Singapore Management University Institutional Knowledge at Singapore Management University

Research Collection School Of Information Systems School of Information Systems

1-1994 On the equivalence of McEliece's and Niederreiter's public- Y. X. LI

Robert H. DENG Singapore Management University, [email protected]

X. M. WANG DOI: https://doi.org/10.1109/18.272496

Follow this and additional works at: https://ink.library.smu.edu.sg/sis_research Part of the Information Security Commons

Citation LI, Y. X.; DENG, Robert H.; and WANG, X. M.. On the equivalence of McEliece's and Niederreiter's public-key cryptosystems. (1994). IEEE Transactions on Information Theory. 40, (1), 271-273. Research Collection School Of Information Systems. Available at: https://ink.library.smu.edu.sg/sis_research/94

This Journal Article is brought to you for free and open access by the School of Information Systems at Institutional Knowledge at Singapore Management University. It has been accepted for inclusion in Research Collection School Of Information Systems by an authorized administrator of Institutional Knowledge at Singapore Management University. For more information, please email [email protected]. IKANJALIIUNJ UN INrUKb’lAIlUN IHCUKX, VUL. W,IYU. 1, JAIYUAKX IYY4 LI1

REERENCES of Niederreiter’s , by Niederreiter [3] and by Brickell and Odlyzko [4]. Furthermore, we employ the best known attack, the J. Ziv and A. Lempel, “Compression of individual sequences via Lee-Brickell attack [5], to cryptanalyze the two systems. Some new variable-rate coding,” IEEE Trans. Inform. Theory, vol. IT-24, pp. 530-536, Sept. 1978. optimal parameter values and work factors are obtained. I. Rissanen, “A universal data compression system,” IEEE Trans. We briefly review McEliece’s and Niederreiter’s cryptosystems in Inform. Theory, vol. IT-29, pp. 656-664. Sept. 1983. Section 11. The equivalence of the two systems is derived in Section R. G. Gallager, Information Theory and Reliable Communication. New III. Finally, we cryptanalyze the two systems and comment on the York Wiley, 1968. selection of optimal system.parameters in Section P. Elias, “Universal codeword sets and representations of the integers,” IV. IEEE Trans. Inform. Theory, vol. IT-21, pp. 194-203, Mar. 1975. T. M. Cover and I. A. Thomas, Elements of Information Theory. New MCELIECE’S AND NIEDERREITER’SCRWroSYSTEMS York Wiley, 1991. II. W. F. Stout, Almost Sure Convergence. New York Academic, 1974. In this section, brief descriptions of McEliece’s and Niederreiter’s L. D. Davisson, “Universal noiseless coding,” IEEE Trans. Inform cryptosystems are presented in order to facilitate discussions in later Theory, vol. IT-19, pp. 783-795, Nov. 1973. sections. Both ctyptosystems are algebraic-coded two-key systems. I. C. Kieffer, “A unified approach to weak universal source coding,” IEEE Trans. Inform. Theory, vol. IT-24, pp. 674-682, Nov. 1978. The basic idea behind them was to construct a linear error-correcting A. D. Wyner, “An upper bound on the entropy series.’’ Inform. Contr., code for which a fast decoding algorithm is known, and then to vol. 20, pp. 176181. 1972. disguise it as a general whose decoding problem is L. Gyorfi, I. Pfili, and E. C. van der Meulen, “On universal noise- NP-complete. less source coding for infinite source alphabets,” in European Trans. Telecommun. Related Technol., vol. 4, pp. 125-132, Mar.