On the security of Some Compact Keys for McEliece Scheme (PowerPoint PPT presentation)


  1. On the security of Some Compact Keys for McEliece Scheme. Élise Barelli, INRIA Saclay and LIX, CNRS UMR 7161, École Polytechnique, 91120 Palaiseau Cedex. June 16, 2017. E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 1 / 35

  2. Outline
     1 McEliece scheme
     2 Algebraic-geometry codes
     Security of Quasi-cyclic Alternant Codes on $\mathbb{P}^1$
       3 Induced permutations of Alternant Codes: Invariant and Folded Codes; Alternant codes on cyclic cover of $\mathbb{P}^1$
       4 Codes with automorphisms: Security
     5 Alternant codes on the Hermitian curve: Invariant code and quotient curve; Security analysis
     6 Conclusion

  3. Section divider: McEliece scheme

  4-5. McEliece scheme
     It is the first public-key cryptosystem based on error-correcting codes.
     Advantages: fast encryption and decryption; candidate for post-quantum cryptography.
     Drawback: large key size.
     Structural attacks. Let $\mathcal{F}$ be any family of linear codes, and let $G$ be a random-looking generator matrix of a code $C \in \mathcal{F}$. From $G$, can we recover the structure of the code $C$?
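The scheme on this slide, as an added toy example that is not part of the talk: the public key is the random-looking generator matrix $G_{\mathrm{pub}} = S \cdot G \cdot P$ of the structural-attack question, encryption adds $t$ errors to $m \cdot G_{\mathrm{pub}}$, and decryption works only because the secret $S$, $P$ and the decoder for $G$ are known. It assumes a binary Hamming [7,4,3] code (correcting $t = 1$ error) in place of a long binary Goppa code, so it has no security at all and only shows the structure; the function names (`keygen`, `encrypt`, `decrypt`) and the seeded PRNG for $S$ and $P$ are my choices.

```python
# Added toy McEliece (not from the slides): binary Hamming [7,4,3] code, t = 1.
# Illustrative only: a real instance uses a long binary Goppa code. The scheme
# structure (public key S*G*P, ciphertext m*G_pub + e) is what this shows.
import random

N, K, T = 7, 4, 1
# Parity block A of a systematic Hamming generator G = [I_4 | A] (constructed here).
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G = [[int(i == j) for j in range(K)] + A[i] for i in range(K)]
# Parity-check matrix H = [A^T | I_3]; its 7 columns are distinct and nonzero,
# so the syndrome of a single error identifies the error position.
H = [[A[i][r] for i in range(K)] + [int(r == j) for j in range(N - K)]
     for r in range(N - K)]
H_COLS = [[H[r][i] for r in range(N - K)] for i in range(N)]

def matmul(X, Y):
    """Matrix product over GF(2)."""
    return [[sum(X[i][l] & Y[l][j] for l in range(len(Y))) & 1
             for j in range(len(Y[0]))] for i in range(len(X))]

def inverse(M):
    """Gauss-Jordan inverse over GF(2); raises ValueError if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            raise ValueError("singular")
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def keygen(seed=1):
    """Secret key: S^-1, the permutation (as an index list) and the Hamming decoder.
    Public key: G_pub = S*G*P, which hides the systematic Hamming structure."""
    rng = random.Random(seed)
    while True:                          # draw S until it is invertible
        S = [[rng.randint(0, 1) for _ in range(K)] for _ in range(K)]
        try:
            S_inv = inverse(S)
            break
        except ValueError:
            continue
    perm = list(range(N))
    rng.shuffle(perm)                    # P moves coordinate i to position perm[i]
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    return matmul(matmul(S, G), P), (S_inv, perm)

def encrypt(G_pub, m, err_pos):
    """c = m*G_pub + e with a single error at err_pos (weight t = 1)."""
    c = matmul([m], G_pub)[0]
    c[err_pos] ^= 1
    return c

def decrypt(sk, c):
    """Undo P, correct one error via the Hamming syndrome, then strip S."""
    S_inv, perm = sk
    v = [c[perm[i]] for i in range(N)]   # v = m*S*G + e*P^-1, still weight-1 error
    syndrome = [sum(H[r][i] & v[i] for i in range(N)) & 1 for r in range(N - K)]
    if any(syndrome):                    # syndrome equals the column of the error position
        v[H_COLS.index(syndrome)] ^= 1
    return matmul([v[:K]], S_inv)[0]     # G is systematic: first K coordinates are m*S

if __name__ == "__main__":
    pk, sk = keygen()
    m = [1, 0, 1, 1]
    c = encrypt(pk, m, 5)
    print("public generator matrix:", pk)
    print("ciphertext:", c, "-> decrypts to", decrypt(sk, c))
```

The decoder corrects exactly $t = 1$ error; flipping a second ciphertext bit lands on a different codeword and the recovered message is wrong, which is the "at most $t$ errors" contract of the scheme. The public key is the full $k \times n$ matrix `pk`, which is why the key size grows with the code length the security level demands.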

  6-10. McEliece scheme: Some proposals
     Binary Goppa codes (McEliece, 1978) → no structural attack
     Generalised Reed-Solomon (GRS) codes (Niederreiter, 1986) → [Sidelnikov, Shestakov, 1992]
     Algebraic-geometry (AG) codes (Janwa, Moreno, 1996) → [Faure, Minder, 2009], [Couvreur, Márquez-Corbella, Pellikaan, 2014]
     Concatenation of AG codes (Janwa, Moreno, 1996) → [Sendrier, 1998] (for all concatenated codes)
     Subfield subcodes of AG codes (Janwa, Moreno, 1996) → no structural attack

  11. McEliece scheme: Some proposals with compact keys
     Quasi-cyclic alternant codes (Berger, Cayrel, Gaborit, Otmani, 2009)
     Quasi-dyadic alternant codes (Misoczki, Barreto, 2009)
     Structural attacks: [Faugère, Otmani, Perret, Tillich, 2010], [Faugère, Otmani, Perret, Portzamparc, Tillich, 2015], [B., 2017]

  12. Section divider: Algebraic-geometry codes

  13. Algebraic-geometry codes: Functions on a curve $X$
     We consider an algebraic curve $X \subset \mathbb{P}^2(\mathbb{F}_{q^m})$ with affine equation $F(x, y) = 0$. The function field of $X$ over $\mathbb{F}_{q^m}$, denoted $\mathbb{F}_{q^m}(X)$, is the fraction field of $\mathbb{F}_{q^m}[x, y]/(F)$.
     A divisor of $X$ is a formal sum, with integer coefficients, of points of $X$. For $g \in \mathbb{F}_{q^m}(X)$, the principal divisor of $g$, denoted $(g)$, is the formal sum of the zeros and poles of $g$, counted with multiplicity.
     We denote by $L(G) := \{ g \in \mathbb{F}_{q^m}(X) \mid (g) \geq -G \} \cup \{0\}$ the Riemann-Roch space associated to a divisor $G$.

  14. Algebraic-geometry codes: AG codes on $X$
     Definition. Let $\mathcal{P} = \{P_1, \ldots, P_n\}$ be a set of $n$ distinct rational points of $X$ and $G$ be a divisor; then the AG code $C_L(X, \mathcal{P}, G)$ is defined by
     $$C_L(X, \mathcal{P}, G) := \{ \mathrm{Ev}_{\mathcal{P}}(f) \mid f \in L(G) \}.$$
     Dual (over $\mathbb{F}_{q^m}$): $C_L(X, \mathcal{P}, G)^{\perp} = C_L(X, \mathcal{P}, G')$.
     Subfield subcode: $C_L(X, \mathcal{P}, G') \cap \mathbb{F}_q^n$.
     $$\mathcal{A}_r(X, \mathcal{P}, G) := C_L(X, \mathcal{P}, G') \cap \mathbb{F}_q^n, \quad \text{where } r = \dim C_L(X, \mathcal{P}, G).$$

  15. Section divider: Security of Quasi-cyclic Alternant Codes on $\mathbb{P}^1$

  16-17. Security of Quasi-cyclic Alternant Codes on $\mathbb{P}^1$ / Induced permutations of Alternant Codes: AG codes on $\mathbb{P}^1$
     Let $\mathcal{P} = \{P_1, \ldots, P_n\}$ be a set of $n$ distinct points of $\mathbb{P}^1_{\mathbb{F}_{q^m}}$ and $G$ be a divisor; then the AG code $C_L(\mathbb{P}^1, \mathcal{P}, G)$ is defined by
     $$C_L(\mathbb{P}^1, \mathcal{P}, G) := \{ \mathrm{Ev}_{\mathcal{P}}(f) \mid f \in L(G) \}.$$
     Proposition. The AG code $C_L(\mathbb{P}^1, \mathcal{P}, G)$ is the GRS code
     $$\mathrm{GRS}_k(x, y) := \{ (y_1 f(x_1), \ldots, y_n f(x_n)) \mid f \in \mathbb{F}_{q^m}[X]_{<k} \},$$
     where $\mathcal{P} := \{ (x_i : 1) \mid i \in \{1, \ldots, n\} \}$ and $G := (k-1) P_\infty - (g)$, with $g \in \mathbb{F}_{q^m}(\mathbb{P}^1)$ a function such that $g(x_i) = y_i \neq 0$ for all $i \in \{1, \ldots, n\}$.

  18-19. Security of Quasi-cyclic Alternant Codes on $\mathbb{P}^1$ / Induced permutations of Alternant Codes: Automorphism group of $\mathbb{P}^1$
     $\mathrm{PGL}_2(\mathbb{F}_{q^m})$ is the automorphism group of the projective line $\mathbb{P}^1_{\mathbb{F}_{q^m}}$, defined by
     $$\mathrm{PGL}_2(\mathbb{F}_{q^m}) := \left\{ \begin{array}{ccc} \mathbb{P}^1_{\mathbb{F}_{q^m}} & \to & \mathbb{P}^1_{\mathbb{F}_{q^m}} \\ (x : y) & \mapsto & (ax + by : cx + dy) \end{array} \;\middle|\; a, b, c, d \in \mathbb{F}_{q^m},\ ad - bc \neq 0 \right\}.$$
     Remark. The permutations in $\mathrm{PGL}_2(\mathbb{F}_{q^m})$ also have a matrix representation: for all $\sigma \in \mathrm{PGL}_2(\mathbb{F}_{q^m})$ we write $\sigma := \begin{pmatrix} a & b \\ c & d \end{pmatrix}$ with $ad - bc \neq 0$, where the entries $a, b, c, d$ are defined up to multiplication by a nonzero scalar.

  20. Security of Quasi-cyclic Alternant Codes on $\mathbb{P}^1$ / Induced permutations of Alternant Codes: Support and divisor $\sigma$-invariant
     Let $\sigma$ be an automorphism of $\mathbb{P}^1_{\mathbb{F}_{q^m}}$. For a point $Q \in \mathbb{P}^1$, we denote $\mathrm{Orb}_\sigma(Q) := \{ \sigma^j(Q) \mid j \in \{1, \ldots, \ell\} \}$. We define the support
     $$\mathcal{P} := \bigcup_{i=1}^{n/\ell} \mathrm{Orb}_\sigma(Q_i), \qquad (1)$$
     where the points $Q_i \in \mathbb{P}^1_{\mathbb{F}_{q^m}}$ lie in pairwise distinct orbits and have trivial stabilizer subgroup (so every orbit has exactly $\ell$ points and $|\mathcal{P}| = n$).
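Equation (1) and the induced permutation of the preceding slides, as an added example that is not part of the talk. It assumes $q^m = p = 13$ (a prime, so field arithmetic is plain modular arithmetic), $\sigma : x \mapsto 3x + 1$ written as the matrix $\begin{pmatrix} 3 & 1 \\ 0 & 1 \end{pmatrix}$, $\ell$ equal to the order of $\sigma$ as a permutation of $\mathbb{P}^1$, and $y_i = 1$ for all $i$. It decomposes $\mathbb{P}^1(\mathbb{F}_{13})$ into $\sigma$-orbits, keeps the orbits with trivial stabilizer as the support $\mathcal{P}$, and then goes one step past the slide: for an affine $\sigma$ the map $f \mapsto f \circ \sigma$ preserves $\deg f < k$, so the coordinate permutation that $\sigma$ induces on $\mathcal{P}$ maps $\mathrm{GRS}_k(x, 1)$ onto itself (the quasi-cyclic structure), whereas an arbitrary transposition of coordinates does not. Function names (`apply`, `orbits`, `support`, `is_invariant`, ...) are mine.

```python
# Added example (not from the slides): sigma-orbits on P^1(F_p) as in equation (1),
# and a check that the GRS code on that support is invariant under the coordinate
# permutation sigma induces. Assumptions: q^m = p = 13 (prime), y_i = 1, and
# sigma = [[3, 1], [0, 1]], i.e. x -> 3x + 1, which has order 3 on P^1(F_13).

p = 13            # plays the role of q^m in the slides
INF = None        # the point P_inf = (1 : 0); every other point (x : 1) is stored as x
SIGMA = ((3, 1), (0, 1))

def apply(mat, pt):
    """Apply sigma = [[a, b], [c, d]] in PGL_2(F_p) to a point of P^1(F_p)."""
    (a, b), (c, d) = mat
    assert (a * d - b * c) % p != 0, "not an element of PGL_2"
    if pt is INF:                                  # (1 : 0) -> (a : c)
        return INF if c % p == 0 else (a * pow(c, -1, p)) % p
    num, den = (a * pt + b) % p, (c * pt + d) % p
    return INF if den == 0 else (num * pow(den, -1, p)) % p

def order(mat):
    """Order l of sigma as a permutation of P^1(F_p): the smallest l with sigma^l = id."""
    pts = [INF] + list(range(p))
    cur, l = [apply(mat, q) for q in pts], 1
    while cur != pts:
        cur, l = [apply(mat, q) for q in cur], l + 1
    return l

def orbits(mat):
    """Split P^1(F_p) into sigma-orbits. 'free' orbits have trivial stabilizer
    (exactly l points); the others belong to points with a non-trivial stabilizer."""
    l = order(mat)
    seen, free, fixed = set(), [], []
    for q in [INF] + list(range(p)):
        if q in seen:
            continue
        orb, cur = [], q
        while cur not in orb:                      # walk sigma^j(q) until the orbit closes
            orb.append(cur)
            cur = apply(mat, cur)
        seen.update(orb)
        (free if len(orb) == l else fixed).append(orb)
    return l, free, fixed

def support(mat):
    """Equation (1): P = union of the n/l orbits Orb_sigma(Q_i) with trivial stabilizer."""
    _, free, _ = orbits(mat)
    return [q for orb in free for q in orb]

def grs_generator(xs, ys, k):
    """Generator matrix of GRS_k(x, y): row j is (y_i * x_i^j)_i for j = 0..k-1."""
    return [[(y * pow(x, j, p)) % p for x, y in zip(xs, ys)] for j in range(k)]

def rank_mod_p(rows):
    """Rank over F_p by Gaussian elimination."""
    m, rank = [r[:] for r in rows], 0
    for col in range(len(m[0])):
        piv = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(v * inv) % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(vi - f * vr) % p for vi, vr in zip(m[i], m[rank])]
        rank += 1
    return rank

def induced_permutation(xs, mat):
    """Coordinate permutation pi with sigma(x_i) = x_{pi(i)}; needs a sigma-stable support."""
    return [xs.index(apply(mat, x)) for x in xs]

def is_invariant(G, perm):
    """True iff every codeword, permuted by perm, is again a codeword (the rank does not grow)."""
    permuted = [[row[j] for j in perm] for row in G]
    return rank_mod_p(G + permuted) == rank_mod_p(G)

if __name__ == "__main__":
    l, free, fixed = orbits(SIGMA)
    P = support(SIGMA)
    G = grs_generator(P, [1] * len(P), k=4)
    print("l =", l, "free orbits:", free, "points with non-trivial stabilizer:", fixed)
    print("n =", len(P), "GRS_4 invariant under sigma:", is_invariant(G, induced_permutation(P, SIGMA)))
    print("invariant under a transposition of coordinates 0,1:", is_invariant(G, [1, 0] + list(range(2, len(P)))))
```

The two points left out of the support are $P_\infty$ and $x = 6$ (the fixed point of $3x + 1$), exactly the points with non-trivial stabilizer that equation (1) excludes; the remaining 12 points form $n/\ell = 4$ orbits of length 3. The invariance check is a rank test: appending the permuted generator rows to $G$ must not increase the rank, which holds for the permutation induced by $\sigma$ and fails for an unrelated transposition.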
