Marco Baldi, Marco Bianchi, Franco Chiaraluce, Joachim Jakob Rosenthal, and Davide Mose' Schipani. Method and apparatus for public-key cryptography based on error correcting codes. U.S. Pat. No. 9,191,199 B2 (2015)
Martin Tomlinson, Cen Jung Tjhai. Public key cryptosystem based on goppa codes and puf based random generation. U.S. Pat. No. 8,958,553 B2 (2015)
Yongge Wang. Method and Apparatus for Random Linear Code Based Public Key Encryption Schemes. U.S. patent application Ser. No. 15/270,824, filed on Sep. 20, 2016.
Yongge Wang. Method and Apparatus for Quantum Resistant Public Key Encryption Scheme RLCE and IND-CCA2 Security. U.S. Patent application U.S. 62/435,151, filed on Dec. 16, 2016.
Martin Tomlinson and Cen Jung Tjhai. Public key encryption using error correcting codes. WO2012066328 A1 (2012)
Eran Kanter, Ido Kanter. A secure and linear public-key cryptosystem based on parity-check error-correcting code. WO2001050675 A2 (2001).
M. Baldi, M. Bodrato, and F. Chiaraluce. A new analysis of the mceliece cryptosystem based on qc-ldpc codes. In Security and Cryptography for Networks, pages 246-262. Springer, 2008.
M. Bardet, J. Chaulet, V. Dragoi, A. Otmani, and J.-P. Tillich. Cryptanalysis of the McEliece public key cryptosystem based on polar codes. In International Workshop on Post-Quantum Cryptography, pages 118-143. Springer, 2016.
D. Bernstein, T. Lange, and C. Peters. Wild McEeliece. In Selected Areas in Cryptography, pages 143-158. Springer, 2011.
D. J. Bernstein. Grover vs. mceliece. In International Workshop on Post-Quantum Cryptography, pages 73-80. Springer, 2010.
D. J. Bernstein, T. Lange, and C. Peters. Attacking and defending the McEliece cryptosystem. In Post-Quantum Cryptography, pages 31-46. Springer, 2008.
T. A Berson. Failure of the mceliece public-key cryptosystem under message-resend and related-message attack. In Proc Crypto, pages 213-220. Springer, 1997.
D. Boneh. Simplified OAEP for the RSA and rabin functions. In Advances in Cryptology-CRYPTO 2001, pages 275-291. Springer, 2001.
A. Canteaut and N. Sendrier. Cryptanalysis of the original mceliece cryptosystem. In International Conference on the Theory and Application of Cryptology and Information Security, pages 187-199. Springer, 1998.
N. Courtois, A. Klimov, J. Patarin, and A. Shamir. Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In EUROCRYPT 2000, pages 392-407. Springer, 2000.
A. Couvreur, P. Gaborit, V. Gauthier-Umaña, A. Otmani, and J.-P. Tillich. Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes. Designs, Codes and Cryptography, pages 1-26, 2013.
A. Couvreur, A. Otmañi, and J.-P. Tillich. Polynomial time attack on wild McEliece over quadratic extensions. In Advances in Cryptology-EUROCRYPT 2014, pages 17-39. Springer, 2014.
T. Cover. Enumerative source encoding. IEEE Transactions on Information Theory, 19(1):73-77, 1973.
J.-C. Faugere, V. Gauthier-Umaña, A. Otmani, L. Perret, and J.-P. Tillich. A distinguishes for high-rate mceliece cryptosystems. Information Theory, IEEE Transactions on, 59(10):6830-6844, 2013.
J.-C. Faugere, A. Otmani, L. Perret, and J.-P. Tillich. Algebraic cryptanalysis of McEliece variants with compact keys. In Eurocrypt 2010, pages 279-298. Springer, 2010.
J.-C. Faugere, L. Perret, and F. De Portzamparc. Algebraic attack against variants of mceliece with goppa polynomial of a special form. In Advances in Cryptology-ASIACRYPT 2014, pages 21-41. Springer, 2014.
E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes. In Annual International Cryptology Conference, pages 537-554. Springer, 1999.
C. Hall, I. Goldberg, and B. Schneier. Reaction attacks against several public-key cryptosystem. In International Conference on Information and Communications Security, pages 2-12. Springer, 1999.
K. Kobara and H. Imai. Semantically secure mceliece public-key cryptosystems-conversions for mceliece pkc. In International Workshop on Public Key Cryptography, pages 19-35. Springer, 2001.
P. J. Lee and E. F. Brickell. An observation on the security of McEliece's public-key cryptosystem. In EUROCRYPT'88, pages 275-280. Springer, 1988.
J. Leon. A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Trans. Information Theory, 34(5):1354-1359, 1988.
P. Loidreau and N. Sendrier. Some weak keys in mceliece public-key cryptosystem. In IEEE International symposium on Information Theory, pages 382-382. INSTITUTE OF ELECTRICAL ENGINEERS INC (IEEE), 1998.
R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN progress report, 42(44):114-116, 1978.
R. Misoczki, J.-P. Tillich, N. Sendrier, and P. Barreto. MDPC-McEliece: New McEliece variants from moderate density parity-check codes. In Proc. IEEE ISIT 2013, pages 2069-2073. IEEE, 2013.
H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Prob. Control and Information Theory, 15(2):159-166,1986.
C. Peters. Information-set decoding for linear codes over Fq. In Post-Quantum Cryptography, pages 81-94. Springer, 2010.
D. Pointcheval. Chosen-ciphertext security for any one-way cryptosystem. In International Workshop on Public Key Cryptography, pages 129-146. Springer, 2000.
E. Prange. The use of information sets in decoding cyclic codes. IRE Trans. Information Theory, 8(5):5-9, 1962.
N. Sendrier. Encoding information into constant weight words. In Proc. ISIT 2005, pages 435-438. IEEE, 2005.
V. Shoup. OAEP reconsidered. In CRYPTO 2001, pages 239-259. Springer, 2001.
V. M Sidelnikov and S. Shestakov. On insecurity of cryptosystems based on generalized Reed-Solomon codes. Discrete Mathematics and Applications, 2(4):439-444,1992.
J. Stem. A method for finding codewords of small weight. In Coding theory and applications, pages 106-113. Springer, 1989.
Y. Wang. Quantum resistant random linear code based public key encryption scheme RLCE. In 2016 IEEE International Symposium on Information Theory (ISIT), pages 2519-2523, July 2016.
The present invention relates to methods for public-key cryptography encryption schemes based on linear error correcting codes, and to corresponding encryption and decryption apparatus.
The present invention further relates to computerised methods and systems for encrypting and decrypting data using public key encryption techniques, and to computerised methods and systems for communications using such techniques, as well as other applications thereof. The basic types of things that the invention improves include two kinds of techniques. The first technique is a method and system to integrate randomness within linear error-correcting codes' generator matrices. The second technique is a method and system to use randomized generator matrices as public-keys for encryption schemes for secure communications.
Since McEliece encryption scheme (McEliece 1978) was introduced more than thirty years ago, it has withstood many attacks and still remains unbroken for general cases. It has been considered as one of the candidates for post-quantum cryptography since it is immune to existing quantum computer algorithm attacks. The original McEliece cryptographic system is based on binary Goppa codes. Several variants have been introduced to replace Goppa codes in the McEliece encryption scheme though most of them have been broken. Up to the writing of this invention, secure McEliece encryption schemes include MDPC/LDPC code based McEliece encryption schemes (Baldi 2008, Misoczki 2013), Wang's RLCE (2016), and the original binary Goppa code based McEliece encryption scheme. Sidelnikov and Shestakov (1992) showed that, for the generalized Reed-Solomon code based McEliece encryption scheme, one can efficiently recover the private parameters for the generalized Reed-Solomon code from the public key. Couvreur et al (2013) proposed a general distinguisher based filtration technique to recover keys for generalized Reed-Solomon code based McEliece scheme. The filtration attack was used by Couvreur et al (2014) and Faugere et al (2014) to attack Bernstein et al's (2011) wild Goppa code based McEliece scheme.
Unless specified otherwise, we will use q=pm where p=2 or p is a prime. Our discussion will be based on the field G F(q) through out this paper. Letters such as a, b, e, f, g are used to denote row or column vectors over CF(q). It should be clear from the context whether a specific letter represents a row vector or a column vector. Let k<n<q. The generalized Reed-Solomon code GRSk(x, y) of dimension k is defined as
GRS k(x,y)={(y0p(x0), . . . , yn−1p(xn−1)):p(x)∈ CF(q)[x],deg(p)<k}
where x=(x0 , . . . , xn−1)Å CF(q)n is an n-tuple of distinct elements and y=(y0 , . . . , yn−1)Å GF(q)n is an n-tuple of nonzero (not necessarily distinct) elements.
Several inventors have created several types of techniques to design improved McEliece type public key encryption schemes. U.S. patent application Ser. No. 15/270,824 by Wang (2016) discloses a protocol called RLCE Encryption scheme. The RLCE consists of the following three processes: RLCE.K eySetup, RLCE.Enc, and RLC E.Dec.
RLCE.KeySetup(n, k, d, t, r). Let n, k, d, t>0, and r>1 be given parameters such that n−k+1 ≥d≥2t+1. Let Gs=[g0 , . . . , gn−1] be a k×n generator matrix for an [n, k, d,] linear code such that there is an efficient decoding algorithm to correct at least t errors for this linear code given by Gs.
