Algebraic Decoding of Rank Metric Codes

Transcription

1 Algebraic Decoding of Rank Metric Codes Françoise Levy-dit-Vehel ENSTA Paris, France joint work with Ludovic Perret (UCL Louvain) Special Semester on Gröbner Bases - Workshop D1

2 Outline The Rank Decoding problem (RD) Motivation Some complexity results Easy instances of RD Solving RD: generic algorithms focusing on Ourivski-Johannsson method our approach Practical results Conclusion

3 The Rank Decoding Problem RD Input: N, n, k N, G M k n (F q N ), c F n q N. Question: find m F k q N, such that e = c mg has smallest rank Rk(e F q )? Here, Rk(e F q ) is the rank of e when considered as a (N n) matrix over F q. A related problem: MR Input: N, n, k N, M 0,..., M k M N n (F q ). Question: find (λ 1,..., λ k ) F k q, such that E = M 0 k i=1 λ im i has smallest rank? MR can be seen as a Subcode Rank Decoding problem, where m has to be searched in F k q.

4 The Rank Decoding Problem RD Input: N, n, k N, G M k n (F q N ), c F n q N. Question: find m F k q N, such that e = c mg has smallest rank Rk(e F q )? Here, Rk(e F q ) is the rank of e when considered as a (N n) matrix over F q. A related problem: MR Input: N, n, k N, M 0,..., M k M N n (F q ). Question: find (λ 1,..., λ k ) F k q, such that E = M 0 k i=1 λ im i has smallest rank? MR can be seen as a Subcode Rank Decoding problem, where m has to be searched in F k q.

5 The Rank Decoding Problem RD Input: N, n, k N, G M k n (F q N ), c F n q N. Question: find m F k q N, such that e = c mg has smallest rank Rk(e F q )? Here, Rk(e F q ) is the rank of e when considered as a (N n) matrix over F q. A related problem: MR Input: N, n, k N, M 0,..., M k M N n (F q ). Question: find (λ 1,..., λ k ) F k q, such that E = M 0 k i=1 λ im i has smallest rank? MR can be seen as a Subcode Rank Decoding problem, where m has to be searched in F k q.

6 Motivation: cryptographic applications of MR Birational permutations signature scheme [Sh 93] TTM cryptosystem [Mo 99] Courtois ZK authentication scheme [Co 01]... of RD GPT cryptosystem [GaPaTr 91,GaOu 01] Chen authentication scheme [Ch 96] Berger-Loidreau cryptosystem [BeLo 04]

7 Some Complexity Results Theorem (BuFrSh 96,Co 01) Proof. MR is NP-Hard. By reduction of Maximum Likelihood Decoding over F q - proven to be NP-Hard [BeMcEvT 78, Ba 94, GuVa 05] - to MR. Corollary There exists a reduction from RD to MR. Open Questions No known explicit reduction. Is RD NP-hard?

8 Solving the RD problem (I) Algorithms for particular codes Gabidulin codes: the generator matrix is of the form G = g 1... g n g q 1... gn q..... g qk gn qk 1, (g 1,..., g n ) F n q. N Decoding algorithms (F q N -mult.): r 3 + (2n + N)r [Ga 91], (5/2)n 2 [Lo 05]. ( ) G1 0 Reducible rank codes: generator matrix of the form, A G 2 where G i, i = 1, 2, are matrices of Gabidulin codes. Decoding complexity (F q N -mult.): O(kn + n 3 ) [OuGaHoAm 03].

9 Solving the RD problem (II) Generic algorithms Stern-Chabaud (96): Problem modeled in terms of parity-check matrix. Solving approach: enumerating rank r r-tuples of F q N over F q, and trying to solve a linear system. Improved exhaustive enumeration from q Nr to q (N r)(r 1). Complexity: O((nr + N) 3 q (N r)(r 1) ). Ourivski-Johansson (02): Problem reduced to finding a minimum rank codeword in an extended code. Enumeration + solving a linear system over F q. Two versions, with complexities O((rN) 3 q (r 1)(k+1)+2 ) and O((k + r) 3 r 3 q (N r)(r 1)+2 ).

10 Ourivski-Johannsson algorithm: idea Problem: given G M k n (F q N ) and c F n q N, find m F k q N, such that e = c mg has smallest rank r = Rk(e F q ). Construct the code C e with generator matrix ( ) ( ) ( ) G Ik 0 G = c m 1 e Provided r (d 1)/2, the problem is then reduced to finding a codeword of minimum rank r in C e. Indeed, all those are of the form ɛe, ɛ F q N. Having found e = ɛe, the value of ɛ is retrieved by computing ch t and e H t, H being the parity-check matrix of C.

