Codes used in Cryptography

Size: px

Start display at page:

Download "Codes used in Cryptography"

Morris Miles Randall
6 years ago
Views:

1 Prasad Krishnan Signal Processing and Communications Research Center, International Institute of Information Technology, Hyderabad March 29, 2016

2 Outline Coding Theory and Cryptography Linear Codes Codes and Cryptography Decoding Variants of BCH codes Reed Solomon and Generalised Reed Solomon Codes Alternant Codes Goppa Codes

3 Linear Codes Outline Coding Theory and Cryptography Linear Codes Codes and Cryptography Decoding Variants of BCH codes Reed Solomon and Generalised Reed Solomon Codes Alternant Codes Goppa Codes

4 Linear Codes What is a code A code is a finite subset of some mathematical structure. Used to encode messages passing through a channel. The elements of the subset are picked in such a way as to ensure that errors occurring during transmission do not cause confusion during decoding. Encoding function of a code C E : Messages Codewords.

5 Linear Codes Linear Codes over F n q C is a linear code if E is linear in the message set. If E : F k q F n q, then we can represent E using a matrix G k n over F such that c = xg. G is called the generator matrix of C, which is a (n, k) code. The linear code is completely defined by its generator matrix G k n. Alternatively, one can used a parity check matrix H n k n to define the code, where H is any matrix such that GH T = 0. C = Span(G) = Null space(h).

6 Linear Codes Linear Codes over F n q Received vector is r = c + e e = (e 0, e 1,..., e n 1 ) captures the error occuring in the n coordinates. Minimum distance: d = min c C (w H (c)). Singleton bound: d n k + 1. Theorem (Error correction) A linear code C with minimum distance 2t + 1 can correct any t errors. Theorem (Independence of the H matrix) A linear code C has minimum distance d if and only if any set of d 1 columns of H are linearly independent.

7 Linear Codes Linear Codes over F n q - Syndrome Decoding Received vector r = c + e F n q. Compute s = rh T = ch T + eh T = xgh T + eh T = eh T F n k q. 2t + 1 d n k + 1. Corresponding to any error vector of weight upto t there is an unique syndrome. Syndrome decoding for errors of weight upto t. 1. Find the syndrome s 2. Find e corresponding to s (here code structure helps build efficient algorithms). 3. Find c = r e. Map it back to x.

8 Codes and Cryptography Outline Coding Theory and Cryptography Linear Codes Codes and Cryptography Decoding Variants of BCH codes Reed Solomon and Generalised Reed Solomon Codes Alternant Codes Goppa Codes

9 Codes and Cryptography Linear Codes over F n q - Connection to Crytography Public Key Cryptography: Want to convey a message secretly (make it easy for the intended receiver, but hard for everyone else). Encoding key is public, but decoding key is ideally known to receiver alone. {E e : Plaintext Ciphertext e KeySpace}. (1) {D d : Plaintext Ciphertext d KeySpace}. (2) Given a (e, d) pair (e and d are mathematically related) 1. D d (E e (p)) = p p Plaintext. 2. Knowing e it is hard to get d.

10 Codes and Cryptography McEliece Cryptosystem - Code-based Crypto System Example Want to transmit x F k q secretly. Choose A code C (i.e., an appropriate Gk n ) that can correct t errors, and has an efficient decoding algorithm = O(nt). An invertible matrix Sk k A permutation matrix P n n McEliece Scheme Public Key: G = SGP (generates code having same distance properties as C, but does not have an efficient decoding algorithm). Send xg + e, for some random t vector e with w H (e) = t. Private Key: (S, P, Efficient decoding algorithm for code G)

11 Codes and Cryptography McEliece Cryptosystem - Code-based Crypto Example Receiver and wiretapper both see r = xg + e. Receiver knows S, P and the efficient decoding algorithm for G. Thus it does the following. Note that e and e have weight t. rp 1 = xsgpp 1 + ep 1 (3) = xsg + e, (4) From the above equation, receiver can decode for x = xs by the efficient algorithm. Finally get x = x S 1. Wiretapper sees a random code, G, in the sense that there is no efficient algorithm to get x (the bruteforce method is exponential in n k).

