Section: New Results

Code-based cryptography

Participants : Rodolfo Canto Torres, Julia Chaulet, Thomas Debris, Adrien Hauteville, Ghazal Kachigar, Irene Márquez Corbella, Nicolas Sendrier, Jean-Pierre Tillich.

The first cryptosystem based on error-correcting codes was a public-key encryption scheme proposed by McEliece in 1978; a dual variant was proposed in 1986 by Niederreiter. We proposed the first (and only) code-based digital signature scheme in 2001. Those systems enjoy very interesting features (fast encryption/decryption, short signatures, good security reduction) but also have their drawbacks (large public key, encryption overhead, expensive signature generation). Some of the main issues in this field are

  • security analysis, including against a quantum adversary, implementation and practicality of existing solutions,

  • reducing the key size, e.g., by using rank metric instead of Hamming metric, or by using particular families of codes,

  • addressing new functionalities, like hashing or symmetric encryption.

Recent results:

  • J. Chaulet and N. Sendrier are working on the analysis of Gallager's bit flipping algorithm for the decoding of QC-MDPC codes. A first outcome is an improved decoder with an adaptive threshold [47]. The ultimate goal of this work is to avoid side-channel attacks on QC-MDPC-McEliece by designing a failure-free constant-time decoder.

  • We have started to explore whether generalized Reed-Solomon codes, and more generally MDS codes, can be used in a McEliece cryptosystem. We began with fundamental work on MDS codes, first characterizing which MDS codes can be efficiently decoded with the rather general technique of error correcting pairs [25]. We have also studied whether it is possible, knowing only a random generator matrix of a code admitting an error correcting pair, to recover the pair itself [55]. The latter problem is precisely the one an attacker has to solve to mount a key attack on a McEliece system based on MDS codes admitting an error correcting pair. Finally, we have come up with what we believe to be a viable McEliece scheme based on Reed-Solomon codes: combining them with a generalized U|U+V construction hides the algebraic structure and at the same time even improves the decoding capacity of the code [57].

  • Design of a new code-based stream cipher, named RankSynd, a variant of Synd for the rank metric [49], and of the first identity-based encryption scheme relying on error correcting codes (paper currently under submission; joint work of P. Gaborit, A. Hauteville, H. Phan and J.P. Tillich).

  • Structural attacks against some variants of the McEliece cryptosystem based on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic, quasi-dyadic, or quasi-monoidic matrices [22]. This result is obtained thanks to a new operation on codes called folding, which exploits the knowledge of the automorphism group of the code [21].

  • Cryptanalysis of a variant of McEliece cryptosystem based on polar codes [38].

  • The previous work has been extended in [39] by exploring some structural properties of polar codes. In particular, we have shown that these codes have a very large automorphism group, and we have found an efficient way of counting their codewords of low weight.

  • Cryptanalysis of all McEliece cryptosystems relying on algebraic geometry codes [73].

  • Cryptanalysis of a code-based signature scheme proposed at PQCrypto 2013 by Baldi et al. [58]. This paper received the best paper award of PQCrypto 2016.

  • R. Canto Torres and N. Sendrier have investigated the information-set decoding algorithms applied to the case where the number of errors is sub-linear in the code length [46]. This situation appears in the analysis of the McEliece scheme based on quasi-cyclic Moderate Density Parity Check (MDPC) codes.

  • We have also investigated other decoding techniques such as statistical decoding [74] or quantum algorithms [75]. The latter work has led to the best known quantum algorithms for decoding a linear code.
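The bit flipping decoder mentioned in the first result above is small enough to be shown in full. The following Python code is an added illustration, not code from the team, from [47] or from any QC-MDPC-McEliece implementation. It builds a toy quasi-cyclic MDPC parity-check matrix H = [H0 | H1] from two sparse circulant blocks (the parameters r = 151, column weight 7 and 3 errors are constructed and far below real parameter sets), computes the syndrome of a chosen error vector, and recovers that error with Gallager's bit flipping rule. The threshold used here is simply the largest counter value, which is an assumption made for the example; the adaptive threshold of [47] is not reproduced. The decoder returns both the error estimate and the number of flipping rounds it needed, and returns None when it gives up, because those two quantities, iteration count and decoding failure, are exactly what vary with the secret error pattern and what a failure-free constant-time decoder is meant to hide.

```python
import random


def build_qc_mdpc(r, d, seed=1):
    """Constructed toy QC-MDPC parity-check matrix H = [H0 | H1].

    Each block is an r x r circulant of row (and column) weight d, so H has
    row weight 2d.  H is kept sparse: a list of r rows, each the frozenset of
    column indices (0 .. 2r-1) where the row has a 1.  The support of the
    first row of each block is drawn from a seeded RNG (constructed data).
    """
    rng = random.Random(seed)
    supports = [sorted(rng.sample(range(r), d)) for _ in range(2)]
    rows = []
    for i in range(r):
        row = set()
        for blk, sup in enumerate(supports):
            for j in sup:
                # row i of a circulant is the first row cyclically shifted by i
                row.add(blk * r + (i + j) % r)
        rows.append(frozenset(row))
    return rows


def syndrome(H, e):
    """Syndrome s = H e^T over GF(2): s[i] is the parity of e on row i's support."""
    return [sum(e[j] for j in row) & 1 for row in H]


def bit_flip_decode(H, s, n, max_iter=20):
    """Gallager bit flipping for syndrome decoding.

    Starting from the all-zero error estimate, each round counts for every
    position how many currently unsatisfied parity checks it belongs to and
    flips the positions that reach the threshold.  The threshold here is the
    maximum counter value (a simple rule assumed for this example; [47] derives
    an adaptive threshold instead).  Returns (error_estimate, rounds_used), or
    (None, max_iter) when the residual syndrome never vanishes, i.e. a
    decoding failure.
    """
    e_hat = [0] * n
    for it in range(max_iter):
        residual = [a ^ b for a, b in zip(s, syndrome(H, e_hat))]
        if not any(residual):
            return e_hat, it
        counters = [0] * n
        for row, unsat in zip(H, residual):
            if unsat:
                for j in row:
                    counters[j] += 1
        threshold = max(counters)
        for j in range(n):
            if counters[j] >= threshold:
                e_hat[j] ^= 1
    return None, max_iter


# Constructed toy instance (assumed values, not a real parameter set).
R, D, T = 151, 7, 3
N = 2 * R
H = build_qc_mdpc(R, D)
ERROR = [0] * N
for pos in (3, 70, 190):      # constructed error pattern of weight T
    ERROR[pos] = 1
S = syndrome(H, ERROR)


def decode_demo():
    """Decode the constructed instance; returns (recovered error, rounds used)."""
    return bit_flip_decode(H, S, N)


if __name__ == "__main__":
    e_hat, rounds = decode_demo()
    print("recovered:", e_hat == ERROR, "rounds:", rounds)
```

Running the script decodes the constructed syndrome back to the planted error. Changing the error positions or the seed changes the number of rounds, and with a higher error weight the max-counter rule can fail outright; both behaviours are visible to anyone timing the decoder or observing failures, which is why the work in [47] aims at a decoder whose running time and success do not depend on the error.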