On insecurity of cryptosystems based on generalized Reed-Solomon codes

Discrete Math. AppL, Vol.2, No.4, pp.439-444 (1992)© VSP 1992.

On insecurity of cryptosystemsbased on generalized Reed-Solomon codes4

V. M. SIDELNIKOV and S. O. SHESTAKOV

Abstract — In papers [1, 2] methods of building public-key cryptosystems based on code-theoretic construc-tions have been suggested. Their background is an (s + 1) χ Ν non-secret matrix <B of the form 05 = Η 21with its elements from a finite field F?. Here 21 is some unknown matrix which is a check matrix of a g-arygeneralized Reed-Solomon code. In this paper we suggest a method of finding the unknown matrices H,2t which determines the matrix 93 in O(s4 + sN) arithmetical operations in F7. By this the insecurity ofsuch public-key cryptosystems is demonstrated.

1. DESCRIPTION OF A PUBLIC-KEY CRYPTOSYSTEMLet us apply the public-key cryptosystem suggested in [2] to the generalized Reed-Solomon code (GRS-code). Let ¥q be a finite field with q elements and F = F9 U {oo},where oo has natural properties (l/oo = 0, etc.). The symbol 21 denotes a matrix withthe elements from F0 of the form

(1)

where c*t G F, z{ G Ρς\{0}, α, ^ OLJ for i ^ j, and if a, = oo the corresponding columnis defined as the vector of the form ζ;(0, . . . , 0, 1)T. The matrix 21 is a check matrix ofthe <?-ary code Κ = K(2l) of length N, which is a GRS-code shortened to Ν < q + 1(see [3]). Let S be a collection consisting of all matrices of the form 53 = H$l, where21 is a matrix of type (1) and H is a non-degenerate (s + 1) χ (s + 1) matrix with theelements from ¥q. It follows from the definitions that the typical matrix 03 of 8 has theform

(2)

where f j ( x \ j = 1,...,5 + 1, are polynomials linearly independent over F9 of degreenot higher than s. They are determined by the matrix H in a natural way (/j(oo) is thecoefficient of x8).

We will briefly describe the public-key cryptosystem based on the ideas of [2]. Inthis system a user X randomly and equiprobably chooses a matrix 03 of type (2) in 8.

*UDC 519.72. Originally published in Diskretnaya Matematika (1992) 4, No. 3 (in Russian).Translated by the authors.

22/2(02) ···

Brought to you by | Simon Fraser UniversityAuthenticated | 134.99.128.41

Download Date | 10/1/13 4:37 AM

440 V. M. Sidelnikov and S. O. Shestakov

The matrix 03 is known, and the matrices H and 21 are secret. A message B of a userΥ addressed to the user X is transferred through a public channel and has the form ofa column Β = 03α, where the vector € (Pq)N has not more than t = [s/2] non-zerocoordinates and contains a transmitted confidential information. If the matrices H and21 are known and the message B is received, the user X can reconstruct the vector a'fast enough' by means of one of the known algorithms of decoding a GRS-code. If thematrices H and 21 are unknown, the reconstruction of the vector α becomes a 'difficultproblem' which cannot be solved in satisfactorily short time.

The public-key cryptosystem suggested in [1] is different from the one describedabove, but if the code Κ is over Fg, then the problem of its decryption is also equivalentto finding Η and 21 from 03. If Κ is over some subfield of Fg, then the reconstructionof Η and 21 from 03 grows more difficult, but the authors are sure that this can be doneby means of methods close to the suggested ones.

The principal aim of this work is to construct an algorithm for finding the matricesΗ and 21 in O(s4 + sN) arithmetical operations in ¥q when the matrix 03 is known.Note that by using fast algorithms of linear algebra, the exponent 4 can be reduced toa smaller value.

2. ALGORITHM OF FINDING A SOLUTION OF THE EQUATION 03 = Η 21The task is to find a non-degenerate matrix H, xi, . . . , XN G F and z\, . . . , ZH e F9\{0}such that

03 = #91(χι,...,χ/ν;*ι,. ..,**) (3)provided the matrix 03 is known. We solve the problem in two steps: first we find thenumbers X\ , . . . ,XN, and then the numbers zi,... ,ZN and the matrix H.

