An IND-CCA-Secure Code-Based Encryption Scheme Using Rank Metric
The use of the rank metric instead of the Hamming metric has been proposed to address the main drawback of code-based cryptography: large key sizes. Several Key Encapsulation Mechanisms (KEM) and Public Key Encryption (PKE) schemes use the rank metric, including some submissions to the NIST call for standardization of Post-Quantum Cryptography. In this work, we present an IND-CCA PKE scheme based on the McEliece adaptation to the rank metric proposed by Loidreau at PQC 2017. This rank-metric IND-CCA PKE scheme does not use a hybrid construction (KEM + symmetric encryption). Instead, we take advantage of the larger message space that the parameters chosen in the rank metric allow, so that multiple keys can be exchanged in one ciphertext. Our proposal is designed around specific properties of the random error generated during encryption. We prove our proposal IND-CCA-secure in the QROM using the security notion of disjoint simulatability introduced by Saito et al. at Eurocrypt 2018. Moreover, we provide security bounds using the semi-oracles introduced by Ambainis et al.
An Algebraic Approach for Decoding Spread Codes
In this paper we study spread codes: a family of constant-dimension codes for random linear network coding. In other words, the codewords are full-rank matrices of size (k x n) with entries in a finite field F_q. Spread codes are a family of optimal codes with maximal minimum distance. We give a minimum-distance decoding algorithm which requires O((n-k)k^3) operations over an extension field F_{q^k}. Our algorithm is more efficient than the previous ones in the literature when the dimension k of the codewords is small with respect to n. The decoding algorithm takes advantage of the algebraic structure of the code, and it uses original results on minors of a matrix and on the factorization of polynomials over finite fields.
Two attacks on rank metric code-based schemes: RankSign and an Identity-Based-Encryption scheme
RankSign [GRSZ14a] is a code-based signature scheme proposed to the NIST competition for quantum-safe cryptography [AGHRZ17] and, moreover, is a fundamental building block of a new Identity-Based-Encryption (IBE) scheme [GHPT17a]. This signature scheme is based on the rank metric and enjoys remarkably small key sizes, about 10 KBytes for an intended security level of 128 bits. Unfortunately, we will show that all the parameters proposed for this scheme in [AGHRZ17] can be broken by an algebraic attack that exploits the fact that the augmented LRPC codes used in this scheme have very low weight codewords. Therefore, without RankSign the IBE cannot be instantiated at this time. As a second contribution we will show that the problem is deeper than finding a new signature scheme in rank-based cryptography: we also found an attack on the generic problem upon which its security reduction relies. However, contrary to the RankSign scheme, it seems that the parameters of the IBE scheme could be chosen so as to avoid our attack. Finally, we have also shown that if one replaces the rank metric in the [GHPT17a] IBE scheme by the Hamming metric, then a devastating attack can be found.
Algebraic Attack against Variants of McEliece with Goppa Polynomial of a Special Form
In this paper, we present a new algebraic attack against some special cases of Wild McEliece Incognito, a generalization of the original McEliece cryptosystem. This attack does not threaten the original McEliece cryptosystem. We prove that recovering the secret key for such schemes is equivalent to solving a system of polynomial equations whose solutions have the structure of a usual vector space. Consequently, to recover a basis of this vector space, we can greatly reduce the number of variables in the corresponding algebraic system. From these solutions, we can then deduce the basis of a GRS code. Finally, the last step of the cryptanalysis of those schemes corresponds to attacking a McEliece scheme instantiated with particular GRS codes (with a polynomial relation between the support and the multipliers), which can be done in polynomial time thanks to a variant of the Sidelnikov-Shestakov attack. For Wild McEliece & Incognito, we also show that solving the corresponding algebraic system is notably easier in the case of a non-prime base field F_q. To support our theoretical results, we have been able to practically break several parameters defined over a non-prime base field F_q with q in {9, 16, 25, 27, 32}, t < 7, extension degrees m in {2, 3}, and security level up to 2^129 against information set decoding, in a few minutes or hours.
Asymptotic behaviour of codes in rank metric over finite fields
In this paper, we first recall some basic facts about the rank metric. We then derive an asymptotic equivalent of the minimum rank distance of codes that reach the rank-metric Gilbert-Varshamov bound. We then derive an asymptotic equivalent of the average minimum rank distance of random codes, and show that random codes reach the GV bound. Finally, we show that optimal codes in the rank metric have a packing density which is bounded by functions depending only on the base field and the minimum distance, and we show the potential interest in cryptographic applications.
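The rank weight that this abstract recalls, and the subspace distance that the spread-code entry above relies on, both come down to ranks over F_q. The following is an added worked example in Python, not code from any of the listed papers: it expands a vector over GF(2^6) (defined here by x^6 + x + 1, an assumption) into its binary matrix to compute the rank weight, checks that the rank weight is unchanged by multiplication by an invertible matrix over F_2 and by a scalar of GF(2^6), and then builds the standard Desarguesian spread of F_2^4 from the matrix representation of GF(4) and verifies that it has minimum subspace distance 2k. The example vector and all function names are constructed for this illustration.

```python
"""Rank weight over GF(2^m) and the subspace distance of a binary spread code.

Both reduce to ranks over F_2.  Elements of GF(2^M) are ints whose bits are
the coefficients in the polynomial basis; binary row vectors are ints too.
Added example: parameters and inputs below are assumptions, not from any paper.
"""

M = 6                 # rank-metric example lives in GF(2^6)
POLY = 0b1000011      # x^6 + x + 1, irreducible over GF(2) (assumed field)
N = 8                 # vector length
K = 2                 # spread code: k = 2, n = 2k = 4, q = 2


def gf2_rank(vectors, dim):
    """Rank over GF(2) of bit-vectors (ints of at most `dim` bits)."""
    basis = [0] * dim          # basis[i]: a reduced vector whose top set bit is i
    rank = 0
    for v in vectors:
        for i in range(dim - 1, -1, -1):
            if not (v >> i) & 1:
                continue
            if basis[i] == 0:
                basis[i] = v
                rank += 1
                break
            v ^= basis[i]
    return rank


def gf2m_mul(a, b):
    """Multiply a, b in GF(2^M), reducing modulo POLY."""
    r = 0
    for i in range(M):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(2 * M - 2, M - 1, -1):
        if (r >> i) & 1:
            r ^= POLY << (i - M)
    return r


def rank_weight(x):
    """wt_R(x): F_2-rank of the M x n matrix whose columns are the coordinates
    of x written in the polynomial basis of GF(2^M)."""
    return gf2_rank(list(x), M)


def hamming_weight(x):
    return sum(1 for c in x if c)


def right_multiply(x, p_rows):
    """x * P for P in GL_n(F_2), P given as n row bit-vectors (bit j of row i
    is P[i][j]).  Coordinates only combine over F_2, so the column space of
    the expanded matrix, hence wt_R, is preserved."""
    out = [0] * len(x)
    for i, row in enumerate(p_rows):
        for j in range(len(x)):
            if (row >> j) & 1:
                out[j] ^= x[i]
    return out


def rank_metric_demo():
    """Constructed vector: Hamming weight 7 but every coordinate lies in the
    2-dimensional F_2-span of {a, b}, so the rank weight is only 2."""
    a, b = 0b000001, 0b000010
    x = [a, b, a ^ b, a, 0, b, a ^ b, a]
    # unitriangular P (ones on diagonal and superdiagonal) is invertible
    p_rows = [(1 << i) | (1 << (i + 1)) for i in range(N - 1)] + [1 << (N - 1)]
    assert gf2_rank(p_rows, N) == N
    alpha = 0b100101                      # x^5 + x^2 + 1 in GF(2^6)
    return (hamming_weight(x), rank_weight(x),
            rank_weight(right_multiply(x, p_rows)),
            rank_weight([gf2m_mul(alpha, c) for c in x]))


def subspace_distance(u_rows, v_rows, n):
    """d_S(U, V) = dim U + dim V - 2 dim(U ∩ V), using dim(U+V) = rank([U; V])."""
    du, dv = gf2_rank(u_rows, n), gf2_rank(v_rows, n)
    return 2 * gf2_rank(list(u_rows) + list(v_rows), n) - du - dv


def spread_code_f4():
    """Desarguesian spread of F_2^4 by 2-dim subspaces: row spaces of [I | A]
    for A in the matrix representation {0, I, C, C^2} of GF(4), C being the
    companion matrix of x^2 + x + 1, plus [0 | I].  Gives 2^2 + 1 codewords,
    each a list of K row bit-vectors of 2K bits."""
    zero, ident = [0b00, 0b00], [0b01, 0b10]
    c, c2 = [0b10, 0b11], [0b11, 0b01]    # C and C^2 = C + I, rows as bit-vectors
    code = [[(1 << i) | (a[i] << K) for i in range(K)] for a in (zero, ident, c, c2)]
    code.append([(1 << i) << K for i in range(K)])
    return code


def min_distance(code, n):
    return min(subspace_distance(u, v, n)
               for i, u in enumerate(code) for v in code[i + 1:])


def spans_everything(code, n):
    """A spread partitions the nonzero vectors of F_2^n among its codewords."""
    seen = set()
    for rows in code:
        for mask in range(1, 1 << len(rows)):
            v = 0
            for i, r in enumerate(rows):
                if (mask >> i) & 1:
                    v ^= r
            seen.add(v)
    return len(seen) == (1 << n) - 1


if __name__ == "__main__":
    print("hamming, rank, rank after xP, rank after alpha*x:", rank_metric_demo())
    code = spread_code_f4()
    print("spread code: %d words, d_min = %d" % (len(code), min_distance(code, 2 * K)))
```

The two invariances in `rank_metric_demo` are the reason rank-metric McEliece variants can hide a structured code behind an invertible matrix over the base field without changing error weights, and the gap between Hamming weight 7 and rank weight 2 is exactly why "low weight" means something different for the augmented LRPC codes attacked in the RankSign entry.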
Using the Trace Operator to repair the Polynomial Reconstruction based Cryptosystem
In this paper, we present a modification of the Augot-Finiasz cryptosystem presented at EUROCRYPT 2003. Coron managed to design an attack against the original cryptosystem enabling an attacker to decrypt any intercepted ciphertext efficiently. We introduce here a modification of the scheme which appears to resist this attack. We furthermore propose parameters thwarting the state-of-the-art attacks.