The Security of Cryptosystems Based on Error-Correcting Codes

2.1 Finite fields

Finite fields are the basis of many error-correcting codes and cryptographic systems, it is therefore essential to recall the theory of finite fields in order to understand the functioning of linear codes. In this paragraph we present some properties of finite fields and a method of representing them for later use. We are interested in constructing finite fields F2m and the calculations on these fields. Finite fields are generally constructed from primitive polynomials [3].

Definitions

The minimal polynomial of an element β on a finite field Fis the unit polynomial with coefficients in F smaller degree and its value in β is zero.

Proposition

1. The ring Kx/P is a field if and only if the polynomial Px is irreducible on the field K.

2. If Px is irreducible of degree mand K a finite field of q elements then Kx/P is field of qm elements.

This proposition gives us a way to build a finite field: Take a polynomial P irreducible over a field K et former le quotient Kx/P.

Theorem (the primitive element)

If K is a finite field of order q, then the multiplicative group K∗ is cyclic generated by an element α called primitive element of K and we write K∗=αii=1…q−. Any generator of this group is called a primitive element of K.

Definition (primitive polynomial)

We say that a polynomial P∈F2x of degree m is primitive if it is the minimal polynomial of a generator of F2m∗.

Lemma

Let F2xm=Qx∈F2xdQx≤m−1, Px∈F2xm primitive and α a root of Px, so we have: F2m≈F2xm≈F2x/Px≈F2m≈0∪1α…α2m−1.

It follows from this lemma that we can represent the nonzero elements of a finite field F2m by nonzero vectors of F2m and that the αi have representatives of ximodPx and consequently αi=ximodPx. In what follows we denote by α a primitive element of F2m.

2.2 Principle of error-correcting codes

In order to transmit a message, it must be coded, it consists in temporarily giving it a certain form, the coding mode depends on the means of transmission, it can be disturbed by noise, hence the need for coding which allows the receiver to find the initial message even if it has been altered. Such coding is called channel coding. The principle of error-correcting codes is to add to a message to be transmitted additional information called redundant or control information, so that transmission errors can be detected and corrected. This operation is called coding and its result is a code word, each message is associated, therefore a code word of length greater than that of the message.

The code is the set of code words thus obtained. We assume that all messages are words of the same length >0, written using an alphabet F of q elements. Each message x0x1…xk−1 is an element of the set of Fk (message space). We then have qk possible messages. We assume that all the code words are of the same length n>k. Encode m messages of length k,m≤qk consists in choosing an integer n>k, and associate with each message from Fk a word from Fn (injectively). The coding introduces a redundancy equal to n−k. Decoding consists of receiving a word x of Fn to determine if x is a code word and if not correct it thanks to the redundancy. This is done using the Hamming distance.

Definition (hamming distance)

let x=x0x1…xn−1≔x0x1…xn−1 and y=y0y1…yn−1≔y0y1…yn−1 of Fn. We call the Hamming distance between words x and y, and we note dHxy=dxy the number of index i∈012…n−1 such as xi≠yi, we call Hamming’s weight of a word x the number of nonzero components of x, we notewx=dx0.

Definitions

We call the minimum distance of a code C an integer d such as d=mindmm′m∈Cm′∈Cm≠m′. We call the weight of a word x of code Con integer wx=dx0.

Proposal (correction capacity)

Let C a minimum distance code d, and x∈Fn a received message assigned to r errors, with r≥1.

1. If 2r<d that is to say that r≤d−12, the code Ccorrect r errors.

2. If d−12<r=d2, the C code detects the existence of r errors but cannot always correct them.

3. If d2<r≤d−1, the C code detects the existence d’ errors but risk of making an erroneous correction.

The integer t=d−12 is called code correction capability, we also say that C is a t-corrector code.

Proof

Let m the code word transmitted and x the message received and assigned from r errors then dmx=r.

1. We show that the code word m is the only code word such as dmx≤r.

Otherwise it exists m′ of C such as dm′x≤r, we are dmm′≤dmx+dxm′≤2r<d, then m=m′.

