Cryptographic applications of codes in rank metric

Transcription

1 Cryptographic applications of codes in rank metric Pierre Loidreau CELAr and Université de Rennes June 16th, 2009

2 Introduction Rank metric and cryptography Gabidulin codes and linearized polynomials McEliece type cryptosystems AF-like cryptosystems

3 Rank metric and cryptography

4 History of Cryptographic applications Encryption schemes, [Gabidulin-Paramonov-Tretjakov 91] Trapdoor: Difficulty of decoding in rank metric. Authentification codes, [Johannson95] ZK-identification scheme, [Chen96] Hash functions for MAC, [Savafi-Naini-Charnes 05]

5 Rank metric Definition (Rank of a vector) γ 1,...,γ m, a basis of F q m/f q, e = (e 1,...,e n ) (F q m) n, e i (e i1,...,e in ), e 11 e 1n e F q m, Rk(e) def = Rk..... e m1 e mn Definition C F n q m is a (n,m,d) r-code if M = C Min. rank distance: d = min c1 c 2 C Rk(c 1 c 2 )

6 Bounds in rank metric Volume of sphere: q (m+n 1)t t2 S t q (m+n+1)t t2 Volume of ball: q (m+n 1)t t2 B t q (m+n+1)t t2 +1 Classical Bounds Singleton: M q min(m(n d+1),n(m d+1)) MRD codes Sphere-packing: MB (d 1)/2 q mn perfect codes GV-like: MB d 1 < q mn = (n,m + 1,d) r code

7 Singleton: M q min(m(n d+1),n(m d+1)) MRD codes Sphere-packing: MB (d 1)/2 q mn perfect codes GV-like: MB d 1 < q mn = (n,m + 1,d) r code Proposition ([L.06]) No perfect codes exist For C on GV: if mn log q M = o(n)(m + n) d n + m + n 1 2 logq M 1 + m + n (m n)2 4log q M,

8 Decoding problems for linear codes Parameters C generated by matrix G y F n qm, received vector t an integer Problems MDD: Find x, s.t. Rk(y xg) = min c C (Rk(y c)) BDD: Find, if exists, x, s.t. Rk(y xg) t LD: Find all x such that Rk(y xg) t Are these search problems NP-hard?

9 Solving BDD(t) for t (d 1)/2 Principle: Find min. rank codewords in code generated by ( ) G G = = S (I y k+1 R) System: (β 1,...,β t )(U 2 U 1 R) = 0 Methods Try and solve, [Chabaud-Stern 96, Ourivski-Johannson 02] Algo. type Basis enumeration Coordinates enumeration Complexity (k + t) 3 q (t 1)(m t)+2 (k + t) 3 t 3 q (t 1)(k+1) Projection on base field and use of Groebner bases techniques, [Levy-Perret 06]

10 Why use rank metric for cryptographic applications Complexities of solving BDD(t) for a [n,k,d] code over F 2 m IS Decoding: M(F 2 m)n 3 2 n(h 2(t/n) (1 R)H 2 (t/((1 R))n)) = m 2 n 3 2 αn Coord. Enum.: (k + t) 3 t 3 2 (α 1n 1)(α 2 n+1) Use of smaller public-keys in McEliece type system.

11 Gabidulin codes and linearized polynomials

12 Gabidulin codes Let a = (a 1,...,a n ) F q m, where a i s are l.i. over F q. Consider G = a 1 a n..... a [k 1] 1 a n [k 1], where [i] def = q i (1) Definition ([Gabidulin85]) The code generated by G is denoted Gab k (a).

13 Properties of the codes They are MRD codes (implies also MDS codes) Dual of Gab k (a) is a Gab n k (h) Rank distribution is known Permutation group trivial, [Berger 03]

14 Decoding algorithms Algorithm Complexity (mult. in F q m) Ext. Euclidean 2t(n + 5t) [Gabidulin85] Linear system 2t(n + t solving [Gabidulin91] /2) [Roth91] BM-like 2t(n + 3t + t 2 /4) [Richter-Plass 05] WB-like 2t(4n t) [L.05] Table: Decoding rank t = (d 1)/2 errors in Gab n d+1 (g) code

15 McEliece like cryptosystems

16 Description [Gabidulin-Paramonov-Tretjakov 91] Parameters g = (g 1,..., g n ) F q m Private key G generates Gab k (g), correcting rank t errors T isometry of rank metric Z size k t 1 over F q m Public-key G pub = S(G Z }{{} t 1 cols )T (2)

17 Encryption y = xg pub + e, Rk(e) t t 1 Decryption Compute yt 1 = x(g Z) + et 1 Puncture on last t 1 positions and decode Security assumption: BDD(t) difficult

18 Properties in rank metric Advantages Fast in Encryption-Decryption Enables small keys ( bits) Security against reaction attacks Drawbacks Not optimal transmission rate Weakness against message resend attacks ONLY ONE family of decodable codes is known Mandatory to scramble the structure

