Algebraic Attack on the Alternating Step(r,s)Generator

The Alternating Step(r,s) Generator, ASG(r,s), is a clock-controlled sequence generator which is recently proposed by A. Kanso. It consists of three registers of length l, m and n bits. The first register controls the clocking of the two others. The two other registers are clocked r times (or not clocked) (resp. s times or not clocked) depending on the clock-control bit in the first register. The special case r=s=1 is the original and well known Alternating Step Generator. Kanso claims there is no efficient attack against the ASG(r,s) since r and s are kept secret. In this paper, we present an Alternating Step Generator, ASG, model for the ASG(r,s) and also we present a new and efficient algebraic attack on ASG(r,s) using 3(m+n) bits of the output sequence to find the secret key with O((m^2+n^2)*2^{l+1}+ (2^{m-1})*m^3 + (2^{n-1})*n^3) computational complexity. We show that this system is no more secure than the original ASG, in contrast to the claim of the ASG(r,s)'s constructor.Comment: 5 pages, 2 figures, 2 tables, 2010 IEEE International Symposium on Information Theory (ISIT2010),June 13-18, 2010, Austin, Texa

A Smart Approach for GPT Cryptosystem Based on Rank Codes

The concept of Public- key cryptosystem was innovated by McEliece's cryptosystem. The public key cryptosystem based on rank codes was presented in 1991 by Gabidulin -Paramonov-Trejtakov(GPT). The use of rank codes in cryptographic applications is advantageous since it is practically impossible to utilize combinatoric decoding. This has enabled using public keys of a smaller size. Respective structural attacks against this system were proposed by Gibson and recently by Overbeck. Overbeck's attacks break many versions of the GPT cryptosystem and are turned out to be either polynomial or exponential depending on parameters of the cryptosystem. In this paper, we introduce a new approach, called the Smart approach, which is based on a proper choice of the distortion matrix X. The Smart approach allows for withstanding all known attacks even if the column scrambler matrix P over the base field Fq.Comment: 5 pages. to appear in Proceedings of IEEE ISIT201

Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes

Encryption schemes based on the rank metric lead to small public key sizes of order of few thousands bytes which represents a very attractive feature compared to Hamming metric-based encryption schemes where public key sizes are of order of hundreds of thousands bytes even with additional structures like the cyclicity. The main tool for building public key encryption schemes in rank metric is the McEliece encryption setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years all these systems were attacked essentially by the use of an attack proposed by Overbeck. In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was not in the McEliece setting. The scheme is very efficient, with small public keys of size a few kiloBytes and with security closely related to the linearized polynomial reconstruction problem which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting and until our work, the scheme had never been attacked. We show in this article that this scheme like other schemes based on Gabidulin codes, is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck's attack on an appropriate public code. As an example we break concrete proposed $80$ bits security parameters in a few seconds.Comment: To appear in Designs, Codes and Cryptography Journa

On improving security of GPT cryptosystems

The public key cryptosystem based on rank error correcting codes (the GPT cryptosystem) was proposed in 1991. Use of rank codes in cryptographic applications is advantageous since it is practically impossible to utilize combinatoric decoding. This enabled using public keys of a smaller size. Several attacks against this system were published, including Gibson's attacks and more recently Overbeck's attacks. A few modifications were proposed withstanding Gibson's attack but at least one of them was broken by the stronger attacks by Overbeck. A tool to prevent Overbeck's attack is presented in [12]. In this paper, we apply this approach to other variants of the GPT cryptosystem.Comment: 5 pages. submitted ISIT 2009.Processed on IEEE ISIT201

The decoding failure probability of MDPC codes

Moderate Density Parity Check (MDPC) codes are defined here as codes which have a parity-check matrix whose row weight is $O(\sqrt{n})$ where $n$ is the length $n$ of the code. They can be decoded like LDPC codes but they decode much less errors than LDPC codes: the number of errors they can decode in this case is of order $\Theta(\sqrt{n})$. Despite this fact they have been proved very useful in cryptography for devising key exchange mechanisms. They have also been proposed in McEliece type cryptosystems. However in this case, the parameters that have been proposed in \cite{MTSB13} were broken in \cite{GJS16}. This attack exploits the fact that the decoding failure probability is non-negligible. We show here that this attack can be thwarted by choosing the parameters in a more conservative way. We first show that such codes can decode with a simple bit-flipping decoder any pattern of $O\left(\frac{\sqrt{n} \log \log n}{\log n}\right)$ errors. This avoids the previous attack at the cost of significantly increasing the key size of the scheme. We then show that under a very reasonable assumption the decoding failure probability decays almost exponentially with the codelength with just two iterations of bit-flipping. With an additional assumption it has even been proved that it decays exponentially with an unbounded number of iterations and we show that in this case the increase of the key size which is required for resisting to the attack of \cite{GJS16} is only moderate

On the Duality of Probing and Fault Attacks

In this work we investigate the problem of simultaneous privacy and integrity protection in cryptographic circuits. We consider a white-box scenario with a powerful, yet limited attacker. A concise metric for the level of probing and fault security is introduced, which is directly related to the capabilities of a realistic attacker. In order to investigate the interrelation of probing and fault security we introduce a common mathematical framework based on the formalism of information and coding theory. The framework unifies the known linear masking schemes. We proof a central theorem about the properties of linear codes which leads to optimal secret sharing schemes. These schemes provide the lower bound for the number of masks needed to counteract an attacker with a given strength. The new formalism reveals an intriguing duality principle between the problems of probing and fault security, and provides a unified view on privacy and integrity protection using error detecting codes. Finally, we introduce a new class of linear tamper-resistant codes. These are eligible to preserve security against an attacker mounting simultaneous probing and fault attacks

Natural Density Distribution of Hermite Normal Forms of Integer Matrices

The Hermite Normal Form (HNF) is a canonical representation of matrices over any principal ideal domain. Over the integers, the distribution of the HNFs of randomly looking matrices is far from uniform. The aim of this article is to present an explicit computation of this distribution together with some applications. More precisely, for integer matrices whose entries are upper bounded in absolute value by a large bound, we compute the asymptotic number of such matrices whose HNF has a prescribed diagonal structure. We apply these results to the analysis of some procedures and algorithms whose dynamics depend on the HNF of randomly looking integer matrices