error-correcting pairs and arrays from algebraic geometry

ERROR-CORRECTING PAIRSAND ARRAYS FROM

ALGEBRAIC GEOMETRYCODES

INTRODUCTION TO CODINGTHEORY

CODE BASEDCRYPTOGRAPHY

MCELIECE CRYPTOSYSTEM

GENERIC ATTACKS ON THE

MCELIECE PKC

NIEDERREITER CRYPTOSYSTEM

ERROR CORRECTING PAIRS

EXAMPLES OF THEEXISTENCE OF ECPGRS CODES

SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS

REVERSE ENGINEERING AGCODES

ERROR-CORRECTING PAIRS AND ARRAYS FROMALGEBRAIC GEOMETRY CODES

I. MARQUEZ-CORBELLA 1 R. PELLIKAAN 2

1Department of Algebra, Geometry and Topology, University of Valladolid.Supported by a FPU grant AP2008-01598 by Spanish MEC.

2Department of Mathematics and Computing Science, Eindhoven University of Technology.

Applications of Computer Algebra - ACA 2013







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


INTRODUCTION TO CODING THEORY

An [n, k ] linear code C over Fq is a k -dimensional subspace of Fnq .

Its size is M = qk , the information rate is R = kn and the redundancy is n− k .

The generator matrix of C is a k × n matrix G whose rows form a basis of C,i.e.

C ={

xG | x ∈ Fkq

}.

The parity-check matrix of C is an (n − k)× n matrix H whose nullspace isgenerated by the codewords of C, i.e.

C ={

y ∈ Fnq | HyT = 0

}.

The hamming distance between x, y ∈ Fnq is dH (x, y) = |{i | xi 6= yi}|.

The minimum distance of C is

d(C) = min {dH (c1, c2) | c1, c2 ∈ C and c1 6= c2} .

x1y x2

FIGURE: If d(C) = 3

x1y x2

FIGURE: If d(C) = 4







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


PUBLIC-KEY CRYPTOSYSTEMS

TWO KEYS:

Private Key: Known only bythe recipient.

Public Key: Available toanyone.

MOST PKC ARE BASED ONNUMBER-THEORETIC PROBLEMS

Ü Quatum computers will breakthe most popular PKCs: RSA,DSA, ECDSA, ECC, HECC, ...can be attacked in polynomial time using

Shor’s algorithm

GOOD NEWS: POST-QUATUMCRYPTOGRAPHY

Hash-based cryptography,

Code-based cryptography,

Lattice-based cryptography,

Multivariate-quadratic-equationcryptography

D. J. Bernstein, J. Buchmann, E. Dahmen.

Post-Quatum Cryptography.

Springer, 2009.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS



KEY GENERATION

1 Given:

C an [n, k, d ] linear code over Fq

G ∈ Fk×nq a generator matrix of C.

S ∈ Fk×kq a nonsingular matrix.

P ∈ Fn×nq a permutation matrix.

2 McEliece Public Key :(G′ = SGP, t

).

3 McEliece Private Key: (G,S,P)

ENCRYPTION

Encrypt a message m ∈ Fkq as

y′ = mG′ + e′

where e and e′ = eP in Fnq are random

error vectors of weight t .

DECRYPTION

1 Compute y = y′P−1 =

mG′P−1 + e′P−1 = mSG + e.

2 Apply the decoding algorithm for Cto find mS.

3 m = mSS−1.

McEliece introduced the first PKC based on Error-Correcting Codes in 1978.Advantages:

1 Interesting candidate for post-quantum cryptography.2 Fast encryption (matrix-vector multiplication) and decryption functions.

Drawback: Large key size.

R. J. McEliece.

A public-key cryptosystem based on algebraic coding theory.DSN Progress Report, 42-44:114-116, 1978.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


ATTACKS ON THE MCELIECE PKC

Ü Most effective attack against the McEliece cryptosystem is Information SetDecoding. Many variants:

1 McEliece (1978)2 Leon (1988)3 Lee and Brickell (1988)4 Stern (1989)5 van Tilburg (1990)

6 Canteaut and Chabanne (1994)7 Canteaut and Chabaud (1998)8 Canteaut and Sendrier (1998)9 Bernstein, Lange and Peters (2008)

10 Becker, Coron and Joux (2011)

A. Canteaut and H. Chabanne.

A further improvement of the work factor in anattempt at breaking McEliece’s cryptosystem.EUROCODE 94, 1994.