-Apr. 1993. A. McEliece ’s Cryptosystem [2] On the Equivalence of McEliece’s and This system uses a binary (n, k, 2t+ 1) Goppa code C where n is Niederreiter’s Public-Key Cryptosystems the code length, k is the code dimension, and t is the error-correcting capability of C. C is constructed by randomly selecting an irreducible Yuan Xing Li, Member, IEEE, Robert H. Deng, polynomial of degree t over GF(2’) as the Goppa polynomial (note and Xin Mei Wang, Member, IEEE that n = 2’). Let G be a k x n generator matrix of C [6], S any k x k nonsingular matrix, and P any n x n permutation matrix. Private Key: G, S, P. Abstract-It is shown that McEliece’s and Niederreiter’s public-key Public Key: G‘ = SGP and t. cryptosystems are equivalent when set up for corresponding choices Messages: k bit vectors m over GF(2). of parameters. A security analysis for the two systems, based on this equivalence observation, is presented. : c = mG‘ + e. e, an n bit error vector with (Hamming) weight t. c, the n bit . Index Tenns-Cryptosystems, McEliece’s cryptosystem, Niederreiter’s cryptosystem, security, algebraic codes. Decryption: Since c = mSGP + e, cP-’ = (mS)G+ eP-’ . Use a fast decoding algorithm for C to correct the error “eP-’, find mS and thus m. I. INTRODUCTION McEliece investigated several attacks against his system. One of Since the concept of public-key cryptosystems appeared in the those was to factor the public key to obtain the private key, but fundamental paper of Diffie and Hellman [l] in 1977, the field of this approach was thought to be hopeless. Another attack, considered cryptology has undergone a dramatic development. The last decade as the most promising, was to pick k “error-free” elements of the has seen explosive growth in unclassified research in all aspects of ciphertext c, and then to solve a set of A linear equations to recover the cryptology. Public-key cryptosystem and have been message m. Using this attack, McEliece suggested using n = 1024 two of the most active areas. So far many kinds of public-key and t = 50, i.e., (1024, 524, 101) Goppa code in his system. The cryptosystems have been proposed, and many of them that had been corresponding work factor of the system is approximately 2’O.’ [7]. thought to be secure have been broken. A special class of public-key cryptosystems were constructed B. Nederreiter’s Cryptosystem [3] based on algebraic error-correcting codes. In the present paper, This is a knapsack-type cryptosystem which employs we focus on two such systems, McEliece’s [2] and Niederreiter’s an (n, k, 2t 1) linear code C over GF(q). Let E be an (n - k) x n [3] cryptosystems, examine the relationship between the two, and + parity check matrix of any (n - k) x (n - k) nonsingular derive the interesting result that the two systems are equivalent and C,M matrix, and any n x n permutation matrix, all over GF(q). have the same security when set up for corresponding choices of P parameters. This result allows us to clarify the security evaluations Private Key: E, M, and P. Public Key: H‘ = MHP and t. Manuscript received May 4, 1993; revised November 17, 1993. This work Messages: n dimensional vectors J over GF(q) with weight t. was supported in part by the National Natural Science Foundation of China Encryption: z = #HIT. z, the ciphertext of dimension n - k. under Grant 69072910. z Y. X. Li is with the Magnetic Technology Centre, National University of Decryption: Since = J(MHP)~,z(MT)-’ = (@“)BT. Singapore, Kent Ridge, Singapore 05 1 1, Republic of Singapore. Use a fast decoding algorithm for C to find g$ and thus g. R. H. Deng is with the Department of Electrical Engineering, National Niederreiter [3] cryptanalyzed his system and mentioned two University of Singapore, Kent Ridge, Singapore 05 11, Republic of Singapore. X. M. Wang is with the Department of Information Engineering, Xidian example systems, one using a binary concatenated (104,24, 31) code University, People’s Republic of China. and the other using a (30, 12, 19) ReedSolomon code over GF(31). IEEE Log Number 9215123. The examples were later verified as insecure by Brickell and Odlyzko

0018-9448/94$04.00 Q 1994 IEEE 212 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 40, NO. 1, JANUARY 1994

[4]. The attack used in Niederreiter’s cryptanalysis was to factorize provided that the two cryptosystems are based on the same error- H’ in the hope of getting M,H, and P. However, this cryptanalysis correcting code. Without loss of generality, we assume, throughout was not sufficient to ensure the security of his cryptosystem. Actually, the rest of the paper, that the same binary error-correcting codes are McEliece has shown that this attack was not the most threatening. used in the two systems. In the following, we derive the equivalence relationship between Attack 1 (Lee-Brick11 Attack): Picke a k x k submatrix G6 of the two cryptosystems, and re-evaluate the securities of the two G’ consisting of the jlth, j~th, . , and the jkth columns of G’. systems using the best known attack, the LeeBrickell attack. Let ek and ek be the k dimensional vectors consisting of the jl th, jzth,. , and the jhth bits of e and e, respectively. It then follows that ek +ek = mG6 and that (ck +ek)(GL)-lG = mGL(GL)-lG = EQUIVALENCEOF THE MCELIECE’S m. mG. Choose a k-bit vector ei with t) or fewer ones. If AND NIEDERREITERSCRYFTOSYSTEMS j(< e+ (ek +ei)(GL-l)Ghas weight t, then ei= ek and the message A fair comparison of the two systems dictates that they both be m = (ck + ek)(GL)-’ is recovered; otherwise, choose another e6 based on the same error-correcting (n, k, 2t + 1) linear code C. Let and repeat the above process. If all the bit error pattems eL of H and G denote the parity check matrix and the generator matrix, k weight 5 j have been exhausted and the message still can not be respectively, of C. Then finding H from G (or equivalently finding recovered, then pick another submatrix of G’ and the above process G from H) can be achieved by linear algebra [6]. For instance, by is repeated. The process continues until m is found. converting the generator matrix into the systematic form G = [IkA], The probability that there are i errors in the randomly chosen k-bit the parity check matrix is simply given by H = -[ATIn-k]. vector ck is Given the public key G’ and the encryption equation e = mG‘ +e in McEliece’s cryptosystem, multiplying both sides of the equation PZ = ;)I(;) by HIT, we obtain (f)(; 1 Therefore, the probability that the attack completes successfully is C:=,pZand that the average number of times we must repeat the algorithm before we are successful is since G’HrT = 0. Note that (1) is identical to Niederreiter’s encryption equation. Given z and H‘, if e can be found, i.e., 3 Niederreiter’s cryptosystem is broken, so is McEliece’s cryptosystem. T3 = l/Et. (3) Therefore, it is not more difficult to break McEliece’s cryptosystem i=O than to break Niederreiter’s cryptosystem. The number of k bit error pattems with j or fewer ones is On the other hand, given the public key H’ and the encryption equation z = yHtT in Niederreiter’s cryptosystem, by line& algebra, N, = k(t). an n-dimensional vector e of weight larger than or equal to t can *=O be found such that z = cHIT. Obviously, e may be expressed as Thus, the average overall work factor for this attack is

c=mG‘+y (2) W1, = T3(ak3+ N,/3k). (4) where m is a k-dimensional vector and the weight of y is t. Attack 1 is based on the encryption equation e = mG‘ + e. As Equation (2) is just (2) McEliece’s encryption equation. Therefore, we have previously shown, this equation can be transformed into if McEliece’s cryptosystem can be broken, so can Niederreiter’s the encryption equation z = eatT by linear algebra. Therefore, the cryptosystem. security of McEliece’s cryptosystem may also be analyzed using a Lee-Brickell type attack based on z = earT.This is demonstrated IV. SECURITYCOMMENTS below. McEliece [2] suggested two possible attacks on his cryptosystem. Attuck2: Pick an (n - k) x (n - k) submatrix Hk-k of H‘ The first attack is to factor the public key G’ in the hope of finding consisting of the jlth, jzth,... ,j,-hth columns of H‘. Let en-k the private key S, G, and P, i.e., finding trapdoors to his system. be the (n - k) bit vector consisting of the jlth, jzth, ... ,jn-kth Adams and Meijer [7] stated that there is usually only one trapdoor bits of e. Let en(n - k) be the n bit vector which is identical to in McEliece’s cryptosystem. Recently, Gibson [8] showed that there en-k in positions j1, jz, . . . ,jn-k, and with the other k positions always exist multiple trapdoors in any instance of McEliece’s system. set to zero. Furthermore let en(k = e + en(n - k). Then z = However, it seems difficult to find trapdoors to McEliece’s system. eHtT = (en(n- k)+-(k))H‘ 4= en(n- k)HIT +en(k)HIT. The second attack proposed by McEliece is to directly recover m Multiply both sides of the above equation by (HEk)-’, and from c without using the private key. The basic idea of this attack after rearrangement, we have en-k = (z en(k)H’T)(HEk)-’. is to repeatedly select k bits at random from an n-bit ciphertext + vector and estimate m based on the k selected bits. If the k selected Choose an n-bit vector eh(k) with (TI - k) zeros at positions bits are error-free, the message m will be recovered; otherwise, the j1, jz, . . . ,jn-k, and j(< t) or fewer ones at the other k positions. process is repeated by selecting another set of k bits from e until the Calculate E (z + eh(k)H’T)(H:k)-l. Augment e& message is recovered correctly. into an n bit vector eh(n - k) which is identical to in The best known attack, proposed by Lee and Brickell [5], is a positions j, , j, ,. . . ,j, -k , and with the other ]E positions set to zero. generalization of McEliece’s second attack. The Lee-Brickell attack If &(n-k)+&(k) has weight t and (eh(n-k)+eh(k))H‘T= z, allows the k selected bits to contain some errors, and try to recover then e = &(n - k) + eh(k) is found; otherwise, choose another the message correctly. Because of the equivalence of McEliece’s and eh(k) and repeat the above procedure. If all the possible vectors Niedereiter’s cryptosystems, in the following we will cryptanalyze eh(k) have been tried and e still cannot be found, pick another McEliece’s cryptosystem under the best known attack. The results Hk-k and repeat the above process. The process continues until of the analysis apply equally well to Niederreiter’s cryptosystem, e is recovered. IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 40, NO. 1, JANUARY 1994 273

