ISIT 2000, Sorrento, Italy, June 25-30, 2000

Using Low Density Parity Check Codes in the McEliece Cryptosystem

Chris Monico, Department of Mathematics, University of Notre Dame, Notre Dame, Indiana 46556
Joachim Rosenthal*, Department of Mathematics, University of Notre Dame, Notre Dame, Indiana 46556
Amin Shokrollahi, Bell Labs, 600 Mountain Avenue, Murray Hill, NJ 07974, email: amin@research.bell-labs.com

* The research is supported in part by NSF grant DMS-96-10389.

0-7803-5857-0/00/$10.00 © 2000 IEEE.

Abstract - We examine the implications of using a Low Density Parity Check Code (LDPCC) in place of the usual Goppa code in McEliece's cryptosystem. Using a LDPCC allows for larger block lengths and the possibility of a combined error correction/encryption protocol.

I. INTRODUCTION

If one wishes to use a LDPCC in the McEliece system, there are several ways to proceed. An efficient way seems to be the following:

As usual, suppose Bob wishes to send Alice a secure message over an insecure channel. Alice chooses a random $(n-k) \times n$ sparse parity check matrix, $H$, for a binary LDPCC, $C$, that admits decoding of any pattern of $t$ or fewer errors with, say, belief propagation. She also randomly chooses sparse invertible matrices $S \in GL(k, \mathbb{F}_2)$ and $T \in GL(n-k, \mathbb{F}_2)$. She then calculates $\hat H := TH$ and has keys:

Public Key: $(\hat H, S, t)$
Private Key: $(H, T)$

Now, if Bob wants to send Alice the message $m$, he first computes the generator matrix, $G$, for the code $C$ in row reduced echelon form, and then computes $\hat G = S^{-1} G$. He then applies the encryption map:

$$m \mapsto m \hat G + e =: y$$

where $e$ is a random error vector of weight at most $t$. Alice's decryption procedure is then as follows: Since $G$ and $\hat G$ define the same code, $C$, she can use $H$ to decode the word $y$ to $m \hat G = m S^{-1} G$. Since $G$ is in row reduced echelon form, this reveals $m S^{-1}$ in the $k$ coordinates of $m \hat G$ in which $G$ has only one nonzero entry (i.e., the systematic coordinates of $G$). Right multiplication by $S$ finally recovers Bob's message $m$.

This seems relatively efficient because the keys consist of sparse matrices, allowing considerable compression. Hence, one could have key sizes comparable to those of a (1024, 512) McEliece system, but for a code of size (16384, 8192).

II. SECURITY

The security of this system is based on two observations:

- If $T$ is chosen with the proper parameters, $\hat H$ will most likely not admit decoding with, e.g., belief propagation, for the correction of up to $t$ errors.
- It seems difficult to recover a matrix, $H'$, equivalent to $\hat H$ that admits decoding with, e.g., belief propagation, for the correction of up to $t$ errors. In particular it seems difficult to recover the specific degree structure of the parity check matrix $H$.

However, a simple observation shows that if $T$ is chosen too sparsely, this latter task is not difficult. In what follows, if $u = (u_1, \ldots, u_n)$ and $v = (v_1, \ldots, v_n)$ are two vectors over $\mathbb{F}_2$, $u * v := (u_1 v_1, \ldots, u_n v_n)$ denotes the intersection of the binary vectors $u, v$. This is a vector whose support is exactly $\mathrm{supp}(u) \cap \mathrm{supp}(v)$. Equivalently, it can be considered as the 'AND' of $u$ and $v$.

Let $h_1, \ldots, h_{n-k}$ denote the row vectors of $H$ and $\hat h_1, \ldots, \hat h_{n-k}$ the row vectors of $\hat H$. Notice that the $h_i$ are sparse vectors and each $\hat h_j$ is a linear combination of the $h_i$. Furthermore, if $T$ is sparse, each $\hat h_j = h_{j_1} + \cdots + h_{j_{w_j}}$ with the $w_j$ small. That is, each $\hat h_j$ is a linear combination of a small number of rows of $H$. If the $w_j$ are too small (i.e., $T$ is too sparse), then with reasonable probability one has that $\hat h_j * h_{j_l} = h_{j_l}$ for many of the $1 \le j \le n-k$, $1 \le l \le w_j$. In this case, since each $h_{j_l}$ appears in several of the $\hat h_j$, we can, with non-negligible probability, find $j_1, j_2$ such that

for some $i$. Thus, in time $k(k-1)/2$, we can recover some of the original rows of $H$ by computing the intersection of all pairs of rows, checking to see if the intersection is in $\mathrm{Rowsp}(H)$. Having found some of the original rows, we can determine, with high probability, which of the $\hat h_j$ have these rows as components in their linear combinations. We thus subtract each original row from the $\hat h_j$ that have many nonzero coordinates in common with it. Then go back to computing the intersection of all pairs of rows again, and keep repeating until we've found sufficiently many original rows to allow decoding.

III. CONCLUSION

Empirical evidence has shown this attack, and some variants of it, to be effective enough that we consider this system insecure unless $T$ is chosen to be dense. Thus, there seems to be no advantage to using a parity check matrix as the public key. However, this system is still of possible interest in the following case: If one is using a LDPCC for error correction, some security can be added at very little extra cost.

REFERENCES

[1] R.J. McEliece, "A Public Key Cryptosystem Based on Algebraic Coding Theory," Technical Report DSN Progress Report #42-44, Jet Propulsion Laboratory, Pasadena, California, 1978.
[2] R.G. Gallager, "Low Density Parity Check Codes," MIT Press, Cambridge, MA, 1963.
[3] T. Richardson, M.A. Shokrollahi, and R. Urbanke, "Design of provably good low-density parity check codes," IEEE Trans. Inform. Theory (submitted), 1999.
