49
Code-Based Cryptography Error-Correcting Codes and Cryptography 0 I. Márquez-Corbella
Code-Based CryptographyError-Correcting Codes and Cryptography
0I. Márquez-Corbella
1. Error-Correcting Codes and Cryptography
1. Introduction I - Cryptography2. Introduction II - Coding Theory3. Encoding (Linear Transformation)4. Parity Checking5. Error Correcting Capacity6. Decoding (A Difficult Problem)7. Reed-Solomon Codes8. Goppa Codes9. McEliece Cryptosystem
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY
Decoder
Received Space
y = m G + e ∈ Fnq
Valid codeword(in C)
Encoding matrix
Noise
DECODER Message Spacem ∈ Fk
q
Decoder( Encoder ( Message )︸ ︷︷ ︸codeword
+ Noise ) = Message
1
Decoder
Received Space
y = m G + e ∈ Fnq
Valid codeword(in C)
Encoding matrix
Noise
DECODER Message Spacem ∈ Fk
q
Decoder( Encoder ( Message )︸ ︷︷ ︸codeword
+ Noise ) = Message
1
Decoder
Received Space
y = m G + e ∈ Fnq
Valid codeword(in C)
Encoding matrix
Noise
DECODER Message Spacem ∈ Fk
q
Decoder( Encoder ( Message )︸ ︷︷ ︸codeword
+ Noise ) = Message
1
Minimum Distance Decoding (MDD)
Messagem ∈ Fk
q
k
Encod
ing
matrix
G∈ F
k×n
q
n
k
+Noisee ∈ Fn
q
n
=Received vector
y = mG + e
n
Instances:Ü A matrix G ∈ Fk×n
q (generator matrix for C)Ü A received vector y ∈ Fn
q
Output:
(Search - MDD): Find m ∈ Fkq to minimize
dH
(y , mG
)
2
Minimum Distance Decoding (MDD)
Messagem ∈ Fk
q
k
Encod
ing
matrix
G∈ F
k×n
q
n
k
+Noisee ∈ Fn
q
n
=Received vector
y = mG + e
n
Instances:Ü A matrix G ∈ Fk×n
q (generator matrix for C)Ü A received vector y ∈ Fn
q
Output:
(Search - MDD): Find m ∈ Fkq to minimize
dH
(y , mG
)
2
Minimum Distance Decoding (MDD)
Messagem ∈ Fk
q
k
Encod
ing
matrix
G∈ F
k×n
q
n
k
+Noisee ∈ Fn
q
n
=Received vector
y = mG + e
n
Instances:Ü A matrix G ∈ Fk×n
q (generator matrix for C)Ü A received vector y ∈ Fn
q
Output:
(Search - MDD): Find m ∈ Fkq to minimize
dH
(y , mG
)2
Brute Force
Let y bethe received word
cN
...
c2
c1
with N = qk
dH(cN , y)
dH(c2, y)dH(c1, y)
Return: ci such thatdH(ci , y) is minimized
The complexity is O(nqk
)
First idea: Brute ForceCompute the Hamming distance of the received word with all codewords.
1. Enumerate all codewords of C.2. If y is the received word.
Compute the Hamming distance dH(c, y) , ∀c ∈ C3. Return the codeword that minimizes dH
3
Brute Force
Let y bethe received word
cN
...
c2
c1
with N = qk
dH(cN , y)
dH(c2, y)dH(c1, y)
Return: ci such thatdH(ci , y) is minimized
The complexity is O(nqk
)
First idea: Brute ForceCompute the Hamming distance of the received word with all codewords.
1. Enumerate all codewords of C.
2. If y is the received word.Compute the Hamming distance dH(c, y) , ∀c ∈ C
3. Return the codeword that minimizes dH
3
Brute Force
Let y bethe received word
cN
...
c2
c1
with N = qk
dH(cN , y)
dH(c2, y)dH(c1, y)
Return: ci such thatdH(ci , y) is minimized
The complexity is O(nqk
)
First idea: Brute ForceCompute the Hamming distance of the received word with all codewords.
