Cryptanalysis of a variant of the McEliece encryption scheme – Julien Lavauzelle – PowerPoint PPT Presentation

  1. Cryptanalysis of a variant of the McEliece encryption scheme. Julien Lavauzelle, IRMAR, Université de Rennes 1. Journées Nationales de Calcul Formel 2020, 03/03/2020.

  2. Outline
  1. McEliece cryptosystem and variants
  2. Attack on the Reed–Solomon variant
  3. Attack on the twisted Reed–Solomon variant
  0/20 J. Lavauzelle – Cryptanalysis of a variant of the McEliece encryption scheme – JNCF 2020

  5. McEliece cryptosystem
  McEliece cryptosystem (1978): a public-key encryption scheme.
  Summary:
  ◮ private key: an efficient decoding algorithm for a code $C$,
  ◮ public key: a random description of the code (masks the decoding algorithm),
  ◮ encryption: encode the message and add an error,
  ◮ decryption: decode the error and retrieve the message.
  Security relies on two problems:
  1. hardness of decoding random codes,
  2. hardness of recognizing the structure of a code (≃ finding an efficient decoding algorithm from a random description of the code).

  7. General statement of the problem
  Let $\mathcal{F}$ be a $k$-dimensional subspace of $\mathbb{F}_q[x]/(x^q - x)$.
  Input.
  $$G = \begin{pmatrix} y_1 f_1(x_1) & \cdots & y_n f_1(x_n) \\ \vdots & & \vdots \\ y_1 f_k(x_1) & \cdots & y_n f_k(x_n) \end{pmatrix} \in \mathbb{F}_q^{k \times n},$$
  where: $f_1(x), \ldots, f_k(x)$ is a basis of $\mathcal{F}$; $(x_1, \ldots, x_n)$ are pairwise distinct in $\mathbb{F}_q$; $(y_1, \ldots, y_n)$ are non-zero elements of $\mathbb{F}_q$.
  Output. A basis $g_1(x), \ldots, g_k(x)$ of $\mathcal{F}$, pairwise distinct elements $x'_1, \ldots, x'_n \in \mathbb{F}_q$ and non-zero elements $y'_1, \ldots, y'_n \in \mathbb{F}_q^{\times}$ such that
  $$G = \begin{pmatrix} y'_1 g_1(x'_1) & \cdots & y'_n g_1(x'_n) \\ \vdots & & \vdots \\ y'_1 g_k(x'_1) & \cdots & y'_n g_k(x'_n) \end{pmatrix}.$$

  9. Instances of the problem
  A Public-Key Cryptosystem Based on Algebraic Coding Theory. McEliece. Jet Propulsion Laboratory DSN Progress Report. 1978.
  Original McEliece cryptosystem: binary Goppa codes, $q = 2^m$.
  – $x = (x_1, \ldots, x_n) \in \mathbb{F}_q^n$ pairwise distinct,
  – $\pi(x)$ the derivative of $\prod_{i=1}^{n} (x - x_i) \in \mathbb{F}_q[x]$,
  – an irreducible $\Gamma(x) \in \mathbb{F}_q[x]$,
  – $y = \left( \dfrac{\Gamma(x_1)}{\pi(x_1)}, \ldots, \dfrac{\Gamma(x_n)}{\pi(x_n)} \right) \in (\mathbb{F}_q^{\times})^n$,
  – $\mathcal{F}_{x, \Gamma, r} = \left\{ f(x) \in \mathbb{F}_q[x] \mid \deg(f) < r \text{ and } y_i f(x_i) \in \mathbb{F}_2,\ \forall i = 1, \ldots, n \right\}$.
  ◮ Still considered secure (NIST competition).
  ◮ Main drawback: large key sizes.

  13. Instances of the problem
  In order to reduce key sizes:
  ◮ Niederreiter (1986): generalized Reed–Solomon codes
  – $x = (x_1, \ldots, x_n) \in \mathbb{F}_q^n$ pairwise distinct,
  – $y = (y_1, \ldots, y_n) \in (\mathbb{F}_q^{\times})^n$,
  – $\mathcal{F} = \left\{ f(x) \in \mathbb{F}_q[x] \mid \deg(f) < k \right\}$.
  However, broken by Sidelnikov and Shestakov in 1992 (Part II).
  ◮ A lot of propositions to replace Goppa codes → Reed–Muller codes, AG codes, QC-MDPC codes, etc.
  ◮ In 2018: Beelen, Bossert, Puchinger and Rosenkilde proposed twisted Reed–Solomon codes.
  → claimed key size reduction by a factor 7
  → also broken (Part III)
  On Insecurity of Cryptosystems Based on Generalized Reed-Solomon Codes. Sidelnikov, Shestakov. Discrete Math. Appl. 1992.
  Cryptanalysis of a System Based on Twisted Reed–Solomon Codes. L., Renner. Designs, Codes and Cryptography. 2020.

  14. Outline
  1. McEliece cryptosystem and variants
  2. Attack on the Reed–Solomon variant
  3. Attack on the twisted Reed–Solomon variant

  15. The problem
  Let $\mathcal{F} = \left\{ f(x) \in \mathbb{F}_q[x] \mid \deg(f) < k \right\}$.
  Input. A matrix
  $$G = \begin{pmatrix} y_1 f_1(x_1) & \cdots & y_n f_1(x_n) \\ \vdots & & \vdots \\ y_1 f_k(x_1) & \cdots & y_n f_k(x_n) \end{pmatrix} \in \mathbb{F}_q^{k \times n},$$
  where
  – $f_1(x), \ldots, f_k(x)$ is a basis of $\mathcal{F}$,
  – $(x_1, \ldots, x_n) \in \mathbb{F}_q^n$ are pairwise distinct, and $(y_1, \ldots, y_n) \in (\mathbb{F}_q^{\times})^n$.
  Output. A basis $g_1(x), \ldots, g_k(x)$ of $\mathcal{F}$, pairwise distinct elements $(x'_1, \ldots, x'_n) \in \mathbb{F}_q^n$ and non-zero elements $(y'_1, \ldots, y'_n) \in (\mathbb{F}_q^{\times})^n$ such that
  $$G = \begin{pmatrix} y'_1 g_1(x'_1) & \cdots & y'_n g_1(x'_n) \\ \vdots & & \vdots \\ y'_1 g_k(x'_1) & \cdots & y'_n g_k(x'_n) \end{pmatrix}.$$

  16. The problem
  Remark. One can write $G$ as:
  $$G = S \cdot \begin{pmatrix} 1 & 1 & \cdots & 1 & 1 \\ x_1 & x_2 & \cdots & x_{n-1} & x_n \\ x_1^2 & x_2^2 & \cdots & x_{n-1}^2 & x_n^2 \\ \vdots & \vdots & & \vdots & \vdots \\ x_1^{k-1} & x_2^{k-1} & \cdots & x_{n-1}^{k-1} & x_n^{k-1} \end{pmatrix} \cdot \mathrm{Diag}(y_1, \ldots, y_n),$$
  where $S \in \mathbb{F}_q^{k \times k}$ is invertible.

  18. Structural properties
  Notation.
  – $\mathbf{1} = (1, \ldots, 1) \in \mathbb{F}_q^n$
  – $\mathcal{F} = \left\{ f(x) \in \mathbb{F}_q[x] \mid \deg(f) < k \right\}$
  – $a \star b = (a_1 b_1, \ldots, a_n b_n)$
  – $\lambda a = (\lambda a_1, \ldots, \lambda a_n)$
  Definition. Generalized Reed–Solomon code:
  $$\mathrm{GRS}_k(x, y) := \left\{\, y \star \mathrm{ev}_x(f) := (y_1 f(x_1), \ldots, y_n f(x_n)) \mid f(x) \in \mathcal{F} \,\right\} \subseteq \mathbb{F}_q^n.$$
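Added worked example (not code from the talk): it builds the structured generator matrix $V(x) \cdot \mathrm{Diag}(y)$ of slide 16 over a prime field, masks it with an invertible $S$ as a McEliece-style public key, checks that a word $y \star \mathrm{ev}_x(f)$ from the definition of slide 18 lies in the code, and shows that a second description $(x', y)$ with $x'_i = a x_i + b$ is an equally valid answer to the problem of slides 7 and 15. The prime modulus 17, the parameters and the random seed are assumptions for illustration; the slides' $q = 2^m$ would need extension-field arithmetic instead.

```python
import random

P = 17  # prime modulus: arithmetic mod P is the field F_q of the slides (q = 17 assumed)

def rank_mod_p(rows, p=P):
    # Rank over F_p by Gauss-Jordan elimination (rows are lists of ints).
    m, rank = [list(r) for r in rows], 0
    for col in range(len(m[0])):
        pivot = next((i for i in range(rank, len(m)) if m[i][col] % p), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(v * inv) % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col] % p:
                m[i] = [(a - m[i][col] * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank

def matmul(a, b, p=P):
    return [[sum(x * y for x, y in zip(row, col)) % p for col in zip(*b)] for row in a]

def grs_generator(xs, ys, k, p=P):
    # Rows y_i * x_i^j for j = 0..k-1: the matrix V(x) . Diag(y) of slide 16.
    return [[(y * pow(x, j, p)) % p for x, y in zip(xs, ys)] for j in range(k)]

def same_code(g1, g2, p=P):
    # Equal row spaces over F_p iff stacking the matrices does not raise the rank.
    return rank_mod_p(g1, p) == rank_mod_p(g1 + g2, p) == rank_mod_p(g2, p)

def demo(k=4, n=10, seed=1):
    rng = random.Random(seed)
    xs = rng.sample(range(P), n)                  # pairwise distinct evaluation points
    ys = [rng.randrange(1, P) for _ in range(n)]  # non-zero column multipliers
    g_struct = grs_generator(xs, ys, k)
    # Secret mask S: unit upper-triangular with random entries, hence invertible.
    s = [[1 if i == j else rng.randrange(P) if j > i else 0 for j in range(k)] for i in range(k)]
    g_pub = matmul(s, g_struct)                   # public key: S . V(x) . Diag(y)
    # A codeword y * ev_x(f) for a random f with deg f < k (definition of slide 18).
    f = [rng.randrange(P) for _ in range(k)]
    c = [(y * sum(f[j] * pow(x, j, P) for j in range(k))) % P for x, y in zip(xs, ys)]
    # A second valid description of the same code: x'_i = a x_i + b with a != 0,
    # because {f(ax+b) : deg f < k} = {f : deg f < k}. So (x', y) is also an answer.
    a, b = rng.randrange(1, P), rng.randrange(P)
    g_alt = grs_generator([(a * x + b) % P for x in xs], ys, k)
    return same_code(g_struct, g_pub), rank_mod_p(g_pub + [c]) == k, same_code(g_pub, g_alt)
```

The last check is why the structure-recovery problem asks for some valid $(g, x', y')$ rather than the original secret: the public matrix alone does not single out one description.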
