Cryptanalysis of Two McEliece Cryptosystems Based on Quasi-Cyclic Codes
Authors: Ayoub Otmani, Jean-Pierre Tillich, Leonard Dallot
Abstract. We cryptanalyse here two variants of the McEliece cryptosystem based on quasi-cyclic codes. Both aim at reducing the key size by restricting the public and secret generator matrices to be in quasi-cyclic form. The first variant considers subcodes of a primitive BCH code. The aforementioned constraint on the public and secret keys implies choosing very structured permutations. We prove that this variant is not secure by producing many linear equations that the entries of the secret permutation matrix have to satisfy, using the fact that the secret code is a subcode of a known BCH code. This attack has been implemented and in all experiments we have performed the solution space of the linear system was of dimension one and revealed the permutation matrix. The other variant uses quasi-cyclic low density parity-check codes. This scheme was devised to be immune against general attacks working for McEliece type cryptosystems based on low density parity-check codes by choosing in the McEliece scheme more general one-to-one mappings than permutation matrices. We suggest here a structural attack exploiting the quasi-cyclic structure of the code and a certain weakness in the choice of the linear transformations that hide the generator matrix of the code. This cryptanalysis adopts a polynomial-oriented approach and basically consists in searching for two polynomials of low weight such that their product is a public polynomial. Our analysis shows that with high probability a parity-check matrix of a punctured version of the secret code can be recovered with time complexity $O(n^3)$ where $n$ is the length of the considered code.
The complete reconstruction of the secret parity-check matrix of the quasi-cyclic low density parity-check codes requires the search of codewords of low weight, which can be done with about $2^{37}$ operations for the specific parameters proposed.

Keywords. McEliece cryptosystem, quasi-cyclic codes, BCH codes, LDPC codes, cryptanalysis.

1. Introduction

Since the introduction of the McEliece public-key cryptosystem [17], several attempts have been made to propose alternatives to the classical Goppa codes. The main motivation is to drastically reduce the size of the public and private keys, which is of real concern for any concrete deployment. For instance, the parameters suggested in the original cryptosystem, and now outdated, are about 500 Kbits for the public key and 300 Kbits for the private key. The reason for such a large amount comes from the fact that McEliece proposed to use as public key a generator matrix of a linear block code. He suggested taking a code that admits an efficient decoding algorithm capable of correcting up to a certain number of errors, and then hiding its structure by applying two secret linear transformations: a scrambling transformation that sends the chosen generator matrix to another one, and a permutation matrix that reorders the coordinates. The resulting matrix is then the public key. The private key consists of the two secret transformations and the decoding algorithm. Niederreiter also invented [19] a code-based asymmetric cryptosystem by choosing to describe codes through a parity-check matrix. These two systems are equivalent in terms of security [16].
Their security relies on two difficult problems: the One-Wayness against Chosen-Plaintext Attack (OW-CPA), thanks to the difficulty of decoding large random linear block codes, and the difficulty of guessing the decoding algorithm from a hidden generator matrix. It is worthwhile mentioning that the OW-CPA character is well established as long as appropriate parameters are taken. This is due to two facts: first, it is proven in [2] that decoding a random linear code is NP-hard, and second, the best known algorithms [8, 3] and [20, Volume I, Chapter 7] operate exponentially in the length $n$ of the underlying code (see [10] for more details). However, the second criterion is not always verified by every class of codes that has a decoding algorithm. For instance, Sidel'nikov and Shestakov proved in [22] that the structure of Generalised Reed-Solomon codes of length $n$ can be recovered in $O(n^3)$ (see for instance [24, page 39]). Sendrier proved [27] that the permutation transformation can be extracted for concatenated codes. Minder and Shokrollahi presented in [18] a structural attack that creates a private key against a cryptosystem based on Reed-Muller codes [21]. However, despite these attacks on these variants of the McEliece cryptosystem, the original scheme still remains resistant to any structural attack. Additionally, the McEliece system and its Niederreiter homologue display better encryption and decryption complexity than any other competing asymmetric schemes like RSA. Unfortunately, they suffer from the same drawback, namely, they need very large key sizes as previously pointed out. It is therefore crucial to find a method to reduce the representation of a linear code as well as the matrices of the linear transformations. A possible solution is to take very sparse matrices.
This idea has been applied in [5], which examined the implications of using Low Density Parity-Check (LDPC) codes. The authors showed that taking sparse matrices for the linear transformations is not a secure solution. Indeed, it is possible to recover the secret code from the public parity-check matrix. Another idea due to [25] is to take subcodes of an optimal code such as Generalized Reed-Solomon codes in order to decrease the code rate. But great care has to be taken in the choice of parameters because in [26] it has been proved that some parameters are not secure. A recent trend appeared in code-based public key cryptosystems that tries to use quasi-cyclic codes [11, 1, 13, 12, 9]. This particular family of codes offers the advantage of having a very simple and compact description. Many codewords can simply be obtained by considering cyclic shifts of a sole codeword. Exploiting this fact leads to much smaller public and private keys. Currently there exist two public-key cryptosystems based upon quasi-cyclic codes. The first proposal [11] uses subcodes of a primitive BCH cyclic code. The size of the public key for this cryptosystem is about 20 Kbits. The other one [1] tries to combine these two positive aspects by requiring quasi-cyclic LDPC codes. It also avoids trivial attacks against McEliece type cryptosystems based on LDPC codes by using in the secret key a more general kind of invertible matrix instead of a permutation matrix. For this particular system, the authors propose a public key size that is about 48 Kbits.

In this work, we cryptanalyse these two cryptosystems. We show that the cryptosystem of [11] is not secure because it is possible to recover the secret permutation that is supposed to hide the structure of the secret quasi-cyclic code.
We prove it by producing many linear equations that the entries of the secret permutation matrix have to satisfy, using the fact that the secret code is a subcode of a known BCH code. This attack has been implemented and in all experiments we have performed the solution space of the linear system was of dimension one and revealed the permutation matrix.

In a second part, we also suggest a structural attack on [1] exploiting the quasi-cyclic structure of the code and a certain weakness in the choice of the linear transformations that hide the generator matrix of the code. This cryptanalysis adopts a polynomial-oriented approach and basically consists in searching for two polynomials of low weight such that their product is a public polynomial. Our analysis shows that with high probability a parity-check matrix of a punctured version of the secret code can be recovered with time complexity $O(n^3)$ where $n$ is the length of the considered code. An implementation shows that this recovery can be done in about 140 seconds on a PC. The final step, which consists in completely reconstructing the original parity-check matrix of the secret quasi-cyclic low density parity-check code, requires the search for low weight codewords, which can be done with about $2^{37}$ operations for the specific parameters proposed.

The rest of this paper is organised as follows. In Section 2, we recall definitions and basic properties of circulant matrices. Section 3 gives a description of how to totally break the McEliece variant proposed in [11]. In Section 4 we propose a method to totally cryptanalyse the scheme of [1]. Section 5 concludes the paper.

2. Notation and Definitions

2.1. Circulant Matrices

Let $\mathbb{F}_2$ be the finite field with two elements and denote by $\mathbb{F}_2[x]$ the set of univariate polynomials with coefficients in $\mathbb{F}_2$.
Any $p$-bit vector $v = (v_0, \ldots, v_{p-1})$ is identified with the polynomial $v(x) = v_0 + \cdots + v_{p-1} x^{p-1}$. The support of a vector (or a polynomial) $v$ is the set of positions $i$ such that $v_i$ is non-zero, and the weight $\mathrm{wt}(v)$ of $v$ is the cardinality of its support. The intersection polynomial of any two polynomials $u(x)$ and $v(x)$ is $u(x) \star v(x) = \sum_i u_i v_i x^i$. A binary circulant matrix $M$ is a $p \times p$ matrix obtained by cyclically right shifting the first row:

$$
M = \begin{pmatrix}
m_0 & m_1 & \cdots & m_{p-1} \\
m_{p-1} & m_0 & \cdots & m_{p-2} \\
\vdots & \vdots & \ddots & \vdots \\
m_1 & m_2 & \cdots & m_0
\end{pmatrix}. \qquad (1)
$$

Thus any circulant matrix $M$ is completely described by only its first row $m = (m_0, \ldots, m_{p-1})$. Note that a circulant matrix is also obtained by cyclically down shifting its first column. We shall see that the classical matrix operations of addition and multiplication preserve the circulant structure of matrices. It is possible to characterise the $i$-th row of a circulant matrix $M$ as the polynomial $x^i \cdot m(x) \bmod (x^p - 1)$. If one looks at the product $b \times M$ of a circulant matrix $M$ with a binary vector $b = (b_0, \ldots, b_{p-1})$, then it exactly corresponds to the $p$-bit vector represented by the polynomial $b(x) \cdot m(x) \bmod (x^p - 1)$. This property naturally extends to the product of two $p \times p$ circulant matrices $M$ and $N$. Indeed, the first row of $M \times N$ is exactly $m(x) \cdot n(x) \bmod (x^p - 1)$ and the $i$-th row of $M \times N$ is represented by the polynomial

$$
x^i \cdot \big( m(x) \cdot n(x) \bmod (x^p - 1) \big) = x^i \cdot m(x) \cdot n(x) \bmod (x^p - 1).
$$

We have therefore the following result.

Proposition 1. Let $\mathcal{C}_p$ be the set of binary $p \times p$ circulant matrices. Then there exists an isomorphism between the rings $(\mathcal{C}_p, +, \times)$ and $(\mathbb{F}_2[x]/(x^p - 1), +, \cdot)$:

$$
(\mathcal{C}_p, +, \times) \simeq (\mathbb{F}_2[x]/(x^p - 1), +, \cdot).
$$

Remark 1. The first column of a circulant matrix $M$ defined by $m(x)$ corresponds to the polynomial $m^\star(x) = x^p \cdot m(1/x) \bmod (x^p - 1)$.

Proposition 1 can be used to provide a simple characterisation of invertible circulant matrices:

Proposition 2. A $p \times p$ circulant matrix $M$ is invertible if and only if $m(x)$ is coprime with $x^p - 1$.

Proof. One has only to prove that the inverse of a circulant matrix $M$ defined by a polynomial $m(x)$ of $\mathbb{F}_2[x]/(x^p - 1)$ is necessarily a circulant matrix. Assume that there exists $N$ such that $N \times M = M \times N = I_p$ with $I_p$ being the $p \times p$ identity matrix. Let $n = (n_0, \ldots, n_{p-1})$ be the first row of $N$. We have previously seen that the product $n \times M$ can be seen as the polynomial $n(x) \cdot m(x) \bmod (x^p - 1)$. This latter polynomial is equal to 1 by assumption. Consequently, for any $i$ such that $0 \le i \le p - 1$ we also have $x^i \cdot n(x) \cdot m(x) = x^i \bmod (x^p - 1)$, which proves that the circulant matrix defined by $n(x)$ is the inverse of $M$. Therefore $N$ is circulant.

A matrix $G$ of size $k \times n$ is $p$-block circulant with $k = k_0 p$ and $n = n_0 p$, where $k_0$ and $n_0$ are positive integers, if there exist $p \times p$ circulant matrices $G_{i,j} \in \mathcal{C}_p$ such that:

$$
G = \begin{pmatrix}
G_{1,1} & \cdots & G_{1,n_0} \\
\vdots & & \vdots \\
G_{k_0,1} & \cdots & G_{k_0,n_0}
\end{pmatrix}.
$$

It is straightforward to see that the set of block circulant matrices is stable under matrix addition and matrix multiplication. It is therefore natural to establish an identification between a block circulant matrix $G$ and a polynomial $k_0 \times n_0$ matrix $G(x)$ with entries in $\mathbb{F}_2[x]/(x^p - 1)$, by means of the mapping that sends each block $G_{i,j}$ to the polynomial $g_{i,j}(x)$ defining it.

Proposition 3. Let $\mathcal{B}^p_{k_0,n_0}$ be the set of $p$-block circulant matrices of size $k_0 \times n_0$.
Let $R_p = \mathbb{F}_2[x]/(x^p - 1)$ and denote by $\mathcal{M}_{k_0,n_0}(R_p)$ the set of $k_0 \times n_0$ matrices with coefficients in $R_p$. There exists a ring isomorphism between $\mathcal{B}^p_{k_0,n_0}$ and $\mathcal{M}_{k_0,n_0}(R_p)$:

$$
\mathcal{B}^p_{k_0,n_0} \simeq \mathcal{M}_{k_0,n_0}(R_p), \qquad G \longmapsto G(x).
$$

In particular, any $p$-block circulant matrix $G$ is invertible if and only if $\det(G)(x)$ is coprime with $x^p - 1$, and its inverse is also a $p$-block circulant matrix.

2.2. Cyclic and Quasi-Cyclic Codes

A (binary) linear code $\mathcal{C}$ of length $n$ and dimension $k$ is a $k$-dimensional vector subspace of $\mathbb{F}_2^n$. The elements of a code are called codewords. A generator matrix $G$ of $\mathcal{C}$ is a $k' \times n$ matrix with $k' \ge k$ whose rows generate $\mathcal{C}$. A parity-check matrix $H$ of $\mathcal{C}$ is an $r \times n$ matrix with $r \ge n - k$ such that for any codeword $c \in \mathcal{C}$ we have $H \times c^T = 0$. It is well known that if a generator matrix of $\mathcal{C}$ is of the form $(I \mid A)$ where $I$ is the identity matrix, then $(A^T \mid I)$ is a parity-check matrix for $\mathcal{C}$. Such a generator matrix is said to be in reduced echelon form. A code $\mathcal{C}'$ is said to be permutation equivalent to $\mathcal{C}$ if there exists a permutation of the symmetric group of order $n$ that reorders the coordinates of codewords of $\mathcal{C}'$ into codewords of $\mathcal{C}$. It is convenient to consider equivalent codes as the same code.

A cyclic code $\mathcal{C}$ of length $n$ is an ideal of the ring $\mathbb{F}_2[x]/(x^n - 1)$. Such a code is characterised by a unique polynomial $g(x)$ divisor of $(x^n - 1)$. Let $r$ be the degree of $g(x)$. Any codeword $c(x)$ is obtained as a product in $\mathbb{F}_2[x]$ of the form $c(x) = m(x) \cdot g(x)$, where $m(x)$ is a polynomial of $\mathbb{F}_2[x]$ of degree $n - 1 - r$. $\mathcal{C}$ is a linear code of dimension $k = n - r$. The polynomial $g(x)$ is called the generator polynomial of the cyclic code $\mathcal{C}$ and we shall write $\mathcal{C} = \langle g(x) \rangle$.
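As an added example (not from the paper), the following Python code checks the correspondence of Section 2.1 on a small block size: Proposition 1 (the product of two circulant matrices is the circulant of the product polynomial), Remark 1 (the first column read as $m^\star(x)$) and Proposition 2 (invertibility iff coprimality with $x^p - 1$), the last one exhaustively for $p = 7$. The helper names and the bit-vector conventions are ours.

```python
# Added example (not from the paper): the correspondence of Section 2.1 between
# binary circulant matrices and F_2[x]/(x^p - 1), checked for a small p.
# Conventions (ours): a polynomial is a Python int with bit i = coefficient of x^i;
# a binary matrix is a list of row ints, bit j of row i being the (i, j) entry.

def pmul(a, b, p):
    """a(x) * b(x) mod (x^p - 1), for deg a, deg b < p."""
    r = 0
    for i in range(b.bit_length()):
        if (b >> i) & 1:
            r ^= a << i
    return (r & ((1 << p) - 1)) ^ (r >> p)   # x^p == 1: one fold suffices

def pgcd(a, b):
    """gcd in F_2[x] (Euclid on bit strings)."""
    while b:
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a

def circulant(m, p):
    """Matrix (1): row i is the first row right-shifted i times, i.e. x^i m(x) mod (x^p - 1)."""
    return [pmul(1 << i, m, p) for i in range(p)]

def matmul_f2(A, B, p):
    """Product of two p x p binary matrices over F_2."""
    out = []
    for row in A:
        acc = 0
        for t in range(p):
            if (row >> t) & 1:
                acc ^= B[t]
        out.append(acc)
    return out

def rank_f2(rows):
    """Rank over F_2 by Gaussian elimination on row ints."""
    rows = list(rows)
    rank = 0
    for bit in range(max((r.bit_length() for r in rows), default=0)):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> bit) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> bit) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank

def first_column(M, p):
    """First column of M read as a polynomial (bit i = entry M[i][0])."""
    return sum((M[i] & 1) << i for i in range(p))

def m_star(m, p):
    """Remark 1: m*(x) = x^p m(1/x) mod (x^p - 1); its coefficient j is m_{(p - j) mod p}."""
    return sum(((m >> ((p - j) % p)) & 1) << j for j in range(p))

def check_proposition1(m, n, p):
    """Row i of M x N is x^i m(x) n(x) mod (x^p - 1), i.e. M x N is the circulant of m n."""
    MN = matmul_f2(circulant(m, p), circulant(n, p), p)
    return MN == circulant(pmul(m, n, p), p)

def check_proposition2(p):
    """For every m(x) in R_p, the circulant of m has full rank iff gcd(m, x^p - 1) = 1.
    Returns the number of invertible p x p circulants (the units of R_p)."""
    modulus = (1 << p) | 1          # x^p - 1 = x^p + 1 over F_2
    units = 0
    for m in range(1 << p):
        full_rank = rank_f2(circulant(m, p)) == p
        if full_rank != (pgcd(m, modulus) == 1):
            raise AssertionError("Proposition 2 fails for m = %d" % m)
        units += full_rank
    return units

if __name__ == "__main__":
    p, m, n = 7, 0b1011, 0b0110101
    print("Proposition 1 holds:", check_proposition1(m, n, p))
    print("Remark 1 holds:", first_column(circulant(m, p), p) == m_star(m, p))
    # x^7 - 1 = (x + 1)(x^3 + x + 1)(x^3 + x^2 + 1), so R_7 has 1 * 7 * 7 = 49 units
    print("invertible circulants for p = 7:", check_proposition2(p))
```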
A code $\mathcal{C}$ is quasi-cyclic of index $p$ if there exists a generator matrix $G$ that is $p$-block circulant. We assume that all the $G_{i,j}$'s are square matrices of size $p \times p$ and therefore $n = n_0 p$ and $k = k_0 p$. Cyclic codes of length $n$ are thus quasi-cyclic codes of index $n$ where a generator matrix is a circulant matrix associated with its generator polynomial.

A useful method developed in [11] for obtaining quasi-cyclic codes of length $n = p n_0$ and index $p$ is to consider a cyclic code $\mathcal{C}$ generated by a polynomial $g(x)$ and construct the subcode $S_{n_0}(c)$ spanned by a codeword $c(x)$ and its $p - 1$ shifts modulo $(x^n - 1)$ by $n_0$ bits, $x^{n_0} \cdot c(x), \ldots, x^{(p-1) n_0} \cdot c(x)$. However, note that $S_{n_0}(c)$ does not admit a $p$-block circulant generator matrix. Actually, one has to consider the equivalent code of $\mathcal{C}$ obtained with the permutation $\pi$ that maps any $a n_0 + b$ to $b p + a$ with $1 \le a \le p - 1$ and $0 \le b \le n_0 - 1$. It means that up to a permutation any codeword $c(x)$ of a cyclic code $\mathcal{C}$ can be seen as a vector $c = (c_0, \ldots, c_{n_0-1})$ where each $c_i$ belongs to $\mathbb{F}_2^p \simeq \mathbb{F}_2[x]/(x^p - 1)$, and such that the vector $c' = (c'_0, \ldots, c'_{n_0-1})$ with $c'_j(x) = x \cdot c_j(x) \bmod (x^p - 1)$ is also a codeword of $S_{n_0}(c)$.

3. A McEliece Cryptosystem Based on Subcodes of a BCH Code

3.1. Description

Let $\mathcal{C}_0$ be a cyclic code of length $n = p n_0$ and let $k$ be the dimension of $\mathcal{C}_0$. Assume that $\mathcal{C}_0$ admits a $k' \times n$ generator matrix with $k' \ge k$ and such that $k' = p k_0$. For simplicity, we set $k' = k$. Let $c_1(x), c_2(x), \ldots, c_{k_0-1}(x)$ be random codewords of $\mathcal{C}_0$ and consider the linear code $\mathcal{C}$ defined as:

$$
\mathcal{C} = S_{n_0}(c_1) + \cdots + S_{n_0}(c_{k_0-1}).
$$

We assume that $\mathcal{C}$ is of dimension $k - p = p(k_0 - 1)$. Recall from Section 2.2 that up to a permutation any $n$-bit vector $c_i(x)$ with $1 \le i \le k_0 - 1$ can be seen as a vector $(c_{i,0}, \ldots, c_{i,n_0-1})$ where each $c_{i,j}$ can also be seen as an element of $\mathbb{F}_2[x]/(x^p - 1)$. Thus $\mathcal{C}$ is a quasi-cyclic code of index $p$ whose generator matrix $G(x)$ in $p$-block circulant form is:

$$
G(x) = \begin{pmatrix}
c_{1,1}(x) & \cdots & c_{1,n_0}(x) \\
\vdots & & \vdots \\
c_{k_0-1,1}(x) & \cdots & c_{k_0-1,n_0}(x)
\end{pmatrix}.
$$

The variant of the McEliece cryptosystem proposed in [11] starts from a secret subcode $\mathcal{C}$ of dimension $p(k_0 - 1)$ of a primitive BCH code $\mathcal{C}_0$ obtained by the method explained above. A secret permutation $\pi$ of the symmetric group of order $n_0$ hides the structure of $\mathcal{C}$ while keeping its quasi-cyclic structure, by publicly making available a generator matrix $G_\pi(x)$ defined by:

$$
G_\pi(x) = \begin{pmatrix}
c_{1,\pi(1)}(x) & \cdots & c_{1,\pi(n_0)}(x) \\
\vdots & & \vdots \\
c_{k_0-1,\pi(1)}(x) & \cdots & c_{k_0-1,\pi(n_0)}(x)
\end{pmatrix}.
$$

The cyclic code $\mathcal{C}_0$ given in [11] is a primitive BCH code of length $2^m - 1$ and dimension $n - tm$ where $t$ is a positive integer. Two sets of parameters are proposed, respectively corresponding to $2^{100}$ and $2^{80}$ security levels.

• Parameters A: $m = 12$, $t = 26$, $p = 91$, $n_0 = 45$, and $k_0 = 43$.
• Parameters B: $m = 11$, $t = 31$, $p = 89$, $n_0 = 23$ and $k_0 = 21$.

Note that we always have $p > n_0$. This property will be useful for cryptanalysing the cryptosystem.

3.2. Structural Cryptanalysis

We describe a method that recovers the secret permutation $\pi$ of the cryptosystem of [11] and thus reveals the secret key of any user. It exploits three facts:

1. The code $\mathcal{C}_0$ admits a binary $(n - k) \times n$ parity-check matrix $H_0$ which can be assumed to be known. There are only a few different primitive BCH codes for a given parameter set $(n, m, t)$ and we can try all of them. This is a consequence of the fact that the number of such codes is clearly upper-bounded by the number of primitive polynomials of degree $m$.
For instance, for the parameter set B this number is equal to 176.

2. Since $\mathcal{C}$ is a subcode of $\mathcal{C}_0$, any $n$-bit codeword $c$ of $\mathcal{C}$ must satisfy the equation:

$$
H_0 \times c^T = 0. \qquad (2)
$$

3. Permuting through a permutation $\pi$ the columns of a polynomial generator matrix $G(x)$ of $\mathcal{C}$ can also be translated into a matrix product by the associated $n_0 \times n_0$ permutation matrix $\Pi$ of $\pi$. Note that $\Pi$ can also be seen as a polynomial matrix $\Pi(x) \in \mathcal{B}^p_{n_0,n_0}$ where a 0 (resp. 1) entry corresponds to the 0 (resp. 1) constant polynomial, so that we have:

$$
G_\pi(x) = G(x) \times \Pi(x). \qquad (3)
$$

Note that Equation (3) can be rewritten as an equality between binary $p$-block circulant matrices:

$$
G_\pi = G \times \boldsymbol{\Pi}, \qquad (4)
$$

where $G_\pi$ is the $(k - p) \times n$ public generator matrix and $\boldsymbol{\Pi} = \Pi \otimes I_p$ with $I_p$ being the $p \times p$ identity matrix. Finding $\Pi$ actually amounts to solving a linear system of $n_0^2$ unknowns representing the entries of $\Pi^{-1}$ such that:

$$
H_0 \times \big( G_\pi \times \boldsymbol{\Pi}^{-1} \big)^T = 0. \qquad (5)
$$

In other words, each row of the public matrix $G_\pi$, after being permuted by $\Pi^{-1}$, must satisfy Equation (2). This is a linear system since $\boldsymbol{\Pi}^{-1}$ may be rewritten as $\Pi^{-1} \otimes I_p$. This means that each row of $G_\pi$ provides $(n - k)$ binary linear equations verified by $\Pi^{-1}$. Thus Equation (5) gives a total number of $(k - p)(n - k)$ linear equations that must be satisfied by $n_0^2$ unknowns. The cryptanalysis of [11] amounts to solving an over-constrained linear system constituted of $p^2 (k_0 - 1)(n_0 - k_0)$ equations and $n_0^2$ unknowns since, as we have remarked, $p > n_0$. For instance, Parameters B give 529 unknowns that should satisfy 316,840 equations. As for Parameters A, we obtain 2,025 unknowns that satisfy 695,604 equations. Many of these equations are obviously linearly dependent. The success of this method heavily depends on the size of the solution vector space.
An implementation in the Magma software actually always gave in both cases a vector space of dimension one. This revealed the secret permutation.

4. A Cryptosystem Based on Quasi-Cyclic LDPC Codes

4.1. Description

LDPC codes are linear codes defined by sparse binary parity-check matrices. We assume as in [1] that $n = p n_0$ and $k = p(n_0 - 1)$, and we consider a parity-check matrix $H$ of the following form:

$$
H = \begin{pmatrix} H_1 & \cdots & H_{n_0} \end{pmatrix} \qquad (6)
$$

where each matrix $H_j$ is a sparse circulant matrix of size $p \times p$. Without loss of generality, $H_{n_0}$ is chosen to have full rank. Each column of $H$ has a fixed weight $d_v$ which is very small compared to the length $n$. We also assume that one has a good approximation of the number $t$ of correctable errors through iterative decoding of the code defined by $H$.

The quasi-cyclic LDPC cryptosystem proposed in [1] takes two invertible $p$-block circulant matrices $S$ and $Q$ of size $k \times k$ and $n \times n$ respectively. The matrix $S$ (resp. $Q$) is chosen such that the weight of each row and each column is $s$ (resp. $m$). The private key consists of the parity-check matrix $H$ and the matrices $S$ and $Q$. In order to produce the public key, one has to compute a generator matrix $G'$ in reduced echelon form and make public the matrix $G = S^{-1} \times G' \times Q^{-1}$. The plaintext space is the set $\mathbb{F}_2^k$ and the ciphertext space is $\mathbb{F}_2^n$. If one wishes to encrypt a message $x \in \mathbb{F}_2^k$, one has to randomly choose an $n$-bit vector $e$ of weight $t' \le t/m$ and compute $c = x \times G + e$. The decryption step consists in iteratively decoding $c \times Q = x \times S^{-1} \times G' + e \times Q$ to output $z = x \times S^{-1}$ and then computing $x = z \times S$. The crucial point that makes this cryptosystem valid is that $e \times Q$ is a correctable error because its weight is less than or equal to $t' m$.

4.2. Some Remarks on the Choice of the Parameters

The authors suggest taking a matrix $Q$ in diagonal form. They also suggest the following values: $p = 4032$, $n_0 = 4$, $d_v = 13$, $m = 7$ and $t = 190$ ($t' = 27$). Finally, each block circulant matrix of $S$ has a column/row weight equal to $m$ so as to have $s = m(n_0 - 1)$. Unfortunately, for this specific constraint, there is a flaw in this choice because the matrix $S$ is not invertible. This follows from the fact that in this case $x - 1$ always divides $\det(S)(x)$, which is therefore not coprime with $x^p - 1$, and this implies that $S(x)$ is not invertible. This can be proved by using the following arguments.

Lemma 1. Let $S(x) = (s_{i,j}(x))$ in $\mathcal{M}_{n_0-1,n_0-1}(R_p)$ and define the binary matrix $\tilde{S} = (\tilde{s}_{i,j})$ by $\tilde{s}_{i,j} = \mathrm{wt}(s_{i,j}) \bmod 2$. We have then:

$$
\det(\tilde{S}) = \mathrm{wt}(\det(S)) \bmod 2.
$$

Proof. This comes from the fact that $\mathrm{wt}(u + v) = \mathrm{wt}(u) + \mathrm{wt}(v) - 2\,\mathrm{wt}(u \star v)$ for any $u(x)$ and $v(x)$ in $\mathbb{F}_2[x]$, which implies that:

$$
\mathrm{wt}(u + v) = \mathrm{wt}(u) + \mathrm{wt}(v) \bmod 2, \qquad
\mathrm{wt}(u \cdot v) = \mathrm{wt}(u) \cdot \mathrm{wt}(v) \bmod 2.
$$

Proposition 4. For any $S(x)$ in $\mathcal{M}_{3,3}(R_p)$ such that each $s_{i,j}$ is of weight $m$, $x - 1$ divides $\det(S)(x)$.

Proof. By using the same notation as in the previous lemma, we know that $\det(\tilde{S})$ is equal to zero since $\tilde{S}$ is the all-one matrix. From the previous lemma it follows that $\det(S)(x)$ has a support of even weight. This implies that $x - 1$ divides $\det(S)(x)$.

In order to avoid this situation we introduce as few polynomials of weight different from $m$ in $S$ as needed so that $\det(\tilde{S}) = 1$. A possible choice is the following one. First we choose a nonsingular $\tilde{S}$ equal to

$$
\tilde{S} = \begin{pmatrix} 1 & 1 & 1 \\ 1 & 0 & 1 \\ 0 & 1 & 1 \end{pmatrix}.
$$

When $\tilde{s}_{i,j} = 1$ we choose the corresponding entry $s_{i,j}(x)$ to be of weight $m$, and if $\tilde{s}_{i,j} = 0$ we choose the corresponding entry $s_{i,j}(x)$ to be of weight $m - 1$.
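As an added example (not from the paper), the following Python code applies Lemma 1 and Proposition 4 to the matrix $S$ whose block exponents are listed in Section 4.4, and to a constructed variant in which $S_{2,2}$ and $S_{3,1}$ are padded to weight $m = 7$: it computes $\det(S)(x)$ over $R_p$, compares its weight parity with $\det(\tilde{S})$, and tests whether $x - 1$ divides it (the padded variant then fails the invertibility criterion of Proposition 3, as Proposition 4 predicts). Function names and the padding exponents 100 and 200 are our choices.

```python
# Added example (not from the paper): checks the invertibility flaw of Section 4.2
# (Lemma 1 and Proposition 4) on the matrix S whose exponents are listed in
# Section 4.4, and on a constructed variant where every block has weight m.
# Conventions (ours): a polynomial of R_p = F_2[x]/(x^p - 1) is a Python int whose
# bit i is the coefficient of x^i.

P = 4032   # p from [1]
M = 7      # m: nominal block weight

def pmul(a, b, p):
    """a(x) * b(x) mod (x^p - 1), for deg a, deg b < p."""
    r = 0
    for i in range(b.bit_length()):
        if (b >> i) & 1:
            r ^= a << i
    return (r & ((1 << p) - 1)) ^ (r >> p)   # x^p == 1: one fold is enough

def pgcd(a, b):
    """gcd in F_2[x] (Euclid on bit strings)."""
    while b:
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a

def pdet(S, p):
    """Determinant of a square matrix over R_p by Laplace expansion (no signs in characteristic 2)."""
    if len(S) == 1:
        return S[0][0]
    d = 0
    for j in range(len(S)):
        minor = [row[:j] + row[j + 1:] for row in S[1:]]
        d ^= pmul(S[0][j], pdet(minor, p), p)
    return d

def weight(a):
    """Hamming weight wt(a): number of non-zero coefficients."""
    return bin(a).count("1")

def poly(exps):
    """Sum of x^e over the listed exponents."""
    r = 0
    for e in exps:
        r |= 1 << e
    return r

# S_{i,j} exponents exactly as listed in Section 4.4 (S_{2,2} and S_{3,1} have weight m - 1).
S_PAGE = [
    [[24, 274, 334, 2025, 2574, 2661, 3601],
     [512, 1177, 2524, 2526, 2904, 2968, 3340],
     [930, 1175, 1210, 1459, 2200, 2303, 2811]],
    [[503, 1258, 1632, 1658, 2055, 2221, 2764],
     [989, 1256, 2568, 2625, 2906, 3139],
     [561, 616, 2499, 2787, 2835, 3061, 3865]],
    [[177, 465, 1659, 1958, 2795, 3605],
     [419, 461, 1540, 2262, 2435, 3474, 3587],
     [554, 1119, 1307, 2018, 2193, 2631, 3755]],
]
# Constructed variant (not from the paper): the two even-weight blocks padded to
# weight m = 7, i.e. the uniform choice that Section 4.2 shows to be flawed.
S_ALL_WEIGHT_M = [[list(e) for e in row] for row in S_PAGE]
S_ALL_WEIGHT_M[1][1].append(100)
S_ALL_WEIGHT_M[2][0].append(200)

def analyse(exps, p):
    """Lemma 1, Proposition 4 and the Proposition 3 criterion for S given by exponent lists."""
    S = [[poly(e) for e in row] for row in exps]
    d = pdet(S, p)
    s_tilde = [[weight(s) % 2 for s in row] for row in S]       # Lemma 1's \tilde S
    x_minus_1 = 0b11                                             # x + 1 = x - 1 over F_2
    return {
        "det_tilde": pdet(s_tilde, p) & 1,                       # determinant over F_2
        "det_weight_parity": weight(d) % 2,                      # Lemma 1: equals det_tilde
        "x_minus_1_divides_det": pgcd(d, x_minus_1) == x_minus_1,  # Proposition 4's obstruction
        "invertible": pgcd(d, (1 << p) | 1) == 1,                # det(S)(x) coprime with x^p - 1
    }

if __name__ == "__main__":
    print("S as listed in Section 4.4:", analyse(S_PAGE, P))
    print("S with every block of weight m:", analyse(S_ALL_WEIGHT_M, P))
```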
It should also be mentioned that a decoding attack searching for a word of weight less than $t = 27$ in a code of length $n = 16128$ and dimension $k = 12096$, as proposed using the algorithm given in [6], has a work factor of about $2^{78.5}$. Note that this work factor may even be decreased with the algorithm of [7].

4.3. Structural Attack

4.3.1. Preliminaries. The goal of this attack is to recover the secret code $\mathcal{C}$ defined by the parity-check matrix $H$ given in Equation (6). We know that $S$ and $Q$ are equivalently defined by polynomials $s_{i,j}(x)$ and $q_{i,j}(x)$ respectively. $Q$ is chosen to be in diagonal form, that is to say $q_{i,j}(x) = 0$ if $i \ne j$. For the sake of simplicity, we set $q_i(x) = q_{i,i}(x)$. Moreover, the polynomials $q_i(x)$ are invertible modulo $x^p - 1$ since $Q$ is invertible. It is also straightforward to remark that the secret generator matrix $G'$ is equal to:

$$
G' = \left( I_k \;\middle|\; \begin{matrix} (H_{n_0}^{-1} H_1)^T \\ \vdots \\ (H_{n_0}^{-1} H_{n_0-1})^T \end{matrix} \right).
$$

In other words, if we denote by $G_{\le k}$ the matrix obtained by taking the $k$ first columns of $G$, then we have:

$$
G_{\le k} = S^{-1} \times \begin{pmatrix}
Q_1^{-1} & 0 & \cdots & 0 \\
0 & \ddots & \ddots & \vdots \\
\vdots & \ddots & \ddots & 0 \\
0 & \cdots & 0 & Q_{n_0-1}^{-1}
\end{pmatrix}.
$$

This implies that $G_{\le k}^{-1}$ is a $p$-block circulant matrix defined by polynomials $g_{i,j}(x)$ that satisfy the following equations:

$$
g_{i,j}(x) = q_i(x) \cdot s_{i,j}(x) \bmod (x^p - 1). \qquad (7)
$$

Note that the weight of $g_{i,j}(x)$ is at most $m^2$. Actually, due to the fact that the secret polynomials have very low weights, we shall see that the support of $g_{i,j}(x)$ has size exactly $m^2$ with good probability. For the sake of simplicity, we set $q_i(x) = x^{e_1} + \cdots + x^{e_m}$ and $s_{i,j}(x) = x^{\ell_1} + \cdots + x^{\ell_m}$ with $0 \le e_a \le p - 1$ and $0 \le \ell_a \le p - 1$ for any $1 \le a \le m$. We fix $q_i(x)$ and we assume that the monomials $x^{\ell_a}$ of $s_{i,j}(x)$ are independently and uniformly chosen.
We wish to estimate the probability that the support of $g_{i,j}(x)$ contains the support of at least one shift $x^{\ell_a} \cdot q_i(x)$, and the probability that the weight of $g_{i,j}(x)$ is exactly $m^2$.

Lemma 2. Let $\ell_1, \ldots, \ell_w$ be $w$ different integers such that $0 \le \ell_a \le p - 1$ for $1 \le a \le w$. For any random integer $0 \le \ell \le p - 1$ such that $\ell$ is different from $\ell_1, \ldots, \ell_w$, we have:

$$
\Pr\Big\{ \big( x^{\ell_1} + \cdots + x^{\ell_w} \big) \cdot q_i(x) \star x^{\ell} \cdot q_i(x) \ne 0 \Big\} \le \frac{w\, m(m-1)}{p - w}.
$$

Proof. Set first $r(x) = (x^{\ell_1} + \cdots + x^{\ell_w}) \cdot q_i(x)$. By the union bound we have:

$$
\Pr\big\{ r(x) \star x^{\ell} \cdot q_i(x) \ne 0 \big\} \le \sum_{a=1}^{w} \Pr\big\{ x^{\ell_a} \cdot q_i(x) \star x^{\ell} \cdot q_i(x) \ne 0 \big\}.
$$

The probability $\Pr\{ x^{\ell_a} \cdot q_i(x) \star x^{\ell} \cdot q_i(x) \ne 0 \}$ is at most the fraction of integers $\ell$ different from $\ell_1, \ldots, \ell_w$ such that there exist $1 \le b \le m$ and $1 \le c \le m$ with:

$$
\ell_a + e_b = \ell + e_c \bmod p.
$$

Thus, this fraction is given by the ratio of the number of pairs $(e_b, e_c)$ with $b \ne c$ to the number of possible values for $\ell$, which is exactly $m(m-1)/(p - w)$.

Proposition 5. The probability $\Pr\{ x^{\ell} \cdot q_i(x) \subset g_{i,j}(x) \}$ for $\ell$ in $\{\ell_1, \ldots, \ell_m\}$ that the support of $g_{i,j}(x)$ contains the support of $x^{\ell} \cdot q_i(x)$ is lower-bounded by:

$$
\Pr\big\{ x^{\ell} \cdot q_i(x) \subset g_{i,j}(x) \big\} \ge \left( 1 - \frac{m(m-1)}{p - 1} \right)^{m-1}.
$$

Proof. This inequality is obtained by taking $w = 1$ in Lemma 2 and by the independence of the choice of the $(m - 1)$ other monomials of $s_{i,j}(x)$.

Proposition 6. The probability $q$ that $g_{i,j}(x)$ is exactly of weight $m^2$ is lower-bounded by:

$$
q \ge \prod_{w=1}^{m-1} \left( 1 - \frac{w \cdot m(m-1)}{p - w} \right).
$$

Proof. For any $2 \le w \le m$, let $E_w$ denote the event

$$
E_w : \big( x^{\ell_1} + \cdots + x^{\ell_{w-1}} \big) \cdot q_i(x) \star x^{\ell_w} \cdot q_i(x) = 0
$$

when each monomial $x^{\ell_a}$ is uniformly and independently chosen. We also set $E_1$ as the whole universe.
Then we have:

$$
q \ge \Pr\{ E_2 \cap \cdots \cap E_m \}.
$$

Using Bayes' rule we also have

$$
\Pr\{ E_2 \cap \cdots \cap E_m \} = \prod_{w=1}^{m} \Pr\{ E_w \mid E_{w-1} \cap \cdots \cap E_1 \}.
$$

But by Lemma 2 we know that

$$
\Pr\{ E_w \mid E_{w-1} \cap \cdots \cap E_1 \} \ge 1 - \frac{w \cdot m(m-1)}{p - w}.
$$

4.3.2. Different Strategies.

First Strategy. We have seen in Lemma 2 that the support of $g_{i,j}(x)$ contains with very high probability the support of at least one shifted version of $q_i(x)$ (see footnote 1), since for the parameters given in [1] we obtain $\Pr\{ x^{\ell} \cdot q_i(x) \subset g_{i,j}(x) \} \ge 0.94$. One possible strategy to recover the polynomial $q_i(x)$ consists in enumerating $m$-tuples $u_1, \ldots, u_m$ that belong to the support of $g_{i,j}(x)$ in order to form $u(x) = \sum_a x^{u_a}$ such that $u^{-1}(x) \cdot g_{i,j'}(x)$ is of weight $m$ for $1 \le j' \le n_0 - 1$. The cost of this attack is $O\big(\binom{m^2}{m} \cdot p^2\big)$, which corresponds to $2^{50.3}$ operations for the specific parameters proposed.

Footnote 1. Actually, the support of $g_{i,j}(x)$ contains with good probability all the supports of $x^{\ell_a} \cdot q_i(x)$ with $1 \le a \le m$, since $q \ge 0.79$ for the proposed parameters.

Second Strategy. We present another strategy that can be used to recover the secret matrix $S$ and thus the matrices $Q_1, \ldots, Q_{n_0-1}$. This strategy requires searching for codewords of very low weight in a linear code. The most efficient algorithm that accomplishes this task is the algorithm of [3], which improves upon Stern's algorithm [23]. However, in order to derive a simple bound on the time complexity, we consider this second algorithm as in [1].
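As an added example (not from the paper), the following Python code makes the support argument of Section 4.3.1 concrete: it computes the support of $g_{i,j}(x) = q_i(x) \cdot s_{i,j}(x) \bmod (x^p - 1)$ from exponent lists, evaluates the lower bounds of Propositions 5 and 6 for $p = 4032$, $m = 7$ (the 0.94 and 0.79 quoted for the first strategy), and estimates both probabilities by sampling random $s_{i,j}(x)$ for a fixed $q_i(x)$. The toy exponent lists and the function names are ours.

```python
# Added example (not from the paper): Equation (7) gives g_{i,j}(x) = q_i(x) s_{i,j}(x)
# mod (x^p - 1). This computes the support of such a product from exponent lists,
# evaluates the lower bounds of Propositions 5 and 6, and estimates both
# probabilities by sampling, for the parameters p = 4032, m = 7 of [1].
# Polynomials are given as lists of distinct exponents (our convention).
import random

P, M = 4032, 7

def product_support(q_exps, s_exps, p):
    """Support of q(x) s(x) mod (x^p - 1) over F_2: an exponent survives iff it
    arises from an odd number of pairs (e, l) with e + l = exponent (mod p)."""
    count = {}
    for e in q_exps:
        for l in s_exps:
            k = (e + l) % p
            count[k] = count.get(k, 0) + 1
    return {k for k, c in count.items() if c % 2 == 1}

def product_weight(q_exps, s_exps, p):
    """wt(q s); equals m^2 exactly when no two of the m^2 sums e + l coincide."""
    return len(product_support(q_exps, s_exps, p))

def contained_shifts(q_exps, s_exps, p):
    """Number of l in supp(s) with supp(x^l q(x)) inside supp(q s) (Proposition 5's event)."""
    g = product_support(q_exps, s_exps, p)
    return sum(all((e + l) % p in g for e in q_exps) for l in s_exps)

def prop5_bound(p, m):
    """Pr{ x^l q_i(x) subset g_{i,j}(x) } >= (1 - m(m-1)/(p-1))^(m-1)."""
    return (1 - m * (m - 1) / (p - 1)) ** (m - 1)

def prop6_bound(p, m):
    """Pr{ wt(g_{i,j}) = m^2 } >= prod_{w=1}^{m-1} (1 - w m(m-1)/(p-w))."""
    q = 1.0
    for w in range(1, m):
        q *= 1 - w * m * (m - 1) / (p - w)
    return q

def estimate(trials, p=P, m=M, seed=2024):
    """Fix q_i, sample s_{i,j} uniformly among weight-m polynomials, and return the
    observed frequencies (weight exactly m^2, shift of q_i contained in the product)."""
    rng = random.Random(seed)
    q = sorted(rng.sample(range(p), m))
    exact, contained = 0, 0
    for _ in range(trials):
        s = sorted(rng.sample(range(p), m))
        exact += product_weight(q, s, p) == m * m
        contained += contained_shifts(q, s, p)
    return exact / trials, contained / (trials * m)

# Constructed toy polynomials (not from the paper): S_TOY_CLEAN gives no cancellation,
# S_TOY_COLLIDE has exactly one cancelling pair (0 + 5 = 5 + 0), so the weight drops to 47
# and the shifts l = 0 and l = 5 of q are no longer contained in the product.
Q_TOY = [0, 5, 11, 20, 33, 47, 60]
S_TOY_CLEAN = [0, 100, 200, 300, 400, 500, 600]
S_TOY_COLLIDE = [0, 5, 200, 300, 400, 500, 600]

if __name__ == "__main__":
    print("Proposition 5 bound:", prop5_bound(P, M))   # about 0.939
    print("Proposition 6 bound:", prop6_bound(P, M))   # about 0.799
    print("observed (weight m^2, shift contained):", estimate(3000))
```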
The work factor $\Omega_{n,k,w}$ of Stern's algorithm to find $A_w$ codewords of weight $w$ in a code of length $n$ and dimension $k$ satisfies

$$
\Omega_{n,k,w} \ge \frac{N}{A_w P_w}
$$

where $(g, \ell)$ are two parameters and $N$ is the number of binary operations required for each iteration:

$$
N = \frac{(n-k)^3}{2} + k(n-k)^2 + 2 g \ell \binom{k/2}{g} + \frac{2 g (n-k) \binom{k/2}{g}^2}{2^{\ell}}. \qquad (8)
$$

$P_w$ represents the probability of finding a given codeword of weight $w$:

$$
P_w = \frac{\binom{w}{g}\binom{n-w}{k/2-g}}{\binom{n}{k/2}} \cdot \frac{\binom{w-g}{g}\binom{n-k/2-w+g}{k/2-g}}{\binom{n-k/2}{k/2}} \cdot \frac{\binom{n-k-w+2g}{\ell}}{\binom{n-k}{\ell}}.
$$

Recall that $G_{\le k}^{-1}$ is specified by the polynomials $g_{i,j}(x)$. Let $d_{i,j}(x)$ be the polynomial $g_{i,j}(x) \cdot g_{i,1}^{-1}(x) \bmod (x^p - 1)$ and consider the code $E_i$ defined by the following generator matrix:

$$
E_i = \begin{pmatrix} I_p & D_{i,2} & \cdots & D_{i,n_0-1} \end{pmatrix}
$$

where, as usual, the circulant matrix $D_{i,j}$ is characterised by the polynomial $d_{i,j}(x)$. Then $E_i$ contains at least $p$ codewords of low weight $(n_0 - 1) m = 21$ since

$$
S_{i,1} \times E_i = \begin{pmatrix} S_{i,1} & S_{i,2} & \cdots & S_{i,n_0-1} \end{pmatrix}.
$$

It is therefore possible to recover the matrices $S_{i,1}, \ldots, S_{i,n_0-1}$ with a complexity of $2^{32}$ operations by applying Stern's algorithm with $(g, \ell) = (3, 43)$ in order to find a codeword of weight 21 in a code of dimension $p$ and length $(n_0 - 1) p = 12096$.

4.3.3. Extraction of the Secret Code. After recovering $S, Q_1, \ldots, Q_{n_0-1}$, one is therefore able to compute the following generator matrix $\tilde{G}$ defined by:

$$
\tilde{G} = G' \times \begin{pmatrix}
I_p & 0 & \cdots & 0 \\
0 & \ddots & \ddots & \vdots \\
\vdots & \ddots & I_p & 0 \\
0 & \cdots & 0 & Q_{n_0}^{-1}
\end{pmatrix}
= \left( I_k \;\middle|\; \begin{matrix} A_1 \\ \vdots \\ A_{n_0-1} \end{matrix} \right)
$$

where for $1 \le i \le n_0 - 1$ we set $A_i = (H_{n_0}^{-1} \times H_i)^T \times Q_{n_0}^{-1}$. Recall that the matrices $H_1, \ldots, H_{n_0}$ and $Q_{n_0}$ are still unknown. However, one can easily check that for any different $i$ and $j$ we also have $(A_i \times A_j^{-1})^T = H_i \times H_j^{-1}$ whenever $H_j$ is invertible.
Thus, if we set $B_{i,j} = (A_i \times A_j^{-1})^T$, then for a fixed $1 \le i \le n_0 - 1$ and for any different integers $j$ and $j'$ we have $H_j \times B_{i,j} = H_{j'} \times B_{i,j'} = H_i$. Consider now the code defined by the following generator matrix $G_1$:
$$G_1 = \begin{pmatrix} I_p & B_{2,1} & \cdots & B_{n_0-1,1} \end{pmatrix}.$$
It is easy to see that $H_1 \times G_1 = \begin{pmatrix} H_1 & H_2 & \cdots & H_{n_0-1} \end{pmatrix}$. This also means that $G_1$ spans a code with a minimum distance that is smaller than $(n_0 - 1)d_v$. Therefore, by applying dedicated algorithms ([8] or [20, Volume I, Chapter 7]) searching for codewords of small weight, it is possible to recover the matrices $H_1, \dots, H_{n_0-1}$. For instance, the work factor of Stern's algorithm for searching codewords of weight $(n_0 - 1)d_v = 3 \cdot 13 = 39$ in a code of dimension $p = 4\,032$ and length $p(n_0 - 1) = 12\,096$ is about $2^{37}$ operations with $(g, \ell) = (3, 43)$. Finally, we are able to compute $(H_i^T)^{-1} \times A_i = (H_{n_0}^{-1})^T \times Q_{n_0}^{-1}$ for any $1 \le i \le n_0 - 1$. Inverting this matrix and applying again the second strategy presented in Section 4.3.2, it is possible to find the matrices $H_{n_0}$ and $Q_{n_0}$.

4.4. Example

We illustrate the previously described attacks with some randomly generated polynomials $s_{i,j}(x)$ and $q_i(x)$ of weight $m = 7$ and degree less than $p = 4\,032$, as given in [1]. We only list the exponents of the monomials that appear in the expression of each polynomial. Recall that some of the polynomials $s_{i,j}(x)$ have to be of even weight (actually of weight $m - 1 = 6$) in order to generate an invertible matrix $S$. We implemented the attack in the MAGMA software [4]. The running time on a Pentium 4 (2.80 GHz) with 500 Mbytes of RAM for the second strategy is 140 seconds. The last step, which consists in recovering the secret LDPC code, is performed by applying the Canteaut-Chabaud algorithm.
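The work factors quoted in Sections 4.3.2 and 4.3.3 follow from the bound (8) once the parameters of [1] are plugged in. The Python below is an added worked evaluation, not code from the paper: it computes $N$, $P_w$ and the bound $\Omega_{n,k,w} \ge N/(A_w P_w)$ exactly (rational arithmetic, only the final $\log_2$ is a float) for the two searches described above, and the enumeration cost $\binom{m^2}{m} p^2$ of the first strategy. The parameters are those of the paper ($p = 4032$, $n_0 = 4$, $m = 7$, $d_v = 13$, $(g,\ell) = (3, 43)$); taking $A_w = p$ is my reading of "at least $p$ codewords", and the function names are mine.

```python
# Added worked evaluation (not code from the paper) of the Stern work-factor
# bound (8) and of the first strategy's enumeration cost, for the parameters
# of [1] as quoted in the paper.
from fractions import Fraction
from math import comb, log2


def iteration_cost(n, k, g, l):
    """N of equation (8): binary operations per iteration of Stern's algorithm
    with parameters (g, l); the last term accounts for the expected collisions."""
    kh = k // 2
    return (Fraction((n - k) ** 3, 2) + k * (n - k) ** 2
            + 2 * g * l * comb(kh, g)
            + Fraction(2 * g * (n - k) * comb(kh, g) ** 2, 2 ** l))


def success_probability(n, k, w, g, l):
    """P_w: one iteration finds a given weight-w word, i.e. the word has g ones
    in each half of the k information positions and none in the l selected rows."""
    kh = k // 2
    p1 = Fraction(comb(w, g) * comb(n - w, kh - g), comb(n, kh))
    p2 = Fraction(comb(w - g, g) * comb(n - kh - w + g, kh - g), comb(n - kh, kh))
    p3 = Fraction(comb(n - k - w + 2 * g, l), comb(n - k, l))
    return p1 * p2 * p3


def log2_work_factor(n, k, w, a_w, g, l):
    """log2 of the bound Omega_{n,k,w} >= N / (A_w P_w)."""
    omega = iteration_cost(n, k, g, l) / (a_w * success_probability(n, k, w, g, l))
    return log2(omega.numerator) - log2(omega.denominator)


def log2_first_strategy_cost(m, p):
    """Enumerate m-subsets of the (at most m^2) support of g_{i,j}, each tested
    with one inversion and product modulo x^p - 1: O(binom(m^2, m) * p^2)."""
    return log2(comb(m * m, m)) + 2 * log2(p)


# Parameters of [1] as used in the paper: p = 4032, n_0 = 4, m = 7, d_v = 13.
P, N0, M, DV = 4032, 4, 7, 13
N_CODE, K_CODE = (N0 - 1) * P, P      # length 12096, dimension 4032
G_PARAM, L_PARAM = 3, 43              # (g, l) of Stern's algorithm as in the paper

if __name__ == "__main__":
    print("first strategy: 2^%.1f" % log2_first_strategy_cost(M, P))
    # second strategy: codewords of weight (n_0 - 1) m = 21, at least p of them
    print("Stern, w = 21: 2^%.1f" % log2_work_factor(
        N_CODE, K_CODE, (N0 - 1) * M, P, G_PARAM, L_PARAM))
    # extraction of the secret code: codewords of weight (n_0 - 1) d_v = 39
    print("Stern, w = 39: 2^%.1f" % log2_work_factor(
        N_CODE, K_CODE, (N0 - 1) * DV, P, G_PARAM, L_PARAM))
```

The per-iteration cost $N$ dominates: for these parameters it is close to $2^{40}$, and the two searches differ only through $A_w P_w$, which is why recovering the secret parity-check matrix (weight 39) is a few powers of two more expensive than recovering $S$ (weight 21).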
The work factor of this last step is about $2^{36}$ operations. Our MAGMA implementation finds a codeword of weight $(n_0 - 1)d_v = 39$ in about 15 minutes.

$H_1 = [213, 457, 1467, 1702, 1786, 2015, 2155, 2197, 2569, 2744, 2823, 2902, 3710]$
$H_2 = [6, 626, 868, 1102, 1564, 1894, 2401, 2595, 2982, 3570, 3605, 3771, 3835]$
$H_3 = [615, 639, 1198, 1513, 1712, 1850, 1941, 2397, 2553, 3074, 3373, 3798, 3960]$
$H_4 = [135, 149, 241, 735, 1265, 2075, 2869, 3111, 3218, 3625, 3760, 3785, 3969]$
$S_{1,1} = [24, 274, 334, 2025, 2574, 2661, 3601]$
$S_{1,2} = [512, 1177, 2524, 2526, 2904, 2968, 3340]$
$S_{1,3} = [930, 1175, 1210, 1459, 2200, 2303, 2811]$
$S_{2,1} = [503, 1258, 1632, 1658, 2055, 2221, 2764]$
$S_{2,2} = [989, 1256, 2568, 2625, 2906, 3139]$
$S_{2,3} = [561, 616, 2499, 2787, 2835, 3061, 3865]$
$S_{3,1} = [177, 465, 1659, 1958, 2795, 3605]$
$S_{3,2} = [419, 461, 1540, 2262, 2435, 3474, 3587]$
$S_{3,3} = [554, 1119, 1307, 2018, 2193, 2631, 3755]$
$Q_1 = [456, 578, 1551, 1562, 1992, 2919, 3476]$
$Q_2 = [250, 268, 897, 1782, 2127, 3163, 3378]$
$Q_3 = [14, 1132, 1672, 1716, 2164, 2723, 3409]$
$Q_4 = [443, 593, 2401, 2615, 2981, 3612, 3993]$

5. Conclusion

The idea of introducing quasi-cyclic codes and quasi-cyclic low density parity-check codes is motivated by the practical concern of reducing the key sizes of the McEliece cryptosystem. The first variant of [11] uses quasi-cyclic codes obtained from subcodes of a cyclic BCH code. The other variant of [1] uses quasi-cyclic low density parity-check codes. However, we have shown here that these two attempts at reducing the key size are made at the expense of security. Indeed, we have presented structural cryptanalyses of these two variants of the McEliece cryptosystem.
The first attack applies to the variant of [11] and extracts the secret permutation supposed to hide the structure of the secret codes. We show that the secret key recovery amounts to solving an over-constrained linear system. The second attack accomplishes a total break of [1]. In the first phase, we look for divisors of low weight of a given public polynomial. The last phase recovers the secret parity-check matrix of the secret quasi-cyclic low density parity-check code by looking for low weight codewords in a punctured version of the secret code. An implementation shows that the first phase can be accomplished in about 140 seconds and the second phase in about 15 minutes. However, these results cannot be applied to the original McEliece scheme using Goppa codes, which represents up to now the only unbroken scheme. An open problem which would be desirable to solve is to come up with a way of reducing significantly the key sizes in this type of public-key cryptosystem while maintaining the security intact.

References

[1] M. Baldi and G. F. Chiaraluce. Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC codes. In IEEE International Symposium on Information Theory, pages 2591–2595, Nice, France, March 2007.
[2] E. R. Berlekamp, R. J. McEliece, and H. C. A. van Tilborg. On the intractability of certain coding problems. IEEE Transactions on Information Theory, 24(3):384–386, 1978.
[3] D. J. Bernstein, T. Lange, and C. Peters. Attacking and defending the McEliece cryptosystem. PQCrypto, pages 31–46, 2008.
[4] W. Bosma, J. J. Cannon, and C. Playoust. The Magma algebra system I: The user language. J. Symb. Comput., 24(3/4):235–265, 1997.
[5] C. Monico, J. Rosenthal, and A. Shokrollahi. Using low density parity check codes in the McEliece cryptosystem. In IEEE International Symposium on Information Theory (ISIT 2000), page 215, Sorrento, Italy, 2000.
[6] A. Canteaut and H. Chabanne. A further improvement of the work factor in an attempt at breaking McEliece's cryptosystem. In EUROCODE 94, pages 169–173. INRIA, 1994.
[7] A. Canteaut and F. Chabaud. Improvements of the attacks on cryptosystems based on error-correcting codes. Technical Report 95–21, INRIA, 1995.
[8] A. Canteaut and F. Chabaud. A new algorithm for finding minimum-weight words in a linear code: Application to McEliece's cryptosystem and to narrow-sense BCH codes of length 511. IEEE Transactions on Information Theory, 44(1):367–378, 1998.
[9] P. L. Cayrel, A. Otmani, and D. Vergnaud. On Kabatianskii-Krouk-Smeets Signatures. In Proceedings of the first International Workshop on the Arithmetic of Finite Fields (WAIFI 2007), Springer Verlag Lecture Notes, pages 237–251, Madrid, Spain, June 21–22 2007.
[10] D. Engelbert, R. Overbeck, and A. Schmidt. A summary of McEliece-type cryptosystems and their security. In Journal of Mathematical Cryptology, volume 1, pages 151–199, 2007.
[11] P. Gaborit. Shorter keys for code based cryptography. In Proceedings of the 2005 International Workshop on Coding and Cryptography (WCC 2005), pages 81–91, Bergen, Norway, March 2005.
[12] P. Gaborit and M. Girault. Lightweight code-based authentication and signature. In IEEE International Symposium on Information Theory (ISIT 2007), pages 191–195, Nice, France, March 2007.
[13] P. Gaborit, C. Lauradoux, and N. Sendrier. Synd: a fast code-based stream cipher with a security reduction. In IEEE International Symposium on Information Theory (ISIT 2007), pages 186–190, Nice, France, March 2007.
[14] P. J. Lee and E. F. Brickell. An observation on the security of McEliece's public-key cryptosystem. In Advances in Cryptology - EUROCRYPT'88, volume 330/1988 of Lecture Notes in Computer Science, pages 275–280. Springer, 1988.
[15] J. S. Leon. A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Transactions on Information Theory, 34(5):1354–1359, 1988.
[16] Y. X. Li, R. H. Deng, and X.-M. Wang. On the equivalence of McEliece's and Niederreiter's public-key cryptosystems. IEEE Transactions on Information Theory, 40(1):271–273, 1994.
[17] R. J. McEliece. A Public-Key System Based on Algebraic Coding Theory, pages 114–116. Jet Propulsion Lab, 1978. DSN Progress Report 44.
[18] L. Minder and A. Shokrollahi. Cryptanalysis of the Sidelnikov cryptosystem. In Eurocrypt 2007, volume 4515 of Lecture Notes in Computer Science, pages 347–360, Barcelona, Spain, 2007.
[19] H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems Control Inform. Theory, 15(2):159–166, 1986.
[20] V. S. Pless and W. C. Huffman, editors. Handbook of coding theory. North Holland, 1998.
[21] V. M. Sidelnikov. A public-key cryptosystem based on binary Reed-Muller codes. Discrete Mathematics and Applications, 4(3), 1994.
[22] V. M. Sidelnikov and S. O. Shestakov. On the insecurity of cryptosystems based on generalized Reed-Solomon codes. Discrete Mathematics and Applications, 1(4):439–444, 1992.
[23] J. Stern. A method for finding codewords of small weight. In G. D. Cohen and J. Wolfmann, editors, Coding Theory and Applications, volume 388 of Lecture Notes in Computer Science, pages 106–113. Springer, 1988.
[24] E. M. Gabidulin. Public-Key Cryptosystems Based on Linear Codes. 1995.
[25] T. P. Berger and P. Loidreau. How to Mask the Structure of Codes for a Cryptographic Use. Des. Codes Cryptography, 35(1):63–79, 2005.
[26] C. Wieschebrink. An Attack on a Modified Niederreiter Encryption Scheme. Public Key Cryptography - PKC 2006, Volume 3958/2006 of Lecture Notes in Computer Science, pages 14–26. Springer, 2006.
[27] N. Sendrier. On the Concatenated Structure of a Linear Code. AAECC, 9(3):221–242, November 1998.

Ayoub Otmani
GREYC - Ensicaen - Université de Caen, Campus II, Boulevard Maréchal Juin, F-14050 Caen Cedex, France.
e-mail: Ayoub.Otmani@info.unicaen.fr

Jean-Pierre Tillich
INRIA, Projet Secret, BP 105, Domaine de Voluceau, F-78153 Le Chesnay, France.
e-mail: jean-pierre.tillich@inria.fr

Léonard Dallot
GREYC - Ensicaen - Université de Caen, Campus II, Boulevard Maréchal Juin, F-14050 Caen Cedex, France.
e-mail: Leonard.Dallot@info.unicaen.fr