on the security of some compact keys for mceliece scheme
play

On the security of Some Compact Keys for McEliece Scheme lise - PowerPoint PPT Presentation

Apr 14, 2023 •392 likes •1.01k views

On the security of Some Compact Keys for McEliece Scheme lise Barelli INRIA Saclay and LIX, CNRS UMR 7161 cole Polytechnique, 91120 Palaiseau Cedex June 16, 2017 E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June

  1. On the security of Some Compact Keys for McEliece Scheme Élise Barelli INRIA Saclay and LIX, CNRS UMR 7161 École Polytechnique, 91120 Palaiseau Cedex June 16, 2017 E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 1 / 35

  2. 1 McEliece scheme 2 Algebraic-geometry codes Security of Quasi-cyclic Alternant Codes on P 1 3 Induced permutations of Alternant Codes Invariant and Folded Codes Alternant codes on cyclic cover of P 1 4 Codes with automorphisms Security 5 Alternant codes on the Hermitian curve Invariant code and quotient curve Security analysis 6 Conclusion E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 2 / 35

  3. McEliece scheme 1 McEliece scheme 2 Algebraic-geometry codes Security of Quasi-cyclic Alternant Codes on P 1 3 Induced permutations of Alternant Codes Invariant and Folded Codes Alternant codes on cyclic cover of P 1 4 Codes with automorphisms Security 5 Alternant codes on the Hermitian curve Invariant code and quotient curve Security analysis 6 Conclusion E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 3 / 35

  4. McEliece scheme McEliece scheme It is the first public key cryptosystem based on error-correcting codes. Advantages: Fast encryption and decryption. Candidate for post-quantum cryptography Drawback: Large key size E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 4 / 35

  5. McEliece scheme McEliece scheme It is the first public key cryptosystem based on error-correcting codes. Advantages: Fast encryption and decryption. Candidate for post-quantum cryptography Drawback: Large key size Structural attacks → Let F be any family of linear codes. → Let G be a random looking generator matrix of a code C ∈ F . From G , can we recover the structure of the code C ? E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 4 / 35

  6. McEliece scheme Some propositions Binary Goppa codes (McEliece, 1978) → No structural attack E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 5 / 35

  7. McEliece scheme Some propositions Binary Goppa codes (McEliece, 1978) → No structural attack Generalised Reed-Solomon (GRS) (Niederreiter, 1986) → [Sidelnikov, Shestakov,1992] E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 5 / 35

  8. McEliece scheme Some propositions Binary Goppa codes (McEliece, 1978) → No structural attack Generalised Reed-Solomon (GRS) (Niederreiter, 1986) → [Sidelnikov, Shestakov,1992] Algebraic-geometry (AG) codes (Janwa, Moreno, 1996) → [Faure, Minder, 2009] → [Couvreur, Márquez-Corbella, Pellikaan, 2014] E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 5 / 35

  9. McEliece scheme Some propositions Binary Goppa codes (McEliece, 1978) → No structural attack Generalised Reed-Solomon (GRS) (Niederreiter, 1986) → [Sidelnikov, Shestakov,1992] Algebraic-geometry (AG) codes (Janwa, Moreno, 1996) → [Faure, Minder, 2009] → [Couvreur, Márquez-Corbella, Pellikaan, 2014] Concatenation of AG codes (Janwa, Moreno, 1996) → [Sendrier,1998] (for all concatenated codes) E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 5 / 35

  10. McEliece scheme Some propositions Binary Goppa codes (McEliece, 1978) → No structural attack Generalised Reed-Solomon (GRS) (Niederreiter, 1986) → [Sidelnikov, Shestakov,1992] Algebraic-geometry (AG) codes (Janwa, Moreno, 1996) → [Faure, Minder, 2009] → [Couvreur, Márquez-Corbella, Pellikaan, 2014] Concatenation of AG codes (Janwa, Moreno, 1996) → [Sendrier,1998] (for all concatenated codes) Subfied subcodes of AG codes (Janwa, Moreno, 1996) → No structural attack E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 5 / 35

  11. McEliece scheme Some propositions with compact keys Quasi-cyclic alternant codes (Berger, Cayrel, Gaborit, Otmani, 2009) Quasi-dyadic alternant codes (Misoczki, Baretto, 2009) Structural attacks: → [Faugère, Otmani, Perret, Tillich, 2010] → [Faugère, Otmani, Perret, Portzamparc, Tillich, 2015] → [B., 2017] E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 6 / 35

