Abstract
Very few public-key cryptosystems are known that can encrypt and decrypt in time $b^{2+o(1)}$ with conjectured security level $2^b$ against conventional computers and quantum computers. The oldest of these systems is the classic McEliece code-based cryptosystem.
The best attacks known against this system are generic decoding attacks that treat McEliece’s hidden binary Goppa codes as random linear codes. A standard conjecture is that the best possible $w$-error-decoding attacks against random linear codes of dimension $k$ and length $n$ take time $2^{(\alpha(R,W)+o(1))n}$ if $k/n \to R$ and $w/n \to W$ as $n \to \infty$.
Before this paper, the best upper bound known on the exponent $\alpha(R,W)$ was the exponent of an attack introduced by Stern in 1989. This paper introduces “ball-collision decoding” and shows that it has a smaller exponent for each $(R,W)$: the speedup from Stern’s algorithm to ball-collision decoding is exponential in $n$.
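To make the cost model in the abstract concrete, the following added example (not code from the paper, which gives no formulas in its abstract) works out the exponent of the simplest generic decoder in this family, Prange's plain information-set decoding, and compares the exact iteration count for concrete (n, k, w) with the asymptotic n·α form; the Prange exponent H(W) − (1−R)·H(W/(1−R)) is only an upper bound on α(R,W), and Stern's and ball-collision decoding have smaller exponents.

```python
"""Cost model behind the 2^((alpha(R,W)+o(1))n) conjecture, illustrated with
Prange's plain information-set decoding (the simplest generic decoder).
Added example, not code from the paper; its exponent is an upper bound on
alpha(R,W) that Stern's algorithm and ball-collision decoding improve on."""
import math


def binary_entropy(p: float) -> float:
    """H(p) = -p log2 p - (1-p) log2 (1-p), with H(0) = H(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def prange_exponent(R: float, W: float) -> float:
    """Asymptotic exponent of plain information-set decoding.
    One iteration succeeds when all w errors miss a random information set
    of k positions, so the expected iteration count is C(n,w)/C(n-k,w);
    taking log2 and dividing by n gives H(W) - (1-R) H(W/(1-R)) as n grows."""
    assert 0.0 < R < 1.0 and 0.0 <= W <= 1.0 - R
    return binary_entropy(W) - (1.0 - R) * binary_entropy(W / (1.0 - R))


def log2_prange_iterations(n: int, k: int, w: int) -> float:
    """Exact log2 of the expected iteration count C(n,w)/C(n-k,w) for
    concrete (n, k, w); its gap to n * prange_exponent(k/n, w/n) is the
    o(1) n term of the conjecture."""
    return math.log2(math.comb(n, w)) - math.log2(math.comb(n - k, w))


def exponent_gap(n: int, k: int, w: int) -> float:
    """Per-bit difference between the exact count and the asymptotic formula;
    it shrinks as n grows, which is what o(1) in the exponent denotes."""
    return log2_prange_iterations(n, k, w) / n - prange_exponent(k / n, w / n)


if __name__ == "__main__":
    # (1024, 524, 50) are McEliece's original 1978 parameters (not taken from
    # this page); the second tuple is a constructed larger instance at the
    # same rate and error fraction, to show the gap shrinking with n.
    for n, k, w in [(1024, 524, 50), (4096, 2096, 200)]:
        print(n, k, w, round(log2_prange_iterations(n, k, w), 2),
              round(exponent_gap(n, k, w), 6))
```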
References
Adams, C.M., Meijer, H.: Security-related comments regarding McEliece’s public-key cryptosystem. In: Crypto ’87 [46], pp. 224–228 (1987); see also newer version [2]
Adams, C.M., Meijer, H.: Security-related comments regarding McEliece’s public-key cryptosystem. IEEE Transactions on Information Theory 35, 454–455 (1988); see also older version [1]
Al Jabri, A.: A statistical decoding algorithm for general linear block codes. In: IMA 2001 [31], pp. 1–8 (2001)
Ashikhmin, A.E., Barg, A.: Minimal vectors in linear codes. IEEE Transactions on Information Theory 44, 2010–2017 (1998)
Barg, A., Krouk, E.A., van Tilborg, H.C.A.: On the complexity of minimum distance decoding of long linear codes. IEEE Transactions on Information Theory 45, 1392–1405 (1999)
Batten, L., Safavi-Naini, R. (eds.): Information security and privacy: 11th Australasian conference, ACISP 2006, Melbourne, Australia, July 3–5, 2006, proceedings. LNCS, vol. 4058. Springer, Heidelberg (2006); see [43]
Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.): Post-quantum cryptography. Springer, Heidelberg (2009); see [44]
Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the McEliece cryptosystem. In: PQCrypto 2008 [14], pp. 31–46 (2008), http://eprint.iacr.org/2008/318
Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: ball-collision decoding (full version) (2010), http://eprint.iacr.org/2010/585
Bernstein, D.J., Lange, T., Peters, C., van Tilborg, H.C.A.: Explicit bounds for generic decoding algorithms for code-based cryptography. In: WCC 2009 (2009)
Berson, T.A.: Failure of the McEliece public-key cryptosystem under message-resend and related-message attack. In: Crypto ’97 [33], pp. 213–220 (1997)
Blaum, M., Farrell, P.G., van Tilborg, H.C.A. (eds.): Information, coding and mathematics. Kluwer International Series in Engineering and Computer Science, vol. 687. Kluwer, Dordrecht (2002); see [53]
Brent, R.P., Kung, H.T.: The area-time complexity of binary multiplication. Journal of the ACM 28, 521–534 (1981), http://wwwmaths.anu.edu.au/~brent/pub/pub055.html
Buchmann, J., Ding, J. (eds.): Post-quantum cryptography, second international workshop, PQCrypto 2008, Cincinnati, OH, USA, October 17–19, 2008, proceedings. LNCS, vol. 5299. Springer, Heidelberg (2008); see [8]
Camion, P., Charpin, P., Harari, S. (eds.): Eurocode ’92: proceedings of the international symposium on coding theory and applications held in Udine, October 23–30, 1992. Springer, Heidelberg (1993); see [20]
Canteaut, A., Chabanne, H.: A further improvement of the work factor in an attempt at breaking McEliece’s cryptosystem. In: EUROCODE ’94 [21] (1994), http://www.inria.fr/rrrt/rr-2227.html
Canteaut, A., Chabaud, F.: A new algorithm for finding minimum-weight words in a linear code: application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Transactions on Information Theory 44, 367–378 (1998), ftp://ftp.inria.fr/INRIA/tech-reports/RR/RR-2685.ps.gz
Canteaut, A., Sendrier, N.: Cryptanalysis of the original McEliece cryptosystem. In: Asiacrypt ’98 [42], pp. 187–199 (1998)
Chabanne, H., Courteau, B.: Application de la méthode de décodage itérative d’Omura à la cryptanalyse du système de McEliece. Université de Sherbrooke, Rapport de Recherche, number 122 (1993)
Chabaud, F.: Asymptotic analysis of probabilistic algorithms for finding short code-words. In: [15], pp. 175–183 (1993)
Charpin, P. (ed.): Livre des résumé — EUROCODE ’94. Abbaye de la Bussière sur Ouche, France, October 1994 (1994); see [16]
Clark Jr., G.C., Bibb Cain, J.: Error-correcting coding for digital communication. Plenum, New York (1981)
Coffey, J.T., Goodman, R.M.: The complexity of information set decoding. IEEE Transactions on Information Theory 35, 1031–1037 (1990)
Coffey, J.T., Goodman, R.M., Farrell, P.: New approaches to reduced complexity decoding. Discrete and Applied Mathematics 33, 43–60 (1991)
Cohen, G.D., Wolfmann, J. (eds.): Coding theory and applications. LNCS, vol. 388. Springer, Heidelberg (1989); see [50]
Dumer, I.I.: Two decoding algorithms for linear codes. Problemy Peredachi Informatsii 25, 24–32 (1989)
Dumer, I.I.: On minimum distance decoding of linear codes. In: [32], pp. 50–52 (1991)
Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Asiacrypt 2009 [40] (2009), http://eprint.iacr.org/2009/414
Goldwasser, S. (ed.): Advances in cryptology — CRYPTO ’88, proceedings of the conference on the theory and application of cryptography held at the University of California, Santa Barbara, California, August 21–25, 1988. LNCS, vol. 403. Springer, Heidelberg (1990); see [51]
Günther, C.G. (ed.): Advances in cryptology — EUROCRYPT ’88, proceedings of the workshop on the theory and application of cryptographic techniques held in Davos, May 25–27, 1988. LNCS, vol. 330. Springer, Heidelberg (1988); see [38]
Honary, B. (ed.): Cryptography and coding: proceedings of the 8th IMA international conference held in Cirencester, December 17–19. LNCS, vol. 2260. Springer, Heidelberg (2001); see [3]
Kabatianskii, G.A. (ed.): Fifth joint Soviet-Swedish international workshop on information theory, Moscow, 1991 (1991); see [27]
Kaliski Jr., B.S. (ed.): Advances in cryptology — CRYPTO ’97: 17th annual international cryptology conference, Santa Barbara, California, USA, August 17–21, 1997, proceedings. LNCS, vol. 1294. Springer, Heidelberg (1997); see [11]
Kim, K. (ed.): Public key cryptography: proceedings of the 4th international workshop on practice and theory in public key cryptosystems (PKC 2001) held on Cheju Island, February 13–15, 2001. LNCS, vol. 1992. Springer, Heidelberg (2001); see [36]
Kleinjung, T., Aoki, K., Franke, J., Lenstra, A.K., Thomé, E., Bos, J.W., Gaudry, P., Kruppa, A., Montgomery, P.L., Osvik, D.A., te Riele, H., Timofeev, A., Zimmermann, P.: Factorization of a 768-bit RSA modulus. In: Crypto 2010 [48], pp. 333–350 (2010), http://eprint.iacr.org/2010/006
Kobara, K., Imai, H.: Semantically secure McEliece public-key cryptosystems — conversions for McEliece PKC. In: PKC 2001 [34], pp. 19–35 (2001)
Krouk, E.A.: Decoding complexity bound for linear block codes. Problemy Peredachi Informatsii 25, 103–107 (1989)
Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: Eurocrypt ’88 [30], pp. 275–280 (1988), http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/E88/275.PDF
Leon, J.S.: A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Transactions on Information Theory 34, 1354–1359 (1988)
Matsui, M. (ed.): Advances in cryptology — ASIACRYPT 2009, 15th international conference on the theory and application of cryptology and information security, Tokyo, Japan, December 6–10, 2009, proceedings. LNCS, vol. 5912. Springer, Heidelberg (2009); see [28]
McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report 114–116 (1978), http://ipnpr.jpl.nasa.gov/progress_report2/42-44/44N.PDF
Ohta, K., Pei, D. (eds.): Advances in cryptology — ASIACRYPT ’98: proceedings of the international conference on the theory and application of cryptology and information security held in Beijing. LNCS, vol. 1514. Springer, Heidelberg (1998); see [18]
Overbeck, R.: Statistical decoding revisited. In: ACISP 2006 [6], pp. 283–294 (2006)
Overbeck, R., Sendrier, N.: Code-based cryptography. In: [7], pp. 95–145 (2009)
Peters, C.: Information-set decoding for linear codes over F_q. In: Post-Quantum Cryptography [49], pp. 81–94 (2010)
Pomerance, C. (ed.): Advances in cryptology — CRYPTO ’87, proceedings of the conference on the theory and applications of cryptographic techniques held at the University of California, Santa Barbara, California, August 16–20, 1987. LNCS, vol. 293. Springer, Heidelberg (1987), http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/C87/224.PDF ; see [1]
Prange, E.: The use of information sets in decoding cyclic codes. IRE Transactions on Information Theory IT-8, S5–S9 (1962)
Rabin, T. (ed.): Advances in cryptology — CRYPTO 2010, 30th annual cryptology conference, Santa Barbara, CA, USA, August 15–19, 2010, proceedings. LNCS, vol. 6223. Springer, Heidelberg (2010); see [35]
Sendrier, N. (ed.): Post-quantum cryptography, third international workshop, PQCrypto, Darmstadt, Germany, May 25–28, 2010, proceedings. LNCS, vol. 6061. Springer, Heidelberg (2010); see [45]
Stern, J.: A method for finding codewords of small weight. In: [25], pp. 106–113 (1989)
van Tilburg, J.: On the McEliece public-key cryptosystem. In: Crypto ’88 [29], pp. 119–131 (1990)
van Tilburg, J.: Security-analysis of a class of cryptosystems based on linear error-correcting codes. Ph.D. thesis, Technische Universiteit Eindhoven (1994)
Verheul, E.R., Doumen, J.M., van Tilborg, H.C.A.: Sloppy Alice attacks! Adaptive chosen ciphertext attacks on the McEliece public-key cryptosystem. In: [12], pp. 99–119 (2002)
© 2011 International Association for Cryptologic Research
Cite this paper
Bernstein, D.J., Lange, T., Peters, C. (2011). Smaller Decoding Exponents: Ball-Collision Decoding. In: Rogaway, P. (eds) Advances in Cryptology – CRYPTO 2011. CRYPTO 2011. Lecture Notes in Computer Science, vol 6841. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22792-9_42
DOI: https://doi.org/10.1007/978-3-642-22792-9_42
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22791-2
Online ISBN: 978-3-642-22792-9