A. Canteaut and F. Chabaud.

A new algorithm for finding minimum-weight wordsin a linear code: application to McEliece’scryptosystem and to narrow-sense BCH codes oflength 511.IEEE Transaction on Information Theory.

A. Canteaut and N. Sendrier.

Crytanalysis of the original McEliece cryptosystem.Advances in cryptology - ASIACRYPT’98.

P. J. Lee and E. F. Brickell.

An observation on the security of McEliece’spublic-key cryptosystem.Advances in cryptology - EUROCRYPT’98.

A. Becker, J. S. Coron and A. Joux

Improved generic algorithms for hard knapsacks.Advances in cryptology - EUROCRYPT 2011

D. J. Bernstein, T. Lange, C. Peters.

Attacking and defending the McEliececryptosystem.Post-Quantum Cryptography

J. S. Leon.

A probabilistic algorithm for computing minimumweights of large error-correcting codes.IEEE Transaction on Information Theory.

R. J. McEliece.

A public-key cryptosystem based on algebraiccoding theory.DSN Progress Report

J. Stern.

A method for finding codewords of small weight.Coding theory and applications, Vol 388 of LectureNotes in Computer Science, 106-113. Springer,New York, 1989.

J. van Tilburg.

On the McEliece public-key cryptosystem.Advances in cryptology - CRYPTO’88.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS



Ü Niederreiter presents a dual version of McEliece cryptosystem in 1986 which isequivalent in terms of security, with the same Goppa codes.

KEY GENERATION

1 Given:

C an [n, k, d ] linear code over Fq

H ∈ F(n−k)×nq a parity check matrix of

C.S ∈ F(n−k)×(n−k)

q a nonsingularmatrix.P ∈ Fn×n

q a permutation matrix.

2 Niederreiter Public Key :(H′ = SHP, t

).

3 Niederreiter Private Key: (H,S,P)

ENCRYPTION

Encrypt a message m ∈ Fkq as

y′ = mH′T .

DECRYPTION

1 Compute y = y′ = (S−1)T =

mPT HT = m′HT . Syndrome of m′ by H.

2 Apply decoding algorithm for C tofind m′ = mPT and thereby m.

Ü In its original paper Niederreiter proposed the class of GRS codes over F2m .

H. Niederreiter.

Knapsack-type crypto system and algebraic codingtheory.Problems of Control and Information Theory, 1986.

Y. Xing Li, R. H. Deng and X. Mei Wang.

On the equivalence of McEliece’s and Niederreiterpublic-key cryptosystems.IEEE Transaction on Information Theory, 1994.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


NOTATION

Ü For all a, b ∈ Fnq we define:

Star Multiplication: a ∗ b = (a1b1, . . . , anbn) ∈ Fnq .

Standard Inner Multiplication: a · b =∑n

i=1 ai bi .

Ü For all subsets A, B ⊆ Fnq we define:

A ∗ B = {a ∗ b | a ∈ A and b ∈ B}.

A ⊥ B ⇐⇒ a · b = 0 ∀ a ∈ A and b ∈ B.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


ERROR-CORRECTING PAIRS (ECP)

ERROR-CORRECTING PAIRS (ECP)

Let C be an Fq linear code of length n. The pair (A,B) of Fqm -linear codes of length nis a t-ECP for C over Fqm if the following properties hold:

E.1 (A ∗ B) ⊥ C.

E.2 k(A) > t .

E.3 d(B⊥) > t .

E.4 d(A)+d(C) > n.

An [n, k ] code which has a t-ECP over Fqmhas a decoding algorithm with complexity

O(

(nm)3)

.

R. Pellikaan

On decoding by error location and dependent sets of error positions.

Discrete Math., 106–107: 369–381 (1992).

R. Kotter.

A unified description of an error locating procedure for linear codes.

In Proceedings of Algebraic and Combinatorial Coding Theory, 113–117. Voneshta Voda (1992).







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


MOTIVATION

“At the heart of any public-key cryptosystem is a one-way function - a functiony = f (x) that is easy to evaluate but for which is computationally infeasible (one

hopes) to find the inverse x = f−1(y)”.

