Code-Based Pkcs and Their Based Pkcs and Their Code-Based Pkcs

CodeCode--BasedBased PKCs And Their Applications

KkiKbKazukuni Kobara RCIS/AIST

ICITS 2009 No. 1 PKCs can be divided into

Number Theoretic (Cyclic) Problem Combinatorial Problem Integer Factoring Based Code Based RSA[RSA78] McEliece[Mc78] Rabin[[]Ra79] Niederreiter[[]Ni86] Okamoto-Uchiyama[OU98] Lattice Based Paillier[Pa99] NTRU[HS96] S-Paillier[CHGN01] AjtaiD work [AD97] … Goldreich-Goldwasser- Discrete Logarithm Based Halevi [GGH97] Diffie-Hellman[DH77] Ajtai[Ajt05] ElGamal[El84] Regev[Reg03,Reg05] ECC[Mi85][Ko87] Peikert[Pei09] XTR[LV00] … Cramer-Shoup[][CS03] Subset Sum Based Kurosawa-Desmedt[KD04] Okamoto-Tanaka- Uchiyama[OTU00] … No. 2 Cyclic Problem: Integer Factoring (IF)

Given a positive integer n, find its prime factor pi

Equivalent to finding r s.t. gr≡1 (mod n) for a g of GCD(g,n)=1 and g≡±1 (mod n) r/2 r/2 Since GCD(g -1,n) or GCD(g +1,n) is pi This cycle can be gi mod n IF determined in poly time with 1D-QFT, a.k.a. Shor’s quantum algorithm. i r rr QFT : Quantum Fourier Transform No. 3 Cyclic Problem: Discrete-Log (DL) Given p, g and y, find r s.t. x ≡ g r mod p

p: prime, g: generator of Zp*, x a member of Zp* except 1, p-1. Equivalent to finding a0, a1, b0 and b1 s.t. xa0 g b0 ≡ xa1 g b1 mod p (a −a ) r(a −a ) (b −b ) Since x 1 0 ≡ g 1 0 ≡ g 0 1 mod p (b − b ) a DL r ≡ 0 1 mod p -1 (a1 − a0 ) a0 This inclination can be a b determined in poly time a1 x g mod p with 2D-QFT, a.kSh’k.a. Shor’s -b quantum algorithm. b0 b1 No. 4 Lesson to learn

If a problem is written in the form of dedeetermining a cycle , Then it can be solved in polynomial time using a quantum computer.

No. 5 Combinatorial Problems

Note: Underlying security find A set of vectors ddlhtdepends also on how to or scalars make the trapdoor r1, r2, r3… ri, --11 = 00010000100100100

public-key Arithmetic Unit

Condition Condition

ciphertext

given No. 6 Code Based: McEliece find Plaintext PK is a kxn generator matrix of a linear code over GF(q) , usually q=2 r1, r2, r3… ri, --11 = 00010000100100100 public-key wt() <=t GF(q)

Condition

ciphertext wt(): Hamming weight given (# of non zeros) No. 7 Code Based: Niederreiter

find Plaintext PK is a nx(n-k) parity check matrix of a linear code over GF(q), usually q=2

r1, r2, r3… ri, -1 = 00000000000000000 wt(r) <=t public-key All Zero GF(q) r ∈{r1,r2 ,L,ri}

Condition

Condition ciphertext

given No. 8 Lattice Based: NTRU

find PK is a n dimensional Plaintext

cyclic vector over Zq , q=2048 etc. r1, r2, r3… ri, -1 = 00100-100100-10000 ri ∈{−1,0,1}, public-key mi ∈{−1,0,1}, wt() = dm wt() = dr Zq

Condition Condition ciphertext

given No. 9 Lattice Based: Regev

PK is a (u+v)x(n+v) matrix find Plaintext uxn random uxv parity-with- binary matrix A noise Axs+E r1, r2,…,ri, m1, …,mv, -1 = 0000000000 q All Zero r ,m ∈{0,1}, wt(r) < i i 2 A Axs+E Zq

q 0000000000000 2 00 q Condition 0000000000000 0 2 0 q Condition 0000000000000 00 2 ciphertext

given No. 10 Subset Sum Problem: OTU

find Plaintext PK is a set of n positive integers

r1, r2, r3… ri, -1 = 0 Zero ri ∈{0,1}, wt(r) = k public-key Z

Condition

Condition ciphertext

given No. 11 So far it is not known

To reduce combinatorial problems to a cyclic problem The best attack on combinatorial problem is: Grover’s algorithm GG’rover’s alithlgorithm can red uce Running time to states but it is still exponential to its input size

No. 12 Advantages of Combinatorial Based

Quantum Tolerant: No polynomial time algorithm is known so far even on quantum comput ers Arithmetic unit is small: for encryption (and signature verification) Usually xors or additions in a small Field/Ring They are hihihlghly paralleli zabl e No heavy multi-precision modular exponentiation No. 13 Advantages of CodeCode-- Based

IfInforma tion RtiRatio, i.e. (Plaintest Size) (Ciphertext Size) is better

Arithmecetic unit is ssae:maller: for encryption and signature verification Usually xors

=> Suitable for low computational power or Ubiquitous devices No. 14 History of CodeCode--BasedBased

