Decoding One Out of Many
Nicolas Sendrier, INRIA Paris-Rocquencourt, équipe-projet SECRET
Code-based Cryptography Workshop, 11-12 May 2011, Eindhoven, The Netherlands
Computational Syndrome Decoding

Problem: Syndrome Decoding
Instance: $H \in \{0,1\}^{r \times n}$, $s \in \{0,1\}^r$ and $w > 0$
Question: is there a word $e$ of Hamming weight $w$ such that $He^T = s$?

Problem: Computational Syndrome Decoding (CSD)
Given $H \in \{0,1\}^{r \times n}$, $s \in \{0,1\}^r$ and $w > 0$, find a word $e$ of Hamming weight $w$ such that $He^T = s$.
NP-hard, conjectured hard in the average case.
We will denote by CSD$(H, s, w)$ this problem as well as the set of its solutions.
Typically $n = 2048$, $r = 352$ and $w = 32$.
Computational Syndrome Decoding – Multiple Instances

Problem: Syndrome Decoding One Out of Many
Instance: $H \in \{0,1\}^{r \times n}$, $S \subset \{0,1\}^r$ and $w > 0$
Question: is there a word $e$ of Hamming weight $w$ such that $He^T \in S$?

Problem: Computational Syndrome Decoding One Out of Many
Given $H \in \{0,1\}^{r \times n}$, $S \subset \{0,1\}^r$ and $w > 0$, find a word $e$ of Hamming weight $w$ such that $He^T \in S$.
For convenience, we will also denote by CSD$(H, S, w)$ this problem and the set of its solutions.
Message Security of Code-Based Public-Key Cryptosystems
The public key is a parity check matrix $H_0 \in \{0,1\}^{r \times n}$ (or a generator matrix) of some binary $(n, k)$ error correcting code ($r = n - k$).
Solving CSD$(H_0, y, w)$ for a cryptogram $y$ and some prescribed value of $w$ breaks the system.
• In the McEliece system the cryptogram is a noisy codeword $x$; we have $y = H_0 x^T$ and $w = t = r / \lfloor \log_2 n \rfloor$ is the error correcting capability of the (secret) Goppa code
• In the Niederreiter system the cryptogram is the syndrome $y$ and $w = t$ as above
• In the CFS signature $y$ is the hash of the message and either $w = t$ and we decode one out of $t!$ instances, or $w = t + \delta = d_{GV}$ (the Gilbert-Varshamov distance)
Best Decoding Algorithms
Fixed binary $(n, k)$ code, solve CSD for growing $w$; codimension $r = n - k$, Gilbert-Varshamov distance $d_{GV}$ (with $\binom{n}{d_{GV}} > 2^r$).
ISD: Information Set Decoding
GBA: Generalized Birthday Algorithm
[Figure: best algorithm as a function of $w$; the $w$ axis is marked $0$, $d_{GV}$ and $r/4$, and the regions are labelled ISD, GBA and Linearization]
In the present study we will consider $w \le d_{GV}$ and the impact of multiple instances on the complexity of GBA and ISD.
Problem Statement
The size of the problem (i.e. $r$ and $n$) is fixed.
Three facts:
• Decoding one out of $N$ is easier when $N$ grows
• One cannot gain more than a factor $N$
• It is useless to let $N$ grow indefinitely
Two questions:
• How much easier is it to solve CSD$(H, S, w)$ rather than CSD$(H, s, w)$ when $|S| = N$ grows?
• What is the largest useful value of $N$?
Generalized Birthday Algorithm for Decoding
Generalized Birthday Algorithm for Decoding – Bibliography
• Order 2 GBA: Camion and Patarin, EUROCRYPT'91
• GBA: Wagner, CRYPTO 2005
• GBA for decoding: Coron and Joux, 2004 (IACR eprint), attack against FSB
• GBA for decoding one out of many: Bleichenbacher, 200? (unpublished), attack against CFS
Generalized Birthday Algorithm for Decoding – Order 2
CSD$(H, s, w)$: find $w$ columns of $H$ adding to $s$ (i.e. $s = He^T$).
Order 2: build 4 subsets of $\{0,1\}^r$,
$W_i \subset s_i + \{He^T \mid \mathrm{wt}(e) = w_i\}$, $i \in \{1, 2, 3, 4\}$,
with $s = \sum_i s_i$, $w = \sum_i w_i$, $w_i \approx w/4$ and $|W_i| = 2^\ell$ ($\ell$ is optimized later).
Next build $W_{1,2}$ and $W_{3,4}$ as
$W_{i,j} = \{x + y \mid x \in W_i \text{ and } y \in W_j \text{ match on their first } \ell \text{ bits}\}$.
Any element of $W_{1,2} \cap W_{3,4}$ provides a solution to CSD$(H, s, w)$.
Generalized Birthday Algorithm for Decoding – Complexity
CSD$(H, s, w)$: find $w$ columns of $H$ adding to $s$ (i.e. $s = He^T$).
Order 2:
If $\sqrt[4]{\binom{n}{w}} \ge 2^{r/3}$ then one may choose $\ell = r/3$ and $W_{1,2} \cap W_{3,4} \ne \emptyset$ with probability $> 1/2$ → complexity $O(r\,2^{r/3})$.
Else $|W_i| = 2^\ell = \sqrt[4]{\binom{n}{w}}$ and $W_{1,2} \cap W_{3,4} \ne \emptyset$ with probability $\approx 2^{-(r - 3\ell)}$ → complexity $O(r\,2^{r - 2\ell}) = O\!\left(r\,2^r \big/ \sqrt{\binom{n}{w}}\right)$.
When $w = d_{GV}$ then $\binom{n}{w} \approx 2^r$ and the complexity is $O(r\,2^{r/2})$.
Generalized Birthday Algorithm for Decoding – General Case
CSD$(H, s, w)$: find $w$ columns of $H$ adding to $s$ (i.e. $s = He^T$).
Order $a$: the best value for $\ell$ is
$\ell = \min\left(\frac{r}{a+1},\ \log_2 \sqrt[2^a]{\binom{n}{w}}\right)$ → complexity $O(r\,2^{r - a\ell})$.
When $\sqrt[2^a]{\binom{n}{w}} \ge 2^{r/(a+1)}$ the complexity is $O(r\,2^{r/(a+1)})$, else it is $O\!\left(r\,2^r \big/ \left(\sqrt[2^a]{\binom{n}{w}}\right)^a\right)$.
Only interesting for very large values of $w$.
GBA for Decoding One Out of Many
Order 2 GBA with Multiple Instances
CSD$(H, S, w)$: find $w$ columns of $H$ adding to some $s \in S$, $N = |S|$.
Order 2: build 3 subsets of $\{0,1\}^r$,
$W_i \subset s_i + \{He^T \mid \mathrm{wt}(e) = w_i\}$, $i \in \{1, 2, 3\}$, with $s_1 + s_2 + s_3 = 0$ and $w_1 + w_2 + w_3 \le w$,
and a fourth set $W_4 \subset S + \{He^T \mid \mathrm{wt}(e) = w_4\}$ where $w_4 = w - w_1 - w_2 - w_3$ (possibly $w_4 = 0$),
and all $|W_i| = 2^\ell \ge N$.
Next build $W_{1,2}$ and $W_{3,4}$ as
$W_{i,j} = \{x + y \mid x \in W_i \text{ and } y \in W_j \text{ match on their first } \ell \text{ bits}\}$.
Any element of $W_{1,2} \cap W_{3,4}$ provides a solution to CSD$(H, S, w)$.
Order 2 GBA with Multiple Instances – Complexity
CSD$(H, S, w)$: find $w$ columns of $H$ adding to some $s \in S$, $N = |S|$.
Order 2:
If $\sqrt[4]{N \binom{n}{w}} \ge 2^{r/3}$ then we may choose $\ell = r/3$ and $W_{1,2} \cap W_{3,4} \ne \emptyset$ with probability $> 1/2$ → complexity $O(r\,2^{r/3})$.
Else $|W_i| = 2^\ell = \sqrt[4]{N \binom{n}{w}}$ and $W_{1,2} \cap W_{3,4} \ne \emptyset$ with probability $\approx 2^{-(r - 3\ell)}$ → complexity $O(r\,2^{r - 2\ell}) = O\!\left(r\,2^r \big/ \sqrt{N \binom{n}{w}}\right)$.
There is a gain of a factor $\sqrt{N}$ as long as $N \le 2^{4r/3} \big/ \binom{n}{w}$.
When $w = d_{GV}$ then $\binom{n}{w} \approx 2^r$ and $N = 2^{r/3}$ ⇒ complexity $O(r\,2^{r/3})$.
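The order-2 algorithm of the two preceding slides (four lists, two merges on the first $\ell$ bits, one final intersection), run on a toy instance. This is an added example, not code from the talk: it assumes that each list $W_i$ draws its weight-$w_i$ words from one quarter of the columns of $H$ (a convenient way to pick the subsets the slides leave open), that vectors are Python ints whose low $\ell$ bits play the role of the "first $\ell$ bits", and that $W_1 \ldots W_3$ are shifted by random $s_1, s_2, s_3 = s_1 + s_2$ while $W_4$ is shifted by every $s \in S$. With $|S| = 1$ it is the single-instance algorithm; the instance is constructed with a planted solution behind each syndrome so that the result can be checked.

```python
import random
from itertools import combinations


def syndrome(H, support):
    """H e^T for the word e with 1s at the column indices in `support`;
    H is a list of n column vectors, each an r-bit int."""
    acc = 0
    for j in support:
        acc ^= H[j]
    return acc


def syndrome_list(H, cols, wi, shift, tag=None):
    """shift + {H e^T | wt(e) = wi, supp(e) within cols}, as a dict
    value -> (support, tag); the tag records which s in S an entry came from."""
    out = {}
    for supp in combinations(cols, wi):
        out[syndrome(H, supp) ^ shift] = (supp, tag)   # one representative per value
    return out


def merge(Wa, Wb, l):
    """W_{a,b} = {x + y | x in Wa, y in Wb, x and y agree on their first l bits}.
    'First l bits' are the low l bits of the int; every merged entry is zero there,
    so only the remaining r - l bits decide the final intersection."""
    mask = (1 << l) - 1
    buckets = {}
    for y, (supp_b, tag_b) in Wb.items():
        buckets.setdefault(y & mask, []).append((y, supp_b, tag_b))
    out = {}
    for x, (supp_a, tag_a) in Wa.items():
        for y, supp_b, tag_b in buckets.get(x & mask, ()):
            out[x ^ y] = (supp_a + supp_b, tag_a if tag_a is not None else tag_b)
    return out


def gba2_one_out_of_many(H, r, S, weights, l, rng, tries=400):
    """Order-2 GBA for CSD(H, S, w), w = sum(weights), columns split into four
    consecutive blocks (one per list).  Returns (support of e, s) with
    H e^T = s in S and wt(e) = w, or None after `tries` random splittings."""
    n = len(H)
    q = n // 4
    blocks = [range(i * q, (i + 1) * q) for i in range(4)]
    for _ in range(tries):
        s1, s2 = rng.getrandbits(r), rng.getrandbits(r)
        s3 = s1 ^ s2                                    # s1 + s2 + s3 = 0 over GF(2)
        W1 = syndrome_list(H, blocks[0], weights[0], s1)
        W2 = syndrome_list(H, blocks[1], weights[1], s2)
        W3 = syndrome_list(H, blocks[2], weights[2], s3)
        W4 = {}                                         # S + {H e^T | wt(e) = w4}
        for s in S:
            W4.update(syndrome_list(H, blocks[3], weights[3], s, tag=s))
        W12 = merge(W1, W2, l)
        W34 = merge(W3, W4, l)
        for x, (supp_a, _) in W12.items():
            if x in W34:                                # x = y  <=>  H e^T + s = 0
                supp_b, s = W34[x]
                return tuple(sorted(supp_a + supp_b)), s
    return None


def demo(n=32, r=12, N=8, l=3, seed=7):
    """Constructed instance: random H and N syndromes, each with a planted
    weight-4 solution (one column per block).  Returns (ok_many, ok_single)."""
    rng = random.Random(seed)
    H = [rng.getrandbits(r) for _ in range(n)]
    q = n // 4
    S = set()
    for _ in range(N):
        planted = tuple(rng.randrange(i * q, (i + 1) * q) for i in range(4))
        S.add(syndrome(H, planted))
    weights = (1, 1, 1, 1)
    many = gba2_one_out_of_many(H, r, S, weights, l, rng)
    single = gba2_one_out_of_many(H, r, {min(S)}, weights, l, rng)

    def ok(res):
        return (res is not None and len(res[0]) == 4
                and res[1] in S and syndrome(H, res[0]) == res[1])

    return ok(many), ok(single)


if __name__ == "__main__":
    print(demo())
```

Each splitting $s_1, s_2$ keeps a given solution with probability about $2^{-\ell}$ (the pair from $W_1, W_2$ must agree on the first $\ell$ bits; the other pair then agrees automatically), which is why the one-out-of-many run with eight planted solutions typically succeeds in the first try or two while the single-instance run needs more.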
Bleichenbacher's Attack
For CFS (original counter version) one can build as many syndromes as needed by hashing many variants of a favorable message.
We need to decode $w = t$ errors in a code of length $n = 2^m$ and codimension $r = tm$.
For those values $\binom{n}{t} \approx 2^r / t!$ and the largest value for $N$ is $\sqrt[3]{\binom{n}{t}}$ (the common size of the 4 lists); the complexity of CSD becomes $O\!\left(r\,2^{r/3}\,(t!)^{2/3}\right)$.
With $t = 9$ and $m = 16$ we get $\approx 2^{67.5}$ with $2^{42}$ instances, which can be improved a bit (around $2^{63.3}$) because we can use slightly larger lists ($\binom{n}{w/3}$ instead of $\sqrt[3]{\binom{n}{w}}$).
Finally there is a small multiplicative constant (2 to 6) which seems difficult to avoid.
Bleichenbacher's Attack
For the CFS counterless version, the attacker needs to perform a complete decoding. As many variants as needed of a favorable message are hashed to produce the syndromes.
We need to decode $w = d_{GV} > t$ errors in a code of length $n = 2^m$ and codimension $r = tm$.
For those values $\binom{n}{w} \ge 2^r$ and the good choice for $N$ and the list size is $2^{r/3}$; the complexity of CSD becomes $O(r\,2^{r/3})$.
With $w = 11$ and $m = 16$ we get $\approx 2^{53.6}$ with $2^{48}$ instances.
However, because $w$ is not a multiple of 3, some adjustments are required and the cost is $2^{54.9}$ with $2^{45.4}$ instances.
GBA with Multiple Instances – General Case
CSD$(H, S, w)$: find $w$ columns of $H$ adding to some $s \in S$.
Order $a$: the best value for $\ell$ is
$\ell = \min\left(\frac{r}{a+1},\ \log_2 \sqrt[2^a]{N \binom{n}{w}}\right)$ → complexity $O(r\,2^{r - a\ell})$.
When $\sqrt[2^a]{N \binom{n}{w}} \ge 2^{r/(a+1)}$ the complexity is $O(r\,2^{r/(a+1)})$.
Else the complexity is $O\!\left(r\,2^r \big/ \left(\sqrt[2^a]{N \binom{n}{w}}\right)^a\right)$ and we only gain a factor $N^{a/2^a}$.
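The cost model of the GBA slides carried through numerically: the choice of $\ell$, the two regimes (lists capped at $2^{r/(a+1)}$ or limited by $\sqrt[2^a]{N\binom{n}{w}}$), the gain $N^{a/2^a}$, the largest useful $N$, and the counter-CFS numbers of Bleichenbacher's attack. This is an added example, not code from the talk; it works in $\log_2$ throughout, computes $\binom{n}{w}$ through the log-gamma function (an approximation that is accurate to far below one bit at these sizes), and treats the slides' $O(\cdot)$ bounds as exact counts, so small deviations from the quoted figures are expected.

```python
from math import lgamma, log, log2


def log2_binom(n, k):
    """log2 of the binomial coefficient C(n, k), via log-gamma (fine for n = 2^16)."""
    return (lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)) / log(2)


def gv_distance(n, r):
    """Gilbert-Varshamov distance: the smallest w with C(n, w) >= 2^r."""
    w = 0
    while log2_binom(n, w) < r:
        w += 1
    return w


def gba_cost_log2(n, r, w, a, log2_N=0.0):
    """Order-a GBA on CSD(H, S, w) with |S| = 2^log2_N (log2_N = 0: one instance).
    ell = min(r/(a+1), log2 of the 2^a-th root of N*C(n,w)); cost = r * 2^(r - a*ell).
    Returns (ell, log2 cost)."""
    root = (log2_N + log2_binom(n, w)) / 2 ** a
    ell = min(r / (a + 1), root)
    return ell, log2(r) + r - a * ell


def gba_gain_log2(n, r, w, a, log2_N):
    """log2 of the speed-up over the single-instance run; at most (a / 2^a) * log2 N."""
    return gba_cost_log2(n, r, w, a)[1] - gba_cost_log2(n, r, w, a, log2_N)[1]


def max_useful_log2_N(n, r, w, a):
    """Smallest N for which ell reaches r/(a+1); more instances do not help beyond it:
    N * C(n, w) = 2^(2^a * r / (a + 1))."""
    return 2 ** a * r / (a + 1) - log2_binom(n, w)


def cfs_counter_attack(t, m):
    """Bleichenbacher's attack on counter-CFS: n = 2^m, r = t*m, w = t, order 2,
    N = cube root of C(n, t) (the common list size).  Returns (log2 N, log2 cost);
    the slides give r * 2^(r/3) * (t!)^(2/3)."""
    n, r = 2 ** m, t * m
    log2_N = log2_binom(n, t) / 3
    return log2_N, gba_cost_log2(n, r, t, 2, log2_N)[1]


if __name__ == "__main__":
    n, r = 2048, 352                      # the talk's typical parameters
    d = gv_distance(n, r)
    print("d_GV =", d)
    print("order 2, w = d_GV, N = 1:        ell, log2 cost =", gba_cost_log2(n, r, d, 2))
    print("order 2, w = d_GV, N = 2^(r/3):  ell, log2 cost =", gba_cost_log2(n, r, d, 2, r / 3))
    print("largest useful log2 N at d_GV:  ", max_useful_log2_N(n, r, d, 2))
    print("counter-CFS t=9, m=16: log2 N, log2 cost =", cfs_counter_attack(9, 16))
```

For $w = d_{GV}$ and $N = 2^{r/3}$ the minimum is attained at $\ell = r/3$ exactly, reproducing the $O(r\,2^{r/3})$ of the multiple-instance slide, while the single-instance run lands near $r\,2^{r/2}$ (off by half of $\log_2\binom{n}{d_{GV}} - r$, since $\binom{n}{d_{GV}}$ only approximately equals $2^r$).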
Information Set Decoding
Information Set Decoding – Bibliography
• ISD: folklore, ≤ 1978
• Collision decoding: Stern, 1989; Canteaut and Chabaud, IEEE-IT 1998 (1995); Bernstein, Lange, and Peters, PQCrypto 2008
• One out of many: Johansson and Jönsson, IEEE-IT 2002
Information Set Decoding – First Step
Problem: solve CSD$(H_0, y, w)$.
The algorithm involves two parameters $p$ and $\ell$ which will be chosen to minimize the cost.
Step 1: column permutation and Gaussian elimination
• Pick a random permutation matrix $P$
• Compute $H = U H_0 P = \begin{pmatrix} I_{r-\ell} & H'' \\ 0 & H' \end{pmatrix}$ with $U \in \{0,1\}^{r \times r}$ non singular and $s = Uy$ (the left block has $r - \ell$ columns, the right block $k + \ell$; $H''$ has $r - \ell$ rows and $H'$ has $\ell$ rows)
$e \in \mathrm{CSD}(H, s, w) \Leftrightarrow eP^T \in \mathrm{CSD}(H_0, y, w)$
Information Set Decoding – Second Step
Problem: solve CSD$(H, s, w)$ with $H = \begin{pmatrix} I_{r-\ell} & H'' \\ 0 & H' \end{pmatrix}$ and $s = (s'', s')$, $s'' \in \{0,1\}^{r-\ell}$, $s' \in \{0,1\}^{\ell}$.
Step 2: find (all) solutions of CSD$(H', s', p)$
Build two subsets of $\{0,1\}^\ell$:
$W_1 \subset \{H'e^T \mid \mathrm{wt}(e) = \lfloor p/2 \rfloor\}$ and $W_2 \subset \{H'e^T \mid \mathrm{wt}(e) = \lceil p/2 \rceil\}$.
Any element of $W_1 \cap (s' + W_2)$ corresponds to a pair $(e_1, e_2) \in W_1 \times W_2$ such that $e_1 + e_2 \in \mathrm{CSD}(H', s', p)$.
Birthday attack with a search space of size $\binom{k+\ell}{p}$; we expect that it is optimal for $L = |W_1| = |W_2| = \sqrt{\binom{k+\ell}{p}}$.
Information Set Decoding – Third Step
Problem: solve CSD$(H, s, w)$ with $H$ and $s = (s'', s')$ as above; write $e = (e'', e')$ with $\mathrm{wt}(e'') = w - p$ and $\mathrm{wt}(e') = p$.
Step 3: for all $e' \in \mathrm{CSD}(H', s', p)$ found in Step 2, let $e'' = s'' + H''e'^T \in \{0,1\}^{r-\ell}$ and $e = (e'', e')$.
If $\mathrm{wt}(e'') = w - p$ then $e = (e'', e') \in \mathrm{CSD}(H, s, w)$ (→ success).
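The three ISD steps above as one loop on a toy instance: a random column permutation, Gaussian elimination that puts the identity on the first $r - \ell$ columns (the syndrome is carried along as an extra column, so $s = Uy$ comes for free), the birthday step on $H'$ with the two halves of $p$, and the weight test on $e'' = s'' + H''e'^T$, followed by undoing the permutation. This is an added example, not code from the talk; it assumes matrices are stored as row ints with bit $j$ standing for column $j$, that the sets $W_1, W_2$ are enumerated exhaustively (the toy sizes make that cheap), and that a permutation whose first $r - \ell$ columns are singular is simply redrawn. The instance is constructed with a planted error so the result can be verified against $H_0$ and $y$.

```python
import random
from itertools import combinations


def parity(x):
    return bin(x).count("1") & 1


def syndrome(rows, e_mask, n):
    """H e^T as an r-bit int: bit i is the inner product of row i with e
    (rows are n-bit ints, bit j = column j; any bits above n are ignored)."""
    s = 0
    for i, row in enumerate(rows):
        s |= parity(row & e_mask & ((1 << n) - 1)) << i
    return s


def reduce_first_columns(rows, m):
    """Row-reduce so that the first m columns become the identity on the first m
    rows and zero below; returns None if those columns are not full rank."""
    rows = list(rows)
    for c in range(m):
        piv = next((i for i in range(c, len(rows)) if (rows[i] >> c) & 1), None)
        if piv is None:
            return None
        rows[c], rows[piv] = rows[piv], rows[c]
        for i in range(len(rows)):
            if i != c and (rows[i] >> c) & 1:
                rows[i] ^= rows[c]
    return rows


def isd_stern(H0, n, y, w, p, l, rng, max_iter=500):
    """Steps 1-3 on CSD(H0, y, w); H0 is a list of r row ints.
    Returns e (n-bit int) with H0 e^T = y and wt(e) = w, or None."""
    r = len(H0)
    m = r - l                                   # columns carrying the identity
    cols = range(m, n)                          # the k + l columns of H'' and H'
    for _ in range(max_iter):
        # Step 1: position j of H receives column P[j] of H0; the syndrome bit of
        # each row rides at bit n, so the eliminated rows give s = U y directly.
        P = list(range(n))
        rng.shuffle(P)
        rows = []
        for i, row in enumerate(H0):
            permuted = sum(((row >> P[j]) & 1) << j for j in range(n))
            rows.append(permuted | (((y >> i) & 1) << n))
        rows = reduce_first_columns(rows, m)
        if rows is None:
            continue                            # singular information set: redraw P
        s_bits = [(row >> n) & 1 for row in rows]
        s_prime = sum(s_bits[i] << (i - m) for i in range(m, r))          # s' (l bits)
        Hp = {j: sum(((rows[i] >> j) & 1) << (i - m) for i in range(m, r))
              for j in cols}                                             # columns of H'
        # Step 2: W1 ∩ (s' + W2) on CSD(H', s', p)
        p1, p2 = p // 2, p - p // 2
        W2 = {}
        for supp in combinations(cols, p2):
            v = 0
            for j in supp:
                v ^= Hp[j]
            W2.setdefault(v, []).append(supp)
        for supp1 in combinations(cols, p1):
            v = 0
            for j in supp1:
                v ^= Hp[j]
            for supp2 in W2.get(v ^ s_prime, ()):
                if set(supp1) & set(supp2):
                    continue                    # overlapping supports: weight < p
                e_prime = 0
                for j in supp1 + supp2:
                    e_prime |= 1 << j
                # Step 3: e'' = s'' + H'' e'^T, keep it only if wt(e'') = w - p
                e_dprime = 0
                for i in range(m):
                    e_dprime |= (s_bits[i] ^ parity(rows[i] & e_prime)) << i
                if bin(e_dprime).count("1") != w - p:
                    continue
                e_perm = e_dprime | e_prime     # e = (e'', e') in permuted coordinates
                e = 0                           # e P^T: position j back to column P[j]
                for j in range(n):
                    if (e_perm >> j) & 1:
                        e |= 1 << P[j]
                return e
    return None


def demo(seed=3):
    """Constructed instance: random H0, planted weight-4 error, y = H0 e^T.
    Returns True when the recovered e has weight w and syndrome y."""
    rng = random.Random(seed)
    n, r, w, p, l = 40, 20, 4, 2, 4
    H0 = [rng.getrandbits(n) for _ in range(r)]
    planted = 0
    for j in rng.sample(range(n), w):
        planted |= 1 << j
    y = syndrome(H0, planted, n)
    e = isd_stern(H0, n, y, w, p, l, rng)
    return e is not None and syndrome(H0, e, n) == y and bin(e).count("1") == w


if __name__ == "__main__":
    print(demo())
```

With $n = 40$, $r = 20$, $w = 4$, $p = 2$ and $\ell = 4$, an iteration succeeds whenever the permutation leaves exactly $p$ error positions among the last $k + \ell = 24$ columns, which happens for roughly a third of the permutations; the loop bound is only a safety net.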