A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes

Bogdanov and Lee suggested a homomorphic public-key encryption scheme based on error correcting codes. The underlying public code is a modified Reed-Solomon code obtained from inserting a zero submatrix in the Vandermonde generating matrix defining it. The columns that define this submatrix are kept secret and form a set $L$. We give here a distinguisher that detects if one or several columns belong to $L$ or not. This distinguisher is obtained by considering the code generated by component-wise products of codewords of the public code (the so called "square code"). This operation is applied to punctured versions of this square code obtained by picking a subset $I$ of the whole set of columns. It turns out that the dimension of the punctured square code is directly related to the cardinality of the intersection of $I$ with $L$. This allows an attack which recovers the full set $L$ and which can then decrypt any ciphertext.Comment: 11 page

New Identities Relating Wild Goppa Codes

For a given support $L \in \mathbb{F}_{q^m}^n$ and a polynomial $g\in \mathbb{F}_{q^m}[x]$ with no roots in $\mathbb{F}_{q^m}$, we prove equality between the $q$-ary Goppa codes $\Gamma_q(L,N(g)) = \Gamma_q(L,N(g)/g)$ where $N(g)$ denotes the norm of $g$, that is $g^{q^{m-1}+\cdots +q+1}.$ In particular, for $m=2$, that is, for a quadratic extension, we get $\Gamma_q(L,g^q) = \Gamma_q(L,g^{q+1})$. If $g$ has roots in $\mathbb{F}_{q^m}$, then we do not necessarily have equality and we prove that the difference of the dimensions of the two codes is bounded above by the number of distinct roots of $g$ in $\mathbb{F}_{q^m}$. These identities provide numerous code equivalences and improved designed parameters for some families of classical Goppa codes.Comment: 14 page

A Distinguisher-Based Attack on a Variant of McEliece's Cryptosystem Based on Reed-Solomon Codes

Baldi et \textit{al.} proposed a variant of McEliece's cryptosystem. The main idea is to replace its permutation matrix by adding to it a rank 1 matrix. The motivation for this change is twofold: it would allow the use of codes that were shown to be insecure in the original McEliece's cryptosystem, and it would reduce the key size while keeping the same security against generic decoding attacks. The authors suggest to use generalized Reed-Solomon codes instead of Goppa codes. The public code built with this method is not anymore a generalized Reed-Solomon code. On the other hand, it contains a very large secret generalized Reed-Solomon code. In this paper we present an attack that is built upon a distinguisher which is able to identify elements of this secret code. The distinguisher is constructed by considering the code generated by component-wise products of codewords of the public code (the so-called "square code"). By using square-code dimension considerations, the initial generalized Reed-Solomon code can be recovered which permits to decode any ciphertext. A similar technique has already been successful for mounting an attack against a homomorphic encryption scheme suggested by Bogdanoc et \textit{al.}. This work can be viewed as another illustration of how a distinguisher of Reed-Solomon codes can be used to devise an attack on cryptosystems based on them.Comment: arXiv admin note: substantial text overlap with arXiv:1203.668

Co-Registration of Optically Sensed Images and Correlation (COSI-Corr): an Operational Methodology for Ground Deformation Measurements

Recent methodological progress, Co-Registration of Optically Sensed Images and Correlation, outlined here, makes it possible to measure horizontal ground deformation from optical images on an operational basis, using the COSI-Corr software package. In particular, its sub-pixel capabilities allow for accurate mapping of surface ruptures and measurement of co-seismic offsets. We retrieved the fault rupture of the 2005 Mw 7.6 Kashmir earthquake from ASTER images, and we also present a dense mapping of the 1992 Mw 7.3 Landers earthquake of California, from the mosaicking of 30 pairs of aerial images

Algebraic Properties of Polar Codes From a New Polynomial Formalism

Polar codes form a very powerful family of codes with a low complexity decoding algorithm that attain many information theoretic limits in error correction and source coding. These codes are closely related to Reed-Muller codes because both can be described with the same algebraic formalism, namely they are generated by evaluations of monomials. However, finding the right set of generating monomials for a polar code which optimises the decoding performances is a hard task and channel dependent. The purpose of this paper is to reveal some universal properties of these monomials. We will namely prove that there is a way to define a nontrivial (partial) order on monomials so that the monomials generating a polar code devised fo a binary-input symmetric channel always form a decreasing set. This property turns out to have rather deep consequences on the structure of the polar code. Indeed, the permutation group of a decreasing monomial code contains a large group called lower triangular affine group. Furthermore, the codewords of minimum weight correspond exactly to the orbits of the minimum weight codewords that are obtained from (evaluations) of monomials of the generating set. In particular, it gives an efficient way of counting the number of minimum weight codewords of a decreasing monomial code and henceforth of a polar code.Comment: 14 pages * A reference to the work of Bernhard Geiger has been added (arXiv:1506.05231) * Lemma 3 has been changed a little bit in order to prove that Proposition 7.1 in arXiv:1506.05231 holds for any binary input symmetric channe

Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups

The main practical limitation of the McEliece public-key encryption scheme is probably the size of its key. A famous trend to overcome this issue is to focus on subclasses of alternant/Goppa codes with a non trivial automorphism group. Such codes display then symmetries allowing compact parity-check or generator matrices. For instance, a key-reduction is obtained by taking quasi-cyclic (QC) or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such symmetric alternant/Goppa codes in cryptography introduces a fundamental weakness. It is indeed possible to reduce the key-recovery on the original symmetric public-code to the key-recovery on a (much) smaller code that has not anymore symmetries. This result is obtained thanks to a new operation on codes called folding that exploits the knowledge of the automorphism group. This operation consists in adding the coordinates of codewords which belong to the same orbit under the action of the automorphism group. The advantage is twofold: the reduction factor can be as large as the size of the orbits, and it preserves a fundamental property: folding the dual of an alternant (resp. Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point is to show that all the existing constructions of alternant/Goppa codes with symmetries follow a common principal of taking codes whose support is globally invariant under the action of affine transformations (by building upon prior works of T. Berger and A. D{\"{u}}r). This enables not only to present a unified view but also to generalize the construction of QC, QD and even quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to boost up any key-recovery attack on McEliece systems based on symmetric alternant or Goppa codes, and in particular algebraic attacks.Comment: 19 page

Influence of camera distortions on satellite image registration and change detection applications

Applications such as change detection and digital elevation model extraction from optical images require a rigorous modeling of the acquisition geometry. We show that the unrecorded satellite jitter during image acquisition, and the uncertainties on the CCD arrays geometry are the current major limiting factors for applications requiring high accuracy. These artifacts are identified and quantified on several optical satellites, i.e., SPOT, ASTER, QuickBird, and HiRISE

Cryptanalysis of Two McEliece Cryptosystems Based on Quasi-Cyclic Codes

We cryptanalyse here two variants of the McEliece cryptosystem based on quasi-cyclic codes. Both aim at reducing the key size by restricting the public and secret generator matrices to be in quasi-cyclic form. The first variant considers subcodes of a primitive BCH code. We prove that this variant is not secure by finding and solving a linear system satisfied by the entries of the secret permutation matrix. The other variant uses quasi-cyclic low density parity-check codes. This scheme was devised to be immune against general attacks working for McEliece type cryptosystems based on low density parity-check codes by choosing in the McEliece scheme more general one-to-one mappings than permutation matrices. We suggest here a structural attack exploiting the quasi-cyclic structure of the code and a certain weakness in the choice of the linear transformations that hide the generator matrix of the code. Our analysis shows that with high probability a parity-check matrix of a punctured version of the secret code can be recovered in cubic time complexity in its length. The complete reconstruction of the secret parity-check matrix of the quasi-cyclic low density parity-check codes requires the search of codewords of low weight which can be done with about $2^{37}$ operations for the specific parameters proposed.Comment: Major corrections. This version supersedes previuos one

La sécurité des ascenseurs avec des communications Ethernet-Based Real-Time

National audiencel'évolution des systèmes de contrôle industriels tendent vers des infrastructures de plus en plus connectées, ce qui les rendent plus dépendantes de réseaux et de protocoles de communication utilisés. Plusieurs travaux existants se sont focalisés sur la fiabilité de ces systèmes et la robustesse de leurs modèles de contrôle en cas de pannes ou de dysfonctionnement. Ces travaux n'ont pas considéré l'aspect réseau qui est devenu un vecteur d'attaque important étant donné l'utilisation de protocoles de communication pour l'échange des informations entre les équipements. Les conséquences de ces attaques, parfois deviennent extrêmement dévastatrices. En effet, récemment ces réseaux sont devenus la cible de plusieurs attaques en exploitant des vulnérabilités présentes dans les couches logicielles ou protocolaires de leurs équipements. Dans le cadre de la nouvelle génération de commande de l'ascenseur, un cas de transition sera analysé à partir d'un composant électrique/électrotechnique au réseau de composants électroniques communiqués dans le cadre de la sécurité du système de déplacement d'un ascenseur. La proposition repose sur la sécurité des modules IP interconnectés entre eux, qui supportent un protocole temps réel industriel (Powerlink, EtherCat et Sercos). Cette proposition représente un des démonstrateurs du projet collaboratif avec un noyau déterministe sûr de fonctionnement par construction

New lift safety architecture to meet PESSRAL requirements

ISBN : 978-1-4799-8171-7International audienceAs part of new lift control generation, we will analyze a transition case from an electrical/electro-mechanical components to a networked control system. The main element we focus on in the lift system is the safety chain. This paper will describe the analysis of dependability requirements (IEC 61508) for the next electronic lift control