Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago “Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security standards—and any other standard based on computational diﬃculty— will fall, experts believe.” (Magiq’s web site, 2008; the “experts” aren’t named) Is cryptography dead? Imagine: 15 years from now someone announces successful construction of a large quantum computer. New York Times headline: “INTERNET CRYPTOGRAPHY KILLED BY PHYSICISTS.” Users panic. What happens to cryptography? RSA: Dead. RSA: Dead. DSA: Dead. ECDSA: Dead. RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann–Williams: Dead. Class groups in general: Dead. RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann–Williams: Dead. Class groups in general: Dead. “They’re all dead, Dave.” RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann–Williams: Dead. Class groups in general: Dead. “They’re all dead, Dave.” But we have other types of cryptographic systems! Hash-based cryptography. Example: 1979 Merkle hash-tree public-key signature system. Code-based cryptography. Example: 1978 McEliece hidden-Goppa-code public-key encryption system. Lattice-based cryptography. Example: 1998 “NTRU.” Multivariate-quadratic- equations cryptography. Example: 1996 Patarin “HFEv ” public-key signature system. Secret-key cryptography. Example: 1998 Daemen–Rijmen “Rijndael” cipher, aka “AES.” Bernstein: “Introduction to post-quantum cryptography.” Hallgren, Vollmer: “Quantum computing.” Buchmann, Dahmen, Szydlo: “Hash-based digital signature schemes.” Overbeck, Sendrier: “Code-based cryptography.” Micciancio, Regev: “Lattice-based cryptography.” Ding, Yang: “Multivariate public key cryptography.” The McEliece cryptosystem Receiver’s public key: “random” 500 ¢ 1024 matrix Ã over F2 . Speciﬁes linear F1024 2 F500 . 2 Messages suitable for encryption: 1024-bit strings of weight 50; i.e., Ñ ¾ F1024 : 2 # : Ñ = 1 = 50 . Encryption of Ñ is ÃÑ ¾ F500 . 2 Can use Ñ as secret AES key to encrypt much more data. Attacker, by linear algebra, can easily work backwards from ÃÑ to some Ú ¾ F1024 2 such that ÃÚ = ÃÑ. i.e. Attacker ﬁnds some element Ú ¾ Ñ + KerÃ . Note that #KerÃ 2524 . Attacker wants to decode Ú : to ﬁnd element of KerÃ at distance only 50 from Ú . Presumably unique, revealing Ñ. But decoding isn’t easy! Information-set decoding Choose random size-500 subset Ë 123 1024 . For typical Ã : Good chance that FË ¸ F1024 F500 2 2 Ã 2 is invertible. Hope Ñ ¾ F2 ; chance Ë 2 53 . Apply inverse map to ÃÑ, revealing Ñ if Ñ ¾ FË . 2 If Ñ ¾ FË , try again. 2 280 operations overall. Various improvements: 1988 Lee–Brickell; 1988 Leon; 1989 Stern; 1990 van Tilburg; 1994 Canteaut–Chabanne; 1998 Canteaut–Chabaud; 1998 Canteaut–Sendrier. 2 68 Alpha cycles. 2008 Bernstein–Lange–Peters: further improvements; 2 58 Core 2 Quad cycles; carried out successfully! 1988 Lee–Brickell idea: Hope that Ñ + ¾ FË 2 for some weight-2 vector . Reuse one matrix inversion for all choices of . 1989 Stern idea: Hope that Ñ + + ¼ ¾ FË 2 for low-weight vectors ¼. Search for collision between function of , function of ¼. 2008 Bernstein–Lange–Peters: more reuse, optimization, etc. Modern McEliece Easily rescue system by using a larger public key: “random” (Ò 2) ¢ Ò matrix Ã over F2 . e.g., 1800 ¢ 3600. Larger weight: Ò (2 lg Ò). e.g. Ñ ¾ F3600 of weight 150. 2 All known attacks scale badly: roughly 2Ò (2 lg Ò) operations. For much more precise analysis see 2009 Bernstein–Lange– Peters–van Tilborg. Receiver secretly generates public key Ã with a hidden Goppa-code structure that allows fast decoding. Namely: Ã = ËÀÈ for secret (Ò 2) ¢ (Ò 2) invertible matrix Ë, (Ò 2) ¢ Ò Goppa matrix À , Ò ¢ Ò permutation matrix È . Detecting this structure seems even more diﬃcult than attacking random Ã . Goppa codes Fix Õ¾ 8 16 32 ; Ø¾ 2 3 (Õ 1) lg Õ ; Ò ¾ Ø lg Õ + 1 Ø lg Õ + 2 Õ . e.g. Õ = 1024, Ø = 50, Ò = 1024. or Õ = 4096, Ø = 150, Ò = 3600. Receiver’s matrix À is the parity-check matrix for the classical (genus-0) irreducible length-Ò degree-Ø binary Goppa code deﬁned by a monic degree-Ø irreducible polynomial ¾ FÕ [Ü] and distinct 1 2 Ò ¾ FÕ . which means: À= ¼ ½ 1 ( 1) ¡¡¡ ( 1 Ò) ( 1 ¡¡¡ Ò 1) ( Ò) . . .. . . . . . Ø 1 Ø 1 ( 1 ¡¡¡ Ò 1) ( Ò) View each element of FÕ here lg Õ as a column in F2 . Then À : F2 Ò Ø lg Õ F2 . More useful view: Consider È the map Ñ Ñ (Ü ) from FÒ to FÕ [Ü] . 2 À is the matrix for this map where FÒ has standard basis 2 and FÕ [Ü] has basis ¤ ¥ ¤ ¥ Ü , Ü2 , , ÜØ . One-line proof: In FÕ [Ü] have ( )= Ü . +1 Ü 0 Decoding Goppa codes 1975 Patterson: Given ÀÑ, can quickly ﬁnd Ñ if weight of Ñ is Ø. Given ciphertext ÃÑ = ËÀÈ Ñ: receiver computes ÀÈ Ñ by applying secret Ë 1 ; decodes À to obtain È Ñ by Patterson’s algorithm; computes message Ñ by applying secret È 1 . Patterson input is Ö ¾ FÕ [Ü] È having form Ñ (Ü ) where Ñ ¾ FÒ has weight Ø. 2 Output will be Ñ. If Ö = 0, output 0 and stop. If Ö = 0: Ô 1 Lift Ö Ü from FÕ [Ü] to × ¾ FÕ [Ü] of degree Ø. Consider lattice Ä FÕ [Ü]2 generated by (× 1) and ( 0). Deﬁne length of (« ¬ ) as norm of « 2 + Ü¬ 2 . Find a minimum-length nonzero vector («0 ¬0 ) ¾ Ä. Monic part of ¯0 = «2 + Ü¬0 0 2 É is exactly :Ñ =1 (Ü ). Factor ¯0 and print Ñ. Why this works: É Deﬁne ¯ = :Ñ =1 (Ü ). Write ¯ as «2 + Ü¬ 2 in FÕ [Ü]. Have ¯¼ ¯ = Ö in FÕ [Ü] so ¬ 2 («2 + Ü¬ 2 ) = 1 (×2 + Ü) so × = « ¬ in FÕ [Ü] ; i.e., (« ¬ ) ¾ Ä. Volume of Ä forces (« ¬ ) ¾ («0 ¬0 )FÕ [Ü] so ¯ = square ¡ ¯0 ; ¯ is squarefree so square ¾ FÕ . What if Patterson is used for Ñ having weight Ø? Volume argument fails. (« ¬ ) ¾ («0 ¬0 )FÕ [Ü]. But can compute short basis («0 ¬0 ) («1 ¬1 ) of Ä. Then ¯ is a linear combination of ¯0 = «2 + Ü¬0 0 2 and ¯1 = «2 + Ü¬1 . 1 2 Coeﬃcients are small squares; “small” depends on weight of Ñ. Divisors in residue classes Want all divisors of Ò in Ù + Ú Z, given positive integers Ù Ú Ò with gcd Ú Ò = 1. Easy if Ú Ò1 2. 1984 Lenstra: polynomial-time algorithm for Ú Ò 1 3. 1997 Konyagin–Pomerance: polynomial-time algorithm for Ú Ò3 10 . 1998 Coppersmith–Howgrave- Graham–Nagaraj: polynomial- time algorithm for Ú Ò1 4+¯ . 2000 Boneh: can view same algorithm as a list-decoding algorithm for CRT codes. Function-ﬁeld analogue is famous 1999 Guruswami–Sudan algorithm for list decoding of Reed–Solomon codes. Can build grand uniﬁed picture of “Coppersmith-type” algorithms and “Sudan-type” algorithms. See, e.g., my survey paper “Reducing lattice bases to ﬁnd small-height values of univariate polynomials.” 2008 Bernstein: Tweak parameters in the same algorithm to ﬁnd all divisors of Ò that are linear combinations of Ù Ú with small coprime coeﬃcients. 2008 Bernstein: Tweak parameters in the same algorithm to ﬁnd all divisors of Ò that are linear combinations of Ù Ú with small coprime coeﬃcients. Apply to the Goppa situation: analogous algorithm ﬁnds all É divisors of (Ü ) that are linear combinations of ¯0 ¯1 with small coprime coeﬃcients. Compared to Patterson, pushes allowable weight of Ñ up to Ø + Ø 2 Ò. New algorithm assumes that É ¯1 is coprime to (Ü ). Easy to achieve by adding a small multiple of ¯0 to ¯1 . unless Ò = Õ and ¯1 ¯0 is a permutation function. Can this happen to Patterson? I don’t know any examples. Weil forces rather large degree: can show that the curve ¯0 (Ü)¯1 (Ý) ¯1 (Ü)¯0 (Ý) Ü Ý =0 has no points over FÕ . Many other current topics in code-based cryptography. e.g. 2009 Misoczki–Barreto: Hide quasi-dyadic Goppa code as quasi-dyadic public key. Key length only 1+Ó(1) . Encryption time lg 3+Ó(1) . Decryption time lg 3+Ó(1) . 2009 Bernstein: easy tweak to Misoczki–Barreto algorithms, reducing time to 1+Ó(1) .
Pages to are hidden for
"Code-based post-quantum cryptography"Please download to view full document