A New Analysis of the McEliece Cryptosystem Based on QC-LDPC Codes

Baldi, Marco; Bodrato, Marco; Chiaraluce, Franco

doi:10.1007/978-3-540-85855-3_17

Cited by 108 publications

(122 citation statements)

References 19 publications

(30 reference statements)

Supporting

Mentioning

121

Contrasting

Order By: Relevance

“…The complexity of computing G lex from G deg with FGLM is polynomial in the size of V , i.e. O (#V ) 3 . In our case, the size of V is very small (< 10).…”

Section: Resultsmentioning

confidence: 99%

“…After more than thirty years now, it still belongs to the very few public key cryptosystems which remain unbroken. Following McEliece's pioneering work, several different public key cryptosystems based on the intractability of decoding a linear code have been proposed [28,20,31,23,7,6,4,3,5,27]. The original McEliece cryptosystem relies on Goppa codes whereas its variants suggested to use different codes.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Algebraic Cryptanalysis of McEliece Variants with Compact Keys

Faugère

Otmani

Perret

et al. 2010

Advances in Cryptology – EUROCRYPT 2010

128

168

View full text Add to dashboard Cite

Abstract. In this paper we propose a new approach to investigate the security of the McEliece cryptosystem. We recall that this cryptosystem relies on the use of error-correcting codes. Since its invention thirty years ago, no efficient attack had been devised that managed to recover the private key. We prove that the private key of the cryptosystem satisfies a system of bi-homogeneous polynomial equations. This property is due to the particular class of codes considered which are alternant codes. We have used these highly structured algebraic equations to mount an efficient key-recovery attack against two recent variants of the McEliece cryptosystems that aim at reducing public key sizes. These two compact variants of McEliece managed to propose keys with less than 20,000 bits. To do so, they proposed to use quasi-cyclic or dyadic structures. An implementation of our algebraic attack in the computer algebra system Magma allows to find the secret-key in a negligible time (less than one second) for almost all the proposed challenges. For instance, a private key designed for a 256-bit security has been found in 0.06 seconds with about 2 17.8 operations.

show abstract

“…The complexity of computing G lex from G deg with FGLM is polynomial in the size of V , i.e. O (#V ) 3 . In our case, the size of V is very small (< 10).…”

Section: Resultsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Algebraic Cryptanalysis of McEliece Variants with Compact Keys

Faugère

Otmani

Perret

et al. 2010

Advances in Cryptology – EUROCRYPT 2010

128

168

View full text Add to dashboard Cite

show abstract

“…The binary Goppa code C with Goppa polynomial g and support L is defined as a set of binary vectors c ∈ GF (2) n (indexed by elements of L), for which…”

Section: Mceliece Cryptosystem Based On Irreducible Goppa Codesmentioning

confidence: 99%

Overview of the Mceliece Cryptosystem and its Security

Repka

Zajac

2014

Tatra Mountains Mathematical Publications

View full text Add to dashboard Cite

ABSTRACT. McEliece cryptosystem (MECS) is one of the oldest public key cryptosystems, and the oldest PKC that is conjectured to be post-quantum secure. In this paper we survey the current state of the implementation issues and security of MECS, and its variants. In the first part we focus on general decoding problem, structural attacks, and the selection of parameters in general. We summarize the details of MECS based on irreducible binary Goppa codes, and review some of the implementation challenges for this system. Furthermore, we survey various proposals that use alternative codes for MECS, and point out some attacks on modified systems. Finally, we review notable existing implementations on low-resource platforms, and conclude with the topic of side channels in the implementations of MECS.

show abstract

“…Several proposals which suggested to replace binary Goppa codes with alternative families did not meet a similar fate. They all focus on a specific class of codes equipped with a decoding algorithm: generalized Reed-Solomon codes (GRS for short) [Nie86] or large subcodes of them [BL05], Reed-Muller codes [Sid94], algebraic geometry codes [JM96], LDPC and MDPC codes [BBC08,MTSB13] or convolutional codes [LJ12,GSJB14]. Most of them were successfully cryptanalyzed [SS92, Wie10, MS07, FM08, OTD10, CGG + 14, LT13,CMCP14b,COTG15].…”

Section: Introductionmentioning

confidence: 99%

“…Each time a description of the underlying code suitable for decoding is efficiently obtained. But some of them remain unbroken, namely those relying on MDPC codes [MTSB13] and their cousins [BBC08], the original binary Goppa codes of [McE78] and their non-binary variants as proposed in [BLP10,BLP11].…”

Section: Introductionmentioning

confidence: 99%