N. Koblitz, A. Menezes.

The brave new world of bodacious assumptions in cryptography.

Notices Amer. Math. Soc. 57(3), 357-365 (2010).

Let Ct the class of linear codes over Fq that have a t-ECP over an extension of Fq .

Ü This family have an efficient decoding algorithm⇒ they are appropriate forcode-based cryptography.

Ü Most families of codes used in code-based cryptography belongs to Ct .

(Like GRS codes, Goppa codes, AG codes ... )

Ü We proposed to use the subclass of Ct formed by those linear codes C whoseerror correcting pair is not easily reconstructed from C, i.e. we consider thefollowing one way function:

x = (A,B) 7−→ y = A ∗ B,

where (A,B) is a t-ECP.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


ALGORITHM TO FIND THE ERROR POSITIONS I

Let

C be an Fq -linear code of length n.

A and B be linear subspaces of Fnqm .

y ∈ Fnq be the received word with error vector e Ü y = c + e for some c ∈ C

Define:Ky = {a ∈ A | 〈y, a ∗ b〉 = 0, for all b ∈ B}

LEMMA 1:

If A ∗ B ⊆ C⊥ =⇒ Ky = Ke

Let J be a subset of {1, . . . , n}, define:

A(J) ={

a ∈ A | aj = 0, for all j ∈ J}

LEMMA 2:

If (A ∗ B) ⊥ C and I = supp(e) =⇒ A(I) ⊆ Ky .

Moreover, if d(B⊥) > wH (e) =⇒ A(I) = Ky

LEMMA 3:

If k(A) > t ≥ wH (e) and I = supp(e) =⇒ ∃a ∈ A(I) \ {0}







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


ALGORITHM TO FIND THE ERROR POSITIONS II

LEMMA 4:

If d(A) + d(C) > n =⇒ ∀a ∈ A : |J| = n − |supp(a)| ≤ d(C)− 1

Moreover, if d(B⊥) > t ≥ wH (e) =⇒ I = supp(e) ⊆ J

1 Compute:Ky = {a ∈ A | 〈y, a ∗ b〉 = 0, for all b ∈ B}

Find the zero space of a set of linear equations over Fqm

2 If Ky = 0 =⇒ The received word has more than t errors

Ü Else take a nonzero a ∈ Ky ⊆ A(I) and define J ={

j | aj = 0}

3 Find e ∈ Fnq by solving the following linear equation (which has a unique

solution):HxT = HyT such that xj = 0 for j ∈ J

Solve linear equations over Fq

Complexity: ∼ O(

(nm)3)







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


GENERALIZED REED-SOLOMON CODES

Let

a = (a1, . . . , an) be an n-tuple of mutually distinct elements of Fq .

b = (b1, . . . , bn) be an n-tuple of nonzero elements of Fq .

The GRS code GRSk (a, b) is defined by:

GRSk (a, b) ={

eva,b (f (X)) = (f (a1)b1, . . . , f (an)bn) | f ∈ Fq [X ] and deg(f ) < k}

PARAMETERS OF GRSk (a, b)

The GRSk (a, b) is an MDS code with parameters [n, k, n − k + 1].

Ü A generator matrix of GRSk (a, b) is given by

Ga,b =

b1 . . . bn

b1a1 . . . bnan...

. . ....

b1ak−11 . . . bnak−1

n

∈ Fk×nq







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


t -ECP FOR GRS

Note that: eva,b (f (X)) ∗ eva,c (g(X)) = eva,b (f (X)g(X)) ∗ c. Therefore:GRSk (a, b) ∗ GRSl (a, c) = GRSk+l−1(a, b ∗ c)

Let

A = GRSt+1(a, b1), B = GRSt (a, b2) and C = GRS2t (a, b1 ∗ b2)⊥

then (A,B) is a t-ECP for C.

Conversely, let C = GRSn−2t (a, b) then

A = GRSt+1(a, b′) and B = GRSt (a, 1)

is a t-ECP for C where b′ ∈ (Fq \ {0})n verifies that

C⊥ = GRSn−2t (a, b)⊥ = GRS2t (a, b′).

