Abstract
The security of public-key cryptosystems is mostly based on number-theoretic problems like factorization and the discrete logarithm. There exists an algorithm which solves these problems in polynomial time using a quantum computer. Hence, these cryptosystems will be broken as soon as quantum computers emerge. Code-based cryptography is an alternative which resists quantum computers since its security is based on an NP-complete problem, namely decoding of random linear codes. The McEliece cryptosystem is the most prominent scheme to realize code-based cryptography. Many code classes were proposed for the McEliece cryptosystem, but most of them are broken by now. Sendrier suggested using ordinary concatenated codes; however, he also presented an attack on such codes. This work investigates generalized concatenated codes to be used in the McEliece cryptosystem. We examine the application of Sendrier’s attack to generalized concatenated codes and present alternative methods for both partly finding the code structure and recovering the plaintext from a cryptogram. Further, we discuss modifications of the cryptosystem making it resistant against these attacks.
Notes
1. Estimation of the complexity up to a constant factor which does not depend on the parameters of the system.
2. With “nonstructural”, we do not mean “generic”. The method assumes that there is a specific structure, but it does not try to recover it. Therefore, it is not applicable to a McEliece cryptosystem using an arbitrary code class.
3. If the obtained algorithms can correct more than half the minimum distance of errors, we can simply declare a decoding failure if the distance of the codeword to the received word is greater than half the minimum distance.
References
Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): how 1 + 1 = 0 improves information set decoding. In: Advances in Cryptology—EUROCRYPT 2012, pp. 520–536. Springer, Berlin (2012)
Berger, T.P., Loidreau, P.: How to mask the structure of codes for a cryptographic use. Des. Codes Cryptogr. 35(1), 63–79 (2005)
Berlekamp, E.R., McEliece, R.J., Van Tilborg, H.C.A.: On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory 24(3), 384–386 (1978)
Bossert, M.: Channel Coding for Telecommunications. Wiley, New York (1999)
Blokh, È.L., Zyablov, V.V.: Coding of generalized concatenated codes. Problemy Peredachi Informatsii 10(3), 45–50 (1974)
Chizhov, I.V., Borodin, M.A.: The failure of McEliece PKC based on Reed–Muller codes. IACR Cryptol. ePrint Arch. 2013, 287 (2013)
Coffey, J.T., Goodman, R.M.: The complexity of information set decoding. IEEE Trans. Inf. Theory 36(5), 1031–1037 (1990)
Couvreur, A., Márquez-Corbella, I., Pellikaan, R.: A polynomial time attack against algebraic geometry code based public key cryptosystems (2014). arXiv:1401.6025
Chabanne, H., Sendrier, N.: On the concatenated structures of a [49, 18, 12] binary abelian code. Discret. Math. 112(1), 245–248 (1993)
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)
Forney, G.D.: Concatenated Codes. MIT Press, Cambridge (1966)
Heyse, S.: Post quantum cryptography: implementing alternative public key schemes on embedded devices. PhD thesis, Ruhr-Universität Bochum (2013)
Janwa, H., Moreno, O.: McEliece public key cryptosystems using algebraic-geometric codes. Des. Codes Cryptogr. 8(3), 293–307 (1996)
Justesen, J.: Class of constructive asymptotically good algebraic codes. IEEE Trans. Inf. Theory 18(5), 652–656 (1972)
Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: Advances in Cryptology—EUROCRYPT ’88, pp. 275–280. Springer, Berlin (1988)
Li, Y.X., Deng, R.H., Wang, X.M.: On the equivalence of McEliece’s and Niederreiter’s public-key cryptosystems. IEEE Trans. Inf. Theory 40(1), 271–273 (1994)
Lidl, R., Niederreiter, H.: Finite Fields, vol. 20. Cambridge University Press, Cambridge (1997)
McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Prog. Rep. 42(44), 114–116 (1978)
MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error Correcting Codes. Elsevier, Amsterdam (1977)
Minder, L., Shokrollahi, A.: Cryptanalysis of the Sidelnikov cryptosystem. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 347–360. Springer, Berlin (2007)
Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory (Problemy Upravleniya I Teorii Informatsii) 15(2), 159–166 (1986)
Peters, C.: Information-set decoding for linear codes over \(\mathbf{F}_q\). In: Post-Quantum Cryptography, pp. 81–94. Springer, Berlin (2010)
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Sendrier, N.: On the structure of randomly permuted concatenated code. [Research Report] RR-2460, INRIA (1995). <inria-00074216>
Sendrier, N.: On the concatenated structure of a linear code. Appl. Algebra Eng. Commun. Comput. 9(3), 221–242 (1998)
Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)
Sidelnikov, V.M.: Public-key cryptosystem based on binary Reed–Muller codes. Discret. Math. Appl. 4(3), 191–207 (1994)
Sidelnikov, V.M., Shestakov, S.O.: On the insecurity of cryptosystems based on generalized Reed–Solomon codes. Discret. Math. Appl. 2(4), 439–444 (1992)
Wardlaw, W.P.: Matrix representation of finite fields. Math. Mag. 67, 289–293 (1994)
Wieschebrink, C.: Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes. In: International Workshop on Post-Quantum Cryptography, pp. 61–72. Springer, Berlin (2010)
Appendix
1.1 A GCC Construction and Decoding
Generalized concatenated (GC) codes were introduced in [5]. This appendix presents the construction and decoding of GC codes according to [4, Chap. 9]. Code concatenation is used in order to obtain long codes with low decoding complexity. The advantage of a GC code over an OC code of the same length and dimension is that the GC code can correct more errors, see [4]. A GC code consists of one inner code and several outer codes of different dimensions. If we only use one outer code, we obtain an OC code.
The idea of generalized code concatenation is to partition the inner code into several levels of subcodes. We generate a partition tree as follows. The inner code becomes the root of the tree. We partition the inner code into subcodes which form the second level of the tree. We again partition each of the subcodes and continue until we end up at a level in which each subcode consists of only one codeword. These subcodes become the leaves of the tree. Let \(\mathscr {B}_i^{(j)}\big (q;{n_B},{k_B}_i^{(j)},{d_B}_i^{(j)}\big )\) denote the inner codes at level j. The partitioning should be done such that the minimum distance of the subcodes increases strictly monotonically from level to level in the partition tree. Each codeword can be uniquely identified by enumerating the branches of the partition tree and following this enumeration from the root to the corresponding leaf. The numeration from level j to level \(j+1\) is protected by an outer code \(\mathscr {A}^{(j)}\big (q^{k_{j}};{n_A},{k_A^{(j)}},{d_A^{(j)}}\big )\). This encoding scheme matches the definition of GC codes in Sect. 3.2.2 by simply taking \(\theta \) as the function that maps the enumeration of a codeword from the root to a leaf to the codeword of \(\mathscr {B}\) which is contained in this leaf. Note that for many linear codes \(\mathscr {B}\), there is a partitioning which corresponds to an \(\mathbb {F}_q\)-linear mapping \(\theta \) [4]. Also, most practically good GC codes fulfill \({k_{1}}={k_{2}}=\dots ={k_{\ell }}=1\) due to the existence of many linear subcodes of \(\mathscr {B}\) (e.g., Reed–Muller codes), which helps in constructing many partitionings. An example of the encoding and transmission process is visualized in [4, Fig. 9.10].
To obtain a good GC code, the dimensions of the outer codes have to be different. Also, the minimum distances of the outer codes should decrease from level to level. Keeping the product \({d_A^{(j)}} \cdot {d_B}_i^{(j)}\) for all i, j roughly constant also leads to good properties. The latter follows from a decoding procedure that reduces the problem of decoding GC codes to a sequence of \(\ell \) decoders of OC codes with minimum distances \({d_A^{(j)}} \cdot {d_B}_{i_j}^{(j)}\) for some sequence of \(i_j\)’s for all \(j=1,\dots ,\ell \). We refer to the example presented in [4, Fig. 9.11]. The length of the constructed GC code is \({n_\mathrm {GC}}= {n_A}\cdot {n_B}\), the dimension is \(k = \sum _{i=1}^{\ell } {k_A^{(i)}}\), and the minimum distance is lower bounded by \({d_\mathrm {GC}}\ge \min _{i,j}\big ({d_A^{(j)}} \cdot {d_B}_i^{(j)}\big )\).
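The construction above, worked through on a small binary instance (an added example written for this page, not code from the paper or its authors): the inner code \(\mathscr {B}(4,2,2)\) is partitioned into the two cosets of its repetition subcode \((4,1,4)\), so \(k_1 = k_2 = 1\); the coset choice (level 1) is protected by a \((7,4,3)\) Hamming code and the choice inside the coset (level 2) by the trivial \((7,7,1)\) code. The code checks by brute force that the resulting GC code has length \(n_A \cdot n_B = 28\), dimension \(\sum_i k_A^{(i)} = 11\), and that its true minimum distance meets the bound \(d_\mathrm {GC}\ge \min _{j}\big ({d_A^{(j)}} \cdot {d_B}^{(j)}\big )\). All parameters are our own choice.

```python
import itertools

N_A = 7
# Inner code B = {0000, 1100, 0011, 1111}: the first generator picks the coset of the
# repetition code {0000, 1111}, the second one moves inside that coset (this is theta).
THETA_GEN = [(1, 1, 0, 0), (1, 1, 1, 1)]
# Outer codes (generator matrices over F_2): a (7,4,3) Hamming code for level 1,
# the trivial (7,7,1) code for level 2 (constructed example parameters).
HAMMING_G = [(1, 0, 0, 0, 1, 1, 0), (0, 1, 0, 0, 1, 0, 1),
             (0, 0, 1, 0, 0, 1, 1), (0, 0, 0, 1, 1, 1, 1)]
IDENTITY_G = [tuple(int(i == j) for j in range(N_A)) for i in range(N_A)]
OUTER_G = [HAMMING_G, IDENTITY_G]
D_A = (3, 1)   # minimum distances of the outer codes at level 1 and 2
D_B = (2, 4)   # minimum distances of B and of its subcode at level 1 and 2

def encode_outer(G, msg):
    """Encode a message (sequence of bits) with generator matrix G over F_2."""
    return tuple(sum(m & g[j] for m, g in zip(msg, G)) & 1 for j in range(len(G[0])))

def theta(level_bits):
    """theta: enumeration (level-1 bit, level-2 bit) of the partition tree -> codeword of B."""
    word = [0] * 4
    for bit, gen in zip(level_bits, THETA_GEN):
        if bit:
            word = [w ^ g for w, g in zip(word, gen)]
    return tuple(word)

def encode_gc(messages):
    """Encode one message per level: outer encoding first, then theta column by column."""
    outer_words = [encode_outer(G, m) for G, m in zip(OUTER_G, messages)]
    codeword = []
    for j in range(N_A):
        codeword.extend(theta(tuple(a[j] for a in outer_words)))
    return tuple(codeword)

def gc_parameters():
    """Brute-force (length, dimension, true minimum distance) of the GC code."""
    k_levels = [len(G) for G in OUTER_G]
    codewords = set()
    for bits in itertools.product((0, 1), repeat=sum(k_levels)):
        msgs, pos = [], 0
        for k in k_levels:
            msgs.append(bits[pos:pos + k])
            pos += k
        codewords.add(encode_gc(msgs))
    d = min(sum(c) for c in codewords if any(c))
    k = len(codewords).bit_length() - 1      # log2 of the number of distinct codewords
    return len(next(iter(codewords))), k, d

def lower_bound_d():
    """The bound from this appendix: d_GC >= min_j d_A^(j) * d_B^(j)."""
    return min(a * b for a, b in zip(D_A, D_B))

if __name__ == "__main__":
    n, k, d = gc_parameters()
    print(f"GC code ({n}, {k}, {d}); bound d_GC >= {lower_bound_d()}")
```

Here the bound is tight: a level-2 message of weight one yields a single inner block 1111, while any nonzero level-1 codeword contributes at least three blocks of weight two.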
1.2 B Proof of Theorem 2
In this appendix, we prove Theorem 2. We first recall some useful and well-known facts about vector and matrix representations of extension fields.
Every finite field \(\mathbb {F}_{q^{m}}\) is an \(\mathbb {F}_q\)-vector space of dimension m. Thus, there is a basis \(B= \{\beta _1,\dots ,\beta _m\} \subseteq \mathbb {F}_{q^{m}}\) in which every element \(a \in \mathbb {F}_{q^{m}}\) has a unique representation \(a = \sum _{i=1}^{m} a_i \beta _i\) with \(a_i \in \mathbb {F}_q\). Define the vector space isomorphism
We call \(\mathrm {ext}_B(a)\) the vector representation of a with respect to the basis \(B\). It is well known that the set \(\{\mathrm {ext}_B(\cdot ) : B \text { basis of } \mathbb {F}_{q^{m}} \text { over } \mathbb {F}_q\}\) is equal to the set of all vector space isomorphisms (\(=\) \(\mathbb {F}_q\)-linear maps) \(\mathbb {F}_{q^{m}} \rightarrow \mathbb {F}_q^m\). This implies that for any \(b \in \mathbb {F}_{q^{m}}\) and \(\mathbf {b}\in \mathbb {F}_q^m\), there is a basis \(B\) such that \(\mathrm {ext}_B(b) = \mathbf {b}\).
Lemma 3
Some facts about vector and matrix representation of finite extensions of finite fields \(\mathbb {F}_{q^{m}}/\mathbb {F}_q\):
(i) Every finite field \(\mathbb {F}_{q^{m}}\) is isomorphic to a subfield \(\mathscr {M}_{q^{m}}\) of the matrix ring \(\mathbb {F}_q^{m \times m}\). We write \(\mathrm {mr}(a) \in \mathscr {M}_{q^{m}}\) to denote the matrix representation of an element \(a \in \mathbb {F}_{q^{m}}\).
(ii) Every column or row of a matrix representation of \(\mathbb {F}_{q^{m}}\) can be used to uniquely represent the elements of \(\mathbb {F}_{q^{m}}\). We denote the vector representation of an element \(a \in \mathbb {F}_{q^{m}}\), given by this column or row, by \(\mathrm {vr}(a) \in \mathbb {F}_q^m\). Moreover, \(\mathrm {vr}(\cdot ) = \mathrm {ext}_B(\cdot )\) for some basis \(B\).
(iii) If a specific column or row as in (ii) is chosen, the set of representative vectors of all elements in \(\mathbb {F}_{q^{m}}\) is equal to \(\mathbb {F}_q^m\).
(iv) If a specific row as in (ii) is chosen, the multiplication of two elements \(a,b \in \mathbb {F}_{q^{m}}\) corresponds to \(\mathrm {vr}(a \cdot b) = \mathrm {vr}(a) \cdot \mathrm {mr}(b)\).
(v) If a specific column as in (ii) is chosen, the multiplication of two elements \(a,b \in \mathbb {F}_{q^{m}}\) corresponds to \(\mathrm {vr}(a \cdot b) = \mathrm {mr}(a) \cdot \mathrm {vr}(b)\).
(vi) For a specific row or column as in (ii) and an arbitrary basis B of \(\mathbb {F}_{q^{m}}\) over \(\mathbb {F}_q\), \(\mathscr {M}_{q^{m}}\) can be chosen such that the vector representation of \(a \in \mathbb {F}_{q^{m}}\) is \(\mathrm {ext}_B(a)\).
Proof
(i) This statement is well known and can be found in [18] or [30].
(ii) Since multiplication, addition and inversion in \(\mathbb {F}_{q^{m}}\) correspond to the same operations on matrices in \(\mathscr {M}_{q^{m}}\), all matrices in \(\mathscr {M}_{q^{m}}\) except for the zero matrix are invertible. Now choose an arbitrary row (column) index i. We show that the rows (columns) of this index of the matrices in \(\mathscr {M}_{q^{m}}\) are distinct. Choose two matrices \(\mathbf {M}_1,\mathbf {M}_2 \in \mathscr {M}_{q^{m}}\) and assume that their i-th rows (columns) are the same. Then the i-th row (column) of \(\mathbf {M}_1-\mathbf {M}_2 \in \mathscr {M}_{q^{m}}\) is the zero vector. Thus, \(\mathbf {M}_1-\mathbf {M}_2\) is not invertible and must be the zero matrix, implying that \(\mathbf {M}_1=\mathbf {M}_2\). Let \(\phi (\mathbf {M})\) be the operation of extracting the chosen row (column) from \(\mathbf {M} \in \mathscr {M}_{q^{m}}\). Since
$$\begin{aligned} \phi (\mathrm {mr}(\alpha \cdot a + \beta \cdot b)) &= \phi (\alpha \cdot \mathrm {mr}(a) + \beta \cdot \mathrm {mr}(b)) \\ &= \alpha \cdot \phi (\mathrm {mr}(a)) + \beta \cdot \phi (\mathrm {mr}(b)) \end{aligned}$$
for all \(\alpha , \beta \in \mathbb {F}_q\) and \(a,b \in \mathbb {F}_{q^{m}}\), \(\phi (\mathrm {mr}(\cdot ))\) is a vector space isomorphism and is therefore equal to \(\mathrm {ext}_B(\cdot )\) for some basis \(B\).
(iii) This follows from a simple counting argument. Due to (ii), a specific row (column) represents all elements of \(\mathscr {M}_{q^{m}}\), and thus of \(\mathbb {F}_{q^{m}}\), uniquely. Hence, \(|\{\mathrm {vr}(a) : a \in \mathbb {F}_{q^{m}}\}| = |\mathbb {F}_{q^{m}}| = q^m = |\mathbb {F}_q^m|\). Since \(\{\mathrm {vr}(a) : a \in \mathbb {F}_{q^{m}}\} \subseteq \mathbb {F}_q^m\), it follows that \(\{\mathrm {vr}(a) : a \in \mathbb {F}_{q^{m}}\} = \mathbb {F}_q^m\).
(iv) This follows from \(\mathrm {mr}(a \cdot b) = \mathrm {mr}(a) \cdot \mathrm {mr}(b)\) by looking at the operations necessary to calculate the i-th row (\(= \mathrm {vr}(a \cdot b)\)) of the product on the right-hand side: it is the i-th row of \(\mathrm {mr}(a)\), i.e., \(\mathrm {vr}(a)\), multiplied from the right by \(\mathrm {mr}(b)\).
(v) Analogous to (iv), with the i-th column of the product being \(\mathrm {mr}(a)\) multiplied by the i-th column of \(\mathrm {mr}(b)\).
(vi) The statement is clear since we can simply change the basis of the matrix representation by setting \(\mathrm {mr}_\mathrm {new}(a) = B \cdot \mathrm {mr}(a) \cdot B^{-1}\) for all \(a \in \mathbb {F}_{q^{m}}\), where \(B\) here denotes the change-of-basis matrix.
\(\blacksquare \)
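Lemma 3 worked through in code (an added example written for this page, not from the paper): we take \(\mathbb {F}_{16} = \mathbb {F}_2[x]/(x^4+x+1)\), build \(\mathrm {mr}(a)\) as the matrix of multiplication by a in the polynomial basis (row i is \(\mathrm {ext}_B(a \cdot x^i)\)), and check statements (i) to (v) exhaustively over all pairs of field elements. The field, the modulus and the row and column indices used for \(\mathrm {vr}(\cdot )\) are our own choices.

```python
M = 4
POLY = 0b10011  # x^4 + x + 1, irreducible over F_2 (constructed example: F_16)

def gf_mul(a, b):
    """Multiply two elements of F_{2^M} given as integers (bit i = coefficient of x^i)."""
    r = 0
    for _ in range(M):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:          # reduce modulo POLY whenever degree reaches M
            a ^= POLY
    return r

def ext(a):
    """ext_B(a): coordinates of a in the polynomial basis {1, x, ..., x^(M-1)}."""
    return tuple((a >> i) & 1 for i in range(M))

def mr(a):
    """Matrix representation: row i is ext_B(a * x^i), so v -> v . mr(a) is 'multiply by a'."""
    return [ext(gf_mul(a, 1 << i)) for i in range(M)]

def mat_mul(A, B):
    """Product of two M x M matrices over F_2."""
    return [tuple(sum(A[i][k] & B[k][j] for k in range(M)) & 1 for j in range(M)) for i in range(M)]

def vec_mat(v, A):
    """Row vector times matrix over F_2."""
    return tuple(sum(v[k] & A[k][j] for k in range(M)) & 1 for j in range(M))

def mat_vec(A, v):
    """Matrix times column vector over F_2."""
    return tuple(sum(A[i][k] & v[k] for k in range(M)) & 1 for i in range(M))

def row(A, i):
    return tuple(A[i])

def col(A, j):
    return tuple(A[i][j] for i in range(M))

def check_lemma3(i=1, j=2):
    """Verify Lemma 3 (i)-(v) exhaustively on F_16, using row i and column j as vr(.)."""
    elems = range(1 << M)
    pairs = [(a, b) for a in elems for b in elems]
    return {
        # (i): mr is a ring homomorphism, so {mr(a)} is a field isomorphic to F_16
        "homomorphism": all(mat_mul(mr(a), mr(b)) == mr(gf_mul(a, b)) for a, b in pairs),
        # (ii)/(iii): a fixed row (or column) of mr(.) is injective and hits all of F_2^M
        "row_bijective": len({row(mr(a), i) for a in elems}) == 1 << M,
        "col_bijective": len({col(mr(a), j) for a in elems}) == 1 << M,
        # (iv): with vr = row i, vr(a*b) = vr(a) . mr(b)
        "row_mult": all(row(mr(gf_mul(a, b)), i) == vec_mat(row(mr(a), i), mr(b)) for a, b in pairs),
        # (v): with vr = column j, vr(a*b) = mr(a) . vr(b)
        "col_mult": all(col(mr(gf_mul(a, b)), j) == mat_vec(mr(a), col(mr(b), j)) for a, b in pairs),
    }

if __name__ == "__main__":
    print(check_lemma3())
```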
Using these definitions and statements, we are able to prove Theorem 2. We also recall its statement.
Theorem 2
If \({k_{1}}={k_{2}}=\dots ={k_{\ell }}\), a GCC is an OCC \(\Leftrightarrow \) \(\mathscr {A}^{(i)}=\mathscr {A}^{(j)}\) \(\forall i,j\).
Proof
“\(\Rightarrow \)”: Let \(\mathscr {C}_\mathrm {GC}= \varTheta (\bigoplus _{i=1}^{\ell } \mathscr {A}^{(i)})\), with \(\theta \) \(\mathbb {F}_q\)-linear, be a GC code. Assume that \(\mathscr {C}_\mathrm {GC}\) is an OCC. Then, there are an \(\mathbb {F}_q\)-linear \(\theta '\) and an \(\mathbb {F}_{q^{{k_B}}}\)-linear code \(\mathscr {A}\) such that \(\varTheta '(\mathscr {A}) = \varTheta \left( \bigoplus _{i=1}^{\ell } \mathscr {A}^{(i)}\right) \) and thus,
Hence, \(\varTheta '^{-1}\left( \varTheta \left( \bigoplus _{i=1}^{\ell } \mathscr {A}^{(i)}\right) \right) \) must be an \(\mathbb {F}_{q^{{k_B}}}\)-linear code. The mapping \(\varTheta '^{-1}(\varTheta (\cdot )): \bigoplus _{i=1}^{\ell } \mathbb {F}_{q^{{k_{i}}}}^{n_A}\rightarrow \mathbb {F}_{q^{{k_B}}}^{n_A}\) is componentwise \(\mathbb {F}_q\)-linear, i.e., there is an \(\mathbb {F}_q\)-linear mapping \(\tilde{\theta } : \bigoplus _{i=1}^{\ell } \mathbb {F}_{q^{{k_{i}}}} \rightarrow \mathbb {F}_{q^{{k_B}}}\) such that
for all \(\mathbf {a}_i \in \mathbb {F}_{q^{{k_{i}}}}\). Due to \({k_B}= \sum _{i=1}^{\ell } {k_{i}} = \sum _{i=1}^{\ell } {k_{1}} = \ell \cdot {k_{1}}\), \({k_{i}} = {k_{1}}|{k_B}\) and \(\mathbb {F}_{q^{{k_B}}}\) can be seen as an extension field of \(\mathbb {F}_{q^{{k_{1}}}}\) with extension degree \([\mathbb {F}_{q^{{k_B}}} : \mathbb {F}_{q^{{k_{1}}}}] = \ell \).
Choosing the corresponding matrix representation of \(\alpha \in \mathbb {F}_{q^{{k_B}}}\) over \(\mathbb {F}_{q^{{k_{1}}}}\) as in Lemma 3, we can write
Since \(\mathbf {a}_i \in \mathscr {A}^{(i)}\) for all i implies \(\begin{bmatrix} \tilde{a}_1&\tilde{a}_2&\dots&\tilde{a}_{n_A}\end{bmatrix} \in \mathscr {A}\), also \(\alpha \cdot \begin{bmatrix} \tilde{a}_1&\tilde{a}_2&\dots&\tilde{a}_{n_A}\end{bmatrix}\) must be in \(\mathscr {A}\) for all \(\alpha \in \mathbb {F}_{q^{{k_B}}}\) and thus, \(\mathrm {ext}_B\left( \alpha \cdot \begin{bmatrix} \tilde{a}_1&\tilde{a}_2&\dots&\tilde{a}_{n_A}\end{bmatrix} \right) \in \bigoplus _{i=1}^{\ell } \mathscr {A}^{(i)}\). Due to Lemma 3, we can choose \(\alpha \) such that the i-th row of \(\mathrm {mr}(\alpha )\) is an arbitrary \(\begin{bmatrix} \alpha _1&\alpha _2&\dots&\alpha _\ell \end{bmatrix} \in \mathbb {F}_{q^{{k_{i}}}}^\ell \), and then the i-th row of \(\mathrm {ext}_B\left( \alpha \cdot \begin{bmatrix} \tilde{a}_1&\tilde{a}_2&\dots&\tilde{a}_{n_A}\end{bmatrix} \right) \) is \(\sum _{j=1}^{\ell } \alpha _j \mathbf {a}_j\). Choosing \(\alpha _j = 1\) and all other coefficients equal to zero shows that \(\mathscr {A}^{(j)} \subseteq \mathscr {A}^{(i)}\) for all \(j,i=1,\dots ,\ell \), and thus all outer codes \(\mathscr {A}^{(i)}\) are the same.
“\(\Leftarrow \)” : If \(\mathscr {A}^{(j)} = \mathscr {A}^{(i)}\) for all i, j, we can choose any basis B of \(\mathbb {F}_{q^{{k_B}}}\) over \(\mathbb {F}_{q^{{k_{i}}}}\). Since multiplying elements of \(\mathrm {ext}_B^{-1}(\bigoplus _{i=1}^{\ell } \mathscr {A}^{(i)})\) by \(\mathbb {F}_{q^{{k_B}}}\) scalars corresponds to a left multiplication by a matrix in \(\mathscr {M}_{q^{{k_B}}}\), and any \(\mathbb {F}_{q^{{k_{i}}}}\)-linear combination of elements of different \(\mathscr {A}^{(i)}\)’s again is contained in any \(\mathscr {A}^{(i)}\), the set \(\mathscr {A}:= \mathrm {ext}_B^{-1}(\bigoplus _{i=1}^{\ell } \mathscr {A}^{(i)})\) is an \(\mathbb {F}_{q^{{k_B}}}\)-linear code. The \(\mathbb {F}_q\)-linear map is given by \(\theta \circ \mathrm {ext}_B\).\(\blacksquare \)
1.3 C Work Factor of Nonstructural Attack on Code Ex. in [25]
This appendix computes the work factor of our nonstructural attack presented in Sect. 6.2 when applied to the OC code example which was proposed by Sendrier in [25] with parameters \((2048, 308, \ge 425)\).
The inner code is a random code \(\mathscr {B}(16, 7, 5)\) over \(\mathbb {F}_{2}\) and the outer code is a GRS code \(\mathscr {A}(128, 44, 85)\) over \(\mathbb {F}_{2^7}\). A simulation was performed using Matlab on 1500 random codes \(\mathscr {B}(16, 7, 5)\) by adding errors with a probability of \(\frac{212}{2048}\) to each codeword of \(\mathscr {B}\) and then decoding it; 1,000,000 codewords were used for each code. The estimates for the probabilities of correct decoding, wrong decoding and decoding failure are \(p_\mathsf {c} = 0.7741\), \(p_\mathsf {w} = 0.0441 \) and \(p_\mathsf {f} = 0.1818\), respectively. The corresponding standard deviations are 0.00042, 0.0043 and 0.0043. The expected numbers of correctly decoded, wrongly decoded and failed inner blocks are then given by
By choosing \(m={k_A}=44\) inner blocks, we obtain the work factor
With
\(W_1 \ll W_2\), and the overall work factor is then equal to
This work factor is considered to be insecure [13].
© 2017 Springer International Publishing AG
Puchinger, S., Müelich, S., Ishak, K., Bossert, M. (2017). Code-Based Cryptosystems Using Generalized Concatenated Codes. In: Kotsireas, I., Martínez-Moro, E. (eds) Applications of Computer Algebra. ACA 2015. Springer Proceedings in Mathematics & Statistics, vol 198. Springer, Cham. https://doi.org/10.1007/978-3-319-56932-1_26
DOI: https://doi.org/10.1007/978-3-319-56932-1_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-56930-7
Online ISBN: 978-3-319-56932-1