Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

Size: px

Start display at page:

Download "Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes"

Edward Clarke
6 years ago
Views:

1 Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes Magali Bardet 1 Julia Chaulet 2 Vlad Dragoi 1 Ayoub Otmani 1 Jean-Pierre Tillich 2 Normandie Univ, France; UR, LITIS, F Mont-Saint-Aignan, France. Inria, SECRET Project, Le Chesnay Cedex, France. PQCrypto 2016 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 1/24

2 Introduction McEliece Public-Key Encryption Scheme ( 78) 1 Based on linear codes equipped with an efficient decoding algorithm Public key = random basis Private key = decoding algorithm 2 McEliece proposed binary Goppa codes Vlad Dragoi Cryptanalysis of McEliece Polar Codes 2/24

3 Introduction Textbook McEliece encryption scheme Key Generation step: Vlad Dragoi Cryptanalysis of McEliece Polar Codes 3/24

4 Introduction Textbook McEliece encryption scheme Key Generation step: 1 Pick a k n generator matrix G for C (a t error correcting code with a low complexity decoding algorithm) Vlad Dragoi Cryptanalysis of McEliece Polar Codes 3/24

5 Introduction Textbook McEliece encryption scheme Key Generation step: 1 Pick a k n generator matrix G for C (a t error correcting code with a low complexity decoding algorithm) 2 Randomly pick n n permutation matrix P and k k invertible matrix S Vlad Dragoi Cryptanalysis of McEliece Polar Codes 3/24

6 Introduction Textbook McEliece encryption scheme Key Generation step: 1 Pick a k n generator matrix G for C (a t error correcting code with a low complexity decoding algorithm) 2 Randomly pick n n permutation matrix P and k k invertible matrix S 3 Private key = (S, G, P) and public key = (G pub, t) with G pub = SGP Vlad Dragoi Cryptanalysis of McEliece Polar Codes 3/24

7 Introduction Textbook McEliece Encryption scheme Encryption For m F k q, 1 Generate randomly e F n q of Hamming weight t 2 Cipher text c = mg pub + e Vlad Dragoi Cryptanalysis of McEliece Polar Codes 4/24

8 Introduction Textbook McEliece Encryption scheme Encryption For m F k q, 1 Generate randomly e F n q of Hamming weight t 2 Cipher text c = mg pub + e Decryption 1 Compute z = cp 1 z = msg + ep 1 2 Compute y = Decode G (z) y = ms 3 Return m = ys 1 m = m Vlad Dragoi Cryptanalysis of McEliece Polar Codes 4/24

9 Motivations Arguments for Polar Codes Polar codes represent a powerful family of codes Vlad Dragoi Cryptanalysis of McEliece Polar Codes 5/24

10 Motivations Arguments for Polar Codes Polar codes represent a powerful family of codes 1 They allow to attain the capacity of any memoryless channel. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 5/24

11 Motivations Arguments for Polar Codes Polar codes represent a powerful family of codes 1 They allow to attain the capacity of any memoryless channel. 2 They can be decoded with a low complexity algorithm the successive cancellation decoder by Arikan (2009). Vlad Dragoi Cryptanalysis of McEliece Polar Codes 5/24

12 Motivations Arguments for Polar Codes Polar codes represent a powerful family of codes 1 They allow to attain the capacity of any memoryless channel. 2 They can be decoded with a low complexity algorithm the successive cancellation decoder by Arikan (2009). 3 Polar codes do not seem to be very structured Vlad Dragoi Cryptanalysis of McEliece Polar Codes 5/24

13 Motivations Arguments for Polar Codes Polar codes represent a powerful family of codes 1 They allow to attain the capacity of any memoryless channel. 2 They can be decoded with a low complexity algorithm the successive cancellation decoder by Arikan (2009). 3 Polar codes do not seem to be very structured Shrestha and Kim proposed in 2014 a McEliece PKC using Polar Codes. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 5/24

14 Motivations Arguments for Polar Codes Polar codes represent a powerful family of codes 1 They allow to attain the capacity of any memoryless channel. 2 They can be decoded with a low complexity algorithm the successive cancellation decoder by Arikan (2009). 3 Polar codes do not seem to be very structured Shrestha and Kim proposed in 2014 a McEliece PKC using Polar Codes. Our main contribution Find the permutation P Vlad Dragoi Cryptanalysis of McEliece Polar Codes 5/24

