List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem

Similar documents
List Decoding of Binary Goppa Codes up to the Binary Johnson Bound

A distinguisher for high-rate McEliece Cryptosystems

Code-Based Cryptography Error-Correcting Codes and Cryptography

Code Based Cryptography

Error-correcting Pairs for a Public-key Cryptosystem

Codes used in Cryptography

Wild McEliece Incognito

Errors, Eavesdroppers, and Enormous Matrices

Advances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago

Attacks in code based cryptography: a survey, new results and open problems

Code Based Cryptology at TU/e

A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem

Code-Based Cryptography McEliece Cryptosystem

Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

Post-Quantum Code-Based Cryptography

Cryptographic Engineering

Decoding Reed-Muller codes over product sets

McEliece type Cryptosystem based on Gabidulin Codes

Lecture 12: November 6, 2017

Code-based Cryptography

Hexi McEliece Public Key Cryptosystem

Notes 10: List Decoding Reed-Solomon Codes and Concatenated codes

Signing with Codes. c Zuzana Masárová 2014

Error-correcting codes and Cryptography

Enhanced public key security for the McEliece cryptosystem

CRYPTANALYSE EN TEMPS POLYNOMIAL DU SCHÉMA DE MCELIECE BASÉ SUR LES CODES

Distinguisher-Based Attacks on Public-Key Cryptosystems Using Reed-Solomon Codes

Cryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes

Error-correcting pairs for a public-key cryptosystem

Error-correcting codes and applications

A Polynomial Time Attack against Algebraic Geometry Code Based Public Key Cryptosystems

Attacking and defending the McEliece cryptosystem

Lecture Introduction. 2 Linear codes. CS CTT Current Topics in Theoretical CS Oct 4, 2012

Toward Secure Implementation of McEliece Decryption

An Overview to Code based Cryptography

Code-based cryptography

Constructive aspects of code-based cryptography

MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes

On the Use of Structured Codes in Code Based Cryptography 1. Nicolas Sendrier

On Generalized Reed-Solomon Codes Over Commutative and Noncommutative Rings

Coding Theory. Ruud Pellikaan MasterMath 2MMC30. Lecture 11.1 May

Recovering short secret keys of RLCE in polynomial time

A Lifting Decoding Scheme and its Application to Interleaved Linear Codes

Lecture Introduction. 2 Formal Definition. CS CTT Current Topics in Theoretical CS Oct 30, 2012

Post-Quantum Cryptography

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Error-correcting pairs for a public-key cryptosystem

An efficient structural attack on NIST submission DAGS

Channel Coding for Secure Transmissions

The BCH Bound. Background. Parity Check Matrix for BCH Code. Minimum Distance of Cyclic Codes

Reducing Key Length of the McEliece Cryptosystem

Polynomial interpolation over finite fields and applications to list decoding of Reed-Solomon codes

Lecture 9: List decoding Reed-Solomon and Folded Reed-Solomon codes

Compact McEliece keys based on Quasi-Dyadic Srivastava codes

Side-channel analysis in code-based cryptography

New Steganographic scheme based of Reed- Solomon codes

Cryptographic applications of codes in rank metric

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

Cryptanalysis of the Sidelnikov cryptosystem

An Efficient CCA2-Secure Variant of the McEliece Cryptosystem in the Standard Model

Security and complexity of the McEliece cryptosystem based on QC-LDPC codes

A Reaction Attack on the QC-LDPC McEliece Cryptosystem

Strengthening McEliece Cryptosystem

A Fuzzy Sketch with Trapdoor

Reed-Solomon codes. Chapter Linear codes over finite fields

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems

Quasi-dyadic CFS signatures

Algebraic Codes for Error Control

Lecture 19 : Reed-Muller, Concatenation Codes & Decoding problem

List Decoding of Reed Solomon Codes

Lecture B04 : Linear codes and singleton bound

Algebraic Cryptanalysis of Compact McEliece s Variants Toward a Complexity Analysis

LDPC codes in the McEliece cryptosystem: attacks and countermeasures

Code-based Cryptography

Generalized subspace subcodes with application in cryptology

The Support Splitting Algorithm and its Application to Code-based Cryptography

Low Rank Parity Check codes and their application to cryptography

On Irreducible Polynomial Remainder Codes

EE512: Error Control Coding

Notes 10: Public-key cryptography

Algebraic Cryptanalysis of Compact McEliece s Variants Toward a Complexity Analysis

