Advances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago

Similar documents
Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Post-Quantum Cryptography

Wild McEliece Incognito

Attacking and defending the McEliece cryptosystem

CRYPTANALYSE EN TEMPS POLYNOMIAL DU SCHÉMA DE MCELIECE BASÉ SUR LES CODES

A distinguisher for high-rate McEliece Cryptosystems

Post-Quantum Code-Based Cryptography

Code Based Cryptography

Ball-collision decoding

Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems

Wild McEliece Incognito

Code-Based Cryptography

Advanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem

On the Use of Structured Codes in Code Based Cryptography 1. Nicolas Sendrier

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Decoding One Out of Many

Code-Based Cryptography McEliece Cryptosystem

Code-based Cryptography

Attacks in code based cryptography: a survey, new results and open problems

Code-based Cryptography

Code-based Cryptography

Constructive aspects of code-based cryptography

3. Focus on secure cryptosystems. How do we know what a quantum computer will do?

Code Based Cryptology at TU/e

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Smaller Decoding Exponents: Ball-Collision Decoding

Compact McEliece keys based on Quasi-Dyadic Srivastava codes

Objectives. McBits: fast constant-time code-based cryptography. Set new speed records for public-key cryptography.

How to improve information set decoding exploiting that = 0 mod 2

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes

THIS paper investigates the difficulty of the Goppa Code

Enhanced public key security for the McEliece cryptosystem

Security and complexity of the McEliece cryptosystem based on QC-LDPC codes

McBits: fast constant-time code-based cryptography. (to appear at CHES 2013)

Quasi-dyadic CFS signatures

List Decoding of Binary Goppa Codes up to the Binary Johnson Bound

Error-correcting pairs for a public-key cryptosystem

Vulnerabilities of McEliece in the World of Escher

A Fuzzy Sketch with Trapdoor

Hexi McEliece Public Key Cryptosystem

Recent progress in code-based cryptography

MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes

Code-based cryptography

The Support Splitting Algorithm and its Application to Code-based Cryptography

Errors, Eavesdroppers, and Enormous Matrices

Error-correcting Pairs for a Public-key Cryptosystem

McEliece type Cryptosystem based on Gabidulin Codes

Introduction to Quantum Safe Cryptography. ENISA September 2018

Algebraic Attack against Variants of McEliece with Goppa Polynomial of a Special Form

Reducing Key Length of the McEliece Cryptosystem

arxiv: v2 [cs.cr] 14 Feb 2018

Error-correcting pairs for a public-key cryptosystem

A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem

Side-channel analysis in code-based cryptography

Cryptanalysis of the Original McEliece Cryptosystem

An Efficient CCA2-Secure Variant of the McEliece Cryptosystem in the Standard Model

A Fast Provably Secure Cryptographic Hash Function

Code-based cryptography

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

Signing with Codes. c Zuzana Masárová 2014

Proof of Plaintext Knowledge for Code-Based Public-Key Encryption Revisited

Cryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes

Low Rank Parity Check codes and their application to cryptography

LDPC codes in the McEliece cryptosystem: attacks and countermeasures

An Overview to Code based Cryptography

Algebraic Cryptanalysis of Compact McEliece s Variants Toward a Complexity Analysis

DAGS: Key Encapsulation using Dyadic GS Codes

Computational algebraic number theory tackles lattice-based cryptography

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Improved Timing Attacks against the Secret Permutation in the McEliece PKC

Distinguisher-Based Attacks on Public-Key Cryptosystems Using Reed-Solomon Codes

A Polynomial Time Attack against Algebraic Geometry Code Based Public Key Cryptosystems

Classic McEliece vs. NTS-KEM

Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

Recovering short secret keys of RLCE in polynomial time

Hidden Field Equations

Code-based identification and signature schemes in software

Side-Channel Attacks on the McEliece and Niederreiter Public-Key Cryptosystems

McBits: Fast code-based cryptography

8 Elliptic Curve Cryptography

On the Security of Some Cryptosystems Based on Error-correcting Codes

Cryptographic applications of codes in rank metric

Strengthening McEliece Cryptosystem

A New Code-based Signature Scheme with Shorter Public Key

A Smart Card Implementation of the McEliece PKC

Hyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago

Oblivious Transfer Based on the McEliece Assumptions

McEliece in the world of Escher

Daniel J. Bernstein University of Illinois at Chicago. means an algorithm that a quantum computer can run.

COMP4109 : Applied Cryptography

Post-quantum RSA. We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity

Cryptanalysis of the Sidelnikov cryptosystem

Decoding Random Binary Linear Codes in 2 n/20 : How 1+1=0Improves Information Set Decoding

Algebraic Cryptanalysis of Compact McEliece s Variants Toward a Complexity Analysis

Inoculating Multivariate Schemes Against Differential Attacks

Division Property: a New Attack Against Block Ciphers

Generalized subspace subcodes with application in cryptology

Transcription:

Advances in code-based public-key cryptography D. J. Bernstein University of Illinois at Chicago

Advertisements 1. pqcrypto.org: Post-quantum cryptography hash-based, lattice-based, code-based, multivariate quadratic introduction and bibliography. 2. pq.crypto.tw/pqc11/: PQCrypto 2011, Taipei, just before Asiacrypt. Deadline 24 June 2011. 3. 2011.indocrypt.org: Indocrypt 2011, Chennai, just after Asiacrypt. Deadline 31 July 2011.

The McEliece cryptosystem (1978 McEliece) McEliece public key: linear map G : F 524 2,! F 1024 2 represented as 1024 524 matrix. McEliece plaintext: m 2 F 524 2 ; and e 2 F 1024 2 of weight 50. McEliece ciphertext: y = Gm + e 2 F 1024 2. Basic problem for attacker: Given G; y, find codeword Gm close to y in the code GF 524 2.

Instead use parity-check matrix (1986 Niederreiter). Niederreiter public key: linear map H : F 1024 2 F 500 2 represented as 500 1024 matrix. Niederreiter plaintext: m 2 F 1024 2 of weight 50. Niederreiter ciphertext: s = Hm 2 F 500 2. Basic problem for attacker: Given H; s, find low-weight m 2 F 1024 2 with Hm = s. Equivalent to previous problem.

Information-set decoding Choose random size-500 subset S f1; 2; 3; : : : ; 1024g. For almost all H: Good chance that F S 2 is invertible.,! F1024 2 H! F 500 2 Hope m 2 F S 2 ; chance 2 53. Apply inverse map to Hm, revealing m if m 2 F S 2. If m =2 F S 2, try again. Total cost 2 80.

Long history, many improvements: 1962 Prange; 1981 Clark (crediting Omura); 1988 Lee Brickell; 1988 Leon; 1989 Krouk; 1989 Stern; 1989 Dumer; 1990 Coffey Goodman; 1990 van Tilburg; 1991 Dumer; 1991 Coffey Goodman Farrell; 1993 Chabanne Courteau; 1993 Chabaud; 1994 van Tilburg; 1994 Canteaut Chabanne; 1998 Canteaut Chabaud; 1998 Canteaut Sendrier.

1998 Canteaut Chabaud Sendrier: 2 68 Alpha cycles to attack a McEliece ciphertext. 2008 Bernstein Lange Peters: further improvements; 2 58 Core 2 Quad cycles to attack a McEliece ciphertext. Ran attack successfully! Subsequent literature: 2009 Finiasz Sendrier; 2010 Peters; 2011 Bernstein Lange Peters.

Higher security levels Easily improve security by scaling parameters up from McEliece s 1024; 524; 50 example. Niederreiter public key: linear map H : F n 2 Fn k 2 represented as (n k) n matrix. Niederreiter plaintext: m 2 F n 2 of weight w. Niederreiter ciphertext: s = Hm 2 F n k 2. How large do n; k; w have to be for 2 b security?

Basic information-set decoding: Hope m 2 F S 2. Chance n k w = n w. Trying S costs n 3. Total cost n 3 n w = n k w.