1. There is no code word m′ of C such as dxm′<dmx=r, but the code word m is not necessarily the only one to check dmx=r. Indeed be m=m1m2…mn and m′=m′1m′2…m′n two code words and if we receive the message x=m1m2…mrm′1…m′r, we’ll have dxm=dxm′=r.

2. We know there is an error because x∉C, but there may be a code word m′∉C such as dm′x<dmx=r.

The most used codes are the linear codes which we discuss in the next part.

2.3 Linear codes

Definitions

A linear code C of size n and dimension k on the finite field Fq is a vector subspace of Fqn. We note it nkdq with d its minimum distance.

Linear codes are codes in which each code word y is obtained by linear transformation of the components of the initial word (information) x.

A linear code is characterized by its generator matrix G, we have C=y=xG/x∈Fqk.

let Hn−k×n matrix with coefficients in Fq. H is called the parity control matrix of C if “x∈C⇔Hxt”.

Fqk: the message space.

The systematic code

The matrix G defines a bijective function Fqk→C by x→xG which we represent qk messages, its length k by code words, of lengthn.

The generator matrix G of a C code is not unique; G can be transformed into G′=IkA with Ik the identity matrix with k order and A the matrix of k lines and n−k columns.

G and G′ generate the same C subspace; G′ is called canonical generator matrix and if the generator matrix of a code is of the form G=IkA, this code is said systematic.

Theorem

Let C a nkq linear code.

1. If G is a generator matrix of C and H a parity control matrix of C then GHt=0.

2. If G is a k×n matrix of rank k and H is a n−k×n matrix of rank n−k such as GHt=0 then we have:

H is a parity control matrix of C if and only if G is a generator matrix of C.

Proof

1. We know that Ht=0, ∀x∈C, in particular we have GiHt=0 for all i=1…k with Gi is line of G. It follows that GHt=0.

2. ⇒) Since GHt=0, then we have GiHt=0. For all i=1…k. And since H is a parity control matrix of C, we have the Gi belong to C. rgG=k, then Gii=1…k constitute a basis of C. It follows that G is a generator matrix of C.

⇐) we have y∈C if and only if it exists x∈Fqk such as y=xG. Then y∈C if and only if yHt=xGHt=0. Then H is a parity control matrix of C.

In the case of systematic code, we have the following corollary.

Corollary

Let C a nkq linear code

1. If G=IkA a canonical generator matrix of C then H=−AtIn−k is a parity control matrix ofC.

2. If H=BIn−k is a parity control matrix of C then, G=Ik−Bt is a generator matrix of C.

Proof

By applying the preceding theorem

1. we have GHt=IkA−AtIn−kt=−A+A=0, if G is a generator matrix of C then, H is a parity control matrix ofC.

2. we have GHt=Ik−BtBIn−kt=Bt−Bt=0 then if H is a parity control matrix of C we will have G is a generator matrix of C.

Encoding and decoding

The coding is obtained by applying the generator matrix. Decoding consists in applying the control matrix to the message; if the result is 0 then the message is valid otherwise look for errors and correct them. Hxt is called syndrome. Suppose the word x is sent through a noisy channel and the word received is y so the error vector is e=y−x.

Given y, the decoder must decide which word of the code x has been transmitted (which error vector?). For a vector u and a code C we call coset class of C, the set u+C=u+cc∈C. A representative of a class of C of minimum weight is called a leader of this class.

Theorem

Let C a nkdq linear code then,

1. u and v are of the same coset class of C if and only if u−v∈C.

2. Any vector of Fqn is in a coset of C.

3. Given two coset classes, they are either disjoint or identical.

Proof

1. If u,v∈x+C then, it exists y,z∈C such as u=x+y and v=x+z, then u−v=y−z∈C, because C is a vector subspace of Fqn.

If u−v∈C it exists x∈C such as u−v=x then u=v+x∈v+C and we have v=v+0∈v+C.

