code-based cryptography - mceliece cryptosystem · other cryptographic constructions relying on...

Post on 14-Mar-2020






Click to see full reader


Code-Based Cryptography

1. Error-Correcting Codes and Cryptography2. McEliece Cryptosystem3. Message Attacks (ISD)4. Key Attacks5. Other Cryptographic Constructions Relying on Coding Theory


4. Key Attacks

1. Introduction2. Support Splitting Algorithm3. Distinguisher for GRS codes4. Attack against subcodes of GRS codes5. Error-Correcting Pairs6. Attack against GRS codes7. Attack against Reed-Muller codes8. Attack against Algebraic Geometry codes9. Goppa codes still resist


The Code Equivalence Problem of Linear Codes

Permutation CodeEquivalence (PCE)

Semilinear CodeEquivalence (SLCE)

Linear CodeEquivalence (LCE)

Three notions of codeEquivalence:


The Code Equivalence Problem of Linear Codes

Permutation CodeEquivalence (PCE)

Semilinear CodeEquivalence (SLCE)

Linear CodeEquivalence (LCE)

Three notions of codeEquivalence:

Semilinear Code Equivalence (SLE)

C1SLE⇠ C2 () 9� : C2 = �(C1)

with � = ( � 2 Sn| {z }Permutation

,� = (�1, . . . ,�n) 2 (F⇤q)


| {z }Scalar

,↵ 2 Aut(Fq)| {z }Automorphism



The Code Equivalence Problem of Linear Codes

Permutation CodeEquivalence (PCE)

Semilinear CodeEquivalence (SLCE)

Linear CodeEquivalence (LCE)

Three notions of codeEquivalence:

Permutation Code Equivalence (PE)C1 ⇠ C2 () 9 � 2 Sn| {z }


: C2 = �(C1) = {�(x) | x 2 C}


The Code Equivalence Problem of Linear Codes

Permutation CodeEquivalence (PCE)

Semilinear CodeEquivalence (SLCE)

Linear CodeEquivalence (LCE)

Three notions of codeEquivalence:

Permutation Code Equivalence (PE)C1 ⇠ C2 () 9 � 2 Sn| {z }


: C2 = �(C1) = {�(x) | x 2 C}


The Code Equivalence Problem of Linear Codes

The Code Equivalence ProblemINPUT: Two [n, k ]q linear codes: C1 and C2


(Decision): Are C1 ⇠ C2?(Computational): If C1 ⇠ C2. Find � 2 Sn such that C2 = �(C1)


The Code Equivalence Problem of Linear Codes

The Code Equivalence ProblemINPUT: Two [n, k ]q linear codes: C1 and C2


(Decision): Are C1 ⇠ C2?(Computational): If C1 ⇠ C2. Find � 2 Sn such that C2 = �(C1)


The Code Equivalence Problem of Linear Codes

The Code Equivalence ProblemINPUT: Two [n, k ]q linear codes: C1 and C2

OUTPUT:(Decision): Are C1 ⇠ C2?

(Computational): If C1 ⇠ C2. Find � 2 Sn such that C2 = �(C1)


The Code Equivalence Problem of Linear Codes

The Code Equivalence ProblemINPUT: Two [n, k ]q linear codes: C1 and C2

OUTPUT:(Decision): Are C1 ⇠ C2?(Computational): If C1 ⇠ C2. Find � 2 Sn such that C2 = �(C1)


The Code Equivalence Problem of Linear Codes‹ Complexity: The PE problem is not NP-Complete but it is at least as

hard as Graph Isomorphism ProblemE. Petrank and R.M. Roth,Is code equivalence easy to decide?,1997.

‹ Known Algorithms:

• The Support Splitting Algorithm for PE for F2, F3 and F4N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.

N. Sendrier and D. E. SimosThe hardness of code equivalence over Fq and its application to code-based cryptography.Post-Quantum Cryptography, volume 7932 of LNCS, 203-216, 2013.

• Computation of canonical forms for LC over Fq, with qsmall.

