
A Reaction Attack on the QC-LDPC McEliece Cryptosystem

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10346)

Abstract

Guo et al. recently presented a reaction attack against the QC-MDPC McEliece cryptosystem. Their attack is based on the observation that when a bit-flipping decoding algorithm is used in the QC-MDPC McEliece, then there exists a dependence between the secret matrix H and the failure probability of the bit-flipping algorithm. This dependence can be exploited to reveal the matrix H which constitutes the private key in the cryptosystem. It was conjectured that such dependence is present even when a soft-decision decoding algorithm is used instead of a bit-flipping algorithm.

This paper shows that a similar dependence between the secret matrix H and the failure probability of a decoding algorithm is also present in the QC-LDPC McEliece cryptosystem. Unlike QC-MDPC McEliece, the secret key in QC-LDPC McEliece also contains matrices S and Q in addition to the matrix H. We observe that there also exists a dependence between the failure probability and the matrix Q. We show that these dependences leak enough information to allow an attacker to construct a sparse parity-check matrix for the public code. This parity-check matrix can then be used for decrypting ciphertexts.

We tested the attack on an implementation of the QC-LDPC McEliece using a soft-decision decoding algorithm. Thus we also confirmed that soft-decision decoding algorithms can be vulnerable to leaking information about the secret key.

T. Fabšič, V. Hromada and P. Zajac—Support by grant VEGA 1/0159/17 is acknowledged.


Notes

  1.

    These parameters were selected because they were proposed in [3]. The attack presented in this paper is equally feasible for other sets of parameters, including parameters with p odd.

  2.

    In particular, we ran Algorithm 2 with inputs \(D=D_{0.118}\) and \(w=13\) for all possible values of \(p_1\). We tested candidates for \(p_1\) in ascending order. After a candidate for \(p_1\) was tested, it was removed from \(D_{0.118}\).

References

  1. Baldi, M.: QC-LDPC Code-Based Cryptography. Springer Science & Business, Heidelberg (2014)

  2. Baldi, M., Chiaraluce, F.: Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC codes. In: Proceedings of IEEE ISIT 2007, Nice, France, June 2007, pp. 2591–2595 (2007)

  3. Baldi, M., Bodrato, M., Chiaraluce, F.: A new analysis of the McEliece cryptosystem based on QC-LDPC codes. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) 6th International Conference on Security and Cryptography for Networks (SCN 2008). LNCS, vol. 5229, pp. 246–262. Springer, Berlin (2008)

  4. BitPunch. https://github.com/FrUh/BitPunch

  5. Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53887-6_29

  6. Hill, R.: A First Course in Coding Theory. Oxford University Press, Oxford (1986)

  7. Jungnickel, D.: Finite Fields: Structure and Arithmetics. B.I. Wissenschaftsverlag, Leipzig (1993)

  8. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Deep Space Netw. Prog. Rep. 44, 114–116 (1978)

  9. Misoczki, R., Tillich, J.-P., Sendrier, N., Barreto, P.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: IEEE International Symposium on Information Theory (ISIT 2013), Istanbul, pp. 2069–2073 (2013)

  10. Otmani, A., Tillich, J.P., Dallot, L.: Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes. In: Proceedings of First International Conference on Symbolic Computation and Cryptography (SCC 2008), Beijing, China (2008)

  11. Radford, M.N.: Software for Low Density Parity Check (LDPC) codes. http://www.cs.utoronto.ca/radford/ldpc.software.html

  12. Shooshtari, M.K., Ahmadian-Attari, M., Johansson, T., Aref, M.R.: Cryptanalysis of McEliece cryptosystem variants based on quasi-cyclic low-density parity check codes. IET Inf. Secur. 10(4), 194–202 (2016)

Author information

Correspondence to Tomáš Fabšič.

Appendix: On the Rank of a Randomly Generated Block-Circulant Matrix

In this appendix we study the rank over GF(2) of a matrix composed of \(n_0\times n_0\) randomly generated circulant blocks, the blocks being of size \(p\times p\). We focus on the case when p is odd, since this ensures that the QC-LDPC McEliece cryptosystem is immune against the attack presented in [12].

Firstly, we recall some well-known facts about circulant matrices.

Fact 1

(Proposition 1.7.1 in [7]). Consider the mapping \(\tau \) which sends the circulant binary \((p\times p)\)-matrix with the first row \((c_0,c_1, c_2, \dots , c_{p-1})\) onto the polynomial \(c(x)=c_0+c_1x+c_2x^2+\dots +c_{p-1}x^{p-1}\). Then the mapping \(\tau \) is an isomorphism between the ring of circulant binary (\(p\times p\))-matrices and the ring \(\mathbb {Z}_2[x]/(x^p+1)\).

Fact 2

(p. 42 in [7]). The inverse of a non-singular circulant matrix is again circulant. A circulant binary (\(p\times p\))-matrix C is non-singular if and only if \(\tau (C)\) is relatively prime to \(x^p+1\).

Let f be a polynomial in \(\mathbb {Z}_2[x]/(x^p+1)\) and let \(f(x)=g(x)h(x)\) where \(g(x)=\gcd (f(x),x^p+1)\). Then \(\tau ^{-1}(f)=\tau ^{-1}(g)\tau ^{-1}(h)\). By Fact 2, \(\tau ^{-1}(h)\) is non-singular. Therefore \(\tau ^{-1}(f)\) has the same rank as \(\tau ^{-1}(g)\). It is well-known (e.g. Theorem 12.12 in [6]) that \(\tau ^{-1}(g)\) generates a cyclic code of dimension \(p-d\) where d is the degree of g. Thus we have:

Fact 3

The rank of a circulant binary (\(p\times p\))-matrix C is equal to \(p-d\) where d is the degree of \(\gcd (\tau (C),x^p+1)\).

Let f and g be polynomials in \(\mathbb {Z}_2[x]\), and denote by \(\psi (f)\) the number of polynomials of smaller degree which are relatively prime to f in \(\mathbb {Z}_2[x]\).

Fact 4

(Theorem 1.7.5 in [7]). If \(\gcd (f(x),g(x))=1\), then \(\psi (fg)=\psi (f)\psi (g)\)

Fact 5

(Theorem 1.7.6 in [7]). Let p be odd. Then we have

$$\begin{aligned} \psi (x^p+1)=2^p\prod _{j|p}\left( 1-2^{-o_j(2)}\right) ^{\phi (j)/o_j(2)}. \end{aligned}$$

Here \(o_j(2)\) denotes the order of 2 in the group \(\mathbb {Z}^{*}_{j}\) and \(\phi (j)\) denotes the Euler function.

It follows that the number of \(p\times p\) circulant matrices with full rank is \(\psi (x^p+1)\). Circulant \(p\times p\) matrices with rank \(p-1\) are precisely the matrices whose corresponding polynomial is a product of \(x+1\) and a polynomial coprime to \(\frac{x^p+1}{x+1}\) with degree less than \(p-1\). If p is odd, then \(x+1\) appears in the irreducible factorization of \(x^p+1\) only once. Thus it follows that the number of \(p\times p\) circulant matrices with rank \(p-1\) is \(\psi (\frac{x^p+1}{x+1})=\psi (x^p+1)/\psi (x+1)=\psi (x^p+1)\).

Now we turn to block-circulant matrices. Let \(\rho (p)=\psi (x^p+1)/2^p\).

Proposition 1

Let p be odd. Let B be a matrix composed of \((n_0-1)\times (n_0-1)\) circulant blocks of size \(p\times p\). Suppose that the blocks in B were generated uniformly and independently at random from the space of all binary circulant \(p\times p\) matrices. Then

$$P(rank(B)\ge (n_0-1)\times (p-1))\ge \prod _{i=1}^{n_0-1}\left( 1-\left( 1-\rho (p)\right) ^i+\rho (p)^i\right) .$$

Proof

Let \(B_{ij}\) be the \(p\times p\) block present in the i-th block-row and j-th block-column of B. Let \(b_{ij}(x)=\tau (B_{ij})\). With probability \(1-\left( 1-\rho (p)\right) ^{n_0-1}+\rho (p)^{n_0-1}\) it holds that either one of the blocks in the first block-column is invertible or all blocks in the first block-column have rank \(p-1\).

Firstly, we look at the case when there exists an invertible block in the first block-column. Without loss of generality we can assume that this block is \(B_{11}\) (if not, we can swap block-rows of B). For every \(i\in \left\{ 2,\dots , n_0-1\right\} \) we can erase the block \(B_{i1}\) by adding to the i-th block-row the first block-row multiplied by \(\left( B_{i1}\times B_{11}^{-1}\right) \). This corresponds to multiplying B from the left by the matrix \(M_i=I_{p(n_0-1)\times p(n_0-1)}+\tilde{M}_i\), where \(\tilde{M}_i\) is the matrix composed of \((n_0-1)\times (n_0-1)\) blocks of size \(p\times p\) with the block \(B_{i1}\times B_{11}^{-1}\) in the i-th block-row and the first block-column and with zero blocks everywhere else. Thus the resulting matrix has the same rank as B. We obtain a matrix of the form

$$\begin{aligned} \left( \begin{array}{cccc} B_{11}&{}B_{12}&{}\dots &{}B_{1,n_0-1}\\ 0&{}&{}&{}\\ \vdots &{}&{}\tilde{B}&{}\\ 0&{}&{}&{} \end{array} \right) , \end{aligned} \qquad (2)$$

where \(\tilde{B}\) is a matrix composed of \((n_0-2)\times (n_0-2)\) circulant blocks of size \(p\times p\). Let \(\tilde{B}_{ij}\) be the \(p\times p\) block present in the i-th block-row and j-th block-column of \(\tilde{B}\). Then \(\tilde{B}_{ij}=B_{i+1,1}\times B_{11}^{-1}\times B_{1,j+1}+B_{i+1,j+1}\). The block \(B_{i+1,j+1}\) was generated independently of all other blocks in B, hence we can see \(\tilde{B}_{ij}\) as a sum of \(B_{i+1,j+1}\) and an independent circulant matrix. Since \(B_{i+1,j+1}\) was generated uniformly at random from the space of circulant \(p\times p\) matrices, \(\tilde{B}_{ij}\) will, like \(B_{i+1,j+1}\), have the property that each bit in its first row is 1 with probability 1/2 independently of the other bits in its first row. Thus we can think of \(\tilde{B}_{i,j}\) as another uniformly randomly generated matrix from the space of circulant \(p\times p\) matrices. Moreover, \(\tilde{B}_{i,j}\) is independent of the other blocks in \(\tilde{B}\) and it is also independent of the blocks in the first block-column of the original matrix B.

Now we consider the case when all blocks in the first block-column of B have rank \(p-1\). Then for every \(b_{i1}(x)\) there exists \(r_i(x)\in \mathbb {Z}_2[x]/(x^p+1)\) such that \(b_{i1}(x)r_i(x)=x+1\mod (x^p+1)\) (the polynomial \(r_i(x)\) can be found by the extended Euclidean algorithm). Thus for every \(i\in \left\{ 2,\dots , n_0-1\right\} \) we can erase the block \(B_{i1}\) by adding to the i-th block-row the first block-row multiplied by \(\tau ^{-1}\left( \frac{b_{i1}(x)}{x+1}\right) \times \tau ^{-1}\left( r_1(x)\right) \). By the same argument as in the previous case, this does not change the rank of B. We obtain a matrix of the form (2), where \(\tilde{B}\) is again composed of \((n_0-2)\times (n_0-2)\) circulant blocks of size \(p\times p\). Now we have \(\tilde{B}_{ij}=\tau ^{-1}\left( \frac{b_{i+1,1}(x)}{x+1}\right) \times \tau ^{-1}\left( r_1(x)\right) \times B_{1,j+1}+B_{i+1,j+1}\). By the same argument as in the previous case, we can again think of \(\tilde{B}_{i,j}\) as a uniformly randomly generated matrix from the space of circulant \(p\times p\) matrices. In addition, \(\tilde{B}_{i,j}\) is independent of the other blocks in \(\tilde{B}\) and it is also independent of the blocks in the first block-column of the original matrix B.

Thus in both cases we were able to transform the matrix B to a matrix of the form (2), while preserving its rank. The submatrix \(\tilde{B}\) in (2) has the same properties as the original matrix B except it contains \((n_0-2)\times (n_0-2)\) blocks instead of \((n_0-1)\times (n_0-1)\) blocks. In addition, the submatrix \(\tilde{B}\) is independent of blocks in the first block-column of the original matrix B. Proceeding inductively, the statement of the proposition follows.

In the QC-LDPC McEliece cryptosystem \(n_0\) is typically small (3 or 4, for example). Let \(\alpha (p,n_0)\) be the lower bound from Proposition 1, i.e.

$$\alpha (p, n_0)=\prod _{i=1}^{n_0-1}\left( 1-\left( 1-\rho (p)\right) ^i+\rho (p)^i\right) .$$

In Fig. 3 we present values of \(\alpha (p,4)\) for all odd p in the range from 1 to 20000. The smallest value of \(\alpha (p,4)\) in the figure is 0.11. Thus the figure shows that if \(n_0=4\) then the probability that the rank of B is close to the full rank is nontrivial for all odd p below 20000.

Fig. 3. Values of the lower bound \(\alpha (p,4)\) for the probability that a matrix composed of \(3\times 3\) circulant blocks of size \(p\times p\) which are generated uniformly and independently at random has rank at least \(3\times (p-1)\), for all odd p in the range from 1 to 20000.
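The following Python is an added worked example, not code from the paper or its authors: it computes the rank of a binary circulant matrix through Fact 3 (the degree of \(\gcd (\tau (C),x^p+1)\)), cross-checks that against plain Gaussian elimination over GF(2), brute-forces the counts of full-rank and rank-\((p-1)\) circulants for small odd p (the claim following Fact 5), and evaluates \(\rho (p)\) from Fact 5 and the bound \(\alpha (p,n_0)\) from Proposition 1 as exact fractions. All function names are the example's own.

```python
from fractions import Fraction
from math import gcd

# GF(2)[x] polynomials are Python ints: bit i holds the coefficient of x^i.
def deg(a):
    return a.bit_length() - 1
def poly_mod(a, b):
    while a and deg(a) >= deg(b):
        a ^= b << (deg(a) - deg(b))
    return a
def poly_gcd(a, b):
    while b:
        a, b = b, poly_mod(a, b)
    return a
def circulant_rank(c, p):
    """Fact 3: the p x p circulant with first row tau^-1(c) has rank p - deg gcd(c(x), x^p+1)."""
    return 0 if c == 0 else p - deg(poly_gcd(c, (1 << p) | 1))
def circulant_rows(c, p):
    """All p cyclic shifts of the first row c, each row packed into an int."""
    mask = (1 << p) - 1
    return [((c << i) | (c >> (p - i))) & mask for i in range(p)]
def gf2_rank(rows):
    """Gaussian elimination over GF(2) on int-packed rows: an independent check of Fact 3."""
    rows, rank = list(rows), 0
    while rows and max(rows):
        pivot = max(rows)           # row with the highest leading bit
        rows.remove(pivot)
        rank += 1
        rows = [r ^ pivot if (r >> deg(pivot)) & 1 else r for r in rows]
    return rank
def mult_order(j):
    """o_j(2): the order of 2 in Z_j^* for odd j (the group is trivial for j = 1, so order 1)."""
    k, v = 1, 2 % j
    while v != 1 % j:
        k, v = k + 1, (2 * v) % j
    return k
def rho(p):
    """Fact 5 divided by 2^p: the fraction of p x p binary circulants (p odd) that are invertible."""
    r = Fraction(1)
    for j in (d for d in range(1, p + 1) if p % d == 0):
        o, phi = mult_order(j), sum(1 for k in range(1, j + 1) if gcd(k, j) == 1)
        r *= (1 - Fraction(1, 2 ** o)) ** (phi // o)   # o_j(2) divides phi(j), so this is exact
    return r
def alpha(p, n0):
    """Proposition 1 lower bound on P(rank(B) >= (n0-1)(p-1)), as an exact fraction."""
    rh, bound = rho(p), Fraction(1)
    for i in range(1, n0):
        bound *= 1 - (1 - rh) ** i + rh ** i
    return bound
```

For p = 5 the brute-force count gives 15 invertible circulants and 15 of rank 4, matching \(\psi (x^5+1)=15\); for p = 7, \(\rho (7)=49/128\) agrees with the factorisation \(x^7+1=(x+1)(x^3+x+1)(x^3+x^2+1)\).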

Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Fabšič, T., Hromada, V., Stankovski, P., Zajac, P., Guo, Q., Johansson, T. (2017). A Reaction Attack on the QC-LDPC McEliece Cryptosystem. In: Lange, T., Takagi, T. (eds) Post-Quantum Cryptography. PQCrypto 2017. Lecture Notes in Computer Science, vol. 10346. Springer, Cham. https://doi.org/10.1007/978-3-319-59879-6_4

  • DOI: https://doi.org/10.1007/978-3-319-59879-6_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-59878-9

  • Online ISBN: 978-3-319-59879-6