Basic information-set decoding: Hope m 2 F S 2. Chance n k w = n w. Trying S costs n 3. Total cost n 3 n w = n k w. Standard entropy approximation: If w=n! W as n! 1 then n w 1=n! 1 WW (1 W ) 1 W.

Basic information-set decoding: Hope m 2 F S 2. Chance n k w = n w. Trying S costs n 3. Total cost n 3 n w = n k w. Standard entropy approximation: If w=n! W as n! 1 then n w 1=n! 1 WW (1 W ) 1 W. If furthermore k=n! R then 1=n (1 R) 1 R! n k w So cost 1=n! WW (1 R W ) 1 R W. (1 R W )1 R W (1 R) 1 R (1 W ) 1 W.

1988 Lee Brickell idea: Hope m e 2 F S 2 for some weight-2 vector e 2 F n S Chance n k k2 w w 2 = n. Trying S costs n 3 ; reuse one matrix inversion for all choices of e. 2. Speedup k 2 w 2 =2(n k w) 2.

1988 Lee Brickell idea: Hope m e 2 F S 2 for some weight-2 vector e 2 F n S Chance n k k2 w w 2 = n. Trying S costs n 3 ; reuse one matrix inversion for all choices of e. 2. Speedup k 2 w 2 =2(n k w) 2. Not visible in cost 1=n limit: cost 1=n (1 R W R W )1! (1 R) 1 R (1 W ) 1 W. But still quite useful.

Many polynomial speedups in subsequent papers. e.g. 1988 Leon: Choose random S as before; invert F S 2,! Fn 2 H! F n 2 k ; choose size-` subset Z S. Hope m e 2 F S 2 Z for some weight-2 vector e.

Many polynomial speedups in subsequent papers. e.g. 1988 Leon: Choose random S as before; invert F S 2,! Fn 2 H! F n 2 k ; choose size-` subset Z S. Hope m e 2 F S 2 Z for some weight-2 vector e. Advantage over Lee Brickell: quickly reject e if '(m e) 6= 0; ' : F n 2! FZ 2 is composition of F n 2! Fn 2 k! F S 2! FZ 2. Some loss of success chance from disallowing F Z 2 in m e.

Collision decoding (1989 Stern, independently 1989 1991 Dumer): Again choose S; Z. Partition n S into X; Y. Hope m e e 0 2 F S Z 2 for weight-p vectors e; e 0 with e 2 F X 2, e0 2 F Y 2.

Collision decoding (1989 Stern, independently 1989 1991 Dumer): Again choose S; Z. Partition n S into X; Y. Hope m e e 0 2 F S Z 2 for weight-p vectors e; e 0 with e 2 F X 2, e0 2 F Y 2. Don t enumerate (e; e 0 ). Make list of '(m e); make list of '(e 0 ); find collisions between lists.

Collision decoding (1989 Stern, independently 1989 1991 Dumer): Again choose S; Z. Partition n S into X; Y. Hope m e e 0 2 F S Z 2 for weight-p vectors e; e 0 with e 2 F X 2, e0 2 F Y 2. Don t enumerate (e; e 0 ). Make list of '(m e); make list of '(e 0 ); find collisions between lists. Optimal p is unbounded. Exponential speedup for any (R; W ), visible in cost 1=n limit!

Ball-collision decoding (Bernstein Lange Peters, to appear at Crypto 2011): Partition Z into A; B. Hope m e e 0 f f 0 2 F S Z with e 2 F X 2 of weight p, e 0 2 F Y 2 of weight p, f 2 F A 2 of weight q, f 0 2 F B 2 of weight q. Expand '(m e) into ball of radius q; similarly '(e 0 ); find collisions between balls. Exponential speedup over Stern for any reasonable (R; W ). 2

Decryption How does legitimate receiver decrypt s (or y)? Answer: Secretly generate a fast decoding algorithm D for a code C(D). Take random H (or G) with C(D) = Ker H (or C(D) = GF k 2 ). Or systematic H: smaller, faster. Fastest algorithms known to exploit McEliece s choice of D (by, e.g., computing D) are many orders of magnitude slower than collision decoding.

