Article

Algebraic Cryptanalysis of McEliece Variants with Compact Keys - Towards a Complexity Analysis

... The quasi-cyclic or quasi-dyadic alternant/Goppa codes have been attacked in [FOPT10,GUL09] by providing a suitable algebraic modeling for the secret key and then solving the algebraic system with Gröbner bases techniques. This algebraic modeling tries to recover the underlying polynomial structure of these codes coming from the underlying generalized Reed-Solomon structure by using just an arbitrary generator matrix of the alternant or Goppa code which is given by the public key of the scheme. ...
... It is much more convenient to recover with an algebraic modeling the support and the multiplier of the dual of the underlying GRS code, because any codeword $c = (c_i)_{1 \le i \le n}$ of the alternant code $\mathcal{A}_r(x, y)$ is readily seen to be orthogonal to any codeword $d$ of $GRS_r(x, y)$, i.e. $c \cdot d = 0$. The algebraic modeling of [FOPT10] is based on such equations where the unknowns are the entries of $x$ and $y$. Goppa codes can be recovered from this approach too, since they are particular alternant codes. ...
... It was also found that Gröbner bases techniques when applied to the algebraic system [FOPT10] behaved very differently when the system corresponds to a Goppa code instead of a random linear code of the same length and dimension. This approach led to [FGO+11] that gave a way to distinguish high-rate Goppa codes from random codes. ...
Preprint
Full-text available
We bring in here a novel algebraic approach for attacking the McEliece cryptosystem. It consists in introducing a subspace of matrices representing quadratic forms. Those are associated with quadratic relationships for the component-wise product in the dual of the code used in the cryptosystem. Depending on the characteristic of the code field, this space of matrices consists only of symmetric matrices or skew-symmetric matrices. This matrix space is shown to contain unusually low-rank matrices (rank 2 or 3 depending on the characteristic) which reveal the secret polynomial structure of the code. Finding such matrices can then be used to recover the secret key of the scheme. We devise a dedicated approach in characteristic 2 consisting in using a Gröbner basis modeling that a skew-symmetric matrix is of rank 2. This allows us to analyze the complexity of solving the corresponding algebraic system with Gröbner bases techniques. This computation behaves differently when applied to the skew-symmetric matrix space associated with a random code rather than with a Goppa or an alternant code. This gives a distinguisher of the latter code family. We give a bound on its complexity which turns out to interpolate nicely between polynomial and exponential depending on the code parameters. A distinguisher for alternant/Goppa codes was already known [FGO+11]. It is of polynomial complexity but works only in a narrow parameter regime. This new distinguisher is also polynomial for the parameter regime necessary for [FGO+11] but, contrary to the previous one, is able to operate for virtually all code parameters relevant to cryptography. Moreover, we use this matrix space to find a polynomial time attack of the McEliece cryptosystem provided that the Goppa code is distinguishable by the method of [FGO+11] and its degree is less than $q-1$, where $q$ is the alphabet size of the code.
... We introduce an efficient algorithm for an exhaustive search of projections for a subspace subcode of a q-ary image code. We conclude by showing that the folding attack presented in [12], [13] holds also for induced quasi-cyclic or quasi-dyadic generalized subspace subcodes of Reed-Solomon codes. ...
... • For k = 13, we obtain a $[16,12,4]_8$ code, which corresponds to an optimal linear code. Optimality means that there does not exist an $\mathbb{F}_8$-linear code of parameters [16,12,5] or [16,13,4]. ...
... • For k = 14, we obtain a $[16, 13.33, 3]_8$ code, which is better than any linear code in the sense that there does not exist an $\mathbb{F}_8$-linear code of parameters [16,13,4] or [16,14,3]. Results for m = 5, n = 32 and µ = 3: • For k = 26, we obtain a $[32,22,7]_8$ code, which corresponds to the parameters of the best known linear code, in the sense that we do not know whether there is an $\mathbb{F}_8$-linear code of parameters [32,22,8] or [32,23,7]. ...
Article
Full-text available
Most codes with an algebraic decoding algorithm are derived from Reed-Solomon codes. They are obtained by taking equivalent codes, for example generalized Reed-Solomon codes, or by using the so-called subfield subcode method, which leads to alternant codes over the underlying prime field, or over some intermediate subfield. The main advantage of these constructions is to preserve both the minimum distance and the decoding algorithm of the underlying Reed-Solomon code. In this paper, we explore in detail the subspace subcode construction. This kind of code was already studied in the particular case of cyclic Reed-Solomon codes. We extend this approach to any linear code over the extension of a finite field. We are interested in additive codes, which are deeply connected to subfield subcodes. We characterize the duals of subspace subcodes. We introduce the notion of generalized subspace subcodes. We apply our results to generalized Reed-Solomon codes, which leads to codes with interesting parameters, especially over a large alphabet. To conclude this paper, we discuss the security of the use of generalized subspace subcodes of Reed-Solomon codes in a cryptographic context.
... A famous method started in [23] and further developed in [9,27,6,3] relies on codes displaying symmetries like cyclicity and dyadicity while having very efficient decoding algorithms. Unlike the McEliece cryptosystem which currently remains unbroken, the schemes [9,27] are subject to efficient ciphertext-only attacks [20] that recover the secret algebraic structure. The attack developed in [20] formulates the general problem of recovering the algebraic structure of an alternant code as solving a system of polynomial equations. ...
... Unlike the McEliece cryptosystem which currently remains unbroken, the schemes [9,27] are subject to efficient ciphertext-only attacks [20] that recover the secret algebraic structure. The attack developed in [20] formulates the general problem of recovering the algebraic structure of an alternant code as solving a system of polynomial equations. But it involves very high degree polynomial equations with too many variables. ...
... The appearance of the algebraic attack in [20] generated a series of new algebraic attacks [17,19,21], but since the original McEliece cryptosystem does not seem to be affected by this approach, it still raises the question of whether it represents a real threat. ...
Preprint
Full-text available
The DAGS scheme is a key encapsulation mechanism (KEM) based on quasi-dyadic alternant codes that was submitted to the NIST standardization process for a quantum-resistant public key algorithm. Recently an algebraic attack was devised by Barelli and Couvreur (Asiacrypt 2018) that efficiently recovers the private key. It shows that DAGS can be totally cryptanalysed by solving a system of bilinear polynomial equations. However, some sets of DAGS parameters were not broken in practice. In this paper we improve the algebraic attack by showing that the original approach was not optimal in terms of the ratio of the number of equations to the number of variables. Contrary to the common belief that reducing at any cost the number of variables in a polynomial system is always beneficial, we actually observed that, provided that the ratio is increased and up to a threshold, the solving can be heavily improved by adding variables to the polynomial system. This enables us to recover the private keys in a few seconds. Furthermore, our experiments also show that the maximum degree reached during the computation of the Gröbner basis is an important parameter that explains the efficiency of the attack. Finally, the authors of DAGS updated the parameters to take into account the algebraic cryptanalysis of Barelli and Couvreur. In the present article, we propose a hybrid approach that performs an exhaustive search on some variables and computes a Gröbner basis on the polynomial system involving the remaining variables. We then show that the updated set of parameters corresponding to 128-bit security can be broken with $2^{83}$ operations.
... This method consists in recovering the secret element of an alternant code by solving a system of polynomial equations. In [FOPT10], the authors improved this new method to attack QC and QD alternant codes and broke all the parameters proposed in [BCGO09]. Such attacks use the specific structure of QC/QD codes in order to build an algebraic system with much fewer unknowns compared to the generic case. ...
... However, in the case of quasi-cyclic alternant codes, this system of equations can be simplified and gives rise to an attack. In the article [FOPT10], the authors propose this method to recover the structure of certain quasi-cyclic and quasi-dyadic alternant codes and attack various parameters proposed in [BCGO09]. This attack uses the specific structure of quasi-cyclic or quasi-dyadic codes to build an algebraic system with fewer unknowns than in the generic case. ...
... In this section, we present a general framework of attack, called algebraic attack, against the private key of a McEliece scheme using rational SSAG codes, that is alternant codes. In 2010, Faugère, Otmani, Perret and Tillich proposed in [FOPT10] a new approach to study the key security of McEliece schemes using alternant codes. They prove that the secret elements, that is the support and the multiplier of the private key, satisfy a system of polynomial equations. ...
Thesis
In 1978, McEliece introduced a new public key encryption scheme coming from error-correcting code theory. The idea is to use an error-correcting code whose structure is hidden, making it impossible to decode a message for anyone who does not know a specific decoding algorithm for the chosen code. The McEliece scheme has some advantages: encryption and decryption are very fast, and it is a good candidate for public-key cryptography in the context of quantum computers. The main constraint is that the public key is too large compared to other current public-key cryptosystems. In this context, we propose to study the use of some quasi-cyclic or quasi-dyadic codes. In this thesis, the two families of interest are the family of alternant codes and the family of subfield subcodes of algebraic geometry codes. We can construct quasi-cyclic alternant codes using an automorphism which acts on the support and the multiplier of the code. In order to estimate the security of these QC codes we study the invariant code. This invariant code is a smaller code derived from the public key. Actually the invariant code is exactly the subcode of codewords fixed by the automorphism σ. We show that it is possible to reduce the key-recovery problem on the original quasi-cyclic code to the same problem on the invariant code. This is also true in the case of QC algebraic geometry codes. This result permits us to propose a security analysis of QC codes coming from the Hermitian curve. Moreover, we propose compact keys for the McEliece scheme using subfield subcodes of AG codes on the Hermitian curve. The case of quasi-dyadic alternant codes is also studied. Using the invariant code, together with the Schur product and the conductor of two codes, we show weaknesses in the scheme using QD alternant codes with extension degree 2.
In the case of the submission DAGS, proposed in the context of the NIST competition, an attack exploiting these weaknesses permits to recover the secret key in a few minutes for some proposed parameters.
... On the other hand, many proposals suggest the use of codes with a non-trivial automorphism group [20,5,24,28]. Some of these proposals have been either partially or completely broken [27,18,17]. In particular, in the design of such proposals, precautions should be taken, since the knowledge of a non-trivial automorphism group of the public code facilitates algebraic attacks by significantly reducing the degrees and the number of variables of the algebraic system to solve in order to recover the secret key. ...
... First, by using alternant codes which are close to generalised Reed-Solomon codes, i.e. with an extension degree 2. Second, by using codes with a large permutation group. In terms of security with respect to key recovery attacks, DAGS parameters are chosen to be out of reach of the algebraic attacks [18,17]. In addition, it should be emphasised that the choice of alternant codes which are not Goppa codes puts the scheme out of reach of the distinguisher by shortening and squaring used in [13]. ...
... This attack is a novel and original manner to recover the structure of alternant codes by jointly taking advantage of the permutation group and the small size of the extension degree. Even if some variant of the attack relies on the resolution of a bilinear system, this system has nothing to do with those of the algebraic attacks of [18,17,19]. On the other hand, although this attack shares some common points with that of [13], where the computation of the norm trace code is also an intermediary step, the way we obtain this norm trace code and the reasons why it is possible to compute it are completely different. ...
Preprint
We present an efficient key recovery attack on code-based encryption schemes using some quasi-dyadic alternant codes with extension degree 2. This attack breaks the proposal DAGS recently submitted to NIST.
... His work was followed by Berger, Cayrel, Gaborit and Otmani's paper [BCGO09] which used quasi-cyclic alternant codes and the paper of Misoczki and Barreto [MB09] who proposed quasi-dyadic Goppa codes. The algebraic attack given in [FOPT10] succeeds in breaking most of the parameters of [BCGO09,MB09]. It makes use of the fact that the underlying codes which are alternant codes come with an algebraic structure. ...
... Although it does not undermine the security of the McEliece scheme, the appearance of algebraic attacks [FOPT10] shows however the importance of finding a better hiding of the structure of the codes. A possible solution would be to change the description of the scheme by inserting some randomness. ...
... A study of the connections between the two distinguishers, namely the "component-wise product of codes" and the operator $\Lambda_i$, is in our opinion a promising research perspective since it could allow us to find a general distinguisher for Goppa codes. We emphasise that Goppa codes are only distinguishable for some particular parameters such as high-rate Goppa codes [FOPT10]. ...
Thesis
Full-text available
Contrary to the cryptosystems based on number theory, the security of cryptosystems based on error-correcting codes appears to be resistant to the emergence of quantum computers. Another advantage of these systems is that encryption and decryption are very fast, about five times faster for encryption and 10 to 100 times faster for decryption compared to the RSA cryptosystem. Nowadays, the interest of the scientific community in code-based cryptography is highly motivated by the latest announcement of the National Institute of Standards and Technology (NIST). They initiated the Post-Quantum Cryptography Project, which aims to define new standards for quantum-resistant cryptography, and fixed the deadline for public key cryptographic algorithm submissions for November 2017. This announcement motivates the study of the security of existing schemes in order to find out whether they are secure. This thesis thus presents several attacks which dismantle several code-based encryption schemes. We started with a cryptanalysis of a modified version of the Sidelnikov cryptosystem proposed by Gueye and Mboup [GM13], which is based on Reed-Muller codes. This modified scheme consists in inserting random columns in the secret generator matrix or parity-check matrix. The cryptanalysis relies on the computation of the square of the public code. The particular nature of Reed-Muller codes, which are defined by means of multivariate binary polynomials, permits to predict the values of the dimensions of the square codes and then to fully recover in polynomial time the secret positions of the random columns. Our work shows that the insertion of random columns in the Sidelnikov scheme does not bring any security improvement. The second result is an improved cryptanalysis of several variants of the GPT cryptosystem, which is a rank-metric scheme based on Gabidulin codes.
We prove that any variant of the GPT cryptosystem which uses a right column scrambler over the extension field, as advocated by the works of Gabidulin et al. [Gab08, GRH09, RGH11] with the goal of resisting Overbeck's structural attack [Ove08], is actually still vulnerable to that attack. We show that by applying the Frobenius operator appropriately on the public key, it is possible to build a Gabidulin code having the same dimension as the original secret Gabidulin code, but with a smaller length. In particular, the code obtained in this way corrects fewer errors than the secret one, but its error correction capability is beyond the number of errors added by a sender, and consequently an attacker is able to decrypt any ciphertext with this degraded Gabidulin code. We also considered the case where an isometric transformation is applied in conjunction with a right column scrambler which has its entries in the extension field. We proved that this protection is useless both in terms of performance and security. Consequently, our results show that all the existing techniques aiming to hide the inherent algebraic structure of Gabidulin codes have failed. To finish, we studied the security of the Faure-Loidreau encryption scheme [FL05], which is also a rank-metric scheme based on Gabidulin codes. Inspired by our previous work and, although the structure of the scheme differs considerably from the classical setting of the GPT cryptosystem, we show that for a range of parameters this scheme is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck's attack on an appropriate public code. As an example, we break in a few seconds parameters with an 80-bit security claim.
Thesis
Full-text available
This thesis deals with the security of several cryptographic protocols based on the theory of error-correcting codes. The first result concerns the security of a modified version of the Sidelnikov cryptosystem, proposed by Gueye and Mboup and based on Reed-Muller codes. We show that inserting random columns into the Sidelnikov scheme brings no improvement in terms of security. The next result is an improved cryptanalysis of several variants of the GPT cryptosystem, which is a rank-metric encryption scheme using Gabidulin codes. We show that by using the Frobenius appropriately on the public code, it is possible to extract from it a Gabidulin code having the same dimension as the secret Gabidulin code but with a smaller length. The code obtained thus corrects fewer errors than the secret code, but its error correction capability exceeds the number of errors added by the sender, and consequently an attacker is able to decrypt any ciphertext using this degraded Gabidulin code. Our results show that, in the end, all existing techniques aiming to hide the algebraic structure of Gabidulin codes have failed. Finally, we studied the security of the Faure-Loidreau encryption scheme, which is also based on Gabidulin codes. Although the structure of this scheme differs considerably from the classical setting of the GPT cryptosystem, we show that this scheme is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck's attack on an appropriate public code.
... The quasi-cyclic or quasi-dyadic Goppa codes could be attacked by an algebraic modeling [FOPT10,GUL09] for the secret key which could be efficiently solved with Gröbner bases techniques, because the added structure allowed the number of unknowns of the algebraic system to be drastically reduced. By trying to solve the same algebraic system in the case of high-rate Goppa codes, it was also found that Gröbner bases techniques behaved very differently when the system corresponds to a Goppa code instead of a random linear code of the same length and dimension. ...
... What can we do with this sequence? The point is that if the degree of the alternant code is small enough, we can compute its support and multiplier by solving a low degree algebraic system related to the algebraic systems considered in [FOPT10,FGO+13]. We will detail this in the particular case where $r = 3$ and show that in this case, solving the system can be performed in polynomial time with Gröbner basis techniques. ...
Preprint
Full-text available
A long-standing open question is whether the distinguisher of high-rate alternant codes or Goppa codes [FGOPT11] can be turned into an algorithm recovering the algebraic structure of such codes from the mere knowledge of an arbitrary generator matrix of it. This would allow to break the McEliece scheme as soon as the code rate is large enough and would break all instances of the CFS signature scheme. We give for the first time a positive answer for this problem when the code is a generic alternant code and when the code field size $q$ is small, $q \in \{2,3\}$, and for all regimes of the other parameters for which the aforementioned distinguisher works. This breakthrough has been obtained by two different ingredients: (i) a way of using code shortening and the component-wise product of codes to derive from the original alternant code a sequence of alternant codes of decreasing degree up to getting an alternant code of degree 3 (with a multiplier and support related to those of the original alternant code); (ii) an original Gröbner basis approach which takes into account the non-standard constraints on the multiplier and support of an alternant code and which recovers in polynomial time the relevant algebraic structure of an alternant code of degree 3 from the mere knowledge of a basis for it.
... In particular, the QC structure summed to the algebraic structure of the underlying codes provides a lot of information to the attacker and opens up the possibility of structural attacks aimed at recovering the private code. The most famous structural attack of this type is known as FOPT [26] and works by solving a multivariate algebraic system with Gröbner bases techniques together with the QC property, which greatly reduces the number of unknowns of the system. As a result, it seems very hard to provide secure schemes which involve QC algebraic codes (Goppa, GRS etc.), while still obtaining an effective key reduction: the recent NIST proposal BIG QUAKE [27] shows a reduction of about 1/4 in the key size compared to what would be obtained in a "classical" McEliece using unstructured binary Goppa codes. ...
... Dyadic matrices, which we have already mentioned in Section 3.2, have been used with some measure of success in cryptography, but always in the context of algebraic codes. The first proposal using quasi-dyadic (QD) Goppa codes [1] was cryptanalyzed [26] almost in its entirety. A later proposal based on generalized Srivastava (GS) codes [44] was designed to be more robust against the previous attack and led to one of the NIST submissions for the key exchange functionality, DAGS [45,46]. ...
Article
Full-text available
Structured linear block codes such as cyclic, quasi-cyclic and quasi-dyadic codes have gained an increasing role in recent years both in the context of error control and in that of code-based cryptography. Some well known families of structured linear block codes have been separately and intensively studied, without searching for possible bridges between them. In this article, we start from well known examples of this type and generalize them into a wider class of codes that we call ℱ-reproducible codes. Some families of ℱ-reproducible codes have the property that they can be entirely generated from a small number of signature vectors, and consequently admit matrices that can be described in a very compact way. We denote these codes as compactly reproducible codes and show that they encompass known families of compactly describable codes such as quasi-cyclic and quasi-dyadic codes. We then consider some cryptographic applications of codes of this type and show that their use can be advantageous for hindering some current attacks against cryptosystems relying on structured codes. This suggests that the general framework we introduce may enable future developments of code-based cryptography.
... After the original proposal of the code-based encryption scheme by McEliece [4], which was based on binary Goppa codes, several variants have been proposed using different codes that allow for smaller keys or more efficient encoding and decoding algorithms, e.g., algebraic geometry (AG) codes [6], generalized Reed-Solomon (GRS) codes [7,8], low-density parity-check (LDPC) codes [9,10], Reed-Muller (RM) codes [11] and low-rank parity-check (LRPC) codes [12], among others. Although the original McEliece cryptosystem remains secure, most of these variants have been successfully cryptanalyzed [13,14,15,16,17]. Despite their promising features, the alternative codes need to be handled carefully due to their excess of structure. ...
... Therefore, it is natural to expect that the dimension of the square code is "as large as possible." In other words, for a randomly chosen linear code R, we expect that inequality (16) is actually an equality with very high probability. ...
Article
Full-text available
Security challenges brought about by the upcoming 5G era should be taken seriously. Code-based cryptography leverages difficult problems in coding theory and is one of the main techniques enabling cryptographic primitives in the postquantum scenario. In this work, we propose the first efficient secure scheme based on polar codes (i.e., polarRLCE ) which is inspired by the RLCE scheme, a candidate for the NIST postquantum cryptography standardization in the first round. In addition to avoiding some weaknesses of the RLCE scheme, we show that, with the proper choice of parameters, using polar codes, it is possible to design an encryption scheme to achieve the intended security level while retaining a reasonably small public key size. In addition, we also present a KEM version of the polarRLCE scheme that can attain a negligible decryption failure rate within the corresponding security parameters. It is shown that our proposal enjoys an apparent advantage to decrease the public key size, especially on the high-security level.
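The square-code (component-wise product) distinguisher that several of the excerpts above rely on can be seen on a toy instance. The following is an added example, not code from any of the cited papers: it builds a GRS code and a random code of the same length and dimension over the prime field GF(31) (a constructed choice; the support, multiplier and dimensions are likewise constructed) and compares the dimensions of their Schur squares.

```python
# Added example (not code from the cited papers): the "square code" distinguisher.
# For a GRS code of dimension k the Schur square C * C has dimension at most 2k-1,
# whereas for a random [n,k] code it is, with high probability, min(n, k(k+1)/2).
# A public code whose square is unexpectedly small therefore betrays GRS-like
# structure. Arithmetic is over the prime field GF(P); P = 31 is a constructed choice.
import random

P = 31


def rank_mod_p(rows, p=P):
    """Rank of a matrix (list of row lists) over GF(p) by Gaussian elimination."""
    m = [[v % p for v in r] for r in rows]
    rank = 0
    ncols = len(m[0]) if m else 0
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)          # modular inverse (Python 3.8+)
        m[rank] = [(v * inv) % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def grs_generator(support, multiplier, k, p=P):
    """Generator matrix of GRS_k(x, y): row i is (y_j * x_j^i)_j for 0 <= i < k.
    The support entries must be distinct and the multipliers nonzero."""
    return [[(y * pow(x, i, p)) % p for x, y in zip(support, multiplier)]
            for i in range(k)]


def random_generator(n, k, p=P, seed=0):
    """A k x n matrix with uniformly random entries (seeded for reproducibility)."""
    rng = random.Random(seed)
    return [[rng.randrange(p) for _ in range(n)] for _ in range(k)]


def schur_square_dim(gen, p=P):
    """Dimension of C * C = span{a * b : a, b in C}, with * the component-wise
    product. Products of pairs of basis rows already span the square."""
    k = len(gen)
    prods = [[(a * b) % p for a, b in zip(gen[i], gen[j])]
             for i in range(k) for j in range(i, k)]
    return rank_mod_p(prods, p)


def distinguish(gen, p=P):
    """Compare dim(C * C) against the generic bound min(n, k(k+1)/2)."""
    n, k = len(gen[0]), len(gen)
    d = schur_square_dim(gen, p)
    verdict = "structured" if d < min(n, k * (k + 1) // 2) else "random-like"
    return d, verdict


if __name__ == "__main__":
    n, k = 20, 6
    support = list(range(1, n + 1))       # 20 distinct nonzero elements of GF(31)
    multiplier = [3] * n                  # any nonzero multipliers will do
    print("GRS    :", distinguish(grs_generator(support, multiplier, k)))  # (11, 'structured')
    print("random :", distinguish(random_generator(n, k)))
```

For the GRS code the square is spanned by the 2k-1 = 11 rows y^2 x^(i+j), so its dimension stays at 11 while the random code's square fills (almost) the whole 20-dimensional ambient space.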
... Goppa codes were originally used by Robert McEliece in his cryptosystem [24] with great decoding performance, but very large keys. Most of the attempts of reducing the key size of Goppa codes resulted in structural vulnerabilities [12]. ...
... Many were the attempts to reduce its key size. Both Goppa derivatives and other families of codes were proposed, but most of them resulted in structural vulnerabilities [12]. In 2000, Monico et al. [26] suggested the use of Low-Density Parity-Check (LDPC) codes [14] in the McEliece cryptosystem. ...
Conference Paper
Full-text available
In this work, we optimize the performance of QC-MDPC code-based cryptosystems through the insertion of configurable failure rates in their arithmetic procedures. We present constant time algorithms with a configurable failure rate for multiplication and inversion over binary polynomials, the two most expensive subroutines used in QC-MDPC implementations. Using a failure rate negligible compared to the security level ($2^{-128}$), our multiplication is 2 times faster than NTL on sparse polynomials and 1.6 times faster than a naive constant-time sparse polynomial multiplication. Our inversion algorithm, based on Wu et al., is 2 times faster than the original algorithm and 12 times faster than Itoh-Tsujii using the same modulus polynomial ($x^{32749} - 1$). By inserting these algorithms in a version of QcBits at the 128-bit quantum security level, we were able to achieve a speedup of 1.9 on the key generation and up to 1.4 on the decryption time. Comparing with variant 2 of the BIKE suite, which also implements the Niederreiter Cryptosystem using QC-MDPC codes, our final version of QcBits performs the uniform decryption 2.7 times faster.
... However, adding quasi-cyclicity to an already structured family of codes introduces too much structure and the system was broken [37]. This idea was then used with other families of quasi-cyclic (or quasi-dyadic) structured codes like Goppa quasi-dyadic [34] or quasi-cyclic alternant codes [7]: these systems lead to much smaller keys, but eventually they were attacked in [13] and even though the idea remains valid, the cryptanalysis of [13] showed that the idea of quasi-cyclic or quasi-dyadic structured codes could not lead to secure public keys of a few thousand bits, but rather to secure keys of a few tens of thousand bits. ...
Preprint
Full-text available
We introduce a new family of rank metric codes: Low Rank Parity Check codes (LRPC), for which we propose an efficient probabilistic decoding algorithm. This family of codes can be seen as the equivalent of classical LDPC codes for the rank metric. We then use these codes to design cryptosystems à la McEliece: more precisely we propose two schemes for key encapsulation mechanism (KEM) and public key encryption (PKE). Unlike rank metric codes used in previous encryption algorithms - notably Gabidulin codes - LRPC codes have a very weak algebraic structure. Our cryptosystems can be seen as an equivalent of the NTRU cryptosystem (and also to the more recent MDPC [MTSB12] cryptosystem) in a rank metric context. The present paper is an extended version of the article introducing LRPC codes, with important new contributions. We have improved the decoder thanks to a new approach which allows for decoding of errors of higher rank weight, namely up to $\frac{2}{3}(n-k)$ when the previous decoding algorithm only decodes up to $\frac{n-k}{2}$ errors. Our codes therefore outperform the classical Gabidulin code decoder which deals with weights up to $\frac{n-k}{2}$. This comes at the expense of probabilistic decoding, but the decoding error probability can be made arbitrarily small. The new approach can also be used to decrease the decoding error probability of previous schemes, which is especially useful for cryptography. Finally, we introduce ideal rank codes, which generalize double-circulant rank codes and allow us to avoid known structural attacks based on folding. To conclude, we propose different parameter sizes for our schemes and we obtain a public key of 3337 bits for key exchange and 5893 bits for public key encryption, both for 128 bits of security.
... Both proposals feature very compact public keys due to the introduction of the extra algebraic structure, but unfortunately this also leads to a vulnerability. Indeed, Faugère, Otmani, Perret and Tillich [25] devised a clever attack (known simply as FOPT) which exploits the algebraic structure to build a system of equations, which can successively be solved using Gröbner bases techniques. As a result, the QC proposal is heavily compromised, while the QD/QM approach needs to be treated with caution. ...
... Solving Systems of Equations. A very effective structural attack was introduced by Faugère, Otmani, Perret and Tillich in [25]. The attack (for convenience referred to as FOPT) relies on the simple property H ·G T = 0 to build an algebraic system, using then Gröbner bases techniques to solve it. ...
Article
Full-text available
Code-based cryptography is one of the main areas of interest for NIST’s Post-Quantum Cryptography Standardization call. In this paper, we introduce DAGS, a Key Encapsulation Mechanism (KEM) based on quasi-dyadic generalized Srivastava codes. The scheme is proved to be IND-CCA secure in both random oracle model and quantum random oracle model. We believe that DAGS will offer competitive performance, especially when compared with other existing code-based schemes, and represent a valid candidate for post-quantum standardization.
... Due to its suffering from the large size of the public key matrix, many variants of the McEliece cryptosystem have been proposed which make the size of the public key matrix smaller than its original form. Unfortunately, most of the proposed cryptosystems have been broken [5,6], whereas the original form is unbreakable until now. ...
... When the errors are fixed, the received message can be decoded [14], using equation (5), which can be written as matrix representation: ...
Article
Full-text available
Side channel attack is the most efficient attack against the original McEliece cryptosystem, especially ball-collision and Bernstein et al. Stern attacks. The modified Stern attack has the ability to break the original McEliece cryptosystem with parameters [1024, 524, 101] in 1400 days with personal computers, while with a 200-CPU cluster the break could be done in 7 days. Ball-collision attacks have a smaller exponent time than the Stern algorithm. This paper will present a modified version of Patterson's decoding algorithm using a new evaluation for finding error locations. This approach gives the sender an opportunity to choose fewer errors than the number identified in the public key without notifying the receiver; therefore, it reduces the probability of the modified Stern attack against the McEliece cryptosystem to (0.02) and increases the exponent time of the ball-collision attack. In this paper the leakage of the proposed implementation has also been measured using a measurement type for possible leakage in Patterson's decoding algorithm suggested by previous work, and we concluded that the designed system has less leakage compared to the previous implementation. The work was done using Visual Studio C#.
... As demonstrated in [6], the use of quasi-cyclic codes does not significantly change the security reduction. However, the key security, which essentially requires that the public key (a generator matrix) does not leak information on the algebraic structure, is more problematic, and quasicyclic codes with algebraic structure may sometimes have vulnerabilities [7]. ...
Preprint
McEliece encryption scheme which enjoys relatively small key sizes as well as a security reduction to hard problems of coding theory. Furthermore, it remains secure against a quantum adversary and is very well suited to low cost implementations on embedded devices. Decoding MDPC codes is achieved with the (iterative) bit flipping algorithm, as for LDPC codes. Variable time decoders might leak some information on the code structure (that is on the sparse parity check equations) and must be avoided. A constant time decoder is easy to emulate, but its running time depends on the worst case rather than on the average case. So far implementations were focused on minimizing the average cost. We show that the tuning of the algorithm is not the same to reduce the maximal number of iterations as for reducing the average cost. This provides some indications on how to engineer the QC-MDPC-McEliece scheme to resist a timing side-channel attack.
... Jean-Charles Faugère proposed two improved variants of Buchberger's algorithm [10,12] and, in a number of works, applied the modified algorithms in cryptanalysis (for example [11,13]). The complexity analysis of both algorithms was published by Bardet et al. only in 2005 [7]. ...
Article
The problem of finding solutions of systems of nonlinear equations in many variables over finite algebraic structures, and of constructing efficient algorithms to find them, is important for many applied problems in a variety of fields, and its relevance grows with time. The security of many existing cryptosystems is based on the hardness of solving systems of nonlinear equations in many variables over finite fields. In the general case this problem is -complete. But there are many cases in which methods faster than exhaustive search can be proposed for such systems. Since the choice of method can substantially reduce the time and resources needed to find the solutions of a system, questions naturally arise about estimating the complexity of different solution methods for systems with different sets of parameters, and about finding special, most efficient methods for a particular class of systems. The article considers the systems of nonlinear equations in many variables over the finite field that are most important for cryptography and cryptanalysis. The subject of the study is a comparative analysis of the complexity of the linearization method with the introduction of new variables for solving systems of nonlinear equations over the field in many unknowns, and of the exhaustive search method, depending on the parameters of the system. The aim of the work is to obtain average complexity estimates for the methods and to find the boundary, in the parameter region of an overdetermined consistent system of equations, that makes it possible to choose the faster and more efficient of the two methods. Probabilistic models are proposed for obtaining theoretical asymptotic estimates of the average complexity of the methods, and a series of statistical experiments is carried out to obtain average estimates by the Monte Carlo method. It is shown that there is a boundary in the parameter region, depending primarily on the ratio of the maximum degree of the system's equations to the number of unknowns, which determines when the linearization method works better than exhaustive search.
Theoretical and experimental data are used to construct this boundary. An analytical expression for the dividing line in the parameter region of the system is obtained using the least-squares method.
... One option may be to use codes with symmetries, like cyclic or quasi-cyclic codes (see for example [3]). However, since decoding of general quasi-cyclic codes is difficult, the algebraic structure that one needs to add may also reveal to be a weakness of the system (see for example [14]). ...
... To overcome this issue, researchers have thoroughly investigated the possibility of replacing Goppa codes with other error correcting codes, and/or that of adding some geometrical structure to the employed codes, which may enable a more compact code representation. However, the majority of such attempts were unsuccessful, either because of algebraic attacks (such as [14,36]), structural attacks (such as [3,13,23]), or a combination of them [18]. While algebraic code structures proved more difficult to hide and have led to unbroken instances with moderate advantages in terms of public key size [9,22], more important reductions in the key size can be achieved by resorting to random-based structured codes like Quasi-Cyclic Moderate-Density Parity-Check (QC-MDPC) codes [4,28], which derive from the well-known family of Quasi-Cyclic Low-Density Parity-Check (QC-LDPC) codes [6]. ...
Chapter
Quasi-Cyclic Moderate-Density Parity-Check (QC-MDPC) codes are receiving increasing attention for their advantages in the context of post-quantum asymmetric cryptography based on codes. However, a fundamentally open question concerns modeling the performance of their decoders in the region of a low decoding failure rate (DFR). We provide two approaches for bounding the performance of these decoders, and study their asymptotic behavior. We first consider the well-known Maximum Likelihood (ML) decoder, which achieves optimal performance and thus provides a lower bound on the performance of any sub-optimal decoder. We provide lower and upper bounds on the performance of ML decoding of QC-MDPC codes and show that the DFR of the ML decoder decays polynomially in the QC-MDPC code length when all other parameters are fixed. Secondly, we analyze some hard to decode error patterns for Bit-Flipping (BF) decoding algorithms, from which we derive some lower bounds on the DFR of BF decoders applied to QC-MDPC codes.
Keywords: QC-MDPC codes; Decoding failure rate; Bit-Flipping decoder; Maximum likelihood decoder; Error floor; Post-quantum cryptography; Code-based cryptography
... The idea of using quasi-cyclic (QC) codes in cryptography was first stated by Gaborit in [Gab05] using subcodes of BCH codes, but was attacked in [OTD08]. Quasi-cyclic alternant codes were proposed in [BCGO09], but an attack was proposed in [FOPT10]. This shows that the quasi-cyclic structure can create some weakness if applied to the wrong family of codes, especially when used with algebraic codes. ...
Thesis
Today, most public-key cryptosystems used to ensure the privacy and authenticity of communications rely on the hardness of number theoretic problems. For instance, the security of the RSA algorithm is based on the fact that factoring a product of large prime numbers is computationally hard. However, in 1994, Shor proposed an algorithm to efficiently solve this problem using a quantum computer. Large-scale quantum computers do not exist yet, but this could change within the next decades. Therefore, we need new public-key cryptosystems that resist quantum attacks. This is known as post-quantum cryptography. In 2017, the American National Institute of Standards and Technology (NIST) invited researchers to submit proposals for the standardisation of post-quantum cryptographic algorithms. One promising solution is to design cryptosystems based on the hardness of decoding error-correcting codes. A significant proportion of cryptosystems submitted to the NIST use this approach. In this thesis, we propose an analysis of different code-based post-quantum cryptosystems. First, we study the case of QC-MDPC codes and show that one can recover the private key by observing the syndrome weight or the number of iterations of the decoding algorithm. Then, we propose key-recovery attacks exploiting the structure of three cryptosystems: Edon-K, RLCE and XGRS. Finally, we study the hardness of the general decoding problem for ternary codes, in the large weight setting, which is used in the Wave signature scheme.
... In [9], the authors proposed the family of quasi-dyadic Goppa codes, which admit a very compact representation of parity-check or generator matrix, for efficiently designing syndrome-based cryptosystems. However, the authors in [10] mounted an efficient key-recovery attack against this variant for almost all the proposed parameters. ...
Preprint
Full-text available
This paper presents two public-key cryptosystems based on the so-called expanded Gabidulin codes, which are constructed by expanding Gabidulin codes over the base field. Exploiting the fast decoder of Gabidulin codes, we propose an efficient algorithm to decode these new codes when the noise vector satisfies a certain condition. Additionally, these new codes have an excellent error-correcting capability because of the optimality of their parent Gabidulin codes. Based on different masking techniques, we give two encryption schemes by using expanded Gabidulin codes in the McEliece setting. According to our analysis, these two cryptosystems can both resist the existing structural attacks. Furthermore, our proposals also have an obvious advantage in public-key representation without using the cyclic or quasi-cyclic structure compared to some other code-based cryptosystems. To achieve the security of 256 bits, for instance, a public-key size of 37005 bytes is enough for our first proposal, while around 1044992 bytes are needed for Classic McEliece selected as a candidate of the third round of the NIST PQC project.
... Many techniques were proposed in order to reduce the key size of Goppa codes. Misoczki and Barreto [Misoczki and Barreto 2009] proposed a dyadic structure, but although they successfully presented a viable small-key alternative with just 20Kb, it resulted in structural vulnerabilities [Faugere et al. 2010]. ...
Conference Paper
Full-text available
QcBits is a state-of-the-art constant-time implementation of a code-based encryption scheme for post-quantum public key cryptography. This paper presents an optimized version of its decoding process, which is used for message decryption. Our implementation leverages SSE and AVX instructions extensions and performs 3.6 to 4.8 times faster than the original version, while preserving the 80-bit security level and constant time execution. We also provide experimental data that indicates a further 1.4-factor speedup supposing the existence of instructions for vectorial conditional moves and 256-bit register shifts. Finally, we implemented countermeasures for side-channel security and showed that they do not affect the overall performance.
... These three tags are used in different applications. Semi-passive tags are mainly used in applications such as alarm systems, thermostats, etc. Active tags are used in applications meant for animal or person tracking, health care systems, etc. Supply chain management, smart cards, etc. are some applications of passive tags [14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29]. ...
Chapter
Full-text available
Interconnection of devices through Radio Frequency IDentification (RFID) brings enormous applications that are increasing constantly day by day. Due to the rapid growth of such applications, security of RFID networks becomes crucial and is a major challenge. Classical or lightweight cryptography primitives and protocols are the solutions to enhance the security standards in such networks. Authentication protocols are one of the important security protocols required to be integrated before exchange of secured information. This work surveyed the recently developed authentication protocols. Further, classifications, security challenges, and attack analysis are explored. A comparative analysis of different types of authentication protocols explains their applications in resourceful and resource constraint Internet of Things (IoT). Authentication protocols are categorized into: symmetric, asymmetric, lightweight, ultra-lightweight and group protocols. Symmetric and asymmetric protocols are more suitable for resourceful devices whereas lightweight and ultra-lightweight protocols are designed for resource constraint devices. Security and cost analysis shows that asymmetric protocols provide higher security than any other protocol at a reasonable cost. However, lightweight authentication protocols are suitable for passive RFID devices but do not provide full security.
... For some special subclasses of Goppa codes, namely quasi-dyadic and quasi-cyclic Goppa codes, there exist successful algebraic attacks which take advantage of the particular structure of the code [9]. But apart from these subclasses, binary (irreducible) Goppa codes still appear to resist structural attacks. ...
Article
A fault injection framework for the decryption algorithm of the Niederreiter public-key cryptosystem using binary irreducible Goppa codes and classical decoding techniques is described. In particular, we obtain low-degree polynomial equations in parts of the secret key. For the resulting system of polynomial equations, we present an efficient solving strategy and show how to extend certain solutions to alternative secret keys. We also provide estimates for the expected number of required fault injections, apply the framework to state-of-the-art security levels, and propose countermeasures against this type of fault attack.
... One option may be to use codes with symmetries, like cyclic or quasi-cyclic codes (see for example [3]). However, since decoding of general quasi-cyclic codes is difficult, the algebraic structure that one needs to add may also reveal to be a weakness of the system (see for example [14]). ...
Preprint
Full-text available
Dihedral codes, particular cases of quasi-cyclic codes, have a nice algebraic structure which allows to store them efficiently. In this paper, we investigate it and prove some lower bounds on their dimension and minimum distance, in analogy with the theory of BCH codes. This allows us to construct dihedral codes with prescribed minimum distance. In the binary case, we present some examples of optimal dihedral codes obtained by this construction.
... For instance, BIG QUAKE [2] and Classic McEliece [8] (both are unbroken candidates for the NIST standardization call on postquantum cryptography) use alternant codes with a length and dimension of several thousands, while in the proposed parameters for the TRS codes, we have n = 255 and k = 117 with a field size $q_0 = 2^8$. Algebraic attacks as developed in [12,13] should then be considered as a potential threat. One should also mention the recent attack on the cryptosystem DAGS [1] based on alternant codes, performed by Barelli and Couvreur [3]. ...
Article
Full-text available
Twisted Reed–Solomon (TRS) codes are a family of codes that contains a large number of maximum distance separable codes that are non-equivalent to Reed–Solomon codes. TRS codes were recently proposed as an alternative to Goppa codes for the McEliece code-based cryptosystem, resulting in a potential reduction of key sizes. The use of TRS codes in the McEliece cryptosystem has been motivated by the fact that a large subfamily of TRS codes is resilient to a direct use of known algebraic key-recovery methods. In this paper, an efficient key-recovery attack on the TRS variant that was used in the McEliece cryptosystem is presented. The algorithm exploits a new approach based on recovering the structure of a well-chosen subfield subcode of the public code. It is proved that the attack always succeeds and breaks the system for all practical parameters in $O(n^4)$ field operations. A software implementation of the algorithm retrieves a valid private key from the public key within a few minutes, for parameters claiming a security level of 128 bits. The success of the attack also indicates that, contrary to common beliefs, subfield subcodes of the public code need to be precisely analyzed when proposing a McEliece-type code-based cryptosystem. Finally, the paper discusses an attempt to repair the scheme and a modification of the attack aiming at Gabidulin–Paramonov–Tretjakov cryptosystems based on twisted Gabidulin codes.
... For some special subclasses of Goppa codes, namely quasi-dyadic and quasi-cyclic Goppa codes, there exist successful algebraic attacks which take advantage of the particular structure of the code [9]. But apart from these subclasses, binary (irreducible) Goppa codes still appear to resist structural attacks. ...
Preprint
Full-text available
A fault injection framework for the decryption algorithm of the Niederreiter public-key cryptosystem using binary irreducible Goppa codes and classical decoding techniques is described. In particular, we obtain low-degree polynomial equations in parts of the secret key. For the resulting system of polynomial equations, we present an efficient solving strategy and show how to extend certain solutions to alternative secret keys. We also provide estimates for the expected number of required fault injections, apply the framework to state-of-the-art security levels, and propose countermeasures against this type of fault attack.
... Furthermore, [51] proved that this does not alter the security proof in its essentials. However, [52] introduced an algebraic technique that shows that some instances of this compact-key approach can be broken in negligible time. ...
Preprint
Full-text available
Advances in quantum computing make Shor's algorithm for factorising numbers ever more tractable. This threatens the security of any cryptographic system which often relies on the difficulty of factorisation. It also threatens methods based on discrete logarithms, such as with the Diffie-Hellman key exchange method. For a cryptographic system to remain secure against a quantum adversary, we need to build methods based on a hard mathematical problem, which are not susceptible to Shor's algorithm and which create Post Quantum Cryptography (PQC). While high-powered computing devices may be able to run these new methods, we need to investigate how well these methods run on limited powered devices. This paper outlines an evaluation framework for PQC within constrained devices, and contributes to the area by providing benchmarks of the front-running algorithms on a popular single-board low-power device.
... A concrete way of solving this problem is to employ codes described by matrices with a Quasi-Cyclic (QC) structure, which result in public-key sizes growing linearly in the code length. However, employing QC algebraic codes has proven to be a security issue, as the additional structure given by the quasi-cyclicity allows an attacker to deduce the underlying structure of the secret code [11]. By contrast, code families obtained from a random sparse parity-check matrix do not suffer from the same problem, and have led to the successful proposal of Quasi-Cyclic Low-Density Parity-Check (QC-LDPC) codes or Quasi-Cyclic Moderate-Density Parity-Check (QC-MDPC) codes [3,17] as code families to build a secure and efficient instance of either the McEliece or the Niederreiter cryptosystem. ...
Preprint
Full-text available
Characterizing the decoding failure rate of iteratively decoded Low- and Moderate-Density Parity Check (LDPC/MDPC) codes is paramount to build cryptosystems based on them, able to achieve indistinguishability under adaptive chosen ciphertext attacks. In this paper, we provide a statistical worst-case analysis of our proposed iterative decoder obtained through a simple modification of the classic in-place bit-flipping decoder. This worst case analysis allows both to derive the worst-case behaviour of an LDPC/MDPC code picked among the family with the same length, rate and number of parity checks, and a code-specific bound on the decoding failure rate. The former result allows us to build a code-based cryptosystem enjoying the $\delta$-correctness property required by IND-CCA2 constructions, while the latter result allows us to discard code instances which may have a decoding failure rate significantly different from the average one (i.e., representing weak keys), should they be picked during the key generation procedure.
... Many techniques were proposed in order to reduce the key size of Goppa codes. Misoczki and Barreto, 17 for example, proposed a dyadic structure; however, although they successfully presented a viable small-key alternative, with just 20 Kb, it resulted in structural vulnerabilities.18 ...
Article
Full-text available
This paper presents a new enhanced version of the QcBits key encapsulation mechanism, which is a constant‐time implementation of the Niederreiter cryptosystem using QC‐MDPC codes. In this version, we updated the implementation parameters to meet the 128‐bit quantum security level, replaced some of the core algorithms to avoid using slower instructions, vectorized the entire code using the AVX‐512 instruction set extension, and applied several other techniques to achieve a competitive performance level. Our implementation takes 928, 259, and 5008 thousand Skylake cycles to perform batch key generation (cost per key), encryption, and uniform decryption, respectively. Comparing with the current state‐of‐the‐art implementation for QC‐MDPC codes, BIKE, our code is 1.9 times faster when decrypting messages.
... Besides multivariate cryptography, the security of a wide variety of cryptosystems is related to $\mathrm{MQ}_2$, via algebraic cryptanalysis [30]. This includes post-quantum cryptosystems [6] such as code-based cryptography [19,18], lattice-based cryptography [2,1], . . . ...
Article
In August 2015 the cryptographic world was shaken by a sudden and surprising announcement by the US National Security Agency NSA concerning plans to transition to post-quantum algorithms. Since this announcement post-quantum cryptography has become a topic of primary interest for several standardization bodies. The transition from the currently deployed public-key algorithms to post-quantum algorithms has been found to be challenging in many aspects. In particular the problem of evaluating the quantum-bit security of such post-quantum cryptosystems remains vastly open. Of course this question is of primary concern in the process of standardizing the post-quantum cryptosystems. In this paper we consider the quantum security of the problem of solving a system of m Boolean multivariate quadratic equations in n variables (Boolean MQ); a central problem in post-quantum cryptography. When n=m, under a natural algebraic assumption, we present a Las-Vegas quantum algorithm solving Boolean MQ that requires the evaluation of, on average, $O(2^{0.462n})$ quantum gates. To our knowledge this is the fastest algorithm for solving Boolean MQ.
... For example, Minder and Shokrollahi [25] introduced an algebraic attack against the scheme based on the Reed-Muller codes [31]. Faugère et al. [14] have broken some systems based on quasi cyclic or quasi-dyadic structures (except the binary case of [26]). There are encryption systems based on QC-LDPC codes that are still secure [1,2,3,5]. ...
Article
In this article, the authors propose a new version of the McEliece cryptosystem based on the Smith form of convolutional codes. They use the Smith form to hide a part of the code in the public matrix, and they leave the other part secret. The secret part will then be used for decryption. They hide this part by multiplying it on the left by a random matrix, and they add a random matrix which has a few conditions. Their scheme has a small public key size compared to the original McEliece scheme and resists the unique decoding attack against convolutional structure presented at the conference PQCrypto 2013 by Landais and Tillich. Further, the exhaustive search attack is infeasible on their system.
... [44] and the best performing attacks are based on information set decoding. In addition, due to algebraic attacks against Goppa codes [45,46] the rate * = * / cannot be close to one and the degree of the Goppa polynomial has to satisfy ≥ min , where min is the smallest integer satisfying ( −(2 +1) + 2 )/2 ≥ − , where = ⌈log 2 ⌉ and = ⌈log 2 ⌉ + 1 [47]. Choosing * ≈ 0.8 maximizes the complexity of information set decoding attacks [44]. ...
Article
Full-text available
A distributed storage system (DSS) is a fundamental building block in many distributed applications. It applies linear network coding to achieve an optimal tradeoff between storage and repair bandwidth when node failures occur. Additively homomorphic encryption is compatible with linear network coding. The homomorphic property ensures that a linear combination of ciphertext messages decrypts to the same linear combination of the corresponding plaintext messages. In this paper, we construct a linearly homomorphic symmetric encryption scheme that is designed for a DSS. Our proposal provides simultaneous encryption and error correction by applying linear error correcting codes. We show its IND-CPA security for a limited number of messages based on binary Goppa codes and the following assumption: when dividing a scrambled generator matrix Ĝ into two parts Ĝ₁ and Ĝ₂, it is infeasible to distinguish Ĝ₂ from random and to find a statistical connection between Ĝ₁ and Ĝ₂. Our infeasibility assumptions are closely related to those underlying the McEliece public key cryptosystem but are considerably weaker. We believe that the proposed problem has independent cryptographic interest.
Article
Full-text available
The McEliece cryptosystem based on quasi-cyclic moderate-density parity-check codes with adaptive chosen-ciphertext attack conversion is secure against information set decoding and message-resend attacks. However, it is vulnerable to reaction-based key recovery attacks and cannot be implemented over a noisy channel. To overcome this problem, we propose an improved McEliece cryptosystem based on quasi-cyclic quasi moderate-density parity-check (QC-QMDPC) codes. In this cryptosystem, a stamp generation function based on a pseudorandom sequence is designed to resist the message-resend attack. The random channel noise is employed to enhance security. Furthermore, the upper bound of the density of QC-QMDPC codes is proved for optimal efficiency. An index-based storage technique is proposed so that the key size can be reduced to approximately four times the code length. The encoding and decoding algorithms are optimized to reduce the computational cost on the hardware platform. We analyze the performance of the proposed cryptosystem and compare it with other McEliece cryptosystems. The results show that the proposed cryptosystem is secure against critical attacks while keeping high error correction ability and efficiency.
Preprint
Full-text available
This paper presents a new family of linear codes, namely the expanded Gabidulin codes. Exploiting the existing fast decoder of Gabidulin codes, we propose an efficient algorithm to decode these new codes when the noise vector satisfies a certain condition. Furthermore, these new codes enjoy an excellent error-correcting capability because of the optimality of their parent Gabidulin codes. Based on different masking techniques, we give two encryption schemes using expanded Gabidulin codes in the McEliece setting. According to our analysis, both cryptosystems can resist the existing structural attacks. Our proposals have an obvious advantage in public-key representation without using a cyclic or quasi-cyclic structure, compared to some other code-based cryptosystems.
Thesis
Error-correcting codes are tools whose original function is to correct the errors produced by imperfect communication channels. In a non-cooperative context, the problem arises of recognizing unknown codes from the sole knowledge of noisy codewords. This problem can be difficult for certain families of codes, notably LDPC codes, which are very present in our modern telecommunication systems. In this thesis, we propose new techniques to recognize these codes more easily. At the end of the 1970s, McEliece had the idea of diverting codes from their primary function in order to use them in encryption schemes, thereby initiating a family of cryptographic solutions alternative to those founded on number theory. One of the advantages of code-based cryptography is that it appears to resist the quantum computing paradigm, notably thanks to the robustness of the generic decoding problem. The latter has been studied in depth over the last 60 years. The latest improvements all use algorithms that search for pairs of close points in a list. In this thesis, we improve generic decoding, in particular by proposing a new way of searching for close pairs. Our method relies on list decoding of polar codes to build fuzzy hash functions. In this manuscript, we also address the search for pairs of distant points. Our solution can be used to improve decoding at large distances, which has recently found applications in signature designs.
Article
Full-text available
For a subspace W of a vector space V of dimension n, the Schur-product space $W^{\langle k \rangle}$ for $k \in \mathbb{N}$ is defined to be the span of all vectors formed by the component-wise multiplication of k vectors in W. It is well known that repeated applications of the Schur product to the subspace W create subspaces $W, W^{\langle 2 \rangle}, W^{\langle 3 \rangle}, \ldots$ whose dimensions are monotonically non-decreasing. However, quantifying the structure and growth of such spaces remains an important open problem with applications to cryptography and coding theory. This paper characterizes how increasing powers of constacyclic codes grow under the Schur product and gives necessary and sufficient criteria for when powers of the code and/or the dimension of the code are invariant under the Schur product.
Chapter
In this paper we introduce a code-based cryptosystem using quasi-cyclic generalized subspace subcodes of Generalized Reed-Solomon codes in order to reduce the public key size. In our scheme the underlying Generalized Reed-Solomon code is not secret, so classical attacks such as the square code or folding attacks no longer apply to it. In addition, one part of the security of this scheme is based on hard problems in coding theory such as the Equivalence Subcodes (ES) Problem. We propose some parameters to reach security levels of at least 128 and 192 bits. We make a public key size comparison with some well established code-based public key encryption schemes. We also see that for the 128-bit security level the key sizes of our proposals are often better than those of the code-based schemes in competition for NIST's second round.
Chapter
The DAGS scheme is a key encapsulation mechanism (KEM) based on quasi-dyadic alternant codes that was submitted to the NIST standardization process for a quantum-resistant public key algorithm. Recently an algebraic attack was devised by Barelli and Couvreur (Asiacrypt 2018) that efficiently recovers the private key. It shows that DAGS can be totally cryptanalysed by solving a system of bilinear polynomial equations. However, some sets of DAGS parameters were not broken in practice. In this paper we improve the algebraic attack by showing that the original approach was not optimal in terms of the ratio of the number of equations to the number of variables. Contrary to the common belief that reducing at any cost the number of variables in a polynomial system is always beneficial, we actually observed that, provided that the ratio is increased and up to a threshold, the solving can be heavily improved by adding variables to the polynomial system. This enables us to recover the private keys in a few seconds. Furthermore, our experiments also show that the maximum degree reached during the computation of the Gröbner basis is an important parameter that explains the efficiency of the attack. Finally, the authors of DAGS updated the parameters to take into account the algebraic cryptanalysis of Barelli and Couvreur. In the present article, we propose a hybrid approach that performs an exhaustive search on some variables and computes a Gröbner basis on the polynomial system involving the remaining variables. We then show that the updated set of parameters corresponding to 128-bit security can be broken with $2^{83}$ operations.
Article
Full-text available
The QC-MDPC McEliece scheme was considered one of the most promising public key encryption schemes for efficient post-quantum secure encryption. As a variant of the McEliece scheme, it is based on the syndrome decoding problem, which is a hard problem from coding theory. Its key sizes are competitive with those of the widely used RSA cryptosystem, and it came with an apparently strong security reduction. For three years the scheme did not suffer major threats, until the end of 2016, at Asiacrypt, when Guo, Johansson, and Stankovski presented a reaction attack on QC-MDPC that exploits one aspect that was not considered in the security reduction: the probability of a decoding failure is lower when the secret key and the error used for encryption share certain properties. Recording the decoding failures, the attacker obtains information about the secret key and then uses the information gathered to reconstruct the key. Guo et al. presented an algorithm for key reconstruction for which we can point out two weaknesses. The first is that it cannot deal with partial information about the secret key, resulting in the attacker having to send a large number of decoding challenges. The second is that it does not scale well for higher security levels. To improve the attack, we propose a key reconstruction algorithm that runs faster than Guo et al.'s algorithm, even while using around 20% fewer interactions with the secret key holder than their algorithm, considering parameters suggested for 80 bits of security. It also has a lower asymptotic complexity, which makes it scale much better for higher security parameters. The algorithm can be parallelized straightforwardly, which is not the case for the one by Guo et al.
Article
Full-text available
Multiplications in GF(2^N) can be securely optimized for cryptographic applications when the integer N is small and does not match machine words (i.e., N < 32). In this paper, we present a set of optimizations applied to DAGS, a code-based post-quantum cryptographic algorithm and one of the submissions to the National Institute of Standards and Technology's (NIST) Post-Quantum Cryptography (PQC) standardization call.
Conference Paper
Full-text available
The aim of this paper is to classify the fuzzy subgroups of the alternating group. First, an equivalence relation on the set of all fuzzy subgroups of a group G is defined. Without any equivalence relation on the fuzzy subgroups of a group G, the number of fuzzy subgroups is infinite, even for the trivial group. Explicit formulas for the number of distinct fuzzy subgroups of the finite alternating group are obtained in the particular case n = 5. Some inequalities satisfied by this number are also established for n ≥ 5.
Article
Code-based cryptography is one of the few mathematical techniques that enables the construction of public-key cryptosystems that are secure against an adversary equipped with a quantum computer. The McEliece public-key encryption scheme and its variants are candidates for a postquantum public-key encryption standard.
Article
Full-text available
Most of the codes that have an algebraic decoding algorithm are derived from Reed-Solomon codes. They are obtained by taking equivalent codes, for example the generalized Reed-Solomon codes, or by using the so-called subfield subcode method, which leads to alternant codes and Goppa codes over the underlying prime field, or over some intermediate subfield. The main advantage of these constructions is to preserve both the minimum distance and the decoding algorithm of the underlying Reed-Solomon code. In this paper, we propose a generalization of the subfield subcode construction by introducing the notion of subspace subcodes, and a generalization of the equivalence of codes which leads to the notion of generalized subspace subcodes. When the dimension of the selected subspaces is equal to one, we show that our approach gives exactly the family of codes obtained by the equivalence and subfield subcode techniques. However, our approach highlights the links between the subfield subcode of a code defined over an extension field and the operation of puncturing the q-ary image of this code. When the dimension of the subspaces is greater than one, we obtain codes whose alphabet is no longer a finite field but a set of r-tuples. We explain why these codes are practically as efficient for applications as codes defined over an extension of degree r. In addition, they make it possible to obtain decodable codes over a large alphabet with parameters that were previously inaccessible. As an application, we give some examples that can be used in public key cryptosystems such as McEliece.