1. Toward Practical Code-Based Cryptography
Paulo S. L. M. Barreto
University of Washington | Tacoma

2. Objectives Basics of coding theory. Security considerations.
Panorama of code-based cryptosystems.
Choice of codes.
Implementation issues.
Research problems. ⏲️

3. Coding Theory

4. Linear Codes Let 𝑞= 𝑝 𝑚 for some prime 𝑝 and 𝑚>0.
A linear [𝑛,𝑘]-code 𝐶 over 𝔽 𝑞 is a 𝑘-dimensional vector subspace of 𝔽 𝑞 𝑛 .
Let 𝑑∣𝑚 and let 𝑠=𝑝𝑑, so that 𝔽 𝑝 ⊆ 𝔽 𝑠 ⊆ 𝔽 𝑞 .
An 𝔽 𝑠 -subfield subcode of a code 𝐶 is the subspace of 𝐶 consisting of all words with all components in 𝔽 𝑠 .

5. Weight and Distance
The (Hamming) weight of 𝑢∈ 𝔽 𝑞 𝑛 is the number of nonzero components of 𝑢: wt 𝑢 ≔# 𝑗 𝑢 𝑗 ≠0 .
The (Hamming) distance between 𝑢,𝑣∈ 𝔽 𝑞 𝑛 is dist 𝑢,𝑣 ≔wt 𝑢−𝑣 .
The minimum distance of a code 𝐶 is dist 𝐶 ≔min dist 𝑢,𝑣 𝑢,𝑣∈𝐶,𝑢≠𝑣 .
Determining dist 𝐶 is NP-hard.

6. Generator and Parity-Check
A generator matrix for an [𝑛,𝑘]-code 𝐶 is a matrix 𝐺 𝑘×𝑛 ∈ 𝔽 𝑞 𝑘×𝑛 whose rows form a basis of 𝐶, i.e. 𝐶= 𝑢𝐺∈ 𝔽 𝑞 𝑛 𝑢∈ 𝔽 𝑞 𝑘 .
A parity-check matrix for the same code is a matrix 𝐻 𝑟×𝑛 ∈ 𝔽 𝑞 𝑟×𝑛 , with 𝑛=𝑟+𝑘, whose rows form a basis for the orthogonal code, i.e. 𝐶= 𝑣∈ 𝔽 𝑞 𝑛 𝑣 𝐻 𝑇 = 0 𝑟 .
Therefore 𝑢𝐺 𝐻 𝑇 =𝑢 𝐺 𝐻 𝑇 = 0 𝑟 for all 𝑢, i.e. 𝐺 𝐻 𝑇 = 0 𝑘×𝑟 .

7. General & Syndrome (Bounded-Distance) Decoding
GDP
Input:
positive integers 𝑛, 𝑘, 𝑡;
generator matrix 𝐺∈ 𝔽 𝑞 𝑘×𝑛 ;
vector 𝑐∈ 𝔽 𝑞 𝑛 .
Question: ∃?𝑚∈ 𝔽 𝑞 𝑘 such that 𝑒≔𝑐−𝑚𝐺 has weight wt 𝑒 ≤𝑡?
SDP
Input:
positive integers 𝑛, 𝑟, 𝑡;
parity-check matrix 𝐻∈ 𝔽 𝑞 𝑟×𝑛 ;
vector 𝑠∈ 𝔽 𝑞 𝑟 .
Question: ∃?𝑒∈ 𝔽 𝑞 𝑛 of weight wt 𝑒 ≤𝑡 such that 𝐻 𝑒 𝑇 = 𝑠 𝑇 ?
Both are NP-complete!

8. Code-Based Cryptography
There exist codes for which efficient decoders are known.
Cryptosystems naturally follow if:
the decoding trapdoor can be securely hidden;
the GDP/SDP remains intractable on average for those codes.
(Obs.: from now on, binary codes)

9. Bounded-Distance Decoding

10. The Prange method Pioneering technique: Prange (1962).
Recap (SDP): given 𝐻∈ 𝔽 𝑞 𝑟×𝑛 and 𝑠∈ 𝔽 𝑞 𝑟 , find 𝑒∈ 𝔽 𝑞 𝑛 such that 𝐻 𝑒 𝑇 = 𝑠 𝑇 with wt 𝑒 ≤𝑡.
Linear system: 𝑟 equations, 𝑛>𝑟 variables.
𝑠 𝑇 𝐻
𝑒 𝑇 ∙ =

11. The Prange method Most of those 𝑛 variables must be 0 ∵wt 𝑒 ≤𝑡.
Idea: set 𝑛−𝑟 randomly picked variables to 0.
This ensures wt 𝑒 ≤𝑟.
The remaining 𝑟 variables satisfy an 𝑟×𝑟 linear system.
The solution is expected to “look random” and hence wt 𝑒 ≈𝑟/2.
Cost: 𝑂 𝑟 3 .
Refinement: information set decoding.