1. Enumerate all codewords of C.2. If y is the received word.
Compute the Hamming distance dH(c, y) , ∀c ∈ C
3. Return the codeword that minimizes dH
3
Brute Force
Let y bethe received word
cN
...
c2
c1
with N = qk
dH(cN , y)
dH(c2, y)dH(c1, y)
Return: ci such thatdH(ci , y) is minimized
The complexity is O(nqk
)
First idea: Brute ForceCompute the Hamming distance of the received word with all codewords.
1. Enumerate all codewords of C.2. If y is the received word.
Compute the Hamming distance dH(c, y) , ∀c ∈ C3. Return the codeword that minimizes dH
3
Brute Force
Let y bethe received word
cN
...
c2
c1
with N = qk
dH(cN , y)
dH(c2, y)dH(c1, y)
Return: ci such thatdH(ci , y) is minimized
The complexity is O(nqk
)
First idea: Brute ForceCompute the Hamming distance of the received word with all codewords.
1. Enumerate all codewords of C.2. If y is the received word.
Compute the Hamming distance dH(c, y) , ∀c ∈ C3. Return the codeword that minimizes dH
3
SyndromeLet C be an [n, k ]q code with parity check matrix H
c ∈ C =⇒ HcT = 0
Syndrome of a vector
The syndrome of a vector x ∈ Fnq is the vector S(x) = HxT ∈ Fn−k
q
sent codeword
y = c + e
received word error vector
H y T= H( c + e )T = H c T︸ ︷︷ ︸
=0
+H e T= H e T
4
SyndromeLet C be an [n, k ]q code with parity check matrix H
c ∈ C =⇒ HcT = 0
Syndrome of a vector
The syndrome of a vector x ∈ Fnq is the vector S(x) = HxT ∈ Fn−k
q
sent codeword
y = c + e
received word error vector
H y T= H( c + e )T = H c T︸ ︷︷ ︸
=0
+H e T= H e T
4
SyndromeLet C be an [n, k ]q code with parity check matrix H
c ∈ C =⇒ HcT = 0
Syndrome of a vector
The syndrome of a vector x ∈ Fnq is the vector S(x) = HxT ∈ Fn−k
q
sent codeword
y = c + e
received word error vector
H y T= H( c + e )T = H c T︸ ︷︷ ︸
=0
+H e T= H e T
4
Syndrome Decoding - Lookup table
Let y bethe received word
S(eN) = SN
...
S(e2) = S2
S(e1) = S1
If Si = S(y), Return: y− ei
Suppose we want to correct all patterns of ≤ t errors
1. Precompute the syndrome corresponding to 0, 1, . . . , tNumber of Syndromes to pre-compute and store:(
n0
)+ (q − 1)
(n1
)+ (q − 1)2
(n2
)+ . . . + (q − 1)t
(nt
)
2. Compute the Syndrome of the received word S(y)Ü If there exists e ∈ Fn
q with wH(e) ≤ t : S(e) = S(y) =⇒ Return: y− eÜ Otherwise, =⇒ Return: FAILURE
5
Syndrome Decoding - Lookup table
Let y bethe received word
S(eN) = SN
...
S(e2) = S2
S(e1) = S1
If Si = S(y), Return: y− ei
Suppose we want to correct all patterns of ≤ t errors1. Precompute the syndrome corresponding to 0, 1, . . . , t
Number of Syndromes to pre-compute and store:(n0
)+ (q − 1)
(n1
)+ (q − 1)2
(n2
)+ . . . + (q − 1)t
(nt
)
2. Compute the Syndrome of the received word S(y)Ü If there exists e ∈ Fn
q with wH(e) ≤ t : S(e) = S(y) =⇒ Return: y− eÜ Otherwise, =⇒ Return: FAILURE
5
Syndrome Decoding - Lookup table
Let y bethe received word
S(eN) = SN
...
