3,376 research outputs found
Two attacks on rank metric code-based schemes: RankSign and an IBE scheme
International audienceRankSign [29] is a code-based signature scheme proposed to the NIST competition for quantum-safe cryptography [5] and, moreover , is a fundamental building block of a new Identity-Based-Encryption (IBE) [25]. This signature scheme is based on the rank metric and enjoys remarkably small key sizes, about 10KBytes for an intended level of security of 128 bits. Unfortunately we will show that all the parameters proposed for this scheme in [5] can be broken by an algebraic attack that exploits the fact that the augmented LRPC codes used in this scheme have very low weight codewords. Therefore, without RankSign the IBE cannot be instantiated at this time. As a second contribution we will show that the problem is deeper than finding a new signature in rank-based cryptography, we also found an attack on the generic problem upon which its security reduction relies. However, contrarily to the RankSign scheme, it seems that the parameters of the IBE scheme could be chosen in order to avoid our attack. Finally, we have also shown that if one replaces the rank metric in the [25] IBE scheme by the Hamming metric, then a devastating attack can be found
Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes
Encryption schemes based on the rank metric lead to small public key sizes of
order of few thousands bytes which represents a very attractive feature
compared to Hamming metric-based encryption schemes where public key sizes are
of order of hundreds of thousands bytes even with additional structures like
the cyclicity. The main tool for building public key encryption schemes in rank
metric is the McEliece encryption setting used with the family of Gabidulin
codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and
Tretjakov, many systems have been proposed based on different masking
techniques for Gabidulin codes. Nevertheless, over the years all these systems
were attacked essentially by the use of an attack proposed by Overbeck.
In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was
not in the McEliece setting. The scheme is very efficient, with small public
keys of size a few kiloBytes and with security closely related to the
linearized polynomial reconstruction problem which corresponds to the decoding
problem of Gabidulin codes. The structure of the scheme differs considerably
from the classical McEliece setting and until our work, the scheme had never
been attacked. We show in this article that this scheme like other schemes
based on Gabidulin codes, is also vulnerable to a polynomial-time attack that
recovers the private key by applying Overbeck's attack on an appropriate public
code. As an example we break concrete proposed bits security parameters in
a few seconds.Comment: To appear in Designs, Codes and Cryptography Journa
The MacWilliams Identity for the Hermitian Rank Metric
Error-correcting codes have an important role in data storage and
transmission and in cryptography, particularly in the post-quantum era.
Hermitian matrices over finite fields and equipped with the rank metric have
the potential to offer enhanced security with greater efficiency in encryption
and decryption. One crucial tool for evaluating the error-correcting
capabilities of a code is its weight distribution and the MacWilliams Theorem
has long been used to identify this structure of new codes from their known
duals. Earlier papers have developed the MacWilliams Theorem for certain
classes of matrices in the form of a functional transformation, developed using
-algebra, character theory and Generalised Krawtchouk polynomials, which is
easy to apply and also allows for moments of the weight distribution to be
found. In this paper, recent work by Kai-Uwe Schmidt on the properties of codes
based on Hermitian matrices such as bounds on their size and the eigenvalues of
their association scheme is extended by introducing a negative- algebra to
establish a MacWilliams Theorem in this form together with some of its
associated moments. The similarities in this approach and in the paper for the
Skew-Rank metric by Friedlander et al. have been emphasised to facilitate
future generalisation to any translation scheme.Comment: 39 pages. arXiv admin note: substantial text overlap with
arXiv:2210.1615
Lists that are smaller than their parts: A coding approach to tunable secrecy
We present a new information-theoretic definition and associated results,
based on list decoding in a source coding setting. We begin by presenting
list-source codes, which naturally map a key length (entropy) to list size. We
then show that such codes can be analyzed in the context of a novel
information-theoretic metric, \epsilon-symbol secrecy, that encompasses both
the one-time pad and traditional rate-based asymptotic metrics, but, like most
cryptographic constructs, can be applied in non-asymptotic settings. We derive
fundamental bounds for \epsilon-symbol secrecy and demonstrate how these bounds
can be achieved with MDS codes when the source is uniformly distributed. We
discuss applications and implementation issues of our codes.Comment: Allerton 2012, 8 page
Hiding Symbols and Functions: New Metrics and Constructions for Information-Theoretic Security
We present information-theoretic definitions and results for analyzing
symmetric-key encryption schemes beyond the perfect secrecy regime, i.e. when
perfect secrecy is not attained. We adopt two lines of analysis, one based on
lossless source coding, and another akin to rate-distortion theory. We start by
presenting a new information-theoretic metric for security, called symbol
secrecy, and derive associated fundamental bounds. We then introduce
list-source codes (LSCs), which are a general framework for mapping a key
length (entropy) to a list size that an eavesdropper has to resolve in order to
recover a secret message. We provide explicit constructions of LSCs, and
demonstrate that, when the source is uniformly distributed, the highest level
of symbol secrecy for a fixed key length can be achieved through a construction
based on minimum-distance separable (MDS) codes. Using an analysis related to
rate-distortion theory, we then show how symbol secrecy can be used to
determine the probability that an eavesdropper correctly reconstructs functions
of the original plaintext. We illustrate how these bounds can be applied to
characterize security properties of symmetric-key encryption schemes, and, in
particular, extend security claims based on symbol secrecy to a functional
setting.Comment: Submitted to IEEE Transactions on Information Theor
Variations of the McEliece Cryptosystem
Two variations of the McEliece cryptosystem are presented. The first one is
based on a relaxation of the column permutation in the classical McEliece
scrambling process. This is done in such a way that the Hamming weight of the
error, added in the encryption process, can be controlled so that efficient
decryption remains possible. The second variation is based on the use of
spatially coupled moderate-density parity-check codes as secret codes. These
codes are known for their excellent error-correction performance and allow for
a relatively low key size in the cryptosystem. For both variants the security
with respect to known attacks is discussed
- …