What is... the McEliece system? Violetta Weger, University of Zurich - PowerPoint PPT Presentation


  1. What is... the McEliece system? Violetta Weger, University of Zurich. Zurich Graduate Colloquium, 20 November 2018.

  2. Outline: 1. Coding Theory; 2. Public Key Cryptography; 3. McEliece cryptosystem; 4. Research.

  3. Toy Example: Repetition code. Me → you: the bit 1 is encoded as 111111 (and 0 as 000000); the received word is 111010. We can correct 2 errors and detect 3 errors.

  5. Coding Theory. Definition (Linear Code): Let $\mathbb{F}_q$ be a finite field. An $[n,k]$-linear code $C$ over $\mathbb{F}_q$ is a $k$-dimensional linear subspace of $\mathbb{F}_q^n$. $c \in C$ is called a codeword. The toy example of the repetition code was a $[6,1]$-linear code over $\mathbb{F}_2$, with the codewords $\{000000, 111111\}$.

  6. Coding Theory. Definition (Generator Matrix): Let $C$ be an $[n,k]$-linear code over $\mathbb{F}_q$. There exists a $k \times n$ generator matrix $G$ of $C$ defined by $C = \{ uG \mid u \in \mathbb{F}_q^k \}$. Definition (Parity Check Matrix): There exists an $(n-k) \times n$ parity check matrix $H$ of $C$ defined by $C = \{ x \in \mathbb{F}_q^n \mid Hx^T = 0 \}$.

  7. Coding Theory. Definition (Information Set): Let $C$ be an $[n,k]$-linear code over $\mathbb{F}_q$ and let $G$ be its $k \times n$ generator matrix. A set of $k$ coordinates $I \subset \{1, \ldots, n\}$ for which the columns of $G$ indexed by $I$ are linearly independent is called an information set. Definition (Systematic Form): If $G$ is of the form $G = (\mathrm{Id}_k \mid A)$, we say $G$ is of systematic form, and then $H$ is given by $H = (-A^T \mid \mathrm{Id}_{n-k})$.

  8. Coding Theory. Let $x, y \in \mathbb{F}_q^n$. Definition (Hamming Distance): The Hamming distance of $x, y$ is defined as $d(x,y) = |\{ i \in \{1, \ldots, n\} \mid x_i \neq y_i \}|$. Definition (Hamming Weight): The Hamming weight of $x$ is defined as $\mathrm{wt}(x) = |\{ i \in \{1, \ldots, n\} \mid x_i \neq 0 \}|$.

  9. Coding Theory. Definition (Minimum Distance): Let $C$ be an $[n,k]$-linear code over $\mathbb{F}_q$. We define the minimum distance of $C$ to be $d(C) = \min\{ d(x,y) \mid x, y \in C, x \neq y \} = \min\{ \mathrm{wt}(x) \mid x \in C, x \neq 0 \}$. In our toy example of the $[6,1]$-repetition code we have $d(C) = 6$. Theorem (Singleton Bound): Let $C$ be an $[n,k]$-linear block code. Then $d(C) \le n - k + 1$.

  10. Coding Theory. Theorem: Let $C$ be an $[n,k]$-linear code over $\mathbb{F}_q$ with minimum distance $d$. Then $C$ can correct up to $t = \lfloor \frac{d-1}{2} \rfloor$ errors.
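The definitions of slides 5 to 10, carried out by brute force on small binary codes. This is an added example, not code from the talk: it uses the $[6,1]$ repetition code from the slides and an assumed $[7,4]$ binary code in systematic form (the binary Hamming code, which is not on the slides). It derives $H = (-A^T \mid \mathrm{Id}_{n-k})$ from $G = (\mathrm{Id}_k \mid A)$, checks $GH^T = 0$, computes $d(C)$ as the minimum weight of a nonzero codeword, the Singleton bound, $t = \lfloor (d-1)/2 \rfloor$, and verifies the theorem by nearest-codeword decoding of every error pattern of weight at most $t$.

```python
from itertools import product, combinations

# Constructed toy codes (added here for illustration, not code from the talk).
# The [6,1] repetition code from the slides: G = (1 1 1 1 1 1) = (Id_1 | A).
REP_G = [[1, 1, 1, 1, 1, 1]]
# An assumed [7,4] binary code in systematic form G = (Id_4 | A).
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
SYS_G = [[int(i == j) for j in range(4)] + A[i] for i in range(4)]

def matmul(X, Y):
    """Matrix product over F_2 (entries 0/1)."""
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*Y)] for row in X]

def parity_check_from_systematic(G):
    """G = (Id_k | A) gives H = (-A^T | Id_{n-k}); over F_2 the minus sign vanishes."""
    k, n = len(G), len(G[0])
    A_t = [list(col) for col in zip(*[row[k:] for row in G])]
    return [A_t[i] + [int(i == j) for j in range(n - k)] for i in range(n - k)]

def codewords(G):
    """C = { uG | u in F_2^k }, enumerated by brute force."""
    return {tuple(matmul([list(u)], G)[0]) for u in product((0, 1), repeat=len(G))}

def wt(x):
    """Hamming weight: number of nonzero coordinates."""
    return sum(1 for xi in x if xi != 0)

def hamming_distance(x, y):
    return sum(1 for a, b in zip(x, y) if a != b)

def min_distance(G):
    """d(C) = min d(x, y) over distinct codewords = min wt(x) over nonzero codewords."""
    return min(wt(c) for c in codewords(G) if any(c))

def correction_capability(G):
    """t = floor((d - 1) / 2) errors can be corrected."""
    return (min_distance(G) - 1) // 2

def nearest_codeword(G, y):
    """Minimum-distance decoding by brute force: the codeword closest to y."""
    return min(codewords(G), key=lambda c: hamming_distance(c, y))

def generator_matches_parity_check(G):
    """Every codeword x satisfies H x^T = 0, i.e. G H^T = 0."""
    H = parity_check_from_systematic(G)
    return all(v == 0 for row in matmul(G, [list(c) for c in zip(*H)]) for v in row)

def singleton_bound_holds(G):
    k, n = len(G), len(G[0])
    return min_distance(G) <= n - k + 1

def corrects_all_errors_up_to_t(G):
    """Check the theorem: every codeword plus any error of weight <= t decodes correctly."""
    n, t = len(G[0]), correction_capability(G)
    for c in codewords(G):
        for w in range(t + 1):
            for positions in combinations(range(n), w):
                y = [bit ^ (i in positions) for i, bit in enumerate(c)]
                if nearest_codeword(G, y) != c:
                    return False
    return True
```

Running `nearest_codeword(REP_G, [1, 1, 1, 0, 1, 0])` reproduces the toy example: the received word 111010 is at distance 2 from 111111 and distance 4 from 000000, so it decodes to 111111. Brute-force enumeration of $2^k$ codewords is fine here but is exactly what a McEliece-sized code makes infeasible; the private key's value lies in an efficient decoder.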

  11. Coding Theory. Definition (Generalized Reed-Solomon Code): Let $\mathbb{F}_q$ be a finite field and $1 \le k < n \le q$ integers. Let $\alpha \in \mathbb{F}_q^n$ be an $n$-tuple of distinct elements and $\beta \in \mathbb{F}_q^n$ be an $n$-tuple of nonzero elements. $GRS_{n,k}(\alpha, \beta) = \{ (\beta_1 p(\alpha_1), \ldots, \beta_n p(\alpha_n)) \mid p \in \mathbb{F}_q[x], \deg(p) < k \}$. We can write the generator matrix of $GRS_{n,k}(\alpha, \beta)$ as
$$G = \begin{pmatrix} \beta_1 & \cdots & \beta_n \\ \beta_1 \alpha_1 & \cdots & \beta_n \alpha_n \\ \vdots & & \vdots \\ \beta_1 \alpha_1^{k-1} & \cdots & \beta_n \alpha_n^{k-1} \end{pmatrix}.$$
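The GRS construction of slide 11, as an added example that is not code from the talk. It works over the constructed prime field $\mathbb{F}_7$ (so $q = 7$ and arithmetic is integers mod 7), builds the generator matrix row by row as $(\beta_1 \alpha_1^i, \ldots, \beta_n \alpha_n^i)$, checks it against the evaluation map that defines the code, and verifies by brute force that a GRS code meets the Singleton bound of slide 9 with equality ($d = n - k + 1$, i.e. it is MDS). The sample $\alpha$, $\beta$ and $k$ in the test are constructed.

```python
from itertools import product

Q = 7  # constructed: the prime field F_7, so field elements are integers mod 7

def grs_generator_matrix(alpha, beta, k, q=Q):
    """k x n generator matrix of GRS_{n,k}(alpha, beta): row i is
    (beta_1 alpha_1^i, ..., beta_n alpha_n^i) for i = 0, ..., k-1."""
    n = len(alpha)
    assert 1 <= k < n <= q, "need 1 <= k < n <= q"
    assert len(set(a % q for a in alpha)) == n, "alpha must have distinct entries"
    assert all(b % q for b in beta), "beta must have nonzero entries"
    return [[(b * pow(a, i, q)) % q for a, b in zip(alpha, beta)] for i in range(k)]

def grs_codeword(alpha, beta, coeffs, q=Q):
    """The defining map (beta_1 p(alpha_1), ..., beta_n p(alpha_n))
    for p(x) = coeffs[0] + coeffs[1] x + ... with deg p < k = len(coeffs)."""
    def p(x):
        return sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q
    return [(b * p(a)) % q for a, b in zip(alpha, beta)]

def encode(u, G, q=Q):
    """u G over F_q: the codeword whose message is the coefficient vector u."""
    return [sum(ui * gij for ui, gij in zip(u, col)) % q for col in zip(*G)]

def min_distance(G, q=Q):
    """Brute-force d(C): minimum weight of u G over nonzero u in F_q^k."""
    return min(sum(1 for x in encode(u, G, q) if x)
               for u in product(range(q), repeat=len(G)) if any(u))

def meets_singleton_with_equality(alpha, beta, k, q=Q):
    """GRS codes are MDS: d = n - k + 1, the Singleton bound with equality."""
    G = grs_generator_matrix(alpha, beta, k, q)
    return min_distance(G, q) == len(alpha) - k + 1
```

The MDS property is why GRS codes give the smallest keys for a given $t$, and it is also what the Sidelnikov-Shestakov attack of slide 26 exploits: the algebraic structure that makes decoding efficient is visible in the public code, which is the structural-attack concern of slide 22.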

  12. Difference between Coding and Cryptography.

  13. Public-Key Cryptography. We consider two people: Bob and Alice. Key generation: Bob constructs a private key and a public key, which he publishes. Encryption: Alice uses the public key to encrypt the message $m$ to get the cipher $c$ and sends $c$ to Bob. Decryption: Bob uses the private key to decrypt the cipher $c$ and recover the message $m$.

  14. Public-Key Cryptography.

  15. Public-Key Cryptography.

  16. Public-Key Cryptography. Example: RSA. Let $p, q$ be primes. Compute $n = pq$ and the Euler totient function $\varphi(n) = (p-1)(q-1)$. Choose $e < \varphi(n)$ s.t. $\gcd(e, \varphi(n)) = 1$. Public key $= (n, e)$; private key $= (p, q)$. Encryption: Let $m$ be the message. The cipher is computed as $c = m^e \bmod n$. Decryption: Compute $d$ and $b$ s.t. $de + b\varphi(n) = 1$. Then by computing $c^d \bmod n$ we recover the message, since $c^d = (m^e)^d = m^{1 - b\varphi(n)} = m \, (m^{\varphi(n)})^{-b} \equiv m \cdot 1^{-b} = m \bmod n$.
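The RSA example of slide 16 in code, added here for illustration (not from the talk). The extended Euclidean algorithm produces the Bézout coefficients $d$ and $b$ with $de + b\varphi(n) = 1$ that the decryption argument relies on; the step $m^{\varphi(n)} \equiv 1 \bmod n$ is Euler's theorem and so assumes $\gcd(m, n) = 1$. The primes and message in the test are constructed toy values, not a secure parameter choice.

```python
def extended_gcd(a, b):
    """Return (g, x, y) with a x + b y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = extended_gcd(b, a % b)
    return g, y, x - (a // b) * y

def rsa_keygen(p, q, e):
    """Public key (n, e); private key (p, q, d, b) with d e + b phi(n) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = extended_gcd(e, phi)
    assert e < phi and g == 1, "need e < phi(n) and gcd(e, phi(n)) = 1"
    d = x % phi                  # the positive representative of e^{-1} mod phi(n)
    b = (1 - d * e) // phi       # exact division, since d e = 1 mod phi(n)
    return (n, e), (p, q, d, b)

def rsa_encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)          # c = m^e mod n

def rsa_decrypt(c, priv, n):
    p, q, d, b = priv
    # c^d = m^{d e} = m^{1 - b phi(n)} = m (m^{phi(n)})^{-b} = m mod n when gcd(m, n) = 1
    return pow(c, d, n)
```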

  17. Post-quantum Cryptography. The PKC systems which we currently use are: RSA, DLP over elliptic curves or finite fields, ... NSA and NIST believe that a quantum computer will be available in 2030. Shor's Algorithm and Grover's Algorithm are quantum algorithms and will break those systems. Cryptosystems which will be resistant against attacks on a quantum computer are called post-quantum cryptosystems. Promising candidates for post-quantum cryptography are: lattice-based cryptosystems, multivariate cryptography and code-based cryptography.

  18. McEliece Cryptosystem. Private key: Choose an $[n,k]$-linear code $C$ over $\mathbb{F}_q$ which can correct up to $t$ errors and has an efficient decoding algorithm. $C$ has a generator matrix $G$ of size $k \times n$. Choose a $k \times k$ invertible matrix $S$ and an $n \times n$ permutation matrix $P$ and compute $G' = SGP$. Public key $= (G', t)$; private key $= (S, G, P)$.

  19. McEliece Cryptosystem. Encryption: Let $m \in \mathbb{F}_q^k$ be the message and $e \in \mathbb{F}_q^n$ the error vector, s.t. $\mathrm{wt}(e) \le t$; then the cipher is computed as $c = mG' + e$. Decryption: Compute $cP^{-1} = mSG + eP^{-1}$; then $mSG$ is a codeword of $C$ and since $\mathrm{wt}(eP^{-1}) \le t$, we can apply the decoding algorithm and get $mS$, and by multiplication with the inverse of $S$ we get the message $m$.

  20. Niederreiter system. Private key: Choose an $[n,k]$-linear code $C$ that can correct up to $t$ errors and has an efficient decoding algorithm. $C$ has a parity check matrix $H$ of size $(n-k) \times n$. Choose an $(n-k) \times (n-k)$ invertible matrix $S$ and an $n \times n$ permutation matrix $P$ and compute $H' = SHP$. Public key $= (H', t)$; private key $= (S, H, P)$.

  21. Niederreiter system. Encryption: Let $m \in \mathbb{F}_q^n$ be the message, s.t. $\mathrm{wt}(m) \le t$; then the cipher is computed as $c^T = H'm^T$. Decryption: Compute $S^{-1}c^T = HPm^T = H(mP^T)^T$. Since $\mathrm{wt}(mP^T) \le t$, we can apply syndrome decoding to get $mP^T$, and by multiplication with the inverse of $P^T$ we get the message $m$.

  22. Security of McEliece Cryptosystem. The underlying problem of decoding a random linear code is NP-complete, which is what makes it a quantum-secure cryptosystem. Nevertheless, the codes we use are not random, hence there might exist structural attacks. There also exists a non-structural attack called Information Set Decoding (ISD), which has to be considered for the choice of secure parameters. The complexity of the best algorithms so far is $O(2^{n/20})$.

  23. ISD. The easiest version of the ISD algorithm is given by Lee-Brickell over the binary field. Input: $G \in \mathbb{F}_2^{k \times n}$, $c = mG + e$, where $e \in \mathbb{F}_2^n$ is of weight $t \in \mathbb{N}$, and $p < t$. Output: $e \in \mathbb{F}_2^n$. We denote by $e_I, c_I, G_I$ the $k$ columns of $e, c, G$ indexed by the information set $I$. 1. Choose an information set $I \subset \{1, \ldots, n\}$ of size $k$. 2. Choose $e_I$ with $\mathrm{wt}(e_I) = p$. 3. If $\mathrm{wt}(c + (c_I + e_I) G_I^{-1} G) = t$: output $e = c + (c_I + e_I) G_I^{-1} G$. 4. Else: go back to 1.

  24. ISD. To picture how this algorithm works, assume that $G$ is given in systematic form and hence $I = \{1, \ldots, k\}$ and $G = (\mathrm{Id}_k \mid A)$. Hence if we have chosen $e_I$ correctly, i.e. the correct error distribution in the first $k$ bits, then $c_I + e_I = mG_I$ and hence $(c_I + e_I) G_I^{-1} = m$ and $c + (c_I + e_I) G_I^{-1} G = c + mG = e$.
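The McEliece and Niederreiter systems of slides 18 to 21, together with the Lee-Brickell procedure of slides 23 and 24, worked on one small binary instance. This is an added example, not code from the talk: it assumes the binary $[7,4]$ Hamming code in systematic form as the secret code (not on the slides; it has $d = 3$, so $t = 1$), uses a syndrome lookup table as the "efficient decoding algorithm" the private key relies on, and draws $S$ and $P$ from a seeded generator so the run is reproducible. The ISD routine is run against the McEliece public data only, which is the check slide 22 asks for when choosing parameters: on a code this small it recovers $e$ after a handful of information sets, whereas real parameters are sized so that the expected number of iterations is infeasible.

```python
import random
from itertools import combinations

# Constructed toy instance (added example, not code from the talk): the binary
# [7,4] Hamming code in systematic form G = (Id_4 | A). It has d = 3, so t = 1.
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
K, N, T = 4, 7, 1
G_SEC = [[int(i == j) for j in range(K)] + A[i] for i in range(K)]
H_SEC = [[A[j][i] for j in range(K)] + [int(i == j) for j in range(N - K)]
         for i in range(N - K)]                       # H = (-A^T | Id_{n-k}); -1 = 1 in F_2

def matmul(X, Y):
    return [[sum(a * b for a, b in zip(r, c)) % 2 for c in zip(*Y)] for r in X]
def transpose(M): return [list(c) for c in zip(*M)]
def vadd(u, v): return [a ^ b for a, b in zip(u, v)]
def wt(v): return sum(v)
def syndrome(H, y): return tuple(r[0] for r in matmul(H, transpose([y])))   # H y^T

def inverse(M):
    """Gauss-Jordan inverse over F_2; None if M is singular."""
    n = len(M)
    W = [M[i][:] + [int(i == j) for j in range(n)] for i in range(n)]
    for c in range(n):
        piv = next((r for r in range(c, n) if W[r][c]), None)
        if piv is None: return None
        W[c], W[piv] = W[piv], W[c]
        for r in range(n):
            if r != c and W[r][c]: W[r] = vadd(W[r], W[c])
    return [row[n:] for row in W]

def random_invertible(k, rng):
    while True:
        S = [[rng.randrange(2) for _ in range(k)] for _ in range(k)]
        if inverse(S) is not None: return S

def random_permutation_matrix(n, rng):
    perm = rng.sample(range(n), n)                        # a random permutation of 0..n-1
    return [[int(perm[i] == j) for j in range(n)] for i in range(n)]

# The private decoder: syndrome table H e^T -> e for every e of weight <= t.
SYNDROMES = {}
for w in range(T + 1):
    for pos in combinations(range(N), w):
        e = [int(i in pos) for i in range(N)]
        SYNDROMES[syndrome(H_SEC, e)] = e

# --- McEliece: public (G' = S G P, t), private (S, G, P) ---
def mceliece_keygen(rng):
    S, P = random_invertible(K, rng), random_permutation_matrix(N, rng)
    return (matmul(matmul(S, G_SEC), P), T), (S, P)

def mceliece_encrypt(m, pub, e):
    G_pub, t = pub
    assert len(m) == K and wt(e) <= t
    return vadd(matmul([m], G_pub)[0], e)                 # c = m G' + e

def mceliece_decrypt(c, priv):
    S, P = priv
    y = matmul([c], transpose(P))[0]                      # c P^{-1} = m S G + e P^{-1}; P^{-1} = P^T
    mS = vadd(y, SYNDROMES[syndrome(H_SEC, y)])[:K]       # decode; G systematic, so m S = first k bits
    return matmul([mS], inverse(S))[0]                    # m = (m S) S^{-1}

# --- Niederreiter: public (H' = S H P, t); the message is a vector of weight <= t ---
def niederreiter_keygen(rng):
    S, P = random_invertible(N - K, rng), random_permutation_matrix(N, rng)
    return (matmul(matmul(S, H_SEC), P), T), (S, P)

def niederreiter_encrypt(m, pub):
    H_pub, t = pub
    assert len(m) == N and wt(m) <= t
    return list(syndrome(H_pub, m))                       # c^T = H' m^T

def niederreiter_decrypt(c, priv):
    S, P = priv
    s = tuple(r[0] for r in matmul(inverse(S), transpose([c])))   # S^{-1} c^T = H (m P^T)^T
    return matmul([SYNDROMES[s]], P)[0]                   # syndrome decoding gives m P^T; (m P^T) P = m

# --- Lee-Brickell ISD, using only the public data (G', c, t) ---
def lee_brickell(G_pub, c, t, p, rng):
    n, k = len(G_pub[0]), len(G_pub)
    while True:
        I = sorted(rng.sample(range(n), k))               # 1. candidate information set
        G_I_inv = inverse([[row[i] for i in I] for row in G_pub])
        if G_I_inv is None: continue                      # columns dependent: not an information set
        c_I = [c[i] for i in I]
        for pos in combinations(range(k), p):             # 2. every e_I of weight p
            e_I = [int(j in pos) for j in range(k)]
            cand = vadd(c, matmul(matmul([vadd(c_I, e_I)], G_I_inv), G_pub)[0])
            if wt(cand) == t: return cand                 # 3. weight t reached: cand = e

def demo(seed=1):
    """Round trip both systems and let ISD recover the McEliece error vector."""
    rng = random.Random(seed)
    m, e = [1, 0, 1, 1], [0, 0, 0, 0, 1, 0, 0]            # constructed message and error
    pub, priv = mceliece_keygen(rng)
    c = mceliece_encrypt(m, pub, e)
    n_pub, n_priv = niederreiter_keygen(rng)
    nm = [0, 1, 0, 0, 0, 0, 0]                            # constructed weight-1 message
    return {"mceliece_ok": mceliece_decrypt(c, priv) == m,
            "niederreiter_ok": niederreiter_decrypt(niederreiter_encrypt(nm, n_pub), n_priv) == nm,
            "isd_recovers_e": lee_brickell(pub[0], c, pub[1], 1, rng) == e}
```

`demo()` returns three booleans, all true. Two details are worth noting. A candidate in step 3 can only have weight exactly $t$ when it equals $e$: any other candidate is $e$ plus a nonzero codeword of the public code, whose weight is at least $d - t > t$. And the syndrome table is keyed by $H$ of the secret code, so the Niederreiter decryption only works after $S^{-1}$ has been applied; the public $H'$ alone gives no such table, which is the whole point of the scrambling.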

  25. Advantages and Disadvantages of McEliece Cryptosystem. Although the McEliece system is quantum secure, there is the major drawback of large key sizes:

      Security Level | Key Size original McEliece (bits) | Key Size RSA (bits)
      $2^{80}$       | 520047                            | 1248
      $2^{128}$      | 1537536                           | 3248
      $2^{256}$      | 7667855                           | 15424

  26. Research. The main idea to bring down the key sizes is to use another family of codes.

      Proposal          | Idea                  | Attack
      Niederreiter      | GRS codes             | Sidelnikov-Shestakov
      Berger, Loidreau  | Subcodes of GRS codes | Wieschebrink
      Gabidulin et al.  | Gabidulin codes       | Overbeck
      Sidelnikov        | Reed-Muller codes     | Minder-Shokrollahi
      Baldi et al.      | LDPC codes            | Couvreur et al.
      Rosenthal et al.  | GRS, new scrambling   | Couvreur et al.

  27. Research. New proposals:

      Proposal                 | Idea                   | Attack
      Baldi et al.             | QC-MDPC codes          |
      Baldi et al.             | MDPC codes             |
      Khathuria, Rosenthal, W. | GRS, weight two matrix |
      Horlemann-Trautmann, W.  | Ring linear codes      |

  28. Thank you!
