Cryptanalysis of Two McEliece Cryptosystems Based on Quasi-Cyclic Codes

We cryptanalyse here two variants of the McEliece cryptosystem based on quasi-cyclic codes. Both aim at reducing the key size by restricting the public and secret generator matrices to be in quasi-cyclic form. The first variant considers subcodes of a primitive BCH code. The aforementioned constraint on the public and secret keys implies to choose very structured permutations. We prove that this variant is not secure by producing many linear equations that the entries of the secret permutation matrix have to satisfy by using the fact that the secret code is a subcode of a known BCH code. This attack has been implemented and in all experiments we have performed the solution space of the linear system was of dimension one and revealed the permutation matrix. The other variant uses quasi-cyclic low density parity-check (LDPC) codes. This scheme was devised to be immune against general attacks working for McEliece type cryptosystems based on LDPC codes by choosing in the McEliece scheme more general one-to-one mappings than permutation matrices. We suggest here a structural attack exploiting the quasi-cyclic structure of the code and a certain weakness in the choice of the linear transformations that hide the generator matrix of the code. This cryptanalysis adopts a polynomial-oriented approach and basically consists in searching for two polynomials of low weight such that their product is a public polynomial. Our analysis shows that with high probability a parity-check matrix of a punctured version of the secret code can be recovered with time complexity O(n3) where n is the length of the considered code. The complete reconstruction of the secret parity-check matrix of the quasi-cyclic LDPC codes requires the search of codewords of low weight which can be done with about 237 operations for the specific parameters proposed.

[1]  John J. Cannon,et al.  The Magma Algebra System I: The User Language , 1997, J. Symb. Comput..

[2]  V. Sidelnikov,et al.  A public-key cryptosystem based on binary Reed-Muller codes , 1994 .

[3]  Christian Wieschebrink,et al.  An Attack on a Modified Niederreiter Encryption Scheme , 2006, Public Key Cryptography.

[4]  Pierre-Louis Cayrel,et al.  On Kabatianskii-Krouk-Smeets Signatures , 2007, WAIFI.

[5]  Marc Girault,et al.  Lightweight code-based identification and signature , 2007, 2007 IEEE International Symposium on Information Theory.

[6]  J. Rosenthal,et al.  Using low density parity check codes in the McEliece cryptosystem , 2000, 2000 IEEE International Symposium on Information Theory (Cat. No.00CH37060).

[7]  Amin Shokrollahi,et al.  Cryptanalysis of the Sidelnikov Cryptosystem , 2007, EUROCRYPT.

[8]  Marco Baldi,et al.  Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC Codes , 2007, 2007 IEEE International Symposium on Information Theory.

[9]  Raphael Overbeck,et al.  A Summary of McEliece-Type Cryptosystems and their Security , 2007, J. Math. Cryptol..

[10]  Tanja Lange,et al.  Attacking and defending the McEliece cryptosystem , 2008, IACR Cryptol. ePrint Arch..

[11]  Thierry P. Berger,et al.  How to Mask the Structure of Codes for a Cryptographic Use , 2005, Des. Codes Cryptogr..

[12]  Cédric Lauradoux,et al.  SYND: a Fast Code-Based Stream Cipher with a Security Reduction , 2007, 2007 IEEE International Symposium on Information Theory.

[13]  Jacques Stern,et al.  A method for finding codewords of small weight , 1989, Coding Theory and Applications.

[14]  Philippe Gaborit,et al.  Shorter keys for code-based cryptography , 2005 .

[15]  Anne Canteaut,et al.  A further improvement of the work factor in an attempt at breaking McEliece's cryptosystem , 1994 .

[16]  Ernst M. Gabidulin,et al.  Public_Key Cryptosystems Based on Linear Codes , 1995 .

[17]  V. Sidelnikov,et al.  On insecurity of cryptosystems based on generalized Reed-Solomon codes , 1992 .

[18]  Nicolas Sendrier,et al.  On the Concatenated Structure of a Linear Code , 1998, Applicable Algebra in Engineering, Communication and Computing.

[19]  Elwyn R. Berlekamp,et al.  On the inherent intractability of certain coding problems (Corresp.) , 1978, IEEE Trans. Inf. Theory.

[20]  Ernest F. Brickell,et al.  An Observation on the Security of McEliece's Public-Key Cryptosystem , 1988, EUROCRYPT.

[21]  Jeffrey S. Leon,et al.  A probabilistic algorithm for computing minimum weights of large error-correcting codes , 1988, IEEE Trans. Inf. Theory.

[22]  Robert H. Deng,et al.  On the equivalence of McEliece's and Niederreiter's public-key cryptosystems , 1994, IEEE Trans. Inf. Theory.

[23]  Anne Canteaut,et al.  A New Algorithm for Finding Minimum-Weight Words in a Linear Code: Application to McEliece’s Cryptosystem and to Narrow-Sense BCH Codes of Length , 1998 .