Errors, Eavesdroppers, and Enormous Matrices

Size: px

Start display at page:

Download "Errors, Eavesdroppers, and Enormous Matrices"

Gabriel Harvey
6 years ago
Views:

1 Errors, Eavesdroppers, and Enormous Matrices Jessalyn Bolkema September 1, 2016 University of Nebraska - Lincoln

2 Keep it secret, keep it safe

3 Public Key Cryptography The idea: We want a one-way lock so, for example, Amazon.com doesn t need to create a new encryption key for each one of its customers. 1

4 Public Key Cryptography The idea: We want a one-way lock so, for example, Amazon.com doesn t need to create a new encryption key for each one of its customers. Think: lock a padlock on a box, mail it to someone who already has the key. 1

5 RSA The facts: Introduced publicly in

6 RSA The facts: Introduced publicly in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman 2

7 RSA The facts: Introduced publicly in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman widely used! 2

8 How it works Each organization using RSA gets assigned two large primes, call them p and q. The public key that is available to everyone is their product, n = p q. 3

9 How it works Each organization using RSA gets assigned two large primes, call them p and q. The public key that is available to everyone is their product, n = p q. Encryption algorithm only uses n 3

10 How it works Each organization using RSA gets assigned two large primes, call them p and q. The public key that is available to everyone is their product, n = p q. Encryption algorithm only uses n Decryption algorithm requires knowledge of the specific values of p and q, so nobody else can decrypt the data 3

11 Let s try it How would we factor 364? 4

12 Let s try it How would we factor 364? You can see that 2 divides 364 evenly to leave also divides 182, which leaves and 5 do not divide 91 evenly, but 7 does. This leaves 13, which is also a prime. So 364 =

13 Let s try it How would we factor 364? You can see that 2 divides 364 evenly to leave also divides 182, which leaves and 5 do not divide 91 evenly, but 7 does. This leaves 13, which is also a prime. So 364 = There is a fancy algorithm - The Generalized Number Field Sieve 4

14 But factoring is hard. The challenge (1977) Factor this number:

15 But factoring is hard. The challenge (1977) Factor this number: In 1994, the answer:

16 Can you hear me now?

17 Errors are everywhere 6

18 Coding Theory information 7

19 Coding Theory information Encoder 7

20 Coding Theory information Encoder code word 7

21 Coding Theory information Encoder Channel code word 7

22 Coding Theory information Encoder code word Channel received word 7

23 Coding Theory information Encoder code word Channel received word Decoder 7

24 Coding Theory information Encoder code word Channel received word Decoder estimated word 7

25 Coding Theory information Encoder code word Channel received word Decoder estimated word Unencoder 7

26 Coding Theory information Encoder code word Channel received word Decoder estimated word Unencoder message 7

27 For example... Repetition code Let C = {00000, 11111}. What are the possible messages? How would you decode? (You receive 00010, or 00??0, or 10101, or...) 8

28 For example... Repetition code Let C = {00000, 11111}. What are the possible messages? How would you decode? (You receive 00010, or 00??0, or 10101, or...) 0 and 1 8

29 For example... Repetition code Let C = {00000, 11111}. What are the possible messages? How would you decode? (You receive 00010, or 00??0, or 10101, or...) 0 and 1 Majority rules! 8

30 A Generator Matrix We need a way to encode information efficiently. 9

31 A Generator Matrix We need a way to encode information efficiently. A matrix G is called a generator matrix for a code C if the rows of G form a basis for C. 9

32 For Example Consider G = To encode the message [ ] , multiply! 10

33 For Example Consider G = [ ] To encode the message , multiply! [ ] (Hopefully we got ) 10

34 Recovering from Errors Definition For vectors x = (x 1,..., x n ) and y = (y 1,..., y n ), the Hamming distance from x to y is d(x, y) = #{i x i y i }. 11

35 Recovering from Errors Definition For vectors x = (x 1,..., x n ) and y = (y 1,..., y n ), the Hamming distance from x to y is d(x, y) = #{i x i y i }. Examples: d(hat, CAT)= 1 11

36 Recovering from Errors Definition For vectors x = (x 1,..., x n ) and y = (y 1,..., y n ), the Hamming distance from x to y is d(x, y) = #{i x i y i }. Examples: d(hat, CAT)= 1 d(pear, PLUM)=3 11

37 Recovering from Errors Definition For vectors x = (x 1,..., x n ) and y = (y 1,..., y n ), the Hamming distance from x to y is d(x, y) = #{i x i y i }. Examples: d(hat, CAT)= 1 d(pear, PLUM)=3 d(11100, 11001)=2 11

38 Recovering from Errors Definition For vectors x = (x 1,..., x n ) and y = (y 1,..., y n ), the Hamming distance from x to y is d(x, y) = #{i x i y i }. Examples: d(hat, CAT)= 1 d(pear, PLUM)=3 d(11100, 11001)=2 11

39 Recovering from Errors Definition The minimum distance of a binary linear code C is d min (C) = min{d(x, y) x y C} 12

40 Recovering from Errors Definition The minimum distance of a binary linear code C is d min (C) = min{d(x, y) x y C} How many bits do we have to flip to get from one codeword to another? 12

41 Recovering from Errors Definition The minimum distance of a binary linear code C is d min (C) = min{d(x, y) x y C} How many bits do we have to flip to get from one codeword to another? How many errors does it take to make a message unrecognizable? 12

42 Decoding Algorithms If a code has minimum distance d, we can correct up to d 1 2 errors. (Why?) 13

43 Decoding Algorithms If a code has minimum distance d, we can correct up to d 1 2 errors. (Why?) And... how? 13

44 Decoding Algorithms If a code has minimum distance d, we can correct up to d 1 2 errors. (Why?) And... how? Nearest neighbor decoding Syndrome decoding Belief propagation Berlekamp-Welch... each optimized for specific codes. 13