Code-based PKEs Number Theoretic 1978: McEliece 2000: Error expansion/hold [Loi00] 1977 Hiffie- 1977: RSA Hellman 1985: ECC 1986: Niederreiter Attack [KI03] 1991: GPT PKC Attack on Attack on small cardinality [GPT91] (rank code) em

hh GRS [SS92] including BCH [LS01] Goppa code (more generally Attack on sparse alternant code) with large cardinality S [MRS00] me of t attacks oo nn 2001: IND-CCA2 Attac k on LDPC LDPC Conv. in RO 2005: Quasi-Cyclic in general here s here reactio [KI02] BCH subcode 2007: QCQ - Attack on ww 2005: with [Gab05] LDPC [BC07] subfield P GRS subcode [Ove05] 2009: Quasi- tical like tical like attacks attacks

ii [[]BL05] 2009: QasiQuasi- Cyclic alternant Attack on QC 2008: ext field Attack on GRS Dyadic [MB09] code [BCG+09] [OTD08] P [Gab08]

A lot of cr were subcode Large extension Attack on small [Wie06] degree extension degrees [Wie09] Idea can be [UL09] applied to No. 15 How to see the history

Green Letters: Underlying Liner Code

: Attack

: Already Broken

: Not Yet Brok en (()as far as I know as of Dec. 2009)

No. 16 History of Non PKE Code-Based Primitives ZKIP: Zero Knowledge Interactive Proof 1994: ZKIP ((gas well as Digital OT: Oblivious Transfer Signature applying Fiat-Shamir heuristic) (random code) [Ste94] Public matrix can be 2001: Digit al compressed by generating Signature (Goppa) it from a random seed [CFS01] 2005: Hash Function (random Bleichenbacher’s code) [AFS05] attack [[]Ble06] 2007: Liggght Weight Unlinkable-ID for RFID (Goppa) [SKI06][CKM+07] 2008: Bit (1,2)-OT (Goppa) [DGQ+08] 2008: String (1,2)- With appropriate OT (Goppa) [KMO08] parameter choice [FS09]

No. 17 Construction of CodeCode--BasedBased PKCs

No. 18 Keys for McEliece PKE

Secret key Random Permutation Matrix

n Non-Singular Matrix P Sk G

Generator matrix of ECC which can correct up to t-error symbols

Public key May be systematic if an G’ appropriate IND- I G’’ CCA2 conversion is applied No. 19 Encryption of Primitive MEliMcEliece PKE C=MG’+Z Random vector with weight t Z (0,1,0,0,1,0, ... 0,0,1,0) C Plaintext is a k dimensional vector MG’ Ciphertext over GF(2) M G’

No. 20 Decryption of Primitive MEliMcEliece PKE

1. CP-1=MSG+ZP-1 P-1

C 2. Correct the t-error bits using error- correction algorithm and obtain MS 3. M=MS S-1

S-1 MS M

No. 21 Keys for Niederreiter PKE Secret key n-k Non- Random Singular Permutation Matrix P n H Matrix S Parity check matrix of ECC which can correct up to t-error symbols

Public key May be I systematic if an H’ appropriate IND- CCA2 conversion H’’ is applied No. 22 Encryption of Primitive Nied erreit er PKE C=ZH’

Plainstext is an n dimensional vector of weight t Ciphertext

Z C (0,1,0,0,1,0, ... 0,0,1,0) = ZH’

H’

No. 23 Decryption of Primitive Nied erreit er PKE

1. CS-1=ZH’S-1=ZPH SS-1=(ZP)H S-1 C 2. Correct the t-error bits using error- correction algorithm and obtain ZP 3. Z=ZP P-1 ZP Z

P-1

No. 24 Unfortunately

Due to the simple structure of a linear code, a lot of practical attacks are known This is the reason why some people still think that code-based PKEs have already been broken

Ex. ) Reaction attack can decrypt a given cihipher text in O(k).

No. 25 Reaction Attack on McEliece PKC

Flip one bit of the given ciphertext Let the receiver decrypt it If its reaction is normal, error is within the error correction bound. 1 Receiver (decryption oracl)le)

C= 011000101011010 1 1 0 0 0 1 0 1 0 1 1 0 1 Given ciphertext Reaction Countermeasures

Attacks Using decryption oracles Against indistinguishability or non- malleability Can be prevented applying an “appropriate” conversion scheme Naïve application sometimes does not work

No. 27 Naïve application of OAEP is vulnerable

r m Const G

Random en Plaintext Number OAEP

module H a sh

y2 y1

y3 G’ Primitive z McEliece PKC c Ciphertext

No. 28 Slight Modification Makes it Provably Secure and Compact

r m Const Encryption

Random Gen Plaintext Number

OAEP Hash module

y2 y1

y5 y4 y3 G’ Conv Primitive z McEliece PKC

y5 c Ciphertext

(Len(y2 ) + Len(y1) ≥ Len(y4 ) + Len(y3 )) and must hold

((Len(y1) ≥ Len(y3 )) or (Len(y1) ≥ Len(y4 ) by swapping y3 and y4 )) No. 29 Decryption of Conversion

Plaintext m ? Const

G = e OAEP n Error messages between this module integrity check and Ha undecodable error must be s

h indistinguishable. (Implementation must take

y2 y1 care this!!)

y5 y4 y3 G’ Conv Primitive z McEliece PKC

y5 c Ciphertext

No. 30 In The Case of Niederreiter Make the ciphertext most compact and provably secure in the RO OAEP+ for short plaintext OAEP++ for long plaintext No proof btbut no attack OAEP SAEP+ Insecure (since Niederreiter primitive is position-wise malleable) SAEP

No. 31 Provable Security in the Standard Model

2007: IND-CPA in the standard model [NIK+07] 2008: IND-CCA2 in the standard model [DQN08]