Moreover an [n, n − 2t, 2t + 1] code that has a t-ECP is a GRS code.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


GRS FOR CODE-BASED PKC

Ü The class of GRS codes was proposed by Niederreiter for code-based PKC.

Ü Sidelnikov and Shestakov introduced an algorithm that breaks the originalNiederreiter cryptosystem in polynomial time.

V. M. Sidelnikov and S. O. Shestakov.

On insecurity of cryptosystems based on generalized Reed-Solomon codes.

Discrete mathematics and Applications.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


SUBCODES

Ü Let:

D be a code that has (A,B) as t-ECP.C be a subcode of D

Ü Then (A,B) is also a t-ECP for C.

Ü The class of subcodes of GRS codes was proposed by Berger-Loidreau forcode-based PKC to resist Sidelnikov-Shestakov attack.

Ü For certain parameters, this proposal is not secure.

T. Berger and P. Loidreau.

How to mask the structure of codes for acryptographic use.Designs, Codes and Cryptography, 35:63–79, 2005.

I. Marquez-Corbella, E. Martınez-Moro and

R. Pellikaan.The non-gap sequence of a subcode of ageneralized Reed-Solomon code.Proceedings of the Seventh InternationalWorkshop on Coding and Cryptography,April 11-15, Paris, France, 183-193, 2011.

C. Wieschebrink.

An attack on the modified Niederreiterencryption scheme.In PKC 2006, Lecture Notes in ComputerScience, volume 3958, 14–26, Berlin, 2006.Springer.

C. Wieschebrink.

Cryptoanalysis of the Niederreiter public keyscheme based on GRS subcodes.In Post-Quantum Cryptography, LectureNotes in Computer Science, volume 6061,6–72, Berlin, 2010. Springer.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


ALGEBRAIC GEOMETRY CODES

Ü Let:

X be an algebraic curve of genus g defined over the finite field Fq ,P = (P1, . . . ,Pn) be an n-tuple of distinct Fq -rational points on XE be a divisor of X with supp(E) ∩ P = ∅ and deg(E) = m.

SPACE OF RATIONAL FUNCTIONS ASSOCIATED TO E

The space of rational functions associated to E is

L(E) = {f ∈ Fq(X ) | f = 0 or (f ) + E ≥ 0}

Ü Since supp(E) ∩ P = ∅ the following evaluation map is well defined:

evP : L(E) −→ Fnq

f 7−→ evP (f ) = (f (P1), . . . , f (Pn))

RIEMMAN-ROCH THEOREM

dim L(E) ≥ m + 1− g.

Furthermore if m > 2g − 2 then dim L(E) = m + 1− g.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


ALGEBRAIC GEOMETRY CODES

ALGEBRAIC GEOMETRY CODES (AG CODES)

The AG code associated to X , P = (P1, . . . ,Pn) and E is

CL(X ,P,E) = {evP (f ) | f ∈ L(E)}

THEOREM: PARAMETERS OF AN AG CODE

If n > m then CL(X ,P,E) is an [n, k, d ] code over Fq where

k ≥ m + 1− g and d ≥ n − m

Moreover, if m > 2g − 2 then k = m + 1− g.

Ü If {f1, . . . , fk} is a basis of L(E) then

G =

f1(P1) . . . f1(Pn)

......

fk (P1) . . . fk (Pn)

∈ Fk×nq

is a generator matrix of the code CL(X ,P,E)







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


t -ECP FOR AG CODES I

Let F and G be divisors of X . Then there is a well defined linear map:

L(E)⊗ L(G) −→ L(F + G)f ⊗ g 7−→ fg

Hence:

CL(X ,P, F ) ∗ CL(X ,P,G) ⊆ CL(X ,P, F + G)

Let C = CL(X ,P,E)⊥ and choose a divisor F with disjoint support from P ,then:

A = CL(X ,P,E) and B = CL(X ,P,E − F )

is a t-ECP for C.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


t -ECP FOR AG CODES II

PROPOSITION: [PELLIKAAN (1989)]

An AG code on a curve of genus g with designed minimum distance d has a t-ECPover Fq with

t =

⌊d − 1−g

2

⌋

PROPOSITION: [PELLIKAAN (1996)]

If m is sufficiently large then an AG code with designed minimum distance d has at-ECP over Fqm where

t =

⌊d − 1

2

⌋

Ü With ECPs we do not have a constructive decoding scheme

Ü BUT an Error-correcting array gives a decoding algorithm that decodes up to⌊d∗ − 1

2

⌋where d∗ = Feng-Rao designed minimum distance

with complexity O(

n3)

=⇒ Majority coset decoding







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


AG CODES FOR CODE-BASED PKC

Ü In 1996 Janwa and Moreno propose to use AG codes for the McEliececryptosystem.

Ü This system was broken for:

1 Codes on curves of genus g = 0 by the Sidelnikov-Shestakov attack.

GRS codes are Algebraic Geometry codes on the projective line.

2 Codes on curves of genus g ≤ 2 by Faure and Minder.3 VSAG are not secure for McEliece cryptosystem by

M-Martınez-Pellikaan-Ruano

VERY STRONG ALGEBRAIC-GEOMETRIC (VSAG) CODES

A code C has a VSAG representation if C = CL(X ,P,E) where the curve X hasgenus g, P consists of n points and E has degree m such that

2g + 2 < m < 12 n or 1

2 n + 2g − 2 < m < n − 4

C. Faure and L. Minder.

Cryptanalysis of the McEliece cryptosystem overhyperelliptic codes.Proceedings 11th Int. Workshop on Algebraic andCombinatorial Coding Theory, 2008.

H. Janwa and O. Moreno.

McEliece public crypto system usingalgebraic-geometric codes.Designs, Codes and Cryptography, 1996.

I. Marquez-Corbella, E. Martınez-Moro and

R. Pellikaan.On the unique representation of very strongalgebraic geometry codes.Designs, Codes and Cryptography, 2013.

I. Marquez-Corbella, E. Martınez-Moro,

R. Pellikaan and D. Ruano.Computational aspects of retrieving arepresentation of an algebraic geometry code.Submitted to Designs, Codes and Cryptography.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


ALTERNANT CODES

Let

a = (a1, . . . , an) be an n-tuple of mutually distinct elements of Fqm .

b = (b1, . . . , bn) be an n-tuple of nonzero elements of Fqm .

Ü GRSk (a, b) be the GRS code over Fqm of dimension k .

The alternant code Altr (a, b) is the Fq -linear restriction:

Altr (a, b) = Fnq ∩ (GRSr (a, b))⊥

PARAMETERS OF Altr (a, b)

The Altr (a, b) has parameters [n, k, d ]q with:

k ≥ n − mr and d ≥ r + 1

Every [n, k, d ] linear code with d ≥ 2 is an alternant code!







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


t -ECP FOR ALTERNANT CODES

Let C = Alt2t (a, b). Then:

d(C) ≥ 2t + 1 and C ⊆ (GRS2t+1(a, b))⊥

LetA = GRSt+1(a, 1), and B = GRSt (a, b)

then (A,B) is a t-ECP over Fqm for C.

No known structural attacks against code-base PKC using Alternant codes







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


GOPPA CODES

Let


g be a polynomial with coefficients in Fqm such that

g(aj ) 6= 0 for all j = 1, . . . , n

The Goppa code Γ(a, g) is the Fq -linear code defined by:

Γ(a, g) =

c ∈ Fnq |

n∑j=1

cj

X − aj≡ 0 mod g(X)

GOPPA CODES ARE ALTERNANT CODES

Let


g be a Goppa polynomial of degree r .

b = (b1, . . . , bn) be an n-tuple of nonzero elements of Fqm such that bj = 1g(aj )

Then: Γ(a, g) = Altr (a, b) =⇒ it has an⌊ r

2

⌋-ECP







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


BINARY GOPPA CODES

Let:

a = (a1, . . . , an) be an n-tuple of mutually distinct elements of F2m .

g be a Goppa polynomial with coefficients in F2m of degree r .

Ü And suppose moreover that g has no square factor.

Then:

1 Γ (a, g) = Γ(a, g2).

