158 research outputs found
A Distinguisher for High Rate McEliece Cryptosystems
International audienceThe Goppa Code Distinguishing (GD) problem consists in distinguishing the matrix of a Goppa code from a random matrix. The hardness of this problem is an assumption to prove the security of code-based cryptographic primitives such as McEliece's cryptosystem. Up to now, it is widely believed that the GD problem is a hard decision problem. We present the first method allowing to distinguish alternant and Goppa codes over any field. Our technique can solve the GD problem in polynomial-time provided that the codes have sufficiently large rates. The key ingredient is an algebraic characterization of the key-recovery problem. The idea is to consider the rank of a linear system which is obtained by linearizing a particular polynomial system describing a key-recovery attack. Experimentally it appears that this dimension depends on the type of code. Explicit formulas derived from extensive experimentations for the rank are provided for "generic" random, alternant, and Goppa codes over any alphabet. Finally, we give theoretical explanations of these formulas in the case of random codes, alternant codes over any field of characteristic two and binary Goppa codes
A Distinguisher-Based Attack on a Variant of McEliece's Cryptosystem Based on Reed-Solomon Codes
Baldi et \textit{al.} proposed a variant of McEliece's cryptosystem. The main
idea is to replace its permutation matrix by adding to it a rank 1 matrix. The
motivation for this change is twofold: it would allow the use of codes that
were shown to be insecure in the original McEliece's cryptosystem, and it would
reduce the key size while keeping the same security against generic decoding
attacks. The authors suggest to use generalized Reed-Solomon codes instead of
Goppa codes. The public code built with this method is not anymore a
generalized Reed-Solomon code. On the other hand, it contains a very large
secret generalized Reed-Solomon code. In this paper we present an attack that
is built upon a distinguisher which is able to identify elements of this secret
code. The distinguisher is constructed by considering the code generated by
component-wise products of codewords of the public code (the so-called "square
code"). By using square-code dimension considerations, the initial generalized
Reed-Solomon code can be recovered which permits to decode any ciphertext. A
similar technique has already been successful for mounting an attack against a
homomorphic encryption scheme suggested by Bogdanoc et \textit{al.}. This work
can be viewed as another illustration of how a distinguisher of Reed-Solomon
codes can be used to devise an attack on cryptosystems based on them.Comment: arXiv admin note: substantial text overlap with arXiv:1203.668
A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes
Bogdanov and Lee suggested a homomorphic public-key encryption scheme based
on error correcting codes. The underlying public code is a modified
Reed-Solomon code obtained from inserting a zero submatrix in the Vandermonde
generating matrix defining it. The columns that define this submatrix are kept
secret and form a set . We give here a distinguisher that detects if one or
several columns belong to or not. This distinguisher is obtained by
considering the code generated by component-wise products of codewords of the
public code (the so called "square code"). This operation is applied to
punctured versions of this square code obtained by picking a subset
of the whole set of columns. It turns out that the dimension of the
punctured square code is directly related to the cardinality of the
intersection of with . This allows an attack which recovers the full set
and which can then decrypt any ciphertext.Comment: 11 page
A CCA2 Secure Variant of the McEliece Cryptosystem
The McEliece public-key encryption scheme has become an interesting
alternative to cryptosystems based on number-theoretical problems. Differently
from RSA and ElGa- mal, McEliece PKC is not known to be broken by a quantum
computer. Moreover, even tough McEliece PKC has a relatively big key size,
encryption and decryption operations are rather efficient. In spite of all the
recent results in coding theory based cryptosystems, to the date, there are no
constructions secure against chosen ciphertext attacks in the standard model -
the de facto security notion for public-key cryptosystems. In this work, we
show the first construction of a McEliece based public-key cryptosystem secure
against chosen ciphertext attacks in the standard model. Our construction is
inspired by a recently proposed technique by Rosen and Segev
Variations of the McEliece Cryptosystem
Two variations of the McEliece cryptosystem are presented. The first one is
based on a relaxation of the column permutation in the classical McEliece
scrambling process. This is done in such a way that the Hamming weight of the
error, added in the encryption process, can be controlled so that efficient
decryption remains possible. The second variation is based on the use of
spatially coupled moderate-density parity-check codes as secret codes. These
codes are known for their excellent error-correction performance and allow for
a relatively low key size in the cryptosystem. For both variants the security
with respect to known attacks is discussed
- …