A distinguisher for high-rate McEliece Cryptosystems (PowerPoint presentation)

J.C. Faugère (INRIA, SALSA project), Valérie Gauthier (Math. dep. Tech. Univ. of Denmark), A. Otmani (Université Caen / INRIA, SECRET project), L. Perret (INRIA, SALSA project), J.-P. Tillich (INRIA, SECRET project)


  1. A distinguisher for high-rate McEliece Cryptosystems. J.C. Faugère (INRIA, SALSA project), Valérie Gauthier (Math. dep. Tech. Univ. of Denmark), A. Otmani (Université Caen / INRIA, SECRET project), L. Perret (INRIA, SALSA project), J.-P. Tillich (INRIA, SECRET project). May 12th, 2011

  2. Introduction. 1. (Generalized) McEliece Cryptosystem $\mathrm{McE}(K_{n,k,t})$
     $C$ a $q$-ary, length $n$, dimension $k$, $t$-error correcting code.
     • Public key: $G$ a $k \times n$ generator matrix of $C$ in $K(n,k,t)$
     • Secret key: $\Psi$ a $t$-error correcting procedure for $C$
     • Encryption: $x \to xG + e$ with $e$ of Hamming weight $t$
     • Decryption: $y \to \Psi(y)\,G^{-1}$ with $G^{-1}$ a right inverse of $G$.

  3. Introduction. Alternant codes / Goppa codes
     ◮ $x = (x_1, \dots, x_n) \in \mathbb{F}_{q^m}^n$ with $x_i \neq x_j$ if $i \neq j$
     ◮ $y = (y_1, \dots, y_n) \in \mathbb{F}_{q^m}^n$ with $y_i \neq 0$
     For any $r < n$, let
     $$H_r(x,y) \stackrel{\text{def}}{=} \begin{pmatrix} y_1 & y_2 & \cdots & y_n \\ y_1 x_1 & y_2 x_2 & \cdots & y_n x_n \\ \vdots & \vdots & & \vdots \\ y_1 x_1^{r-1} & y_2 x_2^{r-1} & \cdots & y_n x_n^{r-1} \end{pmatrix}$$
     Definition 1. An alternant code is the kernel of an $H$ of this type:
     $$A_r(x,y) \stackrel{\text{def}}{=} \{\, v \in \mathbb{F}_q^n \mid H_r(x,y)\, v^T = 0 \,\}.$$
     Goppa code: $\exists\, \Gamma$, a polynomial of degree $r$, such that $y_i = \Gamma(x_i)^{-1}$.

  4. Introduction. Decoding Alternant and Goppa codes
     Proposition 1 [decoding alternant codes]. $r/2$ errors can be decoded in polynomial time as long as $x$ and $y$ are known.
     Proposition 2 [the special case of binary Goppa codes]. In the case of a binary Goppa code ($q = 2$), $r$ errors can be decoded in polynomial time, if $x$ and $\Gamma$ are known and if $\Gamma$ has only simple roots.
     More generally a factor $\frac{q}{q-1}$ can be gained (exploited for instance in wild McEliece [Bernstein-Lange-Peters 2010]) by a suitable choice of $\Gamma$.

  5. Distinguisher (public key). 2. Distinguisher problem
     $K_{\mathrm{Goppa}}(n,k,t)$: the ensemble of generator matrices of $t$-error correcting Goppa codes of length $n$, dimension $k$
     $K_{\mathrm{alt}}(n,k)$: the ensemble of generator matrices of alternant codes of length $n$, dimension $k$
     $K_{\mathrm{lin}}(n,k)$: the ensemble of generator matrices of linear codes of length $n$ and dimension $k$.
     Can we distinguish between the cases (i) $G \in K_{\mathrm{Goppa}}(n,k,t)$, (ii) $G \in K_{\mathrm{alt}}(n,k)$, (iii) $G \in K_{\mathrm{lin}}(n,k)$?

  6. Distinguisher. Niederreiter $\mathrm{Nied}(K_{n,k,t})$
     $C$ a $q$-ary, length $n$, dimension $k$, $t$-error correcting code.
     • Public key: $H$ an $(n-k) \times n$ parity-check matrix of $C$, $H \in K_{n,k,t}$
     • Secret key: $\Psi$ a $t$-error correcting procedure for $C$
     • Encryption: $e \to eH^T$ with $e$ of Hamming weight $t$
     • Decryption: to decipher $s$, choose any $y$ of syndrome $s$, i.e. such that $s = yH^T$, and output $y - \Psi(y)$.

  7. Distinguisher. A probabilistic model of an attacker
     A $(T, \epsilon)$-adversary $\mathcal{A}$ for $\mathrm{Nied}(K_{n,k,t})$ is a program which runs in time at most $T$ and is such that
     $$\mathrm{Prob}_{H,e}\big(\mathcal{A}(H, eH^T) = e \mid H \in K_{n,k,t}\big) \geq \epsilon.$$
     Most attacks actually deal with an adversary for $\mathrm{Nied}(K_{\mathrm{lin}}(n,k))$ instead of $\mathrm{Nied}(K_{\mathrm{Goppa}}(n,k,t))$.

  8. Distinguisher. How the distinguisher appears
     $$\mathrm{Adv} \stackrel{\text{def}}{=} \mathrm{Prob}\big(\mathcal{A}(H, eH^T) = e \mid H \in K_{\mathrm{Goppa}}(n,k,t)\big) - \mathrm{Prob}\big(\mathcal{A}(H, eH^T) = e \mid H \in K_{\mathrm{lin}}(n,k)\big)$$
     Distinguisher $D$: input $H \in \mathbb{F}_q^{(n-k) \times n}$
     Step 1: pick a random $e \in \mathbb{F}_q^n$ of weight $t$
     Step 2: if $\mathcal{A}(H, eH^T) = e$ then return 1, else return 0.
     Advantage of $D$ = $|\mathrm{Adv}|$.

  9. Distinguisher. Either a decoding algorithm on linear codes or a distinguisher for Goppa codes
     Proposition 3. If there exists a $(T, \epsilon)$-adversary against $\mathrm{Nied}(K_{\mathrm{Goppa}}(n,k,t))$, then there exists either
     (i) a $(T, \epsilon/2)$-adversary against $\mathrm{Nied}(K_{\mathrm{lin}}(n,k))$ (i.e. a decoder for general linear codes working in time $T$ with success probability $\geq \epsilon/2$), or
     (ii) a distinguisher between $H \in K_{\mathrm{Goppa}}(n,k,t)$ and $H \in K_{\mathrm{lin}}(n,k)$ working in time $T + O(n^2)$ and with advantage at least $\epsilon/2$.

  10. Algebraic approach. 3. Algebraic approach for attacking the McEliece cryptosystem
     What is known: a basis of the code, i.e. the rows of a generator matrix $G = (g_{ij})$ of size $k \times n$.
     What we also know: $\exists\, x, y \in \mathbb{F}_{q^m}^n$ such that
     $$H_r(x,y)\, G^T = 0. \qquad (1)$$
     What we want to find: in the case of an alternant code, $x$ and $y$; in the special case of a binary Goppa code, $x$ and $\Gamma$.

  11. Algebraic approach. The algebraic system $H_r(x,y)\, G^T = 0$ translates to
     $$\left\{\begin{array}{rcl} g_{1,1} Y_1 + \cdots + g_{1,n} Y_n & = & 0 \\ & \vdots & \\ g_{k,1} Y_1 + \cdots + g_{k,n} Y_n & = & 0 \\ g_{1,1} Y_1 X_1 + \cdots + g_{1,n} Y_n X_n & = & 0 \\ & \vdots & \\ g_{k,1} Y_1 X_1 + \cdots + g_{k,n} Y_n X_n & = & 0 \\ & \vdots & \\ g_{1,1} Y_1 X_1^{r-1} + \cdots + g_{1,n} Y_n X_n^{r-1} & = & 0 \\ & \vdots & \\ g_{k,1} Y_1 X_1^{r-1} + \cdots + g_{k,n} Y_n X_n^{r-1} & = & 0 \end{array}\right. \qquad (2)$$
     where the $g_{i,j}$'s are known coefficients in $\mathbb{F}_q$ and $k \geq n - rm$.

  12. Algebraic approach. Freedom of choice in (2)
     Proposition 4. Theoretically, the system has $2n$ unknowns, but we can take arbitrary values for one $Y_i$ and for three $X_i$'s (as long as these values are different).

  13. Algebraic approach. Applications
     When the number of unknowns is small, ex:
     • Berger-Cayrel-Gaborit-Otmani proposal at AfricaCrypt'09 based on quasi-cyclic alternant codes
     • Misoczki-Barreto variant at SAC'09 based on quasi-dyadic Goppa codes
     ⇒ the algebraic system can be solved by (dedicated) Gröbner basis techniques.
     ◮ Breaks all parameters proposed in these articles ([Faugère-Otmani-Perret-Tillich; Eurocrypt 2010]) with the exception of binary dyadic codes. Related to [Leander-Gauthier Umana; SCC 2010].

  14. Naive attack. 4. A naive attack
     W.l.o.g. we can assume that $G$ is systematic in its $k$ first positions:
     $$G = \left(\, I_k \;\middle|\; P \,\right), \qquad I_k \text{ the } k \times k \text{ identity matrix},\ P \text{ of size } k \times (n-k),\ n - k = mr.$$

  15. Naive attack. Step 1: expressing the $Y_i X_i^d$'s in terms of the $Y_j X_j^d$'s for $j \in \{k+1, \dots, n\}$.
     Write $P = (p_{ij})$ with $1 \leq i \leq k$, $k+1 \leq j \leq n$. We can rewrite (2) as
     $$\left\{\begin{array}{rcl} Y_i & = & \sum_{j=k+1}^{n} p_{i,j}\, Y_j \\ Y_i X_i & = & \sum_{j=k+1}^{n} p_{i,j}\, Y_j X_j \\ & \vdots & \\ Y_i X_i^{r-1} & = & \sum_{j=k+1}^{n} p_{i,j}\, Y_j X_j^{r-1} \end{array}\right. \qquad (3)$$
     for all $i \in \{1, \dots, k\}$.

  16. Naive attack. Step 2: exploiting $Y_i\,(Y_i X_i^2) = (Y_i X_i)^2$
     $$\left\{\begin{array}{rcl} Y_i & = & \sum_{j=k+1}^{n} p_{i,j}\, Y_j \\ Y_i X_i & = & \sum_{j=k+1}^{n} p_{i,j}\, Y_j X_j \\ Y_i X_i^2 & = & \sum_{j=k+1}^{n} p_{i,j}\, Y_j X_j^2 \end{array}\right. \qquad (4)$$
     $$\Longrightarrow \Big(\sum_{j=k+1}^{n} p_{i,j}\, Y_j\Big)\Big(\sum_{j=k+1}^{n} p_{i,j}\, Y_j X_j^2\Big) = \Big(\sum_{j=k+1}^{n} p_{i,j}\, Y_j X_j\Big)^2$$
     $$\Longrightarrow \sum_{j=k+1}^{n} \sum_{j' > j} p_{i,j}\, p_{i,j'} \left( Y_j Y_{j'} X_{j'}^2 + Y_{j'} Y_j X_j^2 \right) = 0$$
     (the diagonal terms $p_{i,j}^2 Y_j^2 X_j^2$ are identical on both sides and cancel; the cross term $2\, Y_j X_j Y_{j'} X_{j'}$ vanishes in characteristic 2, which is the case $q = 2$ of the examples below).

  17. Naive attack. Step 3: linearization
     $$Z_{jj'} \stackrel{\text{def}}{=} Y_j Y_{j'} X_{j'}^2 + Y_{j'} Y_j X_j^2, \qquad \sum_{j=k+1}^{n} \sum_{j' > j} p_{i,j}\, p_{i,j'}\, Z_{jj'} = 0.$$
     ◮ $\binom{n-k}{2} \approx \frac{m^2 r^2}{2}$ unknowns
     ◮ $k = n - mr$ equations
     ⇒ reveals the $Z_{jj'}$ when $n - mr \geq \frac{m^2 r^2}{2}$?
     ◮ This happens for the Courtois-Finiasz-Sendrier scheme, which has to choose small values of $r$; ex: $n = 2^{21}$, $r = 10$, $m = 21$.

  18. Naive attack. Linearized system
     Definition 2. Assume that the public key $G$ of the McEliece cryptosystem is in systematic form $(I_k \mid P)$. The linearized system associated to $G$ is
     $$\left\{\begin{array}{rcl} \sum_{j=k+1}^{n} \sum_{j' > j} p_{1,j}\, p_{1,j'}\, Z_{jj'} & = & 0 \\ \sum_{j=k+1}^{n} \sum_{j' > j} p_{2,j}\, p_{2,j'}\, Z_{jj'} & = & 0 \\ & \vdots & \\ \sum_{j=k+1}^{n} \sum_{j' > j} p_{k,j}\, p_{k,j'}\, Z_{jj'} & = & 0 \end{array}\right.$$
     The dimension of the solution space is denoted by $D$.
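As an added example (not code from the slides or the authors), the following Python carries out steps 1 to 3 of the naive attack over $\mathbb{F}_2$: it builds the linearized system of Definition 2 from the redundancy part $P$ of a systematic key $(I_k \mid P)$ and computes $D$ by Gaussian elimination. The two sample matrices are constructed toy keys, not real McEliece keys.

```python
from itertools import combinations

def linearized_system(P):
    """Matrix of Definition 2 over F_2 for G = (I_k | P).
    One row per row i of P, one column per unknown Z_{jj'} (pair j < j' of
    redundancy positions); the entry in that column is p_{i,j} * p_{i,j'}."""
    pairs = list(combinations(range(len(P[0])), 2))
    rows = [[row[j] & row[jp] for (j, jp) in pairs] for row in P]
    return rows, pairs

def rank_gf2(rows):
    """Rank over F_2 of a 0/1 matrix by bit-packed Gaussian elimination."""
    pivots = {}  # position of the leading 1 -> packed row having that pivot
    for row in rows:
        v = int("".join(map(str, row)), 2) if row else 0
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]  # cancel the leading 1 with the stored pivot row
    return len(pivots)

def solution_dimension(P):
    """D = number of unknowns Z_{jj'} minus the rank of the linearized system."""
    rows, pairs = linearized_system(P)
    return len(pairs) - rank_gf2(rows)

def expected_random(k, n_minus_k):
    """Slide 19: dimension expected for a random G, max(0, C(n-k,2) - k)."""
    return max(0, n_minus_k * (n_minus_k - 1) // 2 - k)

# Constructed toy keys (not real keys): n - k = 4, hence 6 unknowns Z_{jj'}.
P_ALL_PAIRS = [[1, 1, 0, 0], [1, 0, 1, 0], [1, 0, 0, 1],
               [0, 1, 1, 0], [0, 1, 0, 1], [0, 0, 1, 1]]  # each row isolates one Z_{jj'}
P_WEIGHT_ONE = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0]]  # all products zero: no equations

if __name__ == "__main__":
    for name, P in (("all pairs", P_ALL_PAIRS), ("weight one", P_WEIGHT_ONE)):
        print(name, "D =", solution_dimension(P),
              "/ expected for a random key:", expected_random(len(P), len(P[0])))
```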

  19. Algebraic Distinguisher. Solving this system requires that
     • the number of equations $k$ is greater than the number of unknowns $\binom{n-k}{2}$
     • the rank is (almost) equal to the number of unknowns
     If $G$ is random then one would expect that the rank is $\min\big(k, \binom{n-k}{2}\big)$
     $$\Longrightarrow D = \max\Big(0,\ \binom{n-k}{2} - k\Big)$$
     But for several structured (Goppa, alternant) codes rank $< \min\big(k, \binom{n-k}{2}\big)$, and this defect can be quantified.

  20. Example $q = 2$ and $m = 14$
     r                3      4      5      6      7      8      9     10     11     12     13     14
     C(n-k, 2)      861   1540   2415   3486   4753   6216   7875   9730  11781  14028  16471  19110
     k            16342  16328  16314  16300  16286  16272  16258  16244  16230  16216  16202  16188
     D_rand           0      0      0      0      0      0      0      0      0      0    269   2922
     D_alternant     42    126    308    560    882   1274   1848   2520   3290   4158   5124   6188
     D_Goppa        252    532    980   1554   2254   3080   4158   5390   6776   8316  10010  11858

  21. Example $q = 2$ and $m = 14$ (continued)
     r               15     16     17     18     19     20     21     22     23     24     25     26     27
     C(n-k, 2)    21945  24976  28203  31626  35245  39060  43071  47278  51681  56280  61075  66066  71253
     k            16174  16160  16146  16132  16118  16104  16090  16076  16062  16048  16034  16020  16006
     D_rand        5771   8816  12057  15494  19127  22956  26981  31202  35619  40232  45041  50046  55247
     D_alternant   7350   8816  12057  15494  19127  22956  26981  31202  35619  40232  45041  50046  55247
     D_Goppa      13860  16016  18564  21294  24206  27300  30576  34034  37674  41496  45500  50046  55247

  22. Alternant case. Let $\ell \stackrel{\text{def}}{=} \lfloor \log_q (r-1) \rfloor$. Then
     $$D_{\mathrm{alternant}} = \frac{1}{2}\, m\, (r-1) \left( (2\ell + 1)\, r - 2\, \frac{q^{\ell+1} - 1}{q - 1} \right)$$
     as long as $\binom{n-k}{2} - D_{\mathrm{alternant}} < k$.
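As an added example (not code from the slides or the authors), this Python evaluates the dimension formulas of slides 19 and 22, the linearization condition of slide 17, and regenerates the $D_{\mathrm{rand}}$ and $D_{\mathrm{alternant}}$ rows of the $q = 2$, $m = 14$ tables. It assumes the full-length code $n = q^m$ with $k = n - mr$ (the parameters behind the tabulated $k$ values) and, where the validity condition of slide 22 fails, reports $D_{\mathrm{rand}}$ as the tables do.

```python
from math import comb

def d_random(n, k):
    """Slide 19: D expected for a random code, max(0, C(n-k,2) - k)."""
    return max(0, comb(n - k, 2) - k)

def floor_log(q, x):
    """floor(log_q(x)) with integer arithmetic only (x >= 1)."""
    ell = 0
    while q ** (ell + 1) <= x:
        ell += 1
    return ell

def d_alternant(q, m, r):
    """Slide 22 with l = floor(log_q(r-1)).  Assumes n = q^m and k = n - m r.
    The formula is stated only while C(n-k,2) - D_alternant < k; beyond that the
    tables report the random value, so the same fallback is used here."""
    n = q ** m
    k = n - m * r
    ell = floor_log(q, r - 1)
    d = m * (r - 1) * ((2 * ell + 1) * r - 2 * (q ** (ell + 1) - 1) // (q - 1)) // 2
    return d if comb(n - k, 2) - d < k else d_random(n, k)

def linearization_reveals_z(n, m, r):
    """Slide 17: the naive attack can solve for the Z_{jj'} when the number of
    equations k = n - m r is at least the number of unknowns C(m r, 2)
    (exact binomial instead of the slide's approximation m^2 r^2 / 2)."""
    return n - m * r >= comb(m * r, 2)

def table_row(q, m, r):
    """One column of the slide 20/21 tables: (C(n-k,2), k, D_rand, D_alternant)."""
    n = q ** m
    k = n - m * r
    return comb(n - k, 2), k, d_random(n, k), d_alternant(q, m, r)

if __name__ == "__main__":
    print("r  C(n-k,2)  k  D_rand  D_alternant")
    for r in range(3, 28):
        print(r, *table_row(2, 14, r))
    # Courtois-Finiasz-Sendrier parameters quoted on slide 17
    print("CFS n=2^21, m=21, r=10 linearizable:", linearization_reveals_z(2 ** 21, 21, 10))
```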
