Codes and Lattices in Cryptography

Code-based systems belong to the most promising candidates for post-quantumcryptography. They are highly efficient. By easing the constraints on storagecapacity for key material, technological progress has paved the way for theirpractical deployment. Yet, do we feel certain enough of their security to rec-ommend wide-spread adoption?

While the last 25 years since the first proposal of such a system byR.J. McEliece have seen a steady stream of research into their security, this ef-fort pales in comparison to the scrutiny devoted to currently deployed systemslike RSA and ECC.

Efficient lattice reduction algorithms have been very potent tools of crypt-analysis of many public-key cryptosystems. Applied to code-based systemsthis tool has turned out to be a very blunt one since the lift of cryptographi-cally useful error-correcting codes yields lattices of intractably high dimensionswith an abundance of short vectors.

Yet, the question still remains open whether there is more than the surfaceparallelism between, say, the decoding problem and the closest vector problemin a lattice, whether cross-fertilization between the research into the securityof code- and lattice-based cryptosystems is possible.

This small workshop undertakes an exploration of this question and hopesto stimulate the dialogue between researchers of both communities. The topicsare

• Attacks on code- or lattice-based systems• Hardness of underlying problems, weak instances• The link between Decoding, Learning and Closest Vector Problems• Average versus Worst Case Complexity• Indistinguishability of hidden-trap door and random instances• Security proofs of code-based systems Lattice reduction for cryptanalysis

Lattice reduction algorithms, including their sensitivity to properties ofthe instances they are applied to

The organizers gratefully acknowledge the generous support of the FederalOffice for Information Security (BSI) .

Organizers

Johannes Buchmann, Alexander May, and Ulrich Vollmer

Contents

1 New perspectives for code-based public key cryptographyThierry P. Berger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2 Blockwise Lattice Basis Reduction RevisitedClaus Peter Schnorr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3 Sampling methods for shortest vectors, closest vectors andsuccessive minimaJohannes Blomer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

4 Cyclic lattices: cryptographic applications and openproblemsDaniele Micciancio University of California, San Diego . . . . . . . . . . . . . . . 15

5 On Lattices, Learning with Errors, Random Linear Codes,and CryptographyOded Regev . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

6 Using Lattice Reduction for Cryptanalysis and ListDecodingAlexander May . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

7 List Decoding Interleaved and Folded Reed-Solomon CodesVenkatesan Guruswami . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

8 Key security of code-based public key cryptosystemNicolas Sendrier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

9 Syndrome Decoding in the Non-Standard CasesMatthieu Finiasz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

10 Shorter keys for code based cryptographyPhilippe Gaborit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

11 How to reduce public-key size in McEliece like PKCs ?Pierre Loidreau . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

12 Personalized-Public-Key Cryptosystem (P2KC)Kazukuni Kobara, Hideki Imai . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

1

New perspectives for code-based public keycryptography

Thierry P. Berger

XLIM, UMR CNRS 6172, Universite de Limoges, France

Summary. Two types of attacks have been exhibited against Bound DecodingProblem based cryptosystems. The first one is a structural attack which consists inrecovering the masked structure of a well-known code. The second family is basedupon the decoding of random codes which try to solve directly the Bounded Decod-ing Problem. To prevent his cryptosystem from this kind of attacks, the designermust lengthen the size of public keys, which is a major obstacle for a practical useof these PKC.

In this paper, we present some of the methods to mask the structure of a codein order to make decrease the size of the public keys. We will give some examples ofconstructions related to the Generalized Reed Solomon codes.

1.1 Background

1.1.1 Coding Theory [10]

A [n, k, d] linear code C over the finite field GF (q) is a subspace of GF (q)n

of dimension k with a minimum distance equal to d. Generally such a code isgiven by its generator matrix M . It can be also described by its parity-checkmatrix H, which is a generator matrix of the dual code C⊥. For a code overGF (2m), the size required to describe a generator under systtematic form ism× k × (n− k) bits.

In coding theory and its applications, for a fixed length n, we generally tryto increase simultaneously the dimension k and the minimum distance d, evenif a trivial bound on these values is given by the so-called Singleton bound: k + d ≤ n + 1. For non-trivial codes, this bound is only reached by codesdefined on extension fields.

1.1.2 Decoding random codes

The security of code-based public key cryptography depends essentially onthe Bounded Decoding Problem proved as NP-Hard [2]:

2 Thierry P. Berger

Bounded Decoding Problem:Input: a [n, k, d] code C, an integer w ≤ b(d− 1)/2c, a word y ∈ GF (q)n.Output: a vector e of length n such that weight(e) ≤ w and x = y − e ∈ C.

This problem is difficult in average, i.e. difficult for random codes. Themost efficient techniques to decode random codes are based upon the searchof an information set without error. The decoding cost is O(k3p−1), wherep =

(nk

)/(n−t

k

). In the binary case, there exist many improvement, but their

cost is always greater than O(p−1) [3, 4, 8, 7, 17].

1.1.3 Code-based Public key cryptosystems

The most popular code-based cryptosystem was presented by McEliece in 1978[11]. The public key is a linear code, the secret key is a decoding algorithm.An error e of weight t is then used to mask the codeword.

A dual cryptosystem was proposed by Niederreiter in 1986. The publicand secret keys are the same than the ones used in the McEliece’s PKC. Themessage is a codeword e of weight t and the cipher is the syndrome of thiserror. The security of this PKC is proven equivalent to the McEliece’s one.The main advantage of code-based PKC is the efficiency of encryption anddecryption processes whereas the main drawback is the size of the public key.

1.2 Codes suitable for a cryptographic use

1.2.1 Criteria

The main criteria for the choice of a code are:- there exists an efficient decoding algorithm,- the code is resistant to decoding attacks,- the structure of the code (i.e. the secret algorithm) will be masked,- the size of the public key is as small as possible.

Except a PKC based upon Reed-Muller codes [15] and those based on rankmetric, the proposed codes belong to the family of Generalized Reed Solomoncodes (GRS codes) and are decoded with Reed Solomon decoders. Since thesecodes are MDS and decodable, they seems to be good candidates for a crypto-graphical use. However, the structure of GRS codes can be recovered in O(n3)operations [16]. It is thus necessary to hide their structure.

1.2.2 How to mask this structure?

Some operations such as concatenation or permutation are not suitable for acryptographic application [13, 14]. In its original paper, McEliece proposedthe class of Goppa codes. It is a particular subclass of Alternant codes, i.e.binary subfield subcodes of GRS codes. Among the binary codes, Goppa codes

References 3

are almost optimal. Consequently, it is necessary to construct new codes de-fined over extension fields in order to decrease the size of the public key. Theother classical methods use subfield subcode over an intermediate subfield oreven subcode over the full extended field [1].

2.3 Some examples of constructions from GRS codes

Subfield subcodes over an intermediate field: C is a subfield subcodeover GF (2m) of a GRS code over GF (22m).

Subcodes of GRS codes: C is a subcode of a GRS code over GF (2m) [1].There exists a partial attack against this construction [18].

A diagonal construction from GRS codes: C is a [2n, 2k, d] code overGF (2m) with a generator matrix equal to

G = S ×(GRS1(d) | A

0k2,n | GRS2(d)

)× P

S: an invertible matrix, P : a permutation matrix, A: a random matrix andGRSi(d) generator matrices of [n, k, d] GRS codes over GF (2m).

A kind of (U,U+V) construction: C is a [2n, k = k1 + k2, 2d] code overGF (2m) with a generator matrix equal to

G = S ×(RS(d)× Scal1 | RS(d)× Scal2

0k2,n | RS(2d)× Scal3 × P3

)× P

S: an invertible matrix, P , P3: permutation matrices Scali: scalar multiplica-tions, RS(d) and RS(2d): generators matrices of [n, k1, d] and [n, k2, 2d]ReedSolomon codes over GF (2m).

Construction Field Parameters Security SizeGoppa code GF (2) [2048, 1608, 81 ] 2102 88, 5 KBInterm. subfield subcode GF (32) [1024, 956 , 34 ] 297 41 KBSubcode of GRS code GF (256) [256 , 142 , 107] 298 16 KBDiagonal construction GF (256) [512 , 372 , 71 ] 299 52 KB(U,U+V) GF (256) [512 , 439 , 50 ] 2102 32 KB

Examples of parameters

Further Works

- An extensive study of random decoding algorithms for codes over extensions.- A more complete analysis of the techniques used to mask the structure.- The use of codes defined on other metrics, such as rank metric [5]- The use of codes with short description such as quasi-cyclic codes [6].

References

1. T.P. Berger and P. Loidreau. How to mask the structure of codes for a crypto-graphic use. Designs, Codes and Cryptography, 35:63-79, April 2005.

2. E.R. Berlekamp, R.J. McEliece and H.C. Van Tilborg. On the inherent in-tractability of certain coding problems IEEE IT, 24(3):384-386, may 1978.

4 Thierry P. Berger

3. A. Canteaut and F. Chabaud. A new algorithm for finding minimum-weightwords in a linear code: Application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE IT, 44(1):367-378, Jan. 1998.

4. A. Canteaut and N. Sendrier. Cryptanalysis of the original McEliece cryptosys-tem. Advances in Cryptology - ASIACRYPT’98, LNCS 1514, p. 187-199, 1998.

5. E .M. Gabidulin, A. V. Paramonov, and O. V. Tretjakov. Shorter keys for codebased cryptography. LNCS, 573:482 - 489, 1991.

6. P. Gaborit. Ideals over a non-commutative ring and their application in cryp-tology. WCC 2005, Bergen (Norway) p. 81-91, March 2005.

7. P. J. Lee and E. F. Brickell. An observation on the security of McEliece’s public-key cryptosystem. Advances in Cryptology - EUROCRYPT’88, LNCS 330, p.275-280, 1988.

8. J.S. Leon. A probabilistic algorithm for computing minimum weights of largeerror-correcting codes. IEEE IT, 34(5):1354-1359, 1988.

9. P. Loidreau and N. Sendrier. Weak keys in McEliece public-key cryptosystem.IEEE IT, 47(3), March 2001.

10. F. J. MacWilliams and N. J. A. Sloane. The Theory of Error-Correcting Codes.North Holland, 1977.

11. R. J. McEliece. A public-key cryptosystem based on algebraic coding theory.Tech. report, Jet Propulsion Lab. DSN Progress Report, 1978.

12. H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory.Problems of Control and Information Theory, 15(2):159 - 166, 1986.

13. N. Sendrier. On the concatenated structure of a linear code.. AAECC, 9(3):221-242, 1998.

14. N. Sendrier. Finding the permutation between equivalent codes: the supportsplitting algorithm. IEEE IT, 46(4):1193-1203, July 2000.

15. V. M. Sidel’nikov. A public-key cryptosystem based on binary Reed-Mullercodes. Discrete Math. Appl., 4(3):191-207, 1994.

16. V. M. Sidel’nikov and S. O. Shestakov. On cryptosystems based on generalizedReed-Solomon codes. Discrete Mathematics, 4:57-63, 1992.

17. J. Stern. A method for finding codewords of small weight. Coding Theory andApplications, LNCS 388, p. 106-113, 1989.

18. C. Wieschebrink. An Attack on a Modified Niederreiter Encryption Scheme.Public Key Cryptography - PKC 2006, LNCS, 3958:14-26, 2006.

Blockwise Lattice Basis Reduction Revisited.

Claus Peter SchnorrFachbereich Informatik und Mathematik, Universit�at Frankfurt,

PSF 111932, D-60054 Frankfurt am Main, Germany.schnorr@cs.uni-frankfurt.de { http: www.mi.informatik.uni-frankfurt.de

Abstract. We compare Schnorr's algorithm for semi block 2k-reductionof lattice bases with Koy's primal-dual reduction for blocksize 2k. Koy'salgorithm guarantees within the same time bound under known proofsbetter approximations of the shortest lattice vector. Under reasonableheuristics both algorithms are equally strong and much better thanproven in worst-case. We combine primal-dual reduction with Schnorr'srandom sampling reduction (RSR) to a highly parallel reduction algo-rithm that is on the average more e�cient than previous algorithms. Itreduces the approximation factor 43n=2 guaranteed by the LLL-algorithmto 1:025n=2 using feasible lattice reduction.

SUMMARY. A (lattice) basis of rank n consists of n linearly independent realvectors b1; :::;bn 2 Rm which form the basis matrix B = [b1; :::;bn] 2 Rm�n.The basis B generates the lattice L = L(B) = fBx jx 2 Zng � Rm which isthe set of all integer linear combinations of the basis vectors. The goal of latticereduction is to transform a given basis B into a nice basis BT , T 2 SLn(R),consisting of short and nearly orthogonal vectors.Notation. B = [b1; :::;bn] 2 Rm�n, Bt 2 Rn�m is the transpose of B 2 Rm�n,inverse transpose of R 2 Rn�n,di = det([b1; :::;bi]t[b1; :::;bi]), d0 = 1, D` = dk`=dk`�k for given k;B,detL(B) = det(BtB)1=2 = d1=2n , the `2-length kbk = jbtbj1=2 of b 2 Rm,�i : Rm ! span(b1; :::;bi�1)? is the orthogonal projection,�1(L) = the minimal length of the nonzero vectors of the lattice L, k = max�21(L(B))=detL(B)2=k over all bases B 2 Rm�n of rank k,Q 2 Rm�n is isometric if hQx; Qyi = hx;yi = xty for all x;y 2 Rm,SLn(Z) = fT 2 Zn�n j detT = 1g, In 2 Zn�n denotes the unit matrix.

The QR-decomposition B = QR, R = [r1; : : : ; rn] = [ri;j ] 2 Rn�n of a basisB 2 Rm�n consists of an isometric matrix Q 2 Rm�n and an upper-triangular matrixR 2 Rn�n with positive diagonal entries. TheQR-decompositionis unique, R is preserved under isometric transforms of B. We call R the geo-metric normal form (GNF) of B, R = GNF(B). We describe basis reduction interms of the GNF R. This yields the Gram-Schmidt coe�cients �j;i = ri;j=ri;iand ri;i = k�i(bi)k is the length of the orthogonal vector �i(bi). We see from[b1; :::;bn] = QR that kbik2 =

Pij=1 r2j;i, kb1k = r1;1.

Standard reductions.1. B = QR 2 Rm�n is size-reduced if jri;j j � 12ri;i for all j > i.2. B = QR is LLL-reduced [LLL82] for � 2 ( 14 ; 1] if B is size-reduced and

�r2i;i � r2i;i+1 + r2i+1;i+1 for i = 1; :::; n� 1.Such LLL-bases satisfy r2i;i � � r2i+1;i+1 for � := 1=(�� 14 ). This yields the classicresult on the performance of LLL-bases that we are going to improve:

Theorem 1. [LLL82] An LLL-basis B 2 Rm�n of lattice L satis�es1. kb1k2 � �n�1

2 (detL)2=n, 2. kb1k2 � �n�1�21.

LLL-reduction is due to Lenstra, Lenstra, Lov�asz [LLL82]. The LLL-algorithmtransforms a given basis B into an LLL-basis BT , T 2 SLn(Z). It runs inO(n3m log1=� kBk) arithmetic steps using integers of bit length O(n log2 kBk,where kBk = maxfkb1k; :::; kbnkg for the input basis b1; :::;bn.

The basis B = QR is HKZ-reduced (we call it an HKZ-basis) if B is size-reduced, and each coe�cient ri;i of the GNF R is minimal for all bases of thegiven lattice that coincide with B in the �rst i� 1 vectors.

Survey, background and perspectives of our results. We compare feasible basisreduction algorithms that replace � in Theorem 1 by smaller constants. The ap-proximation factor �n�1

2 for kb1k=�1 has been improved to 2O((n log logn)2= logn)in [S87] and combined with [AKS01] to 2O(n log logn= logn). Here we focus onreductions of � achievable in feasible lattice reduction time for practical dimen-sions. Some reductions are proven by heuristics to be feasible on the average.

We assume � � 1 so that � � 4=3. LLL-bases approximate �1 up to afactor �n�1

2 . 1:155n. They approximate �1 much better for lattices of highdensity where �21 � n(detL)2=n, namely up to a factor . �n�1

4 =p n . 1:075n.Moreover, Nguyen and Stehl�e [NS06] report that � decreases on average to about1:024 � 1:08 for the random lattices of [NS06].

The constant � can be further decreased within polynomial reduction timeby blockwise basis reduction. We compare semi block 2k-reduction [S87] andKoy's primal-dual reduction [K04] with blocksize 2k. Both algorithms performHKZ-reductions in dimension 2k, HKZ-reducing segments b�+1; :::;b�+2k of Bunder ��+1, and have similar polynomial time bounds. They are feasible for2k � 50.

Semi block 2k-reduction (Alg. 1) replaces � in Theorem 1 by (�k=�)1=k for aconstant �k (Theorem 2) that satis�es k=12 < �k < (1 + k2 )2 ln 2�1=k [GHKN06]Koy's primal-dual reduction (Alg. 2) replaces � by (� 22k)1=2k (Theorem 3).Since 2k = �(k) the second bound outperforms the �rst, unless �k is close toits lower bound k=12. Primal-dual reduction for blocks of length 48 replaces � inTheorem 1 within feasible reduction time by (� 248)1=48 � 1:084. Both algorithmsare equally powerful in approximating �1 under the worst-case GSA-heuristicof [S03], they both replace � by 1=(k�1)k .

2

We use some basis reduction algorithms that are e�cient on average butnot proven polynomial time. BKZ-reduction of [SE94] runs in practice for smallblocksize in O(1)-times the LLL-time bound. The LLL with the deep insertionstep of [SE94] seems to be polynomial time on the average and greatly improvesthe approximational power of the LLL. Based on experiments [NS06] reportsthat deep-insertion-LLL decreases � for random lattices on average to 1:0124 �1:05 � �1=6.

We replace HKZ-reduction within primal-dual reduction by random sam-pling reduction (RSR) of [S03], a parallel extension of the deep insertion step.RSR is nearly feasible up to blocksize k = 80. The new algorithm, primal-dualRSR (Alg. 3) replaces under the worst-case GSA-heuristics � in Theorem 1 by(80=11)1=80 � 1:025. Alg. 3 is highly parallel and e�cient on the average butnot proven polynomial time. If the factor 1.025 further decreases from worst toaverage case this might endanger the NTRU scheme for N � 200. The secretkey is a short lattice vector of a lattice of dimension 2N .

Reductions of � � 43 under feasible lattice basis reduction.

1. Semi block 2k-reduction [S87], k = 24proven [GHKN06] (�24=�)1=24 < 1:165by heuristic, GSA 1=4747 � 1:034

2. Primal-dual HKZ-reduction, Koy 2004, k = 48proven (� 248)1=48 � 1:075by heuristic, GSA 1=4748 � 1:034

3. LLL on the average for random latticesexperimentally [NS06] 1.08

4. LLL with deep insertion [SE94]experimentally [NS06] 1:0124 � 1:05

5. Primal-dual RSR, k=80by heuristic, GSA, RA 1:025

RA r�+j;�+j0 2R [� 12 ; 12 ] is random for j0 > j,GSA the quotients ri+1;i+1=ri;i = q are constant for all i, � < i < � + k,

GSA is a worst case property. Bases that do not satisfy GSA have segmentsthat are easier to reduce [S03]. The analysis on the average is open.

FULL PAPER: http: www.mi.informatik.uni-frankfurt.de/research/papers.html

3

3

Sampling methods for shortest vectors, closestvectors and successive minima

Johannes Blomer

Department of Computer Science, University of Paderborn

Summary. Based on algorithms of Ajtai, Kumar, Sivakumar we provide a gen-eral sampling algorithm to solve various lattice problems. We describe randomized,single-exponential time algorithms to compute

1. a shortest vector in a lattice2. to approximate closest vector in a lattice with approximation factor 1 + ε, ε > 0

arbitrary3. to approximate the successive minima of a lattice with approximation factor

1 + ε, ε > 0 arbitrary.

The first two results reproduce results from Ajati, Kumar, and Sivakumar. All threeresults easily follow from a general method to compute short lattice vectors outside agiven sublattice. This method is based on a generalization of the sampling algorithmintroduced by Ajtai, Kumar, and Sivakumar to determine the shortest vector in alattice. We give a considerably simplified analysis of the sampling algorithm thatalso shows how the algorithm can be used to compute short lattice vectors outsidea given sublattice. The results described in this note are joint work with StefanieNaewe from the University of Paderborn and Oded Regev from Tel-Aviv University.

3.1 Introduction

We study three classical problems from the geometry of numbers, the shortestvector problem (Svp), the closest vector problem (Cvp), and the successiveminima problem (Smp). In the shortest vector problem, we are given a latticeL and are asked to find a shortest non-zero vector v in the lattice L. Here asin the sequel, the length of a vector is with respect to the Euclidean norm.In the closest vector problem, we are given a lattice L and some vector t inthe R-vector space span(L) spanned by the vectors in L. We are asked to finda vector u ∈ L, whose Euclidean distance to t is as small as possible, i.e. weneed to find a lattice vector v such that ‖v−t‖ = dist(t, L). To state the thirdproblem, we need to define the successive minima λk(L) of a lattice of L. Wecall the dimension of span(L) the rank of L. Let k be an integer less than or

10 Johannes Blomer

equal to the rank of L. The k-th successive minimum of L is the smallest realnumber r such that L contains k linearly independent vectors of Euclideanlength at most r. In the successive minima problem we are given a lattice Lwith rank n. We are asked to find n linearly independent vectors v1, . . . ,vn

such that the length of vk is λk(L). It is a well-known fact, that vectors withthis property always exist (see [C]). Since λ1(L) is the length of a shortestnon-zero vector, in Smp we need to solve the shortest vector problem as asubproblem.

In the last 25 years the complexity of these problems has been studiedintensively. It is known that all three problems are NP-hard and even hard toapproximate (see for example [A],[M], [Kh],[DKRS],[BS]). Here we concentrateon positive results, i.e. algorithms that solve Svp,Cvp, and Smp either exactlyor approximately. Until a breakthrough paper by Ajtai, Kumar, and Suvaku-mar [AKS1] the best algorithm to solve Svp exactly was due to Kannan[Ka].Kannan’s algorithm has a running time of nn/2sO(1), where n is the rank ofthe lattice L and s is its representation size, i.e. the number of bits used todescribe the basis defining L. Of course, the best polynomial time algorithmsfor approximating Svp are the LLL-algorithm and its improvement and gener-alization due to Schnorr, achieving single exponential approximation factors.In their paper, Ajati, Kumar, and Sivakumar design a randomized algorithmthat solves Svp exactly with probability exponentially close to 1. The AKS-algorithm is based on a novel sampling technique that generates short vectorsfrom the input lattice L. Then, it is shown that a shortest vector of L can befound with high probability as a difference of two of these short lattice vec-tors. Later, Ajtai, Kumar, and Sivakumar extended their sampling techniqueto deal with Cvp. In [AKS2] they describe an algorithm that solves Cvp withapproximation factor (1 + ε) for any ε > 0. The running time of their algo-rithm is

(2(1+1/ε)ns

)O(1). For Cvp the best algorithm that exactly solves theproblem is due to [B] and has a running time of n!sO(1). The best polynomialtime approximation algorithms for Cvp are based on the LLL-algorithm andachieve single exponential approximation factors.

We consider a variant of the AKS-sampling procedure (according to[AKS1] proposed by M. Sudan). We give a simple analysis of the samplingprocedure. Based on this analysis we describe a general approach for solv-ing lattice problems. In fact, we show that the sampling procedure can beused to compute short lattice vectors outside some arbitrary sublattice. Asconsequences of this approach we obtain single exponential time (1 + ε)-approximation algorithms for Svp and Cvp. The running time of our (1 + ε)approximation algorithm for Cvp has a better dependency on 1/ε than theoriginal AKS-algorithm. Additionally, we get a single exponential time (1+ε)-approximation algorithm for Smp. To obtain an exact single exponential timealgorithm for Svp, we use a second general approach to analyze the sam-pling procedure computing short lattice vectors outside a given sublattice.This method shows that the sampling procedure can be used to compute a

3.2 The results 11

shortest lattice vector outside a given sublattice provided there do not existtoo many short lattice vectors outside the given sublattice. This property istrue in case of Svp. In Cvp our approach to determine short vectors outsidea given sublattice will lead to an exact algorithm only for instances wherethe distance of the target vector to the lattice is not too large, i.e. not muchlarger than the length of a shortest lattice. Similarly, the general method canbe used to compute the successive minima of a lattice exactly provided thatthe n-th successive minima λn is bounded by cλ1 for some constant c. In thefollowing section we state our results more precisely.

3.2 The results

To state our main results we need the following definition.

Definition 1 Let L be a lattice and M be a sublattice of L. Then we defineλM(L) by

λM(L) := min{r ∈ R ∃v ∈ L \M, ‖v‖ ≤ r}.

Given a lattice L and some sublattice M our goal is to compute a vectorv ∈ L \M that is as short as possible.

Theorem 2 There exists a randomized algorithm that for any ε > 0, for anylattice L ∈ Qn and any sublattice M of L with probability exponentially closeto 1 computes a vector v ∈ L \M with ‖v‖ ≤ (1 + ε)λM(L). The running timeof the algorithm is

((2 + 1/ε)n · s

)O(1), where s is the size of L and M.

If we choose M = {0}, we obtain from the previous theorem

Theorem 3 There exists an algorithm that for any ε > 0 and any latticeL ∈ Qn with probability exponentially close to 1 computes a vector v ∈ L with‖v‖ ≤ (1 + ε)λ1(L). The running time of the algorithm is

((2 + 1/ε)n · s

)O(1),where s is the size of L.

As we will see later, we can also solve Svp exactly. As a second examplewe consider Smp. Assume i linearly independent vector vj ∈ L satisfying‖vj‖ ≤ (1+ ε)λj(L) have already been computed and set Mi := L(v1, . . . ,vi).Then λM(L) ≤ λi+1(L) and using Theorem 2 we obtain

Theorem 4 There exists an algorithm that for any ε > 0 and any latticeL ∈ Qn with probability exponentially close to 1 computes linearly independentvectors v1, . . . ,vn with ‖vi‖ ≤ (1+ ε)λi(n), i = 1, . . . , n. Here we also assumethat rank(L) = n.The running time of the algorithm is

((2 + 1/ε)n · s

)O(1),where s is the size of L.

To apply Theorem 2 to the closest vector problem one must use a liftingtechnique introduced by Kannan and refined by Ajtai, Kumar and Sivakumar.One obtains

12 Johannes Blomer

Theorem 5 There exists an algorithm that for any ε > 0, any lattice L ∈Qn and target vector t ∈ span(L) with probability exponentially close to 1computes a vector v ∈ L satisfying ‖t − v‖ ≤ (1 + ε)dist(t, L). The runningtime of the algorithm is

((2 + 1/ε)n · s

)O(1), where s is the size of L and t.

To turn the (1 + ε)-approximation algorithm for Svp into an exact algorithmwe can use the following general result.

Theorem 6 Let L ∈ Qn be a lattice and M be a sublattice of L, both of size s.Assume that there exist fixed constants ε, c such that the number of v ∈ L \Msatisfying ‖v‖ ≤ (1 + ε)λM(L) is bounded by 2cn. There exists an algorithmthat with probability exponentially close to 1 and in time

(2n ·s

)O(1) computesa vector v ∈ L \M with ‖v‖ ≤ λM(L).

It is easy to see that the assumptions of Theorem 6 are satisfied in case ofSvp. We obtain

Theorem 7 Let L ∈ Qn be a lattice of size s. A shortest non-zero vector inL can be computed in time

(2n · s

)O(1).

The corresponding result for Cvp is much weaker.

Theorem 8 Let c > 0 be some constant. Assume lattice L ∈ Zn and targetvector t ∈ span(L) are of size s. Assume furthermore that there exists somefixed constant c such that dist(t, L) ≤ cλ1(L). Then a vector v ∈ L satisfying‖t− v‖ = dist(t, L) can be computed in time

(2n · s

)O(1).

References

[A] M. Ajtai, “The shortest vector problem is NP-hard for randomized reductions”,Proc. 30th Symposium on Theory of Computing 1998, pp. 10-19.

[AKS1] M. Ajtai, R. Kumar, D. Sivakumar “A sieve algorithm for the shortest vectorproblem”, Proc. 33rd Symposium on Theory of Computing 2001, pp. 601-610.

[AKS2] M. Ajtai, R. Kumar, D. Sivakumar “Sampling short lattice vectors and theclosest vector problem”, Proc. 17th IEEE Conference on Computational Complex-ity 2002, pp. 53-57.

[B] J. Blomer, “Closest vectors, successive minima, and dual HKZ-bases of lattices”,Proc. 17th ICALP Lecture Notes in Computer Science, Vol. 1853, pp. 248-259,2000.

[BS] J. Blomer, J.-P. Seifert, “The complexity of computing short linearly indepen-dent vectors and sort bases in a Lattice”, Proc. 21stth Symposium on Theory ofComputing 1999, pp. 711-720.

[C] J. W. S. Cassels, An Introduction to the Geometry of Numbers, Springer-Verlag,1971.

[DKRS] I. Dinur, G. Kindler,R. Raz, S. Safra, “Approximating CVP to withinalmost-polynomial factors is NP-hard”, Combinatorica, Vol. 23, No. 2, pp. 205-243,2003.

References 13

[Ka] R. Kannan, “Minkowski’s convex body theorem and integer programming”,Mathematics of Operations Research, Vol. 12, No. 3, pp. 415-440, 1987.

[Kh] S. Khot, “Hardness of approximating the shortest vector problem in lattices”,Journal of the ACM, Vol. 52, No. 5, pp. 789-808, 2005.

[L] L. Lovasz, An algorithmic theory of graphs, numbers and convexity , SIAM, 1986.[M] D. Micciancio, “The shortest vector in a lattice is hard to approximate to within

some constant”, SIAM Journal on Computing , Vol. 30, No. 6, pp. 2008-2035, 2000.

4

Cyclic lattices: cryptographic applications andopen problems

Daniele MicciancioUniversity of California, San Diego

No Institute Given

Summary. Cyclic codes are among the most useful and widely used error correctingcodes in coding theory and communication applications. We consider a similarlydefined class of “cyclic lattices” (and generalizations), and discuss cryptographicapplications, connections with other problems in algebraic number theory, and openproblems concerning their computational complexity.

4.1 Introduction

Large key size has always been recognized as a major obstacle to the practi-cal deployment of cryptographic functions based on lattices, linear codes, orknapsack problems. Full-rank n-dimensional lattices are usually representedby n × n generating matrices over Z. Even when the entries are small in-tegers, this requires O(n2) storage and computation time, i.e., quadratic inthe natural security parameter n. The situation for codes and knapsack basedsystems is similar: typical knapsacks functions are described by n integers,each O(n)-bits long (for a total of O(n2) bits), while codes are described byn×m generating or parity check matrices where typically m = O(n). A sim-ple couting argument shows that this quadratic dependency in the securityparameter n is essentially unavoidable, e.g., the number of different (n, k)q

linear codes for min{k, n− k} = Θ(n) is qO(n2). So, the only way to get codes(or lattices) with smaller description is to consider special classes of codes orlattices.

Cyclic codes are probably the most useful and widely studied class of lin-ear codes in the context of coding theory and error correction applications. Acyclic code is a linear code C ⊂ Fn such that if (x1, . . . , xn) ∈ C is a code-word, then the cyclic rotation rot(x1, . . . , cn) = (xn, x1, . . . , xn−1) ∈ C is alsoa codeword. Many important families of codes (e.g., Reed-Muller codes, andReed-Solomon codes) are cyclic for appropriate permutation of the coordi-nates. The richness of the theory of cyclic codes is largely due to the algebraicstructure of these codes: a cyclic code C ⊂ Fn can be equivalently defined as

16 Daniele Micciancio University of California, San Diego

an ideal of the polynomial ring R = F [α]/(αn − 1). In particular, since R is aprincipal ideal domain, cyclic codes can be represented by a single generatingcodeword, reducing the storage from nk log q to only (n− k) log q.

In the setting of error correction, the code is usually relatively low dimen-sional and fixed once and for all. So, storage requirement is not a major issue.We consider the use of cyclic lattices (and generalizations) as a basis for theconstruction of very efficient lattice based cryptographic functions with smallkey size.

In section 4.2 we describe a typical construction of cryptographic func-tions based on lattices, and how cyclic lattices can be used to substantiallyimprove the (storage and computation) efficiency of these functions. Then, insection 4.3 we list the main open problems in the area and describe currentand future research directions.

4.2 Lattice based cryptography

An attractive feature of lattices in the context of cryptographic applicationsis the possibility of building provably secure cryptographic functions basedon worst-case complexity assumptions. The first such construction [1] is es-sentially as follows: the key is a matrix A ∈ Zn×m

p where p = nO(1) andm = O(n log n), and it describes the function fA : {0, 1}m → Zn

p given by

fA(x) = Ax mod p.

The main result of [1] and subsequent improvements (leading to the strongestcurrently known result of [16]) is that for appropriate choice of the parame-ters fA is a one-way (in fact, collision resistant) hash function based on theworst-case hardness of solving various lattice problems, e.g., approximatingthe length of the shortest vector in an arbitrary lattice within factors almostlinear in the dimension of the lattice.

Notice that Ajtai’s function requires a key of sizeO(nm log p) = O(n2 log2 n)bits. We propose [15] the use of cyclic lattices (and generalizations) as a wayto improve the efficiency of Ajtai’s one-way function. The generalized com-pact knapsack function of [15] can be described in lattice theoretic terms asfollows. Instead of considering an arbitrary n ×m matrix A, consider a ma-trix consisting of m/n blocks, where each block is a structured n× n matrixwith compact representation. The structured matrix used in [15] is a rotationmatrix

Rot(a) =

a1 a2 . . . an

an a1 . . . an−1

......

. . ....

a2 a3 . . . a1

and the main result proved in [15] is that inverting fA is computationally hardon the average (when the structured matrix A is chosen at random) provided

4.3 Current work and open problems 17

it is infeasible to solve various lattice problems in the worst case as in [1, 16],but for the special case of cyclic lattices. I.e., given an arbitrary cyclic lattice,approximate the length of the shortest vector within a factor almost linear inthe dimension of the lattice. The advantage of using a structured matrix A areclear: such A’s can be represented using only m log p bits, a factor n savingover general matrices. Moreover, if the structure of A is chosen appropriately,then the product Ax can be efficiently computed (in almost linear time) usingthe fast Fourier transform. This leads to one-way functions based on worst-case complexity assumptions on n-dimensional lattices with almost linear (inn) key size and computation time.

4.3 Current work and open problems

The one-way functions described in [15] is just the beginning of a promisingresearch program, with the potential of leading to cryptographic functionsthat are both provably secure (based on worst case complexity assumptions)and very efficient. In subsquent work [18, 12], we have shown that a simplemodification of the one-way function based on cyclic lattices of [15] is collisionresistant. The “blocks” of the structure matrix A in [15] can be interpretedas elements of the ring Zq[α]/(αn − 1). The main idea of [12] is that one canconsider instead rings Zq[α]/p(α) for arbitrary polynomials p(α), and the rele-vant property for fA to be collision resistant is that p should be an irreduciblepolynomial. Breaking the resuling function will be as hard as solving worst-case lattice problems for “ideal” lattices, i.e., lattices that can be representedas ideals of the ring Zq[α]/p(α).

We immediately notice some differences between how the algebraic struc-ture is used in our cryptographic application, and in the classic setting ofcoding theory: in coding theory, when working over a field F , if p(α) is anirreducible polynomial, then F [α]/p(α) is also a field and it does not havenon-trivial ideals. In other words, using an irreducible p(α) yields only thetrivial codes 0n and Fn. Still, improving the efficiency (key storage require-ments and computation time) of cryptographic functions based on codes usingideas similar to [15] is a very interesting possibility.

Still within the setting of lattices, another class of open questions concernthe construction of other cryptographic primitives. Many cryptographic primi-tives (e.g., message authentication, digital signatures, etc.) can be constructedin principle from any one-way function, but such generic constructions are veryinefficient. So, even if one starts from an efficient one-way function based oncyclic lattices, the result would be quite inpractical. Are more efficient directconstructions possible, where the resulting primitive based on cyclic latticeshas efficiency comparable to the function of [15]? Along this lines, we notethat [17] give a statistical zero knowledge proof system that can be efficientlyinstantiated using any lattices, provided the prover knows the shortest vectorin the lattice, or the lattice vector closest to the target. This allows to use

18 Daniele Micciancio University of California, San Diego

the proof system of [17] to design relatively efficient identification schemes(and digital signatures in the random oracle model using the Fiat-Shamirheuristics) based on cyclic or ideal lattices.

The most important of the open questions regarding the construction ofother cryptographic primitives concerns public key encryption. There are var-ious known polynomial time (but practically inefficient) cryptosystems basedon worst-case lattice problems [3, 20]. Can efficient public key encryptionschemes be constructed based on the worst-case hardness of cyclic lattices?We remark that the NTRU cryptosystem is a very encouraging example ofcryptosystem based on structure lattices, though it lacks a proof of security.Can NTRU be proved secure based on the worst-case hardness of some prob-lem on special classes of lattices? Or, can some other efficient and provablysecure cryptosystem be designed?

On the complexity (and security) front, the most important question iswhether lattice and coding problems are computationally hard, even whenrestricted to lattices with cyclic (or ideal) structure. Many important problemson linear codes and point lattices are known to be NP-hard to solve exactly,or even approximate within small factors. Specifically,

• The shortest vector problem (for point lattices) is NP-hard (under ran-domized reductions) within any constant factor [2, 14, 10].

• The minimum distance problem (for linear codes) is NP-hard (again underrandomized reductions) within any constant factor [8].

• The closest vector problem is NP-hard within “almost polynomial” factorsn1/ log log n [7].

• The nearest codeword problem is NP-hard within any constant factor [5].

All these hardness results refer to the general case where the lattice or codeis given as part of the input, and can be an arbitrary lattice or code. Areany of these problems still NP-hard (even in their exact version) when thecode or lattice is restricted to be cyclic? What about ideal lattices? Is thereany relation between the complexity of ideal lattices for different values of theirreducible polynomial p(α)? The cyclic or ideal lattice restriction may seema major one: is there still enough freedom in the choice of the lattice or codeto reduce a (typically unstructured) NP-hard problem to it? Recent resultson the hardness of the nearest codeword and closest vector problems withpreprocessing [6, 11, 13, 9, 19, 4] are encouraging in this respect, as they showthat for appropriate (though not cyclic) choice of the lattice or code, NP-hardproblems can be reduced to the target vector alone, keeping the lattice orcode fixed.

References

1. M. Ajtai. Generating hard instances of lattice problems (extended abstract).In Proceedings of the twenty-eighth annual ACM symposium on the theory of

References 19

computing - STOC ’96, pages 99–108, Philadelphia, Pennsylvania, USA, May1996. ACM.

2. M. Ajtai. The shortest vector problem in l2 is NP-hard for randomized reduc-tions (extended abstract). In Proceedings of the thirtieth annual ACM sympo-sium on theory of computing - STOC ’98, pages 10–19, Dallas, Texas, USA,May 1998. ACM.

3. M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the twenty-ninth annual ACM symposiumon theory of computing - STOC ’97, pages 284–293, El Paso, Texas, USA, May1997. ACM.

4. M. Alekhnovich, S. Khot, G. Kindler, and N. Vishnoi. Hardness of approxi-mating the closest vector problem with pre-processing. In Proceedings of FOCS2005, 2005.

5. S. Arora, L. Babai, J. Stern, and E. Z. Sweedyk. The hardness of approximateoptima in lattices, codes, and systems of linear equations. Journal of Computerand System Sciences, 54(2):317–331, Apr. 1997. Preliminary version in FOCS1993.

6. J. Bruck and M. Naor. The hardness of decoding linear codes with preprocessing.IEEE Transactions on Information Theory, 36(2):381–385, Mar. 1990.

7. I. Dinur, G. Kindler, R. Raz, and S. Safra. Approximating CVP to withinalmost-polynomial factors is NP-hard. Combinatorica, 23(2):205–243, 2003. Pre-liminary version in FOCS 1998.

8. I. Dumer, D. Micciancio, and M. Sudan. Hardness of approximating the min-imum distance of a linear code. IEEE Transactions on Information Theory,49(1):22–37, Jan. 2003. Preliminary version in FOCS 1999.

9. U. Feige and D. Micciancio. The inapproximability of lattice and coding prob-lems with preprocessing. Journal of Computer and System Sciences, 69(1):45–67, Aug. 2004. Preliminary version in CCC 2002.

10. S. Khot. Hardness of Approximating the Shortest Vector Problem in Lattices.Journal of the ACM, 52(5):789–808, Sept. 2005. Preliminary version in FOCS2004.

11. A. Lobstein. The hardness of solving subset sum with preprocessing. IEEETransactions on Information Theory, 36(4):943–946, July 1990.

12. V. Lyubashevsky and D. Micciancio. Generalized compact knapsacks are colli-sion resistant. In I. Wegener, V. Sassone, and B. Preneel, editors, Proceedingsof the 33rd international colloquium on automata, languages and programming- ICALP 2006, volume 4052 of Lecture Notes in Computer Science, pages 144–155, Venice, Italy, July 2006. Springer-Verlag.

13. D. Micciancio. The hardness of the closest vector problem with preprocessing.IEEE Transactions on Information Theory, 47(3):1212–1215, Mar. 2001.

14. D. Micciancio. The shortest vector problem is NP-hard to approximate to withinsome constant. SIAM Journal on Computing, 30(6):2008–2035, Mar. 2001. Pre-liminary version in FOCS 1998.

15. D. Micciancio. Generalized compact knapsaks, cyclic lattices, and efficient one-way functions. Computational Complexity, 2007. To appear. Preliminary versionin FOCS 2002.

16. D. Micciancio and O. Regev. Worst-case to Average-case Reductions based onGaussian Measure. SIAM Journal on Computing, 2006. To appear. Preliminaryversion in FOCS 2004.

20 Daniele Micciancio University of California, San Diego

17. D. Micciancio and S. Vadhan. Statistical zero-knowledge proofs with efficientprovers: lattice problems and more. In D. Boneh, editor, Advances in cryptol-ogy - CRYPTO 2003, proceedings of the 23rd annual international cryptologyconference, volume 2729 of Lecture Notes in Computer Science, pages 282–298,Santa Barbara, California, USA, Aug. 2003. Springer-Verlag.

18. C. Peikert and A. Rosen. Efficient collision-resistant hashing from worst-caseassumptions on cyclic lattices. In S. Halevi and T. Rabin, editors, Theory ofcryptography conference - Proceedings of TCC 2006, volume 3876 of LectureNotes in Computer Science, pages 145–166, New York, NY, USA, Mar. 2006.Springer.

19. O. Regev. Improved inapproximability of lattice and coding problems withpreprocessing. IEEE Transactions on Information Theory, 50(9):2031–2037,Sept. 2004. Preliminary version in CCC 2003.

20. O. Regev. New lattice-based cryptographic constructions. Journal of the ACM,51(6):899–942, Nov. 2004. Preliminary version in STOC 2003.

5

On Lattices, Learning with Errors,Random Linear Codes, and Cryptography

Oded Regev

Department of Computer Science, Tel-Aviv University, Tel-Aviv 69978, Israel?

Summary. Our main result is a reduction from worst-case lattice problems such asSVP and SIVP to a certain learning problem. This learning problem is a natural ex-tension of the ‘learning from parity with error’ problem to higher moduli. It can alsobe viewed as the problem of decoding from a random linear code. This, we believe,gives a strong indication that these problems are hard. Our reduction, however, isquantum. Hence, an efficient solution to the learning problem implies a quantumalgorithm for SVP and SIVP. A main open question is whether this reduction canbe made classical.

Using the main result, we obtain a public-key cryptosystem whose hardness isbased on the worst-case quantum hardness of SVP and SIVP. Previous lattice-basedpublic-key cryptosystems such as the one by Ajtai and Dwork were only based onunique-SVP, a special case of SVP. The new cryptosystem is much more efficient thanprevious cryptosystems: the public key is of size O(n2) and encrypting a messageincreases its size by O(n) (in previous cryptosystems these values are O(n4) andO(n2), respectively). In fact, under the assumption that all parties share a randombit string of length O(n2), the size of the public key can be reduced to O(n).

Main theorem.

Let n be some integer and let ε ≥ 0 be some real. Consider the ‘learningfrom parity with error’ problem, defined as follows: find s ∈ Zn

2 given a list of‘equations with errors’

〈s,a1〉 ≈ε b1 (mod 2)〈s,a2〉 ≈ε b2 (mod 2)

...

? Supported by an Alon Fellowship, by the Binational Science Foundation, by theIsrael Science Foundation, and by the European Commission under the IntegratedProject QAP funded by the IST directorate as Contract Number 015848.

22 Oded Regev

where the ai’s are chosen independently from the uniform distribution on Zn2

and 〈s,ai〉 =∑

j sj(ai)j is the inner product modulo 2 of s and ai. The inputto the problem consists of the pairs (ai, bi) and the output is a guess for s.By the ≈ε symbol we mean that each equation is independently chosen to becorrect with probability 1 − ε and incorrect with probability ε. Notice thatthe case ε = 0 can be solved efficiently by, say, Gaussian elimination. Thisrequires O(n) equations and poly(n) time.

The problem seems to become significantly harder when we take any posi-tive ε > 0. For example, let us consider again the Gaussian elimination processand assume we are interested in recovering only the first bit of s. Using Gaus-sian elimination, we can find a set S of O(n) equations such that

∑S ai is

(1, 0, . . . , 0). Summing the corresponding values bi gives us a guess for thefirst bit of s. However, a standard calculation shows that this guess is correctwith probability 1

2 + 2−Θ(n). Hence, in order to obtain the first bit with goodconfidence, we have to repeat the whole procedure 2Θ(n) times. This yields analgorithm that uses 2O(n) equations and 2O(n) time. In fact, it can be shownthat given only O(n) equations, the s′ ∈ Zn

2 that maximizes the number ofsatisfied equations is with high probability s. This yields a simple maximumlikelihood algorithm that requires only O(n) equations and runs in time 2O(n).

Blum, Kalai, and Wasserman [8] provided the first subexponential al-gorithm for this problem. Their algorithm requires only 2O(n/ log n) equa-tions/time and is currently the best known algorithm for the problem. Itis based on a clever idea that allows to find a small set S of equations (say,O(√n)) among 2O(n/ log n) equations, such that

∑S ai is, say, (1, 0, . . . , 0).

This gives us a guess for the first bit of s that is correct with probability12 + 2−Θ(

√n). We can obtain the correct value with high probability by re-

peating the whole procedure only 2O(√

n) times. Their algorithm was latershown to have other important applications, such as the first 2O(n)-time al-gorithm for solving the shortest vector problem in a lattice [11, 5].

An important open question is to explain the apparent difficulty in findingefficient algorithms for this learning problem. Our main theorem explains thisdifficulty for a natural extension of this problem to higher moduli, definednext.

Let p = p(n) ≤ poly(n) be some prime integer and consider a list of‘equations with error’

〈s,a1〉 ≈χ b1 (mod p)〈s,a2〉 ≈χ b2 (mod p)

...

where this time s ∈ Znp , ai are chosen independently and uniformly from Zn

p ,and bi ∈ Zp. The error in the equations is now specified by a probabilitydistribution χ : Zp → R+ on Zp. Namely, for each equation i, bi = 〈s,ai〉+ ei

where each ei ∈ Zp is chosen independently according to χ. We denote the

5 On Lattices, LWE, Random Linear Codes and Cryptography 23

problem of recovering s from such equations by LWEp,χ (learning with error).For example, the learning from parity problem with error ε is the special casewhere p = 2, χ(0) = 1 − ε, and χ(1) = ε. Under a reasonable assumption onχ (namely, that χ(0) > 1/p+ 1/poly(n)), the maximum likelihood algorithmdescribed above solves LWEp,χ for p ≤ poly(n) using poly(n) equations and2O(n log n) time. Under a similar assumption, an algorithm resembling the oneby Blum et al. [8] requires only 2O(n) equations/time. This is the best knownalgorithm for the LWE problem.

Our main theorem shows that for certain choices of p and χ, a solution toLWEp,χ implies a quantum solution to worst-case lattice problems.

Theorem 1 (Informal). Let n, p be integers and α ∈ (0, 1) be some realsuch that αp > 2

√n. If there exists a polynomial time algorithm that solves

LWEp,Ψαthen there exists a quantum algorithm that approximates the shortest

vector problem (SVP) and the shortest independent vectors problem (SIVP) towithin O(n/α) in the worst case.

The exact definition of Ψα will be given later. For now, it is enough toknow that it is a distribution on Zp that has the shape of a discrete Gaus-sian centered around 0 with standard deviation αp, as in Figure 5.1. Also,the probability of 0 (i.e., no error) is roughly 1/(αp). A possible setting forthe parameters is p = O(n2) and α = 1/(

√n log n) (in fact, these are the

parameters that we use in our cryptographic application).

−1

−0.5

0

0.5

1

−1−0.5

00.5

1

Pro

babi

lity

−1

−0.5

0

0.5

1

−1−0.5

00.5

1

Pro

babi

lity

Fig. 5.1. Ψα for p = 127 with α = 0.05 (left) and α = 0.1 (right). The elements ofZp are arranged on the circle.

The SVP and SIVP are two of the main computational problems on lat-tices. The best known polynomial time algorithms yield only mildly subex-ponential approximation factors. It is conjectured that there is no classicalpolynomial time algorithm that approximates them to within any polynomialfactor. Lattice-based constructions of one-way functions, such as the one byAjtai [2], are based on this conjecture.

24 Oded Regev

One might guess that the same conjecture holds in the quantum world,i.e., there is no quantum polynomial time algorithm that approximates SVP(or SIVP) to within any polynomial factor. Thus one can interpret the maintheorem as saying that based on this conjecture, the LWE problem is hard. Theonly evidence supporting this conjecture is that there are no quantum algo-rithms for lattice problems that are known to outperform classical algorithms,even though this is probably one of the most important open questions in thefield of quantum computing. We do not know, however, if this conjecture istrue.

In fact, one could also interpret our main theorem as a way to disprove thisconjecture: if one finds an efficient algorithm for LWE, then one also obtainsa quantum algorithm for approximating worst-case lattice problems. Such aresult would be of tremendous importance on its own. Finally, we would liketo stress that it is possible that our result can be made classical. This wouldmake all our results stronger and the above discussion unnecessary.

The LWE problem can be equivalently presented as the problem of decod-ing random linear codes. More specifically, let m = poly(n) be arbitrary andlet s ∈ Zn

p be some vector. Then, consider the following problem: given a ran-dom matrix Q ∈ Zm×n

p and the vector t = Qs+e ∈ Zmp where each coordinate

of the error vector e ∈ Zmp is chosen independently from Ψα, recover s. The

Hamming weight of e is roughly m(1− 1/(αp)) (since a value chosen from Ψα

is 0 with probability roughly 1/(αp)). Hence, the Hamming distance of t fromQs is roughly m(1− 1/(αp)). Moreover, it can be seen that for large enoughm, for any other word s′, the Hamming distance of t from Qs′ is roughlym(1−1/p). Hence, we obtain that approximating the nearest codeword prob-lem to within factors smaller than (1− 1/p)/(1− 1/(αp)) on random codes isas hard as quantumly approximating worst-case lattice problems. This gives apartial answer to the important open question of understanding the hardnessof decoding from random linear codes.

It turns out that certain problems, which are seemingly easier than theLWE problem, are in fact equivalent to the LWE problem. We establish theseequivalences using elementary reductions. For example, being able to distin-guish a set of equations as above from a set of equations in which the bi’s arechosen uniformly from Zp is equivalent to solving LWE. Moreover, it is enoughto correctly distinguish these two distributions for some non-negligible frac-tion of all s. The latter formulation is the one we use in our cryptographicapplications.

Cryptosystem.

Using our main theorem, we obtain a public key cryptosystem whose securityis based on the worst-cast quantum hardness of approximating SIVP and SVPto within O(n1.5). In other words, breaking our cryptosystem implies an effi-cient quantum algorithm for approximating SIVP and SVP to within O(n1.5).We should emphasize that the cryptosystem is completely classical; it is only

5 On Lattices, LWE, Random Linear Codes and Cryptography 25

in the proof of its security that we use quantum computation. In fact, thecryptosystem itself is quite simple.

Previous cryptosystems, such as the Ajtai-Dwork cryptosystem [4] and theone by Regev [15], were only based on the worst-case hardness of the unique-SVP problem, a special case of SVP whose hardness is not so well understood.Basing a cryptosystem on the worst-case hardness of SVP and SIVP is animportant open problem. Our cryptosystem does not quite solve this openproblem because of its quantum aspects.

Another important feature of our cryptosystem is its improved efficiency.In previous cryptosystems, the public key size is O(n4) and the encryptionincreases the size of messages by a factor of O(n2). In our cryptosystem, thepublic key size is only O(n2) and encryption increases the size of messagesby a factor of only O(n). This possibly makes our cryptosystem practical.Moreover, using an idea of Ajtai [3], we can reduce the size of the public keyto O(n). This requires all users of the cryptosystem to share some random bitstring of length O(n2). This can be achieved by, say, distributing such a bitstring as part of the encryption and decryption software.

Finally, we mention that learning problems related to ours were alreadysuggested as possible sources of cryptographic hardness, e.g., [7, 6], althoughthis was done without establishing any connection to lattice problems.

Why quantum?

This paper is almost entirely classical. In fact, quantum is needed only inone step in the proof of the main theorem. Making this step classical wouldmake the entire reduction classical. To demonstrate the difficulty, consider thefollowing situation. Let L be some lattice and let d = λ1(L)/n10 where λ1(L)is the length of the shortest nonzero vector in L. We are given an oracle thatfor any point x ∈ Rn within distance d of L finds the closest lattice vector tox. If x is not within distance d of L, the output of the oracle is undefined.Intuitively, such an oracle seems quite powerful; the best known algorithmsfor performing such a task require exponential time. Nevertheless, we do notsee any way to use this oracle classically. Indeed, it seems to us that the onlyway to generate inputs to the oracle is the following: somehow choose a latticepoint y ∈ L and let x = y + z for some perturbation vector z of length atmost d. Clearly, on input x the oracle outputs y. But this is useless since wealready know y!

It turns out that quantumly, such an oracle is quite useful. Indeed, beingable to compute y from x allows us to uncompute y. More precisely, it allowsus to transform the quantum state |x,y〉 to the state |x, 0〉 in a reversible(i.e., unitary) way. This ability to erase the contents of a memory cell in areversible way seems useful only in the quantum setting.

Techniques.

Our cryptosystem and its analysis are similar to those in the Ajtai-Dworkcryptosystem [4] and the one by Regev [15] (in fact, our analysis is some-

26 Oded Regev

what simpler technically). We believe that the novel part of the paper is themain theorem and in particular, its proof. We now describe some of the newtechniques in our proof.

All lattice-based constructions of one-way functions [2, 9, 12, 13, 14] usea construction known as an iterative reduction. Essentially, this means thatinstead of ‘immediately’ finding very short vectors in a lattice, the reductionproceeds in steps where in each step shorter lattice vectors are found. Typi-cally, in each step the length of the vectors found decreases by some factor,say 2, so that after a polynomial number of steps we end up with vectorsthat are within some polynomial factor of the shortest. Iterative reductions,however, were so far never used in the construction of lattice-based public-keycryptosystems. Our main theorem is the first to apply iterative reductions inthis context. Moreover, we believe that the use of iterative reductions is whatallows us to relate the LWE problem to lattices, and in particular to problemslike SVP and SIVP (as opposed to unique-SVP).

Our proof is based on the Fourier transform of Gaussian measures, a tech-nique that was developed in previous papers [15, 14, 1]. More specifically, weuse a parameter known as the smoothing parameter, as introduced in [14]. Wealso use the discrete Gaussian distribution and approximations to its Fouriertransform, ideas that were developed in [1].

Open questions.

The main open question raised by this work is whether our results can bedequantized, leading to stronger results based on the classical hardness ofSIVP and SVP. We see no reason why this should be impossible. However,despite our efforts, we were not able to show this. As mentioned above, thedifficulty is that there seems to be no classical way to use an oracle that solvesthe closest vector problem within small distances. Quantumly, however, suchan oracle turns out to be quite useful.

Another important open question is to determine the hardness of the learn-ing from parity with errors problem (i.e., the case p = 2). Our theorem onlyworks for p > 2

√n. It seems that in order to prove similar results for smaller

values of p, substantially new ideas are required. Alternatively, one mightinterpret our inability to prove hardness for small p as an indication thatsubstantially better algorithms should exist for this case. Currently, the bestknown algorithms do not perform significantly better for constant p.

Finally, let us mention another promising direction for future research. Ina recent work of Feige [10], a conjecture was presented regarding the hard-ness of certain random instances of 3SAT. Based on this conjecture, Feigeshowed some interesting hardness of approximation results. In a follow-upwork, Alekhnovich [6] showed strong inapproximability results for the nearestcodeword problem and the problem of approximation matrix rigidity basedon several other conjectures. His conjectures are in fact closely related to theLWE problem and perhaps using our main theorem, some inapproximabilityresults can be derived based on the quantum-hardness of lattices.

References 27

References

1. D. Aharonov and O. Regev. Lattice problems in NP intersect coNP. In Proc.45th Annual IEEE Symp. on Foundations of Computer Science (FOCS), pages362–371, 2004.

2. M. Ajtai. Generating hard instances of lattice problems. In ECCCTR: ElectronicColloquium on Computational Complexity, technical reports, 1996.

3. M. Ajtai. Representing hard lattices with O(n log n) bits. In Proc. 37th AnnualACM Symp. on Theory of Computing (STOC), 2005.

4. M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proc. 29th Annual ACM Symp. on Theory of Computing(STOC), pages 284–293, 1997.

5. M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortestlattice vector problem. In Proc. 33rd ACM Symp. on Theory of Computing,pages 601–610, 2001.

6. M. Alekhnovich. More on average case vs approximation complexity. In Proc.44th Annual IEEE Symp. on Foundations of Computer Science (FOCS), pages298–307, 2003.

7. A. Blum, M. Furst, M. Kearns, and R. J. Lipton. Cryptographic primitivesbased on hard learning problems. In Advances in cryptology—CRYPTO ’93(Santa Barbara, CA, 1993), volume 773 of Lecture Notes in Comput. Sci., pages278–291. Springer, Berlin, 1994.

8. A. Blum, A. Kalai, and H. Wasserman. Noise-tolerant learning, the parityproblem, and the statistical query model. Journal of the ACM, 50(4):506–519,2003.

9. J.-Y. Cai and A. Nerurkar. An improved worst-case to average-case connectionfor lattice problems. In Proc. 38th Annual IEEE Symp. on Foundations ofComputer Science (FOCS), pages 468–477, 1997.

10. U. Feige. Relations between average case complexity and approximation com-plexity. In Proc. 34th Annual ACM Symp. on Theory of Computing (STOC),pages 534–543, 2002.

11. R. Kumar and D. Sivakumar. On polynomial approximation to the shortestlattice vector length. In Proc. 12th Annual ACM-SIAM Symp. on DiscreteAlgorithms, pages 126–127, 2001.

12. D. Micciancio. Improved cryptographic hash functions with worst-case/average-case connection. In Proc. 34th Annual ACM Symp. on Theory of Computing(STOC), pages 609–618, 2002.

13. D. Micciancio. Almost perfect lattices, the covering radius problem, andapplications to Ajtai’s connection factor. SIAM Journal on Computing,2004. Accepted for publication. Available from author’s web page at URLhttp://www.cse.ucsd.edu/users/daniele.

14. D. Micciancio and O. Regev. Worst-case to average-case reductions based onGaussian measures. In Proc. 45th Annual IEEE Symp. on Foundations of Com-puter Science (FOCS), 2004.

15. O. Regev. New lattice based cryptographic constructions. In Proc. 35th AnnualACM Symp. on Theory of Computing (STOC), pages 407–416, 2003.

6

Using Lattice Reduction forCryptanalysis and List Decoding

Alexander May

Department of Computer ScienceTU Darmstadt64289 Darmstadt, Germanymay@informatik.tu-darmstadt.de

Summary. We give an introduction to a method of Don Coppersmith for findingsmall roots of polynomial equations. This method in turn is based on the celebratedLLL lattice reduction algorithm of Lenstra, Lenstra and Lovasz. The talk addressesseveral applications of Coppersmith’s method. We mainly focus on applications inthe field of RSA cryptanalysis with restricted keys. As an exemplary application incoding theory, we present a CRT list decoding algorithm due to Boneh.

Keywords: Lattices, Coppersmith’s method, RSA, CRT list decoding

6.1 Introduction to Coppersmith’s Method

We discuss the problem of finding roots of modular univariate polynomialequation. Let N be a positive integer of unknown factorization with divisorb = Nβ . 1 Let fb(x) be a monic univariate polynomial of degree δ. We arelooking for all small roots of the polynomial fb modulo b. I.e., we want toefficiently find all solutions x0 satisfying

fb(x0) = 0 mod b with |x0| ≤ X,

whereX is an upper bound on the size of the solutions. Our goal is to maximizethe bound X, with the restriction that the running time of our method shouldbe polynomial in the input size, i.e. polynomial in the parameters (logN, δ).

In 1996, Coppersmith [3] proposed an elegant lattice-based method forsolving univariate polynomial equations. His approach is basically a reductionfrom solving modular polynomial equations to solving univariate polynomi-als over the integers. That is one constructs from fb(x) another univariatepolynomial f(x) that contains all the small modular roots of fb(x) over theintegers:

fb(x0) = 0 mod B ⇒ f(x0) = 0 over Z.1 An important special case is b = N .

30 Alexander May

The algorithmic idea for the construction of f(x) from fb(x) can be decribedvia the following two steps:

(1) Fix an integer m. Construct a collection of polynomials f1(x), . . . , fn(x)that all have the small roots x0 modulo bm. As an example, take thecollection

fi(x) = Nm−if i(x) for i = 1, . . . ,mfm+i(x) = xifm(x) for i = 1, . . . ,m.

(2) Construct an integer linear combination f(x) =∑n

i=1 aifi(x), ai ∈ Z suchthat the condition

|f(x0)| < bm

is fulfilled. Notice that bm divides all fi(x0) by construction. Therefore, bm

also divides f(x0). But then f(x0) = 0 mod bm and |f(x0)| < bm, whichimplies that f(x0) = 0 over the integers.

The construction in step (2) is realized by a lattice-based approach. Namely,one can easily show that every polynomial f whose coefficient vector of f(xX)is sufficiently small norm fulfills the condition |f(x0)| < bm. The integer linearcombinations of the coefficient vectors of fi(xX), i = 1 . . . n, form a latticeL. Applying a lattice basis reduction algorithm to a basis of L yields a smallnorm coefficient vector f(xX). One can show that in our case the L3-reductionalgorithm of Lenstra, Lenstra and Lovasz outputs a sufficiently small vector.Therefore, f(x) can be computed in polynomial time.

More precisely, we present the following result.

Theorem 9 Let M be a composite number of unknown factorization withdivisor b ≥ Mβ. Let fb(x) be a monic polynomial of degree δ. Then we canfind all solutions x0 for the equation

fb(x) = 0 mod b with |x0| ≤Mβ2

δ

in time polynomial in (logM, δ).

Coppersmith’s method generalizes in a natural way to modular multivari-ate polynomials fb(x1, . . . , xl). The idea is to construct ` algebraically inde-pendent polynomials f (1), . . . , f (`) that all share the desired small roots overthe integers. The roots are then computed by resultant computations. For` ≥ 2, this is a heuristic method because the algebraic independence of thepolynomials cannot be ensured by our lattice-based construction.

The case of solving multivariate polynomial equations over Z can in turnbe reduced to the case of solving modular multivariate polynomials, as wasshown by Coron in 2004 [5].

6.2 Two applications in RSA Cryptography

In this section, we present two important applications of Theorem 9. Thefirst application is called factoring with high bits known. Let N = pq be an

6.2 Two applications in RSA Cryptography 31

RSA modulus of unknown factorization, where p, q are primes of the samebit-size. Our task is to determine the minimal amount of bits of p that onehas to know in order to factor N in polynomial time. In 1985, Rivest andShamir [11] published an algorithm that factors N given a 2

3 -fraction of thebits of p. Coppersmith [4] improved this bound to 3

5 in 1995. One year later,Coppersmith [3] gave an algorithm using only half of the bits of p.

The factoring with high bits known problem can be reduced to solvingmodular univariate polynomial equations. Let us assume that we are givenhalf of the high-order bits of p, wlog p > q. Omitting constants, we know anapproximation p of p that satisfies |p− p | ≤ N

14 .

Our goal is to recover the least-significant bits of p, i.e. we want to findthe root of the univariate modular polynomial

f(x) = p+ x mod p.

Observe that p− p is a root of f(x) with absolute value smaller than N14 .

Using Theorem 9, this root can be found in polynomial time which yieldsthe factorization of N .

Corollary 10 Let N = pq be an RSA-modulus with p > q. Assume that weare given p with

|p− p | ≤ N14 .

Then N can be factored in polynomial time.

Proof: Apply Theorem 9 with f(x) = p+x, i.e. we have degree δ = 1, β = 12

and M = N . Therefore, we can find all roots x0 with size

|x0| ≤Mβ2

δ = N14 .

Our second application of Theorem 9 addresses the difficulty of computingthe RSA secret exponent from the public information. Let N = pq be an RSA-modulus. Let e, d be the public/secret exponents, respectively, satisfying theequation ed = 1 mod (p − 1)(q − 1). If we are given the public information(N, e) and the factorization of N , then d can be computed in polynomial timeusing the Euclidean algorithm. Rivest, Shamir and Adleman showed that theconverse is also true: Given (N, e, d), one factor N in probabilistic polynomialtime by an algorithm due to Miller [10].

Recently, it was shown in [9] that there is also a deterministic reductionbetween computing d and factorization using Coppersmith’s method. Thisestablishes the deterministic polynomial time equivalence of both problems.

We show that this equivalence is a direct corollary from Theorem 9.

Corollary 11 Let (N, e) be an RSA public key with corresponding secret keyd, where p, q are of the same bit-size and ed < N2. Assume that (N, e, d) isgiven. Then the factorization of N can be found in polynomial time.

32 Alexander May

Proof: In the following analysis, we neglect constants for simplicity reasons.It is easy to see that the knowledge of φ(N) = (p − 1)(q − 1) yields thefactorization of N in polynomial-time. Our goal is to compute φ(N) = N −(p+q−1). Since p, q are of the same bit-size, the term N is an approximationof φ(N) up to roughly N

12 . Therefore, the polynomial

f(x) = N − xmodφ(N)

has a root x0 = p+ q − 1 of size N12 . Let M = ed− 1 = Nα for some α ≤ 2.

We know that M is a multiple of φ(N).Now, we can apply Theorem 9 with the parameter setting: δ = 1, b = φ(N),

M = Nα and β = 1α . We conclude that we can find all roots x0 within the

bound|x0| ≤M

β2

δ = (Nα)1

α2 = N1α .

Since α ≤ 2, we can find all roots within the bound N12 , as desired.

6.3 An Application in Coding Theory: CRT Codes

Our last application of Theorem 9 addresses the task of decoding CRT codes,which are in some sense dual to the well-known Reed-Solomon codes. Decod-ing of Reed-Solomon codes reduces to the following polynomial interpolationproblem.

RS decoding problem: Given k and n points (xi, yi) ∈ F2q, where the xi

are distinct. Find all polynomials f ∈ Fq[x] of degree at most k such thatf(xi) = yi for all but e values of {1, . . . , n}.

The solution f is unique if e < n−k2 and can be found efficiently using the

Berlekamp-Welch algorithm. Surprisingly, it is possible to decode beyond theBerlekamp-Welch bound, however the solution is no longer unique. Recently,Guruswami and Sudan [6] showed that as long as e < n −

√kn a list of all

solutions f can be efficiently computed.The related CRT decoding problem is defined as follows.

CRT decoding problem: Given B ∈ N, and n tuples (ri, pi) ∈ N2, wherethe pi are relatively prime and p1 < p2 < · · · < pn. Find all positive integersm < B such that x = ri mod pi for all but e values of {1, . . . , n}.

Mandelbaum [8] showed that for e < (n − k) log p1log p1+log pn

the solutionis unique and can be efficiently computed using an algorithm analogous toBerlekamp-Welch. In 2000, Boneh showed a bound for CRT codes which re-sembles the Guruswami-Sudan bound. Namely, he showed that as long ase < n−

√kn log pn

log p1a list of all solutions m < B can be efficiently computed.

References 33

Boneh’s algorithm essentially uses Coppersmith’s method for univariatemodular polynomials. Let P =

∏ni=1 pi. Here, we sketch the proof for the

bound e < n − n√

log Blog P · log pn

log p1, from which the analogue of the Guruswami-

Sudan bound can be easily derived. The following theorem is a corollary ofTheorem 9.

Corollary 12 Let B, (ri, pi), 1 ≤ i ≤ n, be an instance of the CRT decodingproblem. Then one can find in polynomial time a list of all solutions m < Bprovided that

e ≤ n− n

√logBlogP

· log pn

log p1.

Proof: Compute R ∈ N such that R = ri mod pi for all 1 ≤ i ≤ n. Defineamp(m) = gcd(P,m−R). First, we show that one can efficiently compute allm < B with

amp(m) > P

qlog Blog P . (6.1)

We start by defining the polynomial f(x) = x−R. Let m be an integer thatsatisfies the bound from Eq.(6.1). Then f(m) = 0modamp(m). We can applyTheorem 9 with the parameter setting b = amp(m), M = P , δ = 1 and

β =√

log Blog P . Thus we can efficiently compute all solutions m satisfying

|m| ≤Mβ2

δ = Plog Blog P = 2log P log B

log P = B,

as desired.If m = rimodpi for all but e locations then amp(m) ≥

∏n−ei=1 pi ≥ pn−e

1 .Hence pn−e

1 has to be larger than the right-hand side of Eq. (6.1). SinceP ≤ pn

n, we can derive the sufficient condition

pn−e1 > p

nq

log Blog P

n .

Solving for e yields the desired bound.

References

1. D. Boneh, “Finding smooth integers in short intervals using CRT decoding”,STOC, pp. 265–272, 2000

2. D. Boneh, G. Durfee, “Cryptanalysis of RSA with private key d less than N0.292”,IEEE Trans. on Information Theory, Vol. 46(4), pp. 1339–1349, 2000

3. D. Coppersmith, “Small solutions to polynomial equations and low exponentvulnerabilities”, Journal of Cryptology, Vol. 10(4), pp. 223–260, 1997.

4. D. Coppersmith, “Factoring with a hint”, IBM Research Report RC 19905, 1995

34 Alexander May

5. J.-S. Coron, “Finding Small Roots of Bivariate Integer Polynomial EquationsRevisited”, Advances in Cryptology (Eurocrypt2004), Lecture Notes in ComputerScience Vol. 3027, Springer-Verlag, 2004

6. V. Guruswami, M. Sudan, “Improved decoding for Reed-Solomon and algebraicgeometric codes”, IEEE Trans. on Information Theory, Vol. 45(6), pp. 1757–1767,1999

7. A. K. Lenstra, H. W. Lenstra, and L. Lovasz, ”Factoring polynomials with ra-tional coefficients,” Mathematische Annalen, Vol. 261, pp. 513–534, 1982

8. Mandelbaum, “Further results on decoding arithmetic residue codes”, IEEETransaction on Information Theory, Vol. 24(5), pp.643–644, 1978

9. A. May, “Computing the RSA Secret Key is Deterministic Polynomial TimeEquivalent to Factoring”, Advances in Cryptology (Crypto 2004), Lecture Notesin Computer Science Volume 3152, pages 213–219, Springer-Verlag, 2004.

10. G.L. Miller, “Riemann’s hypothesis and test for primality”, STOC, pp. 234–239,1975

11. R. Rivest, A. Shamir, “Efficient factoring based on partial information”, Ad-vances in Cryptology (Eurocrypt ’85), Lecture Notes in Computer Science Volume219, pp. 31–34, Springer-Verlag, 1986

List Decoding Interleaved and Folded Reed-Solomon

Codes

Venkatesan Guruswami∗

Department of Computer Science and EngineeringUniversity of Washington

Seattle, WA, U.S.A.

Abstract

The problem of decoding Reed-Solomon (RS) codes (also known as polynomial reconstruc-tion) and its variants have been recently suggested as an intractability assumption to base thesecurity of protocols on. Progress on list decoding algorithms for RS codes has been used insuccessful cryptanalysis of some of these schemes. In a recent work, Guruswami and Rudra [3]present a list decoding algorithm for ”folded” RS codes, which are just RS codes viewed as acode over a larger alphabet. This leads to codes with near-optimal trade-off between the rateand the fraction of errors that can be corrected, namely we can correct a fraction p of errorswith rate approaching 1− p.

Here we briefly describe the construction of such folded RS codes. While we do not discussthe details of the decoding algorithm beyond a high level description, given the cryptographicmotivation of the CLC workshop (on Codes and Lattices in Cryptography), we include a discus-sion of the cryptanalytic context to which the line of research that culminated in this result canbe traced back. In particular, we note that a cryptographic assumption concerning simultaneouspolynomial reconstruction and algorithms for decoding ”interleaved” RS codes that it inspired,eventually, using several ideas, led to the folded RS decoding algorithm.

1 Folded Reed-Solomon codes and list decoding with near-optimalrate

Reed-Solomon (RS) codes are a well-studied and highly influential family of error-correcting codes.For a finite field F and a subset S = {α0, α1, . . . , αn−1} ⊆ F of size n, the RS code RSS,F[n, k] isdefined as

RSS,F[n, k] = {(p(α1), p(α2), . . . , p(αn)) | p(X) ∈ F[X] is a polynomial of degree < k} .

The best known (list) decoding algorithm for RS codes, in terms of number of errors corrected, isdue to Guruswami and Sudan [4] and can correct up to n−

√(k − 1)n errors. In other words, with

rate R one can correct a fraction 1 −√R of errors. An easy random coding argument shows the

existence of codes that can be list decoded with small lists up to a fraction 1 − R of errors. This∗Supported by NSF CCF-0343672, an Alfred P. Sloan Research Fellowship, and a David and Lucile Packard

Fellowship.

1

is, of course, the best one can hope, since information-theoretically we need to receive at least Rncorrect symbols in order to have any hope of recovering the Rn message symbols.

Recently, using a variant of RS codes called folded RS codes, Guruswami and Rudra [3], buildingupon an ingenious construction of “correlated” RS codes by Parvaresh and Vardy [8], were ableto approach the optimal trade-off of p = 1 − R between the fraction p of errors and the rate R.More formally, for any ε > 0, they gave codes of rate R that could be list decoded up to a fraction1−R− ε of errors in nO(1/ε) time.

We now describe an instance of the folded RS code that admits such an improved list decod-ing algorithm. Consider the RS code RSF∗,F[q − 1, k] of block length n = q − 1 over a field ofsize q with the set S = {α0, α1, . . . , αn−1} of evaluation points being all the non-zero elements ofF. Assume that αi = γi for some generator of the multiplicative group F∗ of F. The m-foldedversion of this RS code, denoted FRSF,γ,m,k, is a code of block length N = n/m over Fm. Theencoding of a message consisting of k/m symbols over Fm, viewed in a natural way as a polyno-mial f(X) over F of degree less than k, has as its j’th symbol, for 0 6 j < n/m, the m-tuple(f(γjm), f(γjm+1), · · · , f(γjm+m−1)). In other words, the codewords of the folded RS are in one-one correspondence with those of the original RS code C and are obtained by bundling togetherconsecutive m-tuple of symbols in codewords of C.

For any s, 2 6 s 6 m + 1, the above folded RS code can be list decoded up to a fraction1 − m

m−s+2R1−1/s of errors. (The case m = 1, s = 2 corresponds to RS codes.) Given any desired

ε > 0, picking s = s(ε) large enough, and then picking m large enough compared to s, the decodingradius can be made at least 1−R− ε.

The decoding algorithm is based on multivariate polynomial interpolation, followed by an al-gebraic root-finding step to recover the list of polynomials. For example, for the choice s = 3, oneinterpolates a non-zero trivariate polynomial Q(X,Y, Z) in such a way that any polynomial f(X)that must be output satisfies Q(X, f(X), f(γX)) ≡ 0. Finding f(X) based on this is the non-trivial algebraic component of the decoding algorithm. This is done by noting that f(γX) = f(X)q

mod E(X) for some irreducible polynomial E(X), in fact for the explicit choice E(X) = Xq−1−γ.1This gives an additional algebraic relation (on top of the polynomial Q) between f(X) and f(γX)in the extension field F[X]/(E(X)), and the polynomial f(X) can be recovered by solving these twoalgebraic relations over the extension field. The idea of relating f(γX) to a power of f(X) drawsits inspiration from the work of Parvaresh and Vardy [8], as described in the following account ofthe evolution of this line of work.

2 The cryptographic context and origins

Following [4] and the lack of success in decoding RS codes beyond the 1−√R bound, the hardness

of polynomial reconstruction for random noise far exceeding the 1−√R radius was put forth as a

hardness assumption upon which advanced cryptographic primitives could be built. We point thereader to the survey by Kiayias and Yung for the precise details [6]. In particular, an intractabilityassumption concerning a problem called Simultaneous Polynomial Reconstruction (SPR) was putforth in [5]. In the SPR problem, given integer parameters n, k, t, r and a set of (r + 1)-tuples{(αi, yi1, yi2, . . . , yir)}n

i=1, the goal is to recover a list of all polynomial tuples (p1, p2, . . . , pr) of

1We should note that this choice of E(X) is different and simpler than the choice made in the STOC version [3]of the paper. The algorithm based on this simpler choice will be described in the journal version of the paper.

2

degree less than k that satisfy the following condition: for at least t distinct indices i ∈ {1, 2, . . . , n},we have p`(αi) = yi` for all ` ∈ {1, 2, . . . , r}.

Coding-theoretically, this corresponds to decoding the variant of RS codes where the messageconsists of an r-tuple of independent polynomials of degree less than k over F, and the encodingconsists of joint evaluation of these polynomials at elements of F (so this defines a code over Fr).2

These codes are called interleaved RS codes in the classical coding literature — interleaving is apopular technique to handle bursts of errors, which in presence of interleaving only cause a smallamount of damage to each of the interleaved codewords, and thereby permit recovering each of thethose codewords.

Prompted by the goal of cryptanalysis of the schemes proposed in [5], two independent worksby Coppersmith and Sudan [2] and Bleichenbacher, Kiayias and Yung [1] attempted to refute theintractability assumption concerning SPR by studying the decoding of interleaved RS codes. Inthe sequel let us consider interleaving of order r = 2. A naive way to decode these codes wouldbe to recover the two polynomials individually, by running separate instances of the RS decoder.Of course, this gives no gain over the performance of RS codes. The hope in these works wasthat something can possibly be gained by exploiting that errors in the two polynomials happen at“synchronized” locations. However, these works could not give any improvement over the 1−

√R

bound known for RS codes for worst-case errors. Nevertheless, for random errors, where eacherror replaces the correct symbol by a uniform random field element, they were able to correct wellbeyond a fraction 1−

√R of errors. In fact, as the order of interleaving (i.e., number of independent

polynomials) grows, the radius approaches the optimal value 1−R. This model of random errors isnot very practical or interesting in a coding-theoretic setting, though the algorithms are interestingfrom an algebraic viewpoint.

‘ In [7], Parvaresh and Vardy gave a heuristic decoding algorithm for these interleaved RS codesbased on multivariate interpolation. However, the provable performance of these codes coincidedwith the 1−

√R bound for Reed-Solomon codes. The key obstacle in improving this bound was the

following: for the case when the messages are pairs (f(X), g(X)) of polynomials, two algebraicallyindependent relations were needed to identify both f(X) and g(X). The interpolation methodcould only provide one such relation in general (of the form Q(X, f(X), g(X)) = 0 for a trivariatepolynomial Q(X,Y, Z)). This still left too much ambiguity in the possible values of (f(X), g(X)).(The approach in [7] was to find several interpolation polynomials, but there was no guarantee thatthey were not all algebraically dependent.)

Then, in [8], Parvaresh and Vardy put forth the ingenious idea of obtaining the extra algebraicrelation essentially “for free” by enforcing it as an a priori condition satisfied at the encoder.Specifically, instead of letting the second polynomial g(X) to be an independent polynomial ofdegree less than k, their insight was to make it correlated with f(X) by a specific algebraic condition,such as g(X) = f(X)d mod E(X) for some integer d and an irreducible polynomial E(X) of degreek.

Then, once we have the interpolation polynomial Q(X,Y, Z), f(X) can be found as described inthis chapter: Reduce the coefficients of Q(X,Y, Z) modulo E(X) to get a polynomial T (Y, Z) withcoefficients from F[X]/(E(X)) and then find roots of the univariate polynomial T (Y, Y d). This wasthe key idea in [8] to improve the 1−

√R decoding radius for rates less than 1/16. For rates R→ 0,

their decoding radius approached 1−O(R log(1/R)).2The resulting code is in fact just a Reed-Solomon code where the evaluation points belong to the subfield F of

the extension field over F of degree two.

3

The modification to using independent polynomials does not come for free, however. In par-ticular, since one sends at least twice as much information as in the original RS code, there is noway to construct codes with rate more than 1/2 in the PV scheme. If we use s > 2 correlatedpolynomials for the encoding, we incur a factor 1/s loss in the rate. This proves quite expensive,and as a result the improvements over RS codes offered by these codes are only manifest at verylow rates.

The central idea in the work of Guruswami and Rudra on list decoding folded RS codes [3]was to avoid this rate loss by making the correlated polynomial g(X) essentially identical to thefirst (say g(X) = f(γX)). Then the evaluations of g(X) can be inferred as a simple cyclic shiftof the evaluations of f(X), so intuitively there is no need to explicitly include those too in theencoding. The folded RS encoding of f(X) compresses all the needed information, without anyextra redundancy for g(X). We thus gain back the factor two loss in rate of the PV-scheme. Asuitable choice of parameters then lets us approach a decoding radius of 1 − R2/3 (instead of 1 −(2R)2/3 achieved by Parvaresh and Vardy). Likewise, using higher order say s-variate interpolation(corresponding to (s − 1) correlated polynomials in the PV-scheme), we can approach a decodingradius of 1 − R1−1/s. This explains the intuition behind how folded RS codes can approach theoptimal rate vs. error-correction radius trade-off.

References

[1] D. Bleichenbacher, A. Kiayias, and M. Yung. Decoding of interleaved Reed Solomon codes overnoisy data. In Proceedings of the 30th International Colloquium on Automata, Languages andProgramming, pages 97–108, 2003.

[2] D. Coppersmith and M. Sudan. Reconstructing curves in three (and higher) dimensional spacesfrom noisy data. In Proceedings of the 35th Annual ACM Symposium on Theory of Computing,pages 136–142, June 2003.

[3] V. Guruswami and A. Rudra. Explicit capacity-achieving list-decodable codes. In Proceedingsof the 38th Annual ACM Symposium on Theory of Computing, pages 1–10, May 2006.

[4] V. Guruswami and M. Sudan. Improved decoding of Reed-Solomon and algebraic-geometriccodes. IEEE Transactions on Information Theory, 45:1757–1767, 1999.

[5] A. Kiayias and M. Yung. Secure games with polynomial expressions. In Proceedings of the 28thInternational Colloquium on Automata, Languages and Programming, pages 939–950, 2001.

[6] A. Kiayias and M. Yung. Directions in polynomial reconstruction based cryptography. IEICETransactions, E87-A(5):978–985, May 2004.

[7] F. Parvaresh and A. Vardy. Multivariate interpolation decoding beyond the Guruswami-Sudanradius. In Proceedings of the 42nd Allerton Conference on Communication, Control and Com-puting, 2004.

[8] F. Parvaresh and A. Vardy. Correcting errors beyond the Guruswami-Sudan radius in polyno-mial time. In Proceedings of the 46th Annual IEEE Symposium on Foundations of ComputerScience, pages 285–294, 2005.

4

8

Key security of code-based public keycryptosystem

Nicolas Sendrier

Projet CODES, INRIA, B.P. 105, 78153 Le Chesnay Cedex, France

8.1 Introduction

The message security of code-based cryptosystems is relatively well under-stood, it can be reduced to the difficult problem of decoding in a arbitrarylinear code. The security of the public key (a generator or a parity-checkmatrix) is another matter.

We will limit the scope of this contribution to the main code-based public-key cryptosystem [4, 5, 1] using binary Goppa codes. We will not discuss herewhether those codes are the best choice or not, though the author is convincedit is one of the best.

We examine how the best key attack, or structural attack, perform inpractice.

More theoretically, there is a security reduction for those cryptosystemsto the hardness of decoding and to the pseudo-randomness of Goppa codes.The pseudo-randomness of Goppa codes is not as well understood as thehardness of decoding is. We present some open problems which could helpunderstanding that aspect of the security reduction.

8.2 Preliminaries

8.2.1 Goppa codes and public key

We consider here the key security of code-based public key cryptosystem. Inthat context, the aim of the attacker is to recover the secret key from thepublic key.

The secret key is a binary t-error correcting irreducible Goppa code of fulllength n = 2m. Such a code, denoted Γ (L, g) is completely described by

• a support L = (α0, . . . , αn−1), which is an ordered list of distinct elementsof F2m ,

40 Nicolas Sendrier

• a generator g(z), which is an irreducible monic polynomial of degree t overF2m .

The public key G = (I | R) is a k× n generator matrix (with n = 2m andk = n − tm) in systematic form1 of Γ (L, g). Note that the systematic formwith the identity on the leftmost position is unique. A typical set of secureparameters is (m, t) = (11, 30), providing a 1718 × 2048 binary matrix for G(or a 1718× 330 binary matrix for R).

8.2.2 Equivalence, invariants and signatures

Two binary codes C and C ′ of length n are equivalent, denoted C ∼ C ′, ifC ′ = σC for some permutation σ of In = {0, . . . , n− 1}, where

σC = {(xσ−1(i))i∈In| (xi)i∈In

∈ C}.

A code invariant I is a property of a code which is preserved by equivalence,that is I(C) = I(σC) for any σ. A code signature S takes as arguments acode C of length n and an index i ∈ In and is such that for all permutationσ of In we have S(C, i) = S(σC, σ(i)). A signature S is fully discriminant fora code C if all the S(C, i), i ∈ In are distincts.

Remarks:

• From any invariant I one can derive the signature S(C, i) = I(Ci) (seefootnote2).

• If the signature S is fully discriminant for C, then for all C ′ ∼ C, the per-mutation σ between C and C ′ can be recovered by the following matchings

j = σ(i) ⇔ S(C, i) = S(C ′, j)

8.2.3 The support splitting algorithm

The support splitting algorithm [7] computes the permutation between twobinary linear codes. It takes as arguments two binary linear codes C and C ′

(in practice two generator matrices) and returns

SSA(C,C ′) ={

false if C 6∼ C ′,σ if C ∼ C ′ with C ′ = σC.

As we have seen in the remark above, the problem can be solved by usinga fully discriminant code signature for C. Obtaining such a signature is not1 we assume that the k left-most element of L allow the Gaussian elimination2 the punctured code Ci is obtained by removing the i-th position in all words of

C

8.3 Key security of McEliece cryptosystem 41

easy, moreover it is different for every code. The support splitting algorithmuses the following signature

S(C, i) =(W(H(Ci)),W(H(C⊥i))

),

where H(C) = C ∩ C⊥ is the hull of C and W(C) is the Hamming weightenumerator of C. The signature S is not fully discriminant. The support split-ting finds a (logarithmic) number of variants of S which altogether produce afully discriminant signature for a given C. The complexity is conjectured tobe O(n3)+O(2hn2 log n) where n is the code length and h the hull dimension.The hull dimension is almost always small for random codes [6].

8.3 Key security of McEliece cryptosystem

8.3.1 Structural attacks on Goppa Codes

There are two known attacks, both exhaustive

1. Pick every possible support L (in fact a permutation) and use the algebraicproperties of Goppa codes to recover the generator polynomial g(z) fromthe public key [2].

2. Pick every possible g(z) and apply the support splitting algorithm, takingas arguments the public key and the code Γ (L0, g) for some arbitraryknown support L0 [3].

Without going into too much details the first attack cost is nn(1+o(1)) and isalways higher than the cost of the second one which is nt(1+o(1)).

8.3.2 Security reduction

To break the McEliece cryptosystem only must be able (at least) to

• either decode t errors in a random binary (n, k) code,• or distinguish a binary Goppa code from a random binary (n, k) code.

The public key will be given as a binary matrix G = (I | R). Not all R corre-spond to a binary Goppa code. The question is : can one make the differencebetween a real R and random data? A Goppa code distinguisher will be amapping D : Mk,n−k → {0, 1}. The advantage of D is defined as3

AD = |Pr(D(R) = 1 | G(R) = 1)− Pr(D(R) = 1 | G(R) 6= 1)|

We will say that binary Goppa codes are pseudo-random if there exist noefficient distinguisher, that is running in time T with an advantage ε andT/ε < P (n) for any polynomial P (). The distinguishers of §8.3.1 have anadvantage ε = 1 but run in exponential time. We conjecture that binaryGoppa codes are pseudo-random.3 G(R) = 1 if an only if G = (I | R) is the generator matrix of some binary Goppa

code.

42 Nicolas Sendrier

8.4 Open problems

Links between efficient distinguisher and easy discriminant invariants.

Obtaining an efficient distinguisher for Goppa codes is likely to be same prob-lem as finding an easy invariant (i.e. computable in polynomial time) whichis discriminant for Goppa codes.

Do we know all easy invariants?

In practice, only one non trivial easy invariant is known: the weight enumera-tor of the hull (used by the support splitting algorithm). As far as we can tell,it does not discriminate Goppa codes: the dimension spectrum of the hull ofbinary Goppa codes looks the same as for random codes [6].

Other discriminant invariants are expensive: minimum distance, weightenumerator. . . Furthermore, little is known about the weight enumerator ofGoppa codes, and it may not provide a distinguisher with a large advantage.

Vertigan’s complexity results.

Dirk Vertigan has proved some interesting results on the difficulty for com-puting the Tutte polynomial [8]. This polynomial is defined in graph theoryand its counterpart in coding theory is the Hamming weight enumerator. Ver-tigan’s results translated to coding theory4 states that evaluating the weightenumerator polynomial in any point is always difficult except for a finite num-ber of points which provides trivial information except for one who gives thecardinality of the hull.

In practice, this means that any code invariant that is directly obtainedby evaluation of the weight enumerator is difficult (except those we know).Can we extend those results to other properties of the weight enumerator?

Are all invariants connected with the weight enumerator?

This raises one last question, are there any code invariants that are not re-lated (directly or not) with the weight enumerator? If not, is there any wayto use complexity results to state that all easy invariants are known, andnone of them discriminates Goppa? This would certainly tighten the securityreduction of the McEliece cryptosystem.

References

1. N. Courtois, M. Finiasz, and N. Sendrier. How to achieve a McEliece-based digitalsignature scheme. In C. Boyd, editor, Asiacrypt 2001, number 2248 in LNCS,pages 157–174. Springer-Verlag, 2001.

4 D. Vertigan, Private communication

References 43

2. J. K. Gibson. Equivalent Goppa codes and trapdoors to McEliece’s publickey cryptosystem. In D. W. Davies, editor, Advances in Cryptology - EURO-CRYPT’91, number 547 in LNCS, pages 517–521. Springer-Verlag, 1991.

3. P. Loidreau and N. Sendrier. Weak keys in McEliece public-key cryptosystem.IEEE Transactions on Information Theory, 47(3):1207–1212, April 2001.

4. R. J. McEliece. A public-key cryptosystem based on algebraic coding theory.DSN Prog. Rep., Jet Prop. Lab., California Inst. Technol., Pasadena, CA, pages114–116, January 1978.

5. H. Niederreiter. Knapsack-type crytosystems and algebraic coding theory. Prob.Contr. Inform. Theory, 15(2):157–166, 1986.

6. N. Sendrier. On the dimension of the hull. SIAM Journal on Discrete Mathe-matics, 10(2):282–293, May 1997.

7. N. Sendrier. Finding the permutation between equivalent codes: the supportsplitting algorithm. IEEE Transactions on Information Theory, 46(4):1193–1203,July 2000.

8. D. Vertigan. Bicycle dimension and special points of the Tutte polynomial. Jour-nal of Combinatorial Theory, Series B, 74(2):378–396, November 1998.

9

Syndrome Decoding in the Non-StandardCases

Matthieu Finiasz

No Institute Given

9.1 Introduction

In the late 70’s the McEliece cryptosystem was invented and the syndrome de-coding problem was proven to be NP-complete. The proof of NP-completenessshows that among some instances (those which can be derived from a 3D map-ping problem), some are difficult to solve. The fact that no attack has yet beenfound on the McEliece cryptosystem tends to show that for standard param-eters (like those used in instances of the cryptosystem), finding an attack isnot easy. However, other code based cryptographic constructions rely on thehardness of syndrome decoding, some of them using non-standard parameters.Through the review of a few of these alternate constructions I will introducesome techniques used to solve the problem of syndrome decoding.

9.2 The Problem of Syndrome Decoding

The problem of syndrome decoding is probably the most famous hard problemof coding theory. It is basically a re-writing of the general problem of decodingin terms of syndrome: given a linear code (defined by its parity check matrix)and a random vector, compute the syndrome of this vector and try to find anerror pattern of low weight having the same syndrome. More formally it canbe written as:

Syndrome Decoding: (SD)

Input: a binary n-k × n matrix H, an n-k bit vector S and a weight w.Output: an n bit vector e of Hamming weight ≤ w such that H · e = S.

This problem was proven to be NP-complete in 1978 [2] but of course,depending on the input, some instances can be solved in polynomial time. For

46 Matthieu Finiasz

instance, when w is larger than n2 , solving SD becomes easy, as computing a

pseudo-inverse H−1 of H and computing H−1 · S will return a valid solutionwith large probability. However, for smaller values of w, when a single solutionexists, finding it becomes much harder. For instance, assuming H and S areperfectly random, a solution exists if:(

n

w

)≥ 2n−k. (9.1)

When w is close to the value defined by this bound, the problem of SD isexpected to be hard.

The McEliece and Niederreiter Cryptosystems

In the cryptosystems of McEliece [7] and Niederreiter [8], illegitimate decryp-tion is possible if an instance of SD can be solved. The input of this instanceis a scrambled Goppa code parity check matrix of size mt × 2m, a syndromeof length mt and the target weight is t. In general, for such parameters, nosolution exists as

(2m

t

)< 2mt, but for instances taken from the McEliece (or

Niederreiter) cryptosystems, one knows that a solution exists and that it isunique. Most algorithms designed to solve SD are focused on this type of pa-rameters, but will also work well for any parameters close to the bound givenby equation (9.1).

In this case, the best known algorithms are based on information set de-coding and consist in finding a set of k columns of H such that a solution e tothe problem of SD is all zero on these k positions. Computing a pseudo-inverseH−1 of the remaining n − k columns of H makes it possible to invert S andobtain the solution e. The first algorithm to use this technique was due to Leeand Brickell [6] and then improved by Stern [9]. The latest refinement is dueto Canteaut and Chabaud [3] and greatly improves the polynomial part of thecomplexity of the algorithm. However, this complexity remains exponential ofthe form O

(Poly (n)

(n

n−k

)w).

Typical parameters are m = 11 and t = 30, and thus n = 211, n−k = 330,and w = 30, leading to an attack complexity just above 280.

9.3 McEliece-Based Signatures

In 2001, Courtois, Finiasz and Sendrier [4] presented the first code-basedsignature scheme to rely on the problem of SD. In this construction a counteris appended to the message to sign before hashing it into a syndrome. Thesigner then tries to decode the syndrome and increments the counter until adecodable syndrome is found. The signature then consists of the counter andthe error pattern e corresponding to the syndrome.

9.4 Fast Syndrome Based Hash Function 47

As in the McEliece cryptosystem, the matrix is a scrambled Goppa codematrix, but here the value of t has to be very small: the average numberof decoding attempts before obtaining a decodable syndrome is t!. Typicalparameters are m = 16 and t = 9, and thus n = 216, n − k = 144 andw = 9, once again leading to an attack complexity just above 280 using theCanteaut-Chabaud algorithm.

However, these parameters have been much less studied than previousones: can some attacks take advantage of the very small value of t? Moreover,in this construction the attacker does not have a single instance of SD to solve,but has to solve one among many: each value of the counter corresponds to adifferent instance of SD involving the same matrix. The attacker can now tryto solve multiple instances of SD in parallel, some of which might be easierthan others. This does not seem to improve the complexity of the existingattacks, but might be a weakness against new attacks.

9.4 Fast Syndrome Based Hash Function

Relying on a variation of the SD problem, a family of fast syndrome basedcryptographic hash functions [1] was proposed. In this construction a binarymatrix H is used to build the compression function of a Merkle-Damgardhash function. The input (chaining or initial vector and message block) isconverted into a low weight word using a one to one mapping and the outputis the product of this word by H. For efficiency reasons, instead of convertingthe input into any low weight word, it is converted in a regular word, that is,the word is split in w block of n

w bits and each block has a Hamming weightof 1.

Inverting or finding collisions on the compression function can be reducedto solving an instance of a problem very close to SD, but using regular words,which is also proven to be NP-complete. However, as we need the compres-sion function to compress, it is clear that when trying to invert it or to findcollisions many solutions exist, and finding a single one is enough to break theconstruction. In this case the best algorithm is no longer based on informationset decoding but uses the generalized birthday algorithm of Wagner [10].

This generalized birthday algorithm improves the standard birthday para-dox by only looking for specific solutions and discarding other solutions.Therefore, it does not apply to the standard McEliece parameters of SD as asingle solution exists, but is suitable for values of w yielding many solutions.It applies for any values of w such that:(

nw4

)≥ 2

n−k3 .

The larger w, the more efficient the algorithm will be.

48 Matthieu Finiasz

9.5 The Multiple of Low Weight Problem

In stream cipher analysis and in the trapdoor stream cipher construction ofFiniasz and Vaudenay [5], a key problem is that of finding a multiple of lowweight of a given polynomial on F2.

Multiple of Low Weight Problem:

Input: a polynomial P of degree dP on F2, a weight w and a degree d.Output: a polynomial K of degree ≤ d and weight ≤ w, multiple of P .

This problem can be translated in terms of SD by simply computing thematrix H which columns are defined by Hi = XimodP (X), for i ∈ [1; d].Then, finding a multiple of P of weight ≤ w simply consists in solving aninstance of SD with input H, S = (1, 0, . . . , 0) and weight w − 1.

The best known techniques for solving the multiple of low weight problemuse algorithms designed for SD but it might be possible to improve them basedon the specific structure of the matrix H. Also, for cryptanalysis, d and w canbe chosen by the adversary: a larger d will require to capture more outputbits of the stream cipher, a larger w will also require more output bits andwill increase the complexity of the attack. Each algorithm will thus lead todifferent optimal parameters for the attack and the best attack will dependon the way the multiple polynomial K is used afterwards.

9.6 Conclusion

Algorithms based on information set decoding techniques seem to performbest for most instances of syndrome decoding derived from the cryptosystemsof McEliece and Niederreiter. However, other cryptographic constructions leadto completely different inputs for which deciding which is the best algorithm isnot always obvious. New algorithms do not have to target the cryptosystemsof McEliece and Niederreiter, but can also target these newer constructionswhich might offer more suitable inputs.

References

1. D. Augot, M. Finiasz, and N. Sendrier. A family of fast syndrome based crypto-graphic hash functions. In E. Dawson and S. Vaudenay, editors, Mycrypt 2005,volume 3715 of LNCS, pages 64–83. Springer, 2005.

2. E. R. Berlekamp, R. J. McEliece, and H. C. van Tilborg. On the inherentintractability of certain coding problems. IEEE Transactions on InformationTheory, 24(3), May 1978.

References 49

3. A. Canteaut and F. Chabaud. A new algorithm for finding minimum-weightwords in a linear code: Application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Transactions on Information Theory,44(1):367–378, January 1998.

4. N. Courtois, M. Finiasz, and N. Sendrier. How to achieve a McEliece-baseddigital signature scheme. In C. Boyd, editor, Asiacrypt 2001, volume 2248 ofLNCS, pages 157–174. Springer, 2001.

5. M. Finiasz and S. Vaudenay. When stream cipher analysis meets public-keycryptography. In E. Biham and A.M. Youssef, editors, SAC 2006, volume toappear of LNCS. Springer, 2006.

6. P. J. Lee and E. F. Brickell. An observation on the security of McEliece’s public-key cryptosystem. In C. G. Gunther, editor, Eurocrypt 88, volume 330 of LNCS,pages 275–280. Springer, 1988.

7. R. J. McEliece. A public-key cryptosystem based on algebraic coding theory.DSN Prog. Rep., Jet Prop. Lab., California Inst. Technol., Pasadena, CA, pages114–116, January 1978.

8. H. Niederreiter. Knapsack-type crytosystems and algebraic coding theory. Prob.Contr. Inform. Theory, 15(2):157–166, 1986.

9. J. Stern. A method for finding codewords of small weight. In G. Cohen andJ. Wolfmann, editors, Coding theory and applications, volume 388 of LNCS,pages 106–113. Springer, 1989.

10. D. Wagner. A generalized birthday problem. In M. Yung, editor, Crypto 2002,volume 2442 of Lecture Notes in Computer Science, pages 288–304. Springer,2002.

10

Shorter keys for code based cryptography

Philippe Gaborit

XLIM-DMI, Universite de Limoges, 123,av. A. Thomas, 87000 Limoges, FRANCEEmail: gaborit@unilim.fr

Summary. One of the main problem for the development of public key code basedcryptography is the large size of the public key. In this extended abstract (moredetails can be found in [3]) we present a method to shorten the size of public keysfor code based cryptosystem like the McEliece scheme and the Niederreiter scheme.The main idea of our method is the use of a shorter quasi-cyclic description of gen-erator matrices to reduce their size. In particular the method needs large families ofdecodable quasi-cyclic codes. In the case of binary codes and McEliece cryptosys-tem, starting from the class of binary primitive BCH codes to construct quasi-cycliccodes, we achieve a size of public key of O(n) for n the length of the code and fora suitable security. As an example we propose parameters value with public key ofsize as low as 12 kilo bits for length 2047 and 20 kilo bits for length 4095.

10.1 Introduction

Since the introduction of public key cryptography in the 70’s many cryptosys-tems have been proposed and many have been broken. The most popularcryptosystems rely on number theory problems like the factorization problemor the discrete logarithm problem over suitable groups. The McEliece cryp-tosystem was introduced by McEliece in 1978 and relies on coding theory. Itis one of the few cryptosystems, which is not broken and which does not relyon number theory. This system presents many advantages: it is very fast forboth encryption and decryption and the best known attacks are exponentialin the length of the code, but this system has a very important drawbackwhich explains why it is not as popular as the other cryptosystems: the size ofthe public key, a generator matrix of a long code, is very large, at least severalhundred thousand bits. We give in this extended abstract the general line of amethod to reduce the size of this key. We refer to the work of Nicolas Sendrierin [4],[5] for a more general context on code based cryptography: the McEliececryptosystem, the Niederreiter cryptosystem, the syndrome decoding problemand the two type of classical attacks for these schemes (the structural attacks

52 Philippe Gaborit

and the decoding attack). To fix the notation we consider a generator matrixG of a code C, that we want to mask with a permutation P .

10.2 Shortening the size of the public key

Let us first recall recall basic facts about quasi-cyclic codes.

10.2.1 Quasi-cyclic codes

Definition 13 A code of length n is called quasi-cyclic of order s, for n amultiple of s if every cyclic shift of a codeword by s coordinates is again acodeword.

We remark that a cyclic code is a quasi-cyclic code with s = 1. and thatif C is a cyclic code of length n then C is also quasi-cyclic of order s, for anys which divides n. We may deduce the following result on the structure ofquasi-cyclic codes.

Proposition 14 Let C be a [n, k] quasi-cyclic code of order s with n = rsthen there exists a k′ × n matrix G (with k′ ≥ k), which generates C of theform:

G =

A1 A2 A3 · · · Ar

Ar A1 A2 · · · Ar−1

......

......

...A2 A3 A4 · · · A1

,

where the Ai are k′

r × s matrices.

The following proposition is then used to construct quasi-cyclic subcodesof a quasi-cyclic code:

Proposition 15 Let C be a [n, k] quasi-cyclic code of order s with n = rsthen there exist quasi-cyclic subcodes strictly included in C of order s withdimension greater or equal to k − r = k − n

s . Moreover let C be a s quasi-cyclic [n, k, d] code, then at least 2k−r distinct codes can be constructed.

10.2.2 A new way to describe the public key

For code based cryptosystems, the public key consists in a particular generatormatrix of a code C[n, k, d] permuted on its coordinates. Since the whole matrixhas to be known, the size of the key is k(n − k) bits for a generator matrixin systematic form. If one wants to resist to attacks, the parameters n and klead to a size of key which is too big for many applications.We propose to use a quasi-cyclic code and the fact that the generator matrix ofsuch a code can be described with less information than the whole generator

10.2 Shortening the size of the public key 53

matrix. Indeed, let C be a quasi-cyclic code of order s. From Proposition14 it is possible to associate to C a matrix G, which can be described asin the proposition with the r sub matrices A1, · · · , Ar of size k′

r × s. Nowconsider a given permutation π on s coordinates and apply it on the r sets ofs coordinates (1, · · · , s), · · · , (n − s + 1, · · · , n). The matrix G is turned intoa matrix G′, which can still be described because of the particular structureof G, only with the knowledge of the action of the permutation π on theAi:A1π, · · · , Arπ. Let us denote by Π the permutation matrix which acts onthe sequences of s coordinates:

Π =

π 0 · · · 00 π · · · 0...

......

...0 0 · · · π

,

The knowledge of the A1π, · · · , Arπ permits to retrieve the whole matrixG′:

G′ =

A1π A2π A3π · · · ArπArπ A1π A2π · · · Ar−1π

......

......

...A2π A3π A4π · · · A1π

,

Hence we propose to start from a quasi-cyclic code of order s and toconsider a random permutation π on s coordinates, the public key consistsonly in the knowledge of the matrices A1π, · · · , Arπ, rather than the wholematrix. Considering the key in such way permits to have a public key of sizenk′

r , with k′ in general close to k (to be compared to n(n− k)).Remark: An extraction procedure (that we do not describe here) is alsonecessary to be sure that both sides use the very same matrix.

10.2.3 New scheme, attacks and family of quasi-cyclic codes

• New schemeThe new scheme is like the usual McEliece scheme except that we start

from a matrix which is quasi-cyclic and masked by the permutation describedin the previous section.• Attacks

Besides classical attacks, a specific attack -the support puncturing attack-was described by T. Berger [1] which uses the quasi-cyclic structure of thematrix, meanwhile this attack relies on the knowledge of both the quasi-cyclicand the permuted quasi-cyclic matrices. This attack can be avoided if theattacker does not know the original non permuted used matrix. It corrspondsexactly to the case of the original McEliece scheme with Goppa codes when

54 Philippe Gaborit

the security of the system for the structural attack relies on the fact that thereare many possible Goppa codes.• Choice of a large family of quasi-cyclic code

To avoid the previous attack we propose to start from primitive BCHcodes. These codes are easy to decode and cyclic. Therefore we may use Propo-sition 15 to construct a large family of decodable quasi-cyclic subcodes derivedfrom a unique BCH code (at the price of a loss on the dimension).

10.3 Applications and new parameters

In this section we give new parameters derived from the new way of describ-ing the key for the McEliece cryptosystem. We consider primitive BCH codessince we obtained codes with better parameters than with non primitive BCHcodes.In the following, Message security consists in the complexity of the decodingattack and Structural security consists in the minimum cost of either testingall possible permutation keys (k.s!) or the cost of the support puncturing at-tack (2r). When constructing the quasi-cyclic form of the matrix, the numberof rows may vary with the Ai considered, we denote by the Matrix generationorder the number of rows of the Ai we obtained, this number is necessarilygreater than k

r . It is possible to give systems with many parameters, but wetried to emphasize solutions with small size of key. The public key correspondsto the dual of the code considered in short quasi-cyclic form. The transmissionrate corresponds to k/n.In the following we give two sets of parameters A and B. The set of parametersA corresponds to a public key of 20 kbits and has strong security parameters.The set of parameters B has a key of shorter size, 12 kbits but with tightsecurity parameters.

Security Parameters A : n = 4095, t = 26, s = 45.Parameters of the code:[4095, 3692, 53]Matrix generation order: 5Public Key: 20505 bitsTransmission rate: 0.9Message security : 2100

Structural security : 291

Security Parameters B : n = 2047, t = 31, s = 23.Parameters of the code:[2047, 1617, 63]Matrix generation order: 6Public Key: 12302 bitsTransmission rate: 0.79Message security : 280

Structural security : 285

References 55

The same type of public key can be used for the Niederreiter scheme. It isalso possible to develop the same ideas in the context of decoding the Reed-Solomon codes. Although the Sidelnikov-Shestakov attack permits to recoverthe permutation if one starts from a Reed-Solomon code, their attack is notefficient if one consider subcodes of Reed-Solomon codes. In this case otherrecent attacks exist but they do not seem to be efficient if one consider Reed-Solomon subcodes with co-dimension greater than 4 or 5. In this context it isthen possible (this is a work in progress) to use quasi-cyclic subcodes of Reed-Solomon codes. In particular starting from Reed-Solomon codes of length 255should lead to a public key of size close to 10 kilo bits.

10.4 Conclusion and perspective

In this paper we have introduced the new idea of using quasi-cyclic codesto reduce the size of the McEliece and the Niederreiter cryptosystems. Themethod we propose is very general and permit to reduce the size of the pub-lic key by a factor which can be chosen from the order of quasi-cyclicity ofthe codes. Remark that this method to be used needs a large family of de-codable quasi-cyclic codes. For our application we constructed such a familyfrom quasi-cyclic subcodes of BCH codes but other families may exist. Aninteresting way for future researches would be to construct large families ofquasi-cyclic decodable codes with the same covering radius as Goppa codes(which is not the case for the subcode construction we consider). This wouldpermit to adapt this method to the case of the code based signature schemeof Courtois,Finiasz and Sendrier [2].

ACKNOWLEDGEMENT

We thank T. Berger, G. Kabatianskiy and N. Sendrierfor helpful discus-sions.

References

1. T. P. Berger, private communication.2. N. Courtois, M. Finiasz and N. Sendrier, How to achieve a MCEliece based dig-

ital signature scheme. In Advances in Cryptology-ASIACRYPT 2001, Springer-Verlag.

3. P. Gaborit, Shorter keys for code based cryptography, Workshop on Codes andCryptography, Bergen 2005, p. 81-90.

4. N. Sendrier, Cryptosystemes a cle publique bases sur les codes correcteursd’erreurs, Memoire d’habilitation, Inria 2002, available at: http://www-rocq.inria.fr/codes/Nicolas.Sendrier/pub.html

5. N. Sendrier, On the security of the McEliece public-key cryptosystem, In: M.Blaum, P.G. Farrell and H. van Tilborg, editors, Information, Coding and Math-ematics , pages 141-163. Kluwer, 2002.

11

How to reduce public-key size in McEliece likePKCs ?

Pierre Loidreau

No Institute Given

11.1 Introduction

Since it was designed in 1978 McEliece cryptosystem has resisted any seriouscryptanalysis. In this system, a ciphertext y is obtained from a plaintext xby the following transformation:

y = xGpub ⊕ e,

where Gpub is a generator matrix of the public code and e is a vector ofupper-bounded Hamming weight. Its principal drawback preventing from be-ing efficiently implanted on limited resources media is the size of the public-keyGpub necessary to resist so-called decoding attacks (at least 1Mbyte [2]).

In this presentation we will overview some existing ways to achieve a re-duced key-size by keeping a sufficient security. We review attempts that havebeen made towards reducing the key-size by using properties of the automor-phism group of Goppa codes, of employing other families of codes or, moreradically, by changing the metric in which the decoding problems are consid-ered, or even by modifying the nature of the decoding problem. In parallel,some of these proposals have been rendered obsolete by the design of effi-cient attacks against specific variants. We will present some of these attacks,since their study forms a first step towards an efficient design of resistantcryptosystems with reduced public-key key-size.

11.2 Use of automorphism group of Goppa codes

Goppa codes form the heart of McEliece cryptosystem. To generate a binaryGoppa code, we need a finite field GF (2m) = GF (n) and an irreducible poly-nomial g ∈ GF (n)[x]. Provided g is chosen at random, Goppa codes haveno particular structure and their automorphism group is trivial. However, ifg ∈ GF (2s)[x], where GF (2s) ⊂ GF (2m), then the Frobenius automorphism

58 Pierre Loidreau

of GF (2m)/GF (2s) lies in the automorphism group of the code. Using sucha property we built a system decoding specific patterns of large Hammingweight [7]. Therefore the the complexity of general decoding attacks could beincreased, by preserving the key-size.

Kobara and Imai showed that the structure of the patterns could lead,by some operations on the intercepted ciphertext to solve the problem ofdecoding in a random code patterns of smaller weight, thus gaining very littleon the original cryptosystem [6]. Still, the approach of using code structureto increase the decoding efficiency remains a possibility worth studying.

11.3 Using other families of codes

Being in the Varshamov-Gilbert bound, binary Goppa codes are good codesfor the binary case. However if relax some constraints, it is possible to findbetter codes suitable for the design of a code-based PKC. Namely, one couldinvestigate the case of Generalised Reed-Solomon codes (hereafter denotedGRS codes) that are optimal over extensions of GF (2). For Reed-Muller codes(hereafter denoted RM codes) there exist algorithms that asymptotically cor-rect up to 50% of errors with a vanishing proportion of errors.

11.3.1 Subcodes of GRS codes

If we consider that the elements are taken over a field extension GF (2m), GRScodes form an optimal family of codes in Hamming metric. A GRS code withgenerating vector v = (v1, . . . , vn) over GF (2m) = GF (n) is defined by

GRSk(α,v) = {(v1P (α1), . . . , vnP (αn)) | deg(P ) ≤ k − 1} ,

where the αi are elements of GF (2m). Unfortunately these codes are so muchstructured that they cannot be used as such in cryptosystems. A mannerto scramble their structure consists in using subcodes of GRS codes. Henceone increases slightly the public-key size by keeping a good error-correctingcapability [1].

Together with this approach, another direction towards diminishing thekey-size could be the use of Sudan list-decoding algorithm that can list-decodea GRS code up to n−

√nk errors [10]. By increasing the number of acceptable

errors one can decrease the size of the public-key.

11.3.2 Use of Reed-Muller codes

Theoretically speaking, binary RM codes have an exponentially low correctingcapability compared to their length. However, if one tolerates exponentiallysmall decoding failures, they are asymptotically very good ! Namely, for a rthorder RM code, one can decode asymptotically up to

References 59

n

2

(1−

(2rm

n

)1/2r+1)errors,

for a length n = 2m and a polylinear complexity. With some efficiency-complexity trade-offs, it is possible to increase significantly the decoding ef-ficiency for average length codes (length of several hundreds of bits). Thisproperty was used by Sidel’nikov in 1994 in the design of a public-key cryp-tosystem using as public-key a permuted RM code [9]. There are no knownattacks against a such system. However, for more practical use it would beinteresting to investigate ways of improving again the decoding efficiency ofthe algorithms.

11.4 Using another metric

A more drastic way to decrease the size of the keys is to change Hammingmetric for another metric for which, decoding random linear codes has a highercomplexity than in Hamming metric. The first attempt was the use of rankmetric. The first cryptosystem based on this metric was published in 1991 andthe first identification scheme in 1996 [5, 3]. The best algorithm for achievingminimum distance decoding have a significantly higher complexity than inHamming metric for a same public-key size. Therefore, provided a suitablefamily of codes is used the key-size could theoretically be reduced to severalthousands of bits for a sufficient security. Namely the complexity of decodingup to t errors in a k-dimensional code of minimum rank distance ≥ 2t+1 overGF (2m) in rank metric is proportional to

k32min((t−1)(m−t),(t−1)(k+1))

operations over GF (2). However all cryptosystems using rank metric rely onthe only known family of codes with fast decoding algorithm: Gabidulin codes.They are evaluation codes of linearized polynomials and are so much struc-tured that it is a very challenging task to conceal efficiently their structure ina resistant PKC. Several attempts have been made until now, but their se-curity against the newest and most efficient attacks still have to be discussed[8].

Another way of research concerns the design of public-key cryptosys-tems whose security relies on other decoding problem such as list-decodingof Gabidulin codes, as was discussed in [4], enabling to construct systemswith smaller public-key sizes.

References

1. T. P. Berger and P. Loidreau. How to mask the structure of codes for a cryp-tographic use. Designs, Codes and Cryptography, 35:63–79, 2005.

60 Pierre Loidreau

2. A. Canteaut and N. Sendrier. Cryptanalysis of the original McEliece cryptosys-tem. In K. Ohta and D. Pei, editors, Advances in Cryptology - ASIACRYPT’98,number 1514 in LNCS, pages 187–199, 1998.

3. K. Chen. A new identification algorithm. In E. Dawson and J. Golic, edi-tors, Cryptographic policy and algorithms, volume 1029, pages 244–249. Springer,1996.

4. C. Faure and P. Loidreau. A new public-key cryptosystem based on the problemof reconstructing p-polynomials. In Ø. Ytrehus, editor, Proceedings of the 4thInternational Workshop on Coding and Cryptography, WCC 2005, number 3969in LNCS, pages 304–315, 2006.

5. E .M. Gabidulin, A. V. Paramonov, and O. V. Tretjakov. Ideals over a non-commutative ring and their application in cryptology. In D. W. Davies, editor,EUROCRYPT’91.

6. K. Kobara and H. Imai. On the one-wayness against chosen-plaintext attacksof the Loidreau’s modified McEliece PKC. IEEE Transactions on InformationTheory, 49(12):3160–3168, December 2003.

7. P. Loidreau. Strengthening McEliece public-key cryptosystem. In T. Okamoto,editor, ASIACRYPT 2000.

8. R. Overbeck. A new structural attack for GPT and variants. In E. Dawsonand S. Vaudenay, editors, Proceedings of MyCrypt 2005, volume 3715 of LNCS,pages 50–63. Springer–Verlag, 2005.

9. V. M. Sidel’nikov. A public-key cryptosystem based on binary Reed-Mullercodes. Discrete Mathematics and Applications, 4(3):191–207, 1994.

10. M. Sudan. Decoding Reed-Solomon codes beyond the error-correction diame-ter. In Proceedings of the 35th Annual Allerton Conference on Communication,Control and Computing, pages 215–224, 1997.

12

Personalized-Public-Key Cryptosystem (P2KC)– Application Where Public-Key Size ofNiederreiter PKC Can Be Reduced –

Kazukuni Kobara1 and Hideki Imai2

1 Research Center for Information Security (RCIS)National Institute of Advanced Industrial Science and Technology (AIST)11F 1102, Akihabara-Daibiru, 1-18-13, Soto-Kanda, Tiyoda-ku, Tokyo, 101-0021,Japan

2 Faculty of Science and EngineeringChuo University1-13-27 Kasuga, Bunkyo-ku, Tokyo, 112-8551, Japan

Summary. Usually, one identical public-key is distributed to many people so thatthey can send confidential messages to the person who has the corresponding secret-key. This is a typical usage of Public-Key Cryptosystem (PKC). In contrast, wepropose a new usage of PKC. We call it “Personalized-Public-Key Cryptosystem(P2KC)” where a public-key is used after personalization. For regular PKCs, suchas RSA, ElGamal and Elliptic Curve Cryptosystem (ECC), this usage does notseem interesting, but for the Niederreiter PKC, the McEliece PKC (and maybe fora certain class of Lattice based PKCs and Hidden Field Equations (HFE) basedPKCs) where both the public-key size and the message size are huge and that arebased on combinatorial hardness, this is useful since P2KC can reduce the size ofencryption keys and the encryption cost. This is crucial when encrypters are memoryconstraint devices such as RFID, smart cards, mobile terminals and so on.

12.1 Personalized-Public-Key Cryptosystem (P2KC)

In this paper, we propose a new concept Personalized-Public-Key Cryptosys-tem (P2KC) where a public-key is used after personalization and encryptionis performed using the personalized-public-key (PPK) (and personalization in-formation). Decryption is performed using a single secret-key (and personal-ization information) whatever PPKs are used as long as they are derived fromthe same public-key. P2KC provides us with new, advanced modes of encryp-tion which are unavailable in either public- or secret-key cryptosystems takenseparately.

62 Kazukuni Kobara and Hideki Imai

12.1.1 Usage Modes

We can consider the following three usage modes for the P2KC.

Distribution then Personalization (DP):The decrypter (the owner of the Public Key (PK) and the Secret-Key(SK)) distributes the PK as is (over public but authentic channels) andthen the encrypter who receives the PK personalizes it.

Personalization then Distribution with Hidden PK (PDH):The decrypter personalizes PK to PPKs and then delivers them to eachencrypter (over private channels3). PKs are hidden from anyone in thismode (though the name of the keys include the word “public”). Advantageof hiding PKs is that the size of encryption keys can be reduced. Advantageof PPKs personalized by the decrypter is that these PPKs can be arrangedso that the decrypter can identify the encrypter.

Personalization then Distribution with Open PK (PDO):The same as PDH except PKs are open to the public. Advantage of open-ing PKs is that the same PK can be used both in the DP mode and inthe PDO mode simultaneously.

12.1.2 Advantages of P2KC

First of all, we note that P2KC is not necessarily useful for regular PKCs, suchas RSA, ElGamal and Elliptic Curve Cryptosystem (ECC). This concept is,however, very useful for a certain class of PKCs, such as the Niederreiter PKC,the McEliece PKC (and maybe a part of Lattice based PKCs and Hidden-Field-Equations (HFE) based PKCs), where both the public-key size and themessage size are huge and that are based on combinatorial problems ratherthan number theoretical problems. The advantages of P2KC (in DP mode)to PKC is that encrypters do not need to possess large keys and that it canreduce the encryption cost.

The advantages of P2KC in PDH and PDO modes to symmetric key cryp-tosystem are summarized below.

No Plaintext Key-ID

In a pure symmetric-key cryptosystem, with which no public-key cryptosystemis composed, the encrypter must send the Key-ID with the ciphertext so thatthe decrypter can identify the key to be use in the decryption4. The Key-3 If parameters are chosen appropriately, PPKs can be delivered over public chan-

nels even though the key size usually becomes larger.4 Key-IDs can either be omitted or encrypted with a common key shared among

the group, but the former requires the decrypter to try all the decryption keys itmanages and the latter has the risk that malicious members might leak out thecommon key to the public.

12.2 Generic Models 63

IDs allow eavesdroppers to link the parties involved in the communications5,which is not suited for privacy conscious applications, such as RFID.

P2KC does not require sending Key-IDs in plaintext since each decrypterhas only one secret key (or a few if they have) to communicate with hugenumber of senders due to the property of PKC.

Partial Forward/Backward Secrecy

If parameters are chosen appropriately, P2KC can provide partial forward/back-ward secrecy or moderate partial forward/backward secrecy whose definitionsare as follows:

Definition 1 (Partial Forward/Backward Secrecy) Partial forward/backwardsecrecy is said to be satisfied if it is hard to decrypt the ciphertexts even afterthe encryption key reveals out.

Definition 2 (Moderate Partial Forward/Backward Secrecy) Moderate par-tial forward/backward secrecy is said to be satisfied if it maintains moderatelevel of difficulty to decrypt the ciphertexts even after the encryption key re-veals out.

Obviously, symmetric-key cryptosystems do not satisfy either of them sincerevealment of the encryption key immediately allow adversaries to decrypt allthe ciphertexts encrypted with it.

12.2 Generic Models

In this section, we define the generic models of PKC and P2KC.

12.2.1 Generic Model of PKC

PKC consists of three algorithms (KeyGen(), Enc(), Dec()) where:

KeyGen(): a probabilistic algorithm that accepts a security parameter(or a set of parameters) and then outputs a secret-key sk and its public-key pk.

Enc(): a deterministic or a probabilistic algorithm that accepts pk, a mes-sage msg (and a random source) and then outputs its ciphertext c.

Dec(): a deterministic algorithm that accepts c and then outputs msg.

5 Key-IDs may be changed synchronously between the encrypter and the decrypter,but this makes the system more complex especially when making backup and/orrestoring the keys.

64 Kazukuni Kobara and Hideki Imai

12.2.2 Generic Model of P2KC

We propose two kinds of P2KCs, P2KC1 and P2KC2. The former is available ifthe decrypter knows the personalization information and the latter is availableif the encrypter knows it. That is, P2KC1 fits with the usage modes PDO andPDH, and P2KC2 fits with DP. (But even in the DP mode P2KC1 is availableby feeding back the personalization information to the decrypter, and P2KC2

is available even in the PDO and PDH modes by telling the personalizationinformation to the encrypter.)

P2PK1 consists of the four algorithms (KeyGen(), Pers(), PEnc(), PDec())and P2PK2 consists of (KeyGen(), Pers(),KEnc(),KDec()) whereKeyGen()and Dec() are the same as those in the PKC and PEnc(), PDec(), KEnc()and KDec() are given as follows:

Pers(): a deterministic or a probabilistic algorithm that accepts pk, apersonalization info pi (and a random source), and then outputs thepersonalized-public-key ppk.

PEnc(): a deterministic or a probabilistic algorithm that accepts ppk, amessage msg′ (and a random source), and then outputs c.

PDec(): a deterministic algorithm that accepts c, sk and pi, invokes Dec()as a subroutine to obtain msg from c and sk, determines pi from msg,converts msg to msg′ using pi, and finally outputs msg′.

KEnc(): a probabilistic algorithm that accepts ppk, pi and a randomsource, generates a random number msg′, invokes PEnc() as a subroutineto encrypt msg′ to c using ppk, converts msg′ to msg using pm and finallyoutputs both c and ms = h(msg) where h() is a one-way function.

KDec(): a deterministic algorithm that accepts c and sk, invokes Dec()to obtain msg from c and sk, and finally outputs ms = h(msg).

12.3 Construction Using Niederreiter PKC

In this section, we recall the primitive Niederreiter PKC [4] and then extendit to primitive Niederreiter P2KCs.

12.3.1 Primitive Niederreiter PKC

KeyGen(), Enc() and Dec() of primitive Niederreiter PKC are give as follows:

KeyGen(): it accepts parameters n,k and t and then generates the followingthree matrices H, S and P:

H: A parity-check matrix of a t-error-correcting (n, k) binary linear code C,which is an (n− k)× n binary matrix of rank n− k such that C consistsexactly of all w ∈ {0, 1}n with w ·HT = 0, where HT denotes the transposeof H. An efficient algorithm ψ(), which recovers the error vector from agiven syndrome, must be known for H.

12.3 Construction Using Niederreiter PKC 65

S: An (n− k)× (n− k) random binary non-singular matrix.P: An n× n random permutation matrix.

It computes K = SHP and finally outputs a secret-key sk and its public-key pk s.t.

sk = (S,P, ψ())pk = (K, t) .

Enc(): it accepts pk and a message msg, which is encoded in a binary vectorof length n having t 1’s, and then outputs

c = msg ·KT.

Dec(): it accepts c and sk = (S,P, ψ()) and then outputs msg, which isperformed as follows. First, it calculates S−1cT where

S−1 · cT = H · P ·msgT, (12.1)

and S−1 denotes the inverse of S. Second, it applies the decoding algorithmψ() to S−1cT. If WH(msg) ≤ t where WH(msg) denotes the Hamming weightof msg, the algorithm ψ() outputs:

P ·msgT = ψ(S−1cT).

The plaintext msg of c is given by

msgT = P−1(P ·msgT).

12.3.2 Primitive Niederreiter P2KC

Pers(), PEnc(), PDec() and KEnc() for the primitive Niederreiter P2KCare given as follows. (We will omit KDec() since it is obvious from KDec()in Sect. 12.2.2.)

12.3.3 Pers()

It accepts both pk = (K, t) and a personalization info that is given by apersonalization vector pv in this case, i.e. pi = pv, and then outputs ppk =(K1, c2, t, Sub). We will explain what are pv, K1, c2 and Sub below.

The main idea of Pers() for the primitive Niederreiter P2KC is to dividen coordinates (columns) of K into the following (n1 + 2) subsets according tothe personalization vector pv where

Sub0: a set of coordinates that will never be used in PEnc() and KEnc().Sub1: a set of coordinates to be exclusive-ored to make c2 and will always

be added in PEnc() and KEnc().

66 Kazukuni Kobara and Hideki Imai

Subi for (n1 + 2) ≥ i ≥ 2: a set of coordinates to be exclusive-ored to make the (i − 1)-th column of K1, which will be either added ornot added according to the msg′ in PEnc() and KEnc().

A personalization vector pv is a vector of length n consisting of the indices iof Subi, which indicates the j-th column of K to be a member of the Subi.

For example, if pv = {1, 2, 1, 3, 2, 1, 3, 0}, then the 1-st, the 3-rd and the6-th columns of K will be the members of Sub1 and they will be exclusive-oredto make c2. The 2-nd and the 5-th columns of K will join in Sub2 and will beexclusive-ored to be the first column of K1. In the same way, the 4-th and the7-th columns will be exclusive-ored to be the second column of K1. The 8-thcolumn will never be used in this case.

Let |Subi| denote the cardinality of Subi, and let Sub denote the list ofthem, i.e. Sub = {|Sub0|, |Sub1|, · · · |Subn1+1|} and n =

∑(n1+1)≥i≥0 |Subi|.

For example, if n = 8 and pv = {1, 2, 1, 3, 2, 1, 3, 0} then Sub = {1, 3, 2, 2}.Finally, Pers() outputs (K1, c2, t, Sub) as ppk where K1 is a (n− k)× n1

binary matrix, c2 is a binary vector of length (n − k) and Sub is a vector ofpositive integers of length (n1 + 2).

12.3.4 PEnc()

Let Sub′ = {|Sub2|, |Sub3|, · · · , |Subn1+1|}. PEnc() accepts ppk = (K1, c2, t, Sub)and msg′, which is a binary vector of length n1 meeting

msg′ · Sub′ + |Sub1| ≤ t (12.2)

where the inner product and the addition is performed over Z. Finally, itoutputs

c = msg′ ·KT1 ⊕ c2 (12.3)

where the inner product and the exclusive-or ⊕ is performed over Z2.

12.3.5 PDec()

It accepts c, sk and the candidates for pv, invokes Dec() as a subroutine toobtain msg from c and sk, looks for pv being consistent with the recoveredmsg and converts it to msg′ using the found pv, and finally outputs msg′.

For example, if msg = {1, 1, 1, 0, 1, 1, 0, 0} and the candidates for pv arepv1 = {0, 2, 1, 3, 2, 1, 3, 1}, pv2 = {1, 3, 1, 2, 2, 1, 3, 0} and pv3 = {1, 2, 1, 3, 2, 1, 3, 0},the pv being consistent with the msg is pv3 since pv3 says that the 8-th bitmust be 0, the 1-st, the 3-rd and the 6-th bits must be 1, the 2-nd and the5-th bits must be the same, and the 4-th and the 7-th bits must be the same.In the same way, you can check that pv1 and pv2 are not consistent with it.Then it transforms msg = {1, 1, 1, 0, 1, 1, 0, 0} to msg′ according to pv3, which

12.4 Examples of Personalization Vectors 67

is msg′ = {1, 0} since the 2-nd and the 5-th bits of msg are 1 and the 4-thand the 7-th bits of msg are 0.

If pv’s are chosen according to the FDS in the next section, both the searchof the pv being consistent with msg and the transformation from msg to msg′

can be done efficiently.

12.3.6 KEnc()

It accepts ppk = (K1, c2, t, Sub). Let Sub′ = {|Sub2|, |Sub3|, · · · , |Subn1+1|}.It generates a random binary vector msg′ meeting (12.2) and then invokesPEnc() to calculate (12.3). Simultaneously, it transforms msg′ to msg usingpv where msg is a binary vector of length n having t (or less) 1’s. Finally, itoutputs c as a ciphertext and ms = h(msg) as a master secret.

The transformation of msg′ to msg is done by replacing i ≥ 2 in pvwith the i − 1-th bit of msg′. For example, if pv = {1, 2, 1, 3, 2, 1, 3, 0} andmsg′ = {1, 0}, msg = {1, 1, 1, 0, 1, 1, 0, 0}.

12.4 Examples of Personalization Vectors

In this section, we show some examples for designing pv. Let PSubi denote aset of coordinates of K being able to belong to Subi, e. g. if any coordinatecan belong to any subset Subi, PSubi = {1, 2, · · · , n} and then if only somecoordinates can belong to the subset Subi, PSubi ⊂ {1, 2, · · · , n}. A set ofpv can be defined using Sub and PSub. For example, if Sub = {1, 3, 2, 2} andPSubi = {1, 2, · · · , 8} for all i, the set of pv is given by the permutations of{0, 1, 1, 1, 2, 2, 3, 3} and the cardinality of it is 8!/(3!2!2!).

12.4.1 Fixed Domain Shrinking (FDS)

Let n1 = [a × n], n2 = n − n1, t1 = [a × t] and t2 = t − t1 where [x]is a rounded integer of x. One example of the set of pv we recommend isSub = {n2 − t2, t2, 1, · · · , 1}, PSub0 = PSub1 = {n1 + 1, n1 + 2, · · · , n} andPSubi = {1, 2, · · · , n1} for (n1 + 1) ≥ i ≥ 2 whose cardinality is

(n2t2

). We

call it Fixed Domain Shrinking (FDS) since the fixed domain coordinates{n1 + 1, n1 + 2, · · · , n} are shrunk to c2. The advantage of FDS is that thedecrypter can know both pv and msg′ right after seeing msg. The FDS can beused to construct P2KC1 in the PDH mode6, which is useful for constructionof privacy enhanced RFID [5].

6 FDS can also be used in the PDO mode, but the size of K1 must be larger thanthat in the PDH mode.

68 Kazukuni Kobara and Hideki Imai

12.4.2 Random Trimming (RT)

Another example of the set of pv we recommend is Sub = {n1, 0, 1, · · · , 1}and PSubi = {1, 2, · · · , n} for all i. We call it Random Trimming (RT) (sinceit trims n1 coordinates at random). RT can be used to construct P2KC2 inthe DP mode. The advantage of RT is that it can reduce the size of ppkpowerfully.

For example, in the primitive Niederreiter PKC of (n, k, t) = (2048, 1630, 38)7,the size of K is 104.50 KB (or 83.17 KB by making it systematic8), but byconverting it to P2KC2 using RT for a = 0.042, the size of K1 can be reducedto 4.39 KB without deteriorating its security. If (n, k, t) = (2048, 1795, 23) isacceptable, which does not provide 280 binary complexity but still infeasiblein practice, K1 can be reduced to 2.78 KB from 63.25 KB (or 55.44 KB ifsystematic) for K.

References

1. A. Canteaut and F. Chabaud. “A new algorithm for finding minimum-weightwords in a linear code: Application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511”. IEEE Trans. on IT, 44(1):367–378, 1998.

2. K. Kobara and H. Imai. “On the one-wayness against chosen-plaintext attackson the Loidreau’s modified McEliece PKC”. IEEE Trans. on IT, 49(12), 2003.

3. P. J. Lee and E. F. Brickell. “An observation on the security of McEliece’s public-key cryptosystem”. In Proc. of EUROCRYPT ’88, LNCS 330, pages 275–280.Springer–Verlag, 1988.

4. H. Niederreiter. “Knapsack-type cryptosystem based on algebraic coding theory”.Problems of Control and Information Theory, 15(2):157–166, 1986.

5. M. Suzuki, K. Kobara, and H. Imai. “Privacy enhanced and light weight RFIDsystem without tag synchronization and exhaustive search”. In Proc. of 2006IEEE International Conference on Systems, Man, and Cybernetics (to appear),pages –, October 2006.

7 This parameter maintains OW-CPA [2] against the best current attacks [3, 1].8 We recommend non-systematic K to create K1. In the case of systematic K, the

parameter a in RT must be by far larger than 0.042.