An Observation on the Security of McEliece’s Public-Key Cryptosystem

Lee, P. J.; Brickell, Ernest F.

doi:10.1007/3-540-45961-8_25

Cited by 198 publications

(148 citation statements)

References 3 publications

(2 reference statements)

Supporting

Mentioning

144

Contrasting

Unclassified

Order By: Relevance

“…The first assumption is enforced by complexity theory results [3,2,16], and by extensive research on general purpose decoders [7,18,4]. The second assumption received less attention.…”

Section: A Brief Description Of Mceliece's and Niederreiter's Schemesmentioning

confidence: 99%

How to Achieve a McEliece-Based Digital Signature Scheme

Courtois

Finiasz

Sendrier

2001

Advances in Cryptology — ASIACRYPT 2001

289

256

View full text Add to dashboard Cite

Abstract. McEliece is one of the oldest known public key cryptosystems. Though it was less widely studied than RSA, it is remarkable that all known attacks are still exponential. It is widely believed that code-based cryptosystems like McEliece do not allow practical digital signatures. In the present paper we disprove this belief and show a way to build a practical signature scheme based on coding theory. Its security can be reduced in the random oracle model to the well-known syndrome decoding problem and the distinguishability of permuted binary Goppa codes from a random code. For example we propose a scheme with signatures of 81-bits and a binary security workfactor of 2 83 .

show abstract

“…The first assumption is enforced by complexity theory results [3,2,16], and by extensive research on general purpose decoders [7,18,4]. The second assumption received less attention.…”

Section: A Brief Description Of Mceliece's and Niederreiter's Schemesmentioning

confidence: 99%

How to Achieve a McEliece-Based Digital Signature Scheme

Courtois

Finiasz

Sendrier

2001

Advances in Cryptology — ASIACRYPT 2001

289

256

View full text Add to dashboard Cite

show abstract

“…Even if z k = 0, m can be recovered by guessing z k among small Hamming weights [15] (we call this the generalized information-set-decoding (GISD) attack). The correctness of the recovered plaintext m is verifiable by checking whether the Hamming weight of c ⊕ mG is t or not.…”

Section: Non-critical Attacksmentioning

confidence: 99%

“…if A distinguishes b for any combinations of Hashz and Gen, the fault must be in the conversion structure. (16) from (12), (14) and (15). The number of steps of B is at most t + (T Dec + T G ) · q G + T H · q H where T Dec is the number of steps for decrypting the original McEliece PKC using a new query to Gen asz, T G is both for checking whether a query to Gen is new or not and for returning the corresponding value, and T H is both for checking whether a query to Hash z is new or not and for returning the corresponding value.…”

Section: Definition 1 Let Askg Denote the Event Thatz Is Asked Tomentioning

confidence: 99%

“…It is based on the decoding problem of a large linear code with no visible structure which is conjectured to be an NP-complete problem. 2 While no polynomial-time algorithm has been discovered yet for decoding an arbitrary linear code of large length with no visible structure, a lot of attacks (some of them work in polynomial-time) are known to the McEliece PKC [1,3,4,12,15,28,17,13].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Semantically Secure McEliece Public-Key Cryptosystems -Conversions for McEliece PKC -

Kobara

Imai

2001

Public Key Cryptography

129

105

View full text Add to dashboard Cite

Abstract. Almost all of the current public-key cryptosystems (PKCs) are based on number theory, such as the integer factoring problem and the discrete logarithm problem (which will be solved in polynomial-time after the emergence of quantum computers). While the McEliece PKC is based on another theory, i.e. coding theory, it is vulnerable against several practical attacks. In this paper, we carefully review currently known attacks to the McEliece PKC, and then point out that, without any decryption oracles or any partial knowledge on the plaintext of the challenge ciphertext, no polynomial-time algorithm is known for inverting the McEliece PKC whose parameters are carefully chosen. Under the assumption that this inverting problem is hard, we propose slightly modified versions of McEliece PKC that can be proven, in the random oracle model, to be semantically secure against adaptive chosen-ciphertext attacks. Our conversions can achieve the reduction of the redundant data down to 1/3 ∼ 1/4 compared with the generic conversions for practical parameters.

show abstract

“…Both problems are NP-hard. Moreover SD have withstood more than 20 years of extensive research on the cryptanalysis of the McEliece cryptosystem [22] and all the known attacks for SD are still exponential, [1,3,21,36,40]. MinRank in fact contains SD and thus is also probably exponential.…”

Section: Introductionmentioning

confidence: 99%

Efficient Zero-Knowledge Authentication Based on a Linear Algebra Problem MinRank

Courtois

2001

Advances in Cryptology — ASIACRYPT 2001

View full text Add to dashboard Cite

Abstract.A Zero-knowledge protocol provides provably secure entity authentication based on a hard computational problem. Among many schemes proposed since 1984, the most practical rely on factoring and discrete log, but still they are practical schemes based on NP-hard problems. Among them, the problem SD of decoding linear codes is in spite of some 30 years of research effort, still exponential. We study a more general problem called MinRank that generalizes SD and contains also other well known hard problems. MinRank is also used in cryptanalysis of several public key cryptosystems such as birational schemes (Crypto'93), HFE (Crypto'99), GPT cryptosystem (Eurocrypt'91), TTM (Asiacrypt'2000) and Chen's authentication scheme (1996). We propose a new Zero-knowledge scheme based on MinRank. We prove it to be Zero-knowledge by black-box simulation. An adversary able to fraud for a given MinRank instance is either able to solve it, or is able to compute a collision on a given hash function. MinRank is one of the most efficient schemes based on NP-complete problems. It can be used to prove in Zero-knowledge a solution to any problem described by multivariate equations. We also present a version with a public key shared by a few users, that allows anonymous group signatures (a.k.a. ring signatures).

show abstract

An Observation on the Security of McEliece’s Public-Key Cryptosystem

Cited by 198 publications

References 3 publications

How to Achieve a McEliece-Based Digital Signature Scheme

How to Achieve a McEliece-Based Digital Signature Scheme

Semantically Secure McEliece Public-Key Cryptosystems -Conversions for McEliece PKC -

Efficient Zero-Knowledge Authentication Based on a Linear Algebra Problem MinRank

Contact Info

Product

Resources

About