IND: Indistinguishability CPA: Chosen Plaintext Attack CCA2: Adaptive Chosen Ciphertext Attack No. 32 Secure Constructions are Available

As long as the primitive McEliece/Niederreiter PKC satisfies OW- CPA Parameters meeting OW-CPA against most powerful attacks ISD and GBA are estimated in [FS09]

OW-CPA: One-Wayness against Chosen Plaintext Attack ISD: Information Set Decoding GBA: Generalized Birthday Attack No. 33 Parameters for PKE

m t Binary work PK size Plaintext /Ciphertext size factor (KB) McEliece Niederreiter 11 32 286. 8 72. 9KB 1696/2048 bits 233/352bits 12 41 2128.5 216.5KB 3604/4096 bits 327/492bits

Public-key size is large compared to Number Theoretic ones. No. 34 Parameters for Digital Signature m t Binary PK size Iteration Signature Size work (KB) *1 *2,*3 factor 22 9 281.7 101,371KB 218.5 198～216.5 bits 15 12 281.5 716.0KB 228.8 180～208.8 bits 14 13 280.7 360.0KB 232.5 182～214.5 bits 13 14 280.0 178. 0KB 236.4 182～218.4 bits 15 12 288.2 86.0KB 240.3 180～220.3 bits

*1: affects the signing cost *2: Signature size depends on how to express the error pattern and it affects the verification speed. *3: Signature size can be reduced further by removing some error positions while increasing the verification cost further [CFS01] No. 35 How to Reduce PublicPublic-- Key Size Increase the error correction capability Capacity Approaching Codes LDPC, QC-LDPC List Decoding corrects only a couple of more errors for practical parameters while increasing the decoding complexity Compress the public-key Quasi-Cyclic Quasi-Dyadic Small extension degree Large extension degree No. 36 Attack on LDPC Codes

Exploits the fact the density of the secret matrix low.

HT: Parity Check H’T = S Matrix of LDPC code P This may b e hidd en with S and P b ut can b e recovered.

Let

HT: Parity Check Matrix of LDPC H H = 1 2 code

No. 37 Attack on LDPC Codes

1. Make H’ systematic

I T S H’T H’’ = 1

2. Multiply a low density vector h1 , and check if the density of h2 is low. h h h 1 ? 1 2 H I H’’T H H 1 = 1 2

Since # of candidates C(n-k,w) where w is the Hamming weihight of fh h1 (and al so th e possibili ty of b ei ng anoth er l ow density matrix is negligible), H can be recovered.

If one uses this direction, they must find a good code of Middle Density

(we call MDPC). No. 38 List Decoding

⎛ ⎛n⎞ ⎞ ⎜ ⎜ ⎟ ⎟ Exhaustive Search ⎜ ⎜t'⎟ ⎟ O ⎝ ⎠ ⎜ ⎛t + t'⎞ ⎟ Correct any t’ more errors but with ⎜ ⎜ ⎟ ⎟ ⎜ ⎜ t' ⎟ ⎟ the complexit y ⎛n⎞ ⎝ ⎝ ⎠ ⎠ t' ⎜ ⎟ t' ⎛ n − t'+1⎞ ⎝t'⎠ ⎛ n ⎞ ⎜ ⎟ ≥ ≥ ⎜ ⎟ t t' t+t’ errors in the n coordinates ⎝ t +1 ⎠ ⎛ + ⎞ ⎝ t + t' ⎠ ⎜ ⎟ ⎝ t' ⎠ Bernstein’s List Decoding [Ber08] t’ more errors in poly time where m t'= n − n(n − 2t − 2) − t n = 2 m m m (n − k) 2 (1− r) m 2 (1− r) m ⎛ m ⎛ 2 (1− r) ⎞ ⎞ t = = = 2 − − 2 ⎜2 − 2⎜ ⎟ − 2⎟ m ⎜ ⎜ m ⎟ ⎟ m m ⎝ ⎝ ⎠ ⎠ No. 39 # of extra error-correctable bits

Extra error correction bits Extra error correction bits

5 Recommende 3 2 4 d parameters for PKEs Recommended 3 parameters for m 1 Digital 2 Signatures

r=k/n r=k/n No. 40 How to Reduce PublicPublic-- Key Size Increase the error correction capability Capacity Approaching Codes LDPC, QC-LDPC List Decoding corrects only a couple of more errors for practical parameters while increasing the decoding complexity Compress the public-key Quasi-Cyclic Quasi-Dyadic Small extension degree Large extension degree No. 41 Dyadic Matrix

⎡ ⎡A B⎤ ⎡C D⎤⎤ ⎢ ⎢ ⎥ ⎢ ⎥⎥ ⎡α β ⎤ ⎣B A⎦ ⎣D C⎦ ⎢ ⎥ = ⎢ ⎥ ⎣β α ⎦ ⎢⎡C D⎤ ⎡A B⎤ ⎥ ⎢⎢ ⎥ ⎢ ⎥ ⎥ ⎣⎣D C⎦ ⎣B A⎦ ⎦

No. 42 Advantage of Dyadic Matrix

⎡ ⎡A B⎤ ⎡C D⎤⎤ A BCD ⎢ ⎢ ⎥ ⎢ ⎥⎥ ⎢ ⎣B A⎦ ⎣D C⎦⎥ ⎢⎡C D⎤ ⎡A B⎤ ⎥ ⎢⎢ ⎥ ⎢ ⎥ ⎥ ⎣⎣D C⎦ ⎣B A⎦ ⎦

No. 43 Dyadic Matrix and Goppa Codes have an intersection over the extension field of GF(2)

