Smaller Decoding Exponents: Ball-Collision Decoding

  • Daniel J. Bernstein
  • Tanja Lange
  • Christiane Peters
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6841)

Abstract

Very few public-key cryptosystems are known that can encrypt and decrypt in time $b^{2+o(1)}$ with conjectured security level $2^b$ against conventional computers and quantum computers. The oldest of these systems is the classic McEliece code-based cryptosystem.

The best attacks known against this system are generic decoding attacks that treat McEliece’s hidden binary Goppa codes as random linear codes. A standard conjecture is that the best possible w-error-decoding attacks against random linear codes of dimension k and length n take time $2^{(\alpha(R,W)+o(1))n}$ if $k/n \to R$ and $w/n \to W$ as $n \to \infty$.

Before this paper, the best upper bound known on the exponent α(R,W) was the exponent of an attack introduced by Stern in 1989. This paper introduces “ball-collision decoding” and shows that it has a smaller exponent for each (R,W): the speedup from Stern’s algorithm to ball-collision decoding is exponential in n.
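To make the exponent model of the abstract concrete, the following added script (not code from the paper or its authors) evaluates $\alpha(R,W)$ for two information-set decoders, Prange's plain algorithm and Stern's 1989 algorithm, at rate 1/2 and the error weight a McEliece-style system can uniquely correct. The cost formulas for those two algorithms are the standard textbook asymptotics assumed here, not taken from this page, and the ball-collision exponent itself is not reproduced; the point is to show how an exponent gap like the one the paper proves translates into a speedup exponential in n.

```python
# Added example (not from the paper): asymptotic exponents alpha(R, W) in the
# model of the abstract, cost 2^((alpha + o(1)) n) with k/n -> R, w/n -> W.
# Uses log2 C(n, a n) = n H(a) + o(n); polynomial factors are dropped.
import math

def H(x):
    """Binary entropy in bits, with H(0) = H(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def prange_exponent(R, W):
    """Plain information-set decoding: a trial succeeds iff all w errors miss
    the k information positions, so trials ~ C(n,w)/C(n-k,w) and the
    per-trial cost (one Gaussian elimination) is polynomial."""
    return H(W) - (1 - R) * H(W / (1 - R))

def stern_exponent(R, W, steps=2000):
    """Stern's collision decoding, standard asymptotic analysis (not from this
    page): p = P n errors in each half of the information set, l = L n parity
    rows, with 2^l taken equal to the list size C(k/2,p), the usual balanced
    choice.  Trials ~ C(n,w) / (C(k/2,p)^2 C(n-k-l,w-2p)), cost per trial
    ~ C(k/2,p).  Minimise over P on a grid; P = 0 recovers Prange."""
    best = prange_exponent(R, W)
    for i in range(1, steps):
        P = (W / 2) * i / steps
        if 2 * P / R >= 1.0:
            break
        L = (R / 2) * H(2 * P / R)            # l/n = log2(list size)/n
        rest = 1 - R - L                      # unselected parity columns / n
        if rest <= 0.0 or (W - 2 * P) / rest >= 1.0:
            continue
        trials = H(W) - 2 * L - rest * H((W - 2 * P) / rest)
        best = min(best, trials + L)
    return best

def half_gv_weight(R):
    """W with H(2W) = 1 - R: half the Gilbert-Varshamov distance, the error
    weight a McEliece-style system of rate R can uniquely correct."""
    lo, hi = 0.0, 0.25
    for _ in range(60):                       # bisection; H(2W) increases on [0, 0.25]
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if H(2 * mid) < 1 - R else (lo, mid)
    return (lo + hi) / 2

def compare(R=0.5):
    """(W, alpha_Prange, alpha_Stern) at rate R; a positive gap means the
    speedup is exponential in n, as the paper claims for ball-collision."""
    W = half_gv_weight(R)
    return W, prange_exponent(R, W), stern_exponent(R, W)
```

At R = 1/2 the script returns an exponent for Stern below Prange's by roughly two thousandths, which is what an "exponential speedup" looks like in this model; the paper's own gap between Stern and ball-collision decoding is of the same kind but much smaller.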

Keywords

McEliece cryptosystem, Niederreiter cryptosystem, post-quantum cryptography, attacks, information-set decoding, collision decoding

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Daniel J. Bernstein (1)
  • Tanja Lange (2)
  • Christiane Peters (2)

  1. Department of Computer Science, University of Illinois at Chicago, Chicago, USA
  2. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, Netherlands