105 research outputs found

    Worst case QC-MDPC decoder for McEliece cryptosystem

    McEliece encryption scheme which enjoys relatively small key sizes as well as a security reduction to hard problems of coding theory. Furthermore, it remains secure against a quantum adversary and is very well suited to low-cost implementations on embedded devices. Decoding MDPC codes is achieved with the (iterative) bit-flipping algorithm, as for LDPC codes. Variable-time decoders might leak some information on the code structure (that is, on the sparse parity-check equations) and must be avoided. A constant-time decoder is easy to emulate, but its running time then depends on the worst case rather than on the average case. So far, implementations have focused on minimizing the average cost. We show that the tuning of the algorithm that reduces the maximal number of iterations is not the same as the tuning that reduces the average cost. This provides some indications on how to engineer the QC-MDPC-McEliece scheme to resist a timing side-channel attack. Comment: 5 pages, conference ISIT 201

    Linear codes with complementary duals meet the Gilbert–Varshamov bound

    Abstract: Using the hull dimension spectra of linear codes, we show that linear codes with complementary dual meet the asymptotic Gilbert–Varshamov bound.

    The problem with the SURF scheme

    There is a serious problem with one of the assumptions made in the security proof of the SURF scheme: the problem assumed to be hard turns out to be easy in the regime of parameters needed for the SURF scheme to work. We give afterwards the old version of the paper for the reader's convenience. Comment: Warning: we found a serious problem in the security proof of the SURF scheme. We explain this problem here and give the old version of the paper afterward.

    On the concatenated structures of a [49, 18, 12] binary abelian code

    Abstract: We here introduce a new formalism for describing concatenated codes. Using this formalism, we show how any generalized concatenated code can be viewed as a first-order concatenated code. Finally, we give an illustrative example: using Jensen's result (1985), which shows that any abelian code has a generalized concatenated structure, we first give the representation of the [49, 18, 12] abelian code introduced by Camion (1971) as a second-order concatenated code; then, using our description, we show that this code is also equal to the first-order concatenation of two linear cyclic codes.

    The Support Splitting Algorithm

    Two linear codes are permutation-equivalent if they are equal up to a fixed permutation of the codewords' coordinates. We present here an algorithm able to compute this permutation. We introduce the concept of signature: a property of a position of a code such that the set of all signatures of a given code is globally invariant under permutation. To compute the permutation between two equivalent codes, one needs a signature which is both discriminant and easy to compute. The weight enumerator of the hull of a code provides a signature which has such properties in most cases.

    Wave Parameter Selection

    Wave is a provably EUF-CMA (existential unforgeability under adaptive chosen message attacks) digital signature scheme based on codes \cite{DST19a}. It is a hash-and-sign primitive and its security is built according to a GPV-like framework \cite{GPV08} under two assumptions related to coding theory: (i) the hardness of finding a word of prescribed Hamming weight and prescribed syndrome, and (ii) the pseudo-randomness of ternary generalized (U|U+V) codes. Forgery attacks (i)---or message attacks---consist in solving the ternary decoding problem for large weight \cite{BCDL19}, while, to the best of our knowledge, key attacks (ii) will try to exhibit words that are characteristic of (U|U+V) codes, which are called type-U or type-V codewords in the present paper. In the current state of the art, the best known attacks both reduce to various flavours of Information Set Decoding (ISD) algorithms for different regimes of parameters. In this paper we give estimates for the complexities of the best known ISD variants for those regimes. Maximizing the computational effort, and thus the security, for both attacks leads to conflicting constraints on the parameters. We provide here a methodology to derive optimal trade-offs for selecting parameters for the Wave signature scheme achieving a given security level. We apply this methodology to the current state of the art and propose some effective parameters for Wave. For λ=128 bits of classical security, the signature is 737 bytes long, scaling linearly with the security, and the public key size is 3.6 Mbytes, scaling quadratically with the security.

    Secure Sampling of Constant-Weight Words - Application to BIKE

    The pseudo-random sampling of constant-weight words, as it is currently implemented in schemes like BIKE or HQC, is prone to leaking information on the seed being used. This creates a vulnerability when the semantic security conversion requires a deterministic re-encryption. This observation was first made in [HLS21] about HQC, and a timing attack was presented to recover the secret key. As suggested in [HLS21], a similar attack applies to BIKE; an instance of such an attack is presented here, as well as countermeasures similar to those suggested in [HLS21] for HQC. A new approach for fixing the issue is also proposed. It is first remarked that, contrary to what is done currently, the sampling of constant-weight words doesn't need to produce a uniformly distributed output: if the distribution is close to uniform in the appropriate metric, the impact on security is negligible. Also, a new variant of the Fisher-Yates shuffle is proposed which is (1) very well suited to implementations secure against timing and cache attacks, and (2) produces constant-weight words with a distribution close enough to uniform.

    An algorithm for finding the permutation between two equivalent binary codes

    We present here an algorithm for recovering the permutation between two equivalent binary linear codes. The algorithm only works when the automorphism group of the codes under consideration is trivial, that is, reduced to the identity alone. For two random equivalent binary codes of length 1000 and dimension 500, the computation time varies between 7 and 80 seconds on a DEC 3000/900 workstation.

    On the Structure of Randomly Permuted Concatenated Code

    Abstract available in the PD file

    Product of linear codes