11 Modeling the problem as a set of quadratic equations Any vector v F n can be expressed in a basis q N X = (x 1,..., x N ) of F q N over F q as v = (x 1,..., x N )A, where A M N n (F q ) and Rk(A) = Rk(v F q ). Thus, if Rk(v F q ) = r, we can write ( ) v = ( x 1,..., x à N ) = ( x 0 1,..., x r )à with à M r n(f q ) of full rank r. Let C e =< G syst >, G syst = (I k+1 R), R M (k+1) (n k 1) (F q N ). Then, there exists u (F q N ) k+1, such that ug syst = (u, ur) = e

12 Modeling the problem as a set of quadratic equations Any vector v F n can be expressed in a basis q N X = (x 1,..., x N ) of F q N over F q as v = (x 1,..., x N )A, where A M N n (F q ) and Rk(A) = Rk(v F q ). Thus, if Rk(v F q ) = r, we can write ( ) v = ( x 1,..., x à N ) = ( x 0 1,..., x r )à with à M r n(f q ) of full rank r. Let C e =< G syst >, G syst = (I k+1 R), R M (k+1) (n k 1) (F q N ). Then, there exists u (F q N ) k+1, such that ug syst = (u, ur) = e

13 Modeling the problem as a set of quadratic equations Writing e = (e 1, e 1 R) = XA, X = (x 0,..., x r 1 ) being an incomplete basis of F q N over F q and A = (α i,j ) M r n (F q ) being of full rank r, we get e 1 = (x 0,..., x r 1 )A 1 and e 1 R = (x 0,..., x r 1 )A 2, where A = (A 1 A 2 ), A 1 M r (k+1) (F q ), A 2 M r (n k 1) (F q ). We thus have to solve (x 0,..., x r 1 )A 2 = (x 0,..., x r 1 )A 1 R. (1) As it suffices to retrieve ɛe, for any ɛ F q N, we can set x 0 = 1. System (1) is a quadratic system of n k 1 equations and nr + r 1 unknowns α i,j, x 1,..., x r 1 over F q N.

14 Modeling the problem... Systeme (1) is equivalent to (x 0,..., x r 1 )(A 2 ) j = (x 0,..., x r 1 )A 1 R j, k + 2 j n, (2) (A 2 ) j (resp. R j ) being the j-th column of A 2 (resp. R). Let Ω = (ω 0,..., ω N 1 ) be a basis of F q N over F q. Over Ω, x i = N 1 j=0 x ij ω j, x ij F q, 0 i r 1. Expressing this way X and each R j w.r.t. Ω, we can rewrite (2) as a system of N(n k 1) equations in nr + N(r 1) unknowns over F q.

15 Solving the system: Ourivski-Johannsson strategy Choose J [k + 2,..., n], J = m, yielding mn equations in N(r 1) + r(m + k + 1) unknowns. Strategy 1: O(((r 1)N + m + k + 1) 3 q (r 1)(m+k+1 r)+2 ) Guess values of α i,j contributing to quadratic terms. Solve the resulting linear system of Nm equations in N(r 1) + m + k + 1 unknowns (m r 1 + k+1 N 1 ). Strategy 2: O((m + k + 1) 3 r 3 q (N r)(r 1)+2 ) Guess the coordinates of the x i s in the basis Ω. Solve the resulting linear system of Nm equations in r(m + k + 1) unknowns (m (k+1)r N r ). Similar to [ChSt 96], but there the system solved is in rn + N unknowns.

16 Solving the system: Ourivski-Johannsson strategy Choose J [k + 2,..., n], J = m, yielding mn equations in N(r 1) + r(m + k + 1) unknowns. Strategy 1: O(((r 1)N + m + k + 1) 3 q (r 1)(m+k+1 r)+2 ) Guess values of α i,j contributing to quadratic terms. Solve the resulting linear system of Nm equations in N(r 1) + m + k + 1 unknowns (m r 1 + k+1 N 1 ). Strategy 2: O((m + k + 1) 3 r 3 q (N r)(r 1)+2 ) Guess the coordinates of the x i s in the basis Ω. Solve the resulting linear system of Nm equations in r(m + k + 1) unknowns (m (k+1)r N r ). Similar to [ChSt 96], but there the system solved is in rn + N unknowns.

17 Solving the system: our approach Add to system (2) the n k syndrome equations: { (x0,..., x r 1 )(A 2 ) j = (x 0,..., x r 1 )A 1 R j, k + 2 j n (x 0,..., x r 1 )AH t = ch t. (3) Take a basis Ω of F q N over F q, and express X w.r.t. Ω. Rewrite (3) as a system of N(2(n k) 1) equations in nr + N(r 1) unknowns over F q. Run a Gröbner basis algorithm (F 4 ) on this system, to obtain the associated variety V over F q. Express each element of V as ( X, Ã) Fr q N M r n (F q ) (going from F rn q back to F r ). q N Set ẽ = XÃ. Compute the rank of ẽ and keep the one satisfying Rk(ẽ F q ) = r and c ẽ C =< G >.

18 Results N n k r OuJo 1 OuJo 2 ChSt LePe s s s.(5min. 30s. ) h. 5min min. 20s h. 30min h. Running time of the algorithm on the system over F q N.

19 Conclusion Our contribution Consider a slightly modified system. Use a different solving approach. For r = 2, our algorithm performs very well even for N, n large. Good results for r = 3 when k n/2. Further research... Exploit information obtained for r = 2, 3 to attack r = 4. Include all the constraints in system (specially, c e C). Construct a system directly from RD, and compare the results.