15 Definitions Polar Codes and Reed-Muller Codes Definition G m def = ( ) ( ) }{{} m times The polar code of length n = 2 m and dimension k is obtained by choosing a specific subset of k rows of G m. The r th order Reed-Muller Codes R(r, m) is obtained by choosing all the rows of G m with Hamming weight greater or equal to 2 m r. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 6/24

16 Polar Codes We built the generator matrix G 1 = ( ) Vlad Dragoi Cryptanalysis of McEliece Polar Codes 7/24

17 Polar Codes We built the generator matrix for m = 2 we have: G 2 = G 1 0 G 1 G 1 G 1 = ( ) Vlad Dragoi Cryptanalysis of McEliece Polar Codes 7/24

18 Polar Codes We built the generator matrix G 1 = ( ) for m = 2 we have: G 2 = G 1 0 G 1 G 1 = Vlad Dragoi Cryptanalysis of McEliece Polar Codes 7/24

19 Polar Codes for m = 3 we have: G 1 0 G G 3 = 1 G 1 G 1 0 G 1 G G 1 0 G 1 G 1 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 8/24

20 Polar Codes for m = 3 we have: G G G 3 = 1 G G 1 0 G 1 0 G 1 G 1 G 1 G = Vlad Dragoi Cryptanalysis of McEliece Polar Codes 8/24

21 Polar Codes for m = 3 we have: G G G 3 = 1 G G 1 0 G 1 0 G 1 G 1 G 1 G 1 = The Polar Code [2 3, 5, 2] Vlad Dragoi Cryptanalysis of McEliece Polar Codes 8/24

22 Polar Codes for m = 3 we have: G G G 3 = 1 G G 1 0 G 1 0 G 1 G 1 G 1 G 1 = The Polar Code [2 3, 5, 2] The first order Reed-Muller Code R(1, 3) ([2 3, 4, 4]) Vlad Dragoi Cryptanalysis of McEliece Polar Codes 8/24

23 Motivations The purpose is to find the permutation P Vlad Dragoi Cryptanalysis of McEliece Polar Codes 9/24

24 Motivations The purpose is to find the permutation P 1 General method Support Splitting Algorithm by Sendrier Vlad Dragoi Cryptanalysis of McEliece Polar Codes 9/24

25 Motivations The purpose is to find the permutation P 1 General method Support Splitting Algorithm by Sendrier Small Permutation Group (leaves the code invariant) Vlad Dragoi Cryptanalysis of McEliece Polar Codes 9/24

26 Motivations The purpose is to find the permutation P 1 General method Support Splitting Algorithm by Sendrier Small Permutation Group (leaves the code invariant) 2 Small dimension Hull= C C Vlad Dragoi Cryptanalysis of McEliece Polar Codes 9/24

27 Motivations The purpose is to find the permutation P 1 General method Support Splitting Algorithm by Sendrier Small Permutation Group (leaves the code invariant) 2 Small dimension Hull= C C 2 Try to adapt the Minder and Shokrollahi attack (Reed-Muller Codes) to Polar Codes. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 9/24

28 Motivations The purpose is to find the permutation P 1 General method Support Splitting Algorithm by Sendrier Small Permutation Group (leaves the code invariant) 2 Small dimension Hull= C C 2 Try to adapt the Minder and Shokrollahi attack (Reed-Muller Codes) to Polar Codes. Polar codes are neither vulnerable to the SSA attack nor to the Minder and Shokrollahi attack Vlad Dragoi Cryptanalysis of McEliece Polar Codes 9/24

29 Motivations The purpose is to find the permutation P 1 General method Support Splitting Algorithm by Sendrier Small Permutation Group (leaves the code invariant) 2 Small dimension Hull= C C 2 Try to adapt the Minder and Shokrollahi attack (Reed-Muller Codes) to Polar Codes. Polar codes are neither vulnerable to the SSA attack nor to the Minder and Shokrollahi attack What is the permutation group of Polar Codes? Vlad Dragoi Cryptanalysis of McEliece Polar Codes 9/24