Public-Key Goppa Codes Dyadic Matrix can be (More generall y, compress Alternant Code with ed!! large cardinality)

No. 44 Goppa Codes and Cauchy Matrix Binaryypp Goppa code is the set of all n s.t. c = (c0 c1 L cn−1 )∈GF(2) n−1 ci Se (X ) ≡ ∑ ≡ 0mod g(X ) i=0 X − Li t−1 g(X ) = (z − x) where z and L are distinct If ∏i=0 i i j it can be written ⎡ 1 1 1 ⎤ L ⎢ z − L z − L z − L ⎥ c ⎢ 0 0 0 1 0 n−1 ⎥⎡ 0 ⎤ ⎢ 1 1 1 ⎥⎢ c ⎥ T L ⎢ 1 ⎥ (cH ) = ⎢ z − L z − L z − L ⎥ = 0 ⎢ 1 0 1 1 1 n−1 ⎥⎢ M ⎥ ⎢ M M O M ⎥⎢ ⎥ 1 1 1 ⎣cn−1 ⎦ ⎢ L ⎥ ⎢⎣ zt−1 − L0 zt−1 − L1 zt−1 − Ln−1 ⎦⎥ No. 45 To Make It Dyadic (more generic than [MB09]) ⊕δ can be applied to either of a ⊕δ ⊕δ3 ⊕δ numerator, a 2 2 denominator or a ⊕δ1 ⊕δ1 ⊕δ1 ⊕δ1 ⎡⎡⎡ 1 1 ⎤ ⎡ 1 1 ⎤⎤ ⎡⎡ 1 1 ⎤ ⎡ 1 1 ⎤⎤⎤ fraction ⎢ ⎥ ⎢⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥⎥ ⎢⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥⎥ ⊕δ ⎢⎢⎢ 0 0 0 1 ⎥ ⎢ 0 2 0 3 ⎥⎥ ⎢⎢ 0 4 0 5 ⎥ ⎢ 0 6 0 7 ⎥⎥⎥ 1 ⎢⎢⎢ 1 1 ⎥ ⎢ 1 1 ⎥⎥ ⎢⎢ 1 1 ⎥ ⎢ 1 1 ⎥⎥⎥ ⎢⎢⎢ ⎥ ⎢ ⎥⎥ ⎢⎢ ⎥ ⎢ ⎥⎥⎥ ⊕δ ⎣ z1 − L0 z1 − L1 ⎦ ⎣ z1 − L2 z1 − L3 ⎦ ⎣ z1 − L4 z1 − L5 ⎦ ⎣ z1 − L6 z1 − L7 ⎦ 2 ⎢⎢ ⎥ ⎢ ⎥⎥ ⎢⎢⎡ 1 1 ⎤ ⎡ 1 1 ⎤⎥ ⎢⎡ 1 1 ⎤ ⎡ 1 1 ⎤⎥⎥ ⎢⎢⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥⎥ ⎢⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥⎥⎥ ⎢ 2 0 2 1 ⎥ ⎢ 2 2 2 3 ⎥ ⎢ 2 4 2 5 ⎥ ⎢ 2 6 2 7 ⎥ ⊕δ1 ⎢⎢ 1 1 1 1 ⎥ ⎢ 1 1 1 1 ⎥⎥ ⎢⎢⎢ ⎥ ⎢ ⎥⎥ ⎢⎢ ⎥ ⎢ ⎥⎥⎥ ⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥ ⊕δ3 ⎢⎣⎢⎣ 3 0 3 1 ⎦ ⎣ 3 2 3 3 ⎦⎦⎥ ⎣⎢⎣ 3 4 3 5 ⎦ ⎣ 3 6 3 7 ⎦⎦⎥⎥ ⎢⎡ 1 1 1 1 ⎤ ⎡ 1 1 1 1 ⎤⎥ ⎢ ⎡ ⎤ ⎡ ⎤ ⎡ ⎤ ⎡ ⎤ ⎥ ⎢⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥⎥ ⎢⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥⎥ ⎢⎢⎢ 4 0 4 1 ⎥ ⎢ 4 2 4 3 ⎥⎥ ⎢⎢ 4 4 4 5 ⎥ ⎢ 4 6 4 7 ⎥⎥⎥ ⊕δ1 ⎢⎢⎢ 1 1 ⎥ ⎢ 1 1 ⎥⎥ ⎢⎢ 1 1 ⎥ ⎢ 1 1 ⎥⎥⎥ ⎢⎢⎢ ⎥ ⎢ ⎥⎥ ⎢⎢ ⎥ ⎢ ⎥⎥⎥ ⎣ z5 − L0 z5 − L1 ⎦ ⎣ z5 − L2 z5 − L3 ⎦ ⎣ z5 − L4 z5 − L5 ⎦ ⎣ z5 − L6 z5 − L7 ⎦ ⊕δ2 ⎢⎢ ⎥ ⎢ ⎥⎥ ⎢⎢⎡ 1 1 ⎤ ⎡ 1 1 ⎤⎥ ⎢⎡ 1 1 ⎤ ⎡ 1 1 ⎤⎥⎥ ⎢⎢⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥⎥ ⎢⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥⎥⎥ ⎢ ⎢ 6 0 6 1 ⎥ ⎢ 6 2 6 3 ⎥ ⎢ 6 4 6 5 ⎥ ⎢ 6 6 6 7 ⎥ ⎥ ⊕δ1 ⎢ 1 1 1 1 ⎥ ⎢ 1 1 1 1 ⎥ ⎢⎢⎢ ⎥ ⎢ ⎥⎥ ⎢⎢ ⎥ ⎢ ⎥⎥⎥ ⎢ ⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥ ⎢ z − L z − L ⎥ ⎥ ⎣⎣⎢⎣ 7 0 7 1 ⎦ ⎣ 7 2 7 3 ⎦⎦⎥ ⎣⎢⎣ 7 4 7 5 ⎦ ⎣ 7 6 7 7 ⎦⎥⎦⎦ No. 46 [MB09] generates a large full Dyadic block then picks up

