Cryptographic applications of codes in rank metric, Pierre Loidreau (PowerPoint presentation, June 16th, 2009)
SLIDE 1
Cryptographic applications of codes in rank metric

Pierre Loidreau

CELAR and Université de Rennes, Pierre.Loidreau@m4x.org

June 16th, 2009

SLIDE 2

Introduction

• Rank metric and cryptography
• Gabidulin codes and linearized polynomials
• McEliece type cryptosystems
• AF-like cryptosystems

SLIDE 3

Rank metric and cryptography

SLIDE 4

History of cryptographic applications

• Encryption schemes, [Gabidulin-Paramonov-Tretjakov 91] → trapdoor: difficulty of decoding in rank metric
• Authentication codes, [Johansson 95]
• ZK identification scheme, [Chen 96]
• Hash functions for MAC, [Safavi-Naini-Charnes 05]

SLIDE 5

Rank metric

Definition (Rank of a vector). Let $\gamma_1,\dots,\gamma_m$ be a basis of $\mathbb{F}_{q^m}/\mathbb{F}_q$. For $e=(e_1,\dots,e_n)\in(\mathbb{F}_{q^m})^n$, expand each coordinate on that basis, $e_i\mapsto(e_{1i},\dots,e_{mi})\in\mathbb{F}_q^m$, and set
$$\mathrm{Rk}(e)\stackrel{\text{def}}{=}\mathrm{Rk}\begin{pmatrix} e_{11} & \cdots & e_{1n}\\ \vdots & \ddots & \vdots\\ e_{m1} & \cdots & e_{mn}\end{pmatrix}.$$

Definition. $C\subset\mathbb{F}_{q^m}^n$ is an $(n,M,d)_r$-code if
• $M=|C|$
• minimum rank distance: $d=\min_{c_1\neq c_2\in C}\mathrm{Rk}(c_1-c_2)$
SLIDE 6

Bounds in rank metric

Volume of a sphere: $q^{(m+n-1)t-t^2}\le S_t\le q^{(m+n+1)t-t^2}$
Volume of a ball: $q^{(m+n-1)t-t^2}\le B_t\le q^{(m+n+1)t-t^2+1}$

Classical bounds:
• Singleton: $M\le q^{\min(m(n-d+1),\,n(m-d+1))}$ → MRD codes
• Sphere-packing: $M\,B_{\lfloor(d-1)/2\rfloor}\le q^{mn}$ → perfect codes
• GV-like: $M\,B_{d-1}<q^{mn}\Rightarrow\exists\,(n,M+1,d)_r$ code

SLIDE 7

Bounds in rank metric (continued)

Proposition ([L. 06]). No perfect codes exist. For $C$ on the GV bound, if $mn\ge\log_q M=o(n)(m+n)$,
$$\frac{d}{m+n}\ \underset{n\to+\infty}{\sim}\ \frac12-\frac{\sqrt{\log_q M}}{m+n}\,\sqrt{1+\frac{(m-n)^2}{4\log_q M}}\,.$$

SLIDE 8

Decoding problems for linear codes

Parameters: $C$ generated by the matrix $G$; $y\in\mathbb{F}_{q^m}^n$, received vector; $t$ an integer.

Problems:
• MDD: find $x$ s.t. $\mathrm{Rk}(y-xG)=\min_{c\in C}\mathrm{Rk}(y-c)$
• BDD: find, if it exists, $x$ s.t. $\mathrm{Rk}(y-xG)\le t$
• LD: find all $x$ such that $\mathrm{Rk}(y-xG)\le t$

Are these search problems NP-hard?

SLIDE 9

Solving BDD($t$) for $t\le\lfloor(d-1)/2\rfloor$

Principle: find the minimum-rank codewords of the code generated by
$$G'=\begin{pmatrix}G\\ y\end{pmatrix}=S\,(I_{k+1}\mid R).$$
System: $(\beta_1,\dots,\beta_t)\,(U_2-U_1R)=0$.

Methods:
• Try and solve, [Chabaud-Stern 96, Ourivski-Johansson 02]:

  Algo. type              | Complexity
  Basis enumeration       | $\le(k+t)^3\,q^{(t-1)(m-t)+2}$
  Coordinates enumeration | $\le(k+t)^3\,t^3\,q^{(t-1)(k+1)}$

• Projection on the base field and use of Gröbner basis techniques, [Levy-Perret 06]

SLIDE 10

Why use rank metric for cryptographic applications

Complexities of solving BDD($t$) for an $[n,k,d]$ code over $\mathbb{F}_{2^m}$:
• IS decoding: $\sim M(\mathbb{F}_{2^m})\,n^3\,2^{n\left(H_2(t/n)-(1-R)\,H_2\left(t/((1-R)n)\right)\right)}=m^2n^3\,2^{\alpha n}$
• Coord. enum.: $\le(k+t)^3\,t^3\,2^{(\alpha_1 n-1)(\alpha_2 n+1)}$

Use of smaller public keys in McEliece type systems.

SLIDE 11

Gabidulin codes and linearized polynomials

SLIDE 12

Gabidulin codes

Let $a=(a_1,\dots,a_n)\in\mathbb{F}_{q^m}^n$, where the $a_i$ are linearly independent over $\mathbb{F}_q$. Consider
$$G=\begin{pmatrix} a_1 & \cdots & a_n\\ \vdots & \ddots & \vdots\\ a_1^{[k-1]} & \cdots & a_n^{[k-1]}\end{pmatrix},\quad\text{where }[i]\stackrel{\text{def}}{=}q^i. \qquad (1)$$

Definition ([Gabidulin 85]). The code generated by $G$ is denoted $\mathrm{Gab}_k(a)$.

SLIDE 13

Properties of the codes

• They are MRD codes (implies also MDS codes)
• The dual of $\mathrm{Gab}_k(a)$ is a $\mathrm{Gab}_{n-k}(h)$
• The rank distribution is known
• The permutation group is trivial, [Berger 03]

SLIDE 14

Decoding algorithms

  Algorithm             | Complexity (mult. in $\mathbb{F}_{q^m}$) | Reference
  Ext. Euclidean        | $2t(n+5t)$                              | [Gabidulin 85]
  Linear system solving | $2t(n+t^2/2)$                           | [Gabidulin 91], [Roth 91]
  BM-like               | $2t(n+3t+t^2/4)$                        | [Richter-Plass 05]
  WB-like               | $2t(4n-t)$                              | [L. 05]

Table: decoding $t=\lfloor(d-1)/2\rfloor$ rank errors in a $\mathrm{Gab}_{n-d+1}(g)$ code.

SLIDE 15

McEliece like cryptosystems

SLIDE 16

Description [Gabidulin-Paramonov-Tretjakov 91]

Parameters: $g=(g_1,\dots,g_n)\in\mathbb{F}_{q^m}^n$

Private key:
• $G$ generates $\mathrm{Gab}_k(g)$, correcting $t$ rank errors
• $T$, an isometry of the rank metric
• $Z$, of size $k\times t_1$ over $\mathbb{F}_{q^m}$

Public key:
$$G_{pub}=S\,(G\mid\underbrace{Z}_{t_1\text{ cols}})\,T \qquad (2)$$

SLIDE 17

Encryption: $y=xG_{pub}+e$, with $\mathrm{Rk}(e)\le t-t_1$.

Decryption: compute $yT^{-1}=x(G\mid Z)+eT^{-1}$; puncture on the last $t_1$ positions and decode.

Security assumption: BDD($t$) difficult.
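The GPT scheme of slides 16 and 17, together with the rank of a vector (slide 5) and the Gabidulin generator matrix (slide 12), as an added Python example. This is editor-supplied illustration code, not the author's implementation. It assumes $q=2$, $m=n=8$, $k=2$, $t_1=1$, so $d=n-k+1=7$, $t=3$ and, following slide 17, $\mathrm{Rk}(e)\le t-t_1=2$; the field $\mathbb{F}_{2^8}$ is built with the polynomial $a^8+a^4+a^3+a+1$, $T$ is a random element of $GL_9(\mathbb{F}_2)$, and the Gabidulin decoder of slide 14 is replaced by exhaustive search over the $2^{16}$ messages, which is why the parameters are toy-sized and offer no security. The function names (`keygen`, `encrypt`, `decrypt`, `min_rank_distance`, `demo`) are the example's own.

```python
import itertools, random
from functools import reduce
M = 8                                  # F_{2^8} = F_2[a]/(a^8+a^4+a^3+a+1); element = int, bit j = coeff of a^j
MODULUS, ORDER = 0x11B, (1 << M) - 1
_EXP, _LOG, _x = [0] * (2 * ORDER), [0] * (ORDER + 1), 1
for _i in range(ORDER):                # log/antilog tables from the generator a + 1 (= 3)
    _EXP[_i], _LOG[_x] = _x, _i
    _t = _x << 1                       # _x * a, reduced modulo the defining polynomial
    _x ^= _t ^ MODULUS if _t >> M else _t
_EXP[ORDER:] = _EXP[:ORDER]

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else _EXP[_LOG[a] + _LOG[b]]

def frob(a, i):                        # a^{[i]} = a^{q^i} with q = 2: the Frobenius applied i times
    return reduce(lambda s, _: gf_mul(s, s), range(i), a)

def rank(vec, width=M):                # rank over F_2 of the coordinates' bit expansions (slide 5)
    basis, r = [0] * width, 0          # basis[b]: stored vector whose leading bit is b
    for v in vec:
        for b in range(width - 1, -1, -1):
            if v >> b & 1:
                if basis[b] == 0:
                    basis[b], r = v, r + 1
                    break
                v ^= basis[b]
    return r

def gabidulin_generator(g, k):         # rows g^{[0]}, ..., g^{[k-1]} (eq. (1), slide 12)
    return [[frob(gj, i) for gj in g] for i in range(k)]

def matmul(A, B):                      # matrix product over F_{2^m}
    return [[reduce(lambda s, l: s ^ gf_mul(A[i][l], B[l][j]), range(len(B)), 0)
             for j in range(len(B[0]))] for i in range(len(A))]

def gf2_inverse(rows, w):              # Gauss-Jordan on [A | I] over F_2; row = int, bit j = column j
    aug = [r | 1 << (w + i) for i, r in enumerate(rows)]
    for c in range(w):
        piv = next((i for i in range(c, w) if aug[i] >> c & 1), None)
        if piv is None:
            return None                # singular
        aug[c], aug[piv] = aug[piv], aug[c]
        for i in range(w):
            if i != c and aug[i] >> c & 1:
                aug[i] ^= aug[c]
    return [r >> w for r in aug]

def apply_gf2(vec, rows, w):           # row vector over F_{2^m} times a w x w matrix over F_2
    return [reduce(lambda s, i: s ^ (vec[i] if rows[i] >> j & 1 else 0), range(w), 0) for j in range(w)]

def random_error(rng, w, r):           # e_j = sum_i beta_i v_i[j]; resample until the rank is exactly r
    while True:
        betas, vs = [rng.randrange(1, 1 << M) for _ in range(r)], [rng.randrange(1, 1 << w) for _ in range(r)]
        e = [reduce(lambda s, i: s ^ (betas[i] if vs[i] >> j & 1 else 0), range(r), 0) for j in range(w)]
        if rank(e) == r:
            return e

def keygen(rng, n=8, k=2, t1=1):       # GPT key pair (slide 16): G_pub = S (G | Z) T
    assert n <= M, "a Gabidulin code needs n <= m"
    w, t = n + t1, (n - k) // 2        # Gab_k(g) has d = n - k + 1 and corrects t rank errors
    g = [rng.randrange(1, 1 << M) for _ in range(n)]
    while rank(g) < n:                 # support must be linearly independent over F_2
        g = [rng.randrange(1, 1 << M) for _ in range(n)]
    G = gabidulin_generator(g, k)
    L = [[1 if i == j else rng.randrange(1 << M) * (i > j) for j in range(k)] for i in range(k)]
    U = [[1 if i == j else rng.randrange(1 << M) * (i < j) for j in range(k)] for i in range(k)]
    S = matmul(L, U)                   # product of unit-triangular matrices, hence invertible
    Z = [[rng.randrange(1 << M) for _ in range(t1)] for _ in range(k)]
    T = [rng.randrange(1 << w) for _ in range(w)]
    while gf2_inverse(T, w) is None:   # T in GL_w(F_2) is an isometry of the rank metric
        T = [rng.randrange(1 << w) for _ in range(w)]
    G_pub = [apply_gf2(row, T, w) for row in matmul(S, [G[i] + Z[i] for i in range(k)])]
    # exhaustive table x -> x S G stands in for the polynomial-time decoders of slide 14
    scaled = [[[gf_mul(a, v) for v in row] for a in range(1 << M)] for row in matmul(S, G)]
    table = [(x, [reduce(lambda s, i: s ^ scaled[i][x[i]][j], range(k), 0) for j in range(n)])
             for x in itertools.product(range(1 << M), repeat=k)]
    pk = {"G_pub": G_pub, "w": w, "rk_e": t - t1}   # Rk(e) <= t - t1, as on slide 17
    sk = {"T_inv": gf2_inverse(T, w), "w": w, "n": n, "t": t, "table": table}
    return pk, sk

def encrypt(pk, x, rng):               # y = x G_pub + e
    c = matmul([list(x)], pk["G_pub"])[0]
    return [a ^ b for a, b in zip(c, random_error(rng, pk["w"], pk["rk_e"]))]

def decrypt(sk, y):                    # y T^{-1} = x S (G | Z) + e T^{-1}; drop the t1 Z-columns, decode
    yp = apply_gf2(y, sk["T_inv"], sk["w"])[: sk["n"]]
    best, dist = min(((x, rank([a ^ b for a, b in zip(yp, c)])) for x, c in sk["table"]), key=lambda p: p[1])
    if dist > sk["t"]:                 # nearest codeword outside the decoding radius: refuse, don't guess
        raise ValueError("more than t rank errors: decoding failed")
    return best

def min_rank_distance(sk):             # brute force over the private code; MRD means d = n - k + 1
    return min(rank(c) for x, c in sk["table"] if any(x))

def demo(seed=1, msg=(0x57, 0x83)):    # returns (d of the private code, decrypt(encrypt(msg)))
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return min_rank_distance(sk), decrypt(sk, encrypt(pk, msg, rng))
```

`demo()` returns the minimum rank distance of the private code (7, confirming the MRD property of slide 13 for these parameters) together with `decrypt(encrypt(msg))`. Because $T$ has entries in $\mathbb{F}_2$, $eT^{-1}$ has the same rank as $e$ and puncturing can only lower it, so the punctured error stays inside the decoding radius; the rank check in `decrypt` reports a decoding failure instead of returning a wrong message when that bound is violated.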

SLIDE 18

Properties in rank metric

Advantages:
• fast encryption and decryption
• enables small keys (≤ 50 000 bits)
• security against reaction attacks

Drawbacks:
• not optimal transmission rate
• weakness against message resend attacks
• ONLY ONE family of decodable codes is known → mandatory to scramble the structure

SLIDE 19

History of systems

$G$, $G_1$, $G_2$: generator matrices of Gabidulin codes; $H$: parity-check matrix of a Gabidulin code.

  Scrambling matrix    | $G_{pub}=SG+X$                                              | [Gabidulin-Paramonov-Tretjakov 91]
  Right scrambler      | $G_{pub}=S(G\mid Z)T$                                       | [Gabidulin-Ourivski 01]
  Subcodes             | $H_{pub}=S\begin{pmatrix}H\\ A\end{pmatrix}$                | [Berger-L. 02]
  Reducible rank codes | $G_{pub}=S\begin{pmatrix}G_1 & A\\ 0 & G_2\end{pmatrix}T$   | [Ourivski-Gabidulin-Honary-Ammar 03], [Berger-L. 04]

SLIDE 20

Structural attacks [Overbeck 06]

Principle for $G_{pub}=S(G\mid Z)T$: quasi-stability under the action of the Frobenius $\alpha\mapsto\alpha^q\stackrel{\text{def}}{=}\alpha^{[1]}$,
$$\mathrm{Gab}_k(g)\cap[\mathrm{Gab}_k(g)]^{[1]}=\mathrm{Gab}_{k-1}(g^{[1]}).$$
Use the public key $G_{pub}=S(G\mid Z)T$ and compute
$$\underbrace{\begin{pmatrix}G_{pub}\\ \vdots\\ G_{pub}^{[n-k-1]}\end{pmatrix}}_{\mathbf{G}_{pub}}=\underbrace{\begin{pmatrix}S & & \\ & \ddots & \\ & & S^{[n-k-1]}\end{pmatrix}}_{\mathbf{S}}\;\underbrace{\begin{pmatrix}G & Z\\ \vdots & \vdots\\ G^{[n-k-1]} & Z^{[n-k-1]}\end{pmatrix}}_{(\mathbf{G}\mid\mathbf{Z})}\;T,$$

SLIDE 21

Proposition. If $\dim(\ker_r(\mathbf{G}_{pub}))=1$, then a decoder for the public code can be recovered in polynomial time.

Proof. In that case $\ker_r(\mathbf{G}_{pub})=\{T^{-1}(\alpha h\mid 0)^{\top},\ \alpha\in\mathbb{F}_{q^m}\}$,

SLIDE 22

For security: choose $Z$ so that $\dim(\ker_r(\mathbf{G}_{pub}))>1$.

Proposition. If $1\le\mathrm{Rk}(Z)\le(t_1-\ell)/(n-k)$, then $\dim(\ker_r(\mathbf{G}_{pub}))\ge1+\ell$.

Possible parameters:

  $m=n$ | $k$ | $\mathrm{Rk}(Z)$ | $\ell$ | $t_1$ | Key size (bits) | Decoding  | Rate $k/(n+t_1)$ | Improv.
  24    | 12  | 3                | 4      | 40    | 14 976          | $>2^{83}$ | 19%              | 35%
  24    | 12  | 4                | 4      | 52    | 18 432          | $>2^{83}$ | 15.8%            | 33%

Same problem with reducible rank codes; the modifications imply an increased public-key size.

SLIDE 23

AF-like systems

SLIDE 24

q-polynomials

Definition ([Ore 33]). $P(z)=\sum_{i=0}^{t}p_i\,z^{q^i}$, $p_i\in\mathbb{F}_{q^m}$. If $p_t\neq0$, $\deg_q(P)\stackrel{\text{def}}{=}t$ is the q-degree of $P$.

Properties:
• non-commutative ring with $+$, $\circ$
• Euclidean algorithms on the left and on the right
• polynomial-time interpolation and root-finding algorithms
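Non-commutativity of $\circ$ made explicit, as an added worked example (an editor's addition, not part of the slide), in the slide's own notation. For $P(z)=\sum_i p_i z^{[i]}$ and $Q(z)=\sum_j q_j z^{[j]}$, substituting and using $(u+v)^{[i]}=u^{[i]}+v^{[i]}$ and $(cz)^{[i]}=c^{[i]}z^{[i]}$ gives
$$(P\circ Q)(z)=\sum_i p_i\Big(\sum_j q_j z^{[j]}\Big)^{[i]}=\sum_{i,j}p_i\,q_j^{[i]}\,z^{[i+j]},\qquad (Q\circ P)(z)=\sum_{i,j}q_j\,p_i^{[j]}\,z^{[i+j]}.$$
The coefficient of $z^{[i+j]}$ is $p_i\,q_j^{[i]}$ on one side and $q_j\,p_i^{[j]}$ on the other, so the two compositions differ in general. Smallest instance: $P(z)=cz$ with $c\in\mathbb{F}_{q^m}\setminus\mathbb{F}_q$ and $Q(z)=z^{[1]}$ give $(P\circ Q)(z)=c\,z^{[1]}$ but $(Q\circ P)(z)=c^{[1]}z^{[1]}\neq c\,z^{[1]}$. The same formula shows that the leading coefficient of $P\circ Q$ is $p_t\,q_s^{[t]}\neq0$, hence $\deg_q(P\circ Q)=\deg_q(P)+\deg_q(Q)$, which is what makes the left and right Euclidean divisions of the slide possible.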
SLIDE 25

Reconstruction problem

Parameters:
• $g\in\mathbb{F}_{q^m}^n$, support vector
• $y\in\mathbb{F}_{q^m}^n$
• $k$, $t$ integers

PR: find $P$ of q-degree $<k$ s.t. $\mathrm{Rk}(P(g)-y)\le t$.

Link with other problems:
• if $t\le\lfloor(n-k)/2\rfloor$, equivalent to decoding $\mathrm{Gab}_k(g)$
• if $t>\lfloor(n-k)/2\rfloor$, supposed to be difficult ⇒ LD$(y,t)$ is difficult

SLIDE 26

Description of the cryptosystem

Parameters: $g=(g_1,\dots,g_n)\in\mathbb{F}_{q^m}^n$, $k$.

Private key:
• $E=(E_1,\dots,E_n)$ of rank $W>(n-k)/2$ ⇒ there exists $Q\in GL_n(\mathbb{F}_q)$ such that $EQ=(\underbrace{0}_{n-W\text{ coords}}\mid E')$
• a q-polynomial $P$ of q-degree $k-1\le n-W$ over $\mathbb{F}_{q^m}$

Public key: $K=\underbrace{P(g)}_{\in\mathrm{Gab}_k(g)}+E$

Security assumption: PR$(K,W)$ difficult.

SLIDE 27

Encryption and decryption

Encryption: $y=x(g)+\alpha K+e$, where
• $x$ has q-degree $k-2\le n-W$
• $e$ has rank $t\le(n-k-W)/2$
• $\alpha\in\mathbb{F}_{q^m}^*$ random

Decryption: for a vector $v$ write $v\stackrel{\text{def}}{=}(\underbrace{\bar v}_{n-W}\mid V')$. We have
$$yQ=\big(x(\overline{gQ})+\alpha P(\overline{gQ})+\overline{eQ}\ \big|\ Y'\big).$$
• Decode $\overline{yQ}$ in $\mathrm{Gab}_k(\overline{gQ})$ ⇒ $(x+\alpha P)(\overline{gQ})$
• Since $\deg_q(x)<\deg_q(P)$ ⇒ $\alpha$
• Since $k-1\le n-W$ ⇒ $x$

Security assumption: BDD$(x(g)+\alpha K,\,t)$ in some code is difficult.

SLIDE 28

Possible attacks

Solving the system
$$V(y_i)=(V\circ x)(g_i)+V(\alpha K_i),\quad\forall\,i=1,\dots,n,\qquad\deg_q(V)\le t.$$
Linearization: solve
$$\begin{cases} V(y_i)=N(g_i)+U(K_i), & \forall\,i=1,\dots,n,\\ \deg_q(V)\le t, & \\ \deg_q(N)\le k+t-2, & \\ \deg_q(U)\le t. & \end{cases}$$
Linear system of $k+3t+1$ unknowns and $n$ equations.
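Counting the unknowns of the linearized system, as an added worked step (an editor's addition, not on the slide). Write $V(z)=\sum_{i=0}^{t}v_i z^{[i]}$. Composing with $x$ of q-degree $k-2$ gives $N=V\circ x$ of q-degree at most $t+k-2$, and $V(\alpha z)=\sum_i v_i\,\alpha^{[i]}z^{[i]}$ is again a q-polynomial $U$ of q-degree at most $t$; this is what turns the products $V(\alpha K_i)$, bilinear in $(v_i,\alpha)$, into terms linear in fresh unknowns. Hence
$$\#\text{unknowns}=\underbrace{(t+1)}_{V}+\underbrace{(k+t-1)}_{N}+\underbrace{(t+1)}_{U}=k+3t+1,$$
against $n$ equations $V(y_i)=N(g_i)+U(K_i)$, each $\mathbb{F}_{q^m}$-linear in the coefficients of $V$, $N$, $U$. The system is homogeneous and always contains the genuine solution $(V,\,V\circ x,\,V(\alpha\,\cdot))$, so by rank-nullity its solution space has dimension at least $k+3t+1-n$; it can be one-dimensional (the attacker's goal) only if $n\ge k+3t$, which is why parameters are chosen with $n<k+3t$, leaving the attacker a solution space of dimension at least $2$. Once a genuine $(V,N)$ is known, $x$ follows from the left Euclidean division of slide 24, $N=V\circ x$.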

SLIDE 29

Evolution of the system (I)

Parameters: $g=(g_1,\dots,g_n)\in\mathbb{F}_{q^m}^n$, $k$.

Private key:
• $E_i\in\mathbb{F}_{q^m}^W$, $i=1,\dots,u$, of rank $W>(n-k)/2$
• $Q\in GL_n(\mathbb{F}_q)$
• $P_i$, $i=1,\dots,u$, of q-degree $k-1\le n-W$ over $\mathbb{F}_{q^m}$

Public key:
$$\begin{cases} K_1=P_1(g)+(0\mid E_1)Q^{-1}, & \mathrm{Rk}(E_1)=W>(n-k)/2\\ \quad\vdots & \\ K_u=P_u(g)+(0\mid E_u)Q^{-1}, & \mathrm{Rk}(E_u)=W>(n-k)/2\end{cases}$$

SLIDE 30

Evolution of the system (II)

Encryption: $y=x(g)+\sum_{i=1}^{u}\alpha_iK_i+e$, where
• $x$ has q-degree $k-u-1$
• $e$ has rank $t\le(n-k-W)/2$
• $\alpha_i\in\mathbb{F}_{q^m}^*$ random for all $i=1,\dots,u$

Decryption: we have
$$yQ=\Big(x(\overline{gQ})+\sum_{i=1}^{u}\alpha_iP_i(\overline{gQ})+\overline{eQ}\ \Big|\ Y'\Big).$$
• Decode $\overline{yQ}$ in $\mathrm{Gab}_k(\overline{gQ})$ ⇒ $\big(x+\sum_i\alpha_iP_i\big)(\overline{gQ})$
• Since $\deg_q(x)<k-u$ ⇒ $(\alpha_1,\dots,\alpha_u)$
• Since $k-u\le n-W$ ⇒ $x$

SLIDE 31

Possible attacks

Decoding attacks: solve the system
$$V(y)=(V\circ x)(g)+\sum_{i=1}^{u}V(\alpha_iK_i),\qquad\begin{cases}\deg_q(V)=\mathrm{Rk}(e)\\ \deg_q(x)=k-u-1\\ \alpha_i\in\mathbb{F}_{q^m}\end{cases}$$

Structural attacks: set
$$K=\begin{pmatrix}K_1\\ \vdots\\ K_u\end{pmatrix}=\begin{pmatrix}P_1(g)\\ \vdots\\ P_u(g)\end{pmatrix}+\begin{pmatrix}E_1\\ \vdots\\ E_u\end{pmatrix}Q^{-1}.$$
Under some conditions one can apply Overbeck's approach to recover the secret elements.

SLIDE 32

Parameters

Compromise between attacks ⇒ not many choices for $u$.

  $u$ | $n=m$ | $k$ | $W$ | $\mathrm{Rk}(e)$ | Key size (bits) | Rate
  3   | 56    | 28  | 16  | 6                | 9 408           | 44%
  3   | 54    | 32  | 13  | 4                | 11 664          | 44%

SLIDE 33

Open problems

• Are the discussed problems really NP-hard?
• How to improve the arithmetic complexity of q-polynomials?
• Johnson bound for Gabidulin codes and list decoder?
• How to construct new decodable families of rank metric codes?
• What changes with the use of skew polynomials instead of q-polynomials?