30 Monomial Codes The ambient space is the polynomial ring: R 2 [x 0,..., x m 1 ] = F 2 [x 0,..., x m 1 ] (x 2 0 x 0,..., x 2 m 1 x m 1) Vlad Dragoi Cryptanalysis of McEliece Polar Codes 10/24

31 Monomial Codes The ambient space is the polynomial ring: R 2 [x 0,..., x m 1 ] = F 2 [x 0,..., x m 1 ] (x 2 0 x 0,..., x 2 m 1 x m 1) For any g R 2 [x 0,..., x m 1 ] we naturally associate the evaluation over all elements in F m 2. ev(g) = ( g(u 0,..., u m 1 ) ) (u 0,...,u m 1 ) F m 2 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 10/24

32 Monomial Codes The ambient space is the polynomial ring: R 2 [x 0,..., x m 1 ] = F 2 [x 0,..., x m 1 ] (x 2 0 x 0,..., x 2 m 1 x m 1) For any g R 2 [x 0,..., x m 1 ] we naturally associate the evaluation over all elements in F m 2. ev(g) = ( g(u 0,..., u m 1 ) ) (u 0,...,u m 1 ) F m 2 Let M define the set of all monomials M def = {1, x 0,..., x m 1, x 0 x 1,..., x 0 x m 1 }. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 10/24

33 Monomial Codes Polar and Reed-Muller Codes Example for m = 3. Consider G 3 and all the elements of F 3 2 g Vlad Dragoi Cryptanalysis of McEliece Polar Codes 11/24

34 Monomial Codes Polar and Reed-Muller Codes Example for m = 3. Consider G 3 and all the elements of F 3 2 g x 2 x 1 x Vlad Dragoi Cryptanalysis of McEliece Polar Codes 11/24

35 Monomial Codes Polar and Reed-Muller Codes Example for m = 3. Consider G 3 and all the elements of F 3 2 g x 2 x 1 x x 2 x Vlad Dragoi Cryptanalysis of McEliece Polar Codes 11/24

36 Monomial Codes Polar and Reed-Muller Codes Example for m = 3. Consider G 3 and all the elements of F 3 2 g x 2 x 1 x x 2 x x 2 x Vlad Dragoi Cryptanalysis of McEliece Polar Codes 11/24

37 Monomial Codes Polar and Reed-Muller Codes Example for m = 3. Consider G 3 and all the elements of F 3 2 g x 2 x 1 x x 2 x x 2 x x Vlad Dragoi Cryptanalysis of McEliece Polar Codes 11/24

38 Monomial Codes Polar and Reed-Muller Codes Example for m = 3. Consider G 3 and all the elements of F 3 2 g x 2 x 1 x x 2 x x 2 x x x 1 x Vlad Dragoi Cryptanalysis of McEliece Polar Codes 11/24

39 Monomial Codes Polar and Reed-Muller Codes Example for m = 3. Consider G 3 and all the elements of F 3 2 g x 2 x 1 x x 2 x x 2 x x x 1 x x Vlad Dragoi Cryptanalysis of McEliece Polar Codes 11/24

40 Monomial Codes Polar and Reed-Muller Codes Example for m = 3. Consider G 3 and all the elements of F 3 2 g x 2 x 1 x x 2 x x 2 x x x 1 x x x Vlad Dragoi Cryptanalysis of McEliece Polar Codes 11/24

41 Monomial Codes Polar and Reed-Muller Codes Example for m = 3. Consider G 3 and all the elements of F 3 2 g x 2 x 1 x x 2 x x 2 x x x 1 x x x Vlad Dragoi Cryptanalysis of McEliece Polar Codes 11/24

42 Monomial Codes Polar and Reed-Muller Codes Example for m = 3. Consider G 3 and all the elements of F 3 2 g x x 1 x x x The [2 3, 5, 2] Polar Code. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 11/24

43 Monomial Codes Polar and Reed-Muller Codes Example for m = 3. Consider G 3 and all the elements of F 3 2 g x x x The [2 3, 5, 2] Polar Code. The [2 3, 4, 4] Reed-Muller Code or the R(1, 3). Vlad Dragoi Cryptanalysis of McEliece Polar Codes 11/24

