Code-Based Cryptography - McEliece Cryptosystem · 2016. 6. 20. · Formal deﬁnition of Public-Key Cryptography P= Plaintext Space C= Ciphertext Space K p = Public-Key Space K s

Code-Based CryptographyMcEliece Cryptosystem

0I. Márquez-Corbella

Code-Based Cryptography

1. Error-Correcting Codes and Cryptography2. McEliece Cryptosystem3. Message Attacks (ISD)4. Key Attacks5. Other Cryptographic Constructions Relying on Coding Theory

I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY

2. McEliece Cryptosystem

1. Formal Definition2. Security-Reduction Proof3. McEliece Assumptions4. Notions of Security5. Critical Attacks - Semantic Secure Conversions6. Reducing the Key Size7. Reducing the Key Size - LDPC codes8. Reducing the Key Size - MDPC codes9. Implementation


Formal definition of Public-Key CryptographyP =

PlaintextSpace

C =Ciphertext

SpaceKp =

Public-KeySpace

Ks =Secret-Key

Space

1. Key generation algorithm: KEYGEN

K ∈ NSecurity parameter KEYGEN kp ∈ Kp ks ∈ Ks

Ü Run in expected polynomial time ∼ O(Kc)

1


PlaintextSpace

C =Ciphertext

SpaceKp =

Public-KeySpace

Ks =Secret-Key

Space

1. Key generation algorithm: KEYGEN

K ∈ NSecurity parameter KEYGEN kp ∈ Kp ks ∈ Ks


1


PlaintextSpace

C =Ciphertext

SpaceKp =

Public-KeySpace

Ks =Secret-Key

Space

2. Encryption algorithm: ENCRYPT

m ∈ P ENCRYPT ENCRYPT(m,Kp) = y ∈ C

Kp ∈ Kp


2


PlaintextSpace

C =Ciphertext

SpaceKp =

Public-KeySpace

Ks =Secret-Key

Space

2. Encryption algorithm: ENCRYPT


Kp ∈ Kp


2


PlaintextSpace

C =Ciphertext

SpaceKp =

Public-KeySpace

Ks =Secret-Key

Space

3. Decryption algorithm: DECRYPT

c ∈ C DECRYPT DECRYPT(c,Ks) = m ∈ P , or invalidciphertext

Ks ∈ Ks

Ü Run in polynomial time

3


PlaintextSpace

C =Ciphertext

SpaceKp =

Public-KeySpace

Ks =Secret-Key

Space

3. Decryption algorithm: DECRYPT


Ks ∈ Ks

Ü Run in polynomial time

3

Formal definition of Public-Key CryptographyK ∈ N

Security parameter KEYGEN kp ∈ Kp ks ∈ Ks


Kp ∈ Kp


Ks ∈ Ks

Ü It is required that: DECRYPT (ENCRYPT(m,Kp),Ks) = mÜ Fasten known attack should requires ≥ 2K bit operations4

The McEliece Cryptosystem

Advantages:

1. Fast ENCRYPT and DECRYPT.2. Post-quantum cryptosystem.

Drawback:

ã Large key size.

Security of the McEliece scheme is based on:

1. Hardness of decoding random linear codes2. Distinguishing Goppa codes

McEliece introduced the first PKC basedon Error-Correcting Codes in 1978.

R. J. McEliece.A public-key cryptosystem based on algebraic coding theory.DSN Progress Report, 42-44:114-116, 1978.5


Advantages:


Drawback:

ã Large key size.





The McEliece CryptosystemAdvantages:


Drawback:

ã Large key size.





The McEliece CryptosystemAdvantages:


Drawback:

ã Large key size.






Consider(F

)family of codes

with an efficientdecoding algorithm

Indistinguishablefrom random codes

Key Generation Algorithm:

1. G ∈ Fk×nq a generator matrix for C ∈ F

2. AC an “Efficient” decoding algorithm for C which corrects up to t errors.

Public Key: Kpub = (G, t)Private Key: Ksecret = (AC)

6


Consider(F

)family of codes







6


Consider(F

)family of codes







6


Consider(F

)family of codes







6

The McEliece CryptosystemEncryption Algorithm:Encrypt a message m ∈ Fk

q as

ENCRYPT(m) = mG + e = y

where e is a random error vector of weight at most t .

Decryption Algorithm:Using Ksecret , the receiver obtain m.

DECRYPT(y) = AC(y) = m

Parameters Key size Security level[1024,524,101]2 67 ko 262

[2048,1608,48]2 412 ko 296

7


q as






[2048,1608,48]2 412 ko 296

7


q as






[2048,1608,48]2 412 ko 296

7

The Niederreiter Cryptosystem

Differences with the McEliece cryptosystem:

1. The public key is a parity check matrix. This improve-ment reduce the key size.

2. The secret key is an efficient syndrome decoder3. The encryption mechanism

Niederreiter presents a dual version ofMcEliece (which is equivalent in terms of

security) in 1986.

H. Niederreiter. (1986).Knapsack-type crypto system and algebraic coding theory.Problems of Control and Information Theory.

8

The Niederreiter CryptosystemDifferences with the McEliece cryptosystem:

1. The public key is a parity check matrix. This improve-ment reduce the key size.

2. The secret key is an efficient syndrome decoder3. The encryption mechanism

Niederreiter presents a dual version ofMcEliece (which is equivalent in terms of

security) in 1986.

H. Niederreiter. (1986).Knapsack-type crypto system and algebraic coding theory.Problems of Control and Information Theory.

8

The Niederreiter CryptosystemConsider

(F

)family of codes

with an efficientSyndrome decoding

algorithm



1. H ∈ F(n−k)×nq a parity check matrix for C ∈ F

2. DC an “Efficient” Syndrome Dec. for C which corrects up to t errors.

Public Key: Kpub = (G, t)Private Key: Ksecret = (DC)

9


(F

)family of codes


algorithm






9


(F

)family of codes


algorithm






9


(F

)family of codes


algorithm






9


q of weight ≤ t

ENCRYPT(m) = mHT ∈ Fn−k2


DECRYPT(y) = DC(y) = m


10


q of weight ≤ t





10


q of weight ≤ t





10

Cryptanalysis - McEliece scheme

We have mainly 2 ways of cryptanalyzing the McEliece system:

1. Message Attacks• Address the problem of decoding a random linear code• More efficient Message-Attacks Ü Larger codes

2. Key Attacks• Try to retrieve the code structure• Efficiently applied to: GRS codes, subcodes of GRS codes, Reed-Muller

codes, AG codes, Concatenated codes, ...

11






11






11

2. McEliece Cryptosystem

1. Formal Definition2. Security-Reduction Proof3. McEliece Assumptions4. Notions of Security5. Critical Attacks - Semantic Secure Conversions6. Reducing the Key Size7. Reducing the Key Size - LDPC codes8. Reducing the Key Size - MDPC codes9. Implementation


Documents

Code-Based Cryptography - McEliece Cryptosystem · 2016. 6. 20. · Formal deﬁnition of Public-Key Cryptography P= Plaintext Space C= Ciphertext Space K p = Public-Key Space K s