DE102018200617A1 - Method for decoding an encrypted message of an asymmetric cryptographic system - Google Patents

Abstract

The invention relates to a method for decoding a message, in particular a message encrypted with a public key of an asymmetric cryptographic system, which uses a graph-based message passing (MP) algorithm with variable nodes and control nodes which are connected by edges. To decode the message, messages are iteratively sent along the edges from the variable nodes to the control nodes and messages from the control nodes to the variable nodes. The method is characterized in that the messages are modified, in particular extinguished, from the variable nodes to the control nodes with a predetermined probability. This makes it resistant to GJS attack. Furthermore, a larger number of errors can be decoded compared to known methods

Description

The invention relates to a method for decoding a coded message. In particular, the invention relates to a method for decoding a message encrypted with a public key of an asymmetric cryptographic system. The invention further relates to a decoder.

Asymmetric cryptographic methods use a key pair consisting of a private key used to decrypt data and a public key to which the data is encrypted. The private key is kept secret and can only be calculated with great effort from the public key. One such asymmetric cryptographic method is the McEliece cryptosystem (hereafter also referred to as the McEliece method). As keys, large matrices are used in the McEliece method. The description of a key with a security level of 128 bit requires on the order of 1 MB a relatively large amount of memory, which is why the method according to McEliece is rarely used practically. The McEliece method is based on the decoding of a linear code over a binary or q-stage balanced channel. The basic procedure can be found, for example, in publication [1]. Currently, even using quantum computers, no efficient algorithm is known that can break the McEliece method, making it a promising candidate for post-quantum cryptography.

Almost all cryptosystems based on a public key (so-called Public-Key Cryptosystems (PKC)) currently in use use a method proposed by Rivest, Shamir and Adleman (RSA) whose security is based on the hard problem of factoring large integers (see Publication [4]). Since then, the RSA cryptosystem has been used in many communication systems and is included in many communication standards. For the factorization of large integers for conventional computers, no efficient algorithms are known. In publication [5] an algorithm is described which factors this problem to a quantum computer in polynomial time. Assuming that a quantum computer of sufficient size can be built in the future, the RSA cryptosystem can be broken in polynomial time. For this reason, the McEliece cryptosystem is considered a potential candidate for post-quantum cryptography.

betrachtet. Jeder Code C der Familie F kann durch eine Generatormatrix $\mathbf{G}\in {\mathbb{F}}^{p\times n}$

und eine Kontrollmatrix $\mathbf{H}\in {\mathbb{F}}^{p\times n},$

wobei r = n - k ist, dargestellt werden. Ein t-fehlerkorrigierender Dekoder DEC_H(·) für den Code C, der durch die Generatormatrix H definiert ist, gibt eine Schätzung des übertragenden Codeworts zurück.The McEliece method is based on linear error-correcting codes. It becomes a family F of t error-correcting linear codes of length n and dimension k over a body $\mathbb{F}$

considered. Every code C the family F can be generated by a generator matrix $\mathbf{G}\in {\mathbb{F}}^{p\times n}$

and a control matrix $\mathbf{H}\in {\mathbb{F}}^{p\times n}.$

where r = n - k. A T-error correcting decoder DEC _H (·) for the code C , defined by the generator matrix H, returns an estimate of the transmitted codeword.

The key generation is as follows: Each user randomly chooses a code C EF and generates a generator matrix G for the code C as his public key. The private key is the secret t-error correcting decoder DEC _H (·) for the code C ,

zu verschlüsseln, berechnet ein Nutzer den Chiffretext c mit dem öffentlichen Schlüssel G gemäß $$c=m\mathbf{G}+e$$

wobei e ein Fehlervektor ist, der gleichverteilt aus allen Vektoren von ${\mathbb{F}}^n$

eines Hamming-Gewichts bis zu t ausgewählt wird.To a plain text element $\text{m}\in {\mathbb{F}}^k$

to encrypt, a user calculates the ciphertext c with the public key G according to $$c=m\mathbf{G}+e$$

where e is an error vector uniformly distributed among all vectors of ${\mathbb{F}}^n$

Hamming weight up to t is selected.

zu erhalten. Der Klartext m kann aus mG erhalten werden, indem das Produkt aus der richtigen pseudo-Inversen mit der Generatormatrix G ermittelt wird.To a ciphertext c To decrypt an authorized recipient uses the private key DEC _H (·) to get the result $$\text{m}\mathbf{G}={\text{DEC}}_{\text{H}}\left(\text{m}\mathbf{G}+\text{e}\right)$$

to obtain. The plaintext m can be obtained from mG by determining the product from the correct pseudo-inverse with the generator matrix G.

The security of the McEliece method is based on the severity of the decoding of the unknown linear code, which is known as a hard problem (see publication [2]). This problem can only be solved efficiently if the corresponding private key DEC _H (·) is known. By using CCA 2 Security conversions can be provided to the generator matrix G in a systematic manner without a security reduction, which makes it possible to reduce the size of the public key (see publication [3]).

In the past, various versions of the McEliece method based on different code families F have been proposed. The original McEliece method described in publication [1] is based on binary Goppa codes and is still considered safe. Other variants, such as these, for example in in publications [6] and [7] allow smaller keys because of their inherent algebraic structure. Further, McEliece methods based on random codes such as Low Density Parity Check (LDPC) codes have been considered, as shown in publication [8]. In particular, quasi-cyclic (QC) LDPC codes enable compact keys due to their block-wise cyclically structured control matrix (see Publication [9]).

definiert, die eine moderate Anzahl von $w\approx O\sqrt{nlog\left(n\right)}$

Einsen („1“) pro Zeile enthält. Für n = nop, die Dimension k = kop, die Redundanz r = n - k = rop mit ro = no - ko für eine ganze Zahl (Integer) p, hat die Kontrollmatrix H eines QC-MDPC-Codes die Form $$\mathbf{H}=\left(\begin{array}{cccc}{\mathbf{H}}_{\mathrm{0,0}}& {\mathbf{H}}_{\mathrm{0,1}}& \dots & {\mathbf{H}}_{\mathrm{0,}{n}_0-1}\\ {\mathbf{H}}_{\mathrm{1,0}}& {\mathbf{H}}_{\mathrm{1,1}}& \dots & {\mathbf{H}}_{\mathrm{1,}{n}_0-1}\\ ⋮& ⋮& \ddots & ⋮\\ {\mathbf{H}}_{r_0-\mathrm{1,0}}& {\mathbf{H}}_{r_0-\mathrm{1,1}}& \dots & {\mathbf{H}}_{r_0-\mathrm{1,}{n}_0-1}\end{array}\right)$$

wobei jeder Block H_i,j eine binäre p × p zyklische Matrix ist.The variant of the McEliece method, which allows the currently smallest public keys, is based on a family of binary QC-MDPC (Moderate-Density Parity-Check) codes (see publication [10]). A binary MDPC code of length n, dimension k and line weight w is passed through a control matrix H (so-called parity check matrix) over the binary body ${\mathbb{F}}_{}$${\mathbb{}}_2$

that defines a moderate number of $w\approx O\sqrt{nlOG\left(n\right)}$

Contains one ("1") per line. For n = nop, the dimension k = kop, the redundancy r = n - k = rop with ro = no - ko for an integer p, the control matrix H of a QC MDPC code has the form $$\mathbf{H}=\left(\begin{array}{cccc}{\mathbf{H}}_{0.0}& {\mathbf{H}}_{0.1}& ...& {\mathbf{H}}_{0n_0-1}\\ {\mathbf{H}}_{1.0}& {\mathbf{H}}_{1.1}& <figure-callout\; id="1"\; label="...\; H"\; filenames="DE102018200617A1\_0079.png,DE102018200617A1\_0080.png"\; state="\{\{state\}\}">...\; </figure-callout>& {\mathbf{H}}_{}{\mathbf{}}_{\mathrm{1,}{n}_0-1}\\ ⋮& ⋮& \ddots & ⋮\\ {\mathbf{H}}_{r_0-1.0}& {\mathbf{H}}_{r_0-1.1}& ...& {\mathbf{H}}_{r_0-\mathrm{1,}{n}_0-1}\end{array}\right)$$

where each block H _{i, j is} a binary p × p cyclic matrix.

der Form nach Formel (3) erzeugt, wobei jeder Block ${\mathbf{H}}_i\in {\mathbb{F}}_2^{p\times p}$

eine zyklische Matrix (auch zirkulante Matrix genannt) mit dem Zeilengewicht w_i ist. Die Kontrollmatrix H mit dem Zeilengewicht $w={\displaystyle {\sum }_{i=0}^{n_0-1}{w}_i}$

ist der private Schlüssel und von einer zufälligen blockweise zyklischen Matrix nicht unterscheidbar.For key generation, a control matrix happens to be random $\mathbf{H}\in {\mathbb{F}}_2^{r\times n}$

of the form according to formula (3), where each block ${\mathbf{H}}_i\in {\mathbb{F}}_2^{p\times p}$

a cyclic matrix (also called circular matrix) with the line weight w _i . The control matrix H with the line weight $w={\displaystyle {\Sigma }_{i=0}^{n_0-1}{w}_i}$

is the private key and indistinguishable from a random block-by-block cyclic matrix.

