List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem

Size: px

Start display at page:

Download "List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem"

Austin Sutton
5 years ago
Views:

1 List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem Morgan Barbier morgan.barbier@lix.polytechnique.fr École Polytechnique INRIA Saclay - Île de France 14 April 2011 University of Caen M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 1 / 39

2 Outline 1 Introduction Principles of list decoding Johnson s bounds 2 Decoding of Reed-Solomon codes Berlekamp-Welsh s decoding Sudan s algorithm Guruswami-Sudan s algorithm 3 List decoding of Goppa codes Goppa codes List decoding 4 Application to McEliece M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 2 / 39

3 Definitions Definition (Linear code) A linear code C over F q, of length n and dimension k, is vectorial subspace of F n q of dimension k. Definition (Distances) Let x, y F n q, and C be an [n, k] linear code. The Hamming distance d(x, y) and the minimum distance, noted d, of C are given by : d(x, y) = # {i : x i y i }. d = min d(x, y). x y C M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 3 / 39

4 Encoding and decoding Let C be an [n, k, d] linear code over F q, m F k q be a message, e F n q be a error vector. We define E and D in the following way : E : F k q C, D : F n q F k q {?}, { m, if w(e) d 1 D(E(m) + e) = 2 m or?, if w(e) > d 1 2 Where w(e) is the Hamming weight of e. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 4 / 39

5 Representation M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 5 / 39

6 Representation M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 6 / 39

7 Representation M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 7 / 39

8 Representation M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 8 / 39

9 Johnson s bounds Theorem Let v F n q and e be an integer such that then B(v, e) C n 2. e < J(n, d, q) n q 1 q ( 1 ) 1 q d, q 1 n When q +, we obtain the generic Johnson bound : For the binary case : q = 2 J(n, d) = n n J(n, d, 2) = n 2 n 2 1 d n. 1 2d n. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 9 / 39

10 Comparison of the Johnson bounds e/n : normalised error capacity Binary Johnson s bound Generic Johnson s bound Unambiguous bound d/n : normalised minimum distance M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 10 / 39

11 Reed-Solomon codes Definition (Reed-Solomon codes as evaluation codes) Let α 1,..., α n be different elements of F q. A Reed-Solomon code of length n and dimension k over F q is RS[n, k] {(P(α 1 ),..., P(α n )) : P P k }, where P k = {P F q [X ] / deg(p) < k}. = n q implies that the field is large enough. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 11 / 39

12 Encoding and decoding of Reed-Solomon codes Let P(X ) P k, then P(X ) = k 1 i=0 P ix i. We can write P = (P 0,..., P k 1 ) F k q. The encoding function E is : m F k q P k, E(m) = (m(α 1 ),..., m(α n )). Usually, the decoding step consists in finding the element m in polynomial form. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 12 / 39

13 Decoding context Let α 1,..., α n F q, C be the [n, k, d = n k + 1] Reed-Solomon code over F q and c C, then P P k such that c = (P(α 1 ),..., P(α n )). Let the received word y = (y 1,..., y n ) F n q be such that y = c + e. Where e F n q and w(e) t d 1 2. From y, we have to compute P such that y = (P(α 1 ) + e 1,..., P(α n ) + e n ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 13 / 39

14 Berlekamp-Welsh s idea At least n t points such that e i = 0, so for these points y i = P(α i ). Compute Q(X, Y ) F q [X, Y ] such that Q(X, Y ) = Q 0 (X ) + Y Q 1 (X ), Q(α i, y i ) = 0, i {1,..., n} (1) deg(q 0 (X )) n t 1, (2) deg(q 1 (X )) n t k, (3) with Q 0 (X ), Q 1 (X ) F q [X ]. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 14 / 39

15 Computation of P(X ) Theorem A polynomial Q(X, Y ) F q [X, Y ] satisfying the previous constraints always exists. Theorem The polynomial Q(X, P(X )) F q [X ] is the null polynomial. Q(X, P(X )) = Q 0 (X ) + P(X )Q 1 (X ) = 0 = P(X ) = Q 0(X ) Q 1 (X ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 15 / 39

16 Algorithm Berlekamp-Welsh Input : y the received word, C a Reed-Solomon code. Output : P(X ) the codeword in polynomial form. Q(X, Y ) Interpolation BW ((α i, y i ) i=1,...,n ), P(x) Q 0(X ) Q 1 (X ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 16 / 39

17 Main idea of Sudan s algorithm Decoding τ > t errors, = different codeword candidates, = different Y -linear factors of Q(X, Y ). Q(X, Y ) = Q 0 (X ) + YQ 1 (X ) Y l Q l (X ), Q(α i, y i ) = 0, i {1,..., n}, deg(q j (X )) n τ 1 j(k 1), j {0,..., l}. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 17 / 39

