
DISTINGUISHABILITY OF PUBLIC KEYS AND EXPERIMENTAL VALIDATION: THE MCELIECE PUBLIC-KEY CRYPTOSYSTEM

by Hai Pham

A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial Fulfillment of the Requirements for the Degree of Master of Science

Florida Atlantic University
Boca Raton, FL
December 2015

Copyright 2015 by Hai Pham

ACKNOWLEDGEMENTS

I would like to express my deepest gratitude to my master's thesis advisor, Dr. Steinwandt. I have learned many things since I became Dr. Steinwandt's student. I admire his personality, his vast knowledge and his passion for cryptography. I am grateful for the time that he spent on guiding me, providing feedback, and sometimes giving tough love. I also would like to thank my small family (my dad, my mom, and my sister) for everything they have done for me. In addition, I owe many thanks to my big family (my grandparents, my aunts and uncles) for all their love.

ABSTRACT

Author: Hai Pham
Title: Distinguishability of Public Keys and Experimental Validation: The McEliece Public-key Cryptosystem
Institution: Florida Atlantic University
Thesis Advisor: Dr. Rainer Steinwandt
Degree: Master of Science
Year: 2015

As quantum computers continue to develop, they pose a threat to cryptography since many popular cryptosystems will be rendered vulnerable. This is because the security of most currently used asymmetric systems requires the computational hardness of the integer factorization problem, the discrete logarithm problem or the elliptic curve discrete logarithm problem. However, there are still some cryptosystems that resist quantum computing. We will look at code-based cryptography in general and the McEliece cryptosystem specifically. Our goal is to understand the structure behind the McEliece scheme, including the encryption and decryption processes, and what advantages and disadvantages the system has to offer.
In addition, using the results from Courtois, Finiasz, and Sendrier's paper in 2001 [12], we will discuss a digital signature scheme based on the McEliece cryptosystem. We analyze one classical algebraic attack on the system, based on the distinguishing problem of deciding whether the public key of the McEliece scheme is generated from a generator matrix of a binary Goppa code or from a random binary matrix. The idea of the attack involves solving an algebraic system of equations, and we examine the dimension of the solution space of the linearized system of equations. With the assistance of a paper in 2010 by Faugère, Gauthier-Umaña, Otmani, Perret, Tillich [14], we will see the parameters needed for the intractability of the distinguishing problem.

To my paternal grandfather

List of Tables
List of Figures
1 Cryptography
  1.1 Introduction and Motivation
  1.2 Cryptosystem
  1.3 The McEliece Cryptosystem
2 Background in Coding theory
  2.1 Terminology
  2.2 Generator and Parity-Check Matrices
  2.3 Error Detection and Error Correction
  2.4 Goppa Codes and Patterson's algorithm
3 The McEliece Cryptosystem
  3.1 Encryption and Decryption in McEliece's scheme
  3.2 Advantages and Disadvantages of the McEliece Cryptosystem
  3.3 McEliece-based Digital Signature Scheme
4 A Distinguisher for Public Keys in McEliece Cryptosystems
  4.1 Motivation
  4.2 The Goppa Code Distinguishing Problem
  4.3 Building A Distinguisher
5 Conclusion
Bibliography

LIST OF TABLES

4.1 Maximal Degree for Distinguishability
4.2 Experimental Validation
4.3 Observations for the Second Experiment

LIST OF FIGURES

4.1 The Matrix G in the Form of $I_k \mid P$

CHAPTER 1 CRYPTOGRAPHY

1.1 INTRODUCTION AND MOTIVATION

Quantum computing explores systems that make use of quantum mechanical phenomena to perform operations on data. The development of actual quantum computers is still in an early stage, but we can already determine the effects that they will have on the current cryptographic systems. Large-scale quantum computers will be able to solve certain problems much more quickly than any classical computer using even the best currently known algorithms.

Private-key cryptography will be weakened, but it seems that with an increase in key size, one may restore the necessary security. For example, AES-128 uses a key of 128 bits, and so around $2^{127}$ operations are expected to be required to recover the key. However, quantum computers can run algorithms that require approximately $2^{64}$ operations to recover an AES-128 key [1]. The solution in mind here is to switch to AES-256.

The effect is more devastating with public-key cryptography because quantum computers can perform algorithms that break popular public-key cryptosystems in a relatively short amount of time. This is because the security of the current systems requires the hardness of the integer factorization problem, the discrete logarithm problem or the elliptic curve discrete logarithm problem. For instance, Shor's algorithm [3] can recover an RSA key in polynomial time.

These reasons bring us to an important question: what can we do about this? Cryptographers have started to study post-quantum cryptography.
There are currently six prominent classes of cryptosystems that resist quantum computers. They are: lattice-based cryptography, multivariate cryptography, hash-based cryptography, code-based cryptography, supersingular elliptic curve isogeny cryptography, and symmetric key based cryptography. In code-based cryptography, one of the classical examples is the McEliece cryptosystem.

Before explaining the McEliece cryptosystem in more detail, let us review some of the basic notions of cryptography. One definition of cryptography is the practice and study of techniques for secure communication in the presence of third parties (called adversaries) [2]. To briefly describe the idea behind encryption, the sender chooses a message that he/she would like to send, applies some encryption process, and sends this encrypted message over a network. Upon receiving the encrypted message, the receiver uses a known decryption process to recover the original message. Although the adversary may intercept the encrypted message, he or she will be unable to recover any partial information (other than length) of the original message without knowledge of a piece of secret information, known as a private key.

1.2 CRYPTOSYSTEM

Alongside cryptography, a cryptosystem is an implementation of one or more cryptographic algorithms [10]. It is designed to fulfill particular specifications while providing certain security properties. Cryptosystems come in two types: private-key or public-key (also known as symmetric-key or asymmetric-key, respectively).

In private-key cryptography, the parties share a single piece of information, which is called the private key, and use this to perform the encryption and decryption processes. Here we assume that the private key is established in confidentiality between the parties. The adversary, in this case, would have no knowledge of this private key. One example of private-key cryptography is a one-time pad.
Suppose that Alice wants to send a message to Bob. Alice would generate a large sequence of uniformly random numbers chosen in $\{0, \ldots, 25\}$, for example (which will serve as the private key). After that, she has to communicate this sequence of random numbers (the pad) to Bob in confidentiality so that Eve, the adversary, would have no knowledge of it. The idea behind the encryption process is that each bit or character of the message that Alice wants to send to Bob is encrypted by combining it with the corresponding bit or character from the pad using modular addition. When Bob receives the encrypted message, he takes out his copy of the pad and correspondingly performs modular addition component-wise to recover the original message. If the pad is random, at least as long as the message, used only once, and kept secret, then this scheme can guarantee that an eavesdropper will not be able to recover any partial information (other than the length) of the original message [5].

One disadvantage of private-key cryptography relates to the hardness of keeping the private key synchronized. As in the one-time pad scheme above, we see that it is essential that the sequence of numbers be truly random and used only once. Since everyone has to agree on a secret key, in larger networks it becomes difficult to establish the secret key in confidentiality. This issue does not show up in public-key cryptography.

In public-key cryptography, each individual manages a distinct private key and a distinct public key. All parties can have access to an individual's public key, but each individual keeps his or her private key secret. An example of public-key cryptography is RSA [7]. Basic RSA can be summarized as follows. Bob chooses two distinct prime numbers p and q and computes their product. He then picks an integer e such that e is coprime
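
The one-time pad over $\{0, \ldots, 25\}$ described in Section 1.2, as an added example that is not part of the thesis: it encrypts by component-wise addition mod 26, enforces the "at least as long as the message" condition, and shows why the "used only once" condition matters, since two ciphertexts under the same pad expose the difference of their plaintexts. The function names, the A-Z alphabet mapping and the sample messages are assumptions made for this illustration.

```python
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # assumed mapping: A -> 0, ..., Z -> 25


def to_nums(text):
    """Map uppercase letters to integers in {0, ..., 25}."""
    return [ALPHABET.index(ch) for ch in text]


def to_text(nums):
    """Inverse of to_nums()."""
    return "".join(ALPHABET[n] for n in nums)


def gen_pad(length):
    """Uniformly random pad drawn from the OS CSPRNG; one fresh pad per message."""
    return [secrets.randbelow(26) for _ in range(length)]


def encrypt(message, pad):
    """Component-wise addition mod 26; the pad must cover the whole message."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message")
    return to_text([(m + k) % 26 for m, k in zip(to_nums(message), pad)])


def decrypt(ciphertext, pad):
    """Add the additive inverse of each pad value mod 26 to undo encrypt()."""
    if len(pad) < len(ciphertext):
        raise ValueError("pad shorter than ciphertext")
    return to_text([(c - k) % 26 for c, k in zip(to_nums(ciphertext), pad)])


def reuse_leak(c1, c2):
    """For two ciphertexts under the SAME pad, c1 - c2 = m1 - m2 (mod 26):
    the pad cancels, so the plaintext difference is visible to an eavesdropper."""
    return [(a - b) % 26 for a, b in zip(to_nums(c1), to_nums(c2))]


if __name__ == "__main__":
    m1, m2 = "MEETATNOON", "CALLMELATE"  # constructed sample messages
    pad = gen_pad(len(m1))
    c1 = encrypt(m1, pad)
    c2 = encrypt(m2, pad)  # deliberate misuse: the pad is used a second time
    print("ciphertexts:", c1, c2)
    print("round trip ok:", decrypt(c1, pad) == m1)
    print("c1 - c2 mod 26:", reuse_leak(c1, c2))
    print("m1 - m2 mod 26:", reuse_leak(m1, m2))  # identical to the line above
```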