12 research outputs found
Structural Cryptanalysis of McEliece Schemes with Compact Keys
A very popular trend in code-based cryptography is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic (QC), quasi-dyadic (QD), or quasi-monoidic (QM) matrices. We show that the very same reason which allows to construct a compact public-key makes the key-recovery problem intrinsically much easier. The gain on the public-key size induces an important security drop, which is as large as the compression factor on the public-key. The fundamental remark is that from the public generator matrix of a compact McEliece, one can construct a generator matrix which is -- from an attacker point of view -- as good as the initial public-key. We call this new smaller code the {\it folded code}. Any key-recovery attack can be deployed equivalently on this smaller generator matrix. To mount the key-recovery in practice, we also improve the algebraic technique of Faugère, Otmani, Perret and Tillich (FOPT). In particular, we introduce new algebraic equations allowing to include codes defined over any prime field in the scope of our attack. We describe a so-called ``structural elimination\u27\u27 which is a new algebraic manipulation which simplifies the key-recovery system. As a proof of concept, we report successful attacks on many cryptographic parameters available in the literature. All the parameters of CFS-signatures based on QD/QM codes that have been proposed can be broken by this approach. In most cases, our attack takes few seconds (the harder case requires less than hours). In the encryption case, the algebraic systems are harder to solve in practice. Still, our attack succeeds against r cryptographic challenges proposed for QD and QM encryption schemes, but there are still some parameters that have been proposed which are out of reach of the methods given here. However, regardless of the key-recovery attack used against the folded code, there is an inherent weakness arising from Goppa codes with QM or QD symmetries. It is possible to derive from the public key a much smaller public key corresponding to the folding of the original QM or QD code, where the reduction factor of the code length is precisely the order of the QM or QD group used for reducing the key size. To summarize, the security of such schemes are not relying on the bigger compact public matrix but on the small folded code which can be efficiently broken in practice with an algebraic attack for a large set of parameters
Structural Cryptanalysis of McEliece Schemes with Compact Keys
A very popular trend in code-based cryptography is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic (QC), quasi-dyadic (QD), or quasi-monoidic (QM) matrices. We show that the very same reason which allows to construct a compact public-key makes the key-recovery problem intrinsically much easier. The gain on the public-key size induces an important security drop, which is as large as the compression factor on the public-key. The fundamental remark is that from the public generator matrix of a compact McEliece, one can construct a generator matrix which is -- from an attacker point of view -- as good as the initial public-key. We call this new smaller code the {\it folded code}. Any key-recovery attack can be deployed equivalently on this smaller generator matrix. To mount the key-recovery in practice, we also improve the algebraic technique of Faugère, Otmani, Perret and Tillich (FOPT). In particular, we introduce new algebraic equations allowing to include codes defined over any prime field in the scope of our attack. We describe a so-called ``structural elimination\u27\u27 which is a new algebraic manipulation which simplifies the key-recovery system. As a proof of concept, we report successful attacks on many cryptographic parameters available in the literature. All the parameters of CFS-signatures based on QD/QM codes that have been proposed can be broken by this approach. In most cases, our attack takes few seconds (the harder case requires less than hours). In the encryption case, the algebraic systems are harder to solve in practice. Still, our attack succeeds against r cryptographic challenges proposed for QD and QM encryption schemes, but there are still some parameters that have been proposed which are out of reach of the methods given here. However, regardless of the key-recovery attack used against the folded code, there is an inherent weakness arising from Goppa codes with QM or QD symmetries. It is possible to derive from the public key a much smaller public key corresponding to the folding of the original QM or QD code, where the reduction factor of the code length is precisely the order of the QM or QD group used for reducing the key size. To summarize, the security of such schemes are not relying on the bigger compact public matrix but on the small folded code which can be efficiently broken in practice with an algebraic attack for a large set of parameters
New algorithms for decoding in the rank metric and an attack on the LRPC cryptosystem
We consider the decoding problem or the problem of finding low weight
codewords for rank metric codes. We show how additional information about the
codeword we want to find under the form of certain linear combinations of the
entries of the codeword leads to algorithms with a better complexity. This is
then used together with a folding technique for attacking a McEliece scheme
based on LRPC codes. It leads to a feasible attack on one of the parameters
suggested in \cite{GMRZ13}.Comment: A shortened version of this paper will be published in the
proceedings of the IEEE International Symposium on Information Theory 2015
(ISIT 2015
Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups
The main practical limitation of the McEliece public-key encryption scheme is
probably the size of its key. A famous trend to overcome this issue is to focus
on subclasses of alternant/Goppa codes with a non trivial automorphism group.
