code-based cryptography - mceliece cryptosystem · 2015-06-29 · code-based cryptography 1....
Post on 19-Jul-2020
10 Views
Preview:
TRANSCRIPT
Code-Based Cryptography
1. Error-Correcting Codes and Cryptography2. McEliece Cryptosystem3. Message Attacks (ISD)4. Key Attacks
5. Other Cryptographic Constructions Relying on Coding Theory
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY
4. Key Attacks
1. Introduction2. Support Splitting Algorithm3. Distinguisher for GRS codes4. Attack against subcodes of GRS codes5. Error-Correcting Pairs6. Attack against GRS codes
7. Attack against Reed-Muller codes8. Attack against Algebraic Geometry codes9. Goppa codes still resist
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY
GRS codes for the McEliece scheme
‚ Generalized Reed-Solomon codes
H. Niederreiter.Knapsack-type cryptosystems and algebraic coding theory.Problems of Control and Information Theory, 15(2):159 � 166, 1986.
Parameters Key size Security level[256, 128, 129]256 67 ko 295
7Attack against this proposal:
V. M. Sidelnikov and S. O. Shestakov.On the insecurity of cryptosystems based on generalized Reed-Solomon codes.Discrete Math. Appl., 2:439�444, 1992.
1
GRS codes for the McEliece scheme
‚ Generalized Reed-Solomon codes
H. Niederreiter.Knapsack-type cryptosystems and algebraic coding theory.Problems of Control and Information Theory, 15(2):159 � 166, 1986.
Parameters Key size Security level[256, 128, 129]256 67 ko 295
7Attack against this proposal:
V. M. Sidelnikov and S. O. Shestakov.On the insecurity of cryptosystems based on generalized Reed-Solomon codes.Discrete Math. Appl., 2:439�444, 1992.
1
Filtration Attack for GRS codes
Suppose that we know:
Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)
Proposition: Assume that 2k � 1 n � 2
Ck�2 = GRSk�2(a,b) is the solution space of the following problem
c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2
In this way we build the following filtration
GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)
Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤
q
So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.
2
Filtration Attack for GRS codes
Suppose that we know:
Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)
Proposition: Assume that 2k � 1 n � 2
Ck�2 = GRSk�2(a,b) is the solution space of the following problem
c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2
Proof: [Sketch of the Proof]
In this way we build the following filtration
GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)
Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤
q
So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.
2
Filtration Attack for GRS codes
Suppose that we know:
Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)
Proposition: Assume that 2k � 1 n � 2
Ck�2 = GRSk�2(a,b) is the solution space of the following problem
c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2
Proof: [Sketch of the Proof]
Ck�1 ⇤ Ck = (Ck�1)2
In this way we build the following filtration
GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)
Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤
q
So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.
2
Filtration Attack for GRS codes
Suppose that we know:
Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)
Proposition: Assume that 2k � 1 n � 2
Ck�2 = GRSk�2(a,b) is the solution space of the following problem
c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2
Proof: [Sketch of the Proof]
Ck�1 ⇤ Ck = (Ck�1)2
(b ⇤ f (a)) ⇤ (b ⇤ g(a)) = (b ⇤ b) (fg)(a)
with deg(f ) < k � 1 , deg(g) < k ) deg(fg) < 2k � 2
In this way we build the following filtration
GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)
Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤
q
So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.
2
Filtration Attack for GRS codes
Suppose that we know:
Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)
Proposition: Assume that 2k � 1 n � 2
Ck�2 = GRSk�2(a,b) is the solution space of the following problem
c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2
In this way we build the following filtration
GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)
Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤
q
So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.
2
Filtration Attack for GRS codes
Suppose that we know:
Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)
Proposition: Assume that 2k � 1 n � 2
Ck�2 = GRSk�2(a,b) is the solution space of the following problem
c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2
In this way we build the following filtration
GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)
Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤
q
So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.
2
Filtration Attack for GRS codes
Suppose that we know:
Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)
Proposition: Assume that 2k � 1 n � 2
Ck�2 = GRSk�2(a,b) is the solution space of the following problem
c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2
In this way we build the following filtration
GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)
Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤
q
So we get the column multiplier b.
If b is known, a can becomputed by solving a linear system.
2
Filtration Attack for GRS codes
Suppose that we know:
Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)
Proposition: Assume that 2k � 1 n � 2
Ck�2 = GRSk�2(a,b) is the solution space of the following problem
c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2
In this way we build the following filtration
GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)
Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤
q
So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.2
Filtration Attack for GRS codes
1. Suppose that Ck = GRSk (a,b) is known.
2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a
0,b0)
where
a
0 = (a2, . . . , an) and b
0 = (b02, . . . , b
0n) with b0
j = bj(aj � a1)
3. We can build the filtration:
GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a
0,b0) ◆ GRS1(a0,b0)
4. Se we get the column multiplier b
0 and the support a
0.5. Repeat the process shortening in another position to
recover a completely.
3
Filtration Attack for GRS codes
1. Suppose that Ck = GRSk (a,b) is known.
2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a
0,b0)
where
a
0 = (a2, . . . , an) and b
0 = (b02, . . . , b
0n) with b0
j = bj(aj � a1)
3. We can build the filtration:
GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a
0,b0) ◆ GRS1(a0,b0)
4. Se we get the column multiplier b
0 and the support a
0.5. Repeat the process shortening in another position to
recover a completely.
3
Filtration Attack for GRS codes
1. Suppose that Ck = GRSk (a,b) is known.
2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a
0,b0)
where
a
0 = (a2, . . . , an) and b
0 = (b02, . . . , b
0n) with b0
j = bj(aj � a1)
It’s easy to get a generator matrix of S1( Ck )
G =
Generator matrixfor Ck
0
BBB@
1 a12 . . . a1n0 a22 . . . a2n...
... . . . ...0 ak2 . . . akn
1
CCCA
3. We can build the filtration:
GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a
0,b0) ◆ GRS1(a0,b0)
4. Se we get the column multiplier b
0 and the support a
0.5. Repeat the process shortening in another position to
recover a completely.
3
Filtration Attack for GRS codes
1. Suppose that Ck = GRSk (a,b) is known.
2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a
0,b0)
where
a
0 = (a2, . . . , an) and b
0 = (b02, . . . , b
0n) with b0
j = bj(aj � a1)
It’s easy to get a generator matrix of S1( Ck )
G =
Generator matrixfor Ck
0
BBB@
1 a12 . . . a1n0 a22 . . . a2n...
... . . . ...0 ak2 . . . akn
1
CCCAGenerator matrix
for S1( Ck )
3. We can build the filtration:
GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a
0,b0) ◆ GRS1(a0,b0)
4. Se we get the column multiplier b
0 and the support a
0.5. Repeat the process shortening in another position to
recover a completely.
3
Filtration Attack for GRS codes
1. Suppose that Ck = GRSk (a,b) is known.
2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a
0,b0)
where
a
0 = (a2, . . . , an) and b
0 = (b02, . . . , b
0n) with b0
j = bj(aj � a1)
3. We can build the filtration:
GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a
0,b0) ◆ GRS1(a0,b0)
4. Se we get the column multiplier b
0 and the support a
0.5. Repeat the process shortening in another position to
recover a completely.
3
Filtration Attack for GRS codes
1. Suppose that Ck = GRSk (a,b) is known.
2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a
0,b0)
where
a
0 = (a2, . . . , an) and b
0 = (b02, . . . , b
0n) with b0
j = bj(aj � a1)
3. We can build the filtration:
GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a
0,b0) ◆ GRS1(a0,b0)
4. Se we get the column multiplier b
0 and the support a
0.
5. Repeat the process shortening in another position torecover a completely.
3
Filtration Attack for GRS codes
1. Suppose that Ck = GRSk (a,b) is known.
2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a
0,b0)
where
a
0 = (a2, . . . , an) and b
0 = (b02, . . . , b
0n) with b0
j = bj(aj � a1)
3. We can build the filtration:
GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a
0,b0) ◆ GRS1(a0,b0)
4. Se we get the column multiplier b
0 and the support a
0.5. Repeat the process shortening in another position to
recover a completely.
3
Filtration Attack for GRS codes
Public Key: Kpub =
(a generator matrix of Cpub = GRSk (a,b)
and t =j
d(C)�12
k
The Algorithm: Assume that 2k � 1 n � 2
1. Determine the code
S1(Cpub) = GRSk�1(a0,b0)
2. Build the filtration:
GRSk (a,b)| {z }Cpub
◆ GRSk�1(a0,b0)| {z }
S1(Cpub)
◆ . . . ◆ GRS1(a0,b0)
3. Return b
0 and a
0
4
Filtration Attack for GRS codes
Public Key: Kpub =
(a generator matrix of Cpub = GRSk (a,b)
and t =j
d(C)�12
k
The Algorithm: Assume that 2k � 1 n � 21. Determine the code
S1(Cpub) = GRSk�1(a0,b0)
2. Build the filtration:
GRSk (a,b)| {z }Cpub
◆ GRSk�1(a0,b0)| {z }
S1(Cpub)
◆ . . . ◆ GRS1(a0,b0)
3. Return b
0 and a
0
4
Filtration Attack for GRS codes
Public Key: Kpub =
(a generator matrix of Cpub = GRSk (a,b)
and t =j
d(C)�12
k
The Algorithm: Assume that 2k � 1 n � 21. Determine the code
S1(Cpub) = GRSk�1(a0,b0)
2. Build the filtration:
GRSk (a,b)| {z }Cpub
◆ GRSk�1(a0,b0)| {z }
S1(Cpub)
◆ . . . ◆ GRS1(a0,b0)
3. Return b
0 and a
0
4
Filtration Attack for GRS codes
Public Key: Kpub =
(a generator matrix of Cpub = GRSk (a,b)
and t =j
d(C)�12
k
The Algorithm: Assume that 2k � 1 n � 21. Determine the code
S1(Cpub) = GRSk�1(a0,b0)
2. Build the filtration:
GRSk (a,b)| {z }Cpub
◆ GRSk�1(a0,b0)| {z }
S1(Cpub)
◆ . . . ◆ GRS1(a0,b0)
3. Return b
0 and a
0
4
Another (Filtration) Attack - Retrieving an ECP
Proposition 1:
Let C = GRSk(c,d) =) C? = GRSn�k(c,d?)
Then, A = GRSt+1(c, 1) and B = GRSt(c,d?)
is a t-ECP for C over Fq
Proposition 2: To compute a t-ECP for C = GRSk(a,b) it suffise tocompute a code of type B = GRSt(c,d?)
If we know C = GRSk(c,d) and B = GRSt(c,d?)
Then, A = GRSt+1(a, 1) =⇣B ⇤ C
⌘?
5
Another (Filtration) Attack - Retrieving an ECP
Proposition 1:
Let C = GRSk(c,d) =) C? = GRSn�k(c,d?)
Then, A = GRSt+1(c, 1) and B = GRSt(c,d?)
is a t-ECP for C over Fq
Proposition 2: To compute a t-ECP for C = GRSk(a,b) it suffise tocompute a code of type B = GRSt(c,d?)
If we know C = GRSk(c,d) and B = GRSt(c,d?)
Then, A = GRSt+1(a, 1) =⇣B ⇤ C
⌘?
5
Another (Filtration) Attack - Retrieving an ECP
Proposition 1:
Let C = GRSk(c,d) =) C? = GRSn�k(c,d?)
Then, A = GRSt+1(c, 1) and B = GRSt(c,d?)
is a t-ECP for C over Fq
Proposition 2: To compute a t-ECP for C = GRSk(a,b) it suffise tocompute a code of type B = GRSt(c,d?)
If we know C = GRSk(c,d) and B = GRSt(c,d?)
Then, A = GRSt+1(a, 1) =⇣B ⇤ C
⌘?
5
Another (Filtration) Attack - Retrieving an ECP
Proposition 1:
Let C = GRSk(c,d) =) C? = GRSn�k(c,d?)
Then, A = GRSt+1(c, 1) and B = GRSt(c,d?)
is a t-ECP for C over Fq
Proposition 2: To compute a t-ECP for C = GRSk(a,b) it suffise tocompute a code of type B = GRSt(c,d?)
If we know C = GRSk(c,d) and B = GRSt(c,d?)
Then, A = GRSt+1(a, 1) =⇣B ⇤ C
⌘?
5
Another (Filtration) Attack - Retrieving an ECP
Public Key: Kpub =
(a generator matrix of Cpub = GRSk (a,b)
and t =j
d(C)�12
k
The Algorithm: Assume that 2k � 1 n � 2
1. Determine the codes
C?pub = GRS2t(a,b
?) and S1(C?pub) = GRS2t�1(a
0,⇠ b
?)
2. Build the filtration:
GRS2t(a,b?)| {z }
C?pub
◆ GRS2t�1(a0,⇠ b
?)| {z }S1(C?
pub)
◆ . . . ◆ GRSt(a0,⇠ b
?)| {z }B
3. Return (A,B) which is an ECP for S1(C) where: A = (B ⇤ S1(C))?4. Note that: Correcting an error in the first position is not a difficult
problem.
6
Another (Filtration) Attack - Retrieving an ECP
Public Key: Kpub =
(a generator matrix of Cpub = GRSk (a,b)
and t =j
d(C)�12
k
The Algorithm: Assume that 2k � 1 n � 21. Determine the codes
C?pub = GRS2t(a,b
?) and S1(C?pub) = GRS2t�1(a
0,⇠ b
?)
2. Build the filtration:
GRS2t(a,b?)| {z }
C?pub
◆ GRS2t�1(a0,⇠ b
?)| {z }S1(C?
pub)
◆ . . . ◆ GRSt(a0,⇠ b
?)| {z }B
3. Return (A,B) which is an ECP for S1(C) where: A = (B ⇤ S1(C))?4. Note that: Correcting an error in the first position is not a difficult
problem.
6
Another (Filtration) Attack - Retrieving an ECP
Public Key: Kpub =
(a generator matrix of Cpub = GRSk (a,b)
and t =j
d(C)�12
k
The Algorithm: Assume that 2k � 1 n � 21. Determine the codes
C?pub = GRS2t(a,b
?) and S1(C?pub) = GRS2t�1(a
0,⇠ b
?)
2. Build the filtration:
GRS2t(a,b?)| {z }
C?pub
◆ GRS2t�1(a0,⇠ b
?)| {z }S1(C?
pub)
◆ . . . ◆ GRSt(a0,⇠ b
?)| {z }B
3. Return (A,B) which is an ECP for S1(C) where: A = (B ⇤ S1(C))?4. Note that: Correcting an error in the first position is not a difficult
problem.
6
Another (Filtration) Attack - Retrieving an ECP
Public Key: Kpub =
(a generator matrix of Cpub = GRSk (a,b)
and t =j
d(C)�12
k
The Algorithm: Assume that 2k � 1 n � 21. Determine the codes
C?pub = GRS2t(a,b
?) and S1(C?pub) = GRS2t�1(a
0,⇠ b
?)
2. Build the filtration:
GRS2t(a,b?)| {z }
C?pub
◆ GRS2t�1(a0,⇠ b
?)| {z }S1(C?
pub)
◆ . . . ◆ GRSt(a0,⇠ b
?)| {z }B
3. Return (A,B) which is an ECP for S1(C) where: A = (B ⇤ S1(C))?
4. Note that: Correcting an error in the first position is not a difficultproblem.
6
Another (Filtration) Attack - Retrieving an ECP
Public Key: Kpub =
(a generator matrix of Cpub = GRSk (a,b)
and t =j
d(C)�12
k
The Algorithm: Assume that 2k � 1 n � 21. Determine the codes
C?pub = GRS2t(a,b
?) and S1(C?pub) = GRS2t�1(a
0,⇠ b
?)
2. Build the filtration:
GRS2t(a,b?)| {z }
C?pub
◆ GRS2t�1(a0,⇠ b
?)| {z }S1(C?
pub)
◆ . . . ◆ GRSt(a0,⇠ b
?)| {z }B
3. Return (A,B) which is an ECP for S1(C) where: A = (B ⇤ S1(C))?4. Note that: Correcting an error in the first position is not a difficult
problem.
6
4. Key Attacks
1. Introduction2. Support Splitting Algorithm3. Distinguisher for GRS codes4. Attack against subcodes of GRS codes5. Error-Correcting Pairs6. Attack against GRS codes7. Attack against Reed-Muller codes
8. Attack against Algebraic Geometry codes9. Goppa codes still resist
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY
top related