New results for rank based cryptography
|
|
- Charity Owens
- 6 years ago
- Views:
Transcription
1 New results for rank based cryptography Philippe Gaborit University of Limoges, France (based on works with O. Ruatta,J. Schrek and G. Zémor) Telecom Sud Paris 6 juin 2014
2 Summary 1 Post-Quantum Cryptography
3 Motivations Post-quantum cryptography
4 General problems Motivations Cryptography needs different difficult problems factorization discrete log SVP for lattices syndrome decoding problem For code-based cryptography, the security of cryptosystems is usually related to the problem of syndrome decoding for a special metric.
5 PQ Crypto Motivations Consider the simple linear system problem : H a random (n k) n matrix over GF (q) Knowing s GF (q) n k is it possible to recover a given x GF (q) n such that H.x t = s? Easy problem : fix n k columns of H, one gets a (n k) (n k) submatrix A of H A invertible with good probability, x = A 1 s.
6 Motivations How to make this problem difficult? (1) add a constraint to x : x of small weight for a particular metric metric = Hamming distance code-based cryptography metric = Euclidean distance lattice-based cryptography metric = Rank distance rank-based cryptography only difference : the metric considered, and its associated properties!! (2) consider rather a multivariable non linear system : quadratic, cubic etc... Mutivariate cryptography
7 Motivations General interest of post-quantum cryptogrphy a priori resistant to a quantum computer usually faster than number-theory based cryptography easier to protect against side-channel attacks size of keys may be larger
8 Lattice-based cryptography Motivations Knapsack 78, NTRU 96, GGH 97 Regev 04 LWE difficult problem : finding short vectors in lattices cryptanalysis : LLL algorithm with heuristics FHE, better security reduction?, reasonable size of keys
9 Code-based cryptography Motivations McEliece 78, Stern 93,CFS 01, G. 05, MDPC 13 difficult problem : syndrome decoding problem cryptanalysis : ISD, closed formulae faster than lattices?, reasonable size of keys with cyclicity, security reduction?
10 Multivariate cryptography Motivations Matsumoto-Imai 88, HFE 95, SFlash 96, Rainbow 05, QUAD difficult problem : solving a multivariable system cryptanalysis : Groebner basis many instation broken (Crypto 07), security reduction?, unreasonable size of keys
11 Rank Codes : definition and basic properties
12 Rank metric codes The rank metric is defined in finite extensions. GF (q) a finite field with q a power of a prime. GF (q m ) an extension of degree m of GF (q). B = (b 1,..., b m ) a basis of GF (q m ) over GF (q). GF (q m ) can be seen as a vector space on GF (q). C a linear code over GF (q m ) of dimension k and length n. G a k n generator matrix of the code C. H a (n k) n parity check matrix of C, G.H t = 0. H a dual matrix, x GF (q m ) n syndrome of x = H.x t GF (q m ) n k
13 Rank metric Words of the code C are n-uplets with coordinates in GF (q m ). v = (v 1,..., v n ) with v j GF (q m ). Any coordinate v j = m i=1 v ijb i with v ij GF (q). v(v 1,..., v n ) V = v 11 v v 1n v 21 v v 2n v m1 v m2... v mn
14 Definition (Rank weight of word) v has rank r = Rank(v) iff the rank of V = (v ij ) ij is r. equivalently Rank(v) = r <=> v j V r GF (q m ) n with dim(v r )=r. the determinant of V does not depend on the basis Definition (Rank distance) Let x, y GF (q m ) n, the rank distance between x and y is defined by d R (x, y) = Rank(x y).
15 Definition (Minimum distance) Let C be a [n, k] rank code over GF (q m ), the minimum rank distance d of C is d = min{d R (x, y) x, y C, x y} ; Theorem (Unique decoding) Let C[n, k, d] be a rank code over GF (q m ). Let e an error vector with r = Rank(e) d 1 2, and c C : if y = c + e then there exists a unique element c C such that d(y, c ) = r. Therefore c = c. proof : same as for Hamming, distance property.
16 Rank isometry Notion of isometry : weight preservation Hamming distance : n n permutation matrices Rank distance : n n invertible matrices over GF (q) proof : multiplying a codeword x GF (q m ) n by an n n invertible matrix over the base field GF(q) does not change the rank (see x as a m n matrix over GF (q)). remark : for any x GF (q m ) n : Rank(x) w H (x) : potential linear combinations on the x i may only decrease the rank weight.
17 Support analogy An important insight between Rank and Hamming distances tool : support analogy support of a word of GF (q) n in Hamming metric x(x 1, x2,, x n ) : set of positions x i 0 support of a word of GF (q) n in rank metric x(x 1, x2,, x n ) : the subspace over GF (q), E GF (q m ) generated by {x 1,, x n } in both cases if the order of size of the support is small, knowing the support of x and syndrome s = H.x t permits to recover the complete coordinates of x.
18 Sphere packing bound Counting the number of possible supports for length n and dimension t Hamming : number of sets with t elements in sets of n elements : Newton binomial ( n t) ( 2 n ) Rank : number of subspaces of dimension t over GF (q) in the space of dimension n GF (q m ) : Gaussian binomial [ ] n t q ( qtn )
19 Sphere packing bound Theorem (Sphere packing bound) Let C[n, k, d] be a rank code over GF (q m ) n, the parameters n, k, d and d satisfy : q mk B(n, m, q, d 1 2 ) qnm Theorem (Singleton bound) Let C[n, k, d] be a rank code over GF (q m ) n, the parameters n, k and d satisfy : d 1 + (n k)m n The rank Gilbert-Varshamov (GVR) bound for a C[n, k] rank code over GF (q m ) n with dual matrix H corresponds to the average value of the minimum distance of a random [n, k] rank code. asymptotically : in the case m = n : GVR(n,k,m,q) n 1 k n
20
21 Low Rank Parity Check codes - LRPC Families of decodable codes in rank metric There exists 3 main families of decodable codes in rank metric Gabidulin codes (1985) (analog of Reed-Solomon codes with rank metric and q-polynomials) simple matrix construction (2008) LRPC codes (2013) These codes have different properties, a lot of attention was given to rank metric and especially to subspace metric with the development of Network coding in the years 2000 s.
