
Coding theory at work in cryptography: revisited
Grigory Kabatiansky, KUSTAR, UAE
on leave from IITP RAS, Russia

Coding and Cryptography Day in the UAE; May 21, 2012


Publications

- J.L. Massey, Some applications of coding theory in cryptography, Fourth IMA Conference on Cryptography and Coding, Cirencester, England, 1993.
- H.C.A. van Tilborg, Authentication codes: an area where coding and cryptography meet, 1995.
- G.R. Blakley, G.A. Kabatiansky, Coding problems of cryptography or codesets vs codewords, 97' IEEE Information Theory Workshop, Longyearbyen, Norway, 1997.
- H.C.A. van Tilborg, Coding theory at work in cryptology and vice versa, in: Handbook of Coding Theory (ed. V.S. Pless and W.C. Huffman), Vol. 2, Chapter 23, North-Holland, 1998, p. 1195-1227.
- H.C.A. van Tilborg, Authentication codes from error-correcting codes; an overview, in: Enhancing Cryptographic Primitives with Techniques from Error Correcting Codes, NATO Science for Peace and Security Series, IOS Press, 2009.

Collection: Codes for Crypto

- wire-tap channel (Wyner 1975, Ozarow & Wyner 1984)
- unconditional authentication (MacWilliams et al 1973, Simmons 1980s)
- secret sharing schemes (Blakley, Shamir, 1979)
- McEliece public-key cryptosystem (1978, and Niederreiter 1986)
- perfect hash functions (Mehlhorn, 1984)
- tracing traitors and digital fingerprinting (1994)
- steganography (G. Simmons, 1983)

OUT OF MY COLLECTION: local randomness, correlation immune functions, boolean functions via Reed-Muller codes, and many(?) others.

Codes

A linear $(n,k)$-code is $V = \{x = (x_1, \dots, x_n) : Hx^T = 0\}$, where the $(n-k) \times n$ matrix $H$ is called a parity-check matrix of the code $V$. Codes are designed to transmit messages: $m = (m_1, \dots, m_k) \mapsto mG$ and $V = \{mG\}$, where the $k \times n$ matrix $G$ is called a generator matrix of $V$. If we interchange the roles of the matrices $H$ and $G$, the resulting code is called the dual code. The Hamming distance is $d(x,y) = |\{i : x_i \ne y_i\}|$ and the minimal code distance is $d(V) = \min_{v \ne v',\ v,v' \in V} d(v,v')$. A code $V$ can correct $t$ errors iff $d(V) \ge 2t+1$ $\Leftrightarrow$ any $2t$ columns of $H$ are linearly independent.

Wire-tap channel

Wyner (1975) showed how one could obtain "perfect secrecy" when the receiver enjoys a better channel than the opponent does: channels with side information. "Perfect secrecy" without KEYS!

Consider the wire-tap channel II, introduced by Ozarow & Wyner (1984): the opponent can read any $L$ bits, but not more, of the total $n$ bits of ciphertext.

Cosets instead of codewords. Messages correspond to cosets of some linear $(n,k)$-code $V$, i.e. to the sets $V_s = \{x : Hx^T = s\}$, and a message $s$ is transmitted as a randomly chosen vector from $V_s$. The opponent has no information about the message if, for any coset and any $L$ positions, all $2^L$ vectors appear on these positions (and hence equally often!). In combinatorics this is known as an orthogonal array of strength $L$, and for linear codes it is equivalent to the dual code having distance at least $L+1$. For $L \le n/2$ this means that we can transmit messages at a nonzero rate $R \ge 1 - H(L/n)$ with perfect secrecy and without any keys.
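The following is an added example, not code from the slides: the linear-code definitions above and the coset coding of the wire-tap channel II, worked in Python on the [7,4] Hamming code (a textbook choice the slides do not themselves use; its dual is the [7,3,4] simplex code). It checks the "any $2t$ columns independent" criterion, decodes a single error from the syndrome, sends a 3-bit message as a random element of the corresponding coset, and verifies the orthogonal-array condition: an opponent reading any $L = 3$ of the 7 bits sees every pattern equally often, while $L = 4$ already leaks a parity.

```python
# Added example (not from the slides): a binary linear code given by its
# parity-check matrix H, the "corrects t errors <=> any 2t columns of H are
# independent" criterion, syndrome decoding, and Ozarow-Wyner coset coding
# for the wire-tap channel II.  The [7,4] Hamming code is a textbook code
# chosen for the illustration; its dual is the [7,3,4] simplex code.
import random
from itertools import combinations, product

# Column i of H is the binary expansion of i+1 (MSB in row 0), so the
# syndrome of a single error at position i reads as the number i+1.
H = [
    [0, 0, 0, 1, 1, 1, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [1, 0, 1, 0, 1, 0, 1],
]

def syndrome(H, x):
    """s = H x^T over GF(2); s == 0 exactly for the codewords of V."""
    return tuple(sum(h[i] * x[i] for i in range(len(x))) % 2 for h in H)

def coset(H, s):
    """V_s = {x : H x^T = s}; s = (0,...,0) is the code V itself."""
    n = len(H[0])
    return [x for x in product((0, 1), repeat=n) if syndrome(H, x) == tuple(s)]

def dual_code(H):
    """V^perp = row space of H (all GF(2)-combinations of the rows)."""
    n = len(H[0])
    return [tuple(sum(c * h[j] for c, h in zip(coeffs, H)) % 2 for j in range(n))
            for coeffs in product((0, 1), repeat=len(H))]

def min_distance(words):
    """For a linear code, d(V) equals the minimum nonzero weight."""
    return min(sum(w) for w in words if any(w))

def columns_independent(H, idx):
    """Are the columns of H indexed by idx linearly independent over GF(2)?"""
    cols = [tuple(h[i] for h in H) for i in idx]
    for coeffs in product((0, 1), repeat=len(cols)):
        if any(coeffs) and not any(
                sum(c * col[j] for c, col in zip(coeffs, cols)) % 2 for j in range(len(H))):
            return False
    return True

def error_capability(H):
    """Largest t such that every set of 2t columns of H is independent,
    i.e. t = floor((d(V) - 1) / 2)."""
    n, t = len(H[0]), 0
    while 2 * (t + 1) <= n and all(columns_independent(H, idx)
                                   for idx in combinations(range(n), 2 * (t + 1))):
        t += 1
    return t

def decode_single_error(H, y):
    """Syndrome decoding for this H: a nonzero syndrome is the column of the
    flipped position, so the error position is (syndrome as a number) - 1."""
    s = syndrome(H, y)
    y = list(y)
    if any(s):
        y[int("".join(map(str, s)), 2) - 1] ^= 1
    return y

# ---- wire-tap channel II: cosets instead of codewords ----

def wiretap_encode(H, s, rng=None):
    """Send message s (an (n-k)-bit syndrome) as a random element of V_s."""
    rng = rng or random.Random(2012)
    return list(rng.choice(coset(H, s)))

def wiretap_decode(H, x):
    """The legitimate receiver sees all n bits and just computes the syndrome."""
    return syndrome(H, x)

def is_orthogonal_array(H, L):
    """Secrecy check: in every coset V_s, every choice of L positions shows
    all 2^L patterns equally often (orthogonal array of strength L).  For a
    linear code this holds iff the dual code has distance >= L+1."""
    n, r = len(H[0]), len(H)
    for s in product((0, 1), repeat=r):
        words = coset(H, s)
        for idx in combinations(range(n), L):
            counts = {}
            for w in words:
                pat = tuple(w[i] for i in idx)
                counts[pat] = counts.get(pat, 0) + 1
            if len(counts) != 2 ** L or len(set(counts.values())) != 1:
                return False
    return True

if __name__ == "__main__":
    x = wiretap_encode(H, (1, 0, 1))
    print("sent", x, "decoded", wiretap_decode(H, x))
    print("d(V) =", min_distance(coset(H, (0, 0, 0))), "t =", error_capability(H))
    print("d(V^perp) =", min_distance(dual_code(H)),
          "secure vs L=3:", is_orthogonal_array(H, 3), "L=4:", is_orthogonal_array(H, 4))
```

Here the message rate is $3/7$, far above the Gilbert-Varshamov guarantee $1 - H(3/7)$ at this tiny length; the bound in the slide is an existence statement for long codes, while a specific short code can do much better.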

Unconditional authentication

The opponent can arbitrarily change a ciphertext, and moreover it is assumed that he knows the corresponding plaintext. There is no way to correct such errors, but is it possible to guarantee error detection, with a rather small probability of mistake? Let $P_S$ be the probability that the opponent successfully substitutes a false message. MacWilliams et al. proved that $P_S \ge 1/|K|$, and moreover that equality implies $|K| \ge |M|^2$. But what if we allow $P_S \le \epsilon + 1/|K|$? (Such a family is also called an $\epsilon$-2-universal hash family.) The answer: exponentially many messages in $|K|$! Take a "code" of length $n = |K|$ with $|M|$ codewords, where the $k$-th position of the codeword of $m$ is the authentication tag attached to $m$ under the key $k$ (T. Johansson, G. Kabatiansky and B. Smeets, Eurocrypt-93).
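An added example, not from the slides, of the "codeword positions are tags" idea: the polynomial-evaluation A-code over $GF(p)$, where the key is a pair $(a,b)$, the message is a polynomial $m(x) = m_1 x + \dots + m_D x^D$ without constant term, and the tag is $m(a) + b$. The codeword of $m$ is the vector of its tags over all keys, i.e. a Reed-Solomon-like evaluation vector, and two distinct messages agree in few positions. The toy parameters $p = 7$, $D = 2$ are chosen here so that $P_I$ and $P_S$ can be computed exactly by exhaustive search; the "naive" variant with the key $a$ alone and a constant term allowed is included to show the failure mode that the second key part $b$ prevents.

```python
# Added example (not from the slides): the polynomial-evaluation A-code
# over GF(p) -- key (a, b), message m(x) = m_1 x + ... + m_D x^D without
# constant term, tag m(a) + b -- with the impersonation and substitution
# probabilities P_I and P_S computed exactly by brute force for the toy
# parameters p = 7, D = 2.  The "naive" variant (key a alone, constant term
# allowed) is included to show why both key parts are needed.
from fractions import Fraction
from itertools import product

P, D = 7, 2

def evaluate(coeffs, a, p=P):
    """m(a) = m_1 a + m_2 a^2 + ... for coeffs = (m_1, ..., m_D)."""
    return sum(c * pow(a, i + 1, p) for i, c in enumerate(coeffs)) % p

def tag(m, key, p=P):
    a, b = key
    return (evaluate(m, a, p) + b) % p

MESSAGES = list(product(range(P), repeat=D))   # |M| = p^D = 49
KEYS = list(product(range(P), repeat=2))        # |K| = p^2 = 49

def naive_tag(m, a, p=P):
    """Broken variant: key is the point a only and m = (m_0, m_1) keeps its
    constant term, so tag = m_0 + m_1 a."""
    return (m[0] + m[1] * a) % p

NAIVE_KEYS = list(range(P))

def tag_table(tagf, keys, msgs):
    """The 'code': row m, column k holds the tag of m under key k."""
    return {(m, k): tagf(m, k) for m in msgs for k in keys}

def impersonation_prob(tagf=tag, keys=KEYS, msgs=MESSAGES, p=P):
    """P_I = max over (m, t) of Pr_k[tag_k(m) = t], key uniform."""
    table = tag_table(tagf, keys, msgs)
    best = max(sum(1 for k in keys if table[m, k] == t) for m in msgs for t in range(p))
    return Fraction(best, len(keys))

def substitution_prob(tagf=tag, keys=KEYS, msgs=MESSAGES, p=P):
    """P_S = max over an observed valid (m, t) and a forgery m' != m of
    Pr[tag_k(m') = t'] for the best t', with k uniform among the keys
    consistent with the observation (the opponent knows the plaintext m)."""
    table = tag_table(tagf, keys, msgs)
    best = Fraction(0)
    for m in msgs:
        for t in range(p):
            consistent = [k for k in keys if table[m, k] == t]
            if not consistent:
                continue
            for m2 in msgs:
                if m2 == m:
                    continue
                counts = {}
                for k in consistent:
                    v = table[m2, k]
                    counts[v] = counts.get(v, 0) + 1
                best = max(best, Fraction(max(counts.values()), len(consistent)))
    return best

if __name__ == "__main__":
    print("P_I =", impersonation_prob(), " P_S =", substitution_prob(), "= D/p")
    print("naive P_S =", substitution_prob(naive_tag, NAIVE_KEYS))
```

The result $P_S = D/p$ comes from the fact that $m'(x) - m(x) - c$ is a nonzero polynomial of degree at most $D$ and so has at most $D$ roots; $D$ message symbols are authenticated with a two-symbol key, so $|M| = p^D$ grows exponentially in $D$ while the key stays at $p^2$. In the naive variant the opponent simply adds a constant to the message and to the tag, and $P_S = 1$.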

SSS and McENi

Secret sharing schemes were invented by Blakley and Shamir in 1979, and McEliece & Sarwate showed in 1981 that Shamir's secret sharing = Reed-Solomon codes. Massey proposed a construction of SSS via minimal codewords in 1993, and then van Dijk and Blakley & Kabatiansky gave the more general "all or nothing" scheme. Codes and matroids.

The McEliece cryptosystem (1978) and its "syndrome" version by Niederreiter (1986) are based on the unproved conjecture that decoding general linear codes up to $d/2$ is NP-hard, and on the assumption that the suggested "hiding" of Goppa codes is really good. A digital signature in McEliece-Niederreiter style needs a family of codes with good error-correcting properties and efficient maximum-likelihood decoding (MLD)! Not known yet.
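An added example, not code from the slides, of the McEliece-Sarwate observation that Shamir's scheme is a Reed-Solomon code: the secret is $f(0)$, the $n$ shares are $f(1), \dots, f(n)$, the vector $(f(0), f(1), \dots, f(n))$ is a codeword of the RS code of length $n+1$ and dimension $k$, and reconstructing the secret from any $k$ shares is erasure decoding of coordinate 0 by Lagrange interpolation. The parameters $p = 17$, $k = 3$, $n = 5$ are constructed for the illustration; the last function checks the "ideal" property of the scheme by brute force.

```python
# Added example (not from the slides): Shamir's (k, n) threshold scheme over
# GF(p) viewed as a Reed-Solomon codeword, the observation of McEliece and
# Sarwate (1981).  The secret is f(0), the shares are f(1), ..., f(n), and
# recovering the secret from any k shares is erasure decoding of the RS code
# by Lagrange interpolation.  p = 17, k = 3, n = 5 are constructed toy
# parameters; nothing here is the slides' own code.
import random
from itertools import product

P = 17

def eval_poly(coeffs, x, p=P):
    """coeffs[0] + coeffs[1] x + ... + coeffs[k-1] x^(k-1) mod p (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def rs_codeword(coeffs, n, p=P):
    """(f(0), f(1), ..., f(n)): a codeword of the RS code of length n+1 and
    dimension k = len(coeffs); coordinate 0 is the secret, 1..n the shares."""
    return [eval_poly(coeffs, x, p) for x in range(n + 1)]

def share(secret, k, n, rng=None, p=P):
    """Shamir: random f of degree < k with f(0) = secret; share i is (i, f(i))."""
    rng = rng or random.Random(2012)
    coeffs = [secret % p] + [rng.randrange(p) for _ in range(k - 1)]
    word = rs_codeword(coeffs, n, p)
    return [(i, word[i]) for i in range(1, n + 1)]

def lagrange_at(points, x0, p=P):
    """Value at x0 of the unique polynomial of degree < len(points) through
    the given (x, y) points; x0 = 0 recovers the erased secret coordinate."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p   # pow(., -1, p): inverse mod p (Python 3.8+)
    return total

def reconstruct(shares, p=P):
    """Any k shares (k = threshold) recover f(0)."""
    return lagrange_at(shares, 0, p)

def is_rs_codeword(word, k, p=P):
    """Membership test for {(f(0), ..., f(n)) : deg f < k}: the first k
    coordinates determine f, the remaining ones must agree with it."""
    pts = list(enumerate(word[:k]))
    return all(lagrange_at(pts, x, p) == y for x, y in enumerate(word))

def privacy_profile(shares, k, p=P):
    """For fewer than k shares: how many polynomials of degree < k are
    consistent with them, per secret value.  Perfect privacy (the ideal
    scheme) means every secret value gets the same count."""
    counts = {}
    for coeffs in product(range(p), repeat=k):
        if all(eval_poly(coeffs, x, p) == y for x, y in shares):
            counts[coeffs[0]] = counts.get(coeffs[0], 0) + 1
    return counts

if __name__ == "__main__":
    shares = share(5, 3, 5)
    print("shares", shares, "-> secret", reconstruct(shares[:3]))
    print("codeword?", is_rs_codeword([5] + [y for _, y in shares], 3))
    print("2 shares leave", privacy_profile(shares[:2], 3))
```

With $n = 5$ the code has length 6, dimension 3 and distance 4, so the same interpolation view also tells you that one corrupted share can be corrected, or that any single modified share is detected by the membership test.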

Perfect hash functions

Another theoretic approach to hash functions: the property that for any $s$ points there is a function in the family which separates all these points. Mehlhorn, 1984. Fredman & Komlós, "On the size of separating systems and families of perfect hash functions", 1984. Körner & Marton, "New bounds for perfect hashing via information theory", 1988. Blackburn & Wild (1998) and Bassalygo et al (1997): new upper bounds and a better random coding technique. Linear codes are not good any more! The number of separating coordinates as a generalization of the Hamming distance (Bassalygo et al). Generalized hashing was applied to solve the parent identifying codes problem (Barg et al, 2001).

Fingerprinting codes

Tracing traitors: Chor, Fiat, Naor, 1994. Collusion secure digital fingerprinting: Boneh and Shaw, 1998. Parent identifying codes: van Lint et al, 1996; Barg et al, 2001. Tracing traitors or parent identifying codes combine properties of hash and separating codes. Fingerprinting codes: a new type of random codes, Tardos (2003). Question about the capacity of the corresponding channel, similar to but more difficult than the capacity of arbitrarily varying channels.
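An added example, not from the slides, for the two preceding slides (separating codes and parent identifying codes): a brute-force check of the identifiable parent property for coalitions of size $t = 2$, together with a tracer that returns a codeword lying in every coalition able to produce a given descendant. The two codes are constructed Reed-Solomon codes over $GF(5)$: RS(5,2) has distance $4 > (1 - 1/t^2) n = 3.75$, so by the Chor-Fiat-Naor distance condition it is 2-traceable and hence 2-IPP, while RS(5,3) with distance 3 fails 2-IPP.

```python
# Added example (not from the slides): brute-force check of the identifiable
# parent property for coalitions of size t = 2 on two constructed
# Reed-Solomon codes over GF(5), plus a tracer returning a codeword that lies
# in every coalition able to produce a given descendant.  RS(5,2) has
# d = 4 > (1 - 1/t^2) n = 3.75, so it is 2-TA and hence 2-IPP (the
# distance condition of Chor-Fiat-Naor); RS(5,3), with d = 3, fails 2-IPP.
from itertools import combinations, product

Q = 5

def rs_code(n, k, q=Q):
    """All evaluations (f(0), ..., f(n-1)) of polynomials of degree < k over GF(q)."""
    words = {tuple(sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q for x in range(n))
             for coeffs in product(range(q), repeat=k)}
    return sorted(words)

def descendants(coalition):
    """desc(C): all words whose i-th symbol equals the i-th symbol of some parent in C."""
    n = len(coalition[0])
    per_coord = [sorted({c[i] for c in coalition}) for i in range(n)]
    return set(product(*per_coord))

def parent_sets(code, t):
    """Map each descendant of some coalition of size <= t to every coalition producing it."""
    table = {}
    for size in range(1, t + 1):
        for coal in combinations(code, size):
            for z in descendants(coal):
                table.setdefault(z, []).append(frozenset(coal))
    return table

def is_ipp(code, t):
    """t-IPP: for every descendant z, all coalitions producing z share a member."""
    return all(frozenset.intersection(*coals) for coals in parent_sets(code, t).values())

def trace(code, t, z):
    """Identify a parent: a codeword common to all coalitions of size <= t producing z."""
    coals = parent_sets(code, t).get(tuple(z))
    if coals is None:
        raise ValueError("not a descendant of any coalition of size <= t")
    common = frozenset.intersection(*coals)
    if not common:
        raise ValueError("no parent can be identified")
    return min(common)

if __name__ == "__main__":
    good, bad = rs_code(5, 2), rs_code(5, 3)
    print("RS(5,2) 2-IPP:", is_ipp(good, 2), " RS(5,3) 2-IPP:", is_ipp(bad, 2))
    a, b = (0, 0, 0, 0, 0), (0, 1, 2, 3, 4)          # f = 0 and f = x
    z = a[:3] + b[3:]                                  # pirate copy built from {a, b}
    print("descendant", z, "traced to", trace(good, 2, z))
```

The exhaustive search is only feasible for such tiny codes; the point is to see the definition at work, not to trace in practice. The failure of RS(5,3) is witnessed by a descendant of two disjoint pairs, which is exactly the situation the separating-coordinates count of the previous slide is designed to rule out.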

Steganography: combinatorial model

Let $B^n = \{0,1\}^n$ denote the $n$-dimensional Boolean cube. Alice wants to send Bob $k$ bits of information $x = (x_1, \dots, x_k)$ by embedding them into some covertext $c = (c_1, \dots, c_n) \in B^n$. Embedding (encoding) is a mapping $E : B^n \times B^k \to B^n$ such that
1. there is a "decoding" $g : B^n \to B^k$ s.t. $g(E(x,c)) = x$;
2. the embedding is $T$-"invisible", i.e. $d_H(c, E(x,c)) \le T$.
Let $V(x) = \{E(x,c) : c \in B^n\}$ be the set of all stegotexts corresponding to a given message $x$. Property 2 $\Rightarrow$ every set $V(x)$ is a covering of $B^n$ by Hamming spheres of radius $T$. Hence $|V(x)| \ge |B^n| / |S(n,T)|$, where $|S(n,T)| = \sum_{i=0}^{T} \binom{n}{i}$. Since the sets $V(x)$ are disjoint by property 1, it follows (Galand & Kabatiansky, 2003) that for any stegosystem (linear or not)
$$k \le \log_2 |S(n,T)| \le nH(T/n). \qquad (1)$$

Writing on wet paper = codes correcting defects

J. Fridrich et al (2005) observed that a natural restriction for steganography, that some positions of a covertext are better not touched, i.e. are "locked", can be interpreted as the codes correcting defects studied before in coding theory. Let $n$ be the length of a covertext (the code length) and $t$ the number of locked (wet) or defective positions. For a $q$-ary alphabet, cosets of RS codes allow sending (hiding) $n - t$ symbols. For larger $n$ it is known that the minimal redundancy $r(n,t)$ of codes correcting $t$ defects satisfies
$$t \le r(n,t) \le t + \log_2 \ln\Big(\binom{n}{t} 2^t\Big) \quad \text{(Kuznetsov \& Tsybakov, 1974)},$$
BUT $r(n,t) \ge nH(t/n)$ for linear codes if the GV bound is tight (Tsybakov, 1975), while
$$r(n,t) \le t + 1 + \log_2 \log_2 \binom{n}{t}$$
for a "smart" usage of linear codes (Dumer, 1990).
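An added example, not from the slides, covering both this slide and the previous one: syndrome ("matrix") embedding with the [7,4] Hamming code, which hides $k = 3$ bits in $n = 7$ cover bits by flipping at most $T = 1$ bit and so meets bound (1), $k \le \log_2 |S(7,1)| = 3$, with equality; and its wet-paper variant, where a constructed set of locked positions must not be changed, so the change vector has to be supported on the dry positions. The last function checks, for this linear $H$, which numbers $t$ of wet positions can always be tolerated.

```python
# Added example (not from the slides): syndrome ("matrix") embedding with the
# [7,4] Hamming code -- k = 3 message bits hidden in n = 7 cover bits by
# flipping at most T = 1 bit, which meets the bound k <= log2 |S(7,1)| = 3
# with equality -- and its wet-paper variant, where a constructed set of
# locked (wet) positions must not be changed, so the change vector has to be
# supported on the dry positions.  Brute-force search; fine at this length.
from itertools import combinations, product
from math import comb

H = [
    [0, 0, 0, 1, 1, 1, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [1, 0, 1, 0, 1, 0, 1],
]

def syndrome(H, x):
    return tuple(sum(h[i] * x[i] for i in range(len(x))) % 2 for h in H)

def extract(H, y):
    """Receiver g(.): the hidden bits are the syndrome of the stegotext."""
    return syndrome(H, y)

def embed(H, cover, msg, wet=(), max_changes=None):
    """Stegotext with syndrome msg obtained from cover with the fewest flips,
    none of them at a wet position; None if no admissible change exists."""
    n = len(cover)
    dry = [i for i in range(n) if i not in set(wet)]
    limit = len(dry) if max_changes is None else min(max_changes, len(dry))
    s = syndrome(H, cover)
    target = tuple((m - si) % 2 for m, si in zip(msg, s))   # syndrome the change vector must have
    for w in range(limit + 1):
        for idx in combinations(dry, w):
            e = [1 if i in idx else 0 for i in range(n)]
            if syndrome(H, e) == target:
                return [c ^ b for c, b in zip(cover, e)]
    return None

def hamming(x, y):
    return sum(a != b for a, b in zip(x, y))

def sphere_size(n, T):
    """|S(n, T)| = sum_{i<=T} C(n, i), the right-hand side of bound (1)."""
    return sum(comb(n, i) for i in range(T + 1))

def max_distortion(H, cover):
    """Largest number of flips needed over all 2^r messages (no wet positions)."""
    r = len(H)
    return max(hamming(cover, embed(H, cover, msg)) for msg in product((0, 1), repeat=r))

def handles_all_wet_sets(H, t):
    """Can every t-set of wet positions be tolerated for every message?  For a
    linear H this holds iff the columns at any n-t dry positions span GF(2)^r,
    i.e. iff the code generated by the rows of H has distance >= t+1."""
    n, r = len(H[0]), len(H)
    zero = [0] * n
    return all(embed(H, zero, msg, wet=wet) is not None
               for wet in combinations(range(n), t)
               for msg in product((0, 1), repeat=r))

if __name__ == "__main__":
    cover = [1, 0, 1, 1, 0, 0, 1]                     # constructed 7-bit cover
    y = embed(H, cover, (1, 0, 1), max_changes=1)
    print("stego", y, "flips", hamming(cover, y), "extracted", extract(H, y))
    print("worst case over all messages:", max_distortion(H, cover), "<= T = 1;",
          "2^k = 8 = |S(7,1)| =", sphere_size(7, 1))
    print("wet {0,1,2}:", embed(H, cover, (1, 0, 0), wet=(0, 1, 2)),
          " wet {3,4,5,6}:", embed(H, cover, (1, 0, 0), wet=(3, 4, 5, 6)))
    print("tolerates any 3 wet:", handles_all_wet_sets(H, 3),
          " any 4 wet:", handles_all_wet_sets(H, 4))
```

The rows of $H$ generate the [7,3,4] simplex code, so any $t \le 3$ wet positions are always fine but some sets of $t = 4$ are not: with redundancy $r = 3$ this linear scheme tolerates exactly $t = r$ wet positions here, and in general a linear $H$ tolerates all $t$-sets only when its row code has distance above $t$, which is where the extra redundancy of linear defect-correcting codes on the slide comes from.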

Locked positions and distortion

If I were J. Fridrich et al (2005), I would consider the following problem: to hide $k$ bits of information via covertexts of length $n$ with the minimal possible distortion $T$ (max or average), under the additional restriction that a covertext can have $t$ or fewer locked positions. It is easy to prove that
$$k \le t + (n-t)\,H\!\left(\frac{T}{n-t}\right).$$
A solution which asymptotically achieves this bound is given by random coding, thanks to V. Blinovsky's (1990) results on covering codes.