Proposed Platform Group - A public key exchange using semidirect prod- prod-ucts of groups

A public key exchange using semidirect prod- prod-ucts of groups

2. Proposed Platform Group

The group B can be an additive abelian p-group of order p^m with the addi-tional property that pb = 0 for every b ∈ B, where p is approximately 10⁵. ThenB may be considered anm-dimensional vector space overZ/pZ=F^p. Un-der these conditions the group of automorphisms ofB isGLm(F^p). The order of GLm(F^p) is (p^m−1)(p^m−p)· · ·(p^m−p^m⁻¹). Since we require a homomorphism φ : A → Aut(B), the order of φ(a) must divide the order of a. We know that Aut(B) has an element of orderp, and so to ensure that we can find a non-trivial homomorphismφ, we require that the groupAalso be apgroup of orderp^l. Now

|BoφA|=p^m+l, and so 1< n < p^m+l. For security purposes, we requirento be sufficiently large.

If we requireB andA to be as above, the homomorphismsφa andψa have matrix representations J and K respectively, and the element b and the shared keykcan be represented as column vectors.

We would like to ensure that it is easy to find homomorphismsφa, ψa that commute. We begin by choosing an arbitrary matrixM ∈GLm(F^p) and a natural number swith s=bm

2c, which are made public. Bob chooses an automorphism of the formH =

Q 0 0 I

and Alice chooses an automorphism of the form S = I 0

0 R

, whereQ, Rares×sblock matrices andIis the (m−s)×(m−s) identity matrix. The matricesH andS are kept secret. Bob and Alice select the matrices

J =PB(M HM⁻¹) =

t⁰

i=1

ciM HⁱM⁻¹ and

K=PA(M SM⁻¹) = Xt i=1

diM SⁱM⁻¹

respectively, whereci, di ∈F^pare randomly selected coefficients. We would like to add the additional requirement that the matricesJ andKdo not have an ”‘easy”’

form, such as diagonal, upper triangular or lower triangular matrices, although the

4 M. Habeeb, D. Kahrobaei and V. Shpilrain

probability of this occurring is negligible. The matricesJ and K commute, and can be used asφa andψa. Now computing the shared key takes the form

n−1

i=1

Jⁱ(K·b+K²·b+· · ·Kⁿ⁻¹·b) =

n−1

i=1

(JⁱK·b+JⁱK²·b+· · ·+JⁱKⁿ⁻¹·b)

= (J+J²+· · ·+Jⁿ⁻¹)(K·b+K²·b+· · ·+Kⁿ⁻¹·b)

=k or

n−1

i=1

Kⁱ(J·b+J²·b+· · ·Jⁿ⁻¹·b) =

nX−1

i=1

(KⁱJ·b+KⁱJ²·b+· · ·KⁱJⁿ⁻¹·b)

= (K+K²+· · ·+Kⁿ⁻¹)(J·b+J²·b+· · ·+Jⁿ⁻¹·b)

Finding the matrixK from the public informationb and K·b+K²·b+· · ·+Kⁿ⁻¹·b=g is equivalent to solving the matrix equation

(K+K²+· · ·+Kⁿ⁻¹)·b=g. (2.1) Similarly, from the public information we may findJ by solving the equation

(J+J²+· · ·+Jⁿ⁻¹)b=h. (2.2) We may write these matrix equations as a system ofm polynomial equations in the entries ofK (or J). The search problem for polynomial equations over finite fields has been well studied and is known to be NP-hard [1]. By addingb to both sides of (2.1), which is public to the attacker, equation (2.1) becomes

(I+K+K²+· · ·+Kⁿ⁻¹)·b=g+b, which is equivalent to

(I−Kⁿ)·b= (I−K)·(g+b).

Although this simplifies equation (2.1) it does not simplify the problem at hand since we will still have a matrix equation, which can still be written as a system of non-linear equations over a finite field. We also note that if the matrices J andK are of a simple form (diagonal, upper or lower triangular) then this equa-tion becomes easier to solve, but the probability of this occuring is neglible. The cryptosystem is secure against eigenvalue attacks as the matrices J and K are unknown.

A public key exchange using semidirect products of groups 5

References

[1] G. V. Bard.Algebraic Cryptanalysis(Springer-Verlag, 2009) 1-392 M. Habeeb

CUNY Graduate Center, City University of New York e-mail:MHabeeb@GC.Cuny.edu

D. Kahrobaei

CUNY Graduate Center, City University of New York e-mail:DKahrobaei@GC.Cuny.edu

V. Shpilrain

The City College of New York and CUNY Graduate Center e-mail:shpil@groups.sci.ccny.cuny.edu

On lower bounds for Information Set Decoding over F

Robert Niebuhr¹, Pierre-Louis Cayrel², Stanislav Bulygin², and Johannes Buchmann^1,2

1 Technische Universit¨at Darmstadt Fachbereich Informatik Kryptographie und Computeralgebra,

Hochschulstraße 10 64289 Darmstadt

Germany

{rniebuhr, buchmann}@cdc.informatik.tu-darmstadt.de

2 CASED – Center for Advanced Security Research Darmstadt, Mornewegstrasse, 32

64293 Darmstadt Germany

{pierre-louis.cayrel, stanislav.bulygin}@cased.de

Abstract. Code-based cryptosystems are promising candidates for post-quantum cryptography. The increasing number of cryptographic schemes that are based on codes over fields different fromF2 requires an analy-sis of their security. Information Set Decoding (ISD) is one of the most important generic attacks against code-based cryptosystems. We give lower bounds for ISD overFq, thereby anticipating future software and hardware improvements. Our results allow to compute conservative pa-rameters for cryptographic applications.

Key words: Information Set Decoding, lower bounds, codes, post quan-tum, cryptography.

Introduction

Error-correcting codes have been applied in cryptography for at least three decades since R. J. McEliece published his paper in 1978 [10]. It has received much attention as it is a promising candidate for post-quantum cryptography.

McEliece used the class of binary Goppa codes for his construction, and most other schemes published since then have also been using binary codes.

However, in recent years, many new proposals use codes over larger fields Fq, mostly in an attempt to reduce the size of the public and private keys. Two examples that received a lot of attention are quasi-cyclic codes [3] by Berger at al., and quasi-dyadic codes [11] (Misoczki-Barreto). The security, however, is not as well understand forq-ary codes as for binary ones: Faug`ere et al. [7] published an attack which broke these two cryptosystems for several sets of parameters.

This makes it important to analyze the complexity of attacks against code-based cryptosystems over larger fieldsFq.

The two most important types of attacks against code-based cryptosystems are structural attacks and decoding attacks. Structural attacks exploit structural weaknesses in the construction, and often they attempt to recover the private key.

Decoding attacks are used to decode a given cipher text. In this paper, we will not consider structural attacks, since they are restricted to certain constructions or classes of codes. Information Set Decoding (ISD) is one of the most important generic decoding attacks, and it is the most efficient against many schemes.

Previous work

Over the years, there have been many improvements and generalizations of this attack, e.g. Lee-Brickell [9], Stern [14], Canteaut-Chabaud [6], Bernstein et al. [5].

Recently, two papers – Finiasz-Sendrier [8] and Peters [12] – studied this algo-rithm. The former provides lower bounds for the complexity of the ISD algorithm over F2, the latter describes how to generalize Stern’s and Lee-Brickell’s algo-rithms toFq.

Our contribution

In this paper, we propose and prove lower bounds for the complexity of ISD algorithms overF^q. Our analysis gives an improvement of the efficiency of the ISD algorithm compared to Peters’ analysis [12] and generalizes the lower bounds proposed by Finiasz and Sendrier in [8]. In addition to that, we show how to use the structure ofFq to increase the algorithm efficiency and compare our lower bounds with the ISD algorithm described by Peters. The details of the proof are given in the Appendix.

Organization of the paper

In Section 1, we start with a review of coding theory and cryptography overFq. The subsequent Section 2 presents the Information Set Decoding algorithm we are analyzing and states the lower bounds result. In Section 3, we apply these lower bounds to concrete parameters and compare the results with the most recent algorithm. We conclude in Section 4.

1 Review

1.1 Coding theory overFq

In general, a linear codeCis ak-dimensional subspace of ann-dimensional vector space over a finite fieldFq, wherekandnare positive integers withk≤n, andq is a prime power. The error-correcting capability of such a code equals (d−1)/2,

and it is the maximum number of errors that can be decoded. By (n, k, t), we denote a code that can efficiently decodet≤(d−1)/2 errors. The co-dimension rof this code is defined byr=n−k.

Definition 1 (Hamming weight). The (Hamming) weightwt(x)of a vector xis the number of its non-zero entries.

Definition 2 (Minimum distance).The (Hamming) distanced(x, y)between two codewordsx, y∈ C is defined as the (Hamming) weight ofx−y. The mini-mum weightdof a codeC is defined as the minimum distance between any two different codewords, or equivalently as the minimum weight over all non-zero codewords:

d:= min

x,y∈C x6=y

d(x, y) = min

c∈C c6=0

wt(c).

A linear code of length n, dimension k and minimum distance d is called an [n, k, d]-code.

Definition 3 (Generator and Parity Check Matrix). Let C be a linear code overFq. A generator matrixG ofCis a matrix whose rows form a basis of C:

C={xG:x∈F^kq}. A parity check matrixH ofC is defined by

C={x∈Fⁿq :Hx^T = 0}

and generates the dual space ofC. For a given parity check matrix H and any vectore, we callsthe syndrome ofewiths^T :=He^T .

Remark 1. Two generator matrices generateequivalent codes if one is obtained from the other by a linear transformation or permutation. Therefore, we can write any generator matrix G in systematic form G = [Ik|R], which allows a more compact representation. IfC is generated byG = [Ik|R], then a parity check matrix forCisH= [−R^T|In−k] (up to permutation,Hcan be transformed so that the identity submatrix is on the left hand side).

The problems which cryptographic applications rely upon can have different numbers of solutions. For example, public key encryption schemes usually have exactly one solution, while digital signatures often have more than one possible solution. The uniqueness of solutions can be expressed by the Gilbert-Varshamov (GV) bound:

Definition 4 (q-ary Gilbert-Varshamov bound).LetC be an(n, k, t)code overFq, and letr:=n−k. Theq-ary GV bound is the smallest integert0such

that Xt0

i=0

n i

(q−1)ⁱ≥q^r.

For large values ofn, the last term dominates the sum, so the condition is often

approximated by

n t0

(q−1)^t⁰≥q^r.

If the number of errors that have to be corrected is smaller than the GV bound, then there is at most one solution. Otherwise, there can be several solutions.

1.2 The syndrome decoding problem and the McEliece PKC

Problem 1. Given a matrixH and a vectors, both overFq, and a non-negative integert; find a vectorx∈Fⁿq of weighttsuch thatHx^T =s^T.

This problem was proved to be NP-complete in 1978 [4], but only for binary codes. In 1994, A. Barg proved that this result holds for codes over all finite fields ([1, in russian] and [2, Theorem 4.1].

Many code-based cryptographic schemes are based on the hardness of syndrome decoding. Among these are the McEliece cryptosystem and the CFS signature scheme. The latter, however, is unsuitable forq-ary codes, since it requires codes with a high density (ratio of the number of codewords to the cipher space size), and the density rapidly decreases with increasing field sizeq. We will therefore briefly describe the McEliece cryptosystem and show how it can be attacked by solving the syndrome decoding problem.

The McEliece PKC The McEliece public-key encryption scheme was pre-sented by R. McEliece in 1978 ([10]). The original scheme uses binary Goppa codes, for which it remains unbroken, but the scheme can be used with any class of codes for which an efficient decoding algorithm is known.

LetGbe a generator matrix for a linear (n, k, t)-code overFq,DGa correspond-ing decodcorrespond-ing algorithm. LetP be an×nrandom permutation matrix andSan k×kinvertible matrix overFq. These form the private key, while (G, t) is madeb public, whereGb=SGP.

Encryption:Represent the plaintext as a vectormof lengthkoverF^q, choose aq-ary random error vectoreof weight at mostt, and compute the ciphertext

c=mGb+e.

Decryption:Compute b

c=cP⁻¹=mSG+eP⁻¹.

AsP is a permutation matrix,eP⁻¹ has the same weight ase. Therefore,DG

corrects these errors:

mSG=DG(bc)

LetJ ⊆ {1, . . . , n}be a set such thatG_·J is invertible, then we can compute the plaintext

m=mSG·G⁻_·_J¹·S⁻¹.

Attacking the McEliece PKC Many variants of the McEliece encryption scheme have been proposed, often in an attempt to reduce the size of the public key. In most cases, these variants differ in which class of codes they use. Many of these variants have been broken, since a structural weakness had been found, but the original scheme using binary Goppa codes remains secure to date. For most parameters, ISD-like attacks are the most efficient attacks against the McEliece scheme (an exception is the CFS signature scheme, where a Generalized Birthday attack due to Bleichenbacher is more efficient).

Dans le document Proceedings of the Second International Conference on Symbolic Computation and Cryptography (Page 139-147)