Error-correcting codes and Cryptography

Transcription

1 Error-correcting codes and Cryptography Henk van Tilborg Code-based Cryptography Workshop Eindhoven, May -2, 2 /45

2 CONTENTS I II III IV V Error-correcting codes; the basics Quasi-cyclic codes; codes generated by circulants Cyclic codes The McEliece cryptosystem Burst-correcting array codes 2/45

3 I Error-correcting codes; the basics Þ Noise Sender m Encode c Å Channel r Decode ` m Receiver Error-correcting codes are (mostly) used to correct independent, random errors that occur during transmission of data or during storage of data. j i (,......,,,, ,,,,..., ) We shall also briefly discuss codes that correct bursts (clusters) of errors, i.e. error patterns of the form: i i+b (, ,,,,...,,,, , ) 3/45

4 m m m2 m3 m4 m5 m6 m7 m8 m9 m m m2 m3 m4 m5 c c c2 c3 c4 c5 c6 c7 c8 c9 c c c2 c3 c4 c5 6 codewords of length 7 4/45

5 A code C is such a (well-chosen) subset of {, }n. So codes here will be binary codes. The generalization to other field sizes is easy. The weight of a word is the number of non-zero coordinates. Example: a code C of length 5 with the following four codewords: c c c2 c3 = = = = 5/45

6 Suppose that each two codewords differ in at least d coordinates (have distance at least d) and put t = b d c. 2 d = 3, t = c c c2 c3 = = = = Then the code C is said to be t-error-correcting, because if you transmit (or store) a codeword and not more than t errors have occurred upon reception (or read out) due of noise or damage, then the received word will still be closer to the original codeword than to any other. For instance, if you receive r = you know that c2 is the most likely transmitted codeword. 6/45

7 From now on codes will be linear, meaning that C is a linear subspace of {, }n. We use the notation [n, k, d] codes, where k denotes the dimension of the code C and d the so-called minimum distance of C : the minimum of all distances between codewords. The quantity r = n k is called the redundancy of the code. This is the number of additional coordinates (apart from the actual information being transmitted) that make error-correction possible. It follows from the linear structure of C that an appropriate choice of k codewords forms a basis for the code. A basis of the code C = {,,, } is given by the rows of. 7/45

8 A basis of the linear (!) [7, 4, 3] code introduced before is given by c, c2, c4, c8 c c c2 c3 c4 c5 c6 c7 c8 c9 c c c2 c3 c4 c5 8/45

9 A matrix G whose rows form a basis of an [n, k, d] code C, is called a generator matrix G of C. Its size is k n. The basis c, c2, c4, c8 of the code on the previous page results in the generator matrix: G =. So, in general, a linear code C with k n generator matrix G consists of all linear combinations of the rows of G. C = {mg m {, }k } 9/45

10 If k is large compared to n, it is often advantageous to describe C as the null-space of a (n k) n matrix H called a parity check matrix: C = {x {, }n HxT = T }. Typically, you transmit a codeword c and you receive r which can be written as r = c e, where e is called the error vector and is caused by the noise. The decoder can not do better than look for the closest codeword to r, i.e. look for e of lowest weight such that r e C. Note that st := HrT = HcT HeT = HeT. This value is called the syndrome of the received word. It only depends on the error-vector. /45

11 Example: The matrix H = is the parity check matrix of a linear code C = {x {, }n HxT = T } of length 7 and dimension 4. Moreover, this code can correct a single error (d = 3, t = ). We give a decoding algorithm. Let r be a received word. Compute its syndrome s, i.e. compute st = HrT. If st = then r C, so (most likely) no error occurred. /45

12 Example continued: Suppose you receive r = Its syndrome with H = is, which is the 5-th column. Note that e = gives the same syndrome, so H(rT et ) = T. So, the most likely transmitted codeword is r e, i.e. c = 2/45

13 II Quasi-cyclic codes; Codes generated by circulants Consider the 5 5 circulant U = 3/45

14 Note that in U = u u4 u6 u7 rows u, u4, and u6 add up (modulo 2) to row u7. So, row u7 is a linear combination of the preceding rows. But then, because of the cyclic structure, also row u8 is a linear combination of the top 7 rows, etc.. We conclude that the rows of U generate a [5, 7] code. 4/45

15 ... U = u(x) xu(x)... x6u(x) x7u(x)... Each row in U is a cyclic shift of the previous row. Define u(x) by the top row u : u(x) = P4 i= U,ixi = + x4 + x6 + x7 + x8. Then xu(x) corresponds to row u, x2 u(x) corresponds to row u2, etc., where these polynomials have to be taken modulo x5. For example, u6 corresponds to x6u(x) = x6 + x + x2 + x3 + x4 u7 corresponds to x7u(x) = x7 + x + x3 + x4 + 5/45

16 The reason that U generates a [5, 7] code (2nd proof) is that:. u(x) has degree 8, so the first 7 rows of U are clearly linearly independent. 2. u(x) divides x5. Indeed x5 = u(x)( + x4 + x6 + x7 ), as one can easily check. So, x7u(x) x7u(x) + (x5 ) (x7 + ( + x4 + x6 + x7)) u(x) ( + x4 + x6)u(x) u(x) + x4u(x) + x6u(x) (mod x5 ). This shows why rows u, u4, u6 add up (modulo 2) to row u7. This argument holds in general when u(x) divides xn. 6/45

17 How about the rank of a code generated by a circulant U with top row u, corresponding to a polynomial u(x) that does not divide xn? U = u u(x) = + x3 + x4 + x5 does not divide x7. 7/45

18 U = u(x) with u(x) does not divide of xn. Define g(x) = gcd(u(x), xn ) and use the extended version of Euclid s Algorithm to write: g(x) = a(x)u(x) + b(x)(xn ). Then g(x) n X! aixi u(x) i= So, g = n X n X ai xiu(x) (mod xn ). i= aiui. i= So, g is a linear combination of the rows of U. 8/45

19 The vector g (and each of its cyclic shifts) is a linear combination of the rows of U. Since g(x) = gcd(u(x), xn ) divides u(x), we also know that u (and each of its shifts) is a linear combination of cyclic shifts of g. We conclude that G, the circulant with g as top row, generates the same code as U does: U = u(x) and G = g(x) generate the same code. But now g(x) divides xn, so the code generated by U has dimension n degree(g(x)). 9/45

20 How about a code that is the linear span of two (or more) circulants underneath each other? u(x) v(x) U V = Codewords are linear combinations of rows of U and V. Things are easy here:. Compute g(x) = gcd(u(x), v(x), xn ). 2. The circulant with g as top row generates the same code. 3. This code has dimension n degree(g(x)). Indeed, g(x) = a(x)u(x) + b(x)v(x) gives g (and all its cyclic shifts) as linear combination of the rows of U and V. 2/45

21 How about a code that is the linear span of two (or more) circulants next to each other? u(x) u2(x) um(x) Some things are still easy here:. Compute g(x) = gcd(u (x), u2 (x),, um (x), xn ). 2. The code has dimension n degree(g(x)). 2/45

22 How about a code that is the linear span of two (or more) rows of circulants next to each other, so-called quasi-cyclic codes? u,(x) u,2(x) u2,(x) u2,2(x) ul,(x) ul,2(x) u,m(x) u2,m(x) ul,m(x) Things are difficult here. Little to nothing can be said about rank, minimum distance, let alone decoding. See Ph.D. thesis: Kristine Lally, Application of the theory of Gröbner bases to the study of quasi-cyclic codes, National University of Ireland, Cork, 6-5-2, especially for the case of a single row of circulants. 22/45

23 III Cyclic codes The codes generated by a column of circulants are commonly called cyclic codes. U V g(x) := gcd(u(x), v(x),, xn )... G = g(x) Only the the top n degree(g(x)) rows of G are needed. The remaining rows are commonly left out. The real question is how to select a divisor g(x) of xn such that the code generated by it has good properties:. large minimum distance 2. easy error-correction. 23/45

