

  1. Low weight polynomials in crypto Thomas Johansson Dept of EIT, Lund University, Sweden FSE 2014 Thomas Johansson Low weight polynomials in crypto

  2. Contents
  • PART I: Applications of low weight polynomials in crypto
    1 Fast correlation attacks (cryptanalysis)
    2 TCHo (design)
    3 MDPC (design)
  • PART II: How to find a low weight multiple of a polynomial
    1 Weight 3, 4, 5 and finding all existing multiples
    2 Larger weight and finding all existing multiples

  3. Problem
  Problem: Low-Weight Polynomial Multiple (LWPM). Given a polynomial $P(x) \in \mathbb{F}_2[x]$ of degree $d_P$, find all multiples of $P(x)$ of degree $\le d$ (if such exist) with $w$ nonzero coefficients.

  4. I.1 Correlation attacks on stream ciphers
  [Figure: a keystream generator outputs $z_1, z_2, \ldots$; the plaintext $m_1, m_2, \ldots$ is XORed with the keystream to give the ciphertext $c_1, c_2, \ldots$]
  • The keystream generator contains one or several LFSRs.
  • Observed keystream sequence $z_1, z_2, \ldots, z_N$.

  5. Correlation attacks
  [Figure: a nonlinear combining generator. LFSR 1, ..., LFSR n output $x_i^{(1)}, \ldots, x_i^{(n)}$, which a nonlinear function $f$ combines into the keystream bit $z_i$.]

  6. Correlation attacks
  [Figure: the key generator outputs $z_i$; a single LFSR with feedback polynomial $g(x)$ outputs $u_i$. The relation between $U$ and $Z$ is modelled as a binary symmetric channel (BSC) with crossover probability $p$: $0 \to 0$ and $1 \to 1$ with probability $1 - p$, $0 \to 1$ and $1 \to 0$ with probability $p$.]
  • A correlation attack is possible if $P(z_i = u_i) \neq 0.5$.

  7. Meier-Staffelbach original approach
  • The feedback polynomial $g(x) = 1 + g_1 x + g_2 x^2 + \ldots + x^l$.
  • Recurrence relation $u_n = g_1 u_{n-1} + g_2 u_{n-2} + \ldots + u_{n-l}$.
  • Assume a low weight of $g(x)$, weight $w$.
  • We get in this way $w$ different low weight parity check equations for $u_n$.

  8. Correlation attacks: finding more low weight parity checks
  • Any multiple of $g(x)$ gives a recurrence relation.
  • Use $g(x)^j = g(x^j)$ for $j = 2^i$.
  • Create new polynomials by $g_{k+1}(x) = g_k(x)^2$, $k = 1, 2, \ldots$.
  • This squaring is continued until the degree of $g_k(x)$ is greater than the length $N$ of the observed keystream.
  • Each $g_k(x)$ is of weight $w$ and hence each gives $w$ new parity check equations for a fixed position $u_n$.

  9. A simple distinguisher
  • $z_n = u_n + e_n$, $n = 1, 2, \ldots$.
  • $\Pr(e_n = 0) = 1 - p = \frac{1}{2}(1 + \epsilon)$.
  • Recurrence relations of weight $w$: $u_n + g_1 u_{n-1} + g_2 u_{n-2} + \ldots + u_{n-l} = 0$.
  • Form $S_n = z_n + g_1 z_{n-1} + g_2 z_{n-2} + \ldots + z_{n-l}$.
  • Verify that $P(S_n = 0) = P(e_n + g_1 e_{n-1} + g_2 e_{n-2} + \ldots + e_{n-l} = 0) = 1/2 + \epsilon^w$.
  • Collect $1/\epsilon^{2w}$ such samples to distinguish $z_1, z_2, \ldots, z_N$ from a random sequence.
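The mechanism of slides 8 and 9 on a toy instance, as an added example (this is not code from the talk): an LFSR with the constructed weight-3 feedback polynomial $g(x) = 1 + x^3 + x^{17}$, keystream $z_n = u_n + e_n$ obtained through a BSC with $p = 0.25$, and the parity check polynomials $g_k(x) = g(x)^{2^k}$ produced by repeated squaring. The script measures $P(S_n = 0)$ for every $g_k(x)$ and compares it with $\frac{1}{2}(1 + \epsilon^w)$, which is what the piling-up lemma gives under the slide's convention $\Pr(e_n = 0) = \frac{1}{2}(1 + \epsilon)$. Polynomials are Python integers with bit $i$ holding the coefficient of $x^i$; the function names are this example's own.

```python
import random

# Polynomials over F_2 are Python ints: bit i holds the coefficient of x^i.
# Constructed toy instance: g(x) = 1 + x^3 + x^17 (weight 3, degree l = 17).
G = (1 << 17) | (1 << 3) | 1


def lfsr_sequence(g, length, init_state):
    """u_n = g_1 u_{n-1} + ... + g_l u_{n-l} (mod 2), the recurrence of slide 7."""
    l = g.bit_length() - 1
    taps = [i for i in range(1, l + 1) if (g >> i) & 1]
    u = list(init_state)
    if len(u) != l:
        raise ValueError("initial state must have l bits")
    for n in range(l, length):
        u.append(sum(u[n - i] for i in taps) & 1)
    return u


def square_poly(g):
    """g(x)^2 = g(x^2) over F_2: every exponent i becomes 2i (slide 8)."""
    out, i = 0, 0
    while g >> i:
        if (g >> i) & 1:
            out |= 1 << (2 * i)
        i += 1
    return out


def parity_check_polys(g, n_obs):
    """g, g^2, g^4, ... for as long as the degree does not exceed the keystream length."""
    polys, gk = [], g
    while gk.bit_length() - 1 <= n_obs:
        polys.append(gk)
        gk = square_poly(gk)
    return polys


def bsc(u, p, rng):
    """Binary symmetric channel: flip each bit independently with probability p."""
    return [b ^ (1 if rng.random() < p else 0) for b in u]


def parity_check_fraction(z, m):
    """Fraction of positions n with S_n = sum_{i in supp(m)} z_{n-i} = 0.
    Term x^i of the check polynomial corresponds to z_{n-i}, as on slide 7."""
    support = [i for i in range(m.bit_length()) if (m >> i) & 1]
    deg = support[-1]
    zeros = 0
    for n in range(deg, len(z)):
        s = 0
        for i in support:
            s ^= z[n - i]
        zeros += (s == 0)
    return zeros / (len(z) - deg)


def run_demo(n_obs=1 << 15, p=0.25, seed=1):
    rng = random.Random(seed)
    init = [rng.randrange(2) for _ in range(17)]
    init[0] = 1                      # never start from the all-zero state
    u = lfsr_sequence(G, n_obs, init)
    z = bsc(u, p, rng)
    eps = 1 - 2 * p                  # Pr(e_n = 0) = 1 - p = (1 + eps) / 2
    w = bin(G).count("1")
    polys = parity_check_polys(G, n_obs)
    return {
        "weight": w,
        "epsilon": eps,
        "num_checks": len(polys),
        "expected": 0.5 * (1 + eps ** w),   # piling-up lemma for w noise terms
        "observed": [parity_check_fraction(z, m) for m in polys],
        "samples_needed": 1 / eps ** (2 * w),
    }


if __name__ == "__main__":
    res = run_demo()
    print("weight", res["weight"], "epsilon", res["epsilon"], "checks", res["num_checks"])
    print("expected P(S_n = 0):", res["expected"], "samples per slide 9:", res["samples_needed"])
    for k, frac in enumerate(res["observed"]):
        print(f"g_{k}(x) = g(x)^(2^{k}): observed P(S_n = 0) = {frac:.4f}")
```

With $\epsilon = 0.5$ and $w = 3$ every check, from $g(x)$ itself up to $g(x)^{2^{10}}$ of degree 17408, shows $P(S_n = 0) \approx 0.5625$ rather than $0.5$, which is the signal the distinguisher collects; setting `p=0.0` reproduces the noise-free case where every check holds exactly.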

  10. Correlation attacks
  [Figure: the LFSR/BSC model of slide 6 again: an LFSR with feedback polynomial $g(x)$ outputs $u_i$, which passes through a BSC with crossover probability $p$ to give $z_i$.]
  • General case: $g(x)$ is not of low weight.
  • How can we attack in this case? One answer: find a low weight multiple of $g(x)$.
  • How do we find a multiple of $g(x)$ of weight 3, 4, 5?
  • Example of an instance: if the length of the LFSR is 90 and the length of the received sequence is $N = 2^{33}$, what is the cost of finding a weight $w = 4$ multiple of $g(x)$?

  11. I.2 TCHo
  • TCHo is a public-key cryptosystem based on the low weight polynomial multiple problem (Aumasson, Finiasz, Meier, Vaudenay, 2006-2007).
  • Public key: polynomial $P(x)$.
  • Secret key: a multiple $K(x) = q(x) P(x)$, where $w_H(K(x)) = w$ is low.

  12. TCHo, encryption
  • $G_{rep}$, generator matrix of a repetition code of length $n$.
  • Plaintext $m \in \mathbb{F}_2^k$.
  • Generate a random string $r = (r_0\, r_1 \cdots r_{n-1})$ with bias $\Pr[r_i = 0] = \frac{1}{2}(1 + \gamma)$.
  • Generate an LFSR sequence $p$ with feedback polynomial $P(x)$ and a random starting state.
  Ciphertext generated as $c = m G_{rep} + r + p$.

  13. TCHo, decryption
  $$M = \begin{pmatrix} k_0 & k_1 & \cdots & k_{d_K} & & & \\ & k_0 & k_1 & \cdots & k_{d_K} & & \\ & & \ddots & \ddots & & \ddots & \\ & & & k_0 & k_1 & \cdots & k_{d_K} \end{pmatrix}$$
  $P(x)$ divides $K(x)$, so $pM^T = 0$. Compute $t = cM^T$.
  $t = (mG_{rep} + r + p)M^T = mG_{rep}M^T + rM^T + pM^T = mG_{rep}M^T + rM^T$.
  Each bit in $r$ was $\gamma$-biased. $K(x)$ has weight $w$ and consequently each element in $rM^T$ will be $\gamma^w$-biased. Majority decision decoding can be used to decode $t = m(G_{rep}M^T) + rM^T$.

  14. Parameters TCHo
  Example of an instance:
  • $K(x)$ of degree $d_K = 44677$ and weight $w = 25$,
  • Known polynomial $P(x)$ of degree $d_P = 4433$.
  • How do we find a weight 25 multiple of $P(x)$ of degree 44677?

  15. I.3 The McEliece PKC using QC-MDPC codes
  • Public-key cryptosystem (Misoczki, Tillich, Sendrier, Barreto).
  • Secret key: $H = (H_0\ H_1 \cdots H_{n_0-1})$, where each $H_i$ is a circulant $r \times r$ matrix with weight $w_i$ in each row and with $w = \sum w_i$.
  • Public key: $G = (I\ P)$, where
  $$P = \begin{pmatrix} P_0 \\ P_1 \\ \vdots \\ P_{n_0-2} \end{pmatrix} = \begin{pmatrix} (H_{n_0-1}^{-1} H_0)^T \\ (H_{n_0-1}^{-1} H_1)^T \\ \vdots \\ (H_{n_0-1}^{-1} H_{n_0-2})^T \end{pmatrix}.$$

  16. The McEliece PKC using QC-MDPC codes
  • $m \in \mathbb{F}_2^{(n-r)}$ plaintext. Multiply $m$ with the public key $G$ and add errors within the correction radius $t$ of the code, i.e., $c = mG + e$, where $w_H(e) \le t$.
  • Decoding: given the secret low-weight parity check matrix $H$, a low-complexity decoding procedure is used to obtain the plaintext $m$.

  17. The McEliece PKC using QC-MDPC codes
  • The scheme can be rewritten in polynomial form.
  • For $n_0 = 2$: let $h_1(x)$ represent $H_1$ and $h_0(x)$ represent $H_0$.
  • Known $P_0$ is represented by $P(x)$; we have
  $$h_1(x) P(x) \equiv h_0(x) \pmod{x^r + 1}. \quad (1)$$

  18. The McEliece PKC using QC-MDPC codes
  Example of an instance:
  • $r$ = degree of $h_i(x)$ = 4801. Weight $w_H(h_0(x)) = w_H(h_1(x)) = 45$.
  • For given $P(x)$ find $h_0$ and $h_1$ such that $h_1(x) P(x) \equiv h_0(x) \pmod{x^{4801} + 1}$.
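Relation (1) from slide 17, worked through on a toy ring as an added example that is not part of the talk: with $r = 13$ and the constructed secret halves $h_0(x) = x^4 + x + 1$ and $h_1(x) = x^5 + x^2 + 1$ (the real instance above uses $r = 4801$ and weight 45), the Python below computes $P(x) = h_1(x)^{-1} h_0(x) \bmod (x^r + 1)$ with the extended Euclidean algorithm, checks (1), and shows why (1) is what decoding relies on: in the polynomial form of the code with $G = (I\ P)$ the secret pair yields the parity check $h_0 c_0 + h_1 c_1$, which vanishes on a codeword and equals $h_0 e_0 + h_1 e_1$ on $c = mG + e$. The function names and toy values are this example's own.

```python
# Polynomials over F_2 are ints: bit i is the coefficient of x^i. All arithmetic
# is in the ring F_2[x]/(x^r + 1) of the slide's polynomial form (n_0 = 2).
# Constructed toy instance (the real parameters are r = 4801, weight 45):
R = 13
H0 = (1 << 4) | (1 << 1) | 1      # h_0(x) = x^4 + x + 1, weight 3
H1 = (1 << 5) | (1 << 2) | 1      # h_1(x) = x^5 + x^2 + 1, weight 3


def clmul(a, b):
    """Carry-less multiplication, i.e. the product in F_2[x]."""
    out = 0
    while b:
        if b & 1:
            out ^= a
        a <<= 1
        b >>= 1
    return out


def reduce_cyclic(a, r):
    """Reduce modulo x^r + 1: since x^r = 1, fold the bits at r and above onto 0 and above."""
    mask = (1 << r) - 1
    while a >> r:
        a = (a & mask) ^ (a >> r)
    return a


def mul_cyclic(a, b, r):
    return reduce_cyclic(clmul(a, b), r)


def poly_divmod(a, b):
    """Long division in F_2[x]: returns (quotient, remainder)."""
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q |= 1 << shift
        a ^= b << shift
    return q, a


def inverse_cyclic(h, r):
    """h(x)^{-1} mod (x^r + 1) by the extended Euclidean algorithm, or None when
    gcd(h(x), x^r + 1) != 1 (such an h cannot serve as the invertible key half)."""
    r0, r1 = (1 << r) | 1, h
    s0, s1 = 0, 1                    # invariant: s_i * h == r_i (mod x^r + 1)
    while r1:
        q, rem = poly_divmod(r0, r1)
        r0, r1 = r1, rem
        s0, s1 = s1, s0 ^ clmul(q, s1)
    return reduce_cyclic(s0, r) if r0 == 1 else None


def public_poly(h0, h1, r):
    """P(x) = h_1(x)^{-1} h_0(x) mod (x^r + 1), so that h_1 P = h_0, relation (1)."""
    inv = inverse_cyclic(h1, r)
    if inv is None:
        raise ValueError("h_1(x) is not invertible modulo x^r + 1")
    return mul_cyclic(inv, h0, r)


def encrypt(m, p, r, e0=0, e1=0):
    """c = mG + e with G = (I | P): in polynomial form c = (m + e_0, m P + e_1)."""
    return reduce_cyclic(m ^ e0, r), mul_cyclic(m, p, r) ^ e1


def syndrome(c0, c1, h0, h1, r):
    """h_0 c_0 + h_1 c_1: zero on a codeword because of (1); on c = mG + e it
    equals h_0 e_0 + h_1 e_1, which is what the decoder of slide 16 works from."""
    return mul_cyclic(h0, c0, r) ^ mul_cyclic(h1, c1, r)


if __name__ == "__main__":
    P = public_poly(H0, H1, R)
    print(f"P(x) = {P:#b}, weight {bin(P).count('1')} (the secret halves have weight 3)")
    print("relation (1) holds:", mul_cyclic(H1, P, R) == H0)
    m = 0b1011001010101                       # constructed 13-bit plaintext
    e0, e1 = 1 << 3, 1 << 9                   # constructed error pattern
    print("syndrome of error-free codeword:", syndrome(*encrypt(m, P, R), H0, H1, R))
    c0, c1 = encrypt(m, P, R, e0, e1)
    print("syndrome with errors equals h0 e0 + h1 e1:",
          syndrome(c0, c1, H0, H1, R) == mul_cyclic(H0, e0, R) ^ mul_cyclic(H1, e1, R))
```

For this instance $h_1(x)^{-1} = x^{12} + x^8 + x^7 + x^5 + x^4 + x^3 + x$ and $P(x) = x^{11} + x^8 + x^6 + x^5 + x^2 + x + 1$: the public polynomial is already denser than either secret half, and at the real size it is essentially random-looking, which is why recovering $h_0, h_1$ from $P$ is exactly the low weight multiple problem of slide 18.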

  19. II.1 Algorithms for finding low weight polynomial multiples
  • Many different approaches have been given.
  • We are looking for multiples of the type $q(x)P(x) = 1 + x^{i_1} + \ldots + x^{i_{w-1}}$, where $i_j \le N$.
  • When the algorithm finds expressions like $x^{i'_0} + x^{i'_1} + \ldots + x^{i'_{w-1}}$ it can be shifted to produce a multiple of the desired form.

  20. How large degree is needed?
  • $d_P = l$.
  • With $a, b, c, d \le 2^{l/4}$, create $2^{l/2}$ polynomials $x^a + x^b \bmod P(x)$, and equally many $x^c + x^d \bmod P(x)$. From the birthday paradox, collisions between the lists are expected, yielding $g(x) \mid (x^a + x^b + x^c + x^d)$.
  • Golić pointed out that a collision $x^a + x^b = x^c + x^d \pmod{P(x)}$ also yields $x^{a+\gamma} + x^{b+\gamma} + x^{c+\gamma} + x^{d+\gamma} = 0 \pmod{P(x)}$ for all $\gamma > 0$, thus creating additional collisions. But the birthday paradox does not suggest this many collisions.
  • For random polynomials, multiples of weight $w$ start showing up at degrees around $\alpha_t \cdot 2^{l/(w-1)}$, where $\alpha_t \approx 1$.

  21. Golić's Modified Approach
  Golić formulated an algorithm that searches for checks of weights $2v$ and $2v + 1$.
  • Create a list of the $\binom{N}{v}$ residues $x^{i_1} + \ldots + x^{i_v} \bmod P(x)$.
  • Sort and look for 0-matches and 1-matches, i.e., $(x^{i_{1,1}} + \ldots + x^{i_{1,v}}) + (x^{i_{2,1}} + \ldots + x^{i_{2,v}}) = b \pmod{P(x)}$, giving rise to a multiple of weight at most $2v + b$.
  • This algorithm requires time and memory about $\binom{N}{v}$.
  • If $w = 2v = 4$ then we need time and memory about $2^{2l/3}$.

  22. Using Zech's Logarithm
  • Penzhorn and Kühn.
  • Create $\mathbb{F}_{2^l}$ using $P(x)$. Use Zech's logarithm defined from a primitive element $\alpha \in \mathbb{F}_{2^l}$.
  • Zech's logarithm $z(i)$ is defined through $\alpha^{z(i)} = \alpha^i + 1$.
  • Multiples of weight 3 can be found by observing that $x^{z(i)} + x^i + 1$ is a multiple of $g(x)$. Therefore, logarithms $z(i)$ for $i = 1, 2, \ldots, T$ are computed until $z(i) \le N$ is found.
  • Logarithms can be computed rather efficiently, using e.g. a method by Coppersmith. Aiming at an overall success probability of $1 - e^{-1}$, one might e.g. use $N = 2^{l/2}$, $T = 2^{l/2}$.
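The two search methods of slides 21 and 22, implemented on a toy instance as an added example (not code from the talk): $P(x) = x^8 + x^4 + x^3 + x^2 + 1$ is a constructed primitive polynomial of degree $l = 8$ and weight 5, so it has no low weight multiple of its own. `find_weight3_multiples` follows slide 22, computing Zech's logarithm $z(i)$ from the power and log tables of $\alpha = x$ (brute-force tables, which is affordable at this size, in place of Coppersmith's method) and keeping every $x^{z(i)} + x^i + 1$ with $z(i) \le N$. `golic_search` follows slide 21 with $v = 2$: it buckets the residues $x^a + x^b \bmod P(x)$ for $a < b \le N$ and reports 0-matches (weight 4) and 1-matches (weight at most 5), shifted down to the form of slide 19. Polynomials are ints with bit $i$ the coefficient of $x^i$; the function names are this example's own.

```python
import itertools

# Polynomials over F_2 are ints: bit i is the coefficient of x^i.
# Constructed toy instance: P(x) = x^8 + x^4 + x^3 + x^2 + 1 (0x11D), a
# primitive polynomial of degree l = 8 and weight 5.
P8 = 0x11D


def poly_mod(a, m):
    """Remainder of a(x) modulo m(x) in F_2[x]."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a


def shift_down(m):
    """Divide out the largest power of x (slide 19: x does not divide P, so
    the result is still a multiple and has the form 1 + ...)."""
    while m and not m & 1:
        m >>= 1
    return m


def build_tables(p):
    """Power and log tables of alpha = x in F_2[x]/(p(x)); requires p primitive."""
    order = (1 << (p.bit_length() - 1)) - 1
    exp_t, log_t, val = [], {}, 1
    for i in range(order):
        if val in log_t:
            raise ValueError("x is not a primitive element modulo p(x)")
        exp_t.append(val)
        log_t[val] = i
        val = poly_mod(val << 1, p)
    return exp_t, log_t


def find_weight3_multiples(p, n_max, t_max):
    """Slide 22: alpha^z(i) = alpha^i + 1 makes x^z(i) + x^i + 1 a multiple of p(x).
    Scans i = 1..t_max and keeps the multiples with z(i) <= n_max."""
    exp_t, log_t = build_tables(p)
    found = []
    for i in range(1, t_max + 1):
        s = exp_t[i % len(exp_t)] ^ 1         # alpha^i + 1
        if s == 0:
            continue                           # alpha^i = 1 has no Zech logarithm
        z = log_t[s]
        if i < z <= n_max:                     # i < z drops the mirror image z(z(i)) = i
            found.append((1 << z) | (1 << i) | 1)
    return found


def golic_search(p, n_max):
    """Slide 21 with v = 2: bucket residues x^a + x^b mod p(x), 0 <= a < b <= n_max.
    A 0-match (equal residues) gives a weight-4 multiple; a 1-match (residues
    differing by 1) gives x^a + x^b + x^c + x^d + 1, weight at most 5.
    Returns {weight: sorted list of shifted-down multiples}."""
    xpow = [poly_mod(1 << i, p) for i in range(n_max + 1)]
    buckets = {}
    for a, b in itertools.combinations(range(n_max + 1), 2):
        buckets.setdefault(xpow[a] ^ xpow[b], []).append((1 << a) | (1 << b))
    found = {}
    for r, polys in buckets.items():
        for m1, m2 in itertools.combinations(polys, 2):          # 0-matches
            m = shift_down(m1 ^ m2)
            found.setdefault(bin(m).count("1"), set()).add(m)
        for m1 in polys:                                           # 1-matches
            for m2 in buckets.get(r ^ 1, []):
                m = shift_down(m1 ^ m2 ^ 1)
                found.setdefault(bin(m).count("1"), set()).add(m)
    return {w: sorted(s) for w, s in found.items()}


if __name__ == "__main__":
    for m in find_weight3_multiples(P8, n_max=32, t_max=32):
        print(f"weight 3, degree {m.bit_length() - 1}: {m:#x}, divisible:", poly_mod(m, P8) == 0)
    for w, ms in sorted(golic_search(P8, 20).items()):
        print(f"weight {w}: {len(ms)} multiples of degree <= 20, e.g. {ms[0]:#x}")
```

On this instance the Zech scan stops at $i = 1$ already, since $\alpha^{25} = \alpha + 1$ gives the weight-3 multiple $x^{25} + x + 1$, and the bucket search finds $x^{14} + x^4 + x + 1$ among the weight-4 multiples of degree at most 20, in line with slide 20's estimate that weight-$w$ multiples appear around degree $2^{l/(w-1)}$.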
