ebook img

Improved code-based identification scheme PDF

0.1 MB·
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Improved code-based identification scheme

Improved code-based identification scheme Pierre-Louis Cayrel Pascal Véron CASED IMATH Mornewegstrasse, 32 Université de Toulon et du Var. 64293 Darmstadt B.P.20132, F-83957 La Garde Cedex, Germany France [email protected] [email protected] 0 1 0 2 n Abstract—Werevisitthe3-passcode-basedidentificationscheme is a three-pass interaction between the prover and the verifier. a proposed by Stern at Crypto’93, and give a new 5-pass protocol Stern’ scheme has two major drawbacks : J for which the probability of the cheater is ≈1/2 (instead of 2/3 1) many rounds are required because the cheater suc- intheoriginal Stern’sproposal).Furthermore, weproposetouse 8 quasi-cyclic construction in order todramatically reduce the size cess probability is 2/3 instead of 1/2 for Fiat-Shamir’s 1 ofthe public key. factorization-based protocol [8], hence typically 27 The proposed scheme is zero-knowledge and relies on an NP- rounds are needed so that this probability be less than R] cSoymndprleotmeepDroebcloedmingcopmroinbglemfro).mTackoidnigngintthoeaocrcyou(nnatmaerlyectehnetsqt-uadryy 2−16, of a generalization of Stern’s information-set-decoding algorithm 2) the public key is very large, typically 66 Kbits. C fordecodinglinearcodesoverarbitraryfinitefieldsFq,wesuggest ThefirstissuewasaddressedbyGaboritandGiraultin[10] . parameters so that the public key be 34Kbits while those of s and the second one was partially adressed by Véron [20]. In c Stern’s scheme is about 66Kbits. This provides a very practical [ identification (and possibly signature) scheme which is mostly this paper, we focus on the first drawback. Using q-ary codes attractive for light-weight cryptography. insteadofbinaryones,wedefinea5passidentificationscheme 1 for which the probability of a cheater is bounded by 1/2. We I. INTRODUCTION v then propose to use quasi-cyclic construction to address the 7 Cryptosystembasedonnumber-theory(problemsoffactori- second drawback. 1 sation and discrete logarithm) is more and more widely used 0 in the real world. After Shor’s algorithm which describes a Organisation of the paper 3 quantum algorithm tosolve inpolynomial timethe twoprevi- In Section II, we give basics facts about code-based cryp- 1. ous problems, there is a strong need for public key schemes tography,wedescribetheoriginalStern’sschemeandpropose 0 whicharenotbasedonsuchproblems.Firstlybecauseitwould in Section III a new identification scheme which permits to 0 beunreasonabletoconsideronlyonetypeofhardproblem.At reducethenumberofroundsinvolvedduringtheidentification 1 thetime,nearlyallpublickeycryptographicproductsarebased process. In Section IV, we describe the properties of our : onintegerfactorizationordiscretelogarithm.Secondly,evenif v proposal and study its security. The Section V concludes our i theabovementioned problemsremainhard, practicalprogress contribution. X in factorization and discrete logarithm computation leads to r choose larger and larger keys. II. CODE-BASEDCRYPTOGRAPHY a The Shor’s algorithm doesn’t threaten the so-called post- In this section we recall basic facts about code-based cryp- quantum cryptosystems as lattice-based, code-based, and tography. We refer to [4], for a general introduction to these multivariate-based cryptosystems. problems. In this paper, we consider a particular type of alternative cryptography, based on error-correcting code theory. Code- A. Definitions based cryptography was initiated a long time ago with the Linear codes are k-dimensional