Security Bounds for the Design of Code-based Cryptosystems M. - PowerPoint PPT Presentation
  1. Security Bounds for the Design of Code-based Cryptosystems, M. Finiasz and N. Sendrier

  2. The Syndrome Decoding Problem
  [figure: H is an r × n matrix, e a word of length n, S a syndrome of length r]
  Syndrome Decoding (SD): does e ∈ {0,1}^n of weight ≤ w such that e × H = S exist?
  ⊲ NP-complete problem. [Berlekamp, McEliece, van Tilborg - 1978]

  3. The Syndrome Decoding Problem
  [figure: H is an r × n matrix, e a word of length n, S a syndrome of length r]
  Computational Syndrome Decoding (CSD): find e ∈ {0,1}^n of weight ≤ w such that e × H = S.
  ⊲ The security of most code-based cryptosystems relies on the difficulty of solving this problem.

  4. Our Point of View
  ◮ Depending on the parameters (n, r, w), what is the difficulty of solving CSD?
  ⊲ we are looking for a lower bound → any attack on the system costs at least this.
  ◮ There are three families of attacks to look at:
  ⊲ we describe an idealized version of each attack → trying to take into account improvements to come,
  ⊲ we propose a lower bound for each of them (or an approximation of a lower bound).

  5. Birthday Algorithm

  6. Birthday Algorithm: Basic algorithm
  ◮ Builds a list/hash table of XORs of w/2 columns of H:
  ⊲ look for 2 equal elements in this set → each such pair gives a solution to the CSD instance.
  ◮ The size L of the list to build is:
  ⊲ if $\binom{n}{w/2} > 2^r$ then $L = 2^r$,
  ⊲ else, if the problem has a single solution, $L = \binom{n}{w/2}$.
  ◮ In both cases, the complexity is O(L log L) in time and in memory.

  7. Birthday Algorithm: Basic algorithm
  ◮ The basic technique has 2 drawbacks:
  ⊲ one manipulates r-bit long XORs,
  ⊲ in the second case, the solution is found $\frac{1}{2}\binom{w}{w/2}$ times.
  ◮ We thus improve/idealize the algorithm accordingly:
  ⊲ introduce a "window" of size ℓ → does not improve the asymptotic complexity,
  ⊲ store a list of smaller size.

  8. Birthday Algorithm: Detailed algorithm
  ◮ W_1 and W_2 are subsets of the words of weight w/2.

      input: H_0 ∈ {0,1}^{r×n}, s ∈ {0,1}^r
      repeat                                                  (main loop)
          P ← random n × n permutation matrix
          H ← H_0 P
          for all e ∈ W_1
              i ← h_ℓ(e H^T)                                  (ba 1)
              write(e, i)          // store e at index i of a structure
          for all e_2 ∈ W_2
              i ← h_ℓ(s + e_2 H^T)                            (ba 2)
              S ← read(i)          // extract the elements stored at index i
              for all e_1 ∈ S
                  if e_1 H^T = s + e_2 H^T                    (ba 3)
                      return (e_1 + e_2) P^T                  (success)
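The slide-8 procedure as an added, runnable Python toy (not the authors' code): words are bitmasks, H is a list of column integers, h_ℓ keeps the ℓ low-order bits, and W_1, W_2 are drawn as L random words of weight w/2 on each pass; the instance (n = 24, r = 16, w = 4) is constructed with a planted error.

```python
import random

def syndrome(cols, e):
    """e H^T over GF(2): XOR of the columns of H in the support of e.
    cols[i] is column i of H as an r-bit int; e is an n-bit mask."""
    s = 0
    for i, c in enumerate(cols):
        if e >> i & 1:
            s ^= c
    return s

def weight(e):
    return bin(e).count("1")

def random_words(n, wt, count, rng):
    """`count` random words of length n and weight wt (the sets W_1, W_2)."""
    return [sum(1 << i for i in rng.sample(range(n), wt)) for _ in range(count)]

def birthday_decode(cols, s, w, ell, L, rng, max_iter=20000):
    """Slide 8: per pass, permute the columns (P), hash W_1 on the ell-bit window of
    e_1 H^T (ba 1), look up h_ell(s + e_2 H^T) for e_2 in W_2 (ba 2) and run the full
    r-bit test (ba 3). Returns a word of weight <= w with e H^T = s, or None."""
    n = len(cols)
    window = (1 << ell) - 1
    for _ in range(max_iter):
        perm = list(range(n))
        rng.shuffle(perm)
        hp = [cols[j] for j in perm]                       # H <- H_0 P
        table = {}
        for e1 in random_words(n, w // 2, L, rng):         # W_1
            table.setdefault(syndrome(hp, e1) & window, []).append(e1)   # (ba 1)
        for e2 in random_words(n, w // 2, L, rng):         # W_2
            target = s ^ syndrome(hp, e2)                  # s + e_2 H^T
            for e1 in table.get(target & window, []):      # (ba 2) window match
                if syndrome(hp, e1) == target:             # (ba 3) full test
                    ep = e1 ^ e2                           # solution for H_0 P
                    # bit i of ep sits at original column perm[i]: apply P^T
                    return sum(1 << perm[i] for i in range(n) if ep >> i & 1)
    return None

def random_instance(n, r, w, rng):
    """Constructed CSD instance: random H (n columns of r bits) and a planted weight-w e."""
    cols = [rng.getrandbits(r) for _ in range(n)]
    return cols, syndrome(cols, random_words(n, w, 1, rng)[0])

def is_solution(cols, s, w, e):
    return e is not None and weight(e) <= w and syndrome(cols, e) == s

def solve_random_instance(seed=1, n=24, r=16, w=4, ell=6, L=60):
    rng = random.Random(seed)
    cols, s = random_instance(n, r, w, rng)
    return cols, s, birthday_decode(cols, s, w, ell, L, rng)
```

With L = 60 out of the 276 weight-2 words, each pass finds a planted split with probability roughly 0.2, so a handful of permutations is typically enough.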

  9. Birthday Algorithm: Effective cost
  ◮ We make two assumptions:
  ⊲ for all pairs of words (e_1, e_2), the sum e_1 + e_2 is uniformly distributed,
  ⊲ if K_0 is the cost of a complete test, the total cost is: ℓ · ♯(ba 1) + ℓ · ♯(ba 2) + K_0 · ♯(ba 3).
  ◮ Then, the cost of solving an instance of CSD is lower bounded by:
  $$WF_{BA}(n, r, w) = 2L \log(K_0 L) \quad\text{with}\quad L = \min\left(\sqrt{\binom{n}{w}},\ 2^{r/2}\right).$$
  → L is the size of W_1 and, on average, of W_2.

  10. Birthday Algorithm: Effective cost (continued)
  ◮ Same assumptions and same bound $WF_{BA}(n, r, w) = 2L \log(K_0 L)$ as on the previous slide,
  → the attacker might choose better sets W_1 and W_2.

  11. Information Set Decoding (ISD)

  12. Information Set Decoding: Basic idea
  ◮ The idea is to look for an information set → a set of k positions containing no errors.
  ◮ For CSD, this is equivalent to finding a set of r columns of H containing the w positions of a solution.
  [figure: H (r × n) split into a block of k columns and a block of r columns, e of length n, syndrome S]

  13. Information Set Decoding: Stern's algorithm
  ◮ Each Gaussian elimination tests $\binom{r}{w}$ solution candidates,
  ⊲ we want to increase this number.
  ◮ We introduce two parameters ℓ and p. [Stern 1989]
  ⊲ equality on a window of size ℓ → birthday algorithm.
  [figure: H′ and S′ after partial Gaussian elimination, with an ℓ-bit window; the solution has weight p on the k + ℓ positions and w − p on the remaining r − ℓ]

  14. Information Set Decoding: Detailed algorithm
  ◮ W_1 and W_2 are words of weight p/2 and length k + ℓ.

      input: H_0 ∈ {0,1}^{r×n}, s_0 ∈ {0,1}^r
      repeat                                                  (main loop)
          P ← random n × n permutation matrix
          (H′, U) ← PGElim(H_0 P)     // partial Gaussian elimination
          s ← s_0 U^T
          for all e ∈ W_1
              i ← h_ℓ(e H′^T)                                 (isd 1)
              write(e, i)          // store e at index i of a structure
          for all e_2 ∈ W_2
              i ← h_ℓ(s + e_2 H′^T)                           (isd 2)
              S ← read(i)          // extract the elements stored at index i
              for all e_1 ∈ S
                  if wt(s + (e_1 + e_2) H′^T) = w − p         (isd 3)
                      return (P, e_1 + e_2)                   (success)

  15. Cost Estimation
  ◮ Again, we make two assumptions:
  ⊲ for all pairs of words (e_1, e_2), the sum e_1 + e_2 is uniformly distributed,
  ⊲ if K_{w−p} is the cost of an isd 3 test, the total cost is: ℓ · ♯(isd 1) + ℓ · ♯(isd 2) + K_{w−p} · ♯(isd 3).
  ◮ For a CSD instance with a single solution:
  $$WF_{ISD}(n, r, w) \approx \min_p \frac{2\ell \binom{n}{w}}{\lambda \binom{r-\ell}{w-p}\sqrt{\binom{k+\ell}{p}}} \quad\text{with}\quad \ell = \log\left(K_{w-p}\sqrt{\binom{k+\ell}{p}}\right).$$
  ◮ With λ = 1 − e^{−1}, the success probability of the "birthday".

  16. Cost Estimation: When multiple solutions exist
  ◮ When $\binom{n}{w} > 2^r$, we distinguish between 2 cases:
  ⊲ either isd 3 has less than one solution: $\binom{r}{w-p}\binom{k}{p} \ll 2^r$ → a similar formula applies,
  $$WF_{ISD}(n, r, w) \approx \min_p \frac{2\ell\, 2^r}{\lambda \binom{r-\ell}{w-p}\sqrt{\binom{k+\ell}{p}}} \quad\text{with}\quad \ell = \log\left(K_{w-p}\sqrt{\binom{k+\ell}{p}}\right),$$
  ⊲ or isd 3 has several solutions: $\binom{r}{w-p}\binom{k}{p} > 2^r$ → a single iteration is enough, using smaller lists,
  $$WF_{ISD}(n, r, w) \approx \min_p \frac{2\ell\, 2^{r/2}}{\sqrt{\binom{r-\ell}{w-p}}} \quad\text{with}\quad \ell = \log\left(K_{w-p}\frac{2^{r/2}}{\sqrt{\binom{r-\ell}{w-p}}}\right).$$
  ◮ Not always very tight, especially for intermediate cases...
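An added Python calculator (not from the slides) for the WF_BA bound of slide 9 and the single-solution WF_ISD approximation of slide 15, reading log as log_2 and assuming a simple cost model K_0 = 2r, K_{w−p} = 2(w−p) that the slides leave abstract; run on the McEliece (m, w) pairs of the table on slide 25 with n = 2^m, r = mw and the slide's p and ℓ, it lands within a fraction of a bit of the listed work factors.

```python
import math

# Cost model assumed by this example (the slides do not fix K_0 or K_{w-p}):
# K_0 = cost of one full r-bit comparison, K_{w-p} = cost of one isd 3 weight test.
def K0(r):
    return 2 * r

def K_wp(w, p):
    return 2 * (w - p)

def goppa_params(m, w):
    """Binary Goppa code parameters used by McEliece for a pair (m, w): n = 2^m, r = m w."""
    return 2 ** m, m * w, w

def log2_wf_ba(n, r, w):
    """log2 of WF_BA = 2 L log2(K_0 L) with L = min(sqrt(C(n, w)), 2^(r/2))  (slide 9)."""
    log2_L = min(math.log2(math.comb(n, w)) / 2, r / 2)
    return 1 + log2_L + math.log2(math.log2(K0(r)) + log2_L)

def isd_window(n, r, w, p, rounds=50):
    """Window size from the fixed point ell = log2(K_{w-p} sqrt(C(k + ell, p))), k = n - r
    (slide 15); ell appears on both sides, so iterate starting from ell = 0."""
    k = n - r
    ell = 0.0
    for _ in range(rounds):
        ell = math.log2(K_wp(w, p)) + math.log2(math.comb(k + round(ell), p)) / 2
    return ell

def log2_wf_isd(n, r, w, p, ell):
    """log2 of the single-solution ISD approximation of slide 15 for integer p and ell:
    WF_ISD ~ 2 ell C(n, w) / (lambda C(r - ell, w - p) sqrt(C(k + ell, p))), lambda = 1 - 1/e."""
    k = n - r
    lam = 1 - math.exp(-1)
    return (math.log2(2 * ell) + math.log2(math.comb(n, w)) - math.log2(lam)
            - math.log2(math.comb(r - ell, w - p)) - math.log2(math.comb(k + ell, p)) / 2)

if __name__ == "__main__":
    # Rows of the McEliece table on slide 25, with the slide's optimal p and ell.
    for (m, w), p, ell in (((10, 50), 4, 22), ((11, 32), 6, 33), ((12, 41), 10, 54)):
        n, r, w = goppa_params(m, w)
        print(f"(m, w) = ({m}, {w}): ISD 2^{log2_wf_isd(n, r, w, p, ell):.1f}, "
              f"ell fixed point {isd_window(n, r, w, p):.1f}, BA 2^{log2_wf_ba(n, r, w):.1f}")
```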

  17. Generalized Birthday Algorithm (GBA)

  18. Generalized Birthday Algorithm: Basic idea
  ◮ We first look at a modified problem with f : ℕ → {0,1}^r:
  → find $x_0, \ldots, x_{2^a-1} \in \mathbb{N}$ such that $\sum_i f(x_i) = 0$.
  ⊲ We no longer have a length constraint n, and w is a power of 2.
  ⊲ There is an infinite number of solutions.
  ◮ With the standard birthday algorithm:
  ⊲ pick a list W_1 of XORs of 2^{a−1} vectors f(x_i),
  ⊲ same for W_2 and then look for collisions → the list size has to be 2^{r/2},
  ⊲ we do not benefit from the infinite number of solutions...

  19. Generalized Birthday Algorithm: Basic idea
  ◮ Lists W_1 and W_2 are built so as to help collisions: elements are not chosen at random.
  ⊲ Start with 2^a lists L_0, ..., L_{2^a−1}, each containing 2^{r/(a+1)} vectors f(x_i),
  ⊲ pairwise merge lists L_{2j} and L_{2j+1} to obtain 2^{a−1} lists L′_j of XORs of 2 f(x_i); keep only elements starting with r/(a+1) zeros → the L′_j still contain 2^{r/(a+1)} elements on average,
  ⊲ similarly merge again until 2 lists of XORs of 2^{a−1} vectors starting with (a−1) r/(a+1) zeros remain.
  ◮ We end up with a single solution on average, and all manipulated lists are of size 2^{r/(a+1)}.

  20. Application to CSD: Addition of constraints
  ◮ If w is not a power of 2:
  ⊲ choose lists of different sizes → difficult to analyse,
  ⊲ we only consider lists of XORs of w/2^a elements.
  ◮ When the length constraint n is added:
  ⊲ the starting lists may be too small → use a smaller a and higher-weight starting elements,
  ⊲ all lists contain the same elements → fewer distinct elements in the merged lists.
  ◮ We build the lists L′_j so that they only contain unique elements, bringing us back to the general case.

  21. Application to CSD: Addition of constraints
  ◮ We select 2^{a−1} distinct a-bit vectors s_j such that $\sum_j s_j = 0$,
  ⊲ in the L′_j lists we keep the XORs of weight w/2^{a−1} having s_j as their first a bits → the $\binom{n}{w/2^{a-1}}$ possible vectors are distributed among the 2^{a−1} lists,
  ⊲ we then use GBA normally on vectors of length r − a.
  ◮ We obtain the following constraint on a:
  $$\frac{1}{2^a}\binom{n}{w/2^a} \ge 2^{\frac{r-a}{a}}.$$
  ⊲ The complexity of the attack is then $\frac{r-a}{a}\, 2^{\frac{r-a}{a}}$.

  22. Using a non-integer value for a: An idealized, but realistic, algorithm
  [figure: three complexity curves, labelled (a), (b) and (c)]
  ◮ Integer values for a give a complexity curve like (a),
  ⊲ zeroing a few bits in the lists L_j we obtain (b).
  ◮ Almost the same as using non-integer values (c) → this is what should be used in our bound.

  23. Bound on GBA applied to CSD
  ◮ Our complexity considers an idealized algorithm:
  ⊲ XORs of non-integer numbers of vectors,
  ⊲ non-integer number of lists,
  → impossible to achieve better with GBA.
  ◮ For any parameter set (n, r, w) of CSD we have:
  $$WF_{GBA}(n, r, w) \ge \frac{r-a}{a}\, 2^{\frac{r-a}{a}} \quad\text{with } a \text{ such that } \frac{1}{2^a}\binom{n}{w/2^a} = 2^{\frac{r-a}{a}}.$$
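An added Python evaluation (not the authors' code) of the slide-23 GBA bound: the constraint is solved for a real-valued a by bisection, with the binomial extended to a non-integer w/2^a through the gamma function, as slides 22 and 23 idealize; the solver returns None when even a = 1 fails the constraint, which is the "a < 1" case slide 25 notes for McEliece. The second instance (n = 2^16, r = 96, w = 16) is constructed for illustration.

```python
import math

def log2_binom(n, x):
    """log2 of C(n, x) for real x >= 0 via lgamma (non-integer numbers of summed vectors)."""
    return (math.lgamma(n + 1) - math.lgamma(x + 1) - math.lgamma(n - x + 1)) / math.log(2)

def gba_gap(n, r, w, a):
    """log2 of (1/2^a) C(n, w/2^a) minus (r - a)/a: the slide-21 constraint holds iff gap >= 0."""
    return log2_binom(n, w / 2 ** a) - a - (r - a) / a

def gba_parameter(n, r, w, a_max=64.0, tol=1e-9):
    """Real a with (1/2^a) C(n, w/2^a) = 2^((r-a)/a) (slide 23), by bisection on [1, a_max].
    Returns None when a = 1 already violates the constraint (GBA not applicable, slide 25)."""
    lo, hi = 1.0, a_max
    if gba_gap(n, r, w, lo) < 0:
        return None
    # gap(a_max) is negative for any r >= 1 (the binomial tends to 1 while 2^a grows).
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if gba_gap(n, r, w, mid) >= 0:
            lo = mid
        else:
            hi = mid
    return lo

def log2_wf_gba(n, r, w):
    """log2 of the bound WF_GBA >= ((r-a)/a) 2^((r-a)/a); None when GBA does not apply."""
    a = gba_parameter(n, r, w)
    if a is None:
        return None
    t = (r - a) / a
    return math.log2(t) + t

if __name__ == "__main__":
    # McEliece (m, w) = (10, 50): n = 2^10, r = 10 * 50 (slide 25 says a < 1 here).
    print("McEliece (10, 50):", gba_parameter(1024, 500, 50))
    # Constructed instance where GBA applies with a non-integer a.
    n, r, w = 2 ** 16, 96, 16
    print(f"n=2^16 r={r} w={w}: a = {gba_parameter(n, r, w):.3f}, "
          f"WF_GBA >= 2^{log2_wf_gba(n, r, w):.1f}")
```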

  24. Application to some Existing Cryptosystems

  25. Code-based Encryption [McEliece 1978] and [Niederreiter 1986]
  ◮ We have to solve instances of CSD with a single "unexpected" solution,
  ⊲ below the Gilbert-Varshamov bound,
  ⊲ GBA can not be applied (a < 1 in the formula).
  ◮ Our bound on ISD gives a good approximation:

      (m, w)      optimal p   optimal ℓ   binary work factor
      (10, 50)        4          22          2^59.9
      (11, 32)        6          33          2^86.8
      (12, 41)       10          54          2^128.5

  ◮ In the (10, 50) case, Canteaut-Chabaud costs 2^64.2 and Bernstein-Lange-Peters 2^60.5.
