Attacks in code based cryptography: a survey, new results and open problems
|
|
- Dominick Baldwin
- 6 years ago
- Views:
Transcription
1 Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018
2 1. Code based cryptography introduction Difficult problem in coding theory Problem 1. [Decoding] Input: n, r, t with r < n, parity-check matrix H F r n q, s F r q Question:? e such that { He = s e t where e = hamming weight of e = #{i 1, n, e i 0}. Problem N P -complete 1/52
3 The dual problem introduction Code C def = { c F n q : Hc = 0 } dim C = n r = k Input: t, C subspace of dim k of F n q, y F n q Question:? c C such that y c t. H(y }{{ c) } = Hy = s e y = the word that we want to decode e = y c = the error we want to find 2/52
4 A long-studied problem introduction Correct. t errors in a code of length n and dim. k has cost Õ(2α(k n, t n )n ) Author(s) Year max α(r, τ) R,τ Prange Stern Dumer Bernstein, Lange, Peters 2011 May, Meurer and Thomae Becker, Joux, May, Meurer May, Ozerov Both, May Both, May /52
5 Complexities collapse when t = o(n) introduction [CantoTorres, Sendrier, 2016] complexity 2 log(1 R)t(1+o(1)) when t = o(n) and where R = k/n 4/52
6 Code-based cryptography introduction Code C def = {c F n q : Hc = 0} Take a code that has an efficient decoding algorithm Public key: random parity-check matrix of the code H rand = QH where Q is a random invertible matrix in F r r q Private key: trapdoor to the efficient decoding algorithm 5/52
7 Two approaches introduction Pick up your favorite code (that has an efficient decoder) Choose a code/scheme with a reduction to decoding a generic linear code 6/52
8 History introduction 1978 McEliece: binary Goppa codes 1986 Niederreiter variant based on GRS codes 1991 Gabidulin, Paramonov, Tretjakov: Gabidulin codes 1994 Sidelnikov: Reed-Muller codes 1996 Janwa-Moreno: algebraic geometric codes 199* a zillion propositions with LDPC codes 2003 Alekhnovich: Alekhnovich system 2005 Berger-Loidreau: subcodes of GRS codes 2006 Wieschebrink, GRS codes + random columns in the generator matrix 7/52
9 2008 Baldi-Bodrato-Chiaraluce: LDPC based MDPC codes 2010 Bernstein, Lange, Peters: non-binary wild Goppa codes 2012 Misoczki-Tillich-Barreto-Sendrier: MDPC codes 2012 Löndahl-Johansson: convolutional codes 2013 Gaborit, Murat, Ruatta, Zémor: LRPC codes 2014 Shrestha, Kim: polar codes 2014 Hooshmand, Shooshtari, Eghlidos, Aref: subcodes of polar codes 8/52
10 Code based NIST submissions in Hamming metric Algebraic codes binary Goppa codes m=1 DAGS m=3 m=2 BIG QUAKE Classic McEliece NTS KEM RLCE KEM pqsigrm Reed Muller related 9/52
11 Code based NIST submissions in Hamming metric Non-algebraic codes BIKE HQC LEDAkem LEDApkc Lepton QC-MDPC RaCoSS 10/52
12 Code based NIST submissions in the rank metric Edon-K LAKE LOCKER McNie Ourobouros-R RankSign RQC 11/52
13 2. The main cryptanalytic techniques for attacking the key Finding small weight codewords in C or in C that reveal the underlying structure Algebraic attacks Product considerations Folding techniques Computing the hull C C 12/52
14 3. Product considerations product 13/52
15 Square code attacks product Definition 1. [Componentwise product] Given two vectors a = (a 1,..., a n ) and b = (b 1,..., b n ) F n q, we denote by a b the componentwise product a b def = (a 1 b 1,..., a n b n ) Definition 2. [Product of codes & square code] The star product code denoted by A B of A and B is the vector space spanned by all products a b where a and b range over A and B respectively. When B = A, A A is called the square code of A and is rather denoted by A 2. 14/52
16 Dimension of the square code product A and B codes with respective bases (a i ) and (b j ). 1. dim(a B) dim(a) dim(b) (generated by the a i b j s) ( ) dim(a) dim(a 2 ) (generated by the a i a j s with i j) 2 15/52
17 Generalized Reed-Solomon (GRS) codes product Definition 3. [Generalized Reed-Solomon code] Let k and n be integers such that 1 k < n q where q is a power of a prime number. The generalized Reed-Solomon code GRS k (x, y) of dimension k is associated to a pair (x, y) F n q F n q where x is an n-tuple of distinct elements of F q and the entries y i are arbitrary nonzero elements in F q. GRS k (x, y) is defined as: GRS k (x, y) def = { } (y 1 p(x 1 ),..., y n p(x n )) : p F q [X], deg p < k. x is the support and y the multiplier. 16/52
18 GRS codes, alternant codes product A GRS code corrects n k 2 errors. Definition 1. Let x (F q m) n, y (F q m) n be as in the definition of GRS codes. The alternant code Alt r (x, y) is defined by Proposition 1. Alt r (x, y) def = GRS } r {{ (x, y) } (F q ) n GRS n r (x,y ) dim Alt r (x, y) n mr d min Alt r (x, y) r /52
