Weight two Masking in the McEliece system Violetta Weger University - PowerPoint PPT Presentation

Weight two Masking in the McEliece system Violetta Weger University of Zurich The 13th International Conference on Finite Fields and their Applications June 5, 2017 Violetta Weger Weight two Masking in the McEliece system

Outline 1 Preliminaries 2 BBCRS Scheme 3 Distinguisher Attack 4 Weight two Masking Violetta Weger Weight two Masking in the McEliece system

Preliminaries Violetta Weger Weight two Masking in the McEliece system

McEliece System Choose n = 2 m , t < n m and Γ a binary Goppa code of length n , dimension k ≥ n − mt , which can correct upto t errors. Γ has a generator matrix G of size k × n . Choose a k × k invertible matrix S and a n × n permutation matrix P and compute G ′ = SGP . ( G ′ , t ) Public Key = Private Key = ( S, G, P ) Violetta Weger Weight two Masking in the McEliece system

McEliece System Encryption: Let x ∈ F k 2 be the message and e ∈ F n 2 the error vector, s.t. wt( e ) ≤ t , then the cipher is computed as y = xG ′ + e. Decryption: Compute yP − 1 = xSG + eP − 1 , then xSG is a code word of Γ and since wt( eP − 1 ) ≤ t , we can apply the decoding algorithm and get xS and by multiplication with the inverse of S we get the message x . Violetta Weger Weight two Masking in the McEliece system

Niederreiter system Let F q be a finite field. Let 1 ≤ k < n ≤ q be integers. Construct a [ n, k ]-linear code C , that can correct upto t errors and has an efficient decoding algorithm. C has a parity check matrix H of size r × n , where r = n − k . Choose a r × r invertible matrix S and a n × n permutation matrix P and compute H ′ = SHP . ( H ′ , t ) Public Key = Private Key = ( S, H, P ) Violetta Weger Weight two Masking in the McEliece system

Niederreiter system Encryption: Let x ∈ F n q be the message, s.t. wt( x ) ≤ t , then the cipher is computed as y T = H ′ x T . Decryption: Compute S − 1 y T = HPx T = H ( xP T ) T . Since wt( xP T ) ≤ t , we can apply syndrome decoding to get xP T and by multiplication with the inverse of P T we get the message x . Violetta Weger Weight two Masking in the McEliece system

Square Code Definition (Schur Product) Let x, y ∈ F n q . The Schur product of x and y is x ⋆ y = ( x 1 y 1 , . . . , x n y n ) . Violetta Weger Weight two Masking in the McEliece system

Square Code Definition (Schur Product) Let x, y ∈ F n q . The Schur product of x and y is x ⋆ y = ( x 1 y 1 , . . . , x n y n ) . Definition (Schur Product of Codes and Square Code) Let A, B be two codes of length n . The Schur product of A and B is � A ⋆ B � = �{ a ⋆ b | a ∈ A, b ∈ B }� . If A = B , then we call � A ⋆ A � the square code of A and denote it by � A 2 � . Violetta Weger Weight two Masking in the McEliece system

Definitions Definition (Schur Matrix) Let G be a k × n matrix, with rows g i for 1 ≤ i ≤ k . We denote by S ( G ) the Schur matrix of G , which consists of the rows 2 ( k 2 + k ) × n . g i ⋆ g j for 1 ≤ i ≤ j ≤ k. Thus S ( G ) is of the size 1 Proposition Let A be a code of length n and dimension k , then � � k + 1 �� dim ( � A 2 � ) ≤ min n, (1) 2 Violetta Weger Weight two Masking in the McEliece system

Properties of Square Codes Proposition (M´ arquez-Corbella, Pellikaan (2016)) Let A be an [ n, k ] linear code chosen at random, then with high probability the square code of A has maximal dimension. Violetta Weger Weight two Masking in the McEliece system

Properties of Square Codes Proposition (M´ arquez-Corbella, Pellikaan (2016)) Let A be an [ n, k ] linear code chosen at random, then with high probability the square code of A has maximal dimension. Proposition If 2 k − 1 < n � GRS n,k ( α, β ) 2 � = GRS n, 2 k − 1 ( α, β ⋆ β ) (2) Violetta Weger Weight two Masking in the McEliece system

BBCRS Scheme Violetta Weger Weight two Masking in the McEliece system

BBCRS Scheme Baldi, Bianchi, Chiaraluce, Rosenthal and Schipani proposed a variant of the McEliece cryptosystem, in order to reconsider the use of GRS codes as secret code. Instead of the permutation matrix they use as scrambling matrix the sum T + R , where T is a sparse matrix of row weight m and R is a matrix of rank z . Violetta Weger Weight two Masking in the McEliece system

BBCRS Scheme for m = 1 , z = 1 Let F q be a finite field. Let 1 ≤ k < n ≤ q be integers. Let = k × n generator matrix of GRS code , G T = n × n permutation matrix , n × n rank 1 matrix , R = α T β, = R Q = n × n invertible matrix , Q = R + T, = k × k invertible matrix . S Compute: G ′ = S − 1 GQ − 1 and t pub = t = ⌊ n − k 2 ⌋ . Public Key = ( G ′ , t ) Private Key = ( G, T, R, Q, S ) Violetta Weger Weight two Masking in the McEliece system

