Code-Based Cryptography - Error-Correcting Codes and … · 2015-06-29 · The Syndrome Decoding...
Code-Based Cryptography
Error-Correcting Codes and Cryptography
I. Márquez-Corbella

1. Error-Correcting Codes and Cryptography
   1. Introduction I - Cryptography
   2. Introduction II - Coding Theory
   3. Encoding (Linear Transformation)
   4. Parity Checking
   5. Error Correcting Capacity
   6. Decoding (A Difficult Problem)
   7. Reed-Solomon Codes
   8. Goppa Codes
   9. McEliece Cryptosystem

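Decoder

Received space: $y = mG + e \in \mathbb{F}_q^n$, where $mG$ is a valid codeword (in $C$), $G$ is the encoding matrix and $e$ is the noise.

The DECODER maps the received space back to the message space, $m \in \mathbb{F}_q^k$:

$$\text{Decoder}(\underbrace{\text{Encoder}(\text{Message})}_{\text{codeword}} + \text{Noise}) = \text{Message}$$
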
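Minimum Distance Decoding (MDD)

Message $m \in \mathbb{F}_q^k$ (length $k$) times encoding matrix $G \in \mathbb{F}_q^{k \times n}$, plus noise $e \in \mathbb{F}_q^n$ (length $n$), equals the received vector $y = mG + e$ (length $n$).

Instances:
• A matrix $G \in \mathbb{F}_q^{k \times n}$ (generator matrix for $C$)
• A received vector $y \in \mathbb{F}_q^n$

Output:
(Search - MDD): Find $m \in \mathbb{F}_q^k$ to minimize $d_H(y, mG)$
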
Brute Force

First idea: Brute Force. Compute the Hamming distance of the received word with all codewords.

1. Enumerate all codewords of $C$.
2. If $y$ is the received word, compute the Hamming distance $d_H(c, y)$, $\forall c \in C$.
3. Return the codeword that minimizes $d_H$.

Let $y$ be the received word and $c_1, c_2, \dots, c_N$ the codewords, with $N = q^k$. Compute $d_H(c_1, y), d_H(c_2, y), \dots, d_H(c_N, y)$.
Return: $c_i$ such that $d_H(c_i, y)$ is minimized.

The complexity is $O(n q^k)$.

Syndrome

Let $C$ be an $[n, k]_q$ code with parity check matrix $H$:

$$c \in C \implies Hc^T = 0$$

Syndrome of a vector
The syndrome of a vector $x \in \mathbb{F}_q^n$ is the vector $S(x) = Hx^T \in \mathbb{F}_q^{n-k}$.

Write $y = c + e$, where $y$ is the received word, $c$ the sent codeword and $e$ the error vector. Then

$$Hy^T = H(c + e)^T = \underbrace{Hc^T}_{=0} + He^T = He^T$$

Syndrome Decoding - Lookup table

Suppose we want to correct all patterns of ≤ $t$ errors.

1. Precompute the syndromes corresponding to 0, 1, …, $t$ errors.
   Number of syndromes to pre-compute and store:

$$\binom{n}{0} + (q-1)\binom{n}{1} + (q-1)^2\binom{n}{2} + \dots + (q-1)^t\binom{n}{t}$$

2. Compute the syndrome of the received word $S(y)$.
   • If there exists $e \in \mathbb{F}_q^n$ with $w_H(e) \le t$ : $S(e) = S(y)$ $\implies$ Return: $y - e$
   • Otherwise $\implies$ Return: FAILURE

Let $y$ be the received word and let the table hold $S(e_1) = S_1, S(e_2) = S_2, \dots, S(e_N) = S_N$.
If $S_i = S(y)$, Return: $y - e_i$

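The brute-force MDD search and the syndrome lookup table side by side, as an added example that is not part of the original slides. The binary $[6,3]$ code with minimum distance 3, its matrices `G` and `H`, and all function names are constructed for illustration.

```python
from itertools import combinations, product
from math import comb

# Constructed toy binary [6,3] code with minimum distance 3 (not from the slides).
# G = [I | A] and H = [A^T | I], so G * H^T = 0 over F_2.
G = [
    [1, 0, 0, 0, 1, 1],
    [0, 1, 0, 1, 0, 1],
    [0, 0, 1, 1, 1, 0],
]
H = [
    [0, 1, 1, 1, 0, 0],
    [1, 0, 1, 0, 1, 0],
    [1, 1, 0, 0, 0, 1],
]
K, N = len(G), len(G[0])


def encode(m):
    """c = mG over F_2."""
    return tuple(sum(m[i] * G[i][j] for i in range(K)) % 2 for j in range(N))


def syndrome(x):
    """S(x) = H x^T over F_2; it depends only on the error, not on the codeword."""
    return tuple(sum(h * xi for h, xi in zip(row, x)) % 2 for row in H)


def hamming_distance(a, b):
    return sum(ai != bi for ai, bi in zip(a, b))


def mdd_brute_force(y):
    """Search-MDD: try all q^k messages, O(n q^k) work."""
    return min(product((0, 1), repeat=K),
               key=lambda m: hamming_distance(encode(m), y))


def build_syndrome_table(t):
    """Map S(e) -> e for every error pattern of weight <= t.

    Patterns are enumerated by increasing weight, so when two patterns
    share a syndrome the lightest one is kept.
    Returns (table, number_of_patterns_enumerated).
    """
    table, patterns = {}, 0
    for weight in range(t + 1):
        for support in combinations(range(N), weight):
            e = tuple(1 if j in support else 0 for j in range(N))
            table.setdefault(syndrome(e), e)
            patterns += 1
    return table, patterns


def syndrome_decode(y, table):
    """Return the corrected codeword y - e, or None for FAILURE."""
    e = table.get(syndrome(y))
    if e is None:
        return None
    return tuple((yi - ei) % 2 for yi, ei in zip(y, e))


def flip(word, positions):
    """Add a binary error with the given support to a word."""
    return tuple(b ^ 1 if j in positions else b for j, b in enumerate(word))


if __name__ == "__main__":
    table, patterns = build_syndrome_table(t=1)
    m = (1, 0, 1)
    c = encode(m)
    y1 = flip(c, {4})       # one error: within the correcting capacity
    y2 = flip(c, {0, 3})    # two errors: this syndrome is not in the t=1 table
    print("patterns:", patterns, "formula:", sum(comb(N, i) for i in range(2)))
    print("MDD message :", mdd_brute_force(y1))
    print("table decode:", syndrome_decode(y1, table) == c)
    print("two errors  :", syndrome_decode(y2, table))
```

Building the table with `t=2` enumerates 22 patterns but stores only 8 distinct syndromes: past the correcting capacity of the code, several error patterns share a syndrome and the lookup can no longer tell them apart.
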
Gilbert-Varshamov bound

GV bound

$$\sum_{i=0}^{d-2} (q-1)^i \binom{n-1}{i} < q^{n-k} \implies \text{Exists an } [n, k, d]_q \text{ code}$$

Proof:
Let $H \in \mathbb{F}_q^{(n-k) \times n}$ be a parity check matrix of $C$.
Every $d - 1$ columns of $H$ are linearly independent.
We construct by induction the columns $h_1, \dots, h_n \in \mathbb{F}_q^{n-k}$ of $H$.

Proof (Part II)

We choose:
• $h_1 \in \mathbb{F}_q^{n-k}$ any nonzero vector
• $h_2 \in \mathbb{F}_q^{n-k}$ any vector that is NOT a multiple of $h_1$
• …
• $h_j \in \mathbb{F}_q^{n-k}$ any vector that is NOT a linear combination (LC) of ≤ $(d - 2)$ of $\{h_1, \dots, h_{j-1}\}$

Let $j < n$. Exists $h_{j+1}$ with the above property if:

$$\underbrace{\sum_{i=0}^{d-2} \binom{j}{i} (q-1)^i}_{\text{number of LC of } \le (d-2) \text{ of } \{h_1, \dots, h_j\}} \le \underbrace{q^{n-k} - 1}_{\text{total number of vectors in } \mathbb{F}_q^{n-k} \text{ but one}}$$

Since $j \le n - 1$, the left-hand side is at most $\sum_{i=0}^{d-2} \binom{n-1}{i} (q-1)^i$, which is the sum in the GV bound.

Gilbert-Varshamov (GV) distance

The GV distance of an $[n, k]_q$ code is the maximal integer $d_0$ such that:

$$\sum_{i=0}^{d_0 - 1} \binom{n}{i} (q-1)^i \le q^{n-k}$$

Number of codewords of a given weight

$A_w(C) = |\{c \in C \mid w_H(c) = w\}|$: distinct codewords in $C$ of weight exactly $w$.

In a binary random code:

$$E[A_w(C)] = \binom{n}{w} \frac{|C|}{2^n} = \frac{\binom{n}{w}}{2^{n-k}}$$

On average:
Exists $c \in C$ with $w_H(c) = w$ $\iff$ $\binom{n}{w} > 2^{n-k}$ $\iff$ $w$ is close to the GV distance

The Syndrome Decoding (SD) problem

Input:
• A matrix $H \in \mathbb{F}_2^{(n-k) \times n}$
• A syndrome $s \in \mathbb{F}_2^{n-k}$
• A weight $w \in \mathbb{Z}$

Output:
• (Decision): Does $e \in \mathbb{F}_2^n$ of $w_H(e) \le w$ such that $eH^T = s$ exist? NP-complete
• (Computational): Find $e \in \mathbb{F}_2^n$ of $w_H(e) \le w$ such that $eH^T = s$. NP-hard

[Diagram: the $(n-k) \times n$ matrix $H$ times $e$ equals $s$.]

E. R. Berlekamp, R. J. McEliece and H. C. A. van Tilborg. On the Inherent Intractability of Certain Coding Problems. IEEE Trans. Inf. Theory, Vol. 24, pp. 384-386, 1978.
A. Barg. Complexity Issues in Coding Theory. Chapter 7, in Handbook of Coding Theory, 1998.

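General Decoding

Input:
• A parity-check matrix $H \in \mathbb{F}_2^{(n-k) \times n}$
• A generator matrix $G \in \mathbb{F}_2^{k \times n}$
• A received vector $y \in \mathbb{F}_2^{n}$
• A weight $w \in \mathbb{Z}$

SD: Find $e \in \mathbb{F}_2^n$ of $w_H(e) \le w$ such that $eH^T = yH^T = s$

MDD: Find $m \in \mathbb{F}_2^k$ such that $w_H(y - mG) \le w$

[Diagrams: the $(n-k) \times n$ matrix $H$ times $e$ equals $s$; $m$ (length $k$) times the $k \times n$ matrix $G$, minus $y$ (length $n$), equals $e$ (length $n$).]
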
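Computational Analysis of Syndrome Decoding

Case $w = \frac{n-k}{2}$ (possibly after permuting some columns): identity block $\begin{pmatrix} 1 & & 0 \\ & \ddots & \\ 0 & & 1 \end{pmatrix}$

On average:
Exists $c \in C$ with $w_H(c) = w$ $\iff$ $\binom{n}{w} > 2^{n-k}$ $\iff$ $w$ is close to the GV distance

[Figure: cost (log) of ISD for binary codes, plotted against $w$; axis marks at 0, $d_{GV}$ and $\frac{n-k}{2}$; labels "one solution", "many solutions" and "Linear".]
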
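The GV distance and the growth in the number of SD solutions can be checked numerically. This added example (not from the slides) computes $d_0$ from the definition of the GV distance and counts, by exhaustive search, the solutions of one SD instance as $w$ grows; the random systematic $H$, the parameters $n = 16$, $k = 8$, the seed and all function names are assumptions.

```python
import random
from itertools import combinations
from math import comb


def gv_distance(n, k, q=2):
    """Largest d0 with sum_{i=0}^{d0-1} C(n, i) (q-1)^i <= q^(n-k)."""
    total, d0 = 0, 0
    while d0 <= n:
        total += comb(n, d0) * (q - 1) ** d0   # add the term i = d0
        if total > q ** (n - k):
            break
        d0 += 1
    return d0


def expected_weight_count(n, k, w):
    """E[A_w(C)] = C(n, w) / 2^(n-k) for a binary random [n, k] code."""
    return comb(n, w) / 2 ** (n - k)


def random_systematic_H(n, k, rng):
    """Columns of H = [R | I_{n-k}] as integers; the identity block gives full rank."""
    r = n - k
    return [rng.getrandbits(r) for _ in range(k)] + [1 << i for i in range(r)]


def syndrome(cols, support):
    """e H^T for the binary vector e with the given support."""
    s = 0
    for j in support:
        s ^= cols[j]
    return s


def sd_solutions(cols, s, w):
    """Computational SD by exhaustive search.

    Returns the supports of all e with w_H(e) <= w and e H^T = s.
    The cost grows like sum_{i<=w} C(n, i), so this is for toy sizes only.
    """
    n = len(cols)
    return [supp for weight in range(w + 1)
            for supp in combinations(range(n), weight)
            if syndrome(cols, supp) == s]


def solutions_by_weight(n=16, k=8, seed=1):
    """Plant a weight-2 error, then count SD solutions for growing w."""
    rng = random.Random(seed)
    cols = random_systematic_H(n, k, rng)
    planted = tuple(sorted(rng.sample(range(n), 2)))
    s = syndrome(cols, planted)
    counts = {w: len(sd_solutions(cols, s, w)) for w in (2, 3, 5, n)}
    return cols, planted, s, counts


if __name__ == "__main__":
    n, k = 16, 8
    cols, planted, s, counts = solutions_by_weight(n, k)
    print("GV distance d0 =", gv_distance(n, k))
    for w, found in counts.items():
        expected = sum(expected_weight_count(n, k, i) for i in range(w + 1))
        print(f"w <= {w:2d}: {found:3d} solutions found, "
              f"{expected:7.2f} expected for a random syndrome")
```

With $w = n$ every vector of the coset is a solution, so the count is exactly $2^k$; for $w$ below the GV distance the planted error is typically the only one.
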
Trapdoor one-way functions - Decoder

EASY: Encoder = Matrix Multiplication
Message · Linear Encoder = Codeword

HARD: Decoding is NP-complete
E. R. Berlekamp, R. J. McEliece and H. C. A. van Tilborg. On the Inherent Intractability of Certain Coding Problems. IEEE Trans. Inf. Theory, Vol. 24, pp. 384-386, 1978.
A. Barg. Complexity Issues in Coding Theory. Chapter 7, in Handbook of Coding Theory, 1998.

EASY (with TRAPDOOR information): Efficient decoder for certain families of codes