A new algorithm for finding minimum-weight words in a linear code: application to primitive narrow-sense BCH codes of length 511
, 1998
Cited by 63 (1 self)
An algorithm for finding small-weight words in large linear codes is developed. It is in particular able to decode random [512,256,57]-linear codes in 9 hours on a DEC Alpha computer. We determine with it the minimum distance of some binary BCH codes of length 511, which were not known. Key words: error-correcting codes, decoding algorithm, minimum weight, random linear codes, BCH codes. Submitted to IEEE Transactions on Information Theory. Affiliations: École Nationale Supérieure de Techniques Avancées (laboratoire LEI), Paris; Laboratoire d'Informatique de l'École Normale Supérieure, Paris; INRIA Rocquencourt, Le Chesnay, France.
A New Identification Scheme Based on Syndrome Decoding
, 1994
Cited by 50 (8 self)
Zero-knowledge proofs were introduced in 1985, in a paper by Goldwasser, Micali and Rackoff ([6]). Their practical significance was soon demonstrated in the work of Fiat and Shamir ([4]), who turned zero-knowledge proofs of quadratic residuosity into efficient means of establishing user identities. Still, as is almost always the case in public-key cryptography, the Fiat-Shamir scheme relied on arithmetic operations on large numbers. In 1989, there were two attempts to build identification protocols that only use simple operations (see [11, 10]). One appeared in the EUROCRYPT proceedings and relies on the intractability of some coding problems; the other was presented at the CRYPTO rump session and depends on the so-called Permuted Kernel Problem (PKP). Unfortunately, the first of the schemes was not really practical. In the present paper, we propose a new identification scheme, based on error-correcting codes, which is zero-knowledge and is of practical value. Furthermore, we describe several variants, including one which has an identity-based character. The security of our scheme depends on the hardness of decoding a word of given syndrome w.r.t. some binary linear error-correcting code.
Improved Fast Correlation Attacks on Stream Ciphers via Convolutional Codes
, 1999
Cited by 35 (4 self)
This paper describes new methods for fast correlation attacks, based on the theory of convolutional codes. They can be applied to arbitrary LFSR feedback polynomials, in contrast to the previous methods, which mainly focus on feedback polynomials of low weight. The results significantly improve on the few previous results for this general case, and are in many cases comparable with corresponding results for low-weight feedback polynomials.
On the Security of Some Cryptosystems Based on Error-Correcting Codes
, 1994
Cited by 24 (2 self)
A number of public-key cryptosystems based on error-correcting codes have been proposed as an alternative to algorithms based on number theory. In this paper, we analyze very precisely the algorithms that can be used to attack such cryptosystems, and optimize them. We thus obtain more efficient attacks than those previously known. Even if they remain infeasible, they indicate which cryptosystem parameters are ruled out by the existence of these algorithms.
1 Introduction
1.1 An NP-complete problem
It is known [BMT78] that the problem of finding a codeword of given weight in a binary linear code is NP-complete. This property can be used to build cryptosystems or identification systems. But, as for other NP-complete problems, some instances of this problem can be solved by probabilistic algorithms. This means that cryptographic systems such as the following ones must take into account the performance of these algorithms.
1.2 The McEliece public key cryptosystem
Presentation T...
Attacking and defending the McEliece cryptosystem
- Pages 31–46 in (Buchmann and Ding 2008). URL: http://cr.yp.to/papers.html#mceliece
Cited by 21 (2 self)
This paper presents several improvements to Stern’s attack on the McEliece cryptosystem and achieves results considerably better than Canteaut et al. We show that the system with the originally proposed parameters can be broken on a moderate cluster in about a week. We have implemented our attack and are carrying it out now. This paper proposes new parameters for the McEliece and Niederreiter cryptosystems achieving standard levels of security against all known attacks. The new parameters take account of our improved attack; the recent introduction of list decoding for binary Goppa codes; and the possibility of choosing code lengths that are not a power of 2. We achieve considerably smaller public key sizes than previous parameter choices for the same level of security.
Fast Correlation Attacks based on Turbo Code Techniques
- In Advances in Cryptology - CRYPTO’99, number 1666 in Lecture Notes in Computer Science
, 1999
Cited by 20 (3 self)
This paper describes new methods for fast correlation attacks on stream ciphers, based on techniques used for constructing and decoding the by now famous turbo codes. The proposed algorithm consists of two parts, a preprocessing part and a decoding part. The preprocessing part identifies several parallel convolutional codes, embedded in the code generated by the LFSR, all sharing the same information bits. The decoding part then finds the correct information bits through an iterative decoding procedure. This provides the initial state of the LFSR.
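The two fast-correlation-attack abstracts above share one attack model: the keystream is treated as the output of an LFSR sent through a binary symmetric channel, so recovering the initial state becomes a decoding problem. The Python program below is an added example written for this page, not code from either paper. It sets up that model on a toy 12-bit register and runs the basic correlation attack, which scores every one of the 2^L possible initial states against the observed keystream and keeps the one that agrees most often. That exhaustive enumeration is the step the fast methods replace with convolutional- or turbo-code decoding; at 2^12 states it finishes in seconds, which is why the toy is sized as it is. The tap positions, the noise level p = 0.25, the keystream length and the seed are assumptions chosen for the demonstration.

```python
"""Toy correlation attack: recover an LFSR initial state from a noisy keystream.

Added example.  Model (the one the fast-correlation-attack papers use): the
attacker sees z = x XOR e, where x is the LFSR output and e is noise from a
binary symmetric channel with crossover probability p < 1/2.  The basic attack
tries every initial state and keeps the one whose output agrees most often
with z; fast correlation attacks replace that exhaustive enumeration with a
decoding procedure.  Register length, taps, p and the seed are toy choices.
"""
import random

L = 12                                  # register length: 2**12 - 1 nonzero states
TAPS = (1, 4, 6, 12)                    # s[n] = s[n-1]^s[n-4]^s[n-6]^s[n-12] (example choice)
TAP_MASK = sum(1 << (L - t) for t in TAPS)


def lfsr_output(v, n):
    """Clock a Fibonacci LFSR n times. State v is an int with bit i = s[i], bit 0
    the oldest bit; each clock outputs s[0] and shifts the feedback bit in at the top."""
    out = []
    for _ in range(n):
        out.append(v & 1)
        fb = bin(v & TAP_MASK).count("1") & 1
        v = (v >> 1) | (fb << (L - 1))
    return out


def noisy_keystream(state, n, p, rng):
    """Constructed sample: LFSR output passed through a BSC with crossover probability p."""
    return [b ^ (1 if rng.random() < p else 0) for b in lfsr_output(state, n)]


def correlation_attack(z):
    """Exhaustive correlation attack. Returns (best_state, agreements), where
    agreements is how many of the len(z) keystream bits that state's output matches."""
    n = len(z)
    best_state, best_agree = None, -1
    for v in range(1, 1 << L):                      # the all-zero state is excluded
        x = lfsr_output(v, n)
        agree = sum(1 for a, b in zip(x, z) if a == b)
        if agree > best_agree:
            best_state, best_agree = v, agree
    return best_state, best_agree


def demo(seed=2024, n=300, p=0.25):
    """Generate a noisy keystream from a random secret state and attack it.
    Returns (true_state, recovered_state, agreements)."""
    rng = random.Random(seed)
    true_state = rng.randrange(1, 1 << L)
    z = noisy_keystream(true_state, n, p, rng)
    found, agree = correlation_attack(z)
    return true_state, found, agree


if __name__ == "__main__":
    t, f, a = demo()
    print(f"true state {t:#05x}, recovered {f:#05x}, agreement {a}/300")
```

With p = 0.25 and 300 keystream bits the true state agrees on roughly 225 positions while every wrong state clusters near 150, so the best score identifies the state unambiguously; the first L output bits of this register are the state itself, which is why a noise-free keystream pins the state down exactly. Doubling L doubles the cost of nothing but the enumeration, which grows as 2^L: that growth, not the correlation itself, is what the convolutional- and turbo-code methods above attack.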
Security Bounds for the Design of Code-Based Cryptosystems
, 2009
Cited by 16 (2 self)
Code-based cryptography is often viewed as an interesting “Post-Quantum” alternative to the classical number theory cryptography. Unlike many other such alternatives, it has the convenient advantage of having only a few, well identified, attack algorithms. However, improvements to these algorithms have made their effective complexity quite complex to compute. We give here some lower bounds on the work factor of idealized versions of these algorithms, taking into account all possible tweaks which could improve their practical complexity. The aim of this article is to help designers select durably secure parameters.
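Four of the abstracts above (the 1998 minimum-weight-word algorithm, the 1994 security analysis, the McEliece attack, and the 2009 security bounds) rest on one computational problem: given a parity-check matrix H, a syndrome s and a weight w, find e of weight w with H e^T = s, or equivalently find a low-weight codeword. The Python program below is an added example written for this page, not code from any of those papers. It implements the simplest information-set decoder, Prange's algorithm: permute the columns, bring H into systematic form by Gaussian elimination over GF(2), read off the unique solution supported on the chosen n-k columns, and accept it if its weight is w. An iteration succeeds exactly when all w error positions fall outside the k-column information set, so the expected iteration count is C(n,w)/C(n-k,w); the program computes that figure alongside the observed count, which is the kind of work-factor estimate the 2009 paper bounds from below. Stern's algorithm and the later refinements keep this outer loop and speed up the inner search for the error positions. The parameters n = 40, k = 20, w = 3 and the seed are toy values chosen so a run takes well under a second.

```python
"""Toy information-set decoding (Prange's algorithm) for the syndrome decoding problem.

Added example.  Given a random binary parity-check matrix H ((n-k) x n), a
syndrome s and a weight w, find e of weight w with H e^T = s.  Prange's
algorithm: pick a random set of n-k columns, Gaussian-eliminate H so those
columns form an identity, read off the unique solution supported on them and
accept it if its weight is w.  One iteration succeeds with probability
C(n-k, w) / C(n, w).  Matrices are lists of row ints, vectors are ints
(bit j = coordinate j); all parameters below are toy values.
"""
import random
from math import comb


def popcount(v):
    return bin(v).count("1")


def gf2_matvec(rows, e):
    """Syndrome H e^T over GF(2); bit i of the result is row i of H dotted with e."""
    s = 0
    for i, row in enumerate(rows):
        s |= (popcount(row & e) & 1) << i
    return s


def prange_step(rows, s, n, rng):
    """One Prange iteration: random column order, elimination, candidate e (or None
    if the columns tried do not contain a full set of n-k independent columns)."""
    r = len(rows)
    # Augment each row with its syndrome bit at position n so row ops carry s along.
    aug = [row | (((s >> i) & 1) << n) for i, row in enumerate(rows)]
    cols = list(range(n))
    rng.shuffle(cols)
    pivots = []            # pivots[i] = column on which row i becomes a unit vector
    for c in cols:
        if len(pivots) == r:
            break
        used = len(pivots)
        for i in range(used, r):          # find a not-yet-pivot row with a 1 in column c
            if (aug[i] >> c) & 1:
                aug[used], aug[i] = aug[i], aug[used]
                for j in range(r):        # clear column c from every other row
                    if j != used and (aug[j] >> c) & 1:
                        aug[j] ^= aug[used]
                pivots.append(c)
                break
    if len(pivots) < r:
        return None
    # The solution supported on the pivot columns: e[c_i] = transformed syndrome bit i.
    e = 0
    for i, c in enumerate(pivots):
        if (aug[i] >> n) & 1:
            e |= 1 << c
    return e


def prange_decode(rows, s, n, w, rng, max_iter=100000):
    """Repeat until a weight-w solution appears; returns (e, iterations) or (None, max_iter)."""
    for it in range(1, max_iter + 1):
        e = prange_step(rows, s, n, rng)
        if e is not None and popcount(e) == w:
            return e, it
    return None, max_iter


def expected_iterations(n, k, w):
    """Expected Prange iterations: all w error positions must avoid the k information columns."""
    return comb(n, w) / comb(n - k, w)


def is_solution(rows, s, e, w):
    return e is not None and popcount(e) == w and gf2_matvec(rows, e) == s


def make_instance(n, k, w, rng):
    """Constructed instance: random H, random weight-w error e, syndrome s = H e^T."""
    rows = [rng.getrandbits(n) for _ in range(n - k)]
    e = 0
    for pos in rng.sample(range(n), w):
        e |= 1 << pos
    return rows, e, gf2_matvec(rows, e)


def demo(n=40, k=20, w=3, seed=7):
    rng = random.Random(seed)
    rows, e_true, s = make_instance(n, k, w, rng)
    e_found, iters = prange_decode(rows, s, n, w, rng)
    return {"rows": rows, "s": s, "e_true": e_true, "e_found": e_found,
            "iterations": iters, "expected": expected_iterations(n, k, w)}


if __name__ == "__main__":
    res = demo()
    print(f"found e = {res['e_found']:#x} (planted {res['e_true']:#x}) after "
          f"{res['iterations']} iterations; expected about {res['expected']:.1f}")
```

For the toy instance the expected count is C(40,3)/C(20,3), about 8.7 iterations. `expected_iterations(1024, 524, 50)` gives the same baseline for McEliece's original parameters (n = 1024, k = 524, 50 errors); it counts iterations only and ignores the Gaussian elimination inside each one, and the Stern-family algorithms the abstracts describe need far fewer iterations, so it is a crude upper bound on attack cost, not the figure a parameter designer should rely on.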
Analysis of step-reduced SHA-256
- FSE 2006, LNCS 4047
, 2006
Cited by 9 (1 self)
This is the first article analyzing the security of SHA-256 against fast collision search which considers the recent attacks by Wang et al. We show the limits of applying techniques known so far to SHA-256. Next we introduce a new type of perturbation vector which circumvents the identified limits. This new technique is then applied to the unmodified SHA-256. Exploiting the combination of Boolean functions and modular addition together with the newly developed technique allows us to derive collision-producing characteristics for step-reduced SHA-256, which was not possible before. Although our results do not threaten the security of SHA-256, we show that the low probability of a single local collision may give rise to a false sense of security.
A New Paradigm for Public Key Identification
- IEEE TRANSACTIONS ON INFORMATION THEORY
Cited by 9 (1 self)
The present article investigates the possibility of designing zero-knowledge identification schemes based on hard problems from coding theory. Zero-knowledge proofs were introduced in 1985, in a paper by Goldwasser, Micali and Rackoff ([16]). Their practical significance was soon demonstrated in the work of Fiat and Shamir ([11]), who turned zero-knowledge proofs of quadratic residuosity into efficient means of establishing user identities. In the present paper, we propose a new identification scheme, based on error-correcting codes, which is zero-knowledge and seems of practical value. Furthermore
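The 1994 paper above and its IEEE Transactions version describe an identification scheme whose secret is a low-weight vector s and whose public key is its syndrome H s^T. The Python program below is an added example written for this page, not code from either paper. It follows the three-pass structure of Stern's scheme: the prover masks s with a random vector y and a random permutation sigma, commits to (sigma, H y^T), sigma(y) and sigma(y XOR s), and then reveals whichever values the verifier's challenge b in {0, 1, 2} asks for. In each case the verifier can recompute two of the three commitments, and only the b = 2 case exposes the weight of s, so an impostor without s can prepare to pass any two challenges but not all three and passes a round with probability about 2/3; rounds are repeated to drive that down. SHA-256 as the commitment hash, the fixed-length byte encodings, and the toy parameters n = 24, r = 12, w = 4 are assumptions of this example and far too small for any security.

```python
"""Toy implementation of Stern's three-pass zero-knowledge identification scheme.

Added example.  Secret: s with wt(s) = W.  Public key: i = H s^T.  Each round the
prover commits to a random mask y and a random permutation sigma, the verifier
picks b in {0, 1, 2}, and the prover reveals the values for that b.  Assumptions:
SHA-256 as the commitment hash, toy parameters N, R, W (insecure), vectors as
ints with bit j = coordinate j, H as a list of R row ints.
"""
import hashlib
import random

N, R, W = 24, 12, 4          # code length, parity rows, secret weight (toy sizes)


def weight(v):
    return bin(v).count("1")


def syndrome(H, v):
    """H v^T over GF(2)."""
    s = 0
    for idx, row in enumerate(H):
        s |= (weight(row & v) & 1) << idx
    return s


def permute(v, sigma):
    """Move bit j of v to position sigma[j]; linear, so permute(a ^ b) == permute(a) ^ permute(b)."""
    out = 0
    for j in range(N):
        if (v >> j) & 1:
            out |= 1 << sigma[j]
    return out


def commit(*parts):
    """Hash commitment over fixed-length encodings (SHA-256 is this example's choice)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(bytes(p) if isinstance(p, list) else p.to_bytes(4, "big"))
    return h.hexdigest()


def keygen(rng):
    """Constructed keys: random H, random weight-W secret s, public syndrome i = H s^T."""
    H = [rng.getrandbits(N) for _ in range(R)]
    s = 0
    for pos in rng.sample(range(N), W):
        s |= 1 << pos
    return H, syndrome(H, s), s


def prover_commit(H, s, rng):
    """Pass 1: (c1, c2, c3) plus the prover's per-round state (y, sigma)."""
    y = rng.getrandbits(N)
    sigma = list(range(N))
    rng.shuffle(sigma)
    c1 = commit(sigma, syndrome(H, y))
    c2 = commit(permute(y, sigma))
    c3 = commit(permute(y ^ s, sigma))
    return (c1, c2, c3), (y, sigma)


def prover_respond(state, s, b):
    """Pass 3: reveal what challenge b asks for."""
    y, sigma = state
    if b == 0:
        return (y, sigma)
    if b == 1:
        return (y ^ s, sigma)
    return (permute(y, sigma), permute(s, sigma))


def verify(H, i, commitments, b, resp):
    """Verifier's check for challenge b against the pass-1 commitments."""
    c1, c2, c3 = commitments
    if b == 0:
        y, sigma = resp
        return c1 == commit(sigma, syndrome(H, y)) and c2 == commit(permute(y, sigma))
    if b == 1:
        ys, sigma = resp                   # ys = y ^ s, so H ys^T ^ i = H y^T
        return c1 == commit(sigma, syndrome(H, ys) ^ i) and c3 == commit(permute(ys, sigma))
    py, ps = resp                          # sigma(y), sigma(s): the only case that sees wt(s)
    return weight(ps) == W and c2 == commit(py) and c3 == commit(py ^ ps)


def run_protocol(rounds=20, seed=1):
    """Honest prover: True iff every round verifies."""
    rng = random.Random(seed)
    H, i, s = keygen(rng)
    for _ in range(rounds):
        comms, state = prover_commit(H, s, rng)
        b = rng.randrange(3)
        if not verify(H, i, comms, b, prover_respond(state, s, b)):
            return False
    return True


def impostor_success_rate(trials=3000, seed=2):
    """Impostor who commits with a random weight-W guess: passes b = 0 and b = 2,
    fails b = 1 (the guess has the wrong syndrome), so the rate settles near 2/3."""
    rng = random.Random(seed)
    H, i, _secret = keygen(rng)
    passes = 0
    for _ in range(trials):
        guess = 0
        for pos in rng.sample(range(N), W):
            guess |= 1 << pos
        comms, state = prover_commit(H, guess, rng)
        b = rng.randrange(3)
        if verify(H, i, comms, b, prover_respond(state, guess, b)):
            passes += 1
    return passes / trials
```

`run_protocol()` shows an honest prover passing every round, while `impostor_success_rate()` shows why the scheme needs many rounds: a prover holding any weight-w vector with the wrong syndrome answers b = 0 and b = 2 perfectly and fails only b = 1, and a prover holding a vector with the right syndrome but the wrong weight fails only b = 2, so neither strategy does better than 2/3 per round without solving the syndrome decoding problem in the abstract.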
On the structure of a randomly permuted concatenated code
- EUROCODE 94
, 1994
Cited by 6 (0 self)
Our purpose here is to show how it is possible to recover the structure of a randomly permuted concatenated code, and how to use this information for decoding. This result prohibits the use of first order concatenated codes in public-key cryptosystems based on error-correcting codes.