Alain Couvreur,Ilaria Zappatore

2023-06-26

Abstract:In this article, we discuss the decoding of Gabidulin and related codes from a cryptographic point of view, and we observe that these codes can be decoded solely from the knowledge of a generator matrix. We then extend and revisit Gibson and Overbeck attacks on the generalized GPT encryption scheme (instantiated with the Gabidulin code) for different ranks of the distortion matrix. We apply our attack to the case of an instantiation with twisted Gabidulin codes.

Cryptography and Security,Information Theory,Rings and Algebras

Zhe Sun,Jincheng Zhuang,Zimeng Zhou,Fang-Wei Fu

DOI: https://doi.org/10.1016/j.tcs.2024.114480

IF: 1.002

2024-02-01

Theoretical Computer Science

Abstract:This paper presents a new McEliece-type cryptosystem using Gabidulin-Kronecker product codes in the rank metric. The contributions of this paper are as follows. Firstly, we propose a new Gabidulin-Kronecker product code which is a kind of block circulant code, and give an efficient decoding algorithm. Secondly, we design a one-way secure public key encryption scheme based on the Gabidulin-Kronecker product codes. Thirdly, we obtain an IND-CCA2 secure public key encryption scheme by converting our one-way secure public key encryption scheme under the hardness assumption of the RSD Dual Problem. In terms of efficiency, our scheme has a smaller public key size by taking advantage of the block circulant structure. For 128-bit security, the public key size of our proposal is 13% of Lau-Tan's cryptosystem (in the rank metric), and 19% of BIKE (in the Hamming metric). In terms of security, our scheme can resist Overbeck attack, Coggia-Couvreur attack and Sendrier attack.

computer science, theory & methods

Sabira El Khalfaoui,Mathieu Lhotel,Jade Nardi

2023-04-14

Abstract:In this paper, we introduce a family of codes that can be used in a McEliece cryptosystem, called Goppa--like AG codes. These codes generalize classical Goppa codes and can be constructed from any curve of genus $\mathfrak{g} \geq 0$. Focusing on codes from $C_{a,b}$ curves, we study the behaviour of the dimension of the square of their dual to determine their resistance to distinguisher attacks similar to the one for alternant and Goppa codes developed by Mora and Tillich. We also propose numerical experiments to measure how sharp is our bound.

Information Theory,Algebraic Geometry

Herve Tale Kalachi

DOI: https://doi.org/10.48550/arXiv.2010.15678

2020-10-28

Abstract:This paper describes a new algorithm for breaking the smart approach of the GPT cryptosystem. We show that by puncturing the public code several times on specific positions, we get a public code on which applying the Frobenius operator appropriately allows to build an alternative secret key.

Cryptography and Security

Alain Couvreur,Rocco Mora,Jean-Pierre Tillich

2023-08-24

Abstract:We bring in here a novel algebraic approach for attacking the McEliece cryptosystem. It consists in introducing a subspace of matrices representing quadratic forms. Those are associated with quadratic relationships for the component-wise product in the dual of the code used in the cryptosystem. Depending on the characteristic of the code field, this space of matrices consists only of symmetric matrices or skew-symmetric matrices. This matrix space is shown to contain unusually low-rank matrices (rank $2$ or $3$ depending on the characteristic) which reveal the secret polynomial structure of the code. Finding such matrices can then be used to recover the secret key of the scheme. We devise a dedicated approach in characteristic $2$ consisting in using a Gröbner basis modeling that a skew-symmetric matrix is of rank $2$. This allows to analyze the complexity of solving the corresponding algebraic system with Gröbner bases techniques. This computation behaves differently when applied to the skew-symmetric matrix space associated with a random code rather than with a Goppa or an alternant code. This gives a distinguisher of the latter code family. We give a bound on its complexity which turns out to interpolate nicely between polynomial and exponential depending on the code parameters. A distinguisher for alternant/Goppa codes was already known [FGO+11]. It is of polynomial complexity but works only in a narrow parameter regime. This new distinguisher is also polynomial for the parameter regime necessary for [FGO+11] but contrarily to the previous one is able to operate for virtually all code parameters relevant to cryptography. Moreover, we use this matrix space to find a polynomial time attack of the McEliece cryptosystem provided that the Goppa code is distinguishable by the method of [FGO+11] and its degree is less than $q-1$, where $q$ is the alphabet size of the code.

Cryptography and Security

Marco Baldi

DOI: https://doi.org/10.3233/978-1-60750-002-5-160

2009-01-11

Abstract:The McEliece cryptosystem is a public-key cryptosystem based on coding theory that has successfully resisted cryptanalysis for thirty years. The original version, based on Goppa codes, is able to guarantee a high level of security, and is faster than competing solutions, like RSA. Despite this, it has been rarely considered in practical applications, due to two major drawbacks: i) large size of the public key and ii) low transmission rate. Low-Density Parity-Check (LDPC) codes are state-of-art forward error correcting codes that permit to approach the Shannon limit while ensuring limited complexity. Quasi-Cyclic (QC) LDPC codes are a particular class of LDPC codes, able to join low complexity encoding of QC codes with high-performing and low-complexity decoding of LDPC codes. In a previous work it has been proposed to adopt a particular family of QC-LDPC codes in the McEliece cryptosystem to reduce the key size and increase the transmission rate. Recently, however, new attacks have been found that are able to exploit a flaw in the transformation from the private key to the public one. Such attacks can be effectively countered by changing the form of some constituent matrices, without altering the system parameters. This work gives an overview of the QC-LDPC codes-based McEliece cryptosystem and its cryptanalysis. Two recent versions are considered, and their ability to counter all the currently known attacks is discussed. A third version able to reach a higher security level is also proposed. Finally, it is shown that the new QC-LDPC codes-based cryptosystem scales favorably with the key length.

Information Theory

Wenshuo Guo,Fangwei Fu

DOI: https://doi.org/10.48550/arXiv.2104.02254

2021-04-06

Abstract:This paper presents two modifications for Loidreau's code-based cryptosystem. Loidreau's cryptosystem is a rank metric code-based cryptosystem constructed by using Gabidulin codes in the McEliece setting. Recently a polynomial-time key recovery attack was proposed to break Loidreau's cryptosystem in some cases. To prevent this attack, we propose the use of subcodes to disguise the secret codes in Modification \Rmnum{1}. In Modification \Rmnum{2}, we choose a random matrix of low column rank over $\mathbb{F}_q$ to mix with the secret matrix. According to our analysis, these two modifications can both resist the existing structural attacks. Additionally, we adopt the systematic generator matrix of the public code to make a reduction in the public-key size. In additon to stronger resistance against structural attacks and more compact representation of public keys, our modifications also have larger information transmission rates.

Information Theory

Terry Shue Chien Lau,Zhe Sun,Sook-Chin Yip,Ji-Jian Chin,Choo-Yee Ting

2024-10-09

Abstract:This paper is a preliminary study on the security and design of cryptosystems using Gabidulin-Kronecker Product Codes. In particular, we point out the design impracticality of the system, and propose ways to improve it.

Cryptography and Security

Ayoub Otmani,Jean-Pierre Tillich,Leonard Dallot

DOI: https://doi.org/10.48550/arXiv.0804.0409

2010-01-04

Abstract:We cryptanalyse here two variants of the McEliece cryptosystem based on quasi-cyclic codes. Both aim at reducing the key size by restricting the public and secret generator matrices to be in quasi-cyclic form. The first variant considers subcodes of a primitive BCH code. We prove that this variant is not secure by finding and solving a linear system satisfied by the entries of the secret permutation matrix. The other variant uses quasi-cyclic low density parity-check codes. This scheme was devised to be immune against general attacks working for McEliece type cryptosystems based on low density parity-check codes by choosing in the McEliece scheme more general one-to-one mappings than permutation matrices. We suggest here a structural attack exploiting the quasi-cyclic structure of the code and a certain weakness in the choice of the linear transformations that hide the generator matrix of the code. Our analysis shows that with high probability a parity-check matrix of a punctured version of the secret code can be recovered in cubic time complexity in its length. The complete reconstruction of the secret parity-check matrix of the quasi-cyclic low density parity-check codes requires the search of codewords of low weight which can be done with about $2^{37}$ operations for the specific parameters proposed.

Cryptography and Security,Discrete Mathematics

Paulo Almeida,Miguel Beltrá,Diego Napp,Cláudia Sebastião

2023-12-11

Abstract:In this paper we present a variant of the McEliece cryptosystem that possesses several interesting properties, including a reduction of the public key for a given security level. In contrast to the classical McEliece cryptosystems, where block codes are used, we propose the use of a convolutional encoder to be part of the public key. The permutation matrix is substituted by a polynomial matrix whose coefficient matrices have columns with weight zero or at least weight two. This allows the use of Generalized Reed-Solomon (GRS) codes which translates into shorter keys for a given security level. Hence, the private key is constituted by a generator matrix of a GRS code and two polynomial matrices containing large parts generated completely at random. In this setting the message is a sequence of messages instead of a single block message and the errors are added throughout the sequence. We discuss possible structural and ISD attacks to this scheme. We conclude presenting the key sizes obtained for different parameters and estimating the computational cost of encryption and decryption process.

Information Theory

Rocco Mora

DOI: https://doi.org/10.3934/amc.2024026

2024-06-19

Advances in Mathematics of Communications

Abstract:In this article, we continue the analysis started in [8] for the matrix code of quadratic relationships associated with a Goppa code. We provide new sparse and low-rank elements in the matrix code and categorize them according to their shape. Thanks to this description, we prove that the set of rank 2 matrices in the matrix codes associated with square-free binary Goppa codes, i.e. those used in the Classic McEiece cryptosystem, is much larger than what is expected, at least in the case where the Goppa polynomial degree is 2. We build upon the algebraic determinantal modeling introduced in [8] to derive a structural attack on these instances. Our method can break in just a few seconds some recent challenges to recover the key of the McEliece cryptosystem, consistently reducing their estimated security level. We also provide a general method, valid for any Goppa polynomial degree, to transform a generic pair of support and multiplier into a pair of support and Goppa polynomial.

computer science, theory & methods,mathematics, applied

Étienne Burle,Hervé Talé Kalachi,Freddy Lende Metouke,Ayoub Otmani

2024-04-10

Abstract:The LG cryptosystem is a public-key encryption scheme in the rank metric using the recent family of $\lambdav-$Gabidulin codes and introduced in 2019 by Lau and Tan. In this paper, we present a cryptanalysis showing that the security of several parameters of the scheme have been overestimated. We also show the existence of some weak keys allowing an attacker to find in polynomial time an alternative private key.

Cryptography and Security

Angelot Behajaina,Martino Borello,Javier de la Cruz,Wolfgang Willems

DOI: https://doi.org/10.1007/s10623-024-01367-0

IF: 1.4

2024-03-05

Designs Codes and Cryptography

Abstract:In this paper we investigate left ideals as codes in twisted skew group rings. The considered rings, which are in most cases algebras over a finite field, allow us to retrieve many of the well-known codes. The presentation, given here, unifies the concept of group codes, twisted group codes and skew group codes.

mathematics, applied,computer science, theory & methods

Jintai Ding,Jean-Pierre Tillich,Elisa Bertino

DOI: https://doi.org/10.1007/978-3-030-44223-1

2020-01-01

Abstract:We address the problem of decoding Gabidulin codes beyond their unique error-correction radius. The complexity of this problem is of importance to assess the security of some rank-metric code-based cryptosystems. We propose an approach that introduces row or column erasures to decrease the rank of the error in order to use any proper polynomial-time Gabidulin code error-erasure decoding algorithm. The expected work factor of this new randomized decoding approach is a polynomial term times qm(n−k)−w(n+m)+w 2+min{2ξ( n+k 2 −ξ),wk}, where n is the code length, q the size of the base field, m the extension degree of the field, k the code dimension, w the number of errors, and ξ := w− n−k 2 . It improves upon generic rank-metric decoders by an exponential factor.

Jonathan Conrad,Jens Eisert,Jean-Pierre Seifert

2024-07-02

Abstract:We introduce a new class of random Gottesman-Kitaev-Preskill (GKP) codes derived from the cryptanalysis of the so-called NTRU cryptosystem. The derived codes are good in that they exhibit constant rate and average distance scaling $\Delta \propto \sqrt{n}$ with high probability, where $n$ is the number of bosonic modes, which is a distance scaling equivalent to that of a GKP code obtained by concatenating single mode GKP codes into a qubit-quantum error correcting code with linear distance. The derived class of NTRU-GKP codes has the additional property that decoding for a stochastic displacement noise model is equivalent to decrypting the NTRU cryptosystem, such that every random instance of the code naturally comes with an efficient decoder. This construction highlights how the GKP code bridges aspects of classical error correction, quantum error correction as well as post-quantum cryptography. We underscore this connection by discussing the computational hardness of decoding GKP codes and propose, as a new application, a simple public key quantum communication protocol with security inherited from the NTRU cryptosystem.

Quantum Physics,Cryptography and Security,Information Theory

Alain Couvreur,Philippe Gaborit,Valérie Gauthier-Umaña,Ayoub Otmani,Jean-Pierre Tillich

DOI: https://doi.org/10.48550/arXiv.1307.6458

2014-03-28

Abstract:Because of their interesting algebraic properties, several authors promote the use of generalized Reed-Solomon codes in cryptography. Niederreiter was the first to suggest an instantiation of his cryptosystem with them but Sidelnikov and Shestakov showed that this choice is insecure. Wieschebrink proposed a variant of the McEliece cryptosystem which consists in concatenating a few random columns to a generator matrix of a secretly chosen generalized Reed-Solomon code. More recently, new schemes appeared which are the homomorphic encryption scheme proposed by Bogdanov and Lee, and a variation of the McEliece cryptosystem proposed by Baldi et \textit{al.} which hides the generalized Reed-Solomon code by means of matrices of very low rank. In this work, we show how to mount key-recovery attacks against these public-key encryption schemes. We use the concept of distinguisher which aims at detecting a behavior different from the one that one would expect from a random code. All the distinguishers we have built are based on the notion of component-wise product of codes. It results in a powerful tool that is able to recover the secret structure of codes when they are derived from generalized Reed-Solomon codes. Lastly, we give an alternative to Sidelnikov and Shestakov attack by building a filtration which enables to completely recover the support and the non-zero scalars defining the secret generalized Reed-Solomon code.

Cryptography and Security,Information Theory

Zhe Li,Chaoping Xing,Sze Ling Yeo

DOI: https://doi.org/10.1007/978-3-030-17259-6_20

2019-01-01

Abstract:In this paper, we propose a new general construction to reduce the public key size of McEliece cryptosystems constructed from automorphism-induced Goppa codes. In particular, we generalize the ideas of automorphism-induced Goppa codes by considering nontrivial subsets of automorphism groups to construct Goppa codes with a nice block structure. By considering additive and multiplicative automorphism subgroups, we provide explicit constructions to demonstrate our technique. We show that our technique can be applied to automorphism-induced Goppa codes based cryptosystems to further reduce their key sizes.

Rui Chen,Wee Teck Gan

DOI: https://doi.org/10.1017/s1474748024000197

2024-05-25

Journal of the Institute of Mathematics of Jussieu

Abstract:In this paper, we investigate the twisted GGP conjecture for certain tempered representations using the theta correspondence and establish some special cases, namely when the L-parameter of the unitary group is the sum of conjugate-dual characters of the appropriate sign.

mathematics

Nicolas Aragon,Alain Couvreur,Victor Dyseryn,Philippe Gaborit,Adrien Vinçotte

2024-10-17

Abstract:The McEliece scheme is a generic frame which allows to use any error correcting code of which there exists an efficient decoding algorithm to design an encryption scheme by hiding the generator matrix code. Similarly, the Niederreiter frame is the dual version of the McEliece scheme, and achieves smaller ciphertexts. We propose a generalization of the McEliece frame and the Niederreiter frame to matrix codes and the MinRank problem, that we apply to Gabidulin matrix codes (Gabidulin rank codes considered as matrix codes). The masking we consider consists in starting from a rank code C, to consider a matrix version of C and to concatenate a certain number of rows and columns to the matrix codes version of the rank code C and then apply to an isometry for matric codes. The security of the schemes relies on the MinRank problem to decrypt a ciphertext, and the structural security of the scheme relies on a new problem EGMC-Indistinguishability problem that we introduce and that we study in detail. The main structural attack that we propose consists in trying to recover the masked linearity over the extension field which is lost during the masking process. Overall, starting from Gabidulin codes we obtain a very appealing tradeoff between the size of ciphertext and the size of the public key. For 128b of security we propose parameters ranging from ciphertext of size 65 B (and public keys of size 98 kB) to ciphertext of size 138B (and public key of size 41 kB). Our new approach permits to achieve better trade-off between ciphertexts and public key than the classical McEliece scheme. Our new approach permits to obtain an alternative scheme to the classic McEliece scheme, to obtain very small ciphertexts, with moreover smaller public keys than in the classic McEliece scheme. For 256 bits of security, we can obtain ciphertext as low as 119B, or public key as low as 87kB.

Cryptography and Security