ISIT 2000, Sorrento, Italy, June 25-30, 2000

Using Low Density Parity Check Codes in the McEliece Cryptosystem

Chris Monico
Department of Mathematics, University of Notre Dame, Notre Dame, Indiana 46556
e-mail: cmonico@nd.edu, http://www.nd.edu/~cmonico/

Joachim Rosenthal (1)
Department of Mathematics, University of Notre Dame, Notre Dame, Indiana 46556
e-mail: Rosenthal.1@nd.edu, http://www.nd.edu/~rosen/

Amin Shokrollahi
Bell Labs, 600 Mountain Avenue, Murray Hill, NJ 07974
e-mail: amin@research.bell-labs.com

Abstract - We examine the implications of using a Low Density Parity Check Code (LDPCC) in place of the usual Goppa code in McEliece's cryptosystem. Using a LDPCC allows for larger block lengths and the possibility of a combined error correction/encryption protocol.

I. INTRODUCTION

If one wishes to use a LDPCC in the McEliece system, there are several ways to proceed. An efficient way seems to be the following:

As usual, suppose Bob wishes to send Alice a secure message over an insecure channel. Alice chooses a random $(n-k) \times n$ sparse parity check matrix, $H$, for a binary LDPCC, $C$, that admits decoding of any pattern of $t$ or fewer errors with, say, belief propagation. She also randomly chooses sparse invertible matrices $S \in GL(k, \mathbb{F}_2)$ and $T \in GL(n-k, \mathbb{F}_2)$. She then calculates $\hat H := TH$ and has keys:

Public Key: $(\hat H, S, t)$
Private Key: $(H, T)$

Now, if Bob wants to send Alice the message $m$, he first computes the generator matrix, $G$, for the code $C$ in row reduced echelon form, and then computes $\hat G = S^{-1} G$. He then applies the encryption map:

$m \mapsto m \hat G + e =: y$

where $e$ is a random error vector of weight at most $t$. Alice's decryption procedure is then as follows: Since $G$ and $\hat G$ define the same code, $C$, she can use $H$ to decode the word $y$ to $m \hat G = m S^{-1} G$. Since $G$ is in row reduced echelon form, this reveals $m S^{-1}$ in the $k$ coordinates of $m S^{-1} G$ in which $G$ has only one nonzero entry (i.e., the systematic coordinates of $G$). Right multiplication by $S$ finally recovers Bob's message $m$.

This seems relatively efficient because the keys consist of sparse matrices, allowing considerable compression. Hence, one could have key sizes comparable to those of a $(1024, 512)$ McEliece system, but for a code of size $(16384, 8192)$.

II. SECURITY

The security of this system is based on two observations:

- If $T$ is chosen with the proper parameters, $\hat H$ will most likely not admit decoding with, e.g., belief propagation, for the correction of up to $t$ errors.
- It seems difficult to recover a matrix, $H'$, equivalent to $\hat H$ that admits decoding with, e.g., belief propagation, for the correction of up to $t$ errors. In particular, it seems difficult to recover the specific degree structure of the parity check matrix $H$.

However, a simple observation shows that if $T$ is chosen too sparsely, this latter task is not difficult. In what follows, if $u = (u_1, \ldots, u_n)$ and $v = (v_1, \ldots, v_n)$ are two vectors over $\mathbb{F}_2$, $u * v := (u_1 v_1, \ldots, u_n v_n)$ denotes the intersection of the binary vectors $u, v$. This is a vector whose support is exactly $\mathrm{supp}(u) \cap \mathrm{supp}(v)$. Equivalently, it can be considered as the 'AND' of $u$ and $v$.

Let $h_1, \ldots, h_{n-k}$ denote the row vectors of $H$ and $\hat h_1, \ldots, \hat h_{n-k}$ the row vectors of $\hat H$. Notice that the $h_i$ are sparse vectors and each $\hat h_j$ is a linear combination of the $h_i$. Furthermore, if $T$ is sparse, each $\hat h_j = h_{j_1} + \cdots + h_{j_{w_j}}$ with the $w_j$ small. That is, each $\hat h_j$ is a linear combination of a small number of rows of $H$.

If the $w_j$ are too small (i.e., $T$ is too sparse), then with reasonable probability one has that $\hat h_j * h_{j_i} = h_{j_i}$ for many of the pairs $1 \le j \le n-k$, $1 \le i \le w_j$: the rows of $H$ that make up $\hat h_j$ have nearly disjoint supports, so no coordinate of $h_{j_i}$ is cancelled in the sum. In this case, since each $h_{j_i}$ appears in several of the $\hat h_j$, we can, with non-negligible probability, find $j_1, j_2$ such that [displayed equation lost in extraction] for some $i$. Thus, by computing the intersections of all $\binom{n-k}{2}$ pairs of rows of $\hat H$ (that is, $k(k-1)/2$ pairs for a rate-$1/2$ code) and checking whether each intersection lies in $\mathrm{Rowsp}(\hat H)$, we can recover some of the original rows of $H$. Having found some of the original rows, we can determine, with high probability, which of the $\hat h_j$ have these rows as components in their linear combinations. We thus subtract each original row from the $\hat h_j$ that have many nonzero coordinates in common with it. Then we go back to computing the intersections of all pairs of rows again, and keep repeating until we have found sufficiently many original rows to allow decoding.

III. CONCLUSION

Empirical evidence has shown this attack, and some variants of it, to be effective enough that we consider this system insecure unless $T$ is chosen to be dense. Thus, there seems to be no advantage to using a parity check matrix as the public key. However, this system is still of possible interest in the following case: if one is already using a LDPCC for error correction, some security can be added at very little extra cost.

(1) The research is supported in part by NSF grant DMS-96-10389.
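A worked example of the pairwise-intersection attack from Section II, added by the editor; it is not code from the paper or its authors. Rows of $H$ and $\hat H$ are represented as Python ints (bit $i$ is column $i$), so the paper's intersection $u * v$ is bitwise AND and addition over $\mathbb{F}_2$ is XOR. The toy instance (a $4 \times 12$ secret $H$ with disjoint row supports and a $4 \times 4$ sparse invertible $T$), the peeling threshold "more than half of the candidate's support", the round limit, and the `random_instance` generator are all constructed assumptions for illustration, not parameters from the paper.

```python
"""Toy demonstration of the sparse-T attack on the LDPC McEliece variant.

Rows are Python ints (bit i <-> column i): the paper's u*v is `u & v`,
addition over F_2 is `u ^ v`, and a matrix is a list of row ints.
All instances below are constructed for the demo, not taken from the paper.
"""
import random


def weight(v):
    """Hamming weight of a row."""
    return bin(v).count("1")


# --- row space of H_hat over F_2 (echelon basis keyed by leading bit) ------

def gf2_reduce(v, basis):
    """Reduce v against an echelon basis; the result is 0 iff v is in the span."""
    while v:
        lead = v.bit_length() - 1
        if lead not in basis:
            break
        v ^= basis[lead]
    return v


def gf2_basis(rows):
    """Echelon basis {leading_bit: row} spanning Rowsp(rows)."""
    basis = {}
    for r in rows:
        r = gf2_reduce(r, basis)
        if r:
            basis[r.bit_length() - 1] = r
    return basis


# --- key setup helpers ------------------------------------------------------

def apply_T(T, H):
    """H_hat = T*H over F_2.  T[j] is a bitmask over the rows of H, read
    left-to-right: bit (m-1-i) of T[j] selects H[i]."""
    m = len(H)
    H_hat = []
    for t in T:
        v = 0
        for i in range(m):
            if (t >> (m - 1 - i)) & 1:
                v ^= H[i]
        H_hat.append(v)
    return H_hat


# Constructed toy instance: n = 12, n-k = 4, secret rows of weight 3 with
# disjoint supports, and a sparse invertible T (each row of H_hat is a sum
# of 2 or 3 rows of H).  T = [1100, 0110, 0011, 1101] has full rank over F_2.
TOY_H = [0b000000000111, 0b000000111000, 0b000111000000, 0b111000000000]
TOY_T = [0b1100, 0b0110, 0b0011, 0b1101]


def random_instance(n, m, row_weight, extra_per_row, seed):
    """Random sparse H (m x n, constant row weight) and H_hat = T*H for a
    random sparse T = P*L: L is unit lower-triangular with 1..extra_per_row
    extra ones per row and P a row permutation, so T is invertible."""
    rng = random.Random(seed)
    H = [sum(1 << c for c in rng.sample(range(n), row_weight)) for _ in range(m)]
    H_hat = []
    for j in range(m):
        v = H[j]
        for i in rng.sample(range(j), min(j, rng.randint(1, extra_per_row))):
            v ^= H[i]
        H_hat.append(v)
    rng.shuffle(H_hat)
    return H, H_hat


# --- the attack ---------------------------------------------------------------

def recover_rows(H_hat, max_rounds=10):
    """Pairwise-intersection attack of Section II.

    Each round intersects all pairs of current rows and keeps every nonzero
    intersection that lies in Rowsp(H_hat) as a candidate original row.  The
    candidates are then peeled (XORed) out of every other row that shares
    more than half of the candidate's support, and the process repeats until
    no new candidate appears.  Returns the nonzero candidates together with
    the peeled rows, i.e. everything the attacker ends up holding."""
    basis = gf2_basis(H_hat)
    current = list(H_hat)
    found = set()
    for _ in range(max_rounds):
        new = set()
        for a in range(len(current)):
            for b in range(a + 1, len(current)):
                x = current[a] & current[b]
                if x and x not in found and gf2_reduce(x, basis) == 0:
                    new.add(x)
        if not new:
            break
        found |= new
        peeled = []
        for r in current:
            for f in sorted(found):          # sorted for a deterministic order
                if r != f and 2 * weight(r & f) > weight(f):
                    r ^= f
            peeled.append(r)
        current = peeled
    return {v for v in found | set(current) if v}


def count_recovered(H, recovered):
    """How many rows of the secret H the attacker holds verbatim."""
    return sum(1 for h in H if h in recovered)


if __name__ == "__main__":
    rec = recover_rows(apply_T(TOY_T, TOY_H))
    print("toy instance: recovered", count_recovered(TOY_H, rec), "of", len(TOY_H), "secret rows")
    H, H_hat = random_instance(n=200, m=100, row_weight=6, extra_per_row=2, seed=1)
    rec = recover_rows(H_hat)
    print("random instance: recovered", count_recovered(H, rec), "of", len(H), "secret rows")
```

On the toy instance the first round already yields $h_2, h_3, h_4$ (plus one full row of $\hat H$, since $\hat h_1 \subset \hat h_4$), and peeling those out of the remaining rows exposes $h_1$ in the second round. The disjoint supports make the toy unrealistically clean; on the random instance the peeling threshold is what separates genuine components from chance overlaps, and increasing `extra_per_row` (a denser $T$) is the knob that makes the attack fail, which is exactly the paper's conclusion.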