Post-Quantum Cryptography #2

Transcription

1 Post-Quantum Cryptography #2 Prof. Claude Crépeau McGill University 49

2 Post-Quantum Cryptography Finite Fields based cryptography Codes Multi-variate Polynomials Integers based cryptography Approximate Integer GCD Lattices 50

3 ( 51

4 Public Key Encryption 52

5 Asymmetric Encryption (Public-Key Cryptography) Encryption K e P C K d Decryption Complexity Theoretical Security 53

6 $ Asymmetric Encryption (Public-Key Cryptography) Encryption K e P C K d Decryption Complexity Theoretical Security 53

7 $ Asymmetric Encryption (Public-Key Cryptography) Encryption K e P C K d Decryption Complexity Theoretical Security 53

8 Will you marry me?» Public-Key Cryptography»»»»»» Decryption Encryption»» marry me? 54

9 Will you marry me?» Public-Key Cryptography»»»»»» Decryption Encryption»» marry me? 54

10 Will you marry me?» Public-Key Cryptography»»»»»» Decryption Encryption»» marry me? 54

11 Digital Signatures 55

12 Asymmetric Authentication (Digital Signature Scheme) Authentication M K a K v T Verification Complexity Theoretical Security 56

13 Digital Signature»»»» Will you marry me?» Verification»» Authentication» VALID Will you marry me?» marry me? 57

14 Digital Signature»»»» Will you marry me?» Verification»» Authentication» VALID Will you marry me?» marry me? 57

15 Digital Signature»»»» Will you marry me?» Verification»» Authentication» VALID Will you marry me?» marry me? 57

16 ) 58

17 Code Equivalence 59

18 Code Equivalence Two [n,k,d] linear codes C,C are (permutation) equivalent if there exists a kxk non-singular matrix S & an nxn permutation matrix P s.t. 59

19 Code Equivalence Two [n,k,d] linear codes C,C are (permutation) equivalent if there exists a kxk non-singular matrix S & an nxn permutation matrix P s.t. G = SGP 59

20 Code Equivalence Two [n,k,d] linear codes C,C are (permutation) equivalent if there exists a kxk non-singular matrix S & an nxn permutation matrix P s.t. G = SGP the codewords of C and C have exactly all the same weights 59

21 Code Equivalence 60

22 Code Equivalence Let C be an [n,k,d] linear code equivalent to a code C. 60

23 Code Equivalence Let C be an [n,k,d] linear code equivalent to a code C. Let Cor:{0,1} n C be an efficient nearest codeword error-correcting procedure for C (upto d-1 / 2 errors) 60

24 Code Equivalence Let C be an [n,k,d] linear code equivalent to a code C. Let Cor:{0,1} n C be an efficient nearest codeword error-correcting procedure for C (upto d-1 / 2 errors) Define C or(w):=cor(wp -1 )P, 60

25 Code Equivalence Let C be an [n,k,d] linear code equivalent to a code C. Let Cor:{0,1} n C be an efficient nearest codeword error-correcting procedure for C (upto d-1 / 2 errors) Define C or(w):=cor(wp -1 )P, then C or:{0,1} n C is an efficient nearest codeword error-correcting procedure for C (upto d-1 / 2 errors) 60

26 McEliece Cryptosystem 61

27 McEliece Cryptosystem Let G r Goppa t, S r F 2 kxk, & P r Perm be the private-key, & G = SGP be the public-key, 61

28 McEliece Cryptosystem Let G r Goppa t, S r F 2 kxk, & P r Perm be the private-key, & G = SGP be the public-key, Let e r {error vector of weight t} & m {0,1} k a plaintext let w=mg +e be a ciphertext. 61

29 McEliece Cryptosystem Let G r Goppa t, S r F 2 kxk, & P r Perm be the private-key, & G = SGP be the public-key, Let e r {error vector of weight t} & m {0,1} k a plaintext let w=mg +e be a ciphertext. Given (only) G,w finding 61

30 McEliece Cryptosystem Let G r Goppa t, S r F 2 kxk, & P r Perm be the private-key, & G = SGP be the public-key, Let e r {error vector of weight t} & m {0,1} k a plaintext let w=mg +e be a ciphertext. Given (only) G,w finding c = C or(w) is difficult. 61