Such codes display then symmetries allowing compact parity-check or generator
matrices. For instance, a key-reduction is obtained by taking quasi-cyclic (QC)
or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such
symmetric alternant/Goppa codes in cryptography introduces a fundamental
weakness. It is indeed possible to reduce the key-recovery on the original
symmetric public-code to the key-recovery on a (much) smaller code that has not
anymore symmetries. This result is obtained thanks to a new operation on codes
called folding that exploits the knowledge of the automorphism group. This
operation consists in adding the coordinates of codewords which belong to the
same orbit under the action of the automorphism group. The advantage is
twofold: the reduction factor can be as large as the size of the orbits, and it
preserves a fundamental property: folding the dual of an alternant (resp.
Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point
is to show that all the existing constructions of alternant/Goppa codes with
symmetries follow a common principal of taking codes whose support is globally
invariant under the action of affine transformations (by building upon prior
works of T. Berger and A. D{\"{u}}r). This enables not only to present a
unified view but also to generalize the construction of QC, QD and even
quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to
boost up any key-recovery attack on McEliece systems based on symmetric
alternant or Goppa codes, and in particular algebraic attacks.Comment: 19 page
Reducing the Key Size of McEliece Cryptosystem from Automorphism-induced Goppa Codes via Permutations
In this paper, we propose a new general construction to reduce the public key size of McEliece cryptosystems constructed from automorphism-induced Goppa codes. In particular, we generalize the ideas of automorphism-induced Goppa codes by considering nontrivial subsets of automorphism groups to construct Goppa codes with a nice block structure. By considering additive and multiplicative automorphism subgroups, we provide explicit constructions to demonstrate our technique. We show that our technique can be applied to automorphism-induced Goppa codes based cryptosystems to further reduce their key sizes
Structural cryptanalysis of McEliece schemes with compact keys
A very popular trend in code-based cryptography is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic (QC), quasi-dyadic (QD), or quasi-monoidic (QM) matrices. We show that the very same reason which allows to construct a compact public-key makes the key-recovery problem intrinsically much easier. The gain on the public-key size induces an important security drop, which is as large as the compression factor on the public-key. The fundamental remark is that from the public generator matrix of a compact McEliece, one can construct a generator matrix which is -- from an attacker point of view -- as good as the initial public-key. We call this new smaller code the {\it folded code}. Any key-recovery attack can be deployed equivalently on this smaller generator matrix. To mount the key-recovery in practice, we also improve the algebraic technique of Faugère, Otmani, Perret and Tillich (FOPT). In particular, we introduce new algebraic equations allowing to include codes defined over any prime field in the scope of our attack. We describe a so-called ``structural elimination\u27\u27 which is a new algebraic manipulation which simplifies the key-recovery system. As a proof of concept, we report successful attacks on many cryptographic parameters available in the literature. All the parameters of CFS-signatures based on QD/QM codes that have been proposed can be broken by this approach. In most cases, our attack takes few seconds (the harder case requires less than hours). In the encryption case, the algebraic systems are harder to solve in practice. Still, our attack succeeds against r cryptographic challenges proposed for QD and QM encryption schemes, but there are still some parameters that have been proposed which are out of reach of the methods given here. However, regardless of the key-recovery attack used against the folded code, there is an inherent weakness arising from Goppa codes with QM or QD symmetries. It is possible to derive from the public key a much smaller public key corresponding to the folding of the original QM or QD code, where the reduction factor of the code length is precisely the order of the QM or QD group used for reducing the key size. To summarize, the security of such schemes are not relying on the bigger compact public matrix but on the small folded code which can be efficiently broken in practice with an algebraic attack for a large set of parameters
Structural Cryptanalysis of McEliece Schemes with Compact Keys
International audienceA very popular trend in code-based cryptography is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic (QC), quasi-dyadic (QD), or quasi-monoidic (QM) matrices. We show that the very same reason which allows to construct a compact public-key makes the key-recovery problem intrinsically much easier. The gain on the public-key size induces an important security drop, which is as large as the compression factor p on the public-key. The fundamental remark is that from the k Ă— n public generator matrix of a compact McEliece, one can construct a k/p Ă— n/p generator matrix which is - from an attacker point of view - as good as the initial public-key. We call this new smaller code the folded code. Any key-recovery attack can be deployed equivalently on this smaller generator matrix. To mount the key-recovery in practice, we also improve the algebraic technique of Faug'ere, Otmani, Perret and Tillich (FOPT). In particular, we introduce new algebraic equations allowing to include codes defined over any prime field in the scope of our attack. We describe a so-called "structural elimination" which is a new algebraic manipulation which simplifies the key-recovery system. As a proof of concept, we report successful attacks on many cryptographic parameters available in the literature. All the parameters of CFS-signatures based on QD/QM codes that have been proposed can be broken by this approach. In most cases, our attack takes few seconds (the harder case requires less than 2 hours). In the encryption case, the algebraic systems are harder to solve in practice. Still, our attack succeeds against several cryptographic challenges proposed for QD and QM encryption schemes, but there are still some parameters that have been proposed which are out of reach of the methods given here. However, regardless of the key-recovery attack used against the folded code, there is an inherent weakness arising from Goppa codes with QM or QD symmetries. It is possible to derive from the public key a much smaller public key corresponding to the folding of the original QM or QD code, where the reduction factor of the code length is precisely the order of the QM or QD group used for reducing the key size. To summarize, the security of such schemes are not relying on the bigger compact public matrix but on the small folded code which can be efficiently broken in practice with an algebraic attack for a large set of parameters
CriptografĂa post-cuántica: Análisis de McEliece y una nueva versiĂłn con MPC
La seguridad empleada en prácticamente todas comunicaciones realizadas actualmente
utiliza una criptografĂa de clave pĂşblica o hĂbrida mediante el uso de sistemas
criptográficos como el RSA, Gamal o de curva elĂptica entre otros. Dichos sistemas
aunque son actualmente seguros, en cuanto seamos capaces de construir un ordenador
cuántico, se conoce un algoritmo que permite romperlos en tiempo polinómico.
Por ello, actualmente se están estudiando distintos criptosistemas que sean resistentes
a ataques realizados por un ordenador cuántico.
El presente documento se centra en el criptosistema de McEliece, el cual es uno
de los criptosistemas resistente frente a estos ataques. En adicciĂłn se muestran los
cĂłdigos Reed-Solomon, Goppa y de producto de matrices, que se pueden emplear,
entre otros, para construir el criptosistema. Después vemos un posible ataque contra
el criptosistema construido a partir de un cĂłdigo Reed-Solomon.
También, mostramos el método empleado por Gaborit para intentar eliminar la
principal desventaja del criptosistema de McEliece preservando la seguridad, el gran
tamaño de las claves. Por último se muestra un método innovador que nos permite
reducir notablemente el tamaño de las claves del criptosistema mediante el empleo de
cĂłdigos de producto de matrices.The security used in almost all communications currently performed a public key
cryptography or hybrid through the use of cryptographic systems such as RSA, Gamal
or elliptical curve among others. These systems although they are currently safe,
as soon as we are able to build a quantum computer, it is known an algorithm that
can break them in polynomial time. For this reason, different cryptosystems that are
resistant to attacks carried out by a quantum computer are currently being studied.
This paper focuses on the McEliece cryptosystem, which is one of the cryptosystems
resistant to these attacks. In addition, Reed-Solomon, Goppa and matrix product
codes are shown, which can be used to build the cryptosystem. Afterwards, a possible
attack against the cryptosystem built from a Reed-Solomon code is shown.
Also, it is shown the method used by Gaborit to try to eliminate the main disadvantage
of the McEliece cryptosystem while preserving security,the large size of the
keys. Finally, it shows an innovative method that allows us to significantly reduce the
size of the cryptosystem keys by using matrix product codes.Grado en Matemática