22 LRPC codes Low Rank Parity Check codes - LRPC LDPC : dual with low weight (ie : small support) equivalent for rank metric : dual with small rank support Definition (GMRZ13) A Low Rank Parity Check (LRPC) code of rank d, length n and dimension k over F q m is a code such that the code has for parity check matrix, a (n k) n matrix H(h ij ) such that the vector space F of F q m generated by its coefficients h ij has dimension at most d. We call this dimension the weight of H. In other terms : all coefficients h ij of H belong to the same low vector space F < F 1, F 2,, F d > of F q m of dimension d.
23 Decoding LRPC codes Low Rank Parity Check codes - LRPC Idea : as usual recover the support and then deduce the coordinates values. Let e(e 1,..., e n ) be an error vector of weight r, ie : e i : e i E, and dim(e)=r. Suppose H.e t = s = (s 1,..., s n k ) t. e i E < E 1,..., E r >, h ij F < F 1, F 2,, F d > s k < E 1 F 1,.., E r F d > if n k is large enough, it is possible to recover the product space < E 1 F 1,.., E r F d >
24 Decoding LRPC codes Low Rank Parity Check codes - LRPC Syndrome s(s 1,.., s n k ) : S =< s 1,.., s n k > < E 1 F 1,.., E r F d > Suppose S =< E.F > possible to recover E. Let S i = F 1 i.s, since S =< E.F >=< F i E 1, F i E 2,.., F i E r,... > E S i E = S 1 S 2 S d
25 General decoding of LRPC codes Low Rank Parity Check codes - LRPC Let y = xg + e 1 Syndrome space computation Compute the syndrome vector H.y t = s(s 1,, s n k ) and the syndrome space S =< s 1,, s n k >. 2 Recovering the support E of the error S i = F 1 i S, E = S 1 S 2 S d, 3 Recovering the error vector e Write e i (1 i n) in the error support as e i = n i=1 e ije j, solve the system H.e t = s. 4 Recovering the message x Recover x from the system xg = y e.
26 Decoding of LRPC Low Rank Parity Check codes - LRPC Conditions of success - S =< F.E > rd n-k. - possibility that dim(s) n k probabilistic decoding with error failure in q (n k rd) - if d = 2 can decode up to (n k)/2 errors. Complexity of decoding : very fast symbolic matrix inversion O(m(n k) 2 ) write the system with unknowns : e E = (e 11,..., e nr ) : rn unknowns in GF (q), the syndrome s is written in the symbolic basis {E 1 F 1,..., E r F d }, H is written in h ij = h ijk F k, nr m(n k) matrix in GF (q), can do precomputation. Decoding Complexity O(m(n k) 2 ) op. in GF (q) Comparison with Gabidulin codes : probabilistic, decoding failure, but as fast.
27 Low Rank Parity Check codes - LRPC Complexity issues : decoding random rankcodes
28 Rank syndrome decoding Semantic complexity Combinatorial attacks Algebraic attacks For cryptography we are interested in difficult problems, in the case of rank metric the problem is : Definition (Rank Syndrome Decoding problem (RSD)) Instance : a (n k) n matrix H over GF (q m ), a syndrome s in GF (q m ) n k and an integer w Question : does there exist x GF(q m ) n such that H.x t = s and w R (x) w? Definition (Syndrome Decoding problem (SD)) Instance : an r n matrix H = [h 1, h 2,..., h n ] over a field GF (q), a column vector s GF (q) r, an integer w Question : does there exist x = (x 1,..., x n ) GF (q) n of Hamming weight at most w such that H t x = n i=1 x ih i = s?
29 Semantic complexity Combinatorial attacks Algebraic attacks Problem SD proven NP-complete by Berlekamp et al. in Computational complexity of RSD : solved in 2014 (G.,Zemor 2014) Definition (embedding strategy) Let m n and Q = q m. Let α = (α 1,... α n ) be an n-tuple of elements of GF (Q). Define the embedding of GF (q) n into GF (Q) n ψ α : GF (q) n GF (Q) n x = (x 1,..., x n ) x = (x 1 α 1,... x n α n ) and for any GF (q)-linear code C in GF (q) n, define C = C(C, α) as the GF (Q)-linear code generated by ψ α (C), i.e. the set of GF (Q)-linear combinations of elements of ψ α (C).
30 A randomized reduction Semantic complexity Combinatorial attacks Algebraic attacks General idea of the embedding : Theorem (1, 0, 0, 1, 0, 1) (α 1, 0, 0, α 4, 0, α 5 ) Let C be a random code over GF(q) and α random, then for convenient m, with a very strong probability :. d H (C) = d R (C) Theorem If there exists a polynomial time algorithms which solves RSD then P=RP.
31 Best known attacks Semantic complexity Combinatorial attacks Algebraic attacks There are two types of attacks on the RSD problem : Combinatorial attacks Algebraic attacks Depending on type of parameters, the efficiency varies a lot.
32 Combinatorial attacks Semantic complexity Combinatorial attacks Algebraic attacks first attack Chabaud-Stern 96 : basis enumeration improvements A.Ourivski and T.Johannson 02 Basis enumeration : (k + r) 3 q (r 1)(m r)+2 (amelioration on polynomial part of Chabaud-Stern 96) Coordinates enumeration : (k + r) 3 r 3 q (r 1)(k+1) last improvement : G. et al. 12 (k+1)m (r 1) Support attack : O(q n )
33 Semantic complexity Combinatorial attacks Algebraic attacks Basis enumeration Hamming/Rank attacks Attack in rank metric to recover the support - a naive approach would consist in trying ALL possible supports : all set of coordinates of weight w Of course one never does that!!! Attack in rank metric to recover the support The analog of this attack in rank metric : try all possible supports, ie all vector space of dimension r : q (m r).r such basis, then solve a system. it is the Chabaud-Stern ( 96) attack - improved by OJ 02 By analogy with the Hamming : it is clearly not optimal In particular the exponent complexity does not depend on n
34 Improvement : ISD for rank metric Semantic complexity Combinatorial attacks Algebraic attacks Information Set Decoding for Hamming distance (simple original approach) : H.x t = s - syndrome size : n k n k equations - take n k random columns, if they contain the error support, one can solve a system Analog for rank metric : - syndrome size : n k (n k)m equations in F q - consider a random space E of F m q of dimension r which contain E one can solve if nr (n k)m as for ISD for Hamming metric : improve the complexity since easier to find.
35 Support attack Semantic complexity Combinatorial attacks Algebraic attacks Detail : Increasing of searched support : r r avec r n m(n k). e = βu with β a basis of rank r and U a r n matrix. Operations : More support to test : q (r 1)(m r) q (r 1)(m r ) Better probability to find : 1 q(r m) q (r 1)(m r) q (r 1)(m r) Complexity : min(o((n k) 3 m 3 q r km n ), O((n k) 3 m 3 q (r 1) (k+1)m n ))
36 Support attack Semantic complexity Combinatorial attacks Algebraic attacks Conclusion on the first attack Improvement on previous attacks based on HU t β t = Hy t. exponential omplexity in the general case Complexité : min(o((n k) 3 m 3 q r km n ), O((n k) 3 m 3 q (r 1) (k+1)m n )) Comparison with previous complexities : basis enumeration : (k + r) 3 q (r 1)(m r)+2 coordinates enumeration : (k + r) 3 r 3 q (r 1)(k+1) Remark : when n = m same expoential complexity that OJ 02
37 Algebraic attacks for rank metric Semantic complexity Combinatorial attacks Algebraic attacks General idea : translate the problem in equations then try to resolve with grobner basis Main difficulty : translate in equations the fact that coordinates belong to a same subspace of dimension r in GF (q m )? Levy-Perret 06 : Taking error support as unknown quadratic setting Kipnis-Shamir 99 ( FLP 08) and others..) : Kernel attack, (r + 1) (r + 1) minors degree r + 1 G. et al. 12 : annulator polynomial degree q r
38 Attack with q-polynomials Semantic complexity Combinatorial attacks Algebraic attacks Definition (q-polynomials) A q-polynomial is a polynomal of the form P(x) = r i=0 p ix qi with p r 0 et p i F q m. Linearity : P(αx + βy) = αp(x) + βp(y) with x, y F q m and α, β F q. B basis of r vectors of F q m,!p unitary q-polynomial such that b B, P(b) = 0 (Ore 33). One can then define a subspace of dimension r with a polynomial of q-degree r.
39 Attack with q-polynomial Semantic complexity Combinatorial attacks Algebraic attacks Reformulation : c + e = y with c a word of C, e a word of weight r and y known. There exists a polynomial P of q-degree r such that P(c y) = 0 moreover there exists x such that c = xg, which gives : ( r p i (xg 1 y 1 ) qi,..., i=0 r p i (xg n y n ) qi ) with x F q m k, G j the j-ith column of G and y F q m n known. i=0
40 Attack with q-polynomials Semantic complexity Combinatorial attacks Algebraic attacks Advantages : less unknowns, sparse equations Disadvantages : higher degree equations q r + 1 Three methods to solve : Linearization Grobner basis Hybrid approach : partial enumeration of unknowns
41 Semantic complexity Combinatorial attacks Algebraic attacks Conclusion on attacks Combinatorial : quadratic in the exponent, usually the best ones but depend on q Algebraic : very high when r increases but do not depend on q
42 Semantic complexity Combinatorial attacks Algebraic attacks best attacks : exponential with quadratic complexity in the exponent. Comparison of this problem with other problems for a 2 n complexity with best known attacks : problem size of key semantic security factorization Ω(n 3 ) no discrete log (large car.) Ω(n 3 ) no ECDL Ω(n) no SVP ideal lattices Ω(n) no SD cyclic-codes Ω(n) no SD Ω(n 2 ) yes SVP Ω(n 2 ) yes RSD Ω(n 1.5 ) yes
43 The GPT cryptosystem and its variations LRPC codes for cryptography ENCRYPTION IN RANK METRIC
44 The GPT cryptosystem and its variations LRPC codes for cryptography - Gabidulin et al. 91 : first encryption scheme based on rank metric - adaptation of McELiece scheme, many variations : Parameters B {b 1,, b m } a basis of GF (q m ) over GF (q) Private key G generates a Gabidulin code Gab(m, k), r = m k 2 S a random k t 1 matrix in GF (q m ) P a random matrix in GL m+t1 (GF (q)) S a random invertible k k matrix in GF (q m ) Public key G pub = S(G Z)P
45 The GPT cryptosystem and its variations LRPC codes for cryptography y = xg pub + e, Rank(e) r Decryption - Compute yp 1 = x(g Z) + ep 1 - Puncture the last t 1 columns and decode
46 The GPT cryptosystem and its variations LRPC codes for cryptography Other variations :G Gabidulin matrix, H : dual matrix Masking public matrix authors Scrambling matrix SG + X GPT 91 Right scrambling S(G ( Z)P ) Gabi. Ouriv. 01 H Subcodes Ber. Loi. 02 ( A ) G1 0 Rank Reducible [OGHA03],[BL04] A G 2
47 Overbeck s structural attack The GPT cryptosystem and its variations LRPC codes for cryptography Overbeck 06 general idea : if one consider G=Gab[n,k] and one applies the frobenius : x x q to each coordinate of G then G q and G have k 1 rows in common! starting from G pub = S(G Z)P, one can prove there is a rank default in : G pub. G qn k 1 pub the matrix is a k(n k) (n + t 1 ) matrix, first n columns part : rank n 1 and not n! Overbeck uses this point to break parameters of all presented
48 Reparation The GPT cryptosystem and its variations LRPC codes for cryptography and after : reparations an new type of masking resistant to Overbeke attack 2 families of parameters : - Loidreau (PQC 10) - Haitham Rashwan, Ernst M. Gabidulin, Bahram Honary ISIT 09, 10 [GRS12] new attacks break all proposed parameters
49 Results Post-Quantum Cryptography The GPT cryptosystem and its variations LRPC codes for cryptography P. Loidreau (PQC 10) Code [n, k, r] m OJ1 OJ2 Over ES L LH HGb [64, 12, 6] non hours [76, 12, 6] non s Haitham Rashwan, Ernst M. Gabidulin, Bahram Honary ISIT 09, 10 Code [n, k, r] m Over ES L LH HGb [28, 14, 3] non days [28, 14, 4] non 2 65 not finished [20, 10, 4] non days [20, 12, 4] non 2 60 not finsihed
50 Conclusion on GPT-like systems The GPT cryptosystem and its variations LRPC codes for cryptography All actual proposed parameters are actually broken New masking still proposed Probably possible to find resistant parameters with public key size 15,000 bits Inherent potential vulnerability structure due to hidden structure of Gabidulin codes Faure-Loidreau cryptosystem??? reconstruction