BBCRS Scheme for m = 1 , z = 1 Encryption: Let x ∈ F k q be the message and e ∈ F n q , s.t. wt( e ) ≤ t be the error vector. Compute the cipher as y = xG ′ + e. Decryption: Guess the value of eR . Then compute y ′ = yQ − eR = xS − 1 G + eT. Since wt( eT ) ≤ t by decoding algorithm we get xS − 1 and by multiplication with S we get the message x . Violetta Weger Weight two Masking in the McEliece system

Distinguisher Attack Violetta Weger Weight two Masking in the McEliece system

Distinguisher Attack Couvreur, Gaborit, Gauthier-Uma˜ na, Otmani and Tillich presented for some parameters a distinguisher attack on the BBCRS scheme. Proposition (Couvreur, Gaborit, Gauthier-Uma˜ na, Otmani, Tillich (2015)) Let C pub denote the public code of length n and dimension k of the BBCRS scheme. Then dim ( �C 2 pub � ) ≤ 3 k − 1 . Violetta Weger Weight two Masking in the McEliece system

Overview Distinguisher Attack Violetta Weger Weight two Masking in the McEliece system

Overview Distinguisher Attack 1. Find subcode C sub Take a basis g 1 , . . . , g k of C pub and random other elements z 1 , z 2 , z 3 from C pub . Then define B = �{ z i ⋆ g j | 1 ≤ i ≤ 3 , 1 ≤ j ≤ k }� . Proposition (Couvreur, Gaborit, Gauthier-Uma˜ na, Otmani, Tillich (2015)) If dim ( B ) ≤ 2 k + 2 , then z i is in C sub for i ∈ { 1 , 2 , 3 } . 2. Find GRS n,k ( x, y ) Remark (M´ arquez-Corbella, Mart´ ınez-Moro, Pellikaan (2013)) Let A be an ℓ dimensional subspace of GRS n,k ( α, β ) . If ℓ is large enough, then with high probability we have �A 2 � = � GRS n,k ( α, β ) 2 � . Violetta Weger Weight two Masking in the McEliece system

Weight two Masking Violetta Weger Weight two Masking in the McEliece system

McEliece Version Let F q be a finite field and 1 ≤ k < n ≤ q integers. Let G be a k × n generator matrix of GRS n,k ( α, β ) code over F n q , which is able to correct upto t = ⌊ n − k 2 ⌋ errors. We choose a k × k invertible matrix S , and a n × n invertible matrix Q , which is of row and column weight 2, both over F q . We define t pub = ⌊ t 2 ⌋ and compute G ′ = S − 1 GQ − 1 . ( G ′ , t pub ) Public Key = Private Key = ( G, S, Q ) Violetta Weger Weight two Masking in the McEliece system

McEliece Version Encryption: Let x ∈ F k q be the message and e ∈ F n q be the error vector, s.t. wt( e ) ≤ t pub and compute the cipher y = xG ′ + e. Decryption: Compute y ′ = yQ = xS − 1 G + eQ. Since wt( eQ ) ≤ t we can decode and get xS − 1 and by multiplication with S we get the message x . Violetta Weger Weight two Masking in the McEliece system

Key Size In order for the ISD attack to reach a work factor greater than 2 80 the following key sizes are needed with the different systems. n k Key Size McEliece 1632 1269 460647 BBCRS scheme 346 252 199899 Weight two Masking 450 225 447326 Violetta Weger Weight two Masking in the McEliece system

Experimental Results Monte Carlo test with 1000 tries q n r Success rate 512 500 250 1 256 255 100 1 151 100 50 1 128 100 50 1 Violetta Weger Weight two Masking in the McEliece system

Security Let Q n be a matrix of row and column weight two of the following form   x 1 y n   y 1 x 2   Q n = (3)    . ... ...  y n − 1 x n Remark For every n × n matrix R over F q of row and column weight two, there exist permutation matrices P, P ′ , s.t.   Q 1 n 1   PRP ′ = ... (4)   Q l n l where Q i n i are n i × n i matrices of the form (3) for 1 ≤ l < n . Violetta Weger Weight two Masking in the McEliece system

Security Let H n,r denote a generator matrix of GRS code of length n and dimension r . Let m denote the maximal square code dimension of an [ n, r ] code, i.e. � � n, 1 2( r 2 + r ) m = min . Define � � R n is of the form (4) } , A n = { R n ∈ GL n ( F q ) � � � � S ( H n,r R T R T G H n,r = n ∈ A n n ) has rank m . Violetta Weger Weight two Masking in the McEliece system

Security Lemma Let F q be a finite field and 1 ≤ n ≤ q integers. Let p be a nontrivial homogeneous polynomial in F q [ x 1 , . . . , x n , y 1 , . . . , y n ] , of total degree 2 n , in each variable of degree at most 2 , which has that each monomial is of the form n � i y 2 − d i x d i , i i =1 for 0 ≤ d i ≤ 2 , ∀ 1 ≤ i ≤ n . Then there exist at least (( q − 1) 2 − 2( q − 1)) n choices for x 1 , . . . , x n , y 1 , . . . , y n in F × q , s.t. p evaluated in these choices is nonzero. Violetta Weger Weight two Masking in the McEliece system