A POLYNOMIAL-TIME ATTACK ON THE McELIECE SCHEME BASED ON GEOMETRIC CODES
(Une attaque polynomiale du schéma de McEliece basé sur les codes géométriques)
A. Couvreur (1), I. Márquez-Corbella (1), R. Pellikaan (2)
(1) INRIA Saclay & LIX
(2) Department of Mathematics and Computing Science, TU/e
Caramel Seminars - Thursday June 19, 2014
(slide 1/51)

Outline:
  Introduction: Coding theory; Decoding problem; Public-key cryptosystems; McEliece cryptosystem
  Proposals: GRS codes; Subcodes of GRS codes; Binary Reed-Muller codes; AG codes; Binary Goppa codes
  Decoding by ECP: ECP for GRS; ECP for AG
  The attack: Context; P-filtration; §5.1 Compute B; Non-degenerate B; Complexity
  Examples: Hermitian curves; Suzuki curves
  Conclusions
INTRODUCTION TO CODING THEORY (slide 2/51)

An $[n, k]$ linear code $C$ over $\mathbb{F}_q$ is a $k$-dimensional subspace of $\mathbb{F}_q^n$. Its size is $M = q^k$, the information rate is $R = k/n$ and the redundancy is $n - k$.

The generator matrix of $C$ is a $k \times n$ matrix $G$ whose rows form a basis of $C$, i.e.
$$C = \{ xG \mid x \in \mathbb{F}_q^k \}.$$

The parity-check matrix of $C$ is an $(n - k) \times n$ matrix $H$ whose nullspace is generated by the codewords of $C$, i.e.
$$C = \{ y \in \mathbb{F}_q^n \mid H y^T = 0 \}.$$

The Hamming distance between $x, y \in \mathbb{F}_q^n$ is $d_H(x, y) = |\{ i \mid x_i \neq y_i \}|$.

The minimum distance of $C$ is
$$d(C) = \min \{ d_H(c_1, c_2) \mid c_1, c_2 \in C \text{ and } c_1 \neq c_2 \}.$$

FIGURE: If $d(C) = 3$. FIGURE: If $d(C) = 4$. (Codewords $x_1$, $x_2$ and a received word $y$.)
DECODING LINEAR CODES (slide 3/51)

The decoding problem:
  Input: a generator matrix $G \in \mathbb{F}_q^{k \times n}$ of $C$ and the received word $y \in \mathbb{F}_q^n$.
  Output: a closest codeword $c$, i.e.
  $$c \in C : \quad d_H(c, y) = \min \{ d_H(\hat{c}, y) \mid \hat{c} \in C \}.$$

Decoding arbitrary linear codes: exponential complexity.

DECODING SPECIAL CLASSES OF CODES

Efficient decoding algorithms up to half the minimum distance exist for:
  1. Generalized Reed-Solomon codes
  2. Goppa codes
  3. Algebraic geometry codes
Polynomial complexity $\sim O(n^3)$.

References: Peterson, Arimoto, 1960; Berlekamp-Massey, 1963; Sudan, Guruswami, 1997; Justesen-Larsen-Havemose-Jensen-Høholdt, 1989; Skorobogatov-Vladut, 1990; Sakata, 1990; Feng-Rao, Duursma, 1993.
PUBLIC-KEY CRYPTOSYSTEMS (slide 4/51)

MOST PKC ARE BASED ON NUMBER-THEORETIC PROBLEMS: RSA, DSA, ECDSA, ECC, HECC.
➜ They can be attacked in polynomial time using Shor's algorithm.
McELIECE CRYPTOSYSTEM (slide 5/51)

➜ McEliece introduced the first PKC based on error-correcting codes in 1978.

Advantages:
  1. Fast encryption (matrix-vector multiplication) and decryption functions.
  2. Interesting candidate for post-quantum cryptography.
Drawback:
  ➣ Large key size.

R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 42-44:114-116, 1978.
McELIECE CRYPTOSYSTEM (slide 6/51)

Consider any triplet $(C, A_C, t)$:
  ➜ $C$: an $[n, k]_q$ linear code with an efficient decoding algorithm.
    ➠ Let $G$ be a non-structured generator matrix of $C$.
  ➜ $A_C$: an "efficient" decoding algorithm for $C$ which corrects up to $t$ errors.
  ➜ $t \in \mathbb{N}^*$: the error-correcting capacity of $C$.
McELIECE CRYPTOSYSTEM (slide 7/51)

KEY GENERATION
Given $(C, A_C, t)$:
  1. McEliece public key: $K_{pub} = (G, t)$
  2. McEliece private key: $K_{secret} = (A_C)$

ENCRYPTION
Encrypt a message $m \in \mathbb{F}_q^k$ as
$$y = mG + e$$
where $e$ is a random error vector of weight at most $t$.

DECRYPTION
Using $K_{secret}$, the receiver obtains $m$.
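A toy instance of the key generation, encryption and decryption steps above, added here as an example and not part of the original slides: it uses the binary [7,4] Hamming code with t = 1, hides the structured generator matrix G0 behind a random invertible scrambler S and a permutation P (G_pub = S·G0·P, the classic McEliece way of obtaining a "non-structured" generator matrix, which the slide leaves implicit), and uses syndrome decoding as the secret decoder A_C. All matrices, parameters and function names are constructed for this example.

```python
import random
# Toy McEliece over F_2 on the [7,4] Hamming code (t = 1), constructed example:
# G0 = [I | A] is the secret structured generator matrix, H0 = [A^T | I] its
# parity-check matrix, and the secret decoder A_C is syndrome decoding.
G0 = [[1,0,0,0,1,1,0],[0,1,0,0,1,0,1],[0,0,1,0,0,1,1],[0,0,0,1,1,1,1]]
H0 = [[1,1,0,1,1,0,0],[1,0,1,1,0,1,0],[0,1,1,1,0,0,1]]
K, N, T = 4, 7, 1
def matmul(A, B):  # matrix product over F_2
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]
def inverse_mod2(M):  # Gauss-Jordan over F_2; None if M is singular
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]
def keygen(rng):  # public key (G_pub, t) with G_pub = S*G0*P; private key (S, P)
    while True:  # random invertible scrambler S
        S = [[rng.randint(0, 1) for _ in range(K)] for _ in range(K)]
        if inverse_mod2(S) is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]  # permutation matrix
    return (matmul(matmul(S, G0), P), T), (S, P)
def encrypt(m, pub, rng):  # y = m*G_pub + e with wt(e) = t
    G_pub, t = pub
    e = [0] * N
    for i in rng.sample(range(N), t):
        e[i] = 1
    return [(c + ei) % 2 for c, ei in zip(matmul([m], G_pub)[0], e)]
def decrypt(y, priv):
    S, P = priv
    y2 = matmul([y], inverse_mod2(P))[0]  # undo P: y2 = (mS)*G0 + e' with wt(e') = 1
    synd = [sum(h * v for h, v in zip(row, y2)) % 2 for row in H0]
    if any(synd):  # a nonzero syndrome is column j of H0: the error sits at position j
        y2[[list(col) for col in zip(*H0)].index(synd)] ^= 1
    return matmul([y2[:K]], inverse_mod2(S))[0]  # G0 is systematic: first K bits are mS
def roundtrip(m, seed=0):  # returns (decrypted message, weight of the error actually added)
    rng = random.Random(seed)
    pub, priv = keygen(rng)
    y = encrypt(m, pub, rng)
    wt = sum((a + b) % 2 for a, b in zip(y, matmul([m], pub[0])[0]))
    return decrypt(y, priv), wt
```

With t = 1 the syndrome of the unpermuted ciphertext is exactly the column of H0 at the error position, which is why the decoder needs no search; for larger t the same shape holds with a real GRS, Goppa or AG decoder in place of the syndrome lookup.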
PROPOSALS (slide 8/51)

Several proposals of codes for the McEliece scheme:
  - GRS codes
  - Subcodes of GRS codes
  - Binary Reed-Muller codes
  - Binary Goppa codes
  - AG codes
GRS CODES (slide 9/51)

➮ The class of GRS codes was proposed by Niederreiter in 1986 for code-based PKC.
✖ Sidelnikov-Shestakov in 1992 introduced an algorithm that breaks this proposal in polynomial time.

  Parameters            | Key size    | Security level
  [256, 128, 129]_256   | 67 ko (kB)  | 2^95
SUBCODES OF GRS CODES I (slide 10/51)

➮ Berger and Loidreau in 2005 propose another version of the Niederreiter scheme designed to resist the Sidelnikov-Shestakov attack.
  ➜ Main idea: work with subcodes of the original GRS code.

✖ Attacks:
  ✖ Wieschebrink (2010): presents the first feasible attack on the Berger-Loidreau cryptosystem, but it is impractical for small subcodes. Notes that if the square code of a subcode of a GRS code of parameters $[n, k]_q$ is itself a GRS code of dimension $2k - 1$, then we can apply the Sidelnikov-Shestakov attack.
  ✖ M-Martínez-Pellikaan (2012): give a characterization of the possible parameters that should be used to avoid attacks on the Berger-Loidreau cryptosystem.
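To make the square-code condition above concrete, here is an added example (not from the slides or the authors' code) that computes the dimension of $C * C$, the span of all coordinate-wise products of codewords, over $\mathbb{F}_{31}$ for a GRS code, for a random subcode of it, and for a random code with the same parameters. The function names, the prime 31 and the parameters n = 20, k = 6, kp = 5 are constructed for the example; a designer can run such a check to see that a subcode of a GRS code still exposes the GRS structure through its square, whereas a random code does not.

```python
import random
# Square-code dimension check over F_p (constructed example, p = 31): the span of all
# coordinate-wise products C*C has dimension 2k-1 for a GRS [n,k] code, at most 2k-1
# for any subcode of it, and about min(n, k(k+1)/2) for a random code.
P = 31
def rank_mod_p(rows):  # Gaussian elimination over F_p; entries are assumed reduced mod P
    M = [r[:] for r in rows]
    rank = 0
    for c in range(len(M[0])):
        piv = next((r for r in range(rank, len(M)) if M[r][c]), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][c], P - 2, P)
        M[rank] = [x * inv % P for x in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][c]:
                f = M[r][c]
                M[r] = [(x - f * y) % P for x, y in zip(M[r], M[rank])]
        rank += 1
    return rank
def grs_generator(n, k, rng):  # GRS_k(x, y) generated by the rows (y_i * x_i^j)_i, j < k
    xs = rng.sample(range(P), n)                  # distinct evaluation points
    ys = [rng.randrange(1, P) for _ in range(n)]  # nonzero column multipliers
    return [[y * pow(x, j, P) % P for x, y in zip(xs, ys)] for j in range(k)]
def random_subcode(G, kp, rng):  # kp random F_p-linear combinations of the rows of G
    coeffs = [[rng.randrange(P) for _ in G] for _ in range(kp)]
    return [[sum(c * g for c, g in zip(cs, col)) % P for col in zip(*G)] for cs in coeffs]
def square_code_dim(G):  # dim C*C from the products of all pairs of generator rows
    prods = [[a * b % P for a, b in zip(G[i], G[j])]
             for i in range(len(G)) for j in range(i, len(G))]
    return rank_mod_p(prods)
def compare(n=20, k=6, kp=5, seed=0):
    """Square-code dimensions of a GRS code, a random kp-dimensional subcode of it,
    and a random [n, k] code with the same parameters."""
    rng = random.Random(seed)
    grs = grs_generator(n, k, rng)
    sub = random_subcode(grs, kp, rng)
    rnd = [[rng.randrange(P) for _ in range(n)] for _ in range(k)]
    return square_code_dim(grs), square_code_dim(sub), square_code_dim(rnd)
```

For n = 20, k = 6 the GRS square has dimension exactly 2k - 1 = 11 whenever 2k - 1 <= n, the subcode's square is bounded by that same 11, and the random code's 21 product vectors almost always span far more; a subcode of dimension kp with kp(kp+1)/2 >= 2k - 1 is exactly the situation Wieschebrink's note describes.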
SUBCODES OF GRS CODES II (slide 11/51)

➮ Wieschebrink (2010) and Baldi et al. (2011) proposed other variants of the Niederreiter scheme.
✖ Attacks: Couvreur et al. (2013) provide a cryptanalysis of these schemes.