1. Let a∈Fqn, on a 0∈C thena=a+0∈a+C.

2. Suppose that a+C∩b+C≠∅, the nit exists v∈Fqn such as a+C∩b+C contains the element v, the nit exists x,y∈C such as v=a+x=b+y hence b=a+x−y and a=b+y−x. ∀b+c∈b+C we have b+c=a+x−y+c∈a+C (then b+C⊂a+C). ∀a+c∈a+C We have a+c=b+y−x+c∈b+C (then a+C⊂b+C), hence b+C=a+C.

Principle

We construct the standard array of C which is a matrix of qn−k lines and qk columns. It contains all the vectors of Fqn; its first line corresponds to the words of C with vector 0 on the left. The other lines represent the cosets ui+C with the class leader ui to the left. The procedure is as follows:

1. We list the words of C starting with 0 on the first line.

2. We choose a vector u1 of minimum weight that does not belong to the first line and we list in the second line the elements u1+C, by entering below 0 the class leader u1 and below each element x∈C the element u1+x.

3. We choose u2 in the same way and we repeat the same operation.

4. We iterate this process until all the side classes are listed and all the vectors of Fqn appear only once.

When the word y is received, we look for its position in the standard table. The decoder then decides that the error vector e corresponds to the class leader who is located in the first column of the same row of y and decode y like x=y−e, by choosing the code word of the first line on the same column ofy.

Remark

The standard table provides nearest neighbor decoding. Note that this process is too slow and too expensive in memory for large codes. In practice each code has by its structure a decoding algorithm.

2.4 The hamming code

A Hamming code with r≤2 redundancy is a linear code 2r−12r−1−r2 its parity control matrix H, with H is a matrix of r lines and 2r−1 columns that correspond to the set of all nonzero vectors of F2r.

Theorem

The minimum distance of the Hamming 2r−12r−1−r2 code is d=3 (it therefore corrects a single error).

Proof

This code does not contain any element of weight 1 and 2 otherwise we would have a column of H which would be zero or two columns of H would be identical.

It exists x∈C such as wx=3, indeed by definition of the parity control matrix H, the first 3 columns are 000…⋮⋮⋮…000…011…101… then the vector x=1110⋯0 its weight wx=3 and belongs to C because Hxt=0.

Decoding

The vector syndrome x of which only the jth component is nonzero is none other than the transpose of the jth column of H. If the columns of H are ordered in increasing order of binary numbers, the jth column corresponds to the binary writing of j, hence the following decoding algorithm:

Let y a message received, we calculate Hyt. If Hyt=0 then, y corresponds to the message transmitted. If Hyt≠0 and assuming there is only one error, Hyt directly gives the position of the error written in binary in the form ⋯b3b2b1b0. We can then correct y=y1⋯yn like x+ej for j=∑i=1nbi2i and ej the vector of which only the jth coordinate is nonzero.

2.5 The Reed-Solomon codes

Let n=q−1 with q=2m et Fqxk The set of polynomials of degree strictly less than k on F2m. Let us build a length code n and dimension k. Let L=α1α2⋯αn a vector formed of distinct elements of F2m∗=αii=1…n, with α primitive of F2m. Each word of the code is the evaluation of a function f of Fqxk on L then, we have a length code n and dimension k and generator matrix

By its structure, this code has a minimum distance of at least n−k+1, because two polynomials of degrees less than k distinct cannot be equal in addition to k−1 positions. This distance is exactly equal to n−k+1, since the evaluation of a polynomial of the form ∏i=1k−1x−αi his weight is n−k+1. So we have a code on F2m of the form nkn−k+1q which can have both good transmission rate and good correction ability.

Remark

Reed-Solomon codes represent a special case of a slightly more general class called generalized Reed-Solomon codes GRS whose definition is as follows.

Definition

Let v1v2…vn a vector of length n in F2m∗ et α1α2⋯αn a vector of length n in F2m∗, with the αi are distinct two by two.

The set of codes with the generator matrix G of the form G=v1v2…vnv1α1v2α2…vnαn…..……v1α1k−1v2α2k−1…vnαnk−1 is called the family of generalized Reed-Solomon codes.