12. Information set decoding
Recap (GDP): given 𝐺∈ 𝔽 𝑞 𝑟×𝑛 and 𝑐∈ 𝔽 𝑞 𝑛 where 𝑐=𝑢𝐺+𝑒 for some 𝑢∈ 𝔽 𝑞 𝑘 and some 𝑒∈ 𝔽 𝑞 𝑛 with wt 𝑒 ≤𝑡, find 𝑒.
An information set (IS) for the error pattern 𝑒 is a subset 𝒥⊆ 0,…,𝑛−1 such that 𝑒 𝑗 =0 for all 𝑗∈𝒥.
In other words, 𝑐 𝑗 is correct at all positions indicated by 𝒥.

13. Decoding with an IS
Let #𝒥=𝑘, and let 𝑐 ​ 𝒥 ∈ 𝔽 2 𝑘 and 𝐺 ​ 𝒥 ∈ 𝔽 2 𝑘×𝑘 denote the restrictions of 𝑐 and 𝐺 to the columns indicated in 𝒥.
∴𝑐 ​ 𝒥 =𝑢𝐺 ​ 𝒥 (i.e. no errors).
If 𝐺 ​ 𝒥 is invertible, then 𝑢= 𝑐 ​ 𝒥 ⋅ 𝐺 ​ 𝒥 −1 .
The method succeeds when wt 𝑐−𝑢𝐺 ≤𝑡 for the recovered 𝑢.
What is the expected cost of a successful decoding?

14. Cost Estimate Let 𝒥 be an IS with #𝒥=𝑝<𝑘.
The probability that 𝒥∪ 𝑗 remains an IS for some uniformly random 𝑗∈ 0,…,𝑛−1 ∖𝒥 is 1−𝑡/ 𝑛−𝑝 , since 𝑡 out of the 𝑛−𝑝 values in 0,…,𝑛−1 ∖𝒥 correspond to error positions.
Hence the probability that a uniformly random 𝒥⊆ 0,…,𝑛−1 with #𝒥=𝑘 is an IS will be 0≤𝑝≤𝑘−1 1−𝑡/ 𝑛−𝑝 .

15. Cost Estimate
The decoding cost (or work factor, 𝑊𝐹, in the number of decoding attempts) is slightly increased by a factor 1/ 𝑄 2 where 𝑄 2 ≈ due to the need that 𝐺 ​ 𝒥 be invertible, i.e.
𝑊𝐹 𝑛,𝑘,𝑡 = 1/ 𝑄 2 0≤𝑝≤𝑘−1 1−𝑡/ 𝑛−𝑝 .
Examples:
lg 𝑊𝐹 4096, 2048, 128 ≈132.5
lg 𝑊𝐹 8192, 4096, 256 ≈263.5

16. Cost still exponential (improvements in the exponent constant)
“Some” improvements
Cost still exponential (improvements in the exponent constant)
1981: Clark-Cain-Omura.
1988: Lee-Brickell; Leon; Stern.
1989: Krouk; Stern; Dumer.
1990: Coffey-Goodman; van Tilburg.
1991: Coffey-Goodman-Farrell; Dumer.
1993: Chabanne-Courteau; Chabaud.
1994: van Tilburg; Canteaut-Chabanne.
1998: Canteaut-Chabaud; Canteaut-Sendrier.
2008: Bernstein-Lange-Peters.
2009: Bernstein-Lange-Peters-van Tilborg; Finiasz-Sendrier.
2011: Bernstein-Lange-Peters (bis); May-Meurer-Thomae.
2012: Becker-Joux-May-Meurer; Hamdaoui-Sendrier.
2015: May-Ozerov.
2016: Canto-Torres-Sendrier.
Sources: Bernstein et al. “Classic McEliece: conservative code-based cryptography” (2017); Bardet et al. “BIG QUAKE – BInary Goppa QUAsi-cyclic Key Encapsulation (2017).

17. Other Attacks Message recovery vs. key recovery.
Finding low-weight code words in related codes (e.g. in the dual).
Exploiting the algebraic structure (e.g. properties of the underlying field, or mapping to other computational problems like MQ systems, or attacking some feature of the specific code).
Exploiting symmetries (e.g. quasi-cyclic).
Implementation attacks (e.g. timing).
Interesting attack names! (DOOM, 1+1=0).

18. Code-Based Cryptosystems

19. (Incomplete) chronology
1978: McEliece (encryption)
1986: Niederreiter (encryption)
1993: Stern (identification)
2001: CFS (signatures)
2007: Gaborit-Girault (improved identification)
2008: Zheng-Chen (ring signatures)
2009: Overbeck (blind signatures)
2011: Aguilar-Melchor et al. (threshold signatures)
2013: Alaoui (improved signatures)
2017: Aguilar-Melchor et al; Albrecht et al; Aragon et al; Baldi et al; Bardet et al; Bernstein et al; … (KEM) …

20. McEliece Encryption

21. McEliece Cryptosystem
Key generation:
Choose a secure, uniformly random 𝑡-error correcting [𝑛, 𝑘]-code 𝐶 over 𝔽 2 , equipped with a decoding trapdoor, usually a specific parity-check matrix 𝐻 ∈ 𝔽 2 𝑟×𝑛 of some unique form.
Compute for 𝐶 a systematic generator matrix 𝐺∈ 𝔽 2 𝑘×𝑛 .
Set 𝑠𝑘= 𝐻 , 𝑝𝑘=(𝐺,𝑡).

