Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes
Magali Bardet¹, Julia Chaulet², Vlad Dragoi¹, Ayoub Otmani¹, Jean-Pierre Tillich²
¹ Normandie Univ, France; UR, LITIS, F-76821 Mont-Saint-Aignan, France.
² Inria, SECRET Project, 78153 Le Chesnay Cedex, France.
PQCrypto 2016
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 1/24

Introduction
McEliece Public-Key Encryption Scheme ('78)
1. Based on linear codes equipped with an efficient decoding algorithm
   - Public key = random basis
   - Private key = decoding algorithm
2. McEliece proposed binary Goppa codes

Introduction: Textbook McEliece encryption scheme
Key Generation step:
1. Pick a $k \times n$ generator matrix $G$ for $C$ (a $t$-error-correcting code with a low complexity decoding algorithm)
2. Randomly pick an $n \times n$ permutation matrix $P$ and a $k \times k$ invertible matrix $S$
3. Private key = $(S, G, P)$ and public key = $(G_{pub}, t)$ with
$$G_{pub} = SGP$$

Introduction: Textbook McEliece encryption scheme
Encryption
For $m \in \mathbb{F}_q^k$,
1. Generate randomly $e \in \mathbb{F}_q^n$ of Hamming weight $t$
2. Cipher text $c = mG_{pub} + e$
Decryption
1. Compute $z = cP^{-1}$, so that $z = mSG + eP^{-1}$
2. Compute $y = \mathrm{Decode}_G(z)$, so that $y = mS$
3. Return $m' = yS^{-1}$, so that $m' = m$
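
The key generation, encryption and decryption steps above, as an added toy example in Python (not code from the talk or its authors). It assumes the $[2^3,4,4]$ code R(1,3) from the m = 3 slides as the secret code with t = 1 and q = 2, and it replaces the efficient decoder with exhaustive nearest-codeword search; all function names are illustrative.

```python
import itertools
import random

# Rows x2, x1, x0, 1 of the m = 3 evaluation table: a generator matrix of
# R(1,3), an [8,4,4] code, so it corrects t = 1 error. (Assumed secret code.)
G = [
    [1, 1, 1, 1, 0, 0, 0, 0],
    [1, 1, 0, 0, 1, 1, 0, 0],
    [1, 0, 1, 0, 1, 0, 1, 0],
    [1, 1, 1, 1, 1, 1, 1, 1],
]
K, N, T = 4, 8, 1


def vec_mat(v, M):
    """Row vector times matrix over F_2."""
    return [sum(v[i] & M[i][j] for i in range(len(v))) % 2 for j in range(len(M[0]))]


def mat_mul(A, B):
    return [vec_mat(row, B) for row in A]


def inverse_gf2(M):
    """Gauss-Jordan inverse over F_2; returns None when M is singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if A[r][col]), None)
        if pivot is None:
            return None
        A[col], A[pivot] = A[pivot], A[col]
        for r in range(n):
            if r != col and A[r][col]:
                A[r] = [a ^ b for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]


def keygen(rng):
    """Private key (S^-1, P), public key G_pub = S G P."""
    while True:  # resample until S is invertible
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        S_inv = inverse_gf2(S)
        if S_inv is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    # Permutation matrix: coordinate i of x lands at coordinate perm[i] of xP.
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    return (S_inv, perm), mat_mul(mat_mul(S, G), P)


def encrypt(m, G_pub, rng):
    """c = m G_pub + e with e of Hamming weight T."""
    e = [0] * N
    for pos in rng.sample(range(N), T):
        e[pos] = 1
    return [a ^ b for a, b in zip(vec_mat(m, G_pub), e)]


def decode(z):
    """Stand-in for Decode_G: try all 2^K messages, keep the nearest codeword."""
    return min(
        (list(y) for y in itertools.product((0, 1), repeat=K)),
        key=lambda y: sum(a ^ b for a, b in zip(vec_mat(y, G), z)),
    )


def decrypt(c, private_key):
    S_inv, perm = private_key
    z = [c[perm[i]] for i in range(N)]  # z = c P^-1 = mSG + e P^-1
    y = decode(z)                       # y = mS
    return vec_mat(y, S_inv)            # m' = y S^-1 = m


def roundtrip_all(seed=2016):
    """Encrypt and decrypt every message once under a key derived from `seed`."""
    rng = random.Random(seed)
    private_key, G_pub = keygen(rng)
    return all(
        decrypt(encrypt(list(m), G_pub, rng), private_key) == list(m)
        for m in itertools.product((0, 1), repeat=K)
    )


if __name__ == "__main__":
    print("all 16 messages round-trip:", roundtrip_all())
```

The only secret that hides the code structure here is the pair (S, P), which is why recovering the permutation P is the stated goal of the cryptanalysis.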

Motivations: Arguments for Polar Codes
Polar codes represent a powerful family of codes
1. They make it possible to attain the capacity of any memoryless channel.
2. They can be decoded with a low complexity algorithm – the successive cancellation decoder by Arikan (2009).
3. Polar codes do not seem to be very structured
Shrestha and Kim proposed in 2014 a McEliece PKC using Polar Codes.
Our main contribution: find the permutation P

Definitions: Polar Codes and Reed-Muller Codes
$$G_m \stackrel{\text{def}}{=} \underbrace{\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix} \otimes \cdots \otimes \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}}_{m \text{ times}}.$$
Definition
- The polar code of length $n = 2^m$ and dimension $k$ is obtained by choosing a specific subset of $k$ rows of $G_m$.
- The $r$-th order Reed-Muller code $R(r,m)$ is obtained by choosing all the rows of $G_m$ with Hamming weight greater or equal to $2^{m-r}$.
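
Polar Codes
We build the generator matrix
$$G_1 = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$$
for m = 2 we have:
$$G_2 = \begin{pmatrix} G_1 & 0 \\ G_1 & G_1 \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 \\ 1 & 0 & 1 & 0 \\ 1 & 1 & 1 & 1 \end{pmatrix}$$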
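
Polar Codes
for m = 3 we have:
$$G_3 = \begin{pmatrix} G_1 & 0 & 0 & 0 \\ G_1 & G_1 & 0 & 0 \\ G_1 & 0 & G_1 & 0 \\ G_1 & G_1 & G_1 & G_1 \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 1 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 \\ 1 & 0 & 1 & 0 & 1 & 0 & 1 & 0 \\ 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \end{pmatrix}$$
The Polar Code $[2^3, 5, 2]$
The first order Reed-Muller Code $R(1,3)$ ($[2^3, 4, 4]$)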

Motivations
The purpose is to find the permutation P
1. General method – Support Splitting Algorithm by Sendrier 2000.
   1. Small Permutation Group (leaves the code invariant)
   2. Small dimension Hull $= C \cap C^{\perp}$
2. Try to adapt the Minder and Shokrollahi attack (Reed-Muller Codes) to Polar Codes.
Polar codes are neither vulnerable to the SSA attack nor to the Minder and Shokrollahi attack
What is the permutation group of Polar Codes?

Monomial Codes
The ambient space is the polynomial ring:
$$R_2[x_0, \dots, x_{m-1}] = \mathbb{F}_2[x_0, \dots, x_{m-1}] / (x_0^2 - x_0, \dots, x_{m-1}^2 - x_{m-1})$$
For any $g \in R_2[x_0, \dots, x_{m-1}]$ we naturally associate the evaluation over all elements in $\mathbb{F}_2^m$.
$$\mathrm{ev}(g) = \big(g(u_0, \dots, u_{m-1})\big)_{(u_0, \dots, u_{m-1}) \in \mathbb{F}_2^m}$$
Let $\mathcal{M}$ denote the set of all monomials
$$\mathcal{M} \stackrel{\text{def}}{=} \{1, x_0, \dots, x_{m-1}, x_0x_1, \dots, x_0 \cdots x_{m-1}\}.$$
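
Monomial Codes: Polar and Reed-Muller Codes
Example for m = 3. Consider $G_3$ and all the elements of $\mathbb{F}_2^3$

| g | 111 | 110 | 101 | 100 | 011 | 010 | 001 | 000 |
|---|---|---|---|---|---|---|---|---|
| x2x1x0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| x2x1 | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
| x2x0 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 |
| x2 | 1 | 1 | 1 | 1 | 0 | 0 | 0 | 0 |
| x1x0 | 1 | 0 | 0 | 0 | 1 | 0 | 0 | 0 |
| x1 | 1 | 1 | 0 | 0 | 1 | 1 | 0 | 0 |
| x0 | 1 | 0 | 1 | 0 | 1 | 0 | 1 | 0 |
| 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |

The $[2^3, 5, 2]$ Polar Code.
The $[2^3, 4, 4]$ Reed-Muller Code or the $R(1,3)$.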
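
The correspondence in the table above, as an added Python example (not code from the talk): it builds $G_m$ as a Kronecker power, checks that its rows are the evaluation vectors of the monomials in the table's order, and selects $R(r,m)$ by row weight. Monomials are encoded as bitmasks (bit i set means $x_i$ divides the monomial), which is a convention of this example, and the five-row selection in the demo is an assumed illustration of the $[2^3,5,2]$ parameters, since the rows chosen on the slide are not visible in the transcript.

```python
from itertools import product

G1 = [[1, 0], [1, 1]]


def kron(A, B):
    """Kronecker product of two 0/1 matrices."""
    return [[a & b for a in ra for b in rb] for ra in A for rb in B]


def kronecker_power(m):
    """G_m: the Kronecker product of m copies of G_1."""
    G = [[1]]
    for _ in range(m):
        G = kron(G1, G)
    return G


def ev(mask, m):
    """Evaluation of a monomial at every point of F_2^m, with the points
    ordered 11..1 down to 00..0 as in the table. Bit i of `mask` set means
    x_i divides the monomial; bit i of the point u is the coordinate u_i."""
    return [int((u & mask) == mask) for u in range(2**m - 1, -1, -1)]


def name(mask):
    """Human-readable monomial, e.g. 0b110 -> 'x2x1', 0 -> '1'."""
    idx = [i for i in range(mask.bit_length() - 1, -1, -1) if (mask >> i) & 1]
    return "".join(f"x{i}" for i in idx) or "1"


def reed_muller_monomials(r, m):
    """Monomials whose row of G_m has Hamming weight >= 2^(m-r)."""
    G = kronecker_power(m)
    return [2**m - 1 - i for i, row in enumerate(G) if sum(row) >= 2 ** (m - r)]


def code_parameters(masks, m):
    """[n, k, d] of the code spanned by the evaluations of distinct monomials.
    k is the number of rows because rows of G_m are linearly independent;
    d is found by enumerating every nonzero codeword."""
    rows = [ev(mask, m) for mask in masks]
    weights = []
    for coeffs in product((0, 1), repeat=len(rows)):
        if any(coeffs):
            word = [0] * 2**m
            for c, row in zip(coeffs, rows):
                if c:
                    word = [a ^ b for a, b in zip(word, row)]
            weights.append(sum(word))
    return [2**m, len(rows), min(weights)]


if __name__ == "__main__":
    # Row i of G_3 is the evaluation of the monomial with bitmask 7 - i.
    for i, row in enumerate(kronecker_power(3)):
        print(f"{name(7 - i):>7}", *row)
    rm13 = reed_muller_monomials(1, 3)
    print([name(x) for x in rm13], code_parameters(rm13, 3))
    # Assumed illustration: R(1,3) plus the row x1x0 gives parameters [8, 5, 2].
    print(code_parameters(rm13 + [0b011], 3))
```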

Decreasing Monomial Codes
Definition (Monomial order)
The monomials of the same degree are ordered as
$$x_{i_1} \dots x_{i_s} \preceq x_{j_1} \dots x_{j_s} \text{ if and only if for any } \ell \in \{1, \dots, s\},\ i_\ell \le j_\ell$$
where we assume that $i_1 > \cdots > i_s$ and $j_1 > \cdots > j_s$.
This order is extended to other monomials through divisibility, namely: $f \preceq g$ if and only if there is a divisor $g^*$ of $g$ such that $f \preceq g^*$.
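
Decreasing Monomial Code
[Figure: diagram of the 16 monomials in $x_0, \dots, x_3$: 1, x0, x1, x2, x1x0, x3, x2x0, x3x0, x2x1, x3x1, x2x1x0, x3x2, x3x1x0, x3x2x0, x3x2x1, x3x2x1x0]
Fact
$\forall g \in \mathcal{M}$ with $\deg(g) > r$ we have $x_{r-1} \dots x_0 \preceq g$.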
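
The monomial order defined above and the Fact, as an added Python example (not code from the talk). Monomials are encoded as bitmasks (bit i set means $x_i$ divides the monomial), the divisor $g^*$ is taken to have the same degree as $f$, and the check runs over every $r \le \deg(g)$, which includes the case stated in the Fact; the function names are illustrative.

```python
from itertools import combinations


def indices(mask):
    """Variable indices of a monomial bitmask, in decreasing order."""
    return [i for i in range(mask.bit_length() - 1, -1, -1) if (mask >> i) & 1]


def name(mask):
    return "".join(f"x{i}" for i in indices(mask)) or "1"


def leq_same_degree(f, g):
    """x_{i1}..x_{is} <= x_{j1}..x_{js}: i_l <= j_l for every position l,
    with both index lists sorted in decreasing order."""
    fi, gi = indices(f), indices(g)
    return len(fi) == len(gi) and all(a <= b for a, b in zip(fi, gi))


def leq(f, g):
    """Extended order: f <= g when some divisor g* of g with deg g* = deg f
    satisfies f <= g* in the same-degree order."""
    s = len(indices(f))
    return any(
        leq_same_degree(f, sum(1 << i for i in divisor))
        for divisor in combinations(indices(g), s)
    )


def lower_set(g, m):
    """All monomials f in m variables with f <= g, as sorted bitmasks."""
    return [f for f in range(2**m) if leq(f, g)]


def fact_holds(m):
    """x_{r-1}...x_0 <= g for every monomial g in m variables and r <= deg(g)."""
    for g in range(2**m):
        for r in range(len(indices(g)) + 1):
            if not leq((1 << r) - 1, g):  # (1 << r) - 1 encodes x_{r-1}...x_0
                return False
    return True


if __name__ == "__main__":
    m = 4  # the 16 monomials of the figure
    print("Fact holds for m = 4:", fact_holds(m))
    for g in (0b1001, 0b0110):  # x3x0 and x2x1
        print(name(g), "dominates", [name(f) for f in lower_set(g, m)])
    # The order is only partial: x3x0 and x2x1 are incomparable.
    print(leq(0b1001, 0b0110), leq(0b0110, 0b1001))
```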
Decreasing Monomial Codes
Definition (Decreasing set)
A set $I \subseteq \mathcal{M}$ is decreasing if and only if
$f \in I$ and $g \preceq f \implies g \in I$.
Definition (Decreasing monomial codes)
The linear code defined by a set $I$ of polynomials is $C(I) = \{\mathrm{ev}(f) \mid f \in I\}$.
1 When $I \subseteq \mathcal{M}$, $C(I)$ is a monomial code.
2 When $I \subseteq \mathcal{M}$ is a decreasing set, $C(I)$ is a decreasing monomial code.
Decreasing Monomial Codes: Main Properties
Theorem (Bardet et al. 2016)
Polar Codes are Decreasing Monomial Codes.
Proposition
The dual of a Decreasing Monomial Code is a Decreasing Monomial Code.
Polar Codes with rate (sufficiently) smaller than $\frac{1}{2}$ are weakly self-dual: $C \subset C^\perp$.
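Decreasing Monomial Codes: Permutation Group
Let $A$ be a lower triangular binary matrix with "1"s on the diagonal and $b$ be an arbitrary element in $\mathbb{F}_2^m$.
For $m = 5$:
$$A = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 \\ \star & 1 & 0 & 0 & 0 \\ \star & \star & 1 & 0 & 0 \\ \star & \star & \star & 1 & 0 \\ \star & \star & \star & \star & 1 \end{pmatrix}, \qquad b = \begin{pmatrix} b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \end{pmatrix}.$$
We define the lower triangular affine group $\mathrm{LTA}_m$ as the set of affine transformations of the form
$x \mapsto Ax + b$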
Decreasing Monomial Codes: Permutation Group
The image of a variable $x_i$ is:
$$x'_i = x_i + \sum_{j=0}^{i-1} a_{ij} x_j + b_i.$$
Theorem
$\mathrm{LTA}_m$ is included in the permutation group of a decreasing monomial code.
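The monomial order, the decreasing-set condition and the LTA theorem above can be checked by brute force on a toy code. The following is an added example, not code from the slides or the authors; the size m = 4, the generating monomials x_3x_0 and x_2x_1, the bitmask encoding of codewords and all function names are assumptions made for illustration.

```python
import random
from itertools import combinations

M = 4            # variables x_0 .. x_3 (toy size chosen for this example)
N = 1 << M       # code length n = 2^m, one coordinate per point of F_2^m

def monomials(m=M):
    """Every monomial in m variables, as a frozenset of variable indices."""
    return [frozenset(c) for d in range(m + 1) for c in combinations(range(m), d)]

def leq(f, g):
    """f <= g in the monomial order: some divisor g* of g with deg g* = deg f
    dominates f index by index (indices sorted in decreasing order)."""
    fs = sorted(f, reverse=True)
    return any(all(a <= b for a, b in zip(fs, sorted(gs, reverse=True)))
               for gs in combinations(g, len(f)))

def decreasing_closure(gens, m=M):
    """Smallest decreasing set containing the monomials in gens."""
    return {g for g in monomials(m) if any(leq(g, f) for f in gens)}

def is_decreasing(I, m=M):
    """Definition: f in I and g <= f implies g in I."""
    return all(g in I for f in I for g in monomials(m) if leq(g, f))

def ev(f):
    """Evaluation codeword of monomial f as an N-bit integer (bit u = f(u))."""
    mask = sum(1 << i for i in f)
    return sum(1 << u for u in range(N) if u & mask == mask)

def span(vectors):
    """All F_2-linear combinations of the given codewords."""
    words = {0}
    for v in vectors:
        words |= {w ^ v for w in words}
    return words

def random_lta(rng, m=M):
    """Random (A, b): A lower triangular with ones on the diagonal, b arbitrary."""
    A = [[1 if j == i else rng.randint(0, 1) if j < i else 0 for j in range(m)]
         for i in range(m)]
    return A, [rng.randint(0, 1) for _ in range(m)]

def affine_image(A, b, u):
    """Image of the point u under x -> Ax + b over F_2."""
    out = 0
    for i in range(M):
        bit = b[i]
        for j in range(M):
            bit ^= A[i][j] & (u >> j) & 1
        out |= bit << i
    return out

def act(A, b, c):
    """Codeword of f(Ax + b), given the codeword c = ev(f)."""
    return sum(1 << u for u in range(N) if (c >> affine_image(A, b, u)) & 1)

def is_invariant(I, A, b):
    """True if x -> Ax + b maps every generator ev(f), f in I, back into C(I)."""
    code = span(ev(f) for f in I)
    return all(act(A, b, ev(f)) in code for f in I)

def demo(trials=20, seed=2016):
    rng = random.Random(seed)
    # Decreasing set generated by x_3x_0 and x_2x_1 (not a Reed-Muller code).
    I = decreasing_closure({frozenset({3, 0}), frozenset({2, 1})})
    gap = {frozenset(), frozenset({1})}   # contains x_1 but not x_0: not decreasing
    shear = [[1, 0, 0, 0], [1, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]]  # x_1 -> x_1 + x_0
    return {
        "size": len(I),
        "decreasing": is_decreasing(I),
        "lta_invariant": all(is_invariant(I, *random_lta(rng)) for _ in range(trials)),
        "gap_decreasing": is_decreasing(gap),
        "gap_invariant": is_invariant(gap, shear, [0] * M),
    }

if __name__ == "__main__":
    print(demo())
```

The set `gap` shows that the decreasing condition is what the theorem relies on: a single element of LTA_4 already maps ev(x_1) outside the code it generates.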
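Cryptanalysis of Polar Codes: Tools and Techniques
Puncturing and shortening a code
$$\mathcal{P}_J(C) \stackrel{\text{def}}{=} \left\{ (c_i)_{i \notin J} \mid c \in C \right\};$$
$$\mathcal{S}_J(C) \stackrel{\text{def}}{=} \left\{ (c_i)_{i \notin J} \mid \exists c = (c_i)_i \in C \text{ such that } \forall i \in J,\ c_i = 0 \right\}.$$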
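The two operators, written out on a small code, as an added example that is not from the slides. The sample code is constructed: it is C(I) for I = {1, x_0, x_1, x_2} with m = 3. The check that the dual of a shortened code equals the punctured dual is a standard coding-theory identity that the slides do not state; function names are assumptions.

```python
from itertools import product

def span(gens):
    """All F_2-linear combinations of the generator rows (tuples of bits)."""
    words = {(0,) * len(gens[0])}
    for g in gens:
        words |= {tuple(a ^ b for a, b in zip(w, g)) for w in words}
    return words

def dual(code, n):
    """Brute-force dual: every length-n vector orthogonal to all codewords."""
    return {v for v in product((0, 1), repeat=n)
            if all(sum(a & b for a, b in zip(v, c)) % 2 == 0 for c in code)}

def puncture(code, J):
    """P_J(C): delete the coordinates indexed by J from every codeword."""
    return {tuple(ci for i, ci in enumerate(c) if i not in J) for c in code}

def shorten(code, J):
    """S_J(C): keep only codewords that are zero on J, then delete J."""
    return puncture({c for c in code if all(c[i] == 0 for i in J)}, J)

# Constructed sample input: rows are ev(1), ev(x_0), ev(x_1), ev(x_2),
# evaluated at the points u = 0..7 of F_2^3 (x_i(u) = bit i of u).
N = 8
GENS = [
    (1, 1, 1, 1, 1, 1, 1, 1),
    (0, 1, 0, 1, 0, 1, 0, 1),
    (0, 0, 1, 1, 0, 0, 1, 1),
    (0, 0, 0, 0, 1, 1, 1, 1),
]
CODE = span(GENS)

def summary(J):
    """Sizes of P_J(C) and S_J(C), plus two consistency checks."""
    P, S = puncture(CODE, J), shorten(CODE, J)
    return {
        "punctured": len(P),
        "shortened": len(S),
        "S_subset_P": S <= P,
        # Standard identity (not on the slides): S_J(C)^perp == P_J(C^perp).
        "dual_identity": dual(S, N - len(J)) == puncture(dual(CODE, N), J),
    }

if __name__ == "__main__":
    print(summary({0, 1}))
    print(summary({4, 5, 6, 7}))   # J = supp(ev(x_2)), a minimum weight codeword
```

Puncturing keeps all 16 codewords when J is smaller than the minimum distance, while shortening always drops the dimension by the rank of the constraints imposed on J.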
Cryptanalysis of Polar Codes: Tools and Techniques
Definition (Signature)
Let $G$ be a subgroup of permutations of $C$ (linear code of length $n$) and $W$ be a subset of $C$ globally invariant under $G$.
$\Sigma(c, C)$ is a signature of $c$ if and only if
(i) $\Sigma(c, C) = \Sigma(c^\pi, C^\pi)$ for $\pi$ from $S_n$ (i.e. $\Sigma$ is invariant by permutation),
(ii) $\Sigma(c, C) \ne \Sigma(c', C)$ if $c$ and $c'$ both belong to $W$ but are not in the same orbit under $G$ (i.e. $\Sigma$ takes distinct values for each orbit).
Cryptanalysis of Polar Codes: Tools and Techniques
Facts
Let $C(I)$ be a decreasing monomial code and $I_r \ne \emptyset$ be the set of maximum degree monomials. Recall that $x_{r-1} \dots x_0 \in I_r$.
$$O_{x_{r-1} \dots x_0} = \left\{ \prod_{i=0}^{r-1} (x_i + b_i) \right\}$$
Cryptanalysis of Polar Codes: Key steps of the attack
1 Find the set of minimum weight codewords $W_{\min}(C)$ and $W_{\min}(C^\pi)$
2 $\forall c \in W_{\min}(C)$: $\Sigma_c = \left( \mathrm{Dim}(\mathcal{S}_{\mathrm{supp}(c)}(C)^\perp),\ W_{\min}(\mathcal{S}_{\mathrm{supp}(c)}(C)^\perp) \right)$; the same definition for $\Sigma_{c^\pi}$.
3 Use the signature and the action of $\mathrm{LTA}_m$ to distinguish the orbits of monomials – in particular $x_{r-1} \dots x_0$ (denote $c_{\min} = \mathrm{ev}(x_{r-1} \dots x_0)$ and $c^\pi_{\min}$)
4 Let $J = \{ j \mid c_{\min}[j] = 0 \}$. Find a permutation that works for $\mathcal{P}_J(C)$ and $\mathcal{P}_{J^\pi}(C^\pi)$. Continue by induction in order to retrieve the underlying Polar Code.
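Cryptanalysis of Polar Codes

| The private polar code $C$ | The public permuted code $C^\pi$ |
| --- | --- |
| $W_{\min}(C) = \mathrm{LTA}_m(I_r)$ (Bardet et al. 2016) | Compute $W_{\min}(C^\pi)$ (Dumer 1991, Stern 1988) |
| $\forall g \in I_r$ compute $\mathcal{S}_{\mathrm{supp}(\mathrm{ev}(g))}(C)^\perp$ | $\forall c^\pi \in W_{\min}(C^\pi)$ compute $\mathcal{S}_{\mathrm{supp}(c^\pi)}(C^\pi)^\perp$ |
| Compute $O_{x_{r-1} \dots x_0} = \left\{ \prod_{i=0}^{r-1} (x_i + b_i) \mid b_i \in \mathbb{F}_2 \right\}$ | Identify $O^\pi_{x_{r-1} \dots x_0}$ using the list of signatures |
| Since $(x_{r-1} + 1) x_{r-2} \dots x_0 \in O_{x_{r-1} \dots x_0}$ | Find $(x_{r-1} + 1) x_{r-2} \dots x_0^\pi$ |
| Compute $(x_{r-1} + 1) x_{r-2} \dots x_0 + x_{r-1} \dots x_0 = x_{r-2} \dots x_0$ | Compute $(x_{r-1} + 1) x_{r-2} \dots x_0^\pi + x_{r-1} \dots x_0^\pi = x_{r-2} \dots x_0^\pi$ |
| Use induction to compute the list $(x_i \dots x_0)_{0 \le i \le r-1}$ | By induction compute $(x_i \dots x_0^\pi)_{0 \le i \le r-1}$ |
| Let $c^i = \mathrm{ev}(x_{i-1} \dots x_0)$ with $c^0 = \mathrm{ev}(1)$ | $(c^i)^\pi = \mathrm{ev}(x_{i-1} \dots x_0^\pi)$ |
| Let $J^i = \{ j \mid c^i[j] = 0 \}$ | Let $(J^i)^\pi = \{ j \mid (c^i)^\pi[j] = 0 \}$ |
| $D^i \stackrel{\text{def}}{=} \mathcal{P}_{J^i}(C)$ | $(D^i)^\pi \stackrel{\text{def}}{=} \mathcal{P}_{(J^i)^\pi}(C^\pi)$ |

Solve the code equivalence for $D^i$ and $(D^i)^\pi$ by induction from $i = r$ down to 0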
Cryptanalysis of Polar Codes: Implementation
We consider the [2048,614]-Polar Code that is able to correct up to 200 errors.
The security level is $2^{105}$, given by generic linear code decoding algorithms.
We checked the decreasing property of both $C$ and $C^\perp$ as well as the weak self-duality property of the code.
$d_{\min}(C) = 32$ and there were $|W_{\min}(C)| = 42176$. For the dual code $d_{\min}(C^\perp) = 8$ and there were 6912 codewords.
It took 27 seconds to find these codewords in $C^\pi$ and 3 seconds to find these codewords in $(C^\pi)^\perp$ on an 8-core XEON E3-1240 running at 3.40 GHz.
The most time consuming part is the last part of the induction. The time for a successful attack was less than 14 days on the same processor.
Summary
Polar Codes in a public key cryptographic scheme are vulnerable to structural attacks.
The introduction of an algebraic formalism was crucial for a successful attack.
A unified formalism for Polar Codes and Reed-Muller Codes under the name of Decreasing Monomial Codes.