
Cryptanalysis of Two Variants of the McEliece Cryptosystem (slide presentation)



  1. Cryptanalysis of Two Variants of the McEliece Cryptosystem
     Ayoub Otmani¹ (Ayoub.Otmani@info.unicaen.fr), Léonard Dallot¹ (Leonard.Dallot@info.unicaen.fr), Jean-Pierre Tillich² (jean-pierre.tillich@inria.fr)
     ¹ GREYC - Groupe de Recherche en Informatique, Image, Automatique et Instrumentation de Caen (UMR 6072)
     ² Équipe-projet Secret, INRIA-Rocquencourt
     Séminaire ALI/SALSA. April 3, 2009.

  2. I. Background

  3. Introduction
     • Asymmetric cryptography concepts introduced by Diffie & Hellman ('76)
     • Rivest, Shamir & Adleman invented RSA ('77)
       – First asymmetric cryptosystem
       – Widely accepted for practical use
       – Extensively studied, which has led to (too?) many security recommendations
     • But alternative cryptosystems exist . . . such as the McEliece cryptosystem

  4. McEliece Cryptosystem
     • Let F_{n,k,t} be a family of codes of length n and dimension k capable of correcting ≤ t errors.
     • The cryptosystem is described by three algorithms:
       – (PK, SK) ← Setup(1^λ)
       – c ∈ F_2^n ← Encrypt(m ∈ F_2^k)
       – m′ ∈ F_2^k ← Decrypt(c′ ∈ F_2^n)

  5. McEliece. Setup
     (PK, SK) ← Setup(1^λ)
     1. Take n, k, t according to λ
     2. Randomly choose a generator matrix G′ ∈ F_{n,k,t}
     3. Randomly pick:
        – an n × n permutation matrix P
        – a k × k invertible matrix S
     4. Set G = S × G′ × P and let γ : F_2^n → F_2^k be the decoding algorithm associated with G′
     5. Output PK = (G, t) and SK = (S, P, γ)

  6. McEliece. Encrypt
     c ∈ F_2^n ← Encrypt(m ∈ F_2^k)
     1. Pick a random vector e ∈ F_2^n of weight ≤ t
     2. Output c = m × G ⊕ e

  7. McEliece. Decrypt
     m′ ∈ F_2^k ← Decrypt(c′ ∈ F_2^n)
     1. Calculate z = c′ × P^{-1}    // z = m × (S × G′) ⊕ (e × P^{-1}); e × P^{-1} still has weight ≤ t, so γ can correct it
     2. Compute y = γ(z)             // y = m × S
     3. Output m′ = y × S^{-1}       // m′ = m

  8. McEliece Cryptosystem – Security Assumptions
     • One-Wayness under Chosen Plaintext Attack (OW-CPA)
       Difficult to invert Encrypt (decoding attack)
     • Private key recovery
       Difficult to extract the secret matrices, or an equivalent secret matrix with an efficient decoding algorithm, from the public matrix (structural attack)
     Remark. The public code and the secret code are permutation equivalent.

  9. McEliece Cryptosystem Security – OW-CPA
     1. Decoding random linear codes is NP-hard
        E. R. Berlekamp, R. J. McEliece, and H. C. A. van Tilborg. On the intractability of certain coding problems. IEEE Transactions on Information Theory, 24(3):384–386, 1978.
     2. The best practical algorithms run in time exponential in the length (at fixed rate)
        D. J. Bernstein, T. Lange, and C. Peters. Attacking and defending the McEliece cryptosystem. In PQCrypto, pages 31–46, 2008.
     3. Permuted Goppa codes look like random linear codes

  10. McEliece Cryptosystem – Private Key Recovery
     • The hardness does not come from the code-equivalence problem: in practice the Support Splitting Algorithm solves it easily once both codes are known
       N. Sendrier. Finding the permutation between equivalent codes: the support splitting algorithm. IEEE Transactions on Information Theory, vol. 46, no. 4, pages 1193–1203, July 2000.
     • It comes rather from the huge sizes of F_{n,k,t} (the secret code has to be found first) and of the symmetric group on n elements
     Remark. The original McEliece scheme is still unbroken, unlike many of its variants . . .

  11. McEliece Cryptosystem Variants
     Replacing Goppa codes with
     1. Reed-Solomon codes (Niederreiter '86)
     2. Concatenated codes
     3. Reed-Muller codes (Sidelnikov '94)

  12. Insecure McEliece Cryptosystem Variants
     • Reed-Solomon codes
       V. M. Sidelnikov and S. O. Shestakov. On the insecurity of cryptosystems based on generalized Reed-Solomon codes. Discrete Mathematics and Applications, 1(4):439–444, 1992.
     • Concatenated codes
       N. Sendrier. On the structure of a randomly permuted concatenated code. Rapport de recherche de l'INRIA – Rocquencourt, January 1995.
     • Reed-Muller codes
       L. Minder and A. Shokrollahi. Cryptanalysis of the Sidelnikov cryptosystem. In Eurocrypt 2007, volume 4515 of Lecture Notes in Computer Science, pages 347–360, Barcelona, Spain, 2007.

  13. McEliece Cryptosystem
     • Three advantages
       – Fast encryption/decryption algorithms
       – Original scheme still secure
       – An alternative to RSA that is not known to be broken by quantum computers!
     • Main drawback: huge public key
       For instance, with the parameters proposed in '78 (now outdated):
       ∗ Goppa codes with n = 1024, k = 524
       ∗ Private key ≃ 300 Kbits
       ∗ Public key ≃ 500 Kbits

  14. Reducing Key Sizes
     1. Sparse matrices
        C. Monico, J. Rosenthal, and A. Shokrollahi. Using low density parity check codes in the McEliece cryptosystem. In IEEE International Symposium on Information Theory (ISIT 2000), page 215, Sorrento, Italy, 2000.
     2. Quasi-cyclic matrices
        P. Gaborit. Shorter keys for code based cryptography. In Proceedings of the 2005 International Workshop on Coding and Cryptography (WCC 2005), pages 81–91, Bergen, Norway, March 2005.
     3. Sparse quasi-cyclic matrices
        M. Baldi and G. F. Chiaraluce. Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC codes. In IEEE International Symposium on Information Theory (ISIT 2007), pages 2591–2595, Nice, France, June 2007.

  15. Low Density Parity Check Codes
     Some facts.
     • Invented by Gallager ('62) and rediscovered by MacKay ('98)
     • Linear codes defined by very sparse parity-check matrices
     • Iteratively decoded through the belief-propagation algorithm
     • For any cryptographic use, one has to hide the sparsity of the matrices
     Notation. L_{n,k,t}: family of LDPC codes of length n, dimension k and correcting capability t.

  16. LDPC Codes in the McEliece Cryptosystem
     Setup(1^λ)
     1. Randomly choose a parity-check matrix H′ ∈ L_{n,k,t}
     2. Randomly pick a sparse invertible (n − k) × (n − k) matrix T and an invertible k × k matrix S
     3. Set H = T × H′
     4. Output SK = (H′, T) and PK = (H, S, t)
     Remark. H and H′ define the same code C, since T is invertible.

  17. LDPC Codes in the McEliece Cryptosystem
     Encrypt(m)
     1. Compute a generator matrix G in row reduced echelon form from H
     2. Set G̃ = S^{-1} × G
     3. Output c = m × G̃ ⊕ e
     Decrypt(c)
     1. Decode c with H′    // G and G̃ define the same code C
     2. Extract m × S^{-1} from the codeword m × G̃
     3. Multiply by S and output m

  18. LDPC Codes in the McEliece Cryptosystem – Security Assumption
     • The dual of the public code must not have codewords of small weight
     • It should be hard to devise a sparse parity-check matrix H̃ equivalent to H′
     • It turns out not to be the case
       C. Monico, J. Rosenthal, and A. Shokrollahi. Using low density parity check codes in the McEliece cryptosystem. In IEEE International Symposium on Information Theory (ISIT 2000), page 215, Sorrento, Italy, 2000.

  19. LDPC Codes in the McEliece Cryptosystem – Structural Attack
     Notation.
     – Let v_i be the i-th row of a matrix V
     – Let v_i ∩ v_j be the intersection vector (coordinate-wise AND) of v_i and v_j
     Basic observation. T and H′ are (very) sparse matrices, so each row of H = T × H′ is the sum of only a few rows of H′. With non-negligible probability, for many ℓ there exist i, j such that h′_ℓ = h_i ∩ h_j.

  20. Secret Parity Check Matrix Recovery
     B ← ∅
     1.  for all i, j do
           compute v = h_i ∩ h_j
     2.    if v ∈ C^⊥ (i.e. v lies in the row space of H) then
             B = B ∪ {v}
     3.      for all ℓ do
     4.        if wt(h_ℓ ⊕ v) < wt(h_ℓ) then
     5.          h_ℓ = h_ℓ ⊕ v
     6.        end if
     7.      end for
     8.      goto 1
     9.    end if
     10. end for
     11. Output B
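The key generation of slide 16 (H = T × H′ with T and H′ sparse) together with the row-intersection attack of slides 19 and 20, as an added example; it is not the authors' code. Rows are packed into Python integers, the membership test v ∈ C^⊥ is implemented as a rank test against the row space of H, and besides the set B of the slide the attack also returns the reduced public matrix, whose rows become sparse as they are cancelled against recovered secret rows (our own addition to the slide's output). The instances are constructed: a hand-built one whose outcome is fully predictable, and a random one whose recovered fraction varies with the seed.

```python
"""Row-intersection attack on H = T * H' (LDPC McEliece variant).
Added illustration, not the authors' code. Rows are ints, bit j = coordinate j."""
import random
from typing import Dict, List, Set, Tuple


def popcount(x: int) -> int:
    return bin(x).count("1")


def gf2_rank(rows: List[int]) -> int:
    """Rank over GF(2), pivoting on the highest set bit of each row."""
    pivots: Dict[int, int] = {}
    for r in rows:
        while r:
            hb = r.bit_length() - 1
            if hb in pivots:
                r ^= pivots[hb]
            else:
                pivots[hb] = r
                break
    return len(pivots)


def is_parity_check(v: int, H: List[int]) -> bool:
    """v in C^perp, i.e. v lies in the row space of H (the slide's test)."""
    return gf2_rank(H + [v]) == gf2_rank(H)


def mul_T(T: List[int], Hp: List[int]) -> List[int]:
    """H = T * H'. Row i of T is packed: bit a set means 'add row a of H''."""
    out = []
    for t in T:
        acc = 0
        for a, row in enumerate(Hp):
            if (t >> a) & 1:
                acc ^= row
        out.append(acc)
    return out


def intersection_attack(H_pub: List[int]) -> Tuple[Set[int], List[int]]:
    """Slide 20: collect intersections that are parity checks into B and use
    them to lower the weight of the public rows; restart until nothing moves."""
    H = list(H_pub)
    B: Set[int] = set()
    changed = True
    while changed:                       # the slide's "goto 1"
        changed = False
        for i in range(len(H)):
            for j in range(i + 1, len(H)):
                v = H[i] & H[j]          # h_i ∩ h_j
                if v == 0 or v in B or not is_parity_check(v, H_pub):
                    continue
                B.add(v)
                for l in range(len(H)):
                    # reduce h_l, but never cancel a row that already equals v
                    if H[l] != v and popcount(H[l] ^ v) < popcount(H[l]):
                        H[l] ^= v
                        changed = True
    return B, H


def recovered_fraction(Hp: List[int], B: Set[int], H_red: List[int]) -> float:
    """Share of the secret rows of H' found in B or among the reduced rows."""
    return len(set(Hp) & (B | set(H_red))) / len(set(Hp))


def toy_instance() -> Tuple[List[int], List[int]]:
    """Constructed instance (n = 12, n-k = 4): secret rows with disjoint
    weight-3 supports, T unit upper-triangular with two ones per row."""
    Hp = [0b111 << (3 * r) for r in range(4)]
    T = [0b0011, 0b0110, 0b1100, 0b1000]       # h'0+h'1, h'1+h'2, h'2+h'3, h'3
    return Hp, T


def random_instance(rng: random.Random, n: int = 48, r: int = 24,
                    row_weight: int = 3, t_weight: int = 2) -> Tuple[List[int], List[int]]:
    """Constructed random sparse H' and random sparse invertible T."""
    Hp = [sum(1 << pos for pos in rng.sample(range(n), row_weight)) for _ in range(r)]
    while True:
        T = [(1 << i) | sum(1 << o for o in
                            rng.sample([x for x in range(r) if x != i], t_weight - 1))
             for i in range(r)]
        if gf2_rank(T) == r:             # T must be invertible
            return Hp, T


def random_demo(seed: int) -> Tuple[float, bool]:
    """Attack a random instance: recovered fraction, and whether every vector
    in B really is a parity check of the public code."""
    Hp, T = random_instance(random.Random(seed))
    H = mul_T(T, Hp)
    B, H_red = intersection_attack(H)
    return recovered_fraction(Hp, B, H_red), all(is_parity_check(v, H) for v in B)


if __name__ == "__main__":
    Hp, T = toy_instance()
    B, H_red = intersection_attack(mul_T(T, Hp))
    print("toy instance: recovered fraction", recovered_fraction(Hp, B, H_red))
    print("random instance: recovered fraction, all checks valid:", random_demo(2009))
```

On the toy instance every secret row is recovered: three of them appear directly as intersections, and the fourth is what remains of the first public row once the recovered rows have been cancelled from it. On random instances the intersection of two public rows is only equal to a secret row when the other secret rows they contain have disjoint supports, which is exactly where the very low density of H′ and T works against the scheme.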

  21. II. Quasi-Cyclic Codes

  22. Circulant Matrix
     Definition.
     • M is a circulant p × p matrix if
           [ m_0      m_1      · · ·  m_{p−1} ]
       M = [ m_{p−1}  m_0      · · ·  m_{p−2} ]
           [  ⋮        ⋮        ⋱      ⋮      ]
           [ m_1      m_2      · · ·  m_0     ]
     • The weight of M is the weight of m = (m_0, . . . , m_{p−1})
     Notation. M ↦ m(x) = m_0 + m_1 x + · · · + m_{p−1} x^{p−1}

  23. Circulant Matrix
     Properties. Let M and N be circulant p × p matrices
     • M + N is circulant:   M + N ↦ m(x) + n(x)
     • M × N is circulant:   M × N ↦ m(x) · n(x) mod (x^p − 1)
     • M^T is circulant:     M^T ↦ m(1/x) · x^p mod (x^p − 1)
     • M is invertible iff m(x) is coprime with x^p − 1

  24. Circulant-by-Block Matrix
     Definition. M = [M_{i,j}] is circulant-by-block if each M_{i,j} is a circulant p × p matrix
       M ↦ M(x) = [m_{i,j}(x)]
     Properties. Let M and N be circulant-by-block matrices
     • M + N, M × N, M^T are also circulant-by-block matrices
     • M is invertible iff det(M)(x) is coprime with x^p − 1
     • M^{-1} is a circulant-by-block matrix
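The polynomial view of circulant matrices from slides 22 to 24, checked on concrete matrices over F_2 with p = 7. This is an added example, not the authors' code: polynomials are packed into integers (bit i is the coefficient of x^i), a circulant matrix is identified with the polynomial of its first row, and the functions verify that M × N and M^T are the circulants of m(x)·n(x) and x^p·m(1/x) modulo x^p − 1, that invertibility is gcd(m(x), x^p − 1) = 1 with the inverse given by the polynomial inverse, and, for the 2 × 2 circulant-by-block case, that the inverse exists exactly when det(M)(x) is coprime with x^p − 1 and is again circulant-by-block.

```python
"""Circulant matrices over GF(2) as polynomials modulo x^p - 1.
Added illustration for the slides on circulant matrices, not the authors' code."""
from typing import List, Optional, Tuple

Matrix = List[List[int]]


def poly_mul(a: int, b: int) -> int:
    """Carry-less product in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a: int, m: int) -> Tuple[int, int]:
    """Quotient and remainder of a by m in GF(2)[x]."""
    q, dm = 0, m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        s = a.bit_length() - 1 - dm
        q ^= 1 << s
        a ^= m << s
    return q, a


def poly_gcd(a: int, b: int) -> int:
    while b:
        a, b = b, poly_divmod(a, b)[1]
    return a


def poly_inverse(a: int, m: int) -> Optional[int]:
    """Inverse of a modulo m by extended Euclid; None unless gcd(a, m) = 1."""
    r0, r1, s0, s1 = m, a, 0, 1
    while r1:
        q, r = poly_divmod(r0, r1)
        r0, r1, s0, s1 = r1, r, s1, s0 ^ poly_mul(q, s1)
    return poly_divmod(s0, m)[1] if r0 == 1 else None


def cyc_mul(a: int, b: int, p: int) -> int:
    """a(x) b(x) mod (x^p - 1): the polynomial of M x N."""
    return poly_divmod(poly_mul(a, b), (1 << p) | 1)[1]


def circulant(m: int, p: int) -> Matrix:
    """Row i is the first row (m_0, ..., m_{p-1}) rotated right i times."""
    return [[(m >> ((j - i) % p)) & 1 for j in range(p)] for i in range(p)]


def to_poly(M: Matrix) -> int:
    """Polynomial of the first row of a circulant matrix."""
    return sum(bit << j for j, bit in enumerate(M[0]))


def transpose_poly(m: int, p: int) -> int:
    """Polynomial of M^T: x^p m(1/x) mod (x^p - 1); coefficient d is m_{-d mod p}."""
    return sum(((m >> ((p - d) % p)) & 1) << d for d in range(p))


def is_invertible(m: int, p: int) -> bool:
    return poly_gcd(m, (1 << p) | 1) == 1


def mat_mul(A: Matrix, B: Matrix) -> Matrix:
    return [[sum(A[i][k] & B[k][j] for k in range(len(B))) & 1
             for j in range(len(B[0]))] for i in range(len(A))]


def transpose(M: Matrix) -> Matrix:
    return [list(col) for col in zip(*M)]


def identity(n: int) -> Matrix:
    return [[int(i == j) for j in range(n)] for i in range(n)]


def block_circulant(polys: List[List[int]], p: int) -> Matrix:
    """Circulant-by-block matrix from a grid of polynomials m_{i,j}(x)."""
    rows: Matrix = []
    for block_row in polys:
        blocks = [circulant(m, p) for m in block_row]
        for i in range(p):
            rows.append([bit for blk in blocks for bit in blk[i]])
    return rows


def block2_inverse(polys: List[List[int]], p: int) -> Optional[List[List[int]]]:
    """Inverse of a 2x2 circulant-by-block matrix in GF(2)[x]/(x^p - 1):
    det(M)(x) = ad + bc must be coprime with x^p - 1, and then
    M^-1 = det^-1 [[d, b], [c, a]] (minus signs vanish in characteristic 2)."""
    (a, b), (c, d) = polys
    det = cyc_mul(a, d, p) ^ cyc_mul(b, c, p)
    det_inv = poly_inverse(det, (1 << p) | 1)
    if det_inv is None:
        return None
    return [[cyc_mul(det_inv, d, p), cyc_mul(det_inv, b, p)],
            [cyc_mul(det_inv, c, p), cyc_mul(det_inv, a, p)]]
```

Two checks worth running by hand: for p = 7, m(x) = 1 + x + x^3 divides x^7 − 1, so its circulant has rank 4 and no inverse (it is a generator matrix of the [7,4] Hamming code), while m(x) = 1 + x + x^2 is coprime with x^7 − 1 and its circulant inverts. Any m(x) of even weight is divisible by x + 1 and therefore never invertible.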