22. McEliece Cryptosystem
“Hey, wait, I know McEliece, and this does not look quite like it!”
Textbook version:
computing some (private, highly structured) 𝐺 from 𝐻 .
hide it as 𝐺=𝑆 𝐺 𝑃 (with 𝑆 invertible, 𝑃 a permutation).
Does not increase semantic security, is less efficient, and can actually leak side-channel information (Strenzke 2010).
The description here is simpler, more efficient, and more secure.

23. McEliece Cryptosystem
Encryption of a plaintext 𝑚∈ 𝔽 2 𝑘 :
Choose a uniformly random 𝑡-error vector 𝑒∈ 𝔽 2 𝑛 and compute 𝑐←𝑚𝐺+𝑒∈ 𝔽 2 𝑛 (IND-CCA2 variant via e.g. Fujisaki-Okamoto).
Decryption of a ciphertext 𝑐∈ 𝔽 2 𝑛 :
Compute the (private) syndrome 𝑠←𝑐 𝐻 𝑇 =𝑒 𝐻 𝑇 and decode it to obtain 𝑒.
Obtain 𝑚 as the first 𝑘 components of 𝑐−𝑒.

24. McEliece/Fujisaki-Okamoto: Setup
Random oracles (modeling a message authentication code and a symmetric cipher) H : 𝔽 2 𝑘 × 0,1 ∗ →ℤ/ 𝑛 𝑡 ℤ, ℰ : 𝔽 2 𝑘 → 0,1 ∗ .
(Un)ranking function 𝒰 :ℤ/ 𝑛 𝑡 ℤ→ ℬ 𝑡 0 𝑛 .
Decoding algorithm 𝒟 : 𝔽 2 𝑟 → ℬ 𝑡 0 𝑛 such that 𝒟 𝑒 𝐻 𝑇 =𝑒 for all 𝑒∈ ℬ 𝑡 0 𝑛 .

25. McEliece/Fujisaki-Okamoto: Encryption
Input: message 𝑚∈ 0,1 ∗ .
Output: ciphertext 𝑐∈ 𝔽 2 𝑛 × 0,1 ∗ .
Algorithm:
𝑧 $ 𝔽 2 𝑘
ℎ←H 𝑧, 𝑚 , 𝑒←𝒰 ℎ
𝑤←𝑧𝐺+𝑒, 𝑑←ℰ 𝑧 ⊕𝑚
𝑐← 𝑤,𝑑

26. McEliece/Fujisaki-Okamoto: Encryption
Input: ciphertext 𝑐= 𝑤,𝑑 ∈ 𝔽 2 𝑛 × 0,1 ∗ .
Output: message 𝑚∈ 0,1 ∗ , or rejection.
Algorithm:
𝑠←𝑤 𝐻 𝑇 , 𝑒←𝒟(𝑠), 𝑧← 𝑤−𝑒 ​ 𝑘
𝑚←ℰ 𝑧 ⊕𝑑
ℎ←H 𝑧, 𝑚 , 𝑣←𝒰 ℎ
accept  𝑣=𝑒

27. Niederreiter Encryption

28. Niederreiter Cryptosystem
Setup:
Semantically secure symmetric cipher ℰ : ℬ 𝑡 0 𝑛 × 0,1 ∗ → 0,1 ∗ ∪ ⊥ , where ℰ −1 𝑒,𝑑 = ⊥ indicates decryption failure.
Key generation:
Choose a secure, uniformly random 𝑡-error correcting [𝑛,𝑘]-code 𝐶⊂ 𝔽 2 𝑛 , equipped with a decoding-friendly parity-check matrix 𝐻 ∈ 𝔽 2 𝑟×𝑛 and an efficient decoding algorithm 𝒟 : 𝔽 2 𝑟 → ℬ 𝑡 0 𝑛 .
Compute the systematic parity-check matrix 𝐻∈ 𝔽 2 𝑟×𝑛 such that 𝐻 = 𝑀 𝐻 for some nonsingular matrix 𝑀 ∈ 𝔽 2 𝑟×𝑟 .
Set 𝑠𝑘=( 𝑀 , 𝐻 ), 𝑝𝑘=(𝐻,𝑡).