subspaces of an n- celebrated McEliece encryption algorithm. Publickeyidentification(ID)protocolsallowapartyholding dimensional vector space over a finite field Fq, where k and n are positive integers with k < n, and q is a prime power. a secret key to prove its identity to any other entity holding Theerror-correctingcapabilityofsuchacodeisthemaximum the corresponding public key. The minimum security of such number t of errors that the code is able to decode. In short, protocolsshouldbethatapassiveobserverwhoseestheinter- linearcodeswiththeseparametersaredenoted(n,k,t)-codes. action should not then be able to perform his own interaction and successfully impersonate the prover. At Crypto’93, Stern proposed a new scheme, which is still Definition II.1 (Hamming weight) The(Hamming)weightof today the reference in this area [18]. The Stern’s scheme is avectorx isthenumber of non-zero entries. Weusewt(x)to a multiple round zero-knowledge protocol, where each round represent the Hamming weight of x. Definition II.2 (Generator and Parity Check Matrix) Let B. SD identification schemes C be a linear code over Fq. A generator matrix G of C is a Stern’s scheme is the first practical zero-knowledge matrix whose rows form a basis of C: identification scheme based on the Syndrome Decoding C ={xG:x∈Fk}. problem[18].Theschemeusesabinary(n−k)×nmatrixH q common toallusers. If H ischosen randomly, itwillprovide A parity check matrix H of C is defined by a parity check matrix for a code with asymptotically good minimum distance given by the (binary) Gilbert-Varshamov C ={x∈Fnq :HxT =0} (GV) bound. The private key for a user will thus be a word and generates the dual space of C. s of low weight wt(s)= ω (with H2(ω)≈1−k/n), which sums up to the syndrome HsT = y, the public key. By Stern’s 3-pass zero-knowledge protocol, the secret key holder Wedescribeherethemainhardproblemsonwhicharebased can prove his knowledge of s using two blending factors: the code-based cryptosystems. a permutation and a random vector. However, a dishonest Letnandrbetwointegerssuchthatn≥r,Binary(n,r)(resp. prover not knowing s can cheat the verifier in the protocol q−ary(n,r)) be the set of binary (resp. q-ary) matriceswith withprobability 2/3. Thus, the protocol has to be run several n columns and r rows of rank r. Moreover, let us denote by x←R A, the fact that x is randomly selected in the set A. times to detect cheating provers. The security of the scheme reliesonthedifficultyofthegeneraldecodingproblem,thatis on the difficulty of determining the preimage s of y=HsT. Definition II.3 (binary Syndrome Decoding (SD) problem) As mentioned in [3], the SD problem, stated in terms of generator matrix is also NP-complete since one can go from Input : H ←R Binary(n,r), y ←R Fr2 and an integer the parity-check to the generator matrix (or vice-versa) in ω>0. polynomialtime.In[20],theauthorusesageneratormatrixof Ouput: A word s∈Fn2 such that wt(s)≤ω, HsT =y. arandom linear binary as the public key and defines thisway a dual version of Stern’s scheme in order to obtain, among This problem was proven to be NP-complete in 1978 [3], but other things, an improvement of the transmission rate. only for binary codes. Figure 1 sums up the performances of the two 3-pass SD Definition II.4 (q-ary Syndrome Decoding (qSD) problem) identification schemes for a probability of cheating bounded by 10−6. The computation complexity is the number of bits Input : H ←R q−ary(n,r), y ←R Fr and an integer operation involved by the protocol and the communication q ω>0. complexity the number of exchanged bits. Ouput: A word s∈Fn such that wt(s)≤ω, HsT =y. q SD G-SD In 