Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago
Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security standards and any other standard based on computational difficulty will fall, experts believe. (Magiq s web site, 2008; the experts aren t named)
Is cryptography dead? Imagine: 15 years from now someone announces successful construction of a large quantum computer. New York Times headline: INTERNET CRYPTOGRAPHY KILLED BY PHYSICISTS. Users panic. What happens to cryptography?
RSA: Dead.
RSA: Dead. DSA: Dead. ECDSA: Dead.
RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead.
RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann Williams: Dead. Class groups in general: Dead.
RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann Williams: Dead. Class groups in general: Dead. They re all dead, Dave.
RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann Williams: Dead. Class groups in general: Dead. They re all dead, Dave. But we have other types of cryptographic systems! Hash-based cryptography. Example: 1979 Merkle hash-tree public-key signature system.
Code-based cryptography. Example: 1978 McEliece hidden-goppa-code public-key encryption system. Lattice-based cryptography. Example: 1998 NTRU. Multivariate-quadraticequations cryptography. Example: 1996 Patarin HFE v public-key signature system. Secret-key cryptography. Example: 1998 Daemen Rijmen Rijndael cipher, aka AES.
Bernstein: Introduction to post-quantum cryptography. Hallgren, Vollmer: Quantum computing. Buchmann, Dahmen, Szydlo: Hash-based digital signature schemes. Overbeck, Sendrier: Code-based cryptography. Micciancio, Regev: Lattice-based cryptography. Ding, Yang: Multivariate public key cryptography.
The McEliece cryptosystem Receiver s public key: random 500 1024 matrix à over F 2. Specifies linear F 1024 2 F 500 2. Messages suitable for encryption: 1024-bit strings of weight 50; i.e., Ñ ¾ F 1024 2 : # : Ñ = 1 = 50. Encryption of Ñ is ÃÑ ¾ F 500 2. Can use Ñ as secret AES key to encrypt much more data.
Attacker, by linear algebra, can easily work backwards from ÃÑ to some Ú ¾ F 1024 2 such that ÃÚ = ÃÑ. i.e. Attacker finds some element Ú ¾ Ñ + KerÃ. Note that #Kerà 2 524. Attacker wants to decode Ú: to find element of Kerà at distance only 50 from Ú. Presumably unique, revealing Ñ. But decoding isn t easy!
Information-set decoding Choose random size-500 subset Ë 1 2 3 1024. For typical Ã: Good chance that F Ë 2 F1024 2 Ã F 500 2 is invertible. Hope Ñ ¾ F Ë 2 ; chance 2 53. Apply inverse map to ÃÑ, revealing Ñ if Ñ ¾ F Ë 2. If Ñ ¾ F Ë 2, try again. 2 80 operations overall.
Various improvements: 1988 Lee Brickell; 1988 Leon; 1989 Stern; 1990 van Tilburg; 1994 Canteaut Chabanne; 1998 Canteaut Chabaud; 1998 Canteaut Sendrier. 2 68 Alpha cycles. 2008 Bernstein Lange Peters: further improvements; 2 58 Core 2 Quad cycles; carried out successfully!
1988 Lee Brickell idea: Hope that Ñ + ¾ F Ë 2 for some weight-2 vector. Reuse one matrix inversion for all choices of. 1989 Stern idea: Hope that Ñ + + ¼ ¾ F Ë 2 for low-weight vectors ¼. Search for collision between function of, function of ¼. 2008 Bernstein Lange Peters: more reuse, optimization, etc.
Modern McEliece Easily rescue system by using a larger public key: random (Ò 2) Ò matrix à over F 2. e.g., 1800 3600. Larger weight: Ò (2 lg Ò). e.g. Ñ ¾ F 3600 2 of weight 150. All known attacks scale badly: roughly 2 Ò (2 lg Ò) operations. For much more precise analysis see 2009 Bernstein Lange Peters van Tilborg.
Receiver secretly generates public key à with a hidden Goppa-code structure that allows fast decoding. Namely: à = ËÀÈ for secret (Ò 2) (Ò 2) invertible matrix Ë, (Ò 2) Ò Goppa matrix À, Ò Ò permutation matrix È. Detecting this structure seems even more difficult than attacking random Ã.
Goppa codes Fix Õ ¾ 8 16 32 ; Ø ¾ 2 3 (Õ 1) lg Õ ; Ò ¾ Ø lg Õ + 1 Ø lg Õ + 2 Õ. e.g. Õ = 1024, Ø = 50, Ò = 1024. or Õ = 4096, Ø = 150, Ò = 3600. Receiver s matrix À is the parity-check matrix for the classical (genus-0) irreducible length-ò degree-ø binary Goppa code defined by a monic degree-ø irreducible polynomial ¾ F Õ [Ü] and distinct 1 2 Ò ¾ F Õ.
which means: À = ¼ ½ 1 ( 1 ) 1 ( Ò ) 1 ( 1 )... Ø 1 1 Ò ( Ò )...... Ø 1 ( 1 ) Ò ( Ò ) View each element of F Õ here as a column in F lg Õ Then À : F Ò 2 2. FØ lg Õ 2.
More useful view: Consider the map Ñ È Ñ (Ü ) from F Ò 2 to F Õ[Ü]. À is the matrix for this map where F Ò 2 has standard basis and F Õ [Ü] has basis Ü, Ü 2,, Ü Ø. One-line proof: In F Õ [Ü] have ( ) = Ü Ü +1. 0
Decoding Goppa codes 1975 Patterson: Given ÀÑ, can quickly find Ñ if weight of Ñ is Ø. Given ciphertext ÃÑ = ËÀÈ Ñ: receiver computes ÀÈ Ñ by applying secret Ë 1 ; decodes À to obtain È Ñ by Patterson s algorithm; computes message Ñ by applying secret È 1.
Patterson input È is Ö ¾ F Õ [Ü] having form Ñ (Ü ) where Ñ ¾ F Ò 2 has weight Ø. Output will be Ñ. If Ö = 0, output 0 and stop. If Ö = Ô 0: Lift Ö 1 Ü from F Õ [Ü] to ¾ F Õ [Ü] of degree Ø. Consider lattice Ä F Õ [Ü] 2 generated by ( 1) and ( 0). Define length of («) as norm of «2 + Ü 2. Find a minimum-length nonzero vector («0 0 ) ¾ Ä.
Monic part of 0 = «2 0 + Ü 2 0 is exactly É :Ñ =1 (Ü ). Factor 0 and print Ñ. Why this works: Define = É :Ñ =1 (Ü ). Write as «2 + Ü 2 in F Õ [Ü]. Have ¼ = Ö in F Õ [Ü] so 2 («2 + Ü 2 ) = 1 ( 2 + Ü) so = «in F Õ [Ü] ; i.e., («) ¾ Ä. Volume of Ä forces («) ¾ («0 0 )F Õ [Ü] so = square 0; is squarefree so square ¾ F Õ.
What if Patterson is used for Ñ having weight Ø? Volume argument fails. («) ¾ («0 0 )F Õ [Ü]. But can compute short basis («0 0 ) («1 1 ) of Ä. Then is a linear combination of 0 = «2 0 + Ü 2 0 and 1 = «2 1 + Ü 2 1. Coefficients are small squares; small depends on weight of Ñ.
Divisors in residue classes Want all divisors of Ò in Ù + ÚZ, given positive integers Ù Ú Ò with gcd Ú Ò = 1. Easy if Ú Ò 1 2. 1984 Lenstra: polynomial-time algorithm for Ú Ò 1 3. 1997 Konyagin Pomerance: polynomial-time algorithm for Ú Ò 3 10. 1998 Coppersmith Howgrave- Graham Nagaraj: polynomialtime algorithm for Ú Ò 1 4+.
2000 Boneh: can view same algorithm as a list-decoding algorithm for CRT codes. Function-field analogue is famous 1999 Guruswami Sudan algorithm for list decoding of Reed Solomon codes. Can build grand unified picture of Coppersmith-type algorithms and Sudan-type algorithms. See, e.g., my survey paper Reducing lattice bases to find small-height values of univariate polynomials.
2008 Bernstein: Tweak parameters in the same algorithm to find all divisors of Ò that are linear combinations of Ù Ú with small coprime coefficients.
2008 Bernstein: Tweak parameters in the same algorithm to find all divisors of Ò that are linear combinations of Ù Ú with small coprime coefficients. Apply to the Goppa situation: analogous algorithm É finds all divisors of (Ü ) that are linear combinations of 0 1 with small coprime coefficients. Compared to Patterson, pushes allowable weight of Ñ up to Ø + Ø 2 Ò.
New algorithm É assumes that 1 is coprime to (Ü ). Easy to achieve by adding a small multiple of 0 to 1. unless Ò = Õ and 1 0 is a permutation function. Can this happen to Patterson? I don t know any examples. Weil forces rather large degree: can show that the curve 0(Ü) 1(Ý) 1(Ü) 0(Ý) Ü Ý = 0 has no points over F Õ.
Many other current topics in code-based cryptography. e.g. 2009 Misoczki Barreto: Hide quasi-dyadic Goppa code as quasi-dyadic public key. Key length only 1+Ó(1). Encryption time lg 3+Ó(1). Decryption time lg 3+Ó(1). 2009 Bernstein: easy tweak to Misoczki Barreto algorithms, reducing time to 1+Ó(1).