Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes
Magali Bardet (1), Julia Chaulet (2), Vlad Dragoi (1),
Ayoub Otmani (1), Jean-Pierre Tillich (2)
(1) Normandie Univ, France; UR, LITIS, F-76821 Mont-Saint-Aignan, France.
(2) Inria, SECRET Project, 78153 Le Chesnay Cedex, France.
PQCrypto 2016
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 1/24
Introduction
McEliece Public-Key Encryption Scheme ('78)
1. Based on linear codes equipped with an efficient decoding algorithm
   Public key = random basis
   Private key = decoding algorithm
2. McEliece proposed binary Goppa codes
Introduction: Textbook McEliece encryption scheme
Key Generation step:
1. Pick a $k \times n$ generator matrix $G$ for $C$ (a $t$-error-correcting code with a low complexity decoding algorithm)
2. Randomly pick an $n \times n$ permutation matrix $P$ and a $k \times k$ invertible matrix $S$
3. Private key = $(S, G, P)$ and public key = $(G_{pub}, t)$ with
   $G_{pub} = SGP$
Introduction: Textbook McEliece encryption scheme
Encryption
For $m \in \mathbb{F}_q^k$,
1. Generate randomly $e \in \mathbb{F}_q^n$ of Hamming weight $t$
2. Ciphertext $c = mG_{pub} + e$
Decryption
1. Compute $z = cP^{-1}$, so that $z = mSG + eP^{-1}$
2. Compute $y = \mathrm{Decode}_G(z)$, so that $y = mS$
3. Return $m' = yS^{-1}$, so that $m' = m$
Motivations: Arguments for Polar Codes
Polar codes represent a powerful family of codes
1. They achieve the capacity of any memoryless channel.
2. They can be decoded with a low complexity algorithm – the successive cancellation decoder by Arikan (2009).
3. Polar codes do not seem to be very structured.
Shrestha and Kim proposed in 2014 a McEliece PKC using Polar Codes.
Our main contribution: find the permutation $P$.
Definitions: Polar Codes and Reed-Muller Codes
$G_m \stackrel{\text{def}}{=} \underbrace{\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix} \otimes \cdots \otimes \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}}_{m \text{ times}}.$
Definition
The polar code of length $n = 2^m$ and dimension $k$ is obtained by choosing a specific subset of $k$ rows of $G_m$.
The $r$-th order Reed-Muller code $R(r, m)$ is obtained by choosing all the rows of $G_m$ with Hamming weight greater than or equal to $2^{m-r}$.
Polar Codes
We build the generator matrix
$G_1 = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$
for $m = 2$ we have:
$G_2 = \begin{pmatrix} G_1 & 0 \\ G_1 & G_1 \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 \\ 1 & 0 & 1 & 0 \\ 1 & 1 & 1 & 1 \end{pmatrix}$
Polar Codes
for $m = 3$ we have:
$G_3 = \begin{pmatrix} G_1 & 0 & 0 & 0 \\ G_1 & G_1 & 0 & 0 \\ G_1 & 0 & G_1 & 0 \\ G_1 & G_1 & G_1 & G_1 \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 1 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 \\ 1 & 0 & 1 & 0 & 1 & 0 & 1 & 0 \\ 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \end{pmatrix}$
The Polar Code $[2^3, 5, 2]$
The first order Reed-Muller Code $R(1,3)$ ($[2^3, 4, 4]$)
Motivations
The purpose is to find the permutation $P$
1. General method – Support Splitting Algorithm by Sendrier 2000.
   1. Small permutation group (leaves the code invariant)
   2. Small dimension hull $= C \cap C^{\perp}$
2. Try to adapt the Minder and Shokrollahi attack (Reed-Muller codes) to Polar Codes.
Polar codes are neither vulnerable to the SSA attack nor to the Minder and Shokrollahi attack.
What is the permutation group of Polar Codes?
Monomial Codes
The ambient space is the polynomial ring:
$R_2[x_0, \ldots, x_{m-1}] = \mathbb{F}_2[x_0, \ldots, x_{m-1}] / (x_0^2 - x_0, \ldots, x_{m-1}^2 - x_{m-1})$
For any $g \in R_2[x_0, \ldots, x_{m-1}]$ we naturally associate the evaluation over all elements in $\mathbb{F}_2^m$:
$\mathrm{ev}(g) = \big( g(u_0, \ldots, u_{m-1}) \big)_{(u_0, \ldots, u_{m-1}) \in \mathbb{F}_2^m}$
Let $\mathcal{M}$ denote the set of all monomials
$\mathcal{M} \stackrel{\text{def}}{=} \{ 1, x_0, \ldots, x_{m-1}, x_0 x_1, \ldots, x_0 \cdots x_{m-1} \}.$
Monomial Codes: Polar and Reed-Muller Codes
Example for $m = 3$. Consider $G_3$ and all the elements of $\mathbb{F}_2^3$ (each column is the point $(u_2, u_1, u_0)$ at which the monomial $g$ is evaluated):

g        | 111 110 101 100 011 010 001 000
---------+--------------------------------
x2x1x0   |  1   0   0   0   0   0   0   0
x2x1     |  1   1   0   0   0   0   0   0
x2x0     |  1   0   1   0   0   0   0   0
x2       |  1   1   1   1   0   0   0   0
x1x0     |  1   0   0   0   1   0   0   0
x1       |  1   1   0   0   1   1   0   0
x0       |  1   0   1   0   1   0   1   0
1        |  1   1   1   1   1   1   1   1

The $[2^3, 5, 2]$ Polar Code.
The $[2^3, 4, 4]$ Reed-Muller Code, or $R(1,3)$.
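As an added worked example (not code from the slides), the following Python builds $G_m$ as the $m$-fold Kronecker product, checks that row $i$ of $G_m$ is exactly $\mathrm{ev}$ of the monomial $\prod_{j : \text{bit } j \text{ of } i = 0} x_j$ under the column convention of the table above, recovers $R(1,3)$ by the weight rule and brute-forces $[n, k, d]$. The five-row selection $\{x_1x_0, x_2, x_1, x_0, 1\}$ is an assumed choice with the slide's parameters $[8, 5, 2]$, not the rows highlighted on the slide.

```python
def kron(a, b):
    """Kronecker product of two 0/1 matrices given as lists of rows."""
    return [[x & y for x in ra for y in rb] for ra in a for rb in b]


def polar_base_matrix(m):
    """G_m = G_1 (x) ... (x) G_1 (m times), with G_1 = [[1, 0], [1, 1]]."""
    g1 = [[1, 0], [1, 1]]
    g = g1
    for _ in range(m - 1):
        g = kron(g, g1)
    return g


def ev(monomial, m):
    """ev(g) for a monomial given as a set of variable indices.
    Columns list the points u of F_2^m from (1,..,1) down to (0,..,0), bit j of the
    integer u being the value of x_j: this is the column order of the table above."""
    n = 1 << m
    return [int(all((u >> j) & 1 for j in monomial)) for u in range(n - 1, -1, -1)]


def monomial_of_row(i, m):
    """Row i of G_m evaluates the product of the x_j such that bit j of i is 0."""
    return frozenset(j for j in range(m) if not (i >> j) & 1)


def rows_are_monomial_evaluations(m):
    """Check 'row i of G_m == ev(monomial_of_row(i))' for every row of G_m."""
    g = polar_base_matrix(m)
    return all(g[i] == ev(monomial_of_row(i, m), m) for i in range(1 << m))


def reed_muller_rows(r, m):
    """R(r, m): indices of the rows of G_m of Hamming weight >= 2^(m - r)."""
    return [i for i, row in enumerate(polar_base_matrix(m)) if sum(row) >= 1 << (m - r)]


def monomial_code(monomials, m):
    """Generator rows of the monomial code C(I), I given as sets of variable indices."""
    return [ev(g, m) for g in monomials]


def code_parameters(rows):
    """Brute-force [n, k, d] of the binary code spanned by rows (small codes only)."""
    n = len(rows[0])
    words = {(0,) * n}
    for r in rows:
        words |= {tuple(a ^ b for a, b in zip(w, r)) for w in words}
    k = len(words).bit_length() - 1      # the span has exactly 2^k elements
    d = min(sum(w) for w in words if any(w))
    return n, k, d


if __name__ == "__main__":
    g3 = polar_base_matrix(3)
    for i, row in enumerate(g3):
        name = "".join(f"x{j}" for j in sorted(monomial_of_row(i, 3), reverse=True)) or "1"
        print(f"{name:8s}", *row)
    rm13 = reed_muller_rows(1, 3)
    print("R(1,3) rows", rm13, "->", code_parameters([g3[i] for i in rm13]))
    # Assumed 5-row selection {x1x0, x2, x1, x0, 1} (a decreasing set, see the next
    # slides); it has the slide's parameters [8, 5, 2].
    print("C({x1x0,x2,x1,x0,1}) ->", code_parameters(monomial_code([{1, 0}, {2}, {1}, {0}, set()], 3)))
```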
Decreasing Monomial Codes
Definition (Monomial order)
The monomials of the same degree are ordered as
$x_{i_1} \cdots x_{i_s} \preceq x_{j_1} \cdots x_{j_s}$ if and only if for any $\ell \in \{1, \ldots, s\}$, $i_\ell \le j_\ell$,
where we assume that $i_1 > \cdots > i_s$ and $j_1 > \cdots > j_s$.
This order is extended to other monomials through divisibility, namely: $f \preceq g$ if and only if there is a divisor $g^*$ of $g$ such that $f \preceq g^*$.
Decreasing Monomial Code
[Figure: Hasse diagram of the monomial order $\preceq$ for $m = 4$; its nodes are the 16 monomials $1, x_0, x_1, x_2, x_1x_0, x_3, x_2x_0, x_3x_0, x_2x_1, x_3x_1, x_2x_1x_0, x_3x_2, x_3x_1x_0, x_3x_2x_0, x_3x_2x_1, x_3x_2x_1x_0$.]
Fact
$\forall g \in \mathcal{M}$ with $\deg(g) \ge r$ we have $x_{r-1} \cdots x_0 \preceq g$.
Decreasing Monomial Codes
Definition (Decreasing set)
A set $I \subseteq \mathcal{M}$ is decreasing if and only if
$f \in I$ and $g \preceq f \implies g \in I$.
Definition (Decreasing monomial codes)
The linear code defined by a set $I$ of polynomials is $C(I) = \{ \mathrm{ev}(f) \mid f \in I \}$, i.e. the linear code generated by these evaluation vectors.
1. When $I \subseteq \mathcal{M}$, $C(I)$ is a monomial code.
2. When $I \subseteq \mathcal{M}$ is a decreasing set, $C(I)$ is a decreasing monomial code.
Decreasing Monomial Codes: Main Properties
Theorem (Bardet et al. 2016)
Polar Codes are Decreasing Monomial Codes.
Proposition
The dual of a Decreasing Monomial Code is a Decreasing Monomial Code.
Polar Codes with rate (sufficiently) smaller than $1/2$ are weakly self-dual: $C \subset C^{\perp}$.
Decreasing Monomial Codes: Permutation Group
Let $A$ be a lower triangular binary matrix with 1's on the diagonal and $b$ be an arbitrary element in $\mathbb{F}_2^m$.
For $m = 5$ (where $*$ denotes an arbitrary bit):
$A = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 \\ * & 1 & 0 & 0 & 0 \\ * & * & 1 & 0 & 0 \\ * & * & * & 1 & 0 \\ * & * & * & * & 1 \end{pmatrix}, \qquad b = \begin{pmatrix} b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \end{pmatrix}.$
We define the lower triangular affine group $\mathrm{LTA}_m$ as the set of affine transformations of the form
$x \mapsto Ax + b$
Decreasing Monomial Codes: Permutation Group
The image of a variable $x_i$ is:
$x_i' = x_i + \sum_{j=0}^{i-1} a_{ij} x_j + b_i.$
Theorem
$\mathrm{LTA}_m$ is included in the permutation group of a decreasing monomial code.
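As an added example (not the authors' code), the following Python implements the order $\preceq$ exactly as defined above, checks the Fact for $m = 4$, and tests the theorem empirically: every one of the $2^{m(m-1)/2 + m}$ elements $x \mapsto Ax + b$ of $\mathrm{LTA}_m$, acting on the coordinates of $\mathbb{F}_2^m$, leaves a decreasing monomial code invariant, while the assumed non-decreasing set $I = \{x_2x_1, x_2, x_1, x_0, 1\}$ is moved by the single shear $x_1 \mapsto x_1 + x_0$. The decreasing set $\{x_1x_0, x_2x_0, x_3, x_2, x_1, x_0, 1\}$ for $m = 4$ is likewise an assumed test input.

```python
from itertools import combinations, product


def all_monomials(m):
    """The set M of all monomials in x_0..x_{m-1}, each as a frozenset of variable indices."""
    return [frozenset(s) for d in range(m + 1) for s in combinations(range(m), d)]


def precedes(f, g):
    """f ≼ g. Same degree: compare the index sequences sorted decreasingly, position by
    position; lower degree: f ≼ some divisor g* of g of the same degree as f."""
    if len(f) > len(g):
        return False
    if len(f) == len(g):
        return all(i <= j for i, j in zip(sorted(f, reverse=True), sorted(g, reverse=True)))
    return any(precedes(f, frozenset(d)) for d in combinations(g, len(f)))


def is_decreasing(I, m):
    """I ⊆ M is decreasing iff f ∈ I and g ≼ f imply g ∈ I."""
    I = {frozenset(f) for f in I}
    return all(g in I for f in I for g in all_monomials(m) if precedes(g, f))


def fact_holds(m, r):
    """The slide's Fact: for every g ∈ M with deg(g) >= r, x_{r-1}...x_0 ≼ g."""
    smallest = frozenset(range(r))
    return all(precedes(smallest, g) for g in all_monomials(m) if len(g) >= r)


def ev(monomial, m):
    """Evaluation vector; column c holds the point u = 2^m - 1 - c (bit j of u is x_j)."""
    n = 1 << m
    return [int(all((u >> j) & 1 for j in monomial)) for u in range(n - 1, -1, -1)]


def lta_image(A, b, u, m):
    """Image of the point u under x -> Ax + b (A lower triangular, unit diagonal)."""
    v = 0
    for i in range(m):
        bit = b[i]
        for j in range(i + 1):
            bit ^= A[i][j] & (u >> j) & 1
        v |= bit << i
    return v


def permute_rows(rows, A, b, m):
    """Coordinate permutation induced by (A, b): entry c becomes the entry at the point Au+b."""
    n = 1 << m
    return [[row[n - 1 - lta_image(A, b, n - 1 - c, m)] for c in range(n)] for row in rows]


def reduced_basis(rows):
    """Canonical (fully reduced) basis of the F_2 row space, rows handled as int bitmasks."""
    basis = []
    for row in rows:
        v = int("".join(map(str, row)), 2)
        for x in basis:
            v = min(v, v ^ x)                              # clear the leading bit of x from v
        if v:
            basis = [min(x, x ^ v) for x in basis] + [v]   # keep every vector reduced
    return sorted(basis)


def is_invariant(I, A, b, m):
    """Is C(I) equal to its image under the permutation induced by (A, b)?"""
    rows = [ev(g, m) for g in I]
    return reduced_basis(rows) == reduced_basis(permute_rows(rows, A, b, m))


def lta_elements(m):
    """Every (A, b) of LTA_m: 2^(m(m-1)/2) choices of A times 2^m choices of b."""
    below = [(i, j) for i in range(m) for j in range(i)]
    for bits in product((0, 1), repeat=len(below)):
        A = [[int(i == j) for j in range(m)] for i in range(m)]
        for (i, j), bit in zip(below, bits):
            A[i][j] = bit
        for b in product((0, 1), repeat=m):
            yield A, list(b)


def invariant_under_lta(I, m):
    """Empirical check of the theorem: every element of LTA_m leaves C(I) invariant."""
    return all(is_invariant(I, A, b, m) for A, b in lta_elements(m))


if __name__ == "__main__":
    decreasing = [{1, 0}, {2, 0}, {3}, {2}, {1}, {0}, set()]   # m = 4, assumed decreasing set
    not_decreasing = [{2, 1}, {2}, {1}, {0}, set()]            # m = 3, x1x0 and x2x0 missing
    print("Fact for m=4:", all(fact_holds(4, r) for r in range(5)))
    print("decreasing?", is_decreasing(decreasing, 4), is_decreasing(not_decreasing, 3))
    print("all 1024 elements of LTA_4 fix C(I):", invariant_under_lta(decreasing, 4))
    shear = [[1, 0, 0], [1, 1, 0], [0, 0, 1]]                  # x1 -> x1 + x0, b = 0
    print("non-decreasing code moved:", not is_invariant(not_decreasing, shear, [0, 0, 0], 3))
```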
Cryptanalysis of Polar Codes: Tools and Techniques
Puncturing and shortening a code
$\mathcal{P}_J(C) \stackrel{\text{def}}{=} \{ (c_i)_{i \notin J} \mid c \in C \};$
$\mathcal{S}_J(C) \stackrel{\text{def}}{=} \{ (c_i)_{i \notin J} \mid \exists c = (c_i)_i \in C \text{ such that } \forall i \in J,\ c_i = 0 \}.$
Cryptanalysis of Polar Codes: Tools and Techniques
Definition (Signature)
Let $\mathcal{G}$ be a subgroup of permutations of $C$ (a linear code of length $n$) and $W$ be a subset of $C$ globally invariant under $\mathcal{G}$.
$\Sigma(c, C)$ is a signature of $c$ if and only if
(i) $\Sigma(c, C) = \Sigma(c^\pi, C^\pi)$ for $\pi$ from $S_n$ (i.e. $\Sigma$ is invariant by permutation),
(ii) $\Sigma(c, C) \ne \Sigma(c', C)$ if $c$ and $c'$ both belong to $W$ but are not in the same orbit under $\mathcal{G}$ (i.e. $\Sigma$ takes distinct values for each orbit).
Cryptanalysis of Polar Codes: Tools and Techniques
Facts
Let $C(I)$ be a decreasing monomial code and $I_r \ne \emptyset$ be the set of maximum degree monomials. Recall that $x_{r-1} \cdots x_0 \in I_r$.
$\mathcal{O}_{x_{r-1} \cdots x_0} = \Big\{ \prod_{i=0}^{r-1} (x_i + b_i) \Big\}$
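As an added example (not the authors' code), the following Python implements $\mathcal{P}_J$, $\mathcal{S}_J$ and the signature $\Sigma_c = (\mathrm{Dim}(\mathcal{S}_{supp(c)}(C)^\perp),\ W_{min}(\mathcal{S}_{supp(c)}(C)^\perp))$ by brute force on the assumed $[8,5,2]$ decreasing monomial code $I = \{x_1x_0, x_2, x_1, x_0, 1\}$ (so $r = 2$ and $I_r = \{x_1x_0\}$), and checks the two facts above on it: the four minimum weight codewords are exactly the orbit $\mathcal{O}_{x_1x_0} = \{(x_1 + b_1)(x_0 + b_0)\}$ and share one signature, and property (i) holds under an arbitrary coordinate permutation.

```python
import random
from itertools import product

M = 3
N = 1 << M


def ev(monomial):
    """Evaluation vector over F_2^3; column c holds the point u = 7 - c (bit j of u is x_j)."""
    return tuple(int(all((u >> j) & 1 for j in monomial)) for u in range(N - 1, -1, -1))


def span(rows):
    """All codewords of the binary code generated by rows (brute force, small codes only)."""
    words = {(0,) * len(rows[0])}
    for r in rows:
        words |= {tuple(a ^ b for a, b in zip(w, r)) for w in words}
    return words


def dual(words, n):
    """C^⊥ by exhaustive search over F_2^n (n <= 8 here)."""
    return {v for v in product((0, 1), repeat=n)
            if all(sum(a & b for a, b in zip(v, w)) % 2 == 0 for w in words)}


def puncture(words, J):
    """P_J(C): delete the coordinates in J."""
    return {tuple(w[i] for i in range(len(w)) if i not in J) for w in words}


def shorten(words, J):
    """S_J(C): keep the codewords vanishing on J, then delete the coordinates in J."""
    return {tuple(w[i] for i in range(len(w)) if i not in J)
            for w in words if all(w[i] == 0 for i in J)}


def dimension(words):
    return len(words).bit_length() - 1          # |C| = 2^k


def min_weight(words):
    nonzero = [sum(w) for w in words if any(w)]
    return min(nonzero) if nonzero else 0       # 0 for the trivial code


def min_weight_words(words):
    d = min_weight(words)
    return {w for w in words if sum(w) == d}


def signature(c, words):
    """Σ_c = (Dim(S_supp(c)(C)^⊥), W_min(S_supp(c)(C)^⊥))."""
    J = {i for i, bit in enumerate(c) if bit}
    shortened_dual = dual(shorten(words, J), len(c) - len(J))
    return dimension(shortened_dual), min_weight(shortened_dual)


def permute(words, pi):
    """C^π: coordinate i of the image is coordinate pi[i] of the original."""
    return {tuple(w[pi[i]] for i in range(len(pi))) for w in words}


def signature_is_invariant(words, pi):
    """Property (i): Σ(c, C) == Σ(c^π, C^π) for every minimum weight codeword c."""
    permuted = permute(words, pi)
    return all(signature(c, words) == signature(tuple(c[pi[i]] for i in range(len(pi))), permuted)
               for c in min_weight_words(words))


def orbit_of_x1x0():
    """O_{x1x0} = {(x1 + b1)(x0 + b0)}: evaluations of the four shifted products."""
    return {tuple(((u >> 1) & 1 ^ b1) & ((u & 1) ^ b0) for u in range(N - 1, -1, -1))
            for b1 in (0, 1) for b0 in (0, 1)}


# Constructed example: the [8,5,2] decreasing monomial code I = {x1x0, x2, x1, x0, 1}.
POLAR_8_5 = span([ev({1, 0}), ev({2}), ev({1}), ev({0}), ev(set())])

if __name__ == "__main__":
    pi = list(range(N))
    random.shuffle(pi)
    print("[n,k,d] =", N, dimension(POLAR_8_5), min_weight(POLAR_8_5))
    print("W_min(C) == O_{x1x0}:", min_weight_words(POLAR_8_5) == orbit_of_x1x0())
    for c in sorted(min_weight_words(POLAR_8_5)):
        print(c, "->", signature(c, POLAR_8_5))
    print("signatures survive permutation:", signature_is_invariant(POLAR_8_5, pi))
```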
Cryptanalysis of Polar Codes: Key steps of the attack
1. Find the set of minimum weight codewords $W_{min}(C)$ and $W_{min}(C^\pi)$
2. For all $c \in W_{min}(C)$, $\Sigma_c = \big( \mathrm{Dim}(\mathcal{S}_{supp(c)}(C)^\perp),\ W_{min}(\mathcal{S}_{supp(c)}(C)^\perp) \big)$, with the same definition for $\Sigma_{c^\pi}$.
3. Use the signature and the action of $\mathrm{LTA}_m$ to distinguish the orbits of monomials – in particular $x_{r-1} \cdots x_0$ (denote $c_{min} = \mathrm{ev}(x_{r-1} \cdots x_0)$ and $c^\pi_{min}$)
4. Let $J = \{ j \mid c_{min}[j] = 0 \}$. Find a permutation that works for $\mathcal{P}_J(C)$ and $\mathcal{P}_{J^\pi}(C^\pi)$. Continue by induction in order to retrieve the underlying Polar Code.
Cryptanalysis of Polar Codes
The private polar code $C$ (left column of the slide) against the public permuted code $C^\pi$ (right column), step by step:
1. Private: $W_{min}(C) = \mathrm{LTA}_m(I_r)$ (Bardet et al. 2016).
   Public: compute $W_{min}(C^\pi)$ (Dumer 1991, Stern 1988).
2. Private: $\forall g \in I_r$ compute $\mathcal{S}_{supp(\mathrm{ev}(g))}(C)^\perp$.
   Public: $\forall c^\pi \in W_{min}(C^\pi)$ compute $\mathcal{S}_{supp(c^\pi)}(C^\pi)^\perp$.
3. Private: compute $\mathcal{O}_{x_{r-1} \cdots x_0} = \{ \prod_{i=0}^{r-1} (x_i + b_i) \mid b_i \in \mathbb{F}_2 \}$.
   Public: identify $\mathcal{O}^\pi_{x_{r-1} \cdots x_0}$ using the list of signatures.
4. Private: $(x_{r-1} + 1) x_{r-2} \cdots x_0 \in \mathcal{O}_{x_{r-1} \cdots x_0}$.
   Public: find $((x_{r-1} + 1) x_{r-2} \cdots x_0)^\pi$.
5. Private: compute $(x_{r-1} + 1) x_{r-2} \cdots x_0 + x_{r-1} \cdots x_0 = x_{r-2} \cdots x_0$.
   Public: compute $((x_{r-1} + 1) x_{r-2} \cdots x_0)^\pi + (x_{r-1} \cdots x_0)^\pi = (x_{r-2} \cdots x_0)^\pi$.
6. Private: use induction to compute the list $(x_i \cdots x_0)_{0 \le i \le r-1}$.
   Public: by induction compute $((x_i \cdots x_0)^\pi)_{0 \le i \le r-1}$.
7. Private: let $c^i = \mathrm{ev}(x_{i-1} \cdots x_0)$ with $c^0 = \mathrm{ev}(1)$.
   Public: $(c^i)^\pi = \mathrm{ev}((x_{i-1} \cdots x_0)^\pi)$.
8. Private: let $J^i = \{ j \mid c^i[j] = 0 \}$ and $D^i \stackrel{\text{def}}{=} \mathcal{P}_{J^i}(C)$.
   Public: let $(J^i)^\pi = \{ j \mid (c^i)^\pi[j] = 0 \}$ and $(D^i)^\pi \stackrel{\text{def}}{=} \mathcal{P}_{(J^i)^\pi}(C^\pi)$.
9. Solve the code equivalence for $D^i$ and $(D^i)^\pi$ by induction from $i = r$ down to $0$.
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 22/24
Cryptanalysis of Polar Codes
The private polar code C The public permuted code C π
Wmin(C ) = LTAm(Ir ) (Bardet et all 2016) Compute Wmin(C π) (Dumer 1991, Stern 1988)
∀g ∈ Ir compute Ssupp(ev(g))(C )⊥ ∀cπ ∈Wmin(C π) compute Ssupp(cπ)(Cπ)⊥
compute Oxr−1...x0 =
{r−1∏i=0
(xi + bi) | bi ∈ F2
}Identify Oxr−1...x0
π using the list of signatures
Since (xr−1 + 1)xr−2 . . . x0 ∈ Oxr−1...x0 Find (xr−1 + 1)xr−2 . . . xπ0
Compute (xr−1 + 1)xr−2 . . . x0 + xr−1 . . . x0 = xr−2 . . . x0 Compute (xr−1 + 1)xr−2 . . . xπ0 + xr−1 . . . xπ0 = xr−2 . . . xπ0
Use induction to compute the list (xi . . . x0)06i6r−1 By induction compute (xi . . . xπ0 )06i6r−1
Let ci = ev(xi−1 . . . x0) with c0 = ev(1) (ci)π = ev(xi−1 . . . xπ0 )
Let J i = {j | ci [j] = 0} Let (J i)π
= {j | (ci)π[j] = 0}
D i def= PJ i (C ) (D i)π
def= P(J i )π (C π)
Solve the code equivalence for D i and (D i)π by induction from i = r down to 0
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 22/24
Cryptanalysis of Polar Codes
The private polar code C The public permuted code C π
Wmin(C ) = LTAm(Ir ) (Bardet et all 2016) Compute Wmin(C π) (Dumer 1991, Stern 1988)
∀g ∈ Ir compute Ssupp(ev(g))(C )⊥ ∀cπ ∈Wmin(C π) compute Ssupp(cπ)(Cπ)⊥
compute Oxr−1...x0 =
{r−1∏i=0
(xi + bi) | bi ∈ F2
}Identify Oxr−1...x0
π using the list of signatures
Since (xr−1 + 1)xr−2 . . . x0 ∈ Oxr−1...x0 Find (xr−1 + 1)xr−2 . . . xπ0
Compute (xr−1 + 1)xr−2 . . . x0 + xr−1 . . . x0 = xr−2 . . . x0 Compute (xr−1 + 1)xr−2 . . . xπ0 + xr−1 . . . xπ0 = xr−2 . . . xπ0
Use induction to compute the list (xi . . . x0)06i6r−1 By induction compute (xi . . . xπ0 )06i6r−1
Let ci = ev(xi−1 . . . x0) with c0 = ev(1) (ci)π = ev(xi−1 . . . xπ0 )
Let J i = {j | ci [j] = 0} Let (J i)π
= {j | (ci)π[j] = 0}
D i def= PJ i (C ) (D i)π
def= P(J i )π (C π)
Solve the code equivalence for D i and (D i)π by induction from i = r down to 0
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 22/24
Cryptanalysis of Polar Codes
The private polar code C The public permuted code C π
Wmin(C ) = LTAm(Ir ) (Bardet et all 2016) Compute Wmin(C π) (Dumer 1991, Stern 1988)
∀g ∈ Ir compute Ssupp(ev(g))(C )⊥ ∀cπ ∈Wmin(C π) compute Ssupp(cπ)(Cπ)⊥
compute Oxr−1...x0 =
{r−1∏i=0
(xi + bi) | bi ∈ F2
}Identify Oxr−1...x0
π using the list of signatures
Since (xr−1 + 1)xr−2 . . . x0 ∈ Oxr−1...x0 Find (xr−1 + 1)xr−2 . . . xπ0
Compute (xr−1 + 1)xr−2 . . . x0 + xr−1 . . . x0 = xr−2 . . . x0 Compute (xr−1 + 1)xr−2 . . . xπ0 + xr−1 . . . xπ0 = xr−2 . . . xπ0
Use induction to compute the list (xi . . . x0)06i6r−1 By induction compute (xi . . . xπ0 )06i6r−1
Let ci = ev(xi−1 . . . x0) with c0 = ev(1) (ci)π = ev(xi−1 . . . xπ0 )
Let J i = {j | ci [j] = 0} Let (J i)π
= {j | (ci)π[j] = 0}
D i def= PJ i (C ) (D i)π
def= P(J i )π (C π)
Solve the code equivalence for D i and (D i)π by induction from i = r down to 0
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 22/24
Cryptanalysis of Polar Codes: Implementation
We consider the [2048, 614] polar code, which can correct up to 200 errors.
The security level is $2^{105}$, given by generic decoding algorithms for linear codes.
We checked the decreasing property of both $\mathcal{C}$ and $\mathcal{C}^\perp$ as well as the weak duality property of the code.
$d_{\min}(\mathcal{C}) = 32$ and $|W_{\min}(\mathcal{C})| = 42176$. For the dual code, $d_{\min}(\mathcal{C}^\perp) = 8$ and there were 6912 such codewords.
It took 27 seconds to find these codewords in $\mathcal{C}^\pi$ and 3 seconds to find them in $(\mathcal{C}^\pi)^\perp$ on an 8-core Xeon E3-1240 running at 3.40 GHz.
The most time-consuming part is the last step of the induction. A successful attack took less than 14 days on the same processor.
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 23/24
Summary
Polar codes in a public-key cryptographic scheme are vulnerable to structural attacks.
The introduction of an algebraic formalism was crucial for a successful attack.
A unified formalism for polar codes and Reed-Muller codes under the name of Decreasing Monomial Codes.
Vlad Dragoi Cryptanalysis of McEliece – Polar Codes 24/24