Cryptanalysis of Two Variants of the McEliece Cryptosystem
Ayoub Otmani (1), Léonard Dallot (1), Jean-Pierre Tillich (2)
Ayoub.Otmani@info.unicaen.fr, Leonard.Dallot@info.unicaen.fr, jean-pierre.tillich@inria.fr
(1) GREYC - Groupe de Recherche en Informatique, Image, Automatique et Instrumentation de Caen (UMR 6072)
(2) Équipe-projet Secret, INRIA-Rocquencourt
Séminaire ALI/SALSA. April 3, 2009.
I. Background
Introduction
• Asymmetric cryptography concepts introduced by Diffie & Hellman ('76)
• Rivest, Shamir & Adleman invented RSA ('77)
  – First asymmetric cryptosystem
  – Widely accepted for practical uses
  – Extensively studied, which induces (too?) many security recommendations
• But alternative cryptosystems exist, such as the McEliece cryptosystem
McEliece Cryptosystem
• Let F_{n,k,t} be a family of codes of length n and dimension k capable of correcting ≤ t errors.
• The cryptosystem is described by three algorithms:
  1. (PK, SK) ← Setup(1^λ)
  2. c ∈ F_2^n ← Encrypt(m ∈ F_2^k)
  3. m' ∈ F_2^k ← Decrypt(c' ∈ F_2^n)
McEliece. Setup
(PK, SK) ← Setup(1^λ)
1. Take n, k, t according to λ
2. Randomly choose a generator matrix G' ∈ F_{n,k,t}
3. Randomly pick:
   – an n × n permutation matrix P
   – a k × k invertible matrix S
4. Set G = S × G' × P and let γ : F_2^n → F_2^k be the decoding algorithm associated with G'
5. Output PK = (G, t) and SK = (S, P, γ)
McEliece. Encrypt
c ∈ F_2^n ← Encrypt(m ∈ F_2^k)
1. Pick a random vector e ∈ F_2^n of weight ≤ t
2. Output c = m × G ⊕ e
McEliece. Decrypt
m' ∈ F_2^k ← Decrypt(c' ∈ F_2^n)
1. Calculate z = c' × P^{-1}      // z = m × (S × G') ⊕ (e × P^{-1})
2. Compute y = γ(z)               // y = m × S
3. Output m' = y × S^{-1}         // m' = m
McEliece Cryptosystem – Security Assumptions
• One-Wayness under Chosen Plaintext Attack (OW-CPA): it is difficult to invert Encrypt (decoding attack)
• Private key recovery: it is difficult to extract from the public matrix the secret matrices, or an equivalent secret matrix that has an efficient decoding algorithm (structural attack)
Remark. The public code and the secret code are permutation equivalent.
McEliece Cryptosystem Security – OW-CPA
1. Decoding random linear codes is NP-hard
   E. R. Berlekamp, R. J. McEliece, and H. C. A. van Tilborg. On the intractability of certain coding problems. IEEE Transactions on Information Theory, 24(3):384–386, 1978.
2. The best practical algorithms run in time exponential in the length and the rate
   D. J. Bernstein, T. Lange, and C. Peters. Attacking and defending the McEliece cryptosystem. In PQCrypto, pages 31–46, 2008.
3. Permuted Goppa codes look like random linear codes
McEliece Cryptosystem – Private Key Recovery
• The hardness does not come from the permutation equivalence problem, because in practice the Support Splitting Algorithm solves it easily
   N. Sendrier. Finding the permutation between equivalent codes: the support splitting algorithm. IEEE Transactions on Information Theory, 46(4):1193–1203, July 2000.
• It comes rather from the huge sizes of F_{n,k,t} and of the symmetric group of order n
Remark. The original McEliece scheme is still unbroken, unlike many of its variants...
McEliece Cryptosystem Variants
Replacing Goppa codes by:
1. Reed-Solomon codes (Niederreiter '86)
2. Concatenated codes
3. Reed-Muller codes (Sidelnikov '94)
Insecure McEliece Cryptosystem Variants
• Reed-Solomon codes
   V. M. Sidelnikov and S. O. Shestakov. On the insecurity of cryptosystems based on generalized Reed-Solomon codes. Discrete Mathematics and Applications, 1(4):439–444, 1992.
• Concatenated codes
   N. Sendrier. On the Structure of Randomly Permuted Concatenated Code. INRIA Rocquencourt research report, January 1995.
• Reed-Muller codes
   L. Minder and A. Shokrollahi. Cryptanalysis of the Sidelnikov cryptosystem. In Eurocrypt 2007, volume 4515 of Lecture Notes in Computer Science, pages 347–360, Barcelona, Spain, 2007.
McEliece Cryptosystem
• Three advantages
  – Fast encryption/decryption algorithms
  – The original scheme is still secure
  – An alternative to RSA in the presence of quantum computers!
• Main drawback: a huge public key
  For instance, with the parameters proposed in '78 (now outdated):
  ∗ Goppa codes with n = 1024, k = 524
  ∗ Private key ≃ 300 Kbits
  ∗ Public key ≃ 500 Kbits
Reducing Key Sizes
1. Sparse matrices
   A. Shokrollahi, C. Monico, J. Rosenthal. Using low density parity check codes in the McEliece cryptosystem. In IEEE International Symposium on Information Theory (ISIT 2000), page 215, Sorrento, Italy, 2000.
2. Quasi-cyclic matrices
   P. Gaborit. Shorter keys for code based cryptography. In Proceedings of the 2005 International Workshop on Coding and Cryptography (WCC 2005), pages 81–91, Bergen, Norway, March 2005.
3. Sparse quasi-cyclic matrices
   M. Baldi, G. F. Chiaraluce. Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC codes. In IEEE International Symposium on Information Theory, pages 2591–2595, Nice, France, March 2007.
Low Density Parity Check Codes
Some facts.
• Invented by Gallager ('68) and rediscovered by MacKay ('98)
• Linear codes defined by very sparse parity check matrices
• Iteratively decoded with the Belief Propagation algorithm
• For any cryptographic use, the sparsity of the matrices has to be hidden
Notation. L_{n,k,t}: family of LDPC codes of length n, dimension k and correcting capability of t errors.
LDPC Codes in the McEliece Cryptosystem
Setup(1^λ)
1. Randomly choose a parity check matrix H' ∈ L_{n,k,t}
2. Randomly pick a sparse invertible (n − k) × (n − k) matrix T and a k × k matrix S
3. Set H = T × H'
4. Output SK = (H', T) and PK = (H, S, t)
Remark. H and H' define the same code C.
LDPC Codes in the McEliece Cryptosystem
Encrypt(m)
1. Compute a generator matrix G in row reduced echelon form from H
2. Set G̃ = S^{-1} × G
3. Output c = m × G̃ ⊕ e
Decrypt(c)
1. Decode c with H'                 // G and G̃ define the same code C
2. Extract m × S^{-1} from m × G̃
3. Output m
LDPC Codes in the McEliece Cryptosystem – Security Assumption
• The dual of the public code must not have codewords of small weight
• It should be hard to devise a sparse parity check matrix H̃ equivalent to H'
• It turns out not to be the case
  A. Shokrollahi, C. Monico, J. Rosenthal. Using low density parity check codes in the McEliece cryptosystem. In IEEE International Symposium on Information Theory (ISIT 2000), page 215, Sorrento, Italy, 2000.
LDPC Codes in the McEliece Cryptosystem – Structural Attack
Notation.
– Let v_i be the i-th row of a matrix V
– Let v_i ∩ v_j be the intersection vector of v_i and v_j (the vector whose support is the intersection of the supports of v_i and v_j)
Basic observation. T and H' are (very) sparse matrices. With non-negligible probability, for many ℓ there exist i, j such that h'_ℓ = h_i ∩ h_j.
Secret Parity Check Matrix Recovery
1. for any i, j do compute v = h_i ∩ h_j
2.   if v ∈ C then B = B ∪ {v}
3.     for any ℓ do
4.       if wt(h_ℓ ⊕ v) < wt(h_ℓ) then
5.         h_ℓ = h_ℓ ⊕ v
6.       end if
7.     end for
8.     Goto 1
9.   end if
10. end for
11. Output B
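An added illustration of the recovery procedure above (not the authors' code), run on a constructed toy key built as in the LDPC Setup slide: a sparse secret H' hidden behind a sparse invertible T, H = T × H'. The membership test of step 2 is implemented as "v lies in the row space of H" (v is a parity check of C), vectors already in B are skipped so that the Goto 1 loop terminates, and the parameters (n = 8, four rows of weight 3, bitmask rows) are this example's own choices.

```python
import functools, operator

# Constructed toy key: secret sparse H' over n = 8 columns (rows as bitmasks,
# bit i = column i, weight 3) hidden behind a sparse invertible T, as in Setup.
H_SECRET = [0b00000111, 0b00111000, 0b01001001, 0b10010010]
T_ROWS = [[0, 1], [1, 2], [2, 3], [3]]      # T as lists of column indices (upper triangular)

def mix(t_rows, rows):                      # H = T x H' over GF(2): XOR the selected rows
    return [functools.reduce(operator.xor, (rows[j] for j in idx), 0) for idx in t_rows]

def weight(v):                              # Hamming weight of a bitmask row
    return bin(v).count("1")

def reduce_mod_basis(v, basis):             # returns 0 iff v lies in the span of basis
    while v and v.bit_length() - 1 in basis:
        v ^= basis[v.bit_length() - 1]
    return v

def span_basis(rows):                       # echelon basis of the row space, keyed by top bit
    basis = {}
    for r in rows:
        r = reduce_mod_basis(r, basis)
        if r:
            basis[r.bit_length() - 1] = r
    return basis

def new_check(h, basis, B):                 # steps 1-2: fresh h_i AND h_j that is a parity check of C
    for i in range(len(h)):
        for j in range(i + 1, len(h)):
            v = h[i] & h[j]
            if v and v not in B and reduce_mod_basis(v, basis) == 0:
                return v
    return None

def recover_sparse_checks(h_rows):
    basis = span_basis(h_rows)              # row space of H = the parity checks of C
    h, B = list(h_rows), set()
    v = new_check(h, basis, B)
    while v is not None:                    # steps 3-8: sparsify every row with v, then Goto 1
        B.add(v)                            # (vectors already in B are skipped, so this terminates)
        for l in range(len(h)):
            if weight(h[l] ^ v) < weight(h[l]):
                h[l] ^= v
        v = new_check(h, basis, B)
    return B, h

H_PUB = mix(T_ROWS, H_SECRET)               # public matrix: row weights 6, 4, 6, 3
def leaked_secret_rows(h_pub, h_secret):    # rows of H' that end up in B or in the sparsified H
    B, h = recover_sparse_checks(h_pub)
    return sorted(r for r in h_secret if r in B or r in h)
```

Even on this toy key one row of H' lands in B and another appears verbatim in the sparsified H, which is exactly the check a designer would run before trusting T to hide the sparsity of H'.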
II. Quasi-Cyclic Codes
Circulant Matrix
Definition.
• M is a circulant p × p matrix if
M = \begin{pmatrix} m_0 & m_1 & \cdots & m_{p-1} \\ m_{p-1} & m_0 & \cdots & m_{p-2} \\ \vdots & \vdots & \ddots & \vdots \\ m_1 & m_2 & \cdots & m_0 \end{pmatrix}
• The weight of M is the weight of m = (m_0, ..., m_{p-1})
Notation. M ↦ m(x) = m_0 + m_1 x + ··· + m_{p-1} x^{p-1}
Circulant Matrix
Properties. Let M and N be circulant p × p matrices.
• M + N is circulant, and M + N ↦ m(x) + n(x)
• M × N is circulant, and M × N ↦ m(x) · n(x) mod (x^p − 1)
• M^T is circulant, and M^T ↦ m(1/x) · x^p
• M is invertible iff m(x) is coprime with x^p − 1
Circulant-by-Block Matrix
Definition. M = [M_{i,j}] is circulant-by-block if each M_{i,j} is a circulant p × p matrix; M ↦ M(x) = [m_{i,j}(x)]
Properties. Let M and N be circulant-by-block matrices.
• M + N, M × N and M^T are also circulant-by-block matrices
• M is invertible iff det(M)(x) is coprime with x^p − 1
• M^{-1} is a circulant-by-block matrix
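The circulant/polynomial correspondence of the last slides, worked out as an added example (not from the slides): circulant matrices as 0/1 row lists, polynomials as bitmasks, and the sum, product, transpose and invertibility rules checked against each other for p = 5. Function names are this example's own.

```python
# Circulant p x p matrices over GF(2) versus the ring GF(2)[x]/(x^p - 1).
# Matrices are lists of 0/1 rows; polynomials are bitmasks (bit i = coefficient of x^i).
def circulant(m):                           # row i is m cyclically shifted right by i places
    p = len(m)
    return [[m[(j - i) % p] for j in range(p)] for i in range(p)]

def mat_mul(A, B):                          # matrix product over GF(2)
    return [[sum(a * b for a, b in zip(r, c)) % 2 for c in zip(*B)] for r in A]

def mat_add(A, B):
    return [[x ^ y for x, y in zip(r, s)] for r, s in zip(A, B)]

def transpose(M):
    return [list(c) for c in zip(*M)]

def to_poly(m):                             # m -> m(x) = m_0 + m_1 x + ... + m_{p-1} x^{p-1}
    return sum(b << i for i, b in enumerate(m))

def to_vec(poly, p):
    return [(poly >> i) & 1 for i in range(p)]

def poly_mul_mod(a, b, p):                  # a(x) b(x) mod (x^p - 1): exponents wrap around mod p
    r = 0
    for i in range(p):
        for j in range(p):
            if (a >> i) & 1 and (b >> j) & 1:
                r ^= 1 << ((i + j) % p)
    return r

def poly_transpose(a, p):                   # m(1/x) x^p mod (x^p - 1): x^i -> x^((p - i) mod p)
    return sum(((a >> i) & 1) << ((p - i) % p) for i in range(p))

def poly_gcd(a, b):                         # Euclid in GF(2)[x]; remainder by shift-and-xor division
    while b:
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a

def is_invertible(m):                       # M invertible iff gcd(m(x), x^p - 1) = 1
    p = len(m)
    return poly_gcd(to_poly(m), (1 << p) | 1) == 1

def check_properties(m, n):                 # the sum, product and transpose rules, as booleans
    p, M, N = len(m), circulant(m), circulant(n)
    add_ok = mat_add(M, N) == circulant(to_vec(to_poly(m) ^ to_poly(n), p))
    mul_ok = mat_mul(M, N) == circulant(to_vec(poly_mul_mod(to_poly(m), to_poly(n), p), p))
    tr_ok = transpose(M) == circulant(to_vec(poly_transpose(to_poly(m), p), p))
    return add_ok, mul_ok, tr_ok
```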