code-based cryptography - mceliece cryptosystem · other cryptographic constructions relying on...
Post on 14-Mar-2020
10 Views
Preview:
TRANSCRIPT
Code-Based Cryptography
1. Error-Correcting Codes and Cryptography2. McEliece Cryptosystem3. Message Attacks (ISD)4. Key Attacks5. Other Cryptographic Constructions Relying on Coding Theory
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY
4. Key Attacks
1. Introduction2. Support Splitting Algorithm3. Distinguisher for GRS codes4. Attack against subcodes of GRS codes5. Error-Correcting Pairs6. Attack against GRS codes7. Attack against Reed-Muller codes8. Attack against Algebraic Geometry codes9. Goppa codes still resist
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY
The Code Equivalence Problem of Linear Codes
Permutation CodeEquivalence (PCE)
Semilinear CodeEquivalence (SLCE)
Linear CodeEquivalence (LCE)
Three notions of codeEquivalence:
1
The Code Equivalence Problem of Linear Codes
Permutation CodeEquivalence (PCE)
Semilinear CodeEquivalence (SLCE)
Linear CodeEquivalence (LCE)
Three notions of codeEquivalence:
Semilinear Code Equivalence (SLE)
C1SLE⇠ C2 () 9� : C2 = �(C1)
with � = ( � 2 Sn| {z }Permutation
,� = (�1, . . . ,�n) 2 (F⇤q)
n
| {z }Scalar
,↵ 2 Aut(Fq)| {z }Automorphism
)
1
The Code Equivalence Problem of Linear Codes
Permutation CodeEquivalence (PCE)
Semilinear CodeEquivalence (SLCE)
Linear CodeEquivalence (LCE)
Three notions of codeEquivalence:
Permutation Code Equivalence (PE)C1 ⇠ C2 () 9 � 2 Sn| {z }
Permutation
: C2 = �(C1) = {�(x) | x 2 C}
1
The Code Equivalence Problem of Linear Codes
Permutation CodeEquivalence (PCE)
Semilinear CodeEquivalence (SLCE)
Linear CodeEquivalence (LCE)
Three notions of codeEquivalence:
Permutation Code Equivalence (PE)C1 ⇠ C2 () 9 � 2 Sn| {z }
Permutation
: C2 = �(C1) = {�(x) | x 2 C}
1
The Code Equivalence Problem of Linear Codes
The Code Equivalence ProblemINPUT: Two [n, k ]q linear codes: C1 and C2
OUTPUT:
(Decision): Are C1 ⇠ C2?(Computational): If C1 ⇠ C2. Find � 2 Sn such that C2 = �(C1)
2
The Code Equivalence Problem of Linear Codes
The Code Equivalence ProblemINPUT: Two [n, k ]q linear codes: C1 and C2
OUTPUT:
(Decision): Are C1 ⇠ C2?(Computational): If C1 ⇠ C2. Find � 2 Sn such that C2 = �(C1)
2
The Code Equivalence Problem of Linear Codes
The Code Equivalence ProblemINPUT: Two [n, k ]q linear codes: C1 and C2
OUTPUT:(Decision): Are C1 ⇠ C2?
(Computational): If C1 ⇠ C2. Find � 2 Sn such that C2 = �(C1)
2
The Code Equivalence Problem of Linear Codes
The Code Equivalence ProblemINPUT: Two [n, k ]q linear codes: C1 and C2
OUTPUT:(Decision): Are C1 ⇠ C2?(Computational): If C1 ⇠ C2. Find � 2 Sn such that C2 = �(C1)
2
The Code Equivalence Problem of Linear Codes‹ Complexity: The PE problem is not NP-Complete but it is at least as
hard as Graph Isomorphism ProblemE. Petrank and R.M. Roth,Is code equivalence easy to decide?,1997.
‹ Known Algorithms:
• The Support Splitting Algorithm for PE for F2, F3 and F4N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.
N. Sendrier and D. E. SimosThe hardness of code equivalence over Fq and its application to code-based cryptography.Post-Quantum Cryptography, volume 7932 of LNCS, 203-216, 2013.