in systematischer Form, d.h. $${\mathbf{G}}_{sys}=\left(\begin{array}{ccc}1& & \\ & \ddots & \\ & & 1\end{array}|\left[\begin{array}{ccc}{\tilde{H}}_{\mathrm{0,0}}^T& \cdots & {\tilde{H}}_{r_{0-\mathrm{1,0}}}^T\\ ⋮& \ddots & ⋮\\ {\tilde{H}}_{\mathrm{0,}{k}_{0-1}}^T& \cdots & {\tilde{H}}_{r_{0-1},k_{0-1}}^T\end{array}\right]\right)$$

wobei jedes H̃_i,j eine binäre p × p zyklische Matrix ist. Die Generatormatrix G_sys umfasst roko zyklische Blöcke der Größe p × p und kann daher durch rokop, was der Größe des öffentlichen Schlüssels entspricht, beschrieben werden.The public key is the corresponding generator matrix $\mathbf{G}\in {\mathbb{F}}_2^{k\times n}$

in a systematic form, ie $${\mathbf{G}}_{sys}=\left(\begin{array}{ccc}1& & \\ & \ddots & \\ & & 1\end{array}|\left[\begin{array}{ccc}{\tilde{H}}_{0.0}^T& \cdots & {\tilde{H}}_{r_{0-1.0}}^T\\ ⋮& \ddots & ⋮\\ {\tilde{H}}_{0k_{0-1}}^T& \cdots & {\tilde{H}}_{r_{0-1}.k_{0-1}}^T\end{array}\right]\right)$$

where each H _{i, j is} a binary p × p cyclic matrix. The generator matrix G _sys comprises roko cyclic blocks of the size p × p and can therefore be described by rokop, which corresponds to the size of the public key.

With knowledge of the secret MDPC control matrix H, known graph-based, iterative decoding algorithms (so-called Message Passing (MP) decoding algorithms) can be used as the decoding function DEC _H (·). The performance of the decoder depends heavily on the density of the control matrix. Thus, an attacker equipped with a denser version of the control matrix H receives a highly degraded decoder that is unable to correct the required number of t errors. For the QC-MDPC method described in Publication [10], a bit flipping (BF) decoder for LDPC codes is proposed.

Thus, the variants using QC-LDPC codes have the problem that attacks based on finding low-weight codewords in the binary code are possible, which is possible because the control matrix H has a low density (see Publication [8]). The method using QC MDPC codes has the smallest public key size for a given security level, but can be broken with a so-called reaction attack, as shown in publication [10]. The attacker injects ciphertext c = mG _sys + e with specially chosen error vectors e and observes whether or not the receiver can decrypt, ie, whether the decoder DEC can ( _H ) decode () or not. The observation of the decoding error probability then enables the determination of the control matrix H.

Recently, Guo, Johansson and Stankovski (GJS) have introduced a response-based key-recovery-attack on the QC-MDPC system (Publication [12]). This attack reveals the control matrix by observing the decoding error probability for selected ciphertexts c constructed with error patterns having a specific structure. A modified version of the attack can break a system that uses secure CCA-2 conversions, as publication [3] shows.

It is an object of the invention to provide a decoding method and a decoder which are resistant to GJS attack. Another object of the invention is to provide a decoding method and decoder which can decode a larger number of errors.

These objects are achieved by a method according to the features of claim 1, a computer program product according to the features of claim 14 and a decoder according to the features of claim 17. Further advantageous embodiments emerge from the dependent claims.

According to a first aspect of the invention, a method is proposed for decoding a message, in particular a message encrypted with a public key of an asymmetric cryptographic system, using a graph-based message passing (MP) algorithm with variable nodes and control nodes connected by edges are. To decode the message, messages are iteratively sent along the edges from the variable nodes to the control nodes and messages from the control nodes to the variable nodes. The method is characterized in that the messages are modified, in particular extinguished, from the variable nodes to the control nodes with a predetermined probability.

The inventive method has the advantage that this is resistant to GJS attack. Furthermore, a larger number of errors can be decoded compared to methods known from the prior art.

The method and the associated decoder can be used both in an asymmetric cryptographic system, in particular according to McEliece, as well as for decoding in the message transmission.

In a first variant of the method, the modification or deletion of the message from the variable nodes to the control nodes takes place independently of the value of the ciphertext bit c E {+1, -1}.

gelöscht, wenn sie nicht einem erwarteten Chiffriertext-Bit c entsprechen.In a second variant of the method, the messages from the variable nodes become the control nodes at the ith iteration with the given probability $p_e^{\left(l\right)}$

cleared if they do not match an expected ciphertext bit c.

mit der eine Löschung erfolgt, kann über die Anzahl an Iterationen variiert werden. Es kann zweckmäßig vorgesehen sein, dass die vorgegebene Wahrscheinlichkeit $p_e^{\left(l\right)}$

mit zunehmender Anzahl der Iterationen, insbesondere nicht-linear, abfällt.The default probability $p_e^{\left(l\right)}.$

With the deletion can be varied over the number of iterations. It may be appropriate to provide the predetermined probability $p_e^{\left(l\right)}$

decreases with increasing number of iterations, in particular non-linear.

According to a second aspect, there is provided a computer program product that can be loaded directly into the internal memory of a digital computer and includes software code portions that perform the steps according to the method described in this document when the product is run on a computer. The computer program product may be implemented as a USB stick, DVD-CD-ROM or as a hard disk on which a respective program for carrying out the methods described in this document is stored. The computer program product also includes a program loadable via a wireless or wired network.

According to a third aspect, there is provided a decoder for decoding a message adapted to execute a variable-node graph-based message passing (MP) algorithm and control nodes connected by edges, wherein for decoding the message along the edges iteratively messages from the variable nodes to the control nodes as well as messages from the control nodes to the variable nodes. The decoder is set up to modify the messages from the variable nodes to the control nodes with a predetermined probability, in particular to delete them.

• 1 ein Diagramm, das die Nachrichtenfehlerrate für eine Anzahl an Simulationen für ein aus dem Stand der Technik bekanntes Bitflipping (BF)-Dekodierverfahren zeigt;
• 2 ein Diagramm, das die Nachrichtenfehlerrate für eine Anzahl an Simulationen für ein aus dem Stand der Technik bekanntes Message Passing (MP)-Dekodierverfahren zeigt;
• 3 ein Diagramm, das die Nachrichtenfehlerrate für eine Anzahl an Simulationen für ein aus dem Stand der Technik bekanntes Dekodierverfahren zeigt, das als Algorithmus E bekannt ist;
• 4 ein Diagramm, das die Nachrichtenfehlerrate für eine Anzahl an Simulationen für eine erste Ausgestaltungsvariante (REMP-1) eines erfindungsgemäßen Dekodierverfahrens, das auf dem Algorithmus E basiert, im Vergleich zum Algorithmus E (Algorithm E) zeigt;
• 5 ein Diagramm, das die Nachrichtenfehlerrate für eine Anzahl an Simulationen für eine zweite Ausgestaltungsvariante (REMP-2) eines erfindungsgemäßen Dekodierverfahrens, das auf dem Algorithmus E basiert, im Vergleich zum Algorithmus E (Algorithm E) zeigt, wobei eine erhöhte Anzahl an Fehlern e dekodiert ist;
• 6 ein Diagramm, das die Nachrichtenfehlerrate in Abhängigkeit des Gewichts des Fehlermusters für verschiedene Message Passing-Dekodierverfahren im Vergleich zeigt; und
• 7 einen erfindungsgemäßen Dekodierer.

The invention will be described in more detail below with reference to an embodiment in the drawings. Show it:

• 1 Figure 11 is a graph showing the message error rate for a number of simulations for a prior art bitflipping (BF) decoding method;
• 2 Figure 12 is a diagram showing the message error rate for a number of simulations for a prior art Message Passing (MP) decoding method;
• 3 Figure 11 is a graph showing the message error rate for a number of simulations for a prior art decoding method known as Algorithm E;
• 4 a diagram showing the message error rate for a number of simulations for a first embodiment variant (REMP-1) of a decoding method according to the invention based on the algorithm E compared to the algorithm E (Algorithm E);
• 5 a diagram showing the message error rate for a number of simulations for a second embodiment variant (REMP-2) of a decoding method according to the invention based on the algorithm E compared to the algorithm E (Algorithm E), wherein an increased number of errors e decodes e is;
• 6 a diagram showing the message error rate as a function of the weight of the error pattern for different message passing decoding method in comparison; and
• 7 a decoder according to the invention.

In the following description, the hidden variable private key generation method and the asymmetric cryptosystem based thereon are explained in detail, the cryptosystem being based on the well-known McEliece cryptography method.

In the following description, when talking about a length of a message or a message part, small letters represent message or message parts in bits and large letters in matrices.

