Abstract
Guo et al. recently presented a reaction attack against the QC-MDPC McEliece cryptosystem. Their attack is based on the observation that when a bit-flipping decoding algorithm is used in QC-MDPC McEliece, there exists a dependence between the secret matrix H and the failure probability of the bit-flipping algorithm. This dependence can be exploited to reveal the matrix H, which constitutes the private key in the cryptosystem. It was conjectured that such a dependence is present even when a soft-decision decoding algorithm is used instead of a bit-flipping algorithm.
This paper shows that a similar dependence between the secret matrix H and the failure probability of a decoding algorithm is also present in the QC-LDPC McEliece cryptosystem. Unlike QC-MDPC McEliece, the secret key in QC-LDPC McEliece also contains matrices S and Q in addition to the matrix H. We observe that there also exists a dependence between the failure probability and the matrix Q. We show that these dependences leak enough information to allow an attacker to construct a sparse parity-check matrix for the public code. This parity-check matrix can then be used for decrypting ciphertexts.
We tested the attack on an implementation of the QC-LDPC McEliece using a soft-decision decoding algorithm. Thus we also confirmed that soft-decision decoding algorithms can be vulnerable to leaking information about the secret key.
T. Fabšič, V. Hromada and P. Zajac—Support by grant VEGA 1/0159/17 is acknowledged.
Notes
1. These parameters were selected because they were proposed in [3]. The attack presented in this paper is equally feasible for other sets of parameters, including parameters with p odd.
2. In particular, we ran Algorithm 2 with inputs \(D=D_{0.118}\) and \(w=13\) for all possible values of \(p_1\). We tested candidates for \(p_1\) in ascending order. After a candidate for \(p_1\) was tested, it was removed from \(D_{0.118}\).
References
Baldi, M.: QC-LDPC Code-Based Cryptography. Springer Science & Business, Heidelberg (2014)
Baldi, M., Chiaraluce, F.: Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC codes. In: Proceedings of IEEE ISIT 2007, Nice, France, June 2007, pp. 2591–2595 (2007)
Baldi, M., Bodrato, M., Chiaraluce, F.: A new analysis of the McEliece cryptosystem based on QC-LDPC codes. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) 6th International Conference on Security and Cryptography for Networks (SCN 2008). LNCS, vol. 5229, pp. 246–262. Springer, Berlin (2008)
BitPunch. https://github.com/FrUh/BitPunch
Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53887-6_29
Hill, R.: A First Course in Coding Theory. Oxford University Press, Oxford (1986)
Jungnickel, D.: Finite Fields: Structure and Arithmetics. B.I Wissenschaftsverlag, Leipzig (1993)
McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Deep Space Netw. Prog. Rep. 44, 114–116 (1978)
Misoczki, R., Tillich, J.-P., Sendrier, N., Barreto, P.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: IEEE International Symposium on Information Theory (ISIT2013), Istanbul, pp. 2069–2073 (2013)
Otmani, A., Tillich, J.P., Dallot, L.: Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes. In: Proceedings of First International Conference on Symbolic Computation and Cryptography, Beijing, China, (SCC 2008) (2008)
Neal, R.M.: Software for Low Density Parity Check (LDPC) codes. http://www.cs.utoronto.ca/radford/ldpc.software.html
Shooshtari, M.K., Ahmadian-Attari, M., Johansson, T., Aref, M.R.: Cryptanalysis of McEliece cryptosystem variants based on quasi-cyclic low-density parity check codes. IET Inf. Secur. 10(4), 194–202 (2016)
Appendix: On the Rank of a Randomly Generated Block-Circulant Matrix
In this appendix we study the rank over GF(2) of a matrix composed of \(n_0\times n_0\) randomly generated circulant blocks, each block being of size \(p\times p\). We focus on the case when p is odd, since this ensures that the QC-LDPC McEliece cryptosystem is immune to the attack presented in [12].
Firstly, we recall some well-known facts about circulant matrices.
Fact 1
(Proposition 1.7.1 in [7]). Consider the mapping \(\tau \) which sends the circulant binary \((p\times p)\)-matrix with the first row \((c_0,c_1, c_2, \dots , c_{p-1})\) onto the polynomial \(c(x)=c_0+c_1x+c_2x^2+\dots +c_{p-1}x^{p-1}\). Then the mapping \(\tau \) is an isomorphism between the ring of circulant binary (\(p\times p\))-matrices and the ring \(\mathbb {Z}_2[x]/(x^p+1)\).
Fact 2
(p. 42 in [7]). The inverse of a non-singular circulant matrix is again circulant. A circulant binary (\(p\times p\))-matrix C is non-singular if and only if \(\tau (C)\) is relatively prime to \(x^p+1\).
Let f be a polynomial in \(\mathbb {Z}_2[x]/(x^p+1)\) and let \(f(x)=g(x)h(x)\) where \(g(x)=\gcd (f(x),x^p+1)\). Then \(\tau ^{-1}(f)=\tau ^{-1}(g)\tau ^{-1}(h)\). By Fact 2, \(\tau ^{-1}(h)\) is non-singular. Therefore \(\tau ^{-1}(f)\) has the same rank as \(\tau ^{-1}(g)\). It is well-known (e.g. Theorem 12.12 in [6]) that \(\tau ^{-1}(g)\) generates a cyclic code of dimension \(p-d\) where d is the degree of g. Thus we have:
Fact 3
The rank of a circulant binary (\(p\times p\))-matrix C is equal to \(p-d\) where d is the degree of \(\gcd (\tau (C),x^p+1)\).
Let f and g be polynomials in \(\mathbb {Z}_2[x]\), and denote by \(\psi (f)\) the number of polynomials of smaller degree which are relatively prime to f in \(\mathbb {Z}_2[x]\).
Fact 4
(Theorem 1.7.5 in [7]). If \(\gcd (f(x),g(x))=1\), then \(\psi (fg)=\psi (f)\psi (g)\).
Fact 5
(Theorem 1.7.6 in [7]). Let p be odd. Then we have
Here \(o_j(2)\) denotes the order of 2 in the group \(\mathbb {Z}^{*}_{j}\) and \(\phi (j)\) denotes the Euler function.
It follows that the number of \(p\times p\) circulant matrices with full rank is \(\psi (x^p+1)\). Circulant \(p\times p\) matrices with rank \(p-1\) are precisely the matrices whose corresponding polynomial is a product of \(x+1\) and a polynomial coprime to \(\frac{x^p+1}{x+1}\) with degree less than \(p-1\). If p is odd, then \(x+1\) appears in the irreducible factorization of \(x^p+1\) only once. Thus it follows that the number of \(p\times p\) circulant matrices with rank \(p-1\) is \(\psi (\frac{x^p+1}{x+1})=\psi (x^p+1)/\psi (x+1)=\psi (x^p+1)\).
Now we turn to block-circulant matrices. Let \(\rho (p)=\psi (x^p+1)/2^p\).
Proposition 1
Let p be odd. Let B be a matrix composed of \((n_0-1)\times (n_0-1)\) circulant blocks of size \(p\times p\). Suppose that the blocks in B were generated uniformly and independently at random from the space of all binary circulant \(p\times p\) matrices. Then
Proof
Let \(B_{ij}\) be the \(p\times p\) block present in the i-th block-row and j-th block-column of B. Let \(b_{ij}(x)=\tau (B_{ij})\). With probability \(1-\left( 1-\rho (p)\right) ^{n_0-1}+\rho (p)^{n_0-1}\) it holds that either one of the blocks in the first block-column is invertible or all blocks in the first block-column have rank \(p-1\).
Firstly, we look at the case when there exists an invertible block in the first block-column. Without loss of generality we can assume that this block is \(B_{11}\) (if not, we can swap block-rows of B). For every \(i\in \left\{ 2,\dots , n_0-1\right\} \) we can erase the block \(B_{i1}\) by adding to the i-th block-row the first block-row multiplied by \(\left( B_{i1}\times B_{11}^{-1}\right) \). This corresponds to multiplying B from the left by the matrix \(M_i=I_{p(n_0-1)\times p(n_0-1)}+\tilde{M}_i\), where \(\tilde{M}_i\) is the matrix composed of \((n_0-1)\times (n_0-1)\) blocks of size \(p\times p\) with the block \(B_{i1}\times B_{11}^{-1}\) in the i-th block-row and the first block-column and with zero blocks everywhere else. Thus the resulting matrix has the same rank as B. We obtain a matrix of the form
where \(\tilde{B}\) is a matrix composed of \((n_0-2)\times (n_0-2)\) circulant blocks of size \(p\times p\). Let \(\tilde{B}_{ij}\) be the \(p\times p\) block present in the i-th block-row and j-th block-column of \(\tilde{B}\). Then \(\tilde{B}_{ij}=B_{i+1,1}\times B_{11}^{-1}\times B_{1,j+1}+B_{i+1,j+1}\). The block \(B_{i+1,j+1}\) was generated independently from all other blocks in B, hence we can see \(\tilde{B}_{ij}\) as a sum of \(B_{i+1,j+1}\) and an independent circulant matrix. Since \(B_{i+1,j+1}\) was generated uniformly at random from the space of circulant \(p\times p\) matrices, \(\tilde{B}_{ij}\) will, like \(B_{i+1,j+1}\), have the property that each bit in its first row will be 1 with probability 1/2 independently of other bits in its first row. Thus we can think of \(\tilde{B}_{i,j}\) as of another uniformly randomly generated matrix from the space of circulant \(p\times p\) matrices. Moreover, \(\tilde{B}_{i,j}\) is independent of other blocks in \(\tilde{B}\) and it is also independent of blocks in the first block-column of the original matrix B.
Now we consider the case when all blocks in the first block-column of B have rank \(p-1\). Then for every \(b_{i1}(x)\) there exists \(r_i(x)\in \mathbb {Z}_2[x]/(x^p+1)\) such that \(b_{i1}(x)r_i(x)=x+1\mod (x^p+1)\) (the polynomial \(r_i(x)\) can be found by the extended Euclidean algorithm). Thus for every \(i\in \left\{ 2,\dots , n_0-1\right\} \) we can erase the block \(B_{i1}\) by adding to the i-th block-row the first block-row multiplied by \(\tau ^{-1}\left( \frac{b_{i1}(x)}{x+1}\right) \times \tau ^{-1}\left( r_1(x)\right) \). By the same argument as in the previous case, this will not change the rank of B. We obtain a matrix of the form (2), where \(\tilde{B}\) is again composed of \((n_0-2)\times (n_0-2)\) circulant blocks of size \(p\times p\). Now we have \(\tilde{B}_{ij}=\tau ^{-1}\left( \frac{b_{i+1,1}(x)}{x+1}\right) \times \tau ^{-1}\left( r_1(x)\right) \times B_{1,j+1}+B_{i+1,j+1}\). By the same argument as in the previous case, we can again think of \(\tilde{B}_{i,j}\) as of a uniformly randomly generated matrix from the space of circulant \(p\times p\) matrices. In addition, \(\tilde{B}_{i,j}\) is independent of other blocks in \(\tilde{B}\) and it is also independent of blocks in the first block-column of the original matrix B.
Thus in both cases we were able to transform the matrix B to a matrix of the form (2), while preserving its rank. The submatrix \(\tilde{B}\) in (2) has the same properties as the original matrix B except it contains \((n_0-2)\times (n_0-2)\) blocks instead of \((n_0-1)\times (n_0-1)\) blocks. In addition, the submatrix \(\tilde{B}\) is independent of blocks in the first block-column of the original matrix B. Proceeding inductively, the statement of the proposition follows.
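The following Python script is an added example; it is not code from the paper or its authors. It turns Facts 3 and 5 and the first-column event used in the proof of Proposition 1 into exhaustive checks for small odd p: the rank of every \(p\times p\) circulant is computed from \(\deg\gcd(\tau(C),x^p+1)\) (Fact 3) and cross-checked against plain Gaussian elimination, the counts of full-rank and rank-\((p-1)\) circulants are compared with \(\psi(x^p+1)\), and the probability that a first block-column contains an invertible block or consists only of rank-\((p-1)\) blocks is enumerated exactly and compared with \(1-(1-\rho(p))^{n_0-1}+\rho(p)^{n_0-1}\). The closed form in `psi_xp1` is the product formula of Theorem 1.7.6 in [7], whose display is missing from this page; the brute-force count is what verifies it here. All function names are the example's own.

```python
"""Added example (not from the paper): exhaustive checks of Facts 3 and 5 and of
the first-column event in the proof of Proposition 1, for small odd p.
A polynomial in Z_2[x] is an int whose bit i is the coefficient of x^i, so the
first row (c_0, ..., c_{p-1}) of a circulant is the int with bit i = c_i (tau of Fact 1)."""
from fractions import Fraction
from itertools import product
from math import gcd as int_gcd

def poly_deg(a):
    return a.bit_length() - 1          # deg(0) = -1 under this convention

def poly_mod(a, b):
    """Remainder of a modulo b in Z_2[x]."""
    db = poly_deg(b)
    while a and poly_deg(a) >= db:
        a ^= b << (poly_deg(a) - db)
    return a

def poly_gcd(a, b):
    while b:
        a, b = b, poly_mod(a, b)
    return a

def circulant_rank(c, p):
    """Fact 3: rank of the circulant with first row c is p - deg gcd(tau(C), x^p + 1)."""
    return p - poly_deg(poly_gcd(c, (1 << p) | 1))

def circulant_rows(c, p):
    """All p rows of the circulant with first row c (row i = first row rotated right by i)."""
    mask = (1 << p) - 1
    return [((c << i) | (c >> (p - i))) & mask for i in range(p)]

def gf2_rank(rows):
    """Rank over GF(2) of a matrix given as row bitmasks (Gaussian elimination)."""
    rows, rank = list(rows), 0
    while rows:
        pivot = max(rows)                # row with the highest leading bit
        if pivot == 0:
            break
        rows.remove(pivot)
        rank += 1
        lead = 1 << poly_deg(pivot)
        rows = [r ^ pivot if r & lead else r for r in rows]
    return rank

def block_circulant_rank(first_rows, p):
    """Rank of the block matrix whose (i, j) block is the circulant with first row first_rows[i][j]."""
    rows = []
    for block_row in first_rows:
        blocks = [circulant_rows(c, p) for c in block_row]
        for r in range(p):
            rows.append(sum(blk[r] << (p * j) for j, blk in enumerate(blocks)))
    return gf2_rank(rows)

def mult_order(a, n):
    """Order o_n(a) of a in Z_n^*; for n = 1 the group is trivial and the order is 1."""
    k, x = 1, a % n
    while x != 1 % n:
        x, k = (x * a) % n, k + 1
    return k

def euler_phi(n):
    return sum(1 for k in range(1, n + 1) if int_gcd(k, n) == 1)

def psi_xp1(p):
    """Fact 5 (Theorem 1.7.6 in [7]; display missing on this page): for odd p,
    psi(x^p + 1) = prod_{j | p} (2^{o_j(2)} - 1)^{phi(j) / o_j(2)}."""
    assert p % 2 == 1
    total = 1
    for j in (d for d in range(1, p + 1) if p % d == 0):
        o = mult_order(2, j)
        total *= (2 ** o - 1) ** (euler_phi(j) // o)
    return total

def rho(p):
    """rho(p) = psi(x^p + 1) / 2^p, the chance that a uniform random p x p circulant is invertible."""
    return Fraction(psi_xp1(p), 2 ** p)

def count_circulants_by_rank(p):
    """Exhaustive rank histogram of all 2^p circulants, via Fact 3."""
    ranks = [circulant_rank(c, p) for c in range(1 << p)]
    return {r: ranks.count(r) for r in set(ranks)}

def first_column_event_probability(p, n0):
    """Exact probability (all 2^{p(n0-1)} first block-columns enumerated) that at
    least one of the n0-1 blocks is invertible or all of them have rank p-1."""
    ranks = [circulant_rank(c, p) for c in range(1 << p)]
    good = sum(1 for col in product(range(1 << p), repeat=n0 - 1)
               if any(ranks[c] == p for c in col) or all(ranks[c] == p - 1 for c in col))
    return Fraction(good, 2 ** (p * (n0 - 1)))

def first_column_event_formula(p, n0):
    """The closed form used in the proof: 1 - (1 - rho(p))^(n0-1) + rho(p)^(n0-1)."""
    r = rho(p)
    return 1 - (1 - r) ** (n0 - 1) + r ** (n0 - 1)

if __name__ == "__main__":
    for p in (3, 5, 7, 9, 11, 13, 15):
        h = count_circulants_by_rank(p)
        print(f"p={p}: rank p: {h[p]}, rank p-1: {h[p - 1]}, psi={psi_xp1(p)}, rho={float(rho(p)):.3f}")
```

Running the script lists, for each small odd p, the number of invertible circulants, the number of rank-\((p-1)\) circulants (equal, as the text argues, because \(\psi(x+1)=1\)) and \(\rho(p)\). For the enumeration in `first_column_event_probability` the cost is \(2^{p(n_0-1)}\) gcds, so it is only meant for p up to about 5 with \(n_0=4\); for the parameter sizes of the cryptosystem one uses the closed form, which is what \(\alpha(p,n_0)\) in the text is built from.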
In the QC-LDPC McEliece cryptosystem \(n_0\) is typically small (3 or 4, for example). Let \(\alpha (p,n_0)\) be the lower bound from Proposition 1, i.e.
In Fig. 3 we present values of \(\alpha (p,4)\) for all odd p in the range from 1 to 20000. The smallest value of \(\alpha (p,4)\) in the figure is 0.11. Thus the figure shows that if \(n_0=4\) then the probability that the rank of B is close to the full rank is nontrivial for all odd p below 20000.
© 2017 Springer International Publishing AG
Cite this paper
Fabšič, T., Hromada, V., Stankovski, P., Zajac, P., Guo, Q., Johansson, T. (2017). A Reaction Attack on the QC-LDPC McEliece Cryptosystem. In: Lange, T., Takagi, T. (eds) Post-Quantum Cryptography . PQCrypto 2017. Lecture Notes in Computer Science(), vol 10346. Springer, Cham. https://doi.org/10.1007/978-3-319-59879-6_4
DOI: https://doi.org/10.1007/978-3-319-59879-6_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59878-9
Online ISBN: 978-3-319-59879-6