18 Computation of P(X ) Theorem A polynomial Q(X, Y ) F q [X, Y ] satisfying the previous conditions always exists. Theorem The polynomial Q(X, P(X )) F q [X ] is the null polynomial. The previous theorem gives Q(X, P(X )) = 0 then P(X ) is a root of Q X (Y ) F q [X ][Y ]. = Y P(X ) Q(X, Y ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 18 / 39

19 Algorithm Sudan Input : y the received word, C a Reed-Solomon code. Output : (P 1 (X ),..., P l (X )) a list of codewords. Q(X, Y ) Interpolation S ((α i, y i ) i=1,...,n ). (P 1 (X ),..., P l (X )) LinearFactors(Q(X, Y )), M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 19 / 39

20 Extension of Sudan s algorithm Let P i and P j be two polynomials in the output list. Then it exists k {1,..., n} such that P i (α k ) = P j (α k ) = y k, so (α k, y k ) is a zero of Q(X, Y ) of order at least two. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 20 / 39

21 Extension of Sudan s algorithm Let P i and P j be two polynomials in the output list. Then it exists k {1,..., n} such that P i (α k ) = P j (α k ) = y k, so (α k, y k ) is a zero of Q(X, Y ) of order at least two. = add multiplicity constraints during the interpolation step of Q(X, Y ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 20 / 39

22 Extension of Sudan s algorithm Let P i and P j be two polynomials in the output list. Then it exists k {1,..., n} such that P i (α k ) = P j (α k ) = y k, so (α k, y k ) is a zero of Q(X, Y ) of order at least two. = add multiplicity constraints during the interpolation step of Q(X, Y ). Definition (Multiplicity) Let (a, b) F 2 q and Q(X + a, Y + b) = i,j q i,j X i Y j. The point (a, b) is a zero of Q(X, Y ) of mutiplicity s N, if Q(a, b) = 0, i, j such that i + j < s then q i,j = 0, and s is the larger integer satisfying this property. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 20 / 39

23 Q(X, Y ) in the case of GS Theorem Q(X, Y ) = Q 0 (X ) + YQ 1 (X ) Y l Q l (X ), Q(α i, y i ) = 0, i {1,..., n} with multiplicity s, deg(q j (X )) s(n τ) 1 j(k 1), j {0,..., l}. The polynomial Q(X, Y ) F q [X, Y ] satisfying the previous conditions always exist. Theorem The polynomial Q(X, P(X )) F q [X ] is the null polynomial. = Y P(X ) Q(X, Y ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 21 / 39

24 Algorithm Guruswami-Sudan Input : y the received word, C a Reed-Solomon code. Output : (P 1 (X ),..., P l (X )) a list of codewords. Q(X, Y ) Interpolation GS ((α i, y i ) i=1,...,n, s). (P 1 (X ),..., P l (X )) LinearFactors(Q(X, Y )). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 22 / 39

25 Decoding of Reed-Solomon codes Berlekamp-Welsh : Compute Q(X, Y ) Q 0 (X ) + Q 1 (X )Y such that Q(α i, y i ) = 0. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 23 / 39

26 Decoding of Reed-Solomon codes Berlekamp-Welsh : Compute Q(X, Y ) Q 0 (X ) + Q 1 (X )Y such that Q(α i, y i ) = 0. Y P(X ) Q(X, Y ) M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 23 / 39

27 Decoding of Reed-Solomon codes Berlekamp-Welsh : Compute Q(X, Y ) Q 0 (X ) + Q 1 (X )Y such that Q(α i, y i ) = 0. Y P(X ) Q(X, Y ) Sudan : Compute Q(X, Y ) Q 0 (X ) + + Q l (X )Y l such that Q(α i, y i ) = 0. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 23 / 39

28 Decoding of Reed-Solomon codes Berlekamp-Welsh : Compute Q(X, Y ) Q 0 (X ) + Q 1 (X )Y such that Q(α i, y i ) = 0. Y P(X ) Q(X, Y ) Sudan : Compute Q(X, Y ) Q 0 (X ) + + Q l (X )Y l such that Q(α i, y i ) = 0. Guruswami-Sudan : Compute Q(X, Y ) Q 0 (X ) + + Q l (X )Y l such that Q(α i, y i ) = 0 with multiplicities. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 23 / 39

29 Definitions Definition (Subfield subcode) Let C be a code over F p m of length n. The subfield subcode C of C over F p e, with e m is given by C C F n p e. Definition (Generalised Reed-Solomon GRS) Let β 1,..., β n be distinct elements of F q and α 1,..., α n be distinct elements of F q. The Generalised Reed-Solomon code (GRS) is given by GRS k [(β i ) i, (α i ) i ] {(β 1 P(α 1 ),..., β n P(α n )) : P P k }. Definition (Alternant codes) The code C is called alternant if C is a subfield subcode of a GRS. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 24 / 39

30 Goppa codes Definition (Goppa codes as alternant codes) Let α 1,..., α n be distinct elements of F p m, G(X ) a polynomial over F p m of degree r such that i n, G(α i ) 0. The Goppa code over F p e is given by : Γ ((α i ) i, G) GRS n r [(β i ) i, (α i ) i ] F n p e, where β i = G(α i ) j i (α i α j ). length n, dimension n mr, minimum distance r + 1. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 25 / 39

