12 research outputs found
Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups
The main practical limitation of the McEliece public-key encryption scheme is
probably the size of its key. A famous trend to overcome this issue is to focus
on subclasses of alternant/Goppa codes with a non trivial automorphism group.
Such codes display then symmetries allowing compact parity-check or generator
matrices. For instance, a key-reduction is obtained by taking quasi-cyclic (QC)
or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such
symmetric alternant/Goppa codes in cryptography introduces a fundamental
weakness. It is indeed possible to reduce the key-recovery on the original
symmetric public-code to the key-recovery on a (much) smaller code that has not
anymore symmetries. This result is obtained thanks to a new operation on codes
called folding that exploits the knowledge of the automorphism group. This
operation consists in adding the coordinates of codewords which belong to the
same orbit under the action of the automorphism group. The advantage is
twofold: the reduction factor can be as large as the size of the orbits, and it
preserves a fundamental property: folding the dual of an alternant (resp.
Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point
is to show that all the existing constructions of alternant/Goppa codes with
symmetries follow a common principal of taking codes whose support is globally
invariant under the action of affine transformations (by building upon prior
works of T. Berger and A. D{\"{u}}r). This enables not only to present a
unified view but also to generalize the construction of QC, QD and even
quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to
boost up any key-recovery attack on McEliece systems based on symmetric
alternant or Goppa codes, and in particular algebraic attacks.Comment: 19 page
Ătude de la sĂ©curitĂ© de certaines clĂ©s compactes pour le schĂ©ma de McEliece utilisant des codes gĂ©omĂ©triques
In 1978, McEliece introduce a new public key encryption scheme coming from errors correcting codes theory. The idea is to use an error correcting code whose structure would be hidden, making it impossible to decode a message for anyone who do not know a specific decoding algorithm for the chosen code.The McEliece scheme has some advantages, encryption and decryption are very fast and it is a good candidate for public-key cryptography in the context of quantum computer. The main constraint is that the public key is too large compared to other actual public-key cryptosystems. In this context, we propose to study the using of some quasi-cyclic or quasi-dyadic codes.In this thesis, the two families of interest are: the family of alternant codes and the family of subfield subcode of algebraic geometry codes. We can constructquasi-cyclic alternant codes using an automorphism which acts on the support and the multiplier of the code. In order to estimate the securtiy of these QC codes we study the {\em invariant code}. This invariant code is a smaller code derived from the public key. Actually the invariant code is exactly the subcode of codewords fixed by the automorphism . We show that it is possible to reduce the key-recovery problem on the original quasi-cyclic code to the same problem on the invariant code. This is also true in the case of QC algebraic geometry codes. This result permits us to propose a security analysis of QC codes coming from the Hermitian curve. Moreover, we propose compact key for the McEliece scheme using subfield subcode of AG codes on the Hermitian curve.The case of quasi-dyadic alternant code is also studied. Using the invariant code, with the {\em Schur product} and the {\em conductor} of two codes, we show weaknesses on the scheme using QD alternant codes with extension degree 2. In the case of the submission DAGS, proposed in the context of NIST competition, an attack exploiting these weakness permits to recover the secret key in few minutes for some proposed parameters.En 1978, McEliece introduit un schĂ©ma de chiffrement Ă clĂ© publique issu de la thĂ©orie des codes correcteurs dâerreurs. LâidĂ©e du schĂ©ma de McEliece est dâutiliser un code correcteur dont la structure est masquĂ©e, rendant le dĂ©codage de ce code difficile pour toute personne ne connaissant pas cette structure. Le principal dĂ©faut de ce schĂ©ma est la taille de la clĂ© publique. Dans ce contexte, on se propose d'Ă©tudier l'utilisation de codes dont on connaĂźt une reprĂ©sentation compacte, en particulier le cas de codes quais-cyclique ou quasi-dyadique. Les deux familles de codes qui nous intĂ©ressent dans cette thĂšse sont: la famille des codes alternants et celle des sous--codes sur un sous--corps de codes gĂ©omĂ©triques. En faisant agir un automorphisme sur le support et le multiplier des codes alternants, on sait qu'il est possible de construire des codes alternants quasi-cycliques. On se propose alors d'estimer la sĂ©curitĂ© de tels codes Ă l'aide du \textit{code invariant}. Ce sous--code du code public est constituĂ© des mots du code strictement invariant par l'automorphisme . On montre ici que la sĂ©curitĂ© des codes alternants quasi-cyclique se rĂ©duit Ă la sĂ©curitĂ© du code invariant. Cela est aussi valable pour les sous--codes sur un sous--corps de codes gĂ©omĂ©triques quasi-cycliques. Ce rĂ©sultat nous permet de proposer une analyse de la sĂ©curitĂ© de codes quasi-cycliques construit sur la courbe Hermitienne. En utilisant cette analyse nous proposons des clĂ©s compactes pour la schĂ©ma de McEliece utilisant des sous-codes sur un sous-corps de codes gĂ©omĂ©triques construits sur la courbe Hermitienne. Le cas des codes alternants quasi-dyadiques est aussi en partie Ă©tudiĂ©. En utilisant le code invariant, ainsi que le \textit{produit de Schur} et le \textit{conducteur} de deux codes, nous avons pu mettre en Ă©vidence une attaque sur le schĂ©ma de McEliece utilisant des codes alternants quasi-dyadique de degrĂ© . Cette attaque s'applique notamment au schĂ©ma proposĂ© dans la soumission DAGS, proposĂ© dans le contexte de l'appel du NIST pour la cryptographie post-quantique
Polynomial time attack on high rate random alternant codes
A long standing open question is whether the distinguisher of high rate
alternant codes or Goppa codes \cite{FGOPT11} can be turned into an algorithm
recovering the algebraic structure of such codes from the mere knowledge of an
arbitrary generator matrix of it. This would allow to break the McEliece scheme
as soon as the code rate is large enough and would break all instances of the
CFS signature scheme. We give for the first time a positive answer for this
problem when the code is {\em a generic alternant code} and when the code field
size is small : and for {\em all} regime of other
parameters for which the aforementioned distinguisher works. This breakthrough
has been obtained by two different ingredients : (i) a way of using code
shortening and the component-wise product of codes to derive from the original
alternant code a sequence of alternant codes of decreasing degree up to getting
an alternant code of degree (with a multiplier and support related to those
of the original alternant code);
(ii) an original Gr\"obner basis approach which takes into account the non
standard constraints on the multiplier and support of an alternant code which
recovers in polynomial time the relevant algebraic structure of an alternant
code of degree from the mere knowledge of a basis for it
An Algebraic Attack Against McEliece-like Cryptosystems Based on BCH Codes
We present an algebraic attack on a McEliece-like scheme based on BCH codes (BCH-McEliece), where the Goppa code is replaced by a suitably permuted BCH code. Our attack continues the line of work devising attacks against McEliece-like schemes with Goppa-like codes, with the goal of getting a better understanding of why Goppa codes are so intractable. Our starting point is the work of FaugĂšre, Perret and Portzamparc (Asiacrypt 2014). We take their algebraic model and adapt and improve their attack algorithm so that it can handle BCH-McEliece. We implement the attack and exhibit a parameter range where our attack is practical while generic attacks suggest cryptographic security
Recommended from our members
Finite Fields: Theory and Applications
Finite ïŹelds are the focal point of many interesting geometric, algorithmic and combinatorial problems. The workshop was devoted to progress on these questions, with an eye also on the important applications of ïŹnite ïŹeld techniques in cryptography, error correcting codes, and random number generation
McEliece in the world of Escher
We present a new family of linear binary codes of length n and dimension k accompanied with a fast list decoding algorithm that can correct up to n/2 errors in a bounded channel with an error density . The decisional problem of decoding random codes using these generalized error sets is NP-complete. Next we use the properties of these codes to design both an encryption scheme and a signature scheme. Although in the open literature there have been several proposals how to produce digital signatures from the McEliece public key scheme, as far as we know, this is the first public key scheme based on codes where signatures are produced in a straightforward manner from the decryption procedure of the scheme.
The security analysis of our scheme have four parts:
1. An extensive list of attacks using the Information Set Decoding techniques adopted for our codes;
2. An analysis of the cost of a distinguishing attack based on rank attacks on the generator matrix of the code or on its dual code;
3. An analysis of the cost of cheap distinguishing attacks on the generator matrix of the code or on its dual code that have expensive list-decoding properties;
4. We interpret our scheme as multivariate quadratic system and discuss difficulties of solving that system using algebraic approaches such as Gröbner bases.
Based on this security analysis we suggest some concrete parameters for the security levels in the range of . An additional feature of the decryption process is that it admits massive and trivial parallelization that could potentially make our scheme in hardware as fast as the symmetric crypto primitives
Scalable and Transparent Proofs over All Large Fields, via Elliptic Curves (ECFFT part II)
Concretely efficient interactive oracle proofs (IOPs) are of interest due to their applications to scaling blockchains, their minimal security assumptions, and their potential future-proof resistance to quantum attacks.
Scalable IOPs, in which prover time scales quasilinearly with the computation size and verifier time scales poly-logarithmically with it, have been known to exist thus far only over a set of finite fields of negligible density, namely, over FFT-friendly fields that contain a sub-group of size .
Our main result is to show that scalable IOPs can be constructed over any sufficiently large finite field, of size that is at least quadratic in the length of computation whose integrity is proved by the IOP. This result has practical applications as well, because it reduces the proving and verification complexity of cryptographic statements that are naturally stated over pre-defined finite fields which are not FFT-friendly .
Prior state-of-the-art scalable IOPs relied heavily on arithmetization via univariate polynomials and Reed--Solomon codes over FFT-friendly fields. To prove our main result and extend scalability to all large finite fields, we generalize the prior techniques and use new algebraic geometry codes evaluated on sub-groups of elliptic curves (elliptic curve codes). We also show a new arithmetization scheme that uses the rich and well-understood group structure of elliptic curves to reduce statements of computational integrity to other statements about the proximity of functions evaluated on the elliptic curve to the new family of elliptic curve codes.
This paper continues our recent work that used elliptic curves and their subgroups to create FFT-based algorithms for polynomial manipulation over generic finite fields. However, our new IOP constructions force us to use new codes (ones that are not based on polynomials), and this poses a new set of challenges involving the more restricted automorphism group of these codes, and the constraints of Riemann-Roch spaces of strictly positive genus