CodeCode--BasedBased PKCs And Their Applications KkiKbKazukuni Kobara RCIS/AIST ICITS 2009 No. 1 PKCs can be divided into Number Theoretic (Cyclic) Problem Combinatorial Problem Integer Factoring Based Code Based RSA[RSA78] McEliece[Mc78] Rabin[[]Ra79] Niederreiter[[]Ni86] Okamoto-Uchiyama[OU98] Lattice Based Paillier[Pa99] NTRU[HS96] S-Paillier[CHGN01] AjtaiD wor k[AD97] … Goldreich-Goldwasser- Discrete Logarithm Based Halevi [GGH97] Diffie-Hellman[DH77] Ajtai[Ajt05] ElGamal[El84] Regev[Reg03,Reg05] ECC[Mi85][Ko87] Peikert[Pei09] XTR[LV00] … Cramer-Shoup[][CS03] Subset Sum Based Kurosawa-Desmedt[KD04] Okamoto-Tanaka- Uchiyama[OTU00] … No. 2 Cyclic Problem: Integer Factoring (IF) Given a positive integer n, find its prime factor pi Equivalent to finding r s.t. gr≡1 (mod n) for a g of GCD(g,n)=1 and g≡±1 (mod n) r/2 r/2 Since GCD(g -1,n) or GCD(g +1,n) is pi This cycle can be gi mod n IF determined in poly time with 1D-QFT, a.k.a. Shor’s quantum algorithm. i r rr QFT : Quantum Fourier Transform No. 3 Cyclic Problem: Discrete-Log (DL) Given p, g and y, find r s.t. x ≡ g r mod p p: prime, g: generator of Zp*, x a member of Zp* except 1, p-1. Equivalent to finding a0, a1, b0 and b1 s.t. xa0 g b0 ≡ xa1 g b1 mod p (a −a ) r(a −a ) (b −b ) Since x 1 0 ≡ g 1 0 ≡ g 0 1 mod p (b − b ) a DL r ≡ 0 1 mod p -1 (a1 − a0 ) a0 This inclination can be a b determined in poly time a1 x g mod p with 2D-QFT, a.kSh’k.a. Shor’s -b quantum algorithm. b0 b1 No. 4 Lesson to learn If a problem is written in the form of dedeetermining a cycl e, Then it can be solved in polynomial time using a quantum computer. No. 5 Combinatorial Problems Note: Underlying security find A set of vectors ddlhtdepends also on how to or scalars make the trapdoor r1, r2, r3… ri, --11 = 00010000100100100 public-key Arithmetic Unit Condition Condition ciphertext given No. 6 Code Based: McEliece find Plaintext PK is a kxn generator matrix of a linear code over GF(q) , usually q=2 r1, r2, r3… ri, --11 = 00010000100100100 public-key wt() <=t GF(q) Condition ciphertext wt(): Hamming weight given (# of non zeros) No. 7 Code Based: Niederreiter find Plaintext PK is a nx(n-k) parity check matrix of a linear code over GF(q), usually q=2 r1, r2, r3… ri, -1 = 00000000000000000 wt(r) <=t public-key All Zero GF(q) r ∈{r1,r2 ,L,ri} Condition Condition ciphertext given No. 8 Lattice Based: NTRU find PK is a n dimensional Plaintext cyclic vector over Zq , q=2048 etc. r1, r2, r3… ri, -1 = 00100-100100-10000 ri ∈{−1,0,1}, public-key mi ∈{−1,0,1}, wt() = dm wt() = dr Zq Condition Condition ciphertext given No. 9 Lattice Based: Regev PK is a (u+v)x(n+v) matrix find Plaintext uxn random uxv parity-with- binary matrix A noise Axs+E r1, r2,…,ri, m1, …,mv, -1 = 0000000000 q All Zero r ,m ∈{0,1}, wt(r ) < i i 2 A Axs+E Zq q 0000000000000 2 00 q Condition 0000000000000 0 2 0 q Condition 0000000000000 00 2 ciphertext given No. 10 Subset Sum Problem: OTU find Plaintext PK is a set of n positive integers r1, r2, r3… ri, -1 = 0 Zero ri ∈{0,1}, wt(r) = k public-key Z Condition Condition ciphertext given No. 11 So far it is not known To reduce combinatorial problems to a cyclic problem The best attack on combinatorial problem is: Grover’s algorithm GG’rover’s allithgorithm can reduce Running time to states but it is still exponential to its input size No. 12 Advantages of Combinatorial Based Quantum Tolerant: No polynomial time algorithm is known so far even on quantum computers Arithmetic unit is small: for encryption (and signature verification) Usually xors or additions in a small Field/Ring They are hihihlghly paralleli zabl e No heavy multi-precision modular exponentiation No. 13 Advantages of CodeCode-- Based IfInforma tion RtiRatio, i.e. (Plaintest Size) (Ciphertext Size) is better Arithmecetic unit is ssae:maller: for encryption and signature verification Usually xors => Suitable for low computational power or Ubiquitous devices No. 14 History of CodeCode--BasedBased Code-based PKEs Number Theoretic 1978: McEliece 2000: Error expansion/hold [Loi00] 1977 Hiffie- 1977: RSA Hellman 1985: ECC 1986: Niederreiter Attack [KI03] 1991: GPT PKC Attack on Attack on small cardinality [GPT91] (rank code) em hh GRS [SS92] including BCH [LS01] Goppa code (more generally Attack on sparse alternant code) with large cardinality S [MRS00] me of t attacks oo nn 2001: IND-CCA2 Attac k on LDPC LDPC Conv. in RO 2005: Quasi-Cyclic in general here s here reactio [KI02] BCH subcode 2007: QCQ - Attack on ww 2005: with [Gab05] LDPC [BC07] subfield P GRS subcode [Ove05] 2009: Quasi- tical like tical like attacks attacks ii [[]BL05] 2009: QasiQuasi- Cyclic alternant Attack on QC 2008: ext field Attack on GRS Dyadic [MB09] code [BCG+09] [OTD08] P [Gab08] A lot of cr were subcode Large extension Attack on small [Wie06] degree extension degrees [Wie09] Idea can be [UL09] applied to No. 15 How to see the history Green Letters: Underlying Liner Code : Attack : Already Broken : Not Yet Brok en (()as far as I know as of Dec. 2009) No. 16 History of Non PKE Code-Based Primitives ZKIP: Zero Knowledge Interactive Proof 1994: ZKIP ((gas well as Digital OT: Oblivious Transfer Signature applying Fiat-Shamir heuristic) (random code) [Ste94] Public matrix can be 2001: Dig ita l compressed by generating Signature (Goppa) it from a random seed [CFS01] 2005: Hash Function (random Bleichenbacher’s code) [AFS05] attack [[]Ble06] 2007: Liggght Weight Unlinkable-ID for RFID (Goppa) [SKI06][CKM+07] 2008: Bit (1,2)-OT (Goppa) [DGQ+08] 2008: String (1,2)- With appropriate OT (Goppa) [KMO08] parameter choice [FS09] No. 17 Construction of CodeCode--BasedBased PKCs No. 18 Keys for McEliece PKE Secret key Random Permutation Matrix n Non-Singular Matrix P Sk G Generator matrix of ECC which can correct up to t-error symbols Public key May be systematic if an G’ appropriate IND- I G’’ CCA2 conversion is applied No. 19 Encryption of Primitive MEliMcEliece PKE C=MG’+Z Random vector with weight t Z (0,1,0,0,1,0, ... 0,0,1,0) C Plaintext is a k dimensional vector MG’ Ciphertext over GF(2) M G’ No. 20 Decryption of Primitive MEliMcEliece PKE 1. CP-1=MSG+ZP-1 P-1 C 2. Correct the t-error bits using error- correction algorithm and obtain MS 3. M=MS S-1 S-1 MS M No. 21 Keys for Niederreiter PKE Secret key n-k Non- Random Singular Permutation Matrix P n H Matrix S Parity check matrix of ECC which can correct up to t-error symbols Public key May be I systematic if an H’ appropriate IND- CCA2 conversion H’’ is applied No. 22 Encryption of Primitive Nied erreit er PKE C=ZH’ Plainstext is an n dimensional vector of weight t Ciphertext Z C (0,1,0,0,1,0, ... 0,0,1,0) = ZH’ H’ No. 23 Decryption of Primitive Nied erreit er PKE 1. CS-1=ZH’S-1=ZPH SS-1=(ZP)H S-1 C 2. Correct the t-error bits using error- correction algorithm and obtain ZP 3. Z=ZP P-1 ZP Z P-1 No. 24 Unfortunately Due to the simple structure of a linear code, a lot of practical attacks are known This is the reason why some people still think that code-based PKEs have already been broken Ex. ) Reaction attack can decrypt a given cihipher tex t in O(k). No. 25 Reaction Attack on McEliece PKC Flip one bit of the given ciphertext Let the receiver decrypt it If its reaction is normal, error is within the error correction bound. 1 Receiver (decryption oracl)le) C= 011000101011010 1 1 0 0 0 1 0 1 0 1 1 0 1 Given ciphertext Reaction Countermeasures Attacks Using decryption oracles Against indistinguishability or non- malleability Can be prevented applying an “appropriate” conversion scheme Naïve application sometimes does not work No. 27 Naïve application of OAEP is vulnerable r m Const G Random en Plaintext Number OAEP module H a sh y2 y1 y3 G’ Primitive z McEliece PKC c Ciphertext No. 28 Slight Modification Makes it Provably Secure and Compact r m Const Encryption Random Gen Plaintext Number OAEP Hash module y2 y1 y5 y4 y3 G’ Conv Primitive z McEliece PKC y5 c Ciphertext (Len(y2 ) + Len(y1) ≥ Len(y4 ) + Len(y3 )) and must hold ((Len(y1) ≥ Len(y3 )) or (Len(y1) ≥ Len(y4 ) by swapping y3 and y4 )) No. 29 Decryption of Conversion Plaintext m ? Const G = e OAEP n Error messages between this module integrity check and Ha undecodable error must be s h indistinguishable. (Implementation must take y2 y1 care this!!) y5 y4 y3 G’ Conv Primitive z McEliece PKC y5 c Ciphertext No. 30 In The Case of Niederreiter Make the ciphertext most compact and provably secure in the RO OAEP+ for short plaintext OAEP++ for long plaintext No proof btbut no attack OAEP SAEP+ Insecure (since Niederreiter primitive is position-wise malleable) SAEP No. 31 Provable Security in the Standard Model 2007: IND-CPA in the standard model [NIK+07] 2008: IND-CCA2 in the standard model [DQN08] IND: Indistinguishability CPA: Chosen Plaintext Attack CCA2: Adaptive Chosen Ciphertext Attack No.