44 Decreasing Monomial Codes Definition (Monomial order) The monomials of the same degree are ordered as x i1... x is x j1... x js if and only if for any l {1,..., s}, i l j l where we assume that i 1 > > i s and j 1 > > j s. This order is extended to other monomials through divisibility, namely: f g if and only if there is a divisor g of g such that f g. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 12/24

45 Decreasing Monomial Code 1 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 13/24

46 Decreasing Monomial Code x 0 1 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 13/24

47 Decreasing Monomial Code x 1 x 0 1 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 13/24

48 Decreasing Monomial Code x 1 x 0 x 2 x 1 x 0 1 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 13/24

49 Decreasing Monomial Code x 2 x 0 x 1 x 0 x 3 x 2 x 1 x 0 1 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 13/24

50 Decreasing Monomial Code x 2 x 1 x 2 x 0 x 1 x 0 x 3 x 0 x 3 x 2 x 1 x 0 1 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 13/24

51 Decreasing Monomial Code x 2 x 1 x 0 x 2 x 1 x 3 x 1 x 2 x 0 x 1 x 0 x 3 x 0 x 3 x 2 x 1 x 0 1 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 13/24

52 Decreasing Monomial Code x 3 x 1 x 0 x 2 x 1 x 0 x 2 x 1 x 3 x 2 x 3 x 1 x 2 x 0 x 1 x 0 x 3 x 0 x 3 x 2 x 1 x 0 1 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 13/24

53 Decreasing Monomial Code x 3 x 2 x 0 x 3 x 1 x 0 x 2 x 1 x 0 x 2 x 1 x 3 x 2 x 3 x 1 x 2 x 0 x 1 x 0 x 3 x 0 x 3 x 2 x 1 x 0 1 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 13/24

54 Decreasing Monomial Code x 3 x 2 x 1 x 3 x 2 x 0 x 3 x 1 x 0 x 2 x 1 x 0 x 2 x 1 x 3 x 2 x 3 x 1 x 2 x 0 x 1 x 0 x 3 x 0 x 3 x 2 x 1 x 0 1 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 13/24

55 Decreasing Monomial Code x 3 x 2 x 1 x 0 x 3 x 2 x 1 x 3 x 2 x 0 x 3 x 1 x 0 x 2 x 1 x 0 x 2 x 1 x 3 x 2 x 3 x 1 x 2 x 0 x 1 x 0 x 3 x 0 x 3 x 2 x 1 x 0 1 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 13/24

56 Decreasing Monomial Code x 3 x 2 x 1 x 0 x 3 x 2 x 1 x 3 x 2 x 0 x 3 x 1 x 0 x 2 x 1 x 0 x 2 x 1 x 3 x 2 x 3 x 1 x 2 x 0 x 1 x 0 x 3 x 0 x 3 x 2 x 1 x 0 1 Fact g M with deg(g) r we have x r 1... x 0 g. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 13/24

57 Decreasing Monomial Codes Definition (Decreasing set) A set I M is decreasing if and only if f I and g f = g I. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 14/24

58 Decreasing Monomial Codes Definition (Decreasing set) A set I M is decreasing if and only if f I and g f = g I. Definition (Decreasing monomial codes) The linear code defined by a set I of polynomials is C (I) = {ev(f ) f I}. 1 When I M, C (I) is a monomial code. 2 When I M is a decreasing set, C (I) is a decreasing monomial code. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 14/24

59 Decreasing Monomial Codes Main Properties Theorem (Bardet et all 2016) Polar Codes are Decreasing Monomial Codes Vlad Dragoi Cryptanalysis of McEliece Polar Codes 15/24

60 Decreasing Monomial Codes Main Properties Theorem (Bardet et all 2016) Polar Codes are Decreasing Monomial Codes Proposition The dual of a Decreasing Monomial Code is a Decreasing Monomial Code Vlad Dragoi Cryptanalysis of McEliece Polar Codes 15/24

61 Decreasing Monomial Codes Main Properties Theorem (Bardet et all 2016) Polar Codes are Decreasing Monomial Codes Proposition The dual of a Decreasing Monomial Code is a Decreasing Monomial Code Polar Codes with rate (sufficiently) smaller than 1 2 self-dual C C. are weakly Vlad Dragoi Cryptanalysis of McEliece Polar Codes 15/24