T. Feulner,The automorphism groups of linear codes and canonical representatives of their semilinearisometry classes,AMC, vol. 3 (4), p. 363-383, 2009


The Code Equivalence Problem of Linear Codes‹ Complexity: The PE problem is not NP-Complete but it is at least as

hard as Graph Isomorphism ProblemE. Petrank and R.M. Roth,Is code equivalence easy to decide?,1997.

‹ Known Algorithms:• The Support Splitting Algorithm for PE for F2, F3 and F4

N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.

N. Sendrier and D. E. SimosThe hardness of code equivalence over Fq and its application to code-based cryptography.Post-Quantum Cryptography, volume 7932 of LNCS, 203-216, 2013.

• Computation of canonical forms for LC over Fq, with qsmall.

T. Feulner,The automorphism groups of linear codes and canonical representatives of their semilinearisometry classes,AMC, vol. 3 (4), p. 363-383, 2009


The Code Equivalence Problem of Linear Codes‹ Complexity: The PE problem is not NP-Complete but it is at least as

hard as Graph Isomorphism ProblemE. Petrank and R.M. Roth,Is code equivalence easy to decide?,1997.

‹ Known Algorithms:• The Support Splitting Algorithm for PE for F2, F3 and F4

N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.

N. Sendrier and D. E. SimosThe hardness of code equivalence over Fq and its application to code-based cryptography.Post-Quantum Cryptography, volume 7932 of LNCS, 203-216, 2013.

• Computation of canonical forms for LC over Fq, with qsmall.

T. Feulner,The automorphism groups of linear codes and canonical representatives of their semilinearisometry classes,AMC, vol. 3 (4), p. 363-383, 2009



V is an invariant if C1 ⇠ C2 ) V(C1) = V(C2)

The Weight Enumerator is an invariant: C1 ⇠ C2 ) WC1(X ) = WC2(X )

Recall that WC(X ) =nX


AiX i with Ai = | {c 2 C | wH(c) = i} |

WC1(X ) = WC2(X ) but C1 6⇠ C2

Consider two binary [6, 3] codes C1 and C2 with respective generator matrices:

G1 =

1 1 0 0 0 00 0 1 1 0 00 0 0 0 1 1

!and G2 =

1 0 0 0 1 00 1 0 1 1 10 0 1 0 1 0


‹ Both codes have the same weight distribution: 1, 0, 3, 0, 3, 0, 1‹ But they are not permutation-equivalent!



V is an invariant if C1 ⇠ C2 ) V(C1) = V(C2)

The Weight Enumerator is an invariant: C1 ⇠ C2 ) WC1(X ) = WC2(X )

Recall that WC(X ) =nX


AiX i with Ai = | {c 2 C | wH(c) = i} |

WC1(X ) = WC2(X ) but C1 6⇠ C2

Consider two binary [6, 3] codes C1 and C2 with respective generator matrices:

G1 =

1 1 0 0 0 00 0 1 1 0 00 0 0 0 1 1

!and G2 =

1 0 0 0 1 00 1 0 1 1 10 0 1 0 1 0


‹ Both codes have the same weight distribution: 1, 0, 3, 0, 3, 0, 1‹ But they are not permutation-equivalent!



V is an invariant if C1 ⇠ C2 ) V(C1) = V(C2)

The Weight Enumerator is an invariant: C1 ⇠ C2 ) WC1(X ) = WC2(X )

Recall that WC(X ) =nX


AiX i with Ai = | {c 2 C | wH(c) = i} |

WC1(X ) = WC2(X ) but C1 6⇠ C2

Consider two binary [6, 3] codes C1 and C2 with respective generator matrices:

G1 =

1 1 0 0 0 00 0 1 1 0 00 0 0 0 1 1

!and G2 =

1 0 0 0 1 00 1 0 1 1 10 0 1 0 1 0


‹ Both codes have the same weight distribution: 1, 0, 3, 0, 3, 0, 1‹ But they are not permutation-equivalent!


Punctured codeLet:

‹ C be an [n, k ]q code

‹ (J, J) be a partition of {1, . . . , n}‹ xJ the restriction of x 2 Fn

q to thecoordinates indexed by J

G =

Spans CJ

|J| n � |J|

Punctured code CJ

The words of CJ are codewords of C restricted to theJ-locations, i.e.

CJ =�

cJ | c 2 C


Punctured codeLet:

‹ C be an [n, k ]q code‹ (J, J) be a partition of {1, . . . , n}

‹ xJ the restriction of x 2 Fnq to the

coordinates indexed by J

G =

Spans CJ

|J| n � |J|

Punctured code CJ

The words of CJ are codewords of C restricted to theJ-locations, i.e.

CJ =�

cJ | c 2 C


Punctured codeLet:

‹ C be an [n, k ]q code‹ (J, J) be a partition of {1, . . . , n}‹ xJ the restriction of x 2 Fn

q to thecoordinates indexed by J

G =

Spans CJ

|J| n � |J|

Punctured code CJ

The words of CJ are codewords of C restricted to theJ-locations, i.e.

CJ =�

cJ | c 2 C


Punctured codeLet:

‹ C be an [n, k ]q code‹ (J, J) be a partition of {1, . . . , n}‹ xJ the restriction of x 2 Fn

q to thecoordinates indexed by J

G =

Spans CJ

|J| n � |J|

Punctured code CJ

The words of CJ are codewords of C restricted to theJ-locations, i.e.

CJ =�

cJ | c 2 C


Punctured codeLet:

‹ C be an [n, k ]q code‹ (J, J) be a partition of {1, . . . , n}‹ xJ the restriction of x 2 Fn

q to thecoordinates indexed by J

G =

Spans CJ

|J| n � |J|

Punctured code CJ

The words of CJ are codewords of C restricted to theJ-locations, i.e.

CJ =�

cJ | c 2 C


Punctured codeLet:

‹ C be an [n, k ]q code‹ (J, J) be a partition of {1, . . . , n}‹ xJ the restriction of x 2 Fn

q to thecoordinates indexed by J

G = Spans CJ

|J| n � |J|

Punctured code CJ

The words of CJ are codewords of C restricted to theJ-locations, i.e.

CJ =�

cJ | c 2 C



SignatureS is a signature if S(C, i) = S(�(C),�(i))

Building a signature from an invariant: If V is an invariant then,

C ⇠ C =)⇢

V(C) = V(C)

{V(Ci) | i 2 {1, . . . , n}} = {V(Ci) | i 2 {1, . . . , n}}

Where Ci is the punctured code C on i



SignatureS is a signature if S(C, i) = S(�(C),�(i))

Building a signature from an invariant: If V is an invariant then,

C ⇠ C =)⇢

V(C) = V(C)

{V(Ci) | i 2 {1, . . . , n}} = {V(Ci) | i 2 {1, . . . , n}}

Where Ci is the punctured code C on i



SignatureS is a signature if S(C, i) = S(�(C),�(i))

Building a signature from an invariant: If V is an invariant then,

C ⇠ C =)⇢

V(C) = V(C)

{V(Ci) | i 2 {1, . . . , n}} = {V(Ci) | i 2 {1, . . . , n}}Where Ci is the punctured code C on i



SignatureS is a signature if S(C, i) = S(�(C),�(i))

Building a signature from an invariant: If V is an invariant then,

C ⇠ C =)⇢

V(C) = V(C){V(Ci) | i 2 {1, . . . , n}} = {V(Ci) | i 2 {1, . . . , n}}

Where Ci is the punctured code C on i


Fully Discriminant Signatures

Fully Discriminant SignaturesA signature S is fully discriminant for C if:

S(C, i) 6= S(C, j) for all i 6= j

How to retrieve the permutation? Suppose that C2 = �(C1)If S is fully discriminant for C then:

8i 2 {1, . . . , n}, 9 unique j such that S(C1, i) = S(C2, j)

=) �(i) = j


Fully Discriminant Signatures

Fully Discriminant SignaturesA signature S is fully discriminant for C if:

