code-based cryptography - mceliece cryptosystemcode-based cryptography mceliece cryptosystem 0 i....
TRANSCRIPT
![Page 1: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/1.jpg)
Code-Based CryptographyMcEliece Cryptosystem
0I. Márquez-Corbella
![Page 2: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/2.jpg)
2. McEliece Cryptosystem
1. Formal Definition2. Security-Reduction Proof3. McEliece Assumptions4. Notions of Security5. Critical Attacks - Semantic Secure Conversions6. Reducing the Key Size7. Reducing the Key Size - LDPC codes8. Reducing the Key Size - MDPC codes9. Implementation
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY
![Page 3: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/3.jpg)
Low-density parity-check (LDPC) codes1963: Gallager introduced LDPC codes
R. G. Gallager.Low-Density Parity-Check Codees.PhD thesis, MIT, 1963.
1981: Tanner introduced a graphical representationR. M. Tanner.A recursive approach to low complexity codes.In IEEE Transaction on Information Theory, 27(5):533-547, 2006.
1996: MacKay and Neal (re)-discovered LDPC codesD. J.C. MacKay and R. M. Neal.Near shannon limit performance of Low Density Parity Check codes.Electronics Letters, 32:1645âAS1646, 1996.
1
![Page 4: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/4.jpg)
Low-density parity-check (LDPC) codes1963: Gallager introduced LDPC codes
R. G. Gallager.Low-Density Parity-Check Codees.PhD thesis, MIT, 1963.
1981: Tanner introduced a graphical representationR. M. Tanner.A recursive approach to low complexity codes.In IEEE Transaction on Information Theory, 27(5):533-547, 2006.
1996: MacKay and Neal (re)-discovered LDPC codesD. J.C. MacKay and R. M. Neal.Near shannon limit performance of Low Density Parity Check codes.Electronics Letters, 32:1645âAS1646, 1996.
1
![Page 5: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/5.jpg)
Low-density parity-check (LDPC) codes1963: Gallager introduced LDPC codes
R. G. Gallager.Low-Density Parity-Check Codees.PhD thesis, MIT, 1963.
1981: Tanner introduced a graphical representationR. M. Tanner.A recursive approach to low complexity codes.In IEEE Transaction on Information Theory, 27(5):533-547, 2006.
1996: MacKay and Neal (re)-discovered LDPC codesD. J.C. MacKay and R. M. Neal.Near shannon limit performance of Low Density Parity Check codes.Electronics Letters, 32:1645âAS1646, 1996.
1
![Page 6: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/6.jpg)
Representation for LDPC codes• Matrix Representation: Sparse parity check matrix H ∈ Fm×n
2
• Graphical Representation
C V
C1
C2
. . .
Cm
V1
. . .
Vn
Check nodesCi ←→ i-th row of H
Variable nodesVj ←→ j-th column of H
Edgesei ,j = {Ci ,Vj} ←→ hi ,j = 1 in H
2
![Page 7: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/7.jpg)
Representation for LDPC codes• Matrix Representation: Sparse parity check matrix H ∈ Fm×n
2• Graphical Representation
C V
Bipartite Graph
C1
C2
. . .
Cm
V1
. . .
Vn
Check nodesCi ←→ i-th row of H
Variable nodesVj ←→ j-th column of H
Edgesei ,j = {Ci ,Vj} ←→ hi ,j = 1 in H
2
![Page 8: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/8.jpg)
Representation for LDPC codes• Matrix Representation: Sparse parity check matrix H ∈ Fm×n
2• Graphical Representation
C V
Tanner Graph
C1
C2
. . .
Cm
V1
. . .
Vn
Check nodesCi ←→ i-th row of H
Variable nodesVj ←→ j-th column of H
Edgesei ,j = {Ci ,Vj} ←→ hi ,j = 1 in H
2
![Page 9: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/9.jpg)
Representation for LDPC codes• Matrix Representation: Sparse parity check matrix H ∈ Fm×n
2• Graphical Representation
C V
Tanner Graph
C1
C2
. . .
Cm
V1
. . .
Vn
Check nodesCi ←→ i-th row of H
Variable nodesVj ←→ j-th column of H
Edgesei ,j = {Ci ,Vj} ←→ hi ,j = 1 in H
2
![Page 10: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/10.jpg)
Representation for LDPC codes• Matrix Representation: Sparse parity check matrix H ∈ Fm×n
2• Graphical Representation
C V
Tanner Graph
C1
C2
. . .
Cm
V1
. . .
Vn
Check nodesCi ←→ i-th row of H
Variable nodesVj ←→ j-th column of H
Edgesei ,j = {Ci ,Vj} ←→ hi ,j = 1 in H
2
![Page 11: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/11.jpg)
Example
V1
V2
V3
V4
V5
V6
V7
V8
V9
V10
C1
C2
C3
Let C be an [10,7] binary LDPC code withparity-check matrix:
H =
0 1 1 1 0 1 0 0 0 01 0 0 0 0 0 1 0 1 11 1 1 0 0 0 0 1 0 0
∈ F3×102
3
![Page 12: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/12.jpg)
ExampleV1
V2
V3
V4
V5
V6
V7
V8
V9
V10
C1
C2
C3
Let C be an [10,7] binary LDPC code withparity-check matrix:
H =
0 1 1 1 0 1 0 0 0 01 0 0 0 0 0 1 0 1 11 1 1 0 0 0 0 1 0 0
∈ F3×102
3
![Page 13: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/13.jpg)
ExampleV1
V2
V3
V4
V5
V6
V7
V8
V9
V10
C1
C2
C3
Let C be an [10,7] binary LDPC code withparity-check matrix:
H =
0 1 1 1 0 1 0 0 0 01 0 0 0 0 0 1 0 1 11 1 1 0 0 0 0 1 0 0
∈ F3×102
3
![Page 14: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/14.jpg)
ExampleV1
V2
V3
V4
V5
V6
V7
V8
V9
V10
C1
C2
C3
Let C be an [10,7] binary LDPC code withparity-check matrix:
H =
0 1 1 1 0 1 0 0 0 01 0 0 0 0 0 1 0 1 11 1 1 0 0 0 0 1 0 0
∈ F3×102
3
![Page 15: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/15.jpg)
ExampleV1
V2
V3
V4
V5
V6
V7
V8
V9
V10
C1
C2
C3
Let C be an [10,7] binary LDPC code withparity-check matrix:
H =
0 1 1 1 0 1 0 0 0 01 0 0 0 0 0 1 0 1 11 1 1 0 0 0 0 1 0 0
∈ F3×102
3
![Page 16: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/16.jpg)
ExampleV1
V2
V3
V4
V5
V6
V7
V8
V9
V10
C1
C2
C3
Let C be an [10,7] binary LDPC code withparity-check matrix:
H =
0 1 1 1 0 1 0 0 0 01 0 0 0 0 0 1 0 1 11 1 1 0 0 0 0 1 0 0
∈ F3×102
3
![Page 17: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/17.jpg)
Bit-Flipping decoding algorithmStep 1 - Iteration I Compute:
fj := Number of unsatisfied parity-check equations of Vj with j = 1, . . . ,nf := max(f1, . . . , fn)
Step 2 - Iteration I Bit-Flipping
Vj =
{1− Vj , if fj = f
Vj , otherwise
Step 3 - Iteration I Stop Criterion• Success: If f = 0 and I < Imax
• Failure: If f 6= 0 and I = Imax
4
![Page 18: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/18.jpg)
Bit-Flipping decoding algorithmStep 1 - Iteration I Compute:
fj := Number of unsatisfied parity-check equations of Vj with j = 1, . . . ,nf := max(f1, . . . , fn)
Step 2 - Iteration I Bit-Flipping
Vj =
{1− Vj , if fj = f
Vj , otherwise
Step 3 - Iteration I Stop Criterion• Success: If f = 0 and I < Imax
• Failure: If f 6= 0 and I = Imax
4
![Page 19: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/19.jpg)
Bit-Flipping decoding algorithmStep 1 - Iteration I Compute:
fj := Number of unsatisfied parity-check equations of Vj with j = 1, . . . ,nf := max(f1, . . . , fn)
Step 2 - Iteration I Bit-Flipping
Vj =
{1− Vj , if fj = f
Vj , otherwise
Step 3 - Iteration I Stop Criterion• Success: If f = 0 and I < Imax
• Failure: If f 6= 0 and I = Imax
4
![Page 20: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/20.jpg)
Bit-Flipping Decoding - Example
V1 V2 V3 V4Current 0 1 1 1
C0 7 7 − −C1 3 − 3 3
fj 1 1 0 0Updated 1 0 1 1
C0 7 7 − −C1 7 − 7 7
fj 2 1 1 1Updated 0 0 1 1
C0 3 3 − −C1 3 − 3 3
fj 0 0 0 0
Received Data: (0,1,1,1)
C1 C2
V1 V2 V3 V4
Decoding Result: (0,0,1,1)
5
![Page 21: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/21.jpg)
Bit-Flipping Decoding - ExampleV1 V2 V3 V4
