McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks

Similar documents
The McEliece Cryptosystem Resists Quantum Fourier Sampling Attack

McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks

The Hunt for a Quantum Algorithm for Graph Isomorphism

Quantum-resistant cryptography

Quantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 6: Quantum query complexity of the HSP

Quantum-secure symmetric-key cryptography based on Hidden Shifts

The quantum threat to cryptography

Errors, Eavesdroppers, and Enormous Matrices

Lecture 15: The Hidden Subgroup Problem

The Support Splitting Algorithm and its Application to Code-based Cryptography

Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems

Post-Quantum Cryptography

Algorithms for ray class groups and Hilbert class fields

arxiv: v2 [cs.cr] 15 Oct 2010

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

What are we talking about when we talk about post-quantum cryptography?

Quantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem

Advanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

Quantum LDPC Codes Derived from Combinatorial Objects and Latin Squares

Code-based Cryptography

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

WALNUT DIGITAL SIGNATURE ALGORITHM

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Cryptography in the Quantum Era. Tomas Rosa and Jiri Pavlu Cryptology and Biometrics Competence Centre, Raiffeisen BANK International

An Overview to Code based Cryptography

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

The failure of McEliece PKC based on Reed-Muller codes.

McEliece type Cryptosystem based on Gabidulin Codes

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Graph isomorphism, the hidden subgroup problem and identifying quantum states

Factoring integers with a quantum computer

Quantum Algorithms Lecture #2. Stephen Jordan

Decoding One Out of Many

Introduction to Quantum Safe Cryptography. ENISA September 2018

Coset Decomposition Method for Decoding Linear Codes

FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes

LDPC Codes in the McEliece Cryptosystem

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Code-Based Cryptography Error-Correcting Codes and Cryptography

Post-Quantum Code-Based Cryptography

arxiv:quant-ph/ v2 19 Jan 2007

Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security

Error-correcting Pairs for a Public-key Cryptosystem

2. The center of G, denoted by Z(G), is the abelian subgroup which commutes with every elements of G. The center always contains the unit element e.

Post-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017

Constructive aspects of code-based cryptography

General Impossibility of Group Homomorphic Encryption in the Quantum World

Error-correcting codes and applications

An Introduction to Quantum Information and Applications

MATH 433 Applied Algebra Lecture 22: Review for Exam 2.

A SIMPLE GENERALIZATION OF THE ELGAMAL CRYPTOSYSTEM TO NON-ABELIAN GROUPS II

Introduction to Elliptic Curve Cryptography

} has dimension = k rank A > 0 over F. For any vector b!

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Introduction to Quantum Computing

Advances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Codes used in Cryptography

Combinatorics of p-ary Bent Functions

MATH 433 Applied Algebra Lecture 21: Linear codes (continued). Classification of groups.

A Provably Secure Group Signature Scheme from Code-Based Assumptions

BASIC GROUP THEORY : G G G,

An Overview on Post-Quantum Cryptography with an Emphasis. an Emphasis on Code based Systems

McBits: Fast code-based cryptography

Wild McEliece Incognito

Side-channel analysis in code-based cryptography

Lecture 6: Cryptanalysis of public-key algorithms.,

Error-correcting pairs for a public-key cryptosystem

From the shortest vector problem to the dihedral hidden subgroup problem

Interesting Examples on Maximal Irreducible Goppa Codes

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction

1. Group Theory Permutations.

On error distributions in ring-based LWE

Post-Quantum Cryptography

An Efficient Lattice-based Secret Sharing Construction

Signing with Codes. c Zuzana Masárová 2014

Background: Lattices and the Learning-with-Errors problem

Quantum Computers. Peter Shor MIT

Attacking and defending the McEliece cryptosystem

9 Knapsack Cryptography

Code-based cryptography

How SAGE helps to implement Goppa Codes and McEliece PKCSs

A Smart Card Implementation of the McEliece PKC

Quantum-Secure Symmetric-Key Cryptography Based on Hidden Shifts

New Directions in Multivariate Public Key Cryptography

Code-based cryptography

Code-Based Cryptography McEliece Cryptosystem

Lecture 8: Finite fields

Hexi McEliece Public Key Cryptosystem

Direction: You are required to complete this test within 50 minutes. Please make sure that you have all the 10 pages. GOOD LUCK!

