Improved algorithms for finding low-weight polynomial multiples in F_2[x] and some cryptographic applications

In this paper we present an improved algorithm for finding low-weight multiples of polynomials over the binary field using coding-theoretic methods. The code associated with the given polynomial has a cyclic structure, which allows an algorithm to search for shifts of the sought minimum-weight codeword. Building on this, a code of higher dimension is constructed, which contains a larger number of low-weight codewords and, after some additional processing, also has a reduced minimum distance. Applying an algorithm for finding low-weight codewords in the constructed code yields a lower complexity for finding low-weight polynomial multiples than previous approaches. As an application, we show a key-recovery attack against TCHo that has a lower complexity than the chosen security level indicates. Using similar ideas we also present a new probabilistic algorithm for finding a multiple of weight 4, which is faster than previous approaches. This is relevant, for example, in correlation attacks on stream ciphers.
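As an added illustration (not code from the paper), a baseline birthday-style search for a weight-4 multiple of a binary polynomial, the problem addressed by the abstract's last result; it relies on the same cyclic-shift observation to fix one term at x^0, but is the classical O(n^2) baseline rather than the paper's improved algorithm. The sample polynomial x^5 + x^2 + 1 and the exponent bound are constructed for this example.

```python
# Added example: birthday-style search for a weight-4 multiple of P(x) in F_2[x].
# Polynomials are Python ints: bit i is the coefficient of x^i,
# so 0b100101 is x^5 + x^2 + 1 (a constructed sample, not from the paper).

def poly_mod(a: int, p: int) -> int:
    """Reduce a modulo p in F_2[x] (coefficient addition is XOR, no carries)."""
    dp = p.bit_length() - 1
    while a.bit_length() - 1 >= dp:
        a ^= p << (a.bit_length() - 1 - dp)
    return a

def power_residues(p: int, n: int) -> list:
    """Return [x^0 mod p, ..., x^n mod p] by repeated shift-and-reduce."""
    dp = p.bit_length() - 1
    res = [1]
    for _ in range(n):
        r = res[-1] << 1
        if r >> dp:          # degree reached deg(p): XOR p once
            r ^= p
        res.append(r)
    return res

def weight4_multiple(p: int, n: int):
    """Find exponents with 1 + x^a + x^b + x^c == 0 mod p, all <= n,
    or None if no such multiple exists in that range.

    Since p has a nonzero constant term, x is invertible mod p, so any
    weight-4 multiple can be cyclically shifted to have lowest term x^0;
    fixing one term at 1 therefore loses nothing. Cost: O(n) memory for the
    table of residues of 1 + x^c, and O(n^2) lookups over pairs (a, b)."""
    assert p & 1, "p must have a nonzero constant term"
    res = power_residues(p, n)
    table = {res[c] ^ 1: c for c in range(1, n + 1)}   # (1 + x^c) mod p -> c
    for a in range(1, n + 1):
        for b in range(a + 1, n + 1):
            c = table.get(res[a] ^ res[b])             # x^a + x^b == 1 + x^c ?
            if c is not None and c not in (a, b):
                return (0, a, b, c)
    return None

def exponents_to_poly(exps) -> int:
    """Build the polynomial with the given exponents (sum of x^e)."""
    m = 0
    for e in exps:
        m |= 1 << e
    return m

if __name__ == "__main__":
    P = 0b100101                         # x^5 + x^2 + 1
    sol = weight4_multiple(P, 20)
    print(sol, poly_mod(exponents_to_poly(sol), P))   # residue must be 0
```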