51 The NTRU-like family The GPT cryptosystem and its variations LRPC codes for cryptography NTRU MDPC LRPC double circulant matrix (A B) (I H) A and B : cyclic with 0 and 1, over Z/qZ (small weight) (q=256), N 300 double circulant matrix (A B) (I H) A and B : cyclic with 0 and 1, 45 1, (small weight) N 4500 double circulant matrix (A B) (I H) A and B : cyclic with small weight (small rank)
52 LRPC codes for cryptography The GPT cryptosystem and its variations LRPC codes for cryptography We saw that LRPC codes with H [n-k,n] over F of rank d could decode error of rank r with probability q n k rd+1 : McEliece setting : Public key : G LRPC code : [n, k] of weight d which can decode up to errors of weight r Public key : G = MG Secret key : M c= mg +e, e of rank r Decryption Decode H.c t in e, then recover m. Smaller size of key : double circulant LRPC codes : H=(I A), A circulant matrix
53 Application to cryptography The GPT cryptosystem and its variations LRPC codes for cryptography Attacks on the system - message attack : decode a word of weight r for a [n, k] random code - structural attack : recover the LRPC structure a [n, n k] LRPC matrix of weight d contains a word with n d first zero positions. Searching for a word of weight d in a [n n d, n k n d ] code. Attack on the double circulant structure as for lattices or codes (with Hamming distance) no specific more efficient attack exists exponentially better than decoding random codes.
54 Parameters The GPT cryptosystem and its variations LRPC codes for cryptography n k m q d r failure public key security
55 Conclusion for LRPC The GPT cryptosystem and its variations LRPC codes for cryptography LRPC : new family of rank codes with an efficient probabilistic decoding algorithm Application to cryptography in the spirit of NTRU and MDPC (decryption failure, more controlled) Very small size of keys, comparable to RSA More studies need to be done but very good potentiality
56 The GPT cryptosystem and its variations LRPC codes for cryptography Authentication
57 Chen s protocol Chen ZK authentication protocol : attack and repair Signature in rank metric In 95 K. Chen proposed a rank metric authentication scheme, in the spirit of the Stern SD protocol for Hamming distance and Shamir s PKP protocol. Unfortunately the ZK proof is false... a good toy example to understand some subtilities of rank metric. [G. et al. (2011)]
58 Philippe Gaborit University of Limoges, France Figure: (based onrank-sd works with New O. results protocol Ruatta,J. for Schrek rank based and cryptography G. Zémor) Post-Quantum Cryptography Chen ZK authentication protocol : attack and repair Signature in rank metric 1 [Commitment step] The prover P chooses x V n, P GL n (GF(q and Q GL m (q). He sends c 1, c 2, c 3 such that : c 1 = hash(q P Hx t ), c 2 = hash(q xp), c 3 = hash(q (x + s)p 2 [Challenge step] The verifier V sends b {0, 1, 2} to P. 3 [Answer step] there are three possibilities : if b = 0, P reveals x and (Q P) if b = 1, P reveals x + s and (Q P) if b = 2, P reveals Q xp and Q sp 4 [Verification step] there are three possibilities : if b = 0, V checks c 1 and c 2. if b = 1, V checks c 1 and c 3. if b = 2, V checks c 2 and c 3 and that rank(q sp) = r.
59 Chen ZK authentication protocol : attack and repair Signature in rank metric Public matrix H : (n k) k m = 2691 bits Public key i : (n k)m = 299 bits Secret key s : r(m + n) = 360 bits Average number of bits exchanged in one round : 2 hash + one word of GF(q m ) 820 bits.
60 Chen ZK authentication protocol : attack and repair Signature in rank metric Signature with rank metric
61 Different approaches for signature Chen ZK authentication protocol : attack and repair Signature in rank metric Signatures by inversion unique inversion : RSA,CFS several inversions : NTRUSign, GGH, GPV Signature by proof of knowledge by construction : Schnorr, DSA, Lyubashevski (lattices 2012) generic : Fiat-Shamir paradigm one-time signatures : KKS 97, Lyubashevski 07
62 A first approach Chen ZK authentication protocol : attack and repair Signature in rank metric In rank metric it is possible to use the FS paradigm with our new protocol leads to small public keys : 2500b, signature length 60, 000b Can we do better?
63 CFS Post-Quantum Cryptography Chen ZK authentication protocol : attack and repair Signature in rank metric In 2001 Courtois Finiasz and Sendrier proposed a RSA-like signature for codes. SUppose one gets a decoding algorithm (inverse of a syndrome) unlike RSA, is it possible to consider a random codeword and invert it?? in general no : the density of invertible codewords is exponentially low... for a Goppa [2 m, 2 m tm, 2t + 1] the density is 1 t! CFS 01 : consider extreme parameters where t is low ( 10) and repeat until it works! leads to flat hidden matrices : [2 16, 154], signature shorts, very large size of keys : several MB, rather lengthy - more than RSA -(but can be parallelized)
64 New approach for rank metric [Gaborit,Ruatta,Schrek,Zemor 2013] Chen ZK authentication protocol : attack and repair Signature in rank metric Inversion case : there are two approaches : CFS : you are below GV and search for an invertible solution GPV, NTRUSign, GGH : beyond Gauss : construct one special solution which approximates a syndrome leads to better parameters (be careful to information leaking!) is it possible to do that with codes? in Hamming binary seems difficult, in rank? Not usual point of view for codes where one prefers a unique solution!
