Cryptanalysis of the Wu}Dawson Public Key Cryptosystem

Similar documents
2 Description of McEliece s Public-Key Cryptosystem

McEliece type Cryptosystem based on Gabidulin Codes

Ideals over a Non-Commutative Ring and their Application in Cryptology

Error-correcting codes and Cryptography

Vector spaces. EE 387, Notes 8, Handout #12

Code-Based Cryptography McEliece Cryptosystem

Code-based Cryptography

Attacking and defending the McEliece cryptosystem

A Fuzzy Sketch with Trapdoor

Decoding One Out of Many

Computers and Electrical Engineering

On the Security of Some Cryptosystems Based on Error-correcting Codes

Cryptanalysis of the TTM Cryptosystem

CRYPTANALYSE EN TEMPS POLYNOMIAL DU SCHÉMA DE MCELIECE BASÉ SUR LES CODES

Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems

Code Based Cryptology at TU/e

Errors, Eavesdroppers, and Enormous Matrices

Coset Decomposition Method for Decoding Linear Codes

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

Mathematics Department

Side-channel analysis in code-based cryptography

An Overview to Code based Cryptography

Computers and Mathematics with Applications

Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

A Fast Provably Secure Cryptographic Hash Function

A FUZZY COMMITMENT SCHEME WITH MCELIECE S CIPHER

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

AES side channel attacks protection using random isomorphisms

CRYPTOGRAPHY AND NUMBER THEORY

24th Conference on ACA Santiago de Compostela Session on CACTC Computer Algebra Tales on Goppa Codes and McEliece Cryptography

Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)

A Polynomial Time Attack against Algebraic Geometry Code Based Public Key Cryptosystems

Code-Based Cryptography Error-Correcting Codes and Cryptography

Error-correcting Pairs for a Public-key Cryptosystem

Vector Space Basics. 1 Abstract Vector Spaces. 1. (commutativity of vector addition) u + v = v + u. 2. (associativity of vector addition)

Cryptanalysis of a Knapsack Based Two-Lock Cryptosystem

Code-based cryptography

Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme

Tactical Decompositions of Steiner Systems and Orbits of Projective Groups

Algorithms to Compute Bases and the Rank of a Matrix

Linear Algebra for Beginners Open Doors to Great Careers. Richard Han

ANALYTICAL MATHEMATICS FOR APPLICATIONS 2018 LECTURE NOTES 3

Post-Quantum Code-Based Cryptography

Error-correcting pairs for a public-key cryptosystem

Applied Matrix Algebra Lecture Notes Section 2.2. Gerald Höhn Department of Mathematics, Kansas State University

Well known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne

A SHORT SUMMARY OF VECTOR SPACES AND MATRICES

On the Use of Structured Codes in Code Based Cryptography 1. Nicolas Sendrier

Working with Block Structured Matrices

Generalized hyper-bent functions over GF(p)

Notes 10: Public-key cryptography


Compact McEliece keys based on Quasi-Dyadic Srivastava codes

INVERSE OF A MATRIX [2.2] 8-1

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000

Cryptographic applications of codes in rank metric

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Quantum-resistant cryptography

Math 2174: Practice Midterm 1

A Smart Approach for GPT Cryptosystem Based on Rank Codes

Affine equivalence in the AES round function

Miscellaneous Results, Solving Equations, and Generalized Inverses. opyright c 2012 Dan Nettleton (Iowa State University) Statistics / 51

Topics. Vectors (column matrices): Vector addition and scalar multiplication The matrix of a linear function y Ax The elements of a matrix A : A ij

MaTRU: A New NTRU-Based Cryptosystem

output H = 2*H+P H=2*(H-P)

Introduction to Determinants

arxiv: v2 [cs.cr] 14 Feb 2018

Noisy Diffie-Hellman protocols

Error-correcting pairs for a public-key cryptosystem

from Lattice Reduction Problems MIT - Laboratory for Computer Science November 12, 1996 Abstract

Lecture 4: DES and block ciphers

Enhanced public key security for the McEliece cryptosystem

Public Key Cryptography

MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis

Review of Matrices and Block Structures

McBits: Fast code-based cryptography

Strengthening McEliece Cryptosystem

Division Property: a New Attack Against Block Ciphers

Binary Linear Codes G = = [ I 3 B ] , G 4 = None of these matrices are in standard form. Note that the matrix 1 0 0

