Quantum Fourier sampling, Code Equivalence, and the quantum security of the McEliece and Sidelnikov cryptosystems
The Code Equivalence problem is that of determining whether two given linear
codes are equivalent to each other up to a permutation of the coordinates. This
problem has a direct reduction to a nonabelian hidden subgroup problem (HSP),
suggesting a possible quantum algorithm analogous to Shor's algorithms for
factoring or discrete log. However, we recently showed that in many cases of
interest---including Goppa codes---solving this case of the HSP requires rich,
entangled measurements. Thus, solving these cases of Code Equivalence via
Fourier sampling appears to be out of reach of current families of quantum
algorithms.
Code equivalence is directly related to the security of McEliece-type
cryptosystems in the case where the private code is known to the adversary.
However, for many codes the support splitting algorithm of Sendrier provides a
classical attack in this case. We revisit the claims of our previous article in
the light of these classical attacks, and discuss the particular case of the
Sidelnikov cryptosystem, which is based on Reed-Muller codes.
Cryptanalysis of McEliece Cryptosystem Based on Algebraic Geometry Codes and their subcodes
We give polynomial time attacks on the McEliece public key cryptosystem based
either on algebraic geometry (AG) codes or on small codimensional subcodes of
AG codes. These attacks consist in the blind reconstruction either of an Error
Correcting Pair (ECP), or an Error Correcting Array (ECA) from the single data
of an arbitrary generator matrix of a code. An ECP provides a decoding
algorithm that corrects up to errors, where denotes
the designed distance and denotes the genus of the corresponding curve,
while with an ECA the decoding algorithm corrects up to
errors. Roughly speaking, for a public code of length over ,
these attacks run in operations in for the
reconstruction of an ECP and operations for the reconstruction of an
ECA. A probabilistic shortcut reduces the complexities respectively to
and . Compared to the
previous known attack due to Faure and Minder, our attack is efficient on codes
from curves of arbitrary genus. Furthermore, we investigate how far these
methods apply to subcodes of AG codes.
Comment: A part of the material of this article has been published at the
conferences ISIT 2014 with title "A polynomial time attack against AG code
based PKC" and 4ICMCTA with title "Crypt. of PKC that use subcodes of AG
codes". This long version includes detailed proofs and new results: the
proceedings articles only considered the reconstruction of ECP while we
discuss here the reconstruction of EC
Cryptanalysis of Two McEliece Cryptosystems Based on Quasi-Cyclic Codes
We cryptanalyse here two variants of the McEliece cryptosystem based on
quasi-cyclic codes. Both aim at reducing the key size by restricting the public
and secret generator matrices to be in quasi-cyclic form. The first variant
considers subcodes of a primitive BCH code. We prove that this variant is not
secure by finding and solving a linear system satisfied by the entries of the
secret permutation matrix.
The other variant uses quasi-cyclic low density parity-check codes. This
scheme was devised to be immune against general attacks working for McEliece
type cryptosystems based on low density parity-check codes by choosing in the
McEliece scheme more general one-to-one mappings than permutation matrices. We
suggest here a structural attack exploiting the quasi-cyclic structure of the
code and a certain weakness in the choice of the linear transformations that
hide the generator matrix of the code. Our analysis shows that with high
probability a parity-check matrix of a punctured version of the secret code can
be recovered in cubic time complexity in its length. The complete
reconstruction of the secret parity-check matrix of the quasi-cyclic low
density parity-check codes requires the search of codewords of low weight which
can be done with about operations for the specific parameters
proposed.
Comment: Major corrections. This version supersedes the previous one.
Cryptanalysis of the McEliece Public Key Cryptosystem based on Polar Codes
Polar codes discovered by Arikan form a very powerful family of codes attaining many information theoretic limits in the fields of error correction and source coding. They have in particular much better decoding capabilities than Goppa codes, which places them as a serious alternative in the design of both a public-key encryption scheme à la McEliece and a very efficient signature scheme. Shrestha and Kim proposed in 2014 to use them in order to come up with a new code-based public key cryptosystem. We present a key-recovery attack that makes it possible to recover a description of the permuted polar code providing all the information required for decrypting any message.
Cryptanalysis of Ivanov-Krouk-Zyablov cryptosystem
Recently, F. Ivanov, E. Krouk and V. Zyablov proposed a new cryptosystem based on Generalized Reed-Solomon (GRS) codes over field extensions. In their approach, the subfield images of GRS codes are masked by a special transform, so that the resulting public codes are not equivalent to subfield images of GRS codes but burst errors can still be decoded. In this paper, we show that the complexity of a message-recovery attack on this cryptosystem can be reduced due to the use of burst errors, and that the secret key of the Ivanov-Krouk-Zyablov cryptosystem can be successfully recovered in polynomial time with a linear-algebra based attack and a square-based attack.