12 Codes and Cryptography McEliece Cryptosystem - Code-based Crypto Example McEliece chose the class of binary Goppa codes for his scheme, because Fast algorithms are available for codes with large k, n (required further for making the algorithm secure). McEliece gives an example of n = 1024, k = 524 with t = 50. Large number of Goppa codes exist so wiretapper finds it hard to find G. Unbroken, unlike other codes proposed like Reed Solomon, etc. (till 2008 :(, but suggested increase in size of parameters). Rest of this talk : Focus on understanding construction and decoding of Goppa Codes (well, kind of)

13 Codes and Cryptography Why Kind of?

14 Outline Coding Theory and Cryptography Linear Codes Codes and Cryptography Decoding Variants of BCH codes Reed Solomon and Generalised Reed Solomon Codes Alternant Codes Goppa Codes

15 Cyclic Codes Denote a codeword (c 0, c 1,..., c n 1 ) as a polynomial in X, c(x ) = c 0 + c 1 X + c 2 X c n 1 X n 1. A cyclic code is a linear code where if c(x ) is a codeword, then Xc(X )mod(x n 1), i.e., (c 0, c 1, c 2,..., c n 1 ) C (c n 1, c 0, c 1,..., c n 2 ) C. For any (n, k) cyclic code C, we can identify one (n k) degree polynomial g(x ), such that any C = {m(x )g(x ) : m(x ) F q [X ], deg(m(x )) k 1}which is known as the generator polynomial of C. Generator polynomial of n-length cyclic codes divide x n 1.

16 Bose-Chaudhari-Hocquenghem codes Let α be the n th root of unity in F q m for a given m. A (narrow-sense) BCH code with design distance 2t + 1 and length n over F q has generator polynomial g BCH (X ) = LCM(minpoly q (α)minpoly q (α 2 )..minpoly q (α 2t )), where minpoly q (α i ) is the minimum degree polynomial with coefficients from F q with α i as a root.

17 Parity Check matrix Thus, any for any codeword c(x ), (c(α), c(α 2 ),..., c(α 2t )) = 0. In other words, the parity check matrix 1 α α 2... α n 1 1 α 2 α 4... α 2 n 1 H BCH = α 2t α 4t... α 2t(n 1) BCH q (n, 2t) = NullSpace(H BCH ) in F n q. Any set of 2t columns from H BCH is linearly independent over F q. Therefore BCH code with design distance 2t + 1 can correct any t errors.

18 Decoding Outline Coding Theory and Cryptography Linear Codes Codes and Cryptography Decoding Variants of BCH codes Reed Solomon and Generalised Reed Solomon Codes Alternant Codes Goppa Codes

19 Decoding Decoding r(x ) = c(x ) + e(x ), w H (e) t. Idea: find syndrome, find error, find information symbols. For any α i, i = 1, 2,.., 2t we have n 1 r(α i ) = c(α i ) + e(α i ) = e(α i ) = e j (α i ) j Suppose e has errors in ν locations for some ν t. Let those locations be j 1, j 2,..., j ν. Then, j=0 r(α i ) = ν e jl (α i ) j l, i = 1, 2,.., 2t. l=1

20 Decoding Decoding Let X l = α j l and S i = r(α i ). Therefore we have the set of equations S 1 = e j1 X 1 + e j2 X e jν X ν (5) S 2 = e j1 X e j2 X e jν X 2 ν (6)... (7) S 2t = e j1 X 2t 1 + e j2 X 2t e jν X 2t ν, (8) Note that X l = α j l indicates the location of the l th error (i.e, j l ) while e jl is the error value at that position. We want to get both X l s and the e jl s in that order. Direct solving for X l s involve nonlinear equations. So we use another trick.

21 Decoding Decoding Error Locator Polynomial: A polynomial whose roots are X 1 l, l = 1,.., ν. Λ(x) = Π ν i=1(1 X l x) = 1 + Λ 1 x + Λ 2 x Λ ν x ν. If we have the coefficients Λ i s, then getting the roots of Λ(x) is equivalent to finding error locations (can be done by evaluations of Λ(x)). If we have the error locations, we can use the equations in the previous slide to get the error values. Coefficients Λ i s and the syndromes are related by Newton s identities.