2 Γ (a, g) has parameters [n, k, d ] with

k ≥ n − mr and d ≥ 2r + 1

Γ(a, g) has an r -ECP







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


BCH CODES

Letn = qm − 1α be a primitive element of F∗qm

mi (X) be the minimal polynomial of αi

The primitive narrow-sense BCH code over Fq of length n and distance at least d isthe cyclic code with generator polynomial: g(X) = lcm (mi (X), . . . ,md−1(X))

BCH CODES ARE ALTERNANT CODES

Let

a = (a1, . . . , an) with ai = αi−1 for i = 1, . . . , n.

b = 1 ∈ Fnqm .

Then the BCH code with defining zeros Z = {0, 1, . . . , δ − 2} is: Altδ−1(a, b).

Ü ECP for cyclic codes were found beyond half the BCH bound by Duursma andKotter.

I. Duursma

Decoding codes from curves and cyclic codes.Ph.D thesis, Eindhoven University of Technology(1993)

I. Duursma, R. Kotter.

Error-locating pairs for cyclic codes.IEEE Trans. Inform. Theory, Vol.40, 1108–1121(1994)

R. Kotter.

On algebraic decoding of algebraic-geometric andcyclic codes.Ph.D thesis, Linkoping University of Technology(1996).







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


STRUCTURAL ATTACKS AGAINST CODE-BASED PKC I

GRS codes

V. M. Sidelnikov and S. O. Shestakov.

On insecurity of cryptosystems based on generalized Reed-Solomon codes.

Discrete mathematics and Applications.

Subcodes of GRS codes

I. Marquez-Corbella, E. Martınez-Moro

and R. Pellikaan.The non-gap sequence of a subcodeof a generalized Reed-Solomon code.Proceedings of the SeventhInternational Workshop on Coding andCryptography, April 11-15, Paris,France, 183-193, 2011.

C. Wieschebrink.

An attack on the modified Niederreiter encryption scheme.In PKC 2006, Lecture Notes in Computer Science,volume 3958, 14–26, Berlin, 2006. Springer.

C. Wieschebrink.

Cryptoanalysis of the Niederreiter public key schemebased on GRS subcodes.In Post-Quantum Cryptography, Lecture Notes in ComputerScience, volume 6061, 6–72, Berlin, 2010. Springer.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


STRUCTURAL ATTACKS AGAINST CODE-BASED PKC II

AG codes

C. Faure and L. Minder.

Cryptanalysis of the McEliececryptosystem over hyperelliptic codes.Proceedings 11th Int. Workshop onAlgebraic and Combinatorial CodingTheory, 2008.

I. Marquez-Corbella, E. Martınez-Moro and R. Pellikaan.

On the unique representation of very strong algebraicgeometry codes.Designs, Codes and Cryptography, 2013.

I. Marquez-Corbella, E. Martınez-Moro, R. Pellikaan and

D. Ruano.Computational aspects of retrieving a representation of analgebraic geometry code.Submitted to Designs, Codes and Cryptography.

Subfield subcodes of GRS codes = Alternant codes:OPEN







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


QUESTION:

Ü If a code has a t-ECP how difficult / easy is to retrieve such a pair?







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


REVERSE ENGINEERING AG CODES

LetX be an algebraic curve over Fq of genus g.E be a divisor of X with deg(E) = m and {f0, . . . , fr} be a basis of L(E).

We consider the following map:

ϕE : X −→ Pr (Fq)P 7−→ ϕE (P) = (f0(P), . . . , fr (P))

CURVES DEFINED BY QUADRATIC EQUATIONS

1 If m ≥ 2g + 2 then ϕE (X ) = Y is a normal curve in Pm−g which is theintersection of quadrics.

Ü In particular I(Y) is generated by I2(Y).

2 If m ≥ 2g + 1 then ϕE (X ) = Y is a normal curve in Pm−g which is theintersection of quadrics and cubics.

Ü In particular I(Y) is generated by I2(Y) and I3(Y).

D. Mumford.

Varieties defined by quadratic equations.Questions on algebraic varieties, C.I.M.E, IIICiclo, Varenna, 1969, pp. 29–100, EdizioniCremonese, Rome, 1970.

B. Saint-Donat.

Sur les equatons definissant une courbealgebrique.C. R. Acad. Sci. Paris Sr. A, volume 274, pp.487–489, 1972.

Id (Y)

Id (Y) is the ideal generated by the homogeneous elements of degree d in I(Y).







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


REVERSE ENGINEERING AG CODES II

Let

Y be an algebraic curve in Pr of degree m such that I(Y) = I2(Y).

Q be an n-tuples of points that lies on the curve Y (i.e. I(Y) ⊆ I(Q))

PROPOSITION: DUE TO BEZOUT-THEOREM

If n > 2m then,I2(Q) = I2(Y)







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


REVERSE ENGINEERING AG CODES III

Ü Let C be a k -dimensional subspace of Fn with basis {g1, . . . , gk}.

We denote:1 The second symmetric power of C by S2(C)

S2(C) has basis{

Xi Xj | 1 ≤ i ≤ j ≤ n}

and dimension(k+1

2

)2 The square code of C by 〈C ∗ C〉 or by C(2).

C(2) is the linear subspace in Fn generated by {a ∗ b | a, b ∈ C}.

Ü We consider the linear map:

σ : S2(C) −→ C(2)

Xi Xj 7−→ gi ∗ gj

We denote by K2(C) the kernel of this map, then

0 −→ K2(C) −→ S2(C) −→ C(2) −→ 0

is an exact sequence.And

I2(Q) =

∑1≤i≤j≤k

aij Xi Xj |∑

1≤i≤j≤k

aij(gi ∗ gj

)= 0

= K2(C)

PROPOSITION

Let Q be an n-tuple of points in Pr over F not in a hyperplane. Then the complexity ofthe computation of I2(Q) is at most O

(n2(r

2

)).







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


REVERSE ENGINEERING AG CODES IV

VERY STRONG ALGEBRAIC-GEOMETRIC (VSAG) CODES

A code C has a VSAG representation if C = CL(X ,P,E) where the curve X hasgenus g, P consists of n points and E has degree m such that

2g + 2 < m < 12 n or 1

2 n + 2g − 2 < m < n − 4

The dual of a VSAG code is again VSAG

Ü The dimension of such a code is k = m + 1− g. Thus the dimension satisfiesthe following bound:

g + 3 < k < 12 n − g + 1 or 1

2 n + g − 1 < k < n − g − 2

THEOREM

Let C be a VSAG code then a VSAG representation can be obtained from itsgenerator matrix.

Ü Moreover all VSAG representations of C are strict isomorphic.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


REVERSE ENGINEERING AG CODES V

Let C = CL (X ,P,E)⊥ be an AG code where

the curve X has genus g.

the divisor E has degree m such that 2g + 2 ≤ m < 12 n

Ü C is a VSAG code with d∗ = m − 2g + 1

Our goal: Construct ECP’S eluding the use of Riemann-Roch spaces!!

The attackers will use an equivalent representation (Y,Q, F ) of the same code C⊥,which is also VSAG.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


REVERSE ENGINEERING AG CODES V

Recall that: Let C = CL(Y,Q, F )⊥ be an AG code of genus g and designed mini-mum distance d∗ such that

m = deg(F ) > 2g − 2.

Then C has parameters [n,≥ n + g − m − 1,≥ m − 2g + 2].

Define A = CL(Y,Q, F − D) and B = CL(Y,Q,D)

Then < A ∗ B >⊆ C⊥. Moreover if

t =⌊

d∗−1−g2

⌋and deg(D) = t + g

then (A,B) is a t-ECP for C.

In particular we take D = (t + g)Q1 where Q1 is the first rational point of Q.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


REVERSE ENGINEERING AG CODES VI

Define:

Ü A0 = CL(Y,Q, F − (m − t − g)Q1).

Note that L(F − (m − t − g)Q1) ⊆ L(F ), thus A0 ⊆ C⊥ = CL(Y,Q, F )

A0 is the space of those codewords in C⊥ that are zero at the first positionof multiplicity m − t − g. This multiplicity can be controlled!!!

Ü B0 = 〈A ∗ C〉⊥

Note that B⊥0 ⊆ B⊥ so d(B⊥0 ) ≥ d(B⊥) > t

Thus (A0,B0) is a t-ECP for C.







MCELIECE PKC




SUBCODES

AG CODES

ALTERNANT CODES

GOPPA CODES

BCH CODES

CONCLUSIONS


THANK YOU FOR YOUR ATTENTION!

error-correcting pairs and arrays from algebraic geometry

Documents