Liu Jie,Tong Xiaojun,Wang Zhu,Zhang Miao,Ma Jing

DOI: https://doi.org/10.1007/s11235-022-00881-7

2022-01-01

Abstract:The McEliece cryptosystem based on quasi-cyclic moderate-density parity-check with adaptive chosen-ciphertext attack conversion is secure against information set decoding and message-resend attacks. However, it is vulnerable to reaction based key recovery attacks and cannot be implemented over the noise channel. To overcome this problem, we propose an improved McEliece cryptosystem based on quasi-cyclic quasi moderate-density parity-check (QC-QMDPC). In this cryptosystem, a stamp generation function which is based on the pseudorandom sequence is designed to resist the message-resend attack. The random channel noise is employed to enhance security. Furthermore, the upper bound of the density of QC-QMDPC code is proved for optimal efficiency. The index-based storage technique is proposed so that the key size can be reduced to approximately quadruple code length. The encoding and decoding algorithms are optimized to reduce the computational cost on the hardware platform. We analyze the performance of the proposed cryptosystem and compare it with other McEliece cryptosystems. The results show that the proposed cryptosystem is secure against critical attacks while keeping high error correction ability and efficiency.

Marco Baldi

DOI: https://doi.org/10.3233/978-1-60750-002-5-160

2009-01-11

Abstract:The McEliece cryptosystem is a public-key cryptosystem based on coding theory that has successfully resisted cryptanalysis for thirty years. The original version, based on Goppa codes, is able to guarantee a high level of security, and is faster than competing solutions, like RSA. Despite this, it has been rarely considered in practical applications, due to two major drawbacks: i) large size of the public key and ii) low transmission rate. Low-Density Parity-Check (LDPC) codes are state-of-art forward error correcting codes that permit to approach the Shannon limit while ensuring limited complexity. Quasi-Cyclic (QC) LDPC codes are a particular class of LDPC codes, able to join low complexity encoding of QC codes with high-performing and low-complexity decoding of LDPC codes. In a previous work it has been proposed to adopt a particular family of QC-LDPC codes in the McEliece cryptosystem to reduce the key size and increase the transmission rate. Recently, however, new attacks have been found that are able to exploit a flaw in the transformation from the private key to the public one. Such attacks can be effectively countered by changing the form of some constituent matrices, without altering the system parameters. This work gives an overview of the QC-LDPC codes-based McEliece cryptosystem and its cryptanalysis. Two recent versions are considered, and their ability to counter all the currently known attacks is discussed. A third version able to reach a higher security level is also proposed. Finally, it is shown that the new QC-LDPC codes-based cryptosystem scales favorably with the key length.

Information Theory

Adarsh Srinivasan,Ayan Mahalanobis

2023-09-08

Abstract:This paper is an attempt to build a new public-key cryptosystem; similar to the McEliece cryptosystem, using permutation error-correcting codes. We study a public-key cryptosystem built using two permutation error-correcting codes. We show that these cryptosystems are insecure. However, the general framework in these cryptosystems can use any permutation error-correcting code and is interesting. We present an enhanced McEliece cryptosystem which subsumes McEliece cryptosystem based on linear error correcting codes.

Information Theory,Cryptography and Security,Group Theory

Terry Shue Chien Lau,Chik How Tan

DOI: https://doi.org/10.1007/s10623-021-01002-2

2022-01-18

Abstract:Recently, Horlemann-Trautmann and Weger (Adv Math Commun, https://doi.org/10.3934/amc.2020089, 2020) proposed a general framework for a Quaternary McEliece cryptosystem over the ring Z4$${\mathbb {Z}}_4$$, and generalized the construction over the ring Zpm$${\mathbb {Z}}_{p^m}$$ where p is a prime integer. By considering the Lee metric, the public key size for the McEliece cryptosystems can be substantially smaller than their counterparts in the Hamming metric. Furthermore, the hardness of the McEliece cryptosystems over Zpm$${\mathbb {Z}}_{p^m}$$ is based on the Lee Syndrome Decoding problem, which was shown to be NP-complete. This paper aims to analyze the design and security of the Lee metric McEliece cryptosystem over Zpm$${\mathbb {Z}}_{p^m}$$ in the Lee metric. We derive some necessary conditions for the quaternary codes used in the Lee metric McEliece cryptosystem, and show that the theoretical quaternary codes proposed in (Adv Math Commun, https://doi.org/10.3934/amc.2020089, 2020) do not exist. Furthermore, we propose a plaintext recovery attack on the Lee metric McEliece cryptosystem over Zpm$${\mathbb {Z}}_{p^m}$$, when the minimum Lee distance of the underlying codes with certain structures is greater than twice the Lee weight of the error. Our plaintext recovery attack is applicable to the cryptosystems over Zpm$${\mathbb {Z}}_{p^m}$$ when m>1$$m>1$$. We apply our plaintext recovery attack on the Quaternary McEliece cryptosystem, and manage to recover partial plaintext of length k1$$k_1$$ within O2min{k1,0.0473n}$$O \left( 2^{\min \{ k_1, 0.0473 n\}} \right) $$ operations, where n is the length of ciphertext. Hence, the proposed theoretical parameters for the Quaternary McEliece over Z4$${\mathbb {Z}}_4$$ in (Adv Math Commun, https://doi.org/10.3934/amc.2020089, 2020) do not achieve 128-bit security, as we can recover the partial plaintext within 0.591 s. This also implies that the use of quaternary codes in the McEliece cryptosystem may not reduce the public key size significantly. Furthermore, for some parameters of the Lee metric McEliece cryptosystems over Z4$${\mathbb {Z}}_4$$, our plaintext recovery attack can be more efficient than the Lee-Brickell’s and Stern’s Information Set Decoding Algorithm over Z4$${\mathbb {Z}}_4$$.

Ekta Bindal,Abhay Kumar Singh

DOI: https://doi.org/10.1109/access.2024.3373314

IF: 3.9

2024-03-12

IEEE Access

Abstract:This paper introduces a variant of the McEliece cryptosystem and employs the -construction to generate a new code from two arbitrary linear codes. We propose an efficient hard-decision decoding algorithm for linear codes derived from the -construction and integrate them into the McEliece framework. The security of the cryptosystem varies based on the specific codes used in the -construction. Our proposed variant achieves a good level of security with approximately the same key size compared to one of the classic McEliece candidates of the National Institute of Standards and Technology (NIST) standardization process. Specifically, we demonstrate a 25% key size reduction for our proposed parameters compared to one of the 256-bit secured classic McEliece parameters.

computer science, information systems,telecommunications,engineering, electrical & electronic

Paulo Almeida,Miguel Beltrá,Diego Napp,Cláudia Sebastião

2023-12-11

Abstract:In this paper we present a variant of the McEliece cryptosystem that possesses several interesting properties, including a reduction of the public key for a given security level. In contrast to the classical McEliece cryptosystems, where block codes are used, we propose the use of a convolutional encoder to be part of the public key. The permutation matrix is substituted by a polynomial matrix whose coefficient matrices have columns with weight zero or at least weight two. This allows the use of Generalized Reed-Solomon (GRS) codes which translates into shorter keys for a given security level. Hence, the private key is constituted by a generator matrix of a GRS code and two polynomial matrices containing large parts generated completely at random. In this setting the message is a sequence of messages instead of a single block message and the errors are added throughout the sequence. We discuss possible structural and ISD attacks to this scheme. We conclude presenting the key sizes obtained for different parameters and estimating the computational cost of encryption and decryption process.

Information Theory

Vincent Giraud,Guillaume Bouffard

DOI: https://doi.org/10.48550/arXiv.2305.02855

2023-05-04

Cryptography and Security

Abstract:Private and public actors increasingly encounter use cases where they need to implement sensitive operations on mass-market peripherals for which they have little or no control. They are sometimes inclined to attempt this without using hardware-assisted equipment, such as secure elements. In this case, the white-box attack model is particularly relevant and includes access to every asset, retro-engineering, and binary instrumentation by attackers. At the same time, quantum attacks are becoming more and more of a threat and challenge traditional asymmetrical ciphers, which are treasured by private and public actors. The McEliece cryptosystem is a code-based public key algorithm introduced in 1978 that is not subject to well-known quantum attacks and that could be implemented in an uncontrolled environment. During the NIST post-quantum cryptography standardization process, a derived candidate commonly refer to as classic McEliece was selected. This algorithm is however vulnerable to some fault injection attacks while a priori, this does not apply to the original McEliece. In this article, we thus focus on the original McEliece cryptosystem and we study its resilience against fault injection attacks on an ARM reference implementation. We disclose the first fault injection based attack and we discuss on how to modify the original McEliece cryptosystem to make it resilient to fault injection attacks.

Hannes Bartz,Gianluigi Liva

DOI: https://doi.org/10.48550/arXiv.1801.05659

2018-01-17

Abstract:Recently, it has been shown how McEliece public-key cryptosystems based on moderate-density parity-check (MDPC) codes allow for very compact keys compared to variants based on other code families. In this paper, classical (iterative) decoding schemes for MPDC codes are considered. The algorithms are analyzed with respect to their error-correction capability as well as their resilience against a recently proposed reaction-based key-recovery attack on a variant of the MDPC-McEliece cryptosystem by Guo, Johansson and Stankovski (GJS). New message-passing decoding algorithms are presented and analyzed. Two proposed decoding algorithms have an improved error-correction performance compared to existing hard-decision decoding schemes and are resilient against the GJS reaction-based attack for an appropriate choice of the algorithm's parameters. Finally, a modified belief propagation decoding algorithm that is resilient against the GJS reaction-based attack is presented.

Cryptography and Security

Ayoub Otmani,Jean-Pierre Tillich,Leonard Dallot

DOI: https://doi.org/10.48550/arXiv.0804.0409

2010-01-04

Abstract:We cryptanalyse here two variants of the McEliece cryptosystem based on quasi-cyclic codes. Both aim at reducing the key size by restricting the public and secret generator matrices to be in quasi-cyclic form. The first variant considers subcodes of a primitive BCH code. We prove that this variant is not secure by finding and solving a linear system satisfied by the entries of the secret permutation matrix. The other variant uses quasi-cyclic low density parity-check codes. This scheme was devised to be immune against general attacks working for McEliece type cryptosystems based on low density parity-check codes by choosing in the McEliece scheme more general one-to-one mappings than permutation matrices. We suggest here a structural attack exploiting the quasi-cyclic structure of the code and a certain weakness in the choice of the linear transformations that hide the generator matrix of the code. Our analysis shows that with high probability a parity-check matrix of a punctured version of the secret code can be recovered in cubic time complexity in its length. The complete reconstruction of the secret parity-check matrix of the quasi-cyclic low density parity-check codes requires the search of codewords of low weight which can be done with about $2^{37}$ operations for the specific parameters proposed.

Cryptography and Security,Discrete Mathematics

Amir K. Khandani

2024-01-30

Abstract:This work presents some novel techniques to enhance an encryption scheme motivated by classical McEliece cryptosystem. Contributions include: (1) using masking matrices to hide sensitive data, (2) allowing both legitimate parties to incorporate randomness in the public key without sharing any additional public information, (3) using concatenation of a repetition code for error correction, permitting key recovery with a negligible decoding complexity, (4) making attacks more difficult by increasing the complexity in verifying a given key candidate has resulted in the actual key, (5) introducing memory in the error sequence such that: (i) error vector is composed of a random number of erroneous bits, (ii) errors can be all corrected when used in conjunction with concatenation of a repetition code of length 3. Proposed techniques allow generating significantly larger keys, at the same time, with a much lower complexity, as compared to known post-quantum key generation techniques relying on randomization.

Cryptography and Security,Information Theory

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.06.001

2012-01-01

Abstract:The security of EPCBC,a lightweight block cipher proposed in CANS 2011,against the side-channel cube attack is evaluated by combining cube cryptanalysis with side-channel attack under the 8-bit Hamming weight leakage model.Under the black-box attack scenario,the adversary firstly generates random cube and superpoly.Then the cube is used to generate chosen plaintexts.The adversary deduces one bit of the intermediate state from the side-channel attack for each chosen plaintext and computes the high order differences of these one bit values to verify the relations between the cube and superpoly.Simulation experiments are launched on two variants of EPCBC with different block lengths.The results demonstrate that the unprotected implementation of EPCBC is vulnerable to side-channel cube attacks.If the adversary can accurately deduce the Hamming weight of the intermediate states from the side-channel leakages,many cubes and superpolys can be extracted and used for key recovery.372 chosen plaintexts can recover 48-bit of the master key for EPCBC(48,96) and reduce the key search space to 248.610 chosen plaintexts can recover full 96-bit of the master key for EPCBC(96,96) directly.The techniques of this paper can provide certain references to black-box side-channel cube attacks on other block ciphers.

Xuyun Nie,Zhaohu Xu,Li Lu,Yongjian Liao

DOI: https://doi.org/10.1007/978-3-642-25513-7_9

2011-01-01

Abstract:MFE is a multivariate public key encryption scheme. In 2007, MFE was broken by Ding et al using high order linearization equation attack. In 2009, Huang et al gave an improvement of MFE. They claimed that the improved MFE is secure against high order linearization equation attack. However, through theoretical analysis, we find that there are many first order linearization equations(FOLEs) satisfied by this improved version. Using linearization equation attack can break this version. We also find the improved version satisfied Second Order Linearization Equantions (SOLEs).

Hung -Min Sun,Shiuh -Pyng Shieh

DOI: https://doi.org/10.1007/bfb0053722

1998-01-01

Abstract:Recently J. and R.M. Campello de Souza proposed a private-key encryption scheme based on the product codes with the capability of correcting a special type of structured errors. In this paper, we show that J. and R.M. Campello de Souza's scheme is insecure against chosen-plaintext attacks, and consequently propose a secure modified scheme.

Sen Xu,Xiangjun Lu,Aidong Chen,Haifeng Zhang,Haihua Gu,Dawu Gu,Kaiyu Zhang,Zheng Guo,Junrong Liu

DOI: https://doi.org/10.1109/cc.2018.8543054

2018-01-01

China Communications

Abstract:Public key cryptographic（PKC） algorithms, such as the RSA, elliptic curve digital signature algorithm（ECDSA） etc., are widely used in the secure communication systems, such as OpenSSL, and a variety of information security systems. If designer do not securely implement them, the secret key will be easily extracted by side-channel attacks（SCAs） or combinational SCA thus mitigating the security of the entire communication system. Previous countermeasures of PKC implementations focused on the core part of the algorithms and ignored the modular inversion which is widely used in various PKC schemes. Many researchers believe that instead of straightforward implementation, constant time modular inversion（CTMI） is enough to resist the attack of simple power analysis combined with lattice analysis. However, we find that the CTMI security can be reduced to a hidden t-bit multiplier problem. Based on this feature, we firstly obtain Hamming weight of intermediate data through side-channel leakage. Then, we propose a heuristic algorithm to solve the problem by revealing the secret（partial and full） base of CTMI. Comparing previous nec-essary input message for masking filtering, our procedure need not any information about the secret base of the inversion. To our knowledge, this is the first time for evaluating the practical security of CTMI and experimental results show the fact that CTMI is not enough for high-level secure communication systems.

Chunguang Ma,Ding Wang,Sendong Zhao

DOI: https://doi.org/10.1002/dac.2468

2014-01-01

International Journal of Communication Systems

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this paper, we analyze two recent proposals in the area of password-based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all the claimed security goals and report its following flaws: (i) it is vulnerable to offline password guessing attack under their nontamper resistance assumption of the smart cards; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID-based scheme without public-key operations introduced byWen and Li in 2012. This proposal attempts to overcome many of the well-known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen-Li's protocol is vulnerable to offline password guessing attack and denial of service attack, and fails to provide forward secrecy and to preserve user anonymity. Furthermore, with the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the nontamper resistance assumption of the smart card; (ii) there is an unavoidable trade-off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the proposed three principles are valuable to protocol designers for advancing more robust schemes. Copyright (C) 2012 John Wiley & Sons, Ltd.

Cong Chen,Thomas Eisenbarth,Ingo von Maurich,Rainer Steinwandt

DOI: https://doi.org/10.1007/978-3-319-28166-7_26

2015-01-01

Abstract:This work presents the first differential power analysis of an implementation of the McEliece cryptosystem. Target of this side-channel attack is a state-of-the-art FPGA implementation of the efficient QC-MDPC McEliece decryption operation as presented at DATE 2014. The presented cryptanalysis succeeds to recover the complete secret key after a few observed decryptions. It consists of a combination of a differential leakage analysis during the syndrome computation followed by an algebraic step that exploits the relation between the public and private key.

Zhe Sun,Jincheng Zhuang,Zimeng Zhou,Fang-Wei Fu

DOI: https://doi.org/10.1016/j.tcs.2024.114480

IF: 1.002

2024-02-01

Theoretical Computer Science

Abstract:This paper presents a new McEliece-type cryptosystem using Gabidulin-Kronecker product codes in the rank metric. The contributions of this paper are as follows. Firstly, we propose a new Gabidulin-Kronecker product code which is a kind of block circulant code, and give an efficient decoding algorithm. Secondly, we design a one-way secure public key encryption scheme based on the Gabidulin-Kronecker product codes. Thirdly, we obtain an IND-CCA2 secure public key encryption scheme by converting our one-way secure public key encryption scheme under the hardness assumption of the RSD Dual Problem. In terms of efficiency, our scheme has a smaller public key size by taking advantage of the block circulant structure. For 128-bit security, the public key size of our proposal is 13% of Lau-Tan's cryptosystem (in the rank metric), and 19% of BIKE (in the Hamming metric). In terms of security, our scheme can resist Overbeck attack, Coggia-Couvreur attack and Sendrier attack.

computer science, theory & methods

SF Sun,Udaya Parampalli,TH Yuen,Yong Yu,Dawu Gu

2016-01-01

Abstract:© Springer International Publishing Switzerland 2016.Motivated by tampering attacks in practice, two different but related security notions, termed complete non-malleability and relatedkey attack security, have been proposed recently. In this work, we study their relations and present the first public key encryption scheme that is secure in both notions under standard assumptions. Moreover, by exploiting the technique for achieving complete non-malleability, we give a practical scheme for the related-key attack security. Precisely, the scheme is proven secure against polynomial functions of bounded degree d under a newly introduced hardness assumption called dmodified extended decisional bilinear Diffie-Hellman assumption. Since the schemes are constructed in a direct way instead of relying on the noninteractive zero knowledge proof or signature techniques, they not only achieve the strong security notions but also have better performances.

Pierre-Louis Cayrel,Brice Colombier,Vlad-Florin Drăgoi,Alexandre Menu,Lilian Bossuet

DOI: https://doi.org/10.1007/978-3-030-77886-6_15

2021-01-01

Abstract:Code-based public-key cryptosystems are promising candidates for standardization as quantum-resistant public-key cryptographic algorithms. Their security is based on the hardness of the syndrome decoding problem. Computing the syndrome in a finite field, usually F2documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathbb {F}_{2}$$end{document}, guarantees the security of the constructions. We show in this article that the problem becomes considerably easier to solve if the syndrome is computed in Ndocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathbb {N}$$end{document} instead. By means of laser fault injection, we illustrate how to compute the matrix-vector product in Ndocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathbb {N}$$end{document} by corrupting specific instructions, and validate it experimentally. To solve the syndrome decoding problem in Ndocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathbb {N}$$end{document}, we propose a reduction to an integer linear programming problem. We leverage the computational efficiency of linear programming solvers to obtain real-time message recovery attacks against the code-based proposal to the NIST Post-Quantum Cryptography standardization challenge. We perform our attacks in the worst-case scenario, i.e. considering random binary codes, and retrieve the initial message within minutes on a desktop computer.Our attack targets the reference implementation of the Niederreiter cryptosystem in the NIST PQC competition finalist Classic McEliece and is practically feasible for all proposed parameters sets of this submission. For example, for the 256-bit security parameters sets, we successfully recover the message in a couple of seconds on a desktop computer Finally, we highlight the fact that the attack is still possible if only a fraction of the syndrome entries are faulty. This makes the attack feasible even though the fault injection does not have perfect repeatability and reduces the computational complexity of the attack, making it even more practical overall.

Sitao Wang,Yao Zhang,Xiao Zhang,Zhiming Zheng

DOI: https://doi.org/10.2991/jimet-15.2015.71

2015-01-01

Abstract:Block ciphers serve as the core of the modern cryptography, with a continuing study of cryptanalysis never stopped. Recently, a specific cryptographic structure, namely Even-Mansour scheme, has been widely revisited and discussed due to its well relevance to most block ciphers. In this paper, we have proposed MB+, a novel and effective solution to key-recovery issue especially for 4 round Even-Mansour schemes. Our method is inspired by a multibridge attack that uses two round keys alternately. Specifically, based on a thorough analysis on the properties of the fixed points, we have observed the existence of invalid keys that can not be disclosed by the multibridge attack. Targeting at the reduction of invalid-key set, we obtain the MB+ method by introducing XOR-parameters in a flexible fashion. With the theoretical analysis and extensive experiments against popular block ciphers, we confirm the effectiveness of our approach systematically.