We propose to generate a small full Dyadic block and then generate other full Dyadic blocks by introducing ⊕ Δ (we call it outer delta) Whereas we call ⊕ δ inner delta (since it defines the inner structure of a full Dyadic block

⊕Δ1 ⊕Δ2 ⊕Δ3 ⎡⎡Full ⎤ ⎡Full ⎤ ⎡Full ⎤ ⎡Full ⎤⎤ ⎢⎢ ⎥ ⎢ ⎥ ⎢ ⎥ ⎢ ⎥⎥ ⎣⎣DdiDyadic⎦ ⎣DdiDyadic⎦ ⎣DdiDyadic⎦ ⎣DdiDyadic⎦⎦ No. 47 Advantages

Can generate the txn Dya dic mat tirix more flexibly, N=2m can be closer to n+t Can remove the block-wise permutation and removal in key generation Since they are already included by the parameter choice of ⊕Δ

No. 48 Remark

Block-Wise Permutation is the same as

changing Δj’s appropriately. Removal of one block is the same as reducing the number of blocks by one

and then ch angi ng Δj’s appropria tel y

⊕Δ1 ⊕Δ2 ⊕Δ3 ⎡⎡Full ⎤ ⎡Full ⎤ ⎡Full ⎤ ⎡Full ⎤⎤ ⎢⎢ ⎥ ⎢ ⎥ ⎢ ⎥ ⎢ ⎥⎥ ⎣⎣DdiDyadic⎦ ⎣DdiDyadic⎦ ⎣DdiDyadic⎦ ⎣DdiDyadic⎦⎦ No. 49 By applying ⊕ δ and ⊕Δ tthdto the denomi nat ors txn Dyadic matrix can be obtained with

z1 =z0 ⊕δ1 z2 =z0 ⊕δ2 z3 =z2 ⊕δ1 =z0 ⊕δ1 ⊕δ2

L1 =L0 ⊕δ1 L2 =L0 ⊕δ2 L3 =L2 ⊕δ2 =L0 ⊕δ1 ⊕δ2

Lt =L0 ⊕Δ1 Lj×t =L0 ⊕Δj where δ δ z , L , , δ , Δ , Δ Δ ∈ GF (2 m ) 0 0 1 2 L log 2 t 1 2 L ( n / t )−1 are chosen at random while making all the z i for 0 ≤ i < t and L j for 0 ≤ j < n distinct. No. 50 Shuffle While Keeping Dyadic Structure

With Column-Block-Wise Scalar Multiplication ⎡[1] ⎤ 0 ⎡ Full Full Full ⎤⎢ ⎥ ⎡ ⎤ ⎡ ⎤ ⎡ ⎤ [p1 ] ⎢⎢ ⎥ ⎢ ⎥ L ⎢ ⎥⎥⎢ ⎥ ⎣⎣Dyadic⎦ ⎣Dyadic⎦ ⎣Dyadic⎦⎦⎢ O ⎥ ⎢ 0 ⎥ ⎣ [pb−1 ]⎦ n where p ∈GF(qm ) \{0} and b = i t

No. 51 GF(GF(qqm) to GF(q)

m A,γ i ∈GF(q ) {γ 1,γ 2 Lγ m-1 }is the m ai ∈GF(q) dual basis of GF(q )

⎡ a0 ⎤ ⎡ tr(γ 0 A) ⎤ ⎢ a ⎥ ⎢ tr(γ A) ⎥ A = ⎢ 1 ⎥ = ⎢ 1 ⎥ ⎢ M ⎥ ⎢ M ⎥ ⎢ ⎥ ⎢ ⎥ ⎣am−1 ⎦ ⎣tr(γ m−1 A)⎦

2 m−1 tr(A) = A + Aq + Aq + + Aq L No. 52 GF(GF(qqm) to GF(q)

⎡⎡ a0 ⎤ ⎡ b0 ⎤⎤ ⎢⎢ ⎥ ⎢ ⎥⎥ ⎢⎢ M ⎥ ⎢ M ⎥⎥ ⎢ ⎥ ⎡A B⎤ ⎢⎣am−1 ⎥⎦ ⎣⎢bm−1 ⎦⎥ ⎡ ⎡a b ⎤ ⎤ = ⎢ ⎥ 0 0 ⎢ ⎥ b a ⎢ ⎥ ⎣B A⎦ ⎢⎡ 0 ⎤ ⎡ 0 ⎤⎥ ⎢ ⎥ ⎢ ⎥ ⎢ ⎥ ⎢ ⎣b0 a0 ⎦ ⎥ ⎢ M M ⎥ ⎢⎢ ⎥ ⎢ ⎥⎥ ⎢ M ⎥ ⎢⎢bm−1 ⎥ ⎢am−1 ⎥⎥ ⎣⎣ ⎦ ⎣ ⎦⎦ ⎢⎡am−1 bm−1 ⎤⎥ ⎢ ⎥ ⎢b a ⎥ ⎣⎢⎣ m−1 m−1 ⎦⎦⎥ No. 53 Shuffle While Keeping Dyadic Structure

