Page 1

Cryptographic applications of codes in rank metric

Pierre Loidreau

CELAr and Université de Rennes

June 16th, 2009

Page 2

Introduction

Rank metric and cryptography

Gabidulin codes and linearized polynomials

McEliece type cryptosystems

AF-like cryptosystems

Page 3

Rank metric and cryptography

Page 4

History of cryptographic applications

Encryption schemes, [Gabidulin-Paramonov-Tretjakov 91]

→ Trapdoor: difficulty of decoding in rank metric.

Authentication codes, [Johansson 95]

ZK-identification scheme, [Chen 96]

Hash functions for MAC, [Safavi-Naini-Charnes 05]

Page 5

Rank metric

Definition (Rank of a vector)

Let $\gamma_1, \dots, \gamma_m$ be a basis of $\mathbb{F}_{q^m}/\mathbb{F}_q$. For $e = (e_1, \dots, e_n) \in (\mathbb{F}_{q^m})^n$, expand each coordinate in this basis, $e_i \mapsto (e_{1i}, \dots, e_{mi}) \in \mathbb{F}_q^m$. Then

$$\forall e \in \mathbb{F}_{q^m}^n,\quad \mathrm{Rk}(e) \stackrel{\mathrm{def}}{=} \mathrm{Rk}\begin{pmatrix} e_{11} & \cdots & e_{1n} \\ \vdots & \ddots & \vdots \\ e_{m1} & \cdots & e_{mn} \end{pmatrix}$$

Definition

$C \subset \mathbb{F}_{q^m}^n$ is an $(n, M, d)_r$-code if

$M = |C|$

Min. rank distance: $d = \min_{c_1 \neq c_2 \in C} \mathrm{Rk}(c_1 - c_2)$

Page 6

Bounds in rank metric

Volume of sphere: $q^{(m+n-1)t - t^2} \le S_t \le q^{(m+n+1)t - t^2}$

Volume of ball: $q^{(m+n-1)t - t^2} \le B_t \le q^{(m+n+1)t - t^2 + 1}$

Classical bounds

Singleton: $M \le q^{\min(m(n-d+1),\; n(m-d+1))}$ → MRD codes

Sphere-packing: $M\, B_{\lfloor (d-1)/2 \rfloor} \le q^{mn}$ → perfect codes

GV-like: $M\, B_{d-1} < q^{mn} \Longrightarrow \exists\, (n, M+1, d)_r$ code

Page 7

Proposition ([L.06])

No perfect codes exist.

For $C$ on the GV bound: if $mn \ge \log_q M = o(n)(m+n)$,

$$\frac{d}{m+n} \underset{n \to +\infty}{\sim} \frac{1}{2} - \frac{\sqrt{\log_q M}}{m+n}\,\sqrt{1 + \frac{(m-n)^2}{4 \log_q M}}$$

Page 8

Decoding problems for linear codes

Parameters

$C$ generated by matrix $G$

$y \in \mathbb{F}_{q^m}^n$, received vector

$t$ an integer

Problems

MDD: Find $x$ s.t. $\mathrm{Rk}(y - xG) = \min_{c \in C} \mathrm{Rk}(y - c)$

BDD: Find, if it exists, $x$ s.t. $\mathrm{Rk}(y - xG) \le t$

LD: Find all $x$ such that $\mathrm{Rk}(y - xG) \le t$

Are these search problems NP-hard?

Page 9

Solving BDD($t$) for $t \le \lfloor (d-1)/2 \rfloor$

Principle: find minimum-rank codewords in the code generated by

$$G' = \begin{pmatrix} G \\ y \end{pmatrix} = S\,(I_{k+1} \mid R)$$

System: $(\beta_1, \dots, \beta_t)\,(U_2 - U_1 R) = 0$

Methods

Try and solve, [Chabaud-Stern 96, Ourivski-Johansson 02]

Algo. type: Complexity
Basis enumeration: $\le (k+t)^3\, q^{(t-1)(m-t)+2}$
Coordinates enumeration: $\le (k+t)^3\, t^3\, q^{(t-1)(k+1)}$

Projection on the base field and use of Gröbner bases techniques, [Levy-Perret 06]

Page 10

Why use rank metric for cryptographic applications

Complexities of solving BDD($t$) for an $[n, k, d]$ code over $\mathbb{F}_{2^m}$

IS decoding: $\sim M(\mathbb{F}_{2^m})\, n^3\, 2^{\,n\left(H_2(t/n) - (1-R)\, H_2\left(t/((1-R)n)\right)\right)} = m^2 n^3\, 2^{\alpha n}$

Coord. enum.: $\le (k+t)^3\, t^3\, 2^{(\alpha_1 n - 1)(\alpha_2 n + 1)}$

Use of smaller public keys in McEliece type systems.

Page 11

Gabidulin codes and linearized polynomials

Page 12

Gabidulin codes

Let $a = (a_1, \dots, a_n) \in \mathbb{F}_{q^m}^n$, where the $a_i$'s are linearly independent over $\mathbb{F}_q$. Consider

$$G = \begin{pmatrix} a_1 & \cdots & a_n \\ \vdots & \ddots & \vdots \\ a_1^{[k-1]} & \cdots & a_n^{[k-1]} \end{pmatrix}, \quad \text{where } [i] \stackrel{\mathrm{def}}{=} q^i \qquad (1)$$

Definition ([Gabidulin85])

The code generated by $G$ is denoted $\mathrm{Gab}_k(a)$.

Page 13

Properties of the codes

They are MRD codes (which also implies MDS codes)

The dual of $\mathrm{Gab}_k(a)$ is a $\mathrm{Gab}_{n-k}(h)$

Rank distribution is known

Permutation group trivial, [Berger 03]

Page 14

Decoding algorithms

Algorithm: Complexity (mult. in $\mathbb{F}_{q^m}$), reference
Ext. Euclidean: $2t(n + 5t)$, [Gabidulin85]
Linear system solving: $2t(n + t^2/2)$, [Gabidulin91], [Roth91]
BM-like: $2t(n + 3t + t^2/4)$, [Richter-Plass 05]
WB-like: $2t(4n - t)$, [L.05]

Table: Decoding rank $t = \lfloor (d-1)/2 \rfloor$ errors in a $\mathrm{Gab}_{n-d+1}(g)$ code

Page 15

McEliece-like cryptosystems

Page 16

Description [Gabidulin-Paramonov-Tretjakov 91]

Parameters

$g = (g_1, \dots, g_n) \in \mathbb{F}_{q^m}^n$

Private key

$G$ generates $\mathrm{Gab}_k(g)$, correcting $t$ rank errors

$T$, an isometry of the rank metric

$Z$ of size $k \times t_1$ over $\mathbb{F}_{q^m}$

Public key

$$G_{pub} = S\,(G \mid \underbrace{Z}_{t_1 \text{ cols}})\, T \qquad (2)$$

Page 17

Encryption: $y = x\, G_{pub} + e$, with $\mathrm{Rk}(e) \le t - t_1$

Decryption

Compute $y\, T^{-1} = x\,(G \mid Z) + e\, T^{-1}$

Puncture on the last $t_1$ positions and decode

Security assumption: BDD($t$) difficult

Page 18

Properties in rank metric

Advantages

Fast encryption and decryption

Enables small keys (≤ 50 000 bits)

Security against reaction attacks

Drawbacks

Transmission rate not optimal

Weakness against message-resend attacks

ONLY ONE family of decodable codes is known → mandatory to scramble the structure

Page 19

History of systems

$G, G_1, G_2$, generator matrices of Gabidulin codes

$H$, parity-check matrix of a Gabidulin code

Scrambling matrix: $G_{pub} = SG + X$, [Gabidulin-Paramonov-Tretjakov 91]

Right scrambler: $G_{pub} = S\,(G \mid Z)\,T$, [Gabidulin-Ourivski 01]

Subcodes: $H_{pub} = S \begin{pmatrix} H \\ A \end{pmatrix}$, [Berger-L. 02]

Reducible rank codes: $G_{pub} = S \begin{pmatrix} G_1 & 0 \\ A & G_2 \end{pmatrix} T$, [Ourivski-Gabidulin-Honary-Ammar 03], [Berger-L. 04]

Page 20

Structural attacks [Overbeck06]

Principle for $G_{pub} = S\,(G \mid Z)\,T$

Quasi-stability under the action of the Frobenius $\alpha \mapsto \alpha^q \stackrel{\mathrm{def}}{=} \alpha^{[1]}$:

$$\mathrm{Gab}_k(g) \cap [\mathrm{Gab}_k(g)]^{[1]} = \mathrm{Gab}_{k-1}(g^{[1]})$$

Use the public key $G_{pub} = S\,(G \mid Z)\,T$ and compute

$$\underbrace{\begin{pmatrix} G_{pub} \\ \vdots \\ G_{pub}^{[n-k-1]} \end{pmatrix}}_{\mathbf{G}_{pub}} = \underbrace{\begin{pmatrix} S & \cdots & 0 \\ \vdots & \ddots & \vdots \\ 0 & \cdots & S^{[n-k-1]} \end{pmatrix}}_{\mathbf{S}} \;\underbrace{\begin{pmatrix} G & Z \\ \vdots & \vdots \\ G^{[n-k-1]} & Z^{[n-k-1]} \end{pmatrix}}_{(\mathbf{G} \mid \mathbf{Z})} \; T,$$

Page 21

Proposition

If $\dim(\ker_r(\mathbf{G}_{pub})) = 1$, then a decoder for the public code can be recovered in polynomial time.

Proof.

In that case

$$\ker_r(\mathbf{G}_{pub}) = \{\, T^{-1} (\alpha h \mid 0)^{\top},\ \alpha \in \mathbb{F}_{q^m} \,\},$$

Page 22

For security: choose $Z$ so that $\dim(\ker_r(\mathbf{G}_{pub})) > 1$

Proposition

If $1 \le \mathrm{Rk}(Z) \le (t_1 - \ell)/(n-k)$, then $\dim(\ker_r(\mathbf{G}_{pub})) \ge 1 + \ell$

Possible parameters

m = n | k | Rk(Z) | ℓ | t_1 | Key size (bits) | Decoding | k/n rate | Improv.
24 | 12 | 3 | 4 | 40 | 14 976 | > 2^83 | 19% | 35%
24 | 12 | 4 | 4 | 52 | 18 432 | > 2^83 | 15.8% | 33%

Same problem with reducible rank codes

Modifications imply an increased public-key size

Page 23

AF-like systems

Page 24

q-polynomials

Definition ([Øre33])

$$P(z) = \sum_{i=0}^{t} p_i\, z^{q^i}, \qquad p_i \in \mathbb{F}_{q^m}$$

If $p_t \ne 0$, $\deg_q(P) \stackrel{\mathrm{def}}{=} t$ is the q-degree of $P$.

Properties

Non-commutative ring with $+$, $\circ$

Euclidean algorithms on the left and on the right

Polynomial-time interpolation and root-finding algorithms

Page 25

Reconstruction problem

Parameters

$g \in \mathbb{F}_{q^m}^n$, support vector

$y \in \mathbb{F}_{q^m}^n$

$k, t$ integers

PR: Find $P$ of q-degree $\le k$ s.t. $\mathrm{Rk}(P(g) - y) \le t$

Link with other problems:

if $t \le \lfloor (n-k)/2 \rfloor$, equivalent to decoding $\mathrm{Gab}_k(g)$

if $t > \lfloor (n-k)/2 \rfloor$, supposed to be difficult ⇒ LD($y$, $t$) is difficult
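Added example, not from the slides: a toy Python model over $\mathbb{F}_{2^4}$ of the rank weight of page 5, the generator matrix (1) of page 12 and the q-polynomials of page 24, showing that $xG$ is the evaluation vector $P(g)$ of the q-polynomial with coefficients $x$ (the link of page 25) and, by enumerating $\mathrm{Gab}_2(g)$ for $g = (1, x, x^2, x^3)$, that its minimum rank distance reaches the Singleton value $n - k + 1 = 3$. The modulus $x^4 + x + 1$, the support $g$ and all function names are my own choices.

```python
from itertools import product
# Toy field F_{2^4} (q=2, m=4), modulus x^4+x+1 (my choice, not from the slides);
# an element is an int 0..15 whose bits are its coordinates in the basis 1,x,x^2,x^3.
M, MOD = 4, 0b10011
def gf_mul(a, b):  # carry-less product reduced mod x^4 + x + 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & (1 << M):
            a ^= MOD
        b >>= 1
    return r
def frob(a, i=1):  # a^[i] = a^(q^i): with q = 2, square i times
    for _ in range(i % M):
        a = gf_mul(a, a)
    return a
def rank_fq(vec):
    """Rank weight (page 5): rank over F_2 of the m x n matrix whose column i
    holds the basis coordinates of vec[i] (Gaussian elimination over F_2)."""
    rows = [[(e >> j) & 1 for e in vec] for j in range(M)]
    rank = 0
    for col in range(len(vec)):
        pivot = next((r for r in range(rank, M) if rows[r][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for r in range(M):
            if r != rank and rows[r][col]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[rank])]
        rank += 1
    return rank
def gabidulin_generator(g, k):  # matrix (1) of page 12: row i is g^[i]
    return [[frob(a, i) for a in g] for i in range(k)]
def qpoly_eval(p, z):  # P(z) = sum_i p_i z^{q^i}, the q-polynomial of page 24
    acc = 0
    for i, p_i in enumerate(p):
        acc ^= gf_mul(p_i, frob(z, i))
    return acc
def encode(x, g):
    """xG in Gab_k(g); it equals P(g) for P = sum_i x_i z^[i], i.e. a Gabidulin
    codeword is the evaluation vector of a q-polynomial of q-degree < k."""
    word = [0] * len(g)
    for x_i, row in zip(x, gabidulin_generator(g, len(x))):
        word = [w ^ gf_mul(x_i, a) for w, a in zip(word, row)]
    assert word == [qpoly_eval(x, a) for a in g]
    return word
def min_rank_distance(g, k):  # min rank weight of nonzero codewords; MRD means n-k+1
    return min(rank_fq(encode(list(x), g)) for x in product(range(1 << M), repeat=k) if any(x))
```

With this model, the all-ones vector has Hamming weight 4 but rank weight 1, which is why a rank-metric decoder treats it as a single error.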

Page 26

Description of the cryptosystem

Parameters

$g = (g_1, \dots, g_n) \in \mathbb{F}_{q^m}^n$, $k$

Private key:

$E = (E_1, \dots, E_n)$ of rank $W > (n-k)/2$ ⇒ there exists $Q \in GL_n(\mathbb{F}_q)$ such that $EQ = (\underbrace{0}_{n-W \text{ coords}} \mid E')$

q-polynomial $P$ of q-degree $k - 1 \le n - W$ over $\mathbb{F}_{q^m}$.

Public key:

$$K = \underbrace{P(g)}_{\in\, \mathrm{Gab}_k(g)} + E$$

Security assumption: PR($K$, $W$) difficult

Page 27

Encryption and decryption

Encryption: $y = x(g) + \alpha K + e$, where

$x$ has q-degree $k - 2 \le n - W$

$e$ of rank $t \le (n - k - W)/2$

$\alpha \in \mathbb{F}_{q^m}$ random

Decryption: write any vector as $v \stackrel{\mathrm{def}}{=} (\overbrace{\bar v}^{n-W} \mid V')$

We have

$$yQ = \big(\, x(gQ) + \alpha P(gQ) + eQ \;\big|\; Y' \,\big)$$

Decode $yQ$ in $\mathrm{Gab}_k(gQ)$ ⇒ $(x + \alpha P)(gQ)$

Since $\deg_q(x) < \deg_q(P)$ ⇒ $\alpha$

Since $k - 1 \le n - W$ ⇒ $x$

Security assumption: BDD($x(g) + \alpha K$, $t$) in some code is difficult

Page 28

Possible attacks

Solving the system

$$\big\{\, V(y_i) = (V \circ x)(g_i) + V(\alpha K_i),\ \forall\, i = 1, \dots, n,\quad \deg_q(V) \le t \,\big\}$$

Linearization: solve

$$V(y_i) = N(g_i) + U(K_i),\ \forall\, i = 1, \dots, n,\qquad \deg_q(V) \le t,\quad \deg_q(N) \le k + t - 2,\quad \deg_q(U) \le t$$

Linear system of $k + 3t + 1$ unknowns and $n$ equations

Page 29

Evolution of the system (I)

Parameters

$g = (g_1, \dots, g_n) \in \mathbb{F}_{q^m}^n$, $k$

Private key:

$E_i \in \mathbb{F}_{q^m}^W$, $i = 1, \dots, u$, of rank $W > (n-k)/2$.

$Q \in GL_n(\mathbb{F}_q)$

$P_i$, $i = 1, \dots, u$, of q-degree $k - 1 \le n - W$ over $\mathbb{F}_{q^m}$.

Public key:

$$\begin{cases} K_1 = P_1(g) + (0 \mid E_1)\,Q^{-1}, & \mathrm{Rk}(E_1) = W > (n-k)/2 \\ \quad\vdots \\ K_u = P_u(g) + (0 \mid E_u)\,Q^{-1}, & \mathrm{Rk}(E_u) = W > (n-k)/2 \end{cases}$$

Page 30

Evolution of the system (II)

Encryption: $y = x(g) + \sum_{i=1}^{u} \alpha_i K_i + e$, where

$x$ has q-degree $k - u - 1$

$e$ of rank $t \le (n - k - W)/2$

$\alpha_i \in \mathbb{F}_{q^m}$ random for all $i = 1, \dots, u$

Decryption:

We have

$$yQ = \Big(\, x(gQ) + \sum_{i=1}^{u} \alpha_i P_i(gQ) + eQ \;\Big|\; Y' \,\Big)$$

Decode $yQ$ in $\mathrm{Gab}_k(gQ)$ ⇒ $(x + \sum_i \alpha_i P_i)(gQ)$

Since $\deg_q(x) < k - 1 - u$ ⇒ $(\alpha_1, \dots, \alpha_u)$

Since $k - u \le n - W$ ⇒ $x$

Page 31

Possible attacks

Decoding attacks: solve the system

$$V(y) = (V \circ x)(g) + \sum_{i=1}^{u} V(\alpha_i K_i), \qquad \begin{cases} \deg_q(V) = \mathrm{Rk}(e) \\ \deg_q(x) = k - u - 1 \\ \alpha_i \in \mathbb{F}_{q^m} \end{cases}$$

Structural attacks:

Set

$$\mathbf{K} = \begin{pmatrix} K_1 \\ \vdots \\ K_u \end{pmatrix} = \begin{pmatrix} P_1(g) \\ \vdots \\ P_u(g) \end{pmatrix} + \begin{pmatrix} 0 & E_1 \\ \vdots & \vdots \\ 0 & E_u \end{pmatrix} Q^{-1}$$

Under some conditions one can apply Overbeck's approach to recover the secret elements

Page 32

Parameters

Compromise between attacks ⇒ not many choices for $u$

u | n = m | k | W | Rk(e) | key size (bits) | Rate
3 | 56 | 28 | 16 | 6 | 9408 | 44%
3 | 54 | 32 | 13 | 4 | 11664 | 44%

Page 33

Open problems

Are the discussed problems really NP-hard?

How to improve the arithmetic complexity of q-polynomials?

Johnson bound for Gabidulin codes and list-decoder?

How to construct new decodable families of rank metric codes?

What changes with the use of skew polynomials instead of q-polynomials?