list decoding of binary goppa codes and key reduction for

List decoding of binary Goppa codesand key reduction for McEliece’s cryptosystem

Morgan [email protected]

Ecole PolytechniqueINRIA Saclay - Ile de France

17, March 2011University of Grenoble

Seminar of BIPOP-CASYS

M. Barbier (LIX) List decoding of Goppa codes BIPOP-CASYS 1 / 38

Outline

1 IntroductionPrinciples of list decodingJohnson’s bounds

2 Decoding of Reed-Solomon codesBerlekamp-Welsh’s decodingSudan’s algorithmGuruswami-Sudan’s algorithm

3 List decoding of Goppa codesGoppa codesList decoding

4 Application to McEliece


Definitions

Definition (Linear code)

A linear code C over Fq, of length n and dimension k, is vectorial subspaceof Fn

q of dimension k.

Definition (Distances)

Let x , y ∈ Fnq, and C be an [n, k] linear code. The Hamming distance

d(x , y) and the minimum distance, noted d, of C are given by :

d(x , y) = # {i : xi 6= yi} .

d = minx 6=y∈C

d(x , y).


Encoding and decoding

Let C be an [n, k , d ] linear code over Fq,

m ∈ Fkq be a message,

e ∈ Fnq be a error vector.

We define E and D in the following way :

E : Fkq 7−→ C,

D : Fnq 7−→ Fk

q ∪ {?},

D(E (m) + e) =

{m, if w(e) ≤

⌊d−1

2

⌋m′ or ?, if w(e) >

⌊d−1

2

⌋Where w(e) is the Hamming weight of e.


Representation


Johnson’s bounds

Theorem

Let v ∈ Fnq and e be an integer such that

e < J(n, d , q) , nq − 1

q

(1−

√1− q

q − 1

d

n

),

then |B(v , e) ∩ C| ≤ n2.

When q → +∞, we obtain the generic Johnson bound :

J(n, d) = n − n

√1− d

n.

For the binary case : q = 2

J(n, d , 2) = n2 −

n2

√1− 2d

n .


Comparison of the Johnson bounds

0

0.1

0.2

0.3

0.4

0.5

0 0.1 0.2 0.3 0.4 0.5

e/n :

norm

alis

ed e

rror

capac

ity

d/n : normalised minimum distance

Binary Johnson s boundGeneric Johnson s bound

Unambiguous bound


Reed-Solomon codes

Definition (Reed-Solomon codes – as evaluation codes)

Let x1, . . . , xn be different elements of Fq. A Reed-Solomon code of lengthn and dimension k over Fq is

RS[n, k] , {(P(x1), . . . ,P(xn)) : P ∈ Pk},

where Pk = {P ∈ Fq[X ] / deg(P) < k}.

=⇒ n ≤ q implies that the field is large enough.


Encoding and decoding of Reed-Solomon codes

Let P(X ) ∈ Pk , then P(X ) =∑k−1

i=0 PiXi .

We can write P = (P0, . . . ,Pk−1) ∈ Fkq .

The encoding function E is :

∀m ∈ Fkq w Pk , E (m) = (m(x1), . . . ,m(xn)).

Usually, the decoding step consists in finding the element m in polynomialform.


Decoding context

Let x1, . . . , xn ∈ Fq, C be the [n, k , d = n − k + 1] Reed-Solomon codeover Fq and c ∈ C, then ∃P ∈ Pk such that

c = (P(x1), . . . ,P(xn)).

Let the received word y = (y1, . . . , yn) ∈ Fnq be such that

y = c + e.

Where e ∈ Fnq and w(e) ≤ t , bd−1

2 c.

From y , we have to compute P such that

y = (P(x1) + e1, . . . ,P(xn) + en).


Berlekamp-Welsh’s idea

At least n − t points such that ei = 0, so for these points

yi = P(xi ).

Compute Q(X ,Y ) ∈ Fq[X ,Y ] such that

Q(X ,Y ) = Q0(X ) + Y · Q1(X ),

Q(xi , yi ) = 0, ∀i ∈ {1, . . . , n} (1)

deg(Q0(X )) ≤ n − t − 1, (2)

deg(Q1(X )) ≤ n − t − k , (3)

with Q0(X ),Q1(X ) ∈ Fq[X ].


Computation of P(X )

Theorem

A polynomial Q(X ,Y ) ∈ Fq[X ,Y ] satisfying the previous constraintsalways exists.

Theorem

The polynomial Q(X ,P(X )) ∈ Fq[X ] is the null polynomial.

Q(X ,P(X )) = Q0(X ) + P(X )Q1(X ) = 0

=⇒ P(X ) = −Q0(X )

Q1(X ).


Algorithm

Berlekamp-Welsh

Input : y the received word, C a Reed-Solomon code.Output : P(X ) the codeword in polynomial form.

Q(X ,Y )←− InterpolationBW ((xi , yi )i=1,...,n),

P(x)←− −Q0(X )Q1(X ) .


Main idea of Sudan’s algorithm

Decoding τ > t errors,=⇒ different codeword candidates,=⇒ different Y -linear factors of Q(X ,Y ).

