Coding-theoretic problems in public key cryptography Carl Löndahl Department of Electrical and Information Technology Lund University, Sweden SWITS 12 June 3rd, 2012
Outline 1 Error correcting codes 2 Public key cryptography
Error correcting codes. The big picture: how to transmit information over a noisy channel.
Fundamental structure. The structure of an information-bearing system:
u → Encoder → v → Channel (adds e) → v + e → Decoder → û
By adding redundancy, we create an error-correcting code which is used by the encoder and decoder.
Error correcting codes. In general, we work with linear codes. The encoded codeword $v$ is created by multiplying the information sequence $u$ with a generator matrix $G$: $uG = v$, where $G$ is a $k \times n$ matrix, $u \in \mathbb{F}^k$ and $v \in \mathbb{F}^n$. This gives us $n - k$ bits of redundancy.
Example (Repetition code). Let $G = [1\ 1\ 1]$. Then (information → codeword → received → decoded):
1 0 1 → 111 000 111 → 110 000 111 → 1 0 1
1 0 1 → 111 000 111 → 010 000 111 → 0 0 1
Can correct at most one error in every block.
Error correcting codes. Problem statement: the general (linear) decoding problem. Find $u$ using $v = uG + e$, such that the weight of $e$ is minimized. Basically the least squares problem over the field $\mathbb{F}$.
Why is this interesting? In 1978, Berlekamp, McEliece and van Tilborg proved that the general problem is NP-hard! We can use this to construct a public key cryptosystem!
What is public key cryptography? A public key cryptosystem has
1. A public key for encryption, known by everyone...
2. ...and a private key for decryption, which is secret.
The ideal situation:
           Eve           Bob (has key!)
Encrypt    O(poly(n))    O(poly(n))
Decrypt    O(exp(n))     O(poly(n))
How to construct a public key cryptosystem?
1. A problem with a set $S_E$ of easy instances
2. ...and a set $S_H$ of hard instances
3. ...and an invertible function transforming a problem in $S_E$ into a problem in $S_H$. The function is often called a trap-door function.
McEliece public key cryptosystem: In a paper in 1978, McEliece suggested using the decoding problem. It is hard for the random case...
Step 1. Alice randomly chooses a triple $(S, G, P)$ as her secret key. She constructs the product $SGP = \hat{G}$, which is the public key. Now Alice publishes $\hat{G}$.
Now, suppose we want to encrypt...
Step 2. Bob encrypts a message $m$ by computing the vector $c' = m\hat{G}$, using Alice's public key $\hat{G}$. He then adds a randomly generated error vector $e$ of weight $t$ to form the ciphertext, $c = c' + e$.
Alice now wants to decrypt the message $c$ sent to her, where $\hat{G}$ is random (or at least random-looking!). This is hard, but we have a trump card up our sleeve... remember the trap-door?
$$c = \overbrace{m\hat{G} + e}^{\text{hard}} = m(SGP) + e = (mS)GP + e$$
$$cP^{-1} = ((mS)GP + e)P^{-1} = (mS)G + eP^{-1} = \underbrace{\hat{m}G + \hat{e}}_{\text{easy}}$$
Note: $P$ is a permutation matrix and does not change the number of errors in $e$, i.e. $\mathrm{weight}(e) = \mathrm{weight}(\hat{e})$!
Step 3. Alice decrypts the ciphertext by computing $\hat{c} = cP^{-1}$ and uses the efficient decoding algorithm to decode $\hat{c}$ to $\hat{m} = mS$. Finally, the plaintext $m$ is given by $\hat{m}S^{-1} = (mS)S^{-1} = m$.
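Steps 1 to 3 as a runnable toy, added here as an illustration and not code from the talk. Assumptions: the secret code G is a systematic Hamming(7,4) code (so t = 1), S is a random invertible 4×4 binary matrix, P is stored as a column permutation, and all function names are hypothetical; the parameters are illustrative only.

```python
import random

# Secret code: systematic Hamming(7,4), t = 1 (toy stand-in for the code Alice can decode).
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G = [[int(i == j) for j in range(4)] + A[i] for i in range(4)]    # G = [I | A]
H_COLS = A + [[int(i == j) for j in range(3)] for i in range(3)]  # columns of H = [A^T | I]

def vec_mat(v, M):
    """Row vector times matrix over GF(2)."""
    return [sum(v[i] & M[i][j] for i in range(len(v))) % 2 for j in range(len(M[0]))]

def gf2_inverse(M):
    """Gauss-Jordan inverse over GF(2); None if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def keygen(rng):
    """Return (secret, public): secret = (S^-1, column permutation), public = SGP."""
    S_inv = None
    while S_inv is None:                       # retry until S is invertible
        S = [[rng.randrange(2) for _ in range(4)] for _ in range(4)]
        S_inv = gf2_inverse(S)
    perm = rng.sample(range(7), 7)             # P as a column permutation
    G_pub = [[row[p] for p in perm] for row in (vec_mat(s, G) for s in S)]
    return (S_inv, perm), G_pub

def encrypt(m, G_pub, rng):
    c = vec_mat(m, G_pub)                      # c' = m * G_pub
    c[rng.randrange(7)] ^= 1                   # add error e of weight t = 1
    return c

def decrypt(c, secret):
    S_inv, perm = secret
    c_hat = [0] * 7
    for j, p in enumerate(perm):
        c_hat[p] = c[j]                        # c_hat = c * P^-1
    syn = [sum(c_hat[j] & H_COLS[j][i] for j in range(7)) % 2 for i in range(3)]
    if any(syn):
        c_hat[H_COLS.index(syn)] ^= 1          # syndrome names the flipped position
    return vec_mat(c_hat[:4], S_inv)           # m_hat = mS, then m = m_hat * S^-1
```

Because the code is systematic, the first four bits of the corrected word are already $\hat{m} = mS$, so decoding reduces to one syndrome lookup followed by multiplication with $S^{-1}$.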
What about security? A trivial attack:
1. Choose $k$ columns from $\hat{G}$.
2. Form a $k \times k$ matrix $G$ and hope that the errors are in the remaining $n - k$ columns.
3. Invert the matrix. Now $m = cG^{-1}$.
Probabilistic algorithm, expected exponential complexity. Best algorithms use information set decoding. See [JL11], [MMT11], [BJMM12]. Still expected exponential complexity.
My research right now: Some codes, however, have efficient decoding algorithms, even without knowing the key. These kinds of attacks are called structural attacks. The original approach uses a set of easy instances based on a class of codes called Goppa codes. They have a well-defined structure, making them susceptible to structural attacks. We have approached the problem of low entropy by using time-variant convolutional codes. These codes have large sets of independent random parity bits (or variables) = lots of entropy.
Thank you for your attention! Questions?