Post-Quantum Cryptography #2
Prof. Claude Crépeau, McGill University
Thursday, 18 July 2013
Post-Quantum Cryptography
Finite Fields based cryptography
Codes
Multi-variate Polynomials
Integers based cryptography
Approximate Integer GCD
Lattices
Public Key Encryption
Asymmetric Encryption (Public-Key Cryptography)
[diagram: plaintext P --Encryption with K_e--> ciphertext C --Decryption with K_d--> P; labelled "Complexity Theoretical Security"]
Public-Key Cryptography
[illustration: the message "Will you marry me?" is encrypted into unreadable symbols and decrypted back to "Will you marry me?"]
Digital Signatures
Asymmetric Authentication (Digital Signature Scheme)
[diagram: message M --Authentication with K_a--> tag T --Verification with K_v-->; labelled "Complexity Theoretical Security"]
Digital Signature
[illustration: "Will you marry me?" is authenticated into a signature; verification of the message and its signature outputs VALID]
Code Equivalence
Two [n,k,d] linear codes C, C' (with generator matrices G, G') are (permutation) equivalent if there exists a k×k non-singular matrix S and an n×n permutation matrix P such that
G' = SGP.
The codewords of C and C' then have exactly the same weights (the same weight distribution).
Code Equivalence
Let C' be an [n,k,d] linear code equivalent to a code C (G' = SGP).
Let Cor: {0,1}^n → C be an efficient nearest-codeword error-correcting procedure for C (up to (d−1)/2 errors).
Define C'or(w) := Cor(wP^{-1})P.
Then C'or: {0,1}^n → C' is an efficient nearest-codeword error-correcting procedure for C' (up to (d−1)/2 errors).
McEliece Cryptosystem
Let G ∈_R Goppa_t (a random binary Goppa code correcting t errors), S ∈_R 𝔽_2^{k×k} (non-singular) and P ∈_R Perm_n be the private key, and G' = SGP the public key.
Let e ∈_R {error vectors of weight t} and m ∈ {0,1}^k a plaintext; w = mG' + e is the ciphertext.
Given (only) G' and w, finding c' = C'or(w) is difficult.
Niederreiter Cryptosystem
Let G ∈_R GRS_t, S ∈_R 𝔽_2^{k×k} and P ∈_R Perm_n be the private key, and G' = SGP the public key.
Let m ∈ {error vectors of weight t} be a plaintext and c' ∈_R C'; w = c' + m is the ciphertext.
Given (only) G' and w, finding c' = C'or(w) is difficult.
Both Cryptosystems
Let G ∈_R GRS_t / Goppa_t, S ∈_R 𝔽_2^{k×k} and P ∈_R Perm_n be the private key, G' = SGP the public key, e an error vector of weight t, and let w = c + e for c ∈ C(G').
Given G, S, P and w, finding c = C'or(w) (Cor applied after undoing P) and e = w − c is easy.
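A worked toy of the construction above, added here and not part of Crépeau's slides: a McEliece-style key G' = SGP over the binary Hamming [7,4,3] code (a constructed stand-in for a Goppa code, with t = 1), encryption w = mG' + e, and decryption through C'or(w) := Cor(wP^{-1})P exactly as defined on the code-equivalence slide. The matrices, the brute-force decoder, the seed and all function names are constructed for this example.

```python
import random

# Constructed toy: binary Hamming [7,4,3] code, generator G = [I_4 | A], corrects t = 1 error.
N, K = 7, 4
G = [[1, 0, 0, 0, 1, 1, 0], [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1], [0, 0, 0, 1, 1, 1, 1]]

def vec_mat(v, M):
    """Row vector v times matrix M over F_2."""
    return [sum(v[i] & M[i][j] for i in range(len(v))) % 2 for j in range(len(M[0]))]

def gf2_inverse(M):
    """Gauss-Jordan inversion over F_2; returns None when M is singular."""
    k = len(M)
    A = [row[:] + [int(i == j) for j in range(k)] for i, row in enumerate(M)]
    for col in range(k):
        piv = next((r for r in range(col, k) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        for r in range(k):
            if r != col and A[r][col]:
                A[r] = [x ^ y for x, y in zip(A[r], A[col])]
    return [row[k:] for row in A]

def apply_perm(v, perm):
    """v P for the permutation matrix P with P[i][perm[i]] = 1."""
    out = [0] * len(v)
    for i, j in enumerate(perm):
        out[j] = v[i]
    return out

def apply_perm_inv(v, perm):
    return [v[j] for j in perm]  # v P^{-1}

def codewords(Gmat):
    k = len(Gmat)
    return [vec_mat([(i >> j) & 1 for j in range(k)], Gmat) for i in range(2 ** k)]

CODEWORDS = codewords(G)

def cor(w):
    """Cor: nearest-codeword decoder for C (brute force; a real key uses the Goppa decoder)."""
    return min(CODEWORDS, key=lambda c: sum(a ^ b for a, b in zip(w, c)))

def keygen(seed=1):
    rng = random.Random(seed)
    S_inv = None
    while S_inv is None:  # S: random non-singular k x k matrix over F_2
        S = [[rng.randint(0, 1) for _ in range(K)] for _ in range(K)]
        S_inv = gf2_inverse(S)
    perm = list(range(N))
    rng.shuffle(perm)  # P: random n x n permutation
    G_pub = [apply_perm(vec_mat(row, G), perm) for row in S]  # public key G' = S G P
    return G_pub, (S_inv, perm)

def encrypt(G_pub, m, err_pos):
    """Ciphertext w = m G' + e with an error vector e of weight t = 1."""
    w = vec_mat(m, G_pub)
    w[err_pos] ^= 1
    return w

def decrypt(priv, w):
    """C'or(w) := Cor(w P^{-1}) P recovers c' = m G' and e = w - c'; then undo S."""
    S_inv, perm = priv
    c_prime = apply_perm(cor(apply_perm_inv(w, perm)), perm)
    e = [a ^ b for a, b in zip(w, c_prime)]
    mS = apply_perm_inv(c_prime, perm)[:K]  # c' P^{-1} = (m S) G, and G is systematic
    return vec_mat(mS, S_inv), e
```

The public code C(G') has the same weight distribution as C, as the code-equivalence slide states, while Cor itself is unusable on w without P.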
Families of Codes (Nicolas Sendrier)
Binary Goppa codes seem safe, but not:
(Generalized) Reed-Solomon codes,
concatenated codes,
elliptic codes,
Reed-Muller codes,
convolutional codes.
Code based cryptography
Courtois, Finiasz and Sendrier signature scheme
Stern's identification scheme
Code based PRNG
Code based hash function
Multi-variate Poly based cryptography
P = (p_1(x_1, ..., x_n), ..., p_m(x_1, ..., x_n)) for x = (x_1, ..., x_n) over 𝔽^n.
z_k = p_k(x) := ∑_i P_ik x_i + ∑_i Q_ik x_i^2 + ∑_{i<j} R_ijk x_i x_j
When we are working over 𝔽 = 𝔽_2, note that x^2 = x, so it suffices to consider multilinear polynomials:
z_k = p_k(x) := ∑_i P_ik x_i + ∑_{i<j} R_ijk x_i x_j
In general, finding x from z = P(x) is NP-hard.
We seek more: finding x from z = P(x) should be hard on average.
Multi-variate Poly based cryptography
P = (p_1(x_1, ..., x_n), ..., p_m(x_1, ..., x_n)) for x = (x_1, ..., x_n) over 𝔽_2^n.
z_k = p_k(x) := ∑_i P_ik x_i + ∑_{i<j} R_ijk x_i x_j
Public key: P
Enc_P(x) = P(x)
Dec(z) = find x such that z = P(x) (specific to P's design)
Multi-variate Poly based cryptography
MPKCs almost always hide a private map Q via composition with secret affine maps S and T.
So P = T∘Q∘S: 𝔽^n → 𝔽^m, or P(x) := M_T Q(M_S x + c_S) + c_T.
In any given scheme, the central map Q belongs to a certain class of quadratic maps whose inverse can be computed relatively easily:
x = M_S^{-1} Q^{-1}(M_T^{-1} P(x) − c'_T) − c'_S
where c'_T := M_T^{-1} c_T and c'_S := M_S^{-1} c_S.
Private key: (M_T^{-1}, c'_T), (M_S^{-1}, c'_S), Q^{-1}
Dec(y) = M_S^{-1} Q^{-1}(M_T^{-1} y − c'_T) − c'_S
Matsumoto-Imai
Example (a sort of RSA-type system):
Any single univariate f over 𝔽_{2^n} can be represented by n multivariate algebraic functions y_i = f_i(x_1, x_2, ..., x_n) over 𝔽_2.
Q(x) := x^{2^a+1}, a < n, over 𝔽_{2^n} such that gcd(2^a + 1, 2^n − 1) = 1 (squaring over 𝔽_{2^n} is actually an 𝔽_2-linear transform of 𝔽_2^n)*
Then there exists h := (2^a + 1)^{-1} mod (2^n − 1) such that Q^{-1}(y) = y^h over 𝔽_{2^n}.
Squaring over 𝔽_{2^n} is linear over 𝔽_2
(x_{n-1}, ..., x_1, x_0)^2
= (x_{n-1} x^{n-1} + ... + x_1 x + x_0)^2 mod P(x) = x_{n-1} x^{2n-2} + ... + x_1 x^2 + x_0 mod P(x)
= [ 1 mod P | x^2 mod P | ... | x^{2n-2} mod P ] · (x_0, x_1, ..., x_{n-1})^T = M_sq x
(column i of M_sq is the coefficient vector of x^{2i} mod P(x); the cross terms of the square vanish because 2 = 0 in 𝔽_2, and x_i^2 = x_i.)
x^{2^i} over 𝔽_{2^n} is linear over 𝔽_2
(y_{n-1}, ..., y_1, y_0) = (x_{n-1}, ..., x_1, x_0)^{2^i} = M_sq^i x
is a system of n degree-1 equations:
y_0 = (M_sq^i)_0 x, y_1 = (M_sq^i)_1 x, y_2 = (M_sq^i)_2 x, ..., y_{n-1} = (M_sq^i)_{n-1} x
(where (M)_j denotes row j of M).
x^{2^i+1} over 𝔽_{2^n} is quadratic over 𝔽_2
(z_{n-1}, ..., z_1, z_0) = (x_{n-1}, ..., x_1, x_0)^{2^i+1} = (y_{n-1}, ..., y_1, y_0) * (x_{n-1}, ..., x_1, x_0)
is a system of n degree-2 equations (y is linear in x, and field multiplication is bilinear over 𝔽_2).
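An added example (not from the slides) of the Matsumoto-Imai central map over a constructed field 𝔽_{2^5} = 𝔽_2[x]/(x^5 + x^2 + 1) with a = 1: it builds the squaring matrix M_sq of the previous slides, evaluates Q(x) = x^{2^a+1} as the linear step y = M_sq^a x followed by the field product y·x, and inverts Q with the exponent h = (2^a + 1)^{-1} mod (2^n − 1). The field, the exponent and the function names are this example's own choices.

```python
# Constructed parameters: F_{2^5} = F_2[x]/(x^5 + x^2 + 1) and a = 1, so Q(x) = x^3.
N = 5
POLY = 0b100101      # x^5 + x^2 + 1, irreducible over F_2
A = 1                # exponent 2^a + 1 = 3; gcd(3, 2^5 - 1) = gcd(3, 31) = 1
ORDER = 2 ** N - 1   # size of the multiplicative group: public, unlike RSA's phi(N)

def gf_mul(x, y):
    """Multiply field elements (bit i = coefficient of x^i) modulo POLY."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> N:
            x ^= POLY
    return r

def gf_pow(x, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r

def bits(v):
    """Coordinates (v_0, ..., v_{n-1}) of a field element as a vector over F_2."""
    return [(v >> i) & 1 for i in range(N)]

def from_bits(b):
    return sum(bit << i for i, bit in enumerate(b))

def frobenius_matrix(i):
    """M with M.bits(v) = bits(v^(2^i)): the slides' M_sq^i, an F_2-linear map."""
    cols = [bits(gf_pow(1 << j, 2 ** i)) for j in range(N)]  # image of each basis element x^j
    return [[cols[j][r] for j in range(N)] for r in range(N)]

def mat_vec(M, v):
    return [sum(M[r][j] & v[j] for j in range(N)) % 2 for r in range(N)]

def central_map(x):
    """Q(x) = x^(2^a + 1), computed directly in the field."""
    return gf_pow(x, 2 ** A + 1)

def central_map_via_quadratic(x):
    """Same Q as the slides describe it: y = M_sq^a x (n linear forms), then z = y * x
    (n quadratic forms, since field multiplication is bilinear over F_2)."""
    y = from_bits(mat_vec(frobenius_matrix(A), bits(x)))
    return gf_mul(y, x)

H = pow(2 ** A + 1, -1, ORDER)  # h = (2^a + 1)^{-1} mod (2^n - 1); anyone can compute it

def central_map_inverse(z):
    """Q^{-1}(z) = z^h."""
    return gf_pow(z, H)
```

Because ORDER is public, h is public too, which is why MI (next slide) cannot rest on the RSA-style secrecy of the group order and instead hides Q behind the affine maps S and T.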
MI vs RSA
Unlike the RSA scheme, the size q^n − 1 (here 2^n − 1) of the multiplicative group of 𝔽_{2^n} is known, and thus anyone can compute h from 2^a + 1.
MI thus based the security of the scheme on the different principle of mapping obfuscation (à la McEliece).
SFLASH
The MI scheme was broken by a very clever attack developed by Patarin in 1995.
Based on an idea of Shamir from 1993, Patarin et al. proposed to avoid their own attack by deleting r out of the n equations from the MI public key, and called the resulting scheme SFLASH.
SFLASH
If we denote the final truncation Π, the SFLASH public key is:
P_Π = Π∘T∘Q∘S
Such truncated keys can be used in signature schemes but not in encryption schemes, since they cannot be inverted uniquely.
SFLASH & NESSIE
The SFLASH scheme was selected in 2003 by the 'New European Schemes for Signatures, Integrity and Encryption' (NESSIE) consortium as one of only three recommended public-key signature schemes, and as the best known solution for low-cost smart cards.
The first version of SFLASH, called SFLASHv1, had a subtle bug which was discovered by Gilbert and Minier. It was replaced by two versions (SFLASHv2 & v3).
They differ only in their security parameters:
for SFLASHv2: q = 2^7, n = 37, a = 11 and r = 11
for SFLASHv3: q = 2^7, n = 67, a = 33 and r = 11
Dubois, Fouque, Shamir and Stern broke SFLASHv2 & v3 in 2007.
Variations
[figure: overview of MPKC variations; *as of 2008]
Cryptographic Money based on hidden codes (hidden sub-spaces)
Hidden (Linear) Code
Given:
a linear [n,k,d] code C ⊂ 𝔽^n over an arbitrary finite field 𝔽,
a positive integer degree D,
I_{D,C} = the degree-D polynomials that vanish on C.
For simplicity, assume we use 𝔽 = 𝔽_2.
Hidden Code
Lemma A: It is possible to sample a uniformly random element of I_{D,C} in time O(n^D).
Lemma B: Fix C ⊂ 𝔽_2^{2n} and β > 1, and choose βn independent uniformly random samples from I_{D,C}. With probability 1 − 2^{−Ω(n)}, the set of points on which they are all zero is exactly C.
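An added example of Lemmas A and B over 𝔽_2 (not the slides' or Aaronson-Christiano's code) for a constructed [8,4] code C: it samples uniformly random degree-≤D polynomials vanishing on C by changing to coordinates y = Lx in which C is a coordinate subspace (every monomial must then contain one of the n−k "check" coordinates), and verifies that the common zero set of βn = 4n such polynomials is exactly C. The code, D = 3, the seed and all names are constructed for this example.

```python
import itertools
import random

# Constructed toy parameters: a linear [8,4] code C over F_2 given by 4 generator rows
# (bitmask vectors, bit i = coordinate x_i), and polynomials of degree at most D = 3.
N, K, D = 8, 4, 3
G_ROWS = [0b10000111, 0b01001011, 0b00101101, 0b00011110]

def span(rows):
    """All F_2-linear combinations of the given vectors."""
    vecs = {0}
    for r in rows:
        vecs |= {v ^ r for v in vecs}
    return vecs

def dual(rows):
    """C^perp: the vectors whose inner product with every generator row is 0."""
    return {v for v in range(2 ** N) if all(bin(v & r).count("1") % 2 == 0 for r in rows)}

def independent_subset(vectors, start=()):
    """Greedy Gaussian elimination: 'start' followed by those vectors independent of it."""
    echelon, kept = {}, []
    for v in list(start) + list(vectors):
        w = v
        while w and (w.bit_length() - 1) in echelon:
            w ^= echelon[w.bit_length() - 1]
        if w:
            echelon[w.bit_length() - 1] = w
            kept.append(v)
    return kept

# A multilinear polynomial over F_2 is a set of monomials, each a frozenset of variable indices.
def poly_mul(p, q):
    """Product; x_i^2 = x_i, so the product of two monomials is the union of their index sets."""
    r = set()
    for a in p:
        for b in q:
            r ^= {a | b}
    return r

def poly_eval(p, x):
    """Evaluate p at the point x (a bitmask)."""
    return sum(all((x >> i) & 1 for i in mono) for mono in p) % 2

def sample_vanishing_poly(rng, L, n_dual):
    """Lemma A: uniformly random element of I_{D,C}. In coordinates y = L x, C is the set
    {y_0 = ... = y_{n_dual-1} = 0}, so p vanishes on C exactly when every monomial of p
    contains some y_j with j < n_dual; choose each such monomial with probability 1/2."""
    forms = [{frozenset([i]) for i in range(N) if (row >> i) & 1} for row in L]  # y_j = <L_j, x>
    p = set()
    for deg in range(1, D + 1):
        for mono in itertools.combinations(range(N), deg):
            if mono[0] < n_dual and rng.random() < 0.5:
                term = {frozenset()}
                for j in mono:
                    term = poly_mul(term, forms[j])
                p ^= term
    return p

def build_public_polys(seed=0, count=4 * N):
    """count = beta*n polynomials vanishing on C; their common zero set should be C (Lemma B)."""
    rng = random.Random(seed)
    dual_basis = independent_subset(sorted(dual(G_ROWS)))        # n - k independent checks
    L = independent_subset([1 << i for i in range(N)], start=dual_basis)  # extend to a basis
    return [sample_vanishing_poly(rng, L, len(dual_basis)) for _ in range(count)]

def common_zeros(polys):
    return {x for x in range(2 ** N) if all(poly_eval(p, x) == 0 for p in polys)}
```

For a point outside C some check coordinate y_j is 1, so each sampled polynomial is 0 there with probability exactly 1/2, which is the counting behind Lemma B's 1 − 2^{−Ω(n)}.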
Public Q-Money (Christiano, Aaronson)
P_1(x), P_2(x), ..., P_{βn}(x) define C = Span(G) (public key)
Q_1(x), Q_2(x), ..., Q_{βn}(x) define C^⊥ = Ker(G) (public key)
∀ c ∈ C, c' ∈ C^⊥, i, j: P_i(c) = 0 and Q_j(c') = 0
|$⟩ = ∑_{c∈C} |c⟩,  H^{⊗n} |$⟩ = ∑_{c'∈C^⊥} |c'⟩
Checking |$⟩: using P_1(x), ..., P_{βn}(x), validate that |$⟩ is made only of states from C, and using Q_1(x), ..., Q_{βn}(x), validate that H^{⊗n}|$⟩ is made only of states from C^⊥.
Public Q-Money (Christiano, Aaronson)
P_1(x), ..., P_{βn}(x) define C = Span(G) and Q_1(x), ..., Q_{βn}(x) define C^⊥ = Ker(G) (public key); ∀ c ∈ C, c' ∈ C^⊥, i, j: P_i(c) = 0 and Q_j(c') = 0.
The special structure of (C, C^⊥) yields an attack for degree-2 polynomials, so D must be at least 3.
In Q-Money, C or C^⊥ may be sampled once (measuring the note |$⟩ yields a random element of C, or of C^⊥ after H^{⊗n}).
This weakens the security: degree D = 4 with a sample is as hard as degree 3 without a sample, so they choose D = 4.
Hidden Code
Let Z_{D,C,ε} be the distribution which samples from I_{D,C} with probability 1 − ε and from I_{D,R} with probability ε, where R is a random code of dimension k.
Lemma C: Fix C ⊂ 𝔽_2^{2n} and ε < 1, let β = 32/(1 − ε)^2, and choose βn independent samples from Z_{D,C,ε}. Let δ = 1/2 + (1 − ε)/4. With probability 1 − 2^{−Ω(n)}, the set of points on which at least δβn of the polynomials are zero is exactly C.
Public Q-Money
P'_1(x), P'_2(x), ..., P'_{βn}(x) define C = Span(G) (public key)
Q'_1(x), Q'_2(x), ..., Q'_{βn}(x) define C^⊥ = Ker(G) (public key)
∀ c ∈ C, c' ∈ C^⊥: P'_i(c) = 0 and Q'_j(c') = 0 with probability ≥ δ (over i, j).
Adding misleading polynomials may only make the assumption harder to break...