McEliece in the world of Escher
Abstract. We present a new family of linear binary codes of length n and dimension k accompanied with a fast list decoding algorithm that can correct up to n/2 errors in a bounded channel with an error density ρ. The decisional problem of decoding random codes using these generalized error sets is NP-complete. Next we use the properties of these codes to design both an encryption scheme and a signature scheme. Although in the open literature there have been several proposals on how to produce digital signatures from the McEliece public key scheme, as far as we know, this is the first public key scheme based on codes where signatures are produced in a straightforward manner from the decryption procedure of the scheme. The security analysis of our scheme has two main parts: 1. An extensive list of attacks using the Information Set Decoding techniques adopted for our codes; 2. An analysis of the cost of a distinguishing attack based on rank attacks on the generator matrix of the code or on its dual code. Based on this security analysis we suggest some concrete parameters for the security levels in the range of 2^80 to 2^128. An additional feature of the decryption process is that it admits massive and trivial parallelization that could potentially make
Leif Nilsen, UNIK, 2011
Nothing may be copied from this book beyond what is permitted under the provisions of «Lov om opphavsrett til åndsverk» and the copying agreements entered into with Kopinor. Editor: Ragnar Soleng, Universitetet i Tromsø. Digital printing and binding: AIT Oslo AS
A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems
Abstract. We investigate the security of the family of MQQ public key cryptosystems using multivariate quadratic quasigroups (MQQ). These cryptosystems show especially good performance properties. In particular, the MQQ-SIG signature scheme is the fastest scheme in the ECRYPT benchmarking of cryptographic systems (eBACS). We show that both the signature scheme MQQ-SIG and the encryption scheme MQQ-ENC, although using different types of MQQs, share a common algebraic structure that introduces a weakness in both schemes. We use this weakness to mount a successful polynomial time key-recovery attack. Our key-recovery attack finds an equivalent key using the idea of so-called good keys that reveals the structure gradually. In the process we need to solve a MinRank problem that, because of the structure, can be solved in polynomial time assuming some mild algebraic assumptions. We highlight that our theoretical results work in characteristic 2, which is known to be the most difficult case to address in theory for MinRank attacks. Also, we emphasize that our attack works without any restriction on the number of polynomials removed from the public key, that is, using the minus modifier. This was not the case for previous MinRank-like attacks against MQ schemes. From a practical point of view, we are able to break an MQQ-SIG instance of 80 bits security in less than 2 days, and one of the more conservative MQQ-ENC instances of 128 bits security in a little over 9 days. Altogether, our attack shows that it is very hard to design a secure public key scheme based on an easily invertible MQQ structure.
The Multivariate Probabilistic Encryption Scheme MQQ-ENC
Abstract. We propose a new multivariate probabilistic encryption scheme with decryption errors, MQQ-ENC, that belongs to the family of MQQ-based public key schemes. Similarly to MQQ-SIG, the trapdoor is constructed using quasigroup string transformations with multivariate quadratic quasigroups, and a minus modifier with a relatively small and fixed number of removed equations. To make the decryption possible and also efficient, we use a universal hash function to eliminate possibly wrong plaintext candidates. We show that, in this way, the probability of erroneous decryption becomes negligible. MQQ-ENC is defined over the fields F_{2^k} for any k ≥ 1, and can easily be extended to any F_{p^k}, for prime p. One important difference from MQQ-SIG is that in MQQ-ENC we use left MQQs (LMQQs) instead of bilinear MQQs. Our choice can be justified by our extensive experimental analysis that showed the superiority of the LMQQs over the bilinear MQQs for the design of MQQ-ENC. We apply the standard cryptanalytic techniques on MQQ-ENC, and from the results, we pose a plausible conjecture that the instances of the MQQ-ENC trapdoor are hard instances with respect to the MQ problem. Under this assumption, we adapt the Kobara-Imai conversion of the McEliece scheme for MQQ-ENC and prove that it provides IND-CCA security despite the negligible probability of decryption errors. We also recommend concrete parameters for MQQ-ENC for encryption of blocks of 128 bits for a security level of O(2^128).
A Generalization of the Rainbow Band Separation Attack and its Applications to Multivariate Schemes
Abstract. The Rainbow Signature Scheme is a non-trivial generalization of the well known Unbalanced Oil and Vinegar (UOV) signature scheme (Eurocrypt '99) minimizing the length of the signatures. By now the Rainbow Band Separation attack is the best key recovery attack known. For some sets of parameters it is even faster than a direct attack on the public key. Unfortunately the available description of the attack does not provide deep insights. In this article we provide another view on the Rainbow Band Separation attack using the theory of equivalent keys and a new generalization called good keys. Thereby we generalize the attack into a framework that also includes Reconciliation attacks. We further formally prove the correctness of the attack and show that it also performs well on all multivariate quadratic (MQ) schemes that suffer from missing cross-terms. We apply our attack to break the MFE encryption scheme based on Diophantine equations, the Enhanced STS signature scheme and all its variants, as well as the MQQ Encryption and Signature schemes. In the case of Rainbow and Enhanced TTS we show that parameters have to be chosen carefully and that the remaining efficiency gain over UOV is small.