2.6 The classical Goppa codes

Definition

Let L=α1α2…αn a suite of n distinct elements of F2m and gz∈F2mz a unit polynomial of degree r irreducible in F2mz. The irreducible binary Goppa code, its support L (generator vector) and its generator polynomial g noted ΓLg is the set of words a=a1…an∈F2n such that one of the following equivalent characterizations is verified:

1. Raz=∑i=1naiz−αi=0modgz.

2. Hat=0 with H=11…1α1α2…αn...………α1r−1α2r−1…αnr−1gα1−1....gαn−1 parity check matrix.

3. gz divided dσazdz with c σaz=∏i=1nz−αiai locator polynomial.

The construction of a code Goppa:

Goppa’s code is a linear code on the field F2, its construction requires the use of an extension F2m. Each element of the matrix H is then broken down into m elements of F2 placed in columns, using a projection of F2m in F2m; we go from a size matrix r×n on F2m to a matrix of size rm×n on F2 so it is a length code n=L and dimension k=n−mr and has a minimum distance at least equal to d=r+1. Indeed the parity check matrix H is written as the product of a Vandermonde matrix and an invertible matrix therefore all under a square matrix r×r of H is invertible, then there are no code words with a weight less than or equal to r.

The decoding of a Goppa code:

Several techniques exist to decode Goppa codes but they work by the same principle. Let c′=c+e and we<r2. We start by calculating the syndrome Rc′z on F2m; from this syndrome we will write a key equation, and we will finish the decoding by solving the key equation to finde.

If Raz=0 the word will belong to the code.

The key equation

Let σez=∑i=1nz−αiei of degree <r2. On introduit le polynôme wez=σezRezmodgz called evaluator polynomial.

We can solve the key equation in two different ways: Berlekamp Massey’s algorithm and the extended Euclidean algorithm. The latter has the advantage of being easier to present. Indeed we seek to find we and σe of degree <r2 such as wez=σezRezmodgz=σezRez+kzgz. If we try to calculate the gcd of gRe with the extended Euclidean algorithm, we will calculate at each step the polynomials ui,vi,ri checking Reui+gvi=ri. At each step the polynomials ui and vi will be of degree <i and the degree of ri is equal to r−i. There is therefore a step at which if we stop the algorithm we will find a solution of the equation σe=ui0 and wi0=ri0 to a scalar coefficient.

3.1 The basic system (McEliece)

We start by generating a code nkdq linear of a well-chosen family and its generator matrix G. We are going to mix this matrix to make it indistinguishable from a random matrix, so we need a permutation matrix P her size is n×n (having 1 in each row and column and 0 everywhere) and an invertible matrix S her size k×k (S is jammer). The public key will be G′=SGP which is indistinguishable from a random matrix (The definition of a random matrix comes from the definition of random code which be introduced in section four). The knowledge of S, P and G allows us to find the structure of the design code and provides us with the decoding algorithm.

3.2 The Niederreiter variant

Let C a linear t-corrector code of length n and dimension k. Let H a parity check matrix of C her size is n−k×n. We randomly choose an invertible matrix S and P a permutation matrix. We calculate H′=SHP. We will have H′ a public key and SHP the private key, with the knowledge of a syndrome decoding algorithm in C. Let x a plaintext of length n and weight t, we calculate the cipher text y=H′xt. The recipient receives y knowing the secret key, he can calculate S−1y=HPxt. Using the syndrome decoding algorithm of C, he can find Pxt and applying P−1 the plaintext x is found.

The algorithms of the Niederreiter cryptosystem [5]

The generation of keys

Input

A linear code nkdq is chosen for the design, of which we know a decoding algorithm by syndrome.

Procedure

Choose a parity check matrix H of design code.

Choose a matrix S, invertible of size k with coefficients inFq.

Choose a permutation matrix P of sizen×n.

Calculate H′=SHP.

Output

The public key H′.

The private keySHP.

Encryption

Input

The public key H′.

The plaintext x∈Fqn of weight less than or equal to the correction capacity.

Procedure

Calculate y=H′xt.

