36 research outputs found
Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups
The main practical limitation of the McEliece public-key encryption scheme is
probably the size of its key. A famous trend to overcome this issue is to focus
on subclasses of alternant/Goppa codes with a non trivial automorphism group.
Such codes display then symmetries allowing compact parity-check or generator
matrices. For instance, a key-reduction is obtained by taking quasi-cyclic (QC)
or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such
symmetric alternant/Goppa codes in cryptography introduces a fundamental
weakness. It is indeed possible to reduce the key-recovery on the original
symmetric public-code to the key-recovery on a (much) smaller code that has not
anymore symmetries. This result is obtained thanks to a new operation on codes
called folding that exploits the knowledge of the automorphism group. This
operation consists in adding the coordinates of codewords which belong to the
same orbit under the action of the automorphism group. The advantage is
twofold: the reduction factor can be as large as the size of the orbits, and it
preserves a fundamental property: folding the dual of an alternant (resp.
Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point
is to show that all the existing constructions of alternant/Goppa codes with
symmetries follow a common principal of taking codes whose support is globally
invariant under the action of affine transformations (by building upon prior
works of T. Berger and A. D{\"{u}}r). This enables not only to present a
unified view but also to generalize the construction of QC, QD and even
quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to
boost up any key-recovery attack on McEliece systems based on symmetric
alternant or Goppa codes, and in particular algebraic attacks.Comment: 19 page
Variations of the McEliece Cryptosystem
Two variations of the McEliece cryptosystem are presented. The first one is
based on a relaxation of the column permutation in the classical McEliece
scrambling process. This is done in such a way that the Hamming weight of the
error, added in the encryption process, can be controlled so that efficient
decryption remains possible. The second variation is based on the use of
spatially coupled moderate-density parity-check codes as secret codes. These
codes are known for their excellent error-correction performance and allow for
a relatively low key size in the cryptosystem. For both variants the security
with respect to known attacks is discussed
New algorithms for decoding in the rank metric and an attack on the LRPC cryptosystem
We consider the decoding problem or the problem of finding low weight
codewords for rank metric codes. We show how additional information about the
codeword we want to find under the form of certain linear combinations of the
entries of the codeword leads to algorithms with a better complexity. This is
then used together with a folding technique for attacking a McEliece scheme
based on LRPC codes. It leads to a feasible attack on one of the parameters
suggested in \cite{GMRZ13}.Comment: A shortened version of this paper will be published in the
proceedings of the IEEE International Symposium on Information Theory 2015
(ISIT 2015
Security and complexity of the McEliece cryptosystem based on QC-LDPC codes
In the context of public key cryptography, the McEliece cryptosystem
represents a very smart solution based on the hardness of the decoding problem,
which is believed to be able to resist the advent of quantum computers. Despite
this, the original McEliece cryptosystem, based on Goppa codes, has encountered
limited interest in practical applications, partly because of some constraints
imposed by this very special class of codes. We have recently introduced a
variant of the McEliece cryptosystem including low-density parity-check codes,
that are state-of-the-art codes, now used in many telecommunication standards
and applications. In this paper, we discuss the possible use of a bit-flipping
decoder in this context, which gives a significant advantage in terms of
complexity. We also provide theoretical arguments and practical tools for
estimating the trade-off between security and complexity, in such a way to give
a simple procedure for the system design.Comment: 22 pages, 1 figure. This paper is a preprint of a paper accepted by
IET Information Security and is subject to Institution of Engineering and
Technology Copyright. When the final version is published, the copy of record
will be available at IET Digital Librar
Optimization of the parity-check matrix density in QC-LDPC code-based McEliece cryptosystems
Low-density parity-check (LDPC) codes are one of the most promising families
of codes to replace the Goppa codes originally used in the McEliece
cryptosystem. In fact, it has been shown that by using quasi-cyclic low-density
parity-check (QC-LDPC) codes in this system, drastic reductions in the public
key size can be achieved, while maintaining fixed security levels. Recently,
some proposals have appeared in the literature using codes with denser
parity-check matrices, named moderate-density parity-check (MDPC) codes.
However, the density of the parity-check matrices to be used in QC-LDPC
code-based variants of the McEliece cryptosystem has never been optimized. This
paper aims at filling such gap, by proposing a procedure for selecting the
density of the private parity-check matrix, based on the security level and the
decryption complexity. We provide some examples of the system parameters
obtained through the proposed technique.Comment: 10 pages, 4 figures. To be presented at IEEE ICC 2013 - Workshop on
Information Security over Noisy and Lossy Communication Systems. Copyright
transferred to IEE
Cryptanalysis of Two McEliece Cryptosystems Based on Quasi-Cyclic Codes
We cryptanalyse here two variants of the McEliece cryptosystem based on
quasi-cyclic codes. Both aim at reducing the key size by restricting the public
and secret generator matrices to be in quasi-cyclic form. The first variant
considers subcodes of a primitive BCH code. We prove that this variant is not
secure by finding and solving a linear system satisfied by the entries of the
secret permutation matrix.
The other variant uses quasi-cyclic low density parity-check codes. This
scheme was devised to be immune against general attacks working for McEliece
type cryptosystems based on low density parity-check codes by choosing in the
McEliece scheme more general one-to-one mappings than permutation matrices. We
suggest here a structural attack exploiting the quasi-cyclic structure of the
code and a certain weakness in the choice of the linear transformations that
hide the generator matrix of the code. Our analysis shows that with high
probability a parity-check matrix of a punctured version of the secret code can
be recovered in cubic time complexity in its length. The complete
reconstruction of the secret parity-check matrix of the quasi-cyclic low
density parity-check codes requires the search of codewords of low weight which
can be done with about operations for the specific parameters
proposed.Comment: Major corrections. This version supersedes previuos one
Structural Cryptanalysis of McEliece Schemes with Compact Keys
A very popular trend in code-based cryptography is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic (QC), quasi-dyadic (QD), or quasi-monoidic (QM) matrices. We show that the very same reason which allows to construct a compact public-key makes the key-recovery problem intrinsically much easier. The gain on the public-key size induces an important security drop, which is as large as the compression factor on the public-key. The fundamental remark is that from the public generator matrix of a compact McEliece, one can construct a generator matrix which is -- from an attacker point of view -- as good as the initial public-key. We call this new smaller code the {\it folded code}. Any key-recovery attack can be deployed equivalently on this smaller generator matrix. To mount the key-recovery in practice, we also improve the algebraic technique of Faugère, Otmani, Perret and Tillich (FOPT). In particular, we introduce new algebraic equations allowing to include codes defined over any prime field in the scope of our attack. We describe a so-called ``structural elimination\u27\u27 which is a new algebraic manipulation which simplifies the key-recovery system. As a proof of concept, we report successful attacks on many cryptographic parameters available in the literature. All the parameters of CFS-signatures based on QD/QM codes that have been proposed can be broken by this approach. In most cases, our attack takes few seconds (the harder case requires less than hours). In the encryption case, the algebraic systems are harder to solve in practice. Still, our attack succeeds against r cryptographic challenges proposed for QD and QM encryption schemes, but there are still some parameters that have been proposed which are out of reach of the methods given here. However, regardless of the key-recovery attack used against the folded code, there is an inherent weakness arising from Goppa codes with QM or QD symmetries. It is possible to derive from the public key a much smaller public key corresponding to the folding of the original QM or QD code, where the reduction factor of the code length is precisely the order of the QM or QD group used for reducing the key size. To summarize, the security of such schemes are not relying on the bigger compact public matrix but on the small folded code which can be efficiently broken in practice with an algebraic attack for a large set of parameters
Envisioning the Future of Cyber Security in Post-Quantum Era: A Survey on PQ Standardization, Applications, Challenges and Opportunities
The rise of quantum computers exposes vulnerabilities in current public key
cryptographic protocols, necessitating the development of secure post-quantum
(PQ) schemes. Hence, we conduct a comprehensive study on various PQ approaches,
covering the constructional design, structural vulnerabilities, and offer
security assessments, implementation evaluations, and a particular focus on
side-channel attacks. We analyze global standardization processes, evaluate
their metrics in relation to real-world applications, and primarily focus on
standardized PQ schemes, selected additional signature competition candidates,
and PQ-secure cutting-edge schemes beyond standardization. Finally, we present
visions and potential future directions for a seamless transition to the PQ
era