First some notes should be made. Let (Η, xi, . . . , XN, z\, · - · , ZN) be some solution ofequation (3), α ^ 0 and b be some elements of F9 and Λ,-j G F9, 0 < i, j < s, be suchthat

j=0

Put HI = \\hij\\] dj = 1 if Xi ^ oo and dt = a~s if xt = oo. Direct evaluations show that

besides, the matrix H\ is triangular and therefore non-degenerate. It is easy to see fromthe equality

Οί/ Λ. _ι_ Ι» Λ. _ι_ ί.« J~l Λ·~! \ LJOi/ . \ Λ>ϊα^αζι τ ο,..., αζ;ν τ ο,α^ ζι,. . . , α^ ΖΝ) — /ιία^ζχ,..., ζτν,2?ι,..., 2?jvj = !ο

that (ΗΗϊι,αχι + δ,...,αζτν + δ ;^ 1 ^ , . . . ,dJ f l z N ) is also a solution of equation (3).Similarly, if

/ 0 0 ... 1 \

H2 =0 1 ... 0

V ι ο ... o yand rf, = zt~e for zt ^ 0, oo and c?t = 1 otherwise, then



On insecurity of cryptosystems 441

Thus (HHil,xil,...,xJfl',dilzi,...,drfzN) is also a solution of (3). It is known thatany birational transformation

6: χ »-> - - ad — be £ 0,ex + α

over F9 is a composition of the transformations χ *-> αχ + 6 and χ Η* Ι/χ. It fol-lows that for any birational transformation φ there exist z{, . . . , zf

N and a matrix ̂such that (ΗΗφ1,φ(χι),...,φ(χΝ)',ζ'ι,...9ζ'Ν) is a solution of equation (3) if(Η, xi, . . . , XN\ zi , . . . , ZN) is a solution of (3).

For any three different numbers χι,χ2,£3 Ε F9{oo} it is possible to find a bira-tional transformation φ such that φ(χ\) = 1, Φ(χ2) = 0 and <^(xs) = oo. It followsthat there exist x 4 , . . . ,XN £ Fg{0, 1}, z[,...,z'N e Fg{0} and a matrix H such that(#; 1, 0, oo, x4, . . . , XN;Z[,. . . , z'N) is a solution of equation (3). Since it is sufficient tofind any solution, we will search for it in this form, that is with xi = 1, x2 = 0 andX3 = OO.

Rewrite equation (3) as

where H = ||Λ0·||, 21ι(χι, . . . , ΧΝ) = »(ΒΙ, . . . , ΧΝ\ 1, . . . , 1), # = diag(*i, . . . , ΖΝ\ so that5

||α#||, (n, = /,-(xj), fi(x) = X)Aijx J>j=0

and consequently, bij - ^j/i(xj) (as before, /(oo) is equal to the coefficient of xs of/ e F,[x] with deg/ < 5). In other words, the matrix D contains the unknowns Zj.

Find c\{ ; e F,, 0 < ζ < θ, not all of which are equal to zero and such that theequalities Σ*=0 ci,6tj = 0 hold for any j = l, s + 2, . . . , 2s. It suffices to solve the systemof 5 homogeneous linear equations with 5 + 1 unknowns. Clearly, this system is solvable.Let

= Σ ci.7<(*), AJ = Σ ci.-*y » l < i < N·t=0 t=0

Then

t=0

and as all Zj are non-zero, it follows from the construction of FI(X) that χι, χθ+2, . . . , %2sare the roots of F\. All χι,χ β+2,. . . ,»2. are finite because x3 = oo; besides, degFi < sbecause deg/, < 5. Therefore

FI(X) = ai(x - xi)(x - xs+2) . . . (x -

in particular, ^ι(χ^) ^ 0 and 0y = ZjFi(xj) ^ 0 for j 0 {1,5 + 2,..., 2s} and

Now we choose c& ; Ε Fg, 0 < i < 5, not all of which are equal to zero and such thatthe equalities £J=0

C2iîj = 0 hold for any j = 2, s + 2, . . . , 2s, and put

t=0 t=0




We have

fa = ZjF2(xj), F2(x) = a2(x - x2)(x - xa+2) . . . (x - x^).

Since 2j ^ 0 for j = 3,..., s + 1,2s -l- l,..., N, one can calculate bj = ij/fa forthese j. The equalities

bj = zjFl(xj)l(zjF2(xj))= i(Xj - Xl)(Xj - X8+2) . . . (Xj - X^/a^Xj - X2)(Xj ~ Xs+2) - - - (Xj ~ X2e)

= αι(χ, - xi)/a2(xj - x2),63 = 3/&3 = αιζ3/α2ζ3 = αι/ο2

imply that

bj = 63(2,· - xi)/(xj - x2\ Xj = (63x1 - 6jX2)/(&3 - bj).

Finally, it follows from xi = 1 and x2 = 0 that Xj = ^/(fe - 6j) forj =4 , . . . , β + 1,25 + Ι , . , . ,ΛΓ.

Now we choose 03, and 04, from F„ 0 < * < 5, such that for j = 1, 3, . . . , 5 + 1 andj = 2, 3,..., 3 + 1 the equalities Σ?-ο03ί'ϋ = 0 ̂ d Σ'-ο^ϋ = Ο ^°W respectively.Let

^3(0;) = Σ ^Λ(»), W = Σ ««/*(«),t=0 t=0

Ai = Σ î^·. i = Σ^^, l < j < N.t=0 t=0

It follows from the equality ^3(0:3) = FI(OO) = 0 that the coefficient of xs in jP3 is zero,i.e., degFs < 5 — 1. Using the equalities F^(XI) = F^(x^) = ... = F3(zs+i) = 0, we findthat

F3(x) = a3(x - xi)(x -x4)...(x- xa+1).

Analogously,F4(x) = a4(x - x2)(x - x4) . . . (x - za+i).

Therefore, for j > s + 2

fo/fo = ZjF3(xj)/ZjF4(xj)(xj - x2)(xj - x4) . . . (xj - zs+i)

(xj - x2).

In particular, for j = Ν these equalities yield

3N/ *N = 3(Z7V - Χι)/α4(χΝ ~ X2) =

hence

03/04 = b^biN/b^bw, ijl tj = b3bw/bNb4H(xj - xi)/(xj — x2).

Let 6j = w/ iN ij/ tjbN for j = 5 + 2,... ,2s. Then 6 ·̂ = 63(xj - xi)/(xj - x2) andXj = 637(63 — bj) for these j, as well as for the other values of j.

Let us briefly describe the algorithm for finding the numbers Xj once more.



On insecurity of ayptosystems 443

(1) Find ei,·,«:* € Fg, 0 < i < 5, such that for j = 1,5 + 2,..., 2s and; = 2,5 + 2,..., 2sthe equalities E?=ociAj = 0 and Ei=oc2t^j = 0 hold respectively (0(s3) operationsinF,).

(2) Calculate β^ = Σ?=ο^ι.·^ and fa = Σ'-oCzAj for j = 3,..., 5 + 1,2s + 1,..., AT,and find bj = ^/fa (0(sN) operations).

(3) Findete* € F„ 0 < * < 5, such that for j = 1,3,...,θ + 1 and j = 2, 3,..., 5 + 1 theequalities E*=oc3«Aj = 0 and Σί-ο^ν = 0 hold respectively (0(s3) operations).

(4) Calculate fa = Σ;=ο^ and 4j = Σ?=ο^ϋ for j = s + 2,..., 2s, TV, andfind 6j = (bN 4N/ 3N) 3j/ 4j for j = s + 2,..., 2s where 6^ is found at step (2)(O(s2) operations).

(5) Put χι = 1, z2 = 0, x3 = oo and Xj = &3/(&3 - fy) for 4 < j < N (O(N) operations).(6) Choose some α € F9 differing from all £j, 1 < j < N, and replace each x; with

l/(a - Xj) (O(N) operations). The new set of Xj is also a part of some solution of(3), however containing no Xj =00.

Now we will find the numbers Zj and the matrix H. If each element of the matrixD is multiplied by some fixed α G F9 and each element of H is multiplied by or1, thenthe product H$liD will be the same. We therefore can presume that z\ = 1.

Find ci, . . . , ca+2 € F9, not all of which are equal to zero and such that the equalities5+2

Σ>Α = ο, o < ; < 5 , (4)j-i

hold. It is sufficient to solve the system of s + 1 homogeneous linear equations withs -v 2 unknowns. All of the numbers c, are non-zero because otherwise the matrix 53would contain s + 1 linearly dependent columns. Since 6,j = ^j/,(xj), equalities (4) canbe written as

3+2

or in the matrix form, ACz = 0, where A = ||α^·||, %· = fi(xj), 0 < i < s,1 < j < 5 4- 2, C = diag(ci,...,ce+2), * = (î)...,^+2)T. But Λ = #»ι(ζι,...,ζθ+2),and therefore H%li(xi,...,xa+2)Cz = 0. Multiplying the last equality by H~l we get2l(xi,...,xe+2)Cff = 0, consequently the relations

are satisfied. Since the numbers Cj and Xj are already known and z\ = 1, we have alinear system of s + 1 equations with s + 1 unknowns z2, ...,2β+2· This system has aunique solution because its determinant is equal to c2...cs+2det2li(z2j... ,2^+2) ^ 0.Solving this system yields the sought numbers z\, . . . , za+2·

If Η = | |Ai* | | ,0<i , fc<5, then

*ϋ = ζ> Σ ·=

Fix some i, 0 < i < s, and vary j from 1 to s + 1. We get the following system of linearequations for hi0, . . . , his:

A:=0




The determinant of this system is the Wandermond determinant, so the numbershn,...,hii can be determined uniquely. Solving this system for every i, 0 < i < s,we find the matrix H.

The multiplication of equality (3) by H'1 gives 2l(xi,...,a?^;î,... ,^/v) = H~l*B.Since the first row of the matrix 21(ζι, . . . , XN\ z\, . . . , ZN) is (z\, . . . , ZN\ the last numbersZj are determined by the equalities

where Η'1 = ||Α^·||. It is not necessary to calculate the whole matrix H~l for finding/4; it is sufficient to solve the system

A^ , = 1, Σ Λ«** = Ο, l<j<*.t=0 t=0

We however need the matrix H"1 for decoding, so it is convenient to calculate it in thisstage.

Let us in short describe the algorithm for finding the matrices H andD = diag(2ri , . . . , ZN) once more.

(1) Find ci,... ,ce+2 G Fg such that £'ίι ofa = 0, 0 < i < s (0(s3) operations).(2) Put zi = 1 and find such z2,...,za+2 G ¥q that Σ^ι^^} = 0, 0 < i < s

(O(s3) operations).(3) For each i, 0 < i < s, find ΑΛ,.- . ,Α^ G Fq such that EUo^fc«* = Ζ71?)ϋ»

1 < j < s + 1, and put Η = ||Λ0|| (O(s4) operations),(4) Find the matrk H~l = \\hf

ia\\ and calculate zj = E?«oAoAj» 5 -f 3 < ; < TV(Ο(ΰ4 + 57V) operations).

Solving equation (3) by means of the suggested algorithm requires O(s4 + 57V)operations in ¥q.

REFERENCES

1. R. J. McEliece, A public-key oyptosystem based on algebraic coding theory. In: DSN Progress Report42-44, Jet Propulsion Lab. Pasadena, 1978, pp. 114-116 .

2. H. Niederreiter, Knapsack-type cryptosystems and algebraic coding theory. Probl. Control and Inform.Theory, (1986), 15, 19-34.

3. F. J. McWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes. North Holland,Amsterdam, 1977.



Documents

On insecurity of cryptosystems based on generalized Reed-Solomon codes