• - Zunächst wird ein (N, K) linearer Code C über einen endlichen Körper mit q Elementen $\left({\mathbb{F}}_q\right)$
  
  mit Hilfe einer Generatormatrix G der Größe K × N Symbolen ausgewählt, welche in der Lage ist, t Fehler über dem q-stufigen symmetrischen Kanal zu korrigieren. Wenn angenommen wird, dass q eine Zweierpotenz ist, kann jedes Symbol des endlichen Körpers repräsentiert werden durch log₂ q Informationsbits.
• - Der ausgewählte Code muss eine Struktur besitzen, die einen effizienten Dekodierungsalgorithmus ermöglicht.
• - Anschließend wird zufällig eine nicht-singuläre, invertierbare K × K Matrix A ausgewählt.
• - In einem nächsten Schritt wird eine N × N Permutationsmatrix II zufällig ausgewählt.
• - Aus den oben erhaltenen Informationen wird der öffentliche Schlüssel Ĝ erzeugt gemäß Ĝ = A · G · Π.

First, the known method is described according to McEliece. It is assumed that a user wants to send Bob (sender) a message to a sender Alice (receiver) based on a q-stage linear code. First, there is a key generation in which a public and a private key are generated. Key generation involves the following steps:

• - First, an (N, K) linear code C over a finite field with q elements $\left({\mathbb{F}}_q\right)$
  
  is selected by means of a generator matrix G of size K × N symbols, which is able to correct t errors over the q-stage symmetric channel. Assuming that q is a power of two, each symbol of the finite field can be represented by log ₂ q bits of information.
• The selected code must have a structure that enables an efficient decoding algorithm.
• Subsequently, a non-singular, invertible K × K matrix A is randomly selected.
• In a next step, an N × N permutation matrix II is selected at random.
• From the information obtained above, the public key Ĝ is generated according to Ĝ = A · G · Π.

The public key of Alice (the recipient of a message) thus corresponds to Ĝ, the private key G being given by the triplet (A, G, Π).

Symbolen in ${\mathbb{F}}_q$

ab. Die Verschlüsselung umfasst die Berechnung von $$c=u\cdot \widehat{G}+e,$$

wobei c die verschlüsselte Nachricht mit einer Größe von 1 × N Symbolen in F_q, u die zu verschlüsselnde (Klartext-)Nachricht mit einer Größe von 1 × K Symbolen in ${\mathbb{F}}_q,$

Ĝ der öffentliche Schlüssel von Alice mit einer Größe von K × N Symbolen in ${\mathbb{F}}_q,$

und e ein zufällig erzeugter 1 × N Vektor mit Symbolen in F_q ist, wobei dieser genau t Elemente ungleich Null aufweist. Dabei ist jedes Element ungleich Null gleichförmig zufällig von ${\mathbb{F}}_q\setminus 0$

gewählt (d.h. gleichförmig in dem endlichen Körper, jedoch ohne das Null Element).Message encryption is done as follows: Alice (recipient) provides Bob (sender) with the public key Ĝ. Bob wants to send a message m with a length of k bits to Eliece. Bob first forms the message m into a vector u with a length of $K=\raisebox{1ex}{$k$}\!\left/ \!\raisebox{-1ex}{${\text{log}}_{2}q$}\right.$

Symbols in ${\mathbb{F}}_q$

from. Encryption involves the calculation of $$c=u\cdot \widehat{G}+e.$$

where c is the encrypted message having a size of 1 × N symbols in F _q , u is the (plaintext) message to be encrypted with a size of 1 × K symbols in ${\mathbb{F}}_q.$

Ĝ Alice's public key with a size of K × N symbols in ${\mathbb{F}}_q.$

and e is a randomly generated 1 × N vector with symbols in F _q , which has exactly t non-zero elements. Each element other than zero is uniformly random from ${\mathbb{F}}_q\setminus 0$

chosen (ie uniform in the finite field, but without the zero element).

• - Berechnung von c' = Π^-1 · c,
• - basierend auf G und unter Verwendung eines effizienten Dekodierungsalgorithmus für den Linearcode C berechnet Alice u' = dec(c'),
• - Berechnung des Vektors u = u' · A^-1, und
• - Abbilden des Vektors u in m, um die von Bob gesendete Nachricht zu erhalten.

The message encryption follows the following principle. Alice (recipient of the encrypted message) can restore the message sent by Bob (the sender of the encrypted message) as follows:

• - calculation of c '= Π ^-1 · c,
• based on G and using an efficient decoding algorithm for linear code C, Alice calculates u '= dec (c'),
• - Calculation of the vector u = u '· A ^-1 , and
• Map the vector u in m to get the message sent by Bob.

The originally developed McEliece method described in publication [1] uses binary Goppa codes.

1. a) Angriffe, die auf dem mehr als einmaligen Verschlüsseln einer Nachricht basieren (Wiederholung);
2. b) Angriffe, die auf Klartext-Nachrichten mit einer bekannten linearen Beziehung basieren;
3. c) bestimmte Klartext-Nachrichten-Angriffe;
4. d) nicht-adaptive, ausgewählte Chiffriertext-Attacken;
5. e) adaptive, ausgewählte Chiffriertext-Attacken.

The McEliece-developed cryptosystem is vulnerable to various types of attacks:

1. a) attacks based on more than one time encryption of a message (repetition);
2. b) attacks based on plaintext messages with a known linear relationship;
3. c) certain plaintext message attacks;
4. d) non-adaptive, selected ciphertext attacks;
5. e) adaptive, selected ciphertext attacks.

1. a) Der öffentliche Schlüssel ist vergleichsweise lang, nämlich K N log₂ q Bits lang. Hieraus resultiert bei der Verwaltung einer Vielzahl von öffentlichen Schlüsseln ein hoher Speicherplatzbedarf.
2. b) Das McEliece-Kryptosystem weist eine vergleichsweise geringe Effizienz auf. Das Kryptogramm, d.h. die verschlüsselte Nachricht ist n = N log₂ q Bits lang, während die zu verschlüsselnde Nachricht (Klartext-Nachricht) lediglich k = K log₂ q Bits lang ist. Hieraus ergibt sich eine Informationsrate des McEliece-Kryptosystems aus dem Verhältnis der Coderate und des Linearcodes C: $$R=\frac{k}{n}=\frac{K}{N}.$$
   
   In einer typischen Konfiguration ist R = 0,5 gewählt, was bedeutet, dass die Größe des Kryptogramms doppelt so hoch ist wie die Größe der Klartext-Nachricht.

As described in the introduction, the McEliece cryptosystem could not be broken even using quantum computers. Nonetheless, the McEliece cryptosystem has some disadvantages:

1. a) The public key is comparatively long, namely KN log ₂ q bits long. This results in the management of a large number of public keys, a high storage space requirement.
2. b) The McEliece cryptosystem has a comparatively low efficiency. The cryptogram, ie the encrypted message, is n = N log ₂ q bits long while the message to be encrypted (plaintext message) is only k = K log ₂ q bits long. This results in an information rate of the McEliece cryptosystem from the ratio of the code rate and the linear code C: $$R=\frac{k}{n}=\frac{K}{N},$$
   
   In a typical configuration, R = 0.5 is chosen, which means that the size of the cryptogram is twice the size of the plaintext message.

verschiedene Werte zu kodieren.The error vector e used for encoding in the McEliece method has non-zero ("0") values at t positions, and at each of these positions, this q-1 can take different values. This makes it theoretically possible in the error vector e up to $$\lfloor {\text{log}}_2\left(\begin{array}{c}N\\ t\end{array}\right)+t{\text{log}}_2\left(q-1\right)\rfloor \text{bits}$$

encode different values.

definiert, die eine moderate Anzahl von $w\approx 0\left(\sqrt{nlog\left(n\right)}\right)$

Einsen („1“) pro Zeile enthält. Für n = nop, die Dimension k = kop, die Redundanz r = n - k = rop mit ro = no - ko für eine ganze Zahl (Integer) p, hat die Kontrollmatrix H eines QC-MDPC-Codes die Form der eingangs bereits beschriebenen Gleichung (3) $$\mathbf{H}=\left(\begin{array}{cccc}{\mathbf{H}}_{\mathrm{0,0}}& {\mathbf{H}}_{\mathrm{0,1}}& \dots & {\mathbf{H}}_{\mathrm{0,}{n}_0-1}\\ {\mathbf{H}}_{\mathrm{1,0}}& {\mathbf{H}}_{\mathrm{1,1}}& \dots & {\mathbf{H}}_{\mathrm{1,}{n}_0-1}\\ ⋮& ⋮& \ddots & ⋮\\ {\mathbf{H}}_{r_0-\mathrm{1,0}}& {\mathbf{H}}_{r_0-\mathrm{1,1}}& \dots & {\mathbf{H}}_{r_0-\mathrm{1,}{n}_0-1}\end{array}\right)$$

wobei jeder Block H_i,j eine binäre p × p zyklische Matrix ist.The proposed McEliece cryptosystem is based on a family of binary QC-MDPC (Quasi-Cyclic Moderate-Density Parity-Check) codes that currently allow the smallest public keys. A binary MDPC code of length n, dimension k and line weight w is passed through a control matrix H (so-called parity check matrix) over the binary body ${\mathbb{F}}_{}$${\mathbb{}}_2$

that defines a moderate number of $w\approx 0\left(\sqrt{nlOG\left(n\right)}\right)$

Contains one ("1") per line. For n = nop, the dimension k = kop, the redundancy r = n - k = rop with ro = no - ko for an integer (integer) p, the control matrix H of a QC MDPC code already has the form of the beginning described equation (3) $$\mathbf{H}=\left(\begin{array}{cccc}{\mathbf{H}}_{0.0}& {\mathbf{H}}_{0.1}& ...& {\mathbf{H}}_{0n_0-1}\\ {\mathbf{H}}_{1.0}& {\mathbf{H}}_{1.1}& ...& {\mathbf{<figure-callout\; id="1"\; label="H"\; filenames="DE102018200617A1\_0079.png,DE102018200617A1\_0080.png"\; state="\{\{state\}\}">H</figure-callout>}}_{\mathrm{1,}{n}_0-1}\\ ⋮& ⋮& \ddots & ⋮\\ {\mathbf{H}}_{r_0-1.0}& {\mathbf{H}}_{r_0-1.1}& ...& {\mathbf{H}}_{r_0-\mathrm{1,}{n}_0-1}\end{array}\right)$$

where each block H _{i, j is} a binary p × p cyclic matrix.

die durch zyklisches Verschieben ihrer ersten Zeile a = (a₀, a₁, ..., a_Q-1) nach rechts erhalten wird gemäß $$\text{A}=\left(\begin{array}{cccc}{\text{a}}_0& {\text{a}}_1& \dots & {\text{a}}_{Q-1}\\ {\text{a}}_{Q-1}& {\text{a}}_0& \dots & {\text{a}}_{Q-2}\\ ⋮& ⋮& \ddots & ⋮\\ {\text{a}}_1& {\text{a}}_2& \dots & {\text{a}}_0\end{array}\right)$$

A cyclic matrix is a binary cyclic matrix A of size Q, ie a Q × Q matrix with coefficients in a vector space ${\mathbb{F}}_{}$${\mathbb{}}_2.$

which is obtained by cyclically shifting its first line a = (a ₀ , a ₁ , ..., a _Q-1 ) to the right according to $$\text{A}=\left(\begin{array}{cccc}{\text{a}}_0& {\text{a}}_1& ...& {\text{a}}_{Q-1}\\ {\text{a}}_{Q-1}& {\text{a}}_0& ...& {\text{a}}_{Q-2}\\ ⋮& ⋮& \ddots & ⋮\\ {\text{a}}_1& {\text{a}}_2& ...& {\text{a}}_0\end{array}\right)$$

Zu dem Zirkulanten A (d.h. der zyklischen Matrix A) kann ein Polynom $a\left(X\right)=a_0+a_{0}X+\cdots +a_{Q-1}{x}^{Q-1}\in {\mathbb{F}}_2\left[x\right]$

assoziiert werden. Zwei Q × Q Zirkulanten A und B haben zugehörige Polynome a(X) und b(X). Daraus können die Zirkulanten C = A + B und D = AB bestimmt werden. Dann sind die Zirkulanten C und D den Polynomen c(X) = a(X) + b(X) und d(X) = a(X) · b(X) mod (X^Q - 1) zugeordnet. Der Koeffizientenvektor eines Polynoms a(X) wird als a(X) = (a₀, a₁, ..., a_Q-1) beschrieben. Das Gewicht eines Polynoms a(X) ist die Anzahl seiner Koeffizienten ungleich Null (d.h. ≠ 0), d.h. es ist das Hamming-Gewicht seines Koeffizientenvektors a. Beide Gewichte werden mit dem Operator wht (·) an, d.h. wht (a(X)) = wht (a), bezeichnet. Im weiteren Verlauf wird die polynomiale Darstellung zyklischer Matrizen verwendet, um eine effiziente Beschreibung der Struktur der analysierten Codes zu erhalten.The set of Q × Q cyclic matrices together with the matrix multiplication and addition form a commutative ring and is isomorphic to the polynomial ring $\left({\mathbb{F}}_2\left[X\right]\text{/}\left(X^Q-1\right).+.\cdot \right),$

To the circulator A (ie the cyclic matrix A) may be a polynomial $a\left(X\right)=a_0+a_{0}X+\cdots +a_{Q-1}{x}^{Q-1}\in {\mathbb{F}}_2\left[x\right]$

be associated. Two Q × Q circulators A and B have associated polynomials a (X) and b (X). From this the circulators C = A + B and D = AB can be determined. Then the circulators C and D is associated with the polynomials c (X) = a (X) + b (X) and d (X) = a (X) * b (X) mod (X ^Q -1). The coefficient vector of a polynomial a (X) is described as a (X) = (a ₀ , a ₁ , ..., a _Q-1 ). The weight of a polynomial a (X) is the number of its nonzero coefficients (ie, ≠ 0), ie, it is the Hamming weight of its coefficient vector a. Both weights are denoted by the operator wht (·), ie wht (a (X)) = wht (a). In the further course, the polynomial representation of cyclic matrices is used to obtain an efficient description of the structure of the analyzed codes.

To generate the key pair comprising the private key and the public key, the proposed McEliece cryptosystem uses protographs. A protograph P is a bipartite graph containing a set of No variable nodes (VNs) (also referred to as VN types) {V ₀ , V ₁ , ..., V _N0-1 } and a set of M ₀ control _nodes ( check nodes, CNs) (also referred to as CN types) {C ₀ , C ₁ , ..., C _M0-1 }. A VN type V _j is connected to a CN type C _i through b _ij edges. A protograph can be equivalently represented in a matrix form by a Mo x N ₀ matrix B. The ij- The column of the matrix B is assigned to the VN type V _j , and the ith row of the matrix B is assigned to the CN type C _i . The (ij) element of the matrix B is b _ij .

A protograph P defines a so-called Codeensemble C.

auf. Die Erweiterung des Protographen kann in einer strukturierten Weise durchgeführt werden, wodurch eine QC-MDPC-Kontrollmatrix in polynomialer Form erhalten wird: $$H\left(X\right)=\left(h_{00}\left(X\right){\text{ h}}_{01}\left(X\right)\right)$$

A particular feature of protographers is the ability to specify such graphs containing variable nodes VN associated with codeword symbols. The QC-MDPC codes mentioned in the beginning allow a protographic representation as a Tanner graph, which will be described in more detail later. For the information rate R = ½, a base matrix has the form $$B=\left(b_{00}{b}_{01}\right)$$

on. The extension of the protograph may be performed in a structured manner, thereby obtaining a QC-MDPC control matrix in polynomial form: $$H\left(X\right)=\left(H_{00}\left(X\right){\text{H}}_{01}\left(X\right)\right)$$

Here, the weight wht (h _ij (X)) = b _ij . In the further description, an information rate R = ½ is assumed, which is done only for the sake of simplicity. The ensemble described in Equation (6) is called a reference ensemble or C _A. Furthermore, the shortest possible public key described in Publication [7] is considered, where Q = 4801 is the size of the public key and n = 9602 is the block length of the QC MDPC code. For this particular case, considered a reference case, a reference ensemble is obtained by assuming b ₀₀ = b ₀₁ = 45.

In addition to traditional key recovery and decoding attacks based on information set decoding, GJS proposed a reaction-based key recovery attack on the QC-MDPC McEliece cryptosystem [10], which is currently the most critical attack on the scheme [15]. The efficient iterative decoding of LDPC / MDPC codes comes at the cost of decoding errors. For example, the MDPC codes proposed in Publication [10] are operated with a target decoding error probability of less than 10 ^-7 .

The GJS attack exploits the observation that the decoding error probability for some specially selected error patterns is correlated with the structure of the secret key, i. control matrix H Hereinafter, the procedure of the attack will be described to understand the invention.