An Overview on Post-Quantum Cryptography with an Emphasis. an Emphasis on Code based Systems

Error Correcting Codes Questions Pool

FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes

Code-based Cryptography

Construction of Real Algebraic Numbers in Coq

Decoding One Out of Many

Simple Matrix Scheme for Encryption (ABC)

Wild McEliece Incognito

An Interpolation Algorithm for List Decoding of Reed-Solomon Codes

Computing Error Distance of Reed-Solomon Codes

MATH32031: Coding Theory Part 15: Summary

Post-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017

On the Security of Some Cryptosystems Based on Error-correcting Codes

ECEN 604: Channel Coding for Communications

Computing over Z, Q, K[X]

Efficient Root Finding of Polynomials over Fields of Characteristic 2.

Chapter 6 Reed-Solomon Codes. 6.1 Finite Field Algebra 6.2 Reed-Solomon Codes 6.3 Syndrome Based Decoding 6.4 Curve-Fitting Based Decoding

R. A. Carrasco and M. Johnston, Non-Binary Error Control Coding Cork 2009

Transcription:

List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem Morgan Barbier morgan.barbier@lix.polytechnique.fr École Polytechnique INRIA Saclay - Île de France 14 April 2011 University of Caen M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 1 / 39

Outline 1 Introduction Principles of list decoding Johnson s bounds 2 Decoding of Reed-Solomon codes Berlekamp-Welsh s decoding Sudan s algorithm Guruswami-Sudan s algorithm 3 List decoding of Goppa codes Goppa codes List decoding 4 Application to McEliece M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 2 / 39

Definitions Definition (Linear code) A linear code C over F q, of length n and dimension k, is vectorial subspace of F n q of dimension k. Definition (Distances) Let x, y F n q, and C be an [n, k] linear code. The Hamming distance d(x, y) and the minimum distance, noted d, of C are given by : d(x, y) = # {i : x i y i }. d = min d(x, y). x y C M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 3 / 39

Encoding and decoding Let C be an [n, k, d] linear code over F q, m F k q be a message, e F n q be a error vector. We define E and D in the following way : E : F k q C, D : F n q F k q {?}, { m, if w(e) d 1 D(E(m) + e) = 2 m or?, if w(e) > d 1 2 Where w(e) is the Hamming weight of e. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 4 / 39

Representation M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 5 / 39

Representation M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 6 / 39

Representation M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 7 / 39

Representation M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 8 / 39

Johnson s bounds Theorem Let v F n q and e be an integer such that then B(v, e) C n 2. e < J(n, d, q) n q 1 q ( 1 ) 1 q d, q 1 n When q +, we obtain the generic Johnson bound : For the binary case : q = 2 J(n, d) = n n J(n, d, 2) = n 2 n 2 1 d n. 1 2d n. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 9 / 39

Comparison of the Johnson bounds e/n : normalised error capacity 0.5 0.4 0.3 0.2 0.1 Binary Johnson s bound Generic Johnson s bound Unambiguous bound 0 0 0.1 0.2 0.3 0.4 0.5 d/n : normalised minimum distance M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 10 / 39

Reed-Solomon codes Definition (Reed-Solomon codes as evaluation codes) Let α 1,..., α n be different elements of F q. A Reed-Solomon code of length n and dimension k over F q is RS[n, k] {(P(α 1 ),..., P(α n )) : P P k }, where P k = {P F q [X ] / deg(p) < k}. = n q implies that the field is large enough. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 11 / 39

Encoding and decoding of Reed-Solomon codes Let P(X ) P k, then P(X ) = k 1 i=0 P ix i. We can write P = (P 0,..., P k 1 ) F k q. The encoding function E is : m F k q P k, E(m) = (m(α 1 ),..., m(α n )). Usually, the decoding step consists in finding the element m in polynomial form. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 12 / 39

Decoding context Let α 1,..., α n F q, C be the [n, k, d = n k + 1] Reed-Solomon code over F q and c C, then P P k such that c = (P(α 1 ),..., P(α n )). Let the received word y = (y 1,..., y n ) F n q be such that y = c + e. Where e F n q and w(e) t d 1 2. From y, we have to compute P such that y = (P(α 1 ) + e 1,..., P(α n ) + e n ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 13 / 39

Berlekamp-Welsh s idea At least n t points such that e i = 0, so for these points y i = P(α i ). Compute Q(X, Y ) F q [X, Y ] such that Q(X, Y ) = Q 0 (X ) + Y Q 1 (X ), Q(α i, y i ) = 0, i {1,..., n} (1) deg(q 0 (X )) n t 1, (2) deg(q 1 (X )) n t k, (3) with Q 0 (X ), Q 1 (X ) F q [X ]. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 14 / 39

Computation of P(X ) Theorem A polynomial Q(X, Y ) F q [X, Y ] satisfying the previous constraints always exists. Theorem The polynomial Q(X, P(X )) F q [X ] is the null polynomial. Q(X, P(X )) = Q 0 (X ) + P(X )Q 1 (X ) = 0 = P(X ) = Q 0(X ) Q 1 (X ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 15 / 39

Algorithm Berlekamp-Welsh Input : y the received word, C a Reed-Solomon code. Output : P(X ) the codeword in polynomial form. Q(X, Y ) Interpolation BW ((α i, y i ) i=1,...,n ), P(x) Q 0(X ) Q 1 (X ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 16 / 39

Main idea of Sudan s algorithm Decoding τ > t errors, = different codeword candidates, = different Y -linear factors of Q(X, Y ). Q(X, Y ) = Q 0 (X ) + YQ 1 (X ) +... + Y l Q l (X ), Q(α i, y i ) = 0, i {1,..., n}, deg(q j (X )) n τ 1 j(k 1), j {0,..., l}. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 17 / 39

Computation of P(X ) Theorem A polynomial Q(X, Y ) F q [X, Y ] satisfying the previous conditions always exists. Theorem The polynomial Q(X, P(X )) F q [X ] is the null polynomial. The previous theorem gives Q(X, P(X )) = 0 then P(X ) is a root of Q X (Y ) F q [X ][Y ]. = Y P(X ) Q(X, Y ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 18 / 39

Algorithm Sudan Input : y the received word, C a Reed-Solomon code. Output : (P 1 (X ),..., P l (X )) a list of codewords. Q(X, Y ) Interpolation S ((α i, y i ) i=1,...,n ). (P 1 (X ),..., P l (X )) LinearFactors(Q(X, Y )), M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 19 / 39

Extension of Sudan s algorithm Let P i and P j be two polynomials in the output list. Then it exists k {1,..., n} such that P i (α k ) = P j (α k ) = y k, so (α k, y k ) is a zero of Q(X, Y ) of order at least two. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 20 / 39

Extension of Sudan s algorithm Let P i and P j be two polynomials in the output list. Then it exists k {1,..., n} such that P i (α k ) = P j (α k ) = y k, so (α k, y k ) is a zero of Q(X, Y ) of order at least two. = add multiplicity constraints during the interpolation step of Q(X, Y ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 20 / 39

Extension of Sudan s algorithm Let P i and P j be two polynomials in the output list. Then it exists k {1,..., n} such that P i (α k ) = P j (α k ) = y k, so (α k, y k ) is a zero of Q(X, Y ) of order at least two. = add multiplicity constraints during the interpolation step of Q(X, Y ). Definition (Multiplicity) Let (a, b) F 2 q and Q(X + a, Y + b) = i,j q i,j X i Y j. The point (a, b) is a zero of Q(X, Y ) of mutiplicity s N, if Q(a, b) = 0, i, j such that i + j < s then q i,j = 0, and s is the larger integer satisfying this property. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 20 / 39

Q(X, Y ) in the case of GS Theorem Q(X, Y ) = Q 0 (X ) + YQ 1 (X ) +... + Y l Q l (X ), Q(α i, y i ) = 0, i {1,..., n} with multiplicity s, deg(q j (X )) s(n τ) 1 j(k 1), j {0,..., l}. The polynomial Q(X, Y ) F q [X, Y ] satisfying the previous conditions always exist. Theorem The polynomial Q(X, P(X )) F q [X ] is the null polynomial. = Y P(X ) Q(X, Y ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 21 / 39

Algorithm Guruswami-Sudan Input : y the received word, C a Reed-Solomon code. Output : (P 1 (X ),..., P l (X )) a list of codewords. Q(X, Y ) Interpolation GS ((α i, y i ) i=1,...,n, s). (P 1 (X ),..., P l (X )) LinearFactors(Q(X, Y )). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 22 / 39

Decoding of Reed-Solomon codes Berlekamp-Welsh : Compute Q(X, Y ) Q 0 (X ) + Q 1 (X )Y such that Q(α i, y i ) = 0. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 23 / 39

Decoding of Reed-Solomon codes Berlekamp-Welsh : Compute Q(X, Y ) Q 0 (X ) + Q 1 (X )Y such that Q(α i, y i ) = 0. Y P(X ) Q(X, Y ) M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 23 / 39

Decoding of Reed-Solomon codes Berlekamp-Welsh : Compute Q(X, Y ) Q 0 (X ) + Q 1 (X )Y such that Q(α i, y i ) = 0. Y P(X ) Q(X, Y ) Sudan : Compute Q(X, Y ) Q 0 (X ) + + Q l (X )Y l such that Q(α i, y i ) = 0. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 23 / 39

Decoding of Reed-Solomon codes Berlekamp-Welsh : Compute Q(X, Y ) Q 0 (X ) + Q 1 (X )Y such that Q(α i, y i ) = 0. Y P(X ) Q(X, Y ) Sudan : Compute Q(X, Y ) Q 0 (X ) + + Q l (X )Y l such that Q(α i, y i ) = 0. Guruswami-Sudan : Compute Q(X, Y ) Q 0 (X ) + + Q l (X )Y l such that Q(α i, y i ) = 0 with multiplicities. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 23 / 39

Definitions Definition (Subfield subcode) Let C be a code over F p m of length n. The subfield subcode C of C over F p e, with e m is given by C C F n p e. Definition (Generalised Reed-Solomon GRS) Let β 1,..., β n be distinct elements of F q and α 1,..., α n be distinct elements of F q. The Generalised Reed-Solomon code (GRS) is given by GRS k [(β i ) i, (α i ) i ] {(β 1 P(α 1 ),..., β n P(α n )) : P P k }. Definition (Alternant codes) The code C is called alternant if C is a subfield subcode of a GRS. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 24 / 39

Goppa codes Definition (Goppa codes as alternant codes) Let α 1,..., α n be distinct elements of F p m, G(X ) a polynomial over F p m of degree r such that i n, G(α i ) 0. The Goppa code over F p e is given by : Γ ((α i ) i, G) GRS n r [(β i ) i, (α i ) i ] F n p e, where β i = G(α i ) j i (α i α j ). length n, dimension n mr, minimum distance r + 1. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 25 / 39

Particular property Theorem Let α 1,..., α n be distinct elements of F 2 m, G(X ) a polynomial over F 2 m of degree r such that i, G(α i ) 0. If G(X ) is square-free (without multiple roots) then Γ((α i ) i, G) = Γ((α i ) i, G 2 ). length n, dimension n mr, minimum distance 2r + 1. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 26 / 39

Context of decoding Let Γ((α i ) i, G) be a binary Goppa code of length n, where G is a square-free polynomial of degree r, and let y F n 2 be the received word. It exists e F n 2 and P(X ) F 2m[X ] of degree strictly less than n r, such that y = (β 1 P(α 1 ) + e 1,..., β n P(α n ) + e n ), where β i = G(α i ) j i (α i α j ). Decode y find P. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 27 / 39

Decoding Let Γ((α i ) i, G) be a binary Goppa code of length n, where G is a square-free polynomial of degree r, and y F n 2. Compute Q(X, Y ) l j=0 Q j(x )Y j such that Q(X, Y ) 0, Q(x i, y i β 1 i ) = 0 with multiplicity s(1 J 2 /n), Q(x i, zβ 1 i ) = 0 with multiplicity sj 2 /n, z F 2 \ {y i }, ( deg(q j ) < sn (1 J 2 /n) 2 + (J 2 /n) 2) j(n mr 1), j {1,..., l}, M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 28 / 39

Computation of P(X ) Theorem The polynomial Q(X, Y ) F p m[x, Y ] satisfying the previous conditions always exists. Theorem The polynomial Q(X, P(X )) F q [X ] is the null polynomial. = Y P(X ) Q(X, Y ). M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 29 / 39

Algorithm Augot, B., Couvreur Input : y the received word, Γ((α i ) i, G) the Goppa code. Output : (c 1 (X ),..., c l (X )) a list of codewords. Q(X, Y ) Interpolation ABC (y, Γ). (P 1 (X ),..., P l (X )) LinearFactors(Q(X, Y )). For i [1, l] do ci (β 1 P i (α 1 ),..., β n P i (α n )) ; end for M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 30 / 39

Correction Radii e/n : normalised error capacity 0.5 0.4 0.3 0.2 0.1 Our method GS BW 0 0 0.1 0.2 0.3 0.4 0.5 d/n : normalised minimum distance M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 31 / 39

Complexity Theorem To decode a square-free binary Goppa code up to the binary Johnson bound ( ) n J 2 (n, r) = 1 1 4r + 2 1 2 n our algorithm runs in O(n 7 ) field operations. Theorem To decode up to (1 ɛ)j 2, our algorithm runs in O(n 2 ɛ 5 ) field operations. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 32 / 39

Context of McEliece Choose : Γ((α i ) i, G) a Goppa code, G a generator matrix of Γ, S an invertible matrix, P a permutation matrix. Public key : (SGP, r). Secret key : (S 1, G, P 1 ). Encryption : m the message, c = msgp + e, s.t. w(e) = r Decryption : c = cp 1, m = Dec(c ), m = m S 1 M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 33 / 39

List decoding and McEliece Two types of attack : structural attack and decoding attack. = adding more errors makes the decoding attacks more difficult and does not add any structure. The encryption and decryption steps of McEliece s cryptosystem are fast, but have large keys. = tradeoff between decrease the keysize and increase the time of decryption (decoding). How to find the original plaintext? = use CCA2 McEliece variants. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 34 / 39

Key reduction for the generic variant of McEliece Method m n k r τ 2 WF Keysize gain U.D. 11 1670 1285 35 80.0064 494725 L.D. 11 1676 1324 32 33 80.0183 466048 5.80 U.D. 12 2677 2101 48 112.022 1210176 L.D. 12 2353 1657 58 60 112.032 1153272 4.70 U.D. 12 3059 2387 56 128.001 1604064 L.D. 12 2768 2012 63 65 128.029 1521072 5.17 U.D. 13 4996 3852 88 192.002 4406688 L.D. 12 4046 2654 116 120 192.006 3694368 16.16 U.D. 13 6718 5171 119 256.006 7999537 L.D. 13 6357 4745 124 127 256.026 7648940 4.38 M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 35 / 39

The dyadic variant is broken? Dyadic codes : quasi-cyclic of Goppa codes. Structural attack : Faugère, Otmani, Perret and Tillich. = find the structure of alternant code by a Groebner basis computation but 1 does not find the Goppa structure (i.e. G the Goppa polynomial), 2 space memory too large for m 16. M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 36 / 39

Key reduction for the dyadic variant r(r + 1) > n Method m n k r τ 2 WF Keysize gain U.D. 11 1792 1088 64 82.518 11968 L.D. 11 1728 1024 64 67 82.976 11264 5.88 U.D. 12 2944 1408 128 116.735 16896 L.D. 13 2816 1280 128 134 113.896 15360 9.09 L.D. 13 7680 1024 512 552 113.084 13312 21.21 U.D. 12 3200 1664 128 131.235 19968 L.D. 12 3072 1536 128 134 129.745 18432 7.69 U.D. 13 5888 2560 256 205.804 33280 L.D. 13 5632 2304 256 269 199.473 29952 10.00 U.D. 15 11264 3584 512 279.002 53760 L.D. 15 10752 3072 512 539 258.223 46080 14.29 M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 37 / 39

Key reduction for the dyadic variant m 16 Method m n k r τ 2 WF Keysize gain U.D. 16 3072 1024 128 83.2917 16384 L.D. 16 3072 1024 128 134 86.819 16384 0 U.D. 16 5632 1536 256 126.439 24576 L.D. 16 5376 1280 256 270 114.841 20480 16.66 U.D. 16 9728 1536 512 136.433 24576 L.D. 16 9728 1536 512 563 149.56 24576 0 U.D. 16 10752 2560 512 210.959 40960 L.D. 16 18432 2048 1024 1088 195.89 32768 20 U.D. 16 19456 3072 1024 265.418 49152 L.D. 16 19456 3072 1024 1167 302.507 49152 0 M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 38 / 39

List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem Morgan Barbier morgan.barbier@lix.polytechnique.fr École Polytechnique INRIA Saclay - Île de France 14 April 2011 University of Caen M. Barbier (LIX) List decoding of Goppa codes Caen, 2011 April 39 / 39

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback