syndrome decoding in the non standard cases
play

Syndrome Decoding in the Non-Standard Cases Matthieu Finiasz - PowerPoint PPT Presentation

Oct 20, 2022 •110 likes •441 views

Syndrome Decoding in the Non-Standard Cases Matthieu Finiasz Outline The Problem of Syndrome Decoding I The Cryptosystems of McEliece and Niederreiter II McEliece-Based Signatures III Provably Secure Syndrome-Based Hash Functions IV The

  1. Syndrome Decoding in the Non-Standard Cases Matthieu Finiasz

  2. Outline The Problem of Syndrome Decoding I The Cryptosystems of McEliece and Niederreiter II McEliece-Based Signatures III Provably Secure Syndrome-Based Hash Functions IV The Multiple of Low Weight Problem V

  3. Part I The Problem of Syndrome Decoding

  4. What Does Decoding Mean? ◮ A code C can be defined by a k × n generator matrix G ⊲ a message m is encoded into a codeword c , adding some noise e gives a word c ′ = c ⊕ e . ◮ Decoding consists in finding the closest codeword to c ′ .

  5. Parity Check Matrix and Syndromes ◮ A parity check matrix H of the code C is such that: c ∈ C iff H · c = 0 . ⊲ Using H one can make decoding independent of c : H · c ′ = H · ( c ⊕ e ) = H · c ⊕ H · e = S . � S is the syndrome of c ′ (or of e ). ◮ Find the word of syndrome S of lowest weight.

  6. The Problem of Syndrome Decoding Syndrome Decoding: (SD) Input: an n − k × n binary matrix H , an n − k bit vector S and a weight w . Output: an n bit vector e of Hamming weight ≤ w such that H · e = S . ◮ It is a sort of “bounded” decoding: maximum-likelihood decoding is not in NP. ◮ NP-complete [Berlekamp - McEliece - van Tilborg 1978] � some instances are hard.

  7. Known Techniques for Solving SD • Birthday techniques: • standard with 1 list • memory saving with 4 lists [Joux 2002] • generalized birthday with 2 a lists [Wagner 2002] • Decoding techniques: • information set decoding [Canteaut - Chabaud 1998] • iterative decoding [Fossorier - Kobara - Imai 2003] • Lattice-based techniques?

  8. Part II The Cryptosystems of McEliece and Niederreiter

  9. The McEliece Cryptosystem Algorithms ◮ The public key is a scrambled Goppa code generator matrix G ′ = Q × G × P . ( G , P , Q ) is the private key. Encryption: E G ′ ( m ) Pick e of weight ≤ t . Compute c ′ = E G ′ ( m ) = m × G ′ ⊕ e. Decryption: D ( G , P , Q ) ( c ′ ) Compute c ′ × P − 1 = m × Q × G ⊕ e ′ . Decode to remove e ′ and recover m ×Q , and multiply by Q − 1 to get m .

  10. The Niederreiter Cryptosystem Algorithms ◮ Similar to McEliece, but the message is coded in the error e instead of the codeword. ⊲ The public key is H ′ = P ×H×Q where H is a parity check matrix. ⊲ The message is coded into a word e of given weight. ⊲ The ciphertext is the syndrome S = H ′ × e . ◮ Both systems have equivalent security � decryption requires to solve an instance of SD.

  11. Usual Parameters ◮ The original McEliece parameters are n = 1024 , k = 524 and t = 50 � not secure enough. ◮ “Better” parameters are n = 2048 , k = 1718 , t = 33 . ◮ The corresponding instances of SD are very specific: ⊲ there is always a single solution, ⊲ parameters correspond to Goppa codes: n − k w = log n , � w is a little below the Gilbert-Varshamov bound. Most research was focused on this type of parameters, they are believed to be among the hard instances of SD.

  12. Information Set Decoding (ISD) ◮ Find k positions containing no non-zero positions of e . ⊲ This is called an information set. � A Gaussian elimination on the n − k other gives e . ◮ Probability of success = ( n − w = ( n − k k ) w ) � w . � n − k w ) ≃ ( n ( n k ) n � n � w � � � Complexity = O P oly ( n ) . n − k

  13. Birthday Techniques Complexity Comparison ◮ There is a single solution ⊲ generalized birthday does not apply ⊲ simply list words of weight w 2 and look for the collision w ⊲ complexity is of order O � 2 � . n ◮ If n − k > √ n , birthdays are less efficient than ISD � useful only for codes correcting very few errors.

  14. Syndrome Decoding in the Standard Case Summary ◮ “Standard case” refers to the kind of instances of SD derived from McEliece or Niederreiter cryptosystems: ⊲ a single solution exists ⊲ close to the Gilbert-Varshamov bound. ◮ These are the cases that have been the most studied ⊲ the best algorithm is quite complex ⊲ less research was done for other parameters � generic algorithms are used.

  15. Part III McEliece-Based Signatures

  16. The Problem of Code-Based Signatures [Courtois - Finiasz - Sendrier 2001] ◮ One needs to decrypt a “random” ciphertext ⊲ some (most) syndromes/words can’t be decoded. ⊲ some (most) messages can’t be signed! ◮ A simple solution exists: ⊲ get the highest possible probability of success � increase the density of decodable syndromes. ⊲ hash a lot of “equivalent” documents � append a counter, for example. ! The counter is part of the signature.

  17. The Signature Algorithm Signature Algorithm: Sign ( D ) 1. Initialize the counter i = 0 2. Hash D and i into a syndrome: S i = Hash ( D || i ) 3. Try to decode S i into a word e i � if it fails i ++ and go back to 2 4. Return Sign ( D ) = ( i, e i ) . ◮ The average number of attempts is: = 2 n − k N attempts = N S � ≃ t ! � n N e t

  18. Reaching Non-Standard Parameters ◮ For efficiency, we need codes correcting very few errors ⊲ fewer errors also gives shorter signatures! ⊲ we proposed n = 2 16 , n − k = 144 and t = 9 . ◮ Near the limit where birthday techniques become more efficient than ISD ( n − k is very small): � t � n n ⌈ w 2 ⌉ = 2 80 ≈ 2 79 . 5 and n − k ◮ Can another algorithm be more efficient yet?

  19. A Problem a Little Different from SD ◮ Forging a signature does not simply consist in solving one instance of SD: ⊲ there are many instances sharing the same matrix ⊲ among these some give a solution ⊲ a large majority has no solution. ◮ An attacker needs to solve “one of many” instances ⊲ is this easier (attacks can be parallelized)? ⊲ is this harder (most instances are unusable)? ⊲ how can we improve birthday techniques?

  20. Part IV Provably Secure Syndrome-Based Hash Functions

  21. Main Idea [Augot - Finiasz - Sendrier 2005] ◮ Design a compression function for which inversion and collision search requires to solve an instance of SD ⊲ take a large random binary matrix, convert the input into a low weight word and output its syndrome.

  22. Constraints on the Parameters ◮ It has to compress � n > 2 n − k , ⊲ we have to choose a w such that � w ⊲ there are many solutions to SD for inversion/collision. ◮ It has to be fast ⊲ one to one conversion to constant weight word is slow � use regular words.

  23. Security ◮ SD with regular word is still NP-complete ⊲ collision search or inversion requires to solve an in- stance of some new problems. ◮ In practice ⊲ the best attacks use Wagner’s generalized birthday ⊲ secure parameters are for example: n = 21760 , n − k = 400 and w = 85 . ◮ Parameters n and n − k are similar to signature param- eters, but w is huge � far from Goppa codes.

  24. Compared to Standard SD ◮ Quite a few differences compared to attacks on McEliece: ⊲ there are many solutions ⊲ a truly random binary matrix is used ⊲ is this harder in average than a scrambled Goppa? ⊲ though still NP-complete the problems are not SD ⊲ instances can be split in subparts ⊲ ISD attacks can surely be improved ⊲ it has been studied only very little

  25. Part V The Multiple of Low Weight Problem

  26. A Key Problem of Correlation Attacks ◮ Correlation attacks approximate a stream-cipher by two LFSRs and some noise ◮ In order to recover the initialization of LFSR 1 : ⊲ find a multiple K of weight w of LFSR 2 ⊲ multiply the stream by K � suppress LFSR 2 ⊲ results in a decoding problem with noise γ w .

  27. The Multiple of Low Weight Problem Multiple of Low Weight Problem: (MLW) Input: a polynomial P , a degree d and a weight w . Output: a polynomial K of degree ≤ d , weight ≤ w and such that P | K . ◮ This is a re-writing of the SD problem, with a truncated cyclic code: ⊲ compute the d + 1 × d P binary matrix with columns: H i = x i mod P ( x ) , i ∈ [0 , d ] . ⊲ look for a word of weight ≤ w and syndrome 0 .

  28. Classical Cryptanalytic Setting ◮ When attacking a stream cipher, the smaller w and d , the less stream bits will be required to decode ⊲ some kind of trade-off between weight and degree, ⊲ strong threshold: a small change on w and on d will change from no solution to many: � d � w N sol ≃ 2 d P , ⊲ finding several solutions is useful, ⊲ LFSR 2 will be about 100 bits long � d P = n − k is small: ISD is inefficient. ◮ Use birthday techniques (either classical or generalized).

  29. TCHo: the Trapdoor Stream Cipher [Finiasz - Vaudenay 2006] ◮ Use a multiple of low weight as a trapdoor: ⊲ factor a polynomial K of degree d and weight w , ⊲ choose a factor P and use it for LFSR 2 , ⊲ use a small LFSR 1 to encode the message, ⊲ add some noise γ and output a stream of length ℓ . ◮ For key recovery � find a single “unexpected” solution. ◮ For decryption � find many “expected” solutions. ! d P is much larger than before. Typical parameters are: ℓ = 50000 , d P = 6000 , d K = 15000 and w = 100 .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Decoding challenge Assessing the practical hardness of syndrome decoding for code-based

Decoding challenge Assessing the practical hardness of syndrome decoding for code-based

Decoding challenge Assessing the practical hardness of syndrome decoding for code-based cryptography Matthieu Lequesne Sorbonne Universit Inria Paris, team Cosmiq February 27, 2020 All you ever wanted to know about code-based crypto

1.53k views • 132 slides
Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, equipe-projet SECRET

Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, equipe-projet SECRET

Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, equipe-projet SECRET Code-based Cryptography Workshop 11-12 May 2011, Eindhoven, The Netherlands Computational Syndrome Decoding Problem: Syndrome Decoding H { 0 , 1 }

882 views • 37 slides
Two cases of deletion 5p syndrome: One with paternal involvement and another with atypical

Two cases of deletion 5p syndrome: One with paternal involvement and another with atypical

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/5433198 Two cases of deletion 5p syndrome: One with paternal involvement and another with atypical presentation Article in Singapore

342 views • 4 slides
Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The

Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The

Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The Syndrome Decoding Problem e S r H n Syndrome Decoding (SD) Does e { 0 , 1 } n of weight w such that e H = S exist? NP-complete problem.

445 views • 31 slides
Security Bounds for the Design of Code-Based Cryptosystems M. Finiasz and N. Sendrier The

Security Bounds for the Design of Code-Based Cryptosystems M. Finiasz and N. Sendrier The

Security Bounds for the Design of Code-Based Cryptosystems M. Finiasz and N. Sendrier The Syndrome Decoding Problem e S r H n Syndrome Decoding (SD) Does e { 0 , 1 } n of weight w such that e H = S exist? NP-complete problem.

908 views • 31 slides
6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding

6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding

6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding Burst errors and interleaving 6.02 Fall 2012 Lecture 5, Slide #1 Matrix Notation for Linear Block Codes Task: given k-bit message, compute n-bit

417 views • 18 slides
+ - + +/- + - - Syndrome Angelman + + - - - +/- + Syndrome Rett + + - - + +

+ - + +/- + - - Syndrome Angelman + + - - - +/- + Syndrome Rett + + - - + +

Intellectual Language Visual- ADHD Anxiety Autistic Seizures Disability Disability Spatial Features Problems Williams + - + +/- + - - Syndrome Angelman + + - - - +/- + Syndrome Rett + + - - + + + Syndrome Down

768 views • 29 slides
syndrome M E D I C A L P O W E R P O I N T T E M P L A T E This is syndrome If you survive

syndrome M E D I C A L P O W E R P O I N T T E M P L A T E This is syndrome If you survive

syndrome M E D I C A L P O W E R P O I N T T E M P L A T E This is syndrome If you survive sudden cardiac arrest, your doctor will try to learn what caused it to help prevent future episodes. This procedure opens blocked coronary arteries,

745 views • 25 slides
Treatment of complex cases in later life: Problems with the model Mike Bird Greater Southern

Treatment of complex cases in later life: Problems with the model Mike Bird Greater Southern

Treatment of complex cases in later life: Problems with the model Mike Bird Greater Southern Area Health Service and Australian National University One syndrome one treatment ( magic bullet ) model Syndrome Treatment Cure Depression

324 views • 28 slides
Whats happening in the Research World of Down syndrome? Overview of research in Down Syndrome:

Whats happening in the Research World of Down syndrome? Overview of research in Down Syndrome:

Whats happening in the Research World of Down syndrome? Overview of research in Down Syndrome: Guided by the NIH Down Syndrome Research Plan What is our common goal? Increase quality of life of those with Down syndrome Decrease

574 views • 45 slides
Common electronic standard: potential features and use cases EMA/ HMA/ EC w orkshop on

Common electronic standard: potential features and use cases EMA/ HMA/ EC w orkshop on

Common electronic standard: potential features and use cases EMA/ HMA/ EC w orkshop on electronic Product I nform ation ( ePI ) Presented by Elizabeth Scanlan on 28 November 2018 Medical and Health Information, EMA An agency of the European

249 views • 13 slides
Observation Decoding with Sensor Models: Recognition Tasks via Classical Planning Diego Aineto,

Observation Decoding with Sensor Models: Recognition Tasks via Classical Planning Diego Aineto,

Observation Decoding with Sensor Models: Recognition Tasks via Classical Planning Diego Aineto, Sergio Jimenez, Eva Onaindia October 16, 2020 Universitat Polit` ecnica de Val` encia 1 What is decoding? What is decoding? Decoding : finding

848 views • 26 slides
Chapter 6 Decoding Statistical Machine Translation Decoding We have a mathematical model for

Chapter 6 Decoding Statistical Machine Translation Decoding We have a mathematical model for

Chapter 6 Decoding Statistical Machine Translation Decoding We have a mathematical model for translation p ( e | f ) Task of decoding: find the translation e best with highest probability e best = argmax e p ( e | f ) Two types of

571 views • 34 slides
HIV mother-to-child HIV identified in 1983 transmission of HIV AIDS syndrome described

HIV mother-to-child HIV identified in 1983 transmission of HIV AIDS syndrome described

Prevention of HIV mother-to-child HIV identified in 1983 transmission of HIV AIDS syndrome described in 1981 Kaposis sarcoma, Pneumocystis jiroveci pnemumonia and wasting often combined Retrospectively, cases of HIV seen

526 views • 8 slides
Why decoding? Understanding the neural code. Neural Decoding Given spikes, what was the

Why decoding? Understanding the neural code. Neural Decoding Given spikes, what was the

Why decoding? Understanding the neural code. Neural Decoding Given spikes, what was the stimulus? What aspects of the stimulus does the system encode? (capacity is limited) Mark van Rossum What information can be extracted from spike trains:

779 views • 16 slides
By et al Siegfried Engelmann Decoding Strategies: Decoding B1- Teacher's Presentation Book

By et al Siegfried Engelmann Decoding Strategies: Decoding B1- Teacher's Presentation Book

By et al Siegfried Engelmann Decoding Strategies: Decoding B1- Teacher's Presentation Book (Corrective Reading) (3rd Revised edition) From McGraw-Hill Inc.,US By et al Siegfried Engelmann Decoding Strategies: Decoding B1- Teacher's Presentation

233 views • 5 slides
Quantum Information Set Decoding Algorithms Ghazal Kachigar Jean-Pierre Tillich Institut de

Quantum Information Set Decoding Algorithms Ghazal Kachigar Jean-Pierre Tillich Institut de

Quantum Information Set Decoding Algorithms Ghazal Kachigar Jean-Pierre Tillich Institut de Math ematiques de Bordeaux, Universit e de Bordeaux Inria, EPI SECRET PQCrypto, Utrecht - 27/06/2017 Ghazal Kachigar , Jean-Pierre Tillich

775 views • 24 slides
Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor preimage sampleable functions Thomas Debris-Alazard, Nicolas Sendrier Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions Introduction Hardness of Syndrome Decoding for

902 views • 59 slides
Change-point Detection on a Tree to Study Evolutionary Adaptation from Present-day Species e 1 ,

Change-point Detection on a Tree to Study Evolutionary Adaptation from Present-day Species e 1 ,

Change-point Detection on a Tree to Study Evolutionary Adaptation from Present-day Species e 1 , 2 , Paul Bastide 3 , 4 , Mahendra Mariadassou 4 , C ecile An ephane Robin 3 St 1 Department of Statistics, University of WisconsinMadison,

1.03k views • 77 slides
See in 3D: how it works stereoscopic rendering Vincent Nozick - IGM / A3SI Vincent Nozick - IGM

See in 3D: how it works stereoscopic rendering Vincent Nozick - IGM / A3SI Vincent Nozick - IGM

See in 3d Devices stereoscopic images Orthostereoscopy Shooting Post-production See in 3d Devices stereoscopic images Orthostereoscopy Shooting Post-production See in 3D: how it works stereoscopic rendering Vincent Nozick - IGM / A3SI

699 views • 25 slides
Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

FSE 2011, February 14 -16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview A decoding problem LFSR-based stream ciphers Correlation attacks Fast correlation

908 views • 54 slides
Decoding Linear Codes with High Error Rate and its Impact for LPN Security PQCrypto 2018 ,

Decoding Linear Codes with High Error Rate and its Impact for LPN Security PQCrypto 2018 ,

Decoding Linear Codes with High Error Rate and its Impact for LPN Security PQCrypto 2018 , 09.-11.04.2018 Leif Both , Alexander May Horst Grtz Institute for IT-Security Ruhr-University Bochum, Germany Faculty of Mathematics Our work

554 views • 34 slides
Code-based One Way Functions Nicolas Sendrier INRIA Rocquencourt, projet CODES Ecrypt Summer

Code-based One Way Functions Nicolas Sendrier INRIA Rocquencourt, projet CODES Ecrypt Summer

Code-based One Way Functions Nicolas Sendrier INRIA Rocquencourt, projet CODES Ecrypt Summer School Emerging Topics in Cryptographic Design and Cryptanalysis I. Introduction Binary linear code n the length C a ( n, k ) binary

501 views • 35 slides
Error-Correcting Codes G. Eric Moorhouse, UW Math Corrected copies of transparencies for this

Error-Correcting Codes G. Eric Moorhouse, UW Math Corrected copies of transparencies for this

Error-Correcting Codes G. Eric Moorhouse, UW Math Corrected copies of transparencies for this sem- inar series should soon be available at http://math.uwyo.edu/~moorhous/quantum/ References F.J. MacWilliams and N.J.A. Sloane, The North-

421 views • 20 slides

More recommend