Tutorial "Code-Based Cryptography"

Sven Puchinger
Antonia Wachter-Zeh

{sven.puchinger, antonia.wachter-zeh}@tum.de

IEEE Information Theory Workshop 2021
Outline

Part I: Motivation & Notations of linear codes [Sven]
Part II: McEliece and Niederreiter Schemes [Antonia]
Part III: Information-Set Decoding and Signatures [Sven]
Part IV: The System HQC [Antonia]

Sven Puchinger, Antonia Wachter-Zeh (TUM) 2


References for Further Reading

• Daniel J. Bernstein, Tanja Lange, "Post-Quantum Cryptography – Dealing with the Fallout of Physics Success"
• National Institute of Standards and Technology, Post-Quantum Competition: https://csrc.nist.gov/Projects/post-quantum-cryptography
  In particular the systems Classic McEliece, HQC, BIKE
• Raphael Overbeck, Nicolas Sendrier, "Code-based Cryptography", in: Post-Quantum Cryptography, Springer 2009


Part I: Motivation & Notations of linear codes [Sven]


Basic Encryption Model

[Figure: Bob sends the encrypted message (ciphertext) to Alice; Eve observes the channel; the secret message enters at Bob's side and is recovered at Alice's side]

• Symmetric:
  ◦ Same secret key for encryption and decryption
  ◦ Example: Advanced Encryption Standard (AES; based on the Rijndael cipher)

• Asymmetric/public-key cryptosystems (PKCs): [this tutorial]
  ◦ Two keys: public key for encryption & private (secret) key for decryption
  ◦ Examples: RSA (factorization problem), ElGamal, or Elliptic-Curve Cryptography (discrete log problem)


Quantum Computers, Shor's Algorithm & Grover's Algorithm

Shor's Algorithm
• Integer factorization of n = pq: around $O(s^3 \log s)$ operations on 2s + 3 qubits if n fits into s bits
• A similar variant for the discrete logarithm problem exists
⇒ would break classical PKCs (RSA, ElGamal, ...)

• Many qubits are needed to correct computational errors
• Size of current quantum computers is still far from being useful!

Grover's Algorithm
• finds a root (domain of size n) of a polynomial f(x) with $\sqrt{n}$ evaluations (instead of n)
⇒ key size of symmetric systems has to be doubled

[Image source: GEO 05/2018]


Pre- & Post-Quantum Security¹

¹ Table from D. J. Bernstein, T. Lange, "Post-quantum cryptography — dealing with the fallout of physics success"

Long-Term Security
Why do we need PQ-secure systems? Large enough quantum computers do not yet exist!
⇒ Long-term security is needed!

[Figure: time spans of 10–30 years, 5–25 years, 10 years and > 20 years]

Some devices are hard to update!


Post-Quantum Secure PKCs

Post-quantum secure PKCs should:
• be based on NP-hard problems
• not be breakable by polynomial attacks on quantum computers
• be efficiently implementable (similar to currently employed systems)

Possible systems:
• Code-based cryptosystems: based on the hardness of decoding a random code [this tutorial]
• Lattice-based cryptosystems: based on hard problems in lattices
• Hash-based
• Multivariate-quadratic
• Supersingular isogenies


National Institute of Standards and Technology (NIST) Competition

• In 2017, NIST started a process to standardize quantum-resistant public-key cryptographic algorithms:
  https://csrc.nist.gov/Projects/post-quantum-cryptography
• 45 KEM/Encryption and 19 Signature schemes were submitted
• In 2020, the third round started. The KEM/Encryption
  ◦ finalists: Classic McEliece, CRYSTALS-KYBER, NTRU, SABER
  ◦ alternate candidates: BIKE, FrodoKEM, HQC, NTRU Prime, SIKE
• Recent talk about the process by Dustin Moody from NIST [from 7:03 to 49:35]:
  https://www.youtube.com/watch?v=CBGX1OMzN1o


Syntax of Encryption
Encryption Scheme Π = (KeyGen, Enc, Dec)

KeyGen
Input: security parameter λ
Output: key k

Enc
Input: plaintext m, key k
Output: ciphertext c

Dec
Input: ciphertext c, key k
Output: plaintext m


Key Size and Security Level
• The key size s is the length of the key in bits.
• Security level (SL):ᵃ
  ◦ measure for computational security
  ◦ ℓ bits if the fastest known attack has complexity $2^{\ell}$ to recover the secret key or the message

ᵃ We consider computational security, not information-theoretical (provable) security.

Design: choose parameters such that the SL is large enough (e.g., ≥ 128, 192, 256)

SL ≤ key size (consider the attack that brute-forces all possible keys)

Example: Assume there are $2^{145}$ possible keys, and attacks with complexities $2^{203}$, $2^{108}$, $2^{150}$ are known
⇒ The key size is 145 bits and the system has 108-bit security.


Finite Fields
Definition
Finite field $\mathbb{F}_q$ = field containing a finite number (q) of elements
Field = set with operations +, · satisfying certain rules (field axioms) ⇒ also operations −, /

• $\mathbb{F}_q$ exists if and only if q is a power of a prime
• Any two finite fields of the same size are isomorphic
• $\mathbb{F}_q \subseteq \mathbb{F}_{q^m}$ and $\mathbb{F}_{q^m} \cong \mathbb{F}_q^m$

Practical Construction
Prime field (p prime):
• $\mathbb{F}_p = \{0, \dots, p-1\}$, addition/multiplication modulo p, e.g. $\mathbb{F}_2 = \{0, 1\}$
Extension field (base field $\mathbb{F}_q$):
• f(x) irreducible polynomial over $\mathbb{F}_q$ of degree m
• $\mathbb{F}_{q^m} = \{a(x) \in \mathbb{F}_q[x] : \deg a(x) < m\}$, + component-wise, · modulo f(x)


Error-Correcting Codes

[Figure: source → m → encoder → c → (+ error e) → r → decoder → ĉ, û → sink]

• The source provides a message m of length k which is...
• ... encoded to a codeword c of length n (one-to-one mapping)
⇒ add redundancy
• In the channel, this codeword is corrupted by an error e
• The decoder has to reconstruct the codeword c given only the received word r
⇒ this can be done since any two codewords have a certain minimum distance


Linear Block Codes: Definition
Definition: Linear Block Code
A linear $[n, k, d]_q$ block code $\mathcal{C}$ is a k-dimensional linear subspace of the vector space $\mathbb{F}_q^n$ with minimum distance d.

Minimum distance
$$d := \min_{a,b \in \mathcal{C},\, a \neq b} d(a, b) = \min_{a \in \mathcal{C},\, a \neq 0} \operatorname{wt}(a)$$

Singleton bound
$$d \leq n - k + 1$$

Generator matrix
• $G \in \mathbb{F}_q^{k \times n}$
• rows are a basis of $\mathcal{C}$
• encoding: $c = m \cdot G$

Parity-check matrix
• $H \in \mathbb{F}_q^{(n-k) \times n}$, rank(H) = n − k
• $G \cdot H^\top = 0$
• rows = basis of the dual code $\mathcal{C}^\perp$
Decoding: Unique Error-Correction

[Figure: codewords c(1), c(2), c(3) with disjoint balls of radius ⌊(d−1)/2⌋; the received word r lies inside the ball around c(1)]

Theorem: Unique Decoding
If $\operatorname{wt}(e) \leq \left\lfloor \frac{d-1}{2} \right\rfloor$, then $c \in \mathcal{C}$ can always be uniquely reconstructed (decoded) from $r = c + e$.

Practical problem: efficient decoder?

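An added example (not from the slides) for the definitions and the unique-decoding theorem above, using the binary [7, 4] Hamming code as a constructed instance: it derives H from a systematic G, checks G·Hᵀ = 0, computes d by enumerating all codewords, and shows that syndrome decoding corrects ⌊(d−1)/2⌋ errors but can return a different codeword when one more error is present.

```python
from itertools import product

# Constructed example: the binary [7,4] Hamming code in systematic form G = [I_k | A].
G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
N, K = 7, 4

def encode(m, G=G):
    """c = m * G over F_2."""
    return [sum(m[i] * G[i][j] for i in range(len(G))) % 2 for j in range(len(G[0]))]

def parity_check_from_systematic(G):
    """For G = [I_k | A], H = [A^T | I_{n-k}] satisfies G * H^T = 0 (over F_2, -A = A)."""
    k, n = len(G), len(G[0])
    return [[G[i][k + r] for i in range(k)] + [1 if c == r else 0 for c in range(n - k)]
            for r in range(n - k)]

def syndrome(H, r):
    """s = H * r^T over F_2; zero exactly for codewords."""
    return tuple(sum(H[i][j] * r[j] for j in range(len(r))) % 2 for i in range(len(H)))

def weight(v):
    return sum(1 for x in v if x)

def min_distance(G):
    """For a linear code d = min weight of a non-zero codeword; enumerate all 2^k messages."""
    return min(weight(encode(list(m), G)) for m in product((0, 1), repeat=len(G)) if any(m))

def syndrome_table(H, t):
    """Coset leaders for every error pattern of weight <= t = floor((d-1)/2)."""
    n = len(H[0])
    table = {}
    for e in product((0, 1), repeat=n):
        if 0 < weight(e) <= t:
            s = syndrome(H, e)
            assert s not in table, "two errors of weight <= t share a syndrome: t too large"
            table[s] = e
    return table

def decode(H, table, r):
    """Return the unique codeword c with d(c, r) <= t, or None if the syndrome is unknown."""
    s = syndrome(H, r)
    if not any(s):
        return list(r)
    if s not in table:
        return None
    return [(x + y) % 2 for x, y in zip(r, table[s])]

H = parity_check_from_systematic(G)
D = min_distance(G)          # 3 for the Hamming code
T = (D - 1) // 2             # unique-decoding radius, here 1
TABLE = syndrome_table(H, T)

def unique_decoding_demo():
    """A weight-t error is corrected; a weight-(t+1) error decodes to a different codeword."""
    c = encode([1, 0, 1, 1])
    r1 = [(x + y) % 2 for x, y in zip(c, [0, 0, 0, 0, 1, 0, 0])]   # weight 1 <= t
    r2 = [(x + y) % 2 for x, y in zip(c, [1, 0, 0, 0, 1, 0, 0])]   # weight 2 > t
    return decode(H, TABLE, r1) == c, decode(H, TABLE, r2) == c

if __name__ == "__main__":
    print("d =", D, " t =", T, " G*H^T = 0:", all(not any(syndrome(H, row)) for row in G))
    print("weight-1 corrected, weight-2 corrected:", unique_decoding_demo())
```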

(Generalized) Reed–Solomon (GRS) Codes
Definition
• $\alpha_0, \alpha_1, \dots, \alpha_{n-1} \in \mathbb{F}_q$ distinct
• $\nu_0, \nu_1, \dots, \nu_{n-1} \in \mathbb{F}_q$ non-zero
The corresponding GRS code is defined by the parity-check matrix
$$H_{\mathrm{RS}} := \begin{pmatrix} 1 & 1 & \dots & 1 \\ \alpha_0 & \alpha_1 & \dots & \alpha_{n-1} \\ \vdots & \vdots & \ddots & \vdots \\ \alpha_0^{n-k-1} & \alpha_1^{n-k-1} & \dots & \alpha_{n-1}^{n-k-1} \end{pmatrix} \cdot \operatorname{diag}(\nu_0, \nu_1, \dots, \nu_{n-1})$$

Minimum distance d = n − k + 1

Has a generator matrix of the form
$$G_{\mathrm{RS}} := \begin{pmatrix} 1 & 1 & \dots & 1 \\ \alpha_0 & \alpha_1 & \dots & \alpha_{n-1} \\ \vdots & \vdots & \ddots & \vdots \\ \alpha_0^{k-1} & \alpha_1^{k-1} & \dots & \alpha_{n-1}^{k-1} \end{pmatrix} \cdot \operatorname{diag}(\nu'_0, \nu'_1, \dots, \nu'_{n-1})$$
Goppa Codes
Given $\mathcal{C}[n, k, d]_{q^m}$. Subfield subcode w.r.t. $\mathbb{F}_q$:
$$\mathcal{C}'[n,\; k' \geq n - m(n-k),\; d' \geq d] = \mathcal{C} \cap \mathbb{F}_q^n$$
Good for code-based crypto: often hides the code structure of $\mathcal{C}$!

Goppa Code (parameter r)
$\alpha_i \in \mathbb{F}_{q^m}$ distinct, $g(x) \in \mathbb{F}_{q^m}[x]$ of degree r with $g(\alpha_i) \neq 0$ for all i
$\mathcal{C}_G$ is the $\mathbb{F}_q$-subfield subcode of the GRS code with parity-check matrix
$$H = \begin{pmatrix} 1 & 1 & \dots & 1 \\ \alpha_0 & \alpha_1 & \dots & \alpha_{n-1} \\ \vdots & \vdots & \ddots & \vdots \\ \alpha_0^{r-1} & \alpha_1^{r-1} & \dots & \alpha_{n-1}^{r-1} \end{pmatrix} \cdot \operatorname{diag}\left(\frac{1}{g(\alpha_0)}, \frac{1}{g(\alpha_1)}, \dots, \frac{1}{g(\alpha_{n-1})}\right)$$

• Parameters: $[n,\; k \geq n - rm,\; d \geq d^* = r + 1]_q$
• If q = 2 and g(x) has no multiple zeros, then $d \geq d^* = 2r + 1$
• Efficient decoder for $t \leq \left\lfloor \frac{d^* - 1}{2} \right\rfloor$ errors

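As an added example (not from the slides), the extension-field construction from the Finite Fields slide and the Goppa-code definition above, together in code: arithmetic in $\mathbb{F}_{16} = \mathbb{F}_2[x]/(x^4 + x + 1)$, then the binary Goppa code with the constructed choice g(x) = x² + x + 1 (r = 2, m = 4) on the support of all field elements with g(α) ≠ 0, checking k' ≥ n − rm from the binary parity-check matrix and, by enumerating every word of weight ≤ 4, that d ≥ 2r + 1.

```python
from functools import reduce
from itertools import combinations
from operator import xor

# Constructed example: F_16 = F_2[x]/(f(x)) with f(x) = x^4 + x + 1, irreducible over F_2.
# An element a(x) with deg a(x) < 4 is stored as a 4-bit integer, bit i = coefficient of x^i.
M = 4
F_POLY = 0b10011          # x^4 + x + 1
Q_M = 1 << M              # q^m = 16 field elements

def gf_add(a, b):
    """Addition is component-wise, i.e. XOR of the coefficient vectors."""
    return a ^ b

def gf_mul(a, b):
    """Multiply a(x) * b(x) and reduce modulo f(x), one shift by x at a time."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q_M:           # degree reached m: subtract f(x) (XOR over F_2)
            a ^= F_POLY
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a):
    """a^(q^m - 2) = a^(-1) for a != 0, since a^(q^m - 1) = 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in a field")
    return gf_pow(a, Q_M - 2)

def poly_eval(coeffs, x):
    """Evaluate a polynomial with coefficients in F_16 (highest degree first) at x (Horner)."""
    return reduce(lambda acc, c: gf_add(gf_mul(acc, x), c), coeffs, 0)

def field_check():
    """Every non-zero element has an inverse; this fails if F_POLY were reducible."""
    return all(gf_mul(a, gf_inv(a)) == 1 for a in range(1, Q_M))

# Goppa code: g(x) = x^2 + x + 1 (r = 2, no multiple zeros); support = all alpha with g(alpha) != 0.
R = 2
G_POLY = [1, 1, 1]
SUPPORT = [a for a in range(Q_M) if poly_eval(G_POLY, a) != 0]
N = len(SUPPORT)
# GRS parity-check matrix over F_16: entry (j, i) is alpha_i^j / g(alpha_i), j = 0..r-1.
H_GRS = [[gf_mul(gf_pow(a, j), gf_inv(poly_eval(G_POLY, a))) for a in SUPPORT] for j in range(R)]

def binary_parity_check():
    """Expand each F_16 row into m binary rows (F_{q^m} is an m-dimensional F_q vector space)."""
    return [[(h >> bit) & 1 for h in row] for row in H_GRS for bit in range(M)]

def rank_f2(rows):
    rows = [r[:] for r in rows]
    rank = 0
    for col in range(len(rows[0])):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                rows[i] = [x ^ y for x, y in zip(rows[i], rows[rank])]
        rank += 1
    return rank

def goppa_dimension():
    """k' = n - rank(binary H) >= n - r*m, the subfield-subcode bound from the slides."""
    return N - rank_f2(binary_parity_check())

def is_codeword(ones):
    """A binary word (given by its 1-positions) lies in the subfield subcode iff H_GRS * c^T = 0."""
    return all(reduce(xor, (row[i] for i in ones), 0) == 0 for row in H_GRS)

def min_weight_below(w):
    """Smallest weight <= w of a non-zero codeword, or None (then d > w)."""
    for weight in range(1, w + 1):
        if any(is_codeword(ones) for ones in combinations(range(N), weight)):
            return weight
    return None

if __name__ == "__main__":
    print("field ok:", field_check(), " n =", N, " k' =", goppa_dimension(), ">=", N - R * M,
          " non-zero codeword of weight <= 4:", min_weight_below(4))
```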

Part II: McEliece and Niederreiter Schemes [Antonia]


The McEliece (Public-Key) Cryptosystem Π_McEliece: Idea²

• Generate a t-error-correcting code and its generator matrix G
⇒ this is the private key

• "Scramble" G by multiplying from the left and right with other matrices to make it look random
⇒ this matrix product is the public key G_pub

• Encrypt your secret message with G_pub and add a random error of weight t
⇒ this sum is the public ciphertext

• Decryption can only be done if the decomposition of G_pub is known (and therefore G).
⇒ In this case, decryption is equal to decoding t errors.

² McEliece, "A public-key cryptosystem based on algebraic coding theory," 1978
The McEliece Cryptosystem Π_McEliece: Key Generation
Π_McEliece: KeyGen
Input: q, k, n, t
1. Choose G as the generator matrix of a t-error-correcting code
   (the type of code is public (e.g., Goppa) as are $\mathbb{F}_q$, n, k; but not the $\alpha_i$'s)
2. Choose S as a random full-rank k × k matrix
3. Choose P as a random full-rank n × n permutation matrix
4. Calculate $G_{\mathrm{pub}} = S \cdot G \cdot P$
Output: Public key $G_{\mathrm{pub}}$, private key (S, P, G)

[Figure: Bob (public key: G_pub, t) sends the ciphertext c = m · G_pub + e to Alice (private key: S, G, P, t); Eve sees G_pub, t, c]
The McEliece Cryptosystem Π_McEliece: Encryption

Π_McEliece: Enc
Input: public key $G_{\mathrm{pub}}$ of size k × n, a secret message $m = (m_0, m_1, \dots, m_{k-1}) \in \mathbb{F}_q^k$
1. Find a random vector e of weight t
2. Calculate: $c = m \cdot G_{\mathrm{pub}} + e$
Output: ciphertext c of length n

• The ciphertext c is longer than the message m by a factor of $\frac{1}{R} = \frac{n}{k}$


The McEliece Cryptosystem Π_McEliece: Decryption

Π_McEliece: Dec
Input: ciphertext c, secret key S, G, P
1. Calculate $\tilde{c} = c \cdot P^{-1}$
2. Decode t errors with the code defined by G and get $\tilde{m}$
3. Calculate $\hat{m} = \tilde{m} \cdot S^{-1}$
Output: secret message $\hat{m} = m$

• We have $\tilde{c} = c \cdot P^{-1} = m \cdot S \cdot G + e \cdot P^{-1}$
  ◦ denote $\tilde{m} = m \cdot S$
  ◦ $e \cdot P^{-1}$ has weight t since P is a permutation matrix

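The KeyGen/Enc/Dec procedures above as an added toy implementation (not the authors' code): the [7, 4, 3] Hamming code stands in for a Goppa code (so t = 1), decoding is brute force over all 2^k messages, and S is constructed as a product of elementary row additions so that S⁻¹ is known without a matrix inversion; all of these are choices made here, not part of the slides.

```python
import random
from itertools import product

# Constructed toy instance: the private code is the binary [7,4,3] Hamming code, so t = 1.
# Real parameters use Goppa codes with n in the thousands; this only shows the mechanics.
G_PRIV = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
T = 1

def matmul(A, B):
    """Matrix product over F_2."""
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def vecmul(v, A):
    return matmul([v], A)[0]

def weight(v):
    return sum(v)

def random_invertible(k, rng, steps=None):
    """Random full-rank k x k matrix S over F_2 together with S^-1.
    S is a product of elementary row additions E (each satisfies E*E = I over F_2), so S^-1
    is obtained by applying the same additions to the columns of the inverse, in the same order."""
    S = [[int(i == j) for j in range(k)] for i in range(k)]
    S_inv = [row[:] for row in S]
    for _ in range(steps or 4 * k * k):
        i, j = rng.sample(range(k), 2)
        S[j] = [x ^ y for x, y in zip(S[j], S[i])]     # S <- E*S : row_j += row_i
        for row in S_inv:                               # S_inv <- S_inv*E : col_i += col_j
            row[i] ^= row[j]
    return S, S_inv

def inverse_check(k=4, seed=0):
    S, S_inv = random_invertible(k, random.Random(seed))
    return matmul(S, S_inv) == [[int(i == j) for j in range(k)] for i in range(k)]

def keygen(G, rng):
    """Step 1-4 of KeyGen; the private key keeps S^-1 and P^-1 directly."""
    k, n = len(G), len(G[0])
    S, S_inv = random_invertible(k, rng)
    perm = list(range(n))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(n)] for i in range(n)]   # permutation matrix
    P_inv = [list(col) for col in zip(*P)]                            # P^-1 = P^T
    G_pub = matmul(matmul(S, G), P)
    return G_pub, (S_inv, G, P_inv)

def encrypt(G_pub, m, rng):
    """c = m * G_pub + e with a random e of weight T."""
    n = len(G_pub[0])
    e = [0] * n
    for pos in rng.sample(range(n), T):
        e[pos] = 1
    return [x ^ y for x, y in zip(vecmul(m, G_pub), e)]

def decode_bruteforce(G, r):
    """Unique decoding of up to T errors by exhaustive search over all 2^k messages (toy sizes)."""
    for m in product((0, 1), repeat=len(G)):
        if weight([x ^ y for x, y in zip(vecmul(list(m), G), r)]) <= T:
            return list(m)
    raise ValueError("more than T errors")

def decrypt(priv, c):
    S_inv, G, P_inv = priv
    c_tilde = vecmul(c, P_inv)               # m*S*G + e*P^-1: a codeword plus T errors
    m_tilde = decode_bruteforce(G, c_tilde)  # = m*S
    return vecmul(m_tilde, S_inv)            # = m

def roundtrip(seed=1):
    rng = random.Random(seed)
    G_pub, priv = keygen(G_PRIV, rng)
    m = [rng.randrange(2) for _ in range(len(G_PRIV))]
    return decrypt(priv, encrypt(G_pub, m, rng)) == m

if __name__ == "__main__":
    print("S*S^-1 = I:", inverse_check(), " all seeds decrypt correctly:",
          all(roundtrip(s) for s in range(20)))
```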

The McEliece Cryptosystem Π_McEliece: Key Aspects

Selection of the code is a highly critical issue!
• For given parameters $[n, k, d]_q$, the family of codes has to be large enough to avoid enumeration
• Properties of the code determine the key size: generator/parity-check matrices are often large
  (Example: for cyclic structure, the key is only the first row of G)
• Structure in codes reduces the key size, but might enable attacks
• Encoding is fast on most platforms (matrix multiplication)
• Decoding requires efficient algorithms

Broken: Reed–Solomon codes, (partly) Gabidulin codes, Reed–Muller codes, (partly) LDPC codes, polar codes, ...
Secure: Goppa codes, (partly) Gabidulin codes, MDPC codes, (partly) LDPC codes, LRPC codes


The McEliece Cryptosystem Π_McEliece: Theoretical Security

Public key cryptosystems rely on two hard problems:
1. Decrypting the ciphertext without knowing the private key (message attack):
   ◦ RSA: calculate the $k_{\mathrm{pub}}$-th root mod n of the ciphertext
   ◦ McEliece: decoding in a random code (NP-complete problem)
2. Recovering the private key from the public key (key attack):
   ◦ RSA: factorization of n = pq
   ◦ McEliece: distinguishing $G_{\mathrm{pub}}$ from a random matrix


The McEliece Cryptosystem Π_McEliece: Attacks

• Message/decoding attack: Recover m from the ciphertext c
  ◦ Decode assuming that $G_{\mathrm{pub}}$ is random
  ◦ Information set decoding [see Part III]
  ◦ Works for the McEliece system based on any code class (in the Hamming metric)
  ◦ Generic decoding approaches exist also in the rank, Lee, sum-rank, ... metric

• Key attack: Recover G from $G_{\mathrm{pub}}$
  ◦ Use structural weaknesses of the code (e.g., for Reed–Solomon codes)
  ◦ Attacks are customized to specific code classes
  ◦ Goppa codes: Test the equivalence between all Goppa codes and the code generated by G:
    Complexity: $O(m r\, 2^{m(r-2)})$
    ⇒ Exponential complexity, not efficient ⇒ secure!
  ◦ Sidelnikov–Shestakov attack for McEliece based on Reed–Solomon codes:
    Complexity: $O(k^3 + k^2 n)$ ⇒ insecure


Key Attack on McEliece Π_McEliece: Sidelnikov–Shestakov Attack

• Structural attack on McEliece based on Reed–Solomon codes
• Reveals an alternative private key in cubic time $O(kn^2)$
• Public key: $G_{\mathrm{pub}} = S \cdot G \cdot P$, where
$$G = \begin{pmatrix} 1 & 1 & \dots & 1 \\ \alpha_0 & \alpha_1 & \dots & \alpha_{n-1} \\ \vdots & \vdots & \ddots & \vdots \\ \alpha_0^{k-1} & \alpha_1^{k-1} & \dots & \alpha_{n-1}^{k-1} \end{pmatrix} \cdot \operatorname{diag}(v'_0, \dots, v'_{n-1})$$
(Generalized RS code)
• The attack first finds the $\alpha_i$ and then the $v'_i$ by solving linear systems of equations
⇒ McEliece based on GRS codes is insecure!
⇒ Cannot be applied to Goppa codes since the mapping to $\mathbb{F}_q$ makes $H_G$ look random.


Security Notations

Definition: Negligible function negl
A function f from the natural numbers to the non-negative real numbers is negligible (denoted by negl(λ)) if for every positive polynomial p there is a Λ such that for all integers λ > Λ it holds that $f(\lambda) < \frac{1}{p(\lambda)}$.

• Examples of negligible functions negl(λ): $2^{-\lambda}$, $2^{-\sqrt{\lambda}}$, $\lambda^{-\log \lambda}$
• For $p(\lambda) = \lambda^5$ we have: $2^{-\lambda} < \lambda^{-5}$ for λ > 23; $2^{-\sqrt{\lambda}} < \lambda^{-5}$ for λ > 3500


Security Notations
• Semantic security: No partial information about the plaintext can be learnt given the ciphertext.
  That means for the i-th bit of m, i.e., $m_i$:
  $$\Pr[A(\lambda, c) = m_i] \leq \frac{1}{2} + \mathrm{negl}(\lambda)$$
  where A is an adversary, λ a security parameter and $c = \mathrm{Enc}_k(m)$.

• Indistinguishability (IND): Given c, an attacker cannot distinguish which self-chosen message m was encrypted.

• Chosen-Plaintext Attack (CPA): Gives the attacker the power to choose which plaintext m will be encrypted and attacked.

• Chosen-Ciphertext Attack (CCA): Gives the attacker the power to choose which ciphertexts c will be decrypted.

• CCA2: Includes the security definition of non-malleability, i.e., if A modifies the ciphertext, the result is either an invalid ciphertext or it decrypts to a totally different plaintext.


IND-CPA Security of McEliece Π_McEliece
• Re-encryption is insecure.

• Plain McEliece is not IND-CPA secure:
  1. A outputs $m_0 \in \mathbb{F}_{q^m}^k$ and $m_1 \in \mathbb{F}_{q^m}^k$.
  2. Challenger chooses b ∈ {0, 1} uniformly at random and returns $c = m_b G_{\mathrm{pub}} + e$.
  3. A computes $c_0 = c - m_0 G_{\mathrm{pub}}$. A outputs b' = 0 if the weight of $c_0$ is equal to t and b' = 1 otherwise.

• IND-CPA security can be achieved by random padding. Choose r uniformly from $\mathbb{F}_{q^m}^{k_1}$, let $m \in \mathbb{F}_{q^m}^{k_2}$ be the message and let $k_1 + k_2 = k$. Then the ciphertext is given by
  $c = m' G_{\mathrm{pub}} + e$, where $m' = (r, m) \in \mathbb{F}_{q^m}^k$.
• Under the assumption that bounded minimum distance decoding in a random code is hard and that $G_{\mathrm{pub}}$ cannot be distinguished from a random matrix, the padded McEliece system is provably secure (work factor see below)³.

³ R. Nojima, H. Imai, K. Kobara, K. Morozov, "Semantic Security for the McEliece Cryptosystem without Random Oracles"

IND-CPA Security of McEliece Π_McEliece
To estimate the work factor of distinguishing two messages, let $G_{\mathrm{pub}} = \begin{pmatrix} G_1 \\ G_2 \end{pmatrix}$, where $G_1 \in \mathbb{F}_{q^m}^{k_1 \times n}$ and $G_2 \in \mathbb{F}_{q^m}^{k_2 \times n}$. Then,
1. A outputs $m_0 \in \mathbb{F}_{q^m}^{k_2}$ and $m_1 \in \mathbb{F}_{q^m}^{k_2}$.
2. Challenger chooses b ∈ {0, 1} and $r \in \mathbb{F}_{q^m}^{k_1}$ uniformly at random and returns $c = (r, m_b) G_{\mathrm{pub}} + e$.
3. A computes
   $c - m_0 G_2 = r G_1 + m_b G_2 + e - m_0 G_2 =: c_0$
   and
   $c - m_1 G_2 = r G_1 + m_b G_2 + e - m_1 G_2 =: c_1$.
   A uses a generic decoder to decode $c_0$ and $c_1$ to $\hat{m}_0 \in \mathbb{F}_{q^m}^k$ and $\hat{m}_1 \in \mathbb{F}_{q^m}^k$. Since $c_b = (r, 0) G + e$, A returns b' according to the vector $\hat{m}_{b'}$ whose last $k_2$ positions are zero.

The work factor can be approximated by
$$\min\left\{ \frac{\binom{n}{k}}{\binom{n-t}{k}} \, k^3,\ \frac{\binom{n}{k_1}}{\binom{n-t}{k_1}} \, k_1^3 \right\}.$$

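The three-step distinguisher against plain McEliece and the random-padding fix above as an added experiment (not from the slides): a constructed public key in systematic form over F₂ with k = 8, n = 20, t = 2 and k₁ = 4 padding bits; the same weight test is run against the plain and the padded scheme, so its success rate shows the advantage it has in each case.

```python
import random

# Constructed toy parameters: k = 8 message bits, n = 20, t = 2 errors, K1 = 4 padding bits.
N, K, T, K1 = 20, 8, 2, 4

def vecmul(v, A):
    """Row vector times matrix over F_2."""
    return [sum(x * y for x, y in zip(v, col)) % 2 for col in zip(*A)]

def systematic_public_key(rng):
    """Stand-in for the scrambled public key: G_pub = [I_k | A] with A random (systematic form)."""
    return [[int(i == j) for j in range(K)] + [rng.randrange(2) for _ in range(N - K)]
            for i in range(K)]

def encrypt(G_pub, m, rng):
    """Plain McEliece encryption c = m * G_pub + e with wt(e) = T."""
    e = [0] * N
    for pos in rng.sample(range(N), T):
        e[pos] = 1
    return [x ^ y for x, y in zip(vecmul(m, G_pub), e)]

def encrypt_padded(G_pub, m, rng):
    """Random-padding variant from the slides: encrypt m' = (r, m) with r uniform in F_2^K1."""
    r = [rng.randrange(2) for _ in range(K1)]
    return encrypt(G_pub, r + m, rng)

def weight_test_guess(G_pub, c, m0_full):
    """Adversary step 3: c0 = c - m0 * G_pub; guess b' = 0 iff wt(c0) = T."""
    c0 = [x ^ y for x, y in zip(c, vecmul(m0_full, G_pub))]
    return 0 if sum(c0) == T else 1

def ind_cpa_round(G_pub, encrypt_fn, m0, m1, rng, pad=0):
    """One IND-CPA round: the challenger picks b and encrypts m_b; the adversary does not
    know the padding r, so it subtracts (0^pad, m0) * G_pub and applies the weight test."""
    b = rng.randrange(2)
    c = encrypt_fn(G_pub, (m0, m1)[b], rng)
    return weight_test_guess(G_pub, c, [0] * pad + m0) == b

def success_rate(encrypt_fn, m0, m1, pad=0, trials=400, seed=7):
    """Fraction of rounds won: 1.0 is a perfect distinguisher, about 0.5 means no advantage."""
    rng = random.Random(seed)
    G_pub = systematic_public_key(rng)
    wins = sum(ind_cpa_round(G_pub, encrypt_fn, m0, m1, rng, pad) for _ in range(trials))
    return wins / trials

def plain_vs_padded():
    """Plain scheme: the test always wins. Padded scheme: c0 = r*G_1 + e is only of weight T
    when r happens to be zero (probability 2^-K1), so the test is reduced to guessing."""
    plain = success_rate(encrypt, [0] * K, [1] * K)
    padded = success_rate(encrypt_padded, [0] * (K - K1), [1] * (K - K1), pad=K1)
    return plain, padded

if __name__ == "__main__":
    print("distinguisher success rate (plain, padded):", plain_vs_padded())
```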

The Niederreiter Cryptosystem Π_Niederreiter: Key Generation
Π_Niederreiter: KeyGen
Input: q, k, n, t
1. Choose H as the parity-check matrix of a t-error-correcting code
   (the type is public (e.g., Goppa) as are $\mathbb{F}_q$, n, k; but not the $\alpha_i$'s)
2. Choose S as a random full-rank (n − k) × (n − k) matrix
3. Choose P as a random full-rank n × n permutation matrix
4. Calculate $H_{\mathrm{pub}} = S \cdot H \cdot P$
Output: Public key $H_{\mathrm{pub}}$, private key (S, P, H)

[Figure: Bob (public key: H_pub, t) sends the ciphertext c = H_pub · eᵀ to Alice (private key: S, H, P, t); Eve sees H_pub, t, c]

In the NIST proposal Classic McEliece (which is in Niederreiter form), there is no matrix P:
• S is chosen such that the public key $H_{\mathrm{pub}} = S \cdot H$ is in quasi-systematic form
• private key: $(g(x), \alpha_0, \dots, \alpha_n)$
The Niederreiter Cryptosystem Π_Niederreiter: Encryption

• Idea: Encode your information as an "error" vector of weight t
• The ciphertext is the syndrome of the message
• Can be seen as the dual version of McEliece

Π_Niederreiter: Enc
Input: public key $H_{\mathrm{pub}}$ of size (n − k) × n, plaintext m of $\left\lfloor \log_q \left(\binom{n}{t} (q-1)^t\right) \right\rfloor$ q-ary symbols
1. Encode your message m to a vector e of length n and weight t
2. Calculate: $c = H_{\mathrm{pub}} \cdot e^\top$
Output: ciphertext c of length n − k


The Niederreiter Cryptosystem Π_Niederreiter: Decryption

Π_Niederreiter: Dec
Input: ciphertext c, secret key S, H, P
1. Calculate $\tilde{c} = S^{-1} \cdot c$
2. Use a syndrome decoder on $\tilde{c}$ to get $\tilde{e}^\top = P \cdot e^\top$
3. Calculate $\hat{e}^\top = P^{-1} \cdot \tilde{e}^\top$
4. Map $\hat{e}$ from a vector of weight t back to a message $\hat{m}$
Output: secret message $\hat{m}$

• We have $\tilde{c} = S^{-1} \cdot c = S^{-1} \cdot S \cdot H \cdot P \cdot e^\top = H \cdot P \cdot e^\top$
  ◦ Denote $\tilde{e}^\top = P \cdot e^\top$
  ◦ $P \cdot e^\top$ has weight t since P is a permutation matrix


The Niederreiter Cryptosystem Π_Niederreiter: Encoding Binary Constant-Weight Words
Define a bijective mapping:
$$\theta : W_{n,t} \to \left[0, \binom{n}{t}\right),\qquad (i_1, \dots, i_t) \mapsto \binom{i_1}{1} + \binom{i_2}{2} + \dots + \binom{i_t}{t}$$

Enumerative Encoding (inverse mapping)
Input: $x \in \left[0, \binom{n}{t}\right)$
  j ← t
  while j > 0 do:
      $i_j$ ← invert_binomial(x, j)   // returns i s.t. $\binom{i}{j} \leq x < \binom{i+1}{j}$
      x ← x − $\binom{i_j}{j}$
      j ← j − 1
Output: t integers $i_1, \dots, i_t$ where $0 \leq i_1 < \dots < i_t \leq n-1$

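The mapping θ and the enumerative-encoding loop above as an added implementation (not from the slides): invert_binomial is realized by a linear search (an assumption; the slides do not say how it is computed), to_error_vector is the weight-t word used in Niederreiter Enc step 1, and bijection_check verifies θ against all of $W_{n,t}$ for small n and t.

```python
from itertools import combinations
from math import comb

def theta(positions):
    """theta(i_1,...,i_t) = C(i_1,1) + C(i_2,2) + ... + C(i_t,t) for 0 <= i_1 < ... < i_t <= n-1."""
    return sum(comb(i, j) for j, i in enumerate(positions, start=1))

def invert_binomial(x, j):
    """Largest i with C(i, j) <= x, i.e. C(i, j) <= x < C(i+1, j); linear search (assumed)."""
    i = j - 1                       # C(j-1, j) = 0 <= x always holds
    while comb(i + 1, j) <= x:
        i += 1
    return i

def enumerative_decode(x, t):
    """Inverse of theta, following the slide's loop: x in [0, C(n,t)) -> t increasing positions."""
    positions = []
    j = t
    while j > 0:
        i = invert_binomial(x, j)
        positions.append(i)         # the loop produces i_t first, then i_{t-1}, ...
        x -= comb(i, j)
        j -= 1
    return tuple(reversed(positions))

def to_error_vector(positions, n):
    """Niederreiter Enc step 1: the message index becomes a length-n word of weight t."""
    e = [0] * n
    for i in positions:
        e[i] = 1
    return e

def bijection_check(n, t):
    """theta maps W_{n,t} one-to-one onto [0, C(n,t)) and enumerative_decode inverts it."""
    images = set()
    for s in combinations(range(n), t):
        x = theta(s)
        if not 0 <= x < comb(n, t) or enumerative_decode(x, t) != s:
            return False
        images.add(x)
    return len(images) == comb(n, t)

if __name__ == "__main__":
    print("theta(4,5,6) =", theta((4, 5, 6)), " decode(34, 3) =", enumerative_decode(34, 3))
    print("bijection for n=7,t=3:", bijection_check(7, 3), " n=10,t=4:", bijection_check(10, 4))
```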

McEliece vs. Niederreiter

Transmission rate:
  McEliece: $\frac{k}{n}$
  Niederreiter: $\frac{\log_q\left(\binom{n}{t}(q-1)^t\right)}{n-k}$; for binary Goppa codes: $\frac{\log_2 \binom{n}{t}}{rm}$
Message length:
  McEliece: k
  Niederreiter: $\left\lfloor \log_q\left(\binom{n}{t}(q-1)^t\right) \right\rfloor$
Ciphertext length:
  McEliece: n
  Niederreiter: n − k
Encryption cost:
  McEliece: $c = m \cdot G_{\mathrm{pub}} + e$: O(kn)
  Niederreiter: 1.) mapping: $O(t^2 \log n)$; 2.) $c = H_{\mathrm{pub}} \cdot e^\top$: O((n − k)n)
Decryption cost:
  McEliece: 1.) syndrome: O((n − k)n); 2.) decoding: $O(n^2)$; 3.) matrix inversion: $O(n^3)$
  Niederreiter: 1.) decoding: $O(n^2)$; 2.) matrix inversion: $O(n^3)$; 3.) de-mapping: $O(tn \log n)$
Key size, systematic:
  McEliece: size($G_{\mathrm{pub}}$) = k(n − k)
  Niederreiter: size($H_{\mathrm{pub}}$) = k(n − k)
Key size, non-systematic:
  McEliece: size($G_{\mathrm{pub}}$) = kn
  Niederreiter: size($H_{\mathrm{pub}}$) = n(n − k)

• Security of McEliece and Niederreiter systems is the same
• In its plain version, both are not IND-CPA secure
• Example: $[2048, 1751, 55]_2$ Goppa code with r = 27, m = 11


Key Size of McEliece & Niederreiter Cryptosystem

(irreducible Goppa code with d ≥ 2t + 1; systematic key)

Recall:
• RSA with key size s = 1024 bit has 80-bit security
• RSA with s = 2048 has 112-bit security
• RSA with s = 3072 has 128-bit security

⇒ This is a large difference in the key size!


Part III: Information-Set Decoding and Signatures [Sven]


Generic Decoding Problem

[Figure: $r = m \cdot G + e$ with $r \in \mathbb{F}_q^n$, $m \in \mathbb{F}_q^k$, $G \in \mathbb{F}_q^{k \times n}$, $e \in \mathbb{F}_q^n$ and $\operatorname{wt}_H(e) = t$]
Given: r and G. Find: m and e.


Information-Set Decoding (History)⁴

[Figure: timeline 1960–2020 with Prange, Lee–Brickell and Stern; the McEliece cryptosystem (+ NP-hardness of the decision problem) and the first PQCrypto conference are marked]

• ≥ 28 papers on the topic
• For fixed rate, d = Gilbert–Varshamov bound, all algorithms have asymptotic work factor $2^{c \cdot n}$ for some constant c.
• Each algorithm decreased c slightly

⁴ See the documentation of the NIST submission Classic McEliece for a full list & references
First Information-Set Decoder: Prange (1962)
• Idea: Guess k positions and hope that they are error-free
• Denote $I \subset \{0, \dots, n-1\}$, |I| = k
• Denote by $G^I_{\mathrm{pub}}$ the columns of $G_{\mathrm{pub}}$ indexed by I

Information Set Decoding
1. Choose randomly $I \subset \{0, \dots, n-1\}$, |I| = k
2. Note: $c_I = m \cdot G^I_{\mathrm{pub}} + e_I$
3. Check if $\operatorname{wt}\left(c_I \cdot (G^I_{\mathrm{pub}})^{-1} \cdot G_{\mathrm{pub}} - c\right) = t$
   ◦ If yes: Output $\hat{m} = c_I \cdot (G^I_{\mathrm{pub}})^{-1}$
   ◦ Else: go to Step 1.

1. Hope that there is no error in e at these indices
2. If $\operatorname{wt}(e_I) = 0$, then the attacker can get m by $m = c_I \cdot (G^I_{\mathrm{pub}})^{-1}$
3. This is only true if the positions in I were error-free
Improvements of Prange⁵

Picture (as in the original slide): the n positions are split into an information set of k positions and the remaining n − k positions; each algorithm succeeds for one particular distribution of the t errors over these parts.

• Prange (1962):
  ▸ Success if 0 errors fall into the information set (all t errors among the remaining n − k positions)
  ▸ Work factor
      $$\mathrm{WF} = \underbrace{\frac{\binom{n}{t}}{\binom{n-k}{t}}}_{1/\Pr(\text{success})} \cdot \underbrace{k^{3}}_{\text{work per iteration}}$$
• Lee–Brickell (1988) (parameter p):
  ▸ Works if exactly p errors fall into the information set and t − p into the remaining n − k positions
  ▸ Work factor
      $$\mathrm{WF} = \frac{\binom{n}{t}}{\binom{k}{p}\binom{n-k}{t-p}} \cdot \mathrm{Poly}(n, k, p)$$
  ▸ Fewer iterations, more work per iteration. The best p is usually small, but > 0
• Stern (1989) (parameters p, ℓ):
  ▸ Success if the information set splits into two halves of k/2 positions with exactly p errors each, a further ℓ positions contain 0 errors, and the remaining n − k − ℓ positions contain t − 2p errors

⁵ Illustrations as in Overbeck and Sendrier, "Code-based cryptography", in: Post-Quantum Cryptography, Springer, Berlin, Heidelberg, 2009, pp. 95–145.
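The three steps of Prange's algorithm and the iteration counts of Prange and Lee–Brickell, as an added worked example (this is not code from the tutorial or from any of the cited NIST submissions). The [7,4,3] Hamming generator matrix, the message and the single flipped bit are constructed test data; the parameter triple (n, k, t) = (3488, 2720, 64) used in the last print is Classic McEliece's mceliece348864 parameter set and only serves to show how the Prange iteration count behaves at real sizes.

```python
"""Prange's information-set decoding over F_2, plus the iteration counts of
Prange and Lee-Brickell from the slides.

Added example (not from the tutorial). Matrices are lists of 0/1 rows.
"""
import random
from math import comb


def solve_f2(a, b):
    """Solve a·x = b over F_2 (a is k×k, b has length k) by Gauss-Jordan.

    Returns x as a list of bits, or None if a is singular (I is then not an
    information set and the caller must draw a new I).
    """
    k = len(a)
    rows = [a[i][:] + [b[i]] for i in range(k)]          # augmented matrix
    for col in range(k):
        pivot = next((r for r in range(col, k) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(k):
            if r != col and rows[r][col]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[col])]
    return [rows[i][k] for i in range(k)]


def vec_mat(m, g):
    """m · G over F_2 for a bit vector m and a k×n matrix G."""
    out = [0] * len(g[0])
    for mi, row in zip(m, g):
        if mi:
            out = [o ^ r for o, r in zip(out, row)]
    return out


def prange(g, c, t, rng=None, max_iter=10000):
    """Recover m from c = m·G + e with wt(e) = t by guessing information sets.

    Mirrors the three steps on the slide: pick I, solve c_I = m̂·G_I,
    accept m̂ if m̂·G differs from c in exactly t positions.
    """
    rng = rng or random.Random(0)
    k, n = len(g), len(g[0])
    for _ in range(max_iter):
        idx = sorted(rng.sample(range(n), k))            # Step 1: random I, |I| = k
        g_i_t = [[g[r][j] for r in range(k)] for j in idx]   # (G_I)^T, k×k
        c_i = [c[j] for j in idx]
        m_hat = solve_f2(g_i_t, c_i)                     # Step 2: m̂ = c_I · G_I^{-1}
        if m_hat is None:
            continue                                     # I is not an information set
        diff = sum(a ^ b for a, b in zip(vec_mat(m_hat, g), c))
        if diff == t:                                    # Step 3: weight check
            return m_hat
    return None


def prange_iterations(n, k, t):
    """Expected iterations = 1/Pr(I error-free) = C(n,t)/C(n-k,t)."""
    return comb(n, t) / comb(n - k, t)


def lee_brickell_iterations(n, k, t, p):
    """Expected iterations when exactly p of the t errors may lie in I."""
    return comb(n, t) / (comb(k, p) * comb(n - k, t - p))


# Constructed test data: systematic generator matrix of the [7,4,3] Hamming
# code (corrects t = 1), a message, and one flipped bit in its codeword.
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
M = [1, 0, 1, 1]
C = vec_mat(M, G)
C[5] ^= 1   # error of weight t = 1 at position 5

if __name__ == "__main__":
    print("recovered message:", prange(G, C, 1))
    print("Prange iterations for Hamming [7,4], t=1:", prange_iterations(7, 4, 1))
    print("Prange iterations for (n,k,t)=(3488,2720,64): %.3g"
          % prange_iterations(3488, 2720, 64))
```

Step 3 is what makes the guess verifiable without the secret key: any information set that happens to be error-free yields a codeword at distance exactly t from c, and for a code with minimum distance > 2t that codeword is unique. The `max_iter` guard only exists so that a wrong t cannot loop forever.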
Other Generic Decoding Problems
• Codes in other metrics have been considered
• E.g., rank metric:
  ▸ Codewords = matrices
  ▸ Errors = matrices of (low) rank t
• Below: asymptotic consideration, all code parameters Θ(n)⁶

                                            Hamming metric                 Rank metric
  Work factor of generic decoding           2^{Θ(n)}                       2^{Θ(n²)}
  (=: 2^{SL}, SL = security level in bits)  ⇒ SL ∈ Θ(n)                    ⇒ SL ∈ Θ(n²)
  Key size                                  k(n − k) ∈ Θ(n²) ⊆ Θ(SL²)      Θ(n³) ⊆ Θ(SL^{3/2})

(Rank-metric key: k(n − k) entries of F_{q^m} with m ∈ Θ(n), i.e. Θ(n) bits each, hence Θ(n³).)

⇒ Rank-metric code-based cryptosystems may have significantly smaller key sizes!

• Others: (quasi-)cyclic codes, Lee-metric codes, ...

⁶ f(n) ∈ Θ(g(n)) if f(n) ∈ O(g(n)) and g(n) ∈ O(f(n)) (Big-Theta notation)
CFS Signature Scheme Π_CFS
• Digital signature scheme based on the Niederreiter system
• Goal: Alice wants to append a signature to a transmitted document such that the receiver Bob can check the authenticity of the sender.
  ⇒ CFS (Courtois–Finiasz–Sendrier) signature scheme
• Let h(x) be a hash function that returns a hash of length n − k (the length of a syndrome)
• Let i be a counter

Π_CFS : Sign
• Hash the document D into s = h(D)
• Append a counter to the previous hash and hash again: s_i = h([s | i]) for i = 0, 1, 2, ...
• Find i_0, the smallest i for which s_i, interpreted as a syndrome, is uniquely decodable (i.e., is the syndrome of an error vector of weight ≤ t)
• Use Alice's secret key (the structured parity-check matrix H with its efficient syndrome decoder) to determine that error vector e
• Signature: (index of) the error vector e and i_0

Note on the counter loop: only about \binom{n}{t}/2^{n−k} of all syndromes are decodable; for binary Goppa codes with n = 2^m and n − k = mt this fraction is ≈ 1/t!, so roughly t! values of i are tried before a decodable s_i is found. This is why CFS needs very long codes with small t.


CFS Signature Scheme Π_CFS

Π_CFS : Vrfy
• Recover the error vector e from its index (the index only covers vectors of weight t; if e is transmitted directly, check wt(e) ≤ t explicitly, otherwise any solution of a linear system would verify)
• Compute s_1 = H_pub · e^T with Alice's public key
• Compute s_2 = h([h(D) | i_0]) with the public hash function
• Compare s_1 and s_2: if they are equal, the signature is valid
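The Sign/Vrfy loop above, as an added toy example (not the tutorial's code and not a secure CFS instantiation). Assumptions and simplifications: the code is a constructed [16,8] binary code with parity-check matrix H = (P^T | I_8), so there is no hidden Goppa structure and the "secret decoder" is simply a brute-force syndrome table built from all error patterns of weight ≤ t; the hash is SHA-256 truncated to n − k bits; and the signature carries the error positions directly rather than their index among the weight-t vectors. What is kept from the scheme is the essential part: hash, append a counter, re-hash until the digest is a uniquely decodable syndrome, sign with the decoder, verify by recomputing H·e^T.

```python
"""Toy CFS sign/verify loop over a small binary code (added example)."""
import hashlib
from itertools import combinations

N, R, T = 16, 8, 2          # length n, redundancy n-k, error weight t

# Constructed parity-check matrix H (8 x 16); each column is an 8-bit int.
_P_T = [0b10011010, 0b01100111, 0b11010001, 0b00111100,
        0b10100110, 0b01011001, 0b11101000, 0b00010111]
H_COLS = _P_T + [1 << (R - 1 - i) for i in range(R)]   # identity part


def syndrome(e):
    """s = H·e^T for an error vector e given as a tuple of error positions."""
    s = 0
    for pos in e:
        s ^= H_COLS[pos]
    return s


def build_decoder():
    """Toy secret key: syndrome -> the unique error pattern of weight <= T.

    A syndrome reached by two different patterns is dropped, so every entry
    is 'uniquely decodable' in the sense of the Sign step.
    """
    table, ambiguous = {}, set()
    for wt in range(T + 1):
        for e in combinations(range(N), wt):
            s = syndrome(e)
            if s in table or s in ambiguous:
                table.pop(s, None)
                ambiguous.add(s)
            else:
                table[s] = e
    return table


def hash_to_syndrome(data):
    """Public hash h(.) truncated to n-k = R bits."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - R)


def _counter_hash(s, i):
    """s_i = h([s | i]) with a fixed-width encoding of s and the counter i."""
    return hash_to_syndrome(s.to_bytes((R + 7) // 8, "big") + i.to_bytes(4, "big"))


def sign(document, decoder):
    s = hash_to_syndrome(document)                 # s = h(D)
    i = 0
    while True:                                    # i0 = smallest decodable i
        s_i = _counter_hash(s, i)
        if s_i in decoder:
            return decoder[s_i], i                 # signature: (e, i0)
        i += 1


def verify(document, signature):
    e, i0 = signature
    if len(e) > T:                                 # weight bound is essential
        return False
    s_i = _counter_hash(hash_to_syndrome(document), i0)
    return syndrome(e) == s_i                      # H e^T == h([h(D) | i0]) ?


if __name__ == "__main__":
    sk = build_decoder()
    doc = b"constructed sample document"
    sig = sign(doc, sk)
    print("decodable syndromes: %d of %d" % (len(sk), 1 << R))
    print("signature (error positions, counter):", sig)
    print("valid:", verify(doc, sig), " tampered:", verify(doc + b"!", sig))
```

With these parameters roughly half of the 256 syndromes are decodable, so the counter stops after one or two hashes; in a real CFS instance with a t-error-correcting Goppa code the expected number of attempts is about t!, which is where the scheme's signing cost comes from.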


Outline

Part I: Motivation & Notations of linear codes [Sven]


Part II: McEliece and Niederreiter Schemes [Antonia]
Part III: Information-Set Decoding and Signatures [Sven]
Part IV: The System HQC [Antonia]



The Hamming Quasi-Cyclic (HQC) Cryptosystem⁷

• The scheme was published in 2017 (quite new compared to McEliece)
• It is one of the Round 3 alternate candidates of the NIST competition
• The trapdoor is knowledge about the error, not about the code class!
  ⇒ Security does not depend on the code class used
  ⇒ The code that is applied is public
• Its IND-CCA2 security relies on variants of the (quasi-cyclic) syndrome decoding problem
• It features smaller key sizes than McEliece but suffers from larger ciphertexts and a non-zero decryption failure rate.

⁷ Aguilar Melchor, Aragon, Bettaieb, Bidoux, Blazy, Bos, Deneuville, Dion, Gaborit, Lacan, Persichetti, Robert, Véron, Zémor, "HQC", pqc-hqc.org
HQC: Preliminaries

Let the product of u, v ∈ F_2^n be defined as
    $$uv = u\,\operatorname{rot}(v)^{\top} = v\,\operatorname{rot}(u)^{\top} = vu,$$
where
    $$\operatorname{rot}(v) := \begin{pmatrix} v_0 & v_{n-1} & \cdots & v_1 \\ v_1 & v_0 & \cdots & v_2 \\ \vdots & \vdots & \ddots & \vdots \\ v_{n-1} & v_{n-2} & \cdots & v_0 \end{pmatrix} \in \mathbb{F}_2^{n \times n}.$$

As a consequence of this definition, elements of F_2^n can be interpreted as polynomials in the ring R := F_2[x]/(x^n − 1): uv is the ordinary polynomial product in R, i.e. the cyclic convolution of the coefficient vectors, (uv)_j = Σ_i u_i v_{j−i mod n}.


HQC: Key Generation
Π_HQC : KeyGen
Input: n, k, δ, w, w_r, w_e (w, w_r, w_e are small compared to n)
1. Choose a code C of length n, dimension k and error-correction capability δ
2. h ←$ R (uniformly at random)
3. (x, y) ←$ R² such that wt(x) = wt(y) = w
4. s ← x + hy
Output: Public code C, public key (h, s), private key (x, y)

Rationale: Retrieving the private key from the public key requires solving an instance of the (quasi-cyclic) syndrome decoding problem:
    $$s = x + hy = (x, y)\begin{pmatrix} I \\ \operatorname{rot}(h)^{\top} \end{pmatrix} =: e H^{\top}, \qquad H = \bigl(I \mid \operatorname{rot}(h)\bigr) \in \mathbb{F}_2^{n \times 2n},$$
i.e., s is the syndrome of the low-weight vector e = (x, y) (wt(e) = 2w) with respect to the public parity-check matrix H.


HQC: Encryption (1)

Π_HQC : Enc
Input: Public code C, public key (h, s), plaintext m
1. e′ ←$ R such that wt(e′) = w_e
2. (r_1, r_2) ←$ R² such that wt(r_1) = wt(r_2) = w_r
3. u ← r_1 + hr_2
4. v ← Encode(m) + sr_2 + e′, where Encode maps m to a codeword of C
Output: Ciphertext (u, v)


HQC: Encryption (2)

Rationale of Encryption:
• Retrieving information about r_1 or r_2 requires solving an instance of the syndrome decoding problem:
    $$u = r_1 + hr_2 = (r_1, r_2)\begin{pmatrix} I \\ \operatorname{rot}(h)^{\top} \end{pmatrix} =: \tilde{e} H^{\top}.$$
• Since h has large weight (it is uniformly random, so wt(h) ≈ n/2), the vector sr_2 + e′ = xr_2 + hyr_2 + e′ also has large weight.
• The vector
    v = Encode(m) + sr_2 + e′ = Encode(m) + xr_2 + hyr_2 + e′
  can be seen as a codeword of C corrupted by an error of large weight (too large to be decoded efficiently).
• The vectors h, s, u do not leak any information that helps with decoding.


HQC: Decryption
Π_HQC : Dec
Input: Public code C, private key (x, y), ciphertext (u, v)
1. v′ ← v − uy
2. m ← Decode(v′)
Output: Plaintext m

Rationale: The vector
    $$v' = v - uy = \mathrm{Encode}(m) + sr_2 + e' - (r_1 + hr_2)\,y = \mathrm{Encode}(m) + \underbrace{xr_2 + e' - r_1 y}_{=:\,e}$$
is a codeword of C corrupted by an error e of small weight (since the weights of x, y, r_1, r_2, e′ are small; the terms hyr_2 and hr_2y cancel because R is commutative, and wt(e) ≤ 2ww_r + w_e). Thus the vector v′ can be decoded whenever wt(e) ≤ δ; otherwise decryption fails, which is the origin of HQC's decryption failure rate.
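The ring arithmetic from the Preliminaries slide and the KeyGen/Enc/Dec procedures above, as an added toy example (not the HQC reference implementation). Assumptions and simplifications: ring elements of R = F_2[x]/(x^n − 1) are Python ints whose bit i is the coefficient of x^i; the public code C is a plain repetition code (k message bits, each repeated L times, majority-vote decoding) instead of HQC's BCH⊗repetition or RS–RM construction; and the toy weights are chosen so that the bound wt(e) ≤ 2ww_r + w_e from the Decryption slide stays below half a block, so this toy never has a decryption failure (the real scheme tunes n, w, w_r, w_e so the failure rate is merely ≤ 2^{−λ}; it also takes n prime, which the toy does not).

```python
"""Toy HQC over R = F_2[x]/(x^n - 1): KeyGen, Enc, Dec as on the slides.

Added example with a repetition code standing in for the public code C.
"""
import random

K, L = 8, 45             # message bits, repetitions per bit (L odd: no ties)
N = K * L                # ring dimension n
W, W_R, W_E = 3, 3, 3    # small weights: wt(e) <= 2*W*W_R + W_E = 21 < L/2
MASK = (1 << N) - 1


def ring_mul(u, v, n=N):
    """uv in F_2[x]/(x^n - 1): XOR of v rotated by each exponent set in u."""
    acc = 0
    mask = (1 << n) - 1
    while u:
        i = (u & -u).bit_length() - 1                 # lowest set bit of u
        u &= u - 1
        acc ^= ((v << i) | (v >> (n - i))) & mask     # v * x^i  mod (x^n - 1)
    return acc


def weight(a):
    """Hamming weight of a ring element."""
    return bin(a).count("1")


def random_weight(w, rng, n=N):
    """Uniform element of R with Hamming weight exactly w."""
    a = 0
    for pos in rng.sample(range(n), w):
        a |= 1 << pos
    return a


def encode(m):
    """Repetition code: bit j of m fills positions j*L ... j*L+L-1."""
    c = 0
    for j in range(K):
        if (m >> j) & 1:
            c |= ((1 << L) - 1) << (j * L)
    return c


def decode(c):
    """Majority vote per block; corrects up to (L-1)/2 errors in each block."""
    m = 0
    for j in range(K):
        block = (c >> (j * L)) & ((1 << L) - 1)
        if 2 * weight(block) > L:
            m |= 1 << j
    return m


def keygen(rng):
    h = rng.getrandbits(N)                                # h <- R
    x, y = random_weight(W, rng), random_weight(W, rng)   # wt(x) = wt(y) = w
    s = x ^ ring_mul(h, y)                                # s = x + h y
    return (h, s), (x, y)


def encrypt(pk, m, rng):
    h, s = pk
    e1 = random_weight(W_E, rng)                          # e' with wt = w_e
    r1, r2 = random_weight(W_R, rng), random_weight(W_R, rng)
    u = r1 ^ ring_mul(h, r2)                              # u = r1 + h r2
    v = encode(m) ^ ring_mul(s, r2) ^ e1                  # v = Encode(m) + s r2 + e'
    return u, v


def decrypt(sk, ct):
    x, y = sk
    u, v = ct
    v1 = v ^ ring_mul(u, y)                               # v' = v - u y  (= v + u y over F_2)
    return decode(v1)


def roundtrip(seed=0):
    """KeyGen/Enc/Dec with a fixed seed; returns (m, decrypted m, wt(e))."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    m = rng.getrandbits(K)
    ct = encrypt(pk, m, rng)
    err = (ct[1] ^ ring_mul(ct[0], sk[1])) ^ encode(m)    # e = v' - Encode(m)
    return m, decrypt(sk, ct), weight(err)


if __name__ == "__main__":
    m, m_dec, wt_e = roundtrip()
    print(f"m = {m:08b}, decrypted = {m_dec:08b}, wt(e) = {wt_e} (bound {2*W*W_R + W_E})")
```

The `err` value computed in `roundtrip` is exactly the e = xr_2 + e′ − r_1y from the Decryption slide; printing its weight next to the bound 2ww_r + w_e makes the trade-off visible: larger w, w_r, w_e make the syndrome decoding instances harder but push e toward the decoder's limit δ.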


HQC: Choice of the code C

Required properties:
• Fast and constant-time encoding and decoding (and hence en-/decryption)
• Guaranteed low decryption failure rate (≤ 2^{−λ} for security parameter λ, as needed for IND-CCA2 security)
• Small key and ciphertext sizes

Code class:
• In general, every code that meets these requirements can be used
• In the NIST proposal of HQC, the authors show two possibilities for C:
  1. Product code of a BCH code and a repetition code (Rounds 1–2)
  2. Code concatenation of a Reed–Solomon code and a Reed–Muller code (Round 3)

Note: It is an open research question whether there is a better choice for C!


Conclusion and Open Research Questions
Conclusion
• Code-based cryptography is an efficient approach to providing post-quantum security
• The underlying hard problems have been investigated for decades

Open Questions
• Efficient code-based signature schemes?
• Other metrics (rank, Lee, ...) in McEliece-type schemes
• Schemes that are not based on hiding the structure of a code (like HQC)

Thank you for your attention!
References on Code-based Cryptography⁸

Aguilar Melchor, C., Aragon, N., Bardet, M., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J., Gaborit, P., Hauteville, A., Otmani, A., Ruatta, O., Tillich, J., Zemor, G.: ROLLO – Rank-Ouroboros, LAKE & LOCKER. Second round submission to the NIST post-quantum cryptography call (2019). https://pqc-rollo.org

Aguilar Melchor, C., Aragon, N., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J., Gaborit, P., Zemor, G., Couvreur, A., Hauteville, A.: Rank quasi-cyclic (RQC). Second round submission to the NIST post-quantum cryptography call (2019). https://pqc-rqc.org

C. Aguilar-Melchor, N. Aragon, S. Bettaieb, L. Bidoux, O. Blazy, J. Bos, J. Deneuville, A. Dion, P. Gaborit, J. Lacan, E. Persichetti, J. Robert, P. Véron, and G. Zémor, “Hamming Quasi-Cyclic (HQC),” Third round submission to the NIST post-quantum cryptography call, 2019. [Online]. Available: https://pqc-hqc.org

M. R. Albrecht, D. J. Bernstein, T. Chou, C. Cid, J. Gilcher, T. Lange, V. Maram, I. von Maurich, R. Misoczki, R. Niederhagen, K. G. Paterson, E. Persichetti, C. Peters, P. Schwabe, N. Sendrier, J. Szefer, C. J. Tjhai, M. Tomlinson, and W. Wang, “Classic McEliece,” Third round submission to the NIST post-quantum cryptography call, 2019. [Online]. Available: https://classic.mceliece.org

N. Aragon, P. S. L. M. Barreto, S. Bettaieb, L. Bidoux, O. Blazy, J.-C. Deneuville, P. Gaborit, S. Ghosh, S. Gueron, T. Güneysu, C. Aguilar-Melchor, R. Misoczki, E. Persichetti, N. Sendrier, J.-P. Tillich, V. Vasseur, and G. Zémor, “BIKE: Bit Flipping Key Encapsulation,” Third round submission to the NIST post-quantum cryptography call, 2019. https://bikesuite.org/

Augot, D., Finiasz, M.: A public key encryption scheme based on the polynomial reconstruction problem. Advances in Cryptology – EUROCRYPT 2003, LNCS 2656, pp. 229–249 (2003)

M. Baldi, M. Battaglioni, F. Chiaraluce, A.-L. Horlemann-Trautmann, E. Persichetti, P. Santini, and V. Weger, “A new path to code-based signatures via identification schemes with restricted errors,” 2020.

Bardet, M., Briaud, P., Bros, M., Gaborit, P., Neiger, V., Ruatta, O., Tillich, J.P.: An algebraic attack on rank metric code-based cryptosystems. Tech. rep. (2019). arXiv:1910.00810v1

A. Becker, A. Joux, A. May, and A. Meurer, “Decoding random binary linear codes in 2^{n/20}: How 1 + 1 = 0 improves information set decoding,” in Advances in Cryptology – EUROCRYPT 2012, ser. Lecture Notes in Computer Science, D. Pointcheval and T. Johansson, Eds. Springer Verlag, 2012, vol. 7237, pp. 520–536.

E. Berlekamp, R. McEliece, and H. van Tilborg, “On the inherent intractability of certain coding problems (corresp.),” IEEE Transactions on Information Theory, vol. 24, no. 3, pp. 384–386, 1978.

D. J. Bernstein, T. Lange, and C. Peters, “Smaller decoding exponents: ball-collision decoding,” in Annual Cryptology Conference. Springer, 2011, pp. 743–760.

D. J. Bernstein, T. Lange, C. Peters, and P. Schwabe, “Faster 2-regular information-set decoding,” in Coding and Cryptology. Springer Berlin Heidelberg, 2011, pp. 81–98.

Bernstein, D., Chou, T., Lange, T., Maurich, I., Misoczki, R., Niederhagen, R., Persichetti, E., Peters, C., Schwabe, P., Sendrier, N., Szefer, J., Wang, W.: Classic McEliece. Second round submission to the NIST post-quantum cryptography call (2019). https://classic.mceliece.org

Bernstein, D.J.: Grover vs. McEliece. In: Sendrier, N. (ed.) Post-Quantum Cryptography, pp. 73–80. Springer, Berlin Heidelberg (2010).

A. Canteaut and F. Chabaud, “A new algorithm for finding minimum-weight words in a linear code: Application to McEliece's cryptosystem and to narrow-sense BCH codes of length 511,” IEEE Transactions on Information Theory, vol. 44, pp. 367–378, 1998.

T. Chou, “QcBits: Constant-time small-key code-based cryptography,” in Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2016, pp. 280–300.

Faure, C., Loidreau, P.: A new public-key cryptosystem based on the problem of reconstructing p-polynomials. Coding and Cryptography, pp. 304–315. Springer, Berlin (2006).

Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26, 80–101 (2013).

Gabidulin, E.M., Ourivski, A.V., Honary, B., Ammar, B.: Reducible rank codes and their applications to cryptography. IEEE Trans. Inform. Theory 49(12), 3289–3293 (2003).

Gaborit, P., Otmani, A., Talé Kalachi, H.: Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes. Des. Codes Cryptogr. 86(7), 1391–1403 (2018).

D. Gligoroski, S. Samardjiska, H. Jacobsen, and S. Bezzateev, “McEliece in the world of Escher,” Cryptology ePrint Archive, Report 2014/360, 2014.

A.-L. Horlemann-Trautmann and V. Weger, “Information set decoding in the Lee metric with applications to cryptography,” Advances in Mathematics of Communications, vol. online, 2020.

C. Interlando, K. Khathuria, N. Rohrer, J. Rosenthal, and V. Weger, “Generalization of the ball-collision algorithm,” Journal of Algebra Combinatorics Discrete Structures and Applications, vol. 7, pp. 195–207, 2020.

P. Lee and E. Brickell, “An observation on the security of McEliece's public-key cryptosystem,” in Advances in Cryptology – EUROCRYPT 88. Springer Verlag, 1988, pp. 275–280.

Loidreau, P.: A new rank metric codes based encryption scheme. In: Int. Conf. on Post-Quantum Cryptography (PQCrypto) (2017)

R. J. McEliece, “A Public-Key Cryptosystem Based on Algebraic Coding Theory,” DSN Progress Report, vol. 44, pp. 114–116, 1978.

D. Moody and R. Perlner, “Vulnerabilities of ‘McEliece in the world of Escher’,” in Post-Quantum Cryptography, T. Takagi, Ed. Cham: Springer International Publishing, 2016, pp. 104–117.

National Institute of Standards and Technology (NIST), U.S. Department of Commerce: Post-quantum cryptography standardization (2017), https://csrc.nist.gov/Projects/post-quantum-cryptography/Post-Quantum-Cryptography-Standardization

R. Niebuhr, E. Persichetti, P.-L. Cayrel, S. Bulygin, and J. Buchmann, “On lower bounds for information set decoding over F_q and on the effect of partial knowledge,” International Journal of Information and Coding Theory, vol. 4, no. 1, pp. 47–78, 2017.

Nojima, R., Imai, H., Kobara, K., Morozov, K.: Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Cryptogr. 49, 289–305 (2008).

Overbeck, R.: A new structural attack for GPT and variants. LNCS MYCRYPT 3715, 50–63 (2005).

C. Peters, “Information-Set Decoding for Linear Codes over F_q,” in International Workshop on Post-Quantum Cryptography. Springer, 2010, pp. 81–94.

E. Prange, “The use of information sets in decoding cyclic codes,” IRE Trans. Inf. Theory, vol. 8, no. 5, pp. 5–9, Sep. 1962.

M. Rossi, M. Hamburg, M. Hutter, and M. E. Marson, “A side-channel assisted cryptanalytic attack against QcBits,” in Lecture Notes in Computer Science. Springer International Publishing, 2017, pp. 3–23.

T. Schamberger, J. Renner, G. Sigl, and A. Wachter-Zeh, “A power side-channel attack on the CCA2-secure HQC KEM,”

Shehhi, H.A., Bellini, E., Borba, F., Caullery, F., Manzano, M., Mateu, V.: An IND-CCA-secure code-based encryption scheme using rank metric. In: Buchmann, J., Nitaj, A., Rachidi, T. (eds.) Progress in Cryptology: AFRICACRYPT 2019, pp. 79–96. Springer International Publishing, Cham (2019).

P. W. Shor, “Algorithms for quantum computation: discrete logarithms and factoring,” in Proceedings 35th Annual Symposium on Foundations of Computer Science, 1994, pp. 124–134.

A. Shoufan, F. Strenzke, H. G. Molter, and M. Stöttinger, “A timing attack against Patterson algorithm in the McEliece PKC,” in Information, Security and Cryptology – ICISC 2009. Springer Berlin Heidelberg, 2010, pp. 161–175.

J. Stern, “A method for finding codewords of small weight,” in International Colloquium on Coding Theory and Applications. Springer, 1988, pp. 106–113.

Wachter-Zeh, A., Puchinger, S., Renner, J.: Repairing the Faure–Loidreau public-key cryptosystem. In: IEEE Int. Symp. Inf. Theory (ISIT), pp. 2426–2430 (2018)

⁸ This list of references does not claim completeness.
