404 research outputs found
Reed-solomon forward error correction (FEC) schemes, RFC 5510
This document describes a Fully-Specified Forward Error Correction (FEC) Scheme for the Reed-Solomon FEC codes over GF(2^^m), where m is in {2..16}, and its application to the reliable delivery of data objects on the packet erasure channel (i.e., a communication path where packets are either received without any corruption or discarded during transmission). This document also describes a Fully-Specified FEC Scheme for the special case of Reed-Solomon codes over GF(2^^8) when there is no encoding symbol group. Finally, in the context of the Under-Specified Small Block Systematic FEC Scheme (FEC Encoding ID 129), this document assigns an FEC Instance ID to the special case of Reed-Solomon codes over GF(2^^8).
Reed-Solomon codes belong to the class of Maximum Distance Separable (MDS) codes, i.e., they enable a receiver to recover the k source symbols from any set of k received symbols. The schemes described here are compatible with the implementation from Luigi Rizzo
Cryptographic applications of sparse polynomials over finite rings
This is a preprint of a book chapter published in Lecture Notes in Computer Science, 2015, Springer-Verlag, Berlin (2001). The original publication is available at www.springerlink.com.This paper gives new examples that exploit the idea of using sparse polynomials with restricted coefficients over a finite ring for designing fast, reliable cryptosystems and identification schemes
Twisted Polynomials and Forgery Attacks on GCM
Polynomial hashing as an instantiation of universal hashing is a widely employed method for the construction of MACs and authenticated encryption
(AE) schemes, the ubiquitous GCM being a prominent example. It is also
used in recent AE proposals within the CAESAR competition which aim at
providing nonce misuse resistance, such as POET. The algebraic structure
of polynomial hashing has given rise to security concerns: At
CRYPTO~2008, Handschuh and Preneel describe key recovery attacks, and at
FSE~2013, Procter and Cid provide a comprehensive framework for forgery
attacks. Both approaches rely heavily on the ability to construct
\emph{forgery polynomials} having disjoint sets of roots, with many roots
(``weak keys\u27\u27) each. Constructing such polynomials beyond naïve
approaches is crucial for these attacks, but still an open problem.
In this paper, we comprehensively address this issue. We propose to use
\emph{twisted polynomials} from Ore rings as forgery polynomials. We
show how to construct sparse forgery polynomials with full control over
the sets of roots. We also achieve complete and explicit disjoint
coverage of the key space by these polynomials. We furthermore leverage
this new construction in an improved key recovery algorithm.
As cryptanalytic applications of our twisted polynomials, we
develop the first universal forgery attacks on GCM in the weak-key
model that do not require nonce reuse. Moreover, we present universal
weak-key forgery attacks for the recently proposed nonce-misuse resistant
AE schemes POET, Julius, and COBRA
An identification scheme based on sparse polynomials
This is a preprint of a book chapter published in Lecture Notes in Computer Science,1751, Springer-Verlag, Berlin (2000). The original publication is available at www.springerlink.com.This paper gives a new example of exploiting the idea of using polynomials with restricted coefficients over finite fields and rings to construct reliable cryptosystems and identification schemes
A kilobit hidden SNFS discrete logarithm computation
We perform a special number field sieve discrete logarithm computation in a
1024-bit prime field. To our knowledge, this is the first kilobit-sized
discrete logarithm computation ever reported for prime fields. This computation
took a little over two months of calendar time on an academic cluster using the
open-source CADO-NFS software. Our chosen prime looks random, and
has a 160-bit prime factor, in line with recommended parameters for the Digital
Signature Algorithm. However, our p has been trapdoored in such a way that the
special number field sieve can be used to compute discrete logarithms in
, yet detecting that p has this trapdoor seems out of reach.
Twenty-five years ago, there was considerable controversy around the
possibility of back-doored parameters for DSA. Our computations show that
trapdoored primes are entirely feasible with current computing technology. We
also describe special number field sieve discrete log computations carried out
for multiple weak primes found in use in the wild. As can be expected from a
trapdoor mechanism which we say is hard to detect, our research did not reveal
any trapdoored prime in wide use. The only way for a user to defend against a
hypothetical trapdoor of this kind is to require verifiably random primes
ADSNARK: Nearly practical and privacy-preserving proofs on authenticated data
We study the problem of privacy-preserving proofs on authenticated data, where a party receives data from a trusted source and is requested to prove computations over the data to third parties in a correct and private way, i.e., the third party learns no information on the data but is still assured that the claimed proof is valid. Our work particularly focuses on the challenging requirement that the third party should be able to verify the validity with respect to the specific data authenticated by the source — even without having access to that source. This problem is motivated by various scenarios emerging from several application areas such as wearable computing, smart metering, or general business-to-business interactions. Furthermore, these applications also demand any meaningful solution to satisfy additional properties related to usability and scalability. In this paper, we formalize the above three-party model, discuss concrete application scenarios, and then we design, build, and evaluate ADSNARK, a nearly practical system for proving arbitrary computations over authenticated data in a privacy-preserving manner. ADSNARK improves significantly over state-of-the-art solutions for this model. For instance, compared to corresponding solutions based on Pinocchio (Oakland’13), ADSNARK achieves up to 25× improvement in proof-computation time and a 20× reduction in prover storage space
Polynomial-Time Algorithms for Quadratic Isomorphism of Polynomials: The Regular Case
Let and be
two sets of nonlinear polynomials over
( being a field). We consider the computational problem of finding
-- if any -- an invertible transformation on the variables mapping
to . The corresponding equivalence problem is known as {\tt
Isomorphism of Polynomials with one Secret} ({\tt IP1S}) and is a fundamental
problem in multivariate cryptography. The main result is a randomized
polynomial-time algorithm for solving {\tt IP1S} for quadratic instances, a
particular case of importance in cryptography and somewhat justifying {\it a
posteriori} the fact that {\it Graph Isomorphism} reduces to only cubic
instances of {\tt IP1S} (Agrawal and Saxena). To this end, we show that {\tt
IP1S} for quadratic polynomials can be reduced to a variant of the classical
module isomorphism problem in representation theory, which involves to test the
orthogonal simultaneous conjugacy of symmetric matrices. We show that we can
essentially {\it linearize} the problem by reducing quadratic-{\tt IP1S} to
test the orthogonal simultaneous similarity of symmetric matrices; this latter
problem was shown by Chistov, Ivanyos and Karpinski to be equivalent to finding
an invertible matrix in the linear space of matrices over and to compute the square root in a matrix
algebra. While computing square roots of matrices can be done efficiently using
numerical methods, it seems difficult to control the bit complexity of such
methods. However, we present exact and polynomial-time algorithms for computing
the square root in for various fields (including
finite fields). We then consider \\#{\tt IP1S}, the counting version of {\tt
IP1S} for quadratic instances. In particular, we provide a (complete)
characterization of the automorphism group of homogeneous quadratic
polynomials. Finally, we also consider the more general {\it Isomorphism of
Polynomials} ({\tt IP}) problem where we allow an invertible linear
transformation on the variables \emph{and} on the set of polynomials. A
randomized polynomial-time algorithm for solving {\tt IP} when
is presented. From an algorithmic point
of view, the problem boils down to factoring the determinant of a linear matrix
(\emph{i.e.}\ a matrix whose components are linear polynomials). This extends
to {\tt IP} a result of Kayal obtained for {\tt PolyProj}.Comment: Published in Journal of Complexity, Elsevier, 2015, pp.3
Some Notes on Code-Based Cryptography
This thesis presents new cryptanalytic results in several areas of coding-based cryptography. In addition, we also investigate the possibility of using convolutional codes in code-based public-key cryptography. The first algorithm that we present is an information-set decoding algorithm, aiming towards the problem of decoding random linear codes. We apply the generalized birthday technique to information-set decoding, improving the computational complexity over previous approaches. Next, we present a new version of the McEliece public-key cryptosystem based on convolutional codes. The original construction uses Goppa codes, which is an algebraic code family admitting a well-defined code structure. In the two constructions proposed, large parts of randomly generated parity checks are used. By increasing the entropy of the generator matrix, this presumably makes structured attacks more difficult. Following this, we analyze a McEliece variant based on quasi-cylic MDPC codes. We show that when the underlying code construction has an even dimension, the system is susceptible to, what we call, a squaring attack. Our results show that the new squaring attack allows for great complexity improvements over previous attacks on this particular McEliece construction. Then, we introduce two new techniques for finding low-weight polynomial multiples. Firstly, we propose a general technique based on a reduction to the minimum-distance problem in coding, which increases the multiplicity of the low-weight codeword by extending the code. We use this algorithm to break some of the instances used by the TCHo cryptosystem. Secondly, we propose an algorithm for finding weight-4 polynomials. By using the generalized birthday technique in conjunction with increasing the multiplicity of the low-weight polynomial multiple, we obtain a much better complexity than previously known algorithms. Lastly, two new algorithms for the learning parities with noise (LPN) problem are proposed. The first one is a general algorithm, applicable to any instance of LPN. The algorithm performs favorably compared to previously known algorithms, breaking the 80-bit security of the widely used (512,1/8) instance. The second one focuses on LPN instances over a polynomial ring, when the generator polynomial is reducible. Using the algorithm, we break an 80-bit security instance of the Lapin cryptosystem
- …