31 Niederreiter Cryptosystem 62

32 Niederreiter Cryptosystem Let G r GRS t, S r F 2 kxk, & P r Perm be the private-key, & G = SGP be the public-key, 62

33 Niederreiter Cryptosystem Let G r GRS t, S r F 2 kxk, & P r Perm be the private-key, & G = SGP be the public-key, Let m {error vector of weight t} a plaintext & c r C let w=c +m be a ciphertext. 62

34 Niederreiter Cryptosystem Let G r GRS t, S r F 2 kxk, & P r Perm be the private-key, & G = SGP be the public-key, Let m {error vector of weight t} a plaintext & c r C let w=c +m be a ciphertext. Given (only) G,w finding 62

35 Niederreiter Cryptosystem Let G r GRS t, S r F 2 kxk, & P r Perm be the private-key, & G = SGP be the public-key, Let m {error vector of weight t} a plaintext & c r C let w=c +m be a ciphertext. Given (only) G,w finding c = C or(w) is difficult. 62

36 Both Cryptosystems 63

37 Both Cryptosystems Let G r GRS/Goppa t, S r F 2 kxk, & P r Perm be the privatekey, & G = SGP be the public-key, e {error vector of weight t} and let w=c+e for c C(G ). 63

38 Both Cryptosystems Let G r GRS/Goppa t, S r F 2 kxk, & P r Perm be the privatekey, & G = SGP be the public-key, e {error vector of weight t} and let w=c+e for c C(G ). Given G,S,P, w finding c=cor(w) and e=w-c is easy. 63

39 64

40 Families of Codes Nicolas Sendrier 65

41 Families of Codes Binary Goppa codes seem safe, but not Nicolas Sendrier 65

42 Families of Codes Binary Goppa codes seem safe, but not (Generalized) Reed-Solomon codes, Nicolas Sendrier 65

43 Families of Codes Binary Goppa codes seem safe, but not (Generalized) Reed-Solomon codes, concatenated codes, Nicolas Sendrier 65

44 Families of Codes Binary Goppa codes seem safe, but not (Generalized) Reed-Solomon codes, concatenated codes, elliptic codes, Nicolas Sendrier 65

45 Families of Codes Binary Goppa codes seem safe, but not (Generalized) Reed-Solomon codes, concatenated codes, elliptic codes, Reed-Muller codes, Nicolas Sendrier 65

46 Families of Codes Binary Goppa codes seem safe, but not (Generalized) Reed-Solomon codes, concatenated codes, elliptic codes, Reed-Muller codes, Convolutional codes Nicolas Sendrier 65

47 Code based cryptography 66

48 Code based cryptography Courtois, Finiasz and Sendrier signature scheme 66

49 Code based cryptography Courtois, Finiasz and Sendrier signature scheme Stern s identification scheme 66

50 Code based cryptography Courtois, Finiasz and Sendrier signature scheme Stern s identification scheme Code based PRNG 66

51 Code based cryptography Courtois, Finiasz and Sendrier signature scheme Stern s identification scheme Code based PRNG Code based hash function 66

52 0 Code based cryptography 67

53 Post-Quantum Cryptography Finite Fields based cryptography Codes Multi-variate Polynomials Integers based cryptography Approximate Integer GCD Lattices 68

54 Multi-variate Poly based cryptography 69

55 Multi-variate Poly based cryptography 70

56 Multi-variate Poly based cryptography P = (p 1 (x 1,...,x n ),...,p m (x 1,...,x n )) for x=(x 1,...,x n ) over F n. 70

57 Multi-variate Poly based cryptography P = (p 1 (x 1,...,x n ),...,p m (x 1,...,x n )) for x=(x 1,...,x n ) over F n. z k = p k (x) := i P ik x i + i Q ik x i 2 + i<j R ijk x i x j 70

58 Multi-variate Poly based cryptography P = (p 1 (x 1,...,x n ),...,p m (x 1,...,x n )) for x=(x 1,...,x n ) over F n. z k = p k (x) := i P ik x i + i Q ik x i 2 + i<j R ijk x i x j When we are working over F=F 2, note that x 2 = x, so it suffices to consider multilinear polynomials: z k = p k (x) := i P ik x i + i<j R ijk x i x j 70

59 Multi-variate Poly based cryptography P = (p 1 (x 1,...,x n ),...,p m (x 1,...,x n )) for x=(x 1,...,x n ) over F n. z k = p k (x) := i P ik x i + i Q ik x i 2 + i<j R ijk x i x j When we are working over F=F 2, note that x 2 = x, so it suffices to consider multilinear polynomials: z k = p k (x) := i P ik x i + i<j R ijk x i x j In general, finding x from z=p(x) is NP-hard. 70

