16 research outputs found
Quantifying Shannon's Work Function for Cryptanalytic Attacks
Attacks on cryptographic systems are limited by the available computational
resources. A theoretical understanding of these resource limitations is needed
to evaluate the security of cryptographic primitives and procedures. This study
uses an Attacker versus Environment game formalism based on computability logic
to quantify Shannon's work function and evaluate resource use in cryptanalysis.
A simple cost function is defined which allows to quantify a wide range of
theoretical and real computational resources. With this approach the use of
custom hardware, e.g., FPGA boards, in cryptanalysis can be analyzed. Applied
to real cryptanalytic problems, it raises, for instance, the expectation that
the computer time needed to break some simple 90 bit strong cryptographic
primitives might theoretically be less than two years.Comment: 19 page
MV3: A new word based stream cipher using rapid mixing and revolving buffers
MV3 is a new word based stream cipher for encrypting long streams of data. A
direct adaptation of a byte based cipher such as RC4 into a 32- or 64-bit word
version will obviously need vast amounts of memory. This scaling issue
necessitates a look for new components and principles, as well as mathematical
analysis to justify their use. Our approach, like RC4's, is based on rapidly
mixing random walks on directed graphs (that is, walks which reach a random
state quickly, from any starting point). We begin with some well understood
walks, and then introduce nonlinearity in their steps in order to improve
security and show long term statistical correlations are negligible. To
minimize the short term correlations, as well as to deter attacks using
equations involving successive outputs, we provide a method for sequencing the
outputs derived from the walk using three revolving buffers. The cipher is fast
-- it runs at a speed of less than 5 cycles per byte on a Pentium IV processor.
A word based cipher needs to output more bits per step, which exposes more
correlations for attacks. Moreover we seek simplicity of construction and
transparent analysis. To meet these requirements, we use a larger state and
claim security corresponding to only a fraction of it. Our design is for an
adequately secure word-based cipher; our very preliminary estimate puts the
security close to exhaustive search for keys of size < 256 bits.Comment: 27 pages, shortened version will appear in "Topics in Cryptology -
CT-RSA 2007
A new approach based on quadratic forms to attack the McEliece cryptosystem
We bring in here a novel algebraic approach for attacking the McEliece
cryptosystem. It consists in introducing a subspace of matrices representing
quadratic forms. Those are associated with quadratic relationships for the
component-wise product in the dual of the code used in the cryptosystem.
Depending on the characteristic of the code field, this space of matrices
consists only of symmetric matrices or skew-symmetric matrices. This matrix
space is shown to contain unusually low-rank matrices (rank or
depending on the characteristic) which reveal the secret polynomial structure
of the code. Finding such matrices can then be used to recover the secret key
of the scheme. We devise a dedicated approach in characteristic consisting
in using a Gr\"obner basis modeling that a skew-symmetric matrix is of rank
. This allows to analyze the complexity of solving the corresponding
algebraic system with Gr\"obner bases techniques. This computation behaves
differently when applied to the skew-symmetric matrix space associated with a
random code rather than with a Goppa or an alternant code. This gives a
distinguisher of the latter code family. We give a bound on its complexity
which turns out to interpolate nicely between polynomial and exponential
depending on the code parameters. A distinguisher for alternant/Goppa codes was
already known [FGO+11]. It is of polynomial complexity but works only in a
narrow parameter regime. This new distinguisher is also polynomial for the
parameter regime necessary for [FGO+11] but contrarily to the previous one is
able to operate for virtually all code parameters relevant to cryptography.
Moreover, we use this matrix space to find a polynomial time attack of the
McEliece cryptosystem provided that the Goppa code is distinguishable by the
method of [FGO+11] and its degree is less than , where is the alphabet
size of the code.Comment: 61 page
A new approach based on quadratic forms to attack the McEliece cryptosystem
We introduce a novel algebraic approach for attacking the McEliece cryptosystem which is currently at the -th round of the NIST competition. The contributions of the article are twofold.
(1) We present a new distinguisher on alternant and Goppa codes working in a much broader range of parameters than \cite{FGOPT11}.
(2) With this approach we also provide a polynomial--time key recovery attack on alternant codes which are distinguishable with the distinguisher \cite{FGOPT11}.
These results are obtained by introducing a subspace of matrices representing quadratic forms. Those are associated with quadratic relations for the component-wise product in the dual of the Goppa (or alternant) code of the cryptosystem. It turns out that this subspace of matrices contains matrices of unusually small rank in the case of alternant or Goppa codes ( or depending on the field characteristic) revealing the secret polynomial structure of the code.
MinRank solvers can then be used to recover the secret key of the scheme. We devise a dedicated algebraic modeling in characteristic where the Gröbner basis techniques to solve it can be analyzed.
This computation behaves differently when applied to the matrix space associated with a random code rather than with a Goppa or an alternant code. This gives a distinguisher of the latter code families, which contrarily to the one proposed in \cite{FGOPT11} working only in a tiny parameter regime is now able to work for code rates above . It applies to most of the instantiations of the McEliece cryptosystem in the literature. It coincides with the one of \cite{FGOPT11}
when the latter can be applied (and is therefore of polynomial complexity in this case). However, its complexity increases significantly when \cite{FGOPT11} does not apply anymore, but stays subexponential as long as the co-dimension of the code is sublinear in the length (with an asymptotic exponent which is below those of all known key recovery or message attacks). For the concrete parameters of the McEliece NIST submission \cite{ABCCGLMMMNPPPSSSTW20}, its complexity is way too complex to threaten the cryptosystem, but is smaller than known key recovery attacks for most of the parameters of the submission. This subspace of quadratic forms can also be used in a different manner to give a polynomial time attack of the McEliece cryptosystem based on generic alternant codes or Goppa codes provided that these codes are distinguishable by the method of \cite{FGOPT11}, and in the Goppa case we need the additional assumption that its degree is less than , where is the alphabet size of the code