1994, A. Barg proved that this result holds for codes over Rounds 35 35 all finite fields [1, in russian]. Public data (bits) 66048 66816 Computation complexity 222.13 222.5 The problems which cryptographic applications rely upon Communication complexity 40133 34160 can have different numbers of solutions. For example, public key encryption schemes usually have exactly one solution, Fig.1. Performances ofSDschemes while digital signatures often have more than one possible solution. For code-based cryptosystems, the uniqueness of C. Attacks solutions can be expressed by the Gilbert-Varshamov (GV) bound : For SD identification schemes, since the matrix used is a random one, the cryptanalyst is faced to the problem of decoding a random binary linear code. There are two main Definition II.5 (q-ary Gilbert-Varshamov bound) families of algorithms to solve this problem : Information Set Let Hq(x) be the q-ary entropy function, given by : Decoding(ISD)and(Generalized)BirthdayAlgorithm(GBA). Hq(x)=xlo˙gq(q−1)−xlo˙gqx−(1−x)lo˙gq(1−x). TheInformation-Set-DecodingAttackseemstohavethelowest complexity. Suppose 0 ≤ δ ≤ (q−1)/q. Then there exists an infinite Onetriestorecover the k information symbols as follows: sequence of (n,k,d) q-ary linear codes with d/n = δ and thefirststepistopickk of thencoordinates randomlyinthe rate R=k/n satisfying the inequality : hope that all of them are errors free. Try then to recover the messagebysolvingak×k linear system(binaryoroverFq). R≥1−Hq(δ) ∀n. In [15], the author presents a generalization of Stern’s information-set-decoding algorithm from [17] for decoding linear codes over arbitrary finite fields F and analyzes the q complexity.Wewillchooseourparameterswithregardstothe Algorithm 2 Identification Scheme complexity of this attack. Private key, sk: s∈Fn such that HsT =y and wt(s)= q ω. III. ANEWIDENTIFICATIONSCHEME Public key, pk: H a (n−k×n) random matrix of rank ofIsnizweh⌈altogfo2l(lqo)w⌉s,=wNe .coWnseidreerpraenseenltemeaecnht eolfemFnqenatsonf Fbqlocass nFnq−−kkaonvderωFq∈,Nhacollisionresistancehashfunction, y∈ N bits.Wefirstintroduceaspecialtransformationthatwewill ⊲Prover:generatesavectoru∈Fnq,avectorγ ∈Fnq∗ and use in our protocol. apermutationΣover{1,...,n}atrandomandcomputes the commitments : γDe=fin(itγi1o,n..I.II,.γ1n)Le∈t ΣFnqbesucahptehramtu∀tai,tiγoin6=of0{.1W,.e.d.,enfin}eatnhde 21:: SSeett cc12 ←←hh(cid:0)(ΠΣγ,,γΣ,(Hu)u,TΠ(cid:1)γ,Σ(s)) transformation Π as : γ,Σ 3: Sends the commitments {c1,c2} to the Verifier. Πγ,Σ : Fnq −→ Fnq ⊲ Verifier: chooses a random α ∈ Fq and sends it to the v 7→ (γ v ,...,γ v ) Prover. Σ(1) Σ(1) Σ(n) Σ(n) ⊲ Prover: sends Πγ,Σ(u+αs)=β ∈Fnq to the Verifier. ⊲ Verifier: sends a challenge b∈{0,1} to the Prover. Notice that ∀α∈Fq, ∀v∈Fnq, ⊲ Prover: answers the challenge 4: if b=0 then reveals Σ and γ. Πγ,Σ(αv)=αΠγ,Σ(v) and wt(Πγ,Σ(v))=wt(v). 5: else if b=1 then reveals Πγ,Σ(s). A. Key generation 6: end if Letr=n−k,theschemeusesarandom(r×n)q-arymatrix ⊲ Verifier: checks commitment correctness H common to all users. It can be considered as the parity 7: if b =0 then checks if c1 = h(Σ,γ,HΠ−γ,1Σ(β)T −αy) check matrix of a random linear (n,k) q-ary code. Without is correct loss of generality, we can assume that H is given under the 8: else if b = 1 then checks if c2 = h(β − form H =(Ir|M) where M is a random r×r matrix, since αΠγ,Σ(s),Πγ,Σ(s)) is correct and if wt(Πγ,Σ(s))=ω. it is well known that a Gaussian elimination doesn’t change 9: end if the code generated by H. Let κ be the security parameter, algorithm 1 describes the key generation process. with wt(z) = ω. Which gives β − β′ = (α− α′)z and Algorithm 1 Key generation(1κ) HΠ−1(β−β′)T =(α−α′)y.WethendeduceHΠ−1(z)T = γ,Σ γ,Σ ⊲ Choose n,k,ω and q such that WFISD(n,r,ω,q)≥2κ y and wt(Π−γ,1Σ(z))=wt(z)=ω. ⊲ Randomly pick a (r×n) q-ary matrix H. Hence the success probability of a cheater is bounded by ⊲ Randomly pick s∈Fn with wt(s)=ω. q+1. q 2q ⊲ Compute y such that HsT =y. C. Signature ⊲ Output : pk =(H,y,ω) and sk = s. By using the so-called Fiat-Shamir paradigm [8], it is theoretically possible to convert this protocol into a signature B. Identification scheme, even if it is practically questionable, since the signa- ture is large. The secret key holder can prove his knowledge of s using twoblendingfactors:thetransformationabovementionnedand IV. PROPERTIESANDSECURITYOFTHESCHEME a random vector. However, a dishonest prover not knowing s A. Zero-knowledge can cheat the verifier in the protocol with probability ≈ 1/2. Thus,theprotocolhastoberunseveraltimestodetectcheating Let I = (H,y,ω) be the public data shared by the prover provers. The security of the scheme relies on the difficulty and the verifier and let P(I,s) be the following predicate : of the general decoding problem, that is on the difficulty of P(I,s)= “s isavector which satisfiesHsT =y,wt(s)= determining the preimage s of y=HsT. ω” then : This protocol is repeated δ times. A cheater has, once c 1 and c2 sent, to be able to answer to 2q possible questions. If Proposition IV.1 The protocol is an interactive proof of heisonly abletoanswer toq+2questions thenheisableto knowledge for P(I,s). find a solution to the problem. Indeed, let us denote by z the value sent when b = 1, for c and c fixed, this means that Due to the limited size of this paper we don’t detail this 1 2 there exist α and α′ distinct and β and β′ such that : proposition here. HΠ−1(β)T −αy=HΠ−1(β′)T −α′y γ,Σ γ,Σ Theorem IV.1 The protocol is a zero-knowledge interactive ′ ′ β−αz =β −αz proof for P(I,s) in the random oracle model. Wewilldetailthistheoreminalongerversionofthisarticle. same level of security and a probability of cheating of 2−16. However, notice that because of the randomness of u and α We considered that all seeds used are of length 128. only random values are exchanged during the protocol. B. Security and Parameters SD G-SD Our scheme Rounds 27 27 16 Like binaries SD identification schemes, security of our Publicdata(bits) 123200 124250 33792 schemereliesonthreepropertiesofrandomlinearq-arycodes: Communication(bits) 37872 31572 30848 1) Randomlinearcodessatisfytheq-aryGilbert-Varshamov Computation 222.7 223.1 212.1mult+ lower bound [11]; (bits. op) (bits. op) 211.3add 2) For large n almost all linear codes lie over the Gilbert- (bytes op.) Varshamov bound [16]; 3) Solving the q-ary syndrome decoding problem for ran- Fig.2. SDschemesvs.q-arySDscheme dom codes is NP-complete [1]. To obtain a security level of 2128 suggested parameters are Now taking into account the bounds on the workfactor of the Information Set Decoding algorithm over Fq given in [14] q=256,n=208,k=104,wt(s)=78 (and which generalizes the bounds given in [9]) we have to set up parameters in order to obtain a practical scheme which gives a scheme with the following properties : with a security level greater or equal than 280. We have then to choose the number of rounds in order to minimize the Rounds : 16 probability of success of a cheater. Public data (bits) : 88192 Communication (bits) : 46224 Since we deal with random codes, we have to select Computation (bytes op.) : 212.9mult. and 211.5add. parameters with respect to the Gilbert-Varshamov bound (see Definition II.5), i.e. choose a weight ω with respect to this Notice that in [18], Stern has proposed two 5 