The Lee distance d _L between two entries at positions i and j of a binary vector 1 a = (a ₀ a ₁ ... a _n-1 ) is defined as follows according to publication [16]: $$d_L\left(i.j\right)=\text{min}\left\{\left|i-j\right|.n-\left|i-j\right|\right\}$$

definiert, wobei die maximale Entfernung im Abstandsprofil D(a) $U=\lfloor \frac{Q}{2}\rfloor$

ist. Die Multiplizität µ(d) ist definiert als die Anzahl der Vorkommen der Distanz d in dem Vektor a. Ein binärer Vektor a ist vollständig durch sein Abstandsprofil D(a) spezifiziert und kann daher mit hoher Wahrscheinlichkeit aus dem Abstandsprofil D(a) rekonstruiert werden (bis hin zu zyklischen Verschiebungen), wie die Publikation [12] zeigt. The Lee distance profile of a binary vector a of length Q is as $$D\left(a\right)=\left\{d:\exists i.j\in \left(0Q-1\right)s,t,a_i=a_j=1und{d}_L\left(i.j\right)=d\right\}$$

defined, wherein the maximum distance in the distance profile D (a) $U=\lfloor \frac{\mathrm{<figure-callout\; id="2"\; label="Q"\; filenames="DE102018200617A1\_0081.png,DE102018200617A1\_0082.png"\; state="\{\{state\}\}">Q</figure-callout>}}{2}\rfloor$

is. The multiplicity μ (d) is defined as the number of occurrences of the distance d in the vector a. A binary vector a is completely specified by its distance profile D (a) and can therefore be reconstructed with high probability from the distance profile D (a) (up to cyclical shifts), as the publication [12] shows.

mit der Lee-Distanz d in den ersten Q Positionen des Vektors platziert sind. Durch Begrenzen der Fehler auf die ersten Q Positionen bestimmt nur der erste zyklische Block ho(X) der Matrix H(X) das Ergebnis der Dekodierungsprozedur. Der GJS-Angriff läuft dann wie folgt ab:

• - Für d = 1,..., U werden jeweils Fehlermengen ψ_d der Größe M generiert, wobei M ein Parameter ist, der zusammen mit U die Anzahl der vom Angreifer verwendeten Versuche definiert.
• - Es werden M Chiffretexte (2) mit e E Ψ_d für alle d = 1,..., U gesendet. Anschließend wird die Nachrichtenfehlerrate (FER) bestimmt.

ψ _d is a set that contains all binary vectors of length n with exactly t ones, which are called $\lfloor \frac{\mathrm{<figure-callout\; id="2"\; label="t"\; filenames="DE102018200617A1\_0081.png,DE102018200617A1\_0082.png"\; state="\{\{state\}\}">t</figure-callout>}}{2}\rfloor -\text{pairs}$

with the Lee distance d placed in the first Q positions of the vector. By limiting the errors to the first Q positions, only the first cyclic block ho (X) of the matrix H (X) determines the result of the decoding procedure. The GJS attack will proceed as follows:

• - For d = 1, ..., U respectively error quantities ψ _d of size M are generated, where M is a parameter that defines together with U the number of attempts used by the attacker.
• - M ciphertext ( 2 ) with e E Ψ _d for all d = 1, ..., U sent. Subsequently, the message error rate (FER) is determined.

Since for a sufficiently large set M of ciphertext the decoding error probability _is lower for e E Ψ _d with d ∈ D (h ₀ ), ie, when μ (d)> 0, the measured message error rate FER can be used to obtain the distance profile D (ho) to determine. The vector ho can then be reconstructed from the distance profile D (h ₀ ) using the methods from publication [12].

The remaining blocks of H (X) in equation (7) can then be passed over the generator matrix G (X) using linear algebraic Relationships are reconstructed. The success of the attack depends on how the decoders handle decryption errors because the message error rate FER can only be measured when retransmissions are requested. Another important factor is which decoding scheme is used. It is shown in publications [12] and [17] that the GJS attack is successful when using bit flipping (BF) or belief propagation (BP) decoding algorithms.

In key exchange protocols, the attack can be fended off by using ephemeral keys (i.e., a new key pair for each key exchange), as shown in publication [18]. However, this can only be used in very specific scenarios.

und in ähnlicher Weise bezeichnet $N\left(c\right)$

die Nachbarschaft des Kontrollknotens c. Die Nachrichten der variablen Knoten VN ν_j an die Kontrollknoten CN c_i werden mit m_{ν j→c i} bezeichnet und die Nachrichten von c_i an v_j mit m_{c i→v j} . Im Folgenden wird auf die Verwendung von Indizes der variablen Knoten VN und der Kontrollknoten CN verzichtet, wenn diese aus dem Kontext ersichtlich sind.For the understanding of the present invention, classical decoding algorithms for LDPC codes will be described below and their error correction capability for MDPC codes as well as their resistance to GJS attack analyzed. For decoding, each ciphertext bit c _{i is assigned} the value +1 if c _i = 0, and -1 if c _i = 1 gives a ciphertext c E {+1, -1} ⁿ . Now consider the next iterative MP decoding on the Tanner graph [19] of the code. The Tanner graph consists of n variable nodes (VNs) and r control nodes (CNs). A variable node VN ν _j is connected to a control node CN c _i when the corresponding entry h _{i, j} in the control matrix is equal to 1. In the following, only regular Tanner graphs are considered, ie graphs in which the number of edges of each variable node VN is _dν and the number of edges emanating from each control node CN is _dc . The edges _dν and _dc are called variable node measure and control node measure respectively. The neighborhood of a variable node v is $N\left(v\right).$

and similarly designated $N\left(c\right)$

the neighborhood of the control node c. The messages of the variable nodes VN ν _j to the control nodes CN c _i are _denoted by m _{ν j → c i} and the messages from c _i to v _j with m _{c i → v j} , In the following, the use of indices of the variable nodes VN and the control nodes CN is omitted if they are apparent from the context.

Bit flipping (BF) algorithm

For decryption in the QC-MDPC cryptosystem described in Publication [10], an efficient BF algorithm for LDPC codes (see, e.g., Algorithm 5.4 in Publication [20]) is considered.

Die Kontrollknoten CN senden die Nachrichten $$m_{c\to v}={\displaystyle \prod _{v\text{'}\in N\left(c\right)}{m}_{v\text{'}\to c}}$$

(10) zu allen benachbarten variablen Knoten VN $\vee \in N\left(v\right).$

Es ist zu berücksichtigen, dass Gleichung (10) äquivalent zu der Modulo-Summe aller eingehenden Nachrichten über ${\mathbb{F}}_2$

ist. Jeder variable Knoten zählt die Anzahl der nicht erfüllten Prüfgleichungen (d.h. die Anzahl der Nachrichten m_c→v = -1) und sendet an seine Nachbarn das „geflippte“ Chiffretextbit, wenn mindestens b Kontrollgleichungen nicht erfüllt sind, d.h. $$m_{v\to c}=\{\begin{array}{ll}-cwenn\left|\left\{c\text{'}\in N\left(v\right):m_{c\text{'}\to v}=-1\right\}\right|\ge \hfill & b\hfill \\ \text{ansonsten}\hfill & c\hfill \end{array}$$

For a ciphertext c, a threshold b ≤ r and a maximum number of iterations Imax, the BF algorithm proceeds as follows. Each variable node VN v is initialized with the corresponding ciphertext bit c E {+ 1, -1} and sends the message m _{v → c} = c to all neighboring control nodes CN $\text{c}\in N\left(v\right),$

The control nodes CN send the messages $$m_{c\to v}={\displaystyle \underset{v\text{'}\in N\left(c\right)}{\Pi }{m}_{v\text{'}\to c}}$$

(10) to all adjacent variable nodes VN $\vee \in N\left(v\right),$

It should be noted that Equation (10) is equivalent to the modulo sum of all incoming messages over ${\mathbb{<figure-callout\; id="2"\; label="F"\; filenames="DE102018200617A1\_0081.png,DE102018200617A1\_0082.png"\; state="\{\{state\}\}">F</figure-callout>}}_2$

is. Each variable node counts the number of unacknowledged check equations (ie the number of messages m _{c → v} = -1) and sends to its neighbors the "flipped" ciphertext bit if at least b control equations are not met, ie $$m_{v\to c}=\{\begin{array}{ll}-cwenn\left|\left\{c\text{'}\in N\left(v\right):m_{c\text{'}\to v}=-1\right\}\right|\ge \hfill & b\hfill \\ \text{otherwise}\hfill & c\hfill \end{array}$$

The algorithm is terminated when either all control equations are satisfied or the maximum number of iterations Imax has been reached. The error correction capability of the BF algorithm depends on the choice of the threshold b.

