Abstract
A very popular trend in code-based cryptography is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic (\(\mathrm{QC}\)), quasi-dyadic (\(\mathrm{QD}\)), or quasi-monoidic (\(\mathrm{QM}\)) matrices. We show that the very same reason which allows one to construct a compact public key makes the key-recovery problem intrinsically much easier. The gain on the public-key size induces an important security drop, which is as large as the compression factor \(p\) on the public key. The fundamental remark is that from the \(k\times n\) public generator matrix of a compact McEliece scheme, one can construct a \(k/p \times n/p\) generator matrix which is, from an attacker's point of view, as good as the initial public key. We call this new smaller code the folded code. Any key-recovery attack can be deployed equivalently on this smaller generator matrix. To mount the key recovery in practice, we also improve the algebraic technique of Faugère, Otmani, Perret and Tillich (FOPT). In particular, we introduce new algebraic equations allowing us to include codes defined over any prime field in the scope of our attack. We describe a so-called “structural elimination”, a new algebraic manipulation which simplifies the key-recovery system. As a proof of concept, we report successful attacks on many cryptographic parameters available in the literature. All the parameters of CFS signatures based on \(\mathrm{QD}\)/\(\mathrm{QM}\) codes that have been proposed can be broken by this approach. In most cases, our attack takes a few seconds (the hardest case requires less than 2 h). In the encryption case, the algebraic systems are harder to solve in practice. Still, our attack succeeds against several cryptographic challenges proposed for \(\mathrm{QD}\) and \(\mathrm{QM}\) encryption schemes.
We mention that some parameters proposed in the literature remain out of reach of the methods given here. However, regardless of the key-recovery attack used against the folded code, there is an inherent weakness arising from Goppa codes with \(\mathrm{QM}\) or \(\mathrm{QD}\) symmetries. Indeed, the security of such schemes does not rely on the bigger compact public matrix but on the small folded code, which can be efficiently broken in practice with an algebraic attack for a large set of parameters.
References
Baldi M., Bianchi M., Chiaraluce F.: Security and complexity of the McEliece cryptosystem based on QC-LDPC codes. IET Inf. Secur. 7(3), 212–220 (2013). See also arXiv:1109.5827v6[cs.CR]
Baldi M., Bodrato M., Chiaraluce F.: A new analysis of the McEliece cryptosystem based on QC-LDPC codes. In: Proceedings of the 6th International Conference on Security and Cryptography for Networks SCN ’08, pp. 246–262. Springer, Berlin (2008)
Barbier M.: Key reduction of McEliece’s cryptosystem using list decoding. CoRR, arXiv:1102.2566 (2011)
Barreto P.S.L.M., Cayrel P.-L., Misoczki R., Niebuhr R.: Quasi-dyadic CFS signatures. In: Lai X., Yung M., Lin D. (eds.) Inscrypt. Lecture Notes in Computer Science, vol. 6584, pp. 336–349. Springer, Heidelberg (2010)
Barreto P.S.L.M., Lindner R., Misoczki R.: Monoidic codes in cryptography. In: Yang B.Y. (ed.) PQCrypto. Lecture Notes in Computer Science, vol. 7071, pp. 179–199. Springer, Heidelberg (2011)
Becker A., Joux A., May A., Meurer A.: Decoding random binary linear codes in \(2^{n/20}\): how 1 + 1 = 0 improves information set decoding. In: Pointcheval D., Johansson T. (eds.) EUROCRYPT. Lecture Notes in Computer Science, vol. 7237, pp. 520–536. Springer, Heidelberg (2012)
Berger T.P.: Cyclic alternant codes induced by an automorphism of a GRS code. In: Mullin R., Mullen G. (eds.) Finite Fields: Theory, Applications and Algorithms. Contemporary Mathematics, vol. 225, pp. 143–154. AMS, Waterloo, Canada (1999)
Berger T.P.: Goppa and related codes invariant under a prescribed permutation. IEEE Trans. Inf. Theory 46(7), 2628 (2000)
Berger T.P.: On the cyclicity of Goppa codes, parity-check subcodes of Goppa codes and extended Goppa codes. Finite Fields Appl. 6, 255–281 (2000)
Berger T.P., Cayrel P.L., Gaborit P., Otmani A.L.: Reducing key length of the McEliece cryptosystem. In: Preneel B. (ed.) Progress in Cryptology—Second International Conference on Cryptology in Africa (AFRICACRYPT 2009). Lecture Notes in Computer Science, vol. 5580, pp. 77–97, 21–25 June 2009, Gammarth, Tunisia
Bernstein D.J., Lange T., Peters C.: Attacking and defending the McEliece cryptosystem. In: PQCrypto. Lecture Notes in Computer Science, vol. 5299, pp. 31–46. Springer, Heidelberg (2008)
Bernstein D.J., Lange T., Peters C.: Attacking and defending the McEliece cryptosystem. In: PQCrypto, pp. 31–46. (2008)
Bernstein D.J., Lange T., Peters C., van Tilborg H.: Explicit bounds for generic decoding algorithms for code-based cryptography. In: Pre-proceedings of WCC 2009, pp. 168–180 (2009)
Bernstein D.J., Lange T., Peters C.: Smaller decoding exponents: ball-collision decoding. In: Phillip R. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 6841, pp. 743–760. Springer, Heidelberg (2011)
Bosma W., Cannon J.J., Playoust C.: The Magma algebra system I: the user language. J. Symb. Comput. 24(3–4), 235–265 (1997)
Buchberger B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. PhD thesis, Innsbruck (1965)
Canteaut A., Chabaud F.: A new algorithm for finding minimum-weight words in a linear code: application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Trans. Inf. Theory 44(1), 367–378 (1998)
Cox D.A., Little J.B., O’Shea D.: Ideals, Varieties, and Algorithms: An Introduction to Computational Algebraic Geometry and Commutative Algebra. Undergraduate Texts in Mathematics. Springer, New York (2001)
Faugère J.-C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139(1–3), 61–88 (1999)
Faugère J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero: F5. In: ISSAC’02, pp. 75–83. ACM Press, New York (2002)
Faugère J.-C.: FGb: a library for computing Gröbner bases. In: Fukuda K., Hoeven J., Joswig M., Takayama N. (eds.) Mathematical Software—ICMS 2010. Lecture Notes in Computer Science, vol. 6327, pp. 84–87. Springer, Berlin (2010)
Faugère J.-C., Gauthier V., Otmani A., Perret L., Tillich J.-P.: A distinguisher for high rate McEliece cryptosystems. IEEE Trans. Inf. Theory 59(10), 6830–6844 (2013)
Faugère J.-C., Gauthier-Umana V., Otmani A., Perret L., Tillich J.-P.: A distinguisher for high rate McEliece cryptosystems. In: Information Theory Workshop (ITW), 2011 IEEE, pp. 282–286 (2011)
Faugère J.-C., Otmani A., Perret L., de Portzamparc F., Tillich J.-P.: Folding alternant and Goppa codes with non-trivial automorphism groups. (2014). arXiv:1405.5101 [cs.IT]
Faugère J.-C., Otmani A., Perret L., de Portzamparc F., Tillich J.-P.: Structural weakness of compact variants of the McEliece cryptosystem. In: Proceedings of the IEEE International Symposium on Information Theory—ISIT 2014, Honolulu, HI, USA, pp. 1717–1721 (2014)
Faugère J.-C., Otmani A., Perret L., Tillich J.-P.: Algebraic cryptanalysis of McEliece variants with compact keys. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30–June 3, 2010. Proceedings. Lecture Notes in Computer Science, vol. 6110, pp. 279–298. Springer, Berlin (2010)
Faugère J.-C., Otmani A., Perret L., Tillich J.-P.: Algebraic cryptanalysis of McEliece variants with compact keys—toward a complexity analysis. In: SCC ’10: Proceedings of the 2nd International Conference on Symbolic Computation and Cryptography, pp. 45–55. RHUL (2010)
Finiasz M., Sendrier N.: Security bounds for the design of code-based cryptosystems. In: Matsui M. (ed.) Asiacrypt 2009. Lecture Notes in Computer Science, vol. 5912, pp. 88–105. Springer, Heidelberg (2009)
Gaborit P.: Shorter keys for code based cryptography. In: Proceedings of the 2005 International Workshop on Coding and Cryptography (WCC 2005), Bergen, Norway, pp. 81–91 (2005)
Gauthier U.V., Leander G.: Practical key recovery attacks on two McEliece variants. In: International Conference on Symbolic Computation and Cryptography-SCC, vol. 2010, p. 62 (2010)
Gilbert H., (ed.) Advances in Cryptology—EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30–June 3, 2010. Proceedings. Lecture Notes in Computer Science, vol. 6110. Springer, Berlin (2010)
Heyse S.: Implementation of McEliece based on quasi-dyadic Goppa codes for embedded devices. In: Yang B.-Y. (ed.) Post-quantum Cryptography. Lecture Notes in Computer Science, vol. 7071, pp. 143–162. Springer, Berlin (2011)
Lee P.J., Brickell E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: Advances in Cryptology—EUROCRYPT’88. Lecture Notes in Computer Science, vol. 330, pp. 275–280. Springer, Berlin (1988)
Leon J.S.: A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Trans. Inf. Theory 34(5), 1354–1359 (1988)
Loidreau P., Sendrier N.: Weak keys in the McEliece public-key cryptosystem. IEEE Trans. Inf. Theory 47(3), 1207–1211 (2001)
Loidreau P.: On cellular codes and their cryptographic applications. In: Landjev I., Kabatiansky G. (eds.) Proceedings of ACCT14 (Algebraic and Combinatorial Coding Theory). Svetlogorsk, Russia (2014)
Löndahl C., Johansson T., Koochak Shooshtari M., Ahmadian-Attari M., Reza Aref M.: A new attack on McEliece public-key cryptosystems using quasi-cyclic codes of even dimension. Preprint (2014)
Lyubashevsky V., Peikert C., Regev O.: On ideal lattices and learning with errors over rings. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30–June 3, 2010. Proceedings. Lecture Notes in Computer Science, vol. 6110, pp. 1–23. Springer, Berlin (2010)
MacWilliams F.J., Sloane N.J.A.: The Theory of Error-Correcting Codes, 5th edn. North-Holland, Amsterdam (1986)
May A., Meurer A., Thomae E.: Decoding random linear codes in \(\tilde{O}(2^{0.054n})\). In: Lee D.H., Wang X. (eds.) ASIACRYPT. Lecture Notes in Computer Science, vol. 7073, pp. 107–124. Springer, Berlin (2011)
McEliece R.J.: A Public-Key System Based on Algebraic Coding Theory, pp. 114–116. Jet Propulsion Lab. DSN Progress Report 44 (1978)
Misoczki R., Barreto P.S.L.M.: Compact McEliece keys from Goppa codes. In: Selected Areas in Cryptography (SAC 2009). Calgary, Canada, 13–14 August 2009
Misoczki R., Barreto P.S.L.M.: Compact McEliece keys from Goppa codes. IACR Cryptology ePrint Archive, 2009:187 (2009)
Patterson N.: The algebraic decoding of Goppa codes. IEEE Trans. Inf. Theory 21(2), 203–207 (1975)
Persichetti E.: Compact McEliece keys based on quasi-dyadic Srivastava codes. J. Math. Cryptol. 6(2), 149–169 (2012)
Peters C.: Information-set decoding for linear codes over \(\mathbb{F}_q\). In: Sendrier N. (ed.) PQCrypto. Lecture Notes in Computer Science, vol. 6061, pp. 81–94. Springer, Berlin (2010)
Sendrier N.: Finding the permutation between equivalent linear codes: the support splitting algorithm. IEEE Trans. Inf. Theory 46(4), 1193–1203 (2000)
Stehlé D., Steinfeld R., Tanaka K., Xagawa K.: Efficient public key encryption based on ideal lattices. In: Matsui M. (ed.) ASIACRYPT. Lecture Notes in Computer Science, vol. 5912, pp. 617–635. Springer, Heidelberg (2009)
Stern J.: A method for finding codewords of small weight. In: Cohen G.D., Wolfmann J. (eds.) Coding Theory and Applications. Lecture Notes in Computer Science, vol. 388, pp. 106–113. Springer, Heidelberg (1988)
Acknowledgments
We would like to thank the referees of Designs, Codes and Cryptography for helpful comments on a preliminary version of this paper. The work of the first and third authors has been partly supported by the French ANR-11-BS02-0013 HPAC Project.
Additional information
Communicated by K. Matsuura.
Appendices
Appendix 1: A toy example of folding
We build a QM binary Goppa code with parameters \(n=28\), \(m=5\) and \(t=2^2=4\) (\(\lambda =2\)) according to Theorem 2. We work in \(\mathbb {F}_{2^5}=\frac{\mathbb {F}_2[\omega ]}{(\omega ^5+\omega ^2+1)}\). To build the support \(\varvec{x}\) we pick
and \(\alpha _{0}=\omega ^{17},\alpha _1=1\). Then, we apply Eq. 4: for \(0\leqslant j \leqslant 3\), \(x_{4i+j}=x_{4i}+j_1\alpha _1+j_0\alpha _0\), with \(j=2j_1+j_0\) (and \(j_1,j_0\in \{0,1\}\)), so that we obtain
We pick a Goppa polynomial such that the multipliers are constant over each block of size \(t_2=4\) (Eq. 5 with \(\gamma (z)=z\)):
The corresponding multipliers are:
Then, the code \(\fancyscript{C}_2=\fancyscript{A}_{t}(\varvec{x},\varvec{y})=\fancyscript{G}(\varvec{x},\varGamma (z))\) has automorphism group
It admits as generator matrix \(G^{(2)}\):
Now we fold the quasi-monoidic code \(\fancyscript{C}_2\). The generator matrix of \(\overline{\fancyscript{C}_2^{\sigma _1}}\) is deduced without knowing the private elements \(\varvec{x}\) and \(\varvec{y}\). One only needs to sum up the coefficients of the generator matrix corresponding to each orbit of \(\sigma _1\) (that is, the subsets of the code positions of the form \(\{2i,2i+1\}\)):
Thanks to Theorem 3, we know that \(\overline{\varvec{G}}^{(1)}\) generates a Goppa code \(\fancyscript{C}_1=\fancyscript{A}_{2}(\overline{\varvec{x}}^{(1)},\overline{\varvec{y}}^{(1)})=\fancyscript{G}(\overline{\varvec{x}}^{(1)},\varGamma _1(z))\) defined by the following vectors and Goppa polynomial:
In our example, the order of symmetry introduced in \(\fancyscript{C}_2\) was \(2^2\), as \(\varvec{x}\) satisfies both relations \(x_{\sigma _1(i)}=x_i+\alpha _0\) and \(x_{\sigma _2(i)}=x_i+\alpha _1\) (and \(\varGamma (z+\alpha _1)= \varGamma (z+\alpha _0)=\varGamma (z)\)). In this case, \(\overline{\varvec{x}}^{(1)}\) satisfies \(\overline{x}_{i\ominus 1}^{(1)}=\overline{x}_{i}^{(1)}+\alpha _1^2-\alpha _0\alpha _1\). This shows that \(\overline{\fancyscript{C}_2^{\sigma _1}}\) can still be folded! As this second symmetry is inherited from the code position permutation \(\sigma _2\) of \(\fancyscript{C}_2\), we denote by \(\overline{\fancyscript{C}_2^{\sigma _2,\sigma _1}}\) the resulting code. Its generator matrix can be obtained either by summing the coefficients of \(\overline{\varvec{G}}^{(1)}\) over the orbits \(\{2i,2i+1\}\), or directly on the matrix \(\varvec{G}^{(2)}\), by considering the orbits \(\{4i,4i+1,4i+2,4i+3\}\):
Then, thanks to Theorem 3, we know that \(\overline{\varvec{G}}^{(0)}\) generates a Goppa code \(\fancyscript{C}_0=\fancyscript{A}_{1}(\overline{\varvec{x}}^{(0)},\overline{\varvec{y}}^{(0)})=\fancyscript{G}(\overline{\varvec{x}}^{(0)},\varGamma _0(z))\) with private elements:
Appendix 2: Proof of Theorem 4
We recall that a central tool in the construction of \(\mathrm{QM}\) codes is the sequence of \(\mathbb {F}_p\)-independent elements \(\alpha _0,\ldots ,\alpha _{\lambda -1} \in \mathbb {F}_{q^m}\) (Theorem 3). They generate a group \(G\) of size \(p^\lambda \) whose elements are defined for \(\ell \in [0,\ldots ,p^\lambda -1]\) by \(g_\ell =\sum _{j=0}^{\lambda -1} \ell _j \alpha _j\), where \(\ell =\sum _{j=0}^{\lambda -1} \ell _j p^j\) is the decomposition of \(\ell \) in base \(p\). The support is chosen so as to satisfy Eq. 4. Examples of how to solve Eq. 4 are given in [42, Algorithm 1] and [5, Algorithm 3] (by setting \(\alpha _i=h_{a_i}^{-1}+\omega \)). Then, the Goppa polynomial is derived from its roots \(A\), which are picked in \(G\). The case \(t=p^\lambda \) corresponds to a Goppa polynomial \(\varGamma (z)\) whose roots \(A\) are all the elements of \(G\). The fact that its roots form a group is the crucial point for proving Eq. 5 and for exhibiting the structure of the automorphism group. The cases where \(t\not =p^\lambda \) are those where \(A\) is a subset of \(G\) (and not a subgroup). The associated Goppa code is not stable under the expected permutations \(\sigma _\ell \) (as defined in Proposition 1), so folding the code is no longer possible. The idea is therefore to select a subspace of the codewords that is stable under more permutations. This is formalized by the following statement:
Lemma 1
Let \(\alpha _0,\ldots ,\alpha _{\lambda -1} \in \mathbb {F}_{q^m}\) be as in Theorem 2, whose linear combinations (with scalars in \(\mathbb {F}_p\)) form the set \(G=\{g_0,\ldots ,g_{p^\lambda -1}\}\). Let \(A=\{g_0,\dots ,g_{t-1}\}\) be a subset of \(G\). Let \(\varvec{x}\) be built from the \(\alpha _i\)’s according to Eq. 4. As a consequence, each \(g\in G\) corresponds to an offset \(0 \leqslant j_g < p^\lambda \) of the indices on the support such that \(x_{i \oplus j_g}=x_i+g\) for all \(i,0\leqslant i \leqslant n-1\). The public code is defined by \(\fancyscript{C}^{(t)}_{pub}=\fancyscript{G}\big (\varvec{x},\underset{g\in A}{\prod }(z-g)\big )\), and we define \(\fancyscript{C}^{(p^\lambda )}=\fancyscript{G}\big (\varvec{x},\underset{g\in G}{\prod }(z-g)\big )\). It holds that:
Proof
Let \(g\in G\). Recall the relation \(P_{\varvec{c}^{\sigma _{j_g}} ,\varvec{x}}(z)=P_{\varvec{c},\varvec{x}}(z-g)\), proven in the proof of Proposition 2. We have
As all the elements of \(G\) are pairwise distinct, the polynomials \((z-a)\) are coprime. The least common multiple of all the polynomials \(\underset{a\in A-g}{\prod }(z-a)\) is \(P=\prod _{g \in G} (z - g)\). So, we conclude,
The lemma allows one to deduce a parity-check matrix of \(\fancyscript{C}^{(p^\lambda )}\) from any parity-check matrix \(\varvec{H}\) of \(\fancyscript{C}^{(t)}_{pub}\). Indeed, observe that for any row \(\mathbf h\) of \(\varvec{H}\) and any permutation \(\sigma \) of the indices:
To ensure that a word \(\varvec{c}\) and all its permuted words \(c^{\sigma _{j_g}}\) for \(g\in G\) belong to \(\fancyscript{C}^{(t)}_{pub}\), it suffices to permute the rows of \(\varvec{H}\) according to all the \(\sigma _{j_g}\)’s with \(g\in G\) and concatenate the obtained matrices. This is precisely what the function \(\Delta _{p^\lambda }\) does for a group \(G\) of size \(p^\lambda \). \(\square \)
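The following Python script is an added worked example covering both appendices; it is not code from the paper. It builds the Appendix 1 code (\(\mathbb {F}_{2^5}\) with modulus \(\omega ^5+\omega ^2+1\), \(\alpha _0=\omega ^{17}\), \(\alpha _1=1\), \(t=4\), \(n=28\)) with the block leaders \(x_{4i}\) chosen here as representatives of the seven cosets of \(G\) other than \(G\) itself (a constructed choice; the paper's own support values are not reproduced on this page), checks that the code is invariant under \(\sigma _1\), \(\sigma _2\) and \(\sigma _1\sigma _2\), folds its generator matrix over the orbits \(\{2i,2i+1\}\) and again over the inherited symmetry using nothing but the public matrix, and confirms that folding over \(\{4i,\ldots ,4i+3\}\) directly gives the same rows. For Appendix 2 it takes \(t=3\), so that \(A=\{g_0,g_1,g_2\}\) is not a subgroup, builds \(\Delta _4(\varvec{H})\) as the concatenation of the row-permuted copies of \(\varvec{H}\) and verifies Lemma 1 by comparing its kernel with \(\fancyscript{G}(\varvec{x},\prod _{g\in G}(z-g))\). The functions `permute`, `fold`, `delta` and the bitmask linear algebra over \(\mathbb {F}_2\) are this example's own; \(\sigma _{j}\) is realised as \(i\mapsto i \oplus j\) (bitwise XOR), which is what Eq. 4 gives for \(p=2\).

```python
"""Added toy example, not code from the paper: the quasi-monoidic binary Goppa
code of Appendix 1 (n=28, m=5, t=4, lambda=2) folded over the sigma_1 / sigma_2
orbits using only the public matrix, and the Delta construction of Appendix 2.
The block leaders of the support are a constructed choice, not the paper's values."""

M, MOD = 5, 0b100101      # F_{2^5} = F_2[w]/(w^5 + w^2 + 1); w is encoded as 0b10

def gf_mul(a, b):         # carry-less product reduced modulo MOD
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> M & 1:
            a ^= MOD
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def gf_inv(a):
    return gf_pow(a, 2 ** M - 2)          # a^(q-2) = a^(-1) for a != 0

ALPHA = (gf_pow(2, 17), 1)                # alpha_0 = w^17, alpha_1 = 1 (Appendix 1)
G = [ALPHA[0] * (j & 1) ^ ALPHA[1] * (j >> 1) for j in range(4)]  # g_j = j_1 a_1 + j_0 a_0

def rref(rows, n):        # Gauss-Jordan over F_2; rows are bitmasks, bit i <-> position i
    rows, pivots = list(rows), []
    for col in range(n):
        k = len(pivots)
        piv = next((i for i in range(k, len(rows)) if rows[i] >> col & 1), None)
        if piv is None:
            continue
        rows[k], rows[piv] = rows[piv], rows[k]
        for i in range(len(rows)):
            if i != k and rows[i] >> col & 1:
                rows[i] ^= rows[k]
        pivots.append(col)
    return rows[:len(pivots)], pivots

def rank(rows, n):
    return len(rref(rows, n)[1])

def nullspace(rows, n):   # basis of {v : row . v = 0 for every row}
    red, pivots = rref(rows, n)
    basis = []
    for f in (c for c in range(n) if c not in pivots):
        v = 1 << f
        for r, p in zip(red, pivots):
            if r >> f & 1:
                v |= 1 << p
        basis.append(v)
    return basis

def same_code(a, b, n):
    return rank(a, n) == rank(b, n) == rank(a + b, n)

def qm_support():
    """Eq. 4: x_{4i+j} = x_{4i} + j_1 alpha_1 + j_0 alpha_0.  Block leaders are
    representatives of the 7 cosets of G other than G, so n = 28 and no x_i is a root."""
    x, used = [], set(G)
    for lead in range(2 ** M):
        if lead not in used:
            block = [lead ^ g for g in G]
            x += block
            used.update(block)
    return x

def goppa(x, roots):
    """Binary Goppa code G(x, prod_{g in roots}(z - g)): (generator rows, parity rows)."""
    n, h = len(x), []
    for r in range(len(roots)):
        for bit in range(M):                  # each F_32 parity row gives m = 5 binary rows
            row = 0
            for i, xi in enumerate(x):
                gamma = 1
                for g in roots:
                    gamma = gf_mul(gamma, xi ^ g)            # Gamma(x_i)
                if gf_mul(gf_inv(gamma), gf_pow(xi, r)) >> bit & 1:
                    row |= 1 << i                            # entry x_i^r / Gamma(x_i)
            h.append(row)
    return nullspace(h, n), h

def permute(word, j, n):
    """sigma_j: position i -> i XOR j, the permutation with x_{sigma_j(i)} = x_i + g_j."""
    return sum(((word >> (i ^ j)) & 1) << i for i in range(n))

def fold(rows, n, p):
    """Sum the coefficients over each orbit {p*i, ..., p*i+p-1}: no private data needed."""
    return [sum((bin((row >> (p * i)) & ((1 << p) - 1)).count("1") & 1) << i
                for i in range(n // p)) for row in rows]

def is_invariant(gen, n, j):
    return all(rank(gen + [permute(row, j, n)], n) == rank(gen, n) for row in gen)

def delta(h, n, offsets):
    """Appendix 2: concatenate the copies of H permuted by every sigma_{j_g}, g in G."""
    return [permute(row, j, n) for j in offsets for row in h]

def demo():
    x = qm_support()
    n = len(x)
    gen2, _ = goppa(x, G)             # C_2 = G(x, Gamma), the roots of Gamma being all of G
    gen1 = fold(gen2, n, 2)           # orbits {2i, 2i+1} of sigma_1
    gen0 = fold(gen1, n // 2, 2)      # the inherited symmetry lets us fold once more
    gen_pub, h_pub = goppa(x, G[:3])  # t = 3 is not 2^lambda: A = {g_0, g_1, g_2} is no subgroup
    gen_lam = nullspace(delta(h_pub, n, range(4)), n)      # C^{(p^lambda)} from Delta_4(H)
    return {"n": n, "k": len(gen2),
            "invariant": [is_invariant(gen2, n, j) for j in (1, 2, 3)],
            "folded_invariant": is_invariant(gen1, n // 2, 1),
            "twice_equals_quad": fold(gen2, n, 4) == gen0,
            "ranks": (rank(gen2, n), rank(gen1, n // 2), rank(gen0, n // 4)),
            "lemma_holds": same_code(gen_lam, gen2, n),
            "pub_contains_lambda": rank(gen_pub + gen2, n) == rank(gen_pub, n)}

if __name__ == "__main__":
    print(demo())
```

The dimensions of the three codes are returned under `ranks` but deliberately not pinned down: the Goppa bound only guarantees \(k\geqslant n-mt=8\), and the size of the folded codes is what Theorem 3 (not reproduced on this page) predicts. Everything else the script reports follows from the text above: the automorphisms of \(\fancyscript{C}_2\), the fact that the folded code inherits the second symmetry, the equality of the two ways of obtaining \(\overline{\varvec{G}}^{(0)}\), and Lemma 1 with \(\fancyscript{C}^{(p^\lambda )}\subseteq \fancyscript{C}^{(t)}_{pub}\).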
Faugère, JC., Otmani, A., Perret, L. et al. Structural cryptanalysis of McEliece schemes with compact keys. Des. Codes Cryptogr. 79, 87–112 (2016). https://doi.org/10.1007/s10623-015-0036-z