• Computation of canonical forms for LC over Fq, with qsmall.
T. Feulner,The automorphism groups of linear codes and canonical representatives of their semilinearisometry classes,AMC, vol. 3 (4), p. 363-383, 2009
3
The Code Equivalence Problem of Linear Codes‹ Complexity: The PE problem is not NP-Complete but it is at least as
hard as Graph Isomorphism ProblemE. Petrank and R.M. Roth,Is code equivalence easy to decide?,1997.
‹ Known Algorithms:• The Support Splitting Algorithm for PE for F2, F3 and F4
N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.
N. Sendrier and D. E. SimosThe hardness of code equivalence over Fq and its application to code-based cryptography.Post-Quantum Cryptography, volume 7932 of LNCS, 203-216, 2013.
• Computation of canonical forms for LC over Fq, with qsmall.
T. Feulner,The automorphism groups of linear codes and canonical representatives of their semilinearisometry classes,AMC, vol. 3 (4), p. 363-383, 2009
3
The Code Equivalence Problem of Linear Codes‹ Complexity: The PE problem is not NP-Complete but it is at least as
hard as Graph Isomorphism ProblemE. Petrank and R.M. Roth,Is code equivalence easy to decide?,1997.
‹ Known Algorithms:• The Support Splitting Algorithm for PE for F2, F3 and F4
N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.
N. Sendrier and D. E. SimosThe hardness of code equivalence over Fq and its application to code-based cryptography.Post-Quantum Cryptography, volume 7932 of LNCS, 203-216, 2013.
• Computation of canonical forms for LC over Fq, with qsmall.
T. Feulner,The automorphism groups of linear codes and canonical representatives of their semilinearisometry classes,AMC, vol. 3 (4), p. 363-383, 2009
3
InvariantsInvariants
V is an invariant if C1 ⇠ C2 ) V(C1) = V(C2)
The Weight Enumerator is an invariant: C1 ⇠ C2 ) WC1(X ) = WC2(X )
Recall that WC(X ) =nX
i=0
AiX i with Ai = | {c 2 C | wH(c) = i} |
WC1(X ) = WC2(X ) but C1 6⇠ C2
Consider two binary [6, 3] codes C1 and C2 with respective generator matrices:
G1 =
1 1 0 0 0 00 0 1 1 0 00 0 0 0 1 1
!and G2 =
1 0 0 0 1 00 1 0 1 1 10 0 1 0 1 0
!
‹ Both codes have the same weight distribution: 1, 0, 3, 0, 3, 0, 1‹ But they are not permutation-equivalent!
4
InvariantsInvariants
V is an invariant if C1 ⇠ C2 ) V(C1) = V(C2)
The Weight Enumerator is an invariant: C1 ⇠ C2 ) WC1(X ) = WC2(X )
Recall that WC(X ) =nX
i=0
AiX i with Ai = | {c 2 C | wH(c) = i} |
WC1(X ) = WC2(X ) but C1 6⇠ C2
Consider two binary [6, 3] codes C1 and C2 with respective generator matrices:
G1 =
1 1 0 0 0 00 0 1 1 0 00 0 0 0 1 1
!and G2 =
1 0 0 0 1 00 1 0 1 1 10 0 1 0 1 0
!
‹ Both codes have the same weight distribution: 1, 0, 3, 0, 3, 0, 1‹ But they are not permutation-equivalent!
4
InvariantsInvariants
V is an invariant if C1 ⇠ C2 ) V(C1) = V(C2)
The Weight Enumerator is an invariant: C1 ⇠ C2 ) WC1(X ) = WC2(X )
Recall that WC(X ) =nX
i=0
AiX i with Ai = | {c 2 C | wH(c) = i} |
WC1(X ) = WC2(X ) but C1 6⇠ C2
Consider two binary [6, 3] codes C1 and C2 with respective generator matrices:
G1 =
1 1 0 0 0 00 0 1 1 0 00 0 0 0 1 1
!and G2 =
1 0 0 0 1 00 1 0 1 1 10 0 1 0 1 0
!
‹ Both codes have the same weight distribution: 1, 0, 3, 0, 3, 0, 1‹ But they are not permutation-equivalent!
4
Punctured codeLet:
‹ C be an [n, k ]q code
‹ (J, J) be a partition of {1, . . . , n}‹ xJ the restriction of x 2 Fn
q to thecoordinates indexed by J
G =
Spans CJ
|J| n � |J|
Punctured code CJ
The words of CJ are codewords of C restricted to theJ-locations, i.e.
CJ =�
cJ | c 2 C
5
Punctured codeLet:
‹ C be an [n, k ]q code‹ (J, J) be a partition of {1, . . . , n}
‹ xJ the restriction of x 2 Fnq to the
coordinates indexed by J
G =
Spans CJ
|J| n � |J|
Punctured code CJ
The words of CJ are codewords of C restricted to theJ-locations, i.e.
CJ =�
cJ | c 2 C
5
Punctured codeLet:
‹ C be an [n, k ]q code‹ (J, J) be a partition of {1, . . . , n}‹ xJ the restriction of x 2 Fn
q to thecoordinates indexed by J
G =
Spans CJ
|J| n � |J|
Punctured code CJ
The words of CJ are codewords of C restricted to theJ-locations, i.e.
CJ =�
cJ | c 2 C
5
Punctured codeLet:
‹ C be an [n, k ]q code‹ (J, J) be a partition of {1, . . . , n}‹ xJ the restriction of x 2 Fn
q to thecoordinates indexed by J
G =
Spans CJ
|J| n � |J|
Punctured code CJ
The words of CJ are codewords of C restricted to theJ-locations, i.e.
CJ =�
cJ | c 2 C
5
Punctured codeLet:
‹ C be an [n, k ]q code‹ (J, J) be a partition of {1, . . . , n}‹ xJ the restriction of x 2 Fn
q to thecoordinates indexed by J
G =
Spans CJ
|J| n � |J|
Punctured code CJ
The words of CJ are codewords of C restricted to theJ-locations, i.e.
CJ =�
cJ | c 2 C
5
Punctured codeLet:
‹ C be an [n, k ]q code‹ (J, J) be a partition of {1, . . . , n}‹ xJ the restriction of x 2 Fn
q to thecoordinates indexed by J
G = Spans CJ
|J| n � |J|
Punctured code CJ
The words of CJ are codewords of C restricted to theJ-locations, i.e.
CJ =�
cJ | c 2 C
5
Signature
SignatureS is a signature if S(C, i) = S(�(C),�(i))
Building a signature from an invariant: If V is an invariant then,
C ⇠ C =)⇢
V(C) = V(C)
{V(Ci) | i 2 {1, . . . , n}} = {V(Ci) | i 2 {1, . . . , n}}
Where Ci is the punctured code C on i
6
Signature
SignatureS is a signature if S(C, i) = S(�(C),�(i))
Building a signature from an invariant: If V is an invariant then,
C ⇠ C =)⇢
V(C) = V(C)
{V(Ci) | i 2 {1, . . . , n}} = {V(Ci) | i 2 {1, . . . , n}}
Where Ci is the punctured code C on i
6
Signature
SignatureS is a signature if S(C, i) = S(�(C),�(i))
Building a signature from an invariant: If V is an invariant then,
C ⇠ C =)⇢
V(C) = V(C)
{V(Ci) | i 2 {1, . . . , n}} = {V(Ci) | i 2 {1, . . . , n}}Where Ci is the punctured code C on i
6
Signature
SignatureS is a signature if S(C, i) = S(�(C),�(i))
Building a signature from an invariant: If V is an invariant then,
C ⇠ C =)⇢
V(C) = V(C){V(Ci) | i 2 {1, . . . , n}} = {V(Ci) | i 2 {1, . . . , n}}
Where Ci is the punctured code C on i
6
Fully Discriminant Signatures
Fully Discriminant SignaturesA signature S is fully discriminant for C if:
S(C, i) 6= S(C, j) for all i 6= j
How to retrieve the permutation? Suppose that C2 = �(C1)If S is fully discriminant for C then:
8i 2 {1, . . . , n}, 9 unique j such that S(C1, i) = S(C2, j)
=) �(i) = j
7
Fully Discriminant Signatures
Fully Discriminant SignaturesA signature S is fully discriminant for C if:
S(C, i) 6= S(C, j) for all i 6= j
How to retrieve the permutation? Suppose that C2 = �(C1)
If S is fully discriminant for C then:
8i 2 {1, . . . , n}, 9 unique j such that S(C1, i) = S(C2, j)
=) �(i) = j
7
Fully Discriminant Signatures
Fully Discriminant SignaturesA signature S is fully discriminant for C if:
S(C, i) 6= S(C, j) for all i 6= j
How to retrieve the permutation? Suppose that C2 = �(C1)If S is fully discriminant for C then:
8i 2 {1, . . . , n}, 9 unique j such that S(C1, i) = S(C2, j)
=) �(i) = j
7
Fully Discriminant Signatures
Fully Discriminant SignaturesA signature S is fully discriminant for C if:
S(C, i) 6= S(C, j) for all i 6= j
How to retrieve the permutation? Suppose that C2 = �(C1)If S is fully discriminant for C then:
8i 2 {1, . . . , n}, 9 unique j such that S(C1, i) = S(C2, j) =) �(i) = j
7
Fully Discriminant SignaturesAn Example of Fully Discriminant Signature
Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}
8>><
>>:
C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3
C2 = {110, 011} �! WC2 = 2X 2
C3 = {110, 011, 100} �! WC3 = X + 2X 2
C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3
8>>><
>>>:
C1 = {011, 101} �! WC1= 2X 2
C2 = {011, 111, 101} �! WC2= 2X 2 + X 3
C3 = {001, 101, 111} �! WC3= X + X 2 + X 3
C4 = {001, 101, 110} �! WC4= X + 2X 2
Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 2
8
Fully Discriminant SignaturesAn Example of Fully Discriminant Signature
Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}8>><
>>:
C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3
C2 = {110, 011} �! WC2 = 2X 2
C3 = {110, 011, 100} �! WC3 = X + 2X 2
C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3
8>>><
>>>:
C1 = {011, 101} �! WC1= 2X 2
C2 = {011, 111, 101} �! WC2= 2X 2 + X 3
C3 = {001, 101, 111} �! WC3= X + X 2 + X 3
C4 = {001, 101, 110} �! WC4= X + 2X 2
Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 2
8
Fully Discriminant SignaturesAn Example of Fully Discriminant Signature
Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}8>><
>>:
C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3
C2 = {110, 011} �! WC2 = 2X 2
C3 = {110, 011, 100} �! WC3 = X + 2X 2
C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3
8>>><
>>>:
C1 = {011, 101} �! WC1= 2X 2
C2 = {011, 111, 101} �! WC2= 2X 2 + X 3
C3 = {001, 101, 111} �! WC3= X + X 2 + X 3
C4 = {001, 101, 110} �! WC4= X + 2X 2
Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 2
8
Fully Discriminant SignaturesAn Example of Fully Discriminant Signature
Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}8>><
>>:
C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3
C2 = {110, 011} �! WC2 = 2X 2
C3 = {110, 011, 100} �! WC3 = X + 2X 2
C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3
8>>><
>>>:
C1 = {011, 101} �! WC1= 2X 2
C2 = {011, 111, 101} �! WC2= 2X 2 + X 3
C3 = {001, 101, 111} �! WC3= X + X 2 + X 3
C4 = {001, 101, 110} �! WC4= X + 2X 2
Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 28
Fully Discriminant SignaturesAn Example of Fully Discriminant Signature
Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}8>><
>>:
C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3
C2 = {110, 011} �! WC2 = 2X 2
C3 = {110, 011, 100} �! WC3 = X + 2X 2
C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3
8>>><
>>>:
C1 = {011, 101} �! WC1= 2X 2
C2 = {011, 111, 101} �! WC2= 2X 2 + X 3
C3 = {001, 101, 111} �! WC3= X + X 2 + X 3
C4 = {001, 101, 110} �! WC4= X + 2X 2
Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 28
Fully Discriminant SignaturesAn Example of Fully Discriminant Signature
Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}8>><
>>:
C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3
C2 = {110, 011} �! WC2 = 2X 2
C3 = {110, 011, 100} �! WC3 = X + 2X 2
C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3
8>>><
>>>:
C1 = {011, 101} �! WC1= 2X 2
C2 = {011, 111, 101} �! WC2= 2X 2 + X 3
C3 = {001, 101, 111} �! WC3= X + X 2 + X 3
C4 = {001, 101, 110} �! WC4= X + 2X 2
Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 28
Fully Discriminant SignaturesAn Example of Fully Discriminant Signature
Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}8>><
>>:
C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3
C2 = {110, 011} �! WC2 = 2X 2
C3 = {110, 011, 100} �! WC3 = X + 2X 2
C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3
8>>><
>>>:
C1 = {011, 101} �! WC1= 2X 2
C2 = {011, 111, 101} �! WC2= 2X 2 + X 3
C3 = {001, 101, 111} �! WC3= X + X 2 + X 3
C4 = {001, 101, 110} �! WC4= X + 2X 2
Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 28
Refined Signatures
Refined SignatureLet S be a signature. Let J be a subset of {1, . . . , n} If C ⇠ C =) CJ ⇠ CJ
Thus S(CJ , i) and S(CJ , i) give additional information.
Example of Refined Signature
C =
⇢01101, 01011,
01110, 10101, 11110
�and C =
⇢10101, 00111,
10011, 11100, 11011
�
9
Refined Signatures
Refined SignatureLet S be a signature. Let J be a subset of {1, . . . , n} If C ⇠ C =) CJ ⇠ CJ
Thus S(CJ , i) and S(CJ , i) give additional information.
Example of Refined Signature
C =
⇢01101, 01011,
01110, 10101, 11110
�and C =
⇢10101, 00111,
10011, 11100, 11011
�
9
Refined SignaturesRefined Signature
Let S be a signature. Let J be a subset of {1, . . . , n} If C ⇠ C =) CJ ⇠ CJ
Thus S(CJ , i) and S(CJ , i) give additional information.
Example of Refined Signature
C =
⇢01101, 01011,
01110, 10101, 11110
�and C =
⇢10101, 00111,
10011, 11100, 11011
�
WC1(X ) = WC2(X ) =) �(1) = 2
WC4(X ) = WC4(X ) =) �(4) = 4
WC5(X ) = WC3(X ) =) �(5) = 3
9
Refined Signatures
Refined SignatureLet S be a signature. Let J be a subset of {1, . . . , n} If C ⇠ C =) CJ ⇠ CJ
Thus S(CJ , i) and S(CJ , i) give additional information.
Example of Refined Signature
C =
⇢01101, 01011,
01110, 10101, 11110
�and C =
⇢10101, 00111,
10011, 11100, 11011
�
Note that: WC2(X ) = WC3(X ) = WC1(X ) = WC5
(X ).Thus: positions {2, 3} in C and {1, 5} in C cannot be discriminated
9
Refined SignaturesRefined Signature
Let S be a signature. Let J be a subset of {1, . . . , n} If C ⇠ C =) CJ ⇠ CJ
Thus S(CJ , i) and S(CJ , i) give additional information.
Example of Refined Signature
C =
⇢01101, 01011,
01110, 10101, 11110
�and C =
⇢10101, 00111,
10011, 11100, 11011
�
Note that: WC2(X ) = WC3(X ) = WC1(X ) = WC5
(X ).Thus: positions {2, 3} in C and {1, 5} in C cannot be discriminated
WC{1,2} = WC{2,5}=) �({1, 2}) = {2, 5}
WC{1,3} = WC{2,1}=) �({1, 3}) = {2, 1}
Thus �(2) = 5 and �(3) = 19
Refined SignaturesRefined Signature
Let S be a signature. Let J be a subset of {1, . . . , n} If C ⇠ C =) CJ ⇠ CJ
Thus S(CJ , i) and S(CJ , i) give additional information.
Example of Refined Signature
C =
⇢01101, 01011,
01110, 10101, 11110
�and C =
⇢10101, 00111,
10011, 11100, 11011
�
Note that: WC2(X ) = WC3(X ) = WC1(X ) = WC5
(X ).Thus: positions {2, 3} in C and {1, 5} in C cannot be discriminated
WC{1,2} = WC{2,5}=) �({1, 2}) = {2, 5}
WC{1,3} = WC{2,1}=) �({1, 3}) = {2, 1}
Thus �(2) = 5 and �(3) = 19
Some notation
From now on, let C be a linear code of length n defined over Fq. We denote
• Its dimension by K (C) .
• Its minimum distance by d(C) .
10
Support Splitting AlgorithmThe Algorithm:
Input: A signature S and two codes: C1 and C2.1. Construct a sequence of signatures:
S0 = S,S1, . . . ,Sr
of increasing “discriminancy” such that Sr isfully discriminant for C.
2. From Sr we retrieve � such that C2 = �(C1)
Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?
• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O
⇣n3 + 2hn2 log(n)
⌘
• When h �! 0, Then the Algorithm runs in polynomial time.
N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.
11
Support Splitting AlgorithmThe Algorithm:
Input: A signature S and two codes: C1 and C2.
1. Construct a sequence of signatures:
S0 = S,S1, . . . ,Sr
of increasing “discriminancy” such that Sr isfully discriminant for C.
2. From Sr we retrieve � such that C2 = �(C1)
Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?
• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O
⇣n3 + 2hn2 log(n)
⌘
• When h �! 0, Then the Algorithm runs in polynomial time.
N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.
11
Support Splitting AlgorithmThe Algorithm:
Input: A signature S and two codes: C1 and C2.1. Construct a sequence of signatures:
S0 = S,S1, . . . ,Sr
of increasing “discriminancy” such that Sr isfully discriminant for C.
2. From Sr we retrieve � such that C2 = �(C1)
Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?
• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O
⇣n3 + 2hn2 log(n)
⌘
• When h �! 0, Then the Algorithm runs in polynomial time.
N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.
11
Support Splitting AlgorithmThe Algorithm:
Input: A signature S and two codes: C1 and C2.1. Construct a sequence of signatures:
S0 = S,S1, . . . ,Sr
of increasing “discriminancy” such that Sr isfully discriminant for C.
2. From Sr we retrieve � such that C2 = �(C1)
Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?
• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O
⇣n3 + 2hn2 log(n)
⌘
• When h �! 0, Then the Algorithm runs in polynomial time.
N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.
11
Support Splitting AlgorithmThe Algorithm:
Input: A signature S and two codes: C1 and C2.1. Construct a sequence of signatures:
S0 = S,S1, . . . ,Sr
of increasing “discriminancy” such that Sr isfully discriminant for C.
2. From Sr we retrieve � such that C2 = �(C1)
Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?
• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O
⇣n3 + 2hn2 log(n)
⌘
• When h �! 0, Then the Algorithm runs in polynomial time.
N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.
11
Support Splitting AlgorithmThe Algorithm:
Input: A signature S and two codes: C1 and C2.1. Construct a sequence of signatures:
S0 = S,S1, . . . ,Sr
of increasing “discriminancy” such that Sr isfully discriminant for C.
2. From Sr we retrieve � such that C2 = �(C1)
Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?
• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O
⇣n3 + 2hn2 log(n)
⌘
• When h �! 0, Then the Algorithm runs in polynomial time.
N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.
11
Support Splitting AlgorithmThe Algorithm:
Input: A signature S and two codes: C1 and C2.1. Construct a sequence of signatures:
S0 = S,S1, . . . ,Sr
of increasing “discriminancy” such that Sr isfully discriminant for C.
2. From Sr we retrieve � such that C2 = �(C1)
Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?
• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O
⇣n3 + 2hn2 log(n)
⌘
• When h �! 0, Then the Algorithm runs in polynomial time.N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.
11
Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.
‹ A Goppa code C = �(L, g) has :
K (C) � n � mt and d(C) � t + 1
‹ Let Gpub
2 Fk⇥n2 be the public key of the McEliece scheme.
1. We enumerate all polynomials g of degree t over Fm2 such that
k � n � mt .2. We check the equivalence with the public code.
There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)
Is necessary to use a large family of codesto make this attack ineffective
12
Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.
Goppa codeLet:
‹ L = (↵1, . . . ,↵n) 2 F2m with ↵i 6= ↵j for all i 6= j .‹ g(X ) 2 F2m [X ] monic separable polynomial with deg(g) = t and g(↵i) 6= 08i
�(L, g) = Altt(a,b) = (GRSt(a,b)) \ Fq
with a = L and bi =1
g(ai)
‹ A Goppa code C = �(L, g) has :
K (C) � n � mt and d(C) � t + 1
‹ Let Gpub
2 Fk⇥n2 be the public key of the McEliece scheme.
1. We enumerate all polynomials g of degree t over Fm2 such that
k � n � mt .2. We check the equivalence with the public code.
There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)
Is necessary to use a large family of codesto make this attack ineffective
12
Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.
‹ A Goppa code C = �(L, g) has :
K (C) � n � mt and d(C) � t + 1
‹ Let Gpub
2 Fk⇥n2 be the public key of the McEliece scheme.
1. We enumerate all polynomials g of degree t over Fm2 such that
k � n � mt .2. We check the equivalence with the public code.
There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)
Is necessary to use a large family of codesto make this attack ineffective
12
Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.
‹ A Goppa code C = �(L, g) has :
K (C) � n � mt and d(C) � t + 1
‹ Let Gpub
2 Fk⇥n2 be the public key of the McEliece scheme.
1. We enumerate all polynomials g of degree t over Fm2 such that
k � n � mt .2. We check the equivalence with the public code.
There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)
Is necessary to use a large family of codesto make this attack ineffective
12
Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.
‹ A Goppa code C = �(L, g) has :
K (C) � n � mt and d(C) � t + 1
‹ Let Gpub
2 Fk⇥n2 be the public key of the McEliece scheme.
1. We enumerate all polynomials g of degree t over Fm2 such that
k � n � mt .
2. We check the equivalence with the public code.There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)
Is necessary to use a large family of codesto make this attack ineffective
12
Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.
‹ A Goppa code C = �(L, g) has :
K (C) � n � mt and d(C) � t + 1
‹ Let Gpub
2 Fk⇥n2 be the public key of the McEliece scheme.
1. We enumerate all polynomials g of degree t over Fm2 such that
k � n � mt .2. We check the equivalence with the public code.
There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)
Is necessary to use a large family of codesto make this attack ineffective
12
Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.
‹ A Goppa code C = �(L, g) has :
K (C) � n � mt and d(C) � t + 1
‹ Let Gpub
2 Fk⇥n2 be the public key of the McEliece scheme.
1. We enumerate all polynomials g of degree t over Fm2 such that
k � n � mt .2. We check the equivalence with the public code.
There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)
Is necessary to use a large family of codesto make this attack ineffective
12
Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.
‹ A Goppa code C = �(L, g) has :
K (C) � n � mt and d(C) � t + 1
‹ Let Gpub
2 Fk⇥n2 be the public key of the McEliece scheme.
1. We enumerate all polynomials g of degree t over Fm2 such that
k � n � mt .2. We check the equivalence with the public code.
There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)
Is necessary to use a large family of codesto make this attack ineffective
12
4. Key Attacks
1. Introduction2. Support Splitting Algorithm3. Distinguisher for GRS codes4. Attack against subcodes of GRS codes5. Error-Correcting Pairs6. Attack against GRS codes7. Attack against Reed-Muller codes8. Attack against Algebraic Geometry codes9. Goppa codes still resist
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY
top related