Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

24.10 The McEliece Cryptosystem

In this book, we have mostly described cryptographic systems that are based on number theoretic principles. There are many other cryptosystems that are based on other complex problems. Here we present one based on the difficulty of finding the nearest codeword for a linear binary code.

The idea is simple. Suppose you have a binary string of length 1024 that has 50 errors. There are $(_{50}^{1024}) \approx 3 \times 10^{85}$ $(_{50}^{1024}) \approx 3 \times 10^{85}$ possible locations for these errors, so an exhaustive search that tries all possibilities is infeasible. Suppose, however, that you have an efficient decoding algorithm that is unknown to anyone else. Then only you can correct these errors and find the corrected string. McEliece showed how to use this to obtain a public key cryptosystem.

Bob chooses $G$ $G$ to be the generating matrix for an $(n, k)$ $(n, k)$ linear error correcting code $C$ $C$ with $d (C) = d$ $d (C) = d$ . He chooses $S$ $S$ to be a $k \times k$ $k \times k$ matrix that is invertible mod 2 and lets $P$ $P$ be an $n \times n$ $n \times n$ permutation matrix, which means that $P$ $P$ has exactly one 1 in every row and in every column, with all the other entries being 0. Define

G_{1} = S G P .

$G_{1} = S G P .$

The matrix $G_{1}$ $G_{1}$ is the public key for the cryptosystem. Bob keeps $S, G, P$ $S, G, P$ secret.

In order for Alice to send Bob a message $x$ $x$ , she generates a random binary string $e$ $e$ of length $n$ $n$ that has weight $t$ $t$ . She forms the ciphertext by computing

y \equiv x G_{1} + e (m o d 2) .

$y \equiv x G_{1} + e (m o d 2) .$

Bob decrypts $y$ $y$ as follows:

Calculate $y_{1} \equiv y P^{- 1}$ $y_{1} \equiv y P^{- 1}$ . (Since $P$ $P$ is a permutation matrix, $e_{1} = e P^{- 1}$ $e_{1} = e P^{- 1}$ is still a binary string of weight $t$ $t$ . We have $y_{1} \equiv x S G + e_{1}$ $y_{1} \equiv x S G + e_{1}$ .)
Apply the error decoder for the code $C$ $C$ to $y_{1}$ $y_{1}$ to correct the “error” and obtain the codeword $x_{1}$ $x_{1}$ closest to $y_{1}$ $y_{1}$ .
Compute $x_{0}$ $x_{0}$ such that $x_{0} G \equiv x_{1}$ $x_{0} G \equiv x_{1}$ (in the examples we have considered, $x_{0}$ $x_{0}$ is simply the first $k$ $k$ bits of $x_{1}$ $x_{1}$ ).
Compute $x \equiv x_{0} S^{- 1}$ $x \equiv x_{0} S^{- 1}$ .

The security of the system lies in the difficulty of decoding $y_{1}$ $y_{1}$ to obtain $x_{1}$ $x_{1}$ . There is a little security built into the system by $S$ $S$ ; however, once a decoding algorithm is known for the code generated by $G P$ $G P$ , a chosen plaintext attack allows one to solve for the matrix $S$ $S$ (as in the Hill cipher).

To make decoding difficult, $d (C)$ $d (C)$ should be chosen to be large. McEliece suggested using a $[1024, 512, 101]$ $[1024, 512, 101]$ Goppa code. The Goppa codes have parameters of the form $n = 2^{m}, d = 2 t + 1, k = n - m t$ $n = 2^{m}, d = 2 t + 1, k = n - m t$ . For example, taking $m = 10$ $m = 10$ and $t = 50$ $t = 50$ yields the $[1024, 524, 101]$ $[1024, 524, 101]$ code just mentioned. It can correct up to 50 errors. For given values of $m$ $m$ and $t$ $t$ , there are in fact many inequivalent Goppa codes with these parameters. We will not discuss these codes here except to mention that they have an efficient decoding algorithm and therefore can be used to correct errors quickly.

Example

Consider the matrix

G = (\begin{array}{ccccccc} 1 & 0 & 0 & 0 & 1 & 1 & 0 \\ 0 & 1 & 0 & 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 \end{array}),

$G = (\begin{array}{ccccccc} 1 & 0 & 0 & 0 & 1 & 1 & 0 \\ 0 & 1 & 0 & 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 \end{array}),$

which is the generator matrix for the $[7, 4]$ $[7, 4]$ Hamming code. Suppose Alice wishes to send a message

m = (1, 0, 1, 1)

$m = (1, 0, 1, 1)$

to Bob. In order to do so, Bob must create an invertible matrix $S$ $S$ and a random permutation matrix $P$ $P$ that he will keep secret. If Bob chooses

S = (\begin{array}{cccc} 1 & 0 & 0 & 1 \\ 1 & 1 & 0 & 1 \\ 0 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{array})

$S = (\begin{array}{cccc} 1 & 0 & 0 & 1 \\ 1 & 1 & 0 & 1 \\ 0 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{array})$

and

P = (\begin{array}{ccccccc} 0 & 0 & 1 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 \end{array}) .

$P = (\begin{array}{ccccccc} 0 & 0 & 1 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 \end{array}) .$

Using these, Bob generates the public encryption matrix

G_{1} = (\begin{array}{ccccccc} 0 & 0 & 1 & 1 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 1 & 0 & 0 \end{array}) .

$G_{1} = (\begin{array}{ccccccc} 0 & 0 & 1 & 1 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 1 & 0 & 0 \end{array}) .$

In order to encrypt, Alice generates her own random error vector $e$ $e$ and calculates the ciphertext $y = x G_{1} + e$ $y = x G_{1} + e$ . In the case of a Hamming code the error vector has weight $1$ $1$ . Suppose Alice chooses

e = (0, 1, 0, 0, 0, 0, 0) .

$e = (0, 1, 0, 0, 0, 0, 0) .$

Then

y = (0, 0, 0, 1, 1, 0, 0) .

$y = (0, 0, 0, 1, 1, 0, 0) .$

Bob decrypts by first calculating

y_{1} = y P^{- 1} = (0, 0, 1, 0, 0, 0, 1) .

$y_{1} = y P^{- 1} = (0, 0, 1, 0, 0, 0, 1) .$

Calculating the syndrome of $y_{1}$ $y_{1}$ by applying the parity check matrix $H$ $H$ and changing the corresponding bit yields

x_{1} = (0, 0, 1, 0, 0, 1, 1) .

$x_{1} = (0, 0, 1, 0, 0, 1, 1) .$

Bob next forms a vector $x_{0}$ $x_{0}$ such that $x_{0} G = x_{1}$ $x_{0} G = x_{1}$ , which can be done by extracting the first four components of $x_{1}$ $x_{1}$ , that is,

x_{0} = (0, 0, 1, 0) .

$x_{0} = (0, 0, 1, 0) .$

Bob decrypts by calculating

x = x_{0} S^{- 1} = (1, 0, 1, 1),

$x = x_{0} S^{- 1} = (1, 0, 1, 1),$

which is the original plaintext message.

The McEliece system seems to be reasonably secure. For a discussion of its security, see [Chabaud]. A disadvantage of the system compared to RSA, for example, is that the size of the public key $G_{1}$ $G_{1}$ is rather large.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for 24.10 The McEliece Cryptosystem

Create new playlist

Sign In

Sign Up

Table of Contents for
24.10 The McEliece Cryptosystem