A Distinguisher for High-Rate McEliece Cryptosystems

The Goppa Code Distinguishing (GD) problem consists of distinguishing the matrix of a Goppa code from a random matrix. The hardness of this problem is an assumption used to prove the security of code-based cryptographic primitives such as McEliece's cryptosystem. Until now, the GD problem has been widely believed to be a hard decision problem. We present the first method that distinguishes alternant and Goppa codes over any field. Our technique solves the GD problem in polynomial time provided that the codes have sufficiently large rates. The key ingredient is an algebraic characterization of the key-recovery problem. The idea is to consider the rank of the linear system obtained by linearizing a particular polynomial system that describes a key-recovery attack. This rank turns out to depend on the type of code considered. Explicit formulas for the rank, derived from extensive experiments, are given for "generic" random, alternant, and Goppa codes over any field. Finally, we give theoretical explanations of these formulas in the case of random codes, alternant codes over any field of characteristic two, and binary Goppa codes.
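The following is an added toy example, not code from the paper or its authors. It illustrates the shape of the distinguishing argument (a structured code is separated from a random one by the rank of a system built from the public matrix alone, and only at high rate) using a related and simpler criterion: the dimension of the component-wise square of the dual code. This is an assumption of the example, not the linear system whose rank the paper studies, and the paper's formulas are for that system. The example is also restricted to the degenerate alternant case m = 1 over a prime field, where alternant codes are generalized Reed-Solomon (GRS) codes; the field size P = 31, the support, the multipliers and the code dimensions are all constructed values, and Goppa codes over GF(2^m) would additionally need extension-field arithmetic that is not implemented here.

```python
"""Toy version of the distinguishing idea over a prime field GF(P).

Constructed example, not the paper's code: the structured code is a
Reed-Solomon / GRS code (the m = 1 case of an alternant code). From a
public generator matrix alone we compute the dual code, then the
dimension of the component-wise square of that dual, and compare it with
the value expected for a random code of the same dimension.
"""
import random
from itertools import combinations_with_replacement

P = 31  # toy prime field GF(31), small enough for exact integer arithmetic


def inv(a):
    """Multiplicative inverse in GF(P) (Fermat's little theorem)."""
    return pow(a, P - 2, P)


def rref(rows, ncols):
    """Reduced row echelon form over GF(P). Returns (nonzero rows, pivot columns)."""
    m = [[v % P for v in r] for r in rows]
    pivots = []
    r = 0
    for c in range(ncols):
        if r == len(m):
            break
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        s = inv(m[r][c])
        m[r] = [(v * s) % P for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % P for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    return m[:r], pivots


def rank(rows, ncols):
    return len(rref(rows, ncols)[0])


def dual_basis(gen, ncols):
    """Basis of the dual code {v : G v = 0}, i.e. a parity-check matrix for G."""
    red, pivots = rref(gen, ncols)
    basis = []
    for f in range(ncols):
        if f in pivots:
            continue
        v = [0] * ncols
        v[f] = 1  # one free coordinate set to 1, pivots solved from the RREF rows
        for row, pc in zip(red, pivots):
            v[pc] = (-row[f]) % P
        basis.append(v)
    return basis


def square_code_dim(basis, ncols):
    """Dimension of the span of all component-wise products a*b for a, b in basis."""
    prods = [[(a * b) % P for a, b in zip(u, v)]
             for u, v in combinations_with_replacement(basis, 2)]
    return rank(prods, ncols)


def grs_generator(n, k, ys=None):
    """Generator matrix of GRS_k(x, y) with support x = 0..n-1 (needs n <= P)."""
    xs = list(range(n))
    ys = ys or [1] * n  # all-ones multipliers give a plain Reed-Solomon code
    return [[(y * pow(x, i, P)) % P for x, y in zip(xs, ys)] for i in range(k)]


def random_generator(n, k, seed):
    """Constructed 'random public key': a uniformly random k x n matrix over GF(P)."""
    rng = random.Random(seed)
    return [[rng.randrange(P) for _ in range(n)] for _ in range(k)]


def distinguish(gen, n):
    """Return (dual_dim, square_dim, random_expectation, looks_structured).

    For a random code of dimension r the square fills min(n, r(r+1)/2)
    dimensions with overwhelming probability; the dual of a GRS code of
    dimension r is again GRS and its square only reaches min(n, 2r-1).
    The test is informative only when r(r+1)/2 < n, i.e. for high-rate
    public codes, which mirrors the rate condition in the abstract.
    """
    h = dual_basis(gen, n)
    r = len(h)
    sq = square_code_dim(h, n)
    expected = min(n, r * (r + 1) // 2)
    return r, sq, expected, sq < expected


if __name__ == "__main__":
    n, k = 31, 22  # rate ~0.71: the dual has dimension 9 and 9*10/2 = 45 > 31
    print("GRS, high rate:", distinguish(grs_generator(n, k), n))
    print("random        :", distinguish(random_generator(n, k, seed=7), n))
    print("GRS, low rate :", distinguish(grs_generator(n, 10), n))
```

At rate 22/31 the GRS dual squares to dimension 17 while a random code of the same parameters fills all 31 coordinates, so the structured key is flagged; at rate 10/31 both squares fill the whole space and the criterion says nothing, which is the "sufficiently large rate" caveat from the abstract in miniature.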

[5]  Damien Vergnaud,et al.  Provably Secure Code-Based Threshold Ring Signatures , 2009, IMACC.