Still Wrong Use of Pairings in Cryptography

Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page

Tables of subspace codes

One of the main problems of subspace coding asks for the maximum possible cardinality of a subspace code with minimum distance at least $d$ over $\mathbb{F}_q^n$, where the dimensions of the codewords, which are vector spaces, are contained in $K\subseteq\{0,1,\dots,n\}$. In the special case of $K=\{k\}$ one speaks of constant dimension codes. Since this (still) emerging field is very prosperous on the one hand side and there are a lot of connections to classical objects from Galois geometry it is a bit difficult to keep or to obtain an overview about the current state of knowledge. To this end we have implemented an on-line database of the (at least to us) known results at \url{subspacecodes.uni-bayreuth.de}. The aim of this recurrently updated technical report is to provide a user guide how this technical tool can be used in research projects and to describe the so far implemented theoretic and algorithmic knowledge.Comment: 44 pages, 6 tables, 7 screenshot

Problems on q-Analogs in Coding Theory

The interest in $q$-analogs of codes and designs has been increased in the last few years as a consequence of their new application in error-correction for random network coding. There are many interesting theoretical, algebraic, and combinatorial coding problems concerning these q-analogs which remained unsolved. The first goal of this paper is to make a short summary of the large amount of research which was done in the area mainly in the last few years and to provide most of the relevant references. The second goal of this paper is to present one hundred open questions and problems for future research, whose solution will advance the knowledge in this area. The third goal of this paper is to present and start some directions in solving some of these problems.Comment: arXiv admin note: text overlap with arXiv:0805.3528 by other author

Johnson type bounds for mixed dimension subspace codes

Subspace codes, i.e., sets of subspaces of $\mathbb{F}_q^v$, are applied in random linear network coding. Here we give improved upper bounds for their cardinalities based on the Johnson bound for constant dimension codes.Comment: 16 pages, typos correcte

A Distinguisher-Based Attack on a Variant of McEliece's Cryptosystem Based on Reed-Solomon Codes

Baldi et \textit{al.} proposed a variant of McEliece's cryptosystem. The main idea is to replace its permutation matrix by adding to it a rank 1 matrix. The motivation for this change is twofold: it would allow the use of codes that were shown to be insecure in the original McEliece's cryptosystem, and it would reduce the key size while keeping the same security against generic decoding attacks. The authors suggest to use generalized Reed-Solomon codes instead of Goppa codes. The public code built with this method is not anymore a generalized Reed-Solomon code. On the other hand, it contains a very large secret generalized Reed-Solomon code. In this paper we present an attack that is built upon a distinguisher which is able to identify elements of this secret code. The distinguisher is constructed by considering the code generated by component-wise products of codewords of the public code (the so-called "square code"). By using square-code dimension considerations, the initial generalized Reed-Solomon code can be recovered which permits to decode any ciphertext. A similar technique has already been successful for mounting an attack against a homomorphic encryption scheme suggested by Bogdanoc et \textit{al.}. This work can be viewed as another illustration of how a distinguisher of Reed-Solomon codes can be used to devise an attack on cryptosystems based on them.Comment: arXiv admin note: substantial text overlap with arXiv:1203.668