What is... the McEliece system? Violetta Weger University of Zurich - - PowerPoint PPT Presentation



SLIDE 1

What is... the McEliece system?

Violetta Weger

University of Zurich

Zurich Graduate Colloquium 20 November 2018

Violetta Weger What is... the McEliece system?

SLIDE 2

Outline

1 Coding Theory
2 Public Key Cryptography
3 McEliece cryptosystem
4 Research

SLIDE 3

Toy Example: Repetition code

Repetition Code: Me → you, 1 → 111111 → 111010. We can correct 2 errors and detect 3 errors.

SLIDE 4

Toy Example: Repetition code

Repetition Code: Me → you, 1 → 111111 → 111010. We can correct 2 errors and detect 3 errors.

SLIDE 5

Coding Theory

Let $\mathbb{F}_q$ be a finite field.

Definition (Linear Code): An $[n, k]$-linear code $\mathcal{C}$ over $\mathbb{F}_q$ is a $k$-dimensional linear subspace of $\mathbb{F}_q^n$. An element $c \in \mathcal{C}$ is called a codeword.

The toy example of the repetition code was a $[6, 1]$-linear code over $\mathbb{F}_2$, with the codewords $\{000000, 111111\}$.

SLIDE 6

Coding Theory

Let $\mathcal{C}$ be an $[n, k]$-linear code over $\mathbb{F}_q$.

Definition (Generator Matrix): There exists a $k \times n$ generator matrix $G$ of $\mathcal{C}$ defined by $\mathcal{C} = \{\, uG \mid u \in \mathbb{F}_q^k \,\}$.

Definition (Parity Check Matrix): There exists an $(n-k) \times n$ parity check matrix $H$ of $\mathcal{C}$ defined by $\mathcal{C} = \{\, x \in \mathbb{F}_q^n \mid Hx^T = 0 \,\}$.

SLIDE 7

Coding Theory

Let $\mathcal{C}$ be an $[n, k]$-linear code over $\mathbb{F}_q$ and let $G$ be its $k \times n$ generator matrix.

Definition (Information Set): A set $I \subset \{1, \dots, n\}$ of $k$ coordinates for which the corresponding columns of $G$ are linearly independent is called an information set.

Definition (Systematic Form): If $G$ is of the form $(\mathrm{Id}_k \mid A)$, we say $G$ is in systematic form, and then $H$ is given by $(-A^T \mid \mathrm{Id}_{n-k})$.

SLIDE 8

Coding Theory

Let $x, y \in \mathbb{F}_q^n$.

Definition (Hamming Distance): The Hamming distance of $x, y$ is defined as $d(x, y) = |\{\, i \in \{1, \dots, n\} \mid x_i \neq y_i \,\}|$.

Definition (Hamming Weight): The Hamming weight of $x$ is defined as $\mathrm{wt}(x) = |\{\, i \in \{1, \dots, n\} \mid x_i \neq 0 \,\}|$.

SLIDE 9

Coding Theory

Let $\mathcal{C}$ be an $[n, k]$-linear code over $\mathbb{F}_q$.

Definition (Minimum Distance): We define the minimum distance of $\mathcal{C}$ to be $d(\mathcal{C}) = \min\{\, d(x, y) \mid x, y \in \mathcal{C},\ x \neq y \,\} = \min\{\, \mathrm{wt}(x) \mid x \in \mathcal{C},\ x \neq 0 \,\}$.

In our toy example of the $[6, 1]$-repetition code we have $d(\mathcal{C}) = 6$.

Theorem (Singleton Bound): Let $\mathcal{C}$ be an $[n, k]$-linear block code. Then $d(\mathcal{C}) \leq n - k + 1$.

SLIDE 10

Coding Theory

Theorem: Let $\mathcal{C}$ be an $[n, k]$-linear code over $\mathbb{F}_q$ with minimum distance $d$. Then $\mathcal{C}$ can correct up to $t = \lfloor \frac{d-1}{2} \rfloor$ errors.

SLIDE 11

Coding Theory

Let $\mathbb{F}_q$ be a finite field and $1 \leq k < n \leq q$ integers.

Definition (Generalized Reed-Solomon Code): Let $\alpha \in \mathbb{F}_q^n$ be an $n$-tuple of distinct elements and $\beta \in \mathbb{F}_q^n$ be an $n$-tuple of nonzero elements. Then
$$\mathrm{GRS}_{n,k}(\alpha, \beta) = \{\, (\beta_1 p(\alpha_1), \dots, \beta_n p(\alpha_n)) \mid p \in \mathbb{F}_q[x],\ \deg(p) < k \,\}.$$

We can write the generator matrix of $\mathrm{GRS}_{n,k}(\alpha, \beta)$ as
$$G = \begin{pmatrix} \beta_1 & \cdots & \beta_n \\ \beta_1 \alpha_1 & \cdots & \beta_n \alpha_n \\ \vdots & & \vdots \\ \beta_1 \alpha_1^{k-1} & \cdots & \beta_n \alpha_n^{k-1} \end{pmatrix}.$$

SLIDE 12

Difference between Coding and Cryptography

SLIDE 13

Public-Key Cryptography

We consider two people: Bob and Alice.

Key generation: Bob constructs a private key and a public key, which he publishes.
Encryption: Alice uses the public key to encrypt the message $m$ to get the cipher $c$ and sends $c$ to Bob.
Decryption: Bob uses the private key to decrypt the cipher $c$ and recover the message $m$.

SLIDE 14

Public-Key Cryptography

SLIDE 15

Public-Key Cryptography

SLIDE 16

Public-Key Cryptography

Example: RSA

Let $p, q$ be primes. Compute $n = pq$ and the Euler totient function $\varphi(n) = (p-1)(q-1)$. Choose $e < \varphi(n)$ such that $\gcd(e, \varphi(n)) = 1$.

Public Key = $(n, e)$, Private Key = $(p, q)$.

Encryption: Let $m$ be the message. The cipher is computed as $c = m^e \bmod n$.

Decryption: Compute $d$ and $b$ such that $de + b\varphi(n) = 1$. Then by computing $c^d \bmod n$ we recover the message, since (using $m^{\varphi(n)} \equiv 1 \pmod n$ by Euler's theorem)
$$c^d = (m^e)^d = m^{1 - b\varphi(n)} = m \, (m^{\varphi(n)})^{-b} \equiv m \cdot 1^{-b} = m \pmod n.$$

SLIDE 17

Post-quantum Cryptography

The PKC systems which we currently use are: RSA, DLP over elliptic curves or finite fields, ...

NSA and NIST believe that a quantum computer will be available in 2030. Shor's Algorithm and Grover's Algorithm are quantum algorithms and will break those systems. Cryptosystems which will be resistant against attacks on a quantum computer are called post-quantum cryptosystems. Promising candidates for post-quantum cryptography are: lattice-based cryptosystems, multivariate cryptography and code-based cryptography.

SLIDE 18

McEliece Cryptosystem

Choose an $[n, k]$-linear code $\mathcal{C}$ over $\mathbb{F}_q$ which can correct up to $t$ errors and has an efficient decoding algorithm. $\mathcal{C}$ has a generator matrix $G$ of size $k \times n$. Choose a $k \times k$ invertible matrix $S$ and an $n \times n$ permutation matrix $P$ and compute $G' = SGP$.

Public Key = $(G', t)$, Private Key = $(S, G, P)$.

SLIDE 19

McEliece Cryptosystem

Encryption: Let $m \in \mathbb{F}_q^k$ be the message and $e \in \mathbb{F}_q^n$ the error vector such that $\mathrm{wt}(e) \leq t$. Then the cipher is computed as $c = mG' + e$.

Decryption: Compute $cP^{-1} = mSG + eP^{-1}$. Then $mSG$ is a codeword of $\mathcal{C}$ and, since $\mathrm{wt}(eP^{-1}) \leq t$, we can apply the decoding algorithm to get $mS$; by multiplication with the inverse of $S$ we get the message $m$.
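A toy instantiation of the key generation, encryption and decryption described above, added here as an illustration and not part of the original slides: the secret code is the binary $[7,4]$ Hamming code with $t = 1$, whose syndrome decoder serves as the efficient decoding algorithm, and the scrambler $S$ and permutation $P$ are drawn from a seeded RNG (the seed and the Hamming matrices are this example's own choices).

```python
import random
# Added example: toy McEliece over F_2 with the [7,4] Hamming code as the secret code.
# Its syndrome decoder corrects t = 1 error; G = (Id_4 | A) and H = (A^T | Id_3).
G = [[1,0,0,0,0,1,1], [0,1,0,0,1,0,1], [0,0,1,0,1,1,0], [0,0,0,1,1,1,1]]
H = [[0,1,1,1,1,0,0], [1,0,1,1,0,1,0], [1,1,0,1,0,0,1]]

def matmul(A, B):  # matrix product over F_2
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def transpose(M): return [list(col) for col in zip(*M)]

def inverse(M):  # Gauss-Jordan elimination over F_2; returns None if M is singular
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c]), None)
        if p is None:
            return None
        A[c], A[p] = A[p], A[c]
        for r in range(n):
            if r != c and A[r][c]:
                A[r] = [x ^ y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

def keygen(seed=0):  # public key (G', t) with G' = SGP; private key (S, P), G being fixed above
    rng = random.Random(seed)
    S = None
    while S is None or inverse(S) is None:  # random invertible k x k scrambler
        S = [[rng.randrange(2) for _ in range(4)] for _ in range(4)]
    perm = list(range(7))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(7)] for i in range(7)]  # n x n permutation matrix
    return (matmul(matmul(S, G), P), 1), (S, P)

def encrypt(pub, m, e):  # c = mG' + e with wt(e) <= t
    assert len(m) == 4 and sum(e) <= pub[1]
    return [x ^ y for x, y in zip(matmul([m], pub[0])[0], e)]

def decode(y):  # Hamming decoder: the syndrome Hy^T is the column of H at the error position
    s = [row[0] for row in matmul(H, transpose([y]))]
    if any(s):
        pos = transpose(H).index(s)
        y = [b ^ int(i == pos) for i, b in enumerate(y)]
    return y

def decrypt(priv, c):
    S, P = priv
    y = matmul([c], transpose(P))[0]  # cP^{-1} = mSG + eP^{-1}, and P^{-1} = P^T
    mS = decode(y)[:4]                # decoder returns the codeword mSG; G is systematic, so mS is its first 4 bits
    return matmul([mS], inverse(S))[0]
```

Note that the public matrix $G'$ is no longer systematic, so an observer who only sees $G'$ cannot read $m$ off the first $k$ coordinates of $c$; only the holder of $(S, P)$ can undo the scrambling and reach a word the Hamming decoder accepts.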

SLIDE 20

Niederreiter system

Choose an $[n, k]$-linear code $\mathcal{C}$ that can correct up to $t$ errors and has an efficient decoding algorithm. $\mathcal{C}$ has a parity check matrix $H$ of size $(n-k) \times n$. Choose an $(n-k) \times (n-k)$ invertible matrix $S$ and an $n \times n$ permutation matrix $P$ and compute $H' = SHP$.

Public Key = $(H', t)$, Private Key = $(S, H, P)$.

SLIDE 21

Niederreiter system

Encryption: Let $m \in \mathbb{F}_q^n$ be the message such that $\mathrm{wt}(m) \leq t$. Then the cipher is computed as $c^T = H' m^T$.

Decryption: Compute $S^{-1} c^T = HPm^T = H(mP^T)^T$. Since $\mathrm{wt}(mP^T) \leq t$, we can apply syndrome decoding to get $mP^T$, and by multiplication with the inverse of $P^T$ we get the message $m$.

SLIDE 22

Security of McEliece Cryptosystem

The underlying problem of decoding a random linear code is NP-complete; this makes it a quantum-secure cryptosystem. Nevertheless, the codes we use are not random, hence there might exist structural attacks. There also exists a non-structural attack called Information Set Decoding (ISD), which has to be considered for the choice of secure parameters. The complexity of the best algorithms so far is $O(2^{n/20})$.

SLIDE 23

ISD

The easiest version of the ISD algorithm is given by Lee-Brickell over the binary field.

We denote by $e_I$, $c_I$, $G_I$ the $k$ coordinates (columns) of $e$, $c$, $G$ indexed by the information set $I$.

Input: $G \in \mathbb{F}_2^{k \times n}$, $c = mG + e$ where $e \in \mathbb{F}_2^n$ has weight $t \in \mathbb{N}$, and $p < t$.
Output: $e \in \mathbb{F}_2^n$.

1 Choose an information set $I \subset \{1, \dots, n\}$ of size $k$.
2 Choose $e_I$ with $\mathrm{wt}(e_I) = p$.
3 If $\mathrm{wt}(c + (c_I + e_I)G_I^{-1}G) = t$: output $e = c + (c_I + e_I)G_I^{-1}G$.
4 Else: go back to 1.

SLIDE 24

ISD

To picture how this algorithm works, assume that $G$ is given in systematic form, hence $I = \{1, \dots, k\}$ and $G = (\mathrm{Id}_k \mid A)$. If we have chosen $e_I$ correctly, i.e. the correct error distribution in the first $k$ bits, then $c_I + e_I = mG_I$, hence $(c_I + e_I)G_I^{-1} = m$ and $c + (c_I + e_I)G_I^{-1}G = c + mG = e$.

SLIDE 25

Advantages and Disadvantages of McEliece Cryptosystem

Although the McEliece system is quantum secure, there is the major drawback of large key sizes:

Security Level   Key Size RSA (bits)   Key Size original McEliece (bits)
2^80             1248                  520047
2^128            3248                  1537536
2^256            15424                 7667855

SLIDE 26

Research

The main idea to bring down the key sizes is to use another family of codes.

Proposal            Idea                     Attack
Niederreiter        GRS codes                Sidelnikov-Shestakov
Berger, Loidreau    Subcodes of GRS codes    Wieschebrink
Gabidulin et al.    Gabidulin codes          Overbeck
Sidelnikov          Reed-Muller codes        Minder-Shokrollahi
Baldi et al.        LDPC codes               Couvreur et al.
Rosenthal et al.    GRS, new scrambling      Couvreur et al.

SLIDE 27

Research

New proposals:

Proposal                    Idea                      Attack
Baldi et al.                QC-MDPC codes
Baldi et al.                MDPC codes
Khathuria, Rosenthal, W.    GRS, weight two matrix
Horlemann-Trautmann, W.     Ring linear codes

SLIDE 28

Thank you!
