Cryptanalysis of the McEliece Public Key Cryptosystem based on Polar Codes

International audiencePolar codes discovered by Arikan form a very powerful family of codes attaining many information theoretic limits in the fields of error correction and source coding. They have in particular much better decoding capabilities than Goppa codes which places them as a serious alternative in the design of both a public-key encryption scheme à la McEliece and a very efficient signature scheme. Shrestha and Kim proposed in 2014 to use them in order to come up with a new code-based public key cryptosystem. We present a key-recovery attack that makes it possible to recover a description of the permuted polar code providing all the information required for decrypting any message

A tiny public key scheme based on Niederreiter Cryptosystem

Due to the weakness of public key cryptosystems encounter of quantum computers, the need to provide a solution was emerged. The McEliece cryptosystem and its security equivalent, the Niederreiter cryptosystem, which are based on Goppa codes, are one of the solutions, but they are not practical due to their long key length. Several prior attempts to decrease the length of the public key in code-based cryptosystems involved substituting the Goppa code family with other code families. However, these efforts ultimately proved to be insecure. In 2016, the National Institute of Standards and Technology (NIST) called for proposals from around the world to standardize post-quantum cryptography (PQC) schemes to solve this issue. After receiving of various proposals in this field, the Classic McEliece cryptosystem, as well as the Hamming Quasi-Cyclic (HQC) and Bit Flipping Key Encapsulation (BIKE), chosen as code-based encryption category cryptosystems that successfully progressed to the final stage. This article proposes a method for developing a code-based public key cryptography scheme that is both simple and implementable. The proposed scheme has a much shorter public key length compared to the NIST finalist cryptosystems. The key length for the primary parameters of the McEliece cryptosystem (n=1024, k=524, t=50) ranges from 18 to 500 bits. The security of this system is at least as strong as the security of the Niederreiter cryptosystem. The proposed structure is based on the Niederreiter cryptosystem which exhibits a set of highly advantageous properties that make it a suitable candidate for implementation in all extant systems

Algebraic Properties of Polar Codes From a New Polynomial Formalism

Polar codes form a very powerful family of codes with a low complexity decoding algorithm that attain many information theoretic limits in error correction and source coding. These codes are closely related to Reed-Muller codes because both can be described with the same algebraic formalism, namely they are generated by evaluations of monomials. However, finding the right set of generating monomials for a polar code which optimises the decoding performances is a hard task and channel dependent. The purpose of this paper is to reveal some universal properties of these monomials. We will namely prove that there is a way to define a nontrivial (partial) order on monomials so that the monomials generating a polar code devised fo a binary-input symmetric channel always form a decreasing set. This property turns out to have rather deep consequences on the structure of the polar code. Indeed, the permutation group of a decreasing monomial code contains a large group called lower triangular affine group. Furthermore, the codewords of minimum weight correspond exactly to the orbits of the minimum weight codewords that are obtained from (evaluations) of monomials of the generating set. In particular, it gives an efficient way of counting the number of minimum weight codewords of a decreasing monomial code and henceforth of a polar code.Comment: 14 pages * A reference to the work of Bernhard Geiger has been added (arXiv:1506.05231) * Lemma 3 has been changed a little bit in order to prove that Proposition 7.1 in arXiv:1506.05231 holds for any binary input symmetric channe

Analysis of code-based digital signature schemes

Digital signatures are in high demand because they allow authentication and non-repudiation. Existing digital signature systems, such as digital signature algorithm (DSA), elliptic curve digital signature algorithm (ECDSA), and others, are based on number theory problems such as discrete logarithmic problems and integer factorization problems. These recently used digital signatures are not secure with quantum computers. To protect against quantum computer attacks, many researchers propose digital signature schemes based on error-correcting codes such as linear, Goppa, polar, and so on. We studied 16 distinct papers based on various error-correcting codes and analyzed their various features such as signing and verification efficiency, signature size, public key size, and security against multiple attacks

On the matrix code of quadratic relationships for a Goppa code

In this article, we continue the analysis started in \cite{CMT23} for the matrix code of quadratic relationships associated with a Goppa code. We provide new sparse and low-rank elements in the matrix code and categorize them according to their shape. Thanks to this description, we prove that the set of rank 2 matrices in the matrix codes associated with square-free binary Goppa codes, i.e. those used in Classic McEiece, is much larger than what is expected, at least in the case where the Goppa polynomial degree is 2. We build upon the algebraic determinantal modeling introduced in \cite{CMT23} to derive a structural attack on these instances. Our method can break in just a few seconds some recent challenges about key-recovery attacks on the McEliece cryptosystem, consistently reducing their estimated security level. We also provide a general method, valid for any Goppa polynomial degree, to transform a generic pair of support and multiplier into a pair of support and Goppa polynomial

A new approach based on quadratic forms to attack the McEliece cryptosystem

We bring in here a novel algebraic approach for attacking the McEliece cryptosystem. It consists in introducing a subspace of matrices representing quadratic forms. Those are associated with quadratic relationships for the component-wise product in the dual of the code used in the cryptosystem. Depending on the characteristic of the code field, this space of matrices consists only of symmetric matrices or skew-symmetric matrices. This matrix space is shown to contain unusually low-rank matrices (rank $2$ or $3$ depending on the characteristic) which reveal the secret polynomial structure of the code. Finding such matrices can then be used to recover the secret key of the scheme. We devise a dedicated approach in characteristic $2$ consisting in using a Gr\"obner basis modeling that a skew-symmetric matrix is of rank $2$. This allows to analyze the complexity of solving the corresponding algebraic system with Gr\"obner bases techniques. This computation behaves differently when applied to the skew-symmetric matrix space associated with a random code rather than with a Goppa or an alternant code. This gives a distinguisher of the latter code family. We give a bound on its complexity which turns out to interpolate nicely between polynomial and exponential depending on the code parameters. A distinguisher for alternant/Goppa codes was already known [FGO+11]. It is of polynomial complexity but works only in a narrow parameter regime. This new distinguisher is also polynomial for the parameter regime necessary for [FGO+11] but contrarily to the previous one is able to operate for virtually all code parameters relevant to cryptography. Moreover, we use this matrix space to find a polynomial time attack of the McEliece cryptosystem provided that the Goppa code is distinguishable by the method of [FGO+11] and its degree is less than $q-1$, where $q$ is the alphabet size of the code.Comment: 61 page

A Public Key Exchange Cryptosystem Based on Ideal Secrecy

This paper proposes two closely related asymmetric key (or a public key) schemes for key exchange whose security is based on the notion of ideal secrecy. In the first scheme, the private key consists of two singular matrices, a polar code matrix and a random permutation matrix all over the binary field. The sender transmits addition of two messages over a public channel using the public key of the receiver. The receiver can decrypt individual messages using the private key. An adversary, without the knowledge of the private key, can only compute multiple equiprobable solutions in a space of sufficiently large size related to the dimension of the kernel of the singular matrices. This achieves security in the sense of ideal secrecy. The next scheme extends over general matrices. The two schemes are cryptanalyzed against various attacks