A PSEUDO-RANDOM GENERATOR EFFICIENT BASED ON THE DECODING OF THE RATIONAL BINARY GOPPA CODE

Academic year: 2017



DRISSI AHMED
LabSiv, Equipe SCCAM, Faculty of sciences Ibn Zohr University B.P 8106, City Dakhla, Agadir, Morocco.
idrissi2006@yahoo.fr

AHMED ASIMI
LabSiv, Equipe SCCAM, Faculty of sciences Ibn Zohr University B.P 8106, City Dakhla, Agadir, Morocco.
asimiahmed2008@gmail.com

ABSTRACT

Computer science uses pseudo-random sequences on a daily basis. They are used in games, in network communication protocols, and above all in cryptographic protocols. Number theory is the basis for the majority of pseudo-random generators. In this paper, we propose a new construction of a pseudo-random generator. This generator is based on the syndrome decoding problem of the rational binary Goppa code. The parameters of the code are generated randomly. The generator is proven secure, efficient and simple to implement. It provides an alternative to number theory and is distinguished by its good performance.

Keywords: pseudo-random generator, the classical Goppa code, syndrome decoding.

1. INTRODUCTION

Cryptology often uses generators, dubbed pseudo-random, which are cryptographically secure. The concept of a pseudo-random generator was formalized mainly by Blum, Micali and Yao, who are behind the birth of the complexity-based theory of pseudo-random generators.

In the following section we discuss the relationship between the existence of a pseudo-random generator and the existence of a one-way function. In the third section we study the construction of a one-way function from a difficult problem, that of syndrome decoding. This difficult problem is extracted from the specific properties of the rational binary Goppa code, presented in section four; we deduce a one-way function in the fifth section, arrive at the construction of our pseudo-random generator in the sixth section, and conclude with a study of the security and performance of the proposed generator.

2. PSEUDO-RANDOM GENERATOR AND ONE WAY FUNCTION

Theoretical research in the eighties on the design of pseudo-random generators evolved through several steps, mainly when Yao demonstrated that the existence of a one-way permutation is sufficient to construct a pseudo-random generator. Then, after investigating the notion of difficult bit, research proved the equivalence between the existence of a pseudo-random generator and the existence of a one-way function. In this section we go over the definitions of pseudo-random generators, difficult bits and one-way functions.

Definition of pseudo-random generator

A pseudo-random generator is an algorithm producing a pseudo-random bit sequence, i.e. a sequence of bits that cannot be efficiently distinguished from a random sequence.

Definition of the difficult bit

Formally

A bit $b : \{0,1\}^n \to \{0,1\}$ is called difficult for a function $f : \{0,1\}^n \to \{0,1\}^m$ if, for any algorithm $A$ whose computation time is below a fixed threshold $t$, the prediction probability of the bit $b$,

$p\big(A(f(x)) = b(x)\big) - \tfrac{1}{2},$

is negligible, that is to say less than a second fixed threshold.

The notion of difficult bit naturally extends to that of a difficult function $g$ for the function $f$.

A number of difficult bits have been highlighted, such as the low-weight function of RSA and a function of Rabin.

Definition of one-way function

A one-way function is a function that is easy to compute and difficult to invert.

Formalization of one-way function

Let $l(n)$ and $k(n)$ be two functions. A function $f_n : F_2^{l(n)} \to F_2^{k(n)}$ is called (strongly) one-way if:

- there exists a polynomial algorithm with input $x \in F_2^{l(n)}$ and output $f_n(x) \in F_2^{k(n)}$;

- for any polynomial algorithm $A$, every positive $c$ and $n$ large enough,

$P\big(f_n(A(f_n(X_n))) = f_n(X_n)\big) < \frac{1}{n^c},$

where $X_n$ is a random variable uniformly distributed on $F_2^{l(n)}$. There is no function with an absolute proof that it is one-way; however, some functions such as RSA and exponentiation in a finite field are conjectured to be one-way.

Goldreich and Levin showed that if there is a one-way function then it is also possible to derive a one-way function which has a difficult bit. This result led to the general construction of a pseudo-random generator from a one-way permutation, then to its extension by Impagliazzo, Levin, Luby and Håstad [3] to the case of a one-way function.

After a series of articles we can conclude the following:

- The existence of a one-way function is equivalent to the existence of a pseudo-random generator.

- The proposed theoretical constructions are often not practical.

J.B. Fischer and J. Stern proposed a more practical generator based on the problem of syndrome decoding.

3. ONE WAY FUNCTION BASED ON THE PROBLEM OF SYNDROME DECODING

3.1. The problem of syndrome decoding

A binary linear code $C$ of length $n$ and dimension $k$ is a linear subspace of $F_2^n$ of dimension $k$. $C$ can be defined by its parity check matrix $H$ as follows:

$C = \{\, x \in F_2^n \;/\; H x^t = 0 \,\}.$

Decoding in a code $C$ denotes the action of associating a code word (an element of the subspace) to a word of the vector space $F_2^n$. We usually try to decode by associating to a word the code word nearest to it in the sense of the Hamming distance. Decoding is possible if the Hamming distance between the word to decode and the code word does not exceed a threshold, called the correction capability of the code $C$.

A random code is a linear code whose $n$ linearly independent columns of the parity matrix are randomly generated. Currently there is no efficient general algorithm for decoding a random code. Thus decoding a random linear code is an open problem in coding theory. It follows that it is difficult to find a word of a given weight from its syndrome. We formalize this as follows:

Instance: $H$ a matrix in $M_{r \times n}(F_2)$, $s$ a vector in $F_2^r$, and

3.2. The difficulty of solving the problem of syndrome decoding

The known algorithms for solving the syndrome decoding problem are probabilistic. They all have a computational complexity that grows exponentially with the size $n$. According to J.B. Fischer and J. Stern, the syndrome decoding problem in the case of random codes is difficult in the neighborhood of the Gilbert-Varshamov bound corresponding to the dimension of the code. The Gilbert-Varshamov bound of the code $[n, k, d]_2$ is defined by the relation

$\frac{k}{n} = 1 - H_2(\,\cdot\,),$

$H_2$ being evaluated at the weight relative to $n$, where

$H_2(x) = -x \log_2(x) - (1 - x) \log_2(1 - x).$

It is concluded that, to ensure the difficulty of the syndrome decoding problem, we must choose a code size $n$ large enough, and the weight of the vector should be close to the Gilbert-Varshamov bound. Among the codes that have a large size are the Goppa codes.

3.3. A construction of one-way function

From the above discussion we can adopt the following hypothesis.

Hypothesis. Let

$A_n = \{\,(H, x) \;/\; H \in M_{r \times n}(F_2),\ x \in F_2^n \text{ of the prescribed weight}\,\}$

and

$B_n = \{\,(H, Hx) \;/\; H \in M_{r \times n}(F_2),\ x \in F_2^n\,\}.$

Then

$f_n : A_n \to B_n,\qquad (H, x) \mapsto (H, Hx)$

is a one-way function.

This assumption is made by Jean-Bernard Fischer and Jacques Stern in [2], due to the fact that, despite a lot of work, no efficient inversion algorithm has been found.
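As an added example (my own code, not from the paper), the following Python block computes the entropy function and the Gilbert-Varshamov relation of section 3.2 and evaluates the syndrome map $f_n(H, x) = (H, Hx^t)$ of the hypothesis above on a constructed random binary check matrix. Binary matrices are stored as one Python int per row and vectors as ints; the function names and the parameters $n = 1024$, $k = 524$ are assumptions of the demo.

```python
# Added example, not the paper's code: H_2, the Gilbert-Varshamov relation and
# the syndrome map (H, x) -> (H, Hx^t) over F_2. A matrix is a list of ints,
# one per row, bit j of a row being the entry in column j; a vector is an int.
import math
import random


def h2(x: float) -> float:
    """Binary entropy H_2(x) = -x log2(x) - (1 - x) log2(1 - x), H_2(0) = H_2(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def gv_relative_weight(rate: float) -> float:
    """Solve 1 - H_2(delta) = rate for delta in [0, 1/2] by bisection.

    delta * n is the error weight at which syndrome decoding of a random
    [n, k] code of rate k/n sits on the Gilbert-Varshamov bound.
    """
    if not 0.0 < rate < 1.0:
        raise ValueError("rate must lie strictly between 0 and 1")
    lo, hi = 0.0, 0.5                     # H_2 is increasing on [0, 1/2]
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if 1.0 - h2(mid) > rate:          # entropy still too low: move right
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def weight(x: int) -> int:
    """Hamming weight of a vector stored as an int."""
    return bin(x).count("1")


def syndrome(H: list, x: int) -> int:
    """H x^t over F_2: bit i of the result is the parity of <row_i, x>."""
    s = 0
    for i, row in enumerate(H):
        if weight(row & x) & 1:
            s |= 1 << i
    return s


def one_way_map(H: list, x: int) -> tuple:
    """f_n(H, x) = (H, H x^t): cheap to evaluate, conjectured hard to invert
    when x has weight near the Gilbert-Varshamov bound (section 3.2)."""
    return H, syndrome(H, x)


def random_check_matrix(r: int, n: int, rng: random.Random) -> list:
    """r x n matrix with uniformly random entries in F_2."""
    return [rng.getrandbits(n) for _ in range(r)]


def random_word_of_weight(n: int, w: int, rng: random.Random) -> int:
    """Uniformly random x in F_2^n with exactly w ones."""
    x = 0
    for pos in rng.sample(range(n), w):
        x |= 1 << pos
    return x


if __name__ == "__main__":
    n, k = 1024, 524                      # constructed parameters
    delta = gv_relative_weight(k / n)
    w = round(delta * n)
    print(f"rate {k / n:.3f}: GV relative weight {delta:.4f}, i.e. about {w} ones")
    rng = random.Random(2017)
    H = random_check_matrix(n - k, n, rng)
    x = random_word_of_weight(n, w, rng)
    _, s = one_way_map(H, x)
    print(f"x has weight {weight(x)}, syndrome has {n - k} bits: {s:#x}")
```

The bisection works because $H_2$ is increasing on $[0, 1/2]$; for rate $1/2$ it returns a relative weight of about $0.11$, which is the regime the text describes as hardest for syndrome decoding.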

The construction of pseudo-random generators based on syndrome decoding requires the generation of a random matrix in $M_{r \times n}(F_2)$. We assume that the desired matrix is the parity check matrix of a rational Goppa code chosen randomly. To obtain a random matrix, we will generate random parameters of a rational binary Goppa code and deduce its check matrix.

4. The classical rational binary Goppa code

The Goppa codes were introduced by the Russian mathematician V.D. Goppa in 1970. They are distinguished by specific properties. Initially scrutinized for their error-correcting properties, they were then studied for their cryptographic properties with the appearance of the McEliece cryptosystem [13].

4.1. Definition

Let $L$ be a sequence of $n$ distinct elements of $F_{2^m}$, and $g(x) \in F_{2^m}[x]$ a polynomial of degree $t$ such that $1 \le t \le n - 1$ and $g$ does not vanish at any element of $L$. The rational Goppa code of support $L$ (generating vector) and generator polynomial $g$ (Goppa polynomial), denoted $(L, g)$, is the set

$(L, g) = \{\, a = (a_1, \dots, a_n) \in F_2^n \;/\; H a^t = 0 \,\},$

with $H$ the $r \times n$ matrix whose entry in row $i$ and column $j$ is $L_j^{\,i-1} / g(L_j)$, $L_j$ denoting the $j$-th element of the support:

$H = \begin{pmatrix} \frac{1}{g(L_1)} & \cdots & \frac{1}{g(L_n)} \\ \frac{L_1}{g(L_1)} & \cdots & \frac{L_n}{g(L_n)} \\ \vdots & & \vdots \\ \frac{L_1^{\,r-1}}{g(L_1)} & \cdots & \frac{L_n^{\,r-1}}{g(L_n)} \end{pmatrix}.$

Properties:

The binary Goppa codes are linear codes over the finite field $F_2$. However, their construction requires the use of an extension $F_{2^m}$. The parity matrix is then obtained from the matrix $H$: each element of this matrix is decomposed into elements of $F_2$ placed in columns, using a projection from $F_{2^m}$ to $F_2^m$, which takes $H$ of size $t \times n$ over $F_{2^m}$ to a new parity matrix of size $mt \times n$ over $F_2$. We note

$(L, g) = [\,n,\ k \ge n - mt,\ d \ge t + 1\,],$

with $n$ its size, $k$ its dimension and $d$ its minimum distance. The parity matrix $H$ can be written as the product of a Vandermonde matrix and a nonsingular matrix; therefore any $t \times t$ square submatrix of $H$ is invertible, so there is no code word of weight $t$ or less, and the code has a minimum distance of at least $d \ge t + 1$ (correction capacity $\lfloor t/2 \rfloor$). If $g$ has no multiple factors, the correction capacity can be doubled, and we get

$(L, g) = [\,n,\ k \ge n - mt,\ d \ge 2t + 1\,].$

The Goppa code has no visible structure that can be exploited by an attacker. This has led to the definition of a strong security assumption, namely that there is no attack able simply to distinguish between a matrix of a Goppa code and a randomly drawn matrix. This new problem is called indistinguishability of Goppa codes. On the other hand it has a fairly large size compared with other codes.

4.2. The problem of Goppa code syndrome decoding

The problem of bounded decoding of a Goppa code is a special case of the problem of syndrome decoding. It has also been proven NP-hard by M. Finiasz in [7].

Instance

Input: $H$ an $(n-k) \times n$ binary matrix (the parity check matrix of a Goppa code $[n, k]$) and a syndrome $s \in F_2^{n-k}$.

Output: a word $e \in F_2^n$ of weight at most $\frac{n-k}{\log_2(n)}$ such that $H e^t = s$.

Another problem used in code-based cryptography is the problem of distinguishability of Goppa codes.

Instance

Input: $H$ an $(n-k) \times n$ binary matrix, either the parity check matrix of a Goppa code $[n, k]$ or a random $(n-k) \times n$ binary matrix.

Output: $b = 1$ if $H$ is a parity check matrix of a Goppa code $[n, k]$, $b = 0$ otherwise.

5. One-way function based on the decoding of classical Goppa code

5.1. Construction of one-way function based on the classical Goppa code

Considering the goal of building a one-way function, Goppa codes are interesting in this respect. Indeed, it is computationally difficult to distinguish a binary Goppa code of rate close to $\frac{1}{2}$, of which we know neither the support nor the generator polynomial, from a random code of the same length and the same dimension. This means intuitively that the difficulty of decoding binary Goppa codes of rate close to $\frac{1}{2}$, of which we know neither the support nor the generator polynomial, is not fundamentally different from that of decoding a random code. The two difficult problems listed above, syndrome decoding and the distinguishability of a rational Goppa code from a random code, justify the fact that the function constructed in the third section is one-way for a parity check matrix of a rational Goppa code with randomly generated parameters.

5.2. Construction of the Goppa parity check matrix

The implementation of our pseudo-random generator requires a prior implementation of a finite field.

Construction of the finite field $F_{2^m}$

Theorem. If $p(x) \in F_2[x]$ is an irreducible polynomial of degree $m$, then there exists a finite field which can be given by

$F_{2^m} = \{\, a_0 + a_1 x + \dots + a_{m-1} x^{m-1} \;/\; p(x) = 0,\ a_0, a_1, \dots, a_{m-1} \in F_2 \,\}$

and can be written as the set consisting of $0$ together with the successive powers, from exponent $0$ to exponent $2^m - 2$, of a primitive element of this field.

It is easy to show that $F_{2^m}$ is isomorphic to $F_2^m$; it follows that we can represent the elements of $F_{2^m}$ by vectors of $F_2^m$.

Random generation of a binary rational Goppa code

We want to generate randomly a Goppa code over the finite field $F_{2^m}$ from a random seed: we generate a bit sequence of length $2^m - 1$,

$y = (y_1, y_2, \dots, y_{2^m - 1}),$

by a congruential generator. We take $n$ the number of bits of value $1$ in $y$, i.e.

$n = \big|\{\, i \;/\; y_i = 1 \,\}\big|,$

and $t = \left\lfloor \frac{2^m - n}{2} \right\rfloor$ if this quotient is at least $1$, and $t = 1$ otherwise. The Goppa polynomial is $g(x) = x^t$, and the Goppa support $L$ is made up of those elements, among $1$ and the successive powers (up to exponent $2^m - 2$) of a primitive element, whose exponents correspond to the indices $i$ of the nonzero $y_i$, taken in the same order. We denote $L = (L_1, L_2, \dots, L_n)$, $i \in \{1, \dots, n\}$. The matrix is

$H = (h_{ij})_{1 \le i \le t,\ 1 \le j \le n},\qquad h_{ij} = \frac{L_j^{\,i-1}}{g(L_j)} = L_j^{\,i-1-t},$

since $g(L_j) = L_j^{\,t}$, that is

$H = \begin{pmatrix} L_1^{-t} & \cdots & L_n^{-t} \\ L_1^{\,1-t} & \cdots & L_n^{\,1-t} \\ \vdots & & \vdots \\ L_1^{-1} & \cdots & L_n^{-1} \end{pmatrix}.$

Transforming $H$, with elements in $F_{2^m}$, into $H'$, with elements in $F_2$, is done by replacing each element with its representation in $F_2^m$ placed in a column.
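The finite-field construction of the theorem in 5.2 and the random generation of the Goppa check matrix $H$ and its binary expansion $H'$, as an added Python example (my own code, not the paper's): the int representation of field elements, the names GF, goppa_from_bits, expand_to_binary, field_syndrome and binary_syndrome, the irreducible polynomial $x^4 + x + 1$ chosen for $F_{16}$, and the demo bit sequence Y_DEMO are all assumptions made here. Support elements are indexed from exponent $0$ in the code (so $y$ is read as $y_0, \dots, y_{2^m-2}$), which selects from the same set of nonzero field elements as the text.

```python
# Added example, not the paper's code: F_{2^m} = F_2[x]/(p(x)) with elements
# stored as ints (bit i = coefficient a_i), the random Goppa parameters of
# section 5.2 (n = number of ones in y, t, g(x) = x^t, support = powers of a
# primitive element selected by the ones of y) and the binary expansion H'.
from typing import List, Tuple


class GF:
    """Arithmetic in F_{2^m} modulo the irreducible polynomial p(x) (as an int)."""

    def __init__(self, m: int, poly: int):
        assert poly >> m == 1, "p(x) must have degree exactly m"
        self.m, self.poly, self.order = m, poly, (1 << m) - 1

    def mul(self, a: int, b: int) -> int:
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.m:                    # degree reached m: reduce mod p(x)
                a ^= self.poly
        return r

    def pow(self, a: int, e: int) -> int:
        """a^e; negative e is allowed for a != 0 since a^(2^m - 1) = 1."""
        if a == 0:
            assert e > 0, "0 has no inverse"
            return 0
        e %= self.order
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a = self.mul(a, a)
            e >>= 1
        return r

    def inv(self, a: int) -> int:
        return self.pow(a, -1)

    def is_primitive(self, a: int) -> bool:
        """True iff the powers a^1 .. a^(2^m - 2) never return to 1."""
        x = a
        for _ in range(1, self.order):
            if x == 1:
                return False
            x = self.mul(x, a)
        return a != 0


def goppa_from_bits(F: GF, alpha: int, y: List[int]) -> Tuple[int, List[int], List[List[int]]]:
    """Section 5.2: support L_j = alpha^i for the indices i with y_i = 1,
    n = len(L), t = floor((2^m - n) / 2) or 1, g(x) = x^t, and the t x n matrix
    H[i][j] = L_j^i / g(L_j) = L_j^(i - t), rows i = 0 .. t-1 (0-based)."""
    assert len(y) == F.order and F.is_primitive(alpha)
    support = [F.pow(alpha, i) for i, bit in enumerate(y) if bit]
    n = len(support)
    t = max(((1 << F.m) - n) // 2, 1)
    if not 1 <= t <= n - 1:                    # constraint of definition 4.1
        raise ValueError(f"degree t={t} must satisfy 1 <= t <= n-1 for n={n}")
    H = [[F.pow(Lj, i - t) for Lj in support] for i in range(t)]
    return t, support, H


def expand_to_binary(F: GF, H: List[List[int]]) -> List[List[int]]:
    """H' over F_2, size (m t) x n: each entry becomes its m coordinates, in a column."""
    t, n = len(H), len(H[0])
    Hb = [[0] * n for _ in range(F.m * t)]
    for i in range(t):
        for j in range(n):
            for b in range(F.m):
                Hb[i * F.m + b][j] = (H[i][j] >> b) & 1
    return Hb


def field_syndrome(F: GF, H: List[List[int]], a: List[int]) -> List[int]:
    """H a^t over F_{2^m}: XOR of the columns selected by the ones of a."""
    out = []
    for row in H:
        acc = 0
        for hij, aj in zip(row, a):
            if aj:
                acc ^= hij
        out.append(acc)
    return out


def binary_syndrome(Hb: List[List[int]], a: List[int]) -> List[int]:
    """H' a^t over F_2; it is zero exactly when field_syndrome is zero."""
    return [sum(h & aj for h, aj in zip(row, a)) & 1 for row in Hb]


# Constructed demo: F_16 with p(x) = x^4 + x + 1 (0b10011), alpha = x (0b10),
# and a 15-bit y with seven ones, giving n = 7 and t = (16 - 7) // 2 = 4.
F16 = GF(4, 0b10011)
Y_DEMO = [1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0]

if __name__ == "__main__":
    t, L, H = goppa_from_bits(F16, 0b10, Y_DEMO)
    Hb = expand_to_binary(F16, H)
    print(f"n = {len(L)}, t = {t}, H is {len(H)}x{len(H[0])} over F_16, "
          f"H' is {len(Hb)}x{len(Hb[0])} over F_2")
    a = [1, 1, 0, 0, 0, 0, 0]            # an arbitrary word, most likely not in the code
    print("field syndrome:", field_syndrome(F16, H, a), "binary:", binary_syndrome(Hb, a))
```

The check that field_syndrome and binary_syndrome vanish together is the practical meaning of the projection from $F_{2^m}$ to $F_2^m$ described under Properties: $H'$ defines the same binary code as $H$, which is why a random word of weight near the Gilbert-Varshamov bound can be fed to $H'$ with the plain AND/XOR arithmetic of section 7.2.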

6. Our pseudo random generator

Our pseudo-random generator requires a prior implementation of a finite field, and includes three algorithms: the generation of a parity check matrix, an iterative algorithm which gives us the desired number of bits, and, at each iteration, the generation of a word of given weight.

6.1. Iterative algorithm

We need an iterative algorithm that gives us as many bits as we want. Following a standard construction we consider the following iterative method.

For input $(H, x)$ with $H \in M_{r \times n}(F_2)$ and $x \in F_2^n$, we can obtain as many bits as we want:

1. $(y_1, y_2) = H x^t$, with $y_1$ of the prescribed length.

2. Output $y_2$.

3. Transform $y_1$ into $x$ of length $n$ and of the prescribed weight.

4. Return to 1.

To perform this iteration we need an efficient algorithm that produces a vector of size $n$ and of the given weight from a vector of the given length. We propose such an algorithm as follows:

6.2. Algorithm for generating a word of a given weight

The following algorithm extracts, from a vector of the given length, a vector of length $n$ and of the given weight. Such an algorithm is necessary in our pseudo-random generator; moreover, its computation time has no effect on the efficiency of the generator, since it only uses assignments.

Input: $s = (s_1, \dots)$, a vector of the given length, $n$, and the desired weight.

By Euclidean division of $n$ by the weight we obtain $n = q \cdot (\text{weight}) + r$. We write $n = q \cdot (\text{weight}) + d$ with $d = r$ and $0 \le d$.

For $i = 1, 2, \dots$ do $y_{qi+d-1} = 1$ and $y_{qi+d} = s_i$, and $y_j = 0$ for every other index $j$.

This algorithm is based on a simple and efficient method for transforming the vector $s = (s_1, \dots)$ into a vector $y = (y_1, \dots, y_n)$ of $F_2^n$ of the given weight.

The idea is simply to regard $s = (s_1, \dots)$ as the binary representation of the integer

$\sum_{i} s_i\, 2^{\,i-1}$

and its transform as the binary representation of

$\sum_{i} \big( y_{qi+d-1}\, 2^{\,qi+d-2} + s_i\, 2^{\,qi+d-1} \big),$

with $n = q \cdot (\text{weight}) + d$ and $0 \le d$.
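The iteration of 6.1, as an added Python example (my own code, not the paper's): $H$ is a constructed random $r \times n$ binary matrix standing in for the Goppa matrix $H'$ of 5.2, and expand_to_weight is a simple constant-weight substitute written for this example rather than the algorithm of 6.2: it places exactly one $1$ in each of $w$ consecutive blocks of length $q = n / w$, block $i$ taking its position from the $i$-th chunk of the input bits, so the result always has length $n$ and weight $w$. The demo parameters ($n = 64$, $w = 8$, $r = 32$, seed word) and the requirement $r > \ell$ (so that every iteration has bits left over to output) are assumptions of the example.

```python
# Added example, not the paper's code: the iterative generator of 6.1 over a
# binary check matrix, with a simple constant-weight expansion (my substitute
# for the algorithm of 6.2). Vectors are ints, matrices are lists of row ints.
import random
from typing import List, Tuple


def weight(x: int) -> int:
    return bin(x).count("1")


def syndrome(H: List[int], x: int) -> int:
    """H x^t over F_2, bit i = parity of <row_i, x>."""
    s = 0
    for i, row in enumerate(H):
        if weight(row & x) & 1:
            s |= 1 << i
    return s


class SyndromePRG:
    """Iteration: (y1, y2) = H x^t; output y2; x = expand(y1); repeat."""

    def __init__(self, H: List[int], n: int, w: int):
        self.H, self.n, self.w, self.r = H, n, w, len(H)
        self.q = n // w                              # block length
        self.chunk = (self.q - 1).bit_length()       # bits to index one block
        self.l = w * self.chunk                      # |y1|: bits fed back
        if self.l >= self.r:
            raise ValueError("need r > l so that every iteration outputs bits")
        self.out_bits = self.r - self.l              # |y2|: bits output

    def expand_to_weight(self, s: int) -> int:
        """Length-n word of weight exactly w: one 1 per block of length q."""
        x = 0
        for i in range(self.w):
            idx = (s >> (i * self.chunk)) & ((1 << self.chunk) - 1)
            x |= 1 << (i * self.q + idx % self.q)
        return x

    def step(self, x: int) -> Tuple[int, int]:
        y = syndrome(self.H, x)
        y1 = y & ((1 << self.l) - 1)                 # low l bits: next state
        y2 = y >> self.l                             # remaining bits: output
        return self.expand_to_weight(y1), y2

    def generate(self, seed_x: int, nbits: int) -> List[int]:
        if weight(seed_x) != self.w or seed_x >> self.n:
            raise ValueError("seed must be a length-n word of weight w")
        x, out = seed_x, []
        while len(out) < nbits:
            x, y2 = self.step(x)
            out.extend((y2 >> b) & 1 for b in range(self.out_bits))
        return out[:nbits]


# Constructed demo parameters: n = 64, w = 8 (q = 8, 3 bits per block, l = 24),
# r = 32 rows, hence 8 output bits per iteration. H is a seeded random matrix.
DEMO_N, DEMO_W, DEMO_R = 64, 8, 32
_rng = random.Random(1)
DEMO_H = [_rng.getrandbits(DEMO_N) for _ in range(DEMO_R)]
DEMO_SEED_X = sum(1 << p for p in (0, 3, 9, 20, 31, 44, 50, 63))   # weight 8

if __name__ == "__main__":
    prg = SyndromePRG(DEMO_H, DEMO_N, DEMO_W)
    bits = prg.generate(DEMO_SEED_X, 64)
    print("".join(map(str, bits)))
```

With these parameters each iteration costs one 32-by-64 matrix-vector product over $F_2$ (AND and parity per row) and yields 8 output bits; the number of output bits per iteration is $r - \ell$, which is what section 7.2 refers to when it says the output may contain many bits per iteration.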

7. Security and performance

7.1. Scheme security

B. Fischer and J. Stern have shown that the generator based on a parity check matrix $H$ is pseudo-random; it remains to check that $H$ is randomly generated. In our case this is largely verified: indeed, the recent attacks on cryptosystems based on error-correcting codes cannot break the cryptosystem based on a Goppa code with well-chosen parameters. Also, Finiasz showed that a Goppa code is indistinguishable from a random code. In our construction we randomly generate the parameters $n$ and $t$ of the Goppa code $(L, g)$, for which the probability of choosing a support $L$ of $n$ non-zero elements of $F_{2^m}$ is

$\frac{C_{2^m - 1}^{\,n}}{2^{\,2^m - 1}}.$

7.2. Scheme performance

Our pseudo-random generator requires a pre-computation of the elements of $F_{2^m}$. Computing the product of a matrix by a vector is carried out only with the logic operations AND, XOR and parity, which leads to a fast implementation. The check matrix used is defined by the output of a congruential generator, operations on integers of small size and assignments of vectors in $F_2^m$. For the sampling algorithm that computes a binary vector of given length and weight we use one Euclidean division and a set of assignments which do not exceed the wanted size.

It follows that our generator is fast and easy to implement, and its output may contain a large number of bits per iteration, which distinguishes it from other generators with good performance.

Conclusion

The use of problems inspired by the theory of error-correcting codes in the design of pseudo-random generators contributes an alternative to number theory; we hope that our work will provide added value in this field.

REFERENCES

[1] Anne Canteaut. A new algorithm for finding minimum weight words in large linear codes.

[2] Jean-Bernard Fischer and Jacques Stern. An efficient pseudo-random generator provably as secure as syndrome decoding. Ecole Normale Supérieure, Paris Cedex 05, France.

[3] Johan Håstad, Russell Impagliazzo, Leonid A. Levin and Michael Luby. 1999. A pseudorandom generator from any one-way function.

[4] L.A. Levin. One-way functions and pseudorandom generators.

[5] Léonard Dallot. 2010. Sécurité de protocoles cryptographiques fondés sur les codes correcteurs d'erreurs. Thèse.

[6] Manuel Blum and Silvio Micali. How to generate cryptographically strong sequences of pseudo-random bits.

[7] Matthieu Finiasz. 2004. Nouvelles constructions utilisant des codes correcteurs d'erreurs en cryptographie à clé publique. Thèse, INRIA.

[8] Oded Goldreich. 1989. A note on computational indistinguishability.

[9] Oded Goldreich, Hugo Krawczyk and Michael Luby. On the existence of pseudorandom generators.

[10] Oded Goldreich, Shafi Goldwasser and Silvio Micali. How to construct random functions.

[11] Oliver Pretzel, Imperial College London. 1992. Error-correcting codes and finite fields.

[12] Pierre-Louis Cayrel. 2008. Construction et optimisation de cryptosystèmes basés sur les codes correcteurs d'erreurs. Thèse.

[13] R.J. McEliece. 1978. A public key cryptosystem based on algebraic coding theory.

[14] Rosario Gennaro. An improved pseudo-random generator based on discrete log.