S(C, i) 6= S(C, j) for all i 6= j

How to retrieve the permutation? Suppose that C2 = �(C1)

If S is fully discriminant for C then:

8i 2 {1, . . . , n}, 9 unique j such that S(C1, i) = S(C2, j)

=) �(i) = j


Fully Discriminant Signatures

Fully Discriminant SignaturesA signature S is fully discriminant for C if:

S(C, i) 6= S(C, j) for all i 6= j

How to retrieve the permutation? Suppose that C2 = �(C1)If S is fully discriminant for C then:

8i 2 {1, . . . , n}, 9 unique j such that S(C1, i) = S(C2, j)

=) �(i) = j


Fully Discriminant Signatures

Fully Discriminant SignaturesA signature S is fully discriminant for C if:

S(C, i) 6= S(C, j) for all i 6= j

How to retrieve the permutation? Suppose that C2 = �(C1)If S is fully discriminant for C then:

8i 2 {1, . . . , n}, 9 unique j such that S(C1, i) = S(C2, j) =) �(i) = j


Fully Discriminant SignaturesAn Example of Fully Discriminant Signature

Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}



C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3

C2 = {110, 011} �! WC2 = 2X 2

C3 = {110, 011, 100} �! WC3 = X + 2X 2

C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3



C1 = {011, 101} �! WC1= 2X 2

C2 = {011, 111, 101} �! WC2= 2X 2 + X 3

C3 = {001, 101, 111} �! WC3= X + X 2 + X 3

C4 = {001, 101, 110} �! WC4= X + 2X 2

Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 2


Fully Discriminant SignaturesAn Example of Fully Discriminant Signature

Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}8>><


C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3

C2 = {110, 011} �! WC2 = 2X 2

C3 = {110, 011, 100} �! WC3 = X + 2X 2

C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3



C1 = {011, 101} �! WC1= 2X 2

C2 = {011, 111, 101} �! WC2= 2X 2 + X 3

C3 = {001, 101, 111} �! WC3= X + X 2 + X 3

C4 = {001, 101, 110} �! WC4= X + 2X 2

Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 2


Fully Discriminant SignaturesAn Example of Fully Discriminant Signature

Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}8>><


C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3

C2 = {110, 011} �! WC2 = 2X 2

C3 = {110, 011, 100} �! WC3 = X + 2X 2

C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3



C1 = {011, 101} �! WC1= 2X 2

C2 = {011, 111, 101} �! WC2= 2X 2 + X 3

C3 = {001, 101, 111} �! WC3= X + X 2 + X 3

C4 = {001, 101, 110} �! WC4= X + 2X 2

Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 2


Fully Discriminant SignaturesAn Example of Fully Discriminant Signature

Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}8>><


C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3

C2 = {110, 011} �! WC2 = 2X 2

C3 = {110, 011, 100} �! WC3 = X + 2X 2

C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3



C1 = {011, 101} �! WC1= 2X 2

C2 = {011, 111, 101} �! WC2= 2X 2 + X 3

C3 = {001, 101, 111} �! WC3= X + X 2 + X 3

C4 = {001, 101, 110} �! WC4= X + 2X 2

Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 28

Fully Discriminant SignaturesAn Example of Fully Discriminant Signature

Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}8>><


C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3

C2 = {110, 011} �! WC2 = 2X 2

C3 = {110, 011, 100} �! WC3 = X + 2X 2

C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3



C1 = {011, 101} �! WC1= 2X 2

