Code-Based Cryptography McEliece Cryptosystem I.0 Márquez-Corbella Code-Based Cryptography 1. Error-Correcting Codes and Cryptography 2. McEliece Cryptosystem 3. Message Attacks (ISD) 4. Key Attacks 5. Other Cryptographic Constructions Relying on Coding Theory I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY 2. McEliece Cryptosystem 1. Formal Definition 2. Security-Reduction Proof 3. McEliece Assumptions 4. Notions of Security 5. Critical Attacks - Semantic Secure Conversions 6. Reducing the Key Size 7. Reducing the Key Size - LDPC codes 8. Reducing the Key Size - MDPC codes 9. Implementation I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY 1. Key generation algorithm: KEYGEN K 2 N KEYGEN kp 2 Kp k 2 K Security parameter s s § Run in expected polynomial time ∼ O(Kc) Formal definition of Public-Key Cryptography Plaintext Ciphertext Public-Key Secret-Key P = C = K = K = Space Space p Space s Space 1 Formal definition of Public-Key Cryptography Plaintext Ciphertext Public-Key Secret-Key P = C = K = K = Space Space p Space s Space 1. Key generation algorithm: KEYGEN K 2 N KEYGEN kp 2 Kp k 2 K Security parameter s s § Run in expected polynomial time ∼ O(Kc) 1 2. Encryption algorithm: ENCRYPT m 2 P ENCRYPT ENCRYPT(m; Kp) = y 2 C Kp 2 Kp § Run in expected polynomial time ∼ O(Kc) Formal definition of Public-Key Cryptography Plaintext Ciphertext Public-Key Secret-Key P = C = K = K = Space Space p Space s Space 2 Formal definition of Public-Key Cryptography Plaintext Ciphertext Public-Key Secret-Key P = C = K = K = Space Space p Space s Space 2. Encryption algorithm: ENCRYPT m 2 P ENCRYPT ENCRYPT(m; Kp) = y 2 C Kp 2 Kp § Run in expected polynomial time ∼ O(Kc) 2 3. Decryption algorithm: DECRYPT invalid 2 C DECRYPT(c; K ) = m 2 P , or c DECRYPT s ciphertext Ks 2 Ks § Run in polynomial time Formal definition of Public-Key Cryptography Plaintext Ciphertext Public-Key Secret-Key P = C = K = K = Space Space p Space s Space 3 Formal definition of Public-Key Cryptography Plaintext Ciphertext Public-Key Secret-Key P = C = K = K = Space Space p Space s Space 3. Decryption algorithm: DECRYPT invalid 2 C DECRYPT(c; K ) = m 2 P , or c DECRYPT s ciphertext Ks 2 Ks § Run in polynomial time 3 Formal definition of Public-Key Cryptography K 2 N KEYGEN kp 2 Kp k 2 K Security parameter s s m 2 P ENCRYPT ENCRYPT(m; Kp) = y 2 C Kp 2 Kp invalid 2 C DECRYPT(c; K ) = m 2 P , or c DECRYPT s ciphertext Ks 2 Ks § It is required that: DECRYPT (ENCRYPT(m; Kp); Ks) = m K 4 § Fasten known attack should requires ≥ 2 bit operations Advantages: Drawback: 1. Fast ENCRYPT and DECRYPT. ã Large key size. 2. Post-quantum cryptosystem. Security of the McEliece scheme is based on: 1. Hardness of decoding random linear codes 2. Distinguishing Goppa codes The McEliece Cryptosystem McEliece introduced the first PKC based on Error-Correcting Codes in 1978. R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 42-44:114-116, 1978. 5 Advantages: Drawback: 1. Fast ENCRYPT and DECRYPT. ã Large key size. 2. Post-quantum cryptosystem. The McEliece Cryptosystem Security of the McEliece scheme is based on: 1. Hardness of decoding random linear codes 2. Distinguishing Goppa codes McEliece introduced the first PKC based on Error-Correcting Codes in 1978. R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 42-44:114-116, 1978. 5 Drawback: ã Large key size. The McEliece Cryptosystem Advantages: 1. Fast ENCRYPT and DECRYPT. 2. Post-quantum cryptosystem. Security of the McEliece scheme is based on: 1. Hardness of decoding random linear codes 2. Distinguishing Goppa codes McEliece introduced the first PKC based on Error-Correcting Codes in 1978. R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 42-44:114-116, 1978. 5 The McEliece Cryptosystem Advantages: Drawback: 1. Fast ENCRYPT and DECRYPT. ã Large key size. 2. Post-quantum cryptosystem. Security of the McEliece scheme is based on: 1. Hardness of decoding random linear codes 2. Distinguishing Goppa codes McEliece introduced the first PKC based on Error-Correcting Codes in 1978. R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 42-44:114-116, 1978. 