A distinguisher for high-rate McEliece Cryptosystems


1. A distinguisher for high-rate McEliece Cryptosystems
J.C. Faugère (INRIA, SALSA project), Valérie Gauthier (Math. dep., Tech. Univ. of Denmark), A. Otmani (Université de Caen, INRIA, SECRET project), L. Perret (INRIA, SALSA project), J.-P. Tillich (INRIA, SECRET project)
May 12th, 2011

2. Introduction: (Generalized) McEliece cryptosystem $\mathrm{McE}(\mathcal{K}_{n,k,t})$
$\mathcal{C}$ a $q$-ary, length $n$, dimension $k$, $t$-error correcting code.
• Public key: $G$ a $k \times n$ generator matrix of $\mathcal{C}$ in $\mathcal{K}(n,k,t)$
• Secret key: $\Psi$ a $t$-error correcting procedure for $\mathcal{C}$
• Encryption: $x \to xG + e$ with $e$ of Hamming weight $t$
• Decryption: $y \to \Psi(y)\, G^{-1}$ with $G^{-1}$ a right inverse of $G$.

3. Introduction: Alternant codes / Goppa codes
• $x = (x_1, \dots, x_n) \in \mathbb{F}_{q^m}^n$ with $x_i \neq x_j$ if $i \neq j$
• $y = (y_1, \dots, y_n) \in \mathbb{F}_{q^m}^n$ with $y_i \neq 0$
For any $r < n$, let
$$H_r(x,y) \stackrel{\text{def}}{=} \begin{pmatrix} y_1 & y_2 & \cdots & y_n \\ y_1 x_1 & y_2 x_2 & \cdots & y_n x_n \\ \vdots & \vdots & & \vdots \\ y_1 x_1^{r-1} & y_2 x_2^{r-1} & \cdots & y_n x_n^{r-1} \end{pmatrix}.$$
Definition 1. An alternant code is the kernel of an $H$ of this type:
$$\mathcal{A}_r(x,y) = \{\, v \in \mathbb{F}_q^n \mid H_r(x,y)\, v^T = 0 \,\}.$$
Goppa code: $\exists\, \Gamma$, a polynomial of degree $r$, such that $y_i = \Gamma(x_i)^{-1}$.

4. Introduction: Decoding alternant and Goppa codes
Proposition 1 [decoding alternant codes]. $r/2$ errors can be decoded in polynomial time as long as $x$ and $y$ are known.
Proposition 2 [the special case of binary Goppa codes]. In the case of a binary Goppa code ($q = 2$), $r$ errors can be decoded in polynomial time if $x$ and $\Gamma$ are known and if $\Gamma$ has only simple roots.
More generally, a factor $\frac{q}{q-1}$ can be gained (exploited for instance in wild McEliece [Bernstein-Lange-Peters 2010]) by a suitable choice of $\Gamma$.

5. Distinguisher: the distinguisher problem (public key)
$\mathcal{K}_{\mathrm{Goppa}}(n,k,t)$: the ensemble of generator matrices of $t$-error correcting Goppa codes of length $n$ and dimension $k$
$\mathcal{K}_{\mathrm{alt}}(n,k)$: the ensemble of generator matrices of alternant codes of length $n$ and dimension $k$
$\mathcal{K}_{\mathrm{lin}}(n,k)$: the ensemble of generator matrices of linear codes of length $n$ and dimension $k$.
Can we distinguish between the cases (i) $G \in \mathcal{K}_{\mathrm{Goppa}}(n,k,t)$, (ii) $G \in \mathcal{K}_{\mathrm{alt}}(n,k)$, (iii) $G \in \mathcal{K}_{\mathrm{lin}}(n,k)$?

6. Distinguisher: Niederreiter $\mathrm{Nied}(\mathcal{K}_{n,k,t})$
$\mathcal{C}$ a $q$-ary, length $n$, dimension $k$, $t$-error correcting code.
• Public key: $H$ an $(n-k) \times n$ parity check matrix of $\mathcal{C}$, $H \in \mathcal{K}_{n,k,t}$
• Secret key: $\Psi$ a $t$-error correcting procedure for $\mathcal{C}$
• Encryption: $e \to eH^T$ with $e$ of Hamming weight $t$
• Decryption: to decipher $s$, choose any $y$ of syndrome $s$, i.e. such that $s = yH^T$, and output $y - \Psi(y)$.

7. Distinguisher: a probabilistic model of an attacker
A $(T, \epsilon)$-adversary $\mathcal{A}$ for $\mathrm{Nied}(\mathcal{K}_{n,k,t})$ is a program which runs in time at most $T$ and is such that
$$\mathrm{Prob}_{H,e}\big(\mathcal{A}(H, eH^T) = e \mid H \in \mathcal{K}_{n,k,t}\big) \geq \epsilon.$$
Most attacks actually deal with an adversary for $\mathrm{Nied}(\mathcal{K}_{\mathrm{lin}}(n,k))$ instead of $\mathrm{Nied}(\mathcal{K}_{\mathrm{Goppa}}(n,k,t))$.

8. Distinguisher: how the distinguisher appears
$$\mathrm{Adv} \stackrel{\text{def}}{=} \mathrm{Prob}\big(\mathcal{A}(H, eH^T) = e \mid H \in \mathcal{K}_{\mathrm{Goppa}}(n,k,t)\big) - \mathrm{Prob}\big(\mathcal{A}(H, eH^T) = e \mid H \in \mathcal{K}_{\mathrm{lin}}(n,k)\big)$$
Distinguisher $\mathcal{D}$: input $H \in \mathbb{F}_q^{(n-k) \times n}$
Step 1: pick a random $e \in \mathbb{F}_q^n$ of weight $t$
Step 2: if $\mathcal{A}(H, eH^T) = e$ then return 1, else return 0.
Advantage of $\mathcal{D}$ = $|\mathrm{Adv}|$.

9. Distinguisher: either a decoding algorithm on linear codes or a distinguisher for Goppa codes
Proposition 3. If there exists a $(T, \epsilon)$-adversary against $\mathrm{Nied}(\mathcal{K}_{\mathrm{Goppa}}(n,k,t))$, then there exists either
(i) a $(T, \epsilon/2)$-adversary against $\mathrm{Nied}(\mathcal{K}_{\mathrm{lin}}(n,k))$ (i.e. a decoder for general linear codes working in time $T$ with success probability $\geq \epsilon/2$), or
(ii) a distinguisher between $H \in \mathcal{K}_{\mathrm{Goppa}}(n,k,t)$ and $H \in \mathcal{K}_{\mathrm{lin}}(n,k)$ working in time $T + O(n^2)$ and with advantage at least $\epsilon/2$.

10. Algebraic approach for attacking the McEliece cryptosystem
What is known: a basis of the code, i.e. the rows of a generator matrix $G = (g_{ij})$ of size $k \times n$.
What we also know: $\exists\, x, y \in \mathbb{F}_{q^m}^n$ s.t.
$$H_r(x,y)\, G^T = 0. \qquad (1)$$
What we want to find: in the case of an alternant code, $x$ and $y$; in the special case of a binary Goppa code, $x$ and $\Gamma$.

11. Algebraic approach: the algebraic system
$H_r(x,y)\, G^T = 0$ translates to
$$\begin{cases} g_{1,1} Y_1 + \cdots + g_{1,n} Y_n = 0 \\ \quad\vdots \\ g_{k,1} Y_1 + \cdots + g_{k,n} Y_n = 0 \\ g_{1,1} Y_1 X_1 + \cdots + g_{1,n} Y_n X_n = 0 \\ \quad\vdots \\ g_{k,1} Y_1 X_1 + \cdots + g_{k,n} Y_n X_n = 0 \\ \quad\vdots \\ g_{1,1} Y_1 X_1^{r-1} + \cdots + g_{1,n} Y_n X_n^{r-1} = 0 \\ \quad\vdots \\ g_{k,1} Y_1 X_1^{r-1} + \cdots + g_{k,n} Y_n X_n^{r-1} = 0 \end{cases} \qquad (2)$$
where the $g_{i,j}$'s are known coefficients in $\mathbb{F}_q$ and $k \geq n - rm$.

12. Algebraic approach: freedom of choice in (2)
Proposition 4. Theoretically, the system has $2n$ unknowns, but we can take arbitrary values for one $Y_i$ and for three $X_i$'s (as long as these values are different).

13. Algebraic approach: applications
When the number of unknowns is small, e.g.
• the Berger-Cayrel-Gaborit-Otmani proposal at AfricaCrypt'09, based on quasi-cyclic alternant codes
• the Misoczki-Barreto variant at SAC'09, based on quasi-dyadic Goppa codes
⇒ the algebraic system can be solved by (dedicated) Gröbner basis techniques.
• Breaks all parameters proposed in these articles ([Faugère-Otmani-Perret-Tillich; Eurocrypt 2010]), with the exception of binary dyadic codes. Related to [Leander-Gauthier Umana; SCC2010].

14. A naive attack
W.l.o.g. we can assume that $G$ is systematic in its $k$ first positions:
$$G = \big(\, I_k \mid P \,\big), \qquad I_k \text{ the } k \times k \text{ identity}, \quad P \text{ of size } k \times (n-k), \quad n - k = mr.$$

15. Naive attack, Step 1: expressing the $Y_i X_i^d$'s in terms of the $Y_j X_j^d$'s for $j \in \{k+1, \dots, n\}$
Write $P = (p_{ij})_{1 \leq i \leq k,\; k+1 \leq j \leq n}$. We can rewrite (2) as
$$\begin{cases} Y_i = \sum_{j=k+1}^{n} p_{i,j}\, Y_j \\ Y_i X_i = \sum_{j=k+1}^{n} p_{i,j}\, Y_j X_j \\ \quad\vdots \\ Y_i X_i^{r-1} = \sum_{j=k+1}^{n} p_{i,j}\, Y_j X_j^{r-1} \end{cases} \qquad (3)$$
for all $i \in \{1, \dots, k\}$.

16. Naive attack, Step 2: exploiting $Y_i\,(Y_i X_i^2) = (Y_i X_i)^2$
$$\begin{cases} Y_i = \sum_{j=k+1}^{n} p_{i,j}\, Y_j \\ Y_i X_i = \sum_{j=k+1}^{n} p_{i,j}\, Y_j X_j \\ Y_i X_i^2 = \sum_{j=k+1}^{n} p_{i,j}\, Y_j X_j^2 \end{cases} \qquad (4)$$
$$\Longrightarrow \Big( \sum_{j=k+1}^{n} p_{i,j}\, Y_j \Big) \Big( \sum_{j=k+1}^{n} p_{i,j}\, Y_j X_j^2 \Big) = \Big( \sum_{j=k+1}^{n} p_{i,j}\, Y_j X_j \Big)^2$$
$$\Longrightarrow \sum_{j=k+1}^{n} \sum_{j' > j} p_{i,j}\, p_{i,j'} \big( Y_j Y_{j'} X_{j'}^2 + Y_{j'} Y_j X_j^2 \big) = 0$$
(expanding both sides, the diagonal terms $p_{i,j}^2 Y_j^2 X_j^2$ cancel, and for $q = 2$, the case of the examples below, so do the cross terms $2\, p_{i,j} p_{i,j'} Y_j Y_{j'} X_j X_{j'}$ of the square).

17. Naive attack, Step 3: linearization
$$Z_{jj'} \stackrel{\text{def}}{=} Y_j Y_{j'} X_{j'}^2 + Y_{j'} Y_j X_j^2, \qquad \sum_{j=k+1}^{n} \sum_{j' > j} p_{i,j}\, p_{i,j'}\, Z_{jj'} = 0.$$
• $\binom{n-k}{2} \approx \frac{m^2 r^2}{2}$ unknowns
• $k = n - mr$ equations
⇒ reveals the $Z_{jj'}$ when $n - mr \geq \frac{m^2 r^2}{2}$?
• This happens for the Courtois-Finiasz-Sendrier scheme, which has to choose small values of $r$; e.g. $n = 2^{21}$, $r = 10$, $m = 21$.

18. Naive attack: the linearized system
Definition 2. Assume that the public key $G$ of the McEliece cryptosystem is in systematic form $(I_k \mid P)$. The linearized system associated to $G$ is
$$\begin{cases} \sum_{j=k+1}^{n} \sum_{j' > j} p_{1,j}\, p_{1,j'}\, Z_{jj'} = 0 \\ \sum_{j=k+1}^{n} \sum_{j' > j} p_{2,j}\, p_{2,j'}\, Z_{jj'} = 0 \\ \quad\vdots \\ \sum_{j=k+1}^{n} \sum_{j' > j} p_{k,j}\, p_{k,j'}\, Z_{jj'} = 0 \end{cases}$$
The dimension of the solution space is denoted by $D$.

19. Algebraic distinguisher
Solving this system requires that
• the number of equations $k$ is greater than the number of unknowns $\binom{n-k}{2}$;
• the rank is (almost) equal to the number of unknowns.
If $G$ is random, then one would expect that the rank is $\min\big(k, \binom{n-k}{2}\big)$, hence
$$D = \max\Big(0,\ \binom{n-k}{2} - k\Big).$$
But for several structured (Goppa, alternant) codes the rank is $< \min\big(k, \binom{n-k}{2}\big)$, and this defect can be quantified.
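The distinguisher of Definition 2 can be run end to end on a toy instance. The Python code below is an added example, not the authors' code: it builds a small binary alternant code (constructed parameters $m = 9$, $r = 3$, $n = 2^9$, field polynomial $x^9 + x^4 + 1$ and the random seed are assumptions of this example), reads $P$ off the systematic form of its generator matrix, forms the linearized system over $\mathbb{F}_2$ and computes $D$, then repeats this for a random key of the same shape. Here $\binom{n-k}{2} \leq k$, so by slide 19 the random key gives $D = 0$, while the alternant key gives $D > 0$ because the true $Z_{jj'}$ form a nonzero solution.

```python
# Added example (not the authors' code): Definition 2's linearized system on a toy binary alternant key vs a random key.
import random
M, R, POLY = 9, 3, 0x211   # constructed toy parameters: F_{2^9} via x^9+x^4+1, r = 3, n = 2^9

def gf_mul(a, b):
    """Multiply in F_{2^M} (elements as ints) modulo POLY by shift-and-add."""
    res = 0
    while b:
        res, b, a = res ^ (a if b & 1 else 0), b >> 1, a << 1
        a ^= POLY if a >> M else 0
    return res

def rref_f2(rows):
    """Reduced row echelon form over F_2 of int bitmask rows (bit j = column j); returns {pivot col: row}."""
    basis = {}
    for row in rows:
        while row and (lead := row.bit_length() - 1) in basis:
            row ^= basis[lead]
        if row:
            basis[lead] = row
    for lead in sorted(basis):             # back-substitution: clear each pivot column from the other rows
        for o in basis:
            basis[o] ^= basis[lead] if o != lead and basis[o] >> lead & 1 else 0
    return basis

def alternant_key(seed=1):
    """Binary alternant code, x_j = j (all of F_{2^M}), y_j random nonzero; returns (k, n-k, P) with G = (I_k|P) up to column order, P[a] a bitmask over the n-k redundancy positions."""
    rng, n, rows = random.Random(seed), 1 << M, []
    col = [rng.randrange(1, n) for _ in range(n)]          # y_j x_j^0
    for d in range(R):                                      # row d of H_R(x, y) is (y_j x_j^d)_j
        for bit in range(M):                                # expand each F_{2^M} entry into M binary rows
            rows.append(sum(1 << j for j in range(n) if col[j] >> bit & 1))
        col = [gf_mul(col[j], j) for j in range(n)]         # y_j x_j^(d+1)
    basis = rref_f2(rows)                                   # code = kernel: free columns carry I_k, pivots carry P
    piv, free = sorted(basis), [j for j in range(n) if j not in basis]
    return len(free), len(piv), [sum(1 << b for b, c in enumerate(piv) if basis[c] >> f & 1) for f in free]

def linearized_dimension(p_rows, nk):
    """D = dim of the solution space of sum_{b<b'} p_{a,b} p_{a,b'} Z_{bb'} = 0 (one equation per row a)."""
    pairs = [(b, b2) for b in range(nk) for b2 in range(b + 1, nk)]   # one unknown Z_{bb'} per pair
    idx = {p: i for i, p in enumerate(pairs)}
    eqs = [sum(1 << idx[b, b2] for i, b in enumerate(ones) for b2 in ones[i + 1:])
           for ones in ([b for b in range(nk) if row >> b & 1] for row in p_rows)]
    return len(pairs) - len(rref_f2(eqs))

def demo(seed=1):
    """(k, n-k, D for the alternant key, D for a random key of the same shape); random key: expect D = 0."""
    k, nk, p_alt = alternant_key(seed)
    rng = random.Random(seed + 1)
    return k, nk, linearized_dimension(p_alt, nk), linearized_dimension([rng.getrandbits(nk) for _ in range(k)], nk)
```

`demo()` returns $k$, $n-k$ and the two values of $D$; the gap between them is the distinguishing advantage in the sense of slide 19, obtained from the public key alone.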

20. Example: $q = 2$ and $m = 14$
r                3     4     5     6     7     8     9    10    11    12    13    14
C(n-k,2)       861  1540  2415  3486  4753  6216  7875  9730 11781 14028 16471 19110
k            16342 16328 16314 16300 16286 16272 16258 16244 16230 16216 16202 16188
D_rand           0     0     0     0     0     0     0     0     0     0   269  2922
D_alternant     42   126   308   560   882  1274  1848  2520  3290  4158  5124  6188
D_Goppa        252   532   980  1554  2254  3080  4158  5390  6776  8316 10010 11858

21. Example: $q = 2$ and $m = 14$ (continued)
r               15    16    17    18    19    20    21    22    23    24    25    26    27
C(n-k,2)     21945 24976 28203 31626 35245 39060 43071 47278 51681 56280 61075 66066 71253
k            16174 16160 16146 16132 16118 16104 16090 16076 16062 16048 16034 16020 16006
D_rand        5771  8816 12057 15494 19127 22956 26981 31202 35619 40232 45041 50046 55247
D_alternant   7350  8816 12057 15494 19127 22956 26981 31202 35619 40232 45041 50046 55247
D_Goppa      13860 16016 18564 21294 24206 27300 30576 34034 37674 41496 45500 50046 55247

22. Alternant case
Let $\ell \stackrel{\text{def}}{=} \lfloor \log_q (r-1) \rfloor$. Then
$$D_{\mathrm{alternant}} = \frac{1}{2}\, m\,(r-1) \Big( (2\ell + 1)\, r - 2\, \frac{q^{\ell+1} - 1}{q - 1} \Big)$$
as long as $\binom{n-k}{2} - D_{\mathrm{alternant}} < k$.
