Niederreiter cryptosystem
 | This article includes a list of general references, but it remains largely unverified because it lacks sufficient corresponding inline citations. (April 2009) (Learn how and when to remove this template message) |
In cryptography, the Niederreiter cryptosystem is a variation of the McEliece cryptosystem developed in 1986 by Harald Niederreiter.[1] It applies the same idea to the parity check matrix, H, of a linear code. Niederreiter is equivalent to McEliece from a security point of view. It uses a syndrome as ciphertext and the message is an error pattern. The encryption of Niederreiter is about ten times faster than the encryption of McEliece. Niederreiter can be used to construct a digital signature scheme.
Scheme definition
A special case of Niederreiter's original proposal was broken[2] but the system is secure when used with a Binary Goppa code.
Key generation
- Alice selects a binary (n, k)-linear Goppa code, G, capable of correcting t errors. This code possesses an efficient decoding algorithm.
- Alice generates a (n − k) × n parity check matrix, H, for the code, G.
- Alice selects a random (n − k) × (n − k) binary non-singular matrix, S.
- Alice selects a random n × n permutation matrix, P.
- Alice computes the (n − k) × n matrix, Hpub = SHP.
- Alice's public key is (Hpub, t); her private key is (S, H, P).
Message encryption
Suppose Bob wishes to send a message, m, to Alice whose public key is (Hpub, t):
- Bob encodes the message, m, as a binary string em' of length n and weight at most t.
- Bob computes the ciphertext as c = HpubeT.
Message decryption
Upon receipt of c = HpubmT from Bob, Alice does the following to retrieve the message, m.
- Alice computes S−1c = HPmT.
- Alice applies a syndrome decoding algorithm for G to recover PmT.
- Alice computes the message, m, via mT = P−1PmT.
Signature scheme
Courtois, Finiasz and Sendrier showed how the Niederreiter cryptosystem can be used to derive a signature scheme .[3][4]
- Calculate [math]\displaystyle{ s=h(d) }[/math], where [math]\displaystyle{ h }[/math] is a Hash Function and [math]\displaystyle{ d }[/math] is the signed document.
- Calculate [math]\displaystyle{ s_i = h(s|i), i = 0, 1, 2, \dots }[/math], where [math]\displaystyle{ | }[/math] denotes concatenation.
- Attempt to decrypt [math]\displaystyle{ s_i }[/math] until the smallest value of [math]\displaystyle{ i }[/math] (denoted further as [math]\displaystyle{ i_0 }[/math]) for which [math]\displaystyle{ s_i }[/math] is decryptable is found.
- Use the trapdoor function to compute such [math]\displaystyle{ z }[/math] that [math]\displaystyle{ Hz^T=s_{i_0} }[/math], where [math]\displaystyle{ H }[/math] is the public key.
- Compute the index [math]\displaystyle{ I_z }[/math] of [math]\displaystyle{ z }[/math] in the space of words of weight 9.
- Use [math]\displaystyle{ \left[I_z|z\right] }[/math] as the signature.
The Verification algorithm is much simpler:
- Recover [math]\displaystyle{ z }[/math] from index [math]\displaystyle{ I_z }[/math].
- Compute [math]\displaystyle{ s_1=Hz^T }[/math] with the public key [math]\displaystyle{ H }[/math].
- Compute [math]\displaystyle{ s_2=h(h(d)|i_0) }[/math].
- Compare [math]\displaystyle{ s_1 }[/math] and [math]\displaystyle{ s_2 }[/math]. If they are the same the signature is valid.
The index [math]\displaystyle{ I_z }[/math] of [math]\displaystyle{ z }[/math] can be derived using the formula below, where [math]\displaystyle{ i_1\lt \dots\lt i_9 }[/math] denote the positions of non-zero bits of [math]\displaystyle{ z }[/math].[math]\displaystyle{ I_z = 1 + \sum_{n=1}^{9}{\binom{i_n}{n}} }[/math]The number of bits necessary to store [math]\displaystyle{ i_0 }[/math] is not reducible. On average it will be [math]\displaystyle{ log_2(9!)\approx 18.4 }[/math] bits long. Combined with the average [math]\displaystyle{ 125.5 }[/math] bits necessary to store [math]\displaystyle{ I_z }[/math], the signaure will on average be [math]\displaystyle{ 125.5+18.4\approx 144 }[/math] bits long.
References
- Henk C. A. van Tilborg. Fundamentals of Cryptology, 11.4.
- ↑ H. Niederreiter (1986). "Knapsack-type cryptosystems and algebraic coding theory". Problems of Control and Information Theory. Problemy Upravlenija I Teorii Informacii 15: 159–166.
- ↑ V. M. Sidel'nikov; S. O. Shestakov (1992). "On the insecurity of cryptosystems based on generalized Reed-Solomon codes". Discrete Mathematics and Applications 2 (4): 439–444. doi:10.1515/dma.1992.2.4.439.
- ↑ N. Courtois; M. Finiaz; N. Sendrier (2001). "How to Achieve a McEliece-Based Digital Signature Scheme". Advances in Cryptology — ASIACRYPT 2001. Lecture Notes in Computer Science. LNCS 2248. pp. 163-164. doi:10.1007/3-540-45682-1_10. ISBN 978-3-540-42987-6.
- ↑ Makoui, Farshid Haidary; Gulliver, Thomas Aaron; Dakhilalian, Mohammad (17 December 2022). "A new code-based digital signature based on the McEliece cryptosystem". IET Communications (Institution of Engineering and Technology) 17 (10): 1199-1207. 6 April 2023. doi:10.1049/cmu2.12607. https://ietresearch.onlinelibrary.wiley.com/doi/full/10.1049/cmu2.12607.
External links
- Attacking and defending the McEliece cryptosystem Daniel J. Bernstein and Tanja Lange and Christiane Peters
| |||||||||||||||||||||
 |  |
