# The McEliece Public-Key Cryptosystem

```
The McEliece Public-Key Cryptosystem

Public-Key Cryptosystem
Alice                         Bob
McEliece basis
• Nearest Codeword Problem (NCP)
  Given a code with generator matrix G and a received
  word r, find a codeword nearest to r.

• NCP was proven to be NP-hard (1978).

• McEliece depends on no one but the key owner being able to
  correct the error, even when the weight of the error is known
  (but quite large).

Example:
Syndrome decoding of an [n,k,d]-linear code
generated by a k x n matrix G requires constructing a
2^(n-k) x 2^k standard array.

McEliece
Private Key:
1. G: generator matrix of an [n,k,d]-code
   which can correct t = floor((d-1)/2) bits
2. S: (k x k) non-singular (invertible) matrix
3. P: (n x n) permutation matrix (P^-1 = P^T)

Public Key:
1. G': G' = SGP (k x n matrix)
2. t: error-correcting ability of G

McEliece-2
Encryption:
1. To encrypt a k-bit message m,
   compute c = mG' + e, where |e| = t

Decryption:
1. Compute c' = cP^-1, thus
   c' = (mSGP + e)P^-1 = mSG + eP^-1 = m'G + e'
   where m' = mS and |e'| = t
2. Decode c' to get m' by correcting e'
3. Compute m = m'S^-1

McEliece-3
Example
Private key

    1000110        1101        0100000
    0100101        1001        0001000
G = 0010011    S = 0111    P = 0000001
    0001111        1100        1000000
                               0010000
                               0000010
                               0000100

Public key

             1111000
G' = SGP =   1100100      t = 1
             1001101
             0101110

McEliece-4
Example (cont.)

To encrypt the message m = (1101), randomly select a weight-1
error vector, say e = (0,0,0,0,1,0,0), and compute

c = mG' + e = (0110110)

The receiver computes c' = cP^-1 = (1000111), applies a fast
error-correcting algorithm to obtain m' = mS = (1000), and obtains

m = m'S^-1 = (1101)

McEliece-5
• Although very efficient, the McEliece encryption
scheme has received little attention in practice
because of the very large public keys.

• The original parameters suggested by McEliece
were n=1024, t=50, and k>=524. Based on the
security analysis (see ISD and GISD below), an
optimum choice of parameters for the Goppa
code which maximizes the adversary’s work
factor appears to be n=1024, t=38, and k>=644;
the public key is about 2^19 bits in size.

ISD Attack on McEliece
• Information-set decoding
  Given generator G and a codeword c = mG, find m

1. Select k linearly independent columns of G as Gk
2. Construct ck from the corresponding columns of c
3. Compute m = ck Gk^-1

Example:
Given the [3,2,1]-code G = | 1 0 0 |,  c = [1 1 0]
                           | 0 1 0 |

select columns 1 and 2:  Gk = | 1 0 |,  Gk^-1 = | 1 0 |,  ck = [1 1]
                              | 0 1 |           | 0 1 |

m = [1 1] | 1 0 | = [1 1]
          | 0 1 |

GISD (Generalized ISD) Attack
• Concept

Since c = mG' + e, if we successfully guess e, then we
can compute c' = c + e = mG' to eliminate the error.

Thus c' is a codeword generated by G', and
we can apply information-set decoding to get m.

• We have (n choose t) possible e

ISD and GISD
• Concept

Information-set decoding:
  C   = m . G
  Ck  = m . Gk

GISD attack:
  C'  = m . G'  + 01001101
  Ck' = m . Gk' + 0100         (easier to GUESS)

GISD
• Generalized Information-Set Decoding ATTACK
Input: G' [k x n], c = mG' + e [1 x n]; Output: m

1. Select k linearly independent columns of G' as Gk'

2. Construct ck from the corresponding columns of c;
   note that ck = mGk' + ek, 0 <= |ek| <= t

3. For each ek' where 0 <= |ek'| <= j, compute ck' = ck + ek'
   (j is a threshold value for speeding up the attack)

4. For each ek', compute m' = ck' Gk'^-1;
   output m' iff e' = m'G' + c has |e'| = t

```
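The worked [7,4], t = 1 example from the slides, as an added Python example that is not part of the original slides: it rebuilds G' = SGP from the private matrices, encrypts, and decrypts. The function names are this example's own, and the single-error syndrome decoder standing in for the "fast correcting algorithm" assumes G is systematic, G = [I | A].

```python
# Added example: toy McEliece over GF(2) using the [7,4] matrices from the slides.
def mat(rows):
    return [[int(b) for b in r] for r in rows]

G = mat(["1000110", "0100101", "0010011", "0001111"])  # private: systematic Hamming code
S = mat(["1101", "1001", "0111", "1100"])              # private: invertible scrambler
P = mat(["0100000", "0001000", "0000001", "1000000",
         "0010000", "0000010", "0000100"])             # private: permutation
T = 1                                                  # public: error weight t

def mul(A, B):
    """Matrix product over GF(2)."""
    return [[sum(a & b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def inv(A):
    """Gauss-Jordan inverse over GF(2); raises ValueError if A is singular."""
    n = len(A)
    M = [row + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        p = next((r for r in range(c, n) if M[r][c]), None)
        if p is None:
            raise ValueError("matrix is singular over GF(2)")
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c and M[r][c]:
                M[r] = [x ^ y for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]

def public_key():
    return mul(mul(S, G), P)                               # G' = SGP

def encrypt(m, e, G_pub):
    if sum(e) != T:
        raise ValueError("error vector must have weight t")
    return [x ^ y for x, y in zip(mul([m], G_pub)[0], e)]  # c = mG' + e

def decode(word):
    """Syndrome-decode one error for systematic G = [I | A]; returns m'."""
    k, r = len(G), len(G[0]) - len(G)
    Ht = [row[k:] for row in G] + [[int(i == j) for j in range(r)] for i in range(r)]  # H^T
    s = mul([word], Ht)[0]                                 # syndrome of the received word
    if any(s):
        word = word[:]
        word[Ht.index(s)] ^= 1                             # flip the single bad position
    return word[:k]

def decrypt(c):
    c1 = mul([c], [list(col) for col in zip(*P)])[0]       # c' = cP^-1, and P^-1 = P^T
    return mul([decode(c1)], inv(S))[0]                    # m = m'S^-1
```

With m = 1101 and e = 0000100 this reproduces the slides' values: c = 0110110, c' = 1000111, m' = 1000.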