Code-Based Public-Key Cryptography: Algorithms, Security, and Applications, Lecture notes of Quantum Computing

An overview of code-based public-key cryptography, focusing on algorithms, security, and applications. It covers topics such as error-correcting codes, Niederreiter public-key encryption scheme, McEliece/Niederreiter security, and syndrome decoding. The document also discusses the importance of reducing public key size and encryption/decryption speed, as well as sets of parameters for QC-MDPC-McEliece and hard structural problems like Goppa code distinguishing and reconstruction.

Typology: Lecture notes

2021/2022

Uploaded on 09/12/2022

Code-based Cryptography
ECRYPT-CSA Executive School on Post-Quantum Cryptography
2017
TU Eindhoven
Nicolas Sendrier


Linear Codes for Telecommunication

[Diagram: data ($k$ symbols) → linear expansion → codeword ($n > k$ symbols) → noisy channel → noisy codeword → decoding → data?]

[Shannon, 1948] (for a binary symmetric channel of error rate $p$):

Decoding probability $\to 1$ if $\frac{k}{n} = R < 1 - h(p)$

($h(p) = -p \log_2 p - (1-p) \log_2 (1-p)$, the binary entropy function)

Codes of rate $R$ can correct up to $\lambda n$ errors ($\lambda = h^{-1}(1 - R)$)

For instance 11% of errors for $R = 0.5$

Non constructive → no poly-time algorithm for decoding in general
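The Shannon bound above, worked numerically. This is an added example, not part of Sendrier's slides, and the function names are mine: it evaluates the binary entropy $h$, inverts it by bisection on $[0, 1/2]$ to get $\lambda = h^{-1}(1 - R)$, and reproduces the 11% figure for $R = 0.5$ as well as the value for any other rate.

```python
# Added example (not from the slides): the Shannon limit on the fraction of
# errors a rate-R code can correct, lambda = h^{-1}(1 - R), where h is the
# binary entropy function and h^{-1} its inverse on [0, 1/2].
import math


def binary_entropy(p: float) -> float:
    """h(p) = -p log2 p - (1-p) log2 (1-p), with the convention h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def inverse_binary_entropy(y: float, tol: float = 1e-12) -> float:
    """Return lambda in [0, 1/2] with h(lambda) = y; bisection works since h increases there."""
    if not 0.0 <= y <= 1.0:
        raise ValueError("entropy values lie in [0, 1]")
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if binary_entropy(mid) < y:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def correctable_error_fraction(rate: float) -> float:
    """lambda = h^{-1}(1 - R): below this error fraction, decoding succeeds with probability -> 1."""
    if not 0.0 < rate < 1.0:
        raise ValueError("rate must lie strictly between 0 and 1")
    return inverse_binary_entropy(1.0 - rate)


def reliable_rate_bound(p: float) -> float:
    """Capacity of the binary symmetric channel: rates R < 1 - h(p) are decodable (Shannon, 1948)."""
    return 1.0 - binary_entropy(p)


if __name__ == "__main__":
    for R in (0.25, 0.5, 0.75):
        lam = correctable_error_fraction(R)
        print(f"R = {R:.2f}: lambda = {lam:.4f} ({100 * lam:.1f}% errors), "
              f"check 1 - h(lambda) = {reliable_rate_bound(lam):.4f}")
```

The inverse is computed only on $[0, 1/2]$ because $h$ is symmetric about $1/2$; an error rate above $1/2$ on a binary symmetric channel is equivalent to one below it after flipping every received bit.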

Codes with Good Decoders Exist

Coding theory is about finding “good” codes (i.e. linear expansions)

  • alternant codes have a poly-time decoder for $\Theta\left(\frac{n}{\log n}\right)$ errors
  • some classes of codes have a poly-time decoder for $\Theta(n)$ errors (algebraic geometry, expander graphs, concatenation, ...)

Linear Codes for Cryptography

[Diagram: plaintext ($k$ symbols) → linear expansion → codeword ($n > k$ symbols) → intentionally add errors → ciphertext → decoding → plaintext]

  • If a random linear code is used, no one can decode efficiently
  • If a “good” code is used, anyone who knows the structure has access to a fast decoder

Assuming that the knowledge of the linear expansion does not reveal the code structure:

  • The linear expansion is public and anyone can encrypt
  • The decoder is known to the legitimate user who can decrypt
  • For anyone else, the code looks random

Outline

I. Introduction to Codes and Code-based Cryptography

II. Instantiating McEliece

III. Security Reduction to Difficult Problems

IV. Practical Security - The Attacks

V. Other Public Key Systems

I. Introduction to Codes and Code-based Cryptography

McEliece Public-key Encryption Scheme – Overview

Let $\mathcal{F}$ be a family of $t$-error correcting $q$-ary linear $[n, k]$ codes

Key generation: pick $C \in \mathcal{F}$ →

  • Public Key: $G \in \mathbb{F}_q^{k \times n}$, a generator matrix
  • Secret Key: $\Phi : \mathbb{F}_q^n \to C$, a $t$-bounded decoder

Encryption: $E_G : \mathbb{F}_q^k \to \mathbb{F}_q^n$, $x \mapsto xG + e$ with $e$ random of weight $t$

Decryption: $D_\Phi : \mathbb{F}_q^n \to \mathbb{F}_q^k$, $y \mapsto \Phi(y)G^*$ where $GG^* = 1$

Proof: $D_\Phi(E_G(x)) = D_\Phi(xG + e) = \Phi(xG + e)G^* = xGG^* = x$

Niederreiter Public-key Encryption Scheme – Overview

Let $\mathcal{F}$ be a family of $t$-error correcting $q$-ary $[n, k]$ codes, $r = n - k$

Let $S_n(0, t) = \{ e \in \mathbb{F}_q^n \mid |e| = t \}$

Key generation: pick $C \in \mathcal{F}$ →

  • Public Key: $H \in \mathbb{F}_q^{r \times n}$, a parity check matrix
  • Secret Key: $\Psi : \mathbb{F}_q^r \to \mathbb{F}_q^n$, a $t$-bounded $H$-syndrome decoder

Encryption: $E_H : S_n(0, t) \to \mathbb{F}_q^r$, $e \mapsto eH^T$

Decryption: $D_\Psi : \mathbb{F}_q^r \to S_n(0, t)$, $s \mapsto \Psi(s)$

Proof: $D_\Psi(E_H(e)) = D_\Psi(eH^T) = e$
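A toy instance of both schemes from the two slides above, as an added example that is not part of the original notes. It uses the binary $[7, 4]$ Hamming code ($t = 1$), whose matrices $G$, $H$ and right inverse $G^*$ I wrote down by hand; the decoders $\Phi$ and $\Psi$ are brute-force syndrome decoders, which is fine for $n = 7$ and hopeless at real sizes. The parameters are only meant to exercise the correctness proofs $D_\Phi(E_G(x)) = x$ and $D_\Psi(E_H(e)) = e$, not to be secure.

```python
# Added example (not from the slides): McEliece and Niederreiter over F_2 with
# the [7, 4] Hamming code, t = 1.  Matrices below are constructed by hand.
import itertools
import secrets

N, K, T = 7, 4, 1          # code length, dimension, correction capacity
R = N - K                  # number of parity-check equations

# Systematic generator matrix G = [I_4 | P] of the [7, 4] Hamming code (k x n).
G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
# Parity-check matrix H = [P^T | I_3] (r x n); G H^T = 0 over F_2 and all
# columns are distinct and non-zero, so any single error has a unique syndrome.
H = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]
# Right inverse G* (n x k) with G G* = I_k: for a systematic G it just selects
# the first k coordinates of a codeword.
G_STAR = [[1 if i == j else 0 for j in range(K)] for i in range(N)]


def vec_mat(x, M):
    """Row vector x times matrix M over F_2 (x has one entry per row of M)."""
    return [sum(x[i] & M[i][j] for i in range(len(M))) % 2 for j in range(len(M[0]))]


def transpose(M):
    return [list(col) for col in zip(*M)]


def add(a, b):
    return [u ^ v for u, v in zip(a, b)]


def random_error(n, t):
    """e in S_n(0, t): a random vector of weight exactly t (positions drawn from the OS CSPRNG)."""
    e = [0] * n
    for pos in secrets.SystemRandom().sample(range(n), t):
        e[pos] = 1
    return e


def psi(s):
    """t-bounded H-syndrome decoder Psi: the e with |e| <= t and e H^T = s (brute force)."""
    HT = transpose(H)
    for w in range(T + 1):
        for pos in itertools.combinations(range(N), w):
            e = [1 if i in pos else 0 for i in range(N)]
            if vec_mat(e, HT) == s:
                return e
    raise ValueError("syndrome is not decodable within t errors")


def phi(y):
    """t-bounded decoder Phi of the code: remove the error identified by the syndrome of y."""
    return add(y, psi(vec_mat(y, transpose(H))))


# McEliece: E_G(x) = xG + e, D_Phi(y) = Phi(y) G*
def mceliece_encrypt(x, e=None):
    e = random_error(N, T) if e is None else e
    return add(vec_mat(x, G), e)


def mceliece_decrypt(y):
    return vec_mat(phi(y), G_STAR)


# Niederreiter: E_H(e) = e H^T, D_Psi(s) = Psi(s); the plaintext is the error pattern itself.
def niederreiter_encrypt(e):
    if sum(e) != T:
        raise ValueError("plaintext must have weight exactly t")
    return vec_mat(e, transpose(H))


def niederreiter_decrypt(s):
    return psi(s)


def check_all_plaintexts():
    """Exhaustive check of both correctness proofs for this tiny code."""
    for x in itertools.product([0, 1], repeat=K):
        if mceliece_decrypt(mceliece_encrypt(list(x))) != list(x):
            return False
    for pos in itertools.combinations(range(N), T):
        e = [1 if i in pos else 0 for i in range(N)]
        if niederreiter_decrypt(niederreiter_encrypt(e)) != e:
            return False
    return True


if __name__ == "__main__":
    x = [1, 0, 1, 1]
    y = mceliece_encrypt(x)
    print("McEliece    :", x, "->", y, "->", mceliece_decrypt(y))
    e = [0, 0, 0, 0, 0, 1, 0]
    s = niederreiter_encrypt(e)
    print("Niederreiter:", e, "->", s, "->", niederreiter_decrypt(s))
    print("all plaintexts round-trip:", check_all_plaintexts())
```

Note how $\Phi$ is obtained from $\Psi$: decoding $y$ amounts to syndrome-decoding $yH^T$ and subtracting the error found, which is the relation between the two secret keys of the slides. In the real schemes the public matrices are kept while the fast decoder stays secret; here the matrices are in systematic Hamming form, so anyone can decode, which is exactly what a secure instance must avoid.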

In Practice

[McEliece, 1978] “A public-key cryptosystem based on algebraic coding theory”

The secret code family consisted of irreducible binary Goppa codes of length 1024, dimension 524, and correcting up to 50 errors

  • public key size: 536 576 bits
  • cleartext size: 524 bits
  • ciphertext size: 1024 bits

A bit undersized today (attacked in [Bernstein, Lange, & Peters, 08] with $\approx 2^{60}$ CPU cycles)

[Niederreiter, 1986] “Knapsack-type cryptosystems and algebraic coding theory”

Several families of secret codes were proposed, among them Reed-Solomon codes, concatenated codes and Goppa codes. Only Goppa codes are secure today.

II. Instantiating McEliece

More on Goppa Codes

Goppa codes are not limited to the binary case. It is possible to define $q$-ary Goppa codes with a support in $\mathbb{F}_{q^m}$.

[Bernstein, Lange, & Peters, 10]: Wild McEliece. The key size can be reduced in some cases. There are limits:

  • [Couvreur, Otmani, & Tillich, 14] Choose $m > 2$
  • [Faugère, Perret, & Portzamparc, 14] Caution if $q$ not prime

Reducing the Public Key Size

In a block-circulant matrix, each (square) block is completely defined by its first row → public key size is linear instead of quadratic

$$G = \begin{pmatrix} g_{0,0} & g_{0,1} & g_{0,2} \\ g_{1,0} & g_{1,1} & g_{1,2} \end{pmatrix}$$

  • Quasi-cyclic [Gaborit, 05] or quasi-dyadic [Misoczki & Barreto, 09] alternant (Goppa) codes. Structure + structure must be used with great care [Faugère, Otmani, Perret, & Tillich, 10]
  • Disguised QC-LDPC codes [Baldi & Chiaraluce, 07]. New promising trend.
  • QC-MDPC [Misoczki, Tillich, Sendrier, & Barreto, 13]. As above with a stronger security reduction.

Encryption/Decryption Speed

 m, t     sizes              cycles/byte          cycles/block         security
          cipher   clear     encrypt   decrypt    encrypt   decrypt
 11, 40   2048     1888      105       800        25K       189K       81
 12, 50   4096     3881      98        618        47K       300K       120

(Intel Xeon 3.4 GHz, single processor) 100 Kcycle ≈ 30 μs. AES: 10-20 cycles/byte

McBits [Bernstein, Chou, & Schwabe] gains a factor ≈ 5 on decoding (bit-sliced field arithmetic + algorithmic innovations for decoding). Targets a key exchange mechanism based on Niederreiter.

Some Sets of Parameters for QC-MDPC-McEliece

Binary QC-MDPC [n, k] code with parity check equations of weight w correcting t errors

 (n, k, w, t)               size in bits                security*
                            cipher    clear    key       message   key
 (9602, 4801, 90, 84)       9602      4801     4801      80        79
 (19714, 9857, 142, 134)    19714     9857     9857      128       129

* logarithm in base 2 of the cost of the best known attack; lower bound derived from ISD, BJMM variant

The best key attack and the best message attack are both based on generic decoding
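An added example, not part of the original notes, covering two points from this part: the block-circulant key compression of the "Reducing the Public Key Size" slide, and the key column of the QC-MDPC table above. A $p \times p$ circulant block is rebuilt from its first row, so a matrix of $n_0 \times n_1$ such blocks is stored in $n_0 n_1 p$ bits instead of $n_0 n_1 p^2$. The key sizes at the end use the table's $(n, k)$ values and the assumption (standard for QC-MDPC-McEliece, and consistent with the table's key column equalling $k$) that the public key is a systematic matrix $[I \mid Q]$ with $Q$ a single circulant block; the function names are mine.

```python
# Added example (not from the slides): block-circulant matrices and the
# storage they save for quasi-cyclic public keys.  Entries are bits (ints 0/1).


def circulant(first_row):
    """The p x p circulant block generated by first_row: row i is row 0 rotated right by i."""
    p = len(first_row)
    return [list(first_row) if i == 0 else first_row[-i:] + first_row[:-i] for i in range(p)]


def block_circulant(first_rows):
    """first_rows[i][j] is the first row of block (i, j); returns the full (n0*p) x (n1*p) matrix."""
    n0, n1 = len(first_rows), len(first_rows[0])
    p = len(first_rows[0][0])
    blocks = [[circulant(first_rows[i][j]) for j in range(n1)] for i in range(n0)]
    full = []
    for i in range(n0):
        for r in range(p):
            full.append([bit for j in range(n1) for bit in blocks[i][j][r]])
    return full


def compress(full, p):
    """Keep only the first row of every p x p block: all a quasi-cyclic key has to store."""
    n0, n1 = len(full) // p, len(full[0]) // p
    return [[full[i * p][j * p:(j + 1) * p] for j in range(n1)] for i in range(n0)]


def is_block_circulant(full, p):
    """True when every p x p block of `full` is the circulant of its own first row."""
    if len(full) % p or len(full[0]) % p:
        return False
    return block_circulant(compress(full, p)) == full


def key_bits(n, k, p):
    """(dense, quasi-cyclic) size in bits of a systematic key [I_k | Q], Q being k x (n-k).

    Dense: every entry of Q.  Quasi-cyclic: Q split into p x p circulant blocks,
    one first row (p bits) stored per block, i.e. linear in the dimensions.
    """
    if k % p or (n - k) % p:
        raise ValueError("p must divide both k and n - k")
    dense = k * (n - k)
    qc = (k // p) * ((n - k) // p) * p
    return dense, qc


if __name__ == "__main__":
    # Constructed 2 x 3 block layout with p = 3, mirroring the G of the slide.
    first_rows = [
        [[1, 0, 0], [0, 1, 1], [1, 1, 1]],
        [[1, 1, 0], [0, 0, 1], [0, 0, 0]],
    ]
    full = block_circulant(first_rows)
    for row in full:
        print("".join(map(str, row)))
    print("round-trips:", compress(full, 3) == first_rows, is_block_circulant(full, 3))
    # QC-MDPC parameter sets from the table: n = 2p, k = p, Q a single circulant block.
    for n, k in ((9602, 4801), (19714, 9857)):
        dense, qc = key_bits(n, k, k)
        print(f"n={n}, k={k}: dense key {dense} bits, quasi-cyclic key {qc} bits")
```

For both parameter sets of the table the quasi-cyclic key is exactly $k$ bits (4801 and 9857), against $k(n-k)$ bits for an unstructured systematic key of the same dimensions; that ratio of $p$ is the "linear instead of quadratic" saving of the slide.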