mceliece and niederreiter cryptosystems that resist ... · • f𝑞=f𝑞𝑙 =1 • m is a...
TRANSCRIPT
![Page 1: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/1.jpg)
McEliece and Niederreiter
Cryptosystems That Resist
Quantum Fourier Sampling
Attacks
Hang Dinh
Indiana University South Bend
joint work with
Alexander Russell
University of Connecticut
Cristopher Moore
University of New Mexico
![Page 2: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/2.jpg)
Post-quantum cryptography
• Shor’s quantum algorithms for Factoring and Discrete Logarithm break RSA, ElGamal, elliptic curve cryptography...
• Are there “post-quantum” cryptosystems?
cryptosystems we can carry out with classical computers
[unlike quantum cryptosystems, which require quantum facility]
which will remain secure even if and when quantum computers are built.
Hang Dinh - IU South Bend
![Page 3: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/3.jpg)
Post-quantum cryptography
• Candidates for post-quantum cryptosystems:
lattice-based
code-based (the McEliece system and its relatives)
hash-based
multivariate
secret-key cryptography
• Bernstein, 2009:
These systems are believed to resist quantum computers.
“Nobody has figured out a way to apply Shor’s algorithm
to any of these systems.”
Hang Dinh - IU South Bend
![Page 4: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/4.jpg)
We show that
some McEliece and Niederreiter cryptosystems resist the natural analog of
Shor’s quantum attack.
Hang Dinh - IU South Bend
![Page 5: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/5.jpg)
How Shor’s algorithm works
Breaking RSA
private key
Integer Factorization
Hidden Subgroup Problem
over a cyclic group ZN
Quantum Fourier Sampling
over ZN
Discrete Logarithm
Breaking ElGamal, elliptic
curve cryptography
Hidden Subgroup Problem
over an abelian group ZN×ZN
Quantum Fourier Sampling
over ZN×ZN
Hang Dinh - IU South Bend
![Page 6: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/6.jpg)
Hidden Subgroup Problem (HSP)
• HSP over a finite group G:
Input: function f : G {,, …} that distinguishes the
left cosets of an unknown subgroup H <G
Output: H
• Notable reductions to nonabelian HSP:
Unique Shortest Vector Problem HSP over Dn [Regev’04]
Graph Isomorphism HSP over Sn with |H|≤2
H g2H g3H … gkH
Hang Dinh - IU South Bend
![Page 7: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/7.jpg)
Quantum Fourier Sampling (QFS)
QFS over G to find hidden subgroup H:
Uniform superposition over G
gH ij,i, j
,i, j
Use input function f
Quantum Fourier transform
Measure
ρ
ρ column j
weak
strong ρ
block matrix corresponding to
irreducible representation ρ of G
uniform
superposition
over coset gH random coset state gH
![Page 8: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/8.jpg)
McEliece/Niederreiter Cryptosystems
•
Scramble M’s rows Permute M’s columns
Hang Dinh - IU South Bend
![Page 9: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/9.jpg)
McEliece/Niederreiter Cryptosystems
McEliece system Niederreiter system
Hang Dinh - IU South Bend
• F𝑞 = F𝑞𝑙 𝑙 = 1
• M is a generator matrix of
an 𝑛, 𝑘 -code over Fq.
Equivalent to the McEliece system using C, if
dim 𝐶 = 𝑛 − 𝑙𝑘 .
• Originally used classical
binary Goppa codes (q=2)
• F𝑞 F𝑞𝑙 𝑙 ≥ 1
• M is a parity check matrix of
an 𝑛, 𝑘′ -code C over Fq.
• Equivalent to the McEliece system using C, if
𝑘′ = 𝑛 − 𝑙𝑘.
• Originally used rational Goppa codes (GRS codes)
![Page 10: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/10.jpg)
Security of McEliece and
Niederreiter Systems
• Two basic types of attacks
Decoding attacks [previous talk]
Attacks on private key [this talk]
Recover S, M, P from M*
• Security against known classical attacks
Still secure if using classical Goppa codes [EOS’07]
Broken if using rational Goppa codes (Ouch!)
Sidelnokov & Shestakov’s attack factors SMP into S and MP.
Hang Dinh - IU South Bend
![Page 11: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/11.jpg)
McEliece/Niederreiter’s
security reduces to HSP
Scrambler-Permutation Problem
Given: M and M* = SMP for some (S, P) GLk(Fq) ×Sn
Find: S and P
~
Can this HSP be solved by strong QFS?
Hang Dinh - IU South Bend
![Page 12: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/12.jpg)
• Strong QFS yields negligible information about
hidden (S, P) if M is good, meaning
M has column rank 𝑟 ≥ 𝑘 − 𝑜 𝑛 /𝑙,
𝐴𝑢𝑡 𝑀 ≤ 𝑒𝑜 𝑛 , and
Minimal degree of Aut(M) is (𝑛).
• Next question:
Are there matrices M satisfying the conditions above?
Our Answer (1)
the minimal number of points moved by
a non-identity permutation in Aut(M)
Hang Dinh - IU South Bend
![Page 13: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/13.jpg)
Our Answer (2)
•
11
22
1
11
2211
21
k
nn
kk
nn
n
vvv
vvv
vvv
SM
distinct. are s'
},{F
},0{F
,FGL
i
qi
qi
qk
l
l
l
v
S
Hang Dinh - IU South Bend
![Page 14: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/14.jpg)
Conclusion
• The following cryptosystems resist the natural analog of Shor’s QFS attack:
McEliece systems using rational Goppa codes
Niederreiter systems using classical Goppa codes.
In general, any McEliece/Niederreiter system using linear codes with good generator/parity check matrices.
Warning: This neither rules out other quantum (or classical) attacks nor violates a natural hardness assumption.
Hang Dinh - IU South Bend
![Page 15: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/15.jpg)
Conclusion (Moral)
McEliece
RSA
Quantum
Fourier
Sampling
ElGamal Niederreiter
need new ideas
Hang Dinh - IU South Bend
![Page 16: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/16.jpg)
Open Questions
• What are other linear codes that possess good
generator/parity check matrices?
• Can these cryptosystems resist stronger quantum attacks, e.g., multiple-register QFS attacks?
Hallgren et al., 2006: subgroups of order 2 require highly-entangled measurements of many coset states.
Does this hold for subgroups of order > 2?
Hang Dinh - IU South Bend
![Page 17: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/17.jpg)
Questions?
Hang Dinh - IU South Bend
• Thank you all for staying till the last minute!
![Page 18: McEliece and Niederreiter Cryptosystems That Resist ... · • F𝑞=F𝑞𝑙 =1 • M is a generator matrix of an , -code over F q. Equivalent to the McEliece system using C, if](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045c157d78dce22740cf8f0/html5/thumbnails/18.jpg)
• In case of Niederreiter systems using a classical
q-ary Goppa code C, we need
• Typically, 𝑛 = 𝑞𝑙, then we only need 𝑘2 ≤ 0.2𝑛𝑙,
which implies C must have large dimension:
Parameters
nolnk qnq e and 32.02
2/3 2.0dim lnnklnC
Hang Dinh - IU South Bend