Algebraic Attack on the Alternating Step(r,s)Generator
The Alternating Step(r,s) Generator, ASG(r,s), is a clock-controlled sequence
generator which is recently proposed by A. Kanso. It consists of three
registers of length l, m and n bits. The first register controls the clocking
of the two others. The two other registers are clocked r times (or not clocked)
(resp. s times or not clocked) depending on the clock-control bit in the first
register. The special case r=s=1 is the original and well known Alternating
Step Generator. Kanso claims there is no efficient attack against the ASG(r,s)
since r and s are kept secret. In this paper, we present an Alternating Step
Generator, ASG, model for the ASG(r,s) and also we present a new and efficient
algebraic attack on ASG(r,s) using 3(m+n) bits of the output sequence to find
the secret key with O((m^2+n^2)*2^{l+1}+ (2^{m-1})*m^3 + (2^{n-1})*n^3)
computational complexity. We show that this system is no more secure than the
original ASG, in contrast to the claim of the ASG(r,s)'s constructor.
Comment: 5 pages, 2 figures, 2 tables, 2010 IEEE International Symposium on
Information Theory (ISIT2010), June 13-18, 2010, Austin, Texa
A Smart Approach for GPT Cryptosystem Based on Rank Codes
The concept of a public-key cryptosystem was innovated by McEliece's
cryptosystem. The public key cryptosystem based on rank codes was presented in
1991 by Gabidulin-Paramonov-Trejtakov (GPT). The use of rank codes in
cryptographic applications is advantageous since it is practically impossible
to utilize combinatoric decoding. This has enabled using public keys of a
smaller size. Respective structural attacks against this system were proposed
by Gibson and recently by Overbeck. Overbeck's attacks break many versions of
the GPT cryptosystem and turn out to be either polynomial or exponential
depending on the parameters of the cryptosystem. In this paper, we introduce a new
approach, called the Smart approach, which is based on a proper choice of the
distortion matrix X. The Smart approach allows for withstanding all known
attacks even if the column scrambler matrix P is over the base field Fq.
Comment: 5 pages. to appear in Proceedings of IEEE ISIT201
Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes
Encryption schemes based on the rank metric lead to small public key sizes of
the order of a few thousand bytes, which represents a very attractive feature
compared to Hamming metric-based encryption schemes, where public key sizes are
of the order of hundreds of thousands of bytes even with additional structures like
cyclicity. The main tool for building public key encryption schemes in the rank
metric is the McEliece encryption setting used with the family of Gabidulin
codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and
Tretjakov, many systems have been proposed based on different masking
techniques for Gabidulin codes. Nevertheless, over the years all these systems
were attacked essentially by the use of an attack proposed by Overbeck.
In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was
not in the McEliece setting. The scheme is very efficient, with small public
keys of a few kilobytes and with security closely related to the
linearized polynomial reconstruction problem, which corresponds to the decoding
problem of Gabidulin codes. The structure of the scheme differs considerably
from the classical McEliece setting and, until our work, the scheme had never
been attacked. We show in this article that this scheme, like other schemes
based on Gabidulin codes, is also vulnerable to a polynomial-time attack that
recovers the private key by applying Overbeck's attack on an appropriate public
code. As an example, we break the concrete security parameters proposed in
a few seconds.
Comment: To appear in Designs, Codes and Cryptography Journa
On improving security of GPT cryptosystems
The public key cryptosystem based on rank error correcting codes (the GPT
cryptosystem) was proposed in 1991. Use of rank codes in cryptographic
applications is advantageous since it is practically impossible to utilize
combinatoric decoding. This enabled using public keys of a smaller size.
Several attacks against this system were published, including Gibson's attacks
and more recently Overbeck's attacks. A few modifications were proposed
withstanding Gibson's attack but at least one of them was broken by the
stronger attacks by Overbeck. A tool to prevent Overbeck's attack is presented
in [12]. In this paper, we apply this approach to other variants of the GPT
cryptosystem.
Comment: 5 pages. submitted ISIT 2009. Processed on IEEE ISIT201
The decoding failure probability of MDPC codes
Moderate Density Parity Check (MDPC) codes are defined here as codes which
have a parity-check matrix whose row weight is where is the
length of the code. They can be decoded like LDPC codes but they decode
much less errors than LDPC codes: the number of errors they can decode in this
case is of order . Despite this fact they have been proved
very useful in cryptography for devising key exchange mechanisms. They have
also been proposed in McEliece type cryptosystems. However in this case, the
parameters that have been proposed in \cite{MTSB13} were broken in
\cite{GJS16}. This attack exploits the fact that the decoding failure
probability is non-negligible. We show here that this attack can be thwarted by
choosing the parameters in a more conservative way. We first show that such
codes can decode with a simple bit-flipping decoder any pattern of
errors. This avoids the
previous attack at the cost of significantly increasing the key size of the
scheme. We then show that under a very reasonable assumption the decoding
failure probability decays almost exponentially with the codelength with just
two iterations of bit-flipping. With an additional assumption it has even been
proved that it decays exponentially with an unbounded number of iterations and
we show that in this case the increase of the key size which is required for
resisting the attack of \cite{GJS16} is only moderate
On the Duality of Probing and Fault Attacks
In this work we investigate the problem of simultaneous privacy and integrity
protection in cryptographic circuits. We consider a white-box scenario with a
powerful, yet limited attacker. A concise metric for the level of probing and
fault security is introduced, which is directly related to the capabilities of
a realistic attacker. In order to investigate the interrelation of probing and
fault security we introduce a common mathematical framework based on the
formalism of information and coding theory. The framework unifies the known
linear masking schemes. We prove a central theorem about the properties of
linear codes which leads to optimal secret sharing schemes. These schemes
provide the lower bound for the number of masks needed to counteract an
attacker with a given strength. The new formalism reveals an intriguing duality
principle between the problems of probing and fault security, and provides a
unified view on privacy and integrity protection using error detecting codes.
Finally, we introduce a new class of linear tamper-resistant codes. These are
eligible to preserve security against an attacker mounting simultaneous probing
and fault attacks
Natural Density Distribution of Hermite Normal Forms of Integer Matrices
The Hermite Normal Form (HNF) is a canonical representation of matrices over
any principal ideal domain. Over the integers, the distribution of the HNFs of
random-looking matrices is far from uniform. The aim of this article is to
present an explicit computation of this distribution together with some
applications. More precisely, for integer matrices whose entries are upper
bounded in absolute value by a large bound, we compute the asymptotic number of
such matrices whose HNF has a prescribed diagonal structure. We apply these
results to the analysis of some procedures and algorithms whose dynamics depend
on the HNF of random-looking integer matrices