Code-based cryptography
Pierre-Louis Cayrel, Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F, 18 rue du professeur Benoît Lauras, 42000 Saint-Etienne, France. pierre.louis.cayrel@univ-st-etienne.fr
June 4th 2013
Syndrome decoding problem
Input: $H$, a matrix of size $r \times n$; $S$, a vector of $\mathbb{F}_2^r$; $t$, an integer.
Problem: does there exist a vector $e \in \mathbb{F}_2^n$ of weight $t$ such that $H\,{}^t e = S$? (Throughout these slides ${}^t e$ denotes the transpose of $e$, so $H\,{}^t e$ is a column vector of $\mathbb{F}_2^r$.)
The problem is NP-complete (E.R. Berlekamp, R.J. McEliece and H.C. van Tilborg, 1978).
What can we do with this problem?
- encryption
- signature
- identification
- hash function
- stream cipher
Menu
1. Error-correcting codes
2. Encryption
3. Signature
4. Identification
5. Hash function
6. Stream cipher
Error-correcting codes
Error-correcting codes make it possible to correct errors when the communication takes place over a noisy channel: we add redundancy to the transmitted information.
- Encoding: $c = m \,|\, r$ (message $m$ followed by redundancy $r$).
- Channel: $y = c \oplus e$, where $e$ is the noise.
- Decoding: correct the errors when the received word is corrupted.
Codes are stronger than a parity check: they can detect and correct errors. We use them in DVDs and CDs (to reduce the effects of dust and scratches) and in phones (to improve the quality of the communication). And in cryptography?
Linear codes
- The codes most used in error correction.
- Error-correcting codes for which the redundancy depends linearly on the information.
- Can be defined by a generator matrix $G$: $c$ is a word of the code $C$ if and only if $c = mG$ for some $m \in \mathbb{F}_2^k$.
Figure: $G$, a generator matrix in systematic form $[I_k \,|\, A]$.
The generator matrix $G$ is a $k \times n$ matrix; the rows of $G$ form a basis of the code $C$.
Minimum distance
The Hamming weight of a word $c$ is its number of non-zero coordinates. The minimum distance $d$ of a code is the minimum Hamming distance between two distinct words of the code. For a linear code it is also the smallest weight of a non-zero codeword.
Parity check matrix
The parity check matrix $H$ is orthogonal to $G$:
- it is an $(n-k) \times n$ matrix; we will use the notation $r := n - k$;
- it is the generator matrix of the dual code; the code $C$ is the kernel of $H$;
- $c \in C$ if and only if $H\,{}^t c = 0$.
For a received word $y = c \oplus e$ with $c \in C$, $s = H\,{}^t y = H\,{}^t c \oplus H\,{}^t e = H\,{}^t e$ is the syndrome of the error: it depends only on $e$, not on the codeword.
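The objects of the last three slides (generator matrix, parity check matrix, syndrome, minimum distance, and the syndrome decoding problem itself) in a small runnable form. This is an added example, not code from the slides or from the author: it uses the constructed [7,4,3] binary Hamming code, with the redundancy part A chosen by hand, and solves the syndrome decoding problem by exhaustive search over weight-t error patterns, which is only feasible because the parameters are tiny.

```python
from itertools import combinations

# Constructed [7,4,3] Hamming code: G = [I_k | A] and H = [^tA | I_r], so that
# G ^tH = 0.  Vectors are lists of 0/1 integers; matvec(M, v) is the slides'
# "M ^t v" (M times the column vector v).
K, R = 4, 3
N = K + R
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]   # constructed redundancy part
G = [[int(i == j) for j in range(K)] + A[i] for i in range(K)]
H = [[A[i][j] for i in range(K)] + [int(i == j) for i in range(R)] for j in range(R)]

def vecmat(v, M):
    """Row vector v times matrix M over GF(2)."""
    return [sum(v[i] * M[i][j] for i in range(len(v))) % 2 for j in range(len(M[0]))]

def matvec(M, v):
    """Matrix M times column vector v over GF(2)."""
    return [sum(a * b for a, b in zip(row, v)) % 2 for row in M]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def weight(v):
    return sum(v)

def encode(m):
    """Codeword c = m G: first k bits are the message, last r bits the redundancy."""
    return vecmat(m, G)

def syndrome(y):
    """s = H ^t y; it is zero exactly on codewords."""
    return matvec(H, y)

def is_codeword(c):
    return not any(syndrome(c))

def min_distance():
    """Smallest weight of a non-zero codeword (the minimum distance of a linear code)."""
    return min(weight(encode([(m >> i) & 1 for i in range(K)])) for m in range(1, 2 ** K))

def syndrome_decode(s, t):
    """Syndrome decoding by exhaustive search: find e of weight exactly t with
    H ^t e = s.  The search is exponential in t, which is what makes the
    problem hard at real parameter sizes; for n = 7 it is instantaneous."""
    for pos in combinations(range(N), t):
        e = [1 if i in pos else 0 for i in range(N)]
        if syndrome(e) == s:
            return e
    return None

def transmit_and_correct(m, error_position):
    """Encode m, flip one bit on the channel, recover m from the syndrome alone."""
    c = encode(m)
    e = [1 if i == error_position else 0 for i in range(N)]
    y = xor(c, e)                                # y = c xor e
    assert syndrome(y) == syndrome(e)            # H ^t c = 0: the syndrome sees only e
    e_found = syndrome_decode(syndrome(y), 1)    # the Hamming code corrects t = 1 error
    return xor(y, e_found)[:K]                   # strip the redundancy
```

For the Hamming code every non-zero syndrome is a column of H, so weight-1 decoding is a table lookup; the exhaustive `syndrome_decode` is written generically so the same function can be tried with larger t on other matrices.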
Encryption
Code-based systems were introduced at the same time as RSA, by McEliece.
Advantages:
- faster than RSA;
- not based on a number theory problem (post-quantum secure);
- do not need cryptoprocessors;
- based on a hard problem (the syndrome decoding problem, ...).
Disadvantage:
- size of the public keys (few hundred bits...).
How does the McEliece PKC work?
- Generate a code for which we have a decoding algorithm, with generator matrix $G$: this is the private key.
- Transform $G$ to obtain $G'$, which looks random: this is the public key.
- Encrypt a message $m$ by computing $c = mG' \oplus e$, with $e$ a random vector of weight $t$.
A dual construction using $H$ instead of $G$? (Niederreiter)
Security is equivalent to that of the McEliece scheme.
Private key: $C$, an $[n, r, d]$ code which corrects $t$ errors; $H$, a parity check matrix of $C$; $\gamma_H$, a decoding algorithm for $C$; $Q$, an $r \times r$ invertible matrix; $P$, an $n \times n$ permutation matrix.
Public key: $H' = QHP$.
Message encoding: $\varphi_{n,t} : m \mapsto e$, with $e$ of weight $t$.
Encryption: $S = H'\,{}^t e = QHP\,{}^t e$.
Decryption: decode $Q^{-1} S = (Q^{-1}Q) H P\,{}^t e$ into $P\,{}^t e$; then $P^{-1} P\,{}^t e$ gives $e$, and $\varphi_{n,t}^{-1}(e) = m$.
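The Niederreiter key generation, encryption and decryption of this slide, run end to end on the constructed [7,4,3] Hamming code (t = 1). This is an added example and not the author's implementation: the decoder γ_H is the Hamming column lookup, Q is drawn at random until invertible, and φ_{n,t} is realised as a constant-weight encoding that maps a message index to the m-th weight-t word in lexicographic order (an assumption; the slides do not say how φ is built).

```python
import random
from itertools import combinations

# Constructed [7,4,3] Hamming code, t = 1: private (H, gamma_H, Q, P), public H' = Q H P.
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
R, N, T = 3, 7, 1
H = [[A[i][j] for i in range(4)] + [int(i == j) for i in range(R)] for j in range(R)]

def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % 2
             for j in range(len(Y[0]))] for i in range(len(X))]

def matvec(M, v):
    """M ^t v: matrix M times column vector v over GF(2)."""
    return [sum(a * b for a, b in zip(row, v)) % 2 for row in M]

def transpose(M):
    return [list(col) for col in zip(*M)]

def gf2_inverse(M):
    """Gauss-Jordan inversion over GF(2); returns None if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def decode_hamming(s):
    """gamma_H: a non-zero syndrome equals the column of H at the error position."""
    cols = {tuple(col): i for i, col in enumerate(zip(*H))}
    e = [0] * N
    if any(s):
        e[cols[tuple(s)]] = 1
    return e

def phi(m):
    """phi_{n,t}: message index m in [0, C(n,t)) -> weight-t word (assumed encoding)."""
    pos = list(combinations(range(N), T))[m]
    return [1 if i in pos else 0 for i in range(N)]

def phi_inv(e):
    return list(combinations(range(N), T)).index(tuple(i for i, b in enumerate(e) if b))

def keygen(rng):
    while True:                                  # random Q until invertible
        Q = [[rng.randint(0, 1) for _ in range(R)] for _ in range(R)]
        Qinv = gf2_inverse(Q)
        if Qinv is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]   # permutation matrix
    Hpub = matmul(matmul(Q, H), P)                                   # H' = Q H P
    return Hpub, (Q, Qinv, P)

def encrypt(Hpub, m):
    return matvec(Hpub, phi(m))                  # S = H' ^t e

def decrypt(priv, S):
    Q, Qinv, P = priv
    pte = decode_hamming(matvec(Qinv, S))        # Q^-1 S = H (P ^t e), decode to P ^t e
    e = matvec(transpose(P), pte)                # P^-1 = ^tP for a permutation matrix
    return phi_inv(e)
```

With n = 7 and t = 1 there are only seven possible plaintexts, which is exactly why real parameters need n in the thousands; the structure of the computation, though, is the one the slide describes.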
Hardware?
- Eisenbarth et al. "MicroEliece: McEliece for Embedded Devices", CHES 2009.
- Shoufan et al. "A Novel Processor Architecture for McEliece Cryptosystem and FPGA Platforms", ASAP 2009.
- Heyse. "Low-Reiter: Niederreiter Scheme for Embedded Microcontrollers", PQCrypto 2010.
- Strenzke. "A Smart Card Implementation of the McEliece PKC", WISTP 2010.
- Heyse. "CCA2 secure McEliece based on Quasi Dyadic Goppa Codes for Embedded Devices", PQCrypto 2011.
- Cayrel, Hoffmann and Persichetti. "Efficient implementation of a CCA2-secure variant of McEliece using generalized Srivastava codes", PKC 2012.
Generalized Srivastava codes: what are they? Why?
- Generalized Srivastava (GS) codes are Alternant codes (efficient decoding algorithm).
- There are quasi-dyadic GS codes (small public key size: 2560 bytes for 80-bit security).
- They have a nice structure: defined over a small extension field, they resist structural attacks.
- We (Gerhard Hoffmann) implemented a CCA2-secure version of McEliece on a microcontroller.
Figure: from the PKC 2012 paper.
Signature
From a PKC to a signature scheme: RSA, yes; McEliece and Niederreiter, not directly.
CFS signature scheme
Let $m$ be the message to sign. We compute $M = h(m)$, with $h$ a hash function taking values in $\mathbb{F}_2^r$, and search for $e \in \mathbb{F}_2^n$ of given weight $t$ with $h(m) = H\,{}^t e$. Let $\gamma_H$ be a decoding algorithm.
1. $i \leftarrow 0$
2. while $h(m \,\|\, i)$ is not decodable do $i \leftarrow i + 1$
3. compute $e = \gamma_H(h(m \,\|\, i))$
Figure: CFS signature scheme.
The signer sends $\{e, j\}$ such that $h(m \,\|\, j) = H\,{}^t e$.
We need a dense family of codes: binary Goppa codes with $t$ small. The probability for a random element to be decodable (to lie in a ball of radius $t$ centred on a codeword) is about $1/t!$. We take $n = 2^m$, $m = 16$, $t = 9$, so we have 1 chance over $9! = 362880$ of getting a decodable word.
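The CFS loop of the previous slide (hash the message with a counter, retry until the syndrome is decodable, output the error pattern and the counter) in runnable form. This is an added example, not the author's code: the matrix H is a constructed random 6 x 10 matrix, the decoder γ_H is an exhaustive search over weight-t patterns standing in for the Goppa decoder, the hash is SHA-256 truncated to r bits, and the counter is appended as 8 big-endian bytes (all assumptions). The fraction of decodable syndromes for this toy matrix is computed directly rather than taken to be 1/t!, which is the estimate for binary Goppa codes.

```python
import hashlib
import random
from itertools import combinations

R, N, T = 6, 10, 2
_rng = random.Random(2013)                       # constructed, deterministic toy matrix
H = [[_rng.randint(0, 1) for _ in range(N)] for _ in range(R)]

def syndrome(e):
    """H ^t e over GF(2)."""
    return [sum(a * b for a, b in zip(row, e)) % 2 for row in H]

def hash_to_syndrome(m: bytes, i: int):
    """h(m || i): SHA-256 of message and counter, truncated to the first r bits."""
    d = hashlib.sha256(m + i.to_bytes(8, "big")).digest()
    return [(d[k // 8] >> (7 - k % 8)) & 1 for k in range(R)]

def gamma(s):
    """Toy gamma_H: exhaustive search for e of weight t with H ^t e = s (None if not decodable)."""
    for pos in combinations(range(N), T):
        e = [1 if j in pos else 0 for j in range(N)]
        if syndrome(e) == s:
            return e
    return None

def sign(m: bytes):
    """CFS signing: increment the counter until h(m || i) is decodable."""
    i = 0
    while (e := gamma(hash_to_syndrome(m, i))) is None:
        i += 1
    return e, i

def verify(m: bytes, e, i):
    """Check the weight of e and that H ^t e equals h(m || i)."""
    return sum(e) == T and syndrome(e) == hash_to_syndrome(m, i)

def decodable_fraction():
    """Share of the 2^r syndromes reachable by a weight-t pattern (the slide's 1/t!, measured)."""
    seen = {tuple(syndrome([1 if j in pos else 0 for j in range(N)]))
            for pos in combinations(range(N), T)}
    return len(seen) / 2 ** R
```

The expected number of hash evaluations per signature is the inverse of `decodable_fraction()`; on the slide's parameters that is 9!, which is the cost that makes CFS slow to sign and cheap to verify.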
How to improve this scheme (make it more practical)?
- QD codes (still dense).
- Implement the scheme on GPU (in progress; Keccak on GPU already done).
- Hash directly into decodable elements (hard, but in progress).
- Use a stream cipher instead of a hash function (semantic security?).
- Side-channel analysis: the signer decodes many times instead of once as in McEliece; implementation in hardware (FPGA, ASIC?); countermeasure: Berlekamp-Massey instead of Patterson.
- New constructions (from identification or one-time signatures).
Identification
- Generate a random matrix $H$ of size $r \times n$ and choose an integer $t$, the weight: $(H, t)$ is the public key.
- Each user receives $e$ of $n$ bits and weight $t$: this is the private key.
- Each user computes $S = H\,{}^t e$, just once for fixed $H$: $S$ is public.
A wants to prove to B that she knows the secret $e$ without revealing it. The protocol runs over $\lambda$ rounds, each of which is defined as follows.
Results
- Efficient (software) implementation of the signature scheme (submitted).
Figure: from El Yousfi's thesis.
- Security of the Fiat-Shamir transformation for n-pass schemes (Africacrypt 2012).
- Generalization to TRSS (WAIFI 2012).
- 3 rounds and cheating probability 1/2.
Hash function
How to hash?
How could $\varphi_{n,t}$ work?
Stream cipher
How to generate pseudo-random sequences?
- Improved schemes: XSYND (Africacrypt 2012), PSYND (submitted).
Figure: from Meziani's slides.
- Efficient implementations (submitted).
Conclusion and perspectives
- Encryption: study of the QC/QD constructions; identity-based encryption.
- Signature: FPGA implementation; smaller public keys.
- Identification: 3-pass and soundness 1/2; efficient implementation.
- Hash function and stream cipher: fast schemes; study of side-channel attacks.