Multiplication of a Random Dyadic Matrix

⎡⎡Random⎤ ⎡Random⎤⎤⎡⎡FllFull ⎤ ⎡FllFull ⎤ ⎡FllFull ⎤ ⎡FllFull ⎤⎤ ⎢ ⎥ ⎢⎢ ⎥ ⎢ ⎥⎥ ⎢Dyadic⎥ ⎢Dyadic⎥ ⎢Dyadic⎥ ⎢Dyadic⎥ ⎢⎣Dyadic ⎦ ⎣Dyadic ⎦⎥⎢⎣ ⎦ ⎣ ⎦ ⎣ ⎦ ⎣ ⎦⎥ ⎢⎡RdRandom⎤ ⎡RdRandom⎤⎥⎢⎡Full ⎤ ⎡Full ⎤ ⎡Full ⎤ ⎡Full ⎤⎥ ⎢⎢ ⎥ ⎢ ⎥⎥⎢⎢ ⎥ ⎢ ⎥ ⎢ ⎥ ⎢ ⎥⎥ ⎣⎣Dyadic ⎦ ⎣Dyadic ⎦⎦⎣⎢⎣Dyadic⎦ ⎣Dyadic⎦ ⎣Dyadic⎦ ⎣Dyadic⎦⎦⎥ = (HS)T Note: Dyadic X Dyadic = Dyadic ⎡A B⎤⎡C D⎤ ⎡AC + BD AD + BC⎤ ⎢ ⎥⎢ ⎥ = ⎢ ⎥ ⎣B A⎦⎣D C⎦ ⎣BC + AD BD + AC⎦ No. 54 Attack on Quasi Dyadic [UL09]

Exploits the fact that each column of T each low of H’ is tr(f(Li)) where f() and Li are unknown

If one can make f(()x)=const,,(( tr(f(Li)) becomes independent of Li and all the coordinates in the same block of the low take the same value.

On the contrary, by choosing ri s.t. T ri H ' = ([hi,0 ,L , hi,0 ], [hi,1 ,L , hi,1 ],L ,[hi,b −1 ,L , hi,b −1 ])

f(x) can be const with high probability.No. 55 Attack on Quasi Dyadic [UL09]

T ri H ' = ([hi,0 ,L, hi,0 ], [hi,1,L, hi,1 ],L,[hi,b−1,L, hi,b−1 ]) These constants are linear combinations of tr(tt)(constant)

⎡ r ⎤ ⎡1⎤ 0 ⎢ ⎥ ⎢ r ⎥ 0 ⎢ 1 ⎥ T ⎢ ⎥ = m(m-1) unknown in GF(q) H ' = ⎢ ⎥ ⎢ ⎥ M so the uncertainty of (p1 to M ⎢ ⎥ p ) is m(m-1)log q ⎢ ⎥ ⎣0⎦ m-1 2 ⎣rm −1 ⎦ β β γ ⎡ h0,0 β 0,1 L ββ 0,m −1 ⎤⎡ [tr (γ 01),L] [tr (γ 0 p1 ),L] L⎤ ⎢ ⎥ h β ⎢ [tr ( 1), ] [tr (γ p ), ] ⎥ ⎢ 1,0 1,1 L 1,m −1 ⎥⎢ γ 1 L 1 1 L L⎥ ⎢ M M O M ⎥⎢ M M L⎥ ⎢ ⎥⎢ ⎥ h [tr ( 1), ] [tr (γ p ), ] ⎣ m −1,0 m −1,1 L m −1,m −1 ⎦⎣ m −1 L m −1 1 L No.L 56⎦ Countermeasure Against The Attack on Quasi Dyadic m(m-1) unknown in GF(q) and hence the uncertainty of (p1 to pm-1) is m(m- 1)log2 q bits E.gg).) For q=2, by making m>=10, the uncertainty becomes >=90 bits and this attack can be avoided (though this attack might be improved in future)

No. 57 Parameters for PKE m t Binary work PK size Plaintext /Ciphertext size factor (KB) McEliece Niederreiter 11 32 286.8 72.9KB 1696/2048 bits 233/352bits 12 41 2128.5 216.5KB 3604/4096 bits 327/492bits QD (Parameters are not optimized) mt np l Binary PK size Plaintext/Cip work (KB) hthertext Size factor QD 16 64 2560 1 12 291.3 3.0KB 427/1024 bits 13 64 2048 2 16 290.2 1.9KB 406/832 bits 12 128 2400 1 8 290.7 1.3KB 716/1536 bits No. 58 Parameters for Digital Signature m t BWF PK size Iteration Signature Size (KB) *1 *2, *3 14 13 280.7 360.0KB 232.5 182～214.5 bits 13 14 280.0 178.0KB 236.4 182～218.4 bits 15 12 288.2 86.0KB 240.3 180～220.3 bits QD (Parameters are not optimized) m t n Binary PK size Iteration Signature Size work (KB) *1 *2,*3 factor 15 12 26528 284.0 48.2KB 232.5 180～212.5 bits 14 13 13316 283.4 22. 4KB 236.4 182～218.4 bits 13 14 6736 282.9 10.4KB 240.3 182～222.3 bits No. 59 Suitable Applications for CodeCode-- Based PKCs

