A Distinguisher for High-Rate McEliece Cryptosystems

Faugère, Jean-Charles; Gauthier-Umaña, Valérie; Otmani, Ayoub; Perret, Ludovic; Tillich, Jean–Pierre

doi:10.1109/tit.2013.2272036

Cited by 92 publications

(83 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Generic decoding is NP-complete [3] and is also believed to be hard on average. Though the pseudorandomness of Goppa codes has not been studied as thoroughly as generic decoding, no efficient algorithm is known to distinguish a random matrix from a generator matrix of a Goppa code, except when the code rate is close to one [4], a case which is not a threat against the McEliece encryption scheme.…”

Section: Introductionmentioning

confidence: 99%

Worst case QC-MDPC decoder for McEliece cryptosystem

Chaulet¹,

Sendrier²

2016

2016 IEEE International Symposium on Information Theory (ISIT)

View full text Add to dashboard Cite

Abstract-QC-MDPC-McEliece is a recent variant of theMcEliece encryption scheme which enjoys relatively small key sizes as well as a security reduction to hard problems of coding theory. Furthermore, it remains secure against a quantum adversary and is very well suited to low cost implementations on embedded devices.Decoding MDPC codes is achieved with the (iterative) bit flipping algorithm, as for LDPC codes. Variable time decoders might leak some information on the code structure (that is on the sparse parity check equations) and must be avoided. A constant time decoder is easy to emulate, but its running time depends on the worst case rather than on the average case. So far implementations were focused on minimizing the average cost. We show that the tuning of the algorithm is not the same to reduce the maximal number of iterations as for reducing the average cost. This provides some indications on how to engineer the QC-MDPC-McEliece scheme to resist a timing side-channel attack.

show abstract

Section: Introductionmentioning

confidence: 99%

Worst case QC-MDPC decoder for McEliece cryptosystem

Chaulet¹,

Sendrier²

2016

2016 IEEE International Symposium on Information Theory (ISIT)

View full text Add to dashboard Cite

show abstract

“…We recall the following result on the generic behaviour of random codes with respect to this operation. This provides a distinguisher between random codes and algebraically structured codes such as generalised Reed Solomon codes [19,8], Reed Muller codes [7], polar codes [2] some Goppa codes [12,10] or algebraic geometry codes [9]. For instance, in the case of GRS codes, we have the following result.…”

Section: Schur Product Of Codes and Square Codes Distinguishermentioning

confidence: 98%

“…• If i ∈ I GRS (see (2), (8) and (12) for the definition), puncturing does not affect the dimension of the square code:…”

Section: Identifying Pairs Of Twin Positionsmentioning

confidence: 99%

Recovering Short Secret Keys of RLCE in Polynomial Time

Couvreur¹,

Lequesne²,

Tillich³

2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Historically, the first digital signature scheme based on error correcting codes is the Courtois-Finiasz-Sendrier (CFS) scheme [9], that uses high rate Goppa codes and follows a hash-and-sign approach. This scheme is known to be unpractical, since it has some security flaws (high rate Goppa codes can be distinguished from random codes [10]) and requires very large public-keys and long signature times.…”

Section: Introductionmentioning

confidence: 99%

Cryptanalysis of a One-Time Code-Based Digital Signature Scheme

Santini

Baldi

Chiaraluce

2019

2019 IEEE International Symposium on Information Theory (ISIT)

View full text Add to dashboard Cite

We consider a one-time digital signature scheme recently proposed by Persichetti and show that a successful key recovery attack can be mounted with limited complexity. The attack we propose exploits a single signature intercepted by the attacker, and relies on a statistical analysis performed over such a signature, followed by information set decoding. We assess the attack complexity and show that a full recovery of the secret key can be performed with a work factor that is far below the claimed security level. The efficiency of the attack is motivated by the sparsity of the signature, which leads to a significant information leakage about the secret key.

show abstract

A Distinguisher for High-Rate McEliece Cryptosystems

Cited by 92 publications

References 21 publications

Worst case QC-MDPC decoder for McEliece cryptosystem

Worst case QC-MDPC decoder for McEliece cryptosystem

Recovering Short Secret Keys of RLCE in Polynomial Time

Cryptanalysis of a One-Time Code-Based Digital Signature Scheme

Contact Info

Product

Resources

About