Code-Based Cryptography
I. Márquez-Corbella

1. Error-Correcting Codes and Cryptography
2. McEliece Cryptosystem
3. Message Attacks (ISD)
4. Key Attacks
5. Other Cryptographic Constructions Relying on Coding Theory

Mar 14, 2020


4. Key Attacks

1. Introduction
2. Support Splitting Algorithm
3. Distinguisher for GRS codes
4. Attack against subcodes of GRS codes
5. Error-Correcting Pairs
6. Attack against GRS codes
7. Attack against Reed-Muller codes
8. Attack against Algebraic Geometry codes
9. Goppa codes still resist

The Code Equivalence Problem of Linear Codes

Three notions of code equivalence:

• Permutation Code Equivalence (PCE)
• Semilinear Code Equivalence (SLCE)
• Linear Code Equivalence (LCE)

Permutation Code Equivalence (PE):

$C_1 \sim C_2 \iff \exists\, \sigma \in S_n \text{ (permutation)} : C_2 = \sigma(C_1) = \{\sigma(x) \mid x \in C_1\}$

Semilinear Code Equivalence (SLE):

$C_1 \overset{SLE}{\sim} C_2 \iff \exists\, \varphi : C_2 = \varphi(C_1)$

with $\varphi = (\sigma, \lambda, \alpha)$, where $\sigma \in S_n$ is a permutation, $\lambda = (\lambda_1, \ldots, \lambda_n) \in (\mathbb{F}_q^*)^n$ is a scalar vector, and $\alpha \in \mathrm{Aut}(\mathbb{F}_q)$ is a field automorphism.

The Code Equivalence Problem

INPUT: Two $[n, k]_q$ linear codes $C_1$ and $C_2$.

OUTPUT:
• (Decision): Is $C_1 \sim C_2$?
• (Computational): If $C_1 \sim C_2$, find $\sigma \in S_n$ such that $C_2 = \sigma(C_1)$.

• Complexity: The PE problem is not NP-complete, but it is at least as hard as the Graph Isomorphism Problem.
  E. Petrank and R. M. Roth, Is code equivalence easy to decide?, 1997.

• Known Algorithms:
  • The Support Splitting Algorithm for PE for $\mathbb{F}_2$, $\mathbb{F}_3$ and $\mathbb{F}_4$.
    N. Sendrier, Finding the permutation between equivalent linear codes: The Support Splitting Algorithm, IEEE Trans. on Inf. Theory, vol. 46(4), 2000.
    N. Sendrier and D. E. Simos, The hardness of code equivalence over $\mathbb{F}_q$ and its application to code-based cryptography, Post-Quantum Cryptography, volume 7932 of LNCS, 203-216, 2013.
  • Computation of canonical forms for LC over $\mathbb{F}_q$, with $q$ small.
    T. Feulner, The automorphism groups of linear codes and canonical representatives of their semilinear isometry classes, AMC, vol. 3 (4), p. 363-383, 2009.

Invariants

$V$ is an invariant if $C_1 \sim C_2 \Rightarrow V(C_1) = V(C_2)$.

The Weight Enumerator is an invariant: $C_1 \sim C_2 \Rightarrow W_{C_1}(X) = W_{C_2}(X)$.

Recall that $W_C(X) = \sum_{i=0}^{n} A_i X^i$ with $A_i = |\{c \in C \mid w_H(c) = i\}|$.

$W_{C_1}(X) = W_{C_2}(X)$ but $C_1 \not\sim C_2$:

Consider two binary $[6, 3]$ codes $C_1$ and $C_2$ with respective generator matrices:

$G_1 = \begin{pmatrix} 1 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 1 \end{pmatrix}$ and $G_2 = \begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 1 & 1 & 1 \\ 0 & 0 & 1 & 0 & 1 & 0 \end{pmatrix}$

• Both codes have the same weight distribution: 1, 0, 3, 0, 3, 0, 1
• But they are not permutation-equivalent!

Punctured code

Let:
• $C$ be an $[n, k]_q$ code
• $(J, \bar{J})$ be a partition of $\{1, \ldots, n\}$
• $x_J$ the restriction of $x \in \mathbb{F}_q^n$ to the coordinates indexed by $J$

[Figure: generator matrix $G$ with its columns split into blocks of width $|J|$ and $n - |J|$, one block labelled "Spans $C_J$"]

Punctured code $C_J$

The words of $C_J$ are codewords of $C$ restricted to the $J$-locations, i.e.

$C_J = \{c_J \mid c \in C\}$

Signature

$S$ is a signature if $S(C, i) = S(\sigma(C), \sigma(i))$.

Building a signature from an invariant: If $V$ is an invariant then,

$C \sim C' \Rightarrow \begin{cases} V(C) = V(C') \\ \{V(C_i) \mid i \in \{1, \ldots, n\}\} = \{V(C'_i) \mid i \in \{1, \ldots, n\}\} \end{cases}$

where $C_i$ is the punctured code $C$ on $i$.

Fully Discriminant Signatures

A signature $S$ is fully discriminant for $C$ if:

$S(C, i) \neq S(C, j)$ for all $i \neq j$

How to retrieve the permutation? Suppose that $C_2 = \sigma(C_1)$. If $S$ is fully discriminant for $C_1$ then:

$\forall i \in \{1, \ldots, n\},\ \exists$ unique $j$ such that $S(C_1, i) = S(C_2, j) \Rightarrow \sigma(i) = j$

An Example of Fully Discriminant Signature

Let $C = \{1110, 0111, 1010\}$ and $C' = \{0011, 1011, 1101\}$.

$\begin{cases} C_1 = \{110, 111, 010\} \to W_{C_1} = X + X^2 + X^3 \\ C_2 = \{110, 011\} \to W_{C_2} = 2X^2 \\ C_3 = \{110, 011, 100\} \to W_{C_3} = X + 2X^2 \\ C_4 = \{111, 011, 101\} \to W_{C_4} = 2X^2 + X^3 \end{cases}$

$\begin{cases} C'_1 = \{011, 101\} \to W_{C'_1} = 2X^2 \\ C'_2 = \{011, 111, 101\} \to W_{C'_2} = 2X^2 + X^3 \\ C'_3 = \{001, 101, 111\} \to W_{C'_3} = X + X^2 + X^3 \\ C'_4 = \{001, 101, 110\} \to W_{C'_4} = X + 2X^2 \end{cases}$

Thus $\sigma(1) = 3$, $\sigma(2) = 1$, $\sigma(3) = 4$ and $\sigma(4) = 2$.

Refined Signatures

Let $S$ be a signature and let $J$ be a subset of $\{1, \ldots, n\}$. Then $C \sim C' \Rightarrow C_J \sim C'_J$ (on the $C'$ side, $J$ stands for its image under the permutation).

Thus $S(C_J, i)$ and $S(C'_J, i)$ give additional information.

Example of Refined Signature

$C = \{01101, 01011, 01110, 10101, 11110\}$ and $C' = \{10101, 00111, 10011, 11100, 11011\}$

$W_{C_1}(X) = W_{C'_2}(X) \Rightarrow \sigma(1) = 2$
$W_{C_4}(X) = W_{C'_4}(X) \Rightarrow \sigma(4) = 4$
$W_{C_5}(X) = W_{C'_3}(X) \Rightarrow \sigma(5) = 3$

Note that: $W_{C_2}(X) = W_{C_3}(X) = W_{C'_1}(X) = W_{C'_5}(X)$.
Thus: positions $\{2, 3\}$ in $C$ and $\{1, 5\}$ in $C'$ cannot be discriminated.

$W_{C_{\{1,2\}}} = W_{C'_{\{2,5\}}} \Rightarrow \sigma(\{1, 2\}) = \{2, 5\}$
$W_{C_{\{1,3\}}} = W_{C'_{\{2,1\}}} \Rightarrow \sigma(\{1, 3\}) = \{2, 1\}$

Thus $\sigma(2) = 5$ and $\sigma(3) = 1$.
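
The permutation recovery worked through in the two signature examples above, together with the weight-enumerator counterexample from the Invariants slide, as an added Python example (not code from the slides or from Sendrier's implementation). It follows the slides' toy convention of treating a code as a set of bit strings and uses the plain weight enumerator of the punctured code as signature rather than a hull-based one; all function names are illustrative.

```python
from collections import Counter
from itertools import product


def span(rows):
    """All codewords of the binary linear code generated by `rows` (bit strings)."""
    n = len(rows[0])
    return frozenset(
        "".join(str(sum(c * int(r[p]) for c, r in zip(coef, rows)) % 2) for p in range(n))
        for coef in product((0, 1), repeat=len(rows))
    )


def puncture(words, positions):
    """Delete the given 1-based positions from every word; duplicates collapse."""
    return frozenset(
        "".join(b for p, b in enumerate(w, 1) if p not in positions) for w in words
    )


def weight_enum(words):
    """Weight enumerator as a sorted tuple of (weight, number of words)."""
    return tuple(sorted(Counter(w.count("1") for w in words).items()))


def signature(words, i, anchor=None):
    """S(C, i): weight enumerator of C punctured at i (and at an anchor, if given)."""
    return weight_enum(puncture(words, {i} if anchor is None else {i, anchor}))


def cells(labels):
    """Group positions that share the same signature label."""
    out = {}
    for pos, lab in labels.items():
        out.setdefault(lab, []).append(pos)
    return out


def apply_perm(word, sigma):
    """Move the symbol at position i to position sigma(i)."""
    out = [""] * len(word)
    for i, b in enumerate(word, 1):
        out[sigma[i] - 1] = b
    return "".join(out)


def recover_permutation(c1, c2):
    """Return sigma with c2 = sigma(c1) as a dict, or None if the signature fails."""
    n = len(next(iter(c1)))
    if len(c1) != len(c2) or n != len(next(iter(c2))):
        return None
    lab1 = {i: signature(c1, i) for i in range(1, n + 1)}
    lab2 = {j: signature(c2, j) for j in range(1, n + 1)}
    used = set()
    while True:
        k1, k2 = cells(lab1), cells(lab2)
        # The multiset of signatures is itself an invariant: it must agree.
        if {s: len(v) for s, v in k1.items()} != {s: len(v) for s, v in k2.items()}:
            return None
        # Positions whose signature is unique are matched directly.
        sigma = {v[0]: k2[s][0] for s, v in k1.items() if len(v) == 1}
        if len(sigma) == n:  # fully discriminant: check the candidate and stop
            ok = {apply_perm(w, sigma) for w in c1} == set(c2)
            return sigma if ok else None
        # Refinement: also puncture at an already matched pair (a, sigma(a)).
        fresh = [a for a in sorted(sigma) if a not in used]
        if not fresh:
            return None  # this signature cannot split the remaining positions
        a = fresh[0]
        used.add(a)
        lab1 = {i: (lab1[i], signature(c1, i, a)) for i in lab1}
        lab2 = {j: (lab2[j], signature(c2, j, sigma[a])) for j in lab2}


# Inputs copied from the slides: the two example word sets and the [6, 3] generators.
EX1 = ({"1110", "0111", "1010"}, {"0011", "1011", "1101"})
EX2 = ({"01101", "01011", "01110", "10101", "11110"},
       {"10101", "00111", "10011", "11100", "11011"})
G1 = ["110000", "001100", "000011"]
G2 = ["100010", "010111", "001010"]

if __name__ == "__main__":
    print(recover_permutation(*EX1))   # fully discriminant at once
    print(recover_permutation(*EX2))   # needs one refinement step
    print(weight_enum(span(G1)) == weight_enum(span(G2)),
          recover_permutation(span(G1), span(G2)))
```

On the two [6, 3] codes the function returns None although both weight enumerators agree: the multiset of punctured-code signatures is a finer invariant than the weight enumerator alone.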

Some notation

From now on, let $C$ be a linear code of length $n$ defined over $\mathbb{F}_q$. We denote

• Its dimension by $K(C)$.
• Its minimum distance by $d(C)$.

Support Splitting Algorithm

The Algorithm:

Input: A signature $S$ and two codes: $C_1$ and $C_2$.

1. Construct a sequence of signatures $S_0 = S, S_1, \ldots, S_r$ of increasing "discriminancy" such that $S_r$ is fully discriminant for $C_1$.
2. From $S_r$ we retrieve $\sigma$ such that $C_2 = \sigma(C_1)$.

Proposal of signature: $S(C, i) = W_{H(C_i)}(X)$ where $H(C) = C \cap C^{\perp}$

• For binary codes $C$ of length $n$ and $h = \dim(H(C))$, the (heuristic) complexity is $O\left(n^3 + 2^h n^2 \log(n)\right)$.
• When $h \to 0$, the algorithm runs in polynomial time.

N. Sendrier, Finding the permutation between equivalent linear codes: The Support Splitting Algorithm, IEEE Trans. on Inf. Theory, vol. 46(4), 2000.

Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.

‹ A Goppa code C = �(L, g) has :

K (C) � n � mt and d(C) � t + 1

‹ Let Gpub

2 Fk⇥n2 be the public key of the McEliece scheme.

1. We enumerate all polynomials g of degree t over Fm2 such that

k � n � mt .2. We check the equivalence with the public code.

There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)

Is necessary to use a large family of codesto make this attack ineffective

12

Page 53: Code-Based Cryptography - McEliece Cryptosystem · Other Cryptographic Constructions Relying on Coding Theory I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY. 4. Key Attacks 1. Introduction

Application in Code-Based Cryptography

The public key of the original McEliece scheme is a randomly permuted binary Goppa code.

Goppa code. Let:

• $L = (\alpha_1, \ldots, \alpha_n) \in \mathbb{F}_{2^m}$ with $\alpha_i \neq \alpha_j$ for all $i \neq j$.
• $g(X) \in \mathbb{F}_{2^m}[X]$ a monic separable polynomial with $\deg(g) = t$ and $g(\alpha_i) \neq 0 \ \forall i$.

$\Gamma(L, g) = \mathrm{Alt}_t(a, b) = (\mathrm{GRS}_t(a, b)) \cap \mathbb{F}_q$

with $a = L$ and $b_i = \frac{1}{g(a_i)}$.

• A Goppa code $C = \Gamma(L, g)$ has: $K(C) \geq n - mt$ and $d(C) \geq t + 1$.
• Let $G_{pub} \in \mathbb{F}_2^{k \times n}$ be the public key of the McEliece scheme.

1. We enumerate all polynomials $g$ of degree $t$ over $\mathbb{F}_{2^m}$ such that $k \geq n - mt$.
2. We check the equivalence with the public code.

There are $2^{498.55}$ binary Goppa codes!! (for $n = 1024$ and $t = 50$)

It is necessary to use a large family of codes to make this attack ineffective.


4. Key Attacks

1. Introduction
2. Support Splitting Algorithm
3. Distinguisher for GRS codes
4. Attack against subcodes of GRS codes
5. Error-Correcting Pairs
6. Attack against GRS codes
7. Attack against Reed-Muller codes
8. Attack against Algebraic Geometry codes
9. Goppa codes still resist