List decoding of binary Goppa codes and key reduction for McEliece's cryptosystem
1 List decoding of binary Goppa codes and key reduction for McEliece's cryptosystem. Morgan Barbier, morgan.barbier@lix.polytechnique.fr, École Polytechnique, INRIA Saclay - Île de France. 14 April 2011, University of Caen. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 1 / 39
2 Outline. 1 Introduction: principles of list decoding; Johnson's bounds. 2 Decoding of Reed-Solomon codes: Berlekamp-Welch decoding; Sudan's algorithm; Guruswami-Sudan's algorithm. 3 List decoding of Goppa codes: Goppa codes; list decoding. 4 Application to McEliece.
3 Definitions. Definition (Linear code): a linear code $C$ over $\mathbb{F}_q$ of length $n$ and dimension $k$ is a $k$-dimensional vector subspace of $\mathbb{F}_q^n$. Definition (Distances): let $x, y \in \mathbb{F}_q^n$ and let $C$ be an $[n,k]$ linear code. The Hamming distance $d(x,y)$ and the minimum distance $d$ of $C$ are given by $d(x,y) = \#\{i : x_i \neq y_i\}$ and $d = \min_{x \neq y \in C} d(x,y)$.
4 Encoding and decoding. Let $C$ be an $[n,k,d]$ linear code over $\mathbb{F}_q$, $m \in \mathbb{F}_q^k$ a message and $e \in \mathbb{F}_q^n$ an error vector. We define $E : \mathbb{F}_q^k \to C$ and $D : \mathbb{F}_q^n \to \mathbb{F}_q^k \cup \{?\}$ such that $D(E(m)+e) = m$ if $w(e) \le \lfloor (d-1)/2 \rfloor$, and $D(E(m)+e) = m$ or $?$ if $w(e) > \lfloor (d-1)/2 \rfloor$, where $w(e)$ is the Hamming weight of $e$.
5-8 Representation (four figure-only slides; nothing beyond the title survives in the transcript).
9 Johnson's bounds. Theorem: let $v \in \mathbb{F}_q^n$ and let $e$ be an integer such that $e < J(n,d,q) = n\,\frac{q-1}{q}\Bigl(1 - \sqrt{1 - \frac{q}{q-1}\cdot\frac{d}{n}}\Bigr)$; then $\#\bigl(B(v,e) \cap C\bigr) \le n^2$. When $q \to +\infty$ we obtain the generic Johnson bound $J(n,d) = n - n\sqrt{1 - d/n}$. For the binary case $q = 2$: $J(n,d,2) = \frac{n}{2} - \frac{n}{2}\sqrt{1 - 2d/n}$.
10 Comparison of the Johnson bounds (figure: normalised error capacity $e/n$ against normalised minimum distance $d/n$ for the binary Johnson bound, the generic Johnson bound and the unambiguous (unique-decoding) bound).
11 Reed-Solomon codes. Definition (Reed-Solomon codes as evaluation codes): let $\alpha_1, \dots, \alpha_n$ be distinct elements of $\mathbb{F}_q$. The Reed-Solomon code of length $n$ and dimension $k$ over $\mathbb{F}_q$ is $RS[n,k] = \{(P(\alpha_1), \dots, P(\alpha_n)) : P \in \mathcal{P}_k\}$, where $\mathcal{P}_k = \{P \in \mathbb{F}_q[X] : \deg P < k\}$. Distinct evaluation points require $n \le q$: the field has to be large enough.
12 Encoding and decoding of Reed-Solomon codes. Let $P(X) \in \mathcal{P}_k$; then $P(X) = \sum_{i=0}^{k-1} P_i X^i$ and we can write $P = (P_0, \dots, P_{k-1}) \in \mathbb{F}_q^k$. The encoding function $E$ is, for $m \in \mathbb{F}_q^k \simeq \mathcal{P}_k$, $E(m) = (m(\alpha_1), \dots, m(\alpha_n))$. Usually the decoding step consists in finding the element $m$ in polynomial form.
13 Decoding context. Let $\alpha_1, \dots, \alpha_n \in \mathbb{F}_q$, let $C$ be the $[n, k, d = n-k+1]$ Reed-Solomon code over $\mathbb{F}_q$ and $c \in C$; then there is $P \in \mathcal{P}_k$ such that $c = (P(\alpha_1), \dots, P(\alpha_n))$. Let the received word $y = (y_1, \dots, y_n) \in \mathbb{F}_q^n$ be $y = c + e$, where $e \in \mathbb{F}_q^n$ and $w(e) \le t \le \lfloor (d-1)/2 \rfloor$. From $y$ we have to compute $P$ such that $y = (P(\alpha_1) + e_1, \dots, P(\alpha_n) + e_n)$.
14 Berlekamp-Welch's idea. At least $n - t$ positions have $e_i = 0$, so for these $y_i = P(\alpha_i)$. Compute $Q(X,Y) = Q_0(X) + Y\,Q_1(X) \in \mathbb{F}_q[X,Y]$, with $Q_0(X), Q_1(X) \in \mathbb{F}_q[X]$, such that (1) $Q(\alpha_i, y_i) = 0$ for all $i \in \{1, \dots, n\}$, (2) $\deg Q_0(X) \le n - t - 1$, (3) $\deg Q_1(X) \le n - t - k$.
15 Computation of $P(X)$. Theorem: a nonzero polynomial $Q(X,Y) \in \mathbb{F}_q[X,Y]$ satisfying the previous constraints always exists (the homogeneous linear system has $2n - 2t - k + 1 > n$ unknowns for $n$ equations, since $2t < d = n - k + 1$). Theorem: the polynomial $Q(X, P(X)) \in \mathbb{F}_q[X]$ is the zero polynomial (its degree is at most $n - t - 1$ and it vanishes at the $n - t$ or more error-free $\alpha_i$). Hence $Q(X, P(X)) = Q_0(X) + P(X)\,Q_1(X) = 0$, so $P(X) = -Q_0(X)/Q_1(X)$.
16 Algorithm Berlekamp-Welch. Input: $y$ the received word, $C$ a Reed-Solomon code. Output: $P(X)$, the codeword in polynomial form. $Q(X,Y) \leftarrow \mathrm{Interpolation}_{BW}((\alpha_i, y_i)_{i=1,\dots,n})$; $P(X) \leftarrow -Q_0(X)/Q_1(X)$.
17 Main idea of Sudan's algorithm. Decoding $\tau > t$ errors means several codeword candidates, hence several $Y$-linear factors of $Q(X,Y)$. Take $Q(X,Y) = Q_0(X) + Y\,Q_1(X) + \dots + Y^l Q_l(X)$ with $Q(\alpha_i, y_i) = 0$ for all $i \in \{1, \dots, n\}$ and $\deg Q_j(X) \le n - \tau - 1 - j(k-1)$ for $j \in \{0, \dots, l\}$.
18 Computation of $P(X)$. Theorem: a nonzero polynomial $Q(X,Y) \in \mathbb{F}_q[X,Y]$ satisfying the previous conditions always exists. Theorem: the polynomial $Q(X, P(X)) \in \mathbb{F}_q[X]$ is the zero polynomial. So $P(X)$ is a root of $Q_X(Y) \in \mathbb{F}_q[X][Y]$, i.e. $(Y - P(X)) \mid Q(X,Y)$.
19 Algorithm Sudan. Input: $y$ the received word, $C$ a Reed-Solomon code. Output: $(P_1(X), \dots, P_l(X))$, a list of codewords. $Q(X,Y) \leftarrow \mathrm{Interpolation}_S((\alpha_i, y_i)_{i=1,\dots,n})$; $(P_1(X), \dots, P_l(X)) \leftarrow \mathrm{LinearFactors}(Q(X,Y))$.
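Worked example, added here and not code from the slides, of the Berlekamp-Welch decoder and of Sudan's algorithm above, both driven by the same interpolation step. Assumed parameters: the prime field $\mathbb{F}_{13}$, evaluation points $\alpha_i = 0, \dots, 12$ (so $n = 13$), $k = 2$, hence $d = 12$ and $t = 5$. The Y-root search stands in for the LinearFactors step: it is a brute-force scan of the $p^k$ candidates, which is only viable for a toy field, and every root is checked against $y$ before it enters the list (Sudan's guarantee is that all codewords within $\tau$ are roots, not that all roots are codewords within $\tau$).

```python
"""Berlekamp-Welch and Sudan decoding of a Reed-Solomon code over a prime field.
Added worked example, not code from the slides.  Illustrative parameters: p = 13,
alpha_i = 0, ..., 12 (so n = 13), k = 2, hence d = 12 and t = floor((d-1)/2) = 5.
Polynomials are coefficient lists, low degree first.  The Y-root search in `sudan`
is a brute-force stand-in for the LinearFactors step."""
from itertools import product

P_MOD, K = 13, 2
ALPHAS = list(range(P_MOD))
N = len(ALPHAS)
T = (N - K) // 2                          # unique-decoding radius t, with d = n - k + 1

def poly_eval(poly, x):
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % P_MOD
    return acc

def encode(msg):                          # E(m) = (m(alpha_1), ..., m(alpha_n)), m in P_k
    return [poly_eval(msg, a) for a in ALPHAS]

def distance(u, v):                       # Hamming distance
    return sum(a != b for a, b in zip(u, v))

def nullspace_vector(rows, ncols):
    """A nonzero solution of rows * x = 0 over F_p; needs more unknowns than equations."""
    m = [list(r) for r in rows]
    pivots, row = [], 0
    for col in range(ncols):              # Gauss-Jordan to reduced row echelon form
        piv = next((r for r in range(row, len(m)) if m[r][col]), None)
        if piv is None:
            continue
        m[row], m[piv] = m[piv], m[row]
        inv = pow(m[row][col], -1, P_MOD)
        m[row] = [v * inv % P_MOD for v in m[row]]
        for r in range(len(m)):
            if r != row and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % P_MOD for a, b in zip(m[r], m[row])]
        pivots.append((row, col))
        row += 1
    free = next(c for c in range(ncols) if c not in {pc for _, pc in pivots})
    x = [int(c == free) for c in range(ncols)]   # free variable := 1, solve for the pivots
    for r, c in pivots:
        x[c] = -m[r][free] % P_MOD
    return x

def interpolate(y, degs):
    """Q(X, Y) = sum_j Q_j(X) Y^j with deg Q_j <= degs[j] and Q(alpha_i, y_i) = 0 for all i.
    The unknowns are the coefficients of the Q_j; returns them as a list of polynomials."""
    rows = [[pow(yi, j, P_MOD) * pow(a, e, P_MOD) % P_MOD for j, d in enumerate(degs) for e in range(d + 1)]
            for a, yi in zip(ALPHAS, y)]
    sol, qs = nullspace_vector(rows, sum(d + 1 for d in degs)), []
    for d in degs:
        qs.append(sol[:d + 1])
        sol = sol[d + 1:]
    return qs

def poly_divmod(num, den):                # long division over F_p: (quotient, remainder)
    num, den = list(num), list(den)
    while den[-1] == 0:
        den.pop()
    inv = pow(den[-1], -1, P_MOD)
    quot = [0] * max(len(num) - len(den) + 1, 1)
    for i in range(len(num) - len(den), -1, -1):
        quot[i] = num[i + len(den) - 1] * inv % P_MOD
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - quot[i] * d) % P_MOD
    return quot, num[:len(den) - 1]

def berlekamp_welch(y):
    """Unique decoding up to T errors: Q = Q_0 + Y Q_1 with deg Q_0 <= n-t-1 and
    deg Q_1 <= n-t-k; Q(X, P(X)) = 0 forces P = -Q_0 / Q_1.  Returns None beyond T errors."""
    q0, q1 = interpolate(y, [N - T - 1, N - T - K])
    if not any(q1):
        return None
    quot, rem = poly_divmod([-c % P_MOD for c in q0], q1)
    msg = (quot + [0] * K)[:K]
    if any(rem) or any(quot[K:]) or distance(encode(msg), y) > T:
        return None                       # the quotient is not a codeword within T of y
    return msg

def sudan(y, tau, ell):
    """List decoding up to tau errors: deg Q_j <= n-tau-1-j(k-1) for j = 0..ell.  Every P in
    P_k agreeing with y on >= n-tau points is a Y-root of Q.  Roots are found by brute force
    over the p^k candidates: deg Q(X, P(X)) <= n-tau-1 < p, so vanishing at every a in F_p
    means Q(X, P(X)) is the zero polynomial.  Spurious roots are removed by the distance test."""
    degs = [N - tau - 1 - j * (K - 1) for j in range(ell + 1)]
    assert sum(d + 1 for d in degs) > N, "a nonzero Q needs more unknowns than equations"
    qs, roots = interpolate(y, degs), []
    for cand in product(range(P_MOD), repeat=K):
        cand = list(cand)
        vals = [sum(poly_eval(q, a) * pow(poly_eval(cand, a), j, P_MOD) for j, q in enumerate(qs)) % P_MOD
                for a in range(P_MOD)]
        if not any(vals) and distance(encode(cand), y) <= tau:
            roots.append(cand)
    return roots
```

With these parameters Sudan's constraint for $l = 2$ reads $3(n - \tau) - 3 > n$, i.e. $\tau \le 7$, two errors beyond the unique-decoding radius $t = 5$; a received word built from six coordinates of one codeword and six of another is rejected by `berlekamp_welch` and returns both codewords from `sudan`.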
20 Extension of Sudan's algorithm. Let $P_i$ and $P_j$ be two polynomials in the output list. When both agree with $y$ on more than $n/2$ positions, there exists $k \in \{1, \dots, n\}$ such that $P_i(\alpha_k) = P_j(\alpha_k) = y_k$, so $(\alpha_k, y_k)$ is a zero of $Q(X,Y)$ of order at least two. Hence: add multiplicity constraints during the interpolation step of $Q(X,Y)$. Definition (Multiplicity): let $(a,b) \in \mathbb{F}_q^2$ and $Q(X+a, Y+b) = \sum_{i,j} q_{i,j} X^i Y^j$. The point $(a,b)$ is a zero of $Q(X,Y)$ of multiplicity $s \in \mathbb{N}$ if $Q(a,b) = 0$, $q_{i,j} = 0$ for all $i, j$ with $i + j < s$, and $s$ is the largest integer satisfying this property.
21 $Q(X,Y)$ in the case of GS. Theorem: take $Q(X,Y) = Q_0(X) + Y\,Q_1(X) + \dots + Y^l Q_l(X)$ with $Q(\alpha_i, y_i) = 0$ with multiplicity $s$ for all $i \in \{1, \dots, n\}$ and $\deg Q_j(X) \le s(n - \tau) - 1 - j(k-1)$ for $j \in \{0, \dots, l\}$; a nonzero polynomial $Q(X,Y) \in \mathbb{F}_q[X,Y]$ satisfying these conditions always exists. Theorem: the polynomial $Q(X, P(X)) \in \mathbb{F}_q[X]$ is the zero polynomial, hence $(Y - P(X)) \mid Q(X,Y)$.
22 Algorithm Guruswami-Sudan. Input: $y$ the received word, $C$ a Reed-Solomon code. Output: $(P_1(X), \dots, P_l(X))$, a list of codewords. $Q(X,Y) \leftarrow \mathrm{Interpolation}_{GS}((\alpha_i, y_i)_{i=1,\dots,n}, s)$; $(P_1(X), \dots, P_l(X)) \leftarrow \mathrm{LinearFactors}(Q(X,Y))$.
23 Decoding of Reed-Solomon codes (summary). Berlekamp-Welch: compute $Q(X,Y) = Q_0(X) + Q_1(X)\,Y$ such that $Q(\alpha_i, y_i) = 0$; then $(Y - P(X)) \mid Q(X,Y)$. Sudan: compute $Q(X,Y) = Q_0(X) + \dots + Q_l(X)\,Y^l$ such that $Q(\alpha_i, y_i) = 0$. Guruswami-Sudan: compute $Q(X,Y) = Q_0(X) + \dots + Q_l(X)\,Y^l$ such that $Q(\alpha_i, y_i) = 0$ with multiplicities.
24 Definitions. Definition (Subfield subcode): let $C$ be a code over $\mathbb{F}_{p^m}$ of length $n$. The subfield subcode $C'$ of $C$ over $\mathbb{F}_{p^e}$, with $e \mid m$, is $C' = C \cap \mathbb{F}_{p^e}^n$. Definition (Generalised Reed-Solomon, GRS): let $\beta_1, \dots, \beta_n$ be nonzero elements of $\mathbb{F}_q$ and $\alpha_1, \dots, \alpha_n$ be distinct elements of $\mathbb{F}_q$. The generalised Reed-Solomon code is $GRS_k[(\beta_i)_i, (\alpha_i)_i] = \{(\beta_1 P(\alpha_1), \dots, \beta_n P(\alpha_n)) : P \in \mathcal{P}_k\}$. Definition (Alternant codes): a code $C$ is called alternant if it is a subfield subcode of a GRS code.
25 Goppa codes. Definition (Goppa codes as alternant codes): let $\alpha_1, \dots, \alpha_n$ be distinct elements of $\mathbb{F}_{p^m}$ and $G(X)$ a polynomial over $\mathbb{F}_{p^m}$ of degree $r$ such that $G(\alpha_i) \neq 0$ for all $i \le n$. The Goppa code over $\mathbb{F}_{p^e}$ is $\Gamma((\alpha_i)_i, G) = GRS_{n-r}[(\beta_i)_i, (\alpha_i)_i] \cap \mathbb{F}_{p^e}^n$, where $\beta_i = G(\alpha_i) / \prod_{j \neq i} (\alpha_i - \alpha_j)$. Parameters: length $n$, dimension $\ge n - \frac{m}{e} r$ (that is $n - mr$ over the prime field, $e = 1$), minimum distance $\ge r + 1$.
26 Particular property. Theorem: let $\alpha_1, \dots, \alpha_n$ be distinct elements of $\mathbb{F}_{2^m}$ and $G(X)$ a polynomial over $\mathbb{F}_{2^m}$ of degree $r$ with $G(\alpha_i) \neq 0$ for all $i$. If $G(X)$ is square-free (without multiple roots), then $\Gamma((\alpha_i)_i, G) = \Gamma((\alpha_i)_i, G^2)$. Parameters: length $n$, dimension $\ge n - mr$, minimum distance $\ge 2r + 1$.
27 Context of decoding. Let $\Gamma((\alpha_i)_i, G)$ be a binary Goppa code of length $n$, where $G$ is a square-free polynomial of degree $r$, and let $y \in \mathbb{F}_2^n$ be the received word. There exist $e \in \mathbb{F}_2^n$ and $P(X) \in \mathbb{F}_{2^m}[X]$ of degree strictly less than $n - r$ such that $y = (\beta_1 P(\alpha_1) + e_1, \dots, \beta_n P(\alpha_n) + e_n)$, where $\beta_i = G(\alpha_i) / \prod_{j \neq i} (\alpha_i - \alpha_j)$. Decoding $y$ means finding $P$.
28 Decoding. Let $\Gamma((\alpha_i)_i, G)$ be a binary Goppa code of length $n$, where $G$ is a square-free polynomial of degree $r$, and $y \in \mathbb{F}_2^n$. Write $J_2 = J_2(n,r) = \frac{n}{2}\bigl(1 - \sqrt{1 - 4r/n}\bigr)$ for the binary Johnson bound and choose $s$ so that the multiplicities below are integers. Compute $Q(X,Y) = \sum_{j=0}^{l} Q_j(X)\,Y^j$ such that $Q(X,Y) \neq 0$; $Q(\alpha_i, y_i \beta_i^{-1}) = 0$ with multiplicity $s(1 - J_2/n)$; $Q(\alpha_i, z \beta_i^{-1}) = 0$ with multiplicity $s J_2/n$ for $z \in \mathbb{F}_2 \setminus \{y_i\}$; $\deg Q_j < s n \bigl((1 - J_2/n)^2 + (J_2/n)^2\bigr) - j(n - r - 1)$ for $j \in \{0, \dots, l\}$. The received binary symbol gets the larger multiplicity and the other binary value at the same position the smaller one: this is how the binary alphabet is exploited.
29 Computation of $P(X)$. Theorem: a polynomial $Q(X,Y) \in \mathbb{F}_{2^m}[X,Y]$ satisfying the previous conditions always exists. Theorem: the polynomial $Q(X, P(X)) \in \mathbb{F}_{2^m}[X]$ is the zero polynomial; hence $(Y - P(X)) \mid Q(X,Y)$.
30 Algorithm Augot, B., Couvreur. Input: $y$ the received word, $\Gamma((\alpha_i)_i, G)$ the Goppa code. Output: $(c_1, \dots, c_l)$, a list of codewords. $Q(X,Y) \leftarrow \mathrm{Interpolation}_{ABC}(y, \Gamma)$; $(P_1(X), \dots, P_l(X)) \leftarrow \mathrm{LinearFactors}(Q(X,Y))$; for $i \in [1, l]$ do $c_i \leftarrow (\beta_1 P_i(\alpha_1), \dots, \beta_n P_i(\alpha_n))$; end for. In practice each $c_i$ is then checked to lie in $\mathbb{F}_2^n$ and within the decoding radius of $y$, since the factorisation step can return roots that are not binary codewords close to $y$.
31 Correction radii (figure: normalised error capacity $e/n$ against normalised minimum distance $d/n$ for our method, Guruswami-Sudan (GS) and Berlekamp-Welch (BW)).
32 Complexity. Theorem: to decode a square-free binary Goppa code up to the binary Johnson bound $J_2(n,r) = \frac{n}{2}\Bigl(1 - \sqrt{1 - \frac{4r}{n}}\Bigr)$, our algorithm runs in $O(n^7)$ field operations. Theorem: to decode up to $(1 - \epsilon) J_2$, our algorithm runs in $O(n^2 \epsilon^{-5})$ field operations.
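A worked check, added here and not part of the slides, of what the binary Johnson bound $J_2(n,r)$ above buys over unique decoding of a square-free binary Goppa code (minimum distance at least $2r+1$, so $r$ errors are uniquely decodable). Since
$$\Bigl(1 - \frac{2r}{n}\Bigr)^2 = 1 - \frac{4r}{n} + \frac{4r^2}{n^2} \;\ge\; 1 - \frac{4r}{n},$$
we have $\sqrt{1 - 4r/n} \le 1 - 2r/n$ and therefore
$$J_2(n,r) = \frac{n}{2}\Bigl(1 - \sqrt{1 - \tfrac{4r}{n}}\Bigr) \;\ge\; \frac{n}{2}\cdot\frac{2r}{n} = r,$$
so the list decoder never corrects fewer errors than the unique decoder. Expanding $\sqrt{1-x} = 1 - \frac{x}{2} - \frac{x^2}{8} - O(x^3)$ with $x = 4r/n$ gives
$$J_2(n,r) = r + \frac{r^2}{n} + O\!\Bigl(\frac{r^3}{n^2}\Bigr),$$
so the number of extra errors $\tau - r$ that list decoding adds in the key-reduction tables that follow is about $r^2/n$, paid for with the $O(n^2 \epsilon^{-5})$ decoding cost above.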
33 Context of McEliece. Choose: $\Gamma((\alpha_i)_i, G)$ a binary Goppa code with $G$ square-free of degree $r$ (so it corrects $r$ errors); $\mathbf{G}$ a $k \times n$ generator matrix of $\Gamma$; $S$ an invertible $k \times k$ matrix; $P$ an $n \times n$ permutation matrix. Public key: $(S\mathbf{G}P, r)$. Secret key: $(S^{-1}, \mathbf{G}, P^{-1})$. Encryption: for a message $m \in \mathbb{F}_2^k$, $c = mS\mathbf{G}P + e$ with $w(e) = r$. Decryption: $c' = cP^{-1}$, $m' = \mathrm{Dec}(c')$, $m = m'S^{-1}$.
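Worked example, added here and not code from the slides, of the scheme above on a toy instance: the Goppa code is built exactly as the subfield subcode defined earlier (parity-check rows $\alpha_i^j / G(\alpha_i)$ over $\mathbb{F}_{2^m}$, expanded to binary rows), the square-free property is checked by verifying that all error patterns of weight at most $r$ have distinct syndromes (equivalent to $d \ge 2r+1$), and key generation, encryption and decryption follow the $S\mathbf{G}P$ construction. Assumptions: $\mathbb{F}_{16} = \mathbb{F}_2[x]/(x^4+x+1)$, $G(X) = X^2 + X + x^3$ (its lack of roots in $\mathbb{F}_{16}$ is checked at run time), support equal to all of $\mathbb{F}_{16}$, so $n = 16$, $m = 4$, $r = 2$. The decoder is a syndrome table, a stand-in for an algebraic decoder; the list decoder of the slides is not implemented here, and $S$ is generated as a product of random row additions so that $S^{-1}$ comes for free.

```python
"""Toy binary Goppa code and McEliece key generation, encryption and decryption.
Added example, not code from the slides.  Assumed parameters: F_16 = F_2[x]/(x^4+x+1);
G(X) = X^2 + X + x^3, which has no root in F_16 (checked at run time), hence is square-free;
support L = all of F_16, so n = 16, r = 2, m = 4 and k >= n - mr = 8.  Binary vectors are
ints whose bit i is coordinate i.  Decoding is by syndrome table (a stand-in decoder)."""
import random
from functools import reduce
from itertools import combinations

M, Q, MODULUS = 4, 16, 0b10011            # F_{2^4}, reduction polynomial x^4 + x + 1
ALPHAS, N, R = list(range(Q)), 16, 2       # support L (n = 16) and deg G = r = 2

def gf_mul(a, b):                          # product in F_16: carry-less multiply, then reduce
    prod = 0
    while b:
        prod ^= a * (b & 1)
        b, a = b >> 1, a << 1
        a ^= MODULUS * (a >> M)            # a < 32 here, so a >> M is 0 or 1
    return prod

GF_INV = {a: b for a in range(1, Q) for b in range(1, Q) if gf_mul(a, b) == 1}   # 1/a, a != 0
goppa_eval = lambda a: gf_mul(a, a) ^ a ^ 0b1000     # G(a) = a^2 + a + x^3, with x^3 = 0b1000

def gf2_nullspace(rows, ncols):
    """Kernel basis of a binary matrix (row bitmasks), systematic on the free columns."""
    pivots = []                            # (pivot column, reduced row)
    for row in rows:
        for pc, pr in pivots:              # clear the existing pivot columns of the new row
            if row >> pc & 1:
                row ^= pr
        if row:
            pc = (row & -row).bit_length() - 1
            pivots = [(c, r ^ row if r >> pc & 1 else r) for c, r in pivots] + [(pc, row)]
    free_cols = [c for c in range(ncols) if all(c != pc for pc, _ in pivots)]
    return [1 << f | sum(1 << pc for pc, pr in pivots if pr >> f & 1) for f in free_cols], free_cols

def mat_vec(rows, vec):                    # row vector times matrix over F_2
    return reduce(int.__xor__, (row for i, row in enumerate(rows) if vec >> i & 1), 0)

def permute(vec, perm):                    # coordinate i moves to position perm[i]
    return sum((vec >> i & 1) << perm[i] for i in range(N))

def syndrome(h_rows, vec):                 # H * vec: one parity bit per row of H
    return sum((bin(row & vec).count("1") & 1) << i for i, row in enumerate(h_rows))

def goppa_code():
    """Gamma(L, G) as a subfield subcode: H rows alpha_i^j / G(alpha_i), j < r, over F_16,
    each expanded into m binary rows.  Returns (H rows, generator rows, information set)."""
    h_rows = []
    for j in range(R):                     # GF_INV raises KeyError if G vanishes on L
        col = [gf_mul(reduce(gf_mul, [a] * j, 1), GF_INV[goppa_eval(a)]) for a in ALPHAS]
        h_rows += [sum(1 << i for i, v in enumerate(col) if v >> bit & 1) for bit in range(M)]
    gen_rows, info_cols = gf2_nullspace(h_rows, N)
    return h_rows, gen_rows, info_cols

def syndrome_table(h_rows):
    """syndrome -> error pattern for every pattern of weight <= r; all distinct iff d >= 2r+1."""
    table = {}
    for w in range(R + 1):
        for idx in combinations(range(N), w):
            e = sum(1 << i for i in idx)
            assert syndrome(h_rows, e) not in table, "d < 2r + 1: two light patterns collide"
            table[syndrome(h_rows, e)] = e
    return table

def random_scrambler(k, rng, steps=64):    # S and S^-1 as products of random row additions
    ops = [rng.sample(range(k), 2) for _ in range(steps)]
    s, s_inv = [1 << i for i in range(k)], [1 << i for i in range(k)]
    for i, j in ops:                       # S = E_t ... E_1 applied to the identity
        s[i] ^= s[j]
    for i, j in reversed(ops):             # each E is its own inverse: S^-1 = E_1 ... E_t
        s_inv[i] ^= s_inv[j]
    return s, s_inv

def mceliece_keygen(rng):                  # public (S G P, r), secret (S^-1, Gamma, P)
    h_rows, gen_rows, info_cols = goppa_code()
    s, s_inv = random_scrambler(len(gen_rows), rng)
    perm = rng.sample(range(N), N)         # the permutation matrix P
    pub = [permute(mat_vec(gen_rows, row), perm) for row in s]      # rows of S G P
    return (pub, R), (s_inv, h_rows, syndrome_table(h_rows), info_cols, perm)

def mceliece_encrypt(public, msg, rng):    # c = m S G P + e with w(e) = r
    return mat_vec(public[0], msg) ^ sum(1 << i for i in rng.sample(range(N), public[1]))

def mceliece_decrypt(secret, ct):          # c' = c P^-1, Dec(c'), m = m' S^-1
    s_inv, h_rows, table, info_cols, perm = secret
    c1 = permute(ct, [perm.index(i) for i in range(N)])
    err = table.get(syndrome(h_rows, c1))
    if err is None:                        # more than r errors: decoding failure
        return None
    m_prime = sum(((c1 ^ err) >> c & 1) << j for j, c in enumerate(info_cols))
    return mat_vec(s_inv, m_prime)         # m' = m S is read off the information set

def roundtrip(seed=2011):
    rng = random.Random(seed)
    public, secret = mceliece_keygen(rng)
    msg = rng.getrandbits(len(public[0]))
    return mceliece_decrypt(secret, mceliece_encrypt(public, msg, rng)) == msg
```

The generator returned by `gf2_nullspace` is systematic on the free columns, so after the permutation is undone and the $r$ errors removed, $m' = mS$ is simply read off those coordinates; the syndrome-table assertion is the concrete form of the $\Gamma(G) = \Gamma(G^2)$ statement, since the generic alternant bound $r+1 = 3$ alone would not rule out two weight-2 patterns sharing a syndrome.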
34 List decoding and McEliece. Two types of attack: structural attacks and decoding attacks. Adding more errors makes the decoding attacks harder and does not add any structure. The encryption and decryption steps of McEliece's cryptosystem are fast, but the keys are large: hence a trade-off between decreasing the key size and increasing the decryption (decoding) time. How to find the original plaintext in the list? Use CCA2-secure McEliece variants, whose integrity check singles out the right candidate.
35 Key reduction for the generic variant of McEliece. Table (numerical entries not recoverable from the transcript): columns Method, $m$, $n$, $k$, $r$, $\tau$, $2^{WF}$ (work factor), Keysize, gain; each parameter set is given for unique decoding (U.D.) and for list decoding (L.D.).
36 Is the dyadic variant broken? Dyadic codes: quasi-dyadic Goppa codes. Structural attack by Faugère, Otmani, Perret and Tillich: it recovers the alternant structure by a Gröbner basis computation, but (1) it does not recover the Goppa structure (i.e. the Goppa polynomial $G$), and (2) the memory needed is too large for $m \ge 16$.
37 Key reduction for the dyadic variant, $r(r+1) > n$. Table (numerical entries not recoverable from the transcript): columns Method, $m$, $n$, $k$, $r$, $\tau$, $2^{WF}$ (work factor), Keysize, gain; rows alternate unique decoding (U.D.) and list decoding (L.D.).
38 Key reduction for the dyadic variant, $m \ge 16$. Table (numerical entries not recoverable from the transcript): columns Method, $m$, $n$, $k$, $r$, $\tau$, $2^{WF}$ (work factor), Keysize, gain; rows alternate unique decoding (U.D.) and list decoding (L.D.).
Algebraic Cryptanalysis of Compact McEliece s Variants Toward a Complexity Analysis Jean-Charles Faugère 1, Ayoub Otmani 2,3, Ludovic Perret 1, and Jean-Pierre Tillich 2 1 SALSA Project - INRIA (Centre
More informationLDPC codes in the McEliece cryptosystem: attacks and countermeasures
arxiv:0710.0142v2 [cs.it] 11 Jan 2009 LDPC codes in the McEliece cryptosystem: attacks and countermeasures Marco BALDI 1 Polytechnic University of Marche, Ancona, Italy Abstract. The McEliece cryptosystem
More informationCode-based Cryptography
Code-based Cryptography Codes correcteurs d erreurs et applications à la cryptographie MPRI 2014/2015-2.13.2 Nicolas Sendrier Linear Codes for Telecommunication data k linear expansion codeword n > k noisy
More informationGeneralized subspace subcodes with application in cryptology
1 Generalized subspace subcodes with application in cryptology Thierry P. BERGER, Cheikh Thiécoumba GUEYE and Jean Belo KLAMTI arxiv:1704.07882v1 [cs.cr] 25 Apr 2017 Cheikh Thiécoumba GUEYE and Jean Belo
More informationThe Support Splitting Algorithm and its Application to Code-based Cryptography
The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos (joint work with Nicolas Sendrier) Project-Team SECRET INRIA Paris-Rocquencourt May 9, 2012 3rd Code-based
More informationLow Rank Parity Check codes and their application to cryptography
Noname manuscript No. (will be inserted by the editor) Low Rank Parity Check codes and their application to cryptography Philippe Gaborit Gaétan Murat Olivier Ruatta Gilles Zémor Abstract In this paper
More informationOn Irreducible Polynomial Remainder Codes
2011 IEEE International Symposium on Information Theory Proceedings On Irreducible Polynomial Remainder Codes Jiun-Hung Yu and Hans-Andrea Loeliger Department of Information Technology and Electrical Engineering
More informationEE512: Error Control Coding
EE51: Error Control Coding Solution for Assignment on BCH and RS Codes March, 007 1. To determine the dimension and generator polynomial of all narrow sense binary BCH codes of length n = 31, we have to
More informationNotes 10: Public-key cryptography
MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such
More informationAlgebraic Cryptanalysis of Compact McEliece s Variants Toward a Complexity Analysis
Algebraic Cryptanalysis of Compact McEliece s Variants Toward a Complexity Analysis Jean-Charles Faugère 1, Ayoub Otmani 2,3, Ludovic Perret 1, and Jean-Pierre Tillich 2 1 SALSA Project - INRIA (Centre
More informationAn Overview on Post-Quantum Cryptography with an Emphasis. an Emphasis on Code based Systems
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal University of Zürich Finite Geometries Fifth Irsee Conference, September 10 16, 2017. Outline 1 Basics
More informationError Correcting Codes Questions Pool
Error Correcting Codes Questions Pool Amnon Ta-Shma and Dean Doron January 3, 018 General guidelines The questions fall into several categories: (Know). (Mandatory). (Bonus). Make sure you know how to
More informationFPGA-based Niederreiter Cryptosystem using Binary Goppa Codes
FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes Wen Wang 1, Jakub Szefer 1, and Ruben Niederhagen 2 1. Yale University, USA 2. Fraunhofer Institute SIT, Germany April 9, 2018 PQCrypto 2018
More informationCode-based Cryptography
Code-based Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 TU Eindhoven Nicolas Sendrier Linear Codes for Telecommunication data k linear expansion codeword n > k noisy channel data?
More informationConstruction of Real Algebraic Numbers in Coq
Construction of Real Algebraic Numbers in Coq INRIA Saclay Île-de-France LIX École Polytechnique INRIA Microsoft Research Joint Centre cohen@crans.org August 13, 2012 Why algebraic numbers? Field strictly
More informationDecoding One Out of Many
Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, équipe-projet SECRET Code-based Cryptography Workshop 11-12 May 2011, Eindhoven, The Netherlands Computational Syndrome Decoding Problem:
More informationSimple Matrix Scheme for Encryption (ABC)
Simple Matrix Scheme for Encryption (ABC) Adama Diene, Chengdong Tao, Jintai Ding April 26, 2013 dama Diene, Chengdong Tao, Jintai Ding ()Simple Matrix Scheme for Encryption (ABC) April 26, 2013 1 / 31
More informationWild McEliece Incognito
Wild McEliece Incognito Daniel J. Bernstein 1, Tanja Lange 2, and Christiane Peters 3 1 Department of Computer Science University of Illinois at Chicago, Chicago, IL 60607 7045, USA djb@cr.yp.to 2 Department
More informationAn Interpolation Algorithm for List Decoding of Reed-Solomon Codes
An Interpolation Algorithm for List Decoding of Reed-Solomon Codes Kwankyu Lee Department of Mathematics San Diego State University San Diego, USA Email: kwankyu@sogangackr Michael E O Sullivan Department
More informationComputing Error Distance of Reed-Solomon Codes
Computing Error Distance of Reed-Solomon Codes Guizhen Zhu Institute For Advanced Study Tsinghua University, Beijing, 100084, PR China Email:zhugz08@mailstsinghuaeducn Daqing Wan Department of Mathematics
More informationMATH32031: Coding Theory Part 15: Summary
MATH32031: Coding Theory Part 15: Summary 1 The initial problem The main goal of coding theory is to develop techniques which permit the detection of errors in the transmission of information and, if necessary,
More informationPost-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017
Post-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017 1 Background I will use: Linear algebra. Vectors x. Matrices A, matrix multiplication AB, xa,
More informationOn the Security of Some Cryptosystems Based on Error-correcting Codes
On the Security of Some Cryptosystems Based on Error-correcting Codes Florent Chabaud * Florent.Chabaud~ens.fr Laboratoire d'informatique de FENS ** 45, rue d'ulm 75230 Paris Cedex 05 FRANCE Abstract.
More informationECEN 604: Channel Coding for Communications
ECEN 604: Channel Coding for Communications Lecture: Introduction to Cyclic Codes Henry D. Pfister Department of Electrical and Computer Engineering Texas A&M University ECEN 604: Channel Coding for Communications
More informationComputing over Z, Q, K[X]
Computing over Z, Q, K[X] Clément PERNET M2-MIA Calcul Exact Outline Introduction Chinese Remainder Theorem Rational reconstruction Problem Statement Algorithms Applications Dense CRT codes Extension to
More informationEfficient Root Finding of Polynomials over Fields of Characteristic 2.
Efficient Root Finding of Polynomials over Fields of Characteristic 2. Bhaskar Biswas, Vincent Herbert To cite this version: Bhaskar Biswas, Vincent Herbert. Efficient Root Finding of Polynomials over
More informationChapter 6 Reed-Solomon Codes. 6.1 Finite Field Algebra 6.2 Reed-Solomon Codes 6.3 Syndrome Based Decoding 6.4 Curve-Fitting Based Decoding
Chapter 6 Reed-Solomon Codes 6. Finite Field Algebra 6. Reed-Solomon Codes 6.3 Syndrome Based Decoding 6.4 Curve-Fitting Based Decoding 6. Finite Field Algebra Nonbinary codes: message and codeword symbols
More informationR. A. Carrasco and M. Johnston, Non-Binary Error Control Coding Cork 2009
Design of Non-Binary Error-Correction Codes and their Applications R. A. Carrasco and. Johnston, Non-Binary Error Control Coding for Wireless Communication and Data Storage, Wiley, SBN 978-- 7-89-9 Prof.
More information