
Cryptanalysis of a variant of the McEliece encryption scheme Julien - PowerPoint PPT Presentation



  1. Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR, Université de Rennes 1 Journées Nationales de Calcul Formel 2020 03/03/2020

  2. Outline 1. McEliece cryptosystem and variants 2. Attack on the Reed–Solomon variant 3. Attack on the twisted Reed–Solomon variant 0/20 J. Lavauzelle – Cryptanalysis of a variant of the McEliece encryption scheme – JNCF 2020

  3–5. McEliece cryptosystem
  McEliece cryptosystem (1978): a public-key encryption scheme.
  Summary:
  ◮ private key: an efficient decoding algorithm for a code $C$,
  ◮ public key: a random description of the code (masks the decoding algorithm),
  ◮ encryption: encode the message and add an error,
  ◮ decryption: decode the error and retrieve the message.
  Security relies on two problems:
  1. hardness of decoding random codes
  2. hardness of recognizing the structure of a code (≃ finding an efficient decoding algorithm from a random description of the code)
  1/20

  6–7. General statement of the problem
  Let $\mathcal{F}$ be a $k$-dimensional subspace of $\mathbb{F}_q[x]/(x^q - x)$.
  Input.
  $$G = \begin{pmatrix} y_1 f_1(x_1) & \cdots & y_n f_1(x_n) \\ \vdots & & \vdots \\ y_1 f_k(x_1) & \cdots & y_n f_k(x_n) \end{pmatrix} \in \mathbb{F}_q^{k \times n},$$
  where:
  – $f_1(x), \ldots, f_k(x)$ is a basis of $\mathcal{F}$,
  – $(x_1, \ldots, x_n)$ are pairwise distinct in $\mathbb{F}_q$,
  – $(y_1, \ldots, y_n)$ are non-zero elements of $\mathbb{F}_q$.
  Output. A basis $g_1(x), \ldots, g_k(x)$ of $\mathcal{F}$, pairwise distinct elements $x'_1, \ldots, x'_n \in \mathbb{F}_q$ and non-zero elements $y'_1, \ldots, y'_n \in \mathbb{F}_q^\times$ such that
  $$G = \begin{pmatrix} y'_1 g_1(x'_1) & \cdots & y'_n g_1(x'_n) \\ \vdots & & \vdots \\ y'_1 g_k(x'_1) & \cdots & y'_n g_k(x'_n) \end{pmatrix}.$$
  2/20

  8–9. Instances of the problem
  A Public-Key Cryptosystem Based on Algebraic Coding Theory. McEliece. Jet Propulsion Laboratory DSN Progress Report. 1978.
  Original McEliece cryptosystem: binary Goppa codes, $q = 2^m$.
  – $x = (x_1, \ldots, x_n) \in \mathbb{F}_q^n$ pairwise distinct,
  – $\pi(x)$ the derivative of $\prod_{i=1}^{n} (x - x_i) \in \mathbb{F}_q[x]$,
  – an irreducible $\Gamma(x) \in \mathbb{F}_q[x]$,
  – $y = \left( \frac{\Gamma(x_1)}{\pi(x_1)}, \ldots, \frac{\Gamma(x_n)}{\pi(x_n)} \right) \in (\mathbb{F}_q^\times)^n$.
  $$\mathcal{F}_{x, \Gamma, r} = \left\{ f(x) \in \mathbb{F}_q[x] \;\middle|\; \deg(f) < r \text{ and } y_i f(x_i) \in \mathbb{F}_2,\ \forall i = 1, \ldots, n \right\}.$$
  ◮ Still considered as secure (NIST competition).
  ◮ Main drawback: large key sizes.
  3/20

  10–13. Instances of the problem
  In order to reduce key sizes:
  ◮ Niederreiter (1986): generalized Reed–Solomon codes
  – $x = (x_1, \ldots, x_n) \in \mathbb{F}_q^n$ pairwise distinct
  – $y = (y_1, \ldots, y_n) \in (\mathbb{F}_q^\times)^n$
  – $\mathcal{F} = \{ f(x) \in \mathbb{F}_q[x] \mid \deg(f) < k \}$
  However, broken by Sidelnikov and Shestakov in 1992 (Part II).
  ◮ A lot of propositions to replace Goppa codes → Reed–Muller codes, AG codes, QC-MDPC codes, etc.
  ◮ In 2018: Beelen, Bossert, Puchinger and Rosenkilde proposed twisted Reed–Solomon codes.
  → claimed key size reduction by a factor 7
  → also broken (Part III)
  On Insecurity of Cryptosystems Based on Generalized Reed-Solomon Codes. Sidelnikov, Shestakov. Discrete Math. Appl. 1992.
  Cryptanalysis of a System Based on Twisted Reed–Solomon Codes. L., Renner. Designs, Codes and Cryptography. 2020.
  4/20

  14. Outline 1. McEliece cryptosystem and variants 2. Attack on the Reed–Solomon variant 3. Attack on the twisted Reed–Solomon variant 4/20

  15. The problem
  Let $\mathcal{F} = \{ f(x) \in \mathbb{F}_q[x] \mid \deg(f) < k \}$.
  Input. A matrix
  $$G = \begin{pmatrix} y_1 f_1(x_1) & \cdots & y_n f_1(x_n) \\ \vdots & & \vdots \\ y_1 f_k(x_1) & \cdots & y_n f_k(x_n) \end{pmatrix} \in \mathbb{F}_q^{k \times n},$$
  where
  – $f_1(x), \ldots, f_k(x)$ is a basis of $\mathcal{F}$,
  – $(x_1, \ldots, x_n) \in \mathbb{F}_q^n$ are pairwise distinct, and $(y_1, \ldots, y_n) \in (\mathbb{F}_q^\times)^n$.
  Output. A basis $g_1(x), \ldots, g_k(x)$ of $\mathcal{F}$, pairwise distinct elements $(x'_1, \ldots, x'_n) \in \mathbb{F}_q^n$ and non-zero elements $(y'_1, \ldots, y'_n) \in (\mathbb{F}_q^\times)^n$ such that
  $$G = \begin{pmatrix} y'_1 g_1(x'_1) & \cdots & y'_n g_1(x'_n) \\ \vdots & & \vdots \\ y'_1 g_k(x'_1) & \cdots & y'_n g_k(x'_n) \end{pmatrix}.$$
  5/20

  16. The problem
  Remark. One can write $G$ as:
  $$G = S \cdot \begin{pmatrix} 1 & 1 & \cdots & 1 & 1 \\ x_1 & x_2 & \cdots & x_{n-1} & x_n \\ x_1^2 & x_2^2 & \cdots & x_{n-1}^2 & x_n^2 \\ \vdots & \vdots & & \vdots & \vdots \\ x_1^{k-1} & x_2^{k-1} & \cdots & x_{n-1}^{k-1} & x_n^{k-1} \end{pmatrix} \cdot \mathrm{Diag}(y_1, \ldots, y_n),$$
  where $S \in \mathbb{F}_q^{k \times k}$ is invertible.
  6/20

  17–18. Structural properties
  Notation.
  – $\mathbf{1} = (1, \ldots, 1) \in \mathbb{F}_q^n$
  – $\mathcal{F} = \{ f(x) \in \mathbb{F}_q[x] \mid \deg(f) < k \}$
  – $a \star b = (a_1 b_1, \ldots, a_n b_n)$
  – $\lambda a = (\lambda a_1, \ldots, \lambda a_n)$
  Definition. Generalized Reed–Solomon code:
  $$\mathrm{GRS}_k(x, y) := \left\{ y \star \mathrm{ev}_x(f) := (y_1 f(x_1), \ldots, y_n f(x_n)) \;\middle|\; f(x) \in \mathcal{F} \right\} \subseteq \mathbb{F}_q^n$$
  7/20
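The objects of slides 16 and 18 worked through over a toy prime field, as an added example that is not part of the talk: it builds $\mathrm{GRS}_k(x, y)$ from $\star$ and $\mathrm{ev}_x$, forms the scrambled public matrix $G = S \cdot V \cdot \mathrm{Diag}(y)$ with a random invertible $S$, and checks that $G$ spans exactly $\mathrm{GRS}_k(x, y)$. All parameters (p = 17, n = 8, k = 3, the points and multipliers) are constructed here, and rank is computed by plain Gauss-Jordan elimination mod p.

```python
import random
def ev(x, f, p):
    """ev_x(f): evaluate f (coefficient list, lowest degree first) at every x_i, mod p."""
    return [sum(c * pow(xi, i, p) for i, c in enumerate(f)) % p for xi in x]

def star(a, b, p):
    """Componentwise product a * b = (a_1 b_1, ..., a_n b_n) from slide 17."""
    return [(ai * bi) % p for ai, bi in zip(a, b)]

def grs_generator(x, y, k, p):
    """Generator matrix of GRS_k(x, y): rows y * ev_x(x^i) for i = 0..k-1."""
    return [star(y, ev(x, [0] * i + [1], p), p) for i in range(k)]
def matmul(A, B, p):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]

def rank(M, p):
    """Rank over F_p (p prime) by Gauss-Jordan elimination; M itself is not modified."""
    M, r = [row[:] for row in M], 0
    for c in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [(v * inv) % p for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = [(a - M[i][c] * b) % p for a, b in zip(M[i], M[r])]
        r += 1
    return r

def random_invertible(k, p, rng):
    """Random invertible k x k matrix S over F_p by rejection sampling."""
    S = [[rng.randrange(p) for _ in range(k)] for _ in range(k)]
    return S if rank(S, p) == k else random_invertible(k, p, rng)

def public_key(x, y, k, S, p):
    """G = S . Vandermonde(x) . Diag(y) (slide 16): the scrambled description of the code."""
    V = [ev(x, [0] * i + [1], p) for i in range(k)]  # rows 1, x, ..., x^(k-1)
    return matmul(S, [star(y, row, p) for row in V], p)  # V . Diag(y) scales column j by y_j

def same_code(G1, G2, p):
    """True iff G1 and G2 span the same subspace of F_p^n."""
    return rank(G1, p) == rank(G2, p) == rank(G1 + G2, p)
P, K = 17, 3  # constructed toy parameters (not from the talk): F_17, k = 3, n = 8
X = [1, 2, 3, 5, 7, 11, 13, 16]   # pairwise distinct evaluation points
Y = [2, 3, 5, 7, 11, 13, 4, 6]    # non-zero column multipliers
S = random_invertible(K, P, random.Random(1))
G_PUB = public_key(X, Y, K, S, P)
```

`same_code(G_PUB, grs_generator(X, Y, K, P), P)` returning True is the slide 16 remark in action: the public matrix spans exactly $\mathrm{GRS}_k(x, y)$, so the scrambling by $S$ hides the description $(x, y)$ but not the code itself, which is what the problem statement on slide 15 asks an attacker to recover.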