65 Chen ZK authentication protocol : attack and repair Signature in rank metric Consider the set of x of rank r and the set of reachable syndrome H.x t for H length n. for rank metric : support and coordinates are disjoint suppose we fix T of dimension t, if possible to consider r = r + t just like that then one multiplies the number of decodable syndromes by q tn improvement of density of decodable syndromes. Different choices of T different choices for preimage but unicity of decoding for a given T
66 General idea Chen ZK authentication protocol : attack and repair Signature in rank metric Fix a subspace T of GF (q m ) so that we want T E What is T? T corresponds to the notion of erasure (generalized) Hamming y = (y 1, y 2,..., y n ) = (c 1, c 2 + e 2, c 3,, c 4,,..., c n + e n ) Rank y = (y 1, y 2,..., y n ) = (c 1 + e 1, c 2 + e 2,..., c n + e n ), e i E, but T E
67 Chen ZK authentication protocol : attack and repair Signature in rank metric Theorem (Errors/erasures decoding of LRPC codes) Let H be a dual n k n matrix associated to a LRPC code with small space F of dimension d, over an extension field GF (q m ) over a small field of size q. Let r n k d, and let T be a random subspace of dimension t, such that (r + t).(2d 1) m. Let s be a syndrome such that there exists a unique support E, with T E of dimension r = t + r such that there exists a word e of support E such that H.e t = s. Then knowing T it is possible to retrieve the support E of e with a probability 1/q.
68 idea of the proof Chen ZK authentication protocol : attack and repair Signature in rank metric Similar to LRPC : E = {E 1,..., E r }, F = {F 1,..., F d } H.e t = s s < E.F > from n k s i one recovers S =< E.F > then E = F1 1 S... F 1 S d
69 LRPC with erasure Chen ZK authentication protocol : attack and repair Signature in rank metric Input T =< T 1,, T t >, H a matrix of LRPC, a syndrome s = H.e t, with support E and dim(e) = t + n k d and T E Result : the error vector e. 1 Syndrome computations a) Compute B = {F 1 T 1,, F d T t } of the product space < F.T >. b) Compute the subspace S =< B {s 1,, s n k } >. 2 Recovering the support E of the error Define S i = F 1 i S, compute E = S 1 S 2 S d, and compute a basis {E 1, E 2,, E r } of E. 3 Recovering the error vector e Write e i = n i=1 e ije j, and solve a linear system.
70 Chen ZK authentication protocol : attack and repair Signature in rank metric Seems magical and seems to have errors for free. Price to pay? small price : one cannot take t independently of n one needs in practice in the optimal case : n k n d best results : d = 2 anyway
71 Density Post-Quantum Cryptography Chen ZK authentication protocol : attack and repair Signature in rank metric Lemma Let T a subspace of dimension t of GF (q m ) then the number of distinct subspaces E of dimension r = t + r of GF (q m ) such that T E is : Π r 1 1 i=0 (qm t i q i+1 1 )
72 Chen ZK authentication protocol : attack and repair Signature in rank metric Corollary (Density of decodable syndromes ) The density of unique support decodable syndromes of rank weight r = t + r for a fixed random partial support T of dimension t is : Π r 1 i=0 ( qm t i 1 q i+1 1 ).min(qnr, q rd(n k) ) q (n k)m. density 1 almost independent on q. q = 2, m = 45, n = 40, k = 20, t = 5, r = 10, decodes up to r = t + r = 15 for a fixed random partial support T of dimension 5. GVR bound (m=45) [40, 20] is 13, Singleton bound = 20, decoding radius = 15, and
73 RankSign + signature algorithm Chen ZK authentication protocol : attack and repair Signature in rank metric 1 Secret key : H :LRPC, r = t + n k 2 errors, R random in GF (q m ), invertible in GF (q m ), P invertible in GF (q). 2 Public key : the matrix H = A(R H)P, a small integer value l. 3 Signature of a message M : a) initialization : seed {0, 1} l, pick (e 1,, e t ) GF (q m ) t b) syndrome : s hash(m seed) GF (q m ) n k c) decode by H, s = A 1.s T R.(e 1,, e t ) T with T =< e 1,, e t > and r errors d) if the decoding works (e t+1,, e n+t ) of weight r = t + r, signature=((e 1,, e n+t ).(P T ) 1, seed), else return to a). 4 Verification : Verify that Rank(e) = r = t + r and H.e T = s = hash(m seed).
74 Structural attacks Chen ZK authentication protocol : attack and repair Signature in rank metric Overbeck attack : irrelevant Attack on the dual matrix : r = t + d Attack on isometry matrix P : recover some positions of P
75 Approximation beyond GVR Chen ZK authentication protocol : attack and repair Signature in rank metric Approximate - Rank Syndrome Decoding problem (App-RSD) Let H be a (n k) n matrix over GF (q m ) with k n, s GF (q m ) n k and let r be an integer. The problem is to find a solution of rank r such that rank(x) = r and Hx t = s. if r min((n k), m(n k) n ) (Singleton bound) then the problemis polynomial in general, best attack : Complexity for finding one word Number of words
76 Information leaking Chen ZK authentication protocol : attack and repair Signature in rank metric Main problem for signature (see NTRUSign) : information leaking Theorem For any algorithm that leads to a forged signature using N q/2 authentic signatures, there is an algorithm with the same complexity that leads to a forgery using only the public key as input and without any authentic signatures.
77 Chen ZK authentication protocol : attack and repair Signature in rank metric idea of proof : under the random oracle model, there exists a polynomial time algorithm that takes as input the public matrix H and produces couples (m, σ), where m is a message and σ a valid signature for m, with the same distribution as those output by the authentic signature algorithm. Therefore whatever forgery can be achieved from the knowledge of H and a list of valid signed messages, can be simulated and reproduced with the public matrix H as only input.
78 Parameters Chen ZK authentication protocol : attack and repair Signature in rank metric n n-k m q d t r r GV Sg pk sign LP Dual DS DA > >
79 Chen ZK authentication protocol : attack and repair Signature in rank metric GENERAL CONCLUSION
80 Chen ZK authentication protocol : attack and repair Signature in rank metric Rank distance is interesting since small parameters strong resistance until recently only one family of decodable codes LRPC codes -weak structure-, similar to NTRU or MDPC offer many advantages very good potential with very good parameters but needs more scrutiny
81 Open problems Chen ZK authentication protocol : attack and repair Signature in rank metric deterministic reduction to SD rather than only probabilistic? Is it possible to have worst case - average case reduction? Left over hash lemma? Attacks improvements on rank ISD? Better algebraic settings? Implementations? homomorphic - FHE (be crazy!)
