Abstract
In this paper, we propose PALOMA, a new code-based key encapsulation mechanism, designed by combining an NP-hard SDP (syndrome decoding problem)-based trapdoor with a binary separable Goppa code and the FO (Fujisaki-Okamoto) transformation. Cryptographic schemes based on an SDP defined with a binary Goppa code have not been found to be vulnerable to any critical attack, and the FO transformation ensures IND-CCA2 security in the ROM (random oracle model). This combination is highly regarded in the cryptographic community for its strong security guarantees. Because of its SDP-based trapdoor, PALOMA has a public key size of approximately 300 KB or more. Furthermore, key generation, which involves generating the parity-check matrix of the scrambled Goppa code, is relatively slow compared to other post-quantum ciphers. However, a primary role of post-quantum cryptography is to serve as an alternative to current cryptosystems that are vulnerable to quantum computing attacks, so in post-quantum cryptography ensuring strong security guarantees is more important than efficiency. Consequently, we have designed PALOMA with a focus on conservative security guarantees, while ensuring that there is no significant degradation in application quality.
References
Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): how 1+1=0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31
Berlekamp, E.: Nonbinary BCH decoding (abstr.). IEEE Trans. Inf. Theory 14(2), 242 (1968)
Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability of certain coding problems (corresp.). IEEE Trans. Inf. Theory 24(3), 384–386 (1978)
Bernstein, D.J., et al.: Classic McEliece (2017)
Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the McEliece cryptosystem. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 31–46. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_3
Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: ball-collision decoding. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 743–760. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_42
Bezzateev, S.V., Noskov, I.K.: Patterson algorithm for decoding separable binary Goppa codes. In: 2019 Wave Electronics and its Application in Information and Telecommunication Systems (WECONF), pp. 1–5 (2019)
Bezzateev, S., Shekhunova, N.: Totally decomposed cumulative Goppa codes with improved estimations. Designs, Codes and Cryptography 87(2), March 2019
Canteaut, A., Chabanne, H.: A further improvement of the work factor in an attempt at breaking McEliece's cryptosystem. Rapports de recherche, Institut national de recherche en informatique et en automatique (INRIA), Rocquencourt (1994)
Faugère, J.C., Gauthier-Umaña, V., Otmani, A., Perret, L., Tillich, J.P.: A distinguisher for high rate McEliece cryptosystems. In: 2011 IEEE Information Theory Workshop, pp. 282–286 (2011)
Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_6
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
Goppa, V.D.: A new class of linear error-correcting codes. Probl. Inf. Transm. 6, 300–304 (1970)
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) Theory of Cryptography (TCC 2017), pp. 341–371. Springer, Cham (2017)
Karp, R.M.: Reducibility among Combinatorial Problems, pp. 85–103. Springer, US, Boston, MA (1972)
Kim, D.-C., Hong, D., Lee, J.-K., Kim, W.-H., Kwon, D.: LSH: a new fast secure hash function family. In: Lee, J., Kim, J. (eds.) ICISC 2014. LNCS, vol. 8949, pp. 286–313. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15943-0_18
Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: Barstow, D., Brauer, W., Brinch Hansen, P., Gries, D., Luckham, D., Moler, C., Pnueli, A., Seegmüller, G., Stoer, J., Wirth, N., Günther, C.G. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 275–280. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_25
Leon, J.S.: A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Trans. Inf. Theory 34(5), 1354–1359 (1988)
Massey, J.: Shift-register synthesis and BCH decoding. IEEE Trans. Inf. Theory 15(1), 122–127 (1969)
May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\mathcal {O}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) Advances in Cryptology - ASIACRYPT 2011, pp. 107–124. Springer, Heidelberg (2011)
May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_9
McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Deep Space Network Progress Report 44, 114–116 (1978)
Minder, L., Shokrollahi, A.: Cryptanalysis of the Sidelnikov cryptosystem. In: Naor, M. (ed.) Advances in Cryptology - EUROCRYPT 2007, pp. 347–360. Springer, Heidelberg (2007)
Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory 15, 159–166 (1986)
Patterson, N.: The algebraic decoding of Goppa codes. IEEE Trans. Inf. Theory 21(2), 203–207 (2006)
Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962)
Sidelnikov, V.M., Shestakov, S.O.: On insecurity of cryptosystems based on generalized Reed-Solomon codes. Discret. Math. Appl. 2(4), 439–444 (1992)
Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989). https://doi.org/10.1007/BFb0019850
Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP Transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8
Acknowledgements
We are grateful to the anonymous reviewers for their help in improving the quality of the paper. This work was supported by the Ministry of Education of the Republic of Korea and the National Research Foundation of Korea (No. NRF-2021R1F1A1062305).
Appendices
A Mathematical Background
In this section, we provide the necessary mathematical background to understand the operating principles of PALOMA.
A.1 Syndrome Decoding Problem
SDP is the problem of finding a syndrome preimage vector with a specific Hamming weight. The formal definition of SDP is as follows.
Definition 1 (SDP). Given a parity-check matrix \({\textbf {H}}\in {\mathbb {F}}_{2}^{(n-k)\times n}\) of a random binary linear code \(\mathcal {C}=[n,k]_{2}\), a syndrome \(s \in {\mathbb {F}}_{2}^{n-k}\) and \(t\in \{1,\ldots ,n\}\), find a vector \(e\in {\mathbb {F}}_{2}^{n}\) that satisfies \({\textbf {H}}e = s\) and \(w_{H}(e) = t\).
SDP has been proven to be an NP-hard problem due to its equivalence to the 3-dimensional matching problem, as demonstrated in 1978 [3, 15].
Number of Roots of SDP. If the code has minimum Hamming distance d, a preimage vector of Hamming weight at most \(\left\lfloor {\frac{d-1}{2}} \right\rfloor \) is unique whenever it exists. Consequently, SDP-based schemes generally set the Hamming-weight parameter of the SDP (t in Definition 1) to \(\left\lfloor {\frac{d-1}{2}} \right\rfloor \) so that the root is unique.
A.2 Binary Separable Goppa Code
Binary separable Goppa codes are special cases of algebraic-geometric codes proposed by V. D. Goppa in 1970 [13]. The formal definition of a binary separable Goppa code over \({\mathbb {F}}_{2}\) is as follows.
Definition 2 (Binary Separable Goppa code). For a set \(L=[\alpha _{0},\alpha _{1},\ldots ,\alpha _{n-1}]\) of \(n\ (\le 2^{m})\) distinct elements of \({\mathbb {F}}_{2^m}\) and a separable polynomial \(g(X)=\sum _{j=0}^t g_j X^j\in {\mathbb {F}}_{2^m}[X]\) of degree t such that no element of L is a root of g(X), i.e., \(g(\alpha )\not =0\) for all \(\alpha \in L\), the binary separable Goppa code of length n over \({\mathbb {F}}_{2}\) is the subspace \(\mathcal {C}_{L,g}\) of \({\mathbb {F}}_{2}^{n}\) defined by
where \((X-\alpha )^{-1}\) is the polynomial of degree \(t-1\) satisfying \((X-\alpha )^{-1} (X-\alpha )\equiv 1 {\pmod {g(X)}}\). L and g(X) are referred to as a support set and a Goppa polynomial, respectively.
Dimension and Minimum Hamming Distance. The dimension k and the minimum Hamming distance d of \(\mathcal {C}_{L,g}\) satisfy \(k \ge n -mt\) and \(d \ge 2t + 1\). PALOMA sets the dimension k of \(\mathcal {C}_{L,g}\) to \(n-mt\) and the Hamming-weight condition of the SDP to t, which ensures the uniqueness of the root since \(t \le \left\lfloor {\frac{d-1}{2}} \right\rfloor \).
Parity-Check Matrix. The parity-check matrix \({\textbf {H}}\) of \(\mathcal {C}_{L,g}\) is built from the coefficients of the degree-\((t-1)\) polynomials \((X-\alpha _j)^{-1}\), one column per \(\alpha _j\in L\), and \({\textbf {H}}\) can be factored as \({\textbf {A}}{\textbf {B}}{\textbf {C}}\), defined by
Since the matrix \({\textbf {A}}\) is invertible (\(g_t\not =0\)), \({\textbf {B}}{\textbf {C}}\) is another parity-check matrix of \(\mathcal {C}_{L,g}\). Classic McEliece uses \({\textbf {B}}{\textbf {C}}\) as a parity-check matrix.
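The following Python is an added illustration of Definitions 1 and 2, not code from the paper or from the PALOMA implementation: it builds the binary parity-check matrix of a toy separable Goppa code column by column from the coefficients of \((X-\alpha_j)^{-1} \bmod g(X)\), then verifies the two facts Appendix A relies on, namely \(k = n - mt\) and that every error of weight at most t has its own syndrome (equivalently \(d \ge 2t+1\)), which is what makes the SDP root unique. The field \({\mathbb {F}}_{2^4}\), its modulus and the Goppa polynomial \(g(X)=X(X+1)\) are constructed toy choices; PALOMA uses \(m=13\).

```python
from itertools import combinations
M, MOD = 4, 0b10011  # toy field F_{2^4}, modulus x^4+x+1 (constructed; PALOMA uses m = 13)
def gf_mul(a, b):  # product of two F_{2^m} elements held as m-bit integers
    r = 0
    while b:
        if b & 1: r ^= a
        b, a = b >> 1, a << 1
        if a >> M: a ^= MOD
    return r
def gf_inv(a):  # inverse of nonzero a by search (fine for a 16-element toy field)
    return next(b for b in range(1, 2**M) if gf_mul(a, b) == 1)
def poly_eval(p, x):  # Horner evaluation of p = [p_0, p_1, ...] at x
    acc = 0
    for c in reversed(p): acc = gf_mul(acc, x) ^ c
    return acc

def inv_linear_mod_g(g, alpha):  # coefficients of (X-alpha)^{-1} mod g(X), degree t-1
    # char-2 identity: (X-alpha)^{-1} = g(alpha)^{-1} * (g(X)+g(alpha))/(X-alpha); q is that quotient
    t = len(g) - 1
    q = [0] * t; q[t-1] = g[t]
    for i in range(t - 1, 0, -1): q[i-1] = g[i] ^ gf_mul(alpha, q[i])
    ga_inv = gf_inv(poly_eval(g, alpha))
    return [gf_mul(ga_inv, c) for c in q]

def goppa_parity_check(L, g):  # binary (m*t) x n matrix H, one integer per column
    # column j packs the m-bit expansion of each of the t coefficients of (X-alpha_j)^{-1}
    return [sum(c << (M*i) for i, c in enumerate(inv_linear_mod_g(g, a))) for a in L]
def syndrome(H, e):  # H*e for the error vector e given by its support (XOR of columns)
    s = 0
    for j in e: s ^= H[j]
    return s

def gf2_rank(vectors):  # rank over F_2 by Gaussian elimination on integer bit-vectors
    rank, vecs = 0, [v for v in vectors if v]
    while vecs:
        v = vecs.pop(); rank += 1; top = v.bit_length() - 1
        vecs = [x for x in (w ^ v if (w >> top) & 1 else w for w in vecs) if x]
    return rank

def syndromes_distinct_up_to(H, n, t):  # all e with w_H(e) <= t have distinct syndromes <=> d >= 2t+1
    synd = [syndrome(H, e) for w in range(t + 1) for e in combinations(range(n), w)]
    return len(set(synd)) == len(synd)

# Constructed instance: g(X) = X^2 + X = X(X+1) is separable but not irreducible, so L is
# F_16 minus its roots {0, 1}: n = 14, t = 2, m*t = 8; expect k = n - m*t = 6 and d >= 5.
G = [0, 1, 1]
L = [a for a in range(2**M) if poly_eval(G, a) != 0]
H = goppa_parity_check(L, G)
K = len(L) - gf2_rank(H)
```

Raising the weight bound past t (for example to 4) makes `syndromes_distinct_up_to` return False, since more error patterns than syndromes exist and the SDP root is no longer unique.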
A.3 Extended Patterson Decoding for Binary Separable Goppa Codes
Patterson decoding was designed for binary irreducible Goppa codes, not for separable ones; however, it can be extended to binary separable Goppa codes [7, 25]. Given a syndrome vector \(s\in {\mathbb {F}}_{2}^{n-k}\), the extended Patterson procedure for finding the preimage vector \(e\in {\mathbb {F}}_{2}^n\) of s with \(w_H(e) = t\) is as follows. (In coding theory, the preimage vector is called an error vector.)
Step 1. Convert the syndrome vector s into the syndrome polynomial \(s(X)\in {\mathbb {F}}_{2^m}[X]\) of degree t or less.
Step 2. Derive the key equation for finding the error locator polynomial \(\sigma (X)\in {\mathbb {F}}_{2^m}[X]\) of degree t.
Step 3. Solve the key equation using the extended Euclidean algorithm.
Step 4. Compute \(\sigma (X)\) from the solution of the key equation.
Step 5. Find all roots of \(\sigma (X)\) and compute the preimage vector e. At this stage, to resist timing attacks, PALOMA finds the roots by exhaustive search.
In the above procedure, the error locator polynomial is \(\sigma (X)=\prod _{j\in \textrm{supp}\left( e\right) } (X - \alpha _j) \in {\mathbb {F}}_{2^m}[X]\), and it satisfies the following identity.
Note that the \(\sigma (X)\) satisfying Eq. (3) is unique since the number of errors is t. In \({\mathbb {F}}_{2^{m}}[X]\), every polynomial f(X) of degree at most t can be written as \(f(X) = a(X)^2 + b(X)^2 X\) for polynomials a(X) and b(X) with \(\deg (a) \le \left\lfloor {{t}/{2}} \right\rfloor \) and \(\deg (b) \le \left\lfloor {{(t-1)}/{2}} \right\rfloor \). Thus, writing \(\sigma (X) = a(X)^2 + b(X)^2 X\), Eq. (3) can be rewritten as follows.
When g(X) is irreducible, \(s^{-1}(X)\) and \(\sqrt{s^{-1}(X) + X}\) exist modulo g(X). Patterson decoding uses the extended Euclidean algorithm to find the a(X) and b(X) of the following key equation, from which the error locator polynomial \(\sigma (X)\) is obtained.
If g(X) is only separable, however, the existence of \(s^{-1}(X)\) modulo g(X) is not guaranteed, because g(X) and s(X) need not be relatively prime.
We define
Since \(\gcd (s(X), \widetilde{s}(X))= \gcd (s(X), \widetilde{s}(X) \bmod s(X)) = \gcd (s(X), 1 ) \in {\mathbb {F}}_{2^m} \setminus \{0\}\), we know
Therefore, the following polynomials can be defined in \({\mathbb {F}}_{2^m}[X]\).
Equation (4) can be rewritten as follows.
Because \(\gcd (g_2(X), g_{12}(X))\) and \(\gcd (s_1(X), g_{12}(X))\) are both elements of \({\mathbb {F}}_{2^m}\), so is \(\gcd ( g_2(X) s_1(X), g_{12}(X))\). Therefore, the inverse of \(g_2(X)s_1(X)\) modulo \(g_{12}(X)\) exists, and we have the following equation.
Since u(X) has a square root modulo \(g_{12}(X)\) (Remark 2), \(a(X)=a_2(X)g_2(X)\) and \(b(X)=b_1(X)g_1(X)\) are obtained by calculating \(a_2(X)\) and \(b_1(X)\) that satisfy the following key equation using the extended Euclidean algorithm.
Remark 2
Since all elements of \({\mathbb {F}}_{2^{13}}\) are roots of the equation \(X^{2^{13}} - X = 0\) and \(g_{12}(X) \mid X^{2^{13}} - X\), we know \(\sqrt{X} = X^{2^{12}} \bmod {g_{12}(X)}\). A polynomial \(u(X)=\sum _{i=0}^{l}u_iX^i \in {\mathbb {F}}_{2^{13}}[X]\) of degree l can be written as \( u(X) =({\sum _{i=0}^{\left\lfloor {{l}/{2}} \right\rfloor } \sqrt{u_{2i}}X^{i}})^2 + ({\sum _{i=0}^{\left\lfloor {{(l-1)}/{2}} \right\rfloor } \sqrt{u_{2i+1}}X^{i}})^2X\) where \(\sqrt{u_j} = (u_j)^{2^{12}}\) for all j. Thus, the square root \(\sqrt{u(X)}\) of u(X) modulo \(g_{12}(X)\) is
B Pseudocode for PALOMA
In this section, we provide pseudocode for the functions used in PALOMA.
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Kim, DC., Jeon, CY., Kim, Y., Kim, M. (2023). PALOMA: Binary Separable Goppa-Based KEM. In: Esser, A., Santini, P. (eds) Code-Based Cryptography. CBCrypto 2023. Lecture Notes in Computer Science, vol 14311. Springer, Cham. https://doi.org/10.1007/978-3-031-46495-9_8
DOI: https://doi.org/10.1007/978-3-031-46495-9_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-46494-2
Online ISBN: 978-3-031-46495-9