Reproducible families of codes and cryptographic applications

2.1 Coding theory background

A linear code C is a k-dimensional subspace of the n-dimensional vector space over the finite field F q . The parameters n (length) and k (dimension) are positive integers with k ≤ n . The value r = n − k is known as codimension of the code.

A linear code of length n, dimension k, and minimum distance d is called an [ n , k , d ] -code.

The error-correcting capability of a linear code is connected to its minimum distance, and in particular it corresponds to ⌊ ( d − 1 ) / 2 ⌋ under bounded distance decoding. When soft-decision decoding is used, a linear block code with distance d may correct up to d − 1 symbol errors.

Note that the parity-check matrix of a code C is also a generator matrix of the dual code C ⊥ , i.e., the linear code formed by all the words of F q n that are orthogonal to C . It follows that for any generator matrix G and parity-check matrix H of a code, we have H G T = 0 r × k .

Both matrices are required to have full rank. Moreover, note that, clearly, neither matrix is unique: for instance, given a generator matrix G it is always possible to obtain another generator matrix for the same code by a linear transformation, that is, the left multiplication by an invertible k × k matrix S , so that G ′ = S G . This corresponds to a change of basis for the vector space. A similar property is verified by the parity-check matrix. Finally, two generator matrices generate equivalent codes if one is obtained from the other by a permutation of columns. These two facts are at the basis of the McEliece cryptosystem.

Joining the two properties above, we can write any generator matrix G in systematic form as G = [ I k ∣ A ] , where ∣ denotes concatenation. If C is generated by G = [ I k ∣ A ] , then a (systematic) parity-check matrix for C is H = [ − A T ∣ I r ] .

2.2 The McEliece cryptosystem

The McEliece public-key encryption scheme [2] was introduced by R.J. McEliece in 1978. The original scheme uses binary Goppa codes, with which it remains unbroken (with a proper choice of parameters), but the scheme can be used with any class of codes for which an efficient decoding algorithm is known.

2.3 Sparse-matrix codes

One of the most delicate points about the McEliece cryptosystem is that, in order for the security to reduce to the SDP, it is assumed that the matrix used as the public key is indistinguishable from a uniformly random matrix of the same size. This is a plausible assumption, which however has been shown to be false in several cases. For many variants of McEliece (e.g., ref. [12]), in fact, this opened up avenues of attack which simply ruled out the variant altogether. Even the long-standing binary Goppa codes have been shown to be distinguishable from random codes [13] when the code rate is chosen carelessly (too high). This is arguably one of the main reasons that pushed researchers away from algebraic codes and toward codes of a different nature.

LDPC codes are defined by parity-check matrices whose main requirement is to be sparse, with a very low row and column weight. These codes are easy to generate and moreover admit a variety of choices for the decoding algorithm D , inspired by the Bit Flipping (BF) decoder of Gallager [14], which is very efficient in practice. For these reasons, this class of codes is a natural candidate for the McEliece cryptosystem. A first instantiation was studied in ref. [4], where a private LDPC matrix was considered, along with a linearly transformed version of the same matrix used as the public key. As highlighted in ref. [4], security of the private LDPC code is not preserved unless the public matrix is dense. Thus, in such a framework, the private LDPC code C is represented through its sparse parity-check matrix H , while the public key corresponds to a dense generator matrix G for C . It is important to note that, from the knowledge of G , the opponent can compute several parity-check matrices H ′ for C , but they will not lead to an efficient decoding, unless they are sparse. As explained in Section 2.2, typically having G in systematic form is enough to guarantee such a property. Indeed, we can always write H = [ H 0 ∣ H 1 ] , where H 0 and H 1 have size r × k and r × r , respectively, and H 1 is full rank. Then, the corresponding generator matrix in systematic form is obtained as G = [ I k ∣ H 0 T H 1 − T ] . Typically (unless for particular choices of H ), the inverse of a sparse matrix is dense, and so H 1 − T is dense: in such a case, the multiplication of H 0 T by H 1 − T is enough to hide the structure of H into the one of G .

It is important to note that, due to their probabilistic nature, decoding algorithms for LDPC codes are characterized by a non-trivial Decoding Failure Rate (DFR). This means that, in the case of a decoding failure, Bob must ask Alice for a retransmission of the plaintext, encrypted with a different error vector. In order to avoid frequent retransmissions, which would obviously increase the latency of the system, the DFR must be kept sufficiently low; typically, values are in the range of 1 0 − 6 to 1 0 − 9 . As we will discuss later, this fact represents a crucial difference, with respect to the case of algebraic codes, since it leads to a new family of attacks aimed at recovering the secret key by observing Bob’s reactions. This also has implications on the security model against a Chosen Ciphertext Attack (CCA) for these systems [15]. Therefore, finding reliable models for their DFR is necessary to ensure that its value is negligible for those instances designed to achieve indistinguishability under chosen ciphertext attack (IND-CCA) [16].

2.4 Main attacks

We briefly recall the two main types of attacks that can be mounted against the McEliece cryptosystem and its variants when using sparse-matrix codes.

2.5 Structured sparse-matrix codes

Using generic LDPC and MDPC codes without any structure in the McEliece cryptosystem is not a practical choice, as pointed out in ref. [4]. This is because the need to avoid sparse public matrices makes the resulting public key sizes significantly larger than the ones we can obtain with other families of codes, like Goppa codes. In fact, even if the private sparse parity-check matrix can be compactly represented through the positions of its non-null entries (and so, a row with Hamming weight equal to w can be stored just with w log 2 n log 2 q bits), applying this technique to the public key is not possible, since a sparse G might compromise the security of the system. One way to avoid this issue is to add some structure to the code family. This idea was first introduced by considering Quasi-Cyclic (QC) codes [3] and was then extended to LDPC codes [24] and algebraic codes [25]. In all cases, the authors propose to use QC codes to reduce the public key size. A QC code can be simply seen as a code which admits parity-check and generator matrices made of circulant blocks. A circulant matrix is a matrix in which every row is obtained as the cyclic shift of the previous one; an example of a circulant matrix is

Any circulant matrix is fully described by one of its rows, conventionally the first one. This means that, in the McEliece cryptosystem, we can describe the public key completely using just the first row of each one of its circulant blocks; it is clear that this results in a significant reduction in the public key size with respect to instances using non-structured public matrices. However, this additional structure presents some drawbacks, since it exposes the system to structural weaknesses. In particular, the QC structure summed to the algebraic structure of the underlying codes provides a lot of information to the attacker and opens up the possibility of structural attacks aimed at recovering the private code. The most famous structural attack of this type is known as FOPT [26] and works by solving a multivariate algebraic system with Gröbner bases techniques together with the QC property, which greatly reduces the number of unknowns of the system. As a result, it seems very hard to provide secure schemes which involve QC algebraic codes (Goppa, GRS etc.), while still obtaining an effective key reduction: the recent NIST proposal BIG QUAKE [27] shows a reduction of about 1/4 in the key size compared to what would be obtained in a “classical” McEliece using unstructured binary Goppa codes.

Therefore, once again, it seems safer to deploy code-based schemes using sparse-matrix codes, since in this case there is no additional algebraic structure, and the QC property alone is not enough to provide a structural attack. However, some care is still necessary when using sparse-matrix codes. In particular, two main aspects have to be considered:

• ISD algorithms might obtain a speed up from the QC structure. This results in a complexity reduction for the relevant attacks. Such a speedup is achieved for both key recovering attacks and decoding attacks (following from the Decoding One Out of Many [DOOM] approach [28]). The attack complexity remains exponential in the key length, but the attack speedup leads to an increase in the row weight of H and in the number of errors to be used during encryption, which in turn results in an increase in the key length.

• It has been recently shown that the probability of a decoding failure depends on the number of overlapping ones between the error vector and rows of H [29]. In addition, in a circulant matrix, all the rows are characterized by the same set of cyclic distances between set symbols (given two ones at positions i and j, the corresponding cyclic distance is computed as min { ± ( i − j ) mod p } , with p being the circulant size). Based on these considerations, it has been shown in ref. [29] that an adversary can mount a key recovery attack by impersonating Alice, producing many ciphertexts and requesting Bob to decrypt them. The adversary can then exploit Bob’s reactions concerning decoding failures, which are of public knowledge, in order to gather information about the secret key structure. The set of all distances of the rows of H is called distance spectrum and can be used to reconstruct H . This problem can be related to a graph problem, in which a row of H corresponds to a clique with maximum size. For a sparse QC matrix, such a graph is sparse as well, which gives a small number of cliques. This means that, once the distance spectrum is known, recovering the corresponding parity-check matrix is not a hard task in most cases.

Currently, the countermeasures that have been devised against the aforementioned reaction attacks exploit the use of ephemeral keys [30,31], of special iterative decoders that allow theoretical modeling of their failure rate [32,33], or of particular families of codes that make the reconstruction of the secret key unfeasible [34]. However, all these solutions come with some price to key pair must be generated for each encryption (in the first case) or the size of the public key must be increased (in the second and third cases).

As we will see in the rest of this article, the idea of using some structure to reduce the public key size can be strongly generalized. In particular, we will show that existing solutions are just very special cases of a wider framework, characterized by a large variety of options. This generalization comes with no increase in public key size, while on the other hand potentially allows us to avoid DOOM and/or reaction attacks, or at least to reduce their efficiency.

3.1 Pseudo-rings induced by families of permutations

In the particular case of signatures made of just one row (i.e., reproducible order m = 1 ) and the functions σ i being permutations, we have a further result, which is described in Theorem 3.10. We point out that all the results we present in this section can be generalized, in order to consider the case m > 1 , but we will not go into further details here. Since a p × p permutation corresponds to a matrix in which every row and column has weight equal to 1, it can equivalently be described as a bijection over [ 0 , p − 1 ] ⊂ N . Given a permutation matrix σ i , we denote the corresponding bijection as f σ i . If the element of σ i in position ( v , z ) is equal to 1, then f σ i ( v ) = z . The inverse of f σ i is denoted as f σ i − 1 , which is the bijection associated with the permutation matrix σ i − 1 = σ i T ; if f σ i ( v ) = j , then f σ i − 1 ( j ) = v . Let a and a ′ be two row vectors with entries { a 0 , a 1 , a 2 , … } and { a 0 ′ , a 1 ′ , a 2 ′ , … } , respectively, such that a ′ = a σ i . Then, a j ′ = a f σ i − 1 ( j ) . If instead a ′ T = σ i a T , then a j ′ = a f σ i ( j ) . We use f σ i ∘ f σ j to denote the bijection defined by the application of f σ i after f σ j . In other words, f σ i ∘ f σ j corresponds to the permutation matrix σ i σ j , and f σ i ∘ f σ j ( v ) = f σ i ( f σ j ( v ) ) . The identity I p can be seen as the particular permutation that does not change the order of the elements; the corresponding bijection, which will be denoted as f I p , is such that each element is mapped into itself (in other words, f I p ( v ) = v ).

Starting from the result of Theorem 3.10, we can easily derive some other properties that ℱ must satisfy.

Sum and multiplication are not the only matrix operations we consider. In Theorem 3.14, we analyze how transposition acts on the matrices belonging to an ℱ -reproducible pseudo-ring ℳ q ℱ , 1 .

Depending on the properties stated in the previous theorems, the family ℱ might induce different algebraic structures over F q p × p . In particular, let us consider the case of ℱ corresponding to ℳ q ℱ , 1 satisfying both Theorems 3.13 and 3.14. Let A be a square matrix whose elements are picked from ℳ q ℱ , 1 . By definition, we have A − 1 = det ( A ) − 1 adj ( A ) , where det ( A ) is the determinant of A and adj ( A ) is the adjugate of A . Computing det ( A ) involves only sums and multiplications: this means that det ( A ) ∈ ℳ q ℱ , 1 ; because of Theorem 3.13, det ( A ) − 1 ∈ ℳ q ℱ , 1 . Computing adj ( A ) involves sums, multiplications and transpositions: because of Theorem 3.14, we have that the entries of adj ( A ) are again elements of ℳ q ℱ , 1 . This means that A − 1 is a matrix whose elements belong to ℳ q ℱ , 1 , and so has the same ℱ -quasi-reproducible structure of A .

3.2 Known examples of ℱ -reproducible pseudo-rings

In Section 3.1, we have described some properties that a family of permutations ℱ must have to guarantee that it induces algebraic structures on F q p × p . Well-known cases of such objects, with common use in cryptography, are circulant matrices and dyadic matrices.