vulnerabilities of code-based cryptographyruudp/lectures/11-11-17-scd2011.pdf · 2011. 11. 25. ·...

VULNERABILITIES OFCODE-BASED

CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE

GRS SUBCODES OF GRSCODES

THE SQUARE OF A CODE

PROOFS

VULNERABILITIES OF CODE-BASEDCRYPTOGRAPHY

I. MARQUEZ-CORBELLA 1 E. MARTINEZ-MORO 2 R. PELLIKAAN 3

1Department of Algebra, Geometry and Topology, University of Valladolid.Supported by a FPU grant AP2008-01598 by Spanish MEC.

2Department of Applied Mathematics, University of Valladolid.

3Department of Mathematics and Computing Science, Eindhoven University of Technology.

Spanish Cryptography Days (SCD 2011)


CRYPTOGRAPHY

INTRODUCTION

MCELIECE CRYPTOSYSTEM

ATTACKS ON THE MCELIECE PKC

NIEDERREITER CRYPTOSYSTEM

PKC USING

ALGEBRAIC-GEOMETRY CODES

GAPS OF A CODE



PROOFS

PUBLIC-KEY CRYPTOSYSTEMS

TWO KEYS:

Private Key: Known only bythe recipient.

Public Key: Available toanyone.

MOST PKC ARE BASED ONNUMBER-THEORETIC PROBLEMS

Ü Quatum computers will breakthe most popular PKCs: RSA,DSA, ECDSA, ECC, HECC, ...can be attacked in polynomial time using

Shor’s algorithm

GOOD NEWS: POST-QUATUMCRYPTOGRAPHY

Hash-based cryptography,

Code-based cryptography,

Lattice-based cryptography,

Multivariate-quadratic-equationcryptography

D. J. Bernstein, J. Buchmann, E. Dahmen.

Post-Quatum Cryptography.

Springer, 2009.


CRYPTOGRAPHY

INTRODUCTION




PKC USING


GAPS OF A CODE



PROOFS


KEY GENERATION

1 Given:

C an [n, k, d ] linear code over Fq

G ∈ Fk×nq a generator matrix of C.

S ∈ Fk×kq a nonsingular matrix.

P ∈ Fn×nq a permutation matrix.

2 McEliece Public Key :(G′ = SGP, t

).

3 McEliece Private Key: (G,S,P)

ENCRYPTION

Encrypt a message m ∈ Fkq as

y′ = mG′ + e′

where e and e′ = eP in Fnq are random

error vectors of weight t .

DECRYPTION

1 Compute y = y′P−1 =

mG′P−1 + e′P−1 = mSG + e.

2 Apply the decoding algorithm for Cto find mS.

3 m = mSS−1.

McEliece introduced the first PKC based on Error-Correcting Codes in 1978.Advantages:

1 Interesting candidate for post-quantum cryptography.2 Fast encryption (matrix-vector multiplication) and decryption functions.

Drawback: Large key size.

R. J. McEliece.A public-key cryptosystem based on algebraic coding theory.DSN Progress Report, 42-44:114-116, 1978.


CRYPTOGRAPHY

INTRODUCTION




PKC USING


GAPS OF A CODE



PROOFS


Ü Most effective attack against the McEliece cryptosystem is Information SetDecoding. Many variants:

1 McEliece (1978)2 Leon (1988)3 Lee and Brickell (1988)4 Stern (1989)5 van Tilburg (1990)

6 Canteaut and Chabanne (1994)7 Canteaut and Chabaud (1998)8 Canteaut and Sendrier (1998)9 Bernstein, Lange and Peters (2008)

A. Canteaut and H. Chabanne.

A further improvement of the work factor in anattempt at breaking McEliece’s cryptosystem.EUROCODE 94, 1994.

A. Canteaut and F. Chabaud.

A new algorithm for finding minimum-weight wordsin a linear code: application to McEliece’scryptosystem and to narrow-sense BCH codes oflength 511.IEEE Transaction on Information Theory.

A. Canteaut and N. Sendrier.

Crytanalysis of the original McEliece cryptosystem.Advances in cryptology - ASIACRYPT’98.

P. J. Lee and E. F. Brickell.

An observation on the security of McEliece’spublic-key cryptosystem.Advances in cryptology - EUROCRYPT’98.

J. S. Leon.

A probabilistic algorithm for computing minimumweights of large error-correcting codes.IEEE Transaction on Information Theory.

R. J. McEliece.

A public-key cryptosystem based on algebraiccoding theory.DSN Progress Report

J. Stern.

A method for finding codewords of small weight.Coding theory and applications, Vol 388 of LectureNotes in Computer Science, 106-113. Springer,New York, 1989.

J. van Tilburg.

On the McEliece public-key cryptosystem.Advances in cryptology - CRYPTO’88.

D. J. Bernstein, T. Lange, C. Peters.

Attacking and defending the McEliece cryptosystem.Post-Quantum Cryptography


CRYPTOGRAPHY

INTRODUCTION




PKC USING


GAPS OF A CODE



PROOFS


Ü Niederreiter presents a dual version of McEliece cryptosystem in 1986 which isequivalent in terms of security, with the same Goppa codes.

KEY GENERATION

1 Given:

C an [n, k, d ] linear code over Fq

H ∈ F(n−k)×nq a parity check matrix of

C.S ∈ F(n−k)×(n−k)

q a nonsingularmatrix.P ∈ Fn×n

q a permutation matrix.

2 Niederreiter Public Key :(H′ = SHP, t

).

3 Niederreiter Private Key: (H,S,P)

ENCRYPTION

Encrypt a message m ∈ Fkq as

y′ = mH′T .

DECRYPTION

1 Compute y = y′ = (S−1)T =

mPT HT = m′HT . Syndrome of m′ by H.

2 Apply decoding algorithm for C tofind m′ = mPT and thereby m.

Ü In its original paper Niederreiter proposed the class of GRS codes over F2m .

H. Niederreiter.

Knapsack-type crypto system and algebraic codingtheory.Problems of Control and Information Theory, 1986.

Y. Xing Li, R. H. Deng and X. Mei Wang.

On the equivalence of McEliece’s and Niederreiterpublic-key cryptosystems.IEEE Transaction on Information Theory, 1994.


CRYPTOGRAPHY

INTRODUCTION




PKC USING


GAPS OF A CODE



PROOFS

PKC USING ALGEBRAIC-GEOMETRY CODES

Sidelnikov and Shestakov in 1992 introduced an algorithm that breaks theoriginal Niederreiter cryptosystem in polynomial time.

GRS codes are Algebraic Geometry codes on the projective line.

Ü This result was generalized to curves of genus 1 and 2 by Faure and Minder in2008.

In 1996 Janwa and Moreno propose to use AG code for the McEliececryptosystem.

Ü For g > 2 the security status was not known.

C. Faure and L. Minder.

Cryptanalysis of the McEliece cryptosystem overhyperelliptic codes.Proceedings 11th Int. Workshop on Algebraic andCombinatorial Coding Theory, 2008.

V. M. Sidelnikov and S. O. Shestakov.

On insecurity of cryptosystems based ongeneralized Reed-Solomon codes.Discrete mathematics and Applications.

H. Janwa and O. Moreno.

McEliece public crypto system using algebraic-geometric codes.

Designs, Codes and Cryptography, 8:293-307, 1996.


CRYPTOGRAPHY

INTRODUCTION




PKC USING


GAPS OF A CODE



PROOFS


WAG AND SAG CODES

A code C over Fq is called WAG if C = CL(X ,P,E) where:

X is an algebraic curve over Fq with genus g,

P = {P1, . . . ,Pn} is an n-tuple of mutually distinct points of X (Fq),

E is a divisor on X with supp(E) ∩ P = ∅ and deg(E) = m

Ü If 2g − 2 < m < n then it is called SAG.

Ü Let R = kn be the information rate and γ = g

n the relative genus then:

SAG codes are not secure for code based PKC:

1 If 16 ≤ γ ≤

14 in the range:

γ ≤ R ≤ 1− 3γ or 3γ ≤ R ≤ 1− γ

2 If γ ≤ 16 in the range: γ ≤ R ≤ 1− γ

I. Marquez-Corbella, E. Martınez-Moro and R. Pellikaan.

Evaluation of Public-Key Cryptosystems Based on Algebraic Geometry Codes.

Proceedings of the III International Castle Meeting on Coding Theory and Applications, September 11-15,Castell de Cardona, Spain, 2011.


CRYPTOGRAPHY

INTRODUCTION




PKC USING


GAPS OF A CODE



PROOFS


Singleton bound

Gilbert-Varshamov bound

Tsfasman-Vladut-Zink bound

01

2A 1 - ΓB 1

∆

Γ

1

2- Γ

1

2

Γ +1

2

1 - Γ

1R

FIGURE: Bounds on R as a function of the relative minimum distance δ for q = 49and γ = 1

6 .


CRYPTOGRAPHY

INTRODUCTION




PKC USING


GAPS OF A CODE



PROOFS


Berger and Loidreau in 2005 propose another version of the Niederreiterscheme designed to resist the Sidelnikov-Shestakov attack.

Ü Main idea: work with subcodes of the original GRS code.

Attacks:

1 Wieschebrink:Presents the first feasible attack to the Berger-Loidreau cryptosystem but isimpractical for small subcodes.Notes that if the square code of a subcode of a GRS code of parameters [n, k ] isitself a GRS code of dimension 2k − 1 then we can apply Sidelnikov-Shestakovattack.

2 M-Martinez-Pellikaan: Give a characterization of the possible parametersthat should be used to avoid attacks on the Berger-Loidreau cryptosystem.

T. Berger and P. Loidreau.

How to mask the structure of codes for acryptographic use.Designs, Codes and Cryptography, 35: 63–79,2005.

I. Marquez-Corbella, E. Martınez-Moro and

R. Pellikaan.The non-gap sequence of a subcode of ageneralized Reed-Solomon code.Proceedings of the Seventh International Workshopon Coding and Cryptography, April 11-15, Paris,France, 183-193, 2011.

C. Wieschebrink.

An attack on the modified Niederreiter encryptionscheme.In PKC 2006, Lecture Notes in Computer Science,volume 3958, 14–26, Berlin, 2006. Springer.

C. Wieschebrink.

Cryptoanalysis of the Niederreiter public keyscheme based on GRS subcodes.In Post-Quantum Cryptography, Lecture Notes inComputer Science, volume 6061, 6–72, Berlin,2010. Springer.


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

NOTATION

Let :

Fq be a finite field with q elements.

n, k, l ∈ N : 1 ≤ l ≤ k ≤ n ≤ q.

Lk := {f ∈ Fq [X ] : deg(f (X)) ≤ k − 1}.

eva,b be the evaluation map at the elements a, b ∈ Fnq i.e.

eva,b : Lk → Fnq

f 7→ (f (a1)b1, . . . , f (an)bn)

GENERALIZED REED-SOLOMON CODES (OR GRS CODES)

Let a ∈ Fnq such that ai 6= aj for 1 ≤ i < j ≤ n and b ∈ Fn

q with non-zero entries.The GRS code GRSk (a, b) is defined by:

GRSk (a, b) :={

eva,b(f (X)) : f ∈ Lk}

We define the star product a ∗ b ∈ Fnq by a ∗ b = (a1 · b1, . . . , an · bn).

REMARK

Ü GRSk (a, b) = b ∗ GRSk (a, 1).

Ü eva,b (f (X)g(X)) = eva,1(f (X)) ∗ eva,b(g(X)).


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

(a,b)-GAP OF A CODE

Let C be an l-dimensional subcode of the code GRSk (a, b), we denote by

Ci := C ∩ GRSi (a, b).

Then C0 ⊆ C1 ⊆ . . . ⊆ Ck = C ∩ GRSk (a, b) = C.

(a, b)-GAP OF THE CODE

i ∈ Z≥0 is called an (a, b)-gap of the code C if Ci = Ci+1.We define the associated (a, b) non-gap sequence of C by

I(a, b, C) = I(C) ={

i ∈ Z≥0 : i is a non-gap of C}

PROPOSITION 1 Proof

i ∈ Z≥0 is an (a, b) non-gap of C ⇐⇒ ∃f ∈ Fq [X ] with deg(f (X)) = isuch that eva,b(f (X)) ∈ C

COROLLARY 1

Let C be an l-dimensional subcode of the code GRSk (a, b) with associated non-gapsequence I(C). Then:

1 I(C) ={

i | ∃f ∈ Fq [X ] with deg(f (X)) = i < k : eva,b(f (X)) ∈ C}

2 C ={

eva,b(f (X)) | f = 0 or f ∈ Fq [X ] and deg(f (x)) ∈ I(C)}


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

(a,b)-GAP OF A CODE

We can obtain a basis of C by studying the associated (a, b) non-gap sequence of C.

PROPOSITION 2 Proof

There is a set I = {i1, . . . , il} and there are l polynomials in unique normal form

fj (X) = X ij +∑s<ijs/∈I

fj,sX s ∈ Fq [X ], for all j = 1, . . . , l,

such thatC = 〈eva,b(fj (X)) | j = 1, . . . , l〉.

Furthermore I(C) = I and dim(C) = |I(C)|.

PROPOSITION 3 Proof

Let I = {i1, . . . , il} and

e(I) = i1 l + (i2 − i1 − 1)(l − 1) + · · · + (il − il−1 − 1) =l∑

s=1(is − is−1 − 1)(l − s + 1)

where i0 = −1. Then the number of l-dimensional subcodes of the codeGRSk (a, b) over Fq with a given non-gap sequence I is equal to qe(I).


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

(a,b)-GAP OF A CODE

REMARK

e(I) is minimal and equal to 0 for I = {0, 1, . . . , l − 1}.

e(I) is maximal and equal to l(k − l) for I = {k − l, . . . , k − 1}.

Ü The number of l-dimensional subcodes of the code GRSk (a, b) over Fq is equalto the Gaussian binomial:

(qk − 1)(qk − q) · · · (qk − q l−1)

(q l − 1)(q l − q) · · · (q l − q l−1):=

[kl

]q

=∑

I⊆{0,...,k−1}|I|=l

qe(I).

Ü This number is polynomial in q with non-negative integers as coefficients.


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

GRS SUBCODES OF GRS CODES I

We study the l-dimensional subcodes C of the code GRSk (a, b) that are themselvesGRS codes.

1 C = GRSl (a, b) with 2 ≤ l ≤ k .

PROPOSITION 4 Proof

C = GRSl (a, b)⇐⇒ I(C) = {0, . . . , l − 1}

There is exactly ONE l-dimensional subcode C with I(C) = {0, . . . , l − 1} which is GRSl (a, b).

2 C = GRSl (a, ai ∗ b) with i + l ≤ k .

PROPOSITION 5 Proof

Let I(C) = {i1, . . . , il} and c = eva(f (X)) with f ∈ Fq [X ] and deg(f (X)) = i . Ifi + il < k then I(c ∗ C) = i + I(C).

Note that the converse is not true in general.

COROLLARY 3

If i + l ≤ k then I(GRSl (a, ai ∗ b)) = {i, i + 1, . . . , i + l − 1}.


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

GRS SUBCODES OF GRS CODES II

3 C = GRSl (c, d).

PROPOSITION 6 Proof

Let l ≥ 2,g0, h1 ∈ Fq [X ],

a ∈ Fnq : ai 6= aj with 1 ≤ i < j ≤ n,

d0 = deg(g0(X)),

b ∈ Fnq : bi 6= 0 with 1 ≤ i ≤ n,

d1 = d0 + deg(h1(X))

If 1 eva(h1(X)) = c : ci 6= cj with 1 ≤ i < j ≤ n,

2 eva,b(g0(X)) = d : di 6= 0 with 1 ≤ i ≤ n,

3 d0 < d1

4 d0 + (l − 1)(d1 − d0) < k .

Then the code C = GRSl (c, d) is an l-dimensional subcode of GRSk (a, b) with :

I(C, a, b) = {d0, d1, . . . , d0 + j(d1 − d0), . . . , d0 + (l − 1)(d1 − d0)}

PROPOSITION 7 Proof

If 2k − 2 < n and l ≥ 2.Assume that C = GRSl (c, d) ⊆ GRSk (a, b) and let d0 < d1 be the first two elementsof I(C, a, b). Then ∃g0, h1 ∈ Fq [X ] such that:

1 eva,b(g0(X)) = d.2 eva(h1(X)) = c.

3 d0 = deg(g0(X)).4 d1 = d0 + deg(h1(X)).


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

GRS SUBCODES OF GRS CODES III

COROLLARY 5 Proof

If 2k − 2 < n and 2 ≤ l ≤ k . Then the number of l-dimensional subcodes of thecode GRSk (a, b) over Fq that are GRS code is at most qk−l+3.

The probability that an arbitrary l-dimensional subcode of the code GRSk (a, b) is aGRS code is at most

qk−l+3[kl

]q

≤qk−l+3

q l(k−l)= q−(l−1)(k−l)+3

This fraction tends to zero for k →∞ or (k − l)→∞.


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS


THE SQUARE CODE

The square code of a [n, k ] code C over Fq ,D = 〈C ∗ C〉, is the code generated by{ri ∗ rj : 1 ≤ i ≤ j ≤ k

}where r1, . . . , rk denotes the rows of a generator matrix of C.

Let:

C be an l-dimensional subcode of GRSk (a, b).

r1, . . . , rl be the rows of a generator matrix of C.

f1, . . . , fl be the polynomials associated to those rows.

Then

ri ∗ rj =(

b21 fi (a1)fj (a1), . . . , b2

n fi (an)fj (an))

= eva,b∗b(fi (X)fj (X))

and deg(fi (X)fj (X)) = deg(fi (X)) + deg(fj (X)) ≤ 2k − 2 for 1 ≤ i ≤ j ≤ l

REMARK

The code D = 〈C ∗ C〉 = 〈ri ∗ rj : 1 ≤ i ≤ j ≤ l〉 is a subcode of the codeGRS2k−1(a, b ∗ b).


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

(a,b ∗ b) GAP OF D = 〈C ∗ C〉

We denote by Di = D ∩ GRSi (a, b ∗ b).Then:

i ∈ Z≥0 is an (a, b ∗ b) gap of D if Di = Di+1.

J (D, a, b ∗ b) ={

j ∈ Z≥0 : j is an (a, b ∗ b)-non gap of D}

is the (a, b ∗ b)non-gap sequence associated to the square code.

REMARK

j ∈ J (D, a, b ∗ b) ⇐⇒ ∃g ∈ Fq [X ] with deg(g(X)) = j : eva,b∗b(g(X)) ∈ D

PROPOSITION 8 Proof

I(C, a, b) + I(C, a, b) = {i + j : i, j ∈ I(C, a, b)} ⊆ J (D, a, b ∗ b)

Furthermore:

1 If 0 ∈ I(C, a, b) then I(C, a, b) ⊆ J (D, a, b ∗ b)

2 Let I(C, a, b) = {i1, . . . , il} with i1 + il < 2k − 1 and c = eva,b(f (X)) ∈ C forf ∈ Fq [X ] with deg(f (X)) = i1 then

I(c ∗ C, a, b) = i1 + I(C, a, b) ⊆ J (D).


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

THE SQUARE CODE

PROPOSITION 9 Proof

dim(D) ≤ min{

2k − 1,(l + 1

2

)}Furthermore:

1 If D = GRSr (a, b ∗ b) then I(C, a, b) ⊆{

0, . . . , b r−12 c}

.

2 If D = GRSr (a, ai ∗ b ∗ b) then I(C, a, b) ⊆{b i

2 c, . . . , bi+r−1

2 c}

.

3 If D = GRSr (c, d) then I(C, a, b) ⊆{b d0

2 c, . . . , bd0+(r−1)(d1−d0)

2 c}

whered0 < d1 and d0 + (r − 1)(d1 − d0) < 2k − 1


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

THE SQUARE CODE OF A GRS CODE

Let C be a GRS code then:

PROPOSITION 10 Proof

〈GRSk (a, b) ∗ GRSl (a, c)〉 = GRSk+l−1(a, b ∗ c)

In particular GRS2l−1(a, b ∗ b) is the square code of GRSl (a, b).

COROLLARY 6

If I(C, a, b) = {0, . . . , l − 1} then J (D, a, b ∗ b) = {0, . . . , 2l − 2} i.e.D = GRS2l−1(a, b ∗ b).

The converse is NOT true in general


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

WHEN D = 〈C ∗ C〉 = GRS2k−1(a,b ∗ b)?


Let I(C, a, b) = {i1, . . . , il}. If D = GRS2k−1(a, b ∗ b), then

|{ (u, v) : iu + iv ≥ t and 1 ≤ u ≤ v ≤ l }| ≥ 2k − t − 1

for all t = 0, . . . , 2k − 2.

REMARK

Let C be an l-dimensional subcode of GRSk (a, b) with I(C, a, b) = {i1, . . . , il}.If D = 〈C ∗ C〉 = GRS2k−1(a, b ∗ b) then:

1 2k − 1 ≤(l+1

2

)(Particular case t = 0 of Proposition 11).

2 il = k − 1 (Case t = 2k − 2 of Proposition 11).

3 il−1 = k − 2 (Case t = 2k − 3 of Proposition 11).

4 il−2 ≥ k − 4 (Case t = 2k − 5 of Proposition 11).

REMARK

I(C, a, b) = {k − l, . . . , k − 1} satisfies the conditions of Proposition 11 for all t .However this not imply that D = 〈C ∗ C〉 is exactly GRS2k−1(a, b ∗ b).


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

WHEN D = 〈C ∗ C〉 = GRS2k−1(a,b ∗ b)?

Let C be an l-dimensional subcode of GRSk (a, b) with I(C, a, b) = {i1, . . . , il}then:

Ü By Proposition 2 there are l polynomials in normal form such that

C =⟨

eva,b(f1(X)), . . . , eva,b(fl (X))⟩

with deg(fj (X)) = ij ∀j = 1, . . . , l

Ü Furthermore

D = 〈C ∗ C〉 =⟨

eva,b(fu(X)fv (X)) | 1 ≤ u ≤ v ≤ l⟩

We denote fu(X)fv (X) = guv (X) = guv,0 + guv,1X + . . . + guv,(2k−2)X2k−2 for

1 ≤ u ≤ v ≤ l .

Ü Then the following matrix form a generating set of the code D:

GD =

g11,0 g11,1 . . . g11,2k−2

......

. . ....

g1l,0 g1l,1 . . . g1l,2k−2g22,0 g22,1 . . . g22,2k−2

......

. . ....

g2l,0 g2l,1 . . . g2l,2k−2

......

. . ....

gll,0 gll,1 . . . gll,2k−2

∈ F

(l+12

)×(2k−1)

q


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

NECESSARY CONDITIONS TO HAVE:D = 〈C ∗ C〉 = GRS2k−1(a,b ∗ b)

FINAL REMARK

The following properties are necessary conditions to have that

D = 〈C ∗ C〉 = GRS2k−1(a, b ∗ b)

1 I(C) = {i1, . . . , il} ⊆ {0, . . . , k − 1}.

2 il = k − 1, il−1 = k − 2 and il−2 ≥ k − 4.

3 rank(GD) = 2k − 1.


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

WHEN D = 〈C ∗ C〉 = GRS2k−1(a,b ∗ b)?

If 2k − 1 ≤ n then:

D = 〈C ∗ C〉 = GRS2k−1(a, b ∗ b)⇐⇒ rank(GD) = 2k − 1

Almost all l dimensional subcodes C of GRSk (a, b) have the property that:

I(C) = {k − l, . . . , k − 1} for q >> k.


If 4k − 3l − 1 < q then the number of l-dimensional subcodes C of GRSk (a, b) overFq such that

2k − 1 ≤ n, 2k − 1 ≤(l+1

2

)and I(C) = {k − l, . . . , k − 1}

is at most (4k − 3l − 2)q l(k−l)−1.

If 4k − 3l − 1 < q, 2k − 1 ≤ n and 2k − 1 ≤(l+1

2

)then the sought

probability is at least:

1−(4k − 3l − 2)q l(k−l)−1

q l(k−l)= 1−

4k − 3l − 2q

This fraction tends to one for q →∞.


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

THANK FOR YOUR ATTENTION


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5

PROPOSITION 1

PROPOSITION 1 Return

i ∈ Z≥0 is an (a, b) non-gap of C ⇐⇒ ∃f ∈ Fq [X ] with deg(f (X)) = isuch that eva,b(f (X)) ∈ C

⇒ Suppose that i ∈ I(C, a, b) then by definition Ci 6= Ci+1. That is

∃c ∈ Ci+1 \ Ci ⇒{

c ∈ Cc ∈ GRSi+1(a, b) \ GRSi (a, b)

i.e. there exists a unique polynomial f ∈ Li+1 : c = eva,b(f (X))

But if deg(f (X)) < i then c ∈ Ci , thus deg(f (X)) = i .

⇐ If ∃f ∈ Fq [X ] with deg(f (X)) = i such that c = eva,b(f (X)) then c ∈ Ci+1 \ Ci .Hence i ∈ I(C, a, b).


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5


By Corollary 1, ∀c ∈ C, ∃f ∈ Fq [X ] with deg(f (X)) ∈ I(C) : c = eva,b(f (X)).

Furthermore the code C has dimension l ,i.e. ∃f1, . . . , fl ∈ Fq [X ] with deg(fi (X)) ∈ I(C)) for i ∈ {1, . . . , l} such that

C = 〈eva,b(fi (X)) with i ∈ {1, . . . , l}〉.

To make the notation easier we can assume that:1 deg(fj (X)) = ij for j ∈ {1, . . . , l}.2 deg(f1(X)) ≤ . . . ≤ deg(fl (X)), i.e. I = {i1, . . . , il}.3 The polynomials f1, . . . , fl are monics.

Thus each polynomial fj can be written as

fj (X) =

ij−1∑s=0

fj,sX s + X ij for j = 1, . . . , l.

Let us define the matrix M(f1, . . . , fl ) = (fj,s) ∈ Fl×kq as the matrix whose i-th row

represent the coefficients with respect to the monomials {1,X , . . . ,X k−1} of thepolynomial fj for j ∈ {1, . . . , l}. After applying Gaussian elimination on the previousmatrix we obtain a matrix with the following form:

∗1,0 . . . ∗1,i1−1 1 0 . . . 0 0 . . . 0

∗2,0 . . . ∗2,i1−1 0 ∗2,i1+1 . . . ∗2,i2−1 1 . . . 0

.

.

.. . .

.

.

.

.

.

.

.

.

.. . .

.

.

.

.

.

.. . .

.

.

.∗l,0 . . . ∗l,i1−1 0 ∗l,i1+1 . . . ∗l,i2−1 0 . . . 0

. (1)

From the above matrix we can conclude the result of the Theorem.


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5


Let C be an l-dimensional subcode of GRSk (a, b) with non-gap sequenceI(C) = {i1, . . . , il}.By Proposition 2 there are l polynomials in normal form

fj (X) =

ij−1∑s<ijs/∈I

fj,sX s + X ij for j = 1, . . . , l.

such thatC = 〈eva,b(fi (X)) with i ∈ {1, . . . , l}〉.

If we fix the set I there are qe(I) l-dimensional subcodes of GRSk (a, b) withassociated non-gap sequence I.

∗1,0 . . . ∗1,i1−1 1 0 . . . 0 0 . . . 0

∗2,0 . . . ∗2,i1−1 0 ∗2,i1+1 . . . ∗2,i2−1 1 . . . 0

.

.

.. . .

.

.

.

.

.

.

.

.

.. . .

.

.

.

.

.

.. . .

.

.

.∗l,0 . . . ∗l,i1−1 0 ∗l,i1+1 . . . ∗l,i2−1 0 . . . 0

.

Note that e(I) is equal to the number of elements of the matrix M(f1, . . . , fl ) whichare free to be chosen in Fq as long as the form of M is not changed.


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5


⇒ If C = GRSl (a, b) by definition I(C) = {0, . . . , l − 1}

⇐ Suppose that the associated non-gap sequence of C is I(C) = {0, . . . , l − 1}i.e. by Proposition 2

{eva,b(X i ) with i ∈ {0, . . . , l − 1}

}form a basis of C

which is also a basis of GRSl (a, b).Thus C = GRSl (a, b).

REMARK

If I = {0, . . . , l − 1} then e(I) = 0, thus there exists exactly ONE l-dimensionalsubcode C of the code GRSk (a, b) with I(C) = {0, . . . , l − 1}.And by Proposition 4 we have that C = GRSl (a, b).


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5


Suppose that I(C) = {i1, . . . , il}, then there are l polynomials in normal form

fj (X) =

ij−1∑s<ijs/∈I

fj,sX s + X ij for j = 1, . . . , l.

such thatC = 〈eva,b(fi (X)) with i ∈ {1, . . . , l}〉.

Since c = eva(f (X)) with f ∈ Fq [X ] and deg(f (X)) = i . Then:

c ∗ eva,b(fj (X)) = eva,b(f (X)fj (X))

with deg(f (X)fj (X)) = i + ij ≤ i + il < k for all j ∈ {1, . . . , l}.

Hence

c ∗ C = 〈eva,b(f (X)fj (X)) with j ∈ {1, . . . , l}〉 ⊆ GRSi+il +1(a, b)

That is {i + i1, . . . , i + il} = i + I(C) ⊆ I(c ∗ C).Since c ∗ C has dimension l then |I(c ∗ C)| = l , thus

I(c ∗ C) = i + I(C).


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5


Let us define gj (X) = g0(X) (h1(X))j with j ∈ {0, . . . , l − 1}.

Then 0 ≤ deg(gj (X)) = d0 + j(d1 − d0) < k for all j ∈ {0, . . . , l − 1}.

Thus the degree of gj (X) is strictly increasing with j , (since d0 < d1).

Furthermore

eva,b(gj (X)) = eva,b(g0(X)) ∗ (eva(h1(X)))j = d ∗ cj

i.e. the code GRSl (c, d) has eva,b(gj (X)) with j ∈ {0, . . . , l − 1} as a basis.

That is GRSl (c, d) is an l-dimensional subcode of the code GRSk (a, b) and

I(C, a, b) = {d0, d1, d0 + 2(d1 − d0), . . . , d0 + (l − 1)(d1 − d0)}


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5


Let us assume that C = GRSk (c, d) is an l-dimensional subcode of GRSk (a, b),i.e. ∃gj ∈ Fq [X ] : eva,b(gj (X)) = evc,d(X j ) with j ∈ {0, . . . , l − 1}.Hence:

b ∗ eva,b(gi (X)gj (X)) = eva,b(gi (X)) ∗ eva,b(gj (X))

= evc,d(X i ) ∗ evc,d(X j ) = d ∗ evc,d(X i+j )

So eva,b(gi (X))gj (X)) = eva,b(gu(X)gv (X)), i.e. gi (X)gj (X) = gu(X)gv (X) with0 ≤ i, j, u, v ≤ l such that i + j = u + j .In particular we have that

g j−10 (X)gj (X) = g j

1(X) (2)

g0(X)g2(X) = g1(X)g1(X) (3)

From Equation 3 we can deduce that ∃h1 ∈ Fq [X ] such that g1(X) = g0(X)h1(X).That is gj (X) = g0(X)hj

1(X).And this imply that

d ∗ cj = evc,d(X j ) = eva,b(gj (X)) = eva,b(g0(X)) ∗ eva(h1(X))j

1 If j = 0 we deduce that d = eva,b(g0(X)).

2 If j = 1 we deduce that c = eva(h1(X)).

Let d0 = deg(g0(X)) and d1 = d0 + deg(h1(X)). Then the (a, b) non-gap sequenceof C is

d0, d1, d0 + 2(d1 − d0), . . . , d0 + (l − 1)(d1 − d0).

Therefore d0 = d0 and d1 = d1.


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5


If i1 + i2 ∈ I(C) + I(C)⇒{i1 ∈ I(C) =⇒Prop.1 ∃f1 ∈ Fq [X ] with deg(f1(X)) = i1 : eva,b(f1(X)) ∈ Ci2 ∈ I(C) =⇒Prop.1 ∃f2 ∈ Fq [X ] with deg(f2(X)) = i2 : eva,b(f2(X)) ∈ C

Therefore:

eva,b(f1(X)) ∗ eva,b(f2(X)) = eva,b∗b(f1(X)f2(X)) ∈ D

with deg(f1(X)f2(X)) = deg(f1(X)) + deg(f2(X)) = i1 + i2Thus i1 + i2 ∈ J (D).

COUNTEREXAMPLE: THE EQUALITY DOES NOT HOLD IN GENERAL

Consider C = 〈eva,b(f1), . . . ,mathrmeva,b(fl )〉 ⊆ GRS5(a, b) where

f1 = 1, f2 = X 2 + X , f3 = X 3 and f4 = X 4

Then:

1 I(C) = {0, 2, 3, 4} ⇒ I(C) + I(C) = {0, 2, 3, 4, 5, 6, 7, 8}.

2 1 ∈ J (D) since

X = f1(X)f2(X)− f 22 (X) + f1(X)f4(X) + 2f1(X)f3(X) ∈ 〈C ∗ C〉 = D.

But 1 /∈ I(C) + I(C).

In fact J (D) = {0, 1, . . . , 8} ⇒ D = GRS9(a, b).


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5


Let g1, . . . , gl be a basis of C. Then the elements gi ∗ gj with 1 ≤ i ≤ j ≤ lgenerate D. Therefore

dimD ≤l∑

i=1

i =(l + 1

2

).

Since D ⊆ GRS2k−1(a, b ∗ b) then dimD ≤ 2k − 1

Furthermore:

1 If D = GRSr (a, b)⇒ I(C, a, b) ⊆ {0, . . . , b r−12 c}.

In fact since D = GRSr (a, b) then by Proposition 4:

J (D) = {0, . . . , r − 1}

and by Proposition 8:

I(C, a, b) + I(C, a, b) ⊆ J (D, a, b ∗ b).

i.e. if I(C, a, b) = {i1, . . . , il} then:

1 2i1 = i1 + i1 ≥ 0⇒ i1 ≥ 0.2 If 2il ≤ 2k − 1 then 2il = il + il ∈ J (D)⇒ il ≤ b r−1

2 c.

2 Similarly to the previous procedure we can conclude 2 and 3.


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5


Recall that the code GRSk (a, b) is generated by the elements eva,b(X i ) withi ∈ {0, . . . , k − 1}.

Thus the code 〈GRSk (a, b) ∗ GRSl (a, c))〉 is generated by the elements:

eva,b(X i ) ∗ eva,c(X j ) = eva,b∗c(X i+j )

with i ∈ {0, . . . , k − 1} and j ∈ {0, . . . , l − 1} i.e. 0 ≤ i + j ≤ k + l − 2.

Therefore the right hand side of the previous equality is a complete set of generatorsof the code GRSk+l−1(a, b ∗ c).


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5


Let C be an l-dimensional subcode of GRSk (a, b) with I(C, a, b) = {i1, . . . , il}.Then by Proposition 2 there are l polynomials in normal form

fj (X) = X ij +∑s<ijs/∈I

fj,sX s ∈ Fq [X ], for all j = 1, . . . , l,

with j ∈ {1, . . . , l} such that C =⟨

eva,b(f1(X)), . . . , eva,b(fl (X))⟩.

Then the elements eva,b∗b(fu(X)fv (X)) with 1 ≤ u ≤ v ≤ l generate the squarecode D = 〈C ∗ C〉 where

deg(fu(X)fv (X)) = deg(fu(X)) + deg(fv (X)) = iu + iv

Assume that D = GRS2k−1(a, b ∗ b) i.e. the elements eva,b∗b(X j ) with0 ≤ j ≤ 2k − 2 form a basis of D.Hence ∀t ∈ {0, . . . , 2k − 2}, ∃(u, v) : iu + iv ≥ t and 1 ≤ u ≤ v ≤ l .Since eva,b∗b(fu(X)fv (X)) ∈ GRSt (a, b ∗ b)⇒ iu + iv < t and 1 ≤ u ≤ v ≤ l .Then the vector space Vt = GRS2k−1(a, b ∗ b) \ GRSt (a, b ∗ b) is generated by theelements eva,b∗b(fu(X)fv (X)) with iu + iv ≥ t and 1 ≤ u ≤ v ≤ l , i.e.

dim Vt = 2k − 1− t.

Thus this is a lower bound of the number of elements that generates Vt .


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5

PROPOSITION 12 Return I

Let C be an l-dimensional subcode of GRSk (a, b) such that

2k − 1 ≤ n, 2k − 1 ≤(l+1

2

)and I(C) = {k − l, . . . , k − 1}

By Proposition 2 there are l polynomials fj ∈ Lk in normal form that generates Csuch that:

fu(X) = X k−l−1+u + fu(X) with deg(fu(X)) ≤ k − l − 1 for u = 1, . . . , l

Then

guv (X) = fu(X)fv (X) = X 2l−2l−2+u+v +fu(X)X k−l−1+v +fv (X)X k−l−1+u+fu(X)fv (X)

Where:

deg(fu(X)fv (X)) ≤ 2k − 2l − 2.

deg(fv (X)X k−l−1+u), deg(fu(X)X k−l−1+v ) ≤ 2k − l − 2.

2k − 2l ≤ deg(fu(X)fv (X)) ≤ 2k − 2 and LC(fu(X)fv (X)) = 1

That is to say:

1 The first 2k − 2l − 1 columns of GD are quadratics in the l(k − l) coefficientsof the polynomials fu(X) with 1 ≤ u ≤ l .

2 The following l columns are linear in those coefficients.

3 The last l columns are the constant 0 or 1.


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5

PROPOSITION 12 Return II

Suppose that rank(GD) ≤ 2k − 1 then

Ü All square submatrices of GD of size 2k − 1 are singular.

Ü The determinant of such square submatrices is CERO.

Ü The determinant is a polynomial of degree ≤ 2(2k − 2l − 1) + l = 4k − 3l − 2whose variables are the coefficients of the polynomials fu(X) with 1 ≤ u ≤ l .

A polynomial ∆(Y ) ∈ Fq [Y 1, . . . ,YN ] of degree d has at most dqN−1 inFqN if d < q − 1.

Hence the number of roots in Fql(k−l) of one of these determinants is at most

(4k − 3l − 2)q l(k−l)−1 if 4k − 3l − 2 < q − 1.


CRYPTOGRAPHY

INTRODUCTION

GAPS OF A CODE



PROOFS

PROPOSITION 1

PROPOSITION 2

PROPOSITION 3

PROPOSITION 4

PROPOSITION 5

PROPOSITION 6

PROPOSITION 7

PROPOSITION 8

PROPOSITION 9

PROPOSITION 10

PROPOSITION 11

PROPOSITION 12

COROLLARY 5

COROLLARY 5 Return

Let C be an l-dimensional GRS subcode of GRSk (a, b), i.e. C = GRSl (c, d) andd0 < d1 be the first two elements of I(C, a, b).By Proposition 7 there exists g0, h1 ∈ Fq [X ] such that:

1 eva,b(g0(X)) = d.2 eva(h1(X)) = c.

3 d0 = deg(g0(X)).4 d1 = d0 + deg(h1(X)).

Note that

The number of possible polynomials g0 ∈ Fq [X ] is at most (q − 1)qd0 .

The number of possible polynomials h1 ∈ F1[X ] is at most (q − 1)qd1−d0 .

Since the pair (g0, h1) determines the code C uniquely and the number of possiblepairs of given degree d0 and d1 is at most (q − 1)2qd1 , then the number ofl-dimensional subcodes of GRSk (a, b) that are GRS is at most

k−l+1∑d1=1

(q − 1)2qd1 ≤ qk−l+3.

vulnerabilities of code-based cryptographyruudp/lectures/11-11-17-scd2011.pdf · 2011. 11. 25. ·...

Documents