Code-based post-quantum cryptography

D. J. Bernstein
University of Illinois at Chicago
“Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security standards—and any other standard based on computational difficulty—will fall, experts believe.” (Magiq’s web site, 2008; the “experts” aren’t named)
Is cryptography dead?

Imagine: 15 years from now someone announces successful construction of a large quantum computer. New York Times headline: “INTERNET CRYPTOGRAPHY KILLED BY PHYSICISTS.” Users panic.

What happens to cryptography?

RSA: Dead.
DSA: Dead.
ECDSA: Dead.
ECC in general: Dead.
HECC in general: Dead.
Buchmann–Williams: Dead.
Class groups in general: Dead.
“They’re all dead, Dave.”

But we have other types of cryptographic systems!

Hash-based cryptography. Example: 1979 Merkle hash-tree public-key signature system.
Code-based cryptography. Example: 1978 McEliece hidden-Goppa-code public-key encryption system.
Lattice-based cryptography. Example: 1998 “NTRU.”
Multivariate-quadratic-equations cryptography. Example: 1996 Patarin “HFEv−” public-key signature system.
Secret-key cryptography. Example: 1998 Daemen–Rijmen “Rijndael” cipher, aka “AES.”

Further reading:
Bernstein: “Introduction to post-quantum cryptography.”
Hallgren, Vollmer: “Quantum computing.”
Buchmann, Dahmen, Szydlo: “Hash-based digital signature schemes.”
Overbeck, Sendrier: “Code-based cryptography.”
Micciancio, Regev: “Lattice-based cryptography.”
Ding, Yang: “Multivariate public key cryptography.”
The McEliece cryptosystem

Receiver’s public key: “random” 500 × 1024 matrix C over F_2. Specifies a linear map F_2^1024 → F_2^500.

Messages suitable for encryption: 1024-bit strings of weight 50; i.e., m ∈ F_2^1024 with #{i : m_i = 1} = 50.

Encryption of m is Cm ∈ F_2^500.

Can use m as secret AES key to encrypt much more data.

Attacker, by linear algebra, can easily work backwards from Cm to some v ∈ F_2^1024 such that Cv = Cm; i.e., attacker finds some element v ∈ m + Ker C. Note that #Ker C ≈ 2^524.

Attacker wants to decode v: to find the element of Ker C at distance only 50 from v. Presumably unique, revealing m. But decoding isn’t easy!
Information-set decoding

Choose a random size-500 subset S ⊆ {1, 2, 3, …, 1024}.

For typical C: good chance that F_2^S ↪ F_2^1024 → F_2^500 (inclusion followed by C) is invertible.

Hope m ∈ F_2^S; chance ≈ 2^−53. Apply the inverse map to Cm, revealing m if m ∈ F_2^S. If m ∉ F_2^S, try again. ≈ 2^80 operations overall.
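As an added example (my code, not from the slides), the plain information-set decoder just described, run on a toy instance, together with the per-iteration success probability C(k, w)/C(n, w) that produces the 2^−53 figure above and lets one compare parameter sets. The key, message, seed and toy sizes (n = 64, k = 32, w = 4) are constructed; the decoder is the basic version only, with none of the Lee–Brickell, Stern or Bernstein–Lange–Peters improvements listed next, and the probability function ignores the cost of each iteration, so it is a lower bound on work, not the page’s 2^80 estimate.

```python
# Added example (not from the slides): plain information-set decoding on a toy
# "random-matrix McEliece" instance, plus the success-probability estimate behind
# the page's 2^-53 figure. Parameters, seed and key below are constructed.
import random
from math import log2

def log2_isd_probability(n, k, w):
    """log2 of C(k,w)/C(n,w): chance that a random weight-w m lies in F_2^S
    for a random size-k information set S (one iteration of plain ISD)."""
    return sum(log2((k - j) / (n - j)) for j in range(w))

def solve_gf2(rows, ncols):
    """Solve a k x k system over F_2. Each row is an int: low ncols bits are
    the matrix row, bit ncols is the right-hand side. Returns the solution as
    a bitmask, or None if the matrix is singular."""
    rows = list(rows)
    for col in range(ncols):
        piv = next((i for i in range(col, len(rows)) if rows[i] >> col & 1), None)
        if piv is None:
            return None                       # no pivot: C restricted to S is not invertible
        rows[col], rows[piv] = rows[piv], rows[col]
        for i in range(len(rows)):
            if i != col and rows[i] >> col & 1:
                rows[i] ^= rows[col]          # clear this column in every other row
    return sum(((rows[i] >> ncols) & 1) << i for i in range(ncols))

def encrypt(C, m):
    """Ciphertext Cm over F_2: C is a list of row bitmasks, m a column bitmask."""
    return [bin(row & m).count("1") & 1 for row in C]

def plain_isd(C, y, n, w, rng, max_iter=10**6):
    """Recover the weight-w m with Cm = y by repeatedly guessing an information
    set S, inverting C restricted to S, and checking the weight of the result.
    Returns (m, iterations)."""
    k = len(C)
    for it in range(1, max_iter + 1):
        S = rng.sample(range(n), k)
        aug = [sum(((row >> col) & 1) << j for j, col in enumerate(S)) | (y[i] << k)
               for i, row in enumerate(C)]
        z = solve_gf2(aug, k)
        if z is None:
            continue                          # singular: try another S
        cand = sum(((z >> j) & 1) << col for j, col in enumerate(S))
        if bin(cand).count("1") == w and encrypt(C, cand) == y:
            return cand, it
    return None, max_iter

def demo(n=64, k=32, w=4, seed=1):
    """Toy instance: random k x n key, random weight-w message, then recovery."""
    rng = random.Random(seed)
    C = [rng.getrandbits(n) for _ in range(k)]
    m = sum(1 << i for i in rng.sample(range(n), w))
    found, iters = plain_isd(C, encrypt(C, m), n, w, rng)
    return m, found, iters

if __name__ == "__main__":
    m, found, iters = demo()
    print(f"recovered={found == m} after {iters} information sets")
    print(f"1024/500/50 (page):   log2 success per set = {log2_isd_probability(1024, 500, 50):.1f}")
    print(f"3600/1800/150 (page): log2 success per set = {log2_isd_probability(3600, 1800, 150):.1f}")
```

On the toy instance a few dozen information sets suffice, since roughly one set in 18 contains the message and roughly one square binary matrix in 3.5 is invertible; at the page’s 1024/500/50 parameters the same function returns about −53.6, and at the 3600/1800/150 parameters of the “modern McEliece” section it returns about −155, which is the point of the larger key.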
Various improvements: 1988 Lee–Brickell; 1988 Leon; 1989 Stern; 1990 van Tilburg; 1994 Canteaut–Chabanne; 1998 Canteaut–Chabaud; 1998 Canteaut–Sendrier. ≈ 2^68 Alpha cycles.

2008 Bernstein–Lange–Peters: further improvements; ≈ 2^58 Core 2 Quad cycles; carried out successfully!
1988 Lee–Brickell idea: hope that m + e ∈ F_2^S for some weight-2 vector e. Reuse one matrix inversion for all choices of e. (The names e, e′ for these vectors are supplied here; the slide’s glyphs for them were lost in extraction.)

1989 Stern idea: hope that m + e + e′ ∈ F_2^S for low-weight vectors e, e′. Search for a collision between a function of e and a function of e′.

2008 Bernstein–Lange–Peters: more reuse, optimization, etc.
Modern McEliece

Easily rescue the system by using a larger public key: “random” (n/2) × n matrix C over F_2, e.g., 1800 × 3600. Larger weight: ≈ n/(2 lg n); e.g., m ∈ F_2^3600 of weight 150.

All known attacks scale badly: roughly 2^{n/(2 lg n)} operations. For much more precise analysis see 2009 Bernstein–Lange–Peters–van Tilborg.

Receiver secretly generates public key C with a hidden Goppa-code structure that allows fast decoding. Namely: C = SHP for secret (n/2) × (n/2) invertible matrix S, (n/2) × n Goppa matrix H, n × n permutation matrix P.

Detecting this structure seems even more difficult than attacking random C.
Goppa codes

Fix q ∈ {8, 16, 32, …}; t ∈ {2, 3, …, (q − 1)/lg q}; n ∈ {t lg q + 1, t lg q + 2, …, q}.
E.g., q = 1024, t = 50, n = 1024; or q = 4096, t = 150, n = 3600.

Receiver’s matrix H is the parity-check matrix for the classical (genus-0) irreducible length-n degree-t binary Goppa code defined by a monic degree-t irreducible polynomial g ∈ F_q[x] and distinct a_1, a_2, …, a_n ∈ F_q. (The slide’s glyphs for the polynomial and the support elements were lost in extraction; g and a_i are the standard names and are used for them throughout.) Which means:

H = [ 1/g(a_1)            ⋯   1/g(a_n)
      a_1/g(a_1)          ⋯   a_n/g(a_n)
      ⋮                        ⋮
      a_1^{t−1}/g(a_1)    ⋯   a_n^{t−1}/g(a_n) ]

View each element of F_q here as a column in F_2^{lg q}. Then H: F_2^n → F_2^{t lg q}.

More useful view: consider the map m ↦ Σ_i m_i/(x − a_i) from F_2^n to F_q[x]/g. H is the matrix for this map where F_2^n has the standard basis and F_q[x]/g has basis ⌊g/x⌋, ⌊g/x²⌋, …, ⌊g/x^t⌋.

One-line proof: in F_q[x]/g have 1/(x − a) = Σ_{i ≥ 0} (a^i/g(a)) ⌊g/x^{i+1}⌋.
Decoding Goppa codes

1975 Patterson: given Hm, can quickly find m if weight of m is ≤ t.

Given ciphertext Cm = SHPm: receiver computes HPm by applying secret S^−1; decodes H to obtain Pm by Patterson’s algorithm; computes message m by applying secret P^−1.

Patterson input is r ∈ F_q[x]/g having form Σ_i m_i/(x − a_i) where m ∈ F_2^n has weight ≤ t. Output will be m.

If r = 0, output 0 and stop. If r ≠ 0: lift √(r^−1 − x) from F_q[x]/g to s ∈ F_q[x] of degree < t. Consider the lattice L ⊆ F_q[x]² generated by (s, 1) and (g, 0). Define the length of (α, β) as the norm (degree) of α² + xβ².

Find a minimum-length nonzero vector (α_0, β_0) ∈ L. The monic part of ε_0 = α_0² + xβ_0² is exactly ∏_{i : m_i = 1} (x − a_i). Factor ε_0 and print m.

Why this works: define ε = ∏_{i : m_i = 1} (x − a_i). Write ε as α² + xβ² in F_q[x]. Have ε′/ε = r in F_q[x]/g, so β^−2(α² + xβ²) = s² + x, so s = α/β in F_q[x]/g; i.e., (α, β) ∈ L. The volume of L forces (α, β) ∈ (α_0, β_0) F_q[x], so ε = square · ε_0; ε is squarefree so the square is in F_q.
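To make the syndrome map, the basis claim for H and Patterson’s lattice step concrete, here is an added example (my code, not from the slides or from any Goppa-code library). It assumes toy parameters q = 16, t = 3, n = 16 with support a_i = i (all of F_16), finds g by searching for a monic cubic with no root (which is irreducible for degree ≤ 3), computes the syndrome r both as Σ m_i/(x − a_i) mod g and from H’s columns a_i^k/g(a_i) expanded in the basis ⌊g/x^{k+1}⌋, and decodes with Patterson’s method: s = √(r^−1 − x), then the minimum-length vector of the lattice generated by (s, 1) and (g, 0) via extended Euclid stopped at degree ⌊t/2⌋, then the roots of ε_0 = α_0² + xβ_0² found by evaluation at each a_i rather than by factoring.

```python
# Added example (not from the slides): a toy classical binary Goppa code over
# F_16 with the syndrome map m -> sum m_i/(x - a_i), the parity-check view via
# H's columns (a_i^k/g(a_i)), and Patterson decoding through the lattice/EEA
# step. q = 16, t = 3, n = 16 and the support a_i = i are constructed choices.
M, Q, T = 4, 16, 3                 # q = 2^M, Goppa degree t
POLYMOD = 0b10011                  # x^4 + x + 1, irreducible over F_2: defines F_16
A = list(range(Q))                 # support a_1..a_n = every element of F_16 (n = q)

def gf_mul(a, b):                  # multiplication in F_16
    r = 0
    while b:
        if b & 1: r ^= a
        a <<= 1
        if a & Q: a ^= POLYMOD
        b >>= 1
    return r

def gf_inv(a):                     # a^(q-2) = a^-1 for a != 0
    r, e = 1, Q - 2
    while e:
        if e & 1: r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

# Polynomials over F_16: list of coefficients, index = degree, no trailing zeros.
def trim(p):
    while p and p[-1] == 0: p.pop()
    return p
def padd(p, q):
    return trim([(p[i] if i < len(p) else 0) ^ (q[i] if i < len(q) else 0)
                 for i in range(max(len(p), len(q)))])
def pmul(p, q):
    r = [0] * (len(p) + len(q) - 1) if p and q else []
    for i, a in enumerate(p):
        for j, b in enumerate(q): r[i + j] ^= gf_mul(a, b)
    return trim(r)
def pdivmod(p, d):
    p, quo = trim(list(p)), [0] * max(len(p) - len(d) + 1, 1)
    inv = gf_inv(d[-1])
    while len(p) >= len(d):
        c, k = gf_mul(p[-1], inv), len(p) - len(d)
        quo[k] = c
        for i, b in enumerate(d): p[k + i] ^= gf_mul(c, b)
        trim(p)
    return trim(quo), p
def peval(p, x):
    r = 0
    for c in reversed(p): r = gf_mul(r, x) ^ c
    return r
def pinv_mod(a, g):                # extended Euclid: u with u*a = 1 mod g
    r0, r1, u0, u1 = list(g), list(a), [], [1]
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1, u0, u1 = r1, r, u1, padd(u0, pmul(q, u1))
    return trim([gf_mul(gf_inv(r0[0]), v) for v in u0])
def psqrt_mod(h, g):               # F_q[x]/g has 2^(M t) elements: sqrt = (M t - 1) squarings
    for _ in range(M * T - 1): h = pdivmod(pmul(h, h), g)[1]
    return h

def find_irreducible():            # first monic cubic with no root in F_16 (irreducible for degree <= 3)
    for c0 in range(1, Q):
        for c1 in range(Q):
            for c2 in range(Q):
                g = [c0, c1, c2, 1]
                if all(peval(g, a) for a in A): return g
G = find_irreducible()

def syndrome(m):                   # r = sum_{i: m_i = 1} 1/(x - a_i) in F_q[x]/g (char 2: x - a = x + a)
    r = []
    for i, bit in enumerate(m):
        if bit: r = padd(r, pinv_mod([A[i], 1], G))
    return r

def syndrome_via_H(m):
    """Same r computed from H's columns (a_i^k/g(a_i))_{k<t}, then expanded in the
    basis floor(g/x), floor(g/x^2), ..., floor(g/x^t) of F_q[x]/g."""
    coeffs = [0] * T
    for i, bit in enumerate(m):
        if bit:
            inv, ak = gf_inv(peval(G, A[i])), 1
            for k in range(T):
                coeffs[k] ^= gf_mul(ak, inv); ak = gf_mul(ak, A[i])
    r = []
    for k in range(T):             # floor(g / x^(k+1)) = drop the k+1 lowest coefficients
        r = padd(r, pmul([coeffs[k]], trim(G[k + 1:])))
    return r

def patterson(r):
    """Error positions {i : m_i = 1} from the syndrome r, for weight <= t."""
    if not r: return []
    s = psqrt_mod(padd(pinv_mod(r, G), [0, 1]), G)        # s = sqrt(r^-1 - x) mod g
    a0, a1, b0, b1 = list(G), s, [], [1]                   # a1 = b1 * s mod g throughout
    while len(a1) - 1 > T // 2:                            # minimum-length vector of <(s,1),(g,0)>
        q, rem = pdivmod(a0, a1)
        a0, a1, b0, b1 = a1, rem, b1, padd(b0, pmul(q, b1))
    eps = padd(pmul(a1, a1), pmul([0, 1], pmul(b1, b1)))  # eps0 = alpha0^2 + x beta0^2
    return [i for i, a in enumerate(A) if peval(eps, a) == 0]

if __name__ == "__main__":
    m = [0] * Q; m[2] = m[7] = m[11] = 1
    print("g =", G, "errors ->", patterson(syndrome(m)))
```

The search settles on g = x³ + x² + 1 (its roots lie in F_8, which F_16 does not contain), so n = 16 ≥ t lg q + 1 = 13 and t = 3 ≤ (q − 1)/lg q as the slide requires; the weight-1 error at a = 0 is the case s = 0, where the loop does not run and ε_0 = x.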
What if Patterson is used for m having weight > t? The volume argument fails: (α, β) ∉ (α_0, β_0) F_q[x].

But can compute a short basis (α_0, β_0), (α_1, β_1) of L. Then ε is a linear combination of ε_0 = α_0² + xβ_0² and ε_1 = α_1² + xβ_1². Coefficients are small squares; “small” depends on the weight of m.
Divisors in residue classes

Want all divisors of n in u + vZ, given positive integers u, v, n with gcd{v, n} = 1.

Easy if v > n^{1/2}.
1984 Lenstra: polynomial-time algorithm for v > n^{1/3}.
1997 Konyagin–Pomerance: polynomial-time algorithm for v > n^{3/10}.
1998 Coppersmith–Howgrave-Graham–Nagaraj: polynomial-time algorithm for v > n^{1/4+ε}.
2000 Boneh: can view the same algorithm as a list-decoding algorithm for CRT codes.

The function-field analogue is the famous 1999 Guruswami–Sudan algorithm for list decoding of Reed–Solomon codes. Can build a grand unified picture of “Coppersmith-type” algorithms and “Sudan-type” algorithms. See, e.g., my survey paper “Reducing lattice bases to find small-height values of univariate polynomials.”
2008 Bernstein: tweak parameters in the same algorithm to find all divisors of n that are linear combinations of u, v with small coprime coefficients.
Apply to the Goppa situation: the analogous algorithm finds all divisors of ∏_i (x − a_i) that are linear combinations of ε_0, ε_1 with small coprime coefficients. Compared to Patterson, pushes the allowable weight of m up to t + t²/n.

The new algorithm assumes that ε_1 is coprime to ∏_i (x − a_i). Easy to achieve by adding a small multiple of ε_0 to ε_1 … unless n = q and ε_1/ε_0 is a permutation function. Can this happen to Patterson?

I don’t know any examples. Weil forces rather large degree: can show that the curve (ε_0(x)ε_1(y) − ε_1(x)ε_0(y))/(x − y) = 0 has no points over F_q.
Many other current topics in code-based cryptography. E.g. 2009 Misoczki–Barreto: hide a quasi-dyadic Goppa code as a quasi-dyadic public key. Key length only ⟨·⟩^{1+o(1)}; encryption time ⟨·⟩ lg^{3+o(1)}; decryption time ⟨·⟩ lg^{3+o(1)}. (⟨·⟩ stands for the parameter symbol in these bounds, which did not survive extraction.)

2009 Bernstein: easy tweak to the Misoczki–Barreto algorithms, reducing time to ⟨·⟩^{1+o(1)}.