Error Correcting Coding and Security for Data Networks

“…If we want to avoid that the knowledge of a message/signature pair allows to recover the secret key, this implies for instance that the rate R of C known should be significantly larger than 2ρ, that is twice the rate of the secret code C hidden . This would change the parameters of the scheme significantly and give much larger key sizes than has been proposed in [KKS97, KKS05,BMJ11].…”

“…A possible approach to meet this goal could be to build such schemes whose security relies on the difficulty of decoding linear codes. Two code based schemes of this kind have been proposed, namely the Courtois-Finiasz-Sendrier signature scheme [CFS01] and the Kabatianskii, Krouk and Smeets (KKS) scheme [KKS97,KKS05].…”

“…It turns out that such algorithms are unusually successful in this setting due to the conjunction of three factors: (i) there are many low-weight codewords, (ii) they are localized on a rather small support, (iii) some part of this support is known to the attacker. It appears that all parameters suggested in [KKS97, KKS05,BMJ11] are easily broken by this approach and this without even knowing a single signature pair. Moreover, this approach can exploit the knowledge of a message-signature pair which speeds up the attack.…”

“…We provide an analysis of this attack which explains what makes it feasible for the parameters proposed in [KKS97, KKS05,BMJ11]. The KKS scheme relies on a couple of matrices which can be viewed as parity-check matrices of two linear codes.…”

“…This phenomenon was clearly not taken into in the parameters suggested in [KKS97, KKS05,BMJ11] as shown in Table 1. The values of d GV (|I |, k) are extremely low (in the range 1 − 6).…”

An Efficient Attack on All Concrete KKS Proposals

“…If we want to avoid that the knowledge of a message/signature pair allows to recover the secret key, this implies for instance that the rate R of C known should be significantly larger than 2ρ, that is twice the rate of the secret code C hidden . This would change the parameters of the scheme significantly and give much larger key sizes than has been proposed in [KKS97, KKS05,BMJ11].…”

“…A possible approach to meet this goal could be to build such schemes whose security relies on the difficulty of decoding linear codes. Two code based schemes of this kind have been proposed, namely the Courtois-Finiasz-Sendrier signature scheme [CFS01] and the Kabatianskii, Krouk and Smeets (KKS) scheme [KKS97,KKS05].…”

“…It turns out that such algorithms are unusually successful in this setting due to the conjunction of three factors: (i) there are many low-weight codewords, (ii) they are localized on a rather small support, (iii) some part of this support is known to the attacker. It appears that all parameters suggested in [KKS97, KKS05,BMJ11] are easily broken by this approach and this without even knowing a single signature pair. Moreover, this approach can exploit the knowledge of a message-signature pair which speeds up the attack.…”

“…We provide an analysis of this attack which explains what makes it feasible for the parameters proposed in [KKS97, KKS05,BMJ11]. The KKS scheme relies on a couple of matrices which can be viewed as parity-check matrices of two linear codes.…”

“…This phenomenon was clearly not taken into in the parameters suggested in [KKS97, KKS05,BMJ11] as shown in Table 1. The values of d GV (|I |, k) are extremely low (in the range 1 − 6).…”

An Efficient Attack on All Concrete KKS Proposals

Block Codes

An Introduction to the Principles of Coding and Decoding of Discrete Signals