A Distinguisher-Based Attack on a Variant of McEliece's Cryptosystem Based on Reed-Solomon Codes

Baldi et \textit{al.} proposed a variant of McEliece's cryptosystem. The main idea is to replace its permutation matrix by adding to it a rank 1 matrix. The motivation for this change is twofold: it would allow the use of codes that were shown to be insecure in the original McEliece's cryptosystem, and it would reduce the key size while keeping the same security against generic decoding attacks. The authors suggest to use generalized Reed-Solomon codes instead of Goppa codes. The public code built with this method is not anymore a generalized Reed-Solomon code. On the other hand, it contains a very large secret generalized Reed-Solomon code. In this paper we present an attack that is built upon a distinguisher which is able to identify elements of this secret code. The distinguisher is constructed by considering the code generated by component-wise products of codewords of the public code (the so-called "square code"). By using square-code dimension considerations, the initial generalized Reed-Solomon code can be recovered which permits to decode any ciphertext. A similar technique has already been successful for mounting an attack against a homomorphic encryption scheme suggested by Bogdanoc et \textit{al.}. This work can be viewed as another illustration of how a distinguisher of Reed-Solomon codes can be used to devise an attack on cryptosystems based on them.Comment: arXiv admin note: substantial text overlap with arXiv:1203.668

Key Reduction of McEliece's Cryptosystem Using List Decoding

International audienceDifferent variants of the code-based McEliece cryptosystem were pro- posed to reduce the size of the public key. All these variants use very structured codes, which open the door to new attacks exploiting the underlying structure. In this paper, we show that the dyadic variant can be designed to resist all known attacks. In light of a new study on list decoding algorithms for binary Goppa codes, we explain how to increase the security level for given public keysizes. Using the state-of-the-art list decoding algorithm instead of unique decoding, we exhibit a keysize gain of about 4% for the standard McEliece cryptosystem and up to 21% for the adjusted dyadic variant

A tiny public key scheme based on Niederreiter Cryptosystem

Due to the weakness of public key cryptosystems encounter of quantum computers, the need to provide a solution was emerged. The McEliece cryptosystem and its security equivalent, the Niederreiter cryptosystem, which are based on Goppa codes, are one of the solutions, but they are not practical due to their long key length. Several prior attempts to decrease the length of the public key in code-based cryptosystems involved substituting the Goppa code family with other code families. However, these efforts ultimately proved to be insecure. In 2016, the National Institute of Standards and Technology (NIST) called for proposals from around the world to standardize post-quantum cryptography (PQC) schemes to solve this issue. After receiving of various proposals in this field, the Classic McEliece cryptosystem, as well as the Hamming Quasi-Cyclic (HQC) and Bit Flipping Key Encapsulation (BIKE), chosen as code-based encryption category cryptosystems that successfully progressed to the final stage. This article proposes a method for developing a code-based public key cryptography scheme that is both simple and implementable. The proposed scheme has a much shorter public key length compared to the NIST finalist cryptosystems. The key length for the primary parameters of the McEliece cryptosystem (n=1024, k=524, t=50) ranges from 18 to 500 bits. The security of this system is at least as strong as the security of the Niederreiter cryptosystem. The proposed structure is based on the Niederreiter cryptosystem which exhibits a set of highly advantageous properties that make it a suitable candidate for implementation in all extant systems

Cryptanalysis of McEliece Cryptosystem Based on Algebraic Geometry Codes and their subcodes

We give polynomial time attacks on the McEliece public key cryptosystem based either on algebraic geometry (AG) codes or on small codimensional subcodes of AG codes. These attacks consist in the blind reconstruction either of an Error Correcting Pair (ECP), or an Error Correcting Array (ECA) from the single data of an arbitrary generator matrix of a code. An ECP provides a decoding algorithm that corrects up to $\frac{d^*-1-g}{2}$ errors, where $d^*$ denotes the designed distance and $g$ denotes the genus of the corresponding curve, while with an ECA the decoding algorithm corrects up to $\frac{d^*-1}{2}$ errors. Roughly speaking, for a public code of length $n$ over $\mathbb F_q$, these attacks run in $O(n^4\log (n))$ operations in $\mathbb F_q$ for the reconstruction of an ECP and $O(n^5)$ operations for the reconstruction of an ECA. A probabilistic shortcut allows to reduce the complexities respectively to $O(n^{3+\varepsilon} \log (n))$ and $O(n^{4+\varepsilon})$. Compared to the previous known attack due to Faure and Minder, our attack is efficient on codes from curves of arbitrary genus. Furthermore, we investigate how far these methods apply to subcodes of AG codes.Comment: A part of the material of this article has been published at the conferences ISIT 2014 with title "A polynomial time attack against AG code based PKC" and 4ICMCTA with title "Crypt. of PKC that use subcodes of AG codes". This long version includes detailed proofs and new results: the proceedings articles only considered the reconstruction of ECP while we discuss here the reconstruction of EC