
Code-Based Cryptosystems Using Generalized Concatenated Codes

Conference paper, in: Applications of Computer Algebra (ACA 2015)

Part of the book series: Springer Proceedings in Mathematics & Statistics (PROMS, volume 198)

Abstract

The security of public-key cryptosystems is mostly based on number-theoretic problems like factorization and the discrete logarithm. There exists an algorithm which solves these problems in polynomial time on a quantum computer. Hence, these cryptosystems will be broken as soon as large quantum computers emerge. Code-based cryptography is an alternative which resists quantum computers, since its security is based on an NP-complete problem, namely decoding of random linear codes. The McEliece cryptosystem is the most prominent scheme to realize code-based cryptography. Many code classes were proposed for the McEliece cryptosystem, but most of them are broken by now. Sendrier suggested using ordinary concatenated codes; however, he also presented an attack on such codes. This work investigates generalized concatenated codes for use in the McEliece cryptosystem. We examine the application of Sendrier's attack to generalized concatenated codes and present alternative methods both for partly finding the code structure and for recovering the plaintext from a cryptogram. Further, we discuss modifications of the cryptosystem making it resistant against these attacks.


Notes

1. Estimation of the complexity up to a constant factor which does not depend on the parameters of the system.

2. With "nonstructural", we do not mean "generic". The method assumes that there is a specific structure, but it does not try to recover it. Therefore, it is not applicable to a McEliece cryptosystem using an arbitrary code class.

3. If the obtained algorithms can correct more than half the minimum distance of errors, we can simply declare a decoding failure if the distance between the decoded codeword and the received word is greater than half the minimum distance.

References

1. Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): how 1 + 1 = 0 improves information set decoding. In: Advances in Cryptology – EUROCRYPT 2012, pp. 520–536. Springer, Berlin (2012)

2. Berger, T.P., Loidreau, P.: How to mask the structure of codes for a cryptographic use. Des. Codes Cryptogr. 35(1), 63–79 (2005)

3. Berlekamp, E.R., McEliece, R.J., van Tilborg, H.C.A.: On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory 24(3), 384–386 (1978)

4. Bossert, M.: Channel Coding for Telecommunications. Wiley, New York (1999)

5. Blokh, È.L., Zyablov, V.V.: Coding of generalized concatenated codes. Problemy Peredachi Informatsii 10(3), 45–50 (1974)

6. Chizhov, I.V., Borodin, M.A.: The failure of McEliece PKC based on Reed–Muller codes. IACR Cryptol. ePrint Arch. 2013, 287 (2013)

7. Coffey, J.T., Goodman, R.M.: The complexity of information set decoding. IEEE Trans. Inf. Theory 36(5), 1031–1037 (1990)

8. Couvreur, A., Márquez-Corbella, I., Pellikaan, R.: A polynomial time attack against algebraic geometry code based public key cryptosystems (2014). arXiv:1401.6025

9. Chabanne, H., Sendrier, N.: On the concatenated structures of a [49, 18, 12] binary abelian code. Discret. Math. 112(1), 245–248 (1993)

10. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

11. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)

12. Forney, G.D., Jr.: Concatenated Codes. MIT Press, Cambridge (1966)

13. Heyse, S.: Post quantum cryptography: implementing alternative public key schemes on embedded devices. Dr.-Ing. dissertation, Bochum (2013)

14. Janwa, H., Moreno, O.: McEliece public key cryptosystems using algebraic-geometric codes. Des. Codes Cryptogr. 8(3), 293–307 (1996)

15. Justesen, J.: A class of constructive asymptotically good algebraic codes. IEEE Trans. Inf. Theory 18(5), 652–656 (1972)

16. Lee, P.J., Brickell, E.F.: An observation on the security of McEliece's public-key cryptosystem. In: Workshop on the Theory and Application of Cryptographic Techniques (EUROCRYPT '88). Springer, Berlin, Heidelberg (1988)

17. Li, Y.X., Deng, R.H., Wang, X.M.: On the equivalence of McEliece's and Niederreiter's public-key cryptosystems. IEEE Trans. Inf. Theory 40(1), 271–273 (1994)

18. Lidl, R., Niederreiter, H.: Finite Fields, vol. 20. Cambridge University Press, Cambridge (1997)

19. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Progress Report 42-44, 114–116 (1978)

20. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes. Elsevier, Amsterdam (1977)

21. Minder, L., Shokrollahi, A.: Cryptanalysis of the Sidelnikov cryptosystem. In: Advances in Cryptology – EUROCRYPT 2007, pp. 347–360. Springer, Berlin (2007)

22. Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory 15(2), 159–166 (1986)

23. Peters, C.: Information-set decoding for linear codes over \(\mathbf{F}_q\). In: Post-Quantum Cryptography (PQCrypto 2010), pp. 81–94. Springer, Berlin (2010)

24. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

25. Sendrier, N.: On the structure of randomly permuted concatenated code. Research Report RR-2460, INRIA (1995). inria-00074216

26. Sendrier, N.: On the concatenated structure of a linear code. Appl. Algebra Eng. Commun. Comput. 9(3), 221–242 (1998)

27. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th Annual Symposium on Foundations of Computer Science (FOCS 1994), pp. 124–134. IEEE (1994)

28. Sidelnikov, V.M.: Public-key cryptosystem based on binary Reed–Muller codes. Discret. Math. Appl. 4(3), 191–207 (1994)

29. Sidelnikov, V.M., Shestakov, S.O.: On the insecurity of cryptosystems based on generalized Reed–Solomon codes. Discret. Math. Appl. 2(4), 439–444 (1992)

30. Wardlaw, W.P.: Matrix representation of finite fields. Math. Mag. 67, 289–293 (1994)

31. Wieschebrink, C.: Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes. In: Post-Quantum Cryptography (PQCrypto 2010), pp. 61–72. Springer, Berlin (2010)

Author information

Corresponding author: Sven Puchinger.

Appendix

Appendix A: GCC Construction and Decoding

Generalized concatenated (GC) codes were introduced in [5]. This appendix presents the construction and decoding of GC codes following [4, Chap. 9]. Code concatenation is used to obtain long codes with low decoding complexity. The advantage of a GC code over an ordinary concatenated (OC) code of the same length and dimension is that the GC code can correct more errors, see [4]. A GC code consists of one inner code and several outer codes of different dimensions. If only one outer code is used, we obtain an OC code.

The idea of generalized code concatenation is to partition the inner code into several levels of subcodes. We generate a partition tree as follows. The inner code becomes the root of the tree. We partition the inner code into subcodes, which form the second level of the tree. We again partition each of these subcodes and continue until we reach a level at which each subcode consists of only one codeword. These subcodes become the leaves of the tree. Let \(\mathscr {B}_i^{(j)}\big (q;{n_B},{k_B}_i^{(j)},{d_B}_i^{(j)}\big )\) denote the inner codes at level j. The partitioning should be done such that the minimum distance of the subcodes increases strictly monotonically from level to level in the partition tree. Each codeword can be uniquely identified by enumerating the branches of the partition tree and following this enumeration from the root to the corresponding leaf. The enumeration from level j to level \(j+1\) is protected by an outer code \(\mathscr {A}^{(j)}\big (q^{k_{j}};{n_A},{k_A^{(j)}},{d_A^{(j)}}\big )\), i.e., an outer code over \(\mathbb {F}_{q^{k_j}}\) whose symbols select one of the \(q^{k_j}\) subcodes into which a level-j subcode is split. This encoding scheme matches the definition of GC codes in Sect. 3.2.2 by simply taking \(\theta \) as the function that maps the enumeration of a codeword from the root to a leaf to the codeword of \(\mathscr {B}\) contained in this leaf. Note that for many linear codes \(\mathscr {B}\), there is a partitioning that corresponds to an \(\mathbb {F}_q\)-linear mapping \(\theta \) [4]. Also, most practically good GC codes fulfill \({k_{1}}={k_{2}}=\dots ={k_{\ell }}=1\) due to the existence of many linear subcodes of \(\mathscr {B}\) (e.g., Reed–Muller codes), which helps in constructing many partitionings. An example of the encoding and transmission process is visualized in [4, Fig. 9.10].

To obtain a good GC code, the dimensions of the outer codes have to be different. Also, the minimum distances of the outer codes should decrease from level to level. Keeping the product \({d_A^{(j)}} \cdot {d_B}_i^{(j)}\) roughly constant for all i, j also leads to good properties. The latter follows from a decoding procedure that reduces the problem of decoding GC codes to a sequence of \(\ell \) decoders of OC codes with minimum distances \({d_A^{(j)}} \cdot {d_B}_{i_j}^{(j)}\) for some sequence of \(i_j\)'s, \(j=1,\dots ,\ell \): the levels are decoded one after the other, and after each level the decided contribution is subtracted from the received word before the next level is decoded. We refer to the example presented in [4, Fig. 9.11]. The length of the constructed GC code is \({n_\mathrm {GC}}= {n_A}\cdot {n_B}\), its dimension in q-ary symbols is \(k = \sum _{i=1}^{\ell } k_i \cdot {k_A^{(i)}}\), which equals \(\sum _{i=1}^{\ell } {k_A^{(i)}}\) in the common case \(k_1 = \dots = k_\ell = 1\), and the minimum distance is lower bounded by \({d_\mathrm {GC}}\ge \min _{i,j}\big ({d_A^{(j)}} \cdot {d_B}_i^{(j)}\big )\).
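The construction and the level-by-level decoding described in this appendix, as an added worked example that is not part of the paper: a binary GC code whose inner partition chain is \((6,3,2) \supset (6,2,3) \supset (6,1,6) \supset \{0\}\) (so \(k_1 = k_2 = k_3 = 1\)) with outer codes \((7,1,7)\), \((7,4,3)\) and \((7,6,2)\). The bound gives \(d_\mathrm{GC} \ge \min(7 \cdot 2, 3 \cdot 3, 2 \cdot 6) = 9\), and brute force over all \(2^{11}\) codewords confirms equality. All code parameters, generator matrices, the message and the error pattern are constructed here for illustration; the inner decisions are hard decisions, which is weaker than the reliability-based decoding in [4] but shows the multistage structure.

```python
"""Toy generalized concatenated (GC) code over F_2 with multistage decoding.

Added example; not code from the paper.  Parameters are chosen for illustration:
inner partition chain (6,3,2) > (6,2,3) > (6,1,6) > {0}, so k_1 = k_2 = k_3 = 1,
and three binary outer codes of length n_A = 7.
"""
from itertools import product

N_A, N_B = 7, 6

# Coset representatives of the inner partition chain, level 1 first:
# B^(1) = span{g1,g2,g3} = (6,3,2), B^(2) = span{g2,g3} = (6,2,3), B^(3) = {0,g3} = (6,1,6).
INNER_GENS = [
    [1, 1, 0, 1, 1, 0],   # g1: B^(1) = B^(2) + {0, g1}
    [1, 1, 1, 0, 0, 0],   # g2: B^(2) = B^(3) + {0, g2}
    [1, 1, 1, 1, 1, 1],   # g3: B^(3) = {0, g3}
]

# Systematic generator matrices of the outer codes A^(1), A^(2), A^(3):
# (7,1,7) repetition, (7,4,3) Hamming, (7,6,2) single parity check.
# Their minimum distances decrease from level to level, as the appendix recommends.
OUTER_GENS = [
    [[1, 1, 1, 1, 1, 1, 1]],
    [[1, 0, 0, 0, 1, 1, 0], [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1], [0, 0, 0, 1, 1, 1, 1]],
    [[1, 0, 0, 0, 0, 0, 1], [0, 1, 0, 0, 0, 0, 1], [0, 0, 1, 0, 0, 0, 1],
     [0, 0, 0, 1, 0, 0, 1], [0, 0, 0, 0, 1, 0, 1], [0, 0, 0, 0, 0, 1, 1]],
]
OUTER_K = [len(g) for g in OUTER_GENS]     # 1, 4, 6
K_GC = sum(OUTER_K)                         # 11


def add(u, v):
    return [a ^ b for a, b in zip(u, v)]


def dist(u, v):
    return sum(a ^ b for a, b in zip(u, v))


def encode(gens, msg):
    """F_2-linear encoding: sum of the generator rows selected by msg."""
    word = [0] * len(gens[0])
    for bit, row in zip(msg, gens):
        if bit:
            word = add(word, row)
    return word


def span(gens, n):
    """All codewords of the binary code generated by gens (brute force)."""
    if not gens:
        return [[0] * n]
    return [encode(gens, m) for m in product((0, 1), repeat=len(gens))]


def min_distance(code):
    return min(sum(c) for c in code if any(c))


def subcode(j):
    """B^(j+1) of the chain: spanned by g_{j+1}, ..., g_3 (subcode(3) is {0})."""
    return span(INNER_GENS[j:], N_B)


def gc_encode(msg):
    """Split the 11 message bits over the levels, outer-encode each part, then map
    every column of the outer codewords (a path root -> leaf) to an inner codeword."""
    outer_words, pos = [], 0
    for gens, k in zip(OUTER_GENS, OUTER_K):
        outer_words.append(encode(gens, msg[pos:pos + k]))
        pos += k
    codeword = []
    for p in range(N_A):
        path = [a[p] for a in outer_words]      # one branch choice per level
        codeword += encode(INNER_GENS, path)     # theta is F_2-linear here
    return codeword


def gc_codebook():
    """All 2^11 codewords, via the images of the unit message vectors."""
    units = [[int(t == i) for t in range(K_GC)] for i in range(K_GC)]
    return span([gc_encode(u) for u in units], N_A * N_B)


def nearest(code, r):
    """Brute-force minimum-distance decoding (fine for these tiny outer codes)."""
    return min(code, key=lambda c: dist(c, r))


def gc_decode(received):
    """Multistage decoding with hard decisions: per level, decide for each inner
    block which coset of B^(j+1) inside B^(j) is closest, decode the resulting
    length-7 word with A^(j), then subtract that level's contribution."""
    blocks = [list(received[p * N_B:(p + 1) * N_B]) for p in range(N_A)]
    msg = []
    for j, (g, outer, k) in enumerate(zip(INNER_GENS, OUTER_GENS, OUTER_K)):
        sub = subcode(j + 1)
        v_hat = []
        for r in blocks:
            d0 = min(dist(r, c) for c in sub)            # coset 0*g + B^(j+1)
            d1 = min(dist(r, add(c, g)) for c in sub)    # coset 1*g + B^(j+1)
            v_hat.append(0 if d0 <= d1 else 1)
        a_hat = nearest(span(outer, N_A), v_hat)
        msg += a_hat[:k]                                 # generators are systematic
        blocks = [add(r, g) if a else r for r, a in zip(blocks, a_hat)]
    return msg


MESSAGE = [1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0]   # constructed: 1 + 4 + 6 message bits


def demo():
    """Flip one bit in three different inner blocks (constructed errors) and decode."""
    received = gc_encode(MESSAGE)
    for pos in (0, 2 * N_B, 5 * N_B):
        received[pos] ^= 1
    return gc_decode(received)


if __name__ == "__main__":
    print("GC code (n, k, d):", N_A * N_B, K_GC, min_distance(gc_codebook()))
    print("decoded == message:", demo() == MESSAGE)
```

The three error blocks are corrected because at every level a single flipped bit is closer to the correct coset than to the other one; with two errors in one block the level-1 decision (cosets at distance \(d_B^{(1)} = 2\)) can already tie, which is why practical GC decoders pass the inner distances on as reliability information instead of hard decisions.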

Appendix B: Proof of Theorem 2

In this appendix, we prove Theorem 2. We first recall some useful and well-known facts about vector and matrix representations of extension fields.

Every finite field \(\mathbb {F}_{q^{m}}\) is an \(\mathbb {F}_q\)-vector space of dimension m. Thus, there is a basis \(B= \{\beta _1,\dots ,\beta _m\} \subseteq \mathbb {F}_{q^{m}}\) in which every element \(a \in \mathbb {F}_{q^{m}}\) has a unique representation \(a = \sum _{i=1}^{m} a_i \beta _i\) with \(a_i \in \mathbb {F}_q\). Define the vector space isomorphism

$$\begin{aligned} \mathrm {ext}_B: \mathbb {F}_{q^{m}} \rightarrow {\mathbb {F}_q}^m, a \mapsto \mathbf {a}= [a_1,\dots ,a_m]. \end{aligned}$$

We call \(\mathrm {ext}_B(a)\) the vector representation of a with respect to the basis \(B\). It is well known that the set \(\{\mathrm {ext}_B(\cdot ) : B \text { basis of } \mathbb {F}_{q^{m}} \text { over } \mathbb {F}_q\}\) is equal to the set of all vector space isomorphisms (\(=\) bijective \(\mathbb {F}_q\)-linear maps) \(\mathbb {F}_{q^{m}} \rightarrow \mathbb {F}_q^m\). This implies that for any nonzero \(b \in \mathbb {F}_{q^{m}}\) and nonzero \(\mathbf {b}\in \mathbb {F}_q^m\), there is a basis \(B\) such that \(\mathrm {ext}_B(b) = \mathbf {b}\) (for \(b = 0\) we necessarily have \(\mathrm {ext}_B(b) = \mathbf {0}\)).

Lemma 3

Some facts about vector and matrix representation of finite extensions of finite fields \(\mathbb {F}_{q^{m}}/\mathbb {F}_q\):

(i) Every finite field \(\mathbb {F}_{q^{m}}\) is isomorphic to a subfield \(\mathscr {M}_{q^{m}}\) of the matrix ring \(\mathbb {F}_q^{m \times m}\). We write \(\mathrm {mr}(a) \in \mathscr {M}_{q^{m}}\) to denote the matrix representation of an element \(a \in \mathbb {F}_{q^{m}}\).

(ii) Every column or row of a matrix representation of \(\mathbb {F}_{q^{m}}\) can be used to uniquely represent the elements of \(\mathbb {F}_{q^{m}}\). We denote the vector representation of an element \(a \in \mathbb {F}_{q^{m}}\) given by this column or row by \(\mathrm {vr}(a) \in \mathbb {F}_q^m\). Moreover, \(\mathrm {vr}(\cdot ) = \mathrm {ext}_B(\cdot )\) for some basis \(B\).

(iii) If a specific column or row as in (ii) is chosen, the set of representative vectors of all elements of \(\mathbb {F}_{q^{m}}\) is equal to \(\mathbb {F}_q^m\).

(iv) If a specific row as in (ii) is chosen, the multiplication of two elements \(a,b \in \mathbb {F}_{q^{m}}\) corresponds to \(\mathrm {vr}(a \cdot b) = \mathrm {vr}(a) \cdot \mathrm {mr}(b)\).

(v) If a specific column as in (ii) is chosen, the multiplication of two elements \(a,b \in \mathbb {F}_{q^{m}}\) corresponds to \(\mathrm {vr}(a \cdot b) = \mathrm {mr}(a) \cdot \mathrm {vr}(b)\).

(vi) For a specific row or column as in (ii) and an arbitrary basis B of \(\mathbb {F}_{q^{m}}\) over \(\mathbb {F}_q\), \(\mathscr {M}_{q^{m}}\) can be chosen such that the vector representation of \(a \in \mathbb {F}_{q^{m}}\) is \(\mathrm {ext}_B(a)\).

Proof

(i) This statement is well known and can be found in [18] or [30].

(ii) Since multiplication, addition and inversion in \(\mathbb {F}_{q^{m}}\) correspond to the same operations on matrices in \(\mathscr {M}_{q^{m}}\), all matrices in \(\mathscr {M}_{q^{m}}\) except the zero matrix are invertible. Now choose an arbitrary row (column) index i. We show that the i-th rows (columns) of distinct matrices in \(\mathscr {M}_{q^{m}}\) are distinct. Choose two matrices \(\mathbf {M}_1,\mathbf {M}_2 \in \mathscr {M}_{q^{m}}\) and assume that their i-th rows (columns) coincide. Then the i-th row (column) of \(\mathbf {M}_1-\mathbf {M}_2 \in \mathscr {M}_{q^{m}}\) is the zero vector. Thus, \(\mathbf {M}_1-\mathbf {M}_2\) is not invertible and must be the zero matrix, implying \(\mathbf {M}_1=\mathbf {M}_2\). Let \(\phi (\mathbf {M})\) denote the operation of extracting the chosen row (column) from a matrix \(\mathbf {M} \in \mathscr {M}_{q^{m}}\). Since

$$\begin{aligned} \phi (\mathrm {mr}(\alpha \cdot a + \beta \cdot b)) &= \phi (\alpha \cdot \mathrm {mr}(a) + \beta \cdot \mathrm {mr}(b)) \\ &= \alpha \cdot \phi (\mathrm {mr}(a)) + \beta \cdot \phi (\mathrm {mr}(b)) \end{aligned}$$

for all \(\alpha , \beta \in \mathbb {F}_q\) and \(a,b \in \mathbb {F}_{q^{m}}\), the map \(\phi (\mathrm {mr}(\cdot ))\) is \(\mathbb {F}_q\)-linear; being injective between \(\mathbb {F}_q\)-vector spaces of the same dimension m, it is a vector space isomorphism and therefore equals \(\mathrm {ext}_B(\cdot )\) for some basis \(B\).

(iii) This follows from a simple counting argument. Due to (ii), a specific row (column) represents all elements of \(\mathscr {M}_{q^{m}}\), and thus of \(\mathbb {F}_{q^{m}}\), uniquely. Hence, \(|\{\mathrm {vr}(a) : a \in \mathbb {F}_{q^{m}}\}| = |\mathbb {F}_{q^{m}}| = q^m = |\mathbb {F}_q^m|\). Since \(\{\mathrm {vr}(a) : a \in \mathbb {F}_{q^{m}}\} \subseteq \mathbb {F}_q^m\), the two sets are equal.

(iv) This is clear from \(\mathrm {mr}(a \cdot b) = \mathrm {mr}(a) \cdot \mathrm {mr}(b)\): the i-th row of the product on the right-hand side is the i-th row of \(\mathrm {mr}(a)\), i.e. \(\mathrm {vr}(a)\), multiplied by \(\mathrm {mr}(b)\), while the i-th row of the left-hand side is \(\mathrm {vr}(a \cdot b)\).

(v) Analogous to (iv): the i-th column of \(\mathrm {mr}(a) \cdot \mathrm {mr}(b)\) equals \(\mathrm {mr}(a)\) times the i-th column of \(\mathrm {mr}(b)\).

(vi) The statement is clear since we can simply change the basis of the matrix representation: for an invertible change-of-basis matrix \(\mathbf {T} \in \mathbb {F}_q^{m \times m}\), set \(\mathrm {mr}_\mathrm {new}(a) = \mathbf {T} \cdot \mathrm {mr}(a) \cdot \mathbf {T}^{-1}\) for all \(a \in \mathbb {F}_{q^{m}}\). The image is again a field isomorphic to \(\mathbb {F}_{q^{m}}\), and \(\mathbf {T}\) can be chosen such that the selected row (column) of \(\mathrm {mr}_\mathrm {new}(a)\) is \(\mathrm {ext}_B(a)\).

\(\blacksquare \)
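A concrete check of Lemma 3, added here as an example and not taken from the paper: \(\mathbb {F}_8 = \mathbb {F}_2[x]/(x^3 + x + 1)\) is represented by \(3 \times 3\) matrices over \(\mathbb {F}_2\) with the row convention of (iv), and statements (i) to (vi) are verified exhaustively for the polynomial basis and for a second, constructed basis \(\{1, \alpha + 1, \alpha^2 + \alpha\}\). The reducing polynomial, both bases and all function names are choices made here.

```python
"""Matrix and vector representations of F_8 = F_2[x]/(x^3 + x + 1) over F_2.

Added example checking Lemma 3 by exhaustive computation; not code from the
paper.  Elements are 3-bit integers (bit i = coefficient of alpha^i), so
addition is XOR.  The reducing polynomial and the second basis are chosen here.
"""
from itertools import product

M = 3
POLY = 0b1011                 # x^3 + x + 1, irreducible over F_2
POLY_BASIS = [1, 2, 4]        # {1, alpha, alpha^2}
OTHER_BASIS = [1, 3, 6]       # {1, alpha + 1, alpha^2 + alpha}, also a basis
FIELD = range(1 << M)


def gf_mul(a, b):
    """Multiplication in F_8: shift-and-add with reduction modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= POLY
    return r


def ext(x, basis):
    """ext_B(x): coordinates of x with respect to basis (brute force, m = 3)."""
    for coeffs in product((0, 1), repeat=M):
        s = 0
        for c, beta in zip(coeffs, basis):
            if c:
                s ^= beta
        if s == x:
            return list(coeffs)
    raise ValueError("not a basis")


def mr(b, basis):
    """Matrix representation with the row convention: row i is ext_B(beta_i * b),
    so that ext_B(x) * mr(b) = ext_B(x * b) for every x."""
    return [ext(gf_mul(beta, b), basis) for beta in basis]


def matmul(A, B):
    return [[sum(A[i][k] & B[k][j] for k in range(M)) & 1 for j in range(M)] for i in range(M)]


def vecmat(v, A):
    return [sum(v[k] & A[k][j] for k in range(M)) & 1 for j in range(M)]


def matvec(A, v):
    return [sum(A[i][k] & v[k] for k in range(M)) & 1 for i in range(M)]


def column(A, i):
    return [A[r][i] for r in range(M)]


def is_field_embedding(basis):
    """(i): mr is injective and respects addition and multiplication."""
    if len({tuple(map(tuple, mr(a, basis))) for a in FIELD}) != 1 << M:
        return False
    for a in FIELD:
        for b in FIELD:
            summed = [[x ^ y for x, y in zip(r, s)] for r, s in zip(mr(a, basis), mr(b, basis))]
            if mr(a ^ b, basis) != summed:
                return False
            if mr(gf_mul(a, b), basis) != matmul(mr(a, basis), mr(b, basis)):
                return False
    return True


def rows_and_columns_are_bijective(basis):
    """(ii)/(iii): any fixed row index, and any fixed column index, runs through
    all q^m = 8 vectors of F_2^3 exactly once."""
    for i in range(M):
        rows = {tuple(mr(a, basis)[i]) for a in FIELD}
        cols = {tuple(column(mr(a, basis), i)) for a in FIELD}
        if len(rows) != 1 << M or len(cols) != 1 << M:
            return False
    return True


def multiplication_rules_hold(basis):
    """(iv) rows: vr(ab) = vr(a) mr(b);  (v) columns: vr(ab) = mr(a) vr(b)."""
    for a in FIELD:
        for b in FIELD:
            Ma, Mb, Mab = mr(a, basis), mr(b, basis), mr(gf_mul(a, b), basis)
            for i in range(M):
                if vecmat(Ma[i], Mb) != Mab[i] or matvec(Ma, column(Mb, i)) != column(Mab, i):
                    return False
    return True


def first_row_is_ext(basis):
    """(vi): with beta_1 = 1 the first row of mr(b) is exactly ext_B(b)."""
    return all(mr(b, basis)[0] == ext(b, basis) for b in FIELD)


if __name__ == "__main__":
    for name, basis in (("polynomial", POLY_BASIS), ("other", OTHER_BASIS)):
        print(name, is_field_embedding(basis), rows_and_columns_are_bijective(basis),
              multiplication_rules_hold(basis), first_row_is_ext(basis))
```

Changing the basis from `POLY_BASIS` to `OTHER_BASIS` is exactly the conjugation \(\mathbf {T} \cdot \mathrm {mr}(a) \cdot \mathbf {T}^{-1}\) of (vi); since both bases start with the element 1, the first row of the representation is \(\mathrm {ext}_B(a)\) in either case.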

Using these definitions and statements, we are able to prove Theorem 2. We also recall its statement.

Theorem 2

If \({k_{1}}={k_{2}}=\dots ={k_{\ell }}\), a GCC is an OCC \(\Leftrightarrow \) \(\mathscr {A}^{(i)}=\mathscr {A}^{(j)}\) \(\forall i,j\).

Proof

“\(\Rightarrow \)”: Let \(\mathscr {C}_\mathrm {GC}= \varTheta (\bigoplus _{i=1}^{\ell } \mathscr {A}^{(i)})\), with \(\theta \) \(\mathbb {F}_q\)-linear, be a GC code. Assume that \(\mathscr {C}_\mathrm {GC}\) is an OCC. Then there are an \(\mathbb {F}_q\)-linear \(\theta '\) and an \(\mathbb {F}_{q^{{k_B}}}\)-linear code \(\mathscr {A}\) such that \(\varTheta '(\mathscr {A}) = \varTheta \left( \bigoplus _{i=1}^{\ell } \mathscr {A}^{(i)}\right) \) and thus,

$$\begin{aligned} \mathscr {A}= \varTheta '^{-1}\left( \varTheta \left( \bigoplus _{i=1}^{\ell } \mathscr {A}^{(i)}\right) \right) . \end{aligned}$$

Hence, \(\varTheta '^{-1}\left( \varTheta \left( \bigoplus _{i=1}^{\ell } \mathscr {A}^{(i)}\right) \right) \) must be an \(\mathbb {F}_{q^{{k_B}}}\)-linear code. The mapping \(\varTheta '^{-1}(\varTheta (\cdot )): \bigoplus _{i=1}^{\ell } \mathbb {F}_{q^{{k_{i}}}}^{n_A}\rightarrow \mathbb {F}_{q^{{k_B}}}^{n_A}\) is componentwise \(\mathbb {F}_q\)-linear, i.e., there is an \(\mathbb {F}_q\)-linear mapping \(\tilde{\theta } : \bigoplus _{i=1}^{\ell } \mathbb {F}_{q^{{k_{i}}}} \rightarrow \mathbb {F}_{q^{{k_B}}}\) such that

$$\begin{aligned} \varTheta '^{-1}\left( \varTheta \left( \mathbf {a}_1, \mathbf {a}_2, \dots , \mathbf {a}_\ell \right) \right)&:= \varTheta '^{-1}\left( \varTheta \left( \begin{bmatrix} a_{1,1} \\ a_{1,2} \\ \vdots \\ a_{1,{n_A}} \end{bmatrix}, \begin{bmatrix} a_{2,1} \\ a_{2,2} \\ \vdots \\ a_{2,{n_A}} \end{bmatrix}, \dots , \begin{bmatrix} a_{\ell ,1} \\ a_{\ell ,2} \\ \vdots \\ a_{\ell ,{n_A}} \end{bmatrix} \right) \right) \\&= \begin{bmatrix} \tilde{\theta }(a_{1,1}, \dots , a_{\ell ,1}) \\ \tilde{\theta }(a_{1,2}, \dots , a_{\ell ,2}) \\ \vdots \\ \tilde{\theta }(a_{1,{n_A}}, \dots , a_{\ell ,{n_A}}) \end{bmatrix} =: \begin{bmatrix} \tilde{a}_1 \\ \tilde{a}_2 \\ \vdots \\ \tilde{a}_{n_A}\end{bmatrix} \in \mathbb {F}_{q^{{k_B}}}^{n_A}\end{aligned}$$

for all \(\mathbf {a}_i \in \mathbb {F}_{q^{{k_{i}}}}^{n_A}\). Due to \({k_B}= \sum _{i=1}^{\ell } {k_{i}} = \sum _{i=1}^{\ell } {k_{1}} = \ell \cdot {k_{1}}\), we have \({k_{i}} = {k_{1}} \mid {k_B}\), and \(\mathbb {F}_{q^{{k_B}}}\) can be seen as an extension field of \(\mathbb {F}_{q^{{k_{1}}}}\) with extension degree \([\mathbb {F}_{q^{{k_B}}} : \mathbb {F}_{q^{{k_{1}}}}] = \ell \).

Writing the outer codewords as the rows of an \(\ell \times {n_A}\) matrix and applying \(\mathrm {ext}_B\) componentwise with respect to a suitable basis B of \(\mathbb {F}_{q^{{k_B}}}\) over \(\mathbb {F}_{q^{{k_{1}}}}\), this reads

$$\begin{aligned} \begin{bmatrix} \mathbf {a}_1 \\ \mathbf {a}_2 \\ \vdots \\ \mathbf {a}_\ell \end{bmatrix} = \begin{bmatrix} a_{1,1}&a_{1,2}&\dots&a_{1,{n_A}} \\ a_{2,1}&a_{2,2}&\dots&a_{2,{n_A}} \\ \vdots&\vdots&\ddots&\vdots \\ a_{\ell ,1}&a_{\ell ,2}&\dots&a_{\ell ,{n_A}} \end{bmatrix} =\mathrm {ext}_B\left( \begin{bmatrix} \tilde{a}_1&\tilde{a}_2&\dots&\tilde{a}_{n_A}\end{bmatrix} \right) . \end{aligned}$$

Choosing the corresponding matrix representation of \(\alpha \in \mathbb {F}_{q^{{k_B}}}\) over \(\mathbb {F}_{q^{{k_{1}}}}\) as in Lemma 3, we can write

$$\begin{aligned} \mathrm {ext}_B\left( \alpha \cdot \begin{bmatrix} \tilde{a}_1&\tilde{a}_2&\dots&\tilde{a}_{n_A}\end{bmatrix} \right) = \mathrm {mr}(\alpha ) \cdot \mathrm {ext}_B\left( \begin{bmatrix} \tilde{a}_1&\tilde{a}_2&\dots&\tilde{a}_{n_A}\end{bmatrix} \right) = \mathrm {mr}(\alpha ) \cdot \begin{bmatrix} \mathbf {a}_1 \\ \mathbf {a}_2 \\ \vdots \\ \mathbf {a}_\ell \end{bmatrix} \end{aligned}$$

Since \(\mathbf {a}_i \in \mathscr {A}^{(i)}\) implies \(\begin{bmatrix} \tilde{a}_1&\tilde{a}_2&\dots&\tilde{a}_{n_A}\end{bmatrix} \in \mathscr {A}\) and \(\mathscr {A}\) is \(\mathbb {F}_{q^{{k_B}}}\)-linear, also \(\alpha \cdot \begin{bmatrix} \tilde{a}_1&\tilde{a}_2&\dots&\tilde{a}_{n_A}\end{bmatrix}\) must be in \(\mathscr {A}\) for all \(\alpha \in \mathbb {F}_{q^{{k_B}}}\) and thus, \(\mathrm {ext}_B\left( \alpha \cdot \begin{bmatrix} \tilde{a}_1&\tilde{a}_2&\dots&\tilde{a}_{n_A}\end{bmatrix} \right) \in \bigoplus _{i=1}^{\ell } \mathscr {A}^{(i)}\). Due to Lemma 3, we can choose \(\alpha \) such that the i-th row of \(\mathrm {mr}(\alpha )\) is an arbitrary \(\begin{bmatrix} \alpha _1&\alpha _2&\dots&\alpha _\ell \end{bmatrix} \in \mathbb {F}_{q^{{k_{1}}}}^\ell \), and thus the i-th row of \(\mathrm {ext}_B\left( \alpha \cdot \begin{bmatrix} \tilde{a}_1&\tilde{a}_2&\dots&\tilde{a}_{n_A}\end{bmatrix} \right) \) is \(\sum _{j=1}^{\ell } \alpha _j \mathbf {a}_j\). Choosing \(\alpha _j = 1\) and all other coefficients zero shows \(\mathscr {A}^{(j)} \subseteq \mathscr {A}^{(i)}\) for all \(i,j=1,\dots ,\ell \), and thus all outer codes \(\mathscr {A}^{(i)}\) are the same.

“\(\Leftarrow \)”: If \(\mathscr {A}^{(j)} = \mathscr {A}^{(i)}\) for all i, j, we can choose any basis B of \(\mathbb {F}_{q^{{k_B}}}\) over \(\mathbb {F}_{q^{{k_{i}}}}\). Since multiplying elements of \(\mathrm {ext}_B^{-1}(\bigoplus _{i=1}^{\ell } \mathscr {A}^{(i)})\) by \(\mathbb {F}_{q^{{k_B}}}\) scalars corresponds to a left multiplication by a matrix in \(\mathscr {M}_{q^{{k_B}}}\), and any \(\mathbb {F}_{q^{{k_{i}}}}\)-linear combination of elements of different \(\mathscr {A}^{(i)}\)'s is again contained in every \(\mathscr {A}^{(i)}\), the set \(\mathscr {A}:= \mathrm {ext}_B^{-1}(\bigoplus _{i=1}^{\ell } \mathscr {A}^{(i)})\) is an \(\mathbb {F}_{q^{{k_B}}}\)-linear code. The \(\mathbb {F}_q\)-linear map is given by \(\theta \circ \mathrm {ext}_B\).\(\blacksquare \)

Appendix C: Work Factor of the Nonstructural Attack on the Code Example in [25]

This appendix computes the work factor of our nonstructural attack presented in Sect. 6.2 when applied to the OC code example which was proposed by Sendrier in [25] with parameters \((2048, 308, \ge 425)\).

The inner code is a random code \(\mathscr {B}(16, 7, 5)\) over \(\mathbb {F}_{2}\) and the outer code is a GRS code \(\mathscr {A}(128, 44, 85)\) over \(\mathbb {F}_{2^7}\). A simulation was performed in Matlab on 1500 random codes \(\mathscr {B}(16, 7, 5)\): each bit of a codeword of \(\mathscr {B}\) was flipped independently with probability \(\frac{212}{2048}\), and the result was decoded; 1,000,000 codewords were used for each code. The estimated probabilities of correct decoding, wrong decoding and decoding failure are \(p_\mathsf {c} = 0.7741\), \(p_\mathsf {w} = 0.0441 \) and \(p_\mathsf {f} = 0.1818\), respectively, with standard deviations 0.00042, 0.0043 and 0.0043. The expected numbers of correctly decoded, wrongly decoded and failed inner blocks among the \({n_A} = 128\) blocks are then

$$\begin{aligned} n_{\mathrm {c}}&= {n_A}\cdot p_\mathsf {c} = 128 \cdot 0.7741 \approx 99, \\ n_{\mathrm {w}}&= {n_A}\cdot p_\mathsf {w} = 128 \cdot 0.0441 \approx 6, \\ n_{\mathrm {f}}&= {n_A}\cdot p_\mathsf {f} = 128 \cdot 0.1818 \approx 23. \end{aligned}$$

By choosing \(m={k_A}=44\) inner blocks among the \(n_{\mathrm {c}} + n_{\mathrm {w}} = 105\) blocks that did not fail, and with p denoting the probability that all m chosen blocks were decoded correctly, \(p = \binom{99}{44} \big/ \binom{105}{44} \approx 0.0345\), we obtain the work factor

$$\begin{aligned} W_2 = \frac{308^3}{p} \approx \frac{308^3}{0.0345} \approx 8.4686 \cdot 10^{8} \approx 2^{29.7}. \end{aligned}$$

With

$$\begin{aligned} W_1 = 128 \cdot \frac{7^3\cdot \binom{16}{7}}{\binom{16-\lfloor \frac{5-1}{2}\rfloor }{7}}\approx 1.4635 \cdot 10^5, \end{aligned}$$

we have \(W_1 \ll W_2\), so the overall work factor is dominated by \(W_2\):

$$\begin{aligned} W \approx 2^{29.7}. \end{aligned}$$

This work factor is considered to be insecure [13].
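The computation of this appendix, redone as an added example (not the paper's Matlab code): a seeded simulation re-estimates \(p_\mathsf {c}\), \(p_\mathsf {w}\), \(p_\mathsf {f}\) for one random \((16, 7, 5)\) inner code under the per-bit error probability \(212/2048\), and two functions evaluate \(W_1\) and \(W_2\). The definition of p is not on this page (it is given in Sect. 6.2 of the paper); the example assumes \(p = \binom{n_{\mathrm {c}}}{m} / \binom{n_{\mathrm {c}} + n_{\mathrm {w}}}{m}\), the probability that the \(m = 44\) blocks chosen among the non-failed ones are all correctly decoded, which reproduces \(0.0345\) and \(8.4686 \cdot 10^8\) with \(n_{\mathrm {c}} = 99\) and \(n_{\mathrm {w}} = 6\). Note that \(p_\mathsf {c} = 0.7741\) is exactly the probability of at most two bit errors in a 16-bit block at that error rate, since bounded-distance decoding of a \(d = 5\) code corrects every such pattern; the simulation recovers this value within its sampling error.

```python
"""Work factor of the nonstructural attack on Sendrier's (2048, 308, >= 425) example.

Added example, not code from the paper.  The inner-decoder statistics are
re-estimated with a small seeded simulation (the appendix used 1500 random
codes and 10^6 words each); the work-factor formulas are those of Appendix C,
and the definition of p below is an assumption inferred from its numbers.
"""
import math
import random

N_B, K_B, D_B = 16, 7, 5          # inner code B(16, 7, 5)
N_A, K_A = 128, 44                # outer GRS code A(128, 44, 85)
K = K_A * K_B                     # 308, dimension of the concatenated code
P_BIT = 212 / 2048                # per-bit error probability used in the appendix
T = (D_B - 1) // 2                # radius of the bounded-distance inner decoder


def weight(x):
    return bin(x).count("1")


def random_inner_code(rng):
    """Rejection-sample a random binary (16, 7) code with minimum distance >= 5;
    codewords are 16-bit integers, generated from random generator rows."""
    while True:
        code = [0]
        for _ in range(K_B):
            g = rng.getrandbits(N_B)
            code += [c ^ g for c in code]
        if len(set(code)) == 1 << K_B and min(weight(c) for c in code if c) >= D_B:
            return code


def inner_decode(code, received):
    """Nearest codeword, but a failure beyond t errors (footnote 3 of the paper)."""
    best = min(code, key=lambda c: weight(c ^ received))
    return best if weight(best ^ received) <= T else None


def estimate_inner_statistics(code, trials, rng):
    """Estimate (p_c, p_w, p_f).  The zero codeword is sent: the code is linear,
    so the outcome depends only on the error pattern."""
    counts = {"c": 0, "w": 0, "f": 0}
    for _ in range(trials):
        err = 0
        for i in range(N_B):
            if rng.random() < P_BIT:
                err |= 1 << i
        dec = inner_decode(code, err)
        counts["f" if dec is None else "c" if dec == 0 else "w"] += 1
    return tuple(counts[k] / trials for k in "cwf")


def simulate(seed=2015, trials=20000):
    rng = random.Random(seed)
    return estimate_inner_statistics(random_inner_code(rng), trials, rng)


def work_factor(p_c, p_w, p_f, m=K_A):
    """W_1: information-set decoding of every inner block (Lee-Brickell style count);
    W_2: k^3 Gaussian elimination, repeated until the m chosen blocks are all correct.
    Assumption: p is the probability that m blocks drawn from the n_c + n_w
    non-failed blocks are all decoded correctly (hypergeometric); with the
    appendix's numbers this reproduces its p = 0.0345.  p_f enters only through
    n_f = n_A - n_c - n_w, i.e. the blocks excluded from the draw."""
    n_c, n_w = round(N_A * p_c), round(N_A * p_w)
    p = math.comb(n_c, m) / math.comb(n_c + n_w, m)
    w1 = N_A * K_B ** 3 * math.comb(N_B, K_B) / math.comb(N_B - T, K_B)
    w2 = K ** 3 / p
    return {"p": p, "W1": w1, "W2": w2, "log2_W": math.log2(max(w1, w2))}


def paper_work_factor():
    """Appendix C's own estimates p_c = 0.7741, p_w = 0.0441, p_f = 0.1818."""
    return work_factor(0.7741, 0.0441, 0.1818)


if __name__ == "__main__":
    p_c, p_w, p_f = simulate()
    print(f"simulated inner decoder: p_c={p_c:.4f} p_w={p_w:.4f} p_f={p_f:.4f}")
    print("simulated work factor:", work_factor(p_c, p_w, p_f))
    print("appendix's numbers   :", paper_work_factor())
```

Because every random \((16, 7)\) code with \(d \ge 5\) corrects the same set of error patterns (all of weight at most 2), \(p_\mathsf {c}\) is code-independent; only the split of the remaining mass between wrong decodings and failures depends on the particular code, which is why the appendix averaged over 1500 random codes.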


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Puchinger, S., Müelich, S., Ishak, K., Bossert, M. (2017). Code-Based Cryptosystems Using Generalized Concatenated Codes. In: Kotsireas, I., Martínez-Moro, E. (eds) Applications of Computer Algebra. ACA 2015. Springer Proceedings in Mathematics & Statistics, vol 198. Springer, Cham. https://doi.org/10.1007/978-3-319-56932-1_26
