LESS IS MORE: CODE-BASED SIGNATURES WITHOUT SYNDROMES
J.-F. Biasse, G. Micheli, E. Persichetti and P. Santini
20 July 2020
Presented by E. Persichetti, Florida Atlantic University, 20 July 2020 (slide 1 / 17)
Traditional Code-Based Approach (slide 2 / 17)
McEliece: the first cryptosystem using error-correcting codes (1978).
Based on the hardness of decoding random linear codes.
It is important that the chosen code be indistinguishable from a random one.
→ the Code Equivalence Problem.
Code Equivalence Notions (slide 3 / 17)
Permutation Code Equivalence. Two codes $\mathcal{C}$ and $\mathcal{C}'$ are permutationally equivalent, written $\mathcal{C} \overset{PE}{\sim} \mathcal{C}'$, if there is a permutation $\pi \in S_n$ that maps $\mathcal{C}$ onto $\mathcal{C}'$, i.e. $\mathcal{C}' = \{\pi(x) : x \in \mathcal{C}\}$.
This notion can be extended using linear isometries, which may also multiply each coordinate by a non-zero field element.
Linear Code Equivalence. Two codes $\mathcal{C}$ and $\mathcal{C}'$ are linearly equivalent, written $\mathcal{C} \overset{LE}{\sim} \mathcal{C}'$, if there is a linear isometry $\mu = (v, \pi) \in \mathbb{F}_q^{*n} \rtimes S_n$ such that $\mathcal{C}' = \mu(\mathcal{C})$, i.e. $\mathcal{C}' = \{\mu(x) : x \in \mathcal{C}\}$.
The Code Equivalence Problem (slide 4 / 17)
Code equivalence can be described using generator matrices. Clearly:
$\mathcal{C} \overset{PE}{\sim} \mathcal{C}' \iff \exists\,(S, P) \in GL_k(q) \times S_n \text{ s.t. } G' = SGP,$
$\mathcal{C} \overset{LE}{\sim} \mathcal{C}' \iff \exists\,(S, Q) \in GL_k(q) \times M_n(q) \text{ s.t. } G' = SGQ,$
where $P$ is a permutation matrix and $Q$ a monomial matrix (exactly one non-zero entry per row and per column). The invertible $S$ only changes the basis (same code, different generator matrix), while $P$ or $Q$ applies the isometry to the codewords.
Permutation (Linear) Code Equivalence Problem. Let $\mathcal{C}$ and $\mathcal{C}'$ be two $[n, k]$ linear codes over $\mathbb{F}_q$, having generator matrices $G$ and $G'$, respectively. Determine whether the two codes are permutationally (linearly) equivalent, i.e. whether there exist matrices $S \in GL_k(q)$ and $P \in S_n$ ($Q \in M_n(q)$) such that $G' = SGP$ ($G' = SGQ$).
Hardness at a Glance (slide 5 / 17)
Studied for a very long time.
Unlikely to be NP-complete (unless the polynomial hierarchy collapses) (Petrank and Roth, 1997).
Existing algorithms efficiently attack particular cases, however...
...the underlying exponential complexity makes it easy to find intractable instances.
Applications in Cryptography (slide 6 / 17)
Could Code Equivalence be used as a stand-alone problem?
The situation for linear isometries recalls that of the DLP (although without commutativity).
This means several existing constructions could be adapted to be based on Code Equivalence, with evident computational advantages.
In this work, we construct a ZK protocol based exclusively on the hardness of the linear code equivalence problem.
This can then be transformed into a full-fledged signature scheme via Fiat-Shamir.
Since the scheme does not rely on decoding hardness, very small codes can be employed, leading to very practical instances.
LESS Identification Scheme (slide 7 / 17)
Key Generation. Choose a linear code $\mathcal{C}$ with generator matrix $G$. SK: an invertible matrix $S$ and a monomial matrix $Q$. PK: the matrix $G' = SGQ$.
Prover's Computation. Choose a random monomial matrix $\tilde{Q}$. Set $\tilde{G} = G\tilde{Q}$ and $h = \mathrm{Hash}(\mathrm{SystForm}(\tilde{G}))$ (the commitment $h$ is sent to the verifier). After receiving the challenge bit $b$: if $b = 0$ respond with $\mu = \tilde{Q}$; if $b = 1$ respond with $\mu = Q^{-1}\tilde{Q}$.
Verifier's Computation. If $b = 0$ verify that $\mathrm{Hash}(\mathrm{SystForm}(G\mu)) = h$. If $b = 1$ verify that $\mathrm{Hash}(\mathrm{SystForm}(G'\mu)) = h$.
Security Requirements (slide 8 / 17)
The three main security aspects of a zero-knowledge identification scheme are easily proved (sketch below).
Completeness: this is immediate, and it is possible thanks to the use of the systematic form. For $b = 1$ the verifier computes $G'\mu = SGQQ^{-1}\tilde{Q} = SG\tilde{Q}$, which generates the same code as $\tilde{G} = G\tilde{Q}$; since the systematic form depends only on the code and not on the chosen generator matrix, the factor $S$ cancels and the hash matches $h$.
Zero-Knowledge: the produced responses do not leak information about the private key. In fact, in both cases, the response is distributed uniformly at random over the set of all monomial matrices: $\tilde{Q}$ is uniform by construction, and multiplying it by the fixed $Q^{-1}$ preserves uniformity.
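As a worked illustration of the identification round on slide 7 and of the zero-knowledge argument sketched above, here is an added toy implementation in Python. It is not the authors' code or the LESS reference implementation. The parameters $q = 7$, $n = 8$, $k = 4$ are tiny assumed values with no security at all, SHA-256 stands in for Hash, the reduced row echelon form (a canonical form of the code, which is exactly what makes $S$ cancel) stands in for SystForm, and a seeded PRNG is used only so that the run is reproducible.

```python
# Added toy LESS-style identification round + Fiat-Shamir signature (not the authors' code).
import hashlib
import random

q, n, k = 7, 8, 4  # assumed toy parameters (prime field F_7, [8, 4] code), not the paper's

def rref(A):
    """RREF over F_q: canonical for the row space, so it serves as SystForm (rref(S*G) == rref(G))."""
    A = [row[:] for row in A]
    r = 0
    for c in range(len(A[0])):
        piv = next((i for i in range(r, len(A)) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, q)
        A[r] = [(x * inv) % q for x in A[r]]
        for i in range(len(A)):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(a - f * b) % q for a, b in zip(A[i], A[r])]
        r += 1
    return A

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]

def random_monomial(rng):
    """n x n monomial matrix: a permutation with one non-zero scalar per row and column."""
    perm = list(range(n))
    rng.shuffle(perm)
    Q = [[0] * n for _ in range(n)]
    for i, j in enumerate(perm):
        Q[i][j] = rng.randrange(1, q)
    return Q

def monomial_inverse(Q):  # transpose and invert each non-zero scalar
    return [[pow(Q[j][i], -1, q) if Q[j][i] else 0 for j in range(n)] for i in range(n)]

def random_invertible(rng):
    while True:
        S = [[rng.randrange(q) for _ in range(k)] for _ in range(k)]
        if rref(S) == [[int(i == j) for j in range(k)] for i in range(k)]:
            return S

def commit(G):
    """h = Hash(SystForm(G)); SHA-256 is an assumed Hash, the byte encoding assumes q < 256."""
    return hashlib.sha256(bytes(x for row in rref(G) for x in row)).hexdigest()

def keygen(rng):
    G = [[int(i == j) for j in range(k)] + [rng.randrange(q) for _ in range(n - k)] for i in range(k)]
    S, Q = random_invertible(rng), random_monomial(rng)
    return (S, Q), (G, matmul(matmul(S, G), Q))  # sk = (S, Q), pk = (G, G' = S G Q)

def prover_commit(G, rng):
    Qt = random_monomial(rng)  # Q~ stays secret; only h is sent
    return Qt, commit(matmul(G, Qt))

def prover_respond(Qt, Q, b):
    return Qt if b == 0 else matmul(monomial_inverse(Q), Qt)  # mu = Q~ or Q^-1 Q~

def verify_round(G, Gp, h, b, mu):
    # b = 1: G' mu = S G Q Q^-1 Q~ = S G Q~ spans the same code as G Q~, so S cancels out
    return commit(matmul(G if b == 0 else Gp, mu)) == h

def simulate(pk, b, rng):
    """ZK simulator: with no secret key, pick a uniform monomial response and derive h from it."""
    G, Gp = pk
    mu = random_monomial(rng)
    return commit(matmul(G if b == 0 else Gp, mu)), mu

def challenge_bits(msg, hs):
    d = hashlib.sha256(msg + "".join(hs).encode()).digest()
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(len(hs))]  # requires len(hs) <= 256

def sign(sk, pk, msg, rng, t=32):
    """Fiat-Shamir: t parallel rounds; soundness error 2^-t, so real instances need a larger t."""
    G, Q = pk[0], sk[1]
    Qts, hs = zip(*(prover_commit(G, rng) for _ in range(t)))
    return list(hs), [prover_respond(Qt, Q, b) for Qt, b in zip(Qts, challenge_bits(msg, hs))]

def verify(pk, msg, sig):
    (G, Gp), (hs, mus) = pk, sig
    bits = challenge_bits(msg, hs)
    return len(hs) == len(mus) and all(verify_round(G, Gp, h, b, mu) for h, b, mu in zip(hs, bits, mus))

def seeded_rng(seed=2024):
    """Deterministic PRNG for reproducibility only; a real signer must draw Q, Q~ from a CSPRNG."""
    return random.Random(seed)

if __name__ == "__main__":
    rng = seeded_rng()
    sk, pk = keygen(rng)
    msg = b"constructed test message"  # constructed sample input
    print("signature valid:", verify(pk, msg, sign(sk, pk, msg, rng)))
```

Running the file prints whether a 32-round Fiat-Shamir signature over a constructed message verifies. Three things in it are worth checking by hand: `rref(matmul(S, G)) == rref(G)`, which is the reason completeness holds and the secret $S$ is never needed by the verifier; `simulate`, which produces accepting transcripts without the secret key and is the zero-knowledge argument from the slide in executable form; and the fact that a response prepared for the other challenge bit is rejected, which is where soundness comes from (a cheating prover can prepare for only one of the two bits, so each round halves the cheating probability). Production code would additionally need a CSPRNG, care that the handling of $Q$ does not leak through timing, and parameters and a round count chosen for the target security level.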