82 Chen ZK authentication protocol : attack and repair Signature in rank metric THANK YOU
arxiv: v1 [cs.cr] 6 Jan 2013
On the complexity of the Rank Syndrome Decoding problem P. Gaborit 1, O. Ruatta 1 and J. Schrek 1 Université de Limoges, XLIM-DMI, 123, Av. Albert Thomas 87060 Limoges Cedex, France. philippe.gaborit,julien.schrek,olivier.ruatta@unilim.fr
More informationMcEliece type Cryptosystem based on Gabidulin Codes
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Zürich ALCOMA, March 19, 2015 joint work with Kyle Marshall Outline Traditional McEliece Crypto System 1 Traditional
More informationLow Rank Parity Check codes and their application to cryptography
Noname manuscript No. (will be inserted by the editor) Low Rank Parity Check codes and their application to cryptography Philippe Gaborit Gaétan Murat Olivier Ruatta Gilles Zémor Abstract In this paper
More informationCryptographic applications of codes in rank metric
Cryptographic applications of codes in rank metric Pierre Loidreau CELAr and Université de Rennes Pierre.Loidreau@m4x.org June 16th, 2009 Introduction Rank metric and cryptography Gabidulin codes and linearized
More informationA new zero-knowledge code based identification scheme with reduced communication
A new zero-knowledge code based identification scheme with reduced communication Carlos Aguilar, Philippe Gaborit, Julien Schrek Université de Limoges, France. {carlos.aguilar,philippe.gaborit,julien.schrek}@xlim.fr
More informationCode-based Cryptography
a Hands-On Introduction Daniel Loebenberger Ηράκλειο, September 27, 2018 Post-Quantum Cryptography Various flavours: Lattice-based cryptography Hash-based cryptography Code-based
More informationAn Overview to Code based Cryptography
Joachim Rosenthal University of Zürich HKU, August 24, 2016 Outline Basics on Public Key Crypto Systems 1 Basics on Public Key Crypto Systems 2 3 4 5 Where are Public Key Systems used: Public Key Crypto
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationNoisy Diffie-Hellman protocols
Noisy Diffie-Hellman protocols Carlos Aguilar 1, Philippe Gaborit 1, Patrick Lacharme 1, Julien Schrek 1 and Gilles Zémor 2 1 University of Limoges, France, 2 University of Bordeaux, France. Classical
More informationAttacks in code based cryptography: a survey, new results and open problems
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 1. Code based cryptography introduction Difficult problem in coding theory
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationErrors, Eavesdroppers, and Enormous Matrices
Errors, Eavesdroppers, and Enormous Matrices Jessalyn Bolkema September 1, 2016 University of Nebraska - Lincoln Keep it secret, keep it safe Public Key Cryptography The idea: We want a one-way lock so,
More informationAlgebraic Decoding of Rank Metric Codes
Algebraic Decoding of Rank Metric Codes Françoise Levy-dit-Vehel ENSTA Paris, France levy@ensta.fr joint work with Ludovic Perret (UCL Louvain) Special Semester on Gröbner Bases - Workshop D1 Outline The
More informationCryptographie basée sur les codes correcteurs d erreurs et arithmétique
with Cryptographie basée sur les correcteurs d erreurs et arithmétique with with Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France pierre.louis.cayrel@univ-st-etienne.fr
More informationCode Based Cryptography
Code Based Cryptography Alain Couvreur INRIA & LIX, École Polytechnique École de Printemps Post Scryptum 2018 A. Couvreur Code Based Crypto Post scryptum 2018 1 / 66 Outline 1 Introduction 2 A bit coding
More informationCode Based Cryptology at TU/e
Code Based Cryptology at TU/e Ruud Pellikaan g.r.pellikaan@tue.nl University Indonesia, Depok, Nov. 2 University Padjadjaran, Bandung, Nov. 6 Institute Technology Bandung, Bandung, Nov. 6 University Gadjah
More informationConstructive aspects of code-based cryptography
DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Rutgers University January 12-16, 2015 Constructive aspects of code-based cryptography Marco Baldi Università Politecnica delle Marche Ancona,
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationError-correcting Pairs for a Public-key Cryptosystem
Error-correcting Pairs for a Public-key Cryptosystem Ruud Pellikaan g.r.pellikaan@tue.nl joint work with Irene Márquez-Corbella Code-based Cryptography Workshop 2012 Lyngby, 9 May 2012 Introduction and
More informationDecoding One Out of Many
Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, équipe-projet SECRET Code-based Cryptography Workshop 11-12 May 2011, Eindhoven, The Netherlands Computational Syndrome Decoding Problem:
More informationImproving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems
Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems Robert Niebuhr 1, Pierre-Louis Cayrel 2, and Johannes Buchmann 1,2 1 Technische Universität Darmstadt Fachbereich
More informationCryptanalysis of the TTM Cryptosystem
Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract
More informationAn Overview on Post-Quantum Cryptography with an Emphasis. an Emphasis on Code based Systems
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal University of Zürich Finite Geometries Fifth Irsee Conference, September 10 16, 2017. Outline 1 Basics
More informationSimple Matrix Scheme for Encryption (ABC)
Simple Matrix Scheme for Encryption (ABC) Adama Diene, Chengdong Tao, Jintai Ding April 26, 2013 dama Diene, Chengdong Tao, Jintai Ding ()Simple Matrix Scheme for Encryption (ABC) April 26, 2013 1 / 31
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationCRYPTANALYSE EN TEMPS POLYNOMIAL DU SCHÉMA DE MCELIECE BASÉ SUR LES CODES
POLYNOMIAL DU SCHÉMA CODES GÉOMÉTRIQUES A. COUVREUR 1 I. MÁRQUEZ-CORBELLA 1 R. PELLIKAAN 2 1 INRIA Saclay & LIX 2 Department of Mathematics and Computing Science, TU/e. Journées Codage et Cryptographie
More informationOn the Complexity of the Hybrid Approach on HFEv-
On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature
More informationCode-Based Cryptography McEliece Cryptosystem
Code-Based Cryptography McEliece Cryptosystem I. Márquez-Corbella 0 . McEliece Cryptosystem 1. Formal Definition. Security-Reduction Proof 3. McEliece Assumptions 4. Notions of Security 5. Critical Attacks
More informationError-correcting codes and applications
Error-correcting codes and applications November 20, 2017 Summary and notation Consider F q : a finite field (if q = 2, then F q are the binary numbers), V = V(F q,n): a vector space over F q of dimension
More informationHow to improve information set decoding exploiting that = 0 mod 2
How to improve information set decoding exploiting that 1 + 1 = 0 mod 2 Anja Becker Postdoc at EPFL Seminar CCA January 11, 2013, Paris Representation Find unique solution to hard problem in cryptography
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationThe failure of McEliece PKC based on Reed-Muller codes.
The failure of McEliece PKC based on Reed-Muller codes. May 8, 2013 I. V. Chizhov 1, M. A. Borodin 2 1 Lomonosov Moscow State University. email: ivchizhov@gmail.com, ichizhov@cs.msu.ru 2 Lomonosov Moscow
More informationCode-based cryptography
Code-based graphy Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France pierre.louis.cayrel@univ-st-etienne.fr June 4th 2013 Pierre-Louis CAYREL
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection
More informationNotes 10: Public-key cryptography
MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationA Smart Approach for GPT Cryptosystem Based on Rank Codes
A Smart Approach for GPT Cryptosystem Based on Rank Codes arxiv:10060386v1 [csit 2 Jun 2010 Haitham Rashwan Department of Communications InfoLab21, South Drive Lancaster University Lancaster UK LA1 4WA
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationCryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes
Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes Magali Bardet 1 Julia Chaulet 2 Vlad Dragoi 1 Ayoub Otmani 1 Jean-Pierre Tillich 2 Normandie Univ, France; UR, LITIS, F-76821
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationVector spaces. EE 387, Notes 8, Handout #12
Vector spaces EE 387, Notes 8, Handout #12 A vector space V of vectors over a field F of scalars is a set with a binary operator + on V and a scalar-vector product satisfying these axioms: 1. (V, +) is
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationChannel Coding for Secure Transmissions
Channel Coding for Secure Transmissions March 27, 2017 1 / 51 McEliece Cryptosystem Coding Approach: Noiseless Main Channel Coding Approach: Noisy Main Channel 2 / 51 Outline We present an overiew of linear
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationA Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem
A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem Daniel Augot and Matthieu Finiasz INRIA, Domaine de Voluceau F-78153 Le Chesnay CEDEX Abstract. The Polynomial Reconstruction
More informationPost-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017
Post-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017 1 Background I will use: Linear algebra. Vectors x. Matrices A, matrix multiplication AB, xa,
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven ASCrypto Summer School: 18 September 2017 Error correction
More informationMcEliece in the world of Escher
McEliece in the world of Escher Danilo Gligoroski 1 and Simona Samardjiska 1,2 and Håkon Jacobsen 1 and Sergey Bezzateev 3 1 Department of Telematics, Norwegian University of Science and Technology (NTNU),
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationToward Secure Implementation of McEliece Decryption
Toward Secure Implementation of McEliece Decryption Mariya Georgieva & Frédéric de Portzamparc Gemalto & LIP6, 13/04/2015 1 MCELIECE PUBLIC-KEY ENCRYPTION 2 DECRYPTION ORACLE TIMING ATTACKS 3 EXTENDED
More informationGröbner Bases in Public-Key Cryptography
Gröbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Université Paris 6 INRIA ludovic.perret@lip6.fr ECRYPT PhD SUMMER SCHOOL Emerging Topics in Cryptographic Design and Cryptanalysis
More informationMATH 291T CODING THEORY
California State University, Fresno MATH 291T CODING THEORY Fall 2011 Instructor : Stefaan Delcroix Contents 1 Introduction to Error-Correcting Codes 3 2 Basic Concepts and Properties 6 2.1 Definitions....................................
More informationA Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems
A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère, Danilo Gligoroski, Ludovic Perret, Simona Samardjiska, Enrico Thomae PKC 2015, March 30 - April 1, Maryland, USA 2 Summary
More informationMATH 291T CODING THEORY
California State University, Fresno MATH 291T CODING THEORY Spring 2009 Instructor : Stefaan Delcroix Chapter 1 Introduction to Error-Correcting Codes It happens quite often that a message becomes corrupt
More informationCryptanalysis of the HFE Public Key Cryptosystem by Relinearization
Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Computer Science Dept., The Weizmann Institute, Israel Abstract. The RSA
More informationEfficient Encryption from Random Quasi-Cyclic Codes
1 Efficient Encryption from Random Quasi-Cyclic Codes Carlos Aguilar, Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit and Gilles Zémor ENSEEIHT, Université de Toulouse, France, carlos.aguilar@enseeiht.fr
More informationEnhanced public key security for the McEliece cryptosystem
Enhanced public key security for the McEliece cryptosystem Marco Baldi 1, Marco Bianchi 1, Franco Chiaraluce 1, Joachim Rosenthal 2, and Davide Schipani 2 1 Università Politecnica delle Marche, Ancona,
More informationA distinguisher for high-rate McEliece Cryptosystems
A distinguisher for high-rate McEliece Cryptosystems JC Faugère (INRIA, SALSA project), A Otmani (Université Caen- INRIA, SECRET project), L Perret (INRIA, SALSA project), J-P Tillich (INRIA, SECRET project)
More informationHexi McEliece Public Key Cryptosystem
Appl Math Inf Sci 8, No 5, 2595-2603 (2014) 2595 Applied Mathematics & Information Sciences An International Journal http://dxdoiorg/1012785/amis/080559 Hexi McEliece Public Key Cryptosystem K Ilanthenral
More informationA New Code-based Signature Scheme with Shorter Public Key
A New Code-based Signature Scheme with Shorter Public Key Yongcheng Song, Xinyi Huang, Yi Mu, and Wei Wu Fujian Provincial Key Laboratory of Network Security and Cryptology College of Mathematics and Informatics,
More informationRank Analysis of Cubic Multivariate Cryptosystems
Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2 Karan Khathuria 3 Javier Verbel 1 April 10, 2018 1 Universidad Nacional de Colombia, Colombia 2 Aarhus
More informationOn the Use of Structured Codes in Code Based Cryptography 1. Nicolas Sendrier
On the Use of Structured Codes in Code Based Cryptography 1 Nicolas Sendrier INRIA, CRI Paris-Rocquencourt, Project-Team SECRET Email: Nicolas.Sendrier@inria.fr WWW: http://www-roc.inria.fr/secret/nicolas.sendrier/
More informationarxiv: v4 [cs.cr] 30 Nov 2017
The problem with the SURF scheme Thomas Debris-Alazard 1,, Nicolas Sendrier, and Jean-Pierre Tillich 1 Sorbonne Universités, UPMC Univ Paris 06 Inria, Paris {thomas.debris,nicolas.sendrier,jean-pierre.tillich}@inria.fr
More informationNew Directions in Multivariate Public Key Cryptography
New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010. 1 Public Key Cryptography in
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationNotes on Alekhnovich s cryptosystems
Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given
More informationThe Support Splitting Algorithm and its Application to Code-based Cryptography
The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos (joint work with Nicolas Sendrier) Project-Team SECRET INRIA Paris-Rocquencourt May 9, 2012 3rd Code-based
More informationAn Efficient Lattice-based Secret Sharing Construction
An Efficient Lattice-based Secret Sharing Construction Rachid El Bansarkhani 1 and Mohammed Meziani 2 1 Technische Universität Darmstadt Fachbereich Informatik Kryptographie und Computeralgebra, Hochschulstraße
More informationAnalysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields
Nonlinear Phenomena in Complex Systems, vol. 17, no. 3 (2014), pp. 278-283 Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields N. G. Kuzmina and E. B. Makhovenko Saint-Petersburg
More informationMATH32031: Coding Theory Part 15: Summary
MATH32031: Coding Theory Part 15: Summary 1 The initial problem The main goal of coding theory is to develop techniques which permit the detection of errors in the transmission of information and, if necessary,
More informationCryptanalysis of the Oil & Vinegar Signature Scheme
Cryptanalysis of the Oil & Vinegar Signature Scheme Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Dept. of Applied Math, Weizmann Institute, Israel Abstract. Several multivariate algebraic
More informationHow to Encrypt with the LPN Problem
How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed
More informationAttacking and defending the McEliece cryptosystem
Attacking and defending the McEliece cryptosystem (Joint work with Daniel J. Bernstein and Tanja Lange) Christiane Peters Technische Universiteit Eindhoven PQCrypto 2nd Workshop on Postquantum Cryptography
More informationA Fuzzy Sketch with Trapdoor
A Fuzzy Sketch with Trapdoor Julien Bringer 1, Hervé Chabanne 1, Quoc Dung Do 2 1 SAGEM Défense Sécurité, 2 Ecole Polytechnique, ENST Paris. Abstract In 1999, Juels and Wattenberg introduce an effective
More informationReducing Key Length of the McEliece Cryptosystem
Reducing Key Length of the McEliece Cryptosystem Thierry Pierre Berger, Pierre-Louis Cayrel, Philippe Gaborit, Ayoub Otmani To cite this version: Thierry Pierre Berger, Pierre-Louis Cayrel, Philippe Gaborit,
More informationCode-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security
More informationCryptanalysis of the Wu}Dawson Public Key Cryptosystem
Finite Fields and Their Applications 5, 386}392 (1999) Article ID!ta.1999.0264, available online at http://www.idealibrary.com on Cryptanalysis of the Wu}Dawson Public Key Cryptosystem Peter Roelse Philips
More informationStrengthening McEliece Cryptosystem
Strengthening McEliece Cryptosystem Pierre Loidreau Project CODES, INRIA Rocquencourt Research Unit - B.P. 105-78153 Le Chesnay Cedex France Pierre.Loidreau@inria.fr Abstract. McEliece cryptosystem is
More informationPoly Dragon: An efficient Multivariate Public Key Cryptosystem
Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010
More informationMaTRU: A New NTRU-Based Cryptosystem
MaTRU: A New NTRU-Based Cryptosystem Michael Coglianese 1 and Bok Min Goi 2 1 Macgregor, 321 Summer Street Boston, MA 02210, USA mcoglian@comcast.net 2 Centre for Cryptography and Information Security
More informationInoculating Multivariate Schemes Against Differential Attacks
Inoculating Multivariate Schemes Against Differential Attacks Jintai Ding and Jason E. Gower Department of Mathematical Sciences University of Cincinnati Cincinnati, OH 45221-0025 USA Email: ding@math.uc.edu,
More informationarxiv: v2 [cs.cr] 14 Feb 2018
Code-based Key Encapsulation from McEliece s Cryptosystem Edoardo Persichetti arxiv:1706.06306v2 [cs.cr] 14 Feb 2018 Florida Atlantic University Abstract. In this paper we show that it is possible to extend
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationELEC 519A Selected Topics in Digital Communications: Information Theory. Hamming Codes and Bounds on Codes
ELEC 519A Selected Topics in Digital Communications: Information Theory Hamming Codes and Bounds on Codes Single Error Correcting Codes 2 Hamming Codes (7,4,3) Hamming code 1 0 0 0 0 1 1 0 1 0 0 1 0 1
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationGabidulin Codes that are Generalized. Reed Solomon Codes
International Journal of Algebra, Vol. 4, 200, no. 3, 9-42 Gabidulin Codes that are Generalized Reed Solomon Codes R. F. Babindamana and C. T. Gueye Departement de Mathematiques et Informatique Faculte
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationEfficient One-Time Signatures from Quasi-Cyclic Codes: A Full Treatment
cryptography Article Efficient One-Time Signatures from Quasi-Cyclic Codes: A Full Treatment Edoardo Persichetti Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, FL 33431,
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More information