Gallager B algorithm

An efficient binary MP decoder for LDPC codes, often referred to as Gallager B, has been presented and analyzed in Publication [21]. Each variable node VN v is initialized with the corresponding ciphertext bit c E {+1, -1}. The variable nodes VN send the messages $$m_{v\to c}=\{\begin{array}{ll}-cwenn\left|\left\{c\text{'}\in N\left(v\right)/c:m_{c\text{'}\to v}=-c\right\}\right|\ge \hfill & b\hfill \\ \text{otherwise}\hfill & c\hfill \end{array}$$

senden. Die Kontrollknoten CN senden die Nachrichten $$m_{c\to v}={\displaystyle \prod _{v\text{'}\in N\left(c\right)\setminus v}{m}_{v\text{'}\to c}}$$

an die benachbarten variablen Knoten VN. Nach höchstens Imax Iterationen gemäß den Gleichungen (12) und (13) wird die endgültige Entscheidung getroffen durch $$\widehat{c}=\{\begin{array}{ll}-cwenn\left|\left\{m_{c\to v}=-c\right\}\right|>\hfill & b\hfill \\ \text{ansonsten}\hfill & c\hfill \end{array}$$

Algorithmus EThis means that the variable nodes VN v in the first iteration, the message m _{v → c} = c to all adjacent control nodes CN $\text{c}\in N\left(v\right)$

send. The control nodes CN send the messages $$m_{c\to v}={\displaystyle \underset{v\text{'}\in N\left(c\right)\setminus v}{\Pi }{m}_{v\text{'}\to c}}$$

to the adjacent variable nodes VN. After at most Imax iterations according to the equations (12) and (13) the final decision is taken by $$\widehat{c}=\{\begin{array}{ll}-cwenn\left|\left\{m_{c\to v}=-c\right\}\right|>\hfill & b\hfill \\ \text{otherwise}\hfill & c\hfill \end{array}$$

Algorithm E

A generalization of the Gallager B algorithm, which can correct extinctions (so-called "erasures") and is called algorithm E, was introduced and analyzed in publications [13] and [14]. To account for erasures, the decoder requires a ternary message alphabet {-1, 0, +1}, where 0 indicates erasure. The variable nodes VN are initialized with the corresponding ciphertext bit c and send the messages $$m_{v\to c}=siGn\left[\omega c+{\displaystyle \underset{c\text{'}\in N\left(v\right)\setminus c}{\Sigma }{m}_{c\text{'}\to v}}\right]$$

getroffen. Für ungerade dv und keinen Auslöschungen im Kanal entspricht der Algorithmus E dem Gallager B-Dekodieralgorithmus mit einer Schwelle von $b=\lceil \frac{\omega +d_v-1}{2}\rceil ,$

wodurch auch der Algorithmus E ist anfällig gegen den GJS-Angriff ist.Here, ω is a heuristic weighting factor proposed in Publication [14] to improve the performance of Algorithm E. In the following, the case is considered in which ω is kept constant over all iterations. The test nodes operate in the same way as in the Gallager B algorithm, ie the control nodes CN send the messages m _{c → v} according to equation (13). After at most Imax iteration according to equations (13) and (15), the final decision according to $$\widehat{c}=siGn\left[\omega c+{\displaystyle \underset{c\in N\left(v\right)}{\Sigma }{m}_{c\to v}}\right]$$

met. For odd dv and no quenching in the channel, the algorithm E corresponds to the Gallager B decoding algorithm with a threshold of $b=\lceil \frac{\omega +d_v-1}{2}\rceil .$

which also makes the algorithm E is vulnerable to the GJS attack.

The invention uses the deletions known from the algorithm E in order to be able to decode the error correction capability on the one hand and an increased number of errors on the other hand. This can be exploited when using MDPC codes in a McEliece cryptographic system to increase security. In a coding system, it is possible to use the method for decoding a larger number of errors.

The 1 . 2 and 3 show the simulation results for a code from C for the above-mentioned BF algorithm ("BF decoding"), an MF algorithm (MF-1 decoding ") and the algorithm E (" Algorithm E "). The figures each show the message error rate FER for a particular simulation point SP. The simulation results contain 45 simulations, which are subdivided into four different groups μ (h ₀ ) = 0, μ (h ₀ ) = 1, μ (h ₀ ) = 2 and μ (h ₀ ) = 3. The four groups differ with respect to the structure of the error pattern chosen for the simulations. The number of errors e selected for the different algorithms is given in the legend, with e = 100 selected in each case. In addition, in the legend further, for the respective algorithm specific parameters (MF decoding algorithm according to 1 : Probabilities p *, p _dec ; BF decoding algorithm according to 2 : δ; Algorithm E according to 3 : Weighting factor ω), which are known in the art.

so gewählt, dass die Nachrichtenfehlerrate FER für alle in dem Abstandsprofil D(ho) auftretenden Multiplizitäten ähnlich ist. Daher kann das Abstandsprofil D(ho) nicht rekonstruiert werden, wenn das MF-Dekodierungsschema mit der geeigneten Wahl von p_e verwendet wird. Da Simulationen SP verschiedener Codes aus C sehr ähnliche Ergebnisse zeigen, wird vermutet, dass die Wahl von $p_e^{\left(l\right)}$

eher vom Codeensemble als vom Code C selbst abhängt.The results in the 1 to 3 show that with the exception of the MF decoding algorithm ( 1 ) all considered schemes are vulnerable to GJS attacks because the message error rate FER depends on the class of the structure of the error pattern. For the MF decoding scheme in 1 became the probability $p_e^{\left(l\right)}$

is chosen such that the message error rate FER is similar for all multiplicities occurring in the distance profile D (ho). Therefore, the distance profile D (ho) can not be reconstructed if the MF decoding scheme with the appropriate choice of p _e is used. Since simulations of SP different codes from C show very similar results, it is believed that the choice of $p_e^{\left(l\right)}$

depends on the code ensemble rather than code C itself.

The invention utilizes modified message passing (MP) decoding algorithms that allow deletions. The methods allow for modifying MP decoding algorithms in a probabilistic manner to render them resistant to appropriate choice of decoding parameters against GJS attack.

gelöscht (d.h. auf 0 (Null) gesetzt) werden. Dies führt gleichzeitig auch zu einer verbesserten Fehlerkorrekturfähigkeit.The basic idea of the method according to the invention is that the messages sent by the variable nodes VN to the control nodes CN (so-called VN-CN messages) are modified with a given probability each iteration. In particular, the modification by the MP decoder is such that the messages m _{v → c} under certain conditions with a given probability $p_e^{\left(l\right)}$

deleted (ie to 0 (zero) set). At the same time, this also leads to an improved error correction capability.

In the following two embodiments, which are referred to in the figures as REMP-1 (Random Erasure Message Passing-1) and REMP-2 (Random Erasure Message Passing-2), this method is used to modify the algorithm E.

gelöscht wird. An den variablen Knoten VN wird dabei zuerst eine temporäre Ausgabenachricht $${\tilde{m}}_{v\to c}=sign\left[\omega c+{\displaystyle \sum _{c\text{'}N\left(v\right)\setminus c}{m}_{c\text{'}\to v}}\right]$$

berechnet.According to a first variant (REMP-1), the algorithm E is modified so that each non-zero message m _{v → c} at one iteration / with a probability $p_e^{\left(l\right)}$

is deleted. At first, a temporary output message is sent to the variable node VN $${\tilde{m}}_{v\to c}=siGn\left[\omega c+{\displaystyle \underset{c\text{'}N\left(v\right)\setminus c}{\Sigma }{m}_{c\text{'}\to v}}\right]$$

calculated.

und m_v→c = 0 sonst. Bei den Kontrollknoten CN wird die gleiche Operation wie im Algorithmus E durchgeführt (siehe Gleichung (13)). Die endgültige Entscheidung nach höchstens Imax Iterationen der Gleichungen (13) und (16) wird durch Gleichung (18) getroffen.If the message m _{v → c} contains no deletion, ie if m _{v → c} ≠ 0, then the variable node sends VN $$m_{v\to c}=\{\begin{array}{cc}{\tilde{m}}_{c\to v}mitderWaHrscHeinlicHkeit1& -p_e^{\left(l\right)}\\ 0mit\text{d}erWaHrscHeinlicHkeit& p_e^{\left(l\right)}\end{array}$$

and m _{v → c} = 0 else. At the control nodes CN, the same operation as in the algorithm E is performed (see Equation (13)). The final decision on at most Imax iterations of equations (13) and (16) is made by equation (18).

gelöscht werden (d.h. auf einen Wert gemäß m_v→c = 0 gesetzt werden), wenn sie nicht dem entsprechenden Chiffriertext-Bit c entsprechen. Bei den variablen Knoten VN wird zuerst eine temporäre Ausgabenachricht gemäß $${\tilde{m}}_{v\to c}=sign\left[\omega c+{\displaystyle \sum _{c\text{'}\in N\left(v\right)\setminus c}{m}_{c\text{'}\to v}}\right]$$

berechnet. Wenn die Nachricht m̃_v→c nicht dem Chiffriertext-Bit c entspricht, d.h. wenn Gleichung m̃_v→c = -c erhalten wird, sendet der variable Knoten VN $$m_{v\to c}=\{\begin{array}{cc}{\tilde{m}}_{c\to v}\text{mit der Whrscheinlichkeit }1-& p_e^{\left(l\right)}\\ 0\text{ mit der Wahrscheinlichkeit}& p_e^{\left(l\right)}\end{array}$$

und andernfalls m_v→c = m̃_c→v. An den Kontrollknoten CN wird die gleiche Operation wie im Algorithmus E gemäß Gleichung (13) durchgeführt. Die endgültige Entscheidung nach höchstens Imax Iterationen der Gleichungen (13) und (17) erfolgt gemäß $$\widehat{c}=sign\left[\omega c+{\displaystyle \sum _{c\in N\left(v\right)}{m}_{c\to v}}\right]$$

According to the second variant (REMP-2), a modification of algorithm E takes place such that the messages m _{v → c} in the iteration 1 with a probability $p_e^{\left(l\right)}$

be cleared (ie set to a value according to m _{v → c} = 0) if they do not correspond to the corresponding ciphertext bit c. At the variable nodes VN, a temporary output message is first determined according to $${\tilde{m}}_{v\to c}=siGn\left[\omega c+{\displaystyle \underset{c\text{'}\in N\left(v\right)\setminus c}{\Sigma }{m}_{c\text{'}\to v}}\right]$$

calculated. If the message m _{v → c} does not correspond to the ciphertext bit c, ie if equation m _{v → c} = -c is obtained, the variable node sends VN $$m_{v\to c}=\{\begin{array}{cc}{\tilde{m}}_{c\to v}\text{with the probability}1-& p_e^{\left(l\right)}\\ 0\text{with the probability}& p_e^{\left(l\right)}\end{array}$$

and otherwise m _{v → c} = m _{c → v} . At the control node CN, the same operation as in the algorithm E according to equation (13) is performed. The final decision on at most Imax iterations of equations (13) and (17) is made in accordance with $$\widehat{c}=siGn\left[\omega c+{\displaystyle \underset{c\in N\left(v\right)}{\Sigma }{m}_{c\to v}}\right]$$

kann wieder verringert werden, wenn l ansteigt.The probability $p_e^{\left(l\right)}$

can be reduced again as l increases.

The procedure according to the invention can be transferred analogously to the BP algorithm.

In the 4 and 5 the resistance of the proposed decoding schemes against the GJS attack is evident, with REMP-1 ( 4 ) and REMP-2 ( 5 ) designate the first and second variants of the modification of the algorithm E ("Algorithm E"). The 4 and again show the message error rate FER for a particular simulation point SP. The simulation results contain 45 simulations, which are subdivided into the four different groups μ (h ₀ ) = 0, μ (h ₀ ) = 1, μ (h ₀ ) = 2 and μ (h ₀ ) = 3, the differ with regard to the structure of the error pattern chosen for the simulations.

The number of errors e selected for the algorithms REMP-1 and REMP-2 is given in the legend, with the algorithm REMP-1 e = 100 and the algorithm REMP-2 e = 106. In addition, the legend specifies further parameters specific to the respective algorithm REMP-1 and REMP-2 as well as the comparison algorithm E ("Algorithm E"). The probabilities p _e have been chosen differently for the algorithms REMP-1 and REMP-2, wherein the weighting factor ω is equal. The values and simulation points of the comparison algorithm E correspond to those of 3 ,

For the algorithms REMP-1 and REMP-2, Monte Carlo simulations were performed for randomly chosen C codes that produced up to 200 decoding errors (message errors) with Imax = 50 iterations. For each multiplicity in μ (h ₀ ), 11 different error rates d (simulation points SP) were simulated. The simulation results in the 4 and 5 show that the REMP-1 and REMP-2 decoding schemes are suitable for a Parameter selection have a similar message error rate FER for all occurring multiplicities μ (h ₀ ). Therefore, reconstruction of the distance profile D (ho) from the observed FER is not possible.

For the choice of the parameters hiding the secret key, the message error rate FER of the REMP-2 decoding is slightly worse with an error weight e = 106 than with the REMP-1 decoding with an error weight e = 100. Because of the possible higher error weight the second variant (REMP-2) appears to be improved compared to the first variant (REMP-1).

für ein bestimmtes Fehlergewicht e entscheidend. Wenn der Wahrscheinlichkeitswert $p_e^{\left(l\right)}$

zu groß gewählt wird, dreht sich das Bild um, d.h. höhere Multiplizitäten haben eine höhere Nachrichtenfehlerrate FER als niedrigere Multiplizitäten. Daher sollte das Fehlergewicht e nach dem Dekodieren berechnet werden, und Verschlüsselungen, die mit einem anderen Fehlergewicht als e erzeugt wurden, sollten zurückgewiesen werden, um Angriffe zu verhindern, die diesen Effekt ausnutzen.To hide the structure of H (X) is the choice of the probability value $p_e^{\left(l\right)}$

decisive for a certain error weight e. If the probability value $p_e^{\left(l\right)}$

is too large, the picture turns around, ie higher multiplicities have a higher message error rate FER than lower multiplicities. Therefore, the error weight e should be calculated after decoding, and encryptions generated with a different error weight than e should be rejected to prevent attacks that exploit this effect.

6 FIG. 12 is a graph comparing the message error rate FER versus the weight of the error pattern WEP for various MP decoding methods. It is readily apparent that the methods of the present invention (again referred to as REMP-1 and REMP-2) have increased efficiency over the known hard-decision decoders. At a message error rate FER of 10 ^-2 , the weight of the error pattern WEP for the algorithm E (Alg. E) is 97, while the inventive decoding methods REMP-1 and REMP-2 reach an error pattern weight WEP of 102.

7 shows a decoder DEC according to the invention, which is supplied to an input of the ciphertext c. The decoder DEC is configured to execute the method described above (REMP-1 and / or REMP-2). At an output of the decoder the decrypted message ĉ ≈mG is obtained.

publications

• [1] Robert J. McEliece, "A Public-Key Cryptosystem based on Algebraic Coding Theory," DSN Progress Report, Vol. 4244 (1978), pp. 114-116 ,
• [2] HE Berlekamp, RJ McEliece, and HCA Van Tilborg, "On the Inherent Intractability of Certain Coding Problems," IEEE Transactions on Information Theory, Vol. 24, No. 3, pp. 384-386, May 1978 ,
• [3] K. Kobara and H. Imai, "Semantically Secure McEliece Public-Key Cryptosystems Conversions for McEliece PKC," in Public Key Cryptography, Vol. 1992, Springer, 2001, pp. 19-35 ,
• [4] RL Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications on the ACM, Vol. 21, No. 2, pp. 120-126, 1978 ,
• [5] PW Shor, "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer," SIAM review, Vol. 41, No. 2, pp. 303-332, 1999 ,
• [6] TP Berger, P.-L. Cayrel, P. Gaborit, and A. Otmani, "Reducing key length of the McEliece cryptosystem." Africa Crypt, Vol. 5580, pp. 77-97, 2009 ,
• [7] P. Gaborit, "Shorter Keys for Code Based Cryptography," in Proceedings of the 2005 International Workshop on Coding and Cryptography (WCC 2005), 2005, pp. 81-91 ,
• [8th] C. Monico, J. Rosenthal, and A. Shokrollahi, "Using Low Density Parity Check Codes in the McEliece Cryptosystem," in Information Theory, 2000. Proceedings. IEEE International Symposium on. IEEE, 2000, p. 215 ,
• [9] M. Baldi, F. Chiaraluce, R. Garello, and F. Mininni, "Quasi-Cyclic Low-Density Parity Check Codes in the McEliece Cryptosystem," in the IEEE International Conference on Communications (ICC), 2007. IEEE, 2007, Pp. 951-956 ,
• [10] R. Misoczki, J.-P. Tillich, N. Sendrier, and PS Barreto, "MDPC-McEliece: New McEliece Variants from Moderate Density Parity Check Codes," in the IEEE International Symposium on Information Theory (ISIT). IEEE, 2013, pp. 2069-2073 ,
• [12] Q. Guo, T. Johansson, and P. Stankovski, "A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors," in Advances in Cryptology-ASIA-CRYPT 2016: 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part I, 22nd Springer, 2016, pp. 789-815 ,
• [13] N. Miladinovic and MP Fossorier, "Improved Bit-Flipping Dekoding of Low-Density Parity-Check Codes," IEEE Transactions on Information Theory, vol. 51, no. 4, pp. 1594-1606, 2005 ,
• [14] T. Richardson and R. Urbanke, "The capacity of low-density parity-check codes under message passing decoding," IEEE Trans. Inf. Theory, Vol. 47, No. 2, pp. 599-618, Feb. 2001 ,
• [15] N. Sendrier, "Code-Based Cryptography: State of the Art and Perspectives," IEEE Security & Privacy, vol. 15, no. 4, pp. 44-50, Aug. 2017
• [16] C. Lee, "Some Properties of Nonbinary Error-Correcting Codes," IRE Transactions on Information Theory, vol. 4, no. 2, pp. 77-82, Jun. 1958 ,
• [17] T. Fabsic, V. Hromada, P. Stankovski, P. Zajac, Q. Guo, and T. Johansson, "A Reaction Attack on the QC-LDPC McEliece Cryptosystem," in International Workshop on Post-Quantum Cryptography, 2017, pp , 51-68 ,
• [18] PSLM Barreto, S. Gueron, T. G ueneysu, R. Misoczki, E. Persichetti, N. Sendrier, and J.-P. Tillich, "CAKE: Code-Based Algorithms for Key Encapsulation," Cryptology ePrint Archive, Report 2017/757, 2017, http://eprint.iacr.org/2017/757 ,
• [19] M. Tanner, "A recursive approach to low-complexity codes," IEEE Trans. Inf. Theory, vol. 27, no. 5, pp. 533-547, Sep. 1981
• [20] W. Ryan and S. Lin, Channel codes - Classical and modern. New York, NY, USA: Cambridge University Press, 2009
• [21] R. Gallager, low density parity check codes. Cambridge, MA, USA: MIT Press, 1963

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited non-patent literature

• Robert J. McEliece, "A Public-Key Cryptosystem Based on Algebraic Coding Theory" DSN Progress Report, Vol. 4244 (1978), pp. 114-116 [0077]
• E.R. Berlekamp, R.J. McEliece, and H.C.A. Van Tilborg, "On the Inherent Intractability of Certain Coding Issues," IEEE Transactions on Information Theory, Vol. 24, No. 3, pp. 384-386, May 1978 [0077]
• K. Kobara and H. Imai, "Semantically Secure McEliece Public-Key Cryptosystems Conversions for McEliece PKC," in Public Key Cryptography, Vol. 1992, Springer, 2001, pp. 19-35. [0077]
• R.L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications on the ACM, Vol. 21, No. 2, pp. 120-126, 1978 [0077]
• P.W. Shor, "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on Quantum Computer," SIAM review, Vol. 41, No. 2, pp. 303-332, 1999 [0077]
• T.P. Berger, P.-L. Cayrel, P. Gaborit, and A. Otmani, "Reducing key length of the McEliece cryptosystem." Africa Crypt, Vol. 5580, pp. 77-97, 2009 [0077]
• P. Gaborit, "Shorter Keys for Code Based Cryptography," in Proceedings of the 2005 International Workshop on Coding and Cryptography (WCC 2005), 2005, pp. 81-91 [0077]
• C. Monico, J. Rosenthal, and A. Shokrollahi, "Using Low Density Parity Check Codes in the McEliece Cryptosystem," in Information Theory, 2000. Proceedings. IEEE International Symposium on. IEEE, 2000, p. 215 [0077]
• M. Baldi, F. Chiaraluce, R. Garello, and F. Mininni, "Quasi-Cyclic Low-Density Parity Check Codes in the McEliece Cryptosystem," in the IEEE International Conference on Communications (ICC), 2007. IEEE, 2007, Pp. 951-956 [0077]
• R. Misoczki, J.-P. Tillich, N. Sendrier, and P.S. Barreto, "MDPC-McEliece: New McEliece Variants from Moderate Density Parity Check Codes," in the IEEE International Symposium on Information Theory (ISIT). IEEE, 2013, pp. 2069-2073 [0077]
• Q. Guo, T. Johansson, and P. Stankovski, "A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors," in Advances in Cryptology-ASIA-CRYPT 2016: 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part I, 22nd Springer, 2016, pp. 789-815 [0077]
• N. Miladinovic and M. P. Fossorier, "Improved Bit-Flipping Decoding of Low-Density Parity-Check Codes," IEEE Transactions on Information Theory, vol. 51, no. 4, pp. 1594-1606, 2005 [0077]
• T. Richardson and R. Urbanke, "The capacity of low-density parity-check codes under message passing decoding," IEEE Trans. Inf. Theory, Vol. 47, No. 2, pp. 599-618, Feb. 2001 [0077]
• N. Sendrier, "Code-Based Cryptography: State of the Art and Perspectives," IEEE Security & Privacy, vol. 15, no. 4, pp. 44-50, Aug. 2017 [0077]
• C. Lee, "Some Properties of Nonbinary Error-Correcting Codes," IRE Transactions on Information Theory, vol. 4, no. 2, pp. 77-82, Jun. 1958 [0077]
• T. Fabsic, V. Hromada, P. Stankovski, P. Zajac, Q. Guo, and T. Johansson, "A Reaction Attack on the QC-LDPC McEliece Cryptosystem," in International Workshop on Post-Quantum Cryptography, 2017, pp , 51-68 [0077]
• P.S.L.M. Barreto, S. Gueron, T. G ueneysu, R. Misoczki, E. Persichetti, N. Sendrier, and J.-P. Tillich, "CAKE: Code-Based Algorithms for Key Encapsulation," Cryptology ePrint Archive, Report 2017/757, 2017, http://eprint.iacr.org/2017/757 [0077]
• M. Tanner, "A recursive approach to low-complexity codes," IEEE Trans. Inf. Theory, vol. 27, no. 5, pp. 533-547, Sep. 1981 [0077]
• W. Ryan and S. Lin, Channel codes - Classical and modern. New York, NY, USA: Cambridge University Press, 2009 [0077]
• R. Gallager, low density parity check codes. Cambridge, MA, USA: MIT Press, 1963 [0077]

Claims (17)

A method for decoding a message, in particular a public key encrypted message of an asymmetric cryptographic system, using a variable-node graph-based message passing (MP) algorithm and control nodes connected by edges, wherein for decoding the message along the Edges iteratively send messages from the variable nodes to the control nodes and messages from the control nodes to the variable nodes, characterized in that the messages from the variable nodes to the control nodes are modified with a predetermined probability. Method according to Claim 1 , Characterized in that is used by the MP algorithm, a ternary message alphabet {-1, 0, +1}, where 0 an erasure indicating and the modification comprises a canceling of the messages from the variable nodes to the check nodes. Method according to Claim 1 or 2 , characterized in that the modification of the message from the variable nodes to the control nodes is independent of the value of the ciphertext bit c E {+1, -1}. Method according to Claim 3 , characterized in that at the variable node first a temporary output message $${\tilde{m}}_{v\to c}=siGn\left[\omega c+{\displaystyle \underset{c\text{'}\in N\left(v\right)\setminus c}{\Sigma }{m}_{c\text{'}\to v}}\right]$$

where c is the ciphertext bit, ω is a heuristic weighting factor, m _{c '→ v is} the second message and $N\left(v\right)$

are the neighborhood nodes of the variable node v. Method according to Claim 4 , characterized in that, if the temporary output message m _{v → c} contains no deletion, the variable nodes as a message $$m_{v\to c}=\{\begin{array}{cc}{\tilde{m}}_{c\to v}mitderWaHrscHeinlicHkeit1-& p_e^{\left(l\right)}\\ 0mitderWaHrscHeinlicHkeit& p_e^{\left(l\right)}\end{array}$$

send and otherwise send m _{v → c} = 0 as the first messages. Method according to Claim 1 or 2 , characterized in that the messages m _{v → c} from the variable nodes to the control nodes in the iteration 1 with the predetermined probability $p_e^{\left(l\right)}$

be deleted if they do not correspond to the corresponding ciphertext bit c. Method according to Claim 6 , characterized in that at the variable node first a temporary output message according to $${\tilde{m}}_{v\to c}=siGn\left[\omega c+{\displaystyle \underset{c\text{'}\in N\left(v\right)\setminus c}{\Sigma }{m}_{c\text{'}\to v}}\right]$$

where c is the ciphertext bit, ω is a heuristic weighting factor, m _{c '→ v is} the second message and $N\left(v\right)$

are the neighborhood nodes of the variable node v. Method according to Claim 7 , characterized in that the variable nodes, if the temporary output message m _{v → c} does not correspond to the ciphertext bit c, as a message $$m_{v\to c}=\{\begin{array}{cc}{\tilde{m}}_{c\to v}\text{with the probability 1}& -p_e^{\left(l\right)}\\ 0\text{with the probability}& p_e^{\left(l\right)}\end{array}$$

and otherwise send m _{v → c} = m _{c → v} as messages. Method according to one of the preceding claims, characterized in that the control nodes receive the messages $$m_{c\to v}={\displaystyle \underset{v\text{'}\in N\left(c\right)\setminus v}{\Pi }{m}_{v\text{'}\to c}}$$

to the adjacent variable nodes, where m _{v '→ c} first messages and $N\left(c\right)$

are the neighborhood nodes of control node c. Method according to one of the preceding claims, characterized in that a final decision is made for the value of the ciphertext bit ĉ of the variable node after a number of predetermined iterations according to $$\widehat{c}=siGn\left[\omega c+{\displaystyle \underset{c\in N\left(v\right)}{\Sigma }{m}_{c\to v}}\right],$$

Method according to one of the preceding claims, characterized in that each variable node VN is initialized with a ciphertext bit c E {+1, -1} and in the first iteration as the first one Message m _{v → c} = c to all neighboring control nodes $\text{c}\in N\left(v\right)$

sending out. Method according to one of the preceding claims, characterized in that the predetermined probability over the number of iterations is variable. Method according to Claim 12 , characterized in that the predetermined probability decreases with increasing number of iterations. A computer program product that can be loaded directly into the internal memory of a digital computer and includes software code portions that perform the steps of any one of Claims 1 to 11 running when the product is running on a computer. Use of the method according to one of Claims 1 to 11 in an asymmetric cryptographic system, especially McEliece. Use of the method according to one of Claims 1 to 11 for decoding in the news broadcast. A decoder for decoding a message, in particular a public-key encrypted message of an asymmetric cryptographic system, adapted to execute a variable-node graph-based message passing (MP) algorithm and control nodes connected by edges, wherein for decoding the Message along the edges, iteratively sending messages from the variable nodes to the control nodes and messages from the control nodes to the variable nodes, characterized in that it is arranged to modify the messages from the variable nodes to the control nodes with a predetermined probability, especially extinguish.

Images