Cryptographic applications of codes in rank metric
Pierre Loidreau
CELAR and Université de Rennes
Pierre.Loidreau@m4x.org
June 16th, 2009
Introduction
Rank metric and cryptography
Gabidulin codes and linearized polynomials
McEliece type cryptosystems
AF-like cryptosystems
Rank metric and cryptography
History of cryptographic applications
Encryption schemes [Gabidulin-Paramonov-Tretjakov 91] → trapdoor: the difficulty of decoding in rank metric
Authentication codes [Johansson 95]
ZK identification scheme [Chen 96]
Hash functions for MACs [Safavi-Naini-Charnes 05]
Rank metric
Definition (Rank of a vector)
Let $\gamma_1, \dots, \gamma_m$ be a basis of $\mathbb{F}_{q^m}/\mathbb{F}_q$. Expand each coordinate of $e = (e_1, \dots, e_n) \in \mathbb{F}_{q^m}^n$ in this basis, $e_i = \sum_{j=1}^{m} e_{ji}\gamma_j$, i.e. $e_i \mapsto (e_{1i}, \dots, e_{mi})$. Then for all $e \in \mathbb{F}_{q^m}^n$,
$$\mathrm{Rk}(e) \stackrel{\mathrm{def}}{=} \mathrm{Rk}\begin{pmatrix} e_{11} & \cdots & e_{1n} \\ \vdots & \ddots & \vdots \\ e_{m1} & \cdots & e_{mn} \end{pmatrix},$$
the rank over $\mathbb{F}_q$ of the $m \times n$ expansion matrix (it does not depend on the choice of basis).
Definition
$C \subset \mathbb{F}_{q^m}^n$ is an $(n, M, d)_r$-code if $M = |C|$ and its minimum rank distance is $d = \min_{c_1 \neq c_2 \in C} \mathrm{Rk}(c_1 - c_2)$.
Bounds in rank metric
Volume of the sphere of radius $t$: $q^{(m+n-1)t - t^2} \le S_t \le q^{(m+n+1)t - t^2}$
Volume of the ball of radius $t$: $q^{(m+n-1)t - t^2} \le B_t \le q^{(m+n+1)t - t^2 + 1}$
Classical bounds
Singleton: $M \le q^{\min(m(n-d+1),\, n(m-d+1))}$ → codes meeting it are MRD codes
Sphere-packing: $M\, B_{\lfloor (d-1)/2 \rfloor} \le q^{mn}$ → codes meeting it are perfect codes
GV-like: $M\, B_{d-1} < q^{mn} \Rightarrow \exists\, (n, M+1, d)_r$ code
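As an added example, not part of the slides: the sphere and ball volumes above are bounds, but $S_t$ has an exact closed form (the standard count of $m \times n$ matrices of rank $t$ over $\mathbb{F}_q$, assumed here), so the bounds, the Singleton bound and the GV-like condition can be evaluated numerically for candidate parameters. The parameters $(q, m, n, d, M)$ used in the `__main__` block are illustrative choices.

```python
# Exact rank-metric sphere/ball volumes and the bounds on the slide.
# Added example; the closed form for S_t (Gaussian binomial times a product) is a
# standard result assumed here, and all parameter values below are illustrative.

def gaussian_binomial(m, t, q):
    """Number of t-dimensional F_q-subspaces of F_q^m: prod_{i<t} (q^m - q^i)/(q^t - q^i)."""
    num = den = 1
    for i in range(t):
        num *= q ** m - q ** i
        den *= q ** t - q ** i
    return num // den


def sphere_volume(m, n, t, q):
    """S_t: number of m x n matrices over F_q of rank exactly t."""
    if t > min(m, n):
        return 0
    count = gaussian_binomial(m, t, q)      # choose the column space ...
    for i in range(t):                      # ... then an n-tuple of columns spanning it
        count *= q ** n - q ** i
    return count


def ball_volume(m, n, t, q):
    """B_t: number of m x n matrices over F_q of rank at most t."""
    return sum(sphere_volume(m, n, i, q) for i in range(t + 1))


def slide_bounds_hold(m, n, q):
    """Check q^((m+n-1)t-t^2) <= S_t <= q^((m+n+1)t-t^2) and
    q^((m+n-1)t-t^2) <= B_t <= q^((m+n+1)t-t^2+1) for every radius t."""
    for t in range(min(m, n) + 1):
        S, B = sphere_volume(m, n, t, q), ball_volume(m, n, t, q)
        lo = q ** ((m + n - 1) * t - t * t)
        hi = q ** ((m + n + 1) * t - t * t)
        if not (lo <= S <= hi and lo <= B <= hi * q):
            return False
    return True


def mrd_size(m, n, d, q):
    """Singleton bound: the largest M an (n, M, d)_r code over F_{q^m} can have."""
    return q ** min(m * (n - d + 1), n * (m - d + 1))


def perfect_code_excluded(m, n, d, q):
    """True if even an MRD-size code leaves the sphere-packing bound strict,
    i.e. no perfect (n, M, d)_r code can exist for these parameters."""
    return mrd_size(m, n, d, q) * ball_volume(m, n, (d - 1) // 2, q) < q ** (m * n)


def gv_guarantees(m, n, d, M, q):
    """GV-like bound: M * B_{d-1} < q^(mn) guarantees an (n, M+1, d)_r code exists."""
    return M * ball_volume(m, n, d - 1, q) < q ** (m * n)


if __name__ == "__main__":
    q, m, n = 2, 4, 4                      # illustrative: 4 x 4 binary matrices
    for t in range(n + 1):
        print(f"S_{t} = {sphere_volume(m, n, t, q)}")   # sums to q^(mn) = 65536
    print("bounds hold:", slide_bounds_hold(m, n, q))
    print("MRD size for d=3:", mrd_size(m, n, 3, q))      # 256, i.e. k = n - d + 1 = 2
    print("perfect code excluded (d=3):", perfect_code_excluded(m, n, 3, q))
    print("GV guarantees a (4, 9, 3)_r code:", gv_guarantees(m, n, 3, 8, q))
```

The ball volumes grow as $q^{(m+n)t - t^2}$ up to constants, which is why the decoding-attack exponents later on the slides are quadratic rather than linear in the code length.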
Proposition ([L.06])
No perfect codes exist.
For $C$ on the GV bound: if $mn \ge \log_q M = o(n)(m+n)$, then
$$\frac{d}{m+n} \underset{n \to +\infty}{\sim} \frac{1}{2} - \frac{\sqrt{\log_q M}}{m+n}\,\sqrt{1 + \frac{(m-n)^2}{4 \log_q M}}.$$
Decoding problems for linear codes
Parameters
$C$, generated by the matrix $G$
$y \in \mathbb{F}_{q^m}^n$, the received vector
$t$, an integer
Problems
MDD (minimum-distance decoding): find $x$ such that $\mathrm{Rk}(y - xG) = \min_{c \in C} \mathrm{Rk}(y - c)$
BDD (bounded-distance decoding): find, if it exists, $x$ such that $\mathrm{Rk}(y - xG) \le t$
LD (list decoding): find all $x$ such that $\mathrm{Rk}(y - xG) \le t$
Are these search problems NP-hard?
Solving BDD($t$) for $t \le \lfloor (d-1)/2 \rfloor$
Principle: find the minimum-rank codewords of the code generated by
$$G' = \begin{pmatrix} G \\ y \end{pmatrix} = S\,(I_{k+1} \mid R)$$
System: $(\beta_1, \dots, \beta_t)\,(U_2 - U_1 R) = 0$
Methods
Try and solve [Chabaud-Stern 96, Ourivski-Johansson 02]:
Algorithm type           Complexity
Basis enumeration        $\le (k+t)^3\, q^{(t-1)(m-t)+2}$
Coordinates enumeration  $\le (k+t)^3\, t^3\, q^{(t-1)(k+1)}$
Projection on the base field and use of Gröbner-basis techniques [Levy-Perret 06]
Why use rank metric for cryptographic applications
Complexities of solving BDD($t$) for an $[n, k, d]$ code over $\mathbb{F}_{2^m}$ (rate $R = k/n$):
Information-set decoding (Hamming metric): $\sim \mathcal{M}(\mathbb{F}_{2^m})\, n^3\, 2^{n\left(H_2(t/n) - (1-R)\, H_2\left(t/((1-R)n)\right)\right)} = m^2 n^3\, 2^{\alpha n}$
Coordinates enumeration (rank metric): $\le (k+t)^3\, t^3\, 2^{(\alpha_1 n - 1)(\alpha_2 n + 1)}$
The exponent is linear in $n$ for the Hamming metric but quadratic in $n$ for the rank metric, which is what allows smaller public keys in McEliece-type systems.
Gabidulin codes and linearized polynomials
Gabidulin codes
Let $a = (a_1, \dots, a_n) \in \mathbb{F}_{q^m}^n$, where the $a_i$ are linearly independent over $\mathbb{F}_q$ (so $n \le m$). Consider
$$G = \begin{pmatrix} a_1 & \cdots & a_n \\ \vdots & \ddots & \vdots \\ a_1^{[k-1]} & \cdots & a_n^{[k-1]} \end{pmatrix}, \quad \text{where } [i] \stackrel{\mathrm{def}}{=} q^i. \qquad (1)$$
Definition ([Gabidulin85])
The code generated by $G$ is denoted $\mathrm{Gab}_k(a)$.
Properties of the codes
They are MRD codes (which also implies MDS codes): $d = n - k + 1$
The dual of $\mathrm{Gab}_k(a)$ is a $\mathrm{Gab}_{n-k}(h)$
The rank distribution is known
The permutation group is trivial [Berger 03]
Decoding algorithms
Algorithm                         Complexity (mult. in $\mathbb{F}_{q^m}$)   Reference
Extended Euclidean                $2t(n + 5t)$                             [Gabidulin85]
Linear system solving             $2t(n + t^2/2)$                          [Gabidulin91], [Roth91]
BM-like (Berlekamp-Massey)        $2t(n + 3t + t^2/4)$                     [Richter-Plass 05]
WB-like (Welch-Berlekamp)         $2t(4n - t)$                             [L.05]
Table: decoding $t = \lfloor (d-1)/2 \rfloor$ rank errors in a $\mathrm{Gab}_{n-d+1}(g)$ code
McEliece-like cryptosystems
Description [Gabidulin-Paramonov-Tretjakov 91]
Parameters
$g = (g_1, \dots, g_n) \in \mathbb{F}_{q^m}^n$
Private key
$G$, generating $\mathrm{Gab}_k(g)$ and correcting $t$ rank errors
$T$, an isometry of the rank metric (an invertible $(n+t_1) \times (n+t_1)$ matrix over $\mathbb{F}_q$)
$Z$, of size $k \times t_1$ over $\mathbb{F}_{q^m}$
Public key
$$G_{pub} = S\,(G \mid \underbrace{Z}_{t_1 \text{ cols}})\,T \qquad (2)$$
Encryption: $y = x\,G_{pub} + e$, with $\mathrm{Rk}(e) \le t - t_1$
Decryption
Compute $y\,T^{-1} = x\,(G \mid Z) + e\,T^{-1}$, puncture on the last $t_1$ positions and decode in $\mathrm{Gab}_k(g)$ (the rank of the error is preserved because $T$ is an isometry).
Security assumption: BDD($t$) is difficult.
Properties in rank metric
Advantages
Fast encryption and decryption
Enables small keys ($\le 50\,000$ bits)
Security against reaction attacks
Drawbacks
The transmission rate is not optimal
Weakness against message-resend attacks
ONLY ONE family of decodable codes is known → it is mandatory to scramble the structure
History of systems
$G, G_1, G_2$: generator matrices of Gabidulin codes; $H$: parity-check matrix of a Gabidulin code.
Scrambling matrix: $G_{pub} = SG + X$ [Gabidulin-Paramonov-Tretjakov 91]
Right scrambler: $G_{pub} = S\,(G \mid Z)\,T$ [Gabidulin-Ourivski 01]
Subcodes: $H_{pub} = S \begin{pmatrix} H \\ A \end{pmatrix}$ [Berger-L. 02]
Reducible rank codes: $G_{pub} = S \begin{pmatrix} G_1 & 0 \\ A & G_2 \end{pmatrix} T$ [Ourivski-Gabidulin-Honary-Ammar 03], [Berger-L. 04]
Structural attacks [Overbeck 06]
Principle, for $G_{pub} = S\,(G \mid Z)\,T$
Quasi-stability under the action of the Frobenius $\alpha \mapsto \alpha^q \stackrel{\mathrm{def}}{=} \alpha^{[1]}$:
$$\mathrm{Gab}_k(g) \cap [\mathrm{Gab}_k(g)]^{[1]} = \mathrm{Gab}_{k-1}(g^{[1]})$$
Use the public key $G_{pub} = S\,(G \mid Z)\,T$ and compute
$$\underbrace{\begin{pmatrix} G_{pub} \\ \vdots \\ G_{pub}^{[n-k-1]} \end{pmatrix}}_{\mathbf{G}_{pub}} = \underbrace{\begin{pmatrix} S & \cdots & 0 \\ \vdots & \ddots & \vdots \\ 0 & \cdots & S^{[n-k-1]} \end{pmatrix}}_{\mathbf{S}} \underbrace{\begin{pmatrix} G & Z \\ \vdots & \vdots \\ G^{[n-k-1]} & Z^{[n-k-1]} \end{pmatrix}}_{(\mathbf{G} \mid \mathbf{Z})} T,$$
where $T^{[i]} = T$ since $T$ has entries in $\mathbb{F}_q$; the rows $G, G^{[1]}, \dots, G^{[n-k-1]}$ span $\mathrm{Gab}_{n-1}(g)$, of codimension 1.
Proposition
If $\dim(\ker_r(\mathbf{G}_{pub})) = 1$, then a decoder for the public code can be recovered in polynomial time.
Proof.
In that case
$$\ker_r(\mathbf{G}_{pub}) = \{\, T^{-1} (\alpha h \mid 0)^{T},\ \alpha \in \mathbb{F}_{q^m} \,\},$$
where $h$ spans the dual of $\mathrm{Gab}_{n-1}(g)$, and this reveals the secret structure.
For security: choose $Z$ so that $\dim(\ker_r(\mathbf{G}_{pub})) > 1$.
Proposition
If $1 \le \mathrm{Rk}(Z) \le (t_1 - \ell)/(n-k)$, then $\dim(\ker_r(\mathbf{G}_{pub})) \ge 1 + \ell$.
Possible parameters
m = n   k    Rk(Z)   ℓ   t_1   Key size (bits)   Decoding attack   k/n     Rate improv.
24      12   3       4   40    14 976            > 2^83            19%     35%
24      12   4       4   52    18 432            > 2^83            15.8%   33%
The same problem arises with reducible rank codes.
These modifications imply an increased public-key size.
AF-like systems (rank-metric analogues of the Augot-Finiasz polynomial-reconstruction scheme)
q-polynomials
Definition ([Ore 33])
$$P(z) = \sum_{i=0}^{t} p_i\, z^{q^i}, \qquad p_i \in \mathbb{F}_{q^m}$$
If $p_t \neq 0$, $\deg_q(P) \stackrel{\mathrm{def}}{=} t$ is the q-degree of $P$.
Properties
Non-commutative ring for $+$ and $\circ$ (composition)
Euclidean algorithms on the left and on the right
Polynomial-time interpolation and root-finding algorithms
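As an added example, not code from the slides: a toy model over $\mathbb{F}_{2^4}$ that ties together the q-polynomial ring just defined, the rank metric, the Gabidulin code $\mathrm{Gab}_k(g) = \{P(g) : \deg_q P < k\}$ and its MRD property ($d = n-k+1$), and the Frobenius quasi-stability $\mathrm{Gab}_k(g) \cap \mathrm{Gab}_k(g)^{[1]} = \mathrm{Gab}_{k-1}(g^{[1]})$ that Overbeck's stacked matrix exploits. The choices $q = 2$, $m = n = 4$, $k = 2$, the modulus $x^4 + x + 1$, the support $g = (1, x, x^2, x^3)$ and the unstructured comparison matrix are assumptions made here for the demonstration.

```python
# Toy model over F_{2^4}: rank metric, q-polynomials, Gab_k(g) and Overbeck's stack.
# Added example; q=2, m=n=4, k=2, the modulus and the support g are choices made here.
import itertools

M = 4                 # F_{2^4}; an element is an int 0..15 in the basis (1, x, x^2, x^3)
MODULUS = 0b10011     # x^4 + x + 1, irreducible over F_2
ORDER = 1 << M


def gf_mul(a, b):
    """Multiply in F_{2^4}: carry-less product reduced modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & ORDER:
            a ^= MODULUS
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    return gf_pow(a, ORDER - 2)          # a^(2^m - 2) = a^(-1) for a != 0


def frob(a, i=1):
    """Frobenius power a -> a^[i] = a^(q^i); it is additive, hence F_q-linear."""
    return gf_pow(a, 1 << i)


def rank_f2(vectors):
    """Rank over F_2 of bit-vectors given as ints (elimination on leading bits)."""
    pivots = {}
    for v in vectors:
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = v
                break
            v ^= pivots[top]
    return len(pivots)


def rank_vec(e):
    """Rk(e) for e in F_{2^4}^n: the bits of e_i are its coordinates in the basis,
    so the columns of the m x n expansion matrix are exactly the ints e_i."""
    return rank_f2(e)


def qpoly_eval(P, z):
    """P(z) = sum_i p_i z^[i] for P given as the coefficient list [p_0, ..., p_t]."""
    acc = 0
    for i, p in enumerate(P):
        acc ^= gf_mul(p, frob(z, i))
    return acc


def qpoly_compose(P, Q):
    """(P o Q)(z) = sum_{i,j} p_i q_j^[i] z^[i+j]; composition is not commutative."""
    R = [0] * (len(P) + len(Q) - 1)
    for i, p in enumerate(P):
        for j, qj in enumerate(Q):
            R[i + j] ^= gf_mul(p, frob(qj, i))
    return R


def gabidulin_generator(g, k):
    """Rows g^[0], ..., g^[k-1], equation (1) on the slides."""
    return [[frob(gi, i) for gi in g] for i in range(k)]


def min_rank_distance(g, k):
    """Exhaustive minimum rank weight of Gab_k(g) = {P(g) : deg_q P < k}; MRD says n-k+1."""
    best = len(g)
    for P in itertools.product(range(ORDER), repeat=k):
        if any(P):
            best = min(best, rank_vec([qpoly_eval(P, gi) for gi in g]))
    return best


def rank_fqm(rows):
    """Rank over F_{2^4} of a matrix given as a list of rows (Gauss-Jordan)."""
    rows = [r[:] for r in rows]
    rank = 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = gf_inv(rows[rank][col])
        rows[rank] = [gf_mul(inv, v) for v in rows[rank]]
        for i, row in enumerate(rows):
            if i != rank and row[col]:
                f = row[col]
                rows[i] = [a ^ gf_mul(f, b) for a, b in zip(row, rows[rank])]
        rank += 1
    return rank


def frobenius_stack_rank(G, levels):
    """Rank of the stacked matrix (G ; G^[1] ; ... ; G^[levels-1]) used by Overbeck.
    For a Gabidulin G the Frobenius shifts overlap, so n-k levels give rank n-1 and a
    right kernel of dimension 1; an unstructured G reaches full rank instead."""
    stacked = [[frob(v, i) for v in row] for i in range(levels) for row in G]
    return rank_fqm(stacked)


def frobenius_intersection_dim(G):
    """dim(C ∩ C^[1]) = 2 dim C - dim(C + C^[1]); equals k-1 when C = Gab_k(g)."""
    return 2 * len(G) - frobenius_stack_rank(G, 2)


if __name__ == "__main__":
    g, k = [1, 2, 4, 8], 2                   # g = (1, x, x^2, x^3): F_2-linearly independent
    G = gabidulin_generator(g, k)
    print("d(Gab_2(g)) =", min_rank_distance(g, k))                    # n - k + 1 = 3
    print("dim(Gab_2 ∩ Gab_2^[1]) =", frobenius_intersection_dim(G))    # k - 1 = 1
    print("ker_r dim of Overbeck stack:", len(g) - frobenius_stack_rank(G, len(g) - k))
    print("P∘Q, Q∘P:", qpoly_compose([0, 1], [2]), qpoly_compose([2], [0, 1]))
```

The last line of the `__main__` block shows the non-commutativity of $\circ$ on $P = z^{[1]}$ and $Q = x\,z$: $P \circ Q = x^2 z^{[1]}$ while $Q \circ P = x\,z^{[1]}$. The kernel dimension of 1 for a plain Gabidulin generator is exactly the situation in which Overbeck's proposition applies; the GPT parameters on the slides choose $Z$ so that this dimension exceeds 1.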
Reconstruction problem
Parameters
$g \in \mathbb{F}_{q^m}^n$, the support vector
$y \in \mathbb{F}_{q^m}^n$
$k, t$ integers
PR: find $P$ of q-degree $\le k$ such that $\mathrm{Rk}(P(g) - y) \le t$
Link with other problems:
if $t \le \lfloor (n-k)/2 \rfloor$, equivalent to decoding $\mathrm{Gab}_k(g)$
if $t > \lfloor (n-k)/2 \rfloor$, supposed to be difficult ⇒ LD($y, t$) is difficult
Description of the cryptosystem
Parameters
$g = (g_1, \dots, g_n) \in \mathbb{F}_{q^m}^n$, $k$
Private key:
$E = (E_1, \dots, E_n)$ of rank $W > (n-k)/2$ ⇒ there exists $Q \in GL_n(\mathbb{F}_q)$ such that $EQ = (\underbrace{0}_{n-W \text{ coords}} \mid E')$
a q-polynomial $P$ of q-degree $k-1 \le n-W$ over $\mathbb{F}_{q^m}$
Public key:
$$K = \underbrace{P(g)}_{\in\, \mathrm{Gab}_k(g)} + E$$
Security assumption: PR($K, W$) is difficult.
Encryption and decryption
Encryption: $y = x(g) + \alpha K + e$, where
$x$ has q-degree $k-2 \le n-W$
$e$ has rank $t \le (n-k-W)/2$
$\alpha \in \mathbb{F}_{q^m}^{*}$ is random
Decryption: for a vector $v$ of length $n$, write $v \stackrel{\mathrm{def}}{=} (\overbrace{\underline{v}}^{n-W \text{ coords}} \mid V')$. Since $Q$ has entries in $\mathbb{F}_q$, q-polynomials commute with it, and $EQ = (0 \mid E')$, so
$$yQ = \big(\underline{x(gQ) + \alpha P(gQ) + eQ} \ \big|\ Y'\big).$$
Decode $\underline{yQ}$ in $\mathrm{Gab}_k(\underline{gQ})$ ⇒ $(x + \alpha P)(\underline{gQ})$. Since $\deg_q(x) < \deg_q(P)$, the leading coefficient gives $\alpha$; since $k-1 \le n-W$, the remaining coefficients give $x$.
Security assumption: BDD($x(g) + \alpha K$, $t$) in some code is difficult.
Possible attacks
Solve the system
$$V(y_i) = (V \circ x)(g_i) + V(\alpha K_i), \quad i = 1, \dots, n, \qquad \deg_q(V) \le t,$$
where $V$ is a q-polynomial annihilating the error: the $e_i$ span an $\mathbb{F}_q$-space of dimension at most $t$, which is the root space of some $V$ with $\deg_q(V) \le t$.
Linearization: solve
$$V(y_i) = N(g_i) + U(K_i), \quad i = 1, \dots, n, \qquad \deg_q(V) \le t,\ \ \deg_q(N) \le k + t - 2,\ \ \deg_q(U) \le t,$$
a linear system with $k + 3t + 1$ unknowns and $n$ equations.
Evolution of the system (I)
Parameters
$g = (g_1, \dots, g_n) \in \mathbb{F}_{q^m}^n$, $k$
Private key:
$E_i \in \mathbb{F}_{q^m}^W$, $i = 1, \dots, u$, of rank $W > (n-k)/2$
$Q \in GL_n(\mathbb{F}_q)$
$P_i$, $i = 1, \dots, u$, of q-degree $k-1 \le n-W$ over $\mathbb{F}_{q^m}$
Public key:
$$\begin{cases} K_1 = P_1(g) + (0 \mid E_1)\,Q^{-1}, & \mathrm{Rk}(E_1) = W > (n-k)/2 \\ \quad \vdots \\ K_u = P_u(g) + (0 \mid E_u)\,Q^{-1}, & \mathrm{Rk}(E_u) = W > (n-k)/2 \end{cases}$$
Evolution of the system (II)
Encryption: $y = x(g) + \sum_{i=1}^{u} \alpha_i K_i + e$, where
$x$ has q-degree $k - u - 1$
$e$ has rank $t \le (n-k-W)/2$
$\alpha_i \in \mathbb{F}_{q^m}^{*}$ is random for all $i = 1, \dots, u$
Decryption:
We have
$$yQ = \Big(\underline{x(gQ) + \sum_{i=1}^{u} \alpha_i P_i(gQ) + eQ} \ \Big|\ Y'\Big).$$
Decode $\underline{yQ}$ in $\mathrm{Gab}_k(\underline{gQ})$ ⇒ $(x + \sum_i \alpha_i P_i)(\underline{gQ})$. Since $\deg_q(x) = k-u-1 < k-1$, the top coefficients give $(\alpha_1, \dots, \alpha_u)$; since $k-u \le n-W$, the rest gives $x$.
Possible attacks
Decoding attacks: solve the system
$$V(y) = (V \circ x)(g) + \sum_{i=1}^{u} V(\alpha_i K_i), \qquad \begin{cases} \deg_q(V) = \mathrm{Rk}(e) \\ \deg_q(x) = k - u - 1 \\ \alpha_i \in \mathbb{F}_{q^m} \end{cases}$$
Structural attacks: set
$$\mathbf{K} = \begin{pmatrix} K_1 \\ \vdots \\ K_u \end{pmatrix} = \begin{pmatrix} P_1(g) \\ \vdots \\ P_u(g) \end{pmatrix} + \begin{pmatrix} 0 & E_1 \\ \vdots & \vdots \\ 0 & E_u \end{pmatrix} Q^{-1}$$
Under some conditions one can apply Overbeck's approach to recover the secret elements.
Parameters
Compromise between the two kinds of attacks ⇒ not many choices for $u$
u   n = m   k    W    Rk(e)   Key size (bits)   Rate
3   56      28   16   6       9408              44%
3   54      32   13   4       11664             44%
Open problems
Are the discussed problems really NP-hard?
How to improve the arithmetic complexity of q-polynomials?
Is there a Johnson bound for Gabidulin codes, and a list decoder?
How to construct new decodable families of rank-metric codes?
What changes if skew polynomials are used instead of q-polynomials?