29. Niederreiter Cryptosystem
Encryption of plaintext 𝑚∈ 0,1 ∗ :
𝑒 $ ℬ 𝑡 0 𝑛
𝑠←𝑒 𝐻 𝑇 , 𝑑←ℰ(𝑒,𝑚)
𝑐←(𝑠, 𝑑)
Decryption of cryptogram 𝑠, 𝑑 ∈ 𝔽 2 𝑟 × 0,1 ∗ :
𝑠 ←𝑠 𝑀 𝑇 // NB: 𝑠 = 𝑒 𝐻 𝑇 𝑀 𝑇 =𝑒 𝑀 𝐻 𝑇 =𝑒 𝐻 𝑇 (therefore 𝑠 is 𝐻 -decodable to 𝑒)
𝑒←𝒟( 𝑠 ), 𝑚← ℰ −1 𝑒,𝑑
accept  𝑚≠ ⊥

30. CFS Signatures

31. CFS Signatures System setup: Key generation:
Random oracle H : 0,1 ∗ ×ℕ→ 𝔽 2 𝑟 .
Key generation:
Choose a secure, uniformly random 𝑡-error correcting [𝑛,𝑘]-code Γ⊂ 𝔽 2 𝑛 with a high density of decodable syndromes, equipped with a decoding-friendly parity-check matrix 𝐻 ∈ 𝔽 2 𝑟×𝑛 and an efficient decoding algorithm 𝒟 : 𝔽 2 𝑟 → ℬ 𝑡 0 𝑛 .
Compute the systematic parity-check matrix 𝐻∈ 𝔽 2 𝑟×𝑛 such that 𝐻 = 𝑀 𝐻 for some nonsingular matrix 𝑀 ∈ 𝔽 2 𝑟×𝑟 .
Set 𝑠𝑘=( 𝑀 , 𝐻 ), 𝑝𝑘=(𝐻,𝑡).

32. CFS Signatures Signing a message 𝑚∈ 0,1 ∗ :
Find 𝑖∈ℕ such that, for 𝑐←H 𝑚,𝑖 and 𝑐 ←𝑐 𝑀 𝑇 , 𝑐 is 𝐻 -decodable.
𝑒←𝒟( 𝑐 )
𝜎← 𝑒,𝑖 // NB: 𝑐 𝑀 𝑇 = 𝑐 =𝑒 𝐻 𝑇 =𝑒 𝑀 𝐻 𝑇 = 𝑒 𝐻 𝑇 𝑀 𝑇 , hence 𝑐=𝑒 𝐻 𝑇 , i.e. 𝑐 is the (public) 𝐻-syndrome of 𝑒.
Verifying a signature 𝜎= 𝑒,𝑖 ∈ ℬ 𝑡 0 𝑛 ×ℕ:
𝑐←𝑒 𝐻 𝑇
accept  𝑐=H 𝑚,𝑖 .

33. CFS Signatures
Best known codes for CFS instantiation: Goppa codes (highest density of decodable syndromes).
Bad news:
number of possible hash values: 2 𝑟 ≈ 𝑛 𝑡
number of decodable syndromes: ≈ 𝑛 𝑡 ≈ 𝑛 𝑡 𝑡!
probability of finding a codeword of weight 𝑡: ≈1/𝑡!
expected value of steps to sign: ≈𝑡! 

34. CFS Signatures
If the 𝑛-bit error 𝑒 of weight 𝑡 is encoded via permutation ranking, the signature length is ≈lg 𝑛 𝑡 /𝑡! +lg 𝑡! =𝑡 lg 𝑛≈𝑚𝑡.
Public key is huge: 𝑚𝑡𝑛 bits.
Key sizes for usual sec levels are several MiB long, coupled with very long processing times 
Bleichenbacher’s attack  security level lower than expected, hence larger key sizes and longer signing times.

35. Stern Identification

36. Stern Identification Key pair:
𝐻 . $ 𝔽 2 𝑟×𝑛 : uniformly random, systematic binary parity-check matrix (e.g. 𝑛=2𝑟).
Gaborit-Girault improvement: uniformly random quasi-cyclic 𝐻=[𝐶∣𝐼], with 𝐶 𝑖𝑗 ≔ ℎ 𝑗−𝑖 mod 𝑟 for some ℎ . $ 𝔽 2 𝑟 .
Key pair:
Private key: 𝑒 . $ ℬ 𝑡 0 𝑛 .
Public key: 𝑠←𝑒 𝐻 𝑇 ∈ 𝔽 2 𝑟 .

37. Stern Identification Commitment:
The prover chooses a uniformly random word 𝑢 . $ 𝔽 2 𝑛 and a uniformly random permutation 𝜎 . $ 𝑆 𝑛 on 0…𝑛−1 .
The prover sends to the verifier:
𝑐 0 ←H 𝜎 𝑢 ,
𝑐 1 ←H 𝜎 𝑒+𝑢 ,
𝑐 2 ←H 𝜎∣∣𝑢 𝐻 𝑇 .

38. Stern Identification Challenge & Response:
The verifier sends a uniformly random 𝑏 . $ 0, 1, 2 to the prover.
The prover responds by revealing:
𝑒+𝑢 and 𝜎 if 𝑏=0;
𝑢 and 𝜎 if 𝑏=1;
𝜎 𝑒 and 𝜎 𝑢 if 𝑏=2.

39. Stern Identification Verification: The verifier verifies that:
𝑐 1 and 𝑐 2 are correct if 𝑏=0 (noticing that 𝑢 𝐻 𝑇 = 𝑒+𝑢 𝐻 𝑇 +𝑒 𝐻 𝑇 = 𝑒+𝑢 𝐻 𝑇 +𝑠);
𝑐 0 and 𝑐 2 are correct if 𝑏=1;
𝑐 0 and 𝑐 1 are correct and wt 𝜎 𝑒 =𝑡 if 𝑏=2 (noticing that 𝜎 𝑒+𝑢 =𝜎 𝑒 +𝜎 𝑢 ).
The probability of cheating in this ZKP is 2/3. Repeating lg 𝜀 /(1−lg 3) times reduces the cheating probability below 𝜀.

40. SFS Signatures Commitments: Challenges: for 𝑖←0…𝑁−1 do
𝑢 𝑖 . $ 𝔽 2 𝑛 , 𝜎 𝑖 . $ 𝑆 𝑛
𝑐 𝑖,0 ←H 𝜎 𝑖 𝑢 𝑖
𝑐 𝑖,1 ←H 𝜎 𝑖 𝑒+ 𝑢 𝑖
𝑐 𝑖,2 ←H 𝜎 𝑖 ∣∣ 𝑢 𝑖 𝐻 𝑇
end
Challenges:
𝑏 0 ,…, 𝑏 𝑁−1 ← H ∗ 𝑀; 𝑐 0,0 || 𝑐 0,1 || 𝑐 0,2 ; …; 𝑐 𝑁−1,0 || 𝑐 𝑁−1,1 || 𝑐 𝑁−1,2

41. SFS Signatures Responses: Signature: for 𝑖←0…𝑁−1 do
if 𝑏 𝑖 =0 then 𝜌 𝑖 ← 𝑐 𝑖,0 ;𝑒+ 𝑢 𝑖 ; 𝜎 𝑖
if 𝑏 𝑖 =1 then 𝜌 𝑖 ← 𝑐 𝑖,1 ; 𝑢 𝑖 ; 𝜎 𝑖
if 𝑏 𝑖 =2 then 𝜌 𝑖 ← 𝑐 𝑖,2 ; 𝜎 𝑖 𝑢 𝑖 ; 𝜎 𝑖 𝑒
end
Signature:
Σ← 𝑏 0 , 𝜌 0 ;…; 𝑏 𝑁−1 , 𝜌 𝑁−1

42. SFS Signatures Verification: for 𝑖←0…𝑁−1 do if 𝑏 𝑖 =0 then
𝑐 𝑖,1 ←H 𝜎 𝑖 𝑒+ 𝑢 𝑖 , 𝑐 𝑖,2 ←H 𝜎 𝑖 ∣∣ (𝑒+𝑢 𝑖 ) 𝐻 𝑇 +𝑠
if 𝑏 𝑖 =1 then
𝑐 𝑖,0 ←H 𝜎 𝑖 𝑢 𝑖 , 𝑐 𝑖,2 ←H 𝜎 𝑖 ∣∣ 𝑢 𝑖 𝐻 𝑇
if 𝑏 𝑖 =2 then
𝑐 𝑖,0 ←H 𝜎 𝑖 𝑢 𝑖 , 𝑐 𝑖,1 ←H 𝜎 𝑖 𝑒 + 𝜎 𝑖 𝑢 𝑖
if wt 𝜎 𝑖 𝑒 ≠𝑡 then “reject”
end

43. SFS Signatures Verification: Signature size?
𝑏 0 ′ ,…, 𝑏 𝑁−1 ′ ← H ∗ 𝑀; 𝑐 0,0 || 𝑐 0,1 || 𝑐 0,2 ; …; 𝑐 𝑁−1,0 || 𝑐 𝑁−1,1 || 𝑐 𝑁−1,2
if 𝑏 0 ′ ,…, 𝑏 𝑁−1 ′ ≠ 𝑏 0 ,…, 𝑏 𝑁−1 then “reject” else “accept”
Signature size?
𝑁 elements of form 𝑏 𝑖 , 𝑐 𝑖, 𝑏 𝑖 ; 𝑣 𝑖 ; 𝜎 𝑖 ∈ 0…2 × 0… 2 ℎ −1 × 𝔽 2 𝑛 × 𝑆 𝑛 or 𝑏 𝑖 , 𝑐 𝑖, 𝑏 𝑖 ; 𝑣 𝑖 ; 𝜎 𝑖 𝑒 ∈ 0…2 × 0… 2 ℎ −1 × 𝔽 2 𝑛 × ℬ 𝑡 ( 0 𝑛 ).
Hence ≈1.36ℎ+𝑁⋅ ℎ+𝑛+ (2𝑛+𝑡)/3 lg 𝑛 bits.

44. AGS Identification

45. AGS Identification
Aguilar-Gaborit-Schrek: identification in the GDP (rather than SDP) setting.
𝐺 . $ 𝔽 2 𝑘×𝑛 : uniformly random, systematic, quasi-cyclic binary generator matrix (usually 𝑛=2𝑘, 𝐺=[𝐼∣ 𝐶 𝑇 ]).
Key pair:
Private key: 𝑒 . $ ℬ 𝑡 0 𝑛 , 𝑚 . $ 𝔽 2 𝑘 .
Public key: 𝑐←𝑚𝐺+𝑒∈ 𝔽 2 𝑛 .

46. AGS Identification Commitment 1:
The prover chooses a uniformly random word 𝑢 . $ 𝔽 2 𝑘 and a uniformly random permutation 𝜎 . $ 𝑆 𝑛 on 0…𝑛−1 .
The prover sends to the verifier:
𝑐 0 ←H 𝜎 ,
𝑐 1 ←H 𝜎 𝑢𝐺 .

47. AGS Identification Challenge 1: Commitment 2:
The verifier chooses a uniformly random 𝑟 . $ {0,…,𝑘−1} and sends it to the prover.
Commitment 2:
The prover sends to the verifier:
𝑐 2 ←H 𝜎 𝑢𝐺+ rot 𝑟 𝑒

48. AGS Identification Challenge 2 & Response:
The verifier sends a uniformly random 𝑏 . $ 0, 1 to the prover.
The prover responds by revealing:
𝜎 and rot 𝑟 (𝑚)+𝑢 if 𝑏=0;
𝜎 𝑢𝐺 and 𝜎 rot 𝑟 𝑒 if 𝑏=1.

49. AGS Identification Verification: The verifier verifies that:
𝑐 0 and 𝑐 2 are correct if 𝑏=0, noticing that rot 𝑟 𝑚 +𝑢 rot 𝑟 𝑚 +𝑢 𝐺= rot 𝑟 𝑚𝐺 +𝑢𝐺= rot 𝑟 𝑚𝐺+𝑒 + rot 𝑟 𝑒 +𝑢𝐺= rot 𝑟 𝑐 +𝑢𝐺+ rot 𝑟 (𝑒), hence 𝜎 𝑢𝐺+ rot 𝑟 𝑒 =𝜎 rot 𝑟 𝑚 +𝑢 𝐺+ rot 𝑟 𝑐 ;
𝑐 1 and 𝑐 2 are correct and wt 𝜎 rot 𝑟 𝑒 =𝑡, if 𝑏=1.
The probability of cheating in this ZKP is 1/2. Repeating −lg 𝜀 times reduces the cheating probability below 𝜀.

50. Stern & AGS Keys
Gaborit-Girault propose 𝑟=347, 𝑡=76 to achieve 283 security.
Modern recommendation would be 𝑟=449, 𝑡=99 for security, or (better yet) 𝑟=727, 𝑡=160 for security.
Private and public keys are very short (respectively 2𝑟 and 𝑟 bits long).
Signatures are possible via the Fiat-Shamir heuristics, but rather large (e.g. ≈122 KiB at security).

51. Identity-Based Signatures

52. Identity-based signatures
Cayrel et al.: Goppa trapdoor for the Stern scheme combined with CFS signatures.
Stern parameter 𝐻 is the KGC’s CFS public key.
Stern public key is the user’s identity mapped to a decodable syndrome (N.B. necessary to increase weight to cover radius 𝑡+𝛿, otherwise the scheme is not id-based).
Identity-based private key is a CFS signature of the user’s identity, i.e. an error vector of weight 𝑡+𝛿 computed by the KGC.
Not practical because of CFS (also, the distinguishability of Goppa codes may affect formal security properties).

53. Choosing the Code

54. Which Code to Choose? Not all codes are suitable for cryptography.
Needed: code equipped with a trapdoor that can be easily and securely hidden.
Most popular choice: Goppa codes.
… except for a few weak cases, e.g. binary Goppa polynomial (Loidreau-Sendrier 1998).
… distinguishing a Goppa code from a random code of the same length can be done in 𝑂 𝑛 2 time (Márquez-Corbella, Martínez-Moro and Pellikaan 2013; Faugère et al. 2013).
… OTOH interesting quantum-resistance properties (Dinh-Moore-Russell 2011)
… short keys? (Misoczki-B. 2009, Couvreur et al. 2017)

55. Which Code to Choose? Other choices:
(quasi-cyclic) random(!) codes (Gaborit-Girault 2005)
(quasi-cyclic) LDPC codes (Baldi-Chiaraluce-Garello-Mininni 2007)
(quasi-cyclic) GRS codes (Niederreiter 1986, Berger-Cayrel-Gaborit-Otmany 2009)
(quasi-dyadic) Srivastava codes (Persichetti 2012)
(quasi-cyclic) MDPC codes (Misoczki-Tillich-Sendrier-B. 2013)
(quasi-cyclic) random+BCH codes (Melchor et al. 2016)
All of the above are codes in the Hamming metric. There are proposals that adopt different metrics:
(quasi-cyclic) random+LRPC codes (Aguilar-Melchor et al. 2016; Aragon et al “RankSign”)
punctured Reed-Muller codes (Lee et al “pqsigRM”)

56. Goppa Codes

57. Goppa Codes
Let 𝑔 𝑥 ≔ 𝑖=0 𝑡 𝑔 𝑖 𝑥 𝑖 ∈ 𝔽 2 𝑚 [𝑥] be a monic ( 𝑔 𝑡 =1) polynomial.
Let 𝐿≔ 𝐿 0 ,…, 𝐿 𝑛−1 ∈ 𝔽 2 𝑚 𝑛 (all distinct) such that 𝑔 𝐿 𝑗 ≠0 for all 𝑗. This is called the support.
Properties:
Easy to generate and plentiful.
Usually 𝑔 𝑥 is chosen to be irreducible; if so, 𝔽 2 𝑚 𝑡 = 𝔽 2 𝑚 𝑥 /𝑔 𝑥 .

58. Goppa Codes
The Goppa syndrome function is the linear map 𝑆 : 𝔽 2 𝑛 → 𝔽 2 𝑚 𝑥 /𝑔(𝑥): 𝑆 𝑐 𝑥 ≔ 𝑖=0 𝑛−1 𝑐 𝑖 𝑥− 𝐿 𝑖 = 𝑐 𝑖 ≠0 1 𝑥− 𝐿 𝑖 mod 𝑔 𝑥 .
The Goppa code Γ(𝐿,𝑔) is the kernel of the Goppa syndrome function, i.e. Γ(𝐿,𝑔)= 𝑐∈ 𝔽 2 𝑛 𝑆 𝑐 𝑥 ≡0 .

59. Distance of a Goppa code
In general the minimum distance of Γ(𝐿,𝑔) is only known to be 𝑑≥𝑡+1.
In the binary case when 𝑔 𝑥 is square-free (e.g. when 𝑔 𝑥 is irreducible) the minimum distance becomes 𝑑≥2𝑡+1.
How do we correct errors/decode?

60. Error Locator Polynomial
Efficient decoding procedure for known 𝑔 and 𝐿 via the (Patterson) error locator polynomial: 𝜎 𝑥 ≔ 𝑒 𝑖 ≠0 𝑥− 𝐿 𝑖 ∈ 𝔽 2 𝑚 [𝑥]/𝑔(𝑥).
Property: 𝜎 𝐿 𝑖 =0⇔ 𝑒 𝑖 =1.

61. The Key Equation Property: 𝜎 𝑥 = 𝑖 𝑥− 𝐿 𝑖 𝑒 𝑖 .
𝜎 ′ 𝑥 = 𝑖 𝑒 𝑖 𝑥− 𝐿 𝑖 𝑒 𝑖 −1 𝑗≠𝑖 𝑥− 𝐿 𝑗 𝑒 𝑗 = 𝑖 𝑒 𝑖 𝑥− 𝐿 𝑖 𝑗 𝑥− 𝐿 𝑗 𝑒 𝑗 = 𝑖 𝑒 𝑖 𝑥− 𝐿 𝑖 𝜎 𝑥 .
∴ 𝜎 ′ 𝑥 =𝜎 𝑥 𝑆 𝑒 𝑥 mod 𝑔 𝑥 .

62. Error Correction
Let 𝑚∈Γ(𝐿,𝑔), let 𝑒∈ 𝔽 2 𝑛 be an error vector of weight 𝑤𝑡 𝑒 ≤𝑡, and 𝑐=𝑚⊕𝑒.
Compute the syndrome of 𝑒 through the relation 𝑆 𝑒 𝑥 = 𝑆 𝑐 𝑥 .
Compute the error locator polynomial 𝜎 from the syndrome.
Determine which 𝐿𝑖 are zeroes of 𝜎, thus retrieving 𝑒 and recovering 𝑚.

63. Error Correction
Let 𝑠 𝑥 ≔ 𝑆 𝑒 𝑥 . If 𝑠 𝑥 ≡0, nothing to do (no error), otherwise 𝑠 𝑥 is invertible.
Property #1: 𝜎 𝑥 =𝑎 𝑥 2 +𝑥 𝑏 𝑥 2 .
Property #2: 𝜎 ′ 𝑥 =𝑏 𝑥 2 .
Property #3: 𝜎 ′ 𝑥 =𝜎 𝑥 𝑠 𝑥 .
Thus 𝑏 𝑥 2 = 𝑎 𝑥 2 +𝑥𝑏 𝑥 2 𝑠(𝑥), hence 𝑎 𝑥 =𝑏 𝑥 𝑣(𝑥) with 𝑣 𝑥 = 𝑥+1/𝑠(𝑥) mod 𝑔(𝑥).
Extended Euclid!
Extended Euclid!

64. Decoding a binary Goppa syndrome
Given: 𝑣(𝑥), 𝑔 𝑥 ∈𝕂[𝑥]
Find: 𝑎(𝑥), 𝑏(𝑥), 𝑓 𝑥 ∈𝕂[𝑥]
Where: 𝑏 𝑥 𝑣 𝑥 +𝑓 𝑥 𝑔 𝑥 =𝑎(𝑥)
Thus 𝑎 𝑥 =𝑏 𝑥 𝑣 𝑥 mod 𝑔 𝑥 , i.e. 𝑎 𝑥 =𝑏 𝑥 𝑣 𝑥 ∈𝕂[𝑥]/𝑔 𝑥 .
Conditions:
deg 𝑎 ≤⌊𝑡/2⌋, deg 𝑏 ≤⌊(𝑡−1)/2⌋.

65. Patterson’s decoding algorithm
𝐹←𝑣, 𝐺←𝑔, 𝐵←1, 𝐶←0, 𝑡← deg 𝑔 while deg(𝐺)>⌊𝑡/2⌋ do 𝐹↔𝐺, 𝐵↔𝐶 while deg 𝐹 ≥deg(𝐺) do 𝑗← deg 𝐹 − deg 𝐺 , ℎ← 𝐹 deg 𝐹 / 𝐺 deg 𝐺 𝐹←𝐹−ℎ 𝑥 𝑗 𝐺, 𝐵←𝐵−ℎ 𝑥 𝑗 𝐶 end end 𝜎 𝑥 ←𝐺 𝑥 2 +𝑥𝐶 𝑥 return 𝜎 // error locator polynomial

66. Challenges
Isochronous decoding: possible, but hard to implement properly (error-prone) and efficiently.
Code size in software and area in hardware tend to be large (hindrance for embedded platforms/IoT).
But mainly: large keys.

67. The key size problem
Using systematic Goppa codes, key size is only 𝑘× 𝑛−𝑘 bits. And yet…
Goppa variants
Quasi-dyadic (Misoczki-B. 2009): distinguishable from random.
Quasi-cyclic (Bardet et al. 2017):
level m n k t
key size
2128 12
3307
2515 66
2256 13
6960
5413
119
level m n k t
key size
2128 12
3510
2418 91
203112
2256 13
10070
6650
190

68. Gallager Codes

69. Gallager (LDPC) Codes
Extremely sparse parity-check matrices, e.g. 𝐻 ∈ 𝔽 × with ∼3 nonzero components at randomly chosen positions on each column.
Higher error-correction capability than Goppa codes (almost 3 times in the above example).

70. Gallager (LDPC) Codes
Symbols in red affect parity bit in green through the parity-checks in blue. 𝐻 𝑐
𝑠 T = 𝐻 𝑐 T

71. Gallager (LDPC) Codes
If the green parity bit is 1, at least one of the red bits is wrong. 𝐻 𝑐
𝑠 T = 𝐻 𝑐 T

72. Gallager (LDPC) Codes
Symbol in red affects parity bits in green through the parity-checks in blue. 𝐻
𝑠 T = 𝐻 𝑐 T 𝑐

73. Gallager (LDPC) Codes
If the red bit is wrong, some of the green parity bits will likely reveal it. 𝐻
𝑠 T = 𝐻 𝑐 T 𝑐

74. Gallager (LDPC) Codes Bit flipping:
Determine which symbol bits are the most suspect (i.e. influence the largest number of parity bits in error) by counting how many parity errors it influences via the parity-check matrix.
Flip those bits (0↔1).
Repeat until no parity error is left (or max number of attempts is exceeded).

75. Bit-flipping Trouble: 𝑛 symbol bits  𝑛 counters.
More trouble: one pass to count and find the maximum count value, another pass to flip most suspect bits and recompute affected parity-check bits.
Memory-consuming and slow.

76. MDPC codes
Plain LDPC codes are susceptible to key recovery attacks: dual codes contain too sparse words of small 𝑂 1 weight.
Idea: set density 𝑤 and number of errors 𝑡 near the decodability threshold 𝑂 𝑛 for security, but still within the range of bit-flipping or belief-propagation.
Moderate-density parity-check (MDPC) codes (Misoczki et al. 2013).

77. Short(ish) keys Quasi-cyclic MDPC codes (QC-MDPC)
The trapdoor (private) 𝑟×𝑛 parity-check matrix consists of 𝑛 0 blocks of sparse circulant 𝑟×𝑟 matrices, 𝐻 =[ 𝐻 0 ∣…∣ 𝐻 𝑛 0 −1 ], with 𝑛= 𝑛 0 𝑟: 𝐻
𝐻 0 …
𝐻 𝑛 0 −1 =𝐼
NB: sparse!

78. Short(ish) keys
The systematic (public) parity-check matrix consists of 𝑛 0 blocks of dense circulant matrices, 𝐻=[ 𝐻 0 ∣…∣ 𝐻 𝑛 0 −1 ], with 𝐻 𝑖 = 𝐻 𝑛 0 −1 −1 𝐻 𝑖 , 0≤𝑖< 𝑛 0 −1:
NB: dense!
𝐻 ∗
𝐻 0
𝐻 𝑛 0 −1 =𝐼 …

79. Short(ish) keys
Shorter public (and private) keys than conventional schemes:
level n k t w
QC-MDPC
Goppa
shrink
2128
20326
10163
134
142
202×
2256
65498
32749
264
274
256×

80. Challenges Decoding failures. Isochronous implementations.
Low enough probability to be a concern regarding passive adversaries, but (sometimes, depending on the parameters) high enough to be a concern regarding active attacks.
Isochronous implementations.
Goal: avoid timing leaks.
Worst-case behavior (e.g. emulating more bit-flipping rounds even when not needed) leads to in efficiencies.
Also an issue for Goppa/Srivastava codes.
Embedded/IoT platforms.

81. What Next?

82. Limitations and trends
Codes are fine for key agreement and encryption 👍
…but hard to use for many other applications ☹️
Improvements for advanced functionalities (blind signatures, identity-based encryption, …)? 🤔
More research, please! 🎓

83. Questions?