Code-Based Cryptography - McEliece Cryptosystem
I. Márquez-Corbella
Sep 15, 2018
Page 1:

Code-Based Cryptography
McEliece Cryptosystem

I. Márquez-Corbella

Page 2:

2. McEliece Cryptosystem

1. Formal Definition
2. Security-Reduction Proof
3. McEliece Assumptions
4. Notions of Security
5. Critical Attacks - Semantic Secure Conversions
6. Reducing the Key Size
7. Reducing the Key Size - LDPC codes
8. Reducing the Key Size - MDPC codes
9. Implementation

I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY

Page 3:

McEliece Assumptions

The security of the McEliece Cryptosystem is based on two assumptions:

Assumption 1: Decoding a random linear code is a difficult problem.

Assumption 2: The generator matrix of a Goppa code looks random.


Page 6:

Syndrome Decoder

Given an $[n, k]_q$ code $C$ with parity check matrix $H \in \mathbb{F}_q^{(n-k)\times n}$. Let $y \in \mathbb{F}_q^n$ be the received word.

Minimum Distance Decoding (MDD): Find $x \in C$ such that $d_H(y, x)$ is minimized.

Syndrome Decoding (SD): Find $e \in \mathbb{F}_q^n$ with $He = Hy$ and $w_H(e)$ minimized.

In a linear code: $d_H(x, y) = w_H(x - y) = w_H(e)$ if $y = c + e$, i.e. $Hy = He$.

Minimal codewords: Consider $y = 0 \in \mathbb{F}_q^n$. Find $w \in C$ (i.e. $Hw = 0$) such that $w_H(w)$ is minimized.


Page 8:

The Syndrome Decoding (SD) problem

Assumption 1: Decoding a random linear code is a difficult problem.

Input:
- A matrix $H \in \mathbb{F}_2^{(n-k)\times n}$
- A syndrome $s \in \mathbb{F}_2^{n-k}$
- A weight $w \in \mathbb{Z}$

(Figure: the $(n-k) \times n$ matrix $H$ applied to $e$ gives the syndrome $s$, i.e. $eH^T = s$.)

Output:
(Decision): Does $e \in \mathbb{F}_2^n$ with $w_H(e) \le w$ such that $eH^T = s$ exist? NP-complete
(Computational): Find $e \in \mathbb{F}_2^n$ with $w_H(e) \le w$ such that $eH^T = s$. NP-difficult

E. R. Berlekamp, R. J. McEliece and H. C. A. van Tilborg. On the Inherent Intractability of Certain Coding Problems. IEEE Trans. Inf. Theory, Vol. 24, pp. 384-386, 1978.

A. Barg. Complexity Issues in Coding Theory. Chapter 7 in Handbook of Coding Theory, 1998.



Page 17:

The Syndrome Decoding (SD) problem

Assumption 1: Decoding a random linear code is a difficult problem.

The Bounded-Distance Decoding problem

Input:
- A matrix $H \in \mathbb{F}_2^{(n-k)\times n}$
- A syndrome $s \in \mathbb{F}_2^{n-k}$
- A weight $w \le \frac{d-1}{2}$

(Figure: the $(n-k) \times n$ matrix $H$ applied to $e$ gives the syndrome $s$, i.e. $eH^T = s$.)

(Computational): Find $e \in \mathbb{F}_2^n$ with $w_H(e) \le \frac{d-1}{2}$ such that $eH^T = s$. Conjectured NP-Hard

A. Barg. Complexity Issues in Coding Theory. Chapter 7 in Handbook of Coding Theory, 1998.
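The slides above define MDD, SD and bounded-distance decoding abstractly. The following Python walks all three through on the binary [7,4,3] Hamming code. It is an added example, not code from the slides or from the author: the parity-check matrix H, the codeword c, the error pattern e and the weight bounds are all constructed for illustration, and the exhaustive search over error patterns is there only to make the definitions checkable by hand (it is exactly the search whose cost Assumption 1 relies on for random codes of cryptographic size).

```python
"""Syndrome decoding (SD), minimum-distance decoding (MDD) and bounded-distance
decoding worked through on the binary [7,4,3] Hamming code.

Added example, not from the slides: the matrix H, the codeword c, the error
e and the weight bounds below are all constructed for illustration."""
from itertools import combinations, product
from math import comb

# Parity-check matrix of the [7,4,3] Hamming code over F_2: its columns are
# the seven nonzero vectors of F_2^3, so n = 7, n - k = 3, k = 4 and d = 3.
H = [
    [1, 0, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
N = len(H[0])


def syndrome(H, y):
    """s = H y^T over F_2 (the slides write the same thing as y H^T = s)."""
    return tuple(sum(h * v for h, v in zip(row, y)) % 2 for row in H)


def weight(v):
    """Hamming weight w_H(v)."""
    return sum(v)


def add(u, v):
    """Addition in F_2^n; u + v equals u - v, so d_H(u, v) = w_H(u + v)."""
    return tuple((a + b) % 2 for a, b in zip(u, v))


def codewords(H):
    """C = {c in F_2^n : H c^T = 0}, enumerated by brute force (2^7 = 128 words)."""
    return [c for c in product((0, 1), repeat=N) if not any(syndrome(H, c))]


def min_distance(H):
    """The 'minimal codewords' view: y = 0, so d = min w_H(c) over nonzero c in C."""
    return min(weight(c) for c in codewords(H) if any(c))


def error_patterns(n, w):
    """Every e in F_2^n with w_H(e) <= w, in order of increasing weight."""
    for t in range(w + 1):
        for support in combinations(range(n), t):
            e = [0] * n
            for i in support:
                e[i] = 1
            yield tuple(e)


def syndrome_decode(H, s, w):
    """Computational SD by exhaustive search: all e with w_H(e) <= w and H e^T = s.
    An empty list is the decision problem's answer 'no'."""
    return [e for e in error_patterns(N, w) if syndrome(H, e) == s]


def mdd_decode(H, y):
    """Minimum-distance decoding: the codeword(s) closest to y in d_H."""
    C = codewords(H)
    best = min(weight(add(y, c)) for c in C)
    return [c for c in C if weight(add(y, c)) == best]


def search_space_size(n, w):
    """Number of error patterns the exhaustive SD solver inspects: sum_{i<=w} C(n, i)."""
    return sum(comb(n, i) for i in range(w + 1))


def demo():
    d = min_distance(H)                     # 3 for this code
    c = (1, 1, 1, 0, 0, 0, 0)               # a codeword: H c^T = 0 (constructed)
    e = (0, 0, 0, 0, 1, 0, 0)               # a single error in position 4 (constructed)
    y = add(c, e)                           # received word y = c + e
    s = syndrome(H, y)                      # H y^T = H e^T: the syndrome depends on e only
    t = (d - 1) // 2                        # bounded-distance radius
    print("d =", d, " syndrome of y =", s, "(= column 4 of H)")
    print("SD with w =", t, "->", syndrome_decode(H, s, t))
    print("MDD ->", mdd_decode(H, y), " d_H(y, c) = w_H(e) =", weight(add(y, c)))
    # Beyond the bounded-distance radius the syndrome no longer pins e down:
    print("SD with w = 2 ->", len(syndrome_decode(H, s, 2)), "candidate patterns")
    print("patterns inspected for n = 7, w = 1:", search_space_size(7, 1))
    return c, e, y, s


if __name__ == "__main__":
    demo()
```

Running the script shows the chain the slides state: the syndrome of y equals the syndrome of e, SD with w = (d-1)/2 = 1 returns exactly e, and MDD returns exactly c at distance w_H(e). Raising w to 2 produces four error patterns with the same syndrome, which is why bounded-distance decoding needs the (d-1)/2 radius for a unique answer. The only tool the solver has is the search over sum_{i<=w} C(n, i) patterns; for a random H of cryptographic size that count is the exponential cost behind Assumption 1.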


Page 21:

The Syndrome Decoding (SD) problem

Assumption 1: Decoding a random linear code is a difficult problem.

The Goppa Parameterized Syndrome Decoding problem

Input:
- A matrix $H \in \mathbb{F}_2^{(n-k)\times n}$ with $k = n - mt$ and $n = 2^m$
- A syndrome $s \in \mathbb{F}_2^{n-k}$

(Figure: the $(n-k) \times n$ matrix $H$ applied to $e$ gives the syndrome $s$, i.e. $eH^T = s$.)

(Computational): Find $e \in \mathbb{F}_2^n$ with $w_H(e) \le \frac{n-k}{2}$ such that $eH^T = s$. NP-difficult

M. Finiasz. Nouvelles constructions utilisant des codes correcteurs d'erreurs en cryptographie à clef publique. PhD thesis, INRIA - École Polytechnique, 2004.

Page 22:

Distinguisher for Goppa codes

Assumption 2: The generator matrix of a Goppa code looks random.

$\mathcal{K}_{Goppa}$ = All generator matrices of an $[n, k]$-binary Goppa code

Goppa Code Distinguishing (GCD) problem (Conjectured NP-hard)
INPUT: A matrix $G \in \mathbb{F}_2^{k \times n}$
OUTPUT: Is $G \in \mathcal{K}_{Goppa}$?

1. There exists an efficient distinguisher for high-rate codes.
J.-C. Faugère, V. Gauthier-Umaña, A. Otmani, L. Perret and J. P. Tillich. A Distinguisher for High-Rate McEliece Cryptosystems. IEEE Trans. Inf. Theory 59(10), pp. 6830-6844, 2013.

2. General case: best-known attacks are based on the support splitting algorithm and have exponential runtime.
P. Loidreau, N. Sendrier. Weak keys in McEliece public-key cryptosystem. IEEE Trans. Inf. Theory 47(3), pp. 1207-1212.


Page 26:

McEliece Assumptions

We have seen that:

✓ The general decoding problem of a linear code whose parameters are those of a binary Goppa code is difficult in the average case.

✓ There exists no efficient distinguisher for Goppa codes.

Page 27:

2. McEliece Cryptosystem

1. Formal Definition
2. Security-Reduction Proof
3. McEliece Assumptions
4. Notions of Security
5. Critical Attacks - Semantic Secure Conversions
6. Reducing the Key Size
7. Reducing the Key Size - LDPC codes
8. Reducing the Key Size - MDPC codes
9. Implementation