Code-Based Cryptography - McEliece Cryptosystem...Address the problem of decoding a random linear...
Transcript of Code-Based Cryptography - McEliece Cryptosystem...Address the problem of decoding a random linear...
Code-Based CryptographyMcEliece Cryptosystem
0I. Márquez-Corbella
Code-Based Cryptography
1. Error-Correcting Codes and Cryptography2. McEliece Cryptosystem3. Message Attacks (ISD)4. Key Attacks5. Other Cryptographic Constructions Relying on Coding Theory
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY
2. McEliece Cryptosystem
1. Formal Definition2. Security-Reduction Proof3. McEliece Assumptions4. Notions of Security5. Critical Attacks - Semantic Secure Conversions6. Reducing the Key Size7. Reducing the Key Size - LDPC codes8. Reducing the Key Size - MDPC codes9. Implementation
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY
Formal definition of Public-Key CryptographyP =
PlaintextSpace
C =Ciphertext
SpaceKp =
Public-KeySpace
Ks =Secret-Key
Space
1. Key generation algorithm: KEYGEN
K ∈ NSecurity parameter KEYGEN kp ∈ Kp ks ∈ Ks
Ü Run in expected polynomial time ∼ O(Kc)
1
Formal definition of Public-Key CryptographyP =
PlaintextSpace
C =Ciphertext
SpaceKp =
Public-KeySpace
Ks =Secret-Key
Space
1. Key generation algorithm: KEYGEN
K ∈ NSecurity parameter KEYGEN kp ∈ Kp ks ∈ Ks
Ü Run in expected polynomial time ∼ O(Kc)
1
Formal definition of Public-Key CryptographyP =
PlaintextSpace
C =Ciphertext
SpaceKp =
Public-KeySpace
Ks =Secret-Key
Space
2. Encryption algorithm: ENCRYPT
m ∈ P ENCRYPT ENCRYPT(m,Kp) = y ∈ C
Kp ∈ Kp
Ü Run in expected polynomial time ∼ O(Kc)
2
Formal definition of Public-Key CryptographyP =
PlaintextSpace
C =Ciphertext
SpaceKp =
Public-KeySpace
Ks =Secret-Key
Space
2. Encryption algorithm: ENCRYPT
m ∈ P ENCRYPT ENCRYPT(m,Kp) = y ∈ C
Kp ∈ Kp
Ü Run in expected polynomial time ∼ O(Kc)
2
Formal definition of Public-Key CryptographyP =
PlaintextSpace
C =Ciphertext
SpaceKp =
Public-KeySpace
Ks =Secret-Key
Space
3. Decryption algorithm: DECRYPT
c ∈ C DECRYPT DECRYPT(c,Ks) = m ∈ P , or invalidciphertext
Ks ∈ Ks
Ü Run in polynomial time
3
Formal definition of Public-Key CryptographyP =
PlaintextSpace
C =Ciphertext
SpaceKp =
Public-KeySpace
Ks =Secret-Key
Space
3. Decryption algorithm: DECRYPT
c ∈ C DECRYPT DECRYPT(c,Ks) = m ∈ P , or invalidciphertext
Ks ∈ Ks
Ü Run in polynomial time
3
Formal definition of Public-Key CryptographyK ∈ N
Security parameter KEYGEN kp ∈ Kp ks ∈ Ks
m ∈ P ENCRYPT ENCRYPT(m,Kp) = y ∈ C
Kp ∈ Kp
c ∈ C DECRYPT DECRYPT(c,Ks) = m ∈ P , or invalidciphertext
Ks ∈ Ks
Ü It is required that: DECRYPT (ENCRYPT(m,Kp),Ks) = mÜ Fasten known attack should requires ≥ 2K bit operations4
The McEliece Cryptosystem
Advantages:
1. Fast ENCRYPT and DECRYPT.2. Post-quantum cryptosystem.
Drawback:
ã Large key size.
Security of the McEliece scheme is based on:
1. Hardness of decoding random linear codes2. Distinguishing Goppa codes
McEliece introduced the first PKC basedon Error-Correcting Codes in 1978.
R. J. McEliece.A public-key cryptosystem based on algebraic coding theory.DSN Progress Report, 42-44:114-116, 1978.5
The McEliece Cryptosystem
Advantages:
1. Fast ENCRYPT and DECRYPT.2. Post-quantum cryptosystem.
Drawback:
ã Large key size.
Security of the McEliece scheme is based on:
1. Hardness of decoding random linear codes2. Distinguishing Goppa codes
McEliece introduced the first PKC basedon Error-Correcting Codes in 1978.
R. J. McEliece.A public-key cryptosystem based on algebraic coding theory.DSN Progress Report, 42-44:114-116, 1978.5
The McEliece CryptosystemAdvantages:
1. Fast ENCRYPT and DECRYPT.2. Post-quantum cryptosystem.
Drawback:
ã Large key size.
Security of the McEliece scheme is based on:
1. Hardness of decoding random linear codes2. Distinguishing Goppa codes
McEliece introduced the first PKC basedon Error-Correcting Codes in 1978.
R. J. McEliece.A public-key cryptosystem based on algebraic coding theory.DSN Progress Report, 42-44:114-116, 1978.5
The McEliece CryptosystemAdvantages:
1. Fast ENCRYPT and DECRYPT.2. Post-quantum cryptosystem.
Drawback:
ã Large key size.
Security of the McEliece scheme is based on:
1. Hardness of decoding random linear codes2. Distinguishing Goppa codes
McEliece introduced the first PKC basedon Error-Correcting Codes in 1978.
R. J. McEliece.A public-key cryptosystem based on algebraic coding theory.DSN Progress Report, 42-44:114-116, 1978.5
The McEliece Cryptosystem
Consider(F
)family of codes
with an efficientdecoding algorithm
Indistinguishablefrom random codes
Key Generation Algorithm:
1. G ∈ Fk×nq a generator matrix for C ∈ F
2. AC an “Efficient” decoding algorithm for C which corrects up to t errors.
Public Key: Kpub = (G, t)Private Key: Ksecret = (AC)
6
The McEliece Cryptosystem
Consider(F
)family of codes
with an efficientdecoding algorithm
Indistinguishablefrom random codes
Key Generation Algorithm:
1. G ∈ Fk×nq a generator matrix for C ∈ F
2. AC an “Efficient” decoding algorithm for C which corrects up to t errors.
Public Key: Kpub = (G, t)Private Key: Ksecret = (AC)
6
The McEliece Cryptosystem
Consider(F
)family of codes
with an efficientdecoding algorithm
Indistinguishablefrom random codes
Key Generation Algorithm:
1. G ∈ Fk×nq a generator matrix for C ∈ F
2. AC an “Efficient” decoding algorithm for C which corrects up to t errors.
Public Key: Kpub = (G, t)Private Key: Ksecret = (AC)
6
The McEliece Cryptosystem
Consider(F
)family of codes
with an efficientdecoding algorithm
Indistinguishablefrom random codes
Key Generation Algorithm:
1. G ∈ Fk×nq a generator matrix for C ∈ F
2. AC an “Efficient” decoding algorithm for C which corrects up to t errors.
Public Key: Kpub = (G, t)Private Key: Ksecret = (AC)
6
The McEliece CryptosystemEncryption Algorithm:Encrypt a message m ∈ Fk
q as
ENCRYPT(m) = mG + e = y
where e is a random error vector of weight at most t .
Decryption Algorithm:Using Ksecret , the receiver obtain m.
DECRYPT(y) = AC(y) = m
Parameters Key size Security level[1024,524,101]2 67 ko 262
[2048,1608,48]2 412 ko 296
7
The McEliece CryptosystemEncryption Algorithm:Encrypt a message m ∈ Fk
q as
ENCRYPT(m) = mG + e = y
where e is a random error vector of weight at most t .
Decryption Algorithm:Using Ksecret , the receiver obtain m.
DECRYPT(y) = AC(y) = m
Parameters Key size Security level[1024,524,101]2 67 ko 262
[2048,1608,48]2 412 ko 296
7
The McEliece CryptosystemEncryption Algorithm:Encrypt a message m ∈ Fk
q as
ENCRYPT(m) = mG + e = y
where e is a random error vector of weight at most t .
Decryption Algorithm:Using Ksecret , the receiver obtain m.
DECRYPT(y) = AC(y) = m
Parameters Key size Security level[1024,524,101]2 67 ko 262
[2048,1608,48]2 412 ko 296
7
The Niederreiter Cryptosystem
Differences with the McEliece cryptosystem:
1. The public key is a parity check matrix. This improve-ment reduce the key size.
2. The secret key is an efficient syndrome decoder3. The encryption mechanism
Niederreiter presents a dual version ofMcEliece (which is equivalent in terms of
security) in 1986.
H. Niederreiter. (1986).Knapsack-type crypto system and algebraic coding theory.Problems of Control and Information Theory.
8
The Niederreiter CryptosystemDifferences with the McEliece cryptosystem:
1. The public key is a parity check matrix. This improve-ment reduce the key size.
2. The secret key is an efficient syndrome decoder3. The encryption mechanism
Niederreiter presents a dual version ofMcEliece (which is equivalent in terms of
security) in 1986.
H. Niederreiter. (1986).Knapsack-type crypto system and algebraic coding theory.Problems of Control and Information Theory.
8
The Niederreiter CryptosystemConsider
(F
)family of codes
with an efficientSyndrome decoding
algorithm
Indistinguishablefrom random codes
Key Generation Algorithm:
1. H ∈ F(n−k)×nq a parity check matrix for C ∈ F
2. DC an “Efficient” Syndrome Dec. for C which corrects up to t errors.
Public Key: Kpub = (G, t)Private Key: Ksecret = (DC)
9
The Niederreiter CryptosystemConsider
(F
)family of codes
with an efficientSyndrome decoding
algorithm
Indistinguishablefrom random codes
Key Generation Algorithm:
1. H ∈ F(n−k)×nq a parity check matrix for C ∈ F
2. DC an “Efficient” Syndrome Dec. for C which corrects up to t errors.
Public Key: Kpub = (G, t)Private Key: Ksecret = (DC)
9
The Niederreiter CryptosystemConsider
(F
)family of codes
with an efficientSyndrome decoding
algorithm
Indistinguishablefrom random codes
Key Generation Algorithm:
1. H ∈ F(n−k)×nq a parity check matrix for C ∈ F
2. DC an “Efficient” Syndrome Dec. for C which corrects up to t errors.
Public Key: Kpub = (G, t)Private Key: Ksecret = (DC)
9
The Niederreiter CryptosystemConsider
(F
)family of codes
with an efficientSyndrome decoding
algorithm
Indistinguishablefrom random codes
Key Generation Algorithm:
1. H ∈ F(n−k)×nq a parity check matrix for C ∈ F
2. DC an “Efficient” Syndrome Dec. for C which corrects up to t errors.
Public Key: Kpub = (G, t)Private Key: Ksecret = (DC)
9
The McEliece CryptosystemEncryption Algorithm:Encrypt a message m ∈ Fk
q of weight ≤ t
ENCRYPT(m) = mHT ∈ Fn−k2
Decryption Algorithm:Using Ksecret , the receiver obtain m.
DECRYPT(y) = DC(y) = m
Parameters Key size Security level[256,128,129]256 67 ko 295
10
The McEliece CryptosystemEncryption Algorithm:Encrypt a message m ∈ Fk
q of weight ≤ t
ENCRYPT(m) = mHT ∈ Fn−k2
Decryption Algorithm:Using Ksecret , the receiver obtain m.
DECRYPT(y) = DC(y) = m
Parameters Key size Security level[256,128,129]256 67 ko 295
10
The McEliece CryptosystemEncryption Algorithm:Encrypt a message m ∈ Fk
q of weight ≤ t
ENCRYPT(m) = mHT ∈ Fn−k2
Decryption Algorithm:Using Ksecret , the receiver obtain m.
DECRYPT(y) = DC(y) = m
Parameters Key size Security level[256,128,129]256 67 ko 295
10
Cryptanalysis - McEliece scheme
We have mainly 2 ways of cryptanalyzing the McEliece system:
1. Message Attacks• Address the problem of decoding a random linear code• More efficient Message-Attacks Ü Larger codes
2. Key Attacks• Try to retrieve the code structure• Efficiently applied to: GRS codes, subcodes of GRS codes, Reed-Muller
codes, AG codes, Concatenated codes, ...
11
Cryptanalysis - McEliece scheme
We have mainly 2 ways of cryptanalyzing the McEliece system:
1. Message Attacks• Address the problem of decoding a random linear code• More efficient Message-Attacks Ü Larger codes
2. Key Attacks• Try to retrieve the code structure• Efficiently applied to: GRS codes, subcodes of GRS codes, Reed-Muller
codes, AG codes, Concatenated codes, ...
11
Cryptanalysis - McEliece scheme
We have mainly 2 ways of cryptanalyzing the McEliece system:
1. Message Attacks• Address the problem of decoding a random linear code• More efficient Message-Attacks Ü Larger codes
2. Key Attacks• Try to retrieve the code structure• Efficiently applied to: GRS codes, subcodes of GRS codes, Reed-Muller
codes, AG codes, Concatenated codes, ...
11
2. McEliece Cryptosystem
1. Formal Definition2. Security-Reduction Proof3. McEliece Assumptions4. Notions of Security5. Critical Attacks - Semantic Secure Conversions6. Reducing the Key Size7. Reducing the Key Size - LDPC codes8. Reducing the Key Size - MDPC codes9. Implementation
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY