information set decoding in the lee metric
play

Information Set Decoding in the Lee Metric Violetta Weger joint - PowerPoint PPT Presentation

Nov 18, 2023 •26 likes •276 views

Information Set Decoding in the Lee Metric Violetta Weger joint work with Franco Chiaraluce, Marco Baldi, Massimo Battaglioni, Anna-Lena Horlemann-Trautmann, Edoardo Persichetti and Paolo Santini University of Zurich CBCrypto 2020 9 May 2020

  1. Information Set Decoding in the Lee Metric Violetta Weger joint work with Franco Chiaraluce, Marco Baldi, Massimo Battaglioni, Anna-Lena Horlemann-Trautmann, Edoardo Persichetti and Paolo Santini University of Zurich CBCrypto 2020 9 May 2020 Violetta Weger Information Set Decoding in the Lee Metric

  2. Motivation Changing the Metric The original McEliece cryptosystem using Goppa codes remains unbroken but sufgers from large key sizes. Many attempts of fjxing this issue by exchanging the family of codes. Example: Niederreiter proposed to use GRS codes, which have the highest error correction capacity, hence promise low key sizes, but are vulnerable to algebraic attacks. Within the 7 code-based cryptosystems in the NIST round 2, the ones that are achieving the lowest key sizes are based on the rank metric. Violetta Weger Information Set Decoding in the Lee Metric

  3. Motivation Rank Metric Defjnition (Rank Metric) q we defjne the rank weight to be with the rank metric. Violetta Weger Information Set Decoding in the Lee Metric For A , B ∈ F m × n wt R ( A ) = rk ( A ) and the rank distance between A and B to be d R ( A , b ) = wt R ( A − B ) . Defjnition ( F q -linear Rank Metric Code) C is a F q -linear rank metric code of length n and dimension k, if C is a k -dimensional linear subspace of Mat m × n ( F q ) equipped

  4. Motivation Rank Metric Defjnition (Rank Metric) rank metric. metric codes. Violetta Weger Information Set Decoding in the Lee Metric For x , y ∈ F n q m we defjne the rank weight to be wt R ( x ) = dim ( ⟨ x 1 , . . . , x n ⟩ F q ) and the distance between x and y to be d R ( x , y ) = wt R ( x − y ) . Defjnition ( F q m -linear Rank Metric Code) C is a F q m -linear rank metric code of length n and dimension k, if C is a k -dimensional linear subspace of F n q m equipped with the Note: all F q m -linear rank metric codes are also F q -linear rank

  5. Motivation Bruteforce cost Violetta Weger t Difgerence between Rank and Hamming Metric t Information Set Decoding in the Lee Metric Rank q m . Hamming Let x ∈ F n Supp ( x ) { 1 ≤ i ≤ n | x i ̸ = 0 } ⟨ x 1 , . . . , x n ⟩ F q wt ( x ) | Supp ( x ) | dim ( Supp ( x )) t − 1 ( q m − 1 ) t q t − q i ∼ q ( m − t ) t q m − q i ( n ) [ m ] q = ∏ i = 0

  6. Motivation Difgerence between Rank and Hamming Metric Hamming Rank NP-complete SDP more costly Advantages studied thoroughly low key sizes large key sizes not studied thoroughly Disadvantages only randomized reduction Violetta Weger Information Set Decoding in the Lee Metric

  7. Lee Metric Properties Defjnition (Lee Weight) Violetta Weger Information Set Decoding in the Lee Metric Let x ∈ Z / m Z , then wt L ( x ) = min { x , | m − x |} . Example ( Z / 8 Z ) wt L ( 0 ) = 0 wt L ( 1 ) = wt L ( 7 ) = 1 wt L ( 2 ) = wt L ( 6 ) = 2 wt L ( 3 ) = wt L ( 5 ) = 3 wt L ( 4 ) = 4

  8. Lee Metric Properties Defjnition (Lee Weight) Violetta Weger Information Set Decoding in the Lee Metric Let x ∈ Z / m Z , then wt L ( x ) = min { x , | m − x |} .

  9. Lee Metric Properties Defjnition (Lee Weight) Violetta Weger Information Set Decoding in the Lee Metric Let x ∈ Z / m Z , then wt L ( x ) = min { x , | m − x |} .

  10. Lee Metric Properties Defjnition (Lee Metric) n Defjnition (Lee Metric Code) Violetta Weger Information Set Decoding in the Lee Metric Let x , y ∈ ( Z / m Z ) n , then the Lee weight is defjned as ∑ wt L ( x ) = wt L ( x i ) and the Lee distance between x and y is i = 1 d L ( x , y ) = wt L ( x − y ) . Clearly: For all x ∈ ( Z / m Z ) n : wt H ( x ) ≤ wt L ( x ) . C is a linear Lee metric code of length n and type | C | , if C is an additive subgroup of ( Z / m Z ) n equipped with the Lee metric.

  11. Lee Metric Quaternary Codes Defjnition (Quaternary Code) Defjnition (Gray Isometry) Violetta Weger Information Set Decoding in the Lee Metric C is a quaternary code of length n and type 4 k 1 2 k 2 , if C is an additive subgroup of ( Z / 4 Z ) n equipped with the Lee metric. ϕ : ( Z / 4 Z , wt L ) → ( F 2 2 , wt H ) 0 �→ ( 0 , 0 ) 1 �→ ( 0 , 1 ) 2 �→ ( 1 , 1 ) 3 �→ ( 1 , 0 ) We can extend ϕ n : ( Z / 4 Z ) n → F 2 n 2 .

  12. Lee Metric Quaternary Codes Defjnition (Quaternary Code) Defjnition (Gray Isometry) Violetta Weger Information Set Decoding in the Lee Metric C is a quaternary code of length n and type 4 k 1 2 k 2 , if C is an additive subgroup of ( Z / 4 Z ) n equipped with the Lee metric. ϕ : ( Z / 4 Z , wt L ) → ( F 2 2 , wt H ) 0 �→ ( 0 , 0 ) 1 �→ ( 0 , 1 ) 2 �→ ( 1 , 1 ) 3 �→ ( 1 , 0 ) We can extend ϕ n : ( Z / 4 Z ) n → F 2 n 2 .

  13. Lee Metric 4 Violetta Weger . 2 4 4 0 2Id k 2 2 F E The systematic form of the parity check matrix is given by Difgerences 2 . Information Set Decoding in the Lee Metric 2 C the systematic form of the generator matrix is given by A 2 0 2Id k 2 B Let C be a quaternary code of length n and type 4 k 1 2 k 2 , then ( Id k 1 ) G = , , B ∈ Z k 1 × ( n − k 1 − k 2 ) , C ∈ Z k 2 × ( n − k 1 − k 2 ) where A ∈ Z k 1 × k 2 ( D ) Id n − k 1 − k 2 H = , where D ∈ Z ( n − k 1 − k 2 ) × k 1 , E ∈ Z ( n − k 1 − k 2 ) × k 2 , F ∈ Z k 2 × k 1

  14. ISD in the Lee Metric Main idea: Assume no error happen in the information set. Violetta Weger A ISD over the Hamming Metric Information Set Decoding in the Lee Metric q q Prange’s algorithm: Given: H ∈ F ( n − k ) × n , s ∈ F n − k , t ∈ N . q , such that He ⊤ = s ⊤ and wt H ( e ) = t . Find: e ∈ F n ) ( 0 ) UHe ⊤ = ( = Us ⊤ . Id n − k e ′⊤ Thus we get the condition e ′⊤ = Us ⊤ .

  15. ISD in the Lee Metric Structure of ISD Algorithms 1. Choose an information set. 2. Bring the parity check matrix into systematic form and perform the same row operations on the syndrome. 3. By assuming a certain weight distribution of the error vector we get conditions on the error vector. 4. Go through all possible vectors and check if conditions are satisfjed, if they are output the error vector. 5. If not, start over with a new information set. Violetta Weger Information Set Decoding in the Lee Metric

  16. ISD in the Lee Metric Cost of ISD Algorithms The cost of an ISD algorithm is given by number of iterations = reciprocal of the success probability of one iteration. Example: Prange in the Hamming metric has a success probability of t t Violetta Weger Information Set Decoding in the Lee Metric number of iterations · cost of one iteration . ) − 1 ( n − k )( n .

  17. ISD in the Lee Metric 2 C Violetta Weger t t New success probability: 2 1 Quaternary Prange 0 Information Set Decoding in the Lee Metric 4 4 Given: H ∈ Z ( n − k 1 ) × n , s ∈ Z n − k 1 , t ∈ N . 4 with He ⊤ = s ⊤ and wt L ( e ) = t . Find: e ∈ Z n ( A ) ( 0 ) ( s ⊤ ) UHe ⊤ = Id n − k 1 − k 2 = . e ′⊤ 2 s ⊤ From this we get the conditions e ′ = s 1 and s 2 = 0. ) − 1 ( 2 ( n − k 1 − k 2 ) )( 2 n .

  18. Performance j Violetta Weger j 4 n and minimum Lee distance d, such that GV - Bounds Information Set Decoding in the Lee Metric Let n and d be positive integers. There exists a linear binary 2 n Proposition (Gilbert-Varshamov Bound) code C of length n and minimum Hamming distance d, such that | C |≥ ) . ∑ d − 1 ( n j = 0 Furthermore there exists a linear quaternary code C of length n | C |≥ . ( ∑ d − 1 ( 2 n ) − 1 ) 3 + 1 j = 0

  19. Performance 256.33 cost Prange t H d H k n In the Hamming metric: 1887620 215 903 431 3 970 1943 14534 256.03 42 Key Size 451 334 708122 Violetta Weger 3730692 256.68 214 429 1931 3863 128.03 103 94 189 841 1683 203852 80.53 51 85 20 Performance for theoretical Parameters 101 463 1050 83.42 12 25 90 5 Key Size 3 cost Prange t L d L k 2 k 1 n In the Lee metric: 230 105 375 3106 372380 128.82 96 193 3 430 863 129.96 52 20 41 154 9 173 107180 80.29 Information Set Decoding in the Lee Metric

  20. Performance Disclaimer These are only theoretical parameters, since we are not actually proposing a code to be used within the quaternary McEliece cryptosystem! Violetta Weger Information Set Decoding in the Lee Metric

  21. Information Set Decoding in the Lee Metric . . . . 0 0 Diffjculties of Generalizing p Id k s 0 . . . . . . ... . . . . . . 0 0 Violetta Weger . and the systematic form of the parity check matrix is . ... . . . . . . matrix is Id k 1 0 p Id k 2 Lee Metric over Z p s Let C be a linear Lee metric code over Z p s of length n and type ( p s ) k 1 ( p s − 1 ) k 2 . . . p k s . Then the systematic form of the generator   . . . A 1 , s + 1 A 1 , 2 A 1 , s . . .  pA 2 , s + 1  G = pA 2 , s  ,      p s − 1 Id k s p s − 1 A s , s + 1 . . .   . . . Id n − K B 1 , 1 B 1 , 2 B 1 , s . . .   H = pB 2 , 1 pB 2 , 2  ,      p s − 1 B s , 1 p s − 1 Id k 2 . . . where K = ∑ s i = 1 k i .

  22. Information Set Decoding in the Lee Metric Simplifjcation for ISD For the purpose of ISD algorithms we can choose the following form Violetta Weger considering k 1 . A 0 pB This way we are putting all the zero-divisors together, only . and p s p s pD 0 Lee Metric over Z p s ( Id k 1 ) ( C ) Id n − K G = , H = , with A ∈ Z k 1 × ( n − k 1 ) , B ∈ Z ( K − k 1 ) × ( n − k 1 ) , C ∈ Z ( n − K ) × K p s − 1 D ∈ Z ( K − k 1 ) × K p s − 1

Recommend

Why decoding? Understanding the neural code. Neural Decoding Given spikes, what was the

Why decoding? Understanding the neural code. Neural Decoding Given spikes, what was the

Why decoding? Understanding the neural code. Neural Decoding Given spikes, what was the stimulus? What aspects of the stimulus does the system encode? (capacity is limited) Mark van Rossum What information can be extracted from spike trains:

779 views • 16 slides
Information Theoretic Metric Learning Instructor: Sham Kakade 1 Metric Learning In k -nearest

Information Theoretic Metric Learning Instructor: Sham Kakade 1 Metric Learning In k -nearest

CSE 547/Stat 548: Machine Learning for Big Data Lecture by Adam Gustafson Information Theoretic Metric Learning Instructor: Sham Kakade 1 Metric Learning In k -nearest neighbors ( k -nn) and other classification algorithms, one crucial choice

221 views • 8 slides
On List Decoding of Alternant Codes in the Hamming and Lee metrics Ido Tal Ron M. Roth Computer

On List Decoding of Alternant Codes in the Hamming and Lee metrics Ido Tal Ron M. Roth Computer

On List Decoding of Alternant Codes in the Hamming and Lee metrics Ido Tal Ron M. Roth Computer Science Department, Technion, Haifa 32000, Israel. 1 Previous Work Berlekamp, 1968: Negacyclic codes for the Lee metric. Roth and Siegel, 1994:

850 views • 19 slides
Metric Spaces Definition If d is a metric on X , then the metric topology on X induced by d is

