PALOMA: Binary Separable Goppa-Based KEM

  • Conference paper
  • Code-Based Cryptography (CBCrypto 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14311)

Abstract

In this paper, we propose PALOMA, a new code-based key encapsulation mechanism designed by combining an NP-hard SDP (Syndrome Decoding Problem)-based trapdoor with a binary separable Goppa code and the FO (Fujisaki-Okamoto) transformation. Cryptographic schemes based on an SDP defined with a binary Goppa code have not been found to be vulnerable to critical attacks, and the FO transformation ensures IND-CCA2 security in the ROM (Random Oracle Model). This combination is highly regarded in the cryptographic community for its strong security guarantees. PALOMA has a public key size of approximately 300 KB or more due to its SDP-based trapdoor. Furthermore, the key generation process, which involves generating the parity-check matrix of the scrambled Goppa code, is relatively slow compared to other post-quantum ciphers. However, a primary role of post-quantum cryptography is to serve as an alternative to current cryptosystems that are vulnerable to quantum computing attacks. Therefore, in post-quantum cryptography, ensuring strong security guarantees is more important than efficiency. Consequently, we have designed PALOMA with a focus on conservative security guarantees, while ensuring that there is no significant degradation in application quality.

References

  1. Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): How 1+1 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31

  2. Berlekamp, E.: Nonbinary BCH decoding (abstr.). IEEE Trans. Inf. Theory 14(2), 242–242 (1968)

  3. Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability of certain coding problems (corresp.). IEEE Trans. Inf. Theory 24(3), 384–386 (1978)

  4. Bernstein, D., et al.: Classic McEliece (2017)

  5. Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the McEliece cryptosystem. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 31–46. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_3

  6. Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: ball-collision decoding. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 743–760. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_42

  7. Bezzateev, S.V., Noskov, I.K.: Patterson algorithm for decoding separable binary Goppa codes. In: 2019 Wave Electronics and its Application in Information and Telecommunication Systems (WECONF), pp. 1–5 (2019)

  8. Bezzateev, S., Shekhunova, N.: Totally decomposed cumulative Goppa codes with improved estimations. Designs, Codes and Cryptography 87(2) (2019)

  9. Canteaut, A., Chabanne, H.: A Further Improvement of the Work Factor in an Attempt at Breaking McEliece’s Cryptosystem. Rapports de recherche, Institut national de recherche en informatique et en automatique (INRIA), Unité de recherche Rocquencourt (1994)

  10. Faugère, J.C., Gauthier-Umanã, V., Otmani, A., Perret, L., Tillich, J.P.: A distinguisher for high rate McEliece cryptosystems. In: 2011 IEEE Information Theory Workshop, pp. 282–286 (2011)

  11. Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_6

  12. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34

  13. Goppa, V.D.: A new class of linear error-correcting codes. Probl. Inf. Transm. 6, 300–304 (1970)

  14. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) Theory of Cryptography, pp. 341–371. Springer, Cham (2017)

  15. Karp, R.M.: Reducibility among Combinatorial Problems, pp. 85–103. Springer US, Boston, MA (1972)

  16. Kim, D.-C., Hong, D., Lee, J.-K., Kim, W.-H., Kwon, D.: LSH: a new fast secure hash function family. In: Lee, J., Kim, J. (eds.) ICISC 2014. LNCS, vol. 8949, pp. 286–313. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15943-0_18

  17. Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: Barstow, D., Brauer, W., Brinch Hansen, P., Gries, D., Luckham, D., Moler, C., Pnueli, A., Seegmüller, G., Stoer, J., Wirth, N., Günther, C.G. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 275–280. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_25

  18. Leon, J.S.: A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Trans. Inf. Theory 34(5), 1354–1359 (1988)

  19. Massey, J.: Shift-register synthesis and BCH decoding. IEEE Trans. Inf. Theory 15(1), 122–127 (1969)

  20. May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(o(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) Advances in Cryptology - ASIACRYPT 2011, pp. 107–124. Springer, Heidelberg (2011)

  21. May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_9

  22. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Deep Space Network Progress Report 44, 114–116 (1978)

  23. Minder, L., Shokrollahi, A.: Cryptanalysis of the Sidelnikov cryptosystem. In: Naor, M. (ed.) Advances in Cryptology - EUROCRYPT 2007, pp. 347–360. Springer, Heidelberg (2007)

  24. Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. In: Problems of Control and Information Theory 15, pp. 159–166 (1986)

  25. Patterson, N.: The algebraic decoding of Goppa codes. IEEE Trans. Inf. Theor. 21(2), 203–207 (2006)

  26. Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962)

  27. Sidelnikov, V.M., Shestakov, S.O.: On insecurity of cryptosystems based on generalized Reed-Solomon codes. Discret. Math. Appl. 2(4), 439–444 (1992)

  28. Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989). https://doi.org/10.1007/BFb0019850

  29. Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP Transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8

Acknowledgements

We are grateful to the anonymous reviewers for their help in improving the quality of the paper. This work was supported by the Ministry of Education of the Republic of Korea and the National Research Foundation of Korea (No.NRF-2021R1F1A1062305).

Author information

Correspondence to Dong-Chan Kim.

Appendices

A Mathematical Background

In this section, we provide the necessary mathematical background to understand the operating principles of PALOMA.

A.1 Syndrome Decoding Problem

SDP is the problem of finding a syndrome preimage vector with a specific Hamming weight. The formal definition of SDP is as follows.

Definition 1

(SDP). Given a parity-check matrix \({\textbf {H}}\in {\mathbb {F}}_{2}^{(n-k)\times n}\) of a random binary linear code \(\mathcal {C}=[n,k]_{2}\), a syndrome \(s \in {\mathbb {F}}_{2}^{n-k}\) and \(t\in \{1,\ldots ,n\}\), find the vector \(e\in {\mathbb {F}}_{2}^{n}\) that satisfies \({\textbf {H}}e = s\) and \(w_{H}(e) = t\).

SDP was shown to be NP-hard in 1978 by a reduction from the 3-dimensional matching problem [3, 15].

Number of Roots of SDP. Let d be the minimum Hamming distance of the code. A preimage vector with Hamming weight at most \(\left\lfloor {\frac{d-1}{2}} \right\rfloor \) is unique: two distinct such vectors with the same syndrome would differ by a nonzero codeword of weight at most \(d-1\). Generally, in SDP-based schemes, the Hamming weight condition t of the SDP is therefore set to \(\left\lfloor {\frac{d-1}{2}} \right\rfloor \) to guarantee uniqueness of the root.
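The uniqueness claim just stated, checked by brute force on a small constructed code, as an added Python example (not code from the paper): the parity-check matrix, the weight bound and the function names are assumptions made for illustration.

```python
# Added example (not from the paper): the uniqueness claim above checked by brute
# force on a constructed toy code. H is the 3 x 7 parity-check matrix of the [7,4]
# Hamming code (minimum distance d = 3), stored as 7 column bitmasks: column j is
# the binary expansion of j + 1. All values are constructed for illustration.
from itertools import combinations

H_COLS = [1, 2, 3, 4, 5, 6, 7]

def syndrome(cols, support):
    """H e over F_2 for the vector e with ones exactly at the positions in support."""
    s = 0
    for j in support:
        s ^= cols[j]
    return s

def min_distance(cols):
    """Smallest weight of a nonzero e with H e = 0 (exhaustive search)."""
    n = len(cols)
    for w in range(1, n + 1):
        if any(syndrome(cols, sup) == 0 for sup in combinations(range(n), w)):
            return w
    raise ValueError("H has a trivial kernel")

def unique_radius(cols):
    """floor((d-1)/2): the weight bound up to which an SDP preimage is unique."""
    return (min_distance(cols) - 1) // 2

def preimages(cols, s, wmax):
    """All e with w_H(e) <= wmax and H e = s, as tuples of one-positions."""
    n = len(cols)
    return [sup for w in range(wmax + 1)
            for sup in combinations(range(n), w) if syndrome(cols, sup) == s]

def max_preimage_count(cols, wmax):
    """Largest number of weight-<=wmax preimages that any syndrome has (1 = unique)."""
    n_syndromes = 1 << max(cols).bit_length()
    return max(len(preimages(cols, s, wmax)) for s in range(n_syndromes))
```

With `wmax = unique_radius(H_COLS) = 1` every syndrome has exactly one preimage (the [7,4] Hamming code is perfect, so the 8 vectors of weight at most 1 map bijectively onto the 8 syndromes); with `wmax = 2` the syndrome 3 already has the three preimages `(2,)`, `(0, 1)` and `(3, 6)`, which is why a scheme must fix the weight at or below the radius.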

A.2 Binary Separable Goppa Code

Binary separable Goppa codes are special cases of algebraic-geometric codes proposed by V. D. Goppa in 1970 [13]. The formal definition of a binary separable Goppa code over \({\mathbb {F}}_{2}\) is as follows.

Definition 2 (Binary Separable Goppa code)

For a set of distinct \(n(\le 2^{m})\) elements \(L=[\alpha _{0},\alpha _{1},\ldots ,\alpha _{n-1}]\) of \({\mathbb {F}}_{2^m}\) and a separable polynomial \(g(X)=\sum _{j=0}^t g_j X^j\in {\mathbb {F}}_{2^m}[X]\) of degree t such that none of the elements of L are roots of g(X), i.e., \(g(\alpha )\not =0\) for all \(\alpha \in L\), a binary separable Goppa code of length n over \({\mathbb {F}}_{2}\) is the subspace \(\mathcal {C}_{L,g}\) of \({\mathbb {F}}_{2}^{n}\) defined by

$$\begin{aligned} \mathcal {C}_{L,g} := \{(c_{0},\ldots ,c_{n-1})\in {\mathbb {F}}_{2}^n : \sum _{j=0}^{n-1} c_j (X-\alpha _j)^{-1} \equiv 0 \pmod {g(X)}\}, \end{aligned}$$

where \((X-\alpha )^{-1}\) is the polynomial of degree \(t-1\) satisfying \((X-\alpha )^{-1} (X-\alpha )\equiv 1 {\pmod {g(X)}}\). L and g(X) are referred to as a support set and a Goppa polynomial, respectively.

Dimension and Minimum Hamming Distance. The dimension k and the minimum Hamming distance d of \(\mathcal {C}_{L,g}\) satisfy \(k \ge n -mt\) and \(d \ge 2t + 1\). PALOMA sets the dimension k of \(\mathcal {C}_{L,g}\) to \(n-mt\) and the Hamming weight condition of the SDP to t; since \(d \ge 2t+1\) gives \(t \le \left\lfloor {\frac{d-1}{2}} \right\rfloor \), this ensures the uniqueness of the root.

Parity-Check Matrix. The parity-check matrix \({\textbf {H}}\) of \(\mathcal {C}_{L,g}\) is built from the coefficients of the degree-\((t-1)\) polynomials \((X-\alpha _j)^{-1}\), and \({\textbf {H}}\) can be decomposed into \({\textbf {A}}{\textbf {B}}{\textbf {C}}\), defined by

(2)

Since the matrix \({\textbf {A}}\) is invertible (\(g_t\not =0\)), \({\textbf {B}}{\textbf {C}}\) is another parity-check matrix of \(\mathcal {C}_{L,g}\). Classic McEliece uses \({\textbf {B}}{\textbf {C}}\) as a parity-check matrix.

A.3 Extended Patterson for Binary Separable Goppa code

Patterson decoding was designed for binary irreducible Goppa codes, not for separable ones; it can, however, be extended to binary separable Goppa codes [7, 25]. Given a syndrome vector \(s\in {\mathbb {F}}_{2}^{n-k}\), the extended Patterson decoding procedure for finding the preimage vector \(e\in {\mathbb {F}}_{2}^n\) of s with \(w_H(e) = t\) is as follows. (In coding theory, the preimage vector is called the error vector.)

Step 1. Convert the syndrome vector s into the syndrome polynomial \(s(X)\in {\mathbb {F}}_{2^m}[X]\) of degree t or less.

Step 2. Derive the key equation for finding the error locator polynomial \(\sigma (X)\in {\mathbb {F}}_{2^m}[X]\) of degree t.

Step 3. Solve the key equation using the extended Euclidean algorithm.

Step 4. Calculate \(\sigma (X)\) from the solution of the key equation.

Step 5. Find all roots of \(\sigma (X)\) and compute the preimage vector e. At this stage, to ensure resistance against timing attacks, PALOMA uses exhaustive search over the field rather than a data-dependent root-finding method.

In the above procedure, the error locator polynomial is \(\sigma (X)=\prod _{j\in \textrm{supp}\left( e\right) } (X - \alpha _j) \in {\mathbb {F}}_{2^m}[X]\), and it satisfies the following identity.

$$\begin{aligned} \sigma (X)s(X) \equiv \sigma '(X) \pmod {g(X)}. \end{aligned}$$
(3)

Note that \(\sigma (X)\) satisfying Eq. (3) is unique since the number of errors is t. In \({\mathbb {F}}_{2^{m}}[X]\), every polynomial f(X) of degree at most t can be written as \(f(X) = a(X)^2 + b(X)^2 X\) with \(\deg (a) \le \left\lfloor {{t}/{2}} \right\rfloor \) and \(\deg (b) \le \left\lfloor {{(t-1)}/{2}} \right\rfloor \), by splitting f(X) into its even- and odd-degree terms (every element of \({\mathbb {F}}_{2^{m}}\) is a square). Writing \(\sigma (X) = a(X)^2 + b(X)^2 X\), we have \(\sigma '(X) = b(X)^2\) in characteristic 2, so Eq. (3) can be rewritten as follows.

$$\begin{aligned} b(X)^2 (1 + X s(X)) \equiv a(X)^2\,s(X) \pmod {g(X)}. \end{aligned}$$
(4)

When g(X) is irreducible, \(s^{-1}(X)\) and \(\sqrt{s^{-1}(X) + X}\) exist modulo g(X). Patterson decoding uses the extended Euclidean algorithm to find a(X) and b(X) satisfying the following key equation, from which the error locator polynomial \(\sigma (X) = a(X)^2 + b(X)^2 X\) is assembled.

$$\begin{aligned} b(X) \sqrt{(s^{-1}(X) + X)} \equiv a(X) \pmod {g(X)},\ \deg (a) \le \left\lfloor {{t}/{2}} \right\rfloor ,\ \deg (b) \le \left\lfloor {{(t-1)}/{2}} \right\rfloor . \end{aligned}$$

However, if g(X) is separable but not irreducible, the existence of \(s^{-1}(X)\) modulo g(X) cannot be guaranteed, because g(X) and s(X) are not guaranteed to be relatively prime.

We define

$$\begin{aligned} \begin{gathered} \widetilde{s}(X) := 1+ Xs(X), \quad g_1(X) := \gcd (g(X), s(X)),\quad g_2(X) := \gcd (g(X), \widetilde{s}(X)). \end{gathered} \end{aligned}$$

Since \(\gcd (s(X), \widetilde{s}(X))= \gcd (s(X), \widetilde{s}(X) \bmod s(X)) = \gcd (s(X), 1 ) \in {\mathbb {F}}_{2^m} \setminus \{0\}\), we know

[Figure h: equation rendered as an image in the original, not reproduced in this extraction.]

Therefore, the following polynomials can be defined in \({\mathbb {F}}_{2^m}[X]\).

$$\begin{aligned} \begin{gathered} {b_1}(X):=\frac{b(X)}{g_1(X)}, \quad {a_2}(X):=\frac{a(X)}{g_2(X)}, \quad {g_{12}}(X):=\frac{g(X)}{g_1(X)g_2(X)}, \\ {\widetilde{s}_2}(X):= \frac{\widetilde{s}(X)}{g_2(X)}, \quad {s_1}(X):=\frac{s(X)}{g_1(X)}. \end{gathered} \end{aligned}$$

Equation (4) can be rewritten as follows.

$$\begin{aligned} &b(X)^2 \widetilde{s}(X) \equiv a(X)^2\,s(X) \pmod {g(X)}\\ &\Rightarrow \ b_1^2(X)g_1(X) \widetilde{s}_2(X) \equiv a_2^2(X)g_2(X)s_1(X) \pmod {g_{12}(X)}. \end{aligned}$$

Because both \(\gcd (g_2(X), g_{12}(X))\) and \(\gcd (s_1(X), g_{12}(X))\) are elements of \({\mathbb {F}}_{2^m}\), i.e., nonzero constants, so is \(\gcd ( g_2(X) s_1(X), g_{12}(X))\). Therefore \(g_2(X)s_1(X)\) is invertible modulo \(g_{12}(X)\), and we have the following equation.

$$\begin{aligned} b_1^2(X)u(X)\equiv a_2^2(X) \pmod {g_{12}(X)}\ \text { where }u(X):=g_1(X) \widetilde{s}_2(X) (g_2(X)s_1(X))^{-1}. \end{aligned}$$

Since u(X) has a square root modulo \(g_{12}(X)\) (Remark 2), \(a(X)=a_2(X)g_2(X)\) and \(b(X)=b_1(X)g_1(X)\) are obtained by calculating \(a_2(X)\) and \(b_1(X)\) that satisfy the following key equation using the extended Euclidean algorithm.

$$\begin{aligned} \begin{gathered} b_1(X) \sqrt{u(X)}\equiv a_2(X) \pmod {g_{12}(X)},\\ \deg (a_2) \le \left\lfloor {{t}/{2}} \right\rfloor -\deg (g_{2}),\ \deg (b_1) \le \left\lfloor {{(t-1)}/{2}} \right\rfloor -\deg (g_{1}). \end{gathered} \end{aligned}$$

Remark 2

Since all elements of \({\mathbb {F}}_{2^{13}}\) are roots of the equation \(X^{2^{13}} - X = 0\) and \(g_{12}(X) \mid X^{2^{13}} - X\), we know \(\sqrt{X} = X^{2^{12}} \bmod {g_{12}(X)}\). A polynomial \(u(X)=\sum _{i=0}^{l}u_iX^i \in {\mathbb {F}}_{2^{13}}[X]\) of degree l can be written as \( u(X) =({\sum _{i=0}^{\left\lfloor {{l}/{2}} \right\rfloor } \sqrt{u_{2i}}X^{i}})^2 + ({\sum _{i=0}^{\left\lfloor {{(l-1)}/{2}} \right\rfloor } \sqrt{u_{2i+1}}X^{i}})^2X\) where \(\sqrt{u_j} = (u_j)^{2^{12}}\) for all j. Thus, the square root \(\sqrt{u(X)}\) of u(X) modulo \(g_{12}(X)\) is

$$\begin{aligned} \sqrt{u(X)} = \left( {\sum _{i=0}^{\left\lfloor {{l}/{2}} \right\rfloor } \sqrt{u_{2i}}X^{i}}\right) + \left( {\sum _{i=0}^{\left\lfloor {{(l-1)}/{2}} \right\rfloor } \sqrt{u_{2i+1}}X^{i}}\right) \sqrt{X} \bmod {g_{12}(X)}. \end{aligned}$$
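The construction of Definition 2 and the parity-check matrix of A.2, together with the square-root step of Remark 2, as one added Python example (not code from the paper or from PALOMA): it builds a toy binary separable Goppa code over \({\mathbb {F}}_{16}\) with m = 4, t = 2 and the reducible separable polynomial g(X) = X(X+1), assembles the binary parity-check matrix from the coefficients of \((X-\alpha _j)^{-1} \bmod g(X)\), verifies \(k \ge n - mt\) and \(d \ge 2t+1\) by exhaustive enumeration, and computes \(\sqrt{u(X)} \bmod g(X)\) via \(\sqrt{X} = X^{2^{m-1}}\). The field polynomial, the choice of g(X) and L, and all function names are assumptions made for this example.

```python
# Added example (not code from the paper or from PALOMA): a toy binary separable Goppa
# code over F_16 (m = 4, t = 2) built as in Definition 2, with k >= n - mt and
# d >= 2t + 1 checked by brute force, plus the square root modulo g(X) of Remark 2.
# F_16 = F_2[x]/(x^4 + x + 1); elements are ints 0..15, addition is XOR. Constructed.
M = 4                    # extension degree m (PALOMA itself uses m = 13)
FIELD_POLY = 0b10011     # x^4 + x + 1, irreducible over F_2
ORDER = 1 << M           # |F_16|

def gf_mul(a, b):
    """Multiply in F_16: shift-and-add, reducing by FIELD_POLY on overflow."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & ORDER:
            a ^= FIELD_POLY
    return r

def gf_pow(a, e):
    """Square-and-multiply in F_16."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def gf_inv(a): return gf_pow(a, ORDER - 2)    # a^(2^m - 2) = a^-1 for a != 0
def gf_sqrt(a): return gf_pow(a, ORDER >> 1)  # a^(2^(m-1)) squares back to a

def poly_eval(p, x):
    """Horner evaluation of p(X) = sum p[i] X^i (coefficients low degree first)."""
    acc = 0
    for c in reversed(p):
        acc = gf_mul(acc, x) ^ c
    return acc

def poly_mulmod(a, b, g):
    """a(X) b(X) mod g(X) over F_16; g monic of degree t, result has t coefficients."""
    t = len(g) - 1
    prod = [0] * max(len(a) + len(b) - 1, t)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] ^= gf_mul(ai, bj)
    for d in range(len(prod) - 1, t - 1, -1):     # cancel X^d with X^(d-t) g(X)
        if prod[d]:
            c = prod[d]
            for i in range(t + 1):
                prod[d - t + i] ^= gf_mul(c, g[i])
    return prod[:t]

def inv_x_plus_alpha(g, alpha):
    """(X - alpha)^{-1} mod g (char 2: X - alpha = X + alpha). Synthetic division gives
    q with (X + alpha) q(X) = g(X) + g(alpha), so the inverse is q(X) / g(alpha); this
    needs g(alpha) != 0, which is exactly the condition on the support set L."""
    t = len(g) - 1
    q, acc = [0] * t, 0
    for i in range(t, 0, -1):
        acc = gf_mul(acc, alpha) ^ g[i]
        q[i - 1] = acc
    scale = gf_inv(poly_eval(g, alpha))
    return [gf_mul(c, scale) for c in q]

def goppa_parity_check(L, g):
    """Binary H as n column bitmasks of m*t bits: row block i of column j holds the
    m-bit image of the X^i coefficient of (X - alpha_j)^{-1} mod g."""
    return [sum(c << (M * i) for i, c in enumerate(inv_x_plus_alpha(g, a))) for a in L]

def code_parameters(cols):
    """(k, d) of ker H by enumerating all of F_2^n (fine for n <= ~20)."""
    n, count, dmin = len(cols), 0, len(cols) + 1
    for bits in range(1 << n):
        syn = 0
        for j in range(n):
            if bits >> j & 1:
                syn ^= cols[j]
        if syn == 0:
            count += 1
            w = bin(bits).count("1")
            if 0 < w < dmin:
                dmin = w
    return count.bit_length() - 1, dmin           # |ker H| = 2^k

def poly_sqrt_mod(u, g):
    """sqrt(u) mod g as in Remark 2: u = E(X)^2 + O(X)^2 X with E, O built from the
    square roots of the even/odd coefficients, and sqrt(X) = X^(2^(m-1)) mod g; valid
    because g splits into distinct linear factors over F_16, so g | X^16 - X."""
    even = [gf_sqrt(c) for c in u[0::2]]
    odd = [gf_sqrt(c) for c in u[1::2]]
    sqrt_x = [0, 1]                                # the polynomial X
    for _ in range(M - 1):                         # m-1 squarings give X^(2^(m-1))
        sqrt_x = poly_mulmod(sqrt_x, sqrt_x, g)
    res = poly_mulmod(odd, sqrt_x, g)
    for i, c in enumerate(even):
        res[i] ^= c
    return res

# Constructed parameters: g(X) = X^2 + X = X(X + 1) is separable but reducible; its
# roots 0 and 1 are excluded from L, so n = 14, mt = 8 and n - mt = 6.
G = [0, 1, 1]                                      # g_0, g_1, g_2
L_SUPPORT = [a for a in range(ORDER) if poly_eval(G, a) != 0]
```

Because g(X) = X(X+1) splits into distinct linear factors over \({\mathbb {F}}_{16}\), squaring is a bijection on \({\mathbb {F}}_{16}[X]/(g(X))\), so `poly_sqrt_mod(poly_mulmod(r, r, G), G)` returns r itself; the same divisibility argument is what gives \(g_{12}(X) \mid X^{2^{13}} - X\) in Remark 2 for the PALOMA parameters. The exhaustive `code_parameters` is only viable at toy size; for real parameters k is n minus the rank of \({\textbf {H}}\) over \({\mathbb {F}}_2\).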

B Pseudo codes for PALOMA

In this section, we provide pseudo codes of the functions used in PALOMA.

[Figures i–m: pseudo codes of the PALOMA functions, rendered as images in the original and not reproduced in this extraction.]

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Kim, D.-C., Jeon, C.-Y., Kim, Y., Kim, M. (2023). PALOMA: Binary Separable Goppa-Based KEM. In: Esser, A., Santini, P. (eds) Code-Based Cryptography. CBCrypto 2023. Lecture Notes in Computer Science, vol 14311. Springer, Cham. https://doi.org/10.1007/978-3-031-46495-9_8

  • DOI: https://doi.org/10.1007/978-3-031-46495-9_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-46494-2

  • Online ISBN: 978-3-031-46495-9
