LDPC codes in the McEliece cryptosystem: attacks and countermeasures

📝 Original Info

  • Title: LDPC codes in the McEliece cryptosystem: attacks and countermeasures
  • ArXiv ID: 0710.0142
  • Date: 2007-09-30
  • Authors: Marco Baldi

📝 Abstract

The McEliece cryptosystem is a public-key cryptosystem based on coding theory that has successfully resisted cryptanalysis for thirty years. The original version, based on Goppa codes, is able to guarantee a high level of security, and is faster than competing solutions, like RSA. Despite this, it has been rarely considered in practical applications, due to two major drawbacks: i) large size of the public key and ii) low transmission rate. Low-Density Parity-Check (LDPC) codes are state-of-art forward error correcting codes that permit to approach the Shannon limit while ensuring limited complexity. Quasi-Cyclic (QC) LDPC codes are a particular class of LDPC codes, able to join low complexity encoding of QC codes with high-performing and low-complexity decoding of LDPC codes. In a previous work it has been proposed to adopt a particular family of QC-LDPC codes in the McEliece cryptosystem to reduce the key size and increase the transmission rate. Recently, however, new attacks have been found that are able to exploit a flaw in the transformation from the private key to the public one. Such attacks can be effectively countered by changing the form of some constituent matrices, without altering the system parameters. This work gives an overview of the QC-LDPC codes-based McEliece cryptosystem and its cryptanalysis. Two recent versions are considered, and their ability to counter all the currently known attacks is discussed. A third version able to reach a higher security level is also proposed. Finally, it is shown that the new QC-LDPC codes-based cryptosystem scales favorably with the key length.

📄 Full Content

First presented by Robert J. McEliece in 1978 [1], the McEliece cryptosystem is one of the most famous examples of a public-key cryptosystem based on error correcting codes. It adopts generator matrices of linear block codes as private and public keys, and uses the combination of a dense transformation and a permutation to hide the structure of the secret code in the public generator matrix. Its security lies in the difficulty of decoding a large linear code having no visible structure, which is an NP-complete problem [2]. The McEliece cryptosystem has successfully resisted cryptanalysis for thirty years, and no algorithm able to achieve a total break in a reasonable time has been found up to now.

Attacks achieving the lowest work factors aim at solving the general decoding problem, which consists in deriving the error vector affecting a codeword of an (n, k)-linear block code (i.e., a code having length n and dimension k). It can be shown that this problem can be translated into that of finding the minimum weight codeword in an (n, k + 1)-linear block code, so the McEliece cryptosystem can also be attacked by means of algorithms aimed at finding low weight codewords.

A first decoding attack was already proposed by McEliece in his original paper [1] and is based on the principle of information set decoding. It consists in selecting k bits of the ciphertext and inverting the encoding map, hoping that none of them is in error. This attack was further improved by Lee and Brickell [3], who proposed a systematic procedure for validating the decoded words and showed that the attack can also be attempted when the chosen information set is affected by a small number of errors.
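As an added example (not code from the paper or from any McEliece implementation), the toy construction below instantiates the scheme described above with the [7,4,3] Hamming code in place of a large Goppa code, so the dense transformation S, the permutation P and the single intentional error are all at toy scale, and it adds the success probability of the information set decoding attacks of McEliece and of Lee and Brickell, which is the quantity that key-size choices must drive down:

```python
# Toy McEliece over GF(2) with the [7,4,3] Hamming code (t = 1), plus the success
# probability of plain / Lee-Brickell information-set decoding used to size keys.
import random
from math import comb

def vec_mat(v, m):  # GF(2) row-vector times matrix
    return [sum(x & y for x, y in zip(v, col)) & 1 for col in zip(*m)]

def mat_mul(a, b):  # GF(2) matrix product
    return [vec_mat(row, b) for row in a]

G = [[1,0,0,0,1,1,0],[0,1,0,0,1,0,1],[0,0,1,0,0,1,1],[0,0,0,1,1,1,1]]  # secret systematic generator
HT = [[1,1,0],[1,0,1],[0,1,1],[1,1,1],[1,0,0],[0,1,0],[0,0,1]]          # H transposed: row j = column j of H

def keygen(rng):
    """Public key G' = S*G*P (toy sizes): S a dense invertible 4x4, P a 7x7 permutation."""
    ops = [(i, j) for i, j in [(rng.randrange(4), rng.randrange(4)) for _ in range(16)] if i != j]
    S = [[int(i == j) for j in range(4)] for i in range(4)]
    S_inv = [row[:] for row in S]
    for i, j in ops:            # S = E_m...E_1 with E = "row j += row i" (self-inverse over GF(2))
        S[j] = [x ^ y for x, y in zip(S[j], S[i])]
    for i, j in reversed(ops):  # hence S^-1 = E_1...E_m: apply the same ops in reverse order
        S_inv[j] = [x ^ y for x, y in zip(S_inv[j], S_inv[i])]
    perm = list(range(7)); rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(7)] for i in range(7)]  # row i moves position i to perm[i]
    return mat_mul(mat_mul(S, G), P), (S_inv, perm)

def encrypt(pub, m, rng):
    e = [0] * 7; e[rng.randrange(7)] = 1             # intentional error vector of weight t = 1
    return [x ^ y for x, y in zip(vec_mat(m, pub), e)]

def decrypt(priv, c):
    S_inv, perm = priv
    w = [c[perm[i]] for i in range(7)]               # undo P: w = m*S*G + e*P^-1
    s = vec_mat(w, HT)                               # syndrome = column of H at the error position
    if any(s):
        w[HT.index(s)] ^= 1                          # Hamming decoding corrects the single error
    return vec_mat(w[:4], S_inv)                     # systematic part is m*S; strip S

def isd_success_prob(n, k, t, p=0):
    """P[a random information set of k positions contains exactly p of the t errors]:
    p = 0 is McEliece's original attack, p > 0 Lee-Brickell's; about 1/P trials are needed."""
    return comb(k, p) * comb(n - k, t - p) / comb(n, t)

def roundtrip_all(seed=1):  # True if every 4-bit message survives encrypt/decrypt
    rng = random.Random(seed)
    pub, priv = keygen(rng)
    msgs = [[(i >> j) & 1 for j in range(4)] for i in range(16)]
    return all(decrypt(priv, encrypt(pub, m, rng)) == m for m in msgs)
```

At toy scale a single trial finds an error-free information set with probability 3/7; with McEliece's original parameters (n, k, t) = (1024, 524, 50), which this page does not quote, isd_success_prob gives about 2^-54, i.e. around 2^54 expected trials before the per-trial Gaussian elimination cost is even counted.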

More recent decoding attacks are instead based on probabilistic algorithms searching for low weight codewords. Stern's algorithm [4] is among the most famous ones, and it was later improved by Canteaut and Chabaud [5]. Very recently, Bernstein et al. have proposed a highly efficient implementation of the attack based on Stern's algorithm [6], which achieves a speedup of about 12. The improved algorithm has been run on a computer cluster, and an encrypted codeword of the original McEliece cryptosystem has been correctly deciphered, thus proving the feasibility of an attack for the original choice of the system parameters. Despite this, no polynomial time attack has been found up to now, and the system remains secure, provided that large enough keys are adopted in order to reach suitable work factors on modern computers. In addition, the McEliece cryptosystem can be considered a post-quantum cryptographic system [7], since no polynomial time algorithm able to exploit quantum computers for an attack has been found up to now. By contrast, Shor presented a quantum polynomial time algorithm for calculating discrete logarithms that should be able to break RSA, DSA and ECDSA [8].

Moreover, the original version of the McEliece cryptosystem, based on binary Goppa codes with irreducible generator polynomials, can be two or three orders of magnitude faster than RSA. However, unlike RSA, the original McEliece cryptosystem has been rarely considered in practical applications, due to its two major drawbacks: large keys and low transmission rates. Many attempts have been made to replace Goppa codes with other families of codes in order to overcome such drawbacks, but they have always compromised the system security. This occurred for Generalized Reed-Solomon codes [9] and Reed-Muller codes [10]. Successful total break attacks have also been conceived for some versions adopting Quasi-Cyclic (QC) codes [11] and Low-Density Parity-Check (LDPC) codes [12,13].

LDPC codes represent the state of the art in forward error correction and are able to approach the ultimate capacity bounds [14]. Their performance under belief propagation decoding depends on the characteristics of their sparse parity-check matrices, and their design can be performed on a random basis. Thus, it is possible to obtain large families of equivalent codes, which is the first requirement for their application in cryptography. The adoption of LDPC codes in the McEliece cryptosystem can yield many advantages: the sparse nature of their parity-check matrices could help to reduce the key size, at least in principle, and their easy design could allow the transmission rate to be increased. Unfortunately, the usage of LDPC matrices as public keys can compromise the system security [12,13,15]. For this reason, it has been proposed to adopt public keys in the form of generator matrices of a particular family of QC-LDPC codes, which are structured LDPC codes. Their structured character allows the key size to be reduced even though dense generator matrices are used.

Even with this choice, the adoption of sparse and block-wise diagonal transformation matrices can still expose the cryptosystem to total break attacks [16]; so, the original proposal has been recently revised in such a way to not include this kind o

…(Full text truncated)…

Reference

This content is AI-processed based on ArXiv data.