22 Decoding Decoding Newton s identities: S 1 S 2... S ν S 2 S 3... S ν S ν S ν+1... S 2ν 1 Λ ν Λ ν 1. Λ 1 = S ν+1 S ν+2. S 2ν Above equation is well defined for ν t. Set ν = t. Form M ν (the matrix above) and find det(m ν ). If det(m ν ) = 0 then set ν ν 1 and repeat the previous step. If M ν is invertible, solve for coefficients Λ i, i = 1, 2,.., ν. Finally solve for the error values.

23 Reed Solomon and Generalised Reed Solomon Codes Outline Coding Theory and Cryptography Linear Codes Codes and Cryptography Decoding Variants of BCH codes Reed Solomon and Generalised Reed Solomon Codes Alternant Codes Goppa Codes

24 Reed Solomon and Generalised Reed Solomon Codes Generalised Reed Solomon Codes RS Code is a BCH Code with n = q m 1 over F q m. Thus, g RS (X ) = (X α)(x α 2 )...(X α 2t ) Another way to encode RS code: For any m(x ) (upto degree k 1), the codeword is (m(1), m(α),..., m(α n 1 )) (min distance d = n k + 1). GRS Codes (also have max distance d = n k + 1) v = (v 1, v 2,..., v n ) : non-zero elements in F q m β = (β 1, β 2,..., β n ): distinct elements in F q m. The GRS(β, v,) is the set of all vectors of the form (v 1 m(β 1 ), v 2 m(β 2 ),..., v n m(β n )), where m(x ) is any polynomial of degree k 1.

25 Reed Solomon and Generalised Reed Solomon Codes Generalised RS Codes The H matrix GRS Code takes the form, β 1 β 2... β n H GRS = β1 2 β βn β1 n k 1 β2 n k 1... βn n k 1 = XY, y 1... y y n (9) (10) where y = (y 1,..., y n ) is some vector (with non-zero y i s) such that H GRS is an appropriate H matrix to GRS(β, v). GRS(β, v) = NullSpace(H GRS ) in F q m.

26 Alternant Codes Outline Coding Theory and Cryptography Linear Codes Codes and Cryptography Decoding Variants of BCH codes Reed Solomon and Generalised Reed Solomon Codes Alternant Codes Goppa Codes

27 Alternant Codes Alternant Codes Long BCH codes are not good (rate(k/n) and error correction (d/n)don t keep growing together). Rectified by Alternant codes. Subcodes of GRS codes. Alternant Code For β consisting of n distinct values from F q m, and y being non-zero values from F q m, A(β, y) = NullSpace(H GRS ) in F q.

28 Goppa Codes Outline Coding Theory and Cryptography Linear Codes Codes and Cryptography Decoding Variants of BCH codes Reed Solomon and Generalised Reed Solomon Codes Alternant Codes Goppa Codes

29 Goppa Codes Goppa Codes Let G(z) be a polynomial with coefficients from F q m. Let β = {β 1, β 2,..., β n } be n elements such that G(β i ) 0, i = 1, 2,..., n. For a vector a = (a 1,..., a n ) F n q, we define associate the rational function R a (z) = n i=1 a i z β i. 1 Note that has an polynomial inverse in Fq[z] z β i (G(z)). Goppa Code (β, G(z)) is defined as { a F n q R a (z) 0(modG(z)) }.

30 Goppa Codes Goppa Codes as Alternant Codes G(z) a polynomial with coefficients from F q m. β = {β 1, β 2,..., β n } are n elements such that G(β i ) 0, i = 1, 2,..., n. Let y = (G(β 1 ) 1, G(β 2 ) 1,..., G(β n ) 1 ). Goppa Code Goppa Code (β, G(z)) = A(β, y). If β is set of all non-zeros of G(z) then the Goppa code is completely determined by G(z). Has an optimised decoding algorithm because of its further structure.

Code-Based Cryptography Error-Correcting Codes and Cryptography

Code-Based Cryptography Error-Correcting Codes and Cryptography I. Márquez-Corbella 0 1. Error-Correcting Codes and Cryptography 1. Introduction I - Cryptography 2. Introduction II - Coding Theory 3. Encoding