GRS SUBCODES OF GRS CODES I: THE NON-GAP SEQUENCE OF A SUBCODE OF A GENERALIZED REED-SOLOMON CODE (PowerPoint PPT presentation)


  1. THE NON-GAP SEQUENCE OF A SUBCODE OF A GENERALIZED REED-SOLOMON CODE
  I. Márquez-Corbella (1), E. Martínez-Moro (2), R. Pellikaan (3)
  (1) Department of Algebra, Geometry and Topology, University of Valladolid. Supported by a FPU grant AP2008-01598 by Spanish MEC.
  (2) Department of Applied Mathematics, University of Valladolid.
  (3) Department of Mathematics and Computing Science, Eindhoven University of Technology.
  Seventh International Workshop on Coding and Cryptography 2011

  2. PUBLIC-KEY CRYPTOSYSTEMS
  Two keys:
  Private Key: known only by the recipient.
  Public Key: available to anyone.
  Most PKC are based on number-theoretic problems.
  ➜ Quantum computers will break the most popular PKCs.

  3. MCELIECE CRYPTOSYSTEM
  KEY GENERATION. Given:
  C an [n, k, d] linear code over F_q.
  G ∈ F_q^{k×n} a generator matrix of C.
  S ∈ F_q^{k×k} a nonsingular matrix.
  P ∈ F_q^{n×n} a permutation matrix.
  McEliece Public Key: (G′ = SGP, t).
  McEliece Private Key: (G, S, P).
  ENCRYPTION. Encrypt a message m ∈ F_q^k as y′ = mG′ + e′, where e′ ∈ F_q^n is a random error vector of weight ≤ t.
  DECRYPTION.
  1. Compute y = y′P^{-1} = mG′P^{-1} + e′P^{-1} = mSG + e, where e = e′P^{-1} has the same weight as e′.
  2. Apply the decoding algorithm for C to find mS.
  3. m = mSS^{-1}.
  McEliece introduced the first PKC based on error-correcting codes in 1978.
  Advantages:
  1. Interesting candidate for post-quantum cryptography.
  2. Fast encryption (matrix-vector multiplication) and decryption functions.
  Drawback: large key size.
  R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 42-44:114-116, 1978.
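A toy end-to-end run of the key generation, encryption and decryption steps on this slide, added here as an example and not taken from the presentation. It uses the binary Hamming [7,4,3] code, so q = 2, n = 7, k = 4 and t = 1, with syndrome decoding standing in for "the decoding algorithm for C". Parameters this small only exercise the algebra and carry no security; the names G, S, P and t follow the slide, while H, keygen, encrypt, decrypt and roundtrip are names chosen for this example.

```python
# Toy McEliece over F_2 with the binary Hamming [7,4,3] code, t = 1.
# Added educational example, not the presentation's code; the parameters are
# far too small to be secure and only exercise the three steps on the slide.
import random

N, K, T = 7, 4, 1

# Systematic generator matrix G = [I | A] of the Hamming code (the private code C).
G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
# Parity-check matrix H = [A^T | I]; its columns are the 7 non-zero vectors of
# F_2^3, so a single error is located by matching its syndrome against a column.
H = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]

def gf2_matmul(X, Y):
    """Matrix product over F_2."""
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % 2
             for j in range(len(Y[0]))] for i in range(len(X))]

def gf2_vecmat(v, M):
    """Row vector times matrix over F_2."""
    return gf2_matmul([v], M)[0]

def gf2_inverse(M):
    """Gauss-Jordan inverse over F_2; raises ValueError if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            raise ValueError("singular matrix")
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def random_nonsingular(k, rng):
    """Random k x k invertible scrambler S over F_2 (rejection sampling)."""
    while True:
        S = [[rng.randrange(2) for _ in range(k)] for _ in range(k)]
        try:
            gf2_inverse(S)
            return S
        except ValueError:
            pass

def hamming_decode(y):
    """Syndrome decoding for C: corrects at most one error, returns the codeword."""
    syndrome = [sum(H[r][j] * y[j] for j in range(N)) % 2 for r in range(N - K)]
    y = y[:]
    if any(syndrome):
        pos = next(j for j in range(N) if [H[r][j] for r in range(N - K)] == syndrome)
        y[pos] ^= 1
    return y

def keygen(rng):
    """Public key (G' = SGP, t); private key (G, S, P)."""
    S = random_nonsingular(K, rng)
    perm = rng.sample(range(N), N)
    P_mat = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    return (gf2_matmul(gf2_matmul(S, G), P_mat), T), (G, S, P_mat)

def encrypt(public_key, m, rng):
    """y' = m G' + e' with e' a random error vector of weight t."""
    G_pub, t = public_key
    flips = set(rng.sample(range(N), t))
    return [c ^ int(j in flips) for j, c in enumerate(gf2_vecmat(m, G_pub))]

def decrypt(private_key, y_prime):
    """y = y' P^{-1} = mSG + e; decode to mSG; read off mS; m = mS S^{-1}."""
    G_priv, S, P_mat = private_key
    P_inv = [list(col) for col in zip(*P_mat)]   # P^{-1} = P^T for a permutation
    codeword = hamming_decode(gf2_vecmat(y_prime, P_inv))
    mS = codeword[:K]                             # G_priv = G is systematic
    return gf2_vecmat(mS, gf2_inverse(S))

def roundtrip(seed=1):
    """Returns (m, decrypted m, weight of the error actually added)."""
    rng = random.Random(seed)
    public_key, private_key = keygen(rng)
    m = [rng.randrange(2) for _ in range(K)]
    y_prime = encrypt(public_key, m, rng)
    weight = sum(a ^ b for a, b in zip(y_prime, gf2_vecmat(m, public_key[0])))
    return m, decrypt(private_key, y_prime), weight

def roundtrip_ok(seed):
    m, dec, weight = roundtrip(seed)
    return dec == m and weight == 1
```

The only structural dependence on the private code is hamming_decode; with a real [n, k, d] code and its decoder in place of it, keygen, encrypt and decrypt are unchanged, which is the point of the slide's "apply the decoding algorithm for C" step.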

  4. MOTIVATION
  Niederreiter in [?] presents a dual version of the McEliece cryptosystem which is equivalent in terms of security.
  ➜ He proposed the class of GRS codes over F_{2^m}.
  Sidelnikov and Shestakov in [?] introduced an algorithm to break the initial Niederreiter scheme.
  Berger and Loidreau in [?] propose another version of the Niederreiter scheme designed to resist the Sidelnikov-Shestakov attack.
  ➜ Main idea: work with subcodes of the original GRS code.
  T. Berger and P. Loidreau. How to mask the structure of codes for a cryptographic use. Designs, Codes and Cryptography, 35:63–79, 2005.
  H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory, 15(2):159–166, 1986.
  V. M. Sidelnikov and S. O. Shestakov. On the insecurity of cryptosystems based on generalized Reed-Solomon codes. Discrete Math. Appl., 2:439–444, 1992.

  5. MOTIVATION
  In [?] Wieschebrink presents the first feasible attack on the Berger-Loidreau cryptosystem, but it is impractical for small subcodes.
  In [?] Wieschebrink notes that if the double code of a subcode of a GRS code is itself a GRS code of dimension 2k − 1, then we can apply the Sidelnikov-Shestakov attack.
  MAIN TASK OF THIS PAPER: confirm the previous observation and give a characterization of the parameters that should be used to avoid attacks on the Berger-Loidreau cryptosystem.
  C. Wieschebrink. An attack on the modified Niederreiter encryption scheme. In PKC 2006, Lecture Notes in Computer Science, volume 3958, 14–26, Berlin, 2006. Springer.
  C. Wieschebrink. Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes. In Post-Quantum Cryptography, Lecture Notes in Computer Science, volume 6061, 6–72, Berlin, 2010. Springer.

  6. NOTATION
  Let:
  F_q be a finite field with q elements.
  n, k, l ∈ N with 1 ≤ l ≤ k ≤ n ≤ q.
  L_k := { f ∈ F_q[X] : deg(f(X)) ≤ k − 1 }.
  ev_{a,b} be the evaluation map at the elements a, b ∈ F_q^n, i.e. ev_{a,b} : L_k → F_q^n, f ↦ ( f(a_1) b_1, ..., f(a_n) b_n ).
  GENERALIZED REED-SOLOMON CODES (OR GRS CODES). Let a ∈ F_q^n such that a_i ≠ a_j for 1 ≤ i < j ≤ n and b ∈ F_q^n with non-zero entries. The GRS code GRS_k(a, b) is defined by GRS_k(a, b) := { ev_{a,b}(f(X)) : f ∈ L_k }.
  We define the star product a ∗ b ∈ F_q^n by a ∗ b = ( a_1 · b_1, ..., a_n · b_n ).
  REMARK
  ➜ GRS_k(a, b) = b ∗ GRS_k(a, 1).
  ➜ ev_{a,b}(f(X) g(X)) = ev_{a,1}(f(X)) ∗ ev_{a,b}(g(X)).

  7. (a, b)-GAP OF A CODE
  Let C be an l-dimensional subcode of the code GRS_k(a, b); we denote by C_i := C ∩ GRS_i(a, b). Then C_0 ⊆ C_1 ⊆ ... ⊆ C_k = C ∩ GRS_k(a, b) = C.
  (a, b)-GAP OF THE CODE: i ∈ Z_{≥0} is called an (a, b)-gap of the code C if C_i = C_{i+1}.
  We define the associated (a, b) non-gap sequence of C by I(a, b, C) = I(C) = { i ∈ Z_{≥0} : i is a non-gap of C }.
  PROPOSITION 1. i ∈ Z_{≥0} is an (a, b) non-gap of C ⇔ ∃ f ∈ F_q[X] with deg(f(X)) = i such that ev_{a,b}(f(X)) ∈ C.
  COROLLARY 1. Let C be an l-dimensional subcode of the code GRS_k(a, b) with associated non-gap sequence I(C). Then:
  1. I(C) = { i | ∃ f ∈ F_q[X] with deg(f(X)) = i < k : ev_{a,b}(f(X)) ∈ C }.
  2. C = { ev_{a,b}(f(X)) | f = 0 or f ∈ F_q[X] and deg(f(X)) ∈ I(C) }.

  8. (a, b)-GAP OF A CODE
  We can obtain a basis of C just by studying the associated (a, b) non-gap sequence of C.
  PROPOSITION 2. There is a set I = { i_1, ..., i_l } and there are l polynomials in unique normal form
  f_j(X) = X^{i_j} + ∑_{s < i_j, s ∉ I} f_{j,s} X^s ∈ F_q[X], for all j = 1, ..., l,
  such that C = ⟨ ev_{a,b}(f_j(X)) : j = 1, ..., l ⟩. Furthermore I(C) = I and dim(C) = |I(C)|.
  PROPOSITION 3. Let I = { i_1, ..., i_l } and
  e(I) = i_1 l + (i_2 − i_1 − 1)(l − 1) + ··· + (i_l − i_{l−1} − 1) = ∑_{s=1}^{l} (i_s − i_{s−1} − 1)(l − s + 1),
  where i_0 = −1. Then the number of l-dimensional subcodes of the code GRS_k(a, b) over F_q with a given non-gap sequence I is equal to q^{e(I)}.

  9. (a, b)-GAP OF A CODE
  REMARK. e(I) is minimal and equal to 0 for I = { 0, 1, ..., l − 1 }. e(I) is maximal and equal to l(k − l) for I = { k − l, ..., k − 1 }.
  ➜ The number of l-dimensional subcodes of the code GRS_k(a, b) over F_q is equal to the Gaussian binomial:
  [k choose l]_q := (q^k − 1)(q^k − q) ··· (q^k − q^{l−1}) / ((q^l − 1)(q^l − q) ··· (q^l − q^{l−1})) = ∑_{I ⊆ {0, ..., k−1}, |I| = l} q^{e(I)}.
  ➜ This number is a polynomial in q with non-negative integers as coefficients.
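To see Proposition 3 and the Gaussian-binomial identity of this slide in action, here is an added Python check, not code from the presentation: it enumerates every l-subset I of {0, ..., k − 1}, computes e(I) by the formula of Proposition 3, and confirms that the sum of q^{e(I)} equals [k choose l]_q, that the coefficients of that polynomial in q are the non-negative counts of subsets with a given e(I), and that the extremes are 0 and l(k − l). Function names are chosen here.

```python
# Proposition 3 and the Gaussian-binomial identity of slide 9, checked by brute
# force. Added example, not code from the presentation; function names are ours.
from itertools import combinations

def e_of(I):
    """e(I) = sum_{s=1}^{l} (i_s - i_{s-1} - 1)(l - s + 1) with i_0 = -1,
    for I = {i_1 < ... < i_l}; q^{e(I)} counts the l-dimensional subcodes
    of GRS_k(a,b) with non-gap sequence I."""
    I, total, prev = sorted(I), 0, -1
    l = len(I)
    for s, i_s in enumerate(I, start=1):
        total += (i_s - prev - 1) * (l - s + 1)
        prev = i_s
    return total

def gaussian_binomial(k, l, q):
    """[k choose l]_q = prod_{j<l} (q^k - q^j) / prod_{j<l} (q^l - q^j),
    the number of l-dimensional subspaces of F_q^k (exact integer division)."""
    num = den = 1
    for j in range(l):
        num *= q ** k - q ** j
        den *= q ** l - q ** j
    return num // den

def sum_over_nongap_sequences(k, l, q):
    """Right-hand side of the slide: sum of q^{e(I)} over all l-subsets I of {0..k-1}."""
    return sum(q ** e_of(I) for I in combinations(range(k), l))

def coefficients(k, l):
    """Coefficients of [k choose l]_q as a polynomial in q: entry e is the
    number of l-subsets I with e(I) = e, hence a non-negative integer."""
    counts = [0] * (l * (k - l) + 1)
    for I in combinations(range(k), l):
        counts[e_of(I)] += 1
    return counts

def extreme_values(k, l):
    """(e({0..l-1}), e({k-l..k-1})) = (0, l(k-l)) by the remark."""
    return e_of(range(l)), e_of(range(k - l, k))

def identity_holds(k, l, q):
    """Gaussian binomial == sum of q^{e(I)} over all non-gap sequences I."""
    return gaussian_binomial(k, l, q) == sum_over_nongap_sequences(k, l, q)
```

For k = 4, l = 2 the coefficient list is [1, 1, 2, 1, 1], i.e. [4 choose 2]_q = 1 + q + 2q^2 + q^3 + q^4, and at q = 2 both sides equal 35; the subcode with I = {k − l, ..., k − 1} is the single most numerous class, with q^{l(k−l)} members.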

  10. GRS SUBCODES OF GRS CODES I
  We study the l-dimensional subcodes C of the code GRS_k(a, b) that are themselves GRS codes.
  1. C = GRS_l(a, b) with 2 ≤ l ≤ k.
  PROPOSITION 4. C = GRS_l(a, b) ⇔ I(C) = { 0, ..., l − 1 }. There is exactly ONE l-dimensional subcode C with I(C) = { 0, ..., l − 1 }, which is GRS_l(a, b).
  2. C = GRS_l(a, a^i ∗ b) with i + l ≤ k.
  PROPOSITION 5. Let I(C) = { i_1, ..., i_l } and c = ev_a(f(X)) with f ∈ F_q[X] and deg(f(X)) = i. If i + i_l < k then I(c ∗ C) = i + I(C). Note that the converse is not true in general.
  COROLLARY 3. If i + l ≤ k then I(GRS_l(a, a^i ∗ b)) = { i, i + 1, ..., i + l − 1 }.

  11. GRS SUBCODES OF GRS CODES II
  3. C = GRS_l(c, d).
  PROPOSITION 6. Let a ∈ F_q^n with a_i ≠ a_j for 1 ≤ i < j ≤ n, b ∈ F_q^n with b_i ≠ 0 for 1 ≤ i ≤ n, l ≥ 2, and let d_0 = deg(g_0(X)), d_1 = d_0 + deg(h_1(X)), such that:
  1. g_0, h_1 ∈ F_q[X] with d_0 < d_1;
  2. ev_a(h_1(X)) = c with c_i ≠ c_j for 1 ≤ i < j ≤ n;
  3. ev_{a,b}(g_0(X)) = d with d_i ≠ 0 for 1 ≤ i ≤ n;
  4. d_0 + (l − 1)(d_1 − d_0) < k.
  Then the code C = GRS_l(c, d) is an l-dimensional subcode of GRS_k(a, b) with I(C, a, b) = { d_0, d_1, ..., d_0 + j(d_1 − d_0), ..., d_0 + (l − 1)(d_1 − d_0) }.
  PROPOSITION 7. Assume that C = GRS_l(c, d) ⊆ GRS_k(a, b), and let d_0 < d_1 be the first two elements of I(C, a, b). Then ∃ g_0, h_1 ∈ F_q[X] such that:
  1. d_0 = deg(g_0(X));
  2. d_1 = d_0 + deg(h_1(X));
  3. ev_{a,b}(g_0(X)) = d;
  4. ev_a(h_1(X)) = c.
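The following Python example is added here and is not the presentation's code. It makes the notation of slides 6 to 8 concrete over the prime field F_17 and checks Proposition 4, Corollary 3 and Proposition 6 on constructed sample data: the prime P = 17, the evaluation points a = (1, ..., 8), the multipliers b, the polynomials g0 = 1 + X and h1 = X^2, and the three-polynomial sample subcode basis are all choices made for this example, as are the function names. The non-gap sequence is computed straight from the definition on slide 7, i is a non-gap iff dim(C ∩ GRS_{i+1}(a, b)) > dim(C ∩ GRS_i(a, b)), using dim(C ∩ D) = dim C + dim D − dim(C + D) over F_p, and the unique normal form of Proposition 2 is obtained by eliminating on the highest-degree coefficient first, so the leading degrees of the reduced rows are exactly I(C).

```python
# GRS codes over a prime field F_P and the (a,b) non-gap sequence of a subcode.
# Added example, not the presentation's code; P, A, B, K, G0, H1 and SAMPLE_POLYS
# are constructed sample values chosen for this illustration.
P = 17                          # field size, so F_P arithmetic is integers mod P
A = list(range(1, 9))           # n = 8 distinct evaluation points a_1..a_n
B = [3, 5, 1, 7, 2, 11, 4, 6]   # non-zero column multipliers b_1..b_n
K = 6                           # ambient code GRS_K(A, B); K <= n <= P

def poly_eval(f, x):
    """Evaluate f (coefficient list, lowest degree first) at x in F_P."""
    acc = 0
    for coeff in reversed(f):
        acc = (acc * x + coeff) % P
    return acc

def ev(a, b, f):
    """Evaluation map ev_{a,b}: f -> (f(a_1) b_1, ..., f(a_n) b_n)."""
    return [(poly_eval(f, ai) * bi) % P for ai, bi in zip(a, b)]

def star(u, v):
    """Star (coordinatewise) product u * v."""
    return [(x * y) % P for x, y in zip(u, v)]

def grs(a, b, k):
    """Basis of GRS_k(a,b): evaluations of the monomials 1, X, ..., X^{k-1}."""
    return [ev(a, b, [0] * s + [1]) for s in range(k)]

def eliminate(M, col, piv):
    """Scale row piv so that M[piv][col] = 1 and clear column col in every other row."""
    inv = pow(M[piv][col], P - 2, P)
    M[piv] = [(x * inv) % P for x in M[piv]]
    for r in range(len(M)):
        if r != piv and M[r][col]:
            fac = M[r][col]
            M[r] = [(x - fac * y) % P for x, y in zip(M[r], M[piv])]

def rank(rows):
    """Rank of a list of vectors over F_P by Gaussian elimination."""
    M, rk = [r[:] for r in rows], 0
    for col in range(len(M[0]) if M else 0):
        piv = next((r for r in range(rk, len(M)) if M[r][col]), None)
        if piv is not None:
            M[rk], M[piv] = M[piv], M[rk]
            eliminate(M, col, rk)
            rk += 1
    return rk

def nongap_sequence(C, a, b, k):
    """I(C) for a subcode C (spanning vectors) of GRS_k(a,b), straight from the
    definition: i is a non-gap iff dim C_{i+1} > dim C_i with C_i = C ∩ GRS_i(a,b),
    using dim(C ∩ D) = dim C + dim D - dim(C + D) and dim GRS_i(a,b) = i."""
    dim_c = rank(C)
    dims = [dim_c + i - rank(C + grs(a, b, i)) for i in range(k + 1)]
    return [i for i in range(k) if dims[i + 1] > dims[i]]

def normal_form(polys, k):
    """Unique normal form of Proposition 2: pivot on the highest degree first, so
    each row becomes X^{i_j} plus terms of degree s < i_j with s not in I.
    Returns (sorted I, rows ordered by leading degree)."""
    M = [f + [0] * (k - len(f)) for f in polys]
    pivots = {}                       # leading degree -> row index
    for col in reversed(range(k)):
        piv = next((r for r in range(len(M)) if r not in pivots.values() and M[r][col]), None)
        if piv is not None:
            eliminate(M, col, piv)
            pivots[col] = piv
    return sorted(pivots), [M[pivots[c]] for c in sorted(pivots)]

SAMPLE_POLYS = [[0, 1, 0, 1], [0, 0, 1, 2], [0, 0, 0, 1, 0, 1]]  # X^3+X, 2X^3+X^2, X^5+X^3

def sample_subcode_sequences():
    """I(C) two ways for the subcode spanned by ev_{A,B}(f), f in SAMPLE_POLYS."""
    I_polys, rows = normal_form(SAMPLE_POLYS, K)
    I_def = nongap_sequence([ev(A, B, f) for f in SAMPLE_POLYS], A, B, K)
    return I_polys, I_def, rows

def check_proposition_4(l):
    """GRS_l(A,B) itself has non-gap sequence {0, ..., l-1}."""
    return nongap_sequence(grs(A, B, l), A, B, K) == list(range(l))

def check_corollary_3(i, l):
    """GRS_l(A, A^i * B) has non-gap sequence {i, ..., i+l-1} when i + l <= K."""
    a_pow_i = ev(A, [1] * len(A), [0] * i + [1])        # a^i = ev_{a,1}(X^i)
    return nongap_sequence(grs(A, star(a_pow_i, B), l), A, B, K) == list(range(i, i + l))

G0 = [1, 1]      # g0(X) = 1 + X,  d0 = deg g0 = 1
H1 = [0, 0, 1]   # h1(X) = X^2,    d1 = d0 + deg h1 = 3

def check_proposition_6(l):
    """GRS_l(c, d) with c = ev_a(h1), d = ev_{a,b}(g0): returns (hypotheses hold,
    C lies in GRS_K(A,B), I(C, A, B) == {d0 + j(d1 - d0) : j < l})."""
    c, d = ev(A, [1] * len(A), H1), ev(A, B, G0)
    d0, d1 = len(G0) - 1, len(G0) + len(H1) - 2
    hypotheses = len(set(c)) == len(c) and all(d) and d0 + (l - 1) * (d1 - d0) < K
    C = grs(c, d, l)
    inside = rank(C + grs(A, B, K)) == K
    return hypotheses, inside, nongap_sequence(C, A, B, K) == [d0 + j * (d1 - d0) for j in range(l)]
```

With these constants the sample subcode has I(C) = {2, 3, 5} by both routes, and its normal-form rows are X^2 − 2X, X^3 + X and X^5 − X: every lower-order term sits at degree 1, the one degree below 5 that is not in I, exactly as Proposition 2 prescribes. Proposition 6 with l = 3 gives I(C, a, b) = {1, 3, 5}, a subcode that is a GRS code for the pair (c, d) while looking like an ordinary 3-dimensional subcode of GRS_6(a, b), which is what the counting on the next slide quantifies.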

  12. GRS SUBCODES OF GRS CODES III
  COROLLARY 5. If 2k − 2 < n and 2 ≤ l ≤ k, then the number of l-dimensional subcodes of the code GRS_k(a, b) over F_q that are GRS codes is at most q^{k − l + 3}.
  The probability that an arbitrary l-dimensional subcode of the code GRS_k(a, b) is a GRS code is at most
  q^{k − l + 3} / [k choose l]_q ≤ q^{k − l + 3} / q^{l(k − l)} = q^{−(l − 1)(k − l) + 3}.
  This fraction tends to zero for k → ∞ or (k − l) → ∞.