19 product What is wrong with generalized Reed-Solomon codes? When C is a random code of length n, with high probability [Cascudo, Cramer, Mirandola, Zémor] {( ) } dim(c) + 1 dim(c 2 ) = min, n 2 When C is a generalized Reed-Solomon code dim(c 2 ) = min {2 dim(c) 1, n} 18/52
20 The explanation product c = (y 1 p(x 1 ),..., y n p(x n )), c = (y 1 q(x 1 ),..., y n q(x n )) GRS k (x, y) where p and q are two polynomials of degree at most k 1. c c = ( y1p(x 2 1 )q(x 1 ),..., ynp(x 2 n )q(x n ) ) = ( y1r(x 2 1 ),..., ynr(x 2 n ) ) where r is a polynomial of degree 2k 2. = c c GRS 2k 1 (x, y 2 ) 19/52
21 product The Wieschebrink attack on the Berger-Loidreau cryptosystem known: a subcode C GRS k (x, y) unknown: x and y. If the codimension of C is small enough C C = GRS k (x, y) GRS k (x, y) = GRS 2k 1 (x, y ) The Wieschebrink attack 1. Compute C C = GRS 2k 1 (x, y ) 2. Recover x and y by using the Sidelnikov-Shestakov algorithm. 20/52
22 Filtration attack product [Couvreur, Otmani, T 2014]: m = 2. Attack on wild Goppa codes when 21/52
23 A filtration for GRS codes product A new attack on McEliece based on GRS codes. known : C 0 = GRS k (x, y) unknown : x,y. C 0 = GRS k (x, y) C 1 = GRS k 1 (x, y) C k 1 = GRS 1 (x, y) The point: C k 1 = {αy, α F q } y known x by solving a linear system. 22/52
24 The fundamental induction product C i C i 2 = C i 1 C i 1 C i C i 2 = GRS k i (x, y) GRS k i+2 (x, y) = GRS 2k 2i+1 (x, y y) = GRS k i+1 (x, y) GRS k i+1 (x, y) = C i 1 C i 1 23/52
25 The picture product Alternant codes GRS codes m=1 m=3 m=2 Goppa codes wild Goppa codes binary Goppa codes 24/52
26 Code based NIST submissions in Hamming metric Algebraic codes binary Goppa codes m=1 DAGS m=3 m=2 BIG QUAKE Classic McEliece NTS KEM RLCE KEM pqsigrm Reed Muller related 25/52
27 4. Folding operation, the Origami attack folding 26/52
28 Origami attack folding Related to Gentry attack on NTRU-composite Applies to codes with a non trivial permutation group For σ S n, c σ C σ def = (c σ(i) ) i 1,n def = {c σ : c C} σ is a permutation automorphism of C iff C σ = C 27/52
29 Examples folding Parity-check matrix has a block form H = with blocks of some size l of the form B (11)... B (1n ). B (ij).... B (r n ) B (r 1) B (ij) = a 0 a 1 a l 1 a l 1 a 0 a l a 1 a 2 a 0 B(ij) = a 0 a 1 a 2 a 3 a 1 a 0 a 3 a 2 a 2 a 3 a 0 a 1 a 3 a 2 a 1 a 0 quasi-cyclic case B (ij) s,t = a t s (mod l) quasidyadic case B (ij) s,t = a t s 28/52
30 Folding folding Folding x = w.r. to σ adding the coordinates in a same orbit of σ σ = (123)(456)(678) x = (x } 1, x {{ 2, x } 3,..., } x 7, x {{ 8, x } 9 ) orbit orbit x σ = (x 1 + x 2 + x 3,..., x 7 + x 8 + x 8 ) C σ def = {c σ : c C}. 29/52
31 Why is this an interesting operation? folding Orbits of σ of size l Code gets smaller C = code of length n dim. k C σ = code of length n/l and dim. k l Words do not increase their weight c = w c σ w 30/52
32 folding Folding quasi- alternant codes/ Goppa codes [Faugère, Otmani, Perret, Portzamparc, T 2014] Folding the dual of a Q*-alternant or Q*-Goppa code dual of an alternant or a Goppa code [Barelli-Couvreur 2017] Folding a Q*-alternant or a Q*-Goppa code alternant or a Goppa code 31/52
33 Message attacks folding { He = s { e t H σ (e σ ) = (s σ ) e σ t We recover e σ (say = e 0 ) and then solve the much easier problem H σ e = s e t e σ = e 0 32/52
34 5. Algebraic attacks algebraic Alternant code Alt r (x, y) parity-check matrix H of the form H = y 1 y y n y 1 x 1. y 2 x y n x n... y j x i j y 1 x1 r 1 y 2 x2 r y n x r 1 n Goppa code Gop(x, Γ) = Alt deg Γ (x, 1 Γ(x) ). 33/52
35 Algebraic attacks algebraic G = (g ij ) i 1,k j 1,n Unknowns: y 1,..., y n, x 1,..., x n 2n unknowns Algebraic system generator matrix of C = Alt r (x, y). n j=1 GH = 0 g ij y j x a j = 0 (i, a) 1, k 0, r 1 k r equations 34/52
36 When was this successful? algebraic [Faugère,Otmani,Perret,T ] Q*-alternant of Q*-Goppa codes [Faugère,Perret,Portzamparc 2014] Wild Goppa codes for certain parameters 35/52
37 Rank Metric rank Difficult problem in coding theory Problem 2. [Decoding] Input: n, r, t integers, r < n, parity-check matrix H F q m r n, syndrome s F r q Question:? e such that (i) He = s, (ii) e t where e R = rank weight of e. Randomized reduction to N P -complete problems. 36/52
38 Rank metric rank (β 1... β m ) basis of F q m over F q x = (x 1,..., x n ) F n q m Mat(x) = where x j = m i=1 x ijβ i. x 11 x 12 x 1n x 21 x 22 x 2n.... Fm n q x m1 x m2... x mn Rank metric = viewing an element of F n q m as an m n matrix. x y r def = Rank (Mat(x) Mat(y)). 37/52
