List decoding of binary Goppa codes and key reduction for McEliece's cryptosystem
Morgan Barbier, [email protected]
Ecole Polytechnique, INRIA Saclay - Ile de France
17 March 2011, University of Grenoble
Seminar of BIPOP-CASYS
M. Barbier (LIX) List decoding of Goppa codes BIPOP-CASYS 1 / 38
Outline
1. Introduction: principles of list decoding; Johnson's bounds
2. Decoding of Reed-Solomon codes: Berlekamp-Welsh's decoding; Sudan's algorithm; Guruswami-Sudan's algorithm
3. List decoding of Goppa codes: Goppa codes; list decoding
4. Application to McEliece
Definitions
Definition (Linear code)
A linear code $C$ over $\mathbb{F}_q$, of length $n$ and dimension $k$, is a vector subspace of $\mathbb{F}_q^n$ of dimension $k$.
Definition (Distances)
Let $x, y \in \mathbb{F}_q^n$, and $C$ be an $[n, k]$ linear code. The Hamming distance $d(x, y)$ and the minimum distance of $C$, noted $d$, are given by:
$$d(x, y) = \#\{i : x_i \neq y_i\}, \qquad d = \min_{x \neq y \in C} d(x, y).$$
Encoding and decoding
Let $C$ be an $[n, k, d]$ linear code over $\mathbb{F}_q$, $m \in \mathbb{F}_q^k$ be a message, and $e \in \mathbb{F}_q^n$ be an error vector. We define $E$ and $D$ in the following way:
$$E : \mathbb{F}_q^k \longrightarrow C, \qquad D : \mathbb{F}_q^n \longrightarrow \mathbb{F}_q^k \cup \{?\},$$
$$D(E(m) + e) = \begin{cases} m & \text{if } w(e) \le \left\lfloor \frac{d-1}{2} \right\rfloor, \\ m' \text{ or } ? & \text{if } w(e) > \left\lfloor \frac{d-1}{2} \right\rfloor, \end{cases}$$
where $w(e)$ is the Hamming weight of $e$.
Johnson's bounds
Theorem
Let $v \in \mathbb{F}_q^n$ and $e$ be an integer such that
$$e < J(n, d, q) \triangleq n\,\frac{q-1}{q}\left(1 - \sqrt{1 - \frac{q}{q-1}\,\frac{d}{n}}\right),$$
then $|B(v, e) \cap C| \le n^2$.
When $q \to +\infty$, we obtain the generic Johnson bound:
$$J(n, d) = n - n\sqrt{1 - \frac{d}{n}}.$$
For the binary case ($q = 2$):
$$J(n, d, 2) = \frac{n}{2} - \frac{n}{2}\sqrt{1 - \frac{2d}{n}}.$$
Comparison of the Johnson bounds
[Figure: plot of $e/n$ (normalised error capacity, 0 to 0.5) against $d/n$ (normalised minimum distance, 0 to 0.5), comparing three curves: the binary Johnson bound, the generic Johnson bound and the unambiguous (unique decoding) bound.]
Reed-Solomon codes
Definition (Reed-Solomon codes – as evaluation codes)
Let $x_1, \dots, x_n$ be distinct elements of $\mathbb{F}_q$. A Reed-Solomon code of length $n$ and dimension $k$ over $\mathbb{F}_q$ is
$$RS[n, k] \triangleq \{(P(x_1), \dots, P(x_n)) : P \in \mathcal{P}_k\},$$
where $\mathcal{P}_k = \{P \in \mathbb{F}_q[X] : \deg(P) < k\}$.
$\Longrightarrow$ since the $x_i$ are distinct, $n \le q$: the field must be large enough.
Encoding and decoding of Reed-Solomon codes
Let $P(X) \in \mathcal{P}_k$, then $P(X) = \sum_{i=0}^{k-1} P_i X^i$. We can write $P = (P_0, \dots, P_{k-1}) \in \mathbb{F}_q^k$.
The encoding function $E$ is:
$$\forall m \in \mathbb{F}_q^k \simeq \mathcal{P}_k, \quad E(m) = (m(x_1), \dots, m(x_n)).$$
Usually, the decoding step consists in finding the element $m$ in polynomial form.
Decoding context
Let $x_1, \dots, x_n \in \mathbb{F}_q$, $C$ be the $[n, k, d = n - k + 1]$ Reed-Solomon code over $\mathbb{F}_q$ and $c \in C$; then $\exists P \in \mathcal{P}_k$ such that
$$c = (P(x_1), \dots, P(x_n)).$$
Let the received word $y = (y_1, \dots, y_n) \in \mathbb{F}_q^n$ be such that
$$y = c + e,$$
where $e \in \mathbb{F}_q^n$ and $w(e) \le t \triangleq \left\lfloor \frac{d-1}{2} \right\rfloor$.
From $y$, we have to compute $P$ such that
$$y = (P(x_1) + e_1, \dots, P(x_n) + e_n).$$
Berlekamp-Welsh's idea
There are at least $n - t$ points such that $e_i = 0$, so for these points $y_i = P(x_i)$.
Compute $Q(X, Y) \in \mathbb{F}_q[X, Y]$ such that
$$Q(X, Y) = Q_0(X) + Y \cdot Q_1(X),$$
$$Q(x_i, y_i) = 0, \ \forall i \in \{1, \dots, n\}, \qquad (1)$$
$$\deg(Q_0(X)) \le n - t - 1, \qquad (2)$$
$$\deg(Q_1(X)) \le n - t - k, \qquad (3)$$
with $Q_0(X), Q_1(X) \in \mathbb{F}_q[X]$.
Computation of $P(X)$
Theorem
A polynomial $Q(X, Y) \in \mathbb{F}_q[X, Y]$ satisfying the previous constraints always exists.
Theorem
The polynomial $Q(X, P(X)) \in \mathbb{F}_q[X]$ is the null polynomial.
$$Q(X, P(X)) = Q_0(X) + P(X)\,Q_1(X) = 0 \ \Longrightarrow\ P(X) = -\frac{Q_0(X)}{Q_1(X)}.$$
Algorithm: Berlekamp-Welsh
Input: $y$ the received word, $C$ a Reed-Solomon code.
Output: $P(X)$ the codeword in polynomial form.
1. $Q(X, Y) \longleftarrow \mathrm{InterpolationBW}((x_i, y_i)_{i=1,\dots,n})$,
2. $P(X) \longleftarrow -Q_0(X) / Q_1(X)$.
Main idea of Sudan's algorithm
Decoding $\tau > t$ errors $\Longrightarrow$ several codeword candidates $\Longrightarrow$ several $Y$-linear factors of $Q(X, Y)$.
$$Q(X, Y) = Q_0(X) + Y Q_1(X) + \dots + Y^\ell Q_\ell(X),$$
$$Q(x_i, y_i) = 0, \ \forall i \in \{1, \dots, n\}, \qquad \deg(Q_j(X)) \le n - \tau - 1 - j(k-1), \ \forall j \in \{0, \dots, \ell\}.$$
Computation of $P(X)$
Theorem
A polynomial $Q(X, Y) \in \mathbb{F}_q[X, Y]$ satisfying the previous conditions always exists.
Theorem
The polynomial $Q(X, P(X)) \in \mathbb{F}_q[X]$ is the null polynomial.
The previous theorem gives $Q(X, P(X)) = 0$, so $P(X)$ is a root of $Q_X(Y) \in \mathbb{F}_q[X][Y]$.
$$\Longrightarrow\ Y - P(X) \mid Q(X, Y).$$
Algorithm: Sudan
Input: $y$ the received word, $C$ a Reed-Solomon code.
Output: $(P_1(X), \dots, P_\ell(X))$ a list of codewords.
1. $Q(X, Y) \longleftarrow \mathrm{InterpolationS}((x_i, y_i)_{i=1,\dots,n})$,
2. $(P_1(X), \dots, P_\ell(X)) \longleftarrow \mathrm{LinearFactors}(Q(X, Y))$.
Extension of Sudan's algorithm
If $\exists i \neq j \in \{1, \dots, \ell\}$ and $\exists k \in \{1, \dots, n\}$ such that $P_i(x_k) = P_j(x_k) = y_k$, then $Y - P_i(X)$ and $Y - P_j(X)$ both divide $Q(X, Y)$, so the point $(x_k, y_k)$ is a zero of order at least two.
$\Longrightarrow$ add multiplicity constraints during the interpolation step of $Q(X, Y)$.
Definition (Multiplicity)
Let $(a, b) \in \mathbb{F}_q^2$ and $Q(X + a, Y + b) = \sum_{i,j} q^*_{i,j} X^i Y^j$. The point $(a, b)$ is a zero of $Q(X, Y)$ of multiplicity $s \in \mathbb{N}$ if
$$Q(a, b) = 0, \qquad q^*_{i,j} = 0 \ \text{ for all } i, j \text{ such that } i + j < s,$$
and $s$ is the largest integer satisfying this property.
$Q(X, Y)$ in the case of GS
$$Q(X, Y) = Q_0(X) + Y Q_1(X) + \dots + Y^\ell Q_\ell(X),$$
$$Q(x_i, y_i) = 0, \ \forall i \in \{1, \dots, n\}, \text{ with multiplicity } s,$$
$$\deg(Q_j(X)) \le s(n - \tau) - 1 - j(k-1), \ \forall j \in \{0, \dots, \ell\}.$$
Theorem
A polynomial $Q(X, Y) \in \mathbb{F}_q[X, Y]$ satisfying the previous conditions always exists.
Theorem
The polynomial $Q(X, P(X)) \in \mathbb{F}_q[X]$ is the null polynomial.
$$\Longrightarrow\ Y - P(X) \mid Q(X, Y).$$
Algorithm: Guruswami-Sudan
Input: $y$ the received word, $C$ a Reed-Solomon code.
Output: $(P_1(X), \dots, P_\ell(X))$ a list of codewords.
1. $Q(X, Y) \longleftarrow \mathrm{InterpolationGS}((x_i, y_i)_{i=1,\dots,n}, s)$.
2. $(P_1(X), \dots, P_\ell(X)) \longleftarrow \mathrm{LinearFactors}(Q(X, Y))$.
Definitions
Definition (Subfield subcode)
Let $C$ be a code over $\mathbb{F}_{p^m}$ of length $n$. The subfield subcode $C'$ of $C$ over $\mathbb{F}_{p^e}$, with $e \mid m$, is given by
$$C' \triangleq C \cap \mathbb{F}_{p^e}^n.$$
Definition (Generalised Reed-Solomon – GRS)
Let $\beta_1, \dots, \beta_n$ be distinct elements of $\mathbb{F}_q^*$ and $\alpha_1, \dots, \alpha_n$ be distinct elements of $\mathbb{F}_q^*$. The Generalised Reed-Solomon code (GRS) is given by
$$GRS_k[(\beta_i)_i, (\alpha_i)_i] \triangleq \{(\beta_1 P(\alpha_1), \dots, \beta_n P(\alpha_n)) : P \in \mathcal{P}_k\}.$$
Definition (Alternant codes)
The code $C'$ is called alternant if $C'$ is a subfield subcode of a GRS code.
Goppa codes
Definition (Goppa codes – as alternant codes)
Let $\alpha_1, \dots, \alpha_n$ be distinct elements of $\mathbb{F}_{p^m}^*$ and $G(X)$ a polynomial over $\mathbb{F}_{p^m}$ of degree $r$ such that $\forall i \le n$, $G(\alpha_i) \neq 0$. The Goppa code over $\mathbb{F}_{p^e}$ is given by:
$$\Gamma((\alpha_i)_i, G) \triangleq GRS_{n-r}[(\beta_i)_i, (\alpha_i)_i] \cap \mathbb{F}_{p^e}^n, \qquad \text{where } \beta_i = \frac{G(\alpha_i)}{\prod_{j \neq i}(\alpha_i - \alpha_j)}.$$
Parameters: length $n$, dimension $\ge n - mr$, minimum distance $\ge r + 1$.
Particular property
Theorem
Let $\alpha_1, \dots, \alpha_n$ be distinct elements of $\mathbb{F}_{2^m}^*$ and $G(X)$ a polynomial over $\mathbb{F}_{2^m}$ of degree $r$ such that $\forall i$, $G(\alpha_i) \neq 0$. If $G(X)$ is square-free (without multiple roots) then
$$\Gamma((\alpha_i)_i, G) = \Gamma((\alpha_i)_i, G^2).$$
Parameters: length $n$, dimension $\ge n - mr$, minimum distance $\ge 2r + 1$.
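The two Goppa slides above (the definition as an alternant code and the square-free property), checked by brute force on a small instance. This is an added example, not code from the slides or the author. Assumptions: $m = 4$ with $\mathbb{F}_{16} = \mathbb{F}_2[x]/(x^4 + x + 1)$, support $\alpha_i$ = all 15 nonzero field elements, and the constructed Goppa polynomial $G(X) = X^2 + X + \alpha^3$ (which has no root in $\mathbb{F}_{16}$, hence is square-free). Instead of intersecting $GRS_{n-r}[\beta, \alpha]$ with $\mathbb{F}_2^n$ directly, the code uses the dual description of that GRS code, the parity-check matrix $[\alpha_i^j / G(\alpha_i)]_{j < r}$, which defines the same binary code.

```python
# Added example, not the slides' own code: build a binary Goppa code over
# F_{2^m}, m = 4 (constructed field F_16 = F_2[x]/(x^4 + x + 1)), and check
# dimension >= n - mr, minimum distance >= 2r + 1, and Γ(G) = Γ(G^2).
# Codewords are the binary c with sum_i c_i α_i^j / G(α_i) = 0 for j < r,
# the dual description of the GRS_{n-r}[β, α] code of the slides.
from itertools import product

M = 4
MOD = 0b10011  # x^4 + x + 1, constructed choice of irreducible polynomial


def gf_mul(a, b):
    """Multiply two elements of F_{2^M}, represented as M-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= MOD
    return r


def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def gf_inv(a):
    return gf_pow(a, 2 ** M - 2)  # a^(q-2) = a^(-1) for a != 0


def poly_eval(poly, x):
    """Evaluate a polynomial over F_{2^M} (coefficients low to high) at x."""
    acc = 0
    for c in reversed(poly):
        acc = gf_mul(acc, x) ^ c
    return acc


def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= gf_mul(a, b)
    return out


def goppa_parity_check(support, goppa_poly):
    """Binary parity-check matrix (m*r rows) of Γ((α_i), G): each row of
    [α_i^j / G(α_i)] over F_{2^m} is expanded into its M bit-rows."""
    r = len(goppa_poly) - 1
    rows = []
    for j in range(r):
        big = [gf_mul(gf_pow(a, j), gf_inv(poly_eval(goppa_poly, a))) for a in support]
        rows.extend([(v >> bit) & 1 for v in big] for bit in range(M))
    return rows


def nullspace_gf2(H):
    """Basis of {c in F_2^n : H c^T = 0}, i.e. a generator basis of the code."""
    A = [row[:] for row in H]
    n, pivots, r = len(A[0]), [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(A)) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        for i in range(len(A)):
            if i != r and A[i][c]:
                A[i] = [x ^ y for x, y in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
        if r == len(A):
            break
    basis = []
    for f in (c for c in range(n) if c not in pivots):
        v = [0] * n
        v[f] = 1
        for i, c in enumerate(pivots):
            v[c] = A[i][f]
        basis.append(v)
    return basis


def all_codewords(basis):
    """Every F_2-combination of the basis vectors, as a set of tuples."""
    words = set()
    for coeffs in product((0, 1), repeat=len(basis)):
        w = [0] * len(basis[0])
        for bit, b in zip(coeffs, basis):
            if bit:
                w = [x ^ y for x, y in zip(w, b)]
        words.add(tuple(w))
    return words


def goppa_demo():
    """n = 15 (all of F_16^*), r = 2, G(X) = X^2 + X + α^3 (constructed; no
    root in F_16, hence square-free). Returns the measured parameters."""
    alpha = 2                                   # the element x generates F_16^*
    support = [gf_pow(alpha, i) for i in range(15)]
    G = [gf_pow(alpha, 3), 1, 1]
    assert all(poly_eval(G, a) != 0 for a in support)   # G(α_i) != 0 required
    basis = nullspace_gf2(goppa_parity_check(support, G))
    words = all_codewords(basis)
    words_sq = all_codewords(nullspace_gf2(goppa_parity_check(support, poly_mul(G, G))))
    d = min(sum(w) for w in words if any(w))
    return {"n": 15, "k": len(basis), "d": d, "same_as_G_squared": words == words_sq}
```

Running `goppa_demo()` reports $k \ge n - mr = 7$ and $d \ge 2r + 1 = 5$, and the codeword sets for $G$ and $G^2$ coincide even though the parity-check matrix for $G^2$ has twice as many rows; that is the slide's theorem, and it is what lets a binary Goppa code be decoded as the alternant code of $G^2$ with $2r$ rather than $r$ parity equations.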
Context of decoding
Let $\Gamma((\alpha_i)_i, G)$ be a binary Goppa code of length $n$, where $G$ is a square-free polynomial of degree $r$, and let $y \in \mathbb{F}_2^n$ be the received word.
There exist $e \in \mathbb{F}_2^n$ and $P(X) \in \mathbb{F}_{2^m}[X]$ of degree strictly less than $n - r$ such that
$$y = (\beta_1 P(\alpha_1) + e_1, \dots, \beta_n P(\alpha_n) + e_n), \qquad \text{where } \beta_i = \frac{G(\alpha_i)}{\prod_{j \neq i}(\alpha_i - \alpha_j)}.$$
Decode $y \iff$ find $P$.
Decoding
Let $\Gamma((\alpha_i)_i, G)$ be a binary Goppa code of length $n$, where $G$ is a square-free polynomial of degree $r$, and $y \in \mathbb{F}_2^n$.
Compute $Q(X, Y) \triangleq \sum_{j=0}^{\ell} Q_j(X) Y^j$ such that
$$Q(X, Y) \neq 0,$$
$$Q(x_i, y_i \beta_i^{-1}) = 0 \ \text{ with multiplicity } s(1 - J_2/n),$$
$$Q(x_i, z \beta_i^{-1}) = 0 \ \text{ with multiplicity } s J_2/n, \ \forall z \in \mathbb{F}_2 \setminus \{y_i\},$$
$$\deg(Q_j) < sn\left((1 - J_2/n)^2 + (J_2/n)^2\right) - j(n - mr - 1), \ \forall j \in \{1, \dots, \ell\}.$$
Computation of $P(X)$
Theorem
A polynomial $Q(X, Y) \in \mathbb{F}_{p^m}[X, Y]$ satisfying the previous conditions always exists.
Theorem
The polynomial $Q(X, P(X)) \in \mathbb{F}_q[X]$ is the null polynomial.
$$\Longrightarrow\ Y - P(X) \mid Q(X, Y).$$
Algorithm: Augot, B., Couvreur
Input: $y$ the received word, $\Gamma((\alpha_i)_i, G)$ the Goppa code.
Output: $(c_1, \dots, c_\ell)$ a list of codewords.
1. $Q(X, Y) \longleftarrow \mathrm{InterpolationABC}(y, \Gamma)$.
2. $(P_1(X), \dots, P_\ell(X)) \longleftarrow \mathrm{LinearFactors}(Q(X, Y))$.
3. For $i \in [1, \ell]$ do $c_i \longleftarrow (\beta_1 P_i(\alpha_1), \dots, \beta_n P_i(\alpha_n))$; end for.
Correction radii
[Figure: plot of $e/n$ (normalised error capacity, 0 to 0.5) against $d/n$ (normalised minimum distance, 0 to 0.5), comparing the correction radius of our method with those of Guruswami-Sudan (GS) and Berlekamp-Welsh (BW).]
Complexity
Theorem
To decode a square-free binary Goppa code up to the binary Johnson bound
$$J_2(n, t) = \left\lceil \frac{n}{2}\left(1 - \sqrt{1 - \frac{4r + 2}{n}}\right) \right\rceil - 1,$$
our algorithm runs in $O(n^7)$ field operations.
Theorem
To decode up to $(1 - \varepsilon) J_2$, our algorithm runs in $O(n^2 \varepsilon^{-5})$ field operations.
Context of McEliece
Choose:
- $\Gamma((\alpha_i)_i, G)$ a Goppa code,
- $G$ a generator matrix of $\Gamma$,
- $S$ an invertible matrix,
- $P$ a permutation matrix.
Public key: $(SGP, r)$. Secret key: $(S^{-1}, G, P^{-1})$.
Encryption: $m$ the message, $c = mSGP + e$ such that $w(e) = r$.
Decryption: $c' = cP^{-1}$, $m' = \mathrm{Dec}(c')$, $m = m'S^{-1}$.
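The key generation, encryption and decryption steps of the slide above, run end to end. This is an added example, not code from the slides or the author. Assumption: the Goppa code $\Gamma$ is replaced by the binary Hamming $[7, 4, 3]$ code with syndrome decoding (so $r = 1$ error), which keeps the whole system short while the matrix algebra ($SGP$, $cP^{-1}$, $\mathrm{Dec}$, $m'S^{-1}$) is exactly the slide's; $S$ and $P$ are drawn from a seeded generator.

```python
# Added example, not the slides' own code: McEliece with a toy code.
# Assumption: the Goppa code is replaced by the Hamming [7,4,3] code, whose
# decoder corrects r = 1 error; the key and message flow follow the slide.
import random

# Hamming [7,4,3]: systematic generator G = [I_4 | A], parity check H = [A^T | I_3].
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G_CODE = [[int(i == j) for j in range(4)] + A[i] for i in range(4)]
H_CODE = [[A[j][i] for j in range(4)] + [int(i == j) for j in range(3)] for i in range(3)]
R_ERRORS = 1   # the r of the slide: errors the decoder Dec can correct


def matmul(X, Y):
    """Matrix product over F_2."""
    return [[sum(X[i][k] & Y[k][j] for k in range(len(Y))) % 2
             for j in range(len(Y[0]))] for i in range(len(X))]


def vecmat(v, Mx):
    return matmul([v], Mx)[0]


def transpose(Mx):
    return [list(col) for col in zip(*Mx)]


def inverse_gf2(Mx):
    """Inverse over F_2 by Gauss-Jordan on [M | I]; None if M is singular."""
    n = len(Mx)
    W = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(Mx)]
    for c in range(n):
        piv = next((i for i in range(c, n) if W[i][c]), None)
        if piv is None:
            return None
        W[c], W[piv] = W[piv], W[c]
        for i in range(n):
            if i != c and W[i][c]:
                W[i] = [a ^ b for a, b in zip(W[i], W[c])]
    return [row[n:] for row in W]


def hamming_decode(c):
    """Dec(c'): the syndrome of a single error equals a column of H, so
    flip that position, then return the 4 systematic bits (= m S)."""
    columns = transpose(H_CODE)          # columns[j] is column j of H
    s = vecmat(c, columns)               # syndrome c * H^T
    c = c[:]
    if any(s):
        c[columns.index(s)] ^= 1
    return c[:4]


def keygen(rng):
    """Public key (S G P, r), secret key (S^-1, P^-1); G itself is fixed here."""
    while True:                          # random S until it is invertible
        S = [[rng.randrange(2) for _ in range(4)] for _ in range(4)]
        S_inv = inverse_gf2(S)
        if S_inv is not None:
            break
    perm = list(range(7))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(7)] for i in range(7)]
    G_pub = matmul(matmul(S, G_CODE), P)
    return (G_pub, R_ERRORS), (S_inv, transpose(P))   # P^-1 = P^T


def encrypt(pub, m, rng):
    """c = m S G P + e with w(e) = r."""
    G_pub, r = pub
    c = vecmat(m, G_pub)
    for j in rng.sample(range(len(c)), r):
        c[j] ^= 1
    return c


def decrypt(sec, c):
    """c' = c P^-1, m' = Dec(c'), m = m' S^-1."""
    S_inv, P_inv = sec
    return vecmat(hamming_decode(vecmat(c, P_inv)), S_inv)


def roundtrip(m, seed=7):
    """Full cycle; returns (recovered message, Hamming weight of the added error)."""
    rng = random.Random(seed)
    pub, sec = keygen(rng)
    c = encrypt(pub, m, rng)
    weight = sum(a ^ b for a, b in zip(c, vecmat(m, pub[0])))
    return decrypt(sec, c), weight
```

Decryption works because $cP^{-1} = mSG + eP^{-1}$ is a codeword of the secret code plus an error of the same weight, so $\mathrm{Dec}$ returns $mS$ and multiplying by $S^{-1}$ recovers $m$. With a list decoder in place of $\mathrm{Dec}$, as the next slides propose, the sender could add more than $r$ errors and the receiver would obtain a list of candidate $m'S$ values rather than one.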
List decoding and McEliece
Two types of attack: structural attacks and decoding attacks. $\Longrightarrow$ adding more errors makes the decoding attacks harder and does not add any structure.
The encryption and decryption steps of McEliece's cryptosystem are fast, but the keys are large. $\Longrightarrow$ tradeoff between decreasing the key size and increasing the decryption (decoding) time.
How to find the original plaintext, since list decoding returns several candidates? $\Longrightarrow$ use CCA2-secure McEliece variants.
Key reduction for the generic variant of McEliece
(U.D.: unique decoding, L.D.: list decoding; $\tau_2$: number of errors corrected by list decoding; WF: $\log_2$ of the work factor of the best decoding attack; key size in bits; gain in %.)
Method  m   n     k     r    τ2   WF       Keysize  gain
U.D.    11  1670  1285  35   -    80.0064  494725   -
L.D.    11  1676  1324  32   33   80.0183  466048   5.80
U.D.    12  2677  2101  48   -    112.022  1210176  -
L.D.    12  2353  1657  58   60   112.032  1153272  4.70
U.D.    12  3059  2387  56   -    128.001  1604064  -
L.D.    12  2768  2012  63   65   128.029  1521072  5.17
U.D.    13  4996  3852  88   -    192.002  4406688  -
L.D.    12  4046  2654  116  120  192.006  3694368  16.16
U.D.    13  6718  5171  119  -    256.006  7999537  -
L.D.    13  6357  4745  124  127  256.026  7648940  4.38
Is the dyadic variant broken?
Dyadic codes: quasi-cyclic Goppa codes.
Structural attack: Faugère, Otmani, Perret and Tillich. $\Longrightarrow$ recovers the structure of the alternant code by a Gröbner basis computation, but
1. it does not find the Goppa structure (i.e. $G$, the Goppa polynomial),
2. it needs too much memory for $m \ge 16$.
Key reduction for the dyadic variant, $r(r + 1) > n$
(Same columns as the previous table: U.D. unique decoding, L.D. list decoding, $\tau_2$ errors corrected by list decoding, WF $\log_2$ work factor, key size in bits, gain in %.)
Method  m   n      k     r    τ2   WF       Keysize  gain
U.D.    11  1600   896   64   -    83.368   9856     -
L.D.    11  1536   832   64   67   83.1916  9152     7.14
U.D.    12  2816   1280  128  -    120.341  15360    -
L.D.    12  2688   1152  128  135  117.726  13824    10
U.D.    12  2944   1408  128  -    128.643  16896    -
L.D.    12  2944   1408  128  134  134.514  16896    0
U.D.    14  9216   2048  512  -    196.301  28672    -
L.D.    14  9216   2048  512  544  208.46   28672    0
U.D.    14  10240  3072  512  -    274.745  43008    -
L.D.    14  10240  3072  512  541  290.311  43008    0
Key reduction for the dyadic variant, $m \ge 16$
(Same columns as the previous tables.)
Method  m   n      k     r     τ2    WF       Keysize  gain
U.D.    16  3072   1024  128   -     83.2917  16384    -
L.D.    16  3072   1024  128   134   86.819   16384    0
U.D.    16  5632   1536  256   -     126.439  24576    -
L.D.    16  5376   1280  256   270   114.841  20480    16.66
U.D.    16  9728   1536  512   -     136.433  24576    -
L.D.    16  9728   1536  512   563   149.56   24576    0
U.D.    16  10752  2560  512   -     210.959  40960    -
L.D.    16  18432  2048  1024  1088  195.89   32768    20
U.D.    16  19456  3072  1024  -     265.418  49152    -
L.D.    16  19456  3072  1024  1167  302.507  49152    0