Current 0 1 1 1C0 7 7 − −C1 3 − 3 3
fj 1 1 0 0
Updated 1 0 1 1C0 7 7 − −C1 7 − 7 7
fj 2 1 1 1Updated 0 0 1 1
C0 3 3 − −C1 3 − 3 3
fj 0 0 0 0
Received Data: (0,1,1,1)
C1 C2
V1 V2 V3 V4
Decoding Result: (0,0,1,1)
5
![Page 22: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/22.jpg)
Bit-Flipping Decoding - ExampleV1 V2 V3 V4
Current 0 1 1 1C0 7 7 − −C1 3 − 3 3
fj 1 1 0 0Updated 1 0 1 1
C0 7 7 − −C1 7 − 7 7
fj 2 1 1 1
Updated 0 0 1 1C0 3 3 − −C1 3 − 3 3
fj 0 0 0 0
Received Data: (0,1,1,1)
C1 C2
V1 V2 V3 V4
Decoding Result: (0,0,1,1)
5
![Page 23: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/23.jpg)
Bit-Flipping Decoding - ExampleV1 V2 V3 V4
Current 0 1 1 1C0 7 7 − −C1 3 − 3 3
fj 1 1 0 0Updated 1 0 1 1
C0 7 7 − −C1 7 − 7 7
fj 2 1 1 1Updated 0 0 1 1
C0 3 3 − −C1 3 − 3 3
fj 0 0 0 0
Received Data: (0,1,1,1)
C1 C2
V1 V2 V3 V4
Decoding Result: (0,0,1,1)
5
![Page 24: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/24.jpg)
Bit-Flipping Decoding - ExampleV1 V2 V3 V4
Current 0 1 1 1C0 7 7 − −C1 3 − 3 3
fj 1 1 0 0Updated 1 0 1 1
C0 7 7 − −C1 7 − 7 7
fj 2 1 1 1Updated 0 0 1 1
C0 3 3 − −C1 3 − 3 3
fj 0 0 0 0
Received Data: (0,1,1,1)
C1 C2
V1 V2 V3 V4
Decoding Result: (0,0,1,1)
5
![Page 25: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/25.jpg)
Variants based on LDPC codes
âUsing pure LDPC codesC. Monico, J. Rosenthal, A. Shokrollahi.Using low density parity check codes in the McEliece cryptosystem.In ISIT 2000, pp. 215.
7Weakness: Search for low weight codewords in the dual of the publiccode
6
![Page 26: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/26.jpg)
Variants based on LDPC codes
âUsing pure LDPC codesC. Monico, J. Rosenthal, A. Shokrollahi.Using low density parity check codes in the McEliece cryptosystem.In ISIT 2000, pp. 215.
7Weakness: Search for low weight codewords in the dual of the publiccode
6
![Page 27: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/27.jpg)
Variants using QC-LDPC codesâ First proposal
M. Baldi, F. Chiaraluce, and R. Garello.On the usage of quasicyclic low-density parity-check codes in the McEliece cryptosystem..In ICEE 2006, pp. 305-310.
7 Weakness: Same as the pure LDPC variants.
â Using an auxiliary “dense” matrixM. Baldi, F. Chiaraluce, R. Garello, and F. Mininni.Quasi-cyclic low-density parity-check codes in the McEliececryptosystem.In ICC 2007, pp. 951-956.
M. Baldi and F. Chiaraluce.Cryptanalysis of a new instance of McEliece cryptosystem basedon QC-LDPC codes.In ISIT 2007, pp. 2591-2595.
7 Attack:A. Otmani, J.P. Tillich, and L. Dallot.Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes.Special Issues of Mathematics in Computer Science, pp. 126-140, 2010.
â New variant:M. Baldi, M. Bodrato, and F. Chiaraluce.A new analysis of the McEliece cryptosystem based on QC-LDPC codes.In SCN 2008, pp. 246-262.
7
![Page 28: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/28.jpg)
Variants using QC-LDPC codesâ First proposal
M. Baldi, F. Chiaraluce, and R. Garello.On the usage of quasicyclic low-density parity-check codes in the McEliece cryptosystem..In ICEE 2006, pp. 305-310.
7 Weakness: Same as the pure LDPC variants.
â Using an auxiliary “dense” matrixM. Baldi, F. Chiaraluce, R. Garello, and F. Mininni.Quasi-cyclic low-density parity-check codes in the McEliececryptosystem.In ICC 2007, pp. 951-956.
