78 research outputs found
A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes
Bogdanov and Lee suggested a homomorphic public-key encryption scheme based
on error correcting codes. The underlying public code is a modified
Reed-Solomon code obtained from inserting a zero submatrix in the Vandermonde
generating matrix defining it. The columns that define this submatrix are kept
secret and form a set . We give here a distinguisher that detects if one or
several columns belong to or not. This distinguisher is obtained by
considering the code generated by component-wise products of codewords of the
public code (the so called "square code"). This operation is applied to
punctured versions of this square code obtained by picking a subset
of the whole set of columns. It turns out that the dimension of the
punctured square code is directly related to the cardinality of the
intersection of with . This allows an attack which recovers the full set
and which can then decrypt any ciphertext.Comment: 11 page
Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes
Encryption schemes based on the rank metric lead to small public key sizes of
order of few thousands bytes which represents a very attractive feature
compared to Hamming metric-based encryption schemes where public key sizes are
of order of hundreds of thousands bytes even with additional structures like
the cyclicity. The main tool for building public key encryption schemes in rank
metric is the McEliece encryption setting used with the family of Gabidulin
codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and
Tretjakov, many systems have been proposed based on different masking
techniques for Gabidulin codes. Nevertheless, over the years all these systems
were attacked essentially by the use of an attack proposed by Overbeck.
In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was
not in the McEliece setting. The scheme is very efficient, with small public
keys of size a few kiloBytes and with security closely related to the
linearized polynomial reconstruction problem which corresponds to the decoding
problem of Gabidulin codes. The structure of the scheme differs considerably
from the classical McEliece setting and until our work, the scheme had never
been attacked. We show in this article that this scheme like other schemes
based on Gabidulin codes, is also vulnerable to a polynomial-time attack that
recovers the private key by applying Overbeck's attack on an appropriate public
code. As an example we break concrete proposed bits security parameters in
a few seconds.Comment: To appear in Designs, Codes and Cryptography Journa
New Identities Relating Wild Goppa Codes
For a given support and a polynomial with no roots in , we prove equality
between the -ary Goppa codes where
denotes the norm of , that is In
particular, for , that is, for a quadratic extension, we get
. If has roots in
, then we do not necessarily have equality and we prove that
the difference of the dimensions of the two codes is bounded above by the
number of distinct roots of in . These identities provide
numerous code equivalences and improved designed parameters for some families
of classical Goppa codes.Comment: 14 page
A Distinguisher-Based Attack on a Variant of McEliece's Cryptosystem Based on Reed-Solomon Codes
Baldi et \textit{al.} proposed a variant of McEliece's cryptosystem. The main
idea is to replace its permutation matrix by adding to it a rank 1 matrix. The
motivation for this change is twofold: it would allow the use of codes that
were shown to be insecure in the original McEliece's cryptosystem, and it would
reduce the key size while keeping the same security against generic decoding
attacks. The authors suggest to use generalized Reed-Solomon codes instead of
Goppa codes. The public code built with this method is not anymore a
generalized Reed-Solomon code. On the other hand, it contains a very large
secret generalized Reed-Solomon code. In this paper we present an attack that
is built upon a distinguisher which is able to identify elements of this secret
code. The distinguisher is constructed by considering the code generated by
component-wise products of codewords of the public code (the so-called "square
code"). By using square-code dimension considerations, the initial generalized
Reed-Solomon code can be recovered which permits to decode any ciphertext. A
similar technique has already been successful for mounting an attack against a
homomorphic encryption scheme suggested by Bogdanoc et \textit{al.}. This work
can be viewed as another illustration of how a distinguisher of Reed-Solomon
codes can be used to devise an attack on cryptosystems based on them.Comment: arXiv admin note: substantial text overlap with arXiv:1203.668
Low Complexity Tail-Biting Trellises for Some Extremal Self-Dual Codes
International audienceWe obtain low complexity tail-biting trellises for some extremal self-dual codes for various lengths and fields such as the [12,6,6] ternary Golay code and a [24,12,8] Hermitian self-dual code over GF(4). These codes are obtained from a particular family of cyclic Tanner graphs called necklace factor graphs
An Upper-Bound on the Decoding Failure Probability of the LRPC Decoder
Low Rank Parity Check (LRPC) codes form a class of rank-metric
error-correcting codes that was purposely introduced to design public-key
encryption schemes. An LRPC code is defined from a parity check matrix whose
entries belong to a relatively low dimensional vector subspace of a large
finite field. This particular algebraic feature can then be exploited to
correct with high probability rank errors when the parameters are appropriately
chosen. In this paper, we present theoretical upper-bounds on the probability
that the LRPC decoding algorithm fails
Algebraic Properties of Polar Codes From a New Polynomial Formalism
Polar codes form a very powerful family of codes with a low complexity
decoding algorithm that attain many information theoretic limits in error
correction and source coding. These codes are closely related to Reed-Muller
codes because both can be described with the same algebraic formalism, namely
they are generated by evaluations of monomials. However, finding the right set
of generating monomials for a polar code which optimises the decoding
performances is a hard task and channel dependent. The purpose of this paper is
to reveal some universal properties of these monomials. We will namely prove
that there is a way to define a nontrivial (partial) order on monomials so that
the monomials generating a polar code devised fo a binary-input symmetric
channel always form a decreasing set.
