Cryptographic applications of codes in rank metric
1 Cryptographic applications of codes in rank metric
Pierre Loidreau, CELAR and Université de Rennes, June 16th, 2009
2 Introduction
- Rank metric and cryptography
- Gabidulin codes and linearized polynomials
- McEliece type cryptosystems
- AF-like cryptosystems
3 Rank metric and cryptography
4 History of cryptographic applications
- Encryption schemes, [Gabidulin-Paramonov-Tretjakov 91]; trapdoor: difficulty of decoding in rank metric
- Authentication codes, [Johansson 95]
- ZK identification scheme, [Chen 96]
- Hash functions for MAC, [Safavi-Naini-Charnes 05]
5 Rank metric
Definition (Rank of a vector). Let $\gamma_1,\dots,\gamma_m$ be a basis of $\mathbb{F}_{q^m}/\mathbb{F}_q$ and $e=(e_1,\dots,e_n)\in(\mathbb{F}_{q^m})^n$; expanding each coordinate over the basis, $e_i\mapsto(e_{i1},\dots,e_{in})$, gives, for $e\in\mathbb{F}_{q^m}^n$,
$$\mathrm{Rk}(e)\stackrel{def}{=}\mathrm{Rk}\begin{pmatrix}e_{11}&\cdots&e_{1n}\\ \vdots&&\vdots\\ e_{m1}&\cdots&e_{mn}\end{pmatrix}.$$
Definition. $C\subseteq\mathbb{F}_{q^m}^n$ is an $(n,M,d)_r$-code if $M=|C|$ and its minimum rank distance is $d=\min_{c_1\neq c_2\in C}\mathrm{Rk}(c_1-c_2)$.
6 Bounds in rank metric
Volume of a sphere: $q^{(m+n-1)t-t^2}\le S_t\le q^{(m+n+1)t-t^2}$
Volume of a ball: $q^{(m+n-1)t-t^2}\le B_t\le q^{(m+n+1)t-t^2+1}$
Classical bounds:
- Singleton: $M\le q^{\min(m(n-d+1),\,n(m-d+1))}$; codes meeting it are MRD codes
- Sphere-packing: $M\,B_{\lfloor(d-1)/2\rfloor}\le q^{mn}$; codes meeting it are perfect codes
- GV-like: $M\,B_{d-1}<q^{mn}\Rightarrow\exists\,(n,M+1,d)_r$ code
7 Proposition ([L.06]). No perfect codes exist. For $C$ on the GV bound: if $mn-\log_q M=o(n)(m+n)$, then $d$ satisfies the bound (garbled in the transcription): d n + m + n 1 2 logq M 1 + m + n (m n)2 4log q M
8 Decoding problems for linear codes
Parameters: $C$ generated by a matrix $G$; $y\in\mathbb{F}_{q^m}^n$ the received vector; $t$ an integer.
Problems:
- MDD: find $x$ such that $\mathrm{Rk}(y-xG)=\min_{c\in C}\mathrm{Rk}(y-c)$
- BDD: find, if it exists, $x$ such that $\mathrm{Rk}(y-xG)\le t$
- LD: find all $x$ such that $\mathrm{Rk}(y-xG)\le t$
Are these search problems NP-hard?
9 Solving BDD(t) for $t\le(d-1)/2$
Principle: find minimum-rank codewords in the code generated by
$$G'=\begin{pmatrix}G\\ y\end{pmatrix}=S\,(I_{k+1}\mid R).$$
System: $(\beta_1,\dots,\beta_t)(U_2-U_1R)=0$.
Methods:
- Try and solve, [Chabaud-Stern 96, Ourivski-Johansson 02]:
  Algo. type | Complexity
  Basis enumeration | $(k+t)^3\,q^{(t-1)(m-t)+2}$
  Coordinates enumeration | $(k+t)^3\,t^3\,q^{(t-1)(k+1)}$
- Projection on the base field and use of Gröbner bases techniques, [Levy-Perret 06]
10 Why use rank metric for cryptographic applications
Complexities of solving BDD(t) for an $[n,k,d]$ code over $\mathbb{F}_{2^m}$:
- IS decoding: $M(\mathbb{F}_{2^m})\,n^3\,2^{n\left(h_2(t/n)-(1-R)\,h_2\left(t/((1-R)n)\right)\right)}=m^2n^3\,2^{\alpha n}$
- Coord. enum.: $(k+t)^3\,t^3\,2^{(\alpha_1n-1)(\alpha_2n+1)}$
Use of smaller public keys in McEliece type systems.
11 Gabidulin codes and linearized polynomials
12 Gabidulin codes
Let $a=(a_1,\dots,a_n)\in\mathbb{F}_{q^m}^n$, where the $a_i$ are linearly independent over $\mathbb{F}_q$. Consider
$$G=\begin{pmatrix}a_1&\cdots&a_n\\ \vdots&&\vdots\\ a_1^{[k-1]}&\cdots&a_n^{[k-1]}\end{pmatrix},\quad\text{where }[i]\stackrel{def}{=}q^i.\qquad(1)$$
Definition ([Gabidulin85]). The code generated by $G$ is denoted $\mathrm{Gab}_k(a)$.
13 Properties of the codes
- They are MRD codes (hence also MDS codes)
- The dual of $\mathrm{Gab}_k(a)$ is a $\mathrm{Gab}_{n-k}(h)$
- The rank distribution is known
- The permutation group is trivial, [Berger 03]
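A worked example, added here and not part of Loidreau's slides, of the rank definition from slide 5, the generator matrix (1) and the MRD property of slide 13: it builds $\mathrm{Gab}_2(a)$ over $\mathbb{F}_{2^4}$, computes $\mathrm{Rk}(e)$ by expanding each coordinate over the basis $1,x,x^2,x^3$, and checks by brute force that the minimum rank distance is $n-k+1=3$. The modulus $x^4+x+1$ and the support $a=(1,x,x^2,x^3)$ are assumptions of the example.

```python
"""Rank metric and a small Gabidulin code over F_{2^m}, worked in plain Python.
Added example (not from the slides): q = 2, m = 4, modulus x^4 + x + 1 (assumed choice)."""

M = 4
MODULUS = 0b10011  # x^4 + x + 1, irreducible over F_2 (assumed choice)


def gf_mul(a, b):
    """Multiply two elements of F_{2^m}, represented as integers below 2^m."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:          # degree reached m: reduce modulo the modulus
            a ^= MODULUS
    return r


def frob(a, i=1):
    """a^{[i]} = a^{q^i}: the i-fold Frobenius, i.e. squaring i times for q = 2."""
    for _ in range(i):
        a = gf_mul(a, a)
    return a


def rank_over_f2(vec):
    """Rk(e): expand e = (e_1, ..., e_n) in F_{2^m}^n into an m x n binary matrix
    (row `bit` holds the coefficient of x^bit of every coordinate) and return its
    rank over F_2 by Gaussian elimination; rows are kept as bit masks."""
    rows = [sum(((e >> bit) & 1) << j for j, e in enumerate(vec)) for bit in range(M)]
    rank = 0
    for col in range(len(vec)):
        pivot = next((r for r in range(rank, len(rows)) if (rows[r] >> col) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for r in range(len(rows)):
            if r != rank and (rows[r] >> col) & 1:
                rows[r] ^= rows[rank]
        rank += 1
    return rank


def gabidulin_generator(a, k):
    """Generator matrix (1) of Gab_k(a): row i is (a_1^{[i]}, ..., a_n^{[i]})."""
    return [[frob(aj, i) for aj in a] for i in range(k)]


def encode(G, x):
    """Codeword c = x G over F_{2^m}, for a message x with k coordinates."""
    n = len(G[0])
    c = [0] * n
    for xi, row in zip(x, G):
        for j in range(n):
            c[j] ^= gf_mul(xi, row[j])
    return c


def min_rank_distance(G):
    """Brute-force d = min Rk(c) over nonzero codewords; the code is linear, so the
    minimum over differences c_1 - c_2 equals the minimum over nonzero codewords."""
    k, n = len(G), len(G[0])
    best = n
    for idx in range(1, 2 ** (M * k)):
        x = [(idx >> (M * i)) & (2 ** M - 1) for i in range(k)]
        best = min(best, rank_over_f2(encode(G, x)))
    return best


if __name__ == "__main__":
    a = [1, 2, 4, 8]                      # (1, x, x^2, x^3): linearly independent over F_2
    G = gabidulin_generator(a, 2)         # Gab_2(a), n = m = 4, k = 2
    print("G =", G)
    print("Rk of codeword for x = (1, 1):", rank_over_f2(encode(G, [1, 1])))
    print("minimum rank distance d =", min_rank_distance(G), "(Singleton: n - k + 1 = 3)")
```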
14 Decoding algorithms
Algorithm | Complexity (mult. in $\mathbb{F}_{q^m}$) | Reference
Ext. Euclidean | $2t(n+5t)$ | [Gabidulin85]
Linear system solving | $2t(n+t/2)$ | [Gabidulin91], [Roth91]
BM-like | $2t(n+3t+t^2/4)$ | [Richter-Plass 05]
WB-like | $2t(4n-t)$ | [L.05]
Table: decoding rank $t=\lfloor(d-1)/2\rfloor$ errors in a $\mathrm{Gab}_{n-d+1}(g)$ code
15 McEliece like cryptosystems
16 Description [Gabidulin-Paramonov-Tretjakov 91]
Parameters: $g=(g_1,\dots,g_n)\in\mathbb{F}_{q^m}^n$
Private key:
- $G$ generates $\mathrm{Gab}_k(g)$, correcting rank $t$ errors
- $T$, an isometry of the rank metric
- $Z$, of size $k\times t_1$ over $\mathbb{F}_{q^m}$
Public key: $G_{pub}=S\,(G\mid\underbrace{Z}_{t_1\text{ cols}})\,T$ (2)
17 Encryption and decryption
Encryption: $y=xG_{pub}+e$, with $\mathrm{Rk}(e)\le t-t_1$
Decryption: compute $yT^{-1}=x(G\mid Z)+eT^{-1}$, puncture on the last $t_1$ positions and decode
Security assumption: BDD(t) difficult
18 Properties in rank metric
Advantages:
- Fast encryption and decryption
- Enables small keys ( bits)
- Security against reaction attacks
Drawbacks:
- Not optimal transmission rate
- Weakness against message-resend attacks
- ONLY ONE family of decodable codes is known
- Mandatory to scramble the structure
19 History of systems
$G$, $G_1$, $G_2$: generator matrices of Gabidulin codes; $H$: parity-check matrix of a Gabidulin code.
- Scrambling matrix: $G_{pub}=SG+X$ [Gabidulin-Paramonov-Tretjakov 91]
- Right scrambler: $G_{pub}=S(G\mid Z)T$ [Gabidulin-Ourivski 01]
- Subcodes: $H_{pub}=S\begin{pmatrix}H\\ A\end{pmatrix}$ [Berger-L. 02]
- Reducible rank codes: $G_{pub}=S\begin{pmatrix}G_1&0\\ A&G_2\end{pmatrix}T$ [Ourivski-Gabidulin-Honary-Ammar 03], [Berger-L. 04]
20 Structural attacks [Overbeck06]
Principle, for $G_{pub}=S(G\mid Z)T$:
- Quasi-stability under the action of the Frobenius $\alpha\mapsto\alpha^q\stackrel{def}{=}\alpha^{[1]}$: $\mathrm{Gab}_k(g)\cap[\mathrm{Gab}_k(g)]^{[1]}=\mathrm{Gab}_{k-1}(g^{[1]})$
- Use the public key $G_{pub}=S(G\mid Z)T$ and compute the Frobenius-stacked matrix
$$\begin{pmatrix}G_{pub}\\ \vdots\\ G_{pub}^{[n-k-1]}\end{pmatrix}=\begin{pmatrix}S&&0\\ &\ddots&\\ 0&&S^{[n-k-1]}\end{pmatrix}\begin{pmatrix}G&Z\\ \vdots&\vdots\\ G^{[n-k-1]}&Z^{[n-k-1]}\end{pmatrix}T.$$
21 Proposition. If $\dim(\ker_r(G_{pub}))=1$, a decoder for the public code can be recovered in polynomial time.
Proof. In that case $\ker_r(G_{pub})=\{T^{-1}(\alpha h\mid 0)^T,\ \alpha\in\mathbb{F}_{q^m}\}$.
22 For security: choose $Z$ so that $\dim(\ker_r(G_{pub}))>1$.
Proposition. If $1\le\mathrm{Rk}(Z)\le(t_1-l)/(n-k)$, then $\dim(\ker_r(G_{pub}))\ge 1+l$.
Possible parameters: table of $m=n$, $k$, $\mathrm{Rk}(Z)$, $l$, $t_1$, key size, decoding, rate $k/n$ and improvement (entries garbled in the transcription: > % 35%, > % 33%).
Same problem with reducible rank codes. Modifications imply an increased public-key size.
23 AF-like systems
24 q-polynomials
Definition ([Øre33]). $P(z)=\sum_{i=0}^{t}p_i\,z^{q^i}$, $p_i\in\mathbb{F}_{q^m}$. If $p_t\neq0$, $\deg_q(P)\stackrel{def}{=}t$ is the q-degree of $P$.
Properties:
- Non-commutative ring with $+$ and $\circ$
- Euclidean algorithms on the left and on the right
- Polynomial-time interpolation and root-finding algorithms
25 Reconstruction problem
Parameters: $g\in\mathbb{F}_{q^m}^n$ support vector; $y\in\mathbb{F}_{q^m}^n$; $k,t$ integers
PR: find $P$ of q-degree $\le k$ such that $\mathrm{Rk}(P(g)-y)\le t$
Link with other problems:
- if $t\le(n-k)/2$: equivalent to decoding $\mathrm{Gab}_k(g)$
- if $t>(n-k)/2$: supposed to be difficult; LD($y,t$) is difficult
26 Description of the cryptosystem
Parameters: $g=(g_1,\dots,g_n)\in\mathbb{F}_{q^m}^n$, $k$
Private key:
- $E=(E_1,\dots,E_n)$ of rank $W>(n-k)/2$; there exists $Q\in GL_n(\mathbb{F}_q)$ such that $EQ=(\underbrace{0}_{n-W\text{ coords}}\mid\tilde E)$
- a q-polynomial $P$ of q-degree $k-1\le n-W$ over $\mathbb{F}_{q^m}$
Public key: $K=\underbrace{P(g)}_{\in\mathrm{Gab}_k(g)}+E$
Security assumption: PR($K,W$) difficult
27 Encryption and decryption
Encryption: $y=x(g)+\alpha K+e$, where $x$ has q-degree $\le k-2$, $e$ has rank $t\le(n-k-W)/2$ and $\alpha\in\mathbb{F}_{q^m}$ is random
Decryption: for a vector $v$, write $v\stackrel{def}{=}(\overbrace{\tilde v}^{n-W}\mid V)$. We have
$$yQ=\big(x(\tilde{gQ})+\alpha P(\tilde{gQ})+\tilde{eQ}\ \big|\ Y\big).$$
- Decode $\tilde{yQ}$ in $\mathrm{Gab}_k(\tilde{gQ})$ $\Rightarrow$ $(x+\alpha P)(\tilde{gQ})$
- Since $\deg_q(x)<\deg_q(P)$ $\Rightarrow$ $\alpha$
- Since $k-1\le n-W$ $\Rightarrow$ $x$
Security assumption: BDD($x(g)+\alpha K,t$) in some code is difficult
28 Possible attacks
Solving the system $\{V(y_i)=(V\circ x)(g_i)+V(\alpha K_i),\ i=1,\dots,n,\ \deg_q(V)\le t\}$.
Linearization: solve $V(y_i)=N(g_i)+U(K_i)$, $i=1,\dots,n$, with $\deg_q(V)\le t$, $\deg_q(N)\le k+t-2$, $\deg_q(U)\le t$: a linear system of $k+3t+1$ unknowns and $n$ equations.
29 Evolution of the system (I)
Parameters: $g=(g_1,\dots,g_n)\in\mathbb{F}_{q^m}^n$, $k$
Private key:
- $E_i\in\mathbb{F}_{q^m}^W$, $i=1,\dots,u$, of rank $W>(n-k)/2$
- $Q\in GL_n(\mathbb{F}_q)$
- $P_i$, $i=1,\dots,u$, of q-degree $k-1\le n-W$ over $\mathbb{F}_{q^m}$
Public key:
$$K_1=P_1(g)+(0\mid E_1)Q^{-1},\ \dots,\ K_u=P_u(g)+(0\mid E_u)Q^{-1},\qquad\mathrm{Rk}(E_1)=\dots=\mathrm{Rk}(E_u)=W>(n-k)/2$$
30 Evolution of the system (II)
Encryption: $y=x(g)+\sum_{i=1}^u\alpha_iK_i+e$, where $x$ has q-degree $\le k-u-1$, $e$ has rank $t\le(n-k-W)/2$ and $\alpha_i\in\mathbb{F}_{q^m}$ is random for all $i=1,\dots,u$
Decryption: we have
$$yQ=\Big(x(\tilde{gQ})+\sum_{i=1}^u\alpha_iP_i(\tilde{gQ})+\tilde{eQ}\ \Big|\ Y\Big).$$
- Decode $\tilde{yQ}$ in $\mathrm{Gab}_k(\tilde{gQ})$ $\Rightarrow$ $(x+\sum_i\alpha_iP_i)(\tilde{gQ})$
- Since $\deg_q(x)\le k-1-u$ $\Rightarrow$ $(\alpha_1,\dots,\alpha_u)$
- Since $k-u\le n-W$ $\Rightarrow$ $x$
31 Possible attacks
Decoding attacks: solve the system $V(y)=(V\circ x)(g)+\sum_{i=1}^uV(\alpha_iK_i)$ with $\deg_q(V)=\mathrm{Rk}(e)$, $\deg_q(x)=k-u-1$, $\alpha_i\in\mathbb{F}_{q^m}$
Structural attacks: set
$$K=\begin{pmatrix}K_1\\ \vdots\\ K_u\end{pmatrix}=\begin{pmatrix}P_1(g)\\ \vdots\\ P_u(g)\end{pmatrix}+\begin{pmatrix}0&E_1\\ \vdots&\vdots\\ 0&E_u\end{pmatrix}Q^{-1}.$$
Under some conditions one can apply Overbeck's approach to recover the secret elements.
32 Parameters
Compromise between attacks; not many choices for $u$. Table of $u$, $n=m$, $k$, $W$, $\mathrm{Rk}(e)$, key size and rate (entries garbled in the transcription).
33 Open problems
- Are the discussed problems really NP-hard?
- How to improve the arithmetic complexity of q-polynomials?
- Johnson bound for Gabidulin codes and list decoder?
- How to construct new decodable families of rank metric codes?
- What does the use of skew polynomials instead of q-polynomials change?