Output

The cipher texty.

Decryption

Input

The private key SHP.

The cipher texty.

Procedure

Calculate y′=S−1y.

Calculate x′=fHy′ with fH the code syndrome decoding algorithm, its parity check matrix is H.

Calculate x=x′P−1.

Output

The plaintext x.

Remark

Reed-Solomon codes were originally proposed by Niederreiter as a family of codes that could be considered by his cryptosystem. In 1992 Sidelnikov and Shestakov have shown that it is easy to attack this cryptosystem [2].

4.1 Decoding attack

The attacker directly attempts to decode the cipher text in the C code (generator matrix G or public key parity H); the principle consists of decoding the intercepted cipher text relative to the public code using general decoding algorithms. We cite two decoding problems in a random code:

Problem 1

Given G a random binary matrix of size k×n, generator of a C code of dimension k. xa random word of F2n and t a positive integer, find if there is an error word e of F2n such as we≤t and x+e∈C.

Problem 2

Given H a binary random parity matrix; her size n−k×n of a C code its dimension k, sa random vector of F2n−k and ta positive integer, find if there is a word x of F2n such as wx≤t and Hxt=s.

Decoding in random code is behind the following attacks:

• Algorithme de décodage par ensemble d’information

The principle is based on two steps: the selection of a set of information and the search for low-weight word. There are several variants which propose to optimize one or the other of these two steps.

Definition

Let C a linear code of generator matrix G and length n. A set of information I is a subset of 12…n such as GI, her size k×k formed of columns of G labeled by the elements of I, is invertible.

Remark

The matrix GIGJ with I∪J=12…n is equivalent to G.

Algorithm

Input

G: a matrix generating of a code C.

t: a positive integer.

y: a word of F2n such as dyC≤t.

Output

The couple xe such as y=xG+e wherewe≤t.

Procedure

Randomly draw a set of information I of the code C (let J such as I∪J=12…n).

Calculate R=GI−1GJ.

Write y=yIyJ.

Calculate eJ=yJ−yIR.

Repeat the previous operations until you find eJ such as weJ≤t.

Returne=0eJ.

Determine the word x such as y−e=xG.

Proof

We have a y=xG+e and y=yIyJ=xGIGJ+eIeJ. Hence eI=yI−xGI and eJ=yJ−xGJ.

If the set of information I does not contain an error position eI=0 and like GI is invertible, we obtain yI=xGI, eJ=yJ−yIGI−1GJ. Then e=0yJ−yIGI−1GJ. is the solution sought.

Remark

We have Cnk possibilities to choose k=I positions of 12…n (I is a cardinally of I). And we have Cn−tk possibilities to choose k=I positions among n−t positions where ei=0. So the probability of getting the set of information I with eI=0 is p=Cn−tkCnk and the average number of iterations will be 1p.

Example

Let us try to attack the following system by this method: We haveG=1110010101011110.

The cipher text y=10101011 ett=1.

looking me such as mG+e=y.

Let I=15⊂12…8 then GI=1001=GI−1 andGJ=110101101110.

yI=11 and yJ=010011. Then eJ=yJ−yIGI−1GJ=001000, it follows that eIeJ=00001000.

then m=11.

• Decoding by paradox of birthdays

Consider an instance of problem 2. For a parity check matrix H of size r×n, a syndrome s and a weight t. If the weight t is even, let us separate the columns of H in two sets of the same size H1 and H2 such as H=H1H2.

Let us build L1=H1e1te1of lengthn2and the weightt2 et L2=s+H2e2,te2of lengthn2and the weightt2. Common elements of L1 and L2 are such that H1e1t=s+H2e2t, that is to say e1e2 is solution of problem 2.

The probability that one of the solutions splits into two equal parts of the parity matrix is p=Cn/2t/22Cnt; to solve problem 2 you have to repeat these operations 1p on different permutations of the public code.

