Codes and Encryption

December 6, 2022

Coding Theory and Cryptography

Codes and Cryptosystems

Two uses for codes in cryptography:

Error Correction and Diffusion
Post-Quantum Public Key Cryptography

Public Key Cryptography

Recall: Public Key Cryptosystems

Purpose: Secure communications without having to share a private key.
Examples: RSA, ElGamal, DH, ECDH

RSA

Bob chooses large primes \(p\) and \(q\) and computes \(n=pq\).
Bob chooses exponent \(e\) relatively prime to \((p-1)(q-1)\).
Bob computes \(d = e^{-1}\) modulo \((p-1)(q-1)\).
Bob makes \(n\) and \(e\) public, but keeps \(p\), \(q\), and \(d\) secret.
Alice codes a plaintext message as a number \(m\). She computes \(c = m^e \bmod n\) and sends \(c\) to Bob.
Bob decrypts by computing \(m = c^d \bmod n\).

ElGamal

Bob chooses a large prime \(p\) and a generator \(\alpha\in U(p)\), as well as a secret exponent \(a\). Bob computes \(\beta = \alpha^a\) in \(U(p)\), and makes the triple \((p,\alpha, \beta)\) public.
Alice chooses a secret random \(k\) and computes \(r = \alpha^k\) in \(U(p)\).
To send the plaintext message \(m\), Alice computes \(t = \beta^km\) in \(U(p)\) and sends the pair \((r,t)\) to Bob.

Decryption: In \(U(p)\), Bob uses the secret \(a\) to compute \[ tr^{-a} = \beta^km(\alpha^k)^{-a} = (\alpha^a)^km\alpha^{-ak} = m \]

Review

Group Exercise

Exercise: For the linear code generated by the following matrix,

\[ G = \begin{bmatrix} 1&0&0&1&1 \\ 0&1&1&1&0 \end{bmatrix} \]

How many code words are there?
How many errors can the code correct?
How many information bits are there in this code?
Suppose you want to encode the message \(\begin{bmatrix} 1 & 1 \end{bmatrix}\). Compute the corresponding code word \(m\) you would send for this message.
Compute the parity check matrix for \(G\).
Add the error vector \(e = \begin{bmatrix} 0 & 0 & 1 & 0 & 0 \end{bmatrix}\) to \(m\), and compute the syndrome of the result.
What are the syndromes of the weight 1 error vectors?

Using Codes to Encrypt

One-Way Functions

Multiplication in \(\mathbb{Z}_n\) is easy, factoring is hard.
Exponentiation in \(\mathbb{Z}_n\) or \(E\) is easy, discrete logs are hard.
However, both of these problems are easy if quantum computers exist. (See Shor’s Algorithm, Chapter 19.)
Elliptic curve discrete logs also can be solved with Shor’s Algorithm.

Brute force or syndrome decoding is hard (NP-hard).

Goal: Find codes with additional structure so that decoding is easy. Use these for one-way functions.

McEliece Public Key Cryptosystem

Bob chooses a large \([n,k]\) binary linear code that can correct \(t\) errors efficiently and computes its generator matrix \(G\).
Bob chooses a random binary invertible \(k\times k\) matrix \(S\) and a random \(n\times n\) permutation matrix \(P\).
Bob publishes the key \(G_1 = SGP\) and keeps \(S\), \(G\), and \(P\) secret.
To send a message \(x\) (a \(k\)-dimensional row vector), Alice picks a random \(n\)-dimensional error vector \(e\) with weight \(t\), and sends \(y = xG_1 +e\).
To decrypt, Bob computes \(y_1 = yP^{-1}\). Note that \(y_1 = xSG + e_1\) for some other error vector \(e_1\) with weight \(t\).
Bob uses his efficient decoding algorithm to decode \(y_1\) to obtain code word \(x_1\). Let \(x_0\) be the \(k\)-dimensional vector such that \(x_0G = x_1\) (the information bits). The decrypted message is \(x_0S^{-1}\).

Step 1: Bob chooses a code.

\[ G = \begin{bmatrix} 1&0&0&1&1 \\ 0&1&1&1&0 \end{bmatrix} \]

So \(t = 1\), \(n=5\), \(k=2\).

Step 2a: Bob chooses a random invertible \(k\times k\) matrix.

set.seed(4089) # for reproducibility
print(S <- randInvMatrix(2))

$M
     [,1] [,2]
[1,]    1    1
[2,]    1    0

$Minv
     [,1] [,2]
[1,]    0    1
[2,]    1    1

Step 2b: Bob chooses a random \(n\times n\) permutation matrix.

set.seed(1442)
print(P <- randPermMatrix(5))

     [,1] [,2] [,3] [,4] [,5]
[1,]    0    0    1    0    0
[2,]    0    0    0    0    1
[3,]    1    0    0    0    0
[4,]    0    0    0    1    0
[5,]    0    1    0    0    0

Step 3: Bob publishes \(G_1 = SGP\).

Exercise: Compute the matrix \(G_1\) that Bob publishes.

Step 4: Alice sends a message.

Alice wants to send \(x= \begin{bmatrix} 1 & 1 \end{bmatrix}\). She picks a random error vector \(e\):

set.seed(236)
randBinVector(5, 1)

[1] 0 0 1 0 0

and sends \(y = xG_1 + e\).

Exercise: Compute the vector \(y\) that Alice sends.

Step 5: Bob computes \(y_1 = yP^{-1}\).

Compute \(y_1\). (Hint: The inverse of a permutation matrix is its transpose.)

Step 6. Bob decodes \(y_1\) and recovers the message.

Compute the syndrome of \(y_1\), find its coset leader, and decode \(y_1\).
The information bits of \(x_1\) are the first \(k = 2\) bits. Bob recovers the message by multiplying this on the right by \(S^{-1}\).

Check that this works.

Practical considerations

Codes for Cryptography

To suffice as a one-way function, the number of code words needs to be large (e.g., \(n \approx 1024\) gives about \(1.8 \times 10^{308}\) bit strings.)

Codes this large can’t be decoded using syndrome decoding.

Binary Goppa Codes

Parameters: Given \(m\) and \(t\), there is a binary Goppa code with \(n = 2^m\), \(k = n-mt\), and distance \(2t+1\).

To construct a Goppa code, you need:

a degree \(t\) polynomial in \(GF(2^m)\).
\(n\) elements of \(GF(2^m)\) that aren’t roots of the polynomial.

Decoding is fast, if you know this polynomial and these chosen elements. (Patterson)

Example: There are several \([1024, 524]\) Goppa codes that can correct 50 errors.

Efficiency, Implementation, Security

Source: A Summary of McEliece-Type Cryptosystems and their Security, by D. Engelbert, R. Overbeck and A. Schmidt.

How fast is it?
How easy is it to implement?
How secure is it?

McEliece Key Size

RSA Key Size and Security

McEliece Security

Advantages/Disadvantages

Advantages of McEliece:

Faster encryption and decryption than RSA
More secure, especially post-quantum
- Selected as candidate for PQC by NIST in July, 2022.

Disadvantages:

Large key: have to store it.
Large key: have to generate it.
Not many implementations “in the wild.”