31 Particular property Theorem Let α 1,..., α n be distinct elements of F 2 m, G(X ) a polynomial over F 2 m of degree r such that i, G(α i ) 0. If G(X ) is square-free (without multiple roots) then Γ((α i ) i, G) = Γ((α i ) i, G 2 ). length n, dimension n mr, minimum distance 2r + 1. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 26 / 39

32 Context of decoding Let Γ((α i ) i, G) be a binary Goppa code of length n, where G is a square-free polynomial of degree r, and let y F n 2 be the received word. It exists e F n 2 and P(X ) F 2m[X ] of degree strictly less than n r, such that y = (β 1 P(α 1 ) + e 1,..., β n P(α n ) + e n ), where β i = G(α i ) j i (α i α j ). Decode y find P. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 27 / 39

33 Decoding Let Γ((α i ) i, G) be a binary Goppa code of length n, where G is a square-free polynomial of degree r, and y F n 2. Compute Q(X, Y ) l j=0 Q j(x )Y j such that Q(X, Y ) 0, Q(x i, y i β 1 i ) = 0 with multiplicity s(1 J 2 /n), Q(x i, zβ 1 i ) = 0 with multiplicity sj 2 /n, z F 2 \ {y i }, ( deg(q j ) < sn (1 J 2 /n) 2 + (J 2 /n) 2) j(n mr 1), j {1,..., l}, M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 28 / 39

34 Computation of P(X ) Theorem The polynomial Q(X, Y ) F p m[x, Y ] satisfying the previous conditions always exists. Theorem The polynomial Q(X, P(X )) F q [X ] is the null polynomial. = Y P(X ) Q(X, Y ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 29 / 39

35 Algorithm Augot, B., Couvreur Input : y the received word, Γ((α i ) i, G) the Goppa code. Output : (c 1 (X ),..., c l (X )) a list of codewords. Q(X, Y ) Interpolation ABC (y, Γ). (P 1 (X ),..., P l (X )) LinearFactors(Q(X, Y )). For i [1, l] do ci (β 1 P i (α 1 ),..., β n P i (α n )) ; end for M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 30 / 39

36 Correction Radii e/n : normalised error capacity Our method GS BW d/n : normalised minimum distance M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 31 / 39

37 Complexity Theorem To decode a square-free binary Goppa code up to the binary Johnson bound ( ) n J 2 (n, r) = 1 1 4r n our algorithm runs in O(n 7 ) field operations. Theorem To decode up to (1 ɛ)j 2, our algorithm runs in O(n 2 ɛ 5 ) field operations. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 32 / 39

38 Context of McEliece Choose : Γ((α i ) i, G) a Goppa code, G a generator matrix of Γ, S an invertible matrix, P a permutation matrix. Public key : (SGP, r). Secret key : (S 1, G, P 1 ). Encryption : m the message, c = msgp + e, s.t. w(e) = r Decryption : c = cp 1, m = Dec(c ), m = m S 1 M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 33 / 39

39 List decoding and McEliece Two types of attack : structural attack and decoding attack. = adding more errors makes the decoding attacks more difficult and does not add any structure. The encryption and decryption steps of McEliece s cryptosystem are fast, but have large keys. = tradeoff between decrease the keysize and increase the time of decryption (decoding). How to find the original plaintext? = use CCA2 McEliece variants. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 34 / 39

40 Key reduction for the generic variant of McEliece Method m n k r τ 2 WF Keysize gain U.D L.D U.D L.D U.D L.D U.D L.D U.D L.D M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 35 / 39

41 The dyadic variant is broken? Dyadic codes : quasi-cyclic of Goppa codes. Structural attack : Faugère, Otmani, Perret and Tillich. = find the structure of alternant code by a Groebner basis computation but 1 does not find the Goppa structure (i.e. G the Goppa polynomial), 2 space memory too large for m 16. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 36 / 39

42 Key reduction for the dyadic variant r(r + 1) > n Method m n k r τ 2 WF Keysize gain U.D L.D U.D L.D L.D U.D L.D U.D L.D U.D L.D M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 37 / 39

43 Key reduction for the dyadic variant m 16 Method m n k r τ 2 WF Keysize gain U.D L.D U.D L.D U.D L.D U.D L.D U.D L.D M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 38 / 39

44 List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem Morgan Barbier morgan.barbier@lix.polytechnique.fr École Polytechnique INRIA Saclay - Île de France 14 April 2011 University of Caen M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 39 / 39

List Decoding of Binary Goppa Codes up to the Binary Johnson Bound

List Decoding of Binary Goppa Codes up to the Binary Johnson Bound Daniel Augot Morgan Barbier Alain Couvreur École Polytechnique INRIA Saclay - Île de France ITW 2011 - Paraty Augot - Barbier - Couvreur