Weak Keys for the Quasi-Cyclic MDPC Public Key Encryption Scheme

Abstract

We analyze a new key recovery attack against the Quasi-Cyclic MDPC McEliece scheme. Retrieving the secret key from the public data is usually tackled down using exponential time algorithms aiming to recover minimum weight codewords and thus constructing an equivalent code. We use here a different approach and give under certain hypothesis an algorithm that is able to solve a key equation relating the public key to the private key. We relate this equation to a well known problem the Rational Reconstruction Problem and therefore propose a natural solution based on the extended Euclidean algorithm. All private keys satisfying the hypothesis are declared weak keys. In the same time we give a precise number of weak keys and extend our analysis by considering all possible cyclic shifts on the private keys. This task is accomplished using combinatorial objects like Lyndon words. We improve our approach by using a generalization of the Frobenius action which enables to increase the proportion of weak keys. Lastly, we implement the attack and give the probability to draw a weak key for all the security parameters proposed by the designers of the scheme.

A Appendix

Proof of Theorem 1 First of all we define the variables involved in the theorem. Let \(p,\omega ,k\) be integers, such that \(1\leqslant \omega \leqslant p\) and \( k \leqslant p-\omega \). A finite word w is a Lyndon word if w is strictly smaller for the lexicographical order than all of its cyclic shifts. We denote by \(\mathcal {L}(\mathcal A)\) the set of Lyndon words over an alphabet \(\mathcal A\). Let \(\mathcal {B}\) be a binary alphabet, and \(\mathcal {L}^{\leqslant k}(\mathcal {B},p,\omega )\) the set of all Lyndon words with length p, number of ones equal to \(\omega \) and the longest run of zeros less or equal to k over \(\mathcal {B}\). Let \(\mathcal {A}_k=\{a_0,a_1,\dots ,a_k\}\) be an alphabet. Monoids \(\mathcal {A}_k^*\) and \(\mathcal {B}^*\) are endowed with the lexicographic orders satisfying \(0<1\) and \(a_k<\dots <a_0\). The morphism

$$\begin{aligned} \varphi :\mathcal {A}_k^*&\rightarrow \left( 0^*1\right) ^*\subset \mathcal {B}^* \\ a_i&\rightarrow 0^i1 \end{aligned}$$

is clearly an order preserving isomorphism. We deduce that \(w\in \mathcal {A}_k^*\) is a Lyndon word if and only if \(\varphi (w)\) is a Lyndon word (see [Ric03] for details). Setting \(\psi (a_{l_0}\dots a_{l_{j-1}})=j+\sum \limits _{m=0}^{j-1}l_{m}\) we obtain \(\psi (w)=|\varphi (w)|.\)

If we set \(\mathcal {L}_{\psi }(\mathcal {A}_k,\omega ,p)=\bigg \{l \in \mathcal {L}(\mathcal {A}_k) \quad \bigg |\quad |l|=\omega \text { and }\psi (l)=p\bigg \}\) then

$$\varphi \left( \mathcal {L}_{\psi }(\mathcal {A}_k,\omega ,p)\right) = \mathcal {L}_{}^{\leqslant k}(\mathcal {B},p,\omega ).$$

Hence, it suffices to compute \(\left| \mathcal {L}_{\psi }(\mathcal {A}_k,\omega ,p)\right| .\) We use the fact that the alphabet \(\mathcal {A}_k\) is the generating basis for all words in the free monoid \(\mathcal {A}_k^*.\) In terms of formal series this means

$$\begin{aligned} \sum \limits _{w\in \mathcal {A}_k^{\star }}w=\dfrac{1}{1-\sum \limits _{i=0}^{k}a_i}. \end{aligned}$$

(27)

Then we use the Chen-Fox-Lyndon theorem that states that each word can be uniquely expressed as a decreasing product of Lyndon words [KTC58, Lot02]

$$\begin{aligned} \sum \limits _{w\in \mathcal {A}_k^{\star }}w=\prod \limits _{l \in \mathcal {L}(\mathcal {A}_k)}^{\swarrow }\dfrac{1}{1-l}. \end{aligned}$$

(28)

Sending each letter \(a_{l_m}\) to \(zx^{l_m+1}\) one obtains

$$\begin{aligned} \dfrac{1}{1-z\sum \limits _{i=1}^{k+1}x^i}=\prod \limits _{1\leqslant j \leqslant i}^{\infty }{\bigg ( \dfrac{1}{1-x^iz^j}\bigg )}^{\left| \mathcal {L}_{\psi }(\mathcal {A}_k,j,i)\right| }. \end{aligned}$$

(29)

We apply the logarithm in each side of the equality above and develop using the Taylor expansion. In the resulting formula we compare the coefficient of \(z^\omega x^p\) in the left hand side and the right hand side and obtain

$$\begin{aligned} \sum \limits _{\begin{array}{c} j|\omega \\ \frac{\omega }{j}|p \end{array}}j{\left| \mathcal {L}_{\psi }(\mathcal {A}_k,j,\frac{p}{\omega }j)\right| }=\left( {\begin{array}{c}\omega \\ p-\omega \end{array}}\right) _{k}, \end{aligned}$$

(30)

where \( \left( {\begin{array}{c}\omega \\ p\end{array}}\right) _{k}\) denotes the coefficient of \(x^p\) in \((1+x+x^2+\dots +x^k)^\omega .\)

We rewrite the last equation as

$$\begin{aligned} \sum \limits _{ j|\gcd (\omega ,p) }\frac{\omega }{j}{\left| \mathcal {L}_{\psi }(\mathcal {A}_k,\frac{\omega }{j},\frac{p}{j})\right| }=\left( {\begin{array}{c}\omega \\ p-\omega \end{array}}\right) _{k}, \end{aligned}$$

(31)

and apply the Möbius Inversion [Mob32, Lan09]to find the wanted result.

Proof of Proposition 8 By definition we have:

$$\begin{aligned} P\left( Y_{p,\omega _1,\omega _2}\geqslant p-1\right) =\sum \limits _{\omega _2-1\leqslant k\leqslant p-\omega _1}f_{X_{p,\omega _1}}(k)\left( 1-F_{X_{p,\omega _2}}(p-k-1-1)\right) . \end{aligned}$$

Lemma 3

Let \(\omega \geqslant 2\) and p prime. Then for \(k>\lfloor \frac{p-\omega }{2}\rfloor \) we have

$$\begin{aligned} f_{X_{p,\omega }}(k)=\dfrac{\omega \left( {\begin{array}{c}p-k-2\\ \omega -2\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega -1\end{array}}\right) },\quad F_{X_{p,\omega }}(k-1)=1-\dfrac{\omega \left( {\begin{array}{c}p-k-1\\ \omega -1\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega -1\end{array}}\right) }. \end{aligned}$$

(32)

For \(k\leqslant \lfloor \frac{p-\omega }{2}\rfloor \) the bounds are

$$\begin{aligned} \dfrac{\omega \left( {\begin{array}{c}p-k-2\\ \omega -2\end{array}}\right) -\left( {\begin{array}{c}\omega \\ 2\end{array}}\right) \left[ \left( {\begin{array}{c}p-2k-1\\ \omega -1\end{array}}\right) -\left( {\begin{array}{c}p-2k-3\\ \omega -1\end{array}}\right) \right] }{\left( {\begin{array}{c}p-1\\ \omega -1\end{array}}\right) }\leqslant f_{X_{p,\omega }}(k)\leqslant \dfrac{\omega \left( {\begin{array}{c}p-k-2\\ \omega -2\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega -1\end{array}}\right) }, \end{aligned}$$

(33)

$$\begin{aligned} \dfrac{\omega \left( {\begin{array}{c}p-k-1\\ \omega -1\end{array}}\right) -\left( {\begin{array}{c}\omega \\ 2\end{array}}\right) \left( {\begin{array}{c}p-2k-1\\ \omega -1\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega -1\end{array}}\right) }\leqslant 1- F_{X_{p,\omega }}(k-1)\leqslant \dfrac{\omega \left( {\begin{array}{c}p-k-1\\ \omega -1\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega -1\end{array}}\right) }. \end{aligned}$$

(34)

For the upper bound, this gives

$$\begin{aligned} P\left( Y_{p,\omega _1,\omega _2}\geqslant p-1\right)&\leqslant \sum \limits _{k=\omega _2-1}^{p-\omega _1} \omega _1\dfrac{\left( {\begin{array}{c}p-k-2\\ \omega _1-2\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega _1-1\end{array}}\right) }\omega _2 \dfrac{\left( {\begin{array}{c}k\\ \omega _2-1\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega _2-1\end{array}}\right) } =\dfrac{\omega _1\omega _2\left( {\begin{array}{c}p-1\\ \omega _1+\omega _2-2\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega _1-1\end{array}}\right) \left( {\begin{array}{c}p-1\\ \omega _2-1\end{array}}\right) }. \end{aligned}$$

(35)

For the lower bound, we separate our sum into three different sums, for \(k\leqslant \lfloor \frac{p-\omega _1}{2}\rfloor \), \(\lfloor \frac{p-\omega _1}{2}\rfloor < k < p-1-\lfloor \frac{p-\omega _2}{2}\rfloor = \lceil \frac{p+\omega _2}{2}\rceil -1\) and \(\lceil \frac{p+\omega _2}{2}\rceil -1\leqslant k \leqslant p-\omega _1\) and use relations (32),  (33) and (34):

$$\begin{aligned}P\left( Y_{p,\omega _1,\omega _2}\geqslant p-1\right)&\geqslant \sum \limits _{k=\omega _2-1}^{p-\omega _1} \omega _1\dfrac{\left( {\begin{array}{c}p-k-2\\ \omega _1-2\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega _1-1\end{array}}\right) }\omega _2 \dfrac{\left( {\begin{array}{c}k\\ \omega _2-1\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega _2-1\end{array}}\right) }\\&\quad -\sum \limits _{k=\omega _2-1}^{\lfloor \frac{p-\omega _1}{2}\rfloor } \left( {\begin{array}{c}\omega _1\\ 2\end{array}}\right) \dfrac{\left( {\begin{array}{c}p-2k-1\\ \omega _1-1\end{array}}\right) -\left( {\begin{array}{c}p-2k-3\\ \omega _1-1\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega _1-1\end{array}}\right) }\omega _2 \dfrac{\left( {\begin{array}{c}k\\ \omega _2-1\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega _2-1\end{array}}\right) }\\&\quad -\sum \limits _{k=\lceil \frac{p+\omega _2}{2}\rceil -1}^{p-\omega _1} \left( {\begin{array}{c}\omega _2\\ 2\end{array}}\right) \dfrac{\left( {\begin{array}{c}p-k-2\\ \omega _1-2\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega _1-1\end{array}}\right) }\omega _1 \dfrac{\left( {\begin{array}{c}2k-p+1\\ \omega _2-1\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega _2-1\end{array}}\right) } \end{aligned}$$

We use the relations \(\left( {\begin{array}{c}p-2k-1\\ \omega _1-1\end{array}}\right) -\left( {\begin{array}{c}p-2k-3\\ \omega _1-1\end{array}}\right) = \left( {\begin{array}{c}p-2k-2\\ \omega _1-2\end{array}}\right) +\left( {\begin{array}{c}p-2k-3\\ \omega _1-2\end{array}}\right) \leqslant 2\left( {\begin{array}{c}p-2k-2\\ \omega _1-2\end{array}}\right) \) (as \(\omega _1\geqslant 2\)), \(\dfrac{\omega _1\omega _2}{\left( {\begin{array}{c}p-1\\ \omega _1-1\end{array}}\right) \left( {\begin{array}{c}p-1\\ \omega _2-1\end{array}}\right) } = \dfrac{p^2}{\left( {\begin{array}{c}p\\ \omega _1\end{array}}\right) \left( {\begin{array}{c}p\\ \omega _2\end{array}}\right) }\) and a change of variable \(k\rightarrow p-k-2\) in the last sum to get

$$\begin{aligned} \dfrac{\left( {\begin{array}{c}p\\ \omega _1\end{array}}\right) \left( {\begin{array}{c}p\\ \omega _2\end{array}}\right) }{p^2}P\left( Y_{p,\omega _1,\omega _2}\geqslant p-1\right)&\geqslant \left( {\begin{array}{c}p-1\\ \omega -2\end{array}}\right) -\omega _1\sum \limits _{k=\omega _2-1}^{\lfloor \frac{p-\omega _1}{2}\rfloor } \left( {\begin{array}{c}p-2k-2\\ \omega _1-2\end{array}}\right) \left( {\begin{array}{c}k\\ \omega _2-1\end{array}}\right) \\&\quad -\frac{1}{2}\omega _2\sum \limits _{k=\omega _1-2}^{\lfloor \frac{p-\omega _2}{2}\rfloor -1} \left( {\begin{array}{c}p-2k-3\\ \omega _2-1\end{array}}\right) \left( {\begin{array}{c}k\\ \omega _1-2\end{array}}\right) \end{aligned}$$

Now we use the bound \(\left( {\begin{array}{c}p-2k-2\\ \omega _1-2\end{array}}\right) \left( {\begin{array}{c}k\\ \omega _2-1\end{array}}\right) \leqslant \left( {\begin{array}{c}p-k-2\\ \omega -3\end{array}}\right) \) and the relation from [Gou72] \(\sum _{k=r}^s \left( {\begin{array}{c}a-k\\ b\end{array}}\right) = \left( {\begin{array}{c}a-r+1\\ b+1\end{array}}\right) -\left( {\begin{array}{c}a-s\\ b+1\end{array}}\right) \leqslant \left( {\begin{array}{c}a-r+1\\ b+1\end{array}}\right) \) to get

$$\begin{aligned} \dfrac{\left( {\begin{array}{c}p\\ \omega _1\end{array}}\right) \left( {\begin{array}{c}p\\ \omega _2\end{array}}\right) }{p^2}P\left( Y_{p,\omega _1,\omega _2}\geqslant p-1\right)&\geqslant \left( {\begin{array}{c}p-1\\ \omega -2\end{array}}\right) -\omega _1 \left( {\begin{array}{c}p-\omega _2\\ \omega -2\end{array}}\right) -\frac{1}{2}\omega _2 \left( {\begin{array}{c}p-\omega _1\\ \omega -2\end{array}}\right) \\&\geqslant \left( {\begin{array}{c}p-1\\ \omega -2\end{array}}\right) -\frac{3}{2}\omega _1 \left( {\begin{array}{c}p-\omega _2\\ \omega -2\end{array}}\right) . \end{aligned}$$

if \(\omega _1=\max (\omega _1,\omega _2)\). We finally get the bounds

$$\begin{aligned} 1-\frac{3\omega _1}{2}\dfrac{\left( {\begin{array}{c}p-\omega _2\\ \omega -2\end{array}}\right) }{\left( {\begin{array}{c}p-1\\ \omega -2\end{array}}\right) } \leqslant \dfrac{P\left( Y_{p,\omega _1,\omega _2}\geqslant p-1\right) }{\frac{p^2\left( {\begin{array}{c}p-1\\ \omega -2\end{array}}\right) }{\left( {\begin{array}{c}p\\ \omega _1\end{array}}\right) \left( {\begin{array}{c}p\\ \omega _2\end{array}}\right) }}\leqslant 1. \end{aligned}$$

(36)

We check that the lower bound tends to 1 when \(w_i=O(\sqrt{p\log p}).\)