G
1
=[g
0
;C
0
;g
1
;C
1 . . . , gn−1,Cn−1]
be the k×n(r+1) matrix obtained by inserting the random matrices Ci into Cs.
be an n(r+1)×n(r+1) nonsingular matrix.
RLCE.Enc(G,m,e). For a row vector message m ∈ GF(q)k, choose a random row vector e=[e0 , . . . , en(r+1)−1]Å GF(q)n(r+1) such that the Hamming weight of e is at most t. The cipher text is c=mG+e.
RLCE.Dec(S,Gs, P, A, c). For a received cipher text c=[c0 , . . . , cn(r+1)−1], compute
cP
−1
A
−1
=mSG
1
+eP
−1
A
−1
=[c′
0
, . . . , c′
n(r+1)−1].
Let c′=[c′0, c′r+1 , . . . , c′(n−1)(r+1)] be the row vector of length n selected from the length n(r+1) row vector cP−1A−1. Then c′=mSGs+e′ for some error vector e′Å GF(q)n. Let e″=eP−1=[e″0 , . . . ; e″n(r+1)−1] and e″i=[e″i(r+1) , . . . , e″i(r+1)+r] be a sub-vector of e″ for i≤n−1. Then e′[i] is the first element of e″iAi−1. Thus e′[i]≠0 only if e″i is non-zero. Since there are at most t non-zero sub-vectors e″i, the Hamming weight of e′Å GF(q)n is at most t. Using the efficient decoding algorithm, one can compute m′=mS and m=m′S−1. Finally, calculate the Hamming weight w=weight (c−mG). If w≤t then output m as the decrypted plaintext. Otherwise, output error.
Though the RLCE scheme in Wang's patent application U.S. Ser. No. 15/270,824 is secure, it has the disadvantage that the public keys are extremely large and ciphertexts is very large also.
U.S. Pat. No. 9,191,199 B2 to Baldi, Bianchi, Chiaraluce, Rosenthal, and Schipani (2015) discloses a method for designing McEliece cryptosystem based public key encryption schemes by defining n×n transformation matrices Q with form Q=R+T, where the matrix R is a rank-z matrix and the matrix T is some other matrix rendering Q non-singular. Using this family of Q matrices instead of McEliece scheme's permutation matrices, the inventors proposed a cryptosystem using Goppa codes and RS codes. The afore mentioned patent is related to constructing McEliece type encryption schemes by modifying the permutation matrix content instead of adding randomness to the generator matrices columns and is limited in adding sufficient randomness in the public keys to make the scheme secure. U.S. Pat. No. 8,958,553 B2 to Tomlinson and Tjhai (2015) discloses a method for providing additional features to the original McEliece system which enhance the bandwidth efficiency. This patent assumes the existence of a secure McEliece type encryption scheme which is a very strong assumption. Thu this patent is very limited in applications. This patent is also published as the international patent WO2012066328 A1 (2012). The international patent WO2001050675 A2 to Kanter and Kanter (2001) discloses a method for randomly flipping some or all of the bits in a McEliece encryption public-key. This patent is limited in generating a sequence of public keys instead of one public keys. Thus it is not efficient in practice.
The goal of the present invention is to provide encryption and decryption methods of McEliece type which are capable of improving the security level of a cryptosystem. In this invention, the term “cryptosystem” is to be understood as relating to both a method of encryption and a corresponding method of decryption.
This objective is achieved by three methods: a method for creating a public key from a private linear code generator matrix, a method for encrypting a message to a ciphertext and a method for decrypting the ciphertext. The key generation and encryption methods of the present invention comprise the following steps:
For a more complete understanding of the invention, reference is made to the following description and accompanying drawings, in which:
The features, structures, or characteristics of the invention described throughout this specification may be combined in any suitable manner in one or more embodiments. For example, the usage of the phrases “certain embodiments,” “some embodiments,” or other similar language, throughout this specification refers to the fact that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the present invention.
In the following detailed description of the illustrative embodiments, reference is made to the accompanying drawings that form a part hereof. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention, and it is understood that other embodiments may be utilized and that logical or structural changes may be made to the invention without departing from the spirit or scope of this disclosure. To avoid detail not necessary to enable those skilled in the art to practice the embodiments described herein, the description may omit certain information known to those skilled in the art. The following detailed description is, therefore, not to be taken in a limiting sense.
The Random Linear Code based Encryption scheme RLCE reported in the present invention is described in the following paragraphs.
G
1
=[g
0
, g
1
; . . . , g
n−w
,C
0
. . . , g
n−1
,C
w−1] (1)
to be a k×(n+w) matrix by inserting random matrices C0, C1 , . . . , Cw−1 into Gs. The second random matrix selection engine 140 chooses dense nonsingular 2×2 matrices A0 , . . . ; An−1Å GF(q)2×2 uniformly at random and defines
to be an (n+w)×(n+w) nonsingular matrix. The engine 140 also chooses a random dense k×k nonsingular matrix S and chooses a random (n+w)×(n+w) permutation matrix P. The private key 150 is the tuple (S; Gs; P, A) and the public key 160 is the k×(n+w) matrix G=SG1AP.
yP
−1
A
−1
=[y′
0
, . . . , y′
n+w)−1
]=mSG
1
+eP
−1
A
−1.
