International Journal of Network Security & Its Applications (IJNSA), Vol.2, No.1, January 2010

WEAKNESS ON CRYPTOGRAPHIC SCHEMES BASED ON REGULAR LDPC CODES

Omessaad Hamdi 1, Manel Abdelhedi 2, Ammar Bouallegue 2, Sami Harari 3
1 SYSTEL, SUPCOM, Tunisia, hamdi@univ-tln.fr
2 SYSCOM, ENIT, Tunisia, abdelhedi manel@yahoo.fr, ammar.bouallegue@enit.rnu.tn
3 SIS, USTV, France, harari@univ-tln.fr

ABSTRACT

We propose a method to recover the structure of a randomly permuted chained code and show how to cryptanalyse cryptographic schemes based on this kind of error correcting code. As an application of the method, we attack a cryptographic scheme using regular Low Density Parity Check (LDPC) codes. This result prohibits the use of chained codes, and in particular of regular LDPC codes, in cryptography.

KEYWORDS: Cryptography, Chained Codes, LDPC Codes, Attack, Complexity.

1. INTRODUCTION

RSA and McEliece are the oldest public key cryptosystems. They are based respectively on the intractability of factorization and of the syndrome decoding problem [1]. However, McEliece [2] was not quite as successful as RSA, partially due to its large public key and to the belief that it could not be used for signature. In 2001, Courtois, Finiasz and Sendrier [3] showed a new method to build practical signature schemes with the McEliece public key cryptosystem. This scheme has the drawback of a high signature cost. One idea to counter this drawback consists in replacing the Goppa code by other codes which have faster decoding algorithms, like chained codes. In this paper, we show an invariant in the structure of chained codes which creates a weakness in cryptographic schemes based on chained codes. Our approach is based on the fact that any code equivalent to a chained code can be transformed into a systematic code which has a special generator matrix representation. A regular LDPC code is generally a chained repetition code. We show that these codes are useless in cryptography.
2. CHAINED CODES

A chained code $C$ is defined as the direct sum of elementary codes $C_1, \dots, C_l$:
$$C = C_1 \oplus \dots \oplus C_l = \{(u_1 \dots u_l);\ u_1 \in C_1, \dots, u_l \in C_l\}.$$
If $C_i$ is an $(n_i, k_i)$ code, this code is of length $N = \sum_{i=1}^{l} n_i$ and of dimension $K = \sum_{i=1}^{l} k_i$.

To encode an information word $m = (m_1, \dots, m_l)$, where $m_i$ is $k_i$ bits long, we simply multiply it by the generator matrix to obtain the codeword $u = m.G = (u_1, \dots, u_l)$, where $u_i$ is the $n_i$ bit codeword obtained from $m_i$ using the elementary code $C_i$. So $G$ is a block-diagonal matrix whose diagonal is formed by the elementary generator matrices $G_i$ of the codes $C_i$. We assume that we have an efficient decoding algorithm $dec_i$ for each elementary code $C_i$. To decode $u = (u_1, \dots, u_l)$, we apply to each codeword $u_i$ its corresponding decoding algorithm, $m_i = dec_i(u_i)$. The decoded word is $m = (m_1, \dots, m_l)$.

We define the support of a non-zero word $x = (x_1, \dots, x_n)$, denoted $\mathrm{sup}(x)$, as the set of its non-zero positions, $\mathrm{sup}(x) = \{i \in \{1, \dots, n\},\ x_i \neq 0\}$, and the support of a set $S = \{y_1, \dots, y_s\}$ as the union of the supports of its words, $\mathrm{sup}(S) = \bigcup_{y \in S} \mathrm{sup}(y)$. So the support of a code $C(N, K)$ is the union of its $2^K$ codeword supports.

Two words $x$ and $y$ are said to be connected if their supports are not disjoint, i.e. $\mathrm{sup}(x) \cap \mathrm{sup}(y) \neq \emptyset$, and two sets $I$ and $J$ are said to be disjoint if no word of $I$ is connected to a word of $J$.

A non-zero codeword $x$ of $C$ is said to be of minimal support if there is no codeword $y \in C$, $y \neq x$, such that $\mathrm{sup}(y) \subset \mathrm{sup}(x)$.

Two codes $C(N, K)$ and $C'(N, K)$ are said to be equivalent if there is a permutation $\sigma$ of $\{1, \dots, N\}$ such that $C' = \sigma(C) = \{(c_{\sigma(1)}, \dots, c_{\sigma(N)});\ c \in C\}$. In other words, $C$ and $C'$ are equivalent if there is a permutation matrix $P$ such that, for any generator matrix $G$ of $C$, the matrix $G' = G.P$ is a generator matrix of $C'$.
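The definitions of this section worked through on a toy chained code. This is an added example written for this page, not code from the paper: the elementary codes (a (3,1) and a (5,1) repetition code and the systematic (7,4) Hamming code), their decoders, the function names and the sample message are assumptions chosen for illustration. Beyond the text, it checks exhaustively that every minimal-support codeword of the chained code lies inside a single elementary block, which is the invariant the attack of the next section relies on.

```python
# Added example (not from the paper): a toy chained code C = C1 (+) C2 (+) C3 over GF(2)
# with block-diagonal generator matrix, per-block decoding and the support,
# connectivity and minimal-support notions of Section 2.
# Assumed elementary codes (illustration only): (3,1) and (5,1) repetition codes
# and the (7,4) Hamming code in systematic form.
from itertools import product

REP3 = [[1, 1, 1]]
REP5 = [[1, 1, 1, 1, 1]]
HAM74 = [[1, 0, 0, 0, 1, 1, 0],
         [0, 1, 0, 0, 1, 0, 1],
         [0, 0, 1, 0, 0, 1, 1],
         [0, 0, 0, 1, 1, 1, 1]]
HAM74_H = [[1, 1, 0, 1, 1, 0, 0],   # parity-check matrix (A^T | I_3) of HAM74
           [1, 0, 1, 1, 0, 1, 0],
           [0, 1, 1, 1, 0, 0, 1]]

def dec_rep(u):
    """Majority-vote decoder of a repetition code: returns the 1-bit message."""
    return [1 if 2 * sum(u) > len(u) else 0]

def dec_ham74(u):
    """Syndrome decoder of the (7,4) Hamming code: corrects one error and
    returns the 4 message bits (the systematic positions)."""
    u = list(u)
    s = tuple(sum(h[j] & u[j] for j in range(7)) & 1 for h in HAM74_H)
    if any(s):  # the syndrome equals the column of H at the error position
        cols = [tuple(h[j] for h in HAM74_H) for j in range(7)]
        u[cols.index(s)] ^= 1
    return u[:4]

# (G_i, dec_i) pairs: the secret description of the chained code
ELEMENTARY = [(REP3, dec_rep), (REP5, dec_rep), (HAM74, dec_ham74)]

def chained_generator(blocks):
    """Block-diagonal generator matrix G = diag(G_1, ..., G_l)."""
    N, G, off = sum(len(b[0]) for b in blocks), [], 0
    for b in blocks:
        G += [[0] * off + r + [0] * (N - off - len(r)) for r in b]
        off += len(b[0])
    return G

def block_columns(blocks):
    """Column set occupied by each elementary code inside the chained code."""
    cols, off = [], 0
    for b in blocks:
        cols.append(set(range(off, off + len(b[0]))))
        off += len(b[0])
    return cols

G = chained_generator([g for g, _ in ELEMENTARY])      # K = 6, N = 15
BLOCK_COLS = block_columns([g for g, _ in ELEMENTARY])

def encode(G, m):
    """u = m.G over GF(2)."""
    return [sum(mi & gij for mi, gij in zip(m, col)) & 1 for col in zip(*G)]

def decode(u):
    """m = (dec_1(u_1), ..., dec_l(u_l)): each block is decoded by its own
    elementary decoder, which is what makes chained codes cheap to decode."""
    m, off = [], 0
    for g, dec in ELEMENTARY:
        n = len(g[0])
        m += dec(u[off:off + n])
        off += n
    return m

def sup(x):
    """Support of a word: the set of its non-zero positions."""
    return {i for i, xi in enumerate(x) if xi}

def connected(x, y):
    return bool(sup(x) & sup(y))

def codewords(G):
    return [encode(G, list(m)) for m in product((0, 1), repeat=len(G))]

def minimal_support_codewords(G):
    """Non-zero codewords whose support strictly contains no other codeword's support."""
    cws = [c for c in codewords(G) if any(c)]
    sups = [sup(c) for c in cws]
    return [c for c, s in zip(cws, sups) if not any(t < s for t in sups)]

def lies_in_one_block(c):
    """A minimal-support codeword never straddles two elementary codes: its
    projection on one block would be a codeword with strictly smaller support."""
    return any(sup(c) <= cols for cols in BLOCK_COLS)

def demo():
    m = [1, 0, 1, 1, 0, 1]                      # constructed 6-bit message
    u = encode(G, m)
    u[1] ^= 1; u[5] ^= 1; u[10] ^= 1            # one error in each block
    assert decode(u) == m                       # every block corrects its error
    mins = minimal_support_codewords(G)
    return len(mins), all(lies_in_one_block(c) for c in mins)

if __name__ == "__main__":
    print(demo())   # (16, True)
```

The 16 minimal-support codewords are the all-ones word of each repetition block plus the 7 weight-3 and 7 weight-4 codewords of the Hamming block; none of them touches two blocks at once, and that statement does not depend on how the columns are ordered.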
3. CHAINED CODES AND CRYPTOGRAPHY

As we mentioned in the introduction, the drawback of the only digital signature scheme based on error correcting codes is its high signature complexity, which is due to the Goppa decoding algorithm. One idea to counter this drawback consists in replacing the Goppa code by a chained code, which has a faster decoding algorithm. Generally, the secret key of a cryptographic scheme based on error correcting codes is the code itself, for which an efficient decoding algorithm is known, and the public key is a transformation of its generator or parity check matrix. We consider a digital signature scheme based on a chained code, and then we develop an algorithm to recover the private key from the public key. This attack applies to any cryptographic scheme built on chained codes, since it is a structural attack.

Secret key:
o $S$ is a random $(K \times K)$ non-singular matrix called the scrambling matrix.
o $G$ is a $(K \times N)$ generator matrix of a chained code.
o $P$ is a random $(N \times N)$ permutation matrix.
Public key:
o $G' = S.G.P$ is a randomly scrambled and permuted generator matrix. It is a generator matrix of a non-structured code equivalent to the chained code.
o $c$ is the correction capacity of the complete decoding algorithm, computed as in [3].
o $h()$ is a hash function.
Signature:
o The signer first calculates $y = h(M).P^{-1}$, where $h(M)$ is the $N$ bit hash of the message and $P^{-1}$ is the inverse of $P$. Then he uses the complete decoding algorithm [3] of the original chained code $C$ to obtain $x = S.\sigma$. Finally, the signer obtains the signature by computing $\sigma = S^{-1}.x$, where $S^{-1}$ is the inverse of $S$.
Verification:
o The verifier calculates $\rho' = \sigma.G'$ and $\rho = h(M)$.
o The signature is valid if $d(\rho, \rho') < c$, where $d$ is the Hamming distance.

We have introduced a digital signature scheme; we now present the weakness of this scheme. This weakness is due to the fact that chained codes have an invariant. Code equivalence means that one generator matrix is a column permutation of the other, because the matrix $S$ does not change the code but only changes the basis of the linear subspace. Canteaut showed that the matrix $S$ may be important to hide the systematic structure of Goppa codes, and may therefore have a security role [5]. However, Heiman was the first to study this point, and states that the random matrix $S$ used in the original McEliece scheme serves no security purpose [5]. We confirm this argument and show that the random matrix $S$ has no security role in cryptographic schemes based on linear codes. We also state that the disjointness of the elementary code supports is invariant under permutation. To avoid an exhaustive attack, we use at least five different elementary codes, and to avoid an information set attack, we use a chained code of length at least equal to 9 bits.

The attack exploits the characteristics of the code transformation in order to identify its building blocks. Its input is a generator matrix $G'$ of a randomly permuted chained code of length $N$ and dimension $K$. Its output is a structured chained code. The algorithm's steps are:
o Apply Gaussian elimination to the rows of the matrix $G'$ to obtain the systematic form $G = (I_K, Z)$. Sendrier shows that the rows of any systematic generator matrix of a code $C$ are minimal support codewords of $C$, and that any minimal support codeword of $C$ is a row of some systematic generator matrix of $C$ [4]. The support of a systematic chained code generator matrix is formed by disjoint sets, each being the support of an elementary code. Transforming any randomly permuted chained code generator matrix into a systematic matrix by linear algebra therefore lets us find these supports, and thus the elementary codes.
o Search for the disjoint sets of rows of the systematic matrix $G$. Each set forms the support of an elementary code.
o Use the elementary decoding algorithms to decode every message.

As an application, regular LDPC codes are chained repetition codes. The next sections present the properties of these codes.
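The three steps of the attack run end to end against a toy public key $G' = S.G.P$. This is an added example written for this page, not the authors' code: the elementary codes ((3,1), (4,1) and (5,1) repetition codes plus the systematic (7,4) Hamming code), the PRNG seed and all function names are assumptions. The same routine recovers the block structure of a permuted parity check matrix $H' = S.H.P$, which is the regular LDPC case of Sections 4.2 and 5.2, since Gaussian elimination and the grouping of row supports do not care whether the input matrix generates the code or its dual. One practical detail the text glosses over: after a random column permutation the first $K$ columns of $G'$ need not be independent, so the elimination tracks its pivot columns instead of assuming the $(I_K, Z)$ shape.

```python
# Added example (not from the paper): structural attack of Section 3 on G' = S.G.P.
import random

# Secret elementary generator matrices G_i (assumed for illustration):
# (3,1), (4,1), (5,1) repetition codes and the systematic (7,4) Hamming code.
ELEMENTARY = [
    [[1, 1, 1]],
    [[1, 1, 1, 1]],
    [[1, 1, 1, 1, 1]],
    [[1, 0, 0, 0, 1, 1, 0], [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1], [0, 0, 0, 1, 1, 1, 1]],
]

def chained_generator(blocks):
    """Block-diagonal secret generator matrix G = diag(G_1, ..., G_l)."""
    N, G, off = sum(len(b[0]) for b in blocks), [], 0
    for b in blocks:
        G += [[0] * off + r + [0] * (N - off - len(r)) for r in b]
        off += len(b[0])
    return G

def block_columns(blocks):
    """Column set of each elementary code in the secret coordinates."""
    cols, off = [], 0
    for b in blocks:
        cols.append(frozenset(range(off, off + len(b[0]))))
        off += len(b[0])
    return cols

def gf2_mul(A, B):
    Bt = list(zip(*B))
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in Bt] for row in A]

def rref(M):
    """Gauss-Jordan elimination over GF(2).  Returns the reduced row-echelon
    form (zero rows dropped) and its pivot columns: up to a column reordering
    this is the systematic form (I_K | Z).  Tracking pivots avoids assuming
    that the first K public columns are independent."""
    R = [row[:] for row in M]
    nrows, ncols, pivots, r = len(R), len(R[0]), [], 0
    for c in range(ncols):
        if r == nrows:
            break
        p = next((i for i in range(r, nrows) if R[i][c]), None)
        if p is None:
            continue
        R[r], R[p] = R[p], R[r]
        for i in range(nrows):
            if i != r and R[i][c]:
                R[i] = [a ^ b for a, b in zip(R[i], R[r])]
        pivots.append(c)
        r += 1
    return R[:r], pivots

def gf2_rank(M):
    return len(rref(M)[0])

def random_scrambler(K, rng):
    """Random non-singular K x K matrix S (rejection sampling)."""
    while True:
        S = [[rng.randint(0, 1) for _ in range(K)] for _ in range(K)]
        if gf2_rank(S) == K:
            return S

def random_permutation_matrix(N, rng):
    """P with P[i][perm[i]] = 1, so column i of G becomes column perm[i] of G.P."""
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[0] * N for _ in range(N)]
    for i, j in enumerate(perm):
        P[i][j] = 1
    return P, perm

def sup(x):
    return {i for i, xi in enumerate(x) if xi}

def connected_components(rows):
    """Step 2: group rows whose supports overlap, transitively.  Each class is
    the support of one elementary code, in the public coordinates."""
    comps = []
    for s in map(sup, rows):
        merged, rest = set(s), []
        for c in comps:
            if c & merged:
                merged |= c
            else:
                rest.append(c)
        comps = rest + [merged]
    return {frozenset(c) for c in comps}

def recover_blocks(pub):
    """Step 1 (systematic form) followed by step 2 on the public matrix."""
    return connected_components(rref(pub)[0])

def run_attack(seed=2010):
    """Build a key pair, attack the public key and compare with the secret
    structure.  Returns (blocks recovered?, S irrelevant?, recovered block sizes)."""
    rng = random.Random(seed)
    G = chained_generator(ELEMENTARY)
    K, N = len(G), len(G[0])
    S, (P, perm) = random_scrambler(K, rng), random_permutation_matrix(N, rng)
    G_pub = gf2_mul(gf2_mul(S, G), P)
    recovered = recover_blocks(G_pub)
    expected = {frozenset(perm[c] for c in cols) for cols in block_columns(ELEMENTARY)}
    # The reduced form depends only on the row space, so S cannot hide anything.
    s_irrelevant = recover_blocks(gf2_mul(G, P)) == recovered
    return recovered == expected, s_irrelevant, sorted(len(c) for c in recovered)

if __name__ == "__main__":
    print(run_attack())  # (True, True, [3, 4, 5, 7])
```

The partition returned by recover_blocks is the finest direct-sum decomposition the public code admits; it coincides with the designer's blocks exactly when each elementary code is itself indecomposable, which holds for repetition and Hamming codes. Once the column sets are known, the attacker applies each elementary decoder to its block of $y = h(M).P^{-1}$ exactly as the legitimate signer does, so the permutation $P$ and the scrambler $S$ protect nothing.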
4. LOW DENSITY PARITY CHECK CODES

Low-density parity-check (LDPC) codes were first discovered by Gallager [6] in 1962 and have recently been rediscovered by MacKay and Neal [7], [8]. In fact, when LDPC codes were invented, their decoding was too complicated for the technology of the time, and so they were forgotten. These codes deliver very good performance when decoded with the belief-propagation (BP) algorithm [7]. Binary LDPC codes are linear block codes defined by a sparse parity check matrix $H$ $(M \times N)$, where $N$ denotes the codeword length and $M$ the number of parity-check equations. When the numbers of 1s in each column and in each row are constant, the code is called a regular LDPC code. Otherwise, it is said to be irregular.

4.1. Regular LDPC codes

In this section, we show that the parity check matrix of a regular LDPC code has a particular structure. The uniqueness of the canonical (systematic) matrix allows us to recover the codes used in any equivalent code.
The support of a systematic LDPC code is formed by disjoint sets. Each set represents the support of an elementary repetition code. Transforming any randomly permuted LDPC parity check matrix into a systematic matrix by linear algebra lets us find these supports, and thus the elementary codes. The regular LDPC parity check matrix is constructed as follows: it is a concatenation of permuted repetition codes,

$H =$

4.2. Parity check matrix properties

We are interested, in this section, in the parity check matrix properties which will be used to analyse the regular LDPC code structure. The parity check matrix $H$ of a linear code is not unique: for any non-singular $S$, $S.H$ is also a parity check matrix.
o If the systematic parity check matrix exists then it is unique [4].
o The rows of any systematic parity check matrix of a code $C$ are minimal support codewords (of the dual code of $C$) [4].
o Any such minimal support codeword is a row of some systematic parity check matrix of $C$ [4].
Consequently, the rows of the systematic LDPC parity check matrix are divided into disjoint sets. Each set defines the support of a repetition code $C_i$. This property is invariant under permutation. Based on this property, we show that a randomly permuted LDPC parity check matrix $H' = S.H.P$ has a particular structure. This structure makes it easy to discover the hidden matrix $H$.

5. RESULTS

5.1. Attack complexity on chained linear codes

The security of cryptographic schemes based on error correcting codes is highly dependent on the class of codes used. Some classes of codes reveal their characteristics even after the permutation used to construct the public code. This is the case of chained codes. The starting point was the observation that any systematic matrix is formed of small weight codewords and that a chained code contains many minimal support codewords. These two properties lead to a structural attack on the digital signature scheme based on chained codes. Figure 1 shows the complexity of the attack on some cryptosystems using chained codes.
The complexity is always less than $2^{45}$, even with very long codes ($N = 3$). This complexity prohibits using chained codes in cryptography.
Figure 1: Attack complexity on chained linear codes

5.2. Attack complexity on LDPC codes

The complexity is the number of binary operations needed to discover the structure of a randomly permuted regular LDPC code:
o $N.M^2/2$ binary operations for the Gaussian elimination.
o $M.N$ binary operations to compute all row weights.
Thus, the number of binary operations necessary for this algorithm is equal to $N.M^2/2 + N.M$.

Figure 2: Complexity of the attack on cryptosystems using regular LDPC codes
Figure 2 shows the complexity of the attack on some cryptosystems using regular LDPC codes. The complexity is always less than $2^{45}$, even with very long codes ($N = 3$). This complexity prohibits using LDPC codes in cryptography.

6. CONCLUSION

In this paper, we discussed the structure of a randomly permuted chained code. We explored the threat posed by a systematic generator matrix that has a particular structure. Chained code generator matrices have the property of disconnected elementary code supports. This property is invariant under permutation, which makes this kind of code useless in cryptography. Regular LDPC codes have this property.

REFERENCES

[1] E.R. Berlekamp, R.J. McEliece, and H.C.A. van Tilborg, "On the inherent intractability of certain coding problems", IEEE Transactions on Information Theory, Vol.24, No.3, 1978, pp.384-386.
[2] R.J. McEliece, "A public-key cryptosystem based on algebraic coding theory", DSN Progress Report, Jet Propulsion Laboratory, California Inst. Technol., Pasadena, CA, pp. 114-116, January 1978.
[3] N. Courtois, M. Finiasz, and N. Sendrier, "How to achieve a McEliece-based digital signature scheme", in C. Boyd, editor, Asiacrypt 2001, volume 2248 of LNCS, pages 157-174. Springer-Verlag, 2001.
[4] N. Sendrier, "On the structure of a linear code", AAECC, Vol.9, No.3, 1998, pp.221-242.
[5] A. Canteaut, "Attaques de cryptosystèmes à mots de poids faible et construction de fonctions t-résilientes" (Attacks on low-weight-word cryptosystems and construction of t-resilient functions), PhD thesis, Université Paris 6, October 1996.
[6] R. G. Gallager, "Low-Density Parity-Check codes", PhD thesis, MIT, July 1963.
[7] D. J. C. MacKay, "Good error-correcting codes based on very sparse matrices", IEEE Transactions on Information Theory, vol. 45, pp. 399-431, March 1999.
[8] D. J. C. MacKay, "Near Shannon limit performance of low density parity check codes", Electronics Letters, vol. 33, pp. 457-458, March 1997.
[9] J. Chen and M. P. C. Fossorier, "Near optimum universal belief propagation based decoding of Low-Density Parity Check codes", IEEE Transactions on Communications, vol. 50, pp. 406-414, March 2002.