  12. Algebraic-geometry codes 1 McEliece scheme 2 Algebraic-geometry codes Security of Quasi-cyclic Alternant Codes on P 1 3 Induced permutations of Alternant Codes Invariant and Folded Codes Alternant codes on cyclic cover of P 1 4 Codes with automorphisms Security 5 Alternant codes on the Hermitian curve Invariant code and quotient curve Security analysis 6 Conclusion E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 7 / 35

  13. Algebraic-geometry codes Functions on a curve X We consider an algebraic curve X ⊂ P 2 ( F q m ) , with affine equation: F ( x , y ) = 0 . The function field over F q m of X , denoted by F q m ( X ) is the fraction field of F q m [ x , y ] / ( F ) . A divisor of X is a formal sum, with integer coefficients, of points of X . For g ∈ F q m ( X ) , the principal divisor of g, denoted by ( g ) , is defined as the formal sum of zeros and poles of g , counted with multiplicity. We denote by L ( G ) := { g ∈ F q m ( X ) | ( g ) ≥ − G } ∪ { 0 } , the Riemann-Roch space associated to a divisor G . E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 8 / 35

  14. Algebraic-geometry codes AG codes on X Definition Let P = { P 1 , . . . , P n } be a set of n distinct rational points of X and G be a divisor, then the AG code C L ( X , P , G ) is defined by: C L ( X , P , G ) := { Ev P ( f ) | f ∈ L ( G ) } . Dual � C L ( X , P , G ′ ) F q m C L ( X , P , G ) � Subfield Subcode C L ( X , P , G ′ ) ∩ F n F q q A r ( X , P , G ) := C L ( X , P , G ′ ) ∩ F n q , where r = dim ( C L ( X , P , G )) . E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 9 / 35

  15. Security of Quasi-cyclic Alternant Codes on P 1 1 McEliece scheme 2 Algebraic-geometry codes Security of Quasi-cyclic Alternant Codes on P 1 3 Induced permutations of Alternant Codes Invariant and Folded Codes Alternant codes on cyclic cover of P 1 4 Codes with automorphisms Security 5 Alternant codes on the Hermitian curve Invariant code and quotient curve Security analysis 6 Conclusion E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 10 / 35

  16. Security of Quasi-cyclic Alternant Codes on P 1 Induced permutations of Alternant Codes AG codes on P 1 Let P = { P 1 , . . . , P n } be a set of n distinct points of P 1 F qm and G be a divisor, then the AG code C L ( P 1 , P , G ) is defined by: C L ( P 1 , P , G ) := { Ev P ( f ) | f ∈ L ( G ) } . E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 11 / 35

  17. Security of Quasi-cyclic Alternant Codes on P 1 Induced permutations of Alternant Codes AG codes on P 1 Let P = { P 1 , . . . , P n } be a set of n distinct points of P 1 F qm and G be a divisor, then the AG code C L ( P 1 , P , G ) is defined by: C L ( P 1 , P , G ) := { Ev P ( f ) | f ∈ L ( G ) } . Proposition The AG code C L ( P 1 , P , G ) is the GRS code : GRS k ( x , y ) := { ( y 1 f ( x 1 ) , . . . , y n f ( x n )) | f ∈ F q m [ X ] < k } . where: → P := { ( x i : 1 ) | i ∈ { 1 , . . . , n }} , → G := ( k − 1 ) P ∞ − ( g ) , with g ∈ F q m ( P 1 ) a function such that for all i ∈ { 1 , . . . , n } , g ( x i ) = y i � = 0 . E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 11 / 35

  18. Security of Quasi-cyclic Alternant Codes on P 1 Induced permutations of Alternant Codes Automorphim group of P 1 PGL 2 ( F q m ) is the automorphism group of the projective line P 1 defined by: P 1 P 1 � a , b , c , d ∈ F q m , → � � � F qm F qm PGL 2 ( F q m ) := . � ( x : y ) �→ ( ax + by : cx + dy ) ad − bc � = 0 � E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 12 / 35

  19. Security of Quasi-cyclic Alternant Codes on P 1 Induced permutations of Alternant Codes Automorphim group of P 1 PGL 2 ( F q m ) is the automorphism group of the projective line P 1 defined by: P 1 P 1 � a , b , c , d ∈ F q m , → � � � F qm F qm PGL 2 ( F q m ) := . � ( x : y ) �→ ( ax + by : cx + dy ) ad − bc � = 0 � Remark The permutations of PGL 2 ( F q m ) have also a matrix representation, ie: � a � b ∀ σ ∈ PGL 2 ( F q m ) , we write σ := , with ad − bc � = 0 . c d Where the elements a , b , c and d are defined up to a multiplication by a nonzero scalar. E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 12 / 35

  20. Security of Quasi-cyclic Alternant Codes on P 1 Induced permutations of Alternant Codes Support and divisor σ -invariant Let σ be an automorphism of P 1 F qm . For a point Q ∈ P 1 , we denote Orb σ ( Q ) := { σ j ( Q ) | j ∈ { 1 ..ℓ }} . We define the support : n /ℓ � (1) P := Orb σ ( Q i ) , i = 1 where the points Q i ∈ P 1 F qm are pairwise distinct with trivial stabilizer subgroup. E. Barelli (INRIA Saclay and LIX) Security of Compact McEliece Scheme June 16, 2017 13 / 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides
Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR,

Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR,

Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR, Universit de Rennes 1 Journes Nationales de Calcul Formel 2020 03/03/2020 Outline 1. McEliece cryptosystem and variants 2. Attack on the ReedSolomon

782 views • 52 slides
Solutions for the Storage Problem of McEliece Public and Private Keys on Memory-constrained

Solutions for the Storage Problem of McEliece Public and Private Keys on Memory-constrained

Solutions for the Storage Problem of McEliece Public and Private Keys on Memory-constrained Platforms Falko Strenzke FlexSecure GmbH, Darmstadt, Germany strenzke@flexsecure.de January 18, 2013 Solutions for the McEliece Key Storage Problem

411 views • 28 slides
Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded Devices 4 th Code based Cryptography Workshop 2013, Rocquencourt, France Stefan Heyse, Ingo von Maurich and Tim Gneysu Horst Grtz Institute for

500 views • 39 slides
Cryptographically-Enforced Hierarchical scheme An unbounded Access Control with Multiple Keys

Cryptographically-Enforced Hierarchical scheme An unbounded Access Control with Multiple Keys

Preliminaries A bounded asynchronous Cryptographically-Enforced Hierarchical scheme An unbounded Access Control with Multiple Keys asynchronous scheme Concluding remarks Jason Crampton Questions Information Security Group Royal

673 views • 43 slides
Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org

1 Classic McEliece: conservative code-based cryptography D. J. Bernstein classic.mceliece.org Fundamental literature: 1962 Prange (attack) + many more attack papers. 1968 Berlekamp (decoder). 19701971 Goppa (codes). 1978 McEliece

775 views • 58 slides
Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital Signatures The hash and sign paradigm m c slide 1/18 . Any public key encryption can be turned into a signature. Digital Signatures The hash and

759 views • 28 slides
New variant of the UOV signa- ture scheme with smaller public keys Ward Beullens KULeuven -

New variant of the UOV signa- ture scheme with smaller public keys Ward Beullens KULeuven -

New variant of the UOV signa- ture scheme with smaller public keys Ward Beullens KULeuven - ESAT 26 June 2017 The UOV signature scheme 2/6 The Unbalanced Oil and Vinegar (UOV) signature scheme has withstood attacks since its formulation in

476 views • 6 slides
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

Traditional McEliece Crypto System Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich ALCOMA, March 19, 2015 joint

763 views • 54 slides
Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/

Classic McEliece: conservative code-based cryptography Round 2 https://classic.mceliece.org/ Daniel J. Bernstein 1 , Tung Chou 2 , Tanja Lange 3 , Ingo von Maurich, Rafael Misoczki 4 , Ruben Niederhagen 5 , Edoardo Persichetti 6 , Christiane

439 views • 28 slides
McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical):

1 2 McTiny: classic.mceliece.org McEliece for tiny network servers submission team (alphabetical): me; Daniel J. Bernstein, Tung Chou, osaka-u.ac.jp ; uic.edu , rub.de Tanja Lange, tue.nl ; Joint work with: Ingo von Maurich;

1.87k views • 162 slides
McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key:

McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key:

1 2 McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key: Daniel J. Bernstein, matrix G over F 2 . uic.edu , rub.de Normally m mG is injective. Tanja Lange, tue.nl Fundamental literature: 1962

2.16k views • 132 slides
Migration Policy Development Board 30/5/2019 Social Security Scheme - Briefing Social Security

Migration Policy Development Board 30/5/2019 Social Security Scheme - Briefing Social Security

Migration Policy Development Board 30/5/2019 Social Security Scheme - Briefing Social Security scheme overview Contributions States grant Social Security Fund Other contributory Pensions benefits 2 Social Security scheme

165 views • 14 slides
T-79.159 Cryptography and Data Security Lecture 11: Security systems using public keys 11.1 PGP

T-79.159 Cryptography and Data Security Lecture 11: Security systems using public keys 11.1 PGP

T-79.159 Cryptography and Data Security Lecture 11: Security systems using public keys 11.1 PGP Kaufman et al: Ch 17, 11.2 SSL/TLS 18, 19 11.3 IPSEC Stallings: Ch 16,17 1 Pretty Good Privacy Email encryption program

566 views • 8 slides
You still use the password after all Exploring FIDO2 Security Keys in a Small Company

You still use the password after all Exploring FIDO2 Security Keys in a Small Company

You still use the password after all Exploring FIDO2 Security Keys in a Small Company Florian M. Farke, Lennart Lorenz, Theodor Schnitzler, Philipp Markert, and Markus Drmuth Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020)

571 views • 11 slides
Ramesses : a Rank Metric Encryption Scheme with Short Keys Julien Lavauzelle , Pierre Loidreau,

Ramesses : a Rank Metric Encryption Scheme with Short Keys Julien Lavauzelle , Pierre Loidreau,

Ramesses : a Rank Metric Encryption Scheme with Short Keys Julien Lavauzelle , Pierre Loidreau, Ba-Duc Pham IRMAR, Universit de Rennes 1 Groupe de travail cryptographie base de codes 25/11/2019 Introduction Goal: design a new public-key

1.11k views • 68 slides
Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable

Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable

Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable Hardware Stefan Heyse, Tim Gneysu Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable Hardware Stefan Heyse, Tim

590 views • 22 slides
Efficiency and Implementation Security of Code-based Cryptosystems PhD Thesis by Falko Strenzke

Efficiency and Implementation Security of Code-based Cryptosystems PhD Thesis by Falko Strenzke

Efficiency and Implementation Security of Code-based Cryptosystems PhD Thesis by Falko Strenzke Falko Strenzke Cryptography and Computeralgebra, Department of Computer Science, Technische Universit at Darmstadt, Germany,

1.73k views • 160 slides
Cryptosystems That Resist Quantum Fourier Sampling Attacks Hang Dinh Indiana University South

Cryptosystems That Resist Quantum Fourier Sampling Attacks Hang Dinh Indiana University South

McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks Hang Dinh Indiana University South Bend joint work with Cristopher Moore Alexander Russell University of New Mexico University of Connecticut Post-quantum

401 views • 18 slides
Decoding challenge Assessing the practical hardness of syndrome decoding for code-based

Decoding challenge Assessing the practical hardness of syndrome decoding for code-based

Decoding challenge Assessing the practical hardness of syndrome decoding for code-based cryptography Matthieu Lequesne Sorbonne Universit Inria Paris, team Cosmiq February 27, 2020 All you ever wanted to know about code-based crypto

1.53k views • 132 slides
Efficient Algorithm for the Linear Complexity of Sequences and Some Related Consequences Johan

Efficient Algorithm for the Linear Complexity of Sequences and Some Related Consequences Johan

Introduction A General Method for Binary Sequence Implementation Efficient Algorithm for the Linear Complexity of Sequences and Some Related Consequences Johan Chrisnata ISIT 2020 Joint work with: Yeow Meng Chee Tuvi Etzion Han Mao Kiah

786 views • 64 slides
Feng-Rao distances in Arf and inductive semigroups Jos e I. Farr an Pedro A. Garc

Feng-Rao distances in Arf and inductive semigroups Jos e I. Farr an Pedro A. Garc

AG codes Numerical semigroups Arf semigroups Inductive semigroups Feng-Rao distances in Arf and inductive semigroups Jos e I. Farr an Pedro A. Garc a-S anchez International Meeting on Numerical Semigroups Levico Terme July

393 views • 20 slides
Numerical Semigroups and Codes Cortona 2014 Jos e Ignacio Farr an Mart n

Numerical Semigroups and Codes Cortona 2014 Jos e Ignacio Farr an Mart n

I NTERNATIONAL M EETING ON N UMERICAL S EMIGROUPS Numerical Semigroups and Codes Cortona 2014 Jos e Ignacio Farr an Mart n jifarran@eii.uva.es Departamento de Matem atica Aplicada Universidad de Valladolid Campus de Segovia

719 views • 48 slides
A Geometric Approach for the Computation of Riemann-Roch Spaces : Algorithm and Complexity Aude Le

A Geometric Approach for the Computation of Riemann-Roch Spaces : Algorithm and Complexity Aude Le

A Geometric Approach for the Computation of Riemann-Roch Spaces : Algorithm and Complexity Aude Le Gluher and Pierre-Jean Spaenlehauer Universit de Lorraine / INRIA Nancy Grand Est / CNRS CARAMBA team JNCF, Luminy, 2019 1 / 26

484 views • 29 slides

More recommend