M. Baldi and F. Chiaraluce.Cryptanalysis of a new instance of McEliece cryptosystem basedon QC-LDPC codes.In ISIT 2007, pp. 2591-2595.
7 Attack:A. Otmani, J.P. Tillich, and L. Dallot.Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes.Special Issues of Mathematics in Computer Science, pp. 126-140, 2010.
â New variant:M. Baldi, M. Bodrato, and F. Chiaraluce.A new analysis of the McEliece cryptosystem based on QC-LDPC codes.In SCN 2008, pp. 246-262.
7
![Page 29: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/29.jpg)
Variants using QC-LDPC codesâ First proposal
M. Baldi, F. Chiaraluce, and R. Garello.On the usage of quasicyclic low-density parity-check codes in the McEliece cryptosystem..In ICEE 2006, pp. 305-310.
7 Weakness: Same as the pure LDPC variants.
â Using an auxiliary “dense” matrixM. Baldi, F. Chiaraluce, R. Garello, and F. Mininni.Quasi-cyclic low-density parity-check codes in the McEliececryptosystem.In ICC 2007, pp. 951-956.
M. Baldi and F. Chiaraluce.Cryptanalysis of a new instance of McEliece cryptosystem basedon QC-LDPC codes.In ISIT 2007, pp. 2591-2595.
7 Attack:A. Otmani, J.P. Tillich, and L. Dallot.Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes.Special Issues of Mathematics in Computer Science, pp. 126-140, 2010.
â New variant:M. Baldi, M. Bodrato, and F. Chiaraluce.A new analysis of the McEliece cryptosystem based on QC-LDPC codes.In SCN 2008, pp. 246-262.
7
![Page 30: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/30.jpg)
Variants using QC-LDPC codesâ First proposal
M. Baldi, F. Chiaraluce, and R. Garello.On the usage of quasicyclic low-density parity-check codes in the McEliece cryptosystem..In ICEE 2006, pp. 305-310.
7 Weakness: Same as the pure LDPC variants.
â Using an auxiliary “dense” matrixM. Baldi, F. Chiaraluce, R. Garello, and F. Mininni.Quasi-cyclic low-density parity-check codes in the McEliececryptosystem.In ICC 2007, pp. 951-956.
M. Baldi and F. Chiaraluce.Cryptanalysis of a new instance of McEliece cryptosystem basedon QC-LDPC codes.In ISIT 2007, pp. 2591-2595.
7 Attack:A. Otmani, J.P. Tillich, and L. Dallot.Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes.Special Issues of Mathematics in Computer Science, pp. 126-140, 2010.
â New variant:M. Baldi, M. Bodrato, and F. Chiaraluce.A new analysis of the McEliece cryptosystem based on QC-LDPC codes.In SCN 2008, pp. 246-262.
7
![Page 31: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/31.jpg)
Variants using QC-LDPC codesâ First proposal
M. Baldi, F. Chiaraluce, and R. Garello.On the usage of quasicyclic low-density parity-check codes in the McEliece cryptosystem..In ICEE 2006, pp. 305-310.
7 Weakness: Same as the pure LDPC variants.
â Using an auxiliary “dense” matrixM. Baldi, F. Chiaraluce, R. Garello, and F. Mininni.Quasi-cyclic low-density parity-check codes in the McEliececryptosystem.In ICC 2007, pp. 951-956.
M. Baldi and F. Chiaraluce.Cryptanalysis of a new instance of McEliece cryptosystem basedon QC-LDPC codes.In ISIT 2007, pp. 2591-2595.
7 Attack:A. Otmani, J.P. Tillich, and L. Dallot.Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes.Special Issues of Mathematics in Computer Science, pp. 126-140, 2010.
â New variant:M. Baldi, M. Bodrato, and F. Chiaraluce.A new analysis of the McEliece cryptosystem based on QC-LDPC codes.In SCN 2008, pp. 246-262.
7
![Page 32: Code-Based Cryptography - McEliece CryptosystemCode-Based Cryptography McEliece Cryptosystem 0 I. Márquez-Corbella 2. McEliece Cryptosystem 1.Formal Definition 2.Security-Reduction](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa3d4774639e47458081e8d/html5/thumbnails/32.jpg)
2. McEliece Cryptosystem
1. Formal Definition2. Security-Reduction Proof3. McEliece Assumptions4. Notions of Security5. Critical Attacks - Semantic Secure Conversions6. Reducing the Key Size7. Reducing the Key Size - LDPC codes8. Reducing the Key Size - MDPC codes9. Implementation
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY