Finding Low-Weight-Codeword Attack

3.2 Finding Low-Weight-Codeword Attack

Another approach of the attack (we call it the FLWC for simplicity) is to nd a codeword in a general linear-code with a given (low) weight t. The FLWC problem can be formally described as follows: input a generator matrix G of a general linear-code, and a integer t, one must output a codeword v of G such that weight(v) ≤ t. Actually, the GISD problem with a generator matrix G and a received vector c with error-bits fewer than the correcting ability t can be reduced to the FLWC problem. For each input instance of the GISD problem (G, c), we can construct an instance of the FLWC problem (G^∗,t) as follows.

G^∗=

"

Gc

#

and t is the correcting ability of G. We claim the solution of this instance of the FLWC problem is unique and it will be the error vector hidden in the received vector c.

Theorem 3.2.1. [22] If G is a generator matrix of a linear-code with error correcting ability t and c is a received vector with error bits fewer than t, then the solution of instance (G^∗,t) of FLWC exists and is unique.

Proof. We prove the existence and uniqueness by the following discussion. First we show the existence of the solution. Suppose c = mG ⊕e for some m, then e is a solution of instance (G^∗,t) of FLWC since e = [m|1] G^∗. Then we show the uniqueness of the solution. If e⁰ is a solution of instance (G^∗,t) of FLWC such that e⁰, e, there are three possibilities:

Case 1: e⁰ =[m⁰|0] G^∗, m⁰ ,m

weight(m⁰G) ≤ t, but G has correcting ability t, all of its codewords should have weight be larger than 2t, which is a contradiction.

Case 2: e⁰ =[m⁰|1] G^∗, m⁰ ,m

weight(c ⊕ m⁰G) ≤ t and it implies that weight(mG⁰ ⊕m⁰G⁰) ≤ 2t holds. But G has correcting

G⁰ =

"

B | Z | I D | 0 | 0

# .

Figure 3.2: The matrix after arrangement.

ability t, all the distances of its codewords should larger than 2t, it is a contradiction.

Case 3: e⁰ =[m|0] G^∗

weight(mG) ≤ t, but G has correcting ability t, all of its codewords should have weight be larger than 2t, which is a contradiction.



3.2.1 Leon's Algorithm

The algorithm proposed by Leon [20] is a probabilistic algorithm. It introduces two parameters σ and p. The main idea of this algorithm is to randomly select k + σ columns from G, where σ is a comparatively small value such as 2 or 3, and hope that the ”solution vector” has low weight on these selected positions. Each time we randomly select the k + σ columns, we apply a permutation P so that the selected columns are gathered together on the right-hand-side of the matrix (the solution of permuted instance can be transformed to the solution of the original one by making a multiplication of P⁻¹). Then we apply the Gaussian elimination (the solution is not effected by the Gaussian-elimination) so that the resulting matrix G⁰ looks like the form in Figure 3.2.

Where I is a e × e identity matrix, B is an (n − k − σ) × e matrix, Z is a (k + σ − e) × e matrix and D is an (n − k − σ) × (k − e) matrix. After the rearrangement, an exhaustive search on linear-combinations of row of Z|I is applied to nd the combinations such that the resulting sum-vector v consists with weight(v) ≤ p, the p is a threshold value in intuition. We show the precise operations by the following algorithm.

3.2. FINDING LOW-WEIGHT-CODEWORD ATTACK 31 Leon's Algorithm with parameters σ and p

Input: A k × n generator matrix G and an integer t.

Output: The codeword c of G such that weight(c) ≤ t.

1. Randomly select k + σ columns, rearrange the matrix G to the form of Figure 3.2.

2. Search for the linear combinations of [Z||I] that lead to a k + σ vector v such that weight(v) ≤ p. This can be achieved by considering the single matrix Z.

If a vector v consists with weight(v) ≤ p is found, goto step 3.

3. Calculate the corresponding linear combinations of B, if the resulting n − k − σ vector b consists with weight(b) + weight(v) ≤ t then stop and returns [b||v] P⁻¹. Otherwise step 4.

4. Search for all combination of the rows of D, there will be 2^k−e combinations.

For each combination, calculate the summation of the corresponding rows to form a n − k − σ vector d, and check if d consists with weight(d ⊕ b) + weight(z) ≤ t.

If some d consists with the inequality, then stop and returns [b ⊕ d||v] P⁻¹. Otherwise step2.

We introduce an analysis of the Leon's algorithm [6] by following theorem.

Theorem 3.2.2. [20] The expected value of bitwise operations required per selection of the k + σ columns by the Leon's algorithm is:

J_(σ,p)(n, k) =X^k And the expected value of the required column selections is:

Nσ,p(n, k) = 1/

Thus the expected value of the overall bitwise operations required is Nσ,p(n, k) × J(σ,p)(n, k).

Proof. The probability of the event that the ”solution vector” has fewer weight than p in the selected k + σ columns is:

Xp

Thus the expected number of the column selection requirement is its inverse. According to [21], the number of (k, k + σ) binary matrices with rank e is:

2^e(e−1)/2Y^e−1

i=0

(2^k+σ−i−1)(2^k−i−1) (2ⁱ⁺¹−1) ,

so the probability of the event that the rearranged matrix has a specied value of e is given as ρ(σ, k, e). The average number of bit-wise additions and weight-checking on (k + σ − e)-bit words is given by (k + σ − e) ×P_p

i=1i

ei

, and for each checking, the probability of satisfying the weight(v) ≤ p isP_p−i

j=0(^k+σ−ej )

2^k+σ−e. In those cases, additional 2^k−e linear combination of D should be

examined and it takes (n − k − σ)2^k−e bit-wise operations. Summarizing the above discussion,

the formula of J_(σ,p)(n, k) is given. 

3.2.2 Stern's Algorithm

Observing the Leon's algorithm, we can see that the time consumption of step 2 is quiet large, the main purpose of the Stern's algorithm is to reduce the time consuming of step 2. Precisely speaking, they proposed a faster method to search for partial-codewords (the k-prex of code-words) which have hamming weights fewer than a given threshold. Two parameters p and l are introduced in their algorithm.

Their algorithm is rst designed to operate on the parity check matrix, actually the algorithm can be slightly modied to work on a generator matrix. We describe the algorithm of the parity check matrix version as shown in Figure 3.3.

It is interesting that, in the Stern's algorithm, the ”solution vector” is expected to have more weight (precisely, weight = t − 2p) in the n − k columns selected in step 1. In other words, we hope that the solution vector has less weight in the unselected k columns. This hope is the same as Leon's idea. The observation gives us an intuition that these two algorithms are quiet similar in large scale.

3.2. FINDING LOW-WEIGHT-CODEWORD ATTACK 33 Stern's Algorithm with parameters p and l

Input: A k × n − k parity check matrix H and an integer t.

Output: The codeword c of H such that weight(c) ≤ t.

1. Randomly select n − k columns of H, apply a permutation P on H so that the selected columns are gathered together on the right-hand-side of the matrix (the solution of permuted instance can be transformed to the solution of the original one by making a multiplication of P⁻¹). Then we apply the Gaussian elimination (the solution is not effected by the Gaussian-elimination) so that the resulting matrix H⁰P looks like the following form.

H⁰P = h

Q | In−k

i.

2. Randomly split the columns of matrix Q into two subsets, then apply another permutation (all the permutation applied can be summarized to a overall permutation P^∗, and the solution of permuted instance still can be transformed to the solution of the original one by making a multiplication of P^∗−1) so that the matrix HP^∗looks like the following form.

H⁰P^∗ = h

X | Y | In−k

i.

3. Randomly select l rows of the matrix [X|Y] and apply another permutation on rows (the permutation applied on rows does not effect the solution of the instance) so that the resulting matrix H⁰⁰P^∗looks like the following form.

H⁰⁰P^∗ =

4. Search for all combinations of p columns of X_l, compute the corresponding summation vector vCX for each combination CX, save cX into a hash table with key v_CX for further lookup.

5. Search for all combinations of p columns of Yl, compute the corresponding summation vector v_CY for each combination C_Y, look up the hash table built in step 4 for the entry of key v_CY.

6. Each time we have Hash(v_CY) , φ in previous step, then summarize the (k − l) × k matrix [X_k−l|Y_k−l] on columns Hash(v_CY) ∪ C_Yto a (k − l) × 1 vector z.

7. If z consists with weight(z) ≤ t − 2p, then nd the columns set C_J in J_n−ksuch that the summation of HP^∗on columns Hash(vCY) ∪ CY∪CJ is

a zero vector, transform these columns into a vector m⁰such that m⁰_i =1 if and only if i ∈ {Hash(v_CY) ∪ C_Y∪C_J}. Then stop and output m⁰P^∗−1.

8. Otherwise (Hash(v_CY) = φ for all C_Y), goto step 1.

Figure 3.3: Stern's Algorithm with parameters p and l

3.2.3 Canteaut et al.'s Algorithm

A. Canteaut and F. Chabaud [6] proposed an improvement method for both Leon and Stern's algorithm. The idea of their improvement is very similar with the Tilburg's second improvement (see section 3.1.3). Observe step 1 of both Leon and Stern's algorithm, we can see that a Gaussian elimination is needed for each selection (k + σ columns in Leon's algo. and n − k columns in Stern's algo.). The Canteaut et al. proposed a strategy: to select k + σ (or n − k for Stern's algo.) columns with only one different column between the previous selection. The new column joining the selection is randomly selected from the unselected columns and the column departs from the selection is randomly selected from previous selected columns. Furthermore, they made a precise analysis on the expected value of iterations required by their improved algorithm.

Till now, all the mentioned attacks requires an exponential expected time consumption. But actually, the native MEPKC is proven vulnerable when partial information of the plaintext is leaked even against the chosen-plaintext attack. Known attacks of this type are [17] [5]. This kind of attacks substantially reduce the time consumption of the decoding attack with the help of partial information. We will give an introduction to these attacks in the next section.