5 with an efficient Indistinguishable decoding algorithm from random codes Key Generation Algorithm: k×n 1. G 2 Fq a generator matrix for C 2 F 2. AC an “Efficient” decoding algorithm for C which corrects up to t errors. Public Key: Kpub = (G; t) Private Key: Ksecret = (AC) The McEliece Cryptosystem Consider F family of codes 6 Indistinguishable from random codes Key Generation Algorithm: k×n 1. G 2 Fq a generator matrix for C 2 F 2. AC an “Efficient” decoding algorithm for C which corrects up to t errors. Public Key: Kpub = (G; t) Private Key: Ksecret = (AC) The McEliece Cryptosystem Consider F family of codes with an efficient decoding algorithm 6 Key Generation Algorithm: k×n 1. G 2 Fq a generator matrix for C 2 F 2. AC an “Efficient” decoding algorithm for C which corrects up to t errors. Public Key: Kpub = (G; t) Private Key: Ksecret = (AC) The McEliece Cryptosystem Consider F family of codes with an efficient Indistinguishable decoding algorithm from random codes 6 The McEliece Cryptosystem Consider F family of codes with an efficient Indistinguishable decoding algorithm from random codes Key Generation Algorithm: k×n 1. G 2 Fq a generator matrix for C 2 F 2. AC an “Efficient” decoding algorithm for C which corrects up to t errors. Public Key: Kpub = (G; t) Private Key: Ksecret = (AC) 6 Decryption Algorithm: Using Ksecret , the receiver obtain m. DECRYPT(y) = AC(y) = m Parameters Key size Security level 62 [1024; 524; 101]2 67 ko 2 96 [2048; 1608; 48]2 412 ko 2 The McEliece Cryptosystem Encryption Algorithm: k Encrypt a message m 2 Fq as ENCRYPT(m) = mG + e = y where e is a random error vector of weight at most t. 7 Parameters Key size Security level 62 [1024; 524; 101]2 67 ko 2 96 [2048; 1608; 48]2 412 ko 2 The McEliece Cryptosystem Encryption Algorithm: k Encrypt a message m 2 Fq as ENCRYPT(m) = mG + e = y where e is a random error vector of weight at most t. Decryption Algorithm: Using Ksecret , the receiver obtain m. DECRYPT(y) = AC(y) = m 7 The McEliece Cryptosystem Encryption Algorithm: k Encrypt a message m 2 Fq as ENCRYPT(m) = mG + e = y where e is a random error vector of weight at most t. Decryption Algorithm: Using Ksecret , the receiver obtain m. DECRYPT(y) = AC(y) = m Parameters Key size Security level 62 [1024; 524; 101]2 67 ko 2 96 [2048; 1608; 48]2 412 ko 2 7 Differences with the McEliece cryptosystem: 1. The public key is a parity check matrix. This improve- ment reduce the key size. 2. The secret key is an efficient syndrome decoder 3. The encryption mechanism The Niederreiter Cryptosystem Niederreiter presents a dual version of McEliece (which is equivalent in terms of security) in 1986. H. Niederreiter. (1986). Knapsack-type crypto system and algebraic coding theory. Problems of Control and Information Theory. 8 The Niederreiter Cryptosystem Differences with the McEliece cryptosystem: 1. The public key is a parity check matrix. This improve- ment reduce the key size. 2. The secret key is an efficient syndrome decoder 3. The encryption mechanism Niederreiter presents a dual version of McEliece (which is equivalent in terms of security) in 1986. H. Niederreiter. (1986). Knapsack-type crypto system and algebraic coding theory. Problems of Control and Information Theory. 8 with an efficient Indistinguishable Syndrome decoding from random codes algorithm Key Generation Algorithm: (n−k)×n 1. H 2 Fq a parity check matrix for C 2 F 2. DC an “Efficient” Syndrome Dec. for C which corrects up to t errors. Public Key: Kpub = (G; t) Private Key: Ksecret = (DC) The Niederreiter Cryptosystem Consider F family of codes 9 Indistinguishable from random codes Key Generation Algorithm: (n−k)×n 1. H 2 Fq a parity check matrix for C 2 F 2. DC an “Efficient” Syndrome Dec. for C which corrects up to t errors. Public Key: Kpub = (G; t) Private Key: Ksecret = (DC) The Niederreiter Cryptosystem Consider F family of codes with an efficient Syndrome decoding algorithm 9 Key Generation Algorithm: (n−k)×n 1. H 2 Fq a parity check matrix for C 2 F 2. DC an “Efficient” Syndrome Dec. for C which corrects up to t errors. Public Key: Kpub = (G; t) Private Key: Ksecret = (DC) The Niederreiter Cryptosystem Consider F family of codes with an efficient Indistinguishable Syndrome decoding from random codes algorithm 9 The Niederreiter Cryptosystem Consider F family of codes with an efficient Indistinguishable Syndrome decoding from random codes algorithm Key Generation Algorithm: (n−k)×n 1. H 2 Fq a parity check matrix for C 2 F 2. DC an “Efficient” Syndrome Dec. for C which corrects up to t errors. Public Key: Kpub = (G; t) Private Key: Ksecret = (DC) 9 Decryption Algorithm: Using Ksecret , the receiver obtain m. DECRYPT(y) = DC(y) = m Parameters Key size Security level 95 [256; 128; 129]256 67 ko 2 The McEliece Cryptosystem Encryption Algorithm: k Encrypt a message m 2 Fq of weight ≤ t T n−k ENCRYPT(m) = mH 2 F2 10 Parameters Key size Security level 95 [256; 128; 129]256 67 ko 2 The McEliece Cryptosystem Encryption Algorithm: k Encrypt a message m 2 Fq of weight ≤ t T n−k ENCRYPT(m) = mH 2 F2 Decryption Algorithm: Using Ksecret , the receiver obtain m.