This property turns out to have rather deep consequences on the structure of
the polar code. Indeed, the permutation group of a decreasing monomial code
contains a large group called lower triangular affine group. Furthermore, the
codewords of minimum weight correspond exactly to the orbits of the minimum
weight codewords that are obtained from (evaluations) of monomials of the
generating set. In particular, it gives an efficient way of counting the number
of minimum weight codewords of a decreasing monomial code and henceforth of a
polar code.Comment: 14 pages * A reference to the work of Bernhard Geiger has been added
(arXiv:1506.05231) * Lemma 3 has been changed a little bit in order to prove
that Proposition 7.1 in arXiv:1506.05231 holds for any binary input symmetric
channe
Contribution à la cryptanalyse de primitives cryptographiques fondées sur la théorie des codes
A large part in the design of secure cryptographic primitives consists in identifying hard algorithmic problems. Despite the fact that several problems have been proposed as a foundation for public-key primitives, those effectively used are essentially classical problems coming from integer factorization and discrete logarithm. On the other hand, coding theory appeared with the goal to solve the challenging problem of decoding a random linear code. It is widely admitted as a hard problem that has led McEliece in 1978 to propose the first code-based public-key encryption scheme. The key concept is to focus on codes that come up with an efficient decoding algorithm. He also advocated the use of binary Goppa codes. Since then, it belongs to the very few cryptosystems which remain unbroken. This thesis is primarily interested in studying the security of code-based primitives. The first category we analyzed consists of variants of the McEliece cryptosystem. Our works expose practical key-recovery attacks either by mounting dedicated techniques, or by devising algebraic attacks. This latter result also provides a new framework to assess the security of the McEliece cryptosystem and a first step towards the design of attacks based on the solving of algebraic systems. Furthermore, we show that this approach can be used to study the Goppa Code Distinguishing problem, which asks whether there is an efficient way to distinguish a Goppa code from a randomly drawn linear code. It represents an important assumption which supports the use of Goppa codes in cryptography. We show that it is possible to efficiently solve it as long as the code rate is sufficiently high. Finally, we investigate the security of a signature scheme based on two random linear codes. Our analysis shows that the attack is sensitive to their rates and can be practical when the rates are close
Cryptanalysis of Two McEliece Cryptosystems Based on Quasi-Cyclic Codes
We cryptanalyse here two variants of the McEliece cryptosystem based on
quasi-cyclic codes. Both aim at reducing the key size by restricting the public
and secret generator matrices to be in quasi-cyclic form. The first variant
considers subcodes of a primitive BCH code. We prove that this variant is not
secure by finding and solving a linear system satisfied by the entries of the
secret permutation matrix.
The other variant uses quasi-cyclic low density parity-check codes. This
scheme was devised to be immune against general attacks working for McEliece
type cryptosystems based on low density parity-check codes by choosing in the
McEliece scheme more general one-to-one mappings than permutation matrices. We
suggest here a structural attack exploiting the quasi-cyclic structure of the
code and a certain weakness in the choice of the linear transformations that
hide the generator matrix of the code. Our analysis shows that with high
probability a parity-check matrix of a punctured version of the secret code can
be recovered in cubic time complexity in its length. The complete
reconstruction of the secret parity-check matrix of the quasi-cyclic low
density parity-check codes requires the search of codewords of low weight which
can be done with about operations for the specific parameters
proposed.Comment: Major corrections. This version supersedes previuos one
- …