Attacking and defending the McEliece cryptosystem
pp. 31–46 in (Buchmann and Ding 2008). URL: http://cr.yp.to/papers.html#mceliece
Cited by 54 (2 self)
Abstract. This paper presents several improvements to Stern’s attack on the McEliece cryptosystem and achieves results considerably better than Canteaut et al. We show that the system with the originally proposed parameters can be broken on a moderate cluster in about a week. We have implemented our attack and are carrying it out now. This paper proposes new parameters for the McEliece and Niederreiter cryptosystems achieving standard levels of security against all known attacks. The new parameters take account of our improved attack; the recent introduction of list decoding for binary Goppa codes; and the possibility of choosing code lengths that are not a power of 2. We achieve considerably smaller public key sizes than previous parameter choices for the same level of security.
Improved fast syndrome based cryptographic hash functions
 in Proceedings of ECRYPT Hash Workshop 2007 (2007). URL: http://wwwroc.inria.fr/secret/Matthieu.Finiasz
Cited by 31 (6 self)
Abstract. Recently, some collisions have been exposed for a variety of cryptographic hash functions [19] including some of the most widely used today. Many other hash functions using similar constructions can however still be considered secure. Nevertheless, this has drawn attention on the need for new hash function designs. In this article is presented a family of secure hash functions, whose security is directly related to the syndrome decoding problem from the theory of error-correcting codes. Taking into account the analysis by Coron and Joux [4] based on Wagner’s generalized birthday algorithm [18] we study the asymptotical security of our functions. We demonstrate that this attack is always exponential in terms of the length of the hash value. We also study the workfactor of this attack, along with other attacks from coding theory, for non-asymptotic range, i.e. for practical values. Accordingly, we propose a few sets of parameters giving a good security and either a faster hashing or a shorter description for the function. Key Words: cryptographic hash functions, provable security, syndrome decoding, NP-completeness, Wagner’s generalized birthday problem.
A Fast Provably Secure Cryptographic Hash Function
Proceedings of the 2nd Conference on Object-Oriented Technology and Systems (COOTS’96), Usenix Association, 1996
Cited by 9 (3 self)
We propose a family of fast and provably secure cryptographic hash functions. The security of these functions relies directly on the well-known syndrome decoding problem for linear codes. Attacks on this problem are well identified and their complexity is known. This enables us to study precisely the practical security of the hash functions and propose valid parameters for implementation. Furthermore, the design proposed here is fully scalable, with respect to security, hash size and output rate.
Lightweight code-based identification and signature
Cited by 7 (0 self)
We revisit the code-based identification protocol proposed by Stern at Crypto’93, and give evidence that the size of public keys can be dramatically reduced while preserving a high and well-understood level of security. More precisely, the public keys can be made even shorter than RSA ones (typically 347 bits), while their size is around 150 Kbits in the original scheme. This is achieved by using matrices which are double circulant, rather than purely random. On the whole, this provides a very practical identification (and possibly signature) scheme which is mostly attractive for lightweight cryptography.
Selecting parameters for secure McEliece-based cryptosystems
2010
Cited by 2 (0 self)
Abstract. In 1994, P. Shor showed that quantum computers will be able to break cryptosystems based on integer factorization and on the discrete logarithm, e.g. RSA or ECC. Code-based cryptosystems are promising alternatives to public key schemes based on these problems, and they are believed to be secure against quantum computer attacks. In this paper, we solve the problem of selecting optimal parameters for the McEliece cryptosystem that provide security until a given year and give detailed recommendations. Our analysis is based on the lower bound complexity estimates by Sendrier and Finiasz, and the security requirements model proposed by Lenstra and Verheul. Key words: Post-quantum cryptography, codes, McEliece, key length, parameters.
Oblivious Transfer via McEliece’s PKC and Permuted Kernels
Cited by 2 (0 self)
Abstract. We present two efficient protocols for two flavors of oblivious transfer (OT): the Rabin and 1-out-of-2 OT using the McEliece cryptosystem and Shamir’s zero-knowledge identification scheme based on permuted kernels. This is a step towards diversifying computational assumptions on which OT – the primitive of central importance – can be based. Although we obtain a weak version of Rabin OT (where the malicious receiver may decrease his erasure probability), it can nevertheless be reduced to secure 1-out-of-2 OT. Elaborating on the first protocol, we provide a practical construction for 1-out-of-2 OT.
Proof of Plaintext Knowledge for Code-Based Public-Key Encryption Revisited
In a recent paper at Asiacrypt’2012, Jain et al point out that Véron code-based identification scheme is not perfect zero-knowledge. In particular, this creates a gap in security arguments of proof of plaintext knowledge (PPK) and verifiable encryption for the McEliece public key encryption (PKE) proposed by Morozov and Takagi at ACISP’2012. We fix the latter result by showing that PPK for the code-based Niederreiter and McEliece PKE’s can be constructed using Stern zero-knowledge identification scheme, which is unaffected by the above mentioned problem. Since code-based verifiable encryption uses PPK as a main ingredient, our proposal presents a fix for the McEliece verifiable encryption as well. In addition, we present the Niederreiter verifiable encryption.
Project-Team Codes: Coding and Cryptography
Activity report 2007 (table of contents)