39 Complexity of the best known algorithms Algebraic attacks (MinRank) Combinatorial attacks Õ ( q t(k+1) m) when m = n. 38/52
40 LRPC codes [Gaborit, Murat, Ruatta, Zémor 2013] Definition 4. An LRPC code over F q m of weight d is a code that admits an (n k) n parity-check matrix H with entries h ij that span an F q space of dimension d. x r = dim x 1,..., x n Fq all rows of H have weight d. Correct t errors when td n k. 39/52
41 RankSign Secret key H where H = [ H R ] P with H = (n k) n parity-check matrix of an LRPC code over F q m R = random (n k) t matrix over F q m P = (n + t) (n + t) invertible matrix over F q P isometry xp r = x r. LRPC code of weight d codewords of weight d + t in the dual code. 40/52
42 Attack on RankSign rank [Debris-Alazard, T 2018] Looking for low weight codewords in the dual code? 41/52
43 Attack on RankSign rank [Debris-Alazard, T 2018] Looking for low weight codewords in the code itself Product trick 42/52
44 Getting rid of R rank If there is a low weight codeword c LRPC in C LRPC low weight codeword c = (c LRPC, 0 t )(P 1 ) in the public code of parity-check matrix H pub = QH = [ H R ] P H pub c = Hpub P 1 (c LRPC, 0 t ) = Q [ H R ] P P 1 (c LRPC, 0 t ) = Q [ H R ] (c LRPC, 0 t ) = QHc LRPC ( R F (n k) t q m ) = 0 (c LRPC belongs to the code of parity-check matrix H) 43/52
45 Product trick rank F F q -space of dimension d generated by the entries of H parity-check of the [n, k] LRPC code C LRPC. U and V two subspaces of F q m, U V def = uv : u U, v V Fq. Lemma 1. It there exists an F q -subspace F of F q m such that (n k) dim(f F ) < n dim F. Then there exist nonzero codewords in the LRPC code of weight dim F. 44/52
46 Proof A codeword c of the LRPC code satisfies n i 1, n k H i,j c j = 0. (1) j=1 If its entries are in F then n j=1 H i,jc j F F unknowns coordinates c ij of c j in F = f 1,..., f d Fq : c j = i 1,d c ij f i rank # equations = (n k) dim F F #unknowns = n dim F 45/52
47 Consequence on RankSign rank Necessary condition for RankSign to work n = (n k)d Problem: typically dim F F = dim F dim F and therefore n dim F = n d = (n k)d d = (n k) dim F F F = f 1,..., f d Fq F def = f 1, f 2 Fq F F = x i x j : i 1, d, j 1, 2 Fq dim F F = 2d 1< dim F dim F codewords in C LRPC of weight 2 46/52
48 Consequence on LRPC in general? rank No direct attack on LRPC codes without the additional condition n = (n k)d 47/52
49 Conclusion conclusion Up to now all distinguishers of the public parity-check matrix / random matrix with the exception of high rate alternant/goppa codes. [Faugère,Gauthier,Otmani,Perret,T 2011], [Márquez-Corbella, Pellikaan 2012], when r is sufficiently small dim ( Alt r (x, y) Alt r (x, y) ) unusually small The problem, when x, y F n q m Alt r (x, y) = {(y j p(x j )) : deg p < n r} F n q {( ) } Alt r (x, y) = Tr Fq m F q (y j p(x j ) : deg p < r 48/52
50 Other open problems conclusion improving algebraic attacks in the rank metric Polynomial time attacks on Reed-Muller codes? other families of codes (MDPC,... )? 49/52
51 What about alternant/goppa codes? We have square Alt r (x, y) = GRS r (x, y) F n q = GRS n r (x, y ) F n q Alt r (x, y) 2 Alt 2r n+1 (x, y ) and Fact 1. dim Alt r (x, y) n mr. To distinguish we need 2r n + 1 > 0 = r n/2, however m > 1 = n mr 0. 50/52
52 square A miracle when m = 2 in the case of wild Goppa codes Theorem 1. [Couvreur, Otmani, Tillich] wild Goppa code (here r = (q 1)r ) When Alt r (x, y) is a Alt r (x, y) n 2r + r (r 2) and for r close to n/2 we may have wild Goppa codes of small dimension such that 2r n + 1 > 0 51/52
53 Shortening trick for other dimensions square A shortened alternant code is still an alternant code of the same degree r as the original alternant code. Leads to a distinguisher of wild Goppa codes when m = 2 Leads to an attack of the McEliece scheme based on wild Goppa codes when m = 2. First time that there is an attack working in polynomial time on a McEliece scheme based on Goppa codes. 52/52
Code Based Cryptography
Code Based Cryptography Alain Couvreur INRIA & LIX, École Polytechnique École de Printemps Post Scryptum 2018 A. Couvreur Code Based Crypto Post scryptum 2018 1 / 66 Outline 1 Introduction 2 A bit coding
More informationCode-based Cryptography
a Hands-On Introduction Daniel Loebenberger Ηράκλειο, September 27, 2018 Post-Quantum Cryptography Various flavours: Lattice-based cryptography Hash-based cryptography Code-based
More informationCRYPTANALYSE EN TEMPS POLYNOMIAL DU SCHÉMA DE MCELIECE BASÉ SUR LES CODES
POLYNOMIAL DU SCHÉMA CODES GÉOMÉTRIQUES A. COUVREUR 1 I. MÁRQUEZ-CORBELLA 1 R. PELLIKAAN 2 1 INRIA Saclay & LIX 2 Department of Mathematics and Computing Science, TU/e. Journées Codage et Cryptographie