No. 60 CodeCode--BasedBased PKCs Fit With Heterogeneous Network/Applications

D1 D2 D3 Di A lot of low cost and low One side has high computational power devices, computational power such as RFIDs, sensors and SCADA devices Since •Encryption and signature verification consist mostly of xors and they are highly parallelizable. •They do not require heavy multi precision modular exponentiations No. 61 Broadcast Authentication

One (powerful) sender

Applications include: •Transmission of mission critical commands and broadcasts a message data to sensors and SCADA devices. •Issue of disaster warning D1 Di D2 D3 a lot of (lightweight) receivers receive it and check its authenticity and data integrity. No. 62 In emergency applications, low latency is crucial

AitAgainst •Earthquake Especially •Tsunami •Flood •Tornado •Thunderbolt •Fire … Disaster warning

D1 Di D2 D3 No. 63 Such warning receivers may be deployed at home, critical infrastructures, and then take appropriate actions if a warning is verified. homes

•Turn off gases •Unlock and open doors

Factories •Stop the lines (()ppnuclear) power plants •Slow down the trains hospitals In some cases, a few seconds are enough to mitigate serious damages, and hence delay is should be minimized while maintaining adequate security level. No. 64 Comparison Among Solutions

MAC MAC TESLA Digital Signature with with (hash - Conventio Code- one pair- chain and nal (RSA, Based master wise delayed DSA, key keys auth) ECDSA) Authenticity X*1 OO OO and Da ta Integrity Computational O O O X O Cost Delay O X*2 X*3 XO

*1: Crack of one device breaks it. *2: Sender must broadcast a lot of MACs and each device must wait until his MAC is received. *3: Verification key is released in the next time slot. TESLA: Timed Efficient Stream Loss-tolerant Authentication No. 65 Comparison Among Solutions

RFID: a tag used for readinggg/writing ID (and information) via wireless communication.

RFID l i t system in general:

item thing, (wilireless c hanne l) animal or human database tag ID reader server User-data

Applications: management of items, e.g. in supply chain No. 67 RFID (for long distance) requires privacy protection mechanism

station a.k.a. location privacy user

malicious readers Area-2 Reader-2

Area-1 Reader-1 Area-4 Reader-4

Area-3 IDA Reader-3 IDA hospital

Same IDs!! A user who carries a tag may be traced by someone else. adversary No. 68 Solutions Can Be Divided Into

Tag disabling Tag enabling solutions solutions Manually removal or Randomized hash destruction lock [WSRE03] Kill command HB+ [JW05] and its Temporally tag- varitiants disabling solutions Code-Based Unlinkable-ID [SKI06] Faraday cage [CKM+07] Access password HhHash lklock Tag enabling solutions: Blocker tag Enable RFID functionalities Mode switch while providing unlinkability of IDs No. 69 Comparison

Exhaustive search of Unlinkability IDs at the server Randomized hash Necessary (Tag ○ lock, identification cost HB+ and its depends on # of tags) variants Code-Based Unnecessary (Tag ○ UlikblUnlinkable-ID ident ificati on cost i s independent of # of tags)

No. 70 CodeCode--BasedBased Unlikable-Unlikable-IDID (1/3)

(WH(): Hamming weight) Niederreiter PKE: n – k n n – k c = mH ' m H’ n ＝ c a ciphertext WH(m) = t

Code-Based Unlinkable-ID:

ann==11//tt n – k n n = n + n n n 1 2 n 1 2 H '1 1 n m = ridH '= t = t + t H '2 n WH(r)=) = t1 WH(d)=) = t2 1 2 2

(random num.) (ID) No. 71 CodeCode--BasedBased UnlinkableUnlinkable--IDID (2/3)

× H ' × H ' c ＝ r 1 ⊕ id 2

c1 ⊕ c2

Let each tag calculate this Pre compute this at the server and assigns it to each tag

No. 72 CodeCode--BasedBased UnlinkableUnlinkable--IDID (3/3)

Q&RlPhQuery & Reply Phase Reader (S, H, P) Tag (H '1 ,c2 ) Query RNG( )

c1 ＝ r × H '1

＝ ID Resolve Phase c c1 ⊕ c2 r||id := Decrypt(c) Unlinkable-ID = c

This scheme p ro vides u nlinkability of IDs against passiv e attack. B ut b y make this challenge-response type, this can also be secure against adaptive attack [CKM+07] No. 73 Conclusion (1/2)

Code-based PKCs are suitable for Heterogeneous Network/Applications, such as Broadcast Authentication and Unlinkable-ID for light weight devices such as RFID, sensors, SCADA devices Since they do not require heavy multi-precision modular exponentiation can be executed mostly using only xors highly in paralle l

No. 74 Conclusion (2/2)

Research themes left in this area include Further reduction of PK sizes New attacks (especially on QD) New pp/pprimitives/applications Implementation and side-channel attacks Provable security etc.

No. 75 Thank you very much for your kind attention!!