24 Consider the irreducible polynomial f (x) = + x + x4 and let α be a zero of f (x) in some extension field of GF (2) = {, }. So + α + α4 =. Then α can be assumed to be in GF (24 ) with as elements all binary polynomials in α of degree less than 4. GF (24) = ( 3 X ) ai α i ai {, }, i 3. i= Arithmetic is modulo 2 and modulo + α + α4. For instance: ( + α2) + ( + α3) = α2 + α3 ( + α2) ( + α3) = + α2 + α3 + α5 = = + α2 + α3 + α5 + α ( + α + α4) = = + α + α3 24/45

25 But α has the additional property of being primitive: α generates GF (24) \ {} (remember that α4 = + α) α α2 α3 α4 α5 α6 α7 α α2 α3 α8 α9 α α α2 α3 α4 α5 α α2 α3 Note that indeed α5 =. Thus α and each of its powers is a zero of x5. Hence x5 = 4 Y x αi i= 25/45

26 In general: when gcd(2, n) = there exists an α in some extension field of GF (2) = {, } such that xn can be written as xn = n Y x αi. i= It follows that g(x) = Q i I (x αi) for some I {,,..., n }. The challenge is to choose a suitable I {,,..., n } to give the code generated by g(x) good properties. 26/45

27 Now consider the parity check matrix H = α α2 α3 α4 α5 α4 α3 α3 2 α3 3 α3 4 α3 5 α3 4 which really stands for H = So, we consider the binary [5, 7,?] code C defined by c {, }5 HcT = T 27/45

28 α α α α α α α α α α α3 5 α3 4 P4 Let c(x) correspond to c = (c, c,..., c4 ). So, c(x) = i= ci xi. H = Then c C HcT = T c(α) = c(α3) =. We shall now show that the minimum distance of this code is 5 and that there exists an easy decoding algorithm to correct up to 2 errors. Suppose that r(x) (corresponding to vector r) is received, while codeword c(x) was transmitted. Write r(x) = c(x) + e(x), where e(x) stands for the error vector e = (e, e,..., e4 ). As always for decoding, we compute the syndrome s = r(α) = c(α) + e(α) = e(α) s3 = r(α3) = c(α3) + e(α3) = e(α3) 28/45

29 s = r(α) = c(α) + e(α) = e(α) s3 = r(α3) = c(α3) + e(α3) = e(α3) We can distinguish three possibilities: No error: e(x) =, s = s3 =. A single error at coordinate i: e(x) = xi, s = αi, s3 = α3i. Two errors, one on coordinate i and the other on coordinate j : e(x) = xi + xj, s = αi + αj, s3 = α3i + α3j. These cases are easy to distinguish: no error s = & s3 = one error s = 6 & s3 = (s)3 two errors s = 6 & s3 6= (s)3 Finding e(x) in these three cases is also elementary. 29/45

30 The technique at the previous sheets can be easily generalized to construct codes that correct more errors and allow efficient decoding methods. So, α α2 α3 α4 α5 αn H = α3 α3 2 α3 3 α3 4 α3 5 α3 (n ) α5 α5 2 α5 3 α5 4 α5 5 α5 (n ) generates a 3-error-correcting code, etc. The family of BCH codes does this. Also the Reed-Solomon codes that are used on CD s and DVD s are related to this construction. Paterson s decoding algorithm does the decoding in t n operations, where n is the length of the code and t the number of errors that can be corrected. 3/45

31 IV The McEliece cryptosystem History: Berlekamp, McEliece, and vt proved in 978 that the general decoding problem is NP-complete. Coset weights problem: Input: a matrix H, a vector s, and an integer w. Property: there exists a vector e of weight w such that HeT = st. Take w =,, 2,... until you find a YES. You do not find e (the/a most likely error pattern with syndrome s) but at least you know its existence and weight. 3/45