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields

Hadamard Matrices, d-linearly Independent Sets and Correlation-Immune Boolean Functions with Minimum Hamming Weights

Background: Lattices and the Learning-with-Errors problem

Secret-sharing with a class of ternary codes

Error-Correcting Codes

CS Topics in Cryptography January 28, Lecture 5

Implementation of Automatic Invertible Matrix Mechanism in NTRU Matrix Formulation Algorithm

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

9 Knapsack Cryptography

Linear Algebra. and

Glossary of Linear Algebra Terms. Prepared by Vince Zaccone For Campus Learning Assistance Services at UCSB

Gurgen Khachatrian Martun Karapetyan

The idea is that if we restrict our attention to any k positions in x, no matter how many times we

Structural Cryptanalysis of SASAS

Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?

Some results on the existence of t-all-or-nothing transforms over arbitrary alphabets

Cryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes

1 Introduction An old folklore rooted in Brassard's paper [7] states that \cryptography" cannot be based on NPhard problems. However, what Brassard ha

Constructive aspects of code-based cryptography

Cryptanalysis of the Original McEliece Cryptosystem

An Overview on Post-Quantum Cryptography with an Emphasis. an Emphasis on Code based Systems

Transcription:

Finite Fields and Their Applications 5, 386}392 (1999) Article ID!ta.1999.0264, available online at http://www.idealibrary.com on Cryptanalysis of the Wu}Dawson Public Key Cryptosystem Peter Roelse Philips Crypto B.V., P.. Box 218, 5600 MD Eindhoven, The Netherlands E-mail address: p.roelse@crypto.philips.com Communicated by Received date A new public key cryptosystem was introduced by Wu and Dawson at the Fourth International Conference on Finite Fields (Fq4). This scheme is similar to the McEliece public key cryptosystem, in the sense that it also can be described in terms of linear error-correcting codes over "nite "elds. However, in contrast to the McEliece scheme, the security of the Wu}Dawson system is not based on a decoding problem which is assumed to be intractable but on the theory of generalized inverses of matrices over "nite "elds. The authors compare their scheme with the McEliece scheme and claim that the same level of security can be obtained using smaller codes, therefore reducing the key size. In this note it will be shown that the Wu}Dawson scheme is insecure, i.e., a trapdoor can be computed e$ciently from the knowledge of the public key. 1999 Academic Press Key =ords: Finite "elds; generalized inverses; error-correcting codes; cryptanalysis. 1. INTRDUCTIN The use of linear error-correcting codes over "nite "elds in cryptography dates back to 1978, when McEliece introduced a public key cryptosystem using Goppa codes [3]. The security of this scheme is based on the decoding problem for arbitrary linear error-correcting codes, which was shown to be NP-hard in [1]. Although the McEliece system attracted a lot of attention since its introduction, it is still unbroken. Two practical disadvantages of the scheme are message expansion and the large size of the keys used. The latter is the major drawback of the scheme. For a detailed discussion of the McEliece scheme (and related schemes), the reader is referred to [4]. Recently, a new public key cryptosystem was introduced by Wu and Dawson [5]. Their scheme, which will be described in Section 2, uses the 1071-5797/99 $30.00 Copyright 1999 by Academic Press All rights of reproduction in any form reserved. 386

CRYPTANALYSIS F THE WU}DAWSN PUBLIC KEY CRYPTSYSTEM 387 notion of generalized inverses of matrices over "nite "elds. The system is presented using error-correcting codes, although the error-correcting capability of the code is not used. However, this notation is convenient in the sense that it leads to a natural comparison with the McEliece scheme. They give a risk analysis of their scheme and conclude that the same level of security as in the McEliece system can be achieved by using smaller error-correcting codes, therefore reducing the size of the keys. In Section 3 a set of trapdoors for the encryption function will be described. The elements of this set can be computed e$ciently from the public key. A procedure for computing one particular element of this set is given, implying that the scheme is insecure. 2. THE WU}DAWSN SCHEME First some de"nitions and notations are given which are needed in the description of the Wu}Dawson scheme. If A3F mn then the set of generalized inverses of A is de"ned as G :"A3F nm AAA"A and the set of generalized re-inverses of A as R :"A3F nm AAA"A. The transposed matrix of A is denoted by A and the rank of A by rank(a). If rank(a)"r (4minm, n) then (see [5, Lemma 3]) G "q. (2.1) A linear error-correcting code of (block) length n over F is a linear subspace of F. If the dimension of this subspace is k then C is called an [n, k] code. Such a code can be represented by a generator matrix G3F kn for which the rows form a basis for C, i.e. C"mG m3f. Another way of representing the code is by a parity check matrix H3F (n!k)n of rank n!k such that GH"0, i.e., C"x3F xh"0. For more detailed information about the theory of error-correcting codes, the reader is referred to [2]. ¹he =u}dawson Public Key Cryptosystem Let C be an [n, k] code. Let G3F kn be a generator matrix and let H3F be a parity check matrix of the code C. Let H3F be an element of R.

388 PETER RELSE Public key: G, H. Encryption: The plain text m3f is encrypted into c3f by selecting a random vector e3f and computing c :"mg#e(h). Secret key: HH. Decryption: 1. Compute c!c(hh), which equals mg. 2. Select k linearly independent columns of G and solve the corresponding system of linear equations to retrieve m from mg. In their risk analysis the authors show that it is impractical to "nd H by searching through all generalized inverses of H (with r :"rank(h)), since Eq. (2.1) yields G "q/q. A similar argument holds for searching all possible parity check matrices for C (which can be computed using the publicly known generator matrix G) since the number of parity check matrices equals (q!q). Recall that the encryption function in the McEliece public key cryptosystem is given by c"mg#e, where G3F is the public key and e3f is a random vector of Hamming weight t. The secret key consists of a nonsingular matrix S3F and a permutation matrix P3F such that G"SGI P with GI 3F a generator matrix for a Goppa code (for which e$cient decoding algorithms exist). The value of t is small in comparison with n because it has to be correctable by such a decoding algorithm. McEliece suggested using a [1024, 524] Goppa code which is capable of correcting 50 ("t) errors. The best known attack on the McEliece scheme (when no extra assumptions are made such as that the same message is sent more than once) is based on a decoding algorithm for general linear codes. This attack consists of selecting k linearly independent columns of G. If the corresponding k positions of the cipher text are error free, the message can be revealed. A version of this attack, which is somewhat more e$cient in practice, uses a parity check matrix of the code and tries to trap all errors in n!k positions (see [4]). This attack can be applied directly to the Wu}Dawson scheme, but will be less e!ective since the vector e(h) is not necessarily of low (Hamming) weight. Wu and Dawson state that this seems the most e$cient attack and therefore conclude that the same level of security as that obtained in the McEliece scheme can be achieved using smaller codes, which is an important advantage in practical applications.

CRYPTANALYSIS F THE WU}DAWSN PUBLIC KEY CRYPTSYSTEM 389 3. CRYPTANALYSIS F THE SCHEME De"ne the set of suitable secret keys (trapdoors) S for the Wu}Dawson scheme as S :"R3F GR"0 and RH"H. Each element of this set can be used for decryption, since c!cr"mg. f course the key HH is in S, but of interest are the elements in this set that can be e$ciently computed using only the public key, i.e., independent of knowing the (secret) matrix H. The following theorem describes a subset of G which contains the matrix H. This set depends on the public key G, H only and not on the particular choice of the parity check matrix for the code. THEREM 3.1. et HI 3F be a parity check-matrix for the code C. et r denote the rank of H. If the set H is de,ned as H :"G HI H ) HI " (HI H)HI 3F (HI H)3G HI H, then (i) H"G HH ) H, (ii) H3HL G and (iii) H"q /q. Proof. (i) To show that the set H does not depend on the choice of the parity check matrix, note that HI "¹H for some non-singular ¹3F. Use this and the de"nition of a generalized inverse to show that G HI H "G HH ) ¹. This implies that H"G HI H ) HI "G HH ) ¹¹H"G HH ) H, i.e., H"(HH)H3F (HH)3G HH. (ii) Let (HH)H3F be an element of H. Multiplying the equality HH(HH)HH"HH ron both sides from the left with H and using HHH"H yields H(HH)HH"H, implying that (HH)H3G. The equality HHI HH"HHHH"HH yields I 3G and consequently H3H. (iii) From HHH"H it follows that rank(hh)"rank(h)"r. Using Eq. (2.1) shows that G "q. This is also the cardinality of the set H, since H has a right-inverse. From this theorem we see that H"H i! r"n!k. In this case HH3F is of rank n!k, i.e., G "(HH)"I, implying that HH"I. The (secret) matrix H can then be found by selecting an

390 PETER RELSE arbitrary parity check matrix HI for the code C and computing HI H. Inverting this matrix (which is possible since HI H"¹HH"¹I "¹) and multiplying this inverse from the right with HI yields H, so the secret key HH is revealed. If r(n!k (as suggested by Wu and Dawson) then the next corollary shows that replacing H in the secret key by any element of the set H still yields a trapdoor for the encryption function. CRLLARY 3.2. De,ne T :"H ) H"H(HI H)HI 3F (HI H)3 G HI H, then HH3TLS. Proof. If H(HI H)HI is an element of T, then G(H(HI H)HI )"GHI (H(HI H))"0. (3.1) From Theorem 3.1(ii) it follows that HH3H ) H"T and H ) H ) H"H. (3.2) Equations (3.1) and (3.2) imply that TLS. The following algorithm computes one of these trapdoors using (n) "eld operations. The input of the algorithm is the public key G, H. Without loss of generality, assume that the matrix G is in standard form, i.e., G"(I A) for some A3F. Algorithm 3.3. 1. Choose HI "(!A I ) and compute HI H. 2. Use Gaussian elimination to transform HI H to row echelon form, i.e., "nd a non-singular matrix S3F such that SHI H"; with ;3F a row echelon matrix. S represents the row operations on HI H needed for this transformation. 3. Find a permutation matrix P3F such that ;P" A A with A 3F a non-singular matrix, i.e., the "rst r columns of ;P are the pivot columns of ;. 4. Return HP A SHI.

CRYPTANALYSIS F THE WU}DAWSN PUBLIC KEY CRYPTSYSTEM 391 Proof. In order to show that the matrix returned in Step 4 of the algorithm is an element of the set T, note that A A A A A " A A, which implies A 3G SHI H P. The correctness of Algorithm 3.3 now follows from G HI H "PG SHI HP S, since S and P are invertible matrices. Remark 3.4. Consider the following slightly modi"ed version of Algorithm 3.3. In Step 2, "nd two non-singular matrices S, S 3F such that S HI HS " I. This can be done with Gaussian elimination: S and S represent the row and column operations respectively. The set of generalized inverses of S HI HS is given by G HI HS " I B B B 3F, with B 3F, B 3F, and B 3F arbitrary matrices. Select one element (S HI HS )3G HI HS and return the matrix HS (S HI HS )S HI. The correctness of this version follows from G HI H "S G HI HS S. Note that with this version any element of the set T can be computed with (n) "eld operations. However, if only one trapdoor is needed, Algorithm 3.3 is preferable, since it is more e$cient in practice. ACKNWLEDGMENT The author is grateful to the anonymous referees for their valuable remarks.

392 PETER RELSE REFERENCES 1. E. R. Berlekamp, R. J. McEliece, and H. C. A. van Tilborg, n the inherent intractability of certain coding problems, IEEE ¹rans. Inform. ¹heory 24 (1978), 384}386. 2. J. H. van Lint, &&Introduction to Coding Theory,'' 2nd ed., Graduate Texts in Mathematics, Vol. 114, Springer-Verlag, New York, 1992. 3. R. J. McElliece, &&A Public-Key Cryptosystem Based on Algebraic Coding Theory,'' DSN Progress Report 42}44, Jet Propulsion Laboratory, 1978. 4. J. van Tilburg, &&Security Analysis of a Class of Cryptosystems Based on Linear Error- Correcting Codes,'' Ph.D. thesis, KPN Research, The Netherlands, 1994. 5. C.-K. Wu and E. Dawson, &&Cryptographic Applications of Generalized Inverses of Matrices,'' preprint [Paper presented at the Fourth International Conference on Finite Fields, University of Waterloo, Canada, August 1997].

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback