The Code Equivalence problem is that of determining whether two given linear codes are equivalent to each other up to a permutation of the coordinates. This problem has a direct reduction to a nonabelian hidden subgroup problem (HSP), suggesting a possible quantum algorithm analogous to Shor's algorithms for factoring or discrete log. However, we recently showed that in many cases of interest---including Goppa codes---solving this case of the HSP requires rich, entangled measurements. Thus, solving these cases of Code Equivalence via Fourier sampling appears to be out of reach of current families of quantum algorithms. Code equivalence is directly related to the security of McEliece-type cryptosystems in the case where the private code is known to the adversary. However, for many codes the support splitting algorithm of Sendrier provides a classical attack in this case. We revisit the claims of our previous article in the light of these classical attacks, and discuss the particular case of the Sidelnikov cryptosystem, which is based on Reed-Muller codes.
Quantum Fourier sampling, Code Equivalence, and the quantum security of the McEliece and Sidelnikov cryptosystems
Code Equivalence is the problem of deciding whether two matrices over a finite field generate equivalent linear codes, i.e., codes that are equal up to a fixed permutation on the codeword coordinates. Petrank and Roth [1997] showed that Code Equivalence is unlikely to be NP-complete, but is at least as hard as Graph Isomorphism. We consider a search version of Code Equivalence: given generator matrices M and M′ for two equivalent linear q-ary codes, find a pair of matrices (S, P), where S is an invertible square matrix over F_q and P is a permutation matrix, such that M′ = SMP.
Code Equivalence has an immediate presentation as a hidden subgroup problem, suggesting that one might be able to develop an efficient quantum algorithm for it via the quantum Fourier transform. In our previous article [Dinh et al., 2011], however, we showed that under natural structural assumptions on the code, the resulting instance of the hidden subgroup problem requires entangled measurements of the coset state and, hence, appears to be beyond the reach of current methods.
We argued in [Dinh et al., 2011] that our results strengthen the case for the McEliece cryptosystem as a candidate for post-quantum cryptography, that is, a cryptosystem that can be implemented with classical computers but which will remain secure even if and when quantum computers are built. In this note, we revisit this statement in light of Sendrier's support splitting algorithm (SSA), which finds the hidden permutation P for many families of codes. In particular, the SSA implies that the McEliece cryptosystem based on Goppa codes is classically insecure when the private code is known. We also observe that our results apply to Reed-Muller codes and thus to a natural quantum attack on the Sidelnikov cryptosystem.
The private key of a McEliece cryptosystem is a triple (S, M, P), where S is an invertible matrix over F_q, P is a permutation matrix, and M is the generator matrix for a q-ary error-correcting code that admits efficient decoding. The public key is the generator matrix M′ = SMP. If both M and M′ are known to an adversary, the problem of recovering S and P (the remainder of the secret key) is precisely the version of Code Equivalence described above. If M and M′ have full rank, then given P we can find S by linear algebra. Thus the potentially hard part of the problem is finding the hidden permutation P.
We call an adversary apprised of both M and M′ a known-code adversary. In our recent article [Dinh et al., 2011], we noted that our results on Goppa codes imply that the natural quantum attack available to a known-code adversary yields hard cases of the hidden subgroup problem, and asserted that this should bolster our confidence in the post-quantum security of the McEliece cryptosystem.
However, the classical support splitting algorithm (SSA) of Sendrier [2000] can efficiently solve Code Equivalence for Goppa codes, and for many other families of codes as well. (In addition, Goppa codes of high rate can be distinguished from random codes, opening them to additional attacks [Faugère et al., 2010].) Thus for McEliece based on Goppa codes, the known-code adversary is too powerful: it can break the cryptosystem classically. Therefore, the hardness of the corresponding instances of the HSP has little bearing on the post-quantum security of the McEliece cryptosystem, at least for this family of codes.
The situation is similar in many ways to the status of Graph Isomorphism. There is a natural reduction from Graph Isomorphism to the HSP on the symmetric group, but a long series of results (e.g., Hallgren et al. [2010], Moore et al. [2010]) have shown that the resulting instances of the HSP require highly-entangled measurements, and that known families of such measurements cannot succeed. Thus the miracle of Shor’s algorithms for factoring and discrete log, where we can solve these problems simply by looking at the symmetries of a certain function, does not seem to apply to Graph Isomorphism. Any efficient quantum algorithm for it would have to involve significantly new ideas.
On the other hand, many cases of Graph Isomorphism are easy classically, including graphs with bounded eigenvalue multiplicity [Babai et al., 1982] and constant degree [Luks, 1982]. Many of these classical algorithms work by finding a canonical labeling of the graph [Babai, 1980, Babai and Luks, 1983], giving each vertex a unique label based on local quantities. These labeling schemes use the details of the graph, and not just its symmetries, which is precisely what the reduction to the HSP leaves out. Analogously, the support splitting algorithm labels each coordinate of the code by the weight enumerator of the hull of the code punctured at that coordinate. For most codes, including Goppa codes, this creates a labeling that is unique or nearly unique, allowing us to determine the permutation P.
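The following is an added example, not code from the paper or from Sendrier's own implementation, that puts the known-code adversary's task described above into a runnable toy: it implements the single-puncture labeling just described (the weight enumerator of the hull of the code punctured at each coordinate), matches labels between M and M′ = SMP to recover P on every coordinate whose label is unique, and then recovers S by linear algebra as the text claims is possible once P is known. Everything is over F_2; the [7,4] Hamming generator, the arbitrary [9,4] code, the secret S and the secret permutation are constructed for illustration, and hulls are found by brute-force enumeration of the 2^k codewords, which only works because the codes are tiny.

```python
"""Toy known-code attack on M' = S M P over GF(2). Added example, not the paper's code.

Labels coordinates by the weight enumerator of hull(C punctured at i), matches
labels between M and M', and solves for S by linear algebra once P is known.
Codes are constructed toys; hulls are computed by enumerating all 2^k codewords.
"""
from collections import Counter
from itertools import product


def codewords(G):
    """The set of all codewords spanned by the rows of G (k x n over GF(2))."""
    words = set()
    for coeffs in product((0, 1), repeat=len(G)):
        w = [0] * len(G[0])
        for c, row in zip(coeffs, G):
            if c:
                w = [x ^ y for x, y in zip(w, row)]
        words.add(tuple(w))
    return words


def hull_weight_enumerator(G):
    """Weight enumerator of hull(C) = C ∩ C^⊥ as a sorted tuple of (weight, count).
    A codeword is in C^⊥ iff it is orthogonal to every generator row."""
    hull = [w for w in codewords(G)
            if all(sum(x & y for x, y in zip(w, row)) % 2 == 0 for row in G)]
    return tuple(sorted(Counter(sum(w) for w in hull).items()))


def puncture(G, i):
    """Generator matrix of the code with coordinate i deleted."""
    return [row[:i] + row[i + 1:] for row in G]


def ssa_labels(G):
    """Coordinate -> label used by the first step of the support splitting algorithm."""
    return {i: hull_weight_enumerator(puncture(G, i)) for i in range(len(G[0]))}


def recover_permutation(M, Mp):
    """Return {i: j}: coordinate i of M sits at position j of M'. Only labels that are
    unique on both sides are matched, so the map is partial for codes with automorphisms."""
    lab, labp = ssa_labels(M), ssa_labels(Mp)
    cnt, cntp = Counter(lab.values()), Counter(labp.values())
    inv = {v: j for j, v in labp.items() if cntp[v] == 1}
    return {i: inv[v] for i, v in lab.items() if cnt[v] == 1 and v in inv}


def gf2_solve(A, B):
    """Solve A X = B over GF(2) for A (m x k) of full column rank and B (m x r)."""
    m, k = len(A), len(A[0])
    aug = [A[i][:] + B[i][:] for i in range(m)]
    for col in range(k):  # Gauss-Jordan: the pivot for column col ends up in row col
        piv = next((i for i in range(col, m) if aug[i][col]), None)
        if piv is None:
            raise ValueError("coefficient matrix does not have full column rank")
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(m):
            if i != col and aug[i][col]:
                aug[i] = [x ^ y for x, y in zip(aug[i], aug[col])]
    if any(any(row[k:]) for row in aug[k:]):
        raise ValueError("inconsistent system: M' is not S M P for this P")
    return [row[k:] for row in aug[:k]]


def perm_matrix(pi):
    """P with P[i][pi[i]] = 1, so column i of M lands at position pi[i] of M P."""
    return [[1 if pi[i] == j else 0 for j in range(len(pi))] for i in range(len(pi))]


def mat_mul(A, B):
    return [[sum(a & b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]


def recover_S(M, Mp, pi):
    """Given the hidden permutation, recover S from M' = S M P.
    Undoing P gives A = M' P^T = S M; solving M^T S^T = A^T is unique since M has full row rank."""
    n = len(M[0])
    A = [[row[pi[i]] for i in range(n)] for row in Mp]
    ST = gf2_solve([list(c) for c in zip(*M)], [list(c) for c in zip(*A)])
    return [list(c) for c in zip(*ST)]


# Constructed instances (not from the paper): a standard [7,4] Hamming generator,
# an arbitrary [9,4] code, an invertible 4x4 S and a permutation of 9 coordinates.
HAMMING_7_4 = [[1,0,0,0,0,1,1],[0,1,0,0,1,0,1],[0,0,1,0,1,1,0],[0,0,0,1,1,1,1]]
TOY_9_4 = [[1,0,0,0,1,1,0,1,0],[0,1,0,0,0,1,1,0,1],[0,0,1,0,1,0,1,1,1],[0,0,0,1,1,1,1,0,0]]
SECRET_S = [[1,1,0,0],[0,1,0,1],[1,0,1,0],[0,0,0,1]]
SECRET_PI = [3,7,0,5,8,1,6,2,4]


def public_key(S, M, pi):
    return mat_mul(mat_mul(S, M), perm_matrix(pi))


def known_code_attack(M, Mp):
    """Adversary knowing M and M': recover P where labels allow, then S if P is complete."""
    mapping = recover_permutation(M, Mp)
    if len(mapping) < len(M[0]):
        return mapping, None
    return mapping, recover_S(M, Mp, [mapping[i] for i in range(len(M[0]))])


if __name__ == "__main__":
    Mp = public_key(SECRET_S, TOY_9_4, SECRET_PI)
    mapping, S = known_code_attack(TOY_9_4, Mp)
    print("coordinates pinned down by labels:", sorted(mapping.items()))
    print("S recovered:", S == SECRET_S)
    # Hamming code: transitive automorphism group, so every coordinate gets the same label
    print("distinct Hamming labels:", len(set(ssa_labels(HAMMING_7_4).values())))
```

The labels are invariant under the change of basis S and under relabeling the remaining coordinates, so a coordinate whose label is unique in M can be matched to exactly one coordinate of M′; the Hamming code shows the opposite extreme, where a transitive automorphism group forces every coordinate to carry the same label and the single-puncture labeling fixes nothing. Sendrier's full algorithm refines such a partition by puncturing at further positions, which this toy omits.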
There are families of instances of Graph Isomorphism that defeat known methods, due to the fact that no loca