Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes
Magali Bardet (1), Julia Chaulet (2), Vlad Dragoi (1), Ayoub Otmani (1), Jean-Pierre Tillich (2)
(1) Normandie Univ, France; UR, LITIS, F-76821 Mont-Saint-Aignan, France.
(2) Inria, SECRET Project, 78153 Le Chesnay Cedex, France.
PQCrypto 2016
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 1/24
Introduction
McEliece Public-Key Encryption Scheme ('78)
1. Based on linear codes equipped with an efficient decoding algorithm
   - Public key = random basis
   - Private key = decoding algorithm
2. McEliece proposed binary Goppa codes
Introduction: Textbook McEliece encryption scheme
Key Generation step:
1. Pick a k × n generator matrix G for C (a t-error-correcting code with a low complexity decoding algorithm)
2. Randomly pick an n × n permutation matrix P and a k × k invertible matrix S
3. Private key = (S, G, P) and public key = $(G_{pub}, t)$ with
   $$G_{pub} = SGP$$
Introduction: Textbook McEliece encryption scheme
Encryption
For $m \in \mathbb{F}_q^k$:
1. Generate randomly $e \in \mathbb{F}_q^n$ of Hamming weight t
2. Ciphertext $c = m G_{pub} + e$
Decryption
1. Compute $z = cP^{-1}$, so that $z = mSG + eP^{-1}$
2. Compute $y = \mathrm{Decode}_G(z)$, so that $y = mS$
3. Return $m' = yS^{-1}$, so that $m' = m$
Motivations: Arguments for Polar Codes
Polar codes represent a powerful family of codes:
1. They achieve the capacity of any memoryless channel.
2. They can be decoded with a low complexity algorithm: the successive cancellation decoder by Arikan (2009).
3. Polar codes do not seem to be very structured.
Shrestha and Kim proposed in 2014 a McEliece PKC using polar codes.
Our main contribution: find the permutation P.
Definitions: Polar Codes and Reed-Muller Codes
$$G_m \stackrel{def}{=} \underbrace{\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix} \otimes \cdots \otimes \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}}_{m \text{ times}}.$$
Definition. The polar code of length $n = 2^m$ and dimension k is obtained by choosing a specific subset of k rows of $G_m$.
The r-th order Reed-Muller code R(r, m) is obtained by choosing all the rows of $G_m$ with Hamming weight greater than or equal to $2^{m-r}$.
Polar Codes
We build the generator matrix
$$G_1 = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$$
For m = 2 we have:
$$G_2 = G_1 \otimes G_1 = \begin{pmatrix} G_1 & 0 \\ G_1 & G_1 \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 \\ 1 & 0 & 1 & 0 \\ 1 & 1 & 1 & 1 \end{pmatrix}$$
Polar Codes
For m = 3 we have:
$$G_3 = G_2 \otimes G_1 = \begin{pmatrix} G_2 & 0 \\ G_2 & G_2 \end{pmatrix} = \begin{pmatrix}
1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
1 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\
1 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 0 \\
1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\
1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 \\
1 & 0 & 1 & 0 & 1 & 0 & 1 & 0 \\
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}$$
The polar code $[2^3, 5, 2]$ (a specific subset of 5 rows of $G_3$).
The first order Reed-Muller code R(1,3), a $[2^3, 4, 4]$ code (the rows of $G_3$ of Hamming weight at least 4).
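Added example (not the authors' code) that serves both the textbook McEliece slides above and this construction of $G_m$: it builds $G_m$ as the m-fold Kronecker power of $G_1$, takes R(1,3) as the rows of $G_3$ of weight at least 4, and runs key generation, encryption and decryption over that code exactly as on the slides. $\mathrm{Decode}_G$ is an exhaustive nearest-codeword search over the 16 codewords (a stand-in for the real low-complexity decoder, fine at this size); R(1,3) has minimum distance 4 so t = 1; the seed and messages are constructed.

```python
import random

def kron(a, b):
    """Kronecker product of two 0/1 matrices given as lists of rows."""
    return [[x & y for x in ra for y in rb] for ra in a for rb in b]

def polar_gm(m):
    """G_m = G_1 (x) ... (x) G_1 (m times) with G_1 = [[1, 0], [1, 1]]."""
    g = [[1]]
    for _ in range(m):
        g = kron(g, [[1, 0], [1, 1]])
    return g

def reed_muller_rows(r, m):
    """Generator matrix of R(r, m): the rows of G_m of Hamming weight >= 2^(m-r)."""
    return [row for row in polar_gm(m) if sum(row) >= 2 ** (m - r)]

def matmul(a, b):
    """Matrix product over F_2."""
    return [[sum(a[i][k] & b[k][j] for k in range(len(b))) % 2
             for j in range(len(b[0]))] for i in range(len(a))]

def vec_add(u, v):
    """Vector addition over F_2."""
    return [x ^ y for x, y in zip(u, v)]

def inverse_f2(mat):
    """Gauss-Jordan inverse over F_2; returns None when mat is singular."""
    k = len(mat)
    aug = [row[:] + [int(i == j) for j in range(k)] for i, row in enumerate(mat)]
    for col in range(k):
        piv = next((i for i in range(col, k) if aug[i][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(k):
            if i != col and aug[i][col]:
                aug[i] = vec_add(aug[i], aug[col])
    return [row[k:] for row in aug]

def keygen(r, m, rng):
    """Textbook McEliece over R(r, m): private (S, G, P), public (G_pub = SGP, t)."""
    g = reed_muller_rows(r, m)
    k, n = len(g), len(g[0])
    t = (2 ** (m - r) - 1) // 2             # R(r, m) has minimum distance 2^(m-r)
    while True:                             # random invertible k x k matrix S
        s = [[rng.randrange(2) for _ in range(k)] for _ in range(k)]
        s_inv = inverse_f2(s)
        if s_inv is not None:
            break
    perm = list(range(n))
    rng.shuffle(perm)                       # random n x n permutation matrix P
    p = [[int(perm[i] == j) for j in range(n)] for i in range(n)]
    p_inv = [list(col) for col in zip(*p)]  # P^{-1} = P^T for a permutation matrix
    g_pub = matmul(matmul(s, g), p)
    return (g_pub, t), (s_inv, g, p_inv, t)

def encrypt(pub, msg, rng):
    """c = m G_pub + e with e a random error vector of Hamming weight t."""
    g_pub, t = pub
    e = [0] * len(g_pub[0])
    for i in rng.sample(range(len(e)), t):
        e[i] = 1
    return vec_add(matmul([msg], g_pub)[0], e)

def decode(g, z, t):
    """Decode_G: nearest codeword by exhaustive search (fine for the tiny R(1, 3))."""
    k = len(g)
    for u in range(2 ** k):
        y = [(u >> (k - 1 - i)) & 1 for i in range(k)]
        if sum(vec_add(matmul([y], g)[0], z)) <= t:
            return y
    return None                             # more than t errors: decoding failure

def decrypt(priv, c):
    """z = c P^{-1} = mSG + eP^{-1};  y = Decode_G(z) = mS;  m' = y S^{-1}."""
    s_inv, g, p_inv, t = priv
    z = matmul([c], p_inv)[0]
    y = decode(g, z, t)
    return None if y is None else matmul([y], s_inv)[0]

def roundtrip(msg, seed=2016):
    """Encrypt then decrypt one message; True iff the plaintext is recovered."""
    rng = random.Random(seed)               # constructed seed, keys are reproducible
    pub, priv = keygen(1, 3, rng)
    return decrypt(priv, encrypt(pub, list(msg), rng)) == list(msg)

if __name__ == "__main__":
    for row in polar_gm(3):
        print(row)
    print(all(roundtrip([(u >> i) & 1 for i in range(4)]) for u in range(16)))
```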
Motivations
The purpose is to find the permutation P.
1. General method: the Support Splitting Algorithm (SSA) by Sendrier (2000), which needs
   1. a small permutation group (the permutations that leave the code invariant),
   2. a hull of small dimension, Hull(C) = C ∩ C⊥.
2. Try to adapt the Minder and Shokrollahi attack (Reed-Muller codes) to polar codes.
Polar codes are vulnerable neither to the SSA attack nor to the Minder and Shokrollahi attack.
What is the permutation group of polar codes?
Monomial Codes
The ambient space is the polynomial ring
$$R_2[x_0, \dots, x_{m-1}] = \frac{\mathbb{F}_2[x_0, \dots, x_{m-1}]}{(x_0^2 - x_0, \dots, x_{m-1}^2 - x_{m-1})}$$
To any $g \in R_2[x_0, \dots, x_{m-1}]$ we naturally associate its evaluation over all elements of $\mathbb{F}_2^m$:
$$\mathrm{ev}(g) = \big( g(u_0, \dots, u_{m-1}) \big)_{(u_0, \dots, u_{m-1}) \in \mathbb{F}_2^m}$$
Let $\mathcal{M}$ denote the set of all monomials
$$\mathcal{M} \stackrel{def}{=} \{1, x_0, \dots, x_{m-1}, x_0 x_1, \dots, x_0 \cdots x_{m-1}\}.$$
Monomial Codes: Polar and Reed-Muller Codes
Example for m = 3. Consider $G_3$ and all the elements of $\mathbb{F}_2^3$ (columns are indexed by $u_2 u_1 u_0$; each row is $\mathrm{ev}(g)$):

g        111 110 101 100 011 010 001 000
x2x1x0    1   0   0   0   0   0   0   0
x2x1      1   1   0   0   0   0   0   0
x2x0      1   0   1   0   0   0   0   0
x2        1   1   1   1   0   0   0   0
x1x0      1   0   0   0   1   0   0   0
x1        1   1   0   0   1   1   0   0
x0        1   0   1   0   1   0   1   0
1         1   1   1   1   1   1   1   1

The $[2^3, 5, 2]$ polar code.
The $[2^3, 4, 4]$ Reed-Muller code, i.e. R(1,3).
Decreasing Monomial Codes
Definition (Monomial order). The monomials of the same degree are ordered as
$$x_{i_1} \cdots x_{i_s} \preceq x_{j_1} \cdots x_{j_s} \iff \text{for any } \ell \in \{1, \dots, s\},\ i_\ell \le j_\ell$$
where we assume that $i_1 > \cdots > i_s$ and $j_1 > \cdots > j_s$.
This order is extended to other monomials through divisibility, namely: $f \preceq g$ if and only if there is a divisor $g^*$ of $g$ such that $f \preceq g^*$.
Decreasing Monomial Code
Figure (diagram of the order $\preceq$ on the 16 monomials in $x_0, \dots, x_3$, listed in the order the slide introduces them): $1, x_0, x_1, x_2, x_1x_0, x_3, x_2x_0, x_3x_0, x_2x_1, x_3x_1, x_2x_1x_0, x_3x_2, x_3x_1x_0, x_3x_2x_0, x_3x_2x_1, x_3x_2x_1x_0$.
Fact. For all $g \in \mathcal{M}$ with $\deg(g) \ge r$ we have $x_{r-1} \cdots x_0 \preceq g$.
Decreasing Monomial Codes
Definition (Decreasing set). A set $I \subseteq \mathcal{M}$ is decreasing if and only if
$$f \in I \text{ and } g \preceq f \implies g \in I.$$
Definition (Decreasing monomial codes). The linear code defined by a set I of polynomials is C(I), the code generated by
$$\{\mathrm{ev}(f) \mid f \in I\}.$$
1. When $I \subseteq \mathcal{M}$, C(I) is a monomial code.
2. When $I \subseteq \mathcal{M}$ is a decreasing set, C(I) is a decreasing monomial code.
Decreasing Monomial Codes: Main Properties
Theorem (Bardet et al. 2016). Polar codes are decreasing monomial codes.
Proposition. The dual of a decreasing monomial code is a decreasing monomial code.
Polar codes with rate (sufficiently) smaller than 1/2 are weakly self-dual: $C \subset C^\perp$.
Decreasing Monomial Codes: Permutation Group
Let A be a lower triangular binary matrix with 1's on the diagonal and b be an arbitrary element of $\mathbb{F}_2^m$. For m = 5:
$$A = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 \\ \star & 1 & 0 & 0 & 0 \\ \star & \star & 1 & 0 & 0 \\ \star & \star & \star & 1 & 0 \\ \star & \star & \star & \star & 1 \end{pmatrix}, \qquad b = \begin{pmatrix} b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \end{pmatrix}.$$
We define the lower triangular affine group $LTA_m$ as the set of affine transformations of the form
$$x \mapsto Ax + b.$$
Decreasing Monomial Codes: Permutation Group
The image of a variable $x_i$ is
$$x'_i = x_i + \sum_{j=0}^{i-1} a_{ij} x_j + b_i.$$
Theorem. $LTA_m$ is included in the permutation group of a decreasing monomial code.
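Added example (not the authors' code) that checks the definitions and results of this section for small m: the monomial order $\preceq$, decreasing sets and their closure, the action of an element of $LTA_m$ on the evaluation points, the membership test behind the theorem, a non-decreasing set for which the theorem fails, and the weak self-duality test. The sets I, the sampled (A, b) and the seed are constructed; a 5-row decreasing set is used as one possible $[2^3, 5, 2]$ polar code.

```python
import itertools
import random

def points(m):
    """F_2^m as bitmasks in the slide's column order 11..1 down to 00..0 (bit i = u_i)."""
    return range(2 ** m - 1, -1, -1)

def ev(f, m):
    """ev(f) for a monomial f given as a frozenset of variable indices (frozenset() is 1)."""
    return [int(all(u >> i & 1 for i in f)) for u in points(m)]

def monomials(m):
    """The set M of all 2^m monomials in x_0, ..., x_{m-1}."""
    return [frozenset(s) for d in range(m + 1) for s in itertools.combinations(range(m), d)]

def preceq(f, g):
    """f <= g: same degree compares the decreasingly sorted index lists (i_l <= j_l);
    lower degree: f <= g iff f <= g* for some divisor g* of g with deg g* = deg f."""
    fs = sorted(f, reverse=True)
    return any(all(i <= j for i, j in zip(fs, sorted(sub, reverse=True)))
               for sub in itertools.combinations(g, len(f)))

def is_decreasing(I, m):
    """Decreasing set: f in I and g <= f imply g in I."""
    I = set(I)
    return all(g in I for f in I for g in monomials(m) if preceq(g, f))

def decreasing_closure(gens, m):
    """Smallest decreasing set containing gens."""
    return {g for g in monomials(m) if any(preceq(g, f) for f in gens)}

def rank_f2(rows):
    """Rank over F_2 of 0/1 vectors (packed into ints, elimination by leading bit)."""
    basis = {}
    for r in rows:
        v = int("".join(map(str, r)), 2)
        while v:
            top = v.bit_length() - 1
            if top not in basis:
                basis[top] = v
                break
            v ^= basis[top]
    return len(basis)

def in_code(vec, I, m):
    """vec lies in C(I) = <ev(f) : f in I> iff appending it does not raise the rank."""
    gens = [ev(f, m) for f in I]
    return rank_f2(gens + [vec]) == rank_f2(gens)

def lta_map(a, b, m):
    """x -> Ax + b with A lower unitriangular: x'_i = x_i + sum_{j<i} a[i][j] x_j + b_i."""
    def phi(u):
        out = 0
        for i in range(m):
            bit = (u >> i & 1) ^ b[i]
            for j in range(i):
                bit ^= a[i][j] & (u >> j & 1)
            out |= bit << i
        return out
    return phi

def lta_preserves_code(I, m, a, b):
    """True iff this element of LTA_m maps C(I) into itself, i.e. ev(f o phi) in C(I)
    for every generator f; ev(f o phi) is ev(f) with coordinates permuted by phi."""
    phi = lta_map(a, b, m)
    return all(in_code([int(all(phi(u) >> i & 1 for i in f)) for u in points(m)], I, m)
               for f in I)

def random_lta(m, rng):
    """Random (A, b) in LTA_m."""
    a = [[rng.randrange(2) if j < i else 0 for j in range(m)] for i in range(m)]
    return a, [rng.randrange(2) for _ in range(m)]

def is_weakly_self_dual(I, m):
    """C(I) is contained in its dual iff all pairs of generators have even inner product."""
    gens = [ev(f, m) for f in I]
    return all(sum(x & y for x, y in zip(u, v)) % 2 == 0 for u in gens for v in gens)

def check_slide_claims(m=4, r=2, trials=20, seed=2016):
    """Returns (Fact: x_{r-1}..x_0 <= every g of degree >= r, I is decreasing,
    LTA_m preserves C(I)) for the constructed set I generated by x_{r-1}..x_0 and x_{m-1}."""
    rng = random.Random(seed)
    x_low = frozenset(range(r))
    fact = all(preceq(x_low, g) for g in monomials(m) if len(g) >= r)
    I = list(decreasing_closure([x_low, frozenset({m - 1})], m))
    theorem = all(lta_preserves_code(I, m, *random_lta(m, rng)) for _ in range(trials))
    return fact, is_decreasing(I, m), theorem

def non_decreasing_counterexample():
    """I = {x_1} (m = 2) is not decreasing, and x_1 -> x_1 + x_0 moves ev(x_1) out of C(I)."""
    I = [frozenset({1})]
    return is_decreasing(I, 2), lta_preserves_code(I, 2, [[0, 0], [1, 0]], [0, 0])

def self_duality_examples():
    """R(1,3) = C({1, x0, x1, x2}) (rate 1/2) versus a 5-row decreasing set (rate 5/8)."""
    rm13 = [frozenset(), frozenset({0}), frozenset({1}), frozenset({2})]
    return is_weakly_self_dual(rm13, 3), is_weakly_self_dual(rm13 + [frozenset({0, 1})], 3)
```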
Cryptanalysis of Polar Codes: Tools and Techniques
Puncturing and shortening a code on a set of positions J:
$$\mathcal{P}_J(C) \stackrel{def}{=} \{(c_i)_{i \notin J} \mid c \in C\};$$
$$\mathcal{S}_J(C) \stackrel{def}{=} \{(c_i)_{i \notin J} \mid \exists\, c = (c_i)_i \in C \text{ such that } \forall i \in J,\ c_i = 0\}.$$
Cryptanalysis of Polar Codes: Tools and Techniques
Definition (Signature). Let G be a subgroup of permutations of C (a linear code of length n) and W be a subset of C globally invariant under G. $\Sigma(c, C)$ is a signature of c if and only if
(i) $\Sigma(c, C) = \Sigma(c^\pi, C^\pi)$ for every $\pi \in S_n$ (i.e. $\Sigma$ is invariant by permutation),
(ii) $\Sigma(c, C) \ne \Sigma(c', C)$ if c and c' both belong to W but are not in the same orbit under G (i.e. $\Sigma$ takes distinct values for each orbit).
Cryptanalysis of Polar Codes: Tools and Techniques
Facts. Let C(I) be a decreasing monomial code and $I_r \ne \emptyset$ be the set of maximum degree monomials. Recall that $x_{r-1} \cdots x_0 \in I_r$. Its orbit under $LTA_m$ is
$$\mathcal{O}_{x_{r-1} \cdots x_0} = \Big\{ \prod_{i=0}^{r-1} (x_i + b_i) \ \Big|\ b_i \in \mathbb{F}_2 \Big\}$$
Cryptanalysis of Polar Codes: Key steps of the attack
1. Find the set of minimum weight codewords $W_{min}(C)$ and $W_{min}(C^\pi)$.
2. For all $c \in W_{min}(C)$ compute
   $$\Sigma_c = \Big( \dim\big(\mathcal{S}_{supp(c)}(C)^\perp\big),\ W_{min}\big(\mathcal{S}_{supp(c)}(C)^\perp\big) \Big)$$
   and use the same definition for $\Sigma_{c^\pi}$.
3. Use the signature and the action of $LTA_m$ to distinguish the orbits of monomials, in particular that of $x_{r-1} \cdots x_0$ (denote $c_{min} = \mathrm{ev}(x_{r-1} \cdots x_0)$ and $c^\pi_{min}$).
4. Let $J = \{j \mid c_{min}[j] = 0\}$. Find a permutation that works for $\mathcal{P}_J(C)$ and $\mathcal{P}_{J^\pi}(C^\pi)$. Continue by induction in order to retrieve the underlying polar code.
Cryptanalysis of Polar Codes
The private polar code C (left) against the public permuted code $C^\pi$ (right):

The private polar code C | The public permuted code $C^\pi$
$W_{min}(C) = LTA_m(I_r)$ (Bardet et al. 2016) | Compute $W_{min}(C^\pi)$ (Dumer 1991, Stern 1988)
For all $g \in I_r$ compute $\mathcal{S}_{supp(\mathrm{ev}(g))}(C)^\perp$ | For all $c^\pi \in W_{min}(C^\pi)$ compute $\mathcal{S}_{supp(c^\pi)}(C^\pi)^\perp$
Compute $\mathcal{O}_{x_{r-1} \cdots x_0} = \{\prod_{i=0}^{r-1} (x_i + b_i) \mid b_i \in \mathbb{F}_2\}$ | Identify $\mathcal{O}^\pi_{x_{r-1} \cdots x_0}$ using the list of signatures
Since $(x_{r-1} + 1) x_{r-2} \cdots x_0 \in \mathcal{O}_{x_{r-1} \cdots x_0}$ | Find $((x_{r-1} + 1) x_{r-2} \cdots x_0)^\pi$
Compute $(x_{r-1} + 1) x_{r-2} \cdots x_0 + x_{r-1} \cdots x_0 = x_{r-2} \cdots x_0$ | Compute $((x_{r-1} + 1) x_{r-2} \cdots x_0)^\pi + (x_{r-1} \cdots x_0)^\pi = (x_{r-2} \cdots x_0)^\pi$
Use induction to compute the list $(x_i \cdots x_0)_{0 \le i \le r-1}$ | By induction compute $((x_i \cdots x_0)^\pi)_{0 \le i \le r-1}$
Let $c_i = \mathrm{ev}(x_{i-1} \cdots x_0)$ with $c_0 = \mathrm{ev}(1)$ | $(c_i)^\pi = \mathrm{ev}((x_{i-1} \cdots x_0)^\pi)$
Let $J_i = \{j \mid c_i[j] = 0\}$ | Let $(J_i)^\pi = \{j \mid (c_i)^\pi[j] = 0\}$
$D_i \stackrel{def}{=} \mathcal{P}_{J_i}(C)$ | $(D_i)^\pi \stackrel{def}{=} \mathcal{P}_{(J_i)^\pi}(C^\pi)$

Solve the code equivalence for $D_i$ and $(D_i)^\pi$ by induction from i = r down to 0.
Cryptanalysis of Polar Codes
The private polar code C The public permuted code C π
Wmin(C ) = LTAm(Ir ) (Bardet et all 2016) Compute Wmin(C π) (Dumer 1991, Stern 1988)
∀g ∈ Ir compute Ssupp(ev(g))(C )⊥ ∀cπ ∈Wmin(C π) compute Ssupp(cπ)(Cπ)⊥
compute Oxr−1...x0 =
{r−1∏i=0
(xi + bi) | bi ∈ F2
}Identify Oxr−1...x0
π using the list of signatures
Since (xr−1 + 1)xr−2 . . . x0 ∈ Oxr−1...x0 Find (xr−1 + 1)xr−2 . . . xπ0
Compute (xr−1 + 1)xr−2 . . . x0 + xr−1 . . . x0 = xr−2 . . . x0 Compute (xr−1 + 1)xr−2 . . . xπ0 + xr−1 . . . xπ0 = xr−2 . . . xπ0
Use induction to compute the list (xi . . . x0)06i6r−1 By induction compute (xi . . . xπ0 )06i6r−1
Let ci = ev(xi−1 . . . x0) with c0 = ev(1) (ci)π = ev(xi−1 . . . xπ0 )
Let J i = {j | ci [j] = 0} Let (J i)π
= {j | (ci)π[j] = 0}
D i def= PJ i (C ) (D i)π
def= P(J i )π (C π)
Solve the code equivalence for D i and (D i)π by induction from i = r down to 0
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 22/24
Cryptanalysis of Polar Codes
The private polar code C The public permuted code C π
Wmin(C ) = LTAm(Ir ) (Bardet et all 2016) Compute Wmin(C π) (Dumer 1991, Stern 1988)
∀g ∈ Ir compute Ssupp(ev(g))(C )⊥ ∀cπ ∈Wmin(C π) compute Ssupp(cπ)(Cπ)⊥
compute Oxr−1...x0 =
{r−1∏i=0
(xi + bi) | bi ∈ F2
}Identify Oxr−1...x0
π using the list of signatures
Since (xr−1 + 1)xr−2 . . . x0 ∈ Oxr−1...x0 Find (xr−1 + 1)xr−2 . . . xπ0
Compute (xr−1 + 1)xr−2 . . . x0 + xr−1 . . . x0 = xr−2 . . . x0 Compute (xr−1 + 1)xr−2 . . . xπ0 + xr−1 . . . xπ0 = xr−2 . . . xπ0
Use induction to compute the list (xi . . . x0)06i6r−1 By induction compute (xi . . . xπ0 )06i6r−1
Let ci = ev(xi−1 . . . x0) with c0 = ev(1) (ci)π = ev(xi−1 . . . xπ0 )
Let J i = {j | ci [j] = 0} Let (J i)π
= {j | (ci)π[j] = 0}
D i def= PJ i (C ) (D i)π
def= P(J i )π (C π)
Solve the code equivalence for D i and (D i)π by induction from i = r down to 0
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 22/24
Cryptanalysis of Polar Codes
The private polar code C The public permuted code C π
Wmin(C ) = LTAm(Ir ) (Bardet et all 2016) Compute Wmin(C π) (Dumer 1991, Stern 1988)
∀g ∈ Ir compute Ssupp(ev(g))(C )⊥ ∀cπ ∈Wmin(C π) compute Ssupp(cπ)(Cπ)⊥
compute Oxr−1...x0 =
{r−1∏i=0
(xi + bi) | bi ∈ F2
}Identify Oxr−1...x0
π using the list of signatures
Since (xr−1 + 1)xr−2 . . . x0 ∈ Oxr−1...x0 Find (xr−1 + 1)xr−2 . . . xπ0
Compute (xr−1 + 1)xr−2 . . . x0 + xr−1 . . . x0 = xr−2 . . . x0 Compute (xr−1 + 1)xr−2 . . . xπ0 + xr−1 . . . xπ0 = xr−2 . . . xπ0
Use induction to compute the list (xi . . . x0)06i6r−1 By induction compute (xi . . . xπ0 )06i6r−1
Let ci = ev(xi−1 . . . x0) with c0 = ev(1) (ci)π = ev(xi−1 . . . xπ0 )
Let J i = {j | ci [j] = 0} Let (J i)π
= {j | (ci)π[j] = 0}
D i def= PJ i (C ) (D i)π
def= P(J i )π (C π)
Solve the code equivalence for D i and (D i)π by induction from i = r down to 0
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 22/24
Cryptanalysis of Polar Codes
Implementation
We consider the [2048, 614]-Polar Code that is able to correct up to 200 errors.
The security level is $2^{105}$, given by generic linear code decoding algorithms.
We checked the decreasing property of both $C$ and $C^\perp$ as well as the weak duality property of the code.
$d_{\min}(C) = 32$ and there were $|W_{\min}(C)| = 42176$ such codewords. For the dual code $d_{\min}(C^\perp) = 8$ and there were 6912 codewords.
It took 27 seconds to find these codewords in $C^\pi$ and 3 seconds to find these codewords in $(C^\pi)^\perp$ on an 8-core Xeon E3-1240 running at 3.40 GHz.
The most time-consuming part is the last part of the induction. The time for a successful attack was less than 14 days on the same processor.
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 23/24
Summary
Polar Codes in a public key cryptographic scheme are vulnerable to structural attacks.
The introduction of an algebraic formalism was crucial for a successful attack.
A unified formalism for Polar Codes and Reed-Muller Codes under the name of Decreasing Monomial Codes.
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 24/24