12 research outputs found

    Worst case QC-MDPC decoder for McEliece cryptosystem

    McEliece encryption scheme which enjoys relatively small key sizes as well as a security reduction to hard problems of coding theory. Furthermore, it remains secure against a quantum adversary and is very well suited to low cost implementations on embedded devices. Decoding MDPC codes is achieved with the (iterative) bit flipping algorithm, as for LDPC codes. Variable time decoders might leak some information on the code structure (that is on the sparse parity check equations) and must be avoided. A constant time decoder is easy to emulate, but its running time depends on the worst case rather than on the average case. So far implementations were focused on minimizing the average cost. We show that the tuning of the algorithm is not the same to reduce the maximal number of iterations as for reducing the average cost. This provides some indications on how to engineer the QC-MDPC-McEliece scheme to resist a timing side-channel attack.
    Comment: 5 pages, conference ISIT 201

    On Critical Relative Distance of DNA Codes for Additive Stem Similarity

    We consider DNA codes based on the nearest-neighbor (stem) similarity model which adequately reflects the "hybridization potential" of two DNA sequences. Our aim is to present a survey of bounds on the rate of DNA codes with respect to a thermodynamically motivated similarity measure called an additive stem similarity. These results yield a method to analyze and compare known samples of the nearest neighbor "thermodynamic weights" associated to stacked pairs that occurred in DNA secondary structures.
    Comment: 5 or 6 pages (compiler-dependable), 0 figures, submitted to 2010 IEEE International Symposium on Information Theory (ISIT 2010), uses IEEEtran.cls

    3-Designs from all Z4-Goethals-like codes with block size 7 and 8

    Abstract: We construct a family of simple 3-(2^m, 8, 14(2^m − 8)/3) designs, with odd m ≥ 5, from all Z4-Goethals-like codes Gk. In addition, these designs imply the existence of other design families with the same parameters as the designs constructed from the Z4-Goethals code G1, i.e. the designs with a block size 7 by Shin, Kumar, and Helleseth and the designs with a block size 8 by Ranto. In the existence proofs we count the number of solutions to certain systems of equations over finite fields and use properties of Dickson and linearized polynomials. Also, the nonequivalence of the designs from different Goethals-like codes is considered.

    Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes

    Encryption schemes based on the rank metric lead to small public key sizes of order of few thousands bytes which represents a very attractive feature compared to Hamming metric-based encryption schemes where public key sizes are of order of hundreds of thousands bytes even with additional structures like the cyclicity. The main tool for building public key encryption schemes in rank metric is the McEliece encryption setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years all these systems were attacked essentially by the use of an attack proposed by Overbeck. In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was not in the McEliece setting. The scheme is very efficient, with small public keys of size a few kilobytes and with security closely related to the linearized polynomial reconstruction problem which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting and until our work, the scheme had never been attacked. We show in this article that this scheme, like other schemes based on Gabidulin codes, is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck's attack on an appropriate public code. As an example we break concrete proposed 8080 bits security parameters in a few seconds.
    Comment: To appear in Designs, Codes and Cryptography Journal

    Algorithms for computing cryptographic characteristics of vectorial boolean functions

    We present algorithms for computing the following cryptographic characteristics of vectorial Boolean functions: the order of correlation immunity, the nonlinearity, the component algebraic immunity, and the differential uniformity. The components of a vectorial Boolean function are enumerated in the order given by a Gray code. Experimental results are reported for random vectorial Boolean functions, for permutations, and for two special classes Kn and Sn,k of invertible vectorial Boolean functions of n variables whose coordinate functions essentially depend on all variables and on a given number k < n of variables, respectively. Some properties of the differential uniformity of functions from the classes Kn and Sn,k are proved.

    Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups

    The main practical limitation of the McEliece public-key encryption scheme is probably the size of its key. A famous trend to overcome this issue is to focus on subclasses of alternant/Goppa codes with a non-trivial automorphism group. Such codes then display symmetries allowing compact parity-check or generator matrices. For instance, a key-reduction is obtained by taking quasi-cyclic (QC) or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such symmetric alternant/Goppa codes in cryptography introduces a fundamental weakness. It is indeed possible to reduce the key-recovery on the original symmetric public-code to the key-recovery on a (much) smaller code that no longer has symmetries. This result is obtained thanks to a new operation on codes called folding that exploits the knowledge of the automorphism group. This operation consists in adding the coordinates of codewords which belong to the same orbit under the action of the automorphism group. The advantage is twofold: the reduction factor can be as large as the size of the orbits, and it preserves a fundamental property: folding the dual of an alternant (resp. Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point is to show that all the existing constructions of alternant/Goppa codes with symmetries follow a common principle of taking codes whose support is globally invariant under the action of affine transformations (by building upon prior works of T. Berger and A. Dür). This enables not only to present a unified view but also to generalize the construction of QC, QD and even quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to boost up any key-recovery attack on McEliece systems based on symmetric alternant or Goppa codes, and in particular algebraic attacks.
    Comment: 19 pages