Fix a prime power q; a positive integer m; a positive integer n q m ; distinct a 1 ; : : : ; a n 2 F q m; polynomial g 2 F q m[x] with deg g < n=m and g(a 1 ) g(a n ) 6= 0. The classical Goppa code Γ q (a 1 ; : : : ; a n ; g) is the set of c 2 F n q with P i c i=(x a i ) = 0 in F q m[x]=g. Code dimension k n m deg g. Almost always k = n m deg g.

McEliece s choice of C(D): Γ 2 (a 1 ; : : : ; a n ; g) with irreducible g of degree w. Can you figure out a 1 ; : : : ; a n ; g given Γ 2 (a 1 ; : : : ; a n ; g)?

McEliece s choice of C(D): Γ 2 (a 1 ; : : : ; a n ; g) with irreducible g of degree w. Can you figure out a 1 ; : : : ; a n ; g given Γ 2 (a 1 ; : : : ; a n ; g)? McEliece s choice of D: 1975 Patterson algorithm to decode deg g errors given a 1 ; : : : ; a n ; g.

McEliece s choice of C(D): Γ 2 (a 1 ; : : : ; a n ; g) with irreducible g of degree w. Can you figure out a 1 ; : : : ; a n ; g given Γ 2 (a 1 ; : : : ; a n ; g)? McEliece s choice of D: 1975 Patterson algorithm to decode deg g errors given a 1 ; : : : ; a n ; g. Original parameters: m = 10, w = 50, n = 1024, k = 524.

McEliece s choice of C(D): Γ 2 (a 1 ; : : : ; a n ; g) with irreducible g of degree w. Can you figure out a 1 ; : : : ; a n ; g given Γ 2 (a 1 ; : : : ; a n ; g)? McEliece s choice of D: 1975 Patterson algorithm to decode deg g errors given a 1 ; : : : ; a n ; g. Original parameters: m = 10, w = 50, n = 1024, k = 524. Much higher security: m = 12, w = 150, n = 3600, k = 1800.

If k=n! R as n! 1 then 1 m(deg g)=n! R but m (lg n)= lg q so w=n = (deg g)=n! 0. Standard conjecture is that decoding is still quite hard: (constant+o(1)) n= lg n as n! 1. McEliece reaches 2 b security with n 2 b 1+o(1). Encryption and decryption cost only b 2+o(1). ECC also costs b 2+o(1), but ECC s o(1) seems bigger and ECC isn t post-quantum.

2008 Bernstein Lange Peters: Why stop with deg g errors? Can take w above deg g. Use fast list-decoding algorithms for exactly the same codes. List can have > 1 plaintext, but standard CCA2 conversions easily identify correct plaintext. Each extra error makes known attacks more difficult. More security for same key size. ) Smaller key for same security.

More codes I can increase w using an asymptotically good code! k=n! R > 0 and w=n! W > 0.

More codes I can increase w using an asymptotically good code! k=n! R > 0 and w=n! W > 0. Maybe, but this isn t easy. Do you also have a good D? Does your D run quickly? Are there many choices of D? No exploitable structure in C(D)? Is D actually better than Γ 2 for reasonable values of n?

Tempting to increase q. n= p lg q; k= p lg q; q have same key size as n; k; 2. Maybe better security?

Tempting to increase q. n= p lg q; k= p lg q; q have same key size as n; k; 2. Maybe better security? Problem 1: Structural attacks seem disastrous for large q. e.g. 1992 Shestakov Sidelnikov broke 1986 Niederreiter proposal using Γ q (: : :) with q n.

Tempting to increase q. n= p lg q; k= p lg q; q have same key size as n; k; 2. Maybe better security? Problem 1: Structural attacks seem disastrous for large q. e.g. 1992 Shestakov Sidelnikov broke 1986 Niederreiter proposal using Γ q (: : :) with q n. Problem 2: Patterson s algorithm is specific to q = 2. Conventional wisdom: correct only (deg g)=2 errors for q 3.