Let y′=[y′0,y′1 , . . . , y′n−w, y′n−w+2; y′n−w+4 , . . . , y′n+w−2] be a length n row vector selected from the length n+w row vector yP−1A−1. Then y′=mSGs+e′ for some error vector e′Å GF(q)n where the Hamming weight of e′Å GF(q)n is at most t. Using the efficient decoding algorithm, the receiver computes m′=mS and m=m′S−1. Finally, the receiver calculates the Hamming weight w=weight(y−mG). If w≤t then the decryption engine 230 outputs m as the decrypted plaintext. Otherwise, the decryption engine 230 outputs an error. The RLCE scheme described above could be formally described as follows with three procedures: RLCE.KeySetup, RLCE.Enc, and RLCE.Dec.
RLCE.KeySetup(n,k,d,t,w). Let n, k,d,t>0, and w Å {1 , . . . , n} be given parameters such that n−k+1≤d≤2t+1. Let Gs be a k×n generator matrix for an [n,k,d] linear code C such that there is an efficient decoding algorithm to correct at least t errors for this linear code given by Gs. Let P1 be a randomly chosen n×n permutation matrix and GsP1=[g0 , . . . , gn−1].
G
1
=[g
0
, . . . , g
n−w
;r
0
, . . . , g
n−1
,r
w−1] (3)
be the k×(n+w) matrix obtained by inserting column vectors r, into Gs.
Å GF(q)2×2 be non-singular 2×2 matrices chosen uniformly at random such that ai,00ai,01ai,10ai,11 ≠0 for all i=0 , . . . , w−1. Let A=diag[1 , . . . , 1, A0 , . . . , Aw−1] be an (n+w)×(n+w) non-singular matrix.
RLCE.Enc(G, m, e). For a row vector message m Å GF(q)k, choose a random row vector e=[e0 , . . . , en+w−1] Å GF(q)n+w such that the Hamming weight of e is at most t. The cipher text is c=mG+e.
RLCE.Dec(S, Gs, P1, P2, A, c). For a received cipher text c=[c0 , . . . , cn+w−1], compute
cP
2
−1
A
−1
=mSG
1
+eP
2
−1
A
−1
=[c′
0
, . . . ; c′
n+w−1].
Let c′=[c′0, c′1 , . . . , c′n−w,c′n−w+2 , . . . ; c′n+w−2] be the row vector of length n selected from the length n+w row vector cP2−1A−1. Then c′P1−1=mSGs+e′ for some error vector e′ Å GF(q)n where the Hamming weight of e′ Å GF(q)n is at most t. Using an efficient decoding algorithm, one can recover mSGs from c′P1−1. Let D be a k×k inverse matrix of SG′s where G″s is the first k columns of Gs. Then m=c1D where c1 is the first k elements of mSGs. Finally, calculate the Hamming weight wt=wt (c−mG). If wt≤t then output m as the decrypted plaintext. Otherwise, output error.
To reduce RLCE scheme public key sizes, one can use a semantic secure message encoding approach (e.g., an IND-CCA2 padding scheme) so that the public key can be stored in a systematic matrix. For a McEliece encryption scheme over GF(q), one needs to store k(n−k) elements from F(q) for a systematic public key matrix instead of nk elements from GF(q) for a non-systematic generator matrix public key.
In a systematic RLCE encryption scheme, the decryption could be done more efficiently. In the RLCE decryption process, one recovers mSGs from c′P1−1=mSGs+e′ first. Let mSGsP1=(d0 , . . . , dn−1) and
cd =(d′0 , . . . , d′n+w)=(d0,d1 , . . . ; dn−w,⊥dn−w+1,⊥, . . . , dn−1;⊥)P2
be a length n+w vector. For each i<k such that d′i=dj for some j<n−w, we have mi=di. Let
I
R
={i:m
i is recovered via mSGs} and
Assume that |ĪR|=u. It suffices to recover the remaining u message symbols mi with i ∈ ĪR. In the following paragraphs, we present three approaches to recover these message symbols.
Decoding algorithm 0 for systematic RLCE encryption scheme: In the first approach, one recovers mS from mSGs first. Then one multiplies m′ with the corresponding u columns SĪ
Decoding algorithm 1 for systematic RLCE encryption scheme: Instead of recovering mS first, one may use public key to recover the remaining message symbols from mSGs directly. Let i0 , . . . , iu−1≥k be indices such that for each ij, we have d′i
m[g
i
, . . . , g
i
]=[d′
i
, . . . , d′
i
]
where gi
mPP
−1
[g
i
, . . . , g
i
]=(mI
where mI
where V is a (k−u)×u matrix and W is a u×u matrix. Then we have
m
Ī
W=[d′
i
, . . . , d′
i
]−m
I
V.