Metric Spaces Definition If d is a metric on X , then the metric topology on X induced by d is

Metric Spaces Definition If d is a metric on X , then the metric topology on X induced by d is the topology generated by the basis = { B d ( X , ) : x X and > 0 } . The set X endowed with this topology is called the metric space (

52 views • 4 slides
Welcome back... Metric spaces. Approximate metric using a tree. Tree metric: 16 16 A metric

Welcome back... Metric spaces. Approximate metric using a tree. Tree metric: 16 16 A metric

Welcome back... Metric spaces. Approximate metric using a tree. Tree metric: 16 16 A metric space X , d ( i , j ) where d ( i , j ) d ( i , k )+ d ( k , j ) , X is nodes of tree with edge weights d ( i , j ) = d ( j , i ) , and d ( i , j )

376 views • 4 slides
Introduction to rank-based cryptography Philippe Gaborit University of Limoges, France ASCRYPTO

Introduction to rank-based cryptography Philippe Gaborit University of Limoges, France ASCRYPTO

Rank codes : definitions and basic properties Decoding in rank metric Complexity issues : decoding random rank codes Encryption Authentication and signature Introduction to rank-based cryptography Philippe Gaborit University of Limoges,

1.56k views • 115 slides
Observation Decoding with Sensor Models: Recognition Tasks via Classical Planning Diego Aineto,

Observation Decoding with Sensor Models: Recognition Tasks via Classical Planning Diego Aineto,

Observation Decoding with Sensor Models: Recognition Tasks via Classical Planning Diego Aineto, Sergio Jimenez, Eva Onaindia October 16, 2020 Universitat Polit` ecnica de Val` encia 1 What is decoding? What is decoding? Decoding : finding

848 views • 26 slides
Chapter 6 Decoding Statistical Machine Translation Decoding We have a mathematical model for

Chapter 6 Decoding Statistical Machine Translation Decoding We have a mathematical model for

Chapter 6 Decoding Statistical Machine Translation Decoding We have a mathematical model for translation p ( e | f ) Task of decoding: find the translation e best with highest probability e best = argmax e p ( e | f ) Two types of

571 views • 34 slides
Information Theory Lecture 8 BCH codes BCH codes: R8.45 (R5.6) Decoding BCH (and

Information Theory Lecture 8 BCH codes BCH codes: R8.45 (R5.6) Decoding BCH (and

Information Theory Lecture 8 BCH codes BCH codes: R8.45 (R5.6) Decoding BCH (and RS) codes: R6 Reed-Solomon codes RS codes: R5.13 Mikael Skoglund, Information Theory 1/15 The BCH Bound Theorem : Let C be cyclic of

276 views • 8 slides
By et al Siegfried Engelmann Decoding Strategies: Decoding B1- Teacher's Presentation Book

By et al Siegfried Engelmann Decoding Strategies: Decoding B1- Teacher's Presentation Book

By et al Siegfried Engelmann Decoding Strategies: Decoding B1- Teacher's Presentation Book (Corrective Reading) (3rd Revised edition) From McGraw-Hill Inc.,US By et al Siegfried Engelmann Decoding Strategies: Decoding B1- Teacher's Presentation

233 views • 5 slides
Quantum algorithms for Information Set Decoding Elena Kirshanova ENS Lyon April 11, 2018 Quantum

Quantum algorithms for Information Set Decoding Elena Kirshanova ENS Lyon April 11, 2018 Quantum

Quantum algorithms for Information Set Decoding Elena Kirshanova ENS Lyon April 11, 2018 Quantum ISD | E.Kirshanova Information Set Decoding (ISD) The ISD Problem Given H P F p n k q n , s P F n k , find e P F n 2 s.t. He s 2 2 e

669 views • 38 slides
Wireless Notification without Packet Decoding International Conference on Autonomic Computing

Wireless Notification without Packet Decoding International Conference on Autonomic Computing

Wireless Notification without Packet Decoding International Conference on Autonomic Computing (USENIX : ICAC ), June 2013 Kevin Chen and H.T. Kung May 3, 2013 Receiver 1 Sensor Packet Decoding Speculative Packet Reception No information is

106 views • 6 slides
Beyond Sequential decoding toward parallel decoding In the context of neural sequence modelling

Beyond Sequential decoding toward parallel decoding In the context of neural sequence modelling

Beyond Sequential decoding toward parallel decoding In the context of neural sequence modelling Kyunghyun Cho New York University & Facebook AI Research Joint work with Jason Lee and Elman Mansimov Neural sequence modeling An arbitrary

461 views • 25 slides
Decoding challenge Assessing the practical hardness of syndrome decoding for code-based

Decoding challenge Assessing the practical hardness of syndrome decoding for code-based

Decoding challenge Assessing the practical hardness of syndrome decoding for code-based cryptography Matthieu Lequesne Sorbonne Universit Inria Paris, team Cosmiq February 27, 2020 All you ever wanted to know about code-based crypto

1.53k views • 132 slides
Decoding in SMT Nitin Madnani February 8, 2006 The Decoding Problem Search Inputs:

Decoding in SMT Nitin Madnani February 8, 2006 The Decoding Problem Search Inputs:

Decoding in SMT Nitin Madnani February 8, 2006 The Decoding Problem Search Inputs: Input string Bunch of statistical models A function to assign score to any translation Output: Best scoring translation

660 views • 34 slides
Information- -Velocity Metric Velocity Metric Information-Velocity Metric Information for the

Information- -Velocity Metric Velocity Metric Information-Velocity Metric Information for the

Information- -Velocity Metric Velocity Metric Information-Velocity Metric Information for the Flow of Information for the Flow of Information for the Flow of Information through an Organization: through an Organization: through an

519 views • 24 slides
Multiwavelength UV-metric and pH-metric determination of the dissociation constants of the

Multiwavelength UV-metric and pH-metric determination of the dissociation constants of the

Multiwavelength UV-metric and pH-metric determination of the dissociation constants of the hypoxia-inducible factor prolyl hydroxylase inhibitor Roxadustat * Milan Meloun 1 , Lucie Pilaov 1 , Milan Javrek 2 and Tom Pekrek 3 1

178 views • 15 slides
Statistical models for neural encoding, decoding, information estimation, and optimal on-line

Statistical models for neural encoding, decoding, information estimation, and optimal on-line

Statistical models for neural encoding, decoding, information estimation, and optimal on-line stimulus design Liam Paninski Department of Statistics and Center for Theoretical Neuroscience Columbia University http://www.stat.columbia.edu/

725 views • 40 slides
Metric Conversions Ladder Method T. Trimpe 2008 http://sciencespot.net/ Metric System The

Metric Conversions Ladder Method T. Trimpe 2008 http://sciencespot.net/ Metric System The

Metric Conversions Ladder Method T. Trimpe 2008 http://sciencespot.net/ Metric System The metric system is based on a base unit that corresponds to a certain kind of measurement Length = meter Volume = liter Weight (Mass) =

293 views • 11 slides
Decoding Philipp Koehn 17 September 2020 Philipp Koehn Machine Translation: Decoding 17

Decoding Philipp Koehn 17 September 2020 Philipp Koehn Machine Translation: Decoding 17

Decoding Philipp Koehn 17 September 2020 Philipp Koehn Machine Translation: Decoding 17 September 2020 Decoding 1 We have a mathematical model for translation p ( e | f ) Task of decoding: find the translation e best with highest

1.04k views • 61 slides
Smaller decoding exponents: ball-collision decoding D. J. Bernstein University of Illinois at

Smaller decoding exponents: ball-collision decoding D. J. Bernstein University of Illinois at

Smaller decoding exponents: ball-collision decoding D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven Christiane Peters University of Illinois at Chicago Context: speed What is

500 views • 36 slides
Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, equipe-projet SECRET

Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, equipe-projet SECRET

Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, equipe-projet SECRET Code-based Cryptography Workshop 11-12 May 2011, Eindhoven, The Netherlands Computational Syndrome Decoding Problem: Syndrome Decoding H { 0 , 1 }

882 views • 37 slides
Efficient Video Decoding on GPUs Efficient Video Decoding on GPUs by Point Based Rendering by

Efficient Video Decoding on GPUs Efficient Video Decoding on GPUs by Point Based Rendering by

Efficient Video Decoding on GPUs Efficient Video Decoding on GPUs by Point Based Rendering by Point Based Rendering Bo Han, Bingfeng Zhou Peking University Outline Outline Motivation and Goal Previous work Review of video decoding

741 views • 30 slides
Dynamical Systems Continuous maps of metric spaces We work with metric spaces, usually a

Dynamical Systems Continuous maps of metric spaces We work with metric spaces, usually a

Dynamical Systems Continuous maps of metric spaces We work with metric spaces, usually a subset of R n with the Euclidean norm. A map of metric spaces F : X Y is continuous at x X if it preserves the limits of convergent sequences,

409 views • 17 slides

More recommend