The probability that there are t - i ones among the randomly chosen REFERENCES (n - k) bit vector e,-h is [l] W. Diffie and M. E. Hellman, “New direction in ,” IEEE Trans. Inform. Theory, vol. IT-22, pp. 644-654, Nov. 1976. [2] R. J. McEliece, “A public-key cryptosystem based on algebraic coding theory,” DSN Prog. Rep., Jet Prop. Lab., California Inst. Technol., Pasadena, CA, Jan.-Feb. 1987, pp. 114-116. = [3] H. Niederreiter, “Knapsack-tye cryptosystems and algebraic coding (:) (; 1:)I(;). theory,” Prob. Contr. Inform. Theory, vol. 15, no. 2, pp. 157-166, 1986. [4] E. F. Brickell and A. M. Odlyzko, “Cryptanalysis: A survey of recent Therefore the probability that the algorithm finishes successfully is results,” Proc. ZEEE, vol. 76, pp. 578-593, May, 1988. pi. The average number of executions T’ is then again given [5] P. J. Lee and E. F. Brickell, “An observation on the security of by (3) with pi’s given in (5). The number of all possible n bit error McEliece’s public-key cryptosystem,” in Advance in Cryptology: Proc. Eurcrypto ’88. New York Springer-Verlag, 1989. pp. 275-280. patterns is eh(k) [6] F. J. MacWilliams and N. J. A. Sloane. The Theory OjError-Correcring Codes. Amsterdam, The Netherlands: North-Holland, 1977. [7] C. M. Adams and H. Meijer, “Security-related comments regarding McEliece’s public-key cryptosystem,” ZEEE Tram. Inform. Theory, vol. 35, pp. 454455, Apr. 1989. [8] J. K. Gibson, “Equivalent Goppa codes and trapdoors to McELiece’s Consequently, the average overall work factor for attack 2 is public-key cryptosystem,” in Advance in Cryptology: Proc. Eurcrypto ’91. New York: Springer-Verlag, 1992, pp. 517-521. W2, = T,(cy(n- k)3 + N3p(n- k)). (6) [9] J. C. Kagarias and A. M. Odlyzko, “Solving low density subset sum problems,” J. Assoc. Comput., vol. 32, pp. 229-246, Mar. 1985. [lo] V. I. Korzkik and A. I. Turkin, “Cryptanalysisof McEliece’s public-key With cy = p, Lee and Brickell showed that the optimum j cryptosystem,” in Advance in Cryptology: Proc. Eurcrypto ‘91. New which minimizes the work factor W1, is 2 for all values of useful York: Springer-Verlag, 1992, pp. 27-28. code parameters. This conclusion also applies to W2,. Assuming cy = /3 = 1 and n = 1024, they further showed that the value of An Attack on the Interlock Protocol t which maximizes Wl2 is 38 and that Wlz M 273.4. result This When for Authentication represents a reduction of order 2” as compared with the work factor Used obtained by Adams and Meijer [7]. Steven M. Bellovin and Michael Merritt With Attacks 1 and 2 presented above, the work factor of attacking McEliece’s-Nederreiter’s cryptosystem should be defined as A6ssiract-Exponential may be used to establish secure W = min(Wl2, W22) (7) communications between two parties who do not share a private key. It fails in the presence of an active wiretap, however. Davies and Price and the coding parameters should be selected to maximize W. Again suggest the use of Shdrand Rivest’s “Interlock Protocol” to surmount this difEculty. We demonstrate that an active attacker can, at the cost of a assuming cy = = 1 and n = our calculations showed that the p 1024, timeout alarm, bypass the passwork exchange, and capture the passwords value oft which maximizes (7) is 41. With this new optimum value used. Furthermore, if the attack is from a terminal or workstation oft, Wlz M 273.1, W22 M 271.9, and therefore, W = W22 M 271.9. attempting to contact a computer, the attacker will have access before Note that, although t = 38 maximizes Wlz, it does not maximizes any alarm can be sounded. W, since in this case W22 M 271.8. Index Tenns-Cryptography, protocol, security, authentication, expo- Brickell and Odlyzko [4] proposed another attack on McEliece’s nential key exchange, Ditlie-Hellman cryptosystem based on the low density algorithm of [9]. However, the lattice basis reduction algorithm employed in this attack is not guaranteed to find the vector e, and the attack does not seem I. INTRODUCTION promising. The exponential key exchange protocol [l] has been suggested as It should be mentioned that Korzhik and Turkin [lo] claimed to a form of public-key cryptosystem. It is also useful if two parties have found a polynomial time algorithm for decoding linear codes wish to set up a secret conversation without prior arrangement, as up to their minimum distance, which in particular would allow one the public keys are relatively easy to generate. to break the two cryptosystems discussed in this paper. However, The dialog works as follows. Let a and p be large, publicly known since the description of this algorithm is very complicated and its numbers. Suppose that A wishes to talk privately with B. Each side correct functioning within the claimed time bounds could never be picks a random number, AR and BR.The following messages are confirmed experimentally according to the authors’ information, it sent: appears doubtful whether this attack has any real significance.

ACKNOWLEDGMENT aARmodP + t aBRmodP. The authors would like to express their deep gratitude to Prof. U. At this point, A, who knows AR, can calculate M. Maurer, the Institute for Theoretical Computer Science, Switzer- land, for his valuable advice and comments which have helped (cv~”)~”modp cyARBR modp. improve the quality and the presentation of the paper significantly. Manuscript received July 15, 1990, revised January 31, 1993. The authors are also grateful to the referees for their helpful com- The authors are with AT&T Bell Laboratories, Murray Hill, NJ 07974. ments. JEEE Log Number 9215185.

0018-9448/94$04.00 0 1994 IEEE