Information Set Decoding in the Lee Metric Violetta Weger joint - - PowerPoint PPT Presentation



SLIDE 1

Information Set Decoding in the Lee Metric

Violetta Weger joint work with Franco Chiaraluce, Marco Baldi, Massimo Battaglioni, Anna-Lena Horlemann-Trautmann, Edoardo Persichetti and Paolo Santini

University of Zurich

CBCrypto 2020 9 May 2020

Violetta Weger Information Set Decoding in the Lee Metric

SLIDE 2

Motivation

Changing the Metric

The original McEliece cryptosystem using Goppa codes remains unbroken but suffers from large key sizes. There have been many attempts at fixing this issue by exchanging the family of codes. Example: Niederreiter proposed to use GRS codes, which have the highest error correction capacity and hence promise low key sizes, but are vulnerable to algebraic attacks. Among the 7 code-based cryptosystems in NIST round 2, the ones achieving the lowest key sizes are based on the rank metric.

SLIDE 3

Motivation

Rank Metric

Definition (Rank Metric): For $A, B \in \mathbb{F}_q^{m \times n}$ we define the rank weight to be $\mathrm{wt}_R(A) = \mathrm{rk}(A)$ and the rank distance between $A$ and $B$ to be $d_R(A, B) = \mathrm{wt}_R(A - B)$.

Definition ($\mathbb{F}_q$-linear Rank Metric Code): $C$ is an $\mathbb{F}_q$-linear rank metric code of length $n$ and dimension $k$ if $C$ is a $k$-dimensional linear subspace of $\mathrm{Mat}_{m \times n}(\mathbb{F}_q)$ equipped with the rank metric.

SLIDE 4

Motivation

Rank Metric

Definition (Rank Metric): For $x, y \in \mathbb{F}_{q^m}^n$ we define the rank weight to be $\mathrm{wt}_R(x) = \dim(\langle x_1, \ldots, x_n \rangle_{\mathbb{F}_q})$ and the distance between $x$ and $y$ to be $d_R(x, y) = \mathrm{wt}_R(x - y)$.

Definition ($\mathbb{F}_{q^m}$-linear Rank Metric Code): $C$ is an $\mathbb{F}_{q^m}$-linear rank metric code of length $n$ and dimension $k$ if $C$ is a $k$-dimensional linear subspace of $\mathbb{F}_{q^m}^n$ equipped with the rank metric.

Note: all $\mathbb{F}_{q^m}$-linear rank metric codes are also $\mathbb{F}_q$-linear rank metric codes.

SLIDE 5

Motivation

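Difference between Rank and Hamming Metric

Let $x \in \mathbb{F}_{q^m}^n$.

  • $\mathrm{Supp}(x)$: Hamming $\{1 \le i \le n \mid x_i \neq 0\}$; Rank $\langle x_1, \ldots, x_n \rangle_{\mathbb{F}_q}$
  • $\mathrm{wt}(x)$: Hamming $|\mathrm{Supp}(x)|$; Rank $\dim(\mathrm{Supp}(x))$
  • Bruteforce cost: Hamming $\binom{n}{t}(q^m - 1)^t$; Rank $\begin{bmatrix} m \\ t \end{bmatrix}_q = \prod_{i=0}^{t-1} \frac{q^m - q^i}{q^t - q^i} \sim q^{(m-t)t}$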

SLIDE 6

Motivation

Difference between Rank and Hamming Metric

  • Advantages. Hamming: NP-complete, studied thoroughly. Rank: SDP more costly, low key sizes.
  • Disadvantages. Hamming: large key sizes. Rank: not studied thoroughly, only randomized reduction.

SLIDE 7

Lee Metric

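Properties

Definition (Lee Weight): Let $x \in \mathbb{Z}/m\mathbb{Z}$, then $\mathrm{wt}_L(x) = \min\{x, |m - x|\}$.

Example ($\mathbb{Z}/8\mathbb{Z}$):
  • $\mathrm{wt}_L(0) = 0$
  • $\mathrm{wt}_L(1) = \mathrm{wt}_L(7) = 1$
  • $\mathrm{wt}_L(2) = \mathrm{wt}_L(6) = 2$
  • $\mathrm{wt}_L(3) = \mathrm{wt}_L(5) = 3$
  • $\mathrm{wt}_L(4) = 4$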

SLIDE 10

Lee Metric

Properties

Definition (Lee Metric): Let $x, y \in (\mathbb{Z}/m\mathbb{Z})^n$, then the Lee weight is defined as $\mathrm{wt}_L(x) = \sum_{i=1}^{n} \mathrm{wt}_L(x_i)$ and the Lee distance between $x$ and $y$ is $d_L(x, y) = \mathrm{wt}_L(x - y)$.

Clearly: for all $x \in (\mathbb{Z}/m\mathbb{Z})^n$: $\mathrm{wt}_H(x) \le \mathrm{wt}_L(x)$.

Definition (Lee Metric Code): $C$ is a linear Lee metric code of length $n$ and type $|C|$ if $C$ is an additive subgroup of $(\mathbb{Z}/m\mathbb{Z})^n$ equipped with the Lee metric.

SLIDE 11

Lee Metric

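Quaternary Codes

Definition (Quaternary Code): $C$ is a quaternary code of length $n$ and type $4^{k_1}2^{k_2}$ if $C$ is an additive subgroup of $(\mathbb{Z}/4\mathbb{Z})^n$ equipped with the Lee metric.

Definition (Gray Isometry): $\phi : (\mathbb{Z}/4\mathbb{Z}, \mathrm{wt}_L) \to (\mathbb{F}_2^2, \mathrm{wt}_H)$
  • $0 \mapsto (0, 0)$
  • $1 \mapsto (0, 1)$
  • $2 \mapsto (1, 1)$
  • $3 \mapsto (1, 0)$

We can extend $\phi^n : (\mathbb{Z}/4\mathbb{Z})^n \to \mathbb{F}_2^{2n}$.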

SLIDE 13

Lee Metric

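Differences

Let $C$ be a quaternary code of length $n$ and type $4^{k_1}2^{k_2}$, then the systematic form of the generator matrix is given by
$$G = \begin{pmatrix} \mathrm{Id}_{k_1} & A & B \\ 0 & 2\,\mathrm{Id}_{k_2} & 2C \end{pmatrix},$$
where $A \in \mathbb{Z}_2^{k_1 \times k_2}$, $B \in \mathbb{Z}_4^{k_1 \times (n-k_1-k_2)}$, $C \in \mathbb{Z}_2^{k_2 \times (n-k_1-k_2)}$.

The systematic form of the parity check matrix is given by
$$H = \begin{pmatrix} D & E & \mathrm{Id}_{n-k_1-k_2} \\ 2F & 2\,\mathrm{Id}_{k_2} & 0 \end{pmatrix},$$
where $D \in \mathbb{Z}_4^{(n-k_1-k_2) \times k_1}$, $E \in \mathbb{Z}_4^{(n-k_1-k_2) \times k_2}$, $F \in \mathbb{Z}_2^{k_2 \times k_1}$.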

SLIDE 14

ISD in the Lee Metric

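ISD over the Hamming Metric

Prange's algorithm:
Given: $H \in \mathbb{F}_q^{(n-k) \times n}$, $s \in \mathbb{F}_q^{n-k}$, $t \in \mathbb{N}$.
Find: $e \in \mathbb{F}_q^n$ such that $He^\top = s^\top$ and $\mathrm{wt}_H(e) = t$.

Main idea: Assume no errors happen in the information set.
$$UHe^\top = \begin{pmatrix} A & \mathrm{Id}_{n-k} \end{pmatrix} \begin{pmatrix} 0 \\ e'^\top \end{pmatrix} = Us^\top.$$
Thus we get the condition $e'^\top = Us^\top$.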

SLIDE 15

ISD in the Lee Metric

Structure of ISD Algorithms

  1. Choose an information set.
  2. Bring the parity check matrix into systematic form and perform the same row operations on the syndrome.
  3. By assuming a certain weight distribution of the error vector we get conditions on the error vector.
  4. Go through all possible vectors and check if the conditions are satisfied; if they are, output the error vector.
  5. If not, start over with a new information set.
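
The five steps above, run end to end for Prange's algorithm in the binary case q = 2. This is an added example, not code from the talk; the function names, the toy parameters and the seeded random instance are constructed for illustration.

```python
import random

def syndrome(H, e):
    """Compute H e^T over F_2 (H is a list of rows)."""
    return [sum(h & x for h, x in zip(row, e)) % 2 for row in H]

def prange(H, s, t, rng, max_iter=10000):
    """Return e with H e^T = s^T and Hamming weight t, or None if not found."""
    r, n = len(H), len(H[0])
    for _ in range(max_iter):
        # Step 1: random permutation; its first n - r positions play the
        # role of the information set, the last r are its complement.
        perm = rng.sample(range(n), n)
        # Step 2: reduce [H_perm | s] so the last r columns become Id,
        # applying the same row operations U to the syndrome column.
        M = [[row[j] for j in perm] + [si] for row, si in zip(H, s)]
        for c in range(r):
            col = n - r + c
            piv = next((i for i in range(c, r) if M[i][col]), None)
            if piv is None:
                break  # chosen columns are singular: pick a new set
            M[c], M[piv] = M[piv], M[c]
            for i in range(r):
                if i != c and M[i][col]:
                    M[i] = [a ^ b for a, b in zip(M[i], M[c])]
        else:
            # Steps 3-4: if e vanishes on the information set, e' = U s^T.
            e_prime = [row[n] for row in M]
            if sum(e_prime) == t:
                e = [0] * n
                for c, bit in enumerate(e_prime):
                    e[perm[n - r + c]] = bit  # undo the permutation
                return e
        # Step 5: otherwise start over with a new information set.
    return None

def demo(n=20, k=10, t=2, seed=1):
    """Constructed toy instance: H = (A | Id) with random A, planted error."""
    rng = random.Random(seed)
    r = n - k
    H = [[rng.randint(0, 1) for _ in range(k)] + [int(i == j) for j in range(r)]
         for i in range(r)]
    planted = [0] * n
    for i in rng.sample(range(n), t):
        planted[i] = 1
    s = syndrome(H, planted)
    return H, s, prange(H, s, t, rng)
```

The returned vector need not equal the planted error: any vector of weight t with the right syndrome is a valid output.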

SLIDE 16

ISD in the Lee Metric

Cost of ISD Algorithms

The cost of an ISD algorithm is given by

number of iterations · cost of one iteration.

number of iterations = reciprocal of the success probability of one iteration.

Example: Prange in the Hamming metric has a success probability of $\binom{n-k}{t}\binom{n}{t}^{-1}$.

SLIDE 17

ISD in the Lee Metric

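Quaternary Prange

Given: $H \in \mathbb{Z}_4^{(n-k_1) \times n}$, $s \in \mathbb{Z}_4^{n-k_1}$, $t \in \mathbb{N}$.
Find: $e \in \mathbb{Z}_4^n$ with $He^\top = s^\top$ and $\mathrm{wt}_L(e) = t$.

$$UHe^\top = \begin{pmatrix} A & \mathrm{Id}_{n-k_1-k_2} \\ 2C & 0 \end{pmatrix} \begin{pmatrix} 0 \\ e'^\top \end{pmatrix} = \begin{pmatrix} s_1^\top \\ 2s_2^\top \end{pmatrix}.$$

From this we get the conditions $e' = s_1$ and $s_2 = 0$.

New success probability: $\binom{2(n-k_1-k_2)}{t}\binom{2n}{t}^{-1}$.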
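
The Gray isometry from the Quaternary Codes slide explains the $\binom{2n}{t}$ in this success probability: it carries Lee weight on $(\mathbb{Z}/4\mathbb{Z})^n$ to Hamming weight on $\mathbb{F}_2^{2n}$, so exactly $\binom{2n}{t}$ quaternary vectors have Lee weight $t$. The Python below is an added example, not code from the talk (all function names are illustrative); it checks the isometry exhaustively for small n, counts vectors by Lee weight, and evaluates the formula.

```python
from itertools import product
from math import comb

# Gray map on single symbols, as listed on the Quaternary Codes slide.
GRAY = {0: (0, 0), 1: (0, 1), 2: (1, 1), 3: (1, 0)}

def lee_weight(x, m=4):
    """Lee weight of a vector over Z/mZ: sum of min(x_i, m - x_i)."""
    return sum(min(xi % m, m - xi % m) for xi in x)

def gray(x):
    """Gray map applied coordinate-wise: (Z/4Z)^n -> F_2^(2n)."""
    return tuple(bit for xi in x for bit in GRAY[xi % 4])

def hamming_distance(u, v):
    return sum(a != b for a, b in zip(u, v))

def is_isometry(n):
    """Check d_L(x, y) == d_H(gray(x), gray(y)) for all pairs in (Z/4Z)^n."""
    vecs = list(product(range(4), repeat=n))
    return all(
        lee_weight([a - b for a, b in zip(x, y)])
        == hamming_distance(gray(x), gray(y))
        for x in vecs for y in vecs)

def lee_weight_counts(n):
    """Number of vectors of (Z/4Z)^n having each Lee weight 0..2n."""
    counts = [0] * (2 * n + 1)
    for x in product(range(4), repeat=n):
        counts[lee_weight(x)] += 1
    return counts

def prange_success_probability(n, k1, k2, t):
    """Success probability of one quaternary Prange iteration (slide formula)."""
    return comb(2 * (n - k1 - k2), t) / comb(2 * n, t)
```

The exhaustive check grows as 16^n pairs, so it is only meant for n up to about 4.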

SLIDE 18

Performance

GV - Bounds

Proposition (Gilbert-Varshamov Bound): Let $n$ and $d$ be positive integers. There exists a linear binary code $C$ of length $n$ and minimum Hamming distance $d$, such that
$$|C| \ge \frac{2^n}{\sum_{j=0}^{d-1} \binom{n}{j}}.$$
Furthermore there exists a linear quaternary code $C$ of length $n$ and minimum Lee distance $d$, such that
$$|C| \ge \frac{4^n}{\left(\sum_{j=0}^{d-1} \binom{2n}{j} - 1\right) 3 + 1}.$$

SLIDE 19

Performance

Performance for theoretical Parameters

In the Lee metric:

n      k1    k2    dL    tL    cost Prange   Key Size
101    5     90    25    12    83.42         1050
463    230   3     105   52    80.29         107180
173    9     154   41    20    129.96        3106
863    430   3     193   96    128.82        372380
375    20    334   85    42    256.03        14534
1943   970   3     431   215   256.33        1887620

In the Hamming metric:

n      k      dH    tH    cost Prange   Key Size
903    451    103   51    80.53         203852
1683   841    189   94    128.03        708122
3863   1931   429   214   256.68        3730692

SLIDE 20

Performance

Disclaimer These are only theoretical parameters, since we are not actually proposing a code to be used within the quaternary McEliece cryptosystem!

SLIDE 21

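Lee Metric over $\mathbb{Z}_{p^s}$

Difficulties of Generalizing

Let $C$ be a linear Lee metric code over $\mathbb{Z}_{p^s}$ of length $n$ and type $(p^s)^{k_1}(p^{s-1})^{k_2} \cdots p^{k_s}$. Then the systematic form of the generator matrix is
$$G = \begin{pmatrix} \mathrm{Id}_{k_1} & A_{1,2} & \cdots & A_{1,s} & A_{1,s+1} \\ 0 & p\,\mathrm{Id}_{k_2} & \cdots & pA_{2,s} & pA_{2,s+1} \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & p^{s-1}\mathrm{Id}_{k_s} & p^{s-1}A_{s,s+1} \end{pmatrix},$$
and the systematic form of the parity check matrix is
$$H = \begin{pmatrix} B_{1,1} & B_{1,2} & \cdots & B_{1,s} & \mathrm{Id}_{n-K} \\ pB_{2,1} & pB_{2,2} & \cdots & p\,\mathrm{Id}_{k_s} & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ p^{s-1}B_{s,1} & p^{s-1}\mathrm{Id}_{k_2} & \cdots & 0 & 0 \end{pmatrix},$$
where $K = \sum_{i=1}^{s} k_i$.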

SLIDE 22

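Lee Metric over $\mathbb{Z}_{p^s}$

Simplification for ISD

For the purpose of ISD algorithms we can choose the following form
$$G = \begin{pmatrix} \mathrm{Id}_{k_1} & A \\ 0 & pB \end{pmatrix}, \qquad H = \begin{pmatrix} C & \mathrm{Id}_{n-K} \\ pD & 0 \end{pmatrix},$$
with $A \in \mathbb{Z}_{p^s}^{k_1 \times (n-k_1)}$, $B \in \mathbb{Z}_{p^{s-1}}^{(K-k_1) \times (n-k_1)}$, $C \in \mathbb{Z}_{p^s}^{(n-K) \times K}$ and $D \in \mathbb{Z}_{p^{s-1}}^{(K-k_1) \times K}$.

This way we are putting all the zero-divisors together, only considering $k_1$.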

SLIDE 23

Lee Metric over $\mathbb{Z}_{p^s}$

Simplification for ISD

Example: Lee-Brickell

We assume that the error vector has weight $v$ in the information set and $t - v$ outside the information set.
$$UHe^\top = \begin{pmatrix} C & \mathrm{Id}_{n-K} \\ pD & 0 \end{pmatrix} \begin{pmatrix} e_1^\top \\ e_2^\top \end{pmatrix} = \begin{pmatrix} s_1^\top \\ ps_2^\top \end{pmatrix} = Us^\top.$$
From this we get the conditions
$$Ce_1^\top + e_2^\top = s_1^\top,$$
$$pDe_1^\top = ps_2^\top.$$
Note that the second condition is again a syndrome decoding problem, but over a smaller ring and of smaller size.

SLIDE 24

Conclusion

Open Problems

  • Find a quaternary code with the properties from code-based cryptography: large error correction capacity, efficient decoding algorithm and a large family of codes.
  • Find applications of the Lee metric for code-based cryptography; ongoing work: identification scheme, signature scheme.
  • Computation of the cost of the iterative ISD algorithm.
  • Is there a faster way to solve the SDP using tools from lattice-based cryptography?

SLIDE 25

Thank you!
