130 research outputs found

    A Distinguisher-Based Attack on a Variant of McEliece's Cryptosystem Based on Reed-Solomon Codes

    Baldi et al. proposed a variant of McEliece's cryptosystem. The main idea is to replace its permutation matrix by adding a rank 1 matrix to it. The motivation for this change is twofold: it would allow the use of codes that were shown to be insecure in the original McEliece cryptosystem, and it would reduce the key size while keeping the same security against generic decoding attacks. The authors suggest using generalized Reed-Solomon codes instead of Goppa codes. The public code built with this method is no longer a generalized Reed-Solomon code. On the other hand, it contains a very large secret generalized Reed-Solomon code. In this paper we present an attack that is built upon a distinguisher which is able to identify elements of this secret code. The distinguisher is constructed by considering the code generated by component-wise products of codewords of the public code (the so-called "square code"). By using square-code dimension considerations, the initial generalized Reed-Solomon code can be recovered, which makes it possible to decode any ciphertext. A similar technique has already been successful for mounting an attack against a homomorphic encryption scheme suggested by Bogdanov et al. This work can be viewed as another illustration of how a distinguisher of Reed-Solomon codes can be used to devise an attack on cryptosystems based on them.
    Comment: arXiv admin note: substantial text overlap with arXiv:1203.668

    A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes

    Bogdanov and Lee suggested a homomorphic public-key encryption scheme based on error-correcting codes. The underlying public code is a modified Reed-Solomon code obtained by inserting a zero submatrix into the Vandermonde generator matrix defining it. The columns that define this submatrix are kept secret and form a set L. We give here a distinguisher that detects whether one or several columns belong to L or not. This distinguisher is obtained by considering the code generated by component-wise products of codewords of the public code (the so-called "square code"). This operation is applied to punctured versions of this square code obtained by picking a subset I of the whole set of columns. It turns out that the dimension of the punctured square code is directly related to the cardinality of the intersection of I with L. This allows an attack which recovers the full set L and which can then decrypt any ciphertext.
    Comment: 11 pages

    Cryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes

    We give a polynomial time attack on the McEliece public key cryptosystem based on subcodes of algebraic geometry (AG) codes. The proposed attack relies on the distinguishability of such codes from random codes using the Schur product. Wieschebrink treated the genus zero case a few years ago, but his approach cannot be extended straightforwardly to other genera. We address this problem by introducing and using a new notion, which we call the t-closure of a code.

    Variations of the McEliece Cryptosystem

    Two variations of the McEliece cryptosystem are presented. The first one is based on a relaxation of the column permutation in the classical McEliece scrambling process. This is done in such a way that the Hamming weight of the error, added in the encryption process, can be controlled so that efficient decryption remains possible. The second variation is based on the use of spatially coupled moderate-density parity-check codes as secret codes. These codes are known for their excellent error-correction performance and allow for a relatively low key size in the cryptosystem. For both variants the security with respect to known attacks is discussed.

    Smaller keys for McEliece cryptosystems using convolutional encoders

    The arrival of the quantum computing era is a real threat to the confidentiality and integrity of digital communications. It is therefore urgent to develop alternative cryptographic techniques that are resilient to quantum computing. This is the goal of post-quantum cryptography. The code-based cryptosystem called the Classical McEliece Cryptosystem remains one of the most promising post-quantum alternatives. However, the main drawback of this system is that the public key is much larger than in the other alternatives. In this thesis we study the algebraic properties of this type of cryptosystem and present a new variant that uses a convolutional encoder to mask the so-called Generalized Reed-Solomon code. We conduct a cryptanalysis of this new variant to show that high levels of security can be achieved using significantly smaller keys than in the existing variants of the McEliece scheme. We illustrate the advantages of the proposed cryptosystem by presenting several practical examples.
    Doctoral Program in Mathematics

    Cryptography based on the Hardness of Decoding

    This thesis provides progress in the fields of lattice-based and code-based cryptography. The first contribution consists of constructions of IND-CCA2 secure public key cryptosystems from both the McEliece assumption and the low-noise learning parity with noise assumption. The second contribution is a novel instantiation of the lattice-based learning with errors problem which uses uniform errors.