• The recovery of a plaintext encrypted twice by the same McEliece system

This is an active attack that only applies to the McEliece encryption system (because it is not deterministic) and does not apply to the Niederreiter system. Suppose the plaintext x is encrypted in two different ways. We will have y1=xG+e1, y2=xG+e2 où e1 et e2 sont deux vecteurs d’erreur distincts de poids t. We get the word y1−y2=e1−e2 which is less than or equal to 2t. Once an attacker has detected that the two cipher texts y1 and y2 correspond to the same plaintext, this information will reduce the number of iterations of the decoding algorithm set of information. Message forwarding is detected by observing the weight of the two cipher texts. If the two plaintexts are identical then, the weight of the sum of the two numerical texts remains less than 2t in general (tthe correction capacity).

Algorithm

Input

G: The public key of sizek×n.

Two words y1 and y2 such as y1=xG+e1, y2=xG+e2 where e1 and e2 are two distinct error vectors of weightt.

Output

The plaintext x.

Procedure

Calculate y1−y2.

Randomly draw a set of information I⊂12…n which label the zero positions of y1−y2.

Calculate eJ=yJ−yIGI−1GJ où y1=yIyJ etI∪J=12…n.

Repeat the previous operations until the weight of e (≤t).

Return x=yIGI−1.

Example

Let us try to attack by this method the system of the previous example.

Either plaintext encrypted two ways in which the public key is

Draw a set of information that labels the zero positions of y1+y2 let I=78.

GI=0110=GI−1, GJ=111001010111; y1=10101011,yI=11,yJ=101010.

So we extract m=11.

4.2 Structural attack

The attacker tries to find a decomposition of the key G′=S1G1P1, which allows it to develop its own decoding algorithm. Succeeding in a structural attack generally amounts to finding a code equivalent to the public code for which we know a decoding algorithm. This attack depends exclusively on the structure of the space of the keys used. We quote here a successful attack on an McEliece system with the Reed-Solomon code as the design code.

• The attack of Sidelnikov and Shestakov

Sidelnikov and Shestakov showed [6] that generalized Reed-Solomon codes were so structured that one could find a decoder of the public code in polynomial time. The systematic form of the matrix generating a GRS code can be obtained from the following proposition:

Proposal

Let G=v1v2…vnv1α1v2α2…vnαn…..……v1α1k−1v2α2k−1…vnαnk−1 a matrix generating a Reed-Solomon code generalized on Fqm then there is a matrix k×k invertible S coefficient in Fqm and a matrix R=Riji=1…kj=k+1…n such that IR=SG and Rij=vjvi∏s=1s≠ikαj−αsαi−αs

Proof

For i=1,2…k we define the following interpolation polynomial fix=∏s=1s≠ikαj−αsαi−αs=∑j=1kfijxj−1 of degree k−1 such that fiαi=1, fiαj=0 for j=1,2…k and j≠i. We noteS=fijvii=1…kj=1….k.

The ith row of the matrix produces SG is fiα1v1vifiα2v2vi…fiαnvnvi

By construction of polynomials fi, the kfirst columns of the matrix SG form the identity matrix, therefore S is invertible and SG=IR where R=Rij and Rij=fiαjvjvi.

Corollary

Let I the identity matrix its order k and R=Riji=1…kj=k+1…n where Rij=vjvi∏s=1s≠ikαj−αsαi−αs. Alors la matrice IR is the generator matrix in systematic form of the generator matrix GRS code G=v1v2…vnv1α1v2α2…vnαn…..……v1α1k−1v2α2k−1…vnαnk−1.

Proof

Can be deducted from the definition of the generalized Reed-Solomon code and the latest proposal.

Algorithm

Input

A family of generalized Reed-Solomon code of length n, of dimension k constituting the key space.

The public key G′.

Results

The matrix G=vjαjii=0,..k−1j=1…n and S invertible matrix its size k×k such that G′=SG.

Procedure

Put the matrix G′ in form IR by Gaussian elimination.

Determine the matrix G=vjαjii=0,..k−1j=1…n such that α1,…αn et v1,…vn check the equations Rij=vjvi∏s=1s≠ikαj−αsαi−αs.

Determine the matrix S such that G′=SG.