Journal ArticleDOI

Reducible rank codes and their applications to cryptography

TL;DR: A new family of so-called reducible rank codes, which generalize rank product codes, is presented; it includes maximal rank distance (MRD) codes for lengths n > N in the field F_N.

Abstract: We present a new family of so-called reducible rank codes which are a generalization of rank product codes. This family includes maximal rank distance (MRD) codes for lengths n > N in the field F_N. We give methods for encoding and decoding reducible rank codes. A public key cryptosystem based on these codes and on the idea of a column scrambler is proposed. The column scrambler "mixes" columns of a generator (parity-check) matrix of a code. It makes the system more resistant to structural attacks such as Gibson's attacks. Possible attacks on the system are thoroughly studied. The system is found to be secure against known attacks for public keys of about 16 kbits and greater.
Citations
Book ChapterDOI
01 Jan 2009

150 citations


Cites background from "Reducible rank codes and their appl..."

  • ...[27], [26], [28], [70] and [35]) in order to reduce the public key size....

  • ...8. Reducible Codes [26]: Choose some matrices Y ∈ F^{k×n} and S ∈ F^{l×k} with l ≤ k. Then take the code generated by % SG 0...

Journal ArticleDOI
TL;DR: The Gabidulin version of the McEliece cryptosystem and its variants are looked at, with the result that there are no secure parameter sets left for GPT variants, which one would like to use in practice.
Abstract: In this paper we look at the Gabidulin version of the McEliece cryptosystem (GPT) and its variants. We give an overview over the existing structural attacks on the basic scheme, and show how to combine them to get an effective attack for every GPT variant. As a consequence, there are no secure parameter sets left for GPT variants, which one would like to use in practice.

149 citations


Cites background from "Reducible rank codes and their appl..."

  • ...In [9], the authors proposed to substitute the underlying code by a reducible rank code:...

  • ...In the examples from [9] the authors propose to take two Gabidulin codes G_1 and G_2 over F_{q^m} (with length n_i and dimension k_i, i = 1, 2) and a random matrix Y = Y_{21} ∈ F_{q^m}^{k_2×n_1} to build a reducible rank code G....

  • ...Using this construction, the authors of [9] propose that the...

  • ...The authors of [9] considered every parameter set with m_i ≥ 24 and r ≥ 4 to provide sufficient security, even if X_1 and X_2 are zero matrices....
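The construction summarized in the paper's abstract above, and spelled out in the snippet just quoted (two Gabidulin codes G_1 and G_2 with a random block Y_{21} in the lower-left corner of the generator matrix, the whole then hidden behind a column scrambler), can be tried out at toy size. The Python below is an added example, not code from the paper or from any of the cited works. It assumes q = 2, m = 4, the irreducible polynomial x^4 + x + 1, toy parameters n_1 = 3, k_1 = 1, n_2 = 4, k_2 = 2, a fixed-seed random Y, and a column scrambler taken as a nonsingular matrix over the base field GF(2) (the case in which rank weight is provably preserved; the paper's own choice of scrambler is not reproduced here). All of these are constructed choices.

```python
# Added example (not from the paper or the cited works): build a toy reducible
# rank code from two Gabidulin codes over GF(2^m), measure its minimum rank
# distance by exhaustive search, and check that a column scrambler over the
# base field GF(2) leaves the rank distance unchanged.
import itertools
import random

M = 4            # extension degree m: code symbols are elements of GF(2^4)
POLY = 0b10011   # x^4 + x + 1, irreducible over GF(2) (constructed choice)


def gf_mul(a, b):
    """Multiply two GF(2^M) elements held as M-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= POLY
    return r


def frob(a, i):
    """a^(2^i): the q-power (q = 2) that defines a Gabidulin code."""
    for _ in range(i):
        a = gf_mul(a, a)
    return a


def gabidulin_generator(g, k):
    """k x n generator matrix G[i][j] = g[j]^(2^i); with g linearly independent
    over GF(2) the code is MRD, i.e. its rank distance is n - k + 1."""
    return [[frob(gj, i) for gj in g] for i in range(k)]


def gf2_rank(rows, nbits):
    """Rank over GF(2) of nbits-bit row vectors (Gaussian elimination)."""
    rows = list(rows)
    rank = 0
    for bit in reversed(range(nbits)):
        pivot = next((r for r in rows if (r >> bit) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows]
        rank += 1
    return rank


def rank_weight(vec):
    """Rank weight: GF(2)-dimension spanned by the coordinates, i.e. the rank
    of the M x n binary matrix whose columns are the coordinates."""
    return gf2_rank(vec, M)


def encode(G, u):
    """Codeword u * G over GF(2^M); vector addition is bitwise XOR."""
    c = [0] * len(G[0])
    for ui, row in zip(u, G):
        if ui:
            c = [cj ^ gf_mul(ui, gj) for cj, gj in zip(c, row)]
    return c


def reducible_generator(G1, G2, Y):
    """Generator matrix [[G1, 0], [Y, G2]] of the reducible rank code."""
    n2 = len(G2[0])
    return [row + [0] * n2 for row in G1] + [y + g for y, g in zip(Y, G2)]


def scramble(vec, P):
    """vec * P for an n x n matrix P over GF(2), P[i] = row i as a bitmask.
    A nonsingular P over the base field only recombines the columns of the
    M x n matrix behind vec, so the rank weight cannot change."""
    n = len(vec)
    out = [0] * n
    for vi, prow in zip(vec, P):
        for j in range(n):
            if (prow >> j) & 1:
                out[j] ^= vi
    return out


def random_scrambler(n, rng):
    """Random nonsingular n x n matrix over GF(2), as n row bitmasks."""
    while True:
        P = [rng.randrange(1, 1 << n) for _ in range(n)]
        if gf2_rank(P, n) == n:
            return P


def min_rank_distance(G):
    """Exhaustive minimum rank weight over nonzero messages (toy sizes only)."""
    return min(rank_weight(encode(G, u))
               for u in itertools.product(range(1 << M), repeat=len(G)) if any(u))


def build_example(seed=7):
    """Secret code G and its column-scrambled public version G * P.
    Constructed parameters: n1 = 3, k1 = 1, n2 = 4, k2 = 2, so d1 = d2 = 3."""
    rng = random.Random(seed)
    G1 = gabidulin_generator([0b0001, 0b0010, 0b0100], 1)          # 1, x, x^2
    G2 = gabidulin_generator([0b0001, 0b0010, 0b0100, 0b1000], 2)  # 1, x, x^2, x^3
    Y = [[rng.randrange(1 << M) for _ in range(3)] for _ in range(2)]  # k2 x n1
    G = reducible_generator(G1, G2, Y)
    P = random_scrambler(len(G[0]), rng)
    return G, [scramble(row, P) for row in G]


if __name__ == "__main__":
    G, G_pub = build_example()
    print("secret reducible code: min rank distance", min_rank_distance(G))
    print("scrambled public code: min rank distance", min_rank_distance(G_pub))
```

Both distances come out as 3: a message with u_2 = 0 only exercises G_1 (distance 3), and any message with u_2 ≠ 0 already has rank at least d_2 = 3 in its G_2 part, so the reducible code's distance is min(d_1, d_2) whatever Y is. The exhaustive search over all 16^3 messages is what makes this checkable at toy size; at the paper's parameter sizes (public keys of about 16 kbits) only the algebraic argument applies, and the scrambler's job is to keep the [[G_1, 0], [Y, G_2]] block shape from being visible in the public matrix.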

Journal ArticleDOI
TL;DR: It is proved that if ⌈((r+1)(k+1) − (n+1))/r⌉ ≤ k, the RSD problem can be solved with an average complexity of O(r^3 k^3 q^{r⌈((r+1)(k+1) − (n+1))/r⌉}) operations in the base field GF(q).
Abstract: In this paper, we propose two new generic attacks on the rank syndrome decoding (RSD) problem. Let $C$ be a random $[n,k]$ rank code over $GF(q^{m})$ and let $y=x+e$ be a received word, such that $x \in C$ and rank$(e)=r$. The first attack, the support attack, is combinatorial and recovers an error $e$ of rank weight $r$ in $\min(O((n-k)^{3}m^{3}q^{r\lfloor km/n \rfloor}), O((n-k)^{3}m^{3}q^{(r-1)\lfloor (k+1)m/n \rfloor}))$ operations on $GF(q)$. This new attack improves the exponent of the best generic attack on the RSD problem in the case $n > m$, by introducing the ratio $m/n$ into the exponential coefficient of the previously best known attacks. The second attack, the annulator polynomial attack, is an algebraic attack based on the theory of $q$-polynomials introduced by Ore. We propose a new algebraic setting for the RSD problem that makes it possible to consider equations and unknowns in the extension field $GF(q^{m})$ rather than in $GF(q)$, as is usually the case. We consider two approaches to solving the problem in this new setting. The linearization technique shows that if $n \ge (k+1)(r+1)-1$ the RSD problem can be solved in polynomial time. More generally, we prove that if $\lceil ((r+1)(k+1)-(n+1))/r \rceil \le k$, the RSD problem can be solved with an average complexity of $O(r^{3}k^{3}q^{r\lceil ((r+1)(k+1)-(n+1))/r \rceil})$ operations in the base field $GF(q)$. We also consider solving with Gröbner bases, for which we discuss theoretical complexity, and hybrid solving with Gröbner bases on practical parameters. As an example of application, we apply our new attacks to the parameters of all recent cryptosystems that repair the GPT cryptosystem: we break all published proposed parameters, some of them in less than 1 s.

93 citations

Posted Content
TL;DR: In this article, two new generic attacks on the rank syndrome decoding problem are proposed, one combinatorial and one algebraic; the algebraic attack is based on the theory of q-polynomials introduced by Ore.
Abstract: In this paper we propose two new generic attacks on the Rank Syndrome Decoding (RSD) problem. Let $C$ be a random $[n,k]$ rank code over $GF(q^m)$ and let $y=x+e$ be a received word such that $x \in C$ and $Rank(e)=r$. The first attack is combinatorial and recovers an error $e$ of rank weight $r$ in $\min(O((n-k)^3m^3q^{r\lfloor\frac{km}{n}\rfloor}), O((n-k)^3m^3q^{(r-1)\lfloor\frac{(k+1)m}{n}\rfloor}))$ operations on $GF(q)$. This attack dramatically improves on the previous attacks by introducing the length $n$ of the code into the exponent of the complexity, which was not the case in previous generic attacks. The second attack is algebraic: based on the theory of $q$-polynomials introduced by Ore, we propose a new algebraic setting for the RSD problem that makes it possible to consider equations and unknowns in the extension field $GF(q^m)$ rather than in $GF(q)$, as is usually the case. We consider two approaches to solving the problem in this new setting. Linearization techniques show that if $n \ge (k+1)(r+1)-1$ the RSD problem can be solved in polynomial time; more generally, we prove that if $\lceil \frac{(r+1)(k+1)-(n+1)}{r} \rceil \le k$, the problem can be solved with an average complexity of $O(r^3k^3q^{r\lceil \frac{(r+1)(k+1)-(n+1)}{r} \rceil})$. We also consider solving with Gröbner bases, for which we discuss theoretical complexity, and hybrid solving with Gröbner bases on practical parameters. As an example of application we apply our new attacks to all recently proposed cryptosystems that repair the GPT cryptosystem: we break all examples of published proposed parameters, some of them in less than 1 s.

92 citations

References
Book
01 Jun 1984
TL;DR: Volume 2 of a treatise on matrix theory, covering complex symmetric, skew-symmetric and orthogonal matrices; singular pencils of matrices; matrices with non-negative elements; applications of matrix theory to systems of linear differential equations; and the Routh-Hurwitz problem and related stability questions.
Abstract: Volume 2: XI. Complex symmetric, skew-symmetric, and orthogonal matrices: 1. Some formulas for complex orthogonal and unitary matrices 2. Polar decomposition of a complex matrix 3. The normal form of a complex symmetric matrix 4. The normal form of a complex skew-symmetric matrix 5. The normal form of a complex orthogonal matrix XII. Singular pencils of matrices: 1. Introduction 2. Regular pencils of matrices 3. Singular pencils. The reduction theorem 4. The canonical form of a singular pencil of matrices 5. The minimal indices of a pencil. Criterion for strong equivalence of pencils 6. Singular pencils of quadratic forms 7. Application to differential equations XIII. Matrices with non-negative elements: 1. General properties 2. Spectral properties of irreducible non-negative matrices 3. Reducible matrices 4. The normal form of a reducible matrix 5. Primitive and imprimitive matrices 6. Stochastic matrices 7. Limiting probabilities for a homogeneous Markov chain with a finite number of states 8. Totally non-negative matrices 9. Oscillatory matrices XIV. Applications of the theory of matrices to the investigation of systems of linear differential equations: 1. Systems of linear differential equations with variable coefficients. General concepts 2. Lyapunov transformations 3. Reducible systems 4. The canonical form of a reducible system. Erugin's theorem 5. The matricant 6. The multiplicative integral. The infinitesimal calculus of Volterra 7. Differential systems in a complex domain. General properties 8. The multiplicative integral in a complex domain 9. Isolated singular points 10. Regular singularities 11. Reducible analytic systems 12. Analytic functions of several matrices and their application to the investigation of differential systems. The papers of Lappo-Danilevskii XV. The problem of Routh-Hurwitz and related questions: 1. Introduction 2. Cauchy indices 3. Routh's algorithm 4. The singular case. Examples 5. Lyapunov's theorem 6. The theorem of Routh-Hurwitz 7. Orlando's formula 8. Singular cases in the Routh-Hurwitz theorem 9. The method of quadratic forms. Determination of the number of distinct real roots of a polynomial 10. Infinite Hankel matrices of finite rank 11. Determination of the index of an arbitrary rational fraction by the coefficients of numerator and denominator 12. Another proof of the Routh-Hurwitz theorem 13. Some supplements to the Routh-Hurwitz theorem. Stability criterion of Lienard and Chipart 14. Some properties of Hurwitz polynomials. Stieltjes' theorem. Representation of Hurwitz polynomials by continued fractions 15. Domain of stability. Markov parameters 16. Connection with the problem of moments 17. Theorems of Markov and Chebyshev 18. The generalized Routh-Hurwitz problem Bibliography Index.

9,334 citations

Book
01 Jan 1974
TL;DR: This text introduces the basic data structures and programming techniques often used in efficient algorithms, and covers use of lists, push-down stacks, queues, trees, and graphs.
Abstract: From the Publisher: With this text, you gain an understanding of the fundamental concepts of algorithms, the very heart of computer science. It introduces the basic data structures and programming techniques often used in efficient algorithms. Covers use of lists, push-down stacks, queues, trees, and graphs. Later chapters go into sorting, searching and graph algorithms, the string-matching algorithms, and the Schönhage-Strassen integer-multiplication algorithm. Provides numerous graded exercises at the end of each chapter.

9,262 citations


"Reducible rank codes and their appl..." refers background in this paper

  • ...An algorithm to find the greatest common divisor of two linearized polynomials of degree from the ring of linearized polynomials with complexity ( log ) can be elaborated on the basis of the algorithm for finding the gcd of two ordinary polynomials described in [8]....

Book ChapterDOI
08 Apr 1991
TL;DR: A new modification of the McEliece public-key cryptosystem is proposed that employs the so-called maximum-rank-distance codes in place of Goppa codes and that hides the generator matrix of the MRD code by addition of a randomly-chosen matrix.
Abstract: A new modification of the McEliece public-key cryptosystem is proposed that employs the so-called maximum-rank-distance (MRD) codes in place of Goppa codes and that hides the generator matrix of the MRD code by addition of a randomly-chosen matrix. A short review of the mathematical background required for the construction of MRD codes is given. The cryptanalytic work function for the modified McEliece system is shown to be much greater than that of the original system. Extensions of the rank metric are also considered.

265 citations


"Reducible rank codes and their appl..." refers background in this paper

  • ...Originally, codes in rank metric were proposed for cryptographic applications in the GPT public-key cryptosystem [3]....


  • ...The Gabidulin–Paramonov–Tretjakov (GPT) public-key cryptosystem (PKC) (see [3]) is built on linear MRD codes....


Book ChapterDOI
18 Oct 1998
TL;DR: An attack against public-key cryptosystems based on error-correcting codes is presented, which notably points out that McEliece cipher with its original parameters does not provide a sufficient security level.
Abstract: The class of public-key cryptosystems based on error-correcting codes is one of the few alternatives to the common algorithms based on number theory. We here present an attack against these systems which actually consists of a new probabilistic algorithm for finding minimum-weight words in any large linear code. This new attack notably points out that McEliece cipher with its original parameters does not provide a sufficient security level.

122 citations


"Reducible rank codes and their appl..." refers background in this paper

  • ...It is well known that the use of a parity-check matrix in systematic form is as secure as the use of any parity-check matrix: this will halve the size of the key (see further [11])....