2010 Peters: switching from q = 2 to q = 31 gains factor 2 in key size with same security against information-set decoding, despite Problem 2.

2010 Peters: switching from q = 2 to q = 31 gains factor 2 in key size with same security against information-set decoding, despite Problem 2. 2010 Bernstein Lange Peters: Wild Goppa codes Γ q (: : : ; g q 1 ) with squarefree g correct q(deg g)=2 errors, generalizing smoothly from q = 2. Even more with list decoding. Gain already for q = 3. Ongoing work: optimizing Γ q (: : : ; fg q 1 ).

Also many ongoing efforts to reduce key size by creating C(D) with visible structure. But safety is unclear. e.g. 2010 Gauthier Umana Leander and 2010 Faugère Otmani Perret Tillich broke most of the quasi-cyclic and quasi-dyadic proposals by 2009 Berger Cayrel Gaborit Otmani and 2009 Misocki Barreto.

List-decoding algorithms Most often quoted results: Take any alternant code over F q of designed distance t + 1. Assume (n=t)q(lg q m )2(lg n) O(1). 1999 Guruswami Sudan: Polynomial-time algorithm p n(n t 1). for w < n (Roughly: w < t=2 + t 2 =8n.) 2000 Koetter Vardy: Polynomial-time algorithm p for w < n 0 n0 (n 0 t 1) where n 0 = n(q 1)=q. (Roughly: w < t=2 + t 2 =8n + t 2 =8n(q 1).)

What does this mean for Γ q? Easy application: Γ q (: : : ; g) is an alternant code with designed distance deg g + 1. Slightly above (deg g)=2 errors.

What does this mean for Γ q? Easy application: Γ q (: : : ; g) is an alternant code with designed distance deg g + 1. Slightly above (deg g)=2 errors. 2010 Bernstein Lange Peters: Plug 1999 Guruswami Sudan into 1975 Sugiyama Kasahara Hirasawa Namekawa identity Γ q (: : : ; g q 1 ) = Γ q (: : : ; g q ).

What does this mean for Γ q? Easy application: Γ q (: : : ; g) is an alternant code with designed distance deg g + 1. Slightly above (deg g)=2 errors. 2010 Bernstein Lange Peters: Plug 1999 Guruswami Sudan into 1975 Sugiyama Kasahara Hirasawa Namekawa identity Γ q (: : : ; g q 1 ) = Γ q (: : : ; g q ). 2010 Augot Barbier Couvreur: Plug 2000 Koetter Vardy into 1975 Sugiyama Kasahara Hirasawa Namekawa identity.

2011 Bernstein Simplified highspeed high-distance list decoding for alternant codes : Write J 0 = n 0 p n0 (n 0 t 1). n O(1) bit operations if w J 0 + O((lg n)= lg lg n).

2011 Bernstein Simplified highspeed high-distance list decoding for alternant codes : Write J 0 = n 0 p n0 (n 0 t 1). n O(1) bit operations if w J 0 + O((lg n)= lg lg n). O(n 4:5 ) bit operations if w J 0 + o((lg n)= lg lg n).

2011 Bernstein Simplified highspeed high-distance list decoding for alternant codes : Write J 0 = n 0 p n0 (n 0 t 1). n O(1) bit operations if w J 0 + O((lg n)= lg lg n). O(n 4:5 ) bit operations if w J 0 + o((lg n)= lg lg n). n(lg n) O(1) bit operations if w J 0 n=(lg n) O(1). Can of course combine with 1975 Sugiyama Kasahara Hirasawa Namekawa identity.

Still not really fast. Big problem for, e.g., n = 3600. New wave of rational list-decoding algorithms promise much better speeds: 2007 Wu; 2008 Bernstein List decoding for binary Goppa codes (final version: IWCC 2011). These algorithms are efficient only up to about J, not J 0. Can this limitation be removed? I m exploring one idea for this: jet list decoding.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback