Code-Based Cryptography Error-Correcting Codes and Cryptography

Similar documents
Error-correcting Pairs for a Public-key Cryptosystem

List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem

Codes used in Cryptography

Attacks in code based cryptography: a survey, new results and open problems

List Decoding of Binary Goppa Codes up to the Binary Johnson Bound

: Error Correcting Codes. November 2017 Lecture 2

Code-Based Cryptography McEliece Cryptosystem

McEliece type Cryptosystem based on Gabidulin Codes

Outline. MSRI-UP 2009 Coding Theory Seminar, Week 2. The definition. Link to polynomials

The BCH Bound. Background. Parity Check Matrix for BCH Code. Minimum Distance of Cyclic Codes

Toward Secure Implementation of McEliece Decryption

Error Correction Review

: Error Correcting Codes. October 2017 Lecture 1

Code Based Cryptography

Errors, Eavesdroppers, and Enormous Matrices

Code Based Cryptology at TU/e

The Support Splitting Algorithm and its Application to Code-based Cryptography

Post-Quantum Cryptography

ECEN 604: Channel Coding for Communications

Cryptographic Engineering

Error-correcting codes and applications

Side-channel analysis in code-based cryptography

Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

Wild McEliece Incognito

Coding Theory and Applications. Solved Exercises and Problems of Cyclic Codes. Enes Pasalic University of Primorska Koper, 2013

RINGS: SUMMARY OF MATERIAL

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

Algebraic Geometry Codes. Shelly Manber. Linear Codes. Algebraic Geometry Codes. Example: Hermitian. Shelly Manber. Codes. Decoding.

Compact McEliece keys based on Quasi-Dyadic Srivastava codes

Error-correcting codes and Cryptography

New Generalized Sub Class of Cyclic-Goppa Code

ERROR CORRECTING CODES

1 Vandermonde matrices

Signing with Codes. c Zuzana Masárová 2014

Generalized Reed-Solomon Codes

Hexi McEliece Public Key Cryptosystem

An Overview to Code based Cryptography

Lecture Introduction. 2 Linear codes. CS CTT Current Topics in Theoretical CS Oct 4, 2012

Lecture 12: Reed-Solomon Codes

Generator Matrix. Theorem 6: If the generator polynomial g(x) of C has degree n-k then C is an [n,k]-cyclic code. If g(x) = a 0. a 1 a n k 1.

A Polynomial Time Attack against Algebraic Geometry Code Based Public Key Cryptosystems

24th Conference on ACA Santiago de Compostela Session on CACTC Computer Algebra Tales on Goppa Codes and McEliece Cryptography

Code-based Cryptography

Improved Timing Attacks against the Secret Permutation in the McEliece PKC

Cryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes

EE512: Error Control Coding

Error Correcting Codes: Combinatorics, Algorithms and Applications Spring Homework Due Monday March 23, 2009 in class

MATH32031: Coding Theory Part 15: Summary

Information Theory. Lecture 7

Coding problems for memory and storage applications

Cyclic codes. Vahid Meghdadi Reference: Error Correction Coding by Todd K. Moon. February 2008

A commutative algebra approach to linear codes

CRYPTANALYSE EN TEMPS POLYNOMIAL DU SCHÉMA DE MCELIECE BASÉ SUR LES CODES

Distributed Lossless Compression. Distributed lossless compression system

Cyclic codes: overview

An efficient structural attack on NIST submission DAGS

Notes 10: Public-key cryptography

Lecture 12. Block Diagram

Great Theoretical Ideas in Computer Science

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Chapter 6 Reed-Solomon Codes. 6.1 Finite Field Algebra 6.2 Reed-Solomon Codes 6.3 Syndrome Based Decoding 6.4 Curve-Fitting Based Decoding

A distinguisher for high-rate McEliece Cryptosystems

Berlekamp-Massey decoding of RS code

How SAGE helps to implement Goppa Codes and McEliece PKCSs

CYCLIC SIEVING FOR CYCLIC CODES

EE512: Error Control Coding

Lecture 12: November 6, 2017

FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes

Lecture Introduction. 2 Formal Definition. CS CTT Current Topics in Theoretical CS Oct 30, 2012

Recovering short secret keys of RLCE in polynomial time

2 Description of McEliece s Public-Key Cryptosystem

Communications II Lecture 9: Error Correction Coding. Professor Kin K. Leung EEE and Computing Departments Imperial College London Copyright reserved

Finite Fields. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Error Detection & Correction

ELG 5372 Error Control Coding. Lecture 12: Ideals in Rings and Algebraic Description of Cyclic Codes

7.1 Definitions and Generator Polynomials

And for polynomials with coefficients in F 2 = Z/2 Euclidean algorithm for gcd s Concept of equality mod M(x) Extended Euclid for inverses mod M(x)

McBits: Fast code-based cryptography

Wild McEliece Incognito

Lecture 19 : Reed-Muller, Concatenation Codes & Decoding problem

Fault Tolerance & Reliability CDA Chapter 2 Cyclic Polynomial Codes

Asymptotically good sequences of codes and curves

Operations with Polynomials

Decoding Procedure for BCH, Alternant and Goppa Codes defined over Semigroup Ring

Finite Fields. SOLUTIONS Network Coding - Prof. Frank H.P. Fitzek

Proof: Let the check matrix be

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

FPGA-based Key Generator for the Niederreiter Cryptosystem using Binary Goppa Codes

EECS Components and Design Techniques for Digital Systems. Lec 26 CRCs, LFSRs (and a little power)

Advanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

x n k m(x) ) Codewords can be characterized by (and errors detected by): c(x) mod g(x) = 0 c(x)h(x) = 0 mod (x n 1)

Cryptanalysis of the Wu}Dawson Public Key Cryptosystem

Math 512 Syllabus Spring 2017, LIU Post

Code-based Cryptography

p-adic fields Chapter 7

Skew Cyclic Codes Of Arbitrary Length

1. Algebra 1.5. Polynomial Rings

MTAT : Introduction to Coding Theory. Lecture 1

Fast Decoding Of Alternant Codes Using A Divison-Free Analog Of An Accelerated Berlekamp-Massey Algorithm

Lecture Notes Math 371: Algebra (Fall 2006) by Nathanael Leedom Ackerman

Transcription:

Code-Based Cryptography Error-Correcting Codes and Cryptography I. Márquez-Corbella 0

1. Error-Correcting Codes and Cryptography 1. Introduction I - Cryptography 2. Introduction II - Coding Theory 3. Encoding (Linear Transformation) 4. Parity Checking 5. Error Correcting Capacity 6. Decoding (A Difficult Problem) 7. Reed-Solomon Codes 8. Goppa Codes 9. McEliece Cryptosystem I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY

New codes from the GRS codes 1. Main disadvantage of GRS codes: Consider GRS k (a, b) of length n, then n q 1

New codes from the GRS codes 1. Main disadvantage of GRS codes: Consider GRS k (a, b) of length n, then n q 2. New codes from GRS: How to construct codes over small alphabets with the same features as GRS codes? 1

New codes from the GRS codes 1. Main disadvantage of GRS codes: Consider GRS k (a, b) of length n, then n q 2. New codes from GRS: How to construct codes over small alphabets with the same features as GRS codes? Construct a GRS over a large extension of F 1

New codes from the GRS codes 1. Main disadvantage of GRS codes: Consider GRS k (a, b) of length n, then n q 2. New codes from GRS: How to construct codes over small alphabets with the same features as GRS codes? Construct a GRS over a large extension of F C NEW = GRS F 1

Alternant codes a = (a 1,..., a n ) F n q m with a i a j for all i j b = (b 1,..., b n ) F n q m with b i 0 for all i. Alternant codes Alt r (a, b) = (GRS r (a, b)) F q 2

Alternant codes a = (a 1,..., a n ) F n q m with a i a j for all i j b = (b 1,..., b n ) F n q m with b i 0 for all i. = support = column multipliers Alternant codes Alt r (a, b) = (GRS r (a, b)) F q 2

Alternant codes - Parameters Proposition Alt r (a, b) is an [n, k, d] q code with k n mr and d r + 1 3

Decoding Alternant codes Alt r (a, b) GRS n r (a, c) 4

Decoding Alternant codes Alt r (a, b) GRS n r (a, c) Efficient decoding algorithms which correct up to t = d 1 2 4

Decoding Alternant codes Alt r (a, b) GRS n r (a, c) Efficient decoding algorithms which correct up to t = d 1 2 We have an efficient decoding algorithm for Alt r (a, b) which corrects up to d 1 2 = r 2 4

Goppa Codes L = (α 1,..., α n ) F q m with α i α j for all i j g(x) F q m[x] monic polynomial with deg(g) = t and g(α i ) 0, i 5

Goppa Codes L = (α 1,..., α n ) F q m with α i α j for all i j = support g(x) F q m[x] monic polynomial with deg(g) = t and g(α i ) 0, i = generator polynomial 5

Goppa Codes L = (α 1,..., α n ) F q m with α i α j for all i j g(x) F q m[x] monic polynomial with = support deg(g) = t and g(α i ) 0, i = generator polynomial Goppa Code Γ (L, g) = Alt t (a, b) = (GRS t (a, b)) F q with a = L and b i = 1 g(a i ) 5

Goppa Codes L = (α 1,..., α n ) F q m with α i α j for all i j g(x) F q m[x] monic polynomial with = support deg(g) = t and g(α i ) 0, i = generator polynomial Goppa Code Γ (L, g) = Alt t (a, b) = (GRS t (a, b)) F q with a = L and b i = 1 g(a i ) Proposition: Alternative definition of Goppa codes 5 c Γ (L, g) R c (X) = n j=1 c j X α j 0 mod g(x)

