A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes
Bogdanov and Lee suggested a homomorphic public-key encryption scheme based
on error correcting codes. The underlying public code is a modified
Reed-Solomon code obtained from inserting a zero submatrix in the Vandermonde
generating matrix defining it. The columns that define this submatrix are kept
secret and form a set . We give here a distinguisher that detects if one or
several columns belong to or not. This distinguisher is obtained by
considering the code generated by component-wise products of codewords of the
public code (the so called "square code"). This operation is applied to
punctured versions of this square code obtained by picking a subset
of the whole set of columns. It turns out that the dimension of the
punctured square code is directly related to the cardinality of the
intersection of with . This allows an attack which recovers the full set
and which can then decrypt any ciphertext.
Comment: 11 page
Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes
Encryption schemes based on the rank metric lead to small public key sizes of
the order of a few thousand bytes, which is a very attractive feature
compared to Hamming metric-based encryption schemes, where public key sizes are
of the order of hundreds of thousands of bytes even with additional structure such as
cyclicity. The main tool for building public key encryption schemes in the rank
metric is the McEliece encryption setting used with the family of Gabidulin
codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and
Tretjakov, many systems have been proposed based on different masking
techniques for Gabidulin codes. Nevertheless, over the years all these systems
were attacked, essentially by means of an attack proposed by Overbeck.
In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was
not in the McEliece setting. The scheme is very efficient, with small public
keys of a few kilobytes and with security closely related to the
linearized polynomial reconstruction problem, which corresponds to the decoding
problem of Gabidulin codes. The structure of the scheme differs considerably
from the classical McEliece setting and, until our work, the scheme had never
been attacked. We show in this article that this scheme, like other schemes
based on Gabidulin codes, is also vulnerable to a polynomial-time attack that
recovers the private key by applying Overbeck's attack to an appropriate public
code. As an example, we break the concrete proposed bits security parameters in
a few seconds.
Comment: To appear in Designs, Codes and Cryptography Journa
New Identities Relating Wild Goppa Codes
For a given support and a polynomial with no roots in , we prove equality
between the -ary Goppa codes where
denotes the norm of , that is In
particular, for , that is, for a quadratic extension, we get
. If has roots in
, then we do not necessarily have equality and we prove that
the difference of the dimensions of the two codes is bounded above by the
number of distinct roots of in . These identities provide
numerous code equivalences and improved designed parameters for some families
of classical Goppa codes.
Comment: 14 page
A Distinguisher-Based Attack on a Variant of McEliece's Cryptosystem Based on Reed-Solomon Codes
Baldi et al. proposed a variant of McEliece's cryptosystem. The main
idea is to replace its permutation matrix by adding to it a rank 1 matrix. The
motivation for this change is twofold: it would allow the use of codes that
were shown to be insecure in the original McEliece cryptosystem, and it would
reduce the key size while keeping the same security against generic decoding
attacks. The authors suggest using generalized Reed-Solomon codes instead of
Goppa codes. The public code built with this method is no longer a
generalized Reed-Solomon code. On the other hand, it contains a very large
secret generalized Reed-Solomon code. In this paper we present an attack that
is built upon a distinguisher which is able to identify elements of this secret
code. The distinguisher is constructed by considering the code generated by
component-wise products of codewords of the public code (the so-called "square
code"). By using square-code dimension considerations, the initial generalized
Reed-Solomon code can be recovered, which makes it possible to decode any ciphertext. A
similar technique has already been successful for mounting an attack against a
homomorphic encryption scheme suggested by Bogdanov et al. This work
can be viewed as another illustration of how a distinguisher of Reed-Solomon
codes can be used to devise an attack on cryptosystems based on them.
Comment: arXiv admin note: substantial text overlap with arXiv:1203.668
Algebraic Properties of Polar Codes From a New Polynomial Formalism
Polar codes form a very powerful family of codes with a low-complexity
decoding algorithm that attain many information-theoretic limits in error
correction and source coding. These codes are closely related to Reed-Muller
codes because both can be described with the same algebraic formalism, namely
they are generated by evaluations of monomials. However, finding the right set
of generating monomials for a polar code which optimises the decoding
performance is a hard and channel-dependent task. The purpose of this paper is
to reveal some universal properties of these monomials. We will namely prove
that there is a way to define a nontrivial (partial) order on monomials so that
the monomials generating a polar code devised for a binary-input symmetric
channel always form a decreasing set.
This property turns out to have rather deep consequences for the structure of
the polar code. Indeed, the permutation group of a decreasing monomial code
contains a large group called the lower triangular affine group. Furthermore, the
codewords of minimum weight correspond exactly to the orbits of the minimum
weight codewords that are obtained from (evaluations of) monomials of the
generating set. In particular, this gives an efficient way of counting the number
of minimum weight codewords of a decreasing monomial code and hence of a
polar code.
Comment: 14 pages * A reference to the work of Bernhard Geiger has been added
(arXiv:1506.05231) * Lemma 3 has been changed a little bit in order to prove
that Proposition 7.1 in arXiv:1506.05231 holds for any binary input symmetric
channe
Low Complexity Tail-Biting Trellises for Some Extremal Self-Dual Codes
We obtain low complexity tail-biting trellises for some extremal self-dual codes for various lengths and fields, such as the [12,6,6] ternary Golay code and a [24,12,8] Hermitian self-dual code over GF(4). These codes are obtained from a particular family of cyclic Tanner graphs called necklace factor graphs.
An Upper-Bound on the Decoding Failure Probability of the LRPC Decoder
Low Rank Parity Check (LRPC) codes form a class of rank-metric
error-correcting codes that was purposely introduced to design public-key
encryption schemes. An LRPC code is defined from a parity check matrix whose
entries belong to a relatively low-dimensional vector subspace of a large
finite field. This particular algebraic feature can then be exploited to
correct rank errors with high probability when the parameters are appropriately
chosen. In this paper, we present theoretical upper bounds on the probability
that the LRPC decoding algorithm fails.
Metastatic neuroblastoma to the mandible in a 3-year-old boy : a case report
Although neuroblastoma is a relatively common malignancy of childhood and its dissemination to distant organs is often seen, metastasis to the mandible is rare. We report a 3-year-old boy in whom a mandibular soft tissue mass was the initial presenting symptom of disseminated neuroblastoma. The results of biopsy were inconclusive, and the differential diagnosis from the imaging studies included lymphoma, soft tissue sarcoma, and osteosarcoma. A metastatic work-up disclosed neuroblastoma of adrenal gland origin with osseous and bone marrow metastases. Urinary catecholamines were also increased. Given the widespread features of the tumor and the lack of adequate treatment at this stage of the disease, palliative chemotherapy was conducted, and the patient died one month after starting treatment. This case illustrates that neuroblastoma at a young age with bone metastases and bone marrow involvement is predictive of a poor outcome. Therefore, detecting early-stage metastasis is one of the essential factors for improving the treatment of neuroblastoma patients.
Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups
The main practical limitation of the McEliece public-key encryption scheme is
probably the size of its key. A popular approach to overcoming this issue is to focus
on subclasses of alternant/Goppa codes with a non-trivial automorphism group.
Such codes then display symmetries allowing compact parity-check or generator
matrices. For instance, a key reduction is obtained by taking quasi-cyclic (QC)
or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such
symmetric alternant/Goppa codes in cryptography introduces a fundamental
weakness. It is indeed possible to reduce the key recovery on the original
symmetric public code to the key recovery on a (much) smaller code that no longer
has symmetries. This result is obtained thanks to a new operation on codes
called folding that exploits the knowledge of the automorphism group. This
operation consists in adding the coordinates of codewords which belong to the
same orbit under the action of the automorphism group. The advantage is
twofold: the reduction factor can be as large as the size of the orbits, and it
preserves a fundamental property: folding the dual of an alternant (resp.
Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point
is to show that all the existing constructions of alternant/Goppa codes with
symmetries follow a common principle of taking codes whose support is globally
invariant under the action of affine transformations (by building upon prior
works of T. Berger and A. Dür). This enables us not only to present a
unified view but also to generalize the construction of QC, QD and even
quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to
boost any key-recovery attack on McEliece systems based on symmetric
alternant or Goppa codes, and in particular algebraic attacks.
Comment: 19 page