Furthermore, one may pre-compute the inverse of W and include W−1 in the private key. Then one can recover the message symbols
m
Ī
=([d′i
Decoding algorithm 2 for systematic RLCE encryption scheme: In practice, one may use a larger IR. Recall that in the RLCE decryption process, one recovers mSGs from c′P131 1=mSGs+e′ first. Let e′P1=(e0 , . . . , en−1) and
e
c=(e′0 , . . . , e′n+w)=(e0,e1 , . . . , en−w,ēn−w;en−w+1,ēn−w+1 , . . . , en−1, ēn−1)P2
be a length n+w vector. For each en−w+i
IRa32 IR∪{i<k:e′i=en−w+i
and ĪRa={0 , . . . , k−1}\IRa. Using the decoding algorithm 1 with (IR, ĪR) replaced by (IRa, ĪRa), one can then recover message symbols with indices in ĪRa. With a small probability, the message recovered via (IRa, ĪRa) might be incorrect. If this happens, one restarts the decoding process using the pair (IR; ĪR).
Defeating side-channel attacks: The decoding algorithm 2 described might be vulnerable to side-channel attacks. The attacker may generate ciphertexts with appropriately chosen error locations and watch whether the decoding time is significantly long (which means that the message recovered via (IRa; ĪRa) might be incorrect). This information may be used to recover part of the private permutation P2. If such kind of attacks needs to be defeated, then one should not use the decoding algorithm 2.
For the decoding algorithms 0 and 1, the value u is dependent on the choice of the private permutation P2. Though the leakage of the size of u is not sufficient for the adversary to recover P2 or to carry out other attacks against RLCE scheme, this kind of side-channel information leakage could be easily defeated. Table 0.1 lists the values of u0 such that, for each scheme, the value of u is smaller than u0 for 90% of the choices of P2 where the RLCE ID is the scheme ID described in Table 0.3. Thus one can select P2 in such a way that u is smaller than the given u0 of Table 0.1. Furthermore, during the decoding process, one can use dummy computations so that the decoding time is the same as the decoding time for u=u0.
Similar to most cryptographic systems, each type of McElience schemes may contain some weak keys and one should avoid using these weak keys when setting up the scheme. For example, Loidreau (1998) pointed out some weak keys for binary Goppa code based McElience schemes. The second straightforward observation is that one can modify an McElience encryption scheme ciphertext c=mG+e without knowing the message m. For example, one can obtain a valid ciphertext for a message m+m′ by setting c′=c+m′G. This kind of attacks could be defeated by using IND-CCA2-secure message padding schemes which will be discussed in the next Section.
Information-set decoding (ISD) is one of the most important message recovery attacks on McEliece encryption schemes. The state-of-the-art ISD attack for non-binary McEliece scheme is the one presented in Peters (2010), which is an improved version of Stern's algorithm (1989). Peters's attack (2010) also integrated analysis techniques for ISD attacks on binary McEliece scheme discussed in literature. For the RLCE encryption scheme, the ISD attack is based on the number of columns in the public key G instead of the number of columns in the private key Gs. The cost of ISD attack on an [n, k, t; w]-RLCE scheme is equivalent to the cost of ISD attack on an [n+w, k; t]-McEliece scheme.
For the naive ISD, one first uniformly selects k columns from the public key and checks whether it is invertible. If it is invertible, one multiplies the inverse with the corresponding ciphertext values in these coordinates that correspond to the k columns of the public key. If these coordinates contain no errors in the ciphertext, one recovers the plain text. To be conservative, we may assume that randomly selected k columns from the public key is invertible. For each k x k matrix inversion, Strassen algorithm takes O(k2.807) field operations (though Coppersmith-Winograd algorithm takes O(k2.376) field operations in theory, it may not be practical for the matrices involved in RLCE encryption schemes). In a summary, the naive information-set decoding algorithm takes approximately 2k′
and I(x)=−x log2(x)−(1−x) log2(1−x) is the binary entropy of x. There are several improved ISD algorithms in the literature. These improved ISD algorithms allow a small number of error positions within the selected k ciphertext values or select k+δ columns of the public key matrix for a small number δ>0 or both. Peters (2010) provided a script to calculate the security strength of a McEliece encryption scheme using the improved ISD algorithms. For the security strength 128≤κc≤256, our experiment shows that generally we have κ,′c−10≤κ,c≤κ,′c−4.
An RLCE scheme is said to have quantum security level κq if the expected running time (or circuit depth) to decrypt an RLCE ciphertext using Grover's algorithm based ISD is 2κ
Grover iterations and O (l) qubits. Specifically, Grover's algorithm converts the function ƒ to a reversible circuit Cƒ and calculates
in each of the Grover iterations, where |x is an l-qubit register. Thus the total steps for Grover's algorithm is bounded by
For the RLCE scheme, quantum ISD could be carried out similarly as in Bernstein (2010). One first uniformly selects k columns from the public key and checks whether it is invertible. If it is invertible, one multiplies the inverse with the ciphertext. If these coordinates contain no errors in the ciphertext, one recovers the plain text. Though Grover's algorithm requires that the function ƒ evaluate to 1 on only one of the inputs, there are several approaches (see, e.g., Grassl et al (2016)) to cope with cases that ƒ evaluates to 1 on multiple inputs.
For randomly ‘selected k columns from a RLCE encryption scheme public key, the probability that the ciphertext contains no errors in these positions is
the quantum ISD algorithm requires
Grover iterations. For each Grover iteration, the function ƒ needs to carry out the following computations:
steps for the simple ISD algorithm against RLCE encryption scheme. Advanced quantum ISD techniques may be developed based on improved ISD algorithms. However our analysis shows that the reduction on the quantum security is marginal. For each of the recommended schemes in Table 0.3, the row (κ′c,κ,q) in Table 0.2 shows the security strength under the classical ISD and classical quantum ISD attacks. For example, the RLCE scheme with ID=1 in Table 0.3 has 139-bits security strength under classical ISD attacks and 89-bits security strength under quantum ISD attacks.
In this paragraph, we consider improved ISD attacks. We first briefly review
Stern's (1989) algorithm. Let the k×(n+w) matrix G be the public key and c be an RLCE scheme ciphertext. Let
be a (k+1)×(n+w) matrix. Stern's algorithm will find the minimal weight code e that is generated by Ge. It is straightforward to show that e is the error vector for the ciphertext c. Stern's information set decoding algorithm for finding the vector e is as follows.
G
e
P
i
, . . . , i
k
,j
1
, . . . , j
l=(gi
where Gr is a (k+1)×(n+w−k−l) matrix.
G
E
=E(GePi
where S is a (k+1)×(k+1) matrix.
It is noted that if we take p=l=0, then Stern's algorithm is the naive ISD algorithm that we have discussed in the preceding section. For the convenience of analysis, we assume that pl>0 in the following discussion. The algorithm takes approximately
iterations. For each iteration, Step 4 takes (2n+2w−k)k2 field operations, and Step 5 takes 2(pk/2) (q−1)pl(k+1) field operations. For each iteration, Step 6 runs (pk/2)2(q−1)2p−l times approximately and each runs takes (n−k−l)(k+1) field operations. In a summary, Stern's ISD takes approximately 2κ
κc=minp,l{log2(SI((2n+2w−k)k2+2(pk/2)(q−1)pl(k+1) +(pk/2)2(q−1)2p−l(n−k−l))}. (7)
Our experiments show that for RLCE schemes that we have interest in, the equation (7) is always achieved with p=1 and l=3. For quantum version of Stern's ISD algorithm, the Grover's algorithm could be used to reduce the iteration steps to √{square root over (Sr)}. Thus the quantum security level under Stem attacks is approximately
κq=minp,l,{log2 (√{square root over (S1)}((2n+2w−k)k2+2(pk/2)(q−1)pl(k+1)+(pk/2)2(q−1)2p−l(n−l−l))}. (8)
In order to speed up Stern's algorithm, Peters (2010) considers the following improvement:
Using distinguisher techniques by Faugere (2013), Couvreur et al. (2013) designed a filtration technique to attack GRS code based McEliece scheme. The filtration technique was further developed by Couvreur et al (2014) to attack wild Goppa code based McEliece scheme. In the following, we briefly review the filtration attack in Ccouvreur et al (2014). For two codes C1 and C2 of length n, the star product code C1*C2 is the vector space spanned by a*b for all pairs (a, b) ∈ C1×C2 where
a*b=[a
0
b
0
, a
1
b
1
, . . . , a
n−1
b
n−1].
For the square code C2=C*C of C, we have
For an [n, k] GRS code C, let a, b ∈ GRSk(x, y) where a=(y0p1(x0), . . . , yn−1p1(xn−1)) and b=(y0p2(x0), . . . , yn−1p2(xn−1)). Then a*b=(y02p1(x0)p2(x0), . . . , yn−12p1(xn−1)p2(xn−1)). Thus GRSk(x, y)2 ⊆ GRS2k−1(x, y*y) where we assume 2k−1≤n.
Let G be the public key for an (n, k, d, t, w) RLCE encryption scheme based on a GRS code. Let C be the code generated by the rows of G. Let D1 be the code with a generator matrix D1 obtained from G by replacing the randomized 2w columns with all-zero columns and let D2 be the code with a generator matrix D2 obtained from G by replacing the n−w non-randomized columns with zero columns. Since C⊂D1+D2 and the pair (D1, D2) is an orthogonal pair, we have C2⊂D22+D. It follows that
2k−1≤dim C2≤min{2k−1,n−w}2w (9)
where we assume that 2w≤k2. In the following discussion, we assume that the 2w randomized columns in D2 behave like random columns in the filtration attacks. We first consider the simple case of k≥n−w. In this case, we have dim C2=D12+D22=n−w+D22=n+w. Furthermore, for any code C′ of length n′ that is obtained from C using code puncturing and code shortening, we have dim C′2=n′. Thus filtration techniques could not be used to recover any non-randomized columns in D1.
Next we consider the case for k<n−w. For this case, we distinguish two sub-cases: n−w≥2k and n−w<2k. For the case n−w≥2k, let Ci be the punctured C code at position i. We distinguish the following two cases:
Now we consider the case of k<n−w<2k. In order to carry out filtration attacks, we need to shorten the code C at certain locations. Assume that we shorten l<k−1 columns from G. Among the l=l1+l2 columns, l1 columns are non-randomized columns from D1 and l2 columns are randomized columns from D2. Then the shortened code has dimension
d
l,l
=min{(k−l)2, min{2(k−l1)−1,n−w−l1,(k−l)2}+min{2w−l2,(k−l)2}}. (10)
A necessary condition for the filtration attack to be observable is that, after the shortening of the l1 columns in D1, the following condition is satisfied
d
l,l
=2(k−l1)−1+min{2w−l2,(k−l)2}. (11)
Thus for a given l, the probability for the filtration attack to be successful is bounded by the probability
where λ(dl,l
Let
κn,k,wƒ=log2 min{PFn,k,w,l:2k−n+w≤l≤k−2}. (12)
Then in order to guarantee that the RLCE scheme is secure against filtration attacks, the parameters should be chosen in such a way that “n−w≤k” or “n−w<2k and κc≤κn,k,wƒ.”
Filtration attacks could be combined with Grover's quantum search algorithm. The quantum Filtration attacks works in the same way as the filtration attack that we have discussed in the preceding paragraph except that one uses Grover's quantum computer to select 1 columns from the public key C. It can be shown that, under quantum filtration attacks, the attack against the RLCE scheme takes
steps.
For each of the recommended schemes in Table 0.3, the row (κn,k,wƒ, κqƒ) in Table 0.2 shows the security strength under the filtration attack and quantum filtration attacks. For example, the RLCE scheme with ID=1 in Table 0.3 has 128-bits security strength under filtration attacks and 85-bits security strength under quantum filtration attacks.
We mentioned several attacks on RLCE schemes in the preceding paragraphs. To avoid these attacks, it is necessary to use message padding schemes so that the encryption scheme is secure against adaptive chosen ciphertext attacks (IND-CCA2).
We first analyze the amount of information that could be encoded within each ciphertext. Let (n, k, t, w) be the parameters where the public key is of dimension k×(n+w) and G F(q) (with q=2m) be the underlying finite field. There are three approaches to encode messages within the ciphertext.
candidates for the choice of non-zero entries within e, we can encode
bits information within each ciphertext.
The basicEncoding approach is straightforward. For the mediumEncoding, after one recovers the vector m, one needs to compute mG−c to obtain the values of ei
where Wn+w,t ⊆ GF(2)n+w is the set of all (n+w)-bit binary string of weight t. For the invertible function φ in (14), one may use the enumerative source encoding construction in Cover (1973):
where
and 0≤i1<i2<. . . <it<n+w are the positions of ones. The function φ could be evaluated with the cost of
operations (see, e.g., Sendrier 2005).
We assume that the message bandwidth is mLen-bits for each ciphertext. We present two efficient IND-CCA2 padding schemes for the RLCE encryption scheme. Our padding schemes are adapted from the well analyzed Optimal Asymmetric Encryption Padding (OAEP) for RSA/Rabin encryption schemes and its variants OAEP+(Shoup 2001) and SAEP+(Boneh 2001). The first simple padding scheme RLCEspad is a one-round of a Feistel network that is similar to SAEP+. RLCEspad could be used to encrypt short messages (e.g., mLen/4-bits) and is sufficient for applications such as symmetric key transportation using the RLCE public key encryption scheme. The second padding scheme RLCEpad is a two-round Feistel network that is similar to OAEP+. RLCEpad could be used to encrypt messages that are almost as long as mLen-bits. In the following discussions, we assume that messages are binary strings. After padding, it will be converted to field elements and/or other information required for the RLCE scheme. For a RLCE setup process RLCE.KeySetup(n, k, d, t, w), let k×(n+w) matrix G be a public key and (S, Gs, P1, P2, A) be a corresponding private key. The RLCEspad proceeds as follows.
Specifically, RLCEspad could be described for various encoding methods that we have discussed in the preceding paragraphs. We distinguish the following three cases:
y=((m∥H1(m,r,e))⊕H2(r,e))∥r (15)
Convert y to an element yl ∈ GF(q)k. Let the ciphertext be c=y1G+e.
y=((m∥H1(m,r,e0)) ⊕ H2(r,e0))∥r. (16)
Assuming the hardness of decoding RLCE ciphertexts, a similar proof as in Boneh (2001) could be used to show that RLCE-RLCEspad scheme is secure against IND-CCA2 attacks. As an example with κc=128 bits security RLCE scheme (600, 464, 68) over GF(210) in Table 0.3, we use k1=k2=160-bytes for mediumEncoding and k1=k2=170-bytes for advancedEncoding.
Specifically, RLCEpad could be described for various encoding methods that we have discussed in the preceding paragraphs. We distinguish the following three cases:
y=((m∥H1(m,r,e)) ⊕ H2(r,e))∥r⊕ H3(((m∥H1(m,r,e)) ⊕ H2(r,e))) (17)
Convert y to an element y1 ∈ GF(q)k. Let the ciphertext be c=y1G+e.
y=((m∥H1(m, r, e0)) ⊕ H2(r, e0))∥(r⊕H 3((m∥H1(m,r,e0)) ⊕ H2(r,e0))) (18)
Convert y to an element y1 ∈ GF(q)k and an element el ∈ GF(q)t. Integrate el within e0 to form an error vector e ∈ GF(q)n+w of weight t. Let the ciphertext be c=y1G+e.
y=((m∥H1(m,r))⊕ H2(r))∥(r⊕ H3((m∥H1(m,r))⊕ H2(r))) (19)
Convert y to an element y1 ∈ GF(q)k and a vector e ∈ GF(q)n+w of weight t. Let the ciphertext be c=y1G+e.
Assuming the hardness of decoding RLCE ciphertexts, a similar proof as in Shoup (2001) could be used to show that RLCE-RLCEpad scheme is secure against IND-CCA2 attacks. As an example with κ=128 bits security RLCE scheme (600, 464, 68) over GF(210) in Table 0.3, we use k2=32-bytes and k3=33-bytes for both mediumEncoding and advancedEncoding.
Note that either error positions e0 or error vector e is used in the RLCEspad/RLCEpad schemes and the message recipient needs to have the exact e0 or e for message decoding. In case that the randomly generated error values contain zero field elements, the corresponding error positions will be unavailable for the recipient. To avoid this potential issue, the message encryption process needs to guarantee that error values should never be zero. A simple approach to address this challenge is when calculated error values (using the given random value r) contain zero field elements, one revises the random value r to a new value and tries the padding approach again. This process continues until all error values are non-zero.
Taking into account of the cost of Sidelnikov-Shestakov attacks, the cost of recovering McEliece encryption scheme secret keys from the public keys, and the cost of recovering plaintext messages from ciphertexts using the information-set decoding methods, we generated a recommended list of parameters for RLCE scheme in Table 0.3. In particular, the recommendation takes into account of the conditions for avoiding improved classical and quantum information set decoding, the conditions for avoiding Sidelnikov-Shestakov attacks, the conditions for filtration attacks (with or without brute force), the cost of recovering McEliece encryption scheme secret keys from the public keys, and the cost of recovering plaintext messages from ciphertexts. In Table 0.3, n, denotes the conventional security strength and κq denotes the quantum security strength. For example, κc=128 means an equivalent security of AES-128. The recommended parameters is based on any underlying MDS linear code (e.g., GRS code) over GF(q) where q=2[log
In Table 0.3, the schemes with ID=0, 1, 2, 3, 4, 5, 6 are for MDS codes with
The scheme with ID=6 is for testing purpose only.
Table 0.3 also lists the message bandwidth and message padding scheme parameters
for the recommended schemes. In case that v=8(k1+k2+k3)−mLeni>0, the last v-bits of the k3-bytes random seed r should be set to zero and the last v-bit of the encoded string y is discarded. For RLCEspad with v>0, the encoding and decoding process are straightforward. For RLCEpad with v>0, the decoding process produces an encoded string y with last v-bits missing. After using H3 to hash the first part of y resulting in k3-bytes hash output, one discards the last v-bits from the hash output and ⊕ the remaining (8k3−v)-bits with the second half of y to obtain the (8k3−v)-bits of r without the v-bits zero trailer. In the column for sk, the first row is the private key size for RLCE scheme with decoding algorithm 1 and 3. The second row is the private key size for RLCE scheme with decoding algorithm 2.
This application is entitled to the benefit of Provisional Patent Application Ser. No. U.S. 62/435,151 filed on Dec. 16, 2016.
Number | Date | Country | |
---|---|---|---|
62435151 | Dec 2016 | US |