23 research outputs found
Cryptanalysis of the Niederreiter Public Key Scheme Based on GRS Subcodes
A new structural attack on the McEliece/Niederreiter public key cryptosystem based on subcodes of generalized Reed-Solomon codes, proposed by Berger and Loidreau, is described. It allows the reconstruction of the private key for almost all practical parameter choices in polynomial time with high probability.
On some properties of the Schur - Hadamard product for linear codes and their applications
The Schur-Hadamard product is actively used in the cryptanalysis of asymmetric code-based cryptosystems of McEliece type built on linear codes. Namely, this product has been successfully applied in the cryptanalysis of code-based systems on subcodes of generalized Reed-Solomon codes, on binary Reed-Muller codes and their subcodes of codimension 1, and on the concatenation of certain known codes. As a way of strengthening the security of the cryptosystem, the authors previously proposed a system based on the tensor product of linear codes. In order to analyze the security of this system, the present work studies the properties of the Schur-Hadamard product for the tensor product of arbitrary linear codes. As a result, necessary and sufficient conditions are obtained for when the s-th power of the tensor product of codes is permutation equivalent to a direct sum of codes. This result makes it possible, in particular, to choose the parameters of the linear codes so that the Schur-Hadamard product of the tensor product coincides with the whole space in which this product is defined. Thus, parameters of linear codes can be determined for which the attack based on the Schur-Hadamard product applied to the public key does not succeed. Some new properties of the Schur-Hadamard product for linear codes are obtained, which made it possible, in particular, to prove the indecomposability of binary Reed-Muller codes. As a consequence, a theorem on the structure of the group of permutation automorphisms of a direct sum of indecomposable codes is proved.
A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes
Bogdanov and Lee suggested a homomorphic public-key encryption scheme based on error correcting codes. The underlying public code is a modified Reed-Solomon code obtained from inserting a zero submatrix in the Vandermonde generating matrix defining it. The columns that define this submatrix are kept secret and form a set . We give here a distinguisher that detects if one or several columns belong to or not. This distinguisher is obtained by considering the code generated by component-wise products of codewords of the public code (the so-called "square code"). This operation is applied to punctured versions of this square code obtained by picking a subset of the whole set of columns. It turns out that the dimension of the punctured square code is directly related to the cardinality of the intersection of with . This allows an attack which recovers the full set and which can then decrypt any ciphertext.
Comment: 11 page
Structural Properties of Twisted Reed-Solomon Codes with Applications to Cryptography
We present a generalisation of Twisted Reed-Solomon codes containing a new large class of MDS codes. We prove that the code class contains a large subfamily that is closed under duality. Furthermore, we study the Schur squares of the new codes and show that their dimension is often large. Using these structural properties, we single out a subfamily of the new codes which could be considered for code-based cryptography: these codes resist some existing structural attacks for Reed-Solomon-like codes, i.e. methods for retrieving the code parameters from an obfuscated generator matrix.
Comment: 5 pages, accepted at: IEEE International Symposium on Information Theory 201
A Distinguisher-Based Attack on a Variant of McEliece's Cryptosystem Based on Reed-Solomon Codes
Baldi et al. proposed a variant of McEliece's cryptosystem. The main idea is to replace its permutation matrix by adding to it a rank 1 matrix. The motivation for this change is twofold: it would allow the use of codes that were shown to be insecure in the original McEliece's cryptosystem, and it would reduce the key size while keeping the same security against generic decoding attacks. The authors suggest using generalized Reed-Solomon codes instead of Goppa codes. The public code built with this method is no longer a generalized Reed-Solomon code. On the other hand, it contains a very large secret generalized Reed-Solomon code. In this paper we present an attack that is built upon a distinguisher which is able to identify elements of this secret code. The distinguisher is constructed by considering the code generated by component-wise products of codewords of the public code (the so-called "square code"). By using square-code dimension considerations, the initial generalized Reed-Solomon code can be recovered, which permits decoding any ciphertext. A similar technique has already been successful for mounting an attack against a homomorphic encryption scheme suggested by Bogdanov et al. This work can be viewed as another illustration of how a distinguisher of Reed-Solomon codes can be used to devise an attack on cryptosystems based on them.
Comment: arXiv admin note: substantial text overlap with arXiv:1203.668
On Linear Codes with Random Multiplier Vectors and the Maximum Trace Dimension Property
Let be a linear code of length and dimension over the finite field . The trace code is a linear code of the same length over the subfield . The obvious upper bound for the dimension of the trace code over is . If equality holds, then we say that has maximum trace dimension. The problem of finding the true dimension of trace codes and their duals is relevant for the size of the public key of various code-based cryptographic protocols. Let denote the code obtained from and a multiplier vector . In this paper, we give a lower bound for the probability that a random multiplier vector produces a code of maximum trace dimension. We give an interpretation of the bound for the class of algebraic geometry codes in terms of the degree of the defining divisor. The bound explains the experimental fact that random alternant codes have minimal dimension. Our bound holds whenever , where is the Singleton defect of . For the extremal case , numerical experiments reveal a close connection between the probability of having maximum trace dimension and the probability that a random matrix has full rank.