C2 = {011, 111, 101} �! WC2= 2X 2 + X 3

C3 = {001, 101, 111} �! WC3= X + X 2 + X 3

C4 = {001, 101, 110} �! WC4= X + 2X 2

Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 28

Fully Discriminant SignaturesAn Example of Fully Discriminant Signature

Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}8>><


C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3

C2 = {110, 011} �! WC2 = 2X 2

C3 = {110, 011, 100} �! WC3 = X + 2X 2

C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3



C1 = {011, 101} �! WC1= 2X 2

C2 = {011, 111, 101} �! WC2= 2X 2 + X 3

C3 = {001, 101, 111} �! WC3= X + X 2 + X 3

C4 = {001, 101, 110} �! WC4= X + 2X 2

Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 28

Fully Discriminant SignaturesAn Example of Fully Discriminant Signature

Let C = {1110, 0111, 1010} and C = {0011, 1011, 1101}8>><


C1 = {110, 111, 010} �! WC1 = X + X 2 + X 3

C2 = {110, 011} �! WC2 = 2X 2

C3 = {110, 011, 100} �! WC3 = X + 2X 2

C4 = {111, 011, 101} �! WC4 = 2X 2 + X 3



C1 = {011, 101} �! WC1= 2X 2

C2 = {011, 111, 101} �! WC2= 2X 2 + X 3

C3 = {001, 101, 111} �! WC3= X + X 2 + X 3

C4 = {001, 101, 110} �! WC4= X + 2X 2

Thus �(1) = 3 �(2) = 1 �(3) = 4 and �(4) = 28

Refined Signatures

Refined SignatureLet S be a signature. Let J be a subset of {1, . . . , n} If C ⇠ C =) CJ ⇠ CJ

Thus S(CJ , i) and S(CJ , i) give additional information.

Example of Refined Signature

C =

⇢01101, 01011,

01110, 10101, 11110

�and C =

⇢10101, 00111,

10011, 11100, 11011


Refined Signatures

Refined SignatureLet S be a signature. Let J be a subset of {1, . . . , n} If C ⇠ C =) CJ ⇠ CJ

Thus S(CJ , i) and S(CJ , i) give additional information.

Example of Refined Signature

C =

⇢01101, 01011,

01110, 10101, 11110

�and C =

⇢10101, 00111,

10011, 11100, 11011


Refined SignaturesRefined Signature

Let S be a signature. Let J be a subset of {1, . . . , n} If C ⇠ C =) CJ ⇠ CJ

Thus S(CJ , i) and S(CJ , i) give additional information.

Example of Refined Signature

C =

⇢01101, 01011,

01110, 10101, 11110

�and C =

⇢10101, 00111,

10011, 11100, 11011

WC1(X ) = WC2(X ) =) �(1) = 2

WC4(X ) = WC4(X ) =) �(4) = 4

WC5(X ) = WC3(X ) =) �(5) = 3


Refined Signatures

Refined SignatureLet S be a signature. Let J be a subset of {1, . . . , n} If C ⇠ C =) CJ ⇠ CJ

Thus S(CJ , i) and S(CJ , i) give additional information.

Example of Refined Signature

C =

⇢01101, 01011,

01110, 10101, 11110

�and C =

⇢10101, 00111,

10011, 11100, 11011

Note that: WC2(X ) = WC3(X ) = WC1(X ) = WC5

(X ).Thus: positions {2, 3} in C and {1, 5} in C cannot be discriminated


Refined SignaturesRefined Signature

Let S be a signature. Let J be a subset of {1, . . . , n} If C ⇠ C =) CJ ⇠ CJ

Thus S(CJ , i) and S(CJ , i) give additional information.

Example of Refined Signature

C =

⇢01101, 01011,

01110, 10101, 11110

�and C =

⇢10101, 00111,

10011, 11100, 11011

Note that: WC2(X ) = WC3(X ) = WC1(X ) = WC5

(X ).Thus: positions {2, 3} in C and {1, 5} in C cannot be discriminated

WC{1,2} = WC{2,5}=) �({1, 2}) = {2, 5}

WC{1,3} = WC{2,1}=) �({1, 3}) = {2, 1}

Thus �(2) = 5 and �(3) = 19

Refined SignaturesRefined Signature

Let S be a signature. Let J be a subset of {1, . . . , n} If C ⇠ C =) CJ ⇠ CJ

Thus S(CJ , i) and S(CJ , i) give additional information.

Example of Refined Signature

C =

⇢01101, 01011,

01110, 10101, 11110

�and C =

⇢10101, 00111,

10011, 11100, 11011

Note that: WC2(X ) = WC3(X ) = WC1(X ) = WC5

(X ).Thus: positions {2, 3} in C and {1, 5} in C cannot be discriminated

WC{1,2} = WC{2,5}=) �({1, 2}) = {2, 5}

WC{1,3} = WC{2,1}=) �({1, 3}) = {2, 1}

Thus �(2) = 5 and �(3) = 19

Some notation

From now on, let C be a linear code of length n defined over Fq. We denote

• Its dimension by K (C) .

• Its minimum distance by d(C) .


Support Splitting AlgorithmThe Algorithm:

Input: A signature S and two codes: C1 and C2.1. Construct a sequence of signatures:

S0 = S,S1, . . . ,Sr

of increasing “discriminancy” such that Sr isfully discriminant for C.

2. From Sr we retrieve � such that C2 = �(C1)

Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?

• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O

⇣n3 + 2hn2 log(n)

• When h �! 0, Then the Algorithm runs in polynomial time.

N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.


Support Splitting AlgorithmThe Algorithm:

Input: A signature S and two codes: C1 and C2.

1. Construct a sequence of signatures:

S0 = S,S1, . . . ,Sr

of increasing “discriminancy” such that Sr isfully discriminant for C.

2. From Sr we retrieve � such that C2 = �(C1)

Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?

• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O

⇣n3 + 2hn2 log(n)

• When h �! 0, Then the Algorithm runs in polynomial time.

N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.


Support Splitting AlgorithmThe Algorithm:

Input: A signature S and two codes: C1 and C2.1. Construct a sequence of signatures:

S0 = S,S1, . . . ,Sr

of increasing “discriminancy” such that Sr isfully discriminant for C.

2. From Sr we retrieve � such that C2 = �(C1)

Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?

• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O

⇣n3 + 2hn2 log(n)

• When h �! 0, Then the Algorithm runs in polynomial time.

N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.


Support Splitting AlgorithmThe Algorithm:

Input: A signature S and two codes: C1 and C2.1. Construct a sequence of signatures:

S0 = S,S1, . . . ,Sr

of increasing “discriminancy” such that Sr isfully discriminant for C.

2. From Sr we retrieve � such that C2 = �(C1)

Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?

• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O

⇣n3 + 2hn2 log(n)

• When h �! 0, Then the Algorithm runs in polynomial time.

N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.


Support Splitting AlgorithmThe Algorithm:

Input: A signature S and two codes: C1 and C2.1. Construct a sequence of signatures:

S0 = S,S1, . . . ,Sr

of increasing “discriminancy” such that Sr isfully discriminant for C.

2. From Sr we retrieve � such that C2 = �(C1)

Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?

• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O

⇣n3 + 2hn2 log(n)

• When h �! 0, Then the Algorithm runs in polynomial time.

N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.


Support Splitting AlgorithmThe Algorithm:

Input: A signature S and two codes: C1 and C2.1. Construct a sequence of signatures:

S0 = S,S1, . . . ,Sr

of increasing “discriminancy” such that Sr isfully discriminant for C.

2. From Sr we retrieve � such that C2 = �(C1)

Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?

• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O

⇣n3 + 2hn2 log(n)

• When h �! 0, Then the Algorithm runs in polynomial time.

N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.


Support Splitting AlgorithmThe Algorithm:

Input: A signature S and two codes: C1 and C2.1. Construct a sequence of signatures:

S0 = S,S1, . . . ,Sr

of increasing “discriminancy” such that Sr isfully discriminant for C.

2. From Sr we retrieve � such that C2 = �(C1)

Proposal of signature: S(C, i) = WH(Ci )(X ) where H(C) = C \ C?

• For binary codes C of length n and h = dim(H(C)).The (heuristic) complexity: O

⇣n3 + 2hn2 log(n)

• When h �! 0, Then the Algorithm runs in polynomial time.N. Sendrier,Finding the permutation between equivalent linear codes: The Support Splitting Algorithm,IEEE Trans. on Inf. Theory, vol. 46(4), 2000.


Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.

‹ A Goppa code C = �(L, g) has :

K (C) � n � mt and d(C) � t + 1

‹ Let Gpub

2 Fk⇥n2 be the public key of the McEliece scheme.

1. We enumerate all polynomials g of degree t over Fm2 such that

k � n � mt .2. We check the equivalence with the public code.

There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)

Is necessary to use a large family of codesto make this attack ineffective


Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.

Goppa codeLet:

‹ L = (↵1, . . . ,↵n) 2 F2m with ↵i 6= ↵j for all i 6= j .‹ g(X ) 2 F2m [X ] monic separable polynomial with deg(g) = t and g(↵i) 6= 08i

�(L, g) = Altt(a,b) = (GRSt(a,b)) \ Fq

with a = L and bi =1


‹ A Goppa code C = �(L, g) has :

K (C) � n � mt and d(C) � t + 1

‹ Let Gpub

2 Fk⇥n2 be the public key of the McEliece scheme.

1. We enumerate all polynomials g of degree t over Fm2 such that

k � n � mt .2. We check the equivalence with the public code.

There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)

Is necessary to use a large family of codesto make this attack ineffective


Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.

‹ A Goppa code C = �(L, g) has :

K (C) � n � mt and d(C) � t + 1

‹ Let Gpub

2 Fk⇥n2 be the public key of the McEliece scheme.

1. We enumerate all polynomials g of degree t over Fm2 such that

k � n � mt .2. We check the equivalence with the public code.

There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)

Is necessary to use a large family of codesto make this attack ineffective


Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.

‹ A Goppa code C = �(L, g) has :

K (C) � n � mt and d(C) � t + 1

‹ Let Gpub

2 Fk⇥n2 be the public key of the McEliece scheme.

1. We enumerate all polynomials g of degree t over Fm2 such that

k � n � mt .2. We check the equivalence with the public code.

There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)

Is necessary to use a large family of codesto make this attack ineffective


Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.

‹ A Goppa code C = �(L, g) has :

K (C) � n � mt and d(C) � t + 1

‹ Let Gpub

2 Fk⇥n2 be the public key of the McEliece scheme.

1. We enumerate all polynomials g of degree t over Fm2 such that

k � n � mt .

2. We check the equivalence with the public code.There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)

Is necessary to use a large family of codesto make this attack ineffective


Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.

‹ A Goppa code C = �(L, g) has :

K (C) � n � mt and d(C) � t + 1

‹ Let Gpub

2 Fk⇥n2 be the public key of the McEliece scheme.

1. We enumerate all polynomials g of degree t over Fm2 such that

k � n � mt .2. We check the equivalence with the public code.

There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)

Is necessary to use a large family of codesto make this attack ineffective


Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.

‹ A Goppa code C = �(L, g) has :

K (C) � n � mt and d(C) � t + 1

‹ Let Gpub

2 Fk⇥n2 be the public key of the McEliece scheme.

1. We enumerate all polynomials g of degree t over Fm2 such that

k � n � mt .2. We check the equivalence with the public code.

There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)

Is necessary to use a large family of codesto make this attack ineffective


Application in Code-Based CryptographyThe public key of the original McEliece scheme is a randomly permutedbinary Goppa code.

‹ A Goppa code C = �(L, g) has :

K (C) � n � mt and d(C) � t + 1

‹ Let Gpub

2 Fk⇥n2 be the public key of the McEliece scheme.

1. We enumerate all polynomials g of degree t over Fm2 such that

k � n � mt .2. We check the equivalence with the public code.

There are 2498.55 binary Goppa codes!!(for n = 1024 and t = 50)

Is necessary to use a large family of codesto make this attack ineffective


4. Key Attacks

1. Introduction2. Support Splitting Algorithm3. Distinguisher for GRS codes4. Attack against subcodes of GRS codes5. Error-Correcting Pairs6. Attack against GRS codes7. Attack against Reed-Muller codes8. Attack against Algebraic Geometry codes9. Goppa codes still resist


top related