Alternative Definition of Goppa Codes n c Γ(L, g) c i p i,j = 0 for j = 1,..., t 1 i=1 with p i,j such that p i (X) = p i,0 + p i,1 X +... + p i,t 1 X t 1 1 mod g(x) X α i 6

Alternative Definition of Goppa Codes c Γ(L, g) n c i p i,j = 0 for j = 1,..., t 1 i=1 with p i,j such that p i (X) = p i,0 + p i,1 X +... + p i,t 1 X t 1 1 mod g(x) X α i Thus p 1,0 p n,0 H =..... Fq t n is a parity-check matrix for Γ(L, g) p 1,t 1 p n,t 1 6

Alternative Definition of Goppa Codes c Γ(L, g) n c i p i,j = 0 for j = 1,..., t 1 i=1 We claim that p i (X) g(x) g(α i) X α i g(α i ) 1 mod g(x) 1. g(x) g(α j ) has α j as zero. So g(x) g(α j ) is divisible by X α j 2. p i (X)(X α j ) = ( g(x) g(α j ) ) g(α j ) 1 = 1 g(x)g(α j ) 1 1 mod g(x) 6

Alternative Definition of Goppa Codes Let g(x) = g 0 + g 1 X +... + g t X t p i (X) g(x) g(α i) X α i g(α i ) 1 mod g(x) Result from the previous slide 7

Alternative Definition of Goppa Codes Let g(x) = g 0 + g 1 X +... + g t X t p i (X) t j=1 j 1 g j l=0 X l α j 1 l i g(α i ) 1 mod g(x) X j α j i X α i X j 1 + α i X j 2 +... + α j 1 i 7

Alternative Definition of Goppa Codes Let g(x) = g 0 + g 1 X +... + g t X t p i (X) t 1 l=0 t j=l+1 g j α j 1 l i g(α i ) 1 X l mod g(x) Rearrange the terms 7

Alternative Definition of Goppa Codes Let g(x) = g 0 + g 1 X +... + g t X t p i (X) t 1 l=0 t j=l+1 g j α j 1 l i g(α i ) 1 X l mod g(x) Thus we have the following expressions for p i,j : p i,0 = (g 1 + g 2 α i +... + g t α t 1 i )g(α i ) 1 p i,1 = (g 2 + g 3 α i +... + g t α t 2 i )g(α i ) 1... p i,t 1 = g t g(α i ) 1 7

Alternative Definition of Goppa Codes Let g(x) = g 0 + g 1 X +... + g t X t t 1 t p i (X) l=0 j=l+1 g j α j 1 l i g(α i ) 1 X l mod g(x) We find that H = CAB with 0 0 0 g t....... C = 0 0 g t... g 3, 0 g t g t 1 g 2 g t g t 1 g t 2 g 1 1 1 α 1 α n g(α 1 ) 1 0 A =..... and B =... α t 1 1 αn t 1 0 g(α n ) 1 7

Alternative Definition of Goppa Codes Since C is invertible H = A B = 1 1 α 1 α n..... α t 1 1 αn t 1 g(α 1 ) 1 0... 0 g(α n ) 1 is another parity check matrix for Γ(L, g) 8

Binary Goppa Codes L = (α 1,..., α n ) F 2 m with α i α j for all i j g(x) F 2 m[x] monic separable polynomial with deg(g) = t and g(α i ) 0, i Separable = All its roots are distinct = Square Free polynomial 9

Binary Goppa Codes L = (α 1,..., α n ) F 2 m with α i α j for all i j = support g(x) F 2 m[x] monic separable polynomial with deg(g) = t and g(α i ) 0, i = generator polynomial Separable = All its roots are distinct = Square Free polynomial 9

Binary Goppa Codes L = (α 1,..., α n ) F 2 m with α i α j for all i j = support g(x) F 2 m[x] monic separable polynomial with deg(g) = t and g(α i ) 0, i = generator polynomial Proposition The binary Goppa code Γ(L, g) has minimum distance d with d 2t + 1 9

Binary Goppa Codes Proposition Let g be a square free Goppa polynomial with coefficients in F 2 m. Then, Γ(L, g) = Γ(L, g 2 ) Proof: 10

Binary Goppa Codes Proposition Let g be a square free Goppa polynomial with coefficients in F 2 m. Then, Alt r (L, 1 g(α i ) ) =Γ(L, g) = Γ(L, 1 g2 ) = Alt 2r (L, g 2 (α i ) ) Proof: 10

Binary Goppa Codes Proposition Let g be a square free Goppa polynomial with coefficients in F 2 m. Then, the binary Goppa code Γ(L, g) has minimum distance d with d 2t + 1 Proof: 11

1. Error-Correcting Codes and Cryptography 1. Introduction I - Cryptography 2. Introduction II - Coding Theory 3. Encoding (Linear Transformation) 4. Parity Checking 5. Error Correcting Capacity 6. Decoding (A Difficult Problem) 7. Reed-Solomon Codes 8. Goppa Codes 9. McEliece Cryptosystem I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback