Severely denting the Gabidulin version of the McEliece Public Key Cryptosystem

Gibson, J. K.

doi:10.1007/bf01390769

Cited by 65 publications

(43 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…For example, Gabidulin et al [5] tried using maximum-rank-distance codes. These schemes were shown to be insecure by Gibson [6,7]. In any event, such code replacements would not prevent our attack, which does not depend on the structure of the code.…”

Section: Remar~mentioning

confidence: 97%

Failure of the McEliece public-key cryptosystem under message-resend and related-message attack

Berson

1997

Advances in Cryptology — CRYPTO '97

View full text Add to dashboard Cite

The McEliece public-key cr3~tosystem fails to protect any message which is sent to a recipient more than once using different random error vectors. In general, it fails to protect any messages sent to a recipient which have a known linear relation to one another. Under these conditions, which are easily detectable, the cryptosystem is subject to a devastating attack which reveals plaintext with a work factor which is 1015 times better than the best general attack.Keywords: McEliece, public-key cryptosystem, randomization, error-correcting codes, error vectors, message-resend attack, related-message attack, protocol failure, eryptanalysis. IntroductionThe McEliece public-key cryptosystem was proposed nearly 20 years ago [14]. The system is simple to explain and is very fast in execution. It is based on an NP-hard problem in coding theory, and features the ability of a hidden error-correcting code to recover plaintext from ciphertexts which the sender intentionally garbles with random errors. Although it has received much attention from the cryptologic community, the system remains unbroken to this day.Despite these advantages, the McEliece public-key cryptosystem it is not widely used. Perhaps this is because it has a large public key and a low information rate. But changes in technology and economics, for example the plummeting cost of storage, keep it on the list of candidates for some applications.In this paper we analyze and exploit the failure of the McEliece public-key cryptosystem to protect plaintext when any message is sent to a recipient more than once using different random error vectors. Our message-resend attack succeeds in flk 3 time, wherefl is a small constant, and k is the message size of the underlying code. We then generalize our attack to a related-message attack, which recovers any messages sent to a recipient when a linear relation between the messages is known, again in flk 3 time.

show abstract

Section: Remar~mentioning

confidence: 97%

Failure of the McEliece public-key cryptosystem under message-resend and related-message attack

Berson

1997

Advances in Cryptology — CRYPTO '97

View full text Add to dashboard Cite

show abstract

“…Gibson in a series of work [11,12] developed attacks that break the GPT public key cryptosystem. Several variants of the GPT public key cryptosystem were introduced to withstand Gibson's attack [7,22].…”

Section: Gibson's Attackmentioning

confidence: 99%

Hexi McEliece Public Key Cryptosystem

Ilanthenraland¹,

Easwarakumar²

2014

Appl. Math. Inf. Sci.

View full text Add to dashboard Cite

This paper introduces a new class of hexi codes namely, hexi polynomial codes, hexi Rank Distance codes, hexi Maximum Rank Distance codes, hexi Goppa codes and hexi wild Goppa codes. These codes are useful to create variants of the McEliece public key cryptosystem known as the hexi McEliece public key cryptosystem and its variants; these cryptosystems are secure against attacks carried out on the existing variants of the McEliece public key cryptosystem. This newly introduced cryptosystem has better error correcting capacity and lesser time complexity making it more feasible to use. The security and possible attacks on these variants of the hexi McEliece public key cryptosystem are analysed.

show abstract

“…That is the reason why their use in the GPT cryptosystem has been the subject to several attacks. Gibson was the first to prove the weakness of the system through a series of successful attacks [Gib95,Gib96]. Following these failures, the first works which modified the GPT scheme to avoid Gibson's attack were published in [GO01,GOHA03].…”

Section: Introductionmentioning

confidence: 99%

Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes

Gaborit

Otmani

Kalachi

2017

Des. Codes Cryptogr.

View full text Add to dashboard Cite

ABSTRACT. Encryption schemes based on the rank metric lead to small public key sizes of order of few thousands bytes which represents a very attractive feature compared to Hamming metric-based encryption schemes where public key sizes are of order of hundreds of thousands bytes even with additional structures like the cyclicity. The main tool for building public key encryption schemes in rank metric is the McEliece encryption setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years most of these systems were attacked essentially by the use of an attack proposed by Overbeck.In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was not in the McEliece setting. The scheme is very efficient, with small public keys of size a few kiloBytes and with security closely related to the linearized polynomial reconstruction problem which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting and until our work, the scheme had never been attacked. We show in this article that for a range of parameters, this scheme is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck's attack on an appropriate public code. As an example we break in a few seconds parameters with 80-bit security claim. Our work also shows that some parameters are not affected by our attack but at the cost of a lost of efficiency for the underlying schemes.Post-quantum cryptography; Gabidulin code; Polynomial reconstruction; Faure-Loidreau scheme.

show abstract

Severely denting the Gabidulin version of the McEliece Public Key Cryptosystem

Cited by 65 publications

References 6 publications

Failure of the McEliece public-key cryptosystem under message-resend and related-message attack

Failure of the McEliece public-key cryptosystem under message-resend and related-message attack

Hexi McEliece Public Key Cryptosystem

Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes

Contact Info

Product

Resources

About