pass variant bound. Moreoverasusualwewillnowsupposek=r=n/2. of his scheme : one to minimize the computing load and the Let N be the number of bits needed to encode an element other one to lower the number of rounds. However, for these of Fq, ℓh the output size of the hash function h, ℓΣ (resp. twovariants,thesizeofthepublicdataandthecommunication ℓγ) the size of the seed used to generate the permutation Σ complexityaregreater thantheoneofour scheme .Aprecise (resp.thevectorγ) and δ the number of rounds. We have the comparison for the computation complexity willbe made ina following properties for our scheme : longer version of this paper. C. Reducing public key size Size of the public data in bits : 1) Quasi-cyclic construction: In [10], the authors propose k×k×N +nN(we use the systematic form of H) a variation of the Stern identification scheme by using double circulant codes. The circulant structure of the public matrix Total number of bits exchanged : makes the computation very easy without having to generate δ(2ℓh+N+nN +1+(ℓΣ+ℓγ+nN)/2) thewholebinarymatrix, indeed thewholeschemeonly needs veryfewmemorystorage.Theyproposeaschemewithapublic Computation complexity over F : q key of size 347 bits and a private key of size 694 bits. Wecanusethisconstructioninourcontextbyreplacingthe δ(k+n+2wt(s) multiplications+k+wt(s) additions) random q-ary matrix H by a random q-ary double circulant To obtain a precise complexity on the workfactor of matrix. ISD algorithms over Fq we’ve used the code developped 2) Quasi-dyadic construction: We can also imagine a con- by C. Peters which estimates (using a Markov chain struction based on quasi-dyadic codes as proposed in [13]. implementation)thenumberofiterationsofthebestalgorithm Recentlyseveralnewstructuralattacksappearedin[19]and for an attack using all possible known tricks [15]. ISD [7] that extract the private key of some parameters of the algorithmsdependonasetofparametersandthiscodeallows variants presented in [2] and [13]. But in our context we deal to test which ones can minimize the complexity of the attack. withrandomcodesandwearethreatenbythiskindofattacks. Furthermorein[6] theauthors describe asecureimplemen- We suggest to use for our scheme : tation of the Stern scheme using quasi-circulant codes. Our proposal inherits of the good properties of the original Stern q=256,n=128,k=64,wt(s)=49. schemefacetoleakageofinformationasSPAandDPAattacks. The complexity of an attack using ISD algorithms is then at The parameters using quasi-cyclic or quasi-dyadic randoms least287.ForthesamesecuritylevelinSDschemes,weneed codes are q =256,n=128,k =64,wt(s)=49 this gives a to take n = 700,k = 350,wt(s) = 75. Table 2 sums up the publickeyof512bitsandaprivatekeyof1024bitsforalmost characteristics of our scheme and those of SD schemes for a the same complexity for an ISD attack. 3) Embeddingthesecretinthematrix: Infactitispossible [12] C. Aguilar Melchor, P.-L. Cayrel, and P. Gaborit. A new to still decrease the sizes obtained in the previous subsection. efficientthresholdringsignatureschemebasedoncodingtheory. In Post-quantum cryptography, second international workshop, The idea (from [10]) consists in embedding the secret key x PQCrypto 2008, volume 5299 of Lecture Notes in Computer inthepublicmatrix.Toachievethat,weconsiderthesecretas Science, pages1–16.editors :J.BuchmannandJ.Ding. a word of the dual code of the code generated by the public [13] R. Misoczki and P. S. L. M. Barreto. Compact mceliece keys matrixH.Thismeans thatwewilluseanull syndrom, which fromgoppacodes. InSelectedAreasinCryptography–SAC’09, does not change the zero-knowledge property. We will detail Proceedings, Calgary, Canada, 2009. [14] R. Niebuhr and P. L. Cayrel. Generalizing information set this improvement in a longer version of this paper. decoding and the (generalized) birthday attack to q-ary codes. Inpreprint, 2009. V. CONCLUSION [15] C.Peters. Information-set decoding forlinear codes overfq. In We have defined an identification scheme which among all Cryptology ePrintArchive,Report2009/589, 2009. theschemesbasedontheSDproblemhasthebestparameters [16] J. N. Pierce. Limit distributions of the minimum distance of random linear codes. In IEEE Trans. Inf. theory, volume 13, forthesizeofthepublicdataaswellasforthecommunication pages595–599, 1967. complexity. Moreover, we have proposed a variant so as to [17] J. Stern. A method for finding codewords of small weight. In reduce the size of the public data. Proc.ofCodingTheoryandApplications,pages106–113,1989. The improvement proposed here to the Stern scheme can [18] J. Stern. A new identification scheme based on syndrome be applied to all the Stern-based identification and signature decoding. LectureNotesinComputerSciencevol.773Springer 1993:13–21, 1993. schemes (as identity-based identification and signature [5] or [19] V. Gauthier Umana and G. Leander. Practical key threshold ring signature [12] for example). recovery attacks on two McEliece variants. 2009. Webelieve that thistype of scheme isarealisticalternative http://eprint.iacr.org/2009/509.pdf. to the usual number theory identification schemes in the [20] P. Véron. Improved identification schemes based on error- correcting codes. Appl. Algebra Eng. Commun. Comput., case of constrained environments such as smart cards and of 8(1):57–69, 1996. applications such as Pay-TV or vending machines. ACKNOWLEDGMENT The authors want to thank Robert Niebuhr and Philippe Gaboritfortheircommentsduringthepreparationofthispaper and Christiane Peters for comments on her code. REFERENCES [1] S. Barg. Some new np-complete coding problems. Probl. PeredachiInf.,30:23–28,1994. [2] T.P.Berger, P.-L.Cayrel, P.Gaborit, andA.Otmani. Reducing key length ofthe McEliece cryptosystem. InProgress inCryp- tology – Africacrypt’2009, Lecture Notes in Computer Science, pages77–97.Springer, 2009. [3] E.Berlekamp,R.McEliece,andH.vanTilborg. Ontheinherent intractability ofcertain coding problems. IEEETransactions on Information Theory,24(3):384–386, 1978. [4] D. J. Bernstein, J. Buchmann, and E. Dahmen. Post-Quantum Cryptography. Springer, 2008. [5] P.-L. Cayrel, P. Gaborit, and M. Girault. Identity-based iden- tification and signature schemes using correcting codes. In International Workshop on Coding and Cryptography, WCC 2007,pages69–78.editors:Augot,D.,Sendrier,N.,andTillich, J.-P. [6] P.L.Cayrel,P.Gaborit,andE.Prouff. Secureimplementationof the stern authentication and signature schemes for low-resource devices. CARDIS,2008. [7] J.-C.Faugère, A.Otmani, L.Perret, andJ.-P.Tillich. Algebraic cryptanalysis ofMcEliece variants withcompact keys. 2009. [8] A. Fiat and A. Shamir. How to prove yourself practical solu- tions to identification and signature problems. Springer LNCS 263:186–194, 1987. [9] M. Finiasz and N. Sendrier. Security bounds for the design of code-basedcryptosystems. IntoappearinAdvancesinCryptol- ogy–Asiacrypt’2009, 2009. http://eprint.iacr.org/2009/414.pdf. [10] P.GaboritandM.Girault.Lightweightcode-basedauthentication andsignature. InIEEEInternationalSymposiumonInformation Theory–ISIT’2007,pages 191–195,Nice,France, 2007.IEEE. [11] F. J. MacWilliams and N. J. A. Sloane. The theory of error correcting codes. InNorth-Holland, 1977.

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.