45 What can coding theory do? The tradeoff: To increase reliability, we sacrifice efficiency. 14

46 What can coding theory do? The tradeoff: To increase reliability, we sacrifice efficiency. Choices depend on specific application: Point-to-point communication Distributed storage Streaming Network communication 14

47 All Together Now (The McEliece Cryptosystem)

48 Choose-your-own-error-adventure Coding theory is designed to protect information from random errors. But what if I just added errors on purpose? Information becomes hidden by choice. 15

49 The McEliece Cryptosystem Design: A generator matrix G, an efficient decoder. 16

50 The McEliece Cryptosystem Design: A generator matrix G, an efficient decoder. Public key: G := SGP where S is a random invertible matrix and P a permutation matrix. 16

51 The McEliece Cryptosystem Design: A generator matrix G, an efficient decoder. Public key: G := SGP where S is a random invertible matrix and P a permutation matrix. A disguise! 16

52 The McEliece Cryptosystem Design: A generator matrix G, an efficient decoder. Public key: G := SGP where S is a random invertible matrix and P a permutation matrix. A disguise! Private key: The matrices S, G, P. 16

53 The McEliece Cryptosystem Design: A generator matrix G, an efficient decoder. Public key: G := SGP where S is a random invertible matrix and P a permutation matrix. A disguise! Private key: The matrices S, G, P. Encryption: m m G + e, where e is an error vector with weight half the minimum distance. 16

54 The McEliece Cryptosystem Design: A generator matrix G, an efficient decoder. Public key: G := SGP where S is a random invertible matrix and P a permutation matrix. A disguise! Private key: The matrices S, G, P. Encryption: m m G + e, where e is an error vector with weight half the minimum distance. Decryption: Decode msg + ep 1 with respect to G. 16

55 The McEliece Cryptosystem Design: A generator matrix G, an efficient decoder. Public key: G := SGP where S is a random invertible matrix and P a permutation matrix. A disguise! Private key: The matrices S, G, P. Encryption: m m G + e, where e is an error vector with weight half the minimum distance. Decryption: Decode msg + ep 1 with respect to G. Undo the process, using secret information! 16

56 Let s try it. Consider G =

57 Let s try it. Consider G = Pick S =

58 Let s try it. Consider G = Pick S = Pick P, some permutation of columns. Find SGP. 17

59 History Introduced by Robert McEliece in What s the catch? 18

60 History Introduced by Robert McEliece in What s the catch? Well, key size is larger than RSA... 18

61 History Introduced by Robert McEliece in What s the catch? Well, key size is larger than RSA... and too much structure is vulnerable to attack. 18

62 Why does it work? Decoding a random linear code is hard! (NP-hard, in fact.) 18

63 Quantum Stuff

64 Advancing technology Quantum Computing... studies theoretical computation systems (quantum computers) that make direct use of quantum-mechanical phenomena, such as superposition and entanglement, to perform operations on data. 19

65 Advancing technology Quantum Computing... studies theoretical computation systems (quantum computers) that make direct use of quantum-mechanical phenomena, such as superposition and entanglement, to perform operations on data. The big difference? Binary states replaced by quantum states. 19

66 It is unclear when scalable quantum computers will be available, however in the past year or so, researchers working on building a quantum computer have estimated that it is likely that a quantum computer capable of breaking RSA-2048 in a matter of hours could be built by 2030 for a budget of about a billion dollars. This is a serious long - term threat to the cryptosystems currently standardized by NIST. 19

67 The threat: Shor s algorithm: Formulated in

68 The threat: Shor s algorithm: Formulated in 1994 Polynomial time algorithm for factoring 20

69 The threat: Shor s algorithm: Formulated in 1994 Polynomial time algorithm for factoring Currently the largest number to have been successfully factored on a quantum computer is... 20

70 The threat: Shor s algorithm: Formulated in 1994 Polynomial time algorithm for factoring Currently the largest number to have been successfully factored on a quantum computer is

71 but McEliece still works! PQCRYPTO currently recommends the following parameters to achieve post-quantum security: McEliece with binary Goppa codes using length n = 6960, dimension k = 5413 and adding t = 119 errors. Examples of other choices under evaluation: Quasi-cyclic MDPC codes with parameters at least n = , k = , d = 274 and adding t = 264 errors. 21

72 Open Questions What s the best code? Reed-Solomon, algebraic geometry codes, etc too structured! 22

73 Open Questions What s the best code? Reed-Solomon, algebraic geometry codes, etc too structured! Low-density parity-check codes too random! 22

74 Open Questions What s the best code? Reed-Solomon, algebraic geometry codes, etc too structured! Low-density parity-check codes too random! Spatially-coupled or quasi-cyclic codes just right? 22

75 Open Questions What s the best code? Reed-Solomon, algebraic geometry codes, etc too structured! Low-density parity-check codes too random! Spatially-coupled or quasi-cyclic codes just right? What do we need to know to implement? 22

76 Open Questions What s the best code? Reed-Solomon, algebraic geometry codes, etc too structured! Low-density parity-check codes too random! Spatially-coupled or quasi-cyclic codes just right? What do we need to know to implement? algorithms protocols software speedups key sizes... 22

77 Thank you! 22

Code-based Cryptography

Code-based Cryptography a Hands-On Introduction Daniel Loebenberger Ηράκλειο, September 27, 2018 Post-Quantum Cryptography Various flavours: Lattice-based cryptography Hash-based cryptography Code-based