32 NP: a decision problem that can be verified in polynomial time (but no known algorithm answers it in polynomial time). Complete: any other NP problem can be converted to this one (in polynomial time). Famous other NP-complete problems are: the Boolean satisfiability problem and the traveling salesman problem. The relevance of being NP-complete to cryptography is limited, as the story of the knapsack based cryptosystems teaches us. Elwyn Berlekamp, Bob McEliece and Henk van Tilborg, On the inherent intractability of certain coding problems, IEEE Trans. Inf. Theory IT-24, 978, p Michael R. Garey and David S. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness, Freeman, San Francisco, /45

33 The Coset Weights Problem is about arbitrary (parity check) matrices, not the well structured parity check matrices that allow easy decoding, like H = and H = α α2 αn α3 α3 2 α3 (n ) 33/45

34 Instead think of s= Write s as linear combination/sum of as few columns of H as possible. 34/45

35 McEliece based his cryptosystem on this: Decoding linear codes is, in general, very hard. But linear codes with a nice structure are easy to decode. He needed a trapdoor to hide the nice structure. Robert McEliece, A public key cryptosystem based on algebraic coding theory, JPL DSN Progress Report 42 44, pp. 4 6, Jan Febr /45

36 Set up Select a generator matrix G of an [n, k, 2t + ] linear code C with an efficient decoding algorithm DecG. Select a random k k invertible matrix S and a random n n permutation matrix P. Compute G = SGP. Make G and t public, but keep S, P, and G secret. Encryption Message m {, }k will be encrypted into r = mg + e, where e is a random vector of weight t. Decryption Compute rp = (mg + e)p = msgp P + ep = (ms)g + e. Apply DecG to this vector to find ms (note that e also has weight t). Retrieve m from (ms)s. 36/45

37 Of course, the adversary should not be able to guess the code C that was used (or the S or P ). There are too few BCH codes and Reed-Somolon codes for given parameters. That is why McEliece did choose the large class of Goppa codes. Their number grows exponentially in the length of the code. In his original proposal (978): n = 24, t = 5, and k 524. Since 28 these parameters are no longer safe. Dan Bernstein, Tanja Lange, and Christiane Peters, Attacking and Defending the McEliece Cryptosystem, Johannes Buchmann and Jintai Ding, PQCrypto 28, Springer-Verlag, Berlin Heidelberg, LNCS-5299, pp. 3 46, /45

38 V Burst-correcting array codes Definition: An (n, n2 )-array code C consists of all n n2 {, }-arrays C whose row and column sums are all congruent to zero modulo n2 2 even parity even parity n even parity even parity even parity It follows directly from this definition that an (n, n2 ) array code C is a linear code with length n n2, dimension (n )(n2 ). 38/45

39 Example: n = 5, n2 = 8. is a codeword. This code has length 5 8 = 4 and dimension 4 7 = 28. Any fixed read-out of these 4 coordinates is fine. 39/45

40 Let R be a received word. h h hn v v2 vn2 The horizontal and vertical syndrome of R are defined by the row sums and column sums. Decoding a single error in this code is extremely simple. 4/45

41 Example continued: Look at the received word: It is clear where the error occurred. So, decoding a single error is easy (but not very impressive). The actual minimum distance of this code is 4. How about decoding bursts? 4/45

42 For burst-correction the particular read-out of the array is important. We follow diagonals, one after another. Example: n = 5, n2 = 6, so n = Without loss of generality we shall assume that n2 n. 42/45

43 It is not so difficult to see that C cannot correct all bursts of length up to n. Indeed, in our example, the two bursts of length 5 indicated below (and many more) have the same syndrome and Both have burst-pattern (,,,, ) and the positions of the ones have been indicated in color. 43/45

44 Let us now see when C can correct all bursts of length n. With a little bit of work one can check that for n2 < 2n 3 there are always two different weight-two bursts of length n with the same syndrome. For instance the two bursts depicted below in red resp. blue have the same syndrome /45

45 Theorem: Let C be the n n2 array code, n2 n, with +-diagonal readout as defined above. Then C can correct all bursts of length n if and only if n2 2n 3. Proof by example: n =, n2 = 9. Mario Blaum, Paddy Farrell, and Henk van Tilborg, A class of burst error correcting array codes, IEEE Trans. Information Theory IT-32, 986, pp /45