S(e2) = S2
S(e1) = S1
If Si = S(y), Return: y− ei
Suppose we want to correct all patterns of ≤ t errors1. Precompute the syndrome corresponding to 0, 1, . . . , t
Number of Syndromes to pre-compute and store:(n0
)+ (q − 1)
(n1
)+ (q − 1)2
(n2
)+ . . . + (q − 1)t
(nt
)
2. Compute the Syndrome of the received word S(y)Ü If there exists e ∈ Fn
q with wH(e) ≤ t : S(e) = S(y) =⇒ Return: y− eÜ Otherwise, =⇒ Return: FAILURE5
Gilbert-Varshamov bound
GV bound
d−2∑i=0
(q − 1)i
(n − 1
i
)< qn−k =⇒ Exists an [n, k , d ]q code
Proof:
Let H ∈ F(n−k)×nq be a parity check matrix of C
every d − 1 columns of Hare Linear independent
We construct by induction the columns h1, . . . , hn ∈ Fn−kq of H.
6
Gilbert-Varshamov bound
GV bound
d−2∑i=0
(q − 1)i
(n − 1
i
)< qn−k =⇒ Exists an [n, k , d ]q code
Proof:
Let H ∈ F(n−k)×nq be a parity check matrix of C
every d − 1 columns of Hare Linear independent
We construct by induction the columns h1, . . . , hn ∈ Fn−kq of H.
6
Gilbert-Varshamov bound
GV bound
d−2∑i=0
(q − 1)i
(n − 1
i
)< qn−k =⇒ Exists an [n, k , d ]q code
Proof:
Let H ∈ F(n−k)×nq be a parity check matrix of C
every d − 1 columns of Hare Linear independent
We construct by induction the columns h1, . . . , hn ∈ Fn−kq of H.
6
Gilbert-Varshamov bound
GV bound
d−2∑i=0
(q − 1)i
(n − 1
i
)< qn−k =⇒ Exists an [n, k , d ]q code
Proof:
Let H ∈ F(n−k)×nq be a parity check matrix of C
every d − 1 columns of Hare Linear independent
We construct by induction the columns h1, . . . , hn ∈ Fn−kq of H.
6
Proof (Part II)We choose:
• h1 ∈ Fn−kq any nonzero vector
• h2 ∈ Fn−kq any vector that is NOT a multiple of h1
• . . .• hj ∈ Fn−k
q any vector that is NOT a LC of ≤ (d − 2) of{h1, . . . , hj−1
}Let j < n. Exists hj+1 with the above property if:
Number of LC of ≤ (d − 2)of {h1, . . . , hj}
Total number of vectorsin Fn
q but one
≤ qn−k − 1
7
Proof (Part II)We choose:
• h1 ∈ Fn−kq any nonzero vector
• h2 ∈ Fn−kq any vector that is NOT a multiple of h1
• . . .• hj ∈ Fn−k
q any vector that is NOT a LC of ≤ (d − 2) of{h1, . . . , hj−1
}Let j < n. Exists hj+1 with the above property if:
Number of LC of ≤ (d − 2)of {h1, . . . , hj}
Total number of vectorsin Fn
q but one
≤ qn−k − 1
7
Proof (Part II)We choose:
• h1 ∈ Fn−kq any nonzero vector
• h2 ∈ Fn−kq any vector that is NOT a multiple of h1
• . . .• hj ∈ Fn−k
q any vector that is NOT a LC of ≤ (d − 2) of{h1, . . . , hj−1
}Let j < n. Exists hj+1 with the above property if:
Number of LC of ≤ (d − 2)of {h1, . . . , hj}
Total number of vectorsin Fn
q but one
≤ qn−k − 1
7
Proof (Part II)We choose:
• h1 ∈ Fn−kq any nonzero vector
• h2 ∈ Fn−kq any vector that is NOT a multiple of h1
• . . .• hj ∈ Fn−k
q any vector that is NOT a LC of ≤ (d − 2) of{h1, . . . , hj−1
}
Let j < n. Exists hj+1 with the above property if:
Number of LC of ≤ (d − 2)of {h1, . . . , hj}
Total number of vectorsin Fn
q but one
≤ qn−k − 1
7
Proof (Part II)We choose:
• h1 ∈ Fn−kq any nonzero vector
• h2 ∈ Fn−kq any vector that is NOT a multiple of h1
• . . .• hj ∈ Fn−k
q any vector that is NOT a LC of ≤ (d − 2) of{h1, . . . , hj−1
}Let j < n. Exists hj+1 with the above property if:
Number of LC of ≤ (d − 2)of {h1, . . . , hj}
Total number of vectorsin Fn
q but one
≤ qn−k − 1d−2∑i=0
ji
(q − 1)i
7
Proof (Part II)We choose:
• h1 ∈ Fn−kq any nonzero vector
• h2 ∈ Fn−kq any vector that is NOT a multiple of h1
• . . .• hj ∈ Fn−k
q any vector that is NOT a LC of ≤ (d − 2) of{h1, . . . , hj−1
}Let j < n. Exists hj+1 with the above property if:
Number of LC of ≤ (d − 2)of {h1, . . . , hj}
Total number of vectorsin Fn
q but one
≤ qn−k − 1d−2∑i=0
n − 1i
(q − 1)i
7
Gilbert Varshamov distance
Gilbert-Varshamov (GV) distanceThe GV distance of an [n, k ]q code is the maximal integer d0 such that:
d0−1∑i=0
(ni
)(q − 1)i ≤ qn−k
8
Number of codewords of a given weight
Aw(C) = | {c ∈ C | wH(c) = w} |
Distinct codewords in Cof weight exactly w
In a binary random code: E[Aw(C)] =(n
w
)|C|
2n =
(nw
)2n−k
In average:
Exists c ∈ C with wH(c) = w ⇐⇒(
nw
)> 2n−k
⇐⇒ w is closed tothe GV distance
9
Number of codewords of a given weight
Aw(C) = | {c ∈ C | wH(c) = w} |
Distinct codewords in Cof weight exactly w
In a binary random code: E[Aw(C)] =(n
w
)|C|
2n =
(nw
)2n−k
In average:
Exists c ∈ C with wH(c) = w ⇐⇒(
nw
)> 2n−k
⇐⇒ w is closed tothe GV distance
9
Number of codewords of a given weight
Aw(C) = | {c ∈ C | wH(c) = w} |
Distinct codewords in Cof weight exactly w
In a binary random code: E[Aw(C)] =(n
w
)|C|
2n =
(nw
)2n−k
In average:
Exists c ∈ C with wH(c) = w ⇐⇒(
nw
)> 2n−k
⇐⇒ w is closed tothe GV distance
9
The Syndrome Decoding (SD) problemThe Syndrome Decoding (SD) problem
Output(Decision): Does e ∈ Fn
2 of wH(e) ≤ w such that eHT = s exists? NP-complete(Computational): Find e ∈ Fn
2 of wH(e) ≤ w such that eHT = s NP-difficult
E. R. Berlekamp, R. J. McEliece and H. C. A. van Tilborg.On the Inherent Intractability of Certain Coding Problems.IEEE Trans. Inf. Theory. Vol. 24, pp. 384-386, 1978.
A. Barg.Complexity Issues in Coding Theory.Chapter 7, in Handbock of Coding Theory, 1998.
Hn − k
n
e×
= s
Input:
Ü A matrix H ∈ F(n−k)×n2
Ü A syndrome s ∈ Fn−k2
Ü A weight w ∈ Z
10
The Syndrome Decoding (SD) problemThe Syndrome Decoding (SD) problem
Output(Decision): Does e ∈ Fn
2 of wH(e) ≤ w such that eHT = s exists? NP-complete(Computational): Find e ∈ Fn
2 of wH(e) ≤ w such that eHT = s NP-difficult
E. R. Berlekamp, R. J. McEliece and H. C. A. van Tilborg.On the Inherent Intractability of Certain Coding Problems.IEEE Trans. Inf. Theory. Vol. 24, pp. 384-386, 1978.
A. Barg.Complexity Issues in Coding Theory.Chapter 7, in Handbock of Coding Theory, 1998.
Hn − k
n
e×
= s
Input:
Ü A matrix H ∈ F(n−k)×n2
Ü A syndrome s ∈ Fn−k2
Ü A weight w ∈ Z
10
The Syndrome Decoding (SD) problemThe Syndrome Decoding (SD) problem
Output(Decision): Does e ∈ Fn
2 of wH(e) ≤ w such that eHT = s exists? NP-complete(Computational): Find e ∈ Fn
2 of wH(e) ≤ w such that eHT = s NP-difficult
E. R. Berlekamp, R. J. McEliece and H. C. A. van Tilborg.On the Inherent Intractability of Certain Coding Problems.IEEE Trans. Inf. Theory. Vol. 24, pp. 384-386, 1978.
A. Barg.Complexity Issues in Coding Theory.Chapter 7, in Handbock of Coding Theory, 1998.
Hn − k
n
e×
= s
Input:
Ü A matrix H ∈ F(n−k)×n2
Ü A syndrome s ∈ Fn−k2
Ü A weight w ∈ Z
10
The Syndrome Decoding (SD) problemThe Syndrome Decoding (SD) problem
Output(Decision): Does e ∈ Fn
2 of wH(e) ≤ w such that eHT = s exists? NP-complete(Computational): Find e ∈ Fn
2 of wH(e) ≤ w such that eHT = s NP-difficult
E. R. Berlekamp, R. J. McEliece and H. C. A. van Tilborg.On the Inherent Intractability of Certain Coding Problems.IEEE Trans. Inf. Theory. Vol. 24, pp. 384-386, 1978.
A. Barg.Complexity Issues in Coding Theory.Chapter 7, in Handbock of Coding Theory, 1998.
Hn − k
n
e×
= s
Input:
Ü A matrix H ∈ F(n−k)×n2
Ü A syndrome s ∈ Fn−k2
Ü A weight w ∈ Z
10
The Syndrome Decoding (SD) problemThe Syndrome Decoding (SD) problem
Output(Decision): Does e ∈ Fn
2 of wH(e) ≤ w such that eHT = s exists? NP-complete
(Computational): Find e ∈ Fn2 of wH(e) ≤ w such that eHT = s NP-difficult
E. R. Berlekamp, R. J. McEliece and H. C. A. van Tilborg.On the Inherent Intractability of Certain Coding Problems.IEEE Trans. Inf. Theory. Vol. 24, pp. 384-386, 1978.
A. Barg.Complexity Issues in Coding Theory.Chapter 7, in Handbock of Coding Theory, 1998.
Hn − k
n
e×
= s
Input:
Ü A matrix H ∈ F(n−k)×n2
Ü A syndrome s ∈ Fn−k2
Ü A weight w ∈ Z
10
The Syndrome Decoding (SD) problemThe Syndrome Decoding (SD) problem
Output(Decision): Does e ∈ Fn
2 of wH(e) ≤ w such that eHT = s exists? NP-complete(Computational): Find e ∈ Fn
2 of wH(e) ≤ w such that eHT = s NP-difficult
E. R. Berlekamp, R. J. McEliece and H. C. A. van Tilborg.On the Inherent Intractability of Certain Coding Problems.IEEE Trans. Inf. Theory. Vol. 24, pp. 384-386, 1978.
A. Barg.Complexity Issues in Coding Theory.Chapter 7, in Handbock of Coding Theory, 1998.
Hn − k
n
e×
= s
Input:
Ü A matrix H ∈ F(n−k)×n2
Ü A syndrome s ∈ Fn−k2
Ü A weight w ∈ Z
10
General DecodingInput:
Ü A parity-check matrix H ∈ F(n−k)×n2
Ü A generator matrix G ∈ Fk×n2
Ü A received vector y ∈ Fn−k2
Ü A weight w ∈ Z
SDFind e ∈ Fn
2 of wH(e) ≤ w such thateHT = yHT = s
MDDFind m ∈ Fk
2 such thatwH(y−mG) ≤ w
Hn − k
n
e×=s
G k
n
mk
−yn
= en
11
General DecodingInput:
Ü A parity-check matrix H ∈ F(n−k)×n2 Ü A generator matrix G ∈ Fk×n
2
Ü A received vector y ∈ Fn−k2
Ü A weight w ∈ Z
SDFind e ∈ Fn
2 of wH(e) ≤ w such thateHT = yHT = s
MDDFind m ∈ Fk
2 such thatwH(y−mG) ≤ w
Hn − k
n
e×=s
G k
n
mk
−yn
= en
11
Computational Analysis of Syndrome Decoding
(Possibly after permuting some columns)
Case w = n−k2
1 0. . .
