Code Based Cryptology at TU/e

Similar documents
Error-correcting Pairs for a Public-key Cryptosystem

CRYPTANALYSE EN TEMPS POLYNOMIAL DU SCHÉMA DE MCELIECE BASÉ SUR LES CODES

Error-correcting pairs for a public-key cryptosystem

Code Based Cryptography

Arrangements, matroids and codes

Error-correcting pairs for a public-key cryptosystem

McEliece type Cryptosystem based on Gabidulin Codes

Attacking and defending the McEliece cryptosystem

Errors, Eavesdroppers, and Enormous Matrices

An Overview to Code based Cryptography

Post-Quantum Cryptography

Cryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes

A Polynomial Time Attack against Algebraic Geometry Code Based Public Key Cryptosystems

Error-correcting codes and applications

An Overview on Post-Quantum Cryptography with an Emphasis. an Emphasis on Code based Systems

Attacks in code based cryptography: a survey, new results and open problems

Post-Quantum Code-Based Cryptography

Decoding One Out of Many

Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

Error-correcting codes and Cryptography

Quantum-resistant cryptography

How to improve information set decoding exploiting that = 0 mod 2

Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems

Gurgen Khachatrian Martun Karapetyan

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Code-Based Cryptography Error-Correcting Codes and Cryptography

Side-channel analysis in code-based cryptography

Advances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago

Wild McEliece Incognito

Chapter 8 Public-key Cryptography and Digital Signatures

On the Security of Some Cryptosystems Based on Error-correcting Codes

A Fuzzy Sketch with Trapdoor

Public Key Cryptography

Notes 10: Public-key cryptography

Code-based Cryptography

Hexi McEliece Public Key Cryptosystem

Reducing Key Length of the McEliece Cryptosystem

Channel Coding for Secure Transmissions

2 Description of McEliece s Public-Key Cryptosystem

The failure of McEliece PKC based on Reed-Muller codes.

Code-based cryptography

Code-based Cryptography

McEliece in the world of Escher

Introduction to Quantum Safe Cryptography. ENISA September 2018

8.1 Principles of Public-Key Cryptosystems

Public Key Algorithms

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Lecture 1: Introduction to Public key cryptography

Public-Key Cryptosystems CHAPTER 4

Strengthening McEliece Cryptosystem

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Vulnerabilities of McEliece in the World of Escher

MATH 433 Applied Algebra Lecture 21: Linear codes (continued). Classification of groups.

Signing with Codes. c Zuzana Masárová 2014

Lecture 12: November 6, 2017

Codes used in Cryptography

Hidden Field Equations

Constructive aspects of code-based cryptography

Post-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017

On the Use of Structured Codes in Code Based Cryptography 1. Nicolas Sendrier

Cryptanalysis of the TTM Cryptosystem

Code-Based Cryptography

Enhanced public key security for the McEliece cryptosystem

Cryptographic Engineering

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.

A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem

RSA. Ramki Thurimella

Cryptanalysis of the Original McEliece Cryptosystem

Recovering short secret keys of RLCE in polynomial time

How SAGE helps to implement Goppa Codes and McEliece PKCSs

Code-based Cryptography

5.0 BCH and Reed-Solomon Codes 5.1 Introduction

MaTRU: A New NTRU-Based Cryptosystem

Cryptanalysis of the Wu}Dawson Public Key Cryptosystem

Algebraic Codes for Error Control

Lecture 3: Error Correcting Codes

Error-Correcting Codes

A FUZZY COMMITMENT SCHEME WITH MCELIECE S CIPHER

Theory of Computation Chapter 12: Cryptography

Lecture V : Public Key Cryptography

THE RSA CRYPTOSYSTEM

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Partial Key Exposure: Generalized Framework to Attack RSA

A Fast Provably Secure Cryptographic Hash Function

Solutions of Exam Coding Theory (2MMC30), 23 June (1.a) Consider the 4 4 matrices as words in F 16

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Distinguisher-Based Attacks on Public-Key Cryptosystems Using Reed-Solomon Codes

My brief introduction to cryptography

Compact McEliece keys based on Quasi-Dyadic Srivastava codes

Toward Secure Implementation of McEliece Decryption

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

LDPC codes in the McEliece cryptosystem: attacks and countermeasures

Math 299 Supplement: Modular Arithmetic Nov 8, 2013

MATH32031: Coding Theory Part 15: Summary

Math 412: Number Theory Lecture 13 Applications of

A new zero-knowledge code based identification scheme with reduced communication

Transcription:

Code Based Cryptology at TU/e Ruud Pellikaan g.r.pellikaan@tue.nl University Indonesia, Depok, Nov. 2 University Padjadjaran, Bandung, Nov. 6 Institute Technology Bandung, Bandung, Nov. 6 University Gadjah Mada, Yogyakarta, Nov. 9 University Sebelas Maret, Surakarta, Nov. 11 /k November 2015

Content 2/48 1. Ambassador of TU/e 2. Introduction on Coding, Crypto and Security 3. Public-key crypto systems 4. One-way functions and 5. Code based public-key crypto system 6. Error-correcting codes 7. Error-correcting pairs /k

Coding 3/48 correct transmission of data error-correction no secrecy involved communication: internet, telephone,... fault tolerant computing memory: computer compact disc, DVD, USB stick... /k

Crypto 4/48 private transmission of data secrecy involved privacy eaves dropping insert false messages authentication electronic signature identity fraud /k

Security 5/48 secure transmission of data secrecy involved electronic voting electronic commerce money transfer databases of patients /k

Public-key cryptography (PKC) 6/48 Diffie and Hellman 1976 in the public domain in Ellis in 1970 for secret service, not made public until 1997 advantage with respect to symmetric-key cryptography no exchange of secret key between sender and receiver /k

One-way function 7/48 At the heart of any public-key cryptosystem is a one-way function a function y = f(x) that is easy to evaluate but for which it is computationally infeasible (one hopes) to find the inverse x = f 1 (y) /k

Examples of one-way function 8/48 Example 1 differentiation a function is easy integrating a function is difficult Example 2 checking whether a given proof is correct is easy finding the proof of a proposition is difficult /k

Integer factorization 9/48 x = (p, q) is a pair of distinct prime numbers y = pq is its product proposed by Cocks in 1973 in secret service Rivest-Shamir-Adleman (RSA) in 1978 in public domain based on the hardness of factorizing integers /k

Discrete logarithm 10/48 G is a group (written multiplicatively) with a G and x an integer y = a x Diffie-Hellman in 1974 and 1976 in public domain proposed by Williamson in 1974 in secret service based on difficulty of finding discrete logarithms in a finite field /k

Elliptic curve discrete logarithm 11/48 G is an elliptic curve group (written additively) over a finite field P is a point on the curve x = k a positive integer k y = kp is another point on the curve obtained by the multiplication of P with a positive integer k proposed by Koblitz and Miller in 1985 based on the difficulty of inverting this function in G /k

Code based cryptography 12/48 H is a given r n matrix with entries in Fq x is in F n q of weight at most t y = xh T proposed by McEliece in 1978 and later by Niederreiter based on the difficulty of decoding error-correcting codes it is NP complete /k

NP complete problems 13/48 NP = nondeterministic polynomial time given a problem with yes/no answer if answer is yes and the solution is given then one can check it in polynomial time Input: integer n Query: can one factorize n in n = pq with p and q > 1? if answer is yes and someone gives p and q then one easily checks that n = pq otherwise it is difficult to find p and q /k

Abstract 14/48 error-correcting codes error-correcting pairs correct errors efficiently applies to many known codes prime example Generalized Reed-Solomon codes can be explained in a short time is a distinguisher of certain classes of codes McEliece public-key cryptosystem polynomial attack if algebraic geometry codes are used ECP map is a one-way function /k

Information theory: Shannon 15/48 message sender source encoding 001... 011... receiver message target decoding noise Block diagram of a communication system

Error-correcting codes: Hamming 16/48 Q alphabet of q elements Hamming distance between x = (x 1,..., x n ) and y = (y 1,..., y n ) in Q n d(x, y) = min {i : x i = y i } x y d(y,z) d(x,y) z d(x,z) /k Triangle inequality

Block codes 17/48 C block code is a subset of Q n minimum distance of C d(c) = min {d(x, y) : x, y C, x = y } t(c) = d(c) 1 2 error-correcting capacity of C

Hamming code - 1 18/48 Venn diagram of the Hamming code r 3 m 2 m 1 m 4 r 1 m 3 r 2

Hamming code - 2 19/48 Venn diagram of a code word sent 1 1 1 1 0 0 0

Hamming code - 3 20/48 Venn diagram of a received word 1 0 1 1 0 0 0

Hamming code - 4 21/48 Correction of one error 1 0 1 1 0 0 0

Linear codes and their parameters 22/48 F q the finite field with q elements, q = p e and p prime F n q is an F q-linear vector space of dimension n C linear code is an F q -linear subspace of F n q parameters [n, k, d] q or [n, k, d] q = size finite field n = length of C k = dimension of C d = minimum distance of C

Encoding linear code 23/48 Let C a linear code in F n q of dimension k It has a basis g 1,..., g k Let G be the k n matrix with rows g 1,..., g k Then G is called a generator matrix of C The encoding of C s given by E(m) = mg E : F k q Fn q

Singleton bound 24/48 Singleton bound d n k + 1 Maximum Distance Separable (MDS) d = n k + 1

Inner product 25/48 The standard inner product is defined by a b = a 1 b 1 + + a n b n Is bilinear and non-degenerate but "positive definite"makes no sense Two subsets A and B of F n q are perpendicular: A B if and only if a b = 0 for all a A and b B

Dual code 26/48 Let C be a linear code in F n q The dual code is defined by C = { x : x c = 0 for all c C } If C has dimension k, then C has dimension n k

Star product 27/48 The star product is defined by coordinatewise multiplication a b = (a 1 b 1,..., a n b n ) For two subsets A and B of F n q A B = a b a A and b B

Efficient decoding algorithms 28/48 The following classes of codes: Generalized Reed-Solomon codes Cyclic codes Alternant codes Goppa codes Algebraic geometry codes have efficient decoding algorithms: Arimoto, Peterson, Gorenstein, Zierler Berlekamp, Massey, Sakata Justesen et al., Vladut-Skrobogatov,... Error-correcting pairs /k

Error-correcting pair 29/48 Let C be a linear code in F n q The pair (A, B) of linear subcodes of F n q m is a called a t-error correcting pair (ECP) over F q m for C if E.1 (A B) C E.2 k(a) > t E.3 d(b ) > t E.4 d(a) + d(c) > n /k

Generalized Reed-Solomon codes- 1 30/48 Let a = (a 1,..., a n ) be an n-tuple of mutually distinct elements of F q Let b = (b 1,..., b n ) be an n-tuple of nonzero elements of F q Evaluation map: ev a,b (f(x)) = (f(a 1 )b 1,..., f(a n )b n ) GRS k (a, b) = { ev a,b (f(x)) f(x) F q [X], deg(f(x) < k } Parameters: [n, k, n k + 1] if k n Since a polynomial of degree k 1 has at most k 1 zeros.

Generalized Reed-Solomon codes - 2 31/48 Furthermore ev a,b (f(x)) ev a,c (g(x)) = ev a,b c (f(x)g(x)) GRS k (a, b) GRS l (a, c) = GRS k+l 1 (a, b c)

t-ecp for GRS n 2t (a, b) 32/48 Let C = GRS 2t (a, 1) Then C = GRS n 2t (a, b) for some b has parameters: [n, n 2t, 2t + 1] Let A = GRS t+1 (a, 1) and B = GRS t (a, 1) Then (A B) C A has parameters [n, t + 1, n t] B has parameters [n, t, n t + 1] So B has parameters [n, n t, t + 1] Hence (A, B) is a t-error-correcting pair for C

Kernel of a received word 33/48 Let A and B be linear subspaces of F n q m and r F n q a received word Define the kernel K(r) = { a A (a b) r = 0 for all b B} Lemma Let C be an F q -linear code of length n Let r be a received word with error vector e So r = c + e for some c C If (A B) C, then K(r) = K(e)

Kernel for a GRS code 34/48 Let A = GRS t+1 (a, 1) and B = GRS t (a, 1) and C = A B Let a i = ev a,1 (X i 1 ) for i = 1,..., t + 1 b j = ev a,1 (X j ) for j = 1,..., t h l = ev a,1 (X l ) for l = 1,..., 2t Then a 1,..., a t+1 is a basis of A b 1,..., b t is a basis of B h 1,..., h 2t is a basis of C Furthermore /k a i b j = ev a,1 (X i+j 1 ) = h i+j 1

