8 research outputs found

    Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups

    The main practical limitation of the McEliece public-key encryption scheme is probably the size of its key. A well-known trend to overcome this issue is to focus on subclasses of alternant/Goppa codes with a non-trivial automorphism group. Such codes then display symmetries allowing compact parity-check or generator matrices. For instance, a key reduction is obtained by taking quasi-cyclic (QC) or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such symmetric alternant/Goppa codes in cryptography introduces a fundamental weakness. It is indeed possible to reduce the key recovery on the original symmetric public code to the key recovery on a (much) smaller code that no longer has symmetries. This result is obtained thanks to a new operation on codes called folding that exploits the knowledge of the automorphism group. This operation consists of adding the coordinates of codewords which belong to the same orbit under the action of the automorphism group. The advantage is twofold: the reduction factor can be as large as the size of the orbits, and it preserves a fundamental property: folding the dual of an alternant (resp. Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point is to show that all the existing constructions of alternant/Goppa codes with symmetries follow a common principle of taking codes whose support is globally invariant under the action of affine transformations (building upon prior works of T. Berger and A. Dür). This enables us not only to present a unified view but also to generalize the construction of QC, QD and even quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to boost any key-recovery attack on McEliece systems based on symmetric alternant or Goppa codes, and in particular algebraic attacks.
    Comment: 19 pages

    Using Reed-Solomon codes in the (U | U + V) construction and an application to cryptography

    In this paper we present a modification of Reed-Solomon codes that beats the Guruswami-Sudan 1 − √R decoding radius of Reed-Solomon codes at low rates R. The idea is to choose Reed-Solomon codes U and V with appropriate rates in a (U | U + V) construction and to decode them with the Koetter-Vardy soft-information decoder. We suggest using a slightly more general version of these codes (which has the same decoding performance as the (U | U + V) construction) in code-based cryptography, namely to build a McEliece scheme. The point here is that these codes not only perform nearly as well as (or, in the low-rate regime, even better than) Reed-Solomon codes, but also that their structure seems to avoid the Sidelnikov-Shestakov attack which broke a previous McEliece proposal based on generalized Reed-Solomon codes.

    Post-Quantum Cryptography: Analysis of McEliece and a New Version with MPC

    The security used in almost all communications today relies on public-key or hybrid cryptography through the use of cryptographic systems such as RSA, ElGamal or elliptic curves, among others. Although these systems are currently secure, an algorithm is known that can break them in polynomial time as soon as we are able to build a quantum computer. For this reason, various cryptosystems that are resistant to attacks carried out by a quantum computer are currently being studied. This document focuses on the McEliece cryptosystem, which is one of the cryptosystems resistant to such attacks. In addition, Reed-Solomon, Goppa and matrix product codes are presented, which can be used, among others, to build the cryptosystem. We then look at a possible attack against the cryptosystem built from a Reed-Solomon code. The method used by Gaborit to try to eliminate the main disadvantage of the McEliece cryptosystem, the large size of its keys, while preserving security is also presented. Finally, an innovative method is presented that allows us to significantly reduce the size of the cryptosystem's keys by using matrix product codes.
    Degree in Mathematics

    Post-Quantum Cryptography: Implementation of McEliece and a New Version

    The security used in almost all communications today relies on public-key or hybrid cryptography through the use of cryptographic systems such as RSA, ElGamal or elliptic curves, among others. Although these systems are currently secure, an algorithm is known that can break them in polynomial time as soon as we are able to build a quantum computer. For this reason, various cryptosystems that are resistant to attacks carried out by a quantum computer are currently being studied. This document focuses on the McEliece cryptosystem, which is one of the cryptosystems resistant to such attacks. In addition, Reed-Solomon, Goppa and matrix product codes are presented, which can be used, among others, to build the cryptosystem. We then look at a possible attack against the cryptosystem built from a Reed-Solomon code. Finally, an innovative method is presented that allows us to significantly reduce the size of the cryptosystem's keys by using matrix product codes.
    Degree in Computer Engineering for Services and Applications

    IEEE Transactions on Information Theory: Vol. 62, No. 1, January 2016

    1. Zero-Error Capacity of Binary Channels With Memory / G. Cohen, E. Fachini, J. Körner
    2. The Feedback Capacity of the Binary Erasure Channel With a No-Consecutive-Ones Input Constraint / O. Sabag, H. H. Permuter, N. Kashyap
    3. On the Rényi Divergence, Joint Range of Relative Entropies and a Channel Coding Theorem / I. Sason
    4. Dissipation of Information in Channels With Input Constraint / Y. Polyanskiy, Y. Wu
    5. A Unified Graphical Approach to Random Coding for Single-Hop Networks / S. Rini, A. Goldsmith
    6. Short Message Noisy Network Coding With a Decode-Forward Option / J. Hou, G. Kramer
    7. Non-Random Coding Error Bounds for Lattices / Y. Domb, M. Feder
    8. The Random Coding Bound Is Tight for the Average Linear Code or Lattice / Y. Domb, R. Zamir, M. Feder
    9. Pearson Codes / J. H. Weber, K. A. S. Immink, S. R. Blackburn
    10. Snake-in-the-Box Codes for Rank Modulation Under Kendall's Metric / Y. Zhang, G. Ge
    11. A Construction of Permutation Codes From Rational Function Fields and Improvement to the Gilbert-Varshamov Bound / L. Jin
    12. Searching for Binary and Nonbinary Block and Convolutional LDPC Codes / I. E. Bocharova, B. D. Kudryashov, R. Johannesson
    13. Folding Alternant and Goppa Codes With Non-Trivial Automorphism Groups / J.-C. Faugère, A. Otmani, L. Perret, F. de Portzamparc, J.-P. Tillich
    14. On Determining Deep Holes of Generalized Reed-Solomon Codes / J. Zhuang, Q. Cheng, J. L