10 research outputs found
Counting generalized Reed-Solomon codes
In this article we count the number of generalized Reed-Solomon (GRS) codes
of dimension k and length n, including the codes coming from a non-degenerate
conic plus nucleus. We compare our results with known formulae for the number
of 3-dimensional MDS codes of length n=6,7,8,9
The Poincaré Polynomial of a Linear Code
We introduce the Poincaré polynomial of a linear q-ary code and its relation to the corresponding weight enumerator. The question of whether the Poincaré polynomial is a complete invariant is answered affirmatively for q = 2, 3 and negatively for q ≥ 4. Finally we determine this polynomial for MDS codes and, by means of a recursive formula, for binary Reed-Muller codes
A characterization of MDS codes that have an error correcting pair
Error-correcting pairs were introduced in 1988 by R. Pellikaan, and were
found independently by R. K\"otter (1992), as a general algebraic method of
decoding linear codes. These pairs exist for several classes of codes. However
little or no study has been made for characterizing those codes. This article
is an attempt to fill the vacuum left by the literature concerning this
subject. Since every linear code is contained in an MDS code of the same
minimum distance over some finite field extension we have focused our study on
the class of MDS codes.
Our main result states that an MDS code of minimum distance has a
-ECP if and only if it is a generalized Reed-Solomon code. A second proof is
given using recent results Mirandola and Z\'emor (2015) on the Schur product of
codes
Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups
The main practical limitation of the McEliece public-key encryption scheme is
probably the size of its key. A famous trend to overcome this issue is to focus
on subclasses of alternant/Goppa codes with a non trivial automorphism group.
Such codes display then symmetries allowing compact parity-check or generator
matrices. For instance, a key-reduction is obtained by taking quasi-cyclic (QC)
or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such
symmetric alternant/Goppa codes in cryptography introduces a fundamental
weakness. It is indeed possible to reduce the key-recovery on the original
symmetric public-code to the key-recovery on a (much) smaller code that has not
anymore symmetries. This result is obtained thanks to a new operation on codes
called folding that exploits the knowledge of the automorphism group. This
operation consists in adding the coordinates of codewords which belong to the
same orbit under the action of the automorphism group. The advantage is
twofold: the reduction factor can be as large as the size of the orbits, and it
preserves a fundamental property: folding the dual of an alternant (resp.
Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point
is to show that all the existing constructions of alternant/Goppa codes with
symmetries follow a common principal of taking codes whose support is globally
invariant under the action of affine transformations (by building upon prior
works of T. Berger and A. D{\"{u}}r). This enables not only to present a
unified view but also to generalize the construction of QC, QD and even
quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to
boost up any key-recovery attack on McEliece systems based on symmetric
alternant or Goppa codes, and in particular algebraic attacks.Comment: 19 page
On the matrix code of quadratic relationships for a Goppa code
In this article, we continue the analysis started in \cite{CMT23} for the
matrix code of quadratic relationships associated with a Goppa code. We provide
new sparse and low-rank elements in the matrix code and categorize them
according to their shape. Thanks to this description, we prove that the set of
rank 2 matrices in the matrix codes associated with square-free binary Goppa
codes, i.e. those used in Classic McEiece, is much larger than what is
expected, at least in the case where the Goppa polynomial degree is 2. We build
upon the algebraic determinantal modeling introduced in \cite{CMT23} to derive
a structural attack on these instances. Our method can break in just a few
seconds some recent challenges about key-recovery attacks on the McEliece
cryptosystem, consistently reducing their estimated security level. We also
provide a general method, valid for any Goppa polynomial degree, to transform a
generic pair of support and multiplier into a pair of support and Goppa
polynomial
Polynomial time attack on high rate random alternant codes
A long standing open question is whether the distinguisher of high rate
alternant codes or Goppa codes \cite{FGOPT11} can be turned into an algorithm
recovering the algebraic structure of such codes from the mere knowledge of an
arbitrary generator matrix of it. This would allow to break the McEliece scheme
as soon as the code rate is large enough and would break all instances of the
CFS signature scheme. We give for the first time a positive answer for this
problem when the code is {\em a generic alternant code} and when the code field
size is small : and for {\em all} regime of other
parameters for which the aforementioned distinguisher works. This breakthrough
has been obtained by two different ingredients : (i) a way of using code
shortening and the component-wise product of codes to derive from the original
alternant code a sequence of alternant codes of decreasing degree up to getting
an alternant code of degree (with a multiplier and support related to those
of the original alternant code);
(ii) an original Gr\"obner basis approach which takes into account the non
standard constraints on the multiplier and support of an alternant code which
recovers in polynomial time the relevant algebraic structure of an alternant
code of degree from the mere knowledge of a basis for it
An Algebraic Attack Against McEliece-like Cryptosystems Based on BCH Codes
We present an algebraic attack on a McEliece-like scheme based on BCH codes (BCH-McEliece), where the Goppa code is replaced by a suitably permuted BCH code. Our attack continues the line of work devising attacks against McEliece-like schemes with Goppa-like codes, with the goal of getting a better understanding of why Goppa codes are so intractable. Our starting point is the work of Faugère, Perret and Portzamparc (Asiacrypt 2014). We take their algebraic model and adapt and improve their attack algorithm so that it can handle BCH-McEliece. We implement the attack and exhibit a parameter range where our attack is practical while generic attacks suggest cryptographic security
Contribution à la cryptanalyse de primitives cryptographiques fondées sur la théorie des codes
A large part in the design of secure cryptographic primitives consists in identifying hard algorithmic problems. Despite the fact that several problems have been proposed as a foundation for public-key primitives, those effectively used are essentially classical problems coming from integer factorization and discrete logarithm. On the other hand, coding theory appeared with the goal to solve the challenging problem of decoding a random linear code. It is widely admitted as a hard problem that has led McEliece in 1978 to propose the first code-based public-key encryption scheme. The key concept is to focus on codes that come up with an efficient decoding algorithm. He also advocated the use of binary Goppa codes. Since then, it belongs to the very few cryptosystems which remain unbroken. This thesis is primarily interested in studying the security of code-based primitives. The first category we analyzed consists of variants of the McEliece cryptosystem. Our works expose practical key-recovery attacks either by mounting dedicated techniques, or by devising algebraic attacks. This latter result also provides a new framework to assess the security of the McEliece cryptosystem and a first step towards the design of attacks based on the solving of algebraic systems. Furthermore, we show that this approach can be used to study the Goppa Code Distinguishing problem, which asks whether there is an efficient way to distinguish a Goppa code from a randomly drawn linear code. It represents an important assumption which supports the use of Goppa codes in cryptography. We show that it is possible to efficiently solve it as long as the code rate is sufficiently high. Finally, we investigate the security of a signature scheme based on two random linear codes. Our analysis shows that the attack is sensitive to their rates and can be practical when the rates are close
Étude de la sécurité de certaines clés compactes pour le schéma de McEliece utilisant des codes géométriques
In 1978, McEliece introduce a new public key encryption scheme coming from errors correcting codes theory. The idea is to use an error correcting code whose structure would be hidden, making it impossible to decode a message for anyone who do not know a specific decoding algorithm for the chosen code.The McEliece scheme has some advantages, encryption and decryption are very fast and it is a good candidate for public-key cryptography in the context of quantum computer. The main constraint is that the public key is too large compared to other actual public-key cryptosystems. In this context, we propose to study the using of some quasi-cyclic or quasi-dyadic codes.In this thesis, the two families of interest are: the family of alternant codes and the family of subfield subcode of algebraic geometry codes. We can constructquasi-cyclic alternant codes using an automorphism which acts on the support and the multiplier of the code. In order to estimate the securtiy of these QC codes we study the {\em invariant code}. This invariant code is a smaller code derived from the public key. Actually the invariant code is exactly the subcode of codewords fixed by the automorphism . We show that it is possible to reduce the key-recovery problem on the original quasi-cyclic code to the same problem on the invariant code. This is also true in the case of QC algebraic geometry codes. This result permits us to propose a security analysis of QC codes coming from the Hermitian curve. Moreover, we propose compact key for the McEliece scheme using subfield subcode of AG codes on the Hermitian curve.The case of quasi-dyadic alternant code is also studied. Using the invariant code, with the {\em Schur product} and the {\em conductor} of two codes, we show weaknesses on the scheme using QD alternant codes with extension degree 2. In the case of the submission DAGS, proposed in the context of NIST competition, an attack exploiting these weakness permits to recover the secret key in few minutes for some proposed parameters.En 1978, McEliece introduit un schéma de chiffrement à clé publique issu de la théorie des codes correcteurs d’erreurs. L’idée du schéma de McEliece est d’utiliser un code correcteur dont la structure est masquée, rendant le décodage de ce code difficile pour toute personne ne connaissant pas cette structure. Le principal défaut de ce schéma est la taille de la clé publique. Dans ce contexte, on se propose d'étudier l'utilisation de codes dont on connaît une représentation compacte, en particulier le cas de codes quais-cyclique ou quasi-dyadique. Les deux familles de codes qui nous intéressent dans cette thèse sont: la famille des codes alternants et celle des sous--codes sur un sous--corps de codes géométriques. En faisant agir un automorphisme sur le support et le multiplier des codes alternants, on sait qu'il est possible de construire des codes alternants quasi-cycliques. On se propose alors d'estimer la sécurité de tels codes à l'aide du \textit{code invariant}. Ce sous--code du code public est constitué des mots du code strictement invariant par l'automorphisme . On montre ici que la sécurité des codes alternants quasi-cyclique se réduit à la sécurité du code invariant. Cela est aussi valable pour les sous--codes sur un sous--corps de codes géométriques quasi-cycliques. Ce résultat nous permet de proposer une analyse de la sécurité de codes quasi-cycliques construit sur la courbe Hermitienne. En utilisant cette analyse nous proposons des clés compactes pour la schéma de McEliece utilisant des sous-codes sur un sous-corps de codes géométriques construits sur la courbe Hermitienne. Le cas des codes alternants quasi-dyadiques est aussi en partie étudié. En utilisant le code invariant, ainsi que le \textit{produit de Schur} et le \textit{conducteur} de deux codes, nous avons pu mettre en évidence une attaque sur le schéma de McEliece utilisant des codes alternants quasi-dyadique de degré . Cette attaque s'applique notamment au schéma proposé dans la soumission DAGS, proposé dans le contexte de l'appel du NIST pour la cryptographie post-quantique