3.6 Reaction Attack
3.6.3 An Improved Attack Algorithm
We note that an adversary does not have to make the whole 1 × n ciphertext c error-free.
He only has to make sure that some k bits, indexed by {a1, a2, . . . , ak} ⊂ {1, 2, . . . , n}, are error-free, where the corresponding columns of G' are linearly independent. Thus we design the following attack algorithm.
Algorithm 3.6.1: Improved reaction attack algorithm
Input: Ciphertext c.
Output: Plaintext m corresponding to c.
1. Select k column indices {a1, a2, . . . , ak} ⊂ {1, 2, . . . , n} of G', such that the k columns of G' are linearly independent.
2. Combine the k columns of G' to form a k × k matrix Gk.
3. Combine the k bits {ca1, ca2, . . . , cak} of c to form a vector ck.
4. Run the original Algorithms A and B to eliminate the errors in ck.
5. m = c'' · Gk^-1, where c'' is ck after the errors have been eliminated in step 4.
that the algorithm requires at most k + 2t queries to recover the plaintext.
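The linear-algebra side of Algorithm 3.6.1 (steps 1, 2, 3 and 5), as an added example that is not code from the thesis: it picks k linearly independent columns of the public matrix over GF(2), restricts the ciphertext to those positions and inverts the k × k submatrix to recover m. Step 4 (the oracle-driven Algorithms A and B) is not modelled; the example assumes the chosen positions are already error-free, and the matrix G_TOY, message M_TOY and error vector E_TOY are constructed toy values, not parameters from the thesis.

```python
# Added example, not code from the thesis: the linear-algebra part of
# Algorithm 3.6.1 over GF(2).  Given the public k x n matrix G' and a
# ciphertext whose bits at k chosen positions are error-free, steps 1-3 and 5
# recover m from the k x k submatrix Gk.  Step 4 (the oracle-driven Algorithms
# A and B) is not modelled; the matrix, message and error vector below are
# constructed toy values.

def column_as_int(G, j):
    """Pack column j of a 0/1 matrix into an integer, row i -> bit i."""
    return sum(G[i][j] << i for i in range(len(G)))

def independent_columns(G):
    """Step 1: scan the columns of G' left to right and keep each one that is
    linearly independent over GF(2) of those already kept, until k are found.
    An incremental XOR basis keyed by highest set bit does the independence test."""
    k = len(G)
    basis = {}      # highest set bit -> reduced basis vector
    chosen = []
    for j in range(len(G[0])):
        v = column_as_int(G, j)
        while v:
            h = v.bit_length() - 1
            if h not in basis:
                basis[h] = v
                chosen.append(j)
                break
            v ^= basis[h]   # reduce; v becomes 0 if the column is dependent
        if len(chosen) == k:
            return chosen
    raise ValueError("G' has rank less than k")

def submatrix(G, positions):
    """Step 2: the k x k matrix Gk built from the chosen columns of G'."""
    return [[row[j] for j in positions] for row in G]

def solve_gf2(Gk, ck):
    """Step 5: solve m * Gk = ck over GF(2).  Row i of the augmented system is
    column i of Gk with ck[i] appended, i.e. we eliminate on Gk^T m^T = ck^T."""
    k = len(Gk)
    rows = [[Gk[r][i] for r in range(k)] + [ck[i]] for i in range(k)]
    for col in range(k):
        pivot = next(r for r in range(col, k) if rows[r][col])  # exists: Gk is invertible
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(k):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [rows[i][k] for i in range(k)]

def recover_plaintext(G, c, positions):
    """Steps 2, 3 and 5, assuming the bits of c at `positions` are error-free
    (i.e. step 4 has already been carried out)."""
    Gk = submatrix(G, positions)
    ck = [c[j] for j in positions]            # step 3
    return solve_gf2(Gk, ck)

def encode(G, m):
    """m * G' over GF(2), used only to build the toy ciphertext."""
    return [sum(m[i] & G[i][j] for i in range(len(m))) & 1 for j in range(len(G[0]))]

# Constructed toy public matrix G' (k = 4, n = 8): column 0 is all-zero and
# columns 4-6 depend on earlier ones, so the scan has to skip them.
G_TOY = [[0,1,1,0, 1,1,0,1],
         [0,1,0,1, 1,0,1,1],
         [0,0,1,1, 0,1,1,1],
         [0,1,1,1, 1,1,1,0]]
M_TOY = [1, 0, 1, 1]
E_TOY = [0,0,0,0, 1,0,1,0]      # t = 2 errors, both outside the chosen columns
C_TOY = [a ^ b for a, b in zip(encode(G_TOY, M_TOY), E_TOY)]

if __name__ == "__main__":
    pos = independent_columns(G_TOY)
    print("chosen columns:", pos)                                 # [1, 2, 3, 7]
    print("recovered m:", recover_plaintext(G_TOY, C_TOY, pos))  # [1, 0, 1, 1]
```

The errors in E_TOY sit in columns the scan never selects, which is exactly why the attacker in the text only needs k error-free positions rather than an error-free ciphertext; flipping a bit inside the chosen positions changes ck and, since Gk is invertible, yields a different (wrong) m, which is what step 4 has to rule out.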
Chapter 4
Trichotomy Reaction Attack
In the reaction attack presented by Hall et al., it takes n + 2t queries to recover the plaintext in the worst case. In this chapter, we propose a new trichotomy reaction oracle model. Under the new model, we establish a connection between the reaction attack on the MEPKC and a special version of the counterfeit coins problem, which we name the Comparative Counterfeit Coins Problem (CCCP). Combining this connection with a greedy approach to the CCCP, we design a new algorithm that recovers the plaintext from the ciphertext in at most ⌊k/2⌋ + t + 3 queries when 4t ≤ k.
This chapter is organized as follows: In Section 1, we propose the trichotomy reaction oracle model. In Section 2, we introduce the formal definition of the counterfeit coins problem and some modified versions of it. In Section 3, we design a greedy algorithm to solve the CCCP. In Section 4, we show the connection between the attack on the MEPKC and the CCCP. In Section 5, we design a new attack algorithm by applying the greedy algorithm proposed in Section 3.
4.1 Trichotomy Reaction Oracle Model
In the original reaction oracle model, when a ciphertext with fewer than t error bits is received, it is treated as a valid ciphertext to decrypt and produces the Type 2 reaction. But in the MEPKC, randomly selecting an error vector with constant weight t is suggested to avoid weak encryptions. So it is reasonable to assume that a common implementation of the MEPKC will check whether the ciphertext corresponds to a received vector with error weight t. This check can be done simply by testing whether the decrypted plaintext m satisfies weight((m · G') ⊕ c) = t. To match its purpose, we call it the error-weight check.
Clearly, the check only makes sense when it is done with a correct plaintext m. Thus one has to apply it after the decryption and the checksum verification procedures. When the error-weight check fails, it indicates an improper encryption. But since the ciphertext c passed decryption and the decrypted plaintext m passed the checksum verification, a failure in the error-weight check does not hurt the correctness of m. Thus it is reasonable to assume that the error-weight fault is treated as a non-critical error and a Warning Message is returned in this case. Under this assumption, we propose the trichotomy reaction oracle model. In this reaction oracle, when we input a vector c, there are three types of oracle output:
Type 1: Return an error message due to failure in decryption or an illegal plaintext checksum.
Type 2: Return nothing or an acknowledgement message to reflect successful decryption, a legal plaintext checksum and proper error weight.
Type 3: Return a warning message due to failure in the error-weight check.
Our model also requires the assumption proposed in Assumption 3.6.1. We can abstract the trichotomy reaction oracle as follows.
Trichotomy Reaction Oracle in (S, G, P, t)-MEPKC:
Input: A vector c.
Output: Compared with the codeword m · G', one of the following reactions is presented.
Type 1: If c corresponds to a received vector with error weight > t.
Type 2: If c corresponds to a received vector with error weight = t.
Type 3: If c corresponds to a received vector with error weight < t.
We present an instance of an MEPKC implementation that matches the trichotomy reaction oracle assumption.
Key Generation algorithm:
Generate four matrices G, S, P, G', a checksum function Checksum(m) and its corresponding verifying function Verify(m', C).
G: k × n generator matrix of a binary Goppa code with error-correcting capability t.
S: k × k random binary invertible matrix.
P: n × n random permutation matrix.
G': G' = S G P.
Checksum(m): a checksum function that outputs a fixed-length characteristic binary string C for each input string, with low collision probability.
Verify(m', C): the corresponding verifying function, which gives an acknowledgement output if and only if C = Checksum(m').
Secret key: S, G, P
Public key: G', t, Checksum, Verify
Encryption algorithm:
To encrypt a 1 × (k − |Checksum(m)|) message m, one randomly selects a 1 × n error vector e with Hamming weight t and outputs the corresponding ciphertext c:
Ciphertext: c = (m || Checksum(m)) · G' ⊕ e
Decryption algorithm:
To decrypt a ciphertext c, one has to go through the following steps.
1. Calculate c' = c · P^-1; thus c' = m' S G ⊕ e P^-1, where m' = m || Checksum(m).
2. Apply the decoding algorithm for the Goppa code to eliminate the error vector.
If the decoding procedure fails (which happens only when more than t error bits are present), output Error.
Otherwise we have the vector m' S.
3. Calculate m'' = m' S · S^-1.
4. Split m'' into (m || C) = m', where |C| is the length of the checksum and
|m| = k − |C|.
5. If Verify(m, C) ≠ acknowledgement, output Error. Otherwise go to step 6.
6. If |(m'' · G') ⊕ c| ≠ t, output Warning. Otherwise go to step 7.
7. Output message m and an Acknowledgement.
The behavior of the decryption algorithm in this implementation can be described by a codeword-ball diagram; see Figure 4.1.
Clearly, the behavior of the decryption algorithm is consistent with the assumption of the trichotomy reaction oracle model.
Figure 4.1: The decryption algorithm behavior consistent with the trichotomy reaction oracle model.
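The trichotomy reaction oracle abstraction and the seven-step decryption algorithm above, as one added example that is not the thesis's own code: a toy (S, G, P, t)-MEPKC whose decryption follows steps 1 to 7 literally, so that its three outputs are the oracle's Type 1, 2 and 3. Everything in it is an assumption made for the example: the Goppa decoder is replaced by brute-force nearest-codeword decoding over all 2^k messages (feasible only at toy sizes), G is the [8,4,4] extended Hamming code with t = 1, S and the permutation P_PERM are constructed, and Checksum is a constructed 2-bit function; encrypt takes the error vector as an argument instead of drawing it at random so that runs are repeatable.

```python
# Added example, not code from the thesis: a toy (S, G, P, t)-MEPKC whose
# decryption follows steps 1-7 above, so that its three outputs are exactly the
# trichotomy reaction oracle's Type 1/2/3.  The Goppa decoder is replaced by
# brute-force nearest-codeword decoding over all 2^k messages (toy sizes only);
# G is the [8,4,4] extended Hamming code with t = 1, S and P are constructed,
# and Checksum is a constructed 2-bit function.
from itertools import product

T = 1                                   # error-correcting capability
G = [[1,0,0,0, 0,1,1,1],                # secret generator matrix, minimum distance 4
     [0,1,0,0, 1,0,1,1],
     [0,0,1,0, 1,1,0,1],
     [0,0,0,1, 1,1,1,0]]
S = [[1,1,0,0], [0,1,0,0], [0,0,1,1], [0,0,0,1]]   # S * S = I over GF(2)
S_INV = S
P_PERM = [5, 2, 7, 0, 3, 6, 1, 4]       # P moves coordinate j to P_PERM[j]
CHECKSUM_LEN = 2

def vec_mat(v, M):
    """Row vector times matrix over GF(2)."""
    return [sum(v[i] & M[i][j] for i in range(len(v))) & 1 for j in range(len(M[0]))]

def weight(v):
    return sum(v)

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def apply_p(v):          # v * P
    out = [0] * len(v)
    for j, bit in enumerate(v):
        out[P_PERM[j]] = bit
    return out

def apply_p_inv(v):      # v * P^-1
    return [v[P_PERM[j]] for j in range(len(v))]

G_PUB = [apply_p(vec_mat(row, G)) for row in S]   # G' = S G P

def checksum(m):
    """Constructed toy Checksum: two bits derived from the two message bits."""
    return [m[0] ^ m[1], m[0]]

def verify(m, C):
    return C == checksum(m)

def encrypt(m, e):
    """c = (m || Checksum(m)) * G' xor e; the caller supplies e so runs are repeatable."""
    return xor(vec_mat(m + checksum(m), G_PUB), e)

def decode_brute_force(cp):
    """Stand-in for the Goppa decoder: the u with weight(u*G xor cp) <= t, or None.
    With minimum distance 4 and t = 1 such a u is unique whenever it exists."""
    for u in product([0, 1], repeat=len(G)):
        if weight(xor(vec_mat(u, G), cp)) <= T:
            return list(u)
    return None

def decrypt(c):
    """Steps 1-7; returns ('Error' | 'Warning' | 'Ack', m or None)."""
    cp = apply_p_inv(c)                      # 1: c' = c P^-1 = m' S G xor e P^-1
    ms = decode_brute_force(cp)              # 2: strip the error, leaving m' S
    if ms is None:
        return ("Error", None)               #    more than t errors: decoding fails
    mpp = vec_mat(ms, S_INV)                 # 3: m'' = m' S * S^-1
    m, C = mpp[:-CHECKSUM_LEN], mpp[-CHECKSUM_LEN:]   # 4: split into (m || C)
    if not verify(m, C):
        return ("Error", None)               # 5: checksum failure
    if weight(xor(vec_mat(mpp, G_PUB), c)) != T:
        return ("Warning", None)             # 6: error-weight check failure
    return ("Ack", m)                        # 7

def oracle_type(c):
    """The trichotomy oracle's view of decrypt(): 1 = Error, 2 = Ack, 3 = Warning."""
    return {"Error": 1, "Ack": 2, "Warning": 3}[decrypt(c)[0]]

if __name__ == "__main__":
    m = [1, 0]
    for e in ([0]*8, [0,0,0,0,1,0,0,0], [0,0,0,0,1,0,1,0]):
        print("error weight", weight(e), "->", decrypt(encrypt(m, e)))
```

Running the block prints one line per error weight 0, 1 and 2: Warning, Ack and Error, i.e. the oracle's Type 3, Type 2 and Type 1. The only thing that separates this from the original two-type reaction oracle is the distinct Warning at step 6; an implementation that returns the same Error for steps 5 and 6 (or, better, one indistinguishable response for every failure) gives the attacker no third output type to work with.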