    Fast Evaluation of Interlace Polynomials on Graphs of Bounded Treewidth

    We consider the multivariate interlace polynomial introduced by Courcelle (2008), which generalizes several interlace polynomials defined by Arratia, Bollobás, and Sorkin (2004) and by Aigner and van der Holst (2004). We present an algorithm to evaluate the multivariate interlace polynomial of a graph with n vertices given a tree decomposition of the graph of width k. The best previously known result (Courcelle 2008) employs a general logical framework and leads to an algorithm with running time f(k)*n, where f(k) is doubly exponential in k. Analyzing the GF(2)-rank of adjacency matrices in the context of tree decompositions, we give a faster and more direct algorithm. Our algorithm uses 2^{3k^2+O(k)}*n arithmetic operations and can be efficiently implemented in parallel.
    Comment: v4: Minor error in Lemma 5.5 fixed, Section 6.6 added, minor improvements. 44 pages, 14 figures

    Cryptanalysis of the multivariate encryption scheme EFLASH

    Post-Quantum Cryptography studies cryptographic algorithms that quantum computers cannot break. Recent advances in quantum computing have made this kind of cryptography necessary, and research in the field has surged over the last years as a result. One of the main families of post-quantum cryptographic schemes is based on finding solutions of a polynomial system over finite fields. This family, known as multivariate cryptography, includes both public key encryption and signature schemes. The majority of the research contribution of this thesis is devoted to understanding the security of multivariate cryptography. We mainly focus on big field schemes, i.e., constructions that utilize the structure of a large extension field. One essential contribution is an increased understanding of how Gröbner basis algorithms can exploit this structure. The increased knowledge furthermore allows us to design new attacks in this setting. In particular, the methods are applied to two encryption schemes suggested in the literature: EFLASH and Dob. We show that the recommended parameters for these schemes will not achieve the proposed 80-bit security. Moreover, it seems unlikely that there can be secure and efficient variants based on these ideas. Another contribution is the study of the effectiveness and limitations of a recently proposed rank attack. Finally, we analyze some of the algebraic properties of MiMC, a block cipher designed to minimize its multiplicative complexity.
    Doctoral thesis

    Injective Rank Metric Trapdoor Functions with Homogeneous Errors

    In rank-metric cryptography, a vector from a finite dimensional linear space over a finite field is viewed as the linear space spanned by its entries. The rank decoding problem, which is the analogue of the problem of decoding a random linear code, consists in recovering a basis of a random noise vector that was used to perturb a set of random linear equations sharing a secret solution. Assuming the intractability of this problem, we introduce a new construction of injective one-way trapdoor functions. Our solution departs from the frequent way of building public key primitives from error-correcting codes where, to establish the security, ad hoc assumptions about a hidden structure are made. Our method produces a hard-to-distinguish linear code together with low weight vectors which constitute the secret that helps recover the inputs. The key idea is to focus on trapdoor functions that take sufficiently many input vectors sharing the same support. Then applying the error correcting algorithm designed for Low Rank Parity Check (LRPC) codes, we obtain an inverting algorithm that recovers the inputs with overwhelming probability.

    MQ problem

    The aim of this thesis is to describe a general MQ Problem with a focus on its variant called HFE, outline several attacks on a basic scheme based on HFE and describe a new attack on HFEz, a cryptosystem based on special polynomials over finite fields with a modification, which discards a portion of the output from the initial transformation. This ensures a dependency on more variables while keeping the same size of the field. The attack starts with a translation of HFE into HFE with branches, followed by a branch separating algorithm described in [Fel06]. The separation algorithm uses the public key to derive an operation, which induces (with addition) a non-associative algebra. Utilising some properties of non-associative algebras, a matrix, which can separate variables into distinct sets according to branches, is calculated. This leads to stripping off the HFEz modification and thus allowing us to attack directly the HFE polynomial.
    Department of Algebra, Faculty of Mathematics and Physics