A survey on quantum-secure cryptographic systems

Lossy Trapdoor Functions and Their Applications

8 Elliptic Curve Cryptography

Factoring on a Quantum Computer

On the query complexity of counterfeiting quantum money

Ph 219b/CS 219b. Exercises Due: Wednesday 11 February 2009

Transcription:

McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks Hang Dinh Indiana Uniersity South Bend joint work with Cristopher Moore Uniersity of New Mexico Alexander Russell Uniersity of Connecticut

Post-quantum cryptography Shor s quantum algorithms for Factoring and Discrete Logarithm break RSA, ElGamal, elliptic cure cryptography... Are there post-quantum cryptosystems? cryptosystems we can carry out with classical computers [unlike quantum cryptosystems, which require quantum facility] which will remain secure een if and when quantum computers are built.

Post-quantum cryptography Candidates for post-quantum cryptosystems: lattice-based code-based (the McEliece system and its relaties) hash-based multiariate secret-key cryptography Bernstein, 2009: These systems are belieed to resist quantum computers. Nobody has figured out a way to apply Shor s algorithm to any of these systems.

We show that some McEliece and Niederreiter cryptosystems resist the natural analog of Shor s quantum attack.

How Shor s algorithm works Breaking RSA priate key Breaking ElGamal, elliptic cure cryptography Integer Factorization Discrete Logarithm Hidden Subgroup Problem oer a cyclic group Z N Hidden Subgroup Problem oer an abelian group Z N Z N Quantum Fourier Sampling oer Z N Quantum Fourier Sampling oer Z N Z N

Hidden Subgroup Problem (HSP) HSP oer a finite group G: Input: function f : G {,, } that distinguishes the left cosets of an unknown subgroup H <G Output: H H g 2 H g 3 H g k H Notable reductions to nonabelian HSP: Unique Shortest Vector Problem HSP oer D n [Rege 04] Graph Isomorphism HSP oer S n with H 2

Quantum Fourier Sampling (QFS) QFS oer G to find hidden subgroup H: Uniform superposition oer G Use input function f random coset state gh uniform superposition oer coset gh Quantum Fourier transform,i, j gh ij,i, j Measure weak strong block matrix corresponding to irreducible representation ρ of G ρ ρ ρ column j

McEliece/Niederreiter Cryptosystems Scramble M s rows Permute M s columns

McEliece/Niederreiter Cryptosystems McEliece system F q = F q l l = 1 M is a generator matrix of an n, k -code oer F q. Equialent to the McEliece system using C, if dim C = n lk. Originally used classical binary Goppa codes (q=2) Niederreiter system F q F q l l 1 M is a parity check matrix of an n, k -code C oer F q. Equialent to the McEliece system using C, if k = n lk. Originally used rational Goppa codes (GRS codes)

Security of McEliece and Niederreiter Systems Two basic types of attacks Decoding attacks [preious talk] Attacks on priate key [this talk] Recoer S, M, P from M* Security against known classical attacks Still secure if using classical Goppa codes [EOS 07] Broken if using rational Goppa codes (Ouch!) Sidelnoko & Shestako s attack factors SMP into S and MP.

~ McEliece/Niederreiter s security reduces to HSP Scrambler-Permutation Problem Gien: M and M* = SMP for some (S, P) GL k (F q ) S n Find: S and P Can this HSP be soled by strong QFS?

Our Answer (1) Strong QFS yields negligible information about hidden (S, P) if M is good, meaning M has column rank r k o Aut M e o n, and n /l, Minimal degree of Aut(M) is (n). Next question: the minimal number of points moed by a non-identity permutation in Aut(M) Are there matrices M satisfying the conditions aboe?

Our Answer (2) 1 1 2 2 1 1 1 2 2 1 1 2 1 k n n k k n n n S M 's are distinct. }, { F {0}, F, F GL i q i q i q k l l l S

Conclusion The following cryptosystems resist the natural analog of Shor s QFS attack: McEliece systems using rational Goppa codes Niederreiter systems using classical Goppa codes. In general, any McEliece/Niederreiter system using linear codes with good generator/parity check matrices. Warning: This neither rules out other quantum (or classical) attacks nor iolates a natural hardness assumption.

Conclusion (Moral) Quantum Fourier Sampling need new ideas RSA ElGamal McEliece Niederreiter

Open Questions What are other linear codes that possess good generator/parity check matrices? Can these cryptosystems resist stronger quantum attacks, e.g., multiple-register QFS attacks? Hallgren et al., 2006: subgroups of order 2 require highly-entangled measurements of many coset states. Does this hold for subgroups of order > 2?

Questions? Thank you all for staying till the last minute!

Parameters In case of Niederreiter systems using a classical q-ary Goppa code C, we need q k 2 n 0.2 n and q 3 l e on Typically, n = q l, then we only need k 2 0.2nl, which implies C must hae large dimension: dim C n kl n 0.2n l 3/ 2

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback