Weight two Masking in the McEliece system
Violetta Weger
University of Zurich
The 13th International Conference
on Finite Fields and their Applications
June 5, 2017
Violetta Weger Weight two Masking in the McEliece system
Outline
1 Preliminaries
2 BBCRS Scheme
3 Distinguisher Attack
4 Weight two Masking
Choose $n = 2^m$, $t < n/m$ and $\Gamma$ a binary Goppa code of length $n$ and dimension $k \ge n - mt$, which can correct up to $t$ errors. $\Gamma$ has a generator matrix $G$ of size $k \times n$. Choose a $k \times k$ invertible matrix $S$ and an $n \times n$ permutation matrix $P$ and compute $G' = SGP$.
Public Key = $(G', t)$
Private Key = $(S, G, P)$
Encryption: Let $x \in \mathbb{F}_2^k$ be the message and $e \in \mathbb{F}_2^n$ the error vector, such that $\mathrm{wt}(e) \le t$; then the cipher is computed as $y = xG' + e$.
Decryption: Compute $yP^{-1} = xSG + eP^{-1}$; then $xSG$ is a code word of $\Gamma$ and, since $\mathrm{wt}(eP^{-1}) \le t$, we can apply the decoding algorithm and get $xS$, and by multiplication with the inverse of $S$ we get the message $x$.
Let $\mathbb{F}_q$ be a finite field. Let $1 \le k < n \le q$ be integers. Construct an $[n, k]$-linear code $C$ that can correct up to $t$ errors and has an efficient decoding algorithm. $C$ has a parity check matrix $H$ of size $r \times n$, where $r = n - k$. Choose an $r \times r$ invertible matrix $S$ and an $n \times n$ permutation matrix $P$ and compute $H' = SHP$.
Public Key = $(H', t)$
Private Key = $(S, H, P)$
Encryption: Let $x \in \mathbb{F}_q^n$ be the message, such that $\mathrm{wt}(x) \le t$; then the cipher is computed as $y^T = H'x^T$.
Decryption: Compute $S^{-1}y^T = HPx^T = H(xP^T)^T$. Since $\mathrm{wt}(xP^T) \le t$, we can apply syndrome decoding to get $xP^T$, and by multiplication with the inverse of $P^T$ we get the message $x$.
Definition (Schur Product) Let $x, y \in \mathbb{F}_q^n$. The Schur product of $x$ and $y$ is
$$x \star y = (x_1y_1, \dots, x_ny_n).$$
Definition (Schur Product of Codes and Square Code) Let $A, B$ be two codes of length $n$. The Schur product of $A$ and $B$ is $A \star B = \{a \star b \mid a \in A,\ b \in B\}$. If $A = B$, then we call $A \star A$ the square code of $A$ and denote it by $A^2$.
Definition (Schur Matrix) Let $G$ be a $k \times n$ matrix with rows $g_i$ for $1 \le i \le k$. We denote by $S(G)$ the Schur matrix of $G$, which consists of the rows $g_i \star g_j$ for $1 \le i \le j \le k$. Thus $S(G)$ is of size $\tfrac12(k^2 + k) \times n$.
Proposition Let $A$ be a code of length $n$ and dimension $k$; then
$$\dim(A^2) \le \min\left\{n, \binom{k+1}{2}\right\}.$$
Proposition (Márquez-Corbella, Pellikaan (2016)) Let $A$ be an $[n, k]$ linear code chosen at random; then with high probability the square code of $A$ has maximal dimension.
Proposition If $2k - 1 < n$, then
$$GRS_{n,k}(\alpha, \beta)^2 = GRS_{n,2k-1}(\alpha, \beta \star \beta). \qquad (2)$$
Baldi, Bianchi, Chiaraluce, Rosenthal and Schipani proposed a variant of the McEliece cryptosystem, in order to reconsider the use of GRS codes as secret code. Instead of the permutation matrix they use as scrambling matrix the sum T + R, where T is a sparse matrix of row weight m and R is a matrix of rank z.
Let $\mathbb{F}_q$ be a finite field. Let $1 \le k < n \le q$ be integers. Let $G$ be a $k \times n$ generator matrix of a GRS code, $T$ an $n \times n$ permutation matrix, $R = \alpha^T\beta$ an $n \times n$ matrix of rank 1, $Q = R + T$ an $n \times n$ invertible matrix, and $S$ a $k \times k$ invertible matrix. Compute $G' = S^{-1}GQ^{-1}$ and $t_{pub} = t = \lfloor \frac{n-k}{2} \rfloor$.
Public Key = $(G', t)$
Private Key = $(G, T, R, Q, S)$
Encryption: Let $x \in \mathbb{F}_q^k$ be the message and $e \in \mathbb{F}_q^n$, with $\mathrm{wt}(e) \le t$, the error vector. Compute the cipher as $y = xG' + e$.
Decryption: Guess the value of $eR$. Then compute $y' = yQ - eR = xS^{-1}G + eT$. Since $\mathrm{wt}(eT) \le t$, the decoding algorithm gives $xS^{-1}$, and by multiplication with $S$ we get the message $x$.
Couvreur, Gaborit, Gauthier-Umaña, Otmani and Tillich presented, for some parameters, a distinguisher attack on the BBCRS scheme.
Proposition (Couvreur, Gaborit, Gauthier-Umaña, Otmani, Tillich (2015)) Let $C_{pub}$ denote the public code of length $n$ and dimension $k$ of the BBCRS scheme. Then $\dim(C_{pub}^2) \le 3k - 1$.
Take a basis $g_1, \dots, g_k$ of $C_{pub}$ and random other elements $z_1, z_2, z_3$ from $C_{pub}$. Then define $B = \{z_i \star g_j \mid 1 \le i \le 3,\ 1 \le j \le k\}$.
Proposition (Couvreur, Gaborit, Gauthier-Umaña, Otmani, Tillich (2015)) If $\dim(B) \le 2k + 2$, then $z_i$ is in $C_{sub}$ for $i \in \{1, 2, 3\}$.
Remark (Márquez-Corbella, Martínez-Moro, Pellikaan (2013)) Let $A$ be an $\ell$-dimensional subspace of $GRS_{n,k}(\alpha, \beta)$. If $\ell$ is large enough, then with high probability we have $A^2 = GRS_{n,k}(\alpha, \beta)^2$.
Let $\mathbb{F}_q$ be a finite field and $1 \le k < n \le q$ integers. Let $G$ be a $k \times n$ generator matrix of the code $GRS_{n,k}(\alpha, \beta) \subseteq \mathbb{F}_q^n$, which is able to correct up to $t = \lfloor \frac{n-k}{2} \rfloor$ errors. We choose a $k \times k$ invertible matrix $S$ and an $n \times n$ invertible matrix $Q$ of row and column weight 2, both over $\mathbb{F}_q$. We define $t_{pub} = \lfloor \frac{t}{2} \rfloor$ and compute $G' = S^{-1}GQ^{-1}$.
Public Key = $(G', t_{pub})$
Private Key = $(G, S, Q)$
Encryption: Let $x \in \mathbb{F}_q^k$ be the message and $e \in \mathbb{F}_q^n$ the error vector, such that $\mathrm{wt}(e) \le t_{pub}$, and compute the cipher $y = xG' + e$.
Decryption: Compute $y' = yQ = xS^{-1}G + eQ$. Since every row of $Q$ has weight 2, $\mathrm{wt}(eQ) \le 2\,\mathrm{wt}(e) \le 2t_{pub} \le t$, so we can decode and get $xS^{-1}$, and by multiplication with $S$ we get the message $x$.
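The key generation, encryption and decryption just described, as an added Python example (this is not code from the talk). It works over a prime field $\mathbb{F}_p$ with constructed toy parameters ($p = 97$, $n = 24$, $k = 8$), takes $Q$ in a cyclic weight-two shape ($x_i$ on the diagonal, $y_i$ to its right, $y_n$ in the lower-left corner), and uses a Berlekamp-Welch solver as the GRS decoder, which the slides leave unspecified; all function names are my own.

```python
"""Weight-two masking of a GRS code over a prime field F_p (added example, toy parameters)."""
import random


def inv(a, p):
    """Multiplicative inverse in F_p (p prime)."""
    return pow(a % p, p - 2, p)


def matmul(A, B, p):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]


def solve(A, B, p):
    """One solution U of A.U = B over F_p (free variables set to 0), or None if inconsistent."""
    m, nc, w = len(A), len(A[0]), len(B[0])
    M = [[v % p for v in list(r) + list(br)] for r, br in zip(A, B)]
    pivots, row = [], 0
    for c in range(nc):
        if row == m:
            break
        piv = next((r for r in range(row, m) if M[r][c]), None)
        if piv is None:
            continue
        M[row], M[piv] = M[piv], M[row]
        f = inv(M[row][c], p)
        M[row] = [v * f % p for v in M[row]]
        for r in range(m):
            if r != row and M[r][c]:
                M[r] = [(x - M[r][c] * y) % p for x, y in zip(M[r], M[row])]
        pivots.append(c)
        row += 1
    if any(v for r in range(row, m) for v in M[r][nc:]):  # zero row on the left, nonzero on the right
        return None
    U = [[0] * w for _ in range(nc)]
    for r, c in enumerate(pivots):
        U[c] = M[r][nc:]
    return U


def matinv(M, p):
    """Inverse over F_p, or None if M is singular."""
    n = len(M)
    return solve(M, [[int(i == j) for j in range(n)] for i in range(n)], p)


def grs_generator(alpha, beta, k, p):
    """Rows beta_j * alpha_j^i, i = 0..k-1: message x encodes to (beta_j f(alpha_j))_j with f = sum x_i X^i."""
    return [[b * pow(a, i, p) % p for a, b in zip(alpha, beta)] for i in range(k)]


def weight_two_matrix(n, p, rng):
    """Invertible Q of row and column weight two: x_i on the diagonal, y_i right of it, y_n in the corner."""
    while True:
        Q = [[0] * n for _ in range(n)]
        for i in range(n):
            Q[i][i] = rng.randrange(1, p)
            Q[i][(i + 1) % n] = rng.randrange(1, p)
        if matinv(Q, p) is not None:
            return Q


def keygen(p, n, k, rng):
    alpha = rng.sample(range(p), n)                  # distinct evaluation points
    beta = [rng.randrange(1, p) for _ in range(n)]
    G = grs_generator(alpha, beta, k, p)
    S_inv = None
    while S_inv is None:                             # random k x k matrix until it is invertible
        S = [[rng.randrange(p) for _ in range(k)] for _ in range(k)]
        S_inv = matinv(S, p)
    Q = weight_two_matrix(n, p, rng)
    t = (n - k) // 2                                 # decoding radius of the GRS code
    G_pub = matmul(matmul(S_inv, G, p), matinv(Q, p), p)
    return (G_pub, t // 2), (alpha, beta, S, Q, t)   # t_pub = floor(t / 2)


def encrypt(pub, x, e, p):
    G_pub, t_pub = pub
    if sum(1 for v in e if v % p) > t_pub:
        raise ValueError("error vector heavier than t_pub")
    return [(c + v) % p for c, v in zip(matmul([x], G_pub, p)[0], e)]


def decode_grs(alpha, beta, k, t, r, p):
    """Berlekamp-Welch: coefficients of f (deg f < k) from r_j = beta_j f(alpha_j) + e_j, wt(e) <= t; else None."""
    A, b = [], []
    for a, bt, rj in zip(alpha, beta, r):
        rj = rj * inv(bt, p) % p                     # strip the column multiplier beta_j
        # unknowns E_0..E_{t-1} (E monic of degree t) and N_0..N_{t+k-1}; equation E(a) rj = N(a)
        A.append([pow(a, i, p) * rj % p for i in range(t)] + [-pow(a, i, p) % p for i in range(t + k)])
        b.append([-pow(a, t, p) * rj % p])
    u = solve(A, b, p)
    if u is None:
        return None
    E = [v[0] for v in u[:t]] + [1]
    N = [v[0] for v in u[t:]]
    f = [0] * k
    for d in range(k - 1, -1, -1):                   # long division N / E (E is monic)
        f[d] = N[d + t]
        for i, ei in enumerate(E):
            N[d + i] = (N[d + i] - f[d] * ei) % p
    return f if not any(N) else None                 # nonzero remainder: more than t errors


def decrypt(priv, y, p):
    alpha, beta, S, Q, t = priv
    y_prime = matmul([y], Q, p)[0]                   # = x S^{-1} G + eQ, and wt(eQ) <= 2 t_pub <= t
    f = decode_grs(alpha, beta, len(S), t, y_prime, p)
    return None if f is None else matmul([f], S, p)[0]


def demo(p=97, n=24, k=8, seed=1):
    """Constructed round trip with exactly t_pub errors: returns (message, decrypted message, t_pub)."""
    rng = random.Random(seed)
    pub, priv = keygen(p, n, k, rng)
    x = [rng.randrange(p) for _ in range(k)]
    e = [0] * n
    for j in rng.sample(range(n), pub[1]):
        e[j] = rng.randrange(1, p)
    return x, decrypt(priv, encrypt(pub, x, e, p), p), pub[1]


if __name__ == "__main__":
    message, recovered, t_pub = demo()
    print("t_pub =", t_pub, "recovered == message:", recovered == message)
```

With $n = 24$ and $k = 8$ the GRS code corrects $t = 8$ errors and the public radius is $t_{pub} = 4$; the decoder only ever sees $eQ$, whose weight is at most $2t_{pub} = 8$, which is why the halved public radius is what makes a dense $Q^{-1}$ affordable.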
In order for the ISD attack to reach a work factor greater than $2^{80}$, the following key sizes are needed with the different systems.

                          n      k    Key Size
  McEliece             1632   1269    460647
  BBCRS scheme          346    252    199899
  Weight two Masking    450    225    447326
Monte Carlo test with 1000 tries

      q     n     r   Success rate
    512   500   250        1
    256   255   100        1
    151   100    50        1
    128   100    50        1
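The following Python, added here and not part of the talk, runs a small version of the Monte Carlo test above and at the same time shows the square-code propositions from the preliminaries in action. As in the talk's analysis, it works on the dual side: the dual of the public code $C\,Q^{-1}$ is $C^\perp Q^T$, and $C^\perp$ is again a GRS code, so the code to test is the one generated by $H_{n,r}\,M^T$ for the scrambler $M$. It compares a random $[n, r]$ code, the GRS code itself, a permuted GRS code, a BBCRS-type $T + R$ (permutation plus rank one) and a weight-two $Q_n$ of the cyclic form. The parameters ($p = 1009$, $n = 60$, $r = 12$) and all function names are my own; the bound $3r$ used for the $T + R$ case is my own loose bound on this dual code (each row of $H(T+R)^T$ is a permuted GRS word plus a multiple of one fixed vector), not the $3k - 1$ of the proposition quoted earlier.

```python
"""Square-code distinguisher experiments over a prime field F_p (added example, toy parameters)."""
import random


def rank_mod_p(M, p):
    """Rank of M over F_p by Gaussian elimination (M itself is left unchanged)."""
    M = [[v % p for v in row] for row in M]
    rank = 0
    for c in range(len(M[0])):
        piv = next((r for r in range(rank, len(M)) if M[r][c]), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        f = pow(M[rank][c], p - 2, p)                          # inverse of the pivot
        M[rank] = [v * f % p for v in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][c]:
                M[r] = [(a - M[r][c] * b) % p for a, b in zip(M[r], M[rank])]
        rank += 1
        if rank == len(M):
            break
    return rank


def matmul(A, B, p):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]


def transpose(M):
    return [list(col) for col in zip(*M)]


def grs_generator(alpha, beta, r, p):
    """Generator matrix of GRS_{n,r}(alpha, beta): rows beta_j * alpha_j^i, i = 0..r-1."""
    return [[b * pow(a, i, p) % p for a, b in zip(alpha, beta)] for i in range(r)]


def schur_matrix(G, p):
    """S(G): the rows g_i * g_j (componentwise) for i <= j; size (k^2+k)/2 x n."""
    k = len(G)
    return [[a * b % p for a, b in zip(G[i], G[j])] for i in range(k) for j in range(i, k)]


def square_code_dim(G, p):
    """Dimension of the square code of the code generated by G."""
    return rank_mod_p(schur_matrix(G, p), p)


def max_square_dim(n, k):
    """The bound dim(A^2) <= min{n, (k+1 choose 2)}."""
    return min(n, (k * k + k) // 2)


def permutation_matrix(n, rng):
    perm = rng.sample(range(n), n)
    return [[int(perm[i] == j) for j in range(n)] for i in range(n)]


def bbcrs_matrix(n, p, rng):
    """T + R with T a permutation matrix and R = u^T v of rank 1 (BBCRS scrambling with row weight 1)."""
    T = permutation_matrix(n, rng)
    u = [rng.randrange(1, p) for _ in range(n)]
    v = [rng.randrange(1, p) for _ in range(n)]
    return [[(T[i][j] + u[i] * v[j]) % p for j in range(n)] for i in range(n)]


def weight_two_matrix(n, p, rng):
    """Q_n of row and column weight two: x_i on the diagonal, y_i right of it, y_n in the lower-left corner."""
    Q = [[0] * n for _ in range(n)]
    for i in range(n):
        Q[i][i] = rng.randrange(1, p)
        Q[i][(i + 1) % n] = rng.randrange(1, p)
    return Q


def masked_dual_dim(H, M, p):
    """Square-code dimension of the code generated by H M^T, i.e. of the dual of C_pub = C M^{-1}."""
    return square_code_dim(matmul(H, transpose(M), p), p)


def compare(p=1009, n=60, r=12, seed=7):
    """Square-code dimensions of one GRS_{n,r} under the different scramblers (constructed parameters)."""
    rng = random.Random(seed)
    alpha = rng.sample(range(p), n)                            # distinct evaluation points
    beta = [rng.randrange(1, p) for _ in range(n)]
    H = grs_generator(alpha, beta, r, p)
    R = [[rng.randrange(p) for _ in range(n)] for _ in range(r)]   # a random [n, r] code for reference
    return {
        "max": max_square_dim(n, r),
        "random": square_code_dim(R, p),
        "grs": square_code_dim(H, p),                          # 2r - 1 by Proposition (2)
        "permutation": masked_dual_dim(H, permutation_matrix(n, rng), p),
        "bbcrs": masked_dual_dim(H, bbcrs_matrix(n, p, rng), p),
        "weight_two": masked_dual_dim(H, weight_two_matrix(n, p, rng), p),
    }


def monte_carlo(p=1009, n=60, r=12, trials=20, seed=7):
    """Fraction of random weight-two Q_n for which S(H_{n,r} Q_n^T) reaches the maximal rank m."""
    rng = random.Random(seed)
    m = max_square_dim(n, r)
    hits = 0
    for _ in range(trials):
        H = grs_generator(rng.sample(range(p), n), [1] * n, r, p)   # beta = 1: the multipliers scale out
        hits += masked_dual_dim(H, weight_two_matrix(n, p, rng), p) == m
    return hits / trials


if __name__ == "__main__":
    print(compare())
    print("success rate:", monte_carlo())
```

The GRS and permuted-GRS entries come out at exactly $2r - 1$, far below the generic value, which is what the distinguisher detects; the $T + R$ entry stays under the linear bound, while the weight-two entry reaches the generic maximum $\min\{n, \tfrac12(r^2+r)\}$, matching the success rate of 1 reported in the table.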
Let $Q_n$ be a matrix of row and column weight two of the following form
$$Q_n = \begin{pmatrix} x_1 & y_1 & & \\ & x_2 & y_2 & \\ & & \ddots & \ddots \\ y_n & & & x_n \end{pmatrix}. \qquad (3)$$
Remark For every $n \times n$ matrix $R$ over $\mathbb{F}_q$ of row and column weight two, there exist permutation matrices $P, P'$ such that
$$PRP' = \begin{pmatrix} Q^1_{n_1} & & \\ & \ddots & \\ & & Q^l_{n_l} \end{pmatrix}, \qquad (4)$$
where the $Q^i_{n_i}$ are $n_i \times n_i$ matrices of the form (3), for $1 \le l < n$.
Let $H_{n,r}$ denote a generator matrix of a GRS code of length $n$ and dimension $r$. Let $m$ denote the maximal square code dimension of an $[n, r]$ code, i.e. $m = \min\{n, \tfrac12(r^2 + r)\}$.
Define An = {Rn ∈ GLn(Fq)
GHn,r =
n ∈ An
n) has rank m
Lemma Let $\mathbb{F}_q$ be a finite field and $1 \le n \le q$ integers. Let $p$ be a nontrivial homogeneous polynomial in $\mathbb{F}_q[x_1, \dots, x_n, y_1, \dots, y_n]$ in which each monomial is of the form
$$\prod_{i=1}^{n} x_i^{d_i}\, y_i^{2 - d_i}, \qquad 0 \le d_i \le 2,\ \forall\, 1 \le i \le n.$$
Then there exist at least $((q-1)^2 - 2(q-1))^n$ choices for $x_1, \dots, x_n, y_1, \dots, y_n$ in $\mathbb{F}_q^\times$ such that $p$ evaluated at these choices is nonzero.
Under the assumption that there exists a nontrivial principal minor of $S(H_{n,r}R_n^T)$, we get that the probability for $R_n$ to avoid the distinguisher attack is greater than or equal to
$$\frac{((q-1)^2 - 2(q-1))^n}{(q-1)^{2n}} = \left(1 - \frac{2}{q-1}\right)^n,$$
and, with only $m = \min\{n, \tfrac12(r^2 + r)\}$ of the $n$ pairs $(x_i, y_i)$ constrained,
$$\frac{((q-1)^2 - 2(q-1))^m\,(q-1)^{2(n-m)}}{(q-1)^{2n}} = \left(1 - \frac{2}{q-1}\right)^m.$$
$$Q_n = \begin{pmatrix} x_1 & y_1 & & \\ & x_2 & y_2 & \\ & & \ddots & \ddots \\ y_n & & & x_n \end{pmatrix}.$$
Define $\tilde{x}_i = x_i\beta_i$ for all $1 \le i \le n$, $\tilde{y}_i = y_i\beta_{i+1}$ for all $1 \le i \le n-1$ and $\tilde{y}_n = y_n\beta_1$. Then
$$S\big(H_{n,r}(\alpha, \beta)\,Q_n^T(x, y)\big) = S\big(H_{n,r}(\alpha, 1)\,Q_n^T(\tilde{x}, \tilde{y})\big).$$
Now divide each column $j \in \{1, \dots, n\}$ by $\tilde{y}_j^2$ and define $\hat{x}_i = \tilde{x}_i / \tilde{y}_i$ for all $1 \le i \le n$. Then the determinant of the chosen $m \times m$ minor of $S\big(H_{n,r}(\alpha, \beta)\,Q_n^T(x, y)\big)$ is nonzero if and only if the determinant of the corresponding minor of $S\big(H_{n,r}(\alpha, 1)\,Q_n^T(\hat{x}, 1)\big)$ is nonzero.
Remaining to show: for every $n$-tuple $\alpha \in \mathbb{F}_q^n$ with distinct entries, there exists an $x \in (\mathbb{F}_q^\times)^n$ such that the determinant of the chosen minor of $S\big(H_{n,r}(\alpha, 1)\,Q_n^T(x, 1)\big)$ is nonzero.