hamming weight ≤ w such that y + e is a linear combination of G lines.
P.Vron showed that this problem is NP-complete by reducing it polynomially to the Syndrome Decoding problem which is known to be NP-complete. Many secure cryptographical constructions are based on this problem such as G-SD authentification scheme [9] and Neiderreiter cryptosystem [6]. Many algorithms of attacks of Syndrome Decoding were proposed [11,12,13,14]. All these algorithms fails if we choose a work factor less than 245 [9]. We have respect this condition in our scheme. B. Structural attack This attack consists in finding secret key from public key. In this case, the adversary which wants to forge a signature should distinguish a permuted generating matrix resulting from chained repetition codes from a random code. This attacks consist in finding the hidden generating matrix. To release this forgery, the adversary must enumerate all combinations
of generated codes and then tests their equivalences with the public key. However, there is 5N/n possible K × N matrix, so this attack is never practical. The adversary may proceed in other way to check secret generating matrix. He tries to guess used codes. The probability to guess a code is ( 15 )N/n . The overage number of used codes is 33 codes. So, the probability to guess a code is 2−75 . VIII. C ONCLUSION In this paper, we have defined a new signature scheme based on the well-known Syndrom Decoding problem SD. Our scheme consists in chaining a set of some linear-codes with various dimensions. The resulting matrix of chaining these codes forms the trap of our algorithm. Our scheme offers a fast and short signature with less public key size than McEliece signature. We welcome attack from readers. In the following table, we summarize the efficiency of our scheme compared to the original McEliece scheme. Signature Data size Capac.cor Sig.len Key.siz(bit)
McEliece 1024 50 524 989527
Linear-Codes 500 ' 195 ' 200 ' 120000
TABLE II C OMPARAISON OF CHAINED LINEAR - CODES SIGNATURE WITH M C E LIECE SIGNATURE
IX. R EFERENCES [1] W.Deffie and M.E. Hellman, New directions in cryptography, IEEE Transactions on information theory, vol 22, N.6, 1976, pp.644-654. [2] T.ElGamal, A public-key cryptosystem and a signature scheme based on discrete logarithms, Advances in Cryptography, Crypto’84, pp.10-18, 1985. [3] R.L. Rivest, A. Shamir and L.M. Adleman, A method for obtaining digital signatures and public key cryptosystems, Communications of the ACM, Vol.21, No.2, pp.120- 126, 1978. [4] E.R. Berlekamp, R.J. McEliece, and H.C.A. van Tilborg, On the inherent intractability of certain coding problems, IEEE Transactions on Information Theory, Vol.24, No.3,1978, pp.384-386. [5] R.J. McEliece. A public-key cryptosystem based on algebraic coding theory; DSN Prog. Rep., Jet Propulsion Laboratory, California Inst. Technol., Pasadena, CA, pp. 114116,January 1978. [6] H.Neiderreiter. Knapsack-type crytosystems and algebraic coding theory. Prob. Contr. Inform. Theory, 15(2):157166, 1986. [7] S.harari, Anew authentification algorithm, Proceeding of Coding Theory and Applications, Lectures Notes in Computers Sciences 388, 1988, pp91-105.
[8] N.Courtois, M.Finiasz, N.Sendrier. How to acheive a McEliece based digital signature scheme. In Asiacrypt 2001, number 2248 in LNCS, pages 157-174. Springer-Verlag, 2001. [9] P. Veron. A fast identification scheme. In IEEE Symposium on Information Theory, Canada, 1995. [10] Jacques Stern. A new identification scheme based on syndrome decoding. In Douglas R. Stinson, editor, Advances in Cryptology-CRYPTO ’93, volume 773 of Lecture Notes in Computer Science, pages 13-21. Springer-Verlag, 22-26 August 1993. [11] J.S.Leon, A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Trans. Inform. Theory, IT-34(5), 1988, pp. 1354-1359. [12] P.J.Lee and E.F. Brikell, An observation on the security of McEliece’s public key cryptosystem, Lecture notes in Computer Science , Advances in Cryptology, Eurocrypt’88, 1989, pp. 275-280. [13] J.stern, A method for finding codewords of small weight, Coding Theory and Applications, Lecture Notes in Computer Science 434, pp. 173-180. [14] A.Canteaut and H.Chabbane, A further improvement of the worfactor in an attempt at breaking Mceliece’s cryptosystem, Proceeding of Eurocode’94, Inria, pp. 163-167.