Codes used in Cryptography


Prasad Krishnan, Signal Processing and Communications Research Center, International Institute of Information Technology, Hyderabad. March 29, 2016

Outline
Coding Theory and Cryptography: Linear Codes; Codes and Cryptography
Decoding
Variants of BCH codes: Reed Solomon and Generalised Reed Solomon Codes; Alternant Codes; Goppa Codes

Linear Codes

What is a code? A code is a finite subset of some mathematical structure, used to encode messages passing through a channel. The elements of the subset are picked in such a way that errors occurring during transmission do not cause confusion during decoding. Encoding function of a code $C$: $E : \text{Messages} \to \text{Codewords}$.

Linear codes over $F_q^n$. $C$ is a linear code if $E$ is linear in the message set. If $E : F_q^k \to F_q^n$, then we can represent $E$ using a $k \times n$ matrix $G$ over $F_q$ such that $c = xG$. $G$ is called the generator matrix of $C$, which is an $(n, k)$ code. The linear code is completely defined by its generator matrix $G_{k \times n}$. Alternatively, one can use a parity check matrix $H_{(n-k) \times n}$ to define the code, where $H$ is any such matrix with $GH^T = 0$. $C = \mathrm{Span}(G) = \mathrm{NullSpace}(H)$.

Received vector is $r = c + e$, where $e = (e_0, e_1, \ldots, e_{n-1})$ captures the errors occurring in the $n$ coordinates. Minimum distance: $d = \min_{c \in C,\, c \neq 0} w_H(c)$. Singleton bound: $d \le n - k + 1$. Theorem (Error correction): a linear code $C$ with minimum distance $2t + 1$ can correct any $t$ errors. Theorem (Independence of the $H$ matrix): a linear code $C$ has minimum distance $d$ if and only if any set of $d - 1$ columns of $H$ is linearly independent.

Syndrome decoding. Received vector $r = c + e \in F_q^n$. Compute $s = rH^T = cH^T + eH^T = xGH^T + eH^T = eH^T \in F_q^{n-k}$. Since $2t + 1 \le d \le n - k + 1$, corresponding to any error vector of weight up to $t$ there is a unique syndrome. Syndrome decoding for errors of weight up to $t$: 1. Find the syndrome $s$. 2. Find the $e$ corresponding to $s$ (here the code structure helps build efficient algorithms). 3. Find $c = r - e$ and map it back to $x$.

Codes and Cryptography

Connection to cryptography. Public key cryptography: we want to convey a message secretly (make it easy for the intended receiver, but hard for everyone else). The encoding key is public, but the decoding key is ideally known to the receiver alone.
$\{E_e : \text{Plaintext} \to \text{Ciphertext} \mid e \in \text{KeySpace}\}$ (1)
$\{D_d : \text{Ciphertext} \to \text{Plaintext} \mid d \in \text{KeySpace}\}$ (2)
Given an $(e, d)$ pair ($e$ and $d$ are mathematically related): 1. $D_d(E_e(p)) = p$ for all $p \in \text{Plaintext}$. 2. Knowing $e$, it is hard to get $d$.

McEliece cryptosystem, a code-based cryptosystem example. We want to transmit $x \in F_q^k$ secretly. Choose: a code $C$ (i.e., an appropriate $G_{k \times n}$) that can correct $t$ errors and has an efficient decoding algorithm, $O(nt)$; an invertible matrix $S_{k \times k}$; a permutation matrix $P_{n \times n}$. McEliece scheme. Public key: $G' = SGP$ (generates a code having the same distance properties as $C$, but without an efficient decoding algorithm). Send $xG' + e$ for some random vector $e$ with $w_H(e) = t$. Private key: $(S, P,$ the efficient decoding algorithm for the code generated by $G)$.

Receiver and wiretapper both see $r = xG' + e$. The receiver knows $S$, $P$ and the efficient decoding algorithm for $G$, so it does the following. Note that $e$ and $e' = eP^{-1}$ both have weight $t$.
$rP^{-1} = xSGPP^{-1} + eP^{-1}$ (3)
$= xSG + e'$ (4)
From (4) the receiver can decode $x' = xS$ with the efficient algorithm, and finally gets $x = x'S^{-1}$. The wiretapper sees a random code $G'$, in the sense that there is no efficient algorithm to get $x$ (the brute-force method is exponential in $n - k$).
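To make the key-generation and decryption steps above concrete, here is an added toy implementation (not from the slides) of the scheme over $F_2$, with the $[7,4]$ Hamming code ($t = 1$) standing in for the binary Goppa code and a syndrome table playing the role of the efficient decoding algorithm for $G$. The matrices, the `SYNDROME_TO_POS` decoder and the sample messages are constructed for this example.

```python
# Toy McEliece over GF(2) with the [7,4] Hamming code (t = 1) standing in for the secret
# Goppa code, so S, P, G' and the decryption steps are visible. Constructed, insecure example.
import random

# The secret code C: systematic generator G and parity-check H with G H^T = 0 (t = 1).
G = [[1, 0, 0, 0, 1, 1, 0], [0, 1, 0, 0, 1, 0, 1], [0, 0, 1, 0, 0, 1, 1], [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0], [1, 0, 1, 1, 0, 1, 0], [0, 1, 1, 1, 0, 0, 1]]
H_T = [list(col) for col in zip(*H)]
SYNDROME_TO_POS = {tuple(col): j for j, col in enumerate(H_T)}  # e H^T for each weight-1 e

def matmul(A, B):  # matrix product over GF(2)
    return [[sum(x * y for x, y in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def inverse(M):
    """Gauss-Jordan inverse over GF(2); None if M is singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c]), None)
        if p is None:
            return None
        A[c], A[p] = A[p], A[c]
        for r in range(n):
            if r != c and A[r][c]:
                A[r] = [x ^ y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

def keygen(rng=random):  # public key G' = S G P; private key (S^-1, P^-1) and the decoder for C
    k, n = len(G), len(G[0])
    S_inv = None
    while S_inv is None:                          # random invertible k x k scrambler S
        S = [[rng.randint(0, 1) for _ in range(k)] for _ in range(k)]
        S_inv = inverse(S)
    perm = rng.sample(range(n), n)                # random n x n permutation matrix P
    P = [[int(perm[i] == j) for j in range(n)] for i in range(n)]
    return matmul(matmul(S, G), P), (S_inv, inverse(P))

def encrypt(G_pub, x, rng=random):  # r = x G' + e with w_H(e) = t = 1
    r = matmul([x], G_pub)[0]
    r[rng.randrange(len(r))] ^= 1
    return r

def decrypt(priv, r):  # r P^-1 = (x S) G + e P^-1, decode in C, then undo S
    S_inv, P_inv = priv
    v = matmul([r], P_inv)[0]
    s = tuple(matmul([v], H_T)[0])                # syndrome s = (e P^-1) H^T
    if any(s):
        v[SYNDROME_TO_POS[s]] ^= 1                # correct the single error
    return matmul([v[:len(G)]], S_inv)[0]         # G is systematic, so x S = first k bits
```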

McEliece chose the class of binary Goppa codes for his scheme because: fast decoding algorithms are available for codes with large $k, n$ (required for making the scheme secure); McEliece gives an example of $n = 1024$, $k = 524$ with $t = 50$; a large number of Goppa codes exist, so the wiretapper finds it hard to find $G$; unbroken, unlike other codes proposed such as Reed Solomon, etc. (till 2008 :(, but the suggested fix was an increase in the size of the parameters). Rest of this talk: focus on understanding the construction and decoding of Goppa codes (well, kind of).

Why kind of?


Cyclic Codes. Denote a codeword $(c_0, c_1, \ldots, c_{n-1})$ as a polynomial in $X$, $c(X) = c_0 + c_1 X + c_2 X^2 + \ldots + c_{n-1} X^{n-1}$. A cyclic code is a linear code where, if $c(X)$ is a codeword, then so is $Xc(X) \bmod (X^n - 1)$, i.e., $(c_0, c_1, c_2, \ldots, c_{n-1}) \in C \Rightarrow (c_{n-1}, c_0, c_1, \ldots, c_{n-2}) \in C$. For any $(n, k)$ cyclic code $C$, we can identify one polynomial $g(X)$ of degree $n - k$ such that $C = \{m(X)g(X) : m(X) \in F_q[X], \deg(m(X)) \le k - 1\}$, which is known as the generator polynomial of $C$. The generator polynomial of an $n$-length cyclic code divides $X^n - 1$.

Bose-Chaudhuri-Hocquenghem codes. Let $\alpha$ be an $n$th root of unity in $F_{q^m}$ for a given $m$. A (narrow-sense) BCH code with design distance $2t + 1$ and length $n$ over $F_q$ has generator polynomial $g_{BCH}(X) = \mathrm{LCM}(\mathrm{minpoly}_q(\alpha), \mathrm{minpoly}_q(\alpha^2), \ldots, \mathrm{minpoly}_q(\alpha^{2t}))$, where $\mathrm{minpoly}_q(\alpha^i)$ is the minimum-degree polynomial with coefficients from $F_q$ having $\alpha^i$ as a root.

Parity check matrix. Thus, for any codeword $c(X)$, $(c(\alpha), c(\alpha^2), \ldots, c(\alpha^{2t})) = 0$. In other words, the parity check matrix is
$$H_{BCH} = \begin{pmatrix} 1 & \alpha & \alpha^2 & \cdots & \alpha^{n-1} \\ 1 & \alpha^2 & \alpha^4 & \cdots & \alpha^{2(n-1)} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \alpha^{2t} & \alpha^{4t} & \cdots & \alpha^{2t(n-1)} \end{pmatrix}$$
and $BCH_q(n, 2t) = \mathrm{NullSpace}(H_{BCH})$ in $F_q^n$. Any set of $2t$ columns from $H_{BCH}$ is linearly independent over $F_q$. Therefore a BCH code with design distance $2t + 1$ can correct any $t$ errors.

Decoding

Decoding $r(X) = c(X) + e(X)$, $w_H(e) \le t$. Idea: find the syndrome, find the error, find the information symbols. For any $\alpha^i$, $i = 1, 2, \ldots, 2t$, we have
$$r(\alpha^i) = c(\alpha^i) + e(\alpha^i) = e(\alpha^i) = \sum_{j=0}^{n-1} e_j (\alpha^i)^j.$$
Suppose $e$ has errors in $\nu$ locations for some $\nu \le t$. Let those locations be $j_1, j_2, \ldots, j_\nu$. Then
$$r(\alpha^i) = \sum_{l=1}^{\nu} e_{j_l} (\alpha^i)^{j_l}, \quad i = 1, 2, \ldots, 2t.$$

Let $X_l = \alpha^{j_l}$ and $S_i = r(\alpha^i)$. Therefore we have the set of equations
$S_1 = e_{j_1} X_1 + e_{j_2} X_2 + \ldots + e_{j_\nu} X_\nu$ (5)
$S_2 = e_{j_1} X_1^2 + e_{j_2} X_2^2 + \ldots + e_{j_\nu} X_\nu^2$ (6)
$\vdots$ (7)
$S_{2t} = e_{j_1} X_1^{2t} + e_{j_2} X_2^{2t} + \ldots + e_{j_\nu} X_\nu^{2t}$ (8)
Note that $X_l = \alpha^{j_l}$ indicates the location of the $l$th error (i.e., $j_l$), while $e_{j_l}$ is the error value at that position. We want to get both the $X_l$s and the $e_{j_l}$s, in that order. Solving directly for the $X_l$s involves nonlinear equations, so we use another trick.

Error locator polynomial: a polynomial whose roots are $X_l^{-1}$, $l = 1, \ldots, \nu$:
$$\Lambda(x) = \prod_{l=1}^{\nu} (1 - X_l x) = 1 + \Lambda_1 x + \Lambda_2 x^2 + \ldots + \Lambda_\nu x^\nu.$$
If we have the coefficients $\Lambda_i$, then finding the roots of $\Lambda(x)$ is equivalent to finding the error locations (this can be done by evaluating $\Lambda(x)$). If we have the error locations, we can use the equations on the previous slide to get the error values. The coefficients $\Lambda_i$ and the syndromes are related by Newton's identities.

Newton's identities:
$$\begin{pmatrix} S_1 & S_2 & \cdots & S_\nu \\ S_2 & S_3 & \cdots & S_{\nu+1} \\ \vdots & \vdots & & \vdots \\ S_\nu & S_{\nu+1} & \cdots & S_{2\nu-1} \end{pmatrix} \begin{pmatrix} \Lambda_\nu \\ \Lambda_{\nu-1} \\ \vdots \\ \Lambda_1 \end{pmatrix} = - \begin{pmatrix} S_{\nu+1} \\ S_{\nu+2} \\ \vdots \\ S_{2\nu} \end{pmatrix}$$
The above equation is well defined for $\nu \le t$. Set $\nu = t$. Form $M_\nu$ (the matrix above) and find $\det(M_\nu)$. If $\det(M_\nu) = 0$, then set $\nu \leftarrow \nu - 1$ and repeat the previous step. If $M_\nu$ is invertible, solve for the coefficients $\Lambda_i$, $i = 1, 2, \ldots, \nu$. Finally, solve for the error values.
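As an added worked example (not from the slides), the decoding procedure above carried out for the binary BCH(15, 7) code with $t = 2$ over $F_{16}$: syndromes $S_i = r(\alpha^i)$, the Newton-identity matrix $M_\nu$ solved by Cramer's rule with the fallback from $\nu = 2$ to $\nu = 1$ when $\det(M_2) = 0$, and the error locations read off from the roots $\alpha^{-j}$ of $\Lambda(x)$; over $F_2$ the sign in the Newton identities is irrelevant and every error value is 1. The field tables, generator polynomial and message are constructed for this example.

```python
# Peterson-style decoding of the binary BCH(15, 7) code (t = 2) over GF(16), as on the slides:
# syndromes S_i = r(alpha^i), Newton matrix M_nu, locator Lambda(x), roots by evaluation.
EXP, LOG = [0] * 30, [0] * 16          # alpha^i table and its inverse (constructed example)
a = 1
for i in range(15):                    # alpha is a root of the primitive x^4 + x + 1 (0x13)
    EXP[i] = EXP[i + 15] = a
    LOG[a] = i
    a <<= 1
    if a & 0x10:
        a ^= 0x13

def gf_mul(x, y):
    return 0 if x == 0 or y == 0 else EXP[LOG[x] + LOG[y]]

def gf_inv(x):                         # x != 0
    return EXP[15 - LOG[x]]

def poly_eval(coeffs, x):              # Horner: sum_j coeffs[j] x^j over GF(16), low degree first
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

G_POLY = [1, 0, 0, 0, 1, 0, 1, 1, 1]  # g(x) = x^8+x^7+x^6+x^4+1 = minpoly(alpha) minpoly(alpha^3)

def encode(msg):                       # c(x) = m(x) g(x) over GF(2); msg is 7 bits, low degree first
    c = [0] * 15
    for i, m in enumerate(msg):
        for j, g in enumerate(G_POLY):
            c[i + j] ^= m & g
    return c

def decode(r):                         # corrected codeword, or None if detected as uncorrectable
    S1, S2, S3, S4 = (poly_eval(r, EXP[i]) for i in range(1, 5))  # S_i = r(alpha^i)
    if not (S1 or S2 or S3 or S4):
        return r[:]
    det = gf_mul(S1, S3) ^ gf_mul(S2, S2)                         # det M_2
    if det:                            # nu = 2: solve M_2 (L2, L1)^T = (S3, S4)^T by Cramer's rule
        L2 = gf_mul(gf_inv(det), gf_mul(S3, S3) ^ gf_mul(S2, S4))
        L1 = gf_mul(gf_inv(det), gf_mul(S1, S4) ^ gf_mul(S2, S3))
    else:                              # nu = 1: S1 * L1 = S2
        L1, L2 = gf_mul(S2, gf_inv(S1)), 0
    # a root alpha^-j of Lambda(x) = 1 + L1 x + L2 x^2 marks an error at position j
    errs = [j for j in range(15) if poly_eval([1, L1, L2], EXP[(15 - j) % 15]) == 0]
    if len(errs) != (2 if L2 else 1):
        return None
    c = r[:]
    for j in errs:
        c[j] ^= 1                      # binary code: every error value e_j is 1
    return c
```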

Reed Solomon and Generalised Reed Solomon Codes

Generalised Reed Solomon codes. An RS code is a BCH code with $n = q^m - 1$ over $F_{q^m}$. Thus $g_{RS}(X) = (X - \alpha)(X - \alpha^2) \cdots (X - \alpha^{2t})$. Another way to encode an RS code: for any $m(X)$ (of degree up to $k - 1$), the codeword is $(m(1), m(\alpha), \ldots, m(\alpha^{n-1}))$ (minimum distance $d = n - k + 1$). GRS codes (which also have the maximum distance $d = n - k + 1$): let $v = (v_1, v_2, \ldots, v_n)$ be non-zero elements in $F_{q^m}$ and $\beta = (\beta_1, \beta_2, \ldots, \beta_n)$ distinct elements in $F_{q^m}$. $GRS(\beta, v)$ is the set of all vectors of the form $(v_1 m(\beta_1), v_2 m(\beta_2), \ldots, v_n m(\beta_n))$, where $m(X)$ is any polynomial of degree $\le k - 1$.

The $H$ matrix of a GRS code takes the form
$$H_{GRS} = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ \beta_1 & \beta_2 & \cdots & \beta_n \\ \beta_1^2 & \beta_2^2 & \cdots & \beta_n^2 \\ \vdots & \vdots & & \vdots \\ \beta_1^{n-k-1} & \beta_2^{n-k-1} & \cdots & \beta_n^{n-k-1} \end{pmatrix} \begin{pmatrix} y_1 & & & \\ & y_2 & & \\ & & \ddots & \\ & & & y_n \end{pmatrix} = XY, \quad (9), (10)$$
where $y = (y_1, \ldots, y_n)$ is some vector (with non-zero $y_i$s) such that $H_{GRS}$ is an appropriate $H$ matrix for $GRS(\beta, v)$. $GRS(\beta, v) = \mathrm{NullSpace}(H_{GRS})$ in $F_{q^m}^n$.

Alternant Codes

Long BCH codes are not good (the rate $k/n$ and the error correction $d/n$ don't keep growing together). This is rectified by alternant codes, which are subcodes of GRS codes. Alternant code: for $\beta$ consisting of $n$ distinct values from $F_{q^m}$, and $y$ consisting of non-zero values from $F_{q^m}$, $A(\beta, y) = \mathrm{NullSpace}(H_{GRS})$ in $F_q^n$.

Goppa Codes

Let $G(z)$ be a polynomial with coefficients from $F_{q^m}$. Let $\beta = \{\beta_1, \beta_2, \ldots, \beta_n\}$ be $n$ elements such that $G(\beta_i) \neq 0$, $i = 1, 2, \ldots, n$. With a vector $a = (a_1, \ldots, a_n) \in F_q^n$ we associate the rational function
$$R_a(z) = \sum_{i=1}^{n} \frac{a_i}{z - \beta_i}.$$
Note that $\frac{1}{z - \beta_i}$ has a polynomial representative in $F_{q^m}[z]/(G(z))$, since $G(\beta_i) \neq 0$, so $R_a(z) \bmod G(z)$ is well defined. The Goppa code $(\beta, G(z))$ is defined as $\{a \in F_q^n : R_a(z) \equiv 0 \pmod{G(z)}\}$.

Goppa codes as alternant codes. Let $G(z)$ be a polynomial with coefficients from $F_{q^m}$, and $\beta = \{\beta_1, \beta_2, \ldots, \beta_n\}$ be $n$ elements such that $G(\beta_i) \neq 0$, $i = 1, 2, \ldots, n$. Let $y = (G(\beta_1)^{-1}, G(\beta_2)^{-1}, \ldots, G(\beta_n)^{-1})$. Goppa code: the Goppa code $(\beta, G(z)) = A(\beta, y)$. If $\beta$ is the set of all non-zeros of $G(z)$, then the Goppa code is completely determined by $G(z)$. It has an optimised decoding algorithm because of this further structure.