12 research outputs found
Worst case QC-MDPC decoder for McEliece cryptosystem
McEliece encryption scheme which enjoys relatively small key sizes as well as
a security reduction to hard problems of coding theory. Furthermore, it remains
secure against a quantum adversary and is very well suited to low cost
implementations on embedded devices.
Decoding MDPC codes is achieved with the (iterative) bit flipping algorithm,
as for LDPC codes. Variable time decoders might leak some information on the
code structure (that is on the sparse parity check equations) and must be
avoided. A constant time decoder is easy to emulate, but its running time
depends on the worst case rather than on the average case. So far,
implementations have focused on minimizing the average cost. We show that the
tuning of the algorithm is not the same for reducing the maximal number of
iterations as for reducing the average cost. This provides some indications on
how to engineer the QC-MDPC-McEliece scheme to resist a timing side-channel
attack.
Comment: 5 pages, conference ISIT 201
On Critical Relative Distance of DNA Codes for Additive Stem Similarity
We consider DNA codes based on the nearest-neighbor (stem) similarity model
which adequately reflects the "hybridization potential" of two DNA sequences.
Our aim is to present a survey of bounds on the rate of DNA codes with respect
to a thermodynamically motivated similarity measure called an additive stem
similarity. These results yield a method to analyze and compare known samples
of the nearest neighbor "thermodynamic weights" associated to stacked pairs
that occurred in DNA secondary structures.
Comment: 5 or 6 pages (compiler-dependent), 0 figures, submitted to 2010 IEEE
International Symposium on Information Theory (ISIT 2010), uses IEEEtran.cl
3-Designs from all Z4-Goethals-like codes with block size 7 and 8
Abstract: We construct a family of simple 3-(2^m, 8, 14(2^m − 8)/3) designs, with odd m ≥ 5, from all Z_4-Goethals-like codes G_k. In addition, these designs imply the existence of other design families with the same parameters as the designs constructed from the Z_4-Goethals code G_1, i.e. the designs with a block size 7 by Shin, Kumar, and Helleseth and the designs with a block size 8 by Ranto. In the existence proofs we count the number of solutions to certain systems of equations over finite fields and use properties of Dickson and linearized polynomials. Also, the nonequivalence of the designs from different Goethals-like codes is considered.
Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes
Encryption schemes based on the rank metric lead to small public key sizes of
order of few thousands bytes which represents a very attractive feature
compared to Hamming metric-based encryption schemes where public key sizes are
of order of hundreds of thousands bytes even with additional structures like
the cyclicity. The main tool for building public key encryption schemes in rank
metric is the McEliece encryption setting used with the family of Gabidulin
codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and
Tretjakov, many systems have been proposed based on different masking
techniques for Gabidulin codes. Nevertheless, over the years all these systems
were attacked essentially by the use of an attack proposed by Overbeck.
In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was
not in the McEliece setting. The scheme is very efficient, with small public
keys of a few kilobytes and with security closely related to the
linearized polynomial reconstruction problem, which corresponds to the decoding
problem of Gabidulin codes. The structure of the scheme differs considerably
from the classical McEliece setting and, until our work, the scheme had never
been attacked. We show in this article that this scheme, like other schemes
based on Gabidulin codes, is also vulnerable to a polynomial-time attack that
recovers the private key by applying Overbeck's attack on an appropriate public
code. As an example, we break concrete proposed bit-security parameters in
a few seconds.
Comment: To appear in Designs, Codes and Cryptography Journa
Algorithms for computing cryptographic characteristics of vectorial boolean functions
We present algorithms for computing the following cryptographic characteristics of vectorial Boolean functions: the order of correlation immunity, the nonlinearity, the component algebraic immunity, and the differential uniformity. The components of a vectorial Boolean function are enumerated in the order given by a Gray code. Experimental results are given for random vectorial Boolean functions, for permutations, and for two special classes K_n and S_{n,k} of invertible vectorial Boolean functions in n variables whose coordinates depend essentially on all variables and on a given number k < n of variables, respectively. Some properties of the differential uniformity of functions from the classes K_n and S_{n,k} are proved.
Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups
The main practical limitation of the McEliece public-key encryption scheme is
probably the size of its key. A famous trend to overcome this issue is to focus
on subclasses of alternant/Goppa codes with a non-trivial automorphism group.
Such codes then display symmetries allowing compact parity-check or generator
matrices. For instance, a key reduction is obtained by taking quasi-cyclic (QC)
or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such
symmetric alternant/Goppa codes in cryptography introduces a fundamental
weakness. It is indeed possible to reduce the key recovery on the original
symmetric public code to the key recovery on a (much) smaller code that no
longer has any symmetries. This result is obtained thanks to a new operation on codes
called folding that exploits the knowledge of the automorphism group. This
operation consists of adding the coordinates of codewords which belong to the
same orbit under the action of the automorphism group. The advantage is
twofold: the reduction factor can be as large as the size of the orbits, and it
preserves a fundamental property: folding the dual of an alternant (resp.
Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point
is to show that all the existing constructions of alternant/Goppa codes with
symmetries follow a common principle of taking codes whose support is globally
invariant under the action of affine transformations (by building upon prior
works of T. Berger and A. Dür). This enables us not only to present a
unified view but also to generalize the construction of QC, QD and even
quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to
boost up any key-recovery attack on McEliece systems based on symmetric
alternant or Goppa codes, and in particular algebraic attacks.
Comment: 19 page
Fast Evaluation of Interlace Polynomials on Graphs of Bounded Treewidth
We consider the multivariate interlace polynomial introduced by Courcelle
(2008), which generalizes several interlace polynomials defined by Arratia,
Bollobás, and Sorkin (2004) and by Aigner and van der Holst (2004). We present
an algorithm to evaluate the multivariate interlace polynomial of a graph with
n vertices given a tree decomposition of the graph of width k. The best
previously known result (Courcelle 2008) employs a general logical framework
and leads to an algorithm with running time f(k)*n, where f(k) is doubly
exponential in k. Analyzing the GF(2)-rank of adjacency matrices in the context
of tree decompositions, we give a faster and more direct algorithm. Our
algorithm uses 2^{3k^2+O(k)}*n arithmetic operations and can be efficiently
implemented in parallel.
Comment: v4: Minor error in Lemma 5.5 fixed, Section 6.6 added, minor
improvements. 44 pages, 14 figure
Cryptanalysis of the multivariate encryption scheme EFLASH
Post-Quantum Cryptography studies cryptographic algorithms that quantum computers cannot break. Recent advances in quantum computing have made this kind of cryptography necessary, and research in the field has surged over the last years as a result. One of the main families of post-quantum cryptographic schemes is based on finding solutions of a polynomial system over finite fields. This family, known as multivariate cryptography, includes both public key encryption and signature schemes.
The majority of the research contribution of this thesis is devoted to understanding the security of multivariate cryptography. We mainly focus on big field schemes, i.e., constructions that utilize the structure of a large extension field. One essential contribution is an increased understanding of how Gröbner basis algorithms can exploit this structure. The increased knowledge furthermore allows us to design new attacks in this setting. In particular, the methods are applied to two encryption schemes suggested in the literature: EFLASH and Dob. We show that the recommended parameters for these schemes will not achieve the proposed 80-bit security. Moreover, it seems unlikely that there can be secure and efficient variants based on these ideas. Another contribution is the study of the effectiveness and limitations of a recently proposed rank attack. Finally, we analyze some of the algebraic properties of MiMC, a block cipher designed to minimize its multiplicative complexity.
Doktorgradsavhandlin
Injective Rank Metric Trapdoor Functions with Homogeneous Errors
In rank-metric cryptography, a vector from a finite dimensional linear space
over a finite field is viewed as the linear space spanned by its entries. The
rank decoding problem, which is the analogue of the problem of decoding a random
linear code, consists of recovering a basis of a random noise vector that was
used to perturb a set of random linear equations sharing a secret solution.
Assuming the intractability of this problem, we introduce a new construction of
injective one-way trapdoor functions. Our solution departs from the frequent
way of building public key primitives from error-correcting codes where, to
establish the security, ad hoc assumptions about a hidden structure are made.
Our method produces a hard-to-distinguish linear code together with low weight
vectors which constitute the secret that helps recover the inputs. The key idea
is to focus on trapdoor functions that take sufficiently many input vectors
sharing the same support. Then, applying the error-correcting algorithm designed
for Low Rank Parity Check (LRPC) codes, we obtain an inverting algorithm that
recovers the inputs with overwhelming probability.
MQ problem
The aim of this thesis is to describe the general MQ problem with a focus on its variant called HFE, outline several attacks on a basic scheme based on HFE, and describe a new attack on HFEz, a cryptosystem based on special polynomials over finite fields with a modification which discards a portion of the output from the initial transformation. This ensures a dependency on more variables while keeping the same size of the field extension. The attack starts with a translation of HFEz into HFE with branches, followed by the branch-separating algorithm described in [Fel06]. The separation algorithm uses the public key to derive an operation which induces (together with addition) a commutative, non-associative algebra. Utilising some properties of non-associative algebras, a matrix which can separate the variables into distinct sets according to the branches is calculated. This leads to stripping off the HFEz modification and thus allows us to attack the HFE polynomial directly.
Department of Algebra, Faculty of Mathematics and Physics