60 Multi-variate Poly based cryptography P = (p 1 (x 1,...,x n ),...,p m (x 1,...,x n )) for x=(x 1,...,x n ) over F n. z k = p k (x) := i P ik x i + i Q ik x i 2 + i<j R ijk x i x j When we are working over F=F 2, note that x 2 = x, so it suffices to consider multilinear polynomials: z k = p k (x) := i P ik x i + i<j R ijk x i x j In general, finding x from z=p(x) is NP-hard. We seek more : finding x from z=p(x) being hard on average. 70

61 Multi-variate Poly based cryptography 71

62 Multi-variate Poly based cryptography P = (p 1 (x 1,...,x n ),...,p m (x 1,...,x n )) for x=(x 1,...,x n ) over F 2n. 71

63 Multi-variate Poly based cryptography P = (p 1 (x 1,...,x n ),...,p m (x 1,...,x n )) for x=(x 1,...,x n ) over F 2n. z k = p k (x) := i P ik x i + i<j R ijk x i x j 71

64 Multi-variate Poly based cryptography P = (p 1 (x 1,...,x n ),...,p m (x 1,...,x n )) for x=(x 1,...,x n ) over F 2n. z k = p k (x) := i P ik x i + i<j R ijk x i x j Public-key: P 71

65 Multi-variate Poly based cryptography P = (p 1 (x 1,...,x n ),...,p m (x 1,...,x n )) for x=(x 1,...,x n ) over F 2n. z k = p k (x) := i P ik x i + i<j R ijk x i x j Public-key: P Enc P (x)=p(x) 71

66 Multi-variate Poly based cryptography P = (p 1 (x 1,...,x n ),...,p m (x 1,...,x n )) for x=(x 1,...,x n ) over F 2n. z k = p k (x) := i P ik x i + i<j R ijk x i x j Public-key: P Enc P (x)=p(x) Dec(z)= find x s.t. z=p(x) (specific to P s design) 71

67 Multi-variate Poly based cryptography 72

68 Multi-variate Poly based cryptography MPKCs almost always hide a private map Q via composition with secret affine maps S, and T. 72

69 Multi-variate Poly based cryptography MPKCs almost always hide a private map Q via composition with secret affine maps S, and T. So, P=T Q S: F n F m, or P(x):=M T Q( M S x+c S ) + c T 72

70 Multi-variate Poly based cryptography MPKCs almost always hide a private map Q via composition with secret affine maps S, and T. So, P=T Q S: F n F m, or P(x):=M T Q( M S x+c S ) + c T In any given scheme, the central map Q belongs to a certain class of quadratic maps whose inverse can be computed relatively easily. 72

71 Multi-variate Poly based cryptography MPKCs almost always hide a private map Q via composition with secret affine maps S, and T. So, P=T Q S: F n F m, or P(x):=M T Q( M S x+c S ) + c T In any given scheme, the central map Q belongs to a certain class of quadratic maps whose inverse can be computed relatively easily. x = MS -1 Q -1 ( M T -1 P(x)-c T ) - c S where c T := M T -1 c T and c S := M S -1 c S 72

72 Multi-variate Poly based cryptography 73

73 Multi-variate Poly based cryptography MPKCs almost always hide a private map Q via composition with secret affine maps S, and T. So, P=T Q S: F n F m, or P(x):=M T Q( M S x+c S ) + c T 73

74 Multi-variate Poly based cryptography MPKCs almost always hide a private map Q via composition with secret affine maps S, and T. So, P=T Q S: F n F m, or P(x):=M T Q( M S x+c S ) + c T Private-key: (M T -1, c T ), (M S -1, c S ), Q -1 Dec(y) = MS -1 Q -1 ( M T -1 y-c T ) - c S where c T := M T -1 c T and c S := M S -1 c S 73

75 Matsumoto- Imai 74

76 Matsumoto- Imai Example: ( a sort of RSA type system ) 74

77 Matsumoto- Imai Example: ( a sort of RSA type system ) Any single univariate f over F 2 n can be represented by n multivariate algebraic functions y i = f i (x 1,x 2,...,x n ) over F 2. 74