No. 76 References

[GPT91] E.M. Gabidulin, A.V. Paramonov, O.V. Tretjakov, “Ideals over a Non-commutative Ring and Their Application in Cryptology,” Proc. of Eurocrypt’91, LNCS 547, pp.482-489, 1991 [SS92] V. Sidelnikov and S. Shestakov, “On insecurity of cryptosystems based on generalized Reed-Solomon codes.”Discrete Math. Appl. 2(4), pp. 439–444, 1992 [MRS00]C. Monico, J. Rosenthal, and A. Shokrollahi, “Using low density parity check codes in the McEliece cryptosystem,” Proc. of IEEE ISIT’00, p. 215, 2000 [Loi00] P. Loidreau “Strengthening McEliece cryptosystem,” Proc. of ASIACRYPT’00, pp. 585–598, 2000 [PCT+02] A. Perrig, R. Canetti, J.D. Tyger and D. Song, “The TESLA Broadcast Authentication Protocol,” CryptoB ytes , Vol.5, No.2, Summer/Fall, pp. 2-13 [KI02] K. Kobara and H. Imai “Semantically secure McEliece public-key cryptosyst em” . IEICE Trans., E85-A(1), pp. 74–83, 2002 No. 77 References

[[]KI03] K. Kobara and H. Imai “On the one-wayness against chosen-plaintext attacks on the Loidreau’s modified McEliece PKC”. IEEE Trans. on IT, 49(12), pp. 3136–3168, 2003 [Ove05] R. Overbeck, “A new structural attack for GPT and variants,” Proc. of Mycrypt’05, LNCS 3517, pp. 50-63, 2005 [[]AFS05] D. Augot, M. Finiasz, and N. Sendrier,,y “A family of fast syndrome based cryp-tographic hash function,” Proc. of Mycrypt’05, LNCS 3715, pp. 64-83, 2005 [][Gab05] P. Gaborit,y, “Shorter keys for code based cryptography,” Proc of WCC’05, pp. 81–91, 2005 [SKI06] M. Suzuki, K. Kobara, and H. Imai. “Privacy enhanced and light weight RFID system without tag synchronization and exhaustive search,” Proc. of IEEE SMC’06, pp. 1250-1255, 2006 [Wie06] C. Wieschebrink, “ An attack on a modified Niederreiter encryption scheme,” Proc. of PKC’06, LNCS 3958, pp.14–26, 2006 No. 78 References

[Ble06] D. Bleichenbacher, http:// www.d erk eil er.com/N ewsgroups/ sci .crypt/2006 - 12/msg00480.html , 2006 [BC07] M. Baldi and F. Chiaraluce “Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC Codes,” IEEE ISIT, pp. 2591-2595, 2007 [CKM+07] Y. Cui, K. Kobara, K. Matsuura, and H. Imai “Lightweight Asymmetric Privacy-Preserving Authentication Protocols Secure against Active Attack” Proc. of PerSec’07, pp. 223–228, 2007 [][NIK+07] R. Nojima,,, H. Imai, K. Kobara and K. Morozov, “Semantic Security for the McEliece Cryptosystem without Random Oracles,” Proc. Of WCC’07, pp. 257-268, 2007 [DQN08] R. Dowsley, J. Müller-Quade and A. C. A. Nascimento, “A CCA2 Secure Publi c Key Encrypti on Sch eme Based on the McEliece Assumptions in the Standard Model,” http://eprint.iacr.org/2008/468 ,2008

No. 79 References

[AFG+08] D. Augot, M. Finiasz, Ph. Gaborit, S. Manuel, and N. SdiSendrier, “SHA-3 proposal: FSB”FSB,” SHA-3 NIST competiti on, 2008 [Ber08] D. J. Bernstein “List decoding for binary Goppa codes,” http://cr.yp.to/codes/goppalist-20081107.pdf , 2008 [DGQ+08] R. DDlowsley, J. van de GGfraaf, J. M.-QQduade, and A. Nascimento. “Oblivious transfer based on the McEliece assumptions.” Proc. of ICITS’08, LNCS 5155, pp. 107-117, 2008 [KMO08] K. Kobara, K. Morozov and R. Overbeck “Coding -Based Oblivious Transfer” Proc. of Mathematical Methods in Computer Science, LNCS 5393, pp. 142-156, 2008 [BLN+09] D. J. Bernstein, T. Lange, R. Niederhagen, C. Peters, P. Schwabe. “FSBday: implementing Wagner's generalized birthday attack against the SHA-3 round-1 candidate FSB.” URL: http://cr.yp.to/papers.html#fsbday , 2009

No. 80 References

[OTD 08] A. OOatmani, J.P. Tillic h, L. Daaollot, “Cryptanalysis of Two McEliece Cryptosystems Based on Quasi-Cyclic Codes,” http://arxiv. org/abs/0804. 0409 2008 [DQN08] R. Dowsley and J. M. Quade and A. C. A. Nascimento, “ A CCA2 Secure Public Key Encryption Scheme Based on the McEliece Assumptions in the Standard Model,” http://eprint. iacr. org/2008/468, 2008 [FS09] M. Finiasz and N. Sendrier, “Security Bounds for the Design of Code-based Cryptosystems ” Proc of Asiacrypt’09, http://eprint.iacr.org/2009/414 , 2009

No. 81 References

[[]Wie09] C. Wieschebrink, “Cryptanal ysis of the Niederreiter Public Key Scheme Based on GRS Subcodes,” http://eprint.iacr.org/2009/452, 2009 [][MB09] R. Misoczki and P. Barreto, “Compact McEliece Keys from Goppa Codes,” Proc. of SAC’09, pp. 2009 [MB09a] R. Misoczki and P. Barreto, personal communication, 2009 [BCG+09] T. Berger, P.-L. Cayrel, P. Gaborit, and A. Otmani, “Reducing Key Length of the McEliece Cryptosystem,” Proc. of AFRICACRYPT’09,,pp, LNCS5580, pp. 77-97, 2009 [UL09] V. G. Umana and G. Leander “Practical Key Recovery Attacks On Two McEliece Variants,” http://eprint.iacr.org/2009/509, 2009

No. 82