62 Decreasing Monomial Codes Permutation Group Let A be a lower triangular binary matrix with 1 s on the diagonal and b be an arbitrary element in F m 2. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 16/24

63 Decreasing Monomial Codes Permutation Group Let A be a lower triangular binary matrix with 1 s on the diagonal and b be an arbitrary element in F m b for m = 5 A = b = b 2 b 3 b 4. 1 b 5 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 16/24

64 Decreasing Monomial Codes Permutation Group Let A be a lower triangular binary matrix with 1 s on the diagonal and b be an arbitrary element in F m b for m = 5 A = b = b 2 b 3 b 4. 1 b 5 We define the lower triangular affine group LTA m as the set of affine transformations of the form x Ax + b Vlad Dragoi Cryptanalysis of McEliece Polar Codes 16/24

65 Decreasing Monomial Codes Permutation Group The image of a variable x i is: i 1 i = x i + a ij x j + b i. x j=0 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 17/24

66 Decreasing Monomial Codes Permutation Group The image of a variable x i is: i 1 i = x i + a ij x j + b i. x j=0 Theorem LTA m is included in the permutation group of a decreasing monomial code. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 17/24

67 Cryptanalysis of Polar Codes Tools and Techniques Puncturing and shortening a code { P J (C ) def = S J (C ) def = } ; (c i ) i / J c C { (c i ) i / J c = (c i ) i C such that i J, c i = 0 }. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 18/24

68 Cryptanalysis of Polar Codes Tools and Techniques Definition (Signature) Let G be a subgroup of permutations of C (linear code of length n) and W be a subset of C globally invariant under G. Σ(c, C ) is a signature of c if and only if (i) Σ(c, C ) = Σ(c π, C π ) for π from S n (i.e. Σ is invariant by permutation), (ii) Σ(c, C ) Σ(c, C ) if c and c both belong to W but are not in the same orbit under G (i.e. Σ takes distinct values for each orbit). Vlad Dragoi Cryptanalysis of McEliece Polar Codes 19/24

69 Cryptanalysis of Polar Codes Tools and Techniques Facts Let C (I) be a decreasing monomial code and I r be the set of maximum degree monomials. Recall that x r 1... x 0 I r. { r 1 } O xr 1...x 0 = (x i + b i ) i=0 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 20/24

70 Cryptanalysis of Polar Codes Key steps of the attack 1 Find the set of minimum weight codewords W min (C ) and W min (C π ) Vlad Dragoi Cryptanalysis of McEliece Polar Codes 21/24

71 Cryptanalysis of Polar Codes Key steps of the attack 1 Find the set of minimum weight codewords W min (C ) and W min (C π ) 2 c W min (C ) Σ c = ( ) Dim(S supp(c) (C ) ), W min (S supp(c) (C ) ) the same definition for Σ c π. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 21/24

72 Cryptanalysis of Polar Codes Key steps of the attack 1 Find the set of minimum weight codewords W min (C ) and W min (C π ) 2 c W min (C ) Σ c = ( ) Dim(S supp(c) (C ) ), W min (S supp(c) (C ) ) the same definition for Σ c π. 3 Use the signature and the action of LTA m to distinguish the orbits of monomials in particular x r 1... x 0 (denote c min = ev(x r 1... x 0 ) and c π min ) Vlad Dragoi Cryptanalysis of McEliece Polar Codes 21/24

73 Cryptanalysis of Polar Codes Key steps of the attack 1 Find the set of minimum weight codewords W min (C ) and W min (C π ) 2 c W min (C ) Σ c = ( ) Dim(S supp(c) (C ) ), W min (S supp(c) (C ) ) the same definition for Σ c π. 3 Use the signature and the action of LTA m to distinguish the orbits of monomials in particular x r 1... x 0 (denote c min = ev(x r 1... x 0 ) and c π min ) 4 Let J = {j c min [j] = 0}. Find a permutation that works for P J (C ) and P J π (C π ). Continue by induction in order to retrieve the underlying Polar Code. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 21/24

74 Cryptanalysis of Polar Codes The private polar code C The public permuted code C π Vlad Dragoi Cryptanalysis of McEliece Polar Codes 22/24