78 Matsumoto- Imai Example: ( a sort of RSA type system ) Any single univariate f over F 2 n can be represented by n multivariate algebraic functions y i = f i (x 1,x 2,...,x n ) over F 2. Q(x) := x 2a +1, a<n, over F 2 n such that gcd(2 a +1,2 n -1)=1 (squaring over F 2 n is actually a linear transform over F 2 n ) * 74

79 Matsumoto- Imai Example: ( a sort of RSA type system ) Any single univariate f over F 2 n can be represented by n multivariate algebraic functions y i = f i (x 1,x 2,...,x n ) over F 2. Q(x) := x 2a +1, a<n, over F 2 n such that gcd(2 a +1,2 n -1)=1 (squaring over F 2 n is actually a linear transform over F 2 n ) * Then there exists h := (2 a +1) -1 mod 2 n -1 such that Q -1 (y)=y h over F 2 n 74

80 Squaring over F 2 n is linear over F 2 (x n-1,...,x 1,x 0 ) 2 =(x n-1 x n x 1 x+x 0 ) 2 mod P(x) = x n-1 x 2n x 1 x 2 +x 0 mod P(x) / / 1 \ / x 2 \... / x 2n-2 \ \ / x 0 \ = mod mod... mod x 1 \ \ P / \ P /... \ P / /... \x n-1 / = M sq x 75

81 Squaring over F 2 n is linear over F 2 (x n-1,...,x 1,x 0 ) 2 =(x n-1 x n x 1 x+x 0 ) 2 mod P(x) = x n-1 x 2n x 1 x 2 +x 0 mod P(x) / / 1 \ / x 2 \... / x 2n-2 \ \ / x 0 \ = mod mod... mod x 1 \ \ P / \ P /... \ P / /... \x n-1 / = M sq x 75

82 Squaring over F 2 n is linear over F 2 (x n-1,...,x 1,x 0 ) 2 =(x n-1 x n x 1 x+x 0 ) 2 mod P(x) = x n-1 x 2n x 1 x 2 +x 0 mod P(x) / / 1 \ / x 2 \... / x 2n-2 \ \ / x 0 \ = mod mod... mod x 1 \ \ P / \ P /... \ P / /... \x n-1 / = M sq x 75

83 Squaring over F 2 n is linear over F 2 (x n-1,...,x 1,x 0 ) 2 =(x n-1 x n x 1 x+x 0 ) 2 mod P(x) = x n-1 x 2n x 1 x 2 +x 0 mod P(x) / / 1 \ / x 2 \... / x 2n-2 \ \ / x 0 \ = mod mod... mod x 1 \ \ P / \ P /... \ P / /... \x n-1 / = M sq x 75

84 x 2i over F 2 n is linear over F 2 (y n-1,...,y 1,y 0 ) = (x n-1,...,x 1,x 0 ) 2i = M i sq x is a system of n degree 1 equations y 0 = (M i sq) 0 x y 1 = (M i sq) 1 x y 2 = (M i sq) 2 x... y n-1 = (M i sq) n-1 x 76

85 x 2 i+1 over F 2 n is quadratic over F 2 (z n-1,...,z 1,z 0 ) = (x n-1,...,x 1,x 0 ) 2 i+1 = (y n-1,...,y 1,y 0 )*(x n-1,...,x 1,x 0 ) is a system of n degree 2 equations 77

86 MI vs RSA 78

87 MI vs RSA Unlike the RSA scheme, the size q n 1 of the multiplicative group of F n 2 is known, and thus anyone can compute h from 2 a

88 MI vs RSA Unlike the RSA scheme, the size q n 1 of the multiplicative group of F n 2 is known, and thus anyone can compute h from 2 a +1. MI thus based the security of the scheme on the different principle of mapping obfuscation. (à la McEliece) 78

89 SFLASH 79

90 SFLASH The MI scheme was broken by a very clever attack developed by Patarin in

91 SFLASH The MI scheme was broken by a very clever attack developed by Patarin in Based on an idea of Shamir from 1993, Patarin et al proposed to avoid their own attack by deleting r out of the n equations from the MI public key, and called the resulting scheme SFLASH. 79

92 SFLASH 80

93 SFLASH If we denote the final truncation, the SFLASH public key is: P = T Q S 80

94 SFLASH If we denote the final truncation, the SFLASH public key is: P = T Q S Such truncated keys can be used in signature schemes but not in encryption schemes, since they cannot be inverted uniquely. 80

95 SFLASH & NESSIE 81

96 SFLASH & NESSIE The SFLASH scheme was selected in 2003 by the new european schemes for signatures integrity and encryption Consortium as one of only three recommended public key signature schemes, and as the best known solution for low cost smart cards 81

97 SFLASH & NESSIE The SFLASH scheme was selected in 2003 by the new european schemes for signatures integrity and encryption Consortium as one of only three recommended public key signature schemes, and as the best known solution for low cost smart cards The first version of SFLASH, called SFLASH v1, had a subtle bug which was discovered by Gilbert and Minier. It was replaced by two versions (SFLASH v2 & v3 ). 81

98 SFLASH & NESSIE The SFLASH scheme was selected in 2003 by the new european schemes for signatures integrity and encryption Consortium as one of only three recommended public key signature schemes, and as the best known solution for low cost smart cards The first version of SFLASH, called SFLASH v1, had a subtle bug which was discovered by Gilbert and Minier. It was replaced by two versions (SFLASH v2 & v3 ). They differ only in their security parameters: for SFLASH v2 : q = 2 7, n = 37, a = 11 and r = 11 for SFLASH v3 : q = 2 7, n = 67, a = 33 and r = 11 81

99 SFLASH & NESSIE The SFLASH scheme was selected in 2003 by the new european schemes for signatures integrity and encryption Consortium as one of only three recommended public key signature schemes, and as the best known solution for low cost smart cards The first version of SFLASH, called SFLASH v1, had a subtle bug which was discovered by Gilbert and Minier. It was replaced by two versions (SFLASH v2 & v3 ). They differ only in their security parameters: for SFLASH v2 : q = 2 7, n = 37, a = 11 and r = 11 for SFLASH v3 : q = 2 7, n = 67, a = 33 and r = 11 Dubois, Fouque, Shamir, Stern broke SFLASH v2 & v3 in

100 Variations 82

101 Variations * *as of

102 Multi-variate Poly based cryptography 84

103 Post-Quantum Cryptography Finite Fields based cryptography Codes Multi-variate Polynomials Integers based cryptography Approximate Integer GCD Lattices 85

104 Cryptographic Money based on hidden codes (hidden sub-spaces) 86

105 Hidden (Linear) Code 87

106 Hidden (Linear) Code a linear [n,k,d] code C F n over arbitrary finite field F. 87

107 Hidden (Linear) Code a linear [n,k,d] code C F n over arbitrary finite field F. a positive integer degree D, 87

108 Hidden (Linear) Code a linear [n,k,d] code C F n over arbitrary finite field F. a positive integer degree D, I D,C = { degree-d polynomials that vanish on C }. 87

109 Hidden (Linear) Code a linear [n,k,d] code C F n over arbitrary finite field F. a positive integer degree D, I D,C = { degree-d polynomials that vanish on C }. For simplicity, assume we use F=F 2. 87

110 Hidden Code 88

111 Hidden Code Lemma A It is possible to sample a uniformly-random element of I D,C in time O(n D ). 88

112 Hidden Code Lemma A It is possible to sample a uniformly-random element of I D,C in time O(n D ). Lemma B Fix C F n 2 and β > 1, and choose βn independent uniformly-random samples from I D,C. With probability 1 2 Ω(n), the set of points on which they are all zero is exactly C. 88

113 Aaronson Public Q-Money Christiano 89

114 Aaronson Public Q-Money Christiano P 1 (x), P 2 (x),...,p βn (x) define C=Span(G) (Public-key) 89

115 Aaronson Public Q-Money Christiano P 1 (x), P 2 (x),...,p βn (x) define C=Span(G) (Public-key) Q 1 (x), Q 2 (x),...,q βn (x) define C =Ker(G) (Public-key) 89

116 Aaronson Public Q-Money Christiano P 1 (x), P 2 (x),...,p βn (x) define C=Span(G) (Public-key) Q 1 (x), Q 2 (x),...,q βn (x) define C =Ker(G) (Public-key) c C,c C,i,j P i (c)=0 and Q j (c )=0 89

117 Aaronson Public Q-Money Christiano P 1 (x), P 2 (x),...,p βn (x) define C=Span(G) (Public-key) Q 1 (x), Q 2 (x),...,q βn (x) define C =Ker(G) (Public-key) c C,c C,i,j P i (c)=0 and Q j (c )=0 $ = c C c, [H] n $ = c C c 89

118 Aaronson Public Q-Money Christiano P 1 (x), P 2 (x),...,p βn (x) define C=Span(G) (Public-key) Q 1 (x), Q 2 (x),...,q βn (x) define C =Ker(G) (Public-key) c C,c C,i,j P i (c)=0 and Q j (c )=0 $ = c C c, [H] n $ = c C c checking $ : using P 1 (x),...,p βn (x), validate that $ is made only of states from C and using Q 1 (x),...,q βn (x), validate that [H] $ is made only of states from C. 89

119 Aaronson Public Q-Money Christiano 90

120 Aaronson Public Q-Money Christiano P 1 (x), P 2 (x),...,p βn (x) define C=Span(G) (Public-key) 90

121 Aaronson Public Q-Money Christiano P 1 (x), P 2 (x),...,p βn (x) define C=Span(G) (Public-key) Q 1 (x), Q 2 (x),...,q βn (x) define C =Ker(G) (Public-key) 90

122 Aaronson Public Q-Money Christiano P 1 (x), P 2 (x),...,p βn (x) define C=Span(G) (Public-key) Q 1 (x), Q 2 (x),...,q βn (x) define C =Ker(G) (Public-key) c C,c C,i,j P i (c)=0 and Q j (c )=0 90

123 Aaronson Public Q-Money Christiano P 1 (x), P 2 (x),...,p βn (x) define C=Span(G) (Public-key) Q 1 (x), Q 2 (x),...,q βn (x) define C =Ker(G) (Public-key) c C,c C,i,j P i (c)=0 and Q j (c )=0 The special structure of (C,C ), yields an attack for degree 2 polynomials. So D must be at least 3. 90

124 Aaronson Public Q-Money Christiano P 1 (x), P 2 (x),...,p βn (x) define C=Span(G) (Public-key) Q 1 (x), Q 2 (x),...,q βn (x) define C =Ker(G) (Public-key) c C,c C,i,j P i (c)=0 and Q j (c )=0 The special structure of (C,C ), yields an attack for degree 2 polynomials. So D must be at least 3. In Q-Money C or C may be sampled once. 90

125 Public Q-Money Aaronson P 1 (x), P 2 (x),...,p βn (x) define C=Span(G) Christiano (Public-key) Q 1 (x), Q 2 (x),...,q βn (x) define C =Ker(G) (Public-key) c C,c C,i,j P i (c)=0 and Q j (c )=0 The special structure of (C,C ), yields an attack for degree 2 polynomials. So D must be at least 3. In Q-Money C or C may be sampled once. Weakens the security. Degree D=4 with sample is as hard as degree 3 without a sample. So they choose D=4. 90

126 Hidden Code Let Z D,C, ℇ be the distribution which sets Z D,C, ℇ ={ I D,C with probability 1-ℇ I D, with probability ℇ where is a random code of dimension k. Lemma C Fix C F n 2 and ℇ <1, let β=32/(1-ℇ) 2, and choose βn independent samples from Z D,C, ℇ. Let δ = 1/2 + (1 ℇ)/4. With probability 1 2 Ω(n) the set of points on which at least δβn polynomials are zero is exactly C. 91

127 Public Q-Money 92

128 Public Q-Money P 1 (x), P 2 (x),...,p β n (x) define C=Span(G) (Public-key) 92

129 Public Q-Money P 1 (x), P 2 (x),...,p β n (x) define C=Span(G) (Public-key) Q 1 (x), Q 2 (x),...,q β n (x) define C =Ker(G) (Public-key) 92

130 Public Q-Money P 1 (x), P 2 (x),...,p β n (x) define C=Span(G) (Public-key) Q 1 (x), Q 2 (x),...,q β n (x) define C =Ker(G) (Public-key) c C, c C P i (c)=0 and Q j (c )=0 with probability δ. 92

131 Public Q-Money P 1 (x), P 2 (x),...,p β n (x) define C=Span(G) (Public-key) Q 1 (x), Q 2 (x),...,q β n (x) define C =Ker(G) (Public-key) c C, c C P i (c)=0 and Q j (c )=0 with probability δ. Adding misleading polynomials may only make the assumption harder to break... 92

132 Cryptographic Money based on hidden codes (hidden sub-spaces) 93