13 research outputs found
Cryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes
We give a polynomial time attack on the McEliece public key cryptosystem
based on subcodes of algebraic geometry (AG) codes. The proposed attack relies
on the distinguishability of such codes from random codes using the Schur
product. Wieschebrink treated the genus zero case a few years ago, but his
approach cannot be extended straightforwardly to other genera. We address this
problem by introducing and using a new notion, which we call the t-closure of a
code.
Distributed application for cryptanalysis of public-key cryptosystems
The thesis studies the potential of a distributed application for the cryptanalysis of public-key cryptosystems. It explains the relation between popular public-key cryptosystems, such as the RSA cipher, the Diffie-Hellman key exchange and the ElGamal cipher, and the problems of integer factorization and the discrete logarithm. Numerical methods exist for solving these problems, and the most effective ones are described in the thesis. For the discrete logarithm problem, methods such as Shanks' baby-step giant-step algorithm and the index calculus method are described. For the integer factorization problem, methods such as Pollard's rho method, Dixon's random squares method, the quadratic sieve and the general number field sieve are described. The topic of the thesis was addressed by creating a distributed application, composed of a web application and a desktop application. The web application represents the master node of the distributed system; users employ it to manage tasks in the system, and it also provides the basic functionality for distributing tasks to the slave nodes. The slave nodes are represented by the desktop application, which is the part where the described numerical methods for integer factorization and the discrete logarithm are implemented. Finally, the usability of the distributed application in real situations is analyzed by measuring the efficiency of the methods and their potential in a distributed application. It is shown that the distributed application represents a usable approach for solving these kinds of problems. However, it is also shown that if the cryptographer makes no mistake when implementing the described cryptosystems, it is almost impossible to succeed in cryptanalyzing them. The thesis analyzes an important issue related to the security of the public-key cryptosystems in use today. The issue is relevant not only for scientific purposes but also has many practical consequences.
Optimal Asymmetric Data Encryption Algorithm
Today, public-key cryptosystems are particularly vulnerable to chosen-ciphertext and adaptive chosen-plaintext attacks. To prevent such attacks, optimal asymmetric algorithms such as RSA-OAEP are used in practice. In this article, using the method of encoding messages as points of an elliptic curve, an optimal asymmetric algorithm for data encryption based on elliptic curves is proposed.
Towards the security of McEliece's cryptosystem based on Hermitian subfield subcodes
The purpose of this paper is to provide a comprehensive security analysis for the parameter selection process, which involves the computational cost of the information set decoding (ISD) algorithm using the parameters of subfield subcodes of 1-point Hermitian codes.
Is it hard to retrieve an error-correcting pair?
Code-based cryptography is an interesting alternative to classic number-theory Public-Key Cryptosystems (PKC) since it is conjectured to be secure against quantum computer attacks. Many families of codes have been proposed for these cryptosystems. One of the main requirements is having high-performance t-bounded decoding algorithms, which is achieved in the case the code has a t-error correcting pair (ECP). The class of codes with a t-ECP is proposed for the McEliece cryptosystem. The hardness of retrieving the t-ECP for a given code is considered. To this end we have to solve a large system of bilinear equations. Two possible induction procedures are considered, one for sub/super ECPs and one by puncturing/shortening. In both procedures, in every step only a few bilinear equations need to be solved.
Variations of the McEliece Cryptosystem
Two variations of the McEliece cryptosystem are presented. The first one is
based on a relaxation of the column permutation in the classical McEliece
scrambling process. This is done in such a way that the Hamming weight of the
error, added in the encryption process, can be controlled so that efficient
decryption remains possible. The second variation is based on the use of
spatially coupled moderate-density parity-check codes as secret codes. These
codes are known for their excellent error-correction performance and allow for
a relatively low key size in the cryptosystem. For both variants the security
with respect to known attacks is discussed.
On Linear Codes with Random Multiplier Vectors and the Maximum Trace Dimension Property
Let be a linear code of length and dimension over the finite
field . The trace code is a linear code of
the same length over the subfield . The obvious upper bound
for the dimension of the trace code over is . If equality
holds, then we say that has maximum trace dimension. The problem of finding
the true dimension of trace codes and their duals is relevant for the size of
the public key of various code-based cryptographic protocols. Let
denote the code obtained from and a multiplier vector
. In this paper, we give a lower bound for
the probability that a random multiplier vector produces a code
of maximum trace dimension. We give an interpretation of the
bound for the class of algebraic geometry codes in terms of the degree of the
defining divisor. The bound explains the experimental fact that random
alternant codes have minimal dimension. Our bound holds whenever , where is the Singleton defect of . For the extremal case
, numerical experiments reveal a close connection between the
probability of having maximum trace dimension and the probability that a random
matrix has full rank.
Cryptanalysis of public-key cryptosystems based on algebraic geometry codes
This paper addresses the question of retrieving the triple (X, P, E) from the algebraic geometry code CL(X, P, E), where X is an algebraic curve over the finite field Fq, P is an n-tuple of Fq-rational points on X and E is a divisor on X. If deg(E) ≥ 2g+1, where g is the genus of X, then there is an embedding of X onto Y in the projective space of the linear series of the divisor E. Moreover, if deg(E) ≥ 2g+2, then I(Y), the vanishing ideal of Y, is generated by I2(Y), the homogeneous elements of degree two in I(Y). If n > 2 deg(E), then I2(Y) = I2(Q), where Q is the image of P under the map from X to Y. These two results imply that certain algebraic geometry codes are not secure if used in the McEliece public-key cryptosystem.