0 1
In average:Exists c ∈ C with wH(c) = w ⇐⇒
(nw)
> 2n−k
⇐⇒ w is closed to the GV distance
w
cost (log) of ISDBinary codes
0 dGV n − k2
one solution many solutions
Line
ar
12
Computational Analysis of Syndrome Decoding
(Possibly after permuting some columns)
Case w = n−k2
1 0. . .
0 1
In average:Exists c ∈ C with wH(c) = w ⇐⇒
(nw)
> 2n−k
⇐⇒ w is closed to the GV distance
w
cost (log) of ISDBinary codes
0 dGV n − k2
one solution many solutions
Line
ar
12
Computational Analysis of Syndrome Decoding
(Possibly after permuting some columns)
Case w = n−k2
1 0. . .
0 1
In average:Exists c ∈ C with wH(c) = w ⇐⇒
(nw)
> 2n−k
⇐⇒ w is closed to the GV distance
w
cost (log) of ISDBinary codes
0 dGV n − k2
one solution many solutions
Line
ar
12
Computational Analysis of Syndrome Decoding
(Possibly after permuting some columns)
Case w = n−k2
1 0. . .
0 1
In average:Exists c ∈ C with wH(c) = w ⇐⇒
(nw)
> 2n−k
⇐⇒ w is closed to the GV distance
w
cost (log) of ISDBinary codes
0 dGV n − k2
one solution many solutions
Line
ar
12
Trapdoor one-way functions - Decoder
EASYEncoder = Matrix Multiplication
MessageLin
ear
Encod
er
= Codeword
HARDDecoding is NP-complete
E. R. Berlekamp, R. J. McEliece and H. C. A. van Tilborg.On the Inherent Intractability of Certain Coding Problems.IEEE Trans. Inf. Theory. Vol. 24, pp. 384-386, 1978.
A. Barg.Complexity Issues in Coding Theory.Chapter 7, in Handbock of Coding Theory, 1998.
EASY(with TRAPDOOR information)Efficient decoder for certain families of codes
13
Trapdoor one-way functions - Decoder
EASYEncoder = Matrix Multiplication
MessageLin
ear
Encod
er
= Codeword
HARDDecoding is NP-complete
E. R. Berlekamp, R. J. McEliece and H. C. A. van Tilborg.On the Inherent Intractability of Certain Coding Problems.IEEE Trans. Inf. Theory. Vol. 24, pp. 384-386, 1978.
A. Barg.Complexity Issues in Coding Theory.Chapter 7, in Handbock of Coding Theory, 1998.
EASY(with TRAPDOOR information)Efficient decoder for certain families of codes
13
Trapdoor one-way functions - Decoder
EASYEncoder = Matrix Multiplication
MessageLin
ear
Encod
er
= Codeword
HARDDecoding is NP-complete
E. R. Berlekamp, R. J. McEliece and H. C. A. van Tilborg.On the Inherent Intractability of Certain Coding Problems.IEEE Trans. Inf. Theory. Vol. 24, pp. 384-386, 1978.
A. Barg.Complexity Issues in Coding Theory.Chapter 7, in Handbock of Coding Theory, 1998.
EASY(with TRAPDOOR information)Efficient decoder for certain families of codes
13
1. Error-Correcting Codes and Cryptography
1. Introduction I - Cryptography2. Introduction II - Coding Theory3. Encoding (Linear Transformation)4. Parity Checking5. Error Correcting Capacity6. Decoding (A Difficult Problem)7. Reed-Solomon Codes8. Goppa Codes9. McEliece Cryptosystem
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY
![NewHope AlgorithmSpecificationsandSupportingDocumentation · 2020. 4. 14. · The CVP is the inhomogeneous version of the SVP and can also be formulated as syndrome decoding problemforfullranklattices[107].](https://static.documents.pub/doc/80x56/60aee95073f20106b1073ec3/newhope-algorithmspeciicationsandsupportingdocumentation-2020-4-14-the-cvp.jpg)
