
    Solving ECDLP via List Decoding

    We provide a new approach to the elliptic curve discrete logarithm problem (ECDLP). First, we construct elliptic codes (EC codes) from the ECDLP. Then we propose an algorithm for finding the minimum weight codewords of algebraic geometry codes, especially elliptic codes, via list decoding. Finally, with the minimum weight codewords, we show how to solve the ECDLP. This work may provide a potential approach to speeding up the computation of ECDL

    Coding Theory (Kodierungstheorie)

    [no abstract available]

    Cryptographic error correction

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2006. Includes bibliographical references (leaves 67-71). It has been said that "cryptography is about concealing information, and coding theory is about revealing it." Despite these apparently conflicting goals, the two fields have common origins and many interesting relationships. In this thesis, we establish new connections between cryptography and coding theory in two ways: first, by applying cryptographic tools to solve classical problems from the theory of error correction; and second, by studying special kinds of codes that are motivated by cryptographic applications. In the first part of this thesis, we consider a model of error correction in which the source of errors is adversarial, but limited to feasible computation. In this model, we construct appealingly simple, general, and efficient cryptographic coding schemes which can recover from much larger error rates than schemes for classical models of adversarial noise. In the second part, we study collusion-secure fingerprinting codes, which are of fundamental importance in cryptographic applications like data watermarking and traitor tracing. We demonstrate tight lower bounds on the lengths of such codes by devising and analyzing a general collusive attack that works for any code. By Christopher Jason Peikert. Ph.D.

    Application of Computer Algebra in List Decoding

    The amount of data that we use in everyday life (social media, stock analysis, satellite communication, etc.) is increasing day by day. As a result, the amount of data that must travel through electronic media, or be stored, is growing rapidly, and various environmental effects can damage this important data in transit or on storage devices. To recover correct information from noisy data, we use error-correcting codes. The most challenging work in this area is to have a decoding algorithm that can decode the code quickly, together with a code that can tolerate the highest amount of noise, so that it can be used in practice. List decoding has been an active research area for the last two decades. It became popular in coding theory after the breakthrough work by Madhu Sudan, who used the list decoding technique to correct errors exceeding half the minimum distance of Reed-Solomon codes. Toward the development of codes that reach the theoretical limit of error correction, Guruswami and Rudra introduced folded Reed-Solomon codes, which reach 1 − R − ε. To decode these codes, one has to first interpolate a multivariate polynomial and then factor out all possible roots. The difficulties that lie here are efficient interpolation, dealing with multiplicities smartly, and efficient factoring. This thesis deals with all these cases in order to have folded Reed-Solomon codes in practice.

    On decoding algorithms for geometric codes beyond half the minimum distance (Sur des algorithmes de décodage de codes géométriques au delà de la moitié de la distance minimale)

    This thesis deals with algebraic geometric (AG) codes and their decoding. Those codes are composed of vectors constructed by evaluating specific functions at points of an algebraic curve. The underlying algebraic structure of these codes made it possible to design several decoding algorithms. A first one, for codes from plane curves, was proposed in 1989 by Justesen, Larsen, Jensen, Havemose and Hoholdt. It was then extended to any curve by Skorobogatov and Vladut and called the "basic algorithm" in the literature. A few years later, Pellikaan and, independently, Koetter gave a formulation without algebraic geometry, using simply the language of codes. This new interpretation takes the name "Error Correcting Pairs" (ECP) algorithm and represents a breakthrough in coding theory, since it applies to every code having a certain structure which is described only in terms of component-wise products of codes. The decoding radius of this algorithm depends on the code to which it is applied. For Reed-Solomon codes, it reaches half the minimum distance, which is the threshold for the solution to be unique. For AG codes, the algorithm almost always manages to decode a quantity of errors equal to half the designed distance. However, the success of the algorithm is only guaranteed for a quantity of errors less than half the designed distance minus some multiple of the curve's genus. Several attempts were then made to erase this genus-proportional penalty. A first decisive result was that of Pellikaan, who proved the existence of an algorithm with a decoding radius equal to half the designed distance. Then, in 1993, Ehrhard obtained an effective procedure for constructing such an algorithm. In addition to the algorithms for unique decoding, AG codes have algorithms correcting an amount of errors greater than half the designed distance. Beyond this quantity, the uniqueness of the solution may not be guaranteed. We then use a so-called "list decoding" algorithm, which returns the list of all possible solutions. This is the case of Sudan's algorithm for Reed-Solomon codes. Another approach consists in designing algorithms which return a single solution but may fail. This is the case of the "power decoding". Sudan's and power decoding algorithms were first designed for Reed-Solomon codes, then extended to AG codes. We observe that these extensions do not have the same decoding radii: that of Sudan's algorithm is lower than that of the power decoding, the difference being proportional to the genus of the curve. In this thesis we present two main results. First, we propose a new algorithm that we call "power error locating pairs" which, like the ECP algorithm, can be applied to any code with a certain structure described in terms of component-wise products. Compared to the ECP algorithm, this algorithm can correct errors beyond half the designed distance of the code. Applied to Reed-Solomon or to AG codes, it is equivalent to the power decoding algorithm. But it can also be applied to specific cyclic codes, for which it can be used to decode beyond half the Roos bound. Moreover, this algorithm applied to AG codes disregards the underlying geometric structure, which opens up interesting applications in cryptanalysis. The second result aims to erase the penalty proportional to the genus in the decoding radius of Sudan's algorithm for AG codes. First, by following Pellikaan's method, we prove that such an algorithm exists. Then, by combining and generalizing the works of Ehrhard and Sudan, we give an effective procedure to build this algorithm.

    Curves, codes, and cryptography

    This thesis deals with two topics: elliptic-curve cryptography and code-based cryptography. In 2007 elliptic-curve cryptography received a boost from the introduction of a new way of representing elliptic curves. Edwards, generalizing an example from Euler and Gauss, presented an addition law for the curves x^2 + y^2 = c^2(1 + x^2y^2) over non-binary fields. Edwards showed that every elliptic curve can be expressed in this form as long as the underlying field is algebraically closed. Bernstein and Lange found fast explicit formulas for addition and doubling in coordinates (X : Y : Z) representing (x, y) = (X/Z, Y/Z) on these curves, and showed that these explicit formulas save time in elliptic-curve cryptography. It is easy to see that all of these curves are isomorphic to curves x^2 + y^2 = 1 + dx^2y^2, which now are called "Edwards curves" and whose shape covers considerably more elliptic curves over a finite field than x^2 + y^2 = c^2(1 + x^2y^2). In this thesis the Edwards addition law is generalized to cover all curves ax^2 + y^2 = 1 + dx^2y^2, which now are called "twisted Edwards curves." The fast explicit formulas for addition and doubling presented here are almost as fast in the general case as they are for the special case a = 1. This generalization brings the speed of the Edwards addition law to every Montgomery curve. Tripling formulas for Edwards curves can be used for double-base scalar multiplication, where a multiple of a point is computed using a series of additions, doublings, and triplings. The use of double-base chains for elliptic-curve scalar multiplication for elliptic curves in various shapes is investigated in this thesis. It turns out that not only are Edwards curves among the fastest curve shapes, but also that the speed of doublings on Edwards curves renders double bases obsolete for this curve shape. Elliptic curves in Edwards form and twisted Edwards form can be used to speed up the Elliptic-Curve Method for integer factorization (ECM). We show how to construct elliptic curves in Edwards form and twisted Edwards form with large torsion groups, which are used by the EECM-MPFQ implementation of ECM. Code-based cryptography was invented by McEliece in 1978. The McEliece public-key cryptosystem uses as public key a hidden Goppa code over a finite field. Encryption in McEliece's system is remarkably fast (a matrix-vector multiplication). This system is rarely used in implementations. The main complaint is that the public key is too large. The McEliece cryptosystem recently regained attention with the advent of post-quantum cryptography, a new field in cryptography which deals with public-key systems without (known) vulnerabilities to attacks by quantum computers. The McEliece cryptosystem is one of them. In this thesis we underline the strength of the McEliece cryptosystem by improving attacks against it and by coming up with smaller-key variants. McEliece proposed to use binary Goppa codes. For these codes the most effective attacks rely on information-set decoding. In this thesis we present an attack developed together with Daniel J. Bernstein and Tanja Lange which uses and improves Stern's idea of collision decoding. This attack is faster by a factor of more than 150 than previous attacks, bringing it within reach of a moderate computer cluster. We were able to extract a plaintext from a ciphertext by decoding 50 errors in a [1024, 524] binary code. The attack should not be interpreted as destroying the McEliece cryptosystem. However, the attack demonstrates that the original parameters were chosen too small. Building on this work, the collision-decoding algorithm is generalized in two directions. First, we generalize the improved collision-decoding algorithm for codes over arbitrary fields and give a precise analysis of the running time. We use the analysis to propose parameters for the McEliece cryptosystem with Goppa codes over fields such as F_31. Second, collision decoding is generalized to ball-collision decoding in the case of binary linear codes. Ball-collision decoding is asymptotically faster than any previous attack against the McEliece cryptosystem. Another way to strengthen the system is to use codes with a larger error-correction capability. This thesis presents "wild Goppa codes", which contain the classical binary Goppa codes as a special case. We explain how to encrypt and decrypt messages in the McEliece cryptosystem when using wild Goppa codes. The size of the public key can be reduced by using wild Goppa codes over moderate fields, which is explained by evaluating the security of the "Wild McEliece" cryptosystem against our generalized collision attack for codes over finite fields. Code-based cryptography not only deals with public-key cryptography: a code-based hash function "FSB" was submitted to NIST's SHA-3 competition, a competition to establish a new standard for cryptographic hashing. Wagner's generalized birthday attack is a generic attack which can be used to find collisions in the compression function of FSB. However, applying Wagner's algorithm is a challenge in storage-restricted environments. The FSBday project showed how to successfully mount the generalized birthday attack on 8 nodes of the Coding and Cryptography Computer Cluster (CCCC) at Technische Universiteit Eindhoven to find collisions in the toy version FSB48, which is contained in the submission to NIST.

    Integer Polynomial Recovery from Outputs and its Application to Cryptanalysis of a Protocol for Secure Sorting

    We investigate the problem of recovering integer inputs (up to an affine scaling) when given only the integer monotonic polynomial outputs. Given n integer outputs of a degree-d integer monotonic polynomial whose coefficients and inputs are integers within known bounds and n ≫ d, we give an algorithm to recover the polynomial and the integer inputs (up to an affine scaling). A heuristic expected time complexity analysis of our method shows that it is exponential in the size of the degree of the polynomial but polynomial in the size of the polynomial coefficients. We conduct experiments with real-world data as well as randomly chosen parameters and demonstrate the effectiveness of our algorithm over a wide range of parameters. Using only the polynomial evaluations at specific integer points, the apparent hardness of recovering the input data served as the basis of security of a recent protocol proposed by Kesarwani et al. for secure k-nearest neighbour computation on encrypted data that involved secure sorting. The protocol uses the outputs of a randomly chosen monotonic integer polynomial to hide its inputs, revealing only the ordering of the input data. Using our integer polynomial recovery algorithm, we show that we can recover the polynomial and the inputs within a few seconds, thereby demonstrating an attack on the protocol of Kesarwani et al.