19 History of systems G, G 1, G 2, generator matrices of Gabidulin codes H, parity-check matrix of Gabidulin codes G pub = SG + X Tretjakov91] [Gabidulin-Paramonov- Scrambling matrix Right scrambler Subcodes Reducible Rank codes G pub = S(G Z)T [Gabidulin-Ourivski 01] ( ) H H pub = S [Berger-L. 02] A ( ) [Ourivski-Gabidulin- G1 0 G pub = S T Honary-Ammar03] A G 2 [Berger-L. 04 ]

20 Structural attacks [Overbeck06] Principle for G pub = S(G Z)T 0 Quasi-stability under action of Frobenius: α α q def = α [1] Gab k (g) [Gab k (g)] [1] = Gab k 1 ( g [1]) Use public-key G pub = S(G Z)T and compute G pub. G [n k 1] pub {z } G pub 1 0 S C B A C B 0 S [n k 1] {z } S G. G [n k 1] Z. Z [n k 1] 1 {z } (G Z) C AT,

21 Proposition If dim(ker r (G pub )) = 1 a decoder for public-code can be recovered in polynomial-time Proof. In that case ker r (G pub ) = {T 1 (αh 0) T, α F q m},

22 For security: Choose Z so that dim(ker r (G pub )) > 1 Proposition If 1 Rk(Z) (t 1 l)/(n k), then dim(ker r (G pub )) 1 + l Possible parameters m = n k Rk(Z) l t 1 Key size Decoding k/n Rate Improv > % 35% > % 33% Same problem with Reducible Rank Codes Modifications imply increased public-key size

23 AF-like systems

24 q-polynomials Definition ([Øre33]) P(z) = t p i z qi, p i F q m i=0 If p t 0, deg q (P) def = t is the q-degree of P. Properties Non-commutative ring with +, Euclidean algorithms on the left and on the right P. Time interpolation and root finding algorithms

25 Reconstruction problem Parameters g F n qm support vector y F n q m, k, t integers PR: Find P of q-degree k s.t. Rk(P(g) y) t Link with other problems: if t (n k)/2, equivalent to decode Gab k (g) if t > (n k)/2, supposed to be difficult LD(y, t) is difficult

26 Description of the cryptosystem Parameters g = (g 1,..., g n ) F q m, k Private key: E = (E 1,...,E n ) of rank W > (n k)/2. exists Q GL n (F q ) such that EQ = ( }{{} 0 E ) n W coords q-polynomial P of q-degree k 1 n W over F q m. Public-key: K = P(g) + E }{{} Gab k (g) Security assumption: PR(K, W ) difficult

27 Encryption and decryption Encryption: y = x(g) + αk + e, where x has q-degree k 2 n W e of rank t (n k W)/2 α F q m random n W Decryption: Let v def {}}{ = ( ṽ V ) We have yq = (x( gq) + αp( gq) + ẽq Y ) Decode ỹq in Gab k( gq) (x + αp)( gq) Since deg q (x) < deg q (P) α Since k 1 n W x Security assumption: BDD(x(g) + αk,t) in some code is difficult

28 Possible attacks Solving the system { V (yi ) = (V x)(g i ) + V (αk i ), i = 1,...,n, deg q (V ) t Linearization: Solve V (y i ) = N(g i ) + U(K i ), deg q (V ) t deg q (N) k + t 2 deg q (U) t i = 1,...,n, Linear system of k + 3t + 1 unknowns and n equations

29 Evolution of the system (I) Parameters g = (g 1,..., g n ) F q m, k Private key: E i F W qm, i = 1,...,u of rank W > (n k)/2. Q GL n (F q ) P i, i = 1,...,u of q-degree k 1 n W over F q m. Public-key: 8 >< K 1 = P 1(g) + (0 E 1)Q 1,. >: K u = P u(g) + (0 E u)q 1, Rk(E 1) = W > (n k)/2 Rk(E u) = W > (n k)/2

30 Evolution of the system (II) Encryption: y = x(g) + u i=1 α ik i + e, where x has q-degree k u 1 e of rank t (n k W)/2 α i F qm random for all i = 1,...,u Decryption: We have yq = ( x( gq) + ) u α i P i ( gq) + ẽq Y i=1 Decode ỹq in Gab k( gq) (x + i α ip i )( gq) Since deg q (x) < k 1 u (α 1,..., α u ) Since k u n W x

31 Possible attacks Decoding attacks: solve system V(y) = V X(g) + Structural attacks: Set K = K 1. K u i=1 8 < ux V(α ik i), : = P 1 (g) + 0. P u (g) deg q(v) = Rk(e) deg q(x) = k u 1 α i F q m E 1. E u Q 1 Under some conditions one can apply Overbeck s approach to recover the secret elements

32 Parameters Compromise between attacks not many choices for u u n = m k W Rk(e) key size Rate % %

33 Open problems Are the discussed problems really NP-hard? How to improve arithmetic complexity of q-polynomials? Johnson bound for Gabidulin codes and list-decoder? How construct new decodable families of rank metric codes? What changes the use of skew polynomials instead of q-polynomials?