Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes
[Slide 1/24] Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes
Magali Bardet (1), Julia Chaulet (2), Vlad Dragoi (1), Ayoub Otmani (1), Jean-Pierre Tillich (2)
(1) Normandie Univ, France; UR, LITIS, F Mont-Saint-Aignan, France.
(2) Inria, SECRET Project, Le Chesnay Cedex, France.
PQCrypto 2016
Vlad Dragoi, Cryptanalysis of McEliece Polar Codes, 1/24
[Slide 2/24] Introduction: McEliece Public-Key Encryption Scheme ('78)
1. Based on linear codes equipped with an efficient decoding algorithm: public key = random basis; private key = decoding algorithm.
2. McEliece proposed binary Goppa codes.
[Slide 3/24] Introduction: Textbook McEliece encryption scheme
Key generation step:
1. Pick a $k \times n$ generator matrix $G$ for $\mathcal{C}$ (a $t$-error-correcting code with a low-complexity decoding algorithm).
2. Randomly pick an $n \times n$ permutation matrix $P$ and a $k \times k$ invertible matrix $S$.
3. Private key $= (S, G, P)$ and public key $= (G_{pub}, t)$ with $G_{pub} = SGP$.
[Slide 4/24] Introduction: Textbook McEliece encryption scheme
Encryption: for $m \in \mathbb{F}_q^k$,
1. Generate randomly $e \in \mathbb{F}_q^n$ of Hamming weight $t$.
2. Ciphertext $c = m G_{pub} + e$.
Decryption:
1. Compute $z = c P^{-1}$, so that $z = mSG + eP^{-1}$.
2. Compute $y = \mathrm{Decode}_G(z)$, so that $y = mS$.
3. Return $m' = y S^{-1}$, so that $m' = m$.
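The scheme of slides 3 and 4, as an added example that is not part of the slides: it instantiates McEliece on the $[8, 4, 4]$ Reed-Muller code $\mathcal{R}(1, 3)$ that appears later in the deck, with a brute-force nearest-codeword search standing in for $\mathrm{Decode}_G$; the matrices $S$ and $P$ and the error $e$ are drawn from a seeded generator, so all values are constructed.

```python
"""Textbook McEliece (slides 3-4) on the [8, 4, 4] Reed-Muller code R(1, 3); added example."""
import random
from itertools import product

# Generator matrix of R(1, 3): the rows ev(1), ev(x2), ev(x1), ev(x0) over F_2^3.
# Minimum distance 4, so t = 1 error is corrected.
G_RM13 = [[1, 1, 1, 1, 1, 1, 1, 1],
          [0, 0, 0, 0, 1, 1, 1, 1],
          [0, 0, 1, 1, 0, 0, 1, 1],
          [0, 1, 0, 1, 0, 1, 0, 1]]
T = 1

def vec_mat(x, M):
    """Row vector times matrix over F_2 (M is a list of rows)."""
    return [sum(xi * row[j] for xi, row in zip(x, M)) % 2 for j in range(len(M[0]))]

def mat_mat(A, B):
    return [vec_mat(row, B) for row in A]

def add(u, v):
    return [(a + b) % 2 for a, b in zip(u, v)]

def weight(v):
    return sum(v)

def decode_G(z, Gmat):
    """Decode_G: the message y whose codeword yG is nearest to z (unique when at most t errors)."""
    return min((list(y) for y in product((0, 1), repeat=len(Gmat))),
               key=lambda y: weight(add(z, vec_mat(y, Gmat))))

def keygen(rng, Gmat=G_RM13, t=T):
    """Key generation step of slide 3: private (S, G, P), public (G_pub = S G P, t)."""
    k, n = len(Gmat), len(Gmat[0])
    while True:                                   # random k x k S, accepted only if invertible
        S = [[rng.randint(0, 1) for _ in range(k)] for _ in range(k)]
        if len({tuple(vec_mat(x, S)) for x in product((0, 1), repeat=k)}) == 1 << k:
            break
    perm = list(range(n))
    rng.shuffle(perm)                             # P moves coordinate i to position perm[i]
    P = [[int(perm[i] == j) for j in range(n)] for i in range(n)]
    return (S, Gmat, P), (mat_mat(mat_mat(S, Gmat), P), t)

def encrypt(pub, m, rng):
    """c = m G_pub + e with e a random vector of Hamming weight t."""
    G_pub, t = pub
    e = [0] * len(G_pub[0])
    for i in rng.sample(range(len(e)), t):
        e[i] = 1
    return add(vec_mat(m, G_pub), e)

def decrypt(priv, c):
    """z = c P^{-1} = m S G + e P^{-1}; y = Decode_G(z) = m S; m = y S^{-1}."""
    S, Gmat, P = priv
    P_inv = [list(col) for col in zip(*P)]        # for a permutation matrix P^{-1} = P^T
    z = vec_mat(c, P_inv)                         # e P^{-1} still has weight t
    y = decode_G(z, Gmat)
    return next(list(x) for x in product((0, 1), repeat=len(S)) if vec_mat(x, S) == y)

def roundtrip(seed):
    """Encrypt a random message under fresh keys and decrypt it; returns (m, recovered m)."""
    rng = random.Random(seed)
    priv, pub = keygen(rng)
    m = [rng.randint(0, 1) for _ in range(len(G_RM13))]
    return m, decrypt(priv, encrypt(pub, m, rng))
```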
[Slide 5/24] Motivations: Arguments for Polar Codes
Polar codes represent a powerful family of codes:
1. They attain the capacity of any memoryless channel.
2. They can be decoded with a low-complexity algorithm, the successive cancellation decoder by Arikan (2009).
3. Polar codes do not seem to be very structured.
Shrestha and Kim proposed in 2014 a McEliece PKC using polar codes.
Our main contribution: find the permutation $P$.
[Slide 6/24] Definitions: Polar Codes and Reed-Muller Codes
Definition. $G_m \overset{\mathrm{def}}{=} G_1 \otimes \cdots \otimes G_1$ ($m$ times), where $G_1 = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$ is Arikan's $2 \times 2$ kernel.
The polar code of length $n = 2^m$ and dimension $k$ is obtained by choosing a specific subset of $k$ rows of $G_m$.
The $r$-th order Reed-Muller code $\mathcal{R}(r, m)$ is obtained by choosing all the rows of $G_m$ with Hamming weight greater than or equal to $2^{m-r}$.
[Slide 7/24] Polar Codes
We build the generator matrix from $G_1 = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$; for $m = 2$ we have
$G_2 = \begin{pmatrix} G_1 & 0 \\ G_1 & G_1 \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 \\ 1 & 0 & 1 & 0 \\ 1 & 1 & 1 & 1 \end{pmatrix}$.
[Slide 8/24] Polar Codes
For $m = 3$ we have
$G_3 = \begin{pmatrix} G_1 & 0 & 0 & 0 \\ G_1 & G_1 & 0 & 0 \\ G_1 & 0 & G_1 & 0 \\ G_1 & G_1 & G_1 & G_1 \end{pmatrix}$, an $8 \times 8$ binary matrix.
A subset of its rows generates the $[2^3, 5, 2]$ polar code; another subset generates the first-order Reed-Muller code $\mathcal{R}(1, 3)$, a $[2^3, 4, 4]$ code.
[Slide 9/24] Motivations
The purpose is to find the permutation $P$.
1. General method: the Support Splitting Algorithm (SSA) by Sendrier, which needs
   - a small permutation group (the permutations leaving the code invariant),
   - a hull $\mathcal{C} \cap \mathcal{C}^\perp$ of small dimension.
2. Try to adapt the Minder and Shokrollahi attack (Reed-Muller codes) to polar codes.
Polar codes are neither vulnerable to the SSA attack nor to the Minder and Shokrollahi attack.
What is the permutation group of polar codes?
[Slide 10/24] Monomial Codes
The ambient space is the polynomial ring
$\mathcal{R}_2[x_0, \dots, x_{m-1}] = \mathbb{F}_2[x_0, \dots, x_{m-1}] / (x_0^2 - x_0, \dots, x_{m-1}^2 - x_{m-1})$.
To any $g \in \mathcal{R}_2[x_0, \dots, x_{m-1}]$ we naturally associate its evaluation over all elements of $\mathbb{F}_2^m$:
$\mathrm{ev}(g) = \big( g(u_0, \dots, u_{m-1}) \big)_{(u_0, \dots, u_{m-1}) \in \mathbb{F}_2^m}$.
Let $\mathcal{M}$ denote the set of all monomials, $\mathcal{M} \overset{\mathrm{def}}{=} \{1, x_0, \dots, x_{m-1}, x_0 x_1, \dots, x_0 \cdots x_{m-1}\}$.
[Slide 11/24] Monomial Codes: Polar and Reed-Muller Codes
Example for $m = 3$. Consider $G_3$ and all the elements of $\mathbb{F}_2^3$: each row of $G_3$ is the evaluation $\mathrm{ev}(g)$ of one monomial $g$, the rows being labelled, from top to bottom,
$g = x_2 x_1 x_0,\ x_2 x_1,\ x_2 x_0,\ x_2,\ x_1 x_0,\ x_1,\ x_0,\ 1$.
Five of these rows generate the $[2^3, 5, 2]$ polar code.
The four rows of weight at least $4$, namely $\mathrm{ev}(x_2), \mathrm{ev}(x_1), \mathrm{ev}(x_0), \mathrm{ev}(1)$, generate the $[2^3, 4, 4]$ Reed-Muller code $\mathcal{R}(1, 3)$.
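An added example (not the authors' code) that builds $G_m$ from Arikan's kernel as on slides 7 and 8, checks the row-to-monomial correspondence of this slide for every row of $G_m$ (the general rule, row $i$ is $\mathrm{ev}$ of the product of the $x_l$ whose bit $l$ of $i$ is $0$, goes slightly beyond the $m = 3$ table), and selects $\mathcal{R}(r, m)$ by the weight rule of slide 6; the column ordering of $\mathbb{F}_2^m$ (all-ones point first) is an assumption chosen so that the first row of $G_3$ is $\mathrm{ev}(x_2 x_1 x_0)$.

```python
"""G_m = G_1 (x) ... (x) G_1, its rows as evaluated monomials, and Reed-Muller row selection.
Added example, not the authors' code."""
from itertools import product

# Arikan's kernel: the recursion G_2 = [[G_1, 0], [G_1, G_1]] of slide 7 fixes G_1 = [[1, 0], [1, 1]].
G1 = [[1, 0], [1, 1]]

def kron(A, B):
    """Kronecker product of 0/1 matrices; entries are bit products, hence already in F_2."""
    return [[a * b for a in row_a for b in row_b] for row_a in A for row_b in B]

def G(m):
    """G_m: start from G_0 = (1) and apply G_i = [[G_{i-1}, 0], [G_{i-1}, G_{i-1}]] = G_1 (x) G_{i-1}."""
    Gm = [[1]]
    for _ in range(m):
        Gm = kron(G1, Gm)
    return Gm

def points(m):
    """F_2^m in the column order of G_m: column j is u with u_i = 1 - bit_i(j), so column 0 is (1,...,1).
    This ordering is an assumption of this example."""
    return [tuple(1 - ((j >> i) & 1) for i in range(m)) for j in range(1 << m)]

def ev(mono, m):
    """ev(g) for a monomial g given by its variable indices, over the points above."""
    return [int(all(u[i] for i in mono)) for u in points(m)]

def monomial_of_row(i, m):
    """Row i of G_m is ev of the product of the x_l whose bit l in i is 0 (general form of slide 11)."""
    return tuple(l for l in range(m) if not (i >> l) & 1)

def row_monomials(m):
    """Verify the row/monomial correspondence for every row and return the labels in row order."""
    labels = []
    for i, row in enumerate(G(m)):
        g = monomial_of_row(i, m)
        assert row == ev(g, m), (i, g)
        labels.append(g)
    return labels

def reed_muller_rows(r, m):
    """R(r, m): indices of the rows of G_m of Hamming weight >= 2^(m-r) (definition of slide 6)."""
    return [i for i, row in enumerate(G(m)) if sum(row) >= 1 << (m - r)]

def min_distance(rows):
    """Minimum weight of a nonzero codeword in the span of rows (brute force over 2^k messages)."""
    n = len(rows[0])
    best = n
    for coeffs in product((0, 1), repeat=len(rows)):
        if any(coeffs):
            w = sum(sum(c * row[j] for c, row in zip(coeffs, rows)) % 2 for j in range(n))
            best = min(best, w)
    return best

def rm_params(r, m):
    """[n, k, d] of R(r, m) as selected from G_m."""
    Gm = G(m)
    rows = [Gm[i] for i in reed_muller_rows(r, m)]
    return [len(Gm), len(rows), min_distance(rows)]

def pretty(m):
    """The table of slide 11: each row of G_m next to its monomial label (x2x1x0, ..., 1 for m = 3)."""
    return [("".join(f"x{l}" for l in sorted(g, reverse=True)) or "1", "".join(map(str, row)))
            for g, row in zip(row_monomials(m), G(m))]
```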
[Slide 12/24] Decreasing Monomial Codes
Definition (Monomial order). The monomials of the same degree are ordered as $x_{i_1} \cdots x_{i_s} \preceq x_{j_1} \cdots x_{j_s}$ if and only if for any $l \in \{1, \dots, s\}$, $i_l \le j_l$, where we assume that $i_1 > \cdots > i_s$ and $j_1 > \cdots > j_s$. This order is extended to other monomials through divisibility, namely: $f \preceq g$ if and only if there is a divisor $g'$ of $g$ such that $f \preceq g'$.
[Slide 13/24] Decreasing Monomial Code
Diagram of the order $\preceq$ on all monomials in $x_0, x_1, x_2, x_3$ ($m = 4$), listed here by degree from the largest element down to the smallest:
degree 4: $x_3 x_2 x_1 x_0$;
degree 3: $x_3 x_2 x_1,\ x_3 x_2 x_0,\ x_3 x_1 x_0,\ x_2 x_1 x_0$;
degree 2: $x_3 x_2,\ x_3 x_1,\ x_2 x_1,\ x_3 x_0,\ x_2 x_0,\ x_1 x_0$;
degree 1: $x_3,\ x_2,\ x_1,\ x_0$;
degree 0: $1$.
Fact. For any $g \in \mathcal{M}$ with $\deg(g) = r$ we have $x_{r-1} \cdots x_0 \preceq g$.
[Slide 14/24] Decreasing Monomial Codes
Definition (Decreasing set). A set $I \subseteq \mathcal{M}$ is decreasing if and only if $f \in I$ and $g \preceq f$ imply $g \in I$.
Definition (Decreasing monomial codes). The linear code defined by a set $I$ of polynomials is $\mathcal{C}(I) = \langle \{ \mathrm{ev}(f) \mid f \in I \} \rangle$, the span of the evaluations.
1. When $I \subseteq \mathcal{M}$, $\mathcal{C}(I)$ is a monomial code.
2. When $I \subseteq \mathcal{M}$ is a decreasing set, $\mathcal{C}(I)$ is a decreasing monomial code.
[Slide 15/24] Decreasing Monomial Codes: Main Properties
Theorem (Bardet et al. 2016). Polar codes are decreasing monomial codes.
Proposition. The dual of a decreasing monomial code is a decreasing monomial code.
Polar codes with rate (sufficiently) smaller than $1/2$ are weakly self-dual: $\mathcal{C} \subseteq \mathcal{C}^\perp$.
[Slide 16/24] Decreasing Monomial Codes: Permutation Group
Let $A$ be a lower triangular binary matrix with 1s on the diagonal and $b$ an arbitrary element of $\mathbb{F}_2^m$; for $m = 5$,
$A = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 \\ a_{21} & 1 & 0 & 0 & 0 \\ a_{31} & a_{32} & 1 & 0 & 0 \\ a_{41} & a_{42} & a_{43} & 1 & 0 \\ a_{51} & a_{52} & a_{53} & a_{54} & 1 \end{pmatrix}, \qquad b = \begin{pmatrix} b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \end{pmatrix}$.
We define the lower triangular affine group $\mathrm{LTA}_m$ as the set of affine transformations of the form $x \mapsto Ax + b$.
[Slide 17/24] Decreasing Monomial Codes: Permutation Group
The image of a variable $x_i$ is
$x_i \mapsto x_i + \sum_{j=0}^{i-1} a_{ij} x_j + b_i$.
Theorem. $\mathrm{LTA}_m$ is included in the permutation group of a decreasing monomial code.
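An added example (not the authors' code) covering slides 12 to 17: the order $\preceq$, decreasing sets, and the action of an element $x \mapsto Ax + b$ of $\mathrm{LTA}_m$ on a monomial, expanded in $\mathcal{R}_2$ and checked to stay inside the decreasing set, which is the content of the theorem above; it also checks that the affine map, read as a permutation of the coordinates of $\mathrm{ev}(f)$, produces exactly $\mathrm{ev}$ of the substituted polynomial. The matrix $A$ is assumed lower unitriangular, and the specific $A$, $b$ and set $I$ used in the checks are constructed for illustration.

```python
"""Monomial order, decreasing sets and the LTA_m action (slides 12-17); added example."""
from itertools import combinations

def leq(f, g):
    """f <= g for monomials given as tuples of variable indices (slide 12).
    Same degree: compare the index lists sorted decreasingly, position by position.
    Otherwise f <= g iff f <= g' for some divisor g' of g of the same degree as f."""
    f, g = tuple(sorted(f, reverse=True)), tuple(sorted(g, reverse=True))
    if len(f) == len(g):
        return all(i <= j for i, j in zip(f, g))
    if len(f) > len(g):
        return False
    return any(leq(f, sub) for sub in combinations(g, len(f)))

def all_monomials(m):
    """M: every monomial in x_0 .. x_{m-1}, as sorted tuples of indices (() is the constant 1)."""
    return [c for d in range(m + 1) for c in combinations(range(m), d)]

def is_decreasing(I, m):
    """Slide 14: I is decreasing iff f in I and g <= f imply g in I."""
    I = {tuple(sorted(f)) for f in I}
    return all(g in I for f in I for g in all_monomials(m) if leq(g, f))

def lower_set(gens, m):
    """The smallest decreasing set containing gens (union of the lower cones of the generators)."""
    return sorted({g for f in gens for g in all_monomials(m) if leq(g, f)}, key=lambda g: (len(g), g))

def substitute(f, A, b):
    """Apply x_i -> x_i + sum_{j<i} A[i][j] x_j + b_i (slide 17) to the monomial f and expand in R_2.
    A polynomial is stored as the set of its monomials; x_i^2 = x_i is enforced by set union,
    and adding a monomial twice cancels it (coefficients are in F_2)."""
    poly = {()}                                           # the constant 1
    for i in f:
        image = [(i,)] + [(j,) for j in range(i) if A[i][j]] + ([()] if b[i] else [])
        expanded = set()
        for mono in poly:
            for term in image:
                expanded ^= {tuple(sorted(set(mono) | set(term)))}
        poly = expanded
    return poly

def image_in_code(f, A, b, I):
    """Theorem of slide 17 in symbolic form: every monomial of the image of f lies in I."""
    I = {tuple(sorted(g)) for g in I}
    return all(g in I for g in substitute(f, A, b))

def ev(poly, m):
    """Evaluate a polynomial (set of monomials) at every u in F_2^m; u_i is bit i of the index."""
    return tuple(sum(all((j >> i) & 1 for i in mono) for mono in poly) % 2 for j in range(1 << m))

def permuted_codeword(poly, A, b, m):
    """ev(f) with its coordinates permuted by the bijection u -> Au + b of F_2^m (A lower unitriangular).
    This equals ev(f composed with the substitution), which by the theorem lies in the code."""
    vals = ev(poly, m)
    out = [0] * (1 << m)
    for j in range(1 << m):
        u = [(j >> i) & 1 for i in range(m)]
        v = [(sum(A[i][k] * u[k] for k in range(m)) + b[i]) % 2 for i in range(m)]
        out[j] = vals[sum(v[i] << i for i in range(m))]   # (ev(f) o sigma)(u) = f(sigma(u))
    return tuple(out)
```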
[Slide 18/24] Cryptanalysis of Polar Codes: Tools and Techniques
Puncturing and shortening a code:
$\mathcal{P}_J(\mathcal{C}) \overset{\mathrm{def}}{=} \{ (c_i)_{i \notin J} \mid c \in \mathcal{C} \}$;
$\mathcal{S}_J(\mathcal{C}) \overset{\mathrm{def}}{=} \{ (c_i)_{i \notin J} \mid c = (c_i)_i \in \mathcal{C} \text{ such that } \forall i \in J,\ c_i = 0 \}$.
[Slide 19/24] Cryptanalysis of Polar Codes: Tools and Techniques
Definition (Signature). Let $\mathcal{G}$ be a subgroup of permutations of $\mathcal{C}$ (a linear code of length $n$) and $W$ be a subset of $\mathcal{C}$ globally invariant under $\mathcal{G}$. $\Sigma(c, \mathcal{C})$ is a signature of $c$ if and only if
(i) $\Sigma(c, \mathcal{C}) = \Sigma(c^\pi, \mathcal{C}^\pi)$ for $\pi \in S_n$ (i.e. $\Sigma$ is invariant by permutation),
(ii) $\Sigma(c, \mathcal{C}) \neq \Sigma(c', \mathcal{C})$ if $c$ and $c'$ both belong to $W$ but are not in the same orbit under $\mathcal{G}$ (i.e. $\Sigma$ takes distinct values for each orbit).
[Slide 20/24] Cryptanalysis of Polar Codes: Tools and Techniques
Facts. Let $\mathcal{C}(I)$ be a decreasing monomial code and $I_r$ be the set of maximum-degree monomials. Recall that $x_{r-1} \cdots x_0 \in I_r$.
$\mathcal{O}_{x_{r-1} \cdots x_0} = \Big\{ \prod_{i=0}^{r-1} (x_i + b_i) \ \Big|\ b_i \in \mathbb{F}_2 \Big\}$ (the orbit of $x_{r-1} \cdots x_0$ under $\mathrm{LTA}_m$).
[Slide 21/24] Cryptanalysis of Polar Codes: Key steps of the attack
1. Find the sets of minimum-weight codewords $W_{\min}(\mathcal{C})$ and $W_{\min}(\mathcal{C}^\pi)$.
2. For $c \in W_{\min}(\mathcal{C})$, $\Sigma_c = \big( \dim \mathcal{S}_{\mathrm{supp}(c)}(\mathcal{C}),\ |W_{\min}(\mathcal{S}_{\mathrm{supp}(c)}(\mathcal{C}))| \big)$; the same definition for $\Sigma_{c^\pi}$.
3. Use the signature and the action of $\mathrm{LTA}_m$ to distinguish the orbits of monomials, in particular $x_{r-1} \cdots x_0$ (denote $c_{\min} = \mathrm{ev}(x_{r-1} \cdots x_0)$ and $c^\pi_{\min}$).
4. Let $J = \{ j \mid c_{\min}[j] = 0 \}$. Find a permutation that works for $\mathcal{P}_J(\mathcal{C})$ and $\mathcal{P}_{J^\pi}(\mathcal{C}^\pi)$. Continue by induction in order to retrieve the underlying polar code.
[Slide 22/24] Cryptanalysis of Polar Codes
Two columns: the private polar code $\mathcal{C}$ on the left, the public permuted code $\mathcal{C}^\pi$ on the right.
- $\mathcal{C}$: $W_{\min}(\mathcal{C}) = \mathrm{LTA}_m(I_r)$ (Bardet et al. 2016). / $\mathcal{C}^\pi$: compute $W_{\min}(\mathcal{C}^\pi)$ (Dumer 1991, Stern 1988).
- $\mathcal{C}$: for $g \in I_r$ compute $\mathcal{S}_{\mathrm{supp}(\mathrm{ev}(g))}(\mathcal{C})$. / $\mathcal{C}^\pi$: for $c^\pi \in W_{\min}(\mathcal{C}^\pi)$ compute $\mathcal{S}_{\mathrm{supp}(c^\pi)}(\mathcal{C}^\pi)$.
- $\mathcal{C}$: compute $\mathcal{O}_{x_{r-1} \cdots x_0} = \{ \prod_{i=0}^{r-1} (x_i + b_i) \mid b_i \in \mathbb{F}_2 \}$. / $\mathcal{C}^\pi$: identify $\mathcal{O}^\pi_{x_{r-1} \cdots x_0}$ using the list of signatures.
- $\mathcal{C}$: since $(x_{r-1} + 1) x_{r-2} \cdots x_0 \in \mathcal{O}_{x_{r-1} \cdots x_0}$, compute $(x_{r-1} + 1) x_{r-2} \cdots x_0 + x_{r-1} \cdots x_0 = x_{r-2} \cdots x_0$. / $\mathcal{C}^\pi$: find $((x_{r-1} + 1) x_{r-2} \cdots x_0)^\pi$ and compute $((x_{r-1} + 1) x_{r-2} \cdots x_0)^\pi + (x_{r-1} \cdots x_0)^\pi = (x_{r-2} \cdots x_0)^\pi$.
- $\mathcal{C}$: use induction to compute the list $(x_i \cdots x_0)_{0 \le i \le r-1}$. / $\mathcal{C}^\pi$: by induction compute $((x_i \cdots x_0)^\pi)_{0 \le i \le r-1}$.
- $\mathcal{C}$: let $c_i = \mathrm{ev}(x_{i-1} \cdots x_0)$ with $c_0 = \mathrm{ev}(1)$, $J_i = \{ j \mid c_i[j] = 0 \}$ and $D_i \overset{\mathrm{def}}{=} \mathcal{P}_{J_i}(\mathcal{C})$. / $\mathcal{C}^\pi$: let $(c_i)^\pi = \mathrm{ev}((x_{i-1} \cdots x_0)^\pi)$, $(J_i)^\pi = \{ j \mid (c_i)^\pi[j] = 0 \}$ and $(D_i)^\pi \overset{\mathrm{def}}{=} \mathcal{P}_{(J_i)^\pi}(\mathcal{C}^\pi)$.
- Solve the code equivalence for $D_i$ and $(D_i)^\pi$ by induction from $i = r$ down to $0$.
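The signature $\Sigma_c$ of slide 21 computed on a constructed toy decreasing monomial code ($m = 4$, $n = 16$, $k = 10$, $r = 2$), as an added example that is not part of the slides: it checks property (i), invariance under a random $\pi$, and that in this toy the signature singles out the orbit $\mathcal{O}_{x_1 x_0}$ of slide 20 inside the public code, which is what the induction of slide 22 starts from. Brute-force enumeration of all $2^k$ codewords replaces the Dumer/Stern search for minimum-weight words; the set $I$ and the seed are assumptions of the example.

```python
"""Signature distinguisher (slides 19-22) on a toy decreasing monomial code; added example."""
import random

M = 4                       # number of variables, code length N = 2^M = 16
N = 1 << M
# Constructed decreasing set I of maximum degree r = 2 (x1*x0 is in I_r, as slide 20 recalls).
I = [(), (0,), (1,), (2,), (3,), (0, 1), (0, 2), (1, 2), (0, 3), (1, 3)]

def ev(mono):
    """ev(g) of a monomial (tuple of variable indices) as an N-bit integer:
    bit j is g(u) where u_i is bit i of j."""
    return sum(1 << j for j in range(N) if all((j >> i) & 1 for i in mono))

def span(gens):
    """All 2^k codewords spanned by the generator words (brute force is fine for this size)."""
    words = {0}
    for g in gens:
        words |= {w ^ g for w in words}
    return words

def weight(w):
    return bin(w).count("1")

def min_weight_words(code):
    """W_min: the nonzero codewords of minimum Hamming weight."""
    nonzero = [w for w in code if w]
    d = min(weight(w) for w in nonzero)
    return {w for w in nonzero if weight(w) == d}

def shorten(code, J):
    """S_J(C) of slide 18: codewords that vanish on J, with the J coordinates deleted."""
    keep = [j for j in range(N) if j not in J]
    out = set()
    for w in code:
        if not any((w >> j) & 1 for j in J):
            out.add(sum(((w >> j) & 1) << t for t, j in enumerate(keep)))
    return out

def signature(c, code):
    """Sigma_c = (dim S_supp(c)(C), |W_min(S_supp(c)(C))|) as on slide 21."""
    supp = [j for j in range(N) if (c >> j) & 1]
    S = shorten(code, supp)                       # a linear code, so |S| = 2^dim
    return (len(S).bit_length() - 1, len(min_weight_words(S)))

def signatures(code):
    """Signature of every minimum-weight codeword."""
    return {c: signature(c, code) for c in min_weight_words(code)}

def permute(w, pi):
    """Move bit j of w to position pi[j]."""
    return sum(((w >> j) & 1) << pi[j] for j in range(N))

def demo(seed=1):
    C = span([ev(g) for g in I])                  # the private code C(I)
    pi = list(range(N))
    random.Random(seed).shuffle(pi)               # the secret permutation
    C_pi = {permute(w, pi) for w in C}            # the public code C^pi
    sig_C, sig_pi = signatures(C), signatures(C_pi)
    # Property (i) of slide 19: Sigma(c, C) == Sigma(c^pi, C^pi) for every minimum-weight c.
    invariant = all(sig_C[c] == sig_pi[permute(c, pi)] for c in sig_C)
    # The orbit O_{x1 x0} = {ev((x1 + b1)(x0 + b0))} has four words; in this toy its signature
    # is shared by no other minimum-weight word, so it can be located in C^pi without pi.
    target = sig_C[ev((0, 1))]
    located = {c for c, s in sig_pi.items() if s == target}
    return {"d_min": weight(next(iter(sig_C))), "n_min": len(sig_C), "invariant": invariant,
            "target_sig": target, "orbit_size": len(located)}
```

Here the distinguished signature is $(7, 39)$ and it marks exactly the four words of $\mathcal{O}^\pi_{x_1 x_0}$, whereas the other maximum-degree monomials of this $I$ give a shortened code of dimension 6.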
[Slide 23/24] Cryptanalysis of Polar Codes: Implementation
We consider the $[2048, 614]$ polar code that is able to correct up to $200$ errors.
The security level is $2^{105}$, given by generic decoding algorithms for linear codes.
We checked the decreasing property of both $\mathcal{C}$ and $\mathcal{C}^\perp$ as well as the weak self-duality of the code.
$d_{\min}(\mathcal{C}) = 32$ and there were $|W_{\min}(\mathcal{C})| =$ codewords. For the dual code $d_{\min}(\mathcal{C}^\perp) = 8$ and there were $6912$ codewords.
It took 27 seconds to find these codewords in $\mathcal{C}^\pi$ and 3 seconds to find these codewords in $(\mathcal{C}^\pi)^\perp$ on an 8-core XEON E running at 3.40 GHz.
The most time-consuming part is the last part of the induction. The time for a successful attack was less than 14 days on the same processor.
[Slide 24/24] Summary
Polar codes in a public-key cryptographic scheme are vulnerable to structural attacks.
The introduction of an algebraic formalism was crucial for a successful attack.
A unified formalism for polar codes and Reed-Muller codes under the name of decreasing monomial codes.
MATH32031: Coding Theory Part 15: Summary 1 The initial problem The main goal of coding theory is to develop techniques which permit the detection of errors in the transmission of information and, if necessary,
More informationChannel Coding for Secure Transmissions
Channel Coding for Secure Transmissions March 27, 2017 1 / 51 McEliece Cryptosystem Coding Approach: Noiseless Main Channel Coding Approach: Noisy Main Channel 2 / 51 Outline We present an overiew of linear
More informationAlgebraic Cryptanalysis of Compact McEliece s Variants Toward a Complexity Analysis
Algebraic Cryptanalysis of Compact McEliece s Variants Toward a Complexity Analysis Jean-Charles Faugère 1, Ayoub Otmani 2,3, Ludovic Perret 1, and Jean-Pierre Tillich 2 1 SALSA Project - INRIA (Centre
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationStructural Cryptanalysis of McEliece Schemes with Compact Keys
Structural Cryptanalysis of McEliece Schemes with Compact Keys Jean-Charles Faugère, Ayoub Otmani, Ludovic Perret, Frédéric De Portzamparc, Jean-Pierre Tillich To cite this version: Jean-Charles Faugère,
More informationReducing Key Length of the McEliece Cryptosystem
Reducing Key Length of the McEliece Cryptosystem Thierry Pierre Berger, Pierre-Louis Cayrel, Philippe Gaborit, Ayoub Otmani To cite this version: Thierry Pierre Berger, Pierre-Louis Cayrel, Philippe Gaborit,
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationMDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes
MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes Rafael Misoczki, Jean-Pierre Tillich, Nicolas Sendrier, Paulo S. L. M. Barreto To cite this version: Rafael Misoczki, Jean-Pierre
More informationWild McEliece Incognito
Wild McEliece Incognito Christiane Peters Technische Universiteit Eindhoven joint work with Daniel J. Bernstein and Tanja Lange Seminaire de Cryptographie Rennes April 1, 2011 Bad news Quantum computers
More informationOn the Security of Some Cryptosystems Based on Error-correcting Codes
On the Security of Some Cryptosystems Based on Error-correcting Codes Florent Chabaud * Florent.Chabaud~ens.fr Laboratoire d'informatique de FENS ** 45, rue d'ulm 75230 Paris Cedex 05 FRANCE Abstract.
More informationA Fuzzy Sketch with Trapdoor
A Fuzzy Sketch with Trapdoor Julien Bringer 1, Hervé Chabanne 1, Quoc Dung Do 2 1 SAGEM Défense Sécurité, 2 Ecole Polytechnique, ENST Paris. Abstract In 1999, Juels and Wattenberg introduce an effective
More informationVulnerabilities of McEliece in the World of Escher
Vulnerabilities of McEliece in the World of Escher Dustin Moody and Ray Perlner National Institute of Standards and Technology, Gaithersburg, Maryland, USA dustin.moody@nist.gov, ray.perlner@nist.gov Abstract.
More informationCryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes
Cryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes Alain Couvreur, Irene Márquez-Corbella and Ruud Pellikaan Abstract We give a polynomial time attack on the McEliece
More informationEnhanced public key security for the McEliece cryptosystem
Enhanced public key security for the McEliece cryptosystem Marco Baldi 1, Marco Bianchi 1, Franco Chiaraluce 1, Joachim Rosenthal 2, and Davide Schipani 2 1 Università Politecnica delle Marche, Ancona,
More informationToward Secure Implementation of McEliece Decryption
Toward Secure Implementation of McEliece Decryption Mariya Georgieva & Frédéric de Portzamparc Gemalto & LIP6, 13/04/2015 1 MCELIECE PUBLIC-KEY ENCRYPTION 2 DECRYPTION ORACLE TIMING ATTACKS 3 EXTENDED
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven ASCrypto Summer School: 18 September 2017 Error correction
More informationTHIS paper investigates the difficulty of the Goppa Code
A Distinguisher for High Rate McEliece Cryptosystems Jean-Charles Faugère, Valérie Gauthier-Umaña, Ayoub Otmani, Ludovic Perret, Jean-Pierre Tillich Abstract The Goppa Code Distinguishing (GCD problem
More informationCompact McEliece keys based on Quasi-Dyadic Srivastava codes
Compact McEliece keys based on Quasi-Dyadic Srivastava codes Edoardo Persichetti Department of Mathematics, University of Auckland, New Zealand epersichetti@mathaucklandacnz Abstract The McEliece cryptosystem
More informationCode-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security
More informationImproved Timing Attacks against the Secret Permutation in the McEliece PKC
INTERNATIONAL JOURNAL OF COMPUTERS COMMUNICATIONS & CONTROL ISSN 1841-9836, 1(1):7-5, February 017. Improved Timing Attacks against the Secret Permutation in the McEliece PKC D. Bucerzan, P.L. Cayrel,
More informationA Reaction Attack on the QC-LDPC McEliece Cryptosystem
A Reaction Attack on the QC-LDPC McEliece Cryptosystem Tomáš Fabšič 1, Viliam Hromada 1, Paul Stankovski 2, Pavol Zajac 1, Qian Guo 2, Thomas Johansson 2 1 Slovak University of Technology in Bratislava
More informationCode-Based Cryptography McEliece Cryptosystem
Code-Based Cryptography McEliece Cryptosystem I. Márquez-Corbella 0 . McEliece Cryptosystem 1. Formal Definition. Security-Reduction Proof 3. McEliece Assumptions 4. Notions of Security 5. Critical Attacks
More informationImproving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems
Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems Robert Niebuhr 1, Pierre-Louis Cayrel 2, and Johannes Buchmann 1,2 1 Technische Universität Darmstadt Fachbereich
More informationCode-based cryptography
Code-based graphy Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France pierre.louis.cayrel@univ-st-etienne.fr 16 Novembre 2011 Pierre-Louis
More informationCryptographie basée sur les codes correcteurs d erreurs et arithmétique
Cryptographie basée sur les correcteurs d erreurs et arithmétique with with with with Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France
More informationSupport weight enumerators and coset weight distributions of isodual codes
Support weight enumerators and coset weight distributions of isodual codes Olgica Milenkovic Department of Electrical and Computer Engineering University of Colorado, Boulder March 31, 2003 Abstract In
More informationDecomposing Bent Functions
2004 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 49, NO. 8, AUGUST 2003 Decomposing Bent Functions Anne Canteaut and Pascale Charpin Abstract In a recent paper [1], it is shown that the restrictions
More informationOn the Use of Structured Codes in Code Based Cryptography 1. Nicolas Sendrier
On the Use of Structured Codes in Code Based Cryptography 1 Nicolas Sendrier INRIA, CRI Paris-Rocquencourt, Project-Team SECRET Email: Nicolas.Sendrier@inria.fr WWW: http://www-roc.inria.fr/secret/nicolas.sendrier/
More informationError-correcting pairs for a public-key cryptosystem
Error-correcting pairs for a public-key cryptosystem Irene Márquez-Corbella and Ruud Pellikaan Department of Algebra, Geometry and Topology, University of Valladolid Facultad de Ciencias, 47005 Valladolid,
More informationCryptanalysis of the Original McEliece Cryptosystem
Cryptanalysis of the Original McEliece Cryptosystem Anne Canteaut and Nicolas Sendrier INRIA - projet CODES BP 105 78153 Le Chesnay, France Abstract. The class of public-ey cryptosystems based on error-correcting
More informationHexi McEliece Public Key Cryptosystem
Appl Math Inf Sci 8, No 5, 2595-2603 (2014) 2595 Applied Mathematics & Information Sciences An International Journal http://dxdoiorg/1012785/amis/080559 Hexi McEliece Public Key Cryptosystem K Ilanthenral
More informationPost-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017
Post-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017 1 Background I will use: Linear algebra. Vectors x. Matrices A, matrix multiplication AB, xa,
More informationOn Cryptographic Properties of the Cosets of R(1;m)
1494 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 47, NO. 4, MAY 2001 On Cryptographic Properties of the Cosets of R(1;m) Anne Canteaut, Claude Carlet, Pascale Charpin, and Caroline Fontaine Abstract
More informationError-correcting codes and applications
Error-correcting codes and applications November 20, 2017 Summary and notation Consider F q : a finite field (if q = 2, then F q are the binary numbers), V = V(F q,n): a vector space over F q of dimension
More informationCryptanalysis of the Wu}Dawson Public Key Cryptosystem
Finite Fields and Their Applications 5, 386}392 (1999) Article ID!ta.1999.0264, available online at http://www.idealibrary.com on Cryptanalysis of the Wu}Dawson Public Key Cryptosystem Peter Roelse Philips
More informationarxiv: v4 [cs.cr] 30 Nov 2017
The problem with the SURF scheme Thomas Debris-Alazard 1,, Nicolas Sendrier, and Jean-Pierre Tillich 1 Sorbonne Universités, UPMC Univ Paris 06 Inria, Paris {thomas.debris,nicolas.sendrier,jean-pierre.tillich}@inria.fr
More informationLDPC codes in the McEliece cryptosystem: attacks and countermeasures
arxiv:0710.0142v2 [cs.it] 11 Jan 2009 LDPC codes in the McEliece cryptosystem: attacks and countermeasures Marco BALDI 1 Polytechnic University of Marche, Ancona, Italy Abstract. The McEliece cryptosystem
More informationGeneralized subspace subcodes with application in cryptology
1 Generalized subspace subcodes with application in cryptology Thierry P. BERGER, Cheikh Thiécoumba GUEYE and Jean Belo KLAMTI arxiv:1704.07882v1 [cs.cr] 25 Apr 2017 Cheikh Thiécoumba GUEYE and Jean Belo
More informationAn efficient structural attack on NIST submission DAGS
An efficient structural attack on NIST submission DAGS Élise Barelli 1 and Alain Couvreur 1 1 INRIA & LIX, CNRS UMR 7161 École polytechnique, 91128 Palaiseau Cedex, France Abstract We present an efficient
More informationHybrid Approach : a Tool for Multivariate Cryptography
Hybrid Approach : a Tool for Multivariate Cryptography Luk Bettale, Jean-Charles Faugère and Ludovic Perret INRIA, Centre Paris-Rocquencourt, SALSA Project UPMC, Univ. Paris 06, LIP6 CNRS, UMR 7606, LIP6
More informationGröbner Bases in Public-Key Cryptography
Gröbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Université Paris 6 INRIA ludovic.perret@lip6.fr ECRYPT PhD SUMMER SCHOOL Emerging Topics in Cryptographic Design and Cryptanalysis
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationLow Rank Parity Check codes and their application to cryptography
Noname manuscript No. (will be inserted by the editor) Low Rank Parity Check codes and their application to cryptography Philippe Gaborit Gaétan Murat Olivier Ruatta Gilles Zémor Abstract In this paper
More informationKnow the meaning of the basic concepts: ring, field, characteristic of a ring, the ring of polynomials R[x].
The second exam will be on Friday, October 28, 2. It will cover Sections.7,.8, 3., 3.2, 3.4 (except 3.4.), 4. and 4.2 plus the handout on calculation of high powers of an integer modulo n via successive
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationOpen problems related to algebraic attacks on stream ciphers
Open problems related to algebraic attacks on stream ciphers Anne Canteaut INRIA - projet CODES B.P. 105 78153 Le Chesnay cedex - France e-mail: Anne.Canteaut@inria.fr Abstract The recently developed algebraic
More informationAdvances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago
Advances in code-based public-key cryptography D. J. Bernstein University of Illinois at Chicago Advertisements 1. pqcrypto.org: Post-quantum cryptography hash-based, lattice-based, code-based, multivariate
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationError-correcting pairs for a public-key cryptosystem
Error-correcting pairs for a public-key cryptosystem Ruud Pellikaan and Irene Márquez-Corbella Discrete Mathematics, Techn. Univ. Eindhoven P.O. Box 513, 5600 MB Eindhoven, The Netherlands. E-mail: g.r.pellikaan@tue.nl
More informationBREAKING THE AKIYAMA-GOTO CRYPTOSYSTEM. Petar Ivanov & José Felipe Voloch
BREAKING THE AKIYAMA-GOTO CRYPTOSYSTEM by Petar Ivanov & José Felipe Voloch Abstract. Akiyama and Goto have proposed a cryptosystem based on rational points on curves over function elds (stated in the
More informationCryptographic applications of codes in rank metric
Cryptographic applications of codes in rank metric Pierre Loidreau CELAr and Université de Rennes Pierre.Loidreau@m4x.org June 16th, 2009 Introduction Rank metric and cryptography Gabidulin codes and linearized
More informationAnother view of the division property
Another view of the division property Christina Boura and Anne Canteaut Université de Versailles-St Quentin, France Inria Paris, France Dagstuhl seminar, January 2016 Motivation E K : block cipher with
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationApplications of Lattices in Telecommunications
Applications of Lattices in Telecommunications Dept of Electrical and Computer Systems Engineering Monash University amin.sakzad@monash.edu Oct. 2013 1 Sphere Decoder Algorithm Rotated Signal Constellations
More informationA Fast Provably Secure Cryptographic Hash Function
A Fast Provably Secure Cryptographic Hash Function Daniel Augot, Matthieu Finiasz, and Nicolas Sendrier Projet Codes, INRIA Rocquencourt BP 15, 78153 Le Chesnay - Cedex, France [DanielAugot,MatthieuFiniasz,NicolasSendrier]@inriafr
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More informationPost-Quantum Code-Based Cryptography
Big Data Photonics UCLA Post-Quantum Code-Based Cryptography 03-25-2016 Valérie Gauthier Umaña Assistant Professor valeriee.gauthier@urosario.edu.co Cryptography Alice 1 Cryptography Alice Bob 1 Cryptography
More informationOpen problems on cyclic codes
Open problems on cyclic codes Pascale Charpin Contents 1 Introduction 3 2 Different kinds of cyclic codes. 4 2.1 Notation.............................. 5 2.2 Definitions............................. 6
More informationThe Feng Rao bounds. KIAS International Conference on Coding Theory and Applications Olav Geil, Aalborg University, Denmark
Olav Geil Aalborg University Denmark KIAS International Conference on Coding Theory and Applications 2012 Linear code = a subspace. Operations are: Vector addition. Scalar multiplication. [n, k, d] the
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1, and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105 78153 Le Chesnay
More informationA Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem
A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem Daniel Augot and Matthieu Finiasz INRIA, Domaine de Voluceau F-78153 Le Chesnay CEDEX Abstract. The Polynomial Reconstruction
More informationOptimal XOR based (2,n)-Visual Cryptography Schemes
Optimal XOR based (2,n)-Visual Cryptography Schemes Feng Liu and ChuanKun Wu State Key Laboratory Of Information Security, Institute of Software Chinese Academy of Sciences, Beijing 0090, China Email:
More information24th Conference on ACA Santiago de Compostela Session on CACTC Computer Algebra Tales on Goppa Codes and McEliece Cryptography
24th Conference on ACA Santiago de Compostela Session on CACTC Computer Algebra Tales on Goppa Codes and McEliece Cryptography N. Sayols & S. Xambó UPC 19/6/2018 N. Sayols & S. Xambó (UPC) McECS,PyECC
More informationError-correcting codes and Cryptography
Error-correcting codes and Cryptography Henk van Tilborg Code-based Cryptography Workshop Eindhoven, May -2, 2 /45 CONTENTS I II III IV V Error-correcting codes; the basics Quasi-cyclic codes; codes generated
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1 and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105-78153 Le Chesnay Cedex
More informationQuasi-dyadic CFS signatures
Quasi-dyadic CFS signatures Paulo S. L. M. Barreto 1, Pierre-Louis Cayrel 2, Rafael Misoczki 1, and Robert Niebuhr 3 1 Departamento de Engenharia de Computação e Sistemas Digitais (PCS), Escola Politécnica,
More informationDifferential properties of power functions
Differential properties of power functions Céline Blondeau, Anne Canteaut and Pascale Charpin SECRET Project-Team - INRIA Paris-Rocquencourt Domaine de Voluceau - B.P. 105-8153 Le Chesnay Cedex - France
More informationOn some properties of PRNGs based on block ciphers in counter mode
On some properties of PRNGs based on block ciphers in counter mode Alexey Urivskiy, Andrey Rybkin, Mikhail Borodin JSC InfoTeCS, Moscow, Russia alexey.urivskiy@mail.ru 2016 Pseudo Random Number Generators
More information