
Cryptographic applications of codes in rank metric Pierre Loidreau - PowerPoint PPT Presentation



1. Cryptographic applications of codes in rank metric
Pierre Loidreau, CELAR and Université de Rennes, Pierre.Loidreau@m4x.org
June 16th, 2009

2. Plan
- Introduction
- Rank metric and cryptography
- Gabidulin codes and linearized polynomials
- McEliece type cryptosystems
- AF-like cryptosystems

3. Rank metric and cryptography

4. History of cryptographic applications
- Encryption schemes [Gabidulin-Paramonov-Tretjakov 91]; the trapdoor is the difficulty of decoding in rank metric
- Authentication codes [Johansson 95]
- Zero-knowledge identification scheme [Chen 96]
- Hash functions for MACs [Safavi-Naini-Charnes 05]

5. Rank metric
Definition (rank of a vector). Let $\gamma_1,\dots,\gamma_m$ be a basis of $\mathbb{F}_{q^m}/\mathbb{F}_q$ and $e=(e_1,\dots,e_n)\in(\mathbb{F}_{q^m})^n$. Expand every coordinate over this basis, $e_i=\sum_{j=1}^{m} e_{ji}\gamma_j$ with $e_{ji}\in\mathbb{F}_q$, and define
$$\mathrm{Rk}(e)\stackrel{\text{def}}{=}\mathrm{Rk}\begin{pmatrix} e_{11} & \cdots & e_{1n}\\ \vdots & \ddots & \vdots\\ e_{m1} & \cdots & e_{mn}\end{pmatrix}\qquad\forall\, e\in\mathbb{F}_{q^m}^n .$$
Definition. $\mathcal{C}\subset\mathbb{F}_{q^m}^n$ is an $(n,M,d)_r$-code if $M=|\mathcal{C}|$ and its minimum rank distance is $d=\min_{c_1\neq c_2\in\mathcal{C}}\mathrm{Rk}(c_1-c_2)$.

6. Bounds in rank metric
Volume of the sphere of radius $t$: $q^{(m+n-1)t-t^2}\le S_t\le q^{(m+n+1)t-t^2}$
Volume of the ball of radius $t$: $q^{(m+n-1)t-t^2}\le B_t\le q^{(m+n+1)t-t^2+1}$
Classical bounds:
- Singleton: $M\le q^{\min(m(n-d+1),\,n(m-d+1))}$; codes meeting it are the MRD codes
- Sphere-packing: $M\,B_{\lfloor (d-1)/2\rfloor}\le q^{mn}$; codes meeting it would be perfect codes
- GV-like: $M\,B_{d-1}<q^{mn}\ \Rightarrow\ $ there exists an $(n,M+1,d)_r$ code

7. Proposition ([L.06]). No perfect codes exist. For $\mathcal{C}$ on the GV bound, if $mn\ge\log_q M=o(n)(m+n)$, then
$$\frac{d}{n}\ \underset{n\to+\infty}{\sim}\ \frac{1}{2n}\Big((m+n)-\sqrt{(m-n)^2+4\log_q M}\Big).$$
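The asymptotic in the proposition follows from the GV-like bound and the ball-volume estimate of slide 6. The derivation below is added here and is not on the slides; it assumes, as the proposition does, that the lower-order terms coming from the slack in the ball-volume bounds are negligible against $d$ (this is where the growth condition on $\log_q M$ enters).

A code on the GV bound satisfies $M\,B_{d-1}\approx q^{mn}$. From $q^{(m+n-1)t-t^2}\le B_t\le q^{(m+n+1)t-t^2+1}$ we get $\log_q B_{d-1}=(m+n)(d-1)-(d-1)^2+O(d)$. Writing $\delta=d-1$,
$$\log_q M+(m+n)\delta-\delta^2=mn+O(\delta),$$
that is
$$\delta^2-(m+n)\delta+(mn-\log_q M)=O(\delta).$$
Solving the quadratic and keeping the root with $\delta\le\min(m,n)$, using $(m+n)^2-4mn=(m-n)^2$,
$$\delta=\frac{(m+n)-\sqrt{(m+n)^2-4(mn-\log_q M)}}{2}+o(n)=\frac{(m+n)-\sqrt{(m-n)^2+4\log_q M}}{2}+o(n).$$
Dividing by $n$ gives the proposition. Sanity check for $m=n$ and a $k$-dimensional code over $\mathbb{F}_{q^n}$ ($\log_q M=kn$): $\delta=n-\sqrt{kn}$, so $d/n\to 1-\sqrt{k/n}=1-\sqrt{R}$, the rank-metric GV bound for square matrices.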

8. Decoding problems for linear codes
Parameters: $\mathcal{C}$ generated by the matrix $G$; $y\in\mathbb{F}_{q^m}^n$ the received vector; $t$ an integer.
Problems:
- MDD: find $x$ such that $\mathrm{Rk}(y-xG)=\min_{c\in\mathcal{C}}\mathrm{Rk}(y-c)$
- BDD: find, if it exists, $x$ such that $\mathrm{Rk}(y-xG)\le t$
- LD: find all $x$ such that $\mathrm{Rk}(y-xG)\le t$
Are these search problems NP-hard?

9. Solving BDD($t$) for $t\le\lfloor (d-1)/2\rfloor$
Principle: find the minimum-rank codewords in the code generated by
$$G'=\begin{pmatrix} G\\ y\end{pmatrix}=S\,(I_{k+1}\mid R).$$
System to solve: $(\beta_1,\dots,\beta_t)\,(U_2-U_1R)=0$.
Methods:
- Try and solve [Chabaud-Stern 96, Ourivski-Johansson 02]:
  Basis enumeration: complexity $\le (k+t)^3\,q^{(t-1)(m-t)+2}$
  Coordinates enumeration: complexity $\le (k+t)^3\,t^3\,q^{(t-1)(k+1)}$
- Projection on the base field and Gröbner basis techniques [Levy-Perret 06]

10. Why use rank metric for cryptographic applications
Complexities of solving BDD($t$) for an $[n,k,d]$ code over $\mathbb{F}_{2^m}$, with $R=k/n$, $t=\alpha_1 n$ and $k=\alpha_2 n$:
- Information-set decoding: $\sim M(\mathbb{F}_{2^m})\,n^3\,2^{\,n\left(H_2(t/n)-(1-R)\,H_2\left(t/((1-R)n)\right)\right)}=m^2 n^3\,2^{\alpha n}$, where $M(\mathbb{F}_{2^m})$ is the cost of one multiplication in $\mathbb{F}_{2^m}$
- Coordinates enumeration: $\le (k+t)^3\,t^3\,2^{(\alpha_1 n-1)(\alpha_2 n+1)}$
The exponent is linear in $n$ for information-set decoding but quadratic in $n$ for the best known rank-metric decoder, which allows smaller public keys in McEliece-type systems.

11. Gabidulin codes and linearized polynomials

12. Gabidulin codes
Let $a=(a_1,\dots,a_n)\in\mathbb{F}_{q^m}^n$, where the $a_i$ are linearly independent over $\mathbb{F}_q$ (so $n\le m$). Consider
$$G=\begin{pmatrix} a_1 & \cdots & a_n\\ \vdots & \ddots & \vdots\\ a_1^{[k-1]} & \cdots & a_n^{[k-1]}\end{pmatrix},\qquad\text{where } [i]\stackrel{\text{def}}{=}q^i .\qquad (1)$$
Definition ([Gabidulin85]). The code generated by $G$ is denoted $\mathrm{Gab}_k(a)$.

13. Properties of the codes
- They are MRD codes (which also implies MDS)
- The dual of $\mathrm{Gab}_k(a)$ is a $\mathrm{Gab}_{n-k}(h)$
- The rank distribution is known
- The permutation group is trivial [Berger 03]

14. Decoding algorithms
Decoding $t=\lfloor (d-1)/2\rfloor$ rank errors in a $\mathrm{Gab}_{n-d+1}(g)$ code; complexity counted in multiplications in $\mathbb{F}_{q^m}$:
- Extended Euclidean [Gabidulin85]: $2t(n+5t)$
- Linear system solving [Gabidulin91]: $2t(n+t^2/2)$
- Linear system solving [Roth91]: $2t(n+3t+t^2/4)$
- BM-like [Richter-Plass 05]
- WB-like [L.05]: $2t(4n-t)$

15. McEliece-like cryptosystems

16. Description [Gabidulin-Paramonov-Tretjakov 91]
Parameters: $g=(g_1,\dots,g_n)\in\mathbb{F}_{q^m}^n$.
Private key:
- $G$ generating $\mathrm{Gab}_k(g)$, correcting rank-$t$ errors
- $S$, an invertible $k\times k$ scrambling matrix over $\mathbb{F}_{q^m}$
- $T$, an isometry of the rank metric (an invertible $(n+t_1)\times(n+t_1)$ matrix over $\mathbb{F}_q$)
- $Z$, a $k\times t_1$ matrix over $\mathbb{F}_{q^m}$
Public key:
$$G_{pub}=S\,(G\mid Z)\,T,\qquad (2)$$
where $Z$ occupies the last $t_1$ columns of $(G\mid Z)$.

17. Encryption: $y=xG_{pub}+e$ with $\mathrm{Rk}(e)\le t-t_1$.
Decryption: compute $yT^{-1}=x(G\mid Z)+eT^{-1}$; since $T$ is an isometry, $\mathrm{Rk}(eT^{-1})=\mathrm{Rk}(e)$. Puncture the last $t_1$ positions (puncturing cannot increase the rank of the error) and decode the result in $\mathrm{Gab}_k(g)$.
Security assumption: BDD($t$) is difficult.

18. Properties in rank metric
Advantages:
- Fast encryption and decryption
- Enables small keys ($\le 50\,000$ bits)
- Security against reaction attacks
Drawbacks:
- Transmission rate not optimal
- Weakness against message-resend attacks
- ONLY ONE family of decodable codes is known, so scrambling the structure is mandatory

19. History of systems
$G, G_1, G_2$: generator matrices of Gabidulin codes; $H$: parity-check matrix of a Gabidulin code.
- Scrambling matrix [Gabidulin-Paramonov-Tretjakov 91]: $G_{pub}=SG+X$
- Right scrambler [Gabidulin-Ourivski 01]: $G_{pub}=S\,(G\mid Z)\,T$
- Subcodes [Berger-L. 02]: $H_{pub}=S\begin{pmatrix} H\\ A\end{pmatrix}$
- Reducible rank codes [Ourivski-Gabidulin-Honary-Ammar 03], [Berger-L. 04]: $G_{pub}=S\begin{pmatrix} G_1 & 0\\ A & G_2\end{pmatrix}T$

20. Structural attacks [Overbeck06]
Principle, for $G_{pub}=S\,(G\mid Z)\,T$. Gabidulin codes are quasi-stable under the Frobenius $\alpha\mapsto\alpha^q\stackrel{\text{def}}{=}\alpha^{[1]}$:
$$\mathrm{Gab}_k(g)\cap[\mathrm{Gab}_k(g)]^{[1]}=\mathrm{Gab}_{k-1}(g^{[1]}).$$
Apply the Frobenius to the public key $G_{pub}=S\,(G\mid Z)\,T$ (it commutes with $T$, whose entries lie in $\mathbb{F}_q$) and stack the results:
$$\underbrace{\begin{pmatrix} G_{pub}\\ \vdots\\ G_{pub}^{[n-k-1]}\end{pmatrix}}_{\overline{G_{pub}}}=\underbrace{\begin{pmatrix} S & \cdots & 0\\ \vdots & \ddots & \vdots\\ 0 & \cdots & S^{[n-k-1]}\end{pmatrix}}_{\overline{S}}\ \underbrace{\begin{pmatrix} G & Z\\ \vdots & \vdots\\ G^{[n-k-1]} & Z^{[n-k-1]}\end{pmatrix}}_{\overline{(G\mid Z)}}\ T .$$

21. Proposition. If $\dim(\ker_r(\overline{G_{pub}}))=1$, where $\overline{G_{pub}}$ is the stacked matrix of the previous slide and $\ker_r$ its right kernel, then a decoder for the public code can be recovered in polynomial time.
Proof. In that case $\ker_r(\overline{G_{pub}})=\{\,T^{-1}(\alpha h\mid 0)^{\mathsf T},\ \alpha\in\mathbb{F}_{q^m}\,\}$, where $h$ spans the one-dimensional dual of $\mathrm{Gab}_{n-1}(g)$, the code generated by the stacked $G^{[i]}$,

22. For security: choose $Z$ so that $\dim(\ker_r(\overline{G_{pub}}))>1$.
Proposition. If $1\le\mathrm{Rk}(Z)\le (t_1-\ell)/(n-k)$, then $\dim(\ker_r(\overline{G_{pub}}))\ge 1+\ell$.
Possible parameters (key size in bits, $k(n+t_1-k)m$ for a systematic public key):
m = n | k | Rk(Z) | ℓ | t_1 | Key size | Decoding | Rate k/(n+t_1) | Improv.
24 | 12 | 3 | 4 | 40 | 14 976 | > 2^83 | 19% | 35%
24 | 12 | 4 | 4 | 52 | 18 432 | > 2^83 | 15.8% | 33%
The same problem arises with reducible rank codes. These modifications imply an increased public-key size.
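The definitions and the attack above can be exercised end to end on toy parameters. The following Python is an added example, not code from the slides or from the author: it fixes $q=2$, $m=n=8$ (so $\mathbb{F}_{q^m}=\mathbb{F}_{2^8}$, built with the AES polynomial, an arbitrary choice), implements the rank weight of slide 5 by expanding coordinates over the polynomial basis, the generator matrix (1) of slide 12, a GPT public key $S(G\mid Z)T$ as on slide 16 together with a rank-bounded error as in slide 17, and the stacked Frobenius matrix of slide 20, whose right-kernel dimension is what Overbeck's proposition tests. It then compares a generic $Z$ (kernel of dimension 1, so the attack applies) with a $Z$ of rank 1, which meets the condition of the proposition on this slide with $\ell=1$ and forces a kernel of dimension at least 2. The parameters $k=4$, $t_1=5$ and the random seed are assumptions for illustration; the Gabidulin decoder itself is not implemented, only the distinguishing step of the attack.

```python
import random

M = 8            # q = 2, m = 8: F_{q^m} = F_{2^8}; field elements are 8-bit integers
POLY = 0x11B     # x^8 + x^4 + x^3 + x + 1, irreducible over F_2 (the AES field polynomial)

def gf_mul(a, b):
    """Multiply two elements of F_{2^8}: shift-and-add, reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def frob(a, i=1):
    """Frobenius power a -> a^[i] = a^(q^i) = a^(2^i): i successive squarings."""
    for _ in range(i):
        a = gf_mul(a, a)
    return a

def rank(mat):
    """Rank over F_{2^8} by row reduction; rows are scaled by nonzero pivots instead of
    normalised, which leaves the rank unchanged. A 0/1 matrix has the same rank over F_2."""
    mat = [row[:] for row in mat]
    rk = 0
    for c in range(len(mat[0])):
        piv = next((r for r in range(rk, len(mat)) if mat[r][c]), None)
        if piv is None:
            continue
        mat[rk], mat[piv] = mat[piv], mat[rk]
        p = mat[rk][c]
        for r in range(rk + 1, len(mat)):
            if mat[r][c]:
                f = mat[r][c]
                mat[r] = [gf_mul(p, x) ^ gf_mul(f, y) for x, y in zip(mat[r], mat[rk])]
        rk += 1
    return rk

def rank_weight(vec):
    """Rk(e) of slide 5: expand each coordinate over the basis 1, gamma, ..., gamma^(m-1)
    of F_{2^8}/F_2 (bit j = coefficient of gamma^j), giving an m x n matrix over F_2."""
    return rank([[(e >> j) & 1 for e in vec] for j in range(M)])

def _dot(u, v):
    acc = 0
    for x, y in zip(u, v):
        acc ^= gf_mul(x, y)
    return acc

def mat_mul(A, B):
    return [[_dot(row, col) for col in zip(*B)] for row in A]

def gabidulin_generator(g, k):
    """Generator matrix (1) of Gab_k(g): row i is g^[i] = (g_1^(q^i), ..., g_n^(q^i))."""
    return [[frob(x, i) for x in g] for i in range(k)]

def random_rank_error(n, t):
    """e = (a_1, ..., a_t) B with a_i in F_{2^8} and B a t x n matrix over F_2, so Rk(e) <= t."""
    a = [[random.randint(1, 255) for _ in range(t)]]
    B = [[random.randint(0, 1) for _ in range(n)] for _ in range(t)]
    return mat_mul(a, B)[0]

def random_invertible(size, top):
    """Random invertible size x size matrix with entries in 0..top (top = 1: a matrix over F_q)."""
    while True:
        A = [[random.randint(0, top) for _ in range(size)] for _ in range(size)]
        if rank(A) == size:
            return A

def gpt_public_key(G, Z):
    """G_pub = S (G | Z) T of slide 16: S invertible over F_{q^m}, T invertible over F_q."""
    k, n, t1 = len(G), len(G[0]), len(Z[0])
    GZ = [G[i] + Z[i] for i in range(k)]
    return mat_mul(mat_mul(random_invertible(k, 255), GZ), random_invertible(n + t1, 1))

def overbeck_kernel_dim(Gpub, n, k):
    """dim ker_r of the stacked matrix (G_pub; G_pub^[1]; ...; G_pub^[n-k-1]) of slide 20.
    The Frobenius is applied entrywise; it commutes with T since T has entries in F_q."""
    stacked = [[frob(x, i) for x in row] for i in range(n - k) for row in Gpub]
    return len(Gpub[0]) - rank(stacked)

def demo(seed=1):
    """n = m = 8, Gab_4(g), a GPT key with t_1 = 5 columns in Z, and Overbeck's kernel test."""
    random.seed(seed)
    n, k, t1 = 8, 4, 5
    G = gabidulin_generator([1 << i for i in range(n)], k)   # g = (1, gamma, ..., gamma^7)
    e_rank = rank_weight(random_rank_error(n + t1, 3))       # a ciphertext error of rank <= 3
    # generic Z of full rank: the stacked matrix has a right kernel of dimension 1
    Z_rand = [[random.randint(1, 255) for _ in range(t1)] for _ in range(k)]
    dim_rand = overbeck_kernel_dim(gpt_public_key(G, Z_rand), n, k)
    # Z = u v of rank 1 <= (t1 - l)/(n - k) with l = 1 (slide 22): kernel dimension >= 1 + l = 2
    u = [random.randint(1, 255) for _ in range(k)]
    v = [random.randint(1, 255) for _ in range(t1)]
    Z_low = [[gf_mul(ui, vj) for vj in v] for ui in u]
    dim_low = overbeck_kernel_dim(gpt_public_key(G, Z_low), n, k)
    return e_rank, dim_rand, dim_low
```

`demo()` returns the observed rank of the error and the two kernel dimensions. The kernel is computed from the public key alone, after $S$ and $T$ have been applied, which is exactly the attacker's view: because the Frobenius fixes every entry of $T$, stacking the Frobenius images of $G_{pub}$ is the same as stacking those of $(G\mid Z)$ and multiplying by $T$ afterwards, so a right scrambler cannot hide the Gabidulin structure. Only the rank of $Z$ relative to $t_1$ and $n-k$ decides whether the kernel stays one-dimensional.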

23. AF-like systems (after the Augot-Finiasz construction)

24. $q$-polynomials
Definition ([Ore33]). $P(z)=\sum_{i=0}^{t} p_i z^{q^i}$, $p_i\in\mathbb{F}_{q^m}$. If $p_t\neq 0$, $\deg_q(P)\stackrel{\text{def}}{=}t$ is the $q$-degree of $P$.
Properties:
- Non-commutative ring under $+$ and composition $\circ$
- Euclidean algorithms on the left and on the right
- Polynomial-time interpolation and root-finding algorithms

25. Reconstruction problem
Parameters: $g\in\mathbb{F}_{q^m}^n$ a support vector, $y\in\mathbb{F}_{q^m}^n$, $k$ and $t$ integers.
PR: find $P$ of $q$-degree $\le k-1$ (so that $P(g)\in\mathrm{Gab}_k(g)$) such that $\mathrm{Rk}(P(g)-y)\le t$.
Link with other problems:
- if $t\le\lfloor (n-k)/2\rfloor$: equivalent to decoding $\mathrm{Gab}_k(g)$
- if $t>\lfloor (n-k)/2\rfloor$: supposed to be difficult, hence LD($y,t$) is difficult

26. Description of the cryptosystem
Parameters: $g=(g_1,\dots,g_n)\in\mathbb{F}_{q^m}^n$ and $k$.
Private key:
- $E=(E_1,\dots,E_n)$ of rank $W>(n-k)/2$; hence there exists $Q\in GL_n(\mathbb{F}_q)$ such that $EQ=(0\mid E')$, the zero block covering the first $n-W$ coordinates
- a $q$-polynomial $P$ over $\mathbb{F}_{q^m}$ of $q$-degree $k-1\le n-W$
Public key: $K=P(g)+E$, where $P(g)\in\mathrm{Gab}_k(g)$.
Security assumption: PR($K,W$) is difficult.

27. Encryption and decryption
Encryption: $y=x(g)+\alpha K+e$, where $x$ is a $q$-polynomial of $q$-degree $k-2\le n-W$, $e$ has rank $t\le (n-k-W)/2$, and $\alpha\in\mathbb{F}_{q^m}^*$ is random.
Decryption: for a vector $v$ write $vQ=(\tilde v\mid V')$, $\tilde v$ being the first $n-W$ coordinates. Since $\widetilde{EQ}=0$ and $Q$ is $\mathbb{F}_q$-linear (so $P(g)Q=P(gQ)$),
$$\widetilde{yQ}=x(\widetilde{gQ})+\alpha P(\widetilde{gQ})+\widetilde{eQ}.$$
Decode $\widetilde{yQ}$ in $\mathrm{Gab}_k(\widetilde{gQ})$ $\Rightarrow$ $(x+\alpha P)(\widetilde{gQ})$. Since $\deg_q(x)<\deg_q(P)$, the leading coefficient $\alpha p_{k-1}$ reveals $\alpha$; since $k-1\le n-W$, $x$ is then recovered.
Security assumption: BDD($x(g)+\alpha K$, $t$) in some code is difficult.
