## Reaction Attacks Against Several Public-Key Cryptosystems (1996)

Venue: Department of Computer Science

Citations: 30 - 5 self

### BibTeX

```bibtex
@TECHREPORT{Hall96reactionattacks,
    author = {Chris Hall and Ian Goldberg and Bruce Schneier},
    title = {Reaction Attacks Against Several Public-Key Cryptosystems},
    institution = {Department of Computer Science},
    year = {1996}
}
```

### Abstract

We present attacks against the McEliece Public-Key Cryptosystem, the Ajtai-Dwork Public-Key Cryptosystem, and variants of those systems. Most of these systems base their security on the apparent intractability of one or more problems. The attacks we present do not violate the intractability of the underlying problems, but instead obtain information about the private key or plaintext by watching the reaction of someone decrypting a given ciphertext with the private key. In the case of the McEliece system we must repeat the attack for each ciphertext we wish to decrypt, whereas for the Ajtai-Dwork system we are able to recover the private key.

### Citations

439 | Algebraic Coding Theory - Berlekamp - 1968 |

272 | Shift-register synthesis and BCH decoding - Massey - 1969 |

224 | Tilborg. On the inherent intractability of certain coding problems (corresp - Berlekamp, McEliece, et al. - 1978 |

Citation context: ...ithm. After that M can be recovered using S^{-1}. This system, like other systems [HR88,J83,N86], depends on the fact that in the worst case, decoding an arbitrary error-correcting code is NP-complete [BMvT78]. It is hoped that G′ represents one of these difficult cases. Since their introduction, public-key cryptosystems based on error-correcting codes have largely been of theoretical interest. They requir...

207 | A public-key cryptosystem with worst-case/average-case equivalence - Ajtai, Dwork - 1997 |

Citation context: ... known to be NP-hard, but the lattice-based systems depend on the apparent difficulty of an easier shortest vector lattice problem (the unique shortest vector lattice problem). We refer the reader to [AD97] for more details. In this paper we present attacks against the McEliece Public-Key Cryptosystem (PKC), a McEliece variant [HR88], the Ajtai-Dwork PKC, and a modified version of the Ajtai-Dwork PKC th...

198 | A public-key cryptosystem based on algebraic coding theory - McEliece - 1978 |

Citation context: ...systems which allowed our attacks to work in order to try and give some design criterion for new public-key cryptosystems so that they will not be vulnerable to the same sort of attack. 2 McEliece In [M78], McEliece outlined a public-key cryptosystem based upon error correcting codes. A user chooses a n×k generator matrix G (for a (n, k) error-correcting code which can correct up to t errors), a k × k ...

58 | Knapsack-type cryptosystems and algebraic coding theory - Niederreiter - 1986 |

51 | An observation on the security of McEliece’s public key cryptosystem - LEE, BRICKELL - 1989 |

42 | A method for solving key equation for decoding Goppa codes - Sugiyama, Kasahara, et al. - 1975 |

28 | The equivalence of McEliece's and Niederreiter's public key cryptosystems - Li, Deng, et al. - 1994 |

28 | The algebraic decoding of Goppa codes - Patterson - 1975 |

23 | H.Meijer, Security-Related Comments Regarding McEliece’s Public-Key Cryptosystem - Adams - 1988 |

Citation context: ...be possible that the instances of problems produced by PKCs such as [M78] are much easier to solve. Until recently, the two best attacks against McEliece’s system appear in [AM87,KT91]. The attack in [AM87] relies on choosing k bits in an n-bit ciphertext that do not contain any errors. Given that the t incorrect bits are unknown, the probability of this event happening is low. However, once it occurs, ...

22 | Failure of the McEliece public-key cryptosystem under message-resend and related-message attack - Berson - 1997 |

Citation context: ...rs were not able to make their attack scale as they had wished (when they present it, they had only run it against a toy problem). An even more recent attack against the McEliece PKC was presented in [B97]. This attack relied on known linear relationships between two different ciphertexts (really their underlying plaintexts) in order to determine the error vectors used in encrypting the plaintexts. ...

11 | Goppa codes - Berlekamp - 1973 |

7 | Cryptanalysis and Modification of Digital Signature Scheme Based on Error-Correcting Codes - Harn, Wang - 1992 |

Citation context: ...ill be corrected and match it to a bit in the distribution on the unpermuted code. Note, at least one system explicitly states that vectors with more than t errors should be ignored. For example, see [HW92]. 2.2 Removing an Error Vector Suppose that we have a ciphertext C which we wish to decrypt to its corresponding plaintext M. To find the message, we present an algorithm which allows the attacker to ...

7 | Cryptanalysis of McEliece’s public-key cryptosystem”, Adv - KORZHIK, TURKIN - 1991 |

5 | Secret Error-Correcting Codes (SECC - Hwang, Rao - 1990 |

4 | A variant of a public key cryptosystem based on goppa codes - Jordan - 1983 |

4 | An erasures-and-errors decoding algorithm for Goppa codes - Sugiyama, Kasahara, et al. - 1976 |

3 | Secret Error-Correcting Codes - Hwang, Rao - 1990 |

Citation context: ...m (the unique shortest vector lattice problem). We refer the reader to [AD97] for more details. In this paper we present attacks against the McEliece Public-Key Cryptosystem (PKC), a McEliece variant [HR88], the Ajtai-Dwork PKC, and a modified version of the Ajtai-Dwork PKC that appears in [GGH97]. In these attacks an attacker presents the owner of the private key with a ciphertext that may contain one ...

3 | On the McEliece Cryptosystem - Tilburg - 1990 |

3 | Nonbinary BCH Decoding," paper presented at - Berlekamp |

1 | Nonbinary BCH Decoding,” paper presented at - Berlekamp |

1 | Eliminating Errors - Goldreich, Goldwasser, et al. - 1997 |

Citation context: ...ils. In this paper we present attacks against the McEliece Public-Key Cryptosystem (PKC), a McEliece variant [HR88], the Ajtai-Dwork PKC, and a modified version of the Ajtai-Dwork PKC that appears in [GGH97]. In these attacks an attacker presents the owner of the private key with a ciphertext that may contain one or more errors (that is, the ciphertext may decrypt to a plaintext which fails a simple sign...

1 | Eliminating Errors in the Ajtai-Dwork Cryptosystem - Goldreich, Goldwasser, et al. - 1997 |

1 | Cryptanalysis and Modification of Digital Signature Scheme Based on Error-Correcting Codes - Harn, Wang - 1992 |