/k Content 2/48 1. Ambassador of TU/e 2. Introduction on Coding, - PowerPoint PPT Presentation

Code Based Cryptology at TU/e Ruud Pellikaan g.r.pellikaan@tue.nl University Indonesia, Depok, Nov. 2 University Padjadjaran, Bandung, Nov. 6 Institute Technology Bandung, Bandung, Nov. 6 University Gadjah Mada, Yogyakarta, Nov. 9 University Sebelas Maret, Surakarta, Nov. 11 November 2015 /k

Content 2/48 1. Ambassador of TU/e 2. Introduction on Coding, Crypto and Security 3. Public-key crypto systems 4. One-way functions and 5. Code based public-key crypto system 6. Error-correcting codes 7. Error-correcting pairs /k

Coding 3/48 ◮ correct transmission of data ◮ error-correction ◮ no secrecy involved ◮ communication: internet, telephone, ... ◮ fault tolerant computing ◮ memory: computer compact disc, DVD, USB stick ... /k

Crypto 4/48 ◮ private transmission of data ◮ secrecy involved ◮ privacy ◮ eaves dropping ◮ insert false messages ◮ authentication ◮ electronic signature ◮ identity fraud /k

Security 5/48 ◮ secure transmission of data ◮ secrecy involved ◮ electronic voting ◮ electronic commerce ◮ money transfer ◮ databases of patients /k

Public-key cryptography (PKC) 6/48 ◮ Diffie and Hellman 1976 in the public domain in ◮ Ellis in 1970 for secret service, not made public until 1997 ◮ advantage with respect to symmetric-key cryptography ◮ no exchange of secret key between sender and receiver /k

One-way function 7/48 ◮ At the heart of any public-key cryptosystem is a ◮ one-way function ◮ a function y = f ( x ) that is ◮ easy to evaluate but ◮ for which it is computationally infeasible ( one hopes ) ◮ to find the inverse x = f − 1 ( y ) /k

Examples of one-way function 8/48 ◮ Example 1 ◮ differentiation a function is easy ◮ integrating a function is difficult ◮ Example 2 ◮ checking whether a given proof is correct is easy ◮ finding the proof of a proposition is difficult /k

Integer factorization 9/48 ◮ x = ( p , q ) is a pair of distinct prime numbers ◮ y = pq is its product ◮ proposed by Cocks in 1973 in secret service ◮ Rivest-Shamir-Adleman (RSA) in 1978 in public domain ◮ based on the hardness of factorizing integers /k

Discrete logarithm 10/48 ◮ G is a group (written multiplicatively) ◮ with a ∈ G and x an integer ◮ y = a x ◮ Diffie-Hellman in 1974 and 1976 in public domain ◮ proposed by Williamson in 1974 in secret service ◮ based on difficulty of finding discrete logarithms in a finite field /k

Elliptic curve discrete logarithm 11/48 ◮ G is an elliptic curve group (written additively) over a finite field ◮ P is a point on the curve ◮ x = k a positive integer k ◮ y = kP is another point on the curve ◮ obtained by the multiplication of P with a positive integer k ◮ proposed by Koblitz and Miller in 1985 ◮ based on the difficulty of inverting this function in G /k

Code based cryptography 12/48 ◮ H is a given r × n matrix with entries in F q ◮ x is in F n q of weight at most t ◮ y = x H T ◮ proposed by McEliece in 1978 and later by Niederreiter ◮ based on the difficulty of decoding error-correcting codes ◮ it is NP complete /k

NP complete problems 13/48 ◮ NP = nondeterministic polynomial time ◮ given a problem with yes/no answer ◮ if answer is yes and the solution is given ◮ then one can check it in polynomial time ◮ Input: integer n ◮ Query: can one factorize n in n = pq with p and q > 1? ◮ if answer is yes and someone gives p and q ◮ then one easily checks that n = pq ◮ otherwise it is difficult to find p and q /k

Abstract 14/48 ◮ error-correcting codes ◮ error-correcting pairs correct errors efficiently ◮ applies to many known codes ◮ prime example Generalized Reed-Solomon codes ◮ can be explained in a short time ◮ is a distinguisher of certain classes of codes ◮ McEliece public-key cryptosystem ◮ polynomial attack if algebraic geometry codes are used ◮ ECP map is a one-way function /k

Information theory: Shannon 15/48 message message sender 001... 011... receiver ✲ ✲ ✲ ✲ target source encoding decoding ✻ noise Block diagram of a communication system /k

Error-correcting codes: Hamming 16/48 Q alphabet of q elements Hamming distance between x = ( x 1 , . . . , x n ) and y = ( y 1 , . . . , y n ) in Q n d ( x , y ) = min |{ i : x i �= y i }| y ❍❍❍❍❍ ❨ ❍ ❍ � ✒ � ❍ d ( y , z ) � ❍ � ❍ � d ( x , y ) ❥ ❍ ❍ � ✘ ✿ z ✘ ✘✘✘✘✘✘✘✘✘✘✘ ✘ ✘ � ✘ � ✘ ✘ ✘ � ✘ � ✘ ✘ ✘ d ( x , z ) ✾ ✘ � � ✠ x Triangle inequality /k

Block codes 17/48 C block code is a subset of Q n d ( C ) = min |{ d ( x , y ) : x , y ∈ C , x �= y }| minimum distance of C t ( C ) = ⌊ d ( C ) − 1 ⌋ 2 error-correcting capacity of C /k

Hamming code - 1 18/48 ✬✩ ✬✩ ✬✩ r 3 ✫✪ m 2 m 1 m 4 ✫✪ ✫✪ r 1 r 2 m 3 Venn diagram of the Hamming code /k

Hamming code - 2 19/48 ✬✩ ✬✩ ✬✩ 1 ✫✪ 1 1 1 ✫✪ ✫✪ 0 0 0 Venn diagram of a code word sent /k

Hamming code - 3 20/48 ✬✩ ✬✩ ✬✩ 1 ✫✪ 0 1 1 ✫✪ ✫✪ 0 0 0 Venn diagram of a received word /k

Hamming code - 4 21/48 ✬✩ ✬✩ ✬✩ 1 ✫✪ 0 1 1 ✫✪ ✫✪ 0 0 0 Correction of one error /k

Linear codes and their parameters 22/48 F q the finite field with q elements, q = p e and p prime F n q is an F q -linear vector space of dimension n C linear code is an F q -linear subspace of F n q parameters [ n , k , d ] q or [ n , k , d ] q = size finite field n = length of C k = dimension of C d = minimum distance of C /k

Encoding linear code 23/48 Let C a linear code in F n q of dimension k It has a basis g 1 , . . . , g k Let G be the k × n matrix with rows g 1 , . . . , g k Then G is called a generator matrix of C The encoding E : F k → F n q − q of C s given by E ( m ) = m G /k

Singleton bound 24/48 Singleton bound d ≤ n − k + 1 Maximum Distance Separable (MDS) d = n − k + 1 /k

Inner product 25/48 The standard inner product is defined by a · b = a 1 b 1 + · · · + a n b n Is bilinear and non-degenerate but "positive definite"makes no sense Two subsets A and B of F n q are perpendicular: A ⊥ B if and only if a · b = 0 for all a ∈ A and b ∈ B /k

Dual code 26/48 Let C be a linear code in F n q The dual code is defined by C ⊥ = { x : x · c = 0 for all c ∈ C } If C has dimension k , then C ⊥ has dimension n − k /k

Star product 27/48 The star product is defined by coordinatewise multiplication a ∗ b = ( a 1 b 1 , . . . , a n b n ) For two subsets A and B of F n q A ∗ B = � a ∗ b | a ∈ A and b ∈ B � /k

Efficient decoding algorithms 28/48 The following classes of codes: ◮ Generalized Reed-Solomon codes ◮ Cyclic codes ◮ Alternant codes ◮ Goppa codes ◮ Algebraic geometry codes have efficient decoding algorithms: ◮ Arimoto, Peterson, Gorenstein, Zierler ◮ Berlekamp, Massey, Sakata ◮ Justesen et al., Vladut-Skrobogatov, ........... ◮ Error-correcting pairs /k

Error-correcting pair 29/48 Let C be a linear code in F n q The pair ( A , B ) of linear subcodes of F n q m is a called a t-error correcting pair (ECP) over F q m for C if E.1 ( A ∗ B ) ⊥ C E.2 k ( A ) > t E.3 d ( B ⊥ ) > t E.4 d ( A ) + d ( C ) > n /k

Generalized Reed-Solomon codes- 1 30/48 Let a = ( a 1 , . . . , a n ) be an n -tuple of mutually distinct elements of F q Let b = ( b 1 , . . . , b n ) be an n -tuple of nonzero elements of F q Evaluation map: ev a , b ( f ( X )) = ( f ( a 1 ) b 1 , . . . , f ( a n ) b n ) GRS k ( a , b ) = { ev a , b ( f ( X )) | f ( X ) ∈ F q [ X ] , deg ( f ( X ) < k } Parameters: [ n , k , n − k + 1 ] if k ≤ n Since a polynomial of degree k − 1 has at most k − 1 zeros. /k

Generalized Reed-Solomon codes - 2 31/48 Furthermore ev a , b ( f ( X )) ∗ ev a , c ( g ( X )) = ev a , b ∗ c ( f ( X ) g ( X )) GRS k ( a , b ) ∗ GRS l ( a , c ) = GRS k + l − 1 ( a , b ∗ c ) /k

t -ECP for GRS n − 2 t ( a , b ) 32/48 Let C ⊥ = GRS 2 t ( a , 1 ) Then C = GRS n − 2 t ( a , b ) for some b has parameters: [ n , n − 2 t , 2 t + 1 ] Let A = GRS t + 1 ( a , 1 ) and B = GRS t ( a , 1 ) Then ( A ∗ B ) ⊆ C ⊥ A has parameters [ n , t + 1 , n − t ] B has parameters [ n , t , n − t + 1 ] So B ⊥ has parameters [ n , n − t , t + 1 ] Hence ( A , B ) is a t -error-correcting pair for C /k

Kernel of a received word 33/48 Let A and B be linear subspaces of F n q m and r ∈ F n q a received word Define the kernel K ( r ) = { a ∈ A | ( a ∗ b ) · r = 0 for all b ∈ B } Lemma Let C be an F q -linear code of length n Let r be a received word with error vector e So r = c + e for some c ∈ C If ( A ∗ B ) ⊆ C ⊥ , then K ( r ) = K ( e ) /k

Kernel for a GRS code 34/48 Let A = GRS t + 1 ( a , 1 ) and B = GRS t ( a , 1 ) and C = � A ∗ B � ⊥ Let a i = ev a , 1 ( X i − 1 ) for i = 1 , . . . , t + 1 b j = ev a , 1 ( X j ) for j = 1 , . . . , t h l = ev a , 1 ( X l ) for l = 1 , . . . , 2 t Then a 1 , . . . , a t + 1 is a basis of A b 1 , . . . , b t is a basis of B h 1 , . . . , h 2 t is a basis of C ⊥ Furthermore a i ∗ b j = ev a , 1 ( X i + j − 1 ) = h i + j − 1 /k