Q(X ,Y ) = Q0(X ) + YQ1(X ) + . . .+ Y `Q`(X ),

Q(xi , yi ) = 0, ∀i ∈ {1, . . . , n},deg(Qj(X )) ≤ n − τ − 1− j(k − 1), ∀j ∈ {0, . . . , `}.



Theorem

A polynomial Q(X ,Y ) ∈ Fq[X ,Y ] satisfying the previous conditionsalways exists.

Theorem


The previous theorem gives Q(X ,P(X )) = 0 then P(X ) is a root ofQX (Y ) ∈ Fq[X ][Y ].

=⇒ Y − P(X ) | Q(X ,Y ).


Algorithm

Sudan

Input : y the received word, C a Reed-Solomon code.Output : (P1(X ), . . . ,P`(X )) a list of codewords.

Q(X ,Y )←− InterpolationS((xi , yi )i=1,...,n).

(P1(X ), . . . ,P`(X ))←− LinearFactors(Q(X ,Y )),


Extension of Sudan’s algorithm

If ∃i 6= j ∈ {1, . . . , `},∃k ∈ {1, . . . , n} / Pi (xk) = Pj(xk) = yk .then Y − Pi (X ) and Y − Pj(X ) divide Q(X ,Y ) so the point (xk , yk) is azero of order at least two.

=⇒ add multiplicity constraints during the interpolation step of Q(X ,Y ).

Definition (Multiplicity)

Let (a, b) ∈ F2q and Q(X + a,Y + b) =

∑i ,j q∗i ,jX

iY j . The point (a, b) isa zero of Q(X ,Y ) of mutiplicity s ∈ N, if

Q(a, b) = 0,

∀i , j such that i + j < s then q∗i ,j = 0,

and s is the larger integer satisfying this property.


Q(X ,Y ) in the case of GS

Q(X ,Y ) = Q0(X ) + YQ1(X ) + . . .+ Y `Q`(X ),

Q(xi , yi ) = 0, ∀i ∈ {1, . . . , n} with multiplicity s,

deg(Qj(X )) ≤ s(n − τ)− 1− j(k − 1), ∀j ∈ {0, . . . , `}.

Theorem

The polynomial Q(X ,Y ) ∈ Fq[X ,Y ] satisfying the previous conditionsalways exist.

Theorem


=⇒ Y − P(X ) | Q(X ,Y ).


Algorithm

Guruswami-Sudan

Input : y the received word, C a Reed-Solomon code.Output : (P1(X ), . . . ,P`(X )) a list of codewords.

Q(X ,Y )←− InterpolationGS((xi , yi )i=1,...,n, s).

(P1(X ), . . . ,P`(X ))←− LinearFactors(Q(X ,Y )).


Definitions

Definition (Subfield subcode)

Let C be a code over Fpm of length n. The subfield subcode C′ of C overFpe , with e | m is given by

C′ , C ∩ Fnpe .

Definition (Generalised Reed-Solomon – GRS)

Let β1, . . . , βn be distinct elements of F∗q and α1, . . . , αn be distinctelements of F∗q. The Generalised Reed-Solomon code (GRS) is given by

GRSk [(βi )i , (αi )i ] , {(β1P(α1), . . . , βnP(αn)) : ∀P ∈ Pk}.

Definition (Alternant codes)

The code C′ is called alternant if C′ is a subfield subcode of a GRS.


Goppa codes

Definition (Goppa codes – as alternant codes)

Let α1, . . . , αn be distinct elements of F∗pm , G (X ) a polynomial over Fpm

of degree r such that ∀i ≤ n, G (αi ) 6= 0. The Goppa code over Fpe isgiven by :

Γ ((αi )i ,G ) , GRSn−r [(βi )i , (αi )i ] ∩ Fpe ,

where βi = G(αi )∏j 6=i (αi−αj )

.

length n,

dimension ≥ n −mr ,

minimum distance ≥ r + 1.


Particular property

Theorem

Let α1, . . . , αn be distinct elements of F∗2m , G (X ) a polynomial over F2m

of degree r such that ∀i , G (αi ) 6= 0. If G (X ) is square-free (withoutmultiple roots) then

Γ((αi )i ,G ) = Γ((αi )i ,G2).

length n,

dimension ≥ n −mr ,

minimum distance ≥ 2r + 1.


Context of decoding

Let Γ((αi )i ,G ) be a binary Goppa code of length n, where G is asquare-free polynomial of degree r , and let y ∈ Fn

2 be the received word.

It exists e ∈ Fn2 and P(X ) ∈ F2m [X ] of degree strictly less than n− r , such

thaty = (β1P(α1) + e1, . . . , βnP(αn) + en),

where βi = G(αi )∏j 6=i (αi−αj )

.

Decode y ⇐⇒ find P.


Decoding

Let Γ((αi )i ,G ) be a binary Goppa code of length n, where G is asquare-free polynomial of degree r , and y ∈ Fn

2.

Compute Q(X ,Y ) ,∑`

j=0 Qj(X )Y j such that

Q(X ,Y ) 6= 0,

Q(xi , yiβ−1i ) = 0 with multiplicity s(1− J2/n),

Q(xi , zβ−1i ) = 0 with multiplicity sJ2/n, ∀z ∈ F2 \ {yi},

deg(Qj) < sn(

(1− J2/n)2 + (J2/n)2)− j(n −mr − 1),

∀j ∈ {1, . . . , `},



Theorem

The polynomial Q(X ,Y ) ∈ Fpm [X ,Y ] satisfying the previous conditionsalways exists.

Theorem


=⇒ Y − P(X ) | Q(X ,Y ).


Algorithm

Augot, B., Couvreur

Input : y the received word, Γ((αi )i ,G ) the Goppa code.Output : (c1(X ), . . . , c`(X )) a list of codewords.

Q(X ,Y )←− InterpolationABC (y , Γ).

(P1(X ), . . . ,P`(X ))←− LinearFactors(Q(X ,Y )).

For i ∈ [1, `] doI ci ←− (β1Pi (α1), . . . , βnPi (αn)) ;

end for


Correction Radii

0

0.1

0.2

0.3

0.4

0.5

0 0.1 0.2 0.3 0.4 0.5

e/n :

norm

alis

ed e

rror

capac

ity

d/n : normalised minimum distance

Our methodGS

BW


Complexity

Theorem

To decode a square-free binary Goppa code up to the binary Johnsonbound

J2(n, t) =

⌈n

2

(1−

√1− 4r + 2

n

)⌉− 1

our algorithm runs in O(n7) field operations.

Theorem

To decode up to (1− ε)J2, our algorithm runs in O(n2ε−5) field operations.


Context of McEliece

Choose :

Γ((αi )i ,G ) a Goppa code,

G a generator matrix of Γ,

S an invertible matrix,

P a permutation matrix.

Public key : (SGP, r).

Secret key : (S−1,G,P−1).

Encryption :

m the message,

c = mSGP + e, s.t. w(e) = r

Decryption :

c′ = cP−1,

m′ = Dec(c′),

m = m′S−1


List decoding and McEliece

Two types of attack : structural attack and decoding attack.=⇒ adding more errors makes the decoding attacks more difficult anddoes not add any structure.

The encryption and decryption steps of McEliece’s cryptosystem arefast, but have large keys.=⇒ tradeoff between decrease the keysize and increase the time ofdecryption (decoding).

How to find the original plaintext ?=⇒ use CCA2 McEliece variants.


Key reduction for the generic variant of McEliece

Method m n k r τ2 WF Keysize gain

U.D. 11 1670 1285 35 80.0064 494725

L.D. 11 1676 1324 32 33 80.0183 466048 5.80

U.D. 12 2677 2101 48 112.022 1210176

L.D. 12 2353 1657 58 60 112.032 1153272 4.70

U.D. 12 3059 2387 56 128.001 1604064

L.D. 12 2768 2012 63 65 128.029 1521072 5.17

U.D. 13 4996 3852 88 192.002 4406688

L.D. 12 4046 2654 116 120 192.006 3694368 16.16

U.D. 13 6718 5171 119 256.006 7999537

L.D. 13 6357 4745 124 127 256.026 7648940 4.38


The dyadic variant is broken ?

Dyadic codes : quasi-cyclic of Goppa codes.

Structural attack : Faugere, Otmani, Perret and Tillich.=⇒ find the structure of alternant code by a Groebner basiscomputation but

1 does not find the Goppa structure (i.e. G the Goppa polynomial),2 space memory too large for m ≥ 16.


Key reduction for the dyadic variant r(r + 1) > n


U.D. 11 1600 896 64 83.368 9856

L.D. 11 1536 832 64 67 83.1916 9152 7.14

U.D. 12 2816 1280 128 120.341 15360

L.D. 12 2688 1152 128 135 117.726 13824 10

U.D. 12 2944 1408 128 128.643 16896

L.D. 12 2944 1408 128 134 134.514 16896 0

U.D. 14 9216 2048 512 196.301 28672

L.D. 14 9216 2048 512 544 208.46 28672 0

U.D. 14 10240 3072 512 274.745 43008

L.D. 14 10240 3072 512 541 290.311 43008 0


Key reduction for the dyadic variant m ≥ 16


U.D. 16 3072 1024 128 83.2917 16384

L.D. 16 3072 1024 128 134 86.819 16384 0

U.D. 16 5632 1536 256 126.439 24576

L.D. 16 5376 1280 256 270 114.841 20480 16.66

U.D. 16 9728 1536 512 136.433 24576

L.D. 16 9728 1536 512 563 149.56 24576 0

U.D. 16 10752 2560 512 210.959 40960

L.D. 16 18432 2048 1024 1088 195.89 32768 20

U.D. 16 19456 3072 1024 265.418 49152

L.D. 16 19456 3072 1024 1167 302.507 49152 0


List decoding of binary Goppa codesand key reduction for McEliece’s cryptosystem

Morgan [email protected]

Ecole PolytechniqueINRIA Saclay - Ile de France

17, March 2011University of Grenoble

Seminar of BIPOP-CASYS


list decoding of binary goppa codes and key reduction for

Documents