Cryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes
We give a polynomial time attack on the McEliece public key cryptosystem
based on subcodes of algebraic geometry (AG) codes. The proposed attack reposes
on the distinguishability of such codes from random codes using the Schur
product. Wieschebrink treated the genus zero case a few years ago but his
approach cannot be extended straightforwardly to other genera. We address this
problem by introducing and using a new notion, which we call the t-closure of a
code
Cryptanalysis of McEliece Cryptosystem Based on Algebraic Geometry Codes and their subcodes
We give polynomial time attacks on the McEliece public key cryptosystem based
either on algebraic geometry (AG) codes or on small codimensional subcodes of
AG codes. These attacks consist in the blind reconstruction either of an Error
Correcting Pair (ECP), or an Error Correcting Array (ECA) from the single data
of an arbitrary generator matrix of a code. An ECP provides a decoding
algorithm that corrects up to errors, where denotes
the designed distance and denotes the genus of the corresponding curve,
while with an ECA the decoding algorithm corrects up to
errors. Roughly speaking, for a public code of length over ,
these attacks run in operations in for the
reconstruction of an ECP and operations for the reconstruction of an
ECA. A probabilistic shortcut allows one to reduce the complexities respectively to
and . Compared to the
previously known attack due to Faure and Minder, our attack is efficient on codes
from curves of arbitrary genus. Furthermore, we investigate how far these
methods apply to subcodes of AG codes.
Comment: A part of the material of this article has been published at the
conferences ISIT 2014 with title "A polynomial time attack against AG code
based PKC" and 4ICMCTA with title "Crypt. of PKC that use subcodes of AG
codes". This long version includes detailed proofs and new results: the
proceedings articles only considered the reconstruction of ECP while we
discuss here the reconstruction of EC
Error-correcting pairs: a new approach to code-based cryptography
McEliece proposed the first public-key cryptosystem based on linear error-correcting codes. A code with an efficient bounded distance decoding algorithm is chosen as secret key. It is assumed that the chosen code looks like a random code. The known efficient bounded distance decoding algorithms of the families of codes proposed for code-based cryptography, like Reed-Solomon codes, Goppa codes, alternant codes or algebraic geometry codes, can be described in terms of error-correcting pairs (ECP). That means that the McEliece cryptosystem is not only based on the intractability of bounded distance decoding but also on the problem of retrieving an error-correcting pair from the public code. In this article we propose the class of codes with a t-ECP whose error-correcting pair is not easily reconstructed from a given generator matrix
New Identities Relating Wild Goppa Codes
For a given support and a polynomial with no roots in , we prove equality
between the -ary Goppa codes where
denotes the norm of , that is In
particular, for , that is, for a quadratic extension, we get
. If has roots in
, then we do not necessarily have equality and we prove that
the difference of the dimensions of the two codes is bounded above by the
number of distinct roots of in . These identities provide
numerous code equivalences and improved designed parameters for some families
of classical Goppa codes.
Comment: 14 page
Polynomial time attack on high rate random alternant codes
A long standing open question is whether the distinguisher of high rate
alternant codes or Goppa codes \cite{FGOPT11} can be turned into an algorithm
recovering the algebraic structure of such codes from the mere knowledge of an
arbitrary generator matrix of it. This would make it possible to break the McEliece scheme
as soon as the code rate is large enough and would break all instances of the
CFS signature scheme. We give for the first time a positive answer for this
problem when the code is {\em a generic alternant code} and when the code field
size is small: and for {\em all} regimes of other
parameters for which the aforementioned distinguisher works. This breakthrough
has been obtained by two different ingredients: (i) a way of using code
shortening and the component-wise product of codes to derive from the original
alternant code a sequence of alternant codes of decreasing degree up to getting
an alternant code of degree (with a multiplier and support related to those
of the original alternant code);
(ii) an original Gröbner basis approach which takes into account the non
standard constraints on the multiplier and support of an alternant code which
recovers in polynomial time the relevant algebraic structure of an alternant
code of degree from the mere knowledge of a basis for it
On the matrix code of quadratic relationships for a Goppa code
In this article, we continue the analysis started in \cite{CMT23} for the
matrix code of quadratic relationships associated with a Goppa code. We provide
new sparse and low-rank elements in the matrix code and categorize them
according to their shape. Thanks to this description, we prove that the set of
rank 2 matrices in the matrix codes associated with square-free binary Goppa
codes, i.e. those used in Classic McEliece, is much larger than what is
expected, at least in the case where the Goppa polynomial degree is 2. We build
upon the algebraic determinantal modeling introduced in \cite{CMT23} to derive
a structural attack on these instances. Our method can break in just a few
seconds some recent challenges about key-recovery attacks on the McEliece
cryptosystem, consistently reducing their estimated security level. We also
provide a general method, valid for any Goppa polynomial degree, to transform a
generic pair of support and multiplier into a pair of support and Goppa
polynomial
Variations of the McEliece Cryptosystem
Two variations of the McEliece cryptosystem are presented. The first one is
based on a relaxation of the column permutation in the classical McEliece
scrambling process. This is done in such a way that the Hamming weight of the
error, added in the encryption process, can be controlled so that efficient
decryption remains possible. The second variation is based on the use of
spatially coupled moderate-density parity-check codes as secret codes. These
codes are known for their excellent error-correction performance and allow for
a relatively low key size in the cryptosystem. For both variants the security
with respect to known attacks is discussed