Content uploaded by Kapish Chand Meena on Mar 17, 2023.
(G)RS codes Niederreiter Cryptosystem SS Attack
Codes
Question: What is a code?
Answer: A collection of fixed-length vectors (codewords) obtained by applying a fixed rule to the vectors of some fixed length (message vectors).
Linear code
A $k$-dimensional subspace of $\mathbb{F}_q^n$ is called a linear $[n,k]$ code over $\mathbb{F}_q$ [a]. Here $n$ is its length and $k$ its dimension.
[a] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes, North-Holland, Amsterdam, 1977.
Kapish Chand Meena Brief of Sidelnikov Shestakov Attack 1
Reed-Solomon code
Definition
Let $\alpha_1, \alpha_2, \dots, \alpha_n$ be distinct elements of $\mathbb{F}_q$ (so necessarily $n \le q$). Then the set
$$C = \{(f(\alpha_1), f(\alpha_2), \dots, f(\alpha_n)) : f(x) \in \mathbb{F}_q[x],\ \deg f(x) < k\}$$
is called a Reed-Solomon code of length $n$ and dimension $k$ over $\mathbb{F}_q$. Here $\alpha_1, \dots, \alpha_n$ are called evaluation points.
Remarks
(i) Message $= (f_0, f_1, \dots, f_{k-1})$; equivalently, a polynomial $f(x) = f_0 + f_1 x + f_2 x^2 + \dots + f_{k-1} x^{k-1} \in \mathbb{F}_q[x]$ of degree at most $k-1$.
(ii) Codeword $= (f(\alpha_1), f(\alpha_2), \dots, f(\alpha_n))$.
(iii) An RS code is a linear code: for $(f(\alpha_1), \dots, f(\alpha_n))$ and $(g(\alpha_1), \dots, g(\alpha_n)) \in C$ we have $((f+g)(\alpha_1), \dots, (f+g)(\alpha_n)) \in C$, and $((\lambda f)(\alpha_1), \dots, (\lambda f)(\alpha_n)) \in C$ for $\lambda \in \mathbb{F}_q$, since $\deg(f+g) < k$ and $\deg(\lambda f) < k$.
Example of an RS code
Let $\mathbb{F}_{2^4} = \mathbb{F}_2[x]/\langle x^4 + x + 1 \rangle = \mathbb{F}_2(\alpha)$, where $\alpha$ is a root of $x^4 + x + 1$, and let $n = 15$, $k = 9$.
Let the message vector of length $k = 9$ be
$$m = (1, 1, 1, \alpha, \alpha, \alpha, 1+\alpha, 1+\alpha^2, 1+\alpha+\alpha^2);$$
equivalently, the message polynomial is
$$m(x) = 1 + x + x^2 + \alpha x^3 + \alpha x^4 + \alpha x^5 + (1+\alpha)x^6 + (1+\alpha^2)x^7 + (1+\alpha+\alpha^2)x^8 \in \mathbb{F}_{2^4}[x].$$
Let $\alpha_1, \alpha_2, \dots, \alpha_{15}$ (all distinct; since $n = 15 = 2^4 - 1$, exactly one element of $\mathbb{F}_{2^4}$ is unused, and the particular choice and ordering of the points is not stated here) be the evaluation points. The codeword is
$$(m(\alpha_1), m(\alpha_2), \dots, m(\alpha_{15})) = (0,\ \alpha^3+\alpha^2+\alpha,\ \alpha^3+\alpha^2,\ \alpha^3+\alpha^2,\ \alpha^3,\ \alpha^3,\ \alpha^3+\alpha^2,\ \alpha^2+\alpha,\ \alpha^3+\alpha^2+\alpha+1,\ \alpha^3+\alpha,\ \alpha^3+\alpha^2+1,\ \alpha^3+\alpha,\ \alpha^2+\alpha+1,\ \alpha,\ \alpha).$$
$$C = \{(m(\alpha_1), m(\alpha_2), \dots, m(\alpha_{15})) : m(x) \in \mathbb{F}_{2^4}[x],\ \deg m(x) < 9\}$$
is an RS code of length 15 and dimension 9 over $\mathbb{F}_{2^4}$.
Generator matrix of a Reed-Solomon code
RS code
$$C = \{(f(\alpha_1), f(\alpha_2), \dots, f(\alpha_n)) : f(x) \in \mathbb{F}_q[x],\ \deg f(x) < k\}$$
Generator matrix
Since every $f(x)$ with $\deg f(x) < k$ is a linear combination of $1, x, \dots, x^{k-1}$, the evaluations of these monomials give a basis of $C$ over $\mathbb{F}_q$:
$$\{(1, 1, \dots, 1),\ (\alpha_1, \alpha_2, \dots, \alpha_n),\ \dots,\ (\alpha_1^{k-1}, \alpha_2^{k-1}, \dots, \alpha_n^{k-1})\}.$$
Hence the generator matrix is
$$G = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ \alpha_1 & \alpha_2 & \cdots & \alpha_n \\ \vdots & \vdots & \ddots & \vdots \\ \alpha_1^{k-1} & \alpha_2^{k-1} & \cdots & \alpha_n^{k-1} \end{pmatrix}_{k \times n},$$
a Vandermonde matrix; its $k$ rows are linearly independent because the $\alpha_i$ are distinct and $k \le n$, so $C$ indeed has dimension $k$.
Generalized Reed-Solomon code
Definition
Let $\alpha_1, \alpha_2, \dots, \alpha_n$ be distinct elements and $v_1, v_2, \dots, v_n$ be non-zero elements of $\mathbb{F}_q$. Then the set
$$GRS_{n,k}(\boldsymbol{\alpha}, \mathbf{v}) = \{(v_1 f(\alpha_1), v_2 f(\alpha_2), \dots, v_n f(\alpha_n)) : f(x) \in \mathbb{F}_q[x],\ \deg f(x) < k\}$$
is called a Generalized Reed-Solomon code of length $n$ and dimension $k$. Here $\alpha_1, \dots, \alpha_n$ are called evaluation points and $v_1, \dots, v_n$ column multipliers.
Remarks
(i) Message $= (f_0, f_1, \dots, f_{k-1})$; equivalently, a polynomial $f(x) = f_0 + f_1 x + f_2 x^2 + \dots + f_{k-1} x^{k-1} \in \mathbb{F}_q[x]$ of degree at most $k-1$.
(ii) Codeword $= (v_1 f(\alpha_1), v_2 f(\alpha_2), \dots, v_n f(\alpha_n))$.
(iii) A GRS code is a linear code; an RS code is the special case $\mathbf{v} = (1, \dots, 1)$.
Generator matrix
The generator matrix of a GRS code becomes
$$G = \begin{pmatrix} v_1 & v_2 & \cdots & v_n \\ v_1\alpha_1 & v_2\alpha_2 & \cdots & v_n\alpha_n \\ \vdots & \vdots & \ddots & \vdots \\ v_1\alpha_1^{k-1} & v_2\alpha_2^{k-1} & \cdots & v_n\alpha_n^{k-1} \end{pmatrix}_{k \times n}.$$
This can be written as
$$G = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ \alpha_1 & \alpha_2 & \cdots & \alpha_n \\ \vdots & \vdots & \ddots & \vdots \\ \alpha_1^{k-1} & \alpha_2^{k-1} & \cdots & \alpha_n^{k-1} \end{pmatrix}_{k \times n} \begin{pmatrix} v_1 & 0 & \cdots & 0 \\ 0 & v_2 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & v_n \end{pmatrix}_{n \times n}.$$
Remark:
Let $\boldsymbol{\alpha}, \mathbf{v}$ be as above and $\mathbf{u} = (u_1, \dots, u_n)$ where
$$u_i = v_i^{-1} \prod_{j \ne i} \frac{1}{\alpha_i - \alpha_j}.$$
Then $GRS_{n,k}(\boldsymbol{\alpha}, \mathbf{v})^{\perp} = GRS_{n,n-k}(\boldsymbol{\alpha}, \mathbf{u})$. Equivalently, $G$ is a parity check matrix of $GRS_{n,n-k}(\boldsymbol{\alpha}, \mathbf{u})$.
In particular the dual of a GRS code is again a GRS code with the same evaluation points, so a parity check matrix of a GRS code has the same Vandermonde-times-diagonal shape as a generator matrix; this is the structure that the Sidelnikov-Shestakov attack recovers from the public key.
Niederreiter cryptosystem
About the cryptosystem
(i) Published by Harald Niederreiter [a] in 1986
(ii) A variant of the McEliece cryptosystem [b]
(iii) A public-key cryptosystem whose plaintexts are low-weight vectors
(iv) The choice of GRS codes turned out to be unsuitable because of the structural attack proposed by Sidelnikov and Shestakov [c] in 1992 (the attack uses the GRS structure; it does not apply to the binary Goppa codes of McEliece's original proposal)
[a] H. Niederreiter, Knapsack-type cryptosystems and algebraic coding theory, Probl. Control and Inform. Theory, 15(2), 159-166, 1986.
[b] R. J. McEliece, A public-key cryptosystem based on algebraic coding theory, DSN Progress Report 42-44, Jet Propulsion Lab., Pasadena, 114-116, 1978.
[c] V. M. Sidelnikov and S. O. Shestakov, On insecurity of cryptosystems based on generalized Reed-Solomon codes, Discrete Math. Appl., 2(4), 439-444, 1992.
Niederreiter cryptosystem
Step 1: Key Generation
(i) Choose a random permutation matrix $P_{n \times n}$
(ii) Choose a random invertible matrix $S_{(n-k) \times (n-k)}$
(iii) Take a parity check matrix $H_{(n-k) \times n}$ of an $[n,k]$ GRS code; the code has minimum distance $n-k+1$ and so corrects $t = \lfloor (n-k)/2 \rfloor$ errors
(iv) Public key: the matrix $(S \cdot H \cdot P)_{(n-k) \times n}$, together with $t$
(v) Private key: the matrices $P$, $S$ and $H$
Niederreiter cryptosystem (continued...)
Step 2: Encryption
(i) Plaintext: $m \in \mathbb{F}_q^n$ of length $n$ and Hamming weight $\le t$
(ii) Ciphertext: $c = (S \cdot H \cdot P) \cdot m^T$
Step 3: Decryption
(i) Compute $S^{-1} c = H P m^T = H (m P^T)^T$
(ii) By linear algebra, find any $y$ with $H y^T = S^{-1} c$; then $H(y - mP^T)^T = 0$, so $y$ is a codeword corrupted by the error vector $mP^T$
(iii) Since $\mathrm{wt}(mP^T) \le t$, applying the decoding algorithm of the GRS code (to $y$, or directly to the syndrome $S^{-1} c$) yields that codeword and the error vector $mP^T$
(iv) Recover $m$ by computing $(mP^T) \cdot P$, since $P^T P = I$
Niederreiter cryptosystem (continued...)
Remark
The cryptosystem depends on the simple but crucial fact that the matrix $H$ yields a one-to-one mapping $\mathbb{F}_q^n \to \mathbb{F}_q^{n-k}$ when restricted to vectors of weight $\le t$. Indeed, $Hy^T = Hz^T \Rightarrow H(y-z)^T = 0 \Rightarrow y - z$ is a codeword. Now $d(y, 0) = \mathrm{wt}(y) \le t$ and $d(y, y-z) = \mathrm{wt}(z) \le t$, so the codewords $0$ and $y-z$ both lie within distance $t$ of $y$; as $2t$ is smaller than the minimum distance, they coincide. Thus $y - z = 0$.
Hardness of the cryptosystem: syndrome decoding of a general linear code is an NP-complete problem
The security assumption is that, for a given ciphertext $c = (S \cdot H \cdot P) \cdot m^T$, one cannot recover the plaintext $m$ of Hamming weight at most $t$ without knowledge of $S$, $H$ and $P$. Equivalently, this is the decoding problem for a linear code whose parity check matrix $S \cdot H \cdot P$ is supposed to look random. For GRS codes the assumption fails: $S \cdot H \cdot P$ retains the GRS structure, and the attack below recovers it.
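The duality remark on the GRS generator-matrix slide and the one-to-one remark above can both be checked mechanically. The following Python is an added example (written for this page, not code from the slides), and it works over the prime field $\mathbb{F}_{13}$ rather than the $\mathbb{F}_{2^4}$ of the earlier example; the field, the toy parameters $n = 12$, $k = 4$ rows in $H$ and $t = 2$, and the chosen $\boldsymbol{\alpha}$, $\mathbf{v}$ are all constructed assumptions. It builds $H$ as the generator matrix of $GRS_{12,4}(\boldsymbol{\alpha}, \mathbf{v})$, computes $\mathbf{u}$ from $u_i = v_i^{-1}\prod_{j \ne i}(\alpha_i - \alpha_j)^{-1}$ and checks $H \cdot G(\boldsymbol{\alpha}, \mathbf{u})^T = 0$. It then verifies by exhaustive enumeration that $H$ separates all vectors of weight $\le t$ (so every ciphertext $H m^T$ has a unique low-weight preimage) and, as the failure mode, splits a minimum-weight codeword into a weight-$(t+1)$ and a weight-$t$ vector with the same syndrome, showing that the bound $t$ is tight.

```python
"""GRS duality and the Niederreiter syndrome map, checked on a constructed toy instance.
Added example over the prime field F_13 (assumption; the slides' example uses F_{2^4})."""
from itertools import combinations, product

P = 13
ALPHA = list(range(12))               # n = 12 distinct evaluation points (constructed)
V = list(range(1, 13))                # non-zero column multipliers (constructed)
K_ROWS = 4                            # H has k = 4 rows; the code with parity check H is GRS_{12,8}, d = 5, t = 2

def inv(a, p):
    return pow(a, p - 2, p)           # inverse in F_p, p prime

def grs_matrix(alpha, v, k, p):
    """k x n generator matrix of GRS_{n,k}(alpha, v): entry (i, j) = v_j * alpha_j^i."""
    return [[v[j] * pow(alpha[j], i, p) % p for j in range(len(alpha))] for i in range(k)]

def dual_multipliers(alpha, v, p):
    """u_i = v_i^{-1} prod_{j != i} (alpha_i - alpha_j)^{-1}: the slide's formula for the dual code."""
    u = []
    for i in range(len(alpha)):
        d = v[i]
        for j in range(len(alpha)):
            if j != i:
                d = d * (alpha[i] - alpha[j]) % p
        u.append(inv(d, p))
    return u

def syndrome(H, e, p):
    """H e^T: the Niederreiter ciphertext of the low-weight vector e (with S = P = I)."""
    return tuple(sum(h * x for h, x in zip(row, e)) % p for row in H)

def duality_holds(alpha, v, k, p):
    """G(alpha, v) * G(alpha, u)^T == 0, i.e. GRS_{n,k}(alpha, v)^perp = GRS_{n,n-k}(alpha, u)."""
    G, Gd = grs_matrix(alpha, v, k, p), grs_matrix(alpha, dual_multipliers(alpha, v, p), len(alpha) - k, p)
    return all(syndrome(G, row, p) == (0,) * k for row in Gd)

def syndromes_are_injective(H, t, p):
    """Exhaustively check that distinct vectors of weight <= t have distinct syndromes."""
    n, seen = len(H[0]), set()
    for w in range(t + 1):
        for support in combinations(range(n), w):
            for values in product(range(1, p), repeat=w):
                e = [0] * n
                for pos, val in zip(support, values):
                    e[pos] = val
                s = syndrome(H, e, p)
                if s in seen:
                    return False
                seen.add(s)
    return True

def collision_beyond_t(alpha, v, k, p):
    """Failure mode: split a minimum-weight codeword c (weight d = k+1) of the code with parity
    check H into e1 of weight t+1 and e2 of weight t; then H e1^T = H e2^T although e1 != e2.
    Returns (collision found, wt(e1), wt(e2))."""
    n, t = len(alpha), k // 2
    H, u = grs_matrix(alpha, v, k, p), dual_multipliers(alpha, v, p)
    roots = alpha[:n - k - 1]         # f(x) = prod (x - root) has degree n-k-1 < n-k, so (u_j f(alpha_j))_j is a codeword
    c = []
    for j in range(n):
        f = 1
        for r in roots:
            f = f * (alpha[j] - r) % p
        c.append(u[j] * f % p)
    support = [j for j in range(n) if c[j]]          # exactly k+1 = d non-zero positions
    e1 = [c[j] if j in support[:t + 1] else 0 for j in range(n)]
    e2 = [-c[j] % p if j in support[t + 1:] else 0 for j in range(n)]   # e1 - e2 = c, a codeword
    return syndrome(H, e1, p) == syndrome(H, e2, p) and e1 != e2, sum(map(bool, e1)), sum(map(bool, e2))

def run_checks():
    H = grs_matrix(ALPHA, V, K_ROWS, P)
    return (duality_holds(ALPHA, V, K_ROWS, P),
            syndromes_are_injective(H, K_ROWS // 2, P),
            collision_beyond_t(ALPHA, V, K_ROWS, P))
```

The enumeration in `syndromes_are_injective` is only feasible for toy sizes (here 9649 vectors); for real parameters the uniqueness of the preimage rests on the minimum-distance argument of the remark, which the last function illustrates from the other side.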
Sidelnikov and Shestakov Attack
About the attack
(i) A key-recovery structural attack
(ii) Mountable on cryptosystems based on GRS codes
Assumptions for private keys
(i) Permutation matrix: $P = I_{n \times n}$. This loses no generality: $H \cdot P$ only permutes the columns of $H$, i.e. the pairs $(\alpha_j, v_j)$, so it is again a matrix of the same form and $P$ can be absorbed into $H$.
(ii) Parity check matrix of a GRS code, written with $k$ rows (so $H$ is the generator matrix of $GRS_{n,k}(\boldsymbol{\alpha}, \mathbf{v})$ and the code being decoded is its dual $GRS_{n,n-k}(\boldsymbol{\alpha}, \mathbf{u})$; the $k$ of the Niederreiter slides corresponds to $n-k$ here):
$$H = \begin{pmatrix} v_1 & v_2 & \cdots & v_n \\ v_1\alpha_1 & v_2\alpha_2 & \cdots & v_n\alpha_n \\ \vdots & \vdots & \ddots & \vdots \\ v_1\alpha_1^{k-1} & v_2\alpha_2^{k-1} & \cdots & v_n\alpha_n^{k-1} \end{pmatrix}_{k \times n}$$
Sidelnikov and Shestakov Attack (continued...)
Formulation of the problem
(i) Given
$$K = SH = \begin{pmatrix} v_1 f_0(\alpha_1) & v_2 f_0(\alpha_2) & \cdots & v_n f_0(\alpha_n) \\ v_1 f_1(\alpha_1) & v_2 f_1(\alpha_2) & \cdots & v_n f_1(\alpha_n) \\ \vdots & \vdots & \ddots & \vdots \\ v_1 f_{k-1}(\alpha_1) & v_2 f_{k-1}(\alpha_2) & \cdots & v_n f_{k-1}(\alpha_n) \end{pmatrix}_{k \times n} = \|k_{ij}\|,$$
where $f_0, \dots, f_{k-1}$ are linearly independent polynomials with $\deg f_i \le k-1$ determined by $S$ (row $i$ of $S$ holds the coefficients of $f_i$ in the basis $1, x, \dots, x^{k-1}$), with the convention $f_i(\infty) =$ coefficient of $x^{k-1}$ in $f_i$. (This convention lets $\infty$ serve as an evaluation point; the corresponding column of $H$ is $(0, \dots, 0, v_j)^T$.)
(ii) Find $S$ and $H$, i.e. $(\alpha_1, \alpha_2, \dots, \alpha_n; v_1, v_2, \dots, v_n)$.
Sidelnikov and Shestakov Attack (continued...)
Preliminaries: equivalent solutions of $K = SH$
Let $(S, \alpha_1, \alpha_2, \dots, \alpha_n; v_1, v_2, \dots, v_n)$ be a solution of $K = SH$. Then
$$(S S_1^{-1},\ a\alpha_1 + b, \dots, a\alpha_n + b;\ d_1^{-1} v_1, d_2^{-1} v_2, \dots, d_n^{-1} v_n)$$
is also a solution, $K = (S S_1^{-1}) H_1$, where $a \in \mathbb{F}_q^*$, $b \in \mathbb{F}_q$, the coefficients $s_{ij} \in \mathbb{F}_q$ ($0 \le i, j \le k-1$) are defined by
$$(ax + b)^i = \sum_{j=0}^{k-1} s_{ij} x^j,$$
$S_1 = \|s_{ij}\|$, $d_i = 1$ for finite $\alpha_i$, and $d_i = a^{-(k-1)}$ if $\alpha_i = \infty$.
(Indeed, row $i$ of $H_1$ at a finite column is $v'_j (a\alpha_j + b)^i = v'_j \sum_l s_{il} \alpha_j^l$, so $H_1 = S_1 H$ there with $v'_j = v_j$. At a column with $\alpha_j = \infty$, $H$ has the column $(0, \dots, 0, v_j)^T$ and $S_1 H$ the column $(0, \dots, 0, a^{k-1} v_j)^T$; matching this against the column $(0, \dots, 0, v'_j)^T$ of $H_1$ forces $v'_j = a^{k-1} v_j = d_j^{-1} v_j$.)
Sidelnikov and Shestakov Attack (continued...)
Similarly, if
$$S_2 = \begin{pmatrix} 0 & 0 & \cdots & 1 \\ \vdots & \vdots & \cdots & \vdots \\ 0 & 1 & \cdots & 0 \\ 1 & 0 & \cdots & 0 \end{pmatrix}$$
(the matrix reversing the order of the rows) and $d_i = \alpha_i^{-(k-1)}$ for $\alpha_i \ne 0, \infty$ and $d_i = 1$ otherwise, then
$$(S S_2^{-1},\ \alpha_1^{-1}, \alpha_2^{-1}, \dots, \alpha_n^{-1};\ d_1^{-1} v_1, d_2^{-1} v_2, \dots, d_n^{-1} v_n)$$
is also a solution, $K = (S S_2^{-1}) H_2$, with the conventions $0^{-1} = \infty$ and $\infty^{-1} = 0$. (Row $k-1-i$ of $H$ is $v_j \alpha_j^{k-1} \alpha_j^{-i}$, which is row $i$ of $H_2$ up to the factor $d_j^{-1} = \alpha_j^{k-1}$; the columns at $0$ and $\infty$ are simply swapped by the reversal.)
It follows that for any birational (Möbius) transformation $\varphi : x \mapsto \frac{ax+b}{cx+d}$ with $ad - bc \ne 0$ over $\mathbb{F}_q$ there exist a matrix $S_\varphi$ and $v'_1, v'_2, \dots, v'_n$ such that
$$(S S_\varphi^{-1},\ \varphi(\alpha_1), \varphi(\alpha_2), \dots, \varphi(\alpha_n);\ v'_1, v'_2, \dots, v'_n)$$
is a solution of $K = (S S_\varphi^{-1}) H_\varphi$, because every such $\varphi$ is a composition of affine maps $x \mapsto ax + b$ and the inversion $x \mapsto x^{-1}$. In other words, the public key determines the private key only up to this group of transformations, and recovering any member of the equivalence class suffices for decryption.
Sidelnikov and Shestakov Attack (continued...)
A Möbius transformation is determined by the images of three distinct points, so there is exactly one $\varphi$ with $\varphi(\alpha_1) = 1$, $\varphi(\alpha_2) = 0$, $\varphi(\alpha_3) = \infty$. Therefore, for the vector
$$\boldsymbol{\alpha}' = (1, 0, \infty, \alpha'_4, \alpha'_5, \dots, \alpha'_n)$$
there exist a matrix $S'$ and a vector $\mathbf{v}' = (v'_1, v'_2, \dots, v'_n)$ such that $K = S' H' = \|k_{ij}\|$. The attack computes such an $\boldsymbol{\alpha}'$ directly from $K$, without knowing $\varphi$ or the original $\boldsymbol{\alpha}$.
Sidelnikov and Shestakov Attack (continued...)
Step 1: Proposed algorithm for finding $\boldsymbol{\alpha}'$
(i) Find $c_{1i}, c_{2i} \in \mathbb{F}_q$, $0 \le i \le k-1$, such that the equalities
$$\sum_{i=0}^{k-1} c_{1i} k_{ij} = 0 \quad \text{for } j = 1, k+1, \dots, 2(k-1) \qquad \text{and} \qquad \sum_{i=0}^{k-1} c_{2i} k_{ij} = 0 \quad \text{for } j = 2, k+1, \dots, 2(k-1)$$
hold respectively. (Each is a homogeneous system of $k-1$ equations in $k$ unknowns, so a non-zero solution exists; the vectors $(\sum_i c_{1i} k_{ij})_j$ and $(\sum_i c_{2i} k_{ij})_j$ are codewords of the code spanned by the rows of $K$ that vanish on the chosen $k-1$ positions.)
(ii) Calculate $\beta_{1j} = \sum_{i=0}^{k-1} c_{1i} k_{ij}$ and $\beta_{2j} = \sum_{i=0}^{k-1} c_{2i} k_{ij}$ for $j = 3, \dots, k, 2(k-1)+1, \dots, n$, and find $b_j = \beta_{1j} / \beta_{2j}$.
(iii) Find $c_{3i}, c_{4i} \in \mathbb{F}_q$, $0 \le i \le k-1$, such that the equalities
$$\sum_{i=0}^{k-1} c_{3i} k_{ij} = 0 \quad \text{for } j = 1, 3, 4, \dots, k \qquad \text{and} \qquad \sum_{i=0}^{k-1} c_{4i} k_{ij} = 0 \quad \text{for } j = 2, 3, 4, \dots, k$$
hold respectively.
Sidelnikov and Shestakov Attack (continued...)
Step 1: Proposed algorithm for finding $\boldsymbol{\alpha}'$ (continued...)
(iv) Calculate $\beta_{3j} = \sum_{i=0}^{k-1} c_{3i} k_{ij}$ and $\beta_{4j} = \sum_{i=0}^{k-1} c_{4i} k_{ij}$ for $j = k+1, \dots, 2(k-1)$, and find
$$b_j = b_n \frac{\beta_{4n}}{\beta_{3n}} \frac{\beta_{3j}}{\beta_{4j}} \quad \text{for } j = k+1, \dots, 2(k-1),$$
where $b_n$ was found at step (ii). (Position $n$ serves as a reference position at which both pairs of codewords are non-zero; this requires $n > 2(k-1)$, and any position outside $\{1, \dots, 2(k-1)\}$ would do.)
(v) Put $\alpha'_1 = 1$, $\alpha'_2 = 0$, $\alpha'_3 = \infty$ and
$$\alpha'_j = \frac{b_3}{b_3 - b_j} \quad \text{for } 4 \le j \le n.$$
(vi) Choose $\beta \in \mathbb{F}_q$ differing from all $\alpha'_j$, and replace each $\alpha'_j$ with $\frac{1}{\beta - \alpha'_j}$ (with $\frac{1}{\beta - \infty} = 0$). The new set of $\alpha'_j$ is also part of some solution of $K = S'H'$, now containing no $\alpha'_j = \infty$. (Such a $\beta$ exists because at most $n - 1 \le q - 1$ of the $\alpha'_j$ are finite.)
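Why steps (i) to (v) yield a projective image of the evaluation points (an added derivation, not on the original slides; it assumes all $\alpha_j$ are finite, the case $\alpha_j = \infty$ differing only through the convention $f(\infty) =$ leading coefficient): the rows of $K$ span $GRS_{n,k}(\boldsymbol{\alpha}, \mathbf{v})$, so $\beta_{1j} = \sum_i c_{1i} k_{ij} = v_j f_1(\alpha_j)$ for a non-zero polynomial $f_1$ of degree $\le k-1$ with the $k-1$ prescribed zeros $\alpha_1, \alpha_{k+1}, \dots, \alpha_{2(k-1)}$, and likewise for $\beta_{2j}$. Hence
$$f_1(x) = \lambda_1 (x - \alpha_1) \prod_{l=k+1}^{2(k-1)} (x - \alpha_l), \qquad f_2(x) = \lambda_2 (x - \alpha_2) \prod_{l=k+1}^{2(k-1)} (x - \alpha_l), \qquad \lambda_1, \lambda_2 \in \mathbb{F}_q^*,$$
and for every position $j$ outside both zero sets the multiplier $v_j$ and the common product cancel:
$$b_j = \frac{\beta_{1j}}{\beta_{2j}} = \frac{\lambda_1}{\lambda_2} \cdot \frac{\alpha_j - \alpha_1}{\alpha_j - \alpha_2},$$
a Möbius function of $\alpha_j$ sending $\alpha_1 \mapsto 0$ and $\alpha_2 \mapsto \infty$. On the positions $k+1, \dots, 2(k-1)$, where $\beta_{1j} = \beta_{2j} = 0$, steps (iii) and (iv) give $\beta_{3j}/\beta_{4j} = \frac{\lambda_3}{\lambda_4} \cdot \frac{\alpha_j - \alpha_1}{\alpha_j - \alpha_2}$, and the factor $b_n \beta_{4n}/\beta_{3n} = \lambda_1\lambda_4/(\lambda_2\lambda_3)$ rescales it to the same constant $\lambda_1/\lambda_2$. Composing with $y \mapsto b_3/(b_3 - y)$ gives
$$\alpha'_j = \frac{b_3}{b_3 - b_j} = \varphi(\alpha_j), \qquad \varphi(\alpha_1) = \frac{b_3}{b_3 - 0} = 1,\quad \varphi(\alpha_2) = \frac{b_3}{b_3 - \infty} = 0,\quad \varphi(\alpha_3) = \frac{b_3}{b_3 - b_3} = \infty,$$
which is exactly the normalisation fixed on the previous slide; step (vi) composes once more with $y \mapsto 1/(\beta - y)$ to move $\infty$ back into $\mathbb{F}_q$.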
Sidelnikov and Shestakov Attack (continued...)
Step 2: Proposed algorithm for finding $S'$ and $v'_i$
(i) Find $c_1, \dots, c_{k+1} \in \mathbb{F}_q$, not all zero, such that $\sum_{j=1}^{k+1} c_j k_{ij} = 0$ for $0 \le i \le k-1$ (a vector in the kernel of the first $k+1$ columns of $K$; it is unique up to a scalar).
(ii) Put $v'_1 = 1$ and find $v'_2, \dots, v'_{k+1} \in \mathbb{F}_q$ such that
$$\sum_{j=1}^{k+1} c_j v'_j (\alpha'_j)^i = 0 \quad \text{for } 0 \le i \le k-1.$$
(iii) For each $i$, $0 \le i \le k-1$, find $s_{i0}, \dots, s_{i(k-1)} \in \mathbb{F}_q$ such that
$$\sum_{l=0}^{k-1} s_{il} (\alpha'_j)^l = (v'_j)^{-1} k_{ij} \quad \text{for } 1 \le j \le k,$$
and put $S' = \|s_{ij}\|$. (For each $i$ this is a Vandermonde system in $k$ unknowns; it expresses $k_{ij} = \sum_l s_{il} v'_j (\alpha'_j)^l$, i.e. row $i$ of $K = S'H'$ restricted to the first $k$ columns.)
(iv) Find $(S')^{-1} = \|s'_{ij}\|$ and calculate
$$v'_j = \sum_{i=0}^{k-1} s'_{0i} k_{ij} \quad \text{for } k+2 \le j \le n,$$
since row $0$ of $(S')^{-1} K = H'$ is $(v'_1, \dots, v'_n)$.
Sidelnikov and Shestakov Attack (continued...)
Attack outputs: equivalent keys recovered
Using the public key $SH$ the attack gives:
(i) an invertible matrix $S'$;
(ii) $H'$, i.e. $(\alpha'_1, \alpha'_2, \dots, \alpha'_n; v'_1, v'_2, \dots, v'_n)$;
(iii) $S'H' = K$.
Recovering the original plaintext
Applying the decryption procedure to a ciphertext $c$ with the equivalent private keys $S'$ and $H'$ yields the original plaintext $m$: $(S')^{-1} c = H' m^T$ is a syndrome with respect to $H'$, whose evaluation points and multipliers are now known, so a GRS decoder recovers the unique vector $m$ of weight $\le t$. The originally generated $(S, H)$ are never needed, which is why a key recovered only up to equivalence breaks the system completely.
Attack complexity
$O((k-1)^4 + (k-1)n)$ operations, polynomial in $n$ and $k$, so the attack is practical for every parameter size.
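A complete run of the attack on a toy instance, as added example code (written for this page; it is neither the slides' code nor the attack authors' own implementation): Python over the prime field $\mathbb{F}_{31}$ with constructed parameters $n = 20$, $k = 6$ (the slides fix no parameters; field and sizes are assumptions), $P = I$ as on the assumptions slide, and $K = SH$ for a random invertible $S$ and random $(\boldsymbol{\alpha}, \mathbf{v})$. Positions are 0-indexed, so the slide's column $j$ is index $j-1$. `recover_points` implements Step 1 (i) to (vi); `recover_multipliers` implements Step 2 (i) to (iv), taking the $v'_j$ of the first $k+1$ columns from the explicit dual-GRS formula $c_j \propto (v'_j \prod_{l \ne j}(\alpha'_j - \alpha'_l))^{-1}$ instead of solving the linear system of Step 2 (ii), which is equivalent. The result is checked by verifying $S'H' = K$.

```python
"""Sidelnikov-Shestakov key recovery on a constructed toy Niederreiter/GRS instance (added example; F_p, parameters and key are assumptions)."""
import random
from math import prod

def inv(a, p):
    return pow(a, p - 2, p)                       # inverse in F_p (p prime)

def rref(M, p):
    """Reduced row echelon form over F_p; returns (rows, pivot columns)."""
    M, piv, r = [row[:] for row in M], [], 0
    for c in range(len(M[0])):
        i = next((i for i in range(r, len(M)) if M[i][c]), None)
        if i is None:
            continue
        M[r], M[i] = M[i], M[r]
        s = inv(M[r][c], p)
        M[r] = [x * s % p for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = [(x - M[i][c] * y) % p for x, y in zip(M[i], M[r])]
        piv.append(c)
        r += 1
        if r == len(M):
            break
    return M, piv

def nullspace(M, p):
    """Basis of {x : M x = 0} over F_p, one vector per free column."""
    R, piv = rref(M, p)
    basis = []
    for f in [c for c in range(len(M[0])) if c not in piv]:
        x = [int(c == f) for c in range(len(M[0]))]
        for r, c in enumerate(piv):
            x[c] = -R[r][f] % p
        basis.append(x)
    return basis

def transpose(M):
    return [list(col) for col in zip(*M)]

def matmul(A, B, p):
    return [[sum(x * y for x, y in zip(row, col)) % p for col in zip(*B)] for row in A]

def solve(A, B, p):
    """X with A X = B for invertible square A (rref of the augmented matrix [A | B])."""
    R, piv = rref([ra + rb for ra, rb in zip(A, B)], p)
    assert piv == list(range(len(A))), "singular matrix"
    return [row[len(A):] for row in R]

def grs_matrix(alpha, v, k, p):
    """k x n matrix with entry (i, j) = v_j * alpha_j^i: the H of the slides."""
    return [[v[j] * pow(alpha[j], i, p) % p for j in range(len(alpha))] for i in range(k)]

def keygen(p, n, k, rng):
    alpha, v = rng.sample(range(p), n), [rng.randrange(1, p) for _ in range(n)]
    S = [[rng.randrange(p) for _ in range(k)] for _ in range(k)]
    while nullspace(S, p):                        # retry until S is invertible
        S = [[rng.randrange(p) for _ in range(k)] for _ in range(k)]
    return (S, alpha, v), matmul(S, grs_matrix(alpha, v, k, p), p)

def vanishing_codeword(K, cols, p):
    """beta = c K for a row combination c with beta_j = 0 on the given columns (an f_i with prescribed roots)."""
    c = nullspace(transpose([[row[j] for j in cols] for row in K]), p)[0]
    return [sum(ci * row[j] for ci, row in zip(c, K)) % p for j in range(len(K[0]))]

def recover_points(K, p):
    """Step 1 (i)-(vi): evaluation points of an equivalent key, all finite. Needs k >= 3 and n >= 2k-1."""
    k, n = len(K), len(K[0])
    J = list(range(k, 2 * k - 2))                 # slide positions k+1 .. 2(k-1)
    b1, b2 = vanishing_codeword(K, [0] + J, p), vanishing_codeword(K, [1] + J, p)          # (i)
    b3, b4 = vanishing_codeword(K, [0] + list(range(2, k)), p), vanishing_codeword(K, [1] + list(range(2, k)), p)  # (iii)
    b = {j: b1[j] * inv(b2[j], p) % p for j in range(2, n) if j not in J}                    # (ii)
    scale = b[n - 1] * b4[n - 1] * inv(b3[n - 1], p) % p
    b.update({j: scale * b3[j] * inv(b4[j], p) % p for j in J})                                # (iv)
    a = [1, 0, None] + [b[2] * inv((b[2] - b[j]) % p, p) % p for j in range(3, n)]             # (v), None = infinity
    beta = next(x for x in range(p) if x not in a)                                              # (vi)
    return [0 if x is None else inv((beta - x) % p, p) for x in a]

def recover_multipliers(K, a, p):
    """Step 2 (i)-(iv): multipliers v' (v'_0 = 1) and S' with K = S' * grs_matrix(a, v')."""
    k = len(K)
    c = nullspace([row[:k + 1] for row in K], p)[0]      # (i): dual codeword of the first k+1 columns
    # (ii): c_j = lam * v'_j^{-1} * prod_{l != j} (a_j - a_l)^{-1}, so v'_j follows up to the scalar lam
    v = [inv(c[j] * prod((a[j] - a[l]) % p for l in range(k + 1) if l != j) % p, p) for j in range(k + 1)]
    v = [x * inv(v[0], p) % p for x in v]
    Hk = grs_matrix(a[:k], v[:k], k, p)                  # (iii): K[:, :k] = S' Hk, solved as one k x k system
    S = transpose(solve(transpose(Hk), transpose([row[:k] for row in K]), p))
    S_inv = solve(S, [[int(i == j) for j in range(k)] for i in range(k)], p)
    return S, v + matmul([S_inv[0]], K, p)[0][k + 1:]    # (iv): row 0 of S'^{-1} K is v'

def demo(seed=1, p=31, n=20, k=6):
    """Constructed instance; True iff the recovered equivalent key reproduces the public key K."""
    _private, K = keygen(p, n, k, random.Random(seed))
    a = recover_points(K, p)
    S, v = recover_multipliers(K, a, p)
    return matmul(S, grs_matrix(a, v, k, p), p) == K and len(set(a)) == n and 0 not in v
```

The recovered $(\boldsymbol{\alpha}', \mathbf{v}')$ are not the generated ones but a Möbius image of them; the check `matmul(S, H', p) == K` is exactly output (iii) of the attack, and anyone holding $(S', \boldsymbol{\alpha}', \mathbf{v}')$ can run the decryption procedure of the Niederreiter slides. Everything here is Gaussian elimination on matrices of size $O(k)$, matching the polynomial complexity stated above.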