More informationMcEliece type Cryptosystem based on Gabidulin Codes
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Zürich ALCOMA, March 19, 2015 joint work with Kyle Marshall Outline Traditional McEliece Crypto System 1 Traditional
More informationA distinguisher for high-rate McEliece Cryptosystems
A distinguisher for high-rate McEliece Cryptosystems JC Faugère (INRIA, SALSA project), A Otmani (Université Caen- INRIA, SECRET project), L Perret (INRIA, SALSA project), J-P Tillich (INRIA, SECRET project)
More informationRecovering short secret keys of RLCE in polynomial time
Recovering short secret keys of RLCE in polynomial time Alain Couvreur 1, Matthieu Lequesne,3, and Jean-Pierre Tillich 1 Inria & LIX, CNRS UMR 7161 École polytechnique, 9118 Palaiseau Cedex, France. Inria,
More informationAn Overview to Code based Cryptography
Joachim Rosenthal University of Zürich HKU, August 24, 2016 Outline Basics on Public Key Crypto Systems 1 Basics on Public Key Crypto Systems 2 3 4 5 Where are Public Key Systems used: Public Key Crypto
More informationCryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes
Cryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes Alain Couvreur, Irene Márquez-Corbella and Ruud Pellikaan Abstract We give a polynomial time attack on the McEliece
More informationError-correcting Pairs for a Public-key Cryptosystem
Error-correcting Pairs for a Public-key Cryptosystem Ruud Pellikaan g.r.pellikaan@tue.nl joint work with Irene Márquez-Corbella Code-based Cryptography Workshop 2012 Lyngby, 9 May 2012 Introduction and
More informationDistinguisher-Based Attacks on Public-Key Cryptosystems Using Reed-Solomon Codes
Distinguisher-Based Attacks on Public-Key Cryptosystems Using Reed-Solomon Codes Alain Couvreur 1, Philippe Gaborit 2, Valérie Gauthier 3, Ayoub Otmani 4, and Jean-Pierre Tillich 5 1 GRACE Project, INRIA
More informationCode-Based Cryptography Error-Correcting Codes and Cryptography
Code-Based Cryptography Error-Correcting Codes and Cryptography I. Márquez-Corbella 0 1. Error-Correcting Codes and Cryptography 1. Introduction I - Cryptography 2. Introduction II - Coding Theory 3. Encoding
More informationAn efficient structural attack on NIST submission DAGS
An efficient structural attack on NIST submission DAGS Élise Barelli 1 and Alain Couvreur 1 1 INRIA & LIX, CNRS UMR 7161 École polytechnique, 91128 Palaiseau Cedex, France Abstract We present an efficient
More informationCode Based Cryptology at TU/e
Code Based Cryptology at TU/e Ruud Pellikaan g.r.pellikaan@tue.nl University Indonesia, Depok, Nov. 2 University Padjadjaran, Bandung, Nov. 6 Institute Technology Bandung, Bandung, Nov. 6 University Gadjah
More informationCryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes
Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes Magali Bardet 1 Julia Chaulet 2 Vlad Dragoi 1 Ayoub Otmani 1 Jean-Pierre Tillich 2 Normandie Univ, France; UR, LITIS, F-76821
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven ASCrypto Summer School: 18 September 2017 Error correction
More informationCode-Based Cryptography McEliece Cryptosystem
Code-Based Cryptography McEliece Cryptosystem I. Márquez-Corbella 0 . McEliece Cryptosystem 1. Formal Definition. Security-Reduction Proof 3. McEliece Assumptions 4. Notions of Security 5. Critical Attacks
More informationList decoding of binary Goppa codes and key reduction for McEliece s cryptosystem
List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem Morgan Barbier morgan.barbier@lix.polytechnique.fr École Polytechnique INRIA Saclay - Île de France 14 April 2011 University
More informationLow Rank Parity Check codes and their application to cryptography
Noname manuscript No. (will be inserted by the editor) Low Rank Parity Check codes and their application to cryptography Philippe Gaborit Gaétan Murat Olivier Ruatta Gilles Zémor Abstract In this paper
More informationConstructive aspects of code-based cryptography
DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Rutgers University January 12-16, 2015 Constructive aspects of code-based cryptography Marco Baldi Università Politecnica delle Marche Ancona,
More informationPost-Quantum Code-Based Cryptography
Big Data Photonics UCLA Post-Quantum Code-Based Cryptography 03-25-2016 Valérie Gauthier Umaña Assistant Professor valeriee.gauthier@urosario.edu.co Cryptography Alice 1 Cryptography Alice Bob 1 Cryptography
More informationCode-based Cryptography
Code-based Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 TU Eindhoven Nicolas Sendrier Linear Codes for Telecommunication data k linear expansion codeword n > k noisy channel data?
More informationError-correcting pairs for a public-key cryptosystem
Error-correcting pairs for a public-key cryptosystem Ruud Pellikaan and Irene Márquez-Corbella Discrete Mathematics, Techn. Univ. Eindhoven P.O. Box 513, 5600 MB Eindhoven, The Netherlands. E-mail: g.r.pellikaan@tue.nl
More informationA Polynomial Time Attack against Algebraic Geometry Code Based Public Key Cryptosystems
A Polynomial Time Attack against Algebraic Geometry Code Based Public Key Cryptosystems Alain Couvreur 1, Irene Márquez-Corbella 1, and Ruud Pellikaan 1 INRIA Saclay & LIX, CNRS UMR 7161 École Polytechnique,
More informationA New Code-based Signature Scheme with Shorter Public Key
A New Code-based Signature Scheme with Shorter Public Key Yongcheng Song, Xinyi Huang, Yi Mu, and Wei Wu Fujian Provincial Key Laboratory of Network Security and Cryptology College of Mathematics and Informatics,
More informationAn Overview on Post-Quantum Cryptography with an Emphasis. an Emphasis on Code based Systems
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal University of Zürich Finite Geometries Fifth Irsee Conference, September 10 16, 2017. Outline 1 Basics
More informationError-correcting pairs for a public-key cryptosystem
Error-correcting pairs for a public-key cryptosystem Irene Márquez-Corbella and Ruud Pellikaan Department of Algebra, Geometry and Topology, University of Valladolid Facultad de Ciencias, 47005 Valladolid,
More informationGeneralized subspace subcodes with application in cryptology
1 Generalized subspace subcodes with application in cryptology Thierry P. BERGER, Cheikh Thiécoumba GUEYE and Jean Belo KLAMTI arxiv:1704.07882v1 [cs.cr] 25 Apr 2017 Cheikh Thiécoumba GUEYE and Jean Belo
More informationCode-based Cryptography
Code-based Cryptography Codes correcteurs d erreurs et applications à la cryptographie MPRI 2014/2015-2.13.2 Nicolas Sendrier Linear Codes for Telecommunication data k linear expansion codeword n > k noisy
More informationOn the Use of Structured Codes in Code Based Cryptography 1. Nicolas Sendrier
On the Use of Structured Codes in Code Based Cryptography 1 Nicolas Sendrier INRIA, CRI Paris-Rocquencourt, Project-Team SECRET Email: Nicolas.Sendrier@inria.fr WWW: http://www-roc.inria.fr/secret/nicolas.sendrier/
More informationAdvances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago
Advances in code-based public-key cryptography D. J. Bernstein University of Illinois at Chicago Advertisements 1. pqcrypto.org: Post-quantum cryptography hash-based, lattice-based, code-based, multivariate
More informationMDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes
MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes Rafael Misoczki, Jean-Pierre Tillich, Nicolas Sendrier, Paulo S. L. M. Barreto To cite this version: Rafael Misoczki, Jean-Pierre
More informationCryptanalysis of the McEliece Public Key Cryptosystem based on Polar Codes
Cryptanalysis of the McEliece Public Key Cryptosystem based on Polar Codes Magali Bardet, Julia Chaulet, Vlad Dragoi, Ayoub Otmani, Jean-Pierre Tillich To cite this version: Magali Bardet, Julia Chaulet,
More informationThe Support Splitting Algorithm and its Application to Code-based Cryptography
The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos (joint work with Nicolas Sendrier) Project-Team SECRET INRIA Paris-Rocquencourt May 9, 2012 3rd Code-based
More informationEnhanced public key security for the McEliece cryptosystem
Enhanced public key security for the McEliece cryptosystem Marco Baldi 1, Marco Bianchi 1, Franco Chiaraluce 1, Joachim Rosenthal 2, and Davide Schipani 2 1 Università Politecnica delle Marche, Ancona,
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationVulnerabilities of McEliece in the World of Escher
Vulnerabilities of McEliece in the World of Escher Dustin Moody and Ray Perlner National Institute of Standards and Technology, Gaithersburg, Maryland, USA dustin.moody@nist.gov, ray.perlner@nist.gov Abstract.
More informationSecurity and complexity of the McEliece cryptosystem based on QC-LDPC codes
This paper is a preprint of a paper accepted by IET Information Security and is subject to Institution of Engineering and Technology Copyright. When the final version is published, the copy of record will
More informationCryptographic applications of codes in rank metric
Cryptographic applications of codes in rank metric Pierre Loidreau CELAr and Université de Rennes Pierre.Loidreau@m4x.org June 16th, 2009 Introduction Rank metric and cryptography Gabidulin codes and linearized
More informationA Reaction Attack on the QC-LDPC McEliece Cryptosystem
A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomáš Fabšič 1, Viliam Hromada 1, Paul Stankovski 2, Pavol Zajac 1, Qian Guo 2, Thomas Johansson 2 1 Slovak University of Technology in Bratislava
More informationCryptanalysis of a public key encryption scheme based on QC-LDPC and QC-MDPC codes
arxiv:72.0267v [cs.cr] 6 Dec 207 Cryptanalysis of a public key encryption scheme based on QC-LDPC and QC-MDPC codes Vlad Dragoi and Hervé Talé Kalachi Faculty of Exact Sciences, Aurel Vlaicu University
More informationAlgebraic Attack against Variants of McEliece with Goppa Polynomial of a Special Form
Algebraic Attack against Variants of McEliece with Goppa Polynomial of a Special Form Jean-Charles Faugère 1,2,3, Ludovic Perret 2,1,3, and Frédéric de Portzamparc 4,1,2,3 INRIA, Paris-Rocquencourt Center
More informationReducing Key Length of the McEliece Cryptosystem
Reducing Key Length of the McEliece Cryptosystem Thierry Pierre Berger, Pierre-Louis Cayrel, Philippe Gaborit, Ayoub Otmani To cite this version: Thierry Pierre Berger, Pierre-Louis Cayrel, Philippe Gaborit,
More informationImproving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems
Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems Robert Niebuhr 1, Pierre-Louis Cayrel 2, and Johannes Buchmann 1,2 1 Technische Universität Darmstadt Fachbereich
More informationErrors, Eavesdroppers, and Enormous Matrices
Errors, Eavesdroppers, and Enormous Matrices Jessalyn Bolkema September 1, 2016 University of Nebraska - Lincoln Keep it secret, keep it safe Public Key Cryptography The idea: We want a one-way lock so,
More informationCryptanalysis of the Sidelnikov cryptosystem
Cryptanalysis of the Sidelnikov cryptosystem Lorenz Minder, Amin Shokrollahi Laboratoire de mathématiques algorithmiques (LMA), EPFL c 2007 IACR. This paper appeared in Advances in cryptology Eurocrypt
More informationMcEliece in the world of Escher
McEliece in the world of Escher Danilo Gligoroski 1 and Simona Samardjiska 1,2 and Håkon Jacobsen 1 and Sergey Bezzateev 3 1 Department of Telematics, Norwegian University of Science and Technology (NTNU),
More informationThe extended coset leader weight enumerator
The extended coset leader weight enumerator Relinde Jurrius Ruud Pellikaan Eindhoven University of Technology, The Netherlands Symposium on Information Theory in the Benelux, 2009 1/14 Outline Codes, weights
More informationDecoding One Out of Many
Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, équipe-projet SECRET Code-based Cryptography Workshop 11-12 May 2011, Eindhoven, The Netherlands Computational Syndrome Decoding Problem:
More informationStructural Cryptanalysis of McEliece Schemes with Compact Keys
Structural Cryptanalysis of McEliece Schemes with Compact Keys Jean-Charles Faugère, Ayoub Otmani, Ludovic Perret, Frédéric De Portzamparc, Jean-Pierre Tillich To cite this version: Jean-Charles Faugère,
More informationOn the Decoding Failure Rate of QC-MDPC Bit-Flipping Decoders
On the Decoding Failure Rate of QC-MDPC Bit-Flipping Decoders Nicolas Sendrier 1 and Valentin Vasseur 12 1 Inria, Paris, France FirstName.LastName@inria.fr, 2 Université Paris Descartes, Sorbonne Paris
More informationCompact McEliece keys based on Quasi-Dyadic Srivastava codes
Compact McEliece keys based on Quasi-Dyadic Srivastava codes Edoardo Persichetti Department of Mathematics, University of Auckland, New Zealand epersichetti@mathaucklandacnz Abstract The McEliece cryptosystem
More informationHexi McEliece Public Key Cryptosystem
Appl Math Inf Sci 8, No 5, 2595-2603 (2014) 2595 Applied Mathematics & Information Sciences An International Journal http://dxdoiorg/1012785/amis/080559 Hexi McEliece Public Key Cryptosystem K Ilanthenral
More informationStrengthening McEliece Cryptosystem
Strengthening McEliece Cryptosystem Pierre Loidreau Project CODES, INRIA Rocquencourt Research Unit - B.P. 105-78153 Le Chesnay Cedex France Pierre.Loidreau@inria.fr Abstract. McEliece cryptosystem is
More informationNew results for rank based cryptography
New results for rank based cryptography Philippe Gaborit University of Limoges, France (based on works with O. Ruatta,J. Schrek and G. Zémor) Telecom Sud Paris 6 juin 2014 Summary 1 Post-Quantum Cryptography
More informationArrangements, matroids and codes
Arrangements, matroids and codes first lecture Ruud Pellikaan joint work with Relinde Jurrius ACAGM summer school Leuven Belgium, 18 July 2011 References 2/43 1. Codes, arrangements and matroids by Relinde
More informationLecture 2 Linear Codes
Lecture 2 Linear Codes 2.1. Linear Codes From now on we want to identify the alphabet Σ with a finite field F q. For general codes, introduced in the last section, the description is hard. For a code of
More informationCode-Based Cryptography
Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven Australian Summer School on Embedded Cryptography 11 December 2018 Error correction
More informationCryptanalysis of NISTPQC submissions
Cryptanalysis of NISTPQC submissions Daniel J. Bernstein, Tanja Lange, Lorenz Panny University of Illinois at Chicago, Technische Universiteit Eindhoven 18 August 2018 Workshops on Attacks in Cryptography
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationQuasi-dyadic CFS signatures
Quasi-dyadic CFS signatures Paulo S. L. M. Barreto 1, Pierre-Louis Cayrel 2, Rafael Misoczki 1, and Robert Niebuhr 3 1 Departamento de Engenharia de Computação e Sistemas Digitais (PCS), Escola Politécnica,
More informationTHIS paper investigates the difficulty of the Goppa Code
A Distinguisher for High Rate McEliece Cryptosystems Jean-Charles Faugère, Valérie Gauthier-Umaña, Ayoub Otmani, Ludovic Perret, Jean-Pierre Tillich Abstract The Goppa Code Distinguishing (GCD problem
More informationLecture 12: November 6, 2017
Information and Coding Theory Autumn 017 Lecturer: Madhur Tulsiani Lecture 1: November 6, 017 Recall: We were looking at codes of the form C : F k p F n p, where p is prime, k is the message length, and
More informationVector spaces. EE 387, Notes 8, Handout #12
Vector spaces EE 387, Notes 8, Handout #12 A vector space V of vectors over a field F of scalars is a set with a binary operator + on V and a scalar-vector product satisfying these axioms: 1. (V, +) is
More informationMATH 291T CODING THEORY
California State University, Fresno MATH 291T CODING THEORY Spring 2009 Instructor : Stefaan Delcroix Chapter 1 Introduction to Error-Correcting Codes It happens quite often that a message becomes corrupt
More informationWild McEliece Incognito
Wild McEliece Incognito Christiane Peters Technische Universiteit Eindhoven joint work with Daniel J. Bernstein and Tanja Lange Seminaire de Cryptographie Rennes April 1, 2011 Bad news Quantum computers
More informationLDPC codes in the McEliece cryptosystem: attacks and countermeasures
arxiv:0710.0142v2 [cs.it] 11 Jan 2009 LDPC codes in the McEliece cryptosystem: attacks and countermeasures Marco BALDI 1 Polytechnic University of Marche, Ancona, Italy Abstract. The McEliece cryptosystem
More informationNotes 10: Public-key cryptography
MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such
More informationMATH 291T CODING THEORY
California State University, Fresno MATH 291T CODING THEORY Fall 2011 Instructor : Stefaan Delcroix Contents 1 Introduction to Error-Correcting Codes 3 2 Basic Concepts and Properties 6 2.1 Definitions....................................
More informationAlgebraic Cryptanalysis of Compact McEliece s Variants Toward a Complexity Analysis
Algebraic Cryptanalysis of Compact McEliece s Variants Toward a Complexity Analysis Jean-Charles Faugère 1, Ayoub Otmani 2,3, Ludovic Perret 1, and Jean-Pierre Tillich 2 1 SALSA Project - INRIA (Centre
More informationarxiv: v1 [cs.cr] 6 Jan 2013
On the complexity of the Rank Syndrome Decoding problem P. Gaborit 1, O. Ruatta 1 and J. Schrek 1 Université de Limoges, XLIM-DMI, 123, Av. Albert Thomas 87060 Limoges Cedex, France. philippe.gaborit,julien.schrek,olivier.ruatta@unilim.fr
More informationSigning with Codes. c Zuzana Masárová 2014
Signing with Codes by Zuzana Masárová A thesis presented to the University of Waterloo in fulfilment of the thesis requirement for the degree of Master of Mathematics in Combinatorics and Optimization
More informationarxiv: v4 [cs.cr] 30 Nov 2017
The problem with the SURF scheme Thomas Debris-Alazard 1,, Nicolas Sendrier, and Jean-Pierre Tillich 1 Sorbonne Universités, UPMC Univ Paris 06 Inria, Paris {thomas.debris,nicolas.sendrier,jean-pierre.tillich}@inria.fr
More informationSolutions of Exam Coding Theory (2MMC30), 23 June (1.a) Consider the 4 4 matrices as words in F 16
Solutions of Exam Coding Theory (2MMC30), 23 June 2016 (1.a) Consider the 4 4 matrices as words in F 16 2, the binary vector space of dimension 16. C is the code of all binary 4 4 matrices such that the
More informationAlgebraic Geometry Codes. Shelly Manber. Linear Codes. Algebraic Geometry Codes. Example: Hermitian. Shelly Manber. Codes. Decoding.
Linear December 2, 2011 References Linear Main Source: Stichtenoth, Henning. Function Fields and. Springer, 2009. Other Sources: Høholdt, Lint and Pellikaan. geometry codes. Handbook of Coding Theory,
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationCode-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security
More informationMathematics Department
Mathematics Department Matthew Pressland Room 7.355 V57 WT 27/8 Advanced Higher Mathematics for INFOTECH Exercise Sheet 2. Let C F 6 3 be the linear code defined by the generator matrix G = 2 2 (a) Find
More informationMATH32031: Coding Theory Part 15: Summary
MATH32031: Coding Theory Part 15: Summary 1 The initial problem The main goal of coding theory is to develop techniques which permit the detection of errors in the transmission of information and, if necessary,
More informationKnow the meaning of the basic concepts: ring, field, characteristic of a ring, the ring of polynomials R[x].
The second exam will be on Friday, October 28, 2. It will cover Sections.7,.8, 3., 3.2, 3.4 (except 3.4.), 4. and 4.2 plus the handout on calculation of high powers of an integer modulo n via successive
More informationDAGS: Key Encapsulation using Dyadic GS Codes
DAGS: Key Encapsulation using Dyadic GS Codes Anonymized for Submission Abstract. Code-based Cryptography is one of the main areas of interest for the Post-Quantum Cryptography Standardization call. In
More informationCode-based cryptography
Code-based graphy Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France pierre.louis.cayrel@univ-st-etienne.fr 16 Novembre 2011 Pierre-Louis
More informationCryptographie basée sur les codes correcteurs d erreurs et arithmétique
Cryptographie basée sur les correcteurs d erreurs et arithmétique with with with with Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France
More informationA Smart Approach for GPT Cryptosystem Based on Rank Codes
A Smart Approach for GPT Cryptosystem Based on Rank Codes arxiv:10060386v1 [csit 2 Jun 2010 Haitham Rashwan Department of Communications InfoLab21, South Drive Lancaster University Lancaster UK LA1 4WA
More informationCodes used in Cryptography
Prasad Krishnan Signal Processing and Communications Research Center, International Institute of Information Technology, Hyderabad March 29, 2016 Outline Coding Theory and Cryptography Linear Codes Codes
More informationNotes on Alekhnovich s cryptosystems
Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given
More informationA Fuzzy Sketch with Trapdoor
A Fuzzy Sketch with Trapdoor Julien Bringer 1, Hervé Chabanne 1, Quoc Dung Do 2 1 SAGEM Défense Sécurité, 2 Ecole Polytechnique, ENST Paris. Abstract In 1999, Juels and Wattenberg introduce an effective
More informationCryptographie basée sur les codes correcteurs d erreurs et arithmétique
with Cryptographie basée sur les correcteurs d erreurs et arithmétique with with Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France pierre.louis.cayrel@univ-st-etienne.fr
More informationarxiv: v3 [cs.it] 3 Jun 2017
Cryptanalysis of McEliece Cryptosystem Based on Algebraic Geometry Codes and their Subcodes Alain Couvreur 1, Irene Márquez-Corbella, and Ruud Pellikaan 3 arxiv:1401.605v3 [cs.it] 3 Jun 017 1 INRIA, Laboratoire
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationEfficient Encryption from Random Quasi-Cyclic Codes
1 Efficient Encryption from Random Quasi-Cyclic Codes Carlos Aguilar, Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit and Gilles Zémor ENSEEIHT, Université de Toulouse, France, carlos.aguilar@enseeiht.fr
More informationarxiv: v2 [cs.cr] 14 Feb 2018
Code-based Key Encapsulation from McEliece s Cryptosystem Edoardo Persichetti arxiv:1706.06306v2 [cs.cr] 14 Feb 2018 Florida Atlantic University Abstract. In this paper we show that it is possible to extend
More informationAttacking and defending the McEliece cryptosystem
Attacking and defending the McEliece cryptosystem (Joint work with Daniel J. Bernstein and Tanja Lange) Christiane Peters Technische Universiteit Eindhoven PQCrypto 2nd Workshop on Postquantum Cryptography
More informationPOLYNOMIAL CODES AND FINITE GEOMETRIES
POLYNOMIAL CODES AND FINITE GEOMETRIES E. F. Assmus, Jr and J. D. Key Contents 1 Introduction 2 2 Projective and affine geometries 3 2.1 Projective geometry....................... 3 2.2 Affine geometry..........................
More informationAlgebraic Cryptanalysis of Compact McEliece s Variants Toward a Complexity Analysis
Algebraic Cryptanalysis of Compact McEliece s Variants Toward a Complexity Analysis Jean-Charles Faugère 1, Ayoub Otmani 2,3, Ludovic Perret 1, and Jean-Pierre Tillich 2 1 SALSA Project - INRIA (Centre
More informationMATH3302 Coding Theory Problem Set The following ISBN was received with a smudge. What is the missing digit? x9139 9
Problem Set 1 These questions are based on the material in Section 1: Introduction to coding theory. You do not need to submit your answers to any of these questions. 1. The following ISBN was received
More informationGabidulin Codes that are Generalized. Reed Solomon Codes
International Journal of Algebra, Vol. 4, 200, no. 3, 9-42 Gabidulin Codes that are Generalized Reed Solomon Codes R. F. Babindamana and C. T. Gueye Departement de Mathematiques et Informatique Faculte
More informationList Decoding of Binary Goppa Codes up to the Binary Johnson Bound
List Decoding of Binary Goppa Codes up to the Binary Johnson Bound Daniel Augot Morgan Barbier Alain Couvreur École Polytechnique INRIA Saclay - Île de France ITW 2011 - Paraty Augot - Barbier - Couvreur
More informationEfficient One-Time Signatures from Quasi-Cyclic Codes: A Full Treatment
cryptography Article Efficient One-Time Signatures from Quasi-Cyclic Codes: A Full Treatment Edoardo Persichetti Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, FL 33431,
More informationLecture Introduction. 2 Linear codes. CS CTT Current Topics in Theoretical CS Oct 4, 2012
CS 59000 CTT Current Topics in Theoretical CS Oct 4, 01 Lecturer: Elena Grigorescu Lecture 14 Scribe: Selvakumaran Vadivelmurugan 1 Introduction We introduced error-correcting codes and linear codes in
More informationCryptographic Engineering
Cryptographic Engineering Clément PERNET M2 Cyber Security, UFR-IM 2 AG, Univ. Grenoble-Alpes ENSIMAG, Grenoble INP Outline Coding Theory Introduction Linear Codes Reed-Solomon codes Application: Mc Eliece
More information