75 Cryptanalysis of Polar Codes The private polar code C The public permuted code C π W min (C ) = LTA m(i r ) (Bardet et all 2016) Compute W min (C π ) (Dumer 1991, Stern 1988) Vlad Dragoi Cryptanalysis of McEliece Polar Codes 22/24

76 Cryptanalysis of Polar Codes The private polar code C The public permuted code C π W min (C ) = LTA m(i r ) (Bardet et all 2016) Compute W min (C π ) (Dumer 1991, Stern 1988) g I r compute S supp(ev(g)) (C ) c π W min (C π ) compute S supp(c π )(C π ) Vlad Dragoi Cryptanalysis of McEliece Polar Codes 22/24

77 Cryptanalysis of Polar Codes The private polar code C The public permuted code C π W min (C ) = LTA m(i r ) (Bardet et all 2016) Compute W min (C π ) (Dumer 1991, Stern 1988) g I r compute S supp(ev(g)) (C ) c π W min (C π ) compute S supp(c π )(C π ) Vlad Dragoi Cryptanalysis of McEliece Polar Codes 22/24

78 Cryptanalysis of Polar Codes The private polar code C The public permuted code C π W min (C ) = LTA m(i r ) (Bardet et all 2016) Compute W min (C π ) (Dumer 1991, Stern 1988) g I r compute S supp(ev(g)) (C ) { r 1 } compute O xr 1...x0 = (x i + b i ) b i F 2 i=0 c π W min (C π ) compute S supp(c π )(C π ) Identify O xr 1...x 0 π using the list of signatures Vlad Dragoi Cryptanalysis of McEliece Polar Codes 22/24

79 Cryptanalysis of Polar Codes The private polar code C The public permuted code C π W min (C ) = LTA m(i r ) (Bardet et all 2016) Compute W min (C π ) (Dumer 1991, Stern 1988) g I r compute S supp(ev(g)) (C ) { r 1 } compute O xr 1...x0 = (x i + b i ) b i F 2 i=0 c π W min (C π ) compute S supp(c π )(C π ) Identify O xr 1...x 0 π using the list of signatures Since (x r 1 + 1)x r 2... x 0 O xr 1...x 0 Find (x r 1 + 1)x r 2... x π 0 Compute (x r 1 + 1)x r 2... x 0 + x r 1... x 0 = x r 2... x 0 Compute (x r 1 + 1)x r 2... x π 0 + x r 1... x π 0 = x r 2... x π 0 Use induction to compute the list (x i... x 0 ) 0 i r 1 By induction compute (x i... x π 0 ) 0 i r 1 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 22/24

80 Cryptanalysis of Polar Codes The private polar code C The public permuted code C π W min (C ) = LTA m(i r ) (Bardet et all 2016) Compute W min (C π ) (Dumer 1991, Stern 1988) g I r compute S supp(ev(g)) (C ) { r 1 } compute O xr 1...x0 = (x i + b i ) b i F 2 i=0 c π W min (C π ) compute S supp(c π )(C π ) Identify O xr 1...x 0 π using the list of signatures Since (x r 1 + 1)x r 2... x 0 O xr 1...x 0 Find (x r 1 + 1)x r 2... x π 0 Compute (x r 1 + 1)x r 2... x 0 + x r 1... x 0 = x r 2... x 0 Compute (x r 1 + 1)x r 2... x π 0 + x r 1... x π 0 = x r 2... x π 0 Use induction to compute the list (x i... x 0 ) 0 i r 1 By induction compute (x i... x π 0 ) 0 i r 1 Let c i = ev(x i 1... x 0 ) with c 0 = ev(1) (c i ) π = ev(x i 1... x π 0 ) Let J i = {j c i [j] = 0} Let (J i ) π = {j (c i ) π [j] = 0} D i def = P J i (C ) (D i ) π def = P (J i ) π (C π ) Vlad Dragoi Cryptanalysis of McEliece Polar Codes 22/24

81 Cryptanalysis of Polar Codes The private polar code C The public permuted code C π W min (C ) = LTA m(i r ) (Bardet et all 2016) Compute W min (C π ) (Dumer 1991, Stern 1988) g I r compute S supp(ev(g)) (C ) { r 1 } compute O xr 1...x0 = (x i + b i ) b i F 2 i=0 c π W min (C π ) compute S supp(c π )(C π ) Identify O xr 1...x 0 π using the list of signatures Since (x r 1 + 1)x r 2... x 0 O xr 1...x 0 Find (x r 1 + 1)x r 2... x π 0 Compute (x r 1 + 1)x r 2... x 0 + x r 1... x 0 = x r 2... x 0 Compute (x r 1 + 1)x r 2... x π 0 + x r 1... x π 0 = x r 2... x π 0 Use induction to compute the list (x i... x 0 ) 0 i r 1 By induction compute (x i... x π 0 ) 0 i r 1 Let c i = ev(x i 1... x 0 ) with c 0 = ev(1) (c i ) π = ev(x i 1... x π 0 ) Let J i = {j c i [j] = 0} Let (J i ) π = {j (c i ) π [j] = 0} D i def = P J i (C ) (D i ) π def = P (J i ) π (C π ) Solve the code equivalence for D i and (D i ) π by induction from i = r down to 0 Vlad Dragoi Cryptanalysis of McEliece Polar Codes 22/24

82 Cryptanalysis of Polar Codes Implementation We consider the [2048, 614]-Polar Code that is able to correct up to 200 errors. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 23/24

83 Cryptanalysis of Polar Codes Implementation We consider the [2048, 614]-Polar Code that is able to correct up to 200 errors. The security level is 2 105, given by generic linear codes decoding algorithms. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 23/24

84 Cryptanalysis of Polar Codes Implementation We consider the [2048, 614]-Polar Code that is able to correct up to 200 errors. The security level is 2 105, given by generic linear codes decoding algorithms. We checked the decreasing property of both C and C as well as the weakly duality property of the code. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 23/24

85 Cryptanalysis of Polar Codes Implementation We consider the [2048, 614]-Polar Code that is able to correct up to 200 errors. The security level is 2 105, given by generic linear codes decoding algorithms. We checked the decreasing property of both C and C as well as the weakly duality property of the code. d min C = 32 and there were W min (C ) = For the dual code d min C = 8 and there were 6912 codewords. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 23/24

86 Cryptanalysis of Polar Codes Implementation We consider the [2048, 614]-Polar Code that is able to correct up to 200 errors. The security level is 2 105, given by generic linear codes decoding algorithms. We checked the decreasing property of both C and C as well as the weakly duality property of the code. d min C = 32 and there were W min (C ) = For the dual code d min C = 8 and there were 6912 codewords. It took 27 seconds to find these codewords in C π and 3 seconds to find these codewords in (C π ) on a 8-core XEON E running at 3.40 GHz. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 23/24

87 Cryptanalysis of Polar Codes Implementation We consider the [2048, 614]-Polar Code that is able to correct up to 200 errors. The security level is 2 105, given by generic linear codes decoding algorithms. We checked the decreasing property of both C and C as well as the weakly duality property of the code. d min C = 32 and there were W min (C ) = For the dual code d min C = 8 and there were 6912 codewords. It took 27 seconds to find these codewords in C π and 3 seconds to find these codewords in (C π ) on a 8-core XEON E running at 3.40 GHz. The most time consuming part is the last part of the induction. The time for a successful attack was less than 14 days on the same processor. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 23/24

88 Summary Polar Codes in a public key cryptographic scheme are vulnerable to structural attacks. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 24/24

89 Summary Polar Codes in a public key cryptographic scheme are vulnerable to structural attacks. The introduction of an algebraic formalism was crucial for a successful attack. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 24/24

90 Summary Polar Codes in a public key cryptographic scheme are vulnerable to structural attacks. The introduction of an algebraic formalism was crucial for a successful attack. A unified formalism for Polar Codes and Reed-Muller Codes under the name of Decreasing Monomial Codes. Vlad Dragoi Cryptanalysis of McEliece Polar Codes 24/24

Cryptanalysis of the McEliece Public Key Cryptosystem based on Polar Codes

Cryptanalysis of the McEliece Public Key Cryptosystem based on Polar Codes Magali Bardet, Julia Chaulet, Vlad Dragoi, Ayoub Otmani, Jean-Pierre Tillich To cite this version: Magali Bardet, Julia Chaulet,