Matrix of syndromes for a GRS code 35/48 Let r be a received word and (s 1,..., s 2t ) = rh T its syndrome Then (b j a i ) r = s i+j 1. To compute the kernel K(r) we have to compute the null space of the matrix of syndromes s 1 s 2 s t s t+1 s 2 s 3 s t+1 s t+2....... s t s t+1 s 2t 1 s 2t

Error location 36/48 Let (A, B) be a t-ecp for C Let J be a subset of {1,..., n} Define the subspace of A of error-locating vectors: A(J) = { a A a j = 0 for all j J } Lemma Let (A B) C Let e be an error vector of the received word r If I = supp(e) = { i e i = 0 }, then A(I) K(r)

Error positions 37/48 Lemma Let (A B) C Let e be an error vector of the received word r Assume d(b ) > wt(e) = t If I = supp(e) = { i e i = 0 }, then A(I) = K(r) If a is a nonzero element of K(r) J zero positions of a Then I J

Basic algorithm 38/48 Let (A, B) be a t-ecp for C with d(c) 2t + 1 Suppose that c C is the code word sent and r = c + e is the received word for some error vector e with wt(e) t The basic algorithm for the code C: - Compute the kernel K(r) This kernel is nonzero since k(a) > t - Take a nonzero element a of K(r) K(r) = K(e) since (A B) C - Determine the set J of zero positions of a supp(e) J since d(b ) > t - Compute the error values by erasure decoding J < d(c) since n d(a) < d(c) /k

t-ecp corrects t errors efficiently 39/48 Theorem Let C be an F q -linear code of length n Let (A, B) be a t-error-correcting pair over F q m for C Then the basic algorithm corrects t errors for the code C with complexity O((mn) 3 )

Code based PKC systems - 1 40/48 McEliece: Let C be a class of codes that have efficient decoding algorithms correcting t errors with t (d 1)/2 Secret key: (S, G, P) S an invertible k k matrix G a k n generator matrix of a code C in C. P an n n permutation matrix Public key: G = SGP

Code based PKC systems - 2 41/48 McEliece: Encryption with public key G = SGP and message m in F k q : /k y = mg + e with random chosen e in F n q of weight t Decryption with secret key (S, G, P): yp 1 = (mg + e)p 1 = msg + ep 1 SG and G are generator matrices of the same code C ep 1 has weight t Decoder gives c = msg as closest codeword

Code based PKC systems - 3 42/48 Minimum distance decoding is NP-hard (Berlekamp-McEliece-Van Tilborg) It is assumed that: 1. P = NP 2. Decoding up to half the minimum distance is hard 3. One cannot distinguish nor retrieve the original code by disguising it by S and P /k

Attacks on code based PKC systems - 1 43/48 Generic attack decoding algorithms: McEliece 1978... Brickell, Lee 1988 Leon 1988 van Tilburg 1988 Stern 1989 Canteaut, Chabaud, Sendrier 1998 Finiasz-Sendrier 2009 Bernstein-Lange-Peters 2008-2011 Becker-Joux-May-Meurer Eurocrypt 2012 /k

Attacks on code based PKC systems - 2 44/48 Structural attacks: GRS codes (Sidelnikov-Shestakov) subcodes of GRS codes (Wieschebrink, Márquez-Martínez-P) Alternant codes: open Goppa codes: open Algebraic geometry codes: (Faure-Minder, genus g 2) VSAG codes: (Márquez-Martínez-P-Ruano, arbitrary g) Polynomial attack on AG codes: (Couvreur-Márquez-P, using ECP s)

Codes with t-ecp P (n, t, q) is the collection of pairs (A, B) that satisfy 45/48 E.2 k(a) > t E.3 d(b ) > t E.5 d(a ) > 1 E.6 d(a) + 2t > n Let Then d(c) is at least 2t + 1 and (A, B) is a t-ecp for C C = F n q (A B)

ECP one-way function 46/48 F (n, t, q) is the collection of F q -linear codes of length n and minimum distance d 2t + 1 Consider the following map ϕ (n,t,q) : P (n, t, q) F (n, t, q) (A, B) C Question: Is this a one-way function?

Conclusion 47/48 Many known classes of codes that have decoding algorithm correcting t-errors have a t-ecp and are not suitable for a code based PKC Question for future research Is the ECP map a one-way function? /k

48/48 Thank you for your attention!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback