Algebraic Cryptanalysis of McEliece Variants with Compact Keys
- In Proceedings of Eurocrypt 2010
Cited by 11 (6 self)
Abstract. In this paper we propose a new approach to investigate the security of the McEliece cryptosystem. We recall that this cryptosystem relies on the use of error-correcting codes. Since its invention thirty years ago, no efficient attack had been devised that managed to recover the private key. We prove that the private key of the cryptosystem satisfies a system of bi-homogeneous polynomial equations. This property is due to the particular class of codes considered, which are alternant codes. We have used these highly structured algebraic equations to mount an efficient key-recovery attack against two recent variants of the McEliece cryptosystem that aim at reducing public key sizes. These two compact variants of McEliece managed to propose keys with less than 20,000 bits. To do so, they proposed to use quasi-cyclic or dyadic structures. An implementation of our algebraic attack in the computer algebra system MAGMA allows one to find the secret key in a negligible time (less than one second) for almost all the proposed challenges. For instance, a private key designed for 256-bit security has been found in 0.06 seconds with about 2^17.8 operations.
A Distinguisher for High Rate McEliece Cryptosystems
Cited by 3 (2 self)
Abstract. The purpose of this paper is to study the difficulty of the so-called Goppa Code Distinguishing (GD) problem introduced by Courtois, Finiasz and Sendrier at Asiacrypt 2001. GD is the problem of distinguishing the public matrix in the McEliece cryptosystem from a random matrix. It is widely believed that this problem is computationally hard, as proved by the increasing number of papers using this hardness assumption. In our view, disproving/mitigating this hardness assumption is a breakthrough in code-based cryptography and may open a new direction to attack McEliece cryptosystems. In this paper, we present an efficient distinguisher for alternant and Goppa codes of high rate over binary/non-binary fields. Our distinguisher is based on a recent algebraic attack against compact variants of McEliece which reduces the key recovery to the problem of solving an algebraic system of equations. We exploit a defect of rank in the (linear) system obtained by linearizing this algebraic system. It turns out that our distinguisher is highly discriminant. Indeed, we are able to precisely quantify the defect of rank for “generic” binary and non-binary random, alternant and Goppa codes. We have verified these formulas with practical experiments, and a theoretical explanation for such a defect of rank is also provided. We believe that this work helps shed some light on the choice of secure parameters.
Information-set decoding for linear codes over Fq
- In PQCrypto 2010, pp. 81–94. URL: http://eprint.iacr.org/2009/589
Cited by 2 (1 self)
Abstract. The best known non-structural attacks against code-based cryptosystems are based on information-set decoding. Stern’s algorithm and its improvements are well optimized and the complexity is reasonably well understood. However, these algorithms only handle codes over F2. This paper presents a generalization of Stern’s information-set-decoding algorithm for decoding linear codes over arbitrary finite fields Fq and analyzes the complexity. This result makes it possible to compute the security of recently proposed code-based systems over non-binary fields. As an illustration, ranges of parameters for generalized McEliece cryptosystems using classical Goppa codes over F31 are suggested for which the new information-set-decoding algorithm needs 2^128 bit operations.
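The generic decoding attack that the abstract above (and the ball-collision entry further down) measures security against, written out as an added example; this is not code from any of the papers listed here. It is a Lee-Brickell information-set decoder over a prime field F_p, so it covers the binary case and prime fields such as F_31 but not extension fields F_{2^m}, which would need polynomial arithmetic. With the parameter max_p (errors tolerated inside the information set) set to 0 it is Prange's original algorithm; Stern's algorithm and ball-collision decoding improve the search performed inside each iteration, not this outer structure. The toy parity-check matrix, the planted weight-t error vector and the parameters are constructed for the example and are far below cryptographic sizes.

```python
"""Lee-Brickell information-set decoding over a prime field F_p.

Added illustration: the code, the random code instance and the planted error
below are constructed for this example, not taken from any of the listed
papers. Only prime p is supported (field arithmetic is integer arithmetic mod p).
"""
import random
from itertools import combinations, product
from math import comb


def syndrome(H, e, p):
    """Compute s = H e^T over F_p."""
    return [sum(h * x for h, x in zip(row, e)) % p for row in H]


def weight(v):
    """Hamming weight: number of nonzero coordinates."""
    return sum(1 for x in v if x)


def reduce_on_random_set(H, s, p, rng):
    """Pick a random information set and Gauss-Jordan reduce [H | s] over F_p.

    Columns are visited in random order; the first n-k independent ones become
    the pivot (redundancy) set, every other column lands in the information
    set. Returns the reduced augmented matrix and the list of pivot columns
    (row i of the result has its 1 in column pivots[i]).
    """
    r, n = len(H), len(H[0])
    order = list(range(n))
    rng.shuffle(order)
    M = [row[:] + [s[i]] for i, row in enumerate(H)]
    pivots, row = [], 0
    for c in order:
        if row == r:
            break
        piv = next((i for i in range(row, r) if M[i][c]), None)
        if piv is None:
            continue                       # dependent column, skip it
        M[row], M[piv] = M[piv], M[row]
        inv = pow(M[row][c], -1, p)
        M[row] = [(x * inv) % p for x in M[row]]
        for i in range(r):
            if i != row and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[row])]
        pivots.append(c)
        row += 1
    return M, pivots


def lee_brickell(H, s, t, p, max_p=1, iterations=10_000, seed=0):
    """Return e with H e^T = s and wt(e) = t, or None if iterations run out.

    Each iteration guesses an information set and allows at most max_p error
    positions (with any nonzero coefficient) inside it; max_p = 0 is Prange.
    The other t - q errors must sit on pivot columns, where they are read off
    the reduced syndrome directly.
    """
    rng = random.Random(seed)
    r, n = len(H), len(H[0])
    for _ in range(iterations):
        M, pivots = reduce_on_random_set(H, s, p, rng)
        if len(pivots) < r:
            continue                       # rank deficient on this set; retry
        s_red = [M[i][n] for i in range(r)]
        info = [c for c in range(n) if c not in pivots]
        for q in range(max_p + 1):
            for cols in combinations(info, q):
                for coef in product(range(1, p), repeat=q):
                    v = [(s_red[i] - sum(c * M[i][col] for c, col in zip(coef, cols))) % p
                         for i in range(r)]
                    if weight(v) != t - q:
                        continue
                    e = [0] * n
                    for c, col in zip(coef, cols):
                        e[col] = c
                    for i, col in enumerate(pivots):
                        e[col] = v[i]
                    if syndrome(H, e, p) == s:  # sanity check on the candidate
                        return e
    return None


def success_probability(n, k, t, max_p):
    """Probability that one iteration succeeds for a uniformly random information set.

    The expected number of iterations is its inverse; ISD cost estimates such as
    the 2^128 figure above multiply that by the per-iteration work.
    """
    return sum(comb(k, q) * comb(n - k, t - q) for q in range(max_p + 1)) / comb(n, t)


def random_instance(n, k, t, p, seed):
    """Constructed toy instance: random parity-check matrix, weight-t error, its syndrome."""
    rng = random.Random(seed)
    H = [[rng.randrange(p) for _ in range(n)] for _ in range(n - k)]
    e = [0] * n
    for pos in rng.sample(range(n), t):
        e[pos] = rng.randrange(1, p)
    return H, e, syndrome(H, e, p)


if __name__ == "__main__":
    for p, n, k, t in ((2, 40, 20, 3), (31, 30, 15, 3)):
        H, e, s = random_instance(n, k, t, p, seed=1)
        found = lee_brickell(H, s, t, p, max_p=1, seed=2)
        print(f"F_{p}: recovered planted error: {found == e}; "
              f"per-iteration success probability {success_probability(n, k, t, 1):.3f}")
```

Over F_31 the inner loop tries every nonzero coefficient for each guessed information-set position, which is the (q − 1) factor that makes q-ary ISD more expensive per iteration than the binary case; at cryptographic sizes the iteration count, not this toy's few dozen loops, is what the 2^128 estimate above counts.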
Faster 2-regular information-set decoding
Cited by 1 (1 self)
Abstract. Fix positive integers B and w. Let C be a linear code over F2 of length Bw. The 2-regular-decoding problem is to find a nonzero codeword consisting of w length-B blocks, each of which has Hamming weight 0 or 2. This problem appears in attacks on the FSB (fast syndrome-based) hash function and related proposals. This problem differs from the usual information-set-decoding problems in that (1) the target codeword is required to have a very regular structure and (2) the target weight can be rather high, so that there are many possible codewords of that weight. Augot, Finiasz, and Sendrier, in the paper that introduced FSB, presented a variant of information-set decoding tuned for 2-regular decoding. This paper improves the Augot–Finiasz–Sendrier algorithm in a way that is analogous to Stern’s improvement upon basic information-set decoding. The resulting algorithm achieves an exponential speedup over the previous algorithm. Keywords: Information-set decoding, 2-regular decoding, FSB, binary codes.
Parallel-CFS: Strengthening the CFS McEliece-Based Signature Scheme
Cited by 1 (0 self)
Abstract. This article presents a modification of the CFS code-based signature scheme. By producing two (or more generally i) signatures in parallel, we show that it is possible to protect this scheme from “one out of many” decoding attacks. With this modification, and at the cost of slightly larger signatures, it is possible to use smaller parameters for the CFS signature, thus making this new Parallel-CFS construction more practical than standard CFS signatures.
Wild McEliece
Abstract. The original McEliece cryptosystem uses length-n codes over F2 with dimension ≥ n − mt efficiently correcting t errors where 2^m ≥ n. This paper presents a generalized cryptosystem that uses length-n codes over small finite fields Fq with dimension ≥ n − m(q − 1)t efficiently correcting ⌊qt/2⌋ errors where q^m ≥ n. Previously proposed cryptosystems with the same length and dimension corrected only ⌊(q − 1)t/2⌋ errors for q ≥ 3. This paper also presents list-decoding algorithms that efficiently correct even more errors for the same codes over Fq. Finally, this paper shows that the increase from ⌊(q − 1)t/2⌋ errors to more than ⌊qt/2⌋ errors allows considerably smaller keys to achieve the same security level against all known attacks.
Ball-collision decoding
Abstract. This paper introduces a new generic decoding algorithm that is asymptotically faster than any previous attack against the McEliece cryptosystem. At a 256-bit security level, the attack costs 2.6 times fewer bit operations than the best previous attack; at a theoretical 1000-bit security level, the attack costs 15.5 times fewer bit operations than the best previous attack. The algorithm is asymptotically even faster than the Finiasz–Sendrier “lower bound” published at Asiacrypt 2009, demonstrating that the Finiasz–Sendrier parameter recommendations are not as secure as claimed. This paper proposes much safer, but still reasonably efficient, parameters based on an analysis of the fundamental bottleneck in all algorithms of this type.
2 Forward Security for Hash-Based Signatures
"... Successful factorization attacks against RSA in practice ..."
Post-Quantum Cryptography: Code-based Signatures
This survey provides a comparative overview of code-based signature schemes with respect to security and performance. Furthermore, we explicitly describe the different code-based signature schemes with additional properties like identity-based, threshold ring and blind signatures.
Attacking code/lattice-based cryptosystems using Partial Knowledge
Abstract. Code-based cryptographic schemes are promising candidates for post-quantum cryptography since they are fast, require only basic arithmetic, and because their security is well understood. While most analyses of security assume that an attacker does not have any information about the secret key, we show that in certain scenarios an attacker can gain partial knowledge of the secret key. We present how this knowledge can be used to improve the efficiency of an attack, and give new bounds for the complexity of such an attack. In this paper, we analyze two types of partial knowledge including concrete scenarios, and give an idea of how to prevent the leak of such knowledge to an attacker.

